зеркало из https://github.com/mozilla/gecko-dev.git
337 строки
12 KiB
C
337 строки
12 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#ifdef FREEBL_NO_DEPEND
|
|
#include "stubs.h"
|
|
#endif
|
|
|
|
#include "secport.h"
|
|
#include "hasht.h"
|
|
#include "blapit.h"
|
|
#include "hmacct.h"
|
|
#include "secerr.h"
|
|
|
|
/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
|
|
* field. (SHA-384/512 have 128-bit length.) */
|
|
#define MAX_HASH_BIT_COUNT_BYTES 16
|
|
|
|
/* Some utility functions are needed:
|
|
*
|
|
* These macros return the given value with the MSB copied to all the other
|
|
* bits. They use the fact that an arithmetic shift shifts-in the sign bit.
|
|
* However, this is not ensured by the C standard so you may need to replace
|
|
* them with something else on odd CPUs.
|
|
*
|
|
* Note: the argument to these macros must be an unsigned int.
|
|
* */
|
|
#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned int)( (int)(x) >> (sizeof(int)*8-1) ) )
|
|
#define DUPLICATE_MSB_TO_ALL_8(x) ( (unsigned char)(DUPLICATE_MSB_TO_ALL(x)) )
|
|
|
|
/* constantTimeGE returns 0xff if a>=b and 0x00 otherwise, where a, b <
|
|
* MAX_UINT/2. */
|
|
static unsigned char
|
|
constantTimeGE(unsigned int a, unsigned int b)
|
|
{
|
|
a -= b;
|
|
return DUPLICATE_MSB_TO_ALL(~a);
|
|
}
|
|
|
|
/* constantTimeEQ8 returns 0xff if a==b and 0x00 otherwise. */
|
|
static unsigned char
|
|
constantTimeEQ8(unsigned char a, unsigned char b)
|
|
{
|
|
unsigned int c = a ^ b;
|
|
c--;
|
|
return DUPLICATE_MSB_TO_ALL_8(c);
|
|
}
|
|
|
|
/* MAC performs a constant time SSLv3/TLS MAC of |dataLen| bytes of |data|,
|
|
* where |dataLen| includes both the authenticated bytes and the MAC tag from
|
|
* the sender. |dataLen| must be >= the length of the MAC tag.
|
|
*
|
|
* |dataTotalLen| is >= |dataLen| and also accounts for any padding bytes
|
|
* that may follow the sender's MAC. (Only a single block of padding may
|
|
* follow in SSLv3, or up to 255 bytes in TLS.)
|
|
*
|
|
* Since the results of decryption are secret information (otherwise a
|
|
* padding-oracle is created), this function is constant-time with respect to
|
|
* |dataLen|.
|
|
*
|
|
* |header| contains either the 13-byte TLS header (containing the sequence
|
|
* number, record type etc), or it contains the SSLv3 header with the SSLv3
|
|
* padding bytes etc. */
|
|
static SECStatus
|
|
MAC(unsigned char *mdOut,
|
|
unsigned int *mdOutLen,
|
|
unsigned int mdOutMax,
|
|
const SECHashObject *hashObj,
|
|
const unsigned char *macSecret,
|
|
unsigned int macSecretLen,
|
|
const unsigned char *header,
|
|
unsigned int headerLen,
|
|
const unsigned char *data,
|
|
unsigned int dataLen,
|
|
unsigned int dataTotalLen,
|
|
unsigned char isSSLv3)
|
|
{
|
|
void *mdState = hashObj->create();
|
|
const unsigned int mdSize = hashObj->length;
|
|
const unsigned int mdBlockSize = hashObj->blocklength;
|
|
/* mdLengthSize is the number of bytes in the length field that terminates
|
|
* the hash.
|
|
*
|
|
* This assumes that hash functions with a 64 byte block size use a 64-bit
|
|
* length, and otherwise they use a 128-bit length. This is true of {MD5,
|
|
* SHA*} (which are all of the hash functions specified for use with TLS
|
|
* today). */
|
|
const unsigned int mdLengthSize = mdBlockSize == 64 ? 8 : 16;
|
|
|
|
const unsigned int sslv3PadLen = hashObj->type == HASH_AlgMD5 ? 48 : 40;
|
|
|
|
/* varianceBlocks is the number of blocks of the hash that we have to
|
|
* calculate in constant time because they could be altered by the
|
|
* padding value.
