Home | History | Annotate | Line # | Download | only in ssl
      1  1.1.1.2  christos /*
      2  1.1.1.2  christos  * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
      3      1.1  christos  *
      4  1.1.1.2  christos  * Licensed under the OpenSSL license (the "License").  You may not use
      5  1.1.1.2  christos  * this file except in compliance with the License.  You can obtain a copy
      6  1.1.1.2  christos  * in the file LICENSE in the source distribution or at
      7  1.1.1.2  christos  * https://www.openssl.org/source/license.html
      8      1.1  christos  */
      9      1.1  christos 
     10  1.1.1.2  christos #include "internal/constant_time.h"
     11  1.1.1.2  christos #include "ssl_local.h"
     12  1.1.1.2  christos #include "internal/cryptlib.h"
     13      1.1  christos 
     14      1.1  christos #include <openssl/md5.h>
     15      1.1  christos #include <openssl/sha.h>
     16      1.1  christos 
     17      1.1  christos /*
     18      1.1  christos  * MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's
     19      1.1  christos  * length field. (SHA-384/512 have 128-bit length.)
     20      1.1  christos  */
     21      1.1  christos #define MAX_HASH_BIT_COUNT_BYTES 16
     22      1.1  christos 
     23      1.1  christos /*
     24      1.1  christos  * MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
     25      1.1  christos  * Currently SHA-384/512 has a 128-byte block size and that's the largest
     26      1.1  christos  * supported by TLS.)
     27      1.1  christos  */
     28      1.1  christos #define MAX_HASH_BLOCK_SIZE 128
     29      1.1  christos 
     30      1.1  christos /*
     31      1.1  christos  * u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
     32      1.1  christos  * little-endian order. The value of p is advanced by four.
     33      1.1  christos  */
     34      1.1  christos #define u32toLE(n, p) \
     35      1.1  christos         (*((p)++)=(unsigned char)(n), \
     36      1.1  christos          *((p)++)=(unsigned char)(n>>8), \
     37      1.1  christos          *((p)++)=(unsigned char)(n>>16), \
     38      1.1  christos          *((p)++)=(unsigned char)(n>>24))
     39      1.1  christos 
     40      1.1  christos /*
     41      1.1  christos  * These functions serialize the state of a hash and thus perform the
     42      1.1  christos  * standard "final" operation without adding the padding and length that such
     43      1.1  christos  * a function typically does.
     44      1.1  christos  */
     45      1.1  christos static void tls1_md5_final_raw(void *ctx, unsigned char *md_out)
     46      1.1  christos {
     47      1.1  christos     MD5_CTX *md5 = ctx;
     48      1.1  christos     u32toLE(md5->A, md_out);
     49      1.1  christos     u32toLE(md5->B, md_out);
     50      1.1  christos     u32toLE(md5->C, md_out);
     51      1.1  christos     u32toLE(md5->D, md_out);
     52      1.1  christos }
     53      1.1  christos 
     54      1.1  christos static void tls1_sha1_final_raw(void *ctx, unsigned char *md_out)
     55      1.1  christos {
     56      1.1  christos     SHA_CTX *sha1 = ctx;
     57      1.1  christos     l2n(sha1->h0, md_out);
     58      1.1  christos     l2n(sha1->h1, md_out);
     59      1.1  christos     l2n(sha1->h2, md_out);
     60      1.1  christos     l2n(sha1->h3, md_out);
     61      1.1  christos     l2n(sha1->h4, md_out);
     62      1.1  christos }
     63      1.1  christos 
     64      1.1  christos static void tls1_sha256_final_raw(void *ctx, unsigned char *md_out)
     65      1.1  christos {
     66      1.1  christos     SHA256_CTX *sha256 = ctx;
     67      1.1  christos     unsigned i;
     68      1.1  christos 
     69      1.1  christos     for (i = 0; i < 8; i++) {
     70      1.1  christos         l2n(sha256->h[i], md_out);
     71      1.1  christos     }
     72      1.1  christos }
     73      1.1  christos 
     74      1.1  christos static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
     75      1.1  christos {
     76      1.1  christos     SHA512_CTX *sha512 = ctx;
     77      1.1  christos     unsigned i;
     78      1.1  christos 
     79      1.1  christos     for (i = 0; i < 8; i++) {
     80      1.1  christos         l2n8(sha512->h[i], md_out);
     81      1.1  christos     }
     82      1.1  christos }
     83      1.1  christos 
     84  1.1.1.2  christos #undef  LARGEST_DIGEST_CTX
     85  1.1.1.2  christos #define LARGEST_DIGEST_CTX SHA512_CTX
     86      1.1  christos 
     87      1.1  christos /*
     88      1.1  christos  * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
     89      1.1  christos  * which ssl3_cbc_digest_record supports.
