kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5405 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 6855e0a470
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6855e0a470'
${ noResults }
boringssl/ssl/tls13_enc.cc

491 lines
18 KiB
Raw Blame History 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <utility>

  21. 

  22. #include <openssl/aead.h>

  23. #include <openssl/bytestring.h>

  24. #include <openssl/digest.h>

  25. #include <openssl/hkdf.h>

  26. #include <openssl/hmac.h>

  27. #include <openssl/mem.h>

  28. 

  29. #include "../crypto/internal.h"

  30. #include "internal.h"

  31. 

  32. 

  33. namespace bssl {

  34. 

  35. static int init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version,

  36.                              const SSL_CIPHER *cipher) {

  37.   if (!hs->transcript.InitHash(version, cipher)) {

  38.     return 0;

  39.   }

  40. 

  41.   hs->hash_len = hs->transcript.DigestLen();

  42. 

  43.   // Initialize the secret to the zero key.

  44.   OPENSSL_memset(hs->secret, 0, hs->hash_len);

  45. 

  46.   return 1;

  47. }

  48. 

  49. int tls13_init_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,

  50.                             size_t psk_len) {

  51.   if (!init_key_schedule(hs, ssl_protocol_version(hs->ssl), hs->new_cipher)) {

  52.     return 0;

  53.   }

  54. 

  55.   hs->transcript.FreeBuffer();

  56.   return HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), psk,

  57.                       psk_len, hs->secret, hs->hash_len);

  58. }

  59. 

  60. int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,

  61.                                   size_t psk_len) {

  62.   SSL *const ssl = hs->ssl;

  63.   return init_key_schedule(hs, ssl_session_protocol_version(ssl->session.get()),

  64.                            ssl->session->cipher) &&

  65.          HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), psk,

  66.                       psk_len, hs->secret, hs->hash_len);

  67. }

  68. 

  69. static int hkdf_expand_label(uint8_t *out, const EVP_MD *digest,

  70.                              const uint8_t *secret, size_t secret_len,

  71.                              const char *label, size_t label_len,

  72.                              const uint8_t *hash, size_t hash_len, size_t len) {

  73.   static const char kTLS13LabelVersion[] = "tls13 ";

  74. 

  75.   ScopedCBB cbb;

  76.   CBB child;

  77.   Array<uint8_t> hkdf_label;

  78.   if (!CBB_init(cbb.get(), 2 + 1 + strlen(kTLS13LabelVersion) + label_len + 1 +

  79.                                hash_len) ||

  80.       !CBB_add_u16(cbb.get(), len) ||

  81.       !CBB_add_u8_length_prefixed(cbb.get(), &child) ||

  82.       !CBB_add_bytes(&child, (const uint8_t *)kTLS13LabelVersion,

  83.                      strlen(kTLS13LabelVersion)) ||

  84.       !CBB_add_bytes(&child, (const uint8_t *)label, label_len) ||

  85.       !CBB_add_u8_length_prefixed(cbb.get(), &child) ||

  86.       !CBB_add_bytes(&child, hash, hash_len) ||

  87.       !CBBFinishArray(cbb.get(), &hkdf_label)) {

  88.     return 0;

  89.   }

  90. 

  91.   return HKDF_expand(out, len, digest, secret, secret_len, hkdf_label.data(),

  92.                      hkdf_label.size());

  93. }

  94. 

  95. static const char kTLS13LabelDerived[] = "derived";

  96. 

  97. int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,

  98.                                size_t len) {

  99.   uint8_t derive_context[EVP_MAX_MD_SIZE];

  100.   unsigned derive_context_len;

  101.   if (!EVP_Digest(nullptr, 0, derive_context, &derive_context_len,

  102.                   hs->transcript.Digest(), nullptr)) {

  103.     return 0;

  104.   }

  105. 

  106.   if (!hkdf_expand_label(hs->secret, hs->transcript.Digest(), hs->secret,

  107.                          hs->hash_len, kTLS13LabelDerived,

  108.                          strlen(kTLS13LabelDerived), derive_context,

  109.                          derive_context_len, hs->hash_len)) {

  110.     return 0;

  111.   }

  112. 

  113.   return HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), in,

  114.                       len, hs->secret, hs->hash_len);

  115. }

  116. 

