Line data Source code
1 : /*
2 : * Copyright (C) 2000-2013 Free Software Foundation, Inc.
3 : * Copyright (C) 2013 Nikos Mavrogiannopoulos
4 : * Copyright (C) 2017-2018 Red Hat, Inc.
5 : *
6 : * Author: Nikos Mavrogiannopoulos
7 : *
8 : * This file is part of GnuTLS.
9 : *
10 : * The GnuTLS is free software; you can redistribute it and/or
11 : * modify it under the terms of the GNU Lesser General Public License
12 : * as published by the Free Software Foundation; either version 2.1 of
13 : * the License, or (at your option) any later version.
14 : *
15 : * This library is distributed in the hope that it will be useful, but
16 : * WITHOUT ANY WARRANTY; without even the implied warranty of
17 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 : * Lesser General Public License for more details.
19 : *
20 : * You should have received a copy of the GNU Lesser General Public License
21 : * along with this program. If not, see <https://www.gnu.org/licenses/>
22 : *
23 : */
24 :
25 : /* Some high level functions to be used in the record encryption are
26 : * included here.
27 : */
28 :
29 : #include "gnutls_int.h"
30 : #include "errors.h"
31 : #include "cipher.h"
32 : #include "algorithms.h"
33 : #include "hash_int.h"
34 : #include "cipher_int.h"
35 : #include "debug.h"
36 : #include "num.h"
37 : #include "datum.h"
38 : #include "kx.h"
39 : #include "record.h"
40 : #include "constate.h"
41 : #include "mbuffers.h"
42 : #include <state.h>
43 : #include <random.h>
44 :
45 : static int encrypt_packet(gnutls_session_t session,
46 : uint8_t * cipher_data, int cipher_size,
47 : gnutls_datum_t * plain,
48 : size_t min_pad,
49 : content_type_t _type,
50 : record_parameters_st * params);
51 :
52 : static int decrypt_packet(gnutls_session_t session,
53 : gnutls_datum_t * ciphertext,
54 : gnutls_datum_t * plain,
55 : content_type_t type,
56 : record_parameters_st * params,
57 : uint64_t sequence);
58 :
59 : static int
60 : decrypt_packet_tls13(gnutls_session_t session,
61 : gnutls_datum_t * ciphertext,
62 : gnutls_datum_t * plain,
63 : content_type_t *type, record_parameters_st * params,
64 : uint64_t sequence);
65 :
66 : static int
67 : encrypt_packet_tls13(gnutls_session_t session,
68 : uint8_t *cipher_data, size_t cipher_size,
69 : gnutls_datum_t *plain,
70 : size_t pad_size,
71 : uint8_t type,
72 : record_parameters_st *params);
73 :
74 : /* returns ciphertext which contains the headers too. This also
75 : * calculates the size in the header field.
76 : *
77 : */
78 : int
79 2514720 : _gnutls_encrypt(gnutls_session_t session,
80 : const uint8_t *data, size_t data_size,
81 : size_t min_pad,
82 : mbuffer_st *bufel,
83 : content_type_t type, record_parameters_st *params)
84 : {
85 2514720 : gnutls_datum_t plaintext;
86 2514720 : const version_entry_st *vers = get_version(session);
87 2514720 : int ret;
88 :
89 2514720 : plaintext.data = (uint8_t *) data;
90 2514720 : plaintext.size = data_size;
91 :
92 2514720 : if (vers && vers->tls13_sem) {
93 : /* it fills the header, as it is included in the authenticated
94 : * data of the AEAD cipher. */
95 462930 : ret =
96 462930 : encrypt_packet_tls13(session,
97 462930 : _mbuffer_get_udata_ptr(bufel),
98 : _mbuffer_get_udata_size(bufel),
99 : &plaintext, min_pad, type,
100 : params);
101 462930 : if (ret < 0)
102 0 : return gnutls_assert_val(ret);
103 : } else {
104 2051790 : ret =
105 4103570 : encrypt_packet(session,
106 2051790 : _mbuffer_get_udata_ptr(bufel),
107 2051790 : _mbuffer_get_udata_size
108 : (bufel), &plaintext, min_pad, type,
109 : params);
110 2051790 : if (ret < 0)
111 2 : return gnutls_assert_val(ret);
112 :
113 : }
114 :
115 2514710 : if (IS_DTLS(session))
116 9960 : _gnutls_write_uint16(ret,
117 : ((uint8_t *)
118 9960 : _mbuffer_get_uhead_ptr(bufel)) + 11);
119 : else
120 2504750 : _gnutls_write_uint16(ret,
121 : ((uint8_t *)
122 2504750 : _mbuffer_get_uhead_ptr(bufel)) + 3);
123 :
124 2514710 : _mbuffer_set_udata_size(bufel, ret);
125 2514710 : _mbuffer_set_uhead_size(bufel, 0);
126 :
127 2514710 : return _mbuffer_get_udata_size(bufel);
128 : }
129 :
130 : /* Decrypts the given data.