     90      1.1  christos  */
     91      1.1  christos char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
     92      1.1  christos {
     93      1.1  christos     switch (EVP_MD_CTX_type(ctx)) {
     94      1.1  christos     case NID_md5:
     95      1.1  christos     case NID_sha1:
     96      1.1  christos     case NID_sha224:
     97      1.1  christos     case NID_sha256:
     98      1.1  christos     case NID_sha384:
     99      1.1  christos     case NID_sha512:
    100      1.1  christos         return 1;
    101      1.1  christos     default:
    102      1.1  christos         return 0;
    103      1.1  christos     }
    104      1.1  christos }
    105      1.1  christos 
    106      1.1  christos /*-
    107      1.1  christos  * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
    108      1.1  christos  * record.
    109      1.1  christos  *
    110      1.1  christos  *   ctx: the EVP_MD_CTX from which we take the hash function.
    111      1.1  christos  *     ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
    112      1.1  christos  *   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
    113      1.1  christos  *   md_out_size: if non-NULL, the number of output bytes is written here.
    114      1.1  christos  *   header: the 13-byte, TLS record header.
    115  1.1.1.2  christos  *   data: the record data itself, less any preceding explicit IV.
    116      1.1  christos  *   data_plus_mac_size: the secret, reported length of the data and MAC
    117      1.1  christos  *     once the padding has been removed.
    118      1.1  christos  *   data_plus_mac_plus_padding_size: the public length of the whole
    119      1.1  christos  *     record, including padding.
    120      1.1  christos  *   is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
    121      1.1  christos  *
    122      1.1  christos  * On entry: by virtue of having been through one of the remove_padding
    123      1.1  christos  * functions, above, we know that data_plus_mac_size is large enough to contain
    124      1.1  christos  * a padding byte and MAC. (If the padding was invalid, it might contain the
    125      1.1  christos  * padding too. )
    126      1.1  christos  * Returns 1 on success or 0 on error
    127      1.1  christos  */
    128      1.1  christos int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
    129  1.1.1.2  christos                            unsigned char *md_out,
    130  1.1.1.2  christos                            size_t *md_out_size,
    131  1.1.1.2  christos                            const unsigned char *header,
    132  1.1.1.2  christos                            const unsigned char *data,
    133  1.1.1.2  christos                            size_t data_plus_mac_size,
    134  1.1.1.2  christos                            size_t data_plus_mac_plus_padding_size,
    135  1.1.1.2  christos                            const unsigned char *mac_secret,
    136  1.1.1.2  christos                            size_t mac_secret_length, char is_sslv3)
    137      1.1  christos {
    138      1.1  christos     union {
    139      1.1  christos         double align;
    140      1.1  christos         unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
    141      1.1  christos     } md_state;
    142      1.1  christos     void (*md_final_raw) (void *ctx, unsigned char *md_out);
    143      1.1  christos     void (*md_transform) (void *ctx, const unsigned char *block);
    144  1.1.1.2  christos     size_t md_size, md_block_size = 64;
    145  1.1.1.2  christos     size_t sslv3_pad_length = 40, header_length, variance_blocks,
    146      1.1  christos         len, max_mac_bytes, num_blocks,
    147      1.1  christos         num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
    148  1.1.1.2  christos     size_t bits;          /* at most 18 bits */
    149      1.1  christos     unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
    150      1.1  christos     /* hmac_pad is the masked HMAC key. */
    151      1.1  christos     unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
    152      1.1  christos     unsigned char first_block[MAX_HASH_BLOCK_SIZE];
    153      1.1  christos     unsigned char mac_out[EVP_MAX_MD_SIZE];
    154  1.1.1.2  christos     size_t i, j;
    155  1.1.1.2  christos     unsigned md_out_size_u;
    156  1.1.1.2  christos     EVP_MD_CTX *md_ctx = NULL;
    157      1.1  christos     /*
    158      1.1  christos      * mdLengthSize is the number of bytes in the length field that
    159      1.1  christos      * terminates * the hash.
