search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
certtool is able to set certificate policies via a template
[gnutls.git] / lib / gnutls_cipher.c
blob248b376a54c2960175fa9a46d0f3acf417d5e227
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Some high level functions to be used in the record encryption are
24 * included here.
25 */
26
27 #include "gnutls_int.h"
28 #include "gnutls_errors.h"
29 #include "gnutls_compress.h"
30 #include "gnutls_cipher.h"
31 #include "algorithms.h"
32 #include "gnutls_hash_int.h"
33 #include "gnutls_cipher_int.h"
34 #include "debug.h"
35 #include "gnutls_num.h"
36 #include "gnutls_datum.h"
37 #include "gnutls_kx.h"
38 #include "gnutls_record.h"
39 #include "gnutls_constate.h"
40 #include <gnutls_state.h>
41 #include <random.h>
42
43 static int compressed_to_ciphertext (gnutls_session_t session,
44 uint8_t * cipher_data, int cipher_size,
45 gnutls_datum_t *compressed,
46 content_type_t _type,
47 record_parameters_st * params);
48 static int ciphertext_to_compressed (gnutls_session_t session,
49 gnutls_datum_t *ciphertext,
50 uint8_t * compress_data,
51 int compress_size,
52 uint8_t type,
53 record_parameters_st * params, uint64* sequence);
54
55 inline static int
56 is_write_comp_null (record_parameters_st * record_params)
57 {
58 if (record_params->compression_algorithm == GNUTLS_COMP_NULL)
59 return 0;
60
61 return 1;
62 }
63
64 inline static int
65 is_read_comp_null (record_parameters_st * record_params)
66 {
67 if (record_params->compression_algorithm == GNUTLS_COMP_NULL)
68 return 0;
69
70 return 1;
71 }
72
73
74 /* returns ciphertext which contains the headers too. This also
75 * calculates the size in the header field.
76 *
77 * If random pad != 0 then the random pad data will be appended.
78 */
79 int
80 _gnutls_encrypt (gnutls_session_t session, const uint8_t * headers,
81 size_t headers_size, const uint8_t * data,
82 size_t data_size, uint8_t * ciphertext,
83 size_t ciphertext_size, content_type_t type,
84 record_parameters_st * params)
85 {
86 gnutls_datum_t comp;
87 int free_comp = 0;
88 int ret;
89
90 if (data_size == 0 || is_write_comp_null (params) == 0)
91 {
92 comp.data = (uint8_t*)data;
93 comp.size = data_size;
94 }
95 else
96 {
97 /* Here comp is allocated and must be
98 * freed.
99 */
100 free_comp = 1;
101
102 comp.size = ciphertext_size - headers_size;
103 comp.data = gnutls_malloc(comp.size);
104 if (comp.data == NULL)
105 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
106
107 ret = _gnutls_compress(&params->write.compression_state, data, data_size,
108 comp.data, comp.size, session->internals.priorities.stateless_compression);
109 if (ret < 0)
110 {
111 gnutls_free(comp.data);
112 return gnutls_assert_val(ret);
113 }
114
115 comp.size = ret;
116 }
117
118 ret = compressed_to_ciphertext (session, &ciphertext[headers_size],
119 ciphertext_size - headers_size,
120 &comp, type, params);
121
122 if (free_comp)
123 gnutls_free(comp.data);
124
125 if (ret < 0)
126 return gnutls_assert_val(ret);
127
128 /* copy the headers */
129 memcpy (ciphertext, headers, headers_size);
130
131 if(IS_DTLS(session))
132 _gnutls_write_uint16 (ret, &ciphertext[11]);
133 else
134 _gnutls_write_uint16 (ret, &ciphertext[3]);
135
136 return ret + headers_size;
137 }
138
139 /* Decrypts the given data.
140 * Returns the decrypted data length.
