Coverage Report

Created: 2020-02-14 15:38

/src/botan/src/lib/tls/tls_cbc/tls_cbc.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS CBC Record Handling
3
* (C) 2012,2013,2014,2015,2016 Jack Lloyd
4
* (C) 2016 Juraj Somorovsky
5
* (C) 2016 Matthias Gierlings
6
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
7
*
8
* Botan is released under the Simplified BSD License (see license.txt)
9
*/
10
11
#include <botan/internal/tls_cbc.h>
12
#include <botan/cbc.h>
13
14
#include <botan/internal/rounding.h>
15
#include <botan/internal/ct_utils.h>
16
#include <botan/loadstor.h>
17
#include <botan/tls_alert.h>
18
#include <botan/tls_exceptn.h>
19
20
namespace Botan {
21
22
namespace TLS {
23
24
/*
25
* TLS_CBC_HMAC_AEAD_Mode Constructor
26
*/
27
TLS_CBC_HMAC_AEAD_Mode::TLS_CBC_HMAC_AEAD_Mode(Cipher_Dir dir,
28
                                               std::unique_ptr<BlockCipher> cipher,
29
                                               std::unique_ptr<MessageAuthenticationCode> mac,
30
                                               size_t cipher_keylen,
31
                                               size_t mac_keylen,
32
                                               Protocol_Version version,
33
                                               bool use_encrypt_then_mac) :
34
   m_cipher_name(cipher->name()),
35
   m_mac_name(mac->name()),
36
   m_cipher_keylen(cipher_keylen),
37
   m_mac_keylen(mac_keylen),
38
   m_use_encrypt_then_mac(use_encrypt_then_mac)
39
1.00k
   {
40
1.00k
   m_tag_size = mac->output_length();
41
1.00k
   m_block_size = cipher->block_size();
42
1.00k
43
1.00k
   m_iv_size = version.supports_explicit_cbc_ivs() ? m_block_size : 0;
44
1.00k
45
1.00k
   m_is_datagram = version.is_datagram_protocol();
46
1.00k
47
1.00k
   m_mac = std::move(mac);
48
1.00k
49
1.00k
   if(dir == ENCRYPTION)
50
461
      m_cbc.reset(new CBC_Encryption(cipher.release(), new Null_Padding));
51
542
   else
52
542
      m_cbc.reset(new CBC_Decryption(cipher.release(), new Null_Padding));
53
1.00k
   }
54
55
void TLS_CBC_HMAC_AEAD_Mode::clear()
56
0
   {
57
0
   cbc().clear();
58
0
   mac().clear();
59
0
   reset();
60
0
   }
61
62
void TLS_CBC_HMAC_AEAD_Mode::reset()
63
0
   {
64
0
   cbc_state().clear();
65
0
   m_ad.clear();
66
0
   m_msg.clear();
67
0
   }
68
69
std::string TLS_CBC_HMAC_AEAD_Mode::name() const
70
0
   {
71
0
   return "TLS_CBC(" + m_cipher_name + "," + m_mac_name + ")";
72
0
   }
73
74
size_t TLS_CBC_HMAC_AEAD_Mode::update_granularity() const
75
0
   {
76
0
   return 1; // just buffers anyway
77
0
   }
78
79
bool TLS_CBC_HMAC_AEAD_Mode::valid_nonce_length(size_t nl) const
80
1.11k
   {
81
1.11k
   if(m_cbc_state.empty())
82
820
      return nl == block_size();
83
294
   return nl == iv_size();
84
294
   }
85
86
Key_Length_Specification TLS_CBC_HMAC_AEAD_Mode::key_spec() const
87
1.00k
   {
88
1.00k
   return Key_Length_Specification(m_cipher_keylen + m_mac_keylen);
89
1.00k
   }
90
91
void TLS_CBC_HMAC_AEAD_Mode::key_schedule(const uint8_t key[], size_t keylen)
92
1.00k
   {
93
1.00k
   // Both keys are of fixed length specified by the ciphersuite
94
1.00k
95
1.00k
   if(keylen != m_cipher_keylen + m_mac_keylen)
96
0
      throw Invalid_Key_Length(name(), keylen);
97
1.00k
98
1.00k
   mac().set_key(&key[0], m_mac_keylen);
99
1.00k
   cbc().set_key(&key[m_mac_keylen], m_cipher_keylen);
100
1.00k
   }
101
102
void TLS_CBC_HMAC_AEAD_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
103
1.11k
   {
104
1.11k
   if(!valid_nonce_length(nonce_len))
105
0
      {
106
0
      throw Invalid_IV_Length(name(), nonce_len);
107
0
      }
108
1.11k
109
1.11k
   m_msg.clear();
110
1.11k
111
1.11k
   if(nonce_len > 0)
112
1.11k
      {
113
1.11k
      m_cbc_state.assign(nonce, nonce + nonce_len);
114
1.11k
      }
115
1.11k
   }
116
117
size_t TLS_CBC_HMAC_AEAD_Mode::process(uint8_t buf[], size_t sz)
118
1.11k
   {
119
1.11k
   m_msg.insert(m_msg.end(), buf, buf + sz);
120
1.11k
   return 0;
121
1.11k
   }
122
123
std::vector<uint8_t> TLS_CBC_HMAC_AEAD_Mode::assoc_data_with_len(uint16_t len)
