2
0

s3_cbc.c 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506
  1. /*
  2. * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * This file has no dependencies on the rest of libssl because it is shared
  11. * with the providers. It contains functions for low level MAC calculations.
  12. * Responsibility for this lies with the HMAC implementation in the
  13. * providers. However there are legacy code paths in libssl which also need to
  14. * do this. In time those legacy code paths can be removed and this file can be
  15. * moved out of libssl.
  16. */
  17. /*
  18. * MD5 and SHA-1 low level APIs are deprecated for public use, but still ok for
  19. * internal use.
  20. */
  21. #include "internal/deprecated.h"
  22. #include "internal/constant_time.h"
  23. #include "internal/cryptlib.h"
  24. #include <openssl/evp.h>
  25. #include <openssl/md5.h>
  26. #include <openssl/sha.h>
  27. char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
  28. int ssl3_cbc_digest_record(const EVP_MD *md,
  29. unsigned char *md_out,
  30. size_t *md_out_size,
  31. const unsigned char header[13],
  32. const unsigned char *data,
  33. size_t data_size,
  34. size_t data_plus_mac_plus_padding_size,
  35. const unsigned char *mac_secret,
  36. size_t mac_secret_length, char is_sslv3);
  37. # define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
  38. *((c)++)=(unsigned char)(((l)>>16)&0xff), \
  39. *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
  40. *((c)++)=(unsigned char)(((l) )&0xff))
  41. # define l2n6(l,c) (*((c)++)=(unsigned char)(((l)>>40)&0xff), \
  42. *((c)++)=(unsigned char)(((l)>>32)&0xff), \
  43. *((c)++)=(unsigned char)(((l)>>24)&0xff), \
  44. *((c)++)=(unsigned char)(((l)>>16)&0xff), \
  45. *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
  46. *((c)++)=(unsigned char)(((l) )&0xff))
  47. # define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
  48. *((c)++)=(unsigned char)(((l)>>48)&0xff), \
  49. *((c)++)=(unsigned char)(((l)>>40)&0xff), \
  50. *((c)++)=(unsigned char)(((l)>>32)&0xff), \
  51. *((c)++)=(unsigned char)(((l)>>24)&0xff), \
  52. *((c)++)=(unsigned char)(((l)>>16)&0xff), \
  53. *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
  54. *((c)++)=(unsigned char)(((l) )&0xff))
  55. /*
  56. * MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's
  57. * length field. (SHA-384/512 have 128-bit length.)
  58. */
  59. #define MAX_HASH_BIT_COUNT_BYTES 16
  60. /*
  61. * MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
  62. * Currently SHA-384/512 has a 128-byte block size and that's the largest
  63. * supported by TLS.)
  64. */
  65. #define MAX_HASH_BLOCK_SIZE 128
  66. /*
  67. * u32toLE serializes an unsigned, 32-bit number (n) as four bytes at (p) in
  68. * little-endian order. The value of p is advanced by four.
  69. */
  70. #define u32toLE(n, p) \
  71. (*((p)++)=(unsigned char)(n), \
  72. *((p)++)=(unsigned char)(n>>8), \
  73. *((p)++)=(unsigned char)(n>>16), \
  74. *((p)++)=(unsigned char)(n>>24))
  75. /*
  76. * These functions serialize the state of a hash and thus perform the
  77. * standard "final" operation without adding the padding and length that such
  78. * a function typically does.
