2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2008, 2009, 2010
3 * Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 /* Some high level functions to be used in the record encryption are
30 #include "gnutls_int.h"
31 #include "gnutls_errors.h"
32 #include "gnutls_compress.h"
33 #include "gnutls_cipher.h"
34 #include "gnutls_algorithms.h"
35 #include "gnutls_hash_int.h"
36 #include "gnutls_cipher_int.h"
38 #include "gnutls_num.h"
39 #include "gnutls_datum.h"
40 #include "gnutls_kx.h"
41 #include "gnutls_record.h"
42 #include "gnutls_constate.h"
43 #include <gnutls_state.h>
46 static int _gnutls_compressed2ciphertext (gnutls_session_t session
,
47 opaque
* cipher_data
, int cipher_size
,
48 gnutls_datum_t compressed
,
50 record_parameters_st
* params
);
51 static int _gnutls_ciphertext2compressed (gnutls_session_t session
,
52 opaque
* compress_data
,
54 gnutls_datum_t ciphertext
, uint8_t type
,
55 record_parameters_st
* params
, uint64
* sequence
);
58 is_write_comp_null (record_parameters_st
* record_params
)
60 if (record_params
->compression_algorithm
== GNUTLS_COMP_NULL
)
67 is_read_comp_null (record_parameters_st
* record_params
)
69 if (record_params
->compression_algorithm
== GNUTLS_COMP_NULL
)
76 /* returns ciphertext which contains the headers too. This also
77 * calculates the size in the header field.
79 * If random pad != 0 then the random pad data will be appended.
82 _gnutls_encrypt (gnutls_session_t session
, const opaque
* headers
,
83 size_t headers_size
, const opaque
* data
,
84 size_t data_size
, opaque
* ciphertext
,
85 size_t ciphertext_size
, content_type_t type
,
86 record_parameters_st
* params
)
92 record_parameters_st
*cur_record_params
;
94 ret
= _gnutls_epoch_get (session
, EPOCH_WRITE_CURRENT
, &cur_record_params
);
96 return gnutls_assert_val(ret
);
98 plain
.data
= (opaque
*) data
;
99 plain
.size
= data_size
;
101 if (plain
.size
== 0 || is_write_comp_null (cur_record_params
) == 0)
108 /* Here comp is allocated and must be
111 ret
= _gnutls_m_plaintext2compressed (session
, &comp
, &plain
, params
);
113 return gnutls_assert_val(ret
);
116 ret
= _gnutls_compressed2ciphertext (session
, &ciphertext
[headers_size
],
117 ciphertext_size
- headers_size
,
121 _gnutls_free_datum (&comp
);
124 return gnutls_assert_val(ret
);
127 /* copy the headers */
128 memcpy (ciphertext
, headers
, headers_size
);
130 if(_gnutls_is_dtls(session
))
131 _gnutls_write_uint16 (ret
, &ciphertext
[11]);
133 _gnutls_write_uint16 (ret
, &ciphertext
[3]);
135 return ret
+ headers_size
;
138 /* Decrypts the given data.
139 * Returns the decrypted data length.
142 _gnutls_decrypt (gnutls_session_t session
, opaque
* ciphertext
,
143 size_t ciphertext_size
, uint8_t * data
,
144 size_t max_data_size
, content_type_t type
,
145 record_parameters_st
* params
, uint64
*sequence
)
148 gnutls_datum_t gcipher
;
150 record_parameters_st
*cur_record_params
;
152 ret
= _gnutls_epoch_get (session
, EPOCH_READ_CURRENT
, &cur_record_params
);
154 return gnutls_assert_val(ret
);
156 if (ciphertext_size
== 0)
159 gcipher
.size
= ciphertext_size
;
160 gcipher
.data
= ciphertext
;
163 _gnutls_ciphertext2compressed (session
, data
, max_data_size
,
164 gcipher
, type
, params
, sequence
);
170 if (ret
== 0 || is_read_comp_null (cur_record_params
) == 0)
177 gnutls_datum_t gcomp
;
179 /* compression has this malloc overhead.
