/src/botan/src/lib/tls/tls_cbc/tls_cbc.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * TLS CBC Record Handling |
3 | | * (C) 2012,2013,2014,2015,2016 Jack Lloyd |
4 | | * (C) 2016 Juraj Somorovsky |
5 | | * (C) 2016 Matthias Gierlings |
6 | | * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity |
7 | | * |
8 | | * Botan is released under the Simplified BSD License (see license.txt) |
9 | | */ |
10 | | |
11 | | #include <botan/internal/tls_cbc.h> |
12 | | #include <botan/cbc.h> |
13 | | |
14 | | #include <botan/internal/rounding.h> |
15 | | #include <botan/internal/ct_utils.h> |
16 | | #include <botan/loadstor.h> |
17 | | #include <botan/tls_alert.h> |
18 | | #include <botan/tls_exceptn.h> |
19 | | |
20 | | namespace Botan { |
21 | | |
22 | | namespace TLS { |
23 | | |
24 | | /* |
25 | | * TLS_CBC_HMAC_AEAD_Mode Constructor |
26 | | */ |
27 | | TLS_CBC_HMAC_AEAD_Mode::TLS_CBC_HMAC_AEAD_Mode(Cipher_Dir dir, |
28 | | std::unique_ptr<BlockCipher> cipher, |
29 | | std::unique_ptr<MessageAuthenticationCode> mac, |
30 | | size_t cipher_keylen, |
31 | | size_t mac_keylen, |
32 | | Protocol_Version version, |
33 | | bool use_encrypt_then_mac) : |
34 | | m_cipher_name(cipher->name()), |
35 | | m_mac_name(mac->name()), |
36 | | m_cipher_keylen(cipher_keylen), |
37 | | m_mac_keylen(mac_keylen), |
38 | | m_use_encrypt_then_mac(use_encrypt_then_mac) |
39 | 1.00k | { |
40 | 1.00k | m_tag_size = mac->output_length(); |
41 | 1.00k | m_block_size = cipher->block_size(); |
42 | 1.00k | |
43 | 1.00k | m_iv_size = version.supports_explicit_cbc_ivs() ? m_block_size : 0; |
44 | 1.00k | |
45 | 1.00k | m_is_datagram = version.is_datagram_protocol(); |
46 | 1.00k | |
47 | 1.00k | m_mac = std::move(mac); |
48 | 1.00k | |
49 | 1.00k | if(dir == ENCRYPTION) |
50 | 461 | m_cbc.reset(new CBC_Encryption(cipher.release(), new Null_Padding)); |
51 | 542 | else |
52 | 542 | m_cbc.reset(new CBC_Decryption(cipher.release(), new Null_Padding)); |
53 | 1.00k | } |
54 | | |
55 | | void TLS_CBC_HMAC_AEAD_Mode::clear() |
56 | 0 | { |
57 | 0 | cbc().clear(); |
58 | 0 | mac().clear(); |
59 | 0 | reset(); |
60 | 0 | } |
61 | | |
62 | | void TLS_CBC_HMAC_AEAD_Mode::reset() |
63 | 0 | { |
64 | 0 | cbc_state().clear(); |
65 | 0 | m_ad.clear(); |
66 | 0 | m_msg.clear(); |
67 | 0 | } |
68 | | |
69 | | std::string TLS_CBC_HMAC_AEAD_Mode::name() const |
70 | 0 | { |
71 | 0 | return "TLS_CBC(" + m_cipher_name + "," + m_mac_name + ")"; |
72 | 0 | } |
73 | | |
74 | | size_t TLS_CBC_HMAC_AEAD_Mode::update_granularity() const |
75 | 0 | { |
76 | 0 | return 1; // just buffers anyway |
77 | 0 | } |
78 | | |
79 | | bool TLS_CBC_HMAC_AEAD_Mode::valid_nonce_length(size_t nl) const |
80 | 1.11k | { |
81 | 1.11k | if(m_cbc_state.empty()) |
82 | 820 | return nl == block_size(); |
83 | 294 | return nl == iv_size(); |
84 | 294 | } |
85 | | |
86 | | Key_Length_Specification TLS_CBC_HMAC_AEAD_Mode::key_spec() const |
87 | 1.00k | { |
88 | 1.00k | return Key_Length_Specification(m_cipher_keylen + m_mac_keylen); |
89 | 1.00k | } |
90 | | |
91 | | void TLS_CBC_HMAC_AEAD_Mode::key_schedule(const uint8_t key[], size_t keylen) |
92 | 1.00k | { |
93 | 1.00k | // Both keys are of fixed length specified by the ciphersuite |
94 | 1.00k | |
95 | 1.00k | if(keylen != m_cipher_keylen + m_mac_keylen) |
96 | 0 | throw Invalid_Key_Length(name(), keylen); |
97 | 1.00k | |
98 | 1.00k | mac().set_key(&key[0], m_mac_keylen); |
99 | 1.00k | cbc().set_key(&key[m_mac_keylen], m_cipher_keylen); |
