1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
|
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/* this file is patched by Sidetrail, clang-format invalidates patches */
/* clang-format off */
#include <openssl/md5.h>
#include <openssl/sha.h>
#include "error/s2n_errno.h"
#include "crypto/s2n_hmac.h"
#include "crypto/s2n_hash.h"
#include "crypto/s2n_fips.h"
#include "utils/s2n_safety.h"
#include "utils/s2n_blob.h"
#include "utils/s2n_mem.h"
#include <stdint.h>
int s2n_hash_hmac_alg(s2n_hash_algorithm hash_alg, s2n_hmac_algorithm *out)
{
POSIX_ENSURE(S2N_MEM_IS_WRITABLE_CHECK(out, sizeof(*out)), S2N_ERR_PRECONDITION_VIOLATION);
switch(hash_alg) {
case S2N_HASH_NONE: *out = S2N_HMAC_NONE; break;
case S2N_HASH_MD5: *out = S2N_HMAC_MD5; break;
case S2N_HASH_SHA1: *out = S2N_HMAC_SHA1; break;
case S2N_HASH_SHA224: *out = S2N_HMAC_SHA224; break;
case S2N_HASH_SHA256: *out = S2N_HMAC_SHA256; break;
case S2N_HASH_SHA384: *out = S2N_HMAC_SHA384; break;
case S2N_HASH_SHA512: *out = S2N_HMAC_SHA512; break;
case S2N_HASH_MD5_SHA1: /* Fall through ... */
default:
POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
}
return S2N_SUCCESS;
}
int s2n_hmac_hash_alg(s2n_hmac_algorithm hmac_alg, s2n_hash_algorithm *out)
{
POSIX_ENSURE(S2N_MEM_IS_WRITABLE_CHECK(out, sizeof(*out)), S2N_ERR_PRECONDITION_VIOLATION);
switch(hmac_alg) {
case S2N_HMAC_NONE: *out = S2N_HASH_NONE; break;
case S2N_HMAC_MD5: *out = S2N_HASH_MD5; break;
case S2N_HMAC_SHA1: *out = S2N_HASH_SHA1; break;
case S2N_HMAC_SHA224: *out = S2N_HASH_SHA224; break;
case S2N_HMAC_SHA256: *out = S2N_HASH_SHA256; break;
case S2N_HMAC_SHA384: *out = S2N_HASH_SHA384; break;
case S2N_HMAC_SHA512: *out = S2N_HASH_SHA512; break;
case S2N_HMAC_SSLv3_MD5: *out = S2N_HASH_MD5; break;
case S2N_HMAC_SSLv3_SHA1: *out = S2N_HASH_SHA1; break;
default:
POSIX_BAIL(S2N_ERR_HMAC_INVALID_ALGORITHM);
}
return S2N_SUCCESS;
}
int s2n_hmac_digest_size(s2n_hmac_algorithm hmac_alg, uint8_t *out)
{
s2n_hash_algorithm hash_alg;
POSIX_GUARD(s2n_hmac_hash_alg(hmac_alg, &hash_alg));
POSIX_GUARD(s2n_hash_digest_size(hash_alg, out));
return S2N_SUCCESS;
}
/* Return 1 if hmac algorithm is available, 0 otherwise. */
bool s2n_hmac_is_available(s2n_hmac_algorithm hmac_alg)
{
switch(hmac_alg) {
case S2N_HMAC_MD5:
case S2N_HMAC_SSLv3_MD5:
case S2N_HMAC_SSLv3_SHA1:
/* Set is_available to 0 if in FIPS mode, as MD5/SSLv3 algs are not available in FIPS mode. */
return !s2n_is_in_fips_mode();
case S2N_HMAC_NONE:
case S2N_HMAC_SHA1:
case S2N_HMAC_SHA224:
case S2N_HMAC_SHA256:
case S2N_HMAC_SHA384:
case S2N_HMAC_SHA512:
return true;
}
return false;
}
static int s2n_sslv3_mac_init(struct s2n_hmac_state *state, s2n_hmac_algorithm alg, const void *key, uint32_t klen)
{
for (int i = 0; i < state->xor_pad_size; i++) {
state->xor_pad[i] = 0x36;
}
