search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add `gnutls/dtls.h' to the distribution.
[gnutls.git] / lib / gnutls_cipher.c
blob5952813340bdbc73dc5969c4061871ab513d8039
1 /*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GnuTLS.
8 *
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
25
26 /* Some high level functions to be used in the record encryption are
27 * included here.
28 */
29
30 #include "gnutls_int.h"
31 #include "gnutls_errors.h"
32 #include "gnutls_compress.h"
33 #include "gnutls_cipher.h"
34 #include "gnutls_algorithms.h"
35 #include "gnutls_hash_int.h"
36 #include "gnutls_cipher_int.h"
37 #include "debug.h"
38 #include "gnutls_num.h"
39 #include "gnutls_datum.h"
40 #include "gnutls_kx.h"
41 #include "gnutls_record.h"
42 #include "gnutls_constate.h"
43 #include <gnutls_state.h>
44 #include <random.h>
45
46 static int _gnutls_compressed2ciphertext (gnutls_session_t session,
47 opaque * cipher_data, int cipher_size,
48 gnutls_datum_t compressed,
49 content_type_t _type,
50 record_parameters_st * params);
51 static int _gnutls_ciphertext2compressed (gnutls_session_t session,
52 opaque * compress_data,
53 int compress_size,
54 gnutls_datum_t ciphertext, uint8_t type,
55 record_parameters_st * params, uint64* sequence);
56
57 inline static int
58 is_write_comp_null (record_parameters_st * record_params)
59 {
60 if (record_params->compression_algorithm == GNUTLS_COMP_NULL)
61 return 0;
62
63 return 1;
64 }
65
66 inline static int
67 is_read_comp_null (record_parameters_st * record_params)
68 {
69 if (record_params->compression_algorithm == GNUTLS_COMP_NULL)
70 return 0;
71
72 return 1;
73 }
74
75
76 /* returns ciphertext which contains the headers too. This also
77 * calculates the size in the header field.
78 *
79 * If random pad != 0 then the random pad data will be appended.
80 */
81 int
82 _gnutls_encrypt (gnutls_session_t session, const opaque * headers,
83 size_t headers_size, const opaque * data,
84 size_t data_size, opaque * ciphertext,
85 size_t ciphertext_size, content_type_t type,
86 record_parameters_st * params)
87 {
88 gnutls_datum_t plain;
89 gnutls_datum_t comp;
90 int ret;
91 int free_comp = 1;
92 record_parameters_st *cur_record_params;
93
94 ret = _gnutls_epoch_get (session, EPOCH_WRITE_CURRENT, &cur_record_params);
95 if (ret < 0)
96 return gnutls_assert_val(ret);
97
98 plain.data = (opaque *) data;
99 plain.size = data_size;
100
101 if (plain.size == 0 || is_write_comp_null (cur_record_params) == 0)
102 {
103 comp = plain;
104 free_comp = 0;
105 }
106 else
107 {
108 /* Here comp is allocated and must be
109 * freed.
110 */
111 ret = _gnutls_m_plaintext2compressed (session, &comp, &plain, params);
112 if (ret < 0)
113 return gnutls_assert_val(ret);
114 }
115
116 ret = _gnutls_compressed2ciphertext (session, &ciphertext[headers_size],
117 ciphertext_size - headers_size,
118 comp, type, params);
119
120 if (free_comp)
121 _gnutls_free_datum (&comp);
122
123 if (ret < 0)
124 return gnutls_assert_val(ret);
125
126
127 /* copy the headers */
128 memcpy (ciphertext, headers, headers_size);
129
130 if(_gnutls_is_dtls(session))
131 _gnutls_write_uint16 (ret, &ciphertext[11]);
132 else
133 _gnutls_write_uint16 (ret, &ciphertext[3]);
134
135 return ret + headers_size;
136 }
137
138 /* Decrypts the given data.
139 * Returns the decrypted data length.
