1 | /* |
2 | * Copyright (C) 2000-2013 Free Software Foundation, Inc. |
3 | * Copyright (C) 2013 Nikos Mavrogiannopoulos |
4 | * |
5 | * Author: Nikos Mavrogiannopoulos |
6 | * |
7 | * This file is part of GnuTLS. |
8 | * |
9 | * The GnuTLS is free software; you can redistribute it and/or |
10 | * modify it under the terms of the GNU Lesser General Public License |
11 | * as published by the Free Software Foundation; either version 2.1 of |
12 | * the License, or (at your option) any later version. |
13 | * |
14 | * This library is distributed in the hope that it will be useful, but |
15 | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | * Lesser General Public License for more details. |
18 | * |
19 | * You should have received a copy of the GNU Lesser General Public License |
20 | * along with this program. If not, see <http://www.gnu.org/licenses/> |
21 | * |
22 | */ |
23 | |
24 | /* Some high level functions to be used in the record encryption are |
25 | * included here. |
26 | */ |
27 | |
28 | #include "gnutls_int.h" |
29 | #include "gnutls_errors.h" |
30 | #include "gnutls_compress.h" |
31 | #include "gnutls_cipher.h" |
32 | #include "algorithms.h" |
33 | #include "gnutls_hash_int.h" |
34 | #include "gnutls_cipher_int.h" |
35 | #include "debug.h" |
36 | #include "gnutls_num.h" |
37 | #include "gnutls_datum.h" |
38 | #include "gnutls_kx.h" |
39 | #include "gnutls_record.h" |
40 | #include "gnutls_constate.h" |
41 | #include "gnutls_mbuffers.h" |
42 | #include <gnutls_state.h> |
43 | #include <random.h> |
44 | |
45 | static int compressed_to_ciphertext (gnutls_session_t session, |
46 | uint8_t * cipher_data, int cipher_size, |
47 | gnutls_datum_t *compressed, |
48 | size_t target_size, |
49 | content_type_t _type, |
50 | record_parameters_st * params); |
51 | static int ciphertext_to_compressed (gnutls_session_t session, |
52 | gnutls_datum_t *ciphertext, |
53 | gnutls_datum_t * compressed, |
54 | uint8_t type, |
55 | record_parameters_st * params, uint64* sequence); |
56 | |
57 | static int ciphertext_to_compressed_new (gnutls_session_t session, |
58 | gnutls_datum_t *ciphertext, |
59 | gnutls_datum_t * compressed, |
60 | uint8_t type, |
61 | record_parameters_st * params, uint64* sequence); |
62 | |
63 | static int |
64 | compressed_to_ciphertext_new (gnutls_session_t session, |
65 | uint8_t * cipher_data, int cipher_size, |
66 | gnutls_datum_t *compressed, |
67 | size_t target_size, |
68 | content_type_t type, |
69 | record_parameters_st * params); |
70 | |
71 | inline static int |
72 | is_write_comp_null (record_parameters_st * record_params) |
73 | { |
74 | if (record_params->compression_algorithm == GNUTLS_COMP_NULL) |
75 | return 0; |
76 | |
77 | return 1; |
78 | } |
79 | |
80 | inline static int |
81 | is_read_comp_null (record_parameters_st * record_params) |
82 | { |
83 | if (record_params->compression_algorithm == GNUTLS_COMP_NULL) |
84 | return 0; |
85 | |
86 | return 1; |
87 | } |
88 | |
89 | |
90 | /* returns ciphertext which contains the headers too. This also |
91 | * calculates the size in the header field. |
92 | * |
93 | */ |
94 | int |
95 | _gnutls_encrypt (gnutls_session_t session, |
96 | const uint8_t * data, size_t data_size, |
97 | size_t target_size, |
98 | mbuffer_st* bufel, |
99 | content_type_t type, |
100 | record_parameters_st * params) |
101 | { |
102 | gnutls_datum_t comp; |
103 | int free_comp = 0; |
104 | int ret; |
105 | |
106 | if (data_size == 0 || is_write_comp_null (params) == 0) |
107 | { |
108 | comp.data = (uint8_t*)data; |
109 | comp.size = data_size; |
110 | } |
111 | else |
112 | { |
113 | /* Here comp is allocated and must be |
114 | * freed. |
115 | */ |
116 | free_comp = 1; |
117 | |
118 | comp.size = _mbuffer_get_udata_size(bufel); |
119 | comp.data = gnutls_malloc(comp.size); |
120 | if (comp.data == NULL) |
121 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
122 | |
123 | ret = _gnutls_compress(¶ms->write.compression_state, data, data_size, |
124 | comp.data, comp.size, session->internals.priorities.stateless_compression); |
125 | if (ret < 0) |
126 | { |
127 | gnutls_free(comp.data); |
