michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: #ifdef FREEBL_NO_DEPEND michael@0: #include "stubs.h" michael@0: #endif michael@0: michael@0: #include "secport.h" michael@0: #include "hasht.h" michael@0: #include "blapit.h" michael@0: #include "hmacct.h" michael@0: #include "secerr.h" michael@0: michael@0: /* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length michael@0: * field. (SHA-384/512 have 128-bit length.) */ michael@0: #define MAX_HASH_BIT_COUNT_BYTES 16 michael@0: michael@0: /* Some utility functions are needed: michael@0: * michael@0: * These macros return the given value with the MSB copied to all the other michael@0: * bits. They use the fact that an arithmetic shift shifts-in the sign bit. michael@0: * However, this is not ensured by the C standard so you may need to replace michael@0: * them with something else on odd CPUs. michael@0: * michael@0: * Note: the argument to these macros must be an unsigned int. michael@0: * */ michael@0: #define DUPLICATE_MSB_TO_ALL(x) ( (unsigned int)( (int)(x) >> (sizeof(int)*8-1) ) ) michael@0: #define DUPLICATE_MSB_TO_ALL_8(x) ( (unsigned char)(DUPLICATE_MSB_TO_ALL(x)) ) michael@0: michael@0: /* constantTimeGE returns 0xff if a>=b and 0x00 otherwise, where a, b < michael@0: * MAX_UINT/2. */ michael@0: static unsigned char michael@0: constantTimeGE(unsigned int a, unsigned int b) michael@0: { michael@0: a -= b; michael@0: return DUPLICATE_MSB_TO_ALL(~a); michael@0: } michael@0: michael@0: /* constantTimeEQ8 returns 0xff if a==b and 0x00 otherwise. */ michael@0: static unsigned char michael@0: constantTimeEQ8(unsigned char a, unsigned char b) michael@0: { michael@0: unsigned int c = a ^ b; michael@0: c--; michael@0: return DUPLICATE_MSB_TO_ALL_8(c); michael@0: } michael@0: michael@0: /* MAC performs a constant time SSLv3/TLS MAC of |dataLen| bytes of |data|, michael@0: * where |dataLen| includes both the authenticated bytes and the MAC tag from michael@0: * the sender. |dataLen| must be >= the length of the MAC tag. michael@0: * michael@0: * |dataTotalLen| is >= |dataLen| and also accounts for any padding bytes michael@0: * that may follow the sender's MAC. (Only a single block of padding may michael@0: * follow in SSLv3, or up to 255 bytes in TLS.) michael@0: * michael@0: * Since the results of decryption are secret information (otherwise a michael@0: * padding-oracle is created), this function is constant-time with respect to michael@0: * |dataLen|. michael@0: * michael@0: * |header| contains either the 13-byte TLS header (containing the sequence michael@0: * number, record type etc), or it contains the SSLv3 header with the SSLv3 michael@0: * padding bytes etc. */ michael@0: static SECStatus michael@0: MAC(unsigned char *mdOut, michael@0: unsigned int *mdOutLen, michael@0: unsigned int mdOutMax, michael@0: const SECHashObject *hashObj, michael@0: const unsigned char *macSecret, michael@0: unsigned int macSecretLen, michael@0: const unsigned char *header, michael@0: unsigned int headerLen, michael@0: const unsigned char *data, michael@0: unsigned int dataLen, michael@0: unsigned int dataTotalLen, michael@0: unsigned char isSSLv3) michael@0: { michael@0: void *mdState = hashObj->create(); michael@0: const unsigned int mdSize = hashObj->length; michael@0: const unsigned int mdBlockSize = hashObj->blocklength; michael@0: /* mdLengthSize is the number of bytes in the length field that terminates michael@0: * the hash. michael@0: * michael@0: * This assumes that hash functions with a 64 byte block size use a 64-bit michael@0: * length, and otherwise they use a 128-bit length. This is true of {MD5, michael@0: * SHA*} (which are all of the hash functions specified for use with TLS michael@0: * today). */ michael@0: const unsigned int mdLengthSize = mdBlockSize == 64 ? 