s2n_hash.c 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631
  1. /*
  2. * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License, Version 2.0 (the "License").
  5. * You may not use this file except in compliance with the License.
  6. * A copy of the License is located at
  7. *
  8. * http://aws.amazon.com/apache2.0
  9. *
  10. * or in the "license" file accompanying this file. This file is distributed
  11. * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
  12. * express or implied. See the License for the specific language governing
  13. * permissions and limitations under the License.
  14. */
  15. #include "crypto/s2n_hash.h"
  16. #include "crypto/s2n_fips.h"
  17. #include "crypto/s2n_hmac.h"
  18. #include "crypto/s2n_openssl.h"
  19. #include "error/s2n_errno.h"
  20. #include "utils/s2n_safety.h"
  21. static bool s2n_use_custom_md5_sha1()
  22. {
  23. #if defined(S2N_LIBCRYPTO_SUPPORTS_EVP_MD5_SHA1_HASH)
  24. return false;
  25. #else
  26. return true;
  27. #endif
  28. }
  29. static bool s2n_use_evp_impl()
  30. {
  31. return s2n_is_in_fips_mode();
  32. }
  33. bool s2n_hash_evp_fully_supported()
  34. {
  35. return s2n_use_evp_impl() && !s2n_use_custom_md5_sha1();
  36. }
  37. const EVP_MD *s2n_hash_alg_to_evp_md(s2n_hash_algorithm alg)
  38. {
  39. switch (alg) {
  40. case S2N_HASH_MD5:
  41. return EVP_md5();
  42. case S2N_HASH_SHA1:
  43. return EVP_sha1();
  44. case S2N_HASH_SHA224:
  45. return EVP_sha224();
  46. case S2N_HASH_SHA256:
  47. return EVP_sha256();
  48. case S2N_HASH_SHA384:
  49. return EVP_sha384();
  50. case S2N_HASH_SHA512:
  51. return EVP_sha512();
  52. #if defined(S2N_LIBCRYPTO_SUPPORTS_EVP_MD5_SHA1_HASH)
  53. case S2N_HASH_MD5_SHA1:
  54. return EVP_md5_sha1();
  55. #endif
  56. default:
  57. return NULL;
  58. }
  59. }
  60. int s2n_hash_digest_size(s2n_hash_algorithm alg, uint8_t *out)
  61. {
  62. POSIX_ENSURE(S2N_MEM_IS_WRITABLE_CHECK(out, sizeof(*out)), S2N_ERR_PRECONDITION_VIOLATION);
  63. /* clang-format off */
  64. switch (alg) {
  65. case S2N_HASH_NONE: *out = 0; break;
  66. case S2N_HASH_MD5: *out = MD5_DIGEST_LENGTH; break;
  67. case S2N_HASH_SHA1: *out = SHA_DIGEST_LENGTH; break;
  68. case S2N_HASH_SHA224: *out = SHA224_DIGEST_LENGTH; break;
  69. case S2N_HASH_SHA256: *out = SHA256_DIGEST_LENGTH; break;
  70. case S2N_HASH_SHA384: *out = SHA384_DIGEST_LENGTH; break;
  71. case S2N_HASH_SHA512: *out = SHA512_DIGEST_LENGTH; break;
  72. case S2N_HASH_MD5_SHA1: *out = MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH; break;
  73. default:
  74. POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
  75. }
  76. /* clang-format on */
  77. return S2N_SUCCESS;
  78. }
  79. /* NOTE: s2n_hash_const_time_get_currently_in_hash_block takes advantage of the fact that
  80. * hash_block_size is a power of 2. This is true for all hashes we currently support
