s3_cbc.c revision 1.1.1.1 1 1.1 christos /* ssl/s3_cbc.c */
2 1.1 christos /* ====================================================================
3 1.1 christos * Copyright (c) 2012 The OpenSSL Project. All rights reserved.
4 1.1 christos *
5 1.1 christos * Redistribution and use in source and binary forms, with or without
6 1.1 christos * modification, are permitted provided that the following conditions
7 1.1 christos * are met:
8 1.1 christos *
9 1.1 christos * 1. Redistributions of source code must retain the above copyright
10 1.1 christos * notice, this list of conditions and the following disclaimer.
11 1.1 christos *
12 1.1 christos * 2. Redistributions in binary form must reproduce the above copyright
13 1.1 christos * notice, this list of conditions and the following disclaimer in
14 1.1 christos * the documentation and/or other materials provided with the
15 1.1 christos * distribution.
16 1.1 christos *
17 1.1 christos * 3. All advertising materials mentioning features or use of this
18 1.1 christos * software must display the following acknowledgment:
19 1.1 christos * "This product includes software developed by the OpenSSL Project
20 1.1 christos * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21 1.1 christos *
22 1.1 christos * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 1.1 christos * endorse or promote products derived from this software without
24 1.1 christos * prior written permission. For written permission, please contact
25 1.1 christos * openssl-core (at) openssl.org.
26 1.1 christos *
27 1.1 christos * 5. Products derived from this software may not be called "OpenSSL"
28 1.1 christos * nor may "OpenSSL" appear in their names without prior written
29 1.1 christos * permission of the OpenSSL Project.
30 1.1 christos *
31 1.1 christos * 6. Redistributions of any form whatsoever must retain the following
32 1.1 christos * acknowledgment:
33 1.1 christos * "This product includes software developed by the OpenSSL Project
34 1.1 christos * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35 1.1 christos *
36 1.1 christos * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 1.1 christos * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 1.1 christos * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 1.1 christos * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 1.1 christos * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 1.1 christos * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 1.1 christos * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 1.1 christos * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 1.1 christos * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 1.1 christos * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 1.1 christos * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 1.1 christos * OF THE POSSIBILITY OF SUCH DAMAGE.
48 1.1 christos * ====================================================================
49 1.1 christos *
50 1.1 christos * This product includes cryptographic software written by Eric Young
51 1.1 christos * (eay (at) cryptsoft.com). This product includes software written by Tim
52 1.1 christos * Hudson (tjh (at) cryptsoft.com).
53 1.1 christos *
54 1.1 christos */
55 1.1 christos
56 1.1 christos #include "../crypto/constant_time_locl.h"
57 1.1 christos #include "ssl_locl.h"
58 1.1 christos
59 1.1 christos #include <openssl/md5.h>
60 1.1 christos #include <openssl/sha.h>
61 1.1 christos
62 1.1 christos /*
63 1.1 christos * MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's
64 1.1 christos * length field. (SHA-384/512 have 128-bit length.)
65 1.1 christos */
66 1.1 christos #define MAX_HASH_BIT_COUNT_BYTES 16
67 1.1 christos
68 1.1 christos /*
69 1.1 christos * MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
70 1.1 christos * Currently SHA-384/512 has a 128-byte block size and that's the largest
71 1.1 christos * supported by TLS.)
72 1.1 christos */
73 1.1 christos #define MAX_HASH_BLOCK_SIZE 128
74 1.1 christos
75 1.1 christos /*-
76 1.1 christos * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
77 1.1 christos * record in |rec| by updating |rec->length| in constant time.
78 1.1 christos *
79 1.1 christos * block_size: the block size of the cipher used to encrypt the record.
80 1.1 christos * returns:
81 1.1 christos * 0: (in non-constant time) if the record is publicly invalid.
82 1.1 christos * 1: if the padding was valid
83 1.1 christos * -1: otherwise.
84 1.1 christos */
85 1.1 christos int ssl3_cbc_remove_padding(const SSL *s,
86 1.1 christos SSL3_RECORD *rec,
87 1.1 christos unsigned block_size, unsigned mac_size)
88 1.1 christos {
89 1.1 christos unsigned padding_length, good;
90 1.1 christos const unsigned overhead = 1 /* padding length byte */ + mac_size;
91 1.1 christos
92 1.1 christos /*
93 1.1 christos * These lengths are all public so we can test them in non-constant time.
94 1.1 christos */
95 1.1 christos if (overhead > rec->length)
96 1.1 christos return 0;
97 1.1 christos
98 1.1 christos padding_length = rec->data[rec->length - 1];
99 1.1 christos good = constant_time_ge(rec->length, padding_length + overhead);
100 1.1 christos /* SSLv3 requires that the padding is minimal. */
101 1.1 christos good &= constant_time_ge(block_size, padding_length + 1);
102 1.1 christos padding_length = good & (padding_length + 1);
103 1.1 christos rec->length -= padding_length;
104 1.1 christos rec->type |= padding_length << 8; /* kludge: pass padding length */
105 1.1 christos return constant_time_select_int(good, 1, -1);
106 1.1 christos }
107 1.1 christos
108 1.1 christos /*-
109 1.1 christos * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
110 1.1 christos * record in |rec| in constant time and returns 1 if the padding is valid and
111 1.1 christos * -1 otherwise. It also removes any explicit IV from the start of the record
112 1.1 christos * without leaking any timing about whether there was enough space after the
113 1.1 christos * padding was removed.
