DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Header

Mercurial (409f3966645a)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif

#include "secport.h"
#include "hasht.h"
#include "blapit.h"
#include "hmacct.h"
#include "secerr.h"

/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
 * field. (SHA-384/512 have 128-bit length.) */
#define MAX_HASH_BIT_COUNT_BYTES 16

/* Some utility functions are needed:
 *
 * These macros return the given value with the MSB copied to all the other
 * bits. They use the fact that an arithmetic shift shifts-in the sign bit.
 * However, this is not ensured by the C standard so you may need to replace
 * them with something else on odd CPUs.
 *
 * Note: the argument to these macros must be an unsigned int.
 * */
#define DUPLICATE_MSB_TO_ALL(x) ((unsigned int)((int)(x) >> (sizeof(int) * 8 - 1)))
#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))

/* constantTimeGE returns 0xff if a>=b and 0x00 otherwise, where a, b <
 * MAX_UINT/2. */
static unsigned char
constantTimeGE(unsigned int a, unsigned int b)
{
    a -= b;
    return DUPLICATE_MSB_TO_ALL(~a);
}

/* constantTimeEQ8 returns 0xff if a==b and 0x00 otherwise. */
static unsigned char
constantTimeEQ8(unsigned char a, unsigned char b)
{
    unsigned int c = a ^ b;
    c--;
    return DUPLICATE_MSB_TO_ALL_8(c);
}

/* MAC performs a constant time SSLv3/TLS MAC of |dataLen| bytes of |data|,
 * where |dataLen| includes both the authenticated bytes and the MAC tag from
 * the sender. |dataLen| must be >= the length of the MAC tag.
 *
 * |dataTotalLen| is >= |dataLen| and also accounts for any padding bytes
 * that may follow the sender's MAC. (Only a single block of padding may
 * follow in SSLv3, or up to 255 bytes in TLS.)
 *
 * Since the results of decryption are secret information (otherwise a
 * padding-oracle is created), this function is constant-time with respect to
 * |dataLen|.
 *
 * |header| contains either the 13-byte TLS header (containing the sequence
 * number, record type etc), or it contains the SSLv3 header with the SSLv3
 * padding bytes etc. */
static SECStatus
MAC(unsigned char *mdOut,
    unsigned int *mdOutLen,
    unsigned int mdOutMax,
    const SECHashObject *hashObj,
    const unsigned char *macSecret,
    unsigned int macSecretLen,
    const unsigned char *header,
    unsigned int headerLen,
    const unsigned char *data,
    unsigned int dataLen,
    unsigned int dataTotalLen,
    unsigned char isSSLv3)
{
    void *mdState = hashObj->create();
    const unsigned int mdSize = hashObj->length;
    const unsigned int mdBlockSize = hashObj->blocklength;
    /* mdLengthSize is the number of bytes in the length field that terminates
     * the hash.
     *
     * This assumes that hash functions with a 64 byte block size use a 64-bit
     * length, and otherwise they use a 128-bit length. This is true of {MD5,
     * SHA*} (which are all of the hash functions specified for use with TLS
     * today). */
    const unsigned int mdLengthSize = mdBlockSize == 64 ? 8 : 16;

    const unsigned int sslv3PadLen = hashObj->type == HASH_AlgMD5 ? 48 : 40;

