int _gnutls_epoch_alloc (gnutls_session_t session, uint16_t epoch, record_parameters_st ** out) { record_parameters_st **slot; _gnutls_record_log ("REC[%p]: Allocating epoch #%u\n", session, epoch); slot = epoch_get_slot (session, epoch); /* If slot out of range or not empty. */ if (slot == NULL) return gnutls_assert_val (GNUTLS_E_INVALID_REQUEST); if (*slot != NULL) return gnutls_assert_val (GNUTLS_E_INVALID_REQUEST); *slot = gnutls_calloc (1, sizeof (record_parameters_st)); if (*slot == NULL) return gnutls_assert_val (GNUTLS_E_MEMORY_ERROR); (*slot)->epoch = epoch; (*slot)->cipher_algorithm = GNUTLS_CIPHER_UNKNOWN; (*slot)->mac_algorithm = GNUTLS_MAC_UNKNOWN; (*slot)->compression_algorithm = GNUTLS_COMP_UNKNOWN; if (IS_DTLS (session)) _gnutls_write_uint16 (epoch, UINT64DATA((*slot)->write.sequence_number)); if (out != NULL) *out = *slot; return 0; }
/* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. * Returns the actual compressed packet size. */ int _gnutls_ciphertext2compressed (gnutls_session_t session, opaque * compress_data, int compress_size, gnutls_datum_t ciphertext, uint8_t type, record_parameters_st * params) { uint8_t MAC[MAX_HASH_SIZE]; uint16_t c_length; uint8_t pad; int length; uint16_t blocksize; int ret, i, pad_failed = 0; opaque preamble[PREAMBLE_SIZE]; int preamble_size; int ver = gnutls_protocol_get_version (session); int hash_size = _gnutls_hash_get_algo_len (params->mac_algorithm); blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm); /* actual decryption (inplace) */ switch (_gnutls_cipher_is_block (params->cipher_algorithm)) { case CIPHER_STREAM: if ((ret = _gnutls_cipher_decrypt (¶ms->read.cipher_state, ciphertext.data, ciphertext.size)) < 0) { gnutls_assert (); return ret; } length = ciphertext.size - hash_size; break; case CIPHER_BLOCK: if ((ciphertext.size < blocksize) || (ciphertext.size % blocksize != 0)) { gnutls_assert (); return GNUTLS_E_DECRYPTION_FAILED; } if ((ret = _gnutls_cipher_decrypt (¶ms->read.cipher_state, ciphertext.data, ciphertext.size)) < 0) { gnutls_assert (); return ret; } /* ignore the IV in TLS 1.1. */ if (_gnutls_version_has_explicit_iv (session->security_parameters.version)) { ciphertext.size -= blocksize; ciphertext.data += blocksize; if (ciphertext.size == 0) { gnutls_assert (); return GNUTLS_E_DECRYPTION_FAILED; } } pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ if ((int) pad > (int) ciphertext.size - hash_size) { gnutls_assert (); _gnutls_record_log ("REC[%p]: Short record length %d > %d - %d (under attack?)\n", session, pad, ciphertext.size, hash_size); /* We do not fail here. We check below for the * the pad_failed. If zero means success. */ pad_failed = GNUTLS_E_DECRYPTION_FAILED; } length = ciphertext.size - hash_size - pad; /* Check the pading bytes (TLS 1.x) */ if (_gnutls_version_has_variable_padding (ver) && pad_failed == 0) for (i = 2; i < pad; i++) { if (ciphertext.data[ciphertext.size - i] != ciphertext.data[ciphertext.size - 1]) pad_failed = GNUTLS_E_DECRYPTION_FAILED; } break; default: gnutls_assert (); return GNUTLS_E_INTERNAL_ERROR; } if (length < 0) length = 0; c_length = _gnutls_conv_uint16 ((uint16_t) length); /* Pass the type, version, length and compressed through * MAC. */ if (params->mac_algorithm != GNUTLS_MAC_NULL) { digest_hd_st td; ret = mac_init (&td, params->mac_algorithm, params->read.mac_secret.data, params->read.mac_secret.size, ver); if (ret < 0) { gnutls_assert (); return GNUTLS_E_INTERNAL_ERROR; } preamble_size = make_preamble (UINT64DATA (params->read.sequence_number), type, c_length, ver, preamble); mac_hash (&td, preamble, preamble_size, ver); if (length > 0) mac_hash (&td, ciphertext.data, length, ver); mac_deinit (&td, MAC, ver); } /* This one was introduced to avoid a timing attack against the TLS * 1.0 protocol. */ if (pad_failed != 0) { gnutls_assert (); return pad_failed; } /* HMAC was not the same. */ if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0) { gnutls_assert (); return GNUTLS_E_DECRYPTION_FAILED; } /* copy the decrypted stuff to compress_data. */ if (compress_size < length) { gnutls_assert (); return GNUTLS_E_DECOMPRESSION_FAILED; } memcpy (compress_data, ciphertext.data, length); return length; }
/* This is the actual encryption * Encrypts the given compressed datum, and puts the result to cipher_data, * which has cipher_size size. * return the actual encrypted data length. */ int _gnutls_compressed2ciphertext (gnutls_session_t session, opaque * cipher_data, int cipher_size, gnutls_datum_t compressed, content_type_t _type, int random_pad, record_parameters_st * params) { uint8_t MAC[MAX_HASH_SIZE]; uint16_t c_length; uint8_t pad; int length, ret; uint8_t type = _type; opaque preamble[PREAMBLE_SIZE]; int preamble_size; int hash_size = _gnutls_hash_get_algo_len (params->mac_algorithm); int blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm); cipher_type_t block_algo = _gnutls_cipher_is_block (params->cipher_algorithm); opaque *data_ptr; int ver = gnutls_protocol_get_version (session); /* Initialize MAC */ c_length = _gnutls_conv_uint16 (compressed.size); if (params->mac_algorithm != GNUTLS_MAC_NULL) { /* actually when the algorithm in not the NULL one */ digest_hd_st td; ret = mac_init (&td, params->mac_algorithm, params->write.mac_secret.data, params->write.mac_secret.size, ver); if (ret < 0) { gnutls_assert (); return ret; } preamble_size = make_preamble (UINT64DATA (params->write.sequence_number), type, c_length, ver, preamble); mac_hash (&td, preamble, preamble_size, ver); mac_hash (&td, compressed.data, compressed.size, ver); mac_deinit (&td, MAC, ver); } /* Calculate the encrypted length (padding etc.) */ length = calc_enc_length (session, compressed.size, hash_size, &pad, random_pad, block_algo, blocksize); if (length < 0) { gnutls_assert (); return length; } /* copy the encrypted data to cipher_data. */ if (cipher_size < length) { gnutls_assert (); return GNUTLS_E_MEMORY_ERROR; } data_ptr = cipher_data; if (block_algo == CIPHER_BLOCK && _gnutls_version_has_explicit_iv (session->security_parameters.version)) { /* copy the random IV. */ ret = _gnutls_rnd (GNUTLS_RND_NONCE, data_ptr, blocksize); if (ret < 0) { gnutls_assert (); return ret; } data_ptr += blocksize; } memcpy (data_ptr, compressed.data, compressed.size); data_ptr += compressed.size; if (hash_size > 0) { memcpy (data_ptr, MAC, hash_size); data_ptr += hash_size; } if (block_algo == CIPHER_BLOCK && pad > 0) { memset (data_ptr, pad - 1, pad); } /* Actual encryption (inplace). */ ret = _gnutls_cipher_encrypt (¶ms->write.cipher_state, cipher_data, length); if (ret < 0) { gnutls_assert (); return ret; } return length; }
