/*
- * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
-#include "internal/constant_time_locl.h"
-#include "ssl_locl.h"
+/*
+ * MD5 and SHA-1 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
+#include "internal/constant_time.h"
+#include "ssl_local.h"
+#include "internal/cryptlib.h"
#include <openssl/md5.h>
#include <openssl/sha.h>
* padding too. )
* Returns 1 on success or 0 on error
*/
-int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
+int ssl3_cbc_digest_record(SSL *s,
+ const EVP_MD_CTX *ctx,
unsigned char *md_out,
size_t *md_out_size,
const unsigned char header[13],
size_t mac_secret_length, char is_sslv3)
{
union {
- double align;
+ OSSL_UNION_ALIGN;
unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
} md_state;
void (*md_final_raw) (void *ctx, unsigned char *md_out);
*/
size_t md_length_size = 8;
char length_is_big_endian = 1;
- int ret;
+ int ret = 0;
+ const EVP_MD *md = NULL;
/*
* This is a, hopefully redundant, check that allows us to forget about
* many possible overflows later in this function.
*/
- OPENSSL_assert(data_plus_mac_plus_padding_size < 1024 * 1024);
+ if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024))
+ return 0;
switch (EVP_MD_CTX_type(ctx)) {
case NID_md5:
* ssl3_cbc_record_digest_supported should have been called first to
* check that the hash function is supported.
*/
- OPENSSL_assert(0);
- if (md_out_size)
+ if (md_out_size != NULL)
*md_out_size = 0;
- return 0;
+ return ossl_assert(0);
}
- OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);
- OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE);
- OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
+ if (!ossl_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES)
+ || !ossl_assert(md_block_size <= MAX_HASH_BLOCK_SIZE)
+ || !ossl_assert(md_size <= EVP_MAX_MD_SIZE))
+ return 0;
header_length = 13;
if (is_sslv3) {
* of hash termination (0x80 + 64-bit length) don't fit in the final
* block, we say that the final two blocks can vary based on the padding.
* TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
- * required to be minimal. Therefore we say that the final six blocks can
+ * required to be minimal. Therefore we say that the final |variance_blocks|
+ * blocks can
* vary based on the padding. Later in the function, if the message is
* short and there obviously cannot be this many blocks then
* variance_blocks can be reduced.
*/
- variance_blocks = is_sslv3 ? 2 : 6;
+ variance_blocks = is_sslv3 ? 2 : ( ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1);
/*
* From now on we're dealing with the MAC, which conceptually has 13
* bytes of `header' before the start of the data (TLS) or 71/75 bytes
*/
bits += 8 * md_block_size;
memset(hmac_pad, 0, md_block_size);
- OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));
+ if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad)))
+ return 0;
memcpy(hmac_pad, mac_secret, mac_secret_length);
for (i = 0; i < md_block_size; i++)
hmac_pad[i] ^= 0x36;
*/
b = constant_time_select_8(is_past_c, 0x80, b);
/*
- * If this the the block containing the end of the application
- * data and we're past the 0x80 value then just write zero.
+ * If this block contains the end of the application data
+ * and we're past the 0x80 value then just write zero.
*/
b = b & ~is_past_cp1;
/*
md_ctx = EVP_MD_CTX_new();
if (md_ctx == NULL)
goto err;
- if (EVP_DigestInit_ex(md_ctx, EVP_MD_CTX_md(ctx), NULL /* engine */ ) <= 0)
+ md = ssl_evp_md_fetch(s->ctx->libctx, EVP_MD_type(EVP_MD_CTX_md(ctx)),
+ s->ctx->propq);
+ if (md == NULL)
+ goto err;
+ if (EVP_DigestInit_ex(md_ctx, md, NULL /* engine */ ) <= 0)
goto err;
if (is_sslv3) {
/* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u);
if (ret && md_out_size)
*md_out_size = md_out_size_u;
- EVP_MD_CTX_free(md_ctx);
- return 1;
+ ret = 1;
err:
EVP_MD_CTX_free(md_ctx);
- return 0;
+ ssl_evp_md_free(md);
+ return ret;
}