From 24c6f09bf83015e04e16666e8a5fb66e75967e0d Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Wed, 26 Jul 2017 15:58:01 +0200 Subject: [PATCH 01/16] Added ChaCha20 implementation with SSE2 opcodes. --- inc/bearssl_block.h | 50 ++++++ mk/Rules.mk | 5 +- mk/mkrules.sh | 1 + src/config.h | 10 ++ src/inner.h | 42 ++++- src/ssl/ssl_engine_default_chapol.c | 24 ++- src/symcipher/chacha20_sse2.c | 257 ++++++++++++++++++++++++++++ test/test_crypto.c | 40 ++++- test/test_speed.c | 17 +- 9 files changed, 429 insertions(+), 17 deletions(-) create mode 100644 src/symcipher/chacha20_sse2.c diff --git a/inc/bearssl_block.h b/inc/bearssl_block.h index 415bc28..24f09ac 100644 --- a/inc/bearssl_block.h +++ b/inc/bearssl_block.h @@ -259,9 +259,26 @@ extern "C" { * `chacha20_ct` is a straightforward implementation of ChaCha20 in * plain C; it is constant-time, small, and reasonably fast. * + * `chacha20_sse2` leverages SSE2 opcodes (on x86 architectures that + * support these opcodes). It is faster than `chacha20_ct`. + * * `poly1305_ctmul` is an implementation of the ChaCha20+Poly1305 AEAD * construction, where the Poly1305 part is performed with mixed 32-bit * multiplications (operands are 32-bit, result is 64-bit). + * + * `poly1305_ctmul32` implements ChaCha20+Poly1305 using pure 32-bit + * multiplications (32-bit operands, 32-bit result). It is slower than + * `poly1305_ctmul`, except on some specific architectures such as + * the ARM Cortex M0+. + * + * `poly1305_ctmulq` implements ChaCha20+Poly1305 with mixed 64-bit + * multiplications (operands are 64-bit, result is 128-bit) on 64-bit + * platforms that support such operations. + * + * `poly1305_i15` implements ChaCha20+Poly1305 with the generic "i15" + * big integer implementation. It is meant mostly for testing purposes, + * although it can help with saving a few hundred bytes of code footprint + * on systems where code size is scarce. */ /** @@ -1684,6 +1701,39 @@ typedef uint32_t (*br_chacha20_run)(const void *key, uint32_t br_chacha20_ct_run(const void *key, const void *iv, uint32_t cc, void *data, size_t len); +/** + * \brief ChaCha20 implementation (SSE2 code, constant-time). + * + * This implementation is available only on x86 platforms, depending on + * compiler support. Moreover, in 32-bit mode, it might not actually run, + * if the underlying hardware does not implement the SSE2 opcode (in + * 64-bit mode, SSE2 is part of the ABI, so if the code could be compiled + * at all, then it can run). Use `br_chacha20_sse2_get()` to safely obtain + * a pointer to that function. + * + * \see br_chacha20_run + * + * \param key secret key (32 bytes). + * \param iv IV (12 bytes). + * \param cc initial counter value. + * \param data data to encrypt or decrypt. + * \param len data length (in bytes). + */ +uint32_t br_chacha20_sse2_run(const void *key, + const void *iv, uint32_t cc, void *data, size_t len); + +/** + * \brief Obtain the `sse2` ChaCha20 implementation, if available. + * + * This function returns a pointer to `br_chacha20_sse2_run`, if + * that implementation was compiled in the library _and_ the SSE2 + * opcodes are available on the currently running CPU. If either of + * these conditions is not met, then this function returns `0`. + * + * \return the `sse2` ChaCha20 implementation, or `0`. + */ +br_chacha20_run br_chacha20_sse2_get(void); + /** * \brief Type for a ChaCha20+Poly1305 AEAD implementation. * diff --git a/mk/Rules.mk b/mk/Rules.mk index fdedc6e..694d04e 100644 --- a/mk/Rules.mk +++ b/mk/Rules.mk @@ -1,6 +1,6 @@ # Automatically generated rules. Use 'mkrules.sh' to modify/regenerate. -OBJ = $(OBJDIR)$Pgcm$O $(OBJDIR)$Pccopy$O $(OBJDIR)$Pdec16be$O $(OBJDIR)$Pdec16le$O $(OBJDIR)$Pdec32be$O $(OBJDIR)$Pdec32le$O $(OBJDIR)$Pdec64be$O $(OBJDIR)$Pdec64le$O $(OBJDIR)$Penc16be$O $(OBJDIR)$Penc16le$O $(OBJDIR)$Penc32be$O $(OBJDIR)$Penc32le$O $(OBJDIR)$Penc64be$O $(OBJDIR)$Penc64le$O $(OBJDIR)$Ppemdec$O $(OBJDIR)$Pec_all_m15$O $(OBJDIR)$Pec_all_m31$O $(OBJDIR)$Pec_c25519_i15$O $(OBJDIR)$Pec_c25519_i31$O $(OBJDIR)$Pec_c25519_m15$O $(OBJDIR)$Pec_c25519_m31$O $(OBJDIR)$Pec_curve25519$O $(OBJDIR)$Pec_default$O $(OBJDIR)$Pec_p256_m15$O $(OBJDIR)$Pec_p256_m31$O $(OBJDIR)$Pec_prime_i15$O $(OBJDIR)$Pec_prime_i31$O $(OBJDIR)$Pec_secp256r1$O $(OBJDIR)$Pec_secp384r1$O $(OBJDIR)$Pec_secp521r1$O $(OBJDIR)$Pecdsa_atr$O $(OBJDIR)$Pecdsa_default_sign_asn1$O $(OBJDIR)$Pecdsa_default_sign_raw$O $(OBJDIR)$Pecdsa_default_vrfy_asn1$O $(OBJDIR)$Pecdsa_default_vrfy_raw$O $(OBJDIR)$Pecdsa_i15_bits$O $(OBJDIR)$Pecdsa_i15_sign_asn1$O $(OBJDIR)$Pecdsa_i15_sign_raw$O $(OBJDIR)$Pecdsa_i15_vrfy_asn1$O $(OBJDIR)$Pecdsa_i15_vrfy_raw$O $(OBJDIR)$Pecdsa_i31_bits$O $(OBJDIR)$Pecdsa_i31_sign_asn1$O $(OBJDIR)$Pecdsa_i31_sign_raw$O $(OBJDIR)$Pecdsa_i31_vrfy_asn1$O $(OBJDIR)$Pecdsa_i31_vrfy_raw$O $(OBJDIR)$Pecdsa_rta$O $(OBJDIR)$Pdig_oid$O $(OBJDIR)$Pdig_size$O $(OBJDIR)$Pghash_ctmul$O $(OBJDIR)$Pghash_ctmul32$O $(OBJDIR)$Pghash_ctmul64$O $(OBJDIR)$Pghash_pclmul$O $(OBJDIR)$Pghash_pwr8$O $(OBJDIR)$Pmd5$O $(OBJDIR)$Pmd5sha1$O $(OBJDIR)$Pmultihash$O $(OBJDIR)$Psha1$O $(OBJDIR)$Psha2big$O $(OBJDIR)$Psha2small$O $(OBJDIR)$Pi15_add$O $(OBJDIR)$Pi15_bitlen$O $(OBJDIR)$Pi15_decmod$O $(OBJDIR)$Pi15_decode$O $(OBJDIR)$Pi15_decred$O $(OBJDIR)$Pi15_encode$O $(OBJDIR)$Pi15_fmont$O $(OBJDIR)$Pi15_iszero$O $(OBJDIR)$Pi15_modpow$O $(OBJDIR)$Pi15_modpow2$O $(OBJDIR)$Pi15_montmul$O $(OBJDIR)$Pi15_mulacc$O $(OBJDIR)$Pi15_muladd$O $(OBJDIR)$Pi15_ninv15$O $(OBJDIR)$Pi15_reduce$O $(OBJDIR)$Pi15_rshift$O $(OBJDIR)$Pi15_sub$O $(OBJDIR)$Pi15_tmont$O $(OBJDIR)$Pi31_add$O $(OBJDIR)$Pi31_bitlen$O $(OBJDIR)$Pi31_decmod$O $(OBJDIR)$Pi31_decode$O $(OBJDIR)$Pi31_decred$O $(OBJDIR)$Pi31_encode$O $(OBJDIR)$Pi31_fmont$O $(OBJDIR)$Pi31_iszero$O $(OBJDIR)$Pi31_modpow$O $(OBJDIR)$Pi31_modpow2$O $(OBJDIR)$Pi31_montmul$O $(OBJDIR)$Pi31_mulacc$O $(OBJDIR)$Pi31_muladd$O $(OBJDIR)$Pi31_ninv31$O $(OBJDIR)$Pi31_reduce$O $(OBJDIR)$Pi31_rshift$O $(OBJDIR)$Pi31_sub$O $(OBJDIR)$Pi31_tmont$O $(OBJDIR)$Pi32_add$O $(OBJDIR)$Pi32_bitlen$O $(OBJDIR)$Pi32_decmod$O $(OBJDIR)$Pi32_decode$O $(OBJDIR)$Pi32_decred$O $(OBJDIR)$Pi32_div32$O $(OBJDIR)$Pi32_encode$O $(OBJDIR)$Pi32_fmont$O $(OBJDIR)$Pi32_iszero$O $(OBJDIR)$Pi32_modpow$O $(OBJDIR)$Pi32_montmul$O $(OBJDIR)$Pi32_mulacc$O $(OBJDIR)$Pi32_muladd$O $(OBJDIR)$Pi32_ninv32$O $(OBJDIR)$Pi32_reduce$O $(OBJDIR)$Pi32_sub$O $(OBJDIR)$Pi32_tmont$O $(OBJDIR)$Pi62_modpow2$O $(OBJDIR)$Phmac$O $(OBJDIR)$Phmac_ct$O $(OBJDIR)$Phmac_drbg$O $(OBJDIR)$Prsa_default_pkcs1_sign$O $(OBJDIR)$Prsa_default_pkcs1_vrfy$O $(OBJDIR)$Prsa_default_priv$O $(OBJDIR)$Prsa_default_pub$O $(OBJDIR)$Prsa_i15_pkcs1_sign$O $(OBJDIR)$Prsa_i15_pkcs1_vrfy$O $(OBJDIR)$Prsa_i15_priv$O $(OBJDIR)$Prsa_i15_pub$O $(OBJDIR)$Prsa_i31_pkcs1_sign$O $(OBJDIR)$Prsa_i31_pkcs1_vrfy$O $(OBJDIR)$Prsa_i31_priv$O $(OBJDIR)$Prsa_i31_pub$O $(OBJDIR)$Prsa_i32_pkcs1_sign$O $(OBJDIR)$Prsa_i32_pkcs1_vrfy$O $(OBJDIR)$Prsa_i32_priv$O $(OBJDIR)$Prsa_i32_pub$O $(OBJDIR)$Prsa_i62_pkcs1_sign$O $(OBJDIR)$Prsa_i62_pkcs1_vrfy$O $(OBJDIR)$Prsa_i62_priv$O $(OBJDIR)$Prsa_i62_pub$O $(OBJDIR)$Prsa_pkcs1_sig_pad$O $(OBJDIR)$Prsa_pkcs1_sig_unpad$O $(OBJDIR)$Prsa_ssl_decrypt$O $(OBJDIR)$Pprf$O $(OBJDIR)$Pprf_md5sha1$O $(OBJDIR)$Pprf_sha256$O $(OBJDIR)$Pprf_sha384$O $(OBJDIR)$Pssl_ccert_single_ec$O $(OBJDIR)$Pssl_ccert_single_rsa$O $(OBJDIR)$Pssl_client$O $(OBJDIR)$Pssl_client_default_rsapub$O $(OBJDIR)$Pssl_client_full$O $(OBJDIR)$Pssl_engine$O $(OBJDIR)$Pssl_engine_default_aescbc$O $(OBJDIR)$Pssl_engine_default_aesgcm$O $(OBJDIR)$Pssl_engine_default_chapol$O $(OBJDIR)$Pssl_engine_default_descbc$O $(OBJDIR)$Pssl_engine_default_ec$O $(OBJDIR)$Pssl_engine_default_ecdsa$O $(OBJDIR)$Pssl_engine_default_rsavrfy$O $(OBJDIR)$Pssl_hashes$O $(OBJDIR)$Pssl_hs_client$O $(OBJDIR)$Pssl_hs_server$O $(OBJDIR)$Pssl_io$O $(OBJDIR)$Pssl_keyexport$O $(OBJDIR)$Pssl_lru$O $(OBJDIR)$Pssl_rec_cbc$O $(OBJDIR)$Pssl_rec_chapol$O $(OBJDIR)$Pssl_rec_gcm$O $(OBJDIR)$Pssl_scert_single_ec$O $(OBJDIR)$Pssl_scert_single_rsa$O $(OBJDIR)$Pssl_server$O $(OBJDIR)$Pssl_server_full_ec$O $(OBJDIR)$Pssl_server_full_rsa$O $(OBJDIR)$Pssl_server_mine2c$O $(OBJDIR)$Pssl_server_mine2g$O $(OBJDIR)$Pssl_server_minf2c$O $(OBJDIR)$Pssl_server_minf2g$O $(OBJDIR)$Pssl_server_minr2g$O $(OBJDIR)$Pssl_server_minu2g$O $(OBJDIR)$Pssl_server_minv2g$O $(OBJDIR)$Paes_big_cbcdec$O $(OBJDIR)$Paes_big_cbcenc$O $(OBJDIR)$Paes_big_ctr$O $(OBJDIR)$Paes_big_dec$O $(OBJDIR)$Paes_big_enc$O $(OBJDIR)$Paes_common$O $(OBJDIR)$Paes_ct$O $(OBJDIR)$Paes_ct64$O $(OBJDIR)$Paes_ct64_cbcdec$O $(OBJDIR)$Paes_ct64_cbcenc$O $(OBJDIR)$Paes_ct64_ctr$O $(OBJDIR)$Paes_ct64_dec$O $(OBJDIR)$Paes_ct64_enc$O $(OBJDIR)$Paes_ct_cbcdec$O $(OBJDIR)$Paes_ct_cbcenc$O $(OBJDIR)$Paes_ct_ctr$O $(OBJDIR)$Paes_ct_dec$O $(OBJDIR)$Paes_ct_enc$O $(OBJDIR)$Paes_pwr8$O $(OBJDIR)$Paes_pwr8_cbcdec$O $(OBJDIR)$Paes_pwr8_cbcenc$O $(OBJDIR)$Paes_pwr8_ctr$O $(OBJDIR)$Paes_small_cbcdec$O $(OBJDIR)$Paes_small_cbcenc$O $(OBJDIR)$Paes_small_ctr$O $(OBJDIR)$Paes_small_dec$O $(OBJDIR)$Paes_small_enc$O $(OBJDIR)$Paes_x86ni$O $(OBJDIR)$Paes_x86ni_cbcdec$O $(OBJDIR)$Paes_x86ni_cbcenc$O $(OBJDIR)$Paes_x86ni_ctr$O $(OBJDIR)$Pchacha20_ct$O $(OBJDIR)$Pdes_ct$O $(OBJDIR)$Pdes_ct_cbcdec$O $(OBJDIR)$Pdes_ct_cbcenc$O $(OBJDIR)$Pdes_support$O $(OBJDIR)$Pdes_tab$O $(OBJDIR)$Pdes_tab_cbcdec$O $(OBJDIR)$Pdes_tab_cbcenc$O $(OBJDIR)$Ppoly1305_ctmul$O $(OBJDIR)$Ppoly1305_ctmul32$O $(OBJDIR)$Ppoly1305_ctmulq$O $(OBJDIR)$Ppoly1305_i15$O $(OBJDIR)$Pskey_decoder$O $(OBJDIR)$Px509_decoder$O $(OBJDIR)$Px509_knownkey$O $(OBJDIR)$Px509_minimal$O $(OBJDIR)$Px509_minimal_full$O +OBJ = $(OBJDIR)$Pgcm$O $(OBJDIR)$Pccopy$O $(OBJDIR)$Pdec16be$O $(OBJDIR)$Pdec16le$O $(OBJDIR)$Pdec32be$O $(OBJDIR)$Pdec32le$O $(OBJDIR)$Pdec64be$O $(OBJDIR)$Pdec64le$O $(OBJDIR)$Penc16be$O $(OBJDIR)$Penc16le$O $(OBJDIR)$Penc32be$O $(OBJDIR)$Penc32le$O $(OBJDIR)$Penc64be$O $(OBJDIR)$Penc64le$O $(OBJDIR)$Ppemdec$O $(OBJDIR)$Pec_all_m15$O $(OBJDIR)$Pec_all_m31$O $(OBJDIR)$Pec_c25519_i15$O $(OBJDIR)$Pec_c25519_i31$O $(OBJDIR)$Pec_c25519_m15$O $(OBJDIR)$Pec_c25519_m31$O $(OBJDIR)$Pec_curve25519$O $(OBJDIR)$Pec_default$O $(OBJDIR)$Pec_p256_m15$O $(OBJDIR)$Pec_p256_m31$O $(OBJDIR)$Pec_prime_i15$O $(OBJDIR)$Pec_prime_i31$O $(OBJDIR)$Pec_secp256r1$O $(OBJDIR)$Pec_secp384r1$O $(OBJDIR)$Pec_secp521r1$O $(OBJDIR)$Pecdsa_atr$O $(OBJDIR)$Pecdsa_default_sign_asn1$O $(OBJDIR)$Pecdsa_default_sign_raw$O $(OBJDIR)$Pecdsa_default_vrfy_asn1$O $(OBJDIR)$Pecdsa_default_vrfy_raw$O $(OBJDIR)$Pecdsa_i15_bits$O $(OBJDIR)$Pecdsa_i15_sign_asn1$O $(OBJDIR)$Pecdsa_i15_sign_raw$O $(OBJDIR)$Pecdsa_i15_vrfy_asn1$O $(OBJDIR)$Pecdsa_i15_vrfy_raw$O $(OBJDIR)$Pecdsa_i31_bits$O $(OBJDIR)$Pecdsa_i31_sign_asn1$O $(OBJDIR)$Pecdsa_i31_sign_raw$O $(OBJDIR)$Pecdsa_i31_vrfy_asn1$O $(OBJDIR)$Pecdsa_i31_vrfy_raw$O $(OBJDIR)$Pecdsa_rta$O $(OBJDIR)$Pdig_oid$O $(OBJDIR)$Pdig_size$O $(OBJDIR)$Pghash_ctmul$O $(OBJDIR)$Pghash_ctmul32$O $(OBJDIR)$Pghash_ctmul64$O $(OBJDIR)$Pghash_pclmul$O $(OBJDIR)$Pghash_pwr8$O $(OBJDIR)$Pmd5$O $(OBJDIR)$Pmd5sha1$O $(OBJDIR)$Pmultihash$O $(OBJDIR)$Psha1$O $(OBJDIR)$Psha2big$O $(OBJDIR)$Psha2small$O $(OBJDIR)$Pi15_add$O $(OBJDIR)$Pi15_bitlen$O $(OBJDIR)$Pi15_decmod$O $(OBJDIR)$Pi15_decode$O $(OBJDIR)$Pi15_decred$O $(OBJDIR)$Pi15_encode$O $(OBJDIR)$Pi15_fmont$O $(OBJDIR)$Pi15_iszero$O $(OBJDIR)$Pi15_modpow$O $(OBJDIR)$Pi15_modpow2$O $(OBJDIR)$Pi15_montmul$O $(OBJDIR)$Pi15_mulacc$O $(OBJDIR)$Pi15_muladd$O $(OBJDIR)$Pi15_ninv15$O $(OBJDIR)$Pi15_reduce$O $(OBJDIR)$Pi15_rshift$O $(OBJDIR)$Pi15_sub$O $(OBJDIR)$Pi15_tmont$O $(OBJDIR)$Pi31_add$O $(OBJDIR)$Pi31_bitlen$O $(OBJDIR)$Pi31_decmod$O $(OBJDIR)$Pi31_decode$O $(OBJDIR)$Pi31_decred$O $(OBJDIR)$Pi31_encode$O $(OBJDIR)$Pi31_fmont$O $(OBJDIR)$Pi31_iszero$O $(OBJDIR)$Pi31_modpow$O $(OBJDIR)$Pi31_modpow2$O $(OBJDIR)$Pi31_montmul$O $(OBJDIR)$Pi31_mulacc$O $(OBJDIR)$Pi31_muladd$O $(OBJDIR)$Pi31_ninv31$O $(OBJDIR)$Pi31_reduce$O $(OBJDIR)$Pi31_rshift$O $(OBJDIR)$Pi31_sub$O $(OBJDIR)$Pi31_tmont$O $(OBJDIR)$Pi32_add$O $(OBJDIR)$Pi32_bitlen$O $(OBJDIR)$Pi32_decmod$O $(OBJDIR)$Pi32_decode$O $(OBJDIR)$Pi32_decred$O $(OBJDIR)$Pi32_div32$O $(OBJDIR)$Pi32_encode$O $(OBJDIR)$Pi32_fmont$O $(OBJDIR)$Pi32_iszero$O $(OBJDIR)$Pi32_modpow$O $(OBJDIR)$Pi32_montmul$O $(OBJDIR)$Pi32_mulacc$O $(OBJDIR)$Pi32_muladd$O $(OBJDIR)$Pi32_ninv32$O $(OBJDIR)$Pi32_reduce$O $(OBJDIR)$Pi32_sub$O $(OBJDIR)$Pi32_tmont$O $(OBJDIR)$Pi62_modpow2$O $(OBJDIR)$Phmac$O $(OBJDIR)$Phmac_ct$O $(OBJDIR)$Phmac_drbg$O $(OBJDIR)$Prsa_default_pkcs1_sign$O $(OBJDIR)$Prsa_default_pkcs1_vrfy$O $(OBJDIR)$Prsa_default_priv$O $(OBJDIR)$Prsa_default_pub$O $(OBJDIR)$Prsa_i15_pkcs1_sign$O $(OBJDIR)$Prsa_i15_pkcs1_vrfy$O $(OBJDIR)$Prsa_i15_priv$O $(OBJDIR)$Prsa_i15_pub$O $(OBJDIR)$Prsa_i31_pkcs1_sign$O $(OBJDIR)$Prsa_i31_pkcs1_vrfy$O $(OBJDIR)$Prsa_i31_priv$O $(OBJDIR)$Prsa_i31_pub$O $(OBJDIR)$Prsa_i32_pkcs1_sign$O $(OBJDIR)$Prsa_i32_pkcs1_vrfy$O $(OBJDIR)$Prsa_i32_priv$O $(OBJDIR)$Prsa_i32_pub$O $(OBJDIR)$Prsa_i62_pkcs1_sign$O $(OBJDIR)$Prsa_i62_pkcs1_vrfy$O $(OBJDIR)$Prsa_i62_priv$O $(OBJDIR)$Prsa_i62_pub$O $(OBJDIR)$Prsa_pkcs1_sig_pad$O $(OBJDIR)$Prsa_pkcs1_sig_unpad$O $(OBJDIR)$Prsa_ssl_decrypt$O $(OBJDIR)$Pprf$O $(OBJDIR)$Pprf_md5sha1$O $(OBJDIR)$Pprf_sha256$O $(OBJDIR)$Pprf_sha384$O $(OBJDIR)$Pssl_ccert_single_ec$O $(OBJDIR)$Pssl_ccert_single_rsa$O $(OBJDIR)$Pssl_client$O $(OBJDIR)$Pssl_client_default_rsapub$O $(OBJDIR)$Pssl_client_full$O $(OBJDIR)$Pssl_engine$O $(OBJDIR)$Pssl_engine_default_aescbc$O $(OBJDIR)$Pssl_engine_default_aesgcm$O $(OBJDIR)$Pssl_engine_default_chapol$O $(OBJDIR)$Pssl_engine_default_descbc$O $(OBJDIR)$Pssl_engine_default_ec$O $(OBJDIR)$Pssl_engine_default_ecdsa$O $(OBJDIR)$Pssl_engine_default_rsavrfy$O $(OBJDIR)$Pssl_hashes$O $(OBJDIR)$Pssl_hs_client$O $(OBJDIR)$Pssl_hs_server$O $(OBJDIR)$Pssl_io$O $(OBJDIR)$Pssl_keyexport$O $(OBJDIR)$Pssl_lru$O $(OBJDIR)$Pssl_rec_cbc$O $(OBJDIR)$Pssl_rec_chapol$O $(OBJDIR)$Pssl_rec_gcm$O $(OBJDIR)$Pssl_scert_single_ec$O $(OBJDIR)$Pssl_scert_single_rsa$O $(OBJDIR)$Pssl_server$O $(OBJDIR)$Pssl_server_full_ec$O $(OBJDIR)$Pssl_server_full_rsa$O $(OBJDIR)$Pssl_server_mine2c$O $(OBJDIR)$Pssl_server_mine2g$O $(OBJDIR)$Pssl_server_minf2c$O $(OBJDIR)$Pssl_server_minf2g$O $(OBJDIR)$Pssl_server_minr2g$O $(OBJDIR)$Pssl_server_minu2g$O $(OBJDIR)$Pssl_server_minv2g$O $(OBJDIR)$Paes_big_cbcdec$O $(OBJDIR)$Paes_big_cbcenc$O $(OBJDIR)$Paes_big_ctr$O $(OBJDIR)$Paes_big_dec$O $(OBJDIR)$Paes_big_enc$O $(OBJDIR)$Paes_common$O $(OBJDIR)$Paes_ct$O $(OBJDIR)$Paes_ct64$O $(OBJDIR)$Paes_ct64_cbcdec$O $(OBJDIR)$Paes_ct64_cbcenc$O $(OBJDIR)$Paes_ct64_ctr$O $(OBJDIR)$Paes_ct64_dec$O $(OBJDIR)$Paes_ct64_enc$O $(OBJDIR)$Paes_ct_cbcdec$O $(OBJDIR)$Paes_ct_cbcenc$O $(OBJDIR)$Paes_ct_ctr$O $(OBJDIR)$Paes_ct_dec$O $(OBJDIR)$Paes_ct_enc$O $(OBJDIR)$Paes_pwr8$O $(OBJDIR)$Paes_pwr8_cbcdec$O $(OBJDIR)$Paes_pwr8_cbcenc$O $(OBJDIR)$Paes_pwr8_ctr$O $(OBJDIR)$Paes_small_cbcdec$O $(OBJDIR)$Paes_small_cbcenc$O $(OBJDIR)$Paes_small_ctr$O $(OBJDIR)$Paes_small_dec$O $(OBJDIR)$Paes_small_enc$O $(OBJDIR)$Paes_x86ni$O $(OBJDIR)$Paes_x86ni_cbcdec$O $(OBJDIR)$Paes_x86ni_cbcenc$O $(OBJDIR)$Paes_x86ni_ctr$O $(OBJDIR)$Pchacha20_ct$O $(OBJDIR)$Pchacha20_sse2$O $(OBJDIR)$Pdes_ct$O $(OBJDIR)$Pdes_ct_cbcdec$O $(OBJDIR)$Pdes_ct_cbcenc$O $(OBJDIR)$Pdes_support$O $(OBJDIR)$Pdes_tab$O $(OBJDIR)$Pdes_tab_cbcdec$O $(OBJDIR)$Pdes_tab_cbcenc$O $(OBJDIR)$Ppoly1305_ctmul$O $(OBJDIR)$Ppoly1305_ctmul32$O $(OBJDIR)$Ppoly1305_ctmulq$O $(OBJDIR)$Ppoly1305_i15$O $(OBJDIR)$Pskey_decoder$O $(OBJDIR)$Px509_decoder$O $(OBJDIR)$Px509_knownkey$O $(OBJDIR)$Px509_minimal$O $(OBJDIR)$Px509_minimal_full$O OBJBRSSL = $(OBJDIR)$Pbrssl$O $(OBJDIR)$Pcerts$O $(OBJDIR)$Pchain$O $(OBJDIR)$Pclient$O $(OBJDIR)$Perrors$O $(OBJDIR)$Pfiles$O $(OBJDIR)$Pkeys$O $(OBJDIR)$Pnames$O $(OBJDIR)$Pserver$O $(OBJDIR)$Pskey$O $(OBJDIR)$Psslio$O $(OBJDIR)$Pta$O $(OBJDIR)$Pvector$O $(OBJDIR)$Pverify$O $(OBJDIR)$Pxmem$O OBJTESTCRYPTO = $(OBJDIR)$Ptest_crypto$O OBJTESTSPEED = $(OBJDIR)$Ptest_speed$O @@ -688,6 +688,9 @@ $(OBJDIR)$Paes_x86ni_ctr$O: src$Psymcipher$Paes_x86ni_ctr.c $(HEADERSPRIV) $(OBJDIR)$Pchacha20_ct$O: src$Psymcipher$Pchacha20_ct.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Pchacha20_ct$O src$Psymcipher$Pchacha20_ct.c +$(OBJDIR)$Pchacha20_sse2$O: src$Psymcipher$Pchacha20_sse2.c $(HEADERSPRIV) + $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Pchacha20_sse2$O src$Psymcipher$Pchacha20_sse2.c + $(OBJDIR)$Pdes_ct$O: src$Psymcipher$Pdes_ct.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Pdes_ct$O src$Psymcipher$Pdes_ct.c diff --git a/mk/mkrules.sh b/mk/mkrules.sh index 4929294..eab5287 100755 --- a/mk/mkrules.sh +++ b/mk/mkrules.sh @@ -258,6 +258,7 @@ coresrc=" \ src/symcipher/aes_x86ni_cbcenc.c \ src/symcipher/aes_x86ni_ctr.c \ src/symcipher/chacha20_ct.c \ + src/symcipher/chacha20_sse2.c \ src/symcipher/des_ct.c \ src/symcipher/des_ct_cbcdec.c \ src/symcipher/des_ct_cbcenc.c \ diff --git a/src/config.h b/src/config.h index c315a53..b06807b 100644 --- a/src/config.h +++ b/src/config.h @@ -162,6 +162,16 @@ #define BR_AES_X86NI 1 */ +/* + * When BR_SSE2 is enabled, SSE2 intrinsics will be used for some + * algorithm implementations that use them (e.g. chacha20_sse2). If this + * is not enabled explicitly, then support for SSE2 intrinsics will be + * automatically detected. If set explicitly to 0, then SSE2 code will + * not be compiled at all. + * +#define BR_SSE2 1 + */ + /* * When BR_POWER8 is enabled, the AES implementation using the POWER ISA * 2.07 opcodes (available on POWER8 processors and later) is compiled. diff --git a/src/inner.h b/src/inner.h index fb7f4a4..2829f23 100644 --- a/src/inner.h +++ b/src/inner.h @@ -144,10 +144,46 @@ #endif #endif +/* + * Determine whether SSE2 intrinsics are understood by the compiler. + * Right now, we restrict ourselves to compiler versions where things + * are documented to work well: + * -- GCC 4.4+ and Clang 3.7+ understand the function attribute "target" + * -- MS Visual Studio 2005 documents the existence of + * SSE2-powered code _might_ work with older versions, but there is no + * pressing need to do so right now. + */ +#ifndef BR_SSE2 +#if (__i386__ || __x86_64__) \ + && ((__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4)) \ + || (__clang_major__ > 3 \ + || (__clang_major__ == 3 && __clang_minor__ >= 7))) +#define BR_SSE2 1 +#elif (_M_IX86 || _M_X64) && (_MSC_VER >= 1400) +#define BR_SSE2 1 +#endif +#endif + +/* + * If we use SSE2 intrinsics, determine the compiler brand. + */ +#if BR_SSE2 +#ifndef BR_SSE2_GCC +#if __GNUC__ +#define BR_SSE2_GCC 1 +#endif +#endif +#ifndef BR_SSE2_MSC +#if _MSC_VER >= 1400 +#define BR_SSE2_MSC 1 +#endif +#endif +#endif + /* * A macro to tag a function with a "target" attribute (for GCC and Clang). */ -#if BR_AES_X86NI_GCC +#if BR_AES_X86NI_GCC || BR_SSE2_GCC #define BR_TARGET(x) __attribute__((target(x))) #else #define BR_TARGET(x) @@ -156,8 +192,8 @@ /* * GCC versions from 4.4 to 4.8 (inclusive) must use a special #pragma * to activate extra opcodes before including the relevant intrinsic - * headers. But these don't work with Clang (which does not need them - * either). We also need that #pragma for GCC 4.9 in order to work + * AES-NI headers. But these don't work with Clang (which does not need + * them either). We also need that #pragma for GCC 4.9 in order to work * around a compiler bug (it tends to blow up on ghash_pclmul code * otherwise). */ diff --git a/src/ssl/ssl_engine_default_chapol.c b/src/ssl/ssl_engine_default_chapol.c index 630286a..47a0c98 100644 --- a/src/ssl/ssl_engine_default_chapol.c +++ b/src/ssl/ssl_engine_default_chapol.c @@ -31,21 +31,35 @@ br_ssl_engine_set_default_chapol(br_ssl_engine_context *cc) #if BR_INT128 || BR_UMUL128 br_poly1305_run bp; #endif +#if BR_SSE2 + br_chacha20_run bc; +#endif br_ssl_engine_set_chapol(cc, &br_sslrec_in_chapol_vtable, &br_sslrec_out_chapol_vtable); - br_ssl_engine_set_chacha20(cc, &br_chacha20_ct_run); +#if BR_SSE2 + bc = br_chacha20_sse2_get(); + if (bc) { + br_ssl_engine_set_chacha20(cc, bc); + } else { +#endif + br_ssl_engine_set_chacha20(cc, &br_chacha20_ct_run); +#if BR_SSE2 + } +#endif #if BR_INT128 || BR_UMUL128 bp = br_poly1305_ctmulq_get(); if (bp) { br_ssl_engine_set_poly1305(cc, bp); - return; - } + } else { #endif #if BR_LOMUL - br_ssl_engine_set_poly1305(cc, &br_poly1305_ctmul32_run); + br_ssl_engine_set_poly1305(cc, &br_poly1305_ctmul32_run); #else - br_ssl_engine_set_poly1305(cc, &br_poly1305_ctmul_run); + br_ssl_engine_set_poly1305(cc, &br_poly1305_ctmul_run); +#endif +#if BR_INT128 || BR_UMUL128 + } #endif } diff --git a/src/symcipher/chacha20_sse2.c b/src/symcipher/chacha20_sse2.c new file mode 100644 index 0000000..0b32d51 --- /dev/null +++ b/src/symcipher/chacha20_sse2.c @@ -0,0 +1,257 @@ +/* + * Copyright (c) 2017 Thomas Pornin + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "inner.h" + +/* + * This file contains a ChaCha20 implementation that leverages SSE2 + * opcodes for better performance. + */ + +#if BR_SSE2 + +#if BR_SSE2_GCC +#include +#include +#endif +#if BR_SSE2_MSC +#include +#endif + +/* see bearssl_block.h */ +BR_TARGET("sse2") +uint32_t +br_chacha20_sse2_run(const void *key, + const void *iv, uint32_t cc, void *data, size_t len) +{ + unsigned char *buf; + uint32_t ivtmp[4]; + __m128i kw0, kw1; + __m128i iw, cw; + __m128i one; + + static const uint32_t CW[] = { + 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 + }; + + buf = data; + kw0 = _mm_loadu_si128(key); + kw1 = _mm_loadu_si128((const void *)((const unsigned char *)key + 16)); + ivtmp[0] = cc; + memcpy(ivtmp + 1, iv, 12); + iw = _mm_loadu_si128((const void *)ivtmp); + cw = _mm_loadu_si128((const void *)CW); + one = _mm_set_epi32(0, 0, 0, 1); + + while (len > 0) { + /* + * sj contains state words 4*j to 4*j+3. + */ + __m128i s0, s1, s2, s3; + int i; + + s0 = cw; + s1 = kw0; + s2 = kw1; + s3 = iw; + for (i = 0; i < 10; i ++) { + /* + * Even round is straightforward application on + * the state words. + */ + s0 = _mm_add_epi32(s0, s1); + s3 = _mm_xor_si128(s3, s0); + s3 = _mm_or_si128( + _mm_slli_epi32(s3, 16), + _mm_srli_epi32(s3, 16)); + + s2 = _mm_add_epi32(s2, s3); + s1 = _mm_xor_si128(s1, s2); + s1 = _mm_or_si128( + _mm_slli_epi32(s1, 12), + _mm_srli_epi32(s1, 20)); + + s0 = _mm_add_epi32(s0, s1); + s3 = _mm_xor_si128(s3, s0); + s3 = _mm_or_si128( + _mm_slli_epi32(s3, 8), + _mm_srli_epi32(s3, 24)); + + s2 = _mm_add_epi32(s2, s3); + s1 = _mm_xor_si128(s1, s2); + s1 = _mm_or_si128( + _mm_slli_epi32(s1, 7), + _mm_srli_epi32(s1, 25)); + + /* + * For the odd round, we must rotate some state + * words so that the computations apply on the + * right combinations of words. + */ + s1 = _mm_shuffle_epi32(s1, 0x39); + s2 = _mm_shuffle_epi32(s2, 0x4E); + s3 = _mm_shuffle_epi32(s3, 0x93); + + s0 = _mm_add_epi32(s0, s1); + s3 = _mm_xor_si128(s3, s0); + s3 = _mm_or_si128( + _mm_slli_epi32(s3, 16), + _mm_srli_epi32(s3, 16)); + + s2 = _mm_add_epi32(s2, s3); + s1 = _mm_xor_si128(s1, s2); + s1 = _mm_or_si128( + _mm_slli_epi32(s1, 12), + _mm_srli_epi32(s1, 20)); + + s0 = _mm_add_epi32(s0, s1); + s3 = _mm_xor_si128(s3, s0); + s3 = _mm_or_si128( + _mm_slli_epi32(s3, 8), + _mm_srli_epi32(s3, 24)); + + s2 = _mm_add_epi32(s2, s3); + s1 = _mm_xor_si128(s1, s2); + s1 = _mm_or_si128( + _mm_slli_epi32(s1, 7), + _mm_srli_epi32(s1, 25)); + + /* + * After the odd round, we rotate back the values + * to undo the rotate at the start of the odd round. + */ + s1 = _mm_shuffle_epi32(s1, 0x93); + s2 = _mm_shuffle_epi32(s2, 0x4E); + s3 = _mm_shuffle_epi32(s3, 0x39); + } + + /* + * Addition with the initial state. + */ + s0 = _mm_add_epi32(s0, cw); + s1 = _mm_add_epi32(s1, kw0); + s2 = _mm_add_epi32(s2, kw1); + s3 = _mm_add_epi32(s3, iw); + + /* + * Increment block counter. + */ + iw = _mm_add_epi32(iw, one); + + /* + * XOR final state with the data. + */ + if (len < 64) { + unsigned char tmp[64]; + size_t u; + + _mm_storeu_si128((void *)(tmp + 0), s0); + _mm_storeu_si128((void *)(tmp + 16), s1); + _mm_storeu_si128((void *)(tmp + 32), s2); + _mm_storeu_si128((void *)(tmp + 48), s3); + for (u = 0; u < len; u ++) { + buf[u] ^= tmp[u]; + } + break; + } else { + __m128i b0, b1, b2, b3; + + b0 = _mm_loadu_si128((const void *)(buf + 0)); + b1 = _mm_loadu_si128((const void *)(buf + 16)); + b2 = _mm_loadu_si128((const void *)(buf + 32)); + b3 = _mm_loadu_si128((const void *)(buf + 48)); + b0 = _mm_xor_si128(b0, s0); + b1 = _mm_xor_si128(b1, s1); + b2 = _mm_xor_si128(b2, s2); + b3 = _mm_xor_si128(b3, s3); + _mm_storeu_si128((void *)(buf + 0), b0); + _mm_storeu_si128((void *)(buf + 16), b1); + _mm_storeu_si128((void *)(buf + 32), b2); + _mm_storeu_si128((void *)(buf + 48), b3); + buf += 64; + len -= 64; + } + } + + /* + * _mm_extract_epi32() requires SSE4.1. We prefer to stick to + * raw SSE2, thus we use _mm_extract_epi16(). + */ + return (uint32_t)_mm_extract_epi16(iw, 0) + | ((uint32_t)_mm_extract_epi16(iw, 1) << 16); +} + +/* see bearssl_block.h */ +br_chacha20_run +br_chacha20_sse2_get(void) +{ + /* + * If using 64-bit mode, then SSE2 opcodes should be automatically + * available, since they are part of the ABI. + * + * In 32-bit mode, we use CPUID to detect the SSE2 feature. + */ + +#if __x86_64__ || _M_X64 + + return &br_chacha20_sse2_run; + +#else + + /* + * SSE2 support is indicated by bit 26 in EDX. + */ +#define MASK 0x04000000 + +#if BR_SSE2_GCC + unsigned eax, ebx, ecx, edx; + + if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) { + if ((edx & MASK) == MASK) { + return &br_chacha20_sse2_run; + } + } +#elif BR_SSE2_MSC + int info[4]; + + __cpuid(info, 1); + if (((uint32_t)info[3] & MASK) == MASK) { + return &br_chacha20_sse2_run; + } +#endif + return 0; + +#endif +} + +#else + +/* see bearssl_block.h */ +br_chacha20_run +br_chacha20_sse2_get(void) +{ + return 0; +} + +#endif diff --git a/test/test_crypto.c b/test/test_crypto.c index 9e68cd9..bea236b 100644 --- a/test/test_crypto.c +++ b/test/test_crypto.c @@ -4178,12 +4178,16 @@ static const struct { }; static void -test_ChaCha20_ct(void) +test_ChaCha20_generic(const char *name, br_chacha20_run cr) { size_t u; - printf("Test ChaCha20_ct: "); + printf("Test %s: ", name); fflush(stdout); + if (cr == 0) { + printf("UNAVAILABLE\n"); + return; + } for (u = 0; KAT_CHACHA20[u].skey; u ++) { unsigned char key[32], nonce[12], plain[400], cipher[400]; @@ -4199,10 +4203,11 @@ test_ChaCha20_ct(void) for (v = 0; v < len; v ++) { unsigned char tmp[400]; size_t w; + uint32_t cc2; memset(tmp, 0, sizeof tmp); memcpy(tmp, plain, v); - if (br_chacha20_ct_run(key, nonce, cc, tmp, v) + if (cr(key, nonce, cc, tmp, v) != cc + (uint32_t)((v + 63) >> 6)) { fprintf(stderr, "ChaCha20: wrong counter\n"); @@ -4218,7 +4223,21 @@ test_ChaCha20_ct(void) exit(EXIT_FAILURE); } } - br_chacha20_ct_run(key, nonce, cc, tmp, v); + for (w = 0, cc2 = cc; w < v; w += 64, cc2 ++) { + size_t x; + + x = v - w; + if (x > 64) { + x = 64; + } + if (cr(key, nonce, cc2, tmp + w, x) + != (cc2 + 1)) + { + fprintf(stderr, "ChaCha20:" + " wrong counter (2)\n"); + exit(EXIT_FAILURE); + } + } if (memcmp(tmp, plain, v) != 0) { fprintf(stderr, "ChaCha20 KAT fail (2)\n"); exit(EXIT_FAILURE); @@ -4233,6 +4252,18 @@ test_ChaCha20_ct(void) fflush(stdout); } +static void +test_ChaCha20_ct(void) +{ + test_ChaCha20_generic("ChaCha20_ct", &br_chacha20_ct_run); +} + +static void +test_ChaCha20_sse2(void) +{ + test_ChaCha20_generic("ChaCha20_sse2", br_chacha20_sse2_get()); +} + static const struct { const char *splain; const char *saad; @@ -6173,6 +6204,7 @@ static const struct { STU(DES_tab), STU(DES_ct), STU(ChaCha20_ct), + STU(ChaCha20_sse2), STU(Poly1305_ctmul), STU(Poly1305_ctmul32), STU(Poly1305_ctmulq), diff --git a/test/test_speed.c b/test/test_speed.c index a09aa04..296e914 100644 --- a/test/test_speed.c +++ b/test/test_speed.c @@ -175,17 +175,24 @@ test_speed_ ## fname(void) \ static void \ test_speed_ ## fname(void) \ { \ + br_chacha20_run bc; \ unsigned char key[32]; \ unsigned char buf[8192]; \ unsigned char iv[12]; \ int i; \ long num; \ \ + bc = br_ ## fname ## _get(); \ + if (bc == 0) { \ + printf("%-30s UNAVAILABLE\n", #Name); \ + fflush(stdout); \ + return; \ + } \ memset(key, 'T', sizeof key); \ memset(buf, 'P', sizeof buf); \ memset(iv, 'X', sizeof iv); \ for (i = 0; i < 10; i ++) { \ - br_ ## fname ## _run(key, iv, i, buf, sizeof buf); \ + bc(key, iv, i, buf, sizeof buf); \ } \ num = 10; \ for (;;) { \ @@ -195,8 +202,7 @@ test_speed_ ## fname(void) \ \ begin = clock(); \ for (k = num; k > 0; k --) { \ - br_ ## fname ## _run(key, iv, \ - (uint32_t)k, buf, sizeof buf); \ + bc(key, iv, (uint32_t)k, buf, sizeof buf); \ } \ end = clock(); \ tt = (double)(end - begin) / CLOCKS_PER_SEC; \ @@ -232,6 +238,7 @@ SPEED_HASH(SHA-512, sha512) #define br_aes_ct64_cbcenc_get_vtable() (&br_aes_ct64_cbcenc_vtable) #define br_aes_ct64_cbcdec_get_vtable() (&br_aes_ct64_cbcdec_vtable) #define br_aes_ct64_ctr_get_vtable() (&br_aes_ct64_ctr_vtable) +#define br_chacha20_ct_get() (&br_chacha20_ct_run) #define SPEED_AES(iname) \ SPEED_BLOCKCIPHER_CBC(AES-128 CBC encrypt (iname), aes128_ ## iname ## _cbcenc, aes_ ## iname, 16, enc) \ @@ -265,7 +272,8 @@ SPEED_BLOCKCIPHER_CBC(3DES CBC decrypt (iname), 3des_ ## iname ## _cbcdec, des_ SPEED_DES(tab) SPEED_DES(ct) -SPEED_CHACHA20(ChaCha20, chacha20_ct) +SPEED_CHACHA20(ChaCha20 (ct), chacha20_ct) +SPEED_CHACHA20(ChaCha20 (sse2), chacha20_sse2) static void test_speed_ghash_inner(char *name, br_ghash gh) @@ -1279,6 +1287,7 @@ static const struct { STU(3des_ct_cbcdec), STU(chacha20_ct), + STU(chacha20_sse2), STU(ghash_ctmul), STU(ghash_ctmul32), -- 2.17.1 From 0cc2e23690c83b6ea015eea3e78cb4236b685509 Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Wed, 26 Jul 2017 16:03:32 +0200 Subject: [PATCH 02/16] Added name for new ChaCha20 implementation. --- tools/names.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/names.c b/tools/names.c index 3b4aa83..8fdcca8 100644 --- a/tools/names.c +++ b/tools/names.c @@ -418,6 +418,8 @@ static const struct { (const void *(*)(void))&br_aes_x86ni_cbcdec_get_vtable }, { "aes_x86ni_ctr", "x86ni", (const void *(*)(void))&br_aes_x86ni_ctr_get_vtable }, + { "chacha20_sse2", "sse2", + (const void *(*)(void))&br_chacha20_sse2_get }, { "ghash_pclmul", "pclmul", (const void *(*)(void))&br_ghash_pclmul_get }, { "ghash_pwr8", "pwr8", -- 2.17.1 From ce1c57909a1b089f1f9a5edafcc76d1b5f8139fc Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Sun, 30 Jul 2017 14:11:45 -0400 Subject: [PATCH 03/16] Fixed br_ssl_session_cache_lru_forget(). --- src/ssl/ssl_lru.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl/ssl_lru.c b/src/ssl/ssl_lru.c index 7a2036b..4c71011 100644 --- a/src/ssl/ssl_lru.c +++ b/src/ssl/ssl_lru.c @@ -530,7 +530,7 @@ void br_ssl_session_cache_lru_forget( * so this is not worth the extra code size. */ mask_id(cc, id, mid); - addr = find_node(cc, id, NULL); + addr = find_node(cc, mid, NULL); if (addr != ADDR_NULL) { br_enc16be(cc->store + addr + VERSION_OFF, 0); } -- 2.17.1 From 93681c283077b838ddfc5e276238640c9ed62343 Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Sun, 30 Jul 2017 23:11:26 +0200 Subject: [PATCH 04/16] Added Twrch support. --- mk/Rules.mk | 5 +- mk/mkrules.sh | 1 + tools/brssl.c | 10 + tools/brssl.h | 10 +- tools/client.c | 2 +- tools/server.c | 17 +- tools/twrch.c | 1066 ++++++++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 1100 insertions(+), 11 deletions(-) create mode 100644 tools/twrch.c diff --git a/mk/Rules.mk b/mk/Rules.mk index 694d04e..247c4bb 100644 --- a/mk/Rules.mk +++ b/mk/Rules.mk @@ -1,7 +1,7 @@ # Automatically generated rules. Use 'mkrules.sh' to modify/regenerate. OBJ = $(OBJDIR)$Pgcm$O $(OBJDIR)$Pccopy$O $(OBJDIR)$Pdec16be$O $(OBJDIR)$Pdec16le$O $(OBJDIR)$Pdec32be$O $(OBJDIR)$Pdec32le$O $(OBJDIR)$Pdec64be$O $(OBJDIR)$Pdec64le$O $(OBJDIR)$Penc16be$O $(OBJDIR)$Penc16le$O $(OBJDIR)$Penc32be$O $(OBJDIR)$Penc32le$O $(OBJDIR)$Penc64be$O $(OBJDIR)$Penc64le$O $(OBJDIR)$Ppemdec$O $(OBJDIR)$Pec_all_m15$O $(OBJDIR)$Pec_all_m31$O $(OBJDIR)$Pec_c25519_i15$O $(OBJDIR)$Pec_c25519_i31$O $(OBJDIR)$Pec_c25519_m15$O $(OBJDIR)$Pec_c25519_m31$O $(OBJDIR)$Pec_curve25519$O $(OBJDIR)$Pec_default$O $(OBJDIR)$Pec_p256_m15$O $(OBJDIR)$Pec_p256_m31$O $(OBJDIR)$Pec_prime_i15$O $(OBJDIR)$Pec_prime_i31$O $(OBJDIR)$Pec_secp256r1$O $(OBJDIR)$Pec_secp384r1$O $(OBJDIR)$Pec_secp521r1$O $(OBJDIR)$Pecdsa_atr$O $(OBJDIR)$Pecdsa_default_sign_asn1$O $(OBJDIR)$Pecdsa_default_sign_raw$O $(OBJDIR)$Pecdsa_default_vrfy_asn1$O $(OBJDIR)$Pecdsa_default_vrfy_raw$O $(OBJDIR)$Pecdsa_i15_bits$O $(OBJDIR)$Pecdsa_i15_sign_asn1$O $(OBJDIR)$Pecdsa_i15_sign_raw$O $(OBJDIR)$Pecdsa_i15_vrfy_asn1$O $(OBJDIR)$Pecdsa_i15_vrfy_raw$O $(OBJDIR)$Pecdsa_i31_bits$O $(OBJDIR)$Pecdsa_i31_sign_asn1$O $(OBJDIR)$Pecdsa_i31_sign_raw$O $(OBJDIR)$Pecdsa_i31_vrfy_asn1$O $(OBJDIR)$Pecdsa_i31_vrfy_raw$O $(OBJDIR)$Pecdsa_rta$O $(OBJDIR)$Pdig_oid$O $(OBJDIR)$Pdig_size$O $(OBJDIR)$Pghash_ctmul$O $(OBJDIR)$Pghash_ctmul32$O $(OBJDIR)$Pghash_ctmul64$O $(OBJDIR)$Pghash_pclmul$O $(OBJDIR)$Pghash_pwr8$O $(OBJDIR)$Pmd5$O $(OBJDIR)$Pmd5sha1$O $(OBJDIR)$Pmultihash$O $(OBJDIR)$Psha1$O $(OBJDIR)$Psha2big$O $(OBJDIR)$Psha2small$O $(OBJDIR)$Pi15_add$O $(OBJDIR)$Pi15_bitlen$O $(OBJDIR)$Pi15_decmod$O $(OBJDIR)$Pi15_decode$O $(OBJDIR)$Pi15_decred$O $(OBJDIR)$Pi15_encode$O $(OBJDIR)$Pi15_fmont$O $(OBJDIR)$Pi15_iszero$O $(OBJDIR)$Pi15_modpow$O $(OBJDIR)$Pi15_modpow2$O $(OBJDIR)$Pi15_montmul$O $(OBJDIR)$Pi15_mulacc$O $(OBJDIR)$Pi15_muladd$O $(OBJDIR)$Pi15_ninv15$O $(OBJDIR)$Pi15_reduce$O $(OBJDIR)$Pi15_rshift$O $(OBJDIR)$Pi15_sub$O $(OBJDIR)$Pi15_tmont$O $(OBJDIR)$Pi31_add$O $(OBJDIR)$Pi31_bitlen$O $(OBJDIR)$Pi31_decmod$O $(OBJDIR)$Pi31_decode$O $(OBJDIR)$Pi31_decred$O $(OBJDIR)$Pi31_encode$O $(OBJDIR)$Pi31_fmont$O $(OBJDIR)$Pi31_iszero$O $(OBJDIR)$Pi31_modpow$O $(OBJDIR)$Pi31_modpow2$O $(OBJDIR)$Pi31_montmul$O $(OBJDIR)$Pi31_mulacc$O $(OBJDIR)$Pi31_muladd$O $(OBJDIR)$Pi31_ninv31$O $(OBJDIR)$Pi31_reduce$O $(OBJDIR)$Pi31_rshift$O $(OBJDIR)$Pi31_sub$O $(OBJDIR)$Pi31_tmont$O $(OBJDIR)$Pi32_add$O $(OBJDIR)$Pi32_bitlen$O $(OBJDIR)$Pi32_decmod$O $(OBJDIR)$Pi32_decode$O $(OBJDIR)$Pi32_decred$O $(OBJDIR)$Pi32_div32$O $(OBJDIR)$Pi32_encode$O $(OBJDIR)$Pi32_fmont$O $(OBJDIR)$Pi32_iszero$O $(OBJDIR)$Pi32_modpow$O $(OBJDIR)$Pi32_montmul$O $(OBJDIR)$Pi32_mulacc$O $(OBJDIR)$Pi32_muladd$O $(OBJDIR)$Pi32_ninv32$O $(OBJDIR)$Pi32_reduce$O $(OBJDIR)$Pi32_sub$O $(OBJDIR)$Pi32_tmont$O $(OBJDIR)$Pi62_modpow2$O $(OBJDIR)$Phmac$O $(OBJDIR)$Phmac_ct$O $(OBJDIR)$Phmac_drbg$O $(OBJDIR)$Prsa_default_pkcs1_sign$O $(OBJDIR)$Prsa_default_pkcs1_vrfy$O $(OBJDIR)$Prsa_default_priv$O $(OBJDIR)$Prsa_default_pub$O $(OBJDIR)$Prsa_i15_pkcs1_sign$O $(OBJDIR)$Prsa_i15_pkcs1_vrfy$O $(OBJDIR)$Prsa_i15_priv$O $(OBJDIR)$Prsa_i15_pub$O $(OBJDIR)$Prsa_i31_pkcs1_sign$O $(OBJDIR)$Prsa_i31_pkcs1_vrfy$O $(OBJDIR)$Prsa_i31_priv$O $(OBJDIR)$Prsa_i31_pub$O $(OBJDIR)$Prsa_i32_pkcs1_sign$O $(OBJDIR)$Prsa_i32_pkcs1_vrfy$O $(OBJDIR)$Prsa_i32_priv$O $(OBJDIR)$Prsa_i32_pub$O $(OBJDIR)$Prsa_i62_pkcs1_sign$O $(OBJDIR)$Prsa_i62_pkcs1_vrfy$O $(OBJDIR)$Prsa_i62_priv$O $(OBJDIR)$Prsa_i62_pub$O $(OBJDIR)$Prsa_pkcs1_sig_pad$O $(OBJDIR)$Prsa_pkcs1_sig_unpad$O $(OBJDIR)$Prsa_ssl_decrypt$O $(OBJDIR)$Pprf$O $(OBJDIR)$Pprf_md5sha1$O $(OBJDIR)$Pprf_sha256$O $(OBJDIR)$Pprf_sha384$O $(OBJDIR)$Pssl_ccert_single_ec$O $(OBJDIR)$Pssl_ccert_single_rsa$O $(OBJDIR)$Pssl_client$O $(OBJDIR)$Pssl_client_default_rsapub$O $(OBJDIR)$Pssl_client_full$O $(OBJDIR)$Pssl_engine$O $(OBJDIR)$Pssl_engine_default_aescbc$O $(OBJDIR)$Pssl_engine_default_aesgcm$O $(OBJDIR)$Pssl_engine_default_chapol$O $(OBJDIR)$Pssl_engine_default_descbc$O $(OBJDIR)$Pssl_engine_default_ec$O $(OBJDIR)$Pssl_engine_default_ecdsa$O $(OBJDIR)$Pssl_engine_default_rsavrfy$O $(OBJDIR)$Pssl_hashes$O $(OBJDIR)$Pssl_hs_client$O $(OBJDIR)$Pssl_hs_server$O $(OBJDIR)$Pssl_io$O $(OBJDIR)$Pssl_keyexport$O $(OBJDIR)$Pssl_lru$O $(OBJDIR)$Pssl_rec_cbc$O $(OBJDIR)$Pssl_rec_chapol$O $(OBJDIR)$Pssl_rec_gcm$O $(OBJDIR)$Pssl_scert_single_ec$O $(OBJDIR)$Pssl_scert_single_rsa$O $(OBJDIR)$Pssl_server$O $(OBJDIR)$Pssl_server_full_ec$O $(OBJDIR)$Pssl_server_full_rsa$O $(OBJDIR)$Pssl_server_mine2c$O $(OBJDIR)$Pssl_server_mine2g$O $(OBJDIR)$Pssl_server_minf2c$O $(OBJDIR)$Pssl_server_minf2g$O $(OBJDIR)$Pssl_server_minr2g$O $(OBJDIR)$Pssl_server_minu2g$O $(OBJDIR)$Pssl_server_minv2g$O $(OBJDIR)$Paes_big_cbcdec$O $(OBJDIR)$Paes_big_cbcenc$O $(OBJDIR)$Paes_big_ctr$O $(OBJDIR)$Paes_big_dec$O $(OBJDIR)$Paes_big_enc$O $(OBJDIR)$Paes_common$O $(OBJDIR)$Paes_ct$O $(OBJDIR)$Paes_ct64$O $(OBJDIR)$Paes_ct64_cbcdec$O $(OBJDIR)$Paes_ct64_cbcenc$O $(OBJDIR)$Paes_ct64_ctr$O $(OBJDIR)$Paes_ct64_dec$O $(OBJDIR)$Paes_ct64_enc$O $(OBJDIR)$Paes_ct_cbcdec$O $(OBJDIR)$Paes_ct_cbcenc$O $(OBJDIR)$Paes_ct_ctr$O $(OBJDIR)$Paes_ct_dec$O $(OBJDIR)$Paes_ct_enc$O $(OBJDIR)$Paes_pwr8$O $(OBJDIR)$Paes_pwr8_cbcdec$O $(OBJDIR)$Paes_pwr8_cbcenc$O $(OBJDIR)$Paes_pwr8_ctr$O $(OBJDIR)$Paes_small_cbcdec$O $(OBJDIR)$Paes_small_cbcenc$O $(OBJDIR)$Paes_small_ctr$O $(OBJDIR)$Paes_small_dec$O $(OBJDIR)$Paes_small_enc$O $(OBJDIR)$Paes_x86ni$O $(OBJDIR)$Paes_x86ni_cbcdec$O $(OBJDIR)$Paes_x86ni_cbcenc$O $(OBJDIR)$Paes_x86ni_ctr$O $(OBJDIR)$Pchacha20_ct$O $(OBJDIR)$Pchacha20_sse2$O $(OBJDIR)$Pdes_ct$O $(OBJDIR)$Pdes_ct_cbcdec$O $(OBJDIR)$Pdes_ct_cbcenc$O $(OBJDIR)$Pdes_support$O $(OBJDIR)$Pdes_tab$O $(OBJDIR)$Pdes_tab_cbcdec$O $(OBJDIR)$Pdes_tab_cbcenc$O $(OBJDIR)$Ppoly1305_ctmul$O $(OBJDIR)$Ppoly1305_ctmul32$O $(OBJDIR)$Ppoly1305_ctmulq$O $(OBJDIR)$Ppoly1305_i15$O $(OBJDIR)$Pskey_decoder$O $(OBJDIR)$Px509_decoder$O $(OBJDIR)$Px509_knownkey$O $(OBJDIR)$Px509_minimal$O $(OBJDIR)$Px509_minimal_full$O -OBJBRSSL = $(OBJDIR)$Pbrssl$O $(OBJDIR)$Pcerts$O $(OBJDIR)$Pchain$O $(OBJDIR)$Pclient$O $(OBJDIR)$Perrors$O $(OBJDIR)$Pfiles$O $(OBJDIR)$Pkeys$O $(OBJDIR)$Pnames$O $(OBJDIR)$Pserver$O $(OBJDIR)$Pskey$O $(OBJDIR)$Psslio$O $(OBJDIR)$Pta$O $(OBJDIR)$Pvector$O $(OBJDIR)$Pverify$O $(OBJDIR)$Pxmem$O +OBJBRSSL = $(OBJDIR)$Pbrssl$O $(OBJDIR)$Pcerts$O $(OBJDIR)$Pchain$O $(OBJDIR)$Pclient$O $(OBJDIR)$Perrors$O $(OBJDIR)$Pfiles$O $(OBJDIR)$Pkeys$O $(OBJDIR)$Pnames$O $(OBJDIR)$Pserver$O $(OBJDIR)$Pskey$O $(OBJDIR)$Psslio$O $(OBJDIR)$Pta$O $(OBJDIR)$Ptwrch$O $(OBJDIR)$Pvector$O $(OBJDIR)$Pverify$O $(OBJDIR)$Pxmem$O OBJTESTCRYPTO = $(OBJDIR)$Ptest_crypto$O OBJTESTSPEED = $(OBJDIR)$Ptest_speed$O OBJTESTX509 = $(OBJDIR)$Ptest_x509$O @@ -775,6 +775,9 @@ $(OBJDIR)$Psslio$O: tools$Psslio.c $(HEADERSTOOLS) $(OBJDIR)$Pta$O: tools$Pta.c $(HEADERSTOOLS) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Pta$O tools$Pta.c +$(OBJDIR)$Ptwrch$O: tools$Ptwrch.c $(HEADERSTOOLS) + $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Ptwrch$O tools$Ptwrch.c + $(OBJDIR)$Pvector$O: tools$Pvector.c $(HEADERSTOOLS) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Pvector$O tools$Pvector.c diff --git a/mk/mkrules.sh b/mk/mkrules.sh index eab5287..26f8546 100755 --- a/mk/mkrules.sh +++ b/mk/mkrules.sh @@ -290,6 +290,7 @@ toolssrc=" \ tools/skey.c \ tools/sslio.c \ tools/ta.c \ + tools/twrch.c \ tools/vector.c \ tools/verify.c \ tools/xmem.c" diff --git a/tools/brssl.c b/tools/brssl.c index aba79e1..76f7539 100644 --- a/tools/brssl.c +++ b/tools/brssl.c @@ -50,6 +50,7 @@ usage(void) fprintf(stderr, " skey decode private key\n"); fprintf(stderr, " ta decode trust anchors\n"); fprintf(stderr, " chain make C code for certificate chains\n"); + fprintf(stderr, " twrch run the Twrch protocol\n"); } int @@ -98,6 +99,15 @@ main(int argc, char *argv[]) if (do_chain(argc - 2, argv + 2) < 0) { return EXIT_FAILURE; } + } else if (eqstr(cmd, "twrch")) { + int ret; + + ret = do_twrch(argc - 2, argv + 2); + if (ret < 0) { + return EXIT_FAILURE; + } else { + return ret; + } } else { fprintf(stderr, "unknown command: '%s'\n", cmd); usage(); diff --git a/tools/brssl.h b/tools/brssl.h index f2957e6..c47a026 100644 --- a/tools/brssl.h +++ b/tools/brssl.h @@ -485,7 +485,8 @@ const char *get_algo_name(const void *algo, int long_name); /* * Run a SSL engine, with a socket connected to the peer, and using - * stdin/stdout to exchange application data. + * stdin/stdout to exchange application data. The socket must be a + * non-blocking descriptor. * * To help with Win32 compatibility, the socket descriptor is provided * as an "unsigned long" value. @@ -538,4 +539,11 @@ int do_ta(int argc, char *argv[]); */ int do_chain(int argc, char *argv[]); +/* + * Do the "twrch" command. Returned value is 0 on success, -1 on failure + * (processing or arguments), or a non-zero exit code. Command-line + * arguments start _after_ the command name. + */ +int do_twrch(int argc, char *argv[]); + #endif diff --git a/tools/client.c b/tools/client.c index fad18e0..acd8512 100644 --- a/tools/client.c +++ b/tools/client.c @@ -764,7 +764,7 @@ do_client(int argc, char *argv[]) } arg = argv[i]; if (minhello_len != (size_t)-1) { - fprintf(stderr, "ERROR: duplicate minium" + fprintf(stderr, "ERROR: duplicate minimum" " ClientHello length\n"); usage_client(); goto client_exit_error; diff --git a/tools/server.c b/tools/server.c index cb04711..cac99c4 100644 --- a/tools/server.c +++ b/tools/server.c @@ -166,7 +166,7 @@ host_bind(const char *host, const char *port, int verbose) } static SOCKET -accept_client(SOCKET server_fd, int verbose) +accept_client(SOCKET server_fd, int verbose, int nonblock) { int fd; SOCKADDR_STORAGE sa; @@ -209,16 +209,16 @@ accept_client(SOCKET server_fd, int verbose) * We make the socket non-blocking, since we are going to use * poll() or select() to organise I/O. */ + if (nonblock) { #ifdef _WIN32 - { u_long arg; arg = 1; ioctlsocket(fd, FIONBIO, &arg); - } #else - fcntl(fd, F_SETFL, O_NONBLOCK); + fcntl(fd, F_SETFL, O_NONBLOCK); #endif + } return fd; } @@ -1177,15 +1177,16 @@ do_server(int argc, char *argv[]) */ for (;;) { int x; + unsigned run_flags; - fd = accept_client(server_fd, verbose); + fd = accept_client(server_fd, verbose, 1); if (fd == INVALID_SOCKET) { goto server_exit_error; } br_ssl_server_reset(&cc); - x = run_ssl_engine(&cc.eng, fd, - (verbose ? RUN_ENGINE_VERBOSE : 0) - | (trace ? RUN_ENGINE_TRACE : 0)); + run_flags = (verbose ? RUN_ENGINE_VERBOSE : 0) + | (trace ? RUN_ENGINE_TRACE : 0); + x = run_ssl_engine(&cc.eng, fd, run_flags); #ifdef _WIN32 closesocket(fd); #else diff --git a/tools/twrch.c b/tools/twrch.c new file mode 100644 index 0000000..3342667 --- /dev/null +++ b/tools/twrch.c @@ -0,0 +1,1066 @@ +/* + * Copyright (c) 2017 Thomas Pornin + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include +#include +#include +#include +#include + +#ifdef _WIN32 +#include +#else +#include +#include +#include +#endif + +#include "brssl.h" + +static int verbose = 0; + +static void +usage_twrch(void) +{ + fprintf(stderr, +"usage: brssl twrch [ options ]\n"); + fprintf(stderr, +"options:\n"); + fprintf(stderr, +" -trace dump all packets on stderr\n"); + fprintf(stderr, +" -v verbose error messages on stderr\n"); + fprintf(stderr, +" -server act as an SSL server\n"); + fprintf(stderr, +" -client act as an SSL client\n"); + fprintf(stderr, +" -sni name use specified name for SNI\n"); + fprintf(stderr, +" -mono use monodirectional buffering\n"); + fprintf(stderr, +" -buf length set the I/O buffer length (in bytes)\n"); + fprintf(stderr, +" -cache length set the session cache storage length (in bytes)\n"); + fprintf(stderr, +" -cert fname read certificate chain from file 'fname'\n"); + fprintf(stderr, +" -key fname read private key from file 'fname'\n"); + fprintf(stderr, +" -CA file add trust anchors from 'file' (for peer auth)\n"); + fprintf(stderr, +" -anon_ok request but do not require a client certificate\n"); + fprintf(stderr, +" -nostaticecdh prohibit full-static ECDH (client only)\n"); + fprintf(stderr, +" -list list supported names (protocols, algorithms...)