    160      1.1  christos      */
    161  1.1.1.2  christos     size_t md_length_size = 8;
    162      1.1  christos     char length_is_big_endian = 1;
    163  1.1.1.2  christos     int ret;
    164      1.1  christos 
    165      1.1  christos     /*
    166      1.1  christos      * This is a, hopefully redundant, check that allows us to forget about
    167      1.1  christos      * many possible overflows later in this function.
    168      1.1  christos      */
    169  1.1.1.2  christos     if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024))
    170  1.1.1.2  christos         return 0;
    171      1.1  christos 
    172      1.1  christos     switch (EVP_MD_CTX_type(ctx)) {
    173      1.1  christos     case NID_md5:
    174      1.1  christos         if (MD5_Init((MD5_CTX *)md_state.c) <= 0)
    175      1.1  christos             return 0;
    176      1.1  christos         md_final_raw = tls1_md5_final_raw;
    177      1.1  christos         md_transform =
    178      1.1  christos             (void (*)(void *ctx, const unsigned char *block))MD5_Transform;
    179      1.1  christos         md_size = 16;
    180      1.1  christos         sslv3_pad_length = 48;
    181      1.1  christos         length_is_big_endian = 0;
    182      1.1  christos         break;
    183      1.1  christos     case NID_sha1:
    184      1.1  christos         if (SHA1_Init((SHA_CTX *)md_state.c) <= 0)
    185      1.1  christos             return 0;
    186      1.1  christos         md_final_raw = tls1_sha1_final_raw;
    187      1.1  christos         md_transform =
    188      1.1  christos             (void (*)(void *ctx, const unsigned char *block))SHA1_Transform;
    189      1.1  christos         md_size = 20;
    190      1.1  christos         break;
    191      1.1  christos     case NID_sha224:
    192      1.1  christos         if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0)
    193      1.1  christos             return 0;
    194      1.1  christos         md_final_raw = tls1_sha256_final_raw;
    195      1.1  christos         md_transform =
    196      1.1  christos             (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
    197      1.1  christos         md_size = 224 / 8;
    198      1.1  christos         break;
    199      1.1  christos     case NID_sha256:
    200      1.1  christos         if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0)
    201      1.1  christos             return 0;
    202      1.1  christos         md_final_raw = tls1_sha256_final_raw;
    203      1.1  christos         md_transform =
    204      1.1  christos             (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
    205      1.1  christos         md_size = 32;
    206      1.1  christos         break;
    207      1.1  christos     case NID_sha384:
    208      1.1  christos         if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0)
    209      1.1  christos             return 0;
    210      1.1  christos         md_final_raw = tls1_sha512_final_raw;
    211      1.1  christos         md_transform =
    212      1.1  christos             (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
    213      1.1  christos         md_size = 384 / 8;
    214      1.1  christos         md_block_size = 128;
    215      1.1  christos         md_length_size = 16;
    216      1.1  christos         break;
    217      1.1  christos     case NID_sha512:
    218      1.1  christos         if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0)
    219      1.1  christos             return 0;
    220      1.1  christos         md_final_raw = tls1_sha512_final_raw;
    221      1.1  christos         md_transform =
    222      1.1  christos             (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
    223      1.1  christos         md_size = 64;
    224      1.1  christos         md_block_size = 128;
    225      1.1  christos         md_length_size = 16;
    226      1.1  christos         break;
    227      1.1  christos     default:
    228      1.1  christos         /*
    229      1.1  christos          * ssl3_cbc_record_digest_supported should have been called first to
    230      1.1  christos          * check that the hash function is supported.