131 : * Returns the decrypted data length.
132 : *
133 : * The output is preallocated with the maximum allowed data size.
134 : */
135 : int
136 3185540 : _gnutls_decrypt(gnutls_session_t session,
137 : gnutls_datum_t *ciphertext,
138 : gnutls_datum_t *output,
139 : content_type_t *type,
140 : record_parameters_st *params,
141 : uint64_t sequence)
142 : {
143 3185540 : int ret;
144 3185540 : const version_entry_st *vers = get_version(session);
145 :
146 3185540 : if (ciphertext->size == 0)
147 : return 0;
148 :
149 3185540 : if (vers && vers->tls13_sem)
150 513200 : ret =
151 513200 : decrypt_packet_tls13(session, ciphertext,
152 : output, type, params,
153 : sequence);
154 : else
155 2672340 : ret =
156 2672340 : decrypt_packet(session, ciphertext,
157 : output, *type, params,
158 : sequence);
159 3185540 : if (ret < 0)
160 2985 : return gnutls_assert_val(ret);
161 :
162 : return ret;
163 : }
164 :
165 :
166 : inline static int
167 668570 : calc_enc_length_block(gnutls_session_t session,
168 : const version_entry_st * ver,
169 : int data_size,
170 : int hash_size, uint8_t * pad,
171 : unsigned auth_cipher,
172 : uint16_t blocksize,
173 : unsigned etm)
174 : {
175 : /* pad is the LH pad the user wants us to add. Besides
176 : * this LH pad, we only add minimal padding
177 : */
178 668570 : unsigned int pre_length = data_size + *pad;
179 668570 : unsigned int length, new_pad;
180 :
181 668570 : if (etm == 0)
182 11289 : pre_length += hash_size;
183 :
184 668570 : new_pad = (uint8_t) (blocksize - (pre_length % blocksize)) + *pad;
185 :
186 668570 : if (new_pad > 255)
187 28 : new_pad -= blocksize;
188 668570 : *pad = new_pad;
189 :
190 668570 : length = data_size + hash_size + *pad;
191 :
192 668570 : if (_gnutls_version_has_explicit_iv(ver))
193 323002 : length += blocksize; /* for the IV */
194 :
195 668570 : return length;
196 : }
197 :
198 : inline static int
199 1383220 : calc_enc_length_stream(gnutls_session_t session, int data_size,
200 : int hash_size, unsigned auth_cipher,
201 : unsigned exp_iv_size)
202 : {
203 1383220 : unsigned int length;
204 :
205 1383220 : length = data_size + hash_size;
206 1383220 : if (auth_cipher)
207 764636 : length += exp_iv_size;
208 :
209 1383220 : return length;
210 : }
211 :
212 : /* generates the authentication data (data to be hashed only
213 : * and are not to be sent). Returns their size.
214 : */
215 : int
216 4723510 : _gnutls_make_preamble(uint64_t uint64_data, uint8_t type, unsigned int length,
217 : const version_entry_st * ver, uint8_t preamble[MAX_PREAMBLE_SIZE])
218 : {
219 4723510 : uint8_t *p = preamble;
220 4723510 : uint16_t c_length;
221 :
222 4723510 : c_length = _gnutls_conv_uint16(length);
223 :
224 4723510 : _gnutls_write_uint64(uint64_data, p);
225 4723510 : p += 8;
226 4723510 : *p = type;
227 4723510 : p++;
228 : #ifdef ENABLE_SSL3
229 : if (ver->id != GNUTLS_SSL3)
230 : #endif
231 : { /* TLS protocols */
232 4723510 : *p = ver->major;
233 4723510 : p++;
234 4723510 : *p = ver->minor;
235 4723510 : p++;
236 : }
237 4723510 : memcpy(p, &c_length, 2);
238 4723510 : p += 2;
239 4723510 : return p - preamble;
240 : }
241 :
242 : /* This is the actual encryption
243 : * Encrypts the given plaintext datum, and puts the result to cipher_data,
244 : * which has cipher_size size.
