2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* Some high level functions to be used in the record encryption are
27 #include "gnutls_int.h"
28 #include "gnutls_errors.h"
29 #include "gnutls_compress.h"
30 #include "gnutls_cipher.h"
31 #include "algorithms.h"
32 #include "gnutls_hash_int.h"
33 #include "gnutls_cipher_int.h"
35 #include "gnutls_num.h"
36 #include "gnutls_datum.h"
37 #include "gnutls_kx.h"
38 #include "gnutls_record.h"
39 #include "gnutls_constate.h"
40 #include <gnutls_state.h>
43 static int compressed_to_ciphertext (gnutls_session_t session
,
44 uint8_t * cipher_data
, int cipher_size
,
45 gnutls_datum_t
*compressed
,
47 record_parameters_st
* params
);
48 static int ciphertext_to_compressed (gnutls_session_t session
,
49 gnutls_datum_t
*ciphertext
,
50 uint8_t * compress_data
,
53 record_parameters_st
* params
, uint64
* sequence
);
56 is_write_comp_null (record_parameters_st
* record_params
)
58 if (record_params
->compression_algorithm
== GNUTLS_COMP_NULL
)
65 is_read_comp_null (record_parameters_st
* record_params
)
67 if (record_params
->compression_algorithm
== GNUTLS_COMP_NULL
)
74 /* returns ciphertext which contains the headers too. This also
75 * calculates the size in the header field.
77 * If random pad != 0 then the random pad data will be appended.
80 _gnutls_encrypt (gnutls_session_t session
, const uint8_t * headers
,
81 size_t headers_size
, const uint8_t * data
,
82 size_t data_size
, uint8_t * ciphertext
,
83 size_t ciphertext_size
, content_type_t type
,
84 record_parameters_st
* params
)
90 if (data_size
== 0 || is_write_comp_null (params
) == 0)
92 comp
.data
= (uint8_t*)data
;
93 comp
.size
= data_size
;
97 /* Here comp is allocated and must be
102 comp
.size
= ciphertext_size
- headers_size
;
103 comp
.data
= gnutls_malloc(comp
.size
);
104 if (comp
.data
== NULL
)
105 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
107 ret
= _gnutls_compress(¶ms
->write
.compression_state
, data
, data_size
,
108 comp
.data
, comp
.size
, session
->internals
.priorities
.stateless_compression
);
111 gnutls_free(comp
.data
);
112 return gnutls_assert_val(ret
);
118 ret
= compressed_to_ciphertext (session
, &ciphertext
[headers_size
],
119 ciphertext_size
- headers_size
,
120 &comp
, type
, params
);
123 gnutls_free(comp
.data
);
126 return gnutls_assert_val(ret
);
128 /* copy the headers */
129 memcpy (ciphertext
, headers
, headers_size
);
132 _gnutls_write_uint16 (ret
, &ciphertext
[11]);
134 _gnutls_write_uint16 (ret
, &ciphertext
[3]);
136 return ret
+ headers_size
;
139 /* Decrypts the given data.
140 * Returns the decrypted data length.
143 _gnutls_decrypt (gnutls_session_t session
, uint8_t * ciphertext
,
144 size_t ciphertext_size
, uint8_t * data
,
145 size_t max_data_size
, content_type_t type
,
146 record_parameters_st
* params
, uint64
*sequence
)
148 gnutls_datum_t gcipher
;
151 if (ciphertext_size
== 0)
154 gcipher
.size
= ciphertext_size
;
155 gcipher
.data
= ciphertext
;
157 if (is_read_comp_null (params
) == 0)
160 ciphertext_to_compressed (session
, &gcipher
, data
, max_data_size
,
161 type
, params
, sequence
);
163 return gnutls_assert_val(ret
);
171 tmp_data
= gnutls_malloc(max_data_size
);
172 if (tmp_data
== NULL
)
173 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
176 ciphertext_to_compressed (session
, &gcipher
, tmp_data
, max_data_size
,
177 type
, params
, sequence
);
185 ret
= _gnutls_decompress( ¶ms
->read
.compression_state
, tmp_data
, data_size
, data
, max_data_size
);
191 gnutls_free(tmp_data
);
198 calc_enc_length_block (gnutls_session_t session
, int data_size
,
199 int hash_size
, uint8_t * pad
,
200 unsigned auth_cipher
, uint16_t blocksize
)
207 /* make rnd a multiple of blocksize */
208 if (session
->security_parameters
.version
== GNUTLS_SSL3
)
215 rnd
= (rnd
/ blocksize
) * blocksize
;
216 /* added to avoid the case of pad calculated 0
217 * seen below for pad calculation.