/* This is the actual encryption * Encrypts the given compressed datum, and puts the result to cipher_data, * which has cipher_size size. * return the actual encrypted data length. */ int _gnutls_compressed2ciphertext (gnutls_session_t session, opaque * cipher_data, int cipher_size, gnutls_datum_t compressed, content_type_t _type, int random_pad) { uint8_t MAC[MAX_HASH_SIZE]; uint16_t c_length; uint8_t pad; int length, ret; digest_hd_st td; uint8_t type = _type; uint8_t major, minor; int hash_size = _gnutls_hash_get_algo_len (session->security_parameters. write_mac_algorithm); gnutls_protocol_t ver; int blocksize = _gnutls_cipher_get_block_size (session->security_parameters. write_bulk_cipher_algorithm); cipher_type_t block_algo = _gnutls_cipher_is_block (session->security_parameters. write_bulk_cipher_algorithm); opaque *data_ptr; ver = gnutls_protocol_get_version (session); minor = _gnutls_version_get_minor (ver); major = _gnutls_version_get_major (ver); /* Initialize MAC */ ret = mac_init (&td, session->security_parameters.write_mac_algorithm, session->connection_state.write_mac_secret.data, session->connection_state.write_mac_secret.size, ver); if (ret < 0 && session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL) { gnutls_assert (); return ret; } c_length = _gnutls_conv_uint16 (compressed.size); if (session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL) { /* actually when the algorithm in not the NULL one */ _gnutls_hmac (&td, UINT64DATA (session->connection_state. write_sequence_number), 8); _gnutls_hmac (&td, &type, 1); if (ver >= GNUTLS_TLS1) { /* TLS 1.0 or higher */ _gnutls_hmac (&td, &major, 1); _gnutls_hmac (&td, &minor, 1); } _gnutls_hmac (&td, &c_length, 2); _gnutls_hmac (&td, compressed.data, compressed.size); mac_deinit (&td, MAC, ver); } /* Calculate the encrypted length (padding etc.) */ length = calc_enc_length (session, compressed.size, hash_size, &pad, random_pad, block_algo, blocksize); if (length < 0) { gnutls_assert (); return length; } /* copy the encrypted data to cipher_data. */ if (cipher_size < length) { gnutls_assert (); return GNUTLS_E_MEMORY_ERROR; } data_ptr = cipher_data; if (block_algo == CIPHER_BLOCK && session->security_parameters.version >= GNUTLS_TLS1_1) { /* copy the random IV. */ ret = _gnutls_rnd (GNUTLS_RND_NONCE, data_ptr, blocksize); if (ret < 0) { gnutls_assert (); return ret; } data_ptr += blocksize; } memcpy (data_ptr, compressed.data, compressed.size); data_ptr += compressed.size; if (hash_size > 0) { memcpy (data_ptr, MAC, hash_size); data_ptr += hash_size; } if (block_algo == CIPHER_BLOCK && pad > 0) { memset (data_ptr, pad - 1, pad); } /* Actual encryption (inplace). */ ret = _gnutls_cipher_encrypt (&session->connection_state.write_cipher_state, cipher_data, length); if (ret < 0) { gnutls_assert (); return ret; } return length; }
/* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. * Returns the actual compressed packet size. */ int _gnutls_ciphertext2compressed (gnutls_session_t session, opaque * compress_data, int compress_size, gnutls_datum_t ciphertext, uint8_t type) { uint8_t MAC[MAX_HASH_SIZE]; uint16_t c_length; uint8_t pad; int length; digest_hd_st td; uint16_t blocksize; int ret, i, pad_failed = 0; uint8_t major, minor; gnutls_protocol_t ver; int hash_size = _gnutls_hash_get_algo_len (session->security_parameters. read_mac_algorithm); ver = gnutls_protocol_get_version (session); minor = _gnutls_version_get_minor (ver); major = _gnutls_version_get_major (ver); blocksize = _gnutls_cipher_get_block_size (session->security_parameters. read_bulk_cipher_algorithm); /* initialize MAC */ ret = mac_init (&td, session->security_parameters.read_mac_algorithm, session->connection_state.read_mac_secret.data, session->connection_state.read_mac_secret.size, ver); if (ret < 0 && session->security_parameters.read_mac_algorithm != GNUTLS_MAC_NULL) { gnutls_assert (); return GNUTLS_E_INTERNAL_ERROR; } /* actual decryption (inplace) */ switch (_gnutls_cipher_is_block (session->security_parameters.read_bulk_cipher_algorithm)) { case CIPHER_STREAM: if ((ret = _gnutls_cipher_decrypt (&session->connection_state. read_cipher_state, ciphertext.data, ciphertext.size)) < 0) { gnutls_assert (); return ret; } length = ciphertext.size - hash_size; break; case CIPHER_BLOCK: if ((ciphertext.size < blocksize) || (ciphertext.size % blocksize != 0)) { gnutls_assert (); return GNUTLS_E_DECRYPTION_FAILED; } if ((ret = _gnutls_cipher_decrypt (&session->connection_state. read_cipher_state, ciphertext.data, ciphertext.size)) < 0) { gnutls_assert (); return ret; } /* ignore the IV in TLS 1.1. */ if (session->security_parameters.version >= GNUTLS_TLS1_1) { ciphertext.size -= blocksize; ciphertext.data += blocksize; if (ciphertext.size == 0) { gnutls_assert (); return GNUTLS_E_DECRYPTION_FAILED; } } pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */ if ((int) pad > (int) ciphertext.size - hash_size) { gnutls_assert (); _gnutls_record_log ("REC[%x]: Short record length %d > %d - %d (under attack?)\n", session, pad, ciphertext.size, hash_size); /* We do not fail here. We check below for the * the pad_failed. If zero means success. */ pad_failed = GNUTLS_E_DECRYPTION_FAILED; } length = ciphertext.size - hash_size - pad; /* Check the pading bytes (TLS 1.x) */ if (ver >= GNUTLS_TLS1 && pad_failed == 0) for (i = 2; i < pad; i++) { if (ciphertext.data[ciphertext.size - i] != ciphertext.data[ciphertext.size - 1]) pad_failed = GNUTLS_E_DECRYPTION_FAILED; } break; default: gnutls_assert (); return GNUTLS_E_INTERNAL_ERROR; } if (length < 0) length = 0; c_length = _gnutls_conv_uint16 ((uint16_t) length); /* Pass the type, version, length and compressed through * MAC. */ if (session->security_parameters.read_mac_algorithm != GNUTLS_MAC_NULL) { _gnutls_hmac (&td, UINT64DATA (session->connection_state. read_sequence_number), 8); _gnutls_hmac (&td, &type, 1); if (ver >= GNUTLS_TLS1) { /* TLS 1.x */ _gnutls_hmac (&td, &major, 1); _gnutls_hmac (&td, &minor, 1); } _gnutls_hmac (&td, &c_length, 2); if (length > 0) _gnutls_hmac (&td, ciphertext.data, length); mac_deinit (&td, MAC, ver); } /* This one was introduced to avoid a timing attack against the TLS * 1.0 protocol. */ if (pad_failed != 0) return pad_failed; /* HMAC was not the same. */ if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0) { gnutls_assert (); return GNUTLS_E_DECRYPTION_FAILED; } /* copy the decrypted stuff to compress_data. */ if (compress_size < length) { gnutls_assert (); return GNUTLS_E_DECOMPRESSION_FAILED; } memcpy (compress_data, ciphertext.data, length); return length; }
