/* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
* Returns the actual compressed packet size.
*/
static int
ciphertext_to_compressed(gnutls_session_t session,
gnutls_datum_t * ciphertext,
gnutls_datum_t * compressed,
uint8_t type, record_parameters_st * params,
uint64 * sequence)
{
uint8_t tag[MAX_HASH_SIZE];
uint8_t nonce[MAX_CIPHER_BLOCK_SIZE];
const uint8_t *tag_ptr = NULL;
unsigned int pad = 0, i;
int length, length_to_decrypt;
uint16_t blocksize;
int ret;
unsigned int tmp_pad_failed = 0;
unsigned int pad_failed = 0;
uint8_t preamble[MAX_PREAMBLE_SIZE];
unsigned int preamble_size = 0;
const version_entry_st *ver = get_version(session);
unsigned int tag_size =
_gnutls_auth_cipher_tag_len(¶ms->read.cipher_state);
unsigned int explicit_iv = _gnutls_version_has_explicit_iv(ver);
unsigned imp_iv_size, exp_iv_size;
unsigned cipher_type = _gnutls_cipher_type(params->cipher);
bool etm = 0;
if (unlikely(ver == NULL))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher);
exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher);
blocksize = _gnutls_cipher_get_block_size(params->cipher);
if (params->etm !=0 && cipher_type == CIPHER_BLOCK)
etm = 1;
/* if EtM mode and not AEAD */
if (etm) {
if (unlikely(ciphertext->size < tag_size))
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
preamble_size = make_preamble(UINT64DATA(*sequence),
type, ciphertext->size-tag_size,
ver, preamble);
ret = _gnutls_auth_cipher_add_auth(¶ms->read.
cipher_state, preamble,
preamble_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
ret = _gnutls_auth_cipher_add_auth(¶ms->read.
cipher_state,
ciphertext->data,
ciphertext->size-tag_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
ret = _gnutls_auth_cipher_tag(¶ms->read.cipher_state, tag, tag_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
if (unlikely(gnutls_memcmp(tag, &ciphertext->data[ciphertext->size-tag_size], tag_size) != 0)) {
/* HMAC was not the same. */
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
}
/* actual decryption (inplace)
*/
switch (cipher_type) {
case CIPHER_AEAD:
/* The way AEAD ciphers are defined in RFC5246, it allows
* only stream ciphers.
*/
if (unlikely(_gnutls_auth_cipher_is_aead(¶ms->read.
cipher_state) == 0))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
/* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
*/
if (unlikely
(params->read.IV.data == NULL
|| params->read.IV.size != 4))
return
gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
if (unlikely(ciphertext->size < tag_size + exp_iv_size))
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
memcpy(nonce, params->read.IV.data,
imp_iv_size);
memcpy(&nonce[imp_iv_size],
ciphertext->data, exp_iv_size);
ciphertext->data += exp_iv_size;
ciphertext->size -= exp_iv_size;
length =
ciphertext->size - tag_size;
length_to_decrypt = ciphertext->size;
/* Pass the type, version, length and compressed through
* MAC.
*/
preamble_size =
make_preamble(UINT64DATA(*sequence), type,
length, ver, preamble);
if (unlikely
((unsigned) length_to_decrypt > compressed->size)) {
_gnutls_audit_log(session,
"Received %u bytes, while expecting less than %u\n",
(unsigned int) length_to_decrypt,
(unsigned int) compressed->size);
return
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
ret = _gnutls_aead_cipher_decrypt(¶ms->read.cipher_state.cipher,
nonce, exp_iv_size + imp_iv_size,
preamble, preamble_size,
tag_size,
ciphertext->data, length_to_decrypt,
compressed->data, compressed->size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
return length;
break;
case CIPHER_STREAM:
if (unlikely(ciphertext->size < tag_size))
return
gnutls_assert_val
(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
length_to_decrypt = ciphertext->size;
length = ciphertext->size - tag_size;
tag_ptr = compressed->data + length;
/* Pass the type, version, length and compressed through
* MAC.
*/
preamble_size =
make_preamble(UINT64DATA(*sequence), type,
length, ver, preamble);
ret =
_gnutls_auth_cipher_add_auth(¶ms->read.
cipher_state, preamble,
preamble_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
if (unlikely
((unsigned) length_to_decrypt > compressed->size)) {
_gnutls_audit_log(session,
"Received %u bytes, while expecting less than %u\n",
(unsigned int) length_to_decrypt,
(unsigned int) compressed->size);
return
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
ret =
_gnutls_auth_cipher_decrypt2(¶ms->read.
cipher_state,
ciphertext->data,
length_to_decrypt,
compressed->data,
compressed->size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
break;
case CIPHER_BLOCK:
if (unlikely(ciphertext->size < blocksize))
return
gnutls_assert_val
(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
if (etm == 0) {
if (unlikely(ciphertext->size % blocksize != 0))
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
} else {
if (unlikely((ciphertext->size - tag_size) % blocksize != 0))
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
}
/* ignore the IV in TLS 1.1+
*/
if (explicit_iv) {
_gnutls_auth_cipher_setiv(¶ms->read.
cipher_state,
ciphertext->data,
blocksize);
memcpy(nonce, ciphertext->data, blocksize);
ciphertext->size -= blocksize;
ciphertext->data += blocksize;
}
if (unlikely(ciphertext->size < tag_size + 1))
return
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
/* we don't use the auth_cipher interface here, since
* TLS with block ciphers is impossible to be used under such
* an API. (the length of plaintext is required to calculate
* auth_data, but it is not available before decryption).