223 length
= data_size
+ hash_size
;
225 *pad
= (uint8_t) (blocksize
- (length
% blocksize
)) + rnd
;
228 if (_gnutls_version_has_explicit_iv
229 (session
->security_parameters
.version
))
230 length
+= blocksize
; /* for the IV */
236 calc_enc_length_stream (gnutls_session_t session
, int data_size
,
237 int hash_size
, unsigned auth_cipher
)
241 length
= data_size
+ hash_size
;
243 length
+= AEAD_EXPLICIT_DATA_SIZE
;
248 #define MAX_PREAMBLE_SIZE 16
250 /* generates the authentication data (data to be hashed only
251 * and are not to be sent). Returns their size.
254 make_preamble (uint8_t * uint64_data
, uint8_t type
, unsigned int length
,
255 uint8_t ver
, uint8_t * preamble
)
257 uint8_t minor
= _gnutls_version_get_minor (ver
);
258 uint8_t major
= _gnutls_version_get_major (ver
);
259 uint8_t *p
= preamble
;
262 c_length
= _gnutls_conv_uint16 (length
);
264 memcpy (p
, uint64_data
, 8);
268 if (ver
!= GNUTLS_SSL3
)
269 { /* TLS protocols */
275 memcpy (p
, &c_length
, 2);
280 /* This is the actual encryption
281 * Encrypts the given compressed datum, and puts the result to cipher_data,
282 * which has cipher_size size.
283 * return the actual encrypted data length.
286 compressed_to_ciphertext (gnutls_session_t session
,
287 uint8_t * cipher_data
, int cipher_size
,
288 gnutls_datum_t
*compressed
,
290 record_parameters_st
* params
)
292 uint8_t * tag_ptr
= NULL
;
294 int length
, length_to_encrypt
, ret
;
295 uint8_t preamble
[MAX_PREAMBLE_SIZE
];
297 int tag_size
= _gnutls_auth_cipher_tag_len (¶ms
->write
.cipher_state
);
298 int blocksize
= gnutls_cipher_get_block_size (params
->cipher_algorithm
);
299 unsigned block_algo
=
300 _gnutls_cipher_is_block (params
->cipher_algorithm
);
302 int ver
= gnutls_protocol_get_version (session
);
303 int explicit_iv
= _gnutls_version_has_explicit_iv (session
->security_parameters
.version
);
304 int auth_cipher
= _gnutls_auth_cipher_is_aead(¶ms
->write
.cipher_state
);
305 uint8_t nonce
[MAX_CIPHER_BLOCK_SIZE
+1];
308 _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
309 session
, gnutls_cipher_get_name(params
->cipher_algorithm
), gnutls_mac_get_name(params
->mac_algorithm
),
310 (unsigned int)params
->epoch
);
313 make_preamble (UINT64DATA
314 (params
->write
.sequence_number
),
315 type
, compressed
->size
, ver
, preamble
);
317 /* Calculate the encrypted length (padding etc.)
319 if (block_algo
== CIPHER_BLOCK
)
321 /* Call _gnutls_rnd() once. Get data used for the IV + 1 for
322 * the random padding.
324 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, nonce
, blocksize
+1);
326 return gnutls_assert_val(ret
);
328 /* We don't use long padding if requested or if we are in DTLS.
330 if (session
->internals
.priorities
.no_padding
== 0 && !IS_DTLS(session
))
331 pad
= nonce
[blocksize
];
333 length_to_encrypt
= length
=
334 calc_enc_length_block (session
, compressed
->size
, tag_size
, &pad
,
335 auth_cipher
, blocksize
);
338 length_to_encrypt
= length
=
339 calc_enc_length_stream (session
, compressed
->size
, tag_size
,
343 return gnutls_assert_val(length
);
346 /* copy the encrypted data to cipher_data.
348 if (cipher_size
< length
)
350 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
353 data_ptr
= cipher_data
;
357 if (block_algo
== CIPHER_BLOCK
)
359 /* copy the random IV.
