external/boringssl: Sync to faa539f877432814d0f2de19846eb99f2ea1e207.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/bbfe603519bc54fbc4c8dd87efe1ed385df550b4..faa539f877432814d0f2de19846eb99f2ea1e207
Test: BoringSSL CTS Presubmits
Change-Id: I3ea66c6a16d30b31f9a51e8154fa581a7d386918
diff --git a/src/crypto/cipher/tls_cbc.c b/src/crypto/cipher/tls_cbc.c
index 52880b0..a825c1c 100644
--- a/src/crypto/cipher/tls_cbc.c
+++ b/src/crypto/cipher/tls_cbc.c
@@ -73,20 +73,19 @@
* supported by TLS.) */
#define MAX_HASH_BLOCK_SIZE 128
-int EVP_tls_cbc_remove_padding(unsigned *out_padding_ok, unsigned *out_len,
- const uint8_t *in, unsigned in_len,
- unsigned block_size, unsigned mac_size) {
- unsigned padding_length, good, to_check, i;
- const unsigned overhead = 1 /* padding length byte */ + mac_size;
+int EVP_tls_cbc_remove_padding(size_t *out_padding_ok, size_t *out_len,
+ const uint8_t *in, size_t in_len,
+ size_t block_size, size_t mac_size) {
+ const size_t overhead = 1 /* padding length byte */ + mac_size;
/* These lengths are all public so we can test them in non-constant time. */
if (overhead > in_len) {
return 0;
}
- padding_length = in[in_len - 1];
+ size_t padding_length = in[in_len - 1];
- good = constant_time_ge(in_len, overhead + padding_length);
+ size_t good = constant_time_ge_s(in_len, overhead + padding_length);
/* The padding consists of a length byte at the end of the record and
* then that many bytes of padding, all with the same value as the
* length byte. Thus, with the length byte included, there are i+1
@@ -96,12 +95,12 @@
* decrypted information. Therefore we always have to check the maximum
* amount of padding possible. (Again, the length of the record is
* public information so we can use it.) */
- to_check = 256; /* maximum amount of padding, inc length byte. */
+ size_t to_check = 256; /* maximum amount of padding, inc length byte. */
if (to_check > in_len) {
to_check = in_len;
}
- for (i = 0; i < to_check; i++) {
+ for (size_t i = 0; i < to_check; i++) {
uint8_t mask = constant_time_ge_8(padding_length, i);
uint8_t b = in[in_len - 1 - i];
/* The final |padding_length+1| bytes should all have the value
@@ -111,7 +110,7 @@
/* If any of the final |padding_length+1| bytes had the wrong value,
* one or more of the lower eight bits of |good| will be cleared. */
- good = constant_time_eq(0xff, good & 0xff);
+ good = constant_time_eq_s(0xff, good & 0xff);
/* Always treat |padding_length| as zero on error. If, assuming block size of
* 16, a padding of [<15 arbitrary bytes> 15] treated |padding_length| as 16
@@ -123,16 +122,15 @@
return 1;
}
-void EVP_tls_cbc_copy_mac(uint8_t *out, unsigned md_size,
- const uint8_t *in, unsigned in_len,
- unsigned orig_len) {
+void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
+ size_t in_len, size_t orig_len) {
uint8_t rotated_mac1[EVP_MAX_MD_SIZE], rotated_mac2[EVP_MAX_MD_SIZE];
uint8_t *rotated_mac = rotated_mac1;
uint8_t *rotated_mac_tmp = rotated_mac2;
/* mac_end is the index of |in| just after the end of the MAC. */
- unsigned mac_end = in_len;
- unsigned mac_start = mac_end - md_size;
+ size_t mac_end = in_len;
