void aont_package(RandomNumberGenerator& rng,
BlockCipher* cipher,
const byte input[], size_t input_len,
byte output[])
{
const size_t BLOCK_SIZE = cipher->block_size();
if(!cipher->valid_keylength(BLOCK_SIZE))
throw Invalid_Argument("AONT::package: Invalid cipher");
// The all-zero string which is used both as the CTR IV and as K0
const std::string all_zeros(BLOCK_SIZE*2, '0');
SymmetricKey package_key(rng, BLOCK_SIZE);
Pipe pipe(new StreamCipher_Filter(new CTR_BE(cipher), package_key));
pipe.process_msg(input, input_len);
pipe.read(output, pipe.remaining());
// Set K0 (the all zero key)
cipher->set_key(SymmetricKey(all_zeros));
SecureVector<byte> buf(BLOCK_SIZE);
const size_t blocks =
(input_len + BLOCK_SIZE - 1) / BLOCK_SIZE;
byte* final_block = output + input_len;
clear_mem(final_block, BLOCK_SIZE);
// XOR the hash blocks into the final block
for(size_t i = 0; i != blocks; ++i)
{
const size_t left = std::min<size_t>(BLOCK_SIZE,
input_len - BLOCK_SIZE * i);
zeroise(buf);
copy_mem(&buf[0], output + (BLOCK_SIZE * i), left);
for(size_t j = 0; j != sizeof(i); ++j)
buf[BLOCK_SIZE - 1 - j] ^= get_byte(sizeof(i)-1-j, i);
cipher->encrypt(buf);
xor_buf(final_block, buf, BLOCK_SIZE);
}
// XOR the random package key into the final block
xor_buf(final_block, package_key.begin(), BLOCK_SIZE);
}
void aont_unpackage(BlockCipher* cipher,
const byte input[], size_t input_len,
byte output[])
{
const size_t BLOCK_SIZE = cipher->block_size();
if(!cipher->valid_keylength(BLOCK_SIZE))
throw Invalid_Argument("AONT::unpackage: Invalid cipher");
if(input_len < BLOCK_SIZE)
throw Invalid_Argument("AONT::unpackage: Input too short");
// The all-zero string which is used both as the CTR IV and as K0
const std::string all_zeros(BLOCK_SIZE*2, '0');
cipher->set_key(SymmetricKey(all_zeros));
SecureVector<byte> package_key(BLOCK_SIZE);
SecureVector<byte> buf(BLOCK_SIZE);
// Copy the package key (masked with the block hashes)
copy_mem(&package_key[0],
input + (input_len - BLOCK_SIZE),
BLOCK_SIZE);
const size_t blocks = ((input_len - 1) / BLOCK_SIZE);
// XOR the blocks into the package key bits
for(size_t i = 0; i != blocks; ++i)
{
const size_t left = std::min<size_t>(BLOCK_SIZE,
input_len - BLOCK_SIZE * (i+1));
zeroise(buf);
copy_mem(&buf[0], input + (BLOCK_SIZE * i), left);
for(size_t j = 0; j != sizeof(i); ++j)
buf[BLOCK_SIZE - 1 - j] ^= get_byte(sizeof(i)-1-j, i);
cipher->encrypt(buf);
xor_buf(&package_key[0], buf, BLOCK_SIZE);
}
Pipe pipe(new StreamCipher_Filter(new CTR_BE(cipher), package_key));
pipe.process_msg(input, input_len - BLOCK_SIZE);
pipe.read(output, pipe.remaining());
}
SymmetricKey psk(const std::string&, const std::string&, const std::string&) override
{
return SymmetricKey("AABBCCDDEEFF00112233445566778899");
}
/*
* Read a Client Key Exchange message
*/
Client_Key_Exchange::Client_Key_Exchange(const std::vector<byte>& contents,
const Handshake_State& state,
const Private_Key* server_rsa_kex_key,
Credentials_Manager& creds,
const Policy& policy,
RandomNumberGenerator& rng)
{
const std::string kex_algo = state.ciphersuite().kex_algo();
if(kex_algo == "RSA")
{
BOTAN_ASSERT(state.server_certs() && !state.server_certs()->cert_chain().empty(),
"RSA key exchange negotiated so server sent a certificate");
if(!server_rsa_kex_key)
throw Internal_Error("Expected RSA kex but no server kex key set");
if(!dynamic_cast<const RSA_PrivateKey*>(server_rsa_kex_key))
throw Internal_Error("Expected RSA key but got " + server_rsa_kex_key->algo_name());
PK_Decryptor_EME decryptor(*server_rsa_kex_key, "PKCS1v15");
Protocol_Version client_version = state.client_hello()->version();
/*
* This is used as the pre-master if RSA decryption fails.