POSIX_GUARD(s2n_hash_update(&state->inner_just_key, key, klen));
POSIX_GUARD(s2n_hash_update(&state->inner_just_key, state->xor_pad, state->xor_pad_size));
for (int i = 0; i < state->xor_pad_size; i++) {
state->xor_pad[i] = 0x5c;
}
POSIX_GUARD(s2n_hash_update(&state->outer_just_key, key, klen));
POSIX_GUARD(s2n_hash_update(&state->outer_just_key, state->xor_pad, state->xor_pad_size));
return S2N_SUCCESS;
}
static int s2n_tls_hmac_init(struct s2n_hmac_state *state, s2n_hmac_algorithm alg, const void *key, uint32_t klen)
{
memset(&state->xor_pad, 0, sizeof(state->xor_pad));
if (klen > state->xor_pad_size) {
POSIX_GUARD(s2n_hash_update(&state->outer, key, klen));
POSIX_GUARD(s2n_hash_digest(&state->outer, state->digest_pad, state->digest_size));
POSIX_CHECKED_MEMCPY(state->xor_pad, state->digest_pad, state->digest_size);
} else {
POSIX_CHECKED_MEMCPY(state->xor_pad, key, klen);
}
for (int i = 0; i < state->xor_pad_size; i++) {
state->xor_pad[i] ^= 0x36;
}
POSIX_GUARD(s2n_hash_update(&state->inner_just_key, state->xor_pad, state->xor_pad_size));
/* 0x36 xor 0x5c == 0x6a */
for (int i = 0; i < state->xor_pad_size; i++) {
state->xor_pad[i] ^= 0x6a;
}
POSIX_GUARD(s2n_hash_update(&state->outer_just_key, state->xor_pad, state->xor_pad_size));
return S2N_SUCCESS;
}
int s2n_hmac_xor_pad_size(s2n_hmac_algorithm hmac_alg, uint16_t *xor_pad_size)
{
POSIX_ENSURE(S2N_MEM_IS_WRITABLE_CHECK(xor_pad_size, sizeof(*xor_pad_size)), S2N_ERR_PRECONDITION_VIOLATION);
switch(hmac_alg) {
case S2N_HMAC_NONE: *xor_pad_size = 64; break;
case S2N_HMAC_MD5: *xor_pad_size = 64; break;
case S2N_HMAC_SHA1: *xor_pad_size = 64; break;
case S2N_HMAC_SHA224: *xor_pad_size = 64; break;
case S2N_HMAC_SHA256: *xor_pad_size = 64; break;
case S2N_HMAC_SHA384: *xor_pad_size = 128; break;
case S2N_HMAC_SHA512: *xor_pad_size = 128; break;
case S2N_HMAC_SSLv3_MD5: *xor_pad_size = 48; break;
case S2N_HMAC_SSLv3_SHA1: *xor_pad_size = 40; break;
default:
POSIX_BAIL(S2N_ERR_HMAC_INVALID_ALGORITHM);
}
return S2N_SUCCESS;
}
int s2n_hmac_hash_block_size(s2n_hmac_algorithm hmac_alg, uint16_t *block_size)
{
POSIX_ENSURE(S2N_MEM_IS_WRITABLE_CHECK(block_size, sizeof(*block_size)), S2N_ERR_PRECONDITION_VIOLATION);
switch(hmac_alg) {
case S2N_HMAC_NONE: *block_size = 64; break;
case S2N_HMAC_MD5: *block_size = 64; break;
case S2N_HMAC_SHA1: *block_size = 64; break;
case S2N_HMAC_SHA224: *block_size = 64; break;
case S2N_HMAC_SHA256: *block_size = 64; break;
case S2N_HMAC_SHA384: *block_size = 128; break;
case S2N_HMAC_SHA512: *block_size = 128; break;
case S2N_HMAC_SSLv3_MD5: *block_size = 64; break;
case S2N_HMAC_SSLv3_SHA1: *block_size = 64; break;
default:
POSIX_BAIL(S2N_ERR_HMAC_INVALID_ALGORITHM);
}
return S2N_SUCCESS;
}
int s2n_hmac_new(struct s2n_hmac_state *state)
{
POSIX_ENSURE_REF(state);
