/* the same as _gnutls_handshake_sign_crt_vrfy except that it is made for TLS 1.2
*/
static int
_gnutls_handshake_sign_crt_vrfy12(gnutls_session_t session,
gnutls_pcert_st * cert,
gnutls_privkey_t pkey,
gnutls_datum_t * signature)
{
gnutls_datum_t dconcat;
int ret;
uint8_t concat[MAX_SIG_SIZE];
gnutls_sign_algorithm_t sign_algo;
const mac_entry_st *me;
sign_algo = _gnutls_session_get_sign_algo(session, cert);
if (sign_algo == GNUTLS_SIGN_UNKNOWN) {
gnutls_assert();
return GNUTLS_E_UNKNOWN_PK_ALGORITHM;
}
gnutls_sign_algorithm_set_client(session, sign_algo);
me = hash_to_entry(gnutls_sign_get_hash_algorithm(sign_algo));
_gnutls_debug_log("sign handshake cert vrfy: picked %s with %s\n",
gnutls_sign_algorithm_get_name(sign_algo),
_gnutls_mac_get_name(me));
ret =
_gnutls_hash_fast((gnutls_digest_algorithm_t)me->id,
session->internals.handshake_hash_buffer.
data,
session->internals.handshake_hash_buffer.
length, concat);
if (ret < 0)
return gnutls_assert_val(ret);
dconcat.data = concat;
dconcat.size = _gnutls_hash_get_algo_len(me);
ret = sign_tls_hash(session, me, cert, pkey, &dconcat, signature);
if (ret < 0) {
gnutls_assert();
return ret;
}
return sign_algo;
}
/* in case of DSA puts into data, r,s
*/
static int
_wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
gnutls_datum_t * signature,
const gnutls_datum_t * vdata,
const gnutls_pk_params_st * pk_params)
{
int ret;
unsigned int hash_len;
const mac_entry_st *me;
switch (algo) {
case GNUTLS_PK_EC: /* we do ECDSA */
{
struct ecc_scalar priv;
struct dsa_signature sig;
int curve_id = pk_params->flags;
const struct ecc_curve *curve;
curve = get_supported_curve(curve_id);
if (curve == NULL)
return
gnutls_assert_val
(GNUTLS_E_ECC_UNSUPPORTED_CURVE);
ret =
_ecc_params_to_privkey(pk_params, &priv,
curve);
if (ret < 0)
return gnutls_assert_val(ret);
dsa_signature_init(&sig);
me = _gnutls_dsa_q_to_hash(algo, pk_params,
&hash_len);
if (hash_len > vdata->size) {
gnutls_assert();
_gnutls_debug_log
("Security level of algorithm requires hash %s(%d) or better\n",
_gnutls_mac_get_name(me), hash_len);
hash_len = vdata->size;
}
ecdsa_sign(&priv, NULL, rnd_func, hash_len,
vdata->data, &sig);
ret =
_gnutls_encode_ber_rs(signature, &sig.r,
&sig.s);
dsa_signature_clear(&sig);
ecc_scalar_clear(&priv);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
break;
}
case GNUTLS_PK_DSA:
{
struct dsa_public_key pub;
struct dsa_private_key priv;
struct dsa_signature sig;
memset(&priv, 0, sizeof(priv));
memset(&pub, 0, sizeof(pub));
_dsa_params_to_pubkey(pk_params, &pub);
_dsa_params_to_privkey(pk_params, &priv);
dsa_signature_init(&sig);
me = _gnutls_dsa_q_to_hash(algo, pk_params,
&hash_len);
if (hash_len > vdata->size) {
gnutls_assert();
_gnutls_debug_log
("Security level of algorithm requires hash %s(%d) or better\n",
_gnutls_mac_get_name(me), hash_len);
hash_len = vdata->size;
}
ret =
_dsa_sign(&pub, &priv, NULL, rnd_func,
hash_len, vdata->data, &sig);
if (ret == 0) {
gnutls_assert();
ret = GNUTLS_E_PK_SIGN_FAILED;
goto dsa_fail;
}
ret =
_gnutls_encode_ber_rs(signature, &sig.r,
&sig.s);
dsa_fail:
dsa_signature_clear(&sig);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
break;
}
case GNUTLS_PK_RSA:
{
struct rsa_private_key priv;
struct rsa_public_key pub;
mpz_t s;
_rsa_params_to_privkey(pk_params, &priv);
_rsa_params_to_pubkey(pk_params, &pub);
mpz_init(s);
ret =
rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_func,
vdata->size, vdata->data, s);
if (ret == 0) {
gnutls_assert();
ret = GNUTLS_E_PK_SIGN_FAILED;
goto rsa_fail;
}
ret =
_gnutls_mpi_dprint_size(s, signature,
pub.size);
rsa_fail:
mpz_clear(s);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
break;
}
default:
gnutls_assert();
ret = GNUTLS_E_INTERNAL_ERROR;
goto cleanup;
}
ret = 0;
cleanup:
return ret;
}
/* This is the actual encryption
* Encrypts the given compressed datum, and puts the result to cipher_data,
* which has cipher_size size.
