1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/digest.h> 58 59 #include <assert.h> 60 #include <string.h> 61 62 #include <openssl/asn1.h> 63 #include <openssl/bytestring.h> 64 #include <openssl/md4.h> 65 #include <openssl/md5.h> 66 #include <openssl/nid.h> 67 #include <openssl/sha.h> 68 69 #include "internal.h" 70 #include "../internal.h" 71 72 #if defined(NDEBUG) 73 #define CHECK(x) (void) (x) 74 #else 75 #define CHECK(x) assert(x) 76 #endif 77 78 79 static void md4_init(EVP_MD_CTX *ctx) { 80 CHECK(MD4_Init(ctx->md_data)); 81 } 82 83 static void md4_update(EVP_MD_CTX *ctx, const void *data, size_t count) { 84 CHECK(MD4_Update(ctx->md_data, data, count)); 85 } 86 87 static void md4_final(EVP_MD_CTX *ctx, uint8_t *out) { 88 CHECK(MD4_Final(out, ctx->md_data)); 89 } 90 91 static const EVP_MD md4_md = { 92 NID_md4, MD4_DIGEST_LENGTH, 0 /* flags */, md4_init, 93 md4_update, md4_final, 64 /* block size */, sizeof(MD4_CTX), 94 }; 95 96 const EVP_MD *EVP_md4(void) { return &md4_md; } 97 98 99 static void md5_init(EVP_MD_CTX *ctx) { 100 CHECK(MD5_Init(ctx->md_data)); 101 } 102 103 static void md5_update(EVP_MD_CTX *ctx, const void *data, size_t count) { 104 CHECK(MD5_Update(ctx->md_data, data, count)); 105 } 106 107 static void md5_final(EVP_MD_CTX *ctx, uint8_t *out) { 108 CHECK(MD5_Final(out, ctx->md_data)); 109 } 110 111 static const EVP_MD md5_md = { 112 NID_md5, MD5_DIGEST_LENGTH, 0 /* flags */, md5_init, 113 md5_update, md5_final, 64 /* block size */, sizeof(MD5_CTX), 114 }; 115 116 const EVP_MD *EVP_md5(void) { return &md5_md; } 117 118 119 static void sha1_init(EVP_MD_CTX *ctx) { 120 CHECK(SHA1_Init(ctx->md_data)); 121 } 122 123 static void sha1_update(EVP_MD_CTX *ctx, const void *data, size_t count) { 124 CHECK(SHA1_Update(ctx->md_data, data, count)); 125 } 126 127 static void sha1_final(EVP_MD_CTX *ctx, uint8_t *md) { 128 CHECK(SHA1_Final(md, ctx->md_data)); 129 } 130 131 static const EVP_MD sha1_md = { 132 NID_sha1, SHA_DIGEST_LENGTH, 0 /* flags */, sha1_init, 133 sha1_update, sha1_final, 64 /* block size */, sizeof(SHA_CTX), 134 }; 135 136 const EVP_MD *EVP_sha1(void) { return &sha1_md; } 137 138 139 static void sha224_init(EVP_MD_CTX *ctx) { 140 CHECK(SHA224_Init(ctx->md_data)); 141 } 142 143 static void sha224_update(EVP_MD_CTX *ctx, const void *data, size_t count) { 144 CHECK(SHA224_Update(ctx->md_data, data, count)); 145 } 146 147 static void sha224_final(EVP_MD_CTX *ctx, uint8_t *md) { 148 CHECK(SHA224_Final(md, ctx->md_data)); 149 } 150 151 static const EVP_MD sha224_md = { 152 NID_sha224, SHA224_DIGEST_LENGTH, 0 /* flags */, 153 sha224_init, sha224_update, sha224_final, 154 64 /* block size */, sizeof(SHA256_CTX), 155 }; 156 157 const EVP_MD *EVP_sha224(void) { return &sha224_md; } 158 159 160 static void sha256_init(EVP_MD_CTX *ctx) { 161 CHECK(SHA256_Init(ctx->md_data)); 162 } 163 164 static void sha256_update(EVP_MD_CTX *ctx, const void *data, size_t count) { 165 CHECK(SHA256_Update(ctx->md_data, data, count)); 166 } 167 168 static void sha256_final(EVP_MD_CTX *ctx, uint8_t *md) { 169 CHECK(SHA256_Final(md, ctx->md_data)); 170 } 171 172 static const EVP_MD sha256_md = { 173 NID_sha256, SHA256_DIGEST_LENGTH, 0 /* flags */, 174 sha256_init, sha256_update, sha256_final, 175 64 /* block size */, sizeof(SHA256_CTX), 176 }; 177 178 const EVP_MD *EVP_sha256(void) { return &sha256_md; } 179 180 181 static void sha384_init(EVP_MD_CTX *ctx) { 182 CHECK(SHA384_Init(ctx->md_data)); 183 } 184 185 static void sha384_update(EVP_MD_CTX *ctx, const void *data, size_t count) { 186 