2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* Some high level functions to be used in the record encryption are
27 #include "gnutls_int.h"
28 #include "gnutls_errors.h"
29 #include "gnutls_compress.h"
30 #include "gnutls_cipher.h"
31 #include "algorithms.h"
32 #include "gnutls_hash_int.h"
33 #include "gnutls_cipher_int.h"
35 #include "gnutls_num.h"
36 #include "gnutls_datum.h"
37 #include "gnutls_kx.h"
38 #include "gnutls_record.h"
39 #include "gnutls_constate.h"
40 #include <gnutls_state.h>
43 static int compressed_to_ciphertext (gnutls_session_t session,
44 uint8_t * cipher_data, int cipher_size,
45 gnutls_datum_t *compressed,
47 record_parameters_st * params);
48 static int ciphertext_to_compressed (gnutls_session_t session,
49 gnutls_datum_t *ciphertext,
50 uint8_t * compress_data,
53 record_parameters_st * params, uint64* sequence);
56 is_write_comp_null (record_parameters_st * record_params)
58 if (record_params->compression_algorithm == GNUTLS_COMP_NULL)
65 is_read_comp_null (record_parameters_st * record_params)
67 if (record_params->compression_algorithm == GNUTLS_COMP_NULL)
74 /* returns ciphertext which contains the headers too. This also
75 * calculates the size in the header field.
77 * If random pad != 0 then the random pad data will be appended.
80 _gnutls_encrypt (gnutls_session_t session, const uint8_t * headers,
81 size_t headers_size, const uint8_t * data,
82 size_t data_size, uint8_t * ciphertext,
83 size_t ciphertext_size, content_type_t type,
84 record_parameters_st * params)
90 if (data_size == 0 || is_write_comp_null (params) == 0)
92 comp.data = (uint8_t*)data;
93 comp.size = data_size;
97 /* Here comp is allocated and must be
102 comp.size = ciphertext_size - headers_size;
103 comp.data = gnutls_malloc(comp.size);
104 if (comp.data == NULL)
105 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
107 ret = _gnutls_compress( ¶ms->write.compression_state, data, data_size, comp.data, comp.size);
110 gnutls_free(comp.data);
111 return gnutls_assert_val(ret);
117 ret = compressed_to_ciphertext (session, &ciphertext[headers_size],
118 ciphertext_size - headers_size,
119 &comp, type, params);
122 gnutls_free(comp.data);
125 return gnutls_assert_val(ret);
127 /* copy the headers */
128 memcpy (ciphertext, headers, headers_size);
131 _gnutls_write_uint16 (ret, &ciphertext[11]);
133 _gnutls_write_uint16 (ret, &ciphertext[3]);
135 return ret + headers_size;
138 /* Decrypts the given data.
139 * Returns the decrypted data length.
142 _gnutls_decrypt (gnutls_session_t session, uint8_t * ciphertext,
143 size_t ciphertext_size, uint8_t * data,
144 size_t max_data_size, content_type_t type,
145 record_parameters_st * params, uint64 *sequence)
147 gnutls_datum_t gcipher;
150 if (ciphertext_size == 0)
153 gcipher.size = ciphertext_size;
154 gcipher.data = ciphertext;
156 if (is_read_comp_null (params) == 0)
159 ciphertext_to_compressed (session, &gcipher, data, max_data_size,
160 type, params, sequence);
162 return gnutls_assert_val(ret);
170 tmp_data = gnutls_malloc(max_data_size);
171 if (tmp_data == NULL)
172 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
175 ciphertext_to_compressed (session, &gcipher, tmp_data, max_data_size,
176 type, params, sequence);
184 ret = _gnutls_decompress( ¶ms->read.compression_state, tmp_data, data_size, data, max_data_size);
190 gnutls_free(tmp_data);
197 calc_enc_length (gnutls_session_t session, int data_size,
198 int hash_size, uint8_t * pad, int random_pad,
199 unsigned block_algo, unsigned auth_cipher, uint16_t blocksize)
210 length = data_size + hash_size;
212 length += AEAD_EXPLICIT_DATA_SIZE;
216 ret = _gnutls_rnd (GNUTLS_RND_NONCE, &rnd, 1);
218 return gnutls_assert_val(ret);
220 /* make rnd a multiple of blocksize */
221 if (session->security_parameters.version == GNUTLS_SSL3 ||
228 rnd = (rnd / blocksize) * blocksize;
229 /* added to avoid the case of pad calculated 0
230 * seen below for pad calculation.
236 length = data_size + hash_size;
238 *pad = (uint8_t) (blocksize - (length % blocksize)) + rnd;
241 if (_gnutls_version_has_explicit_iv
242 (session->security_parameters.version))
243 length += blocksize; /* for the IV */
247 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
253 #define MAX_PREAMBLE_SIZE 16
255 /* generates the authentication data (data to be hashed only
256 * and are not to be sent). Returns their size.