\n"); + fprintf(stderr, +" -vmin name set minimum supported version (default: TLS-1.0)\n"); + fprintf(stderr, +" -vmax name set maximum supported version (default: TLS-1.2)\n"); + fprintf(stderr, +" -cs names set list of supported cipher suites (comma-separated)\n"); + fprintf(stderr, +" -hf names add support for some hash functions (comma-separated)\n"); + fprintf(stderr, +" -minhello len set minimum ClientHello length (in bytes)\n"); + fprintf(stderr, +" -serverpref enforce server's preferences for cipher suites\n"); + fprintf(stderr, +" -noreneg prohibit renegotiations\n"); + fprintf(stderr, +" -alpn name add protocol name to list of protocols (ALPN extension)\n"); + fprintf(stderr, +" -strictalpn fail on ALPN mismatch\n"); +} + +static void +free_alpn(void *alpn) +{ + xfree(*(char **)alpn); +} + +static void +dump_blob(const char *name, const void *data, size_t len) +{ + const unsigned char *buf; + size_t u; + + buf = data; + fprintf(stderr, "%s (len = %lu)", name, (unsigned long)len); + for (u = 0; u < len; u ++) { + if ((u & 15) == 0) { + fprintf(stderr, "\n%08lX ", (unsigned long)u); + } else if ((u & 7) == 0) { + fprintf(stderr, " "); + } + fprintf(stderr, " %02x", buf[u]); + } + fprintf(stderr, "\n"); +} + +/* + * Callback for reading bytes from standard input. + */ +static int +stdin_read(void *ctx, unsigned char *buf, size_t len) +{ + for (;;) { +#ifdef _WIN32 + DWORD rlen; +#else + ssize_t rlen; +#endif + int eof; + +#ifdef _WIN32 + eof = !ReadFile(GetStdHandle(STD_INPUT_HANDLE), + buf, len, &rlen, NULL) || rlen == 0; +#else + rlen = read(0, buf, len); + if (rlen <= 0) { + if (rlen < 0 && errno == EINTR) { + continue; + } + eof = 1; + } else { + eof = 0; + } +#endif + if (eof) { + if (*(int *)ctx) { + if (verbose) { + fprintf(stderr, "recv: EOF\n"); + } + } + return -1; + } + if (*(int *)ctx) { + dump_blob("recv", buf, (size_t)rlen); + } + return (int)rlen; + } +} + +/* + * Callback for writing bytes on standard output. + */ +static int +stdout_write(void *ctx, const unsigned char *buf, size_t len) +{ + for (;;) { +#ifdef _WIN32 + DWORD wlen; +#else + ssize_t wlen; +#endif + int eof; + +#ifdef _WIN32 + eof = !WriteFile(GetStdHandle(STD_OUTPUT_HANDLE), + buf, len, &wlen, NULL); +#else + wlen = write(1, buf, len); + if (wlen <= 0) { + if (wlen < 0 && errno == EINTR) { + continue; + } + eof = 1; + } else { + eof = 0; + } +#endif + if (eof) { + if (*(int *)ctx) { + if (verbose) { + fprintf(stderr, "send: EOF\n"); + } + } + return -1; + } + if (*(int *)ctx) { + dump_blob("send", buf, (size_t)wlen); + } + return (int)wlen; + } +} + +static void +print_error(int err) +{ + const char *name, *comment; + + name = find_error_name(err, &comment); + if (name != NULL) { + fprintf(stderr, "ERR %d: %s\n %s\n", err, name, comment); + return; + } + if (err >= BR_ERR_RECV_FATAL_ALERT + && err < BR_ERR_RECV_FATAL_ALERT + 256) + { + fprintf(stderr, "ERR %d: received fatal alert %d\n", + err, err - BR_ERR_RECV_FATAL_ALERT); + return; + } + if (err >= BR_ERR_SEND_FATAL_ALERT + && err < BR_ERR_SEND_FATAL_ALERT + 256) + { + fprintf(stderr, "ERR %d: sent fatal alert %d\n", + err, err - BR_ERR_SEND_FATAL_ALERT); + return; + } + fprintf(stderr, "ERR %d: UNKNOWN\n", err); +} + +/* see brssl.h */ +int +do_twrch(int argc, char *argv[]) +{ + int retcode; + int trace; + int is_client; + int is_server; + const char *sni; + int i, bidi; + unsigned vmin, vmax; + cipher_suite *suites; + size_t num_suites; + uint16_t *suite_ids; + unsigned hfuns; + br_x509_certificate *chain; + size_t chain_len; + int cert_signer_algo; + private_key *sk; + int nostaticecdh; + anchor_list anchors = VEC_INIT; + VECTOR(char *) alpn_names = VEC_INIT; + br_x509_minimal_context xc; + x509_noanchor_context xwc; + const br_hash_class *dnhash; + size_t u; + union { + br_ssl_engine_context eng; + br_ssl_server_context srv; + br_ssl_client_context cnt; + } cc; + br_ssl_session_cache_lru lru; + unsigned char *iobuf, *cache; + size_t iobuf_len, cache_len, minhello_len; + br_sslio_context ioc; + uint32_t flags; + int reconnect; + + retcode = 0; + trace = 0; + is_client = 0; + is_server = 0; + sni = NULL; + bidi = 1; + vmin = 0; + vmax = 0; + suites = NULL; + num_suites = 0; + suite_ids = NULL; + hfuns = 0; + chain = NULL; + chain_len = 0; + cert_signer_algo = 0; + sk = NULL; + nostaticecdh = 0; + iobuf = NULL; + iobuf_len = 0; + cache = NULL; + cache_len = (size_t)-1; + minhello_len = (size_t)-1; + flags = 0; + reconnect = 0; + for (i = 0; i < argc; i ++) { + const char *arg; + + arg = argv[i]; + if (arg[0] != '-') { + usage_twrch(); + goto twrch_exit_error; + } + if (eqstr(arg, "-trace")) { + trace = 1; + } else if (eqstr(arg, "-v")) { + verbose = 1; + } else if (eqstr(arg, "-server")) { + is_server = 1; + } else if (eqstr(arg, "-client")) { + is_client = 1; + } else if (eqstr(arg, "-sni")) { + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-sni'\n"); + usage_twrch(); + goto twrch_exit_error; + } + arg = argv[i]; + if (sni != NULL) { + fprintf(stderr, "ERROR: duplicate SNI\n"); + usage_twrch(); + goto twrch_exit_error; + } + sni = arg; + } else if (eqstr(arg, "-mono")) { + bidi = 0; + } else if (eqstr(arg, "-buf")) { + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-buf'\n"); + usage_twrch(); + goto twrch_exit_error; + } + arg = argv[i]; + if (iobuf_len != 0) { + fprintf(stderr, + "ERROR: duplicate I/O buffer length\n"); + usage_twrch(); + goto twrch_exit_error; + } + iobuf_len = parse_size(arg); + if (iobuf_len == (size_t)-1) { + usage_twrch(); + goto twrch_exit_error; + } + } else if (eqstr(arg, "-cache")) { + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-cache'\n"); + usage_twrch(); + goto twrch_exit_error; + } + arg = argv[i]; + if (cache_len != (size_t)-1) { + fprintf(stderr, "ERROR: duplicate session" + " cache length\n"); + usage_twrch(); + goto twrch_exit_error; + } + cache_len = parse_size(arg); + if (cache_len == (size_t)-1) { + usage_twrch(); + goto twrch_exit_error; + } + } else if (eqstr(arg, "-cert")) { + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-cert'\n"); + usage_twrch(); + goto twrch_exit_error; + } + if (chain != NULL) { + fprintf(stderr, + "ERROR: duplicate certificate chain\n"); + usage_twrch(); + goto twrch_exit_error; + } + arg = argv[i]; + chain = read_certificates(arg, &chain_len); + if (chain == NULL || chain_len == 0) { + goto twrch_exit_error; + } + } else if (eqstr(arg, "-key")) { + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-key'\n"); + usage_twrch(); + goto twrch_exit_error; + } + if (sk != NULL) { + fprintf(stderr, + "ERROR: duplicate private key\n"); + usage_twrch(); + goto twrch_exit_error; + } + arg = argv[i]; + sk = read_private_key(arg); + if (sk == NULL) { + goto twrch_exit_error; + } + } else if (eqstr(arg, "-CA")) { + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-CA'\n"); + usage_twrch(); + goto twrch_exit_error; + } + arg = argv[i]; + if (read_trust_anchors(&anchors, arg) == 0) { + usage_twrch(); + goto twrch_exit_error; + } + } else if (eqstr(arg, "-anon_ok")) { + flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH; + } else if (eqstr(arg, "-nostaticecdh")) { + nostaticecdh = 1; + } else if (eqstr(arg, "-list")) { + list_names(); + goto twrch_exit; + } else if (eqstr(arg, "-vmin")) { + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-vmin'\n"); + usage_twrch(); + goto twrch_exit_error; + } + arg = argv[i]; + if (vmin != 0) { + fprintf(stderr, + "ERROR: duplicate minimum version\n"); + usage_twrch(); + goto twrch_exit_error; + } + vmin = parse_version(arg, strlen(arg)); + if (vmin == 0) { + fprintf(stderr, + "ERROR: unrecognised version '%s'\n", + arg); + usage_twrch(); + goto twrch_exit_error; + } + } else if (eqstr(arg, "-vmax")) { + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-vmax'\n"); + usage_twrch(); + goto twrch_exit_error; + } + arg = argv[i]; + if (vmax != 0) { + fprintf(stderr, + "ERROR: duplicate maximum version\n"); + usage_twrch(); + goto twrch_exit_error; + } + vmax = parse_version(arg, strlen(arg)); + if (vmax == 0) { + fprintf(stderr, + "ERROR: unrecognised version '%s'\n", + arg); + usage_twrch(); + goto twrch_exit_error; + } + } else if (eqstr(arg, "-cs")) { + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-cs'\n"); + usage_twrch(); + goto twrch_exit_error; + } + arg = argv[i]; + if (suites != NULL) { + fprintf(stderr, "ERROR: duplicate list" + " of cipher suites\n"); + usage_twrch(); + goto twrch_exit_error; + } + suites = parse_suites(arg, &num_suites); + if (suites == NULL) { + usage_twrch(); + goto twrch_exit_error; + } + } else if (eqstr(arg, "-hf")) { + unsigned x; + + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-hf'\n"); + usage_twrch(); + goto twrch_exit_error; + } + arg = argv[i]; + x = parse_hash_functions(arg); + if (x == 0) { + usage_twrch(); + goto twrch_exit_error; + } + hfuns |= x; + } else if (eqstr(arg, "-minhello")) { + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-minhello'\n"); + usage_twrch(); + goto twrch_exit_error; + } + arg = argv[i]; + if (minhello_len != (size_t)-1) { + fprintf(stderr, "ERROR: duplicate minimum" + " ClientHello length\n"); + usage_twrch(); + goto twrch_exit_error; + } + minhello_len = parse_size(arg); + /* + * Minimum ClientHello length must fit on 16 bits. + */ + if (minhello_len == (size_t)-1 + || (((minhello_len >> 12) >> 4) != 0)) + { + usage_twrch(); + goto twrch_exit_error; + } + } else if (eqstr(arg, "-serverpref")) { + flags |= BR_OPT_ENFORCE_SERVER_PREFERENCES; + } else if (eqstr(arg, "-noreneg")) { + flags |= BR_OPT_NO_RENEGOTIATION; + } else if (eqstr(arg, "-alpn")) { + if (++ i >= argc) { + fprintf(stderr, + "ERROR: no argument for '-alpn'\n"); + usage_twrch(); + goto twrch_exit_error; + } + VEC_ADD(alpn_names, xstrdup(argv[i])); + } else if (eqstr(arg, "-strictalpn")) { + flags |= BR_OPT_FAIL_ON_ALPN_MISMATCH; + } else { + fprintf(stderr, "ERROR: unknown option: '%s'\n", arg); + usage_twrch(); + goto twrch_exit_error; + } + } + + /* + * Verify consistency of options. + */ + if (!is_client && !is_server) { + fprintf(stderr, "ERROR:" + " one of -server and -client must be specified\n"); + usage_twrch(); + goto twrch_exit_error; + } + if (is_client && is_server) { + fprintf(stderr, "ERROR:" + " -server and -client may not be both specified\n"); + usage_twrch(); + goto twrch_exit_error; + } + + if (vmin == 0) { + vmin = BR_TLS10; + } + if (vmax == 0) { + vmax = BR_TLS12; + } + if (vmax < vmin) { + fprintf(stderr, "ERROR: impossible minimum/maximum protocol" + " version combination\n"); + usage_twrch(); + goto twrch_exit_error; + } + if (is_server) { + if (chain == NULL) { + fprintf(stderr, "ERROR: no certificate specified" + " for server (-cert)\n"); + usage_twrch(); + goto twrch_exit_error; + } + if (sk == NULL) { + fprintf(stderr, "ERROR: no private key specified" + " for server (-key)\n"); + usage_twrch(); + goto twrch_exit_error; + } + } else { + if (chain == NULL && sk != NULL) { + fprintf(stderr, "ERROR: private key (-key)" + " but no certificate (-cert)"); + usage_twrch(); + goto twrch_exit_error; + } + if (chain != NULL && sk == NULL) { + fprintf(stderr, "ERROR: certificate (-cert)" + " but no private key (-key)"); + usage_twrch(); + goto twrch_exit_error; + } + } + if (suites == NULL) { + num_suites = 0; + + for (u = 0; cipher_suites[u].name; u ++) { + if ((cipher_suites[u].req & REQ_TLS12) == 0 + || vmax >= BR_TLS12) + { + num_suites ++; + } + } + suites = xmalloc(num_suites * sizeof *suites); + num_suites = 0; + for (u = 0; cipher_suites[u].name; u ++) { + if ((cipher_suites[u].req & REQ_TLS12) == 0 + || vmax >= BR_TLS12) + { + suites[num_suites ++] = cipher_suites[u]; + } + } + } + if (hfuns == 0) { + hfuns = (unsigned)-1; + } + if (sk != NULL) { + switch (sk->key_type) { + int curve; + uint32_t supp; + + case BR_KEYTYPE_RSA: + break; + case BR_KEYTYPE_EC: + curve = sk->key.ec.curve; + supp = br_ec_get_default()->supported_curves; + if (curve > 31 || !((supp >> curve) & 1)) { + fprintf(stderr, "ERROR: private key curve (%d)" + " is not supported\n", curve); + goto twrch_exit_error; + } + break; + default: + fprintf(stderr, "ERROR: unsupported" + " private key type (%d)\n", sk->key_type); + goto twrch_exit_error; + } + } + if (chain != NULL) { + cert_signer_algo = get_cert_signer_algo(chain); + if (cert_signer_algo == 0) { + goto twrch_exit_error; + } + } + if (iobuf_len == 0) { + if (bidi) { + iobuf_len = BR_SSL_BUFSIZE_BIDI; + } else { + iobuf_len = BR_SSL_BUFSIZE_MONO; + } + } + iobuf = xmalloc(iobuf_len); + if (is_server) { + if (cache_len == (size_t)-1) { + cache_len = 5000; + } + cache = xmalloc(cache_len); + } + + /* + * Initialise the relevant context. + */ + if (is_client) { + br_ssl_client_zero(&cc.cnt); + } else { + br_ssl_server_zero(&cc.srv); + } + + /* + * Compute implementation requirements and inject implementations. + */ + suite_ids = xmalloc(num_suites * sizeof *suite_ids); + br_ssl_engine_set_versions(&cc.eng, vmin, vmax); + br_ssl_engine_set_all_flags(&cc.eng, flags); + if (vmin <= BR_TLS11) { + if (!(hfuns & (1 << br_md5_ID))) { + fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need MD5\n"); + goto twrch_exit_error; + } + if (!(hfuns & (1 << br_sha1_ID))) { + fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need SHA-1\n"); + goto twrch_exit_error; + } + } + for (u = 0; u < num_suites; u ++) { + unsigned req; + + req = suites[u].req; + suite_ids[u] = suites[u].suite; + if ((req & REQ_TLS12) != 0 && vmax < BR_TLS12) { + fprintf(stderr, + "ERROR: cipher suite %s requires TLS 1.2\n", + suites[u].name); + goto twrch_exit_error; + } + if ((req & REQ_SHA1) != 0 && !(hfuns & (1 << br_sha1_ID))) { + fprintf(stderr, + "ERROR: cipher suite %s requires SHA-1\n", + suites[u].name); + goto twrch_exit_error; + } + if ((req & REQ_SHA256) != 0 && !(hfuns & (1 << br_sha256_ID))) { + fprintf(stderr, + "ERROR: cipher suite %s requires SHA-256\n", + suites[u].name); + goto twrch_exit_error; + } + if ((req & REQ_SHA384) != 0 && !(hfuns & (1 << br_sha384_ID))) { + fprintf(stderr, + "ERROR: cipher suite %s requires SHA-384\n", + suites[u].name); + goto twrch_exit_error; + } + /* TODO: algorithm implementation selection */ + if ((req & REQ_AESCBC) != 0) { + br_ssl_engine_set_default_aes_cbc(&cc.eng); + } + if ((req & REQ_AESGCM) != 0) { + br_ssl_engine_set_default_aes_gcm(&cc.eng); + } + if ((req & REQ_CHAPOL) != 0) { + br_ssl_engine_set_default_chapol(&cc.eng); + } + if ((req & REQ_3DESCBC) != 0) { + br_ssl_engine_set_default_des_cbc(&cc.eng); + } + if (is_client && (req & REQ_RSAKEYX) != 0) { + br_ssl_client_set_default_rsapub(&cc.cnt); + } + if (is_client && (req & REQ_ECDHE_RSA) != 0) { + br_ssl_engine_set_default_rsavrfy(&cc.eng); + } + if (is_client && (req & REQ_ECDH) != 0) { + br_ssl_engine_set_default_ec(&cc.eng); + } + if ((req & (REQ_ECDHE_RSA | REQ_ECDHE_ECDSA)) != 0) { + br_ssl_engine_set_default_ec(&cc.eng); + } + } + br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites); + + dnhash = NULL; + for (u = 0; hash_functions[u].name; u ++) { + const br_hash_class *hc; + int id; + + hc = hash_functions[u].hclass; + id = (hc->desc >> BR_HASHDESC_ID_OFF) & BR_HASHDESC_ID_MASK; + if ((hfuns & ((unsigned)1 << id)) != 0) { + dnhash = hc; + br_ssl_engine_set_hash(&cc.eng, id, hc); + } + } + if (vmin <= BR_TLS11) { + br_ssl_engine_set_prf10(&cc.eng, &br_tls10_prf); + } + if (vmax >= BR_TLS12) { + if ((hfuns & ((unsigned)1 << br_sha256_ID)) != 0) { + br_ssl_engine_set_prf_sha256(&cc.eng, + &br_tls12_sha256_prf); + } + if ((hfuns & ((unsigned)1 << br_sha384_ID)) != 0) { + br_ssl_engine_set_prf_sha384(&cc.eng, + &br_tls12_sha384_prf); + } + } + if (VEC_LEN(alpn_names) != 0) { + br_ssl_engine_set_protocol_names(&cc.eng, + (const char **)&VEC_ELT(alpn_names, 0), + VEC_LEN(alpn_names)); + } + + /* + * In server role, we use a session cache (size can be + * specified; if size is zero, then no cache is set). + */ + if (is_server && cache != NULL) { + br_ssl_session_cache_lru_init(&lru, cache, cache_len); + br_ssl_server_set_cache(&cc.srv, &lru.vtable); + } + + /* + * For a server, set the policy handler. + */ + if (is_server) { + switch (sk->key_type) { + case BR_KEYTYPE_RSA: + br_ssl_server_set_single_rsa(&cc.srv, + chain, chain_len, &sk->key.rsa, + BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, + br_rsa_private_get_default(), + br_rsa_pkcs1_sign_get_default()); + break; + case BR_KEYTYPE_EC: + br_ssl_server_set_single_ec(&cc.srv, + chain, chain_len, &sk->key.ec, + BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, + cert_signer_algo, + br_ec_get_default(), + br_ecdsa_sign_asn1_get_default()); + break; + default: + fprintf(stderr, "ERROR: unsupported" + " private key type (%d)\n", sk->key_type); + goto twrch_exit_error; + } + } + + /* + * For a client, if a certificate was specified, use it. + */ + if (is_client && chain != NULL) { + switch (sk->key_type) { + unsigned usages; + + case BR_KEYTYPE_RSA: + br_ssl_client_set_single_rsa(&cc.cnt, + chain, chain_len, &sk->key.rsa, + br_rsa_pkcs1_sign_get_default()); + break; + case BR_KEYTYPE_EC: + if (nostaticecdh) { + cert_signer_algo = 0; + usages = BR_KEYTYPE_SIGN; + } else { + usages = BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN; + } + br_ssl_client_set_single_ec(&cc.cnt, + chain, chain_len, &sk->key.ec, + usages, cert_signer_algo, + br_ec_get_default(), + br_ecdsa_sign_asn1_get_default()); + break; + default: + fprintf(stderr, "ERROR: unsupported" + " private key type (%d)\n", sk->key_type); + goto twrch_exit_error; + } + } + + /* + * On a client, or if trust anchors have been configured, then + * set an X.509 validation engine. If there are no trust anchors + * (client only), then a "no anchor" wrapper will be applied. + */ + if (is_client || VEC_LEN(anchors) != 0) { + br_x509_minimal_init(&xc, dnhash, + &VEC_ELT(anchors, 0), VEC_LEN(anchors)); + for (u = 0; hash_functions[u].name; u ++) { + const br_hash_class *hc; + int id; + + hc = hash_functions[u].hclass; + id = (hc->desc >> BR_HASHDESC_ID_OFF) + & BR_HASHDESC_ID_MASK; + if ((hfuns & ((unsigned)1 << id)) != 0) { + br_x509_minimal_set_hash(&xc, id, hc); + } + } + br_ssl_engine_set_default_rsavrfy(&cc.eng); + br_ssl_engine_set_default_ecdsa(&cc.eng); + br_x509_minimal_set_rsa(&xc, br_rsa_pkcs1_vrfy_get_default()); + br_x509_minimal_set_ecdsa(&xc, + br_ec_get_default(), br_ecdsa_vrfy_asn1_get_default()); + br_ssl_engine_set_x509(&cc.eng, &xc.vtable); + + if (VEC_LEN(anchors) == 0) { + x509_noanchor_init(&xwc, &xc.vtable); + br_ssl_engine_set_x509(&cc.eng, &xwc.vtable); + } else { + br_ssl_engine_set_x509(&cc.eng, &xc.vtable); + } + if (is_server) { + br_ssl_server_set_trust_anchor_names_alt(&cc.srv, + &VEC_ELT(anchors, 0), VEC_LEN(anchors)); + } + } + + /* + * Set I/O buffer. + */ + br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi); + + /* + * Start the engine. + */ + if (is_client) { + br_ssl_client_reset(&cc.cnt, sni, 0); + } + if (is_server) { + br_ssl_server_reset(&cc.srv); + } + + /* + * On Unix systems, we want to ignore SIGPIPE: if the peer + * closes the connection abruptly, then we want to report it + * as a "normal" error (exit code = 1). + */ +#ifndef _WIN32 + signal(SIGPIPE, SIG_IGN); +#endif + + /* + * Initialize the callbacks for exchanging data over stdin and + * stdout. + */ + br_sslio_init(&ioc, &cc.eng, stdin_read, &trace, stdout_write, &trace); + + /* + * Run the Twrch protocol. + */ + for (;;) { + br_sha1_context sc; + unsigned char hv[20], tmp[41]; + uint64_t count; + int fb, i; + + /* + * Read line, byte by byte, hashing it on the fly. + */ + br_sha1_init(&sc); + count = 0; + fb = 0; + for (;;) { + unsigned char x; + + if (br_sslio_read(&ioc, &x, 1) < 0) { + if (count == 0 && reconnect) { + reconnect = 0; + if (br_sslio_close(&ioc) < 0) { + goto twrch_loop_finished; + } + if (is_client) { + br_ssl_client_reset( + &cc.cnt, sni, 1); + } + if (is_server) { + br_ssl_server_reset(&cc.srv); + } + br_sslio_init(&ioc, &cc.eng, + stdin_read, &trace, + stdout_write, &trace); + continue; + } + goto twrch_loop_finished; + } + if (count == 0) { + fb = x; + } + if (x == 0x0A) { + break; + } + br_sha1_update(&sc, &x, 1); + count ++; + } + if (count == 1) { + switch (fb) { + case 'C': + br_sslio_close(&ioc); + goto twrch_loop_finished; + case 'T': + if (br_sslio_close(&ioc) < 0) { + goto twrch_loop_finished; + } + if (is_client) { + br_ssl_client_reset(&cc.cnt, sni, 1); + } + if (is_server) { + br_ssl_server_reset(&cc.srv); + } + br_sslio_init(&ioc, &cc.eng, + stdin_read, &trace, + stdout_write, &trace); + continue; + case 'G': + if (!br_ssl_engine_renegotiate(&cc.eng)) { + br_sslio_write_all(&ioc, "DENIED\n", 7); + br_sslio_flush(&ioc); + } else { + br_sslio_write_all(&ioc, "OK\n", 3); + br_sslio_flush(&ioc); + } + continue; + case 'R': + reconnect = 1; + br_sslio_write_all(&ioc, "OK\n", 3); + br_sslio_flush(&ioc); + continue; + case 'U': + if (is_client) { + br_ssl_client_forget_session(&cc.cnt); + } + if (is_server && cache != NULL) { + br_ssl_session_parameters pp; + + br_ssl_engine_get_session_parameters( + &cc.eng, &pp); + if (pp.session_id_len == 32) { + br_ssl_session_cache_lru_forget( + &lru, pp.session_id); + } + } + br_sslio_write_all(&ioc, "DONE\n", 5); + br_sslio_flush(&ioc); + continue; + } + } + br_sha1_out(&sc, hv); + for (i = 0; i < 20; i ++) { + int x; + + x = hv[i]; + tmp[(i << 1) + 0] = "0123456789abcdef"[x >> 4]; + tmp[(i << 1) + 1] = "0123456789abcdef"[x & 15]; + } + tmp[40] = 0x0A; + br_sslio_write_all(&ioc, tmp, 41); + br_sslio_flush(&ioc); + } + +twrch_loop_finished: + if (br_ssl_engine_current_state(&cc.eng) == BR_SSL_CLOSED) { + int err; + + err = br_ssl_engine_last_error(&cc.eng); + if (err == 0) { + retcode = 0; + } else { + if (verbose) { + print_error(err); + } + retcode = 1; + } + } else { + if (verbose) { + fprintf(stderr, "Engine not closed!\n"); + } + retcode = 1; + } + + /* + * Release allocated structures. + */ +twrch_exit: + xfree(suites); + xfree(suite_ids); + free_certificates(chain, chain_len); + free_private_key(sk); + VEC_CLEAREXT(anchors, &free_ta_contents); + VEC_CLEAREXT(alpn_names, &free_alpn); + xfree(iobuf); + xfree(cache); + return retcode; + +twrch_exit_error: + retcode = -1; + goto twrch_exit; +} -- 2.17.1 From ceb6ded7b9dbd9c6cf16ab0b62e17a1123d84093 Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Sun, 30 Jul 2017 23:26:06 +0200 Subject: [PATCH 05/16] Fixed documentation (new include file for AEAD). --- Doxyfile | 2 +- inc/bearssl.h | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Doxyfile b/Doxyfile index 8d0030e..df5bc95 100644 --- a/Doxyfile +++ b/Doxyfile @@ -771,7 +771,7 @@ WARN_LOGFILE = # spaces. See also FILE_PATTERNS and EXTENSION_MAPPING # Note: If this tag is empty the current directory is searched. -INPUT = inc/bearssl.h inc/bearssl_block.h inc/bearssl_ec.h inc/bearssl_hash.h inc/bearssl_hmac.h inc/bearssl_pem.h inc/bearssl_prf.h inc/bearssl_rand.h inc/bearssl_rsa.h inc/bearssl_ssl.h inc/bearssl_x509.h +INPUT = inc/bearssl.h inc/bearssl_aead.h inc/bearssl_block.h inc/bearssl_ec.h inc/bearssl_hash.h inc/bearssl_hmac.h inc/bearssl_pem.h inc/bearssl_prf.h inc/bearssl_rand.h inc/bearssl_rsa.h inc/bearssl_ssl.h inc/bearssl_x509.h # This tag can be used to specify the character encoding of the source files # that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses diff --git a/inc/bearssl.h b/inc/bearssl.h index 3436789..de62963 100644 --- a/inc/bearssl.h +++ b/inc/bearssl.h @@ -42,6 +42,7 @@ * | bearssl_rand.h | Pseudorandom byte generators | * | bearssl_prf.h | PRF implementations (for SSL/TLS) | * | bearssl_block.h | Symmetric encryption | + * | bearssl_aead.h | AEAD algorithms (combined encryption + MAC) | * | bearssl_rsa.h | RSA encryption and signatures | * | bearssl_ec.h | Elliptic curves support (including ECDSA) | * | bearssl_ssl.h | SSL/TLS engine interface | -- 2.17.1 From 79eec9d9e36f9406cba99a1eb328d408f6f2d1ee Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Mon, 14 Aug 2017 14:15:13 +0200 Subject: [PATCH 06/16] Some renaming to avoid spurious warnings on some old GCC versions. --- src/ec/ec_p256_m31.c | 22 +++++++++++----------- src/int/i15_modpow2.c | 6 +++--- src/int/i31_modpow2.c | 6 +++--- src/x509/x509_minimal.c | 5 +++++ src/x509/x509_minimal.t0 | 5 +++++ 5 files changed, 27 insertions(+), 17 deletions(-) diff --git a/src/ec/ec_p256_m31.c b/src/ec/ec_p256_m31.c index 0462c15..b9826c3 100644 --- a/src/ec/ec_p256_m31.c +++ b/src/ec/ec_p256_m31.c @@ -423,17 +423,17 @@ mul_f256(uint32_t *d, const uint32_t *a, const uint32_t *b) } for (i = 17; i >= 9; i --) { - uint64_t x; - - x = s[i]; - s[i - 1] += ARSHW(x, 2); - s[i - 2] += (x << 28) & 0x3FFFFFFF; - s[i - 2] -= ARSHW(x, 4); - s[i - 3] -= (x << 26) & 0x3FFFFFFF; - s[i - 5] -= ARSHW(x, 10); - s[i - 6] -= (x << 20) & 0x3FFFFFFF; - s[i - 8] += ARSHW(x, 16); - s[i - 9] += (x << 14) & 0x3FFFFFFF; + uint64_t y; + + y = s[i]; + s[i - 1] += ARSHW(y, 2); + s[i - 2] += (y << 28) & 0x3FFFFFFF; + s[i - 2] -= ARSHW(y, 4); + s[i - 3] -= (y << 26) & 0x3FFFFFFF; + s[i - 5] -= ARSHW(y, 10); + s[i - 6] -= (y << 20) & 0x3FFFFFFF; + s[i - 8] += ARSHW(y, 16); + s[i - 9] += (y << 14) & 0x3FFFFFFF; } /* diff --git a/src/int/i15_modpow2.c b/src/int/i15_modpow2.c index 37073a4..4b32118 100644 --- a/src/int/i15_modpow2.c +++ b/src/int/i15_modpow2.c @@ -134,11 +134,11 @@ br_i15_modpow_opt(uint16_t *x, br_i15_zero(t2, m[0]); base = t2 + mwlen; for (u = 1; u < ((uint32_t)1 << k); u ++) { - uint32_t m; + uint32_t mask; - m = -EQ(u, bits); + mask = -EQ(u, bits); for (v = 1; v < mwlen; v ++) { - t2[v] |= m & base[v]; + t2[v] |= mask & base[v]; } base += mwlen; } diff --git a/src/int/i31_modpow2.c b/src/int/i31_modpow2.c index 23ae0cd..0b8f8cf 100644 --- a/src/int/i31_modpow2.c +++ b/src/int/i31_modpow2.c @@ -134,11 +134,11 @@ br_i31_modpow_opt(uint32_t *x, br_i31_zero(t2, m[0]); base = t2 + mwlen; for (u = 1; u < ((uint32_t)1 << k); u ++) { - uint32_t m; + uint32_t mask; - m = -EQ(u, bits); + mask = -EQ(u, bits); for (v = 1; v < mwlen; v ++) { - t2[v] |= m & base[v]; + t2[v] |= mask & base[v]; } base += mwlen; } diff --git a/src/x509/x509_minimal.c b/src/x509/x509_minimal.c index 5da61e1..a8283e3 100644 --- a/src/x509/x509_minimal.c +++ b/src/x509/x509_minimal.c @@ -222,8 +222,13 @@ void br_x509_minimal_run(void *t0ctx); #include #endif +/* + * The T0 compiler will produce these prototypes declarations in the + * header. + * void br_x509_minimal_init_main(void *ctx); void br_x509_minimal_run(void *ctx); + */ /* see bearssl_x509.h */ void diff --git a/src/x509/x509_minimal.t0 b/src/x509/x509_minimal.t0 index 1b1f684..2104d2c 100644 --- a/src/x509/x509_minimal.t0 +++ b/src/x509/x509_minimal.t0 @@ -171,8 +171,13 @@ preamble { #include #endif +/* + * The T0 compiler will produce these prototypes declarations in the + * header. + * void br_x509_minimal_init_main(void *ctx); void br_x509_minimal_run(void *ctx); + */ /* see bearssl_x509.h */ void -- 2.17.1 From 8cd3f8fecbb8eee7d4cd71c464694cf1621c5e99 Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Mon, 14 Aug 2017 19:55:34 +0200 Subject: [PATCH 07/16] Some more renaming to avoid shadowing. --- src/ec/ec_p256_m31.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/ec/ec_p256_m31.c b/src/ec/ec_p256_m31.c index b9826c3..ec22c3e 100644 --- a/src/ec/ec_p256_m31.c +++ b/src/ec/ec_p256_m31.c @@ -535,17 +535,17 @@ square_f256(uint32_t *d, const uint32_t *a) } for (i = 17; i >= 9; i --) { - uint64_t x; - - x = s[i]; - s[i - 1] += ARSHW(x, 2); - s[i - 2] += (x << 28) & 0x3FFFFFFF; - s[i - 2] -= ARSHW(x, 4); - s[i - 3] -= (x << 26) & 0x3FFFFFFF; - s[i - 5] -= ARSHW(x, 10); - s[i - 6] -= (x << 20) & 0x3FFFFFFF; - s[i - 8] += ARSHW(x, 16); - s[i - 9] += (x << 14) & 0x3FFFFFFF; + uint64_t y; + + y = s[i]; + s[i - 1] += ARSHW(y, 2); + s[i - 2] += (y << 28) & 0x3FFFFFFF; + s[i - 2] -= ARSHW(y, 4); + s[i - 3] -= (y << 26) & 0x3FFFFFFF; + s[i - 5] -= ARSHW(y, 10); + s[i - 6] -= (y << 20) & 0x3FFFFFFF; + s[i - 8] += ARSHW(y, 16); + s[i - 9] += (y << 14) & 0x3FFFFFFF; } /* -- 2.17.1 From 8e86598b33f9df81d1f77d6cc32568d9ae119d67 Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Sat, 19 Aug 2017 15:50:45 +0200 Subject: [PATCH 08/16] Added intermediate casts to void* to prevent spurious warnings (with Clang and -Wcast-align). --- src/codec/pemdec.c | 2 +- src/codec/pemdec.t0 | 2 +- src/ssl/ssl_hs_client.c | 10 +++++----- src/ssl/ssl_hs_common.t0 | 10 +++++----- src/ssl/ssl_hs_server.c | 10 +++++----- src/x509/asn1.t0 | 8 ++++---- src/x509/skey_decoder.c | 2 +- src/x509/skey_decoder.t0 | 2 +- src/x509/x509_decoder.c | 4 ++-- src/x509/x509_decoder.t0 | 2 +- src/x509/x509_minimal.c | 10 +++++----- src/x509/x509_minimal.t0 | 2 +- tools/client.c | 6 ++++-- tools/server.c | 4 ++-- 14 files changed, 38 insertions(+), 36 deletions(-) diff --git a/src/codec/pemdec.c b/src/codec/pemdec.c index 51e610b..db8f0e6 100644 --- a/src/codec/pemdec.c +++ b/src/codec/pemdec.c @@ -69,7 +69,7 @@ void br_pem_decoder_run(void *t0ctx); #include "inner.h" -#define CTX ((br_pem_decoder_context *)((unsigned char *)t0ctx - offsetof(br_pem_decoder_context, cpu))) +#define CTX ((br_pem_decoder_context *)(void *)((unsigned char *)t0ctx - offsetof(br_pem_decoder_context, cpu))) /* see bearssl_pem.h */ void diff --git a/src/codec/pemdec.t0 b/src/codec/pemdec.t0 index ba4a9e2..d76be44 100644 --- a/src/codec/pemdec.t0 +++ b/src/codec/pemdec.t0 @@ -24,7 +24,7 @@ preamble { #include "inner.h" -#define CTX ((br_pem_decoder_context *)((unsigned char *)t0ctx - offsetof(br_pem_decoder_context, cpu))) +#define CTX ((br_pem_decoder_context *)(void *)((unsigned char *)t0ctx - offsetof(br_pem_decoder_context, cpu))) /* see bearssl_pem.h */ void diff --git a/src/ssl/ssl_hs_client.c b/src/ssl/ssl_hs_client.c index 9d3418b..2faba6a 100644 --- a/src/ssl/ssl_hs_client.c +++ b/src/ssl/ssl_hs_client.c @@ -75,7 +75,7 @@ void br_ssl_hs_client_run(void *t0ctx); /* * This macro evaluates to a pointer to the current engine context. */ -#define ENG ((br_ssl_engine_context *)((unsigned char *)t0ctx - offsetof(br_ssl_engine_context, cpu))) +#define ENG ((br_ssl_engine_context *)(void *)((unsigned char *)t0ctx - offsetof(br_ssl_engine_context, cpu))) @@ -1397,7 +1397,7 @@ br_ssl_hs_client_run(void *t0ctx) /* get16 */ size_t addr = (size_t)T0_POP(); - T0_PUSH(*(uint16_t *)((unsigned char *)ENG + addr)); + T0_PUSH(*(uint16_t *)(void *)((unsigned char *)ENG + addr)); } break; @@ -1405,7 +1405,7 @@ br_ssl_hs_client_run(void *t0ctx) /* get32 */ size_t addr = (size_t)T0_POP(); - T0_PUSH(*(uint32_t *)((unsigned char *)ENG + addr)); + T0_PUSH(*(uint32_t *)(void *)((unsigned char *)ENG + addr)); } break; @@ -1557,7 +1557,7 @@ br_ssl_hs_client_run(void *t0ctx) /* set16 */ size_t addr = (size_t)T0_POP(); - *(uint16_t *)((unsigned char *)ENG + addr) = (uint16_t)T0_POP(); + *(uint16_t *)(void *)((unsigned char *)ENG + addr) = (uint16_t)T0_POP(); } break; @@ -1565,7 +1565,7 @@ br_ssl_hs_client_run(void *t0ctx) /* set32 */ size_t addr = (size_t)T0_POP(); - *(uint32_t *)((unsigned char *)ENG + addr) = (uint32_t)T0_POP(); + *(uint32_t *)(void *)((unsigned char *)ENG + addr) = (uint32_t)T0_POP(); } break; diff --git a/src/ssl/ssl_hs_common.t0 b/src/ssl/ssl_hs_common.t0 index dc025ff..f4ad65b 100644 --- a/src/ssl/ssl_hs_common.t0 +++ b/src/ssl/ssl_hs_common.t0 @@ -34,7 +34,7 @@ preamble { /* * This macro evaluates to a pointer to the current engine context. */ -#define ENG ((br_ssl_engine_context *)((unsigned char *)t0ctx - offsetof(br_ssl_engine_context, cpu))) +#define ENG ((br_ssl_engine_context *)(void *)((unsigned char *)t0ctx - offsetof(br_ssl_engine_context, cpu))) } @@ -112,13 +112,13 @@ cc: get8 ( addr -- val ) { \ Read a 16-bit word from the context (address is offset in context). cc: get16 ( addr -- val ) { size_t addr = (size_t)T0_POP(); - T0_PUSH(*(uint16_t *)((unsigned char *)ENG + addr)); + T0_PUSH(*(uint16_t *)(void *)((unsigned char *)ENG + addr)); } \ Read a 32-bit word from the context (address is offset in context). cc: get32 ( addr -- val ) { size_t addr = (size_t)T0_POP(); - T0_PUSH(*(uint32_t *)((unsigned char *)ENG + addr)); + T0_PUSH(*(uint32_t *)(void *)((unsigned char *)ENG + addr)); } \ Set a byte in the context (address is offset in context). @@ -130,13 +130,13 @@ cc: set8 ( val addr -- ) { \ Set a 16-bit word in the context (address is offset in context). cc: set16 ( val addr -- ) { size_t addr = (size_t)T0_POP(); - *(uint16_t *)((unsigned char *)ENG + addr) = (uint16_t)T0_POP(); + *(uint16_t *)(void *)((unsigned char *)ENG + addr) = (uint16_t)T0_POP(); } \ Set a 32-bit word in the context (address is offset in context). cc: set32 ( val addr -- ) { size_t addr = (size_t)T0_POP(); - *(uint32_t *)((unsigned char *)ENG + addr) = (uint32_t)T0_POP(); + *(uint32_t *)(void *)((unsigned char *)ENG + addr) = (uint32_t)T0_POP(); } \ Define a word that evaluates as an address of a field within the diff --git a/src/ssl/ssl_hs_server.c b/src/ssl/ssl_hs_server.c index 3970d28..5dd30a1 100644 --- a/src/ssl/ssl_hs_server.c +++ b/src/ssl/ssl_hs_server.c @@ -75,7 +75,7 @@ void br_ssl_hs_server_run(void *t0ctx); /* * This macro evaluates to a pointer to the current engine context. */ -#define ENG ((br_ssl_engine_context *)((unsigned char *)t0ctx - offsetof(br_ssl_engine_context, cpu))) +#define ENG ((br_ssl_engine_context *)(void *)((unsigned char *)t0ctx - offsetof(br_ssl_engine_context, cpu))) @@ -1454,7 +1454,7 @@ br_ssl_hs_server_run(void *t0ctx) /* get16 */ size_t addr = (size_t)T0_POP(); - T0_PUSH(*(uint16_t *)((unsigned char *)ENG + addr)); + T0_PUSH(*(uint16_t *)(void *)((unsigned char *)ENG + addr)); } break; @@ -1462,7 +1462,7 @@ br_ssl_hs_server_run(void *t0ctx) /* get32 */ size_t addr = (size_t)T0_POP(); - T0_PUSH(*(uint32_t *)((unsigned char *)ENG + addr)); + T0_PUSH(*(uint32_t *)(void *)((unsigned char *)ENG + addr)); } break; @@ -1635,7 +1635,7 @@ br_ssl_hs_server_run(void *t0ctx) /* set16 */ size_t addr = (size_t)T0_POP(); - *(uint16_t *)((unsigned char *)ENG + addr) = (uint16_t)T0_POP(); + *(uint16_t *)(void *)((unsigned char *)ENG + addr) = (uint16_t)T0_POP(); } break; @@ -1643,7 +1643,7 @@ br_ssl_hs_server_run(void *t0ctx) /* set32 */ size_t addr = (size_t)T0_POP(); - *(uint32_t *)((unsigned char *)ENG + addr) = (uint32_t)T0_POP(); + *(uint32_t *)(void *)((unsigned char *)ENG + addr) = (uint32_t)T0_POP(); } break; diff --git a/src/x509/asn1.t0 b/src/x509/asn1.t0 index d6bb2e4..6732f9d 100644 --- a/src/x509/asn1.t0 +++ b/src/x509/asn1.t0 @@ -198,12 +198,12 @@ cc: set8 ( val addr -- ) { cc: set16 ( val addr -- ) { uint32_t addr = T0_POP(); - *(uint16_t *)((unsigned char *)CTX + addr) = T0_POP(); + *(uint16_t *)(void *)((unsigned char *)CTX + addr) = T0_POP(); } cc: set32 ( val addr -- ) { uint32_t addr = T0_POP(); - *(uint32_t *)((unsigned char *)CTX + addr) = T0_POP(); + *(uint32_t *)(void *)((unsigned char *)CTX + addr) = T0_POP(); } cc: get8 ( addr -- val ) { @@ -213,12 +213,12 @@ cc: get8 ( addr -- val ) { cc: get16 ( addr -- val ) { uint32_t addr = T0_POP(); - T0_PUSH(*(uint16_t *)((unsigned char *)CTX + addr)); + T0_PUSH(*(uint16_t *)(void *)((unsigned char *)CTX + addr)); } cc: get32 ( addr -- val ) { uint32_t addr = T0_POP(); - T0_PUSH(*(uint32_t *)((unsigned char *)CTX + addr)); + T0_PUSH(*(uint32_t *)(void *)((unsigned char *)CTX + addr)); } \ Read an ASN.1 tag. This function returns the "constructed" status diff --git a/src/x509/skey_decoder.c b/src/x509/skey_decoder.c index 4c486d5..f4e43e7 100644 --- a/src/x509/skey_decoder.c +++ b/src/x509/skey_decoder.c @@ -75,7 +75,7 @@ void br_skey_decoder_run(void *t0ctx); #include "inner.h" -#define CTX ((br_skey_decoder_context *)((unsigned char *)t0ctx - offsetof(br_skey_decoder_context, cpu))) +#define CTX ((br_skey_decoder_context *)(void *)((unsigned char *)t0ctx - offsetof(br_skey_decoder_context, cpu))) #define CONTEXT_NAME br_skey_decoder_context /* see bearssl_x509.h */ diff --git a/src/x509/skey_decoder.t0 b/src/x509/skey_decoder.t0 index 336b932..5b59421 100644 --- a/src/x509/skey_decoder.t0 +++ b/src/x509/skey_decoder.t0 @@ -24,7 +24,7 @@ preamble { #include "inner.h" -#define CTX ((br_skey_decoder_context *)((unsigned char *)t0ctx - offsetof(br_skey_decoder_context, cpu))) +#define CTX ((br_skey_decoder_context *)(void *)((unsigned char *)t0ctx - offsetof(br_skey_decoder_context, cpu))) #define CONTEXT_NAME br_skey_decoder_context /* see bearssl_x509.h */ diff --git a/src/x509/x509_decoder.c b/src/x509/x509_decoder.c index 42620c6..8dd970f 100644 --- a/src/x509/x509_decoder.c +++ b/src/x509/x509_decoder.c @@ -75,7 +75,7 @@ void br_x509_decoder_run(void *t0ctx); #include "inner.h" -#define CTX ((br_x509_decoder_context *)((unsigned char *)t0ctx - offsetof(br_x509_decoder_context, cpu))) +#define CTX ((br_x509_decoder_context *)(void *)((unsigned char *)t0ctx - offsetof(br_x509_decoder_context, cpu))) #define CONTEXT_NAME br_x509_decoder_context /* see bearssl_x509.h */ @@ -743,7 +743,7 @@ br_x509_decoder_run(void *t0ctx) /* set32 */ uint32_t addr = T0_POP(); - *(uint32_t *)((unsigned char *)CTX + addr) = T0_POP(); + *(uint32_t *)(void *)((unsigned char *)CTX + addr) = T0_POP(); } break; diff --git a/src/x509/x509_decoder.t0 b/src/x509/x509_decoder.t0 index 1b6089b..0bf276f 100644 --- a/src/x509/x509_decoder.t0 +++ b/src/x509/x509_decoder.t0 @@ -24,7 +24,7 @@ preamble { #include "inner.h" -#define CTX ((br_x509_decoder_context *)((unsigned char *)t0ctx - offsetof(br_x509_decoder_context, cpu))) +#define CTX ((br_x509_decoder_context *)(void *)((unsigned char *)t0ctx - offsetof(br_x509_decoder_context, cpu))) #define CONTEXT_NAME br_x509_decoder_context /* see