Home | History | Annotate | Line # | Download | only in ssl
s3_cbc.c revision 1.1
      1  1.1  christos /* ssl/s3_cbc.c */
      2  1.1  christos /* ====================================================================
      3  1.1  christos  * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
      4  1.1  christos  *
      5  1.1  christos  * Redistribution and use in source and binary forms, with or without
      6  1.1  christos  * modification, are permitted provided that the following conditions
      7  1.1  christos  * are met:
      8  1.1  christos  *
      9  1.1  christos  * 1. Redistributions of source code must retain the above copyright
     10  1.1  christos  *    notice, this list of conditions and the following disclaimer.
     11  1.1  christos  *
     12  1.1  christos  * 2. Redistributions in binary form must reproduce the above copyright
     13  1.1  christos  *    notice, this list of conditions and the following disclaimer in
     14  1.1  christos  *    the documentation and/or other materials provided with the
     15  1.1  christos  *    distribution.
     16  1.1  christos  *
     17  1.1  christos  * 3. All advertising materials mentioning features or use of this
     18  1.1  christos  *    software must display the following acknowledgment:
     19  1.1  christos  *    "This product includes software developed by the OpenSSL Project
     20  1.1  christos  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
     21  1.1  christos  *
     22  1.1  christos  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     23  1.1  christos  *    endorse or promote products derived from this software without
     24  1.1  christos  *    prior written permission. For written permission, please contact
     25  1.1  christos  *    openssl-core (at) openssl.org.
     26  1.1  christos  *
     27  1.1  christos  * 5. Products derived from this software may not be called "OpenSSL"
     28  1.1  christos  *    nor may "OpenSSL" appear in their names without prior written
     29  1.1  christos  *    permission of the OpenSSL Project.
     30  1.1  christos  *
     31  1.1  christos  * 6. Redistributions of any form whatsoever must retain the following
     32  1.1  christos  *    acknowledgment:
     33  1.1  christos  *    "This product includes software developed by the OpenSSL Project
     34  1.1  christos  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
     35  1.1  christos  *
     36  1.1  christos  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     37  1.1  christos  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     38  1.1  christos  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     39  1.1  christos  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     40  1.1  christos  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     41  1.1  christos  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     42  1.1  christos  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     43  1.1  christos  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     44  1.1  christos  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     45  1.1  christos  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     46  1.1  christos  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
     47  1.1  christos  * OF THE POSSIBILITY OF SUCH DAMAGE.
     48  1.1  christos  * ====================================================================
     49  1.1  christos  *
     50  1.1  christos  * This product includes cryptographic software written by Eric Young
     51  1.1  christos  * (eay (at) cryptsoft.com).  This product includes software written by Tim
     52  1.1  christos  * Hudson (tjh (at) cryptsoft.com).
     53  1.1  christos  *
     54  1.1  christos  */
     55  1.1  christos 
     56  1.1  christos #include "../crypto/constant_time_locl.h"
     57  1.1  christos #include "ssl_locl.h"
     58  1.1  christos 
     59  1.1  christos #include <openssl/md5.h>
     60  1.1  christos #include <openssl/sha.h>
     61  1.1  christos 
     62  1.1  christos /*
     63  1.1  christos  * MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's
     64  1.1  christos  * length field. (SHA-384/512 have 128-bit length.)
     65  1.1  christos  */
     66  1.1  christos #define MAX_HASH_BIT_COUNT_BYTES 16
     67  1.1  christos 
     68  1.1  christos /*
     69  1.1  christos  * MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
     70  1.1  christos  * Currently SHA-384/512 has a 128-byte block size and that's the largest
     71  1.1  christos  * supported by TLS.)
     72  1.1  christos  */
     73  1.1  christos #define MAX_HASH_BLOCK_SIZE 128
     74  1.1  christos 
     75  1.1  christos /*-
     76  1.1  christos  * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
     77  1.1  christos  * record in |rec| by updating |rec->length| in constant time.
     78  1.1  christos  *
     79  1.1  christos  * block_size: the block size of the cipher used to encrypt the record.
     80  1.1  christos  * returns:
     81  1.1  christos  *   0: (in non-constant time) if the record is publicly invalid.
     82  1.1  christos  *   1: if the padding was valid
     83  1.1  christos  *  -1: otherwise.
     84  1.1  christos  */
     85  1.1  christos int ssl3_cbc_remove_padding(const SSL *s,
     86  1.1  christos                             SSL3_RECORD *rec,
     87  1.1  christos                             unsigned block_size, unsigned mac_size)
     88  1.1  christos {
     89  1.1  christos     unsigned padding_length, good;
     90  1.1  christos     const unsigned overhead = 1 /* padding length byte */  + mac_size;
     91  1.1  christos 
     92  1.1  christos     /*
     93  1.1  christos      * These lengths are all public so we can test them in non-constant time.
     94  1.1  christos      */
     95  1.1  christos     if (overhead > rec->length)
     96  1.1  christos         return 0;
     97  1.1  christos 
     98  1.1  christos     padding_length = rec->data[rec->length - 1];
     99  1.1  christos     good = constant_time_ge(rec->length, padding_length + overhead);
    100  1.1  christos     /* SSLv3 requires that the padding is minimal. */
    101  1.1  christos     good &= constant_time_ge(block_size, padding_length + 1);
    102  1.1  christos     padding_length = good & (padding_length + 1);
    103  1.1  christos     rec->length -= padding_length;
    104  1.1  christos     rec->type |= padding_length << 8; /* kludge: pass padding length */
    105  1.1  christos     return constant_time_select_int(good, 1, -1);
    106  1.1  christos }
    107  1.1  christos 
    108  1.1  christos /*-
    109  1.1  christos  * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
    110  1.1  christos  * record in |rec| in constant time and returns 1 if the padding is valid and
    111  1.1  christos  * -1 otherwise. It also removes any explicit IV from the start of the record
    112  1.1  christos  * without leaking any timing about whether there was enough space after the
    113  1.1  christos  * padding was removed.