141 */
142 int
143 _gnutls_decrypt (gnutls_session_t session, uint8_t * ciphertext,
144 size_t ciphertext_size, uint8_t * data,
145 size_t max_data_size, content_type_t type,
146 record_parameters_st * params, uint64 *sequence)
147 {
148 gnutls_datum_t gcipher;
149 int ret, data_size;
150
151 if (ciphertext_size == 0)
152 return 0;
153
154 gcipher.size = ciphertext_size;
155 gcipher.data = ciphertext;
156
157 if (is_read_comp_null (params) == 0)
158 {
159 ret =
160 ciphertext_to_compressed (session, &gcipher, data, max_data_size,
161 type, params, sequence);
162 if (ret < 0)
163 return gnutls_assert_val(ret);
164
165 return ret;
166 }
167 else
168 {
169 uint8_t* tmp_data;
170
171 tmp_data = gnutls_malloc(max_data_size);
172 if (tmp_data == NULL)
173 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
174
175 ret =
176 ciphertext_to_compressed (session, &gcipher, tmp_data, max_data_size,
177 type, params, sequence);
178 if (ret < 0)
179 goto leave;
180
181 data_size = ret;
182
183 if (ret != 0)
184 {
185 ret = _gnutls_decompress( &params->read.compression_state, tmp_data, data_size, data, max_data_size);
186 if (ret < 0)
187 goto leave;
188 }
189
190 leave:
191 gnutls_free(tmp_data);
192 return ret;
193 }
194 }
195
196
197 inline static int
198 calc_enc_length_block (gnutls_session_t session, int data_size,
199 int hash_size, uint8_t * pad,
200 unsigned auth_cipher, uint16_t blocksize)
201 {
202 uint8_t rnd = *pad;
203 unsigned int length;
204
205 *pad = 0;
206
207 /* make rnd a multiple of blocksize */
208 if (session->security_parameters.version == GNUTLS_SSL3)
209 {
210 rnd = 0;
211 }
212
213 if (rnd > 0)
214 {
215 rnd = (rnd / blocksize) * blocksize;
216 /* added to avoid the case of pad calculated 0
217 * seen below for pad calculation.
218 */
219 if (rnd > blocksize)
220 rnd -= blocksize;
221 }
222
223 length = data_size + hash_size;
224
225 *pad = (uint8_t) (blocksize - (length % blocksize)) + rnd;
226
227 length += *pad;
228 if (_gnutls_version_has_explicit_iv
229 (session->security_parameters.version))
230 length += blocksize; /* for the IV */
231
232 return length;
233 }
234
235 inline static int
236 calc_enc_length_stream (gnutls_session_t session, int data_size,
237 int hash_size, unsigned auth_cipher)
238 {
239 unsigned int length;
240
241 length = data_size + hash_size;
242 if (auth_cipher)
243 length += AEAD_EXPLICIT_DATA_SIZE;
244
245 return length;
246 }
247
248 #define MAX_PREAMBLE_SIZE 16
249
250 /* generates the authentication data (data to be hashed only
251 * and are not to be sent). Returns their size.
252 */
253 static inline int
254 make_preamble (uint8_t * uint64_data, uint8_t type, unsigned int length,
255 uint8_t ver, uint8_t * preamble)
256 {
257 uint8_t minor = _gnutls_version_get_minor (ver);
258 uint8_t major = _gnutls_version_get_major (ver);
259 uint8_t *p = preamble;
260 uint16_t c_length;
261
262 c_length = _gnutls_conv_uint16 (length);
263
264 memcpy (p, uint64_data, 8);
265 p += 8;
266 *p = type;
267 p++;
268 if (ver != GNUTLS_SSL3)
269 { /* TLS protocols */
270 *p = major;
271 p++;
272 *p = minor;
273 p++;
274 }
275 memcpy (p, &c_length, 2);
276 p += 2;
277 return p - preamble;
278 }
279
280 /* This is the actual encryption
281 * Encrypts the given compressed datum, and puts the result to cipher_data,
282 * which has cipher_size size.
283 * return the actual encrypted data length.
