OpenCoverage

s3_cbc.c

Absolute File Name:/home/opencoverage/opencoverage/guest-scripts/openssl/src/ssl/s3_cbc.c
LineSourceCount
1/*-
2 * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.-
3 *-
4 * Licensed under the OpenSSL license (the "License"). You may not use-
5 * this file except in compliance with the License. You can obtain a copy-
6 * in the file LICENSE in the source distribution or at-
7 * https://www.openssl.org/source/license.html-
8 */-
9-
10#include "internal/constant_time_locl.h"-
11#include "ssl_locl.h"-
12#include "internal/cryptlib.h"-
13-
14#include <openssl/md5.h>-
15#include <openssl/sha.h>-
16-
17/*-
18 * MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's-
19 * length field. (SHA-384/512 have 128-bit length.)-
20 */-
21#define MAX_HASH_BIT_COUNT_BYTES 16-
22-
23/*-
24 * MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.-
25 * Currently SHA-384/512 has a 128-byte block size, and that's the largest-
26 * supported by TLS.-
27 */-
28#define MAX_HASH_BLOCK_SIZE 128-
29-
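/*
 * u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
 * little-endian order. The value of p is advanced by four.
 *
 * (n) is parenthesised in every use so that an expression argument such as
 * `a | b` is shifted as a whole rather than having the shift bind to its
 * last operand. (n) is still evaluated four times and (p) is modified, so
 * neither argument may have side effects.
 */
#define u32toLE(n, p) \
    (*((p)++) = (unsigned char)(n), \
     *((p)++) = (unsigned char)((n) >> 8), \
     *((p)++) = (unsigned char)((n) >> 16), \
     *((p)++) = (unsigned char)((n) >> 24))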
39-
40/*-
41 * These functions serialize the state of a hash and thus perform the-
42 * standard "final" operation without adding the padding and length that such-
43 * a function typically does.-
44 */-
/*
 * Write the four MD5 chaining words A, B, C, D held in |ctx| to |md_out| as
 * 16 bytes, each word little-endian (via u32toLE). No padding or length
 * field is added; the context is only read.
 *
 * Coverage in this report: never executed.
 */
static void tls1_md5_final_raw(void *ctx, unsigned char *md_out)
{
    const MD5_CTX *state = ctx;
    unsigned char *out = md_out;    /* u32toLE advances this cursor */

    u32toLE(state->A, out);
    u32toLE(state->B, out);
    u32toLE(state->C, out);
    u32toLE(state->D, out);
}
53-
/*
 * Write the five SHA-1 chaining words h0..h4 held in |ctx| to |md_out|
 * (20 bytes) using l2n, which is defined outside this file (presumably
 * big-endian / network order - confirm in ssl_locl.h). No padding or length
 * field is added; the context is only read.
 *
 * Coverage in this report: executed 1078 times, by libssl.so.1.1.
 */
static void tls1_sha1_final_raw(void *ctx, unsigned char *md_out)
{
    const SHA_CTX *state = ctx;
    unsigned char *out = md_out;    /* l2n advances this cursor */

    l2n(state->h0, out);
    l2n(state->h1, out);
    l2n(state->h2, out);
    l2n(state->h3, out);
    l2n(state->h4, out);
}
63-
/*
 * Write all eight chaining words h[0..7] of the SHA256_CTX in |ctx| to
 * |md_out| (32 bytes) using l2n. ssl3_cbc_digest_record also selects this
 * writer for SHA-224, so 32 bytes are written in that case too and the
 * caller keeps only md_size of them.
 *
 * Coverage in this report: executed 364 times (2912 word writes), by
 * libssl.so.1.1.
 */
static void tls1_sha256_final_raw(void *ctx, unsigned char *md_out)
{
    const SHA256_CTX *state = ctx;
    unsigned char *out = md_out;    /* l2n advances this cursor */
    unsigned word = 0;

    while (word < 8) {
        l2n(state->h[word], out);
        word++;
    }
}
73-
/*
 * Write all eight chaining words h[0..7] of the SHA512_CTX in |ctx| to
 * |md_out| (64 bytes) using l2n8. ssl3_cbc_digest_record also selects this
 * writer for SHA-384, so 64 bytes are written in that case too and the
 * caller keeps only md_size of them.
 *
 * Coverage in this report: executed 105 times (840 word writes), by
 * libssl.so.1.1.
 */
static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
{
    const SHA512_CTX *state = ctx;
    unsigned char *out = md_out;    /* l2n8 advances this cursor */
    unsigned word = 0;

    while (word < 8) {
        l2n8(state->h[word], out);
        word++;
    }
}
83-
84#undef LARGEST_DIGEST_CTX-
85#define LARGEST_DIGEST_CTX SHA512_CTX-
86-
/*
 * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
 * which ssl3_cbc_digest_record supports (MD5, SHA-1, SHA-224, SHA-256,
 * SHA-384 or SHA-512), and 0 otherwise. Callers are expected to check this
 * before calling ssl3_cbc_digest_record.
 *
 * Coverage in this report: 221 calls, all returning 1 (SHA-1 154, SHA-256
 * 52, SHA-384 15). The MD5, SHA-224 and SHA-512 cases and the unsupported
 * (return 0) path were never executed.
 */
char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
{
    const int nid = EVP_MD_CTX_type(ctx);

    if (nid == NID_md5 || nid == NID_sha1 || nid == NID_sha224
        || nid == NID_sha256 || nid == NID_sha384 || nid == NID_sha512)
        return 1;

    return 0;
}
105-
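/*-
 * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
 * record.
 *
 *   ctx: the EVP_MD_CTX from which we take the hash function.
 *     ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
 *   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
 *   md_out_size: if non-NULL, the number of output bytes is written here.
 *   header: the 13-byte, TLS record header. For SSLv3 this function reads
 *     header_length (mac_secret_length + pad length + 11) bytes from it, so
 *     the caller must supply a buffer of that size despite the [13] here.
 *   data: the record data itself, less any preceding explicit IV.
 *   data_plus_mac_size: the secret, reported length of the data and MAC
 *     once the padding has been removed.
 *   data_plus_mac_plus_padding_size: the public length of the whole
 *     record, including padding.
 *   mac_secret, mac_secret_length: the MAC key. For TLS it must fit in one
 *     hash block (checked against sizeof(hmac_pad)).
 *   is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
 *
 * On entry: by virtue of having been through one of the remove_padding
 * functions, above, we know that data_plus_mac_size is large enough to contain
 * a padding byte and MAC. (If the padding was invalid, it might contain the
 * padding too.)
 *
 * The amount of work done depends only on the public length
 * data_plus_mac_plus_padding_size; the secret data_plus_mac_size is used
 * only to derive values that are compared through the constant_time_*
 * helpers, so loop counts and branches do not depend on it.
 *
 * Returns 1 on success or 0 on error. A failing EVP_DigestFinal is reported
 * as an error, so |md_out| is never presented as valid when the final hash
 * was not produced.
 *
 * Coverage in this report (221 calls from libssl.so.1.1): only the TLS path
 * ran, with SHA-1 (154), SHA-256 (52) and SHA-384 (15). The MD5, SHA-224 and
 * SHA-512 cases, every is_sslv3 branch, the little-endian length branch and
 * every error return were never executed. The k > 0 fast path was taken 34
 * times.
 */
int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
                           unsigned char *md_out,
                           size_t *md_out_size,
                           const unsigned char header[13],
                           const unsigned char *data,
                           size_t data_plus_mac_size,
                           size_t data_plus_mac_plus_padding_size,
                           const unsigned char *mac_secret,
                           size_t mac_secret_length, char is_sslv3)
{
    /* Raw storage for the low-level hash context, aligned via |align|. */
    union {
        double align;
        unsigned char c[sizeof(LARGEST_DIGEST_CTX)];
    } md_state;
    void (*md_final_raw) (void *ctx, unsigned char *md_out);
    void (*md_transform) (void *ctx, const unsigned char *block);
    size_t md_size, md_block_size = 64;
    size_t sslv3_pad_length = 40, header_length, variance_blocks,
        len, max_mac_bytes, num_blocks,
        num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
    size_t bits;                /* at most 18 bits */
    unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
    /*
     * hmac_pad is the masked HMAC key.
     * NOTE(review): hmac_pad, first_block, mac_out and md_state hold
     * key-derived data and are left on the stack on every return path;
     * consider wiping them (e.g. OPENSSL_cleanse) before returning.
     */
    unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
    unsigned char first_block[MAX_HASH_BLOCK_SIZE];
    unsigned char mac_out[EVP_MAX_MD_SIZE];
    size_t i, j;
    unsigned md_out_size_u;
    EVP_MD_CTX *md_ctx = NULL;
    /*
     * md_length_size is the number of bytes in the length field that
     * terminates the hash.
     */
    size_t md_length_size = 8;
    char length_is_big_endian = 1;
    int ret;

    /*
     * This is a, hopefully redundant, check that allows us to forget about
     * many possible overflows later in this function.
     */
    if (!ossl_assert(data_plus_mac_plus_padding_size < 1024 * 1024))
        return 0;

    /*
     * Pick the low-level init/transform/serialise routines and the sizes for
     * the hash in use. The defaults above (64-byte block, 8-byte big-endian
     * length, 40-byte SSLv3 pad) are overridden per hash where they differ.
     */
    switch (EVP_MD_CTX_type(ctx)) {
    case NID_md5:
        if (MD5_Init((MD5_CTX *)md_state.c) <= 0)
            return 0;
        md_final_raw = tls1_md5_final_raw;
        md_transform =
            (void (*)(void *ctx, const unsigned char *block))MD5_Transform;
        md_size = 16;
        sslv3_pad_length = 48;
        length_is_big_endian = 0;
        break;
    case NID_sha1:
        if (SHA1_Init((SHA_CTX *)md_state.c) <= 0)
            return 0;
        md_final_raw = tls1_sha1_final_raw;
        md_transform =
            (void (*)(void *ctx, const unsigned char *block))SHA1_Transform;
        md_size = 20;
        break;
    case NID_sha224:
        if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0)
            return 0;
        md_final_raw = tls1_sha256_final_raw;
        md_transform =
            (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
        md_size = 224 / 8;
        break;
    case NID_sha256:
        if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0)
            return 0;
        md_final_raw = tls1_sha256_final_raw;
        md_transform =
            (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
        md_size = 32;
        break;
    case NID_sha384:
        if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0)
            return 0;
        md_final_raw = tls1_sha512_final_raw;
        md_transform =
            (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
        md_size = 384 / 8;
        md_block_size = 128;
        md_length_size = 16;
        break;
    case NID_sha512:
        if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0)
            return 0;
        md_final_raw = tls1_sha512_final_raw;
        md_transform =
            (void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
        md_size = 64;
        md_block_size = 128;
        md_length_size = 16;
        break;
    default:
        /*
         * ssl3_cbc_record_digest_supported should have been called first to
         * check that the hash function is supported.
         */
        if (md_out_size != NULL)
            *md_out_size = 0;
        return ossl_assert(0);
    }

    /* The fixed-size stack buffers below are sized by these maxima. */
    if (!ossl_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES)
            || !ossl_assert(md_block_size <= MAX_HASH_BLOCK_SIZE)
            || !ossl_assert(md_size <= EVP_MAX_MD_SIZE))
        return 0;

    header_length = 13;
    if (is_sslv3) {
        header_length = mac_secret_length + sslv3_pad_length
            + 8                 /* sequence number */
            + 1                 /* record type */
            + 2;                /* record length */
    }

    /*
     * variance_blocks is the number of blocks of the hash that we have to
     * calculate in constant time because they could be altered by the
     * padding value. In SSLv3, the padding must be minimal so the end of
     * the plaintext varies by, at most, 15+20 = 35 bytes. (We conservatively
     * assume that the MAC size varies from 0..20 bytes.) In case the 9 bytes
     * of hash termination (0x80 + 64-bit length) don't fit in the final
     * block, we say that the final two blocks can vary based on the padding.
     * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
     * required to be minimal. Therefore we say that the final six blocks can
     * vary based on the padding. Later in the function, if the message is
     * short and there obviously cannot be this many blocks then
     * variance_blocks can be reduced.
     */
    variance_blocks = is_sslv3 ? 2 : 6;
    /*
     * From now on we're dealing with the MAC, which conceptually has 13
     * bytes of `header' before the start of the data (TLS) or 71/75 bytes
     * (SSLv3)
     */
    len = data_plus_mac_plus_padding_size + header_length;
    /*
     * max_mac_bytes contains the maximum number of bytes in the MAC,
     * including |header|, assuming that there's no padding.
     */
    max_mac_bytes = len - md_size - 1;
    /* num_blocks is the maximum number of hash blocks. */
    num_blocks =
        (max_mac_bytes + 1 + md_length_size + md_block_size -
         1) / md_block_size;
    /*
     * In order to calculate the MAC in constant time we have to handle the
     * final blocks specially because the padding value could cause the end
     * to appear somewhere in the final |variance_blocks| blocks and we can't
     * leak where. However, |num_starting_blocks| worth of data can be hashed
     * right away because no padding value can affect whether they are
     * plaintext.
     */
    num_starting_blocks = 0;
    /*
     * k is the starting byte offset into the conceptual header||data where
     * we start processing.
     */
    k = 0;
    /*
     * mac_end_offset is the index just past the end of the data to be MACed.
     * It is derived from the secret data_plus_mac_size, as are c, index_a
     * and index_b below.
     */
    mac_end_offset = data_plus_mac_size + header_length - md_size;
    /*
     * c is the index of the 0x80 byte in the final hash block that contains
     * application data.
     */
    c = mac_end_offset % md_block_size;
    /*
     * index_a is the hash block number that contains the 0x80 terminating
     * value.
     */
    index_a = mac_end_offset / md_block_size;
    /*
     * index_b is the hash block number that contains the 64-bit hash length,
     * in bits.
     */
    index_b = (mac_end_offset + md_length_size) / md_block_size;

    /*
     * For SSLv3, if we're going to have any starting blocks then we need at
     * least two because the header is larger than a single block.
     */
    if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) {
        num_starting_blocks = num_blocks - variance_blocks;
        k = md_block_size * num_starting_blocks;
    }

    /*
     * bits is the hash-length in bits. It includes the additional hash block
     * for the masked HMAC key, or whole of |header| in the case of SSLv3.
     */
    bits = 8 * mac_end_offset;
    if (!is_sslv3) {
        /*
         * Compute the initial HMAC block. For SSLv3, the padding and secret
         * bytes are included in |header| because they take more than a
         * single block.
         */
        bits += 8 * md_block_size;
        memset(hmac_pad, 0, md_block_size);
        /* Bound the key copy by the destination buffer. */
        if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad)))
            return 0;
        memcpy(hmac_pad, mac_secret, mac_secret_length);
        for (i = 0; i < md_block_size; i++)
            hmac_pad[i] ^= 0x36;

        md_transform(md_state.c, hmac_pad);
    }

    /*
     * Serialise the low 32 bits of |bits| into the hash's length field; the
     * 1 MiB bound checked on entry is what keeps the record contribution
     * small enough for that.
     */
    if (length_is_big_endian) {
        memset(length_bytes, 0, md_length_size - 4);
        length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24);
        length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16);
        length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8);
        length_bytes[md_length_size - 1] = (unsigned char)bits;
    } else {
        memset(length_bytes, 0, md_length_size);
        length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24);
        length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16);
        length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8);
        length_bytes[md_length_size - 8] = (unsigned char)bits;
    }

    /*
     * Hash the leading blocks that cannot be affected by padding. k is
     * computed from public lengths only, so this branch is not secret
     * dependent.
     */
    if (k > 0) {
        if (is_sslv3) {
            size_t overhang;

            /*
             * The SSLv3 header is larger than a single block. overhang is
             * the number of bytes beyond a single block that the header
             * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no
             * ciphersuites in SSLv3 that are not SHA1 or MD5 based and
             * therefore we can be confident that the header_length will be
             * greater than |md_block_size|. However we add a sanity check just
             * in case
             */
            if (header_length <= md_block_size) {
                /* Should never happen */
                return 0;
            }
            overhang = header_length - md_block_size;
            md_transform(md_state.c, header);
            memcpy(first_block, header + md_block_size, overhang);
            memcpy(first_block + overhang, data, md_block_size - overhang);
            md_transform(md_state.c, first_block);
            for (i = 1; i < k / md_block_size - 1; i++)
                md_transform(md_state.c, data + md_block_size * i - overhang);
        } else {
            /* k is a multiple of md_block_size. */
            memcpy(first_block, header, 13);
            memcpy(first_block + 13, data, md_block_size - 13);
            md_transform(md_state.c, first_block);
            for (i = 1; i < k / md_block_size; i++)
                md_transform(md_state.c, data + md_block_size * i - 13);
        }
    }

    memset(mac_out, 0, sizeof(mac_out));

    /*
     * We now process the final hash blocks. For each block, we construct it
     * in constant time. If the |i==index_a| then we'll include the 0x80
     * bytes and zero pad etc. For each block we selectively copy it, in
     * constant time, to |mac_out|.
     */
    for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks;
         i++) {
        unsigned char block[MAX_HASH_BLOCK_SIZE];
        /* Used below as byte masks selecting this block or not. */
        unsigned char is_block_a = constant_time_eq_8_s(i, index_a);
        unsigned char is_block_b = constant_time_eq_8_s(i, index_b);
        for (j = 0; j < md_block_size; j++) {
            unsigned char b = 0, is_past_c, is_past_cp1;
            /*
             * These two comparisons use only k and public lengths, so the
             * branch pattern does not reveal the padding length. Bytes past
             * the end of the record read as zero.
             */
            if (k < header_length)
                b = header[k];
            else if (k < data_plus_mac_plus_padding_size + header_length)
                b = data[k - header_length];
            k++;

            is_past_c = is_block_a & constant_time_ge_8_s(j, c);
            is_past_cp1 = is_block_a & constant_time_ge_8_s(j, c + 1);
            /*
             * If this is the block containing the end of the application
             * data, and we are at the offset for the 0x80 value, then
             * overwrite b with 0x80.
             */
            b = constant_time_select_8(is_past_c, 0x80, b);
            /*
             * If this block contains the end of the application data
             * and we're past the 0x80 value then just write zero.
             */
            b = b & ~is_past_cp1;
            /*
             * If this is index_b (the final block), but not index_a (the end
             * of the data), then the 64-bit length didn't fit into index_a
             * and we're having to add an extra block of zeros.
             */
            b &= ~is_block_b | is_block_a;

            /*
             * The final bytes of one of the blocks contains the length.
             */
            if (j >= md_block_size - md_length_size) {
                /* If this is index_b, write a length byte. */
                b = constant_time_select_8(is_block_b,
                                           length_bytes[j -
                                                        (md_block_size -
                                                         md_length_size)], b);
            }
            block[j] = b;
        }

        md_transform(md_state.c, block);
        md_final_raw(md_state.c, block);
        /* If this is index_b, copy the hash value to |mac_out|. */
        for (j = 0; j < md_size; j++)
            mac_out[j] |= block[j] & is_block_b;
    }

    /* mac_out now holds the inner hash; finish with the outer hash via EVP. */
    md_ctx = EVP_MD_CTX_new();
    if (md_ctx == NULL)
        goto err;
    if (EVP_DigestInit_ex(md_ctx, EVP_MD_CTX_md(ctx), NULL /* engine */ ) <= 0)
        goto err;
    if (is_sslv3) {
        /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
        memset(hmac_pad, 0x5c, sslv3_pad_length);

        if (EVP_DigestUpdate(md_ctx, mac_secret, mac_secret_length) <= 0
                || EVP_DigestUpdate(md_ctx, hmac_pad, sslv3_pad_length) <= 0
                || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
            goto err;
    } else {
        /*
         * Complete the HMAC in the standard manner. hmac_pad currently holds
         * key ^ 0x36, so XOR with 0x6a (0x36 ^ 0x5c) turns it into key ^ 0x5c.
         */
        for (i = 0; i < md_block_size; i++)
            hmac_pad[i] ^= 0x6a;

        if (EVP_DigestUpdate(md_ctx, hmac_pad, md_block_size) <= 0
                || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
            goto err;
    }
    /* TODO(size_t): Convert me */
    ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u);
    /*
     * A failed final must not be reported as success: the caller would
     * otherwise compare the record's MAC against whatever |md_out| held.
     */
    if (ret <= 0)
        goto err;
    if (md_out_size != NULL)
        *md_out_size = md_out_size_u;
    EVP_MD_CTX_free(md_ctx);

    return 1;
 err:
    EVP_MD_CTX_free(md_ctx);
    return 0;
}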

Generated by Squish Coco 4.2.2