bearssl_x509.h */ diff --git a/src/x509/x509_minimal.c b/src/x509/x509_minimal.c index a8283e3..ea14ad2 100644 --- a/src/x509/x509_minimal.c +++ b/src/x509/x509_minimal.c @@ -356,7 +356,7 @@ const br_x509_class br_x509_minimal_vtable = { xm_get_pkey }; -#define CTX ((br_x509_minimal_context *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu))) +#define CTX ((br_x509_minimal_context *)(void *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu))) #define CONTEXT_NAME br_x509_minimal_context #define DNHASH_LEN ((CTX->dn_hash_impl->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK) @@ -1444,7 +1444,7 @@ br_x509_minimal_run(void *t0ctx) /* get16 */ uint32_t addr = T0_POP(); - T0_PUSH(*(uint16_t *)((unsigned char *)CTX + addr)); + T0_PUSH(*(uint16_t *)(void *)((unsigned char *)CTX + addr)); } break; @@ -1452,7 +1452,7 @@ br_x509_minimal_run(void *t0ctx) /* get32 */ uint32_t addr = T0_POP(); - T0_PUSH(*(uint32_t *)((unsigned char *)CTX + addr)); + T0_PUSH(*(uint32_t *)(void *)((unsigned char *)CTX + addr)); } break; @@ -1606,7 +1606,7 @@ br_x509_minimal_run(void *t0ctx) /* set16 */ uint32_t addr = T0_POP(); - *(uint16_t *)((unsigned char *)CTX + addr) = T0_POP(); + *(uint16_t *)(void *)((unsigned char *)CTX + addr) = T0_POP(); } break; @@ -1614,7 +1614,7 @@ br_x509_minimal_run(void *t0ctx) /* set32 */ uint32_t addr = T0_POP(); - *(uint32_t *)((unsigned char *)CTX + addr) = T0_POP(); + *(uint32_t *)(void *)((unsigned char *)CTX + addr) = T0_POP(); } break; diff --git a/src/x509/x509_minimal.t0 b/src/x509/x509_minimal.t0 index 2104d2c..bce37ad 100644 --- a/src/x509/x509_minimal.t0 +++ b/src/x509/x509_minimal.t0 @@ -305,7 +305,7 @@ const br_x509_class br_x509_minimal_vtable = { xm_get_pkey }; -#define CTX ((br_x509_minimal_context *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu))) +#define CTX ((br_x509_minimal_context *)(void *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu))) #define CONTEXT_NAME br_x509_minimal_context #define DNHASH_LEN ((CTX->dn_hash_impl->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK) diff --git a/tools/client.c b/tools/client.c index acd8512..3d13510 100644 --- a/tools/client.c +++ b/tools/client.c @@ -72,9 +72,11 @@ host_connect(const char *host, const char *port, int verbose) sa = (struct sockaddr *)p->ai_addr; if (sa->sa_family == AF_INET) { - addr = &((struct sockaddr_in *)sa)->sin_addr; + addr = &((struct sockaddr_in *) + (void *)sa)->sin_addr; } else if (sa->sa_family == AF_INET6) { - addr = &((struct sockaddr_in6 *)sa)->sin6_addr; + addr = &((struct sockaddr_in6 *) + (void *)sa)->sin6_addr; } else { addr = NULL; } diff --git a/tools/server.c b/tools/server.c index cac99c4..8fcf2eb 100644 --- a/tools/server.c +++ b/tools/server.c @@ -75,7 +75,7 @@ host_bind(const char *host, const char *port, int verbose) sa = (struct sockaddr *)p->ai_addr; if (sa->sa_family == AF_INET) { - sa4 = *(struct sockaddr_in *)sa; + memcpy(&sa4, sa, sizeof sa4); sa = (struct sockaddr *)&sa4; sa_len = sizeof sa4; addr = &sa4.sin_addr; @@ -83,7 +83,7 @@ host_bind(const char *host, const char *port, int verbose) sa4.sin_addr.s_addr = INADDR_ANY; } } else if (sa->sa_family == AF_INET6) { - sa6 = *(struct sockaddr_in6 *)sa; + memcpy(&sa6, sa, sizeof sa6); sa = (struct sockaddr *)&sa6; sa_len = sizeof sa6; addr = &sa6.sin6_addr; -- 2.17.1 From a52cff8309f48ca8487410cfa2a8fb6c11152e2b Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Sun, 20 Aug 2017 23:19:51 +0200 Subject: [PATCH 09/16] Some more extra casts to avoid alignment warnings with Clang and -Wcast-align on 32-bit systems with 64-bit alignment requirements (e.g. ARMv7). --- src/x509/x509_minimal.c | 14 +++++++------- src/x509/x509_minimal.t0 | 14 +++++++------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/src/x509/x509_minimal.c b/src/x509/x509_minimal.c index ea14ad2..ddf2515 100644 --- a/src/x509/x509_minimal.c +++ b/src/x509/x509_minimal.c @@ -249,7 +249,7 @@ xm_start_chain(const br_x509_class **ctx, const char *server_name) br_x509_minimal_context *cc; size_t u; - cc = (br_x509_minimal_context *)ctx; + cc = (br_x509_minimal_context *)(void *)ctx; for (u = 0; u < cc->num_name_elts; u ++) { cc->name_elts[u].status = 0; cc->name_elts[u].buf[0] = 0; @@ -272,7 +272,7 @@ xm_start_cert(const br_x509_class **ctx, uint32_t length) { br_x509_minimal_context *cc; - cc = (br_x509_minimal_context *)ctx; + cc = (br_x509_minimal_context *)(void *)ctx; if (cc->err != 0) { return; } @@ -288,7 +288,7 @@ xm_append(const br_x509_class **ctx, const unsigned char *buf, size_t len) { br_x509_minimal_context *cc; - cc = (br_x509_minimal_context *)ctx; + cc = (br_x509_minimal_context *)(void *)ctx; if (cc->err != 0) { return; } @@ -302,7 +302,7 @@ xm_end_cert(const br_x509_class **ctx) { br_x509_minimal_context *cc; - cc = (br_x509_minimal_context *)ctx; + cc = (br_x509_minimal_context *)(void *)ctx; if (cc->err == 0 && cc->cert_length != 0) { cc->err = BR_ERR_X509_TRUNCATED; } @@ -314,7 +314,7 @@ xm_end_chain(const br_x509_class **ctx) { br_x509_minimal_context *cc; - cc = (br_x509_minimal_context *)ctx; + cc = (br_x509_minimal_context *)(void *)ctx; if (cc->err == 0) { if (cc->num_certs == 0) { cc->err = BR_ERR_X509_EMPTY_CHAIN; @@ -332,14 +332,14 @@ xm_get_pkey(const br_x509_class *const *ctx, unsigned *usages) { br_x509_minimal_context *cc; - cc = (br_x509_minimal_context *)ctx; + cc = (br_x509_minimal_context *)(void *)ctx; if (cc->err == BR_ERR_X509_OK || cc->err == BR_ERR_X509_NOT_TRUSTED) { if (usages != NULL) { *usages = cc->key_usages; } - return &((br_x509_minimal_context *)ctx)->pkey; + return &((br_x509_minimal_context *)(void *)ctx)->pkey; } else { return NULL; } diff --git a/src/x509/x509_minimal.t0 b/src/x509/x509_minimal.t0 index bce37ad..a46076e 100644 --- a/src/x509/x509_minimal.t0 +++ b/src/x509/x509_minimal.t0 @@ -198,7 +198,7 @@ xm_start_chain(const br_x509_class **ctx, const char *server_name) br_x509_minimal_context *cc; size_t u; - cc = (br_x509_minimal_context *)ctx; + cc = (br_x509_minimal_context *)(void *)ctx; for (u = 0; u < cc->num_name_elts; u ++) { cc->name_elts[u].status = 0; cc->name_elts[u].buf[0] = 0; @@ -221,7 +221,7 @@ xm_start_cert(const br_x509_class **ctx, uint32_t length) { br_x509_minimal_context *cc; - cc = (br_x509_minimal_context *)ctx; + cc = (br_x509_minimal_context *)(void *)ctx; if (cc->err != 0) { return; } @@ -237,7 +237,7 @@ xm_append(const br_x509_class **ctx, const unsigned char *buf, size_t len) { br_x509_minimal_context *cc; - cc = (br_x509_minimal_context *)ctx; + cc = (br_x509_minimal_context *)(void *)ctx; if (cc->err != 0) { return; } @@ -251,7 +251,7 @@ xm_end_cert(const br_x509_class **ctx) { br_x509_minimal_context *cc; - cc = (br_x509_minimal_context *)ctx; + cc = (br_x509_minimal_context *)(void *)ctx; if (cc->err == 0 && cc->cert_length != 0) { cc->err = BR_ERR_X509_TRUNCATED; } @@ -263,7 +263,7 @@ xm_end_chain(const br_x509_class **ctx) { br_x509_minimal_context *cc; - cc = (br_x509_minimal_context *)ctx; + cc = (br_x509_minimal_context *)(void *)ctx; if (cc->err == 0) { if (cc->num_certs == 0) { cc->err = BR_ERR_X509_EMPTY_CHAIN; @@ -281,14 +281,14 @@ xm_get_pkey(const br_x509_class *const *ctx, unsigned *usages) { br_x509_minimal_context *cc; - cc = (br_x509_minimal_context *)ctx; + cc = (br_x509_minimal_context *)(void *)ctx; if (cc->err == BR_ERR_X509_OK || cc->err == BR_ERR_X509_NOT_TRUSTED) { if (usages != NULL) { *usages = cc->key_usages; } - return &((br_x509_minimal_context *)ctx)->pkey; + return &((br_x509_minimal_context *)(void *)ctx)->pkey; } else { return NULL; } -- 2.17.1 From 9dc6211237abcc4a4854818f8e5d7b8973bf31e3 Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Mon, 28 Aug 2017 16:25:20 +0200 Subject: [PATCH 10/16] Extra Makefile hack for compatibility with OpenBSD 'make'. --- Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Makefile b/Makefile index 044f5bc..f7f24fc 100644 --- a/Makefile +++ b/Makefile @@ -37,5 +37,9 @@ !else .POSIX: include mk/SingleUnix.mk +# Extra hack for OpenBSD make. +ifndef: all +0: all +endif: all # \ !endif -- 2.17.1 From 5b980fb6250788735f56d9640696864e82e35f59 Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Mon, 28 Aug 2017 16:26:33 +0200 Subject: [PATCH 11/16] Switch C compiler to the generic 'cc' (to use the default compiler, not necessarily GCC -- this is for systems that offer both GCC and Clang, and use Clang as default). --- conf/Unix.mk | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/conf/Unix.mk b/conf/Unix.mk index 7764748..02f2b2b 100644 --- a/conf/Unix.mk +++ b/conf/Unix.mk @@ -37,7 +37,7 @@ RM = rm -f MKDIR = mkdir -p # C compiler and flags. -CC = gcc +CC = cc CFLAGS = -W -Wall -Os -fPIC CCOUT = -c -o @@ -47,12 +47,12 @@ ARFLAGS = -rcs AROUT = # DLL building tool. -LDDLL = gcc +LDDLL = cc LDDLLFLAGS = -shared LDDLLOUT = -o # Static linker. -LD = gcc +LD = cc LDFLAGS = LDOUT = -o -- 2.17.1 From af9c79a0710a45361f9ae4313f8bb5bf738c3b7a Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Mon, 28 Aug 2017 16:37:30 +0200 Subject: [PATCH 12/16] Added seeder API. Also overhauled compile-time detection of features. --- inc/bearssl.h | 30 +++ inc/bearssl_rand.h | 35 +++ inc/bearssl_ssl.h | 8 + mk/Rules.mk | 13 +- mk/mkrules.sh | 3 + src/config.h | 11 + src/hash/ghash_pclmul.c | 200 ++++++++++-------- src/inner.h | 351 ++++++++++++++++++++++++++----- src/rand/sysrng.c | 169 +++++++++++++++ src/settings.c | 306 +++++++++++++++++++++++++++ src/ssl/ssl_engine.c | 151 ++++++------- src/symcipher/aes_x86ni.c | 48 +---- src/symcipher/aes_x86ni_cbcdec.c | 28 +-- src/symcipher/aes_x86ni_cbcenc.c | 28 +-- src/symcipher/aes_x86ni_ctr.c | 32 +-- src/symcipher/chacha20_sse2.c | 78 +++---- src/x509/x509_minimal.c | 14 -- src/x509/x509_minimal.t0 | 14 -- tools/brssl.c | 5 + tools/brssl.h | 6 + tools/impl.c | 48 +++++ tools/sslio.c | 4 + 22 files changed, 1183 insertions(+), 399 deletions(-) create mode 100644 src/rand/sysrng.c create mode 100644 src/settings.c create mode 100644 tools/impl.c diff --git a/inc/bearssl.h b/inc/bearssl.h index de62963..3d5e63a 100644 --- a/inc/bearssl.h +++ b/inc/bearssl.h @@ -135,4 +135,34 @@ #include "bearssl_x509.h" #include "bearssl_pem.h" +/** \brief Type for a configuration option. + * + * A "configuration option" is a value that is selected when the BearSSL + * library itself is compiled. Most options are boolean; their value is + * then either 1 (option is enabled) or 0 (option is disabled). Some + * values have other integer values. Option names correspond to macro + * names. Some of the options can be explicitly set in the internal + * `"config.h"` file. + */ +typedef struct { + /** \brief Configurable option name. */ + const char *name; + /** \brief Configurable option value. */ + long value; +} br_config_option; + +/** \brief Get configuration report. + * + * This function returns compiled configuration options, each as a + * 'long' value. Names match internal macro names, in particular those + * that can be set in the `"config.h"` inner file. For boolean options, + * the numerical value is 1 if enabled, 0 if disabled. For maximum + * key sizes, values are expressed in bits. + * + * The returned array is terminated by an entry whose `name` is `NULL`. + * + * \return the configuration report. + */ +const br_config_option *br_get_config(void); + #endif diff --git a/inc/bearssl_rand.h b/inc/bearssl_rand.h index 59628fb..37379d2 100644 --- a/inc/bearssl_rand.h +++ b/inc/bearssl_rand.h @@ -253,6 +253,41 @@ br_hmac_drbg_get_hash(const br_hmac_drbg_context *ctx) return ctx->digest_class; } +/** + * \brief Type for a provider of entropy seeds. + * + * A "seeder" is a function that is able to obtain random values from + * some source and inject them as entropy seed in a PRNG. A seeder + * shall guarantee that the total entropy of the injected seed is large + * enough to seed a PRNG for purposes of cryptographic key generation + * (i.e. at least 128 bits). + * + * A seeder may report a failure to obtain adequate entropy. Seeders + * shall endeavour to fix themselves transient errors by trying again; + * thus, callers may consider reported errors as permanent. + * + * \param ctx PRNG context to seed. + * \return 1 on success, 0 on error. + */ +typedef int (*br_prng_seeder)(const br_prng_class **ctx); + +/** + * \brief Get a seeder backed by the operating system or hardware. + * + * Get a seeder that feeds on RNG facilities provided by the current + * operating system or hardware. If no such facility is known, then 0 + * is returned. + * + * If `name` is not `NULL`, then `*name` is set to a symbolic string + * that identifies the seeder implemention. If no seeder is returned + * and `name` is not `NULL`, then `*name` is set to a pointer to the + * constant string `"none"`. + * + * \param name receiver for seeder name, or `NULL`. + * \return the system seeder, if available, or 0. + */ +br_prng_seeder br_prng_seeder_system(const char **name); + #ifdef __cplusplus } #endif diff --git a/inc/bearssl_ssl.h b/inc/bearssl_ssl.h index 45ac599..6640bc6 100644 --- a/inc/bearssl_ssl.h +++ b/inc/bearssl_ssl.h @@ -833,6 +833,14 @@ typedef struct { /* * Context RNG. + * + * rng_init_done is initially 0. It is set to 1 when the + * basic structure of the RNG is set, and 2 when some + * entropy has been pushed in. The value 2 marks the RNG + * as "properly seeded". + * + * rng_os_rand_done is initially 0. It is set to 1 when + * some seeding from the OS or hardware has been attempted. */ br_hmac_drbg_context rng; int rng_init_done; diff --git a/mk/Rules.mk b/mk/Rules.mk index 247c4bb..21a58ce 100644 --- a/mk/Rules.mk +++ b/mk/Rules.mk @@ -1,7 +1,7 @@ # Automatically generated rules. Use 'mkrules.sh' to modify/regenerate. -OBJ = $(OBJDIR)$Pgcm$O $(OBJDIR)$Pccopy$O $(OBJDIR)$Pdec16be$O $(OBJDIR)$Pdec16le$O $(OBJDIR)$Pdec32be$O $(OBJDIR)$Pdec32le$O $(OBJDIR)$Pdec64be$O $(OBJDIR)$Pdec64le$O $(OBJDIR)$Penc16be$O $(OBJDIR)$Penc16le$O $(OBJDIR)$Penc32be$O $(OBJDIR)$Penc32le$O $(OBJDIR)$Penc64be$O $(OBJDIR)$Penc64le$O $(OBJDIR)$Ppemdec$O $(OBJDIR)$Pec_all_m15$O $(OBJDIR)$Pec_all_m31$O $(OBJDIR)$Pec_c25519_i15$O $(OBJDIR)$Pec_c25519_i31$O $(OBJDIR)$Pec_c25519_m15$O $(OBJDIR)$Pec_c25519_m31$O $(OBJDIR)$Pec_curve25519$O $(OBJDIR)$Pec_default$O $(OBJDIR)$Pec_p256_m15$O $(OBJDIR)$Pec_p256_m31$O $(OBJDIR)$Pec_prime_i15$O $(OBJDIR)$Pec_prime_i31$O $(OBJDIR)$Pec_secp256r1$O $(OBJDIR)$Pec_secp384r1$O $(OBJDIR)$Pec_secp521r1$O $(OBJDIR)$Pecdsa_atr$O $(OBJDIR)$Pecdsa_default_sign_asn1$O $(OBJDIR)$Pecdsa_default_sign_raw$O $(OBJDIR)$Pecdsa_default_vrfy_asn1$O $(OBJDIR)$Pecdsa_default_vrfy_raw$O $(OBJDIR)$Pecdsa_i15_bits$O $(OBJDIR)$Pecdsa_i15_sign_asn1$O $(OBJDIR)$Pecdsa_i15_sign_raw$O $(OBJDIR)$Pecdsa_i15_vrfy_asn1$O $(OBJDIR)$Pecdsa_i15_vrfy_raw$O $(OBJDIR)$Pecdsa_i31_bits$O $(OBJDIR)$Pecdsa_i31_sign_asn1$O $(OBJDIR)$Pecdsa_i31_sign_raw$O $(OBJDIR)$Pecdsa_i31_vrfy_asn1$O $(OBJDIR)$Pecdsa_i31_vrfy_raw$O $(OBJDIR)$Pecdsa_rta$O $(OBJDIR)$Pdig_oid$O $(OBJDIR)$Pdig_size$O $(OBJDIR)$Pghash_ctmul$O $(OBJDIR)$Pghash_ctmul32$O $(OBJDIR)$Pghash_ctmul64$O $(OBJDIR)$Pghash_pclmul$O $(OBJDIR)$Pghash_pwr8$O $(OBJDIR)$Pmd5$O $(OBJDIR)$Pmd5sha1$O $(OBJDIR)$Pmultihash$O $(OBJDIR)$Psha1$O $(OBJDIR)$Psha2big$O $(OBJDIR)$Psha2small$O $(OBJDIR)$Pi15_add$O $(OBJDIR)$Pi15_bitlen$O $(OBJDIR)$Pi15_decmod$O $(OBJDIR)$Pi15_decode$O $(OBJDIR)$Pi15_decred$O $(OBJDIR)$Pi15_encode$O $(OBJDIR)$Pi15_fmont$O $(OBJDIR)$Pi15_iszero$O $(OBJDIR)$Pi15_modpow$O $(OBJDIR)$Pi15_modpow2$O $(OBJDIR)$Pi15_montmul$O $(OBJDIR)$Pi15_mulacc$O $(OBJDIR)$Pi15_muladd$O $(OBJDIR)$Pi15_ninv15$O $(OBJDIR)$Pi15_reduce$O $(OBJDIR)$Pi15_rshift$O $(OBJDIR)$Pi15_sub$O $(OBJDIR)$Pi15_tmont$O $(OBJDIR)$Pi31_add$O $(OBJDIR)$Pi31_bitlen$O $(OBJDIR)$Pi31_decmod$O $(OBJDIR)$Pi31_decode$O $(OBJDIR)$Pi31_decred$O $(OBJDIR)$Pi31_encode$O $(OBJDIR)$Pi31_fmont$O $(OBJDIR)$Pi31_iszero$O $(OBJDIR)$Pi31_modpow$O $(OBJDIR)$Pi31_modpow2$O $(OBJDIR)$Pi31_montmul$O $(OBJDIR)$Pi31_mulacc$O $(OBJDIR)$Pi31_muladd$O $(OBJDIR)$Pi31_ninv31$O $(OBJDIR)$Pi31_reduce$O $(OBJDIR)$Pi31_rshift$O $(OBJDIR)$Pi31_sub$O $(OBJDIR)$Pi31_tmont$O $(OBJDIR)$Pi32_add$O $(OBJDIR)$Pi32_bitlen$O $(OBJDIR)$Pi32_decmod$O $(OBJDIR)$Pi32_decode$O $(OBJDIR)$Pi32_decred$O $(OBJDIR)$Pi32_div32$O $(OBJDIR)$Pi32_encode$O $(OBJDIR)$Pi32_fmont$O $(OBJDIR)$Pi32_iszero$O $(OBJDIR)$Pi32_modpow$O $(OBJDIR)$Pi32_montmul$O $(OBJDIR)$Pi32_mulacc$O $(OBJDIR)$Pi32_muladd$O $(OBJDIR)$Pi32_ninv32$O $(OBJDIR)$Pi32_reduce$O $(OBJDIR)$Pi32_sub$O $(OBJDIR)$Pi32_tmont$O $(OBJDIR)$Pi62_modpow2$O $(OBJDIR)$Phmac$O $(OBJDIR)$Phmac_ct$O $(OBJDIR)$Phmac_drbg$O $(OBJDIR)$Prsa_default_pkcs1_sign$O $(OBJDIR)$Prsa_default_pkcs1_vrfy$O $(OBJDIR)$Prsa_default_priv$O $(OBJDIR)$Prsa_default_pub$O $(OBJDIR)$Prsa_i15_pkcs1_sign$O $(OBJDIR)$Prsa_i15_pkcs1_vrfy$O $(OBJDIR)$Prsa_i15_priv$O $(OBJDIR)$Prsa_i15_pub$O $(OBJDIR)$Prsa_i31_pkcs1_sign$O $(OBJDIR)$Prsa_i31_pkcs1_vrfy$O $(OBJDIR)$Prsa_i31_priv$O $(OBJDIR)$Prsa_i31_pub$O $(OBJDIR)$Prsa_i32_pkcs1_sign$O $(OBJDIR)$Prsa_i32_pkcs1_vrfy$O $(OBJDIR)$Prsa_i32_priv$O $(OBJDIR)$Prsa_i32_pub$O $(OBJDIR)$Prsa_i62_pkcs1_sign$O $(OBJDIR)$Prsa_i62_pkcs1_vrfy$O $(OBJDIR)$Prsa_i62_priv$O $(OBJDIR)$Prsa_i62_pub$O $(OBJDIR)$Prsa_pkcs1_sig_pad$O $(OBJDIR)$Prsa_pkcs1_sig_unpad$O $(OBJDIR)$Prsa_ssl_decrypt$O $(OBJDIR)$Pprf$O $(OBJDIR)$Pprf_md5sha1$O $(OBJDIR)$Pprf_sha256$O $(OBJDIR)$Pprf_sha384$O $(OBJDIR)$Pssl_ccert_single_ec$O $(OBJDIR)$Pssl_ccert_single_rsa$O $(OBJDIR)$Pssl_client$O $(OBJDIR)$Pssl_client_default_rsapub$O $(OBJDIR)$Pssl_client_full$O $(OBJDIR)$Pssl_engine$O $(OBJDIR)$Pssl_engine_default_aescbc$O $(OBJDIR)$Pssl_engine_default_aesgcm$O $(OBJDIR)$Pssl_engine_default_chapol$O $(OBJDIR)$Pssl_engine_default_descbc$O $(OBJDIR)$Pssl_engine_default_ec$O $(OBJDIR)$Pssl_engine_default_ecdsa$O $(OBJDIR)$Pssl_engine_default_rsavrfy$O $(OBJDIR)$Pssl_hashes$O $(OBJDIR)$Pssl_hs_client$O $(OBJDIR)$Pssl_hs_server$O $(OBJDIR)$Pssl_io$O $(OBJDIR)$Pssl_keyexport$O $(OBJDIR)$Pssl_lru$O $(OBJDIR)$Pssl_rec_cbc$O $(OBJDIR)$Pssl_rec_chapol$O $(OBJDIR)$Pssl_rec_gcm$O $(OBJDIR)$Pssl_scert_single_ec$O $(OBJDIR)$Pssl_scert_single_rsa$O $(OBJDIR)$Pssl_server$O $(OBJDIR)$Pssl_server_full_ec$O $(OBJDIR)$Pssl_server_full_rsa$O $(OBJDIR)$Pssl_server_mine2c$O $(OBJDIR)$Pssl_server_mine2g$O $(OBJDIR)$Pssl_server_minf2c$O $(OBJDIR)$Pssl_server_minf2g$O $(OBJDIR)$Pssl_server_minr2g$O $(OBJDIR)$Pssl_server_minu2g$O $(OBJDIR)$Pssl_server_minv2g$O $(OBJDIR)$Paes_big_cbcdec$O $(OBJDIR)$Paes_big_cbcenc$O $(OBJDIR)$Paes_big_ctr$O $(OBJDIR)$Paes_big_dec$O $(OBJDIR)$Paes_big_enc$O $(OBJDIR)$Paes_common$O $(OBJDIR)$Paes_ct$O $(OBJDIR)$Paes_ct64$O $(OBJDIR)$Paes_ct64_cbcdec$O $(OBJDIR)$Paes_ct64_cbcenc$O $(OBJDIR)$Paes_ct64_ctr$O $(OBJDIR)$Paes_ct64_dec$O $(OBJDIR)$Paes_ct64_enc$O $(OBJDIR)$Paes_ct_cbcdec$O $(OBJDIR)$Paes_ct_cbcenc$O $(OBJDIR)$Paes_ct_ctr$O $(OBJDIR)$Paes_ct_dec$O $(OBJDIR)$Paes_ct_enc$O $(OBJDIR)$Paes_pwr8$O $(OBJDIR)$Paes_pwr8_cbcdec$O $(OBJDIR)$Paes_pwr8_cbcenc$O $(OBJDIR)$Paes_pwr8_ctr$O $(OBJDIR)$Paes_small_cbcdec$O $(OBJDIR)$Paes_small_cbcenc$O $(OBJDIR)$Paes_small_ctr$O $(OBJDIR)$Paes_small_dec$O $(OBJDIR)$Paes_small_enc$O $(OBJDIR)$Paes_x86ni$O $(OBJDIR)$Paes_x86ni_cbcdec$O $(OBJDIR)$Paes_x86ni_cbcenc$O $(OBJDIR)$Paes_x86ni_ctr$O $(OBJDIR)$Pchacha20_ct$O $(OBJDIR)$Pchacha20_sse2$O $(OBJDIR)$Pdes_ct$O $(OBJDIR)$Pdes_ct_cbcdec$O $(OBJDIR)$Pdes_ct_cbcenc$O $(OBJDIR)$Pdes_support$O $(OBJDIR)$Pdes_tab$O $(OBJDIR)$Pdes_tab_cbcdec$O $(OBJDIR)$Pdes_tab_cbcenc$O $(OBJDIR)$Ppoly1305_ctmul$O $(OBJDIR)$Ppoly1305_ctmul32$O $(OBJDIR)$Ppoly1305_ctmulq$O $(OBJDIR)$Ppoly1305_i15$O $(OBJDIR)$Pskey_decoder$O $(OBJDIR)$Px509_decoder$O $(OBJDIR)$Px509_knownkey$O $(OBJDIR)$Px509_minimal$O $(OBJDIR)$Px509_minimal_full$O -OBJBRSSL = $(OBJDIR)$Pbrssl$O $(OBJDIR)$Pcerts$O $(OBJDIR)$Pchain$O $(OBJDIR)$Pclient$O $(OBJDIR)$Perrors$O $(OBJDIR)$Pfiles$O $(OBJDIR)$Pkeys$O $(OBJDIR)$Pnames$O $(OBJDIR)$Pserver$O $(OBJDIR)$Pskey$O $(OBJDIR)$Psslio$O $(OBJDIR)$Pta$O $(OBJDIR)$Ptwrch$O $(OBJDIR)$Pvector$O $(OBJDIR)$Pverify$O $(OBJDIR)$Pxmem$O +OBJ = $(OBJDIR)$Psettings$O $(OBJDIR)$Pgcm$O $(OBJDIR)$Pccopy$O $(OBJDIR)$Pdec16be$O $(OBJDIR)$Pdec16le$O $(OBJDIR)$Pdec32be$O $(OBJDIR)$Pdec32le$O $(OBJDIR)$Pdec64be$O $(OBJDIR)$Pdec64le$O $(OBJDIR)$Penc16be$O $(OBJDIR)$Penc16le$O $(OBJDIR)$Penc32be$O $(OBJDIR)$Penc32le$O $(OBJDIR)$Penc64be$O $(OBJDIR)$Penc64le$O $(OBJDIR)$Ppemdec$O $(OBJDIR)$Pec_all_m15$O $(OBJDIR)$Pec_all_m31$O $(OBJDIR)$Pec_c25519_i15$O $(OBJDIR)$Pec_c25519_i31$O $(OBJDIR)$Pec_c25519_m15$O $(OBJDIR)$Pec_c25519_m31$O $(OBJDIR)$Pec_curve25519$O $(OBJDIR)$Pec_default$O $(OBJDIR)$Pec_p256_m15$O $(OBJDIR)$Pec_p256_m31$O $(OBJDIR)$Pec_prime_i15$O $(OBJDIR)$Pec_prime_i31$O $(OBJDIR)$Pec_secp256r1$O $(OBJDIR)$Pec_secp384r1$O $(OBJDIR)$Pec_secp521r1$O $(OBJDIR)$Pecdsa_atr$O $(OBJDIR)$Pecdsa_default_sign_asn1$O $(OBJDIR)$Pecdsa_default_sign_raw$O $(OBJDIR)$Pecdsa_default_vrfy_asn1$O $(OBJDIR)$Pecdsa_default_vrfy_raw$O $(OBJDIR)$Pecdsa_i15_bits$O $(OBJDIR)$Pecdsa_i15_sign_asn1$O $(OBJDIR)$Pecdsa_i15_sign_raw$O $(OBJDIR)$Pecdsa_i15_vrfy_asn1$O $(OBJDIR)$Pecdsa_i15_vrfy_raw$O $(OBJDIR)$Pecdsa_i31_bits$O $(OBJDIR)$Pecdsa_i31_sign_asn1$O $(OBJDIR)$Pecdsa_i31_sign_raw$O $(OBJDIR)$Pecdsa_i31_vrfy_asn1$O $(OBJDIR)$Pecdsa_i31_vrfy_raw$O $(OBJDIR)$Pecdsa_rta$O $(OBJDIR)$Pdig_oid$O $(OBJDIR)$Pdig_size$O $(OBJDIR)$Pghash_ctmul$O $(OBJDIR)$Pghash_ctmul32$O $(OBJDIR)$Pghash_ctmul64$O $(OBJDIR)$Pghash_pclmul$O $(OBJDIR)$Pghash_pwr8$O $(OBJDIR)$Pmd5$O $(OBJDIR)$Pmd5sha1$O $(OBJDIR)$Pmultihash$O $(OBJDIR)$Psha1$O $(OBJDIR)$Psha2big$O $(OBJDIR)$Psha2small$O $(OBJDIR)$Pi15_add$O $(OBJDIR)$Pi15_bitlen$O $(OBJDIR)$Pi15_decmod$O $(OBJDIR)$Pi15_decode$O $(OBJDIR)$Pi15_decred$O $(OBJDIR)$Pi15_encode$O $(OBJDIR)$Pi15_fmont$O $(OBJDIR)$Pi15_iszero$O $(OBJDIR)$Pi15_modpow$O $(OBJDIR)$Pi15_modpow2$O $(OBJDIR)$Pi15_montmul$O $(OBJDIR)$Pi15_mulacc$O $(OBJDIR)$Pi15_muladd$O $(OBJDIR)$Pi15_ninv15$O $(OBJDIR)$Pi15_reduce$O $(OBJDIR)$Pi15_rshift$O $(OBJDIR)$Pi15_sub$O $(OBJDIR)$Pi15_tmont$O $(OBJDIR)$Pi31_add$O $(OBJDIR)$Pi31_bitlen$O $(OBJDIR)$Pi31_decmod$O $(OBJDIR)$Pi31_decode$O $(OBJDIR)$Pi31_decred$O $(OBJDIR)$Pi31_encode$O $(OBJDIR)$Pi31_fmont$O $(OBJDIR)$Pi31_iszero$O $(OBJDIR)$Pi31_modpow$O $(OBJDIR)$Pi31_modpow2$O $(OBJDIR)$Pi31_montmul$O $(OBJDIR)$Pi31_mulacc$O $(OBJDIR)$Pi31_muladd$O $(OBJDIR)$Pi31_ninv31$O $(OBJDIR)$Pi31_reduce$O $(OBJDIR)$Pi31_rshift$O $(OBJDIR)$Pi31_sub$O $(OBJDIR)$Pi31_tmont$O $(OBJDIR)$Pi32_add$O $(OBJDIR)$Pi32_bitlen$O $(OBJDIR)$Pi32_decmod$O $(OBJDIR)$Pi32_decode$O $(OBJDIR)$Pi32_decred$O $(OBJDIR)$Pi32_div32$O $(OBJDIR)$Pi32_encode$O $(OBJDIR)$Pi32_fmont$O $(OBJDIR)$Pi32_iszero$O $(OBJDIR)$Pi32_modpow$O $(OBJDIR)$Pi32_montmul$O $(OBJDIR)$Pi32_mulacc$O $(OBJDIR)$Pi32_muladd$O $(OBJDIR)$Pi32_ninv32$O $(OBJDIR)$Pi32_reduce$O $(OBJDIR)$Pi32_sub$O $(OBJDIR)$Pi32_tmont$O $(OBJDIR)$Pi62_modpow2$O $(OBJDIR)$Phmac$O $(OBJDIR)$Phmac_ct$O $(OBJDIR)$Phmac_drbg$O $(OBJDIR)$Psysrng$O $(OBJDIR)$Prsa_default_pkcs1_sign$O $(OBJDIR)$Prsa_default_pkcs1_vrfy$O $(OBJDIR)$Prsa_default_priv$O $(OBJDIR)$Prsa_default_pub$O $(OBJDIR)$Prsa_i15_pkcs1_sign$O $(OBJDIR)$Prsa_i15_pkcs1_vrfy$O $(OBJDIR)$Prsa_i15_priv$O $(OBJDIR)$Prsa_i15_pub$O $(OBJDIR)$Prsa_i31_pkcs1_sign$O $(OBJDIR)$Prsa_i31_pkcs1_vrfy$O $(OBJDIR)$Prsa_i31_priv$O $(OBJDIR)$Prsa_i31_pub$O $(OBJDIR)$Prsa_i32_pkcs1_sign$O $(OBJDIR)$Prsa_i32_pkcs1_vrfy$O $(OBJDIR)$Prsa_i32_priv$O $(OBJDIR)$Prsa_i32_pub$O $(OBJDIR)$Prsa_i62_pkcs1_sign$O $(OBJDIR)$Prsa_i62_pkcs1_vrfy$O $(OBJDIR)$Prsa_i62_priv$O $(OBJDIR)$Prsa_i62_pub$O $(OBJDIR)$Prsa_pkcs1_sig_pad$O $(OBJDIR)$Prsa_pkcs1_sig_unpad$O $(OBJDIR)$Prsa_ssl_decrypt$O $(OBJDIR)$Pprf$O $(OBJDIR)$Pprf_md5sha1$O $(OBJDIR)$Pprf_sha256$O $(OBJDIR)$Pprf_sha384$O $(OBJDIR)$Pssl_ccert_single_ec$O $(OBJDIR)$Pssl_ccert_single_rsa$O $(OBJDIR)$Pssl_client$O $(OBJDIR)$Pssl_client_default_rsapub$O $(OBJDIR)$Pssl_client_full$O $(OBJDIR)$Pssl_engine$O $(OBJDIR)$Pssl_engine_default_aescbc$O $(OBJDIR)$Pssl_engine_default_aesgcm$O $(OBJDIR)$Pssl_engine_default_chapol$O $(OBJDIR)$Pssl_engine_default_descbc$O $(OBJDIR)$Pssl_engine_default_ec$O $(OBJDIR)$Pssl_engine_default_ecdsa$O $(OBJDIR)$Pssl_engine_default_rsavrfy$O $(OBJDIR)$Pssl_hashes$O $(OBJDIR)$Pssl_hs_client$O $(OBJDIR)$Pssl_hs_server$O $(OBJDIR)$Pssl_io$O $(OBJDIR)$Pssl_keyexport$O $(OBJDIR)$Pssl_lru$O $(OBJDIR)$Pssl_rec_cbc$O $(OBJDIR)$Pssl_rec_chapol$O $(OBJDIR)$Pssl_rec_gcm$O $(OBJDIR)$Pssl_scert_single_ec$O $(OBJDIR)$Pssl_scert_single_rsa$O $(OBJDIR)$Pssl_server$O $(OBJDIR)$Pssl_server_full_ec$O $(OBJDIR)$Pssl_server_full_rsa$O $(OBJDIR)$Pssl_server_mine2c$O $(OBJDIR)$Pssl_server_mine2g$O $(OBJDIR)$Pssl_server_minf2c$O $(OBJDIR)$Pssl_server_minf2g$O $(OBJDIR)$Pssl_server_minr2g$O $(OBJDIR)$Pssl_server_minu2g$O $(OBJDIR)$Pssl_server_minv2g$O $(OBJDIR)$Paes_big_cbcdec$O $(OBJDIR)$Paes_big_cbcenc$O $(OBJDIR)$Paes_big_ctr$O $(OBJDIR)$Paes_big_dec$O $(OBJDIR)$Paes_big_enc$O $(OBJDIR)$Paes_common$O $(OBJDIR)$Paes_ct$O $(OBJDIR)$Paes_ct64$O $(OBJDIR)$Paes_ct64_cbcdec$O $(OBJDIR)$Paes_ct64_cbcenc$O $(OBJDIR)$Paes_ct64_ctr$O $(OBJDIR)$Paes_ct64_dec$O $(OBJDIR)$Paes_ct64_enc$O $(OBJDIR)$Paes_ct_cbcdec$O $(OBJDIR)$Paes_ct_cbcenc$O $(OBJDIR)$Paes_ct_ctr$O $(OBJDIR)$Paes_ct_dec$O $(OBJDIR)$Paes_ct_enc$O $(OBJDIR)$Paes_pwr8$O $(OBJDIR)$Paes_pwr8_cbcdec$O $(OBJDIR)$Paes_pwr8_cbcenc$O $(OBJDIR)$Paes_pwr8_ctr$O $(OBJDIR)$Paes_small_cbcdec$O $(OBJDIR)$Paes_small_cbcenc$O $(OBJDIR)$Paes_small_ctr$O $(OBJDIR)$Paes_small_dec$O $(OBJDIR)$Paes_small_enc$O $(OBJDIR)$Paes_x86ni$O $(OBJDIR)$Paes_x86ni_cbcdec$O $(OBJDIR)$Paes_x86ni_cbcenc$O $(OBJDIR)$Paes_x86ni_ctr$O $(OBJDIR)$Pchacha20_ct$O $(OBJDIR)$Pchacha20_sse2$O $(OBJDIR)$Pdes_ct$O $(OBJDIR)$Pdes_ct_cbcdec$O $(OBJDIR)$Pdes_ct_cbcenc$O $(OBJDIR)$Pdes_support$O $(OBJDIR)$Pdes_tab$O $(OBJDIR)$Pdes_tab_cbcdec$O $(OBJDIR)$Pdes_tab_cbcenc$O $(OBJDIR)$Ppoly1305_ctmul$O $(OBJDIR)$Ppoly1305_ctmul32$O $(OBJDIR)$Ppoly1305_ctmulq$O $(OBJDIR)$Ppoly1305_i15$O $(OBJDIR)$Pskey_decoder$O $(OBJDIR)$Px509_decoder$O $(OBJDIR)$Px509_knownkey$O $(OBJDIR)$Px509_minimal$O $(OBJDIR)$Px509_minimal_full$O +OBJBRSSL = $(OBJDIR)$Pbrssl$O $(OBJDIR)$Pcerts$O $(OBJDIR)$Pchain$O $(OBJDIR)$Pclient$O $(OBJDIR)$Perrors$O $(OBJDIR)$Pfiles$O $(OBJDIR)$Pimpl$O $(OBJDIR)$Pkeys$O $(OBJDIR)$Pnames$O $(OBJDIR)$Pserver$O $(OBJDIR)$Pskey$O $(OBJDIR)$Psslio$O $(OBJDIR)$Pta$O $(OBJDIR)$Ptwrch$O $(OBJDIR)$Pvector$O $(OBJDIR)$Pverify$O $(OBJDIR)$Pxmem$O OBJTESTCRYPTO = $(OBJDIR)$Ptest_crypto$O OBJTESTSPEED = $(OBJDIR)$Ptest_speed$O OBJTESTX509 = $(OBJDIR)$Ptest_x509$O @@ -61,6 +61,9 @@ $(TESTSPEED): $(BEARSSLLIB) $(OBJTESTSPEED) $(TESTX509): $(BEARSSLLIB) $(OBJTESTX509) $(LD) $(LDFLAGS) $(LDOUT)$(TESTX509) $(OBJTESTX509) $(BEARSSLLIB) +$(OBJDIR)$Psettings$O: src$Psettings.c $(HEADERSPRIV) + $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Psettings$O src$Psettings.c + $(OBJDIR)$Pgcm$O: src$Paead$Pgcm.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Pgcm$O src$Paead$Pgcm.c @@ -409,6 +412,9 @@ $(OBJDIR)$Phmac_ct$O: src$Pmac$Phmac_ct.c $(HEADERSPRIV) $(OBJDIR)$Phmac_drbg$O: src$Prand$Phmac_drbg.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Phmac_drbg$O src$Prand$Phmac_drbg.c +$(OBJDIR)$Psysrng$O: src$Prand$Psysrng.c $(HEADERSPRIV) + $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Psysrng$O src$Prand$Psysrng.c + $(OBJDIR)$Prsa_default_pkcs1_sign$O: src$Prsa$Prsa_default_pkcs1_sign.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Prsa_default_pkcs1_sign$O src$Prsa$Prsa_default_pkcs1_sign.c @@ -757,6 +763,9 @@ $(OBJDIR)$Perrors$O: tools$Perrors.c $(HEADERSTOOLS) $(OBJDIR)$Pfiles$O: tools$Pfiles.c $(HEADERSTOOLS) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Pfiles$O tools$Pfiles.c +$(OBJDIR)$Pimpl$O: tools$Pimpl.c $(HEADERSTOOLS) + $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Pimpl$O tools$Pimpl.c + $(OBJDIR)$Pkeys$O: tools$Pkeys.c $(HEADERSTOOLS) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Pkeys$O tools$Pkeys.c diff --git a/mk/mkrules.sh b/mk/mkrules.sh index 26f8546..44f787e 100755 --- a/mk/mkrules.sh +++ b/mk/mkrules.sh @@ -49,6 +49,7 @@ set -e # Source files. Please keep in alphabetical order. coresrc=" \ + src/settings.c \ src/aead/gcm.c \ src/codec/ccopy.c \ src/codec/dec16be.c \ @@ -165,6 +166,7 @@ coresrc=" \ src/mac/hmac.c \ src/mac/hmac_ct.c \ src/rand/hmac_drbg.c \ + src/rand/sysrng.c \ src/rsa/rsa_default_pkcs1_sign.c \ src/rsa/rsa_default_pkcs1_vrfy.c \ src/rsa/rsa_default_priv.c \ @@ -284,6 +286,7 @@ toolssrc=" \ tools/client.c \ tools/errors.c \ tools/files.c \ + tools/impl.c \ tools/keys.c \ tools/names.c \ tools/server.c \ diff --git a/src/config.h b/src/config.h index b06807b..accae3e 100644 --- a/src/config.h +++ b/src/config.h @@ -98,6 +98,17 @@ #define BR_NO_ARITH_SHIFT 1 */ +/* + * When BR_RDRAND is enabled, the SSL engine will use the RDRAND opcode + * to automatically obtain quality randomness for seeding its internal + * PRNG. Since that opcode is present only in recent x86 CPU, its + * support is dynamically tested; if the current CPU does not support + * it, then another random source will be used, such as /dev/urandom or + * CryptGenRandom(). + * +#define BR_RDRAND 1 + */ + /* * When BR_USE_URANDOM is enabled, the SSL engine will use /dev/urandom * to automatically obtain quality randomness for seedings its internal diff --git a/src/hash/ghash_pclmul.c b/src/hash/ghash_pclmul.c index 7c8f2fa..a58e7dc 100644 --- a/src/hash/ghash_pclmul.c +++ b/src/hash/ghash_pclmul.c @@ -22,6 +22,7 @@ * SOFTWARE. */ +#define BR_ENABLE_INTRINSICS 1 #include "inner.h" /* @@ -31,20 +32,27 @@ #if BR_AES_X86NI -#if BR_AES_X86NI_GCC -#if BR_AES_X86NI_GCC_OLD -#pragma GCC push_options -#pragma GCC target("sse2,ssse3,pclmul") -#pragma GCC diagnostic ignored "-Wpsabi" -#endif -#include -#include -#include -#endif +/* + * Test CPU support for PCLMULQDQ. + */ +static inline int +pclmul_supported(void) +{ + /* + * Bit mask for features in ECX: + * 1 PCLMULQDQ support + */ + return br_cpuid(0, 0, 0x00000002, 0); +} -#if BR_AES_X86NI_MSC -#include -#endif +/* see bearssl_hash.h */ +br_ghash +br_ghash_pclmul_get(void) +{ + return pclmul_supported() ? &br_ghash_pclmul : 0; +} + +BR_TARGETS_X86_UP /* * GHASH is defined over elements of GF(2^128) with "full little-endian" @@ -73,6 +81,66 @@ * chunks. We number chunks from 0 to 3 in left to right order. */ +/* + * Byte-swap a complete 128-bit value. This normally uses + * _mm_shuffle_epi8(), which gets translated to pshufb (an SSSE3 opcode). + * However, this crashes old Clang versions, so, for Clang before 3.8, + * we use an alternate (and less efficient) version. + */ +#if BR_CLANG && !BR_CLANG_3_8 +#define BYTESWAP_DECL +#define BYTESWAP_PREP (void)0 +#define BYTESWAP(x) do { \ + __m128i byteswap1, byteswap2; \ + byteswap1 = (x); \ + byteswap2 = _mm_srli_epi16(byteswap1, 8); \ + byteswap1 = _mm_slli_epi16(byteswap1, 8); \ + byteswap1 = _mm_or_si128(byteswap1, byteswap2); \ + byteswap1 = _mm_shufflelo_epi16(byteswap1, 0x1B); \ + byteswap1 = _mm_shufflehi_epi16(byteswap1, 0x1B); \ + (x) = _mm_shuffle_epi32(byteswap1, 0x4E); \ + } while (0) +#else +#define BYTESWAP_DECL __m128i byteswap_index; +#define BYTESWAP_PREP do { \ + byteswap_index = _mm_set_epi8( \ + 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15); \ + } while (0) +#define BYTESWAP(x) do { \ + (x) = _mm_shuffle_epi8((x), byteswap_index); \ + } while (0) +#endif + +/* + * Call pclmulqdq. Clang appears to have trouble with the intrinsic, so, + * for that compiler, we use inline assembly. Inline assembly is + * potentially a bit slower because the compiler does not understand + * what the opcode does, and thus cannot optimize instruction + * scheduling. + * + * We use a target of "sse2" only, so that Clang may still handle the + * '__m128i' type and allocate SSE2 registers. + */ +#if BR_CLANG +BR_TARGET("sse2") +static inline __m128i +pclmulqdq00(__m128i x, __m128i y) +{ + __asm__ ("pclmulqdq $0x00, %1, %0" : "+x" (x) : "x" (y)); + return x; +} +BR_TARGET("sse2") +static inline __m128i +pclmulqdq11(__m128i x, __m128i y) +{ + __asm__ ("pclmulqdq $0x11, %1, %0" : "+x" (x) : "x" (y)); + return x; +} +#else +#define pclmulqdq00(x, y) _mm_clmulepi64_si128(x, y, 0x00) +#define pclmulqdq11(x, y) _mm_clmulepi64_si128(x, y, 0x11) +#endif + /* * From a 128-bit value kw, compute kx as the XOR of the two 64-bit * halves of kw (into the right half of kx; left half is unspecified). @@ -150,8 +218,8 @@ */ #define SQUARE_F128(kw, dw, dx) do { \ __m128i z0, z1, z2, z3; \ - z1 = _mm_clmulepi64_si128(kw, kw, 0x11); \ - z3 = _mm_clmulepi64_si128(kw, kw, 0x00); \ + z1 = pclmulqdq11(kw, kw); \ + z3 = pclmulqdq00(kw, kw); \ z0 = _mm_shuffle_epi32(z1, 0x0E); \ z2 = _mm_shuffle_epi32(z3, 0x0E); \ SL_256(z0, z1, z2, z3); \ @@ -168,7 +236,7 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len) unsigned char tmp[64]; size_t num4, num1; __m128i yw, h1w, h1x; - __m128i byteswap_index; + BYTESWAP_DECL /* * We split data into two chunks. First chunk starts at buf1 @@ -188,18 +256,17 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len) } /* - * Constant value to perform endian conversion. + * Preparatory step for endian conversions. */ - byteswap_index = _mm_set_epi8( - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15); + BYTESWAP_PREP; /* * Load y and h. */ yw = _mm_loadu_si128(y); h1w = _mm_loadu_si128(h); - yw = _mm_shuffle_epi8(yw, byteswap_index); - h1w = _mm_shuffle_epi8(h1w, byteswap_index); + BYTESWAP(yw); + BYTESWAP(h1w); BK(h1w, h1x); if (num4 > 0) { @@ -214,9 +281,9 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len) /* * Compute h3 = h^3 = h*(h^2). */ - t1 = _mm_clmulepi64_si128(h1w, h2w, 0x11); - t3 = _mm_clmulepi64_si128(h1w, h2w, 0x00); - t2 = _mm_xor_si128(_mm_clmulepi64_si128(h1x, h2x, 0x00), + t1 = pclmulqdq11(h1w, h2w); + t3 = pclmulqdq00(h1w, h2w); + t2 = _mm_xor_si128(pclmulqdq00(h1x, h2x), _mm_xor_si128(t1, t3)); t0 = _mm_shuffle_epi32(t1, 0x0E); t1 = _mm_xor_si128(t1, _mm_shuffle_epi32(t2, 0x0E)); @@ -238,10 +305,10 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len) aw1 = _mm_loadu_si128((void *)(buf1 + 16)); aw2 = _mm_loadu_si128((void *)(buf1 + 32)); aw3 = _mm_loadu_si128((void *)(buf1 + 48)); - aw0 = _mm_shuffle_epi8(aw0, byteswap_index); - aw1 = _mm_shuffle_epi8(aw1, byteswap_index); - aw2 = _mm_shuffle_epi8(aw2, byteswap_index); - aw3 = _mm_shuffle_epi8(aw3, byteswap_index); + BYTESWAP(aw0); + BYTESWAP(aw1); + BYTESWAP(aw2); + BYTESWAP(aw3); buf1 += 64; aw0 = _mm_xor_si128(aw0, yw); @@ -252,25 +319,25 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len) t1 = _mm_xor_si128( _mm_xor_si128( - _mm_clmulepi64_si128(aw0, h4w, 0x11), - _mm_clmulepi64_si128(aw1, h3w, 0x11)), + pclmulqdq11(aw0, h4w), + pclmulqdq11(aw1, h3w)), _mm_xor_si128( - _mm_clmulepi64_si128(aw2, h2w, 0x11), - _mm_clmulepi64_si128(aw3, h1w, 0x11))); + pclmulqdq11(aw2, h2w), + pclmulqdq11(aw3, h1w))); t3 = _mm_xor_si128( _mm_xor_si128( - _mm_clmulepi64_si128(aw0, h4w, 0x00), - _mm_clmulepi64_si128(aw1, h3w, 0x00)), + pclmulqdq00(aw0, h4w), + pclmulqdq00(aw1, h3w)), _mm_xor_si128( - _mm_clmulepi64_si128(aw2, h2w, 0x00), - _mm_clmulepi64_si128(aw3, h1w, 0x00))); + pclmulqdq00(aw2, h2w), + pclmulqdq00(aw3, h1w))); t2 = _mm_xor_si128( _mm_xor_si128( - _mm_clmulepi64_si128(ax0, h4x, 0x00), - _mm_clmulepi64_si128(ax1, h3x, 0x00)), + pclmulqdq00(ax0, h4x), + pclmulqdq00(ax1, h3x)), _mm_xor_si128( - _mm_clmulepi64_si128(ax2, h2x, 0x00), - _mm_clmulepi64_si128(ax3, h1x, 0x00))); + pclmulqdq00(ax2, h2x), + pclmulqdq00(ax3, h1x))); t2 = _mm_xor_si128(t2, _mm_xor_si128(t1, t3)); t0 = _mm_shuffle_epi32(t1, 0x0E); t1 = _mm_xor_si128(t1, _mm_shuffle_epi32(t2, 0x0E)); @@ -286,15 +353,15 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len) __m128i t0, t1, t2, t3; aw = _mm_loadu_si128((void *)buf2); - aw = _mm_shuffle_epi8(aw, byteswap_index); + BYTESWAP(aw); buf2 += 16; aw = _mm_xor_si128(aw, yw); BK(aw, ax); - t1 = _mm_clmulepi64_si128(aw, h1w, 0x11); - t3 = _mm_clmulepi64_si128(aw, h1w, 0x00); - t2 = _mm_clmulepi64_si128(ax, h1x, 0x00); + t1 = pclmulqdq11(aw, h1w); + t3 = pclmulqdq00(aw, h1w); + t2 = pclmulqdq00(ax, h1x); t2 = _mm_xor_si128(t2, _mm_xor_si128(t1, t3)); t0 = _mm_shuffle_epi32(t1, 0x0E); t1 = _mm_xor_si128(t1, _mm_shuffle_epi32(t2, 0x0E)); @@ -304,52 +371,11 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len) yw = _mm_unpacklo_epi64(t1, t0); } - yw = _mm_shuffle_epi8(yw, byteswap_index); + BYTESWAP(yw); _mm_storeu_si128(y, yw); } -/* - * Test CPU support for PCLMULQDQ. - */ -static int -pclmul_supported(void) -{ - /* - * Bit mask for features in ECX: - * 1 PCLMULQDQ support - */ -#define MASK 0x00000002 - -#if BR_AES_X86NI_GCC - unsigned eax, ebx, ecx, edx; - - if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) { - return (ecx & MASK) == MASK; - } else { - return 0; - } -#elif BR_AES_X86NI_MSC - int info[4]; - - __cpuid(info, 1); - return ((uint32_t)info[2] & MASK) == MASK; -#else - return 0; -#endif - -#undef MASK -} - -/* see bearssl_hash.h */ -br_ghash -br_ghash_pclmul_get(void) -{ - return pclmul_supported() ? &br_ghash_pclmul : 0; -} - -#if BR_AES_X86NI_GCC && BR_AES_X86NI_GCC_OLD -#pragma GCC pop_options -#endif +BR_TARGETS_X86_DOWN #else diff --git a/src/inner.h b/src/inner.h index 2829f23..52bcaf0 100644 --- a/src/inner.h +++ b/src/inner.h @@ -109,97 +109,212 @@ * Set BR_LOMUL on platforms where it makes sense. */ #ifndef BR_LOMUL -#if BR_ARMEL_CORTEX_GCC +#if BR_ARMEL_CORTEXM_GCC #define BR_LOMUL 1 #endif #endif /* - * Determine whether x86 AES instructions are understood by the compiler. + * Architecture detection. */ -#ifndef BR_AES_X86NI -#if (__i386__ || __x86_64__) \ - && ((__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 8)) \ - || (__clang_major__ > 3 \ - || (__clang_major__ == 3 && __clang_minor__ >= 7))) -#define BR_AES_X86NI 1 -#elif (_M_IX86 || _M_X64) && (_MSC_VER >= 1700) -#define BR_AES_X86NI 1 +#ifndef BR_i386 +#if __i386__ || _M_IX86 +#define BR_i386 1 +#endif +#endif + +#ifndef BR_amd64 +#if __x86_64__ || _M_X64 +#define BR_amd64 1 #endif #endif /* - * If we use x86 AES instruction, determine the compiler brand. - */ -#if BR_AES_X86NI -#ifndef BR_AES_X86NI_GCC -#if __GNUC__ -#define BR_AES_X86NI_GCC 1 + * Compiler brand and version. + * + * Implementations that use intrinsics need to detect the compiler type + * and version because some specific actions may be needed to activate + * the corresponding opcodes, both for header inclusion, and when using + * them in a function. + * + * BR_GCC, BR_CLANG and BR_MSC will be set to 1 for, respectively, GCC, + * Clang and MS Visual C. For each of them, sub-macros will be defined + * for versions; each sub-macro is set whenever the compiler version is + * at least as recent as the one corresponding to the macro. + */ + +/* + * GCC thresholds are on versions 4.4 to 4.9 and 5.0. + */ +#ifndef BR_GCC +#if __GNUC__ && !