~ubuntu-branches/ubuntu/hardy/openssl/hardy-security

Viewing changes to ssl/s3_cbc.c

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2013-02-18 15:49:05 UTC
Revision ID: package-import@ubuntu.com-20130218154905-wk025r1lxtt4g4ug

Tags: 0.9.8g-4ubuntu3.20

* SECURITY UPDATE: denial of service via invalid OCSP key
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=66e8211c0b1347970096e04b18aa52567c325200
  - CVE-2013-0166
* SECURITY UPDATE: "Lucky Thirteen" timing side-channel TLS attack
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=270881316664396326c461ec7a124aec2c6cc081
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=35a65e814beb899fa1c69a7673a8956c6059dce7
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=a33e6702a0db1b9f4648d247b8b28a5c0e42ca13
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2928cb4c82d6516d9e65ede4901a5957d8c39c32
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b3a959a337b8083bc855623f24cebaf43a477350
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=be88529753897c29c677d1becb321f0072c0659c
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=99f5093347c65eecbd05f0668aea94b32fcf20d7
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=24b28060975c01b749391778d13ec2ea1323a1aa
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=924b11742296c13816a9f301e76fea023003920c
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=c23a7458209e773ffcd42bdcfa5cf2564df86bd7
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1909df070fb5c5b87246a2de19c17588deba5818
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=33ccde59a1ece0f68cc4b64e930001ab230725b1
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=5f9345a2f0b592457fc4a619ac98ea59ffd394ba
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=40e0de03955e218f45a7979cb46fba193f4e7fc2
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1213e6c3c2d7abeeb886d911a3c6c06c5da2e3a4
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=ca3b81c8580a609edac1f13a3f62d4348d66c3a8
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6351adecb4726476def5f5ad904a7d2e63480d53
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fb092ef4fca897344daf7189526f5f26be6487ce
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=59b1129e0a50fdf7e4e58d7c355783a7bfc1f44c
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4ea7019165db53b92b4284461c5c88bfe7c6e57d
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=76c61a5d1adb92388f39e585e4af860a20feb9bb
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=ff58eaa4b645a38f3a226cf566d969fffa64ef94
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=5864fd2061f43dc8f89b5755f19bd2a35dec636c
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fbe621d08f2026926c91c1c5f386b27605e39a43
  - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=a8655eb21a7f9a313db18daa6ccaed928fb6027c
  - CVE-2013-0169

Show diffs side-by-side

added added

removed removed

ssl/s3_cbc.c

/* ssl/s3_cbc.c */

/* ====================================================================

* Redistribution and use in source and binary forms, with or without

* modification, are permitted provided that the following conditions

* are met:

* 1. Redistributions of source code must retain the above copyright

* notice, this list of conditions and the following disclaimer.

* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in

* the documentation and/or other materials provided with the

* distribution.

* 3. All advertising materials mentioning features or use of this

* software must display the following acknowledgment:

* "This product includes software developed by the OpenSSL Project

* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

* endorse or promote products derived from this software without

* prior written permission. For written permission, please contact

* openssl-core@openssl.org.

* 5. Products derived from this software may not be called "OpenSSL"

* nor may "OpenSSL" appear in their names without prior written

* permission of the OpenSSL Project.

* 6. Redistributions of any form whatsoever must retain the following

* acknowledgment:

* "This product includes software developed by the OpenSSL Project

* for use in the OpenSSL Toolkit (http://www.openssl.org/)"

* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR

* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

* OF THE POSSIBILITY OF SUCH DAMAGE.

* ====================================================================

* This product includes cryptographic software written by Eric Young

* (eay@cryptsoft.com). This product includes software written by Tim

* Hudson (tjh@cryptsoft.com).

#include "ssl_locl.h"

#include <openssl/md5.h>

#include <openssl/sha.h>

/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length

* field. (SHA-384/512 have 128-bit length.) */

#define MAX_HASH_BIT_COUNT_BYTES 16

/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.

