LCOV - code coverage report
Current view: top level - builds/gnutls/coverage/gnutls-git/lib - cipher.c (source / functions) Hit Total Coverage
Test: GnuTLS-3.6.14 Code Coverage Lines: 364 418 87.1 %
Date: 2020-10-30 04:50:48 Functions: 7 7 100.0 %
Legend: Lines: hit not hit

          Line data    Source code
       1             : /*
       2             :  * Copyright (C) 2000-2013 Free Software Foundation, Inc.
       3             :  * Copyright (C) 2013 Nikos Mavrogiannopoulos
       4             :  * Copyright (C) 2017-2018 Red Hat, Inc.
       5             :  *
       6             :  * Author: Nikos Mavrogiannopoulos
       7             :  *
       8             :  * This file is part of GnuTLS.
       9             :  *
      10             :  * The GnuTLS is free software; you can redistribute it and/or
      11             :  * modify it under the terms of the GNU Lesser General Public License
      12             :  * as published by the Free Software Foundation; either version 2.1 of
      13             :  * the License, or (at your option) any later version.
      14             :  *
      15             :  * This library is distributed in the hope that it will be useful, but
      16             :  * WITHOUT ANY WARRANTY; without even the implied warranty of
      17             :  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      18             :  * Lesser General Public License for more details.
      19             :  *
      20             :  * You should have received a copy of the GNU Lesser General Public License
      21             :  * along with this program.  If not, see <https://www.gnu.org/licenses/>
      22             :  *
      23             :  */
      24             : 
      25             : /* Some high level functions to be used in the record encryption are
      26             :  * included here.
      27             :  */
      28             : 
      29             : #include "gnutls_int.h"
      30             : #include "errors.h"
      31             : #include "cipher.h"
      32             : #include "algorithms.h"
      33             : #include "hash_int.h"
      34             : #include "cipher_int.h"
      35             : #include "debug.h"
      36             : #include "num.h"
      37             : #include "datum.h"
      38             : #include "kx.h"
      39             : #include "record.h"
      40             : #include "constate.h"
      41             : #include "mbuffers.h"
      42             : #include <state.h>
      43             : #include <random.h>
      44             : 
      45             : static int encrypt_packet(gnutls_session_t session,
      46             :                             uint8_t * cipher_data, int cipher_size,
      47             :                             gnutls_datum_t * plain,
      48             :                             size_t min_pad,
      49             :                             content_type_t _type,
      50             :                             record_parameters_st * params);
      51             : 
      52             : static int decrypt_packet(gnutls_session_t session,
      53             :                             gnutls_datum_t * ciphertext,
      54             :                             gnutls_datum_t * plain,
      55             :                             content_type_t type,
      56             :                             record_parameters_st * params,
      57             :                             uint64_t sequence);
      58             : 
      59             : static int
      60             : decrypt_packet_tls13(gnutls_session_t session,
      61             :                      gnutls_datum_t * ciphertext,
      62             :                      gnutls_datum_t * plain,
      63             :                      content_type_t *type, record_parameters_st * params,
      64             :                      uint64_t sequence);
      65             : 
      66             : static int
      67             : encrypt_packet_tls13(gnutls_session_t session,
      68             :                      uint8_t *cipher_data, size_t cipher_size,
      69             :                      gnutls_datum_t *plain,
      70             :                      size_t pad_size,
      71             :                      uint8_t type,
      72             :                      record_parameters_st *params);
      73             : 
      74             : /* returns ciphertext which contains the headers too. This also
      75             :  * calculates the size in the header field.
      76             :  *
      77             :  */
      78             : int
      79     2514720 : _gnutls_encrypt(gnutls_session_t session,
      80             :                 const uint8_t *data, size_t data_size,
      81             :                 size_t min_pad,
      82             :                 mbuffer_st *bufel,
      83             :                 content_type_t type, record_parameters_st *params)
      84             : {
      85     2514720 :         gnutls_datum_t plaintext;
      86     2514720 :         const version_entry_st *vers = get_version(session);
      87     2514720 :         int ret;
      88             : 
      89     2514720 :         plaintext.data = (uint8_t *) data;
      90     2514720 :         plaintext.size = data_size;
      91             : 
      92     2514720 :         if (vers && vers->tls13_sem) {
      93             :                 /* it fills the header, as it is included in the authenticated
      94             :                  * data of the AEAD cipher. */
      95      462930 :                 ret =
      96      462930 :                     encrypt_packet_tls13(session,
      97      462930 :                                          _mbuffer_get_udata_ptr(bufel),
      98             :                                          _mbuffer_get_udata_size(bufel),
      99             :                                          &plaintext, min_pad, type,
     100             :                                          params);
     101      462930 :                 if (ret < 0)
     102           0 :                         return gnutls_assert_val(ret);
     103             :         } else {
     104     2051790 :                 ret =
     105     4103570 :                     encrypt_packet(session,
     106     2051790 :                                    _mbuffer_get_udata_ptr(bufel),
     107     2051790 :                                    _mbuffer_get_udata_size
     108             :                                    (bufel), &plaintext, min_pad, type,
     109             :                                    params);
     110     2051790 :                 if (ret < 0)
     111           2 :                         return gnutls_assert_val(ret);
     112             : 
     113             :         }
     114             : 
     115     2514710 :         if (IS_DTLS(session))
     116        9960 :                 _gnutls_write_uint16(ret,
     117             :                                      ((uint8_t *)
     118        9960 :                                       _mbuffer_get_uhead_ptr(bufel)) + 11);
     119             :         else
     120     2504750 :                 _gnutls_write_uint16(ret,
     121             :                                      ((uint8_t *)
     122     2504750 :                                       _mbuffer_get_uhead_ptr(bufel)) + 3);
     123             : 
     124     2514710 :         _mbuffer_set_udata_size(bufel, ret);
     125     2514710 :         _mbuffer_set_uhead_size(bufel, 0);
     126             : 
     127     2514710 :         return _mbuffer_get_udata_size(bufel);
     128             : }
     129             : 
     130             : /* Decrypts the given data.