  117. // derive_secret derives a secret of length |len| and writes the result in |out|

  118. // with the given label and the current base secret and most recently-saved

  119. // handshake context. It returns one on success and zero on error.

  120. static int derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,

  121.                          const char *label, size_t label_len) {

  122.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  123.   size_t context_hash_len;

  124.   if (!hs->transcript.GetHash(context_hash, &context_hash_len)) {

  125.     return 0;

  126.   }

  127. 

  128.   return hkdf_expand_label(out, hs->transcript.Digest(), hs->secret,

  129.                            hs->hash_len, label, label_len, context_hash,

  130.                            context_hash_len, len);

  131. }

  132. 

  133. int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,

  134.                           const uint8_t *traffic_secret,

  135.                           size_t traffic_secret_len) {

  136.   const SSL_SESSION *session = SSL_get_session(ssl);

  137.   uint16_t version = ssl_session_protocol_version(session);

  138. 

  139.   if (traffic_secret_len > 0xff) {

  140.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  141.     return 0;

  142.   }

  143. 

  144.   // Look up cipher suite properties.

  145.   const EVP_AEAD *aead;

  146.   size_t discard;

  147.   if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher,

  148.                                version, SSL_is_dtls(ssl))) {

  149.     return 0;

  150.   }

  151. 

  152.   const EVP_MD *digest = ssl_session_get_digest(session);

  153. 

  154.   // Derive the key.

  155.   size_t key_len = EVP_AEAD_key_length(aead);

  156.   uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];

  157.   if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len, "key",

  158.                          3, NULL, 0, key_len)) {

  159.     return 0;

  160.   }

  161. 

  162.   // Derive the IV.

  163.   size_t iv_len = EVP_AEAD_nonce_length(aead);

  164.   uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH];

  165.   if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len, "iv",

  166.                          2, NULL, 0, iv_len)) {

  167.     return 0;

  168.   }

  169. 

  170.   UniquePtr<SSLAEADContext> traffic_aead =

  171.       SSLAEADContext::Create(direction, session->ssl_version, SSL_is_dtls(ssl),

  172.                              session->cipher, MakeConstSpan(key, key_len),

  173.                              Span<const uint8_t>(), MakeConstSpan(iv, iv_len));

  174.   if (!traffic_aead) {

  175.     return 0;

  176.   }

  177. 

  178.   if (direction == evp_aead_open) {

  179.     if (!ssl->method->set_read_state(ssl, std::move(traffic_aead))) {

  180.       return 0;

  181.     }

  182.   } else {

  183.     if (!ssl->method->set_write_state(ssl, std::move(traffic_aead))) {

  184.       return 0;

  185.     }

  186.   }

  187. 

  188.   // Save the traffic secret.

  189.   if (direction == evp_aead_open) {

  190.     OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret,

  191.                     traffic_secret_len);

  192.     ssl->s3->read_traffic_secret_len = traffic_secret_len;

  193.   } else {

  194.     OPENSSL_memmove(ssl->s3->write_traffic_secret, traffic_secret,

  195.                     traffic_secret_len);

  196.     ssl->s3->write_traffic_secret_len = traffic_secret_len;

  197.   }

  198. 

  199.   return 1;

  200. }

  201. 

  202. 

  203. static const char kTLS13LabelExporter[] = "exp master";

  204. static const char kTLS13LabelEarlyExporter[] = "e exp master";

  205. 

  206. static const char kTLS13LabelClientEarlyTraffic[] = "c e traffic";

  207. static const char kTLS13LabelClientHandshakeTraffic[] = "c hs traffic";

  208. static const char kTLS13LabelServerHandshakeTraffic[] = "s hs traffic";

  209. static const char kTLS13LabelClientApplicationTraffic[] = "c ap traffic";

  210. static const char kTLS13LabelServerApplicationTraffic[] = "s ap traffic";

  211. 