* Currently SHA-384/512 has a 128-byte block size and that's the largest

* supported by TLS.) */

#define MAX_HASH_BLOCK_SIZE 128

/* Some utility functions are needed:

* These macros return the given value with the MSB copied to all the other

* bits. They use the fact that arithmetic shift shifts-in the sign bit.

* However, this is not ensured by the C standard so you may need to replace

* them with something else on odd CPUs. */

#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )

#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))

/* constant_time_lt returns 0xff if a<b and 0x00 otherwise. */

static unsigned constant_time_lt(unsigned a, unsigned b)

{

a -= b;

return DUPLICATE_MSB_TO_ALL(a);

}

/* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */

static unsigned constant_time_ge(unsigned a, unsigned b)

{

a -= b;

return DUPLICATE_MSB_TO_ALL(~a);

}

/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */

static unsigned char constant_time_eq_8(unsigned a, unsigned b)

{

unsigned c = a ^ b;

c--;

return DUPLICATE_MSB_TO_ALL_8(c);

}

100

101

/* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC

102

* record in |rec| by updating |rec->length| in constant time.

103

104

* block_size: the block size of the cipher used to encrypt the record.

105

* returns:

106

* 0: (in non-constant time) if the record is publicly invalid.

107

* 1: if the padding was valid

108

* -1: otherwise. */

109

int ssl3_cbc_remove_padding(const SSL* s,

110

SSL3_RECORD *rec,

111

unsigned block_size,

112

unsigned mac_size)

113

{

114

unsigned padding_length, good;

115

const unsigned overhead = 1 /* padding length byte */ + mac_size;

116

117

/* These lengths are all public so we can test them in non-constant

118

* time. */

119

if (overhead > rec->length)

120

return 0;

121

122

padding_length = rec->data[rec->length-1];

123

good = constant_time_ge(rec->length, padding_length+overhead);

124

/* SSLv3 requires that the padding is minimal. */

125

good &= constant_time_ge(block_size, padding_length+1);

126

padding_length = good & (padding_length+1);

127

rec->length -= padding_length;

128

rec->type |= padding_length<<8; /* kludge: pass padding length */

129

return (int)((good & 1) | (~good & -1));

130

}

131

132

/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC

133

* record in |rec| in constant time and returns 1 if the padding is valid and

134

* -1 otherwise. It also removes any explicit IV from the start of the record

135

* without leaking any timing about whether there was enough space after the

136

* padding was removed.

137

138

* block_size: the block size of the cipher used to encrypt the record.

139

* returns:

140

* 0: (in non-constant time) if the record is publicly invalid.

141

* 1: if the padding was valid

142

* -1: otherwise. */

143

int tls1_cbc_remove_padding(const SSL* s,

144

SSL3_RECORD *rec,

145

unsigned block_size,

146

unsigned mac_size)

147

{

148

unsigned padding_length, good, to_check, i;

149

const unsigned overhead = 1 /* padding length byte */ + mac_size;

150

/* Check if version requires explicit IV */

151

if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)

152

{

153

/* These lengths are all public so we can test them in

154

* non-constant time.

155

156

if (overhead + block_size > rec->length)

157

return 0;

158

/* We can now safely skip explicit IV */

159

rec->data += block_size;

160

rec->input += block_size;

161

rec->length -= block_size;

162

}

163

else if (overhead > rec->length)

164

return 0;

165

166

padding_length = rec->data[rec->length-1];

167

168

/* NB: if compression is in operation the first packet may not be of

169

* even length so the padding bug check cannot be performed. This bug

170

* workaround has been around since SSLeay so hopefully it is either

171

* fixed now or no buggy implementation supports compression [steve]

172

173

if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand)

174

{

175

/* First packet is even in size, so check */

176

if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",8) == 0) &&

177

!(padding_length & 1))

178

{

179

s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;

180

}

181

if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) &&

182

padding_length > 0)

183

{

184

padding_length--;

185

}

186

}

187

188

good = constant_time_ge(rec->length, overhead+padding_length);

189

/* The padding consists of a length byte at the end of the record and

190

* then that many bytes of padding, all with the same value as the

191

* length byte. Thus, with the length byte included, there are i+1

192

* bytes of padding.