__clang__ +#define BR_GCC 1 + +#if __GNUC__ > 4 +#define BR_GCC_5_0 1 +#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 9 +#define BR_GCC_4_9 1 +#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 8 +#define BR_GCC_4_8 1 +#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 7 +#define BR_GCC_4_7 1 +#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 6 +#define BR_GCC_4_6 1 +#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 5 +#define BR_GCC_4_5 1 +#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 4 +#define BR_GCC_4_4 1 +#endif + +#if BR_GCC_5_0 +#define BR_GCC_4_9 1 +#endif +#if BR_GCC_4_9 +#define BR_GCC_4_8 1 #endif +#if BR_GCC_4_8 +#define BR_GCC_4_7 1 #endif -#ifndef BR_AES_X86NI_MSC -#if _MSC_VER >= 1700 -#define BR_AES_X86NI_MSC 1 +#if BR_GCC_4_7 +#define BR_GCC_4_6 1 #endif +#if BR_GCC_4_6 +#define BR_GCC_4_5 1 +#endif +#if BR_GCC_4_5 +#define BR_GCC_4_4 1 +#endif + #endif #endif /* - * Determine whether SSE2 intrinsics are understood by the compiler. - * Right now, we restrict ourselves to compiler versions where things - * are documented to work well: - * -- GCC 4.4+ and Clang 3.7+ understand the function attribute "target" - * -- MS Visual Studio 2005 documents the existence of - * SSE2-powered code _might_ work with older versions, but there is no - * pressing need to do so right now. + * Clang thresholds are on versions 3.7.0 and 3.8.0. */ -#ifndef BR_SSE2 -#if (__i386__ || __x86_64__) \ - && ((__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4)) \ - || (__clang_major__ > 3 \ - || (__clang_major__ == 3 && __clang_minor__ >= 7))) -#define BR_SSE2 1 -#elif (_M_IX86 || _M_X64) && (_MSC_VER >= 1400) -#define BR_SSE2 1 +#ifndef BR_CLANG +#if __clang__ +#define BR_CLANG 1 + +#if __clang_major__ > 3 || (__clang_major__ == 3 && __clang_minor__ >= 8) +#define BR_CLANG_3_8 1 +#elif __clang_major__ == 3 && __clang_minor__ >= 7 +#define BR_CLANG_3_7 1 +#endif + +#if BR_CLANG_3_8 +#define BR_CLANG_3_7 1 +#endif + #endif #endif /* - * If we use SSE2 intrinsics, determine the compiler brand. + * MS Visual C thresholds are on Visual Studio 2005 to 2015. */ -#if BR_SSE2 -#ifndef BR_SSE2_GCC -#if __GNUC__ -#define BR_SSE2_GCC 1 +#ifndef BR_MSC +#if _MSC_VER +#define BR_MSC 1 + +#if _MSC_VER >= 1900 +#define BR_MSC_2015 1 +#elif _MSC_VER >= 1800 +#define BR_MSC_2013 1 +#elif _MSC_VER >= 1700 +#define BR_MSC_2012 1 +#elif _MSC_VER >= 1600 +#define BR_MSC_2010 1 +#elif _MSC_VER >= 1500 +#define BR_MSC_2008 1 +#elif _MSC_VER >= 1400 +#define BR_MSC_2005 1 #endif + +#if BR_MSC_2015 +#define BR_MSC_2013 1 +#endif +#if BR_MSC_2013 +#define BR_MSC_2012 1 +#endif +#if BR_MSC_2012 +#define BR_MSC_2010 1 #endif -#ifndef BR_SSE2_MSC -#if _MSC_VER >= 1400 -#define BR_SSE2_MSC 1 +#if BR_MSC_2010 +#define BR_MSC_2008 1 #endif +#if BR_MSC_2008 +#define BR_MSC_2005 1 +#endif + #endif #endif /* - * A macro to tag a function with a "target" attribute (for GCC and Clang). + * GCC 4.4+ and Clang 3.7+ allow tagging specific functions with a + * 'target' attribute that activates support for specific opcodes. */ -#if BR_AES_X86NI_GCC || BR_SSE2_GCC +#if BR_GCC_4_4 || BR_CLANG_3_7 #define BR_TARGET(x) __attribute__((target(x))) #else #define BR_TARGET(x) #endif /* - * GCC versions from 4.4 to 4.8 (inclusive) must use a special #pragma - * to activate extra opcodes before including the relevant intrinsic - * AES-NI headers. But these don't work with Clang (which does not need - * them either). We also need that #pragma for GCC 4.9 in order to work - * around a compiler bug (it tends to blow up on ghash_pclmul code - * otherwise). + * AES-NI intrinsics are available on x86 (32-bit and 64-bit) with + * GCC 4.8+, Clang 3.7+ and MSC 2012+. + */ +#ifndef BR_AES_X86NI +#if (BR_i386 || BR_amd64) && (BR_GCC_4_8 || BR_CLANG_3_7 || BR_MSC_2012) +#define BR_AES_X86NI 1 +#endif +#endif + +/* + * SSE2 intrinsics are available on x86 (32-bit and 64-bit) with + * GCC 4.4+, Clang 3.7+ and MSC 2005+. */ -#if BR_AES_X86NI_GCC && !defined BR_AES_X86NI_GCC_OLD -#if __GNUC__ == 4 && __GNUC_MINOR__ >= 4 && __GNUC_MINOR__ <= 9 && !__clang__ -#define BR_AES_X86NI_GCC_OLD 1 +#ifndef BR_SSE2 +#if (BR_i386 || BR_amd64) && (BR_GCC_4_4 || BR_CLANG_3_7 || BR_MSC_2005) +#define BR_SSE2 1 +#endif +#endif + +/* + * RDRAND intrinsics are available on x86 (32-bit and 64-bit) with + * GCC 4.6+, Clang 3.7+ and MSC 2012+. + */ +#ifndef BR_RDRAND +#if (BR_i386 || BR_amd64) && (BR_GCC_4_6 || BR_CLANG_3_7 || BR_MSC_2012) +#define BR_RDRAND 1 +#endif +#endif + +/* + * Determine type of OS for random number generation. Macro names and + * values are documented on: + * https://sourceforge.net/p/predef/wiki/OperatingSystems/ + * + * TODO: enrich the list of detected system. Also add detection for + * alternate system calls like getentropy(), which are usually + * preferable when available. + */ + +#ifndef BR_USE_URANDOM +#if defined _AIX \ + || defined __ANDROID__ \ + || defined __FreeBSD__ \ + || defined __NetBSD__ \ + || defined __OpenBSD__ \ + || defined __DragonFly__ \ + || defined __linux__ \ + || (defined __sun && (defined __SVR4 || defined __svr4__)) \ + || (defined __APPLE__ && defined __MACH__) +#define BR_USE_URANDOM 1 +#endif +#endif + +#ifndef BR_USE_WIN32_RAND +#if defined _WIN32 || defined _WIN64 +#define BR_USE_WIN32_RAND 1 #endif #endif @@ -281,6 +396,24 @@ #endif +/* + * Detect support for an OS-provided time source. + */ + +#ifndef BR_USE_UNIX_TIME +#if defined __unix__ || defined __linux__ \ + || defined _POSIX_SOURCE || defined _POSIX_C_SOURCE \ + || (defined __APPLE__ && defined __MACH__) +#define BR_USE_UNIX_TIME 1 +#endif +#endif + +#ifndef BR_USE_WIN32_TIME +#if defined _WIN32 || defined _WIN64 +#define BR_USE_WIN32_TIME 1 +#endif +#endif + /* ==================================================================== */ /* * Encoding/decoding functions. @@ -2087,6 +2220,118 @@ int br_ssl_choose_hash(unsigned bf); #endif +/* ==================================================================== */ +/* + * Special "activate intrinsics" code, needed for some compiler versions. + * This is defined at the end of this file, so that it won't impact any + * of the inline functions defined previously; and it is controlled by + * a specific macro defined in the caller code. + * + * Calling code conventions: + * + * - Caller must define BR_ENABLE_INTRINSICS before including "inner.h". + * - Functions that use intrinsics must be enclosed in an "enabled" + * region (between BR_TARGETS_X86_UP and BR_TARGETS_X86_DOWN). + * - Functions that use intrinsics must be tagged with the appropriate + * BR_TARGET(). + */ + +#if BR_ENABLE_INTRINSICS && (BR_GCC_4_4 || BR_CLANG_3_7 || BR_MSC_2005) + +/* + * x86 intrinsics (both 32-bit and 64-bit). + */ +#if BR_i386 || BR_amd64 + +#if BR_GCC && !BR_GCC_5_0 +#if BR_GCC_4_6 +#define BR_TARGETS_X86_UP \ + _Pragma("GCC push_options") \ + _Pragma("GCC target(\"sse2,ssse3,sse4.1,aes,pclmul,rdrnd\")") +#else +#define BR_TARGETS_X86_UP \ + _Pragma("GCC push_options") \ + _Pragma("GCC target(\"sse2,ssse3,sse4.1,aes,pclmul\")") +#endif +#define BR_TARGETS_X86_DOWN \ + _Pragma("GCC pop_options") +#pragma GCC diagnostic ignored "-Wpsabi" +#endif + +#if BR_CLANG && !BR_CLANG_3_8 +#undef __SSE2__ +#undef __SSE3__ +#undef __SSSE3__ +#undef __SSE4_1__ +#undef __AES__ +#undef __PCLMUL__ +#undef __RDRND__ +#define __SSE2__ 1 +#define __SSE3__ 1 +#define __SSSE3__ 1 +#define __SSE4_1__ 1 +#define __AES__ 1 +#define __PCLMUL__ 1 +#define __RDRND__ 1 +#endif + +#ifndef BR_TARGETS_X86_UP +#define BR_TARGETS_X86_UP +#endif +#ifndef BR_TARGETS_X86_DOWN +#define BR_TARGETS_X86_DOWN +#endif + +#if BR_GCC || BR_CLANG +BR_TARGETS_X86_UP +#include +#include +#define bswap32 __builtin_bswap32 +BR_TARGETS_X86_DOWN +#endif + +#if BR_MSC +#include +#include +#include +#define bswap32 _byteswap_ulong +#endif + +static inline int +br_cpuid(uint32_t mask_eax, uint32_t mask_ebx, + uint32_t mask_ecx, uint32_t mask_edx) +{ +#if BR_GCC || BR_CLANG + unsigned eax, ebx, ecx, edx; + + if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) { + if ((eax & mask_eax) == mask_eax + && (ebx & mask_ebx) == mask_ebx + && (ecx & mask_ecx) == mask_ecx + && (edx & mask_edx) == mask_edx) + { + return 1; + } + } +#elif BR_MSC + int info[4]; + + __cpuid(info, 1); + if (((uint32_t)info[0] & mask_eax) == mask_eax + && ((uint32_t)info[1] & mask_ebx) == mask_ebx + && ((uint32_t)info[2] & mask_ecx) == mask_ecx + && ((uint32_t)info[3] & mask_edx) == mask_edx) + { + return 1; + } +#endif + return 0; +} + +#endif + +#endif + /* ==================================================================== */ #endif diff --git a/src/rand/sysrng.c b/src/rand/sysrng.c new file mode 100644 index 0000000..3a10db9 --- /dev/null +++ b/src/rand/sysrng.c @@ -0,0 +1,169 @@ +/* + * Copyright (c) 2017 Thomas Pornin + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#define BR_ENABLE_INTRINSICS 1 +#include "inner.h" + +#if BR_USE_URANDOM +#include +#include +#include +#include +#endif + +#if BR_USE_WIN32_RAND +#include +#include +#pragma comment(lib, "advapi32") +#endif + +#if BR_RDRAND +BR_TARGETS_X86_UP +BR_TARGET("rdrnd") +static int +seeder_rdrand(const br_prng_class **ctx) +{ + unsigned char tmp[32]; + size_t u; + + for (u = 0; u < sizeof tmp; u += sizeof(uint32_t)) { + int j; + uint32_t x; + + /* + * We use the 32-bit intrinsic so that code is compatible + * with both 32-bit and 64-bit architectures. + * + * Intel recommends trying at least 10 times in case of + * failure. + */ + for (j = 0; j < 10; j ++) { + if (_rdrand32_step(&x)) { + goto next_word; + } + } + return 0; + next_word: + br_enc32le(tmp + u, x); + } + (*ctx)->update(ctx, tmp, sizeof tmp); + return 1; +} +BR_TARGETS_X86_DOWN + +static int +rdrand_supported(void) +{ + /* + * The RDRND support is bit 30 of ECX, as returned by CPUID. + */ + return br_cpuid(0, 0, 0x40000000, 0); +} + +#endif + +#if BR_USE_URANDOM +static int +seeder_urandom(const br_prng_class **ctx) +{ + int f; + + f = open("/dev/urandom", O_RDONLY); + if (f >= 0) { + unsigned char tmp[32]; + size_t u; + + for (u = 0; u < sizeof tmp;) { + ssize_t len; + + len = read(f, tmp + u, (sizeof tmp) - u); + if (len < 0) { + if (errno == EINTR) { + continue; + } + break; + } + u += (size_t)len; + } + close(f); + if (u == sizeof tmp) { + (*ctx)->update(ctx, tmp, sizeof tmp); + return 1; + } + } + return 0; +} +#endif + +#if BR_USE_WIN32_RAND +static int +seeder_win32(const br_prng_class **ctx) +{ + HCRYPTPROV hp; + + if (CryptAcquireContext(&hp, 0, 0, PROV_RSA_FULL, + CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) + { + BYTE buf[32]; + BOOL r; + + r = CryptGenRandom(hp, sizeof buf, buf); + CryptReleaseContext(hp, 0); + if (r) { + (*ctx)->update(ctx, buf, sizeof buf); + return 1; + } + } + return 0; +} +#endif + +/* see bearssl_rand.h.h */ +br_prng_seeder +br_prng_seeder_system(const char **name) +{ +#if BR_RDRAND + if (rdrand_supported()) { + if (name != NULL) { + *name = "rdrand"; + } + return &seeder_rdrand; + } +#endif +#if BR_USE_URANDOM + if (name != NULL) { + *name = "urandom"; + } + return &seeder_urandom; +#elif BR_USE_WIN32_RAND + if (name != NULL) { + *name = "win32"; + } + return &seeder_win32; +#endif + if (name != NULL) { + *name = "none"; + } + return 0; +} diff --git a/src/settings.c b/src/settings.c new file mode 100644 index 0000000..309271c --- /dev/null +++ b/src/settings.c @@ -0,0 +1,306 @@ +/* + * Copyright (c) 2017 Thomas Pornin + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "inner.h" + +static const br_config_option config[] = { + { "BR_64", +#if BR_64 + 1 +#else + 0 +#endif + }, + { "BR_AES_X86NI", +#if BR_AES_X86NI + 1 +#else + 0 +#endif + }, + { "BR_amd64", +#if BR_amd64 + 1 +#else + 0 +#endif + }, + { "BR_ARMEL_CORTEXM_GCC", +#if BR_ARMEL_CORTEXM_GCC + 1 +#else + 0 +#endif + }, + { "BR_BE_UNALIGNED", +#if BR_BE_UNALIGNED + 1 +#else + 0 +#endif + }, + { "BR_CLANG", +#if BR_CLANG + 1 +#else + 0 +#endif + }, + { "BR_CLANG_3_7", +#if BR_CLANG_3_7 + 1 +#else + 0 +#endif + }, + { "BR_CLANG_3_8", +#if BR_CLANG_3_8 + 1 +#else + 0 +#endif + }, + { "BR_CT_MUL15", +#if BR_CT_MUL15 + 1 +#else + 0 +#endif + }, + { "BR_CT_MUL31", +#if BR_CT_MUL31 + 1 +#else + 0 +#endif + }, + { "BR_GCC", +#if BR_GCC + 1 +#else + 0 +#endif + }, + { "BR_GCC_4_4", +#if BR_GCC_4_4 + 1 +#else + 0 +#endif + }, + { "BR_GCC_4_5", +#if BR_GCC_4_5 + 1 +#else + 0 +#endif + }, + { "BR_GCC_4_6", +#if BR_GCC_4_6 + 1 +#else + 0 +#endif + }, + { "BR_GCC_4_7", +#if BR_GCC_4_7 + 1 +#else + 0 +#endif + }, + { "BR_GCC_4_8", +#if BR_GCC_4_8 + 1 +#else + 0 +#endif + }, + { "BR_GCC_4_9", +#if BR_GCC_4_9 + 1 +#else + 0 +#endif + }, + { "BR_GCC_5_0", +#if BR_GCC_5_0 + 1 +#else + 0 +#endif + }, + { "BR_i386", +#if BR_i386 + 1 +#else + 0 +#endif + }, + { "BR_INT128", +#if BR_INT128 + 1 +#else + 0 +#endif + }, + { "BR_LE_UNALIGNED", +#if BR_LE_UNALIGNED + 1 +#else + 0 +#endif + }, + { "BR_LOMUL", +#if BR_LOMUL + 1 +#else + 0 +#endif + }, + { "BR_MAX_EC_SIZE", BR_MAX_EC_SIZE }, + { "BR_MAX_RSA_SIZE", BR_MAX_RSA_SIZE }, + { "BR_MAX_RSA_FACTOR", BR_MAX_RSA_FACTOR }, + { "BR_MSC", +#if BR_MSC + 1 +#else + 0 +#endif + }, + { "BR_MSC_2005", +#if BR_MSC_2005 + 1 +#else + 0 +#endif + }, + { "BR_MSC_2008", +#if BR_MSC_2008 + 1 +#else + 0 +#endif + }, + { "BR_MSC_2010", +#if BR_MSC_2010 + 1 +#else + 0 +#endif + }, + { "BR_MSC_2012", +#if BR_MSC_2012 + 1 +#else + 0 +#endif + }, + { "BR_MSC_2013", +#if BR_MSC_2013 + 1 +#else + 0 +#endif + }, + { "BR_MSC_2015", +#if BR_MSC_2015 + 1 +#else + 0 +#endif + }, + { "BR_POWER8", +#if BR_POWER8 + 1 +#else + 0 +#endif + }, + { "BR_RDRAND", +#if BR_RDRAND + 1 +#else + 0 +#endif + }, + { "BR_SLOW_MUL", +#if BR_SLOW_MUL + 1 +#else + 0 +#endif + }, + { "BR_SLOW_MUL15", +#if BR_SLOW_MUL15 + 1 +#else + 0 +#endif + }, + { "BR_SSE2", +#if BR_SSE2 + 1 +#else + 0 +#endif + }, + { "BR_UMUL128", +#if BR_UMUL128 + 1 +#else + 0 +#endif + }, + { "BR_USE_UNIX_TIME", +#if BR_USE_UNIX_TIME + 1 +#else + 0 +#endif + }, + { "BR_USE_WIN32_RAND", +#if BR_USE_WIN32_RAND + 1 +#else + 0 +#endif + }, + { "BR_USE_WIN32_TIME", +#if BR_USE_WIN32_TIME + 1 +#else + 0 +#endif + }, + + { NULL, 0 } +}; + +/* see bearssl.h */ +const br_config_option * +br_get_config(void) +{ + return config; +} diff --git a/src/ssl/ssl_engine.c b/src/ssl/ssl_engine.c index 529b107..1022d87 100644 --- a/src/ssl/ssl_engine.c +++ b/src/ssl/ssl_engine.c @@ -24,6 +24,9 @@ #include "inner.h" +#if 0 +/* obsolete */ + /* * If BR_USE_URANDOM is not defined, then try to autodetect its presence * through compiler macros. @@ -75,6 +78,8 @@ #pragma comment(lib, "advapi32") #endif +#endif + /* ==================================================================== */ /* * This part of the file does the low-level record management. @@ -456,65 +461,71 @@ engine_clearbuf(br_ssl_engine_context *rc) make_ready_out(rc); } -/* see inner.h */ -int -br_ssl_engine_init_rand(br_ssl_engine_context *cc) +/* + * Make sure the internal PRNG is initialised (but not necessarily + * seeded properly yet). + */ +static int +rng_init(br_ssl_engine_context *cc) { + const br_hash_class *h; + + if (cc->rng_init_done != 0) { + return 1; + } + /* - * TODO: use getrandom() on Linux systems, with a fallback to - * opening /dev/urandom if that system call fails. + * If using TLS-1.2, then SHA-256 or SHA-384 must be present (or + * both); we prefer SHA-256 which is faster for 32-bit systems. * - * Use similar OS facilities on other OS (getentropy() on OpenBSD, - * specialized sysctl on NetBSD and FreeBSD...). + * If using TLS-1.0 or 1.1 then SHA-1 must be present. + * + * Though HMAC_DRBG/SHA-1 is, as far as we know, as safe as + * these things can be, we still prefer the SHA-2 functions over + * SHA-1, if only for public relations (known theoretical + * weaknesses of SHA-1 with regards to collisions are mostly + * irrelevant here, but they still make people nervous). */ -#if BR_USE_URANDOM - if (!cc->rng_os_rand_done) { - int f; - - f = open("/dev/urandom", O_RDONLY); - if (f >= 0) { - unsigned char tmp[32]; - size_t u; - - for (u = 0; u < sizeof tmp;) { - ssize_t len; - - len = read(f, tmp + u, (sizeof tmp) - u); - if (len < 0) { - if (errno == EINTR) { - continue; - } - break; - } - u += (size_t)len; - } - close(f); - if (u == sizeof tmp) { - br_ssl_engine_inject_entropy(cc, tmp, u); - cc->rng_os_rand_done = 1; + h = br_multihash_getimpl(&cc->mhash, br_sha256_ID); + if (!h) { + h = br_multihash_getimpl(&cc->mhash, br_sha384_ID); + if (!h) { + h = br_multihash_getimpl(&cc->mhash, + br_sha1_ID); + if (!h) { + br_ssl_engine_fail(cc, BR_ERR_BAD_STATE); + return 0; } } } -#elif BR_USE_WIN32_RAND - if (!cc->rng_os_rand_done) { - HCRYPTPROV hp; + br_hmac_drbg_init(&cc->rng, h, NULL, 0); + cc->rng_init_done = 1; + return 1; +} - if (CryptAcquireContextW(&hp, 0, 0, PROV_RSA_FULL, - CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) - { - BYTE buf[32]; +/* see inner.h */ +int +br_ssl_engine_init_rand(br_ssl_engine_context *cc) +{ + if (!rng_init(cc)) { + return 0; + } - if (CryptGenRandom(hp, sizeof buf, buf)) { - br_ssl_engine_inject_entropy(cc, - buf, sizeof buf); - cc->rng_os_rand_done = 1; - } - CryptReleaseContext(hp, 0); + /* + * We always try OS/hardware seeding once. If it works, then + * we assume proper seeding. If not, then external entropy must + * have been injected; otherwise, we report an error. + */ + if (!cc->rng_os_rand_done) { + br_prng_seeder sd; + + sd = br_prng_seeder_system(NULL); + if (sd != 0 && sd(&cc->rng.vtable)) { + cc->rng_init_done = 2; } + cc->rng_os_rand_done = 1; } -#endif - - if (!cc->rng_init_done) { + if (cc->rng_init_done < 2) { br_ssl_engine_fail(cc, BR_ERR_NO_RANDOM); return 0; } @@ -526,41 +537,17 @@ void br_ssl_engine_inject_entropy(br_ssl_engine_context *cc, const void *data, size_t len) { - if (cc->rng_init_done) { - br_hmac_drbg_update(&cc->rng, data, len); - } else { - /* - * If using TLS-1.2, then SHA-256 or SHA-384 must be - * present (or both); we prefer SHA-256 which is faster - * for 32-bit systems. - * - * If using TLS-1.0 or 1.1 then SHA-1 must be present. - * - * Though HMAC_DRBG/SHA-1 is, as far as we know, as safe - * as these things can be, we still prefer the SHA-2 - * functions over SHA-1, if only for public relations - * (known theoretical weaknesses of SHA-1 with regards to - * collisions are mostly irrelevant here, but they still - * make people nervous). - */ - const br_hash_class *h; - - h = br_multihash_getimpl(&cc->mhash, br_sha256_ID); - if (!h) { - h = br_multihash_getimpl(&cc->mhash, br_sha384_ID); - if (!h) { - h = br_multihash_getimpl(&cc->mhash, - br_sha1_ID); - if (!h) { - br_ssl_engine_fail(cc, - BR_ERR_BAD_STATE); - return; - } - } - } - br_hmac_drbg_init(&cc->rng, h, data, len); - cc->rng_init_done = 1; + /* + * Externally provided entropy is assumed to be "good enough" + * (we cannot really test its quality) so if the RNG structure + * could be initialised at all, then we marked the RNG as + * "properly seeded". + */ + if (!rng_init(cc)) { + return; } + br_hmac_drbg_update(&cc->rng, data, len); + cc->rng_init_done = 2; } /* diff --git a/src/symcipher/aes_x86ni.c b/src/symcipher/aes_x86ni.c index d2d6369..d5408f1 100644 --- a/src/symcipher/aes_x86ni.c +++ b/src/symcipher/aes_x86ni.c @@ -22,6 +22,7 @@ * SOFTWARE. */ +#define BR_ENABLE_INTRINSICS 1 #include "inner.h" /* @@ -31,22 +32,6 @@ #if BR_AES_X86NI -#if BR_AES_X86NI_GCC -#if BR_AES_X86NI_GCC_OLD -#pragma GCC push_options -#pragma GCC target("sse2,sse4.1,aes,pclmul") -#endif -#include -#include -#if BR_AES_X86NI_GCC_OLD -#pragma GCC pop_options -#endif -#endif - -#if BR_AES_X86NI_MSC -#include -#endif - /* see inner.h */ int br_aes_x86ni_supported(void) @@ -56,35 +41,10 @@ br_aes_x86ni_supported(void) * 19 SSE4.1 (used for _mm_insert_epi32(), for AES-CTR) * 25 AES-NI */ -#define MASK 0x02080000 - -#if BR_AES_X86NI_GCC - unsigned eax, ebx, ecx, edx; - - if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) { - return (ecx & MASK) == MASK; - } else { - return 0; - } -#elif BR_AES_X86NI_MSC - int info[4]; - - __cpuid(info, 1); - return ((uint32_t)info[2] & MASK) == MASK; -#else - return 0; -#endif - -#undef MASK + return br_cpuid(0, 0, 0x02080000, 0); } -/* - * Per-function attributes appear unreliable on old GCC, so we use the - * pragma for all remaining functions in this file. - */ -#if BR_AES_X86NI_GCC_OLD -#pragma GCC target("sse2,sse4.1,aes,pclmul") -#endif +BR_TARGETS_X86_UP BR_TARGET("sse2,aes") static inline __m128i @@ -275,4 +235,6 @@ br_aes_x86ni_keysched_dec(unsigned char *skni, const void *key, size_t len) return num_rounds; } +BR_TARGETS_X86_DOWN + #endif diff --git a/src/symcipher/aes_x86ni_cbcdec.c b/src/symcipher/aes_x86ni_cbcdec.c index c97ce48..862b1b5 100644 --- a/src/symcipher/aes_x86ni_cbcdec.c +++ b/src/symcipher/aes_x86ni_cbcdec.c @@ -22,20 +22,17 @@ * SOFTWARE. */ +#define BR_ENABLE_INTRINSICS 1 #include "inner.h" #if BR_AES_X86NI -#if BR_AES_X86NI_GCC -#if BR_AES_X86NI_GCC_OLD -#pragma GCC target("sse2,sse4.1,aes,pclmul") -#endif -#include -#endif - -#if BR_AES_X86NI_MSC -#include -#endif +/* see bearssl_block.h */ +const br_block_cbcdec_class * +br_aes_x86ni_cbcdec_get_vtable(void) +{ + return br_aes_x86ni_supported() ? &br_aes_x86ni_cbcdec_vtable : NULL; +} /* see bearssl_block.h */ void @@ -46,6 +43,8 @@ br_aes_x86ni_cbcdec_init(br_aes_x86ni_cbcdec_keys *ctx, ctx->num_rounds = br_aes_x86ni_keysched_dec(ctx->skey.skni, key, len); } +BR_TARGETS_X86_UP + /* see bearssl_block.h */ BR_TARGET("sse2,aes") void @@ -199,6 +198,8 @@ br_aes_x86ni_cbcdec_run(const br_aes_x86ni_cbcdec_keys *ctx, _mm_storeu_si128(iv, ivx); } +BR_TARGETS_X86_DOWN + /* see bearssl_block.h */ const br_block_cbcdec_class br_aes_x86ni_cbcdec_vtable = { sizeof(br_aes_x86ni_cbcdec_keys), @@ -210,13 +211,6 @@ const br_block_cbcdec_class br_aes_x86ni_cbcdec_vtable = { &br_aes_x86ni_cbcdec_run }; -/* see bearssl_block.h */ -const br_block_cbcdec_class * -br_aes_x86ni_cbcdec_get_vtable(void) -{ - return br_aes_x86ni_supported() ? &br_aes_x86ni_cbcdec_vtable : NULL; -} - #else /* see bearssl_block.h */ diff --git a/src/symcipher/aes_x86ni_cbcenc.c b/src/symcipher/aes_x86ni_cbcenc.c index 2addfb6..85feecd 100644 --- a/src/symcipher/aes_x86ni_cbcenc.c +++ b/src/symcipher/aes_x86ni_cbcenc.c @@ -22,20 +22,17 @@ * SOFTWARE. */ +#define BR_ENABLE_INTRINSICS 1 #include "inner.h" #if BR_AES_X86NI -#if BR_AES_X86NI_GCC -#if BR_AES_X86NI_GCC_OLD -#pragma GCC target("sse2,sse4.1,aes,pclmul") -#endif -#include -#endif - -#if BR_AES_X86NI_MSC -#include -#endif +/* see bearssl_block.h */ +const br_block_cbcenc_class * +br_aes_x86ni_cbcenc_get_vtable(void) +{ + return br_aes_x86ni_supported() ? &br_aes_x86ni_cbcenc_vtable : NULL; +} /* see bearssl_block.h */ void @@ -46,6 +43,8 @@ br_aes_x86ni_cbcenc_init(br_aes_x86ni_cbcenc_keys *ctx, ctx->num_rounds = br_aes_x86ni_keysched_enc(ctx->skey.skni, key, len); } +BR_TARGETS_X86_UP + /* see bearssl_block.h */ BR_TARGET("sse2,aes") void @@ -98,6 +97,8 @@ br_aes_x86ni_cbcenc_run(const br_aes_x86ni_cbcenc_keys *ctx, _mm_storeu_si128(iv, ivx); } +BR_TARGETS_X86_DOWN + /* see bearssl_block.h */ const br_block_cbcenc_class br_aes_x86ni_cbcenc_vtable = { sizeof(br_aes_x86ni_cbcenc_keys), @@ -109,13 +110,6 @@ const br_block_cbcenc_class br_aes_x86ni_cbcenc_vtable = { &br_aes_x86ni_cbcenc_run }; -/* see bearssl_block.h */ -const br_block_cbcenc_class * -br_aes_x86ni_cbcenc_get_vtable(void) -{ - return br_aes_x86ni_supported() ? &br_aes_x86ni_cbcenc_vtable : NULL; -} - #else /* see bearssl_block.h */ diff --git a/src/symcipher/aes_x86ni_ctr.c b/src/symcipher/aes_x86ni_ctr.c index 41c31b2..292d044 100644 --- a/src/symcipher/aes_x86ni_ctr.c +++ b/src/symcipher/aes_x86ni_ctr.c @@ -22,24 +22,17 @@ * SOFTWARE. */ +#define BR_ENABLE_INTRINSICS 1 #include "inner.h" #if BR_AES_X86NI -#if BR_AES_X86NI_GCC -#if BR_AES_X86NI_GCC_OLD -#pragma GCC target("sse2,sse4.1,aes,pclmul") -#endif -#include -#include -#define bswap32 __builtin_bswap32 -#endif - -#if BR_AES_X86NI_MSC -#include -#include -#define bswap32 _byteswap_ulong -#endif +/* see bearssl_block.h */ +const br_block_ctr_class * +br_aes_x86ni_ctr_get_vtable(void) +{ + return br_aes_x86ni_supported() ? &br_aes_x86ni_ctr_vtable : NULL; +} /* see bearssl_block.h */ void @@ -50,6 +43,8 @@ br_aes_x86ni_ctr_init(br_aes_x86ni_ctr_keys *ctx, ctx->num_rounds = br_aes_x86ni_keysched_enc(ctx->skey.skni, key, len); } +BR_TARGETS_X86_UP + /* see bearssl_block.h */ BR_TARGET("sse2,sse4.1,aes") uint32_t @@ -190,6 +185,8 @@ br_aes_x86ni_ctr_run(const br_aes_x86ni_ctr_keys *ctx, return cc; } +BR_TARGETS_X86_DOWN + /* see bearssl_block.h */ const br_block_ctr_class br_aes_x86ni_ctr_vtable = { sizeof(br_aes_x86ni_ctr_keys), @@ -202,13 +199,6 @@ const br_block_ctr_class br_aes_x86ni_ctr_vtable = { &br_aes_x86ni_ctr_run }; -/* see bearssl_block.h */ -const br_block_ctr_class * -br_aes_x86ni_ctr_get_vtable(void) -{ - return br_aes_x86ni_supported() ? &br_aes_x86ni_ctr_vtable : NULL; -} - #else /* see bearssl_block.h */ diff --git a/src/symcipher/chacha20_sse2.c b/src/symcipher/chacha20_sse2.c index 0b32d51..92b4a4a 100644 --- a/src/symcipher/chacha20_sse2.c +++ b/src/symcipher/chacha20_sse2.c @@ -22,22 +22,43 @@ * SOFTWARE. */ +#define BR_ENABLE_INTRINSICS 1 #include "inner.h" +#if BR_SSE2 + /* * This file contains a ChaCha20 implementation that leverages SSE2 * opcodes for better performance. */ -#if BR_SSE2 +/* see bearssl_block.h */ +br_chacha20_run +br_chacha20_sse2_get(void) +{ + /* + * If using 64-bit mode, then SSE2 opcodes should be automatically + * available, since they are part of the ABI. + * + * In 32-bit mode, we use CPUID to detect the SSE2 feature. + */ -#if BR_SSE2_GCC -#include -#include -#endif -#if BR_SSE2_MSC -#include +#if BR_amd64 + return &br_chacha20_sse2_run; +#else + + /* + * SSE2 support is indicated by bit 26 in EDX. + */ + if (br_cpuid(0, 0, 0, 0x04000000)) { + return &br_chacha20_sse2_run; + } else { + return 0; + } #endif +} + +BR_TARGETS_X86_UP /* see bearssl_block.h */ BR_TARGET("sse2") @@ -202,48 +223,7 @@ br_chacha20_sse2_run(const void *key, | ((uint32_t)_mm_extract_epi16(iw, 1) << 16); } -/* see bearssl_block.h */ -br_chacha20_run -br_chacha20_sse2_get(void) -{ - /* - * If using 64-bit mode, then SSE2 opcodes should be automatically - * available, since they are part of the ABI. - * - * In 32-bit mode, we use CPUID to detect the SSE2 feature. - */ - -#if __x86_64__ || _M_X64 - - return &br_chacha20_sse2_run; - -#else - - /* - * SSE2 support is indicated by bit 26 in EDX. - */ -#define MASK 0x04000000 - -#if BR_SSE2_GCC - unsigned eax, ebx, ecx, edx; - - if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) { - if ((edx & MASK) == MASK) { - return &br_chacha20_sse2_run; - } - } -#elif BR_SSE2_MSC - int info[4]; - - __cpuid(info, 1); - if (((uint32_t)info[3] & MASK) == MASK) { - return &br_chacha20_sse2_run; - } -#endif - return 0; - -#endif -} +BR_TARGETS_X86_DOWN #else diff --git a/src/x509/x509_minimal.c b/src/x509/x509_minimal.c index ddf2515..3b876ef 100644 --- a/src/x509/x509_minimal.c +++ b/src/x509/x509_minimal.c @@ -200,20 +200,6 @@ void br_x509_minimal_run(void *t0ctx); * then validation is reported as failed. */ -#ifndef BR_USE_UNIX_TIME -#if defined __unix__ || defined __linux__ \ - || defined _POSIX_SOURCE || defined _POSIX_C_SOURCE \ - || (defined __APPLE__ && defined __MACH__) -#define BR_USE_UNIX_TIME 1 -#endif -#endif - -#ifndef BR_USE_WIN32_TIME -#if defined _WIN32 || defined _WIN64 -#define BR_USE_WIN32_TIME 1 -#endif -#endif - #if BR_USE_UNIX_TIME #include #endif diff --git a/src/x509/x509_minimal.t0 b/src/x509/x509_minimal.t0 index a46076e..1e60016 100644 --- a/src/x509/x509_minimal.t0 +++ b/src/x509/x509_minimal.t0 @@ -149,20 +149,6 @@ preamble { * then validation is reported as failed. */ -#ifndef BR_USE_UNIX_TIME -#if defined __unix__ || defined __linux__ \ - || defined _POSIX_SOURCE || defined _POSIX_C_SOURCE \ - || (defined __APPLE__ && defined __MACH__) -#define BR_USE_UNIX_TIME 1 -#endif -#endif - -#ifndef BR_USE_WIN32_TIME -#if defined _WIN32 || defined _WIN64 -#define BR_USE_WIN32_TIME 1 -#endif -#endif - #if BR_USE_UNIX_TIME #include #endif diff --git a/tools/brssl.c b/tools/brssl.c index 76f7539..91372b0 100644 --- a/tools/brssl.c +++ b/tools/brssl.c @@ -51,6 +51,7 @@ usage(void) fprintf(stderr, " ta decode trust anchors\n"); fprintf(stderr, " chain make C code for certificate chains\n"); fprintf(stderr, " twrch run the Twrch protocol\n"); + fprintf(stderr, " impl report on implementations\n"); } int @@ -108,6 +109,10 @@ main(int argc, char *argv[]) } else { return ret; } + } else if (eqstr(cmd, "impl")) { + if (do_impl(argc - 2, argv + 2) < 0) { + return EXIT_FAILURE; + } } else { fprintf(stderr, "unknown command: '%s'\n", cmd); usage(); diff --git a/tools/brssl.h b/tools/brssl.h index c47a026..cd67399 100644 --- a/tools/brssl.h +++ b/tools/brssl.h @@ -546,4 +546,10 @@ int do_chain(int argc, char *argv[]); */ int do_twrch(int argc, char *argv[]); +/* + * Do the "impl" command. Returned value is 0 on success, -1 on failure. + * Command-line arguments start _after_ the command name. + */ +int do_impl(int argc, char *argv[]); + #endif diff --git a/tools/impl.c b/tools/impl.c new file mode 100644 index 0000000..e00cc32 --- /dev/null +++ b/tools/impl.c @@ -0,0 +1,48 @@ +/* + * Copyright (c) 2017 Thomas Pornin + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include +#include +#include +#include +#include + +#include "brssl.h" +#include "bearssl.h" + +/* see brssl.h */ +int +do_impl(int argc, char *argv[]) +{ + const br_config_option *opt; + + (void)argc; + (void)argv; + + for (opt = br_get_config(); opt->name != NULL; opt ++) { + printf("%-25s %8ld\n", opt->name, opt->value); + } + + return 0; +} diff --git a/tools/sslio.c b/tools/sslio.c index 3a8a6f3..7fc1d53 100644 --- a/tools/sslio.c +++ b/tools/sslio.c @@ -266,7 +266,11 @@ run_ssl_engine(br_ssl_engine_context *cc, unsigned long fd, unsigned flags) * Print algorithm details. */ if (verbose) { + const char *rngname; + fprintf(stderr, "Algorithms:\n"); + br_prng_seeder_system(&rngname); + fprintf(stderr, " RNG: %s\n", rngname); if (cc->iaes_cbcenc != 0) { fprintf(stderr, " AES/CBC (enc): %s\n", get_algo_name(cc->iaes_cbcenc, 0)); -- 2.17.1 From 8e94ad2fcb11794c559025277e56f3fbeb676f5d Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Mon, 28 Aug 2017 19:28:59 +0200 Subject: [PATCH 13/16] Worked around some compiler errors with GCC 4.4 and 4.5. --- src/inner.h | 17 ++++++++++++----- src/symcipher/aes_x86ni_ctr.c | 8 ++++---- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/src/inner.h b/src/inner.h index 52bcaf0..fb49d0e 100644 --- a/src/inner.h +++ b/src/inner.h @@ -2243,18 +2243,25 @@ int br_ssl_choose_hash(unsigned bf); */ #if BR_i386 || BR_amd64 +/* + * On GCC before version 5.0, we need to use the pragma to enable the + * target options globally, because the 'target' function attribute + * appears to be unreliable. Before 4.6 we must also avoid the + * push_options / pop_options mechanism, because it tends to trigger + * some internal compiler errors. + */ #if BR_GCC && !BR_GCC_5_0 #if BR_GCC_4_6 #define BR_TARGETS_X86_UP \ _Pragma("GCC push_options") \ _Pragma("GCC target(\"sse2,ssse3,sse4.1,aes,pclmul,rdrnd\")") +#define BR_TARGETS_X86_DOWN \ + _Pragma("GCC pop_options") #else #define BR_TARGETS_X86_UP \ - _Pragma("GCC push_options") \ _Pragma("GCC target(\"sse2,ssse3,sse4.1,aes,pclmul\")") #endif -#define BR_TARGETS_X86_DOWN \ - _Pragma("GCC pop_options") +#define BR_TARGETS_X86_DOWN #pragma GCC diagnostic ignored "-Wpsabi" #endif @@ -2286,7 +2293,7 @@ int br_ssl_choose_hash(unsigned bf); BR_TARGETS_X86_UP #include #include -#define bswap32 __builtin_bswap32 +#define br_bswap32 __builtin_bswap32 BR_TARGETS_X86_DOWN #endif @@ -2294,7 +2301,7 @@ BR_TARGETS_X86_DOWN #include #include #include -#define bswap32 _byteswap_ulong +#define br_bswap32 _byteswap_ulong #endif static inline int diff --git a/src/symcipher/aes_x86ni_ctr.c b/src/symcipher/aes_x86ni_ctr.c index 292d044..1cddd60 100644 --- a/src/symcipher/aes_x86ni_ctr.c +++ b/src/symcipher/aes_x86ni_ctr.c @@ -68,10 +68,10 @@ br_aes_x86ni_ctr_run(const br_aes_x86ni_ctr_keys *ctx, while (len > 0) { __m128i x0, x1, x2, x3; - x0 = _mm_insert_epi32(ivx, bswap32(cc + 0), 3); - x1 = _mm_insert_epi32(ivx, bswap32(cc + 1), 3); - x2 = _mm_insert_epi32(ivx, bswap32(cc + 2), 3); - x3 = _mm_insert_epi32(ivx, bswap32(cc + 3), 3); + x0 = _mm_insert_epi32(ivx, br_bswap32(cc + 0), 3); + x1 = _mm_insert_epi32(ivx, br_bswap32(cc + 1), 3); + x2 = _mm_insert_epi32(ivx, br_bswap32(cc + 2), 3); + x3 = _mm_insert_epi32(ivx, br_bswap32(cc + 3), 3); x0 = _mm_xor_si128(x0, sk[0]); x1 = _mm_xor_si128(x1, sk[0]); x2 = _mm_xor_si128(x2, sk[0]); -- 2.17.1 From dddc412922f42f9c7dd6177133828be724f44424 Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Mon, 23 Oct 2017 23:27:28 +0200 Subject: [PATCH 14/16] Added generic EAX and CCM implementations. --- inc/bearssl_aead.h | 513 +++++++++++++++++++++- inc/bearssl_block.h | 667 +++++++++++++++++++++++++++- mk/Rules.mk | 23 +- mk/mkrules.sh | 7 + src/aead/ccm.c | 346 +++++++++++++++ src/aead/eax.c | 413 ++++++++++++++++++ src/aead/gcm.c | 28 +- src/symcipher/aes_big_ctrcbc.c | 142 ++++++ src/symcipher/aes_ct64_ctrcbc.c | 433 +++++++++++++++++++ src/symcipher/aes_ct_ctrcbc.c | 422 ++++++++++++++++++ src/symcipher/aes_small_ctrcbc.c | 142 ++++++ src/symcipher/aes_x86ni_ctrcbc.c | 596 +++++++++++++++++++++++++ test/test_crypto.c | 719 ++++++++++++++++++++++++++++++- test/test_speed.c | 92 ++++ 14 files changed, 4530 insertions(+), 13 deletions(-) create mode 100644 src/aead/ccm.c create mode 100644 src/aead/eax.c create mode 100644 src/symcipher/aes_big_ctrcbc.c create mode 100644 src/symcipher/aes_ct64_ctrcbc.c create mode 100644 src/symcipher/aes_ct_ctrcbc.c create mode 100644 src/symcipher/aes_small_ctrcbc.c create mode 100644 src/symcipher/aes_x86ni_ctrcbc.c diff --git a/inc/bearssl_aead.h b/inc/bearssl_aead.h index 09cb9e8..b1e52a3 100644 --- a/inc/bearssl_aead.h +++ b/inc/bearssl_aead.h @@ -127,7 +127,7 @@ extern "C" { * * - Nonce, plaintext and additional authenticated data all consist * in an integral number of bytes. There is no provision to use - * elements whose lengh in bits is not a multiple of 8. + * elements whose length in bits is not a multiple of 8. * * Each AEAD algorithm has its own requirements and limits on the sizes * of additional data and plaintext. This API does not provide any @@ -169,6 +169,9 @@ extern "C" { * Note that there is no OOP method for context initialisation: the * various AEAD algorithms have different requirements that would not * map well to a single initialisation API. + * + * The OOP API is not provided for CCM, due to its specific requirements + * (length of plaintext must be known in advance). */ /** @@ -213,7 +216,7 @@ struct br_aead_class_ { * * \param cc AEAD context structure. * \param data pointer to additional authenticated data. - * \param len length of additiona authenticated data (in bytes). + * \param len length of additional authenticated data (in bytes). */ void (*aad_inject)(const br_aead_class **cc, const void *data, size_t len); @@ -266,6 +269,8 @@ struct br_aead_class_ { * `check_tag()` function may be used to compute and check the * tag value. * + * Tag length depends on the AEAD algorithm. + * * \param cc AEAD context structure. * \param tag destination buffer for the tag. */ @@ -282,11 +287,44 @@ struct br_aead_class_ { * data or the tag was altered in transit, normally leading to * wholesale rejection of the complete message. * + * Tag length depends on the AEAD algorithm. + * * \param cc AEAD context structure. - * \param tag tag value to compare with (16 bytes). + * \param tag tag value to compare with. * \return 1 on success (exact match of tag value), 0 otherwise. */ uint32_t (*check_tag)(const br_aead_class **cc, const void *tag); + + /** + * \brief Compute authentication tag (with truncation). + * + * This function is similar to `get_tag()`, except that the tag + * length is provided. Some AEAD algorithms allow several tag + * lengths, usually by truncating the normal tag. Shorter tags + * mechanically increase success probability of forgeries. + * The range of allowed tag lengths depends on the algorithm. + * + * \param cc AEAD context structure. + * \param tag destination buffer for the tag. + * \param len tag length (in bytes). + */ + void (*get_tag_trunc)(const br_aead_class **cc, void *tag, size_t len); + + /** + * \brief Compute and check authentication tag (with truncation). + * + * This function is similar to `check_tag()` except that it + * works over an explicit tag length. See `get_tag()` for a + * discussion of explicit tag lengths; the range of allowed tag + * lengths depends on the algorithm. + * + * \param cc AEAD context structure. + * \param tag tag value to compare with. + * \param len tag length (in bytes). + * \return 1 on success (exact match of tag value), 0 otherwise. + */ + uint32_t (*check_tag_trunc)(const br_aead_class **cc, + const void *tag, size_t len); }; /** @@ -379,7 +417,7 @@ void br_gcm_reset(br_gcm_context *ctx, const void *iv, size_t len); * * \param ctx GCM context structure. * \param data pointer to additional authenticated data. - * \param len length of additiona authenticated data (in bytes). + * \param len length of additional authenticated data (in bytes). */ void br_gcm_aad_inject(br_gcm_context *ctx, const void *data, size_t len); @@ -449,11 +487,478 @@ void br_gcm_get_tag(br_gcm_context *ctx, void *tag); */ uint32_t br_gcm_check_tag(br_gcm_context *ctx, const void *tag); +/** + * \brief Compute GCM authentication tag (with truncation). + * + * This function is similar to `br_gcm_get_tag()`, except that it allows + * the tag to be truncated to a smaller length. The intended tag length + * is provided as `len` (in bytes); it MUST be no more than 16, but + * it may be smaller. Note that decreasing tag length mechanically makes + * forgeries easier; NIST SP 800-38D specifies that the tag length shall + * lie between 12 and 16 bytes (inclusive), but may be truncated down to + * 4 or 8 bytes, for specific applications that can tolerate it. It must + * also be noted that successful forgeries leak information on the + * authentication key, making subsequent forgeries easier. Therefore, + * tag truncation, and in particular truncation to sizes lower than 12 + * bytes, shall be envisioned only with great care. + * + * The tag is written in the provided `tag` buffer. This call terminates + * the GCM run: no data may be processed with that GCM context + * afterwards, until `br_gcm_reset()` is called to initiate a new GCM + * run. + * + * The tag value must normally be sent along with the encrypted data. + * When decrypting, the tag value must be recomputed and compared with + * the received tag: if the two tag values differ, then either the tag + * or the encrypted data was altered in transit. As an alternative to + * this function, the `br_gcm_check_tag_trunc()` function can be used to + * compute and check the tag value. + * + * \param ctx GCM context structure. + * \param tag destination buffer for the tag. + * \param len tag length (16 bytes or less). + */ +void br_gcm_get_tag_trunc(br_gcm_context *ctx, void *tag, size_t len); + +/** + * \brief Compute and check GCM authentication tag (with truncation). + * + * This function is an alternative to `br_gcm_get_tag_trunc()`, normally used + * on the receiving end (i.e. when decrypting value). The tag value is + * recomputed and compared with the provided tag value. If they match, 1 + * is returned; on mismatch, 0 is returned. A returned value of 0 means + * that the data or the tag was altered in transit, normally leading to + * wholesale rejection of the complete message. + * + * Tag length MUST be 16 bytes or less. The normal GCM tag length is 16 + * bytes. See `br_check_tag_trunc()` for some discussion on the potential + * perils of truncating authentication tags. + * + * \param ctx GCM context structure. + * \param tag tag value to compare with. + * \param len tag length (in bytes). + * \return 1 on success (exact match of tag value), 0 otherwise. + */ +uint32_t br_gcm_check_tag_trunc(br_gcm_context *ctx, + const void *tag, size_t len); + /** * \brief Class instance for GCM. */ extern const br_aead_class br_gcm_vtable; +/** + * \brief Context structure for EAX. + * + * EAX is an AEAD mode that combines a block cipher in CTR mode with + * CBC-MAC using the same block cipher and the same key, to provide + * authenticated encryption: + * + * - Any block cipher with 16-byte blocks can be used with EAX + * (technically, other block sizes are defined as well, but this + * is not implemented by these functions; shorter blocks also + * imply numerous security issues). + * + * - The nonce can have any length, as long as nonce values are + * not reused (thus, if nonces are randomly selected, the nonce + * size should be such that reuse probability is negligible). + * + * - Additional authenticated data length is unlimited. + * + * - Message length is unlimited. + * + * - The authentication tag has length 16 bytes. + * + * The EAX initialisation function receives as parameter an + * _initialised_ block cipher implementation context, with the secret + * key already set. A pointer to that context will be kept within the + * EAX context structure. It is up to the caller to allocate and + * initialise that block cipher context. + */ +typedef struct { + /** \brief Pointer to vtable for this context. */ + const br_aead_class *vtable; + +#ifndef BR_DOXYGEN_IGNORE + const br_block_ctrcbc_class **bctx; + unsigned char L2[16]; + unsigned char L4[16]; + unsigned char nonce[16]; + unsigned char head[16]; + unsigned char ctr[16]; + unsigned char cbcmac[16]; + unsigned char buf[16]; + size_t ptr; +#endif +} br_eax_context; + +/** + * \brief Initialize an EAX context. + * + * A block cipher implementation, with its initialised context + * structure, is provided. The block cipher MUST use 16-byte blocks in + * CTR + CBC-MAC mode, and its secret key MUST have been already set in + * the provided context. The parameters are linked in the EAX context. + * + * After this function has been called, the `br_eax_reset()` function must + * be called, to provide the nonce for EAX computation. + * + * \param ctx EAX context structure. + * \param bctx block cipher context (already initialised with secret key). + */ +void br_eax_init(br_eax_context *ctx, const