100 | 1.00k | } |
101 | | |
102 | | void TLS_CBC_HMAC_AEAD_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) |
103 | 1.11k | { |
104 | 1.11k | if(!valid_nonce_length(nonce_len)) |
105 | 0 | { |
106 | 0 | throw Invalid_IV_Length(name(), nonce_len); |
107 | 0 | } |
108 | 1.11k | |
109 | 1.11k | m_msg.clear(); |
110 | 1.11k | |
111 | 1.11k | if(nonce_len > 0) |
112 | 1.11k | { |
113 | 1.11k | m_cbc_state.assign(nonce, nonce + nonce_len); |
114 | 1.11k | } |
115 | 1.11k | } |
116 | | |
117 | | size_t TLS_CBC_HMAC_AEAD_Mode::process(uint8_t buf[], size_t sz) |
118 | 1.11k | { |
119 | 1.11k | m_msg.insert(m_msg.end(), buf, buf + sz); |
120 | 1.11k | return 0; |
121 | 1.11k | } |
122 | | |
123 | | std::vector<uint8_t> TLS_CBC_HMAC_AEAD_Mode::assoc_data_with_len(uint16_t len) |
124 | 304 | { |
125 | 304 | std::vector<uint8_t> ad = m_ad; |
126 | 304 | BOTAN_ASSERT(ad.size() == 13, "Expected AAD size"); |
127 | 304 | ad[11] = get_byte(0, len); |
128 | 304 | ad[12] = get_byte(1, len); |
129 | 304 | return ad; |
130 | 304 | } |
131 | | |
132 | | void TLS_CBC_HMAC_AEAD_Mode::set_associated_data(const uint8_t ad[], size_t ad_len) |
133 | 1.11k | { |
134 | 1.11k | if(ad_len != 13) |
135 | 0 | throw Invalid_Argument("Invalid TLS AEAD associated data length"); |
136 | 1.11k | m_ad.assign(ad, ad + ad_len); |
137 | 1.11k | } |
138 | | |
139 | | void TLS_CBC_HMAC_AEAD_Encryption::set_associated_data(const uint8_t ad[], size_t ad_len) |
140 | 755 | { |
141 | 755 | TLS_CBC_HMAC_AEAD_Mode::set_associated_data(ad, ad_len); |
142 | 755 | |
143 | 755 | if(use_encrypt_then_mac()) |
144 | 70 | { |
145 | 70 | // AAD hack for EtM |
146 | 70 | const uint16_t pt_size = make_uint16(assoc_data()[11], assoc_data()[12]); |
147 | 70 | const uint16_t enc_size = static_cast<uint16_t>(round_up(iv_size() + pt_size + 1, block_size())); |
148 | 70 | assoc_data()[11] = get_byte<uint16_t>(0, enc_size); |
149 | 70 | assoc_data()[12] = get_byte<uint16_t>(1, enc_size); |
150 | 70 | } |
151 | 755 | } |
152 | | |
153 | | void TLS_CBC_HMAC_AEAD_Encryption::cbc_encrypt_record(uint8_t buf[], size_t buf_size) |
154 | 755 | { |
155 | 755 | cbc().start(cbc_state()); |
156 | 755 | cbc().process(buf, buf_size); |
157 | 755 | |
158 | 755 | cbc_state().assign(buf + buf_size - block_size(), buf + buf_size); |
159 | 755 | } |
160 | | |
161 | | size_t TLS_CBC_HMAC_AEAD_Encryption::output_length(size_t input_length) const |
162 | 755 | { |
163 | 755 | return round_up(input_length + 1 + (use_encrypt_then_mac() ? 0 : tag_size()), block_size()) + |
164 | 755 | (use_encrypt_then_mac() ? tag_size() : 0); |
165 | 755 | } |
166 | | |
167 | | void TLS_CBC_HMAC_AEAD_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
168 | 755 | { |
169 | 755 | update(buffer, offset); |
170 | 755 | buffer.resize(offset); // truncate, leaving just header |
171 | 755 | const size_t header_size = offset; |
172 | 755 | |
173 | 755 | buffer.insert(buffer.end(), msg().begin(), msg().end()); |
174 | 755 | |
175 | 755 | const size_t input_size = msg().size() + 1 + (use_encrypt_then_mac() ? 0 : tag_size()); |
176 | 755 | const size_t enc_size = round_up(input_size, block_size()); |
177 | 755 | const size_t pad_val = enc_size - input_size; |
178 | 755 | const size_t buf_size = enc_size + (use_encrypt_then_mac() ? tag_size() : 0); |
179 | 755 | |
180 | 755 | BOTAN_ASSERT(enc_size % block_size() == 0, |
181 | 755 | "Buffer is an even multiple of block size"); |
182 | 755 | |
