A local copy of OpenSSL from GitHub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

513 lines
19 KiB

  1. /*
  2. * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * This file has no dependencies on the rest of libssl because it is shared
  11. * with the providers. It contains functions for low level MAC calculations.
  12. * Responsibility for this lies with the HMAC implementation in the
  13. * providers. However there are legacy code paths in libssl which also need to
  14. * do this. In time those legacy code paths can be removed and this file can be
  15. * moved out of libssl.
  16. */
  17. /*
  18. * MD5 and SHA-1 low level APIs are deprecated for public use, but still ok for
  19. * internal use.
  20. */
  21. #include "internal/deprecated.h"
  22. #include "internal/constant_time.h"
  23. #include "internal/cryptlib.h"
  24. #include <openssl/evp.h>
  25. #ifndef FIPS_MODULE
  26. # include <openssl/md5.h>
  27. #endif
  28. #include <openssl/sha.h>
  29. char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
  30. int ssl3_cbc_digest_record(const EVP_MD *md,
  31. unsigned char *md_out,
  32. size_t *md_out_size,
  33. const unsigned char *header,
  34. const unsigned char *data,
  35. size_t data_size,
  36. size_t data_plus_mac_plus_padding_size,
  37. const unsigned char *mac_secret,
  38. size_t mac_secret_length, char is_sslv3);
  39. # define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
  40. *((c)++)=(unsigned char)(((l)>>16)&0xff), \
  41. *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
  42. *((c)++)=(unsigned char)(((l) )&0xff))
  43. # define l2n6(l,c) (*((c)++)=(unsigned char)(((l)>>40)&0xff), \
  44. *((c)++)=(unsigned char)(((l)>>32)&0xff), \
  45. *((c)++)=(unsigned char)(((l)>>24)&0xff), \
  46. *((c)++)=(unsigned char)(((l)>>16)&0xff), \
  47. *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
  48. *((c)++)=(unsigned char)(((l) )&0xff))
  49. # define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
  50. *((c)++)=(unsigned char)(((l)>>48)&0xff), \
  51. *((c)++)=(unsigned char)(((l)>>40)&0xff), \
  52. *((c)++)=(unsigned char)(((l)>>32)&0xff), \
  53. *((c)++)=(unsigned char)(((l)>>24)&0xff), \
  54. *((c)++)=(unsigned char)(((l)>>16)&0xff), \
  55. *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
  56. *((c)++)=(unsigned char)(((l) )&0xff))
  57. /*
  58. * MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's
  59. * length field. (SHA-384/512 have 128-bit length.)
  60. */
  61. #define MAX_HASH_BIT_COUNT_BYTES 16
  62. /*
  63. * MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
  64. * Currently SHA-384/512 has a 128-byte block size and that's the largest
  65. * supported by TLS.)
  66. */
  67. #define MAX_HASH_BLOCK_SIZE 128
  68. #ifndef FIPS_MODULE
  69. /*
  70. * u32toLE serializes an unsigned, 32-bit number (n) as four bytes at (p) in
  71. * little-endian order. The value of p is advanced by four.
  72. */
  73. # define u32toLE(n, p) \
  74. (*((p)++)=(unsigned char)(n), \
  75. *((p)++)=(unsigned char)(n>>8), \
  76. *((p)++)=(unsigned char)(n>>16), \
  77. *((p)++)=(unsigned char)(n>>24))
  78. /*
  79. * These functions serialize the state of a hash and thus perform the
  80. * standard "final" operation without adding the padding and length that such
  81. * a function typically does.
