X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fs3_cbc.c;h=d6198dddb9f9fd2a9ea2e10d93c1fbcc69cd3fb0;hb=270540fd5413b00a746a581e8939c30862c689b1;hp=186ab174baafce4bd8f5561c05342d5cdf4f51a7;hpb=b53338cbf8822dd774f9e4057307f347d2b63ff0;p=openssl.git diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 186ab174ba..d6198dddb9 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -1,14 +1,21 @@ /* - * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ -#include "internal/constant_time_locl.h" -#include "ssl_locl.h" +/* + * MD5 and SHA-1 low level APIs are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + +#include "internal/constant_time.h" +#include "ssl_local.h" +#include "internal/cryptlib.h" #include #include @@ -124,7 +131,8 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) * padding too. ) * Returns 1 on success or 0 on error */ -int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, +int ssl3_cbc_digest_record(SSL *s, + const EVP_MD_CTX *ctx, unsigned char *md_out, size_t *md_out_size, const unsigned char header[13], @@ -135,7 +143,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, size_t mac_secret_length, char is_sslv3) { union { - double align; + OSSL_UNION_ALIGN; unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; } md_state; void (*md_final_raw) (void *ctx, unsigned char *md_out); @@ -159,13 +167,15 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, */ size_t md_length_size = 8; char length_is_big_endian = 1; - int ret; + int ret = 0; + const EVP_MD *md = NULL; /* * This is a, hopefully redundant, check that allows us to forget about * many possible overflows later in this function. */ - OPENSSL_assert(data_plus_mac_plus_padding_size < 1024 * 1024); + if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024)) + return 0; switch (EVP_MD_CTX_type(ctx)) { case NID_md5: @@ -227,15 +237,15 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, * ssl3_cbc_record_digest_supported should have been called first to * check that the hash function is supported. */ - OPENSSL_assert(0); - if (md_out_size) + if (md_out_size != NULL) *md_out_size = 0; - return 0; + return ossl_assert(0); } - OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES); - OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE); - OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); + if (!ossl_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES) + || !ossl_assert(md_block_size <= MAX_HASH_BLOCK_SIZE) + || !ossl_assert(md_size <= EVP_MAX_MD_SIZE)) + return 0; header_length = 13; if (is_sslv3) { @@ -254,12 +264,13 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, * of hash termination (0x80 + 64-bit length) don't fit in the final * block, we say that the final two blocks can vary based on the padding. * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not - * required to be minimal. Therefore we say that the final six blocks can + * required to be minimal. Therefore we say that the final |variance_blocks| + * blocks can * vary based on the padding. Later in the function, if the message is * short and there obviously cannot be this many blocks then * variance_blocks can be reduced. */ - variance_blocks = is_sslv3 ? 2 : 6; + variance_blocks = is_sslv3 ? 2 : ( ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1); /* * From now on we're dealing with the MAC, which conceptually has 13 * bytes of `header' before the start of the data (TLS) or 71/75 bytes @@ -331,7 +342,8 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, */ bits += 8 * md_block_size; memset(hmac_pad, 0, md_block_size); - OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad)); + if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad))) + return 0; memcpy(hmac_pad, mac_secret, mac_secret_length); for (i = 0; i < md_block_size; i++) hmac_pad[i] ^= 0x36; @@ -417,8 +429,8 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, */ b = constant_time_select_8(is_past_c, 0x80, b); /* - * If this the the block containing the end of the application - * data and we're past the 0x80 value then just write zero. + * If this block contains the end of the application data + * and we're past the 0x80 value then just write zero. */ b = b & ~is_past_cp1; /* @@ -451,7 +463,11 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, md_ctx = EVP_MD_CTX_new(); if (md_ctx == NULL) goto err; - if (EVP_DigestInit_ex(md_ctx, EVP_MD_CTX_md(ctx), NULL /* engine */ ) <= 0) + md = ssl_evp_md_fetch(s->ctx->libctx, EVP_MD_type(EVP_MD_CTX_md(ctx)), + s->ctx->propq); + if (md == NULL) + goto err; + if (EVP_DigestInit_ex(md_ctx, md, NULL /* engine */ ) <= 0) goto err; if (is_sslv3) { /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */ @@ -474,10 +490,10 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u); if (ret && md_out_size) *md_out_size = md_out_size_u; - EVP_MD_CTX_free(md_ctx); - return 1; + ret = 1; err: EVP_MD_CTX_free(md_ctx); - return 0; + ssl_evp_md_free(md); + return ret; }