8 : 16; michael@0: michael@0: const unsigned int sslv3PadLen = hashObj->type == HASH_AlgMD5 ? 48 : 40; michael@0: michael@0: /* varianceBlocks is the number of blocks of the hash that we have to michael@0: * calculate in constant time because they could be altered by the michael@0: * padding value. michael@0: * michael@0: * In SSLv3, the padding must be minimal so the end of the plaintext michael@0: * varies by, at most, 15+20 = 35 bytes. (We conservatively assume that michael@0: * the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash michael@0: * termination (0x80 + 64-bit length) don't fit in the final block, we michael@0: * say that the final two blocks can vary based on the padding. michael@0: * michael@0: * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not michael@0: * required to be minimal. Therefore we say that the final six blocks michael@0: * can vary based on the padding. michael@0: * michael@0: * Later in the function, if the message is short and there obviously michael@0: * cannot be this many blocks then varianceBlocks can be reduced. */ michael@0: unsigned int varianceBlocks = isSSLv3 ? 2 : 6; michael@0: /* From now on we're dealing with the MAC, which conceptually has 13 michael@0: * bytes of `header' before the start of the data (TLS) or 71/75 bytes michael@0: * (SSLv3) */ michael@0: const unsigned int len = dataTotalLen + headerLen; michael@0: /* maxMACBytes contains the maximum bytes of bytes in the MAC, including michael@0: * |header|, assuming that there's no padding. */ michael@0: const unsigned int maxMACBytes = len - mdSize - 1; michael@0: /* numBlocks is the maximum number of hash blocks. */ michael@0: const unsigned int numBlocks = michael@0: (maxMACBytes + 1 + mdLengthSize + mdBlockSize - 1) / mdBlockSize; michael@0: /* macEndOffset is the index just past the end of the data to be michael@0: * MACed. */ michael@0: const unsigned int macEndOffset = dataLen + headerLen - mdSize; michael@0: /* c is the index of the 0x80 byte in the final hash block that michael@0: * contains application data. */ michael@0: const unsigned int c = macEndOffset % mdBlockSize; michael@0: /* indexA is the hash block number that contains the 0x80 terminating michael@0: * value. */ michael@0: const unsigned int indexA = macEndOffset / mdBlockSize; michael@0: /* indexB is the hash block number that contains the 64-bit hash michael@0: * length, in bits. */ michael@0: const unsigned int indexB = (macEndOffset + mdLengthSize) / mdBlockSize; michael@0: /* bits is the hash-length in bits. It includes the additional hash michael@0: * block for the masked HMAC key, or whole of |header| in the case of michael@0: * SSLv3. */ michael@0: unsigned int bits; michael@0: /* In order to calculate the MAC in constant time we have to handle michael@0: * the final blocks specially because the padding value could cause the michael@0: * end to appear somewhere in the final |varianceBlocks| blocks and we michael@0: * can't leak where. However, |numStartingBlocks| worth of data can michael@0: * be hashed right away because no padding value can affect whether michael@0: * they are plaintext. */ michael@0: unsigned int numStartingBlocks = 0; michael@0: /* k is the starting byte offset into the conceptual header||data where michael@0: * we start processing. */ michael@0: unsigned int k = 0; michael@0: unsigned char lengthBytes[MAX_HASH_BIT_COUNT_BYTES]; michael@0: /* hmacPad is the masked HMAC key. */ michael@0: unsigned char hmacPad[HASH_BLOCK_LENGTH_MAX]; michael@0: unsigned char firstBlock[HASH_BLOCK_LENGTH_MAX]; michael@0: unsigned char macOut[HASH_LENGTH_MAX]; michael@0: unsigned i, j; michael@0: michael@0: /* For SSLv3, if we're going to have any starting blocks then we need michael@0: * at least two because the header is larger than a single block. */ michael@0: if (numBlocks > varianceBlocks + (isSSLv3 ? 