128 | return gnutls_assert_val(ret); |
129 | } |
130 | |
131 | comp.size = ret; |
132 | } |
133 | |
134 | if (params->write.new_record_padding != 0) |
135 | ret = compressed_to_ciphertext_new (session, _mbuffer_get_udata_ptr(bufel), |
136 | _mbuffer_get_udata_size(bufel), |
137 | &comp, target_size, type, params); |
138 | else |
139 | ret = compressed_to_ciphertext (session, _mbuffer_get_udata_ptr(bufel), |
140 | _mbuffer_get_udata_size(bufel), |
141 | &comp, target_size, type, params); |
142 | |
143 | if (free_comp) |
144 | gnutls_free(comp.data); |
145 | |
146 | if (ret < 0) |
147 | return gnutls_assert_val(ret); |
148 | |
149 | if(IS_DTLS(session)) |
150 | _gnutls_write_uint16 (ret, ((uint8_t*)_mbuffer_get_uhead_ptr(bufel))+11); |
151 | else |
152 | _gnutls_write_uint16 (ret, ((uint8_t*)_mbuffer_get_uhead_ptr(bufel))+3); |
153 | |
154 | _mbuffer_set_udata_size(bufel, ret); |
155 | _mbuffer_set_uhead_size(bufel, 0); |
156 | |
157 | return _mbuffer_get_udata_size(bufel); |
158 | } |
159 | |
160 | /* Decrypts the given data. |
161 | * Returns the decrypted data length. |
162 | * |
163 | * The output is preallocated with the maximum allowed data size. |
164 | */ |
165 | int |
166 | _gnutls_decrypt (gnutls_session_t session, |
167 | gnutls_datum_t *ciphertext, |
168 | gnutls_datum_t *output, |
169 | content_type_t type, |
170 | record_parameters_st * params, uint64 *sequence) |
171 | { |
172 | int ret; |
173 | |
174 | if (ciphertext->size == 0) |
175 | return 0; |
176 | |
177 | if (is_read_comp_null (params) == 0) |
178 | { |
179 | if (params->read.new_record_padding != 0) |
180 | ret = |
181 | ciphertext_to_compressed_new (session, ciphertext, output, |
182 | type, params, sequence); |
183 | else |
184 | ret = |
185 | ciphertext_to_compressed (session, ciphertext, output, |
186 | type, params, sequence); |
187 | if (ret < 0) |
188 | return gnutls_assert_val(ret); |
189 | |
190 | return ret; |
191 | } |
192 | else |
193 | { |
194 | gnutls_datum_t tmp; |
195 | |
196 | tmp.size = output->size; |
197 | tmp.data = gnutls_malloc(tmp.size); |
198 | if (tmp.data == NULL) |
199 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
200 | |
201 | if (params->read.new_record_padding != 0) |
202 | ret = |
203 | ciphertext_to_compressed_new (session, ciphertext, &tmp, |
204 | type, params, sequence); |
205 | else |
206 | ret = |
207 | ciphertext_to_compressed (session, ciphertext, &tmp, |
208 | type, params, sequence); |
209 | if (ret < 0) |
210 | goto leave; |
211 | |
212 | tmp.size = ret; |
213 | |
214 | if (ret != 0) |
215 | { |
216 | ret = _gnutls_decompress( ¶ms->read.compression_state, |
217 | tmp.data, tmp.size, |
218 | output->data, output->size); |
219 | if (ret < 0) |
220 | goto leave; |
221 | } |
222 | |
223 | leave: |
224 | gnutls_free(tmp.data); |
225 | return ret; |
226 | } |
227 | } |
228 | |
229 | |
230 | inline static int |
231 | calc_enc_length_block (gnutls_session_t session, |
232 | const version_entry_st* ver, |
233 | int data_size, |
234 | int hash_size, uint8_t * pad, |
235 | unsigned auth_cipher, uint16_t blocksize) |
236 | { |
237 | /* pad is the LH pad the user wants us to add. Besides |
238 | * this LH pad, we only add minimal padding |
239 | */ |
240 | unsigned int pre_length = data_size + hash_size + *pad; |
241 | unsigned int length, new_pad; |
242 | |
243 | new_pad = (uint8_t) (blocksize - (pre_length % blocksize)) + *pad; |
244 | |
245 | if (new_pad > 255) |
246 | new_pad -= blocksize; |
247 | *pad = new_pad; |
248 | |
249 | length = data_size + hash_size + *pad; |
250 | |
251 | if (_gnutls_version_has_explicit_iv(ver)) |
252 | length += blocksize; /* for the IV */ |
253 | |
254 | return length; |
255 | } |
256 | |
257 | inline static int |
258 | calc_enc_length_stream (gnutls_session_t session, int data_size, |
259 | int hash_size, unsigned auth_cipher) |
260 | { |
261 | unsigned int length; |
262 | |
263 | length = data_size + hash_size; |
264 | if (auth_cipher) |
265 | length += AEAD_EXPLICIT_DATA_SIZE; |
266 | |
267 | return length; |
268 | } |
269 | |
270 | #define MAX_PREAMBLE_SIZE 16 |
271 | |
