/src/openssl31/ssl/s3_cbc.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | /* |
11 | | * This file has no dependencies on the rest of libssl because it is shared |
12 | | * with the providers. It contains functions for low level MAC calculations. |
13 | | * Responsibility for this lies with the HMAC implementation in the |
14 | | * providers. However there are legacy code paths in libssl which also need to |
15 | | * do this. In time those legacy code paths can be removed and this file can be |
16 | | * moved out of libssl. |
17 | | */ |
18 | | |
19 | | |
20 | | /* |
21 | | * MD5 and SHA-1 low level APIs are deprecated for public use, but still ok for |
22 | | * internal use. |
23 | | */ |
24 | | #include "internal/deprecated.h" |
25 | | |
26 | | #include "internal/constant_time.h" |
27 | | #include "internal/cryptlib.h" |
28 | | |
29 | | #include <openssl/evp.h> |
30 | | #ifndef FIPS_MODULE |
31 | | # include <openssl/md5.h> |
32 | | #endif |
33 | | #include <openssl/sha.h> |
34 | | |
35 | | char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); |
36 | | int ssl3_cbc_digest_record(const EVP_MD *md, |
37 | | unsigned char *md_out, |
38 | | size_t *md_out_size, |
39 | | const unsigned char *header, |
40 | | const unsigned char *data, |
41 | | size_t data_size, |
42 | | size_t data_plus_mac_plus_padding_size, |
43 | | const unsigned char *mac_secret, |
44 | | size_t mac_secret_length, char is_sslv3); |
45 | | |
46 | 13.9k | # define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \ |
47 | 13.9k | *((c)++)=(unsigned char)(((l)>>16)&0xff), \ |
48 | 13.9k | *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ |
49 | 13.9k | *((c)++)=(unsigned char)(((l) )&0xff)) |
50 | | |
51 | | # define l2n6(l,c) (*((c)++)=(unsigned char)(((l)>>40)&0xff), \ |
52 | | *((c)++)=(unsigned char)(((l)>>32)&0xff), \ |
53 | | *((c)++)=(unsigned char)(((l)>>24)&0xff), \ |
54 | | *((c)++)=(unsigned char)(((l)>>16)&0xff), \ |
55 | | *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ |
56 | | *((c)++)=(unsigned char)(((l) )&0xff)) |
57 | | |
58 | 1.00k | # define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ |
59 | 1.00k | *((c)++)=(unsigned char)(((l)>>48)&0xff), \ |
60 | 1.00k | *((c)++)=(unsigned char)(((l)>>40)&0xff), \ |
61 | 1.00k | *((c)++)=(unsigned char)(((l)>>32)&0xff), \ |
62 | 1.00k | *((c)++)=(unsigned char)(((l)>>24)&0xff), \ |
63 | 1.00k | *((c)++)=(unsigned char)(((l)>>16)&0xff), \ |
64 | 1.00k | *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ |
65 | 1.00k | *((c)++)=(unsigned char)(((l) )&0xff)) |
66 | | |
67 | | /* |
68 | | * MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's |
69 | | * length field. (SHA-384/512 have 128-bit length.) |
70 | | */ |
71 | | #define MAX_HASH_BIT_COUNT_BYTES 16 |
72 | | |
73 | | /* |
74 | | * MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support. |
75 | | * Currently SHA-384/512 has a 128-byte block size and that's the largest |
76 | | * supported by TLS.) |
77 | | */ |
78 | | #define MAX_HASH_BLOCK_SIZE 128 |
79 | | |
80 | | #ifndef FIPS_MODULE |
81 | | /* |
82 | | * u32toLE serializes an unsigned, 32-bit number (n) as four bytes at (p) in |
83 | | * little-endian order. The value of p is advanced by four. |
84 | | */ |
85 | | # define u32toLE(n, p) \ |
86 | 0 | (*((p)++)=(unsigned char)(n), \ |
87 | 0 | *((p)++)=(unsigned char)(n>>8), \ |
88 | 0 | *((p)++)=(unsigned char)(n>>16), \ |
89 | 0 | *((p)++)=(unsigned char)(n>>24)) |
90 | | |
91 | | /* |
92 | | * These functions serialize the state of a hash and thus perform the |
93 | | * standard "final" operation without adding the padding and length that such |
94 | | * a function typically does. |