183 | 755 | mac().update(assoc_data()); |
184 | 755 | |
185 | 755 | if(use_encrypt_then_mac()) |
186 | 70 | { |
187 | 70 | if(iv_size() > 0) |
188 | 70 | { |
189 | 70 | mac().update(cbc_state()); |
190 | 70 | } |
191 | 70 | |
192 | 1.07k | for(size_t i = 0; i != pad_val + 1; ++i) |
193 | 1.00k | buffer.push_back(static_cast<uint8_t>(pad_val)); |
194 | 70 | cbc_encrypt_record(&buffer[header_size], enc_size); |
195 | 70 | } |
196 | 755 | |
197 | 755 | // EtM also uses ciphertext size instead of plaintext size for AEAD input |
198 | 755 | const uint8_t* mac_input = (use_encrypt_then_mac() ? &buffer[header_size] : msg().data()); |
199 | 755 | const size_t mac_input_len = (use_encrypt_then_mac() ? enc_size : msg().size()); |
200 | 755 | |
201 | 755 | mac().update(mac_input, mac_input_len); |
202 | 755 | |
203 | 755 | buffer.resize(buffer.size() + tag_size()); |
204 | 755 | mac().final(&buffer[buffer.size() - tag_size()]); |
205 | 755 | |
206 | 755 | if(use_encrypt_then_mac() == false) |
207 | 685 | { |
208 | 7.47k | for(size_t i = 0; i != pad_val + 1; ++i) |
209 | 6.78k | buffer.push_back(static_cast<uint8_t>(pad_val)); |
210 | 685 | cbc_encrypt_record(&buffer[header_size], buf_size); |
211 | 685 | } |
212 | 755 | } |
213 | | |
214 | | /* |
215 | | * Checks the TLS padding. Returns 0 if the padding is invalid (we |
216 | | * count the padding_length field as part of the padding size so a |
217 | | * valid padding will always be at least one byte long), or the length |
218 | | * of the padding otherwise. This is actually padding_length + 1 |
219 | | * because both the padding and padding_length fields are padding from |
220 | | * our perspective. |
221 | | * |
222 | | * Returning 0 in the error case should ensure the MAC check will fail. |
223 | | * This approach is suggested in section 6.2.3.2 of RFC 5246. |
224 | | */ |
225 | | uint16_t check_tls_cbc_padding(const uint8_t record[], size_t record_len) |
226 | 516 | { |
227 | 516 | if(record_len == 0 || record_len > 0xFFFF) |
228 | 0 | return 0; |
229 | 516 | |
230 | 516 | const uint16_t rec16 = static_cast<uint16_t>(record_len); |
231 | 516 | |
232 | 516 | /* |
233 | 516 | * TLS v1.0 and up require all the padding bytes be the same value |
234 | 516 | * and allows up to 255 bytes. |
235 | 516 | */ |
236 | 516 | |
237 | 516 | const uint16_t to_check = std::min<uint16_t>(256, static_cast<uint16_t>(record_len)); |
238 | 516 | const uint8_t pad_byte = record[record_len-1]; |
239 | 516 | const uint16_t pad_bytes = 1 + pad_byte; |
240 | 516 | |
241 | 516 | auto pad_invalid = CT::Mask<uint16_t>::is_lt(rec16, pad_bytes); |
242 | 516 | |
243 | 80.0k | for(uint16_t i = rec16 - to_check; i != rec16; ++i) |
244 | 79.5k | { |
245 | 79.5k | const uint16_t offset = rec16 - i; |
246 | 79.5k | const auto in_pad_range = CT::Mask<uint16_t>::is_lte(offset, pad_bytes); |
247 | 79.5k | const auto pad_correct = CT::Mask<uint16_t>::is_equal(record[i], pad_byte); |
248 | 79.5k | pad_invalid |= in_pad_range & ~pad_correct; |
249 | 79.5k | } |
250 | 516 | |
251 | 516 | return pad_invalid.if_not_set_return(pad_bytes); |
252 | 516 | } |
253 | | |
254 | | void TLS_CBC_HMAC_AEAD_Decryption::cbc_decrypt_record(uint8_t record_contents[], size_t record_len) |
255 | 292 | { |
256 | 292 | if(record_len == 0 || record_len % block_size() != 0) |
257 | 0 | throw Decoding_Error("Received TLS CBC ciphertext with invalid length"); |
258 | 292 | |
259 | 292 | cbc().start(cbc_state()); |
