2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 3 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this program. If not, see <http://www.gnu.org/licenses/>
24 /* Some high level functions to be used in the record encryption are
28 #include "gnutls_int.h"
29 #include "gnutls_errors.h"
30 #include "gnutls_compress.h"
31 #include "gnutls_cipher.h"
32 #include "algorithms.h"
33 #include "gnutls_hash_int.h"
34 #include "gnutls_cipher_int.h"
36 #include "gnutls_num.h"
37 #include "gnutls_datum.h"
38 #include "gnutls_kx.h"
39 #include "gnutls_record.h"
40 #include "gnutls_constate.h"
41 #include <gnutls_state.h>
44 static int compressed_to_ciphertext (gnutls_session_t session
,
45 opaque
* cipher_data
, int cipher_size
,
46 gnutls_datum_t
*compressed
,
48 record_parameters_st
* params
);
49 static int ciphertext_to_compressed (gnutls_session_t session
,
50 gnutls_datum_t
*ciphertext
,
51 opaque
* compress_data
,
54 record_parameters_st
* params
, uint64
* sequence
);
57 is_write_comp_null (record_parameters_st
* record_params
)
59 if (record_params
->compression_algorithm
== GNUTLS_COMP_NULL
)
66 is_read_comp_null (record_parameters_st
* record_params
)
68 if (record_params
->compression_algorithm
== GNUTLS_COMP_NULL
)
75 /* returns ciphertext which contains the headers too. This also
76 * calculates the size in the header field.
78 * If random pad != 0 then the random pad data will be appended.
81 _gnutls_encrypt (gnutls_session_t session
, const opaque
* headers
,
82 size_t headers_size
, const opaque
* data
,
83 size_t data_size
, opaque
* ciphertext
,
84 size_t ciphertext_size
, content_type_t type
,
85 record_parameters_st
* params
)
91 if (data_size
== 0 || is_write_comp_null (params
) == 0)
93 comp
.data
= (opaque
*)data
;
94 comp
.size
= data_size
;
98 /* Here comp is allocated and must be
103 comp
.size
= ciphertext_size
- headers_size
;
104 comp
.data
= gnutls_malloc(comp
.size
);
105 if (comp
.data
== NULL
)
106 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
108 ret
= _gnutls_compress( ¶ms
->write
.compression_state
, data
, data_size
, comp
.data
, comp
.size
);
111 gnutls_free(comp
.data
);
112 return gnutls_assert_val(ret
);
118 ret
= compressed_to_ciphertext (session
, &ciphertext
[headers_size
],
119 ciphertext_size
- headers_size
,
120 &comp
, type
, params
);
123 gnutls_free(comp
.data
);
126 return gnutls_assert_val(ret
);
128 /* copy the headers */
129 memcpy (ciphertext
, headers
, headers_size
);
132 _gnutls_write_uint16 (ret
, &ciphertext
[11]);
134 _gnutls_write_uint16 (ret
, &ciphertext
[3]);
136 return ret
+ headers_size
;
139 /* Decrypts the given data.
140 * Returns the decrypted data length.
143 _gnutls_decrypt (gnutls_session_t session
, opaque
* ciphertext
,
144 size_t ciphertext_size
, uint8_t * data
,
145 size_t max_data_size
, content_type_t type
,
146 record_parameters_st
* params
, uint64
*sequence
)
148 gnutls_datum_t gcipher
;
151 if (ciphertext_size
== 0)
154 gcipher
.size
= ciphertext_size
;
155 gcipher
.data
= ciphertext
;
157 if (is_read_comp_null (params
) == 0)
160 ciphertext_to_compressed (session
, &gcipher
, data
, max_data_size
,
161 type
, params
, sequence
);
163 return gnutls_assert_val(ret
);
171 tmp_data
= gnutls_malloc(max_data_size
);
172 if (tmp_data
== NULL
)
173 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
176 ciphertext_to_compressed (session
, &gcipher
, tmp_data
, max_data_size
,
177 type
, params
, sequence
);
185 ret
= _gnutls_decompress( ¶ms
->read
.compression_state
, tmp_data
, data_size
, data
, max_data_size
);
191 gnutls_free(tmp_data
);
198 calc_enc_length (gnutls_session_t session
, int data_size
,
199 int hash_size
, uint8_t * pad
, int random_pad
,
200 unsigned block_algo
, unsigned auth_cipher
, uint16_t blocksize
)
210 length
= data_size
+ hash_size
;
212 length
+= AEAD_EXPLICIT_DATA_SIZE
;
216 ret
= gnutls_rnd (GNUTLS_RND_NONCE
, &rnd
, 1);
218 return gnutls_assert_val(ret
);
220 /* make rnd a multiple of blocksize */
221 if (session
->security_parameters
.version
== GNUTLS_SSL3
||
228 rnd
= (rnd
/ blocksize
) * blocksize
;
229 /* added to avoid the case of pad calculated 0
230 * seen below for pad calculation.
