Coverage Report

Created: 2025-03-06 06:58

/src/gnutls/lib/cipher.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (C) 2000-2013 Free Software Foundation, Inc.
3
 * Copyright (C) 2013 Nikos Mavrogiannopoulos
4
 * Copyright (C) 2017-2018 Red Hat, Inc.
5
 *
6
 * Author: Nikos Mavrogiannopoulos
7
 *
8
 * This file is part of GnuTLS.
9
 *
10
 * The GnuTLS is free software; you can redistribute it and/or
11
 * modify it under the terms of the GNU Lesser General Public License
12
 * as published by the Free Software Foundation; either version 2.1 of
13
 * the License, or (at your option) any later version.
14
 *
15
 * This library is distributed in the hope that it will be useful, but
16
 * WITHOUT ANY WARRANTY; without even the implied warranty of
17
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
18
 * Lesser General Public License for more details.
19
 *
20
 * You should have received a copy of the GNU Lesser General Public License
21
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
22
 *
23
 */
24
25
/* Some high level functions to be used in the record encryption are
26
 * included here.
27
 */
28
29
#include "gnutls_int.h"
30
#include "errors.h"
31
#include "cipher.h"
32
#include "algorithms.h"
33
#include "hash_int.h"
34
#include "cipher_int.h"
35
#include "debug.h"
36
#include "num.h"
37
#include "datum.h"
38
#include "kx.h"
39
#include "record.h"
40
#include "constate.h"
41
#include "mbuffers.h"
42
#include "state.h"
43
#include "random.h"
44
45
#include <nettle/memxor.h>
46
47
static int encrypt_packet(gnutls_session_t session, uint8_t *cipher_data,
48
        int cipher_size, gnutls_datum_t *plain,
49
        size_t min_pad, content_type_t _type,
50
        record_parameters_st *params);
51
52
static int decrypt_packet(gnutls_session_t session, gnutls_datum_t *ciphertext,
53
        gnutls_datum_t *plain, content_type_t type,
54
        record_parameters_st *params, uint64_t sequence);
55
56
static int decrypt_packet_tls13(gnutls_session_t session,
57
        gnutls_datum_t *ciphertext,
58
        gnutls_datum_t *plain, content_type_t *type,
59
        record_parameters_st *params,
60
        uint64_t sequence);
61
62
static int encrypt_packet_tls13(gnutls_session_t session, uint8_t *cipher_data,
63
        size_t cipher_size, gnutls_datum_t *plain,
64
        size_t pad_size, uint8_t type,
65
        record_parameters_st *params);
66
67
/* returns ciphertext which contains the headers too. This also
68
 * calculates the size in the header field.
69
 *
70
 */
71
int _gnutls_encrypt(gnutls_session_t session, const uint8_t *data,
72
        size_t data_size, size_t min_pad, mbuffer_st *bufel,
73
        content_type_t type, record_parameters_st *params)
74
0
{
75
0
  gnutls_datum_t plaintext;
76
0
  const version_entry_st *vers =
77
0
    (session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT) &&
78
0
        !IS_SERVER(session) ?
79
0
      session->internals.resumed_security_parameters.pversion :
80
0
      get_version(session);
81
0
  int ret;
82
83
0
  plaintext.data = (uint8_t *)data;
84
0
  plaintext.size = data_size;
85
86
0
  if (vers && vers->tls13_sem) {
87
    /* it fills the header, as it is included in the authenticated
88
     * data of the AEAD cipher. */
89
0
    ret = encrypt_packet_tls13(session,
90
0
             _mbuffer_get_udata_ptr(bufel),
91
0
             _mbuffer_get_udata_size(bufel),
92
0
             &plaintext, min_pad, type, params);
93
0
    if (ret < 0)
94
0
      return gnutls_assert_val(ret);
95
0
  } else {
96
0
    ret = encrypt_packet(session, _mbuffer_get_udata_ptr(bufel),
97
0
             _mbuffer_get_udata_size(bufel), &plaintext,
98
0
             min_pad, type, params);
99
0
    if (ret < 0)
100
0
      return gnutls_assert_val(ret);
101
0
  }
102
103
0
  if (IS_DTLS(session))
104
0
    _gnutls_write_uint16(
105
0
      ret, ((uint8_t *)_mbuffer_get_uhead_ptr(bufel)) + 11);
106
0
  else
107
0
    _gnutls_write_uint16(
108
0
      ret, ((uint8_t *)_mbuffer_get_uhead_ptr(bufel)) + 3);
109
110
0
  _mbuffer_set_udata_size(bufel, ret);
111
0
  _mbuffer_set_uhead_size(bufel, 0);
112
113
0
  return _mbuffer_get_udata_size(bufel);
114
0
}
115
116
/* Decrypts the given data.