140 */
141 int
142 _gnutls_decrypt (gnutls_session_t session, opaque * ciphertext,
143 size_t ciphertext_size, uint8_t * data,
144 size_t max_data_size, content_type_t type,
145 record_parameters_st * params, uint64 *sequence)
146 {
147 gnutls_datum_t gtxt;
148 gnutls_datum_t gcipher;
149 int ret;
150 record_parameters_st *cur_record_params;
151
152 ret = _gnutls_epoch_get (session, EPOCH_READ_CURRENT, &cur_record_params);
153 if (ret < 0)
154 return gnutls_assert_val(ret);
155
156 if (ciphertext_size == 0)
157 return 0;
158
159 gcipher.size = ciphertext_size;
160 gcipher.data = ciphertext;
161
162 ret =
163 _gnutls_ciphertext2compressed (session, data, max_data_size,
164 gcipher, type, params, sequence);
165 if (ret < 0)
166 {
167 return ret;
168 }
169
170 if (ret == 0 || is_read_comp_null (cur_record_params) == 0)
171 {
172 /* ret == ret */
173
174 }
175 else
176 {
177 gnutls_datum_t gcomp;
178
179 /* compression has this malloc overhead.
180 */
181
182 gcomp.data = data;
183 gcomp.size = ret;
184 ret = _gnutls_m_compressed2plaintext (session, &gtxt, &gcomp, params);
185 if (ret < 0)
186 {
187 return ret;
188 }
189
190 if (gtxt.size > MAX_RECORD_RECV_SIZE(session))
191 {
192 _gnutls_free_datum (&gtxt);
193 /* This shouldn't have happen and
194 * is a TLS fatal error.
195 */
196 return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED);
197 }
198
199 /* This check is not really needed */
200 if (max_data_size < MAX_RECORD_RECV_SIZE(session))
201 {
202 _gnutls_free_datum (&gtxt);
203 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
204 }
205
206 memcpy (data, gtxt.data, gtxt.size);
207 ret = gtxt.size;
208
209 _gnutls_free_datum (&gtxt);
210 }
211
212 return ret;
213 }
214
215
216 inline static int
217 calc_enc_length (gnutls_session_t session, int data_size,
218 int hash_size, uint8_t * pad, int random_pad,
219 unsigned block_algo, unsigned auth_cipher, uint16_t blocksize)
220 {
221 uint8_t rnd;
222 int length, ret;
223
224 *pad = 0;
225
226 switch (block_algo)
227 {
228 case CIPHER_STREAM:
229 length = data_size + hash_size;
230 if (auth_cipher)
231 length += AEAD_EXPLICIT_DATA_SIZE;
232
233 break;
234 case CIPHER_BLOCK:
235 ret = _gnutls_rnd (GNUTLS_RND_NONCE, &rnd, 1);
236 if (ret < 0)
237 return gnutls_assert_val(ret);
238
239 /* make rnd a multiple of blocksize */
240 if (session->security_parameters.version == GNUTLS_SSL3 ||
241 random_pad == 0)
242 {
243 rnd = 0;
244 }
245 else
246 {
247 rnd = (rnd / blocksize) * blocksize;
248 /* added to avoid the case of pad calculated 0
249 * seen below for pad calculation.
250 */
251 if (rnd > blocksize)
252 rnd -= blocksize;
253 }
254
255 length = data_size + hash_size;
256
257 *pad = (uint8_t) (blocksize - (length % blocksize)) + rnd;
258
259 length += *pad;
260 if (_gnutls_version_has_explicit_iv
261 (session->security_parameters.version))
262 length += blocksize; /* for the IV */
263
264 break;
265 default:
266 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
267 }
268
269 return length;
270 }
271
272 #define MAX_PREAMBLE_SIZE 16
273
274 /* generates the authentication data (data to be hashed only
275 * and are not to be send). Returns their size.