     131             :  * Returns the decrypted data length.
     132             :  *
     133             :  * The output is preallocated with the maximum allowed data size.
     134             :  */
     135             : int
     136     3185540 : _gnutls_decrypt(gnutls_session_t session,
     137             :                 gnutls_datum_t *ciphertext,
     138             :                 gnutls_datum_t *output,
     139             :                 content_type_t *type,
     140             :                 record_parameters_st *params,
     141             :                 uint64_t sequence)
     142             : {
     143     3185540 :         int ret;
     144     3185540 :         const version_entry_st *vers = get_version(session);
     145             : 
     146     3185540 :         if (ciphertext->size == 0)
     147             :                 return 0;
     148             : 
     149     3185540 :         if (vers && vers->tls13_sem)
     150      513200 :                 ret =
     151      513200 :                     decrypt_packet_tls13(session, ciphertext,
     152             :                                          output, type, params,
     153             :                                          sequence);
     154             :         else
     155     2672340 :                 ret =
     156     2672340 :                     decrypt_packet(session, ciphertext,
     157             :                                    output, *type, params,
     158             :                                    sequence);
     159     3185540 :         if (ret < 0)
     160        2985 :                 return gnutls_assert_val(ret);
     161             : 
     162             :         return ret;
     163             : }
     164             : 
     165             : 
     166             : inline static int
     167      668570 : calc_enc_length_block(gnutls_session_t session,
     168             :                       const version_entry_st * ver,
     169             :                       int data_size,
     170             :                       int hash_size, uint8_t * pad,
     171             :                       unsigned auth_cipher,
     172             :                       uint16_t blocksize,
     173             :                       unsigned etm)
     174             : {
     175             :         /* pad is the LH pad the user wants us to add. Besides
     176             :          * this LH pad, we only add minimal padding
     177             :          */
     178      668570 :         unsigned int pre_length = data_size + *pad;
     179      668570 :         unsigned int length, new_pad;
     180             : 
     181      668570 :         if (etm == 0)
     182       11289 :                 pre_length += hash_size;
     183             : 
     184      668570 :         new_pad = (uint8_t) (blocksize - (pre_length % blocksize)) + *pad;
     185             : 
     186      668570 :         if (new_pad > 255)
     187          28 :                 new_pad -= blocksize;
     188      668570 :         *pad = new_pad;
     189             : 
     190      668570 :         length = data_size + hash_size + *pad;
     191             : 
     192      668570 :         if (_gnutls_version_has_explicit_iv(ver))
     193      323002 :                 length += blocksize;    /* for the IV */
     194             : 
     195      668570 :         return length;
     196             : }
     197             : 
     198             : inline static int
     199     1383220 : calc_enc_length_stream(gnutls_session_t session, int data_size,
     200             :                        int hash_size, unsigned auth_cipher,
     201             :                        unsigned exp_iv_size)
     202             : {
     203     1383220 :         unsigned int length;
     204             : 
     205     1383220 :         length = data_size + hash_size;
     206     1383220 :         if (auth_cipher)
     207      764636 :                 length += exp_iv_size;
     208             : 
     209     1383220 :         return length;
     210             : }
     211             : 
     212             : /* generates the authentication data (data to be hashed only
     213             :  * and are not to be sent). Returns their size.
     214             :  */
     215             : int
     216     4723510 : _gnutls_make_preamble(uint64_t uint64_data, uint8_t type, unsigned int length,
     217             :                       const version_entry_st * ver, uint8_t preamble[MAX_PREAMBLE_SIZE])
     218             : {
     219     4723510 :         uint8_t *p = preamble;
     220     4723510 :         uint16_t c_length;
     221             : 
     222     4723510 :         c_length = _gnutls_conv_uint16(length);
     223             : 
     224     4723510 :         _gnutls_write_uint64(uint64_data, p);
     225     4723510 :         p += 8;
     226     4723510 :         *p = type;
     227     4723510 :         p++;
     228             : #ifdef ENABLE_SSL3
     229             :         if (ver->id != GNUTLS_SSL3)
     230             : #endif
     231             :         {       /* TLS protocols */
     232     4723510 :                 *p = ver->major;
     233     4723510 :                 p++;
     234     4723510 :                 *p = ver->minor;
     235     4723510 :                 p++;
     236             :         }
     237     4723510 :         memcpy(p, &c_length, 2);
     238     4723510 :         p += 2;
     239     4723510 :         return p - preamble;
     240             : }
     241             : 
     242             : /* This is the actual encryption
     243             :  * Encrypts the given plaintext datum, and puts the result to cipher_data,
     244             :  * which has cipher_size size.