POSIX_GUARD(s2n_hash_new(&state->inner));
POSIX_GUARD(s2n_hash_new(&state->inner_just_key));
POSIX_GUARD(s2n_hash_new(&state->outer));
POSIX_GUARD(s2n_hash_new(&state->outer_just_key));
POSIX_POSTCONDITION(s2n_hmac_state_validate(state));
return S2N_SUCCESS;
}
S2N_RESULT s2n_hmac_state_validate(struct s2n_hmac_state *state)
{
RESULT_ENSURE_REF(state);
RESULT_GUARD(s2n_hash_state_validate(&state->inner));
RESULT_GUARD(s2n_hash_state_validate(&state->inner_just_key));
RESULT_GUARD(s2n_hash_state_validate(&state->outer));
RESULT_GUARD(s2n_hash_state_validate(&state->outer_just_key));
return S2N_RESULT_OK;
}
int s2n_hmac_init(struct s2n_hmac_state *state, s2n_hmac_algorithm alg, const void *key, uint32_t klen)
{
POSIX_ENSURE_REF(state);
if (!s2n_hmac_is_available(alg)) {
/* Prevent hmacs from being used if they are not available. */
POSIX_BAIL(S2N_ERR_HMAC_INVALID_ALGORITHM);
}
state->alg = alg;
POSIX_GUARD(s2n_hmac_hash_block_size(alg, &state->hash_block_size));
state->currently_in_hash_block = 0;
POSIX_GUARD(s2n_hmac_xor_pad_size(alg, &state->xor_pad_size));
POSIX_GUARD(s2n_hmac_digest_size(alg, &state->digest_size));
POSIX_ENSURE_GTE(sizeof(state->xor_pad), state->xor_pad_size);
POSIX_ENSURE_GTE(sizeof(state->digest_pad), state->digest_size);
/* key needs to be as large as the biggest block size */
POSIX_ENSURE_GTE(sizeof(state->xor_pad), state->hash_block_size);
s2n_hash_algorithm hash_alg;
POSIX_GUARD(s2n_hmac_hash_alg(alg, &hash_alg));
POSIX_GUARD(s2n_hash_init(&state->inner, hash_alg));
POSIX_GUARD(s2n_hash_init(&state->inner_just_key, hash_alg));
POSIX_GUARD(s2n_hash_init(&state->outer, hash_alg));
POSIX_GUARD(s2n_hash_init(&state->outer_just_key, hash_alg));
if (alg == S2N_HMAC_SSLv3_SHA1 || alg == S2N_HMAC_SSLv3_MD5) {
POSIX_GUARD(s2n_sslv3_mac_init(state, alg, key, klen));
} else {
POSIX_GUARD(s2n_tls_hmac_init(state, alg, key, klen));
}
/* Once we have produced inner_just_key and outer_just_key, don't need the key material in xor_pad, so wipe it.
* Since xor_pad is used as a source of bytes in s2n_hmac_digest_two_compression_rounds,
* this also prevents uninitilized bytes being used.
*/
memset(&state->xor_pad, 0, sizeof(state->xor_pad));
POSIX_GUARD(s2n_hmac_reset(state));
return S2N_SUCCESS;
}
int s2n_hmac_update(struct s2n_hmac_state *state, const void *in, uint32_t size)
{
POSIX_PRECONDITION(s2n_hmac_state_validate(state));
POSIX_ENSURE(state->hash_block_size != 0, S2N_ERR_PRECONDITION_VIOLATION);
/* Keep track of how much of the current hash block is full
*
* Why the 4294949760 constant in this code? 4294949760 is the highest 32-bit
* value that is congruent to 0 modulo all of our HMAC block sizes, that is also
* at least 16k smaller than 2^32. It therefore has no effect on the mathematical
* result, and no valid record size can cause it to overflow.