193

194

* We can't check just |padding_length+1| bytes because that leaks

195

* decrypted information. Therefore we always have to check the maximum

196

* amount of padding possible. (Again, the length of the record is

197

* public information so we can use it.) */

198

to_check = 255; /* maximum amount of padding. */

199

if (to_check > rec->length-1)

200

to_check = rec->length-1;

201

202

for (i = 0; i < to_check; i++)

203

{

204

unsigned char mask = constant_time_ge(padding_length, i);

205

unsigned char b = rec->data[rec->length-1-i];

206

/* The final |padding_length+1| bytes should all have the value

207

* |padding_length|. Therefore the XOR should be zero. */

208

good &= ~(mask&(padding_length ^ b));

209

}

210

211

/* If any of the final |padding_length+1| bytes had the wrong value,

212

* one or more of the lower eight bits of |good| will be cleared. We

213

* AND the bottom 8 bits together and duplicate the result to all the

214

* bits. */

215

good &= good >> 4;

216

good &= good >> 2;

217

good &= good >> 1;

218

good <<= sizeof(good)*8-1;

219

good = DUPLICATE_MSB_TO_ALL(good);

220

221

padding_length = good & (padding_length+1);

222

rec->length -= padding_length;

223

rec->type |= padding_length<<8; /* kludge: pass padding length */

224

225

return (int)((good & 1) | (~good & -1));

226

}

227

228

/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in

229

* constant time (independent of the concrete value of rec->length, which may

230

* vary within a 256-byte window).

231

232

* ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to

233

* this function.

234

235

* On entry:

236

* rec->orig_len >= md_size

237

* md_size <= EVP_MAX_MD_SIZE

238

239

* If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with

240

* variable accesses in a 64-byte-aligned buffer. Assuming that this fits into

241

* a single or pair of cache-lines, then the variable memory accesses don't

242

* actually affect the timing. CPUs with smaller cache-lines [if any] are

243

* not multi-core and are not considered vulnerable to cache-timing attacks.

244

245

#define CBC_MAC_ROTATE_IN_PLACE

246

247

void ssl3_cbc_copy_mac(unsigned char* out,

248

const SSL3_RECORD *rec,

249

unsigned md_size,unsigned orig_len)

250

{

251

#if defined(CBC_MAC_ROTATE_IN_PLACE)

252

unsigned char rotated_mac_buf[64+EVP_MAX_MD_SIZE];

253

unsigned char *rotated_mac;

254

#else

255

unsigned char rotated_mac[EVP_MAX_MD_SIZE];

256

#endif

257

258

/* mac_end is the index of |rec->data| just after the end of the MAC. */

259

unsigned mac_end = rec->length;

260

unsigned mac_start = mac_end - md_size;

261

/* scan_start contains the number of bytes that we can ignore because

262

* the MAC's position can only vary by 255 bytes. */

263

unsigned scan_start = 0;

264

unsigned i, j;

265

unsigned div_spoiler;

266

unsigned rotate_offset;

267

268

OPENSSL_assert(orig_len >= md_size);

269

OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);

270

271

#if defined(CBC_MAC_ROTATE_IN_PLACE)

272

rotated_mac = rotated_mac_buf + ((0-(size_t)rotated_mac_buf)&63);

273

#endif

274

275

/* This information is public so it's safe to branch based on it. */

276

if (orig_len > md_size + 255 + 1)

277

scan_start = orig_len - (md_size + 255 + 1);

278

/* div_spoiler contains a multiple of md_size that is used to cause the

279

* modulo operation to be constant time. Without this, the time varies

280

* based on the amount of padding when running on Intel chips at least.

