1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/digest.h>
58
59 #include <assert.h>
60 #include <string.h>
61
62 #include <openssl/asn1.h>
63 #include <openssl/bytestring.h>
64 #include <openssl/md4.h>
65 #include <openssl/md5.h>
66 #include <openssl/nid.h>
67 #include <openssl/sha.h>
68
69 #include "internal.h"
70 #include "../internal.h"
71
72 #if defined(NDEBUG)
73 #define CHECK(x) (void) (x)
74 #else
75 #define CHECK(x) assert(x)
76 #endif
77
78
md4_init(EVP_MD_CTX * ctx)79 static void md4_init(EVP_MD_CTX *ctx) {
80 CHECK(MD4_Init(ctx->md_data));
81 }
82
md4_update(EVP_MD_CTX * ctx,const void * data,size_t count)83 static void md4_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
84 CHECK(MD4_Update(ctx->md_data, data, count));
85 }
86
md4_final(EVP_MD_CTX * ctx,uint8_t * out)87 static void md4_final(EVP_MD_CTX *ctx, uint8_t *out) {
88 CHECK(MD4_Final(out, ctx->md_data));
89 }
90
91 static const EVP_MD md4_md = {
92 NID_md4, MD4_DIGEST_LENGTH, 0 /* flags */, md4_init,
93 md4_update, md4_final, 64 /* block size */, sizeof(MD4_CTX),
94 };
95
EVP_md4(void)96 const EVP_MD *EVP_md4(void) { return &md4_md; }
97
98
md5_init(EVP_MD_CTX * ctx)99 static void md5_init(EVP_MD_CTX *ctx) {
100 CHECK(MD5_Init(ctx->md_data));
101 }
102
md5_update(EVP_MD_CTX * ctx,const void * data,size_t count)103 static void md5_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
104 CHECK(MD5_Update(ctx->md_data, data, count));
105 }
106
md5_final(EVP_MD_CTX * ctx,uint8_t * out)107 static void md5_final(EVP_MD_CTX *ctx, uint8_t *out) {
108 CHECK(MD5_Final(out, ctx->md_data));
109 }
110
111 static const EVP_MD md5_md = {
112 NID_md5, MD5_DIGEST_LENGTH, 0 /* flags */, md5_init,
113 md5_update, md5_final, 64 /* block size */, sizeof(MD5_CTX),
114 };
115
EVP_md5(void)116 const EVP_MD *EVP_md5(void) { return &md5_md; }
117
118
sha1_init(EVP_MD_CTX * ctx)119 static void sha1_init(EVP_MD_CTX *ctx) {
120 CHECK(SHA1_Init(ctx->md_data));
121 }
122
sha1_update(EVP_MD_CTX * ctx,const void * data,size_t count)123 static void sha1_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
124 CHECK(SHA1_Update(ctx->md_data, data, count));
125 }
126
sha1_final(EVP_MD_CTX * ctx,uint8_t * md)127 static void sha1_final(EVP_MD_CTX *ctx, uint8_t *md) {
128 CHECK(SHA1_Final(md, ctx->md_data));
129 }
130
131 static const EVP_MD sha1_md = {
132 NID_sha1, SHA_DIGEST_LENGTH, 0 /* flags */, sha1_init,
133 sha1_update, sha1_final, 64 /* block size */, sizeof(SHA_CTX),
134 };
135
EVP_sha1(void)136 const EVP_MD *EVP_sha1(void) { return &sha1_md; }
137
138
sha224_init(EVP_MD_CTX * ctx)139 static void sha224_init(EVP_MD_CTX *ctx) {
140 CHECK(SHA224_Init(ctx->md_data));
141 }
142
sha224_update(EVP_MD_CTX * ctx,const void * data,size_t count)143 static void sha224_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
144 CHECK(SHA224_Update(ctx->md_data, data, count));
145 }
146
sha224_final(EVP_MD_CTX * ctx,uint8_t * md)147 static void sha224_final(EVP_MD_CTX *ctx, uint8_t *md) {