124
304
   {
125
304
   std::vector<uint8_t> ad = m_ad;
126
304
   BOTAN_ASSERT(ad.size() == 13, "Expected AAD size");
127
304
   ad[11] = get_byte(0, len);
128
304
   ad[12] = get_byte(1, len);
129
304
   return ad;
130
304
   }
131
132
void TLS_CBC_HMAC_AEAD_Mode::set_associated_data(const uint8_t ad[], size_t ad_len)
133
1.11k
   {
134
1.11k
   if(ad_len != 13)
135
0
      throw Invalid_Argument("Invalid TLS AEAD associated data length");
136
1.11k
   m_ad.assign(ad, ad + ad_len);
137
1.11k
   }
138
139
void TLS_CBC_HMAC_AEAD_Encryption::set_associated_data(const uint8_t ad[], size_t ad_len)
140
755
   {
141
755
   TLS_CBC_HMAC_AEAD_Mode::set_associated_data(ad, ad_len);
142
755
143
755
   if(use_encrypt_then_mac())
144
70
      {
145
70
      // AAD hack for EtM
146
70
      const uint16_t pt_size = make_uint16(assoc_data()[11], assoc_data()[12]);
147
70
      const uint16_t enc_size = static_cast<uint16_t>(round_up(iv_size() + pt_size + 1, block_size()));
148
70
      assoc_data()[11] = get_byte<uint16_t>(0, enc_size);
149
70
      assoc_data()[12] = get_byte<uint16_t>(1, enc_size);
150
70
      }
151
755
   }
152
153
void TLS_CBC_HMAC_AEAD_Encryption::cbc_encrypt_record(uint8_t buf[], size_t buf_size)
154
755
   {
155
755
   cbc().start(cbc_state());
156
755
   cbc().process(buf, buf_size);
157
755
158
755
   cbc_state().assign(buf + buf_size - block_size(), buf + buf_size);
159
755
   }
160
161
size_t TLS_CBC_HMAC_AEAD_Encryption::output_length(size_t input_length) const
162
755
   {
163
755
   return round_up(input_length + 1 + (use_encrypt_then_mac() ? 0 : tag_size()), block_size()) +
164
755
      (use_encrypt_then_mac() ? tag_size() : 0);
165
755
   }
166
167
void TLS_CBC_HMAC_AEAD_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
168
755
   {
169
755
   update(buffer, offset);
170
755
   buffer.resize(offset); // truncate, leaving just header
171
755
   const size_t header_size = offset;
172
755
173
755
   buffer.insert(buffer.end(), msg().begin(), msg().end());
174
755
175
755
   const size_t input_size = msg().size() + 1 + (use_encrypt_then_mac() ? 0 : tag_size());
176
755
   const size_t enc_size = round_up(input_size, block_size());
177
755
   const size_t pad_val = enc_size - input_size;
178
755
   const size_t buf_size = enc_size + (use_encrypt_then_mac() ? tag_size() : 0);
179
755
180
755
   BOTAN_ASSERT(enc_size % block_size() == 0,
181
755
                "Buffer is an even multiple of block size");
182
755
183
755
   mac().update(assoc_data());
184
755
185
755
   if(use_encrypt_then_mac())
186
70
      {
187
70
      if(iv_size() > 0)
188
70
         {
189
70
         mac().update(cbc_state());
190
70
         }
191
70
192
1.07k
      for(size_t i = 0; i != pad_val + 1; ++i)
193
1.00k
         buffer.push_back(static_cast<uint8_t>(pad_val));
194
70
      cbc_encrypt_record(&buffer[header_size], enc_size);
195
70
      }
196
755
197
755
   // EtM also uses ciphertext size instead of plaintext size for AEAD input
198
755
   const uint8_t* mac_input = (use_encrypt_then_mac() ? &buffer[header_size] : msg().data());
199
755
   const size_t mac_input_len = (use_encrypt_then_mac() ? enc_size : msg().size());
200
755
201
755
   mac().update(mac_input, mac_input_len);
202
755
203
755
   buffer.resize(buffer.size() + tag_size());
204
755
   mac().final(&buffer[buffer.size() - tag_size()]);
205
755
206
755
   if(use_encrypt_then_mac() == false)
207
685
      {
208
7.47k
      for(size_t i = 0; i != pad_val + 1; ++i)
209
6.78k
         buffer.push_back(static_cast<uint8_t>(pad_val));
210
685
      cbc_encrypt_record(&buffer[header_size], buf_size);
211
685
      }
212
755
   }
213
214
/*
215
* Checks the TLS padding. Returns 0 if the padding is invalid (we
216
* count the padding_length field as part of the padding size so a
217
* valid padding will always be at least one byte long), or the length
218
* of the padding otherwise. This is actually padding_length + 1
219
* because both the padding and padding_length fields are padding from
220
* our perspective.