284 */
285 static int
286 compressed_to_ciphertext (gnutls_session_t session,
287 uint8_t * cipher_data, int cipher_size,
288 gnutls_datum_t *compressed,
289 content_type_t type,
290 record_parameters_st * params)
291 {
292 uint8_t * tag_ptr = NULL;
293 uint8_t pad = 0;
294 int length, length_to_encrypt, ret;
295 uint8_t preamble[MAX_PREAMBLE_SIZE];
296 int preamble_size;
297 int tag_size = _gnutls_auth_cipher_tag_len (&params->write.cipher_state);
298 int blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm);
299 unsigned block_algo =
300 _gnutls_cipher_is_block (params->cipher_algorithm);
301 uint8_t *data_ptr;
302 int ver = gnutls_protocol_get_version (session);
303 int explicit_iv = _gnutls_version_has_explicit_iv (session->security_parameters.version);
304 int auth_cipher = _gnutls_auth_cipher_is_aead(&params->write.cipher_state);
305 uint8_t nonce[MAX_CIPHER_BLOCK_SIZE+1];
306
307
308 _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
309 session, gnutls_cipher_get_name(params->cipher_algorithm), gnutls_mac_get_name(params->mac_algorithm),
310 (unsigned int)params->epoch);
311
312 preamble_size =
313 make_preamble (UINT64DATA
314 (params->write.sequence_number),
315 type, compressed->size, ver, preamble);
316
317 /* Calculate the encrypted length (padding etc.)
318 */
319 if (block_algo == CIPHER_BLOCK)
320 {
321 /* Call _gnutls_rnd() once. Get data used for the IV + 1 for
322 * the random padding.
323 */
324 ret = _gnutls_rnd (GNUTLS_RND_NONCE, nonce, blocksize+1);
325 if (ret < 0)
326 return gnutls_assert_val(ret);
327
328 /* We don't use long padding if requested or if we are in DTLS.
329 */
330 if (session->internals.priorities.no_padding == 0 && !IS_DTLS(session))
331 pad = nonce[blocksize];
332
333 length_to_encrypt = length =
334 calc_enc_length_block (session, compressed->size, tag_size, &pad,
335 auth_cipher, blocksize);
336 }
337 else
338 length_to_encrypt = length =
339 calc_enc_length_stream (session, compressed->size, tag_size,
340 auth_cipher);
341 if (length < 0)
342 {
343 return gnutls_assert_val(length);
344 }
345
346 /* copy the encrypted data to cipher_data.
347 */
348 if (cipher_size < length)
349 {
350 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
351 }
352
353 data_ptr = cipher_data;
354
355 if (explicit_iv)
356 {
357 if (block_algo == CIPHER_BLOCK)
358 {
359 /* copy the random IV.
360 */
361 memcpy(data_ptr, nonce, blocksize);
362 _gnutls_auth_cipher_setiv(&params->write.cipher_state, data_ptr, blocksize);
363
364 data_ptr += blocksize;
365 cipher_data += blocksize;
366 length_to_encrypt -= blocksize;
367 }
368 else if (auth_cipher)
369 {
370 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
371 */
372 if (params->write.IV.data == NULL || params->write.IV.size != AEAD_IMPLICIT_DATA_SIZE)
373 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
374
375 /* Instead of generating a new nonce on every packet, we use the
376 * write.sequence_number (It is a MAY on RFC 5288).
377 */
378 memcpy(nonce, params->write.IV.data, params->write.IV.size);
379 memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], UINT64DATA(params->write.sequence_number), 8);
380
381 _gnutls_auth_cipher_setiv(&params->write.cipher_state, nonce, AEAD_IMPLICIT_DATA_SIZE+AEAD_EXPLICIT_DATA_SIZE);
382
383 /* copy the explicit part */
384 memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE], AEAD_EXPLICIT_DATA_SIZE);
385
386 data_ptr += AEAD_EXPLICIT_DATA_SIZE;
387 cipher_data += AEAD_EXPLICIT_DATA_SIZE;
388 /* In AEAD ciphers we don't encrypt the tag
389 */
390 length_to_encrypt -= AEAD_EXPLICIT_DATA_SIZE + tag_size;
391 }
392 }
393 else
394 {
395 /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise.
