diff options
| -rw-r--r-- | CHANGES | 3 | ||||
| -rwxr-xr-x | Configure | 3 | ||||
| -rw-r--r-- | INSTALL | 5 | ||||
| -rw-r--r-- | crypto/asn1/standard_methods.h | 5 | ||||
| -rw-r--r-- | crypto/evp/evp_err.c | 2 | ||||
| -rw-r--r-- | crypto/evp/p_lib.c | 17 | ||||
| -rw-r--r-- | crypto/evp/pmeth_lib.c | 5 | ||||
| -rw-r--r-- | crypto/include/internal/asn1_int.h | 3 | ||||
| -rw-r--r-- | crypto/include/internal/evp_int.h | 3 | ||||
| -rw-r--r-- | crypto/include/internal/siphash.h | 24 | ||||
| -rw-r--r-- | crypto/objects/obj_dat.h | 9 | ||||
| -rw-r--r-- | crypto/objects/obj_mac.num | 1 | ||||
| -rw-r--r-- | crypto/objects/objects.txt | 2 | ||||
| -rw-r--r-- | crypto/siphash/build.info | 5 | ||||
| -rw-r--r-- | crypto/siphash/siphash.c | 230 | ||||
| -rw-r--r-- | crypto/siphash/siphash_ameth.c | 68 | ||||
| -rw-r--r-- | crypto/siphash/siphash_local.h | 23 | ||||
| -rw-r--r-- | crypto/siphash/siphash_pmeth.c | 206 | ||||
| -rw-r--r-- | doc/man3/EVP_PKEY_CTX_ctrl.pod | 2 | ||||
| -rw-r--r-- | include/openssl/evp.h | 14 | ||||
| -rw-r--r-- | include/openssl/obj_mac.h | 4 | ||||
| -rw-r--r-- | test/build.info | 7 | ||||
| -rw-r--r-- | test/evp_test.c | 9 | ||||
| -rw-r--r-- | test/evptests.txt | 62 | ||||
| -rw-r--r-- | test/siphash_internal_test.c | 431 | ||||
| -rw-r--r-- | util/libcrypto.num | 1 | ||||
| -rwxr-xr-x | util/mkdef.pl | 3 |
27 files changed, 1128 insertions, 19 deletions
@@ -4,6 +4,9 @@ Changes between 1.1.0a and 1.1.1 [xx XXX xxxx] + *) Add support for SipHash + [Todd Short] + *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0 or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to prevent issues where no progress is being made and the peer continually @@ -313,7 +313,7 @@ $config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", " # crypto/ subdirectories to build $config{sdirs} = [ "objects", - "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", + "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "des", "aes", "rc2", "rc4", "rc5", "idea", "bf", "cast", "camellia", "seed", "chacha", "modes", "bn", "ec", "rsa", "dsa", "dh", "dso", "engine", "buffer", "bio", "stack", "lhash", "rand", "err", @@ -397,6 +397,7 @@ my @disablables = ( "sctp", "seed", "shared", + "siphash", "sock", "srp", "srtp", @@ -494,8 +494,9 @@ Build without support for the specified algorithm, where <alg> is one of: bf, blake2, camellia, cast, chacha, cmac, des, dh, dsa, ecdh, ecdsa, idea, md4, mdc2, ocb, poly1305, - rc2, rc4, rmd160, scrypt, seed or whirlpool. The "ripemd" - algorithm is deprecated and if used is synonymous with rmd160. + rc2, rc4, rmd160, scrypt, seed, siphash or whirlpool. The + "ripemd" algorithm is deprecated and if used is synonymous + with rmd160. -Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will be passed through to the diff --git a/crypto/asn1/standard_methods.h b/crypto/asn1/standard_methods.h index ca38b09fee..a0fd881b7a 100644 --- a/crypto/asn1/standard_methods.h +++ b/crypto/asn1/standard_methods.h @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -46,5 +46,8 