Home | History | Annotate | Line # | Download | only in ssl
s3_cbc.c revision 1.1.1.2
      1 /*
      2  * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
      3  *
      4  * Licensed under the OpenSSL license (the "License").  You may not use
      5  * this file except in compliance with the License.  You can obtain a copy
      6  * in the file LICENSE in the source distribution or at
      7  * https://www.openssl.org/source/license.html
      8  */
      9 
     10 #include "internal/constant_time.h"
     11 #include "ssl_local.h"
     12 #include "internal/cryptlib.h"
     13 
     14 #include <openssl/md5.h>
     15 #include <openssl/sha.h>
     16 
     17 /*
     18  * MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's
     19  * length field. (SHA-384/512 have 128-bit length.)
     20  */
     21 #define MAX_HASH_BIT_COUNT_BYTES 16
     22 
     23 /*
     24  * MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
     25  * Currently SHA-384/512 has a 128-byte block size and that's the largest
     26  * supported by TLS.)
     27  */
     28 #define MAX_HASH_BLOCK_SIZE 128
     29 
     30 /*
     31  * u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
     32  * little-endian order. The value of p is advanced by four.
     33  */
     34 #define u32toLE(n, p) \
     35         (*((p)++)=(unsigned char)(n), \
     36          *((p)++)=(unsigned char)(n>>8), \
     37          *((p)++)=(unsigned char)(n>>16), \
     38          *((p)++)=(unsigned char)(n>>24))
     39 
     40 /*
     41  * These functions serialize the state of a hash and thus perform the
     42  * standard "final" operation without adding the padding and length that such
     43  * a function typically does.
     44  */
     45 static void tls1_md5_final_raw(void *ctx, unsigned char *md_out)
     46 {
     47     MD5_CTX *md5 = ctx;
     48     u32toLE(md5->A, md_out);
     49     u32toLE(md5->B, md_out);
     50     u32toLE(md5->C, md_out);
     51     u32toLE(md5->D, md_out);
     52 }
     53 
     54 static void tls1_sha1_final_raw(void *ctx, unsigned char *md_out)
     55 {
     56     SHA_CTX *sha1 = ctx;
     57     l2n(sha1->h0, md_out);
     58     l2n(sha1->h1, md_out);
     59     l2n(sha1->h2, md_out);
     60     l2n(sha1->h3, md_out);
     61     l2n(sha1->h4, md_out);
     62 }
     63 
     64 static void tls1_sha256_final_raw(void *ctx, unsigned char *md_out)
     65 {
     66     SHA256_CTX *sha256 = ctx;
     67     unsigned i;
     68 
     69     for (i = 0; i < 8; i++) {
     70         l2n(sha256->h[i], md_out);
     71     }
     72 }
     73 
     74 static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
     75 {
     76     SHA512_CTX *sha512 = ctx;
     77     unsigned i;
     78 
     79     for (i = 0; i < 8; i++) {
     80         l2n8(sha512->h[i], md_out);
     81     }
     82 }
     83 
     84 #undef  LARGEST_DIGEST_CTX
     85 #define LARGEST_DIGEST_CTX SHA512_CTX
     86 
     87 /*
     88  * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
     89  * which ssl3_cbc_digest_record supports.
     90  */
     91 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
     92 {
     93     switch (EVP_MD_CTX_type(ctx)) {
     94     case NID_md5:
     95     case NID_sha1:
     96     case NID_sha224:
     97     case NID_sha256:
     98     case NID_sha384:
     99     case NID_sha512:
    100         return 1;
    101     default:
    102         return 0;
    103     }
    104 }
    105 
    106 /*-
    107  * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
    108  * record.
    109  *
    110  *   ctx: the EVP_MD_CTX from which we take the hash function.
    111  *     ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
    112  *   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
    113  *   md_out_size: if non-NULL, the number of output bytes is written here.
    114  *   header: the 13-byte, TLS record header.
    115  *   data: the record data itself, less any preceding explicit IV.
    116  *   data_plus_mac_size: the secret, reported length of the data and MAC
    117  *     once the padding has been removed.
    118  *   data_plus_mac_plus_padding_size: the public length of the whole
    119  *     record, including padding.