    /* varianceBlocks is the number of blocks of the hash that we have to
     * calculate in constant time because they could be altered by the
     * padding value.
     *
     * In SSLv3, the padding must be minimal so the end of the plaintext
     * varies by, at most, 15+20 = 35 bytes. (We conservatively assume that
     * the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash
     * termination (0x80 + 64-bit length) don't fit in the final block, we
     * say that the final two blocks can vary based on the padding.
     *
     * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
     * required to be minimal. Therefore we say that the final six blocks
     * can vary based on the padding.
     *
     * Later in the function, if the message is short and there obviously
     * cannot be this many blocks then varianceBlocks can be reduced. */
    unsigned int varianceBlocks = isSSLv3 ? 2 : 6;
    /* From now on we're dealing with the MAC, which conceptually has 13
     * bytes of `header' before the start of the data (TLS) or 71/75 bytes
     * (SSLv3) */
    const unsigned int len = dataTotalLen + headerLen;
    /* maxMACBytes contains the maximum bytes of bytes in the MAC, including
     * |header|, assuming that there's no padding. */
    const unsigned int maxMACBytes = len - mdSize - 1;
    /* numBlocks is the maximum number of hash blocks. */
    const unsigned int numBlocks =
        (maxMACBytes + 1 + mdLengthSize + mdBlockSize - 1) / mdBlockSize;
    /* macEndOffset is the index just past the end of the data to be
     * MACed. */
    const unsigned int macEndOffset = dataLen + headerLen - mdSize;
    /* c is the index of the 0x80 byte in the final hash block that
     * contains application data. */
    const unsigned int c = macEndOffset % mdBlockSize;
    /* indexA is the hash block number that contains the 0x80 terminating
     * value. */
    const unsigned int indexA = macEndOffset / mdBlockSize;
    /* indexB is the hash block number that contains the 64-bit hash
     * length, in bits. */
    const unsigned int indexB = (macEndOffset + mdLengthSize) / mdBlockSize;
    /* bits is the hash-length in bits. It includes the additional hash
     * block for the masked HMAC key, or whole of |header| in the case of
     * SSLv3. */
    unsigned int bits;
    /* In order to calculate the MAC in constant time we have to handle
     * the final blocks specially because the padding value could cause the
     * end to appear somewhere in the final |varianceBlocks| blocks and we
     * can't leak where. However, |numStartingBlocks| worth of data can
     * be hashed right away because no padding value can affect whether
     * they are plaintext. */
    unsigned int numStartingBlocks = 0;
    /* k is the starting byte offset into the conceptual header||data where
     * we start processing. */
    unsigned int k = 0;
    unsigned char lengthBytes[MAX_HASH_BIT_COUNT_BYTES];
    /* hmacPad is the masked HMAC key. */
    unsigned char hmacPad[HASH_BLOCK_LENGTH_MAX];
    unsigned char firstBlock[HASH_BLOCK_LENGTH_MAX];
    unsigned char macOut[HASH_LENGTH_MAX];
    unsigned i, j;

    /* For SSLv3, if we're going to have any starting blocks then we need
     * at least two because the header is larger than a single block. */
    if (numBlocks > varianceBlocks + (isSSLv3 ? 1 : 0)) {
        numStartingBlocks = numBlocks - varianceBlocks;
        k = mdBlockSize * numStartingBlocks;
    }

    bits = 8 * macEndOffset;
    hashObj->begin(mdState);
    if (!isSSLv3) {
        /* Compute the initial HMAC block. For SSLv3, the padding and
         * secret bytes are included in |header| because they take more
         * than a single block. */
        bits += 8 * mdBlockSize;
        memset(hmacPad, 0, mdBlockSize);
        PORT_Assert(macSecretLen <= sizeof(hmacPad));
        memcpy(hmacPad, macSecret, macSecretLen);
        for (i = 0; i < mdBlockSize; i++)
            hmacPad[i] ^= 0x36;
        hashObj->update(mdState, hmacPad, mdBlockSize);
    }

    j = 0;
    memset(lengthBytes, 0, sizeof(lengthBytes));
    if (mdLengthSize == 16) {
        j = 8;
    }
    if (hashObj->type == HASH_AlgMD5) {
        /* MD5 appends a little-endian length. */
        for (i = 0; i < 4; i++) {
            lengthBytes[i + j] = bits >> (8 * i);
        }
    } else {
        /* All other TLS hash functions use a big-endian length. */
        for (i = 0; i < 4; i++) {
            lengthBytes[4 + i + j] = bits >> (8 * (3 - i));
        }
    }

    if (k > 0) {
        if (isSSLv3) {
            /* The SSLv3 header is larger than a single block.
             * overhang is the number of bytes beyond a single
             * block that the header consumes: either 7 bytes
             * (SHA1) or 11 bytes (MD5). */
            const unsigned int overhang = headerLen - mdBlockSize;
            hashObj->update(mdState, header, mdBlockSize);
            memcpy(firstBlock, header + mdBlockSize, overhang);
            memcpy(firstBlock + overhang, data, mdBlockSize - overhang);
            hashObj->update(mdState, firstBlock, mdBlockSize);
            for (i = 1; i < k / mdBlockSize - 1; i++) {
                hashObj->update(mdState, data + mdBlockSize * i - overhang,
                                mdBlockSize);
            }
        } else {
            /* k is a multiple of mdBlockSize. */
            memcpy(firstBlock, header, 13);
            memcpy(firstBlock + 13, data, mdBlockSize - 13);
            hashObj->update(mdState, firstBlock, mdBlockSize);
            for (i = 1; i < k / mdBlockSize; i++) {
                hashObj->update(mdState, data + mdBlockSize * i - 13,
                                mdBlockSize);
            }
        }
    }

    memset(macOut, 0, sizeof(macOut));