*/
if (unlikely(ciphertext->size > compressed->size))
return
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
if (etm == 0) {
ret =
_gnutls_cipher_decrypt2(¶ms->read.cipher_state.
cipher, ciphertext->data,
ciphertext->size,
compressed->data,
compressed->size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
pad = compressed->data[ciphertext->size - 1]; /* pad */
/* Check the pading bytes (TLS 1.x).
* Note that we access all 256 bytes of ciphertext for padding check
* because there is a timing channel in that memory access (in certain CPUs).
*/
if (ver->id != GNUTLS_SSL3)
for (i = 2; i <= MIN(256, ciphertext->size); i++) {
tmp_pad_failed |=
(compressed->
data[ciphertext->size - i] != pad);
pad_failed |=
((i <= (1 + pad)) & (tmp_pad_failed));
}
if (unlikely
(pad_failed != 0
|| (1 + pad > ((int) ciphertext->size - tag_size)))) {
/* We do not fail here. We check below for the
* the pad_failed. If zero means success.
*/
pad_failed = 1;
pad = 0;
}
length = ciphertext->size - tag_size - pad - 1;
tag_ptr = &compressed->data[length];
/* Pass the type, version, length and compressed through
* MAC.
*/
preamble_size =
make_preamble(UINT64DATA(*sequence), type,
length, ver, preamble);
ret =
_gnutls_auth_cipher_add_auth(¶ms->read.
cipher_state, preamble,
preamble_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
ret =
_gnutls_auth_cipher_add_auth(¶ms->read.
cipher_state,
compressed->data, length);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
} else { /* EtM */
ret =
_gnutls_cipher_decrypt2(¶ms->read.cipher_state.
cipher, ciphertext->data,
ciphertext->size - tag_size,
compressed->data,
compressed->size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
pad = compressed->data[ciphertext->size - tag_size - 1]; /* pad */
length = ciphertext->size - tag_size - pad - 1;
if (unlikely(length < 0))
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
break;
default:
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
}
/* STREAM or BLOCK arrive here */
if (etm == 0) {
ret =
_gnutls_auth_cipher_tag(¶ms->read.cipher_state, tag,
tag_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
/* Here there could be a timing leakage in CBC ciphersuites that
* could be exploited if the cost of a successful memcmp is high.
* A constant time memcmp would help there, but it is not easy to maintain
* against compiler optimizations. Currently we rely on the fact that
* a memcmp comparison is negligible over the crypto operations.
*/
if (unlikely
(gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
/* HMAC was not the same. */
dummy_wait(params, compressed, pad_failed, pad,
length + preamble_size);
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
}
return length;
}
/* Deciphers the ciphertext packet, and puts the result to plain.
* Returns the actual plaintext packet size.
*/
static int
decrypt_packet(gnutls_session_t session,
gnutls_datum_t * ciphertext,
gnutls_datum_t * plain,
content_type_t type, record_parameters_st * params,
gnutls_uint64 * sequence)
{
uint8_t tag[MAX_HASH_SIZE];
uint8_t nonce[MAX_CIPHER_IV_SIZE];
const uint8_t *tag_ptr = NULL;
unsigned int pad = 0;
int length, length_to_decrypt;
uint16_t blocksize;
int ret;
uint8_t preamble[MAX_PREAMBLE_SIZE];
unsigned int preamble_size = 0;
const version_entry_st *ver = get_version(session);
unsigned int tag_size =
_gnutls_auth_cipher_tag_len(¶ms->read.ctx.tls12);
unsigned int explicit_iv = _gnutls_version_has_explicit_iv(ver);
unsigned imp_iv_size, exp_iv_size;
unsigned cipher_type = _gnutls_cipher_type(params->cipher);
bool etm = 0;
if (unlikely(ver == NULL))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher);
exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher);
blocksize = _gnutls_cipher_get_block_size(params->cipher);
if (params->etm !=0 && cipher_type == CIPHER_BLOCK)
etm = 1;
/* if EtM mode and not AEAD */
if (etm) {
if (unlikely(ciphertext->size < tag_size))
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
preamble_size = _gnutls_make_preamble(UINT64DATA(*sequence),
type, ciphertext->size-tag_size,
ver, preamble);
ret = _gnutls_auth_cipher_add_auth(¶ms->read.
ctx.tls12, preamble,
preamble_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
ret = _gnutls_auth_cipher_add_auth(¶ms->read.
ctx.tls12,
ciphertext->data,
ciphertext->size-tag_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
ret = _gnutls_auth_cipher_tag(¶ms->read.ctx.tls12, tag, tag_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
if (unlikely(gnutls_memcmp(tag, &ciphertext->data[ciphertext->size-tag_size], tag_size) != 0)) {
/* HMAC was not the same. */
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
}
/* actual decryption (inplace)
*/
switch (cipher_type) {
case CIPHER_AEAD:
/* The way AEAD ciphers are defined in RFC5246, it allows
* only stream ciphers.