259 make_preamble (uint8_t * uint64_data, uint8_t type, unsigned int length,
260 uint8_t ver, uint8_t * preamble)
262 uint8_t minor = _gnutls_version_get_minor (ver);
263 uint8_t major = _gnutls_version_get_major (ver);
264 uint8_t *p = preamble;
267 c_length = _gnutls_conv_uint16 (length);
269 memcpy (p, uint64_data, 8);
273 if (ver != GNUTLS_SSL3)
274 { /* TLS protocols */
280 memcpy (p, &c_length, 2);
285 /* This is the actual encryption
286 * Encrypts the given compressed datum, and puts the result to cipher_data,
287 * which has cipher_size size.
288 * return the actual encrypted data length.
291 compressed_to_ciphertext (gnutls_session_t session,
292 uint8_t * cipher_data, int cipher_size,
293 gnutls_datum_t *compressed,
295 record_parameters_st * params)
297 uint8_t * tag_ptr = NULL;
299 int length, length_to_encrypt, ret;
300 uint8_t preamble[MAX_PREAMBLE_SIZE];
302 int tag_size = _gnutls_auth_cipher_tag_len (¶ms->write.cipher_state);
303 int blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm);
304 unsigned block_algo =
305 _gnutls_cipher_is_block (params->cipher_algorithm);
307 int ver = gnutls_protocol_get_version (session);
308 int explicit_iv = _gnutls_version_has_explicit_iv (session->security_parameters.version);
309 int auth_cipher = _gnutls_auth_cipher_is_aead(¶ms->write.cipher_state);
312 /* We don't use long padding if requested or if we are in DTLS.
314 if (session->internals.priorities.no_padding == 0 && (!IS_DTLS(session)))
319 _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
320 session, gnutls_cipher_get_name(params->cipher_algorithm), gnutls_mac_get_name(params->mac_algorithm),
321 (unsigned int)params->epoch);
324 make_preamble (UINT64DATA
325 (params->write.sequence_number),
326 type, compressed->size, ver, preamble);
328 /* Calculate the encrypted length (padding etc.)
330 length_to_encrypt = length =
331 calc_enc_length (session, compressed->size, tag_size, &pad,
332 random_pad, block_algo, auth_cipher, blocksize);
335 return gnutls_assert_val(length);
338 /* copy the encrypted data to cipher_data.
340 if (cipher_size < length)
342 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
345 data_ptr = cipher_data;
350 if (block_algo == CIPHER_BLOCK)
352 /* copy the random IV.
354 ret = _gnutls_rnd (GNUTLS_RND_NONCE, data_ptr, blocksize);
356 return gnutls_assert_val(ret);
358 _gnutls_auth_cipher_setiv(¶ms->write.cipher_state, data_ptr, blocksize);
360 data_ptr += blocksize;
361 cipher_data += blocksize;
362 length_to_encrypt -= blocksize;
364 else if (auth_cipher)
366 uint8_t nonce[blocksize];
368 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
370 if (params->write.IV.data == NULL || params->write.IV.size != AEAD_IMPLICIT_DATA_SIZE)
371 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
373 /* Instead of generating a new nonce on every packet, we use the
374 * write.sequence_number (It is a MAY on RFC 5288).
376 memcpy(nonce, params->write.IV.data, params->write.IV.size);
377 memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], UINT64DATA(params->write.sequence_number), 8);
379 _gnutls_auth_cipher_setiv(¶ms->write.cipher_state, nonce, AEAD_IMPLICIT_DATA_SIZE+AEAD_EXPLICIT_DATA_SIZE);
381 /* copy the explicit part */
382 memcpy(data_ptr, &nonce[AEAD_IMPLICIT_DATA_SIZE], AEAD_EXPLICIT_DATA_SIZE);
384 data_ptr += AEAD_EXPLICIT_DATA_SIZE;
385 cipher_data += AEAD_EXPLICIT_DATA_SIZE;
386 /* In AEAD ciphers we don't encrypt the tag
388 length_to_encrypt -= AEAD_EXPLICIT_DATA_SIZE + tag_size;
393 /* AEAD ciphers have an explicit IV. Shouldn't be used otherwise.
395 if (auth_cipher) return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
398 memcpy (data_ptr, compressed->data, compressed->size);
399 data_ptr += compressed->size;
404 data_ptr += tag_size;
406 if (block_algo == CIPHER_BLOCK && pad > 0)
408 memset (data_ptr, pad - 1, pad);
411 /* add the authenticate data */
412 ret = _gnutls_auth_cipher_add_auth(¶ms->write.cipher_state, preamble, preamble_size);
414 return gnutls_assert_val(ret);
416 /* Actual encryption (inplace).
419 _gnutls_auth_cipher_encrypt2_tag (¶ms->write.cipher_state,
420 cipher_data, length_to_encrypt,
421 cipher_data, cipher_size,
422 tag_ptr, tag_size, compressed->size);
424 return gnutls_assert_val(ret);
430 /* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
431 * Returns the actual compressed packet size.
