move the code to backup evp contexts from s2n_connection to s2n_hmac,…
… where it belongs. (#641)
danielsn authored and bpdavidson committed Nov 9, 2017
1 parent adbd31f commit 95b7b35
Showing 4 changed files with 51 additions and 99 deletions.
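--- a/crypto/s2n_hmac.c
+++ b/crypto/s2n_hmac.c
@@ -339,3 +339,23 @@ int s2n_hmac_copy(struct s2n_hmac_state *to, struct s2n_hmac_state *from)
 
 return 0;
 }
+
+
+/* Preserve the handlers for hmac state pointers to avoid re-allocation
+* Only valid if the HMAC is in EVP mode
+*/
+int s2n_hmac_save_evp_hash_state(struct s2n_hmac_evp_backup* backup, struct s2n_hmac_state* hmac)
+{
+backup->inner = hmac->inner.digest.high_level;
+backup->inner_just_key = hmac->inner_just_key.digest.high_level;
+backup->outer = hmac->outer.digest.high_level;
+return 0;
+}
+
+int s2n_hmac_restore_evp_hash_state(struct s2n_hmac_evp_backup* backup, struct s2n_hmac_state* hmac)
+{
+hmac->inner.digest.high_level = backup->inner;
+hmac->inner_just_key.digest.high_level = backup->inner_just_key;
+hmac->outer.digest.high_level = backup->outer;
+return 0;
+}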
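Review bot: `s2n_hmac_save_evp_hash_state` and `s2n_hmac_restore_evp_hash_state` dereference `backup` and `hmac` without a NULL check and do nothing to enforce the "Only valid if the HMAC is in EVP mode" precondition from the comment; `notnull_check(backup); notnull_check(hmac);` at the top of each would at least fail cleanly. The assignments copy `struct s2n_hash_evp_digest` by value, so if that struct holds EVP context pointers (its definition is not in this diff) the backup and the live state alias the same handles after a save. The comment should say that the backup does not own the handles and that freeing the hmac state before the restore leaves the backup dangling, which is where a later double free or use-after-free would come from. The read-only side could also be const-qualified, `const struct s2n_hmac_state *hmac` in save and `const struct s2n_hmac_evp_backup *backup` in restore, with the prototypes in crypto/s2n_hmac.h changed to match and written `type *name` like their neighbours there.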
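--- a/crypto/s2n_hmac.h
+++ b/crypto/s2n_hmac.h
@@ -50,6 +50,12 @@ struct s2n_hmac_state {
 uint8_t digest_pad[SHA512_DIGEST_LENGTH];
 };
 
+struct s2n_hmac_evp_backup {
+struct s2n_hash_evp_digest inner;
+struct s2n_hash_evp_digest inner_just_key;
+struct s2n_hash_evp_digest outer;
+};
+
 extern int s2n_hmac_digest_size(s2n_hmac_algorithm alg, uint8_t *out);
 extern int s2n_hmac_is_available(s2n_hmac_algorithm alg);
 extern int s2n_hmac_hash_alg(s2n_hmac_algorithm hmac_alg, s2n_hash_algorithm *out);
@@ -63,3 +69,6 @@ extern int s2n_hmac_digest_verify(const void *a, const void *b, uint32_t len);
 extern int s2n_hmac_free(struct s2n_hmac_state *state);
 extern int s2n_hmac_reset(struct s2n_hmac_state *state);
 extern int s2n_hmac_copy(struct s2n_hmac_state *to, struct s2n_hmac_state *from);
+extern int s2n_hmac_save_evp_hash_state(struct s2n_hmac_evp_backup* backup, struct s2n_hmac_state* hmac);
+extern int s2n_hmac_restore_evp_hash_state(struct s2n_hmac_evp_backup* backup, struct s2n_hmac_state* hmac);
+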
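--- a/tls/s2n_connection_evp_digests.c
+++ b/tls/s2n_connection_evp_digests.c
@@ -24,9 +24,7 @@
 int s2n_connection_save_prf_state(struct s2n_connection_prf_handles *prf_handles, struct s2n_connection *conn)
 {
 /* Preserve only the handlers for TLS PRF p_hash pointers to avoid re-allocation */
-prf_handles->p_hash_s2n_hmac_inner = conn->prf_space.tls.p_hash.s2n_hmac.inner.digest.high_level;
-prf_handles->p_hash_s2n_hmac_inner_just_key = conn->prf_space.tls.p_hash.s2n_hmac.inner_just_key.digest.high_level;
-prf_handles->p_hash_s2n_hmac_outer = conn->prf_space.tls.p_hash.s2n_hmac.outer.digest.high_level;
+GUARD(s2n_hmac_save_evp_hash_state(&prf_handles->p_hash_s2n_hmac, &conn->prf_space.tls.p_hash.s2n_hmac));
 prf_handles->p_hash_evp_hmac = conn->prf_space.tls.p_hash.evp_hmac;
 
 return 0;
@@ -69,36 +67,12 @@ int s2n_connection_save_hash_state(struct s2n_connection_hash_handles *hash_hand
 */
 int s2n_connection_save_hmac_state(struct s2n_connection_hmac_handles *hmac_handles, struct s2n_connection *conn)
 {
-/* Preserve only the handlers for initial client mac hmac state pointers to avoid re-allocation */
-hmac_handles->initial_client_mac_inner = conn->initial.client_record_mac.inner.digest.high_level;
-hmac_handles->initial_client_mac_inner_just_key = conn->initial.client_record_mac.inner_just_key.digest.high_level;
-hmac_handles->initial_client_mac_outer = conn->initial.client_record_mac.outer.digest.high_level;
-
-/* Preserve only the handlers for initial server mac hmac state pointers to avoid re-allocation */
-hmac_handles->initial_server_mac_inner = conn->initial.server_record_mac.inner.digest.high_level;
-hmac_handles->initial_server_mac_inner_just_key = conn->initial.server_record_mac.inner_just_key.digest.high_level;
-hmac_handles->initial_server_mac_outer = conn->initial.server_record_mac.outer.digest.high_level;
-
-/* Preserve only the handlers for initial record mac copy hmac state pointers to avoid re-allocation */
-hmac_handles->initial_client_mac_copy_inner = conn->initial.record_mac_copy_workspace.inner.digest.high_level;
-hmac_handles->initial_client_mac_copy_inner_just_key = conn->initial.record_mac_copy_workspace.inner_just_key.digest.high_level;
-hmac_handles->initial_client_mac_copy_outer = conn->initial.record_mac_copy_workspace.outer.digest.high_level;
-
-/* Preserve only the handlers for secure client mac hmac state pointers to avoid re-allocation */
-hmac_handles->secure_client_mac_inner = conn->secure.client_record_mac.inner.digest.high_level;
-hmac_handles->secure_client_mac_inner_just_key = conn->secure.client_record_mac.inner_just_key.digest.high_level;
-hmac_handles->secure_client_mac_outer = conn->secure.client_record_mac.outer.digest.high_level;
-
-/* Preserve only the handlers for secure server mac hmac state pointers to avoid re-allocation */
-hmac_handles->secure_server_mac_inner = conn->secure.server_record_mac.inner.digest.high_level;
-hmac_handles->secure_server_mac_inner_just_key = conn->secure.server_record_mac.inner_just_key.digest.high_level;
-hmac_handles->secure_server_mac_outer = conn->secure.server_record_mac.outer.digest.high_level;
-
-/* Preserve only the handlers for secure record mac copy hmac state pointers to avoid re-allocation */
-hmac_handles->secure_client_mac_copy_inner = conn->secure.record_mac_copy_workspace.inner.digest.high_level;
-hmac_handles->secure_client_mac_copy_inner_just_key = conn->secure.record_mac_copy_workspace.inner_just_key.digest.high_level;
-hmac_handles->secure_client_mac_copy_outer = conn->secure.record_mac_copy_workspace.outer.digest.high_level;
-
+GUARD(s2n_hmac_save_evp_hash_state(&hmac_handles->initial_client, &conn->initial.client_record_mac));
+GUARD(s2n_hmac_save_evp_hash_state(&hmac_handles->initial_server, &conn->initial.server_record_mac));
+GUARD(s2n_hmac_save_evp_hash_state(&hmac_handles->initial_client_copy, &conn->initial.record_mac_copy_workspace));
+GUARD(s2n_hmac_save_evp_hash_state(&hmac_handles->secure_client, &conn->secure.client_record_mac));
+GUARD(s2n_hmac_save_evp_hash_state(&hmac_handles->secure_server, &conn->secure.server_record_mac));
+GUARD(s2n_hmac_save_evp_hash_state(&hmac_handles->secure_client_copy, &conn->secure.record_mac_copy_workspace));
 return 0;
 }
 
@@ -109,9 +83,7 @@ int s2n_connection_save_hmac_state(struct s2n_connection_hmac_handles *hmac_hand
 int s2n_connection_restore_prf_state(struct s2n_connection *conn, struct s2n_connection_prf_handles *prf_handles)
 {
 /* Restore s2n_connection handlers for TLS PRF p_hash */
-conn->prf_space.tls.p_hash.s2n_hmac.inner.digest.high_level = prf_handles->p_hash_s2n_hmac_inner;
-conn->prf_space.tls.p_hash.s2n_hmac.inner_just_key.digest.high_level = prf_handles->p_hash_s2n_hmac_inner_just_key;
-conn->prf_space.tls.p_hash.s2n_hmac.outer.digest.high_level = prf_handles->p_hash_s2n_hmac_outer;
+GUARD(s2n_hmac_restore_evp_hash_state(&prf_handles->p_hash_s2n_hmac, &conn->prf_space.tls.p_hash.s2n_hmac));
 conn->prf_space.tls.p_hash.evp_hmac = prf_handles->p_hash_evp_hmac;
 
 return 0;
@@ -154,35 +126,11 @@ int s2n_connection_restore_hash_state(struct s2n_connection *conn, struct s2n_co
 */
 int s2n_connection_restore_hmac_state(struct s2n_connection *conn, struct s2n_connection_hmac_handles *hmac_handles)
 {
-/* Restore s2n_connection handlers for initial client record mac */
-conn->initial.client_record_mac.inner.digest.high_level = hmac_handles->initial_client_mac_inner;
-conn->initial.client_record_mac.inner_just_key.digest.high_level = hmac_handles->initial_client_mac_inner_just_key;
-conn->initial.client_record_mac.outer.digest.high_level = hmac_handles->initial_client_mac_outer;
-
-/* Restore s2n_connection handlers for initial server record mac */
-conn->initial.server_record_mac.inner.digest.high_level = hmac_handles->initial_server_mac_inner;
-conn->initial.server_record_mac.inner_just_key.digest.high_level = hmac_handles->initial_server_mac_inner_just_key;
-conn->initial.server_record_mac.outer.digest.high_level = hmac_handles->initial_server_mac_outer;
-
-/* Restore s2n_connection handlers for initial record mac copy */
-conn->initial.record_mac_copy_workspace.inner.digest.high_level = hmac_handles->initial_client_mac_copy_inner;
-conn->initial.record_mac_copy_workspace.inner_just_key.digest.high_level = hmac_handles->initial_client_mac_copy_inner_just_key;
-conn->initial.record_mac_copy_workspace.outer.digest.high_level = hmac_handles->initial_client_mac_copy_outer;
-
-/* Restore s2n_connection handlers for secure client record mac */
-conn->secure.client_record_mac.inner.digest.high_level = hmac_handles->secure_client_mac_inner;
-conn->secure.client_record_mac.inner_just_key.digest.high_level = hmac_handles->secure_client_mac_inner_just_key;
-conn->secure.client_record_mac.outer.digest.high_level = hmac_handles->secure_client_mac_outer;
-
-/* Restore s2n_connection handlers for secure server record mac */
-conn->secure.server_record_mac.inner.digest.high_level = hmac_handles->secure_server_mac_inner;
-conn->secure.server_record_mac.inner_just_key.digest.high_level = hmac_handles->secure_server_mac_inner_just_key;
-conn->secure.server_record_mac.outer.digest.high_level = hmac_handles->secure_server_mac_outer;
-
-/* Restore s2n_connection handlers for secure record mac copy */
-conn->secure.record_mac_copy_workspace.inner.digest.high_level = hmac_handles->secure_client_mac_copy_inner;
-conn->secure.record_mac_copy_workspace.inner_just_key.digest.high_level = hmac_handles->secure_client_mac_copy_inner_just_key;
-conn->secure.record_mac_copy_workspace.outer.digest.high_level = hmac_handles->secure_client_mac_copy_outer;
-
+GUARD(s2n_hmac_restore_evp_hash_state(&hmac_handles->initial_client, &conn->initial.client_record_mac));
+GUARD(s2n_hmac_restore_evp_hash_state(&hmac_handles->initial_server, &conn->initial.server_record_mac));
+GUARD(s2n_hmac_restore_evp_hash_state(&hmac_handles->initial_client_copy, &conn->initial.record_mac_copy_workspace));
+GUARD(s2n_hmac_restore_evp_hash_state(&hmac_handles->secure_client, &conn->secure.client_record_mac));
+GUARD(s2n_hmac_restore_evp_hash_state(&hmac_handles->secure_server, &conn->secure.server_record_mac));
+GUARD(s2n_hmac_restore_evp_hash_state(&hmac_handles->secure_client_copy, &conn->secure.record_mac_copy_workspace));
 return 0;
 }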
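Review bot: In `s2n_connection_save_hmac_state` and `s2n_connection_restore_hmac_state` the six `GUARD(...)` calls now carry no comment, yet the backup-field/connection-field pairing in the two lists has to stay identical; a mismatch would hand one hmac state another state's EVP handles (assuming `s2n_hash_evp_digest` holds context pointers, which this diff does not show). I would keep one line above each list, e.g. `/* Back up the EVP handles of every record-MAC hmac state; pairing must match s2n_connection_restore_hmac_state */`. The PRF pair still copies `p_hash.evp_hmac` by direct assignment right after the new helper call, so that handle's backup logic stays in connection code; a matching helper on the EVP HMAC side would complete the move the commit title describes. The doc comments of all four functions begin outside the hunks.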
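--- a/tls/s2n_connection_evp_digests.h
+++ b/tls/s2n_connection_evp_digests.h
@@ -22,9 +22,7 @@
 
 struct s2n_connection_prf_handles {
 /* TLS PRF HMAC p_hash */
-struct s2n_hash_evp_digest p_hash_s2n_hmac_inner;
-struct s2n_hash_evp_digest p_hash_s2n_hmac_inner_just_key;
-struct s2n_hash_evp_digest p_hash_s2n_hmac_outer;
+struct s2n_hmac_evp_backup p_hash_s2n_hmac;
 
 /* TLS PRF EVP p_hash */
 struct s2n_evp_hmac_state p_hash_evp_hmac;
@@ -52,37 +50,14 @@ struct s2n_connection_hash_handles {
 struct s2n_hash_evp_digest secure_signature_hash;
 };
 
-/* s2n hmac state components from hash states within each hmac */
+/* Allocationg new EVP structs is expensive, so we back them up here and reuse them */
 struct s2n_connection_hmac_handles {
-/* Initial client mac hmac states */
-struct s2n_hash_evp_digest initial_client_mac_inner;
-struct s2n_hash_evp_digest initial_client_mac_inner_just_key;
-struct s2n_hash_evp_digest initial_client_mac_outer;
-
-/* Initial client mac copy hmac states */
-struct s2n_hash_evp_digest initial_client_mac_copy_inner;
-struct s2n_hash_evp_digest initial_client_mac_copy_inner_just_key;
-struct s2n_hash_evp_digest initial_client_mac_copy_outer;
-
-/* Initial server mac hmac states */
-struct s2n_hash_evp_digest initial_server_mac_inner;
-struct s2n_hash_evp_digest initial_server_mac_inner_just_key;
-struct s2n_hash_evp_digest initial_server_mac_outer;
-
-/* Secure client mac hmac states */
-struct s2n_hash_evp_digest secure_client_mac_inner;
-struct s2n_hash_evp_digest secure_client_mac_inner_just_key;
-struct s2n_hash_evp_digest secure_client_mac_outer;
-
-/* Secure client mac copy hmac states */
-struct s2n_hash_evp_digest secure_client_mac_copy_inner;
-struct s2n_hash_evp_digest secure_client_mac_copy_inner_just_key;
-struct s2n_hash_evp_digest secure_client_mac_copy_outer;
-
-/* Secure server mac hmac states */
-struct s2n_hash_evp_digest secure_server_mac_inner;
-struct s2n_hash_evp_digest secure_server_mac_inner_just_key;
-struct s2n_hash_evp_digest secure_server_mac_outer;
+struct s2n_hmac_evp_backup initial_client;
+struct s2n_hmac_evp_backup initial_client_copy;
+struct s2n_hmac_evp_backup initial_server;
+struct s2n_hmac_evp_backup secure_client;
+struct s2n_hmac_evp_backup secure_client_copy;
+struct s2n_hmac_evp_backup secure_server;
 };
 
 extern int s2n_connection_save_prf_state(struct s2n_connection_prf_handles *prf_handles, struct s2n_connection *conn);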
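Review bot: The new comment above `struct s2n_connection_hmac_handles` misspells "Allocating"; it should read `/* Allocating new EVP structs is expensive, so we back them up here and reuse them */`. The fields `initial_client_copy` and `secure_client_copy` are filled from `record_mac_copy_workspace` in tls/s2n_connection_evp_digests.c, which is not named as client-specific, so something like `initial_copy_workspace` and `secure_copy_workspace` would describe them better (the removed field names carried the same wording). With the per-group comments gone, a short comment on each field naming the connection member it backs up would keep the mapping readable from the header alone.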