  79. */
  80. static void tls1_md5_final_raw(void *ctx, unsigned char *md_out)
  81. {
  82. MD5_CTX *md5 = ctx;
  83. u32toLE(md5->A, md_out);
  84. u32toLE(md5->B, md_out);
  85. u32toLE(md5->C, md_out);
  86. u32toLE(md5->D, md_out);
  87. }
  88. static void tls1_sha1_final_raw(void *ctx, unsigned char *md_out)
  89. {
  90. SHA_CTX *sha1 = ctx;
  91. l2n(sha1->h0, md_out);
  92. l2n(sha1->h1, md_out);
  93. l2n(sha1->h2, md_out);
  94. l2n(sha1->h3, md_out);
  95. l2n(sha1->h4, md_out);
  96. }
  97. static void tls1_sha256_final_raw(void *ctx, unsigned char *md_out)
  98. {
  99. SHA256_CTX *sha256 = ctx;
  100. unsigned i;
  101. for (i = 0; i < 8; i++) {
  102. l2n(sha256->h[i], md_out);
  103. }
  104. }
  105. static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
  106. {
  107. SHA512_CTX *sha512 = ctx;
  108. unsigned i;
  109. for (i = 0; i < 8; i++) {
  110. l2n8(sha512->h[i], md_out);
  111. }
  112. }
  113. #undef LARGEST_DIGEST_CTX
  114. #define LARGEST_DIGEST_CTX SHA512_CTX
  115. /*-
  116. * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
  117. * record.
  118. *
  119. * ctx: the EVP_MD_CTX from which we take the hash function.
  120. * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
  121. * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
  122. * md_out_size: if non-NULL, the number of output bytes is written here.
  123. * header: the 13-byte, TLS record header.
  124. * data: the record data itself, less any preceding explicit IV.
  125. * data_size: the secret, reported length of the data once the MAC and padding
  126. * has been removed.
  127. * data_plus_mac_plus_padding_size: the public length of the whole
  128. * record, including MAC and padding.
  129. * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
  130. *
  131. * On entry: we know that data is data_plus_mac_plus_padding_size in length
  132. * Returns 1 on success or 0 on error
  133. */
  134. int ssl3_cbc_digest_record(const EVP_MD *md,
  135. unsigned char *md_out,
  136. size_t *md_out_size,
  137. const unsigned char header[13],
  138. const unsigned char *data,
  139. size_t data_size,
  140. size_t data_plus_mac_plus_padding_size,
  141. const unsigned char *mac_secret,
  142. size_t mac_secret_length, char is_sslv3)
  143. {
  144. union {
  145. OSSL_UNION_ALIGN;
  146. unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
  147. } md_state;
  148. void (*md_final_raw) (void *ctx, unsigned char *md_out);
  149. void (*md_transform) (void *ctx, const unsigned char *block);
  150. size_t md_size, md_block_size = 64;
  151. size_t sslv3_pad_length = 40, header_length, variance_blocks,
  152. len, max_mac_bytes, num_blocks,
  153. num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
  154. size_t bits; /* at most 18 bits */
  155. unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
  156. /* hmac_pad is the masked HMAC key. */
  157. unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
  158. unsigned char first_block[MAX_HASH_BLOCK_SIZE];
  159. unsigned char mac_out[EVP_MAX_MD_SIZE];
  160. size_t i, j;
  161. unsigned md_out_size_u;
  162. EVP_MD_CTX *md_ctx = NULL;
  163. /*
  164. * mdLengthSize is the number of bytes in the length field that
  165. * terminates * the hash.
  166. */
  167. size_t md_length_size = 8;
  168. char length_is_big_endian = 1;
  169. int ret = 0;
  170. /*
  171. * This is a, hopefully redundant, check that allows us to forget about
  172. * many possible overflows later in this function.