  82. */
  83. static void tls1_md5_final_raw(void *ctx, unsigned char *md_out)
  84. {
  85. MD5_CTX *md5 = ctx;
  86. u32toLE(md5->A, md_out);
  87. u32toLE(md5->B, md_out);
  88. u32toLE(md5->C, md_out);
  89. u32toLE(md5->D, md_out);
  90. }
  91. #endif /* FIPS_MODULE */
  92. static void tls1_sha1_final_raw(void *ctx, unsigned char *md_out)
  93. {
  94. SHA_CTX *sha1 = ctx;
  95. l2n(sha1->h0, md_out);
  96. l2n(sha1->h1, md_out);
  97. l2n(sha1->h2, md_out);
  98. l2n(sha1->h3, md_out);
  99. l2n(sha1->h4, md_out);
  100. }
  101. static void tls1_sha256_final_raw(void *ctx, unsigned char *md_out)
  102. {
  103. SHA256_CTX *sha256 = ctx;
  104. unsigned i;
  105. for (i = 0; i < 8; i++) {
  106. l2n(sha256->h[i], md_out);
  107. }
  108. }
  109. static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
  110. {
  111. SHA512_CTX *sha512 = ctx;
  112. unsigned i;
  113. for (i = 0; i < 8; i++) {
  114. l2n8(sha512->h[i], md_out);
  115. }
  116. }
  117. #undef LARGEST_DIGEST_CTX
  118. #define LARGEST_DIGEST_CTX SHA512_CTX
  119. /*-
  120. * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
  121. * record.
  122. *
  123. * ctx: the EVP_MD_CTX from which we take the hash function.
  124. * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
  125. * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
  126. * md_out_size: if non-NULL, the number of output bytes is written here.
  127. * header: the 13-byte, TLS record header.
  128. * data: the record data itself, less any preceding explicit IV.
  129. * data_size: the secret, reported length of the data once the MAC and padding
  130. * has been removed.
  131. * data_plus_mac_plus_padding_size: the public length of the whole
  132. * record, including MAC and padding.
  133. * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
  134. *
  135. * On entry: we know that data is data_plus_mac_plus_padding_size in length
  136. * Returns 1 on success or 0 on error
  137. */
  138. int ssl3_cbc_digest_record(const EVP_MD *md,
  139. unsigned char *md_out,
  140. size_t *md_out_size,
  141. const unsigned char *header,
  142. const unsigned char *data,
  143. size_t data_size,
  144. size_t data_plus_mac_plus_padding_size,
  145. const unsigned char *mac_secret,
  146. size_t mac_secret_length, char is_sslv3)
  147. {
  148. union {
  149. OSSL_UNION_ALIGN;
  150. unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
  151. } md_state;
  152. void (*md_final_raw) (void *ctx, unsigned char *md_out);
  153. void (*md_transform) (void *ctx, const unsigned char *block);
  154. size_t md_size, md_block_size = 64;
  155. size_t sslv3_pad_length = 40, header_length, variance_blocks,
  156. len, max_mac_bytes, num_blocks,
  157. num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
  158. size_t bits; /* at most 18 bits */
  159. unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
  160. /* hmac_pad is the masked HMAC key. */
  161. unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
  162. unsigned char first_block[MAX_HASH_BLOCK_SIZE];
  163. unsigned char mac_out[EVP_MAX_MD_SIZE];
  164. size_t i, j;
  165. unsigned md_out_size_u;
  166. EVP_MD_CTX *md_ctx = NULL;
  167. /*
  168. * mdLengthSize is the number of bytes in the length field that
  169. * terminates * the hash.
  170. */
  171. size_t md_length_size = 8;
  172. char length_is_big_endian = 1;
  173. int ret = 0;
  174. /*
  175. * This is a, hopefully redundant, check that allows us to forget about
  176. * many possible overflows later in this function.