245 : * return the actual encrypted data length.
246 : */
247 : static int
248 2051790 : encrypt_packet(gnutls_session_t session,
249 : uint8_t * cipher_data, int cipher_size,
250 : gnutls_datum_t * plain,
251 : size_t min_pad,
252 : content_type_t type,
253 : record_parameters_st * params)
254 : {
255 2051790 : uint8_t pad;
256 2051790 : int length, ret;
257 2051790 : uint8_t preamble[MAX_PREAMBLE_SIZE];
258 2051790 : int preamble_size;
259 2051790 : int tag_size =
260 2051790 : _gnutls_auth_cipher_tag_len(¶ms->write.ctx.tls12);
261 2051790 : int blocksize = _gnutls_cipher_get_block_size(params->cipher);
262 2051790 : unsigned algo_type = _gnutls_cipher_type(params->cipher);
263 2051790 : uint8_t *data_ptr, *full_cipher_ptr;
264 2051790 : const version_entry_st *ver = get_version(session);
265 2051790 : int explicit_iv = _gnutls_version_has_explicit_iv(ver);
266 2051790 : int auth_cipher =
267 2051790 : _gnutls_auth_cipher_is_aead(¶ms->write.ctx.tls12);
268 2051790 : uint8_t nonce[MAX_CIPHER_IV_SIZE];
269 2051790 : unsigned imp_iv_size = 0, exp_iv_size = 0;
270 2051790 : bool etm = 0;
271 :
272 2051790 : if (unlikely(ver == NULL))
273 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
274 :
275 2051790 : if (algo_type == CIPHER_BLOCK && params->etm != 0)
276 657281 : etm = 1;
277 :
278 2051790 : _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
279 : session, _gnutls_cipher_get_name(params->cipher),
280 : _gnutls_mac_get_name(params->mac),
281 : (unsigned int) params->epoch);
282 :
283 : /* Calculate the encrypted length (padding etc.)
284 : */
285 2051790 : if (algo_type == CIPHER_BLOCK) {
286 : /* Call gnutls_rnd() once. Get data used for the IV
287 : */
288 668570 : ret = gnutls_rnd(GNUTLS_RND_NONCE, nonce, blocksize);
289 668570 : if (ret < 0)
290 0 : return gnutls_assert_val(ret);
291 :
292 668570 : pad = min_pad;
293 :
294 668570 : length =
295 1337140 : calc_enc_length_block(session, ver, plain->size,
296 : tag_size, &pad, auth_cipher,
297 : blocksize, etm);
298 : } else { /* AEAD + STREAM */
299 1383220 : imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher);
300 1383220 : exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher);
301 :
302 1383220 : pad = 0;
303 1383220 : length =
304 2147850 : calc_enc_length_stream(session, plain->size,
305 : tag_size, auth_cipher,
306 : exp_iv_size);
307 : }
308 :
309 2051790 : if (length < 0)
310 0 : return gnutls_assert_val(length);
311 :
312 : /* copy the encrypted data to cipher_data.
313 : */
314 2051790 : if (cipher_size < length)
315 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
316 :
317 2051790 : data_ptr = cipher_data;
318 2051790 : full_cipher_ptr = data_ptr;
319 :
320 2051790 : if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) {
321 1287150 : if (algo_type == CIPHER_BLOCK && explicit_iv != 0) {
322 : /* copy the random IV.
323 : */
324 323002 : memcpy(data_ptr, nonce, blocksize);
325 323002 : ret = _gnutls_auth_cipher_setiv(¶ms->write.
326 : ctx.tls12, data_ptr,
327 : blocksize);
328 323002 : if (ret < 0)
329 0 : return gnutls_assert_val(ret);
330 :
331 : /*data_ptr += blocksize;*/
332 323002 : cipher_data += blocksize;
333 : }
334 : } else { /* AEAD */
335 764636 : if ((params->cipher->flags & GNUTLS_CIPHER_FLAG_XOR_NONCE) == 0) {
336 : /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
337 : */
338 681343 : if (params->write.iv_size != imp_iv_size)
339 2 : return
340 2 : gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
341 :
342 : /* Instead of generating a new nonce on every packet, we use the
343 : * write.sequence_number (It is a MAY on RFC 5288), and safer
344 : * as it will never reuse a value.
345 : */
346 681341 : memcpy(nonce, params->write.iv,
347 : params->write.iv_size);
348 681341 : _gnutls_write_uint64(params->write.sequence_number, &nonce[imp_iv_size]);
349 :
350 681341 : memcpy(data_ptr, &nonce[imp_iv_size],
351 : exp_iv_size);
352 :
353 : /*data_ptr += exp_iv_size;*/
354 681341 : cipher_data += exp_iv_size;
355 : } else { /* XOR nonce with IV */
356 83293 : if (unlikely(params->write.iv_size != 12 || imp_iv_size != 12 || exp_iv_size != 0))
357 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
358 :
359 83293 : memset(nonce, 0, 4);
360 83293 : _gnutls_write_uint64(params->write.sequence_number, &nonce[4]);
361 :
362 83293 : memxor(nonce, params->write.iv, 12);
363 : }
364 : }
365 :
366 2051780 : if (etm)
367 657281 : ret = length-tag_size;
368 : else
369 1394500 : ret = plain->size;
370 :
371 2051780 : preamble_size =
372 2051780 : _gnutls_make_preamble(params->write.sequence_number,
373 : type, ret, ver, preamble);
374 :
375 2051780 : if (algo_type == CIPHER_BLOCK || algo_type == CIPHER_STREAM) {
376 : /* add the authenticated data */
377 1287150 : ret =
378 1287150 : _gnutls_auth_cipher_add_auth(¶ms->write.ctx.tls12,
379 : preamble, preamble_size);
380 1287150 : if (ret < 0)
381 0 : return gnutls_assert_val(ret);
382 :
383 1287150 : if (etm && explicit_iv) {
384 : /* In EtM we need to hash the IV as well */
385 312855 : ret =
386 312855 : _gnutls_auth_cipher_add_auth(¶ms->write.ctx.tls12,
387 : full_cipher_ptr, blocksize);
388 312855 : if (ret < 0)
389 0 : return gnutls_assert_val(ret);
390 : }
391 :
392 : /* Actual encryption.
393 : */
394 1287150 : ret =
395 2574300 : _gnutls_auth_cipher_encrypt2_tag(¶ms->write.ctx.tls12,
396 1287150 : plain->data,
397 1287150 : plain->size, cipher_data,
398 : cipher_size, pad);
399 1287150 : if (ret < 0)
400 0 : return gnutls_assert_val(ret);
401 : } else { /* AEAD */
402 1529270 : ret = _gnutls_aead_cipher_encrypt(¶ms->write.ctx.tls12.cipher,
403 764634 : nonce, imp_iv_size + exp_iv_size,
404 : preamble, preamble_size,
405 : tag_size,
406 764634 : plain->data, plain->size,
407 : cipher_data, cipher_size);
408 764634 : if (ret < 0)
409 0 : return gnutls_assert_val(ret);
410 : }
411 :
412 : return length;
413 : }
414 :
415 : static int
416 462930 : encrypt_packet_tls13(gnutls_session_t session,
417 : uint8_t *cipher_data, size_t cipher_size,
418 : gnutls_datum_t *plain,
419 : size_t pad_size,
420 : uint8_t type,
421 : record_parameters_st *params)
422 : {
423 462930 : int ret;
424 462930 : unsigned int tag_size = params->write.aead_tag_size;
425 462930 : const version_entry_st *ver = get_version(session);
426 462930 : uint8_t nonce[MAX_CIPHER_IV_SIZE];
427 462930 : unsigned iv_size = 0;
428 462930 : ssize_t max, total;
429 462930 : uint8_t aad[5];
430 462930 : giovec_t auth_iov[1];
431 462930 : giovec_t iov[2];
432 :
433 462930 : if (unlikely(ver == NULL))
434 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
435 :
436 462930 : _gnutls_hard_log("ENC[%p]: cipher: %s, MAC: %s, Epoch: %u\n",
437 : session, _gnutls_cipher_get_name(params->cipher),
438 : _gnutls_mac_get_name(params->mac),
439 : (unsigned int) params->epoch);
440 :
441 462930 : iv_size = params->write.iv_size;
442 :
443 462930 : if (params->cipher->id == GNUTLS_CIPHER_NULL) {
444 11852 : if (cipher_size < plain->size+1)
445 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
446 11852 : memcpy(cipher_data, plain->data, plain->size);
447 11852 : return plain->size;
448 : }
449 :
450 451078 : if (unlikely(iv_size < 8))
451 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
452 :
453 451078 : memset(nonce, 0, iv_size - 8);
454 451078 : _gnutls_write_uint64(params->write.sequence_number, &nonce[iv_size-8]);
455 451078 : memxor(nonce, params->write.iv, iv_size);