114 1.1 christos *
115 1.1 christos * block_size: the block size of the cipher used to encrypt the record.
116 1.1 christos * returns:
117 1.1 christos * 0: (in non-constant time) if the record is publicly invalid.
118 1.1 christos * 1: if the padding was valid
119 1.1 christos * -1: otherwise.
120 1.1 christos */
121 1.1 christos int tls1_cbc_remove_padding(const SSL *s,
122 1.1 christos SSL3_RECORD *rec,
123 1.1 christos unsigned block_size, unsigned mac_size)
124 1.1 christos {
125 1.1 christos unsigned padding_length, good, to_check, i;
126 1.1 christos const unsigned overhead = 1 /* padding length byte */ + mac_size;
127 1.1 christos /* Check if version requires explicit IV */
128 1.1 christos if (SSL_USE_EXPLICIT_IV(s)) {
129 1.1 christos /*
130 1.1 christos * These lengths are all public so we can test them in non-constant
131 1.1 christos * time.
132 1.1 christos */
133 1.1 christos if (overhead + block_size > rec->length)
134 1.1 christos return 0;
135 1.1 christos /* We can now safely skip explicit IV */
136 1.1 christos rec->data += block_size;
137 1.1 christos rec->input += block_size;
138 1.1 christos rec->length -= block_size;
139 1.1 christos } else if (overhead > rec->length)
140 1.1 christos return 0;
141 1.1 christos
142 1.1 christos padding_length = rec->data[rec->length - 1];
143 1.1 christos
144 1.1 christos /*
145 1.1 christos * NB: if compression is in operation the first packet may not be of even
146 1.1 christos * length so the padding bug check cannot be performed. This bug
147 1.1 christos * workaround has been around since SSLeay so hopefully it is either
148 1.1 christos * fixed now or no buggy implementation supports compression [steve]
149 1.1 christos */
150 1.1 christos if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) {
151 1.1 christos /* First packet is even in size, so check */
152 1.1 christos if ((CRYPTO_memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0", 8) == 0) &&
153 1.1 christos !(padding_length & 1)) {
154 1.1 christos s->s3->flags |= TLS1_FLAGS_TLS_PADDING_BUG;
155 1.1 christos }
156 1.1 christos if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) && padding_length > 0) {
157 1.1 christos padding_length--;
158 1.1 christos }
159 1.1 christos }
160 1.1 christos
161 1.1 christos if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
162 1.1 christos /* padding is already verified */
163 1.1 christos rec->length -= padding_length + 1;
164 1.1 christos return 1;
165 1.1 christos }
166 1.1 christos
167 1.1 christos good = constant_time_ge(rec->length, overhead + padding_length);
168 1.1 christos /*
169 1.1 christos * The padding consists of a length byte at the end of the record and
170 1.1 christos * then that many bytes of padding, all with the same value as the length
171 1.1 christos * byte. Thus, with the length byte included, there are i+1 bytes of
172 1.1 christos * padding. We can't check just |padding_length+1| bytes because that
173 1.1 christos * leaks decrypted information. Therefore we always have to check the
174 1.1 christos * maximum amount of padding possible. (Again, the length of the record
175 1.1 christos * is public information so we can use it.)
176 1.1 christos */
177 1.1 christos to_check = 255; /* maximum amount of padding. */
178 1.1 christos if (to_check > rec->length - 1)
179 1.1 christos to_check = rec->length - 1;
180 1.1 christos
181 1.1 christos for (i = 0; i < to_check; i++) {
182 1.1 christos unsigned char mask = constant_time_ge_8(padding_length, i);
183 1.1 christos unsigned char b = rec->data[rec->length - 1 - i];
184 1.1 christos /*
185 1.1 christos * The final |padding_length+1| bytes should all have the value
186 1.1 christos * |padding_length|. Therefore the XOR should be zero.
187 1.1 christos */
188 1.1 christos good &= ~(mask & (padding_length ^ b));
189 1.1 christos }
190 1.1 christos
191 1.1 christos /*
192 1.1 christos * If any of the final |padding_length+1| bytes had the wrong value, one
193 1.1 christos * or more of the lower eight bits of |good| will be cleared.
194 1.1 christos */
195 1.1 christos good = constant_time_eq(0xff, good & 0xff);
196 1.1 christos padding_length = good & (padding_length + 1);
197 1.1 christos rec->length -= padding_length;
198 1.1 christos rec->type |= padding_length << 8; /* kludge: pass padding length */
199 1.1 christos
200 1.1 christos return constant_time_select_int(good, 1, -1);
201 1.1 christos }
202 1.1 christos
203 1.1 christos /*-
204 1.1 christos * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
205 1.1 christos * constant time (independent of the concrete value of rec->length, which may
206 1.1 christos * vary within a 256-byte window).
207 1.1 christos *
208 1.1 christos * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
209 1.1 christos * this function.