281

282

* The aim of right-shifting md_size is so that the compiler doesn't

283

* figure out that it can remove div_spoiler as that would require it

284

* to prove that md_size is always even, which I hope is beyond it. */

285

div_spoiler = md_size >> 1;

286

div_spoiler <<= (sizeof(div_spoiler)-1)*8;

287

rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;

288

289

memset(rotated_mac, 0, md_size);

290

for (i = scan_start, j = 0; i < orig_len; i++)

291

{

292

unsigned char mac_started = constant_time_ge(i, mac_start);

293

unsigned char mac_ended = constant_time_ge(i, mac_end);

294

unsigned char b = rec->data[i];

295

rotated_mac[j++] |= b & mac_started & ~mac_ended;

296

j &= constant_time_lt(j,md_size);

297

}

298

299

/* Now rotate the MAC */

300

#if defined(CBC_MAC_ROTATE_IN_PLACE)

301

j = 0;

302

for (i = 0; i < md_size; i++)

303

{

304

/* in case cache-line is 32 bytes, touch second line */

305

((volatile unsigned char *)rotated_mac)[rotate_offset^32];

306

out[j++] = rotated_mac[rotate_offset++];

307

rotate_offset &= constant_time_lt(rotate_offset,md_size);

308

}

309

#else

310

memset(out, 0, md_size);

311

rotate_offset = md_size - rotate_offset;

312

rotate_offset &= constant_time_lt(rotate_offset,md_size);

313

for (i = 0; i < md_size; i++)

314

{

315

for (j = 0; j < md_size; j++)

316

out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);

317

rotate_offset++;

318

rotate_offset &= constant_time_lt(rotate_offset,md_size);

319

}

320

#endif

321

}

322

323

/* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in

324

* little-endian order. The value of p is advanced by four. */

325

#define u32toLE(n, p) \

326

(*((p)++)=(unsigned char)(n), \

327

*((p)++)=(unsigned char)(n>>8), \

328

*((p)++)=(unsigned char)(n>>16), \

329

*((p)++)=(unsigned char)(n>>24))

330

331

/* These functions serialize the state of a hash and thus perform the standard

332

* "final" operation without adding the padding and length that such a function

333

* typically does. */

334

static void tls1_md5_final_raw(void* ctx, unsigned char *md_out)

335

{

336

MD5_CTX *md5 = ctx;

337

u32toLE(md5->A, md_out);

338

u32toLE(md5->B, md_out);

339

u32toLE(md5->C, md_out);

340

u32toLE(md5->D, md_out);

341

}

342

343

static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out)

344

{

345

SHA_CTX *sha1 = ctx;

346

l2n(sha1->h0, md_out);

347

l2n(sha1->h1, md_out);

348

l2n(sha1->h2, md_out);

349

l2n(sha1->h3, md_out);

350

l2n(sha1->h4, md_out);

351

}

352

#define LARGEST_DIGEST_CTX SHA_CTX

353

354

#ifndef OPENSSL_NO_SHA256

355

static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out)

356

{

357

SHA256_CTX *sha256 = ctx;

358

unsigned i;

359

360

for (i = 0; i < 8; i++)

361

{

362

l2n(sha256->h[i], md_out);

363

}

364

}

365

#undef LARGEST_DIGEST_CTX

366

#define LARGEST_DIGEST_CTX SHA256_CTX

367

#endif

368

369

#ifndef OPENSSL_NO_SHA512

370

static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)

371

{

372

SHA512_CTX *sha512 = ctx;

373

unsigned i;

374

375

for (i = 0; i < 8; i++)

376

{

377

l2n8(sha512->h[i], md_out);

378

}

379

}

380

#undef LARGEST_DIGEST_CTX

381

#define LARGEST_DIGEST_CTX SHA512_CTX

382

#endif

383

384

/* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function

385

* which ssl3_cbc_digest_record supports. */

386

char ssl3_cbc_record_digest_supported(const EVP_MD *digest)

