1 1.1.1.2 christos /* 2 1.1.1.2 christos * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. 3 1.1 christos * 4 1.1.1.2 christos * Licensed under the OpenSSL license (the "License"). You may not use 5 1.1.1.2 christos * this file except in compliance with the License. You can obtain a copy 6 1.1.1.2 christos * in the file LICENSE in the source distribution or at 7 1.1.1.2 christos * https://www.openssl.org/source/license.html 8 1.1 christos */ 9 1.1 christos 10 1.1.1.2 christos #include "internal/constant_time.h" 11 1.1.1.2 christos #include "ssl_local.h" 12 1.1.1.2 christos #include "internal/cryptlib.h" 13 1.1 christos 14 1.1 christos #include <openssl/md5.h> 15 1.1 christos #include <openssl/sha.h> 16 1.1 christos 17 1.1 christos /* 18 1.1 christos * MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's 19 1.1 christos * length field. (SHA-384/512 have 128-bit length.) 20 1.1 christos */ 21 1.1 christos #define MAX_HASH_BIT_COUNT_BYTES 16 22 1.1 christos 23 1.1 christos /* 24 1.1 christos * MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support. 25 1.1 christos * Currently SHA-384/512 has a 128-byte block size and that's the largest 26 1.1 christos * supported by TLS.) 27 1.1 christos */ 28 1.1 christos #define MAX_HASH_BLOCK_SIZE 128 29 1.1 christos 30 1.1 christos /* 31 1.1 christos * u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in 32 1.1 christos * little-endian order. The value of p is advanced by four. 33 1.1 christos */ 34 1.1 christos #define u32toLE(n, p) \ 35 1.1 christos (*((p)++)=(unsigned char)(n), \ 36 1.1 christos *((p)++)=(unsigned char)(n>>8), \ 37 1.1 christos *((p)++)=(unsigned char)(n>>16), \ 38 1.1 christos *((p)++)=(unsigned char)(n>>24)) 39 1.1 christos 40 1.1 christos /* 41 1.1 christos * These functions serialize the state of a hash and thus perform the 42 1.1 christos * standard "final" operation without adding the padding and length that such 43 1.1 christos * a function typically does. 44 1.1 christos */ 45 1.1 christos static void tls1_md5_final_raw(void *ctx, unsigned char *md_out) 46 1.1 christos { 47 1.1 christos MD5_CTX *md5 = ctx; 48 1.1 christos u32toLE(md5->A, md_out); 49 1.1 christos u32toLE(md5->B, md_out); 50 1.1 christos u32toLE(md5->C, md_out); 51 1.1 christos u32toLE(md5->D, md_out); 52 1.1 christos } 53 1.1 christos 54 1.1 christos static void tls1_sha1_final_raw(void *ctx, unsigned char *md_out) 55 1.1 christos { 56 1.1 christos SHA_CTX *sha1 = ctx; 57 1.1 christos l2n(sha1->h0, md_out); 58 1.1 christos l2n(sha1->h1, md_out); 59 1.1 christos l2n(sha1->h2, md_out); 60 1.1 christos l2n(sha1->h3, md_out); 61 1.1 christos l2n(sha1->h4, md_out); 62 1.1 christos } 63 1.1 christos 64 1.1 christos static void tls1_sha256_final_raw(void *ctx, unsigned char *md_out) 65 1.1 christos { 66 1.1 christos SHA256_CTX *sha256 = ctx; 67 1.1 christos unsigned i; 68 1.1 christos 69 1.1 christos for (i = 0; i < 8; i++) { 70 1.1 christos l2n(sha256->h[i], md_out); 71 1.1 christos } 72 1.1 christos } 73 1.1 christos 74 1.1 christos static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out) 75 1.1 christos { 76 1.1 christos SHA512_CTX *sha512 = ctx; 77 1.1 christos unsigned i; 78 1.1 christos 79 1.1 christos for (i = 0; i < 8; i++) { 80 1.1 christos l2n8(sha512->h[i], md_out); 81 1.1 christos } 82 1.1 christos } 83 1.1 christos 84 1.1.1.2 christos #undef LARGEST_DIGEST_CTX 85 1.1.1.2 christos #define LARGEST_DIGEST_CTX SHA512_CTX 86 1.1 christos 87 1.1 christos /* 88 1.1 christos * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function 89 1.1 christos * which ssl3_cbc_digest_record supports. 