21495e
diff --git a/modules/session/mod_session_crypto.c b/modules/session/mod_session_crypto.c
21495e
index 4d65bb8..9231a5e 100644
21495e
--- a/modules/session/mod_session_crypto.c
21495e
+++ b/modules/session/mod_session_crypto.c
21495e
@@ -18,6 +18,7 @@
21495e
 #include "apu_version.h"
21495e
 #include "apr_base64.h"                /* for apr_base64_decode et al */
21495e
 #include "apr_lib.h"
21495e
+#include "apr_md5.h"
21495e
 #include "apr_strings.h"
21495e
 #include "http_log.h"
21495e
 #include "http_core.h"
21495e
@@ -57,6 +58,146 @@ typedef struct {
21495e
     int library_set;
21495e
 } session_crypto_conf;
21495e
 
21495e
+/* Wrappers around apr_siphash24() and apr_crypto_equals(),
21495e
+ * available in APU-1.6/APR-2.0 only.
21495e
+ */
21495e
+#if APU_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 6)
21495e
+
21495e
+#include "apr_siphash.h"
21495e
+
21495e
+#define AP_SIPHASH_DSIZE    APR_SIPHASH_DSIZE
21495e
+#define AP_SIPHASH_KSIZE    APR_SIPHASH_KSIZE
21495e
+#define ap_siphash24_auth   apr_siphash24_auth
21495e
+
21495e
+#define ap_crypto_equals    apr_crypto_equals
21495e
+
21495e
+#else
21495e
+
21495e
+#define AP_SIPHASH_DSIZE    8
21495e
+#define AP_SIPHASH_KSIZE    16
21495e
+
21495e
+#define ROTL64(x, n) (((x) << (n)) | ((x) >> (64 - (n))))
21495e
+
21495e
+#define U8TO64_LE(p) \
21495e
+    (((apr_uint64_t)((p)[0])      ) | \
21495e
+     ((apr_uint64_t)((p)[1]) <<  8) | \
21495e
+     ((apr_uint64_t)((p)[2]) << 16) | \
21495e
+     ((apr_uint64_t)((p)[3]) << 24) | \
21495e
+     ((apr_uint64_t)((p)[4]) << 32) | \
21495e
+     ((apr_uint64_t)((p)[5]) << 40) | \
21495e
+     ((apr_uint64_t)((p)[6]) << 48) | \
21495e
+     ((apr_uint64_t)((p)[7]) << 56))
21495e
+
21495e
+#define U64TO8_LE(p, v) \
21495e
+do { \
21495e
+    (p)[0] = (unsigned char)((v)      ); \
21495e
+    (p)[1] = (unsigned char)((v) >>  8); \
21495e
+    (p)[2] = (unsigned char)((v) >> 16); \
21495e
+    (p)[3] = (unsigned char)((v) >> 24); \
21495e
+    (p)[4] = (unsigned char)((v) >> 32); \
21495e
+    (p)[5] = (unsigned char)((v) >> 40); \
21495e
+    (p)[6] = (unsigned char)((v) >> 48); \
21495e
+    (p)[7] = (unsigned char)((v) >> 56); \
21495e
+} while (0)
21495e
+
21495e
+#define SIPROUND() \
21495e
+do { \
21495e
+    v0 += v1; v1=ROTL64(v1,13); v1 ^= v0; v0=ROTL64(v0,32); \
21495e
+    v2 += v3; v3=ROTL64(v3,16); v3 ^= v2; \
21495e
+    v0 += v3; v3=ROTL64(v3,21); v3 ^= v0; \
21495e
+    v2 += v1; v1=ROTL64(v1,17); v1 ^= v2; v2=ROTL64(v2,32); \
21495e
+} while(0)
21495e
+
21495e
+static apr_uint64_t ap_siphash24(const void *src, apr_size_t len,
21495e
+                                 const unsigned char key[AP_SIPHASH_KSIZE])
21495e
+{
21495e
+    const unsigned char *ptr, *end;
21495e
+    apr_uint64_t v0, v1, v2, v3, m;
21495e
+    apr_uint64_t k0, k1;
21495e
+    unsigned int rem;
21495e
+
21495e
+    k0 = U8TO64_LE(key + 0);
21495e
+    k1 = U8TO64_LE(key + 8);
21495e
+    v3 = k1 ^ (apr_uint64_t)0x7465646279746573ULL;
21495e
+    v2 = k0 ^ (apr_uint64_t)0x6c7967656e657261ULL;
21495e
+    v1 = k1 ^ (apr_uint64_t)0x646f72616e646f6dULL;
21495e
+    v0 = k0 ^ (apr_uint64_t)0x736f6d6570736575ULL;
21495e
+
21495e
+    rem = (unsigned int)(len & 0x7);
21495e
+    for (ptr = src, end = ptr + len - rem; ptr < end; ptr += 8) {
21495e
+        m = U8TO64_LE(ptr);
21495e
+        v3 ^= m;
21495e