236 length
= data_size
+ hash_size
;
238 *pad
= (uint8_t) (blocksize
- (length
% blocksize
)) + rnd
;
241 if (_gnutls_version_has_explicit_iv
242 (session
->security_parameters
.version
))
243 length
+= blocksize
; /* for the IV */
247 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
253 #define MAX_PREAMBLE_SIZE 16
255 /* generates the authentication data (data to be hashed only
256 * and are not to be send). Returns their size.
259 make_preamble (opaque
* uint64_data
, opaque type
, int length
,
260 opaque ver
, opaque
* preamble
)
262 opaque minor
= _gnutls_version_get_minor (ver
);
263 opaque major
= _gnutls_version_get_major (ver
);
264 opaque
*p
= preamble
;
267 c_length
= _gnutls_conv_uint16 (length
);
269 memcpy (p
, uint64_data
, 8);
273 if (ver
!= GNUTLS_SSL3
)
274 { /* TLS protocols */
280 memcpy (p
, &c_length
, 2);
285 /* This is the actual encryption
286 * Encrypts the given compressed datum, and puts the result to cipher_data,
287 * which has cipher_size size.
288 * return the actual encrypted data length.
291 compressed_to_ciphertext (gnutls_session_t session
,
292 opaque
* cipher_data
, int cipher_size
,
293 gnutls_datum_t
*compressed
,
295 record_parameters_st
* params
)
297 uint8_t * tag_ptr
= NULL
;
299 int length
, length_to_encrypt
, ret
;
300 opaque preamble
[MAX_PREAMBLE_SIZE
];
302 int tag_size
= _gnutls_auth_cipher_tag_len (¶ms
->write
.cipher_state
);
303 int blocksize
= gnutls_cipher_get_block_size (params
->cipher_algorithm
);
304 unsigned block_algo
=
305 _gnutls_cipher_is_block (params
->cipher_algorithm
);
307 int ver
= gnutls_protocol_get_version (session
);
308 int explicit_iv
= _gnutls_version_has_explicit_iv (session
->security_parameters
.version
);
309 int auth_cipher
= _gnutls_auth_cipher_is_aead(¶ms
->write
.cipher_state
);
312 /* We don't use long padding if requested or if we are in DTLS.
314 if (session
->internals
.priorities
.no_padding
== 0 && (!IS_DTLS(session
)))
319 _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
320 session
, gnutls_cipher_get_name(params
->cipher_algorithm
), gnutls_mac_get_name(params
->mac_algorithm
),
321 (unsigned int)params
->epoch
);
324 make_preamble (UINT64DATA
325 (params
->write
.sequence_number
),
326 type
, compressed
->size
, ver
, preamble
);
328 /* Calculate the encrypted length (padding etc.)
330 length_to_encrypt
= length
=
331 calc_enc_length (session
, compressed
->size
, tag_size
, &pad
,
332 random_pad
, block_algo
, auth_cipher
, blocksize
);
335 return gnutls_assert_val(length
);
338 /* copy the encrypted data to cipher_data.
340 if (cipher_size
< length
)
342 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
345 data_ptr
= cipher_data
;
350 if (block_algo
== CIPHER_BLOCK
)
352 /* copy the random IV.