br_block_ctrcbc_class **bctx); + +/** + * \brief Reset an EAX context. + * + * This function resets an already initialised EAX context for a new + * computation run. Implementations and keys are conserved. This function + * can be called at any time; it cancels any ongoing EAX computation that + * uses the provided context structure. + * + * It is critical to EAX security that nonce values are not repeated for + * the same encryption key. Nonces can have arbitrary length. If nonces + * are randomly generated, then a nonce length of at least 128 bits (16 + * bytes) is recommended, to make nonce reuse probability sufficiently + * low. + * + * \param ctx EAX context structure. + * \param nonce EAX nonce to use. + * \param len EAX nonce length (in bytes). + */ +void br_eax_reset(br_eax_context *ctx, const void *nonce, size_t len); + +/** + * \brief Inject additional authenticated data into EAX. + * + * The provided data is injected into a running EAX computation. Additional + * data must be injected _before_ the call to `br_eax_flip()`. + * Additional data can be injected in several chunks of arbitrary length; + * the total amount of additional authenticated data is unlimited. + * + * \param ctx EAX context structure. + * \param data pointer to additional authenticated data. + * \param len length of additional authenticated data (in bytes). + */ +void br_eax_aad_inject(br_eax_context *ctx, const void *data, size_t len); + +/** + * \brief Finish injection of additional authenticated data into EAX. + * + * This function MUST be called before beginning the actual encryption + * or decryption (with `br_eax_run()`), even if no additional authenticated + * data was injected. No additional authenticated data may be injected + * after this function call. + * + * \param ctx EAX context structure. + */ +void br_eax_flip(br_eax_context *ctx); + +/** + * \brief Encrypt or decrypt some data with EAX. + * + * Data encryption or decryption can be done after `br_eax_flip()` + * has been called on the context. If `encrypt` is non-zero, then the + * provided data shall be plaintext, and it is encrypted in place. + * Otherwise, the data shall be ciphertext, and it is decrypted in place. + * + * Data may be provided in several chunks of arbitrary length. + * + * \param ctx EAX context structure. + * \param encrypt non-zero for encryption, zero for decryption. + * \param data data to encrypt or decrypt. + * \param len data length (in bytes). + */ +void br_eax_run(br_eax_context *ctx, int encrypt, void *data, size_t len); + +/** + * \brief Compute EAX authentication tag. + * + * Compute the EAX authentication tag. The tag is a 16-byte value which + * is written in the provided `tag` buffer. This call terminates the + * EAX run: no data may be processed with that EAX context afterwards, + * until `br_eax_reset()` is called to initiate a new EAX run. + * + * The tag value must normally be sent along with the encrypted data. + * When decrypting, the tag value must be recomputed and compared with + * the received tag: if the two tag values differ, then either the tag + * or the encrypted data was altered in transit. As an alternative to + * this function, the `br_eax_check_tag()` function can be used to + * compute and check the tag value. + * + * \param ctx EAX context structure. + * \param tag destination buffer for the tag (16 bytes). + */ +void br_eax_get_tag(br_eax_context *ctx, void *tag); + +/** + * \brief Compute and check EAX authentication tag. + * + * This function is an alternative to `br_eax_get_tag()`, normally used + * on the receiving end (i.e. when decrypting value). The tag value is + * recomputed and compared with the provided tag value. If they match, 1 + * is returned; on mismatch, 0 is returned. A returned value of 0 means + * that the data or the tag was altered in transit, normally leading to + * wholesale rejection of the complete message. + * + * \param ctx EAX context structure. + * \param tag tag value to compare with (16 bytes). + * \return 1 on success (exact match of tag value), 0 otherwise. + */ +uint32_t br_eax_check_tag(br_eax_context *ctx, const void *tag); + +/** + * \brief Compute EAX authentication tag (with truncation). + * + * This function is similar to `br_eax_get_tag()`, except that it allows + * the tag to be truncated to a smaller length. The intended tag length + * is provided as `len` (in bytes); it MUST be no more than 16, but + * it may be smaller. Note that decreasing tag length mechanically makes + * forgeries easier; NIST SP 800-38D specifies that the tag length shall + * lie between 12 and 16 bytes (inclusive), but may be truncated down to + * 4 or 8 bytes, for specific applications that can tolerate it. It must + * also be noted that successful forgeries leak information on the + * authentication key, making subsequent forgeries easier. Therefore, + * tag truncation, and in particular truncation to sizes lower than 12 + * bytes, shall be envisioned only with great care. + * + * The tag is written in the provided `tag` buffer. This call terminates + * the EAX run: no data may be processed with that EAX context + * afterwards, until `br_eax_reset()` is called to initiate a new EAX + * run. + * + * The tag value must normally be sent along with the encrypted data. + * When decrypting, the tag value must be recomputed and compared with + * the received tag: if the two tag values differ, then either the tag + * or the encrypted data was altered in transit. As an alternative to + * this function, the `br_eax_check_tag_trunc()` function can be used to + * compute and check the tag value. + * + * \param ctx EAX context structure. + * \param tag destination buffer for the tag. + * \param len tag length (16 bytes or less). + */ +void br_eax_get_tag_trunc(br_eax_context *ctx, void *tag, size_t len); + +/** + * \brief Compute and check EAX authentication tag (with truncation). + * + * This function is an alternative to `br_eax_get_tag_trunc()`, normally used + * on the receiving end (i.e. when decrypting value). The tag value is + * recomputed and compared with the provided tag value. If they match, 1 + * is returned; on mismatch, 0 is returned. A returned value of 0 means + * that the data or the tag was altered in transit, normally leading to + * wholesale rejection of the complete message. + * + * Tag length MUST be 16 bytes or less. The normal EAX tag length is 16 + * bytes. See `br_check_tag_trunc()` for some discussion on the potential + * perils of truncating authentication tags. + * + * \param ctx EAX context structure. + * \param tag tag value to compare with. + * \param len tag length (in bytes). + * \return 1 on success (exact match of tag value), 0 otherwise. + */ +uint32_t br_eax_check_tag_trunc(br_eax_context *ctx, + const void *tag, size_t len); + +/** + * \brief Class instance for EAX. + */ +extern const br_aead_class br_eax_vtable; + +/** + * \brief Context structure for CCM. + * + * CCM is an AEAD mode that combines a block cipher in CTR mode with + * CBC-MAC using the same block cipher and the same key, to provide + * authenticated encryption: + * + * - Any block cipher with 16-byte blocks can be used with CCM + * (technically, other block sizes are defined as well, but this + * is not implemented by these functions; shorter blocks also + * imply numerous security issues). + * + * - The authentication tag length, and plaintext length, MUST be + * known when starting processing data. Plaintext and ciphertext + * can still be provided by chunks, but the total size must match + * the value provided upon initialisation. + * + * - The nonce length is constrained betwen 7 and 13 bytes (inclusive). + * Furthermore, the plaintext length, when encoded, must fit over + * 15-nonceLen bytes; thus, if the nonce has length 13 bytes, then + * the plaintext length cannot exceed 65535 bytes. + * + * - Additional authenticated data length is practically unlimited + * (formal limit is at 2^64 bytes). + * + * - The authentication tag has length 4 to 16 bytes (even values only). + * + * The CCM initialisation function receives as parameter an + * _initialised_ block cipher implementation context, with the secret + * key already set. A pointer to that context will be kept within the + * CCM context structure. It is up to the caller to allocate and + * initialise that block cipher context. + */ +typedef struct { +#ifndef BR_DOXYGEN_IGNORE + const br_block_ctrcbc_class **bctx; + unsigned char ctr[16]; + unsigned char cbcmac[16]; + unsigned char tagmask[16]; + unsigned char buf[16]; + size_t ptr; + size_t tag_len; +#endif +} br_ccm_context; + +/** + * \brief Initialize a CCM context. + * + * A block cipher implementation, with its initialised context + * structure, is provided. The block cipher MUST use 16-byte blocks in + * CTR + CBC-MAC mode, and its secret key MUST have been already set in + * the provided context. The parameters are linked in the CCM context. + * + * After this function has been called, the `br_ccm_reset()` function must + * be called, to provide the nonce for CCM computation. + * + * \param ctx CCM context structure. + * \param bctx block cipher context (already initialised with secret key). + */ +void br_ccm_init(br_ccm_context *ctx, const br_block_ctrcbc_class **bctx); + +/** + * \brief Reset a CCM context. + * + * This function resets an already initialised CCM context for a new + * computation run. Implementations and keys are conserved. This function + * can be called at any time; it cancels any ongoing CCM computation that + * uses the provided context structure. + * + * The `aad_len` parameter contains the total length, in bytes, of the + * additional authenticated data. It may be zero. That length MUST be + * exact. + * + * The `data_len` parameter contains the total length, in bytes, of the + * data that will be injected (plaintext or ciphertext). That length MUST + * be exact. Moreover, that length MUST be less than 2^(8*(15-nonce_len)). + * + * The nonce length (`nonce_len`), in bytes, must be in the 7..13 range + * (inclusive). + * + * The tag length (`tag_len`), in bytes, must be in the 4..16 range, and + * be an even integer. Short tags mechanically allow for higher forgery + * probabilities; hence, tag sizes smaller than 12 bytes shall be used only + * with care. + * + * It is critical to CCM security that nonce values are not repeated for + * the same encryption key. Random generation of nonces is not generally + * recommended, due to the relatively small maximum nonce value. + * + * Returned value is 1 on success, 0 on error. An error is reported if + * the tag or nonce length is out of range, or if the + * plaintext/ciphertext length cannot be encoded with the specified + * nonce length. + * + * \param ctx CCM context structure. + * \param nonce CCM nonce to use. + * \param nonce_len CCM nonce length (in bytes, 7 to 13). + * \param aad_len additional authenticated data length (in bytes). + * \param data_len plaintext/ciphertext length (in bytes). + * \param tag_len tag length (in bytes). + * \return 1 on success, 0 on error. + */ +int br_ccm_reset(br_ccm_context *ctx, const void *nonce, size_t nonce_len, + uint64_t aad_len, uint64_t data_len, size_t tag_len); + +/** + * \brief Inject additional authenticated data into CCM. + * + * The provided data is injected into a running CCM computation. Additional + * data must be injected _before_ the call to `br_ccm_flip()`. + * Additional data can be injected in several chunks of arbitrary length, + * but the total amount MUST exactly match the value which was provided + * to `br_ccm_reset()`. + * + * \param ctx CCM context structure. + * \param data pointer to additional authenticated data. + * \param len length of additional authenticated data (in bytes). + */ +void br_ccm_aad_inject(br_ccm_context *ctx, const void *data, size_t len); + +/** + * \brief Finish injection of additional authenticated data into CCM. + * + * This function MUST be called before beginning the actual encryption + * or decryption (with `br_ccm_run()`), even if no additional authenticated + * data was injected. No additional authenticated data may be injected + * after this function call. + * + * \param ctx CCM context structure. + */ +void br_ccm_flip(br_ccm_context *ctx); + +/** + * \brief Encrypt or decrypt some data with CCM. + * + * Data encryption or decryption can be done after `br_ccm_flip()` + * has been called on the context. If `encrypt` is non-zero, then the + * provided data shall be plaintext, and it is encrypted in place. + * Otherwise, the data shall be ciphertext, and it is decrypted in place. + * + * Data may be provided in several chunks of arbitrary length, provided + * that the total length exactly matches the length provided to the + * `br_ccm_reset()` call. + * + * \param ctx CCM context structure. + * \param encrypt non-zero for encryption, zero for decryption. + * \param data data to encrypt or decrypt. + * \param len data length (in bytes). + */ +void br_ccm_run(br_ccm_context *ctx, int encrypt, void *data, size_t len); + +/** + * \brief Compute CCM authentication tag. + * + * Compute the CCM authentication tag. This call terminates the CCM + * run: all data must have been injected with `br_ccm_run()` (in zero, + * one or more successive calls). After this function has been called, + * no more data can br processed; a `br_ccm_reset()` call is required + * to start a new message. + * + * The tag length was provided upon context initialisation (last call + * to `br_ccm_reset()`); it is returned by this function. + * + * The tag value must normally be sent along with the encrypted data. + * When decrypting, the tag value must be recomputed and compared with + * the received tag: if the two tag values differ, then either the tag + * or the encrypted data was altered in transit. As an alternative to + * this function, the `br_ccm_check_tag()` function can be used to + * compute and check the tag value. + * + * \param ctx CCM context structure. + * \param tag destination buffer for the tag (up to 16 bytes). + * \return the tag length (in bytes). + */ +size_t br_ccm_get_tag(br_ccm_context *ctx, void *tag); + +/** + * \brief Compute and check CCM authentication tag. + * + * This function is an alternative to `br_ccm_get_tag()`, normally used + * on the receiving end (i.e. when decrypting value). The tag value is + * recomputed and compared with the provided tag value. If they match, 1 + * is returned; on mismatch, 0 is returned. A returned value of 0 means + * that the data or the tag was altered in transit, normally leading to + * wholesale rejection of the complete message. + * + * \param ctx CCM context structure. + * \param tag tag value to compare with (up to 16 bytes). + * \return 1 on success (exact match of tag value), 0 otherwise. + */ +uint32_t br_ccm_check_tag(br_ccm_context *ctx, const void *tag); + #ifdef __cplusplus } #endif diff --git a/inc/bearssl_block.h b/inc/bearssl_block.h index 24f09ac..4772779 100644 --- a/inc/bearssl_block.h +++ b/inc/bearssl_block.h @@ -136,6 +136,73 @@ extern "C" { * chunked processing, provided that each chunk length (except possibly * the last one) is a multiple of the block size. * + * - `br_xxx_ctrcbc_keys` + * + * Context structure that contains the subkeys resulting from the + * key expansion. These subkeys are appropriate for doing combined + * CTR encryption/decryption and CBC-MAC, as used in the CCM and EAX + * authenticated encryption modes. The structure first field is + * called `vtable` and points to the appropriate OOP structure. + * + * - `br_xxx_ctrcbc_init(br_xxx_ctr_keys *ctx, const void *key, size_t len)` + * + * Perform key expansion: subkeys for combined CTR + * encryption/decryption and CBC-MAC are computed and written in the + * provided context structure. The key length MUST be adequate for + * the implemented block cipher. This function also sets the + * `vtable` field. + * + * - `br_xxx_ctrcbc_encrypt(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *cbcmac, void *data, size_t len)` + * + * Perform CTR encryption of some data, and CBC-MAC. Processing is + * done "in place" (the output data replaces the input data). This + * function applies CTR encryption on the data, using a full + * block-size counter (i.e. for 128-bit blocks, the counter is + * incremented as a 128-bit value). The 'ctr' array contains the + * initial value for the counter (used in the first block) and it is + * updated with the new value after data processing. The 'cbcmac' + * value shall point to a block-sized value which is used as IV for + * CBC-MAC, computed over the encrypted data (output of CTR + * encryption); the resulting CBC-MAC is written over 'cbcmac' on + * output. + * + * The data length MUST be a multiple of the block size. + * + * - `br_xxx_ctrcbc_decrypt(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *cbcmac, void *data, size_t len)` + * + * Perform CTR decryption of some data, and CBC-MAC. Processing is + * done "in place" (the output data replaces the input data). This + * function applies CTR decryption on the data, using a full + * block-size counter (i.e. for 128-bit blocks, the counter is + * incremented as a 128-bit value). The 'ctr' array contains the + * initial value for the counter (used in the first block) and it is + * updated with the new value after data processing. The 'cbcmac' + * value shall point to a block-sized value which is used as IV for + * CBC-MAC, computed over the encrypted data (input of CTR + * encryption); the resulting CBC-MAC is written over 'cbcmac' on + * output. + * + * The data length MUST be a multiple of the block size. + * + * - `br_xxx_ctrcbc_ctr(const br_xxx_ctrcbc_keys *ctx, void *ctr, void *data, size_t len)` + * + * Perform CTR encryption or decryption of the provided data. The + * data is processed "in place" (the output data replaces the input + * data). A full block-sized counter is applied (i.e. for 128-bit + * blocks, the counter is incremented as a 128-bit value). The 'ctr' + * array contains the initial value for the counter (used in the + * first block), and it is updated with the new value after data + * processing. + * + * The data length MUST be a multiple of the block size. + * + * - `br_xxx_ctrcbc_mac(const br_xxx_ctrcbc_keys *ctx, void *cbcmac, const void *data, size_t len)` + * + * Compute CBC-MAC over the provided data. The IV for CBC-MAC is + * provided as 'cbcmac'; the output is written over the same array. + * The data itself is untouched. The data length MUST be a multiple + * of the block size. + * * * It shall be noted that the key expansion functions return `void`. If * the provided key length is not allowed, then there will be no error @@ -176,6 +243,41 @@ extern "C" { * * Pointer to the encryption/decryption function. * + * For combined CTR/CBC-MAC encryption, the `vtable` has a slightly + * different structure: + * + * - `context_size` + * + * The size (in bytes) of the context structure for subkeys. + * + * - `block_size` + * + * The cipher block size (in bytes). + * + * - `log_block_size` + * + * The base-2 logarithm of cipher block size (e.g. 4 for blocks + * of 16 bytes). + * + * - `init` + * + * Pointer to the key expansion function. + * + * - `encrypt` + * + * Pointer to the CTR encryption + CBC-MAC function. + * + * - `decrypt` + * + * Pointer to the CTR decryption + CBC-MAC function. + * + * - `ctr` + * + * Pointer to the CTR encryption/decryption function. + * + * - `mac` + * + * Pointer to the CBC-MAC function. * * For block cipher "`xxx`", static, constant instances of these * structures are defined, under the names: @@ -183,6 +285,7 @@ extern "C" { * - `br_xxx_cbcenc_vtable` * - `br_xxx_cbcdec_vtable` * - `br_xxx_ctr_vtable` + * - `br_xxx_ctrcbc_vtable` * * * ## Implemented Block Ciphers @@ -460,6 +563,132 @@ struct br_block_ctr_class_ { const void *iv, uint32_t cc, void *data, size_t len); }; +/** + * \brief Class type for combined CTR and CBC-MAC implementations. + * + * A `br_block_ctrcbc_class` instance points to the functions implementing + * a specific block cipher, when used in CTR mode for encrypting or + * decrypting data, along with CBC-MAC. + */ +typedef struct br_block_ctrcbc_class_ br_block_ctrcbc_class; +struct br_block_ctrcbc_class_ { + /** + * \brief Size (in bytes) of the context structure appropriate + * for containing subkeys. + */ + size_t context_size; + + /** + * \brief Size of individual blocks (in bytes). + */ + unsigned block_size; + + /** + * \brief Base-2 logarithm of the size of individual blocks, + * expressed in bytes. + */ + unsigned log_block_size; + + /** + * \brief Initialisation function. + * + * This function sets the `vtable` field in the context structure. + * The key length MUST be one of the key lengths supported by + * the implementation. + * + * \param ctx context structure to initialise. + * \param key secret key. + * \param key_len key length (in bytes). + */ + void (*init)(const br_block_ctrcbc_class **ctx, + const void *key, size_t key_len); + + /** + * \brief Run the CTR encryption + CBC-MAC. + * + * The `ctr` parameter points to the counter; its length shall + * be equal to the block size. It is updated by this function + * as encryption proceeds. + * + * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC + * is computed over the encrypted data (output of CTR + * encryption). Its length shall be equal to the block size. The + * computed CBC-MAC value is written over the `cbcmac` array. + * + * The data to encrypt is updated "in place". Its length (`len` + * bytes) MUST be a multiple of the block size. + * + * \param ctx context structure (already initialised). + * \param ctr counter for CTR encryption (initial and final). + * \param cbcmac IV and output buffer for CBC-MAC. + * \param data data to encrypt. + * \param len data length (in bytes). + */ + void (*encrypt)(const br_block_ctrcbc_class *const *ctx, + void *ctr, void *cbcmac, void *data, size_t len); + + /** + * \brief Run the CTR decryption + CBC-MAC. + * + * The `ctr` parameter points to the counter; its length shall + * be equal to the block size. It is updated by this function + * as decryption proceeds. + * + * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC + * is computed over the encrypted data (i.e. before CTR + * decryption). Its length shall be equal to the block size. The + * computed CBC-MAC value is written over the `cbcmac` array. + * + * The data to decrypt is updated "in place". Its length (`len` + * bytes) MUST be a multiple of the block size. + * + * \param ctx context structure (already initialised). + * \param ctr counter for CTR encryption (initial and final). + * \param cbcmac IV and output buffer for CBC-MAC. + * \param data data to decrypt. + * \param len data length (in bytes). + */ + void (*decrypt)(const br_block_ctrcbc_class *const *ctx, + void *ctr, void *cbcmac, void *data, size_t len); + + /** + * \brief Run the CTR encryption/decryption only. + * + * The `ctr` parameter points to the counter; its length shall + * be equal to the block size. It is updated by this function + * as decryption proceeds. + * + * The data to decrypt is updated "in place". Its length (`len` + * bytes) MUST be a multiple of the block size. + * + * \param ctx context structure (already initialised). + * \param ctr counter for CTR encryption (initial and final). + * \param data data to decrypt. + * \param len data length (in bytes). + */ + void (*ctr)(const br_block_ctrcbc_class *const *ctx, + void *ctr, void *data, size_t len); + + /** + * \brief Run the CBC-MAC only. + * + * The `cbcmac` parameter points to the IV for CBC-MAC. The MAC + * is computed over the encrypted data (i.e. before CTR + * decryption). Its length shall be equal to the block size. The + * computed CBC-MAC value is written over the `cbcmac` array. + * + * The data is unmodified. Its length (`len` bytes) MUST be a + * multiple of the block size. + * + * \param ctx context structure (already initialised). + * \param cbcmac IV and output buffer for CBC-MAC. + * \param data data to decrypt. + * \param len data length (in bytes). + */ + void (*mac)(const br_block_ctrcbc_class *const *ctx, + void *cbcmac, const void *data, size_t len); +}; + /* * Traditional, table-based AES implementation. It is fast, but uses * internal tables (in particular a 1 kB table for encryption, another @@ -517,6 +746,22 @@ typedef struct { #endif } br_aes_big_ctr_keys; +/** + * \brief Context for AES subkeys (`aes_big` implementation, CTR encryption + * and decryption + CBC-MAC). + * + * First field is a pointer to the vtable; it is set by the initialisation + * function. Other fields are not supposed to be accessed by user code. + */ +typedef struct { + /** \brief Pointer to vtable for this context. */ + const br_block_ctrcbc_class *vtable; +#ifndef BR_DOXYGEN_IGNORE + uint32_t skey[60]; + unsigned num_rounds; +#endif +} br_aes_big_ctrcbc_keys; + /** * \brief Class instance for AES CBC encryption (`aes_big` implementation). */ @@ -533,6 +778,12 @@ extern const br_block_cbcdec_class br_aes_big_cbcdec_vtable; */ extern const br_block_ctr_class br_aes_big_ctr_vtable; +/** + * \brief Class instance for AES CTR encryption/decryption + CBC-MAC + * (`aes_big` implementation). + */ +extern const br_block_ctrcbc_class br_aes_big_ctrcbc_vtable; + /** * \brief Context initialisation (key schedule) for AES CBC encryption * (`aes_big` implementation). @@ -566,6 +817,17 @@ void br_aes_big_cbcdec_init(br_aes_big_cbcdec_keys *ctx, void br_aes_big_ctr_init(br_aes_big_ctr_keys *ctx, const void *key, size_t len); +/** + * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC + * (`aes_big` implementation). + * + * \param ctx context to initialise. + * \param key secret key. + * \param len secret key length (in bytes). + */ +void br_aes_big_ctrcbc_init(br_aes_big_ctrcbc_keys *ctx, + const void *key, size_t len); + /** * \brief CBC encryption with AES (`aes_big` implementation). * @@ -594,13 +856,59 @@ void br_aes_big_cbcdec_run(const br_aes_big_cbcdec_keys *ctx, void *iv, * \param ctx context (already initialised). * \param iv IV (constant, 12 bytes). * \param cc initial block counter value. - * \param data data to decrypt (updated). + * \param data data to encrypt or decrypt (updated). * \param len data length (in bytes). * \return new block counter value. */ uint32_t br_aes_big_ctr_run(const br_aes_big_ctr_keys *ctx, const void *iv, uint32_t cc, void *data, size_t len); +/** + * \brief CTR encryption + CBC-MAC with AES (`aes_big` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to encrypt (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_big_ctrcbc_encrypt(const br_aes_big_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len); + +/** + * \brief CTR decryption + CBC-MAC with AES (`aes_big` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to decrypt (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_big_ctrcbc_decrypt(const br_aes_big_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len); + +/** + * \brief CTR encryption/decryption with AES (`aes_big` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param data data to MAC (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_big_ctrcbc_ctr(const br_aes_big_ctrcbc_keys *ctx, + void *ctr, void *data, size_t len); + +/** + * \brief CBC-MAC with AES (`aes_big` implementation). + * + * \param ctx context (already initialised). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to MAC (unmodified). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_big_ctrcbc_mac(const br_aes_big_ctrcbc_keys *ctx, + void *cbcmac, const void *data, size_t len); + /* * AES implementation optimized for size. It is slower than the * traditional table-based AES implementation, but requires much less @@ -658,6 +966,22 @@ typedef struct { #endif } br_aes_small_ctr_keys; +/** + * \brief Context for AES subkeys (`aes_small` implementation, CTR encryption + * and decryption + CBC-MAC). + * + * First field is a pointer to the vtable; it is set by the initialisation + * function. Other fields are not supposed to be accessed by user code. + */ +typedef struct { + /** \brief Pointer to vtable for this context. */ + const br_block_ctrcbc_class *vtable; +#ifndef BR_DOXYGEN_IGNORE + uint32_t skey[60]; + unsigned num_rounds; +#endif +} br_aes_small_ctrcbc_keys; + /** * \brief Class instance for AES CBC encryption (`aes_small` implementation). */ @@ -674,6 +998,12 @@ extern const br_block_cbcdec_class br_aes_small_cbcdec_vtable; */ extern const br_block_ctr_class br_aes_small_ctr_vtable; +/** + * \brief Class instance for AES CTR encryption/decryption + CBC-MAC + * (`aes_small` implementation). + */ +extern const br_block_ctrcbc_class br_aes_small_ctrcbc_vtable; + /** * \brief Context initialisation (key schedule) for AES CBC encryption * (`aes_small` implementation). @@ -707,6 +1037,17 @@ void br_aes_small_cbcdec_init(br_aes_small_cbcdec_keys *ctx, void br_aes_small_ctr_init(br_aes_small_ctr_keys *ctx, const void *key, size_t len); +/** + * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC + * (`aes_small` implementation). + * + * \param ctx context to initialise. + * \param key secret key. + * \param len secret key length (in bytes). + */ +void br_aes_small_ctrcbc_init(br_aes_small_ctrcbc_keys *ctx, + const void *key, size_t len); + /** * \brief CBC encryption with AES (`aes_small` implementation). * @@ -742,6 +1083,52 @@ void br_aes_small_cbcdec_run(const br_aes_small_cbcdec_keys *ctx, void *iv, uint32_t br_aes_small_ctr_run(const br_aes_small_ctr_keys *ctx, const void *iv, uint32_t cc, void *data, size_t len); +/** + * \brief CTR encryption + CBC-MAC with AES (`aes_small` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to encrypt (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_small_ctrcbc_encrypt(const br_aes_small_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len); + +/** + * \brief CTR decryption + CBC-MAC with AES (`aes_small` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to decrypt (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_small_ctrcbc_decrypt(const br_aes_small_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len); + +/** + * \brief CTR encryption/decryption with AES (`aes_small` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param data data to MAC (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_small_ctrcbc_ctr(const br_aes_small_ctrcbc_keys *ctx, + void *ctr, void *data, size_t len); + +/** + * \brief CBC-MAC with AES (`aes_small` implementation). + * + * \param ctx context (already initialised). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to MAC (unmodified). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_small_ctrcbc_mac(const br_aes_small_ctrcbc_keys *ctx, + void *cbcmac, const void *data, size_t len); + /* * Constant-time AES implementation. Its size is similar to that of * 'aes_big', and its performance is similar to that of 'aes_small' (faster @@ -798,6 +1185,22 @@ typedef struct { #endif } br_aes_ct_ctr_keys; +/** + * \brief Context for AES subkeys (`aes_ct` implementation, CTR encryption + * and decryption + CBC-MAC). + * + * First field is a pointer to the vtable; it is set by the initialisation + * function. Other fields are not supposed to be accessed by user code. + */ +typedef struct { + /** \brief Pointer to vtable for this context. */ + const br_block_ctrcbc_class *vtable; +#ifndef BR_DOXYGEN_IGNORE + uint32_t skey[60]; + unsigned num_rounds; +#endif +} br_aes_ct_ctrcbc_keys; + /** * \brief Class instance for AES CBC encryption (`aes_ct` implementation). */ @@ -814,6 +1217,12 @@ extern const br_block_cbcdec_class br_aes_ct_cbcdec_vtable; */ extern const br_block_ctr_class br_aes_ct_ctr_vtable; +/** + * \brief Class instance for AES CTR encryption/decryption + CBC-MAC + * (`aes_ct` implementation). + */ +extern const br_block_ctrcbc_class br_aes_ct_ctrcbc_vtable; + /** * \brief Context initialisation (key schedule) for AES CBC encryption * (`aes_ct` implementation). @@ -847,6 +1256,17 @@ void br_aes_ct_cbcdec_init(br_aes_ct_cbcdec_keys *ctx, void br_aes_ct_ctr_init(br_aes_ct_ctr_keys *ctx, const void *key, size_t len); +/** + * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC + * (`aes_ct` implementation). + * + * \param ctx context to initialise. + * \param key secret key. + * \param len secret key length (in bytes). + */ +void br_aes_ct_ctrcbc_init(br_aes_ct_ctrcbc_keys *ctx, + const void *key, size_t len); + /** * \brief CBC encryption with AES (`aes_ct` implementation). * @@ -882,6 +1302,52 @@ void br_aes_ct_cbcdec_run(const br_aes_ct_cbcdec_keys *ctx, void *iv, uint32_t br_aes_ct_ctr_run(const br_aes_ct_ctr_keys *ctx, const void *iv, uint32_t cc, void *data, size_t len); +/** + * \brief CTR encryption + CBC-MAC with AES (`aes_ct` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to encrypt (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_ct_ctrcbc_encrypt(const br_aes_ct_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len); + +/** + * \brief CTR decryption + CBC-MAC with AES (`aes_ct` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to decrypt (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_ct_ctrcbc_decrypt(const br_aes_ct_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len); + +/** + * \brief CTR encryption/decryption with AES (`aes_ct` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param data data to MAC (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_ct_ctrcbc_ctr(const br_aes_ct_ctrcbc_keys *ctx, + void *ctr, void *data, size_t len); + +/** + * \brief CBC-MAC with AES (`aes_ct` implementation). + * + * \param ctx context (already initialised). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to MAC (unmodified). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_ct_ctrcbc_mac(const br_aes_ct_ctrcbc_keys *ctx, + void *cbcmac, const void *data, size_t len); + /* * 64-bit constant-time AES implementation. It is similar to 'aes_ct' * but uses 64-bit registers, making it about twice faster than 'aes_ct' @@ -940,6 +1406,22 @@ typedef struct { #endif } br_aes_ct64_ctr_keys; +/** + * \brief Context for AES subkeys (`aes_ct64` implementation, CTR encryption + * and decryption + CBC-MAC). + * + * First field is a pointer to the vtable; it is set by the initialisation + * function. Other fields are not supposed to be accessed by user code. + */ +typedef struct { + /** \brief Pointer to vtable for this context. */ + const br_block_ctrcbc_class *vtable; +#ifndef BR_DOXYGEN_IGNORE + uint64_t skey[30]; + unsigned num_rounds; +#endif +} br_aes_ct64_ctrcbc_keys; + /** * \brief Class instance for AES CBC encryption (`aes_ct64` implementation). */ @@ -956,6 +1438,12 @@ extern const br_block_cbcdec_class br_aes_ct64_cbcdec_vtable; */ extern const br_block_ctr_class br_aes_ct64_ctr_vtable; +/** + * \brief Class instance for AES CTR encryption/decryption + CBC-MAC + * (`aes_ct64` implementation). + */ +extern const br_block_ctrcbc_class br_aes_ct64_ctrcbc_vtable; + /** * \brief Context initialisation (key schedule) for AES CBC encryption * (`aes_ct64` implementation). @@ -989,6 +1477,17 @@ void br_aes_ct64_cbcdec_init(br_aes_ct64_cbcdec_keys *ctx, void br_aes_ct64_ctr_init(br_aes_ct64_ctr_keys *ctx, const void *key, size_t len); +/** + * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC + * (`aes_ct64` implementation). + * + * \param ctx context to initialise. + * \param key secret key. + * \param len secret key length (in bytes). + */ +void br_aes_ct64_ctrcbc_init(br_aes_ct64_ctrcbc_keys *ctx, + const void *key, size_t len); + /** * \brief CBC encryption with AES (`aes_ct64` implementation). * @@ -1024,6 +1523,52 @@ void br_aes_ct64_cbcdec_run(const br_aes_ct64_cbcdec_keys *ctx, void *iv, uint32_t br_aes_ct64_ctr_run(const br_aes_ct64_ctr_keys *ctx, const void *iv, uint32_t cc, void *data, size_t len); +/** + * \brief CTR encryption + CBC-MAC with AES (`aes_ct64` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to encrypt (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_ct64_ctrcbc_encrypt(const br_aes_ct64_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len); + +/** + * \brief CTR decryption + CBC-MAC with AES (`aes_ct64` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to decrypt (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_ct64_ctrcbc_decrypt(const br_aes_ct64_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len); + +/** + * \brief CTR encryption/decryption with AES (`aes_ct64` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param data data to MAC (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_ct64_ctrcbc_ctr(const br_aes_ct64_ctrcbc_keys *ctx, + void *ctr, void *data, size_t len); + +/** + * \brief CBC-MAC with AES (`aes_ct64` implementation). + * + * \param ctx context (already initialised). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to MAC (unmodified). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_ct64_ctrcbc_mac(const br_aes_ct64_ctrcbc_keys *ctx, + void *cbcmac, const void *data, size_t len); + /* * AES implementation using AES-NI opcodes (x86 platform). */ @@ -1083,6 +1628,24 @@ typedef struct { #endif } br_aes_x86ni_ctr_keys; +/** + * \brief Context for AES subkeys (`aes_x86ni` implementation, CTR encryption + * and decryption + CBC-MAC). + * + * First field is a pointer to the vtable; it is set by the initialisation + * function. Other fields are not supposed to be accessed by user code. + */ +typedef struct { + /** \brief Pointer to vtable for this context. */ + const br_block_ctrcbc_class *vtable; +#ifndef BR_DOXYGEN_IGNORE + union { + unsigned char skni[16 * 15]; + } skey; + unsigned num_rounds; +#endif +} br_aes_x86ni_ctrcbc_keys; + /** * \brief Class instance for AES CBC encryption (`aes_x86ni` implementation). * @@ -1111,6 +1674,16 @@ extern const br_block_cbcdec_class br_aes_x86ni_cbcdec_vtable; */ extern const br_block_ctr_class br_aes_x86ni_ctr_vtable; +/** + * \brief Class instance for AES CTR encryption/decryption + CBC-MAC + * (`aes_x86ni` implementation). + * + * Since this implementation might be omitted from the library, or the + * AES opcode unavailable on the current CPU, a pointer to this class + * instance should be obtained through `br_aes_x86ni_ctrcbc_get_vtable()`. + */ +extern const br_block_ctrcbc_class br_aes_x86ni_ctrcbc_vtable; + /** * \brief Context initialisation (key schedule) for AES CBC encryption * (`aes_x86ni` implementation). @@ -1144,6 +1717,17 @@ void br_aes_x86ni_cbcdec_init(br_aes_x86ni_cbcdec_keys *ctx, void br_aes_x86ni_ctr_init(br_aes_x86ni_ctr_keys *ctx, const void *key, size_t len); +/** + * \brief Context initialisation (key schedule) for AES CTR + CBC-MAC + * (`aes_x86ni` implementation). + * + * \param ctx context to initialise. + * \param key secret key. + * \param len secret key length (in bytes). + */ +void br_aes_x86ni_ctrcbc_init(br_aes_x86ni_ctrcbc_keys *ctx, + const void *key, size_t len); + /** * \brief CBC encryption with AES (`aes_x86ni` implementation). * @@ -1179,6 +1763,52 @@ void br_aes_x86ni_cbcdec_run(const br_aes_x86ni_cbcdec_keys *ctx, void *iv, uint32_t br_aes_x86ni_ctr_run(const br_aes_x86ni_ctr_keys *ctx, const void *iv, uint32_t cc, void *data, size_t len); +/** + * \brief CTR encryption + CBC-MAC with AES (`aes_x86ni` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to encrypt (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_x86ni_ctrcbc_encrypt(const br_aes_x86ni_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len); + +/** + * \brief CTR decryption + CBC-MAC with AES (`aes_x86ni` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to decrypt (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_x86ni_ctrcbc_decrypt(const br_aes_x86ni_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len); + +/** + * \brief CTR encryption/decryption with AES (`aes_x86ni` implementation). + * + * \param ctx context (already initialised). + * \param ctr counter for CTR (16 bytes, updated). + * \param data data to MAC (updated). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_x86ni_ctrcbc_ctr(const br_aes_x86ni_ctrcbc_keys *ctx, + void *ctr, void *data, size_t len); + +/** + * \brief CBC-MAC with AES (`aes_x86ni` implementation). + * + * \param ctx context (already initialised). + * \param cbcmac IV for CBC-MAC (updated). + * \param data data to MAC (unmodified). + * \param len data length (in bytes, MUST be a multiple of 16). + */ +void br_aes_x86ni_ctrcbc_mac(const br_aes_x86ni_ctrcbc_keys *ctx, + void *cbcmac, const void *data, size_t len); + /** * \brief Obtain the `aes_x86ni` AES-CBC (encryption) implementation, if * available. @@ -1188,7 +1818,7 @@ uint32_t br_aes_x86ni_ctr_run(const br_aes_x86ni_ctr_keys *ctx, * opcodes are available on the currently running CPU. If either of * these conditions is not met, then this function returns `NULL`. * - * \return the `aes_x868ni` AES-CBC (encryption) implementation, or `NULL`. + * \return the `aes_x86ni` AES-CBC (encryption) implementation, or `NULL`. */ const br_block_cbcenc_class *br_aes_x86ni_cbcenc_get_vtable(void); @@ -1201,7 +1831,7 @@ const br_block_cbcenc_class *br_aes_x86ni_cbcenc_get_vtable(void); * opcodes are available on the currently running CPU. If either of * these conditions is not met, then this function returns `NULL`. * - * \return the `aes_x868ni` AES-CBC (decryption) implementation, or `NULL`. + * \return the `aes_x86ni` AES-CBC (decryption) implementation, or `NULL`. */ const br_block_cbcdec_class *br_aes_x86ni_cbcdec_get_vtable(void); @@ -1213,10 +1843,23 @@ const br_block_cbcdec_class *br_aes_x86ni_cbcdec_get_vtable(void); * opcodes are available on the currently running CPU. If either of * these conditions is not met, then this function returns `NULL`. * - * \return the `aes_x868ni` AES-CTR implementation, or `NULL`. + * \return the `aes_x86ni` AES-CTR implementation, or `NULL`. */ const br_block_ctr_class *br_aes_x86ni_ctr_get_vtable(void); +/** + * \brief Obtain the `aes_x86ni` AES-CTR + CBC-MAC implementation, if + * available. + * + * This function returns a pointer to `br_aes_x86ni_ctrcbc_vtable`, if + * that implementation was compiled in the library _and_ the x86 AES + * opcodes are available on the currently running CPU. If either of + * these conditions is not met, then this function returns `NULL`. + * + * \return the `aes_x86ni` AES-CTR implementation, or `NULL`. + */ +const br_block_ctrcbc_class *br_aes_x86ni_ctrcbc_get_vtable(void); + /* * AES implementation using POWER8 opcodes. */ @@ -1452,6 +2095,22 @@ typedef union { br_aes_pwr8_ctr_keys c_pwr8; } br_aes_gen_ctr_keys; +/** + * \brief Aggregate structure large enough to be used as context for + * subkeys (CTR encryption/decryption + CBC-MAC) for all AES implementations. + */ +typedef union { + const br_block_ctrcbc_class *vtable; + br_aes_big_ctrcbc_keys c_big; + br_aes_small_ctrcbc_keys c_small; + br_aes_ct_ctrcbc_keys c_ct; + br_aes_ct64_ctrcbc_keys c_ct64; + /* FIXME + br_aes_x86ni_ctrcbc_keys c_x86ni; + br_aes_pwr8_ctrcbc_keys c_pwr8; + */ +} br_aes_gen_ctrcbc_keys; + /* * Traditional, table-based implementation for DES/3DES. Since tables are * used, cache-timing attacks are conceptually possible. diff --git a/mk/Rules.mk b/mk/Rules.mk index 21a58ce..2a281ff 100644 --- a/mk/Rules.mk +++ b/mk/Rules.mk @@ -1,6 +1,6 @@ # Automatically generated rules. Use 'mkrules.sh' to modify/regenerate. -OBJ = $(OBJDIR)$Psettings$O $(OBJDIR)$Pgcm$O $(OBJDIR)$Pccopy$O $(OBJDIR)$Pdec16be$O $(OBJDIR)$Pdec16le$O $(OBJDIR)$Pdec32be$O $(OBJDIR)$Pdec32le$O $(OBJDIR)$Pdec64be$O $(OBJDIR)$Pdec64le$O $(OBJDIR)$Penc16be$O $(OBJDIR)$Penc16le$O $(OBJDIR)$Penc32be$O $(OBJDIR)$Penc32le$O $(OBJDIR)$Penc64be$O $(OBJDIR)$Penc64le$O $(OBJDIR)$Ppemdec$O $(OBJDIR)$Pec_all_m15$O $(OBJDIR)$Pec_all_m31$O $(OBJDIR)$Pec_c25519_i15$O $(OBJDIR)$Pec_c25519_i31$O $(OBJDIR)$Pec_c25519_m15$O $(OBJDIR)$Pec_c25519_m31$O $(OBJDIR)$Pec_curve25519$O $(OBJDIR)$Pec_default$O $(OBJDIR)$Pec_p256_m15$O $(OBJDIR)$Pec_p256_m31$O $(OBJDIR)$Pec_prime_i15$O $(OBJDIR)$Pec_prime_i31$O $(OBJDIR)$Pec_secp256r1$O $(OBJDIR)$Pec_secp384r1$O $(OBJDIR)$Pec_secp521r1$O $(OBJDIR)$Pecdsa_atr$O $(OBJDIR)$Pecdsa_default_sign_asn1$O $(OBJDIR)$Pecdsa_default_sign_raw$O $(OBJDIR)$Pecdsa_default_vrfy_asn1$O $(OBJDIR)$Pecdsa_default_vrfy_raw$O $(OBJDIR)$Pecdsa_i15_bits$O $(OBJDIR)$Pecdsa_i15_sign_asn1$O $(OBJDIR)$Pecdsa_i15_sign_raw$O $(OBJDIR)$Pecdsa_i15_vrfy_asn1$O $(OBJDIR)$Pecdsa_i15_vrfy_raw$O $(OBJDIR)$Pecdsa_i31_bits$O $(OBJDIR)$Pecdsa_i31_sign_asn1$O $(OBJDIR)$Pecdsa_i31_sign_raw$O $(OBJDIR)$Pecdsa_i31_vrfy_asn1$O $(OBJDIR)$Pecdsa_i31_vrfy_raw$O $(OBJDIR)$Pecdsa_rta$O $(OBJDIR)$Pdig_oid$O $(OBJDIR)$Pdig_size$O $(OBJDIR)$Pghash_ctmul$O $(OBJDIR)$Pghash_ctmul32$O $(OBJDIR)$Pghash_ctmul64$O $(OBJDIR)$Pghash_pclmul$O $(OBJDIR)$Pghash_pwr8$O $(OBJDIR)$Pmd5$O $(OBJDIR)$Pmd5sha1$O $(OBJDIR)$Pmultihash$O $(OBJDIR)$Psha1$O $(OBJDIR)$Psha2big$O $(OBJDIR)$Psha2small$O $(OBJDIR)$Pi15_add$O $(OBJDIR)$Pi15_bitlen$O $(OBJDIR)$Pi15_decmod$O $(OBJDIR)$Pi15_decode$O $(OBJDIR)$Pi15_decred$O $(OBJDIR)$Pi15_encode$O $(OBJDIR)$Pi15_fmont$O $(OBJDIR)$Pi15_iszero$O $(OBJDIR)$Pi15_modpow$O $(OBJDIR)$Pi15_modpow2$O $(OBJDIR)$Pi15_montmul$O $(OBJDIR)$Pi15_mulacc$O $(OBJDIR)$Pi15_muladd$O $(OBJDIR)$Pi15_ninv15$O $(OBJDIR)$Pi15_reduce$O $(OBJDIR)$Pi15_rshift$O $(OBJDIR)$Pi15_sub$O $(OBJDIR)$Pi15_tmont$O $(OBJDIR)$Pi31_add$O $(OBJDIR)$Pi31_bitlen$O $(OBJDIR)$Pi31_decmod$O $(OBJDIR)$Pi31_decode$O $(OBJDIR)$Pi31_decred$O $(OBJDIR)$Pi31_encode$O $(OBJDIR)$Pi31_fmont$O $(OBJDIR)$Pi31_iszero$O $(OBJDIR)$Pi31_modpow$O $(OBJDIR)$Pi31_modpow2$O $(OBJDIR)$Pi31_montmul$O $(OBJDIR)$Pi31_mulacc$O $(OBJDIR)$Pi31_muladd$O $(OBJDIR)$Pi31_ninv31$O $(OBJDIR)$Pi31_reduce$O $(OBJDIR)$Pi31_rshift$O $(OBJDIR)$Pi31_sub$O $(OBJDIR)$Pi31_tmont$O $(OBJDIR)$Pi32_add$O $(OBJDIR)$Pi32_bitlen$O $(OBJDIR)$Pi32_decmod$O $(OBJDIR)$Pi32_decode$O $(OBJDIR)$Pi32_decred$O $(OBJDIR)$Pi32_div32$O $(OBJDIR)$Pi32_encode$O $(OBJDIR)$Pi32_fmont$O $(OBJDIR)$Pi32_iszero$O $(OBJDIR)$Pi32_modpow$O $(OBJDIR)$Pi32_montmul$O $(OBJDIR)$Pi32_mulacc$O $(OBJDIR)$Pi32_muladd$O $(OBJDIR)$Pi32_ninv32$O $(OBJDIR)$Pi32_reduce$O $(OBJDIR)$Pi32_sub$O $(OBJDIR)$Pi32_tmont$O $(OBJDIR)$Pi62_modpow2$O $(OBJDIR)$Phmac$O $(OBJDIR)$Phmac_ct$O $(OBJDIR)$Phmac_drbg$O $(OBJDIR)$Psysrng$O $(OBJDIR)$Prsa_default_pkcs1_sign$O $(OBJDIR)$Prsa_default_pkcs1_vrfy$O $(OBJDIR)$Prsa_default_priv$O $(OBJDIR)$Prsa_default_pub$O $(OBJDIR)$Prsa_i15_pkcs1_sign$O $(OBJDIR)$Prsa_i15_pkcs1_vrfy$O $(OBJDIR)$Prsa_i15_priv$O $(OBJDIR)$Prsa_i15_pub$O $(OBJDIR)$Prsa_i31_pkcs1_sign$O $(OBJDIR)$Prsa_i31_pkcs1_vrfy$O $(OBJDIR)$Prsa_i31_priv$O $(OBJDIR)$Prsa_i31_pub$O $(OBJDIR)$Prsa_i32_pkcs1_sign$O $(OBJDIR)$Prsa_i32_pkcs1_vrfy$O $(OBJDIR)$Prsa_i32_priv$O $(OBJDIR)$Prsa_i32_pub$O $(OBJDIR)$Prsa_i62_pkcs1_sign$O $(OBJDIR)$Prsa_i62_pkcs1_vrfy$O $(OBJDIR)$Prsa_i62_priv$O $(OBJDIR)$Prsa_i62_pub$O $(OBJDIR)$Prsa_pkcs1_sig_pad$O $(OBJDIR)$Prsa_pkcs1_sig_unpad$O $(OBJDIR)$Prsa_ssl_decrypt$O $(OBJDIR)$Pprf$O $(OBJDIR)$Pprf_md5sha1$O $(OBJDIR)$Pprf_sha256$O $(OBJDIR)$Pprf_sha384$O $(OBJDIR)$Pssl_ccert_single_ec$O $(OBJDIR)$Pssl_ccert_single_rsa$O $(OBJDIR)$Pssl_client$O $(OBJDIR)$Pssl_client_default_rsapub$O $(OBJDIR)$Pssl_client_full$O $(OBJDIR)$Pssl_engine$O $(OBJDIR)$Pssl_engine_default_aescbc$O $(OBJDIR)$Pssl_engine_default_aesgcm$O $(OBJDIR)$Pssl_engine_default_chapol$O $(OBJDIR)$Pssl_engine_default_descbc$O $(OBJDIR)$Pssl_engine_default_ec$O $(OBJDIR)$Pssl_engine_default_ecdsa$O $(OBJDIR)$Pssl_engine_default_rsavrfy$O $(OBJDIR)$Pssl_hashes$O $(OBJDIR)$Pssl_hs_client$O $(OBJDIR)$Pssl_hs_server$O $(OBJDIR)$Pssl_io$O $(OBJDIR)$Pssl_keyexport$O $(OBJDIR)$Pssl_lru$O $(OBJDIR)$Pssl_rec_cbc$O $(OBJDIR)$Pssl_rec_chapol$O $(OBJDIR)$Pssl_rec_gcm$O $(OBJDIR)$Pssl_scert_single_ec$O $(OBJDIR)$Pssl_scert_single_rsa$O $(OBJDIR)$Pssl_server$O $(OBJDIR)$Pssl_server_full_ec$O $(OBJDIR)$Pssl_server_full_rsa$O $(OBJDIR)$Pssl_server_mine2c$O $(OBJDIR)$Pssl_server_mine2g$O $(OBJDIR)$Pssl_server_minf2c$O $(OBJDIR)$Pssl_server_minf2g$O $(OBJDIR)$Pssl_server_minr2g$O $(OBJDIR)$Pssl_server_minu2g$O $(OBJDIR)$Pssl_server_minv2g$O $(OBJDIR)$Paes_big_cbcdec$O $(OBJDIR)$Paes_big_cbcenc$O $(OBJDIR)$Paes_big_ctr$O $(OBJDIR)$Paes_big_dec$O $(OBJDIR)$Paes_big_enc$O $(OBJDIR)$Paes_common$O $(OBJDIR)$Paes_ct$O $(OBJDIR)$Paes_ct64$O $(OBJDIR)$Paes_ct64_cbcdec$O $(OBJDIR)$Paes_ct64_cbcenc$O $(OBJDIR)$Paes_ct64_ctr$O $(OBJDIR)$Paes_ct64_dec$O $(OBJDIR)$Paes_ct64_enc$O $(OBJDIR)$Paes_ct_cbcdec$O $(OBJDIR)$Paes_ct_cbcenc$O $(OBJDIR)$Paes_ct_ctr$O $(OBJDIR)$Paes_ct_dec$O $(OBJDIR)$Paes_ct_enc$O $(OBJDIR)$Paes_pwr8$O $(OBJDIR)$Paes_pwr8_cbcdec$O $(OBJDIR)$Paes_pwr8_cbcenc$O $(OBJDIR)$Paes_pwr8_ctr$O $(OBJDIR)$Paes_small_cbcdec$O $(OBJDIR)$Paes_small_cbcenc$O $(OBJDIR)$Paes_small_ctr$O $(OBJDIR)$Paes_small_dec$O $(OBJDIR)$Paes_small_enc$O $(OBJDIR)$Paes_x86ni$O $(OBJDIR)$Paes_x86ni_cbcdec$O $(OBJDIR)$Paes_x86ni_cbcenc$O $(OBJDIR)$Paes_x86ni_ctr$O $(OBJDIR)$Pchacha20_ct$O $(OBJDIR)$Pchacha20_sse2$O $(OBJDIR)$Pdes_ct$O $(OBJDIR)$Pdes_ct_cbcdec$O $(OBJDIR)$Pdes_ct_cbcenc$O $(OBJDIR)$Pdes_support$O $(OBJDIR)$Pdes_tab$O $(OBJDIR)$Pdes_tab_cbcdec$O $(OBJDIR)$Pdes_tab_cbcenc$O $(OBJDIR)$Ppoly1305_ctmul$O $(OBJDIR)$Ppoly1305_ctmul32$O $(OBJDIR)$Ppoly1305_ctmulq$O $(OBJDIR)$Ppoly1305_i15$O $(OBJDIR)$Pskey_decoder$O $(OBJDIR)$Px509_decoder$O $(OBJDIR)$Px509_knownkey$O $(OBJDIR)$Px509_minimal$O $(OBJDIR)$Px509_minimal_full$O +OBJ = $(OBJDIR)$Psettings$O $(OBJDIR)$Pccm$O $(OBJDIR)$Peax$O $(OBJDIR)$Pgcm$O $(OBJDIR)$Pccopy$O $(OBJDIR)$Pdec16be$O $(OBJDIR)$Pdec16le$O $(OBJDIR)$Pdec32be$O $(OBJDIR)$Pdec32le$O $(OBJDIR)$Pdec64be$O $(OBJDIR)$Pdec64le$O $(OBJDIR)$Penc16be$O $(OBJDIR)$Penc16le$O $(OBJDIR)$Penc32be$O $(OBJDIR)$Penc32le$O $(OBJDIR)$Penc64be$O $(OBJDIR)$Penc64le$O $(OBJDIR)$Ppemdec$O $(OBJDIR)$Pec_all_m15$O $(OBJDIR)$Pec_all_m31$O $(OBJDIR)$Pec_c25519_i15$O $(OBJDIR)$Pec_c25519_i31$O $(OBJDIR)$Pec_c25519_m15$O $(OBJDIR)$Pec_c25519_m31$O $(OBJDIR)$Pec_curve25519$O $(OBJDIR)$Pec_default$O $(OBJDIR)$Pec_p256_m15$O $(OBJDIR)$Pec_p256_m31$O $(OBJDIR)$Pec_prime_i15$O $(OBJDIR)$Pec_prime_i31$O $(OBJDIR)$Pec_secp256r1$O $(OBJDIR)$Pec_secp384r1$O $(OBJDIR)$Pec_secp521r1$O $(OBJDIR)$Pecdsa_atr$O $(OBJDIR)$Pecdsa_default_sign_asn1$O $(OBJDIR)$Pecdsa_default_sign_raw$O $(OBJDIR)$Pecdsa_default_vrfy_asn1$O $(OBJDIR)$Pecdsa_default_vrfy_raw$O $(OBJDIR)$Pecdsa_i15_bits$O $(OBJDIR)$Pecdsa_i15_sign_asn1$O $(OBJDIR)$Pecdsa_i15_sign_raw$O $(OBJDIR)$Pecdsa_i15_vrfy_asn1$O $(OBJDIR)$Pecdsa_i15_vrfy_raw$O $(OBJDIR)$Pecdsa_i31_bits$O $(OBJDIR)$Pecdsa_i31_sign_asn1$O $(OBJDIR)$Pecdsa_i31_sign_raw$O $(OBJDIR)$Pecdsa_i31_vrfy_asn1$O $(OBJDIR)$Pecdsa_i31_vrfy_raw$O $(OBJDIR)$Pecdsa_rta$O $(OBJDIR)$Pdig_oid$O $(OBJDIR)$Pdig_size$O $(OBJDIR)$Pghash_ctmul$O $(OBJDIR)$Pghash_ctmul32$O $(OBJDIR)$Pghash_ctmul64$O $(OBJDIR)$Pghash_pclmul$O $(OBJDIR)$Pghash_pwr8$O $(OBJDIR)$Pmd5$O $(OBJDIR)$Pmd5sha1$O $(OBJDIR)$Pmultihash$O $(OBJDIR)$Psha1$O $(OBJDIR)$Psha2big$O $(OBJDIR)$Psha2small$O $(OBJDIR)$Pi15_add$O $(OBJDIR)$Pi15_bitlen$O $(OBJDIR)$Pi15_decmod$O $(OBJDIR)$Pi15_decode$O $(OBJDIR)$Pi15_decred$O $(OBJDIR)$Pi15_encode$O $(OBJDIR)$Pi15_fmont$O $(OBJDIR)$Pi15_iszero$O $(OBJDIR)$Pi15_modpow$O $(OBJDIR)$Pi15_modpow2$O $(OBJDIR)$Pi15_montmul$O $(OBJDIR)$Pi15_mulacc$O $(OBJDIR)$Pi15_muladd$O $(OBJDIR)$Pi15_ninv15$O $(OBJDIR)$Pi15_reduce$O $(OBJDIR)$Pi15_rshift$O $(OBJDIR)$Pi15_sub$O $(OBJDIR)$Pi15_tmont$O $(OBJDIR)$Pi31_add$O $(OBJDIR)$Pi31_bitlen$O $(OBJDIR)$Pi31_decmod$O $(OBJDIR)$Pi31_decode$O $(OBJDIR)$Pi31_decred$O $(OBJDIR)$Pi31_encode$O $(OBJDIR)$Pi31_fmont$O $(OBJDIR)$Pi31_iszero$O $(OBJDIR)$Pi31_modpow$O $(OBJDIR)$Pi31_modpow2$O $(OBJDIR)$Pi31_montmul$O $(OBJDIR)$Pi31_mulacc$O $(OBJDIR)$Pi31_muladd$O $(OBJDIR)$Pi31_ninv31$O $(OBJDIR)$Pi31_reduce$O $(OBJDIR)$Pi31_rshift$O $(OBJDIR)$Pi31_sub$O $(OBJDIR)$Pi31_tmont$O $(OBJDIR)$Pi32_add$O $(OBJDIR)$Pi32_bitlen$O $(OBJDIR)$Pi32_decmod$O $(OBJDIR)$Pi32_decode$O $(OBJDIR)$Pi32_decred$O $(OBJDIR)$Pi32_div32$O $(OBJDIR)$Pi32_encode$O $(OBJDIR)$Pi32_fmont$O $(OBJDIR)$Pi32_iszero$O $(OBJDIR)$Pi32_modpow$O $(OBJDIR)$Pi32_montmul$O $(OBJDIR)$Pi32_mulacc$O $(OBJDIR)$Pi32_muladd$O $(OBJDIR)$Pi32_ninv32$O $(OBJDIR)$Pi32_reduce$O $(OBJDIR)$Pi32_sub$O $(OBJDIR)$Pi32_tmont$O $(OBJDIR)$Pi62_modpow2$O $(OBJDIR)$Phmac$O $(OBJDIR)$Phmac_ct$O $(OBJDIR)$Phmac_drbg$O $(OBJDIR)$Psysrng$O $(OBJDIR)$Prsa_default_pkcs1_sign$O $(OBJDIR)$Prsa_default_pkcs1_vrfy$O $(OBJDIR)$Prsa_default_priv$O $(OBJDIR)$Prsa_default_pub$O $(OBJDIR)$Prsa_i15_pkcs1_sign$O $(OBJDIR)$Prsa_i15_pkcs1_vrfy$O $(OBJDIR)$Prsa_i15_priv$O $(OBJDIR)$Prsa_i15_pub$O $(OBJDIR)$Prsa_i31_pkcs1_sign$O $(OBJDIR)$Prsa_i31_pkcs1_vrfy$O $(OBJDIR)$Prsa_i31_priv$O $(OBJDIR)$Prsa_i31_pub$O $(OBJDIR)$Prsa_i32_pkcs1_sign$O $(OBJDIR)$Prsa_i32_pkcs1_vrfy$O $(OBJDIR)$Prsa_i32_priv$O $(OBJDIR)$Prsa_i32_pub$O $(OBJDIR)$Prsa_i62_pkcs1_sign$O $(OBJDIR)$Prsa_i62_pkcs1_vrfy$O $(OBJDIR)$Prsa_i62_priv$O $(OBJDIR)$Prsa_i62_pub$O $(OBJDIR)$Prsa_pkcs1_sig_pad$O $(OBJDIR)$Prsa_pkcs1_sig_unpad$O $(OBJDIR)$Prsa_ssl_decrypt$O $(OBJDIR)$Pprf$O $(OBJDIR)$Pprf_md5sha1$O $(OBJDIR)$Pprf_sha256$O $(OBJDIR)$Pprf_sha384$O $(OBJDIR)$Pssl_ccert_single_ec$O $(OBJDIR)$Pssl_ccert_single_rsa$O $(OBJDIR)$Pssl_client$O $(OBJDIR)$Pssl_client_default_rsapub$O $(OBJDIR)$Pssl_client_full$O $(OBJDIR)$Pssl_engine$O $(OBJDIR)$Pssl_engine_default_aescbc$O $(OBJDIR)$Pssl_engine_default_aesgcm$O $(OBJDIR)$Pssl_engine_default_chapol$O $(OBJDIR)$Pssl_engine_default_descbc$O $(OBJDIR)$Pssl_engine_default_ec$O $(OBJDIR)$Pssl_engine_default_ecdsa$O $(OBJDIR)$Pssl_engine_default_rsavrfy$O $(OBJDIR)$Pssl_hashes$O $(OBJDIR)$Pssl_hs_client$O $(OBJDIR)$Pssl_hs_server$O $(OBJDIR)$Pssl_io$O $(OBJDIR)$Pssl_keyexport$O $(OBJDIR)$Pssl_lru$O $(OBJDIR)$Pssl_rec_cbc$O $(OBJDIR)$Pssl_rec_chapol$O $(OBJDIR)$Pssl_rec_gcm$O $(OBJDIR)$Pssl_scert_single_ec$O $(OBJDIR)$Pssl_scert_single_rsa$O $(OBJDIR)$Pssl_server$O $(OBJDIR)$Pssl_server_full_ec$O $(OBJDIR)$Pssl_server_full_rsa$O $(OBJDIR)$Pssl_server_mine2c$O $(OBJDIR)$Pssl_server_mine2g$O $(OBJDIR)$Pssl_server_minf2c$O $(OBJDIR)$Pssl_server_minf2g$O $(OBJDIR)$Pssl_server_minr2g$O $(OBJDIR)$Pssl_server_minu2g$O $(OBJDIR)$Pssl_server_minv2g$O $(OBJDIR)$Paes_big_cbcdec$O $(OBJDIR)$Paes_big_cbcenc$O $(OBJDIR)$Paes_big_ctr$O $(OBJDIR)$Paes_big_ctrcbc$O $(OBJDIR)$Paes_big_dec$O $(OBJDIR)$Paes_big_enc$O $(OBJDIR)$Paes_common$O $(OBJDIR)$Paes_ct$O $(OBJDIR)$Paes_ct64$O $(OBJDIR)$Paes_ct64_cbcdec$O $(OBJDIR)$Paes_ct64_cbcenc$O $(OBJDIR)$Paes_ct64_ctr$O $(OBJDIR)$Paes_ct64_ctrcbc$O $(OBJDIR)$Paes_ct64_dec$O $(OBJDIR)$Paes_ct64_enc$O $(OBJDIR)$Paes_ct_cbcdec$O $(OBJDIR)$Paes_ct_cbcenc$O $(OBJDIR)$Paes_ct_ctr$O $(OBJDIR)$Paes_ct_ctrcbc$O $(OBJDIR)$Paes_ct_dec$O $(OBJDIR)$Paes_ct_enc$O $(OBJDIR)$Paes_pwr8$O $(OBJDIR)$Paes_pwr8_cbcdec$O $(OBJDIR)$Paes_pwr8_cbcenc$O $(OBJDIR)$Paes_pwr8_ctr$O $(OBJDIR)$Paes_small_cbcdec$O $(OBJDIR)$Paes_small_cbcenc$O $(OBJDIR)$Paes_small_ctr$O $(OBJDIR)$Paes_small_ctrcbc$O $(OBJDIR)$Paes_small_dec$O $(OBJDIR)$Paes_small_enc$O $(OBJDIR)$Paes_x86ni$O $(OBJDIR)$Paes_x86ni_cbcdec$O $(OBJDIR)$Paes_x86ni_cbcenc$O $(OBJDIR)$Paes_x86ni_ctr$O $(OBJDIR)$Paes_x86ni_ctrcbc$O $(OBJDIR)$Pchacha20_ct$O $(OBJDIR)$Pchacha20_sse2$O $(OBJDIR)$Pdes_ct$O $(OBJDIR)$Pdes_ct_cbcdec$O $(OBJDIR)$Pdes_ct_cbcenc$O $(OBJDIR)$Pdes_support$O $(OBJDIR)$Pdes_tab$O $(OBJDIR)$Pdes_tab_cbcdec$O $(OBJDIR)$Pdes_tab_cbcenc$O $(OBJDIR)$Ppoly1305_ctmul$O $(OBJDIR)$Ppoly1305_ctmul32$O $(OBJDIR)$Ppoly1305_ctmulq$O $(OBJDIR)$Ppoly1305_i15$O $(OBJDIR)$Pskey_decoder$O $(OBJDIR)$Px509_decoder$O $(OBJDIR)$Px509_knownkey$O $(OBJDIR)$Px509_minimal$O $(OBJDIR)$Px509_minimal_full$O OBJBRSSL = $(OBJDIR)$Pbrssl$O $(OBJDIR)$Pcerts$O $(OBJDIR)$Pchain$O $(OBJDIR)$Pclient$O $(OBJDIR)$Perrors$O $(OBJDIR)$Pfiles$O $(OBJDIR)$Pimpl$O $(OBJDIR)$Pkeys$O $(OBJDIR)$Pnames$O $(OBJDIR)$Pserver$O $(OBJDIR)$Pskey$O $(OBJDIR)$Psslio$O $(OBJDIR)$Pta$O $(OBJDIR)$Ptwrch$O $(OBJDIR)$Pvector$O $(OBJDIR)$Pverify$O $(OBJDIR)$Pxmem$O OBJTESTCRYPTO = $(OBJDIR)$Ptest_crypto$O OBJTESTSPEED = $(OBJDIR)$Ptest_speed$O @@ -64,6 +64,12 @@ $(TESTX509): $(BEARSSLLIB) $(OBJTESTX509) $(OBJDIR)$Psettings$O: src$Psettings.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Psettings$O src$Psettings.c +$(OBJDIR)$Pccm$O: src$Paead$Pccm.c $(HEADERSPRIV) + $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Pccm$O src$Paead$Pccm.c + +$(OBJDIR)$Peax$O: src$Paead$Peax.c $(HEADERSPRIV) + $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Peax$O src$Paead$Peax.c + $(OBJDIR)$Pgcm$O: src$Paead$Pgcm.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Pgcm$O src$Paead$Pgcm.c @@ -607,6 +613,9 @@ $(OBJDIR)$Paes_big_cbcenc$O: src$Psymcipher$Paes_big_cbcenc.c $(HEADERSPRIV) $(OBJDIR)$Paes_big_ctr$O: src$Psymcipher$Paes_big_ctr.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_big_ctr$O src$Psymcipher$Paes_big_ctr.c +$(OBJDIR)$Paes_big_ctrcbc$O: src$Psymcipher$Paes_big_ctrcbc.c $(HEADERSPRIV) + $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_big_ctrcbc$O src$Psymcipher$Paes_big_ctrcbc.c + $(OBJDIR)$Paes_big_dec$O: src$Psymcipher$Paes_big_dec.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_big_dec$O src$Psymcipher$Paes_big_dec.c @@ -631,6 +640,9 @@ $(OBJDIR)$Paes_ct64_cbcenc$O: src$Psymcipher$Paes_ct64_cbcenc.c $(HEADERSPRIV) $(OBJDIR)$Paes_ct64_ctr$O: src$Psymcipher$Paes_ct64_ctr.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_ct64_ctr$O src$Psymcipher$Paes_ct64_ctr.c +$(OBJDIR)$Paes_ct64_ctrcbc$O: src$Psymcipher$Paes_ct64_ctrcbc.c $(HEADERSPRIV) + $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_ct64_ctrcbc$O src$Psymcipher$Paes_ct64_ctrcbc.c + $(OBJDIR)$Paes_ct64_dec$O: src$Psymcipher$Paes_ct64_dec.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_ct64_dec$O src$Psymcipher$Paes_ct64_dec.c @@ -646,6 +658,9 @@ $(OBJDIR)$Paes_ct_cbcenc$O: src$Psymcipher$Paes_ct_cbcenc.c $(HEADERSPRIV) $(OBJDIR)$Paes_ct_ctr$O: src$Psymcipher$Paes_ct_ctr.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_ct_ctr$O src$Psymcipher$Paes_ct_ctr.c +$(OBJDIR)$Paes_ct_ctrcbc$O: src$Psymcipher$Paes_ct_ctrcbc.c $(HEADERSPRIV) + $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_ct_ctrcbc$O src$Psymcipher$Paes_ct_ctrcbc.c + $(OBJDIR)$Paes_ct_dec$O: src$Psymcipher$Paes_ct_dec.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_ct_dec$O src$Psymcipher$Paes_ct_dec.c @@ -673,6 +688,9 @@ $(OBJDIR)$Paes_small_cbcenc$O: src$Psymcipher$Paes_small_cbcenc.c $(HEADERSPRIV) $(OBJDIR)$Paes_small_ctr$O: src$Psymcipher$Paes_small_ctr.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_small_ctr$O src$Psymcipher$Paes_small_ctr.c +$(OBJDIR)$Paes_small_ctrcbc$O: src$Psymcipher$Paes_small_ctrcbc.c $(HEADERSPRIV) + $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_small_ctrcbc$O src$Psymcipher$Paes_small_ctrcbc.c + $(OBJDIR)$Paes_small_dec$O: src$Psymcipher$Paes_small_dec.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_small_dec$O src$Psymcipher$Paes_small_dec.c @@ -691,6 +709,9 @@ $(OBJDIR)$Paes_x86ni_cbcenc$O: src$Psymcipher$Paes_x86ni_cbcenc.c $(HEADERSPRIV) $(OBJDIR)$Paes_x86ni_ctr$O: src$Psymcipher$Paes_x86ni_ctr.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_x86ni_ctr$O src$Psymcipher$Paes_x86ni_ctr.c +$(OBJDIR)$Paes_x86ni_ctrcbc$O: src$Psymcipher$Paes_x86ni_ctrcbc.c $(HEADERSPRIV) + $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Paes_x86ni_ctrcbc$O src$Psymcipher$Paes_x86ni_ctrcbc.c + $(OBJDIR)$Pchacha20_ct$O: src$Psymcipher$Pchacha20_ct.c $(HEADERSPRIV) $(CC) $(CFLAGS) $(INCFLAGS) $(CCOUT)$(OBJDIR)$Pchacha20_ct$O src$Psymcipher$Pchacha20_ct.c diff --git a/mk/mkrules.sh b/mk/mkrules.sh index 44f787e..2fd1f0f 100755 --- a/mk/mkrules.sh +++ b/mk/mkrules.sh @@ -50,6 +50,8 @@ set -e # Source files. Please keep in alphabetical order. coresrc=" \ src/settings.c \ + src/aead/ccm.c \ + src/aead/eax.c \ src/aead/gcm.c \ src/codec/ccopy.c \ src/codec/dec16be.c \ @@ -231,6 +233,7 @@ coresrc=" \ src/symcipher/aes_big_cbcdec.c \ src/symcipher/aes_big_cbcenc.c \ src/symcipher/aes_big_ctr.c \ + src/symcipher/aes_big_ctrcbc.c \ src/symcipher/aes_big_dec.c \ src/symcipher/aes_big_enc.c \ src/symcipher/aes_common.c \ @@ -239,11 +242,13 @@ coresrc=" \ src/symcipher/aes_ct64_cbcdec.c \ src/symcipher/aes_ct64_cbcenc.c \ src/symcipher/aes_ct64_ctr.c \ + src/symcipher/aes_ct64_ctrcbc.c \ src/symcipher/aes_ct64_dec.c \ src/symcipher/aes_ct64_enc.c \ src/symcipher/aes_ct_cbcdec.c \ src/symcipher/aes_ct_cbcenc.c \ src/symcipher/aes_ct_ctr.c \ + src/symcipher/aes_ct_ctrcbc.c \ src/symcipher/aes_ct_dec.c \ src/symcipher/aes_ct_enc.c \ src/symcipher/aes_pwr8.c \ @@ -253,12 +258,14 @@ coresrc=" \ src/symcipher/aes_small_cbcdec.c \ src/symcipher/aes_small_cbcenc.c \ src/symcipher/aes_small_ctr.c \ + src/symcipher/aes_small_ctrcbc.c \ src/symcipher/aes_small_dec.c \ src/symcipher/aes_small_enc.c \ src/symcipher/aes_x86ni.c \ src/symcipher/aes_x86ni_cbcdec.c \ src/symcipher/aes_x86ni_cbcenc.c \ src/symcipher/aes_x86ni_ctr.c \ + src/symcipher/aes_x86ni_ctrcbc.c \ src/symcipher/chacha20_ct.c \ src/symcipher/chacha20_sse2.c \ src/symcipher/des_ct.c \ diff --git a/src/aead/ccm.c b/src/aead/ccm.c new file mode 100644 index 0000000..68cc913 --- /dev/null +++ b/src/aead/ccm.c @@ -0,0 +1,346 @@ +/* + * Copyright (c) 2017 Thomas Pornin + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "inner.h" + +/* + * Implementation Notes + * ==================== + * + * The combined CTR + CBC-MAC functions can only handle full blocks, + * so some buffering is necessary. + * + * - 'ptr' contains a value from 0 to 15, which is the number of bytes + * accumulated in buf[] that still needs to be processed with the + * current CBC-MAC computation. + * + * - When processing the message itself, CTR encryption/decryption is + * also done at the same time. The first 'ptr' bytes of buf[] then + * contains the plaintext bytes, while the last '16 - ptr' bytes of + * buf[] are the remnants of the stream block, to be used against + * the next input bytes, when available. When 'ptr' is 0, the + * contents of buf[] are to be ignored. + * + * - The current counter and running CBC-MAC values are kept in 'ctr' + * and 'cbcmac', respectively. + */ + +/* see bearssl_block.h */ +void +br_ccm_init(br_ccm_context *ctx, const br_block_ctrcbc_class **bctx) +{ + ctx->bctx = bctx; +} + +/* see bearssl_block.h */ +int +br_ccm_reset(br_ccm_context *ctx, const void *nonce, size_t nonce_len, + uint64_t aad_len, uint64_t data_len, size_t tag_len) +{ + unsigned char tmp[16]; + unsigned u, q; + + if (nonce_len < 7 || nonce_len > 13) { + return 0; + } + if (tag_len < 4 || tag_len > 16 || (tag_len & 1) != 0) { + return 0; + } + q = 15 - (unsigned)nonce_len; + ctx->tag_len = tag_len; + + /* + * Block B0, to start CBC-MAC. + */ + tmp[0] = (aad_len > 0 ? 0x40 : 0x00) + | (((unsigned)tag_len - 2) << 2) + | (q - 1); + memcpy(tmp + 1, nonce, nonce_len); + for (u = 0; u < q; u ++) { + tmp[15 - u] = (unsigned char)data_len; + data_len >>= 8; + } + if (data_len != 0) { + /* + * If the data length was not entirely consumed in the + * loop above, then it exceeds the maximum limit of + * q bytes (when encoded). + */ + return 0; + } + + /* + * Start CBC-MAC. + */ + memset(ctx->cbcmac, 0, sizeof ctx->cbcmac); + (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, tmp, sizeof tmp); + + /* + * Assemble AAD length header. + */ + if ((aad_len >> 32) != 0) { + ctx->buf[0] = 0xFF; + ctx->buf[1] = 0xFF; + br_enc64be(ctx->buf + 2, aad_len); + ctx->ptr = 10; + } else if (aad_len >= 0xFF00) { + ctx->buf[0] = 0xFF; + ctx->buf[1] = 0xFE; + br_enc32be(ctx->buf + 2, (uint32_t)aad_len); + ctx->ptr = 6; + } else if (aad_len > 0) { + br_enc16be(ctx->buf, (unsigned)aad_len); + ctx->ptr = 2; + } else { + ctx->ptr = 0; + } + + /* + * Make initial counter value and compute tag mask. + */ + ctx->ctr[0] = q - 1; + memcpy(ctx->ctr + 1, nonce, nonce_len); + memset(ctx->ctr + 1 + nonce_len, 0, q); + memset(ctx->tagmask, 0, sizeof ctx->tagmask); + (*ctx->bctx)->ctr(ctx->bctx, ctx->ctr, + ctx->tagmask, sizeof ctx->tagmask); + + return 1; +} + +/* see bearssl_block.h */ +void +br_ccm_aad_inject(br_ccm_context *ctx, const void *data, size_t len) +{ + const unsigned char *dbuf; + size_t ptr; + + dbuf = data; + + /* + * Complete partial block, if needed. + */ + ptr = ctx->ptr; + if (ptr != 0) { + size_t clen; + + clen = (sizeof ctx->buf) - ptr; + if (clen > len) { + memcpy(ctx->buf + ptr, dbuf, len); + ctx->ptr = ptr + len; + return; + } + memcpy(ctx->buf + ptr, dbuf, clen); + dbuf += clen; + len -= clen; + (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, + ctx->buf, sizeof ctx->buf); + } + + /* + * Process complete blocks. + */ + ptr = len & 15; + len -= ptr; + (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, dbuf, len); + dbuf += len; + + /* + * Copy last partial block in the context buffer. + */ + memcpy(ctx->buf, dbuf, ptr); + ctx->ptr = ptr; +} + +/* see bearssl_block.h */ +void +br_ccm_flip(br_ccm_context *ctx) +{ + size_t ptr; + + /* + * Complete AAD partial block with zeros, if necessary. + */ + ptr = ctx->ptr; + if (ptr != 0) { + memset(ctx->buf + ptr, 0, (sizeof ctx->buf) - ptr); + (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, + ctx->buf, sizeof ctx->buf); + ctx->ptr = 0; + } + + /* + * Counter was already set by br_ccm_reset(). + */ +} + +/* see bearssl_block.h */ +void +br_ccm_run(br_ccm_context *ctx, int encrypt, void *data, size_t len) +{ + unsigned char *dbuf; + size_t ptr; + + dbuf = data; + + /* + * Complete a partial block, if any: ctx->buf[] contains + * ctx->ptr plaintext bytes (already reported), and the other + * bytes are CTR stream output. + */ + ptr = ctx->ptr; + if (ptr != 0) { + size_t clen; + size_t u; + + clen = (sizeof ctx->buf) - ptr; + if (clen > len) { + clen = len; + } + if (encrypt) { + for (u = 0; u < clen; u ++) { + unsigned w, x; + + w = ctx->buf[ptr + u]; + x = dbuf[u]; + ctx->buf[ptr + u] = x; + dbuf[u] = w ^ x; + } + } else { + for (u = 0; u < clen; u ++) { + unsigned w; + + w = ctx->buf[ptr + u] ^ dbuf[u]; + dbuf[u] = w; + ctx->buf[ptr + u] = w; + } + } + dbuf += clen; + len -= clen; + ptr += clen; + if (ptr < sizeof ctx->buf) { + ctx->ptr = ptr; + return; + } + (*ctx->bctx)->mac(ctx->bctx, + ctx->cbcmac, ctx->buf, sizeof ctx->buf); + } + + /* + * Process all complete blocks. Note that the ctrcbc API is for + * encrypt-then-MAC (CBC-MAC is computed over the encrypted + * blocks) while CCM uses MAC-and-encrypt (CBC-MAC is computed + * over the plaintext blocks). Therefore, we need to use the + * _decryption_ function for encryption, and the encryption + * function for decryption (this works because CTR encryption + * and decryption are identical, so the choice really is about + * computing the CBC-MAC before or after XORing with the CTR + * stream). + */ + ptr = len & 15; + len -= ptr; + if (encrypt) { + (*ctx->bctx)->decrypt(ctx->bctx, ctx->ctr, ctx->cbcmac, + dbuf, len); + } else { + (*ctx->bctx)->encrypt(ctx->bctx, ctx->ctr, ctx->cbcmac, + dbuf, len); + } + dbuf += len; + + /* + * If there is some remaining data, then we need to compute an + * extra block of CTR stream. + */ + if (ptr != 0) { + size_t u; + + memset(ctx->buf, 0, sizeof ctx->buf); + (*ctx->bctx)->ctr(ctx->bctx, ctx->ctr, + ctx->buf, sizeof ctx->buf); + if (encrypt) { + for (u = 0; u < ptr; u ++) { + unsigned w, x; + + w = ctx->buf[u]; + x = dbuf[u]; + ctx->buf[u] = x; + dbuf[u] = w ^ x; + } + } else { + for (u = 0; u < ptr; u ++) { + unsigned w; + + w = ctx->buf[u] ^ dbuf[u]; + dbuf[u] = w; + ctx->buf[u] = w; + } + } + } + ctx->ptr = ptr; +} + +/* see bearssl_block.h */ +size_t +br_ccm_get_tag(br_ccm_context *ctx, void *tag) +{ + size_t ptr; + size_t u; + + /* + * If there is some buffered data, then we need to pad it with + * zeros and finish up CBC-MAC. + */ + ptr = ctx->ptr; + if (ptr != 0) { + memset(ctx->buf + ptr, 0, (sizeof ctx->buf) - ptr); + (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, + ctx->buf, sizeof ctx->buf); + } + + /* + * XOR the tag mask into the CBC-MAC output. + */ + for (u = 0; u < ctx->tag_len; u ++) { + ctx->cbcmac[u] ^= ctx->tagmask[u]; + } + memcpy(tag, ctx->cbcmac, ctx->tag_len); + return ctx->tag_len; +} + +/* see bearssl_block.h */ +uint32_t +br_ccm_check_tag(br_ccm_context *ctx, const void *tag) +{ + unsigned char tmp[16]; + size_t u, tag_len; + uint32_t z; + + tag_len = br_ccm_get_tag(ctx, tmp); + z = 0; + for (u = 0; u < tag_len; u ++) { + z |= tmp[u] ^ ((const unsigned char *)tag)[u]; + } + return EQ0(z); +} diff --git a/src/aead/eax.c b/src/aead/eax.c new file mode 100644 index 0000000..07b1cb9 --- /dev/null +++ b/src/aead/eax.c @@ -0,0 +1,413 @@ +/* + * Copyright (c) 2017 Thomas Pornin + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "inner.h" + +/* + * Implementation Notes + * ==================== + * + * The combined CTR + CBC-MAC functions can only handle full blocks, + * so some buffering is necessary. Moreover, EAX has a special padding + * rule for CBC-MAC, which implies that we cannot compute the MAC over + * the last received full block until we know whether we are at the + * end of the data or not. + * + * - 'ptr' contains a value from 1 to 16, which is the number of bytes + * accumulated in buf[] that still needs to be processed with the + * current OMAC computation. Beware that this can go to 16: a + * complete block cannot be processed until it is known whether it + * is the last block or not. However, it can never be 0, because + * OMAC^t works on an input that is at least one-block long. + * + * - When processing the message itself, CTR encryption/decryption is + * also done at the same time. The first 'ptr' bytes of buf[] then + * contains the encrypted bytes, while the last '16 - ptr' bytes of + * buf[] are the remnants of the stream block, to be used against + * the next input bytes, when available. + * + * - The current counter and running CBC-MAC values are kept in 'ctr' + * and 'cbcmac', respectively. + * + * - The derived keys for padding are kept in L2 and L4 (double and + * quadruple of Enc_K(0^n), in GF(2^128), respectively). + */ + +/* + * Start an OMAC computation; the first block is the big-endian + * representation of the provided value ('val' must fit on one byte). + * We make it a delayed block because it may also be the last one, + */ +static void +omac_start(br_eax_context *ctx, unsigned val) +{ + memset(ctx->cbcmac, 0, sizeof ctx->cbcmac); + memset(ctx->buf, 0, sizeof ctx->buf); + ctx->buf[15] = val; + ctx->ptr = 16; +} + +/* + * Double a value in finite field GF(2^128), defined with modulus + * X^128+X^7+X^2+X+1. + */ +static void +double_gf128(unsigned char *dst, const unsigned char *src) +{ + unsigned cc; + int i; + + cc = 0x87 & -((unsigned)src[0] >> 7); + for (i = 15; i >= 0; i --) { + unsigned z; + + z = (src[i] << 1) ^ cc; + cc = z >> 8; + dst[i] = (unsigned char)z; + } +} + +/* + * Apply padding to the last block, currently in ctx->buf (with + * ctx->ptr bytes), and finalize OMAC computation. + */ +static void +do_pad(br_eax_context *ctx) +{ + unsigned char *pad; + size_t ptr, u; + + ptr = ctx->ptr; + if (ptr == 16) { + pad = ctx->L2; + } else { + ctx->buf[ptr ++] = 0x80; + memset(ctx->buf + ptr, 0x00, 16 - ptr); + pad = ctx->L4; + } + for (u = 0; u < sizeof ctx->buf; u ++) { + ctx->buf[u] ^= pad[u]; + } + (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, ctx->buf, sizeof ctx->buf); +} + +/* + * Apply CBC-MAC on the provided data, with buffering management. This + * function assumes that on input, ctx->buf contains a full block of + * unprocessed data. + */ +static void +do_cbcmac_chunk(br_eax_context *ctx, const void *data, size_t len) +{ + size_t ptr; + + if (len == 0) { + return; + } + ptr = len & (size_t)15; + if (ptr == 0) { + len -= 16; + ptr = 16; + } else { + len -= ptr; + } + (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, ctx->buf, sizeof ctx->buf); + (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, data, len); + memcpy(ctx->buf, (const unsigned char *)data + len, ptr); + ctx->ptr = ptr; +} + +/* see bearssl_aead.h */ +void +br_eax_init(br_eax_context *ctx, const br_block_ctrcbc_class **bctx) +{ + unsigned char tmp[16], iv[16]; + + ctx->vtable = &br_eax_vtable; + ctx->bctx = bctx; + + /* + * Encrypt a whole-zero block to compute L2 and L4. + */ + memset(tmp, 0, sizeof tmp); + memset(iv, 0, sizeof iv); + (*bctx)->ctr(bctx, iv, tmp, sizeof tmp); + double_gf128(ctx->L2, tmp); + double_gf128(ctx->L4, ctx->L2); +} + +/* see bearssl_aead.h */ +void +br_eax_reset(br_eax_context *ctx, const void *nonce, size_t len) +{ + /* + * Process nonce with OMAC^0. + */ + omac_start(ctx, 0); + do_cbcmac_chunk(ctx, nonce, len); + do_pad(ctx); + memcpy(ctx->nonce, ctx->cbcmac, sizeof ctx->cbcmac); + + /* + * Start OMAC^1 for the AAD ("header" in the EAX specification). + */ + omac_start(ctx, 1); +} + +/* see bearssl_aead.h */ +void +br_eax_aad_inject(br_eax_context *ctx, const void *data, size_t len) +{ + size_t ptr; + + ptr = ctx->ptr; + + /* + * If there is a partial block, first complete it. + */ + if (ptr < 16) { + size_t clen; + + clen = 16 - ptr; + if (len <= clen) { + memcpy(ctx->buf + ptr, data, len); + ctx->ptr = ptr + len; + return; + } + memcpy(ctx->buf + ptr, data, clen); + data = (const unsigned char *)data + clen; + len -= clen; + } + + /* + * We now have a full block in buf[], and this is not the last + * block. + */ + do_cbcmac_chunk(ctx, data, len); +} + +/* see bearssl_aead.h */ +void +br_eax_flip(br_eax_context *ctx) +{ + /* + * Complete the OMAC computation on the AAD. + */ + do_pad(ctx); + memcpy(ctx->head, ctx->cbcmac, sizeof ctx->cbcmac); + + /* + * Start OMAC^2 for the encrypted data. + */ + omac_start(ctx, 2); + + /* + * Initial counter value for CTR is the processed nonce. + */ + memcpy(ctx->ctr, ctx->nonce, sizeof ctx->nonce); +} + +/* see bearssl_aead.h */ +void +br_eax_run(br_eax_context *ctx, int encrypt, void *data, size_t len) +{ + unsigned char *dbuf; + size_t ptr; + + /* + * Ensure that there is actual data to process. + */ + if (len == 0) { + return; + } + + dbuf = data; + ptr = ctx->ptr; + + if (ptr != 16) { + /* + * We have a partially consumed block. + */ + size_t u, clen; + + clen = 16 - ptr; + if (len <= clen) { + clen = len; + } + if (encrypt) { + for (u = 0; u < clen; u ++) { + ctx->buf[ptr + u] ^= dbuf[u]; + } + memcpy(dbuf, ctx->buf + ptr, clen); + } else { + for (u = 0; u < clen; u ++) { + unsigned dx, sx; + + sx = ctx->buf[ptr + u]; + dx = dbuf[u]; + ctx->buf[ptr + u] = dx; + dbuf[u] = sx ^ dx; + } + } + + if (len <= clen) { + ctx->ptr = ptr + clen; + return; + } + dbuf += clen; + len -= clen; + } + + /* + * We now have a complete encrypted block in buf[] that must still + * be processed with OMAC, and this is not the final buf. + */ + (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, ctx->buf, sizeof ctx->buf); + + /* + * Do CTR encryption or decryption and CBC-MAC for all full blocks + * except the last. + */ + ptr = len & (size_t)15; + if (ptr == 0) { + len -= 16; + ptr = 16; + } else { + len -= ptr; + } + if (encrypt) { + (*ctx->bctx)->encrypt(ctx->bctx, ctx->ctr, ctx->cbcmac, + dbuf, len); + } else { + (*ctx->bctx)->decrypt(ctx->bctx, ctx->ctr, ctx->cbcmac, + dbuf, len); + } + dbuf += len; + + /* + * Compute next block of CTR stream, and use it to finish + * encrypting or decrypting the data. + */ + memset(ctx->buf, 0, sizeof ctx->buf); + (*ctx->bctx)->ctr(ctx->bctx, ctx->ctr, ctx->buf, sizeof ctx->buf); + if (encrypt) { + size_t u; + + for (u = 0; u < ptr; u ++) { + ctx->buf[u] ^= dbuf[u]; + } + memcpy(dbuf, ctx->buf, ptr); + } else { + size_t u; + + for (u = 0; u < ptr; u ++) { + unsigned dx, sx; + + sx = ctx->buf[u]; + dx = dbuf[u]; + ctx->buf[u] = dx; + dbuf[u] = sx ^ dx; + } + } + ctx->ptr = ptr; +} + +/* + * Complete tag computation. The final tag is written in ctx->cbcmac. + */ +static void +do_final(br_eax_context *ctx) +{ + size_t u; + + do_pad(ctx); + + /* + * Authentication tag is the XOR of the three OMAC outputs for + * the nonce, AAD and encrypted data. + */ + for (u = 0; u < 16; u ++) { + ctx->cbcmac[u] ^= ctx->nonce[u] ^ ctx->head[u]; + } +} + +/* see bearssl_aead.h */ +void +br_eax_get_tag(br_eax_context *ctx, void *tag) +{ + do_final(ctx); + memcpy(tag, ctx->cbcmac, sizeof ctx->cbcmac); +} + +/* see bearssl_aead.h */ +void +br_eax_get_tag_trunc(br_eax_context *ctx, void *tag, size_t len) +{ + do_final(ctx); + memcpy(tag, ctx->cbcmac, len); +} + +/* see bearssl_aead.h */ +uint32_t +br_eax_check_tag_trunc(br_eax_context *ctx, const void *tag, size_t len) +{ + unsigned char tmp[16]; + size_t u; + int x; + + br_eax_get_tag(ctx, tmp); + x = 0; + for (u = 0; u < len; u ++) { + x |= tmp[u] ^ ((const unsigned char *)tag)[u]; + } + return EQ0(x); +} + +/* see bearssl_aead.h */ +uint32_t +br_eax_check_tag(br_eax_context *ctx, const void *tag) +{ + return br_eax_check_tag_trunc(ctx, tag, 16); +} + +/* see bearssl_aead.h */ +const br_aead_class br_eax_vtable = { + 16, + (void (*)(const br_aead_class **, const void *, size_t)) + &br_eax_reset, + (void (*)(const br_aead_class **, const void *, size_t)) + &br_eax_aad_inject, + (void (*)(const br_aead_class **)) + &br_eax_flip, + (void (*)(const br_aead_class **, int, void *, size_t)) + &br_eax_run, + (void (*)(const br_aead_class **, void *)) + &br_eax_get_tag, + (uint32_t (*)(const br_aead_class **, const void *)) + &br_eax_check_tag, + (void (*)(const br_aead_class **, void *, size_t)) + &br_eax_get_tag_trunc, + (uint32_t (*)(const br_aead_class **, const void *, size_t)) + &br_eax_check_tag_trunc +}; diff --git a/src/aead/gcm.c b/src/aead/gcm.c index 9cf0f38..ede5f08 100644 --- a/src/aead/gcm.c +++ b/src/aead/gcm.c @@ -56,6 +56,7 @@ br_gcm_init(br_gcm_context *ctx, const br_block_ctr_class **bctx, br_ghash gh) { unsigned char iv[12]; + ctx->vtable = &br_gcm_vtable; ctx->bctx = bctx; ctx->gh = gh; @@ -262,9 +263,19 @@ br_gcm_get_tag(br_gcm_context *ctx, void *tag) (*ctx->bctx)->run(ctx->bctx, ctx->j0_1, ctx->j0_2, tag, 16); } +/* see bearssl_aead.h */ +void +br_gcm_get_tag_trunc(br_gcm_context *ctx, void *tag, size_t len) +{ + unsigned char tmp[16]; + + br_gcm_get_tag(ctx, tmp); + memcpy(tag, tmp, len); +} + /* see bearssl_aead.h */ uint32_t -br_gcm_check_tag(br_gcm_context *ctx, const void *tag) +br_gcm_check_tag_trunc(br_gcm_context *ctx, const void *tag, size_t len) { unsigned char tmp[16]; size_t u; @@ -272,12 +283,19 @@ br_gcm_check_tag(br_gcm_context *ctx, const void *tag) br_gcm_get_tag(ctx, tmp); x = 0; - for (u = 0; u < sizeof tmp; u ++) { + for (u = 0; u < len; u ++) { x |= tmp[u] ^ ((const unsigned char *)tag)[u]; } return EQ0(x); } +/* see bearssl_aead.h */ +uint32_t +br_gcm_check_tag(br_gcm_context *ctx, const void *tag) +{ + return br_gcm_check_tag_trunc(ctx, tag, 16); +} + /* see bearssl_aead.h */ const br_aead_class br_gcm_vtable = { 16, @@ -292,5 +310,9 @@ const br_aead_class br_gcm_vtable = { (void (*)(const br_aead_class **, void *)) &br_gcm_get_tag, (uint32_t (*)(const br_aead_class **, const void *)) - &br_gcm_check_tag + &br_gcm_check_tag, + (void (*)(const br_aead_class **, void *, size_t)) + &br_gcm_get_tag_trunc, + (uint32_t (*)(const br_aead_class **, const void *, size_t)) + &br_gcm_check_tag_trunc }; diff --git a/src/symcipher/aes_big_ctrcbc.c b/src/symcipher/aes_big_ctrcbc.c new file mode 100644 index 0000000..d45ca76 --- /dev/null +++ b/src/symcipher/aes_big_ctrcbc.c @@ -0,0 +1,142 @@ +/* + * Copyright (c) 2017 Thomas Pornin + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "inner.h" + +/* see bearssl_block.h */ +void +br_aes_big_ctrcbc_init(br_aes_big_ctrcbc_keys *ctx, + const void *key, size_t len) +{ + ctx->vtable = &br_aes_big_ctrcbc_vtable; + ctx->num_rounds = br_aes_keysched(ctx->skey, key, len); +} + +static void +xorbuf(void *dst, const void *src, size_t len) +{ + unsigned char *d; + const unsigned char *s; + + d = dst; + s = src; + while (len -- > 0) { + *d ++ ^= *s ++; + } +} + +/* see bearssl_block.h */ +void +br_aes_big_ctrcbc_ctr(const br_aes_big_ctrcbc_keys *ctx, + void *ctr, void *data, size_t len) +{ + unsigned char *buf, *bctr; + uint32_t cc0, cc1, cc2, cc3; + + buf = data; + bctr = ctr; + cc3 = br_dec32be(bctr + 0); + cc2 = br_dec32be(bctr + 4); + cc1 = br_dec32be(bctr + 8); + cc0 = br_dec32be(bctr + 12); + while (len > 0) { + unsigned char tmp[16]; + uint32_t carry; + + br_enc32be(tmp + 0, cc3); + br_enc32be(tmp + 4, cc2); + br_enc32be(tmp + 8, cc1); + br_enc32be(tmp + 12, cc0); + br_aes_big_encrypt(ctx->num_rounds, ctx->skey, tmp); + xorbuf(buf, tmp, 16); + buf += 16; + len -= 16; + cc0 ++; + carry = (~(cc0 | -cc0)) >> 31; + cc1 += carry; + carry &= (~(cc1 | -cc1)) >> 31; + cc2 += carry; + carry &= (~(cc2 | -cc2)) >> 31; + cc3 += carry; + } + br_enc32be(bctr + 0, cc3); + br_enc32be(bctr + 4, cc2); + br_enc32be(bctr + 8, cc1); + br_enc32be(bctr + 12, cc0); +} + +/* see bearssl_block.h */ +void +br_aes_big_ctrcbc_mac(const br_aes_big_ctrcbc_keys *ctx, + void *cbcmac, const void *data, size_t len) +{ + const unsigned char *buf; + + buf = data; + while (len > 0) { + xorbuf(cbcmac, buf, 16); + br_aes_big_encrypt(ctx->num_rounds, ctx->skey, cbcmac); + buf += 16; + len -= 16; + } +} + +/* see bearssl_block.h */ +void +br_aes_big_ctrcbc_encrypt(const br_aes_big_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len) +{ + br_aes_big_ctrcbc_ctr(ctx, ctr, data, len); + br_aes_big_ctrcbc_mac(ctx, cbcmac, data, len); +} + +/* see bearssl_block.h */ +void +br_aes_big_ctrcbc_decrypt(const br_aes_big_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len) +{ + br_aes_big_ctrcbc_mac(ctx, cbcmac, data, len); + br_aes_big_ctrcbc_ctr(ctx, ctr, data, len); +} + +/* see bearssl_block.h */ +const br_block_ctrcbc_class br_aes_big_ctrcbc_vtable = { + sizeof(br_aes_big_ctrcbc_keys), + 16, + 4, + (void (*)(const br_block_ctrcbc_class **, const void *, size_t)) + &br_aes_big_ctrcbc_init, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, void *, size_t)) + &br_aes_big_ctrcbc_encrypt, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, void *, size_t)) + &br_aes_big_ctrcbc_decrypt, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, size_t)) + &br_aes_big_ctrcbc_ctr, + (void (*)(const br_block_ctrcbc_class *const *, + void *, const void *, size_t)) + &br_aes_big_ctrcbc_mac +}; diff --git a/src/symcipher/aes_ct64_ctrcbc.c b/src/symcipher/aes_ct64_ctrcbc.c new file mode 100644 index 0000000..21bb8ef --- /dev/null +++ b/src/symcipher/aes_ct64_ctrcbc.c @@ -0,0 +1,433 @@ +/* + * Copyright (c) 2017 Thomas Pornin + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "inner.h" + +/* see bearssl_block.h */ +void +br_aes_ct64_ctrcbc_init(br_aes_ct64_ctrcbc_keys *ctx, + const void *key, size_t len) +{ + ctx->vtable = &br_aes_ct64_ctrcbc_vtable; + ctx->num_rounds = br_aes_ct64_keysched(ctx->skey, key, len); +} + +static void +xorbuf(void *dst, const void *src, size_t len) +{ + unsigned char *d; + const unsigned char *s; + + d = dst; + s = src; + while (len -- > 0) { + *d ++ ^= *s ++; + } +} + +/* see bearssl_block.h */ +void +br_aes_ct64_ctrcbc_ctr(const br_aes_ct64_ctrcbc_keys *ctx, + void *ctr, void *data, size_t len) +{ + unsigned char *buf; + unsigned char *ivbuf; + uint32_t iv0, iv1, iv2, iv3; + uint64_t sk_exp[120]; + + br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey); + + /* + * We keep the counter as four 32-bit values, with big-endian + * convention, because that's what is expected for purposes of + * incrementing the counter value. + */ + ivbuf = ctr; + iv0 = br_dec32be(ivbuf + 0); + iv1 = br_dec32be(ivbuf + 4); + iv2 = br_dec32be(ivbuf + 8); + iv3 = br_dec32be(ivbuf + 12); + + buf = data; + while (len > 0) { + uint64_t q[8]; + uint32_t w[16]; + unsigned char tmp[64]; + int i, j; + + /* + * The bitslice implementation expects values in + * little-endian convention, so we have to byteswap them. + */ + j = (len >= 64) ? 