s3_cbc.c 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511
  1. /*
  2. * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * This file has no dependencies on the rest of libssl because it is shared
  11. * with the providers. It contains functions for low level MAC calculations.
  12. * Responsibility for this lies with the HMAC implementation in the
  13. * providers. However there are legacy code paths in libssl which also need to
  14. * do this. In time those legacy code paths can be removed and this file can be
  15. * moved out of libssl.
  16. */
  17. /*
  18. * MD5 and SHA-1 low level APIs are deprecated for public use, but still ok for
  19. * internal use.
  20. */
  21. #include "internal/deprecated.h"
  22. #include "internal/constant_time.h"
  23. #include "internal/cryptlib.h"
  24. #include <openssl/evp.h>
  25. #include <openssl/md5.h>
  26. #include <openssl/sha.h>
  27. char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
  28. int ssl3_cbc_digest_record(const EVP_MD *md,
  29. unsigned char *md_out,
  30. size_t *md_out_size,
  31. const unsigned char *header,
  32. const unsigned char *data,
  33. size_t data_size,
  34. size_t data_plus_mac_plus_padding_size,
  35. const unsigned char *mac_secret,
  36. size_t mac_secret_length, char is_sslv3);
  37. # define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
  38. *((c)++)=(unsigned char)(((l)>>16)&0xff), \
  39. *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
  40. *((c)++)=(unsigned char)(((l) )&0xff))
  41. # define l2n6(l,c) (*((c)++)=(unsigned char)(((l)>>40)&0xff), \
  42. *((c)++)=(unsigned char)(((l)>>32)&0xff), \
  43. *((c)++)=(unsigned char)(((l)>>24)&0xff), \
  44. *((c)++)=(unsigned char)(((l)>>16)&0xff), \
  45. *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
  46. *((c)++)=(unsigned char)(((l) )&0xff))
  47. # define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
  48. *((c)++)=(unsigned char)(((l)>>48)&0xff), \
  49. *((c)++)=(unsigned char)(((l)>>40)&0xff), \
  50. *((c)++)=(unsigned char)(((l)>>32)&0xff), \
  51. *((c)++)=(unsigned char)(((l)>>24)&0xff), \
  52. *((c)++)=(unsigned char)(((l)>>16)&0xff), \
  53. *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
  54. *((c)++)=(unsigned char)(((l) )&0xff))
  55. /*
  56. * MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's
  57. * length field. (SHA-384/512 have 128-bit length.)
  58. */
  59. #define MAX_HASH_BIT_COUNT_BYTES 16
  60. /*
  61. * MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
  62. * Currently SHA-384/512 has a 128-byte block size and that's the largest
  63. * supported by TLS.)
  64. */
  65. #define MAX_HASH_BLOCK_SIZE 128
  66. #ifndef FIPS_MODULE
  67. /*
  68. * u32toLE serializes an unsigned, 32-bit number (n) as four bytes at (p) in
  69. * little-endian order. The value of p is advanced by four.
  70. */
  71. # define u32toLE(n, p) \
  72. (*((p)++)=(unsigned char)(n), \
  73. *((p)++)=(unsigned char)(n>>8), \
  74. *((p)++)=(unsigned char)(n>>16), \
  75. *((p)++)=(unsigned char)(n>>24))
  76. /*
  77. * These functions serialize the state of a hash and thus perform the
  78. * standard "final" operation without adding the padding and length that such
  79. * a function typically does.
