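/* A TLS CBC record looks like ..
 *
 * [ Payload data ] [ HMAC ] [ Padding ] [ Padding length byte ]
 *
 * Each byte in the padding is expected to be set to the same value
 * as the padding length byte. So if the padding length byte is '2'
 * then the padding will be [ '2', '2' ] (there'll be three bytes
 * set to that value if you include the padding length byte).
 *
 * The goal of s2n_verify_cbc() is to verify that the padding and hmac
 * are correct, without leaking (via timing) how much padding there
 * actually is: as this is considered secret.
 *
 * In addition to our efforts here though, s2n also wraps any CBC
 * verification error (or record parsing error in general) with
 * a randomized delay of between 1ms and 10 seconds. See s2n_connection.c.
 * This amount of delay randomization is sufficient to increase the
 * complexity of attack for even a 1 microsecond timing leak (which
 * is quite large) by a factor of around 83 trillion.
 *
 * Parameters:
 *   conn      - the connection; only actual_protocol_version is read here.
 *   hmac      - HMAC state that the caller has already keyed and fed with
 *               the record header; this function appends the payload and
 *               finalizes it (the state is consumed).
 *   decrypted - the decrypted record body: payload || MAC || padding || padlen.
 *
 * Returns 0 when the MAC (and, for TLS, the padding) verifies, otherwise
 * -1 with s2n_errno set to S2N_ERR_CBC_VERIFY. Both checks are always
 * performed; a single flag is OR-ed together so that the failure path does
 * not reveal which check failed.
 */
int s2n_verify_cbc(struct s2n_connection *conn, struct s2n_hmac_state *hmac, struct s2n_blob *decrypted)
{
    struct s2n_hmac_state copy;
    int mac_digest_size = s2n_hmac_digest_size(hmac->alg);

    /* The record has to be at least big enough to contain the MAC,
     * plus the padding length byte */
    gt_check(decrypted->size, mac_digest_size);

    int payload_and_padding_size = decrypted->size - mac_digest_size;

    /* Determine what the padding length is. The byte is attacker controlled,
     * so it is clamped rather than trusted: a claimed padding longer than the
     * record yields a zero-length payload here and is then rejected by the
     * padding scan below (the MAC will not match either). */
    uint8_t padding_length = decrypted->data[decrypted->size - 1];
    int payload_length = MAX(payload_and_padding_size - padding_length - 1, 0);

    /* Update the MAC */
    GUARD(s2n_hmac_update(hmac, decrypted->data, payload_length));
    GUARD(s2n_hmac_copy(&copy, hmac));

    /* Check the MAC */
    uint8_t check_digest[S2N_MAX_DIGEST_LEN];
    lte_check(mac_digest_size, sizeof(check_digest));
    GUARD(s2n_hmac_digest_two_compression_rounds(hmac, check_digest, mac_digest_size));

    /* s2n_constant_time_equals() yields 1 on a match (and is assumed to be
     * constant time, as its name says), so flip it into a "mismatch" flag
     * that the padding check below ORs into. */
    int mismatches = s2n_constant_time_equals(decrypted->data + payload_length, check_digest, mac_digest_size) ^ 1;

    /* Compute a MAC on the rest of the data so that we
     * perform the same number of hash operations regardless of how long the
     * padding claims to be. The copy is only updated, never finalized; the
     * "two compression rounds" digest above is what fixes the finalization
     * cost. */
    GUARD(s2n_hmac_update(&copy, decrypted->data + payload_length + mac_digest_size, decrypted->size - payload_length - mac_digest_size - 1));

    /* SSLv3 doesn't specify what the padding should actually be, so only the
     * MAC result counts. Report it the same way as the TLS path below so the
     * caller sees s2n_errno set instead of a bare -1. */
    if (conn->actual_protocol_version == S2N_SSLv3) {
        if (mismatches) {
            S2N_ERROR(S2N_ERR_CBC_VERIFY);
        }
        return 0;
    }

    /* Check the maximum amount that could theoretically be padding: the whole
     * tail after the MAC (minus the length byte), capped at 255. Scanning a
     * window whose size depends only on the record length keeps the work
     * independent of padding_length. */
    int check = MIN(255, (payload_and_padding_size - 1));
    int cutoff = check - padding_length;
    for (int i = 0, j = decrypted->size - 1 - check; i < check && j < decrypted->size; i++, j++) {
        /* Positions before the cutoff are payload, not padding: mask their
         * comparison result to zero instead of branching on i. When the
         * claimed padding exceeds the window, cutoff is negative and every
         * byte is compared, which is what we want. */
        uint8_t mask = ~(0xff << ((i >= cutoff) * 8));
        mismatches |= (decrypted->data[j] ^ padding_length) & mask;
    }

    if (mismatches) {
        S2N_ERROR(S2N_ERR_CBC_VERIFY);
    }

    return 0;
}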
/* TLS P_hash (RFC 5246 section 5): expands `secret` over
 * label || seed_a [|| seed_b] with HMAC-<alg> and XORs the resulting
 * key stream into out->data, out->size bytes in total.
 *
 * XOR rather than overwrite: the caller is expected to either pre-zero
 * the output or to combine two P_hash streams in the same buffer (the
 * TLS 1.0/1.1 PRF is P_MD5 xor P_SHA1) -- confirm at the call site.
 *
 * ws->tls.digest0 holds A(i), ws->tls.digest1 the current P block.
 * Returns 0 on success, or the first failing GUARD()ed HMAC call's result.
 */
static int s2n_p_hash(union s2n_prf_working_space *ws, s2n_hmac_algorithm alg, struct s2n_blob *secret, struct s2n_blob *label, struct s2n_blob *seed_a, struct s2n_blob *seed_b, struct s2n_blob *out)
{
    struct s2n_hmac_state *state = &ws->tls.hmac;
    uint32_t hash_len = s2n_hmac_digest_size(alg);
    uint8_t *a_block = ws->tls.digest0;
    uint8_t *p_block = ws->tls.digest1;

    /* A(1) = HMAC(secret, A(0)), with A(0) = label || seed */
    GUARD(s2n_hmac_init(state, alg, secret->data, secret->size));
    GUARD(s2n_hmac_update(state, label->data, label->size));
    GUARD(s2n_hmac_update(state, seed_a->data, seed_a->size));
    if (seed_b) {
        GUARD(s2n_hmac_update(state, seed_b->data, seed_b->size));
    }
    GUARD(s2n_hmac_digest(state, a_block, hash_len));

    uint8_t *cursor = out->data;
    uint32_t remaining = out->size;

    while (remaining) {
        /* P block i = HMAC(secret, A(i) || label || seed) */
        GUARD(s2n_hmac_reset(state));
        GUARD(s2n_hmac_update(state, a_block, hash_len));
        GUARD(s2n_hmac_update(state, label->data, label->size));
        GUARD(s2n_hmac_update(state, seed_a->data, seed_a->size));
        if (seed_b) {
            GUARD(s2n_hmac_update(state, seed_b->data, seed_b->size));
        }
        GUARD(s2n_hmac_digest(state, p_block, hash_len));

        /* Fold this block into the output; the last block may be partial */
        uint32_t chunk = MIN(remaining, hash_len);
        for (uint32_t k = 0; k < chunk; k++) {
            cursor[k] ^= p_block[k];
        }
        cursor += chunk;
        remaining -= chunk;

        /* A(i+1) = HMAC(secret, A(i)), computed in place */
        GUARD(s2n_hmac_reset(state));
        GUARD(s2n_hmac_update(state, a_block, hash_len));
        GUARD(s2n_hmac_digest(state, a_block, hash_len));
    }

    return 0;
}
/* Frame, MAC and encrypt one TLS record of type `content_type` from the
 * front of `in` into conn->out.
 *
 * Only as much of `in` as fits in one record is consumed; the number of
 * payload bytes taken is returned (0 or more), -1 on error. The caller is
 * expected to loop until the whole blob has been sent.
 *
 * Preconditions: conn->out must be empty (an unsent record still buffered
 * there is rejected with S2N_ERR_BAD_MESSAGE); the per-direction MAC
 * state, key, cipher suite, sequence number and implicit IV are selected
 * from conn->client or conn->server according to conn->mode.
 *
 * Record layouts produced, by cipher type:
 *   S2N_STREAM    : [hdr][ payload | MAC ]                  (encrypted part in brackets)
 *   S2N_CBC       : [hdr][explicit IV, TLS1.1+]{ payload | MAC | padding | padlen }
 *   S2N_COMPOSITE : as CBC, but the cipher computes MAC and padding itself
 *   S2N_AEAD      : [hdr][record IV, if any]{ payload | tag }
 */
int s2n_record_write(struct s2n_connection *conn, uint8_t content_type, struct s2n_blob *in)
{
    struct s2n_blob out, iv, aad;
    uint8_t padding = 0;
    uint16_t block_size = 0;
    uint8_t aad_gen[S2N_TLS_MAX_AAD_LEN] = { 0 };
    uint8_t aad_iv[S2N_TLS_MAX_IV_LEN] = { 0 };
    uint8_t *sequence_number = conn->server->server_sequence_number;
    struct s2n_hmac_state *mac = &conn->server->server_record_mac;
    struct s2n_session_key *session_key = &conn->server->server_key;
    const struct s2n_cipher_suite *cipher_suite = conn->server->cipher_suite;
    uint8_t *implicit_iv = conn->server->server_implicit_iv;

    /* Write direction: a client encrypts with the client-side keys */
    if (conn->mode == S2N_CLIENT) {
        sequence_number = conn->client->client_sequence_number;
        mac = &conn->client->client_record_mac;
        session_key = &conn->client->client_key;
        cipher_suite = conn->client->cipher_suite;
        implicit_iv = conn->client->client_implicit_iv;
    }

    /* Refuse to overwrite a record that has not been flushed yet */
    S2N_ERROR_IF(s2n_stuffer_data_available(&conn->out), S2N_ERR_BAD_MESSAGE);

    uint8_t mac_digest_size;
    GUARD(s2n_hmac_digest_size(mac->alg, &mac_digest_size));

    /* Before we do anything, we need to figure out what the length of the
     * fragment is going to be.
     */
    uint16_t data_bytes_to_take = MIN(in->size, s2n_record_max_write_payload_size(conn));
    uint16_t extra = overhead(conn);

    /* If we have padding to worry about, figure that out too.
     * `extra` (MAC plus, presumably, the padding length byte -- see overhead())
     * is included so that payload + MAC + padding + padlen is block aligned.
     * When it already is, padding stays 0 and only the length byte is added. */
    if (cipher_suite->record_alg->cipher->type == S2N_CBC) {
        block_size = cipher_suite->record_alg->cipher->io.cbc.block_size;
        if (((data_bytes_to_take + extra) % block_size)) {
            padding = block_size - ((data_bytes_to_take + extra) % block_size);
        }
    } else if (cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
        block_size = cipher_suite->record_alg->cipher->io.comp.block_size;
    }

    /* Start the MAC with the sequence number */
    GUARD(s2n_hmac_update(mac, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));

    /* Now that we know the length, start writing the record */
    GUARD(s2n_stuffer_write_uint8(&conn->out, content_type));
    GUARD(s2n_record_write_protocol_version(conn));

    /* First write a header that has the payload length, this is for the MAC.
     * The MAC covers the plaintext fragment length (RFC 5246 6.2.3.1), not the
     * on-wire length, which is why the field is rewritten further down. */
    GUARD(s2n_stuffer_write_uint16(&conn->out, data_bytes_to_take));

    if (conn->actual_protocol_version > S2N_SSLv3) {
        GUARD(s2n_hmac_update(mac, conn->out.blob.data, S2N_TLS_RECORD_HEADER_LENGTH));
    } else {
        /* SSLv3 doesn't include the protocol version in the MAC:
         * hash the type byte, skip the two version bytes, hash the length */
        GUARD(s2n_hmac_update(mac, conn->out.blob.data, 1));
        GUARD(s2n_hmac_update(mac, conn->out.blob.data + 3, 2));
    }

    /* Compute non-payload parts of the MAC(seq num, type, proto vers, fragment length) for composite ciphers.
     * Composite "encrypt" will MAC the payload data and fill in padding.
     */
    if (cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
        /* Only fragment length is needed for MAC, but the EVP ctrl function needs fragment length + eiv len.
         */
        uint16_t payload_and_eiv_len = data_bytes_to_take;
        if (conn->actual_protocol_version > S2N_TLS10) {
            payload_and_eiv_len += block_size;
        }

        /* Outputs number of extra bytes required for MAC and padding */
        int pad_and_mac_len;
        GUARD(cipher_suite->record_alg->cipher->io.comp.initial_hmac(session_key, sequence_number, content_type, conn->actual_protocol_version, payload_and_eiv_len, &pad_and_mac_len));
        extra += pad_and_mac_len;
    }

    /* Rewrite the length to be the actual fragment length */
    uint16_t actual_fragment_length = data_bytes_to_take + padding + extra;
    GUARD(s2n_stuffer_wipe_n(&conn->out, 2));
    GUARD(s2n_stuffer_write_uint16(&conn->out, actual_fragment_length));

    /* If we're AEAD, write the sequence number as an IV, and generate the AAD.
     * The nonce is derived from the sequence number, so it is unique per
     * record under a given key as long as the sequence number never repeats;
     * nonce reuse with GCM/ChaCha20-Poly1305 breaks both confidentiality and
     * integrity. */
    if (cipher_suite->record_alg->cipher->type == S2N_AEAD) {
        struct s2n_stuffer iv_stuffer = {{0}};
        iv.data = aad_iv;
        iv.size = sizeof(aad_iv);
        GUARD(s2n_stuffer_init(&iv_stuffer, &iv));

        if (cipher_suite->record_alg->flags & S2N_TLS12_AES_GCM_AEAD_NONCE) {
            /* Partially explicit nonce. See RFC 5288 Section 3:
             * nonce = fixed_iv || sequence number, and the sequence number
             * is also sent on the wire in front of the ciphertext */
            GUARD(s2n_stuffer_write_bytes(&conn->out, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
            GUARD(s2n_stuffer_write_bytes(&iv_stuffer, implicit_iv, cipher_suite->record_alg->cipher->io.aead.fixed_iv_size));
            GUARD(s2n_stuffer_write_bytes(&iv_stuffer, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
        } else if (cipher_suite->record_alg->flags & S2N_TLS12_CHACHA_POLY_AEAD_NONCE) {
            /* Fully implicit nonce. See RFC7905 Section 2:
             * nonce = (0^32 || sequence number) XOR fixed_iv; nothing extra
             * goes on the wire */
            uint8_t four_zeroes[4] = { 0 };
            GUARD(s2n_stuffer_write_bytes(&iv_stuffer, four_zeroes, 4));
            GUARD(s2n_stuffer_write_bytes(&iv_stuffer, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
            for(int i = 0; i < cipher_suite->record_alg->cipher->io.aead.fixed_iv_size; i++) {
                aad_iv[i] = aad_iv[i] ^ implicit_iv[i];
            }
        } else {
            S2N_ERROR(S2N_ERR_INVALID_NONCE_TYPE);
        }

        /* Set the IV size to the amount of data written */
        iv.size = s2n_stuffer_data_available(&iv_stuffer);

        aad.data = aad_gen;
        aad.size = sizeof(aad_gen);

        struct s2n_stuffer ad_stuffer = {{0}};
        GUARD(s2n_stuffer_init(&ad_stuffer, &aad));
        GUARD(s2n_aead_aad_init(conn, sequence_number, content_type, data_bytes_to_take, &ad_stuffer));
    } else if (cipher_suite->record_alg->cipher->type == S2N_CBC || cipher_suite->record_alg->cipher->type == S2N_COMPOSITE) {
        iv.size = block_size;
        iv.data = implicit_iv;

        /* For TLS1.1/1.2; write the IV with random data.
         * RFC 5246 6.2.3.2 requires the explicit IV to be unpredictable;
         * the "public" generator is used because the value is sent in the
         * clear, but it still has to be a CSPRNG -- see s2n_random.c.
         * For TLS1.0 the IV is the previous record's last ciphertext block
         * (chained below), which is the predictable-IV weakness TLS1.1 fixed. */
        if (conn->actual_protocol_version > S2N_TLS10) {
            GUARD(s2n_get_public_random_data(&iv));
            GUARD(s2n_stuffer_write(&conn->out, &iv));
        }
    }

    /* We are done with this sequence number, so we can increment it.
     * (Presumably s2n_increment_sequence_number errors on wrap-around
     * rather than wrapping silently; verify, since a repeat would reuse an
     * AEAD nonce.) */
    struct s2n_blob seq = {.data = sequence_number,.size = S2N_TLS_SEQUENCE_NUM_LEN };
    GUARD(s2n_increment_sequence_number(&seq));

    /* Write the plaintext data */
    out.data = in->data;
    out.size = data_bytes_to_take;
    GUARD(s2n_stuffer_write(&conn->out, &out));
    GUARD(s2n_hmac_update(mac, out.data, out.size));

    /* Write the digest, directly into the record buffer */
    uint8_t *digest = s2n_stuffer_raw_write(&conn->out, mac_digest_size);
    notnull_check(digest);

    GUARD(s2n_hmac_digest(mac, digest, mac_digest_size));
    GUARD(s2n_hmac_reset(mac));

    if (cipher_suite->record_alg->cipher->type == S2N_CBC) {
        /* Include padding bytes, each with the value 'p', and
         * include an extra padding length byte, also with the value 'p'.
         * (<= writes padding + 1 bytes: the padding itself plus the length.)
         */
        for (int i = 0; i <= padding; i++) {
            GUARD(s2n_stuffer_write_uint8(&conn->out, padding));
        }
    }

    /* Rewind to rewrite/encrypt the packet */
    GUARD(s2n_stuffer_rewrite(&conn->out));

    /* Skip the header */
    GUARD(s2n_stuffer_skip_write(&conn->out, S2N_TLS_RECORD_HEADER_LENGTH));

    /* Work out how many bytes after the header (and any explicit IV)
     * are to be encrypted in place */
    uint16_t encrypted_length = data_bytes_to_take + mac_digest_size;
    switch (cipher_suite->record_alg->cipher->type) {
    case S2N_AEAD:
        GUARD(s2n_stuffer_skip_write(&conn->out, cipher_suite->record_alg->cipher->io.aead.record_iv_size));
        encrypted_length += cipher_suite->record_alg->cipher->io.aead.tag_size;
        break;
    case S2N_CBC:
        if (conn->actual_protocol_version > S2N_TLS10) {
            /* Leave the IV alone and unencrypted */
            GUARD(s2n_stuffer_skip_write(&conn->out, iv.size));
        }
        /* Encrypt the padding and the padding length byte too */
        encrypted_length += padding + 1;
        break;
    case S2N_COMPOSITE:
        /* Composite CBC expects a pointer starting at explicit IV: [Explicit IV | fragment | MAC | padding | padding len ]
         * extra will account for the explicit IV len(if applicable), MAC digest len, padding len + padding byte.
         */
        encrypted_length += extra;
        break;
    default:
        break;
    }

    /* Do the encryption, in place over the bytes just written */
    struct s2n_blob en = {0};
    en.size = encrypted_length;
    en.data = s2n_stuffer_raw_write(&conn->out, en.size);
    notnull_check(en.data);
    switch (cipher_suite->record_alg->cipher->type) {
    case S2N_STREAM:
        GUARD(cipher_suite->record_alg->cipher->io.stream.encrypt(session_key, &en, &en));
        break;
    case S2N_CBC:
        GUARD(cipher_suite->record_alg->cipher->io.cbc.encrypt(session_key, &iv, &en, &en));

        /* Copy the last encrypted block to be the next IV (TLS1.0 CBC chaining) */
        if (conn->actual_protocol_version < S2N_TLS11) {
            gte_check(en.size, block_size);
            memcpy_check(implicit_iv, en.data + en.size - block_size, block_size);
        }
        break;
    case S2N_AEAD:
        GUARD(cipher_suite->record_alg->cipher->io.aead.encrypt(session_key, &iv, &aad, &en, &en));
        break;
    case S2N_COMPOSITE:
        /* This will: compute mac, append padding, append padding length, and encrypt */
        GUARD(cipher_suite->record_alg->cipher->io.comp.encrypt(session_key, &iv, &en, &en));

        /* Copy the last encrypted block to be the next IV */
        gte_check(en.size, block_size);
        memcpy_check(implicit_iv, en.data + en.size - block_size, block_size);
        break;
    default:
        S2N_ERROR(S2N_ERR_CIPHER_TYPE);
        break;
    }

    conn->wire_bytes_out += actual_fragment_length + S2N_TLS_RECORD_HEADER_LENGTH;
    return data_bytes_to_take;
}
/* P_hash "update" callback for the s2n-native HMAC backend: feeds `size`
 * bytes of `data` into the HMAC state kept in the working space and
 * returns s2n_hmac_update()'s result unchanged. */
static int s2n_hmac_p_hash_update(struct s2n_prf_working_space *ws, const void *data, uint32_t size)
{
    struct s2n_hmac_state *hmac_state = &ws->tls.p_hash.s2n_hmac;

    return s2n_hmac_update(hmac_state, data, size);
}
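/* Known-answer tests for s2n's HMAC implementation.
 *
 * For each algorithm, HMAC(key, "Hello world!") is computed, hex-encoded
 * through a stuffer into output_pad and compared against a reference
 * digest produced independently (python for the HMACs, Go for the SSLv3
 * MACs). Copying and resetting a state are also checked to yield the same
 * digest as a fresh computation.
 *
 * Every hex encoding starts from a freshly initialised stuffer, so the
 * comparison always looks at the digest just produced and not at whatever
 * an earlier step left at the front of output_pad.
 */
int main(int argc, char **argv)
{
    uint8_t digest_pad[256];
    uint8_t check_pad[256];
    uint8_t output_pad[256];
    struct s2n_stuffer output;
    uint8_t sekrit[] = "sekrit";
    /* Deliberately longer than any supported hash block size so that the
     * "hash the key first" path of HMAC is exercised */
    uint8_t longsekrit[] = "This is a really really really long key on purpose to make sure that it's longer than the block size";
    uint8_t hello[] = "Hello world!";
    struct s2n_hmac_state hmac, copy;
    struct s2n_hmac_state cmac;

    struct s2n_blob out = {.data = output_pad,.size = sizeof(output_pad) };

    BEGIN_TEST();

    /* Initialise our output stuffers */
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    /* HMAC-MD5 with a short key */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_MD5), 16);

    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_MD5, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_copy(&copy, &hmac));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));

    for (int i = 0; i < 16; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from python */
    EXPECT_EQUAL(memcmp(output_pad, "3ad68c53dc1a3cf35f6469877fae4585", 16 * 2), 0);

    /* Check the copy. The stuffer is re-initialised first: without that the
     * copy's hex would be appended at offset 32 and the memcmp below would
     * silently re-check the original digest instead of the copy's. */
    EXPECT_SUCCESS(s2n_hmac_digest(&copy, digest_pad, 16));
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    for (int i = 0; i < 16; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from python */
    EXPECT_EQUAL(memcmp(output_pad, "3ad68c53dc1a3cf35f6469877fae4585", 16 * 2), 0);

    /* Test that a reset works */
    EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    for (int i = 0; i < 16; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from python */
    EXPECT_EQUAL(memcmp(output_pad, "3ad68c53dc1a3cf35f6469877fae4585", 16 * 2), 0);

    /* HMAC-MD5 with a key longer than the block size */
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_MD5, longsekrit, strlen((char *)longsekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    for (int i = 0; i < 16; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from python */
    EXPECT_EQUAL(memcmp(output_pad, "2ce569d61f4ee6ad9ceebe02a112ace7", 16 * 2), 0);

    /* Test that a reset works */
    EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    for (int i = 0; i < 16; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from python */
    EXPECT_EQUAL(memcmp(output_pad, "2ce569d61f4ee6ad9ceebe02a112ace7", 16 * 2), 0);

    /* Verify that _verify works: an independently computed digest of the
     * same input must compare equal to the one left in digest_pad */
    EXPECT_SUCCESS(s2n_hmac_init(&cmac, S2N_HMAC_MD5, longsekrit, strlen((char *)longsekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&cmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&cmac, check_pad, 16));
    EXPECT_SUCCESS(s2n_hmac_digest_verify(digest_pad, 16, check_pad, 16));

    /* Try SHA1 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA1), 20);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA1, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 20));
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    for (int i = 0; i < 20; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from python */
    EXPECT_EQUAL(memcmp(output_pad, "6d301861b599938eca94f6de917362886d97882f", 20 * 2), 0);

    /* Try SHA256 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA256), 32);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA256, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 32));
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    for (int i = 0; i < 32; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from python */
    EXPECT_EQUAL(memcmp(output_pad, "adc20b12d236e6d1824d690622e33ead4f67ba5a2be9606fe762b2dd859a78a9", 32 * 2), 0);

    /* Try SHA384 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA384), 48);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA384, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 48));
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    for (int i = 0; i < 48; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from python */
    EXPECT_EQUAL(memcmp(output_pad, "8552563cadd583b79dcc7225bb79bc6483c63f259187162e1c9d4283eb6299ef1bc3ca81c0c40fc7b22f7a1f3b93adb4", 48 * 2), 0);

    /* Try SHA512 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SHA512), 64);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SHA512, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 64));
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    for (int i = 0; i < 64; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from python */
    EXPECT_EQUAL(memcmp(output_pad, "0a834a1ed265042e2897405edb4fdd9818950cd5bea10b828f2fed45a1cb6dbd2107e4b04eb20f211998cd4e8c7e11ebdcb0103ac63882481e1bb8083d07f4be", 64 * 2), 0);

    /* Try SSLv3 MD5 (the pre-HMAC "hash(key || pad || hash(key || pad || data))" MAC) */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SSLv3_MD5), 16);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_MD5, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    for (int i = 0; i < 16; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from Go */
    EXPECT_EQUAL(memcmp(output_pad, "d4f0d06b9765de23e6c3e33a24c5ded0", 16 * 2), 0);

    /* Test that a reset works */
    EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    for (int i = 0; i < 16; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    EXPECT_EQUAL(memcmp(output_pad, "d4f0d06b9765de23e6c3e33a24c5ded0", 16 * 2), 0);

    /* Try SSLv3 SHA1 */
    EXPECT_EQUAL(s2n_hmac_digest_size(S2N_HMAC_SSLv3_SHA1), 20);
    EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_SHA1, sekrit, strlen((char *)sekrit)));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 20));
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    for (int i = 0; i < 20; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    /* Reference value from Go */
    EXPECT_EQUAL(memcmp(output_pad, "b0c66179f6eb5a46b4b7c4fca84b3ea5161b7326", 20 * 2), 0);

    /* Test that a reset works */
    EXPECT_SUCCESS(s2n_hmac_reset(&hmac));
    EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *)hello)));
    EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 20));
    EXPECT_SUCCESS(s2n_stuffer_init(&output, &out));

    for (int i = 0; i < 20; i++) {
        EXPECT_SUCCESS(s2n_stuffer_write_uint8_hex(&output, digest_pad[i]));
    }

    EXPECT_EQUAL(memcmp(output_pad, "b0c66179f6eb5a46b4b7c4fca84b3ea5161b7326", 20 * 2), 0);

    END_TEST();
}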