    114  1.1  christos  *
    115  1.1  christos  * block_size: the block size of the cipher used to encrypt the record.
    116  1.1  christos  * returns:
    117  1.1  christos  *   0: (in non-constant time) if the record is publicly invalid.
    118  1.1  christos  *   1: if the padding was valid
    119  1.1  christos  *  -1: otherwise.
    120  1.1  christos  */
    121  1.1  christos int tls1_cbc_remove_padding(const SSL *s,
    122  1.1  christos                             SSL3_RECORD *rec,
    123  1.1  christos                             unsigned block_size, unsigned mac_size)
    124  1.1  christos {
    125  1.1  christos     unsigned padding_length, good, to_check, i;
    126  1.1  christos     const unsigned overhead = 1 /* padding length byte */  + mac_size;
    127  1.1  christos     /* Check if version requires explicit IV */
    128  1.1  christos     if (SSL_USE_EXPLICIT_IV(s)) {
    129  1.1  christos         /*
    130  1.1  christos          * These lengths are all public so we can test them in non-constant
    131  1.1  christos          * time.
    132  1.1  christos          */
    133  1.1  christos         if (overhead + block_size > rec->length)
    134  1.1  christos             return 0;
    135  1.1  christos         /* We can now safely skip explicit IV */
    136  1.1  christos         rec->data += block_size;
    137  1.1  christos         rec->input += block_size;
    138  1.1  christos         rec->length -= block_size;
    139  1.1  christos     } else if (overhead > rec->length)
    140  1.1  christos         return 0;
    141  1.1  christos 
    142  1.1  christos     padding_length = rec->data[rec->length - 1];
    143  1.1  christos 
    144  1.1  christos     /*
    145  1.1  christos      * NB: if compression is in operation the first packet may not be of even
    146  1.1  christos      * length so the padding bug check cannot be performed. This bug
    147  1.1  christos      * workaround has been around since SSLeay so hopefully it is either
    148  1.1  christos      * fixed now or no buggy implementation supports compression [steve]
    149  1.1  christos      */
    150  1.1  christos     if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) {
    151  1.1  christos         /* First packet is even in size, so check */
    152  1.1  christos         if ((CRYPTO_memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0", 8) == 0) &&
    153  1.1  christos             !(padding_length & 1)) {
    154  1.1  christos             s->s3->flags |= TLS1_FLAGS_TLS_PADDING_BUG;
    155  1.1  christos         }
    156  1.1  christos         if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) && padding_length > 0) {
    157  1.1  christos             padding_length--;
    158  1.1  christos         }
    159  1.1  christos     }
    160  1.1  christos 
    161  1.1  christos     if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
    162  1.1  christos         /* padding is already verified */
    163  1.1  christos         rec->length -= padding_length + 1;
    164  1.1  christos         return 1;
    165  1.1  christos     }
    166  1.1  christos 
    167  1.1  christos     good = constant_time_ge(rec->length, overhead + padding_length);
    168  1.1  christos     /*
    169  1.1  christos      * The padding consists of a length byte at the end of the record and
    170  1.1  christos      * then that many bytes of padding, all with the same value as the length
    171  1.1  christos      * byte. Thus, with the length byte included, there are i+1 bytes of
    172  1.1  christos      * padding. We can't check just |padding_length+1| bytes because that
    173  1.1  christos      * leaks decrypted information. Therefore we always have to check the
    174  1.1  christos      * maximum amount of padding possible. (Again, the length of the record
    175  1.1  christos      * is public information so we can use it.)
    176  1.1  christos      */
    177  1.1  christos     to_check = 255;             /* maximum amount of padding. */
    178  1.1  christos     if (to_check > rec->length - 1)
    179  1.1  christos         to_check = rec->length - 1;
    180  1.1  christos 
    181  1.1  christos     for (i = 0; i < to_check; i++) {
    182  1.1  christos         unsigned char mask = constant_time_ge_8(padding_length, i);
    183  1.1  christos         unsigned char b = rec->data[rec->length - 1 - i];
    184  1.1  christos         /*
    185  1.1  christos          * The final |padding_length+1| bytes should all have the value
    186  1.1  christos          * |padding_length|. Therefore the XOR should be zero.
    187  1.1  christos          */
    188  1.1  christos         good &= ~(mask & (padding_length ^ b));
    189  1.1  christos     }
    190  1.1  christos 
    191  1.1  christos     /*
    192  1.1  christos      * If any of the final |padding_length+1| bytes had the wrong value, one
    193  1.1  christos      * or more of the lower eight bits of |good| will be cleared.
    194  1.1  christos      */
    195  1.1  christos     good = constant_time_eq(0xff, good & 0xff);
    196  1.1  christos     padding_length = good & (padding_length + 1);
    197  1.1  christos     rec->length -= padding_length;
    198  1.1  christos     rec->type |= padding_length << 8; /* kludge: pass padding length */
    199  1.1  christos 
    200  1.1  christos     return constant_time_select_int(good, 1, -1);
    201  1.1  christos }
    202  1.1  christos 
    203  1.1  christos /*-
    204  1.1  christos  * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
    205  1.1  christos  * constant time (independent of the concrete value of rec->length, which may
    206  1.1  christos  * vary within a 256-byte window).
    207  1.1  christos  *
    208  1.1  christos  * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
    209  1.1  christos  * this function.