+        SIPROUND();
21495e
+        SIPROUND();
21495e
+        v0 ^= m;
21495e
+    }
21495e
+    m = (apr_uint64_t)(len & 0xff) << 56;
21495e
+    switch (rem) {
21495e
+        case 7: m |= (apr_uint64_t)ptr[6] << 48;
21495e
+        case 6: m |= (apr_uint64_t)ptr[5] << 40;
21495e
+        case 5: m |= (apr_uint64_t)ptr[4] << 32;
21495e
+        case 4: m |= (apr_uint64_t)ptr[3] << 24;
21495e
+        case 3: m |= (apr_uint64_t)ptr[2] << 16;
21495e
+        case 2: m |= (apr_uint64_t)ptr[1] << 8;
21495e
+        case 1: m |= (apr_uint64_t)ptr[0];
21495e
+        case 0: break;
21495e
+    }
21495e
+    v3 ^= m;
21495e
+    SIPROUND();
21495e
+    SIPROUND();
21495e
+    v0 ^= m;
21495e
+
21495e
+    v2 ^= 0xff;
21495e
+    SIPROUND();
21495e
+    SIPROUND();
21495e
+    SIPROUND();
21495e
+    SIPROUND();
21495e
+
21495e
+    return v0 ^ v1 ^ v2 ^ v3;
21495e
+}
21495e
+
21495e
+static void ap_siphash24_auth(unsigned char out[AP_SIPHASH_DSIZE],
21495e
+                              const void *src, apr_size_t len,
21495e
+                              const unsigned char key[AP_SIPHASH_KSIZE])
21495e
+{
21495e
+    apr_uint64_t h;
21495e
+    h = ap_siphash24(src, len, key);
21495e
+    U64TO8_LE(out, h);
21495e
+}
21495e
+
21495e
+static int ap_crypto_equals(const void *buf1, const void *buf2,
21495e
+                            apr_size_t size)
21495e
+{
21495e
+    const unsigned char *p1 = buf1;
21495e
+    const unsigned char *p2 = buf2;
21495e
+    unsigned char diff = 0;
21495e
+    apr_size_t i;
21495e
+
21495e
+    for (i = 0; i < size; ++i) {
21495e
+        diff |= p1[i] ^ p2[i];
21495e
+    }
21495e
+
21495e
+    return 1 & ((diff - 1) >> 8);
21495e
+}
21495e
+
21495e
+#endif
21495e
+
21495e
+static void compute_auth(const void *src, apr_size_t len,
21495e
+                         const char *passphrase, apr_size_t passlen,
21495e
+                         unsigned char auth[AP_SIPHASH_DSIZE])
21495e
+{
21495e
+    unsigned char key[APR_MD5_DIGESTSIZE];
21495e
+
21495e
+    /* XXX: if we had a way to get the raw bytes from an apr_crypto_key_t
21495e
+     *      we could use them directly (not available in APR-1.5.x).
21495e
+     * MD5 is 128bit too, so use it to get a suitable siphash key
21495e
+     * from the passphrase.
21495e
+     */
21495e
+    apr_md5(key, passphrase, passlen);
21495e
+
21495e
+    ap_siphash24_auth(auth, src, len, key);
21495e
+}
21495e
+
21495e
 /**
21495e
  * Initialise the encryption as per the current config.
21495e
  *
21495e
@@ -128,21 +269,14 @@ static apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f,
21495e
     apr_crypto_block_t *block = NULL;
21495e
     unsigned char *encrypt = NULL;
21495e
     unsigned char *combined = NULL;
21495e
-    apr_size_t encryptlen, tlen;
21495e
+    apr_size_t encryptlen, tlen, combinedlen;
21495e
     char *base64;
21495e
     apr_size_t blockSize = 0;
21495e
     const unsigned char *iv = NULL;
21495e
     apr_uuid_t salt;
21495e
     apr_crypto_block_key_type_e *cipher;
21495e
     const char *passphrase;
21495e
-
21495e
-    /* by default, return an empty string */
21495e
-    *out = "";
21495e
-
21495e
-    /* don't attempt to encrypt an empty string, trying to do so causes a segfault */
21495e
-    if (!in || !*in) {
21495e
-        return APR_SUCCESS;
21495e
-    }
21495e
+    apr_size_t passlen;
21495e
 