184 ret
= _gnutls_m_compressed2plaintext (session
, >xt
, &gcomp
, params
);
190 if (gtxt
.size
> MAX_RECORD_RECV_SIZE(session
))
192 _gnutls_free_datum (>xt
);
193 /* This shouldn't have happen and
194 * is a TLS fatal error.
196 return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED
);
199 /* This check is not really needed */
200 if (max_data_size
< MAX_RECORD_RECV_SIZE(session
))
202 _gnutls_free_datum (>xt
);
203 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
206 memcpy (data
, gtxt
.data
, gtxt
.size
);
209 _gnutls_free_datum (>xt
);
217 calc_enc_length (gnutls_session_t session
, int data_size
,
218 int hash_size
, uint8_t * pad
, int random_pad
,
219 unsigned block_algo
, unsigned auth_cipher
, uint16_t blocksize
)
229 length
= data_size
+ hash_size
;
231 length
+= AEAD_EXPLICIT_DATA_SIZE
;
235 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, &rnd
, 1);
237 return gnutls_assert_val(ret
);
239 /* make rnd a multiple of blocksize */
240 if (session
->security_parameters
.version
== GNUTLS_SSL3
||
247 rnd
= (rnd
/ blocksize
) * blocksize
;
248 /* added to avoid the case of pad calculated 0
249 * seen below for pad calculation.
255 length
= data_size
+ hash_size
;
257 *pad
= (uint8_t) (blocksize
- (length
% blocksize
)) + rnd
;
260 if (_gnutls_version_has_explicit_iv
261 (session
->security_parameters
.version
))
262 length
+= blocksize
; /* for the IV */
266 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
272 #define MAX_PREAMBLE_SIZE 16
274 /* generates the authentication data (data to be hashed only
275 * and are not to be send). Returns their size.
278 make_preamble (opaque
* uint64_data
, opaque type
, int length
,
279 opaque ver
, opaque
* preamble
)
281 opaque minor
= _gnutls_version_get_minor (ver
);
282 opaque major
= _gnutls_version_get_major (ver
);
283 opaque
*p
= preamble
;
286 c_length
= _gnutls_conv_uint16 (length
);
288 memcpy (p
, uint64_data
, 8);
292 if (ver
!= GNUTLS_SSL3
)
293 { /* TLS protocols */
299 memcpy (p
, &c_length
, 2);
304 /* This is the actual encryption
305 * Encrypts the given compressed datum, and puts the result to cipher_data,
306 * which has cipher_size size.
307 * return the actual encrypted data length.
310 _gnutls_compressed2ciphertext (gnutls_session_t session
,
311 opaque
* cipher_data
, int cipher_size
,
312 gnutls_datum_t compressed
,
314 record_parameters_st
* params
)
316 uint8_t * tag_ptr
= NULL
;
318 int length
, length_to_encrypt
, ret
;
319 opaque preamble
[MAX_PREAMBLE_SIZE
];
321 int tag_size
= _gnutls_auth_cipher_tag_len (¶ms
->write
.cipher_state
);
322 int blocksize
= gnutls_cipher_get_block_size (params
->cipher_algorithm
);
323 unsigned block_algo
=
324 _gnutls_cipher_is_block (params
->cipher_algorithm
);
326 int ver
= gnutls_protocol_get_version (session
);
327 int explicit_iv
= _gnutls_version_has_explicit_iv (session
->security_parameters
.version
);
328 int auth_cipher
= _gnutls_auth_cipher_is_aead(¶ms
->write
.cipher_state
);
331 /* We don't use long padding if requested or if we are in DTLS.
333 if (session
->internals
.priorities
.no_padding
== 0 && (!IS_DTLS(session
)))
338 _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
339 session
, gnutls_cipher_get_name(params
->cipher_algorithm
), gnutls_mac_get_name(params
->mac_algorithm
),
340 (unsigned int)params
->epoch
);
342 make_preamble (UINT64DATA
343 (params
->write
.sequence_number
),
344 type
, compressed
.size
, ver
, preamble
);
346 /* Calculate the encrypted length (padding etc.)
348 length_to_encrypt
= length
=
349 calc_enc_length (session
, compressed
.size
, tag_size
, &pad
,
350 random_pad
, block_algo
, auth_cipher
, blocksize
);
353 return gnutls_assert_val(length
);
356 /* copy the encrypted data to cipher_data.