16 : (int)(len >> 2); + for (i = 0; i < j; i += 4) { + uint32_t carry; + + w[i + 0] = br_swap32(iv0); + w[i + 1] = br_swap32(iv1); + w[i + 2] = br_swap32(iv2); + w[i + 3] = br_swap32(iv3); + iv3 ++; + carry = ~(iv3 | -iv3) >> 31; + iv2 += carry; + carry &= -(~(iv2 | -iv2) >> 31); + iv1 += carry; + carry &= -(~(iv1 | -iv1) >> 31); + iv0 += carry; + } + memset(w + i, 0, (16 - i) * sizeof(uint32_t)); + + for (i = 0; i < 4; i ++) { + br_aes_ct64_interleave_in( + &q[i], &q[i + 4], w + (i << 2)); + } + br_aes_ct64_ortho(q); + br_aes_ct64_bitslice_encrypt(ctx->num_rounds, sk_exp, q); + br_aes_ct64_ortho(q); + for (i = 0; i < 4; i ++) { + br_aes_ct64_interleave_out( + w + (i << 2), q[i], q[i + 4]); + } + + br_range_enc32le(tmp, w, 16); + if (len <= 64) { + xorbuf(buf, tmp, len); + break; + } + xorbuf(buf, tmp, 64); + buf += 64; + len -= 64; + } + br_enc32be(ivbuf + 0, iv0); + br_enc32be(ivbuf + 4, iv1); + br_enc32be(ivbuf + 8, iv2); + br_enc32be(ivbuf + 12, iv3); +} + +/* see bearssl_block.h */ +void +br_aes_ct64_ctrcbc_mac(const br_aes_ct64_ctrcbc_keys *ctx, + void *cbcmac, const void *data, size_t len) +{ + const unsigned char *buf; + uint32_t cm0, cm1, cm2, cm3; + uint64_t q[8]; + uint64_t sk_exp[120]; + + br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey); + + cm0 = br_dec32le((unsigned char *)cbcmac + 0); + cm1 = br_dec32le((unsigned char *)cbcmac + 4); + cm2 = br_dec32le((unsigned char *)cbcmac + 8); + cm3 = br_dec32le((unsigned char *)cbcmac + 12); + + buf = data; + memset(q, 0, sizeof q); + while (len > 0) { + uint32_t w[4]; + + w[0] = cm0 ^ br_dec32le(buf + 0); + w[1] = cm1 ^ br_dec32le(buf + 4); + w[2] = cm2 ^ br_dec32le(buf + 8); + w[3] = cm3 ^ br_dec32le(buf + 12); + + br_aes_ct64_interleave_in(&q[0], &q[4], w); + br_aes_ct64_ortho(q); + br_aes_ct64_bitslice_encrypt(ctx->num_rounds, sk_exp, q); + br_aes_ct64_ortho(q); + br_aes_ct64_interleave_out(w, q[0], q[4]); + + cm0 = w[0]; + cm1 = w[1]; + cm2 = w[2]; + cm3 = w[3]; + buf += 16; + len -= 16; + } + + br_enc32le((unsigned char *)cbcmac + 0, cm0); + br_enc32le((unsigned char *)cbcmac + 4, cm1); + br_enc32le((unsigned char *)cbcmac + 8, cm2); + br_enc32le((unsigned char *)cbcmac + 12, cm3); +} + +/* see bearssl_block.h */ +void +br_aes_ct64_ctrcbc_encrypt(const br_aes_ct64_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len) +{ + /* + * When encrypting, the CBC-MAC processing must be lagging by + * one block, since it operates on the encrypted values, so + * it must wait for that encryption to complete. + */ + + unsigned char *buf; + unsigned char *ivbuf; + uint32_t iv0, iv1, iv2, iv3; + uint32_t cm0, cm1, cm2, cm3; + uint64_t sk_exp[120]; + uint64_t q[8]; + int first_iter; + + br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey); + + /* + * We keep the counter as four 32-bit values, with big-endian + * convention, because that's what is expected for purposes of + * incrementing the counter value. + */ + ivbuf = ctr; + iv0 = br_dec32be(ivbuf + 0); + iv1 = br_dec32be(ivbuf + 4); + iv2 = br_dec32be(ivbuf + 8); + iv3 = br_dec32be(ivbuf + 12); + + /* + * The current CBC-MAC value is kept in little-endian convention. + */ + cm0 = br_dec32le((unsigned char *)cbcmac + 0); + cm1 = br_dec32le((unsigned char *)cbcmac + 4); + cm2 = br_dec32le((unsigned char *)cbcmac + 8); + cm3 = br_dec32le((unsigned char *)cbcmac + 12); + + buf = data; + first_iter = 1; + memset(q, 0, sizeof q); + while (len > 0) { + uint32_t w[8], carry; + + /* + * The bitslice implementation expects values in + * little-endian convention, so we have to byteswap them. + */ + w[0] = br_swap32(iv0); + w[1] = br_swap32(iv1); + w[2] = br_swap32(iv2); + w[3] = br_swap32(iv3); + iv3 ++; + carry = ~(iv3 | -iv3) >> 31; + iv2 += carry; + carry &= -(~(iv2 | -iv2) >> 31); + iv1 += carry; + carry &= -(~(iv1 | -iv1) >> 31); + iv0 += carry; + + /* + * The block for CBC-MAC. + */ + w[4] = cm0; + w[5] = cm1; + w[6] = cm2; + w[7] = cm3; + + br_aes_ct64_interleave_in(&q[0], &q[4], w); + br_aes_ct64_interleave_in(&q[1], &q[5], w + 4); + br_aes_ct64_ortho(q); + br_aes_ct64_bitslice_encrypt(ctx->num_rounds, sk_exp, q); + br_aes_ct64_ortho(q); + br_aes_ct64_interleave_out(w, q[0], q[4]); + br_aes_ct64_interleave_out(w + 4, q[1], q[5]); + + /* + * We do the XOR with the plaintext in 32-bit registers, + * so that the value are available for CBC-MAC processing + * as well. + */ + w[0] ^= br_dec32le(buf + 0); + w[1] ^= br_dec32le(buf + 4); + w[2] ^= br_dec32le(buf + 8); + w[3] ^= br_dec32le(buf + 12); + br_enc32le(buf + 0, w[0]); + br_enc32le(buf + 4, w[1]); + br_enc32le(buf + 8, w[2]); + br_enc32le(buf + 12, w[3]); + + buf += 16; + len -= 16; + + /* + * We set the cm* values to the block to encrypt in the + * next iteration. + */ + if (first_iter) { + first_iter = 0; + cm0 ^= w[0]; + cm1 ^= w[1]; + cm2 ^= w[2]; + cm3 ^= w[3]; + } else { + cm0 = w[0] ^ w[4]; + cm1 = w[1] ^ w[5]; + cm2 = w[2] ^ w[6]; + cm3 = w[3] ^ w[7]; + } + + /* + * If this was the last iteration, then compute the + * extra block encryption to complete CBC-MAC. + */ + if (len == 0) { + w[0] = cm0; + w[1] = cm1; + w[2] = cm2; + w[3] = cm3; + br_aes_ct64_interleave_in(&q[0], &q[4], w); + br_aes_ct64_ortho(q); + br_aes_ct64_bitslice_encrypt( + ctx->num_rounds, sk_exp, q); + br_aes_ct64_ortho(q); + br_aes_ct64_interleave_out(w, q[0], q[4]); + cm0 = w[0]; + cm1 = w[1]; + cm2 = w[2]; + cm3 = w[3]; + break; + } + } + + br_enc32be(ivbuf + 0, iv0); + br_enc32be(ivbuf + 4, iv1); + br_enc32be(ivbuf + 8, iv2); + br_enc32be(ivbuf + 12, iv3); + br_enc32le((unsigned char *)cbcmac + 0, cm0); + br_enc32le((unsigned char *)cbcmac + 4, cm1); + br_enc32le((unsigned char *)cbcmac + 8, cm2); + br_enc32le((unsigned char *)cbcmac + 12, cm3); +} + +/* see bearssl_block.h */ +void +br_aes_ct64_ctrcbc_decrypt(const br_aes_ct64_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len) +{ + unsigned char *buf; + unsigned char *ivbuf; + uint32_t iv0, iv1, iv2, iv3; + uint32_t cm0, cm1, cm2, cm3; + uint64_t sk_exp[120]; + uint64_t q[8]; + + br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey); + + /* + * We keep the counter as four 32-bit values, with big-endian + * convention, because that's what is expected for purposes of + * incrementing the counter value. + */ + ivbuf = ctr; + iv0 = br_dec32be(ivbuf + 0); + iv1 = br_dec32be(ivbuf + 4); + iv2 = br_dec32be(ivbuf + 8); + iv3 = br_dec32be(ivbuf + 12); + + /* + * The current CBC-MAC value is kept in little-endian convention. + */ + cm0 = br_dec32le((unsigned char *)cbcmac + 0); + cm1 = br_dec32le((unsigned char *)cbcmac + 4); + cm2 = br_dec32le((unsigned char *)cbcmac + 8); + cm3 = br_dec32le((unsigned char *)cbcmac + 12); + + buf = data; + memset(q, 0, sizeof q); + while (len > 0) { + uint32_t w[8], carry; + unsigned char tmp[16]; + + /* + * The bitslice implementation expects values in + * little-endian convention, so we have to byteswap them. + */ + w[0] = br_swap32(iv0); + w[1] = br_swap32(iv1); + w[2] = br_swap32(iv2); + w[3] = br_swap32(iv3); + iv3 ++; + carry = ~(iv3 | -iv3) >> 31; + iv2 += carry; + carry &= -(~(iv2 | -iv2) >> 31); + iv1 += carry; + carry &= -(~(iv1 | -iv1) >> 31); + iv0 += carry; + + /* + * The block for CBC-MAC. + */ + w[4] = cm0 ^ br_dec32le(buf + 0); + w[5] = cm1 ^ br_dec32le(buf + 4); + w[6] = cm2 ^ br_dec32le(buf + 8); + w[7] = cm3 ^ br_dec32le(buf + 12); + + br_aes_ct64_interleave_in(&q[0], &q[4], w); + br_aes_ct64_interleave_in(&q[1], &q[5], w + 4); + br_aes_ct64_ortho(q); + br_aes_ct64_bitslice_encrypt(ctx->num_rounds, sk_exp, q); + br_aes_ct64_ortho(q); + br_aes_ct64_interleave_out(w, q[0], q[4]); + br_aes_ct64_interleave_out(w + 4, q[1], q[5]); + + br_enc32le(tmp + 0, w[0]); + br_enc32le(tmp + 4, w[1]); + br_enc32le(tmp + 8, w[2]); + br_enc32le(tmp + 12, w[3]); + xorbuf(buf, tmp, 16); + cm0 = w[4]; + cm1 = w[5]; + cm2 = w[6]; + cm3 = w[7]; + buf += 16; + len -= 16; + } + + br_enc32be(ivbuf + 0, iv0); + br_enc32be(ivbuf + 4, iv1); + br_enc32be(ivbuf + 8, iv2); + br_enc32be(ivbuf + 12, iv3); + br_enc32le((unsigned char *)cbcmac + 0, cm0); + br_enc32le((unsigned char *)cbcmac + 4, cm1); + br_enc32le((unsigned char *)cbcmac + 8, cm2); + br_enc32le((unsigned char *)cbcmac + 12, cm3); +} + +/* see bearssl_block.h */ +const br_block_ctrcbc_class br_aes_ct64_ctrcbc_vtable = { + sizeof(br_aes_ct64_ctrcbc_keys), + 16, + 4, + (void (*)(const br_block_ctrcbc_class **, const void *, size_t)) + &br_aes_ct64_ctrcbc_init, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, void *, size_t)) + &br_aes_ct64_ctrcbc_encrypt, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, void *, size_t)) + &br_aes_ct64_ctrcbc_decrypt, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, size_t)) + &br_aes_ct64_ctrcbc_ctr, + (void (*)(const br_block_ctrcbc_class *const *, + void *, const void *, size_t)) + &br_aes_ct64_ctrcbc_mac +}; diff --git a/src/symcipher/aes_ct_ctrcbc.c b/src/symcipher/aes_ct_ctrcbc.c new file mode 100644 index 0000000..8ae9fc7 --- /dev/null +++ b/src/symcipher/aes_ct_ctrcbc.c @@ -0,0 +1,422 @@ +/* + * Copyright (c) 2017 Thomas Pornin + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "inner.h" + +/* see bearssl_block.h */ +void +br_aes_ct_ctrcbc_init(br_aes_ct_ctrcbc_keys *ctx, + const void *key, size_t len) +{ + ctx->vtable = &br_aes_ct_ctrcbc_vtable; + ctx->num_rounds = br_aes_ct_keysched(ctx->skey, key, len); +} + +static void +xorbuf(void *dst, const void *src, size_t len) +{ + unsigned char *d; + const unsigned char *s; + + d = dst; + s = src; + while (len -- > 0) { + *d ++ ^= *s ++; + } +} + +/* see bearssl_block.h */ +void +br_aes_ct_ctrcbc_ctr(const br_aes_ct_ctrcbc_keys *ctx, + void *ctr, void *data, size_t len) +{ + unsigned char *buf; + unsigned char *ivbuf; + uint32_t iv0, iv1, iv2, iv3; + uint32_t sk_exp[120]; + + br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey); + + /* + * We keep the counter as four 32-bit values, with big-endian + * convention, because that's what is expected for purposes of + * incrementing the counter value. + */ + ivbuf = ctr; + iv0 = br_dec32be(ivbuf + 0); + iv1 = br_dec32be(ivbuf + 4); + iv2 = br_dec32be(ivbuf + 8); + iv3 = br_dec32be(ivbuf + 12); + + buf = data; + while (len > 0) { + uint32_t q[8], carry; + unsigned char tmp[32]; + + /* + * The bitslice implementation expects values in + * little-endian convention, so we have to byteswap them. + */ + q[0] = br_swap32(iv0); + q[2] = br_swap32(iv1); + q[4] = br_swap32(iv2); + q[6] = br_swap32(iv3); + iv3 ++; + carry = ~(iv3 | -iv3) >> 31; + iv2 += carry; + carry &= -(~(iv2 | -iv2) >> 31); + iv1 += carry; + carry &= -(~(iv1 | -iv1) >> 31); + iv0 += carry; + q[1] = br_swap32(iv0); + q[3] = br_swap32(iv1); + q[5] = br_swap32(iv2); + q[7] = br_swap32(iv3); + if (len > 16) { + iv3 ++; + carry = ~(iv3 | -iv3) >> 31; + iv2 += carry; + carry &= -(~(iv2 | -iv2) >> 31); + iv1 += carry; + carry &= -(~(iv1 | -iv1) >> 31); + iv0 += carry; + } + + br_aes_ct_ortho(q); + br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q); + br_aes_ct_ortho(q); + + br_enc32le(tmp, q[0]); + br_enc32le(tmp + 4, q[2]); + br_enc32le(tmp + 8, q[4]); + br_enc32le(tmp + 12, q[6]); + br_enc32le(tmp + 16, q[1]); + br_enc32le(tmp + 20, q[3]); + br_enc32le(tmp + 24, q[5]); + br_enc32le(tmp + 28, q[7]); + + if (len <= 32) { + xorbuf(buf, tmp, len); + break; + } + xorbuf(buf, tmp, 32); + buf += 32; + len -= 32; + } + br_enc32be(ivbuf + 0, iv0); + br_enc32be(ivbuf + 4, iv1); + br_enc32be(ivbuf + 8, iv2); + br_enc32be(ivbuf + 12, iv3); +} + +/* see bearssl_block.h */ +void +br_aes_ct_ctrcbc_mac(const br_aes_ct_ctrcbc_keys *ctx, + void *cbcmac, const void *data, size_t len) +{ + const unsigned char *buf; + uint32_t cm0, cm1, cm2, cm3; + uint32_t q[8]; + uint32_t sk_exp[120]; + + br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey); + + buf = data; + cm0 = br_dec32le((unsigned char *)cbcmac + 0); + cm1 = br_dec32le((unsigned char *)cbcmac + 4); + cm2 = br_dec32le((unsigned char *)cbcmac + 8); + cm3 = br_dec32le((unsigned char *)cbcmac + 12); + q[1] = 0; + q[3] = 0; + q[5] = 0; + q[7] = 0; + + while (len > 0) { + q[0] = cm0 ^ br_dec32le(buf + 0); + q[2] = cm1 ^ br_dec32le(buf + 4); + q[4] = cm2 ^ br_dec32le(buf + 8); + q[6] = cm3 ^ br_dec32le(buf + 12); + + br_aes_ct_ortho(q); + br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q); + br_aes_ct_ortho(q); + + cm0 = q[0]; + cm1 = q[2]; + cm2 = q[4]; + cm3 = q[6]; + buf += 16; + len -= 16; + } + + br_enc32le((unsigned char *)cbcmac + 0, cm0); + br_enc32le((unsigned char *)cbcmac + 4, cm1); + br_enc32le((unsigned char *)cbcmac + 8, cm2); + br_enc32le((unsigned char *)cbcmac + 12, cm3); +} + +/* see bearssl_block.h */ +void +br_aes_ct_ctrcbc_encrypt(const br_aes_ct_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len) +{ + /* + * When encrypting, the CBC-MAC processing must be lagging by + * one block, since it operates on the encrypted values, so + * it must wait for that encryption to complete. + */ + + unsigned char *buf; + unsigned char *ivbuf; + uint32_t iv0, iv1, iv2, iv3; + uint32_t cm0, cm1, cm2, cm3; + uint32_t sk_exp[120]; + int first_iter; + + br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey); + + /* + * We keep the counter as four 32-bit values, with big-endian + * convention, because that's what is expected for purposes of + * incrementing the counter value. + */ + ivbuf = ctr; + iv0 = br_dec32be(ivbuf + 0); + iv1 = br_dec32be(ivbuf + 4); + iv2 = br_dec32be(ivbuf + 8); + iv3 = br_dec32be(ivbuf + 12); + + /* + * The current CBC-MAC value is kept in little-endian convention. + */ + cm0 = br_dec32le((unsigned char *)cbcmac + 0); + cm1 = br_dec32le((unsigned char *)cbcmac + 4); + cm2 = br_dec32le((unsigned char *)cbcmac + 8); + cm3 = br_dec32le((unsigned char *)cbcmac + 12); + + buf = data; + first_iter = 1; + while (len > 0) { + uint32_t q[8], carry; + + /* + * The bitslice implementation expects values in + * little-endian convention, so we have to byteswap them. + */ + q[0] = br_swap32(iv0); + q[2] = br_swap32(iv1); + q[4] = br_swap32(iv2); + q[6] = br_swap32(iv3); + iv3 ++; + carry = ~(iv3 | -iv3) >> 31; + iv2 += carry; + carry &= -(~(iv2 | -iv2) >> 31); + iv1 += carry; + carry &= -(~(iv1 | -iv1) >> 31); + iv0 += carry; + + /* + * The odd values are used for CBC-MAC. + */ + q[1] = cm0; + q[3] = cm1; + q[5] = cm2; + q[7] = cm3; + + br_aes_ct_ortho(q); + br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q); + br_aes_ct_ortho(q); + + /* + * We do the XOR with the plaintext in 32-bit registers, + * so that the value are available for CBC-MAC processing + * as well. + */ + q[0] ^= br_dec32le(buf + 0); + q[2] ^= br_dec32le(buf + 4); + q[4] ^= br_dec32le(buf + 8); + q[6] ^= br_dec32le(buf + 12); + br_enc32le(buf + 0, q[0]); + br_enc32le(buf + 4, q[2]); + br_enc32le(buf + 8, q[4]); + br_enc32le(buf + 12, q[6]); + + buf += 16; + len -= 16; + + /* + * We set the cm* values to the block to encrypt in the + * next iteration. + */ + if (first_iter) { + first_iter = 0; + cm0 ^= q[0]; + cm1 ^= q[2]; + cm2 ^= q[4]; + cm3 ^= q[6]; + } else { + cm0 = q[0] ^ q[1]; + cm1 = q[2] ^ q[3]; + cm2 = q[4] ^ q[5]; + cm3 = q[6] ^ q[7]; + } + + /* + * If this was the last iteration, then compute the + * extra block encryption to complete CBC-MAC. + */ + if (len == 0) { + q[0] = cm0; + q[2] = cm1; + q[4] = cm2; + q[6] = cm3; + br_aes_ct_ortho(q); + br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q); + br_aes_ct_ortho(q); + cm0 = q[0]; + cm1 = q[2]; + cm2 = q[4]; + cm3 = q[6]; + break; + } + } + + br_enc32be(ivbuf + 0, iv0); + br_enc32be(ivbuf + 4, iv1); + br_enc32be(ivbuf + 8, iv2); + br_enc32be(ivbuf + 12, iv3); + br_enc32le((unsigned char *)cbcmac + 0, cm0); + br_enc32le((unsigned char *)cbcmac + 4, cm1); + br_enc32le((unsigned char *)cbcmac + 8, cm2); + br_enc32le((unsigned char *)cbcmac + 12, cm3); +} + +/* see bearssl_block.h */ +void +br_aes_ct_ctrcbc_decrypt(const br_aes_ct_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len) +{ + unsigned char *buf; + unsigned char *ivbuf; + uint32_t iv0, iv1, iv2, iv3; + uint32_t cm0, cm1, cm2, cm3; + uint32_t sk_exp[120]; + + br_aes_ct_skey_expand(sk_exp, ctx->num_rounds, ctx->skey); + + /* + * We keep the counter as four 32-bit values, with big-endian + * convention, because that's what is expected for purposes of + * incrementing the counter value. + */ + ivbuf = ctr; + iv0 = br_dec32be(ivbuf + 0); + iv1 = br_dec32be(ivbuf + 4); + iv2 = br_dec32be(ivbuf + 8); + iv3 = br_dec32be(ivbuf + 12); + + /* + * The current CBC-MAC value is kept in little-endian convention. + */ + cm0 = br_dec32le((unsigned char *)cbcmac + 0); + cm1 = br_dec32le((unsigned char *)cbcmac + 4); + cm2 = br_dec32le((unsigned char *)cbcmac + 8); + cm3 = br_dec32le((unsigned char *)cbcmac + 12); + + buf = data; + while (len > 0) { + uint32_t q[8], carry; + unsigned char tmp[16]; + + /* + * The bitslice implementation expects values in + * little-endian convention, so we have to byteswap them. + */ + q[0] = br_swap32(iv0); + q[2] = br_swap32(iv1); + q[4] = br_swap32(iv2); + q[6] = br_swap32(iv3); + iv3 ++; + carry = ~(iv3 | -iv3) >> 31; + iv2 += carry; + carry &= -(~(iv2 | -iv2) >> 31); + iv1 += carry; + carry &= -(~(iv1 | -iv1) >> 31); + iv0 += carry; + + /* + * The odd values are used for CBC-MAC. + */ + q[1] = cm0 ^ br_dec32le(buf + 0); + q[3] = cm1 ^ br_dec32le(buf + 4); + q[5] = cm2 ^ br_dec32le(buf + 8); + q[7] = cm3 ^ br_dec32le(buf + 12); + + br_aes_ct_ortho(q); + br_aes_ct_bitslice_encrypt(ctx->num_rounds, sk_exp, q); + br_aes_ct_ortho(q); + + br_enc32le(tmp + 0, q[0]); + br_enc32le(tmp + 4, q[2]); + br_enc32le(tmp + 8, q[4]); + br_enc32le(tmp + 12, q[6]); + xorbuf(buf, tmp, 16); + cm0 = q[1]; + cm1 = q[3]; + cm2 = q[5]; + cm3 = q[7]; + buf += 16; + len -= 16; + } + + br_enc32be(ivbuf + 0, iv0); + br_enc32be(ivbuf + 4, iv1); + br_enc32be(ivbuf + 8, iv2); + br_enc32be(ivbuf + 12, iv3); + br_enc32le((unsigned char *)cbcmac + 0, cm0); + br_enc32le((unsigned char *)cbcmac + 4, cm1); + br_enc32le((unsigned char *)cbcmac + 8, cm2); + br_enc32le((unsigned char *)cbcmac + 12, cm3); +} + +/* see bearssl_block.h */ +const br_block_ctrcbc_class br_aes_ct_ctrcbc_vtable = { + sizeof(br_aes_ct_ctrcbc_keys), + 16, + 4, + (void (*)(const br_block_ctrcbc_class **, const void *, size_t)) + &br_aes_ct_ctrcbc_init, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, void *, size_t)) + &br_aes_ct_ctrcbc_encrypt, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, void *, size_t)) + &br_aes_ct_ctrcbc_decrypt, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, size_t)) + &br_aes_ct_ctrcbc_ctr, + (void (*)(const br_block_ctrcbc_class *const *, + void *, const void *, size_t)) + &br_aes_ct_ctrcbc_mac +}; diff --git a/src/symcipher/aes_small_ctrcbc.c b/src/symcipher/aes_small_ctrcbc.c new file mode 100644 index 0000000..2d6ba32 --- /dev/null +++ b/src/symcipher/aes_small_ctrcbc.c @@ -0,0 +1,142 @@ +/* + * Copyright (c) 2017 Thomas Pornin + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "inner.h" + +/* see bearssl_block.h */ +void +br_aes_small_ctrcbc_init(br_aes_small_ctrcbc_keys *ctx, + const void *key, size_t len) +{ + ctx->vtable = &br_aes_small_ctrcbc_vtable; + ctx->num_rounds = br_aes_keysched(ctx->skey, key, len); +} + +static void +xorbuf(void *dst, const void *src, size_t len) +{ + unsigned char *d; + const unsigned char *s; + + d = dst; + s = src; + while (len -- > 0) { + *d ++ ^= *s ++; + } +} + +/* see bearssl_block.h */ +void +br_aes_small_ctrcbc_ctr(const br_aes_small_ctrcbc_keys *ctx, + void *ctr, void *data, size_t len) +{ + unsigned char *buf, *bctr; + uint32_t cc0, cc1, cc2, cc3; + + buf = data; + bctr = ctr; + cc3 = br_dec32be(bctr + 0); + cc2 = br_dec32be(bctr + 4); + cc1 = br_dec32be(bctr + 8); + cc0 = br_dec32be(bctr + 12); + while (len > 0) { + unsigned char tmp[16]; + uint32_t carry; + + br_enc32be(tmp + 0, cc3); + br_enc32be(tmp + 4, cc2); + br_enc32be(tmp + 8, cc1); + br_enc32be(tmp + 12, cc0); + br_aes_small_encrypt(ctx->num_rounds, ctx->skey, tmp); + xorbuf(buf, tmp, 16); + buf += 16; + len -= 16; + cc0 ++; + carry = (~(cc0 | -cc0)) >> 31; + cc1 += carry; + carry &= (~(cc1 | -cc1)) >> 31; + cc2 += carry; + carry &= (~(cc2 | -cc2)) >> 31; + cc3 += carry; + } + br_enc32be(bctr + 0, cc3); + br_enc32be(bctr + 4, cc2); + br_enc32be(bctr + 8, cc1); + br_enc32be(bctr + 12, cc0); +} + +/* see bearssl_block.h */ +void +br_aes_small_ctrcbc_mac(const br_aes_small_ctrcbc_keys *ctx, + void *cbcmac, const void *data, size_t len) +{ + const unsigned char *buf; + + buf = data; + while (len > 0) { + xorbuf(cbcmac, buf, 16); + br_aes_small_encrypt(ctx->num_rounds, ctx->skey, cbcmac); + buf += 16; + len -= 16; + } +} + +/* see bearssl_block.h */ +void +br_aes_small_ctrcbc_encrypt(const br_aes_small_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len) +{ + br_aes_small_ctrcbc_ctr(ctx, ctr, data, len); + br_aes_small_ctrcbc_mac(ctx, cbcmac, data, len); +} + +/* see bearssl_block.h */ +void +br_aes_small_ctrcbc_decrypt(const br_aes_small_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len) +{ + br_aes_small_ctrcbc_mac(ctx, cbcmac, data, len); + br_aes_small_ctrcbc_ctr(ctx, ctr, data, len); +} + +/* see bearssl_block.h */ +const br_block_ctrcbc_class br_aes_small_ctrcbc_vtable = { + sizeof(br_aes_small_ctrcbc_keys), + 16, + 4, + (void (*)(const br_block_ctrcbc_class **, const void *, size_t)) + &br_aes_small_ctrcbc_init, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, void *, size_t)) + &br_aes_small_ctrcbc_encrypt, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, void *, size_t)) + &br_aes_small_ctrcbc_decrypt, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, size_t)) + &br_aes_small_ctrcbc_ctr, + (void (*)(const br_block_ctrcbc_class *const *, + void *, const void *, size_t)) + &br_aes_small_ctrcbc_mac +}; diff --git a/src/symcipher/aes_x86ni_ctrcbc.c b/src/symcipher/aes_x86ni_ctrcbc.c new file mode 100644 index 0000000..f57fead --- /dev/null +++ b/src/symcipher/aes_x86ni_ctrcbc.c @@ -0,0 +1,596 @@ +/* + * Copyright (c) 2017 Thomas Pornin + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#define BR_ENABLE_INTRINSICS 1 +#include "inner.h" + +#if BR_AES_X86NI + +/* see bearssl_block.h */ +const br_block_ctrcbc_class * +br_aes_x86ni_ctrcbc_get_vtable(void) +{ + return br_aes_x86ni_supported() ? &br_aes_x86ni_ctrcbc_vtable : NULL; +} + +/* see bearssl_block.h */ +void +br_aes_x86ni_ctrcbc_init(br_aes_x86ni_ctrcbc_keys *ctx, + const void *key, size_t len) +{ + ctx->vtable = &br_aes_x86ni_ctrcbc_vtable; + ctx->num_rounds = br_aes_x86ni_keysched_enc(ctx->skey.skni, key, len); +} + +BR_TARGETS_X86_UP + +/* see bearssl_block.h */ +BR_TARGET("sse2,sse4.1,aes") +void +br_aes_x86ni_ctrcbc_ctr(const br_aes_x86ni_ctrcbc_keys *ctx, + void *ctr, void *data, size_t len) +{ + unsigned char *buf; + unsigned num_rounds; + __m128i sk[15]; + __m128i ivx0, ivx1, ivx2, ivx3; + __m128i erev, zero, one, four, notthree; + unsigned u; + + buf = data; + num_rounds = ctx->num_rounds; + for (u = 0; u <= num_rounds; u ++) { + sk[u] = _mm_loadu_si128((void *)(ctx->skey.skni + (u << 4))); + } + + /* + * Some SSE2 constants. + */ + erev = _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, + 8, 9, 10, 11, 12, 13, 14, 15); + zero = _mm_setzero_si128(); + one = _mm_set_epi64x(0, 1); + four = _mm_set_epi64x(0, 4); + notthree = _mm_sub_epi64(zero, four); + + /* + * Decode the counter in big-endian and pre-increment the other + * three counters. + */ + ivx0 = _mm_shuffle_epi8(_mm_loadu_si128((void *)ctr), erev); + ivx1 = _mm_add_epi64(ivx0, one); + ivx1 = _mm_sub_epi64(ivx1, + _mm_slli_si128(_mm_cmpeq_epi64(ivx1, zero), 8)); + ivx2 = _mm_add_epi64(ivx1, one); + ivx2 = _mm_sub_epi64(ivx2, + _mm_slli_si128(_mm_cmpeq_epi64(ivx2, zero), 8)); + ivx3 = _mm_add_epi64(ivx2, one); + ivx3 = _mm_sub_epi64(ivx3, + _mm_slli_si128(_mm_cmpeq_epi64(ivx3, zero), 8)); + while (len > 0) { + __m128i x0, x1, x2, x3; + + /* + * Load counter values; we need to byteswap them because + * the specification says that they use big-endian. + */ + x0 = _mm_shuffle_epi8(ivx0, erev); + x1 = _mm_shuffle_epi8(ivx1, erev); + x2 = _mm_shuffle_epi8(ivx2, erev); + x3 = _mm_shuffle_epi8(ivx3, erev); + + x0 = _mm_xor_si128(x0, sk[0]); + x1 = _mm_xor_si128(x1, sk[0]); + x2 = _mm_xor_si128(x2, sk[0]); + x3 = _mm_xor_si128(x3, sk[0]); + x0 = _mm_aesenc_si128(x0, sk[1]); + x1 = _mm_aesenc_si128(x1, sk[1]); + x2 = _mm_aesenc_si128(x2, sk[1]); + x3 = _mm_aesenc_si128(x3, sk[1]); + x0 = _mm_aesenc_si128(x0, sk[2]); + x1 = _mm_aesenc_si128(x1, sk[2]); + x2 = _mm_aesenc_si128(x2, sk[2]); + x3 = _mm_aesenc_si128(x3, sk[2]); + x0 = _mm_aesenc_si128(x0, sk[3]); + x1 = _mm_aesenc_si128(x1, sk[3]); + x2 = _mm_aesenc_si128(x2, sk[3]); + x3 = _mm_aesenc_si128(x3, sk[3]); + x0 = _mm_aesenc_si128(x0, sk[4]); + x1 = _mm_aesenc_si128(x1, sk[4]); + x2 = _mm_aesenc_si128(x2, sk[4]); + x3 = _mm_aesenc_si128(x3, sk[4]); + x0 = _mm_aesenc_si128(x0, sk[5]); + x1 = _mm_aesenc_si128(x1, sk[5]); + x2 = _mm_aesenc_si128(x2, sk[5]); + x3 = _mm_aesenc_si128(x3, sk[5]); + x0 = _mm_aesenc_si128(x0, sk[6]); + x1 = _mm_aesenc_si128(x1, sk[6]); + x2 = _mm_aesenc_si128(x2, sk[6]); + x3 = _mm_aesenc_si128(x3, sk[6]); + x0 = _mm_aesenc_si128(x0, sk[7]); + x1 = _mm_aesenc_si128(x1, sk[7]); + x2 = _mm_aesenc_si128(x2, sk[7]); + x3 = _mm_aesenc_si128(x3, sk[7]); + x0 = _mm_aesenc_si128(x0, sk[8]); + x1 = _mm_aesenc_si128(x1, sk[8]); + x2 = _mm_aesenc_si128(x2, sk[8]); + x3 = _mm_aesenc_si128(x3, sk[8]); + x0 = _mm_aesenc_si128(x0, sk[9]); + x1 = _mm_aesenc_si128(x1, sk[9]); + x2 = _mm_aesenc_si128(x2, sk[9]); + x3 = _mm_aesenc_si128(x3, sk[9]); + if (num_rounds == 10) { + x0 = _mm_aesenclast_si128(x0, sk[10]); + x1 = _mm_aesenclast_si128(x1, sk[10]); + x2 = _mm_aesenclast_si128(x2, sk[10]); + x3 = _mm_aesenclast_si128(x3, sk[10]); + } else if (num_rounds == 12) { + x0 = _mm_aesenc_si128(x0, sk[10]); + x1 = _mm_aesenc_si128(x1, sk[10]); + x2 = _mm_aesenc_si128(x2, sk[10]); + x3 = _mm_aesenc_si128(x3, sk[10]); + x0 = _mm_aesenc_si128(x0, sk[11]); + x1 = _mm_aesenc_si128(x1, sk[11]); + x2 = _mm_aesenc_si128(x2, sk[11]); + x3 = _mm_aesenc_si128(x3, sk[11]); + x0 = _mm_aesenclast_si128(x0, sk[12]); + x1 = _mm_aesenclast_si128(x1, sk[12]); + x2 = _mm_aesenclast_si128(x2, sk[12]); + x3 = _mm_aesenclast_si128(x3, sk[12]); + } else { + x0 = _mm_aesenc_si128(x0, sk[10]); + x1 = _mm_aesenc_si128(x1, sk[10]); + x2 = _mm_aesenc_si128(x2, sk[10]); + x3 = _mm_aesenc_si128(x3, sk[10]); + x0 = _mm_aesenc_si128(x0, sk[11]); + x1 = _mm_aesenc_si128(x1, sk[11]); + x2 = _mm_aesenc_si128(x2, sk[11]); + x3 = _mm_aesenc_si128(x3, sk[11]); + x0 = _mm_aesenc_si128(x0, sk[12]); + x1 = _mm_aesenc_si128(x1, sk[12]); + x2 = _mm_aesenc_si128(x2, sk[12]); + x3 = _mm_aesenc_si128(x3, sk[12]); + x0 = _mm_aesenc_si128(x0, sk[13]); + x1 = _mm_aesenc_si128(x1, sk[13]); + x2 = _mm_aesenc_si128(x2, sk[13]); + x3 = _mm_aesenc_si128(x3, sk[13]); + x0 = _mm_aesenclast_si128(x0, sk[14]); + x1 = _mm_aesenclast_si128(x1, sk[14]); + x2 = _mm_aesenclast_si128(x2, sk[14]); + x3 = _mm_aesenclast_si128(x3, sk[14]); + } + if (len >= 64) { + x0 = _mm_xor_si128(x0, + _mm_loadu_si128((void *)(buf + 0))); + x1 = _mm_xor_si128(x1, + _mm_loadu_si128((void *)(buf + 16))); + x2 = _mm_xor_si128(x2, + _mm_loadu_si128((void *)(buf + 32))); + x3 = _mm_xor_si128(x3, + _mm_loadu_si128((void *)(buf + 48))); + _mm_storeu_si128((void *)(buf + 0), x0); + _mm_storeu_si128((void *)(buf + 16), x1); + _mm_storeu_si128((void *)(buf + 32), x2); + _mm_storeu_si128((void *)(buf + 48), x3); + buf += 64; + len -= 64; + } else { + unsigned char tmp[64]; + + _mm_storeu_si128((void *)(tmp + 0), x0); + _mm_storeu_si128((void *)(tmp + 16), x1); + _mm_storeu_si128((void *)(tmp + 32), x2); + _mm_storeu_si128((void *)(tmp + 48), x3); + for (u = 0; u < len; u ++) { + buf[u] ^= tmp[u]; + } + switch (len) { + case 16: + ivx0 = ivx1; + break; + case 32: + ivx0 = ivx2; + break; + case 48: + ivx0 = ivx3; + break; + } + break; + } + + /* + * Add 4 to each counter value. For carry propagation + * into the upper 64-bit words, we would need to compare + * the results with 4, but SSE2+ has only _signed_ + * comparisons. Instead, we mask out the low two bits, + * and check whether the remaining bits are zero. + */ + ivx0 = _mm_add_epi64(ivx0, four); + ivx1 = _mm_add_epi64(ivx1, four); + ivx2 = _mm_add_epi64(ivx2, four); + ivx3 = _mm_add_epi64(ivx3, four); + ivx0 = _mm_sub_epi64(ivx0, + _mm_slli_si128(_mm_cmpeq_epi64( + _mm_and_si128(ivx0, notthree), zero), 8)); + ivx1 = _mm_sub_epi64(ivx1, + _mm_slli_si128(_mm_cmpeq_epi64( + _mm_and_si128(ivx1, notthree), zero), 8)); + ivx2 = _mm_sub_epi64(ivx2, + _mm_slli_si128(_mm_cmpeq_epi64( + _mm_and_si128(ivx2, notthree), zero), 8)); + ivx3 = _mm_sub_epi64(ivx3, + _mm_slli_si128(_mm_cmpeq_epi64( + _mm_and_si128(ivx3, notthree), zero), 8)); + } + + /* + * Write back new counter value. The loop took care to put the + * right counter value in ivx0. + */ + _mm_storeu_si128((void *)ctr, _mm_shuffle_epi8(ivx0, erev)); +} + +/* see bearssl_block.h */ +BR_TARGET("sse2,sse4.1,aes") +void +br_aes_x86ni_ctrcbc_mac(const br_aes_x86ni_ctrcbc_keys *ctx, + void *cbcmac, const void *data, size_t len) +{ + const unsigned char *buf; + unsigned num_rounds; + __m128i sk[15], ivx; + unsigned u; + + buf = data; + ivx = _mm_loadu_si128(cbcmac); + num_rounds = ctx->num_rounds; + for (u = 0; u <= num_rounds; u ++) { + sk[u] = _mm_loadu_si128((void *)(ctx->skey.skni + (u << 4))); + } + while (len > 0) { + __m128i x; + + x = _mm_xor_si128(_mm_loadu_si128((void *)buf), ivx); + x = _mm_xor_si128(x, sk[0]); + x = _mm_aesenc_si128(x, sk[1]); + x = _mm_aesenc_si128(x, sk[2]); + x = _mm_aesenc_si128(x, sk[3]); + x = _mm_aesenc_si128(x, sk[4]); + x = _mm_aesenc_si128(x, sk[5]); + x = _mm_aesenc_si128(x, sk[6]); + x = _mm_aesenc_si128(x, sk[7]); + x = _mm_aesenc_si128(x, sk[8]); + x = _mm_aesenc_si128(x, sk[9]); + if (num_rounds == 10) { + x = _mm_aesenclast_si128(x, sk[10]); + } else if (num_rounds == 12) { + x = _mm_aesenc_si128(x, sk[10]); + x = _mm_aesenc_si128(x, sk[11]); + x = _mm_aesenclast_si128(x, sk[12]); + } else { + x = _mm_aesenc_si128(x, sk[10]); + x = _mm_aesenc_si128(x, sk[11]); + x = _mm_aesenc_si128(x, sk[12]); + x = _mm_aesenc_si128(x, sk[13]); + x = _mm_aesenclast_si128(x, sk[14]); + } + ivx = x; + buf += 16; + len -= 16; + } + _mm_storeu_si128(cbcmac, ivx); +} + +/* see bearssl_block.h */ +BR_TARGET("sse2,sse4.1,aes") +void +br_aes_x86ni_ctrcbc_encrypt(const br_aes_x86ni_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len) +{ + unsigned char *buf; + unsigned num_rounds; + __m128i sk[15]; + __m128i ivx, cmx; + __m128i erev, zero, one; + unsigned u; + int first_iter; + + num_rounds = ctx->num_rounds; + for (u = 0; u <= num_rounds; u ++) { + sk[u] = _mm_loadu_si128((void *)(ctx->skey.skni + (u << 4))); + } + + /* + * Some SSE2 constants. + */ + erev = _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, + 8, 9, 10, 11, 12, 13, 14, 15); + zero = _mm_setzero_si128(); + one = _mm_set_epi64x(0, 1); + + /* + * Decode the counter in big-endian. + */ + ivx = _mm_shuffle_epi8(_mm_loadu_si128(ctr), erev); + cmx = _mm_loadu_si128(cbcmac); + + buf = data; + first_iter = 1; + while (len > 0) { + __m128i dx, x0, x1; + + /* + * Load initial values: + * dx encrypted block of data + * x0 counter (for CTR encryption) + * x1 input for CBC-MAC + */ + dx = _mm_loadu_si128((void *)buf); + x0 = _mm_shuffle_epi8(ivx, erev); + x1 = cmx; + + x0 = _mm_xor_si128(x0, sk[0]); + x1 = _mm_xor_si128(x1, sk[0]); + x0 = _mm_aesenc_si128(x0, sk[1]); + x1 = _mm_aesenc_si128(x1, sk[1]); + x0 = _mm_aesenc_si128(x0, sk[2]); + x1 = _mm_aesenc_si128(x1, sk[2]); + x0 = _mm_aesenc_si128(x0, sk[3]); + x1 = _mm_aesenc_si128(x1, sk[3]); + x0 = _mm_aesenc_si128(x0, sk[4]); + x1 = _mm_aesenc_si128(x1, sk[4]); + x0 = _mm_aesenc_si128(x0, sk[5]); + x1 = _mm_aesenc_si128(x1, sk[5]); + x0 = _mm_aesenc_si128(x0, sk[6]); + x1 = _mm_aesenc_si128(x1, sk[6]); + x0 = _mm_aesenc_si128(x0, sk[7]); + x1 = _mm_aesenc_si128(x1, sk[7]); + x0 = _mm_aesenc_si128(x0, sk[8]); + x1 = _mm_aesenc_si128(x1, sk[8]); + x0 = _mm_aesenc_si128(x0, sk[9]); + x1 = _mm_aesenc_si128(x1, sk[9]); + if (num_rounds == 10) { + x0 = _mm_aesenclast_si128(x0, sk[10]); + x1 = _mm_aesenclast_si128(x1, sk[10]); + } else if (num_rounds == 12) { + x0 = _mm_aesenc_si128(x0, sk[10]); + x1 = _mm_aesenc_si128(x1, sk[10]); + x0 = _mm_aesenc_si128(x0, sk[11]); + x1 = _mm_aesenc_si128(x1, sk[11]); + x0 = _mm_aesenclast_si128(x0, sk[12]); + x1 = _mm_aesenclast_si128(x1, sk[12]); + } else { + x0 = _mm_aesenc_si128(x0, sk[10]); + x1 = _mm_aesenc_si128(x1, sk[10]); + x0 = _mm_aesenc_si128(x0, sk[11]); + x1 = _mm_aesenc_si128(x1, sk[11]); + x0 = _mm_aesenc_si128(x0, sk[12]); + x1 = _mm_aesenc_si128(x1, sk[12]); + x0 = _mm_aesenc_si128(x0, sk[13]); + x1 = _mm_aesenc_si128(x1, sk[13]); + x0 = _mm_aesenclast_si128(x0, sk[14]); + x1 = _mm_aesenclast_si128(x1, sk[14]); + } + + x0 = _mm_xor_si128(x0, dx); + if (first_iter) { + cmx = _mm_xor_si128(cmx, x0); + first_iter = 0; + } else { + cmx = _mm_xor_si128(x1, x0); + } + _mm_storeu_si128((void *)buf, x0); + + buf += 16; + len -= 16; + + /* + * Increment the counter value. + */ + ivx = _mm_add_epi64(ivx, one); + ivx = _mm_sub_epi64(ivx, + _mm_slli_si128(_mm_cmpeq_epi64(ivx, zero), 8)); + + /* + * If this was the last iteration, then compute the + * extra block encryption to complete CBC-MAC. + */ + if (len == 0) { + cmx = _mm_xor_si128(cmx, sk[0]); + cmx = _mm_aesenc_si128(cmx, sk[1]); + cmx = _mm_aesenc_si128(cmx, sk[2]); + cmx = _mm_aesenc_si128(cmx, sk[3]); + cmx = _mm_aesenc_si128(cmx, sk[4]); + cmx = _mm_aesenc_si128(cmx, sk[5]); + cmx = _mm_aesenc_si128(cmx, sk[6]); + cmx = _mm_aesenc_si128(cmx, sk[7]); + cmx = _mm_aesenc_si128(cmx, sk[8]); + cmx = _mm_aesenc_si128(cmx, sk[9]); + if (num_rounds == 10) { + cmx = _mm_aesenclast_si128(cmx, sk[10]); + } else if (num_rounds == 12) { + cmx = _mm_aesenc_si128(cmx, sk[10]); + cmx = _mm_aesenc_si128(cmx, sk[11]); + cmx = _mm_aesenclast_si128(cmx, sk[12]); + } else { + cmx = _mm_aesenc_si128(cmx, sk[10]); + cmx = _mm_aesenc_si128(cmx, sk[11]); + cmx = _mm_aesenc_si128(cmx, sk[12]); + cmx = _mm_aesenc_si128(cmx, sk[13]); + cmx = _mm_aesenclast_si128(cmx, sk[14]); + } + break; + } + } + + /* + * Write back new counter value and CBC-MAC value. + */ + _mm_storeu_si128(ctr, _mm_shuffle_epi8(ivx, erev)); + _mm_storeu_si128(cbcmac, cmx); +} + +/* see bearssl_block.h */ +BR_TARGET("sse2,sse4.1,aes") +void +br_aes_x86ni_ctrcbc_decrypt(const br_aes_x86ni_ctrcbc_keys *ctx, + void *ctr, void *cbcmac, void *data, size_t len) +{ + unsigned char *buf; + unsigned num_rounds; + __m128i sk[15]; + __m128i ivx, cmx; + __m128i erev, zero, one; + unsigned u; + + num_rounds = ctx->num_rounds; + for (u = 0; u <= num_rounds; u ++) { + sk[u] = _mm_loadu_si128((void *)(ctx->skey.skni + (u << 4))); + } + + /* + * Some SSE2 constants. + */ + erev = _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, + 8, 9, 10, 11, 12, 13, 14, 15); + zero = _mm_setzero_si128(); + one = _mm_set_epi64x(0, 1); + + /* + * Decode the counter in big-endian. + */ + ivx = _mm_shuffle_epi8(_mm_loadu_si128(ctr), erev); + cmx = _mm_loadu_si128(cbcmac); + + buf = data; + while (len > 0) { + __m128i dx, x0, x1; + + /* + * Load initial values: + * dx encrypted block of data + * x0 counter (for CTR encryption) + * x1 input for CBC-MAC + */ + dx = _mm_loadu_si128((void *)buf); + x0 = _mm_shuffle_epi8(ivx, erev); + x1 = _mm_xor_si128(cmx, dx); + + x0 = _mm_xor_si128(x0, sk[0]); + x1 = _mm_xor_si128(x1, sk[0]); + x0 = _mm_aesenc_si128(x0, sk[1]); + x1 = _mm_aesenc_si128(x1, sk[1]); + x0 = _mm_aesenc_si128(x0, sk[2]); + x1 = _mm_aesenc_si128(x1, sk[2]); + x0 = _mm_aesenc_si128(x0, sk[3]); + x1 = _mm_aesenc_si128(x1, sk[3]); + x0 = _mm_aesenc_si128(x0, sk[4]); + x1 = _mm_aesenc_si128(x1, sk[4]); + x0 = _mm_aesenc_si128(x0, sk[5]); + x1 = _mm_aesenc_si128(x1, sk[5]); + x0 = _mm_aesenc_si128(x0, sk[6]); + x1 = _mm_aesenc_si128(x1, sk[6]); + x0 = _mm_aesenc_si128(x0, sk[7]); + x1 = _mm_aesenc_si128(x1, sk[7]); + x0 = _mm_aesenc_si128(x0, sk[8]); + x1 = _mm_aesenc_si128(x1, sk[8]); + x0 = _mm_aesenc_si128(x0, sk[9]); + x1 = _mm_aesenc_si128(x1, sk[9]); + if (num_rounds == 10) { + x0 = _mm_aesenclast_si128(x0, sk[10]); + x1 = _mm_aesenclast_si128(x1, sk[10]); + } else if (num_rounds == 12) { + x0 = _mm_aesenc_si128(x0, sk[10]); + x1 = _mm_aesenc_si128(x1, sk[10]); + x0 = _mm_aesenc_si128(x0, sk[11]); + x1 = _mm_aesenc_si128(x1, sk[11]); + x0 = _mm_aesenclast_si128(x0, sk[12]); + x1 = _mm_aesenclast_si128(x1, sk[12]); + } else { + x0 = _mm_aesenc_si128(x0, sk[10]); + x1 = _mm_aesenc_si128(x1, sk[10]); + x0 = _mm_aesenc_si128(x0, sk[11]); + x1 = _mm_aesenc_si128(x1, sk[11]); + x0 = _mm_aesenc_si128(x0, sk[12]); + x1 = _mm_aesenc_si128(x1, sk[12]); + x0 = _mm_aesenc_si128(x0, sk[13]); + x1 = _mm_aesenc_si128(x1, sk[13]); + x0 = _mm_aesenclast_si128(x0, sk[14]); + x1 = _mm_aesenclast_si128(x1, sk[14]); + } + x0 = _mm_xor_si128(x0, dx); + cmx = x1; + _mm_storeu_si128((void *)buf, x0); + + buf += 16; + len -= 16; + + /* + * Increment the counter value. + */ + ivx = _mm_add_epi64(ivx, one); + ivx = _mm_sub_epi64(ivx, + _mm_slli_si128(_mm_cmpeq_epi64(ivx, zero), 8)); + } + + /* + * Write back new counter value and CBC-MAC value. + */ + _mm_storeu_si128(ctr, _mm_shuffle_epi8(ivx, erev)); + _mm_storeu_si128(cbcmac, cmx); +} + +BR_TARGETS_X86_DOWN + +/* see bearssl_block.h */ +const br_block_ctrcbc_class br_aes_x86ni_ctrcbc_vtable = { + sizeof(br_aes_x86ni_ctrcbc_keys), + 16, + 4, + (void (*)(const br_block_ctrcbc_class **, const void *, size_t)) + &br_aes_x86ni_ctrcbc_init, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, void *, size_t)) + &br_aes_x86ni_ctrcbc_encrypt, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, void *, size_t)) + &br_aes_x86ni_ctrcbc_decrypt, + (void (*)(const br_block_ctrcbc_class *const *, + void *, void *, size_t)) + &br_aes_x86ni_ctrcbc_ctr, + (void (*)(const br_block_ctrcbc_class *const *, + void *, const void *, size_t)) + &br_aes_x86ni_ctrcbc_mac +}; + +#else + +/* see bearssl_block.h */ +const br_block_ctrcbc_class * +br_aes_x86ni_ctrcbc_get_vtable(void) +{ + return NULL; +} + +#endif diff --git a/test/test_crypto.c b/test/test_crypto.c index bea236b..e37034c 100644 --- a/test/test_crypto.c +++ b/test/test_crypto.c @@ -3411,6 +3411,224 @@ test_AES_pwr8(void) } } +/* + * Custom CTR + CBC-MAC AES implementation. Can also do CTR-only, and + * CBC-MAC-only. The 'aes_big' implementation (CTR) is used. This is + * meant for comparisons. + * + * If 'ctr' is NULL then no encryption/decryption is done; otherwise, + * CTR encryption/decryption is performed (full-block counter) and the + * 'ctr' array is updated with the new counter value. + * + * If 'cbcmac' is NULL then no CBC-MAC is done; otherwise, CBC-MAC is + * applied on the encrypted data, with 'cbcmac' as IV and destination + * buffer for the output. If 'ctr' is not NULL and 'encrypt' is non-zero, + * then CBC-MAC is computed over the result of CTR processing; otherwise, + * CBC-MAC is computed over the input data itself. + */ +static void +do_aes_ctrcbc(const void *key, size_t key_len, int encrypt, + void *ctr, void *cbcmac, unsigned char *data, size_t len) +{ + br_aes_big_ctr_keys bc; + int i; + + br_aes_big_ctr_init(&bc, key, key_len); + for (i = 0; i < 2; i ++) { + /* + * CBC-MAC is computed on the encrypted data, so in + * first pass if decrypting, second pass if encrypting. + */ + if (cbcmac != NULL + && ((encrypt && i == 1) || (!encrypt && i == 0))) + { + unsigned char zz[16]; + size_t u; + + memcpy(zz, cbcmac, sizeof zz); + for (u = 0; u < len; u += 16) { + unsigned char tmp[16]; + size_t v; + + for (v = 0; v < 16; v ++) { + tmp[v] = zz[v] ^ data[u + v]; + } + memset(zz, 0, sizeof zz); + br_aes_big_ctr_run(&bc, + tmp, br_dec32be(tmp + 12), zz, 16); + } + memcpy(cbcmac, zz, sizeof zz); + } + + /* + * CTR encryption/decryption is done only in the first pass. + * We process data block per block, because the CTR-only + * class uses a 32-bit counter, while the CTR+CBC-MAC + * class uses a 128-bit counter. + */ + if (ctr != NULL && i == 0) { + unsigned char zz[16]; + size_t u; + + memcpy(zz, ctr, sizeof zz); + for (u = 0; u < len; u += 16) { + int i; + + br_aes_big_ctr_run(&bc, + zz, br_dec32be(zz + 12), data + u, 16); + for (i = 15; i >= 0; i --) { + zz[i] = (zz[i] + 1) & 0xFF; + if (zz[i] != 0) { + break; + } + } + } + memcpy(ctr, zz, sizeof zz); + } + } +} + +static void +test_AES_CTRCBC_inner(const char *name, const br_block_ctrcbc_class *vt) +{ + br_hmac_drbg_context rng; + size_t key_len; + + printf("Test AES CTR/CBC-MAC %s: ", name); + fflush(stdout); + + br_hmac_drbg_init(&rng, &br_sha256_vtable, name, strlen(name)); + for (key_len = 16; key_len <= 32; key_len += 8) { + br_aes_gen_ctrcbc_keys bc; + unsigned char key[32]; + size_t data_len; + + br_hmac_drbg_generate(&rng, key, key_len); + vt->init(&bc.vtable, key, key_len); + for (data_len = 0; data_len <= 512; data_len += 16) { + unsigned char plain[512]; + unsigned char data1[sizeof plain]; + unsigned char data2[sizeof plain]; + unsigned char ctr[16], cbcmac[16]; + unsigned char ctr1[16], cbcmac1[16]; + unsigned char ctr2[16], cbcmac2[16]; + int i; + + br_hmac_drbg_generate(&rng, plain, data_len); + + for (i = 0; i <= 16; i ++) { + if (i == 0) { + br_hmac_drbg_generate(&rng, ctr, 16); + } else { + memset(ctr, 0, i - 1); + memset(ctr + i - 1, 0xFF, 17 - i); + } + br_hmac_drbg_generate(&rng, cbcmac, 16); + + memcpy(data1, plain, data_len); + memcpy(ctr1, ctr, 16); + vt->ctr(&bc.vtable, ctr1, data1, data_len); + memcpy(data2, plain, data_len); + memcpy(ctr2, ctr, 16); + do_aes_ctrcbc(key, key_len, 1, + ctr2, NULL, data2, data_len); + check_equals("CTR-only data", + data1, data2, data_len); + check_equals("CTR-only counter", + ctr1, ctr2, 16); + + memcpy(data1, plain, data_len); + memcpy(cbcmac1, cbcmac, 16); + vt->mac(&bc.vtable, cbcmac1, data1, data_len); + memcpy(data2, plain, data_len); + memcpy(cbcmac2, cbcmac, 16); + do_aes_ctrcbc(key, key_len, 1, + NULL, cbcmac2, data2, data_len); + check_equals("CBC-MAC-only", + cbcmac1, cbcmac2, 16); + + memcpy(data1, plain, data_len); + memcpy(ctr1, ctr, 16); + memcpy(cbcmac1, cbcmac, 16); + vt->encrypt(&bc.vtable, + ctr1, cbcmac1, data1, data_len); + memcpy(data2, plain, data_len); + memcpy(ctr2, ctr, 16); + memcpy(cbcmac2, cbcmac, 16); + do_aes_ctrcbc(key, key_len, 1, + ctr2, cbcmac2, data2, data_len); + check_equals("encrypt: combined data", + data1, data2, data_len); + check_equals("encrypt: combined counter", + ctr1, ctr2, 16); + check_equals("encrypt: combined CBC-MAC", + cbcmac1, cbcmac2, 16); + + memcpy(ctr1, ctr, 16); + memcpy(cbcmac1, cbcmac, 16); + vt->decrypt(&bc.vtable, + ctr1, cbcmac1, data1, data_len); + memcpy(ctr2, ctr, 16); + memcpy(cbcmac2, cbcmac, 16); + do_aes_ctrcbc(key, key_len, 0, + ctr2, cbcmac2, data2, data_len); + check_equals("decrypt: combined data", + data1, data2, data_len); + check_equals("decrypt: combined counter", + ctr1, ctr2, 16); + check_equals("decrypt: combined CBC-MAC", + cbcmac1, cbcmac2, 16); + } + + printf("."); + fflush(stdout); + } + + printf(" "); + fflush(stdout); + } + + printf("done.