* return the actual encrypted data length.
*/
static int
compressed_to_ciphertext(gnutls_session_t session,
uint8_t * cipher_data, int cipher_size,
gnutls_datum_t * compressed,
size_t min_pad,
content_type_t type,
record_parameters_st * params)
{
uint8_t pad;
int length, ret;
uint8_t preamble[MAX_PREAMBLE_SIZE];
int preamble_size;
int tag_size =
_gnutls_auth_cipher_tag_len(¶ms->write.cipher_state);
int blocksize = _gnutls_cipher_get_block_size(params->cipher);
unsigned algo_type = _gnutls_cipher_type(params->cipher);
uint8_t *data_ptr, *full_cipher_ptr;
const version_entry_st *ver = get_version(session);
int explicit_iv = _gnutls_version_has_explicit_iv(ver);
int auth_cipher =
_gnutls_auth_cipher_is_aead(¶ms->write.cipher_state);
uint8_t nonce[MAX_CIPHER_BLOCK_SIZE];
unsigned imp_iv_size = 0, exp_iv_size = 0;
bool etm = 0;
if (unlikely(ver == NULL))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
if (algo_type == CIPHER_BLOCK && params->etm != 0)
etm = 1;
_gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
session, _gnutls_cipher_get_name(params->cipher),
_gnutls_mac_get_name(params->mac),
(unsigned int) params->epoch);
/* Calculate the encrypted length (padding etc.)
*/
if (algo_type == CIPHER_BLOCK) {
/* Call _gnutls_rnd() once. Get data used for the IV
*/
ret = _gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize);
if (ret < 0)
return gnutls_assert_val(ret);
pad = min_pad;
length =
calc_enc_length_block(session, ver, compressed->size,
tag_size, &pad, auth_cipher,
blocksize, etm);
} else { /* AEAD + STREAM */
imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher);
exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher);
pad = 0;
length =
calc_enc_length_stream(session, compressed->size,
tag_size, auth_cipher, exp_iv_size);
}
if (length < 0)
return gnutls_assert_val(length);
/* copy the encrypted data to cipher_data.
*/
if (cipher_size < length)
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
data_ptr = cipher_data;
full_cipher_ptr = data_ptr;
if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) {
if (algo_type == CIPHER_BLOCK && explicit_iv != 0) {
/* copy the random IV.
*/
memcpy(data_ptr, nonce, blocksize);
_gnutls_auth_cipher_setiv(¶ms->write.
cipher_state, data_ptr,
blocksize);
data_ptr += blocksize;
cipher_data += blocksize;
}
} else { /* AEAD */
/* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
*/
if (params->write.IV.data == NULL
|| params->write.IV.size !=
imp_iv_size)
return
gnutls_assert_val
(GNUTLS_E_INTERNAL_ERROR);
/* Instead of generating a new nonce on every packet, we use the
* write.sequence_number (It is a MAY on RFC 5288), and safer
* as it will never reuse a value.
*/
memcpy(nonce, params->write.IV.data,
params->write.IV.size);
memcpy(&nonce[imp_iv_size],
UINT64DATA(params->write.sequence_number),
8);
/* copy the explicit part */
memcpy(data_ptr, &nonce[imp_iv_size],
exp_iv_size);
data_ptr += exp_iv_size;
cipher_data += exp_iv_size;
}
if (etm)
ret = length-tag_size;
else
ret = compressed->size;
preamble_size =
make_preamble(UINT64DATA(params->write.sequence_number),
type, ret, ver, preamble);
if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) {
/* add the authenticated data */
ret =
_gnutls_auth_cipher_add_auth(¶ms->write.cipher_state,
preamble, preamble_size);
if (ret < 0)
return gnutls_assert_val(ret);
if (etm && explicit_iv) {
/* In EtM we need to hash the IV as well */
ret =
_gnutls_auth_cipher_add_auth(¶ms->write.cipher_state,
full_cipher_ptr, blocksize);
if (ret < 0)
return gnutls_assert_val(ret);
}
/* Actual encryption.