    210  1.1  christos  *
    211  1.1  christos  * On entry:
    212  1.1  christos  *   rec->orig_len >= md_size
    213  1.1  christos  *   md_size <= EVP_MAX_MD_SIZE
    214  1.1  christos  *
    215  1.1  christos  * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
    216  1.1  christos  * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
    217  1.1  christos  * a single or pair of cache-lines, then the variable memory accesses don't
    218  1.1  christos  * actually affect the timing. CPUs with smaller cache-lines [if any] are
    219  1.1  christos  * not multi-core and are not considered vulnerable to cache-timing attacks.
    220  1.1  christos  */
    221  1.1  christos #define CBC_MAC_ROTATE_IN_PLACE
    222  1.1  christos 
    223  1.1  christos void ssl3_cbc_copy_mac(unsigned char *out,
    224  1.1  christos                        const SSL3_RECORD *rec,
    225  1.1  christos                        unsigned md_size, unsigned orig_len)
    226  1.1  christos {
    227  1.1  christos #if defined(CBC_MAC_ROTATE_IN_PLACE)
    228  1.1  christos     unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
    229  1.1  christos     unsigned char *rotated_mac;
    230  1.1  christos #else
    231  1.1  christos     unsigned char rotated_mac[EVP_MAX_MD_SIZE];
    232  1.1  christos #endif
    233  1.1  christos 
    234  1.1  christos     /*
    235  1.1  christos      * mac_end is the index of |rec->data| just after the end of the MAC.
    236  1.1  christos      */
    237  1.1  christos     unsigned mac_end = rec->length;
    238  1.1  christos     unsigned mac_start = mac_end - md_size;
    239  1.1  christos     /*
    240  1.1  christos      * scan_start contains the number of bytes that we can ignore because the
    241  1.1  christos      * MAC's position can only vary by 255 bytes.
    242  1.1  christos      */
    243  1.1  christos     unsigned scan_start = 0;
    244  1.1  christos     unsigned i, j;
    245  1.1  christos     unsigned div_spoiler;
    246  1.1  christos     unsigned rotate_offset;
    247  1.1  christos 
    248  1.1  christos     OPENSSL_assert(orig_len >= md_size);
    249  1.1  christos     OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
    250  1.1  christos 
    251  1.1  christos #if defined(CBC_MAC_ROTATE_IN_PLACE)
    252  1.1  christos     rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf) & 63);
    253  1.1  christos #endif
    254  1.1  christos 
    255  1.1  christos     /* This information is public so it's safe to branch based on it. */
    256  1.1  christos     if (orig_len > md_size + 255 + 1)
    257  1.1  christos         scan_start = orig_len - (md_size + 255 + 1);
    258  1.1  christos     /*
    259  1.1  christos      * div_spoiler contains a multiple of md_size that is used to cause the
    260  1.1  christos      * modulo operation to be constant time. Without this, the time varies
    261  1.1  christos      * based on the amount of padding when running on Intel chips at least.
    262  1.1  christos      * The aim of right-shifting md_size is so that the compiler doesn't
    263  1.1  christos      * figure out that it can remove div_spoiler as that would require it to
    264  1.1  christos      * prove that md_size is always even, which I hope is beyond it.
    265  1.1  christos      */
    266  1.1  christos     div_spoiler = md_size >> 1;
    267  1.1  christos     div_spoiler <<= (sizeof(div_spoiler) - 1) * 8;
    268  1.1  christos     rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
    269  1.1  christos 
    270  1.1  christos     memset(rotated_mac, 0, md_size);
    271  1.1  christos     for (i = scan_start, j = 0; i < orig_len; i++) {
    272  1.1  christos         unsigned char mac_started = constant_time_ge_8(i, mac_start);
    273  1.1  christos         unsigned char mac_ended = constant_time_ge_8(i, mac_end);
    274  1.1  christos         unsigned char b = rec->data[i];
    275  1.1  christos         rotated_mac[j++] |= b & mac_started & ~mac_ended;
    276  1.1  christos         j &= constant_time_lt(j, md_size);
    277  1.1  christos     }
    278  1.1  christos 
    279  1.1  christos     /* Now rotate the MAC */
    280  1.1  christos #if defined(CBC_MAC_ROTATE_IN_PLACE)
    281  1.1  christos     j = 0;
    282  1.1  christos     for (i = 0; i < md_size; i++) {
    283  1.1  christos         /* in case cache-line is 32 bytes, touch second line */
    284  1.1  christos         ((volatile unsigned char *)rotated_mac)[rotate_offset ^ 32];
    285  1.1  christos         out[j++] = rotated_mac[rotate_offset++];
    286  1.1  christos         rotate_offset &= constant_time_lt(rotate_offset, md_size);
    287  1.1  christos     }
    288  1.1  christos #else
    289  1.1  christos     memset(out, 0, md_size);
    290  1.1  christos     rotate_offset = md_size - rotate_offset;
    291  1.1  christos     rotate_offset &= constant_time_lt(rotate_offset, md_size);
    292  1.1  christos     for (i = 0; i < md_size; i++) {
    293  1.1  christos         for (j = 0; j < md_size; j++)
    294  1.1  christos             out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
    295  1.1  christos         rotate_offset++;
    296  1.1  christos         rotate_offset &= constant_time_lt(rotate_offset, md_size);
    297  1.1  christos     }
    298  1.1  christos #endif
    299  1.1  christos }
    300  1.1  christos 
    301  1.1  christos /*
    302  1.1  christos  * u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
    303  1.1  christos  * little-endian order. The value of p is advanced by four.