90 1.1 christos */ 91 1.1 christos char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) 92 1.1 christos { 93 1.1 christos switch (EVP_MD_CTX_type(ctx)) { 94 1.1 christos case NID_md5: 95 1.1 christos case NID_sha1: 96 1.1 christos case NID_sha224: 97 1.1 christos case NID_sha256: 98 1.1 christos case NID_sha384: 99 1.1 christos case NID_sha512: 100 1.1 christos return 1; 101 1.1 christos default: 102 1.1 christos return 0; 103 1.1 christos } 104 1.1 christos } 105 1.1 christos 106 1.1 christos /*- 107 1.1 christos * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS 108 1.1 christos * record. 109 1.1 christos * 110 1.1 christos * ctx: the EVP_MD_CTX from which we take the hash function. 111 1.1 christos * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX. 112 1.1 christos * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written. 113 1.1 christos * md_out_size: if non-NULL, the number of output bytes is written here. 114 1.1 christos * header: the 13-byte, TLS record header. 115 1.1.1.2 christos * data: the record data itself, less any preceding explicit IV. 116 1.1 christos * data_plus_mac_size: the secret, reported length of the data and MAC 117 1.1 christos * once the padding has been removed. 118 1.1 christos * data_plus_mac_plus_padding_size: the public length of the whole 119 1.1 christos * record, including padding. 120 1.1 christos * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS. 121 1.1 christos * 122 1.1 christos * On entry: by virtue of having been through one of the remove_padding 123 1.1 christos * functions, above, we know that data_plus_mac_size is large enough to contain 124 1.1 christos * a padding byte and MAC. (If the padding was invalid, it might contain the 125 1.1 christos * padding too. ) 126 1.1 christos * Returns 1 on success or 0 on error 127 1.1 christos */ 128 1.1 christos int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, 129 1.1.1.2 christos unsigned char *md_out, 130 1.1.1.2 christos size_t *md_out_size, 131 1.1.1.2 christos const unsigned char *header, 132 1.1.1.2 christos const unsigned char *data, 133 1.1.1.2 christos size_t data_plus_mac_size, 134 1.1.1.2 christos size_t data_plus_mac_plus_padding_size, 135 1.1.1.2 christos const unsigned char *mac_secret, 136 1.1.1.2 christos size_t mac_secret_length, char is_sslv3) 137 1.1 christos { 138 1.1 christos union { 139 1.1 christos double align; 140 1.1 christos unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; 141 1.1 christos } md_state; 142 1.1 christos void (*md_final_raw) (void *ctx, unsigned char *md_out); 143 1.1 christos void (*md_transform) (void *ctx, const unsigned char *block); 144 1.1.1.2 christos size_t md_size, md_block_size = 64; 145 1.1.1.2 christos size_t sslv3_pad_length = 40, header_length, variance_blocks, 146 1.1 christos len, max_mac_bytes, num_blocks, 147 1.1 christos num_starting_blocks, k, mac_end_offset, c, index_a, index_b; 148 1.1.1.2 christos size_t bits; /* at most 18 bits */ 149 1.1 christos unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES]; 150 1.1 christos /* hmac_pad is the masked HMAC key. */ 151 1.1 christos unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; 152 1.1 christos unsigned char first_block[MAX_HASH_BLOCK_SIZE]; 153 1.1 christos unsigned char mac_out[EVP_MAX_MD_SIZE]; 154 1.1.1.2 christos size_t i, j; 155 1.1.1.2 christos unsigned md_out_size_u; 156 1.1.1.2 christos EVP_MD_CTX *md_ctx = NULL; 157 1.1 christos /* 158 1.1 christos * mdLengthSize is the number of bytes in the length field that 159 1.1 christos * terminates * the hash. 160 1.1 christos */ 161 1.1.1.2 christos size_t md_length_size = 8; 162 1.1 christos char length_is_big_endian = 1; 163 1.1.1.2 christos int ret; 164 1.1 christos 165 1.1 christos /* 166 1.1 christos * This is a, hopefully redundant, check that allows us to forget about 167 1.1 christos * many possible overflows later in this function. 