210 1.1 christos *
211 1.1 christos * On entry:
212 1.1 christos * rec->orig_len >= md_size
213 1.1 christos * md_size <= EVP_MAX_MD_SIZE
214 1.1 christos *
215 1.1 christos * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
216 1.1 christos * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
217 1.1 christos * a single or pair of cache-lines, then the variable memory accesses don't
218 1.1 christos * actually affect the timing. CPUs with smaller cache-lines [if any] are
219 1.1 christos * not multi-core and are not considered vulnerable to cache-timing attacks.
220 1.1 christos */
221 1.1 christos #define CBC_MAC_ROTATE_IN_PLACE
222 1.1 christos
223 1.1 christos void ssl3_cbc_copy_mac(unsigned char *out,
224 1.1 christos const SSL3_RECORD *rec,
225 1.1 christos unsigned md_size, unsigned orig_len)
226 1.1 christos {
227 1.1 christos #if defined(CBC_MAC_ROTATE_IN_PLACE)
228 1.1 christos unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
229 1.1 christos unsigned char *rotated_mac;
230 1.1 christos #else
231 1.1 christos unsigned char rotated_mac[EVP_MAX_MD_SIZE];
232 1.1 christos #endif
233 1.1 christos
234 1.1 christos /*
235 1.1 christos * mac_end is the index of |rec->data| just after the end of the MAC.
236 1.1 christos */
237 1.1 christos unsigned mac_end = rec->length;
238 1.1 christos unsigned mac_start = mac_end - md_size;
239 1.1 christos /*
240 1.1 christos * scan_start contains the number of bytes that we can ignore because the
241 1.1 christos * MAC's position can only vary by 255 bytes.
242 1.1 christos */
243 1.1 christos unsigned scan_start = 0;
244 1.1 christos unsigned i, j;
245 1.1 christos unsigned div_spoiler;
246 1.1 christos unsigned rotate_offset;
247 1.1 christos
248 1.1 christos OPENSSL_assert(orig_len >= md_size);
249 1.1 christos OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
250 1.1 christos
251 1.1 christos #if defined(CBC_MAC_ROTATE_IN_PLACE)
252 1.1 christos rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
253 1.1 christos #endif
254 1.1 christos
255 1.1 christos /* This information is public so it's safe to branch based on it. */
256 1.1 christos if (orig_len > md_size + 255 + 1)
257 1.1 christos scan_start = orig_len - (md_size + 255 + 1);
258 1.1 christos /*
259 1.1 christos * div_spoiler contains a multiple of md_size that is used to cause the
260 1.1 christos * modulo operation to be constant time. Without this, the time varies
261 1.1 christos * based on the amount of padding when running on Intel chips at least.
262 1.1 christos * The aim of right-shifting md_size is so that the compiler doesn't
263 1.1 christos * figure out that it can remove div_spoiler as that would require it to
264 1.1 christos * prove that md_size is always even, which I hope is beyond it.
265 1.1 christos */
266 1.1 christos div_spoiler = md_size >> 1;
267 1.1 christos div_spoiler <<= (sizeof(div_spoiler) - 1) * 8;
268 1.1 christos rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
269 1.1 christos
270 1.1 christos memset(rotated_mac, 0, md_size);
271 1.1 christos for (i = scan_start, j = 0; i < orig_len; i++) {
272 1.1 christos unsigned char mac_started = constant_time_ge_8(i, mac_start);
273 1.1 christos unsigned char mac_ended = constant_time_ge_8(i, mac_end);
274 1.1 christos unsigned char b = rec->data[i];
275 1.1 christos rotated_mac[j++] |= b & mac_started & ~mac_ended;
276 1.1 christos j &= constant_time_lt(j, md_size);
277 1.1 christos }
278 1.1 christos
279 1.1 christos /* Now rotate the MAC */
280 1.1 christos #if defined(CBC_MAC_ROTATE_IN_PLACE)
281 1.1 christos j = 0;
282 1.1 christos for (i = 0; i < md_size; i++) {
283 1.1 christos /* in case cache-line is 32 bytes, touch second line */
284 1.1 christos ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
285 1.1 christos out[j++] = rotated_mac[rotate_offset++];
286 1.1 christos rotate_offset &= constant_time_lt(rotate_offset, md_size);
287 1.1 christos }
288 1.1 christos #else
289 1.1 christos memset(out, 0, md_size);
290 1.1 christos rotate_offset = md_size - rotate_offset;
291 1.1 christos rotate_offset &= constant_time_lt(rotate_offset, md_size);
292 1.1 christos for (i = 0; i < md_size; i++) {
293 1.1 christos for (j = 0; j < md_size; j++)
294 1.1 christos out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
295 1.1 christos rotate_offset++;
296 1.1 christos rotate_offset &= constant_time_lt(rotate_offset, md_size);
297 1.1 christos }
298 1.1 christos #endif
299 1.1 christos }
300 1.1 christos
301 1.1 christos /*
302 1.1 christos * u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
303 1.1 christos * little-endian order. The value of p is advanced by four.
