1 // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <openssl/digest.h>
16
17 #include <string.h>
18
19 #include <openssl/blake2.h>
20 #include <openssl/bytestring.h>
21 #include <openssl/md4.h>
22 #include <openssl/md5.h>
23 #include <openssl/nid.h>
24 #include <openssl/obj.h>
25 #include <openssl/sha.h>
26
27 #include "../asn1/internal.h"
28 #include "../fipsmodule/digest/internal.h"
29 #include "../internal.h"
30
31
32 struct nid_to_digest {
33 int nid;
34 const EVP_MD *(*md_func)(void);
35 const char *short_name;
36 const char *long_name;
37 };
38
39 static const struct nid_to_digest nid_to_digest_mapping[] = {
40 {NID_md4, EVP_md4, SN_md4, LN_md4},
41 {NID_md5, EVP_md5, SN_md5, LN_md5},
42 {NID_sha1, EVP_sha1, SN_sha1, LN_sha1},
43 {NID_sha224, EVP_sha224, SN_sha224, LN_sha224},
44 {NID_sha256, EVP_sha256, SN_sha256, LN_sha256},
45 {NID_sha384, EVP_sha384, SN_sha384, LN_sha384},
46 {NID_sha512, EVP_sha512, SN_sha512, LN_sha512},
47 {NID_sha512_256, EVP_sha512_256, SN_sha512_256, LN_sha512_256},
48 {NID_md5_sha1, EVP_md5_sha1, SN_md5_sha1, LN_md5_sha1},
49 // As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding
50 // hash function when given a signature OID. To avoid unintended lax parsing
51 // of hash OIDs, this is no longer supported for lookup by OID or NID.
52 // Node.js, however, exposes |EVP_get_digestbyname|'s full behavior to
53 // consumers so we retain it there.
54 {NID_undef, EVP_sha1, SN_dsaWithSHA, LN_dsaWithSHA},
55 {NID_undef, EVP_sha1, SN_dsaWithSHA1, LN_dsaWithSHA1},
56 {NID_undef, EVP_sha1, SN_ecdsa_with_SHA1, NULL},
57 {NID_undef, EVP_md5, SN_md5WithRSAEncryption, LN_md5WithRSAEncryption},
58 {NID_undef, EVP_sha1, SN_sha1WithRSAEncryption, LN_sha1WithRSAEncryption},
59 {NID_undef, EVP_sha224, SN_sha224WithRSAEncryption,
60 LN_sha224WithRSAEncryption},
61 {NID_undef, EVP_sha256, SN_sha256WithRSAEncryption,
62 LN_sha256WithRSAEncryption},
63 {NID_undef, EVP_sha384, SN_sha384WithRSAEncryption,
64 LN_sha384WithRSAEncryption},
65 {NID_undef, EVP_sha512, SN_sha512WithRSAEncryption,
66 LN_sha512WithRSAEncryption},
67 };
68
EVP_get_digestbynid(int nid)69 const EVP_MD *EVP_get_digestbynid(int nid) {
70 if (nid == NID_undef) {
71 // Skip the |NID_undef| entries in |nid_to_digest_mapping|.
72 return NULL;
73 }
74
75 for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(nid_to_digest_mapping); i++) {
76 if (nid_to_digest_mapping[i].nid == nid) {
77 return nid_to_digest_mapping[i].md_func();
78 }
79 }
80
81 return NULL;
82 }
83
84 static const struct {
85 uint8_t oid[9];
86 uint8_t oid_len;
87 int nid;
88 } kMDOIDs[] = {
89 // 1.2.840.113549.2.4
90 {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x04}, 8, NID_md4},
91 // 1.2.840.113549.2.5
92 {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05}, 8, NID_md5},
93 // 1.3.14.3.2.26
94 {{0x2b, 0x0e, 0x03, 0x02, 0x1a}, 5, NID_sha1},
95 // 2.16.840.1.101.3.4.2.1
96 {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}, 9, NID_sha256},
97 // 2.16.840.1.101.3.4.2.2
98 {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}, 9, NID_sha384},
99 // 2.16.840.1.101.3.4.2.3
100 {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}, 9, NID_sha512},
101 // 2.16.840.1.101.3.4.2.4
102 {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}, 9, NID_sha224},
103 };
104
cbs_to_md(const CBS * cbs)105 static const EVP_MD *cbs_to_md(const CBS *cbs) {
106 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMDOIDs); i++) {
107 if (CBS_len(cbs) == kMDOIDs[i].oid_len &&
108 OPENSSL_memcmp(CBS_data(cbs), kMDOIDs[i].oid, kMDOIDs[i].oid_len) ==
109 0) {
110 return EVP_get_digestbynid(kMDOIDs[i].nid);
111 }
112 }
113
114 return NULL;
115 }
116
EVP_get_digestbyobj(const ASN1_OBJECT * obj)117 const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj) {
118 // Handle objects with no corresponding OID. Note we don't use |OBJ_obj2nid|
119 // here to avoid pulling in the OID table.