148 CHECK(SHA224_Final(md, ctx->md_data));
149 }
150
151 static const EVP_MD sha224_md = {
152 NID_sha224, SHA224_DIGEST_LENGTH, 0 /* flags */,
153 sha224_init, sha224_update, sha224_final,
154 64 /* block size */, sizeof(SHA256_CTX),
155 };
156
EVP_sha224(void)157 const EVP_MD *EVP_sha224(void) { return &sha224_md; }
158
159
sha256_init(EVP_MD_CTX * ctx)160 static void sha256_init(EVP_MD_CTX *ctx) {
161 CHECK(SHA256_Init(ctx->md_data));
162 }
163
sha256_update(EVP_MD_CTX * ctx,const void * data,size_t count)164 static void sha256_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
165 CHECK(SHA256_Update(ctx->md_data, data, count));
166 }
167
sha256_final(EVP_MD_CTX * ctx,uint8_t * md)168 static void sha256_final(EVP_MD_CTX *ctx, uint8_t *md) {
169 CHECK(SHA256_Final(md, ctx->md_data));
170 }
171
172 static const EVP_MD sha256_md = {
173 NID_sha256, SHA256_DIGEST_LENGTH, 0 /* flags */,
174 sha256_init, sha256_update, sha256_final,
175 64 /* block size */, sizeof(SHA256_CTX),
176 };
177
EVP_sha256(void)178 const EVP_MD *EVP_sha256(void) { return &sha256_md; }
179
180
sha384_init(EVP_MD_CTX * ctx)181 static void sha384_init(EVP_MD_CTX *ctx) {
182 CHECK(SHA384_Init(ctx->md_data));
183 }
184
sha384_update(EVP_MD_CTX * ctx,const void * data,size_t count)185 static void sha384_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
186 CHECK(SHA384_Update(ctx->md_data, data, count));
187 }
188
sha384_final(EVP_MD_CTX * ctx,uint8_t * md)189 static void sha384_final(EVP_MD_CTX *ctx, uint8_t *md) {
190 CHECK(SHA384_Final(md, ctx->md_data));
191 }
192
193 static const EVP_MD sha384_md = {
194 NID_sha384, SHA384_DIGEST_LENGTH, 0 /* flags */,
195 sha384_init, sha384_update, sha384_final,
196 128 /* block size */, sizeof(SHA512_CTX),
197 };
198
EVP_sha384(void)199 const EVP_MD *EVP_sha384(void) { return &sha384_md; }
200
201
sha512_init(EVP_MD_CTX * ctx)202 static void sha512_init(EVP_MD_CTX *ctx) {
203 CHECK(SHA512_Init(ctx->md_data));
204 }
205
sha512_update(EVP_MD_CTX * ctx,const void * data,size_t count)206 static void sha512_update(EVP_MD_CTX *ctx, const void *data, size_t count) {
207 CHECK(SHA512_Update(ctx->md_data, data, count));
208 }
209
sha512_final(EVP_MD_CTX * ctx,uint8_t * md)210 static void sha512_final(EVP_MD_CTX *ctx, uint8_t *md) {
211 CHECK(SHA512_Final(md, ctx->md_data));
212 }
213
214 static const EVP_MD sha512_md = {
215 NID_sha512, SHA512_DIGEST_LENGTH, 0 /* flags */,
216 sha512_init, sha512_update, sha512_final,
217 128 /* block size */, sizeof(SHA512_CTX),
218 };
219
EVP_sha512(void)220 const EVP_MD *EVP_sha512(void) { return &sha512_md; }
221
222
223 typedef struct {
224 MD5_CTX md5;
225 SHA_CTX sha1;
226 } MD5_SHA1_CTX;
227
md5_sha1_init(EVP_MD_CTX * md_ctx)228 static void md5_sha1_init(EVP_MD_CTX *md_ctx) {
229 MD5_SHA1_CTX *ctx = md_ctx->md_data;
230 CHECK(MD5_Init(&ctx->md5) && SHA1_Init(&ctx->sha1));
231 }
232
md5_sha1_update(EVP_MD_CTX * md_ctx,const void * data,size_t count)233 static void md5_sha1_update(EVP_MD_CTX *md_ctx, const void *data,