    231      1.1  christos          */
    232  1.1.1.2  christos         if (md_out_size != NULL)
    233      1.1  christos             *md_out_size = 0;
    234  1.1.1.2  christos         return ossl_assert(0);
    235      1.1  christos     }
    236      1.1  christos 
    237  1.1.1.2  christos     if (!ossl_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES)
    238  1.1.1.2  christos             || !ossl_assert(md_block_size <= MAX_HASH_BLOCK_SIZE)
    239  1.1.1.2  christos             || !ossl_assert(md_size <= EVP_MAX_MD_SIZE))
    240  1.1.1.2  christos         return 0;
    241      1.1  christos 
    242      1.1  christos     header_length = 13;
    243      1.1  christos     if (is_sslv3) {
    244      1.1  christos         header_length = mac_secret_length + sslv3_pad_length + 8 /* sequence
    245      1.1  christos                                                                   * number */  +
    246      1.1  christos             1 /* record type */  +
    247      1.1  christos             2 /* record length */ ;
    248      1.1  christos     }
    249      1.1  christos 
    250      1.1  christos     /*
    251      1.1  christos      * variance_blocks is the number of blocks of the hash that we have to
    252      1.1  christos      * calculate in constant time because they could be altered by the
    253      1.1  christos      * padding value. In SSLv3, the padding must be minimal so the end of
    254      1.1  christos      * the plaintext varies by, at most, 15+20 = 35 bytes. (We conservatively
    255      1.1  christos      * assume that the MAC size varies from 0..20 bytes.) In case the 9 bytes
    256      1.1  christos      * of hash termination (0x80 + 64-bit length) don't fit in the final
    257      1.1  christos      * block, we say that the final two blocks can vary based on the padding.
    258      1.1  christos      * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
    259  1.1.1.2  christos      * required to be minimal. Therefore we say that the final |variance_blocks|
    260  1.1.1.2  christos      * blocks can
    261      1.1  christos      * vary based on the padding. Later in the function, if the message is
    262      1.1  christos      * short and there obviously cannot be this many blocks then
    263      1.1  christos      * variance_blocks can be reduced.
    264      1.1  christos      */
    265  1.1.1.2  christos     variance_blocks = is_sslv3 ? 2 : ( ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1);
    266      1.1  christos     /*
    267      1.1  christos      * From now on we're dealing with the MAC, which conceptually has 13
    268      1.1  christos      * bytes of `header' before the start of the data (TLS) or 71/75 bytes
    269      1.1  christos      * (SSLv3)
    270      1.1  christos      */
    271      1.1  christos     len = data_plus_mac_plus_padding_size + header_length;
    272      1.1  christos     /*
    273      1.1  christos      * max_mac_bytes contains the maximum bytes of bytes in the MAC,
    274      1.1  christos      * including * |header|, assuming that there's no padding.
    275      1.1  christos      */
    276      1.1  christos     max_mac_bytes = len - md_size - 1;
    277      1.1  christos     /* num_blocks is the maximum number of hash blocks. */
    278      1.1  christos     num_blocks =
    279      1.1  christos         (max_mac_bytes + 1 + md_length_size + md_block_size -
    280      1.1  christos          1) / md_block_size;
    281      1.1  christos     /*
    282      1.1  christos      * In order to calculate the MAC in constant time we have to handle the
    283      1.1  christos      * final blocks specially because the padding value could cause the end
    284      1.1  christos      * to appear somewhere in the final |variance_blocks| blocks and we can't
    285      1.1  christos      * leak where. However, |num_starting_blocks| worth of data can be hashed
    286      1.1  christos      * right away because no padding value can affect whether they are
    287      1.1  christos      * plaintext.
    288      1.1  christos      */
    289      1.1  christos     num_starting_blocks = 0;
    290      1.1  christos     /*
    291      1.1  christos      * k is the starting byte offset into the conceptual header||data where
    292      1.1  christos      * we start processing.
    293      1.1  christos      */
    294      1.1  christos     k = 0;
    295      1.1  christos     /*
    296      1.1  christos      * mac_end_offset is the index just past the end of the data to be MACed.
    297      1.1  christos      */
    298      1.1  christos     mac_end_offset = data_plus_mac_size + header_length - md_size;
    299      1.1  christos     /*
    300      1.1  christos      * c is the index of the 0x80 byte in the final hash block that contains
    301      1.1  christos      * application data.
    302      1.1  christos      */
    303      1.1  christos     c = mac_end_offset % md_block_size;
    304      1.1  christos     /*
    305      1.1  christos      * index_a is the hash block number that contains the 0x80 terminating
    306      1.1  christos      * value.
    307      1.1  christos      */
    308      1.1  christos     index_a = mac_end_offset / md_block_size;
    309      1.1  christos     /*
    310      1.1  christos      * index_b is the hash block number that contains the 64-bit hash length,
    311      1.1  christos      * in bits.
    312      1.1  christos      */
    313      1.1  christos     index_b = (mac_end_offset + md_length_size) / md_block_size;
    314      1.1  christos     /*
    315      1.1  christos      * bits is the hash-length in bits. It includes the additional hash block
    316      1.1  christos      * for the masked HMAC key, or whole of |header| in the case of SSLv3.
    317      1.1  christos      */
    318      1.1  christos 
    319      1.1  christos     /*
    320      1.1  christos      * For SSLv3, if we're going to have any starting blocks then we need at
    321      1.1  christos      * least two because the header is larger than a single block.
    322      1.1  christos      */
    323      1.1  christos     if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) {
    324      1.1  christos         num_starting_blocks = num_blocks - variance_blocks;
    325      1.1  christos         k = md_block_size * num_starting_blocks;
    326      1.1  christos     }
    327      1.1  christos 
    328      1.1  christos     bits = 8 * mac_end_offset;
    329      1.1  christos     if (!is_sslv3) {
    330      1.1  christos         /*
    331      1.1  christos          * Compute the initial HMAC block. For SSLv3, the padding and secret
    332      1.1  christos          * bytes are included in |header| because they take more than a
    333      1.1  christos          * single block.
    334      1.1  christos          */
    335      1.1  christos         bits += 8 * md_block_size;
    336      1.1  christos         memset(hmac_pad, 0, md_block_size);
    337  1.1.1.2  christos         if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad)))
    338  1.1.1.2  christos             return 0;
    339      1.1  christos         memcpy(hmac_pad, mac_secret, mac_secret_length);
    340      1.1  christos         for (i = 0; i < md_block_size; i++)
    341      1.1  christos             hmac_pad[i] ^= 0x36;
    342      1.1  christos 
    343      1.1  christos         md_transform(md_state.c, hmac_pad);
    344      1.1  christos     }
    345      1.1  christos 
    346      1.1  christos     if (length_is_big_endian) {
    347      1.1  christos         memset(length_bytes, 0, md_length_size - 4);
    348      1.1  christos         length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24);
    349      1.1  christos         length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16);
    350      1.1  christos         length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8);
    351      1.1  christos         length_bytes[md_length_size - 1] = (unsigned char)bits;
    352      1.1  christos     } else {
    353      1.1  christos         memset(length_bytes, 0, md_length_size);
    354      1.1  christos         length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24);
    355      1.1  christos         length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16);
    356      1.1  christos         length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8);
    357      1.1  christos         length_bytes[md_length_size - 8] = (unsigned char)bits;
