Loading ssl/s3_cbc.c +51 −0 Original line number Diff line number Diff line Loading @@ -368,6 +368,10 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) * which ssl3_cbc_digest_record supports. */ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) { #ifdef OPENSSL_FIPS if (FIPS_mode()) return 0; #endif switch (ctx->digest->type) { case NID_md5: Loading Loading @@ -694,3 +698,50 @@ void ssl3_cbc_digest_record( *md_out_size = md_out_size_u; EVP_MD_CTX_cleanup(&md_ctx); } #ifndef OPENSSL_FIPS /* Due to the need to use EVP in FIPS mode we can't reimplement digests but * we can ensure the number of blocks processed is equal for all cases * by digesting additional data. */ void tls_fips_digest_extra( const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, const unsigned char *data, size_t data_len, size_t orig_len) { size_t block_size, digest_pad, blocks_data, blocks_orig; if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE) return; block_size = EVP_MD_CTX_block_size(mac_ctx); /* We are in FIPS mode if we get this far so we know we have only SHA* * digests and TLS to deal with. * Minimum digest padding length is 17 for SHA384/SHA512 and 9 * otherwise. * Additional header is 13 bytes. To get the number of digest blocks * processed round up the amount of data plus padding to the nearest * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise. * So we have: * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size * equivalently: * blocks = (payload_len + digest_pad + 12)/block_size + 1 * HMAC adds a constant overhead. * We're ultimately only interested in differences so this becomes * blocks = (payload_len + 29)/128 * for SHA384/SHA512 and * blocks = (payload_len + 21)/64 * otherwise. */ digest_pad = block_size == 64 ? 21 : 29; blocks_orig = (orig_len + digest_pad)/block_size; blocks_data = (data_len + digest_pad)/block_size; /* MAC enough blocks to make up the difference between the original * and actual lengths plus one extra block to ensure this is never a * no op. The "data" pointer should always have enough space to * perform this operation as it is large enough for a maximum * length TLS buffer. */ EVP_DigestSignUpdate(mac_ctx, data, (blocks_orig - blocks_data + 1) * block_size); } #endif ssl/ssl_locl.h +4 −0 Original line number Diff line number Diff line Loading @@ -1167,4 +1167,8 @@ void ssl3_cbc_digest_record( unsigned mac_secret_length, char is_sslv3); void tls_fips_digest_extra( const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, const unsigned char *data, size_t data_len, size_t orig_len); #endif ssl/t1_enc.c +7 −0 Original line number Diff line number Diff line Loading @@ -1025,6 +1025,13 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); t=EVP_DigestSignFinal(mac_ctx,md,&md_size); OPENSSL_assert(t > 0); #ifdef OPENSSL_FIPS if (!send && FIPS_mode()) tls_fips_digest_extra( ssl->enc_read_ctx, mac_ctx, rec->input, rec->length, rec->orig_len); #endif } if (!stream_mac) Loading util/libeay.num +1 −0 Original line number Diff line number Diff line Loading @@ -3510,6 +3510,7 @@ BIO_get_callback_arg 3902 EXIST::FUNCTION: BIO_set_callback 3903 EXIST::FUNCTION: d2i_ASIdOrRange 3904 EXIST::FUNCTION:RFC3779 i2d_ASIdentifiers 3905 EXIST::FUNCTION:RFC3779 CRYPTO_memcmp 3906 EXIST::FUNCTION: SEED_decrypt 3908 EXIST::FUNCTION:SEED SEED_encrypt 3909 EXIST::FUNCTION:SEED SEED_cbc_encrypt 3910 EXIST::FUNCTION:SEED Loading Loading
ssl/s3_cbc.c +51 −0 Original line number Diff line number Diff line Loading @@ -368,6 +368,10 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) * which ssl3_cbc_digest_record supports. */ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) { #ifdef OPENSSL_FIPS if (FIPS_mode()) return 0; #endif switch (ctx->digest->type) { case NID_md5: Loading Loading @@ -694,3 +698,50 @@ void ssl3_cbc_digest_record( *md_out_size = md_out_size_u; EVP_MD_CTX_cleanup(&md_ctx); } #ifndef OPENSSL_FIPS /* Due to the need to use EVP in FIPS mode we can't reimplement digests but * we can ensure the number of blocks processed is equal for all cases * by digesting additional data. */ void tls_fips_digest_extra( const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, const unsigned char *data, size_t data_len, size_t orig_len) { size_t block_size, digest_pad, blocks_data, blocks_orig; if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE) return; block_size = EVP_MD_CTX_block_size(mac_ctx); /* We are in FIPS mode if we get this far so we know we have only SHA* * digests and TLS to deal with. * Minimum digest padding length is 17 for SHA384/SHA512 and 9 * otherwise. * Additional header is 13 bytes. To get the number of digest blocks * processed round up the amount of data plus padding to the nearest * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise. * So we have: * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size * equivalently: * blocks = (payload_len + digest_pad + 12)/block_size + 1 * HMAC adds a constant overhead. * We're ultimately only interested in differences so this becomes * blocks = (payload_len + 29)/128 * for SHA384/SHA512 and * blocks = (payload_len + 21)/64 * otherwise. */ digest_pad = block_size == 64 ? 21 : 29; blocks_orig = (orig_len + digest_pad)/block_size; blocks_data = (data_len + digest_pad)/block_size; /* MAC enough blocks to make up the difference between the original * and actual lengths plus one extra block to ensure this is never a * no op. The "data" pointer should always have enough space to * perform this operation as it is large enough for a maximum * length TLS buffer. */ EVP_DigestSignUpdate(mac_ctx, data, (blocks_orig - blocks_data + 1) * block_size); } #endif
ssl/ssl_locl.h +4 −0 Original line number Diff line number Diff line Loading @@ -1167,4 +1167,8 @@ void ssl3_cbc_digest_record( unsigned mac_secret_length, char is_sslv3); void tls_fips_digest_extra( const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, const unsigned char *data, size_t data_len, size_t orig_len); #endif
ssl/t1_enc.c +7 −0 Original line number Diff line number Diff line Loading @@ -1025,6 +1025,13 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); t=EVP_DigestSignFinal(mac_ctx,md,&md_size); OPENSSL_assert(t > 0); #ifdef OPENSSL_FIPS if (!send && FIPS_mode()) tls_fips_digest_extra( ssl->enc_read_ctx, mac_ctx, rec->input, rec->length, rec->orig_len); #endif } if (!stream_mac) Loading
util/libeay.num +1 −0 Original line number Diff line number Diff line Loading @@ -3510,6 +3510,7 @@ BIO_get_callback_arg 3902 EXIST::FUNCTION: BIO_set_callback 3903 EXIST::FUNCTION: d2i_ASIdOrRange 3904 EXIST::FUNCTION:RFC3779 i2d_ASIdentifiers 3905 EXIST::FUNCTION:RFC3779 CRYPTO_memcmp 3906 EXIST::FUNCTION: SEED_decrypt 3908 EXIST::FUNCTION:SEED SEED_encrypt 3909 EXIST::FUNCTION:SEED SEED_cbc_encrypt 3910 EXIST::FUNCTION:SEED Loading
