/* This is the actual encryption * Encrypts the given compressed datum, and puts the result to cipher_data, * which has cipher_size size. * return the actual encrypted data length. */ static int compressed_to_ciphertext(gnutls_session_t session, uint8_t * cipher_data, int cipher_size, gnutls_datum_t * compressed, size_t min_pad, content_type_t type, record_parameters_st * params) { uint8_t pad; int length, ret; uint8_t preamble[MAX_PREAMBLE_SIZE]; int preamble_size; int tag_size = _gnutls_auth_cipher_tag_len(¶ms->write.cipher_state); int blocksize = _gnutls_cipher_get_block_size(params->cipher); unsigned algo_type = _gnutls_cipher_type(params->cipher); uint8_t *data_ptr, *full_cipher_ptr; const version_entry_st *ver = get_version(session); int explicit_iv = _gnutls_version_has_explicit_iv(ver); int auth_cipher = _gnutls_auth_cipher_is_aead(¶ms->write.cipher_state); uint8_t nonce[MAX_CIPHER_BLOCK_SIZE]; unsigned imp_iv_size = 0, exp_iv_size = 0; bool etm = 0; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); if (algo_type == CIPHER_BLOCK && params->etm != 0) etm = 1; _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n", session, _gnutls_cipher_get_name(params->cipher), _gnutls_mac_get_name(params->mac), (unsigned int) params->epoch); /* Calculate the encrypted length (padding etc.) */ if (algo_type == CIPHER_BLOCK) { /* Call _gnutls_rnd() once. Get data used for the IV */ ret = _gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize); if (ret < 0) return gnutls_assert_val(ret); pad = min_pad; length = calc_enc_length_block(session, ver, compressed->size, tag_size, &pad, auth_cipher, blocksize, etm); } else { /* AEAD + STREAM */ imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher); exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher); pad = 0; length = calc_enc_length_stream(session, compressed->size, tag_size, auth_cipher, exp_iv_size); } if (length < 0) return gnutls_assert_val(length); /* copy the encrypted data to cipher_data. */ if (cipher_size < length) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); data_ptr = cipher_data; full_cipher_ptr = data_ptr; if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) { if (algo_type == CIPHER_BLOCK && explicit_iv != 0) { /* copy the random IV. */ memcpy(data_ptr, nonce, blocksize); _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, data_ptr, blocksize); data_ptr += blocksize; cipher_data += blocksize; } } else { /* AEAD */ /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block */ if (params->write.IV.data == NULL || params->write.IV.size != imp_iv_size) return gnutls_assert_val (GNUTLS_E_INTERNAL_ERROR); /* Instead of generating a new nonce on every packet, we use the * write.sequence_number (It is a MAY on RFC 5288), and safer * as it will never reuse a value. */ memcpy(nonce, params->write.IV.data, params->write.IV.size); memcpy(&nonce[imp_iv_size], UINT64DATA(params->write.sequence_number), 8); /* copy the explicit part */ memcpy(data_ptr, &nonce[imp_iv_size], exp_iv_size); data_ptr += exp_iv_size; cipher_data += exp_iv_size; } if (etm) ret = length-tag_size; else ret = compressed->size; preamble_size = make_preamble(UINT64DATA(params->write.sequence_number), type, ret, ver, preamble); if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) { /* add the authenticated data */ ret = _gnutls_auth_cipher_add_auth(¶ms->write.cipher_state, preamble, preamble_size); if (ret < 0) return gnutls_assert_val(ret); if (etm && explicit_iv) { /* In EtM we need to hash the IV as well */ ret = _gnutls_auth_cipher_add_auth(¶ms->write.cipher_state, full_cipher_ptr, blocksize); if (ret < 0) return gnutls_assert_val(ret); } /* Actual encryption. */ ret = _gnutls_auth_cipher_encrypt2_tag(¶ms->write.cipher_state, compressed->data, compressed->size, cipher_data, cipher_size, pad); if (ret < 0) return gnutls_assert_val(ret); } else { /* AEAD */ ret = _gnutls_aead_cipher_encrypt(¶ms->write.cipher_state.cipher, nonce, imp_iv_size + exp_iv_size, preamble, preamble_size, tag_size, compressed->data, compressed->size, cipher_data, cipher_size); if (ret < 0) return gnutls_assert_val(ret); } return length; }