304 1.1 christos */
305 1.1 christos #define u32toLE(n, p) \
306 1.1 christos (*((p)++)=(unsigned char)(n), \
307 1.1 christos *((p)++)=(unsigned char)(n>>8), \
308 1.1 christos *((p)++)=(unsigned char)(n>>16), \
309 1.1 christos *((p)++)=(unsigned char)(n>>24))
310 1.1 christos
311 1.1 christos /*
312 1.1 christos * These functions serialize the state of a hash and thus perform the
313 1.1 christos * standard "final" operation without adding the padding and length that such
314 1.1 christos * a function typically does.
315 1.1 christos */
316 1.1 christos static void tls1_md5_final_raw(void *ctx, unsigned char *md_out)
317 1.1 christos {
318 1.1 christos MD5_CTX *md5 = ctx;
319 1.1 christos u32toLE(md5->A, md_out);
320 1.1 christos u32toLE(md5->B, md_out);
321 1.1 christos u32toLE(md5->C, md_out);
322 1.1 christos u32toLE(md5->D, md_out);
323 1.1 christos }
324 1.1 christos
325 1.1 christos static void tls1_sha1_final_raw(void *ctx, unsigned char *md_out)
326 1.1 christos {
327 1.1 christos SHA_CTX *sha1 = ctx;
328 1.1 christos l2n(sha1->h0, md_out);
329 1.1 christos l2n(sha1->h1, md_out);
330 1.1 christos l2n(sha1->h2, md_out);
331 1.1 christos l2n(sha1->h3, md_out);
332 1.1 christos l2n(sha1->h4, md_out);
333 1.1 christos }
334 1.1 christos
335 1.1 christos #define LARGEST_DIGEST_CTX SHA_CTX
336 1.1 christos
337 1.1 christos #ifndef OPENSSL_NO_SHA256
338 1.1 christos static void tls1_sha256_final_raw(void *ctx, unsigned char *md_out)
339 1.1 christos {
340 1.1 christos SHA256_CTX *sha256 = ctx;
341 1.1 christos unsigned i;
342 1.1 christos
343 1.1 christos for (i = 0; i < 8; i++) {
344 1.1 christos l2n(sha256->h[i], md_out);
345 1.1 christos }
346 1.1 christos }
347 1.1 christos
348 1.1 christos # undef LARGEST_DIGEST_CTX
349 1.1 christos # define LARGEST_DIGEST_CTX SHA256_CTX
350 1.1 christos #endif
351 1.1 christos
352 1.1 christos #ifndef OPENSSL_NO_SHA512
353 1.1 christos static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
354 1.1 christos {
355 1.1 christos SHA512_CTX *sha512 = ctx;
356 1.1 christos unsigned i;
357 1.1 christos
358 1.1 christos for (i = 0; i < 8; i++) {
359 1.1 christos l2n8(sha512->h[i], md_out);
360 1.1 christos }
361 1.1 christos }
362 1.1 christos
363 1.1 christos # undef LARGEST_DIGEST_CTX
364 1.1 christos # define LARGEST_DIGEST_CTX SHA512_CTX
365 1.1 christos #endif
366 1.1 christos
367 1.1 christos /*
368 1.1 christos * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
369 1.1 christos * which ssl3_cbc_digest_record supports.
370 1.1 christos */
371 1.1 christos char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
372 1.1 christos {
373 1.1 christos #ifdef OPENSSL_FIPS
374 1.1 christos if (FIPS_mode())
375 1.1 christos return 0;
376 1.1 christos #endif
377 1.1 christos switch (EVP_MD_CTX_type(ctx)) {
378 1.1 christos case NID_md5:
379 1.1 christos case NID_sha1:
380 1.1 christos #ifndef OPENSSL_NO_SHA256
381 1.1 christos case NID_sha224:
382 1.1 christos case NID_sha256:
383 1.1 christos #endif
384 1.1 christos #ifndef OPENSSL_NO_SHA512
385 1.1 christos case NID_sha384:
386 1.1 christos case NID_sha512:
387 1.1 christos #endif
388 1.1 christos return 1;
389 1.1 christos default:
390 1.1 christos return 0;
391 1.1 christos }
392 1.1 christos }
393 1.1 christos
394 1.1 christos /*-
395 1.1 christos * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
396 1.1 christos * record.
397 1.1 christos *
398 1.1 christos * ctx: the EVP_MD_CTX from which we take the hash function.
399 1.1 christos * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
400 1.1 christos * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
401 1.1 christos * md_out_size: if non-NULL, the number of output bytes is written here.
402 1.1 christos * header: the 13-byte, TLS record header.
403 1.1 christos * data: the record data itself, less any preceeding explicit IV.
404 1.1 christos * data_plus_mac_size: the secret, reported length of the data and MAC
405 1.1 christos * once the padding has been removed.
406 1.1 christos * data_plus_mac_plus_padding_size: the public length of the whole
407 1.1 christos * record, including padding.