95 | | */ |
96 | | static void tls1_md5_final_raw(void *ctx, unsigned char *md_out) |
97 | 0 | { |
98 | 0 | MD5_CTX *md5 = ctx; |
99 | 0 | u32toLE(md5->A, md_out); |
100 | 0 | u32toLE(md5->B, md_out); |
101 | 0 | u32toLE(md5->C, md_out); |
102 | 0 | u32toLE(md5->D, md_out); |
103 | 0 | } |
104 | | #endif /* FIPS_MODULE */ |
105 | | |
106 | | static void tls1_sha1_final_raw(void *ctx, unsigned char *md_out) |
107 | 2.19k | { |
108 | 2.19k | SHA_CTX *sha1 = ctx; |
109 | 2.19k | l2n(sha1->h0, md_out); |
110 | 2.19k | l2n(sha1->h1, md_out); |
111 | 2.19k | l2n(sha1->h2, md_out); |
112 | 2.19k | l2n(sha1->h3, md_out); |
113 | 2.19k | l2n(sha1->h4, md_out); |
114 | 2.19k | } |
115 | | |
116 | | static void tls1_sha256_final_raw(void *ctx, unsigned char *md_out) |
117 | 378 | { |
118 | 378 | SHA256_CTX *sha256 = ctx; |
119 | 378 | unsigned i; |
120 | | |
121 | 3.40k | for (i = 0; i < 8; i++) { |
122 | 3.02k | l2n(sha256->h[i], md_out); |
123 | 3.02k | } |
124 | 378 | } |
125 | | |
126 | | static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out) |
127 | 125 | { |
128 | 125 | SHA512_CTX *sha512 = ctx; |
129 | 125 | unsigned i; |
130 | | |
131 | 1.12k | for (i = 0; i < 8; i++) { |
132 | 1.00k | l2n8(sha512->h[i], md_out); |
133 | 1.00k | } |
134 | 125 | } |
135 | | |
136 | | #undef LARGEST_DIGEST_CTX |
137 | | #define LARGEST_DIGEST_CTX SHA512_CTX |
138 | | |
139 | | /*- |
140 | | * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS |
141 | | * record. |
142 | | * |
143 | | * ctx: the EVP_MD_CTX from which we take the hash function. |
144 | | * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX. |
145 | | * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written. |
146 | | * md_out_size: if non-NULL, the number of output bytes is written here. |
147 | | * header: the 13-byte, TLS record header. |
148 | | * data: the record data itself, less any preceding explicit IV. |
149 | | * data_size: the secret, reported length of the data once the MAC and padding |
150 | | * has been removed. |
151 | | * data_plus_mac_plus_padding_size: the public length of the whole |
152 | | * record, including MAC and padding. |
153 | | * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS. |
154 | | * |
155 | | * On entry: we know that data is data_plus_mac_plus_padding_size in length |
156 | | * Returns 1 on success or 0 on error |
157 | | */ |
158 | | int ssl3_cbc_digest_record(const EVP_MD *md, |
159 | | unsigned char *md_out, |
160 | | size_t *md_out_size, |
161 | | const unsigned char *header, |
162 | | const unsigned char *data, |
163 | | size_t data_size, |
164 | | size_t data_plus_mac_plus_padding_size, |
165 | | const unsigned char *mac_secret, |
166 | | size_t mac_secret_length, char is_sslv3) |
167 | 45.4k | { |
168 | 45.4k | union { |
169 | 45.4k | OSSL_UNION_ALIGN; |
170 | 45.4k | unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; |
171 | 45.4k | } md_state; |
172 | 45.4k | void (*md_final_raw) (void *ctx, unsigned char *md_out); |
173 | 45.4k | void (*md_transform) (void *ctx, const unsigned char *block); |
174 | 45.4k | size_t md_size, md_block_size = 64; |
175 | 45.4k | size_t sslv3_pad_length = 40, header_length, variance_blocks, |
176 | 45.4k | len, max_mac_bytes, num_blocks, |
177 | 45.4k | num_starting_blocks, k, mac_end_offset, c, index_a, index_b; |
178 | 45.4k | size_t bits; /* at most 18 bits */ |
179 | 45.4k | unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES]; |
180 | | /* hmac_pad is the masked HMAC key. */ |
181 | 45.4k | unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; |
182 | 45.4k | unsigned char first_block[MAX_HASH_BLOCK_SIZE]; |