\n"); + fflush(stdout); +} + +static void +test_AES_CTRCBC_big(void) +{ + test_AES_CTRCBC_inner("big", &br_aes_big_ctrcbc_vtable); +} + +static void +test_AES_CTRCBC_small(void) +{ + test_AES_CTRCBC_inner("small", &br_aes_small_ctrcbc_vtable); +} + +static void +test_AES_CTRCBC_ct(void) +{ + test_AES_CTRCBC_inner("ct", &br_aes_ct_ctrcbc_vtable); +} + +static void +test_AES_CTRCBC_ct64(void) +{ + test_AES_CTRCBC_inner("ct64", &br_aes_ct64_ctrcbc_vtable); +} + +static void +test_AES_CTRCBC_x86ni(void) +{ + const br_block_ctrcbc_class *vt; + + vt = br_aes_x86ni_ctrcbc_get_vtable(); + if (vt != NULL) { + test_AES_CTRCBC_inner("x86ni", vt); + } else { + printf("Test AES CTR/CBC-MAC x86ni: UNAVAILABLE\n"); + } +} + /* * DES known-answer tests. Order: plaintext, key, ciphertext. * (mostly from NIST SP 800-20). @@ -5077,7 +5295,7 @@ test_GCM(void) br_aes_ct_ctr_keys bc; br_gcm_context gc; unsigned char tmp[100], out[16]; - size_t v; + size_t v, tag_len; key_len = hextobin(key, KAT_GCM[u]); plain_len = hextobin(plain, KAT_GCM[u + 1]); @@ -5167,6 +5385,268 @@ test_GCM(void) } } + /* + * Tag truncation. + */ + for (tag_len = 1; tag_len <= 16; tag_len ++) { + memset(out, 0x54, sizeof out); + memcpy(tmp, plain, plain_len); + br_gcm_reset(&gc, iv, iv_len); + br_gcm_aad_inject(&gc, aad, aad_len); + br_gcm_flip(&gc); + br_gcm_run(&gc, 1, tmp, plain_len); + br_gcm_get_tag_trunc(&gc, out, tag_len); + check_equals("KAT GCM 8", out, tag, tag_len); + for (v = tag_len; v < sizeof out; v ++) { + if (out[v] != 0x54) { + fprintf(stderr, "overflow on tag\n"); + exit(EXIT_FAILURE); + } + } + + memcpy(tmp, plain, plain_len); + br_gcm_reset(&gc, iv, iv_len); + br_gcm_aad_inject(&gc, aad, aad_len); + br_gcm_flip(&gc); + br_gcm_run(&gc, 1, tmp, plain_len); + if (!br_gcm_check_tag_trunc(&gc, out, tag_len)) { + fprintf(stderr, "Tag not verified (3)\n"); + exit(EXIT_FAILURE); + } + } + + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + +/* + * From "The EAX Mode of Operation (A Two-Pass Authenticated Encryption + * Scheme Optimized for Simplicity and Efficiency)" (Bellare, Rogaway, + * Wagner), presented at FSE 2004. Full article is available at: + * http://web.cs.ucdavis.edu/~rogaway/papers/eax.html + * + * EAX specification concatenates the authentication tag at the end of + * the ciphertext; in our API and the vectors below, the tag is separate. + * + * Order is: plaintext, key, nonce, header, ciphertext, tag. + */ +static const char *const KAT_EAX[] = { + "", + "233952dee4d5ed5f9b9c6d6ff80ff478", + "62ec67f9c3a4a407fcb2a8c49031a8b3", + "6bfb914fd07eae6b", + "", + "e037830e8389f27b025a2d6527e79d01", + + "f7fb", + "91945d3f4dcbee0bf45ef52255f095a4", + "becaf043b0a23d843194ba972c66debd", + "fa3bfd4806eb53fa", + "19dd", + "5c4c9331049d0bdab0277408f67967e5", + + "1a47cb4933", + "01f74ad64077f2e704c0f60ada3dd523", + "70c3db4f0d26368400a10ed05d2bff5e", + "234a3463c1264ac6", + "d851d5bae0", + "3a59f238a23e39199dc9266626c40f80", + + "481c9e39b1", + "d07cf6cbb7f313bdde66b727afd3c5e8", + "8408dfff3c1a2b1292dc199e46b7d617", + "33cce2eabff5a79d", + "632a9d131a", + "d4c168a4225d8e1ff755939974a7bede", + + "40d0c07da5e4", + "35b6d0580005bbc12b0587124557d2c2", + "fdb6b06676eedc5c61d74276e1f8e816", + "aeb96eaebe2970e9", + "071dfe16c675", + "cb0677e536f73afe6a14b74ee49844dd", + + "4de3b35c3fc039245bd1fb7d", + "bd8e6e11475e60b268784c38c62feb22", + "6eac5c93072d8e8513f750935e46da1b", + "d4482d1ca78dce0f", + "835bb4f15d743e350e728414", + "abb8644fd6ccb86947c5e10590210a4f", + + "8b0a79306c9ce7ed99dae4f87f8dd61636", + "7c77d6e813bed5ac98baa417477a2e7d", + "1a8c98dcd73d38393b2bf1569deefc19", + "65d2017990d62528", + "02083e3979da014812f59f11d52630da30", + "137327d10649b0aa6e1c181db617d7f2", + + "1bda122bce8a8dbaf1877d962b8592dd2d56", + "5fff20cafab119ca2fc73549e20f5b0d", + "dde59b97d722156d4d9aff2bc7559826", + "54b9f04e6a09189a", + "2ec47b2c4954a489afc7ba4897edcdae8cc3", + "3b60450599bd02c96382902aef7f832a", + + "6cf36720872b8513f6eab1a8a44438d5ef11", + "a4a4782bcffd3ec5e7ef6d8c34a56123", + "b781fcf2f75fa5a8de97a9ca48e522ec", + "899a175897561d7e", + "0de18fd0fdd91e7af19f1d8ee8733938b1e8", + "e7f6d2231618102fdb7fe55ff1991700", + + "ca40d7446e545ffaed3bd12a740a659ffbbb3ceab7", + "8395fcf1e95bebd697bd010bc766aac3", + "22e7add93cfc6393c57ec0b3c17d6b44", + "126735fcc320d25a", + "cb8920f87a6c75cff39627b56e3ed197c552d295a7", + "cfc46afc253b4652b1af3795b124ab6e", + + NULL +}; + +static void +test_EAX_inner(const char *name, const br_block_ctrcbc_class *vt) +{ + size_t u; + + printf("Test EAX %s: ", name); + fflush(stdout); + + for (u = 0; KAT_EAX[u]; u += 6) { + unsigned char plain[100]; + unsigned char key[32]; + unsigned char nonce[100]; + unsigned char aad[100]; + unsigned char cipher[100]; + unsigned char tag[100]; + size_t plain_len, key_len, nonce_len, aad_len; + br_aes_gen_ctrcbc_keys bc; + br_eax_context ec; + unsigned char tmp[100], out[16]; + size_t v, tag_len; + + plain_len = hextobin(plain, KAT_EAX[u]); + key_len = hextobin(key, KAT_EAX[u + 1]); + nonce_len = hextobin(nonce, KAT_EAX[u + 2]); + aad_len = hextobin(aad, KAT_EAX[u + 3]); + hextobin(cipher, KAT_EAX[u + 4]); + hextobin(tag, KAT_EAX[u + 5]); + + vt->init(&bc.vtable, key, key_len); + br_eax_init(&ec, &bc.vtable); + + memset(tmp, 0x54, sizeof tmp); + + /* + * Basic operation. + */ + memcpy(tmp, plain, plain_len); + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 1, tmp, plain_len); + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 1", tmp, cipher, plain_len); + check_equals("KAT EAX 2", out, tag, 16); + + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 0, tmp, plain_len); + check_equals("KAT EAX 3", tmp, plain, plain_len); + if (!br_eax_check_tag(&ec, tag)) { + fprintf(stderr, "Tag not verified (1)\n"); + exit(EXIT_FAILURE); + } + + for (v = plain_len; v < sizeof tmp; v ++) { + if (tmp[v] != 0x54) { + fprintf(stderr, "overflow on data\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Byte-by-byte injection. + */ + br_eax_reset(&ec, nonce, nonce_len); + for (v = 0; v < aad_len; v ++) { + br_eax_aad_inject(&ec, aad + v, 1); + } + br_eax_flip(&ec); + for (v = 0; v < plain_len; v ++) { + br_eax_run(&ec, 1, tmp + v, 1); + } + check_equals("KAT EAX 4", tmp, cipher, plain_len); + if (!br_eax_check_tag(&ec, tag)) { + fprintf(stderr, "Tag not verified (2)\n"); + exit(EXIT_FAILURE); + } + + br_eax_reset(&ec, nonce, nonce_len); + for (v = 0; v < aad_len; v ++) { + br_eax_aad_inject(&ec, aad + v, 1); + } + br_eax_flip(&ec); + for (v = 0; v < plain_len; v ++) { + br_eax_run(&ec, 0, tmp + v, 1); + } + br_eax_get_tag(&ec, out); + check_equals("KAT EAX 5", tmp, plain, plain_len); + check_equals("KAT EAX 6", out, tag, 16); + + /* + * Check that alterations are detected. + */ + for (v = 0; v < aad_len; v ++) { + memcpy(tmp, cipher, plain_len); + br_eax_reset(&ec, nonce, nonce_len); + aad[v] ^= 0x04; + br_eax_aad_inject(&ec, aad, aad_len); + aad[v] ^= 0x04; + br_eax_flip(&ec); + br_eax_run(&ec, 0, tmp, plain_len); + check_equals("KAT EAX 7", tmp, plain, plain_len); + if (br_eax_check_tag(&ec, tag)) { + fprintf(stderr, "Tag should have changed\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Tag truncation. + */ + for (tag_len = 1; tag_len <= 16; tag_len ++) { + memset(out, 0x54, sizeof out); + memcpy(tmp, plain, plain_len); + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 1, tmp, plain_len); + br_eax_get_tag_trunc(&ec, out, tag_len); + check_equals("KAT EAX 8", out, tag, tag_len); + for (v = tag_len; v < sizeof out; v ++) { + if (out[v] != 0x54) { + fprintf(stderr, "overflow on tag\n"); + exit(EXIT_FAILURE); + } + } + + memcpy(tmp, plain, plain_len); + br_eax_reset(&ec, nonce, nonce_len); + br_eax_aad_inject(&ec, aad, aad_len); + br_eax_flip(&ec); + br_eax_run(&ec, 1, tmp, plain_len); + if (!br_eax_check_tag_trunc(&ec, out, tag_len)) { + fprintf(stderr, "Tag not verified (3)\n"); + exit(EXIT_FAILURE); + } + } + printf("."); fflush(stdout); } @@ -5175,6 +5655,236 @@ test_GCM(void) fflush(stdout); } +static void +test_EAX(void) +{ + const br_block_ctrcbc_class *x_ctrcbc; + + test_EAX_inner("aes_big", &br_aes_big_ctrcbc_vtable); + test_EAX_inner("aes_small", &br_aes_small_ctrcbc_vtable); + test_EAX_inner("aes_ct", &br_aes_ct_ctrcbc_vtable); + test_EAX_inner("aes_ct64", &br_aes_ct64_ctrcbc_vtable); + + x_ctrcbc = br_aes_x86ni_ctrcbc_get_vtable(); + if (x_ctrcbc != NULL) { + test_EAX_inner("aes_x86ni", x_ctrcbc); + } else { + printf("Test EAX aes_x86ni: UNAVAILABLE\n"); + } +} + +/* + * From NIST SP 800-38C, appendix C. + * + * CCM specification concatenates the authentication tag at the end of + * the ciphertext; in our API and the vectors below, the tag is separate. + * + * Order is: key, nonce, aad, plaintext, ciphertext, tag. + */ +static const char *const KAT_CCM[] = { + "404142434445464748494a4b4c4d4e4f", + "10111213141516", + "0001020304050607", + "20212223", + "7162015b", + "4dac255d", + + "404142434445464748494a4b4c4d4e4f", + "1011121314151617", + "000102030405060708090a0b0c0d0e0f", + "202122232425262728292a2b2c2d2e2f", + "d2a1f0e051ea5f62081a7792073d593d", + "1fc64fbfaccd", + + "404142434445464748494a4b4c4d4e4f", + "101112131415161718191a1b", + "000102030405060708090a0b0c0d0e0f10111213", + "202122232425262728292a2b2c2d2e2f3031323334353637", + "e3b201a9f5b71a7a9b1ceaeccd97e70b6176aad9a4428aa5", + "484392fbc1b09951", + + "404142434445464748494a4b4c4d4e4f", + "101112131415161718191a1b1c", + NULL, + "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f", + "69915dad1e84c6376a68c2967e4dab615ae0fd1faec44cc484828529463ccf72", + "b4ac6bec93e8598e7f0dadbcea5b", + + NULL +}; + +static void +test_CCM_inner(const char *name, const br_block_ctrcbc_class *vt) +{ + size_t u; + + printf("Test CCM %s: ", name); + fflush(stdout); + + for (u = 0; KAT_CCM[u]; u += 6) { + unsigned char plain[100]; + unsigned char key[32]; + unsigned char nonce[100]; + unsigned char aad_buf[100], *aad; + unsigned char cipher[100]; + unsigned char tag[100]; + size_t plain_len, key_len, nonce_len, aad_len, tag_len; + br_aes_gen_ctrcbc_keys bc; + br_ccm_context ec; + unsigned char tmp[100], out[16]; + size_t v; + + key_len = hextobin(key, KAT_CCM[u]); + nonce_len = hextobin(nonce, KAT_CCM[u + 1]); + if (KAT_CCM[u + 2] == NULL) { + aad_len = 65536; + aad = malloc(aad_len); + if (aad == NULL) { + fprintf(stderr, "OOM error\n"); + exit(EXIT_FAILURE); + } + for (v = 0; v < 65536; v ++) { + aad[v] = (unsigned char)v; + } + } else { + aad = aad_buf; + aad_len = hextobin(aad, KAT_CCM[u + 2]); + } + plain_len = hextobin(plain, KAT_CCM[u + 3]); + hextobin(cipher, KAT_CCM[u + 4]); + tag_len = hextobin(tag, KAT_CCM[u + 5]); + + vt->init(&bc.vtable, key, key_len); + br_ccm_init(&ec, &bc.vtable); + + memset(tmp, 0x54, sizeof tmp); + + /* + * Basic operation. + */ + memcpy(tmp, plain, plain_len); + if (!br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len)) + { + fprintf(stderr, "CCM reset failed\n"); + exit(EXIT_FAILURE); + } + br_ccm_aad_inject(&ec, aad, aad_len); + br_ccm_flip(&ec); + br_ccm_run(&ec, 1, tmp, plain_len); + if (br_ccm_get_tag(&ec, out) != tag_len) { + fprintf(stderr, "CCM returned wrong tag length\n"); + exit(EXIT_FAILURE); + } + check_equals("KAT CCM 1", tmp, cipher, plain_len); + check_equals("KAT CCM 2", out, tag, tag_len); + + br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len); + br_ccm_aad_inject(&ec, aad, aad_len); + br_ccm_flip(&ec); + br_ccm_run(&ec, 0, tmp, plain_len); + check_equals("KAT CCM 3", tmp, plain, plain_len); + if (!br_ccm_check_tag(&ec, tag)) { + fprintf(stderr, "Tag not verified (1)\n"); + exit(EXIT_FAILURE); + } + + for (v = plain_len; v < sizeof tmp; v ++) { + if (tmp[v] != 0x54) { + fprintf(stderr, "overflow on data\n"); + exit(EXIT_FAILURE); + } + } + + /* + * Byte-by-byte injection. + */ + br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len); + for (v = 0; v < aad_len; v ++) { + br_ccm_aad_inject(&ec, aad + v, 1); + } + br_ccm_flip(&ec); + for (v = 0; v < plain_len; v ++) { + br_ccm_run(&ec, 1, tmp + v, 1); + } + check_equals("KAT CCM 4", tmp, cipher, plain_len); + if (!br_ccm_check_tag(&ec, tag)) { + fprintf(stderr, "Tag not verified (2)\n"); + exit(EXIT_FAILURE); + } + + br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len); + for (v = 0; v < aad_len; v ++) { + br_ccm_aad_inject(&ec, aad + v, 1); + } + br_ccm_flip(&ec); + for (v = 0; v < plain_len; v ++) { + br_ccm_run(&ec, 0, tmp + v, 1); + } + br_ccm_get_tag(&ec, out); + check_equals("KAT CCM 5", tmp, plain, plain_len); + check_equals("KAT CCM 6", out, tag, tag_len); + + /* + * Check that alterations are detected. + */ + for (v = 0; v < aad_len; v ++) { + memcpy(tmp, cipher, plain_len); + br_ccm_reset(&ec, nonce, nonce_len, + aad_len, plain_len, tag_len); + aad[v] ^= 0x04; + br_ccm_aad_inject(&ec, aad, aad_len); + aad[v] ^= 0x04; + br_ccm_flip(&ec); + br_ccm_run(&ec, 0, tmp, plain_len); + check_equals("KAT CCM 7", tmp, plain, plain_len); + if (br_ccm_check_tag(&ec, tag)) { + fprintf(stderr, "Tag should have changed\n"); + exit(EXIT_FAILURE); + } + + /* + * When the AAD is really big, we don't want to do + * the complete quadratic operation. + */ + if (v >= 32) { + break; + } + } + + if (aad != aad_buf) { + free(aad); + } + + printf("."); + fflush(stdout); + } + + printf(" done.\n"); + fflush(stdout); +} + +static void +test_CCM(void) +{ + const br_block_ctrcbc_class *x_ctrcbc; + + test_CCM_inner("aes_big", &br_aes_big_ctrcbc_vtable); + test_CCM_inner("aes_small", &br_aes_small_ctrcbc_vtable); + test_CCM_inner("aes_ct", &br_aes_ct_ctrcbc_vtable); + test_CCM_inner("aes_ct64", &br_aes_ct64_ctrcbc_vtable); + + x_ctrcbc = br_aes_x86ni_ctrcbc_get_vtable(); + if (x_ctrcbc != NULL) { + test_CCM_inner("aes_x86ni", x_ctrcbc); + } else { + printf("Test CCM aes_x86ni: UNAVAILABLE\n"); + } +} + static void test_EC_inner(const char *sk, const char *sU, const br_ec_impl *impl, int curve) @@ -6201,6 +6911,11 @@ static const struct { STU(AES_ct64), STU(AES_pwr8), STU(AES_x86ni), + STU(AES_CTRCBC_big), + STU(AES_CTRCBC_small), + STU(AES_CTRCBC_ct), + STU(AES_CTRCBC_ct64), + STU(AES_CTRCBC_x86ni), STU(DES_tab), STU(DES_ct), STU(ChaCha20_ct), @@ -6218,6 +6933,8 @@ static const struct { STU(GHASH_ctmul64), STU(GHASH_pclmul), STU(GHASH_pwr8), + STU(CCM), + STU(EAX), STU(GCM), STU(EC_prime_i15), STU(EC_prime_i31), diff --git a/test/test_speed.c b/test/test_speed.c index 296e914..245a840 100644 --- a/test/test_speed.c +++ b/test/test_speed.c @@ -443,6 +443,82 @@ test_speed_poly1305_i15(void) test_speed_poly1305_inner("Poly1305 (i15)", &br_poly1305_i15_run); } +static void +test_speed_eax_inner(char *name, + const br_block_ctrcbc_class *vt, size_t key_len) +{ + unsigned char buf[8192], key[32], nonce[16], aad[16], tag[16]; + int i; + long num; + br_aes_gen_ctrcbc_keys ac; + br_eax_context ec; + + memset(key, 'K', key_len); + memset(nonce, 'N', sizeof nonce); + memset(aad, 'A', sizeof aad); + memset(buf, 'T', sizeof buf); + for (i = 0; i < 10; i ++) { + vt->init(&ac.vtable, key, key_len); + br_eax_init(&ec, &ac.vtable); + br_eax_reset(&ec, nonce, sizeof nonce); + br_eax_aad_inject(&ec, aad, sizeof aad); + br_eax_flip(&ec); + br_eax_run(&ec, 1, buf, sizeof buf); + br_eax_get_tag(&ec, tag); + } + num = 10; + for (;;) { + clock_t begin, end; + double tt; + long k; + + begin = clock(); + for (k = num; k > 0; k --) { + vt->init(&ac.vtable, key, key_len); + br_eax_init(&ec, &ac.vtable); + br_eax_reset(&ec, nonce, sizeof nonce); + br_eax_aad_inject(&ec, aad, sizeof aad); + br_eax_flip(&ec); + br_eax_run(&ec, 1, buf, sizeof buf); + br_eax_get_tag(&ec, tag); + } + end = clock(); + tt = (double)(end - begin) / CLOCKS_PER_SEC; + if (tt >= 2.0) { + printf("%-30s %8.2f MB/s\n", name, + ((double)sizeof buf) * (double)num + / (tt * 1000000.0)); + fflush(stdout); + return; + } + num <<= 1; + } +} + +#define SPEED_EAX(Algo, algo, keysize, impl) \ +static void \ +test_speed_eax_ ## algo ## keysize ## _ ## impl(void) \ +{ \ + test_speed_eax_inner("EAX " #Algo "-" #keysize "(" #impl ")", \ + &br_ ## algo ## _ ## impl ## _ctrcbc_vtable, (keysize) >> 3); \ +} + +SPEED_EAX(AES, aes, 128, big) +SPEED_EAX(AES, aes, 128, small) +SPEED_EAX(AES, aes, 128, ct) +SPEED_EAX(AES, aes, 128, ct64) +SPEED_EAX(AES, aes, 128, x86ni) +SPEED_EAX(AES, aes, 192, big) +SPEED_EAX(AES, aes, 192, small) +SPEED_EAX(AES, aes, 192, ct) +SPEED_EAX(AES, aes, 192, ct64) +SPEED_EAX(AES, aes, 192, x86ni) +SPEED_EAX(AES, aes, 256, big) +SPEED_EAX(AES, aes, 256, small) +SPEED_EAX(AES, aes, 256, ct) +SPEED_EAX(AES, aes, 256, ct64) +SPEED_EAX(AES, aes, 256, x86ni) + static const unsigned char RSA_N[] = { 0xE9, 0xF2, 0x4A, 0x2F, 0x96, 0xDF, 0x0A, 0x23, 0x01, 0x85, 0xF1, 0x2C, 0xB2, 0xA8, 0xEF, 0x23, @@ -1300,6 +1376,22 @@ static const struct { STU(poly1305_ctmulq), STU(poly1305_i15), + STU(eax_aes128_big), + STU(eax_aes192_big), + STU(eax_aes256_big), + STU(eax_aes128_small), + STU(eax_aes192_small), + STU(eax_aes256_small), + STU(eax_aes128_ct), + STU(eax_aes192_ct), + STU(eax_aes256_ct), + STU(eax_aes128_ct64), + STU(eax_aes192_ct64), + STU(eax_aes256_ct64), + STU(eax_aes128_x86ni), + STU(eax_aes192_x86ni), + STU(eax_aes256_x86ni), + STU(rsa_i15), STU(rsa_i31), STU(rsa_i32), -- 2.17.1 From 4cbe51b0d039c7afc477009cf7f327f8de9da487 Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Thu, 2 Nov 2017 13:52:49 +0100 Subject: [PATCH 15/16] Make Rules.mk more compatible with merges and local diffs. --- mk/Rules.mk | 265 +++++++++++++++++++++++++++++++++++++++++++++++++- mk/mkrules.sh | 10 +- 2 files changed, 265 insertions(+), 10 deletions(-) diff --git a/mk/Rules.mk b/mk/Rules.mk index 2a281ff..15a95b3 100644 --- a/mk/Rules.mk +++ b/mk/Rules.mk @@ -1,10 +1,265 @@ # Automatically generated rules. Use 'mkrules.sh' to modify/regenerate. -OBJ = $(OBJDIR)$Psettings$O $(OBJDIR)$Pccm$O $(OBJDIR)$Peax$O $(OBJDIR)$Pgcm$O $(OBJDIR)$Pccopy$O $(OBJDIR)$Pdec16be$O $(OBJDIR)$Pdec16le$O $(OBJDIR)$Pdec32be$O $(OBJDIR)$Pdec32le$O $(OBJDIR)$Pdec64be$O $(OBJDIR)$Pdec64le$O $(OBJDIR)$Penc16be$O $(OBJDIR)$Penc16le$O $(OBJDIR)$Penc32be$O $(OBJDIR)$Penc32le$O $(OBJDIR)$Penc64be$O $(OBJDIR)$Penc64le$O $(OBJDIR)$Ppemdec$O $(OBJDIR)$Pec_all_m15$O $(OBJDIR)$Pec_all_m31$O $(OBJDIR)$Pec_c25519_i15$O $(OBJDIR)$Pec_c25519_i31$O $(OBJDIR)$Pec_c25519_m15$O $(OBJDIR)$Pec_c25519_m31$O $(OBJDIR)$Pec_curve25519$O $(OBJDIR)$Pec_default$O $(OBJDIR)$Pec_p256_m15$O $(OBJDIR)$Pec_p256_m31$O $(OBJDIR)$Pec_prime_i15$O $(OBJDIR)$Pec_prime_i31$O $(OBJDIR)$Pec_secp256r1$O $(OBJDIR)$Pec_secp384r1$O $(OBJDIR)$Pec_secp521r1$O $(OBJDIR)$Pecdsa_atr$O $(OBJDIR)$Pecdsa_default_sign_asn1$O $(OBJDIR)$Pecdsa_default_sign_raw$O $(OBJDIR)$Pecdsa_default_vrfy_asn1$O $(OBJDIR)$Pecdsa_default_vrfy_raw$O $(OBJDIR)$Pecdsa_i15_bits$O $(OBJDIR)$Pecdsa_i15_sign_asn1$O $(OBJDIR)$Pecdsa_i15_sign_raw$O $(OBJDIR)$Pecdsa_i15_vrfy_asn1$O $(OBJDIR)$Pecdsa_i15_vrfy_raw$O $(OBJDIR)$Pecdsa_i31_bits$O $(OBJDIR)$Pecdsa_i31_sign_asn1$O $(OBJDIR)$Pecdsa_i31_sign_raw$O $(OBJDIR)$Pecdsa_i31_vrfy_asn1$O $(OBJDIR)$Pecdsa_i31_vrfy_raw$O $(OBJDIR)$Pecdsa_rta$O $(OBJDIR)$Pdig_oid$O $(OBJDIR)$Pdig_size$O $(OBJDIR)$Pghash_ctmul$O $(OBJDIR)$Pghash_ctmul32$O $(OBJDIR)$Pghash_ctmul64$O $(OBJDIR)$Pghash_pclmul$O $(OBJDIR)$Pghash_pwr8$O $(OBJDIR)$Pmd5$O $(OBJDIR)$Pmd5sha1$O $(OBJDIR)$Pmultihash$O $(OBJDIR)$Psha1$O $(OBJDIR)$Psha2big$O $(OBJDIR)$Psha2small$O $(OBJDIR)$Pi15_add$O $(OBJDIR)$Pi15_bitlen$O $(OBJDIR)$Pi15_decmod$O $(OBJDIR)$Pi15_decode$O $(OBJDIR)$Pi15_decred$O $(OBJDIR)$Pi15_encode$O $(OBJDIR)$Pi15_fmont$O $(OBJDIR)$Pi15_iszero$O $(OBJDIR)$Pi15_modpow$O $(OBJDIR)$Pi15_modpow2$O $(OBJDIR)$Pi15_montmul$O $(OBJDIR)$Pi15_mulacc$O $(OBJDIR)$Pi15_muladd$O $(OBJDIR)$Pi15_ninv15$O $(OBJDIR)$Pi15_reduce$O $(OBJDIR)$Pi15_rshift$O $(OBJDIR)$Pi15_sub$O $(OBJDIR)$Pi15_tmont$O $(OBJDIR)$Pi31_add$O $(OBJDIR)$Pi31_bitlen$O $(OBJDIR)$Pi31_decmod$O $(OBJDIR)$Pi31_decode$O $(OBJDIR)$Pi31_decred$O $(OBJDIR)$Pi31_encode$O $(OBJDIR)$Pi31_fmont$O $(OBJDIR)$Pi31_iszero$O $(OBJDIR)$Pi31_modpow$O $(OBJDIR)$Pi31_modpow2$O $(OBJDIR)$Pi31_montmul$O $(OBJDIR)$Pi31_mulacc$O $(OBJDIR)$Pi31_muladd$O $(OBJDIR)$Pi31_ninv31$O $(OBJDIR)$Pi31_reduce$O $(OBJDIR)$Pi31_rshift$O $(OBJDIR)$Pi31_sub$O $(OBJDIR)$Pi31_tmont$O $(OBJDIR)$Pi32_add$O $(OBJDIR)$Pi32_bitlen$O $(OBJDIR)$Pi32_decmod$O $(OBJDIR)$Pi32_decode$O $(OBJDIR)$Pi32_decred$O $(OBJDIR)$Pi32_div32$O $(OBJDIR)$Pi32_encode$O $(OBJDIR)$Pi32_fmont$O $(OBJDIR)$Pi32_iszero$O $(OBJDIR)$Pi32_modpow$O $(OBJDIR)$Pi32_montmul$O $(OBJDIR)$Pi32_mulacc$O $(OBJDIR)$Pi32_muladd$O $(OBJDIR)$Pi32_ninv32$O $(OBJDIR)$Pi32_reduce$O $(OBJDIR)$Pi32_sub$O $(OBJDIR)$Pi32_tmont$O $(OBJDIR)$Pi62_modpow2$O $(OBJDIR)$Phmac$O $(OBJDIR)$Phmac_ct$O $(OBJDIR)$Phmac_drbg$O $(OBJDIR)$Psysrng$O $(OBJDIR)$Prsa_default_pkcs1_sign$O $(OBJDIR)$Prsa_default_pkcs1_vrfy$O $(OBJDIR)$Prsa_default_priv$O $(OBJDIR)$Prsa_default_pub$O $(OBJDIR)$Prsa_i15_pkcs1_sign$O $(OBJDIR)$Prsa_i15_pkcs1_vrfy$O $(OBJDIR)$Prsa_i15_priv$O $(OBJDIR)$Prsa_i15_pub$O $(OBJDIR)$Prsa_i31_pkcs1_sign$O $(OBJDIR)$Prsa_i31_pkcs1_vrfy$O $(OBJDIR)$Prsa_i31_priv$O $(OBJDIR)$Prsa_i31_pub$O $(OBJDIR)$Prsa_i32_pkcs1_sign$O $(OBJDIR)$Prsa_i32_pkcs1_vrfy$O $(OBJDIR)$Prsa_i32_priv$O $(OBJDIR)$Prsa_i32_pub$O $(OBJDIR)$Prsa_i62_pkcs1_sign$O $(OBJDIR)$Prsa_i62_pkcs1_vrfy$O $(OBJDIR)$Prsa_i62_priv$O $(OBJDIR)$Prsa_i62_pub$O $(OBJDIR)$Prsa_pkcs1_sig_pad$O $(OBJDIR)$Prsa_pkcs1_sig_unpad$O $(OBJDIR)$Prsa_ssl_decrypt$O $(OBJDIR)$Pprf$O $(OBJDIR)$Pprf_md5sha1$O $(OBJDIR)$Pprf_sha256$O $(OBJDIR)$Pprf_sha384$O $(OBJDIR)$Pssl_ccert_single_ec$O $(OBJDIR)$Pssl_ccert_single_rsa$O $(OBJDIR)$Pssl_client$O $(OBJDIR)$Pssl_client_default_rsapub$O $(OBJDIR)$Pssl_client_full$O $(OBJDIR)$Pssl_engine$O $(OBJDIR)$Pssl_engine_default_aescbc$O $(OBJDIR)$Pssl_engine_default_aesgcm$O $(OBJDIR)$Pssl_engine_default_chapol$O $(OBJDIR)$Pssl_engine_default_descbc$O $(OBJDIR)$Pssl_engine_default_ec$O $(OBJDIR)$Pssl_engine_default_ecdsa$O $(OBJDIR)$Pssl_engine_default_rsavrfy$O $(OBJDIR)$Pssl_hashes$O $(OBJDIR)$Pssl_hs_client$O $(OBJDIR)$Pssl_hs_server$O $(OBJDIR)$Pssl_io$O $(OBJDIR)$Pssl_keyexport$O $(OBJDIR)$Pssl_lru$O $(OBJDIR)$Pssl_rec_cbc$O $(OBJDIR)$Pssl_rec_chapol$O $(OBJDIR)$Pssl_rec_gcm$O $(OBJDIR)$Pssl_scert_single_ec$O $(OBJDIR)$Pssl_scert_single_rsa$O $(OBJDIR)$Pssl_server$O $(OBJDIR)$Pssl_server_full_ec$O $(OBJDIR)$Pssl_server_full_rsa$O $(OBJDIR)$Pssl_server_mine2c$O $(OBJDIR)$Pssl_server_mine2g$O $(OBJDIR)$Pssl_server_minf2c$O $(OBJDIR)$Pssl_server_minf2g$O $(OBJDIR)$Pssl_server_minr2g$O $(OBJDIR)$Pssl_server_minu2g$O $(OBJDIR)$Pssl_server_minv2g$O $(OBJDIR)$Paes_big_cbcdec$O $(OBJDIR)$Paes_big_cbcenc$O $(OBJDIR)$Paes_big_ctr$O $(OBJDIR)$Paes_big_ctrcbc$O $(OBJDIR)$Paes_big_dec$O $(OBJDIR)$Paes_big_enc$O $(OBJDIR)$Paes_common$O $(OBJDIR)$Paes_ct$O $(OBJDIR)$Paes_ct64$O $(OBJDIR)$Paes_ct64_cbcdec$O $(OBJDIR)$Paes_ct64_cbcenc$O $(OBJDIR)$Paes_ct64_ctr$O $(OBJDIR)$Paes_ct64_ctrcbc$O $(OBJDIR)$Paes_ct64_dec$O $(OBJDIR)$Paes_ct64_enc$O $(OBJDIR)$Paes_ct_cbcdec$O $(OBJDIR)$Paes_ct_cbcenc$O $(OBJDIR)$Paes_ct_ctr$O $(OBJDIR)$Paes_ct_ctrcbc$O $(OBJDIR)$Paes_ct_dec$O $(OBJDIR)$Paes_ct_enc$O $(OBJDIR)$Paes_pwr8$O $(OBJDIR)$Paes_pwr8_cbcdec$O $(OBJDIR)$Paes_pwr8_cbcenc$O $(OBJDIR)$Paes_pwr8_ctr$O $(OBJDIR)$Paes_small_cbcdec$O $(OBJDIR)$Paes_small_cbcenc$O $(OBJDIR)$Paes_small_ctr$O $(OBJDIR)$Paes_small_ctrcbc$O $(OBJDIR)$Paes_small_dec$O $(OBJDIR)$Paes_small_enc$O $(OBJDIR)$Paes_x86ni$O $(OBJDIR)$Paes_x86ni_cbcdec$O $(OBJDIR)$Paes_x86ni_cbcenc$O $(OBJDIR)$Paes_x86ni_ctr$O $(OBJDIR)$Paes_x86ni_ctrcbc$O $(OBJDIR)$Pchacha20_ct$O $(OBJDIR)$Pchacha20_sse2$O $(OBJDIR)$Pdes_ct$O $(OBJDIR)$Pdes_ct_cbcdec$O $(OBJDIR)$Pdes_ct_cbcenc$O $(OBJDIR)$Pdes_support$O $(OBJDIR)$Pdes_tab$O $(OBJDIR)$Pdes_tab_cbcdec$O $(OBJDIR)$Pdes_tab_cbcenc$O $(OBJDIR)$Ppoly1305_ctmul$O $(OBJDIR)$Ppoly1305_ctmul32$O $(OBJDIR)$Ppoly1305_ctmulq$O $(OBJDIR)$Ppoly1305_i15$O $(OBJDIR)$Pskey_decoder$O $(OBJDIR)$Px509_decoder$O $(OBJDIR)$Px509_knownkey$O $(OBJDIR)$Px509_minimal$O $(OBJDIR)$Px509_minimal_full$O -OBJBRSSL = $(OBJDIR)$Pbrssl$O $(OBJDIR)$Pcerts$O $(OBJDIR)$Pchain$O $(OBJDIR)$Pclient$O $(OBJDIR)$Perrors$O $(OBJDIR)$Pfiles$O $(OBJDIR)$Pimpl$O $(OBJDIR)$Pkeys$O $(OBJDIR)$Pnames$O $(OBJDIR)$Pserver$O $(OBJDIR)$Pskey$O $(OBJDIR)$Psslio$O $(OBJDIR)$Pta$O $(OBJDIR)$Ptwrch$O $(OBJDIR)$Pvector$O $(OBJDIR)$Pverify$O $(OBJDIR)$Pxmem$O -OBJTESTCRYPTO = $(OBJDIR)$Ptest_crypto$O -OBJTESTSPEED = $(OBJDIR)$Ptest_speed$O -OBJTESTX509 = $(OBJDIR)$Ptest_x509$O +OBJ = \ + $(OBJDIR)$Psettings$O \ + $(OBJDIR)$Pccm$O \ + $(OBJDIR)$Peax$O \ + $(OBJDIR)$Pgcm$O \ + $(OBJDIR)$Pccopy$O \ + $(OBJDIR)$Pdec16be$O \ + $(OBJDIR)$Pdec16le$O \ + $(OBJDIR)$Pdec32be$O \ + $(OBJDIR)$Pdec32le$O \ + $(OBJDIR)$Pdec64be$O \ + $(OBJDIR)$Pdec64le$O \ + $(OBJDIR)$Penc16be$O \ + $(OBJDIR)$Penc16le$O \ + $(OBJDIR)$Penc32be$O \ + $(OBJDIR)$Penc32le$O \ + $(OBJDIR)$Penc64be$O \ + $(OBJDIR)$Penc64le$O \ + $(OBJDIR)$Ppemdec$O \ + $(OBJDIR)$Pec_all_m15$O \ + $(OBJDIR)$Pec_all_m31$O \ + $(OBJDIR)$Pec_c25519_i15$O \ + $(OBJDIR)$Pec_c25519_i31$O \ + $(OBJDIR)$Pec_c25519_m15$O \ + $(OBJDIR)$Pec_c25519_m31$O \ + $(OBJDIR)$Pec_curve25519$O \ + $(OBJDIR)$Pec_default$O \ + $(OBJDIR)$Pec_p256_m15$O \ + $(OBJDIR)$Pec_p256_m31$O \ + $(OBJDIR)$Pec_prime_i15$O \ + $(OBJDIR)$Pec_prime_i31$O \ + $(OBJDIR)$Pec_secp256r1$O \ + $(OBJDIR)$Pec_secp384r1$O \ + $(OBJDIR)$Pec_secp521r1$O \ + $(OBJDIR)$Pecdsa_atr$O \ + $(OBJDIR)$Pecdsa_default_sign_asn1$O \ + $(OBJDIR)$Pecdsa_default_sign_raw$O \ + $(OBJDIR)$Pecdsa_default_vrfy_asn1$O \ + $(OBJDIR)$Pecdsa_default_vrfy_raw$O \ + $(OBJDIR)$Pecdsa_i15_bits$O \ + $(OBJDIR)$Pecdsa_i15_sign_asn1$O \ + $(OBJDIR)$Pecdsa_i15_sign_raw$O \ + $(OBJDIR)$Pecdsa_i15_vrfy_asn1$O \ + $(OBJDIR)$Pecdsa_i15_vrfy_raw$O \ + $(OBJDIR)$Pecdsa_i31_bits$O \ + $(OBJDIR)$Pecdsa_i31_sign_asn1$O \ + $(OBJDIR)$Pecdsa_i31_sign_raw$O \ + $(OBJDIR)$Pecdsa_i31_vrfy_asn1$O \ + $(OBJDIR)$Pecdsa_i31_vrfy_raw$O \ + $(OBJDIR)$Pecdsa_rta$O \ + $(OBJDIR)$Pdig_oid$O \ + $(OBJDIR)$Pdig_size$O \ + $(OBJDIR)$Pghash_ctmul$O \ + $(OBJDIR)$Pghash_ctmul32$O \ + $(OBJDIR)$Pghash_ctmul64$O \ + $(OBJDIR)$Pghash_pclmul$O \ + $(OBJDIR)$Pghash_pwr8$O \ + $(OBJDIR)$Pmd5$O \ + $(OBJDIR)$Pmd5sha1$O \ + $(OBJDIR)$Pmultihash$O \ + $(OBJDIR)$Psha1$O \ + $(OBJDIR)$Psha2big$O \ + $(OBJDIR)$Psha2small$O \ + $(OBJDIR)$Pi15_add$O \ + $(OBJDIR)$Pi15_bitlen$O \ + $(OBJDIR)$Pi15_decmod$O \ + $(OBJDIR)$Pi15_decode$O \ + $(OBJDIR)$Pi15_decred$O \ + $(OBJDIR)$Pi15_encode$O \ + $(OBJDIR)$Pi15_fmont$O \ + $(OBJDIR)$Pi15_iszero$O \ + $(OBJDIR)$Pi15_modpow$O \ + $(OBJDIR)$Pi15_modpow2$O \ + $(OBJDIR)$Pi15_montmul$O \ + $(OBJDIR)$Pi15_mulacc$O \ + $(OBJDIR)$Pi15_muladd$O \ + $(OBJDIR)$Pi15_ninv15$O \ + $(OBJDIR)$Pi15_reduce$O \ + $(OBJDIR)$Pi15_rshift$O \ + $(OBJDIR)$Pi15_sub$O \ + $(OBJDIR)$Pi15_tmont$O \ + $(OBJDIR)$Pi31_add$O \ + $(OBJDIR)$Pi31_bitlen$O \ + $(OBJDIR)$Pi31_decmod$O \ + $(OBJDIR)$Pi31_decode$O \ + $(OBJDIR)$Pi31_decred$O \ + $(OBJDIR)$Pi31_encode$O \ + $(OBJDIR)$Pi31_fmont$O \ + $(OBJDIR)$Pi31_iszero$O \ + $(OBJDIR)$Pi31_modpow$O \ + $(OBJDIR)$Pi31_modpow2$O \ + $(OBJDIR)$Pi31_montmul$O \ + $(OBJDIR)$Pi31_mulacc$O \ + $(OBJDIR)$Pi31_muladd$O \ + $(OBJDIR)$Pi31_ninv31$O \ + $(OBJDIR)$Pi31_reduce$O \ + $(OBJDIR)$Pi31_rshift$O \ + $(OBJDIR)$Pi31_sub$O \ + $(OBJDIR)$Pi31_tmont$O \ + $(OBJDIR)$Pi32_add$O \ + $(OBJDIR)$Pi32_bitlen$O \ + $(OBJDIR)$Pi32_decmod$O \ + $(OBJDIR)$Pi32_decode$O \ + $(OBJDIR)$Pi32_decred$O \ + $(OBJDIR)$Pi32_div32$O \ + $(OBJDIR)$Pi32_encode$O \ + $(OBJDIR)$Pi32_fmont$O \ + $(OBJDIR)$Pi32_iszero$O \ + $(OBJDIR)$Pi32_modpow$O \ + $(OBJDIR)$Pi32_montmul$O \ + $(OBJDIR)$Pi32_mulacc$O \ + $(OBJDIR)$Pi32_muladd$O \ + $(OBJDIR)$Pi32_ninv32$O \ + $(OBJDIR)$Pi32_reduce$O \ + $(OBJDIR)$Pi32_sub$O \ + $(OBJDIR)$Pi32_tmont$O \ + $(OBJDIR)$Pi62_modpow2$O \ + $(OBJDIR)$Phmac$O \ + $(OBJDIR)$Phmac_ct$O \ + $(OBJDIR)$Phmac_drbg$O \ + $(OBJDIR)$Psysrng$O \ + $(OBJDIR)$Prsa_default_pkcs1_sign$O \ + $(OBJDIR)$Prsa_default_pkcs1_vrfy$O \ + $(OBJDIR)$Prsa_default_priv$O \ + $(OBJDIR)$Prsa_default_pub$O \ + $(OBJDIR)$Prsa_i15_pkcs1_sign$O \ + $(OBJDIR)$Prsa_i15_pkcs1_vrfy$O \ + $(OBJDIR)$Prsa_i15_priv$O \ + $(OBJDIR)$Prsa_i15_pub$O \ + $(OBJDIR)$Prsa_i31_pkcs1_sign$O \ + $(OBJDIR)$Prsa_i31_pkcs1_vrfy$O \ + $(OBJDIR)$Prsa_i31_priv$O \ + $(OBJDIR)$Prsa_i31_pub$O \ + $(OBJDIR)$Prsa_i32_pkcs1_sign$O \ + $(OBJDIR)$Prsa_i32_pkcs1_vrfy$O \ + $(OBJDIR)$Prsa_i32_priv$O \ + $(OBJDIR)$Prsa_i32_pub$O \ + $(OBJDIR)$Prsa_i62_pkcs1_sign$O \ + $(OBJDIR)$Prsa_i62_pkcs1_vrfy$O \ + $(OBJDIR)$Prsa_i62_priv$O \ + $(OBJDIR)$Prsa_i62_pub$O \ + $(OBJDIR)$Prsa_pkcs1_sig_pad$O \ + $(OBJDIR)$Prsa_pkcs1_sig_unpad$O \ + $(OBJDIR)$Prsa_ssl_decrypt$O \ + $(OBJDIR)$Pprf$O \ + $(OBJDIR)$Pprf_md5sha1$O \ + $(OBJDIR)$Pprf_sha256$O \ + $(OBJDIR)$Pprf_sha384$O \ + $(OBJDIR)$Pssl_ccert_single_ec$O \ + $(OBJDIR)$Pssl_ccert_single_rsa$O \ + $(OBJDIR)$Pssl_client$O \ + $(OBJDIR)$Pssl_client_default_rsapub$O \ + $(OBJDIR)$Pssl_client_full$O \ + $(OBJDIR)$Pssl_engine$O \ + $(OBJDIR)$Pssl_engine_default_aescbc$O \ + $(OBJDIR)$Pssl_engine_default_aesgcm$O \ + $(OBJDIR)$Pssl_engine_default_chapol$O \ + $(OBJDIR)$Pssl_engine_default_descbc$O \ + $(OBJDIR)$Pssl_engine_default_ec$O \ + $(OBJDIR)$Pssl_engine_default_ecdsa$O \ + $(OBJDIR)$Pssl_engine_default_rsavrfy$O \ + $(OBJDIR)$Pssl_hashes$O \ + $(OBJDIR)$Pssl_hs_client$O \ + $(OBJDIR)$Pssl_hs_server$O \ + $(OBJDIR)$Pssl_io$O \ + $(OBJDIR)$Pssl_keyexport$O \ + $(OBJDIR)$Pssl_lru$O \ + $(OBJDIR)$Pssl_rec_cbc$O \ + $(OBJDIR)$Pssl_rec_chapol$O \ + $(OBJDIR)$Pssl_rec_gcm$O \ + $(OBJDIR)$Pssl_scert_single_ec$O \ + $(OBJDIR)$Pssl_scert_single_rsa$O \ + $(OBJDIR)$Pssl_server$O \ + $(OBJDIR)$Pssl_server_full_ec$O \ + $(OBJDIR)$Pssl_server_full_rsa$O \ + $(OBJDIR)$Pssl_server_mine2c$O \ + $(OBJDIR)$Pssl_server_mine2g$O \ + $(OBJDIR)$Pssl_server_minf2c$O \ + $(OBJDIR)$Pssl_server_minf2g$O \ + $(OBJDIR)$Pssl_server_minr2g$O \ + $(OBJDIR)$Pssl_server_minu2g$O \ + $(OBJDIR)$Pssl_server_minv2g$O \ + $(OBJDIR)$Paes_big_cbcdec$O \ + $(OBJDIR)$Paes_big_cbcenc$O \ + $(OBJDIR)$Paes_big_ctr$O \ + $(OBJDIR)$Paes_big_ctrcbc$O \ + $(OBJDIR)$Paes_big_dec$O \ + $(OBJDIR)$Paes_big_enc$O \ + $(OBJDIR)$Paes_common$O \ + $(OBJDIR)$Paes_ct$O \ + $(OBJDIR)$Paes_ct64$O \ + $(OBJDIR)$Paes_ct64_cbcdec$O \ + $(OBJDIR)$Paes_ct64_cbcenc$O \ + $(OBJDIR)$Paes_ct64_ctr$O \ + $(OBJDIR)$Paes_ct64_ctrcbc$O \ + $(OBJDIR)$Paes_ct64_dec$O \ + $(OBJDIR)$Paes_ct64_enc$O \ + $(OBJDIR)$Paes_ct_cbcdec$O \ + $(OBJDIR)$Paes_ct_cbcenc$O \ + $(OBJDIR)$Paes_ct_ctr$O \ + $(OBJDIR)$Paes_ct_ctrcbc$O \ + $(OBJDIR)$Paes_ct_dec$O \ + $(OBJDIR)$Paes_ct_enc$O \ + $(OBJDIR)$Paes_pwr8$O \ + $(OBJDIR)$Paes_pwr8_cbcdec$O \ + $(OBJDIR)$Paes_pwr8_cbcenc$O \ + $(OBJDIR)$Paes_pwr8_ctr$O \ + $(OBJDIR)$Paes_small_cbcdec$O \ + $(OBJDIR)$Paes_small_cbcenc$O \ + $(OBJDIR)$Paes_small_ctr$O \ + $(OBJDIR)$Paes_small_ctrcbc$O \ + $(OBJDIR)$Paes_small_dec$O \ + $(OBJDIR)$Paes_small_enc$O \ + $(OBJDIR)$Paes_x86ni$O \ + $(OBJDIR)$Paes_x86ni_cbcdec$O \ + $(OBJDIR)$Paes_x86ni_cbcenc$O \ + $(OBJDIR)$Paes_x86ni_ctr$O \ + $(OBJDIR)$Paes_x86ni_ctrcbc$O \ + $(OBJDIR)$Pchacha20_ct$O \ + $(OBJDIR)$Pchacha20_sse2$O \ + $(OBJDIR)$Pdes_ct$O \ + $(OBJDIR)$Pdes_ct_cbcdec$O \ + $(OBJDIR)$Pdes_ct_cbcenc$O \ + $(OBJDIR)$Pdes_support$O \ + $(OBJDIR)$Pdes_tab$O \ + $(OBJDIR)$Pdes_tab_cbcdec$O \ + $(OBJDIR)$Pdes_tab_cbcenc$O \ + $(OBJDIR)$Ppoly1305_ctmul$O \ + $(OBJDIR)$Ppoly1305_ctmul32$O \ + $(OBJDIR)$Ppoly1305_ctmulq$O \ + $(OBJDIR)$Ppoly1305_i15$O \ + $(OBJDIR)$Pskey_decoder$O \ + $(OBJDIR)$Px509_decoder$O \ + $(OBJDIR)$Px509_knownkey$O \ + $(OBJDIR)$Px509_minimal$O \ + $(OBJDIR)$Px509_minimal_full$O +OBJBRSSL = \ + $(OBJDIR)$Pbrssl$O \ + $(OBJDIR)$Pcerts$O \ + $(OBJDIR)$Pchain$O \ + $(OBJDIR)$Pclient$O \ + $(OBJDIR)$Perrors$O \ + $(OBJDIR)$Pfiles$O \ + $(OBJDIR)$Pimpl$O \ + $(OBJDIR)$Pkeys$O \ + $(OBJDIR)$Pnames$O \ + $(OBJDIR)$Pserver$O \ + $(OBJDIR)$Pskey$O \ + $(OBJDIR)$Psslio$O \ + $(OBJDIR)$Pta$O \ + $(OBJDIR)$Ptwrch$O \ + $(OBJDIR)$Pvector$O \ + $(OBJDIR)$Pverify$O \ + $(OBJDIR)$Pxmem$O +OBJTESTCRYPTO = \ + $(OBJDIR)$Ptest_crypto$O +OBJTESTSPEED = \ + $(OBJDIR)$Ptest_speed$O +OBJTESTX509 = \ + $(OBJDIR)$Ptest_x509$O HEADERSPUB = inc$Pbearssl.h inc$Pbearssl_aead.h inc$Pbearssl_block.h inc$Pbearssl_ec.h inc$Pbearssl_hash.h inc$Pbearssl_hmac.h inc$Pbearssl_pem.h inc$Pbearssl_prf.h inc$Pbearssl_rand.h inc$Pbearssl_rsa.h inc$Pbearssl_ssl.h inc$Pbearssl_x509.h HEADERSPRIV = $(HEADERSPUB) src$Pconfig.h src$Pinner.h HEADERSTOOLS = $(HEADERSPUB) tools$Pbrssl.h diff --git a/mk/mkrules.sh b/mk/mkrules.sh index 2fd1f0f..8df63f4 100755 --- a/mk/mkrules.sh +++ b/mk/mkrules.sh @@ -392,23 +392,23 @@ EOF (printf "\nOBJ =" for f in $coresrc ; do - printf ' $(OBJDIR)$P%s' "$(basename "$f" .c)\$O" + printf ' \\\n $(OBJDIR)$P%s' "$(basename "$f" .c)\$O" done printf "\nOBJBRSSL =" for f in $toolssrc ; do - printf ' $(OBJDIR)$P%s' "$(basename "$f" .c)\$O" + printf ' \\\n $(OBJDIR)$P%s' "$(basename "$f" .c)\$O" done printf "\nOBJTESTCRYPTO =" for f in $testcryptosrc ; do - printf ' $(OBJDIR)$P%s' "$(basename "$f" .c)\$O" + printf ' \\\n $(OBJDIR)$P%s' "$(basename "$f" .c)\$O" done printf "\nOBJTESTSPEED =" for f in $testspeedsrc ; do - printf ' $(OBJDIR)$P%s' "$(basename "$f" .c)\$O" + printf ' \\\n $(OBJDIR)$P%s' "$(basename "$f" .c)\$O" done printf "\nOBJTESTX509 =" for f in $testx509src ; do - printf ' $(OBJDIR)$P%s' "$(basename "$f" .c)\$O" + printf ' \\\n $(OBJDIR)$P%s' "$(basename "$f" .c)\$O" done printf "\nHEADERSPUB =" for f in $headerspub ; do -- 2.17.1 From e51143dc16b44f8160d06b2e6203176f3510c349 Mon Sep 17 00:00:00 2001 From: Thomas Pornin Date: Thu, 21 Dec 2017 15:38:19 +0100 Subject: [PATCH 16/16] Fixed test code (removed static reference to aes_x86ni code). --- test/test_speed.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/test/test_speed.c b/test/test_speed.c index 245a840..3ea9b99 100644 --- a/test/test_speed.c +++ b/test/test_speed.c @@ -229,15 +229,19 @@ SPEED_HASH(SHA-512, sha512) #define br_aes_big_cbcenc_get_vtable() (&br_aes_big_cbcenc_vtable) #define br_aes_big_cbcdec_get_vtable() (&br_aes_big_cbcdec_vtable) #define br_aes_big_ctr_get_vtable() (&br_aes_big_ctr_vtable) +#define br_aes_big_ctrcbc_get_vtable() (&br_aes_big_ctrcbc_vtable) #define br_aes_small_cbcenc_get_vtable() (&br_aes_small_cbcenc_vtable) #define br_aes_small_cbcdec_get_vtable() (&br_aes_small_cbcdec_vtable) #define br_aes_small_ctr_get_vtable() (&br_aes_small_ctr_vtable) +#define br_aes_small_ctrcbc_get_vtable() (&br_aes_small_ctrcbc_vtable) #define br_aes_ct_cbcenc_get_vtable() (&br_aes_ct_cbcenc_vtable) #define br_aes_ct_cbcdec_get_vtable() (&br_aes_ct_cbcdec_vtable) #define br_aes_ct_ctr_get_vtable() (&br_aes_ct_ctr_vtable) +#define br_aes_ct_ctrcbc_get_vtable() (&br_aes_ct_ctrcbc_vtable) #define br_aes_ct64_cbcenc_get_vtable() (&br_aes_ct64_cbcenc_vtable) #define br_aes_ct64_cbcdec_get_vtable() (&br_aes_ct64_cbcdec_vtable) #define br_aes_ct64_ctr_get_vtable() (&br_aes_ct64_ctr_vtable) +#define br_aes_ct64_ctrcbc_get_vtable() (&br_aes_ct64_ctrcbc_vtable) #define br_chacha20_ct_get() (&br_chacha20_ct_run) #define SPEED_AES(iname) \ @@ -453,6 +457,11 @@ test_speed_eax_inner(char *name, br_aes_gen_ctrcbc_keys ac; br_eax_context ec; + if (vt == NULL) { + printf("%-30s UNAVAILABLE\n", name); + fflush(stdout); + return; + } memset(key, 'K', key_len); memset(nonce, 'N', sizeof nonce); memset(aad, 'A', sizeof aad); @@ -500,7 +509,8 @@ static void \ test_speed_eax_ ## algo ## keysize ## _ ## impl(void) \ { \ test_speed_eax_inner("EAX " #Algo "-" #keysize "(" #impl ")", \ - &br_ ## algo ## _ ## impl ## _ctrcbc_vtable, (keysize) >> 3); \ + br_ ## algo ## _ ## impl ## _ctrcbc_get_vtable() \ + , (keysize) >> 3); \ } SPEED_EAX(AES, aes, 128, big) -- 2.17.1