void aont_package(RandomNumberGenerator& rng, BlockCipher* cipher, const byte input[], size_t input_len, byte output[]) { const size_t BLOCK_SIZE = cipher->block_size(); if(!cipher->valid_keylength(BLOCK_SIZE)) throw Invalid_Argument("AONT::package: Invalid cipher"); // The all-zero string which is used both as the CTR IV and as K0 const std::string all_zeros(BLOCK_SIZE*2, '0'); SymmetricKey package_key(rng, BLOCK_SIZE); Pipe pipe(new StreamCipher_Filter(new CTR_BE(cipher), package_key)); pipe.process_msg(input, input_len); pipe.read(output, pipe.remaining()); // Set K0 (the all zero key) cipher->set_key(SymmetricKey(all_zeros)); SecureVector<byte> buf(BLOCK_SIZE); const size_t blocks = (input_len + BLOCK_SIZE - 1) / BLOCK_SIZE; byte* final_block = output + input_len; clear_mem(final_block, BLOCK_SIZE); // XOR the hash blocks into the final block for(size_t i = 0; i != blocks; ++i) { const size_t left = std::min<size_t>(BLOCK_SIZE, input_len - BLOCK_SIZE * i); zeroise(buf); copy_mem(&buf[0], output + (BLOCK_SIZE * i), left); for(size_t j = 0; j != sizeof(i); ++j) buf[BLOCK_SIZE - 1 - j] ^= get_byte(sizeof(i)-1-j, i); cipher->encrypt(buf); xor_buf(final_block, buf, BLOCK_SIZE); } // XOR the random package key into the final block xor_buf(final_block, package_key.begin(), BLOCK_SIZE); }
void aont_unpackage(BlockCipher* cipher, const byte input[], size_t input_len, byte output[]) { const size_t BLOCK_SIZE = cipher->block_size(); if(!cipher->valid_keylength(BLOCK_SIZE)) throw Invalid_Argument("AONT::unpackage: Invalid cipher"); if(input_len < BLOCK_SIZE) throw Invalid_Argument("AONT::unpackage: Input too short"); // The all-zero string which is used both as the CTR IV and as K0 const std::string all_zeros(BLOCK_SIZE*2, '0'); cipher->set_key(SymmetricKey(all_zeros)); SecureVector<byte> package_key(BLOCK_SIZE); SecureVector<byte> buf(BLOCK_SIZE); // Copy the package key (masked with the block hashes) copy_mem(&package_key[0], input + (input_len - BLOCK_SIZE), BLOCK_SIZE); const size_t blocks = ((input_len - 1) / BLOCK_SIZE); // XOR the blocks into the package key bits for(size_t i = 0; i != blocks; ++i) { const size_t left = std::min<size_t>(BLOCK_SIZE, input_len - BLOCK_SIZE * (i+1)); zeroise(buf); copy_mem(&buf[0], input + (BLOCK_SIZE * i), left); for(size_t j = 0; j != sizeof(i); ++j) buf[BLOCK_SIZE - 1 - j] ^= get_byte(sizeof(i)-1-j, i); cipher->encrypt(buf); xor_buf(&package_key[0], buf, BLOCK_SIZE); } Pipe pipe(new StreamCipher_Filter(new CTR_BE(cipher), package_key)); pipe.process_msg(input, input_len - BLOCK_SIZE); pipe.read(output, pipe.remaining()); }
SymmetricKey psk(const std::string&, const std::string&, const std::string&) override { return SymmetricKey("AABBCCDDEEFF00112233445566778899"); }
/* * Read a Client Key Exchange message */ Client_Key_Exchange::Client_Key_Exchange(const std::vector<byte>& contents, const Handshake_State& state, const Private_Key* server_rsa_kex_key, Credentials_Manager& creds, const Policy& policy, RandomNumberGenerator& rng) { const std::string kex_algo = state.ciphersuite().kex_algo(); if(kex_algo == "RSA") { BOTAN_ASSERT(state.server_certs() && !state.server_certs()->cert_chain().empty(), "RSA key exchange negotiated so server sent a certificate"); if(!server_rsa_kex_key) throw Internal_Error("Expected RSA kex but no server kex key set"); if(!dynamic_cast<const