387

{

388

#ifdef OPENSSL_FIPS

389

if (FIPS_mode())

390

return 0;

391

#endif

392

switch (EVP_MD_type(digest))

393

{

394

case NID_md5:

395

case NID_sha1:

396

#ifndef OPENSSL_NO_SHA256

397

case NID_sha224:

398

case NID_sha256:

399

#endif

400

#ifndef OPENSSL_NO_SHA512

401

case NID_sha384:

402

case NID_sha512:

403

#endif

404

return 1;

405

default:

406

return 0;

407

}

408

}

409

410

/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS

411

* record.

412

413

* ctx: the EVP_MD_CTX from which we take the hash function.

414

* ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.

415

* md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.

416

* md_out_size: if non-NULL, the number of output bytes is written here.

417

* header: the 13-byte, TLS record header.

418

* data: the record data itself, less any preceeding explicit IV.

419

* data_plus_mac_size: the secret, reported length of the data and MAC

420

* once the padding has been removed.

421

* data_plus_mac_plus_padding_size: the public length of the whole

422

* record, including padding.

423

* is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.

424

425

* On entry: by virtue of having been through one of the remove_padding

426

* functions, above, we know that data_plus_mac_size is large enough to contain

427

* a padding byte and MAC. (If the padding was invalid, it might contain the

428

* padding too. ) */

429

void ssl3_cbc_digest_record(

430

const EVP_MD *digest,

431

unsigned char* md_out,

432

size_t* md_out_size,

433

const unsigned char header[13],

434

const unsigned char *data,

435

size_t data_plus_mac_size,

436

size_t data_plus_mac_plus_padding_size,

437

const unsigned char *mac_secret,

438

unsigned mac_secret_length,

439

char is_sslv3)

440

{

441

union { double align;

442

unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; } md_state;

443

void (*md_final_raw)(void *ctx, unsigned char *md_out);

444

void (*md_transform)(void *ctx, const unsigned char *block);

445

unsigned md_size, md_block_size = 64;

446

unsigned sslv3_pad_length = 40, header_length, variance_blocks,

447

len, max_mac_bytes, num_blocks,

448

num_starting_blocks, k, mac_end_offset, c, index_a, index_b;

449

unsigned int bits; /* at most 18 bits */

450

unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];

451

/* hmac_pad is the masked HMAC key. */

452

unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];

453

unsigned char first_block[MAX_HASH_BLOCK_SIZE];

454

unsigned char mac_out[EVP_MAX_MD_SIZE];

455

unsigned i, j, md_out_size_u;

456

EVP_MD_CTX md_ctx;

457

/* mdLengthSize is the number of bytes in the length field that terminates

458

* the hash. */

459

unsigned md_length_size = 8;

460

char length_is_big_endian = 1;

461

462

/* This is a, hopefully redundant, check that allows us to forget about

463

* many possible overflows later in this function. */

464

OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024);

465

466

switch (EVP_MD_type(digest))

467

{

468

case NID_md5:

469

MD5_Init((MD5_CTX*)md_state.c);

470

md_final_raw = tls1_md5_final_raw;

471

md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;

472

md_size = 16;

473

sslv3_pad_length = 48;

474

length_is_big_endian = 0;

475

break;

476

case NID_sha1:

477

SHA1_Init((SHA_CTX*)md_state.c);

478

md_final_raw = tls1_sha1_final_raw;

479

md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform;

480

md_size = 20;

481

break;

482

#ifndef OPENSSL_NO_SHA256

483

case NID_sha224:

484

SHA224_Init((SHA256_CTX*)md_state.c);

485

md_final_raw = tls1_sha256_final_raw;

486

md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;

487

md_size = 224/8;

488

break;

489

case NID_sha256:

490

SHA256_Init((SHA256_CTX*)md_state.c);

