1 // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <openssl/base64.h>
16
17 #include <assert.h>
18 #include <limits.h>
19 #include <string.h>
20
21 #include "../internal.h"
22
23
24 // constant_time_lt_args_8 behaves like |constant_time_lt_8| but takes |uint8_t|
25 // arguments for a slightly simpler implementation.
constant_time_lt_args_8(uint8_t a,uint8_t b)26 static inline uint8_t constant_time_lt_args_8(uint8_t a, uint8_t b) {
27 crypto_word_t aw = a;
28 crypto_word_t bw = b;
29 // |crypto_word_t| is larger than |uint8_t|, so |aw| and |bw| have the same
30 // MSB. |aw| < |bw| iff MSB(|aw| - |bw|) is 1.
31 return constant_time_msb_w(aw - bw);
32 }
33
34 // constant_time_in_range_8 returns |CONSTTIME_TRUE_8| if |min| <= |a| <= |max|
35 // and |CONSTTIME_FALSE_8| otherwise.
constant_time_in_range_8(uint8_t a,uint8_t min,uint8_t max)36 static inline uint8_t constant_time_in_range_8(uint8_t a, uint8_t min,
37 uint8_t max) {
38 a -= min;
39 return constant_time_lt_args_8(a, max - min + 1);
40 }
41
42 // Encoding.
43
conv_bin2ascii(uint8_t a)44 static uint8_t conv_bin2ascii(uint8_t a) {
45 // Since PEM is sometimes used to carry private keys, we encode base64 data
46 // itself in constant-time.
47 a &= 0x3f;
48 uint8_t ret = constant_time_select_8(constant_time_eq_8(a, 62), '+', '/');
49 ret =
50 constant_time_select_8(constant_time_lt_args_8(a, 62), a - 52 + '0', ret);
51 ret =
52 constant_time_select_8(constant_time_lt_args_8(a, 52), a - 26 + 'a', ret);
53 ret = constant_time_select_8(constant_time_lt_args_8(a, 26), a + 'A', ret);
54 return ret;
55 }
56
57 static_assert(sizeof(((EVP_ENCODE_CTX *)(NULL))->data) % 3 == 0,
58 "data length must be a multiple of base64 chunk size");
59
EVP_EncodedLength(size_t * out_len,size_t len)60 int EVP_EncodedLength(size_t *out_len, size_t len) {
61 if (len + 2 < len) {
62 return 0;
63 }
64 len += 2;
65 len /= 3;
66
67 if (((len << 2) >> 2) != len) {
68 return 0;
69 }
70 len <<= 2;
71
72 if (len + 1 < len) {
73 return 0;
74 }
75 len++;
76
77 *out_len = len;
78 return 1;
79 }
80
EVP_ENCODE_CTX_new(void)81 EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) {
82 return reinterpret_cast<EVP_ENCODE_CTX *>(
83 OPENSSL_zalloc(sizeof(EVP_ENCODE_CTX)));
84 }
85
EVP_ENCODE_CTX_free(EVP_ENCODE_CTX * ctx)86 void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) { OPENSSL_free(ctx); }
87
EVP_EncodeInit(EVP_ENCODE_CTX * ctx)88 void EVP_EncodeInit(EVP_ENCODE_CTX *ctx) {
89 OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
90 }
91
EVP_EncodeUpdate(EVP_ENCODE_CTX * ctx,uint8_t * out,int * out_len,const uint8_t * in,size_t in_len)92 void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
93 const uint8_t *in, size_t in_len) {
94 size_t total = 0;
95
96 *out_len = 0;
97 if (in_len == 0) {
98 return;
99 }
100
101 assert(ctx->data_used < sizeof(ctx->data));
102
103 if (sizeof(ctx->data) - ctx->data_used > in_len) {
104 OPENSSL_memcpy(&ctx->data[ctx->data_used], in, in_len);
105 ctx->data_used += (unsigned)in_len;
106 return;
107 }
108
109 if (ctx->data_used != 0) {
110 const size_t todo = sizeof(ctx->data) - ctx->data_used;
111 OPENSSL_memcpy(&ctx->data[ctx->data_used], in, todo);
112 in += todo;
113 in_len -= todo;
114
115 size_t encoded = EVP_EncodeBlock(out, ctx->data, sizeof(ctx->data));
116 ctx->data_used = 0;
117
118 out += encoded;
119 *(out++) = '\n';
120 *out = '\0';
121
122 total = encoded + 1;
123 }
124
125 while (in_len >= sizeof(ctx->data)) {
126 size_t encoded = EVP_EncodeBlock(out, in, sizeof(ctx->data));
127 in += sizeof(ctx->data);
128 in_len -= sizeof(ctx->data);
129
130 out += encoded;
131 *(out++) = '\n';
132 *out = '\0';
133
134 if (total + encoded + 1 < total) {
135 *out_len = 0;
136 return;
137 }
138
139 total += encoded + 1;
140 }
141
142 if (in_len != 0) {
143 OPENSSL_memcpy(ctx->data, in, in_len);
144 }
145
146 ctx->data_used = (unsigned)in_len;
147
148 if (total > INT_MAX) {
149 // We cannot signal an error, but we can at least avoid making *out_len
150 // negative.