|
|
*
|
|
* In SSLv3, the padding must be minimal so the end of the plaintext
|
|
* varies by, at most, 15+20 = 35 bytes. (We conservatively assume that
|
|
* the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash
|
|
* termination (0x80 + 64-bit length) don't fit in the final block, we
|
|
* say that the final two blocks can vary based on the padding.
|
|
*
|
|
* TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
|
|
* required to be minimal. Therefore we say that the final six blocks
|
|
* can vary based on the padding.
|
|
*
|
|
* Later in the function, if the message is short and there obviously
|
|
* cannot be this many blocks then varianceBlocks can be reduced. */
|
|
unsigned int varianceBlocks = isSSLv3 ? 2 : 6;
|
|
/* From now on we're dealing with the MAC, which conceptually has 13
|
|
* bytes of `header' before the start of the data (TLS) or 71/75 bytes
|
|
* (SSLv3) */
|
|
const unsigned int len = dataTotalLen + headerLen;
|
|
/* maxMACBytes contains the maximum bytes of bytes in the MAC, including
|
|
* |header|, assuming that there's no padding. */
|
|
const unsigned int maxMACBytes = len - mdSize - 1;
|
|
/* numBlocks is the maximum number of hash blocks. */
|
|
const unsigned int numBlocks =
|
|
(maxMACBytes + 1 + mdLengthSize + mdBlockSize - 1) / mdBlockSize;
|
|
/* macEndOffset is the index just past the end of the data to be
|
|
* MACed. */
|
|
const unsigned int macEndOffset = dataLen + headerLen - mdSize;
|
|
/* c is the index of the 0x80 byte in the final hash block that
|
|
* contains application data. */
|
|
const unsigned int c = macEndOffset % mdBlockSize;
|
|
/* indexA is the hash block number that contains the 0x80 terminating
|
|
* value. */
|
|
const unsigned int indexA = macEndOffset / mdBlockSize;
|
|
/* indexB is the hash block number that contains the 64-bit hash
|
|
* length, in bits. */
|
|
const unsigned int indexB = (macEndOffset + mdLengthSize) / mdBlockSize;
|
|
/* bits is the hash-length in bits. It includes the additional hash
|
|
* block for the masked HMAC key, or whole of |header| in the case of
|
|
* SSLv3. */
|
|
unsigned int bits;
|
|
/* In order to calculate the MAC in constant time we have to handle
|
|
* the final blocks specially because the padding value could cause the
|
|
* end to appear somewhere in the final |varianceBlocks| blocks and we
|
|
* can't leak where. However, |numStartingBlocks| worth of data can
|
|
* be hashed right away because no padding value can affect whether
|
|
* they are plaintext. */
|
|
unsigned int numStartingBlocks = 0;
|
|
/* k is the starting byte offset into the conceptual header||data where
|
|
* we start processing. */
|
|
unsigned int k = 0;
|
|
unsigned char lengthBytes[MAX_HASH_BIT_COUNT_BYTES];
|
|
/* hmacPad is the masked HMAC key. */
|
|
unsigned char hmacPad[HASH_BLOCK_LENGTH_MAX];
|
|
unsigned char firstBlock[HASH_BLOCK_LENGTH_MAX];
|
|
unsigned char macOut[HASH_LENGTH_MAX];
|
|
unsigned i, j;
|
|
|
|
/* For SSLv3, if we're going to have any starting blocks then we need