  80. */
  81. static void tls1_md5_final_raw(void *ctx, unsigned char *md_out)
  82. {
  83. MD5_CTX *md5 = ctx;
  84. u32toLE(md5->A, md_out);
  85. u32toLE(md5->B, md_out);
  86. u32toLE(md5->C, md_out);
  87. u32toLE(md5->D, md_out);
  88. }
  89. #endif /* FIPS_MODULE */
  90. static void tls1_sha1_final_raw(void *ctx, unsigned char *md_out)
  91. {
  92. SHA_CTX *sha1 = ctx;
  93. l2n(sha1->h0, md_out);
  94. l2n(sha1->h1, md_out);
  95. l2n(sha1->h2, md_out);
  96. l2n(sha1->h3, md_out);
  97. l2n(sha1->h4, md_out);
  98. }
  99. static void tls1_sha256_final_raw(void *ctx, unsigned char *md_out)
  100. {
  101. SHA256_CTX *sha256 = ctx;
  102. unsigned i;
  103. for (i = 0; i < 8; i++) {
  104. l2n(sha256->h[i], md_out);
  105. }
  106. }
  107. static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
  108. {
  109. SHA512_CTX *sha512 = ctx;
  110. unsigned i;
  111. for (i = 0; i < 8; i++) {
  112. l2n8(sha512->h[i], md_out);
  113. }
  114. }
  115. #undef LARGEST_DIGEST_CTX
  116. #define LARGEST_DIGEST_CTX SHA512_CTX
  117. /*-
  118. * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
  119. * record.
  120. *
  121. * ctx: the EVP_MD_CTX from which we take the hash function.
  122. * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
  123. * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
  124. * md_out_size: if non-NULL, the number of output bytes is written here.
  125. * header: the 13-byte, TLS record header.
  126. * data: the record data itself, less any preceding explicit IV.
  127. * data_size: the secret, reported length of the data once the MAC and padding
  128. * has been removed.
  129. * data_plus_mac_plus_padding_size: the public length of the whole
  130. * record, including MAC and padding.
  131. * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
  132. *
  133. * On entry: we know that data is data_plus_mac_plus_padding_size in length
  134. * Returns 1 on success or 0 on error
  135. */
  136. int ssl3_cbc_digest_record(const EVP_MD *md,
  137. unsigned char *md_out,
  138. size_t *md_out_size,
  139. const unsigned char *header,
  140. const unsigned char *data,
  141. size_t data_size,
  142. size_t data_plus_mac_plus_padding_size,
  143. const unsigned char *mac_secret,
  144. size_t mac_secret_length, char is_sslv3)
  145. {
  146. union {
  147. OSSL_UNION_ALIGN;
  148. unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
  149. } md_state;
  150. void (*md_final_raw) (void *ctx, unsigned char *md_out);
  151. void (*md_transform) (void *ctx, const unsigned char *block);
  152. size_t md_size, md_block_size = 64;
  153. size_t sslv3_pad_length = 40, header_length, variance_blocks,
  154. len, max_mac_bytes, num_blocks,
  155. num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
  156. size_t bits; /* at most 18 bits */
  157. unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
  158. /* hmac_pad is the masked HMAC key. */
  159. unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
  160. unsigned char first_block[MAX_HASH_BLOCK_SIZE];
  161. unsigned char mac_out[EVP_MAX_MD_SIZE];
  162. size_t i, j;
  163. unsigned md_out_size_u;
  164. EVP_MD_CTX *md_ctx = NULL;
  165. /*
  166. * mdLengthSize is the number of bytes in the length field that
  167. * terminates * the hash.
  168. */
  169. size_t md_length_size = 8;
  170. char length_is_big_endian = 1;
  171. int ret = 0;
  172. /*
  173. * This is a, hopefully redundant, check that allows us to forget about
  174. * many possible overflows later in this function.