358 if (cipher_size
< length
)
360 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
363 data_ptr
= cipher_data
;
368 if (block_algo
== CIPHER_BLOCK
)
370 /* copy the random IV.
372 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, data_ptr
, blocksize
);
374 return gnutls_assert_val(ret
);
376 _gnutls_auth_cipher_setiv(¶ms
->write
.cipher_state
, data_ptr
, blocksize
);
378 data_ptr
+= blocksize
;
379 cipher_data
+= blocksize
;
380 length_to_encrypt
-= blocksize
;
382 else if (auth_cipher
)
384 uint8_t nonce
[blocksize
];
386 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
388 if (params
->write
.IV
.data
== NULL
|| params
->write
.IV
.size
!= AEAD_IMPLICIT_DATA_SIZE
)
389 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
391 /* Instead of generating a new nonce on every packet, we use the
392 * write.sequence_number (It is a MAY on RFC 5288).
394 memcpy(nonce
, params
->write
.IV
.data
, params
->write
.IV
.size
);
395 memcpy(&nonce
[AEAD_IMPLICIT_DATA_SIZE
], UINT64DATA(params
->write
.sequence_number
), 8);
397 _gnutls_auth_cipher_setiv(¶ms
->write
.cipher_state
, nonce
, AEAD_IMPLICIT_DATA_SIZE
+AEAD_EXPLICIT_DATA_SIZE
);
399 /* copy the explicit part */
400 memcpy(data_ptr
, &nonce
[AEAD_IMPLICIT_DATA_SIZE
], AEAD_EXPLICIT_DATA_SIZE
);
402 data_ptr
+= AEAD_EXPLICIT_DATA_SIZE
;
403 cipher_data
+= AEAD_EXPLICIT_DATA_SIZE
;
404 /* In AEAD ciphers we don't encrypt the tag
406 length_to_encrypt
-= AEAD_EXPLICIT_DATA_SIZE
+ tag_size
;
411 /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise.
413 if (auth_cipher
) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
416 memcpy (data_ptr
, compressed
.data
, compressed
.size
);
417 data_ptr
+= compressed
.size
;
422 data_ptr
+= tag_size
;
424 if (block_algo
== CIPHER_BLOCK
&& pad
> 0)
426 memset (data_ptr
, pad
- 1, pad
);
429 /* add the authenticate data */
430 _gnutls_auth_cipher_add_auth(¶ms
->write
.cipher_state
, preamble
, preamble_size
);
432 /* Actual encryption (inplace).
435 _gnutls_auth_cipher_encrypt_tag (¶ms
->write
.cipher_state
,
436 cipher_data
, length_to_encrypt
, tag_ptr
, tag_size
, compressed
.size
);
438 return gnutls_assert_val(ret
);
444 /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
445 * Returns the actual compressed packet size.
448 _gnutls_ciphertext2compressed (gnutls_session_t session
,
449 opaque
* compress_data
,
451 gnutls_datum_t ciphertext
, uint8_t type
,
452 record_parameters_st
* params
, uint64
* sequence
)
454 uint8_t tag
[MAX_HASH_SIZE
];
456 int length
, length_to_decrypt
;
458 int ret
, i
, pad_failed
= 0;
459 opaque preamble
[MAX_PREAMBLE_SIZE
];
461 int ver
= gnutls_protocol_get_version (session
);
462 int tag_size
= _gnutls_auth_cipher_tag_len (¶ms
->read
.cipher_state
);
463 int explicit_iv
= _gnutls_version_has_explicit_iv (session
->security_parameters
.version
);
465 blocksize
= gnutls_cipher_get_block_size (params
->cipher_algorithm
);
467 /* actual decryption (inplace)
469 switch (_gnutls_cipher_is_block (params
->cipher_algorithm
))
472 /* The way AEAD ciphers are defined in RFC5246, it allows
473 * only stream ciphers.
