search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tpmtool now accepts the --inder and --outder options.
[gnutls.git] / lib / gnutls_cipher.c
blobe79100324caeb49f190c5ff541d1d12d89391268
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Some high level functions to be used in the record encryption are
24 * included here.
25 */
26
27 #include "gnutls_int.h"
28 #include "gnutls_errors.h"
29 #include "gnutls_compress.h"
30 #include "gnutls_cipher.h"
31 #include "algorithms.h"
32 #include "gnutls_hash_int.h"
33 #include "gnutls_cipher_int.h"
34 #include "debug.h"
35 #include "gnutls_num.h"
36 #include "gnutls_datum.h"
37 #include "gnutls_kx.h"
38 #include "gnutls_record.h"
39 #include "gnutls_constate.h"
40 #include <gnutls_state.h>
41 #include <random.h>
42
43 static int compressed_to_ciphertext (gnutls_session_t session,
44 uint8_t * cipher_data, int cipher_size,
45 gnutls_datum_t *compressed,
46 content_type_t _type,
47 record_parameters_st * params);
48 static int ciphertext_to_compressed (gnutls_session_t session,
49 gnutls_datum_t *ciphertext,
50 uint8_t * compress_data,
51 int compress_size,
52 uint8_t type,
53 record_parameters_st * params, uint64* sequence);
54
55 inline static int
56 is_write_comp_null (record_parameters_st * record_params)
57 {
58 if (record_params->compression_algorithm == GNUTLS_COMP_NULL)
59 return 0;
60
61 return 1;
62 }
63
64 inline static int
65 is_read_comp_null (record_parameters_st * record_params)
66 {
67 if (record_params->compression_algorithm == GNUTLS_COMP_NULL)
68 return 0;
69
70 return 1;
71 }
72
73
74 /* returns ciphertext which contains the headers too. This also
75 * calculates the size in the header field.
76 *
77 * If random pad != 0 then the random pad data will be appended.
78 */
79 int
80 _gnutls_encrypt (gnutls_session_t session, const uint8_t * headers,
81 size_t headers_size, const uint8_t * data,
82 size_t data_size, uint8_t * ciphertext,
83 size_t ciphertext_size, content_type_t type,
84 record_parameters_st * params)
85 {
86 gnutls_datum_t comp;
87 int free_comp = 0;
88 int ret;
89
90 if (data_size == 0 || is_write_comp_null (params) == 0)
91 {
92 comp.data = (uint8_t*)data;
93 comp.size = data_size;
94 }
95 else
96 {
97 /* Here comp is allocated and must be
98 * freed.
99 */
100 free_comp = 1;
101
102 comp.size = ciphertext_size - headers_size;
103 comp.data = gnutls_malloc(comp.size);
104 if (comp.data == NULL)
105 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
106
107 ret = _gnutls_compress( &params->write.compression_state, data, data_size, comp.data, comp.size);
108 if (ret < 0)
109 {
110 gnutls_free(comp.data);
111 return gnutls_assert_val(ret);
112 }
113
114 comp.size = ret;
115 }
116
117 ret = compressed_to_ciphertext (session, &ciphertext[headers_size],
118 ciphertext_size - headers_size,
119 &comp, type, params);
120
121 if (free_comp)
122 gnutls_free(comp.data);
123
124 if (ret < 0)
125 return gnutls_assert_val(ret);
126
127 /* copy the headers */
128 memcpy (ciphertext, headers, headers_size);
129
130 if(IS_DTLS(session))
131 _gnutls_write_uint16 (ret, &ciphertext[11]);
132 else
133 _gnutls_write_uint16 (ret, &ciphertext[3]);
134
135 return ret + headers_size;
136 }
137
138 /* Decrypts the given data.
139 * Returns the decrypted data length.
140 */
141 int
142 _gnutls_decrypt (gnutls_session_t session, uint8_t * ciphertext,
143 size_t ciphertext_size, uint8_t * data,
144 size_t max_data_size, content_type_t type,
145 record_parameters_st * params, uint64 *sequence)
146 {
147 gnutls_datum_t gcipher;
148 int ret, data_size;
149
150 if (ciphertext_size == 0)
151 return 0;
152
153 gcipher.size = ciphertext_size;
154 gcipher.data = ciphertext;
155
156 if (is_read_comp_null (params) == 0)
157 {
158 ret =
159 ciphertext_to_compressed (session, &gcipher, data, max_data_size,
160 type, params, sequence);
161 if (ret < 0)
162 return gnutls_assert_val(ret);
163
164 return ret;
165 }
166 else
167 {
168 uint8_t* tmp_data;
169
170 tmp_data = gnutls_malloc(max_data_size);
171 if (tmp_data == NULL)
172 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
173
174 ret =
175 ciphertext_to_compressed (session, &gcipher, tmp_data, max_data_size,
176 type, params, sequence);
177 if (ret < 0)
178 goto leave;
179
180 data_size = ret;
181
182 if (ret != 0)
183 {
184 ret = _gnutls_decompress( &params->read.compression_state, tmp_data, data_size, data, max_data_size);
185 if (ret < 0)
186 goto leave;
187 }
188
189 leave:
190 gnutls_free(tmp_data);
191 return ret;
192 }
193 }
194
195
196 inline static int
197 calc_enc_length_block (gnutls_session_t session, int data_size,
198 int hash_size, uint8_t * pad,
199 unsigned auth_cipher, uint16_t blocksize)
200 {
201 uint8_t rnd = *pad;
202 unsigned int length;
203
204 *pad = 0;
205
206 /* make rnd a multiple of blocksize */
207 if (session->security_parameters.version == GNUTLS_SSL3)
208 {
209 rnd = 0;
210 }
211
212 if (rnd > 0)
213 {
214 rnd = (rnd / blocksize) * blocksize;
215 /* added to avoid the case of pad calculated 0
216 * seen below for pad calculation.
217 */
218 if (rnd > blocksize)
219 rnd -= blocksize;
220 }
221
222 length = data_size + hash_size;
223
224 *pad = (uint8_t) (blocksize - (length % blocksize)) + rnd;
225
226 length += *pad;
227 if (_gnutls_version_has_explicit_iv
228 (session->security_parameters.version))
229 length += blocksize; /* for the IV */
230
231 return length;
232 }
233
234 inline static int
235 calc_enc_length_stream (gnutls_session_t session, int data_size,
236 int hash_size, unsigned auth_cipher)
237 {
238 unsigned int length;
239
240 length = data_size + hash_size;
241 if (auth_cipher)
242 length += AEAD_EXPLICIT_DATA_SIZE;
243
244 return length;
245 }
246
247 #define MAX_PREAMBLE_SIZE 16
248
249 /* generates the authentication data (data to be hashed only
250 * and are not to be sent). Returns their size.
251 */
252 static inline int
253 make_preamble (uint8_t * uint64_data, uint8_t type, unsigned int length,
254 uint8_t ver, uint8_t * preamble)
255 {
256 uint8_t minor = _gnutls_version_get_minor (ver);
257 uint8_t major = _gnutls_version_get_major (ver);
258 uint8_t *p = preamble;
259 uint16_t c_length;
260
261 c_length = _gnutls_conv_uint16 (length);
262
263 memcpy (p, uint64_data, 8);
264 p += 8;
265 *p = type;
266 p++;
267 if (ver != GNUTLS_SSL3)
268 { /* TLS protocols */
269 *p = major;
270 p++;
271 *p = minor;
272 p++;
273 }
274 memcpy (p, &c_length, 2);
275 p += 2;
276 return p - preamble;
277 }
278
279 /* This is the actual encryption
280 * Encrypts the given compressed datum, and puts the result to cipher_data,
281 * which has cipher_size size.
282 * return the actual encrypted data length.
283 */
284 static int
285 compressed_to_ciphertext (gnutls_session_t session,
286 uint8_t * cipher_data, int cipher_size,
287 gnutls_datum_t *compressed,
288 content_type_t type,
289 record_parameters_st * params)
290 {
291 uint8_t * tag_ptr = NULL;
292 uint8_t pad = 0;
293 int length, length_to_encrypt, ret;
294 uint8_t preamble[MAX_PREAMBLE_SIZE];
295 int preamble_size;
296 int tag_size = _gnutls_auth_cipher_tag_len (&params->write.cipher_state);
297 int blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm);
298 unsigned block_algo =
299 _gnutls_cipher_is_block (params->cipher_algorithm);
300 uint8_t *data_ptr;
301 int ver = gnutls_protocol_get_version (session);
302 int explicit_iv = _gnutls_version_has_explicit_iv (session->security_parameters.version);
303 int auth_cipher = _gnutls_auth_cipher_is_aead(&params->write.cipher_state);
304 uint8_t nonce[MAX_CIPHER_BLOCK_SIZE+1];
305
306
307 _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
308 session, gnutls_cipher_get_name(params->cipher_algorithm), gnutls_mac_get_name(params->mac_algorithm),
309 (unsigned int)params->epoch);
310
311 preamble_size =
312 make_preamble (UINT64DATA
313 (params->write.sequence_number),
314 type, compressed->size, ver, preamble);
315
316 /* Calculate the encrypted length (padding etc.)
317 */
318 if (block_algo == CIPHER_BLOCK)
319 {
320 /* Call _gnutls_rnd() once. Get data used for the IV + 1 for
321 * the random padding.
322 */
323 ret = _gnutls_rnd (GNUTLS_RND_NONCE, nonce, blocksize+1);
324 if (ret < 0)
325 return gnutls_assert_val(ret);
326
327 /* We don't use long padding if requested or if we are in DTLS.
328 */
329 if (session->internals.priorities.no_padding == 0 && !IS_DTLS(session))
330 pad = nonce[blocksize];
331
332 length_to_encrypt = length =
333 calc_enc_length_block (session, compressed->size, tag_size, &pad,
334 auth_cipher, blocksize);
335 }
336 else
337 length_to_encrypt = length =
338 calc_enc_length_stream (session, compressed->size, tag_size,
339 auth_cipher);
340 if (length < 0)
341 {
342 return gnutls_assert_val(length);
343 }
344
345 /* copy the encrypted data to cipher_data.
346 */
347 if (cipher_size < length)
348 {
349 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
350 }
351
352 data_ptr = cipher_data;
353
354 if (explicit_iv)
355 {
356 if (block_algo == CIPHER_BLOCK)
357 {
358 /* copy the random IV.
359 */
360 memcpy(data_ptr, nonce, blocksize);
361 _gnutls_auth_cipher_setiv(&params->write.cipher_state, data_ptr, blocksize);
362
363 data_ptr += blocksize;
364 cipher_data += blocksize;
365 length_to_encrypt -= blocksize;
366 }
367 else if (auth_cipher)
368 {
369 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
370 */
371 if (params->write.IV.data == NULL || params->write.IV.size != AEAD_IMPLICIT_DATA_SIZE)
372 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
373
374 /* Instead of generating a new nonce on every packet, we use the
375 * write.sequence_number (It is a MAY on RFC 5288).
376 */
377 memcpy(nonce, params->write.IV.data, params->write.IV.size);
378 memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], UINT64DATA(params->write.sequence_number), 8);
379
380 _gnutls_auth_cipher_setiv(&params->write.cipher_state, nonce, AEAD_IMPLICIT_DATA_SIZE+AEAD_EXPLICIT_DATA_SIZE);
381
382 /* copy the explicit part */
383 memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE], AEAD_EXPLICIT_DATA_SIZE);
384
385 data_ptr += AEAD_EXPLICIT_DATA_SIZE;
386 cipher_data += AEAD_EXPLICIT_DATA_SIZE;
387 /* In AEAD ciphers we don't encrypt the tag
388 */
389 length_to_encrypt -= AEAD_EXPLICIT_DATA_SIZE + tag_size;
390 }
391 }
392 else
393 {
394 /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise.
395 */
396 if (auth_cipher) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
397 }
398
399 memcpy (data_ptr, compressed->data, compressed->size);
400 data_ptr += compressed->size;
401
402 if (tag_size > 0)
403 {
404 tag_ptr = data_ptr;
405 data_ptr += tag_size;
406 }
407 if (block_algo == CIPHER_BLOCK && pad > 0)
408 {
409 memset (data_ptr, pad - 1, pad);
410 }
411
412 /* add the authenticate data */
413 ret = _gnutls_auth_cipher_add_auth(&params->write.cipher_state, preamble, preamble_size);
414 if (ret < 0)
415 return gnutls_assert_val(ret);
416
417 /* Actual encryption (inplace).
418 */
419 ret =
420 _gnutls_auth_cipher_encrypt2_tag (&params->write.cipher_state,
421 cipher_data, length_to_encrypt,
422 cipher_data, cipher_size,
423 tag_ptr, tag_size, compressed->size);
424 if (ret < 0)
425 return gnutls_assert_val(ret);
426
427 return length;
428 }
429
430
431 /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
432 * Returns the actual compressed packet size.
433 */
434 static int
435 ciphertext_to_compressed (gnutls_session_t session,
436 gnutls_datum_t *ciphertext,
437 uint8_t * compress_data,
438 int compress_size,
439 uint8_t type, record_parameters_st * params,
440 uint64* sequence)
441 {
442 uint8_t tag[MAX_HASH_SIZE];
443 uint8_t pad;
444 int length, length_to_decrypt;
445 uint16_t blocksize;
446 int ret, i, pad_failed = 0;
447 uint8_t preamble[MAX_PREAMBLE_SIZE];
448 unsigned int preamble_size;
449 unsigned int ver = gnutls_protocol_get_version (session);
450 unsigned int tag_size = _gnutls_auth_cipher_tag_len (&params->read.cipher_state);
451 unsigned int explicit_iv = _gnutls_version_has_explicit_iv (session->security_parameters.version);
452
453 blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm);
454
455 /* actual decryption (inplace)
456 */
457 switch (_gnutls_cipher_is_block (params->cipher_algorithm))
458 {
459 case CIPHER_STREAM:
460 /* The way AEAD ciphers are defined in RFC5246, it allows
461 * only stream ciphers.
462 */
463 if (explicit_iv && _gnutls_auth_cipher_is_aead(&params->read.cipher_state))
464 {
465 uint8_t nonce[blocksize];
466 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
467 */
468 if (params->read.IV.data == NULL || params->read.IV.size != 4)
469 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
470
471 if (ciphertext->size < tag_size+AEAD_EXPLICIT_DATA_SIZE)
472 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
473
474 memcpy(nonce, params->read.IV.data, AEAD_IMPLICIT_DATA_SIZE);
475 memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], ciphertext->data, AEAD_EXPLICIT_DATA_SIZE);
476
477 _gnutls_auth_cipher_setiv(&params->read.cipher_state, nonce, AEAD_EXPLICIT_DATA_SIZE+AEAD_IMPLICIT_DATA_SIZE);
478
479 ciphertext->data += AEAD_EXPLICIT_DATA_SIZE;
480 ciphertext->size -= AEAD_EXPLICIT_DATA_SIZE;
481
482 length_to_decrypt = ciphertext->size - tag_size;
483 }
484 else
485 {
486 if (ciphertext->size < tag_size)
487 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
488
489 length_to_decrypt = ciphertext->size;
490 }
491
492 length = ciphertext->size - tag_size;
493
494 /* Pass the type, version, length and compressed through
495 * MAC.
496 */
497 preamble_size =
498 make_preamble (UINT64DATA(*sequence), type,
499 length, ver, preamble);
500
501 ret = _gnutls_auth_cipher_add_auth (&params->read.cipher_state, preamble, preamble_size);
502 if (ret < 0)
503 return gnutls_assert_val(ret);
504
505 if ((ret =
506 _gnutls_auth_cipher_decrypt2 (&params->read.cipher_state,
507 ciphertext->data, length_to_decrypt,
508 ciphertext->data, ciphertext->size)) < 0)
509 return gnutls_assert_val(ret);
510
511 break;
512 case CIPHER_BLOCK:
513 if (ciphertext->size < blocksize || (ciphertext->size % blocksize != 0))
514 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
515
516 /* ignore the IV in TLS 1.1+
517 */
518 if (explicit_iv)
519 {
520 _gnutls_auth_cipher_setiv(&params->read.cipher_state,
521 ciphertext->data, blocksize);
522
523 ciphertext->size -= blocksize;
524 ciphertext->data += blocksize;
525 }
526
527 if (ciphertext->size < tag_size)
528 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
529
530 /* we don't use the auth_cipher interface here, since
531 * TLS with block ciphers is impossible to be used under such
532 * an API. (the length of plaintext is required to calculate
533 * auth_data, but it is not available before decryption).
534 */
535 if ((ret =
536 _gnutls_cipher_decrypt (&params->read.cipher_state.cipher,
537 ciphertext->data, ciphertext->size)) < 0)
538 return gnutls_assert_val(ret);
539
540 pad = ciphertext->data[ciphertext->size - 1] + 1; /* pad */
541
542
543 if ((int) pad > (int) ciphertext->size - tag_size)
544 {
545 gnutls_assert ();
546 _gnutls_record_log
547 ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
548 session, pad, ciphertext->size, tag_size);
549 /* We do not fail here. We check below for the
550 * the pad_failed. If zero means success.
551 */
552 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
553 pad %= blocksize;
554 }
555
556 length = ciphertext->size - tag_size - pad;
557
558 /* Check the pading bytes (TLS 1.x)
559 */
560 if (ver != GNUTLS_SSL3)
561 for (i = 2; i < pad; i++)
562 {
563 if (ciphertext->data[ciphertext->size - i] !=
564 ciphertext->data[ciphertext->size - 1])
565 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
566 }
567
568 if (length < 0)
569 {
570 /* Setting a proper length to prevent timing differences in
571 * processing of records with invalid encryption.
572 */
573 length = ciphertext->size - tag_size;
574 }
575
576 /* Pass the type, version, length and compressed through
577 * MAC.
578 */
579 preamble_size =
580 make_preamble (UINT64DATA(*sequence), type,
581 length, ver, preamble);
582 ret = _gnutls_auth_cipher_add_auth (&params->read.cipher_state, preamble, preamble_size);
583 if (ret < 0)
584 return gnutls_assert_val(ret);
585
586 ret = _gnutls_auth_cipher_add_auth (&params->read.cipher_state, ciphertext->data, length);
587 if (ret < 0)
588 return gnutls_assert_val(ret);
589
590 break;
591 default:
592 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
593 }
594
595 ret = _gnutls_auth_cipher_tag(&params->read.cipher_state, tag, tag_size);
596 if (ret < 0)
597 return gnutls_assert_val(ret);
598
599 /* This one was introduced to avoid a timing attack against the TLS
600 * 1.0 protocol.
601 */
602 /* HMAC was not the same.
603 */
604 if (memcmp (tag, &ciphertext->data[length], tag_size) != 0 || pad_failed != 0)
605 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
606
607 /* copy the decrypted stuff to compress_data.
608 */
609 if (compress_size < length)
610 return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED);
611
612 if (compress_data != ciphertext->data)
613 memcpy (compress_data, ciphertext->data, length);
614
615 return length;
616 }
Implementation of the SSL/TLS protocol