1 /*-
2 * Copyright (c) 2001, 2020 Oracle and/or its affiliates. All rights reserved.
3 *
4 * See the file LICENSE for license information.
5 *
6 * Some parts of this code originally written by Adam Stubblefield,
7 * -- astubble@rice.edu.
8 *
9 * $Id$
10 */
11
12 #include "db_config.h"
13
14 #include "db_int.h"
15 #include "dbinc/crypto.h"
16 #include "dbinc/db_page.h" /* for hash.h only */
17 #include "dbinc/hash.h"
18 #include "dbinc/hmac.h"
19 #include "dbinc/log.h"
20
21 static void __db_hmac __P((u_int8_t *, u_int8_t *, size_t, u_int8_t *));
22
23 /*
24 * !!!
25 * All of these functions use a ctx structure on the stack. The __db_SHA1Init
26 * call does not initialize the 64-byte buffer portion of it. The
27 * underlying SHA1 functions will properly pad the buffer if the data length
28 * is less than 64-bytes, so there isn't a chance of reading uninitialized
29 * memory. Although it would be cleaner to do a memset(ctx.buffer, 0, 64)
30 * we do not want to incur that penalty if we don't have to for performance.
31 */
32
33 /*
34 * __db_hmac --
35 * Do a hashed MAC.
36 */
37 static void
__db_hmac(k,data,data_len,mac)38 __db_hmac(k, data, data_len, mac)
39 u_int8_t *k, *data, *mac;
40 size_t data_len;
41 {
42 SHA1_CTX ctx;
43 u_int8_t key[HMAC_BLOCK_SIZE];
44 u_int8_t ipad[HMAC_BLOCK_SIZE];
45 u_int8_t opad[HMAC_BLOCK_SIZE];
46 u_int8_t tmp[HMAC_OUTPUT_SIZE];
47 int i;
48
49 memset(key, 0x00, HMAC_BLOCK_SIZE);
50 memset(ipad, 0x36, HMAC_BLOCK_SIZE);
51 memset(opad, 0x5C, HMAC_BLOCK_SIZE);
52
53 memcpy(key, k, HMAC_OUTPUT_SIZE);
54
55 for (i = 0; i < HMAC_BLOCK_SIZE; i++) {
56 ipad[i] ^= key[i];
57 opad[i] ^= key[i];
58 }
59
60 __db_SHA1Init(&ctx);
61 __db_SHA1Update(&ctx, ipad, HMAC_BLOCK_SIZE);
62 __db_SHA1Update(&ctx, data, data_len);
63 __db_SHA1Final(tmp, &ctx);
64 __db_SHA1Init(&ctx);
65 __db_SHA1Update(&ctx, opad, HMAC_BLOCK_SIZE);
66 __db_SHA1Update(&ctx, tmp, HMAC_OUTPUT_SIZE);
67 __db_SHA1Final(mac, &ctx);
68 return;
69 }
70
71 /*
72 * __db_chksum --
73 * Create a MAC/SHA1 checksum.
74 *
75 * PUBLIC: void __db_chksum __P((void *,
76 * PUBLIC: u_int8_t *, size_t, u_int8_t *, u_int8_t *));
77 */
78 void
__db_chksum(hdr,data,data_len,mac_key,store)79 __db_chksum(hdr, data, data_len, mac_key, store)
80 void *hdr;
81 u_int8_t *data;
82 size_t data_len;
83 u_int8_t *mac_key;
84 u_int8_t *store;
85 {
86 int sumlen;
87 u_int32_t hash4;
88
89 /*
90 * Since the checksum might be on a page of data we are checksumming
91 * we might be overwriting after checksumming, we zero-out the
92 * checksum value so that we can have a known value there when
93 * we verify the checksum.
94 * If we are passed a log header XOR in prev and len so we have
95 * some redundancy on these fields. Mostly we need to be sure that
96 * we detect a race when doing hot backups and reading a live log
97 * file.