117
 * Returns the decrypted data length.
118
 *
119
 * The output is preallocated with the maximum allowed data size.
120
 */
121
int _gnutls_decrypt(gnutls_session_t session, gnutls_datum_t *ciphertext,
122
        gnutls_datum_t *output, content_type_t *type,
123
        record_parameters_st *params, uint64_t sequence)
124
0
{
125
0
  int ret;
126
0
  const version_entry_st *vers = get_version(session);
127
128
0
  if (ciphertext->size == 0)
129
0
    return 0;
130
131
0
  if (vers && vers->tls13_sem)
132
0
    ret = decrypt_packet_tls13(session, ciphertext, output, type,
133
0
             params, sequence);
134
0
  else
135
0
    ret = decrypt_packet(session, ciphertext, output, *type, params,
136
0
             sequence);
137
0
  if (ret < 0)
138
0
    return gnutls_assert_val(ret);
139
140
0
  return ret;
141
0
}
142
143
inline static int calc_enc_length_block(gnutls_session_t session,
144
          const version_entry_st *ver,
145
          int data_size, int hash_size,
146
          uint8_t *pad, unsigned auth_cipher,
147
          uint16_t blocksize, unsigned etm)
148
0
{
149
  /* pad is the LH pad the user wants us to add. Besides
150
   * this LH pad, we only add minimal padding
151
   */
152
0
  unsigned int pre_length = data_size + *pad;
153
0
  unsigned int length, new_pad;
154
155
0
  if (etm == 0)
156
0
    pre_length += hash_size;
157
158
0
  new_pad = (uint8_t)(blocksize - (pre_length % blocksize)) + *pad;
159
160
0
  if (new_pad > 255)
161
0
    new_pad -= blocksize;
162
0
  *pad = new_pad;
163
164
0
  length = data_size + hash_size + *pad;
165
166
0
  if (_gnutls_version_has_explicit_iv(ver))
167
0
    length += blocksize; /* for the IV */
168
169
0
  return length;
170
0
}
171
172
inline static int calc_enc_length_stream(gnutls_session_t session,
173
           int data_size, int hash_size,
174
           unsigned auth_cipher,
175
           unsigned exp_iv_size)
176
0
{
177
0
  unsigned int length;
178
179
0
  length = data_size + hash_size;
180
0
  if (auth_cipher)
181
0
    length += exp_iv_size;
182
183
0
  return length;
184
0
}
185
186
/* generates the authentication data (data to be hashed only
187
 * and are not to be sent). Returns their size.
188
 */
189
int _gnutls_make_preamble(uint64_t uint64_data, uint8_t type,
190
        unsigned int length, const version_entry_st *ver,
191
        uint8_t preamble[MAX_PREAMBLE_SIZE])
192
0
{
193
0
  uint8_t *p = preamble;
194
0
  uint16_t c_length;
195
196
0
  c_length = _gnutls_conv_uint16(length);
197
198
0
  _gnutls_write_uint64(uint64_data, p);
199
0
  p += 8;
200
0
  *p = type;
201
0
  p++;
202
#ifdef ENABLE_SSL3
203
  if (ver->id != GNUTLS_SSL3)
204
#endif
205
0
  { /* TLS protocols */
206
0
    *p = ver->major;
207
0
    p++;
208
0
    *p = ver->minor;
209
0
    p++;
210
0
  }
211
0
  memcpy(p, &c_length, 2);
212
0
  p += 2;
213
0
  return p - preamble;
214
0
}
215
216
/* This is the actual encryption
217
 * Encrypts the given plaintext datum, and puts the result to cipher_data,
218
 * which has cipher_size size.
219
 * return the actual encrypted data length.