+ size_t mac_start = mac_end - md_size;
assert(orig_len >= in_len);
assert(in_len >= md_size);
@@ -140,20 +138,20 @@
/* scan_start contains the number of bytes that we can ignore because
* the MAC's position can only vary by 255 bytes. */
- unsigned scan_start = 0;
+ size_t scan_start = 0;
/* This information is public so it's safe to branch based on it. */
if (orig_len > md_size + 255 + 1) {
scan_start = orig_len - (md_size + 255 + 1);
}
- unsigned rotate_offset = 0;
+ size_t rotate_offset = 0;
uint8_t mac_started = 0;
OPENSSL_memset(rotated_mac, 0, md_size);
- for (unsigned i = scan_start, j = 0; i < orig_len; i++, j++) {
+ for (size_t i = scan_start, j = 0; i < orig_len; i++, j++) {
if (j >= md_size) {
j -= md_size;
}
- unsigned is_mac_start = constant_time_eq(i, mac_start);
+ size_t is_mac_start = constant_time_eq_s(i, mac_start);
mac_started |= is_mac_start;
uint8_t mac_ended = constant_time_ge_8(i, mac_end);
rotated_mac[j] |= in[i] & mac_started & ~mac_ended;
@@ -163,12 +161,11 @@
/* Now rotate the MAC. We rotate in log(md_size) steps, one for each bit
* position. */
- for (unsigned offset = 1; offset < md_size;
- offset <<= 1, rotate_offset >>= 1) {
+ for (size_t offset = 1; offset < md_size; offset <<= 1, rotate_offset >>= 1) {
/* Rotate by |offset| iff the corresponding bit is set in
* |rotate_offset|, placing the result in |rotated_mac_tmp|. */
const uint8_t skip_rotate = (rotate_offset & 1) - 1;
- for (unsigned i = 0, j = offset; i < md_size; i++, j++) {
+ for (size_t i = 0, j = offset; i < md_size; i++, j++) {
if (j >= md_size) {
j -= md_size;
}
@@ -211,40 +208,49 @@
*((p)++) = (uint8_t)((n)); \
} while (0)
+typedef union {
+ SHA_CTX sha1;
+ SHA256_CTX sha256;
+ SHA512_CTX sha512;
+} HASH_CTX;
+
+static void tls1_sha1_transform(HASH_CTX *ctx, const uint8_t *block) {
+ SHA1_Transform(&ctx->sha1, block);
+}
+
+static void tls1_sha256_transform(HASH_CTX *ctx, const uint8_t *block) {
+ SHA256_Transform(&ctx->sha256, block);
+}
+
+static void tls1_sha512_transform(HASH_CTX *ctx, const uint8_t *block) {
+ SHA512_Transform(&ctx->sha512, block);
+}
+
/* These functions serialize the state of a hash and thus perform the standard
* "final" operation without adding the padding and length that such a function
* typically does. */
-static void tls1_sha1_final_raw(void *ctx, uint8_t *md_out) {
- SHA_CTX *sha1 = ctx;
+static void tls1_sha1_final_raw(HASH_CTX *ctx, uint8_t *md_out) {
+ SHA_CTX *sha1 = &ctx->sha1;
u32toBE(sha1->h[0], md_out);
u32toBE(sha1->h[1], md_out);
u32toBE(sha1->h[2], md_out);
u32toBE(sha1->h[3], md_out);
u32toBE(sha1->h[4], md_out);
}
-#define LARGEST_DIGEST_CTX SHA_CTX
-static void tls1_sha256_final_raw(void *ctx, uint8_t *md_out) {
- SHA256_CTX *sha256 = ctx;
- unsigned i;
-
- for (i = 0; i < 8; i++) {
+static void tls1_sha256_final_raw(HASH_CTX *ctx, uint8_t *md_out) {
+ SHA256_CTX *sha256 = &ctx->sha256;
+ for (unsigned i = 0; i < 8; i++) {
u32toBE(sha256->h[i], md_out);
}
}
-#undef LARGEST_DIGEST_CTX
-#define LARGEST_DIGEST_CTX SHA256_CTX
-static void tls1_sha512_final_raw(void *ctx, uint8_t *md_out) {
- SHA512_CTX *sha512 = ctx;
- unsigned i;