  81. * If this ever becomes untrue, this would require fixing*/
  82. int s2n_hash_block_size(s2n_hash_algorithm alg, uint64_t *block_size)
  83. {
  84. POSIX_ENSURE(S2N_MEM_IS_WRITABLE_CHECK(block_size, sizeof(*block_size)), S2N_ERR_PRECONDITION_VIOLATION);
  85. /* clang-format off */
  86. switch (alg) {
  87. case S2N_HASH_NONE: *block_size = 64; break;
  88. case S2N_HASH_MD5: *block_size = 64; break;
  89. case S2N_HASH_SHA1: *block_size = 64; break;
  90. case S2N_HASH_SHA224: *block_size = 64; break;
  91. case S2N_HASH_SHA256: *block_size = 64; break;
  92. case S2N_HASH_SHA384: *block_size = 128; break;
  93. case S2N_HASH_SHA512: *block_size = 128; break;
  94. case S2N_HASH_MD5_SHA1: *block_size = 64; break;
  95. default:
  96. POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
  97. }
  98. /* clang-format on */
  99. return S2N_SUCCESS;
  100. }
  101. /* Return true if hash algorithm is available, false otherwise. */
  102. bool s2n_hash_is_available(s2n_hash_algorithm alg)
  103. {
  104. switch (alg) {
  105. case S2N_HASH_MD5:
  106. case S2N_HASH_MD5_SHA1:
  107. /* return false if in FIPS mode, as MD5 algs are not available in FIPS mode. */
  108. return !s2n_is_in_fips_mode();
  109. case S2N_HASH_NONE:
  110. case S2N_HASH_SHA1:
  111. case S2N_HASH_SHA224:
  112. case S2N_HASH_SHA256:
  113. case S2N_HASH_SHA384:
  114. case S2N_HASH_SHA512:
  115. return true;
  116. case S2N_HASH_SENTINEL:
  117. return false;
  118. }
  119. return false;
  120. }
  121. int s2n_hash_is_ready_for_input(struct s2n_hash_state *state)
  122. {
  123. POSIX_PRECONDITION(s2n_hash_state_validate(state));
  124. return state->is_ready_for_input;
  125. }
  126. static int s2n_low_level_hash_new(struct s2n_hash_state *state)
  127. {
  128. /* s2n_hash_new will always call the corresponding implementation of the s2n_hash
  129. * being used. For the s2n_low_level_hash implementation, new is a no-op.
  130. */
  131. *state = (struct s2n_hash_state){ 0 };
  132. return S2N_SUCCESS;
  133. }
  134. static int s2n_low_level_hash_init(struct s2n_hash_state *state, s2n_hash_algorithm alg)
  135. {
  136. switch (alg) {
  137. case S2N_HASH_NONE:
  138. break;
  139. case S2N_HASH_MD5:
  140. POSIX_GUARD_OSSL(MD5_Init(&state->digest.low_level.md5), S2N_ERR_HASH_INIT_FAILED);
  141. break;
  142. case S2N_HASH_SHA1:
  143. POSIX_GUARD_OSSL(SHA1_Init(&state->digest.low_level.sha1), S2N_ERR_HASH_INIT_FAILED);
  144. break;
  145. case S2N_HASH_SHA224:
  146. POSIX_GUARD_OSSL(SHA224_Init(&state->digest.low_level.sha224), S2N_ERR_HASH_INIT_FAILED);
  147. break;
  148. case S2N_HASH_SHA256:
  149. POSIX_GUARD_OSSL(SHA256_Init(&state->digest.low_level.sha256), S2N_ERR_HASH_INIT_FAILED);
  150. break;
  151. case S2N_HASH_SHA384:
  152. POSIX_GUARD_OSSL(SHA384_Init(&state->digest.low_level.sha384), S2N_ERR_HASH_INIT_FAILED);
  153. break;
  154. case S2N_HASH_SHA512:
  155. POSIX_GUARD_OSSL(SHA512_Init(&state->digest.low_level.sha512), S2N_ERR_HASH_INIT_FAILED);
  156. break;
  157. case S2N_HASH_MD5_SHA1:
  158. POSIX_GUARD_OSSL(SHA1_Init(&state->digest.low_level.md5_sha1.sha1), S2N_ERR_HASH_INIT_FAILED);
  159. POSIX_GUARD_OSSL(MD5_Init(&state->digest.low_level.md5_sha1.md5), S2N_ERR_HASH_INIT_FAILED);
  160. break;
  161. default:
  162. POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
  163. }
  164. state->alg = alg;
  165. state->is_ready_for_input = 1;
  166. state->currently_in_hash = 0;
  167. return 0;
  168. }
  169. static int s2n_low_level_hash_update(struct s2n_hash_state *state, const void *data, uint32_t size)
  170. {
  171. POSIX_ENSURE(state->is_ready_for_input, S2N_ERR_HASH_NOT_READY);
  172. switch (state->alg) {
  173. case S2N_HASH_NONE:
  174. break;
  175. case S2N_HASH_MD5:
  176. POSIX_GUARD_OSSL(MD5_Update(&state->digest.low_level.md5, data, size), S2N_ERR_HASH_UPDATE_FAILED);
  177. break;
  178. case S2N_HASH_SHA1:
  179. POSIX_GUARD_OSSL(SHA1_Update(&state->digest.low_level.sha1, data, size), S2N_ERR_HASH_UPDATE_FAILED);
  180. break;
  181. case S2N_HASH_SHA224:
  182. POSIX_GUARD_OSSL(SHA224_Update(&state->digest.low_level.sha224, data, size), S2N_ERR_HASH_UPDATE_FAILED);
  183. break;
  184. case S2N_HASH_SHA256:
  185. POSIX_GUARD_OSSL(SHA256_Update(&state->digest.low_level.sha256, data, size), S2N_ERR_HASH_UPDATE_FAILED);
  186. break;
  187. case S2N_HASH_SHA384:
  188. POSIX_GUARD_OSSL(SHA384_Update(&state->digest.low_level.sha384, data, size), S2N_ERR_HASH_UPDATE_FAILED);
  189. break;
  190. case S2N_HASH_SHA512:
  191. POSIX_GUARD_OSSL(SHA512_Update(&state->digest.low_level.sha512, data, size), S2N_ERR_HASH_UPDATE_FAILED);
  192. break;
  193. case S2N_HASH_MD5_SHA1:
  194. POSIX_GUARD_OSSL(SHA1_Update(&state->digest.low_level.md5_sha1.sha1, data, size), S2N_ERR_HASH_UPDATE_FAILED);
  195. POSIX_GUARD_OSSL(MD5_Update(&state->digest.low_level.md5_sha1.md5, data, size), S2N_ERR_HASH_UPDATE_FAILED);
  196. break;
  197. default:
  198. POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
  199. }
  200. POSIX_ENSURE(size <= (UINT64_MAX - state->currently_in_hash), S2N_ERR_INTEGER_OVERFLOW);
  201. state->currently_in_hash += size;
  202. return S2N_SUCCESS;
  203. }
  204. static int s2n_low_level_hash_digest(struct s2n_hash_state *state, void *out, uint32_t size)
  205. {
  206. POSIX_ENSURE(state->is_ready_for_input, S2N_ERR_HASH_NOT_READY);
  207. switch (state->alg) {
  208. case S2N_HASH_NONE:
  209. break;
  210. case S2N_HASH_MD5:
  211. POSIX_ENSURE_EQ(size, MD5_DIGEST_LENGTH);
  212. POSIX_GUARD_OSSL(MD5_Final(out, &state->digest.low_level.md5), S2N_ERR_HASH_DIGEST_FAILED);
  213. break;
  214. case S2N_HASH_SHA1:
  215. POSIX_ENSURE_EQ(size, SHA_DIGEST_LENGTH);
  216. POSIX_GUARD_OSSL(SHA1_Final(out, &state->digest.low_level.sha1), S2N_ERR_HASH_DIGEST_FAILED);
  217. break;
  218. case S2N_HASH_SHA224:
  219. POSIX_ENSURE_EQ(size, SHA224_DIGEST_LENGTH);
  220. POSIX_GUARD_OSSL(SHA224_Final(out, &state->digest.low_level.sha224), S2N_ERR_HASH_DIGEST_FAILED);
  221. break;
  222. case S2N_HASH_SHA256:
  223. POSIX_ENSURE_EQ(size, SHA256_DIGEST_LENGTH);
  224. POSIX_GUARD_OSSL(SHA256_Final(out, &state->digest.low_level.sha256), S2N_ERR_HASH_DIGEST_FAILED);
  225. break;
  226. case S2N_HASH_SHA384:
  227. POSIX_ENSURE_EQ(size, SHA384_DIGEST_LENGTH);
  228. POSIX_GUARD_OSSL(SHA384_Final(out, &state->digest.low_level.sha384), S2N_ERR_HASH_DIGEST_FAILED);
  229. break;
  230. case S2N_HASH_SHA512:
  231. POSIX_ENSURE_EQ(size, SHA512_DIGEST_LENGTH);
  232. POSIX_GUARD_OSSL(SHA512_Final(out, &state->digest.low_level.sha512), S2N_ERR_HASH_DIGEST_FAILED);
  233. break;
  234. case S2N_HASH_MD5_SHA1:
  235. POSIX_ENSURE_EQ(size, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH);
  236. POSIX_GUARD_OSSL(SHA1_Final(((uint8_t *) out) + MD5_DIGEST_LENGTH, &state->digest.low_level.md5_sha1.sha1), S2N_ERR_HASH_DIGEST_FAILED);
  237. POSIX_GUARD_OSSL(MD5_Final(out, &state->digest.low_level.md5_sha1.md5), S2N_ERR_HASH_DIGEST_FAILED);
  238. break;
  239. default:
  240. POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
  241. }
  242. state->currently_in_hash = 0;
  243. state->is_ready_for_input = 0;
  244. return 0;
  245. }
  246. static int s2n_low_level_hash_copy(struct s2n_hash_state *to, struct s2n_hash_state *from)
  247. {
  248. POSIX_CHECKED_MEMCPY(to, from, sizeof(struct s2n_hash_state));
  249. return 0;
  250. }
  251. static int s2n_low_level_hash_reset(struct s2n_hash_state *state)
  252. {
  253. /* hash_init resets the ready_for_input and currently_in_hash fields. */
  254. return s2n_low_level_hash_init(state, state->alg);
  255. }
  256. static int s2n_low_level_hash_free(struct s2n_hash_state *state)
  257. {
  258. /* s2n_hash_free will always call the corresponding implementation of the s2n_hash
  259. * being used. For the s2n_low_level_hash implementation, free is a no-op.
  260. */
  261. state->is_ready_for_input = 0;
  262. return S2N_SUCCESS;
  263. }
  264. static int s2n_evp_hash_new(struct s2n_hash_state *state)
  265. {
  266. POSIX_ENSURE_REF(state->digest.high_level.evp.ctx = S2N_EVP_MD_CTX_NEW());
  267. if (s2n_use_custom_md5_sha1()) {
  268. POSIX_ENSURE_REF(state->digest.high_level.evp_md5_secondary.ctx = S2N_EVP_MD_CTX_NEW());
  269. }
  270. state->is_ready_for_input = 0;
  271. state->currently_in_hash = 0;
  272. return S2N_SUCCESS;
  273. }
  274. static int s2n_evp_hash_allow_md5_for_fips(struct s2n_hash_state *state)
  275. {
  276. /* This is only to be used for s2n_hash_states that will require MD5 to be used
  277. * to comply with the TLS 1.0 and 1.1 RFC's for the PRF. MD5 cannot be used
  278. * outside of the TLS 1.0 and 1.1 PRF when in FIPS mode. When needed, this must
  279. * be called prior to s2n_hash_init().
