Diffstat (limited to 'nss/lib/freebl/hmacct.c')
-rw-r--r-- | nss/lib/freebl/hmacct.c | 215 |
1 files changed, 107 insertions, 108 deletions
diff --git a/nss/lib/freebl/hmacct.c b/nss/lib/freebl/hmacct.c
index 0c3ba41..c7815ac 100644
--- a/nss/lib/freebl/hmacct.c
+++ b/nss/lib/freebl/hmacct.c
@@ -25,8 +25,8 @@
 *
 * Note: the argument to these macros must be an unsigned int.
 * */
-#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned int)( (int)(x) >> (sizeof(int)*8-1) ) )
-#define DUPLICATE_MSB_TO_ALL_8(x) ( (unsigned char)(DUPLICATE_MSB_TO_ALL(x)) )
+#define DUPLICATE_MSB_TO_ALL(x) ((unsigned int)((int)(x) >> (sizeof(int) * 8 - 1)))
+#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
 /* constantTimeGE returns 0xff if a>=b and 0x00 otherwise, where a, b <
 * MAX_UINT/2. */
@@ -115,7 +115,7 @@ MAC(unsigned char *mdOut,
 const unsigned int maxMACBytes = len - mdSize - 1;
 /* numBlocks is the maximum number of hash blocks. */
 const unsigned int numBlocks =
- (maxMACBytes + 1 + mdLengthSize + mdBlockSize - 1) / mdBlockSize;
+ (maxMACBytes + 1 + mdLengthSize + mdBlockSize - 1) / mdBlockSize;
 /* macEndOffset is the index just past the end of the data to be
 * MACed. */
 const unsigned int macEndOffset = dataLen + headerLen - mdSize;
@@ -152,67 +152,67 @@ MAC(unsigned char *mdOut,
 /* For SSLv3, if we're going to have any starting blocks then we need
 * at least two because the header is larger than a single block. */
 if (numBlocks > varianceBlocks + (isSSLv3 ? 1 : 0)) {
- numStartingBlocks = numBlocks - varianceBlocks;
- k = mdBlockSize*numStartingBlocks;
+ numStartingBlocks = numBlocks - varianceBlocks;
+ k = mdBlockSize * numStartingBlocks;
 }
- bits = 8*macEndOffset;
+ bits = 8 * macEndOffset;
 hashObj->begin(mdState);
 if (!isSSLv3) {
- /* Compute the initial HMAC block. For SSLv3, the padding and
- * secret bytes are included in |header| because they take more
- * than a single block. */
- bits += 8*mdBlockSize;
- memset(hmacPad, 0, mdBlockSize);
- PORT_Assert(macSecretLen <= sizeof(hmacPad));
- memcpy(hmacPad, macSecret, macSecretLen);
- for (i = 0; i < mdBlockSize; i++)
- hmacPad[i] ^= 0x36;
- hashObj->update(mdState, hmacPad, mdBlockSize);
+ /* Compute the initial HMAC block. For SSLv3, the padding and
+ * secret bytes are included in |header| because they take more
+ * than a single block. */
+ bits += 8 * mdBlockSize;
+ memset(hmacPad, 0, mdBlockSize);
+ PORT_Assert(macSecretLen <= sizeof(hmacPad));
+ memcpy(hmacPad, macSecret, macSecretLen);
+ for (i = 0; i < mdBlockSize; i++)
+ hmacPad[i] ^= 0x36;
+ hashObj->update(mdState, hmacPad, mdBlockSize);
 }
 j = 0;
 memset(lengthBytes, 0, sizeof(lengthBytes));
 if (mdLengthSize == 16) {
- j = 8;
+ j = 8;
 }
 if (hashObj->type == HASH_AlgMD5) {
- /* MD5 appends a little-endian length. */
- for (i = 0; i < 4; i++) {
- lengthBytes[i+j] = bits >> (8*i);
- }
+ /* MD5 appends a little-endian length. */
+ for (i = 0; i < 4; i++) {
+ lengthBytes[i + j] = bits >> (8 * i);
+ }
 } else {
- /* All other TLS hash functions use a big-endian length. */
- for (i = 0; i < 4; i++) {
- lengthBytes[4+i+j] = bits >> (8*(3-i));
- }
+ /* All other TLS hash functions use a big-endian length. */
+ for (i = 0; i < 4; i++) {
+ lengthBytes[4 + i + j] = bits >> (8 * (3 - i));
+ }
 }
 if (k > 0) {
- if (isSSLv3) {
- /* The SSLv3 header is larger than a single block.