  177. */
  178. if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024))
  179. return 0;
  180. if (EVP_MD_is_a(md, "MD5")) {
  181. #ifdef FIPS_MODULE
  182. return 0;
  183. #else
  184. if (MD5_Init((MD5_CTX *)md_state.c) <= 0)
  185. return 0;
  186. md_final_raw = tls1_md5_final_raw;
  187. md_transform =
  188. (void (*)(void *ctx, const unsigned char *block))MD5_Transform;
  189. md_size = 16;
  190. sslv3_pad_length = 48;
  191. length_is_big_endian = 0;
  192. #endif
  193. } else if (EVP_MD_is_a(md, "SHA1")) {
  194. if (SHA1_Init((SHA_CTX *)md_state.c) <= 0)
  195. return 0;
  196. md_final_raw = tls1_sha1_final_raw;
  197. md_transform =
  198. (void (*)(void *ctx, const unsigned char *block))SHA1_Transform;
  199. md_size = 20;
  200. } else if (EVP_MD_is_a(md, "SHA2-224")) {
  201. if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0)
  202. return 0;
  203. md_final_raw = tls1_sha256_final_raw;
  204. md_transform =
  205. (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
  206. md_size = 224 / 8;
  207. } else if (EVP_MD_is_a(md, "SHA2-256")) {
  208. if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0)
  209. return 0;
  210. md_final_raw = tls1_sha256_final_raw;
  211. md_transform =
  212. (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
  213. md_size = 32;
  214. } else if (EVP_MD_is_a(md, "SHA2-384")) {
  215. if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0)
  216. return 0;
  217. md_final_raw = tls1_sha512_final_raw;
  218. md_transform =
  219. (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
  220. md_size = 384 / 8;
  221. md_block_size = 128;
  222. md_length_size = 16;
  223. } else if (EVP_MD_is_a(md, "SHA2-512")) {
  224. if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0)
  225. return 0;
  226. md_final_raw = tls1_sha512_final_raw;
  227. md_transform =
  228. (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
  229. md_size = 64;
  230. md_block_size = 128;
  231. md_length_size = 16;
  232. } else {
  233. /*
  234. * ssl3_cbc_record_digest_supported should have been called first to
  235. * check that the hash function is supported.
  236. */
  237. if (md_out_size != NULL)
  238. *md_out_size = 0;
  239. return ossl_assert(0);
  240. }
  241. if (!ossl_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES)
  242. || !ossl_assert(md_block_size <= MAX_HASH_BLOCK_SIZE)
  243. || !ossl_assert(md_size <= EVP_MAX_MD_SIZE))
  244. return 0;
  245. header_length = 13;
  246. if (is_sslv3) {
  247. header_length = mac_secret_length + sslv3_pad_length + 8 /* sequence
  248. * number */ +
  249. 1 /* record type */ +
  250. 2 /* record length */ ;
  251. }
  252. /*
  253. * variance_blocks is the number of blocks of the hash that we have to
  254. * calculate in constant time because they could be altered by the
  255. * padding value. In SSLv3, the padding must be minimal so the end of
  256. * the plaintext varies by, at most, 15+20 = 35 bytes. (We conservatively
  257. * assume that the MAC size varies from 0..20 bytes.) In case the 9 bytes
  258. * of hash termination (0x80 + 64-bit length) don't fit in the final
  259. * block, we say that the final two blocks can vary based on the padding.
  260. * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
  261. * required to be minimal. Therefore we say that the final |variance_blocks|
  262. * blocks can
  263. * vary based on the padding. Later in the function, if the message is
  264. * short and there obviously cannot be this many blocks then
  265. * variance_blocks can be reduced.
  266. */
  267. variance_blocks = is_sslv3 ? 2 : ( ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1);
  268. /*
  269. * From now on we're dealing with the MAC, which conceptually has 13
  270. * bytes of `header' before the start of the data (TLS) or 71/75 bytes
  271. * (SSLv3)
  272. */
  273. len = data_plus_mac_plus_padding_size + header_length;
  274. /*
  275. * max_mac_bytes contains the maximum bytes of bytes in the MAC,
  276. * including * |header|, assuming that there's no padding.