     245             :  * return the actual encrypted data length.
     246             :  */
     247             : static int
     248     2051790 : encrypt_packet(gnutls_session_t session,
     249             :                          uint8_t * cipher_data, int cipher_size,
     250             :                          gnutls_datum_t * plain,
     251             :                          size_t min_pad,
     252             :                          content_type_t type,
     253             :                          record_parameters_st * params)
     254             : {
     255     2051790 :         uint8_t pad;
     256     2051790 :         int length, ret;
     257     2051790 :         uint8_t preamble[MAX_PREAMBLE_SIZE];
     258     2051790 :         int preamble_size;
     259     2051790 :         int tag_size =
     260     2051790 :             _gnutls_auth_cipher_tag_len(&params->write.ctx.tls12);
     261     2051790 :         int blocksize = _gnutls_cipher_get_block_size(params->cipher);
     262     2051790 :         unsigned algo_type = _gnutls_cipher_type(params->cipher);
     263     2051790 :         uint8_t *data_ptr, *full_cipher_ptr;
     264     2051790 :         const version_entry_st *ver = get_version(session);
     265     2051790 :         int explicit_iv = _gnutls_version_has_explicit_iv(ver);
     266     2051790 :         int auth_cipher =
     267     2051790 :             _gnutls_auth_cipher_is_aead(&params->write.ctx.tls12);
     268     2051790 :         uint8_t nonce[MAX_CIPHER_IV_SIZE];
     269     2051790 :         unsigned imp_iv_size = 0, exp_iv_size = 0;
     270     2051790 :         bool etm = 0;
     271             : 
     272     2051790 :         if (unlikely(ver == NULL))
     273           0 :                 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     274             : 
     275     2051790 :         if (algo_type == CIPHER_BLOCK && params->etm != 0)
     276      657281 :                 etm = 1;
     277             : 
     278     2051790 :         _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
     279             :                          session, _gnutls_cipher_get_name(params->cipher),
     280             :                          _gnutls_mac_get_name(params->mac),
     281             :                          (unsigned int) params->epoch);
     282             : 
     283             :         /* Calculate the encrypted length (padding etc.)
     284             :          */
     285     2051790 :         if (algo_type == CIPHER_BLOCK) {
     286             :                 /* Call gnutls_rnd() once. Get data used for the IV
     287             :                  */
     288      668570 :                 ret = gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize);
     289      668570 :                 if (ret < 0)
     290           0 :                         return gnutls_assert_val(ret);
     291             : 
     292      668570 :                 pad = min_pad;
     293             : 
     294      668570 :                 length =
     295     1337140 :                     calc_enc_length_block(session, ver, plain->size,
     296             :                                           tag_size, &pad, auth_cipher,
     297             :                                           blocksize, etm);
     298             :         } else { /* AEAD + STREAM */
     299     1383220 :                 imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher);
     300     1383220 :                 exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher);
     301             : 
     302     1383220 :                 pad = 0;
     303     1383220 :                 length =
     304     2147850 :                     calc_enc_length_stream(session, plain->size,
     305             :                                            tag_size, auth_cipher,
     306             :                                            exp_iv_size);
     307             :         }
     308             : 
     309     2051790 :         if (length < 0)
     310           0 :                 return gnutls_assert_val(length);
     311             : 
     312             :         /* copy the encrypted data to cipher_data.
     313             :          */
     314     2051790 :         if (cipher_size < length)
     315           0 :                 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     316             : 
     317     2051790 :         data_ptr = cipher_data;
     318     2051790 :         full_cipher_ptr = data_ptr;
     319             : 
     320     2051790 :         if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) {
     321     1287150 :                 if (algo_type == CIPHER_BLOCK && explicit_iv != 0) {
     322             :                         /* copy the random IV.
     323             :                          */
     324      323002 :                         memcpy(data_ptr, nonce, blocksize);
     325      323002 :                         ret = _gnutls_auth_cipher_setiv(&params->write.
     326             :                                                   ctx.tls12, data_ptr,
     327             :                                                   blocksize);
     328      323002 :                         if (ret < 0)
     329           0 :                                 return gnutls_assert_val(ret);
     330             : 
     331             :                         /*data_ptr += blocksize;*/
     332      323002 :                         cipher_data += blocksize;
     333             :                 }
     334             :         } else { /* AEAD */
     335      764636 :                 if ((params->cipher->flags & GNUTLS_CIPHER_FLAG_XOR_NONCE) == 0) {
     336             :                         /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
     337             :                          */
     338      681343 :                          if (params->write.iv_size != imp_iv_size)
     339           2 :                                 return
     340           2 :                                     gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     341             : 
     342             :                         /* Instead of generating a new nonce on every packet, we use the
     343             :                          * write.sequence_number (It is a MAY on RFC 5288), and safer
     344             :                          * as it will never reuse a value.