- * overhang is the number of bytes beyond a single
- * block that the header consumes: either 7 bytes
- * (SHA1) or 11 bytes (MD5). */
- const unsigned int overhang = headerLen-mdBlockSize;
- hashObj->update(mdState, header, mdBlockSize);
- memcpy(firstBlock, header + mdBlockSize, overhang);
- memcpy(firstBlock + overhang, data, mdBlockSize-overhang);
- hashObj->update(mdState, firstBlock, mdBlockSize);
- for (i = 1; i < k/mdBlockSize - 1; i++) {
- hashObj->update(mdState, data + mdBlockSize*i - overhang,
- mdBlockSize);
- }
- } else {
- /* k is a multiple of mdBlockSize. */
- memcpy(firstBlock, header, 13);
- memcpy(firstBlock+13, data, mdBlockSize-13);
- hashObj->update(mdState, firstBlock, mdBlockSize);
- for (i = 1; i < k/mdBlockSize; i++) {
- hashObj->update(mdState, data + mdBlockSize*i - 13,
- mdBlockSize);
- }
- }
+ if (isSSLv3) {
+ /* The SSLv3 header is larger than a single block.
+ * overhang is the number of bytes beyond a single
+ * block that the header consumes: either 7 bytes
+ * (SHA1) or 11 bytes (MD5). */
+ const unsigned int overhang = headerLen - mdBlockSize;
+ hashObj->update(mdState, header, mdBlockSize);
+ memcpy(firstBlock, header + mdBlockSize, overhang);
+ memcpy(firstBlock + overhang, data, mdBlockSize - overhang);
+ hashObj->update(mdState, firstBlock, mdBlockSize);
+ for (i = 1; i < k / mdBlockSize - 1; i++) {
+ hashObj->update(mdState, data + mdBlockSize * i - overhang,
+ mdBlockSize);
+ }
+ } else {
+ /* k is a multiple of mdBlockSize. */
+ memcpy(firstBlock, header, 13);
+ memcpy(firstBlock + 13, data, mdBlockSize - 13);
+ hashObj->update(mdState, firstBlock, mdBlockSize);
+ for (i = 1; i < k / mdBlockSize; i++) {
+ hashObj->update(mdState, data + mdBlockSize * i - 13,
+ mdBlockSize);
+ }
+ }
 }
 memset(macOut, 0, sizeof(macOut));
@@ -221,69 +221,69 @@ MAC(unsigned char *mdOut,
 * it in constant time. If i == indexA then we'll include the 0x80
 * bytes and zero pad etc. For each block we selectively copy it, in
 * constant time, to |macOut|. */
- for (i = numStartingBlocks; i <= numStartingBlocks+varianceBlocks; i++) {
- unsigned char block[HASH_BLOCK_LENGTH_MAX];
- unsigned char isBlockA = constantTimeEQ8(i, indexA);
- unsigned char isBlockB = constantTimeEQ8(i, indexB);
- for (j = 0; j < mdBlockSize; j++) {
- unsigned char isPastC = isBlockA & constantTimeGE(j, c);
- unsigned char isPastCPlus1 = isBlockA & constantTimeGE(j, c+1);
- unsigned char b = 0;
- if (k < headerLen) {
- b = header[k];
- } else if (k < dataTotalLen + headerLen) {
- b = data[k-headerLen];
- }
- k++;
+ for (i = numStartingBlocks; i <= numStartingBlocks + varianceBlocks; i++) {
+ unsigned char block[HASH_BLOCK_LENGTH_MAX];
+ unsigned char isBlockA = constantTimeEQ8(i, indexA);
+ unsigned char isBlockB = constantTimeEQ8(i, indexB);
+ for (j = 0; j < mdBlockSize; j++) {
+ unsigned char isPastC = isBlockA & constantTimeGE(j, c);
+ unsigned char isPastCPlus1 = isBlockA & constantTimeGE(j, c + 1);
+ unsigned char b = 0;
+ if (k < headerLen) {
+ b = header[k];
+ } else if (k < dataTotalLen + headerLen) {
+ b = data[k - headerLen];
+ }
+ k++;
- /* If this is the block containing the end of the
- * application data, and we are at the offset for the
- * 0x80 value, then overwrite b with 0x80. */
- b = (b&~isPastC) | (0x80&isPastC);
- /* If this the the block containing the end of the
- * application data and we're past the 0x80 value then
- * just write zero. */
- b = b&~isPastCPlus1;
- /* If this is indexB (the final block), but not