120 if (obj->nid != NID_undef) {
121 return EVP_get_digestbynid(obj->nid);
122 }
123
124 CBS cbs;
125 CBS_init(&cbs, OBJ_get0_data(obj), OBJ_length(obj));
126 return cbs_to_md(&cbs);
127 }
128
EVP_parse_digest_algorithm(CBS * cbs)129 const EVP_MD *EVP_parse_digest_algorithm(CBS *cbs) {
130 CBS algorithm, oid;
131 if (!CBS_get_asn1(cbs, &algorithm, CBS_ASN1_SEQUENCE) ||
132 !CBS_get_asn1(&algorithm, &oid, CBS_ASN1_OBJECT)) {
133 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_DECODE_ERROR);
134 return NULL;
135 }
136
137 const EVP_MD *ret = cbs_to_md(&oid);
138 if (ret == NULL) {
139 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_UNKNOWN_HASH);
140 return NULL;
141 }
142
143 // The parameters, if present, must be NULL. Historically, whether the NULL
144 // was included or omitted was not well-specified. When parsing an
145 // AlgorithmIdentifier, we allow both. (Note this code is not used when
146 // verifying RSASSA-PKCS1-v1_5 signatures.)
147 if (CBS_len(&algorithm) > 0) {
148 CBS param;
149 if (!CBS_get_asn1(&algorithm, ¶m, CBS_ASN1_NULL) ||
150 CBS_len(¶m) != 0 || //
151 CBS_len(&algorithm) != 0) {
152 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_DECODE_ERROR);
153 return NULL;
154 }
155 }
156
157 return ret;
158 }
159
marshal_digest_algorithm(CBB * cbb,const EVP_MD * md,bool with_null)160 static int marshal_digest_algorithm(CBB *cbb, const EVP_MD *md,
161 bool with_null) {
162 CBB algorithm, oid, null;
163 if (!CBB_add_asn1(cbb, &algorithm, CBS_ASN1_SEQUENCE) ||
164 !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT)) {
165 return 0;
166 }
167
168 bool found = false;
169 int nid = EVP_MD_type(md);
170 for (const auto &mdoid : kMDOIDs) {
171 if (nid == mdoid.nid) {
172 if (!CBB_add_bytes(&oid, mdoid.oid, mdoid.oid_len)) {
173 return 0;
174 }
175 found = true;
176 break;
177 }
178 }
179
180 if (!found) {
181 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_UNKNOWN_HASH);
182 return 0;
183 }
184
185 if ((with_null && !CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL)) || //
186 !CBB_flush(cbb)) {
187 return 0;
188 }
189
190 return 1;
191 }
192
EVP_marshal_digest_algorithm(CBB * cbb,const EVP_MD * md)193 int EVP_marshal_digest_algorithm(CBB *cbb, const EVP_MD *md) {
194 return marshal_digest_algorithm(cbb, md, /*with_null=*/true);
195 }
196
EVP_marshal_digest_algorithm_no_params(CBB * cbb,const EVP_MD * md)197 int EVP_marshal_digest_algorithm_no_params(CBB *cbb, const EVP_MD *md) {
198 return marshal_digest_algorithm(cbb, md, /*with_null=*/false);
199 }
200
EVP_get_digestbyname(const char * name)201 const EVP_MD *EVP_get_digestbyname(const char *name) {
202 for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(nid_to_digest_mapping); i++) {
203 const char *short_name = nid_to_digest_mapping[i].short_name;
204 const char *long_name = nid_to_digest_mapping[i].long_name;
205 if ((short_name && strcmp(short_name, name) == 0) ||
206 (long_name && strcmp(long_name, name) == 0)) {
207 return nid_to_digest_mapping[i].md_func();
208 }
209 }
210
211 return NULL;
212 }
213
blake2b256_init(EVP_MD_CTX * ctx)214 static void blake2b256_init(EVP_MD_CTX *ctx) {
215 BLAKE2B256_Init(reinterpret_cast<BLAKE2B_CTX *>(ctx->md_data));
216 }
217
blake2b256_update(EVP_MD_CTX * ctx,const void * data,size_t len)218 static void blake2b256_update(EVP_MD_CTX *ctx, const void *data, size_t len) {
219 BLAKE2B256_Update(reinterpret_cast<BLAKE2B_CTX *>(ctx->md_data), data, len);
220 }
221
blake2b256_final(EVP_MD_CTX * ctx,uint8_t * md)222 static void blake2b256_final(EVP_MD_CTX *ctx, uint8_t *md) {
223 BLAKE2B256_Final(md, reinterpret_cast<BLAKE2B_CTX *>(ctx->md_data));
224 }
225
226 static const EVP_MD evp_md_blake2b256 = {
227 NID_undef, BLAKE2B256_DIGEST_LENGTH, 0,
228 blake2b256_init, blake2b256_update, blake2b256_final,
229 BLAKE2B_CBLOCK, sizeof(BLAKE2B_CTX),
230 };
231
EVP_blake2b256(void)232 const EVP_MD *EVP_blake2b256(void) { return &evp_md_blake2b256; }
233
234 static_assert(sizeof(BLAKE2B_CTX) <= EVP_MAX_MD_DATA_SIZE);
235
236
md4_init(EVP_MD_CTX * ctx)237 static void md4_init(EVP_MD_CTX *ctx) {
238 BSSL_CHECK(MD4_Init(reinterpret_cast<MD4_CTX *>(ctx->md_data)));
239 }
240
md4_update(EVP_MD_CTX * ctx,const void * data,size_t count)241 static void md4_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
242 BSSL_CHECK(
243 MD4_Update(reinterpret_cast<MD4_CTX *>(ctx->md_data), data, count));
244 }
245
md4_final(EVP_MD_CTX * ctx,uint8_t * out)246 static void md4_final(EVP_MD_CTX *ctx, uint8_t *out) {
247 BSSL_CHECK(MD4_Final(out, reinterpret_cast<MD4_CTX *>(ctx->md_data)));
248 }
249
250 static const EVP_MD evp_md_md4 = {
251 NID_md4, //
252 MD4_DIGEST_LENGTH, //
253 0,
254 md4_init,
255 md4_update,
256 md4_final,
257 64,
258 sizeof(MD4_CTX),
259 };
260
EVP_md4(void)261 const EVP_MD *EVP_md4(void) { return &evp_md_md4; }
262
263 static_assert(sizeof(MD4_CTX) <= EVP_MAX_MD_DATA_SIZE);
264
265
md5_init(EVP_MD_CTX * ctx)266 static void md5_init(EVP_MD_CTX *ctx) {
267 BSSL_CHECK(MD5_Init(reinterpret_cast<MD5_CTX *>(ctx->md_data)));
268 }
269
md5_update(EVP_MD_CTX * ctx,const void * data,size_t count)270 static void md5_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
271 BSSL_CHECK(
272 MD5_Update(reinterpret_cast<MD5_CTX *>(ctx->md_data), data, count));
273 }
274
md5_final(EVP_MD_CTX * ctx,uint8_t * out)275 static void md5_final(EVP_MD_CTX *ctx, uint8_t *out) {
276 BSSL_CHECK(MD5_Final(out, reinterpret_cast<MD5_CTX *>(ctx->md_data)));
277 }
278
279 static const EVP_MD evp_md_md5 = {
280 NID_md5, MD5_DIGEST_LENGTH, 0, md5_init,
281 md5_update, md5_final, 64, sizeof(MD5_CTX),
282 };
283
EVP_md5(void)284 const EVP_MD *EVP_md5(void) { return &evp_md_md5; }
285
286 static_assert(sizeof(MD5_CTX) <= EVP_MAX_MD_DATA_SIZE);
287
288
289 typedef struct {
290 MD5_CTX md5;
291 SHA_CTX sha1;
292 } MD5_SHA1_CTX;
293
md5_sha1_init(EVP_MD_CTX * md_ctx)294 static void md5_sha1_init(EVP_MD_CTX *md_ctx) {
295 MD5_SHA1_CTX *ctx = reinterpret_cast<MD5_SHA1_CTX *>(md_ctx->md_data);
296 BSSL_CHECK(MD5_Init(&ctx->md5) && SHA1_Init(&ctx->sha1));
297 }
298
md5_sha1_update(EVP_MD_CTX * md_ctx,const void * data,size_t count)299 static void md5_sha1_update(EVP_MD_CTX *md_ctx, const void *data,
300 size_t count) {
301 MD5_SHA1_CTX *ctx = reinterpret_cast<MD5_SHA1_CTX *>(md_ctx->md_data);
302 BSSL_CHECK(MD5_Update(&ctx->md5, data, count) &&
303 SHA1_Update(&ctx->sha1, data, count));
304 }
305
md5_sha1_final(EVP_MD_CTX * md_ctx,uint8_t * out)306 static void md5_sha1_final(EVP_MD_CTX *md_ctx, uint8_t *out) {
307 MD5_SHA1_CTX *ctx = reinterpret_cast<MD5_SHA1_CTX *>(md_ctx->md_data);
308 BSSL_CHECK(MD5_Final(out, &ctx->md5) &&
309 SHA1_Final(out + MD5_DIGEST_LENGTH, &ctx->sha1));
310 }
311
312 const EVP_MD evp_md_md5_sha1 = {
313 NID_md5_sha1,
314 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
315 0,
316 md5_sha1_init,
317 md5_sha1_update,
318 md5_sha1_final,
319 64,
320 sizeof(MD5_SHA1_CTX),
321 };
322
EVP_md5_sha1(void)323 const EVP_MD *EVP_md5_sha1(void) { return &evp_md_md5_sha1; }
324
325 static_assert(sizeof(MD5_SHA1_CTX) <= EVP_MAX_MD_DATA_SIZE);
326