456 :
457 451078 : max = MAX_RECORD_SEND_SIZE(session);
458 :
459 : /* make TLS 1.3 form of data */
460 451078 : total = plain->size + 1 + pad_size;
461 :
462 : /* check whether padding would exceed max */
463 451078 : if (total > max) {
464 0 : if (unlikely(max < (ssize_t)plain->size+1))
465 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
466 :
467 0 : pad_size = max - plain->size - 1;
468 0 : total = max;
469 : }
470 :
471 : /* create authenticated data header */
472 451078 : aad[0] = GNUTLS_APPLICATION_DATA;
473 451078 : aad[1] = 0x03;
474 451078 : aad[2] = 0x03;
475 451078 : _gnutls_write_uint16(total+tag_size, &aad[3]);
476 :
477 451078 : auth_iov[0].iov_base = aad;
478 451078 : auth_iov[0].iov_len = sizeof(aad);
479 :
480 451078 : iov[0].iov_base = plain->data;
481 451078 : iov[0].iov_len = plain->size;
482 :
483 451114 : if (pad_size || (session->internals.flags & GNUTLS_SAFE_PADDING_CHECK)) {
484 36 : uint8_t *pad = gnutls_calloc(1, 1+pad_size);
485 36 : if (pad == NULL)
486 0 : return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
487 :
488 36 : pad[0] = type;
489 :
490 36 : iov[1].iov_base = pad;
491 36 : iov[1].iov_len = 1+pad_size;
492 :
493 36 : ret = gnutls_aead_cipher_encryptv(¶ms->write.ctx.aead,
494 : nonce, iv_size,
495 : auth_iov, 1,
496 : tag_size,
497 : iov, 2,
498 : cipher_data, &cipher_size);
499 36 : gnutls_free(pad);
500 : } else {
501 451042 : iov[1].iov_base = &type;
502 451042 : iov[1].iov_len = 1;
503 :
504 451042 : ret = gnutls_aead_cipher_encryptv(¶ms->write.ctx.aead,
505 : nonce, iv_size,
506 : auth_iov, 1,
507 : tag_size,
508 : iov, 2,
509 : cipher_data, &cipher_size);
510 : }
511 :
512 451078 : if (ret < 0)
513 0 : return gnutls_assert_val(ret);
514 :
515 451078 : return cipher_size;
516 : }
517 :
518 :
519 : /* Deciphers the ciphertext packet, and puts the result to plain.
520 : * Returns the actual plaintext packet size.
521 : */
522 : static int
523 2672340 : decrypt_packet(gnutls_session_t session,
524 : gnutls_datum_t * ciphertext,
525 : gnutls_datum_t * plain,
526 : content_type_t type, record_parameters_st * params,
527 : uint64_t sequence)
528 : {
529 2672340 : uint8_t tag[MAX_HASH_SIZE];
530 2672340 : uint8_t nonce[MAX_CIPHER_IV_SIZE];
531 2672340 : const uint8_t *tag_ptr = NULL;
532 2672340 : unsigned int pad = 0;
533 2672340 : int length, length_to_decrypt;
534 2672340 : uint16_t blocksize;
535 2672340 : int ret;
536 2672340 : uint8_t preamble[MAX_PREAMBLE_SIZE];
537 2672340 : unsigned int preamble_size = 0;
538 2672340 : const version_entry_st *ver = get_version(session);
539 2672340 : unsigned int tag_size =
540 2672340 : _gnutls_auth_cipher_tag_len(¶ms->read.ctx.tls12);
541 2672340 : unsigned int explicit_iv = _gnutls_version_has_explicit_iv(ver);
542 2672340 : unsigned imp_iv_size, exp_iv_size;
543 2672340 : unsigned cipher_type = _gnutls_cipher_type(params->cipher);
544 2672340 : bool etm = 0;
545 :
546 2672340 : if (unlikely(ver == NULL))
547 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
548 :
549 2672340 : imp_iv_size = _gnutls_cipher_get_implicit_iv_size(params->cipher);
550 2672340 : exp_iv_size = _gnutls_cipher_get_explicit_iv_size(params->cipher);
551 2672340 : blocksize = _gnutls_cipher_get_block_size(params->cipher);
552 :
553 2672340 : if (params->etm !=0 && cipher_type == CIPHER_BLOCK)
554 657654 : etm = 1;
555 :
556 : /* if EtM mode and not AEAD */
557 657654 : if (etm) {
558 657654 : if (unlikely(ciphertext->size < tag_size))
559 342 : return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
560 :
561 657312 : preamble_size = _gnutls_make_preamble(sequence,
562 : type, ciphertext->size-tag_size,
563 : ver, preamble);
564 :
565 657312 : ret = _gnutls_auth_cipher_add_auth(¶ms->read.