260 | 292 | cbc_state().assign(record_contents + record_len - block_size(), |
261 | 292 | record_contents + record_len); |
262 | 292 | |
263 | 292 | cbc().process(record_contents, record_len); |
264 | 292 | } |
265 | | |
266 | | size_t TLS_CBC_HMAC_AEAD_Decryption::output_length(size_t) const |
267 | 359 | { |
268 | 359 | /* |
269 | 359 | * We don't know this because the padding is arbitrary |
270 | 359 | */ |
271 | 359 | return 0; |
272 | 359 | } |
273 | | |
274 | | /* |
275 | | * This function performs additional compression calls in order |
276 | | * to protect from the Lucky 13 attack. It adds new compression |
277 | | * function calls over dummy data, by computing additional HMAC updates. |
278 | | * |
279 | | * The countermeasure was described (in a similar way) in the Lucky 13 paper. |
280 | | * |
281 | | * Background: |
282 | | * - One SHA-1/SHA-256 compression is performed with 64 bytes of data. |
283 | | * - HMAC adds 8 byte length field and padding (at least 1 byte) so that we have: |
284 | | * - 0 - 55 bytes: 1 compression |
285 | | * - 56 - 55+64 bytes: 2 compressions |
286 | | * - 56+64 - 55+2*64 bytes: 3 compressions ... |
287 | | * - For SHA-384, this works similarly, but we have 128 byte blocks and 16 byte |
288 | | * long length field. This results in: |
289 | | * - 0 - 111 bytes: 1 compression |
290 | | * - 112 - 111+128 bytes: 2 compressions ... |
291 | | * |
292 | | * The implemented countermeasure works as follows: |
293 | | * 1) It computes max_compressions: number of maximum compressions performed on |
294 | | * the decrypted data |
295 | | * 2) It computes current_compressions: number of compressions performed on the |
296 | | * decrypted data, after padding has been removed |
297 | | * 3) If current_compressions != max_compressions: It invokes an HMAC update |
298 | | * over dummy data so that (max_compressions - current_compressions) |
299 | | * compressions are performed. Otherwise, it invokes an HMAC update so that |
300 | | * no compressions are performed. |
301 | | * |
302 | | * Note that the padding validation in Botan is always performed over |
303 | | * min(plen,256) bytes, see the function check_tls_cbc_padding. This differs |
304 | | * from the countermeasure described in the paper. |
305 | | * |
306 | | * Note that the padding length padlen does also count the last byte |
307 | | * of the decrypted plaintext. This is different from the Lucky 13 paper. |
308 | | * |
309 | | * This countermeasure leaves a difference of about 100 clock cycles (in |
310 | | * comparison to >1000 clock cycles observed without it). |
311 | | * |
312 | | * plen represents the length of the decrypted plaintext message P |
313 | | * padlen represents the padding length |
314 | | * |
315 | | */ |
316 | | void TLS_CBC_HMAC_AEAD_Decryption::perform_additional_compressions(size_t plen, size_t padlen) |
317 | 292 | { |
318 | 292 | uint16_t block_size; |
319 | 292 | uint16_t max_bytes_in_first_block; |
320 | 292 | if(mac().name() == "HMAC(SHA-384)") |
321 | 74 | { |
322 | 74 | block_size = 128; |
323 | 74 | max_bytes_in_first_block = 111; |
324 | 74 | } |
325 | 218 | else |
326 | 218 | { |
327 | 218 | block_size = 64; |
328 | 218 | max_bytes_in_first_block = 55; |
329 | 218 | } |
330 | 292 | // number of maximum MACed bytes |
331 | 292 | const uint16_t L1 = static_cast<uint16_t>(13 + plen - tag_size()); |
332 | 292 | // number of current MACed bytes (L1 - padlen) |