361 memcpy(data_ptr
, nonce
, blocksize
);
362 _gnutls_auth_cipher_setiv(¶ms
->write
.cipher_state
, data_ptr
, blocksize
);
364 data_ptr
+= blocksize
;
365 cipher_data
+= blocksize
;
366 length_to_encrypt
-= blocksize
;
368 else if (auth_cipher
)
370 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
372 if (params
->write
.IV
.data
== NULL
|| params
->write
.IV
.size
!= AEAD_IMPLICIT_DATA_SIZE
)
373 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
375 /* Instead of generating a new nonce on every packet, we use the
376 * write.sequence_number (It is a MAY on RFC 5288).
378 memcpy(nonce
, params
->write
.IV
.data
, params
->write
.IV
.size
);
379 memcpy(&nonce
[AEAD_IMPLICIT_DATA_SIZE
], UINT64DATA(params
->write
.sequence_number
), 8);
381 _gnutls_auth_cipher_setiv(¶ms
->write
.cipher_state
, nonce
, AEAD_IMPLICIT_DATA_SIZE
+AEAD_EXPLICIT_DATA_SIZE
);
383 /* copy the explicit part */
384 memcpy(data_ptr
, &nonce
[AEAD_IMPLICIT_DATA_SIZE
], AEAD_EXPLICIT_DATA_SIZE
);
386 data_ptr
+= AEAD_EXPLICIT_DATA_SIZE
;
387 cipher_data
+= AEAD_EXPLICIT_DATA_SIZE
;
388 /* In AEAD ciphers we don't encrypt the tag
390 length_to_encrypt
-= AEAD_EXPLICIT_DATA_SIZE
+ tag_size
;
395 /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise.
397 if (auth_cipher
) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
400 memcpy (data_ptr
, compressed
->data
, compressed
->size
);
401 data_ptr
+= compressed
->size
;
406 data_ptr
+= tag_size
;
408 if (block_algo
== CIPHER_BLOCK
&& pad
> 0)
410 memset (data_ptr
, pad
- 1, pad
);
413 /* add the authenticate data */
414 ret
= _gnutls_auth_cipher_add_auth(¶ms
->write
.cipher_state
, preamble
, preamble_size
);
416 return gnutls_assert_val(ret
);
418 /* Actual encryption (inplace).
421 _gnutls_auth_cipher_encrypt2_tag (¶ms
->write
.cipher_state
,
422 cipher_data
, length_to_encrypt
,
423 cipher_data
, cipher_size
,
424 tag_ptr
, tag_size
, compressed
->size
);
426 return gnutls_assert_val(ret
);
432 /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
433 * Returns the actual compressed packet size.
436 ciphertext_to_compressed (gnutls_session_t session
,
437 gnutls_datum_t
*ciphertext
,
438 uint8_t * compress_data
,
440 uint8_t type
, record_parameters_st
* params
,
443 uint8_t tag
[MAX_HASH_SIZE
];
445 int length
, length_to_decrypt
;
447 int ret
, pad_failed
= 0;
448 uint8_t preamble
[MAX_PREAMBLE_SIZE
];
449 unsigned int preamble_size
;
450 unsigned int ver
= gnutls_protocol_get_version (session
);
451 unsigned int tag_size
= _gnutls_auth_cipher_tag_len (¶ms
->read
.cipher_state
);
452 unsigned int explicit_iv
= _gnutls_version_has_explicit_iv (session
->security_parameters
.version
);
454 blocksize
= gnutls_cipher_get_block_size (params
->cipher_algorithm
);
456 /* actual decryption (inplace)
458 switch (_gnutls_cipher_is_block (params
->cipher_algorithm
))
461 /* The way AEAD ciphers are defined in RFC5246, it allows
462 * only stream ciphers.
464 if (explicit_iv
&& _gnutls_auth_cipher_is_aead(¶ms
->read
.cipher_state
))
466 uint8_t nonce
[blocksize
];
467 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
469 if (params
->read
.IV
.data
== NULL
|| params
->read
.IV
.size
!= 4)
470 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
472 if (ciphertext
->size
< tag_size
+AEAD_EXPLICIT_DATA_SIZE
)
473 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
475 memcpy(nonce
, params
->read
.IV
.data
, AEAD_IMPLICIT_DATA_SIZE
);
476 memcpy(&nonce
[AEAD_IMPLICIT_DATA_SIZE
], ciphertext
->data
, AEAD_EXPLICIT_DATA_SIZE
);
478 _gnutls_auth_cipher_setiv(¶ms
->read
.cipher_state
, nonce
, AEAD_EXPLICIT_DATA_SIZE
+AEAD_IMPLICIT_DATA_SIZE
);
480 ciphertext
->data
+= AEAD_EXPLICIT_DATA_SIZE
;
481 ciphertext
->size
-= AEAD_EXPLICIT_DATA_SIZE
;
483 length_to_decrypt
= ciphertext
->size
- tag_size
;
487 if (ciphertext
->size
< tag_size
)
488 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
490 length_to_decrypt
= ciphertext
->size
;
493 length
= ciphertext
->size
- tag_size
;
495 /* Pass the type, version, length and compressed through
499 make_preamble (UINT64DATA(*sequence
), type
,
500 length
, ver
, preamble
);
502 ret
= _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, preamble
, preamble_size
);
504 return gnutls_assert_val(ret
);
507 _gnutls_auth_cipher_decrypt2 (¶ms
->read
.cipher_state
,
508 ciphertext
->data
, length_to_decrypt
,
509 ciphertext
->data
, ciphertext
->size
)) < 0)
510 return gnutls_assert_val(ret
);
514 if (ciphertext
->size
< blocksize
|| (ciphertext
->size
% blocksize
!= 0))
515 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH
);
517 /* ignore the IV in TLS 1.1+
521 _gnutls_auth_cipher_setiv(¶ms
->read
.cipher_state
,
522 ciphertext
->data
, blocksize
);
524 ciphertext
->size
-= blocksize
;
525 ciphertext
->data
+= blocksize
;
528 if (ciphertext
->size
< tag_size
)
529 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED
);
531 /* we don't use the auth_cipher interface here, since
532 * TLS with block ciphers is impossible to be used under such
533 * an API. (the length of plaintext is required to calculate
534 * auth_data, but it is not available before decryption).
537 _gnutls_cipher_decrypt (¶ms
->read
.cipher_state
.cipher
,
538 ciphertext
->data
, ciphertext
->size
)) < 0)
539 return gnutls_assert_val(ret
);
541 pad
= ciphertext
->data
[ciphertext
->size
- 1] + 1; /* pad */
544 if (pad
> (int) ciphertext
->size
- tag_size
)
548 ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
549 session
, pad
, ciphertext
->size
, tag_size
);
550 /* We do not fail here. We check below for the
551 * the pad_failed. If zero means success.
553 pad_failed
= GNUTLS_E_DECRYPTION_FAILED
;
557 length
= ciphertext
->size
- tag_size
- pad
;
559 /* Check the pading bytes (TLS 1.x)
561 if (ver
!= GNUTLS_SSL3
)
562 for (i
= 2; i
<= pad
; i
++)
564 if (ciphertext
->data
[ciphertext
->size
- i
] !=
565 ciphertext
->data
[ciphertext
->size
- 1])
566 pad_failed
= GNUTLS_E_DECRYPTION_FAILED
;
571 /* Setting a proper length to prevent timing differences in
572 * processing of records with invalid encryption.
574 length
= ciphertext
->size
- tag_size
;
577 /* Pass the type, version, length and compressed through
581 make_preamble (UINT64DATA(*sequence
), type
,
582 length
, ver
, preamble
);
583 ret
= _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, preamble
, preamble_size
);
585 return gnutls_assert_val(ret
);
587 ret
= _gnutls_auth_cipher_add_auth (¶ms
->read
.cipher_state
, ciphertext
->data
, length
);
589 return gnutls_assert_val(ret
);
593 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR
);
596 ret
= _gnutls_auth_cipher_tag(¶ms
->read
.cipher_state
, tag
, tag_size
);
598 return gnutls_assert_val(ret
);
600 /* This one was introduced to avoid a timing attack against the TLS
603 /* HMAC was not the same.
605 if (memcmp (tag
, &ciphertext
->data
[length
], tag_size
) != 0 || pad_failed
!= 0)
606 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED
);
608 /* copy the decrypted stuff to compress_data.
610 if (compress_size
< length
)
611 return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED
);
613 if (compress_data
!= ciphertext
->data
)
614 memcpy (compress_data
, ciphertext
->data
, length
);