Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2000-2013 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2013 Nikos Mavrogiannopoulos |
4 | | * Copyright (C) 2017-2018 Red Hat, Inc. |
5 | | * |
6 | | * Author: Nikos Mavrogiannopoulos |
7 | | * |
8 | | * This file is part of GnuTLS. |
9 | | * |
10 | | * The GnuTLS is free software; you can redistribute it and/or |
11 | | * modify it under the terms of the GNU Lesser General Public License |
12 | | * as published by the Free Software Foundation; either version 2.1 of |
13 | | * the License, or (at your option) any later version. |
14 | | * |
15 | | * This library is distributed in the hope that it will be useful, but |
16 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
18 | | * Lesser General Public License for more details. |
19 | | * |
20 | | * You should have received a copy of the GNU Lesser General Public License |
21 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
22 | | * |
23 | | */ |
24 | | |
25 | | /* Some high level functions to be used in the record encryption are |
26 | | * included here. |
27 | | */ |
28 | | |
29 | | #include "gnutls_int.h" |
30 | | #include "errors.h" |
31 | | #include "cipher.h" |
32 | | #include "algorithms.h" |
33 | | #include "hash_int.h" |
34 | | #include "cipher_int.h" |
35 | | #include "debug.h" |
36 | | #include "num.h" |
37 | | #include "datum.h" |
38 | | #include "kx.h" |
39 | | #include "record.h" |
40 | | #include "constate.h" |
41 | | #include "mbuffers.h" |
42 | | #include "state.h" |
43 | | #include "random.h" |
44 | | |
45 | | #include <nettle/memxor.h> |
46 | | |
47 | | static int encrypt_packet(gnutls_session_t session, uint8_t *cipher_data, |
48 | | int cipher_size, gnutls_datum_t *plain, |
49 | | size_t min_pad, content_type_t _type, |
50 | | record_parameters_st *params); |
51 | | |
52 | | static int decrypt_packet(gnutls_session_t session, gnutls_datum_t *ciphertext, |
53 | | gnutls_datum_t *plain, content_type_t type, |
54 | | record_parameters_st *params, uint64_t sequence); |
55 | | |
56 | | static int decrypt_packet_tls13(gnutls_session_t session, |
57 | | gnutls_datum_t *ciphertext, |
58 | | gnutls_datum_t *plain, content_type_t *type, |
59 | | record_parameters_st *params, |
60 | | uint64_t sequence); |
61 | | |
62 | | static int encrypt_packet_tls13(gnutls_session_t session, uint8_t *cipher_data, |
63 | | size_t cipher_size, gnutls_datum_t *plain, |
64 | | size_t pad_size, uint8_t type, |
65 | | record_parameters_st *params); |
66 | | |
67 | | /* returns ciphertext which contains the headers too. This also |
68 | | * calculates the size in the header field. |
69 | | * |
70 | | */ |
71 | | int _gnutls_encrypt(gnutls_session_t session, const uint8_t *data, |
72 | | size_t data_size, size_t min_pad, mbuffer_st *bufel, |
73 | | content_type_t type, record_parameters_st *params) |
74 | 10.7k | { |
75 | 10.7k | gnutls_datum_t plaintext; |
76 | 10.7k | const version_entry_st *vers = |
77 | 10.7k | (session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT) && |
78 | 10.7k | !IS_SERVER(session) ? |
79 | 0 | session->internals.resumed_security_parameters.pversion : |
80 | 10.7k | get_version(session); |
81 | 10.7k | int ret; |
82 | | |
83 | 10.7k | plaintext.data = (uint8_t *)data; |
84 | 10.7k | plaintext.size = data_size; |
85 | | |
86 | 10.7k | if (vers && vers->tls13_sem) { |
87 | | /* it fills the header, as it is included in the authenticated |
88 | | * data of the AEAD cipher. */ |
89 | 787 | ret = encrypt_packet_tls13(session, |
90 | 787 | _mbuffer_get_udata_ptr(bufel), |
91 | 787 | _mbuffer_get_udata_size(bufel), |
92 | 787 | &plaintext, min_pad, type, params); |
93 | 787 | if (ret < 0) |
94 | 0 | return gnutls_assert_val(ret); |
95 | 9.98k | } else { |
96 | 9.98k | ret = encrypt_packet(session, _mbuffer_get_udata_ptr(bufel), |
97 | 9.98k | _mbuffer_get_udata_size(bufel), &plaintext, |
98 | 9.98k | min_pad, type, params); |
99 | 9.98k | if (ret < 0) |
100 | 40 | return gnutls_assert_val(ret); |
101 | 9.98k | } |