566 : ctx.tls12, preamble,
567 : preamble_size);
568 657312 : if (unlikely(ret < 0))
569 0 : return gnutls_assert_val(ret);
570 :
571 1314620 : ret = _gnutls_auth_cipher_add_auth(¶ms->read.
572 : ctx.tls12,
573 657312 : ciphertext->data,
574 657312 : ciphertext->size-tag_size);
575 657312 : if (unlikely(ret < 0))
576 0 : return gnutls_assert_val(ret);
577 :
578 657312 : ret = _gnutls_auth_cipher_tag(¶ms->read.ctx.tls12, tag, tag_size);
579 657312 : if (unlikely(ret < 0))
580 0 : return gnutls_assert_val(ret);
581 :
582 657312 : if (unlikely(gnutls_memcmp(tag, &ciphertext->data[ciphertext->size-tag_size], tag_size) != 0)) {
583 : /* HMAC was not the same. */
584 533 : return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
585 : }
586 : }
587 :
588 : /* actual decryption (inplace)
589 : */
590 2671460 : switch (cipher_type) {
591 764839 : case CIPHER_AEAD:
592 : /* The way AEAD ciphers are defined in RFC5246, it allows
593 : * only stream ciphers.
594 : */
595 1529680 : if (unlikely(_gnutls_auth_cipher_is_aead(¶ms->read.
596 : ctx.tls12) == 0))
597 0 : return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
598 :
599 :
600 764839 : if (unlikely(ciphertext->size < (tag_size + exp_iv_size)))
601 285 : return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
602 :
603 764579 : if ((params->cipher->flags & GNUTLS_CIPHER_FLAG_XOR_NONCE) == 0) {
604 : /* Values in AEAD are pretty fixed in TLS 1.2 for 128-bit block
605 : */
606 681350 : if (unlikely(params->read.iv_size != 4))
607 0 : return
608 0 : gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
609 :
610 681350 : memcpy(nonce, params->read.iv,
611 : imp_iv_size);
612 :
613 681350 : memcpy(&nonce[imp_iv_size],
614 681350 : ciphertext->data, exp_iv_size);
615 :
616 681350 : ciphertext->data += exp_iv_size;
617 681350 : ciphertext->size -= exp_iv_size;
618 : } else { /* XOR nonce with IV */
619 83229 : if (unlikely(params->read.iv_size != 12 || imp_iv_size != 12 || exp_iv_size != 0))
620 0 : return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
621 :
622 83229 : memset(nonce, 0, 4);
623 83229 : _gnutls_write_uint64(sequence, &nonce[4]);
624 :
625 83229 : memxor(nonce, params->read.iv, 12);
626 : }
627 :
628 764579 : length =
629 764579 : ciphertext->size - tag_size;
630 :
631 764579 : length_to_decrypt = ciphertext->size;
632 :
633 : /* Pass the type, version, length and plain through
634 : * MAC.
635 : */
636 1529160 : preamble_size =
637 764579 : _gnutls_make_preamble(sequence, type,
638 : length, ver, preamble);
639 :
640 :
641 764579 : if (unlikely
642 : ((unsigned) length_to_decrypt > plain->size)) {
643 0 : _gnutls_audit_log(session,
644 : "Received %u bytes, while expecting less than %u\n",
645 : (unsigned int) length_to_decrypt,
646 : (unsigned int) plain->size);
647 0 : return
648 0 : gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
649 : }
650 :
651 1529160 : ret = _gnutls_aead_cipher_decrypt(¶ms->read.ctx.tls12.cipher,
652 764579 : nonce, exp_iv_size + imp_iv_size,
653 : preamble, preamble_size,
654 : tag_size,
655 764579 : ciphertext->data, length_to_decrypt,
656 764579 : plain->data, plain->size);
657 764579 : if (unlikely(ret < 0))
658 1570 : return gnutls_assert_val(ret);
659 :
660 : return length;
661 :
662 1241270 : break;
663 1241270 : case CIPHER_STREAM:
664 1241270 : if (unlikely(ciphertext->size < tag_size))
665 0 : return
666 0 : gnutls_assert_val
667 : (GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
668 :
669 1241270 : length_to_decrypt = ciphertext->size;
670 1241270 : length = ciphertext->size - tag_size;
671 1241270 : tag_ptr = plain->data + length;
672 :
673 : /* Pass the type, version, length and plain through
674 : * MAC.