    /* We now process the final hash blocks. For each block, we construct
     * it in constant time. If i == indexA then we'll include the 0x80
     * bytes and zero pad etc. For each block we selectively copy it, in
     * constant time, to |macOut|. */
    for (i = numStartingBlocks; i <= numStartingBlocks + varianceBlocks; i++) {
        unsigned char block[HASH_BLOCK_LENGTH_MAX];
        unsigned char isBlockA = constantTimeEQ8(i, indexA);
        unsigned char isBlockB = constantTimeEQ8(i, indexB);
        for (j = 0; j < mdBlockSize; j++) {
            unsigned char isPastC = isBlockA & constantTimeGE(j, c);
            unsigned char isPastCPlus1 = isBlockA & constantTimeGE(j, c + 1);
            unsigned char b = 0;
            if (k < headerLen) {
                b = header[k];
            } else if (k < dataTotalLen + headerLen) {
                b = data[k - headerLen];
            }
            k++;

            /* If this is the block containing the end of the
             * application data, and we are at the offset for the
             * 0x80 value, then overwrite b with 0x80. */
            b = (b & ~isPastC) | (0x80 & isPastC);
            /* If this the the block containing the end of the
             * application data and we're past the 0x80 value then
             * just write zero. */
            b = b & ~isPastCPlus1;
            /* If this is indexB (the final block), but not
             * indexA (the end of the data), then the 64-bit
             * length didn't fit into indexA and we're having to
             * add an extra block of zeros. */
            b &= ~isBlockB | isBlockA;

            /* The final bytes of one of the blocks contains the length. */
            if (j >= mdBlockSize - mdLengthSize) {
                /* If this is indexB, write a length byte. */
                b = (b & ~isBlockB) |
                    (isBlockB & lengthBytes[j - (mdBlockSize - mdLengthSize)]);
            }
            block[j] = b;
        }

        hashObj->update(mdState, block, mdBlockSize);
        hashObj->end_raw(mdState, block, NULL, mdSize);
        /* If this is indexB, copy the hash value to |macOut|. */
        for (j = 0; j < mdSize; j++) {
            macOut[j] |= block[j] & isBlockB;
        }
    }

    hashObj->begin(mdState);

    if (isSSLv3) {
        /* We repurpose |hmacPad| to contain the SSLv3 pad2 block. */
        for (i = 0; i < sslv3PadLen; i++)
            hmacPad[i] = 0x5c;

        hashObj->update(mdState, macSecret, macSecretLen);
        hashObj->update(mdState, hmacPad, sslv3PadLen);
        hashObj->update(mdState, macOut, mdSize);
    } else {
        /* Complete the HMAC in the standard manner. */
        for (i = 0; i < mdBlockSize; i++)
            hmacPad[i] ^= 0x6a;

        hashObj->update(mdState, hmacPad, mdBlockSize);
        hashObj->update(mdState, macOut, mdSize);
    }

    hashObj->end(mdState, mdOut, mdOutLen, mdOutMax);
    hashObj->destroy(mdState, PR_TRUE);

    return SECSuccess;
}

SECStatus
HMAC_ConstantTime(
    unsigned char *result,
    unsigned int *resultLen,
    unsigned int maxResultLen,
    const SECHashObject *hashObj,
    const unsigned char *secret,
    unsigned int secretLen,
    const unsigned char *header,
    unsigned int headerLen,
    const unsigned char *body,
    unsigned int bodyLen,
    unsigned int bodyTotalLen)
{
    if (hashObj->end_raw == NULL)
        return SECFailure;
    return MAC(result, resultLen, maxResultLen, hashObj, secret, secretLen,
               header, headerLen, body, bodyLen, bodyTotalLen,
               0 /* not SSLv3 */);
}

SECStatus
SSLv3_MAC_ConstantTime(
    unsigned char *result,
    unsigned int *resultLen,
    unsigned int maxResultLen,
    const SECHashObject *hashObj,
    const unsigned char *secret,
    unsigned int secretLen,
    const unsigned char *header,
    unsigned int headerLen,
    const unsigned char *body,
    unsigned int bodyLen,
    unsigned int bodyTotalLen)
{
    if (hashObj->end_raw == NULL)
        return SECFailure;
    return MAC(result, resultLen, maxResultLen, hashObj, secret, secretLen,
               header, headerLen, body, bodyLen, bodyTotalLen,
               1 /* SSLv3 */);
}