272 | /* generates the authentication data (data to be hashed only |
273 | * and are not to be sent). Returns their size. |
274 | */ |
275 | static inline int |
276 | make_preamble (uint8_t * uint64_data, uint8_t type, unsigned int length, |
277 | const version_entry_st* ver, uint8_t * preamble) |
278 | { |
279 | uint8_t *p = preamble; |
280 | uint16_t c_length; |
281 | |
282 | c_length = _gnutls_conv_uint16 (length); |
283 | |
284 | memcpy (p, uint64_data, 8); |
285 | p += 8; |
286 | *p = type; |
287 | p++; |
288 | if (ver->id != GNUTLS_SSL3) |
289 | { /* TLS protocols */ |
290 | *p = ver->major; |
291 | p++; |
292 | *p = ver->minor; |
293 | p++; |
294 | } |
295 | memcpy (p, &c_length, 2); |
296 | p += 2; |
297 | return p - preamble; |
298 | } |
299 | |
300 | /* This is the actual encryption |
301 | * Encrypts the given compressed datum, and puts the result to cipher_data, |
302 | * which has cipher_size size. |
303 | * return the actual encrypted data length. |
304 | */ |
305 | static int |
306 | compressed_to_ciphertext (gnutls_session_t session, |
307 | uint8_t * cipher_data, int cipher_size, |
308 | gnutls_datum_t *compressed, |
309 | size_t target_size, |
310 | content_type_t type, |
311 | record_parameters_st * params) |
312 | { |
313 | uint8_t pad = target_size - compressed->size; |
314 | int length, ret; |
315 | uint8_t preamble[MAX_PREAMBLE_SIZE]; |
316 | int preamble_size; |
317 | int tag_size = _gnutls_auth_cipher_tag_len (¶ms->write.cipher_state); |
318 | int blocksize = _gnutls_cipher_get_block_size (params->cipher); |
319 | unsigned block_algo = |
320 | _gnutls_cipher_is_block (params->cipher); |
321 | uint8_t *data_ptr; |
322 | const version_entry_st* ver = get_version (session); |
323 | int explicit_iv = _gnutls_version_has_explicit_iv (ver); |
324 | int auth_cipher = _gnutls_auth_cipher_is_aead(¶ms->write.cipher_state); |
325 | uint8_t nonce[MAX_CIPHER_BLOCK_SIZE]; |
326 | unsigned iv_size; |
327 | |
328 | if (unlikely(ver == NULL)) |
329 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
330 | |
331 | iv_size = _gnutls_cipher_get_iv_size(params->cipher); |
332 | |
333 | _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n" , |
334 | session, _gnutls_cipher_get_name(params->cipher), _gnutls_mac_get_name(params->mac), |
335 | (unsigned int)params->epoch); |
336 | |
337 | preamble_size = |
338 | make_preamble (UINT64DATA |
339 | (params->write.sequence_number), |
340 | type, compressed->size, ver, preamble); |
341 | |
342 | /* Calculate the encrypted length (padding etc.) |
343 | */ |
344 | if (block_algo == CIPHER_BLOCK) |
345 | { |
346 | /* Call _gnutls_rnd() once. Get data used for the IV |
347 | */ |
348 | ret = _gnutls_rnd (GNUTLS_RND_NONCE, nonce, blocksize); |
349 | if (ret < 0) |
350 | return gnutls_assert_val(ret); |
351 | |
352 | length = |
353 | calc_enc_length_block (session, ver, compressed->size, tag_size, &pad, |
354 | auth_cipher, blocksize); |
355 | } |
356 | else |
357 | { |
358 | length = |
359 | calc_enc_length_stream (session, compressed->size, tag_size, |
360 | auth_cipher); |
361 | } |
362 | |
363 | if (length < 0) |
364 | return gnutls_assert_val(length); |
365 | |
366 | /* copy the encrypted data to cipher_data. |
367 | */ |
368 | if (cipher_size < length) |
369 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
370 | |
371 | data_ptr = cipher_data; |
372 | |
373 | if (explicit_iv) |
374 | { |
375 | if (block_algo == CIPHER_BLOCK) |
376 | { |
377 | /* copy the random IV. |
378 | */ |
379 | memcpy(data_ptr, nonce, blocksize); |
380 | _gnutls_auth_cipher_setiv(¶ms->write.cipher_state, data_ptr, blocksize); |
381 | |
382 | data_ptr += blocksize; |
383 | cipher_data += blocksize; |
384 | } |
385 | else if (auth_cipher) |
386 | { |
387 | /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block |
388 | */ |
389 | if (params->write.IV.data == NULL || params->write.IV.size != AEAD_IMPLICIT_DATA_SIZE) |
390 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
391 | |
392 | /* Instead of generating a new nonce on every packet, we use the |
393 | * write.sequence_number (It is a MAY on RFC 5288). |
394 | */ |