    304  1.1  christos  */
    305  1.1  christos #define u32toLE(n, p) \
    306  1.1  christos         (*((p)++)=(unsigned char)(n), \
    307  1.1  christos          *((p)++)=(unsigned char)(n>>8), \
    308  1.1  christos          *((p)++)=(unsigned char)(n>>16), \
    309  1.1  christos          *((p)++)=(unsigned char)(n>>24))
    310  1.1  christos 
    311  1.1  christos /*
    312  1.1  christos  * These functions serialize the state of a hash and thus perform the
    313  1.1  christos  * standard "final" operation without adding the padding and length that such
    314  1.1  christos  * a function typically does.
    315  1.1  christos  */
    316  1.1  christos static void tls1_md5_final_raw(void *ctx, unsigned char *md_out)
    317  1.1  christos {
    318  1.1  christos     MD5_CTX *md5 = ctx;
    319  1.1  christos     u32toLE(md5->A, md_out);
    320  1.1  christos     u32toLE(md5->B, md_out);
    321  1.1  christos     u32toLE(md5->C, md_out);
    322  1.1  christos     u32toLE(md5->D, md_out);
    323  1.1  christos }
    324  1.1  christos 
    325  1.1  christos static void tls1_sha1_final_raw(void *ctx, unsigned char *md_out)
    326  1.1  christos {
    327  1.1  christos     SHA_CTX *sha1 = ctx;
    328  1.1  christos     l2n(sha1->h0, md_out);
    329  1.1  christos     l2n(sha1->h1, md_out);
    330  1.1  christos     l2n(sha1->h2, md_out);
    331  1.1  christos     l2n(sha1->h3, md_out);
    332  1.1  christos     l2n(sha1->h4, md_out);
    333  1.1  christos }
    334  1.1  christos 
    335  1.1  christos #define LARGEST_DIGEST_CTX SHA_CTX
    336  1.1  christos 
    337  1.1  christos #ifndef OPENSSL_NO_SHA256
    338  1.1  christos static void tls1_sha256_final_raw(void *ctx, unsigned char *md_out)
    339  1.1  christos {
    340  1.1  christos     SHA256_CTX *sha256 = ctx;
    341  1.1  christos     unsigned i;
    342  1.1  christos 
    343  1.1  christos     for (i = 0; i < 8; i++) {
    344  1.1  christos         l2n(sha256->h[i], md_out);
    345  1.1  christos     }
    346  1.1  christos }
    347  1.1  christos 
    348  1.1  christos # undef  LARGEST_DIGEST_CTX
    349  1.1  christos # define LARGEST_DIGEST_CTX SHA256_CTX
    350  1.1  christos #endif
    351  1.1  christos 
    352  1.1  christos #ifndef OPENSSL_NO_SHA512
    353  1.1  christos static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
    354  1.1  christos {
    355  1.1  christos     SHA512_CTX *sha512 = ctx;
    356  1.1  christos     unsigned i;
    357  1.1  christos 
    358  1.1  christos     for (i = 0; i < 8; i++) {
    359  1.1  christos         l2n8(sha512->h[i], md_out);
    360  1.1  christos     }
    361  1.1  christos }
    362  1.1  christos 
    363  1.1  christos # undef  LARGEST_DIGEST_CTX
    364  1.1  christos # define LARGEST_DIGEST_CTX SHA512_CTX
    365  1.1  christos #endif
    366  1.1  christos 
    367  1.1  christos /*
    368  1.1  christos  * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
    369  1.1  christos  * which ssl3_cbc_digest_record supports.
    370  1.1  christos  */
    371  1.1  christos char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
    372  1.1  christos {
    373  1.1  christos #ifdef OPENSSL_FIPS
    374  1.1  christos     if (FIPS_mode())
    375  1.1  christos         return 0;
    376  1.1  christos #endif
    377  1.1  christos     switch (EVP_MD_CTX_type(ctx)) {
    378  1.1  christos     case NID_md5:
    379  1.1  christos     case NID_sha1:
    380  1.1  christos #ifndef OPENSSL_NO_SHA256
    381  1.1  christos     case NID_sha224:
    382  1.1  christos     case NID_sha256:
    383  1.1  christos #endif
    384  1.1  christos #ifndef OPENSSL_NO_SHA512
    385  1.1  christos     case NID_sha384:
    386  1.1  christos     case NID_sha512:
    387  1.1  christos #endif
    388  1.1  christos         return 1;
    389  1.1  christos     default:
    390  1.1  christos         return 0;
    391  1.1  christos     }
    392  1.1  christos }
    393  1.1  christos 
    394  1.1  christos /*-
    395  1.1  christos  * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
    396  1.1  christos  * record.
    397  1.1  christos  *
    398  1.1  christos  *   ctx: the EVP_MD_CTX from which we take the hash function.
    399  1.1  christos  *     ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
    400  1.1  christos  *   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
    401  1.1  christos  *   md_out_size: if non-NULL, the number of output bytes is written here.
    402  1.1  christos  *   header: the 13-byte, TLS record header.
    403  1.1  christos  *   data: the record data itself, less any preceeding explicit IV.
    404  1.1  christos  *   data_plus_mac_size: the secret, reported length of the data and MAC
    405  1.1  christos  *     once the padding has been removed.
    406  1.1  christos  *   data_plus_mac_plus_padding_size: the public length of the whole
    407  1.1  christos  *     record, including padding.