333 | 292 | // Here the Lucky 13 paper is different because the padlen length in the paper |
334 | 292 | // does not count the last message byte. |
335 | 292 | const uint16_t L2 = static_cast<uint16_t>(13 + plen - padlen - tag_size()); |
336 | 292 | // From the paper, for SHA-256/SHA-1 compute: ceil((L1-55)/64) and ceil((L2-55)/64) |
337 | 292 | // ceil((L1-55)/64) = floor((L1+64-1-55)/64) |
338 | 292 | // Here we compute number of compressions for SHA-* in general |
339 | 292 | const uint16_t max_compresssions = ( (L1 + block_size - 1 - max_bytes_in_first_block) / block_size); |
340 | 292 | const uint16_t current_compressions = ((L2 + block_size - 1 - max_bytes_in_first_block) / block_size); |
341 | 292 | // number of additional compressions we have to perform |
342 | 292 | const uint16_t add_compressions = max_compresssions - current_compressions; |
343 | 292 | const uint16_t equal = CT::Mask<uint16_t>::is_equal(max_compresssions, current_compressions).if_set_return(1); |
344 | 292 | // We compute the data length we need to achieve the number of compressions. |
345 | 292 | // If there are no compressions, we just add 55/111 dummy bytes so that no |
346 | 292 | // compression is performed. |
347 | 292 | const uint16_t data_len = block_size * add_compressions + equal * max_bytes_in_first_block; |
348 | 292 | std::vector<uint8_t> data(data_len); |
349 | 292 | mac().update(data); |
350 | 292 | // we do not need to clear the MAC since the connection is broken anyway |
351 | 292 | } |
352 | | |
353 | | void TLS_CBC_HMAC_AEAD_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
354 | 359 | { |
355 | 359 | update(buffer, offset); |
356 | 359 | buffer.resize(offset); |
357 | 359 | |
358 | 359 | const size_t record_len = msg().size(); |
359 | 359 | uint8_t* record_contents = msg().data(); |
360 | 359 | |
361 | 359 | // This early exit does not leak info because all the values compared are public |
362 | 359 | if(record_len < tag_size() || |
363 | 359 | (record_len - (use_encrypt_then_mac() ? tag_size() : 0)) % block_size() != 0) |
364 | 55 | { |
365 | 55 | throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure"); |
366 | 55 | } |
367 | 304 | |
368 | 304 | if(use_encrypt_then_mac()) |
369 | 12 | { |
370 | 12 | const size_t enc_size = record_len - tag_size(); |
371 | 12 | const size_t enc_iv_size = enc_size + iv_size(); |
372 | 12 | |
373 | 12 | BOTAN_ASSERT_NOMSG(enc_iv_size <= 0xFFFF); |
374 | 12 | |
375 | 12 | mac().update(assoc_data_with_len(static_cast<uint16_t>(enc_iv_size))); |
376 | 12 | if(iv_size() > 0) |
377 | 12 | { |
378 | 12 | mac().update(cbc_state()); |
379 | 12 | } |
380 | 12 | mac().update(record_contents, enc_size); |
381 | 12 | |
382 | 12 | std::vector<uint8_t> mac_buf(tag_size()); |
383 | 12 | mac().final(mac_buf.data()); |
384 | 12 | |
385 | 12 | const size_t mac_offset = enc_size; |
386 | 12 | |
387 | 12 | const bool mac_ok = constant_time_compare(&record_contents[mac_offset], mac_buf.data(), tag_size()); |
388 | 12 | |
389 | 12 | if(!mac_ok) |
390 | 12 | { |
391 | 12 | throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure"); |
392 | 12 | } |
393 | 0 | |
394 | 0 | cbc_decrypt_record(record_contents, enc_size); |
395 | 0 |
|
396 | 0 | // 0 if padding was invalid, otherwise 1 + padding_bytes |
397 | 0 | const uint16_t pad_size = check_tls_cbc_padding(record_contents, enc_size); |
398 | 0 |
|
399 | 0 | // No oracle here, whoever sent us this had the key since MAC check passed |
400 | 0 | if(pad_size == 0) |