     345             :                          */
     346      681341 :                         memcpy(nonce, params->write.iv,
     347             :                                params->write.iv_size);
     348      681341 :                         _gnutls_write_uint64(params->write.sequence_number, &nonce[imp_iv_size]);
     349             : 
     350      681341 :                         memcpy(data_ptr, &nonce[imp_iv_size],
     351             :                                exp_iv_size);
     352             : 
     353             :                         /*data_ptr += exp_iv_size;*/
     354      681341 :                         cipher_data += exp_iv_size;
     355             :                 } else { /* XOR nonce with IV */
     356       83293 :                         if (unlikely(params->write.iv_size != 12 || imp_iv_size != 12 || exp_iv_size != 0))
     357           0 :                                 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     358             : 
     359       83293 :                         memset(nonce, 0, 4);
     360       83293 :                         _gnutls_write_uint64(params->write.sequence_number, &nonce[4]);
     361             : 
     362       83293 :                         memxor(nonce, params->write.iv, 12);
     363             :                 }
     364             :         }
     365             : 
     366     2051780 :         if (etm)
     367      657281 :                 ret = length-tag_size;
     368             :         else
     369     1394500 :                 ret = plain->size;
     370             : 
     371     2051780 :         preamble_size =
     372     2051780 :             _gnutls_make_preamble(params->write.sequence_number,
     373             :                                   type, ret, ver, preamble);
     374             : 
     375     2051780 :         if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) {
     376             :                 /* add the authenticated data */
     377     1287150 :                 ret =
     378     1287150 :                     _gnutls_auth_cipher_add_auth(&params->write.ctx.tls12,
     379             :                                          preamble, preamble_size);
     380     1287150 :                 if (ret < 0)
     381           0 :                         return gnutls_assert_val(ret);
     382             : 
     383     1287150 :                 if (etm && explicit_iv) {
     384             :                         /* In EtM we need to hash the IV as well */
     385      312855 :                         ret =
     386      312855 :                             _gnutls_auth_cipher_add_auth(&params->write.ctx.tls12,
     387             :                                                  full_cipher_ptr, blocksize);
     388      312855 :                         if (ret < 0)
     389           0 :                                 return gnutls_assert_val(ret);
     390             :                 }
     391             : 
     392             :                 /* Actual encryption.
     393             :                  */
     394     1287150 :                 ret =
     395     2574300 :                     _gnutls_auth_cipher_encrypt2_tag(&params->write.ctx.tls12,
     396     1287150 :                                                      plain->data,
     397     1287150 :                                                      plain->size, cipher_data,
     398             :                                                      cipher_size, pad);
     399     1287150 :                 if (ret < 0)
     400           0 :                         return gnutls_assert_val(ret);
     401             :         } else { /* AEAD */
     402     1529270 :                 ret = _gnutls_aead_cipher_encrypt(&params->write.ctx.tls12.cipher,
     403      764634 :                                                   nonce, imp_iv_size + exp_iv_size,
     404             :                                                   preamble, preamble_size,
     405             :                                                   tag_size,
     406      764634 :                                                   plain->data, plain->size,
     407             :                                                   cipher_data, cipher_size);
     408      764634 :                 if (ret < 0)
     409           0 :                         return gnutls_assert_val(ret);
     410             :         }
     411             : 
     412             :         return length;
     413             : }
     414             : 
     415             : static int
     416      462930 : encrypt_packet_tls13(gnutls_session_t session,
     417             :                      uint8_t *cipher_data, size_t cipher_size,
     418             :                      gnutls_datum_t *plain,
     419             :                      size_t pad_size,
     420             :                      uint8_t type,
     421             :                      record_parameters_st *params)
     422             : {
     423      462930 :         int ret;
     424      462930 :         unsigned int tag_size = params->write.aead_tag_size;
     425      462930 :         const version_entry_st *ver = get_version(session);
     426      462930 :         uint8_t nonce[MAX_CIPHER_IV_SIZE];
     427      462930 :         unsigned iv_size = 0;
     428      462930 :         ssize_t max, total;
     429      462930 :         uint8_t aad[5];
     430      462930 :         giovec_t auth_iov[1];
     431      462930 :         giovec_t iov[2];
     432             : 
     433      462930 :         if (unlikely(ver == NULL))
     434           0 :                 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     435             : 
     436      462930 :         _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
     437             :                          session, _gnutls_cipher_get_name(params->cipher),
     438             :                          _gnutls_mac_get_name(params->mac),
     439             :                          (unsigned int) params->epoch);
     440             : 
     441      462930 :         iv_size = params->write.iv_size;
     442             : 
     443      462930 :         if (params->cipher->id == GNUTLS_CIPHER_NULL) {
     444       11852 :                 if (cipher_size < plain->size+1)
     445           0 :                         return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     446       11852 :                 memcpy(cipher_data, plain->data, plain->size);
     447       11852 :                 return plain->size;
     448             :         }
     449             : 
     450      451078 :         if (unlikely(iv_size < 8))
     451           0 :                 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     452             : 
     453      451078 :         memset(nonce, 0, iv_size - 8);
     454      451078 :         _gnutls_write_uint64(params->write.sequence_number, &nonce[iv_size-8]);
     455      451078 :         memxor(nonce, params->write.iv, iv_size);
     456             : 
     457      451078 :         max = MAX_RECORD_SEND_SIZE(session);
     458             : 
     459             :         /* make TLS 1.3 form of data */
     460      451078 :         total = plain->size + 1 + pad_size;
     461             : 
     462             :         /* check whether padding would exceed max */
     463      451078 :         if (total > max) {
     464           0 :                 if (unlikely(max < (ssize_t)plain->size+1))
     465           0 :                         return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     466             : 
     467           0 :                 pad_size = max - plain->size - 1;
     468           0 :                 total = max;
     469             :         }
     470             : 
     471             :         /* create authenticated data header */
     472      451078 :         aad[0] = GNUTLS_APPLICATION_DATA;
     473      451078 :         aad[1] = 0x03;
     474      451078 :         aad[2] = 0x03;
     475      451078 :         _gnutls_write_uint16(total+tag_size, &aad[3]);
     476             : 
     477      451078 :         auth_iov[0].iov_base = aad;
     478      451078 :         auth_iov[0].iov_len = sizeof(aad);
     479             : 
     480      451078 :         iov[0].iov_base = plain->data;
     481      451078 :         iov[0].iov_len = plain->size;
     482             : 
     483      451114 :         if (pad_size || (session->internals.flags & GNUTLS_SAFE_PADDING_CHECK)) {
     484          36 :                 uint8_t *pad = gnutls_calloc(1, 1+pad_size);
     485          36 :                 if (pad == NULL)
     486           0 :                         return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
     487             : 
     488          36 :                 pad[0] = type;
     489             : 
     490          36 :                 iov[1].iov_base = pad;
     491          36 :                 iov[1].iov_len = 1+pad_size;
     492             : 
     493          36 :                 ret = gnutls_aead_cipher_encryptv(&params->write.ctx.aead,
     494             :                                                   nonce, iv_size,
     495             :                                                   auth_iov, 1,
     496             :                                                   tag_size,
     497             :                                                   iov, 2,
     498             :                                                   cipher_data, &cipher_size);
     499          36 :                 gnutls_free(pad);
     500             :         } else {
     501      451042 :                 iov[1].iov_base = &type;
     502      451042 :                 iov[1].iov_len = 1;
     503             : 
     504      451042 :                 ret = gnutls_aead_cipher_encryptv(&params->write.ctx.aead,
     505             :                                                   nonce, iv_size,
     506             :                                                   auth_iov, 1,
     507             :                                                   tag_size,
     508             :                                                   iov, 2,
     509             :                                                   cipher_data, &cipher_size);
     510             :         }
     511             : 
     512      451078 :         if (ret < 0)
     513           0 :                 return gnutls_assert_val(ret);
     514             : 
     515      451078 :         return cipher_size;
     516             : }
     517             : 
     518             : 
     519             : /* Deciphers the ciphertext packet, and puts the result to plain.
     520             :  * Returns the actual plaintext packet size.
     521             :  */
     522             : static int
     523     2672340 : decrypt_packet(gnutls_session_t session,
     524             :                 gnutls_datum_t * ciphertext,
     525             :                 gnutls_datum_t * plain,
     526             :                 content_type_t type, record_parameters_st * params,
     527             :                 uint64_t sequence)
     528             : {
     529     2672340 :         uint8_t tag[MAX_HASH_SIZE];
     530     2672340 :         uint8_t nonce[MAX_CIPHER_IV_SIZE];
     531     2672340 :         const uint8_t *tag_ptr = NULL;
     532     2672340 :         unsigned int pad = 0;
     533     2672340 :         int length, length_to_decrypt;
     534     2672340 :         uint16_t blocksize;
     535     2672340 :         int ret;
     536     2672340 :         uint8_t preamble[MAX_PREAMBLE_SIZE];
     537     2672340 :         unsigned int preamble_size = 0;
     538     2672340 :         const version_entry_st *ver = get_version(session);
     539     2672340 :         unsigned int tag_size =
     540     2672340 :             _gnutls_auth_cipher_tag_len(&params->read.ctx.tls12);
     541     2672340 :         unsigned int explicit_iv = _gnutls_version_has_explicit_iv(ver);
     542     2672340 :         unsigned imp_iv_size, exp_iv_size;
     543     2672340 :         unsigned cipher_type = _gnutls_cipher_type(params->cipher);
     544     2672340 :         bool etm = 0;
     545             : 
     546     2672340 :         if (unlikely(ver == NULL))
     547           0 :                 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     548             : 
     549     2672340 :         imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher);
     550     2672340 :         exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher);
     551     2672340 :         blocksize = _gnutls_cipher_get_block_size(params->cipher);
     552             : 
     553     2672340 :         if (params->etm !=0 && cipher_type == CIPHER_BLOCK)
     554      657654 :                 etm = 1;
     555             : 
     556             :         /* if EtM mode and not AEAD */
     557      657654 :         if (etm) {
     558      657654 :                 if (unlikely(ciphertext->size < tag_size))
     559         342 :                         return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
     560             : 
     561      657312 :                 preamble_size = _gnutls_make_preamble(sequence,
     562             :                                                       type, ciphertext->size-tag_size,
     563             :                                                       ver, preamble);
     564             : 
     565      657312 :                 ret = _gnutls_auth_cipher_add_auth(&params->read.