  212. int tls13_derive_early_secrets(SSL_HANDSHAKE *hs) {

  213.   SSL *const ssl = hs->ssl;

  214.   if (!derive_secret(hs, hs->early_traffic_secret, hs->hash_len,

  215.                      kTLS13LabelClientEarlyTraffic,

  216.                      strlen(kTLS13LabelClientEarlyTraffic)) ||

  217.       !ssl_log_secret(ssl, "CLIENT_EARLY_TRAFFIC_SECRET",

  218.                       hs->early_traffic_secret, hs->hash_len) ||

  219.       !derive_secret(hs, ssl->s3->early_exporter_secret, hs->hash_len,

  220.                      kTLS13LabelEarlyExporter,

  221.                      strlen(kTLS13LabelEarlyExporter))) {

  222.     return 0;

  223.   }

  224.   ssl->s3->early_exporter_secret_len = hs->hash_len;

  225.   return 1;

  226. }

  227. 

  228. int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {

  229.   SSL *const ssl = hs->ssl;

  230.   return derive_secret(hs, hs->client_handshake_secret, hs->hash_len,

  231.                        kTLS13LabelClientHandshakeTraffic,

  232.                        strlen(kTLS13LabelClientHandshakeTraffic)) &&

  233.          ssl_log_secret(ssl, "CLIENT_HANDSHAKE_TRAFFIC_SECRET",

  234.                         hs->client_handshake_secret, hs->hash_len) &&

  235.          derive_secret(hs, hs->server_handshake_secret, hs->hash_len,

  236.                        kTLS13LabelServerHandshakeTraffic,

  237.                        strlen(kTLS13LabelServerHandshakeTraffic)) &&

  238.          ssl_log_secret(ssl, "SERVER_HANDSHAKE_TRAFFIC_SECRET",

  239.                         hs->server_handshake_secret, hs->hash_len);

  240. }

  241. 

  242. int tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {

  243.   SSL *const ssl = hs->ssl;

  244.   ssl->s3->exporter_secret_len = hs->hash_len;

  245.   return derive_secret(hs, hs->client_traffic_secret_0, hs->hash_len,

  246.                        kTLS13LabelClientApplicationTraffic,

  247.                        strlen(kTLS13LabelClientApplicationTraffic)) &&

  248.          ssl_log_secret(ssl, "CLIENT_TRAFFIC_SECRET_0",

  249.                         hs->client_traffic_secret_0, hs->hash_len) &&

  250.          derive_secret(hs, hs->server_traffic_secret_0, hs->hash_len,

  251.                        kTLS13LabelServerApplicationTraffic,

  252.                        strlen(kTLS13LabelServerApplicationTraffic)) &&

  253.          ssl_log_secret(ssl, "SERVER_TRAFFIC_SECRET_0",

  254.                         hs->server_traffic_secret_0, hs->hash_len) &&

  255.          derive_secret(hs, ssl->s3->exporter_secret, hs->hash_len,

  256.                        kTLS13LabelExporter, strlen(kTLS13LabelExporter)) &&

  257.          ssl_log_secret(ssl, "EXPORTER_SECRET", ssl->s3->exporter_secret,

  258.                         hs->hash_len);

  259. }

  260. 

  261. static const char kTLS13LabelApplicationTraffic[] = "traffic upd";

  262. 

  263. int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {

  264.   uint8_t *secret;

  265.   size_t secret_len;

  266.   if (direction == evp_aead_open) {

  267.     secret = ssl->s3->read_traffic_secret;

  268.     secret_len = ssl->s3->read_traffic_secret_len;

  269.   } else {

  270.     secret = ssl->s3->write_traffic_secret;

  271.     secret_len = ssl->s3->write_traffic_secret_len;

  272.   }

  273. 

  274.   const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));

  275.   if (!hkdf_expand_label(

  276.           secret, digest, secret, secret_len, kTLS13LabelApplicationTraffic,

  277.           strlen(kTLS13LabelApplicationTraffic), NULL, 0, secret_len)) {

  278.     return 0;

  279.   }

  280. 

  281.   return tls13_set_traffic_key(ssl, direction, secret, secret_len);

  282. }

  283. 

  284. static const char kTLS13LabelResumption[] = "res master";

  285. 

  286. int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {

  287.   if (hs->hash_len > SSL_MAX_MASTER_KEY_LENGTH) {

  288.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  289.     return 0;

  290.   }

  291.   hs->new_session->master_key_length = hs->hash_len;

  292.   return derive_secret(hs, hs->new_session->master_key,

  293.                        hs->new_session->master_key_length,

  294.                        kTLS13LabelResumption, strlen(kTLS13LabelResumption));

  295. }

  296. 