221
*
222
* Returning 0 in the error case should ensure the MAC check will fail.
223
* This approach is suggested in section 6.2.3.2 of RFC 5246.
224
*/
225
uint16_t check_tls_cbc_padding(const uint8_t record[], size_t record_len)
226
516
   {
227
516
   if(record_len == 0 || record_len > 0xFFFF)
228
0
      return 0;
229
516
230
516
   const uint16_t rec16 = static_cast<uint16_t>(record_len);
231
516
232
516
   /*
233
516
   * TLS v1.0 and up require all the padding bytes be the same value
234
516
   * and allows up to 255 bytes.
235
516
   */
236
516
237
516
   const uint16_t to_check = std::min<uint16_t>(256, static_cast<uint16_t>(record_len));
238
516
   const uint8_t pad_byte = record[record_len-1];
239
516
   const uint16_t pad_bytes = 1 + pad_byte;
240
516
241
516
   auto pad_invalid = CT::Mask<uint16_t>::is_lt(rec16, pad_bytes);
242
516
243
80.0k
   for(uint16_t i = rec16 - to_check; i != rec16; ++i)
244
79.5k
      {
245
79.5k
      const uint16_t offset = rec16 - i;
246
79.5k
      const auto in_pad_range = CT::Mask<uint16_t>::is_lte(offset, pad_bytes);
247
79.5k
      const auto pad_correct = CT::Mask<uint16_t>::is_equal(record[i], pad_byte);
248
79.5k
      pad_invalid |= in_pad_range & ~pad_correct;
249
79.5k
      }
250
516
251
516
   return pad_invalid.if_not_set_return(pad_bytes);
252
516
   }
253
254
void TLS_CBC_HMAC_AEAD_Decryption::cbc_decrypt_record(uint8_t record_contents[], size_t record_len)
255
292
   {
256
292
   if(record_len == 0 || record_len % block_size() != 0)
257
0
      throw Decoding_Error("Received TLS CBC ciphertext with invalid length");
258
292
259
292
   cbc().start(cbc_state());
260
292
   cbc_state().assign(record_contents + record_len - block_size(),
261
292
                      record_contents + record_len);
262
292
263
292
   cbc().process(record_contents, record_len);
264
292
   }
265
266
size_t TLS_CBC_HMAC_AEAD_Decryption::output_length(size_t) const
267
359
   {
268
359
   /*
269
359
   * We don't know this because the padding is arbitrary
270
359
   */
271
359
   return 0;
272
359
   }
273
274
/*
275
* This function performs additional compression calls in order
276
* to protect from the Lucky 13 attack. It adds new compression
277
* function calls over dummy data, by computing additional HMAC updates.
278
*
279
* The countermeasure was described (in a similar way) in the Lucky 13 paper.
280
*
281
* Background:
282
* - One SHA-1/SHA-256 compression is performed with 64 bytes of data.
283
* - HMAC adds 8 byte length field and padding (at least 1 byte) so that we have:
284
*   - 0 - 55 bytes: 1 compression
285
*   - 56 - 55+64 bytes: 2 compressions
286
*   - 56+64 - 55+2*64 bytes: 3 compressions ...
