search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove unneeded stuff.
[gnutls.git] / lib / gnutls_cipher.c
blob716b7c9bd261ba7e38ab493ab74d34d839d66244
1 /*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 3 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>
21 *
22 */
23
24 /* Some high level functions to be used in the record encryption are
25 * included here.
26 */
27
28 #include "gnutls_int.h"
29 #include "gnutls_errors.h"
30 #include "gnutls_compress.h"
31 #include "gnutls_cipher.h"
32 #include "algorithms.h"
33 #include "gnutls_hash_int.h"
34 #include "gnutls_cipher_int.h"
35 #include "debug.h"
36 #include "gnutls_num.h"
37 #include "gnutls_datum.h"
38 #include "gnutls_kx.h"
39 #include "gnutls_record.h"
40 #include "gnutls_constate.h"
41 #include <gnutls_state.h>
42 #include <random.h>
43
44 static int compressed_to_ciphertext (gnutls_session_t session,
45 opaque * cipher_data, int cipher_size,
46 gnutls_datum_t *compressed,
47 content_type_t _type,
48 record_parameters_st * params);
49 static int ciphertext_to_compressed (gnutls_session_t session,
50 gnutls_datum_t *ciphertext,
51 opaque * compress_data,
52 int compress_size,
53 uint8_t type,
54 record_parameters_st * params, uint64* sequence);
55
56 inline static int
57 is_write_comp_null (record_parameters_st * record_params)
58 {
59 if (record_params->compression_algorithm == GNUTLS_COMP_NULL)
60 return 0;
61
62 return 1;
63 }
64
65 inline static int
66 is_read_comp_null (record_parameters_st * record_params)
67 {
68 if (record_params->compression_algorithm == GNUTLS_COMP_NULL)
69 return 0;
70
71 return 1;
72 }
73
74
75 /* returns ciphertext which contains the headers too. This also
76 * calculates the size in the header field.
77 *
78 * If random pad != 0 then the random pad data will be appended.
79 */
80 int
81 _gnutls_encrypt (gnutls_session_t session, const opaque * headers,
82 size_t headers_size, const opaque * data,
83 size_t data_size, opaque * ciphertext,
84 size_t ciphertext_size, content_type_t type,
85 record_parameters_st * params)
86 {
87 gnutls_datum_t comp;
88 int free_comp = 0;
89 int ret;
90
91 if (data_size == 0 || is_write_comp_null (params) == 0)
92 {
93 comp.data = (opaque*)data;
94 comp.size = data_size;
95 }
96 else
97 {
98 /* Here comp is allocated and must be
99 * freed.
100 */
101 free_comp = 1;
102
103 comp.size = ciphertext_size - headers_size;
104 comp.data = gnutls_malloc(comp.size);
105 if (comp.data == NULL)
106 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
107
108 ret = _gnutls_compress( &params->write.compression_state, data, data_size, comp.data, comp.size);
109 if (ret < 0)
110 {
111 gnutls_free(comp.data);
112 return gnutls_assert_val(ret);
113 }
114
115 comp.size = ret;
116 }
117
118 ret = compressed_to_ciphertext (session, &ciphertext[headers_size],
119 ciphertext_size - headers_size,
120 &comp, type, params);
121
122 if (free_comp)
123 gnutls_free(comp.data);
124
125 if (ret < 0)
126 return gnutls_assert_val(ret);
127
128 /* copy the headers */
129 memcpy (ciphertext, headers, headers_size);
130
131 if(IS_DTLS(session))
132 _gnutls_write_uint16 (ret, &ciphertext[11]);
133 else
134 _gnutls_write_uint16 (ret, &ciphertext[3]);
135
136 return ret + headers_size;
137 }
138
139 /* Decrypts the given data.
140 * Returns the decrypted data length.
141 */
142 int
143 _gnutls_decrypt (gnutls_session_t session, opaque * ciphertext,
144 size_t ciphertext_size, uint8_t * data,
145 size_t max_data_size, content_type_t type,
146 record_parameters_st * params, uint64 *sequence)
147 {
148 gnutls_datum_t gcipher;
149 int ret, data_size;
150
151 if (ciphertext_size == 0)
152 return 0;
153
154 gcipher.size = ciphertext_size;
155 gcipher.data = ciphertext;
156
157 if (is_read_comp_null (params) == 0)
158 {
159 ret =
160 ciphertext_to_compressed (session, &gcipher, data, max_data_size,
161 type, params, sequence);
162 if (ret < 0)
163 return gnutls_assert_val(ret);
164
165 return ret;
166 }
167 else
168 {
169 opaque* tmp_data;
170
171 tmp_data = gnutls_malloc(max_data_size);
172 if (tmp_data == NULL)
173 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
174
175 ret =
176 ciphertext_to_compressed (session, &gcipher, tmp_data, max_data_size,
177 type, params, sequence);
178 if (ret < 0)
179 goto leave;
180
181 data_size = ret;
182
183 if (ret != 0)
184 {
185 ret = _gnutls_decompress( &params->read.compression_state, tmp_data, data_size, data, max_data_size);
186 if (ret < 0)
187 goto leave;
188 }
189
190 leave:
191 gnutls_free(tmp_data);
192 return ret;
193 }
194 }
195
196
197 inline static int
198 calc_enc_length (gnutls_session_t session, int data_size,
199 int hash_size, uint8_t * pad, int random_pad,
200 unsigned block_algo, unsigned auth_cipher, uint16_t blocksize)
201 {
202 uint8_t rnd;
203 int length, ret;
204
205 *pad = 0;
206
207 switch (block_algo)
208 {
209 case CIPHER_STREAM:
210 length = data_size + hash_size;
211 if (auth_cipher)
212 length += AEAD_EXPLICIT_DATA_SIZE;
213
214 break;
215 case CIPHER_BLOCK:
216 ret = gnutls_rnd (GNUTLS_RND_NONCE, &rnd, 1);
217 if (ret < 0)
218 return gnutls_assert_val(ret);
219
220 /* make rnd a multiple of blocksize */
221 if (session->security_parameters.version == GNUTLS_SSL3 ||
222 random_pad == 0)
223 {
224 rnd = 0;
225 }
226 else
227 {
228 rnd = (rnd / blocksize) * blocksize;
229 /* added to avoid the case of pad calculated 0
230 * seen below for pad calculation.
231 */
232 if (rnd > blocksize)
233 rnd -= blocksize;
234 }
235
236 length = data_size + hash_size;
237
238 *pad = (uint8_t) (blocksize - (length % blocksize)) + rnd;
239
240 length += *pad;
241 if (_gnutls_version_has_explicit_iv
242 (session->security_parameters.version))
243 length += blocksize; /* for the IV */
244
245 break;
246 default:
247 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
248 }
249
250 return length;
251 }
252
253 #define MAX_PREAMBLE_SIZE 16
254
255 /* generates the authentication data (data to be hashed only
256 * and are not to be send). Returns their size.
257 */
258 static inline int
259 make_preamble (opaque * uint64_data, opaque type, int length,
260 opaque ver, opaque * preamble)
261 {
262 opaque minor = _gnutls_version_get_minor (ver);
263 opaque major = _gnutls_version_get_major (ver);
264 opaque *p = preamble;
265 uint16_t c_length;
266
267 c_length = _gnutls_conv_uint16 (length);
268
269 memcpy (p, uint64_data, 8);
270 p += 8;
271 *p = type;
272 p++;
273 if (ver != GNUTLS_SSL3)
274 { /* TLS protocols */
275 *p = major;
276 p++;
277 *p = minor;
278 p++;
279 }
280 memcpy (p, &c_length, 2);
281 p += 2;
282 return p - preamble;
283 }
284
285 /* This is the actual encryption
286 * Encrypts the given compressed datum, and puts the result to cipher_data,
287 * which has cipher_size size.
288 * return the actual encrypted data length.
289 */
290 static int
291 compressed_to_ciphertext (gnutls_session_t session,
292 opaque * cipher_data, int cipher_size,
293 gnutls_datum_t *compressed,
294 content_type_t type,
295 record_parameters_st * params)
296 {
297 uint8_t * tag_ptr = NULL;
298 uint8_t pad;
299 int length, length_to_encrypt, ret;
300 opaque preamble[MAX_PREAMBLE_SIZE];
301 int preamble_size;
302 int tag_size = _gnutls_auth_cipher_tag_len (&params->write.cipher_state);
303 int blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm);
304 unsigned block_algo =
305 _gnutls_cipher_is_block (params->cipher_algorithm);
306 opaque *data_ptr;
307 int ver = gnutls_protocol_get_version (session);
308 int explicit_iv = _gnutls_version_has_explicit_iv (session->security_parameters.version);
309 int auth_cipher = _gnutls_auth_cipher_is_aead(&params->write.cipher_state);
310 int random_pad;
311
312 /* We don't use long padding if requested or if we are in DTLS.
313 */
314 if (session->internals.priorities.no_padding == 0 && (!IS_DTLS(session)))
315 random_pad = 1;
316 else
317 random_pad = 0;
318
319 _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
320 session, gnutls_cipher_get_name(params->cipher_algorithm), gnutls_mac_get_name(params->mac_algorithm),
321 (unsigned int)params->epoch);
322
323 preamble_size =
324 make_preamble (UINT64DATA
325 (params->write.sequence_number),
326 type, compressed->size, ver, preamble);
327
328 /* Calculate the encrypted length (padding etc.)
329 */
330 length_to_encrypt = length =
331 calc_enc_length (session, compressed->size, tag_size, &pad,
332 random_pad, block_algo, auth_cipher, blocksize);
333 if (length < 0)
334 {
335 return gnutls_assert_val(length);
336 }
337
338 /* copy the encrypted data to cipher_data.
339 */
340 if (cipher_size < length)
341 {
342 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
343 }
344
345 data_ptr = cipher_data;
346
347 if (explicit_iv)
348 {
349
350 if (block_algo == CIPHER_BLOCK)
351 {
352 /* copy the random IV.
353 */
354 ret = gnutls_rnd (GNUTLS_RND_NONCE, data_ptr, blocksize);
355 if (ret < 0)
356 return gnutls_assert_val(ret);
357
358 _gnutls_auth_cipher_setiv(&params->write.cipher_state, data_ptr, blocksize);
359
360 data_ptr += blocksize;
361 cipher_data += blocksize;
362 length_to_encrypt -= blocksize;
363 }
364 else if (auth_cipher)
365 {
366 uint8_t nonce[blocksize];
367
368 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
369 */
370 if (params->write.IV.data == NULL || params->write.IV.size != AEAD_IMPLICIT_DATA_SIZE)
371 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
372
373 /* Instead of generating a new nonce on every packet, we use the
374 * write.sequence_number (It is a MAY on RFC 5288).
375 */
376 memcpy(nonce, params->write.IV.data, params->write.IV.size);
377 memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], UINT64DATA(params->write.sequence_number), 8);
378
379 _gnutls_auth_cipher_setiv(&params->write.cipher_state, nonce, AEAD_IMPLICIT_DATA_SIZE+AEAD_EXPLICIT_DATA_SIZE);
380
381 /* copy the explicit part */
382 memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE], AEAD_EXPLICIT_DATA_SIZE);
383
384 data_ptr += AEAD_EXPLICIT_DATA_SIZE;
385 cipher_data += AEAD_EXPLICIT_DATA_SIZE;
386 /* In AEAD ciphers we don't encrypt the tag
387 */
388 length_to_encrypt -= AEAD_EXPLICIT_DATA_SIZE + tag_size;
389 }
390 }
391 else
392 {
393 /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise.
394 */
395 if (auth_cipher) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
396 }
397
398 memcpy (data_ptr, compressed->data, compressed->size);
399 data_ptr += compressed->size;
400
401 if (tag_size > 0)
402 {
403 tag_ptr = data_ptr;
404 data_ptr += tag_size;
405 }
406 if (block_algo == CIPHER_BLOCK && pad > 0)
407 {
408 memset (data_ptr, pad - 1, pad);
409 }
410
411 /* add the authenticate data */
412 _gnutls_auth_cipher_add_auth(&params->write.cipher_state, preamble, preamble_size);
413
414 /* Actual encryption (inplace).
415 */
416 ret =
417 _gnutls_auth_cipher_encrypt_tag (&params->write.cipher_state,
418 cipher_data, length_to_encrypt, tag_ptr, tag_size, compressed->size);
419 if (ret < 0)
420 return gnutls_assert_val(ret);
421
422 return length;
423 }
424
425
426 /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
427 * Returns the actual compressed packet size.
428 */
429 static int
430 ciphertext_to_compressed (gnutls_session_t session,
431 gnutls_datum_t *ciphertext,
432 opaque * compress_data,
433 int compress_size,
434 uint8_t type, record_parameters_st * params,
435 uint64* sequence)
436 {
437 uint8_t tag[MAX_HASH_SIZE];
438 uint8_t pad;
439 int length, length_to_decrypt;
440 uint16_t blocksize;
441 int ret, i, pad_failed = 0;
442 opaque preamble[MAX_PREAMBLE_SIZE];
443 int preamble_size;
444 int ver = gnutls_protocol_get_version (session);
445 int tag_size = _gnutls_auth_cipher_tag_len (&params->read.cipher_state);
446 int explicit_iv = _gnutls_version_has_explicit_iv (session->security_parameters.version);
447
448 blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm);
449
450 /* actual decryption (inplace)
451 */
452 switch (_gnutls_cipher_is_block (params->cipher_algorithm))
453 {
454 case CIPHER_STREAM:
455 /* The way AEAD ciphers are defined in RFC5246, it allows
456 * only stream ciphers.
457 */
458 if (explicit_iv && _gnutls_auth_cipher_is_aead(&params->read.cipher_state))
459 {
460 uint8_t nonce[blocksize];
461 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
462 */
463 if (params->read.IV.data == NULL || params->read.IV.size != 4)
464 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
465
466 if (ciphertext->size < tag_size+AEAD_EXPLICIT_DATA_SIZE)
467 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
468
469 memcpy(nonce, params->read.IV.data, AEAD_IMPLICIT_DATA_SIZE);
470 memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], ciphertext->data, AEAD_EXPLICIT_DATA_SIZE);
471
472 _gnutls_auth_cipher_setiv(&params->read.cipher_state, nonce, AEAD_EXPLICIT_DATA_SIZE+AEAD_IMPLICIT_DATA_SIZE);
473
474 ciphertext->data += AEAD_EXPLICIT_DATA_SIZE;
475 ciphertext->size -= AEAD_EXPLICIT_DATA_SIZE;
476
477 length_to_decrypt = ciphertext->size - tag_size;
478 }
479 else
480 {
481 if (ciphertext->size < tag_size)
482 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
483
484 length_to_decrypt = ciphertext->size;
485 }
486
487 length = ciphertext->size - tag_size;
488
489 /* Pass the type, version, length and compressed through
490 * MAC.
491 */
492 preamble_size =
493 make_preamble (UINT64DATA(*sequence), type,
494 length, ver, preamble);
495
496 _gnutls_auth_cipher_add_auth (&params->read.cipher_state, preamble, preamble_size);
497
498 if ((ret =
499 _gnutls_auth_cipher_decrypt (&params->read.cipher_state,
500 ciphertext->data, length_to_decrypt)) < 0)
501 return gnutls_assert_val(ret);
502
503 break;
504 case CIPHER_BLOCK:
505 if (ciphertext->size < MAX(blocksize, tag_size) || (ciphertext->size % blocksize != 0))
506 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
507
508 /* ignore the IV in TLS 1.1+
509 */
510 if (explicit_iv)
511 {
512 _gnutls_auth_cipher_setiv(&params->read.cipher_state,
513 ciphertext->data, blocksize);
514
515 ciphertext->size -= blocksize;
516 ciphertext->data += blocksize;
517
518 if (ciphertext->size == 0)
519 {
520 gnutls_assert ();
521 return GNUTLS_E_DECRYPTION_FAILED;
522 }
523 }
524
525 /* we don't use the auth_cipher interface here, since
526 * TLS with block ciphers is impossible to be used under such
527 * an API. (the length of plaintext is required to calculate
528 * auth_data, but it is not available before decryption).
529 */
530 if ((ret =
531 _gnutls_cipher_decrypt (&params->read.cipher_state.cipher,
532 ciphertext->data, ciphertext->size)) < 0)
533 return gnutls_assert_val(ret);
534
535 pad = ciphertext->data[ciphertext->size - 1] + 1; /* pad */
536
537 if ((int) pad > (int) ciphertext->size - tag_size)
538 {
539 gnutls_assert ();
540 _gnutls_record_log
541 ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
542 session, pad, ciphertext->size, tag_size);
543 /* We do not fail here. We check below for the
544 * the pad_failed. If zero means success.
545 */
546 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
547 }
548
549 length = ciphertext->size - tag_size - pad;
550
551 /* Check the pading bytes (TLS 1.x)
552 */
553 if (ver != GNUTLS_SSL3 && pad_failed == 0)
554 for (i = 2; i < pad; i++)
555 {
556 if (ciphertext->data[ciphertext->size - i] !=
557 ciphertext->data[ciphertext->size - 1])
558 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
559 }
560
561 if (length < 0)
562 length = 0;
563
564 /* Pass the type, version, length and compressed through
565 * MAC.
566 */
567 preamble_size =
568 make_preamble (UINT64DATA(*sequence), type,
569 length, ver, preamble);
570 _gnutls_auth_cipher_add_auth (&params->read.cipher_state, preamble, preamble_size);
571 _gnutls_auth_cipher_add_auth (&params->read.cipher_state, ciphertext->data, length);
572
573 break;
574 default:
575 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
576 }
577
578 ret = _gnutls_auth_cipher_tag(&params->read.cipher_state, tag, tag_size);
579 if (ret < 0)
580 return gnutls_assert_val(ret);
581
582 /* This one was introduced to avoid a timing attack against the TLS
583 * 1.0 protocol.
584 */
585 if (pad_failed != 0)
586 return gnutls_assert_val(pad_failed);
587
588 /* HMAC was not the same.
589 */
590 if (memcmp (tag, &ciphertext->data[length], tag_size) != 0)
591 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
592
593 /* copy the decrypted stuff to compress_data.
594 */
595 if (compress_size < length)
596 return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED);
597
598 if (compress_data != ciphertext->data)
599 memcpy (compress_data, ciphertext->data, length);
600
601 return length;
602 }
Implementation of the SSL/TLS protocol