    408  1.1  christos  *   is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
    409  1.1  christos  *
    410  1.1  christos  * On entry: by virtue of having been through one of the remove_padding
    411  1.1  christos  * functions, above, we know that data_plus_mac_size is large enough to contain
    412  1.1  christos  * a padding byte and MAC. (If the padding was invalid, it might contain the
    413  1.1  christos  * padding too. )
    414  1.1  christos  * Returns 1 on success or 0 on error
    415  1.1  christos  */
    416  1.1  christos int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
    417  1.1  christos                             unsigned char *md_out,
    418  1.1  christos                             size_t *md_out_size,
    419  1.1  christos                             const unsigned char header[13],
    420  1.1  christos                             const unsigned char *data,
    421  1.1  christos                             size_t data_plus_mac_size,
    422  1.1  christos                             size_t data_plus_mac_plus_padding_size,
    423  1.1  christos                             const unsigned char *mac_secret,
    424  1.1  christos                             unsigned mac_secret_length, char is_sslv3)
    425  1.1  christos {
    426  1.1  christos     union {
    427  1.1  christos         double align;
    428  1.1  christos         unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
    429  1.1  christos     } md_state;
    430  1.1  christos     void (*md_final_raw) (void *ctx, unsigned char *md_out);
    431  1.1  christos     void (*md_transform) (void *ctx, const unsigned char *block);
    432  1.1  christos     unsigned md_size, md_block_size = 64;
    433  1.1  christos     unsigned sslv3_pad_length = 40, header_length, variance_blocks,
    434  1.1  christos         len, max_mac_bytes, num_blocks,
    435  1.1  christos         num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
    436  1.1  christos     unsigned int bits;          /* at most 18 bits */
    437  1.1  christos     unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
    438  1.1  christos     /* hmac_pad is the masked HMAC key. */
    439  1.1  christos     unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
    440  1.1  christos     unsigned char first_block[MAX_HASH_BLOCK_SIZE];
    441  1.1  christos     unsigned char mac_out[EVP_MAX_MD_SIZE];
    442  1.1  christos     unsigned i, j, md_out_size_u;
    443  1.1  christos     EVP_MD_CTX md_ctx;
    444  1.1  christos     /*
    445  1.1  christos      * mdLengthSize is the number of bytes in the length field that
    446  1.1  christos      * terminates * the hash.
    447  1.1  christos      */
    448  1.1  christos     unsigned md_length_size = 8;
    449  1.1  christos     char length_is_big_endian = 1;
    450  1.1  christos 
    451  1.1  christos     /*
    452  1.1  christos      * This is a, hopefully redundant, check that allows us to forget about
    453  1.1  christos      * many possible overflows later in this function.
    454  1.1  christos      */
    455  1.1  christos     OPENSSL_assert(data_plus_mac_plus_padding_size < 1024 * 1024);
    456  1.1  christos 
    457  1.1  christos     switch (EVP_MD_CTX_type(ctx)) {
    458  1.1  christos     case NID_md5:
    459  1.1  christos         if (MD5_Init((MD5_CTX *)md_state.c) <= 0)
    460  1.1  christos             return 0;
    461  1.1  christos         md_final_raw = tls1_md5_final_raw;
    462  1.1  christos         md_transform =
    463  1.1  christos             (void (*)(void *ctx, const unsigned char *block))MD5_Transform;
    464  1.1  christos         md_size = 16;
    465  1.1  christos         sslv3_pad_length = 48;
    466  1.1  christos         length_is_big_endian = 0;
    467  1.1  christos         break;
    468  1.1  christos     case NID_sha1:
    469  1.1  christos         if (SHA1_Init((SHA_CTX *)md_state.c) <= 0)
    470  1.1  christos             return 0;
    471  1.1  christos         md_final_raw = tls1_sha1_final_raw;
    472  1.1  christos         md_transform =
    473  1.1  christos             (void (*)(void *ctx, const unsigned char *block))SHA1_Transform;
    474  1.1  christos         md_size = 20;
    475  1.1  christos         break;
    476  1.1  christos #ifndef OPENSSL_NO_SHA256
    477  1.1  christos     case NID_sha224:
    478  1.1  christos         if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0)
    479  1.1  christos             return 0;
    480  1.1  christos         md_final_raw = tls1_sha256_final_raw;
    481  1.1  christos         md_transform =
    482  1.1  christos             (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
    483  1.1  christos         md_size = 224 / 8;
    484  1.1  christos         break;
    485  1.1  christos     case NID_sha256:
    486  1.1  christos         if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0)
    487  1.1  christos             return 0;
    488  1.1  christos         md_final_raw = tls1_sha256_final_raw;
    489  1.1  christos         md_transform =
    490  1.1  christos             (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
    491  1.1  christos         md_size = 32;
    492  1.1  christos         break;
    493  1.1  christos #endif
    494  1.1  christos #ifndef OPENSSL_NO_SHA512
    495  1.1  christos     case NID_sha384:
    496  1.1  christos         if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0)
    497  1.1  christos             return 0;
    498  1.1  christos         md_final_raw = tls1_sha512_final_raw;
    499  1.1  christos         md_transform =
    500  1.1  christos             (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
    501  1.1  christos         md_size = 384 / 8;
    502  1.1  christos         md_block_size = 128;
    503  1.1  christos         md_length_size = 16;
    504  1.1  christos         break;
    505  1.1  christos     case NID_sha512:
    506  1.1  christos         if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0)
    507  1.1  christos             return 0;
    508  1.1  christos         md_final_raw = tls1_sha512_final_raw;
    509  1.1  christos         md_transform =
    510  1.1  christos             (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
    511  1.1  christos         md_size = 64;
    512  1.1  christos         md_block_size = 128;
    513  1.1  christos         md_length_size = 16;
    514  1.1  christos         break;
    515  1.1  christos #endif
    516  1.1  christos     default:
    517  1.1  christos         /*
    518  1.1  christos          * ssl3_cbc_record_digest_supported should have been called first to
    519  1.1  christos          * check that the hash function is supported.