287
* - For SHA-384, this works similarly, but we have 128 byte blocks and 16 byte
288
*   long length field. This results in:
289
*   - 0 - 111 bytes: 1 compression
290
*   - 112 - 111+128 bytes: 2 compressions ...
291
*
292
* The implemented countermeasure works as follows:
293
* 1) It computes max_compressions: number of maximum compressions performed on
294
*    the decrypted data
295
* 2) It computes current_compressions: number of compressions performed on the
296
*    decrypted data, after padding has been removed
297
* 3) If current_compressions != max_compressions: It invokes an HMAC update
298
*    over dummy data so that (max_compressions - current_compressions)
299
*    compressions are performed. Otherwise, it invokes an HMAC update so that
300
*    no compressions are performed.
301
*
302
* Note that the padding validation in Botan is always performed over
303
* min(plen,256) bytes, see the function check_tls_cbc_padding. This differs
304
* from the countermeasure described in the paper.
305
*
306
* Note that the padding length padlen does also count the last byte
307
* of the decrypted plaintext. This is different from the Lucky 13 paper.
308
*
309
* This countermeasure leaves a difference of about 100 clock cycles (in
310
* comparison to >1000 clock cycles observed without it).
311
*
312
* plen represents the length of the decrypted plaintext message P
313
* padlen represents the padding length
314
*
315
*/
316
void TLS_CBC_HMAC_AEAD_Decryption::perform_additional_compressions(size_t plen, size_t padlen)
317
292
   {
318
292
   uint16_t block_size;
319
292
   uint16_t max_bytes_in_first_block;
320
292
   if(mac().name() == "HMAC(SHA-384)")
321
74
      {
322
74
      block_size = 128;
323
74
      max_bytes_in_first_block = 111;
324
74
      }
325
218
   else
326
218
      {
327
218
      block_size = 64;
328
218
      max_bytes_in_first_block = 55;
329
218
      }
330
292
   // number of maximum MACed bytes
331
292
   const uint16_t L1 = static_cast<uint16_t>(13 + plen - tag_size());
332
292
   // number of current MACed bytes (L1 - padlen)
333
292
   // Here the Lucky 13 paper is different because the padlen length in the paper
334
292
   // does not count the last message byte.
335
292
   const uint16_t L2 = static_cast<uint16_t>(13 + plen - padlen - tag_size());
336
292
   // From the paper, for SHA-256/SHA-1 compute: ceil((L1-55)/64) and ceil((L2-55)/64)
337
292
   // ceil((L1-55)/64) = floor((L1+64-1-55)/64)
338
292
   // Here we compute number of compressions for SHA-* in general
339
292
   const uint16_t max_compresssions = ( (L1 + block_size - 1 - max_bytes_in_first_block) / block_size);
340
292
   const uint16_t current_compressions = ((L2 + block_size - 1 - max_bytes_in_first_block) / block_size);
341
292
   // number of additional compressions we have to perform
342
292
   const uint16_t add_compressions = max_compresssions - current_compressions;
343
292
   const uint16_t equal = CT::Mask<uint16_t>::is_equal(max_compresssions, current_compressions).if_set_return(1);
344
292
   // We compute the data length we need to achieve the number of compressions.
345
292
   // If there are no compressions, we just add 55/111 dummy bytes so that no
346
292
   // compression is performed.