  297. static const char kTLS13LabelFinished[] = "finished";

  298. 

  299. // tls13_verify_data sets |out| to be the HMAC of |context| using a derived

  300. // Finished key for both Finished messages and the PSK binder.

  301. static int tls13_verify_data(const EVP_MD *digest, uint16_t version,

  302.                              uint8_t *out, size_t *out_len,

  303.                              const uint8_t *secret, size_t hash_len,

  304.                              uint8_t *context, size_t context_len) {

  305.   uint8_t key[EVP_MAX_MD_SIZE];

  306.   unsigned len;

  307.   if (!hkdf_expand_label(key, digest, secret, hash_len, kTLS13LabelFinished,

  308.                          strlen(kTLS13LabelFinished), NULL, 0, hash_len) ||

  309.       HMAC(digest, key, hash_len, context, context_len, out, &len) == NULL) {

  310.     return 0;

  311.   }

  312.   *out_len = len;

  313.   return 1;

  314. }

  315. 

  316. int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,

  317.                        int is_server) {

  318.   const uint8_t *traffic_secret;

  319.   if (is_server) {

  320.     traffic_secret = hs->server_handshake_secret;

  321.   } else {

  322.     traffic_secret = hs->client_handshake_secret;

  323.   }

  324. 

  325.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  326.   size_t context_hash_len;

  327.   if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||

  328.       !tls13_verify_data(hs->transcript.Digest(), hs->ssl->version, out,

  329.                          out_len, traffic_secret, hs->hash_len, context_hash,

  330.                          context_hash_len)) {

  331.     return 0;

  332.   }

  333.   return 1;

  334. }

  335. 

  336. static const char kTLS13LabelResumptionPSK[] = "resumption";

  337. 

  338. bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce) {

  339.   const EVP_MD *digest = ssl_session_get_digest(session);

  340.   return hkdf_expand_label(session->master_key, digest, session->master_key,

  341.                            session->master_key_length, kTLS13LabelResumptionPSK,

  342.                            strlen(kTLS13LabelResumptionPSK), nonce.data(),

  343.                            nonce.size(), session->master_key_length);

  344. }

  345. 

  346. static const char kTLS13LabelExportKeying[] = "exporter";

  347. 

  348. int tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,

  349.                                  Span<const uint8_t> secret,

  350.                                  Span<const char> label,

  351.                                  Span<const uint8_t> context) {

  352.   if (secret.empty()) {

  353.     assert(0);

  354.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  355.     return 0;

  356.   }

  357. 

  358.   const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));

  359. 

  360.   uint8_t hash[EVP_MAX_MD_SIZE];

  361.   uint8_t export_context[EVP_MAX_MD_SIZE];

  362.   uint8_t derived_secret[EVP_MAX_MD_SIZE];

  363.   unsigned hash_len;

  364.   unsigned export_context_len;

  365.   unsigned derived_secret_len = EVP_MD_size(digest);

  366.   return EVP_Digest(context.data(), context.size(), hash, &hash_len, digest,

  367.                     nullptr) &&

  368.          EVP_Digest(nullptr, 0, export_context, &export_context_len, digest,

  369.                     nullptr) &&

  370.          hkdf_expand_label(derived_secret, digest, secret.data(), secret.size(),

  371.                            label.data(), label.size(), export_context,

  372.                            export_context_len, derived_secret_len) &&

  373.          hkdf_expand_label(out.data(), digest, derived_secret,

  374.                            derived_secret_len, kTLS13LabelExportKeying,

  375.                            strlen(kTLS13LabelExportKeying), hash, hash_len,

  376.                            out.size());

  377. }

  378. 

  379. static const char kTLS13LabelPSKBinder[] = "res binder";

  380. 

  381. static int tls13_psk_binder(uint8_t *out, uint16_t version,

  382.                             const EVP_MD *digest, uint8_t *psk, size_t psk_len,

  383.                             uint8_t *context, size_t context_len,

  384.                             size_t hash_len) {

  385.   uint8_t binder_context[EVP_MAX_MD_SIZE];

  386.   unsigned binder_context_len;

  387.   if (!EVP_Digest(NULL, 0, binder_context, &binder_context_len, digest, NULL)) {

  388.     return 0;

  389.   }

  390. 

