1
/* $OpenBSD: s3_cbc.c,v 1.16 2017/01/23 08:08:06 beck Exp $ */
2
/* ====================================================================
3
 * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
4
 *
5
 * Redistribution and use in source and binary forms, with or without
6
 * modification, are permitted provided that the following conditions
7
 * are met:
8
 *
9
 * 1. Redistributions of source code must retain the above copyright
10
 *    notice, this list of conditions and the following disclaimer.
11
 *
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in
14
 *    the documentation and/or other materials provided with the
15
 *    distribution.
16
 *
17
 * 3. All advertising materials mentioning features or use of this
18
 *    software must display the following acknowledgment:
19
 *    "This product includes software developed by the OpenSSL Project
20
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21
 *
22
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23
 *    endorse or promote products derived from this software without
24
 *    prior written permission. For written permission, please contact
25
 *    openssl-core@openssl.org.
26
 *
27
 * 5. Products derived from this software may not be called "OpenSSL"
28
 *    nor may "OpenSSL" appear in their names without prior written
29
 *    permission of the OpenSSL Project.
30
 *
31
 * 6. Redistributions of any form whatsoever must retain the following
32
 *    acknowledgment:
33
 *    "This product includes software developed by the OpenSSL Project
34
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35
 *
36
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
40
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47
 * OF THE POSSIBILITY OF SUCH DAMAGE.
48
 * ====================================================================
49
 *
50
 * This product includes cryptographic software written by Eric Young
51
 * (eay@cryptsoft.com).  This product includes software written by Tim
52
 * Hudson (tjh@cryptsoft.com).
53
 *
54
 */
55
56
#include "ssl_locl.h"
57
58
#include <openssl/md5.h>
59
#include <openssl/sha.h>
/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
 * field. (SHA-384/512 have 128-bit length.) It sizes |length_bytes| in
 * ssl3_cbc_digest_record, which asserts md_length_size against it. */
#define MAX_HASH_BIT_COUNT_BYTES 16

/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
 * (Currently SHA-384/512 has a 128-byte block size and that's the largest
 * supported by TLS.) It sizes the per-block scratch buffers (hmac_pad,
 * first_block, block) in ssl3_cbc_digest_record. */
#define MAX_HASH_BLOCK_SIZE 128
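/* Some utility functions are needed:
 *
 * These macros return the given value with the MSB copied to all the other
 * bits. The MSB is isolated with an unsigned right shift and then negated in
 * unsigned arithmetic; unsigned subtraction wraps modulo 2^N by definition,
 * so unlike an arithmetic right shift of a negative int this does not depend
 * on implementation-defined behaviour. The expansion contains no branch and
 * no data-dependent memory access, which the constant_time_* helpers below
 * rely on. */
#define DUPLICATE_MSB_TO_ALL(x) \
	(0u - ((unsigned)(x) >> (sizeof(unsigned) * 8 - 1)))
#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))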
/* constant_time_lt returns a mask with every bit set if a<b and zero
 * otherwise, without branching on either argument. The wrapping
 * subtraction a-b has its MSB set exactly when a<b, provided both
 * arguments are below 2^31 (true of the byte counts this file passes);
 * that bit is then smeared over the whole word. Callers truncate the
 * result to an unsigned char when they need a 0xff/0x00 byte mask. */
static unsigned
constant_time_lt(unsigned a, unsigned b)
{
	const unsigned diff = a - b;

	return DUPLICATE_MSB_TO_ALL(diff);
}
/* constant_time_ge returns a mask with every bit set if a>=b and zero
 * otherwise, without branching on either argument. It is the complement
 * of constant_time_lt: the MSB of ~(a-b) is set exactly when a>=b, for
 * arguments below 2^31. Callers truncate the result to an unsigned char
 * when they need a 0xff/0x00 byte mask. */
static unsigned
constant_time_ge(unsigned a, unsigned b)
{
	const unsigned not_diff = ~(a - b);

	return DUPLICATE_MSB_TO_ALL(not_diff);
}
/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise, without
 * branching on either argument. a^b is zero only when a==b; subtracting
 * one from it then wraps to all-ones exactly in that case, so the MSB
 * flags equality. Correct for arguments below 2^31, which covers the
 * block indices this file passes. */
static unsigned char
constant_time_eq_8(unsigned a, unsigned b)
{
	const unsigned minus_one_if_equal = (a ^ b) - 1;

	return DUPLICATE_MSB_TO_ALL_8(minus_one_if_equal);
}
/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
 * record in |rec| in constant time and returns 1 if the padding is valid and
 * -1 otherwise. It also removes any explicit IV from the start of the record
 * without leaking any timing about whether there was enough space after the
 * padding was removed.
 *
 * block_size: the block size of the cipher used to encrypt the record.
 * mac_size: the length of the MAC that follows the plaintext; together with
 *   the padding-length byte it forms the smallest length a record may have.
 * returns:
 *   0: (in non-constant time) if the record is publicly invalid.
 *   1: if the padding was valid
 *  -1: otherwise.
 *
 * Side effects: rec->data, rec->input and rec->length are advanced past any
 * explicit IV; on the non-AEAD path rec->length is then reduced by the
 * padding only if the padding was valid (otherwise by zero), and the removed
 * padding length is stashed in the upper bits of rec->type (see the kludge
 * at the end of the function). */
int
tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size,
    unsigned mac_size)
{
	unsigned padding_length, good, to_check, i;
	const unsigned overhead = 1 /* padding length byte */ + mac_size;

	/* Check if version requires explicit IV */
	if (SSL_USE_EXPLICIT_IV(s)) {
		/* These lengths are all public so we can test them in
		 * non-constant time.
		 */
		if (overhead + block_size > rec->length)
			return 0;
		/* We can now safely skip explicit IV */
		rec->data += block_size;
		rec->input += block_size;
		rec->length -= block_size;
	} else if (overhead > rec->length)
		return 0;

	/* rec->length >= overhead >= 1 here, so this index is in bounds. The
	 * value itself is secret (it came out of the decryption) and must not
	 * influence control flow or memory addresses below. */
	padding_length = rec->data[rec->length - 1];

	if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
		/* padding is already verified */
		/* NOTE(review): no check here that padding_length + 1 <=
		 * rec->length; this path trusts the cipher to have done it. */
		rec->length -= padding_length + 1;
		return 1;
	}

	/* |good| starts as an all-ones mask if the record is long enough to
	 * hold the claimed padding plus the MAC, and zero otherwise. Failed
	 * byte checks below clear further bits; it is folded to a single
	 * all-ones/zero verdict afterwards. */
	good = constant_time_ge(rec->length, overhead + padding_length);
	/* The padding consists of a length byte at the end of the record and
	 * then that many bytes of padding, all with the same value as the
	 * length byte. Thus, with the length byte included, there are i+1
	 * bytes of padding.
	 *
	 * We can't check just |padding_length+1| bytes because that leaks
	 * decrypted information. Therefore we always have to check the maximum
	 * amount of padding possible. (Again, the length of the record is
	 * public information so we can use it.) */
	to_check = 255; /* maximum amount of padding. */
	if (to_check > rec->length - 1)
		to_check = rec->length - 1;

	/* Every iteration reads a byte and updates |good| regardless of
	 * whether that byte is inside the claimed padding; |mask| selects
	 * which comparisons actually count. */
	for (i = 0; i < to_check; i++) {
		/* 0xff for i <= padding_length (bytes that must match), else 0. */
		unsigned char mask = constant_time_ge(padding_length, i);
		/* In bounds because to_check <= rec->length - 1. */
		unsigned char b = rec->data[rec->length - 1 - i];
		/* The final |padding_length+1| bytes should all have the value
		 * |padding_length|. Therefore the XOR should be zero. */
		good &= ~(mask&(padding_length ^ b));
	}

	/* If any of the final |padding_length+1| bytes had the wrong value,
	 * one or more of the lower eight bits of |good| will be cleared. We
	 * AND the bottom 8 bits together and duplicate the result to all the
	 * bits. */
	good &= good >> 4;
	good &= good >> 2;
	good &= good >> 1;
	good <<= sizeof(good)*8 - 1;
	good = DUPLICATE_MSB_TO_ALL(good);

	/* Masked to zero when the padding is bad, so an invalid record keeps
	 * its full length rather than branching on the verdict. */
	padding_length = good & (padding_length + 1);
	rec->length -= padding_length;
	rec->type |= padding_length<<8;	/* kludge: pass padding length */

	/* |good| is all-ones or zero: this yields 1 or -1 respectively. */
	return (int)((good & 1) | (~good & -1));
}
/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
 * constant time (independent of the concrete value of rec->length, which may
 * vary within a 256-byte window).
 *
 * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
 * this function.
 *
 * On entry:
 *   rec->orig_len >= md_size
 *   md_size <= EVP_MAX_MD_SIZE
 *
 * out: receives exactly |md_size| bytes.
 * orig_len: the bound up to which rec->data is scanned. Every byte in
 *   [scan_start, orig_len) is read whether or not it belongs to the MAC,
 *   which is what keeps the access pattern independent of rec->length.
 *   (Presumably the public, pre-padding-removal record length; confirm
 *   against the caller.)
 *
 * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
 * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
 * a single or pair of cache-lines, then the variable memory accesses don't
 * actually affect the timing. CPUs with smaller cache-lines [if any] are
 * not multi-core and are not considered vulnerable to cache-timing attacks.
 */
#define CBC_MAC_ROTATE_IN_PLACE

void
ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec,
    unsigned md_size, unsigned orig_len)
{
#if defined(CBC_MAC_ROTATE_IN_PLACE)
	/* Oversized by 64 so that |rotated_mac| can be placed on a 64-byte
	 * boundary inside it. */
	unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE];
	unsigned char *rotated_mac;
#else
	unsigned char rotated_mac[EVP_MAX_MD_SIZE];
#endif

	/* mac_end is the index of |rec->data| just after the end of the MAC. */
	unsigned mac_end = rec->length;
	/* NOTE(review): relies on rec->length >= md_size, which the
	 * remove_padding precondition above is meant to guarantee; it is
	 * not re-checked here. */
	unsigned mac_start = mac_end - md_size;
	/* scan_start contains the number of bytes that we can ignore because
	 * the MAC's position can only vary by 255 bytes. */
	unsigned scan_start = 0;
	unsigned i, j;
	unsigned div_spoiler;
	unsigned rotate_offset;

	OPENSSL_assert(orig_len >= md_size);
	OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);

#if defined(CBC_MAC_ROTATE_IN_PLACE)
	/* Round the buffer address up to the next multiple of 64. */
	rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf)&63);
#endif

	/* This information is public so it's safe to branch based on it. */
	if (orig_len > md_size + 255 + 1)
		scan_start = orig_len - (md_size + 255 + 1);
	/* div_spoiler contains a multiple of md_size that is used to cause the
	 * modulo operation to be constant time. Without this, the time varies
	 * based on the amount of padding when running on Intel chips at least.
	 *
	 * The aim of right-shifting md_size is so that the compiler doesn't
	 * figure out that it can remove div_spoiler as that would require it
	 * to prove that md_size is always even, which I hope is beyond it. */
	div_spoiler = md_size >> 1;
	div_spoiler <<= (sizeof(div_spoiler) - 1) * 8;
	rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;

	memset(rotated_mac, 0, md_size);
	/* Visit every candidate byte; only those in [mac_start, mac_end)
	 * survive the two masks. |j| is reset to 0 by the final AND when it
	 * reaches md_size, so the MAC ends up in |rotated_mac| rotated left
	 * by |rotate_offset|. */
	for (i = scan_start, j = 0; i < orig_len; i++) {
		unsigned char mac_started = constant_time_ge(i, mac_start);
		unsigned char mac_ended = constant_time_ge(i, mac_end);
		unsigned char b = rec->data[i];
		rotated_mac[j++] |= b & mac_started & ~mac_ended;
		j &= constant_time_lt(j, md_size);
	}

	/* Now rotate the MAC */
#if defined(CBC_MAC_ROTATE_IN_PLACE)
	j = 0;
	for (i = 0; i < md_size; i++) {
		/* in case cache-line is 32 bytes, touch second line */
		((volatile unsigned char *)rotated_mac)[rotate_offset^32];
		out[j++] = rotated_mac[rotate_offset++];
		/* Wrap to 0 once rotate_offset reaches md_size. */
		rotate_offset &= constant_time_lt(rotate_offset, md_size);
	}
#else
	/* Branch-free variant: every output byte is built from every input
	 * byte under an equality mask, so no address depends on the secret
	 * offset. */
	memset(out, 0, md_size);
	rotate_offset = md_size - rotate_offset;
	rotate_offset &= constant_time_lt(rotate_offset, md_size);
	for (i = 0; i < md_size; i++) {
		for (j = 0; j < md_size; j++)
			out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset);
		rotate_offset++;
		rotate_offset &= constant_time_lt(rotate_offset, md_size);
	}
#endif
}
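/* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
 * little-endian order. The value of p is advanced by four.
 *
 * Both (n) and (p) are expanded four times, so neither argument may have
 * side effects. Every use of (n) is parenthesised so that an expression
 * argument such as a|b is shifted as a whole rather than being split by
 * operator precedence. */
#define u32toLE(n, p) \
	(*((p)++)=(unsigned char)(n), \
	 *((p)++)=(unsigned char)((n)>>8), \
	 *((p)++)=(unsigned char)((n)>>16), \
	 *((p)++)=(unsigned char)((n)>>24))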
/* These functions serialize the state of a hash and thus perform the standard
 * "final" operation without adding the padding and length that such a function
 * typically does. */
static void
tls1_md5_final_raw(void* ctx, unsigned char *md_out)
{
	const MD5_CTX *md5 = ctx;
	const MD5_LONG state[4] = { md5->A, md5->B, md5->C, md5->D };
	unsigned i;

	/* MD5 state words are emitted little-endian, A first; md_out is
	 * advanced four bytes per word by the macro. */
	for (i = 0; i < 4; i++)
		u32toLE(state[i], md_out);
}
static void
tls1_sha1_final_raw(void* ctx, unsigned char *md_out)
{
	const SHA_CTX *sha1 = ctx;
	const SHA_LONG state[5] = {
		sha1->h0, sha1->h1, sha1->h2, sha1->h3, sha1->h4
	};
	unsigned i;

	/* Five 32-bit state words, written big-endian by l2n, which also
	 * advances md_out. */
	for (i = 0; i < 5; i++)
		l2n(state[i], md_out);
}
static void
tls1_sha256_final_raw(void* ctx, unsigned char *md_out)
{
	const SHA256_CTX *sha256 = ctx;
	const SHA_LONG *word = sha256->h;
	const SHA_LONG *const end = sha256->h + 8;

	/* Eight 32-bit words, big-endian. |word| is advanced in the loop
	 * header rather than inside the l2n argument, because the macro
	 * expands its first argument more than once. */
	for (; word != end; word++)
		l2n(*word, md_out);
}
static void
tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
{
	const SHA512_CTX *sha512 = ctx;
	const SHA_LONG64 *word = sha512->h;
	const SHA_LONG64 *const end = sha512->h + 8;

	/* Eight 64-bit words, big-endian via l2n8. |word| is advanced in the
	 * loop header so the macro never sees a side-effecting argument. */
	for (; word != end; word++)
		l2n8(*word, md_out);
}
/* Largest hash context ever used by the functions above. It sizes the
 * md_state union in ssl3_cbc_digest_record, whose byte array is cast to
 * each concrete *_CTX type in turn. */
#define LARGEST_DIGEST_CTX SHA512_CTX

/* Type giving the alignment needed by the above (the 64-bit word type
 * SHA512_CTX is built from). */
#define LARGEST_DIGEST_CTX_ALIGNMENT SHA_LONG64
/* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
 * which ssl3_cbc_digest_record supports. */
char
ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
{
	/* Must match the cases handled by the switch in
	 * ssl3_cbc_digest_record. */
	static const int supported_nids[] = {
		NID_md5, NID_sha1, NID_sha224, NID_sha256, NID_sha384, NID_sha512
	};
	const int nid = EVP_MD_CTX_type(ctx);
	size_t idx;

	for (idx = 0; idx < sizeof(supported_nids) / sizeof(supported_nids[0]); idx++) {
		if (nid == supported_nids[idx])
			return 1;
	}
	return 0;
}
/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded TLS
 * record.
 *
 *   ctx: the EVP_MD_CTX from which we take the hash function.
 *     ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
 *   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
 *   md_out_size: if non-NULL, the number of output bytes is written here.
 *   header: the 13-byte, TLS record header.
 *   data: the record data itself, less any preceding explicit IV.
 *   data_plus_mac_size: the secret, reported length of the data and MAC
 *     once the padding has been removed.
 *   data_plus_mac_plus_padding_size: the public length of the whole
 *     record, including padding.
 *   mac_secret, mac_secret_length: the HMAC key; must fit in one hash block.
 *
 * Returns 1 on success. Returns 0 (with *md_out_size set to 0 when the
 * pointer is non-NULL) if the digest is unsupported, and 0 if the final
 * EVP_DigestInit_ex fails.
 *
 * On entry: by virtue of having been through one of the remove_padding
 * functions, above, we know that data_plus_mac_size is large enough to contain
 * a padding byte and MAC. (If the padding was invalid, it might contain the
 * padding too.)
 */
int
ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out,
    size_t* md_out_size, const unsigned char header[13],
    const unsigned char *data, size_t data_plus_mac_size,
    size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,
    unsigned mac_secret_length)
{
	union {
		/*
		 * Alignment here is to allow this to be cast as SHA512_CTX
		 * without losing alignment required by the 64-bit SHA_LONG64
		 * integer it contains.
		 */
		LARGEST_DIGEST_CTX_ALIGNMENT align;
		unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
	} md_state;
	/* Raw (no padding, no length) state serialiser for the chosen hash. */
	void (*md_final_raw)(void *ctx, unsigned char *md_out);
	/* Single-block compression function for the chosen hash. */
	void (*md_transform)(void *ctx, const unsigned char *block);
	unsigned md_size, md_block_size = 64;
	unsigned header_length, variance_blocks,
	len, max_mac_bytes, num_blocks,
	num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
	unsigned int bits;	/* at most 18 bits */
	unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
	/* hmac_pad is the masked HMAC key. */
	unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
	unsigned char first_block[MAX_HASH_BLOCK_SIZE];
	unsigned char mac_out[EVP_MAX_MD_SIZE];
	unsigned i, j, md_out_size_u;
	EVP_MD_CTX md_ctx;
	/* md_length_size is the number of bytes in the length field that
	 * terminates the hash. */
	unsigned md_length_size = 8;
	char length_is_big_endian = 1;

	/* This is a, hopefully redundant, check that allows us to forget about
	 * many possible overflows later in this function. */
	OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024);

	/* Select the hash primitives. The hash context is operated on directly
	 * (via the *_Transform functions) rather than through EVP so that the
	 * individual blocks can be fed in constant time below. */
	switch (EVP_MD_CTX_type(ctx)) {
	case NID_md5:
		MD5_Init((MD5_CTX*)md_state.c);
		md_final_raw = tls1_md5_final_raw;
		md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
		md_size = 16;
		length_is_big_endian = 0;
		break;
	case NID_sha1:
		SHA1_Init((SHA_CTX*)md_state.c);
		md_final_raw = tls1_sha1_final_raw;
		md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform;
		md_size = 20;
		break;
	case NID_sha224:
		SHA224_Init((SHA256_CTX*)md_state.c);
		md_final_raw = tls1_sha256_final_raw;
		md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
		md_size = 224/8;
		break;
	case NID_sha256:
		SHA256_Init((SHA256_CTX*)md_state.c);
		md_final_raw = tls1_sha256_final_raw;
		md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
		md_size = 32;
		break;
	case NID_sha384:
		SHA384_Init((SHA512_CTX*)md_state.c);
		md_final_raw = tls1_sha512_final_raw;
		md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
		md_size = 384/8;
		md_block_size = 128;
		md_length_size = 16;
		break;
	case NID_sha512:
		SHA512_Init((SHA512_CTX*)md_state.c);
		md_final_raw = tls1_sha512_final_raw;
		md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
		md_size = 64;
		md_block_size = 128;
		md_length_size = 16;
		break;
	default:
		/* ssl3_cbc_record_digest_supported should have been
		 * called first to check that the hash function is
		 * supported. */
		OPENSSL_assert(0);
		if (md_out_size)
			*md_out_size = 0;
		return 0;
	}

	OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);
	OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE);
	OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);

	header_length = 13;

	/* variance_blocks is the number of blocks of the hash that we have to
	 * calculate in constant time because they could be altered by the
	 * padding value.
	 *
	 * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
	 * required to be minimal. Therefore we say that the final six blocks
	 * can vary based on the padding.
	 *
	 * Later in the function, if the message is short and there obviously
	 * cannot be this many blocks then variance_blocks can be reduced. */
	variance_blocks = 6;
	/* From now on we're dealing with the MAC, which conceptually has 13
	 * bytes of `header' before the start of the data (TLS) */
	len = data_plus_mac_plus_padding_size + header_length;
	/* max_mac_bytes contains the maximum bytes of bytes in the MAC, including
	* |header|, assuming that there's no padding. */
	max_mac_bytes = len - md_size - 1;
	/* num_blocks is the maximum number of hash blocks: the MACed bytes,
	 * one 0x80 terminator byte and the length field, rounded up to whole
	 * blocks. */
	num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size;
	/* In order to calculate the MAC in constant time we have to handle
	 * the final blocks specially because the padding value could cause the
	 * end to appear somewhere in the final |variance_blocks| blocks and we
	 * can't leak where. However, |num_starting_blocks| worth of data can
	 * be hashed right away because no padding value can affect whether
	 * they are plaintext. */
	num_starting_blocks = 0;
	/* k is the starting byte offset into the conceptual header||data where
	 * we start processing. */
	k = 0;
	/* mac_end_offset is the index just past the end of the data to be
	 * MACed. It is derived from the secret data_plus_mac_size and so must
	 * only ever be used through the constant-time masks below. */
	mac_end_offset = data_plus_mac_size + header_length - md_size;
	/* c is the index of the 0x80 byte in the final hash block that
	 * contains application data. */
	c = mac_end_offset % md_block_size;
	/* index_a is the hash block number that contains the 0x80 terminating
	 * value. */
	index_a = mac_end_offset / md_block_size;
	/* index_b is the hash block number that contains the 64-bit hash
	 * length, in bits. */
	index_b = (mac_end_offset + md_length_size) / md_block_size;
	/* bits is the hash-length in bits. It includes the additional hash
	 * block for the masked HMAC key. */

	if (num_blocks > variance_blocks) {
		num_starting_blocks = num_blocks - variance_blocks;
		k = md_block_size*num_starting_blocks;
	}

	bits = 8*mac_end_offset;
	/* Compute the initial HMAC block. */
	bits += 8*md_block_size;
	memset(hmac_pad, 0, md_block_size);
	/* NOTE(review): this bounds the copy by sizeof(hmac_pad) (128), not by
	 * md_block_size; a key longer than md_block_size would be truncated by
	 * the transform below rather than hashed as HMAC specifies. TLS MAC
	 * keys are digest-sized, so this does not arise in practice. */
	OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));
	memcpy(hmac_pad, mac_secret, mac_secret_length);
	/* 0x36 is the HMAC inner pad byte. */
	for (i = 0; i < md_block_size; i++)
		hmac_pad[i] ^= 0x36;

	md_transform(md_state.c, hmac_pad);

	/* Pre-serialise the bit length so the final blocks can be assembled
	 * byte-by-byte with masks. Only the low 32 bits are ever non-zero,
	 * which the assertion on the record size above guarantees. */
	if (length_is_big_endian) {
		memset(length_bytes, 0, md_length_size - 4);
		length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24);
		length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16);
		length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8);
		length_bytes[md_length_size - 1] = (unsigned char)bits;
	} else {
		memset(length_bytes, 0, md_length_size);
		length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24);
		length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16);
		length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8);
		length_bytes[md_length_size - 8] = (unsigned char)bits;
	}

	/* The leading |num_starting_blocks| blocks depend only on public
	 * information, so they can be hashed directly and variably. */
	if (k > 0) {
		/* k is a multiple of md_block_size. */
		memcpy(first_block, header, 13);
		memcpy(first_block + 13, data, md_block_size - 13);
		md_transform(md_state.c, first_block);
		/* Block i of header||data begins 13 bytes earlier in |data|. */
		for (i = 1; i < k/md_block_size; i++)
			md_transform(md_state.c, data + md_block_size*i - 13);
	}

	memset(mac_out, 0, sizeof(mac_out));

	/* We now process the final hash blocks. For each block, we construct
	 * it in constant time. If the |i==index_a| then we'll include the 0x80
	 * bytes and zero pad etc. For each block we selectively copy it, in
	 * constant time, to |mac_out|. */
	for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks; i++) {
		unsigned char block[MAX_HASH_BLOCK_SIZE];
		unsigned char is_block_a = constant_time_eq_8(i, index_a);
		unsigned char is_block_b = constant_time_eq_8(i, index_b);
		for (j = 0; j < md_block_size; j++) {
			unsigned char b = 0, is_past_c, is_past_cp1;
			/* These branches depend only on the public lengths;
			 * bytes beyond the record read as zero. */
			if (k < header_length)
				b = header[k];
			else if (k < data_plus_mac_plus_padding_size + header_length)
				b = data[k - header_length];
			k++;

			is_past_c = is_block_a & constant_time_ge(j, c);
			is_past_cp1 = is_block_a & constant_time_ge(j, c + 1);
			/* If this is the block containing the end of the
			 * application data, and we are at the offset for the
			 * 0x80 value, then overwrite b with 0x80. */
			b = (b&~is_past_c) | (0x80&is_past_c);
			/* If this is the block containing the end of the
			 * application data and we're past the 0x80 value then
			 * just write zero. */
			b = b&~is_past_cp1;
			/* If this is index_b (the final block), but not
			 * index_a (the end of the data), then the 64-bit
			 * length didn't fit into index_a and we're having to
			 * add an extra block of zeros. */
			b &= ~is_block_b | is_block_a;

			/* The final bytes of one of the blocks contains the
			 * length. */
			if (j >= md_block_size - md_length_size) {
				/* If this is index_b, write a length byte. */
				b = (b&~is_block_b) | (is_block_b&length_bytes[j - (md_block_size - md_length_size)]);
			}
			block[j] = b;
		}

		md_transform(md_state.c, block);
		md_final_raw(md_state.c, block);
		/* If this is index_b, copy the hash value to |mac_out|. */
		for (j = 0; j < md_size; j++)
			mac_out[j] |= block[j]&is_block_b;
	}

	/* The outer hash runs over public data only (the key pad and the
	 * inner digest), so the regular EVP interface is fine here. */
	EVP_MD_CTX_init(&md_ctx);
	if (!EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */)) {
		EVP_MD_CTX_cleanup(&md_ctx);
		return 0;
	}

	/* Complete the HMAC in the standard manner. */
	/* hmac_pad currently holds key ^ 0x36; 0x36 ^ 0x6a == 0x5c, so this
	 * turns it into the outer pad key ^ 0x5c in place. */
	for (i = 0; i < md_block_size; i++)
		hmac_pad[i] ^= 0x6a;

	/* NOTE(review): the return values of EVP_DigestUpdate and
	 * EVP_DigestFinal are not checked; a failure would leave md_out
	 * unset while still returning 1. */
	EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
	EVP_DigestUpdate(&md_ctx, mac_out, md_size);

	EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
	if (md_out_size)
		*md_out_size = md_out_size_u;
	EVP_MD_CTX_cleanup(&md_ctx);

	return 1;
}