408 1.1 christos * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
409 1.1 christos *
410 1.1 christos * On entry: by virtue of having been through one of the remove_padding
411 1.1 christos * functions, above, we know that data_plus_mac_size is large enough to contain
412 1.1 christos * a padding byte and MAC. (If the padding was invalid, it might contain the
413 1.1 christos * padding too. )
414 1.1 christos * Returns 1 on success or 0 on error
415 1.1 christos */
416 1.1 christos int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
417 1.1 christos unsigned char *md_out,
418 1.1 christos size_t *md_out_size,
419 1.1 christos const unsigned char header[13],
420 1.1 christos const unsigned char *data,
421 1.1 christos size_t data_plus_mac_size,
422 1.1 christos size_t data_plus_mac_plus_padding_size,
423 1.1 christos const unsigned char *mac_secret,
424 1.1 christos unsigned mac_secret_length, char is_sslv3)
425 1.1 christos {
426 1.1 christos union {
427 1.1 christos double align;
428 1.1 christos unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
429 1.1 christos } md_state;
430 1.1 christos void (*md_final_raw) (void *ctx, unsigned char *md_out);
431 1.1 christos void (*md_transform) (void *ctx, const unsigned char *block);
432 1.1 christos unsigned md_size, md_block_size = 64;
433 1.1 christos unsigned sslv3_pad_length = 40, header_length, variance_blocks,
434 1.1 christos len, max_mac_bytes, num_blocks,
435 1.1 christos num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
436 1.1 christos unsigned int bits; /* at most 18 bits */
437 1.1 christos unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
438 1.1 christos /* hmac_pad is the masked HMAC key. */
439 1.1 christos unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
440 1.1 christos unsigned char first_block[MAX_HASH_BLOCK_SIZE];
441 1.1 christos unsigned char mac_out[EVP_MAX_MD_SIZE];
442 1.1 christos unsigned i, j, md_out_size_u;
443 1.1 christos EVP_MD_CTX md_ctx;
444 1.1 christos /*
445 1.1 christos * mdLengthSize is the number of bytes in the length field that
446 1.1 christos * terminates * the hash.
447 1.1 christos */
448 1.1 christos unsigned md_length_size = 8;
449 1.1 christos char length_is_big_endian = 1;
450 1.1 christos
451 1.1 christos /*
452 1.1 christos * This is a, hopefully redundant, check that allows us to forget about
453 1.1 christos * many possible overflows later in this function.
454 1.1 christos */
455 1.1 christos OPENSSL_assert(data_plus_mac_plus_padding_size < 1024 * 1024);
456 1.1 christos
457 1.1 christos switch (EVP_MD_CTX_type(ctx)) {
458 1.1 christos case NID_md5:
459 1.1 christos if (MD5_Init((MD5_CTX *)md_state.c) <= 0)
460 1.1 christos return 0;
461 1.1 christos md_final_raw = tls1_md5_final_raw;
462 1.1 christos md_transform =
463 1.1 christos (void (*)(void *ctx, const unsigned char *block))MD5_Transform;
464 1.1 christos md_size = 16;
465 1.1 christos sslv3_pad_length = 48;
466 1.1 christos length_is_big_endian = 0;
467 1.1 christos break;
468 1.1 christos case NID_sha1:
469 1.1 christos if (SHA1_Init((SHA_CTX *)md_state.c) <= 0)
470 1.1 christos return 0;
471 1.1 christos md_final_raw = tls1_sha1_final_raw;
472 1.1 christos md_transform =
473 1.1 christos (void (*)(void *ctx, const unsigned char *block))SHA1_Transform;
474 1.1 christos md_size = 20;
475 1.1 christos break;
476 1.1 christos #ifndef OPENSSL_NO_SHA256
477 1.1 christos case NID_sha224:
478 1.1 christos if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0)
479 1.1 christos return 0;
480 1.1 christos md_final_raw = tls1_sha256_final_raw;
481 1.1 christos md_transform =
482 1.1 christos (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
483 1.1 christos md_size = 224 / 8;
484 1.1 christos break;
485 1.1 christos case NID_sha256:
486 1.1 christos if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0)
487 1.1 christos return 0;
488 1.1 christos md_final_raw = tls1_sha256_final_raw;
489 1.1 christos md_transform =
490 1.1 christos (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
491 1.1 christos md_size = 32;
492 1.1 christos break;
493 1.1 christos #endif
494 1.1 christos #ifndef OPENSSL_NO_SHA512
495 1.1 christos case NID_sha384:
496 1.1 christos if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0)
497 1.1 christos return 0;
498 1.1 christos md_final_raw = tls1_sha512_final_raw;
499 1.1 christos md_transform =
500 1.1 christos (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
501 1.1 christos md_size = 384 / 8;
502 1.1 christos md_block_size = 128;
503 1.1 christos md_length_size = 16;
504 1.1 christos break;
505 1.1 christos case NID_sha512:
506 1.1 christos if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0)
507 1.1 christos return 0;
508 1.1 christos md_final_raw = tls1_sha512_final_raw;
509 1.1 christos md_transform =
510 1.1 christos (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
511 1.1 christos md_size = 64;
512 1.1 christos md_block_size = 128;
513 1.1 christos md_length_size = 16;
514 1.1 christos break;
515 1.1 christos #endif
516 1.1 christos default:
517 1.1 christos /*
518 1.1 christos * ssl3_cbc_record_digest_supported should have been called first to
519 1.1 christos * check that the hash function is supported.