CHECK(SHA384_Update(ctx->md_data, data, count)); 187 } 188 189 static void sha384_final(EVP_MD_CTX *ctx, uint8_t *md) { 190 CHECK(SHA384_Final(md, ctx->md_data)); 191 } 192 193 static const EVP_MD sha384_md = { 194 NID_sha384, SHA384_DIGEST_LENGTH, 0 /* flags */, 195 sha384_init, sha384_update, sha384_final, 196 128 /* block size */, sizeof(SHA512_CTX), 197 }; 198 199 const EVP_MD *EVP_sha384(void) { return &sha384_md; } 200 201 202 static void sha512_init(EVP_MD_CTX *ctx) { 203 CHECK(SHA512_Init(ctx->md_data)); 204 } 205 206 static void sha512_update(EVP_MD_CTX *ctx, const void *data, size_t count) { 207 CHECK(SHA512_Update(ctx->md_data, data, count)); 208 } 209 210 static void sha512_final(EVP_MD_CTX *ctx, uint8_t *md) { 211 CHECK(SHA512_Final(md, ctx->md_data)); 212 } 213 214 static const EVP_MD sha512_md = { 215 NID_sha512, SHA512_DIGEST_LENGTH, 0 /* flags */, 216 sha512_init, sha512_update, sha512_final, 217 128 /* block size */, sizeof(SHA512_CTX), 218 }; 219 220 const EVP_MD *EVP_sha512(void) { return &sha512_md; } 221 222 223 typedef struct { 224 MD5_CTX md5; 225 SHA_CTX sha1; 226 } MD5_SHA1_CTX; 227 228 static void md5_sha1_init(EVP_MD_CTX *md_ctx) { 229 MD5_SHA1_CTX *ctx = md_ctx->md_data; 230 CHECK(MD5_Init(&ctx->md5) && SHA1_Init(&ctx->sha1)); 231 } 232 233 static void md5_sha1_update(EVP_MD_CTX *md_ctx, const void *data, 234 size_t count) { 235 MD5_SHA1_CTX *ctx = md_ctx->md_data; 236 CHECK(MD5_Update(&ctx->md5, data, count) && 237 SHA1_Update(&ctx->sha1, data, count)); 238 } 239 240 static void md5_sha1_final(EVP_MD_CTX *md_ctx, uint8_t *out) { 241 MD5_SHA1_CTX *ctx = md_ctx->md_data; 242 CHECK(MD5_Final(out, &ctx->md5) && 243 SHA1_Final(out + MD5_DIGEST_LENGTH, &ctx->sha1)); 244 } 245 246 static const EVP_MD md5_sha1_md = { 247 NID_md5_sha1, 248 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, 249 0 /* flags */, 250 md5_sha1_init, 251 md5_sha1_update, 252 md5_sha1_final, 253 64 /* block size */, 254 sizeof(MD5_SHA1_CTX), 255 }; 256 257 const EVP_MD *EVP_md5_sha1(void) { return &md5_sha1_md; } 258 259 260 struct nid_to_digest { 261 int nid; 262 const EVP_MD* (*md_func)(void); 263 const char *short_name; 264 const char *long_name; 265 }; 266 267 static const struct nid_to_digest nid_to_digest_mapping[] = { 268 {NID_md4, EVP_md4, SN_md4, LN_md4}, 269 {NID_md5, EVP_md5, SN_md5, LN_md5}, 270 {NID_sha1, EVP_sha1, SN_sha1, LN_sha1}, 271 {NID_sha224, EVP_sha224, SN_sha224, LN_sha224}, 272 {NID_sha256, EVP_sha256, SN_sha256, LN_sha256}, 273 {NID_sha384, EVP_sha384, SN_sha384, LN_sha384}, 274 {NID_sha512, EVP_sha512, SN_sha512, LN_sha512}, 275 {NID_md5_sha1, EVP_md5_sha1, SN_md5_sha1, LN_md5_sha1}, 276 /* As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding 277 * hash function when given a signature OID. To avoid unintended lax parsing 278 * of hash OIDs, this is no longer supported for lookup by OID or NID. 279 * Node.js, however, exposes |EVP_get_digestbyname|'s full behavior to 280 * consumers so we retain it there. */ 281 {NID_undef, EVP_sha1, SN_dsaWithSHA, LN_dsaWithSHA}, 282 {NID_undef, EVP_sha1, SN_dsaWithSHA1, LN_dsaWithSHA1}, 283 {NID_undef, EVP_sha1, SN_ecdsa_with_SHA1, NULL}, 284 {NID_undef, EVP_md5, SN_md5WithRSAEncryption, LN_md5WithRSAEncryption}, 285 {NID_undef, EVP_sha1, SN_sha1WithRSAEncryption, LN_sha1WithRSAEncryption}, 286 {NID_undef, EVP_sha224, SN_sha224WithRSAEncryption, 287 LN_sha224WithRSAEncryption}, 288 {NID_undef, EVP_sha256, SN_sha256WithRSAEncryption, 289 LN_sha256WithRSAEncryption}, 290 {NID_undef, EVP_sha384, SN_sha384WithRSAEncryption, 