220
 */
221
static int encrypt_packet(gnutls_session_t session, uint8_t *cipher_data,
222
        int cipher_size, gnutls_datum_t *plain,
223
        size_t min_pad, content_type_t type,
224
        record_parameters_st *params)
225
0
{
226
0
  uint8_t pad;
227
0
  int length, ret;
228
0
  uint8_t preamble[MAX_PREAMBLE_SIZE];
229
0
  int preamble_size;
230
0
  int tag_size = _gnutls_auth_cipher_tag_len(&params->write.ctx.tls12);
231
0
  int blocksize = _gnutls_cipher_get_block_size(params->cipher);
232
0
  unsigned algo_type = _gnutls_cipher_type(params->cipher);
233
0
  uint8_t *data_ptr, *full_cipher_ptr;
234
0
  const version_entry_st *ver = get_version(session);
235
0
  int explicit_iv = _gnutls_version_has_explicit_iv(ver);
236
0
  int auth_cipher = _gnutls_auth_cipher_is_aead(&params->write.ctx.tls12);
237
0
  uint8_t nonce[MAX_CIPHER_IV_SIZE];
238
0
  unsigned imp_iv_size = 0, exp_iv_size = 0;
239
0
  bool etm = 0;
240
241
0
  if (unlikely(ver == NULL))
242
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
243
244
0
  if (algo_type == CIPHER_BLOCK && params->etm != 0)
245
0
    etm = 1;
246
247
0
  _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n", session,
248
0
       _gnutls_cipher_get_name(params->cipher),
249
0
       _gnutls_mac_get_name(params->mac),
250
0
       (unsigned int)params->epoch);
251
252
  /* Calculate the encrypted length (padding etc.)
253
   */
254
0
  if (algo_type == CIPHER_BLOCK) {
255
    /* Call gnutls_rnd() once. Get data used for the IV
256
     */
257
0
    ret = gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize);
258
0
    if (ret < 0)
259
0
      return gnutls_assert_val(ret);
260
261
0
    pad = min_pad;
262
263
0
    length = calc_enc_length_block(session, ver, plain->size,
264
0
                 tag_size, &pad, auth_cipher,
265
0
                 blocksize, etm);
266
0
  } else { /* AEAD + STREAM */
267
0
    imp_iv_size =
268
0
      _gnutls_cipher_get_implicit_iv_size(params->cipher);
269
0
    exp_iv_size =
270
0
      _gnutls_cipher_get_explicit_iv_size(params->cipher);
271
272
0
    pad = 0;
273
0
    length = calc_enc_length_stream(session, plain->size, tag_size,
274
0
            auth_cipher, exp_iv_size);
275
0
  }
276
277
0
  if (length < 0)
278
0
    return gnutls_assert_val(length);
279
280
  /* copy the encrypted data to cipher_data.
281
   */
282
0
  if (cipher_size < length)
283
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
284
285
0
  data_ptr = cipher_data;
286
0
  full_cipher_ptr = data_ptr;
287
288
0
  if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) {
289
0
    if (algo_type == CIPHER_BLOCK && explicit_iv != 0) {
290
      /* copy the random IV.
291
       */
292
0
      memcpy(data_ptr, nonce, blocksize);
293
0
      ret = _gnutls_auth_cipher_setiv(
294
0
        &params->write.ctx.tls12, data_ptr, blocksize);
295
0
      if (ret < 0)
296
0
        return gnutls_assert_val(ret);
297
298
      /*data_ptr += blocksize; */
299
0
      cipher_data += blocksize;
300
0
    }
301
0
  } else { /* AEAD */
302
0
    if ((params->cipher->flags & GNUTLS_CIPHER_FLAG_XOR_NONCE) ==
303
0
        0) {
304
      /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
305
       */
306
0
      if (params->write.iv_size != imp_iv_size)
307
0
        return gnutls_assert_val(
308
0
          GNUTLS_E_INTERNAL_ERROR);
309
310
      /* Instead of generating a new nonce on every packet, we use the
311
       * write.sequence_number (It is a MAY on RFC 5288), and safer
312
       * as it will never reuse a value.
313
       */
314
0
      memcpy(nonce, params->write.iv, params->write.iv_size);
315
0
      _gnutls_write_uint64(params->write.sequence_number,
316
0
               &nonce[imp_iv_size]);
317
318
0
      memcpy(data_ptr, &nonce[imp_iv_size], exp_iv_size);
319
320
      /*data_ptr += exp_iv_size; */
321
0
      cipher_data += exp_iv_size;
322
0
    } else { /* XOR nonce with IV */
323
0
      if (unlikely(params->write.iv_size != 12 ||
324
0
             imp_iv_size != 12 || exp_iv_size != 0))
325
0
        return gnutls_assert_val(
326
0
          GNUTLS_E_INTERNAL_ERROR);
327
328
0
      memset(nonce, 0, 4);
329
0
      _gnutls_write_uint64(params->write.sequence_number,
330
0
               &nonce[4]);
331
332
0
      memxor(nonce, params->write.iv, 12);
333
0
    }
334
0
  }
335
336
0
  if (etm)
337
0
    ret = length - tag_size;
338
0
  else
339
0
    ret = plain->size;
340
341
0
  preamble_size = _gnutls_make_preamble(params->write.sequence_number,
342
0
                type, ret, ver, preamble);
343
344
0
  if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) {
345
    /* add the authenticated data */
346
0
    ret = _gnutls_auth_cipher_add_auth(&params->write.ctx.tls12,
347
0
               preamble, preamble_size);
348
0
    if (ret < 0)
349
0
      return gnutls_assert_val(ret);
350
351
0
    if (etm && explicit_iv) {
352
      /* In EtM we need to hash the IV as well */
353
0
      ret = _gnutls_auth_cipher_add_auth(
354
0
        &params->write.ctx.tls12, full_cipher_ptr,
355
0
        blocksize);
356
0
      if (ret < 0)
357
0
        return gnutls_assert_val(ret);
358
0
    }
359
360
    /* Actual encryption.
361
     */
362
0
    ret = _gnutls_auth_cipher_encrypt2_tag(&params->write.ctx.tls12,
363
0
                   plain->data, plain->size,
364
0
                   cipher_data, cipher_size,
365
0
                   pad);
366
0
    if (ret < 0)
367
0
      return gnutls_assert_val(ret);
368
0
  } else { /* AEAD */
369
0
    ret = _gnutls_aead_cipher_encrypt(
370
0
      &params->write.ctx.tls12.cipher, nonce,
371
0
      imp_iv_size + exp_iv_size, preamble, preamble_size,
372
0
      tag_size, plain->data, plain->size, cipher_data,
373
0
      cipher_size);
374
0
    if (ret < 0)
375
0
      return gnutls_assert_val(ret);
376
0
  }
377
378
0
  return length;
379
0
}
380
381
static int encrypt_packet_tls13(gnutls_session_t session, uint8_t *cipher_data,
382
        size_t cipher_size, gnutls_datum_t *plain,
383
        size_t pad_size, uint8_t type,
384
        record_parameters_st *params)
385
0
{
386
0
  int ret;
387
0
  unsigned int tag_size = params->write.aead_tag_size;
388
0
  const version_entry_st *ver = get_version(session);
389
0
  uint8_t nonce[MAX_CIPHER_IV_SIZE];
390
0
  unsigned iv_size = 0;
391
0
  ssize_t max, total;
392
0
  uint8_t aad[5];
393
0
  giovec_t auth_iov[1];
394
0
  giovec_t iov[2];
395
396
0
  if (unlikely(ver == NULL))
397
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
398
399
0
  _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n", session,
400
0
       _gnutls_cipher_get_name(params->cipher),
401
0
       _gnutls_mac_get_name(params->mac),
402
0
       (unsigned int)params->epoch);
403
404
0
  iv_size = params->write.iv_size;
405
406
0
  if (params->cipher->id == GNUTLS_CIPHER_NULL) {
407
0
    if (cipher_size < plain->size + 1)
408
0
      return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
409
0
    memcpy(cipher_data, plain->data, plain->size);
410
0
    return plain->size;
411
0
  }
412
413
0
  if (unlikely(iv_size < 8))
414
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
415
416
0
  memset(nonce, 0, iv_size - 8);
417
0
  _gnutls_write_uint64(params->write.sequence_number,
418
0
           &nonce[iv_size - 8]);
419
0
  memxor(nonce, params->write.iv, iv_size);
420
421
0
  max = max_record_send_size(session) + MAX_RECORD_SEND_OVERHEAD(session);
422
423
  /* make TLS 1.3 form of data */
424
0
  total = plain->size + 1 + pad_size;
425
426
  /* check whether padding would exceed max */
427
0
  if (total > max) {
428
0
    if (unlikely(max < (ssize_t)plain->size + 1))
429
0
      return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
430
431
0
    pad_size = max - plain->size - 1;
432
0
    total = max;
433
0
  }
434
435
  /* create authenticated data header */
436
0
  aad[0] = GNUTLS_APPLICATION_DATA;
437
0
  aad[1] = 0x03;
438
0
  aad[2] = 0x03;
439
0
  _gnutls_write_uint16(total + tag_size, &aad[3]);
440
441
0
  auth_iov[0].iov_base = aad;
442
0
  auth_iov[0].iov_len = sizeof(aad);
443
444
0
  iov[0].iov_base = plain->data;
445
0
  iov[0].iov_len = plain->size;
446
447
0
  if (pad_size ||
448
0
      (session->internals.flags & GNUTLS_SAFE_PADDING_CHECK)) {
449
0
    uint8_t *pad = gnutls_calloc(1, 1 + pad_size);
450
0
    if (pad == NULL)
451
0
      return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
452
453
0
    pad[0] = type;
454
455
0
    iov[1].iov_base = pad;
456
0
    iov[1].iov_len = 1 + pad_size;
457
458
0
    ret = gnutls_aead_cipher_encryptv(&params->write.ctx.aead,
459
0
              nonce, iv_size, auth_iov, 1,
460
0
              tag_size, iov, 2, cipher_data,
461
0
              &cipher_size);
462
0
    gnutls_free(pad);
463
0
  } else {
464
0
    iov[1].iov_base = &type;
465
0
    iov[1].iov_len = 1;
466
467
0
    ret = gnutls_aead_cipher_encryptv(&params->write.ctx.aead,
468
0
              nonce, iv_size, auth_iov, 1,
469
0
              tag_size, iov, 2, cipher_data,
470
0
              &cipher_size);
471
0
  }
472
473
0
  if (ret < 0)
474
0
    return gnutls_assert_val(ret);
475
476
0
  return cipher_size;
477
0
}
478
479
/* Deciphers the ciphertext packet, and puts the result to plain.
480
 * Returns the actual plaintext packet size.
481
 */
482
static int decrypt_packet(gnutls_session_t session, gnutls_datum_t *ciphertext,
483
        gnutls_datum_t *plain, content_type_t type,
484
        record_parameters_st *params, uint64_t sequence)
485
0
{
486
0
  uint8_t tag[MAX_HASH_SIZE];
487
0
  uint8_t nonce[MAX_CIPHER_IV_SIZE];
488
0
  const uint8_t *tag_ptr = NULL;
489
0
  unsigned int pad = 0;
490
0
  int length, length_to_decrypt;
491
0
  uint16_t blocksize;
492
0
  int ret;
493
0
  uint8_t preamble[MAX_PREAMBLE_SIZE];
494
0
  unsigned int preamble_size = 0;
495
0
  const version_entry_st *ver = get_version(session);
496
0
  unsigned int tag_size =
497
0
    _gnutls_auth_cipher_tag_len(&params->read.ctx.tls12);
498
0
  unsigned int explicit_iv = _gnutls_version_has_explicit_iv(ver);
499
0
  unsigned imp_iv_size, exp_iv_size;
500
0
  unsigned cipher_type = _gnutls_cipher_type(params->cipher);
501
0
  bool etm = 0;
502
503
0
  if (unlikely(ver == NULL))
504
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
505
506
0
  imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher);
507
0
  exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher);
508
0
  blocksize = _gnutls_cipher_get_block_size(params->cipher);
509
510
0
  if (params->etm != 0 && cipher_type == CIPHER_BLOCK)
511
0
    etm = 1;
512
513
  /* if EtM mode and not AEAD */
514
0
  if (etm) {
515
0
    if (unlikely(ciphertext->size < tag_size))
516
0
      return gnutls_assert_val(
517
0
        GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
518
519
0
    preamble_size = _gnutls_make_preamble(
520
0
      sequence, type, ciphertext->size - tag_size, ver,
521
0
      preamble);
522
523
0
    ret = _gnutls_auth_cipher_add_auth(&params->read.ctx.tls12,
524
0
               preamble, preamble_size);
525
0