-
- for (i = 0; i < 8; i++) {
+static void tls1_sha512_final_raw(HASH_CTX *ctx, uint8_t *md_out) {
+ SHA512_CTX *sha512 = &ctx->sha512;
+ for (unsigned i = 0; i < 8; i++) {
u64toBE(sha512->h[i], md_out);
}
}
-#undef LARGEST_DIGEST_CTX
-#define LARGEST_DIGEST_CTX SHA512_CTX
int EVP_tls_cbc_record_digest_supported(const EVP_MD *md) {
switch (EVP_MD_type(md)) {
@@ -264,54 +270,42 @@
size_t data_plus_mac_plus_padding_size,
const uint8_t *mac_secret,
unsigned mac_secret_length) {
- union {
- double align;
- uint8_t c[sizeof(LARGEST_DIGEST_CTX)];
- } md_state;
- void (*md_final_raw)(void *ctx, uint8_t *md_out);
- void (*md_transform)(void *ctx, const uint8_t *block);
+ HASH_CTX md_state;
+ void (*md_final_raw)(HASH_CTX *ctx, uint8_t *md_out);
+ void (*md_transform)(HASH_CTX *ctx, const uint8_t *block);
unsigned md_size, md_block_size = 64;
- unsigned len, max_mac_bytes, num_blocks, num_starting_blocks, k,
- mac_end_offset, c, index_a, index_b;
- unsigned int bits; /* at most 18 bits */
- uint8_t length_bytes[MAX_HASH_BIT_COUNT_BYTES];
- /* hmac_pad is the masked HMAC key. */
- uint8_t hmac_pad[MAX_HASH_BLOCK_SIZE];
- uint8_t first_block[MAX_HASH_BLOCK_SIZE];
- uint8_t mac_out[EVP_MAX_MD_SIZE];
- unsigned i, j, md_out_size_u;
- EVP_MD_CTX md_ctx;
- /* mdLengthSize is the number of bytes in the length field that terminates
- * the hash. */
+ /* md_length_size is the number of bytes in the length field that terminates
+ * the hash. */
unsigned md_length_size = 8;
- /* This is a, hopefully redundant, check that allows us to forget about
- * many possible overflows later in this function. */
- assert(data_plus_mac_plus_padding_size < 1024 * 1024);
+ /* Bound the acceptable input so we can forget about many possible overflows
+ * later in this function. This is redundant with the record size limits in
+ * TLS. */
+ if (data_plus_mac_plus_padding_size >= 1024 * 1024) {
+ assert(0);
+ return 0;
+ }
switch (EVP_MD_type(md)) {
case NID_sha1:
- SHA1_Init((SHA_CTX *)md_state.c);
+ SHA1_Init(&md_state.sha1);
md_final_raw = tls1_sha1_final_raw;
- md_transform =
- (void (*)(void *ctx, const uint8_t *block))SHA1_Transform;
- md_size = 20;
+ md_transform = tls1_sha1_transform;
+ md_size = SHA_DIGEST_LENGTH;
break;
case NID_sha256:
- SHA256_Init((SHA256_CTX *)md_state.c);
+ SHA256_Init(&md_state.sha256);
md_final_raw = tls1_sha256_final_raw;
- md_transform =
- (void (*)(void *ctx, const uint8_t *block))SHA256_Transform;
- md_size = 32;
+ md_transform = tls1_sha256_transform;
+ md_size = SHA256_DIGEST_LENGTH;
break;
case NID_sha384:
- SHA384_Init((SHA512_CTX *)md_state.c);
+ SHA384_Init(&md_state.sha512);
md_final_raw = tls1_sha512_final_raw;
- md_transform =
- (void (*)(void *ctx, const uint8_t *block))SHA512_Transform;
- md_size = 384 / 8;
+ md_transform = tls1_sha512_transform;
+ md_size = SHA384_DIGEST_LENGTH;
md_block_size = 128;
md_length_size = 16;
break;
@@ -328,7 +322,7 @@
assert(md_block_size <= MAX_HASH_BLOCK_SIZE);
assert(md_size <= EVP_MAX_MD_SIZE);
- static const unsigned kHeaderLength = 13;
+ static const size_t kHeaderLength = 13;
/* kVarianceBlocks is the number of blocks of the hash that we have to
* calculate in constant time because they could be altered by the
@@ -337,16 +331,16 @@
* TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
* required to be minimal. Therefore we say that the final six blocks
* can vary based on the padding. */
- static const unsigned kVarianceBlocks = 6;
+ static const size_t kVarianceBlocks = 6;
/* From now on we're dealing with the MAC, which conceptually has 13
* bytes of `header' before the start of the data. */
- len = data_plus_mac_plus_padding_size + kHeaderLength;
+ size_t len = data_plus_mac_plus_padding_size + kHeaderLength;
/* max_mac_bytes contains the maximum bytes of bytes in the MAC, including
- * |header|, assuming that there's no padding. */
- max_mac_bytes = len - md_size - 1;
+ * |header|, assuming that there's no padding. */
+ size_t max_mac_bytes = len - md_size - 1;
/* num_blocks is the maximum number of hash blocks. */
- num_blocks =
+ size_t num_blocks =
(max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size;
/* In order to calculate the MAC in constant time we have to handle
* the final blocks specially because the padding value could cause the
@@ -354,43 +348,47 @@
* can't leak where. However, |num_starting_blocks| worth of data can
* be hashed right away because no padding value can affect whether
* they are plaintext. */
- num_starting_blocks = 0;
+ size_t num_starting_blocks = 0;
/* k is the starting byte offset into the conceptual header||data where
* we start processing. */
- k = 0;
+ size_t k = 0;
/* mac_end_offset is the index just past the end of the data to be
* MACed. */
- mac_end_offset = data_plus_mac_size + kHeaderLength - md_size;
+ size_t mac_end_offset = data_plus_mac_size + kHeaderLength - md_size;
/* c is the index of the 0x80 byte in the final hash block that
* contains application data. */
- c = mac_end_offset % md_block_size;
+ size_t c = mac_end_offset % md_block_size;
/* index_a is the hash block number that contains the 0x80 terminating
* value. */
- index_a = mac_end_offset / md_block_size;
+ size_t index_a = mac_end_offset / md_block_size;
/* index_b is the hash block number that contains the 64-bit hash
* length, in bits. */
- index_b = (mac_end_offset + md_length_size) / md_block_size;
- /* bits is the hash-length in bits. It includes the additional hash
- * block for the masked HMAC key. */
+ size_t index_b = (mac_end_offset + md_length_size) / md_block_size;
if (num_blocks > kVarianceBlocks) {
num_starting_blocks = num_blocks - kVarianceBlocks;
k = md_block_size * num_starting_blocks;
}
- bits = 8 * mac_end_offset;
+ /* bits is the hash-length in bits. It includes the additional hash
+ * block for the masked HMAC key. */
+ size_t bits = 8 * mac_end_offset; /* at most 18 bits to represent */
/* Compute the initial HMAC block. */
bits += 8 * md_block_size;
+ /* hmac_pad is the masked HMAC key. */
+ uint8_t hmac_pad[MAX_HASH_BLOCK_SIZE];
OPENSSL_memset(hmac_pad, 0, md_block_size);
assert(mac_secret_length <= sizeof(hmac_pad));
OPENSSL_memcpy(hmac_pad, mac_secret, mac_secret_length);
- for (i = 0; i < md_block_size; i++) {
+ for (size_t i = 0; i < md_block_size; i++) {