491

md_final_raw = tls1_sha256_final_raw;

492

md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;

493

md_size = 32;

494

break;

495

#endif

496

#ifndef OPENSSL_NO_SHA512

497

case NID_sha384:

498

SHA384_Init((SHA512_CTX*)md_state.c);

499

md_final_raw = tls1_sha512_final_raw;

500

md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;

501

md_size = 384/8;

502

md_block_size = 128;

503

md_length_size = 16;

504

break;

505

case NID_sha512:

506

SHA512_Init((SHA512_CTX*)md_state.c);

507

md_final_raw = tls1_sha512_final_raw;

508

md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;

509

md_size = 64;

510

md_block_size = 128;

511

md_length_size = 16;

512

break;

513

#endif

514

default:

515

/* ssl3_cbc_record_digest_supported should have been

516

* called first to check that the hash function is

517

* supported. */

518

OPENSSL_assert(0);

519

if (md_out_size)

520

*md_out_size = -1;

521

return;

522

}

523

524

OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);

525

OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE);

526

OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);

527

528

header_length = 13;

529

if (is_sslv3)

530

{

531

header_length =

532

mac_secret_length +

533

sslv3_pad_length +

534

8 /* sequence number */ +

535

1 /* record type */ +

536

2 /* record length */;

537

}

538

539

/* variance_blocks is the number of blocks of the hash that we have to

540

* calculate in constant time because they could be altered by the

541

* padding value.

542

543

* In SSLv3, the padding must be minimal so the end of the plaintext

544

* varies by, at most, 15+20 = 35 bytes. (We conservatively assume that

545

* the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash

546

* termination (0x80 + 64-bit length) don't fit in the final block, we

547

* say that the final two blocks can vary based on the padding.

548

549

* TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not

550

* required to be minimal. Therefore we say that the final six blocks

551

* can vary based on the padding.

552

553

* Later in the function, if the message is short and there obviously

554

* cannot be this many blocks then variance_blocks can be reduced. */

555

variance_blocks = is_sslv3 ? 2 : 6;

556

/* From now on we're dealing with the MAC, which conceptually has 13

557

* bytes of `header' before the start of the data (TLS) or 71/75 bytes

558

* (SSLv3) */

559

len = data_plus_mac_plus_padding_size + header_length;

560

/* max_mac_bytes contains the maximum bytes of bytes in the MAC, including

561

* |header|, assuming that there's no padding. */

562

max_mac_bytes = len - md_size - 1;

563

/* num_blocks is the maximum number of hash blocks. */

564

num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size;

565

/* In order to calculate the MAC in constant time we have to handle

566

* the final blocks specially because the padding value could cause the

567

* end to appear somewhere in the final |variance_blocks| blocks and we

568

* can't leak where. However, |num_starting_blocks| worth of data can

569

* be hashed right away because no padding value can affect whether

570

* they are plaintext. */

571

num_starting_blocks = 0;

572

/* k is the starting byte offset into the conceptual header||data where

573

* we start processing. */

574

k = 0;

575

/* mac_end_offset is the index just past the end of the data to be

576

* MACed. */

577

mac_end_offset = data_plus_mac_size + header_length - md_size;

578

/* c is the index of the 0x80 byte in the final hash block that

579

* contains application data. */

580

c = mac_end_offset % md_block_size;

581

/* index_a is the hash block number that contains the 0x80 terminating

582

* value. */

583

index_a = mac_end_offset / md_block_size;

584

/* index_b is the hash block number that contains the 64-bit hash

585

* length, in bits. */

586

index_b = (mac_end_offset + md_length_size) / md_block_size;

587

/* bits is the hash-length in bits. It includes the additional hash

588

* block for the masked HMAC key, or whole of |header| in the case of

589

* SSLv3. */

590

591

/* For SSLv3, if we're going to have any starting blocks then we need

592

* at least two because the header is larger than a single block. */

593

if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0))