395 | memcpy(nonce, params->write.IV.data, params->write.IV.size); |
396 | memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], UINT64DATA(params->write.sequence_number), 8); |
397 | |
398 | _gnutls_auth_cipher_setiv(¶ms->write.cipher_state, nonce, AEAD_IMPLICIT_DATA_SIZE+AEAD_EXPLICIT_DATA_SIZE); |
399 | |
400 | /* copy the explicit part */ |
401 | memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE], AEAD_EXPLICIT_DATA_SIZE); |
402 | |
403 | data_ptr += AEAD_EXPLICIT_DATA_SIZE; |
404 | cipher_data += AEAD_EXPLICIT_DATA_SIZE; |
405 | } |
406 | else if (iv_size > 0) |
407 | _gnutls_auth_cipher_setiv(¶ms->write.cipher_state, UINT64DATA(params->write.sequence_number), 8); |
408 | } |
409 | else |
410 | { |
411 | /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise. |
412 | */ |
413 | if (auth_cipher) |
414 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
415 | else if (block_algo == CIPHER_STREAM && iv_size > 0) |
416 | _gnutls_auth_cipher_setiv(¶ms->write.cipher_state, UINT64DATA(params->write.sequence_number), 8); |
417 | } |
418 | |
419 | _gnutls_auth_cipher_set_mac_nonce(¶ms->write.cipher_state, UINT64DATA(params->write.sequence_number), 8); |
420 | |
421 | /* add the authenticate data */ |
422 | ret = _gnutls_auth_cipher_add_auth(¶ms->write.cipher_state, preamble, preamble_size); |
423 | if (ret < 0) |
424 | return gnutls_assert_val(ret); |
425 | |
426 | /* Actual encryption. |
427 | */ |
428 | ret = |
429 | _gnutls_auth_cipher_encrypt2_tag (¶ms->write.cipher_state, |
430 | compressed->data, compressed->size, cipher_data, cipher_size, |
431 | pad); |
432 | if (ret < 0) |
433 | return gnutls_assert_val(ret); |
434 | |
435 | return length; |
436 | } |
437 | |
438 | static int |
439 | compressed_to_ciphertext_new (gnutls_session_t session, |
440 | uint8_t * cipher_data, int cipher_size, |
441 | gnutls_datum_t *compressed, |
442 | size_t target_size, |
443 | content_type_t type, |
444 | record_parameters_st * params) |
445 | { |
446 | uint16_t pad = target_size - compressed->size; |
447 | int length, length_to_encrypt, ret; |
448 | uint8_t preamble[MAX_PREAMBLE_SIZE]; |
449 | int preamble_size; |
450 | int tag_size = _gnutls_auth_cipher_tag_len (¶ms->write.cipher_state); |
451 | int blocksize = _gnutls_cipher_get_block_size (params->cipher); |
452 | unsigned block_algo = |
453 | _gnutls_cipher_is_block (params->cipher); |
454 | uint8_t *data_ptr; |
455 | const version_entry_st* ver = get_version (session); |
456 | int explicit_iv = _gnutls_version_has_explicit_iv (ver); |
457 | int auth_cipher = _gnutls_auth_cipher_is_aead(¶ms->write.cipher_state); |
458 | uint8_t nonce[MAX_CIPHER_BLOCK_SIZE]; |
459 | unsigned iv_size; |
460 | |
461 | if (unlikely(ver == NULL)) |
462 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
463 | |
464 | iv_size = _gnutls_cipher_get_iv_size(params->cipher); |
465 | |
466 | _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n" , |
467 | session, _gnutls_cipher_get_name(params->cipher), _gnutls_mac_get_name(params->mac), |
468 | (unsigned int)params->epoch); |
469 | |
470 | /* Call _gnutls_rnd() once. Get data used for the IV |
471 | */ |
472 | ret = _gnutls_rnd (GNUTLS_RND_NONCE, nonce, blocksize); |
473 | if (ret < 0) |
474 | return gnutls_assert_val(ret); |
475 | |
476 | /* cipher_data points to the start of data to be encrypted */ |
477 | data_ptr = cipher_data; |
478 | |
479 | length_to_encrypt = length = 0; |
480 | |
481 | if (explicit_iv) |
482 | { |
483 | if (block_algo == CIPHER_BLOCK) |
484 | { |
485 | /* copy the random IV. |
486 | */ |
487 | DECR_LEN(cipher_size, blocksize); |
488 | |
489 | memcpy(data_ptr, nonce, blocksize); |
490 | _gnutls_auth_cipher_setiv(¶ms->write.cipher_state, data_ptr, blocksize); |
491 | |
492 | data_ptr += blocksize; |
493 | cipher_data += blocksize; |
494 | length += blocksize; |
495 | } |
496 | else if (auth_cipher) |
497 | { |
498 | /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block |
499 | */ |
500 | if (params->write.IV.data == NULL || params->write.IV.size != AEAD_IMPLICIT_DATA_SIZE) |
501 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