  175. */
  176. if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024))
  177. return 0;
  178. if (EVP_MD_is_a(md, "MD5")) {
  179. #ifdef FIPS_MODULE
  180. return 0;
  181. #else
  182. if (MD5_Init((MD5_CTX *)md_state.c) <= 0)
  183. return 0;
  184. md_final_raw = tls1_md5_final_raw;
  185. md_transform =
  186. (void (*)(void *ctx, const unsigned char *block))MD5_Transform;
  187. md_size = 16;
  188. sslv3_pad_length = 48;
  189. length_is_big_endian = 0;
  190. #endif
  191. } else if (EVP_MD_is_a(md, "SHA1")) {
  192. if (SHA1_Init((SHA_CTX *)md_state.c) <= 0)
  193. return 0;
  194. md_final_raw = tls1_sha1_final_raw;
  195. md_transform =
  196. (void (*)(void *ctx, const unsigned char *block))SHA1_Transform;
  197. md_size = 20;
  198. } else if (EVP_MD_is_a(md, "SHA2-224")) {
  199. if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0)
  200. return 0;
  201. md_final_raw = tls1_sha256_final_raw;
  202. md_transform =
  203. (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
  204. md_size = 224 / 8;
  205. } else if (EVP_MD_is_a(md, "SHA2-256")) {
  206. if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0)
  207. return 0;
  208. md_final_raw = tls1_sha256_final_raw;
  209. md_transform =
  210. (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
  211. md_size = 32;
  212. } else if (EVP_MD_is_a(md, "SHA2-384")) {
  213. if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0)
  214. return 0;
  215. md_final_raw = tls1_sha512_final_raw;
  216. md_transform =
  217. (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
  218. md_size = 384 / 8;
  219. md_block_size = 128;
  220. md_length_size = 16;
  221. } else if (EVP_MD_is_a(md, "SHA2-512")) {
  222. if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0)
  223. return 0;
  224. md_final_raw = tls1_sha512_final_raw;
  225. md_transform =
  226. (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
  227. md_size = 64;
  228. md_block_size = 128;
  229. md_length_size = 16;
  230. } else {
  231. /*
  232. * ssl3_cbc_record_digest_supported should have been called first to
  233. * check that the hash function is supported.
  234. */
  235. if (md_out_size != NULL)
  236. *md_out_size = 0;
  237. return ossl_assert(0);
  238. }
  239. if (!ossl_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES)
  240. || !ossl_assert(md_block_size <= MAX_HASH_BLOCK_SIZE)
  241. || !ossl_assert(md_size <= EVP_MAX_MD_SIZE))
  242. return 0;
  243. header_length = 13;
  244. if (is_sslv3) {
  245. header_length = mac_secret_length + sslv3_pad_length + 8 /* sequence
  246. * number */ +
  247. 1 /* record type */ +
  248. 2 /* record length */ ;
  249. }
  250. /*
  251. * variance_blocks is the number of blocks of the hash that we have to
  252. * calculate in constant time because they could be altered by the
  253. * padding value. In SSLv3, the padding must be minimal so the end of
  254. * the plaintext varies by, at most, 15+20 = 35 bytes. (We conservatively
  255. * assume that the MAC size varies from 0..20 bytes.) In case the 9 bytes
  256. * of hash termination (0x80 + 64-bit length) don't fit in the final
  257. * block, we say that the final two blocks can vary based on the padding.
  258. * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
  259. * required to be minimal. Therefore we say that the final |variance_blocks|
  260. * blocks can
  261. * vary based on the padding. Later in the function, if the message is
  262. * short and there obviously cannot be this many blocks then
  263. * variance_blocks can be reduced.
  264. */
  265. variance_blocks = is_sslv3 ? 2 : ( ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1);
  266. /*
  267. * From now on we're dealing with the MAC, which conceptually has 13
  268. * bytes of `header' before the start of the data (TLS) or 71/75 bytes
  269. * (SSLv3)
  270. */
  271. len = data_plus_mac_plus_padding_size + header_length;
  272. /*
  273. * max_mac_bytes contains the maximum bytes of bytes in the MAC,
  274. * including * |header|, assuming that there's no padding.