    120  *   is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
    121  *
    122  * On entry: by virtue of having been through one of the remove_padding
    123  * functions, above, we know that data_plus_mac_size is large enough to contain
    124  * a padding byte and MAC. (If the padding was invalid, it might contain the
    125  * padding too. )
    126  * Returns 1 on success or 0 on error
    127  */
    128 int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
    129                            unsigned char *md_out,
    130                            size_t *md_out_size,
    131                            const unsigned char *header,
    132                            const unsigned char *data,
    133                            size_t data_plus_mac_size,
    134                            size_t data_plus_mac_plus_padding_size,
    135                            const unsigned char *mac_secret,
    136                            size_t mac_secret_length, char is_sslv3)
    137 {
    138     union {
    139         double align;
    140         unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
    141     } md_state;
    142     void (*md_final_raw) (void *ctx, unsigned char *md_out);
    143     void (*md_transform) (void *ctx, const unsigned char *block);
    144     size_t md_size, md_block_size = 64;
    145     size_t sslv3_pad_length = 40, header_length, variance_blocks,
    146         len, max_mac_bytes, num_blocks,
    147         num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
    148     size_t bits;          /* at most 18 bits */
    149     unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
    150     /* hmac_pad is the masked HMAC key. */
    151     unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
    152     unsigned char first_block[MAX_HASH_BLOCK_SIZE];
    153     unsigned char mac_out[EVP_MAX_MD_SIZE];
    154     size_t i, j;
    155     unsigned md_out_size_u;
    156     EVP_MD_CTX *md_ctx = NULL;
    157     /*
    158      * mdLengthSize is the number of bytes in the length field that
    159      * terminates * the hash.
    160      */
    161     size_t md_length_size = 8;
    162     char length_is_big_endian = 1;
    163     int ret;
    164 
    165     /*
    166      * This is a, hopefully redundant, check that allows us to forget about
    167      * many possible overflows later in this function.
    168      */
    169     if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024))
    170         return 0;
    171 
    172     switch (EVP_MD_CTX_type(ctx)) {
    173     case NID_md5:
    174         if (MD5_Init((MD5_CTX *)md_state.c) <= 0)
    175             return 0;
    176         md_final_raw = tls1_md5_final_raw;
    177         md_transform =
    178             (void (*)(void *ctx, const unsigned char *block))MD5_Transform;
    179         md_size = 16;
    180         sslv3_pad_length = 48;
    181         length_is_big_endian = 0;
    182         break;
    183     case NID_sha1:
    184         if (SHA1_Init((SHA_CTX *)md_state.c) <= 0)
    185             return 0;
    186         md_final_raw = tls1_sha1_final_raw;
    187         md_transform =
    188             (void (*)(void *ctx, const unsigned char *block))SHA1_Transform;
    189         md_size = 20;
    190         break;
    191     case NID_sha224:
    192         if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0)
    193             return 0;
    194         md_final_raw = tls1_sha256_final_raw;
    195         md_transform =
    196             (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
    197         md_size = 224 / 8;
    198         break;
    199     case NID_sha256:
    200         if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0)
    201             return 0;
    202         md_final_raw = tls1_sha256_final_raw;
    203         md_transform =
    204             (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
    205         md_size = 32;
    206         break;
    207     case NID_sha384:
    208         if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0)
    209             return 0;
    210         md_final_raw = tls1_sha512_final_raw;
    211         md_transform =
    212             (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
    213         md_size = 384 / 8;
    214         md_block_size = 128;
    215         md_length_size = 16;
    216         break;
    217     case NID_sha512:
    218         if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0)
    219             return 0;
    220         md_final_raw = tls1_sha512_final_raw;
    221         md_transform =
    222             (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
    223         md_size = 64;
    224         md_block_size = 128;
    225         md_length_size = 16;
    226         break;
    227     default:
    228         /*
    229          * ssl3_cbc_record_digest_supported should have been called first to
    230          * check that the hash function is supported.
    231          */
    232         if (md_out_size != NULL)
    233             *md_out_size = 0;
    234         return ossl_assert(0);
    235     }
    236 
    237     if (!ossl_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES)
    238             || !ossl_assert(md_block_size <= MAX_HASH_BLOCK_SIZE)
    239             || !ossl_assert(md_size <= EVP_MAX_MD_SIZE))
    240         return 0;
    241 
    242     header_length = 13;
    243     if (is_sslv3) {
    244         header_length = mac_secret_length + sslv3_pad_length + 8 /* sequence
    245                                                                   * number */  +
    246             1 /* record type */  +
    247             2 /* record length */ ;
    248     }
    249 
    250     /*
    251      * variance_blocks is the number of blocks of the hash that we have to
    252      * calculate in constant time because they could be altered by the
    253      * padding value. In SSLv3, the padding must be minimal so the end of
    254      * the plaintext varies by, at most, 15+20 = 35 bytes. (We conservatively
    255      * assume that the MAC size varies from 0..20 bytes.) In case the 9 bytes
    256      * of hash termination (0x80 + 64-bit length) don't fit in the final
    257      * block, we say that the final two blocks can vary based on the padding.
