2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* Some high level functions to be used in the record encryption are
27 #include "gnutls_int.h"
28 #include "gnutls_errors.h"
29 #include "gnutls_compress.h"
30 #include "gnutls_cipher.h"
31 #include "algorithms.h"
32 #include "gnutls_hash_int.h"
33 #include "gnutls_cipher_int.h"
35 #include "gnutls_num.h"
36 #include "gnutls_datum.h"
37 #include "gnutls_kx.h"
38 #include "gnutls_record.h"
39 #include "gnutls_constate.h"
40 #include <gnutls_state.h>
43 static int compressed_to_ciphertext (gnutls_session_t session
,
44 uint8_t * cipher_data
, int cipher_size
,
45 gnutls_datum_t
*compressed
,
47 record_parameters_st
* params
);
48 static int ciphertext_to_compressed (gnutls_session_t session
,
49 gnutls_datum_t
*ciphertext
,
50 uint8_t * compress_data
,
53 record_parameters_st
* params
, uint64
* sequence
);
56 is_write_comp_null (record_parameters_st
* record_params
)
58 if (record_params
->compression_algorithm
== GNUTLS_COMP_NULL
)
65 is_read_comp_null (record_parameters_st
* record_params
)
67 if (record_params
->compression_algorithm
== GNUTLS_COMP_NULL
)
74 /* returns ciphertext which contains the headers too. This also
75 * calculates the size in the header field.
77 * If random pad != 0 then the random pad data will be appended.
80 _gnutls_encrypt (gnutls_session_t session
, const uint8_t * headers
,
81 size_t headers_size
, const uint8_t * data
,
82 size_t data_size
, uint8_t * ciphertext
,
83 size_t ciphertext_size
, content_type_t type
,
84 record_parameters_st
* params
)
90 if (data_size
== 0 || is_write_comp_null (params
) == 0)
92 comp
.data
= (uint8_t*)data
;
93 comp
.size
= data_size
;
97 /* Here comp is allocated and must be
102 comp
.size
= ciphertext_size
- headers_size
;
103 comp
.data
= gnutls_malloc(comp
.size
);
104 if (comp
.data
== NULL
)
105 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
107 ret
= _gnutls_compress(¶ms
->write
.compression_state
, data
, data_size
,
108 comp
.data
, comp
.size
, session
->internals
.priorities
.stateless_compression
);
111 gnutls_free(comp
.data
);
112 return gnutls_assert_val(ret
);
118 ret
= compressed_to_ciphertext (session
, &ciphertext
[headers_size
],
119 ciphertext_size
- headers_size
,
120 &comp
, type
, params
);
123 gnutls_free(comp
.data
);
126 return gnutls_assert_val(ret
);
128 /* copy the headers */
129 memcpy (ciphertext
, headers
, headers_size
);
132 _gnutls_write_uint16 (ret
, &ciphertext
[11]);
134 _gnutls_write_uint16 (ret
, &ciphertext
[3]);
136 return ret
+ headers_size
;
139 /* Decrypts the given data.
140 * Returns the decrypted data length.
143 _gnutls_decrypt (gnutls_session_t session
, uint8_t * ciphertext
,
144 size_t ciphertext_size
, uint8_t * data
,
145 size_t max_data_size
, content_type_t type
,
146 record_parameters_st
* params
, uint64
*sequence
)
148 gnutls_datum_t gcipher
;
151 if (ciphertext_size
== 0)
154 gcipher
.size
= ciphertext_size
;
155 gcipher
.data
= ciphertext
;
157 if (is_read_comp_null (params
) == 0)
160 ciphertext_to_compressed (session
, &gcipher
, data
, max_data_size
,
161 type
, params
, sequence
);
163 return gnutls_assert_val(ret
);
171 tmp_data
= gnutls_malloc(max_data_size
);
172 if (tmp_data
== NULL
)
173 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
176 ciphertext_to_compressed (session
, &gcipher
, tmp_data
, max_data_size
,
177 type
, params
, sequence
);
185 ret
= _gnutls_decompress( ¶ms
->read
.compression_state
, tmp_data
, data_size
, data
, max_data_size
);
191 gnutls_free(tmp_data
);
198 calc_enc_length (gnutls_session_t session
, int data_size
,
199 int hash_size
, uint8_t * pad
, int random_pad
,
200 unsigned block_algo
, unsigned auth_cipher
, uint16_t blocksize
)
211 length
= data_size
+ hash_size
;
213 length
+= AEAD_EXPLICIT_DATA_SIZE
;
217 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, &rnd
, 1);
219 return gnutls_assert_val(ret
);
221 /* make rnd a multiple of blocksize */
222 if (session
->security_parameters
.version
== GNUTLS_SSL3
||
229 rnd
= (rnd
/ blocksize
) * blocksize
;
230 /* added to avoid the case of pad calculated 0
231 * seen below for pad calculation.