1 : 0)) { michael@0: numStartingBlocks = numBlocks - varianceBlocks; michael@0: k = mdBlockSize*numStartingBlocks; michael@0: } michael@0: michael@0: bits = 8*macEndOffset; michael@0: hashObj->begin(mdState); michael@0: if (!isSSLv3) { michael@0: /* Compute the initial HMAC block. For SSLv3, the padding and michael@0: * secret bytes are included in |header| because they take more michael@0: * than a single block. */ michael@0: bits += 8*mdBlockSize; michael@0: memset(hmacPad, 0, mdBlockSize); michael@0: PORT_Assert(macSecretLen <= sizeof(hmacPad)); michael@0: memcpy(hmacPad, macSecret, macSecretLen); michael@0: for (i = 0; i < mdBlockSize; i++) michael@0: hmacPad[i] ^= 0x36; michael@0: hashObj->update(mdState, hmacPad, mdBlockSize); michael@0: } michael@0: michael@0: j = 0; michael@0: memset(lengthBytes, 0, sizeof(lengthBytes)); michael@0: if (mdLengthSize == 16) { michael@0: j = 8; michael@0: } michael@0: if (hashObj->type == HASH_AlgMD5) { michael@0: /* MD5 appends a little-endian length. */ michael@0: for (i = 0; i < 4; i++) { michael@0: lengthBytes[i+j] = bits >> (8*i); michael@0: } michael@0: } else { michael@0: /* All other TLS hash functions use a big-endian length. */ michael@0: for (i = 0; i < 4; i++) { michael@0: lengthBytes[4+i+j] = bits >> (8*(3-i)); michael@0: } michael@0: } michael@0: michael@0: if (k > 0) { michael@0: if (isSSLv3) { michael@0: /* The SSLv3 header is larger than a single block. michael@0: * overhang is the number of bytes beyond a single michael@0: * block that the header consumes: either 7 bytes michael@0: * (SHA1) or 11 bytes (MD5). */ michael@0: const unsigned int overhang = headerLen-mdBlockSize; michael@0: hashObj->update(mdState, header, mdBlockSize); michael@0: memcpy(firstBlock, header + mdBlockSize, overhang); michael@0: memcpy(firstBlock + overhang, data, mdBlockSize-overhang); michael@0: hashObj->update(mdState, firstBlock, mdBlockSize); michael@0: for (i = 1; i < k/mdBlockSize - 1; i++) { michael@0: hashObj->update(mdState, data + mdBlockSize*i - overhang, michael@0: mdBlockSize); michael@0: } michael@0: } else { michael@0: /* k is a multiple of mdBlockSize. */ michael@0: memcpy(firstBlock, header, 13); michael@0: memcpy(firstBlock+13, data, mdBlockSize-13); michael@0: hashObj->update(mdState, firstBlock, mdBlockSize); michael@0: for (i = 1; i < k/mdBlockSize; i++) { michael@0: hashObj->update(mdState, data + mdBlockSize*i - 13, michael@0: mdBlockSize); michael@0: } michael@0: } michael@0: } michael@0: michael@0: memset(macOut, 0, sizeof(macOut)); michael@0: michael@0: /* We now process the final hash blocks. For each block, we construct michael@0: * it in constant time. If i == indexA then we'll include the 0x80 michael@0: * bytes and zero pad etc. For each block we selectively copy it, in michael@0: * constant time, to |macOut|. */ michael@0: for (i = numStartingBlocks; i <= numStartingBlocks+varianceBlocks; i++) { michael@0: unsigned char block[HASH_BLOCK_LENGTH_MAX]; michael@0: unsigned char isBlockA = constantTimeEQ8(i, indexA); michael@0: unsigned char isBlockB = constantTimeEQ8(i, indexB); michael@0: for (j = 0; j < mdBlockSize; j++) { michael@0: unsigned char isPastC = isBlockA & constantTimeGE(j, c); michael@0: unsigned char isPastCPlus1 = isBlockA & constantTimeGE(j, c+1); michael@0: unsigned char b = 0; michael@0: if (k < headerLen) { michael@0: b = header[k]; michael@0: } else if (k < dataTotalLen + headerLen) { michael@0: b = data[k-headerLen]; michael@0: } michael@0: k++; michael@0: michael@0: /* If this is the block containing the end of the michael@0: * application data, and we are at the offset for the michael@0: * 0x80 value, then overwrite b with 0x80. */ michael@0: b = (b&~isPastC) | (0x80&isPastC); michael@0: /* If this the the block containing the end of the michael@0: * application data and we're past the 0x80 value then michael@0: * just write zero. */ michael@0: b = b&~isPastCPlus1; michael@0: /* If this is indexB (the final block), but not michael@0: * indexA (the end of the data), then the 64-bit michael@0: * length didn't fit into indexA and we're having to michael@0: * add an extra block of zeros. */ michael@0: b &= ~isBlockB | isBlockA; michael@0: michael@0: /* The final bytes of one of the blocks contains the length. */ michael@0: if (j >= mdBlockSize - mdLengthSize) { michael@0: /* If this is indexB, write a length byte. */ michael@0: b = (b&~isBlockB) | michael@0: (isBlockB&lengthBytes[j-(mdBlockSize-mdLengthSize)]); michael@0: } michael@0: block[j] = b; michael@0: } michael@0: michael@0: hashObj->update(mdState, block, mdBlockSize); michael@0: hashObj->end_raw(mdState, block, NULL, mdSize); michael@0: /* If this is indexB, copy the hash value to |macOut|. */ michael@0: for (j = 0; j < mdSize; j++) { michael@0: macOut[j] |= block[j]&isBlockB; michael@0: } michael@0: } michael@0: michael@0: hashObj->begin(mdState); michael@0: michael@0: if (isSSLv3) { michael@0: /* We repurpose |hmacPad| to contain the SSLv3 pad2 block. */ michael@0: for (i = 0; i < sslv3PadLen; i++) michael@0: hmacPad[i] = 0x5c; michael@0: michael@0: hashObj->update(mdState, macSecret, macSecretLen); michael@0: hashObj->update(mdState, hmacPad, sslv3PadLen); michael@0: hashObj->update(mdState, macOut, mdSize); michael@0: } else { michael@0: /* Complete the HMAC in the standard manner. */ michael@0: for (i = 0; i < mdBlockSize; i++) michael@0: hmacPad[i] ^= 0x6a; michael@0: michael@0: hashObj->update(mdState, hmacPad, mdBlockSize); michael@0: hashObj->update(mdState, macOut, mdSize); michael@0: } michael@0: michael@0: hashObj->end(mdState, mdOut, mdOutLen, mdOutMax); michael@0: hashObj->destroy(mdState, PR_TRUE); michael@0: michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECStatus michael@0: HMAC_ConstantTime( michael@0: unsigned char *result, michael@0: unsigned int *resultLen, michael@0: unsigned int maxResultLen, michael@0: const SECHashObject *hashObj, michael@0: const unsigned char *secret, michael@0: unsigned int secretLen, michael@0: const unsigned char *header, michael@0: unsigned int headerLen, michael@0: const unsigned char *body, michael@0: unsigned int bodyLen, michael@0: unsigned int bodyTotalLen) michael@0: { michael@0: if (hashObj->end_raw == NULL) michael@0: return SECFailure; michael@0: return MAC(result, resultLen, maxResultLen, hashObj, secret, secretLen, michael@0: header, headerLen, body, bodyLen, bodyTotalLen, michael@0: 0 /* not SSLv3 */); michael@0: } michael@0: michael@0: SECStatus michael@0: SSLv3_MAC_ConstantTime( michael@0: unsigned char *result, michael@0: unsigned int *resultLen, michael@0: unsigned int maxResultLen, michael@0: const SECHashObject *hashObj, michael@0: const unsigned char *secret, michael@0: unsigned int secretLen, michael@0: const unsigned char *header, michael@0: unsigned int headerLen, michael@0: const unsigned char *body, michael@0: unsigned int bodyLen, michael@0: unsigned int bodyTotalLen) michael@0: { michael@0: if (hashObj->end_raw == NULL) michael@0: return SECFailure; michael@0: return MAC(result, resultLen, maxResultLen, hashObj, secret, secretLen, michael@0: header, headerLen, body, bodyLen, bodyTotalLen, michael@0: 1 /* SSLv3 */); michael@0: } michael@0: