Coverage Report

Created: 2020-02-14 15:38

/src/botan/src/lib/tls/tls_record.cpp
/*
* TLS Record Handling
* (C) 2012,2013,2014,2015,2016,2019 Jack Lloyd
*     2016 Juraj Somorovsky
*     2016 Matthias Gierlings
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#include <botan/internal/tls_record.h>
#include <botan/tls_ciphersuite.h>
#include <botan/tls_exceptn.h>
#include <botan/loadstor.h>
#include <botan/internal/tls_seq_numbers.h>
#include <botan/internal/tls_session_key.h>
#include <botan/internal/rounding.h>
#include <botan/internal/ct_utils.h>
#include <botan/rng.h>
#if defined(BOTAN_HAS_TLS_CBC)
  #include <botan/internal/tls_cbc.h>
#endif
namespace Botan {
namespace TLS {
/**
* Build the record-protection state for one direction of a connection.
*
* The nonce layout is read from the negotiated ciphersuite, the AEAD key and
* the handshake-derived nonce for `side` are taken from the session keys, and
* the cipher object is created and keyed: either the CBC+HMAC composite (only
* when the library is built with BOTAN_HAS_TLS_CBC) or an AEAD mode looked up
* by the suite's cipher name.
*
* @param version negotiated protocol version; selects the per-record nonce length
* @param side which side's key and nonce are taken from `keys`
* @param our_side true creates the encrypting object, false the decrypting one
* @param suite the negotiated ciphersuite
* @param keys the session keys
* @param uses_encrypt_then_mac passed through to the CBC+HMAC construction
* @throws Internal_Error if a CBC suite was negotiated but CBC support is compiled out
*/
Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
                                                 Connection_Side side,
                                                 bool our_side,
                                                 const Ciphersuite& suite,
                                                 const Session_Keys& keys,
                                                 bool uses_encrypt_then_mac) :
   m_start_time(std::chrono::system_clock::now())
   {
   // How nonces are assembled is a property of the suite (and, for the part
   // carried in each record, of the protocol version).
   m_nonce_format = suite.nonce_format();
   m_nonce_bytes_from_record = suite.nonce_bytes_from_record(version);
   m_nonce_bytes_from_handshake = suite.nonce_bytes_from_handshake();

   const secure_vector<uint8_t>& key = keys.aead_key(side);
   m_nonce = keys.nonce(side);

   // The key material must supply exactly as many nonce bytes as the suite
   // says come from the handshake; later nonce construction relies on it.
   BOTAN_ASSERT_NOMSG(m_nonce.size() == m_nonce_bytes_from_handshake);

   if(nonce_format() != Nonce_Format::CBC_MODE)
      {
      const auto direction = our_side ? ENCRYPTION : DECRYPTION;
      m_aead = AEAD_Mode::create_or_throw(suite.cipher_algo(), direction);
      }
   else
      {
#if defined(BOTAN_HAS_TLS_CBC)
      // Legacy CBC+HMAC suites are wrapped so they present the AEAD interface.
      auto hmac = MessageAuthenticationCode::create_or_throw("HMAC(" + suite.mac_algo() + ")");
      auto block_cipher = BlockCipher::create_or_throw(suite.cipher_algo());

      if(our_side)
         {
         m_aead.reset(new TLS_CBC_HMAC_AEAD_Encryption(
                         std::move(block_cipher),
                         std::move(hmac),
                         suite.cipher_keylen(),
                         suite.mac_keylen(),
                         version,
                         uses_encrypt_then_mac));
         }
      else
         {
         m_aead.reset(new TLS_CBC_HMAC_AEAD_Decryption(
                         std::move(block_cipher),
                         std::move(hmac),
                         suite.cipher_keylen(),
                         suite.mac_keylen(),
                         version,
                         uses_encrypt_then_mac));
         }

#else
      // Fail closed: a CBC suite must never be usable when CBC is disabled.
      BOTAN_UNUSED(uses_encrypt_then_mac);
      throw Internal_Error("Negotiated disabled TLS CBC+HMAC ciphersuite");
#endif
      }

   m_aead->set_key(key);
   }
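/**
* Produce the nonce/IV used to encrypt the record with sequence number `seq`.
*
* - CBC_MODE: if a handshake-derived IV is still held in m_nonce it is handed
*   out (the swap leaves m_nonce empty, so this happens at most once);
*   otherwise nonce_bytes_from_record() fresh bytes are drawn from `rng`.
* - AEAD_XOR_12: a 12-byte buffer with `seq` stored at offset 4, XORed with
*   m_nonce.
* - AEAD_IMPLICIT_4: the 4 bytes of m_nonce followed by `seq`.
*
* @param seq record sequence number
* @param rng source of randomness for explicit CBC IVs
* @return the nonce to pass to the AEAD for this record
* @throws Invalid_State if the nonce format is none of the above
*/
std::vector<uint8_t> Connection_Cipher_State::aead_nonce(uint64_t seq, RandomNumberGenerator& rng)
   {
   switch(m_nonce_format)
      {
      case Nonce_Format::CBC_MODE:
         {
         if(m_nonce.size())
            {
            // Hand out the stored IV and leave m_nonce empty
            std::vector<uint8_t> nonce;
            nonce.swap(m_nonce);
            return nonce;
            }
         std::vector<uint8_t> nonce(nonce_bytes_from_record());
         rng.randomize(nonce.data(), nonce.size());
         return nonce;
         }
      case Nonce_Format::AEAD_XOR_12:
         {
         std::vector<uint8_t> nonce(12);
         // xor_buf is told to process m_nonce.size() bytes, so the stored
         // nonce must fit the 12-byte buffer. The AEAD_IMPLICIT_4 branch
         // already asserts its length; this branch previously did not.
         BOTAN_ASSERT_NOMSG(m_nonce.size() <= nonce.size());
         store_be(seq, nonce.data() + 4);
         xor_buf(nonce, m_nonce.data(), m_nonce.size());
         return nonce;
         }
      case Nonce_Format::AEAD_IMPLICIT_4:
         {
         BOTAN_ASSERT_NOMSG(m_nonce.size() == 4);
         std::vector<uint8_t> nonce(12);
         copy_mem(&nonce[0], m_nonce.data(), 4);
         // The sequence number fills the explicit part of the nonce, so it is
         // unique per record for as long as sequence numbers are not reused.
         store_be(seq, &nonce[nonce_bytes_from_handshake()]);
         return nonce;
         }
      }

   throw Invalid_State("Unknown nonce format specified");
   }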
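/**
* Recover the nonce/IV needed to decrypt a received record.
*
* `record` and `record_len` describe peer-controlled bytes, so every read
* from the record is preceded by a length check.
*
* - CBC_MODE: with no per-record IV and a handshake IV still held, that IV is
*   handed out (the swap leaves m_nonce empty); otherwise the IV is the first
*   nonce_bytes_from_record() bytes of the record.
* - AEAD_XOR_12: derived from `seq` and m_nonce only; the record is not read.
* - AEAD_IMPLICIT_4: 4 bytes of m_nonce followed by the explicit part taken
*   from the start of the record.
*
* @param record start of the record body (peer-controlled)
* @param record_len number of bytes available at `record`
* @param seq record sequence number
* @return the nonce to pass to the AEAD for this record
* @throws Decoding_Error if the record is too short to hold its explicit nonce
* @throws Invalid_State if the nonce format is none of the above
*/
std::vector<uint8_t>
Connection_Cipher_State::aead_nonce(const uint8_t record[], size_t record_len, uint64_t seq)
   {
   switch(m_nonce_format)
      {
      case Nonce_Format::CBC_MODE:
         {
         // NOTE(review): in the coverage run dated 2020-02-14 this
         // implicit-IV branch has an execution count of 0.
         if(nonce_bytes_from_record() == 0 && m_nonce.size())
            {
            std::vector<uint8_t> nonce;
            nonce.swap(m_nonce);
            return nonce;
            }
         // Bounds check before copying the IV out of the record
         if(record_len < nonce_bytes_from_record())
            throw Decoding_Error("Invalid CBC packet too short to be valid");
         std::vector<uint8_t> nonce(record, record + nonce_bytes_from_record());
         return nonce;
         }
      case Nonce_Format::AEAD_XOR_12:
         {
         std::vector<uint8_t> nonce(12);
         // xor_buf is told to process m_nonce.size() bytes, so the stored
         // nonce must fit the 12-byte buffer.
         BOTAN_ASSERT_NOMSG(m_nonce.size() <= nonce.size());
         store_be(seq, nonce.data() + 4);
         xor_buf(nonce, m_nonce.data(), m_nonce.size());
         return nonce;
         }
      case Nonce_Format::AEAD_IMPLICIT_4:
         {
         BOTAN_ASSERT_NOMSG(m_nonce.size() == 4);
         // Bounds check before copying the explicit nonce out of the record
         if(record_len < nonce_bytes_from_record())
            throw Decoding_Error("Invalid AEAD packet too short to be valid");
         std::vector<uint8_t> nonce(12);
         // Both lengths come from the ciphersuite; make sure the second copy
         // below cannot run past the end of the 12-byte buffer.
         BOTAN_ASSERT_NOMSG(nonce_bytes_from_handshake() + nonce_bytes_from_record() <= nonce.size());
         copy_mem(&nonce[0], m_nonce.data(), 4);
         copy_mem(&nonce[nonce_bytes_from_handshake()], record, nonce_bytes_from_record());
         return nonce;
         }
      }

   throw Invalid_State("Unknown nonce format specified");
   }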
/**
* Serialise the associated data that is authenticated alongside a record.
*
* Layout (13 bytes): sequence number (8), record type (1), protocol version
* major and minor (2), length (2).
*
* @param msg_sequence record sequence number
* @param msg_type record content type
* @param version protocol version placed in the header
* @param msg_length length field to authenticate
* @return the 13-byte associated data
*/
std::vector<uint8_t>
Connection_Cipher_State::format_ad(uint64_t msg_sequence,
                                   uint8_t msg_type,
                                   Protocol_Version version,
                                   uint16_t msg_length)
   {
   std::vector<uint8_t> aad(13);
   uint8_t* const fields = aad.data();

   store_be(msg_sequence, fields);
   fields[8] = msg_type;
   fields[9] = version.major_version();
   fields[10] = version.minor_version();
   // Byte 0 then byte 1 of the length; presumably index 0 is the most
   // significant byte, giving network order -- confirm against get_byte.
   fields[11] = get_byte(0, msg_length);
   fields[12] = get_byte(1, msg_length);

   return aad;
   }
namespace {
/**
* Append a length to `output` as a 16-bit field.
*
* The assertion fails if `len_field` does not fit in 16 bits, so a length is
* never silently truncated on the wire.
*
* @param output buffer the two length bytes are appended to
* @param len_field the length to encode
*/
inline void append_u16_len(secure_vector<uint8_t>& output, size_t len_field)
   {
   const uint16_t len16 = static_cast<uint16_t>(len_field);
   // Round-trip check: the narrowed value must equal the original
   BOTAN_ASSERT_EQUAL(len_field, len16, "No truncation");

   const uint8_t first_byte = get_byte(0, len16);
   const uint8_t second_byte = get_byte(1, len16);
   output.push_back(first_byte);
   output.push_back(second_byte);
   }
}
/**
* Serialise one TLS/DTLS record into `output`, encrypting it when a cipher
* state is supplied.
*
* The header is the record type, the version and (for datagram versions) the
* 8-byte sequence number, followed by a 16-bit length. With no cipher state
* the message is copied in the clear. Otherwise any explicit nonce is written
* after the length and the message is encrypted and authenticated in place.
*
* NOTE(review): `message_len` is narrowed to 16 bits for the associated data
* without a check of its own. The size checks visible in this function are
* the truncation assert inside append_u16_len and the assertion after
* encryption; callers presumably bound the plaintext length -- confirm.
*
* @param output receives the complete record; cleared first
* @param record_type record content type
* @param version protocol version written to the header
* @param record_sequence sequence number (written on the wire for DTLS, and
*        used for the associated data and nonce)
* @param message plaintext
* @param message_len plaintext length in bytes
* @param cs cipher state, or null for initial unencrypted handshake records
* @param rng randomness for nonce generation
*/
void write_record(secure_vector<uint8_t>& output,
                  uint8_t record_type,
                  Protocol_Version version,
                  uint64_t record_sequence,
                  const uint8_t* message,
                  size_t message_len,
                  Connection_Cipher_State* cs,
                  RandomNumberGenerator& rng)
   {
   output.clear();

   output.push_back(record_type);
   output.push_back(version.major_version());
   output.push_back(version.minor_version());

   if(version.is_datagram_protocol())
      {
      // DTLS carries the full 8-byte sequence number in every header
      for(size_t byte_idx = 0; byte_idx < 8; ++byte_idx)
         {
         output.push_back(get_byte(byte_idx, record_sequence));
         }
      }

   if(cs == nullptr)
      {
      // Initial unencrypted handshake records: length, then the plaintext
      append_u16_len(output, message_len);
      output.insert(output.end(), message, message + message_len);
      return;
      }

   AEAD_Mode& aead = cs->aead();

   const uint16_t ad_length = static_cast<uint16_t>(message_len);
   std::vector<uint8_t> aad = cs->format_ad(record_sequence, record_type, version, ad_length);

   const size_t ciphertext_len = aead.output_length(message_len);
   const size_t fragment_len = ciphertext_len + cs->nonce_bytes_from_record();

   aead.set_ad(aad);

   const std::vector<uint8_t> nonce = cs->aead_nonce(record_sequence, rng);

   // Fails the truncation assert if the fragment cannot be described in 16 bits
   append_u16_len(output, fragment_len);

   if(cs->nonce_bytes_from_record() > 0)
      {
      if(cs->nonce_format() != Nonce_Format::CBC_MODE)
         {
         // Only the explicit part goes on the wire; the bytes from the
         // handshake stay implicit.
         output += std::make_pair(&nonce[cs->nonce_bytes_from_handshake()], cs->nonce_bytes_from_record());
         }
      else
         {
         output += nonce;
         }
      }

   // Everything before this offset is header and nonce and is left untouched
   const size_t plaintext_offset = output.size();
   output += std::make_pair(message, message_len);

   aead.start(nonce);
   aead.finish(output, plaintext_offset);

   BOTAN_ASSERT(output.size() < MAX_CIPHERTEXT_SIZE,
                "Produced ciphertext larger than protocol allows");
   }
namespace {
/**
* Move bytes from the input into `readbuf` until it holds `desired` bytes or
* the input runs out.
*
* Never copies more than `input_size` bytes and never grows `readbuf` beyond
* `desired`.
*
* @param readbuf accumulation buffer
* @param input advanced past the bytes taken
* @param input_size reduced by the bytes taken
* @param input_consumed increased by the bytes taken
* @param desired target size for `readbuf`
* @return how many bytes are still missing (0 once `readbuf` is full enough)
*/
size_t fill_buffer_to(secure_vector<uint8_t>& readbuf,
                      const uint8_t*& input,
                      size_t& input_size,
                      size_t& input_consumed,
                      size_t desired)
   {
   const size_t have = readbuf.size();

   if(have >= desired)
      return 0; // already have it

   // have < desired here, so the subtraction cannot wrap
   const size_t missing = desired - have;
   const size_t taken = (input_size < missing) ? input_size : missing;

   readbuf.insert(readbuf.end(), input, input + taken);

   input += taken;
   input_size -= taken;
   input_consumed += taken;

   return missing - taken; // how many bytes do we still need?
   }
/**
* Decrypt and authenticate one record body into `output`.
*
* The nonce is recovered first. In the nonce formats that read from the
* record, the aead_nonce overload in this file throws Decoding_Error when
* `record_len` is shorter than the explicit nonce, and that ordering is what
* keeps the length subtraction below from wrapping. NOTE(review): the
* AEAD_XOR_12 format has no such check; presumably its per-record nonce
* length is zero -- confirm.
*
* @param output receives the plaintext
* @param record_contents record body (peer-controlled)
* @param record_len length of the record body
* @param record_sequence sequence number used for the nonce and associated data
* @param record_version version from the record header
* @param record_type content type from the record header
* @param cs cipher state for the record's epoch
* @throws TLS_Exception with BAD_RECORD_MAC if the ciphertext is shorter
*         than the AEAD's minimum final size
*/
void decrypt_record(secure_vector<uint8_t>& output,
                    uint8_t record_contents[], size_t record_len,
                    uint64_t record_sequence,
                    Protocol_Version record_version,
                    Record_Type record_type,
                    Connection_Cipher_State& cs)
   {
   AEAD_Mode& aead = cs.aead();

   const std::vector<uint8_t> nonce = cs.aead_nonce(record_contents, record_len, record_sequence);

   // The ciphertext begins after whatever part of the nonce the record carried
   const uint8_t* ciphertext = &record_contents[cs.nonce_bytes_from_record()];
   const size_t ciphertext_len = record_len - cs.nonce_bytes_from_record();

   /*
   * Rejecting here depends only on the length of the encrypted packet, which
   * is public, so it leaks nothing. decode_error would be the more accurate
   * alert and was used in the past, but it confuses some tools that attempt
   * automated detection of padding oracles, including older versions of
   * TLS-Attacker, so the same alert as a MAC failure is sent instead.
   */
   if(ciphertext_len < aead.minimum_final_size())
      throw TLS_Exception(Alert::BAD_RECORD_MAC, "AEAD packet is shorter than the tag");

   const size_t plaintext_len = aead.output_length(ciphertext_len);

   // The authenticated length is the plaintext length, not the wire length
   const std::vector<uint8_t> ad =
      cs.format_ad(record_sequence,
                   static_cast<uint8_t>(record_type),
                   record_version,
                   static_cast<uint16_t>(plaintext_len));
   aead.set_associated_data_vec(ad);

   aead.start(nonce);

   output.assign(ciphertext, ciphertext + ciphertext_len);
   aead.finish(output, 0);
   }
/**
* Incrementally parse one TLS record from a byte stream.
*
* Bytes are accumulated in `readbuf` across calls. While the header or body
* is incomplete, the return value reports how many more bytes are needed.
* Once a full record is buffered it is either copied out (epoch 0, the
* unencrypted initial handshake) or decrypted and authenticated into `recbuf`.
*
* The length field is peer-controlled and is checked against
* MAX_CIPHERTEXT_SIZE before any body bytes are buffered, which bounds how
* far `readbuf` can grow.
*
* NOTE(review): in the coverage run dated 2020-02-14 the read_accept call
* that follows decrypt_record has an execution count of 0, so the
* successful-decryption path was not exercised by that run.
*
* @param readbuf accumulation buffer, cleared once a record is returned
* @param input new bytes from the peer
* @param input_len number of bytes at `input`
* @param consumed increased by the number of input bytes used
* @param recbuf receives the record plaintext
* @param sequence_numbers sequence state, or null (server initial handshake)
* @param get_cipherstate looks up the cipher state for an epoch
* @return bytes still needed, or the header of the completed record
* @throws TLS_Exception for a DTLS version, an oversized record or an empty record
*/
Record_Header read_tls_record(secure_vector<uint8_t>& readbuf,
                              const uint8_t input[],
                              size_t input_len,
                              size_t& consumed,
                              secure_vector<uint8_t>& recbuf,
                              Connection_Sequence_Numbers* sequence_numbers,
                              get_cipherstate_fn get_cipherstate)
   {
   if(readbuf.size() < TLS_HEADER_SIZE) // header incomplete?
      {
      const size_t header_missing = fill_buffer_to(readbuf, input, input_len, consumed, TLS_HEADER_SIZE);
      if(header_missing != 0)
         {
         return Record_Header(header_missing);
         }

      BOTAN_ASSERT_EQUAL(readbuf.size(), TLS_HEADER_SIZE, "Have an entire header");
      }

   const Protocol_Version version(readbuf[1], readbuf[2]);

   if(version.is_datagram_protocol())
      {
      throw TLS_Exception(Alert::PROTOCOL_VERSION,
                          "Expected TLS but got a record with DTLS version");
      }

   // The length is the last two bytes of the header
   const size_t record_size = make_uint16(readbuf[TLS_HEADER_SIZE-2],
                                          readbuf[TLS_HEADER_SIZE-1]);

   if(record_size > MAX_CIPHERTEXT_SIZE)
      {
      throw TLS_Exception(Alert::RECORD_OVERFLOW,
                          "Received a record that exceeds maximum size");
      }

   if(record_size == 0)
      {
      throw TLS_Exception(Alert::DECODE_ERROR,
                          "Received a completely empty record");
      }

   const size_t body_missing = fill_buffer_to(readbuf, input, input_len, consumed, TLS_HEADER_SIZE + record_size);
   if(body_missing != 0)
      {
      return Record_Header(body_missing);
      }

   BOTAN_ASSERT_EQUAL(static_cast<size_t>(TLS_HEADER_SIZE) + record_size,
                      readbuf.size(),
                      "Have the full record");

   const Record_Type type = static_cast<Record_Type>(readbuf[0]);

   // Without sequence state (server initial handshake case) both stay zero
   uint64_t sequence = 0;
   uint16_t epoch = 0;

   if(sequence_numbers != nullptr)
      {
      sequence = sequence_numbers->next_read_sequence();
      epoch = sequence_numbers->current_read_epoch();
      }

   if(epoch == 0) // Unencrypted initial handshake
      {
      const auto body_begin = readbuf.begin() + TLS_HEADER_SIZE;
      recbuf.assign(body_begin, body_begin + record_size);
      readbuf.clear();
      return Record_Header(sequence, version, type);
      }

   // Otherwise, decrypt, check MAC, return plaintext
   auto cs = get_cipherstate(epoch);

   BOTAN_ASSERT(cs, "Have cipherstate for this epoch");

   decrypt_record(recbuf,
                  &readbuf[TLS_HEADER_SIZE],
                  record_size,
                  sequence,
                  version,
                  type,
                  *cs);

   // Reached only when decrypt_record returned without throwing
   if(sequence_numbers != nullptr)
      {
      sequence_numbers->read_accept(sequence);
      }

   readbuf.clear();
   return Record_Header(sequence, version, type);
   }
/**
* Parse one DTLS record from a datagram.
*
* Unlike the TLS reader, nothing here raises an alert for bad input: a
* truncated header or body, a non-datagram version, an oversized length, a
* replayed sequence number or a record that fails decryption is dropped by
* clearing `readbuf` and returning Record_Header(0).
*
* The epoch and sequence number are read from the record header itself, so
* both are peer-controlled until the record authenticates. read_accept is
* called only for epoch 0 records and for records that decrypted successfully.
*
* NOTE(review): the catch-all around decryption also covers a failing
* BOTAN_ASSERT(cs) if that macro throws a std::exception-derived type, so a
* missing cipher state would be dropped silently as well -- confirm intended.
*
* NOTE(review): in the coverage run dated 2020-02-14 every line after the
* catch block has an execution count of 0, so no encrypted DTLS record was
* accepted during that run.
*
* @param readbuf accumulation buffer, cleared on every return path shown here
* @param input datagram bytes from the peer
* @param input_len number of bytes at `input`
* @param consumed increased by the number of input bytes used
* @param recbuf receives the record plaintext
* @param sequence_numbers replay-tracking state, may be null
* @param get_cipherstate looks up the cipher state for an epoch
* @param allow_epoch0_restart if true, an already-seen epoch 0 record is still processed
* @return Record_Header(0) when the datagram is dropped, else the record's header
*/
Record_Header read_dtls_record(secure_vector<uint8_t>& readbuf,
                               const uint8_t input[],
                               size_t input_len,
                               size_t& consumed,
                               secure_vector<uint8_t>& recbuf,
                               Connection_Sequence_Numbers* sequence_numbers,
                               get_cipherstate_fn get_cipherstate,
                               bool allow_epoch0_restart)
   {
   // Every rejection is handled the same way: forget the buffered datagram
   // and return the bytes-needed form of the header with a count of zero.
   auto discard = [&readbuf]() -> Record_Header
      {
      readbuf.clear();
      return Record_Header(0);
      };

   if(readbuf.size() < DTLS_HEADER_SIZE) // header incomplete?
      {
      if(fill_buffer_to(readbuf, input, input_len, consumed, DTLS_HEADER_SIZE) != 0)
         {
         return discard();
         }

      BOTAN_ASSERT_EQUAL(readbuf.size(), DTLS_HEADER_SIZE, "Have an entire header");
      }

   const Protocol_Version version(readbuf[1], readbuf[2]);

   if(!version.is_datagram_protocol())
      {
      return discard();
      }

   const size_t record_size = make_uint16(readbuf[DTLS_HEADER_SIZE-2],
                                          readbuf[DTLS_HEADER_SIZE-1]);

   if(record_size > MAX_CIPHERTEXT_SIZE)
      {
      // Too large to be valid, ignore it
      return discard();
      }

   if(fill_buffer_to(readbuf, input, input_len, consumed, DTLS_HEADER_SIZE + record_size) != 0)
      {
      // Truncated packet?
      return discard();
      }

   BOTAN_ASSERT_EQUAL(static_cast<size_t>(DTLS_HEADER_SIZE) + record_size, readbuf.size(),
                      "Have the full record");

   const Record_Type type = static_cast<Record_Type>(readbuf[0]);

   // The 64-bit value read from the header holds the epoch in its top 16 bits
   const uint64_t sequence = load_be<uint64_t>(&readbuf[3], 0);
   const uint16_t epoch = static_cast<uint16_t>(sequence >> 48);

   const bool already_seen = sequence_numbers && sequence_numbers->already_seen(sequence);

   // Replays are dropped, except epoch 0 records when a restart is allowed
   if(already_seen && (epoch != 0 || !allow_epoch0_restart))
      {
      return discard();
      }

   if(epoch == 0) // Unencrypted initial handshake
      {
      const auto body_begin = readbuf.begin() + DTLS_HEADER_SIZE;
      recbuf.assign(body_begin, body_begin + record_size);
      readbuf.clear();
      if(sequence_numbers != nullptr)
         {
         sequence_numbers->read_accept(sequence);
         }
      return Record_Header(sequence, version, type);
      }

   try
      {
      // Otherwise, decrypt, check MAC, return plaintext
      auto cs = get_cipherstate(epoch);

      BOTAN_ASSERT(cs, "Have cipherstate for this epoch");

      decrypt_record(recbuf,
                     &readbuf[DTLS_HEADER_SIZE],
                     record_size,
                     sequence,
                     version,
                     type,
                     *cs);
      }
   catch(std::exception&)
      {
      // A record that fails to decrypt is dropped without any error report
      return discard();
      }

   // The sequence number is marked as seen only after authentication succeeded
   if(sequence_numbers != nullptr)
      {
      sequence_numbers->read_accept(sequence);
      }

   readbuf.clear();
   return Record_Header(sequence, version, type);
   }
}
/**
* Read one record, dispatching to the DTLS or TLS reader.
*
* @param is_datagram true selects the DTLS reader, false the TLS reader
* @param readbuf accumulation buffer shared across calls
* @param input new bytes from the peer
* @param input_len number of bytes at `input`
* @param consumed increased by the number of input bytes used
* @param recbuf receives the record plaintext
* @param sequence_numbers sequence state, may be null
* @param get_cipherstate looks up the cipher state for an epoch
* @param allow_epoch0_restart passed to the DTLS reader only
* @return whatever the selected reader returns
*/
Record_Header read_record(bool is_datagram,
                          secure_vector<uint8_t>& readbuf,
                          const uint8_t input[],
                          size_t input_len,
                          size_t& consumed,
                          secure_vector<uint8_t>& recbuf,
                          Connection_Sequence_Numbers* sequence_numbers,
                          get_cipherstate_fn get_cipherstate,
                          bool allow_epoch0_restart)
   {
   if(!is_datagram)
      {
      return read_tls_record(readbuf, input, input_len, consumed,
                             recbuf, sequence_numbers, get_cipherstate);
      }

   return read_dtls_record(readbuf, input, input_len, consumed,
                           recbuf, sequence_numbers, get_cipherstate, allow_epoch0_restart);
   }
}
}