    358      1.1  christos     }
    359      1.1  christos 
    360      1.1  christos     if (k > 0) {
    361      1.1  christos         if (is_sslv3) {
    362  1.1.1.2  christos             size_t overhang;
    363      1.1  christos 
    364      1.1  christos             /*
    365      1.1  christos              * The SSLv3 header is larger than a single block. overhang is
    366      1.1  christos              * the number of bytes beyond a single block that the header
    367      1.1  christos              * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no
    368      1.1  christos              * ciphersuites in SSLv3 that are not SHA1 or MD5 based and
    369      1.1  christos              * therefore we can be confident that the header_length will be
    370      1.1  christos              * greater than |md_block_size|. However we add a sanity check just
    371      1.1  christos              * in case
    372      1.1  christos              */
    373      1.1  christos             if (header_length <= md_block_size) {
    374      1.1  christos                 /* Should never happen */
    375      1.1  christos                 return 0;
    376      1.1  christos             }
    377      1.1  christos             overhang = header_length - md_block_size;
    378      1.1  christos             md_transform(md_state.c, header);
    379      1.1  christos             memcpy(first_block, header + md_block_size, overhang);
    380      1.1  christos             memcpy(first_block + overhang, data, md_block_size - overhang);
    381      1.1  christos             md_transform(md_state.c, first_block);
    382      1.1  christos             for (i = 1; i < k / md_block_size - 1; i++)
    383      1.1  christos                 md_transform(md_state.c, data + md_block_size * i - overhang);
    384      1.1  christos         } else {
    385      1.1  christos             /* k is a multiple of md_block_size. */
    386      1.1  christos             memcpy(first_block, header, 13);
    387      1.1  christos             memcpy(first_block + 13, data, md_block_size - 13);
    388      1.1  christos             md_transform(md_state.c, first_block);
    389      1.1  christos             for (i = 1; i < k / md_block_size; i++)
    390      1.1  christos                 md_transform(md_state.c, data + md_block_size * i - 13);
    391      1.1  christos         }
    392      1.1  christos     }
    393      1.1  christos 
    394      1.1  christos     memset(mac_out, 0, sizeof(mac_out));
    395      1.1  christos 
    396      1.1  christos     /*
    397      1.1  christos      * We now process the final hash blocks. For each block, we construct it
    398      1.1  christos      * in constant time. If the |i==index_a| then we'll include the 0x80
    399      1.1  christos      * bytes and zero pad etc. For each block we selectively copy it, in
    400      1.1  christos      * constant time, to |mac_out|.
    401      1.1  christos      */
    402      1.1  christos     for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks;
    403      1.1  christos          i++) {
    404      1.1  christos         unsigned char block[MAX_HASH_BLOCK_SIZE];
    405  1.1.1.2  christos         unsigned char is_block_a = constant_time_eq_8_s(i, index_a);
    406  1.1.1.2  christos         unsigned char is_block_b = constant_time_eq_8_s(i, index_b);
    407      1.1  christos         for (j = 0; j < md_block_size; j++) {
    408      1.1  christos             unsigned char b = 0, is_past_c, is_past_cp1;
    409      1.1  christos             if (k < header_length)
    410      1.1  christos                 b = header[k];
    411      1.1  christos             else if (k < data_plus_mac_plus_padding_size + header_length)
    412      1.1  christos                 b = data[k - header_length];
    413      1.1  christos             k++;
    414      1.1  christos 
    415  1.1.1.2  christos             is_past_c = is_block_a & constant_time_ge_8_s(j, c);
    416  1.1.1.2  christos             is_past_cp1 = is_block_a & constant_time_ge_8_s(j, c + 1);
    417      1.1  christos             /*
    418      1.1  christos              * If this is the block containing the end of the application
    419      1.1  christos              * data, and we are at the offset for the 0x80 value, then
    420      1.1  christos              * overwrite b with 0x80.