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = { #ifndef OPENSSL_NO_POLY1305 &poly1305_asn1_meth, #endif +#ifndef OPENSSL_NO_SIPHASH + &siphash_asn1_meth, +#endif }; diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index bf09052809..6ff9ec4eae 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -69,6 +69,7 @@ static ERR_STRING_DATA EVP_str_functs[] = { {ERR_FUNC(EVP_F_EVP_PKEY_GET0_HMAC), "EVP_PKEY_get0_hmac"}, {ERR_FUNC(EVP_F_EVP_PKEY_GET0_POLY1305), "EVP_PKEY_get0_poly1305"}, {ERR_FUNC(EVP_F_EVP_PKEY_GET0_RSA), "EVP_PKEY_get0_RSA"}, + {ERR_FUNC(EVP_F_EVP_PKEY_GET0_SIPHASH), "EVP_PKEY_get0_siphash"}, {ERR_FUNC(EVP_F_EVP_PKEY_KEYGEN), "EVP_PKEY_keygen"}, {ERR_FUNC(EVP_F_EVP_PKEY_KEYGEN_INIT), "EVP_PKEY_keygen_init"}, {ERR_FUNC(EVP_F_EVP_PKEY_NEW), "EVP_PKEY_new"}, @@ -119,6 +120,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = { {ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY), "expecting a dsa key"}, {ERR_REASON(EVP_R_EXPECTING_A_EC_KEY), "expecting a ec key"}, {ERR_REASON(EVP_R_EXPECTING_A_POLY1305_KEY), "expecting a poly1305 key"}, + {ERR_REASON(EVP_R_EXPECTING_A_SIPHASH_KEY), "expecting a siphash key"}, {ERR_REASON(EVP_R_FIPS_MODE_NOT_SUPPORTED), "fips mode not supported"}, {ERR_REASON(EVP_R_ILLEGAL_SCRYPT_PARAMETERS), "illegal scrypt parameters"}, diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 047e832637..b5e5206778 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -263,6 +263,21 @@ const unsigned char *EVP_PKEY_get0_poly1305(const EVP_PKEY *pkey, size_t *len) } #endif +#ifndef OPENSSL_NO_SIPHASH +const unsigned char *EVP_PKEY_get0_siphash(const EVP_PKEY *pkey, size_t *len) +{ + ASN1_OCTET_STRING *os = NULL; + + if (pkey->type != EVP_PKEY_SIPHASH) { + EVPerr(EVP_F_EVP_PKEY_GET0_SIPHASH, EVP_R_EXPECTING_A_SIPHASH_KEY); + return NULL; + } + os = EVP_PKEY_get0(pkey); + *len = os->length; + return os->data; +} +#endif + #ifndef OPENSSL_NO_RSA int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key) { diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 66e1e08149..681e5e06c7 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -52,6 +52,9 @@ static const EVP_PKEY_METHOD *standard_methods[] = { #ifndef OPENSSL_NO_POLY1305 &poly1305_pkey_meth, #endif +#ifndef OPENSSL_NO_SIPHASH + &siphash_pkey_meth, +#endif }; DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *, diff --git a/crypto/include/internal/asn1_int.h b/crypto/include/internal/asn1_int.h index 554f067740..f78ced6dab 100644 --- a/crypto/include/internal/asn1_int.h +++ b/crypto/include/internal/asn1_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -67,6 +67,7 @@ extern const EVP_PKEY_ASN1_METHOD poly1305_asn1_meth; extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth; extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2]; extern const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD siphash_asn1_meth; /* * These are used internally in the ASN1_OBJECT to keep track of whether the diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h index b5b6a13004..0b0d87838b 100644 --- a/crypto/include/internal/evp_int.h +++ b/crypto/include/internal/evp_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -88,6 +88,7 @@ extern const EVP_PKEY_METHOD rsa_pss_pkey_meth; extern const EVP_PKEY_METHOD tls1_prf_pkey_meth; extern const EVP_PKEY_METHOD hkdf_pkey_meth; extern const EVP_PKEY_METHOD poly1305_pkey_meth; +extern const EVP_PKEY_METHOD siphash_pkey_meth; struct evp_md_st { int type; diff --git a/crypto/include/internal/siphash.h b/crypto/include/internal/siphash.h new file mode 100644 index 0000000000..e086859622 --- /dev/null +++ b/crypto/include/internal/siphash.h @@ -0,0 +1,24 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stddef.h> + +#define SIPHASH_BLOCK_SIZE 8 +#define SIPHASH_KEY_SIZE 16 +#define SIPHASH_MIN_DIGEST_SIZE 8 +#define SIPHASH_MAX_DIGEST_SIZE 16 + +typedef struct siphash_st SIPHASH; + +size_t SipHash_ctx_size(void); +size_t SipHash_hash_size(SIPHASH *ctx); +int SipHash_Init(SIPHASH *ctx, const unsigned char *k, int hash_size, + int crounds, int drounds); +void SipHash_Update(SIPHASH *ctx, const unsigned char *in, size_t inlen); +int SipHash_Final(SIPHASH *ctx, unsigned char *out, size_t outlen); diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 5171f56846..88d371aed0 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -963,7 +963,7 @@ static const unsigned char so[6765] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1C, /* [ 6753] OBJ_id_ct_xml */ }; -#define NUM_NID 1062 +#define NUM_NID 1063 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, @@ -2027,9 +2027,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { {"id-smime-ct-authEnvelopedData", "id-smime-ct-authEnvelopedData", NID_id_smime_ct_authEnvelopedData, 11, &so[6742]}, {"id-ct-xml", "id-ct-xml", NID_id_ct_xml, 11, &so[6753]}, {"Poly1305", "poly1305", NID_poly1305}, + {"SipHash", "siphash", NID_siphash}, }; -#define NUM_SN 1053 +#define NUM_SN 1054 static const unsigned int sn_objs[NUM_SN] = { 364, /* "AD_DVCS" */ 419, /* "AES-128-CBC" */ @@ -2256,6 +2257,7 @@ static const unsigned int sn_objs[NUM_SN] = { 1006, /* "SNILS" */ 16, /* "ST" */ 143, /* "SXNetID" */ + 1062, /* "SipHash" */ 1021, /* "TLS1-PRF" */ 458, /* "UID" */ 0, /* "UNDEF" */ @@ -3086,7 +3088,7 @@ static const unsigned int sn_objs[NUM_SN] = { 160, /* "x509Crl" */ }; -#define NUM_LN 1053 +#define NUM_LN 1054 static const unsigned int ln_objs[NUM_LN] = { 363, /* "AD Time Stamping" */ 405, /* "ANSI X9.62" */ @@ -4096,6 +4098,7 @@ static const unsigned int ln_objs[NUM_LN] = { 52, /* "signingTime" */ 454, /* "simpleSecurityObject" */ 496, /* "singleLevelQuality" */ + 1062, /* "siphash" */ 16, /* "stateOrProvinceName" */ 660, /* "streetAddress" */ 498, /* "subtreeMaximumQuality" */ diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 9aa490b670..3793951c62 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -1059,3 +1059,4 @@ id_smime_ct_contentCollection 1058 id_smime_ct_authEnvelopedData 1059 id_ct_xml 1060 poly1305 1061 +siphash 1062 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 09701af4a1..5b1f2bdac5 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -1484,3 +1484,5 @@ id-pkinit 5 : pkInitKDC : Signing KDC Response : AuthNULL : auth-null # NID for Poly1305 : Poly1305 : poly1305 +# NID for SipHash + : SipHash : siphash diff --git a/crypto/siphash/build.info b/crypto/siphash/build.info new file mode 100644 index 0000000000..4166344a5b --- /dev/null +++ b/crypto/siphash/build.info @@ -0,0 +1,5 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=\ + siphash.c \ + siphash_pmeth.c \ + siphash_ameth.c diff --git a/crypto/siphash/siphash.c b/crypto/siphash/siphash.c new file mode 100644 index 0000000000..4bf2382972 --- /dev/null +++ b/crypto/siphash/siphash.c @@ -0,0 +1,230 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* Based on https://131002.net/siphash C reference implementation */ +/* + SipHash reference C implementation + + Copyright (c) 2012-2016 Jean-Philippe Aumasson + <jeanphilippe.aumasson@gmail.com> + Copyright (c) 2012-2014 Daniel J. Bernstein <djb@cr.yp.to> + + To the extent possible under law, the author(s) have dedicated all copyright + and related and neighboring rights to this software to the public domain + worldwide. This software is distributed without any warranty. + + You should have received a copy of the CC0 Public Domain Dedication along + with + this software. If not, see + <http://creativecommons.org/publicdomain/zero/1.0/>. + */ + +#include <stdlib.h> +#include <string.h> +#include <openssl/crypto.h> + +#include "internal/siphash.h" +#include "siphash_local.h" + +/* default: SipHash-2-4 */ +#define SIPHASH_C_ROUNDS 2 +#define SIPHASH_D_ROUNDS 4 + +#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))) + +#define U32TO8_LE(p, v) \ + (p)[0] = (uint8_t)((v)); \ + (p)[1] = (uint8_t)((v) >> 8); \ + (p)[2] = (uint8_t)((v) >> 16); \ + (p)[3] = (uint8_t)((v) >> 24); + +#define U64TO8_LE(p, v) \ + U32TO8_LE((p), (uint32_t)((v))); \ + U32TO8_LE((p) + 4, (uint32_t)((v) >> 32)); + +#define U8TO64_LE(p) \ + (((uint64_t)((p)[0])) | ((uint64_t)((p)[1]) << 8) | \ + ((uint64_t)((p)[2]) << 16) | ((uint64_t)((p)[3]) << 24) | \ + ((uint64_t)((p)[4]) << 32) | ((uint64_t)((p)[5]) << 40) | \ + ((uint64_t)((p)[6]) << 48) | ((uint64_t)((p)[7]) << 56)) + +#define SIPROUND \ + do { \ + v0 += v1; \ + v1 = ROTL(v1, 13); \ + v1 ^= v0; \ + v0 = ROTL(v0, 32); \ + v2 += v3; \ + v3 = ROTL(v3, 16); \ + v3 ^= v2; \ + v0 += v3; \ + v3 = ROTL(v3, 21); \ + v3 ^= v0; \ + v2 += v1; \ + v1 = ROTL(v1, 17); \ + v1 ^= v2; \ + v2 = ROTL(v2, 32); \ + } while (0) + +size_t SipHash_ctx_size(void) +{ + return sizeof(SIPHASH); +} + +size_t SipHash_hash_size(SIPHASH *ctx) +{ + return ctx->hash_size; +} + +/* hash_size = crounds = drounds = 0 means SipHash24 with 16-byte output */ +int SipHash_Init(SIPHASH *ctx, const unsigned char *k, int hash_size, int crounds, int drounds) +{ + uint64_t k0 = U8TO64_LE(k); + uint64_t k1 = U8TO64_LE(k + 8); + + if (hash_size == 0) + hash_size = SIPHASH_MAX_DIGEST_SIZE; + else if (hash_size != SIPHASH_MIN_DIGEST_SIZE && + hash_size != SIPHASH_MAX_DIGEST_SIZE) + return 0; + + if (drounds == 0) + drounds = SIPHASH_D_ROUNDS; + if (crounds == 0) + crounds = SIPHASH_C_ROUNDS; + + ctx->crounds = crounds; + ctx->drounds = drounds; + ctx->hash_size = hash_size; + + ctx->len = 0; + ctx->total_inlen = 0; + + ctx->v0 = 0x736f6d6570736575ULL ^ k0; + ctx->v1 = 0x646f72616e646f6dULL ^ k1; + ctx->v2 = 0x6c7967656e657261ULL ^ k0; + ctx->v3 = 0x7465646279746573ULL ^ k1; + + if (ctx->hash_size == SIPHASH_MAX_DIGEST_SIZE) + ctx->v1 ^= 0xee; + + return 1; +} + +void SipHash_Update(SIPHASH *ctx, const unsigned char *in, size_t inlen) +{ + uint64_t m; + const uint8_t *end; + int left; + int i; + uint64_t v0 = ctx->v0; + uint64_t v1 = ctx->v1; + uint64_t v2 = ctx->v2; + uint64_t v3 = ctx->v3; + + ctx->total_inlen += inlen; + + if (ctx->len) { + /* deal with leavings */ + size_t available = SIPHASH_BLOCK_SIZE - ctx->len; + + /* not enough to fill leavings */ + if (inlen < available) { + memcpy(&ctx->leavings[ctx->len], in, inlen); + ctx->len += inlen; + return; + } + + /* copy data into leavings and reduce input */ + memcpy(&ctx->leavings[ctx->len], in, available); + inlen -= available; + in += available; + + /* process leavings */ + m = U8TO64_LE(ctx->leavings); + v3 ^= m; + for (i = 0; i < ctx->crounds; ++i) + SIPROUND; + v0 ^= m; + } + left = inlen & (SIPHASH_BLOCK_SIZE-1); /* gets put into leavings */ + end = in + inlen - left; + + for (; in != end; in += 8) { + m = U8TO64_LE(in); + v3 ^= m; + for (i = 0; i < ctx->crounds; ++i) + SIPROUND; + v0 ^= m; + } + + /* save leavings and other ctx */ + if (left) + memcpy(ctx->leavings, end, left); + ctx->len = left; + + ctx->v0 = v0; + ctx->v1 = v1; + ctx->v2 = v2; + ctx->v3 = v3; +} + +int SipHash_Final(SIPHASH *ctx, unsigned char *out, size_t outlen) +{ + /* finalize hash */ + int i; + uint64_t b = ctx->total_inlen << 56; + uint64_t v0 = ctx->v0; + uint64_t v1 = ctx->v1; + uint64_t v2 = ctx->v2; + uint64_t v3 = ctx->v3; + + if (outlen != (size_t)ctx->hash_size) + return 0; + + switch (ctx->len) { + case 7: + b |= ((uint64_t)ctx->leavings[6]) << 48; + case 6: + b |= ((uint64_t)ctx->leavings[5]) << 40; + case 5: + b |= ((uint64_t)ctx->leavings[4]) << 32; + case 4: + b |= ((uint64_t)ctx->leavings[3]) << 24; + case 3: + b |= ((uint64_t)ctx->leavings[2]) << 16; + case 2: + b |= ((uint64_t)ctx->leavings[1]) << 8; + case 1: + b |= ((uint64_t)ctx->leavings[0]); + case 0: + break; + } + + v3 ^= b; + for (i = 0; i < ctx->crounds; ++i) + SIPROUND; + v0 ^= b; + if (ctx->hash_size == SIPHASH_MAX_DIGEST_SIZE) + v2 ^= 0xee; + else + v2 ^= 0xff; + for (i = 0; i < ctx->drounds; ++i) + SIPROUND; + b = v0 ^ v1 ^ v2 ^ v3; + U64TO8_LE(out, b); + if (ctx->hash_size == SIPHASH_MIN_DIGEST_SIZE) + return 1; + v1 ^= 0xdd; + for (i = 0; i < ctx->drounds; ++i) + SIPROUND; + b = v0 ^ v1 ^ v2 ^ v3; + U64TO8_LE(out + 8, b); + return 1; +} diff --git a/crypto/siphash/siphash_ameth.c b/crypto/siphash/siphash_ameth.c new file mode 100644 index 0000000000..d819461f8d --- /dev/null +++ b/crypto/siphash/siphash_ameth.c @@ -0,0 +1,68 @@ +/* + * Copyright 2007-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdio.h> +#include "internal/cryptlib.h" +#include <openssl/evp.h> +#include "internal/asn1_int.h" +#include "internal/siphash.h" +#include "siphash_local.h" + +/* + * SIPHASH "ASN1" method. This is just here to indicate the maximum + * SIPHASH output length and to free up a SIPHASH key. + */ + +static int siphash_size(const EVP_PKEY *pkey) +{ + return SIPHASH_MAX_DIGEST_SIZE; +} + +static void siphash_key_free(EVP_PKEY *pkey) +{ + ASN1_OCTET_STRING *os = EVP_PKEY_get0(pkey); + + if (os != NULL) { + if (os->data != NULL) + OPENSSL_cleanse(os->data, os->length); + ASN1_OCTET_STRING_free(os); + } +} + +static int siphash_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) +{ + /* nothing (including ASN1_PKEY_CTRL_DEFAULT_MD_NID), is supported */ + return -2; +} + +static int siphash_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b) +{ + return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b)); +} + +const EVP_PKEY_ASN1_METHOD siphash_asn1_meth = { + EVP_PKEY_SIPHASH, + EVP_PKEY_SIPHASH, + 0, + + "SIPHASH", + "OpenSSL SIPHASH method", + + 0, 0, siphash_pkey_public_cmp, 0, + + 0, 0, 0, + + siphash_size, + 0, 0, + 0, 0, 0, 0, 0, 0, 0, + + siphash_key_free, + siphash_pkey_ctrl, + 0, 0 +}; diff --git a/crypto/siphash/siphash_local.h b/crypto/siphash/siphash_local.h new file mode 100644 index 0000000000..5ad3476463 --- /dev/null +++ b/crypto/siphash/siphash_local.h @@ -0,0 +1,23 @@ +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* Based on https://131002.net/siphash C reference implementation */ + +struct siphash_st { + uint64_t total_inlen; + uint64_t v0; + uint64_t v1; + uint64_t v2; + uint64_t v3; + unsigned int len; + int hash_size; + int crounds; + int drounds; + unsigned char leavings[SIPHASH_BLOCK_SIZE]; +}; diff --git a/crypto/siphash/siphash_pmeth.c b/crypto/siphash/siphash_pmeth.c new file mode 100644 index 0000000000..ae16e55878 --- /dev/null +++ b/crypto/siphash/siphash_pmeth.c @@ -0,0 +1,206 @@ +/* + * Copyright 2007-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdio.h> +#include "internal/cryptlib.h" +#include <openssl/x509.h> +#include <openssl/x509v3.h> +#include <openssl/evp.h> +#include "internal/siphash.h" +#include "siphash_local.h" +#include "internal/evp_int.h" + +/* SIPHASH pkey context structure */ + +typedef struct siphash_pkey_ctx_st { + ASN1_OCTET_STRING ktmp; /* Temp storage for key */ + SIPHASH ctx; +} SIPHASH_PKEY_CTX; + +static int pkey_siphash_init(EVP_PKEY_CTX *ctx) +{ + SIPHASH_PKEY_CTX *pctx; + + pctx = OPENSSL_zalloc(sizeof(*pctx)); + if (pctx == NULL) + return 0; + pctx->ktmp.type = V_ASN1_OCTET_STRING; + + EVP_PKEY_CTX_set_data(ctx, pctx); + EVP_PKEY_CTX_set0_keygen_info(ctx, NULL, 0); + return 1; +} + +static void pkey_siphash_cleanup(EVP_PKEY_CTX *ctx) +{ + SIPHASH_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(ctx); + + if (pctx != NULL) { + OPENSSL_clear_free(pctx->ktmp.data, pctx->ktmp.length); + OPENSSL_clear_free(pctx, sizeof(*pctx)); + EVP_PKEY_CTX_set_data(ctx, NULL); + } +} + +static int pkey_siphash_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) +{ + SIPHASH_PKEY_CTX *sctx, *dctx; + + /* allocate memory for dst->data and a new SIPHASH_CTX