* Otherwise we can be used as an oracle. See Bleichenbacher
* "Chosen Ciphertext Attacks against Protocols Based on RSA
* Encryption Standard PKCS #1", Crypto 98
*
* Create it here instead if in the catch clause as otherwise we
* expose a timing channel WRT the generation of the fake value.
* Some timing channel likely remains due to exception handling
* and the like.
*/
secure_vector<byte> fake_pre_master = rng.random_vec(48);
fake_pre_master[0] = client_version.major_version();
fake_pre_master[1] = client_version.minor_version();
try
{
TLS_Data_Reader reader("ClientKeyExchange", contents);
m_pre_master = decryptor.decrypt(reader.get_range<byte>(2, 0, 65535));
if(m_pre_master.size() != 48 ||
client_version.major_version() != m_pre_master[0] ||
client_version.minor_version() != m_pre_master[1])
{
throw Decoding_Error("Client_Key_Exchange: Secret corrupted");
}
}
catch(...)
{
m_pre_master = fake_pre_master;
}
}
else
{
TLS_Data_Reader reader("ClientKeyExchange", contents);
SymmetricKey psk;
if(kex_algo == "PSK" || kex_algo == "DHE_PSK" || kex_algo == "ECDHE_PSK")
{
const std::string psk_identity = reader.get_string(2, 0, 65535);
psk = creds.psk("tls-server",
state.client_hello()->sni_hostname(),
psk_identity);
if(psk.length() == 0)
{
if(policy.hide_unknown_users())
psk = SymmetricKey(rng, 16);
else
throw TLS_Exception(Alert::UNKNOWN_PSK_IDENTITY,
"No PSK for identifier " + psk_identity);
}
}
if(kex_algo == "PSK")
{
std::vector<byte> zeros(psk.length());
append_tls_length_value(m_pre_master, zeros, 2);
append_tls_length_value(m_pre_master, psk.bits_of(), 2);
}
#if defined(BOTAN_HAS_SRP6)
else if(kex_algo == "SRP_SHA")
{
SRP6_Server_Session& srp = state.server_kex()->server_srp_params();
m_pre_master = srp.step2(BigInt::decode(reader.get_range<byte>(2, 0, 65535))).bits_of();
}
#endif
else if(kex_algo == "DH" || kex_algo == "DHE_PSK" ||
kex_algo == "ECDH" || kex_algo == "ECDHE_PSK")
{
const Private_Key& private_key = state.server_kex()->server_kex_key();
const PK_Key_Agreement_Key* ka_key =
dynamic_cast<const PK_Key_Agreement_Key*>(&private_key);
if(!ka_key)
throw Internal_Error("Expected key agreement key type but got " +
private_key.algo_name());
try
{
PK_Key_Agreement ka(*ka_key, "Raw");
std::vector<byte> client_pubkey;
if(ka_key->algo_name() == "DH")
client_pubkey = reader.get_range<byte>(2, 0, 65535);
else
client_pubkey = reader.get_range<byte>(1, 0, 255);
secure_vector<byte> shared_secret = ka.derive_key(0, client_pubkey).bits_of();
if(ka_key->algo_name() == "DH")
shared_secret = CT::strip_leading_zeros(shared_secret);
if(kex_algo == "DHE_PSK" || kex_algo == "ECDHE_PSK")
{
append_tls_length_value(m_pre_master, shared_secret, 2);
append_tls_length_value(m_pre_master, psk.bits_of(), 2);
}
else
m_pre_master = shared_secret;
}
catch(std::exception &)
{
/*
* Something failed in the DH computation. To avoid possible
* timing attacks, randomize the pre-master output and carry
* on, allowing the protocol to fail later in the finished
* checks.