     566             :                                                    ctx.tls12, preamble,
     567             :                                                    preamble_size);
     568      657312 :                 if (unlikely(ret < 0))
     569           0 :                         return gnutls_assert_val(ret);
     570             : 
     571     1314620 :                 ret = _gnutls_auth_cipher_add_auth(&params->read.
     572             :                                                    ctx.tls12,
     573      657312 :                                                    ciphertext->data,
     574      657312 :                                                    ciphertext->size-tag_size);
     575      657312 :                 if (unlikely(ret < 0))
     576           0 :                         return gnutls_assert_val(ret);
     577             : 
     578      657312 :                 ret = _gnutls_auth_cipher_tag(&params->read.ctx.tls12, tag, tag_size);
     579      657312 :                 if (unlikely(ret < 0))
     580           0 :                         return gnutls_assert_val(ret);
     581             : 
     582      657312 :                 if (unlikely(gnutls_memcmp(tag, &ciphertext->data[ciphertext->size-tag_size], tag_size) != 0)) {
     583             :                         /* HMAC was not the same. */
     584         533 :                         return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     585             :                 }
     586             :         }
     587             : 
     588             :         /* actual decryption (inplace)
     589             :          */
     590     2671460 :         switch (cipher_type) {
     591      764839 :         case CIPHER_AEAD:
     592             :                 /* The way AEAD ciphers are defined in RFC5246, it allows
     593             :                  * only stream ciphers.
     594             :                  */
     595     1529680 :                 if (unlikely(_gnutls_auth_cipher_is_aead(&params->read.
     596             :                                                    ctx.tls12) == 0))
     597           0 :                         return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     598             : 
     599             : 
     600      764839 :                 if (unlikely(ciphertext->size < (tag_size + exp_iv_size)))
     601         285 :                         return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     602             : 
     603      764579 :                 if ((params->cipher->flags & GNUTLS_CIPHER_FLAG_XOR_NONCE) == 0) {
     604             :                         /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
     605             :                          */
     606      681350 :                          if (unlikely(params->read.iv_size != 4))
     607           0 :                                 return
     608           0 :                                     gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     609             : 
     610      681350 :                         memcpy(nonce, params->read.iv,
     611             :                                imp_iv_size);
     612             : 
     613      681350 :                         memcpy(&nonce[imp_iv_size],
     614      681350 :                                ciphertext->data, exp_iv_size);
     615             : 
     616      681350 :                         ciphertext->data += exp_iv_size;
     617      681350 :                         ciphertext->size -= exp_iv_size;
     618             :                 } else { /* XOR nonce with IV */
     619       83229 :                         if (unlikely(params->read.iv_size != 12 || imp_iv_size != 12 || exp_iv_size != 0))
     620           0 :                                 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     621             : 
     622       83229 :                         memset(nonce, 0, 4);
     623       83229 :                         _gnutls_write_uint64(sequence, &nonce[4]);
     624             : 
     625       83229 :                         memxor(nonce, params->read.iv, 12);
     626             :                 }
     627             : 
     628      764579 :                 length =
     629      764579 :                     ciphertext->size - tag_size;
     630             : 
     631      764579 :                 length_to_decrypt = ciphertext->size;
     632             : 
     633             :                 /* Pass the type, version, length and plain through
     634             :                  * MAC.
     635             :                  */
     636     1529160 :                 preamble_size =
     637      764579 :                     _gnutls_make_preamble(sequence, type,
     638             :                                           length, ver, preamble);
     639             : 
     640             : 
     641      764579 :                 if (unlikely
     642             :                     ((unsigned) length_to_decrypt > plain->size)) {
     643           0 :                         _gnutls_audit_log(session,
     644             :                                           "Received %u bytes, while expecting less than %u\n",
     645             :                                           (unsigned int) length_to_decrypt,
     646             :                                           (unsigned int) plain->size);
     647           0 :                         return
     648           0 :                             gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     649             :                 }
     650             : 
     651     1529160 :                 ret = _gnutls_aead_cipher_decrypt(&params->read.ctx.tls12.cipher,
     652      764579 :                                                   nonce, exp_iv_size + imp_iv_size,
     653             :                                                   preamble, preamble_size,
     654             :                                                   tag_size,
     655      764579 :                                                   ciphertext->data, length_to_decrypt,
     656      764579 :                                                   plain->data, plain->size);
     657      764579 :                 if (unlikely(ret < 0))
     658        1570 :                         return gnutls_assert_val(ret);
     659             : 
     660             :                 return length;
     661             : 
     662     1241270 :                 break;
     663     1241270 :         case CIPHER_STREAM:
     664     1241270 :                 if (unlikely(ciphertext->size < tag_size))
     665           0 :                         return
     666           0 :                             gnutls_assert_val
     667             :                             (GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
     668             : 
     669     1241270 :                 length_to_decrypt = ciphertext->size;
     670     1241270 :                 length = ciphertext->size - tag_size;
     671     1241270 :                 tag_ptr = plain->data + length;
     672             : 
     673             :                 /* Pass the type, version, length and plain through
     674             :                  * MAC.