183 | 45.4k | unsigned char mac_out[EVP_MAX_MD_SIZE]; |
184 | 45.4k | size_t i, j; |
185 | 45.4k | unsigned md_out_size_u; |
186 | 45.4k | EVP_MD_CTX *md_ctx = NULL; |
187 | | /* |
188 | | * mdLengthSize is the number of bytes in the length field that |
189 | | * terminates * the hash. |
190 | | */ |
191 | 45.4k | size_t md_length_size = 8; |
192 | 45.4k | char length_is_big_endian = 1; |
193 | 45.4k | int ret = 0; |
194 | | |
195 | | /* |
196 | | * This is a, hopefully redundant, check that allows us to forget about |
197 | | * many possible overflows later in this function. |
198 | | */ |
199 | 45.4k | if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024)) |
200 | 0 | return 0; |
201 | | |
202 | 45.4k | if (EVP_MD_is_a(md, "MD5")) { |
203 | | #ifdef FIPS_MODULE |
204 | | return 0; |
205 | | #else |
206 | 0 | if (MD5_Init((MD5_CTX *)md_state.c) <= 0) |
207 | 0 | return 0; |
208 | 0 | md_final_raw = tls1_md5_final_raw; |
209 | 0 | md_transform = |
210 | 0 | (void (*)(void *ctx, const unsigned char *block))MD5_Transform; |
211 | 0 | md_size = 16; |
212 | 0 | sslv3_pad_length = 48; |
213 | 0 | length_is_big_endian = 0; |
214 | 0 | #endif |
215 | 45.4k | } else if (EVP_MD_is_a(md, "SHA1")) { |
216 | 30.8k | if (SHA1_Init((SHA_CTX *)md_state.c) <= 0) |
217 | 0 | return 0; |
218 | 30.8k | md_final_raw = tls1_sha1_final_raw; |
219 | 30.8k | md_transform = |
220 | 30.8k | (void (*)(void *ctx, const unsigned char *block))SHA1_Transform; |
221 | 30.8k | md_size = 20; |
222 | 30.8k | } else if (EVP_MD_is_a(md, "SHA2-224")) { |
223 | 0 | if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0) |
224 | 0 | return 0; |
225 | 0 | md_final_raw = tls1_sha256_final_raw; |
226 | 0 | md_transform = |
227 | 0 | (void (*)(void *ctx, const unsigned char *block))SHA256_Transform; |
228 | 0 | md_size = 224 / 8; |
229 | 14.6k | } else if (EVP_MD_is_a(md, "SHA2-256")) { |
230 | 10.0k | if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0) |
231 | 0 | return 0; |
232 | 10.0k | md_final_raw = tls1_sha256_final_raw; |
233 | 10.0k | md_transform = |
234 | 10.0k | (void (*)(void *ctx, const unsigned char *block))SHA256_Transform; |
235 | 10.0k | md_size = 32; |
236 | 10.0k | } else if (EVP_MD_is_a(md, "SHA2-384")) { |
237 | 4.59k | if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0) |
238 | 0 | return 0; |
239 | 4.59k | md_final_raw = tls1_sha512_final_raw; |
240 | 4.59k | md_transform = |
241 | 4.59k | (void (*)(void *ctx, const unsigned char *block))SHA512_Transform; |
242 | 4.59k | md_size = 384 / 8; |
243 | 4.59k | md_block_size = 128; |
244 | 4.59k | md_length_size = 16; |
245 | 4.59k | } else if (EVP_MD_is_a(md, "SHA2-512")) { |
246 | 0 | if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0) |
247 | 0 | return 0; |
248 | 0 | md_final_raw = tls1_sha512_final_raw; |
249 | 0 | md_transform = |
250 | 0 | (void (*)(void *ctx, const unsigned char *block))SHA512_Transform; |
251 | 0 | md_size = 64; |
252 | 0 | md_block_size = 128; |
253 | 0 | md_length_size = 16; |
254 | 0 | } else { |
255 | | /* |
256 | | * ssl3_cbc_record_digest_supported should have been called first to |
257 | | * check that the hash function is supported. |
258 | | */ |
259 | 0 | if (md_out_size != NULL) |
260 | 0 | *md_out_size = 0; |
261 | 0 | return ossl_assert(0); |
262 | 0 | } |
263 | | |
264 | 45.4k | if (!ossl_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES) |
265 | 45.4k | || !ossl_assert(md_block_size <= MAX_HASH_BLOCK_SIZE) |
266 | 45.4k | || !ossl_assert(md_size <= EVP_MAX_MD_SIZE)) |
267 | 0 | return 0; |
268 | | |
269 | 45.4k | header_length = 13; |
270 | 45.4k | if (is_sslv3) { |
271 | 7.94k | header_length = mac_secret_length + sslv3_pad_length + 8 /* sequence |