594

{

595

num_starting_blocks = num_blocks - variance_blocks;

596

k = md_block_size*num_starting_blocks;

597

}

598

599

bits = 8*mac_end_offset;

600

if (!is_sslv3)

601

{

602

/* Compute the initial HMAC block. For SSLv3, the padding and

603

* secret bytes are included in |header| because they take more

604

* than a single block. */

605

bits += 8*md_block_size;

606

memset(hmac_pad, 0, md_block_size);

607

OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));

608

memcpy(hmac_pad, mac_secret, mac_secret_length);

609

for (i = 0; i < md_block_size; i++)

610

hmac_pad[i] ^= 0x36;

611

612

md_transform(md_state.c, hmac_pad);

613

}

614

615

if (length_is_big_endian)

616

{

617

memset(length_bytes,0,md_length_size-4);

618

length_bytes[md_length_size-4] = (unsigned char)(bits>>24);

619

length_bytes[md_length_size-3] = (unsigned char)(bits>>16);

620

length_bytes[md_length_size-2] = (unsigned char)(bits>>8);

621

length_bytes[md_length_size-1] = (unsigned char)bits;

622

}

623

else

624

{

625

memset(length_bytes,0,md_length_size);

626

length_bytes[md_length_size-5] = (unsigned char)(bits>>24);

627

length_bytes[md_length_size-6] = (unsigned char)(bits>>16);

628

length_bytes[md_length_size-7] = (unsigned char)(bits>>8);

629

length_bytes[md_length_size-8] = (unsigned char)bits;

630

}

631

632

if (k > 0)

633

{

634

if (is_sslv3)

635

{

636

/* The SSLv3 header is larger than a single block.

637

* overhang is the number of bytes beyond a single

638

* block that the header consumes: either 7 bytes

639

* (SHA1) or 11 bytes (MD5). */

640

unsigned overhang = header_length-md_block_size;

641

md_transform(md_state.c, header);

642

memcpy(first_block, header + md_block_size, overhang);

643

memcpy(first_block + overhang, data, md_block_size-overhang);

644

md_transform(md_state.c, first_block);

645

for (i = 1; i < k/md_block_size - 1; i++)

646

md_transform(md_state.c, data + md_block_size*i - overhang);

647

}

648

else

649

{

650

/* k is a multiple of md_block_size. */

651

memcpy(first_block, header, 13);

652

memcpy(first_block+13, data, md_block_size-13);

653

md_transform(md_state.c, first_block);

654

for (i = 1; i < k/md_block_size; i++)

655

md_transform(md_state.c, data + md_block_size*i - 13);

656

}

657

}

658

659

memset(mac_out, 0, sizeof(mac_out));

660

661

/* We now process the final hash blocks. For each block, we construct

662

* it in constant time. If the |i==index_a| then we'll include the 0x80

663

* bytes and zero pad etc. For each block we selectively copy it, in

664

* constant time, to |mac_out|. */

665

for (i = num_starting_blocks; i <= num_starting_blocks+variance_blocks; i++)

666

{

667

unsigned char block[MAX_HASH_BLOCK_SIZE];

668

unsigned char is_block_a = constant_time_eq_8(i, index_a);

669

unsigned char is_block_b = constant_time_eq_8(i, index_b);

670

for (j = 0; j < md_block_size; j++)

671

{

672

unsigned char b = 0, is_past_c, is_past_cp1;

673

if (k < header_length)

674

b = header[k];

675

else if (k < data_plus_mac_plus_padding_size + header_length)

676

b = data[k-header_length];

677

k++;

678

679

is_past_c = is_block_a & constant_time_ge(j, c);

680

is_past_cp1 = is_block_a & constant_time_ge(j, c+1);

681

/* If this is the block containing the end of the

682

* application data, and we are at the offset for the

683

* 0x80 value, then overwrite b with 0x80. */

684

b = (b&~is_past_c) | (0x80&is_past_c);