502 | |
503 | /* Instead of generating a new nonce on every packet, we use the |
504 | * write.sequence_number (It is a MAY on RFC 5288). |
505 | */ |
506 | memcpy(nonce, params->write.IV.data, params->write.IV.size); |
507 | memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], UINT64DATA(params->write.sequence_number), 8); |
508 | |
509 | _gnutls_auth_cipher_setiv(¶ms->write.cipher_state, nonce, AEAD_IMPLICIT_DATA_SIZE+AEAD_EXPLICIT_DATA_SIZE); |
510 | |
511 | /* copy the explicit part */ |
512 | DECR_LEN(cipher_size, AEAD_EXPLICIT_DATA_SIZE); |
513 | memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE], AEAD_EXPLICIT_DATA_SIZE); |
514 | |
515 | data_ptr += AEAD_EXPLICIT_DATA_SIZE; |
516 | cipher_data += AEAD_EXPLICIT_DATA_SIZE; |
517 | length += AEAD_EXPLICIT_DATA_SIZE; |
518 | } |
519 | else if (iv_size > 0) |
520 | _gnutls_auth_cipher_setiv(¶ms->write.cipher_state, UINT64DATA(params->write.sequence_number), 8); |
521 | } |
522 | else |
523 | { |
524 | /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise. |
525 | */ |
526 | if (auth_cipher) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
527 | } |
528 | |
529 | DECR_LEN(cipher_size, 2); |
530 | |
531 | if (block_algo == CIPHER_BLOCK) /* make pad a multiple of blocksize */ |
532 | { |
533 | unsigned t = (2 + pad + compressed->size + tag_size) % blocksize; |
534 | if (t > 0) |
535 | { |
536 | pad += blocksize - t; |
537 | } |
538 | } |
539 | |
540 | _gnutls_write_uint16 (pad, data_ptr); |
541 | data_ptr += 2; |
542 | length_to_encrypt += 2; |
543 | length += 2; |
544 | |
545 | if (pad > 0) |
546 | { |
547 | memset(data_ptr, 0, pad); |
548 | data_ptr += pad; |
549 | length_to_encrypt += pad; |
550 | length += pad; |
551 | } |
552 | |
553 | memcpy (data_ptr, compressed->data, compressed->size); |
554 | data_ptr += compressed->size; |
555 | length_to_encrypt += compressed->size; |
556 | length += compressed->size; |
557 | |
558 | if (tag_size > 0) |
559 | { |
560 | data_ptr += tag_size; |
561 | |
562 | /* In AEAD ciphers we don't encrypt the tag |
563 | */ |
564 | length += tag_size; |
565 | } |
566 | |
567 | preamble_size = |
568 | make_preamble (UINT64DATA |
569 | (params->write.sequence_number), |
570 | type, compressed->size+2+pad, ver, preamble); |
571 | |
572 | _gnutls_auth_cipher_set_mac_nonce(¶ms->write.cipher_state, UINT64DATA(params->write.sequence_number), 8); |
573 | /* add the authenticated data */ |
574 | ret = _gnutls_auth_cipher_add_auth(¶ms->write.cipher_state, preamble, preamble_size); |
575 | if (ret < 0) |
576 | return gnutls_assert_val(ret); |
577 | |
578 | /* Actual encryption (inplace). |
579 | */ |
580 | ret = |
581 | _gnutls_auth_cipher_encrypt2_tag (¶ms->write.cipher_state, |
582 | cipher_data, length_to_encrypt, |
583 | cipher_data, cipher_size, 0); |
584 | if (ret < 0) |
585 | return gnutls_assert_val(ret); |
586 | |
587 | return length; |
588 | } |
589 | |
590 | static void dummy_wait(record_parameters_st * params, gnutls_datum_t* plaintext, |
591 | unsigned pad_failed, unsigned int pad, unsigned total) |
592 | { |
593 | /* this hack is only needed on CBC ciphers */ |
594 | if (_gnutls_cipher_is_block (params->cipher) == CIPHER_BLOCK) |
595 | { |
596 | unsigned len; |
597 | |
598 | /* force an additional hash compression function evaluation to prevent timing |
599 | * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad. |
600 | */ |
601 | if (pad_failed == 0 && pad > 0) |
602 | { |
603 | len = _gnutls_mac_block_size(params->mac); |
604 | if (len > 0) |
605 | { |
606 | /* This is really specific to the current hash functions. |
607 | * It should be removed once a protocol fix is in place. |
608 | */ |
609 | if ((pad+total) % len > len-9 && total % len <= len-9) |
610 | { |
611 | if (len < plaintext->size) |
612 | _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, plaintext->data, len); |
613 | else |
614 | _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, plaintext->data, plaintext->size); |
615 | } |
616 | } |
617 | } |
618 | } |
619 | } |
620 | |
621 | /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. |