272 | 7.94k | * number */ + |
273 | 7.94k | 1 /* record type */ + |
274 | 7.94k | 2 /* record length */ ; |
275 | 7.94k | } |
276 | | |
277 | | /* |
278 | | * variance_blocks is the number of blocks of the hash that we have to |
279 | | * calculate in constant time because they could be altered by the |
280 | | * padding value. In SSLv3, the padding must be minimal so the end of |
281 | | * the plaintext varies by, at most, 15+20 = 35 bytes. (We conservatively |
282 | | * assume that the MAC size varies from 0..20 bytes.) In case the 9 bytes |
283 | | * of hash termination (0x80 + 64-bit length) don't fit in the final |
284 | | * block, we say that the final two blocks can vary based on the padding. |
285 | | * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not |
286 | | * required to be minimal. Therefore we say that the final |variance_blocks| |
287 | | * blocks can |
288 | | * vary based on the padding. Later in the function, if the message is |
289 | | * short and there obviously cannot be this many blocks then |
290 | | * variance_blocks can be reduced. |
291 | | */ |
292 | 45.4k | variance_blocks = is_sslv3 ? 2 : ( ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1); |
293 | | /* |
294 | | * From now on we're dealing with the MAC, which conceptually has 13 |
295 | | * bytes of `header' before the start of the data (TLS) or 71/75 bytes |
296 | | * (SSLv3) |
297 | | */ |
298 | 45.4k | len = data_plus_mac_plus_padding_size + header_length; |
299 | | /* |
300 | | * max_mac_bytes contains the maximum bytes of bytes in the MAC, |
301 | | * including * |header|, assuming that there's no padding. |
302 | | */ |
303 | 45.4k | max_mac_bytes = len - md_size - 1; |
304 | | /* num_blocks is the maximum number of hash blocks. */ |
305 | 45.4k | num_blocks = |
306 | 45.4k | (max_mac_bytes + 1 + md_length_size + md_block_size - |
307 | 45.4k | 1) / md_block_size; |
308 | | /* |
309 | | * In order to calculate the MAC in constant time we have to handle the |
310 | | * final blocks specially because the padding value could cause the end |
311 | | * to appear somewhere in the final |variance_blocks| blocks and we can't |
312 | | * leak where. However, |num_starting_blocks| worth of data can be hashed |
313 | | * right away because no padding value can affect whether they are |
314 | | * plaintext. |
315 | | */ |
316 | 45.4k | num_starting_blocks = 0; |
317 | | /* |
318 | | * k is the starting byte offset into the conceptual header||data where |
319 | | * we start processing. |
320 | | */ |
321 | 45.4k | k = 0; |
322 | | /* |
323 | | * mac_end_offset is the index just past the end of the data to be MACed. |
324 | | */ |
325 | 45.4k | mac_end_offset = data_size + header_length; |
326 | | /* |
327 | | * c is the index of the 0x80 byte in the final hash block that contains |
328 | | * application data. |
329 | | */ |
330 | 45.4k | c = mac_end_offset % md_block_size; |
331 | | /* |
332 | | * index_a is the hash block number that contains the 0x80 terminating |
333 | | * value. |
334 | | */ |
335 | 45.4k | index_a = mac_end_offset / md_block_size; |
336 | | /* |
337 | | * index_b is the hash block number that contains the 64-bit hash length, |
338 | | * in bits. |
339 | | */ |
340 | 45.4k | index_b = (mac_end_offset + md_length_size) / md_block_size; |
341 | | /* |
342 | | * bits is the hash-length in bits. It includes the additional hash block |
343 | | * for the masked HMAC key, or whole of |header| in the case of SSLv3. |
344 | | */ |
345 | | |
346 | | /* |
347 | | * For SSLv3, if we're going to have any starting blocks then we need at |