98 */
99 if (mac_key == NULL)
100 sumlen = sizeof(u_int32_t);
101 else
102 sumlen = DB_MAC_KEY;
103 if (hdr == NULL)
104 memset(store, 0, sumlen);
105 else
106 store = ((HDR*)hdr)->chksum;
107 if (mac_key == NULL) {
108 /* Just a hash, no MAC */
109 hash4 = __ham_func4(NULL, data, (u_int32_t)data_len);
110 if (hdr != NULL)
111 hash4 ^= ((HDR *)hdr)->prev ^ ((HDR *)hdr)->len;
112 memcpy(store, &hash4, sumlen);
113 } else {
114 __db_hmac(mac_key, data, data_len, store);
115 if (hdr != 0) {
116 ((int *)store)[0] ^= ((HDR *)hdr)->prev;
117 ((int *)store)[1] ^= ((HDR *)hdr)->len;
118 }
119 }
120 return;
121 }
122 /*
123 * __db_derive_mac --
124 * Create a MAC/SHA1 key.
125 *
126 * PUBLIC: void __db_derive_mac __P((u_int8_t *, size_t, u_int8_t *));
127 */
128 void
__db_derive_mac(passwd,plen,mac_key)129 __db_derive_mac(passwd, plen, mac_key)
130 u_int8_t *passwd;
131 size_t plen;
132 u_int8_t *mac_key;
133 {
134 SHA1_CTX ctx;
135
136 /* Compute the MAC key. mac_key must be 20 bytes. */
137 __db_SHA1Init(&ctx);
138 __db_SHA1Update(&ctx, passwd, plen);
139 __db_SHA1Update(&ctx, (u_int8_t *)DB_MAC_MAGIC, strlen(DB_MAC_MAGIC));
140 __db_SHA1Update(&ctx, passwd, plen);
141 __db_SHA1Final(mac_key, &ctx);
142
143 return;
144 }
145
146 /*
147 * __db_check_chksum --
148 * Verify a checksum.
149 *
150 * Return 0 on success, >0 (errno) on error, -1 on checksum mismatch.
151 *
152 * PUBLIC: int __db_check_chksum __P((ENV *,
153 * PUBLIC: void *, DB_CIPHER *, u_int8_t *, void *, size_t, int));
154 */
155 int
__db_check_chksum(env,hdr,db_cipher,chksum,data,data_len,is_hmac)156 __db_check_chksum(env, hdr, db_cipher, chksum, data, data_len, is_hmac)
157 ENV *env;
158 void *hdr;
159 DB_CIPHER *db_cipher;
160 u_int8_t *chksum;
161 void *data;
162 size_t data_len;
163 int is_hmac;
164 {
165 int ret;
166 size_t sum_len;
167 u_int32_t hash4;
168 u_int8_t *mac_key, old[DB_MAC_KEY], new[DB_MAC_KEY];
169
170 /*
171 * If we are just doing checksumming and not encryption, then checksum
172 * is 4 bytes. Otherwise, it is DB_MAC_KEY size. Check for illegal
173 * combinations of crypto/non-crypto checksums.
174 */
175 if (is_hmac == 0) {
176 if (db_cipher != NULL) {
177 __db_errx(env, DB_STR("0195",
178 "Unencrypted checksum with a supplied encryption key"));
179 return (EINVAL);
180 }
181 sum_len = sizeof(u_int32_t);
182 mac_key = NULL;
183 } else {
184 if (db_cipher == NULL) {
185 __db_errx(env, DB_STR("0196",
186 "Encrypted checksum: no encryption key specified"));
187 return (EINVAL);
188 }
189 sum_len = DB_MAC_KEY;
190 mac_key = db_cipher->mac_key;
191 }
192
193 /*
194 * !!!
195 * Since the checksum might be on the page, we need to have known data
196 * there so that we can generate the same original checksum. We zero
197 * it out, just like we do in __db_chksum above.
198 * If there is a log header, XOR the prev and len fields.
199 */
200 if (hdr == NULL) {
201 memcpy(old, chksum, sum_len);
202 memset(chksum, 0, sum_len);
203 chksum = old;
204 }
205
206 if (mac_key == NULL) {
207 /* Just a hash, no MAC */
208 hash4 = __ham_func4(NULL, data, (u_int32_t)data_len);
209 if (hdr != NULL)
210 LOG_HDR_SUM(0, hdr, &hash4);
211 ret = memcmp((u_int32_t *)chksum, &hash4, sum_len) ? -1 : 0;
212 } else {
213 __db_hmac(mac_key, data, data_len, new);
214 if (hdr != NULL)
215 LOG_HDR_SUM(1, hdr, new);
216 ret = memcmp(chksum, new, sum_len) ? -1 : 0;
217 }
218
219 return (ret);
220 }
221