168 1.1 christos */ 169 1.1.1.2 christos if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024)) 170 1.1.1.2 christos return 0; 171 1.1 christos 172 1.1 christos switch (EVP_MD_CTX_type(ctx)) { 173 1.1 christos case NID_md5: 174 1.1 christos if (MD5_Init((MD5_CTX *)md_state.c) <= 0) 175 1.1 christos return 0; 176 1.1 christos md_final_raw = tls1_md5_final_raw; 177 1.1 christos md_transform = 178 1.1 christos (void (*)(void *ctx, const unsigned char *block))MD5_Transform; 179 1.1 christos md_size = 16; 180 1.1 christos sslv3_pad_length = 48; 181 1.1 christos length_is_big_endian = 0; 182 1.1 christos break; 183 1.1 christos case NID_sha1: 184 1.1 christos if (SHA1_Init((SHA_CTX *)md_state.c) <= 0) 185 1.1 christos return 0; 186 1.1 christos md_final_raw = tls1_sha1_final_raw; 187 1.1 christos md_transform = 188 1.1 christos (void (*)(void *ctx, const unsigned char *block))SHA1_Transform; 189 1.1 christos md_size = 20; 190 1.1 christos break; 191 1.1 christos case NID_sha224: 192 1.1 christos if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0) 193 1.1 christos return 0; 194 1.1 christos md_final_raw = tls1_sha256_final_raw; 195 1.1 christos md_transform = 196 1.1 christos (void (*)(void *ctx, const unsigned char *block))SHA256_Transform; 197 1.1 christos md_size = 224 / 8; 198 1.1 christos break; 199 1.1 christos case NID_sha256: 200 1.1 christos if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0) 201 1.1 christos return 0; 202 1.1 christos md_final_raw = tls1_sha256_final_raw; 203 1.1 christos md_transform = 204 1.1 christos (void (*)(void *ctx, const unsigned char *block))SHA256_Transform; 205 1.1 christos md_size = 32; 206 1.1 christos break; 207 1.1 christos case NID_sha384: 208 1.1 christos if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0) 209 1.1 christos return 0; 210 1.1 christos md_final_raw = tls1_sha512_final_raw; 211 1.1 christos md_transform = 212 1.1 christos (void (*)(void *ctx, const unsigned char *block))SHA512_Transform; 213 1.1 christos md_size = 384 / 8; 214 1.1 christos md_block_size = 128; 215 1.1 christos md_length_size = 16; 216 1.1 christos break; 217 1.1 christos case NID_sha512: 218 1.1 christos if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0) 219 1.1 christos return 0; 220 1.1 christos md_final_raw = tls1_sha512_final_raw; 221 1.1 christos md_transform = 222 1.1 christos (void (*)(void *ctx, const unsigned char *block))SHA512_Transform; 223 1.1 christos md_size = 64; 224 1.1 christos md_block_size = 128; 225 1.1 christos md_length_size = 16; 226 1.1 christos break; 227 1.1 christos default: 228 1.1 christos /* 229 1.1 christos * ssl3_cbc_record_digest_supported should have been called first to 230 1.1 christos * check that the hash function is supported. 231 1.1 christos */ 232 1.1.1.2 christos if (md_out_size != NULL) 233 1.1 christos *md_out_size = 0; 234 1.1.1.2 christos return ossl_assert(0); 235 1.1 christos } 236 1.1 christos 237 1.1.1.2 christos if (!ossl_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES) 238 1.1.1.2 christos || !ossl_assert(md_block_size <= MAX_HASH_BLOCK_SIZE) 239 1.1.1.2 christos || !ossl_assert(md_size <= EVP_MAX_MD_SIZE)) 240 1.1.1.2 christos return 0; 241 1.1 christos 242 1.1 christos header_length = 13; 243 1.1 christos if (is_sslv3) { 244 1.1 christos header_length = mac_secret_length + sslv3_pad_length + 8 /* sequence 245 1.1 christos * number */ + 246 1.1 christos 1 /* record type */ + 247 1.1 christos 2 /* record length */ ; 248 1.1 christos } 249 1.1 christos 250 1.1 christos /* 251 1.1 christos * variance_blocks is the number of blocks of the hash that we have to 252 1.1 christos * calculate in constant time because they could be altered by the 253 1.1 christos * padding value. In SSLv3, the padding must be minimal so the end of 254 1.1 christos * the plaintext varies by, at most, 15+20 = 35 bytes. (We conservatively 255 1.1 christos * assume that the MAC size varies from 0..20 bytes.) In case the 9 bytes 256 1.1 christos * of hash termination (0x80 + 64-bit length) don't fit in the final 257 1.1 christos * block, we say that the final two blocks can vary based on the padding. 