401 | 0 | { |
402 | 0 | throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure"); |
403 | 0 | } |
404 | 0 | |
405 | 0 | const uint8_t* plaintext_block = &record_contents[0]; |
406 | 0 | const size_t plaintext_length = enc_size - pad_size; |
407 | 0 |
|
408 | 0 | buffer.insert(buffer.end(), plaintext_block, plaintext_block + plaintext_length); |
409 | 0 | } |
410 | 292 | else |
411 | 292 | { |
412 | 292 | cbc_decrypt_record(record_contents, record_len); |
413 | 292 | |
414 | 292 | CT::poison(record_contents, record_len); |
415 | 292 | |
416 | 292 | // 0 if padding was invalid, otherwise 1 + padding_bytes |
417 | 292 | uint16_t pad_size = check_tls_cbc_padding(record_contents, record_len); |
418 | 292 | |
419 | 292 | /* |
420 | 292 | This mask is zero if there is not enough room in the packet to get a valid MAC. |
421 | 292 | |
422 | 292 | We have to accept empty packets, since otherwise we are not compatible |
423 | 292 | with how OpenSSL's countermeasure for fixing BEAST in TLS 1.0 CBC works |
424 | 292 | (sending empty records, instead of 1/(n-1) splitting) |
425 | 292 | */ |
426 | 292 | |
427 | 292 | // We know the cast cannot overflow as pad_size <= 256 && tag_size <= 32 |
428 | 292 | const auto size_ok_mask = CT::Mask<uint16_t>::is_lte( |
429 | 292 | static_cast<uint16_t>(tag_size() + pad_size), |
430 | 292 | static_cast<uint16_t>(record_len)); |
431 | 292 | |
432 | 292 | pad_size = size_ok_mask.if_set_return(pad_size); |
433 | 292 | |
434 | 292 | CT::unpoison(record_contents, record_len); |
435 | 292 | |
436 | 292 | /* |
437 | 292 | This is unpoisoned sooner than it should. The pad_size leaks to plaintext_length and |
438 | 292 | then to the timing channel in the MAC computation described in the Lucky 13 paper. |
439 | 292 | */ |
440 | 292 | CT::unpoison(pad_size); |
441 | 292 | |
442 | 292 | const uint8_t* plaintext_block = &record_contents[0]; |
443 | 292 | const uint16_t plaintext_length = static_cast<uint16_t>(record_len - tag_size() - pad_size); |
444 | 292 | |
445 | 292 | mac().update(assoc_data_with_len(plaintext_length)); |
446 | 292 | mac().update(plaintext_block, plaintext_length); |
447 | 292 | |
448 | 292 | std::vector<uint8_t> mac_buf(tag_size()); |
449 | 292 | mac().final(mac_buf.data()); |
450 | 292 | |
451 | 292 | const size_t mac_offset = record_len - (tag_size() + pad_size); |
452 | 292 | |
453 | 292 | const bool mac_ok = constant_time_compare(&record_contents[mac_offset], mac_buf.data(), tag_size()); |
454 | 292 | |
455 | 292 | const auto ok_mask = size_ok_mask & CT::Mask<uint16_t>::expand(mac_ok) & CT::Mask<uint16_t>::expand(pad_size); |
456 | 292 | |
457 | 292 | CT::unpoison(ok_mask); |
458 | 292 | |
459 | 292 | if(ok_mask.is_set()) |
460 | 0 | { |
461 | 0 | buffer.insert(buffer.end(), plaintext_block, plaintext_block + plaintext_length); |
462 | 0 | } |
463 | 292 | else |
464 | 292 | { |
465 | 292 | perform_additional_compressions(record_len, pad_size); |
466 | 292 | |
467 | 292 | /* |
468 | 292 | * In DTLS case we have to finish computing the MAC since we require the |
469 | 292 | * MAC state be reset for future packets. This extra timing channel may |
470 | 292 | * be exploitable in a Lucky13 variant. |
471 | 292 | */ |
472 | 292 | if(is_datagram_protocol()) |
473 | 0 | mac().final(mac_buf); |
474 | 292 | throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure"); |
475 | 292 | } |
476 | 292 | } |
477 | 304 | } |
478 | | |
479 | | } |
480 | | |
481 | | } |