276 */
277 static inline int
278 make_preamble (opaque * uint64_data, opaque type, int length,
279 opaque ver, opaque * preamble)
280 {
281 opaque minor = _gnutls_version_get_minor (ver);
282 opaque major = _gnutls_version_get_major (ver);
283 opaque *p = preamble;
284 uint16_t c_length;
285
286 c_length = _gnutls_conv_uint16 (length);
287
288 memcpy (p, uint64_data, 8);
289 p += 8;
290 *p = type;
291 p++;
292 if (ver != GNUTLS_SSL3)
293 { /* TLS protocols */
294 *p = major;
295 p++;
296 *p = minor;
297 p++;
298 }
299 memcpy (p, &c_length, 2);
300 p += 2;
301 return p - preamble;
302 }
303
304 /* This is the actual encryption
305 * Encrypts the given compressed datum, and puts the result to cipher_data,
306 * which has cipher_size size.
307 * return the actual encrypted data length.
308 */
309 static int
310 _gnutls_compressed2ciphertext (gnutls_session_t session,
311 opaque * cipher_data, int cipher_size,
312 gnutls_datum_t compressed,
313 content_type_t type,
314 record_parameters_st * params)
315 {
316 uint8_t * tag_ptr = NULL;
317 uint8_t pad;
318 int length, length_to_encrypt, ret;
319 opaque preamble[MAX_PREAMBLE_SIZE];
320 int preamble_size;
321 int tag_size = _gnutls_auth_cipher_tag_len (&params->write.cipher_state);
322 int blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm);
323 unsigned block_algo =
324 _gnutls_cipher_is_block (params->cipher_algorithm);
325 opaque *data_ptr;
326 int ver = gnutls_protocol_get_version (session);
327 int explicit_iv = _gnutls_version_has_explicit_iv (session->security_parameters.version);
328 int auth_cipher = _gnutls_auth_cipher_is_aead(&params->write.cipher_state);
329 int random_pad;
330
331 /* We don't use long padding if requested or if we are in DTLS.
332 */
333 if (session->internals.priorities.no_padding == 0 && (!IS_DTLS(session)))
334 random_pad = 1;
335 else
336 random_pad = 0;
337
338 _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
339 session, gnutls_cipher_get_name(params->cipher_algorithm), gnutls_mac_get_name(params->mac_algorithm),
340 (unsigned int)params->epoch);
341 preamble_size =
342 make_preamble (UINT64DATA
343 (params->write.sequence_number),
344 type, compressed.size, ver, preamble);
345
346 /* Calculate the encrypted length (padding etc.)
347 */
348 length_to_encrypt = length =
349 calc_enc_length (session, compressed.size, tag_size, &pad,
350 random_pad, block_algo, auth_cipher, blocksize);
351 if (length < 0)
352 {
353 return gnutls_assert_val(length);
354 }
355
356 /* copy the encrypted data to cipher_data.
357 */
358 if (cipher_size < length)
359 {
360 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
361 }
362
363 data_ptr = cipher_data;
364
365 if (explicit_iv)
366 {
367
368 if (block_algo == CIPHER_BLOCK)
369 {
370 /* copy the random IV.
371 */
372 ret = _gnutls_rnd (GNUTLS_RND_NONCE, data_ptr, blocksize);
373 if (ret < 0)
374 return gnutls_assert_val(ret);
375
376 _gnutls_auth_cipher_setiv(&params->write.cipher_state, data_ptr, blocksize);
377
378 data_ptr += blocksize;
379 cipher_data += blocksize;
380 length_to_encrypt -= blocksize;
381 }
382 else if (auth_cipher)
383 {
384 uint8_t nonce[blocksize];
385
386 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
387 */
388 if (params->write.IV.data == NULL || params->write.IV.size != AEAD_IMPLICIT_DATA_SIZE)
389 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
390
391 /* Instead of generating a new nonce on every packet, we use the
392 * write.sequence_number (It is a MAY on RFC 5288).