520 1.1 christos */
521 1.1 christos OPENSSL_assert(0);
522 1.1 christos if (md_out_size)
523 1.1 christos *md_out_size = 0;
524 1.1 christos return 0;
525 1.1 christos }
526 1.1 christos
527 1.1 christos OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);
528 1.1 christos OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE);
529 1.1 christos OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
530 1.1 christos
531 1.1 christos header_length = 13;
532 1.1 christos if (is_sslv3) {
533 1.1 christos header_length = mac_secret_length + sslv3_pad_length + 8 /* sequence
534 1.1 christos * number */ +
535 1.1 christos 1 /* record type */ +
536 1.1 christos 2 /* record length */ ;
537 1.1 christos }
538 1.1 christos
539 1.1 christos /*
540 1.1 christos * variance_blocks is the number of blocks of the hash that we have to
541 1.1 christos * calculate in constant time because they could be altered by the
542 1.1 christos * padding value. In SSLv3, the padding must be minimal so the end of
543 1.1 christos * the plaintext varies by, at most, 15+20 = 35 bytes. (We conservatively
544 1.1 christos * assume that the MAC size varies from 0..20 bytes.) In case the 9 bytes
545 1.1 christos * of hash termination (0x80 + 64-bit length) don't fit in the final
546 1.1 christos * block, we say that the final two blocks can vary based on the padding.
547 1.1 christos * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
548 1.1 christos * required to be minimal. Therefore we say that the final six blocks can
549 1.1 christos * vary based on the padding. Later in the function, if the message is
550 1.1 christos * short and there obviously cannot be this many blocks then
551 1.1 christos * variance_blocks can be reduced.
552 1.1 christos */
553 1.1 christos variance_blocks = is_sslv3 ? 2 : 6;
554 1.1 christos /*
555 1.1 christos * From now on we're dealing with the MAC, which conceptually has 13
556 1.1 christos * bytes of `header' before the start of the data (TLS) or 71/75 bytes
557 1.1 christos * (SSLv3)
558 1.1 christos */
559 1.1 christos len = data_plus_mac_plus_padding_size + header_length;
560 1.1 christos /*
561 1.1 christos * max_mac_bytes contains the maximum bytes of bytes in the MAC,
562 1.1 christos * including * |header|, assuming that there's no padding.
563 1.1 christos */
564 1.1 christos max_mac_bytes = len - md_size - 1;
565 1.1 christos /* num_blocks is the maximum number of hash blocks. */
566 1.1 christos num_blocks =
567 1.1 christos (max_mac_bytes + 1 + md_length_size + md_block_size -
568 1.1 christos 1) / md_block_size;
569 1.1 christos /*
570 1.1 christos * In order to calculate the MAC in constant time we have to handle the
571 1.1 christos * final blocks specially because the padding value could cause the end
572 1.1 christos * to appear somewhere in the final |variance_blocks| blocks and we can't
573 1.1 christos * leak where. However, |num_starting_blocks| worth of data can be hashed
574 1.1 christos * right away because no padding value can affect whether they are
575 1.1 christos * plaintext.
576 1.1 christos */
577 1.1 christos num_starting_blocks = 0;
578 1.1 christos /*
579 1.1 christos * k is the starting byte offset into the conceptual header||data where
580 1.1 christos * we start processing.
581 1.1 christos */
582 1.1 christos k = 0;
583 1.1 christos /*
584 1.1 christos * mac_end_offset is the index just past the end of the data to be MACed.
585 1.1 christos */
586 1.1 christos mac_end_offset = data_plus_mac_size + header_length - md_size;
587 1.1 christos /*
588 1.1 christos * c is the index of the 0x80 byte in the final hash block that contains
589 1.1 christos * application data.
590 1.1 christos */
591 1.1 christos c = mac_end_offset % md_block_size;
592 1.1 christos /*
593 1.1 christos * index_a is the hash block number that contains the 0x80 terminating
594 1.1 christos * value.
595 1.1 christos */
596 1.1 christos index_a = mac_end_offset / md_block_size;
597 1.1 christos /*
598 1.1 christos * index_b is the hash block number that contains the 64-bit hash length,
599 1.1 christos * in bits.
600 1.1 christos */
601 1.1 christos index_b = (mac_end_offset + md_length_size) / md_block_size;
602 1.1 christos /*
603 1.1 christos * bits is the hash-length in bits. It includes the additional hash block
604 1.1 christos * for the masked HMAC key, or whole of |header| in the case of SSLv3.
605 1.1 christos */
606 1.1 christos
607 1.1 christos /*
608 1.1 christos * For SSLv3, if we're going to have any starting blocks then we need at
609 1.1 christos * least two because the header is larger than a single block.
610 1.1 christos */
611 1.1 christos if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) {
612 1.1 christos num_starting_blocks = num_blocks - variance_blocks;
613 1.1 christos k = md_block_size * num_starting_blocks;
614 1.1 christos }
615 1.1 christos
616 1.1 christos bits = 8 * mac_end_offset;
617 1.1 christos if (!is_sslv3) {
618 1.1 christos /*
619 1.1 christos * Compute the initial HMAC block. For SSLv3, the padding and secret
620 1.1 christos * bytes are included in |header| because they take more than a
621 1.1 christos * single block.