237 length
= data_size
+ hash_size
;
239 *pad
= (uint8_t) (blocksize
- (length
% blocksize
)) + rnd
;
242 if (_gnutls_version_has_explicit_iv
243 (session
->security_parameters
.version
))
244 length
+= blocksize
; /* for the IV */
248 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
254 #define MAX_PREAMBLE_SIZE 16
256 /* generates the authentication data (data to be hashed only
257 * and are not to be sent). Returns their size.
260 make_preamble (uint8_t * uint64_data
, uint8_t type
, unsigned int length
,
261 uint8_t ver
, uint8_t * preamble
)
263 uint8_t minor
= _gnutls_version_get_minor (ver
);
264 uint8_t major
= _gnutls_version_get_major (ver
);
265 uint8_t *p
= preamble
;
268 c_length
= _gnutls_conv_uint16 (length
);
270 memcpy (p
, uint64_data
, 8);
274 if (ver
!= GNUTLS_SSL3
)
275 { /* TLS protocols */
281 memcpy (p
, &c_length
, 2);
286 /* This is the actual encryption
287 * Encrypts the given compressed datum, and puts the result to cipher_data,
288 * which has cipher_size size.
289 * return the actual encrypted data length.
292 compressed_to_ciphertext (gnutls_session_t session
,
293 uint8_t * cipher_data
, int cipher_size
,
294 gnutls_datum_t
*compressed
,
296 record_parameters_st
* params
)
298 uint8_t * tag_ptr
= NULL
;
300 int length
, length_to_encrypt
, ret
;
301 uint8_t preamble
[MAX_PREAMBLE_SIZE
];
303 int tag_size
= _gnutls_auth_cipher_tag_len (¶ms
->write
.cipher_state
);
304 int blocksize
= gnutls_cipher_get_block_size (params
->cipher_algorithm
);
305 unsigned block_algo
=
306 _gnutls_cipher_is_block (params
->cipher_algorithm
);
308 int ver
= gnutls_protocol_get_version (session
);
309 int explicit_iv
= _gnutls_version_has_explicit_iv (session
->security_parameters
.version
);
310 int auth_cipher
= _gnutls_auth_cipher_is_aead(¶ms
->write
.cipher_state
);
313 /* We don't use long padding if requested or if we are in DTLS.
315 if (session
->internals
.priorities
.no_padding
== 0 && (!IS_DTLS(session
)))
320 _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
321 session
, gnutls_cipher_get_name(params
->cipher_algorithm
), gnutls_mac_get_name(params
->mac_algorithm
),
322 (unsigned int)params
->epoch
);
325 make_preamble (UINT64DATA
326 (params
->write
.sequence_number
),
327 type
, compressed
->size
, ver
, preamble
);
329 /* Calculate the encrypted length (padding etc.)
331 length_to_encrypt
= length
=
332 calc_enc_length (session
, compressed
->size
, tag_size
, &pad
,
333 random_pad
, block_algo
, auth_cipher
, blocksize
);
336 return gnutls_assert_val(length
);
339 /* copy the encrypted data to cipher_data.
341 if (cipher_size
< length
)
343 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
346 data_ptr
= cipher_data
;
351 if (block_algo
== CIPHER_BLOCK
)
353 /* copy the random IV.
