1 /* Copyright (C) 1995-1998 Eric Young ([email protected])
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young ([email protected]).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson ([email protected]).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young ([email protected])"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson ([email protected])"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/digest.h>
58
59 #include <string.h>
60
61 #include <openssl/blake2.h>
62 #include <openssl/bytestring.h>
63 #include <openssl/obj.h>
64 #include <openssl/nid.h>
65
66 #include "../asn1/internal.h"
67 #include "../internal.h"
68 #include "../fipsmodule/digest/internal.h"
69
70
71 struct nid_to_digest {
72 int nid;
73 const EVP_MD* (*md_func)(void);
74 const char *short_name;
75 const char *long_name;
76 };
77
78 static const struct nid_to_digest nid_to_digest_mapping[] = {
79 {NID_md4, EVP_md4, SN_md4, LN_md4},
80 {NID_md5, EVP_md5, SN_md5, LN_md5},
81 {NID_sha1, EVP_sha1, SN_sha1, LN_sha1},
82 {NID_sha224, EVP_sha224, SN_sha224, LN_sha224},
83 {NID_sha256, EVP_sha256, SN_sha256, LN_sha256},
84 {NID_sha384, EVP_sha384, SN_sha384, LN_sha384},
85 {NID_sha512, EVP_sha512, SN_sha512, LN_sha512},
86 {NID_sha512_256, EVP_sha512_256, SN_sha512_256, LN_sha512_256},
87 {NID_md5_sha1, EVP_md5_sha1, SN_md5_sha1, LN_md5_sha1},
88 // As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding
89 // hash function when given a signature OID. To avoid unintended lax parsing
90 // of hash OIDs, this is no longer supported for lookup by OID or NID.
91 // Node.js, however, exposes |EVP_get_digestbyname|'s full behavior to
92 // consumers so we retain it there.
93 {NID_undef, EVP_sha1, SN_dsaWithSHA, LN_dsaWithSHA},
94 {NID_undef, EVP_sha1, SN_dsaWithSHA1, LN_dsaWithSHA1},
95 {NID_undef, EVP_sha1, SN_ecdsa_with_SHA1, NULL},
96 {NID_undef, EVP_md5, SN_md5WithRSAEncryption, LN_md5WithRSAEncryption},
97 {NID_undef, EVP_sha1, SN_sha1WithRSAEncryption, LN_sha1WithRSAEncryption},
98 {NID_undef, EVP_sha224, SN_sha224WithRSAEncryption,
99 LN_sha224WithRSAEncryption},
100 {NID_undef, EVP_sha256, SN_sha256WithRSAEncryption,
101 LN_sha256WithRSAEncryption},
102 {NID_undef, EVP_sha384, SN_sha384WithRSAEncryption,
103 LN_sha384WithRSAEncryption},
104 {NID_undef, EVP_sha512, SN_sha512WithRSAEncryption,
105 LN_sha512WithRSAEncryption},
106 };
107
EVP_get_digestbynid(int nid)108 const EVP_MD* EVP_get_digestbynid(int nid) {
109 if (nid == NID_undef) {
110 // Skip the |NID_undef| entries in |nid_to_digest_mapping|.
111 return NULL;
112 }
113
114 for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(nid_to_digest_mapping); i++) {
115 if (nid_to_digest_mapping[i].nid == nid) {
116 return nid_to_digest_mapping[i].md_func();
117 }
118 }
119
120 return NULL;
121 }
122
123 static const struct {
124 uint8_t oid[9];
125 uint8_t oid_len;
126 int nid;
127 } kMDOIDs[] = {
128 // 1.2.840.113549.2.4
129 { {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x04}, 8, NID_md4 },
130 // 1.2.840.113549.2.5
131 { {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05}, 8, NID_md5 },
132 // 1.3.14.3.2.26
133 { {0x2b, 0x0e, 0x03, 0x02, 0x1a}, 5, NID_sha1 },
134 // 2.16.840.1.101.3.4.2.1
135 { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}, 9, NID_sha256 },
136 // 2.16.840.1.101.3.4.2.2
137 { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}, 9, NID_sha384 },
138 // 2.16.840.1.101.3.4.2.3
139 { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}, 9, NID_sha512 },
140 // 2.16.840.1.101.3.4.2.4
141 { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}, 9, NID_sha224 },
142 };
143
cbs_to_md(const CBS * cbs)144 static const EVP_MD *cbs_to_md(const CBS *cbs) {
145 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMDOIDs); i++) {
146 if (CBS_len(cbs) == kMDOIDs[i].oid_len &&
147 OPENSSL_memcmp(CBS_data(cbs), kMDOIDs[i].oid, kMDOIDs[i].oid_len) ==
148 0) {
149 return EVP_get_digestbynid(kMDOIDs[i].nid);
150 }
151 }
152
153 return NULL;
154 }
155
EVP_get_digestbyobj(const ASN1_OBJECT * obj)156 const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj) {
157 // Handle objects with no corresponding OID. Note we don't use |OBJ_obj2nid|
158 // here to avoid pulling in the OID table.