675 : */
676 2482540 : preamble_size =
677 1241270 : _gnutls_make_preamble(sequence, type,
678 : length, ver, preamble);
679 :
680 1241270 : ret =
681 1241270 : _gnutls_auth_cipher_add_auth(¶ms->read.
682 : ctx.tls12, preamble,
683 : preamble_size);
684 1241270 : if (unlikely(ret < 0))
685 0 : return gnutls_assert_val(ret);
686 :
687 1241270 : if (unlikely
688 : ((unsigned) length_to_decrypt > plain->size)) {
689 0 : _gnutls_audit_log(session,
690 : "Received %u bytes, while expecting less than %u\n",
691 : (unsigned int) length_to_decrypt,
692 : (unsigned int) plain->size);
693 0 : return
694 0 : gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
695 : }
696 :
697 1241270 : ret =
698 2482540 : _gnutls_auth_cipher_decrypt2(¶ms->read.
699 : ctx.tls12,
700 1241270 : ciphertext->data,
701 : length_to_decrypt,
702 1241270 : plain->data,
703 : plain->size);
704 :
705 1241270 : if (unlikely(ret < 0))
706 0 : return gnutls_assert_val(ret);
707 :
708 1241270 : ret =
709 1241270 : _gnutls_auth_cipher_tag(¶ms->read.ctx.tls12, tag,
710 : tag_size);
711 1241270 : if (unlikely(ret < 0))
712 0 : return gnutls_assert_val(ret);
713 :
714 1241270 : if (unlikely
715 : (gnutls_memcmp(tag, tag_ptr, tag_size) != 0)) {
716 48 : return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
717 : }
718 :
719 : break;
720 665353 : case CIPHER_BLOCK:
721 665353 : if (unlikely(ciphertext->size < blocksize))
722 5 : return
723 5 : gnutls_assert_val
724 : (GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
725 :
726 665348 : if (etm == 0) {
727 8569 : if (unlikely(ciphertext->size % blocksize != 0))
728 4 : return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
729 : } else {
730 656779 : if (unlikely((ciphertext->size - tag_size) % blocksize != 0))
731 0 : return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
732 : }
733 :
734 : /* ignore the IV in TLS 1.1+
735 : */
736 665344 : if (explicit_iv) {
737 640366 : ret = _gnutls_auth_cipher_setiv(¶ms->read.
738 : ctx.tls12,
739 320183 : ciphertext->data,
740 : blocksize);
741 320183 : if (ret < 0)
742 0 : return gnutls_assert_val(ret);
743 :
744 320183 : memcpy(nonce, ciphertext->data, blocksize);
745 320183 : ciphertext->size -= blocksize;
746 320183 : ciphertext->data += blocksize;
747 : }
748 :
749 665344 : if (unlikely(ciphertext->size < tag_size + 1))
750 4 : return
751 4 : gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
752 :
753 : /* we don't use the auth_cipher interface here, since
754 : * TLS with block ciphers is impossible to be used under such
755 : * an API. (the length of plaintext is required to calculate
756 : * auth_data, but it is not available before decryption).
757 : */
758 665340 : if (unlikely(ciphertext->size > plain->size))
759 0 : return
760 0 : gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
761 :
762 665340 : if (etm == 0) {
763 8561 : ret =
764 17122 : _gnutls_cipher_decrypt2(¶ms->read.ctx.tls12.
765 8561 : cipher, ciphertext->data,
766 : ciphertext->size,
767 8561 : plain->data,
768 : plain->size);
769 8561 : if (unlikely(ret < 0))
770 0 : return gnutls_assert_val(ret);
771 :
772 17122 : ret = cbc_mac_verify(session, params, preamble, type,
773 8561 : sequence, plain->data, ciphertext->size,
774 : tag_size);
775 8561 : if (unlikely(ret < 0))
776 139 : return gnutls_assert_val(ret);
777 :
778 : length = ret;
779 : } else { /* EtM */
780 656779 : ret =
781 1313560 : _gnutls_cipher_decrypt2(¶ms->read.ctx.tls12.