355 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, data_ptr
, blocksize
);
357 return gnutls_assert_val(ret
);
359 _gnutls_auth_cipher_setiv(¶ms
->write
.cipher_state
, data_ptr
, blocksize
);
361 data_ptr
+= blocksize
;
362 cipher_data
+= blocksize
;
363 length_to_encrypt
-= blocksize
;
365 else if (auth_cipher
)
367 uint8_t nonce
[blocksize
];
369 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
371 if (params
->write
.IV
.data
== NULL
|| params
->write
.IV
.size
!= AEAD_IMPLICIT_DATA_SIZE
)
372 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
374 /* Instead of generating a new nonce on every packet, we use the
375 * write.sequence_number (It is a MAY on RFC 5288).
377 memcpy(nonce
, params
->write
.IV
.data
, params
->write
.IV
.size
);
378 memcpy(&nonce
[AEAD_IMPLICIT_DATA_SIZE
], UINT64DATA(params
->write
.sequence_number
), 8);
380 _gnutls_auth_cipher_setiv(¶ms
->write
.cipher_state
, nonce
, AEAD_IMPLICIT_DATA_SIZE
+AEAD_EXPLICIT_DATA_SIZE
);
382 /* copy the explicit part */
383 memcpy(data_ptr
, &nonce
[AEAD_IMPLICIT_DATA_SIZE
], AEAD_EXPLICIT_DATA_SIZE
);
385 data_ptr
+= AEAD_EXPLICIT_DATA_SIZE
;
386 cipher_data
+= AEAD_EXPLICIT_DATA_SIZE
;
387 /* In AEAD ciphers we don't encrypt the tag
389 length_to_encrypt
-= AEAD_EXPLICIT_DATA_SIZE
+ tag_size
;
394 /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise.
396 if (auth_cipher
) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
399 memcpy (data_ptr
, compressed
->data
, compressed
->size
);
400 data_ptr
+= compressed
->size
;
405 data_ptr
+= tag_size
;
407 if (block_algo
== CIPHER_BLOCK
&& pad
> 0)
409 memset (data_ptr
, pad
- 1, pad
);
412 /* add the authenticate data */
413 ret
= _gnutls_auth_cipher_add_auth(¶ms
->write
.cipher_state
, preamble
, preamble_size
);
415 return gnutls_assert_val(ret
);
417 /* Actual encryption (inplace).
420 _gnutls_auth_cipher_encrypt2_tag (¶ms
->write
.cipher_state
,
421 cipher_data
, length_to_encrypt
,
422 cipher_data
, cipher_size
,
423 tag_ptr
, tag_size
, compressed
->size
);
425 return gnutls_assert_val(ret
);
431 /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
432 * Returns the actual compressed packet size.
435 ciphertext_to_compressed (gnutls_session_t session
,
436 gnutls_datum_t
*ciphertext
,
437 uint8_t * compress_data
,
439 uint8_t type
, record_parameters_st
* params
,
442 uint8_t tag
[MAX_HASH_SIZE
];
444 int length
, length_to_decrypt
;
446 int ret
, i
, pad_failed
= 0;
447 uint8_t preamble
[MAX_PREAMBLE_SIZE
];
448 unsigned int preamble_size
;
449 unsigned int ver
= gnutls_protocol_get_version (session
);
450 unsigned int tag_size
= _gnutls_auth_cipher_tag_len (¶ms
->read
.cipher_state
);
451 unsigned int explicit_iv
= _gnutls_version_has_explicit_iv (session
->security_parameters
.version
);
453 blocksize
= gnutls_cipher_get_block_size (params
->cipher_algorithm
);
455 /* actual decryption (inplace)
457 switch (_gnutls_cipher_is_block (params
->cipher_algorithm
))
460 /* The way AEAD ciphers are defined in RFC5246, it allows
461 * only stream ciphers.