159 if (obj->nid != NID_undef) {
160 return EVP_get_digestbynid(obj->nid);
161 }
162
163 CBS cbs;
164 CBS_init(&cbs, OBJ_get0_data(obj), OBJ_length(obj));
165 return cbs_to_md(&cbs);
166 }
167
EVP_parse_digest_algorithm(CBS * cbs)168 const EVP_MD *EVP_parse_digest_algorithm(CBS *cbs) {
169 CBS algorithm, oid;
170 if (!CBS_get_asn1(cbs, &algorithm, CBS_ASN1_SEQUENCE) ||
171 !CBS_get_asn1(&algorithm, &oid, CBS_ASN1_OBJECT)) {
172 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_DECODE_ERROR);
173 return NULL;
174 }
175
176 const EVP_MD *ret = cbs_to_md(&oid);
177 if (ret == NULL) {
178 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_UNKNOWN_HASH);
179 return NULL;
180 }
181
182 // The parameters, if present, must be NULL. Historically, whether the NULL
183 // was included or omitted was not well-specified. When parsing an
184 // AlgorithmIdentifier, we allow both. (Note this code is not used when
185 // verifying RSASSA-PKCS1-v1_5 signatures.)
186 if (CBS_len(&algorithm) > 0) {
187 CBS param;
188 if (!CBS_get_asn1(&algorithm, ¶m, CBS_ASN1_NULL) ||
189 CBS_len(¶m) != 0 ||
190 CBS_len(&algorithm) != 0) {
191 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_DECODE_ERROR);
192 return NULL;
193 }
194 }
195
196 return ret;
197 }
198
EVP_marshal_digest_algorithm(CBB * cbb,const EVP_MD * md)199 int EVP_marshal_digest_algorithm(CBB *cbb, const EVP_MD *md) {
200 CBB algorithm, oid, null;
201 if (!CBB_add_asn1(cbb, &algorithm, CBS_ASN1_SEQUENCE) ||
202 !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT)) {
203 return 0;
204 }
205
206 int found = 0;
207 int nid = EVP_MD_type(md);
208 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMDOIDs); i++) {
209 if (nid == kMDOIDs[i].nid) {
210 if (!CBB_add_bytes(&oid, kMDOIDs[i].oid, kMDOIDs[i].oid_len)) {
211 return 0;
212 }
213 found = 1;
214 break;
215 }
216 }
217
218 if (!found) {
219 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_UNKNOWN_HASH);
220 return 0;
221 }
222
223 // TODO(crbug.com/boringssl/710): Is this correct? See RFC 4055, section 2.1.
224 if (!CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) ||
225 !CBB_flush(cbb)) {
226 return 0;
227 }
228
229 return 1;
230 }
231
EVP_get_digestbyname(const char * name)232 const EVP_MD *EVP_get_digestbyname(const char *name) {
233 for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(nid_to_digest_mapping); i++) {
234 const char *short_name = nid_to_digest_mapping[i].short_name;
235 const char *long_name = nid_to_digest_mapping[i].long_name;
236 if ((short_name && strcmp(short_name, name) == 0) ||
237 (long_name && strcmp(long_name, name) == 0)) {
238 return nid_to_digest_mapping[i].md_func();
239 }
240 }
241
242 return NULL;
243 }
244
blake2b256_init(EVP_MD_CTX * ctx)245 static void blake2b256_init(EVP_MD_CTX *ctx) { BLAKE2B256_Init(ctx->md_data); }
246
blake2b256_update(EVP_MD_CTX * ctx,const void * data,size_t len)247 static void blake2b256_update(EVP_MD_CTX *ctx, const void *data, size_t len) {
248 BLAKE2B256_Update(ctx->md_data, data, len);
249 }
250
blake2b256_final(EVP_MD_CTX * ctx,uint8_t * md)251 static void blake2b256_final(EVP_MD_CTX *ctx, uint8_t *md) {
252 BLAKE2B256_Final(md, ctx->md_data);
253 }
254
255 static const EVP_MD evp_md_blake2b256 = {
256 NID_undef,
257 BLAKE2B256_DIGEST_LENGTH,
258 0,
259 blake2b256_init,
260 blake2b256_update,
261 blake2b256_final,
262 BLAKE2B_CBLOCK,
263 sizeof(BLAKE2B_CTX),
264 };
265
EVP_blake2b256(void)266 const EVP_MD *EVP_blake2b256(void) { return &evp_md_blake2b256; }
267