  173. */
  174. if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024))
  175. return 0;
  176. if (EVP_MD_is_a(md, "MD5")) {
  177. if (MD5_Init((MD5_CTX *)md_state.c) <= 0)
  178. return 0;
  179. md_final_raw = tls1_md5_final_raw;
  180. md_transform =
  181. (void (*)(void *ctx, const unsigned char *block))MD5_Transform;
  182. md_size = 16;
  183. sslv3_pad_length = 48;
  184. length_is_big_endian = 0;
  185. } else if (EVP_MD_is_a(md, "SHA1")) {
  186. if (SHA1_Init((SHA_CTX *)md_state.c) <= 0)
  187. return 0;
  188. md_final_raw = tls1_sha1_final_raw;
  189. md_transform =
  190. (void (*)(void *ctx, const unsigned char *block))SHA1_Transform;
  191. md_size = 20;
  192. } else if (EVP_MD_is_a(md, "SHA2-224")) {
  193. if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0)
  194. return 0;
  195. md_final_raw = tls1_sha256_final_raw;
  196. md_transform =
  197. (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
  198. md_size = 224 / 8;
  199. } else if (EVP_MD_is_a(md, "SHA2-256")) {
  200. if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0)
  201. return 0;
  202. md_final_raw = tls1_sha256_final_raw;
  203. md_transform =
  204. (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
  205. md_size = 32;
  206. } else if (EVP_MD_is_a(md, "SHA2-384")) {
  207. if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0)
  208. return 0;
  209. md_final_raw = tls1_sha512_final_raw;
  210. md_transform =
  211. (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
  212. md_size = 384 / 8;
  213. md_block_size = 128;
  214. md_length_size = 16;
  215. } else if (EVP_MD_is_a(md, "SHA2-512")) {
  216. if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0)
  217. return 0;
  218. md_final_raw = tls1_sha512_final_raw;
  219. md_transform =
  220. (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
  221. md_size = 64;
  222. md_block_size = 128;
  223. md_length_size = 16;
  224. } else {
  225. /*
  226. * ssl3_cbc_record_digest_supported should have been called first to
  227. * check that the hash function is supported.
  228. */
  229. if (md_out_size != NULL)
  230. *md_out_size = 0;
  231. return ossl_assert(0);
  232. }
  233. if (!ossl_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES)
  234. || !ossl_assert(md_block_size <= MAX_HASH_BLOCK_SIZE)
  235. || !ossl_assert(md_size <= EVP_MAX_MD_SIZE))
  236. return 0;
  237. header_length = 13;
  238. if (is_sslv3) {
  239. header_length = mac_secret_length + sslv3_pad_length + 8 /* sequence
  240. * number */ +
  241. 1 /* record type */ +
  242. 2 /* record length */ ;
  243. }
  244. /*
  245. * variance_blocks is the number of blocks of the hash that we have to
  246. * calculate in constant time because they could be altered by the
  247. * padding value. In SSLv3, the padding must be minimal so the end of
  248. * the plaintext varies by, at most, 15+20 = 35 bytes. (We conservatively
  249. * assume that the MAC size varies from 0..20 bytes.) In case the 9 bytes
  250. * of hash termination (0x80 + 64-bit length) don't fit in the final
  251. * block, we say that the final two blocks can vary based on the padding.
  252. * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
  253. * required to be minimal. Therefore we say that the final |variance_blocks|
  254. * blocks can
  255. * vary based on the padding. Later in the function, if the message is
  256. * short and there obviously cannot be this many blocks then
  257. * variance_blocks can be reduced.
  258. */
  259. variance_blocks = is_sslv3 ? 2 : ( ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1);
  260. /*
  261. * From now on we're dealing with the MAC, which conceptually has 13
  262. * bytes of `header' before the start of the data (TLS) or 71/75 bytes
  263. * (SSLv3)
  264. */
  265. len = data_plus_mac_plus_padding_size + header_length;
  266. /*
  267. * max_mac_bytes contains the maximum bytes of bytes in the MAC,
  268. * including * |header|, assuming that there's no padding.
  269. */
  270. max_mac_bytes = len - md_size - 1;
  271. /* num_blocks is the maximum number of hash blocks. */
  272. num_blocks =
  273. (max_mac_bytes + 1 + md_length_size + md_block_size -
  274. 1) / md_block_size;
  275. /*
  276. * In order to calculate the MAC in constant time we have to handle the
  277. * final blocks specially because the padding value could cause the end
  278. * to appear somewhere in the final |variance_blocks| blocks and we can't
  279. * leak where. However, |num_starting_blocks| worth of data can be hashed
  280. * right away because no padding value can affect whether they are
  281. * plaintext.