*/
ret =
_gnutls_auth_cipher_encrypt2_tag(¶ms->write.cipher_state,
compressed->data,
compressed->size, cipher_data,
cipher_size, pad);
if (ret < 0)
return gnutls_assert_val(ret);
} else { /* AEAD */
ret = _gnutls_aead_cipher_encrypt(¶ms->write.cipher_state.cipher,
nonce, imp_iv_size + exp_iv_size,
preamble, preamble_size,
tag_size,
compressed->data, compressed->size,
cipher_data, cipher_size);
if (ret < 0)
return gnutls_assert_val(ret);
}
return length;
}
static int
compressed_to_ciphertext_new(gnutls_session_t session,
uint8_t * cipher_data, int cipher_size,
gnutls_datum_t * compressed,
size_t min_pad,
content_type_t type,
record_parameters_st * params)
{
uint16_t pad = min_pad;
int length, length_to_encrypt, ret;
uint8_t preamble[MAX_PREAMBLE_SIZE];
int preamble_size;
int tag_size =
_gnutls_auth_cipher_tag_len(¶ms->write.cipher_state);
int blocksize = _gnutls_cipher_get_block_size(params->cipher);
unsigned block_algo = _gnutls_cipher_is_block(params->cipher);
uint8_t *data_ptr;
const version_entry_st *ver = get_version(session);
int explicit_iv = _gnutls_version_has_explicit_iv(ver);
int auth_cipher =
_gnutls_auth_cipher_is_aead(¶ms->write.cipher_state);
uint8_t nonce[MAX_CIPHER_BLOCK_SIZE];
unsigned iv_size, final_cipher_size;
if (unlikely(ver == NULL))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher);
_gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
session, _gnutls_cipher_get_name(params->cipher),
_gnutls_mac_get_name(params->mac),
(unsigned int) params->epoch);
/* Call _gnutls_rnd() once. Get data used for the IV
*/
ret = _gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize);
if (ret < 0)
return gnutls_assert_val(ret);
/* cipher_data points to the start of data to be encrypted */
data_ptr = cipher_data;
length_to_encrypt = length = 0;
if (explicit_iv) {
if (block_algo == CIPHER_BLOCK) {
/* copy the random IV.
*/
DECR_LEN(cipher_size, blocksize);
memcpy(data_ptr, nonce, blocksize);
_gnutls_auth_cipher_setiv(¶ms->write.
cipher_state, data_ptr,
blocksize);
data_ptr += blocksize;
cipher_data += blocksize;
length += blocksize;
} else if (auth_cipher) {
/* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
*/
if (params->write.IV.data == NULL
|| params->write.IV.size !=
AEAD_IMPLICIT_DATA_SIZE)
return
gnutls_assert_val
(GNUTLS_E_INTERNAL_ERROR);
/* Instead of generating a new nonce on every packet, we use the
* write.sequence_number (It is a MAY on RFC 5288).
*/
memcpy(nonce, params->write.IV.data,
params->write.IV.size);
memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE],
UINT64DATA(params->write.sequence_number),
8);
_gnutls_auth_cipher_setiv(¶ms->write.
cipher_state, nonce,
AEAD_IMPLICIT_DATA_SIZE +
AEAD_EXPLICIT_DATA_SIZE);
/* copy the explicit part */
DECR_LEN(cipher_size, AEAD_EXPLICIT_DATA_SIZE);
memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE],
AEAD_EXPLICIT_DATA_SIZE);
data_ptr += AEAD_EXPLICIT_DATA_SIZE;
cipher_data += AEAD_EXPLICIT_DATA_SIZE;
length += AEAD_EXPLICIT_DATA_SIZE;
} else if (iv_size > 0)
_gnutls_auth_cipher_setiv(¶ms->write.
cipher_state,
UINT64DATA(params->write.
sequence_number),
8);
} else {
/* AEAD ciphers have an explicit IV. Shouldn't be used otherwise.