151 total = 0;
152 }
153 *out_len = (int)total;
154 }
155
EVP_EncodeFinal(EVP_ENCODE_CTX * ctx,uint8_t * out,int * out_len)156 void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len) {
157 if (ctx->data_used == 0) {
158 *out_len = 0;
159 return;
160 }
161
162 size_t encoded = EVP_EncodeBlock(out, ctx->data, ctx->data_used);
163 out[encoded++] = '\n';
164 out[encoded] = '\0';
165 ctx->data_used = 0;
166
167 // ctx->data_used is bounded by sizeof(ctx->data), so this does not
168 // overflow.
169 assert(encoded <= INT_MAX);
170 *out_len = (int)encoded;
171 }
172
EVP_EncodeBlock(uint8_t * dst,const uint8_t * src,size_t src_len)173 size_t EVP_EncodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
174 uint32_t l;
175 size_t remaining = src_len, ret = 0;
176
177 while (remaining) {
178 if (remaining >= 3) {
179 l = (((uint32_t)src[0]) << 16L) | (((uint32_t)src[1]) << 8L) | src[2];
180 *(dst++) = conv_bin2ascii(l >> 18L);
181 *(dst++) = conv_bin2ascii(l >> 12L);
182 *(dst++) = conv_bin2ascii(l >> 6L);
183 *(dst++) = conv_bin2ascii(l);
184 remaining -= 3;
185 } else {
186 l = ((uint32_t)src[0]) << 16L;
187 if (remaining == 2) {
188 l |= ((uint32_t)src[1] << 8L);
189 }
190
191 *(dst++) = conv_bin2ascii(l >> 18L);
192 *(dst++) = conv_bin2ascii(l >> 12L);
193 *(dst++) = (remaining == 1) ? '=' : conv_bin2ascii(l >> 6L);
194 *(dst++) = '=';
195 remaining = 0;
196 }
197 ret += 4;
198 src += 3;
199 }
200
201 *dst = '\0';
202 return ret;
203 }
204
205
206 // Decoding.
207
EVP_DecodedLength(size_t * out_len,size_t len)208 int EVP_DecodedLength(size_t *out_len, size_t len) {
209 if (len % 4 != 0) {
210 return 0;
211 }
212
213 *out_len = (len / 4) * 3;
214 return 1;
215 }
216
EVP_DecodeInit(EVP_ENCODE_CTX * ctx)217 void EVP_DecodeInit(EVP_ENCODE_CTX *ctx) {
218 OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
219 }
220
base64_ascii_to_bin(uint8_t a)221 static uint8_t base64_ascii_to_bin(uint8_t a) {
222 // Since PEM is sometimes used to carry private keys, we decode base64 data
223 // itself in constant-time.
224 const uint8_t is_upper = constant_time_in_range_8(a, 'A', 'Z');
225 const uint8_t is_lower = constant_time_in_range_8(a, 'a', 'z');
226 const uint8_t is_digit = constant_time_in_range_8(a, '0', '9');
227 const uint8_t is_plus = constant_time_eq_8(a, '+');
228 const uint8_t is_slash = constant_time_eq_8(a, '/');
229 const uint8_t is_equals = constant_time_eq_8(a, '=');
230
231 uint8_t ret = 0;
232 ret |= is_upper & (a - 'A'); // [0,26)
233 ret |= is_lower & (a - 'a' + 26); // [26,52)
234 ret |= is_digit & (a - '0' + 52); // [52,62)
235 ret |= is_plus & 62;
236 ret |= is_slash & 63;
237 // Invalid inputs, 'A', and '=' have all been mapped to zero. Map invalid
238 // inputs to 0xff. Note '=' is padding and handled separately by the caller.
239 const uint8_t is_valid =
240 is_upper | is_lower | is_digit | is_plus | is_slash | is_equals;
241 ret |= ~is_valid;
242 return ret;
243 }
244
245 // base64_decode_quad decodes a single “quad” (i.e. four characters) of base64
246 // data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the
247 // number of bytes written, which will be less than three if the quad ended
248 // with padding. It returns one on success or zero on error.
base64_decode_quad(uint8_t * out,size_t * out_num_bytes,const uint8_t * in)249 static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes,
250 const uint8_t *in) {
251 const uint8_t a = base64_ascii_to_bin(in[0]);
252 const uint8_t b = base64_ascii_to_bin(in[1]);
253 const uint8_t c = base64_ascii_to_bin(in[2]);
254 const uint8_t d = base64_ascii_to_bin(in[3]);
255 if (a == 0xff || b == 0xff || c == 0xff || d == 0xff) {
256 return 0;
257 }
258
259 const uint32_t v = ((uint32_t)a) << 18 | ((uint32_t)b) << 12 |
260 ((uint32_t)c) << 6 | (uint32_t)d;
261
262 const unsigned padding_pattern = (in[0] == '=') << 3 | //
263 (in[1] == '=') << 2 | //
264 (in[2] == '=') << 1 | //
265 (in[3] == '=');
266
267 // In presence of padding, the lowest bits of v are unused. Canonical encoding
268 // (RFC 4648, section 3.5) requires that these bits all be set to zero. Common
269 // PEM parsers accept noncanonical base64, adding to the malleability of the
270 // format. This decoder follows OpenSSL's and Go's PEM parsers and accepts it.