622 | * Returns the actual compressed packet size. |
623 | */ |
624 | static int |
625 | ciphertext_to_compressed (gnutls_session_t session, |
626 | gnutls_datum_t *ciphertext, |
627 | gnutls_datum_t * compressed, |
628 | uint8_t type, record_parameters_st * params, |
629 | uint64* sequence) |
630 | { |
631 | uint8_t tag[MAX_HASH_SIZE]; |
632 | const uint8_t* tag_ptr; |
633 | unsigned int pad = 0, i; |
634 | int length, length_to_decrypt; |
635 | uint16_t blocksize; |
636 | int ret; |
637 | unsigned int tmp_pad_failed = 0; |
638 | unsigned int pad_failed = 0; |
639 | uint8_t preamble[MAX_PREAMBLE_SIZE]; |
640 | unsigned int preamble_size; |
641 | const version_entry_st* ver = get_version (session); |
642 | unsigned int tag_size = _gnutls_auth_cipher_tag_len (¶ms->read.cipher_state); |
643 | unsigned int explicit_iv = _gnutls_version_has_explicit_iv (ver); |
644 | unsigned iv_size; |
645 | |
646 | if (unlikely(ver == NULL)) |
647 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
648 | |
649 | iv_size = _gnutls_cipher_get_iv_size(params->cipher); |
650 | blocksize = _gnutls_cipher_get_block_size (params->cipher); |
651 | |
652 | /* actual decryption (inplace) |
653 | */ |
654 | switch (_gnutls_cipher_is_block (params->cipher)) |
655 | { |
656 | case CIPHER_STREAM: |
657 | /* The way AEAD ciphers are defined in RFC5246, it allows |
658 | * only stream ciphers. |
659 | */ |
660 | if (explicit_iv && _gnutls_auth_cipher_is_aead(¶ms->read.cipher_state)) |
661 | { |
662 | uint8_t nonce[blocksize]; |
663 | /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block |
664 | */ |
665 | if (unlikely(params->read.IV.data == NULL || params->read.IV.size != 4)) |
666 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
667 | |
668 | if (unlikely(ciphertext->size < tag_size+AEAD_EXPLICIT_DATA_SIZE)) |
669 | return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
670 | |
671 | memcpy(nonce, params->read.IV.data, AEAD_IMPLICIT_DATA_SIZE); |
672 | memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], ciphertext->data, AEAD_EXPLICIT_DATA_SIZE); |
673 | |
674 | _gnutls_auth_cipher_setiv(¶ms->read.cipher_state, nonce, AEAD_EXPLICIT_DATA_SIZE+AEAD_IMPLICIT_DATA_SIZE); |
675 | |
676 | ciphertext->data += AEAD_EXPLICIT_DATA_SIZE; |
677 | ciphertext->size -= AEAD_EXPLICIT_DATA_SIZE; |
678 | |
679 | length = length_to_decrypt = ciphertext->size - tag_size; |
680 | tag_ptr = ciphertext->data + length_to_decrypt; |
681 | } |
682 | else if (iv_size > 0) |
683 | { /* a stream cipher with explicit IV */ |
684 | _gnutls_auth_cipher_setiv(¶ms->read.cipher_state, UINT64DATA(*sequence), 8); |
685 | length_to_decrypt = ciphertext->size; |
686 | length = ciphertext->size - tag_size; |
687 | tag_ptr = compressed->data + length; |
688 | } |
689 | else |
690 | { |
691 | if (unlikely(ciphertext->size < tag_size)) |
692 | return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
693 | |
694 | length_to_decrypt = ciphertext->size; |
695 | length = ciphertext->size - tag_size; |
696 | tag_ptr = compressed->data + length; |
697 | } |
698 | |
699 | |
700 | /* Pass the type, version, length and compressed through |
701 | * MAC. |
702 | */ |
703 | preamble_size = |
704 | make_preamble (UINT64DATA(*sequence), type, |
705 | length, ver, preamble); |
706 | |
707 | _gnutls_auth_cipher_set_mac_nonce(¶ms->read.cipher_state, UINT64DATA(*sequence), 8); |
708 | ret = _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, preamble, preamble_size); |
709 | if (unlikely(ret < 0)) |
710 | return gnutls_assert_val(ret); |
711 | |
712 | if (unlikely((unsigned)length_to_decrypt > compressed->size)) |
713 | { |
714 | _gnutls_audit_log(session, "Received %u bytes, while expecting less than %u\n" , |
715 | (unsigned int)length_to_decrypt, (unsigned int)compressed->size); |
716 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
717 | } |
718 | |
719 | ret = |
720 | _gnutls_auth_cipher_decrypt2 (¶ms->read.cipher_state, |
721 | ciphertext->data, length_to_decrypt, |
722 | compressed->data, compressed->size); |
723 | |
724 | if (unlikely(ret < 0)) |
725 | return gnutls_assert_val(ret); |
726 | |