|
|
* at least two because the header is larger than a single block. */
|
|
if (numBlocks > varianceBlocks + (isSSLv3 ? 1 : 0)) {
|
|
numStartingBlocks = numBlocks - varianceBlocks;
|
|
k = mdBlockSize*numStartingBlocks;
|
|
}
|
|
|
|
bits = 8*macEndOffset;
|
|
hashObj->begin(mdState);
|
|
if (!isSSLv3) {
|
|
/* Compute the initial HMAC block. For SSLv3, the padding and
|
|
* secret bytes are included in |header| because they take more
|
|
* than a single block. */
|
|
bits += 8*mdBlockSize;
|
|
memset(hmacPad, 0, mdBlockSize);
|
|
PORT_Assert(macSecretLen <= sizeof(hmacPad));
|
|
memcpy(hmacPad, macSecret, macSecretLen);
|
|
for (i = 0; i < mdBlockSize; i++)
|
|
hmacPad[i] ^= 0x36;
|
|
hashObj->update(mdState, hmacPad, mdBlockSize);
|
|
}
|
|
|
|
j = 0;
|
|
memset(lengthBytes, 0, sizeof(lengthBytes));
|
|
if (mdLengthSize == 16) {
|
|
j = 8;
|
|
}
|
|
if (hashObj->type == HASH_AlgMD5) {
|
|
/* MD5 appends a little-endian length. */
|
|
for (i = 0; i < 4; i++) {
|
|
lengthBytes[i+j] = bits >> (8*i);
|
|
}
|
|
} else {
|
|
/* All other TLS hash functions use a big-endian length. */
|
|
for (i = 0; i < 4; i++) {
|
|
lengthBytes[4+i+j] = bits >> (8*(3-i));
|
|
}
|
|
}
|
|
|
|
if (k > 0) {
|
|
if (isSSLv3) {
|
|
/* The SSLv3 header is larger than a single block.
|
|
* overhang is the number of bytes beyond a single
|
|
* block that the header consumes: either 7 bytes
|
|
* (SHA1) or 11 bytes (MD5). */
|
|
const unsigned int overhang = headerLen-mdBlockSize;
|
|
hashObj->update(mdState, header, mdBlockSize);
|
|
memcpy(firstBlock, header + mdBlockSize, overhang);
|
|
memcpy(firstBlock + overhang, data, mdBlockSize-overhang);
|
|
hashObj->update(mdState, firstBlock, mdBlockSize);
|
|
for (i = 1; i < k/mdBlockSize - 1; i++) {
|
|
hashObj->update(mdState, data + mdBlockSize*i - overhang,
|
|
mdBlockSize);
|
|
}
|
|
} else {
|
|
/* k is a multiple of mdBlockSize. */
|
|
memcpy(firstBlock, header, 13);
|
|
memcpy(firstBlock+13, data, mdBlockSize-13);
|
|
hashObj->update(mdState, firstBlock, mdBlockSize);
|
|
for (i = 1; i < k/mdBlockSize; i++) {
|
|
hashObj->update(mdState, data + mdBlockSize*i - 13,
|
|
mdBlockSize);
|
|
}
|
|
}
|
|
}
|
|
|
|
memset(macOut, 0, sizeof(macOut));
|
|
|
|
/* We now process the final hash blocks. For each block, we construct
|
|
* it in constant time. If i == indexA then we'll include the 0x80
|
|
* bytes and zero pad etc. For each block we selectively copy it, in
|
|
* constant time, to |macOut|. */
|
|
for (i = numStartingBlocks; i <= numStartingBlocks+varianceBlocks; i++) {
|
|
unsigned char block[HASH_BLOCK_LENGTH_MAX];
|
|
unsigned char isBlockA = constantTimeEQ8(i, indexA);
|
|
unsigned char isBlockB = constantTimeEQ8(i, indexB);
|
|
for (j = 0; j < mdBlockSize; j++) {
|
|
unsigned char isPastC = isBlockA & constantTimeGE(j, c);
|
|
unsigned char isPastCPlus1 = isBlockA & constantTimeGE(j, c+1);
|
|
unsigned char b = 0;
|
|
if (k < headerLen) {
|
|
b = header[k];
|
|
} else if (k < dataTotalLen + headerLen) {
|
|
b = data[k-headerLen];
|
|
}
|
|