271 switch (padding_pattern) {
272 case 0:
273 // The common case of no padding.
274 *out_num_bytes = 3;
275 out[0] = v >> 16;
276 out[1] = v >> 8;
277 out[2] = v;
278 break;
279
280 case 1: // xxx=
281 *out_num_bytes = 2;
282 out[0] = v >> 16;
283 out[1] = v >> 8;
284 break;
285
286 case 3: // xx==
287 *out_num_bytes = 1;
288 out[0] = v >> 16;
289 break;
290
291 default:
292 return 0;
293 }
294
295 return 1;
296 }
297
EVP_DecodeUpdate(EVP_ENCODE_CTX * ctx,uint8_t * out,int * out_len,const uint8_t * in,size_t in_len)298 int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
299 const uint8_t *in, size_t in_len) {
300 *out_len = 0;
301
302 if (ctx->error_encountered) {
303 return -1;
304 }
305
306 size_t bytes_out = 0, i;
307 for (i = 0; i < in_len; i++) {
308 const char c = in[i];
309 switch (c) {
310 case ' ':
311 case '\t':
312 case '\r':
313 case '\n':
314 continue;
315 }
316
317 if (ctx->eof_seen) {
318 ctx->error_encountered = 1;
319 return -1;
320 }
321
322 ctx->data[ctx->data_used++] = c;
323 if (ctx->data_used == 4) {
324 size_t num_bytes_resulting;
325 if (!base64_decode_quad(out, &num_bytes_resulting, ctx->data)) {
326 ctx->error_encountered = 1;
327 return -1;
328 }
329
330 ctx->data_used = 0;
331 bytes_out += num_bytes_resulting;
332 out += num_bytes_resulting;
333
334 if (num_bytes_resulting < 3) {
335 ctx->eof_seen = 1;
336 }
337 }
338 }
339
340 if (bytes_out > INT_MAX) {
341 ctx->error_encountered = 1;
342 *out_len = 0;
343 return -1;
344 }
345 *out_len = (int)bytes_out;
346
347 if (ctx->eof_seen) {
348 return 0;
349 }
350
351 return 1;
352 }
353
EVP_DecodeFinal(EVP_ENCODE_CTX * ctx,uint8_t * out,int * out_len)354 int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len) {
355 *out_len = 0;
356 if (ctx->error_encountered || ctx->data_used != 0) {
357 return -1;
358 }
359
360 return 1;
361 }
362
EVP_DecodeBase64(uint8_t * out,size_t * out_len,size_t max_out,const uint8_t * in,size_t in_len)363 int EVP_DecodeBase64(uint8_t *out, size_t *out_len, size_t max_out,
364 const uint8_t *in, size_t in_len) {
365 *out_len = 0;
366
367 if (in_len % 4 != 0) {
368 return 0;
369 }
370
371 size_t max_len;
372 if (!EVP_DecodedLength(&max_len, in_len) || max_out < max_len) {
373 return 0;
374 }
375
376 size_t i, bytes_out = 0;
377 for (i = 0; i < in_len; i += 4) {
378 size_t num_bytes_resulting;
379
380 if (!base64_decode_quad(out, &num_bytes_resulting, &in[i])) {
381 return 0;
382 }
383
384 bytes_out += num_bytes_resulting;
385 out += num_bytes_resulting;
386 if (num_bytes_resulting != 3 && i != in_len - 4) {
387 return 0;
388 }
389 }
390
391 *out_len = bytes_out;
392 return 1;
393 }
394
EVP_DecodeBlock(uint8_t * dst,const uint8_t * src,size_t src_len)395 int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
396 // Trim spaces and tabs from the beginning of the input.
397 while (src_len > 0) {
398 if (src[0] != ' ' && src[0] != '\t') {
399 break;
400 }
401
402 src++;
403 src_len--;
404 }
405
406 // Trim newlines, spaces and tabs from the end of the line.
407 while (src_len > 0) {
408 switch (src[src_len - 1]) {
409 case ' ':
410 case '\t':
411 case '\r':
412 case '\n':
413 src_len--;
414 continue;
415 }
416
417 break;
418 }
419
420 size_t dst_len;
421 if (!EVP_DecodedLength(&dst_len, src_len) || dst_len > INT_MAX ||
422 !EVP_DecodeBase64(dst, &dst_len, dst_len, src, src_len)) {
423 return -1;
424 }
425
426 // EVP_DecodeBlock does not take padding into account, so put the
427 // NULs back in... so the caller can strip them back out.
428 while (dst_len % 3 != 0) {
429 dst[dst_len++] = '\0';
430 }
431 assert(dst_len <= INT_MAX);
432
433 return (int)dst_len;
434 }
435