RSA_PrivateKey*>(server_rsa_kex_key)) throw Internal_Error("Expected RSA key but got " + server_rsa_kex_key->algo_name()); PK_Decryptor_EME decryptor(*server_rsa_kex_key, "PKCS1v15"); Protocol_Version client_version = state.client_hello()->version(); /* * This is used as the pre-master if RSA decryption fails. * Otherwise we can be used as an oracle. See Bleichenbacher * "Chosen Ciphertext Attacks against Protocols Based on RSA * Encryption Standard PKCS #1", Crypto 98 * * Create it here instead if in the catch clause as otherwise we * expose a timing channel WRT the generation of the fake value. * Some timing channel likely remains due to exception handling * and the like. */ secure_vector<byte> fake_pre_master = rng.random_vec(48); fake_pre_master[0] = client_version.major_version(); fake_pre_master[1] = client_version.minor_version(); try { TLS_Data_Reader reader("ClientKeyExchange", contents); m_pre_master = decryptor.decrypt(reader.get_range<byte>(2, 0, 65535)); if(m_pre_master.size() != 48 || client_version.major_version() != m_pre_master[0] || client_version.minor_version() != m_pre_master[1]) { throw Decoding_Error("Client_Key_Exchange: Secret corrupted"); } } catch(...) { m_pre_master = fake_pre_master; } } else { TLS_Data_Reader reader("ClientKeyExchange", contents); SymmetricKey psk; if(kex_algo == "PSK" || kex_algo == "DHE_PSK" || kex_algo == "ECDHE_PSK") { const std::string psk_identity = reader.get_string(2, 0, 65535); psk = creds.psk("tls-server", state.client_hello()->sni_hostname(), psk_identity); if(psk.length() == 0) { if(policy.hide_unknown_users()) psk = SymmetricKey(rng, 16); else throw TLS_Exception(Alert::UNKNOWN_PSK_IDENTITY, "No PSK for identifier " + psk_identity); } } if(kex_algo == "PSK") { std::vector<byte> zeros(psk.length()); append_tls_length_value(m_pre_master, zeros, 2); append_tls_length_value(m_pre_master, psk.bits_of(), 2); } #if defined(BOTAN_HAS_SRP6) else if(kex_algo == "SRP_SHA") { SRP6_Server_Session& srp = state.server_kex()->server_srp_params(); m_pre_master = srp.step2(BigInt::decode(reader.get_range<byte>(2, 0, 65535))).bits_of(); } #endif else if(kex_algo == "DH" || kex_algo == "DHE_PSK" || kex_algo == "ECDH" || kex_algo == "ECDHE_PSK") { const Private_Key& private_key = state.server_kex()->server_kex_key(); const PK_Key_Agreement_Key* ka_key = dynamic_cast<const PK_Key_Agreement_Key*>(&private_key); if(!ka_key) throw Internal_Error("Expected key agreement key type but got " + private_key.algo_name()); try { PK_Key_Agreement ka(*ka_key, "Raw"); std::vector<byte> client_pubkey; if(ka_key->algo_name() == "DH") client_pubkey = reader.get_range<byte>(2, 0, 65535); else client_pubkey = reader.get_range<byte>(1, 0, 255); secure_vector<byte> shared_secret = ka.derive_key(0, client_pubkey).bits_of(); if(ka_key->algo_name() == "DH") shared_secret = CT::strip_leading_zeros(shared_secret); if(kex_algo == "DHE_PSK" || kex_algo == "ECDHE_PSK") { append_tls_length_value(m_pre_master, shared_secret, 2); append_tls_length_value(m_pre_master, psk.bits_of(), 2); } else m_pre_master = shared_secret; } catch(std::exception &) { /* * Something failed in the DH computation. To avoid possible * timing attacks, randomize the pre-master output and carry * on, allowing the protocol to fail later in the finished * checks. */ m_pre_master = rng.random_vec(ka_key->public_value().size()); } } else throw Internal_Error("Client_Key_Exchange: Unknown kex type " + kex_algo); } }