  282. */
  283. num_starting_blocks = 0;
  284. /*
  285. * k is the starting byte offset into the conceptual header||data where
  286. * we start processing.
  287. */
  288. k = 0;
  289. /*
  290. * mac_end_offset is the index just past the end of the data to be MACed.
  291. */
  292. mac_end_offset = data_size + header_length;
  293. /*
  294. * c is the index of the 0x80 byte in the final hash block that contains
  295. * application data.
  296. */
  297. c = mac_end_offset % md_block_size;
  298. /*
  299. * index_a is the hash block number that contains the 0x80 terminating
  300. * value.
  301. */
  302. index_a = mac_end_offset / md_block_size;
  303. /*
  304. * index_b is the hash block number that contains the 64-bit hash length,
  305. * in bits.
  306. */
  307. index_b = (mac_end_offset + md_length_size) / md_block_size;
  308. /*
  309. * bits is the hash-length in bits. It includes the additional hash block
  310. * for the masked HMAC key, or whole of |header| in the case of SSLv3.
  311. */
  312. /*
  313. * For SSLv3, if we're going to have any starting blocks then we need at
  314. * least two because the header is larger than a single block.
  315. */
  316. if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) {
  317. num_starting_blocks = num_blocks - variance_blocks;
  318. k = md_block_size * num_starting_blocks;
  319. }
  320. bits = 8 * mac_end_offset;
  321. if (!is_sslv3) {
  322. /*
  323. * Compute the initial HMAC block. For SSLv3, the padding and secret
  324. * bytes are included in |header| because they take more than a
  325. * single block.
  326. */
  327. bits += 8 * md_block_size;
  328. memset(hmac_pad, 0, md_block_size);
  329. if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad)))
  330. return 0;
  331. memcpy(hmac_pad, mac_secret, mac_secret_length);
  332. for (i = 0; i < md_block_size; i++)
  333. hmac_pad[i] ^= 0x36;
  334. md_transform(md_state.c, hmac_pad);
  335. }
  336. if (length_is_big_endian) {
  337. memset(length_bytes, 0, md_length_size - 4);
  338. length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24);
  339. length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16);
  340. length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8);
  341. length_bytes[md_length_size - 1] = (unsigned char)bits;
  342. } else {
  343. memset(length_bytes, 0, md_length_size);
  344. length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24);
  345. length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16);
  346. length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8);
  347. length_bytes[md_length_size - 8] = (unsigned char)bits;
  348. }
  349. if (k > 0) {
  350. if (is_sslv3) {
  351. size_t overhang;
  352. /*
  353. * The SSLv3 header is larger than a single block. overhang is
  354. * the number of bytes beyond a single block that the header
  355. * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no
  356. * ciphersuites in SSLv3 that are not SHA1 or MD5 based and
  357. * therefore we can be confident that the header_length will be
  358. * greater than |md_block_size|. However we add a sanity check just
  359. * in case
  360. */
  361. if (header_length <= md_block_size) {
  362. /* Should never happen */
  363. return 0;
  364. }
  365. overhang = header_length - md_block_size;
  366. md_transform(md_state.c, header);
  367. memcpy(first_block, header + md_block_size, overhang);
  368. memcpy(first_block + overhang, data, md_block_size - overhang);
  369. md_transform(md_state.c, first_block);
  370. for (i = 1; i < k / md_block_size - 1; i++)
  371. md_transform(md_state.c, data + md_block_size * i - overhang);
  372. } else {
  373. /* k is a multiple of md_block_size. */
  374. memcpy(first_block, header, 13);
  375. memcpy(first_block + 13, data, md_block_size - 13);
  376. md_transform(md_state.c, first_block);
  377. for (i = 1; i < k / md_block_size; i++)
  378. md_transform(md_state.c, data + md_block_size * i - 13);
  379. }
  380. }
  381. memset(mac_out, 0, sizeof(mac_out));
  382. /*
  383. * We now process the final hash blocks. For each block, we construct it
  384. * in constant time. If the |i==index_a| then we'll include the 0x80
  385. * bytes and zero pad etc. For each block we selectively copy it, in
  386. * constant time, to |mac_out|.