  277. */
  278. max_mac_bytes = len - md_size - 1;
  279. /* num_blocks is the maximum number of hash blocks. */
  280. num_blocks =
  281. (max_mac_bytes + 1 + md_length_size + md_block_size -
  282. 1) / md_block_size;
  283. /*
  284. * In order to calculate the MAC in constant time we have to handle the
  285. * final blocks specially because the padding value could cause the end
  286. * to appear somewhere in the final |variance_blocks| blocks and we can't
  287. * leak where. However, |num_starting_blocks| worth of data can be hashed
  288. * right away because no padding value can affect whether they are
  289. * plaintext.
  290. */
  291. num_starting_blocks = 0;
  292. /*
  293. * k is the starting byte offset into the conceptual header||data where
  294. * we start processing.
  295. */
  296. k = 0;
  297. /*
  298. * mac_end_offset is the index just past the end of the data to be MACed.
  299. */
  300. mac_end_offset = data_size + header_length;
  301. /*
  302. * c is the index of the 0x80 byte in the final hash block that contains
  303. * application data.
  304. */
  305. c = mac_end_offset % md_block_size;
  306. /*
  307. * index_a is the hash block number that contains the 0x80 terminating
  308. * value.
  309. */
  310. index_a = mac_end_offset / md_block_size;
  311. /*
  312. * index_b is the hash block number that contains the 64-bit hash length,
  313. * in bits.
  314. */
  315. index_b = (mac_end_offset + md_length_size) / md_block_size;
  316. /*
  317. * bits is the hash-length in bits. It includes the additional hash block
  318. * for the masked HMAC key, or whole of |header| in the case of SSLv3.
  319. */
  320. /*
  321. * For SSLv3, if we're going to have any starting blocks then we need at
  322. * least two because the header is larger than a single block.
  323. */
  324. if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) {
  325. num_starting_blocks = num_blocks - variance_blocks;
  326. k = md_block_size * num_starting_blocks;
  327. }
  328. bits = 8 * mac_end_offset;
  329. if (!is_sslv3) {
  330. /*
  331. * Compute the initial HMAC block. For SSLv3, the padding and secret
  332. * bytes are included in |header| because they take more than a
  333. * single block.
  334. */
  335. bits += 8 * md_block_size;
  336. memset(hmac_pad, 0, md_block_size);
  337. if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad)))
  338. return 0;
  339. memcpy(hmac_pad, mac_secret, mac_secret_length);
  340. for (i = 0; i < md_block_size; i++)
  341. hmac_pad[i] ^= 0x36;
  342. md_transform(md_state.c, hmac_pad);
  343. }
  344. if (length_is_big_endian) {
  345. memset(length_bytes, 0, md_length_size - 4);
  346. length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24);
  347. length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16);
  348. length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8);
  349. length_bytes[md_length_size - 1] = (unsigned char)bits;
  350. } else {
  351. memset(length_bytes, 0, md_length_size);
  352. length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24);
  353. length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16);
  354. length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8);
  355. length_bytes[md_length_size - 8] = (unsigned char)bits;
  356. }
  357. if (k > 0) {
  358. if (is_sslv3) {
  359. size_t overhang;
  360. /*
  361. * The SSLv3 header is larger than a single block. overhang is
  362. * the number of bytes beyond a single block that the header
  363. * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no
  364. * ciphersuites in SSLv3 that are not SHA1 or MD5 based and
  365. * therefore we can be confident that the header_length will be
  366. * greater than |md_block_size|. However we add a sanity check just
  367. * in case
  368. */
  369. if (header_length <= md_block_size) {
  370. /* Should never happen */
  371. return 0;
  372. }
  373. overhang = header_length - md_block_size;
  374. md_transform(md_state.c, header);
  375. memcpy(first_block, header + md_block_size, overhang);
  376. memcpy(first_block + overhang, data, md_block_size - overhang);
  377. md_transform(md_state.c, first_block);
  378. for (i = 1; i < k / md_block_size - 1; i++)
  379. md_transform(md_state.c, data + md_block_size * i - overhang);
  380. } else {
  381. /* k is a multiple of md_block_size. */
  382. memcpy(first_block, header, 13);
  383. memcpy(first_block + 13, data, md_block_size - 13);
  384. md_transform(md_state.c, first_block);
  385. for (i = 1; i < k / md_block_size; i++)
  386. md_transform(md_state.c, data + md_block_size * i - 13);
  387. }
  388. }
  389. memset(mac_out, 0, sizeof(mac_out));
  390. /*
  391. * We now process the final hash blocks. For each block, we construct it
  392. * in constant time. If the |i==index_a| then we'll include the 0x80
  393. * bytes and zero pad etc. For each block we selectively copy it, in
  394. * constant time, to |mac_out|.