  275. */
  276. max_mac_bytes = len - md_size - 1;
  277. /* num_blocks is the maximum number of hash blocks. */
  278. num_blocks =
  279. (max_mac_bytes + 1 + md_length_size + md_block_size -
  280. 1) / md_block_size;
  281. /*
  282. * In order to calculate the MAC in constant time we have to handle the
  283. * final blocks specially because the padding value could cause the end
  284. * to appear somewhere in the final |variance_blocks| blocks and we can't
  285. * leak where. However, |num_starting_blocks| worth of data can be hashed
  286. * right away because no padding value can affect whether they are
  287. * plaintext.
  288. */
  289. num_starting_blocks = 0;
  290. /*
  291. * k is the starting byte offset into the conceptual header||data where
  292. * we start processing.
  293. */
  294. k = 0;
  295. /*
  296. * mac_end_offset is the index just past the end of the data to be MACed.
  297. */
  298. mac_end_offset = data_size + header_length;
  299. /*
  300. * c is the index of the 0x80 byte in the final hash block that contains
  301. * application data.
  302. */
  303. c = mac_end_offset % md_block_size;
  304. /*
  305. * index_a is the hash block number that contains the 0x80 terminating
  306. * value.
  307. */
  308. index_a = mac_end_offset / md_block_size;
  309. /*
  310. * index_b is the hash block number that contains the 64-bit hash length,
  311. * in bits.
  312. */
  313. index_b = (mac_end_offset + md_length_size) / md_block_size;
  314. /*
  315. * bits is the hash-length in bits. It includes the additional hash block
  316. * for the masked HMAC key, or whole of |header| in the case of SSLv3.
  317. */
  318. /*
  319. * For SSLv3, if we're going to have any starting blocks then we need at
  320. * least two because the header is larger than a single block.
  321. */
  322. if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) {
  323. num_starting_blocks = num_blocks - variance_blocks;
  324. k = md_block_size * num_starting_blocks;
  325. }
  326. bits = 8 * mac_end_offset;
  327. if (!is_sslv3) {
  328. /*
  329. * Compute the initial HMAC block. For SSLv3, the padding and secret
  330. * bytes are included in |header| because they take more than a
  331. * single block.
  332. */
  333. bits += 8 * md_block_size;
  334. memset(hmac_pad, 0, md_block_size);
  335. if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad)))
  336. return 0;
  337. memcpy(hmac_pad, mac_secret, mac_secret_length);
  338. for (i = 0; i < md_block_size; i++)
  339. hmac_pad[i] ^= 0x36;
  340. md_transform(md_state.c, hmac_pad);
  341. }
  342. if (length_is_big_endian) {
  343. memset(length_bytes, 0, md_length_size - 4);
  344. length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24);
  345. length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16);
  346. length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8);
  347. length_bytes[md_length_size - 1] = (unsigned char)bits;
  348. } else {
  349. memset(length_bytes, 0, md_length_size);
  350. length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24);
  351. length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16);
  352. length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8);
  353. length_bytes[md_length_size - 8] = (unsigned char)bits;
  354. }
  355. if (k > 0) {
  356. if (is_sslv3) {
  357. size_t overhang;
  358. /*
  359. * The SSLv3 header is larger than a single block. overhang is
  360. * the number of bytes beyond a single block that the header
  361. * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no
  362. * ciphersuites in SSLv3 that are not SHA1 or MD5 based and
  363. * therefore we can be confident that the header_length will be
  364. * greater than |md_block_size|. However we add a sanity check just
  365. * in case
  366. */
  367. if (header_length <= md_block_size) {
  368. /* Should never happen */
  369. return 0;
  370. }
  371. overhang = header_length - md_block_size;
  372. md_transform(md_state.c, header);
  373. memcpy(first_block, header + md_block_size, overhang);
  374. memcpy(first_block + overhang, data, md_block_size - overhang);
  375. md_transform(md_state.c, first_block);
  376. for (i = 1; i < k / md_block_size - 1; i++)
  377. md_transform(md_state.c, data + md_block_size * i - overhang);
  378. } else {
  379. /* k is a multiple of md_block_size. */
  380. memcpy(first_block, header, 13);
  381. memcpy(first_block + 13, data, md_block_size - 13);
  382. md_transform(md_state.c, first_block);
  383. for (i = 1; i < k / md_block_size; i++)
  384. md_transform(md_state.c, data + md_block_size * i - 13);
  385. }
  386. }
  387. memset(mac_out, 0, sizeof(mac_out));
  388. /*
  389. * We now process the final hash blocks. For each block, we construct it
  390. * in constant time. If the |i==index_a| then we'll include the 0x80
  391. * bytes and zero pad etc. For each block we selectively copy it, in
  392. * constant time, to |mac_out|.