21495e
     /* use a uuid as a salt value, and prepend it to our result */
21495e
     apr_uuid_get(&salt);
21495e
@@ -152,9 +286,9 @@ static apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f,
21495e
     }
21495e
 
21495e
     /* encrypt using the first passphrase in the list */
21495e
-    passphrase = APR_ARRAY_IDX(dconf->passphrases, 0, char *);
21495e
-    res = apr_crypto_passphrase(&key, &ivSize, passphrase,
21495e
-            strlen(passphrase),
21495e
+    passphrase = APR_ARRAY_IDX(dconf->passphrases, 0, const char *);
21495e
+    passlen = strlen(passphrase);
21495e
+    res = apr_crypto_passphrase(&key, &ivSize, passphrase, passlen,
21495e
             (unsigned char *) (&salt), sizeof(apr_uuid_t),
21495e
             *cipher, APR_MODE_CBC, 1, 4096, f, r->pool);
21495e
     if (APR_STATUS_IS_ENOKEY(res)) {
21495e
@@ -183,8 +317,9 @@ static apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f,
21495e
     }
21495e
 
21495e
     /* encrypt the given string */
21495e
-    res = apr_crypto_block_encrypt(&encrypt, &encryptlen, (unsigned char *)in,
21495e
-            strlen(in), block);
21495e
+    res = apr_crypto_block_encrypt(&encrypt, &encryptlen,
21495e
+                                   (const unsigned char *)in, strlen(in),
21495e
+                                   block);
21495e
     if (APR_SUCCESS != res) {
21495e
         ap_log_rerror(APLOG_MARK, APLOG_ERR, res, r, APLOGNO(01830)
21495e
                 "apr_crypto_block_encrypt failed");
21495e
@@ -198,18 +333,20 @@ static apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f,
21495e
     }
21495e
     encryptlen += tlen;
21495e
 
21495e
-    /* prepend the salt and the iv to the result */
21495e
-    combined = apr_palloc(r->pool, ivSize + encryptlen + sizeof(apr_uuid_t));
21495e
-    memcpy(combined, &salt, sizeof(apr_uuid_t));
21495e
-    memcpy(combined + sizeof(apr_uuid_t), iv, ivSize);
21495e
-    memcpy(combined + sizeof(apr_uuid_t) + ivSize, encrypt, encryptlen);
21495e
-
21495e
-    /* base64 encode the result */
21495e
-    base64 = apr_palloc(r->pool, apr_base64_encode_len(ivSize + encryptlen +
21495e
-                    sizeof(apr_uuid_t) + 1)
21495e
-            * sizeof(char));
21495e
-    apr_base64_encode(base64, (const char *) combined,
21495e
-            ivSize + encryptlen + sizeof(apr_uuid_t));
21495e
+    /* prepend the salt and the iv to the result (keep room for the MAC) */
21495e
+    combinedlen = AP_SIPHASH_DSIZE + sizeof(apr_uuid_t) + ivSize + encryptlen;
21495e
+    combined = apr_palloc(r->pool, combinedlen);
21495e
+    memcpy(combined + AP_SIPHASH_DSIZE, &salt, sizeof(apr_uuid_t));
21495e
+    memcpy(combined + AP_SIPHASH_DSIZE + sizeof(apr_uuid_t), iv, ivSize);
21495e
+    memcpy(combined + AP_SIPHASH_DSIZE + sizeof(apr_uuid_t) + ivSize,
21495e
+           encrypt, encryptlen);
21495e
+    /* authenticate the whole salt+IV+ciphertext with a leading MAC */
21495e
+    compute_auth(combined + AP_SIPHASH_DSIZE, combinedlen - AP_SIPHASH_DSIZE,
21495e
+                 passphrase, passlen, combined);
21495e
+
21495e
+    /* base64 encode the result (APR handles the trailing '\0') */
21495e
+    base64 = apr_palloc(r->pool, apr_base64_encode_len(combinedlen));
21495e
+    apr_base64_encode(base64, (const char *) combined, combinedlen);
21495e
     *out = base64;
21495e
 
21495e
     return res;
21495e
@@ -234,6 +371,7 @@ static apr_status_t decrypt_string(request_rec * r, const apr_crypto_t *f,
21495e
     char *decoded;
21495e
     apr_size_t blockSize = 0;
21495e
     apr_crypto_block_key_type_e *cipher;
21495e
+    unsigned char auth[AP_SIPHASH_DSIZE];
21495e
     int i = 0;
21495e
 