/* This is the actual encryption * Encrypts the given compressed datum, and puts the result to cipher_data, * which has cipher_size size. * return the actual encrypted data length. */ static int compressed_to_ciphertext(gnutls_session_t session, uint8_t * cipher_data, int cipher_size, gnutls_datum_t * compressed, size_t min_pad, content_type_t type, record_parameters_st * params) { uint8_t pad; int length, ret; uint8_t preamble[MAX_PREAMBLE_SIZE]; int preamble_size; int tag_size = _gnutls_auth_cipher_tag_len(¶ms->write.cipher_state); int blocksize = _gnutls_cipher_get_block_size(params->cipher); unsigned algo_type = _gnutls_cipher_type(params->cipher); uint8_t *data_ptr, *full_cipher_ptr; const version_entry_st *ver = get_version(session); int explicit_iv = _gnutls_version_has_explicit_iv(ver); int auth_cipher = _gnutls_auth_cipher_is_aead(¶ms->write.cipher_state); uint8_t nonce[MAX_CIPHER_BLOCK_SIZE]; unsigned imp_iv_size = 0, exp_iv_size = 0; bool etm = 0; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); if (algo_type == CIPHER_BLOCK && params->etm != 0) etm = 1; _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n", session, _gnutls_cipher_get_name(params->cipher), _gnutls_mac_get_name(params->mac), (unsigned int) params->epoch); /* Calculate the encrypted length (padding etc.) */ if (algo_type == CIPHER_BLOCK) { /* Call _gnutls_rnd() once. Get data used for the IV */ ret = _gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize); if (ret < 0) return gnutls_assert_val(ret); pad = min_pad; length = calc_enc_length_block(session, ver, compressed->size, tag_size, &pad, auth_cipher, blocksize, etm); } else { /* AEAD + STREAM */ imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher); exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher); pad = 0; length = calc_enc_length_stream(session, compressed->size, tag_size, auth_cipher, exp_iv_size); } if (length < 0) return gnutls_assert_val(length); /* copy the encrypted data to cipher_data. */ if (cipher_size < length) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); data_ptr = cipher_data; full_cipher_ptr = data_ptr; if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) { if (algo_type == CIPHER_BLOCK && explicit_iv != 0) { /* copy the random IV. */ memcpy(data_ptr, nonce, blocksize); _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, data_ptr, blocksize); data_ptr += blocksize; cipher_data += blocksize; } } else { /* AEAD */ /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block */ if (params->write.IV.data == NULL || params->write.IV.size != imp_iv_size) return gnutls_assert_val (GNUTLS_E_INTERNAL_ERROR); /* Instead of generating a new nonce on every packet, we use the * write.sequence_number (It is a MAY on RFC 5288), and safer * as it will never reuse a value. */ memcpy(nonce, params->write.IV.data, params->write.IV.size); memcpy(&nonce[imp_iv_size], UINT64DATA(params->write.sequence_number), 8); /* copy the explicit part */ memcpy(data_ptr, &nonce[imp_iv_size], exp_iv_size); data_ptr += exp_iv_size; cipher_data += exp_iv_size; } if (etm) ret = length-tag_size; else ret = compressed->size; preamble_size = make_preamble(UINT64DATA(params->write.sequence_number), type, ret, ver, preamble); if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) { /* add the authenticated data */ ret = _gnutls_auth_cipher_add_auth(¶ms->write.cipher_state, preamble, preamble_size); if (ret < 0) return gnutls_assert_val(ret); if (etm && explicit_iv) { /* In EtM we need to hash the IV as well */ ret = _gnutls_auth_cipher_add_auth(¶ms->write.cipher_state, full_cipher_ptr, blocksize); if (ret < 0) return gnutls_assert_val(ret); } /* Actual encryption. */ ret = _gnutls_auth_cipher_encrypt2_tag(¶ms->write.cipher_state, compressed->data, compressed->size, cipher_data, cipher_size, pad); if (ret < 0) return gnutls_assert_val(ret); } else { /* AEAD */ ret = _gnutls_aead_cipher_encrypt(¶ms->write.cipher_state.cipher, nonce, imp_iv_size + exp_iv_size, preamble, preamble_size, tag_size, compressed->data, compressed->size, cipher_data, cipher_size); if (ret < 0) return gnutls_assert_val(ret); } return length; }
/* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. * Returns the actual compressed packet size. */ static int ciphertext_to_compressed(gnutls_session_t session, gnutls_datum_t * ciphertext, gnutls_datum_t * compressed, uint8_t type, record_parameters_st * params, uint64 * sequence) { uint8_t tag[MAX_HASH_SIZE]; uint8_t nonce[MAX_CIPHER_BLOCK_SIZE]; const uint8_t *tag_ptr = NULL; unsigned int pad = 0, i; int length, length_to_decrypt; uint16_t blocksize; int ret; unsigned int tmp_pad_failed = 0; unsigned int pad_failed = 0; uint8_t preamble[MAX_PREAMBLE_SIZE]; unsigned int preamble_size = 0; const version_entry_st *ver = get_version(session); unsigned int tag_size = _gnutls_auth_cipher_tag_len(¶ms->read.cipher_state); unsigned int explicit_iv = _gnutls_version_has_explicit_iv(ver); unsigned imp_iv_size, exp_iv_size; unsigned cipher_type = _gnutls_cipher_type(params->cipher); bool etm = 0; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher); exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher); blocksize = _gnutls_cipher_get_block_size(params->cipher); if (params->etm !=0 && cipher_type == CIPHER_BLOCK) etm = 1; /* if EtM mode and not AEAD */ if (etm) { if (unlikely(ciphertext->size < tag_size)) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); preamble_size = make_preamble(UINT64DATA(*sequence), type, ciphertext->size-tag_size, ver, preamble); ret = _gnutls_auth_cipher_add_auth(¶ms->read. cipher_state, preamble, preamble_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); ret = _gnutls_auth_cipher_add_auth(¶ms->read. cipher_state, ciphertext->data, ciphertext->size-tag_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); ret = _gnutls_auth_cipher_tag(¶ms->read.cipher_state, tag, tag_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); if (unlikely(gnutls_memcmp(tag, &ciphertext->data[ciphertext->size-tag_size], tag_size) != 0)) { /* HMAC was not the same. */ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } } /* actual decryption (inplace) */ switch (cipher_type) { case CIPHER_AEAD: /* The way AEAD ciphers are defined in RFC5246, it allows * only stream ciphers. */ if (unlikely(_gnutls_auth_cipher_is_aead(¶ms->read. cipher_state) == 0)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block */ if (unlikely (params->read.IV.data == NULL || params->read.IV.size != 4)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); if (unlikely(ciphertext->size < tag_size + exp_iv_size)) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); memcpy(nonce, params->read.IV.data, imp_iv_size); memcpy(&nonce[imp_iv_size], ciphertext->data, exp_iv_size); ciphertext->data += exp_iv_size; ciphertext->size -= exp_iv_size; length = ciphertext->size - tag_size; length_to_decrypt = ciphertext->size; /* Pass the type, version, length and compressed through * MAC. */ preamble_size = make_preamble(UINT64DATA(*sequence), type, length, ver, preamble); if (unlikely ((unsigned) length_to_decrypt > compressed->size)) { _gnutls_audit_log(session, "Received %u bytes, while expecting less than %u\n", (unsigned int) length_to_decrypt, (unsigned int) compressed->size); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } ret = _gnutls_aead_cipher_decrypt(¶ms->read.cipher_state.cipher, nonce, exp_iv_size + imp_iv_size, preamble, preamble_size, tag_size, ciphertext->data, length_to_decrypt, compressed->data, compressed->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); return length; break; case CIPHER_STREAM: if (unlikely(ciphertext->size < tag_size)) return gnutls_assert_val (GNUTLS_E_UNEXPECTED_PACKET_LENGTH); length_to_decrypt = ciphertext->size; length = ciphertext->size - tag_size; tag_ptr = compressed->data + length; /* Pass the type, version, length and compressed through * MAC. */ preamble_size = make_preamble(UINT64DATA(*sequence), type, length, ver, preamble); ret = _gnutls_auth_cipher_add_auth(¶ms->read. cipher_state, preamble, preamble_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); if (unlikely ((unsigned) length_to_decrypt > compressed->size)) { _gnutls_audit_log(session, "Received %u bytes, while expecting less than %u\n", (unsigned int) length_to_decrypt, (unsigned int) compressed->size); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } ret = _gnutls_auth_cipher_decrypt2(¶ms->read. cipher_state, ciphertext->data, length_to_decrypt, compressed->data, compressed->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); break; case CIPHER_BLOCK: if (unlikely(ciphertext->size < blocksize)) return gnutls_assert_val (GNUTLS_E_UNEXPECTED_PACKET_LENGTH); if (etm == 0) { if (unlikely(ciphertext->size % blocksize != 0)) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); } else { if (unlikely((ciphertext->size - tag_size) % blocksize != 0)) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); } /* ignore the IV in TLS 1.1+ */ if (explicit_iv) { _gnutls_auth_cipher_setiv(¶ms->read. cipher_state, ciphertext->data, blocksize); memcpy(nonce, ciphertext->data, blocksize); ciphertext->size -= blocksize; ciphertext->data += blocksize; } if (unlikely(ciphertext->size < tag_size + 1)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); /* we don't use the auth_cipher interface here, since * TLS with block ciphers is impossible to be used under such * an API. (the length of plaintext is required to calculate * auth_data, but it is not available before decryption). */ if (unlikely(ciphertext->size > compressed->size)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); if (etm == 0) { ret = _gnutls_cipher_decrypt2(¶ms->read.cipher_state. cipher, ciphertext->data, ciphertext->size, compressed->data, compressed->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); pad = compressed->data[ciphertext->size - 1]; /* pad */ /* Check the pading bytes (TLS 1.x). * Note that we access all 256 bytes of ciphertext for padding check * because there is a timing channel in that memory access (in certain CPUs). */ if (ver->id != GNUTLS_SSL3) for (i = 2; i <= MIN(256, ciphertext->size); i++) { tmp_pad_failed |= (compressed-> data[ciphertext->size - i] != pad); pad_failed |= ((i <= (1 + pad)) & (tmp_pad_failed)); } if (unlikely (pad_failed != 0 || (1 + pad > ((int) ciphertext->size - tag_size)))) { /* We do not fail here. We check below for the * the pad_failed. If zero means success. */ pad_failed = 1; pad = 0; } length = ciphertext->size - tag_size - pad - 1; tag_ptr = &compressed->data[length]; /* Pass the type, version, length and compressed through * MAC. */ preamble_size = make_preamble(UINT64DATA(*sequence), type, length, ver, preamble); ret = _gnutls_auth_cipher_add_auth(¶ms->read. cipher_state, preamble, preamble_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); ret = _gnutls_auth_cipher_add_auth(¶ms->read. cipher_state, compressed->data, length); if (unlikely(ret < 0)) return gnutls_assert_val(ret); } else { /* EtM */ ret = _gnutls_cipher_decrypt2(¶ms->read.cipher_state. cipher, ciphertext->data, ciphertext->size - tag_size, compressed->data, compressed->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); pad = compressed->data[ciphertext->size - tag_size - 1]; /* pad */ length = ciphertext->size - tag_size - pad - 1; if (unlikely(length < 0)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } break; default: return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); } /* STREAM or BLOCK arrive here */ if (etm == 0) { ret = _gnutls_auth_cipher_tag(¶ms->read.cipher_state, tag, tag_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); /* Here there could be a timing leakage in CBC ciphersuites that * could be exploited if the cost of a successful memcmp is high. * A constant time memcmp would help there, but it is not easy to maintain * against compiler optimizations. Currently we rely on the fact that * a memcmp comparison is negligible over the crypto operations. */ if (unlikely (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) { /* HMAC was not the same. */ dummy_wait(params, compressed, pad_failed, pad, length + preamble_size); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } } return length; }
/* This is the actual encryption * Encrypts the given compressed datum, and puts the result to cipher_data, * which has cipher_size size. * return the actual encrypted data length. */ static int compressed_to_ciphertext (gnutls_session_t session, opaque * cipher_data, int cipher_size, gnutls_datum_t *compressed, content_type_t type, record_parameters_st * params) { uint8_t * tag_ptr = NULL; uint8_t pad; int length, length_to_encrypt, ret; opaque preamble[MAX_PREAMBLE_SIZE]; int preamble_size; int tag_size = _gnutls_auth_cipher_tag_len (¶ms->write.cipher_state); int blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm); unsigned block_algo = _gnutls_cipher_is_block (params->cipher_algorithm); opaque *data_ptr; int ver = gnutls_protocol_get_version (session); int explicit_iv = _gnutls_version_has_explicit_iv (session->security_parameters.version); int auth_cipher = _gnutls_auth_cipher_is_aead(¶ms->write.cipher_state); int random_pad; /* We don't use long padding if requested or if we are in DTLS. */ if (session->internals.priorities.no_padding == 0 && (!IS_DTLS(session))) random_pad = 1; else random_pad = 0; _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n", session, gnutls_cipher_get_name(params->cipher_algorithm), gnutls_mac_get_name(params->mac_algorithm), (unsigned int)params->epoch); preamble_size = make_preamble (UINT64DATA (params->write.sequence_number), type, compressed->size, ver, preamble); /* Calculate the encrypted length (padding etc.) */ length_to_encrypt = length = calc_enc_length (session, compressed->size, tag_size, &pad, random_pad, block_algo, auth_cipher, blocksize); if (length < 0) { return gnutls_assert_val(length); } /* copy the encrypted data to cipher_data. */ if (cipher_size < length) { return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); } data_ptr = cipher_data; if (explicit_iv) { if (block_algo == CIPHER_BLOCK) { /* copy the random IV. */ ret = _gnutls_rnd (GNUTLS_RND_NONCE, data_ptr, blocksize); if (ret < 0) return gnutls_assert_val(ret); _gnutls_auth_cipher_setiv(¶ms->write.cipher_state, data_ptr, blocksize); data_ptr += blocksize; cipher_data += blocksize; length_to_encrypt -= blocksize; } else if (auth_cipher) { uint8_t nonce[blocksize]; /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block */ if (params->write.IV.data == NULL || params->write.IV.size != AEAD_IMPLICIT_DATA_SIZE) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); /* Instead of generating a new nonce on every packet, we use the * write.sequence_number (It is a MAY on RFC 5288). */ memcpy(nonce, params->write.IV.data, params->write.IV.size); memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], UINT64DATA(params->write.sequence_number), 8); _gnutls_auth_cipher_setiv(¶ms->write.cipher_state, nonce, AEAD_IMPLICIT_DATA_SIZE+AEAD_EXPLICIT_DATA_SIZE); /* copy the explicit part */ memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE], AEAD_EXPLICIT_DATA_SIZE); data_ptr += AEAD_EXPLICIT_DATA_SIZE; cipher_data += AEAD_EXPLICIT_DATA_SIZE; /* In AEAD ciphers we don't encrypt the tag */ length_to_encrypt -= AEAD_EXPLICIT_DATA_SIZE + tag_size; } } else { /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise. */ if (auth_cipher) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); } memcpy (data_ptr, compressed->data, compressed->size); data_ptr += compressed->size; if (tag_size > 0) { tag_ptr = data_ptr; data_ptr += tag_size; } if (block_algo == CIPHER_BLOCK && pad > 0) { memset (data_ptr, pad - 1, pad); } /* add the authenticate data */ _gnutls_auth_cipher_add_auth(¶ms->write.cipher_state, preamble, preamble_size); /* Actual encryption (inplace). */ ret = _gnutls_auth_cipher_encrypt_tag (¶ms->write.cipher_state, cipher_data, length_to_encrypt, tag_ptr, tag_size, compressed->size); if (ret < 0) return gnutls_assert_val(ret); return length; }
/* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size. * Returns the actual compressed packet size. */ static int ciphertext_to_compressed (gnutls_session_t session, gnutls_datum_t *ciphertext, opaque * compress_data, int compress_size, uint8_t type, record_parameters_st * params, uint64* sequence) { uint8_t tag[MAX_HASH_SIZE]; uint8_t pad; int length, length_to_decrypt; uint16_t blocksize; int ret, i, pad_failed = 0; opaque preamble[MAX_PREAMBLE_SIZE]; int preamble_size; int ver = gnutls_protocol_get_version (session); int tag_size = _gnutls_auth_cipher_tag_len (¶ms->read.cipher_state); int explicit_iv = _gnutls_version_has_explicit_iv (session->security_parameters.version); blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm); /* actual decryption (inplace) */ switch (_gnutls_cipher_is_block (params->cipher_algorithm)) { case CIPHER_STREAM: /* The way AEAD ciphers are defined in RFC5246, it allows * only stream ciphers. */ if (explicit_iv && _gnutls_auth_cipher_is_aead(¶ms->read.cipher_state)) { uint8_t nonce[blocksize]; /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block */ if (params->read.IV.data == NULL || params->read.IV.size != 4) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); if (ciphertext->size < tag_size+AEAD_EXPLICIT_DATA_SIZE) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); memcpy(nonce, params->read.IV.data, AEAD_IMPLICIT_DATA_SIZE); memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], ciphertext->data, AEAD_EXPLICIT_DATA_SIZE); _gnutls_auth_cipher_setiv(¶ms->read.cipher_state, nonce, AEAD_EXPLICIT_DATA_SIZE+AEAD_IMPLICIT_DATA_SIZE); ciphertext->data += AEAD_EXPLICIT_DATA_SIZE; ciphertext->size -= AEAD_EXPLICIT_DATA_SIZE; length_to_decrypt = ciphertext->size - tag_size; } else { if (ciphertext->size < tag_size) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); length_to_decrypt = ciphertext->size; } length = ciphertext->size - tag_size; /* Pass the type, version, length and compressed through * MAC. */ preamble_size = make_preamble (UINT64DATA(*sequence), type, length, ver, preamble); _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, preamble, preamble_size); if ((ret = _gnutls_auth_cipher_decrypt (¶ms->read.cipher_state, ciphertext->data, length_to_decrypt)) < 0) return gnutls_assert_val(ret); break; case CIPHER_BLOCK: if (ciphertext->size < MAX(blocksize, tag_size) || (ciphertext->size % blocksize != 0)) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); /* ignore the IV in TLS 1.1+ */ if (explicit_iv) { _gnutls_auth_cipher_setiv(¶ms->read.cipher_state, ciphertext->data, blocksize); ciphertext->size -= blocksize; ciphertext->data += blocksize; if (ciphertext->size == 0) { gnutls_assert (); return GNUTLS_E_DECRYPTION_FAILED; } } /* we don't use the auth_cipher interface here, since * TLS with block ciphers is impossible to be used under such * an API. (the length of plaintext is required to calculate * auth_data, but it is not available before decryption). */ if ((ret = _gnutls_cipher_decrypt (¶ms->read.cipher_state.cipher, ciphertext->data, ciphertext->size)) < 0) return gnutls_assert_val(ret); pad = ciphertext->data[ciphertext->size - 1] + 1; /* pad */ if ((int) pad > (int) ciphertext->size - tag_size) { gnutls_assert (); _gnutls_record_log ("REC[%p]: Short record length %d > %d - %d (under attack?)\n", session, pad, ciphertext->size, tag_size); /* We do not fail here. We check below for the * the pad_failed. If zero means success. */ pad_failed = GNUTLS_E_DECRYPTION_FAILED; pad %= blocksize; } length = ciphertext->size - tag_size - pad; /* Check the pading bytes (TLS 1.x) */ if (ver != GNUTLS_SSL3) for (i = 2; i < pad; i++) { if (ciphertext->data[ciphertext->size - i] != ciphertext->data[ciphertext->size - 1]) pad_failed = GNUTLS_E_DECRYPTION_FAILED; } if (length < 0) length = 0; /* Pass the type, version, length and compressed through * MAC. */ preamble_size = make_preamble (UINT64DATA(*sequence), type, length, ver, preamble); _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, preamble, preamble_size); _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, ciphertext->data, length); break; default: return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); } ret = _gnutls_auth_cipher_tag(¶ms->read.cipher_state, tag, tag_size); if (ret < 0) return gnutls_assert_val(ret); /* This one was introduced to avoid a timing attack against the TLS * 1.0 protocol. */ /* HMAC was not the same. */ if (memcmp (tag, &ciphertext->data[length], tag_size) != 0 || pad_failed != 0) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); /* copy the decrypted stuff to compress_data. */ if (compress_size < length) return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED); if (compress_data != ciphertext->data) memcpy (compress_data, ciphertext->data, length); return length; }