475 if (explicit_iv
&& _gnutls_auth_cipher_is_aead(¶ms
->read
.cipher_state
))
477 uint8_t nonce
[blocksize
];
478 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
480 if (params
->read
.IV
.data
== NULL
|| params
->read
.IV
.size
!= 4)
481 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
483 if (ciphertext
.size
< tag_size
+AEAD_EXPLICIT_DATA_SIZE
)
484 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
486 memcpy(nonce
, params
->read
.IV
.data
, AEAD_IMPLICIT_DATA_SIZE
);
487 memcpy(&nonce
[AEAD_IMPLICIT_DATA_SIZE
], ciphertext
.data
, AEAD_EXPLICIT_DATA_SIZE
);
489 _gnutls_auth_cipher_setiv(¶ms
->read
.cipher_state
, nonce
, AEAD_EXPLICIT_DATA_SIZE
+AEAD_IMPLICIT_DATA_SIZE
);
491 ciphertext
.data
+= AEAD_EXPLICIT_DATA_SIZE
;
492 ciphertext
.size
-= AEAD_EXPLICIT_DATA_SIZE
;
494 length_to_decrypt
= ciphertext
.size
- tag_size
;
498 if (ciphertext
.size
< tag_size
)
499 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
501 length_to_decrypt
= ciphertext
.size
;
504 length
= ciphertext
.size
- tag_size
;
506 /* Pass the type, version, length and compressed through
510 make_preamble (UINT64DATA(*sequence
), type
,
511 length
, ver
, preamble
);
513 _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, preamble
, preamble_size
);
516 _gnutls_auth_cipher_decrypt (¶ms
->read
.cipher_state
,
517 ciphertext
.data
, length_to_decrypt
)) < 0)
518 return gnutls_assert_val(ret
);
522 if ((ciphertext
.size
< blocksize
+tag_size
) || (ciphertext
.size
% blocksize
!= 0))
523 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
525 /* ignore the IV in TLS 1.1+
529 _gnutls_auth_cipher_setiv(¶ms
->read
.cipher_state
,
530 ciphertext
.data
, blocksize
);
532 ciphertext
.size
-= blocksize
;
533 ciphertext
.data
+= blocksize
;
535 if (ciphertext
.size
== 0)
538 return GNUTLS_E_DECRYPTION_FAILED
;
542 /* we don't use the auth_cipher interface here, since
543 * TLS with block ciphers is impossible to be used under such
544 * an API. (the length of plaintext is required to calculate
545 * auth_data, but it is not available before decryption).
548 _gnutls_cipher_decrypt (¶ms
->read
.cipher_state
.cipher
,
549 ciphertext
.data
, ciphertext
.size
)) < 0)
550 return gnutls_assert_val(ret
);
552 pad
= ciphertext
.data
[ciphertext
.size
- 1] + 1; /* pad */
554 if ((int) pad
> (int) ciphertext
.size
- tag_size
)
558 ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
559 session
, pad
, ciphertext
.size
, tag_size
);
560 /* We do not fail here. We check below for the
561 * the pad_failed. If zero means success.
563 pad_failed
= GNUTLS_E_DECRYPTION_FAILED
;
566 length
= ciphertext
.size
- tag_size
- pad
;
568 /* Check the pading bytes (TLS 1.x)
570 if (_gnutls_version_has_variable_padding (ver
) && pad_failed
== 0)
571 for (i
= 2; i
< pad
; i
++)
573 if (ciphertext
.data
[ciphertext
.size
- i
] !=
574 ciphertext
.data
[ciphertext
.size
- 1])
575 pad_failed
= GNUTLS_E_DECRYPTION_FAILED
;
581 /* Pass the type, version, length and compressed through
585 make_preamble (UINT64DATA(*sequence
), type
,
586 length
, ver
, preamble
);
587 _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, preamble
, preamble_size
);
588 _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, ciphertext
.data
, length
);
592 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
595 ret
= _gnutls_auth_cipher_tag(¶ms
->read
.cipher_state
, tag
, tag_size
);
597 return gnutls_assert_val(ret
);
599 /* This one was introduced to avoid a timing attack against the TLS
603 return gnutls_assert_val(pad_failed
);
605 /* HMAC was not the same.
607 if (memcmp (tag
, &ciphertext
.data
[length
], tag_size
) != 0)
608 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED
);
610 /* copy the decrypted stuff to compress_data.
612 if (compress_size
< length
)
613 return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED
);
615 memcpy (compress_data
, ciphertext
.data
, length
);