258 1.1 christos * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not 259 1.1.1.2 christos * required to be minimal. Therefore we say that the final |variance_blocks| 260 1.1.1.2 christos * blocks can 261 1.1 christos * vary based on the padding. Later in the function, if the message is 262 1.1 christos * short and there obviously cannot be this many blocks then 263 1.1 christos * variance_blocks can be reduced. 264 1.1 christos */ 265 1.1.1.2 christos variance_blocks = is_sslv3 ? 2 : ( ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1); 266 1.1 christos /* 267 1.1 christos * From now on we're dealing with the MAC, which conceptually has 13 268 1.1 christos * bytes of `header' before the start of the data (TLS) or 71/75 bytes 269 1.1 christos * (SSLv3) 270 1.1 christos */ 271 1.1 christos len = data_plus_mac_plus_padding_size + header_length; 272 1.1 christos /* 273 1.1 christos * max_mac_bytes contains the maximum bytes of bytes in the MAC, 274 1.1 christos * including * |header|, assuming that there's no padding. 275 1.1 christos */ 276 1.1 christos max_mac_bytes = len - md_size - 1; 277 1.1 christos /* num_blocks is the maximum number of hash blocks. */ 278 1.1 christos num_blocks = 279 1.1 christos (max_mac_bytes + 1 + md_length_size + md_block_size - 280 1.1 christos 1) / md_block_size; 281 1.1 christos /* 282 1.1 christos * In order to calculate the MAC in constant time we have to handle the 283 1.1 christos * final blocks specially because the padding value could cause the end 284 1.1 christos * to appear somewhere in the final |variance_blocks| blocks and we can't 285 1.1 christos * leak where. However, |num_starting_blocks| worth of data can be hashed 286 1.1 christos * right away because no padding value can affect whether they are 287 1.1 christos * plaintext. 288 1.1 christos */ 289 1.1 christos num_starting_blocks = 0; 290 1.1 christos /* 291 1.1 christos * k is the starting byte offset into the conceptual header||data where 292 1.1 christos * we start processing. 293 1.1 christos */ 294 1.1 christos k = 0; 295 1.1 christos /* 296 1.1 christos * mac_end_offset is the index just past the end of the data to be MACed. 297 1.1 christos */ 298 1.1 christos mac_end_offset = data_plus_mac_size + header_length - md_size; 299 1.1 christos /* 300 1.1 christos * c is the index of the 0x80 byte in the final hash block that contains 301 1.1 christos * application data. 302 1.1 christos */ 303 1.1 christos c = mac_end_offset % md_block_size; 304 1.1 christos /* 305 1.1 christos * index_a is the hash block number that contains the 0x80 terminating 306 1.1 christos * value. 307 1.1 christos */ 308 1.1 christos index_a = mac_end_offset / md_block_size; 309 1.1 christos /* 310 1.1 christos * index_b is the hash block number that contains the 64-bit hash length, 311 1.1 christos * in bits. 312 1.1 christos */ 313 1.1 christos index_b = (mac_end_offset + md_length_size) / md_block_size; 314 1.1 christos /* 315 1.1 christos * bits is the hash-length in bits. It includes the additional hash block 316 1.1 christos * for the masked HMAC key, or whole of |header| in the case of SSLv3. 317 1.1 christos */ 318 1.1 christos 319 1.1 christos /* 320 1.1 christos * For SSLv3, if we're going to have any starting blocks then we need at 321 1.1 christos * least two because the header is larger than a single block. 322 1.1 christos */ 323 1.1 christos if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) { 324 1.1 christos num_starting_blocks = num_blocks - variance_blocks; 325 1.1 christos k = md_block_size * num_starting_blocks; 326 1.1 christos } 327 1.1 christos 328 1.1 christos bits = 8 * mac_end_offset; 329 1.1 christos if (!is_sslv3) { 330 1.1 christos /* 331 1.1 christos * Compute the initial HMAC block. For SSLv3, the padding and secret 332 1.1 christos * bytes are included in |header| because they take more than a 333 1.1 christos * single block. 