348 | | * least two because the header is larger than a single block. |
349 | | */ |
350 | 45.4k | if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) { |
351 | 1.48k | num_starting_blocks = num_blocks - variance_blocks; |
352 | 1.48k | k = md_block_size * num_starting_blocks; |
353 | 1.48k | } |
354 | | |
355 | 45.4k | bits = 8 * mac_end_offset; |
356 | 45.4k | if (!is_sslv3) { |
357 | | /* |
358 | | * Compute the initial HMAC block. For SSLv3, the padding and secret |
359 | | * bytes are included in |header| because they take more than a |
360 | | * single block. |
361 | | */ |
362 | 37.5k | bits += 8 * md_block_size; |
363 | 37.5k | memset(hmac_pad, 0, md_block_size); |
364 | 37.5k | if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad))) |
365 | 0 | return 0; |
366 | 37.5k | memcpy(hmac_pad, mac_secret, mac_secret_length); |
367 | 2.73M | for (i = 0; i < md_block_size; i++) |
368 | 2.69M | hmac_pad[i] ^= 0x36; |
369 | | |
370 | 37.5k | md_transform(md_state.c, hmac_pad); |
371 | 37.5k | } |
372 | | |
373 | 45.4k | if (length_is_big_endian) { |
374 | 45.4k | memset(length_bytes, 0, md_length_size - 4); |
375 | 45.4k | length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24); |
376 | 45.4k | length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16); |
377 | 45.4k | length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8); |
378 | 45.4k | length_bytes[md_length_size - 1] = (unsigned char)bits; |
379 | 45.4k | } else { |
380 | 0 | memset(length_bytes, 0, md_length_size); |
381 | 0 | length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24); |
382 | 0 | length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16); |
383 | 0 | length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8); |
384 | 0 | length_bytes[md_length_size - 8] = (unsigned char)bits; |
385 | 0 | } |
386 | | |
387 | 45.4k | if (k > 0) { |
388 | 1.48k | if (is_sslv3) { |
389 | 261 | size_t overhang; |
390 | | |
391 | | /* |
392 | | * The SSLv3 header is larger than a single block. overhang is |
393 | | * the number of bytes beyond a single block that the header |
394 | | * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no |
395 | | * ciphersuites in SSLv3 that are not SHA1 or MD5 based and |
396 | | * therefore we can be confident that the header_length will be |
397 | | * greater than |md_block_size|. However we add a sanity check just |
398 | | * in case |
399 | | */ |
400 | 261 | if (header_length <= md_block_size) { |
401 | | /* Should never happen */ |
402 | 0 | return 0; |
403 | 0 | } |
404 | 261 | overhang = header_length - md_block_size; |
405 | 261 | md_transform(md_state.c, header); |
406 | 261 | memcpy(first_block, header + md_block_size, overhang); |
407 | 261 | memcpy(first_block + overhang, data, md_block_size - overhang); |
408 | 261 | md_transform(md_state.c, first_block); |
409 | 10.7k | for (i = 1; i < k / md_block_size - 1; i++) |
410 | 10.4k | md_transform(md_state.c, data + md_block_size * i - overhang); |
411 | 1.22k | } else { |
412 | | /* k is a multiple of md_block_size. */ |
413 | 1.22k | memcpy(first_block, header, 13); |
414 | 1.22k | memcpy(first_block + 13, data, md_block_size - 13); |
415 | 1.22k | md_transform(md_state.c, first_block); |
416 | 29.1k | for (i = 1; i < k / md_block_size; i++) |
417 | 27.9k | md_transform(md_state.c, data + md_block_size * i - 13); |
418 | 1.22k | } |
419 | 1.48k | } |
420 | | |
421 | 45.4k | memset(mac_out, 0, sizeof(mac_out)); |
422 | | |
423 | | /* |
424 | | * We now process the final hash blocks. For each block, we construct it |
425 | | * in constant time. If the |i==index_a| then we'll include the 0x80 |
426 | | * bytes and zero pad etc. For each block we selectively copy it, in |