- * indexA (the end of the data), then the 64-bit
- * length didn't fit into indexA and we're having to
- * add an extra block of zeros. */
- b &= ~isBlockB | isBlockA;
+ /* If this is the block containing the end of the
+ * application data, and we are at the offset for the
+ * 0x80 value, then overwrite b with 0x80. */
+ b = (b & ~isPastC) | (0x80 & isPastC);
+ /* If this the the block containing the end of the
+ * application data and we're past the 0x80 value then
+ * just write zero. */
+ b = b & ~isPastCPlus1;
+ /* If this is indexB (the final block), but not
+ * indexA (the end of the data), then the 64-bit
+ * length didn't fit into indexA and we're having to
+ * add an extra block of zeros. */
+ b &= ~isBlockB | isBlockA;
- /* The final bytes of one of the blocks contains the length. */
- if (j >= mdBlockSize - mdLengthSize) {
- /* If this is indexB, write a length byte. */
- b = (b&~isBlockB) |
- (isBlockB&lengthBytes[j-(mdBlockSize-mdLengthSize)]);
- }
- block[j] = b;
- }
+ /* The final bytes of one of the blocks contains the length. */
+ if (j >= mdBlockSize - mdLengthSize) {
+ /* If this is indexB, write a length byte. */
+ b = (b & ~isBlockB) |
+ (isBlockB & lengthBytes[j - (mdBlockSize - mdLengthSize)]);
+ }
+ block[j] = b;
+ }
- hashObj->update(mdState, block, mdBlockSize);
- hashObj->end_raw(mdState, block, NULL, mdSize);
- /* If this is indexB, copy the hash value to |macOut|. */
- for (j = 0; j < mdSize; j++) {
- macOut[j] |= block[j]&isBlockB;
- }
+ hashObj->update(mdState, block, mdBlockSize);
+ hashObj->end_raw(mdState, block, NULL, mdSize);
+ /* If this is indexB, copy the hash value to |macOut|. */
+ for (j = 0; j < mdSize; j++) {
+ macOut[j] |= block[j] & isBlockB;
+ }
 }
 hashObj->begin(mdState);
 if (isSSLv3) {
- /* We repurpose |hmacPad| to contain the SSLv3 pad2 block. */
- for (i = 0; i < sslv3PadLen; i++)
- hmacPad[i] = 0x5c;
+ /* We repurpose |hmacPad| to contain the SSLv3 pad2 block. */
+ for (i = 0; i < sslv3PadLen; i++)
+ hmacPad[i] = 0x5c;
- hashObj->update(mdState, macSecret, macSecretLen);
- hashObj->update(mdState, hmacPad, sslv3PadLen);
- hashObj->update(mdState, macOut, mdSize);
+ hashObj->update(mdState, macSecret, macSecretLen);
+ hashObj->update(mdState, hmacPad, sslv3PadLen);
+ hashObj->update(mdState, macOut, mdSize);
 } else {
- /* Complete the HMAC in the standard manner. */
- for (i = 0; i < mdBlockSize; i++)
- hmacPad[i] ^= 0x6a;
+ /* Complete the HMAC in the standard manner. */
+ for (i = 0; i < mdBlockSize; i++)
+ hmacPad[i] ^= 0x6a;
- hashObj->update(mdState, hmacPad, mdBlockSize);
- hashObj->update(mdState, macOut, mdSize);
+ hashObj->update(mdState, hmacPad, mdBlockSize);
+ hashObj->update(mdState, macOut, mdSize);
 }
 hashObj->end(mdState, mdOut, mdOutLen, mdOutMax);
@@ -307,10 +307,10 @@ HMAC_ConstantTime(
 unsigned int bodyTotalLen)
 {
 if (hashObj->end_raw == NULL)
- return SECFailure;
+ return SECFailure;
 return MAC(result, resultLen, maxResultLen, hashObj, secret, secretLen,
- header, headerLen, body, bodyLen, bodyTotalLen,
- 0 /* not SSLv3 */);
+ header, headerLen, body, bodyLen, bodyTotalLen,
+ 0 /* not SSLv3 */);
 }
 SECStatus
@@ -328,9 +328,8 @@ SSLv3_MAC_ConstantTime(
 unsigned int bodyTotalLen)
 {
 if (hashObj->end_raw == NULL)
- return SECFailure;
+ return SECFailure;
 return MAC(result, resultLen, maxResultLen, hashObj, secret, secretLen,
- header, headerLen, body, bodyLen, bodyTotalLen,
- 1 /* SSLv3 */);
+ header, headerLen, body, bodyLen, bodyTotalLen,
+ 1 /* SSLv3 */);
 }
-
|