  280. */
  281. POSIX_GUARD(s2n_digest_allow_md5_for_fips(&state->digest.high_level.evp));
  282. if (s2n_use_custom_md5_sha1()) {
  283. POSIX_GUARD(s2n_digest_allow_md5_for_fips(&state->digest.high_level.evp_md5_secondary));
  284. }
  285. return S2N_SUCCESS;
  286. }
  287. static int s2n_evp_hash_init(struct s2n_hash_state *state, s2n_hash_algorithm alg)
  288. {
  289. POSIX_ENSURE_REF(state->digest.high_level.evp.ctx);
  290. state->alg = alg;
  291. state->is_ready_for_input = 1;
  292. state->currently_in_hash = 0;
  293. if (alg == S2N_HASH_NONE) {
  294. return S2N_SUCCESS;
  295. }
  296. if (alg == S2N_HASH_MD5_SHA1 && s2n_use_custom_md5_sha1()) {
  297. POSIX_ENSURE_REF(state->digest.high_level.evp_md5_secondary.ctx);
  298. POSIX_GUARD_OSSL(EVP_DigestInit_ex(state->digest.high_level.evp.ctx, EVP_sha1(), NULL), S2N_ERR_HASH_INIT_FAILED);
  299. POSIX_GUARD_OSSL(EVP_DigestInit_ex(state->digest.high_level.evp_md5_secondary.ctx, EVP_md5(), NULL), S2N_ERR_HASH_INIT_FAILED);
  300. return S2N_SUCCESS;
  301. }
  302. POSIX_ENSURE_REF(s2n_hash_alg_to_evp_md(alg));
  303. POSIX_GUARD_OSSL(EVP_DigestInit_ex(state->digest.high_level.evp.ctx, s2n_hash_alg_to_evp_md(alg), NULL), S2N_ERR_HASH_INIT_FAILED);
  304. return S2N_SUCCESS;
  305. }
  306. static int s2n_evp_hash_update(struct s2n_hash_state *state, const void *data, uint32_t size)
  307. {
  308. POSIX_ENSURE(state->is_ready_for_input, S2N_ERR_HASH_NOT_READY);
  309. POSIX_ENSURE(size <= (UINT64_MAX - state->currently_in_hash), S2N_ERR_INTEGER_OVERFLOW);
  310. state->currently_in_hash += size;
  311. if (state->alg == S2N_HASH_NONE) {
  312. return S2N_SUCCESS;
  313. }
  314. POSIX_ENSURE_REF(EVP_MD_CTX_md(state->digest.high_level.evp.ctx));
  315. POSIX_GUARD_OSSL(EVP_DigestUpdate(state->digest.high_level.evp.ctx, data, size), S2N_ERR_HASH_UPDATE_FAILED);
  316. if (state->alg == S2N_HASH_MD5_SHA1 && s2n_use_custom_md5_sha1()) {
  317. POSIX_ENSURE_REF(EVP_MD_CTX_md(state->digest.high_level.evp_md5_secondary.ctx));
  318. POSIX_GUARD_OSSL(EVP_DigestUpdate(state->digest.high_level.evp_md5_secondary.ctx, data, size), S2N_ERR_HASH_UPDATE_FAILED);
  319. }
  320. return S2N_SUCCESS;
  321. }
  322. static int s2n_evp_hash_digest(struct s2n_hash_state *state, void *out, uint32_t size)
  323. {
  324. POSIX_ENSURE(state->is_ready_for_input, S2N_ERR_HASH_NOT_READY);
  325. state->currently_in_hash = 0;
  326. state->is_ready_for_input = 0;
  327. unsigned int digest_size = size;
  328. uint8_t expected_digest_size = 0;
  329. POSIX_GUARD(s2n_hash_digest_size(state->alg, &expected_digest_size));
  330. POSIX_ENSURE_EQ(digest_size, expected_digest_size);
  331. if (state->alg == S2N_HASH_NONE) {
  332. return S2N_SUCCESS;
  333. }
  334. POSIX_ENSURE_REF(EVP_MD_CTX_md(state->digest.high_level.evp.ctx));
  335. if (state->alg == S2N_HASH_MD5_SHA1 && s2n_use_custom_md5_sha1()) {
  336. POSIX_ENSURE_REF(EVP_MD_CTX_md(state->digest.high_level.evp_md5_secondary.ctx));
  337. uint8_t sha1_digest_size = 0;
  338. POSIX_GUARD(s2n_hash_digest_size(S2N_HASH_SHA1, &sha1_digest_size));
  339. unsigned int sha1_primary_digest_size = sha1_digest_size;
  340. unsigned int md5_secondary_digest_size = digest_size - sha1_primary_digest_size;
  341. POSIX_ENSURE(EVP_MD_CTX_size(state->digest.high_level.evp.ctx) <= sha1_digest_size, S2N_ERR_HASH_DIGEST_FAILED);
  342. POSIX_ENSURE((size_t) EVP_MD_CTX_size(state->digest.high_level.evp_md5_secondary.ctx) <= md5_secondary_digest_size, S2N_ERR_HASH_DIGEST_FAILED);
  343. POSIX_GUARD_OSSL(EVP_DigestFinal_ex(state->digest.high_level.evp.ctx, ((uint8_t *) out) + MD5_DIGEST_LENGTH, &sha1_primary_digest_size), S2N_ERR_HASH_DIGEST_FAILED);
  344. POSIX_GUARD_OSSL(EVP_DigestFinal_ex(state->digest.high_level.evp_md5_secondary.ctx, out, &md5_secondary_digest_size), S2N_ERR_HASH_DIGEST_FAILED);
  345. return S2N_SUCCESS;
  346. }
  347. POSIX_ENSURE((size_t) EVP_MD_CTX_size(state->digest.high_level.evp.ctx) <= digest_size, S2N_ERR_HASH_DIGEST_FAILED);
  348. POSIX_GUARD_OSSL(EVP_DigestFinal_ex(state->digest.high_level.evp.ctx, out, &digest_size), S2N_ERR_HASH_DIGEST_FAILED);
  349. return S2N_SUCCESS;
  350. }
  351. static int s2n_evp_hash_copy(struct s2n_hash_state *to, struct s2n_hash_state *from)
  352. {
  353. to->hash_impl = from->hash_impl;
  354. to->alg = from->alg;
  355. to->is_ready_for_input = from->is_ready_for_input;
  356. to->currently_in_hash = from->currently_in_hash;
  357. if (from->alg == S2N_HASH_NONE) {
  358. return S2N_SUCCESS;
  359. }
  360. POSIX_ENSURE_REF(to->digest.high_level.evp.ctx);
  361. POSIX_GUARD_OSSL(EVP_MD_CTX_copy_ex(to->digest.high_level.evp.ctx, from->digest.high_level.evp.ctx), S2N_ERR_HASH_COPY_FAILED);
  362. if (from->alg == S2N_HASH_MD5_SHA1 && s2n_use_custom_md5_sha1()) {
  363. POSIX_ENSURE_REF(to->digest.high_level.evp_md5_secondary.ctx);
  364. POSIX_GUARD_OSSL(EVP_MD_CTX_copy_ex(to->digest.high_level.evp_md5_secondary.ctx, from->digest.high_level.evp_md5_secondary.ctx), S2N_ERR_HASH_COPY_FAILED);
  365. }
  366. bool is_md5_allowed_for_fips = false;
  367. POSIX_GUARD_RESULT(s2n_digest_is_md5_allowed_for_fips(&from->digest.high_level.evp, &is_md5_allowed_for_fips));
  368. if (is_md5_allowed_for_fips && (from->alg == S2N_HASH_MD5 || from->alg == S2N_HASH_MD5_SHA1)) {
  369. POSIX_GUARD(s2n_hash_allow_md5_for_fips(to));
  370. }
  371. return S2N_SUCCESS;
  372. }
  373. static int s2n_evp_hash_reset(struct s2n_hash_state *state)
  374. {
  375. int reset_md5_for_fips = 0;
  376. bool is_md5_allowed_for_fips = false;
  377. POSIX_GUARD_RESULT(s2n_digest_is_md5_allowed_for_fips(&state->digest.high_level.evp, &is_md5_allowed_for_fips));
  378. if ((state->alg == S2N_HASH_MD5 || state->alg == S2N_HASH_MD5_SHA1) && is_md5_allowed_for_fips) {
  379. reset_md5_for_fips = 1;
  380. }
  381. POSIX_GUARD_OSSL(S2N_EVP_MD_CTX_RESET(state->digest.high_level.evp.ctx), S2N_ERR_HASH_WIPE_FAILED);
  382. if (state->alg == S2N_HASH_MD5_SHA1 && s2n_use_custom_md5_sha1()) {
  383. POSIX_GUARD_OSSL(S2N_EVP_MD_CTX_RESET(state->digest.high_level.evp_md5_secondary.ctx), S2N_ERR_HASH_WIPE_FAILED);
  384. }
  385. if (reset_md5_for_fips) {
  386. POSIX_GUARD(s2n_hash_allow_md5_for_fips(state));
  387. }
  388. /* hash_init resets the ready_for_input and currently_in_hash fields. */
  389. return s2n_evp_hash_init(state, state->alg);
  390. }
  391. static int s2n_evp_hash_free(struct s2n_hash_state *state)
  392. {