291 LN_sha384WithRSAEncryption}, 292 {NID_undef, EVP_sha512, SN_sha512WithRSAEncryption, 293 LN_sha512WithRSAEncryption}, 294 }; 295 296 const EVP_MD* EVP_get_digestbynid(int nid) { 297 if (nid == NID_undef) { 298 /* Skip the |NID_undef| entries in |nid_to_digest_mapping|. */ 299 return NULL; 300 } 301 302 for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(nid_to_digest_mapping); i++) { 303 if (nid_to_digest_mapping[i].nid == nid) { 304 return nid_to_digest_mapping[i].md_func(); 305 } 306 } 307 308 return NULL; 309 } 310 311 static const struct { 312 uint8_t oid[9]; 313 uint8_t oid_len; 314 const EVP_MD *(*md_func) (void); 315 } kMDOIDs[] = { 316 /* 1.2.840.113549.2.4 */ 317 { {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x04}, 8, EVP_md4 }, 318 /* 1.2.840.113549.2.5 */ 319 { {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05}, 8, EVP_md5 }, 320 /* 1.3.14.3.2.26 */ 321 { {0x2b, 0x0e, 0x03, 0x02, 0x1a}, 5, EVP_sha1 }, 322 /* 2.16.840.1.101.3.4.2.1 */ 323 { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}, 9, EVP_sha256 }, 324 /* 2.16.840.1.101.3.4.2.2 */ 325 { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}, 9, EVP_sha384 }, 326 /* 2.16.840.1.101.3.4.2.3 */ 327 { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}, 9, EVP_sha512 }, 328 /* 2.16.840.1.101.3.4.2.4 */ 329 { {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}, 9, EVP_sha224 }, 330 }; 331 332 static const EVP_MD *cbs_to_md(const CBS *cbs) { 333 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMDOIDs); i++) { 334 if (CBS_len(cbs) == kMDOIDs[i].oid_len && 335 OPENSSL_memcmp(CBS_data(cbs), kMDOIDs[i].oid, kMDOIDs[i].oid_len) == 336 0) { 337 return kMDOIDs[i].md_func(); 338 } 339 } 340 341 return NULL; 342 } 343 344 const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj) { 345 /* Handle objects with no corresponding OID. */ 346 if (obj->nid != NID_undef) { 347 return EVP_get_digestbynid(obj->nid); 348 } 349 350 CBS cbs; 351 CBS_init(&cbs, obj->data, obj->length); 352 return cbs_to_md(&cbs); 353 } 354 355 const EVP_MD *EVP_parse_digest_algorithm(CBS *cbs) { 356 CBS algorithm, oid; 357 if (!CBS_get_asn1(cbs, &algorithm, CBS_ASN1_SEQUENCE) || 358 !CBS_get_asn1(&algorithm, &oid, CBS_ASN1_OBJECT)) { 359 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_DECODE_ERROR); 360 return NULL; 361 } 362 363 const EVP_MD *ret = cbs_to_md(&oid); 364 if (ret == NULL) { 365 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_UNKNOWN_HASH); 366 return NULL; 367 } 368 369 /* The parameters, if present, must be NULL. Historically, whether the NULL 370 * was included or omitted was not well-specified. When parsing an 371 * AlgorithmIdentifier, we allow both. (Note this code is not used when 372 * verifying RSASSA-PKCS1-v1_5 signatures.) */ 373 if (CBS_len(&algorithm) > 0) { 374 CBS param; 375 if (!CBS_get_asn1(&algorithm, ¶m, CBS_ASN1_NULL) || 376 CBS_len(¶m) != 0 || 377 CBS_len(&algorithm) != 0) { 378 OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_DECODE_ERROR); 379 return NULL; 380 } 381 } 382 383 return ret; 384 } 385 386 const EVP_MD *EVP_get_digestbyname(const char *name) { 387 for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(nid_to_digest_mapping); i++) { 388 const char *short_name = nid_to_digest_mapping[i].short_name; 389 const char *long_name = nid_to_digest_mapping[i].long_name; 390 if ((short_name && strcmp(short_name, name) == 0) || 391 (long_name && strcmp(long_name, name) == 0)) { 392 return nid_to_digest_mapping[i].md_func(); 393 } 394 } 395 396 return NULL; 397 } 398