X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_cbc.c;h=7d9c3776973decb1398ff9b4b971dc2230824950;hp=b20c56408445944e8f75def46944d1fff87d107c;hb=6decf9436f77ff65ed8ed773268663a9273cfbc8;hpb=02a36fdae8cb503e2f88eac52eb3053431089397 diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index b20c564084..7d9c377697 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -1,60 +1,15 @@ -/* ssl/s3_cbc.c */ -/* ==================================================================== - * Copyright (c) 2012 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). +/* + * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ -#include "../crypto/constant_time_locl.h" +#include "internal/constant_time_locl.h" #include "ssl_locl.h" +#include "internal/cryptlib.h" #include #include @@ -72,8 +27,6 @@ */ #define MAX_HASH_BLOCK_SIZE 128 - - /* * u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in * little-endian order. The value of p is advanced by four. @@ -137,8 +90,6 @@ static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out) */ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) { - if (FIPS_mode()) - return 0; switch (EVP_MD_CTX_type(ctx)) { case NID_md5: case NID_sha1: @@ -172,16 +123,17 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) * functions, above, we know that data_plus_mac_size is large enough to contain * a padding byte and MAC. (If the padding was invalid, it might contain the * padding too. ) + * Returns 1 on success or 0 on error */ -void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, - unsigned char *md_out, - size_t *md_out_size, - const unsigned char header[13], - const unsigned char *data, - size_t data_plus_mac_size, - size_t data_plus_mac_plus_padding_size, - const unsigned char *mac_secret, - unsigned mac_secret_length, char is_sslv3) +int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, + unsigned char *md_out, + size_t *md_out_size, + const unsigned char header[13], + const unsigned char *data, + size_t data_plus_mac_size, + size_t data_plus_mac_plus_padding_size, + const unsigned char *mac_secret, + size_t mac_secret_length, char is_sslv3) { union { double align; @@ -189,23 +141,24 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, } md_state; void (*md_final_raw) (void *ctx, unsigned char *md_out); void (*md_transform) (void *ctx, const unsigned char *block); - unsigned md_size, md_block_size = 64; - unsigned sslv3_pad_length = 40, header_length, variance_blocks, + size_t md_size, md_block_size = 64; + size_t sslv3_pad_length = 40, header_length, variance_blocks, len, max_mac_bytes, num_blocks, num_starting_blocks, k, mac_end_offset, c, index_a, index_b; - unsigned int bits; /* at most 18 bits */ + size_t bits; /* at most 18 bits */ unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES]; /* hmac_pad is the masked HMAC key. */ unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; unsigned char first_block[MAX_HASH_BLOCK_SIZE]; unsigned char mac_out[EVP_MAX_MD_SIZE]; - unsigned i, j, md_out_size_u; - EVP_MD_CTX md_ctx; + size_t i, j; + unsigned md_out_size_u; + EVP_MD_CTX *md_ctx = NULL; /* * mdLengthSize is the number of bytes in the length field that * terminates * the hash. */ - unsigned md_length_size = 8; + size_t md_length_size = 8; char length_is_big_endian = 1; int ret; @@ -213,11 +166,13 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, * This is a, hopefully redundant, check that allows us to forget about * many possible overflows later in this function. */ - OPENSSL_assert(data_plus_mac_plus_padding_size < 1024 * 1024); + if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024)) + return 0; switch (EVP_MD_CTX_type(ctx)) { case NID_md5: - MD5_Init((MD5_CTX *)md_state.c); + if (MD5_Init((MD5_CTX *)md_state.c) <= 0) + return 0; md_final_raw = tls1_md5_final_raw; md_transform = (void (*)(void *ctx, const unsigned char *block))MD5_Transform; @@ -226,28 +181,32 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, length_is_big_endian = 0; break; case NID_sha1: - SHA1_Init((SHA_CTX *)md_state.c); + if (SHA1_Init((SHA_CTX *)md_state.c) <= 0) + return 0; md_final_raw = tls1_sha1_final_raw; md_transform = (void (*)(void *ctx, const unsigned char *block))SHA1_Transform; md_size = 20; break; case NID_sha224: - SHA224_Init((SHA256_CTX *)md_state.c); + if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0) + return 0; md_final_raw = tls1_sha256_final_raw; md_transform = (void (*)(void *ctx, const unsigned char *block))SHA256_Transform; md_size = 224 / 8; break; case NID_sha256: - SHA256_Init((SHA256_CTX *)md_state.c); + if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0) + return 0; md_final_raw = tls1_sha256_final_raw; md_transform = (void (*)(void *ctx, const unsigned char *block))SHA256_Transform; md_size = 32; break; case NID_sha384: - SHA384_Init((SHA512_CTX *)md_state.c); + if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0) + return 0; md_final_raw = tls1_sha512_final_raw; md_transform = (void (*)(void *ctx, const unsigned char *block))SHA512_Transform; @@ -256,7 +215,8 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, md_length_size = 16; break; case NID_sha512: - SHA512_Init((SHA512_CTX *)md_state.c); + if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0) + return 0; md_final_raw = tls1_sha512_final_raw; md_transform = (void (*)(void *ctx, const unsigned char *block))SHA512_Transform; @@ -269,15 +229,15 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, * ssl3_cbc_record_digest_supported should have been called first to * check that the hash function is supported. */ - OPENSSL_assert(0); - if (md_out_size) - *md_out_size = -1; - return; + if (md_out_size != NULL) + *md_out_size = 0; + return ossl_assert(0); } - OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES); - OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE); - OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES) + || !ossl_assert(md_block_size <= MAX_HASH_BLOCK_SIZE) + || !ossl_assert(md_size <= EVP_MAX_MD_SIZE)) + return 