393 */
394 memcpy(nonce, params->write.IV.data, params->write.IV.size);
395 memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], UINT64DATA(params->write.sequence_number), 8);
396
397 _gnutls_auth_cipher_setiv(&params->write.cipher_state, nonce, AEAD_IMPLICIT_DATA_SIZE+AEAD_EXPLICIT_DATA_SIZE);
398
399 /* copy the explicit part */
400 memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE], AEAD_EXPLICIT_DATA_SIZE);
401
402 data_ptr += AEAD_EXPLICIT_DATA_SIZE;
403 cipher_data += AEAD_EXPLICIT_DATA_SIZE;
404 /* In AEAD ciphers we don't encrypt the tag
405 */
406 length_to_encrypt -= AEAD_EXPLICIT_DATA_SIZE + tag_size;
407 }
408 }
409 else
410 {
411 /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise.
412 */
413 if (auth_cipher) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
414 }
415
416 memcpy (data_ptr, compressed.data, compressed.size);
417 data_ptr += compressed.size;
418
419 if (tag_size > 0)
420 {
421 tag_ptr = data_ptr;
422 data_ptr += tag_size;
423 }
424 if (block_algo == CIPHER_BLOCK && pad > 0)
425 {
426 memset (data_ptr, pad - 1, pad);
427 }
428
429 /* add the authenticate data */
430 _gnutls_auth_cipher_add_auth(&params->write.cipher_state, preamble, preamble_size);
431
432 /* Actual encryption (inplace).
433 */
434 ret =
435 _gnutls_auth_cipher_encrypt_tag (&params->write.cipher_state,
436 cipher_data, length_to_encrypt, tag_ptr, tag_size, compressed.size);
437 if (ret < 0)
438 return gnutls_assert_val(ret);
439
440 return length;
441 }
442
443
444 /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
445 * Returns the actual compressed packet size.
446 */
447 static int
448 _gnutls_ciphertext2compressed (gnutls_session_t session,
449 opaque * compress_data,
450 int compress_size,
451 gnutls_datum_t ciphertext, uint8_t type,
452 record_parameters_st * params, uint64* sequence)
453 {
454 uint8_t tag[MAX_HASH_SIZE];
455 uint8_t pad;
456 int length, length_to_decrypt;
457 uint16_t blocksize;
458 int ret, i, pad_failed = 0;
459 opaque preamble[MAX_PREAMBLE_SIZE];
460 int preamble_size;
461 int ver = gnutls_protocol_get_version (session);
462 int tag_size = _gnutls_auth_cipher_tag_len (&params->read.cipher_state);
463 int explicit_iv = _gnutls_version_has_explicit_iv (session->security_parameters.version);
464
465 blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm);
466
467 /* actual decryption (inplace)
468 */
469 switch (_gnutls_cipher_is_block (params->cipher_algorithm))
470 {
471 case CIPHER_STREAM:
472 /* The way AEAD ciphers are defined in RFC5246, it allows
473 * only stream ciphers.
474 */
475 if (explicit_iv && _gnutls_auth_cipher_is_aead(&params->read.cipher_state))
476 {
477 uint8_t nonce[blocksize];
478 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
479 */
480 if (params->read.IV.data == NULL || params->read.IV.size != 4)
481 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
482
483 if (ciphertext.size < tag_size+AEAD_EXPLICIT_DATA_SIZE)
484 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
485
486 memcpy(nonce, params->read.IV.data, AEAD_IMPLICIT_DATA_SIZE);
487 memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], ciphertext.data, AEAD_EXPLICIT_DATA_SIZE);
488
489 _gnutls_auth_cipher_setiv(&params->read.cipher_state, nonce, AEAD_EXPLICIT_DATA_SIZE+AEAD_IMPLICIT_DATA_SIZE);
490
491 ciphertext.data += AEAD_EXPLICIT_DATA_SIZE;
492 ciphertext.size -= AEAD_EXPLICIT_DATA_SIZE;
493
494 length_to_decrypt = ciphertext.size - tag_size;
495 }
496 else
497 {
498 if (ciphertext.size < tag_size)
499 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
500
501 length_to_decrypt = ciphertext.size;
502 }
503
504 length = ciphertext.size - tag_size;
505
506 /* Pass the type, version, length and compressed through
507 * MAC.