334 1.1 christos */ 335 1.1 christos bits += 8 * md_block_size; 336 1.1 christos memset(hmac_pad, 0, md_block_size); 337 1.1.1.2 christos if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad))) 338 1.1.1.2 christos return 0; 339 1.1 christos memcpy(hmac_pad, mac_secret, mac_secret_length); 340 1.1 christos for (i = 0; i < md_block_size; i++) 341 1.1 christos hmac_pad[i] ^= 0x36; 342 1.1 christos 343 1.1 christos md_transform(md_state.c, hmac_pad); 344 1.1 christos } 345 1.1 christos 346 1.1 christos if (length_is_big_endian) { 347 1.1 christos memset(length_bytes, 0, md_length_size - 4); 348 1.1 christos length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24); 349 1.1 christos length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16); 350 1.1 christos length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8); 351 1.1 christos length_bytes[md_length_size - 1] = (unsigned char)bits; 352 1.1 christos } else { 353 1.1 christos memset(length_bytes, 0, md_length_size); 354 1.1 christos length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24); 355 1.1 christos length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16); 356 1.1 christos length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8); 357 1.1 christos length_bytes[md_length_size - 8] = (unsigned char)bits; 358 1.1 christos } 359 1.1 christos 360 1.1 christos if (k > 0) { 361 1.1 christos if (is_sslv3) { 362 1.1.1.2 christos size_t overhang; 363 1.1 christos 364 1.1 christos /* 365 1.1 christos * The SSLv3 header is larger than a single block. overhang is 366 1.1 christos * the number of bytes beyond a single block that the header 367 1.1 christos * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no 368 1.1 christos * ciphersuites in SSLv3 that are not SHA1 or MD5 based and 369 1.1 christos * therefore we can be confident that the header_length will be 370 1.1 christos * greater than |md_block_size|. However we add a sanity check just 371 1.1 christos * in case 372 1.1 christos */ 373 1.1 christos if (header_length <= md_block_size) { 374 1.1 christos /* Should never happen */ 375 1.1 christos return 0; 376 1.1 christos } 377 1.1 christos overhang = header_length - md_block_size; 378 1.1 christos md_transform(md_state.c, header); 379 1.1 christos memcpy(first_block, header + md_block_size, overhang); 380 1.1 christos memcpy(first_block + overhang, data, md_block_size - overhang); 381 1.1 christos md_transform(md_state.c, first_block); 382 1.1 christos for (i = 1; i < k / md_block_size - 1; i++) 383 1.1 christos md_transform(md_state.c, data + md_block_size * i - overhang); 384 1.1 christos } else { 385 1.1 christos /* k is a multiple of md_block_size. */ 386 1.1 christos memcpy(first_block, header, 13); 387 1.1 christos memcpy(first_block + 13, data, md_block_size - 13); 388 1.1 christos md_transform(md_state.c, first_block); 389 1.1 christos for (i = 1; i < k / md_block_size; i++) 390 1.1 christos md_transform(md_state.c, data + md_block_size * i - 13); 391 1.1 christos } 392 1.1 christos } 393 1.1 christos 394 1.1 christos memset(mac_out, 0, sizeof(mac_out)); 395 1.1 christos 396 1.1 christos /* 397 1.1 christos * We now process the final hash blocks. For each block, we construct it 398 1.1 christos * in constant time. If the |i==index_a| then we'll include the 0x80 399 1.1 christos * bytes and zero pad etc. For each block we selectively copy it, in 400 1.1 christos * constant time, to |mac_out|. 