  393. */
  394. for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks;
  395. i++) {
  396. unsigned char block[MAX_HASH_BLOCK_SIZE];
  397. unsigned char is_block_a = constant_time_eq_8_s(i, index_a);
  398. unsigned char is_block_b = constant_time_eq_8_s(i, index_b);
  399. for (j = 0; j < md_block_size; j++) {
  400. unsigned char b = 0, is_past_c, is_past_cp1;
  401. if (k < header_length)
  402. b = header[k];
  403. else if (k < data_plus_mac_plus_padding_size + header_length)
  404. b = data[k - header_length];
  405. k++;
  406. is_past_c = is_block_a & constant_time_ge_8_s(j, c);
  407. is_past_cp1 = is_block_a & constant_time_ge_8_s(j, c + 1);
  408. /*
  409. * If this is the block containing the end of the application
  410. * data, and we are at the offset for the 0x80 value, then
  411. * overwrite b with 0x80.
  412. */
  413. b = constant_time_select_8(is_past_c, 0x80, b);
  414. /*
  415. * If this block contains the end of the application data
  416. * and we're past the 0x80 value then just write zero.
  417. */
  418. b = b & ~is_past_cp1;
  419. /*
  420. * If this is index_b (the final block), but not index_a (the end
  421. * of the data), then the 64-bit length didn't fit into index_a
  422. * and we're having to add an extra block of zeros.
  423. */
  424. b &= ~is_block_b | is_block_a;
  425. /*
  426. * The final bytes of one of the blocks contains the length.
  427. */
  428. if (j >= md_block_size - md_length_size) {
  429. /* If this is index_b, write a length byte. */
  430. b = constant_time_select_8(is_block_b,
  431. length_bytes[j -
  432. (md_block_size -
  433. md_length_size)], b);
  434. }
  435. block[j] = b;
  436. }
  437. md_transform(md_state.c, block);
  438. md_final_raw(md_state.c, block);
  439. /* If this is index_b, copy the hash value to |mac_out|. */
  440. for (j = 0; j < md_size; j++)
  441. mac_out[j] |= block[j] & is_block_b;
  442. }
  443. md_ctx = EVP_MD_CTX_new();
  444. if (md_ctx == NULL)
  445. goto err;
  446. if (EVP_DigestInit_ex(md_ctx, md, NULL /* engine */ ) <= 0)
  447. goto err;
  448. if (is_sslv3) {
  449. /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
  450. memset(hmac_pad, 0x5c, sslv3_pad_length);
  451. if (EVP_DigestUpdate(md_ctx, mac_secret, mac_secret_length) <= 0
  452. || EVP_DigestUpdate(md_ctx, hmac_pad, sslv3_pad_length) <= 0
  453. || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
  454. goto err;
  455. } else {
  456. /* Complete the HMAC in the standard manner. */
  457. for (i = 0; i < md_block_size; i++)
  458. hmac_pad[i] ^= 0x6a;
  459. if (EVP_DigestUpdate(md_ctx, hmac_pad, md_block_size) <= 0
  460. || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
  461. goto err;
  462. }
  463. ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u);
  464. if (ret && md_out_size)
  465. *md_out_size = md_out_size_u;
  466. ret = 1;
  467. err:
  468. EVP_MD_CTX_free(md_ctx);
  469. return ret;
  470. }