  387. */
  388. for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks;
  389. i++) {
  390. unsigned char block[MAX_HASH_BLOCK_SIZE];
  391. unsigned char is_block_a = constant_time_eq_8_s(i, index_a);
  392. unsigned char is_block_b = constant_time_eq_8_s(i, index_b);
  393. for (j = 0; j < md_block_size; j++) {
  394. unsigned char b = 0, is_past_c, is_past_cp1;
  395. if (k < header_length)
  396. b = header[k];
  397. else if (k < data_plus_mac_plus_padding_size + header_length)
  398. b = data[k - header_length];
  399. k++;
  400. is_past_c = is_block_a & constant_time_ge_8_s(j, c);
  401. is_past_cp1 = is_block_a & constant_time_ge_8_s(j, c + 1);
  402. /*
  403. * If this is the block containing the end of the application
  404. * data, and we are at the offset for the 0x80 value, then
  405. * overwrite b with 0x80.
  406. */
  407. b = constant_time_select_8(is_past_c, 0x80, b);
  408. /*
  409. * If this block contains the end of the application data
  410. * and we're past the 0x80 value then just write zero.
  411. */
  412. b = b & ~is_past_cp1;
  413. /*
  414. * If this is index_b (the final block), but not index_a (the end
  415. * of the data), then the 64-bit length didn't fit into index_a
  416. * and we're having to add an extra block of zeros.
  417. */
  418. b &= ~is_block_b | is_block_a;
  419. /*
  420. * The final bytes of one of the blocks contains the length.
  421. */
  422. if (j >= md_block_size - md_length_size) {
  423. /* If this is index_b, write a length byte. */
  424. b = constant_time_select_8(is_block_b,
  425. length_bytes[j -
  426. (md_block_size -
  427. md_length_size)], b);
  428. }
  429. block[j] = b;
  430. }
  431. md_transform(md_state.c, block);
  432. md_final_raw(md_state.c, block);
  433. /* If this is index_b, copy the hash value to |mac_out|. */
  434. for (j = 0; j < md_size; j++)
  435. mac_out[j] |= block[j] & is_block_b;
  436. }
  437. md_ctx = EVP_MD_CTX_new();
  438. if (md_ctx == NULL)
  439. goto err;
  440. if (EVP_DigestInit_ex(md_ctx, md, NULL /* engine */ ) <= 0)
  441. goto err;
  442. if (is_sslv3) {
  443. /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
  444. memset(hmac_pad, 0x5c, sslv3_pad_length);
  445. if (EVP_DigestUpdate(md_ctx, mac_secret, mac_secret_length) <= 0
  446. || EVP_DigestUpdate(md_ctx, hmac_pad, sslv3_pad_length) <= 0
  447. || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
  448. goto err;
  449. } else {
  450. /* Complete the HMAC in the standard manner. */
  451. for (i = 0; i < md_block_size; i++)
  452. hmac_pad[i] ^= 0x6a;
  453. if (EVP_DigestUpdate(md_ctx, hmac_pad, md_block_size) <= 0
  454. || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
  455. goto err;
  456. }
  457. /* TODO(size_t): Convert me */
  458. ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u);
  459. if (ret && md_out_size)
  460. *md_out_size = md_out_size_u;
  461. ret = 1;
  462. err:
  463. EVP_MD_CTX_free(md_ctx);
  464. return ret;
  465. }