    421      1.1  christos              */
    422      1.1  christos             b = constant_time_select_8(is_past_c, 0x80, b);
    423      1.1  christos             /*
    424  1.1.1.2  christos              * If this block contains the end of the application data
    425  1.1.1.2  christos              * and we're past the 0x80 value then just write zero.
    426      1.1  christos              */
    427      1.1  christos             b = b & ~is_past_cp1;
    428      1.1  christos             /*
    429      1.1  christos              * If this is index_b (the final block), but not index_a (the end
    430      1.1  christos              * of the data), then the 64-bit length didn't fit into index_a
    431      1.1  christos              * and we're having to add an extra block of zeros.
    432      1.1  christos              */
    433      1.1  christos             b &= ~is_block_b | is_block_a;
    434      1.1  christos 
    435      1.1  christos             /*
    436      1.1  christos              * The final bytes of one of the blocks contains the length.
    437      1.1  christos              */
    438      1.1  christos             if (j >= md_block_size - md_length_size) {
    439      1.1  christos                 /* If this is index_b, write a length byte. */
    440      1.1  christos                 b = constant_time_select_8(is_block_b,
    441      1.1  christos                                            length_bytes[j -
    442      1.1  christos                                                         (md_block_size -
    443      1.1  christos                                                          md_length_size)], b);
    444      1.1  christos             }
    445      1.1  christos             block[j] = b;
    446      1.1  christos         }
    447      1.1  christos 
    448      1.1  christos         md_transform(md_state.c, block);
    449      1.1  christos         md_final_raw(md_state.c, block);
    450      1.1  christos         /* If this is index_b, copy the hash value to |mac_out|. */
    451      1.1  christos         for (j = 0; j < md_size; j++)
    452      1.1  christos             mac_out[j] |= block[j] & is_block_b;
    453      1.1  christos     }
    454      1.1  christos 
    455  1.1.1.2  christos     md_ctx = EVP_MD_CTX_new();
    456  1.1.1.2  christos     if (md_ctx == NULL)
    457  1.1.1.2  christos         goto err;
    458  1.1.1.2  christos     if (EVP_DigestInit_ex(md_ctx, EVP_MD_CTX_md(ctx), NULL /* engine */ ) <= 0)
    459      1.1  christos         goto err;
    460      1.1  christos     if (is_sslv3) {
    461      1.1  christos         /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
    462      1.1  christos         memset(hmac_pad, 0x5c, sslv3_pad_length);
    463      1.1  christos 
    464  1.1.1.2  christos         if (EVP_DigestUpdate(md_ctx, mac_secret, mac_secret_length) <= 0
    465  1.1.1.2  christos             || EVP_DigestUpdate(md_ctx, hmac_pad, sslv3_pad_length) <= 0
    466  1.1.1.2  christos             || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
    467      1.1  christos             goto err;
    468      1.1  christos     } else {
    469      1.1  christos         /* Complete the HMAC in the standard manner. */
    470      1.1  christos         for (i = 0; i < md_block_size; i++)
    471      1.1  christos             hmac_pad[i] ^= 0x6a;
    472      1.1  christos 
    473  1.1.1.2  christos         if (EVP_DigestUpdate(md_ctx, hmac_pad, md_block_size) <= 0
    474  1.1.1.2  christos             || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
    475      1.1  christos             goto err;
    476      1.1  christos     }
    477  1.1.1.2  christos     /* TODO(size_t): Convert me */
    478  1.1.1.2  christos     ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u);
    479  1.1.1.2  christos     if (ret && md_out_size)
    480      1.1  christos         *md_out_size = md_out_size_u;
    481  1.1.1.2  christos     EVP_MD_CTX_free(md_ctx);
    482      1.1  christos 
    483      1.1  christos     return 1;
    484  1.1.1.2  christos  err:
    485  1.1.1.2  christos     EVP_MD_CTX_free(md_ctx);
    486      1.1  christos     return 0;
    487      1.1  christos }
    488