    520  1.1  christos          */
    521  1.1  christos         OPENSSL_assert(0);
    522  1.1  christos         if (md_out_size)
    523  1.1  christos             *md_out_size = 0;
    524  1.1  christos         return 0;
    525  1.1  christos     }
    526  1.1  christos 
    527  1.1  christos     OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);
    528  1.1  christos     OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE);
    529  1.1  christos     OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
    530  1.1  christos 
    531  1.1  christos     header_length = 13;
    532  1.1  christos     if (is_sslv3) {
    533  1.1  christos         header_length = mac_secret_length + sslv3_pad_length + 8 /* sequence
    534  1.1  christos                                                                   * number */  +
    535  1.1  christos             1 /* record type */  +
    536  1.1  christos             2 /* record length */ ;
    537  1.1  christos     }
    538  1.1  christos 
    539  1.1  christos     /*
    540  1.1  christos      * variance_blocks is the number of blocks of the hash that we have to
    541  1.1  christos      * calculate in constant time because they could be altered by the
    542  1.1  christos      * padding value. In SSLv3, the padding must be minimal so the end of
    543  1.1  christos      * the plaintext varies by, at most, 15+20 = 35 bytes. (We conservatively
    544  1.1  christos      * assume that the MAC size varies from 0..20 bytes.) In case the 9 bytes
    545  1.1  christos      * of hash termination (0x80 + 64-bit length) don't fit in the final
    546  1.1  christos      * block, we say that the final two blocks can vary based on the padding.
    547  1.1  christos      * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
    548  1.1  christos      * required to be minimal. Therefore we say that the final six blocks can
    549  1.1  christos      * vary based on the padding. Later in the function, if the message is
    550  1.1  christos      * short and there obviously cannot be this many blocks then
    551  1.1  christos      * variance_blocks can be reduced.
    552  1.1  christos      */
    553  1.1  christos     variance_blocks = is_sslv3 ? 2 : 6;
    554  1.1  christos     /*
    555  1.1  christos      * From now on we're dealing with the MAC, which conceptually has 13
    556  1.1  christos      * bytes of `header' before the start of the data (TLS) or 71/75 bytes
    557  1.1  christos      * (SSLv3)
    558  1.1  christos      */
    559  1.1  christos     len = data_plus_mac_plus_padding_size + header_length;
    560  1.1  christos     /*
    561  1.1  christos      * max_mac_bytes contains the maximum bytes of bytes in the MAC,
    562  1.1  christos      * including * |header|, assuming that there's no padding.
    563  1.1  christos      */
    564  1.1  christos     max_mac_bytes = len - md_size - 1;
    565  1.1  christos     /* num_blocks is the maximum number of hash blocks. */
    566  1.1  christos     num_blocks =
    567  1.1  christos         (max_mac_bytes + 1 + md_length_size + md_block_size -
    568  1.1  christos          1) / md_block_size;
    569  1.1  christos     /*
    570  1.1  christos      * In order to calculate the MAC in constant time we have to handle the
    571  1.1  christos      * final blocks specially because the padding value could cause the end
    572  1.1  christos      * to appear somewhere in the final |variance_blocks| blocks and we can't
    573  1.1  christos      * leak where. However, |num_starting_blocks| worth of data can be hashed
    574  1.1  christos      * right away because no padding value can affect whether they are
    575  1.1  christos      * plaintext.
    576  1.1  christos      */
    577  1.1  christos     num_starting_blocks = 0;
    578  1.1  christos     /*
    579  1.1  christos      * k is the starting byte offset into the conceptual header||data where
    580  1.1  christos      * we start processing.
    581  1.1  christos      */
    582  1.1  christos     k = 0;
    583  1.1  christos     /*
    584  1.1  christos      * mac_end_offset is the index just past the end of the data to be MACed.
    585  1.1  christos      */
    586  1.1  christos     mac_end_offset = data_plus_mac_size + header_length - md_size;
    587  1.1  christos     /*
    588  1.1  christos      * c is the index of the 0x80 byte in the final hash block that contains
    589  1.1  christos      * application data.
    590  1.1  christos      */
    591  1.1  christos     c = mac_end_offset % md_block_size;
    592  1.1  christos     /*
    593  1.1  christos      * index_a is the hash block number that contains the 0x80 terminating
    594  1.1  christos      * value.
    595  1.1  christos      */
    596  1.1  christos     index_a = mac_end_offset / md_block_size;
    597  1.1  christos     /*
    598  1.1  christos      * index_b is the hash block number that contains the 64-bit hash length,
    599  1.1  christos      * in bits.
    600  1.1  christos      */
    601  1.1  christos     index_b = (mac_end_offset + md_length_size) / md_block_size;
    602  1.1  christos     /*
    603  1.1  christos      * bits is the hash-length in bits. It includes the additional hash block
    604  1.1  christos      * for the masked HMAC key, or whole of |header| in the case of SSLv3.
    605  1.1  christos      */
    606  1.1  christos 
    607  1.1  christos     /*
    608  1.1  christos      * For SSLv3, if we're going to have any starting blocks then we need at
    609  1.1  christos      * least two because the header is larger than a single block.
    610  1.1  christos      */
    611  1.1  christos     if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) {
    612  1.1  christos         num_starting_blocks = num_blocks - variance_blocks;
    613  1.1  christos         k = md_block_size * num_starting_blocks;
    614  1.1  christos     }
    615  1.1  christos 
    616  1.1  christos     bits = 8 * mac_end_offset;
    617  1.1  christos     if (!is_sslv3) {
    618  1.1  christos         /*
    619  1.1  christos          * Compute the initial HMAC block. For SSLv3, the padding and secret
    620  1.1  christos          * bytes are included in |header| because they take more than a
    621  1.1  christos          * single block.