*/
if (auth_cipher)
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
}
DECR_LEN(cipher_size, 2);
if (block_algo == CIPHER_BLOCK) { /* make pad a multiple of blocksize */
unsigned t =
(2 + pad + compressed->size + tag_size) % blocksize;
if (t > 0) {
pad += blocksize - t;
}
}
_gnutls_write_uint16(pad, data_ptr);
data_ptr += 2;
length_to_encrypt += 2;
length += 2;
final_cipher_size = cipher_size;
if (pad > 0) {
unsigned t;
t = cipher_size - compressed->size;
if (pad > t) {
if (block_algo == CIPHER_BLOCK) {
if (pad <= blocksize)
return
gnutls_assert_val
(GNUTLS_E_INVALID_REQUEST);
pad -= blocksize * ((pad - t) / blocksize);
} else
pad = t;
}
DECR_LEN(cipher_size, pad);
memset(data_ptr, 0, pad);
data_ptr += pad;
length_to_encrypt += pad;
length += pad;
}
DECR_LEN(cipher_size, compressed->size);
memcpy(data_ptr, compressed->data, compressed->size);
data_ptr += compressed->size;
length_to_encrypt += compressed->size;
length += compressed->size;
if (tag_size > 0) {
DECR_LEN(cipher_size, tag_size);
data_ptr += tag_size;
/* In AEAD ciphers we don't encrypt the tag
*/
length += tag_size;
}
preamble_size =
make_preamble(UINT64DATA
(params->write.sequence_number),
type, compressed->size + 2 + pad, ver, preamble);
_gnutls_auth_cipher_set_mac_nonce(¶ms->write.cipher_state,
UINT64DATA(params->write.
sequence_number), 8);
/* add the authenticated data */
ret =
_gnutls_auth_cipher_add_auth(¶ms->write.cipher_state,
preamble, preamble_size);
if (ret < 0)
return gnutls_assert_val(ret);
/* Actual encryption (inplace).
*/
ret =
_gnutls_auth_cipher_encrypt2_tag(¶ms->write.cipher_state,
cipher_data,
length_to_encrypt,
cipher_data,
final_cipher_size, 0);
if (ret < 0)
return gnutls_assert_val(ret);
return length;
}
/* This is the actual encryption
* Encrypts the given compressed datum, and puts the result to cipher_data,
* which has cipher_size size.
* return the actual encrypted data length.
*/
static int
compressed_to_ciphertext(gnutls_session_t session,
uint8_t * cipher_data, int cipher_size,
gnutls_datum_t * compressed,
size_t min_pad,
content_type_t type,
record_parameters_st * params)
{
uint8_t pad;
int length, ret;
uint8_t preamble[MAX_PREAMBLE_SIZE];
int preamble_size;
int tag_size =
_gnutls_auth_cipher_tag_len(¶ms->write.cipher_state);
int blocksize = _gnutls_cipher_get_block_size(params->cipher);
unsigned block_algo = _gnutls_cipher_is_block(params->cipher);
uint8_t *data_ptr;
const version_entry_st *ver = get_version(session);
int explicit_iv = _gnutls_version_has_explicit_iv(ver);
int auth_cipher =
_gnutls_auth_cipher_is_aead(¶ms->write.cipher_state);
uint8_t nonce[MAX_CIPHER_BLOCK_SIZE];
unsigned iv_size;
if (unlikely(ver == NULL))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher);
_gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
session, _gnutls_cipher_get_name(params->cipher),
_gnutls_mac_get_name(params->mac),
(unsigned int) params->epoch);
preamble_size =
make_preamble(UINT64DATA
(params->write.sequence_number),
type, compressed->size, ver, preamble);
/* Calculate the encrypted length (padding etc.)
*/
if (block_algo == CIPHER_BLOCK) {
/* Call _gnutls_rnd() once. Get data used for the IV
*/
ret = _gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize);
if (ret < 0)
return gnutls_assert_val(ret);
pad = min_pad;
length =
calc_enc_length_block(session, ver, compressed->size,
tag_size, &pad, auth_cipher,
blocksize);
} else {
pad = 0;
length =
calc_enc_length_stream(session, compressed->size,
tag_size, auth_cipher);
}
if (length < 0)
return gnutls_assert_val(length);
/* copy the encrypted data to cipher_data.
*/
if (cipher_size < length)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
data_ptr = cipher_data;
if (explicit_iv) { /* TLS 1.1 or later */
if (block_algo == CIPHER_BLOCK) {
/* copy the random IV.
*/
memcpy(data_ptr, nonce, blocksize);
_gnutls_auth_cipher_setiv(¶ms->write.
cipher_state, data_ptr,
blocksize);
data_ptr += blocksize;
cipher_data += blocksize;
} else if (auth_cipher) {
/* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
*/
if (params->write.IV.data == NULL
|| params->write.IV.size !=
AEAD_IMPLICIT_DATA_SIZE)
return
gnutls_assert_val
(GNUTLS_E_INTERNAL_ERROR);
/* Instead of generating a new nonce on every packet, we use the
* write.sequence_number (It is a MAY on RFC 5288).