*
* The value was found with the following python code;
*
* x = (2 ** 32) - (2 ** 14)
* while True:
* if x % 40 | x % 48 | x % 64 | x % 128 == 0:
* break
* x -= 1
* print x
*
* What it does do however is ensure that the mod operation takes a
* constant number of instruction cycles, regardless of the size of the
* input. On some platforms, including Intel, the operation can take a
* smaller number of cycles if the input is "small".
*/
const uint32_t HIGHEST_32_BIT = 4294949760;
POSIX_ENSURE(size <= (UINT32_MAX - HIGHEST_32_BIT), S2N_ERR_INTEGER_OVERFLOW);
uint32_t value = (HIGHEST_32_BIT + size) % state->hash_block_size;
POSIX_GUARD(s2n_add_overflow(state->currently_in_hash_block, value, &state->currently_in_hash_block));
state->currently_in_hash_block %= state->hash_block_size;
return s2n_hash_update(&state->inner, in, size);
}
int s2n_hmac_digest(struct s2n_hmac_state *state, void *out, uint32_t size)
{
POSIX_PRECONDITION(s2n_hmac_state_validate(state));
POSIX_GUARD(s2n_hash_digest(&state->inner, state->digest_pad, state->digest_size));
POSIX_GUARD(s2n_hash_copy(&state->outer, &state->outer_just_key));
POSIX_GUARD(s2n_hash_update(&state->outer, state->digest_pad, state->digest_size));
return s2n_hash_digest(&state->outer, out, size);
}
int s2n_hmac_digest_two_compression_rounds(struct s2n_hmac_state *state, void *out, uint32_t size)
{
/* Do the "real" work of this function. */
POSIX_GUARD(s2n_hmac_digest(state, out, size));
/* If there were 9 or more bytes of space left in the current hash block
* then the serialized length, plus an 0x80 byte, will have fit in that block.
* If there were fewer than 9 then adding the length will have caused an extra
* compression block round. This digest function always does two compression rounds,
* even if there is no need for the second.
*
* 17 bytes if the block size is 128.
*/
const uint8_t space_left = (state->hash_block_size == 128) ? 17 : 9;
if ((int64_t)state->currently_in_hash_block > (state->hash_block_size - space_left)) {
return S2N_SUCCESS;
}
/* Can't reuse a hash after it has been finalized, so reset and push another block in */
POSIX_GUARD(s2n_hash_reset(&state->inner));
/* No-op s2n_hash_update to normalize timing and guard against Lucky13. This does not affect the value of *out. */
return s2n_hash_update(&state->inner, state->xor_pad, state->hash_block_size);
}
int s2n_hmac_free(struct s2n_hmac_state *state)
{
if (state) {
POSIX_GUARD(s2n_hash_free(&state->inner));
POSIX_GUARD(s2n_hash_free(&state->inner_just_key));
POSIX_GUARD(s2n_hash_free(&state->outer));
POSIX_GUARD(s2n_hash_free(&state->outer_just_key));
}
return S2N_SUCCESS;
}
int s2n_hmac_reset(struct s2n_hmac_state *state)
{
POSIX_PRECONDITION(s2n_hmac_state_validate(state));
POSIX_ENSURE(state->hash_block_size != 0, S2N_ERR_PRECONDITION_VIOLATION);
POSIX_GUARD(s2n_hash_copy(&state->inner, &state->inner_just_key));
uint64_t bytes_in_hash;
POSIX_GUARD(s2n_hash_get_currently_in_hash_total(&state->inner, &bytes_in_hash));
bytes_in_hash %= state->hash_block_size;
POSIX_ENSURE(bytes_in_hash <= UINT32_MAX, S2N_ERR_INTEGER_OVERFLOW);
/* The length of the key is not private, so don't need to do tricky math here */
state->currently_in_hash_block = bytes_in_hash;
return S2N_SUCCESS;
}
int s2n_hmac_digest_verify(const void *a, const void *b, uint32_t len)
{
return S2N_SUCCESS - !s2n_constant_time_equals(a, b, len);
}
int s2n_hmac_copy(struct s2n_hmac_state *to, struct s2n_hmac_state *from)
{
POSIX_PRECONDITION(s2n_hmac_state_validate(to));
POSIX_PRECONDITION(s2n_hmac_state_validate(from));
/* memcpy cannot be used on s2n_hmac_state as the underlying s2n_hash implementation's
* copy must be used. This is enforced when the s2n_hash implementation is s2n_evp_hash.