*/
m_pre_master = rng.random_vec(ka_key->public_value().size());
}
}
else
throw Internal_Error("Client_Key_Exchange: Unknown kex type " + kex_algo);
}
}
/*
* Perform Self Tests
*/
bool passes_self_tests(Algorithm_Factory& af)
{
try
{
if(const BlockCipher* proto = af.prototype_block_cipher("DES"))
{
cipher_kat(proto,
"0123456789ABCDEF", "1234567890ABCDEF",
"4E6F77206973207468652074696D6520666F7220616C6C20",
"3FA40E8A984D48156A271787AB8883F9893D51EC4B563B53",
"E5C7CDDE872BF27C43E934008C389C0F683788499A7C05F6",
"F3096249C7F46E51A69E839B1A92F78403467133898EA622",
"F3096249C7F46E5135F24A242EEB3D3F3D6D5BE3255AF8C3",
"F3096249C7F46E51163A8CA0FFC94C27FA2F80F480B86F75");
}
if(const BlockCipher* proto = af.prototype_block_cipher("TripleDES"))
{
cipher_kat(proto,
"385D7189A5C3D485E1370AA5D408082B5CCCCB5E19F2D90E",
"C141B5FCCD28DC8A",
"6E1BD7C6120947A464A6AAB293A0F89A563D8D40D3461B68",
"64EAAD4ACBB9CEAD6C7615E7C7E4792FE587D91F20C7D2F4",
"6235A461AFD312973E3B4F7AA7D23E34E03371F8E8C376C9",
"E26BA806A59B0330DE40CA38E77A3E494BE2B212F6DD624B",
"E26BA806A59B03307DE2BCC25A08BA40A8BA335F5D604C62",
"E26BA806A59B03303C62C2EFF32D3ACDD5D5F35EBCC53371");
}
if(const BlockCipher* proto = af.prototype_block_cipher("AES"))
{
cipher_kat(proto,
"2B7E151628AED2A6ABF7158809CF4F3C",
"000102030405060708090A0B0C0D0E0F",
"6BC1BEE22E409F96E93D7E117393172A"
"AE2D8A571E03AC9C9EB76FAC45AF8E51",
"3AD77BB40D7A3660A89ECAF32466EF97"
"F5D3D58503B9699DE785895A96FDBAAF",
"7649ABAC8119B246CEE98E9B12E9197D"
"5086CB9B507219EE95DB113A917678B2",
"3B3FD92EB72DAD20333449F8E83CFB4A"
"C8A64537A0B3A93FCDE3CDAD9F1CE58B",
"3B3FD92EB72DAD20333449F8E83CFB4A"
"7789508D16918F03F53C52DAC54ED825",
"3B3FD92EB72DAD20333449F8E83CFB4A"
"010C041999E03F36448624483E582D0E");
}
if(const HashFunction* proto = af.prototype_hash_function("SHA-1"))
{
do_kat("", "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
proto->name(), new Hash_Filter(proto->clone()));
do_kat("616263", "A9993E364706816ABA3E25717850C26C9CD0D89D",
proto->name(), new Hash_Filter(proto->clone()));
do_kat("6162636462636465636465666465666765666768666768696768696A"
"68696A6B696A6B6C6A6B6C6D6B6C6D6E6C6D6E6F6D6E6F706E6F7071",
"84983E441C3BD26EBAAE4AA1F95129E5E54670F1",
proto->name(), new Hash_Filter(proto->clone()));
do_kat("4869205468657265",
"B617318655057264E28BC0B6FB378C8EF146BE00",
"HMAC(" + proto->name() + ")",
new MAC_Filter(new HMAC(proto->clone()),
SymmetricKey("0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B")));
}
if(const HashFunction* proto = af.prototype_hash_function("SHA-256"))
{
do_kat("",
"E3B0C44298FC1C149AFBF4C8996FB924"
"27AE41E4649B934CA495991B7852B855",
proto->name(), new Hash_Filter(proto->clone()));
do_kat("616263",
"BA7816BF8F01CFEA414140DE5DAE2223"
"B00361A396177A9CB410FF61F20015AD",
proto->name(), new Hash_Filter(proto->clone()));
do_kat("6162636462636465636465666465666765666768666768696768696A"
"68696A6B696A6B6C6A6B6C6D6B6C6D6E6C6D6E6F6D6E6F706E6F7071",
"248D6A61D20638B8E5C026930C3E6039"
"A33CE45964FF2167F6ECEDD419DB06C1",
proto->name(), new Hash_Filter(proto->clone()));
do_kat("4869205468657265",
"198A607EB44BFBC69903A0F1CF2BBDC5"
"BA0AA3F3D9AE3C1C7A3B1696A0B68CF7",
"HMAC(" + proto->name() + ")",
new MAC_Filter(new HMAC(proto->clone()),
SymmetricKey("0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B"
"0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B")));
}
}
catch(std::exception)
{
return false;
}
return true;
}