396 */
397 if (auth_cipher) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
398 }
399
400 memcpy (data_ptr, compressed->data, compressed->size);
401 data_ptr += compressed->size;
402
403 if (tag_size > 0)
404 {
405 tag_ptr = data_ptr;
406 data_ptr += tag_size;
407 }
408 if (block_algo == CIPHER_BLOCK && pad > 0)
409 {
410 memset (data_ptr, pad - 1, pad);
411 }
412
413 /* add the authenticate data */
414 ret = _gnutls_auth_cipher_add_auth(&params->write.cipher_state, preamble, preamble_size);
415 if (ret < 0)
416 return gnutls_assert_val(ret);
417
418 /* Actual encryption (inplace).
419 */
420 ret =
421 _gnutls_auth_cipher_encrypt2_tag (&params->write.cipher_state,
422 cipher_data, length_to_encrypt,
423 cipher_data, cipher_size,
424 tag_ptr, tag_size, compressed->size);
425 if (ret < 0)
426 return gnutls_assert_val(ret);
427
428 return length;
429 }
430
431
432 /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
433 * Returns the actual compressed packet size.
434 */
435 static int
436 ciphertext_to_compressed (gnutls_session_t session,
437 gnutls_datum_t *ciphertext,
438 uint8_t * compress_data,
439 int compress_size,
440 uint8_t type, record_parameters_st * params,
441 uint64* sequence)
442 {
443 uint8_t tag[MAX_HASH_SIZE];
444 uint8_t pad;
445 int length, length_to_decrypt;
446 uint16_t blocksize;
447 int ret, i, pad_failed = 0;
448 uint8_t preamble[MAX_PREAMBLE_SIZE];
449 unsigned int preamble_size;
450 unsigned int ver = gnutls_protocol_get_version (session);
451 unsigned int tag_size = _gnutls_auth_cipher_tag_len (&params->read.cipher_state);
452 unsigned int explicit_iv = _gnutls_version_has_explicit_iv (session->security_parameters.version);
453
454 blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm);
455
456 /* actual decryption (inplace)
457 */
458 switch (_gnutls_cipher_is_block (params->cipher_algorithm))
459 {
460 case CIPHER_STREAM:
461 /* The way AEAD ciphers are defined in RFC5246, it allows
462 * only stream ciphers.
463 */
464 if (explicit_iv && _gnutls_auth_cipher_is_aead(&params->read.cipher_state))
465 {
466 uint8_t nonce[blocksize];
467 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
468 */
469 if (params->read.IV.data == NULL || params->read.IV.size != 4)
470 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
471
472 if (ciphertext->size < tag_size+AEAD_EXPLICIT_DATA_SIZE)
473 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
474
475 memcpy(nonce, params->read.IV.data, AEAD_IMPLICIT_DATA_SIZE);
476 memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], ciphertext->data, AEAD_EXPLICIT_DATA_SIZE);
477
478 _gnutls_auth_cipher_setiv(&params->read.cipher_state, nonce, AEAD_EXPLICIT_DATA_SIZE+AEAD_IMPLICIT_DATA_SIZE);
479
480 ciphertext->data += AEAD_EXPLICIT_DATA_SIZE;
481 ciphertext->size -= AEAD_EXPLICIT_DATA_SIZE;
482
483 length_to_decrypt = ciphertext->size - tag_size;
484 }
485 else
486 {
487 if (ciphertext->size < tag_size)
488 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
489
490 length_to_decrypt = ciphertext->size;
491 }
492
493 length = ciphertext->size - tag_size;
494
495 /* Pass the type, version, length and compressed through
496 * MAC.