    258      * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
    259      * required to be minimal. Therefore we say that the final |variance_blocks|
    260      * blocks can
    261      * vary based on the padding. Later in the function, if the message is
    262      * short and there obviously cannot be this many blocks then
    263      * variance_blocks can be reduced.
    264      */
    265     variance_blocks = is_sslv3 ? 2 : ( ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1);
    266     /*
    267      * From now on we're dealing with the MAC, which conceptually has 13
    268      * bytes of `header' before the start of the data (TLS) or 71/75 bytes
    269      * (SSLv3)
    270      */
    271     len = data_plus_mac_plus_padding_size + header_length;
    272     /*
    273      * max_mac_bytes contains the maximum bytes of bytes in the MAC,
    274      * including * |header|, assuming that there's no padding.
    275      */
    276     max_mac_bytes = len - md_size - 1;
    277     /* num_blocks is the maximum number of hash blocks. */
    278     num_blocks =
    279         (max_mac_bytes + 1 + md_length_size + md_block_size -
    280          1) / md_block_size;
    281     /*
    282      * In order to calculate the MAC in constant time we have to handle the
    283      * final blocks specially because the padding value could cause the end
    284      * to appear somewhere in the final |variance_blocks| blocks and we can't
    285      * leak where. However, |num_starting_blocks| worth of data can be hashed
    286      * right away because no padding value can affect whether they are
    287      * plaintext.
    288      */
    289     num_starting_blocks = 0;
    290     /*
    291      * k is the starting byte offset into the conceptual header||data where
    292      * we start processing.
    293      */
    294     k = 0;
    295     /*
    296      * mac_end_offset is the index just past the end of the data to be MACed.
    297      */
    298     mac_end_offset = data_plus_mac_size + header_length - md_size;
    299     /*
    300      * c is the index of the 0x80 byte in the final hash block that contains
    301      * application data.
    302      */
    303     c = mac_end_offset % md_block_size;
    304     /*
    305      * index_a is the hash block number that contains the 0x80 terminating
    306      * value.
    307      */
    308     index_a = mac_end_offset / md_block_size;
    309     /*
    310      * index_b is the hash block number that contains the 64-bit hash length,
    311      * in bits.
    312      */
    313     index_b = (mac_end_offset + md_length_size) / md_block_size;
    314     /*
    315      * bits is the hash-length in bits. It includes the additional hash block
    316      * for the masked HMAC key, or whole of |header| in the case of SSLv3.
    317      */
    318 
    319     /*
    320      * For SSLv3, if we're going to have any starting blocks then we need at
    321      * least two because the header is larger than a single block.
    322      */
    323     if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) {
    324         num_starting_blocks = num_blocks - variance_blocks;
    325         k = md_block_size * num_starting_blocks;
    326     }
    327 
    328     bits = 8 * mac_end_offset;
    329     if (!is_sslv3) {
    330         /*
    331          * Compute the initial HMAC block. For SSLv3, the padding and secret
    332          * bytes are included in |header| because they take more than a
    333          * single block.
    334          */
    335         bits += 8 * md_block_size;
    336         memset(hmac_pad, 0, md_block_size);
    337         if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad)))
    338             return 0;
    339         memcpy(hmac_pad, mac_secret, mac_secret_length);
    340         for (i = 0; i < md_block_size; i++)
    341             hmac_pad[i] ^= 0x36;
    342 
    343         md_transform(md_state.c, hmac_pad);
    344     }
    345 
    346     if (length_is_big_endian) {
    347         memset(length_bytes, 0, md_length_size - 4);
    348         length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24);
    349         length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16);
    350         length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8);
    351         length_bytes[md_length_size - 1] = (unsigned char)bits;
    352     } else {
    353         memset(length_bytes, 0, md_length_size);
    354         length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24);
    355         length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16);
    356         length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8);
    357         length_bytes[md_length_size - 8] = (unsigned char)bits;
    358     }
    359 
    360     if (k > 0) {
    361         if (is_sslv3) {
    362             size_t overhang;
    363 
    364             /*
    365              * The SSLv3 header is larger than a single block. overhang is
    366              * the number of bytes beyond a single block that the header
    367              * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no
    368              * ciphersuites in SSLv3 that are not SHA1 or MD5 based and
    369              * therefore we can be confident that the header_length will be
    370              * greater than |md_block_size|. However we add a sanity check just
    371              * in case
    372              */
    373             if (header_length <= md_block_size) {
    374                 /* Should never happen */
    375                 return 0;
    376             }
    377             overhang = header_length - md_block_size;
    378             md_transform(md_state.c, header);
    379             memcpy(first_block, header + md_block_size, overhang);
    380             memcpy(first_block + overhang, data, md_block_size - overhang);
    381             md_transform(md_state.c, first_block);
    382             for (i = 1; i < k / md_block_size - 1; i++)
    383                 md_transform(md_state.c, data + md_block_size * i - overhang);
    384         } else {
    385             /* k is a multiple of md_block_size. */
    386             memcpy(first_block, header, 13);
    387             memcpy(first_block + 13, data, md_block_size - 13);
    388             md_transform(md_state.c, first_block);
    389             for (i = 1; i < k / md_block_size; i++)
    390                 md_transform(md_state.c, data + md_block_size * i - 13);
    391         }
    392     }
    393 
    394     memset(mac_out, 0, sizeof(mac_out));
    395 
    396     /*
    397      * We now process the final hash blocks. For each block, we construct it
    398      * in constant time. If the |i==index_a| then we'll include the 0x80
    399      * bytes and zero pad etc. For each block we selectively copy it, in
    400      * constant time, to |mac_out|.