685

/* If this the the block containing the end of the

686

* application data and we're past the 0x80 value then

687

* just write zero. */

688

b = b&~is_past_cp1;

689

/* If this is index_b (the final block), but not

690

* index_a (the end of the data), then the 64-bit

691

* length didn't fit into index_a and we're having to

692

* add an extra block of zeros. */

693

b &= ~is_block_b | is_block_a;

694

695

/* The final bytes of one of the blocks contains the

696

* length. */

697

if (j >= md_block_size - md_length_size)

698

{

699

/* If this is index_b, write a length byte. */

700

b = (b&~is_block_b) | (is_block_b&length_bytes[j-(md_block_size-md_length_size)]);

701

}

702

block[j] = b;

703

}

704

705

md_transform(md_state.c, block);

706

md_final_raw(md_state.c, block);

707

/* If this is index_b, copy the hash value to |mac_out|. */

708

for (j = 0; j < md_size; j++)

709

mac_out[j] |= block[j]&is_block_b;

710

}

711

712

EVP_MD_CTX_init(&md_ctx);

713

EVP_DigestInit_ex(&md_ctx, digest, NULL /* engine */);

714

if (is_sslv3)

715

{

716

/* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */

717

memset(hmac_pad, 0x5c, sslv3_pad_length);

718

719

EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length);

720

EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length);

721

EVP_DigestUpdate(&md_ctx, mac_out, md_size);

722

}

723

else

724

{

725

/* Complete the HMAC in the standard manner. */

726

for (i = 0; i < md_block_size; i++)

727

hmac_pad[i] ^= 0x6a;

728

729

EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);

730

EVP_DigestUpdate(&md_ctx, mac_out, md_size);

731

}

732

EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);

733

if (md_out_size)

734

*md_out_size = md_out_size_u;

735

EVP_MD_CTX_cleanup(&md_ctx);

736

}

737

738

#ifdef OPENSSL_FIPS

739

740

/* Due to the need to use EVP in FIPS mode we can't reimplement digests but

741

* we can ensure the number of blocks processed is equal for all cases

742

* by digesting additional data.

743

744

745

void tls_fips_digest_extra(

746

const EVP_CIPHER_CTX *cipher_ctx, const EVP_MD *hash, HMAC_CTX *hctx,

747

const unsigned char *data, size_t data_len, size_t orig_len)

748

{

749

size_t block_size, digest_pad, blocks_data, blocks_orig;

750

if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)

751

return;

752

block_size = EVP_MD_block_size(hash);

753

/* We are in FIPS mode if we get this far so we know we have only SHA*

754

* digests and TLS to deal with.

755

* Minimum digest padding length is 17 for SHA384/SHA512 and 9

756

* otherwise.

757

* Additional header is 13 bytes. To get the number of digest blocks

758

* processed round up the amount of data plus padding to the nearest

759

* block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.

760

* So we have:

761

* blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size

762

* equivalently:

763

* blocks = (payload_len + digest_pad + 12)/block_size + 1

764

* HMAC adds a constant overhead.

765

* We're ultimately only interested in differences so this becomes

766

* blocks = (payload_len + 29)/128

767

* for SHA384/SHA512 and

768

* blocks = (payload_len + 21)/64

769

* otherwise.

770

771

digest_pad = block_size == 64 ? 21 : 29;

772

blocks_orig = (orig_len + digest_pad)/block_size;

773

blocks_data = (data_len + digest_pad)/block_size;

774

/* MAC enough blocks to make up the difference between the original

775

* and actual lengths plus one extra block to ensure this is never a

776

* no op. The "data" pointer should always have enough space to

777

* perform this operation as it is large enough for a maximum

778

* length TLS buffer.

779

780

HMAC_Update(hctx, data,

781

(blocks_orig - blocks_data + 1) * block_size);

782

}

783

#endif

Older »