401 1.1 christos */ 402 1.1 christos for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks; 403 1.1 christos i++) { 404 1.1 christos unsigned char block[MAX_HASH_BLOCK_SIZE]; 405 1.1.1.2 christos unsigned char is_block_a = constant_time_eq_8_s(i, index_a); 406 1.1.1.2 christos unsigned char is_block_b = constant_time_eq_8_s(i, index_b); 407 1.1 christos for (j = 0; j < md_block_size; j++) { 408 1.1 christos unsigned char b = 0, is_past_c, is_past_cp1; 409 1.1 christos if (k < header_length) 410 1.1 christos b = header[k]; 411 1.1 christos else if (k < data_plus_mac_plus_padding_size + header_length) 412 1.1 christos b = data[k - header_length]; 413 1.1 christos k++; 414 1.1 christos 415 1.1.1.2 christos is_past_c = is_block_a & constant_time_ge_8_s(j, c); 416 1.1.1.2 christos is_past_cp1 = is_block_a & constant_time_ge_8_s(j, c + 1); 417 1.1 christos /* 418 1.1 christos * If this is the block containing the end of the application 419 1.1 christos * data, and we are at the offset for the 0x80 value, then 420 1.1 christos * overwrite b with 0x80. 421 1.1 christos */ 422 1.1 christos b = constant_time_select_8(is_past_c, 0x80, b); 423 1.1 christos /* 424 1.1.1.2 christos * If this block contains the end of the application data 425 1.1.1.2 christos * and we're past the 0x80 value then just write zero. 426 1.1 christos */ 427 1.1 christos b = b & ~is_past_cp1; 428 1.1 christos /* 429 1.1 christos * If this is index_b (the final block), but not index_a (the end 430 1.1 christos * of the data), then the 64-bit length didn't fit into index_a 431 1.1 christos * and we're having to add an extra block of zeros. 432 1.1 christos */ 433 1.1 christos b &= ~is_block_b | is_block_a; 434 1.1 christos 435 1.1 christos /* 436 1.1 christos * The final bytes of one of the blocks contains the length. 437 1.1 christos */ 438 1.1 christos if (j >= md_block_size - md_length_size) { 439 1.1 christos /* If this is index_b, write a length byte. */ 440 1.1 christos b = constant_time_select_8(is_block_b, 441 1.1 christos length_bytes[j - 442 1.1 christos (md_block_size - 443 1.1 christos md_length_size)], b); 444 1.1 christos } 445 1.1 christos block[j] = b; 446 1.1 christos } 447 1.1 christos 448 1.1 christos md_transform(md_state.c, block); 449 1.1 christos md_final_raw(md_state.c, block); 450 1.1 christos /* If this is index_b, copy the hash value to |mac_out|. */ 451 1.1 christos for (j = 0; j < md_size; j++) 452 1.1 christos mac_out[j] |= block[j] & is_block_b; 453 1.1 christos } 454 1.1 christos 455 1.1.1.2 christos md_ctx = EVP_MD_CTX_new(); 456 1.1.1.2 christos if (md_ctx == NULL) 457 1.1.1.2 christos goto err; 458 1.1.1.2 christos if (EVP_DigestInit_ex(md_ctx, EVP_MD_CTX_md(ctx), NULL /* engine */ ) <= 0) 459 1.1 christos goto err; 460 1.1 christos if (is_sslv3) { 461 1.1 christos /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */ 462 1.1 christos memset(hmac_pad, 0x5c, sslv3_pad_length); 463 1.1 christos 464 1.1.1.2 christos if (EVP_DigestUpdate(md_ctx, mac_secret, mac_secret_length) <= 0 465 1.1.1.2 christos || EVP_DigestUpdate(md_ctx, hmac_pad, sslv3_pad_length) <= 0 466 1.1.1.2 christos || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0) 467 1.1 christos goto err; 468 1.1 christos } else { 469 1.1 christos /* Complete the HMAC in the standard manner. */ 470 1.1 christos for (i = 0; i < md_block_size; i++) 471 1.1 christos hmac_pad[i] ^= 0x6a; 472 1.1 christos 473 1.1.1.2 christos if (EVP_DigestUpdate(md_ctx, hmac_pad, md_block_size) <= 0 474 1.1.1.2 christos || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0) 475 1.1 christos goto err; 476 1.1 christos } 477 1.1.1.2 christos /* TODO(size_t): Convert me */ 478 1.1.1.2 christos ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u); 479 1.1.1.2 christos if (ret && md_out_size) 480 1.1 christos *md_out_size = md_out_size_u; 481 1.1.1.2 christos EVP_MD_CTX_free(md_ctx); 482 1.1 christos 483 1.1 christos return 1; 484 1.1.1.2 christos err: 485 1.1.1.2 christos EVP_MD_CTX_free(md_ctx); 486 1.1 christos return 0; 487 1.1 christos } 488