static int compressed_to_ciphertext_new(gnutls_session_t session, uint8_t * cipher_data, int cipher_size, gnutls_datum_t * compressed, size_t min_pad, content_type_t type, record_parameters_st * params) { uint16_t pad = min_pad; int length, length_to_encrypt, ret; uint8_t preamble[MAX_PREAMBLE_SIZE]; int preamble_size; int tag_size = _gnutls_auth_cipher_tag_len(¶ms->write.cipher_state); int blocksize = _gnutls_cipher_get_block_size(params->cipher); unsigned block_algo = _gnutls_cipher_is_block(params->cipher); uint8_t *data_ptr; const version_entry_st *ver = get_version(session); int explicit_iv = _gnutls_version_has_explicit_iv(ver); int auth_cipher = _gnutls_auth_cipher_is_aead(¶ms->write.cipher_state); uint8_t nonce[MAX_CIPHER_BLOCK_SIZE]; unsigned iv_size, final_cipher_size; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher); _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n", session, _gnutls_cipher_get_name(params->cipher), _gnutls_mac_get_name(params->mac), (unsigned int) params->epoch); /* Call _gnutls_rnd() once. Get data used for the IV */ ret = _gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize); if (ret < 0) return gnutls_assert_val(ret); /* cipher_data points to the start of data to be encrypted */ data_ptr = cipher_data; length_to_encrypt = length = 0; if (explicit_iv) { if (block_algo == CIPHER_BLOCK) { /* copy the random IV. */ DECR_LEN(cipher_size, blocksize); memcpy(data_ptr, nonce, blocksize); _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, data_ptr, blocksize); data_ptr += blocksize; cipher_data += blocksize; length += blocksize; } else if (auth_cipher) { /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block */ if (params->write.IV.data == NULL || params->write.IV.size != AEAD_IMPLICIT_DATA_SIZE) return gnutls_assert_val (GNUTLS_E_INTERNAL_ERROR); /* Instead of generating a new nonce on every packet, we use the * write.sequence_number (It is a MAY on RFC 5288). */ memcpy(nonce, params->write.IV.data, params->write.IV.size); memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], UINT64DATA(params->write.sequence_number), 8); _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, nonce, AEAD_IMPLICIT_DATA_SIZE + AEAD_EXPLICIT_DATA_SIZE); /* copy the explicit part */ DECR_LEN(cipher_size, AEAD_EXPLICIT_DATA_SIZE); memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE], AEAD_EXPLICIT_DATA_SIZE); data_ptr += AEAD_EXPLICIT_DATA_SIZE; cipher_data += AEAD_EXPLICIT_DATA_SIZE; length += AEAD_EXPLICIT_DATA_SIZE; } else if (iv_size > 0) _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, UINT64DATA(params->write. sequence_number), 8); } else { /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise. */ if (auth_cipher) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); } DECR_LEN(cipher_size, 2); if (block_algo == CIPHER_BLOCK) { /* make pad a multiple of blocksize */ unsigned t = (2 + pad + compressed->size + tag_size) % blocksize; if (t > 0) { pad += blocksize - t; } } _gnutls_write_uint16(pad, data_ptr); data_ptr += 2; length_to_encrypt += 2; length += 2; final_cipher_size = cipher_size; if (pad > 0) { unsigned t; t = cipher_size - compressed->size; if (pad > t) { if (block_algo == CIPHER_BLOCK) { if (pad <= blocksize) return gnutls_assert_val (GNUTLS_E_INVALID_REQUEST); pad -= blocksize * ((pad - t) / blocksize); } else pad = t; } DECR_LEN(cipher_size, pad); memset(data_ptr, 0, pad); data_ptr += pad; length_to_encrypt += pad; length += pad; } DECR_LEN(cipher_size, compressed->size); memcpy(data_ptr, compressed->data, compressed->size); data_ptr += compressed->size; length_to_encrypt += compressed->size; length += compressed->size; if (tag_size > 0) { DECR_LEN(cipher_size, tag_size); data_ptr += tag_size; /* In AEAD ciphers we don't encrypt the tag */ length += tag_size; } preamble_size = make_preamble(UINT64DATA (params->write.sequence_number), type, compressed->size + 2 + pad, ver, preamble); _gnutls_auth_cipher_set_mac_nonce(¶ms->write.cipher_state, UINT64DATA(params->write. sequence_number), 8); /* add the authenticated data */ ret = _gnutls_auth_cipher_add_auth(¶ms->write.cipher_state, preamble, preamble_size); if (ret < 0) return gnutls_assert_val(ret); /* Actual encryption (inplace). */ ret = _gnutls_auth_cipher_encrypt2_tag(¶ms->write.cipher_state, cipher_data, length_to_encrypt, cipher_data, final_cipher_size, 0); if (ret < 0) return gnutls_assert_val(ret); return length; }
/* This is the actual encryption * Encrypts the given compressed datum, and puts the result to cipher_data, * which has cipher_size size. * return the actual encrypted data length. */ static int compressed_to_ciphertext(gnutls_session_t session, uint8_t * cipher_data, int cipher_size, gnutls_datum_t * compressed, size_t min_pad, content_type_t type, record_parameters_st * params) { uint8_t pad; int length, ret; uint8_t preamble[MAX_PREAMBLE_SIZE]; int preamble_size; int tag_size = _gnutls_auth_cipher_tag_len(¶ms->write.cipher_state); int blocksize = _gnutls_cipher_get_block_size(params->cipher); unsigned block_algo = _gnutls_cipher_is_block(params->cipher); uint8_t *data_ptr; const version_entry_st *ver = get_version(session); int explicit_iv = _gnutls_version_has_explicit_iv(ver); int auth_cipher = _gnutls_auth_cipher_is_aead(¶ms->write.cipher_state); uint8_t nonce[MAX_CIPHER_BLOCK_SIZE]; unsigned iv_size; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher); _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n", session, _gnutls_cipher_get_name(params->cipher), _gnutls_mac_get_name(params->mac), (unsigned int) params->epoch); preamble_size = make_preamble(UINT64DATA (params->write.sequence_number), type, compressed->size, ver, preamble); /* Calculate the encrypted length (padding etc.) */ if (block_algo == CIPHER_BLOCK) { /* Call _gnutls_rnd() once. Get data used for the IV */ ret = _gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize); if (ret < 0) return gnutls_assert_val(ret); pad = min_pad; length = calc_enc_length_block(session, ver, compressed->size, tag_size, &pad, auth_cipher, blocksize); } else { pad = 0; length = calc_enc_length_stream(session, compressed->size, tag_size, auth_cipher); } if (length < 0) return gnutls_assert_val(length); /* copy the encrypted data to cipher_data. */ if (cipher_size < length) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); data_ptr = cipher_data; if (explicit_iv) { /* TLS 1.1 or later */ if (block_algo == CIPHER_BLOCK) { /* copy the random