*/
to->alg = from->alg;
to->hash_block_size = from->hash_block_size;
to->currently_in_hash_block = from->currently_in_hash_block;
to->xor_pad_size = from->xor_pad_size;
to->digest_size = from->digest_size;
POSIX_GUARD(s2n_hash_copy(&to->inner, &from->inner));
POSIX_GUARD(s2n_hash_copy(&to->inner_just_key, &from->inner_just_key));
POSIX_GUARD(s2n_hash_copy(&to->outer, &from->outer));
POSIX_GUARD(s2n_hash_copy(&to->outer_just_key, &from->outer_just_key));
POSIX_CHECKED_MEMCPY(to->xor_pad, from->xor_pad, sizeof(to->xor_pad));
POSIX_CHECKED_MEMCPY(to->digest_pad, from->digest_pad, sizeof(to->digest_pad));
POSIX_POSTCONDITION(s2n_hmac_state_validate(to));
POSIX_POSTCONDITION(s2n_hmac_state_validate(from));
return S2N_SUCCESS;
}
/* Preserve the handlers for hmac state pointers to avoid re-allocation
* Only valid if the HMAC is in EVP mode
*/
int s2n_hmac_save_evp_hash_state(struct s2n_hmac_evp_backup* backup, struct s2n_hmac_state* hmac)
{
POSIX_ENSURE_REF(backup);
POSIX_PRECONDITION(s2n_hmac_state_validate(hmac));
backup->inner = hmac->inner.digest.high_level;
backup->inner_just_key = hmac->inner_just_key.digest.high_level;
backup->outer = hmac->outer.digest.high_level;
backup->outer_just_key = hmac->outer_just_key.digest.high_level;
return S2N_SUCCESS;
}
int s2n_hmac_restore_evp_hash_state(struct s2n_hmac_evp_backup* backup, struct s2n_hmac_state* hmac)
{
POSIX_ENSURE_REF(backup);
POSIX_PRECONDITION(s2n_hmac_state_validate(hmac));
hmac->inner.digest.high_level = backup->inner;
hmac->inner_just_key.digest.high_level = backup->inner_just_key;
hmac->outer.digest.high_level = backup->outer;
hmac->outer_just_key.digest.high_level = backup->outer_just_key;
POSIX_POSTCONDITION(s2n_hmac_state_validate(hmac));
return S2N_SUCCESS;
}
S2N_RESULT s2n_hmac_md_from_alg(s2n_hmac_algorithm alg, const EVP_MD **md)
{
RESULT_ENSURE_REF(md);
switch (alg) {
case S2N_HMAC_SSLv3_MD5:
case S2N_HMAC_MD5:
*md = EVP_md5();
break;
case S2N_HMAC_SSLv3_SHA1:
case S2N_HMAC_SHA1:
*md = EVP_sha1();
break;
case S2N_HMAC_SHA224:
*md = EVP_sha224();
break;
case S2N_HMAC_SHA256:
*md = EVP_sha256();
break;
case S2N_HMAC_SHA384:
*md = EVP_sha384();
break;
case S2N_HMAC_SHA512:
*md = EVP_sha512();
break;
default:
RESULT_BAIL(S2N_ERR_P_HASH_INVALID_ALGORITHM);
}
return S2N_RESULT_OK;
}
|