234 size_t count) {
235 MD5_SHA1_CTX *ctx = md_ctx->md_data;
236 CHECK(MD5_Update(&ctx->md5, data, count) &&
237 SHA1_Update(&ctx->sha1, data, count));
238 }
239
md5_sha1_final(EVP_MD_CTX * md_ctx,uint8_t * out)240 static void md5_sha1_final(EVP_MD_CTX *md_ctx, uint8_t *out) {
241 MD5_SHA1_CTX *ctx = md_ctx->md_data;
242 CHECK(MD5_Final(out, &ctx->md5) &&
243 SHA1_Final(out + MD5_DIGEST_LENGTH, &ctx->sha1));
244 }
245
246 static const EVP_MD md5_sha1_md = {
247 NID_md5_sha1,
248 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
249 0 /* flags */,
250 md5_sha1_init,
251 md5_sha1_update,
252 md5_sha1_final,
253 64 /* block size */,
254 sizeof(MD5_SHA1_CTX),
255 };
256
EVP_md5_sha1(void)257 const EVP_MD *EVP_md5_sha1(void) { return &md5_sha1_md; }
258
259
260 struct nid_to_digest {
261 int nid;
262 const EVP_MD* (*md_func)(void);
263 const char *short_name;
264 const char *long_name;
265 };
266
267 static const struct nid_to_digest nid_to_digest_mapping[] = {
268 {NID_md4, EVP_md4, SN_md4, LN_md4},
269 {NID_md5, EVP_md5, SN_md5, LN_md5},
270 {NID_sha1, EVP_sha1, SN_sha1, LN_sha1},
271 {NID_sha224, EVP_sha224, SN_sha224, LN_sha224},
272 {NID_sha256, EVP_sha256, SN_sha256, LN_sha256},
273 {NID_sha384, EVP_sha384, SN_sha384, LN_sha384},
274 {NID_sha512, EVP_sha512, SN_sha512, LN_sha512},
275 {NID_md5_sha1, EVP_md5_sha1, SN_md5_sha1, LN_md5_sha1},
276 /* As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding
277 * hash function when given a signature OID. To avoid unintended lax parsing
278 * of hash OIDs, this is no longer supported for lookup by OID or NID.
279 * Node.js, however, exposes |EVP_get_digestbyname|'s full behavior to
280 * consumers so we retain it there. */
281 {NID_undef, EVP_sha1, SN_dsaWithSHA, LN_dsaWithSHA},
282 {NID_undef, EVP_sha1, SN_dsaWithSHA1, LN_dsaWithSHA1},
283 {NID_undef, EVP_sha1, SN_ecdsa_with_SHA1, NULL},
284 {NID_undef, EVP_md5, SN_md5WithRSAEncryption, LN_md5WithRSAEncryption},
285 {NID_undef, EVP_sha1, SN_sha1WithRSAEncryption, LN_sha1WithRSAEncryption},
286 {NID_undef, EVP_sha224, SN_sha224WithRSAEncryption,
287 LN_sha224WithRSAEncryption},
288 {NID_undef, EVP_sha256, SN_sha256WithRSAEncryption,
289 LN_sha256WithRSAEncryption},
290 {NID_undef, EVP_sha384, SN_sha384WithRSAEncryption,
291 LN_sha384WithRSAEncryption},
292 {NID_undef, EVP_sha512, SN_sha512WithRSAEncryption,
293 LN_sha512WithRSAEncryption},
294 };
295
EVP_get_digestbynid(int nid)296 const EVP_MD* EVP_get_digestbynid(int nid) {
297 if (nid == NID_undef) {
298 /* Skip the |NID_undef| entries in |nid_to_digest_mapping|. */
299 return NULL;
300 }
301
302 for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(nid_to_digest_mapping); i++) {
303 if (nid_to_digest_mapping[i].nid == nid) {
304 return nid_to_digest_mapping[i].md_func();
305 }
306 }
307
308 return NULL;
309 }
310
311 static const struct {
312 uint8_t oid[9];
313 uint8_t oid_len;
314 const EVP_MD *(*md_func) (void);
315 } kMDOIDs[] = {
316 /* 1.2.840.113549.2.4 */