727 | break; |
728 | case CIPHER_BLOCK: |
729 | if (unlikely(ciphertext->size < blocksize || (ciphertext->size % blocksize != 0))) |
730 | return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
731 | |
732 | /* ignore the IV in TLS 1.1+ |
733 | */ |
734 | if (explicit_iv) |
735 | { |
736 | _gnutls_auth_cipher_setiv(¶ms->read.cipher_state, |
737 | ciphertext->data, blocksize); |
738 | |
739 | ciphertext->size -= blocksize; |
740 | ciphertext->data += blocksize; |
741 | } |
742 | |
743 | if (unlikely(ciphertext->size < tag_size+1)) |
744 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
745 | |
746 | /* we don't use the auth_cipher interface here, since |
747 | * TLS with block ciphers is impossible to be used under such |
748 | * an API. (the length of plaintext is required to calculate |
749 | * auth_data, but it is not available before decryption). |
750 | */ |
751 | if (unlikely(ciphertext->size > compressed->size)) |
752 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
753 | |
754 | ret = |
755 | _gnutls_cipher_decrypt2 (¶ms->read.cipher_state.cipher, |
756 | ciphertext->data, ciphertext->size, |
757 | compressed->data, compressed->size); |
758 | if (unlikely(ret < 0)) |
759 | return gnutls_assert_val(ret); |
760 | |
761 | pad = compressed->data[ciphertext->size - 1]; /* pad */ |
762 | |
763 | /* Check the pading bytes (TLS 1.x). |
764 | * Note that we access all 256 bytes of ciphertext for padding check |
765 | * because there is a timing channel in that memory access (in certain CPUs). |
766 | */ |
767 | if (ver->id != GNUTLS_SSL3) |
768 | for (i = 2; i <= MIN(256, ciphertext->size); i++) |
769 | { |
770 | tmp_pad_failed |= (compressed->data[ciphertext->size - i] != pad); |
771 | pad_failed |= ((i<= (1+pad)) & (tmp_pad_failed)); |
772 | } |
773 | |
774 | if (unlikely(pad_failed != 0 || (1+pad > ((int) ciphertext->size - tag_size)))) |
775 | { |
776 | /* We do not fail here. We check below for the |
777 | * the pad_failed. If zero means success. |
778 | */ |
779 | pad_failed = 1; |
780 | pad = 0; |
781 | } |
782 | |
783 | length = ciphertext->size - tag_size - pad - 1; |
784 | tag_ptr = &compressed->data[length]; |
785 | |
786 | /* Pass the type, version, length and compressed through |
787 | * MAC. |
788 | */ |
789 | preamble_size = |
790 | make_preamble (UINT64DATA(*sequence), type, |
791 | length, ver, preamble); |
792 | |
793 | _gnutls_auth_cipher_set_mac_nonce(¶ms->read.cipher_state, UINT64DATA(*sequence), 8); |
794 | ret = _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, preamble, preamble_size); |
795 | if (unlikely(ret < 0)) |
796 | return gnutls_assert_val(ret); |
797 | |
798 | ret = _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, compressed->data, length); |
799 | if (unlikely(ret < 0)) |
800 | return gnutls_assert_val(ret); |
801 | |
802 | break; |
803 | default: |
804 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
805 | } |
806 | |
807 | ret = _gnutls_auth_cipher_tag(¶ms->read.cipher_state, tag, tag_size); |
808 | if (unlikely(ret < 0)) |
809 | return gnutls_assert_val(ret); |
810 | |
811 | if (unlikely(memcmp (tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) |
812 | { |
813 | /* HMAC was not the same. */ |
814 | dummy_wait(params, compressed, pad_failed, pad, length+preamble_size); |
815 | |
816 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
817 | } |
818 | |
819 | return length; |
820 | } |
821 | |
822 | static int |
823 | ciphertext_to_compressed_new (gnutls_session_t restrict session, |
824 | gnutls_datum_t *restrict ciphertext, |
825 | gnutls_datum_t *restrict compressed, |
826 | uint8_t type, record_parameters_st *restrict params, |
827 | uint64* restrict sequence) |
828 | { |
829 | uint8_t tag[MAX_HASH_SIZE]; |
830 | const uint8_t *tag_ptr; |
831 | unsigned int pad; |
832 | int length, length_to_decrypt; |
833 | uint16_t blocksize; |
834 | int ret; |
835 | uint8_t preamble[MAX_PREAMBLE_SIZE]; |
836 | unsigned int preamble_size; |
837 | const version_entry_st* ver = get_version (session); |
838 | unsigned int tag_size = _gnutls_auth_cipher_tag_len (¶ms->read.cipher_state); |