/* This is the actual encryption * Encrypts the given compressed datum, and puts the result to cipher_data, * which has cipher_size size. * return the actual encrypted data length. */ static int compressed_to_ciphertext(gnutls_session_t session, uint8_t * cipher_data, int cipher_size, gnutls_datum_t * compressed, size_t min_pad, content_type_t type, record_parameters_st * params) { uint8_t pad; int length, ret; uint8_t preamble[MAX_PREAMBLE_SIZE]; int preamble_size; int tag_size = _gnutls_auth_cipher_tag_len(¶ms->write.cipher_state); int blocksize = _gnutls_cipher_get_block_size(params->cipher); unsigned block_algo = _gnutls_cipher_is_block(params->cipher); uint8_t *data_ptr; const version_entry_st *ver = get_version(session); int explicit_iv = _gnutls_version_has_explicit_iv(ver); int auth_cipher = _gnutls_auth_cipher_is_aead(¶ms->write.cipher_state); uint8_t nonce[MAX_CIPHER_BLOCK_SIZE]; unsigned iv_size; if (unlikely(ver == NULL)) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher); _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n", session, _gnutls_cipher_get_name(params->cipher), _gnutls_mac_get_name(params->mac), (unsigned int) params->epoch); preamble_size = make_preamble(UINT64DATA (params->write.sequence_number), type, compressed->size, ver, preamble); /* Calculate the encrypted length (padding etc.) */ if (block_algo == CIPHER_BLOCK) { /* Call _gnutls_rnd() once. Get data used for the IV */ ret = _gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize); if (ret < 0) return gnutls_assert_val(ret); pad = min_pad; length = calc_enc_length_block(session, ver, compressed->size, tag_size, &pad, auth_cipher, blocksize); } else { pad = 0; length = calc_enc_length_stream(session, compressed->size, tag_size, auth_cipher); } if (length < 0) return gnutls_assert_val(length); /* copy the encrypted data to cipher_data. */ if (cipher_size < length) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); data_ptr = cipher_data; if (explicit_iv) { /* TLS 1.1 or later */ if (block_algo == CIPHER_BLOCK) { /* copy the random IV. */ memcpy(data_ptr, nonce, blocksize); _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, data_ptr, blocksize); data_ptr += blocksize; cipher_data += blocksize; } else if (auth_cipher) { /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block */ if (params->write.IV.data == NULL || params->write.IV.size != AEAD_IMPLICIT_DATA_SIZE) return gnutls_assert_val (GNUTLS_E_INTERNAL_ERROR); /* Instead of generating a new nonce on every packet, we use the * write.sequence_number (It is a MAY on RFC 5288). */ memcpy(nonce, params->write.IV.data, params->write.IV.size); memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], UINT64DATA(params->write.sequence_number), 8); _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, nonce, AEAD_IMPLICIT_DATA_SIZE + AEAD_EXPLICIT_DATA_SIZE); /* copy the explicit part */ memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE], AEAD_EXPLICIT_DATA_SIZE); data_ptr += AEAD_EXPLICIT_DATA_SIZE; cipher_data += AEAD_EXPLICIT_DATA_SIZE; } else if (iv_size > 0) _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, UINT64DATA(params->write. sequence_number), 8); } else { /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise. */ if (auth_cipher) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); else if (block_algo == CIPHER_STREAM && iv_size > 0) _gnutls_auth_cipher_setiv(¶ms->write. cipher_state, UINT64DATA(params->write. sequence_number), 8); } _gnutls_auth_cipher_set_mac_nonce(¶ms->write.cipher_state, UINT64DATA(params->write. sequence_number), 8); /* add the authenticate data */ ret = _gnutls_auth_cipher_add_auth(¶ms->write.cipher_state, preamble, preamble_size); if (ret < 0) return gnutls_assert_val(ret); /* Actual encryption. */ ret = _gnutls_auth_cipher_encrypt2_tag(¶ms->write.cipher_state, compressed->data, compressed->size, cipher_data, cipher_size, pad); if (ret < 0) return gnutls_assert_val(ret); return length; }