in dst->data->ctx */ + if (!pkey_siphash_init(dst)) + return 0; + sctx = EVP_PKEY_CTX_get_data(src); + dctx = EVP_PKEY_CTX_get_data(dst); + if (ASN1_STRING_get0_data(&sctx->ktmp) != NULL && + !ASN1_STRING_copy(&dctx->ktmp, &sctx->ktmp)) { + /* cleanup and free the SIPHASH_PKEY_CTX in dst->data */ + pkey_siphash_cleanup(dst); + return 0; + } + memcpy(&dctx->ctx, &sctx->ctx, sizeof(SIPHASH)); + return 1; +} + +static int pkey_siphash_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) +{ + ASN1_OCTET_STRING *key; + SIPHASH_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(ctx); + + if (ASN1_STRING_get0_data(&pctx->ktmp) == NULL) + return 0; + key = ASN1_OCTET_STRING_dup(&pctx->ktmp); + if (key == NULL) + return 0; + return EVP_PKEY_assign_SIPHASH(pkey, key); +} + +static int int_update(EVP_MD_CTX *ctx, const void *data, size_t count) +{ + SIPHASH_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(EVP_MD_CTX_pkey_ctx(ctx)); + + SipHash_Update(&pctx->ctx, data, count); + return 1; +} + +static int siphash_signctx_init(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx) +{ + SIPHASH_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(ctx); + const unsigned char* key; + size_t len; + int hash_size; + + key = EVP_PKEY_get0_siphash(EVP_PKEY_CTX_get0_pkey(ctx), &len); + if (key == NULL || len != SIPHASH_KEY_SIZE) + return 0; + EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_NO_INIT); + EVP_MD_CTX_set_update_fn(mctx, int_update); + /* use default rounds (2,4) */ + hash_size = SipHash_hash_size(&pctx->ctx); + return SipHash_Init(&pctx->ctx, key, hash_size, 0, 0); +} +static int siphash_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, + EVP_MD_CTX *mctx) +{ + SIPHASH_PKEY_CTX *pctx = ctx->data; + + *siglen = SipHash_hash_size(&pctx->ctx); + if (sig != NULL) + return SipHash_Final(&pctx->ctx, sig, *siglen); + return 1; +} + +static int pkey_siphash_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) +{ + SIPHASH_PKEY_CTX *pctx = EVP_PKEY_CTX_get_data(ctx); + const unsigned char *key; + size_t len; + int hash_size; + + switch (type) { + + case EVP_PKEY_CTRL_MD: + /* ignore */ + break; + + case EVP_PKEY_CTRL_SET_DIGEST_SIZE: + if (p1 != SIPHASH_MIN_DIGEST_SIZE && + p1 != SIPHASH_MAX_DIGEST_SIZE) { + return 0; + } + /* use default rounds (2,4) */ + return SipHash_Init(&pctx->ctx, ASN1_STRING_get0_data(&pctx->ktmp), p1, 0, 0); + + case EVP_PKEY_CTRL_SET_MAC_KEY: + case EVP_PKEY_CTRL_DIGESTINIT: + if (type == EVP_PKEY_CTRL_SET_MAC_KEY) { + /* user explicitly setting the key */ + key = p2; + len = p1; + } else { + /* user indirectly setting the key via EVP_DigestSignInit */ + key = EVP_PKEY_get0_siphash(EVP_PKEY_CTX_get0_pkey(ctx), &len); + } + if (key == NULL || len != SIPHASH_KEY_SIZE || + !ASN1_OCTET_STRING_set(&pctx->ktmp, key, len)) + return 0; + /* use default rounds (2,4) */ + hash_size = SipHash_hash_size(&pctx->ctx); + return SipHash_Init(&pctx->ctx, ASN1_STRING_get0_data(&pctx->ktmp), hash_size, 0, 0); + + default: + return -2; + + } + return 1; +} + +static int pkey_siphash_ctrl_str(EVP_PKEY_CTX *c |