434 ciphertext_to_compressed (gnutls_session_t session,
435 gnutls_datum_t *ciphertext,
436 uint8_t * compress_data,
438 uint8_t type, record_parameters_st * params,
441 uint8_t tag[MAX_HASH_SIZE];
443 int length, length_to_decrypt;
445 int ret, i, pad_failed = 0;
446 uint8_t preamble[MAX_PREAMBLE_SIZE];
447 unsigned int preamble_size;
448 unsigned int ver = gnutls_protocol_get_version (session);
449 unsigned int tag_size = _gnutls_auth_cipher_tag_len (¶ms->read.cipher_state);
450 unsigned int explicit_iv = _gnutls_version_has_explicit_iv (session->security_parameters.version);
452 blocksize = gnutls_cipher_get_block_size (params->cipher_algorithm);
454 /* actual decryption (inplace)
456 switch (_gnutls_cipher_is_block (params->cipher_algorithm))
459 /* The way AEAD ciphers are defined in RFC5246, it allows
460 * only stream ciphers.
462 if (explicit_iv && _gnutls_auth_cipher_is_aead(¶ms->read.cipher_state))
464 uint8_t nonce[blocksize];
465 /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
467 if (params->read.IV.data == NULL || params->read.IV.size != 4)
468 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
470 if (ciphertext->size < tag_size+AEAD_EXPLICIT_DATA_SIZE)
471 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
473 memcpy(nonce, params->read.IV.data, AEAD_IMPLICIT_DATA_SIZE);
474 memcpy(&nonce[AEAD_IMPLICIT_DATA_SIZE], ciphertext->data, AEAD_EXPLICIT_DATA_SIZE);
476 _gnutls_auth_cipher_setiv(¶ms->read.cipher_state, nonce, AEAD_EXPLICIT_DATA_SIZE+AEAD_IMPLICIT_DATA_SIZE);
478 ciphertext->data += AEAD_EXPLICIT_DATA_SIZE;
479 ciphertext->size -= AEAD_EXPLICIT_DATA_SIZE;
481 length_to_decrypt = ciphertext->size - tag_size;
485 if (ciphertext->size < tag_size)
486 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
488 length_to_decrypt = ciphertext->size;
491 length = ciphertext->size - tag_size;
493 /* Pass the type, version, length and compressed through
497 make_preamble (UINT64DATA(*sequence), type,
498 length, ver, preamble);
500 ret = _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, preamble, preamble_size);
502 return gnutls_assert_val(ret);
505 _gnutls_auth_cipher_decrypt2 (¶ms->read.cipher_state,
506 ciphertext->data, length_to_decrypt,
507 ciphertext->data, ciphertext->size)) < 0)
508 return gnutls_assert_val(ret);
512 if (ciphertext->size < blocksize || (ciphertext->size % blocksize != 0))
513 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
515 /* ignore the IV in TLS 1.1+
519 _gnutls_auth_cipher_setiv(¶ms->read.cipher_state,
520 ciphertext->data, blocksize);
522 ciphertext->size -= blocksize;
523 ciphertext->data += blocksize;
526 if (ciphertext->size < tag_size)
527 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
529 /* we don't use the auth_cipher interface here, since
530 * TLS with block ciphers is impossible to be used under such
531 * an API. (the length of plaintext is required to calculate
532 * auth_data, but it is not available before decryption).
535 _gnutls_cipher_decrypt (¶ms->read.cipher_state.cipher,
536 ciphertext->data, ciphertext->size)) < 0)
537 return gnutls_assert_val(ret);
539 pad = ciphertext->data[ciphertext->size - 1] + 1; /* pad */
542 if ((int) pad > (int) ciphertext->size - tag_size)
546 ("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
547 session, pad, ciphertext->size, tag_size);
548 /* We do not fail here. We check below for the
549 * the pad_failed. If zero means success.
551 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
555 length = ciphertext->size - tag_size - pad;
557 /* Check the pading bytes (TLS 1.x)
559 if (ver != GNUTLS_SSL3)
560 for (i = 2; i < pad; i++)
562 if (ciphertext->data[ciphertext->size - i] !=
563 ciphertext->data[ciphertext->size - 1])
564 pad_failed = GNUTLS_E_DECRYPTION_FAILED;
569 /* Setting a proper length to prevent timing differences in
570 * processing of records with invalid encryption.
572 length = ciphertext->size - tag_size;
575 /* Pass the type, version, length and compressed through
579 make_preamble (UINT64DATA(*sequence), type,
580 length, ver, preamble);
581 ret = _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, preamble, preamble_size);
583 return gnutls_assert_val(ret);
585 ret = _gnutls_auth_cipher_add_auth (¶ms->read.cipher_state, ciphertext->data, length);
587 return gnutls_assert_val(ret);
591 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
594 ret = _gnutls_auth_cipher_tag(¶ms->read.cipher_state, tag, tag_size);
596 return gnutls_assert_val(ret);
598 /* This one was introduced to avoid a timing attack against the TLS
601 /* HMAC was not the same.
603 if (memcmp (tag, &ciphertext->data[length], tag_size) != 0 || pad_failed != 0)
604 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
606 /* copy the decrypted stuff to compress_data.
608 if (compress_size < length)
609 return gnutls_assert_val(GNUTLS_E_DECOMPRESSION_FAILED);
611 if (compress_data != ciphertext->data)
612 memcpy (compress_data, ciphertext->data, length);