463 if (explicit_iv
&& _gnutls_auth_cipher_is_aead(¶ms
->read
.cipher_state
))
465 uint8_t nonce
[blocksize
];
466 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
468 if (params
->read
.IV
.data
== NULL
|| params
->read
.IV
.size
!= 4)
469 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
471 if (ciphertext
->size
< tag_size
+AEAD_EXPLICIT_DATA_SIZE
)
472 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
474 memcpy(nonce
, params
->read
.IV
.data
, AEAD_IMPLICIT_DATA_SIZE
);
475 memcpy(&nonce
[AEAD_IMPLICIT_DATA_SIZE
], ciphertext
->data
, AEAD_EXPLICIT_DATA_SIZE
);
477 _gnutls_auth_cipher_setiv(¶ms
->read
.cipher_state
, nonce
, AEAD_EXPLICIT_DATA_SIZE
+AEAD_IMPLICIT_DATA_SIZE
);
479 ciphertext
->data
+= AEAD_EXPLICIT_DATA_SIZE
;
480 ciphertext
->size
-= AEAD_EXPLICIT_DATA_SIZE
;
482 length_to_decrypt
= ciphertext
->size
- tag_size
;
486 if (ciphertext
->size
< tag_size
)
487 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
489 length_to_decrypt
= ciphertext
->size
;
492 length
= ciphertext
->size
- tag_size
;
494 /* Pass the type, version, length and compressed through
498 make_preamble (UINT64DATA(*sequence
), type
,
499 length
, ver
, preamble
);
501 ret
= _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, preamble
, preamble_size
);
503 return gnutls_assert_val(ret
);
506 _gnutls_auth_cipher_decrypt2 (¶ms
->read
.cipher_state
,
507 ciphertext
->data
, length_to_decrypt
,
508 ciphertext
->data
, ciphertext
->size
)) < 0)
509 return gnutls_assert_val(ret
);
513 if (ciphertext
->size
< blocksize
|| (ciphertext
->size
% blocksize
!= 0))
514 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
516 /* ignore the IV in TLS 1.1+
520 _gnutls_auth_cipher_setiv(¶ms
->read
.cipher_state
,
521 ciphertext
->data
, blocksize
);
523 ciphertext
->size
-= blocksize
;
524 ciphertext
->data
+= blocksize
;
527 if (ciphertext
->size
< tag_size
)
528 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED
);
530 /* we don't use the auth_cipher interface here, since
531 * TLS with block ciphers is impossible to be used under such
532 * an API. (the length of plaintext is required to calculate
533 * auth_data, but it is not available before decryption).
536 _gnutls_cipher_decrypt (¶ms
->read
.cipher_state
.cipher
,
537 ciphertext
->data
, ciphertext
->size
)) < 0)
538 return gnutls_assert_val(ret
);
540 pad
= ciphertext
->data
[ciphertext
->size
- 1] + 1; /* pad */
543 if ((int) pad
> (int) ciphertext
->size
- tag_size
)
547 ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
548 session
, pad
, ciphertext
->size
, tag_size
);
549 /* We do not fail here. We check below for the
550 * the pad_failed. If zero means success.
552 pad_failed
= GNUTLS_E_DECRYPTION_FAILED
;
556 length
= ciphertext
->size
- tag_size
- pad
;
558 /* Check the pading bytes (TLS 1.x)
560 if (ver
!= GNUTLS_SSL3
)
561 for (i
= 2; i
< pad
; i
++)
563 if (ciphertext
->data
[ciphertext
->size
- i
] !=
564 ciphertext
->data
[ciphertext
->size
- 1])
565 pad_failed
= GNUTLS_E_DECRYPTION_FAILED
;
570 /* Setting a proper length to prevent timing differences in
571 * processing of records with invalid encryption.
573 length
= ciphertext
->size
- tag_size
;
576 /* Pass the type, version, length and compressed through
580 make_preamble (UINT64DATA(*sequence
), type
,
581 length
, ver
, preamble
);
582 ret
= _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, preamble
, preamble_size
);
584 return gnutls_assert_val(ret
);
586 ret
= _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, ciphertext
->data
, length
);
588 return gnutls_assert_val(ret
);
592 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
595 ret
= _gnutls_auth_cipher_tag(¶ms
->read
.cipher_state
, tag
, tag_size
);
597 return gnutls_assert_val(ret
);
599 /* This one was introduced to avoid a timing attack against the TLS
602 /* HMAC was not the same.
604 if (memcmp (tag
, &ciphertext
->data
[length
], tag_size
) != 0 || pad_failed
!= 0)
605 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED
);
607 /* copy the decrypted stuff to compress_data.
609 if (compress_size
< length
)
610 return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED
);
612 if (compress_data
!= ciphertext
->data
)
613 memcpy (compress_data
, ciphertext
->data
, length
);