  391.   uint8_t early_secret[EVP_MAX_MD_SIZE] = {0};

  392.   size_t early_secret_len;

  393.   if (!HKDF_extract(early_secret, &early_secret_len, digest, psk, hash_len,

  394.                     NULL, 0)) {

  395.     return 0;

  396.   }

  397. 

  398.   uint8_t binder_key[EVP_MAX_MD_SIZE] = {0};

  399.   size_t len;

  400.   if (!hkdf_expand_label(binder_key, digest, early_secret, hash_len,

  401.                          kTLS13LabelPSKBinder, strlen(kTLS13LabelPSKBinder),

  402.                          binder_context, binder_context_len, hash_len) ||

  403.       !tls13_verify_data(digest, version, out, &len, binder_key, hash_len,

  404.                          context, context_len)) {

  405.     return 0;

  406.   }

  407. 

  408.   return 1;

  409. }

  410. 

  411. int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len) {

  412.   SSL *const ssl = hs->ssl;

  413.   const EVP_MD *digest = ssl_session_get_digest(ssl->session.get());

  414.   size_t hash_len = EVP_MD_size(digest);

  415. 

  416.   if (len < hash_len + 3) {

  417.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  418.     return 0;

  419.   }

  420. 

  421.   ScopedEVP_MD_CTX ctx;

  422.   uint8_t context[EVP_MAX_MD_SIZE];

  423.   unsigned context_len;

  424. 

  425.   if (!EVP_DigestInit_ex(ctx.get(), digest, NULL) ||

  426.       !EVP_DigestUpdate(ctx.get(), hs->transcript.buffer().data(),

  427.                         hs->transcript.buffer().size()) ||

  428.       !EVP_DigestUpdate(ctx.get(), msg, len - hash_len - 3) ||

  429.       !EVP_DigestFinal_ex(ctx.get(), context, &context_len)) {

  430.     return 0;

  431.   }

  432. 

  433.   uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};

  434.   if (!tls13_psk_binder(verify_data, ssl->session->ssl_version, digest,

  435.                         ssl->session->master_key,

  436.                         ssl->session->master_key_length, context, context_len,

  437.                         hash_len)) {

  438.     return 0;

  439.   }

  440. 

  441.   OPENSSL_memcpy(msg + len - hash_len, verify_data, hash_len);

  442.   return 1;

  443. }

  444. 

  445. int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,

  446.                             const SSLMessage &msg, CBS *binders) {

  447.   size_t hash_len = hs->transcript.DigestLen();

  448. 

  449.   // The message must be large enough to exclude the binders.

  450.   if (CBS_len(&msg.raw) < CBS_len(binders) + 2) {

  451.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  452.     return 0;

  453.   }

  454. 

  455.   // Hash a ClientHello prefix up to the binders. This includes the header. For

  456.   // now, this assumes we only ever verify PSK binders on initial

  457.   // ClientHellos.

  458.   uint8_t context[EVP_MAX_MD_SIZE];

  459.   unsigned context_len;

  460.   if (!EVP_Digest(CBS_data(&msg.raw), CBS_len(&msg.raw) - CBS_len(binders) - 2,

  461.                   context, &context_len, hs->transcript.Digest(), NULL)) {

  462.     return 0;

  463.   }

  464. 

  465.   uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};

  466.   CBS binder;

  467.   if (!tls13_psk_binder(verify_data, hs->ssl->version, hs->transcript.Digest(),

  468.                         session->master_key, session->master_key_length,

  469.                         context, context_len, hash_len) ||

  470.       // We only consider the first PSK, so compare against the first binder.

  471.       !CBS_get_u8_length_prefixed(binders, &binder)) {

  472.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  473.     return 0;

  474.   }

  475. 

  476.   int binder_ok =

  477.       CBS_len(&binder) == hash_len &&

  478.       CRYPTO_memcmp(CBS_data(&binder), verify_data, hash_len) == 0;

  479. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  480.   binder_ok = 1;

  481. #endif

  482.   if (!binder_ok) {

  483.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  484.     return 0;

  485.   }

  486. 

  487.   return 1;

  488. }

  489. 

  490. }  // namespace bssl