     675             :                  */
     676     2482540 :                 preamble_size =
     677     1241270 :                     _gnutls_make_preamble(sequence, type,
     678             :                                           length, ver, preamble);
     679             : 
     680     1241270 :                 ret =
     681     1241270 :                     _gnutls_auth_cipher_add_auth(&params->read.
     682             :                                                  ctx.tls12, preamble,
     683             :                                                  preamble_size);
     684     1241270 :                 if (unlikely(ret < 0))
     685           0 :                         return gnutls_assert_val(ret);
     686             : 
     687     1241270 :                 if (unlikely
     688             :                     ((unsigned) length_to_decrypt > plain->size)) {
     689           0 :                         _gnutls_audit_log(session,
     690             :                                           "Received %u bytes, while expecting less than %u\n",
     691             :                                           (unsigned int) length_to_decrypt,
     692             :                                           (unsigned int) plain->size);
     693           0 :                         return
     694           0 :                             gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     695             :                 }
     696             : 
     697     1241270 :                 ret =
     698     2482540 :                     _gnutls_auth_cipher_decrypt2(&params->read.
     699             :                                                  ctx.tls12,
     700     1241270 :                                                  ciphertext->data,
     701             :                                                  length_to_decrypt,
     702     1241270 :                                                  plain->data,
     703             :                                                  plain->size);
     704             : 
     705     1241270 :                 if (unlikely(ret < 0))
     706           0 :                         return gnutls_assert_val(ret);
     707             : 
     708     1241270 :                 ret =
     709     1241270 :                     _gnutls_auth_cipher_tag(&params->read.ctx.tls12, tag,
     710             :                                             tag_size);
     711     1241270 :                 if (unlikely(ret < 0))
     712           0 :                         return gnutls_assert_val(ret);
     713             : 
     714     1241270 :                 if (unlikely
     715             :                     (gnutls_memcmp(tag, tag_ptr, tag_size) != 0)) {
     716          48 :                         return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     717             :                 }
     718             : 
     719             :                 break;
     720      665353 :         case CIPHER_BLOCK:
     721      665353 :                 if (unlikely(ciphertext->size < blocksize))
     722           5 :                         return
     723           5 :                             gnutls_assert_val
     724             :                             (GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
     725             : 
     726      665348 :                 if (etm == 0) {
     727        8569 :                         if (unlikely(ciphertext->size % blocksize != 0))
     728           4 :                                 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
     729             :                 } else {
     730      656779 :                         if (unlikely((ciphertext->size - tag_size) % blocksize != 0))
     731           0 :                                 return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
     732             :                 }
     733             : 
     734             :                 /* ignore the IV in TLS 1.1+
     735             :                  */
     736      665344 :                 if (explicit_iv) {
     737      640366 :                         ret = _gnutls_auth_cipher_setiv(&params->read.
     738             :                                                   ctx.tls12,
     739      320183 :                                                   ciphertext->data,
     740             :                                                   blocksize);
     741      320183 :                         if (ret < 0)
     742           0 :                                 return gnutls_assert_val(ret);
     743             : 
     744      320183 :                         memcpy(nonce, ciphertext->data, blocksize);
     745      320183 :                         ciphertext->size -= blocksize;
     746      320183 :                         ciphertext->data += blocksize;
     747             :                 }
     748             : 
     749      665344 :                 if (unlikely(ciphertext->size < tag_size + 1))
     750           4 :                         return
     751           4 :                             gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     752             : 
     753             :                 /* we don't use the auth_cipher interface here, since
     754             :                  * TLS with block ciphers is impossible to be used under such
     755             :                  * an API. (the length of plaintext is required to calculate
     756             :                  * auth_data, but it is not available before decryption).
     757             :                  */
     758      665340 :                 if (unlikely(ciphertext->size > plain->size))
     759           0 :                         return
     760           0 :                             gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     761             : 
     762      665340 :                 if (etm == 0) {
     763        8561 :                         ret =
     764       17122 :                             _gnutls_cipher_decrypt2(&params->read.ctx.tls12.
     765        8561 :                                                     cipher, ciphertext->data,
     766             :                                                     ciphertext->size,
     767        8561 :                                                     plain->data,
     768             :                                                     plain->size);
     769        8561 :                         if (unlikely(ret < 0))
     770           0 :                                 return gnutls_assert_val(ret);
     771             : 
     772       17122 :                         ret = cbc_mac_verify(session, params, preamble, type,
     773        8561 :                                              sequence, plain->data, ciphertext->size,
     774             :                                              tag_size);
     775        8561 :                         if (unlikely(ret < 0))
     776         139 :                                 return gnutls_assert_val(ret);
     777             : 
     778             :                         length = ret;
     779             :                 } else { /* EtM */
     780      656779 :                         ret =
     781     1313560 :                             _gnutls_cipher_decrypt2(&params->read.ctx.tls12.