*/
if (unlikely(_gnutls_auth_cipher_is_aead(¶ms->read.
ctx.tls12) == 0))
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
if (unlikely(ciphertext->size < (tag_size + exp_iv_size)))
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
if (params->cipher->xor_nonce == 0) {
/* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
*/
if (unlikely(params->read.iv_size != 4))
return
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
memcpy(nonce, params->read.iv,
imp_iv_size);
memcpy(&nonce[imp_iv_size],
ciphertext->data, exp_iv_size);
ciphertext->data += exp_iv_size;
ciphertext->size -= exp_iv_size;
} else { /* XOR nonce with IV */
if (unlikely(params->read.iv_size != 12 || imp_iv_size != 12 || exp_iv_size != 0))
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
memset(nonce, 0, 4);
memcpy(&nonce[4], UINT64DATA(*sequence), 8);
memxor(nonce, params->read.iv, 12);
}
length =
ciphertext->size - tag_size;
length_to_decrypt = ciphertext->size;
/* Pass the type, version, length and plain through
* MAC.
*/
preamble_size =
_gnutls_make_preamble(UINT64DATA(*sequence), type,
length, ver, preamble);
if (unlikely
((unsigned) length_to_decrypt > plain->size)) {
_gnutls_audit_log(session,
"Received %u bytes, while expecting less than %u\n",
(unsigned int) length_to_decrypt,
(unsigned int) plain->size);
return
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
ret = _gnutls_aead_cipher_decrypt(¶ms->read.ctx.tls12.cipher,
nonce, exp_iv_size + imp_iv_size,
preamble, preamble_size,
tag_size,
ciphertext->data, length_to_decrypt,
plain->data, plain->size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
return length;
break;
case CIPHER_STREAM:
if (unlikely(ciphertext->size < tag_size))
return
gnutls_assert_val
(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
length_to_decrypt = ciphertext->size;
length = ciphertext->size - tag_size;
tag_ptr = plain->data + length;
/* Pass the type, version, length and plain through
* MAC.
*/
preamble_size =
_gnutls_make_preamble(UINT64DATA(*sequence), type,
length, ver, preamble);
ret =
_gnutls_auth_cipher_add_auth(¶ms->read.
ctx.tls12, preamble,
preamble_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
if (unlikely
((unsigned) length_to_decrypt > plain->size)) {
_gnutls_audit_log(session,
"Received %u bytes, while expecting less than %u\n",
(unsigned int) length_to_decrypt,
(unsigned int) plain->size);
return
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
ret =
_gnutls_auth_cipher_decrypt2(¶ms->read.
ctx.tls12,
ciphertext->data,
length_to_decrypt,
plain->data,
plain->size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
ret =
_gnutls_auth_cipher_tag(¶ms->read.ctx.tls12, tag,
tag_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
if (unlikely
(gnutls_memcmp(tag, tag_ptr, tag_size) != 0)) {
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
break;
case CIPHER_BLOCK:
if (unlikely(ciphertext->size < blocksize))
return
gnutls_assert_val
(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
if (etm == 0) {
if (unlikely(ciphertext->size % blocksize != 0))
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
} else {
if (unlikely((ciphertext->size - tag_size) % blocksize != 0))
return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
}
/* ignore the IV in TLS 1.1+
*/
if (explicit_iv) {
_gnutls_auth_cipher_setiv(¶ms->read.
ctx.tls12,
ciphertext->data,
blocksize);
memcpy(nonce, ciphertext->data, blocksize);
ciphertext->size -= blocksize;
ciphertext->data += blocksize;
}
if (unlikely(ciphertext->size < tag_size + 1))
return
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
/* we don't use the auth_cipher interface here, since
* TLS with block ciphers is impossible to be used under such
* an API. (the length of plaintext is required to calculate
* auth_data, but it is not available before decryption).
*/
if (unlikely(ciphertext->size > plain->size))
return
gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
if (etm == 0) {
ret =
_gnutls_cipher_decrypt2(¶ms->read.ctx.tls12.
cipher, ciphertext->data,
ciphertext->size,
plain->data,
plain->size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
ret = cbc_mac_verify(session, params, preamble, type,
sequence, plain->data, ciphertext->size,
tag_size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
length = ret;
} else { /* EtM */
ret =
_gnutls_cipher_decrypt2(¶ms->read.ctx.tls12.
cipher, ciphertext->data,
ciphertext->size - tag_size,
plain->data,
plain->size);
if (unlikely(ret < 0))
return gnutls_assert_val(ret);
pad = plain->data[ciphertext->size - tag_size - 1]; /* pad */
length = ciphertext->size - tag_size - pad - 1;
if (unlikely(length < 0))
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
break;
default:
return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
}
return length;
}