  393. S2N_EVP_MD_CTX_FREE(state->digest.high_level.evp.ctx);
  394. state->digest.high_level.evp.ctx = NULL;
  395. if (s2n_use_custom_md5_sha1()) {
  396. S2N_EVP_MD_CTX_FREE(state->digest.high_level.evp_md5_secondary.ctx);
  397. state->digest.high_level.evp_md5_secondary.ctx = NULL;
  398. }
  399. state->is_ready_for_input = 0;
  400. return S2N_SUCCESS;
  401. }
  402. static const struct s2n_hash s2n_low_level_hash = {
  403. .alloc = &s2n_low_level_hash_new,
  404. .allow_md5_for_fips = NULL,
  405. .init = &s2n_low_level_hash_init,
  406. .update = &s2n_low_level_hash_update,
  407. .digest = &s2n_low_level_hash_digest,
  408. .copy = &s2n_low_level_hash_copy,
  409. .reset = &s2n_low_level_hash_reset,
  410. .free = &s2n_low_level_hash_free,
  411. };
  412. static const struct s2n_hash s2n_evp_hash = {
  413. .alloc = &s2n_evp_hash_new,
  414. .allow_md5_for_fips = &s2n_evp_hash_allow_md5_for_fips,
  415. .init = &s2n_evp_hash_init,
  416. .update = &s2n_evp_hash_update,
  417. .digest = &s2n_evp_hash_digest,
  418. .copy = &s2n_evp_hash_copy,
  419. .reset = &s2n_evp_hash_reset,
  420. .free = &s2n_evp_hash_free,
  421. };
  422. static int s2n_hash_set_impl(struct s2n_hash_state *state)
  423. {
  424. state->hash_impl = &s2n_low_level_hash;
  425. if (s2n_use_evp_impl()) {
  426. state->hash_impl = &s2n_evp_hash;
  427. }
  428. return S2N_SUCCESS;
  429. }
  430. int s2n_hash_new(struct s2n_hash_state *state)
  431. {
  432. POSIX_ENSURE_REF(state);
  433. /* Set hash_impl on initial hash creation.
  434. * When in FIPS mode, the EVP API's must be used for hashes.
  435. */
  436. POSIX_GUARD(s2n_hash_set_impl(state));
  437. POSIX_ENSURE_REF(state->hash_impl->alloc);
  438. POSIX_GUARD(state->hash_impl->alloc(state));
  439. return S2N_SUCCESS;
  440. }
  441. S2N_RESULT s2n_hash_state_validate(struct s2n_hash_state *state)
  442. {
  443. RESULT_ENSURE_REF(state);
  444. return S2N_RESULT_OK;
  445. }
  446. int s2n_hash_allow_md5_for_fips(struct s2n_hash_state *state)
  447. {
  448. POSIX_ENSURE_REF(state);
  449. /* Ensure that hash_impl is set, as it may have been reset for s2n_hash_state on s2n_connection_wipe.
  450. * When in FIPS mode, the EVP API's must be used for hashes.
  451. */
  452. POSIX_GUARD(s2n_hash_set_impl(state));
  453. POSIX_ENSURE_REF(state->hash_impl->allow_md5_for_fips);
  454. return state->hash_impl->allow_md5_for_fips(state);
  455. }
  456. int s2n_hash_init(struct s2n_hash_state *state, s2n_hash_algorithm alg)
  457. {
  458. POSIX_ENSURE_REF(state);
  459. /* Ensure that hash_impl is set, as it may have been reset for s2n_hash_state on s2n_connection_wipe.
  460. * When in FIPS mode, the EVP API's must be used for hashes.
  461. */
  462. POSIX_GUARD(s2n_hash_set_impl(state));
  463. bool is_md5_allowed_for_fips = false;
  464. POSIX_GUARD_RESULT(s2n_digest_is_md5_allowed_for_fips(&state->digest.high_level.evp, &is_md5_allowed_for_fips));
  465. if (s2n_hash_is_available(alg) || ((alg == S2N_HASH_MD5 || alg == S2N_HASH_MD5_SHA1) && is_md5_allowed_for_fips)) {
  466. /* s2n will continue to initialize an "unavailable" hash when s2n is in FIPS mode and
  467. * FIPS is forcing the hash to be made available.