*/
memcpy(nonce, params->write.IV.data,
params->write.IV.size);
memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE],
UINT64DATA(params->write.sequence_number),
8);
_gnutls_auth_cipher_setiv(¶ms->write.
cipher_state, nonce,
AEAD_IMPLICIT_DATA_SIZE +
AEAD_EXPLICIT_DATA_SIZE);
/* copy the explicit part */
memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE],
AEAD_EXPLICIT_DATA_SIZE);
data_ptr += AEAD_EXPLICIT_DATA_SIZE;
cipher_data += AEAD_EXPLICIT_DATA_SIZE;
} else if (iv_size > 0)
_gnutls_auth_cipher_setiv(¶ms->write.
cipher_state,
UINT64DATA(params->write.
sequence_number),
8);
} else {
/* AEAD ciphers have an explicit IV. Shouldn't be used otherwise.
*/
if (auth_cipher)
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
else if (block_algo == CIPHER_STREAM && iv_size > 0)
_gnutls_auth_cipher_setiv(¶ms->write.
cipher_state,
UINT64DATA(params->write.
sequence_number),
8);
}
_gnutls_auth_cipher_set_mac_nonce(¶ms->write.cipher_state,
UINT64DATA(params->write.
sequence_number), 8);
/* add the authenticate data */
ret =
_gnutls_auth_cipher_add_auth(¶ms->write.cipher_state,
preamble, preamble_size);
if (ret < 0)
return gnutls_assert_val(ret);
/* Actual encryption.
*/
ret =
_gnutls_auth_cipher_encrypt2_tag(¶ms->write.cipher_state,
compressed->data,
compressed->size, cipher_data,
cipher_size, pad);
if (ret < 0)
return gnutls_assert_val(ret);
return length;
}
static int
encrypt_packet_tls13(gnutls_session_t session,
uint8_t *cipher_data, size_t cipher_size,
gnutls_datum_t *plain,
size_t pad_size,
uint8_t type,
record_parameters_st *params)
{
int ret;
unsigned int tag_size = params->write.aead_tag_size;
const version_entry_st *ver = get_version(session);
uint8_t nonce[MAX_CIPHER_IV_SIZE];
unsigned iv_size = 0;
ssize_t max, total;
uint8_t aad[5];
giovec_t auth_iov[1];
giovec_t iov[2];
if (unlikely(ver == NULL))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
_gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
session, _gnutls_cipher_get_name(params->cipher),
_gnutls_mac_get_name(params->mac),
(unsigned int) params->epoch);
iv_size = params->write.iv_size;
if (params->cipher->id == GNUTLS_CIPHER_NULL) {
if (cipher_size < plain->size+1)
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
memcpy(cipher_data, plain->data, plain->size);
return plain->size;
}
if (unlikely(iv_size < 8))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
memcpy(nonce, params->write.iv, iv_size);
memxor(&nonce[iv_size-8], UINT64DATA(params->write.sequence_number), 8);
max = MAX_RECORD_SEND_SIZE(session);
/* make TLS 1.3 form of data */
total = plain->size + 1 + pad_size;
/* check whether padding would exceed max */
if (total > max) {
if (unlikely(max < (ssize_t)plain->size+1))
return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
pad_size = max - plain->size - 1;
total = max;
}
/* create authenticated data header */
aad[0] = GNUTLS_APPLICATION_DATA;
aad[1] = 0x03;
aad[2] = 0x03;
_gnutls_write_uint16(total+tag_size, &aad[3]);
auth_iov[0].iov_base = aad;
auth_iov[0].iov_len = sizeof(aad);
iov[0].iov_base = plain->data;
iov[0].iov_len = plain->size;
if (pad_size || (session->internals.flags & GNUTLS_SAFE_PADDING_CHECK)) {
uint8_t *pad = gnutls_calloc(1, 1+pad_size);
if (pad == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
pad[0] = type;
iov[1].iov_base = pad;
iov[1].iov_len = 1+pad_size;
ret = gnutls_aead_cipher_encryptv(¶ms->write.ctx.aead,
nonce, iv_size,
auth_iov, 1,
tag_size,
iov, 2,
cipher_data, &cipher_size);
gnutls_free(pad);
} else {
iov[1].iov_base = &type;
iov[1].iov_len = 1;
ret = gnutls_aead_cipher_encryptv(¶ms->write.ctx.aead,
nonce, iv_size,
auth_iov, 1,
tag_size,
iov, 2,
cipher_data, &cipher_size);
}
if (ret < 0)
return gnutls_assert_val(ret);
return cipher_size;
}