354 ret
= gnutls_rnd (GNUTLS_RND_NONCE
, data_ptr
, blocksize
);
356 return gnutls_assert_val(ret
);
358 _gnutls_auth_cipher_setiv(¶ms
->write
.cipher_state
, data_ptr
, blocksize
);
360 data_ptr
+= blocksize
;
361 cipher_data
+= blocksize
;
362 length_to_encrypt
-= blocksize
;
364 else if (auth_cipher
)
366 uint8_t nonce
[blocksize
];
368 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
370 if (params
->write
.IV
.data
== NULL
|| params
->write
.IV
.size
!= AEAD_IMPLICIT_DATA_SIZE
)
371 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
373 /* Instead of generating a new nonce on every packet, we use the
374 * write.sequence_number (It is a MAY on RFC 5288).
376 memcpy(nonce
, params
->write
.IV
.data
, params
->write
.IV
.size
);
377 memcpy(&nonce
[AEAD_IMPLICIT_DATA_SIZE
], UINT64DATA(params
->write
.sequence_number
), 8);
379 _gnutls_auth_cipher_setiv(¶ms
->write
.cipher_state
, nonce
, AEAD_IMPLICIT_DATA_SIZE
+AEAD_EXPLICIT_DATA_SIZE
);
381 /* copy the explicit part */
382 memcpy(data_ptr
, &nonce
[AEAD_IMPLICIT_DATA_SIZE
], AEAD_EXPLICIT_DATA_SIZE
);
384 data_ptr
+= AEAD_EXPLICIT_DATA_SIZE
;
385 cipher_data
+= AEAD_EXPLICIT_DATA_SIZE
;
386 /* In AEAD ciphers we don't encrypt the tag
388 length_to_encrypt
-= AEAD_EXPLICIT_DATA_SIZE
+ tag_size
;
393 /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise.
395 if (auth_cipher
) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
398 memcpy (data_ptr
, compressed
->data
, compressed
->size
);
399 data_ptr
+= compressed
->size
;
404 data_ptr
+= tag_size
;
406 if (block_algo
== CIPHER_BLOCK
&& pad
> 0)
408 memset (data_ptr
, pad
- 1, pad
);
411 /* add the authenticate data */
412 _gnutls_auth_cipher_add_auth(¶ms
->write
.cipher_state
, preamble
, preamble_size
);
414 /* Actual encryption (inplace).
417 _gnutls_auth_cipher_encrypt_tag (¶ms
->write
.cipher_state
,
418 cipher_data
, length_to_encrypt
, tag_ptr
, tag_size
, compressed
->size
);
420 return gnutls_assert_val(ret
);
426 /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
427 * Returns the actual compressed packet size.
430 ciphertext_to_compressed (gnutls_session_t session
,
431 gnutls_datum_t
*ciphertext
,
432 opaque
* compress_data
,
434 uint8_t type
, record_parameters_st
* params
,
437 uint8_t tag
[MAX_HASH_SIZE
];
439 int length
, length_to_decrypt
;
441 int ret
, i
, pad_failed
= 0;
442 opaque preamble
[MAX_PREAMBLE_SIZE
];
444 int ver
= gnutls_protocol_get_version (session
);
445 int tag_size
= _gnutls_auth_cipher_tag_len (¶ms
->read
.cipher_state
);
446 int explicit_iv
= _gnutls_version_has_explicit_iv (session
->security_parameters
.version
);
448 blocksize
= gnutls_cipher_get_block_size (params
->cipher_algorithm
);
450 /* actual decryption (inplace)
452 switch (_gnutls_cipher_is_block (params
->cipher_algorithm
))
455 /* The way AEAD ciphers are defined in RFC5246, it allows
456 * only stream ciphers.