  395. */
  396. for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks;
  397. i++) {
  398. unsigned char block[MAX_HASH_BLOCK_SIZE];
  399. unsigned char is_block_a = constant_time_eq_8_s(i, index_a);
  400. unsigned char is_block_b = constant_time_eq_8_s(i, index_b);
  401. for (j = 0; j < md_block_size; j++) {
  402. unsigned char b = 0, is_past_c, is_past_cp1;
  403. if (k < header_length)
  404. b = header[k];
  405. else if (k < data_plus_mac_plus_padding_size + header_length)
  406. b = data[k - header_length];
  407. k++;
  408. is_past_c = is_block_a & constant_time_ge_8_s(j, c);
  409. is_past_cp1 = is_block_a & constant_time_ge_8_s(j, c + 1);
  410. /*
  411. * If this is the block containing the end of the application
  412. * data, and we are at the offset for the 0x80 value, then
  413. * overwrite b with 0x80.
  414. */
  415. b = constant_time_select_8(is_past_c, 0x80, b);
  416. /*
  417. * If this block contains the end of the application data
  418. * and we're past the 0x80 value then just write zero.
  419. */
  420. b = b & ~is_past_cp1;
  421. /*
  422. * If this is index_b (the final block), but not index_a (the end
  423. * of the data), then the 64-bit length didn't fit into index_a
  424. * and we're having to add an extra block of zeros.
  425. */
  426. b &= ~is_block_b | is_block_a;
  427. /*
  428. * The final bytes of one of the blocks contains the length.
  429. */
  430. if (j >= md_block_size - md_length_size) {
  431. /* If this is index_b, write a length byte. */
  432. b = constant_time_select_8(is_block_b,
  433. length_bytes[j -
  434. (md_block_size -
  435. md_length_size)], b);
  436. }
  437. block[j] = b;
  438. }
  439. md_transform(md_state.c, block);
  440. md_final_raw(md_state.c, block);
  441. /* If this is index_b, copy the hash value to |mac_out|. */
  442. for (j = 0; j < md_size; j++)
  443. mac_out[j] |= block[j] & is_block_b;
  444. }
  445. md_ctx = EVP_MD_CTX_new();
  446. if (md_ctx == NULL)
  447. goto err;
  448. if (EVP_DigestInit_ex(md_ctx, md, NULL /* engine */ ) <= 0)
  449. goto err;
  450. if (is_sslv3) {
  451. /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
  452. memset(hmac_pad, 0x5c, sslv3_pad_length);
  453. if (EVP_DigestUpdate(md_ctx, mac_secret, mac_secret_length) <= 0
  454. || EVP_DigestUpdate(md_ctx, hmac_pad, sslv3_pad_length) <= 0
  455. || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
  456. goto err;
  457. } else {
  458. /* Complete the HMAC in the standard manner. */
  459. for (i = 0; i < md_block_size; i++)
  460. hmac_pad[i] ^= 0x6a;
  461. if (EVP_DigestUpdate(md_ctx, hmac_pad, md_block_size) <= 0
  462. || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
  463. goto err;
  464. }
  465. ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u);
  466. if (ret && md_out_size)
  467. *md_out_size = md_out_size_u;
  468. ret = 1;
  469. err:
  470. EVP_MD_CTX_free(md_ctx);
  471. return ret;
  472. }