aboutsummaryrefslogtreecommitdiff
path: root/ssl/s3_cbc.c
diff options
context:
space:
mode:
Diffstat (limited to 'ssl/s3_cbc.c')
-rw-r--r--ssl/s3_cbc.c144
1 files changed, 85 insertions, 59 deletions
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index c95dcd9fdec1..85f296b80783 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -1,19 +1,69 @@
/*
* Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
+/*
+ * This file has no dependencies on the rest of libssl because it is shared
+ * with the providers. It contains functions for low level MAC calculations.
+ * Responsibility for this lies with the HMAC implementation in the
+ * providers. However there are legacy code paths in libssl which also need to
+ * do this. In time those legacy code paths can be removed and this file can be
+ * moved out of libssl.
+ */
+
+
+/*
+ * MD5 and SHA-1 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
#include "internal/constant_time.h"
-#include "ssl_local.h"
#include "internal/cryptlib.h"
-#include <openssl/md5.h>
+#include <openssl/evp.h>
+#ifndef FIPS_MODULE
+# include <openssl/md5.h>
+#endif
#include <openssl/sha.h>
+char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
+int ssl3_cbc_digest_record(const EVP_MD *md,
+ unsigned char *md_out,
+ size_t *md_out_size,
+ const unsigned char *header,
+ const unsigned char *data,
+ size_t data_size,
+ size_t data_plus_mac_plus_padding_size,
+ const unsigned char *mac_secret,
+ size_t mac_secret_length, char is_sslv3);
+
+# define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>16)&0xff), \
+ *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+ *((c)++)=(unsigned char)(((l) )&0xff))
+
+# define l2n6(l,c) (*((c)++)=(unsigned char)(((l)>>40)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>32)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>24)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>16)&0xff), \
+ *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+ *((c)++)=(unsigned char)(((l) )&0xff))
+
+# define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>48)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>40)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>32)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>24)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>16)&0xff), \
+ *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+ *((c)++)=(unsigned char)(((l) )&0xff))
+
/*
* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's
* length field. (SHA-384/512 have 128-bit length.)
@@ -27,15 +77,16 @@
*/
#define MAX_HASH_BLOCK_SIZE 128
+#ifndef FIPS_MODULE
/*
- * u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
+ * u32toLE serializes an unsigned, 32-bit number (n) as four bytes at (p) in
* little-endian order. The value of p is advanced by four.
*/
-#define u32toLE(n, p) \
- (*((p)++)=(unsigned char)(n), \
- *((p)++)=(unsigned char)(n>>8), \
- *((p)++)=(unsigned char)(n>>16), \
- *((p)++)=(unsigned char)(n>>24))
+# define u32toLE(n, p) \
+ (*((p)++)=(unsigned char)(n), \
+ *((p)++)=(unsigned char)(n>>8), \
+ *((p)++)=(unsigned char)(n>>16), \
+ *((p)++)=(unsigned char)(n>>24))
/*
* These functions serialize the state of a hash and thus perform the
@@ -50,6 +101,7 @@ static void tls1_md5_final_raw(void *ctx, unsigned char *md_out)
u32toLE(md5->C, md_out);
u32toLE(md5->D, md_out);
}
+#endif /* FIPS_MODULE */
static void tls1_sha1_final_raw(void *ctx, unsigned char *md_out)
{
@@ -84,25 +136,6 @@ static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
#undef LARGEST_DIGEST_CTX
#define LARGEST_DIGEST_CTX SHA512_CTX
-/*
- * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
- * which ssl3_cbc_digest_record supports.
- */
-char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
-{
- switch (EVP_MD_CTX_type(ctx)) {
- case NID_md5:
- case NID_sha1:
- case NID_sha224:
- case NID_sha256:
- case NID_sha384:
- case NID_sha512:
- return 1;
- default:
- return 0;
- }
-}
-
/*-
* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
* record.
@@ -113,30 +146,27 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
* md_out_size: if non-NULL, the number of output bytes is written here.
* header: the 13-byte, TLS record header.
* data: the record data itself, less any preceding explicit IV.
- * data_plus_mac_size: the secret, reported length of the data and MAC
- * once the padding has been removed.
+ * data_size: the secret, reported length of the data once the MAC and padding
+ * has been removed.
* data_plus_mac_plus_padding_size: the public length of the whole
- * record, including padding.
+ * record, including MAC and padding.