622 1.1 christos */
623 1.1 christos bits += 8 * md_block_size;
624 1.1 christos memset(hmac_pad, 0, md_block_size);
625 1.1 christos OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));
626 1.1 christos memcpy(hmac_pad, mac_secret, mac_secret_length);
627 1.1 christos for (i = 0; i < md_block_size; i++)
628 1.1 christos hmac_pad[i] ^= 0x36;
629 1.1 christos
630 1.1 christos md_transform(md_state.c, hmac_pad);
631 1.1 christos }
632 1.1 christos
633 1.1 christos if (length_is_big_endian) {
634 1.1 christos memset(length_bytes, 0, md_length_size - 4);
635 1.1 christos length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24);
636 1.1 christos length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16);
637 1.1 christos length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8);
638 1.1 christos length_bytes[md_length_size - 1] = (unsigned char)bits;
639 1.1 christos } else {
640 1.1 christos memset(length_bytes, 0, md_length_size);
641 1.1 christos length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24);
642 1.1 christos length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16);
643 1.1 christos length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8);
644 1.1 christos length_bytes[md_length_size - 8] = (unsigned char)bits;
645 1.1 christos }
646 1.1 christos
647 1.1 christos if (k > 0) {
648 1.1 christos if (is_sslv3) {
649 1.1 christos unsigned overhang;
650 1.1 christos
651 1.1 christos /*
652 1.1 christos * The SSLv3 header is larger than a single block. overhang is
653 1.1 christos * the number of bytes beyond a single block that the header
654 1.1 christos * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no
655 1.1 christos * ciphersuites in SSLv3 that are not SHA1 or MD5 based and
656 1.1 christos * therefore we can be confident that the header_length will be
657 1.1 christos * greater than |md_block_size|. However we add a sanity check just
658 1.1 christos * in case
659 1.1 christos */
660 1.1 christos if (header_length <= md_block_size) {
661 1.1 christos /* Should never happen */
662 1.1 christos return 0;
663 1.1 christos }
664 1.1 christos overhang = header_length - md_block_size;
665 1.1 christos md_transform(md_state.c, header);
666 1.1 christos memcpy(first_block, header + md_block_size, overhang);
667 1.1 christos memcpy(first_block + overhang, data, md_block_size - overhang);
668 1.1 christos md_transform(md_state.c, first_block);
669 1.1 christos for (i = 1; i < k / md_block_size - 1; i++)
670 1.1 christos md_transform(md_state.c, data + md_block_size * i - overhang);
671 1.1 christos } else {
672 1.1 christos /* k is a multiple of md_block_size. */
673 1.1 christos memcpy(first_block, header, 13);
674 1.1 christos memcpy(first_block + 13, data, md_block_size - 13);
675 1.1 christos md_transform(md_state.c, first_block);
676 1.1 christos for (i = 1; i < k / md_block_size; i++)
677 1.1 christos md_transform(md_state.c, data + md_block_size * i - 13);
678 1.1 christos }
679 1.1 christos }
680 1.1 christos
681 1.1 christos memset(mac_out, 0, sizeof(mac_out));
682 1.1 christos
683 1.1 christos /*
684 1.1 christos * We now process the final hash blocks. For each block, we construct it
685 1.1 christos * in constant time. If the |i==index_a| then we'll include the 0x80
686 1.1 christos * bytes and zero pad etc. For each block we selectively copy it, in
687 1.1 christos * constant time, to |mac_out|.
688 1.1 christos */
689 1.1 christos for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks;
690 1.1 christos i++) {
691 1.1 christos unsigned char block[MAX_HASH_BLOCK_SIZE];
692 1.1 christos unsigned char is_block_a = constant_time_eq_8(i, index_a);
693 1.1 christos unsigned char is_block_b = constant_time_eq_8(i, index_b);
694 1.1 christos for (j = 0; j < md_block_size; j++) {
695 1.1 christos unsigned char b = 0, is_past_c, is_past_cp1;
696 1.1 christos if (k < header_length)
697 1.1 christos b = header[k];
698 1.1 christos else if (k < data_plus_mac_plus_padding_size + header_length)
699 1.1 christos b = data[k - header_length];
700 1.1 christos k++;
701 1.1 christos
702 1.1 christos is_past_c = is_block_a & constant_time_ge_8(j, c);
703 1.1 christos is_past_cp1 = is_block_a & constant_time_ge_8(j, c + 1);
704 1.1 christos /*
705 1.1 christos * If this is the block containing the end of the application
706 1.1 christos * data, and we are at the offset for the 0x80 value, then
707 1.1 christos * overwrite b with 0x80.
708 1.1 christos */
709 1.1 christos b = constant_time_select_8(is_past_c, 0x80, b);
710 1.1 christos /*
711 1.1 christos * If this the the block containing the end of the application
712 1.1 christos * data and we're past the 0x80 value then just write zero.
713 1.1 christos */
714 1.1 christos b = b & ~is_past_cp1;
715 1.1 christos /*
716 1.1 christos * If this is index_b (the final block), but not index_a (the end
717 1.1 christos * of the data), then the 64-bit length didn't fit into index_a
718 1.1 christos * and we're having to add an extra block of zeros.