IV. */ memcpy(data_ptr, nonce, blocksize); _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, data_ptr, blocksize); data_ptr += blocksize; cipher_data += blocksize; } else if (auth_cipher) { /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block */ if (params->write.IV.data == NULL || params->write.IV.size != AEAD_IMPLICIT_DATA_SIZE) return gnutls_assert_val (GNUTLS_E_INTERNAL_ERROR); /* Instead of generating a new nonce on every packet, we use the * write.sequence_number (It is a MAY on RFC 5288). */ memcpy(nonce, params->write.IV.data, params->write.IV.size); memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], UINT64DATA(params->write.sequence_number), 8); _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, nonce, AEAD_IMPLICIT_DATA_SIZE + AEAD_EXPLICIT_DATA_SIZE); /* copy the explicit part */ memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE], AEAD_EXPLICIT_DATA_SIZE); data_ptr += AEAD_EXPLICIT_DATA_SIZE; cipher_data += AEAD_EXPLICIT_DATA_SIZE; } else if (iv_size > 0) _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, UINT64DATA(params->write. sequence_number), 8); } else { /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise. */ if (auth_cipher) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); else if (block_algo == CIPHER_STREAM && iv_size > 0) _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, UINT64DATA(params->write. sequence_number), 8); } _gnutls_auth_cipher_set_mac_nonce(¶ms->write.cipher_state, UINT64DATA(params->write. sequence_number), 8); /* add the authenticate data */ ret = _gnutls_auth_cipher_add_auth(¶ms->write.cipher_state, preamble, preamble_size); if (ret < 0) return gnutls_assert_val(ret); /* Actual encryption. */ ret = _gnutls_auth_cipher_encrypt2_tag(¶ms->write.cipher_state, compressed->data, compressed->size, cipher_data, cipher_size, pad); if (ret < 0) return gnutls_assert_val(ret); return length; }
static int decrypt_packet_tls13(gnutls_session_t session, gnutls_datum_t *ciphertext, gnutls_datum_t *plain, content_type_t *type, record_parameters_st *params, gnutls_uint64 *sequence) { uint8_t nonce[MAX_CIPHER_IV_SIZE]; size_t length, length_to_decrypt; int ret; const version_entry_st *ver = get_version(session); unsigned int tag_size = params->read.aead_tag_size; unsigned iv_size; unsigned j; volatile unsigned length_set; uint8_t aad[5]; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); if (params->cipher->id == GNUTLS_CIPHER_NULL) { if (plain->size < ciphertext->size) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); length = ciphertext->size; memcpy(plain->data, ciphertext->data, length); return length; } iv_size = _gnutls_cipher_get_iv_size(params->cipher); /* The way AEAD ciphers are defined in RFC5246, it allows * only stream ciphers. */ if (unlikely(ciphertext->size < tag_size)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); if (unlikely(params->read.iv_size != iv_size || iv_size < 8)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); memcpy(nonce, params->read.iv, params->read.iv_size); memxor(&nonce[iv_size-8], UINT64DATA(*sequence), 8); length = ciphertext->size - tag_size; length_to_decrypt = ciphertext->size; if (unlikely ((unsigned) length_to_decrypt > plain->size)) { _gnutls_audit_log(session, "Received %u bytes, while expecting less than %u\n", (unsigned int) length_to_decrypt, (unsigned int) plain->size); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } aad[0] = GNUTLS_APPLICATION_DATA; aad[1] = 0x03; aad[2] = 0x03; _gnutls_write_uint16(ciphertext->size, &aad[3]); ret = gnutls_aead_cipher_decrypt(¶ms->read.ctx.aead, nonce, iv_size, aad, sizeof(aad), tag_size, ciphertext->data, length_to_decrypt, plain->data, &length); if (unlikely(ret < 0)) return gnutls_assert_val(ret); /* 1 octet for content type */ if (length > max_decrypted_size(session) + 1) { _gnutls_audit_log (session, "Received packet with illegal length: %u\n", (unsigned int) length); return gnutls_assert_val(GNUTLS_E_RECORD_OVERFLOW); } length_set = 0; /* now figure the actual data size. We intentionally iterate through all data, * to avoid leaking the padding length due to timing differences in processing. */ for (j=length;j>0;j--) { if (plain->data[j-1]!=0 && length_set == 0) { *type = plain->data[j-1]; length = j-1; length_set = 1; if (!(session->internals.flags & GNUTLS_SAFE_PADDING_CHECK)) break; } } if (!length_set) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); return length; }
/* Deciphers the ciphertext packet, and puts the result to plain. * Returns the actual plaintext packet size. */ static int decrypt_packet(gnutls_session_t session, gnutls_datum_t * ciphertext, gnutls_datum_t * plain, content_type_t type, record_parameters_st * params, gnutls_uint64 * sequence) { uint8_t tag[MAX_HASH_SIZE]; uint8_t nonce[MAX_CIPHER_IV_SIZE]; const uint8_t *tag_ptr = NULL; unsigned int pad = 0; int length, length_to_decrypt; uint16_t blocksize; int ret; uint8_t preamble[MAX_PREAMBLE_SIZE]; unsigned int preamble_size = 0; const version_entry_st *ver = get_version(session); unsigned int tag_size = _gnutls_auth_cipher_tag_len(¶ms->read.ctx.tls12); unsigned int explicit_iv = _gnutls_version_has_explicit_iv(ver); unsigned imp_iv_size, exp_iv_size; unsigned cipher_type = _gnutls_cipher_type(params->cipher); bool etm = 0; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher); exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher); blocksize = _gnutls_cipher_get_block_size(params->cipher); if (params->etm !=0 && cipher_type == CIPHER_BLOCK) etm = 1; /* if EtM mode and not AEAD */ if (etm) { if (unlikely(ciphertext->size < tag_size)) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); preamble_size = _gnutls_make_preamble(UINT64DATA(*sequence), type, ciphertext->size-tag_size, ver, preamble); ret = _gnutls_auth_cipher_add_auth(¶ms->read. ctx.tls12, preamble, preamble_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); ret = _gnutls_auth_cipher_add_auth(¶ms->read. ctx.tls12, ciphertext->data, ciphertext->size-tag_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); ret = _gnutls_auth_cipher_tag(¶ms->read.ctx.tls12, tag, tag_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); if (unlikely(gnutls_memcmp(tag, &ciphertext->data[ciphertext->size-tag_size], tag_size) != 0)) { /* HMAC was not the same. */ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } } /* actual decryption (inplace) */ switch (cipher_type) { case CIPHER_AEAD: /* The way AEAD ciphers are defined in RFC5246, it allows * only stream ciphers. */ if (unlikely(_gnutls_auth_cipher_is_aead(¶ms->read. ctx.tls12) == 0)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); if (unlikely(ciphertext->size < (tag_size + exp_iv_size))) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); if (params->cipher->xor_nonce == 0) { /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block */ if (unlikely(params->read.iv_size != 4)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); memcpy(nonce, params->read.iv, imp_iv_size); memcpy(&nonce[imp_iv_size], ciphertext->data, exp_iv_size); ciphertext->data += exp_iv_size; ciphertext->size -= exp_iv_size; } else { /* XOR nonce with IV */ if (unlikely(params->read.iv_size != 12 || imp_iv_size != 12 || exp_iv_size != 0)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); memset(nonce, 0, 4); memcpy(&nonce[4], UINT64DATA(*sequence), 8); memxor(nonce, params->read.iv, 12); } length = ciphertext->size - tag_size; length_to_decrypt = ciphertext->size; /* Pass the type, version, length and plain through * MAC. */ preamble_size = _gnutls_make_preamble(UINT64DATA(*sequence), type, length, ver, preamble); if (unlikely ((unsigned) length_to_decrypt > plain->size)) { _gnutls_audit_log(session, "Received %u bytes, while expecting less than %u\n", (unsigned int) length_to_decrypt, (unsigned int) plain->size); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } ret = _gnutls_aead_cipher_decrypt(¶ms->read.ctx.tls12.cipher, nonce, exp_iv_size + imp_iv_size, preamble, preamble_size, tag_size, ciphertext->data, length_to_decrypt, plain->data, plain->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); return length; break; case CIPHER_STREAM: if (unlikely(ciphertext->size < tag_size)) return gnutls_assert_val (GNUTLS_E_UNEXPECTED_PACKET_LENGTH); length_to_decrypt = ciphertext->size; length = ciphertext->size - tag_size; tag_ptr = plain->data + length; /* Pass the type, version, length and plain through * MAC. */ preamble_size = _gnutls_make_preamble(UINT64DATA(*sequence), type, length, ver, preamble); ret = _gnutls_auth_cipher_add_auth(¶ms->read. ctx.tls12, preamble, preamble_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); if (unlikely ((unsigned) length_to_decrypt > plain->size)) { _gnutls_audit_log(session, "Received %u bytes, while expecting less than %u\n", (unsigned int) length_to_decrypt, (unsigned int) plain->size); return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } ret = _gnutls_auth_cipher_decrypt2(¶ms->read. ctx.tls12, ciphertext->data, length_to_decrypt, plain->data, plain->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); ret = _gnutls_auth_cipher_tag(¶ms->read.ctx.tls12, tag, tag_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); if (unlikely (gnutls_memcmp(tag, tag_ptr, tag_size) != 0)) { return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } break; case CIPHER_BLOCK: if (unlikely(ciphertext->size < blocksize)) return gnutls_assert_val (GNUTLS_E_UNEXPECTED_PACKET_LENGTH); if (etm == 0) { if (unlikely(ciphertext->size % blocksize != 0)) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); } else { if (unlikely((ciphertext->size - tag_size) % blocksize != 0)) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); } /* ignore the IV in TLS 1.1+ */ if (explicit_iv) { _gnutls_auth_cipher_setiv(¶ms->read. ctx.tls12, ciphertext->data, blocksize); memcpy(nonce, ciphertext->data, blocksize); ciphertext->size -= blocksize; ciphertext->data += blocksize; } if (unlikely(ciphertext->size < tag_size + 1)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); /* we don't use the auth_cipher interface here, since * TLS with block ciphers is impossible to be used under such * an API. (the length of plaintext is required to calculate * auth_data, but it is not available before decryption). */ if (unlikely(ciphertext->size > plain->size)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); if (etm == 0) { ret = _gnutls_cipher_decrypt2(¶ms->read.ctx.tls12. cipher, ciphertext->data, ciphertext->size, plain->data, plain->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); ret = cbc_mac_verify(session, params, preamble, type, sequence, plain->data, ciphertext->size, tag_size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); length = ret; } else { /* EtM */ ret = _gnutls_cipher_decrypt2(¶ms->read.ctx.tls12. cipher, ciphertext->data, ciphertext->size - tag_size, plain->data, plain->size); if (unlikely(ret < 0)) return gnutls_assert_val(ret); pad = plain->data[ciphertext->size - tag_size - 1]; /* pad */ length = ciphertext->size - tag_size - pad - 1; if (unlikely(length < 0)) return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } break; default: return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); } return length; }
static int encrypt_packet_tls13(gnutls_session_t session, uint8_t *cipher_data, size_t cipher_size, gnutls_datum_t *plain, size_t pad_size, uint8_t type, record_parameters_st *params) { int ret; unsigned int tag_size = params->write.aead_tag_size; const version_entry_st *ver = get_version(session); uint8_t nonce[MAX_CIPHER_IV_SIZE]; unsigned iv_size = 0; ssize_t max, total; uint8_t aad[5]; giovec_t auth_iov[1]; giovec_t iov[2]; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n", session, _gnutls_cipher_get_name(params->cipher), _gnutls_mac_get_name(params->mac), (unsigned int) params->epoch); iv_size = params->write.iv_size; if (params->cipher->id == GNUTLS_CIPHER_NULL) { if (cipher_size < plain->size+1) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); memcpy(cipher_data, plain->data, plain->size); return plain->size; } if (unlikely(iv_size < 8)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); memcpy(nonce, params->write.iv, iv_size); memxor(&nonce[iv_size-8], UINT64DATA(params->write.sequence_number), 8); max = MAX_RECORD_SEND_SIZE(session); /* make TLS 1.3 form of data */ total = plain->size + 1 + pad_size; /* check whether padding would exceed max */ if (total > max) { if (unlikely(max < (ssize_t)plain->size+1)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); pad_size = max - plain->size - 1; total = max; } /* create authenticated data header */ aad[0] = GNUTLS_APPLICATION_DATA; aad[1] = 0x03; aad[2] = 0x03; _gnutls_write_uint16(total+tag_size, &aad[3]); auth_iov[0].iov_base = aad; auth_iov[0].iov_len = sizeof(aad); iov[0].iov_base = plain->data; iov[0].iov_len = plain->size; if (pad_size || (session->internals.flags & GNUTLS_SAFE_PADDING_CHECK)) { uint8_t *pad = gnutls_calloc(1, 1+pad_size); if (pad == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); pad[0] = type; iov[1].iov_base = pad; iov[1].iov_len = 1+pad_size; ret = gnutls_aead_cipher_encryptv(¶ms->write.ctx.aead, nonce, iv_size, auth_iov, 1, tag_size, iov, 2, cipher_data, &cipher_size); gnutls_free(pad); } else { iov[1].iov_base = &type; iov[1].iov_len = 1; ret = gnutls_aead_cipher_encryptv(¶ms->write.ctx.aead, nonce, iv_size, auth_iov, 1, tag_size, iov, 2, cipher_data, &cipher_size); } if (ret < 0) return gnutls_assert_val(ret); return cipher_size; }