0; header_length = 13; if (is_sslv3) { @@ -373,7 +333,8 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, */ bits += 8 * md_block_size; memset(hmac_pad, 0, md_block_size); - OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad)); + if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad))) + return 0; memcpy(hmac_pad, mac_secret, mac_secret_length); for (i = 0; i < md_block_size; i++) hmac_pad[i] ^= 0x36; @@ -397,12 +358,22 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, if (k > 0) { if (is_sslv3) { + size_t overhang; + /* * The SSLv3 header is larger than a single block. overhang is * the number of bytes beyond a single block that the header - * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). + * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no + * ciphersuites in SSLv3 that are not SHA1 or MD5 based and + * therefore we can be confident that the header_length will be + * greater than |md_block_size|. However we add a sanity check just + * in case */ - unsigned overhang = header_length - md_block_size; + if (header_length <= md_block_size) { + /* Should never happen */ + return 0; + } + overhang = header_length - md_block_size; md_transform(md_state.c, header); memcpy(first_block, header + md_block_size, overhang); memcpy(first_block + overhang, data, md_block_size - overhang); @@ -430,8 +401,8 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks; i++) { unsigned char block[MAX_HASH_BLOCK_SIZE]; - unsigned char is_block_a = constant_time_eq_8(i, index_a); - unsigned char is_block_b = constant_time_eq_8(i, index_b); + unsigned char is_block_a = constant_time_eq_8_s(i, index_a); + unsigned char is_block_b = constant_time_eq_8_s(i, index_b); for (j = 0; j < md_block_size; j++) { unsigned char b = 0, is_past_c, is_past_cp1; if (k < header_length) @@ -440,8 +411,8 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, b = data[k - header_length]; k++; - is_past_c = is_block_a & constant_time_ge_8(j, c); - is_past_cp1 = is_block_a & constant_time_ge_8(j, c + 1); + is_past_c = is_block_a & constant_time_ge_8_s(j, c); + is_past_cp1 = is_block_a & constant_time_ge_8_s(j, c + 1); /* * If this is the block containing the end of the application * data, and we are at the offset for the 0x80 value, then @@ -449,8 +420,8 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, */ b = constant_time_select_8(is_past_c, 0x80, b); /* - * If this the the block containing the end of the application - * data and we're past the 0x80 value then just write zero. + * If this block contains the end of the application data + * and we're past the 0x80 value then just write zero. */ b = b & ~is_past_cp1; /* @@ -480,71 +451,36 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, mac_out[j] |= block[j] & is_block_b; } - EVP_MD_CTX_init(&md_ctx); - EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */ ); + md_ctx = EVP_MD_CTX_new(); + if (md_ctx == NULL) + goto err; + if (EVP_DigestInit_ex(md_ctx, EVP_MD_CTX_md(ctx), NULL /* engine */ ) <= 0) + goto err; if (is_sslv3) { /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */ memset(hmac_pad, 0x5c, sslv3_pad_length); - EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length); - EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length); - EVP_DigestUpdate(&md_ctx, mac_out, md_size); + if (EVP_DigestUpdate(md_ctx, mac_secret, mac_secret_length) <= 0 + || EVP_DigestUpdate(md_ctx, hmac_pad, sslv3_pad_length) <= 0 + || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0) + goto err; } else { /* Complete the HMAC in the standard manner. */ for (i = 0; i < md_block_size; i++) hmac_pad[i] ^= 0x6a; - EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size); - EVP_DigestUpdate(&md_ctx, mac_out, md_size); + if (EVP_DigestUpdate(md_ctx, hmac_pad, md_block_size) <= 0 + || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0) + goto err; } - ret = EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u); + /* TODO(size_t): Convert me */ + ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u); if (ret && md_out_size) *md_out_size = md_out_size_u; - EVP_MD_CTX_cleanup(&md_ctx); -} - -/* - * Due to the need to use EVP in FIPS mode we can't reimplement digests but - * we can ensure the number of blocks processed is equal for all cases by - * digesting additional data. - */ + EVP_MD_CTX_free(md_ctx); -void tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx, - EVP_MD_CTX *mac_ctx, const unsigned char *data, - size_t data_len, size_t orig_len) -{ - size_t block_size, digest_pad, blocks_data, blocks_orig; - if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE) - return; - block_size = EVP_MD_CTX_block_size(mac_ctx); - /*- - * We are in FIPS mode if we get this far so we know we have only SHA* - * digests and TLS to deal with. - * Minimum digest padding length is 17 for SHA384/SHA512 and 9 - * otherwise. - * Additional header is 13 bytes. To get the number of digest blocks - * processed round up the amount of data plus padding to the nearest - * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise. - * So we have: - * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size - * equivalently: - * blocks = (payload_len + digest_pad + 12)/block_size + 1 - * HMAC adds a constant overhead. - * We're ultimately only interested in differences so this becomes - * blocks = (payload_len + 29)/128 - * for SHA384/SHA512 and - * blocks = (payload_len + 21)/64 - * otherwise. - */ - digest_pad = block_size == 64 ? 21 : 29; - blocks_orig = (orig_len + digest_pad) / block_size; - blocks_data = (data_len + digest_pad) / block_size; - /* - * MAC enough blocks to make up the difference between the original and - * actual lengths plus one extra block to ensure this is never a no op. - * The "data" pointer should always have enough space to perform this - * operation as it is large enough for a maximum length TLS buffer. - */ - EVP_DigestSignUpdate(mac_ctx, data, - (blocks_orig - blocks_data + 1) * block_size); + return 1; + err: + EVP_MD_CTX_free(md_ctx); + return 0; }