497 */
498 preamble_size =
499 make_preamble (UINT64DATA(*sequence), type,
500 length, ver, preamble);
501
502 ret = _gnutls_auth_cipher_add_auth (&params->read.cipher_state, preamble, preamble_size);
503 if (ret < 0)
504 return gnutls_assert_val(ret);
505
506 if ((ret =
507 _gnutls_auth_cipher_decrypt2 (&params->read.cipher_state,
508 ciphertext->data, length_to_decrypt,
509 ciphertext->data, ciphertext->size)) < 0)
510 return gnutls_assert_val(ret);
511
512 break;
513 case CIPHER_BLOCK:
514 if (ciphertext->size < blocksize || (ciphertext->size % blocksize != 0))
515 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
516
517 /* ignore the IV in TLS 1.1+
518 */
519 if (explicit_iv)
520 {
521 _gnutls_auth_cipher_setiv(&params->read.cipher_state,
522 ciphertext->data, blocksize);
523
524 ciphertext->size -= blocksize;
525 ciphertext->data += blocksize;
526 }
527
528 if (ciphertext->size < tag_size)
529 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
530
531 /* we don't use the auth_cipher interface here, since
532 * TLS with block ciphers is impossible to be used under such
533 * an API. (the length of plaintext is required to calculate
534 * auth_data, but it is not available before decryption).
535 */
536 if ((ret =
537 _gnutls_cipher_decrypt (&params->read.cipher_state.cipher,
538 ciphertext->data, ciphertext->size)) < 0)
539 return gnutls_assert_val(ret);
540
541 pad = ciphertext->data[ciphertext->size - 1] + 1; /* pad */
542
543
544 if ((int) pad > (int) ciphertext->size - tag_size)
545 {
546 gnutls_assert ();
547 _gnutls_record_log
548 ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
549 session, pad, ciphertext->size, tag_size);
550 /* We do not fail here. We check below for the
551 * the pad_failed. If zero means success.
552 */
553 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
554 pad %= blocksize;
555 }
556
557 length = ciphertext->size - tag_size - pad;
558
559 /* Check the pading bytes (TLS 1.x)
560 */
561 if (ver != GNUTLS_SSL3)
562 for (i = 2; i < pad; i++)
563 {
564 if (ciphertext->data[ciphertext->size - i] !=
565 ciphertext->data[ciphertext->size - 1])
566 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
567 }
568
569 if (length < 0)
570 {
571 /* Setting a proper length to prevent timing differences in
572 * processing of records with invalid encryption.
573 */
574 length = ciphertext->size - tag_size;
575 }
576
577 /* Pass the type, version, length and compressed through
578 * MAC.
579 */
580 preamble_size =
581 make_preamble (UINT64DATA(*sequence), type,
582 length, ver, preamble);
583 ret = _gnutls_auth_cipher_add_auth (&params->read.cipher_state, preamble, preamble_size);
584 if (ret < 0)
585 return gnutls_assert_val(ret);
586
587 ret = _gnutls_auth_cipher_add_auth (&params->read.cipher_state, ciphertext->data, length);
588 if (ret < 0)
589 return gnutls_assert_val(ret);
590
591 break;
592 default:
593 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
594 }
595
596 ret = _gnutls_auth_cipher_tag(&params->read.cipher_state, tag, tag_size);
597 if (ret < 0)
598 return gnutls_assert_val(ret);
599
600 /* This one was introduced to avoid a timing attack against the TLS
601 * 1.0 protocol.
602 */
603 /* HMAC was not the same.
604 */
605 if (memcmp (tag, &ciphertext->data[length], tag_size) != 0 || pad_failed != 0)
606 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
607
608 /* copy the decrypted stuff to compress_data.
609 */
610 if (compress_size < length)
611 return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED);
612
613 if (compress_data != ciphertext->data)
614 memcpy (compress_data, ciphertext->data, length);
615
616 return length;
617 }
Implementation of the SSL/TLS protocol