    622  1.1  christos          */
    623  1.1  christos         bits += 8 * md_block_size;
    624  1.1  christos         memset(hmac_pad, 0, md_block_size);
    625  1.1  christos         OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));
    626  1.1  christos         memcpy(hmac_pad, mac_secret, mac_secret_length);
    627  1.1  christos         for (i = 0; i < md_block_size; i++)
    628  1.1  christos             hmac_pad[i] ^= 0x36;
    629  1.1  christos 
    630  1.1  christos         md_transform(md_state.c, hmac_pad);
    631  1.1  christos     }
    632  1.1  christos 
    633  1.1  christos     if (length_is_big_endian) {
    634  1.1  christos         memset(length_bytes, 0, md_length_size - 4);
    635  1.1  christos         length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24);
    636  1.1  christos         length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16);
    637  1.1  christos         length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8);
    638  1.1  christos         length_bytes[md_length_size - 1] = (unsigned char)bits;
    639  1.1  christos     } else {
    640  1.1  christos         memset(length_bytes, 0, md_length_size);
    641  1.1  christos         length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24);
    642  1.1  christos         length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16);
    643  1.1  christos         length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8);
    644  1.1  christos         length_bytes[md_length_size - 8] = (unsigned char)bits;
    645  1.1  christos     }
    646  1.1  christos 
    647  1.1  christos     if (k > 0) {
    648  1.1  christos         if (is_sslv3) {
    649  1.1  christos             unsigned overhang;
    650  1.1  christos 
    651  1.1  christos             /*
    652  1.1  christos              * The SSLv3 header is larger than a single block. overhang is
    653  1.1  christos              * the number of bytes beyond a single block that the header
    654  1.1  christos              * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no
    655  1.1  christos              * ciphersuites in SSLv3 that are not SHA1 or MD5 based and
    656  1.1  christos              * therefore we can be confident that the header_length will be
    657  1.1  christos              * greater than |md_block_size|. However we add a sanity check just
    658  1.1  christos              * in case
    659  1.1  christos              */
    660  1.1  christos             if (header_length <= md_block_size) {
    661  1.1  christos                 /* Should never happen */
    662  1.1  christos                 return 0;
    663  1.1  christos             }
    664  1.1  christos             overhang = header_length - md_block_size;
    665  1.1  christos             md_transform(md_state.c, header);
    666  1.1  christos             memcpy(first_block, header + md_block_size, overhang);
    667  1.1  christos             memcpy(first_block + overhang, data, md_block_size - overhang);
    668  1.1  christos             md_transform(md_state.c, first_block);
    669  1.1  christos             for (i = 1; i < k / md_block_size - 1; i++)
    670  1.1  christos                 md_transform(md_state.c, data + md_block_size * i - overhang);
    671  1.1  christos         } else {
    672  1.1  christos             /* k is a multiple of md_block_size. */
    673  1.1  christos             memcpy(first_block, header, 13);
    674  1.1  christos             memcpy(first_block + 13, data, md_block_size - 13);
    675  1.1  christos             md_transform(md_state.c, first_block);
    676  1.1  christos             for (i = 1; i < k / md_block_size; i++)
    677  1.1  christos                 md_transform(md_state.c, data + md_block_size * i - 13);
    678  1.1  christos         }
    679  1.1  christos     }
    680  1.1  christos 
    681  1.1  christos     memset(mac_out, 0, sizeof(mac_out));
    682  1.1  christos 
    683  1.1  christos     /*
    684  1.1  christos      * We now process the final hash blocks. For each block, we construct it
    685  1.1  christos      * in constant time. If the |i==index_a| then we'll include the 0x80
    686  1.1  christos      * bytes and zero pad etc. For each block we selectively copy it, in
    687  1.1  christos      * constant time, to |mac_out|.
    688  1.1  christos      */
    689  1.1  christos     for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks;
    690  1.1  christos          i++) {
    691  1.1  christos         unsigned char block[MAX_HASH_BLOCK_SIZE];
    692  1.1  christos         unsigned char is_block_a = constant_time_eq_8(i, index_a);
    693  1.1  christos         unsigned char is_block_b = constant_time_eq_8(i, index_b);
    694  1.1  christos         for (j = 0; j < md_block_size; j++) {
    695  1.1  christos             unsigned char b = 0, is_past_c, is_past_cp1;
    696  1.1  christos             if (k < header_length)
    697  1.1  christos                 b = header[k];
    698  1.1  christos             else if (k < data_plus_mac_plus_padding_size + header_length)
    699  1.1  christos                 b = data[k - header_length];
    700  1.1  christos             k++;
    701  1.1  christos 
    702  1.1  christos             is_past_c = is_block_a & constant_time_ge_8(j, c);
    703  1.1  christos             is_past_cp1 = is_block_a & constant_time_ge_8(j, c + 1);
    704  1.1  christos             /*
    705  1.1  christos              * If this is the block containing the end of the application
    706  1.1  christos              * data, and we are at the offset for the 0x80 value, then
    707  1.1  christos              * overwrite b with 0x80.
    708  1.1  christos              */
    709  1.1  christos             b = constant_time_select_8(is_past_c, 0x80, b);
    710  1.1  christos             /*
    711  1.1  christos              * If this the the block containing the end of the application
    712  1.1  christos              * data and we're past the 0x80 value then just write zero.
    713  1.1  christos              */
    714  1.1  christos             b = b & ~is_past_cp1;
    715  1.1  christos             /*
    716  1.1  christos              * If this is index_b (the final block), but not index_a (the end
    717  1.1  christos              * of the data), then the 64-bit length didn't fit into index_a
    718  1.1  christos              * and we're having to add an extra block of zeros.