102 | | |
103 | 10.7k | if (IS_DTLS(session)) |
104 | 0 | _gnutls_write_uint16( |
105 | 0 | ret, ((uint8_t *)_mbuffer_get_uhead_ptr(bufel)) + 11); |
106 | 10.7k | else |
107 | 10.7k | _gnutls_write_uint16( |
108 | 10.7k | ret, ((uint8_t *)_mbuffer_get_uhead_ptr(bufel)) + 3); |
109 | | |
110 | 10.7k | _mbuffer_set_udata_size(bufel, ret); |
111 | 10.7k | _mbuffer_set_uhead_size(bufel, 0); |
112 | | |
113 | 10.7k | return _mbuffer_get_udata_size(bufel); |
114 | 10.7k | } |
115 | | |
116 | | /* Decrypts the given data. |
117 | | * Returns the decrypted data length. |
118 | | * |
119 | | * The output is preallocated with the maximum allowed data size. |
120 | | */ |
121 | | int _gnutls_decrypt(gnutls_session_t session, gnutls_datum_t *ciphertext, |
122 | | gnutls_datum_t *output, content_type_t *type, |
123 | | record_parameters_st *params, uint64_t sequence) |
124 | 200k | { |
125 | 200k | int ret; |
126 | 200k | const version_entry_st *vers = get_version(session); |
127 | | |
128 | 200k | if (ciphertext->size == 0) |
129 | 0 | return 0; |
130 | | |
131 | 200k | if (vers && vers->tls13_sem) |
132 | 10.7k | ret = decrypt_packet_tls13(session, ciphertext, output, type, |
133 | 10.7k | params, sequence); |
134 | 189k | else |
135 | 189k | ret = decrypt_packet(session, ciphertext, output, *type, params, |
136 | 189k | sequence); |
137 | 200k | if (ret < 0) |
138 | 185 | return gnutls_assert_val(ret); |
139 | | |
140 | 200k | return ret; |
141 | 200k | } |
142 | | |
143 | | inline static int calc_enc_length_block(gnutls_session_t session, |
144 | | const version_entry_st *ver, |
145 | | int data_size, int hash_size, |
146 | | uint8_t *pad, unsigned auth_cipher, |
147 | | uint16_t blocksize, unsigned etm) |
148 | 364 | { |
149 | | /* pad is the LH pad the user wants us to add. Besides |
150 | | * this LH pad, we only add minimal padding |
151 | | */ |
152 | 364 | unsigned int pre_length = data_size + *pad; |
153 | 364 | unsigned int length, new_pad; |
154 | | |
155 | 364 | if (etm == 0) |
156 | 354 | pre_length += hash_size; |
157 | | |
158 | 364 | new_pad = (uint8_t)(blocksize - (pre_length % blocksize)) + *pad; |
159 | | |
160 | 364 | if (new_pad > 255) |
161 | 0 | new_pad -= blocksize; |
162 | 364 | *pad = new_pad; |
163 | | |
164 | 364 | length = data_size + hash_size + *pad; |
165 | | |
166 | 364 | if (_gnutls_version_has_explicit_iv(ver)) |
167 | 118 | length += blocksize; /* for the IV */ |
168 | | |
169 | 364 | return length; |
170 | 364 | } |
171 | | |
172 | | inline static int calc_enc_length_stream(gnutls_session_t session, |
173 | | int data_size, int hash_size, |
174 | | unsigned auth_cipher, |
175 | | unsigned exp_iv_size) |
176 | 9.61k | { |
177 | 9.61k | unsigned int length; |
178 | | |
179 | 9.61k | length = data_size + hash_size; |
180 | 9.61k | if (auth_cipher) |
181 | 179 | length += exp_iv_size; |
182 | | |
183 | 9.61k | return length; |
184 | 9.61k | } |
185 | | |
186 | | /* generates the authentication data (data to be hashed only |
187 | | * and are not to be sent). Returns their size. |
188 | | */ |
189 | | int _gnutls_make_preamble(uint64_t uint64_data, uint8_t type, |
190 | | unsigned int length, const version_entry_st *ver, |
191 | | uint8_t preamble[MAX_PREAMBLE_SIZE]) |
192 | 199k | { |
193 | 199k | uint8_t *p = preamble; |
194 | 199k | uint16_t c_length; |
195 | | |
196 | 199k | c_length = _gnutls_conv_uint16(length); |
197 | | |
198 | 199k | _gnutls_write_uint64(uint64_data, p); |
199 | 199k | p += 8; |
200 | 199k | *p = type; |
201 | 199k | p++; |
202 | | #ifdef ENABLE_SSL3 |
203 | | if (ver->id != GNUTLS_SSL3) |
204 | | #endif |
205 | 199k | { /* TLS protocols */ |
206 | 199k | *p = ver->major; |
207 | 199k | p++; |
208 | 199k | *p = ver->minor; |
209 | 199k | p++; |
210 | 199k | } |
211 | 199k | memcpy(p, &c_length, 2); |
212 | 199k | p += 2; |
213 | 199k | return p - preamble; |
214 | 199k | } |
215 | | |
216 | | /* This is the actual encryption |
217 | | * Encrypts the given plaintext datum, and puts the result to cipher_data, |
218 | | * which has cipher_size size. |
219 | | * return the actual encrypted data length. |
220 | | */ |
221 | | static int encrypt_packet(gnutls_session_t session, uint8_t *cipher_data, |
222 | | int cipher_size, gnutls_datum_t *plain, |
223 | | size_t min_pad, content_type_t type, |
224 | | record_parameters_st *params) |
225 | 9.98k | { |
226 | 9.98k | uint8_t pad; |
227 | 9.98k | int length, ret; |
228 | 9.98k | uint8_t preamble[MAX_PREAMBLE_SIZE]; |
229 | 9.98k | int preamble_size; |
230 | 9.98k | int tag_size = _gnutls_auth_cipher_tag_len(¶ms->write.ctx.tls12); |
231 | 9.98k | int blocksize = _gnutls_cipher_get_block_size(params->cipher); |
232 | 9.98k | unsigned algo_type = _gnutls_cipher_type(params->cipher); |
233 | 9.98k | uint8_t *data_ptr, *full_cipher_ptr; |
234 | 9.98k | const version_entry_st *ver = get_version(session); |
235 | 9.98k | int explicit_iv = _gnutls_version_has_explicit_iv(ver); |
236 | 9.98k | int auth_cipher = _gnutls_auth_cipher_is_aead(¶ms->write.ctx.tls12); |
237 | 9.98k | uint8_t nonce[MAX_CIPHER_IV_SIZE]; |
238 | 9.98k | unsigned imp_iv_size = 0, exp_iv_size = 0; |
239 | 9.98k | bool etm = 0; |
240 | | |
241 | 9.98k | if (unlikely(ver == NULL)) |
242 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
243 | | |
244 | 9.98k | if (algo_type == CIPHER_BLOCK && params->etm != 0) |
245 | 10 | etm = 1; |
246 | | |
247 | 9.98k | _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n", session, |
248 | 9.98k | _gnutls_cipher_get_name(params->cipher), |
249 | 9.98k | _gnutls_mac_get_name(params->mac), |
250 | 9.98k | (unsigned int)params->epoch); |
251 | | |
252 | | /* Calculate the encrypted length (padding etc.) |
253 | | */ |
254 | 9.98k | if (algo_type == CIPHER_BLOCK) { |
255 | | /* Call gnutls_rnd() once. Get data used for the IV |
256 | | */ |
257 | 364 | ret = gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize); |
258 | 364 | if (ret < 0) |
259 | 0 | return gnutls_assert_val(ret); |
260 | | |
261 | 364 | pad = min_pad; |
262 | | |
263 | 364 | length = calc_enc_length_block(session, ver, plain->size, |
264 | 364 | tag_size, &pad, auth_cipher, |
265 | 364 | blocksize, etm); |
266 | 9.61k | } else { /* AEAD + STREAM */ |
267 | 9.61k | imp_iv_size = |
268 | 9.61k | _gnutls_cipher_get_implicit_iv_size(params->cipher); |
269 | 9.61k | exp_iv_size = |
270 | 9.61k | _gnutls_cipher_get_explicit_iv_size(params->cipher); |
271 | | |
272 | 9.61k | pad = 0; |
273 | 9.61k | length = calc_enc_length_stream(session, plain->size, tag_size, |
274 | 9.61k | auth_cipher, exp_iv_size); |
275 | 9.61k | } |
276 | | |
277 | 9.98k | if (length < 0) |
278 | 0 | return gnutls_assert_val(length); |
279 | | |
280 | | /* copy the encrypted data to cipher_data. |
281 | | */ |
282 | 9.98k | if (cipher_size < length) |
283 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
284 | | |
285 | 9.98k | data_ptr = cipher_data; |
286 | 9.98k | full_cipher_ptr = data_ptr; |
287 | | |
288 | 9.98k | if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) { |
289 | 9.80k | if (algo_type == CIPHER_BLOCK && explicit_iv != 0) { |
290 | | /* copy the random IV. |
291 | | */ |
292 | 118 | memcpy(data_ptr, nonce, blocksize); |
293 | 118 | ret = _gnutls_auth_cipher_setiv( |
294 | 118 | ¶ms->write.ctx.tls12, data_ptr, blocksize); |
295 | 118 | if (ret < 0) |
296 | 0 | return gnutls_assert_val(ret); |
297 | | |
298 | | /*data_ptr += blocksize; */ |
299 | 118 | cipher_data += blocksize; |
300 | 118 | } |
301 | 9.80k | } else { /* AEAD */ |
302 | 179 | if ((params->cipher->flags & GNUTLS_CIPHER_FLAG_XOR_NONCE) == |
303 | 179 | 0) { |
304 | | /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block |
305 | | */ |
306 | 179 | if (params->write.iv_size != imp_iv_size) |
307 | 40 | return gnutls_assert_val( |
308 | 179 | GNUTLS_E_INTERNAL_ERROR); |
309 | | |
310 | | /* Instead of generating a new nonce on every packet, we use the |
311 | | * write.sequence_number (It is a MAY on RFC 5288), and safer |
312 | | * as it will never reuse a value. |
313 | | */ |
314 | 139 | memcpy(nonce, params->write.iv, params->write.iv_size); |
315 | 139 | _gnutls_write_uint64(params->write.sequence_number, |
316 | 139 | &nonce[imp_iv_size]); |
317 | | |
318 | 139 | memcpy(data_ptr, &nonce[imp_iv_size], exp_iv_size); |
319 | | |
320 | | /*data_ptr += exp_iv_size; */ |
321 | 139 | cipher_data += exp_iv_size; |
322 | 139 | } else { /* XOR nonce with IV */ |
323 | 0 | if (unlikely(params->write.iv_size != 12 || |
324 | 0 | imp_iv_size != 12 || exp_iv_size != 0)) |
325 | 0 | return gnutls_assert_val( |
326 | 0 | GNUTLS_E_INTERNAL_ERROR); |
327 | | |
328 | 0 | memset(nonce, 0, 4); |
329 | 0 | _gnutls_write_uint64(params->write.sequence_number, |
330 | 0 | &nonce[4]); |
331 | |
|
332 | 0 | memxor(nonce, params->write.iv, 12); |
333 | 0 | } |
334 | 179 | } |
335 | | |
336 | 9.94k | if (etm) |
337 | 10 | ret = length - tag_size; |
338 | 9.93k | else |
339 | 9.93k | ret = plain->size; |
340 | | |
341 | 9.94k | preamble_size = _gnutls_make_preamble(params->write.sequence_number, |
342 | 9.94k | type, ret, ver, preamble); |
343 | | |
344 | 9.94k | if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) { |
345 | | /* add the authenticated data */ |
346 | 9.80k | ret = _gnutls_auth_cipher_add_auth(¶ms->write.ctx.tls12, |
347 | 9.80k | preamble, preamble_size); |
348 | 9.80k | if (ret < 0) |
349 | 0 | return gnutls_assert_val(ret); |
350 | | |
351 | 9.80k | if (etm && explicit_iv) { |
352 | | /* In EtM we need to hash the IV as well */ |
353 | 2 | ret = _gnutls_auth_cipher_add_auth( |
354 | 2 | ¶ms->write.ctx.tls12, full_cipher_ptr, |
355 | 2 | blocksize); |
356 | 2 | if (ret < 0) |
357 | 0 | return gnutls_assert_val(ret); |
358 | 2 | } |
359 | | |
360 | | /* Actual encryption. |
361 | | */ |
362 | 9.80k | ret = _gnutls_auth_cipher_encrypt2_tag(¶ms->write.ctx.tls12, |
363 | 9.80k | plain->data, plain->size, |
364 | 9.80k | cipher_data, cipher_size, |
365 | 9.80k | pad); |
366 | 9.80k | if (ret < 0) |
367 | 0 | return gnutls_assert_val(ret); |
368 | 9.80k | } else { /* AEAD */ |
369 | 139 | ret = _gnutls_aead_cipher_encrypt( |
370 | 139 | ¶ms->write.ctx.tls12.cipher, nonce, |
371 | 139 | imp_iv_size + exp_iv_size, preamble, preamble_size, |
372 | 139 | tag_size, plain->data, plain->size, cipher_data, |
373 | 139 | cipher_size); |
374 | 139 | if (ret < 0) |
375 | 0 | return gnutls_assert_val(ret); |
376 | 139 | } |
377 | | |
378 | 9.94k | return length; |
379 | 9.94k | } |
380 | | |
381 | | static int encrypt_packet_tls13(gnutls_session_t session, uint8_t *cipher_data, |
382 | | size_t cipher_size, gnutls_datum_t *plain, |
383 | | size_t pad_size, uint8_t type, |
384 | | record_parameters_st *params) |
385 | 787 | { |
386 | 787 | int ret; |
387 | 787 | unsigned int tag_size = params->write.aead_tag_size; |
388 | 787 | const version_entry_st *ver = get_version(session); |
389 | 787 | uint8_t nonce[MAX_CIPHER_IV_SIZE]; |
390 | 787 | unsigned iv_size = 0; |
391 | 787 | ssize_t max, total; |
392 | 787 | uint8_t aad[5]; |
393 | 787 | giovec_t auth_iov[1]; |
394 | 787 | giovec_t iov[2]; |
395 | | |
396 | 787 | if (unlikely(ver == NULL)) |
397 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
398 | | |
399 | 787 | _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n", session, |
400 | 787 | _gnutls_cipher_get_name(params->cipher), |
401 | 787 | _gnutls_mac_get_name(params->mac), |
402 | 787 | (unsigned int)params->epoch); |
403 | | |
404 | 787 | iv_size = params->write.iv_size; |
405 | | |
406 | 787 | if (params->cipher->id == GNUTLS_CIPHER_NULL) { |
407 | 787 | if (cipher_size < plain->size + 1) |
408 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
409 | 787 | memcpy(cipher_data, plain->data, plain->size); |
410 | 787 | return plain->size; |
411 | 787 | } |
412 | | |
413 | 0 | if (unlikely(iv_size < 8)) |
414 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
415 | | |
416 | 0 | memset(nonce, 0, iv_size - 8); |
417 | 0 | _gnutls_write_uint64(params->write.sequence_number, |
418 | 0 | &nonce[iv_size - 8]); |
419 | 0 | memxor(nonce, params->write.iv, iv_size); |
420 | |
|
421 | 0 | max = max_record_send_size(session) + MAX_RECORD_SEND_OVERHEAD(session); |
422 | | |
423 | | /* make TLS 1.3 form of data */ |
424 | 0 | total = plain->size + 1 + pad_size; |
425 | | |
426 | | /* check whether padding would exceed max */ |
427 | 0 | if (total > max) { |
428 | 0 | if (unlikely(max < (ssize_t)plain->size + 1)) |
429 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
430 | | |
431 | 0 | pad_size = max - plain->size - 1; |
432 | 0 | total = max; |
433 | 0 | } |
434 | | |
435 | | /* create authenticated data header */ |
436 | 0 | aad[0] = GNUTLS_APPLICATION_DATA; |
437 | 0 | aad[1] = 0x03; |
438 | 0 | aad[2] = 0x03; |
439 | 0 | _gnutls_write_uint16(total + tag_size, &aad[3]); |
440 | |
|
441 | 0 | auth_iov[0].iov_base = aad; |
442 | 0 | auth_iov[0].iov_len = sizeof(aad); |
443 | |
|
444 | 0 | iov[0].iov_base = plain->data; |
445 | 0 | iov[0].iov_len = plain->size; |
446 | |
|
447 | 0 | if (pad_size || |
448 | 0 | (session->internals.flags & GNUTLS_SAFE_PADDING_CHECK)) { |
449 | 0 | uint8_t *pad = gnutls_calloc(1, 1 + pad_size); |
450 | 0 | if (pad == NULL) |
451 | 0 | return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); |
452 | | |
453 | 0 | pad[0] = type; |
454 | |
|
455 | 0 | iov[1].iov_base = pad; |
456 | 0 | iov[1].iov_len = 1 + pad_size; |
457 | |
|
458 | 0 | ret = gnutls_aead_cipher_encryptv(¶ms->write.ctx.aead, |
459 | 0 | nonce, iv_size, auth_iov, 1, |
460 | 0 | tag_size, iov, 2, cipher_data, |
461 | 0 | &cipher_size); |
462 | 0 | gnutls_free(pad); |
463 | 0 | } else { |
464 | 0 | iov[1].iov_base = &type; |
465 | 0 | iov[1].iov_len = 1; |
466 | |
|
467 | 0 | ret = gnutls_aead_cipher_encryptv(¶ms->write.ctx.aead, |
468 | 0 | nonce, iv_size, auth_iov, 1, |
469 | 0 | tag_size, iov, 2, cipher_data, |
470 | 0 | &cipher_size); |
471 | 0 | } |
472 | | |
473 | 0 | if (ret < 0) |
474 | 0 | return gnutls_assert_val(ret); |
475 | | |
476 | 0 | return cipher_size; |
477 | 0 | } |
478 | | |
479 | | /* Deciphers the ciphertext packet, and puts the result to plain. |
480 | | * Returns the actual plaintext packet size. |
481 | | */ |
482 | | static int decrypt_packet(gnutls_session_t session, gnutls_datum_t *ciphertext, |
483 | | gnutls_datum_t *plain, content_type_t type, |
484 | | record_parameters_st *params, uint64_t sequence) |
485 | 189k | { |
486 | 189k | uint8_t tag[MAX_HASH_SIZE]; |
487 | 189k | uint8_t nonce[MAX_CIPHER_IV_SIZE]; |
488 | 189k | const uint8_t *tag_ptr = NULL; |
489 | 189k | unsigned int pad = 0; |
490 | 189k | int length, length_to_decrypt; |
491 | 189k | uint16_t blocksize; |
492 | 189k | int ret; |
493 | 189k | uint8_t preamble[MAX_PREAMBLE_SIZE]; |
494 | 189k | unsigned int preamble_size = 0; |
495 | 189k | const version_entry_st *ver = get_version(session); |
496 | 189k | unsigned int tag_size = |
497 | 189k | _gnutls_auth_cipher_tag_len(¶ms->read.ctx.tls12); |
498 | 189k | unsigned int explicit_iv = _gnutls_version_has_explicit_iv(ver); |
499 | 189k | unsigned imp_iv_size, exp_iv_size; |
500 | 189k | unsigned cipher_type = _gnutls_cipher_type(params->cipher); |
501 | 189k | bool etm = 0; |
502 | | |
503 | 189k | if (unlikely(ver == NULL)) |
504 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
505 | | |
506 | 189k | imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher); |
507 | 189k | exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher); |
508 | 189k | blocksize = _gnutls_cipher_get_block_size(params->cipher); |
509 | | |
510 | 189k | if (params->etm != 0 && cipher_type == CIPHER_BLOCK) |
511 | 4 | etm = 1; |
512 | | |
513 | | /* if EtM mode and not AEAD */ |
514 | 189k | if (etm) { |
515 | 4 | if (unlikely(ciphertext->size < tag_size)) |
516 | 0 | return gnutls_assert_val( |
517 | 4 | GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
518 | | |
519 | 4 | preamble_size = _gnutls_make_preamble( |
520 | 4 | sequence, type, ciphertext->size - tag_size, ver, |
521 | 4 | preamble); |
522 | | |
523 | 4 | ret = _gnutls_auth_cipher_add_auth(¶ms->read.ctx.tls12, |
524 | 4 | preamble, preamble_size); |
525 | 4 | if (unlikely(ret < 0)) |
526 | 0 | return gnutls_assert_val(ret); |
527 | | |
528 | 4 | ret = _gnutls_auth_cipher_add_auth(¶ms->read.ctx.tls12, |
529 | 4 | ciphertext->data, |
530 | 4 | ciphertext->size - tag_size); |
531 | 4 | if (unlikely(ret < 0)) |
532 | 0 | return gnutls_assert_val(ret); |
533 | | |
534 | 4 | ret = _gnutls_auth_cipher_tag(¶ms->read.ctx.tls12, tag, |
535 | 4 | tag_size); |
536 | 4 | if (unlikely(ret < 0)) |
537 | 0 | return gnutls_assert_val(ret); |
538 | | |
539 | 4 | if (unlikely(gnutls_memcmp(tag, |
540 | 4 | &ciphertext->data[ciphertext->size - |
541 | 4 | tag_size], |
542 | 4 | tag_size) != 0)) { |
543 | | /* HMAC was not the same. */ |
544 | 4 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
545 | 4 | } |
546 | 4 | } |
547 | | |
548 | | /* actual decryption (inplace) |
549 | | */ |
550 | 189k | switch (cipher_type) { |
551 | 22 | case CIPHER_AEAD: |
552 | | /* The way AEAD ciphers are defined in RFC5246, it allows |
553 | | * only stream ciphers. |
554 | | */ |
555 | 22 | if (unlikely(_gnutls_auth_cipher_is_aead( |
556 | 22 | ¶ms->read.ctx.tls12) == 0)) |
557 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
558 | | |
559 | 22 | if (unlikely(ciphertext->size < (tag_size + exp_iv_size))) |
560 | 1 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
561 | | |
562 | 21 | if ((params->cipher->flags & GNUTLS_CIPHER_FLAG_XOR_NONCE) == |
563 | 21 | 0) { |
564 | | /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block |
565 | | */ |
566 | 21 | if (unlikely(params->read.iv_size != 4)) |
567 | 0 | return gnutls_assert_val( |
568 | 21 | GNUTLS_E_DECRYPTION_FAILED); |
569 | | |
570 | 21 | memcpy(nonce, params->read.iv, imp_iv_size); |
571 | | |
572 | 21 | memcpy(&nonce[imp_iv_size], ciphertext->data, |
573 | 21 | exp_iv_size); |
574 | | |
575 | 21 | ciphertext->data += exp_iv_size; |
576 | 21 | ciphertext->size -= exp_iv_size; |
577 | 21 | } else { /* XOR nonce with IV */ |
578 | 0 | if (unlikely(params->read.iv_size != 12 || |
579 | 0 | imp_iv_size != 12 || exp_iv_size != 0)) |
580 | 0 | return gnutls_assert_val( |
581 | 0 | GNUTLS_E_DECRYPTION_FAILED); |
582 | | |
583 | 0 | memset(nonce, 0, 4); |
584 | 0 | _gnutls_write_uint64(sequence, &nonce[4]); |
585 | |
|
586 | 0 | memxor(nonce, params->read.iv, 12); |
587 | 0 | } |
588 | | |
589 | 21 | length = ciphertext->size - tag_size; |
590 | | |
591 | 21 | length_to_decrypt = ciphertext->size; |
592 | | |
593 | | /* Pass the type, version, length and plain through |
594 | | * MAC. |
595 | | */ |
596 | 21 | preamble_size = _gnutls_make_preamble(sequence, type, length, |
597 | 21 | ver, preamble); |
598 | | |
599 | 21 | if (unlikely((unsigned)length_to_decrypt > plain->size)) { |
600 | 0 | _gnutls_audit_log( |
601 | 0 | session, |
602 | 0 | "Received %u bytes, while expecting less than %u\n", |
603 | 0 | (unsigned int)length_to_decrypt, |
604 | 0 | (unsigned int)plain->size); |
605 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
606 | 0 | } |
607 | | |
608 | 21 | ret = _gnutls_aead_cipher_decrypt( |
609 | 21 | ¶ms->read.ctx.tls12.cipher, nonce, |
610 | 21 | exp_iv_size + imp_iv_size, preamble, preamble_size, |
611 | 21 | tag_size, ciphertext->data, length_to_decrypt, |
612 | 21 | plain->data, plain->size); |
613 | 21 | if (unlikely(ret < 0)) |
614 | 21 | return gnutls_assert_val(ret); |
615 | | |
616 | 0 | return length; |
617 | | |
618 | 0 | break; |
619 | 189k | case CIPHER_STREAM: |
620 | 189k | if (unlikely(ciphertext->size < tag_size)) |
621 | 0 | return gnutls_assert_val( |
622 | 189k | GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
623 | | |
624 | 189k | length_to_decrypt = ciphertext->size; |
625 | 189k | length = ciphertext->size - tag_size; |
626 | 189k | tag_ptr = plain->data + length; |
627 | | |
628 | | /* Pass the type, version, length and plain through |
629 | | * MAC. |
630 | | */ |
631 | 189k | preamble_size = _gnutls_make_preamble(sequence, type, length, |
632 | 189k | ver, preamble); |
633 | | |
634 | 189k | ret = _gnutls_auth_cipher_add_auth(¶ms->read.ctx.tls12, |
635 | 189k | preamble, preamble_size); |
636 | 189k | if (unlikely(ret < 0)) |
637 | 0 | return gnutls_assert_val(ret); |
638 | | |
639 | 189k | if (unlikely((unsigned)length_to_decrypt > plain->size)) { |
640 | 0 | _gnutls_audit_log( |
641 | 0 | session, |
642 | 0 | "Received %u bytes, while expecting less than %u\n", |
643 | 0 | (unsigned int)length_to_decrypt, |
644 | 0 | (unsigned int)plain->size); |
645 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
646 | 0 | } |
647 | | |
648 | 189k | ret = _gnutls_auth_cipher_decrypt2(¶ms->read.ctx.tls12, |
649 | 189k | ciphertext->data, |
650 | 189k | length_to_decrypt, |
651 | 189k | plain->data, plain->size); |
652 | | |
653 | 189k | if (unlikely(ret < 0)) |
654 | 0 | return gnutls_assert_val(ret); |
655 | | |
656 | 189k | ret = _gnutls_auth_cipher_tag(¶ms->read.ctx.tls12, tag, |
657 | 189k | tag_size); |
658 | 189k | if (unlikely(ret < 0)) |
659 | 0 | return gnutls_assert_val(ret); |
660 | | |
661 | 189k | if (unlikely(gnutls_memcmp(tag, tag_ptr, tag_size) != 0)) { |
662 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
663 | 0 | } |
664 | | |
665 | 189k | break; |
666 | 189k | case CIPHER_BLOCK: |
667 | 25 | if (unlikely(ciphertext->size < blocksize)) |
668 | 2 | return gnutls_assert_val( |
669 | 25 | GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
670 | | |
671 | 23 | if (etm == 0) { |
672 | 23 | if (unlikely(ciphertext->size % blocksize != 0)) |
673 | 3 | return gnutls_assert_val( |
674 | 23 | GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
675 | 23 | } else { |
676 | 0 | if (unlikely((ciphertext->size - tag_size) % |
677 | 0 | blocksize != |
678 | 0 | 0)) |
679 | 0 | return gnutls_assert_val( |
680 | 0 | GNUTLS_E_UNEXPECTED_PACKET_LENGTH); |
681 | 0 | } |
682 | | |
683 | | /* ignore the IV in TLS 1.1+ |
684 | | */ |
685 | 20 | if (explicit_iv) { |
686 | 14 | ret = _gnutls_auth_cipher_setiv(¶ms->read.ctx.tls12, |
687 | 14 | ciphertext->data, |
688 | 14 | blocksize); |
689 | 14 | if (ret < 0) |
690 | 0 | return gnutls_assert_val(ret); |
691 | | |
692 | 14 | memcpy(nonce, ciphertext->data, blocksize); |
693 | 14 | ciphertext->size -= blocksize; |
694 | 14 | ciphertext->data += blocksize; |
695 | 14 | } |
696 | | |
697 | 20 | if (unlikely(ciphertext->size < tag_size + 1)) |
698 | 2 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
699 | | |
700 | | /* we don't use the auth_cipher interface here, since |
701 | | * TLS with block ciphers is impossible to be used under such |
702 | | * an API. (the length of plaintext is required to calculate |
703 | | * auth_data, but it is not available before decryption). |
704 | | */ |
705 | 18 | if (unlikely(ciphertext->size > plain->size)) |
706 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
707 | | |
708 | 18 | if (etm == 0) { |
709 | 18 | ret = _gnutls_cipher_decrypt2( |
710 | 18 | ¶ms->read.ctx.tls12.cipher, |
711 | 18 | ciphertext->data, ciphertext->size, plain->data, |
712 | 18 | plain->size); |
713 | 18 | if (unlikely(ret < 0)) |
714 | 0 | return gnutls_assert_val(ret); |
715 | | |
716 | 18 | ret = cbc_mac_verify(session, params, preamble, type, |
717 | 18 | sequence, plain->data, |
718 | 18 | ciphertext->size, tag_size); |
719 | 18 | if (unlikely(ret < 0)) |
720 | 18 | return gnutls_assert_val(ret); |
721 | | |
722 | 0 | length = ret; |
723 | 0 | } else { /* EtM */ |
724 | 0 | ret = _gnutls_cipher_decrypt2( |
725 | 0 | ¶ms->read.ctx.tls12.cipher, |
726 | 0 | ciphertext->data, ciphertext->size - tag_size, |
727 | 0 | plain->data, plain->size); |
728 | 0 | if (unlikely(ret < 0)) |
729 | 0 | return gnutls_assert_val(ret); |
730 | | |
731 | 0 | pad = plain->data[ciphertext->size - tag_size - |
732 | 0 | 1]; /* pad */ |
733 | 0 | length = ciphertext->size - tag_size - pad - 1; |
734 | |
|
735 | 0 | if (unlikely(length < 0)) |
736 | 0 | return gnutls_assert_val( |