    401      */
    402     for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks;
    403          i++) {
    404         unsigned char block[MAX_HASH_BLOCK_SIZE];
    405         unsigned char is_block_a = constant_time_eq_8_s(i, index_a);
    406         unsigned char is_block_b = constant_time_eq_8_s(i, index_b);
    407         for (j = 0; j < md_block_size; j++) {
    408             unsigned char b = 0, is_past_c, is_past_cp1;
    409             if (k < header_length)
    410                 b = header[k];
    411             else if (k < data_plus_mac_plus_padding_size + header_length)
    412                 b = data[k - header_length];
    413             k++;
    414 
    415             is_past_c = is_block_a & constant_time_ge_8_s(j, c);
    416             is_past_cp1 = is_block_a & constant_time_ge_8_s(j, c + 1);
    417             /*
    418              * If this is the block containing the end of the application
    419              * data, and we are at the offset for the 0x80 value, then
    420              * overwrite b with 0x80.
    421              */
    422             b = constant_time_select_8(is_past_c, 0x80, b);
    423             /*
    424              * If this block contains the end of the application data
    425              * and we're past the 0x80 value then just write zero.
    426              */
    427             b = b & ~is_past_cp1;
    428             /*
    429              * If this is index_b (the final block), but not index_a (the end
    430              * of the data), then the 64-bit length didn't fit into index_a
    431              * and we're having to add an extra block of zeros.
    432              */
    433             b &= ~is_block_b | is_block_a;
    434 
    435             /*
    436              * The final bytes of one of the blocks contains the length.
    437              */
    438             if (j >= md_block_size - md_length_size) {
    439                 /* If this is index_b, write a length byte. */
    440                 b = constant_time_select_8(is_block_b,
    441                                            length_bytes[j -
    442                                                         (md_block_size -
    443                                                          md_length_size)], b);
    444             }
    445             block[j] = b;
    446         }
    447 
    448         md_transform(md_state.c, block);
    449         md_final_raw(md_state.c, block);
    450         /* If this is index_b, copy the hash value to |mac_out|. */
    451         for (j = 0; j < md_size; j++)
    452             mac_out[j] |= block[j] & is_block_b;
    453     }
    454 
    455     md_ctx = EVP_MD_CTX_new();
    456     if (md_ctx == NULL)
    457         goto err;
    458     if (EVP_DigestInit_ex(md_ctx, EVP_MD_CTX_md(ctx), NULL /* engine */ ) <= 0)
    459         goto err;
    460     if (is_sslv3) {
    461         /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
    462         memset(hmac_pad, 0x5c, sslv3_pad_length);
    463 
    464         if (EVP_DigestUpdate(md_ctx, mac_secret, mac_secret_length) <= 0
    465             || EVP_DigestUpdate(md_ctx, hmac_pad, sslv3_pad_length) <= 0
    466             || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
    467             goto err;
    468     } else {
    469         /* Complete the HMAC in the standard manner. */
    470         for (i = 0; i < md_block_size; i++)
    471             hmac_pad[i] ^= 0x6a;
    472 
    473         if (EVP_DigestUpdate(md_ctx, hmac_pad, md_block_size) <= 0
    474             || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
    475             goto err;
    476     }
    477     /* TODO(size_t): Convert me */
    478     ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u);
    479     if (ret && md_out_size)
    480         *md_out_size = md_out_size_u;
    481     EVP_MD_CTX_free(md_ctx);
    482 
    483     return 1;
    484  err:
    485     EVP_MD_CTX_free(md_ctx);
    486     return 0;
    487 }
    488