/src/botan/src/lib/tls/tls_record.cpp
/*
* TLS Record Handling
* (C) 2012,2013,2014,2015,2016,2019 Jack Lloyd
*     2016 Juraj Somorovsky
*     2016 Matthias Gierlings
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#include <botan/internal/tls_record.h>
#include <botan/tls_ciphersuite.h>
#include <botan/tls_exceptn.h>
#include <botan/loadstor.h>
#include <botan/internal/tls_seq_numbers.h>
#include <botan/internal/tls_session_key.h>
#include <botan/internal/rounding.h>
#include <botan/internal/ct_utils.h>
#include <botan/rng.h>
#if defined(BOTAN_HAS_TLS_CBC)
  #include <botan/internal/tls_cbc.h>
#endif
namespace Botan {
namespace TLS {
/*
* Set up the record-layer cipher for one direction of a connection.
*
* @param version the negotiated protocol version; selects the per-record
*        nonce size and is passed through to the CBC+HMAC mode
* @param side whose key and nonce to take from @p keys
* @param our_side true when this state will encrypt (our outgoing records),
*        false when it will decrypt the peer's records
* @param suite the negotiated ciphersuite
* @param keys the session keys already derived for this connection
* @param uses_encrypt_then_mac whether encrypt-then-MAC (RFC 7366) was
*        negotiated; only consulted by the CBC+HMAC path
*
* @throws Internal_Error if a CBC+HMAC suite was negotiated but this build
*         was made without BOTAN_HAS_TLS_CBC
*/
Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
                                                 Connection_Side side,
                                                 bool our_side,
                                                 const Ciphersuite& suite,
                                                 const Session_Keys& keys,
                                                 bool uses_encrypt_then_mac) :
   m_start_time(std::chrono::system_clock::now())
   {
   m_nonce_format = suite.nonce_format();
   m_nonce_bytes_from_record = suite.nonce_bytes_from_record(version);
   m_nonce_bytes_from_handshake = suite.nonce_bytes_from_handshake();

   const secure_vector<uint8_t>& aead_key = keys.aead_key(side);
   m_nonce = keys.nonce(side);

   // The handshake-derived IV must be exactly the length the suite promises;
   // aead_nonce() relies on this when it assembles per-record nonces.
   BOTAN_ASSERT_NOMSG(m_nonce.size() == m_nonce_bytes_from_handshake);

   if(nonce_format() == Nonce_Format::CBC_MODE)
      {
#if defined(BOTAN_HAS_TLS_CBC)
      // legacy CBC+HMAC mode, wrapped so the record layer can drive it like an AEAD
      auto mac = MessageAuthenticationCode::create_or_throw("HMAC(" + suite.mac_algo() + ")");
      auto cipher = BlockCipher::create_or_throw(suite.cipher_algo());

      // our_side decides the direction: we only ever encrypt our own records
      // and decrypt the peer's, never both with one state.
      if(our_side)
         {
         m_aead.reset(new TLS_CBC_HMAC_AEAD_Encryption(
                         std::move(cipher),
                         std::move(mac),
                         suite.cipher_keylen(),
                         suite.mac_keylen(),
                         version,
                         uses_encrypt_then_mac));
         }
      else
         {
         m_aead.reset(new TLS_CBC_HMAC_AEAD_Decryption(
                         std::move(cipher),
                         std::move(mac),
                         suite.cipher_keylen(),
                         suite.mac_keylen(),
                         version,
                         uses_encrypt_then_mac));
         }

#else
      // The suite was negotiated even though the CBC module is compiled out;
      // this is a configuration error rather than a protocol error.
      BOTAN_UNUSED(uses_encrypt_then_mac);
      throw Internal_Error("Negotiated disabled TLS CBC+HMAC ciphersuite");
#endif
      }
   else
      {
      // Genuine AEAD suite; direction is again fixed by our_side.
      m_aead = AEAD_Mode::create_or_throw(suite.cipher_algo(), our_side ? ENCRYPTION : DECRYPTION);
      }

   m_aead->set_key(aead_key);
   }
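/*
* Build the nonce for an outgoing record.
*
* @param seq the record sequence number (for DTLS this carries epoch || seq)
* @param rng used only by CBC suites, which carry a fresh random IV per record
* @return the complete nonce to pass to AEAD_Mode::start; for formats with an
*         explicit part, write_record copies that part into the record
* @throws Invalid_State if m_nonce_format is not a known Nonce_Format
*/
std::vector<uint8_t> Connection_Cipher_State::aead_nonce(uint64_t seq, RandomNumberGenerator& rng)
   {
   switch(m_nonce_format)
      {
      case Nonce_Format::CBC_MODE:
         {
         // A non-empty m_nonce is the handshake-derived IV. Hand it out exactly
         // once (the swap leaves m_nonce empty) so that every later record gets
         // a fresh random IV from the RNG instead.
         if(m_nonce.size())
            {
            std::vector<uint8_t> nonce;
            nonce.swap(m_nonce);
            return nonce;
            }
         std::vector<uint8_t> nonce(nonce_bytes_from_record());
         rng.randomize(nonce.data(), nonce.size());
         return nonce;
         }
      case Nonce_Format::AEAD_XOR_12:
         {
         // 12-byte nonce: the sequence number in the low 8 bytes, XORed with the
         // whole 12-byte handshake IV. Nothing needs to be carried in the record;
         // the receiving side rebuilds the same value from seq alone.
         // Checked explicitly (as the AEAD_IMPLICIT_4 branch does) so a
         // mis-sized IV cannot silently XOR fewer bytes than intended.
         BOTAN_ASSERT_NOMSG(m_nonce.size() == 12);
         std::vector<uint8_t> nonce(12);
         store_be(seq, nonce.data() + 4);
         xor_buf(nonce, m_nonce.data(), m_nonce.size());
         return nonce;
         }
      case Nonce_Format::AEAD_IMPLICIT_4:
         {
         // 4-byte implicit salt from the handshake, followed by the 8-byte
         // sequence number that write_record sends explicitly in the record.
         BOTAN_ASSERT_NOMSG(m_nonce.size() == 4);
         std::vector<uint8_t> nonce(12);
         copy_mem(&nonce[0], m_nonce.data(), 4);
         store_be(seq, &nonce[nonce_bytes_from_handshake()]);
         return nonce;
         }
      }

   throw Invalid_State("Unknown nonce format specified");
   }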
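/*
* Recover the nonce of an incoming record.
*
* @param record the record body as received (explicit nonce first, if the
*        suite has one)
* @param record_len length of @p record
* @param seq the sequence number the record is expected to authenticate under
* @return the complete nonce to pass to AEAD_Mode::start
* @throws Decoding_Error if the record is too short to hold its explicit
*         nonce; this decision depends only on the public record length
* @throws Invalid_State if m_nonce_format is not a known Nonce_Format
*/
std::vector<uint8_t>
Connection_Cipher_State::aead_nonce(const uint8_t record[], size_t record_len, uint64_t seq)
   {
   switch(m_nonce_format)
      {
      case Nonce_Format::CBC_MODE:
         {
         // Suites with no per-record IV use the handshake-derived IV for the
         // first record only; the swap empties m_nonce so it is used once.
         if(nonce_bytes_from_record() == 0 && m_nonce.size())
            {
            std::vector<uint8_t> nonce;
            nonce.swap(m_nonce);
            return nonce;
            }
         if(record_len < nonce_bytes_from_record())
            throw Decoding_Error("Invalid CBC packet too short to be valid");
         // Otherwise the IV is the leading bytes of the record body.
         std::vector<uint8_t> nonce(record, record + nonce_bytes_from_record());
         return nonce;
         }
      case Nonce_Format::AEAD_XOR_12:
         {
         // Mirror of the sending side: seq in the low 8 bytes XORed with the
         // whole 12-byte handshake IV; no bytes are taken from the record.
         // Checked explicitly (as the AEAD_IMPLICIT_4 branch does) so a
         // mis-sized IV cannot silently XOR fewer bytes than intended.
         BOTAN_ASSERT_NOMSG(m_nonce.size() == 12);
         std::vector<uint8_t> nonce(12);
         store_be(seq, nonce.data() + 4);
         xor_buf(nonce, m_nonce.data(), m_nonce.size());
         return nonce;
         }
      case Nonce_Format::AEAD_IMPLICIT_4:
         {
         // 4-byte implicit salt from the handshake, then the explicit part
         // copied from the front of the record body.
         BOTAN_ASSERT_NOMSG(m_nonce.size() == 4);
         if(record_len < nonce_bytes_from_record())
            throw Decoding_Error("Invalid AEAD packet too short to be valid");
         std::vector<uint8_t> nonce(12);
         copy_mem(&nonce[0], m_nonce.data(), 4);
         copy_mem(&nonce[nonce_bytes_from_handshake()], record, nonce_bytes_from_record());
         return nonce;
         }
      }

   throw Invalid_State("Unknown nonce format specified");
   }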
/*
* Build the 13-byte additional data that every record is authenticated under:
* seq_num(8) || type(1) || version(2) || length(2), all big-endian.
*
* @param msg_sequence the record sequence number
* @param msg_type the record content type byte
* @param version the protocol version written in the record header
* @param msg_length the plaintext length of the record
* @return the encoded pseudo-header
*/
std::vector<uint8_t>
Connection_Cipher_State::format_ad(uint64_t msg_sequence,
                                   uint8_t msg_type,
                                   Protocol_Version version,
                                   uint16_t msg_length)
   {
   std::vector<uint8_t> ad;
   ad.reserve(13);

   // sequence number, most significant byte first
   for(size_t i = 0; i != 8; ++i)
      ad.push_back(get_byte(i, msg_sequence));

   ad.push_back(msg_type);
   ad.push_back(version.major_version());
   ad.push_back(version.minor_version());

   // plaintext length, again big-endian
   ad.push_back(get_byte(0, msg_length));
   ad.push_back(get_byte(1, msg_length));

   return ad;
   }
namespace {

/*
* Append a 16-bit big-endian length field to output.
* Asserts rather than silently truncating when len_field does not fit.
*/
inline void append_u16_len(secure_vector<uint8_t>& output, size_t len_field)
   {
   const uint16_t len16 = static_cast<uint16_t>(len_field);
   BOTAN_ASSERT_EQUAL(len_field, len16, "No truncation");

   const size_t offset = output.size();
   output.resize(offset + 2);
   store_be(len16, &output[offset]);
   }

/*
* Reset output and write the fixed part of a record header:
* type(1) || version(2), plus the explicit 64-bit sequence field for DTLS.
* The length field is appended separately by the caller once it is known.
*/
void write_record_header(secure_vector<uint8_t>& output,
                         uint8_t record_type,
                         Protocol_Version version,
                         uint64_t record_sequence)
   {
   output.clear();
   output.push_back(record_type);
   output.push_back(version.major_version());
   output.push_back(version.minor_version());

   if(version.is_datagram_protocol() == false)
      return;

   // DTLS carries epoch || sequence in the header, big-endian
   const size_t offset = output.size();
   output.resize(offset + 8);
   store_be(record_sequence, &output[offset]);
   }

}
/*
* Serialize a record with no protection at all: header, 16-bit length, body.
*
* @param output receives the complete record (any previous contents are dropped)
* @param record_type the record content type byte
* @param version the protocol version to write in the header
* @param record_sequence the sequence number (only written for DTLS)
* @param message the record body
* @param message_len length of @p message
* @throws Internal_Error if asked to write application data in the clear
*/
void write_unencrypted_record(secure_vector<uint8_t>& output,
                              uint8_t record_type,
                              Protocol_Version version,
                              uint64_t record_sequence,
                              const uint8_t* message,
                              size_t message_len)
   {
   // Application data must never be emitted without the record protection
   // that write_record applies; treat an attempt as a logic error.
   if(record_type == APPLICATION_DATA)
      throw Internal_Error("Writing an unencrypted TLS application data record");

   write_record_header(output, record_type, version, record_sequence);
   append_u16_len(output, message_len);
   output += std::make_pair(message, message_len);
   }
/*
* Serialize and protect one record with the connection's current cipher state.
*
* @param output receives the complete protected record (previous contents dropped)
* @param record_type the record content type byte
* @param version the protocol version to write in the header and bind into the AD
* @param record_sequence the sequence number; bound into the AD and nonce, and
*        written into the header for DTLS
* @param message the plaintext body
* @param message_len length of @p message; the caller is expected to keep this
*        within the protocol's plaintext record limit (it is narrowed to 16 bits
*        for the AD below, and append_u16_len asserts that the resulting
*        ciphertext length still fits)
* @param cs the cipher state (AEAD, nonce material, nonce layout) to use
* @param rng only used by CBC suites, for a fresh per-record IV
*/
void write_record(secure_vector<uint8_t>& output,
                  uint8_t record_type,
                  Protocol_Version version,
                  uint64_t record_sequence,
                  const uint8_t* message,
                  size_t message_len,
                  Connection_Cipher_State& cs,
                  RandomNumberGenerator& rng)
   {
   write_record_header(output, record_type, version, record_sequence);

   AEAD_Mode& aead = cs.aead();
   // The AD carries the *plaintext* length; decrypt_record reconstructs the
   // same value from the ciphertext length when verifying.
   std::vector<uint8_t> aad = cs.format_ad(record_sequence, record_type, version, static_cast<uint16_t>(message_len));

   const size_t ctext_size = aead.output_length(message_len);

   // Wire length = ciphertext (incl. tag) + whatever part of the nonce is sent explicitly
   const size_t rec_size = ctext_size + cs.nonce_bytes_from_record();

   aead.set_ad(aad);

   // Must come before the explicit-nonce copy below; for CBC suites this may
   // also consume the handshake IV (see aead_nonce).
   const std::vector<uint8_t> nonce = cs.aead_nonce(record_sequence, rng);

   append_u16_len(output, rec_size);

   if(cs.nonce_bytes_from_record() > 0)
      {
      // CBC sends the whole IV; the AEAD_IMPLICIT_4 layout sends only the
      // bytes after the handshake-derived prefix.
      if(cs.nonce_format() == Nonce_Format::CBC_MODE)
         output += nonce;
      else
         output += std::make_pair(&nonce[cs.nonce_bytes_from_handshake()], cs.nonce_bytes_from_record());
      }

   // Everything written so far stays in the clear; the AEAD works in place on
   // the bytes appended from header_size onward.
   const size_t header_size = output.size();
   output += std::make_pair(message, message_len);

   aead.start(nonce);
   aead.finish(output, header_size);

   // NOTE(review): output.size() includes the header here, whereas the read side
   // bounds only the record body by MAX_CIPHERTEXT_SIZE, so this check is slightly
   // stricter than the receiver's.
   BOTAN_ASSERT(output.size() < MAX_CIPHERTEXT_SIZE,
                "Produced ciphertext larger than protocol allows");
   }
namespace {

/*
* Move bytes from the caller's input into readbuf until readbuf holds
* @p desired bytes or the input is exhausted.
*
* @param readbuf the partial-record buffer being filled
* @param input advanced past the bytes taken
* @param input_size decremented by the bytes taken
* @param input_consumed incremented by the bytes taken
* @param desired the target size of readbuf
* @return 0 once readbuf holds at least @p desired bytes, otherwise the number
*         of bytes still missing
*/
size_t fill_buffer_to(secure_vector<uint8_t>& readbuf,
                      const uint8_t*& input,
                      size_t& input_size,
                      size_t& input_consumed,
                      size_t desired)
   {
   if(readbuf.size() >= desired)
      return 0; // already have it

   // Never take more than is needed, so anything past this record stays in
   // the caller's input for the next call.
   const size_t taken = std::min(input_size, desired - readbuf.size());

   readbuf.insert(readbuf.end(), input, input + taken);
   input_consumed += taken;
   input_size -= taken;
   input += taken;

   return (desired - readbuf.size()); // how many bytes do we still need?
   }

/*
* Authenticate and decrypt one record body into @p output.
*
* @param output receives the plaintext
* @param record_contents the record body: explicit nonce (if the suite has one)
*        followed by ciphertext and tag
* @param record_len length of @p record_contents; callers have already bounded
*        it by MAX_CIPHERTEXT_SIZE
* @param record_sequence the sequence number the record must authenticate under
* @param record_version version from the record header, bound into the AD
* @param record_type content type from the record header, bound into the AD
* @param cs the cipher state for the record's epoch
* @throws TLS_Exception with BAD_RECORD_MAC if the body cannot even hold a tag
*
* Anything thrown by cs.aead_nonce or by the AEAD itself propagates unchanged;
* the callers below decide whether that is fatal (TLS) or just drops the
* datagram (DTLS).
*/
void decrypt_record(secure_vector<uint8_t>& output,
                    uint8_t record_contents[], size_t record_len,
                    uint64_t record_sequence,
                    Protocol_Version record_version,
                    Record_Type record_type,
                    Connection_Cipher_State& cs)
   {
   AEAD_Mode& aead = cs.aead();

   // aead_nonce throws Decoding_Error if record_len is too short for the
   // explicit nonce, so the subtraction below cannot underflow.
   const std::vector<uint8_t> nonce = cs.aead_nonce(record_contents, record_len, record_sequence);
   const uint8_t* msg = &record_contents[cs.nonce_bytes_from_record()];
   const size_t msg_length = record_len - cs.nonce_bytes_from_record();

   /*
   * This early rejection is based just on public information (length of the
   * encrypted packet) and so does not leak any information. We used to use
   * decode_error here which really is more appropriate, but that confuses some
   * tools which are attempting automated detection of padding oracles,
   * including older versions of TLS-Attacker.
   */
   if(msg_length < aead.minimum_final_size())
      throw TLS_Exception(Alert::BAD_RECORD_MAC, "AEAD packet is shorter than the tag");

   // The AD must carry the plaintext length, exactly as write_record computed it.
   const size_t ptext_size = aead.output_length(msg_length);

   aead.set_associated_data_vec(
      cs.format_ad(record_sequence,
                   static_cast<uint8_t>(record_type),
                   record_version,
                   static_cast<uint16_t>(ptext_size))
      );

   aead.start(nonce);

   // Decrypt in place on a copy of the ciphertext; output holds the plaintext
   // on success.
   output.assign(msg, msg + msg_length);
   aead.finish(output, 0);
   }

/*
* Parse (and, once keys are active, decrypt) one TLS record from a byte stream.
*
* @param readbuf buffer holding a partially received record across calls; it is
*        cleared once a record has been returned
* @param input newly received bytes
* @param input_len length of @p input
* @param consumed incremented by the number of bytes taken from @p input
* @param recbuf receives the record's plaintext body
* @param sequence_numbers the read-side sequence state, or null before the
*        first handshake has established one
* @param get_cipherstate resolves an epoch to its cipher state
* @return a Record_Header describing the record, or one signalling how many
*         more input bytes are needed before a record can be completed
* @throws TLS_Exception on a malformed header; any failure from decrypt_record
*         also propagates, since a bad record is fatal on a stream transport
*/
Record_Header read_tls_record(secure_vector<uint8_t>& readbuf,
                              const uint8_t input[],
                              size_t input_len,
                              size_t& consumed,
                              secure_vector<uint8_t>& recbuf,
                              Connection_Sequence_Numbers* sequence_numbers,
                              get_cipherstate_fn get_cipherstate)
   {
   if(readbuf.size() < TLS_HEADER_SIZE) // header incomplete?
      {
      if(size_t needed = fill_buffer_to(readbuf, input, input_len, consumed, TLS_HEADER_SIZE))
         {
         return Record_Header(needed);
         }

      BOTAN_ASSERT_EQUAL(readbuf.size(), TLS_HEADER_SIZE, "Have an entire header");
      }

   const Protocol_Version version(readbuf[1], readbuf[2]);

   if(version.is_datagram_protocol())
      throw TLS_Exception(Alert::PROTOCOL_VERSION,
                          "Expected TLS but got a record with DTLS version");

   const size_t record_size = make_uint16(readbuf[TLS_HEADER_SIZE-2],
                                          readbuf[TLS_HEADER_SIZE-1]);

   // Length sanity checks happen before any more input is buffered, so an
   // oversized length field cannot make us accumulate an unbounded record.
   if(record_size > MAX_CIPHERTEXT_SIZE)
      throw TLS_Exception(Alert::RECORD_OVERFLOW,
                          "Received a record that exceeds maximum size");

   if(record_size == 0)
      throw TLS_Exception(Alert::DECODE_ERROR,
                          "Received a completely empty record");

   if(size_t needed = fill_buffer_to(readbuf, input, input_len, consumed, TLS_HEADER_SIZE + record_size))
      {
      return Record_Header(needed);
      }

   BOTAN_ASSERT_EQUAL(static_cast<size_t>(TLS_HEADER_SIZE) + record_size,
                      readbuf.size(),
                      "Have the full record");

   const Record_Type type = static_cast<Record_Type>(readbuf[0]);

   uint16_t epoch = 0;

   // TLS records carry no sequence number; it is tracked locally.
   uint64_t sequence = 0;
   if(sequence_numbers)
      {
      sequence = sequence_numbers->next_read_sequence();
      epoch = sequence_numbers->current_read_epoch();
      }
   else
      {
      // server initial handshake case
      epoch = 0;
      }

   // Whether a record is treated as plaintext depends only on our own epoch,
   // never on anything inside the record.
   if(epoch == 0) // Unencrypted initial handshake
      {
      recbuf.assign(readbuf.begin() + TLS_HEADER_SIZE, readbuf.begin() + TLS_HEADER_SIZE + record_size);
      readbuf.clear();
      return Record_Header(sequence, version, type);
      }

   // Otherwise, decrypt, check MAC, return plaintext
   auto cs = get_cipherstate(epoch);

   BOTAN_ASSERT(cs, "Have cipherstate for this epoch");

   // No try/catch here: on a stream transport a record that fails to
   // authenticate is fatal and the exception is left to the caller.
   decrypt_record(recbuf,
                  &readbuf[TLS_HEADER_SIZE],
                  record_size,
                  sequence,
                  version,
                  type,
                  *cs);

   if(sequence_numbers)
      sequence_numbers->read_accept(sequence);

   readbuf.clear();
   return Record_Header(sequence, version, type);
   }

/*
* Parse (and, once keys are active, decrypt) one DTLS record from a datagram.
*
* Unlike read_tls_record, almost every problem is handled by dropping the
* datagram (readbuf is cleared and Record_Header(0) returned) rather than by
* throwing, since a datagram transport must tolerate damaged or replayed input.
*
* @param readbuf buffer the datagram is parsed from; cleared before returning
* @param input newly received bytes
* @param input_len length of @p input
* @param consumed incremented by the number of bytes taken from @p input
* @param recbuf receives the record's plaintext body
* @param sequence_numbers the read-side sequence/replay state, or null
* @param get_cipherstate resolves an epoch to its cipher state
* @param allow_epoch0_restart if true, an already-seen epoch-0 sequence number
*        is accepted instead of being treated as a replay
* @return a Record_Header describing the record, or Record_Header(0) when the
*         datagram was dropped
*/
Record_Header read_dtls_record(secure_vector<uint8_t>& readbuf,
                               const uint8_t input[],
                               size_t input_len,
                               size_t& consumed,
                               secure_vector<uint8_t>& recbuf,
                               Connection_Sequence_Numbers* sequence_numbers,
                               get_cipherstate_fn get_cipherstate,
                               bool allow_epoch0_restart)
   {
   if(readbuf.size() < DTLS_HEADER_SIZE) // header incomplete?
      {
      if(fill_buffer_to(readbuf, input, input_len, consumed, DTLS_HEADER_SIZE))
         {
         readbuf.clear();
         return Record_Header(0);
         }

      BOTAN_ASSERT_EQUAL(readbuf.size(), DTLS_HEADER_SIZE, "Have an entire header");
      }

   const Protocol_Version version(readbuf[1], readbuf[2]);

   if(version.is_datagram_protocol() == false)
      {
      readbuf.clear();
      return Record_Header(0);
      }

   const size_t record_size = make_uint16(readbuf[DTLS_HEADER_SIZE-2],
                                          readbuf[DTLS_HEADER_SIZE-1]);

   if(record_size > MAX_CIPHERTEXT_SIZE)
      {
      // Too large to be valid, ignore it
      readbuf.clear();
      return Record_Header(0);
      }

   // NOTE(review): unlike read_tls_record there is no rejection of
   // record_size == 0 here; an empty epoch-0 body is handed to the caller as-is.
   if(fill_buffer_to(readbuf, input, input_len, consumed, DTLS_HEADER_SIZE + record_size))
      {
      // Truncated packet?
      readbuf.clear();
      return Record_Header(0);
      }

   BOTAN_ASSERT_EQUAL(static_cast<size_t>(DTLS_HEADER_SIZE) + record_size, readbuf.size(),
                      "Have the full record");

   const Record_Type type = static_cast<Record_Type>(readbuf[0]);

   // DTLS carries epoch (16 bits) || sequence (48 bits) in the header,
   // immediately after type and version.
   const uint64_t sequence = load_be<uint64_t>(&readbuf[3], 0);
   const uint16_t epoch = (sequence >> 48);

   // Replay check on the (unauthenticated) header sequence number, done before
   // any decryption so replays cost only a lookup.
   const bool already_seen = sequence_numbers && sequence_numbers->already_seen(sequence);

   if(already_seen && !(epoch == 0 && allow_epoch0_restart))
      {
      readbuf.clear();
      return Record_Header(0);
      }

   if(epoch == 0) // Unencrypted initial handshake
      {
      recbuf.assign(readbuf.begin() + DTLS_HEADER_SIZE, readbuf.begin() + DTLS_HEADER_SIZE + record_size);
      readbuf.clear();
      if(sequence_numbers)
         sequence_numbers->read_accept(sequence);
      return Record_Header(sequence, version, type);
      }

   try
      {
      // Otherwise, decrypt, check MAC, return plaintext
      auto cs = get_cipherstate(epoch);

      BOTAN_ASSERT(cs, "Have cipherstate for this epoch");

      decrypt_record(recbuf,
                     &readbuf[DTLS_HEADER_SIZE],
                     record_size,
                     sequence,
                     version,
                     type,
                     *cs);
      }
   // A record that fails to decode or authenticate is silently dropped; the
   // sequence number is deliberately not accepted in that case, so a forged
   // header cannot advance the replay window.
   // NOTE(review): the usual idiom is to catch by const reference.
   catch(std::exception&)
      {
      readbuf.clear();
      return Record_Header(0);
      }

   // Only an authenticated record updates the replay state.
   if(sequence_numbers)
      sequence_numbers->read_accept(sequence);

   readbuf.clear();
   return Record_Header(sequence, version, type);
   }

}
/*
* Entry point for record parsing: pick the stream or datagram parser.
*
* The two differ in failure policy (the TLS parser throws on a bad record,
* the DTLS parser drops the datagram), so callers should not assume one
* behaviour for both transports.
*
* @param is_datagram true for DTLS, false for TLS
* @param allow_epoch0_restart forwarded to the DTLS parser only
* The remaining parameters are passed through unchanged.
*/
Record_Header read_record(bool is_datagram,
                          secure_vector<uint8_t>& readbuf,
                          const uint8_t input[],
                          size_t input_len,
                          size_t& consumed,
                          secure_vector<uint8_t>& recbuf,
                          Connection_Sequence_Numbers* sequence_numbers,
                          get_cipherstate_fn get_cipherstate,
                          bool allow_epoch0_restart)
   {
   if(!is_datagram)
      {
      return read_tls_record(readbuf, input, input_len, consumed,
                             recbuf, sequence_numbers, get_cipherstate);
      }

   return read_dtls_record(readbuf, input, input_len, consumed,
                           recbuf, sequence_numbers, get_cipherstate, allow_epoch0_restart);
   }
}
}