hmac_pad[i] ^= 0x36;
}
- md_transform(md_state.c, hmac_pad);
+ md_transform(&md_state, hmac_pad);
+ /* The length check means |bits| fits in four bytes. */
+ uint8_t length_bytes[MAX_HASH_BIT_COUNT_BYTES];
OPENSSL_memset(length_bytes, 0, md_length_size - 4);
length_bytes[md_length_size - 4] = (uint8_t)(bits >> 24);
length_bytes[md_length_size - 3] = (uint8_t)(bits >> 16);
@@ -399,27 +397,29 @@
if (k > 0) {
/* k is a multiple of md_block_size. */
+ uint8_t first_block[MAX_HASH_BLOCK_SIZE];
OPENSSL_memcpy(first_block, header, 13);
OPENSSL_memcpy(first_block + 13, data, md_block_size - 13);
- md_transform(md_state.c, first_block);
- for (i = 1; i < k / md_block_size; i++) {
- md_transform(md_state.c, data + md_block_size * i - 13);
+ md_transform(&md_state, first_block);
+ for (size_t i = 1; i < k / md_block_size; i++) {
+ md_transform(&md_state, data + md_block_size * i - 13);
}
}
+ uint8_t mac_out[EVP_MAX_MD_SIZE];
OPENSSL_memset(mac_out, 0, sizeof(mac_out));
/* We now process the final hash blocks. For each block, we construct
* it in constant time. If the |i==index_a| then we'll include the 0x80
* bytes and zero pad etc. For each block we selectively copy it, in
* constant time, to |mac_out|. */
- for (i = num_starting_blocks; i <= num_starting_blocks + kVarianceBlocks;
- i++) {
+ for (size_t i = num_starting_blocks;
+ i <= num_starting_blocks + kVarianceBlocks; i++) {
uint8_t block[MAX_HASH_BLOCK_SIZE];
uint8_t is_block_a = constant_time_eq_8(i, index_a);
uint8_t is_block_b = constant_time_eq_8(i, index_b);
- for (j = 0; j < md_block_size; j++) {
- uint8_t b = 0, is_past_c, is_past_cp1;
+ for (size_t j = 0; j < md_block_size; j++) {
+ uint8_t b = 0;
if (k < kHeaderLength) {
b = header[k];
} else if (k < data_plus_mac_plus_padding_size + kHeaderLength) {
@@ -427,8 +427,8 @@
}
k++;
- is_past_c = is_block_a & constant_time_ge_8(j, c);
- is_past_cp1 = is_block_a & constant_time_ge_8(j, c + 1);
+ uint8_t is_past_c = is_block_a & constant_time_ge_8(j, c);
+ uint8_t is_past_cp1 = is_block_a & constant_time_ge_8(j, c + 1);
/* If this is the block containing the end of the
* application data, and we are at the offset for the
* 0x80 value, then overwrite b with 0x80. */
@@ -453,14 +453,15 @@
block[j] = b;
}
- md_transform(md_state.c, block);
- md_final_raw(md_state.c, block);
+ md_transform(&md_state, block);
+ md_final_raw(&md_state, block);
/* If this is index_b, copy the hash value to |mac_out|. */
- for (j = 0; j < md_size; j++) {
+ for (size_t j = 0; j < md_size; j++) {
mac_out[j] |= block[j] & is_block_b;
}
}
+ EVP_MD_CTX md_ctx;
EVP_MD_CTX_init(&md_ctx);
if (!EVP_DigestInit_ex(&md_ctx, md, NULL /* engine */)) {
EVP_MD_CTX_cleanup(&md_ctx);
@@ -468,12 +469,13 @@
}
/* Complete the HMAC in the standard manner. */
- for (i = 0; i < md_block_size; i++) {
+ for (size_t i = 0; i < md_block_size; i++) {
hmac_pad[i] ^= 0x6a;
}
EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
EVP_DigestUpdate(&md_ctx, mac_out, md_size);
+ unsigned md_out_size_u;
EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
*md_out_size = md_out_size_u;
EVP_MD_CTX_cleanup(&md_ctx);