2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* Some high level functions to be used in the record encryption are
27 #include "gnutls_int.h"
28 #include "gnutls_errors.h"
29 #include "gnutls_compress.h"
30 #include "gnutls_cipher.h"
31 #include "algorithms.h"
32 #include "gnutls_hash_int.h"
33 #include "gnutls_cipher_int.h"
35 #include "gnutls_num.h"
36 #include "gnutls_datum.h"
37 #include "gnutls_kx.h"
38 #include "gnutls_record.h"
39 #include "gnutls_constate.h"
40 #include <gnutls_state.h>
43 static int compressed_to_ciphertext (gnutls_session_t session
,
44 uint8_t * cipher_data
, int cipher_size
,
45 gnutls_datum_t
*compressed
,
47 record_parameters_st
* params
);
48 static int ciphertext_to_compressed (gnutls_session_t session
,
49 gnutls_datum_t
*ciphertext
,
50 uint8_t * compress_data
,
53 record_parameters_st
* params
, uint64
* sequence
);
56 is_write_comp_null (record_parameters_st
* record_params
)
58 if (record_params
->compression_algorithm
== GNUTLS_COMP_NULL
)
65 is_read_comp_null (record_parameters_st
* record_params
)
67 if (record_params
->compression_algorithm
== GNUTLS_COMP_NULL
)
74 /* returns ciphertext which contains the headers too. This also
75 * calculates the size in the header field.
77 * If random pad != 0 then the random pad data will be appended.
80 _gnutls_encrypt (gnutls_session_t session
, const uint8_t * headers
,
81 size_t headers_size
, const uint8_t * data
,
82 size_t data_size
, uint8_t * ciphertext
,
83 size_t ciphertext_size
, content_type_t type
,
84 record_parameters_st
* params
)
90 if (data_size
== 0 || is_write_comp_null (params
) == 0)
92 comp
.data
= (uint8_t*)data
;
93 comp
.size
= data_size
;
97 /* Here comp is allocated and must be
102 comp
.size
= ciphertext_size
- headers_size
;
103 comp
.data
= gnutls_malloc(comp
.size
);
104 if (comp
.data
== NULL
)
105 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
107 ret
= _gnutls_compress( ¶ms
->write
.compression_state
, data
, data_size
, comp
.data
, comp
.size
);
110 gnutls_free(comp
.data
);
111 return gnutls_assert_val(ret
);
117 ret
= compressed_to_ciphertext (session
, &ciphertext
[headers_size
],
118 ciphertext_size
- headers_size
,
119 &comp
, type
, params
);
122 gnutls_free(comp
.data
);
125 return gnutls_assert_val(ret
);
127 /* copy the headers */
128 memcpy (ciphertext
, headers
, headers_size
);
131 _gnutls_write_uint16 (ret
, &ciphertext
[11]);
133 _gnutls_write_uint16 (ret
, &ciphertext
[3]);
135 return ret
+ headers_size
;
138 /* Decrypts the given data.
139 * Returns the decrypted data length.
142 _gnutls_decrypt (gnutls_session_t session
, uint8_t * ciphertext
,
143 size_t ciphertext_size
, uint8_t * data
,
144 size_t max_data_size
, content_type_t type
,
145 record_parameters_st
* params
, uint64
*sequence
)
147 gnutls_datum_t gcipher
;
150 if (ciphertext_size
== 0)
153 gcipher
.size
= ciphertext_size
;
154 gcipher
.data
= ciphertext
;
156 if (is_read_comp_null (params
) == 0)
159 ciphertext_to_compressed (session
, &gcipher
, data
, max_data_size
,
160 type
, params
, sequence
);
162 return gnutls_assert_val(ret
);
170 tmp_data
= gnutls_malloc(max_data_size
);
171 if (tmp_data
== NULL
)
172 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
175 ciphertext_to_compressed (session
, &gcipher
, tmp_data
, max_data_size
,
176 type
, params
, sequence
);
184 ret
= _gnutls_decompress( ¶ms
->read
.compression_state
, tmp_data
, data_size
, data
, max_data_size
);
190 gnutls_free(tmp_data
);
197 calc_enc_length (gnutls_session_t session
, int data_size
,
198 int hash_size
, uint8_t * pad
, int random_pad
,
199 unsigned block_algo
, unsigned auth_cipher
, uint16_t blocksize
)
210 length
= data_size
+ hash_size
;
212 length
+= AEAD_EXPLICIT_DATA_SIZE
;
216 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, &rnd
, 1);
218 return gnutls_assert_val(ret
);
220 /* make rnd a multiple of blocksize */
221 if (session
->security_parameters
.version
== GNUTLS_SSL3
||
228 rnd
= (rnd
/ blocksize
) * blocksize
;
229 /* added to avoid the case of pad calculated 0
230 * seen below for pad calculation.
236 length
= data_size
+ hash_size
;
238 *pad
= (uint8_t) (blocksize
- (length
% blocksize
)) + rnd
;
241 if (_gnutls_version_has_explicit_iv
242 (session
->security_parameters
.version
))
243 length
+= blocksize
; /* for the IV */
247 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
253 #define MAX_PREAMBLE_SIZE 16
255 /* generates the authentication data (data to be hashed only
256 * and are not to be sent). Returns their size.
259 make_preamble (uint8_t * uint64_data
, uint8_t type
, unsigned int length
,
260 uint8_t ver
, uint8_t * preamble
)
262 uint8_t minor
= _gnutls_version_get_minor (ver
);
263 uint8_t major
= _gnutls_version_get_major (ver
);
264 uint8_t *p
= preamble
;
267 c_length
= _gnutls_conv_uint16 (length
);
269 memcpy (p
, uint64_data
, 8);
273 if (ver
!= GNUTLS_SSL3
)
274 { /* TLS protocols */
280 memcpy (p
, &c_length
, 2);
285 /* This is the actual encryption
286 * Encrypts the given compressed datum, and puts the result to cipher_data,
287 * which has cipher_size size.
288 * return the actual encrypted data length.
291 compressed_to_ciphertext (gnutls_session_t session
,
292 uint8_t * cipher_data
, int cipher_size
,
293 gnutls_datum_t
*compressed
,
295 record_parameters_st
* params
)
297 uint8_t * tag_ptr
= NULL
;
299 int length
, length_to_encrypt
, ret
;
300 uint8_t preamble
[MAX_PREAMBLE_SIZE
];
302 int tag_size
= _gnutls_auth_cipher_tag_len (¶ms
->write
.cipher_state
);
303 int blocksize
= gnutls_cipher_get_block_size (params
->cipher_algorithm
);
304 unsigned block_algo
=
305 _gnutls_cipher_is_block (params
->cipher_algorithm
);
307 int ver
= gnutls_protocol_get_version (session
);
308 int explicit_iv
= _gnutls_version_has_explicit_iv (session
->security_parameters
.version
);
309 int auth_cipher
= _gnutls_auth_cipher_is_aead(¶ms
->write
.cipher_state
);
312 /* We don't use long padding if requested or if we are in DTLS.
314 if (session
->internals
.priorities
.no_padding
== 0 && (!IS_DTLS(session
)))
319 _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
320 session
, gnutls_cipher_get_name(params
->cipher_algorithm
), gnutls_mac_get_name(params
->mac_algorithm
),
321 (unsigned int)params
->epoch
);
324 make_preamble (UINT64DATA
325 (params
->write
.sequence_number
),
326 type
, compressed
->size
, ver
, preamble
);
328 /* Calculate the encrypted length (padding etc.)
330 length_to_encrypt
= length
=
331 calc_enc_length (session
, compressed
->size
, tag_size
, &pad
,
332 random_pad
, block_algo
, auth_cipher
, blocksize
);
335 return gnutls_assert_val(length
);
338 /* copy the encrypted data to cipher_data.
340 if (cipher_size
< length
)
342 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
345 data_ptr
= cipher_data
;
350 if (block_algo
== CIPHER_BLOCK
)
352 /* copy the random IV.
354 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, data_ptr
, blocksize
);
356 return gnutls_assert_val(ret
);
358 _gnutls_auth_cipher_setiv(¶ms
->write
.cipher_state
, data_ptr
, blocksize
);
360 data_ptr
+= blocksize
;
361 cipher_data
+= blocksize
;
362 length_to_encrypt
-= blocksize
;
364 else if (auth_cipher
)
366 uint8_t nonce
[blocksize
];
368 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
370 if (params
->write
.IV
.data
== NULL
|| params
->write
.IV
.size
!= AEAD_IMPLICIT_DATA_SIZE
)
371 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
373 /* Instead of generating a new nonce on every packet, we use the
374 * write.sequence_number (It is a MAY on RFC 5288).
376 memcpy(nonce
, params
->write
.IV
.data
, params
->write
.IV
.size
);
377 memcpy(&nonce
[AEAD_IMPLICIT_DATA_SIZE
], UINT64DATA(params
->write
.sequence_number
), 8);
379 _gnutls_auth_cipher_setiv(¶ms
->write
.cipher_state
, nonce
, AEAD_IMPLICIT_DATA_SIZE
+AEAD_EXPLICIT_DATA_SIZE
);
381 /* copy the explicit part */
382 memcpy(data_ptr
, &nonce
[AEAD_IMPLICIT_DATA_SIZE
], AEAD_EXPLICIT_DATA_SIZE
);
384 data_ptr
+= AEAD_EXPLICIT_DATA_SIZE
;
385 cipher_data
+= AEAD_EXPLICIT_DATA_SIZE
;
386 /* In AEAD ciphers we don't encrypt the tag
388 length_to_encrypt
-= AEAD_EXPLICIT_DATA_SIZE
+ tag_size
;
393 /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise.
395 if (auth_cipher
) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
398 memcpy (data_ptr
, compressed
->data
, compressed
->size
);
399 data_ptr
+= compressed
->size
;
404 data_ptr
+= tag_size
;
406 if (block_algo
== CIPHER_BLOCK
&& pad
> 0)
408 memset (data_ptr
, pad
- 1, pad
);
411 /* add the authenticate data */
412 ret
= _gnutls_auth_cipher_add_auth(¶ms
->write
.cipher_state
, preamble
, preamble_size
);
414 return gnutls_assert_val(ret
);
416 /* Actual encryption (inplace).
419 _gnutls_auth_cipher_encrypt2_tag (¶ms
->write
.cipher_state
,
420 cipher_data
, length_to_encrypt
,
421 cipher_data
, cipher_size
,
422 tag_ptr
, tag_size
, compressed
->size
);
424 return gnutls_assert_val(ret
);
430 /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
431 * Returns the actual compressed packet size.
434 ciphertext_to_compressed (gnutls_session_t session
,
435 gnutls_datum_t
*ciphertext
,
436 uint8_t * compress_data
,
438 uint8_t type
, record_parameters_st
* params
,
441 uint8_t tag
[MAX_HASH_SIZE
];
443 int length
, length_to_decrypt
;
445 int ret
, i
, pad_failed
= 0;
446 uint8_t preamble
[MAX_PREAMBLE_SIZE
];
447 unsigned int preamble_size
;
448 unsigned int ver
= gnutls_protocol_get_version (session
);
449 unsigned int tag_size
= _gnutls_auth_cipher_tag_len (¶ms
->read
.cipher_state
);
450 unsigned int explicit_iv
= _gnutls_version_has_explicit_iv (session
->security_parameters
.version
);
452 blocksize
= gnutls_cipher_get_block_size (params
->cipher_algorithm
);
454 /* actual decryption (inplace)
456 switch (_gnutls_cipher_is_block (params
->cipher_algorithm
))
459 /* The way AEAD ciphers are defined in RFC5246, it allows
460 * only stream ciphers.
462 if (explicit_iv
&& _gnutls_auth_cipher_is_aead(¶ms
->read
.cipher_state
))
464 uint8_t nonce
[blocksize
];
465 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
467 if (params
->read
.IV
.data
== NULL
|| params
->read
.IV
.size
!= 4)
468 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
470 if (ciphertext
->size
< tag_size
+AEAD_EXPLICIT_DATA_SIZE
)
471 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
473 memcpy(nonce
, params
->read
.IV
.data
, AEAD_IMPLICIT_DATA_SIZE
);
474 memcpy(&nonce
[AEAD_IMPLICIT_DATA_SIZE
], ciphertext
->data
, AEAD_EXPLICIT_DATA_SIZE
);
476 _gnutls_auth_cipher_setiv(¶ms
->read
.cipher_state
, nonce
, AEAD_EXPLICIT_DATA_SIZE
+AEAD_IMPLICIT_DATA_SIZE
);
478 ciphertext
->data
+= AEAD_EXPLICIT_DATA_SIZE
;
479 ciphertext
->size
-= AEAD_EXPLICIT_DATA_SIZE
;
481 length_to_decrypt
= ciphertext
->size
- tag_size
;
485 if (ciphertext
->size
< tag_size
)
486 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
488 length_to_decrypt
= ciphertext
->size
;
491 length
= ciphertext
->size
- tag_size
;
493 /* Pass the type, version, length and compressed through
497 make_preamble (UINT64DATA(*sequence
), type
,
498 length
, ver
, preamble
);
500 ret
= _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, preamble
, preamble_size
);
502 return gnutls_assert_val(ret
);
505 _gnutls_auth_cipher_decrypt2 (¶ms
->read
.cipher_state
,
506 ciphertext
->data
, length_to_decrypt
,
507 ciphertext
->data
, ciphertext
->size
)) < 0)
508 return gnutls_assert_val(ret
);
512 if (ciphertext
->size
< blocksize
|| (ciphertext
->size
% blocksize
!= 0))
513 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
515 /* ignore the IV in TLS 1.1+
519 _gnutls_auth_cipher_setiv(¶ms
->read
.cipher_state
,
520 ciphertext
->data
, blocksize
);
522 ciphertext
->size
-= blocksize
;
523 ciphertext
->data
+= blocksize
;
526 if (ciphertext
->size
< tag_size
)
527 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED
);
529 /* we don't use the auth_cipher interface here, since
530 * TLS with block ciphers is impossible to be used under such
531 * an API. (the length of plaintext is required to calculate
532 * auth_data, but it is not available before decryption).
535 _gnutls_cipher_decrypt (¶ms
->read
.cipher_state
.cipher
,
536 ciphertext
->data
, ciphertext
->size
)) < 0)
537 return gnutls_assert_val(ret
);
539 pad
= ciphertext
->data
[ciphertext
->size
- 1] + 1; /* pad */
542 if ((int) pad
> (int) ciphertext
->size
- tag_size
)
546 ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
547 session
, pad
, ciphertext
->size
, tag_size
);
548 /* We do not fail here. We check below for the
549 * the pad_failed. If zero means success.
551 pad_failed
= GNUTLS_E_DECRYPTION_FAILED
;
555 length
= ciphertext
->size
- tag_size
- pad
;
557 /* Check the pading bytes (TLS 1.x)
559 if (ver
!= GNUTLS_SSL3
)
560 for (i
= 2; i
< pad
; i
++)
562 if (ciphertext
->data
[ciphertext
->size
- i
] !=
563 ciphertext
->data
[ciphertext
->size
- 1])
564 pad_failed
= GNUTLS_E_DECRYPTION_FAILED
;
569 /* Setting a proper length to prevent timing differences in
570 * processing of records with invalid encryption.
572 length
= ciphertext
->size
- tag_size
;
575 /* Pass the type, version, length and compressed through
579 make_preamble (UINT64DATA(*sequence
), type
,
580 length
, ver
, preamble
);
581 ret
= _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, preamble
, preamble_size
);
583 return gnutls_assert_val(ret
);
585 ret
= _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, ciphertext
->data
, length
);
587 return gnutls_assert_val(ret
);
591 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
594 ret
= _gnutls_auth_cipher_tag(¶ms
->read
.cipher_state
, tag
, tag_size
);
596 return gnutls_assert_val(ret
);
598 /* This one was introduced to avoid a timing attack against the TLS
601 /* HMAC was not the same.
603 if (memcmp (tag
, &ciphertext
->data
[length
], tag_size
) != 0 || pad_failed
!= 0)
604 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED
);
606 /* copy the decrypted stuff to compress_data.
608 if (compress_size
< length
)
609 return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED
);
611 if (compress_data
!= ciphertext
->data
)
612 memcpy (compress_data
, ciphertext
->data
, length
);