347
292
   const uint16_t data_len = block_size * add_compressions + equal * max_bytes_in_first_block;
348
292
   std::vector<uint8_t> data(data_len);
349
292
   mac().update(data);
350
292
   // we do not need to clear the MAC since the connection is broken anyway
351
292
   }
352
353
void TLS_CBC_HMAC_AEAD_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
354
359
   {
355
359
   update(buffer, offset);
356
359
   buffer.resize(offset);
357
359
358
359
   const size_t record_len = msg().size();
359
359
   uint8_t* record_contents = msg().data();
360
359
361
359
   // This early exit does not leak info because all the values compared are public
362
359
   if(record_len < tag_size() ||
363
359
      (record_len - (use_encrypt_then_mac() ? tag_size() : 0)) % block_size() != 0)
364
55
      {
365
55
      throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
366
55
      }
367
304
368
304
   if(use_encrypt_then_mac())
369
12
      {
370
12
      const size_t enc_size = record_len - tag_size();
371
12
      const size_t enc_iv_size = enc_size + iv_size();
372
12
373
12
      BOTAN_ASSERT_NOMSG(enc_iv_size <= 0xFFFF);
374
12
375
12
      mac().update(assoc_data_with_len(static_cast<uint16_t>(enc_iv_size)));
376
12
      if(iv_size() > 0)
377
12
         {
378
12
         mac().update(cbc_state());
379
12
         }
380
12
      mac().update(record_contents, enc_size);
381
12
382
12
      std::vector<uint8_t> mac_buf(tag_size());
383
12
      mac().final(mac_buf.data());
384
12
385
12
      const size_t mac_offset = enc_size;
386
12
387
12
      const bool mac_ok = constant_time_compare(&record_contents[mac_offset], mac_buf.data(), tag_size());
388
12
389
12
      if(!mac_ok)
390
12
         {
391
12
         throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
392
12
         }
393
0
394
0
      cbc_decrypt_record(record_contents, enc_size);
395
0
396
0
      // 0 if padding was invalid, otherwise 1 + padding_bytes
397
0
      const uint16_t pad_size = check_tls_cbc_padding(record_contents, enc_size);
398
0
399
0
      // No oracle here, whoever sent us this had the key since MAC check passed
400
0
      if(pad_size == 0)
401
0
         {
402
0
         throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
403
0
         }
404
0
405
0
      const uint8_t* plaintext_block = &record_contents[0];
406
0
      const size_t plaintext_length = enc_size - pad_size;
407
0
408
0
      buffer.insert(buffer.end(), plaintext_block, plaintext_block + plaintext_length);
409
0
      }
410
292
   else
411
292
      {
412
292
      cbc_decrypt_record(record_contents, record_len);
413
292
414
292
      CT::poison(record_contents, record_len);
415
292
416
292
      // 0 if padding was invalid, otherwise 1 + padding_bytes
417
292
      uint16_t pad_size = check_tls_cbc_padding(record_contents, record_len);
418
292
419
292
      /*
420
292
      This mask is zero if there is not enough room in the packet to get a valid MAC.
421
292
422
292
      We have to accept empty packets, since otherwise we are not compatible
423
292
      with how OpenSSL's countermeasure for fixing BEAST in TLS 1.0 CBC works
424
292
      (sending empty records, instead of 1/(n-1) splitting)
425
292
      */
426
292
427
292
      // We know the cast cannot overflow as pad_size <= 256 && tag_size <= 32
428
292
      const auto size_ok_mask = CT::Mask<uint16_t>::is_lte(
429
292
         static_cast<uint16_t>(tag_size() + pad_size),
430
292
         static_cast<uint16_t>(record_len));
431
292
432
292
      pad_size = size_ok_mask.if_set_return(pad_size);
433
292
434
292
      CT::unpoison(record_contents, record_len);
435
292
436
292
      /*
437
292
      This is unpoisoned sooner than it should. The pad_size leaks to plaintext_length and
438
292
      then to the timing channel in the MAC computation described in the Lucky 13 paper.
439
292
      */
440
292
      CT::unpoison(pad_size);
441
292
442
292
      const uint8_t* plaintext_block = &record_contents[0];
443
292
      const uint16_t plaintext_length = static_cast<uint16_t>(record_len - tag_size() - pad_size);
444
292
445
292
      mac().update(assoc_data_with_len(plaintext_length));
446
292
      mac().update(plaintext_block, plaintext_length);
447
292
448
292
      std::vector<uint8_t> mac_buf(tag_size());
449
292
      mac().final(mac_buf.data());
450
292
451
292
      const size_t mac_offset = record_len - (tag_size() + pad_size);
452
292
453
292
      const bool mac_ok = constant_time_compare(&record_contents[mac_offset], mac_buf.data(), tag_size());
454
292
455
292
      const auto ok_mask = size_ok_mask & CT::Mask<uint16_t>::expand(mac_ok) & CT::Mask<uint16_t>::expand(pad_size);
456
292
457
292
      CT::unpoison(ok_mask);
458
292
459
292
      if(ok_mask.is_set())
460
0
         {
461
0
         buffer.insert(buffer.end(), plaintext_block, plaintext_block + plaintext_length);
462
0
         }
463
292
      else
464
292
         {
465
292
         perform_additional_compressions(record_len, pad_size);
466
292
467
292
         /*
468
292
         * In DTLS case we have to finish computing the MAC since we require the
469
292
         * MAC state be reset for future packets. This extra timing channel may
470
292
         * be exploitable in a Lucky13 variant.
471
292
         */
472
292
         if(is_datagram_protocol())
473
0
            mac().final(mac_buf);
474
292
         throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
475
292
         }
476
292
      }
477
304
   }
478
479
}
480
481
}