/* * Perform Self Tests */ bool passes_self_tests(Algorithm_Factory& af) { try { if(const BlockCipher* proto = af.prototype_block_cipher("DES")) { cipher_kat(proto, "0123456789ABCDEF", "1234567890ABCDEF", "4E6F77206973207468652074696D6520666F7220616C6C20", "3FA40E8A984D48156A271787AB8883F9893D51EC4B563B53", "E5C7CDDE872BF27C43E934008C389C0F683788499A7C05F6", "F3096249C7F46E51A69E839B1A92F78403467133898EA622", "F3096249C7F46E5135F24A242EEB3D3F3D6D5BE3255AF8C3", "F3096249C7F46E51163A8CA0FFC94C27FA2F80F480B86F75"); } if(const BlockCipher* proto = af.prototype_block_cipher("TripleDES")) { cipher_kat(proto, "385D7189A5C3D485E1370AA5D408082B5CCCCB5E19F2D90E", "C141B5FCCD28DC8A", "6E1BD7C6120947A464A6AAB293A0F89A563D8D40D3461B68", "64EAAD4ACBB9CEAD6C7615E7C7E4792FE587D91F20C7D2F4", "6235A461AFD312973E3B4F7AA7D23E34E03371F8E8C376C9", "E26BA806A59B0330DE40CA38E77A3E494BE2B212F6DD624B", "E26BA806A59B03307DE2BCC25A08BA40A8BA335F5D604C62", "E26BA806A59B03303C62C2EFF32D3ACDD5D5F35EBCC53371"); } if(const BlockCipher* proto = af.prototype_block_cipher("AES")) { cipher_kat(proto, "2B7E151628AED2A6ABF7158809CF4F3C", "000102030405060708090A0B0C0D0E0F", "6BC1BEE22E409F96E93D7E117393172A" "AE2D8A571E03AC9C9EB76FAC45AF8E51", "3AD77BB40D7A3660A89ECAF32466EF97" "F5D3D58503B9699DE785895A96FDBAAF", "7649ABAC8119B246CEE98E9B12E9197D" "5086CB9B507219EE95DB113A917678B2", "3B3FD92EB72DAD20333449F8E83CFB4A" "C8A64537A0B3A93FCDE3CDAD9F1CE58B", "3B3FD92EB72DAD20333449F8E83CFB4A" "7789508D16918F03F53C52DAC54ED825", "3B3FD92EB72DAD20333449F8E83CFB4A" "010C041999E03F36448624483E582D0E"); } if(const HashFunction* proto = af.prototype_hash_function("SHA-1")) { do_kat("", "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", proto->name(), new Hash_Filter(proto->clone())); do_kat("616263", "A9993E364706816ABA3E25717850C26C9CD0D89D", proto->name(), new Hash_Filter(proto->clone())); do_kat("6162636462636465636465666465666765666768666768696768696A" "68696A6B696A6B6C6A6B6C6D6B6C6D6E6C6D6E6F6D6E6F706E6F7071", "84983E441C3BD26EBAAE4AA1F95129E5E54670F1", proto->name(), new Hash_Filter(proto->clone())); do_kat("4869205468657265", "B617318655057264E28BC0B6FB378C8EF146BE00", "HMAC(" + proto->name() + ")", new MAC_Filter(new HMAC(proto->clone()), SymmetricKey("0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B"))); } if(const HashFunction* proto = af.prototype_hash_function("SHA-256")) { do_kat("", "E3B0C44298FC1C149AFBF4C8996FB924" "27AE41E4649B934CA495991B7852B855", proto->name(), new Hash_Filter(proto->clone())); do_kat("616263", "BA7816BF8F01CFEA414140DE5DAE2223" "B00361A396177A9CB410FF61F20015AD", proto->name(), new Hash_Filter(proto->clone())); do_kat("6162636462636465636465666465666765666768666768696768696A" "68696A6B696A6B6C6A6B6C6D6B6C6D6E6C6D6E6F6D6E6F706E6F7071", "248D6A61D20638B8E5C026930C3E6039" "A33CE45964FF2167F6ECEDD419DB06C1", proto->name(), new Hash_Filter(proto->clone())); do_kat("4869205468657265", "198A607EB44BFBC69903A0F1CF2BBDC5" "BA0AA3F3D9AE3C1C7A3B1696A0B68CF7", "HMAC(" + proto->name() + ")", new MAC_Filter(new HMAC(proto->clone()), SymmetricKey("0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B" "0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B"))); } } catch(std::exception) { return false; } return true; }