719 1.1 christos */
720 1.1 christos b &= ~is_block_b | is_block_a;
721 1.1 christos
722 1.1 christos /*
723 1.1 christos * The final bytes of one of the blocks contains the length.
724 1.1 christos */
725 1.1 christos if (j >= md_block_size - md_length_size) {
726 1.1 christos /* If this is index_b, write a length byte. */
727 1.1 christos b = constant_time_select_8(is_block_b,
728 1.1 christos length_bytes[j -
729 1.1 christos (md_block_size -
730 1.1 christos md_length_size)], b);
731 1.1 christos }
732 1.1 christos block[j] = b;
733 1.1 christos }
734 1.1 christos
735 1.1 christos md_transform(md_state.c, block);
736 1.1 christos md_final_raw(md_state.c, block);
737 1.1 christos /* If this is index_b, copy the hash value to |mac_out|. */
738 1.1 christos for (j = 0; j < md_size; j++)
739 1.1 christos mac_out[j] |= block[j] & is_block_b;
740 1.1 christos }
741 1.1 christos
742 1.1 christos EVP_MD_CTX_init(&md_ctx);
743 1.1 christos if (EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */ ) <= 0)
744 1.1 christos goto err;
745 1.1 christos if (is_sslv3) {
746 1.1 christos /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
747 1.1 christos memset(hmac_pad, 0x5c, sslv3_pad_length);
748 1.1 christos
749 1.1 christos if (EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length) <= 0
750 1.1 christos || EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length) <= 0
751 1.1 christos || EVP_DigestUpdate(&md_ctx, mac_out, md_size) <= 0)
752 1.1 christos goto err;
753 1.1 christos } else {
754 1.1 christos /* Complete the HMAC in the standard manner. */
755 1.1 christos for (i = 0; i < md_block_size; i++)
756 1.1 christos hmac_pad[i] ^= 0x6a;
757 1.1 christos
758 1.1 christos if (EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size) <= 0
759 1.1 christos || EVP_DigestUpdate(&md_ctx, mac_out, md_size) <= 0)
760 1.1 christos goto err;
761 1.1 christos }
762 1.1 christos EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
763 1.1 christos if (md_out_size)
764 1.1 christos *md_out_size = md_out_size_u;
765 1.1 christos EVP_MD_CTX_cleanup(&md_ctx);
766 1.1 christos
767 1.1 christos return 1;
768 1.1 christos err:
769 1.1 christos EVP_MD_CTX_cleanup(&md_ctx);
770 1.1 christos return 0;
771 1.1 christos }
772 1.1 christos
773 1.1 christos #ifdef OPENSSL_FIPS
774 1.1 christos
775 1.1 christos /*
776 1.1 christos * Due to the need to use EVP in FIPS mode we can't reimplement digests but
777 1.1 christos * we can ensure the number of blocks processed is equal for all cases by
778 1.1 christos * digesting additional data.
779 1.1 christos */
780 1.1 christos
781 1.1 christos void tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
782 1.1 christos EVP_MD_CTX *mac_ctx, const unsigned char *data,
783 1.1 christos size_t data_len, size_t orig_len)
784 1.1 christos {
785 1.1 christos size_t block_size, digest_pad, blocks_data, blocks_orig;
786 1.1 christos if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
787 1.1 christos return;
788 1.1 christos block_size = EVP_MD_CTX_block_size(mac_ctx);
789 1.1 christos /*-
790 1.1 christos * We are in FIPS mode if we get this far so we know we have only SHA*
791 1.1 christos * digests and TLS to deal with.
792 1.1 christos * Minimum digest padding length is 17 for SHA384/SHA512 and 9
793 1.1 christos * otherwise.
794 1.1 christos * Additional header is 13 bytes. To get the number of digest blocks
795 1.1 christos * processed round up the amount of data plus padding to the nearest
796 1.1 christos * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
797 1.1 christos * So we have:
798 1.1 christos * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
799 1.1 christos * equivalently:
800 1.1 christos * blocks = (payload_len + digest_pad + 12)/block_size + 1
801 1.1 christos * HMAC adds a constant overhead.
802 1.1 christos * We're ultimately only interested in differences so this becomes
803 1.1 christos * blocks = (payload_len + 29)/128
804 1.1 christos * for SHA384/SHA512 and
805 1.1 christos * blocks = (payload_len + 21)/64
806 1.1 christos * otherwise.
807 1.1 christos */
808 1.1 christos digest_pad = block_size == 64 ? 21 : 29;
809 1.1 christos blocks_orig = (orig_len + digest_pad) / block_size;
810 1.1 christos blocks_data = (data_len + digest_pad) / block_size;
811 1.1 christos /*
812 1.1 christos * MAC enough blocks to make up the difference between the original and
813 1.1 christos * actual lengths plus one extra block to ensure this is never a no op.
814 1.1 christos * The "data" pointer should always have enough space to perform this
815 1.1 christos * operation as it is large enough for a maximum length TLS buffer.
816 1.1 christos */
817 1.1 christos EVP_DigestSignUpdate(mac_ctx, data,
818 1.1 christos (blocks_orig - blocks_data + 1) * block_size);
819 1.1 christos }
820 1.1 christos #endif
821