427 | | * constant time, to |mac_out|. |
428 | | */ |
429 | 322k | for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks; |
430 | 277k | i++) { |
431 | 277k | unsigned char block[MAX_HASH_BLOCK_SIZE]; |
432 | 277k | unsigned char is_block_a = constant_time_eq_8_s(i, index_a); |
433 | 277k | unsigned char is_block_b = constant_time_eq_8_s(i, index_b); |
434 | 19.4M | for (j = 0; j < md_block_size; j++) { |
435 | 19.2M | unsigned char b = 0, is_past_c, is_past_cp1; |
436 | 19.2M | if (k < header_length) |
437 | 1.01M | b = header[k]; |
438 | 18.2M | else if (k < data_plus_mac_plus_padding_size + header_length) |
439 | 3.00M | b = data[k - header_length]; |
440 | 19.2M | k++; |
441 | | |
442 | 19.2M | is_past_c = is_block_a & constant_time_ge_8_s(j, c); |
443 | 19.2M | is_past_cp1 = is_block_a & constant_time_ge_8_s(j, c + 1); |
444 | | /* |
445 | | * If this is the block containing the end of the application |
446 | | * data, and we are at the offset for the 0x80 value, then |
447 | | * overwrite b with 0x80. |
448 | | */ |
449 | 19.2M | b = constant_time_select_8(is_past_c, 0x80, b); |
450 | | /* |
451 | | * If this block contains the end of the application data |
452 | | * and we're past the 0x80 value then just write zero. |
453 | | */ |
454 | 19.2M | b = b & ~is_past_cp1; |
455 | | /* |
456 | | * If this is index_b (the final block), but not index_a (the end |
457 | | * of the data), then the 64-bit length didn't fit into index_a |
458 | | * and we're having to add an extra block of zeros. |
459 | | */ |
460 | 19.2M | b &= ~is_block_b | is_block_a; |
461 | | |
462 | | /* |
463 | | * The final bytes of one of the blocks contains the length. |
464 | | */ |
465 | 19.2M | if (j >= md_block_size - md_length_size) { |
466 | | /* If this is index_b, write a length byte. */ |
467 | 2.40M | b = constant_time_select_8(is_block_b, |
468 | 2.40M | length_bytes[j - |
469 | 2.40M | (md_block_size - |
470 | 2.40M | md_length_size)], b); |
471 | 2.40M | } |
472 | 19.2M | block[j] = b; |
473 | 19.2M | } |
474 | | |
475 | 277k | md_transform(md_state.c, block); |
476 | 277k | md_final_raw(md_state.c, block); |
477 | | /* If this is index_b, copy the hash value to |mac_out|. */ |
478 | 7.31M | for (j = 0; j < md_size; j++) |
479 | 7.03M | mac_out[j] |= block[j] & is_block_b; |
480 | 277k | } |
481 | | |
482 | 45.4k | md_ctx = EVP_MD_CTX_new(); |
483 | 45.4k | if (md_ctx == NULL) |
484 | 0 | goto err; |
485 | | |
486 | 45.4k | if (EVP_DigestInit_ex(md_ctx, md, NULL /* engine */ ) <= 0) |
487 | 0 | goto err; |
488 | 45.4k | if (is_sslv3) { |
489 | | /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */ |
490 | 7.94k | memset(hmac_pad, 0x5c, sslv3_pad_length); |
491 | | |
492 | 7.94k | if (EVP_DigestUpdate(md_ctx, mac_secret, mac_secret_length) <= 0 |
493 | 7.94k | || EVP_DigestUpdate(md_ctx, hmac_pad, sslv3_pad_length) <= 0 |
494 | 7.94k | || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0) |
495 | 0 | goto err; |
496 | 37.5k | } else { |
497 | | /* Complete the HMAC in the standard manner. */ |
498 | 2.73M | for (i = 0; i < md_block_size; i++) |
499 | 2.69M | hmac_pad[i] ^= 0x6a; |
500 | | |
501 | 37.5k | if (EVP_DigestUpdate(md_ctx, hmac_pad, md_block_size) <= 0 |
502 | 37.5k | || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0) |
503 | 0 | goto err; |
504 | 37.5k | } |
505 | 45.4k | ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u); |
506 | 45.4k | if (ret && md_out_size) |
507 | 45.4k | *md_out_size = md_out_size_u; |
508 | | |
509 | 45.4k | ret = 1; |
510 | 45.4k | err: |
511 | 45.4k | EVP_MD_CTX_free(md_ctx); |
512 | 45.4k | return ret; |
513 | 45.4k | } |