k++;
|
|
|
|
/* If this is the block containing the end of the
|
|
* application data, and we are at the offset for the
|
|
* 0x80 value, then overwrite b with 0x80. */
|
|
b = (b&~isPastC) | (0x80&isPastC);
|
|
/* If this the the block containing the end of the
|
|
* application data and we're past the 0x80 value then
|
|
* just write zero. */
|
|
b = b&~isPastCPlus1;
|
|
/* If this is indexB (the final block), but not
|
|
* indexA (the end of the data), then the 64-bit
|
|
* length didn't fit into indexA and we're having to
|
|
* add an extra block of zeros. */
|
|
b &= ~isBlockB | isBlockA;
|
|
|
|
/* The final bytes of one of the blocks contains the length. */
|
|
if (j >= mdBlockSize - mdLengthSize) {
|
|
/* If this is indexB, write a length byte. */
|
|
b = (b&~isBlockB) |
|
|
(isBlockB&lengthBytes[j-(mdBlockSize-mdLengthSize)]);
|
|
}
|
|
block[j] = b;
|
|
}
|
|
|
|
hashObj->update(mdState, block, mdBlockSize);
|
|
hashObj->end_raw(mdState, block, NULL, mdSize);
|
|
/* If this is indexB, copy the hash value to |macOut|. */
|
|
for (j = 0; j < mdSize; j++) {
|
|
macOut[j] |= block[j]&isBlockB;
|
|
}
|
|
}
|
|
|
|
hashObj->begin(mdState);
|
|
|
|
if (isSSLv3) {
|
|
/* We repurpose |hmacPad| to contain the SSLv3 pad2 block. */
|
|
for (i = 0; i < sslv3PadLen; i++)
|
|
hmacPad[i] = 0x5c;
|
|
|
|
hashObj->update(mdState, macSecret, macSecretLen);
|
|
hashObj->update(mdState, hmacPad, sslv3PadLen);
|
|
hashObj->update(mdState, macOut, mdSize);
|
|
} else {
|
|
/* Complete the HMAC in the standard manner. */
|
|
for (i = 0; i < mdBlockSize; i++)
|
|
hmacPad[i] ^= 0x6a;
|
|
|
|
hashObj->update(mdState, hmacPad, mdBlockSize);
|
|
hashObj->update(mdState, macOut, mdSize);
|
|
}
|
|
|
|
hashObj->end(mdState, mdOut, mdOutLen, mdOutMax);
|
|
hashObj->destroy(mdState, PR_TRUE);
|
|
|
|
return SECSuccess;
|
|
}
|
|
|
|
SECStatus
|
|
HMAC_ConstantTime(
|
|
unsigned char *result,
|
|
unsigned int *resultLen,
|
|
unsigned int maxResultLen,
|
|
const SECHashObject *hashObj,
|
|
const unsigned char *secret,
|
|
unsigned int secretLen,
|
|
const unsigned char *header,
|
|
unsigned int headerLen,
|
|
const unsigned char *body,
|
|
unsigned int bodyLen,
|
|
unsigned int bodyTotalLen)
|
|
{
|
|
if (hashObj->end_raw == NULL)
|
|
return SECFailure;
|
|
return MAC(result, resultLen, maxResultLen, hashObj, secret, secretLen,
|
|
header, headerLen, body, bodyLen, bodyTotalLen,
|
|
0 /* not SSLv3 */);
|
|
}
|
|
|
|
SECStatus
|
|
SSLv3_MAC_ConstantTime(
|
|
unsigned char *result,
|
|
unsigned int *resultLen,
|
|
unsigned int maxResultLen,
|
|
const SECHashObject *hashObj,
|
|
const unsigned char *secret,
|
|
unsigned int secretLen,
|
|
const unsigned char *header,
|
|
unsigned int headerLen,
|
|
const unsigned char *body,
|
|
unsigned int bodyLen,
|
|
unsigned int bodyTotalLen)
|
|
{
|
|
if (hashObj->end_raw == NULL)
|
|
return SECFailure;
|
|
return MAC(result, resultLen, maxResultLen, hashObj, secret, secretLen,
|
|
header, headerLen, body, bodyLen, bodyTotalLen,
|
|
1 /* SSLv3 */);
|
|
}
|
|
|