    719  1.1  christos              */
    720  1.1  christos             b &= ~is_block_b | is_block_a;
    721  1.1  christos 
    722  1.1  christos             /*
    723  1.1  christos              * The final bytes of one of the blocks contains the length.
    724  1.1  christos              */
    725  1.1  christos             if (j >= md_block_size - md_length_size) {
    726  1.1  christos                 /* If this is index_b, write a length byte. */
    727  1.1  christos                 b = constant_time_select_8(is_block_b,
    728  1.1  christos                                            length_bytes[j -
    729  1.1  christos                                                         (md_block_size -
    730  1.1  christos                                                          md_length_size)], b);
    731  1.1  christos             }
    732  1.1  christos             block[j] = b;
    733  1.1  christos         }
    734  1.1  christos 
    735  1.1  christos         md_transform(md_state.c, block);
    736  1.1  christos         md_final_raw(md_state.c, block);
    737  1.1  christos         /* If this is index_b, copy the hash value to |mac_out|. */
    738  1.1  christos         for (j = 0; j < md_size; j++)
    739  1.1  christos             mac_out[j] |= block[j] & is_block_b;
    740  1.1  christos     }
    741  1.1  christos 
    742  1.1  christos     EVP_MD_CTX_init(&md_ctx);
    743  1.1  christos     if (EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */ ) <= 0)
    744  1.1  christos         goto err;
    745  1.1  christos     if (is_sslv3) {
    746  1.1  christos         /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
    747  1.1  christos         memset(hmac_pad, 0x5c, sslv3_pad_length);
    748  1.1  christos 
    749  1.1  christos         if (EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length) <= 0
    750  1.1  christos                 || EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length) <= 0
    751  1.1  christos                 || EVP_DigestUpdate(&md_ctx, mac_out, md_size) <= 0)
    752  1.1  christos             goto err;
    753  1.1  christos     } else {
    754  1.1  christos         /* Complete the HMAC in the standard manner. */
    755  1.1  christos         for (i = 0; i < md_block_size; i++)
    756  1.1  christos             hmac_pad[i] ^= 0x6a;
    757  1.1  christos 
    758  1.1  christos         if (EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size) <= 0
    759  1.1  christos                 || EVP_DigestUpdate(&md_ctx, mac_out, md_size) <= 0)
    760  1.1  christos             goto err;
    761  1.1  christos     }
    762  1.1  christos     EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
    763  1.1  christos     if (md_out_size)
    764  1.1  christos         *md_out_size = md_out_size_u;
    765  1.1  christos     EVP_MD_CTX_cleanup(&md_ctx);
    766  1.1  christos 
    767  1.1  christos     return 1;
    768  1.1  christos err:
    769  1.1  christos     EVP_MD_CTX_cleanup(&md_ctx);
    770  1.1  christos     return 0;
    771  1.1  christos }
    772  1.1  christos 
    773  1.1  christos #ifdef OPENSSL_FIPS
    774  1.1  christos 
    775  1.1  christos /*
    776  1.1  christos  * Due to the need to use EVP in FIPS mode we can't reimplement digests but
    777  1.1  christos  * we can ensure the number of blocks processed is equal for all cases by
    778  1.1  christos  * digesting additional data.
    779  1.1  christos  */
    780  1.1  christos 
    781  1.1  christos void tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
    782  1.1  christos                            EVP_MD_CTX *mac_ctx, const unsigned char *data,
    783  1.1  christos                            size_t data_len, size_t orig_len)
    784  1.1  christos {
    785  1.1  christos     size_t block_size, digest_pad, blocks_data, blocks_orig;
    786  1.1  christos     if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
    787  1.1  christos         return;
    788  1.1  christos     block_size = EVP_MD_CTX_block_size(mac_ctx);
    789  1.1  christos     /*-
    790  1.1  christos      * We are in FIPS mode if we get this far so we know we have only SHA*
    791  1.1  christos      * digests and TLS to deal with.
    792  1.1  christos      * Minimum digest padding length is 17 for SHA384/SHA512 and 9
    793  1.1  christos      * otherwise.
    794  1.1  christos      * Additional header is 13 bytes. To get the number of digest blocks
    795  1.1  christos      * processed round up the amount of data plus padding to the nearest
    796  1.1  christos      * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
    797  1.1  christos      * So we have:
    798  1.1  christos      * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
    799  1.1  christos      * equivalently:
    800  1.1  christos      * blocks = (payload_len + digest_pad + 12)/block_size + 1
    801  1.1  christos      * HMAC adds a constant overhead.
    802  1.1  christos      * We're ultimately only interested in differences so this becomes
    803  1.1  christos      * blocks = (payload_len + 29)/128
    804  1.1  christos      * for SHA384/SHA512 and
    805  1.1  christos      * blocks = (payload_len + 21)/64
    806  1.1  christos      * otherwise.
    807  1.1  christos      */
    808  1.1  christos     digest_pad = block_size == 64 ? 21 : 29;
    809  1.1  christos     blocks_orig = (orig_len + digest_pad) / block_size;
    810  1.1  christos     blocks_data = (data_len + digest_pad) / block_size;
    811  1.1  christos     /*
    812  1.1  christos      * MAC enough blocks to make up the difference between the original and
    813  1.1  christos      * actual lengths plus one extra block to ensure this is never a no op.
    814  1.1  christos      * The "data" pointer should always have enough space to perform this
    815  1.1  christos      * operation as it is large enough for a maximum length TLS buffer.
    816  1.1  christos      */
    817  1.1  christos     EVP_DigestSignUpdate(mac_ctx, data,
    818  1.1  christos                          (blocks_orig - blocks_data + 1) * block_size);
    819  1.1  christos }
    820  1.1  christos #endif
    821