21495e
     /* strip base64 from the string */
21495e
@@ -241,6 +379,13 @@ static apr_status_t decrypt_string(request_rec * r, const apr_crypto_t *f,
21495e
     decodedlen = apr_base64_decode(decoded, in);
21495e
     decoded[decodedlen] = '\0';
21495e
 
21495e
+    /* sanity check - decoded too short? */
21495e
+    if (decodedlen < (AP_SIPHASH_DSIZE + sizeof(apr_uuid_t))) {
21495e
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, APLOGNO()
21495e
+                "too short to decrypt, aborting");
21495e
+        return APR_ECRYPT;
21495e
+    }
21495e
+
21495e
     res = crypt_init(r, f, &cipher, dconf);
21495e
     if (res != APR_SUCCESS) {
21495e
         return res;
21495e
@@ -249,14 +394,25 @@ static apr_status_t decrypt_string(request_rec * r, const apr_crypto_t *f,
21495e
     /* try each passphrase in turn */
21495e
     for (; i < dconf->passphrases->nelts; i++) {
21495e
         const char *passphrase = APR_ARRAY_IDX(dconf->passphrases, i, char *);
21495e
-        apr_size_t len = decodedlen;
21495e
-        char *slider = decoded;
21495e
+        apr_size_t passlen = strlen(passphrase);
21495e
+        apr_size_t len = decodedlen - AP_SIPHASH_DSIZE;
21495e
+        unsigned char *slider = (unsigned char *)decoded + AP_SIPHASH_DSIZE;
21495e
+
21495e
+        /* Verify authentication of the whole salt+IV+ciphertext by computing
21495e
+         * the MAC and comparing it (timing safe) with the one in the payload.
21495e
+         */
21495e
+        compute_auth(slider, len, passphrase, passlen, auth);
21495e
+        if (!ap_crypto_equals(auth, decoded, AP_SIPHASH_DSIZE)) {
21495e
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, res, r, APLOGNO()
21495e
+                    "auth does not match, skipping");
21495e
+            continue;
21495e
+        }
21495e
 
21495e
         /* encrypt using the first passphrase in the list */
21495e
-        res = apr_crypto_passphrase(&key, &ivSize, passphrase,
21495e
-                strlen(passphrase),
21495e
-                (unsigned char *)decoded, sizeof(apr_uuid_t),
21495e
-                *cipher, APR_MODE_CBC, 1, 4096, f, r->pool);
21495e
+        res = apr_crypto_passphrase(&key, &ivSize, passphrase, passlen,
21495e
+                                    slider, sizeof(apr_uuid_t),
21495e
+                                    *cipher, APR_MODE_CBC, 1, 4096,
21495e
+                                    f, r->pool);
21495e
         if (APR_STATUS_IS_ENOKEY(res)) {
21495e
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, res, r, APLOGNO(01832)
21495e
                     "the passphrase '%s' was empty", passphrase);
21495e
@@ -279,7 +435,7 @@ static apr_status_t decrypt_string(request_rec * r, const apr_crypto_t *f,
21495e
         }
21495e
 
21495e
         /* sanity check - decoded too short? */
21495e
-        if (decodedlen < (sizeof(apr_uuid_t) + ivSize)) {
21495e
+        if (len < (sizeof(apr_uuid_t) + ivSize)) {
21495e
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, APLOGNO(01836)
21495e
                     "too short to decrypt, skipping");
21495e
             res = APR_ECRYPT;
21495e
@@ -290,8 +446,8 @@ static apr_status_t decrypt_string(request_rec * r, const apr_crypto_t *f,
21495e
         slider += sizeof(apr_uuid_t);
21495e
         len -= sizeof(apr_uuid_t);
21495e
 
21495e
-        res = apr_crypto_block_decrypt_init(&block, &blockSize, (unsigned char *)slider, key,
21495e
-                r->pool);
21495e
+        res = apr_crypto_block_decrypt_init(&block, &blockSize, slider, key,
21495e
+                                            r->pool);
21495e
         if (APR_SUCCESS != res) {
21495e
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, res, r, APLOGNO(01837)
21495e
                     "apr_crypto_block_decrypt_init failed");
21495e
@@ -304,7 +460,7 @@ static apr_status_t decrypt_string(request_rec * r, const apr_crypto_t *f,
21495e
 
21495e
         /* decrypt the given string */
21495e
         res = apr_crypto_block_decrypt(&decrypted, &decryptedlen,
21495e
-                (unsigned char *)slider, len, block);
21495e
+                                       slider, len, block);
21495e
         if (res) {
21495e
             ap_log_rerror(APLOG_MARK, APLOG_DEBUG, res, r, APLOGNO(01838)
21495e
                     "apr_crypto_block_decrypt failed");
21495e