458 if (explicit_iv
&& _gnutls_auth_cipher_is_aead(¶ms
->read
.cipher_state
))
460 uint8_t nonce
[blocksize
];
461 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
463 if (params
->read
.IV
.data
== NULL
|| params
->read
.IV
.size
!= 4)
464 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
466 if (ciphertext
->size
< tag_size
+AEAD_EXPLICIT_DATA_SIZE
)
467 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
469 memcpy(nonce
, params
->read
.IV
.data
, AEAD_IMPLICIT_DATA_SIZE
);
470 memcpy(&nonce
[AEAD_IMPLICIT_DATA_SIZE
], ciphertext
->data
, AEAD_EXPLICIT_DATA_SIZE
);
472 _gnutls_auth_cipher_setiv(¶ms
->read
.cipher_state
, nonce
, AEAD_EXPLICIT_DATA_SIZE
+AEAD_IMPLICIT_DATA_SIZE
);
474 ciphertext
->data
+= AEAD_EXPLICIT_DATA_SIZE
;
475 ciphertext
->size
-= AEAD_EXPLICIT_DATA_SIZE
;
477 length_to_decrypt
= ciphertext
->size
- tag_size
;
481 if (ciphertext
->size
< tag_size
)
482 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
484 length_to_decrypt
= ciphertext
->size
;
487 length
= ciphertext
->size
- tag_size
;
489 /* Pass the type, version, length and compressed through
493 make_preamble (UINT64DATA(*sequence
), type
,
494 length
, ver
, preamble
);
496 _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, preamble
, preamble_size
);
499 _gnutls_auth_cipher_decrypt (¶ms
->read
.cipher_state
,
500 ciphertext
->data
, length_to_decrypt
)) < 0)
501 return gnutls_assert_val(ret
);
505 if (ciphertext
->size
< MAX(blocksize
, tag_size
) || (ciphertext
->size
% blocksize
!= 0))
506 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
508 /* ignore the IV in TLS 1.1+
512 _gnutls_auth_cipher_setiv(¶ms
->read
.cipher_state
,
513 ciphertext
->data
, blocksize
);
515 ciphertext
->size
-= blocksize
;
516 ciphertext
->data
+= blocksize
;
518 if (ciphertext
->size
== 0)
521 return GNUTLS_E_DECRYPTION_FAILED
;
525 /* we don't use the auth_cipher interface here, since
526 * TLS with block ciphers is impossible to be used under such
527 * an API. (the length of plaintext is required to calculate
528 * auth_data, but it is not available before decryption).
531 _gnutls_cipher_decrypt (¶ms
->read
.cipher_state
.cipher
,
532 ciphertext
->data
, ciphertext
->size
)) < 0)
533 return gnutls_assert_val(ret
);
535 pad
= ciphertext
->data
[ciphertext
->size
- 1] + 1; /* pad */
537 if ((int) pad
> (int) ciphertext
->size
- tag_size
)
541 ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
542 session
, pad
, ciphertext
->size
, tag_size
);
543 /* We do not fail here. We check below for the
544 * the pad_failed. If zero means success.
546 pad_failed
= GNUTLS_E_DECRYPTION_FAILED
;
549 length
= ciphertext
->size
- tag_size
- pad
;
551 /* Check the pading bytes (TLS 1.x)
553 if (ver
!= GNUTLS_SSL3
&& pad_failed
== 0)
554 for (i
= 2; i
< pad
; i
++)
556 if (ciphertext
->data
[ciphertext
->size
- i
] !=
557 ciphertext
->data
[ciphertext
->size
- 1])
558 pad_failed
= GNUTLS_E_DECRYPTION_FAILED
;
564 /* Pass the type, version, length and compressed through
568 make_preamble (UINT64DATA(*sequence
), type
,
569 length
, ver
, preamble
);
570 _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, preamble
, preamble_size
);
571 _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, ciphertext
->data
, length
);
575 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
578 ret
= _gnutls_auth_cipher_tag(¶ms
->read
.cipher_state
, tag
, tag_size
);
580 return gnutls_assert_val(ret
);
582 /* This one was introduced to avoid a timing attack against the TLS
586 return gnutls_assert_val(pad_failed
);
588 /* HMAC was not the same.
590 if (memcmp (tag
, &ciphertext
->data
[length
], tag_size
) != 0)
591 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED
);
593 /* copy the decrypted stuff to compress_data.
595 if (compress_size
< length
)
596 return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED
);
598 if (compress_data
!= ciphertext
->data
)
599 memcpy (compress_data
, ciphertext
->data
, length
);