X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fs3_cbc.c;h=522522291362a4e3cea93ecd363f022fd2860af0;hb=5f3d93e4a336c590d7b56a889dde4a93b725e058;hp=b20c56408445944e8f75def46944d1fff87d107c;hpb=02a36fdae8cb503e2f88eac52eb3053431089397;p=openssl.git
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index b20c564084..5225222913 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -53,7 +53,7 @@
 *
 */
-#include "../crypto/constant_time_locl.h"
+#include "internal/constant_time_locl.h"
 #include "ssl_locl.h"
 #include
@@ -172,8 +172,9 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
 * functions, above, we know that data_plus_mac_size is large enough to contain
 * a padding byte and MAC. (If the padding was invalid, it might contain the
 * padding too. )
+ * Returns 1 on success or 0 on error
 */
-void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
+int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
 unsigned char *md_out,
 size_t *md_out_size,
 const unsigned char header[13],
@@ -217,7 +218,8 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
 switch (EVP_MD_CTX_type(ctx)) {
 case NID_md5:
- MD5_Init((MD5_CTX *)md_state.c);
+ if (MD5_Init((MD5_CTX *)md_state.c) <= 0)
+ return 0;
 md_final_raw = tls1_md5_final_raw;
 md_transform =
 (void (*)(void *ctx, const unsigned char *block))MD5_Transform;
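Review bot: The added `Returns 1 on success or 0 on error` line in the header comment of ssl3_cbc_digest_record does not say whether `md_out` and `*md_out_size` may be used after a 0 return, which is what a caller comparing MACs needs to know. I would extend it to `Returns 1 on success or 0 on error; on error |md_out| and |*md_out_size| must not be used`. The switch from `void` to `int` only helps if every call site checks the result; the call sites and the prototype are outside this diff, so that is worth confirming. The function body continues outside the hunk.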
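Review bot: The `return 0;` added after the `MD5_Init` check leaves `*md_out_size` untouched, whereas the unsupported-digest branch in a later hunk sets `*md_out_size = -1` before its `return 0;`. The SHA1, SHA224, SHA256, SHA384 and SHA512 checks in the following hunks have the same shape. A caller that inspects the size after a failure would see a stale value on one path and a sentinel on the other. Now that the return value carries the error, I would make the paths agree, either by dropping the sentinel or by setting it on every failure path, and add a comment such as `/* failure is reported via the return value; *md_out_size is not meaningful */`.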
@@ -226,28 +228,32 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
 length_is_big_endian = 0;
 break;
 case NID_sha1:
- SHA1_Init((SHA_CTX *)md_state.c);
+ if (SHA1_Init((SHA_CTX *)md_state.c) <= 0)
+ return 0;
 md_final_raw = tls1_sha1_final_raw;
 md_transform =
 (void (*)(void *ctx, const unsigned char *block))SHA1_Transform;
 md_size = 20;
 break;
 case NID_sha224:
- SHA224_Init((SHA256_CTX *)md_state.c);
+ if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0)
+ return 0;
 md_final_raw = tls1_sha256_final_raw;
 md_transform =
 (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
 md_size = 224 / 8;
 break;
 case NID_sha256:
- SHA256_Init((SHA256_CTX *)md_state.c);
+ if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0)
+ return 0;
 md_final_raw = tls1_sha256_final_raw;
 md_transform =
 (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
 md_size = 32;
 break;
 case NID_sha384:
- SHA384_Init((SHA512_CTX *)md_state.c);
+ if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0)
+ return 0;
 md_final_raw = tls1_sha512_final_raw;
 md_transform =
 (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
@@ -256,7 +262,8 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
 md_length_size = 16;
 break;
 case NID_sha512:
- SHA512_Init((SHA512_CTX *)md_state.c);
+ if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0)
+ return 0;
 md_final_raw = tls1_sha512_final_raw;
 md_transform =
 (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
@@ -272,7 +279,7 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
 OPENSSL_assert(0);
 if (md_out_size)
 *md_out_size = -1;
- return;
+ return 0;
 }
 OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);
@@ -397,12 +404,22 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
 if (k > 0) {
 if (is_sslv3) {
+ unsigned overhang;
+
 /*
 * The SSLv3 header is larger than a single block. overhang is
 * the number of bytes beyond a single block that the header
- * consumes: either 7 bytes (SHA1) or 11 bytes (MD5).
+ * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no
+ * ciphersuites in SSLv3 that are not SHA1 or MD5 based and
+ * therefore we can be confident that the header_length will be
+ * greater than |md_block_size|. However we add a sanity check just
+ * in case
 */
- unsigned overhang = header_length - md_block_size;
+ if (header_length <= md_block_size) {
+ /* Should never happen */
+ return 0;
+ }
+ overhang = header_length - md_block_size;
 md_transform(md_state.c, header);
 memcpy(first_block, header + md_block_size, overhang);
 memcpy(first_block + overhang, data, md_block_size - overhang);
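Review bot: The new sanity check guards only the lower bound of `header_length`. The second `memcpy` uses `md_block_size - overhang`, which would wrap (assuming these are unsigned, as the `unsigned overhang` declaration suggests) if `header_length` were more than twice `md_block_size`. The comment's MD5/SHA1 argument rules that case out just as it rules out the lower bound, so a check that exists "just in case" should cover both sides, e.g. `if (header_length <= md_block_size || header_length - md_block_size > md_block_size)`. The size of `first_block` and the computation of `header_length` are outside the hunk, so this is inferred from the visible lines only.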
@@ -481,26 +498,34 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
 }
 EVP_MD_CTX_init(&md_ctx);
- EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */ );
+ if (EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */ ) <= 0)
+ goto err;
 if (is_sslv3) {
 /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
 memset(hmac_pad, 0x5c, sslv3_pad_length);
- EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length);
- EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length);
- EVP_DigestUpdate(&md_ctx, mac_out, md_size);
+ if (EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length) <= 0
+ || EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length) <= 0
+ || EVP_DigestUpdate(&md_ctx, mac_out, md_size) <= 0)
+ goto err;
 } else {
 /* Complete the HMAC in the standard manner. */
 for (i = 0; i < md_block_size; i++)
 hmac_pad[i] ^= 0x6a;
- EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
- EVP_DigestUpdate(&md_ctx, mac_out, md_size);
+ if (EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size) <= 0
+ || EVP_DigestUpdate(&md_ctx, mac_out, md_size) <= 0)
+ goto err;
 }
 ret = EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
 if (ret && md_out_size)
 *md_out_size = md_out_size_u;
 EVP_MD_CTX_cleanup(&md_ctx);
+
+ return 1;
+err:
+ EVP_MD_CTX_cleanup(&md_ctx);
+ return 0;
 }
 /*
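Review bot: The result of `EVP_DigestFinal` is still not propagated. `ret` only gates the `*md_out_size` assignment, and the function then reaches `return 1;` even when the final step failed, so a caller would treat whatever is in `md_out` as a valid MAC. It should take the same error path as the calls above: `if (EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u) <= 0) goto err;` followed by `if (md_out_size) *md_out_size = md_out_size_u;`. The function starts outside the hunk, so whether `ret` is used elsewhere cannot be seen from here.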