  468. */
  469. POSIX_ENSURE_REF(state->hash_impl->init);
  470. return state->hash_impl->init(state, alg);
  471. } else {
  472. POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
  473. }
  474. }
  475. int s2n_hash_update(struct s2n_hash_state *state, const void *data, uint32_t size)
  476. {
  477. POSIX_PRECONDITION(s2n_hash_state_validate(state));
  478. POSIX_ENSURE(S2N_MEM_IS_READABLE(data, size), S2N_ERR_PRECONDITION_VIOLATION);
  479. POSIX_ENSURE_REF(state->hash_impl->update);
  480. return state->hash_impl->update(state, data, size);
  481. }
  482. int s2n_hash_digest(struct s2n_hash_state *state, void *out, uint32_t size)
  483. {
  484. POSIX_PRECONDITION(s2n_hash_state_validate(state));
  485. POSIX_ENSURE(S2N_MEM_IS_READABLE(out, size), S2N_ERR_PRECONDITION_VIOLATION);
  486. POSIX_ENSURE_REF(state->hash_impl->digest);
  487. return state->hash_impl->digest(state, out, size);
  488. }
  489. int s2n_hash_copy(struct s2n_hash_state *to, struct s2n_hash_state *from)
  490. {
  491. POSIX_PRECONDITION(s2n_hash_state_validate(to));
  492. POSIX_PRECONDITION(s2n_hash_state_validate(from));
  493. POSIX_ENSURE_REF(from->hash_impl->copy);
  494. return from->hash_impl->copy(to, from);
  495. }
  496. int s2n_hash_reset(struct s2n_hash_state *state)
  497. {
  498. POSIX_ENSURE_REF(state);
  499. /* Ensure that hash_impl is set, as it may have been reset for s2n_hash_state on s2n_connection_wipe.
  500. * When in FIPS mode, the EVP API's must be used for hashes.
  501. */
  502. POSIX_GUARD(s2n_hash_set_impl(state));
  503. POSIX_ENSURE_REF(state->hash_impl->reset);
  504. return state->hash_impl->reset(state);
  505. }
  506. int s2n_hash_free(struct s2n_hash_state *state)
  507. {
  508. if (state == NULL) {
  509. return S2N_SUCCESS;
  510. }
  511. /* Ensure that hash_impl is set, as it may have been reset for s2n_hash_state on s2n_connection_wipe.
  512. * When in FIPS mode, the EVP API's must be used for hashes.
  513. */
  514. POSIX_GUARD(s2n_hash_set_impl(state));
  515. POSIX_ENSURE_REF(state->hash_impl->free);
  516. return state->hash_impl->free(state);
  517. }
  518. int s2n_hash_get_currently_in_hash_total(struct s2n_hash_state *state, uint64_t *out)
  519. {
  520. POSIX_PRECONDITION(s2n_hash_state_validate(state));
  521. POSIX_ENSURE(S2N_MEM_IS_WRITABLE_CHECK(out, sizeof(*out)), S2N_ERR_PRECONDITION_VIOLATION);
  522. POSIX_ENSURE(state->is_ready_for_input, S2N_ERR_HASH_NOT_READY);
  523. *out = state->currently_in_hash;
  524. return S2N_SUCCESS;
  525. }
  526. /* Calculate, in constant time, the number of bytes currently in the hash_block */
  527. int s2n_hash_const_time_get_currently_in_hash_block(struct s2n_hash_state *state, uint64_t *out)
  528. {
  529. POSIX_PRECONDITION(s2n_hash_state_validate(state));
  530. POSIX_ENSURE(S2N_MEM_IS_WRITABLE_CHECK(out, sizeof(*out)), S2N_ERR_PRECONDITION_VIOLATION);
  531. POSIX_ENSURE(state->is_ready_for_input, S2N_ERR_HASH_NOT_READY);
  532. uint64_t hash_block_size;
  533. POSIX_GUARD(s2n_hash_block_size(state->alg, &hash_block_size));
  534. /* Requires that hash_block_size is a power of 2. This is true for all hashes we currently support
  535. * If this ever becomes untrue, this would require fixing this*/
  536. *out = state->currently_in_hash & (hash_block_size - 1);
  537. return S2N_SUCCESS;
  538. }