737 | 0 | GNUTLS_E_DECRYPTION_FAILED); |
738 | 0 | } |
739 | 0 | break; |
740 | 0 | default: |
741 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
742 | 189k | } |
743 | | |
744 | 189k | return length; |
745 | 189k | } |
746 | | |
747 | | static int decrypt_packet_tls13(gnutls_session_t session, |
748 | | gnutls_datum_t *ciphertext, |
749 | | gnutls_datum_t *plain, content_type_t *type, |
750 | | record_parameters_st *params, uint64_t sequence) |
751 | 10.7k | { |
752 | 10.7k | uint8_t nonce[MAX_CIPHER_IV_SIZE]; |
753 | 10.7k | size_t length, length_to_decrypt; |
754 | 10.7k | int ret; |
755 | 10.7k | const version_entry_st *ver = get_version(session); |
756 | 10.7k | unsigned int tag_size = params->read.aead_tag_size; |
757 | 10.7k | unsigned iv_size; |
758 | 10.7k | unsigned j; |
759 | 10.7k | volatile unsigned length_set; |
760 | 10.7k | uint8_t aad[5]; |
761 | | |
762 | 10.7k | if (unlikely(ver == NULL)) |
763 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
764 | | |
765 | 10.7k | if (params->cipher->id == GNUTLS_CIPHER_NULL) { |
766 | 10.6k | if (plain->size < ciphertext->size) |
767 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
768 | | |
769 | 10.6k | length = ciphertext->size; |
770 | 10.6k | memcpy(plain->data, ciphertext->data, length); |
771 | | |
772 | 10.6k | return length; |
773 | 10.6k | } |
774 | | |
775 | 134 | iv_size = _gnutls_cipher_get_iv_size(params->cipher); |
776 | | |
777 | | /* The way AEAD ciphers are defined in RFC5246, it allows |
778 | | * only stream ciphers. |
779 | | */ |
780 | 134 | if (unlikely(ciphertext->size < tag_size)) |
781 | 4 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
782 | | |
783 | 130 | if (unlikely(params->read.iv_size != iv_size || iv_size < 8)) |
784 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
785 | | |
786 | 130 | memset(nonce, 0, iv_size - 8); |
787 | 130 | _gnutls_write_uint64(sequence, &nonce[iv_size - 8]); |
788 | 130 | memxor(nonce, params->read.iv, params->read.iv_size); |
789 | | |
790 | 130 | length = ciphertext->size - tag_size; |
791 | | |
792 | 130 | length_to_decrypt = ciphertext->size; |
793 | | |
794 | 130 | if (unlikely((unsigned)length_to_decrypt > plain->size)) { |
795 | 0 | _gnutls_audit_log( |
796 | 0 | session, |
797 | 0 | "Received %u bytes, while expecting less than %u\n", |
798 | 0 | (unsigned int)length_to_decrypt, |
799 | 0 | (unsigned int)plain->size); |
800 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
801 | 0 | } |
802 | | |
803 | 130 | aad[0] = GNUTLS_APPLICATION_DATA; |
804 | 130 | aad[1] = 0x03; |
805 | 130 | aad[2] = 0x03; |
806 | 130 | _gnutls_write_uint16(ciphertext->size, &aad[3]); |
807 | | |
808 | 130 | ret = gnutls_aead_cipher_decrypt(¶ms->read.ctx.aead, nonce, iv_size, |
809 | 130 | aad, sizeof(aad), tag_size, |
810 | 130 | ciphertext->data, length_to_decrypt, |
811 | 130 | plain->data, &length); |
812 | 130 | if (unlikely(ret < 0)) |
813 | 130 | return gnutls_assert_val(ret); |
814 | | |
815 | | /* 1 octet for content type */ |
816 | 0 | if (length > max_decrypted_size(session) + 1) { |
817 | 0 | _gnutls_audit_log(session, |
818 | 0 | "Received packet with illegal length: %u\n", |
819 | 0 | (unsigned int)length); |
820 | |
|
821 | 0 | return gnutls_assert_val(GNUTLS_E_RECORD_OVERFLOW); |
822 | 0 | } |
823 | | |
824 | 0 | length_set = 0; |
825 | | |
826 | | /* now figure the actual data size. We intentionally iterate through all data, |
827 | | * to avoid leaking the padding length due to timing differences in processing. |
828 | | */ |
829 | 0 | for (j = length; j > 0; j--) { |
830 | 0 | if (plain->data[j - 1] != 0 && length_set == 0) { |
831 | 0 | *type = plain->data[j - 1]; |
832 | 0 | length = j - 1; |
833 | 0 | length_set = 1; |
834 | 0 | if (!(session->internals.flags & |
835 | 0 | GNUTLS_SAFE_PADDING_CHECK)) |
836 | 0 | break; |
837 | 0 | } |
838 | 0 | } |
839 | |
|
840 | 0 | if (!length_set) |
841 | 0 | return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); |
842 | | |
843 | 0 | return length; |
844 | 0 | } |