508 */
509 preamble_size =
510 make_preamble (UINT64DATA(*sequence), type,
511 length, ver, preamble);
512
513 _gnutls_auth_cipher_add_auth (&params->read.cipher_state, preamble, preamble_size);
514
515 if ((ret =
516 _gnutls_auth_cipher_decrypt (&params->read.cipher_state,
517 ciphertext.data, length_to_decrypt)) < 0)
518 return gnutls_assert_val(ret);
519
520 break;
521 case CIPHER_BLOCK:
522 if ((ciphertext.size < blocksize+tag_size) || (ciphertext.size % blocksize != 0))
523 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
524
525 /* ignore the IV in TLS 1.1+
526 */
527 if (explicit_iv)
528 {
529 _gnutls_auth_cipher_setiv(&params->read.cipher_state,
530 ciphertext.data, blocksize);
531
532 ciphertext.size -= blocksize;
533 ciphertext.data += blocksize;
534
535 if (ciphertext.size == 0)
536 {
537 gnutls_assert ();
538 return GNUTLS_E_DECRYPTION_FAILED;
539 }
540 }
541
542 /* we don't use the auth_cipher interface here, since
543 * TLS with block ciphers is impossible to be used under such
544 * an API. (the length of plaintext is required to calculate
545 * auth_data, but it is not available before decryption).
546 */
547 if ((ret =
548 _gnutls_cipher_decrypt (&params->read.cipher_state.cipher,
549 ciphertext.data, ciphertext.size)) < 0)
550 return gnutls_assert_val(ret);
551
552 pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
553
554 if ((int) pad > (int) ciphertext.size - tag_size)
555 {
556 gnutls_assert ();
557 _gnutls_record_log
558 ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
559 session, pad, ciphertext.size, tag_size);
560 /* We do not fail here. We check below for the
561 * the pad_failed. If zero means success.
562 */
563 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
564 }
565
566 length = ciphertext.size - tag_size - pad;
567
568 /* Check the pading bytes (TLS 1.x)
569 */
570 if (_gnutls_version_has_variable_padding (ver) && pad_failed == 0)
571 for (i = 2; i < pad; i++)
572 {
573 if (ciphertext.data[ciphertext.size - i] !=
574 ciphertext.data[ciphertext.size - 1])
575 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
576 }
577
578 if (length < 0)
579 length = 0;
580
581 /* Pass the type, version, length and compressed through
582 * MAC.
583 */
584 preamble_size =
585 make_preamble (UINT64DATA(*sequence), type,
586 length, ver, preamble);
587 _gnutls_auth_cipher_add_auth (&params->read.cipher_state, preamble, preamble_size);
588 _gnutls_auth_cipher_add_auth (&params->read.cipher_state, ciphertext.data, length);
589
590 break;
591 default:
592 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
593 }
594
595 ret = _gnutls_auth_cipher_tag(&params->read.cipher_state, tag, tag_size);
596 if (ret < 0)
597 return gnutls_assert_val(ret);
598
599 /* This one was introduced to avoid a timing attack against the TLS
600 * 1.0 protocol.
601 */
602 if (pad_failed != 0)
603 return gnutls_assert_val(pad_failed);
604
605 /* HMAC was not the same.
606 */
607 if (memcmp (tag, &ciphertext.data[length], tag_size) != 0)
608 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
609
610 /* copy the decrypted stuff to compress_data.
611 */
612 if (compress_size < length)
613 return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED);
614
615 memcpy (compress_data, ciphertext.data, length);
616
617 return length;
618 }
Implementation of the SSL/TLS protocol