* is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
*
- * On entry: by virtue of having been through one of the remove_padding
- * functions, above, we know that data_plus_mac_size is large enough to contain
- * a padding byte and MAC. (If the padding was invalid, it might contain the
- * padding too. )
+ * On entry: we know that data is data_plus_mac_plus_padding_size in length
* Returns 1 on success or 0 on error
*/
-int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
+int ssl3_cbc_digest_record(const EVP_MD *md,
unsigned char *md_out,
size_t *md_out_size,
const unsigned char *header,
const unsigned char *data,
- size_t data_plus_mac_size,
+ size_t data_size,
size_t data_plus_mac_plus_padding_size,
const unsigned char *mac_secret,
size_t mac_secret_length, char is_sslv3)
{
union {
- double align;
+ OSSL_UNION_ALIGN;
unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
} md_state;
void (*md_final_raw) (void *ctx, unsigned char *md_out);
@@ -160,7 +190,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
*/
size_t md_length_size = 8;
char length_is_big_endian = 1;
- int ret;
+ int ret = 0;
/*
* This is a, hopefully redundant, check that allows us to forget about
@@ -169,8 +199,10 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024))
return 0;
- switch (EVP_MD_CTX_type(ctx)) {
- case NID_md5:
+ if (EVP_MD_is_a(md, "MD5")) {
+#ifdef FIPS_MODULE
+ return 0;
+#else
if (MD5_Init((MD5_CTX *)md_state.c) <= 0)
return 0;
md_final_raw = tls1_md5_final_raw;
@@ -179,32 +211,29 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
md_size = 16;
sslv3_pad_length = 48;
length_is_big_endian = 0;
- break;
- case NID_sha1:
+#endif
+ } else if (EVP_MD_is_a(md, "SHA1")) {
if (SHA1_Init((SHA_CTX *)md_state.c) <= 0)
return 0;
md_final_raw = tls1_sha1_final_raw;
md_transform =
(void (*)(void *ctx, const unsigned char *block))SHA1_Transform;
md_size = 20;
- break;
- case NID_sha224:
+ } else if (EVP_MD_is_a(md, "SHA2-224")) {
if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0)
return 0;
md_final_raw = tls1_sha256_final_raw;
md_transform =
(void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
md_size = 224 / 8;
- break;
- case NID_sha256:
+ } else if (EVP_MD_is_a(md, "SHA2-256")) {
if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0)
return 0;
md_final_raw = tls1_sha256_final_raw;
md_transform =
(void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
md_size = 32;
- break;
- case NID_sha384:
+ } else if (EVP_MD_is_a(md, "SHA2-384")) {
if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0)
return 0;
md_final_raw = tls1_sha512_final_raw;
@@ -213,8 +242,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
md_size = 384 / 8;
md_block_size = 128;
md_length_size = 16;
- break;
- case NID_sha512:
+ } else if (EVP_MD_is_a(md, "SHA2-512")) {
if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0)
return 0;
md_final_raw = tls1_sha512_final_raw;
@@ -223,8 +251,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
md_size = 64;
md_block_size = 128;
md_length_size = 16;
- break;
- default:
+ } else {
/*
* ssl3_cbc_record_digest_supported should have been called first to
* check that the hash function is supported.
@@ -295,7 +322,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
/*
* mac_end_offset is the index just past the end of the data to be MACed.
*/
- mac_end_offset = data_plus_mac_size + header_length - md_size;
+ mac_end_offset = data_size + header_length;
/*
* c is the index of the 0x80 byte in the final hash block that contains
* application data.
@@ -455,7 +482,8 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
md_ctx = EVP_MD_CTX_new();
if (md_ctx == NULL)
goto err;
- if (EVP_DigestInit_ex(md_ctx, EVP_MD_CTX_md(ctx), NULL /* engine */ ) <= 0)
+
+ if (EVP_DigestInit_ex(md_ctx, md, NULL /* engine */ ) <= 0)
goto err;
if (is_sslv3) {
/* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
@@ -474,14 +502,12 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
|| EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
goto err;
}
- /* TODO(size_t): Convert me */
ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u);
if (ret && md_out_size)
*md_out_size = md_out_size_u;
- EVP_MD_CTX_free(md_ctx);
- return 1;
+ ret = 1;
err:
EVP_MD_CTX_free(md_ctx);
- return 0;
+ return ret;
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-05 09:14:37 +0000