317 { {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x04}, 8, EVP_md4 },
318 /* 1.2.840.113549.2.5 */
319 { {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05}, 8, EVP_md5 },
320 /* 1.3.14.3.2.26 */
321 { {0x2b, 0x0e, 0x03, 0x02, 0x1a}, 5, EVP_sha1 },
322 /* 2.16.840.1.101.3.4.2.1 */
323 { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}, 9, EVP_sha256 },
324 /* 2.16.840.1.101.3.4.2.2 */
325 { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}, 9, EVP_sha384 },
326 /* 2.16.840.1.101.3.4.2.3 */
327 { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}, 9, EVP_sha512 },
328 /* 2.16.840.1.101.3.4.2.4 */
329 { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}, 9, EVP_sha224 },
330 };
331
cbs_to_md(const CBS * cbs)332 static const EVP_MD *cbs_to_md(const CBS *cbs) {
333 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMDOIDs); i++) {
334 if (CBS_len(cbs) == kMDOIDs[i].oid_len &&
335 OPENSSL_memcmp(CBS_data(cbs), kMDOIDs[i].oid, kMDOIDs[i].oid_len) ==
336 0) {
337 return kMDOIDs[i].md_func();
338 }
339 }
340
341 return NULL;
342 }
343
EVP_get_digestbyobj(const ASN1_OBJECT * obj)344 const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj) {
345 /* Handle objects with no corresponding OID. */
346 if (obj->nid != NID_undef) {
347 return EVP_get_digestbynid(obj->nid);
348 }
349
350 CBS cbs;
351 CBS_init(&cbs, obj->data, obj->length);
352 return cbs_to_md(&cbs);
353 }
354
EVP_parse_digest_algorithm(CBS * cbs)355 const EVP_MD *EVP_parse_digest_algorithm(CBS *cbs) {
356 CBS algorithm, oid;
357 if (!CBS_get_asn1(cbs, &algorithm, CBS_ASN1_SEQUENCE) ||
358 !CBS_get_asn1(&algorithm, &oid, CBS_ASN1_OBJECT)) {
359 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_DECODE_ERROR);
360 return NULL;
361 }
362
363 const EVP_MD *ret = cbs_to_md(&oid);
364 if (ret == NULL) {
365 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_UNKNOWN_HASH);
366 return NULL;
367 }
368
369 /* The parameters, if present, must be NULL. Historically, whether the NULL
370 * was included or omitted was not well-specified. When parsing an
371 * AlgorithmIdentifier, we allow both. (Note this code is not used when
372 * verifying RSASSA-PKCS1-v1_5 signatures.) */
373 if (CBS_len(&algorithm) > 0) {
374 CBS param;
375 if (!CBS_get_asn1(&algorithm, ¶m, CBS_ASN1_NULL) ||
376 CBS_len(¶m) != 0 ||
377 CBS_len(&algorithm) != 0) {
378 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_DECODE_ERROR);
379 return NULL;
380 }
381 }
382
383 return ret;
384 }
385
EVP_get_digestbyname(const char * name)386 const EVP_MD *EVP_get_digestbyname(const char *name) {
387 for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(nid_to_digest_mapping); i++) {
388 const char *short_name = nid_to_digest_mapping[i].short_name;
389 const char *long_name = nid_to_digest_mapping[i].long_name;
390 if ((short_name && strcmp(short_name, name) == 0) ||
391 (long_name && strcmp(long_name, name) == 0)) {
392 return nid_to_digest_mapping[i].md_func();
393 }
394 }
395
396 return NULL;
397 }
398