    if (unlikely(ret < 0))
526
0
      return gnutls_assert_val(ret);
527
528
0
    ret = _gnutls_auth_cipher_add_auth(&params->read.ctx.tls12,
529
0
               ciphertext->data,
530
0
               ciphertext->size - tag_size);
531
0
    if (unlikely(ret < 0))
532
0
      return gnutls_assert_val(ret);
533
534
0
    ret = _gnutls_auth_cipher_tag(&params->read.ctx.tls12, tag,
535
0
                tag_size);
536
0
    if (unlikely(ret < 0))
537
0
      return gnutls_assert_val(ret);
538
539
0
    if (unlikely(gnutls_memcmp(tag,
540
0
             &ciphertext->data[ciphertext->size -
541
0
                   tag_size],
542
0
             tag_size) != 0)) {
543
      /* HMAC was not the same. */
544
0
      return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
545
0
    }
546
0
  }
547
548
  /* actual decryption (inplace)
549
   */
550
0
  switch (cipher_type) {
551
0
  case CIPHER_AEAD:
552
    /* The way AEAD ciphers are defined in RFC5246, it allows
553
     * only stream ciphers.
554
     */
555
0
    if (unlikely(_gnutls_auth_cipher_is_aead(
556
0
             &params->read.ctx.tls12) == 0))
557
0
      return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
558
559
0
    if (unlikely(ciphertext->size < (tag_size + exp_iv_size)))
560
0
      return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
561
562
0
    if ((params->cipher->flags & GNUTLS_CIPHER_FLAG_XOR_NONCE) ==
563
0
        0) {
564
      /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
565
       */
566
0
      if (unlikely(params->read.iv_size != 4))
567
0
        return gnutls_assert_val(
568
0
          GNUTLS_E_DECRYPTION_FAILED);
569
570
0
      memcpy(nonce, params->read.iv, imp_iv_size);
571
572
0
      memcpy(&nonce[imp_iv_size], ciphertext->data,
573
0
             exp_iv_size);
574
575
0
      ciphertext->data += exp_iv_size;
576
0
      ciphertext->size -= exp_iv_size;
577
0
    } else { /* XOR nonce with IV */
578
0
      if (unlikely(params->read.iv_size != 12 ||
579
0
             imp_iv_size != 12 || exp_iv_size != 0))
580
0
        return gnutls_assert_val(
581
0
          GNUTLS_E_DECRYPTION_FAILED);
582
583
0
      memset(nonce, 0, 4);
584
0
      _gnutls_write_uint64(sequence, &nonce[4]);
585
586
0
      memxor(nonce, params->read.iv, 12);
587
0
    }
588
589
0
    length = ciphertext->size - tag_size;
590
591
0
    length_to_decrypt = ciphertext->size;
592
593
    /* Pass the type, version, length and plain through
594
     * MAC.
595
     */
596
0
    preamble_size = _gnutls_make_preamble(sequence, type, length,
597
0
                  ver, preamble);
598
599
0
    if (unlikely((unsigned)length_to_decrypt > plain->size)) {
600
0
      _gnutls_audit_log(
601
0
        session,
602
0
        "Received %u bytes, while expecting less than %u\n",
603
0
        (unsigned int)length_to_decrypt,
604
0
        (unsigned int)plain->size);
605
0
      return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
606
0
    }
607
608
0
    ret = _gnutls_aead_cipher_decrypt(
609
0
      &params->read.ctx.tls12.cipher, nonce,
610
0
      exp_iv_size + imp_iv_size, preamble, preamble_size,
611
0
      tag_size, ciphertext->data, length_to_decrypt,
612
0
      plain->data, plain->size);
613
0
    if (unlikely(ret < 0))
614
0
      return gnutls_assert_val(ret);
615
616
0
    return length;
617
618
0
    break;
619
0
  case CIPHER_STREAM:
620
0
    if (unlikely(ciphertext->size < tag_size))
621
0
      return gnutls_assert_val(
622
0
        GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
623
624
0
    length_to_decrypt = ciphertext->size;
625
0
    length = ciphertext->size - tag_size;
626
0
    tag_ptr = plain->data + length;
627
628
    /* Pass the type, version, length and plain through
629
     * MAC.