839 | unsigned int explicit_iv = _gnutls_version_has_explicit_iv (ver); |
840 | unsigned iv_size; |
841 | |
842 | if (unlikely(ver == NULL)) |
843 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
844 | |
845 | iv_size = _gnutls_cipher_get_iv_size(params->cipher); |
846 | blocksize = _gnutls_cipher_get_block_size (params->cipher); |
847 | |
848 | /* actual decryption (inplace) |
849 | */ |
850 | switch (_gnutls_cipher_is_block (params->cipher)) |
851 | { |
852 | case CIPHER_STREAM: |
853 | /* The way AEAD ciphers are defined in RFC5246, it allows |
854 | * only stream ciphers. |
855 | */ |
856 | if (explicit_iv && _gnutls_auth_cipher_is_aead(¶ms->read.cipher_state)) |
857 | { |
858 | uint8_t nonce[blocksize]; |
859 | /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block |
860 | */ |
861 | if (params->read.IV.data == NULL || params->read.IV.size != 4) |
862 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
863 | |
864 | if (ciphertext->size < tag_size+AEAD_EXPLICIT_DATA_SIZE + 2) |
865 | return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
866 | |
867 | memcpy(nonce, params->read.IV.data, AEAD_IMPLICIT_DATA_SIZE); |
868 | memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], ciphertext->data, AEAD_EXPLICIT_DATA_SIZE); |
869 | |
870 | _gnutls_auth_cipher_setiv(¶ms->read.cipher_state, nonce, AEAD_EXPLICIT_DATA_SIZE+AEAD_IMPLICIT_DATA_SIZE); |
871 | |
872 | ciphertext->data += AEAD_EXPLICIT_DATA_SIZE; |
873 | ciphertext->size -= AEAD_EXPLICIT_DATA_SIZE; |
874 | |
875 | length_to_decrypt = ciphertext->size - tag_size; |
876 | } |
877 | else if (iv_size > 0) |
878 | { /* a stream cipher with explicit IV */ |
879 | _gnutls_auth_cipher_setiv(¶ms->read.cipher_state, UINT64DATA(*sequence), 8); |
880 | length_to_decrypt = ciphertext->size; |
881 | } |
882 | else |
883 | { |
884 | if (ciphertext->size < tag_size) |
885 | return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
886 | |
887 | length_to_decrypt = ciphertext->size; |
888 | } |
889 | break; |
890 | case CIPHER_BLOCK: |
891 | if (ciphertext->size < blocksize || (ciphertext->size % blocksize != 0)) |
892 | return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
893 | |
894 | if (explicit_iv) |
895 | { |
896 | _gnutls_auth_cipher_setiv(¶ms->read.cipher_state, |
897 | ciphertext->data, blocksize); |
898 | |
899 | ciphertext->size -= blocksize; |
900 | ciphertext->data += blocksize; |
901 | } |
902 | |
903 | if (ciphertext->size < tag_size + 2) |
904 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
905 | |
906 | length_to_decrypt = ciphertext->size; |
907 | break; |
908 | |
909 | default: |
910 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
911 | } |
912 | |
913 | length = ciphertext->size - tag_size; |
914 | |
915 | preamble_size = |
916 | make_preamble (UINT64DATA(*sequence), type, |
917 | length, ver, preamble); |
918 | |
919 | _gnutls_auth_cipher_set_mac_nonce(¶ms->write.cipher_state, UINT64DATA(*sequence), 8); |
920 | ret = _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, preamble, preamble_size); |
921 | if (ret < 0) |
922 | return gnutls_assert_val(ret); |
923 | |
924 | ret = |
925 | _gnutls_auth_cipher_decrypt2 (¶ms->read.cipher_state, |
926 | ciphertext->data, length_to_decrypt, |
927 | ciphertext->data, ciphertext->size); |
928 | if (ret < 0) |
929 | return gnutls_assert_val(ret); |
930 | |
931 | pad = _gnutls_read_uint16(ciphertext->data); |
932 | |
933 | tag_ptr = &ciphertext->data[length]; |
934 | ret = _gnutls_auth_cipher_tag(¶ms->read.cipher_state, tag, tag_size); |
935 | if (ret < 0) |
936 | return gnutls_assert_val(ret); |
937 | |
938 | /* Check MAC. |
939 | */ |
940 | if (memcmp (tag, tag_ptr, tag_size) != 0) |
941 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
942 | |
943 | DECR_LEN(length, 2+pad); |
944 | |
945 | /* copy the decrypted stuff to compress_data. |
946 | */ |
947 | if (compressed->size < (unsigned)length) |
948 | return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED); |
949 | |
950 | memcpy (compressed->data, &ciphertext->data[2+pad], length); |
951 | |
952 | return length; |
953 | } |
954 | |