     782      656779 :                                                     cipher, ciphertext->data,
     783      656779 :                                                     ciphertext->size - tag_size,
     784      656779 :                                                     plain->data,
     785             :                                                     plain->size);
     786      656779 :                         if (unlikely(ret < 0))
     787           0 :                                 return gnutls_assert_val(ret);
     788             : 
     789      656779 :                         pad = plain->data[ciphertext->size - tag_size - 1]; /* pad */
     790      656779 :                         length = ciphertext->size - tag_size - pad - 1;
     791             : 
     792      656779 :                         if (unlikely(length < 0))
     793           0 :                                 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     794             :                 }
     795             :                 break;
     796             :         default:
     797           0 :                 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     798             :         }
     799             : 
     800             : 
     801             :         return length;
     802             : }
     803             : 
     804             : static int
     805      513200 : decrypt_packet_tls13(gnutls_session_t session,
     806             :                      gnutls_datum_t *ciphertext,
     807             :                      gnutls_datum_t *plain,
     808             :                      content_type_t *type, record_parameters_st *params,
     809             :                      uint64_t sequence)
     810             : {
     811      513200 :         uint8_t nonce[MAX_CIPHER_IV_SIZE];
     812      513200 :         size_t length, length_to_decrypt;
     813      513200 :         int ret;
     814      513200 :         const version_entry_st *ver = get_version(session);
     815      513200 :         unsigned int tag_size = params->read.aead_tag_size;
     816      513200 :         unsigned iv_size;
     817      513200 :         unsigned j;
     818      513200 :         volatile unsigned length_set;
     819      513200 :         uint8_t aad[5];
     820             : 
     821      513200 :         if (unlikely(ver == NULL))
     822           0 :                 return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     823             : 
     824      513200 :         if (params->cipher->id == GNUTLS_CIPHER_NULL) {
     825       83038 :                 if (plain->size < ciphertext->size)
     826           0 :                         return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
     827             : 
     828       83038 :                 length = ciphertext->size;
     829       83038 :                 memcpy(plain->data, ciphertext->data, length);
     830             : 
     831       83038 :                 return length;
     832             :         }
     833             : 
     834      430162 :         iv_size = _gnutls_cipher_get_iv_size(params->cipher);
     835             : 
     836             :         /* The way AEAD ciphers are defined in RFC5246, it allows
     837             :          * only stream ciphers.
     838             :          */
     839      430162 :         if (unlikely(ciphertext->size < tag_size))
     840           1 :                 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     841             : 
     842      430161 :         if (unlikely(params->read.iv_size != iv_size || iv_size < 8))
     843           0 :                 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     844             : 
     845      430161 :         memset(nonce, 0, iv_size - 8);
     846      430161 :         _gnutls_write_uint64(sequence, &nonce[iv_size-8]);
     847      430161 :         memxor(nonce, params->read.iv, params->read.iv_size);
     848             : 
     849      430161 :         length =
     850      430161 :             ciphertext->size - tag_size;
     851             : 
     852      430161 :         length_to_decrypt = ciphertext->size;
     853             : 
     854      430161 :         if (unlikely
     855             :             ((unsigned) length_to_decrypt > plain->size)) {
     856           0 :                         _gnutls_audit_log(session,
     857             :                                   "Received %u bytes, while expecting less than %u\n",
     858             :                                   (unsigned int) length_to_decrypt,
     859             :                                   (unsigned int) plain->size);
     860           0 :                 return
     861           0 :                     gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     862             :         }
     863             : 
     864      430161 :         aad[0] = GNUTLS_APPLICATION_DATA;
     865      430161 :         aad[1] = 0x03;
     866      430161 :         aad[2] = 0x03;
     867      430161 :         _gnutls_write_uint16(ciphertext->size, &aad[3]);
     868             : 
     869      860322 :         ret = gnutls_aead_cipher_decrypt(&params->read.ctx.aead,
     870             :                                          nonce, iv_size,
     871             :                                          aad, sizeof(aad),
     872             :                                          tag_size,
     873      430161 :                                          ciphertext->data, length_to_decrypt,
     874      430161 :                                          plain->data, &length);
     875      430161 :         if (unlikely(ret < 0))
     876          42 :                 return gnutls_assert_val(ret);
     877             : 
     878             :         /* 1 octet for content type */
     879      430133 :         if (length > max_decrypted_size(session) + 1) {
     880           6 :                 _gnutls_audit_log
     881             :                     (session, "Received packet with illegal length: %u\n",
     882             :                      (unsigned int) length);
     883             : 
     884          12 :                 return gnutls_assert_val(GNUTLS_E_RECORD_OVERFLOW);
     885             :         }
     886             : 
     887      430127 :         length_set = 0;
     888             : 
     889             :         /* now figure the actual data size. We intentionally iterate through all data,
     890             :          * to avoid leaking the padding length due to timing differences in processing.
     891             :          */
     892      561684 :         for (j=length;j>0;j--) {
     893      561679 :                 if (plain->data[j-1]!=0 && length_set == 0) {
     894      430127 :                         *type = plain->data[j-1];
     895      430127 :                         length = j-1;
     896      430127 :                         length_set = 1;
     897      430127 :                         if (!(session->internals.flags & GNUTLS_SAFE_PADDING_CHECK))
     898             :                                 break;
     899             :                 }
     900             :         }
     901             : 
     902      430127 :         if (!length_set)
     903           0 :                 return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
     904             : 
     905      430127 :         return length;
     906             : }

Generated by: LCOV version 1.14