630
     */
631
0
    preamble_size = _gnutls_make_preamble(sequence, type, length,
632
0
                  ver, preamble);
633
634
0
    ret = _gnutls_auth_cipher_add_auth(&params->read.ctx.tls12,
635
0
               preamble, preamble_size);
636
0
    if (unlikely(ret < 0))
637
0
      return gnutls_assert_val(ret);
638
639
0
    if (unlikely((unsigned)length_to_decrypt > plain->size)) {
640
0
      _gnutls_audit_log(
641
0
        session,
642
0
        "Received %u bytes, while expecting less than %u\n",
643
0
        (unsigned int)length_to_decrypt,
644
0
        (unsigned int)plain->size);
645
0
      return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
646
0
    }
647
648
0
    ret = _gnutls_auth_cipher_decrypt2(&params->read.ctx.tls12,
649
0
               ciphertext->data,
650
0
               length_to_decrypt,
651
0
               plain->data, plain->size);
652
653
0
    if (unlikely(ret < 0))
654
0
      return gnutls_assert_val(ret);
655
656
0
    ret = _gnutls_auth_cipher_tag(&params->read.ctx.tls12, tag,
657
0
                tag_size);
658
0
    if (unlikely(ret < 0))
659
0
      return gnutls_assert_val(ret);
660
661
0
    if (unlikely(gnutls_memcmp(tag, tag_ptr, tag_size) != 0)) {
662
0
      return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
663
0
    }
664
665
0
    break;
666
0
  case CIPHER_BLOCK:
667
0
    if (unlikely(ciphertext->size < blocksize))
668
0
      return gnutls_assert_val(
669
0
        GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
670
671
0
    if (etm == 0) {
672
0
      if (unlikely(ciphertext->size % blocksize != 0))
673
0
        return gnutls_assert_val(
674
0
          GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
675
0
    } else {
676
0
      if (unlikely((ciphertext->size - tag_size) %
677
0
               blocksize !=
678
0
             0))
679
0
        return gnutls_assert_val(
680
0
          GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
681
0
    }
682
683
    /* ignore the IV in TLS 1.1+
684
     */
685
0
    if (explicit_iv) {
686
0
      ret = _gnutls_auth_cipher_setiv(&params->read.ctx.tls12,
687
0
              ciphertext->data,
688
0
              blocksize);
689
0
      if (ret < 0)
690
0
        return gnutls_assert_val(ret);
691
692
0
      memcpy(nonce, ciphertext->data, blocksize);
693
0
      ciphertext->size -= blocksize;
694
0
      ciphertext->data += blocksize;
695
0
    }
696
697
0
    if (unlikely(ciphertext->size < tag_size + 1))
698
0
      return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
699
700
    /* we don't use the auth_cipher interface here, since
701
     * TLS with block ciphers is impossible to be used under such
702
     * an API. (the length of plaintext is required to calculate
703
     * auth_data, but it is not available before decryption).
704
     */
705
0
    if (unlikely(ciphertext->size > plain->size))
706
0
      return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
707
708
0
    if (etm == 0) {
709
0
      ret = _gnutls_cipher_decrypt2(
710
0
        &params->read.ctx.tls12.cipher,
711
0
        ciphertext->data, ciphertext->size, plain->data,
712
0
        plain->size);
713
0
      if (unlikely(ret < 0))
714
0
        return gnutls_assert_val(ret);
715
716
0
      ret = cbc_mac_verify(session, params, preamble, type,
717
0
               sequence, plain->data,
718
0
               ciphertext->size, tag_size);
719
0
      if (unlikely(ret < 0))
720
0
        return gnutls_assert_val(ret);
721
722
0
      length = ret;
723
0
    } else { /* EtM */
724
0
      ret = _gnutls_cipher_decrypt2(
725
0
        &params->read.ctx.tls12.cipher,
726
0
        ciphertext->data, ciphertext->size - tag_size,
727
0
        plain->data, plain->size);
728
0
      if (unlikely(ret < 0))
729
0
        return gnutls_assert_val(ret);
730
731
0
      pad = plain->data[ciphertext->size - tag_size -
732
0
            1]; /* pad */
733
0
      length = ciphertext->size - tag_size - pad - 1;
734
735
0
      if (unlikely(length < 0))
736
0
        return gnutls_assert_val(
737
0
          GNUTLS_E_DECRYPTION_FAILED);
738
0
    }
739
0
    break;
740
0
  default:
741
0
    return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
742
0
  }
743
744
0
  return length;
745
0
}
746
747
static int decrypt_packet_tls13(gnutls_session_t session,
748
        gnutls_datum_t *ciphertext,
749
        gnutls_datum_t *plain, content_type_t *type,
750
        record_parameters_st *params, uint64_t sequence)
751
0
{
752
0
  uint8_t nonce[MAX_CIPHER_IV_SIZE];
753
0
  size_t length, length_to_decrypt;
754
0
  int ret;
755
0
  const version_entry_st *ver = get_version(session);
756
0
  unsigned int tag_size = params->read.aead_tag_size;
757
0
  unsigned iv_size;
758
0
  unsigned j;
759
0
  volatile unsigned length_set;
760
0
  uint8_t aad[5];
761
762
0
  if (unlikely(ver == NULL))
763
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
764
765
0
  if (params->cipher->id == GNUTLS_CIPHER_NULL) {
766
0
    if (plain->size < ciphertext->size)
767
0
      return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
768
769
0
    length = ciphertext->size;
770
0
    memcpy(plain->data, ciphertext->data, length);
771
772
0
    return length;
773
0
  }
774
775
0
  iv_size = _gnutls_cipher_get_iv_size(params->cipher);
776
777
  /* The way AEAD ciphers are defined in RFC5246, it allows
778
   * only stream ciphers.
779
   */
780
0
  if (unlikely(ciphertext->size < tag_size))
781
0
    return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
782
783
0
  if (unlikely(params->read.iv_size != iv_size || iv_size < 8))
784
0
    return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
785
786
0
  memset(nonce, 0, iv_size - 8);
787
0
  _gnutls_write_uint64(sequence, &nonce[iv_size - 8]);
788
0
  memxor(nonce, params->read.iv, params->read.iv_size);
789
790
0
  length = ciphertext->size - tag_size;
791
792
0
  length_to_decrypt = ciphertext->size;
793
794
0
  if (unlikely((unsigned)length_to_decrypt > plain->size)) {
795
0
    _gnutls_audit_log(
796
0
      session,
797
0
      "Received %u bytes, while expecting less than %u\n",
798
0
      (unsigned int)length_to_decrypt,
799
0
      (unsigned int)plain->size);
800
0
    return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
801
0
  }
802
803
0
  aad[0] = GNUTLS_APPLICATION_DATA;
804
0
  aad[1] = 0x03;
805
0
  aad[2] = 0x03;
806
0
  _gnutls_write_uint16(ciphertext->size, &aad[3]);
807
808
0
  ret = gnutls_aead_cipher_decrypt(&params->read.ctx.aead, nonce, iv_size,
809
0
           aad, sizeof(aad), tag_size,
810
0
           ciphertext->data, length_to_decrypt,
811
0
           plain->data, &length);
812
0
  if (unlikely(ret < 0))
813
0
    return gnutls_assert_val(ret);
814
815
  /* 1 octet for content type */
816
0
  if (length > max_decrypted_size(session) + 1) {
817
0
    _gnutls_audit_log(session,
818
0
          "Received packet with illegal length: %u\n",
819
0
          (unsigned int)length);
820
821
0
    return gnutls_assert_val(GNUTLS_E_RECORD_OVERFLOW);
822
0
  }
823
824
0
  length_set = 0;
825
826
  /* now figure the actual data size. We intentionally iterate through all data,
827
   * to avoid leaking the padding length due to timing differences in processing.
828
   */
829
0
  for (j = length; j > 0; j--) {
830
0
    if (plain->data[j - 1] != 0 && length_set == 0) {
831
0
      *type = plain->data[j - 1];
832
0
      length = j - 1;
833
0
      length_set = 1;
834
0
      if (!(session->internals.flags &
835
0
            GNUTLS_SAFE_PADDING_CHECK))
836
0
        break;
837
0
    }
838
0
  }
839
840
0
  if (!length_set)
841
0
    return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
842
843
0
  return length;
844
0
}