782 656779 : cipher, ciphertext->data,
783 656779 : ciphertext->size - tag_size,
784 656779 : plain->data,
785 : plain->size);
786 656779 : if (unlikely(ret < 0))
787 0 : return gnutls_assert_val(ret);
788 :
789 656779 : pad = plain->data[ciphertext->size - tag_size - 1]; /* pad */
790 656779 : length = ciphertext->size - tag_size - pad - 1;
791 :
792 656779 : if (unlikely(length < 0))
793 0 : return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
794 : }
795 : break;
796 : default:
797 0 : return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
798 : }
799 :
800 :
801 : return length;
802 : }
803 :
804 : static int
805 513200 : decrypt_packet_tls13(gnutls_session_t session,
806 : gnutls_datum_t *ciphertext,
807 : gnutls_datum_t *plain,
808 : content_type_t *type, record_parameters_st *params,
809 : uint64_t sequence)
810 : {
811 513200 : uint8_t nonce[MAX_CIPHER_IV_SIZE];
812 513200 : size_t length, length_to_decrypt;
813 513200 : int ret;
814 513200 : const version_entry_st *ver = get_version(session);
815 513200 : unsigned int tag_size = params->read.aead_tag_size;
816 513200 : unsigned iv_size;
817 513200 : unsigned j;
818 513200 : volatile unsigned length_set;
819 513200 : uint8_t aad[5];
820 :
821 513200 : if (unlikely(ver == NULL))
822 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
823 :
824 513200 : if (params->cipher->id == GNUTLS_CIPHER_NULL) {
825 83038 : if (plain->size < ciphertext->size)
826 0 : return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
827 :
828 83038 : length = ciphertext->size;
829 83038 : memcpy(plain->data, ciphertext->data, length);
830 :
831 83038 : return length;
832 : }
833 :
834 430162 : iv_size = _gnutls_cipher_get_iv_size(params->cipher);
835 :
836 : /* The way AEAD ciphers are defined in RFC5246, it allows
837 : * only stream ciphers.
838 : */
839 430162 : if (unlikely(ciphertext->size < tag_size))
840 1 : return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
841 :
842 430161 : if (unlikely(params->read.iv_size != iv_size || iv_size < 8))
843 0 : return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
844 :
845 430161 : memset(nonce, 0, iv_size - 8);
846 430161 : _gnutls_write_uint64(sequence, &nonce[iv_size-8]);
847 430161 : memxor(nonce, params->read.iv, params->read.iv_size);
848 :
849 430161 : length =
850 430161 : ciphertext->size - tag_size;
851 :
852 430161 : length_to_decrypt = ciphertext->size;
853 :
854 430161 : if (unlikely
855 : ((unsigned) length_to_decrypt > plain->size)) {
856 0 : _gnutls_audit_log(session,
857 : "Received %u bytes, while expecting less than %u\n",
858 : (unsigned int) length_to_decrypt,
859 : (unsigned int) plain->size);
860 0 : return
861 0 : gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
862 : }
863 :
864 430161 : aad[0] = GNUTLS_APPLICATION_DATA;
865 430161 : aad[1] = 0x03;
866 430161 : aad[2] = 0x03;
867 430161 : _gnutls_write_uint16(ciphertext->size, &aad[3]);
868 :
869 860322 : ret = gnutls_aead_cipher_decrypt(¶ms->read.ctx.aead,
870 : nonce, iv_size,
871 : aad, sizeof(aad),
872 : tag_size,
873 430161 : ciphertext->data, length_to_decrypt,
874 430161 : plain->data, &length);
875 430161 : if (unlikely(ret < 0))
876 42 : return gnutls_assert_val(ret);
877 :
878 : /* 1 octet for content type */
879 430133 : if (length > max_decrypted_size(session) + 1) {
880 6 : _gnutls_audit_log
881 : (session, "Received packet with illegal length: %u\n",
882 : (unsigned int) length);
883 :
884 12 : return gnutls_assert_val(GNUTLS_E_RECORD_OVERFLOW);
885 : }
886 :
887 430127 : length_set = 0;
888 :
889 : /* now figure the actual data size. We intentionally iterate through all data,
890 : * to avoid leaking the padding length due to timing differences in processing.
891 : */
892 561684 : for (j=length;j>0;j--) {
893 561679 : if (plain->data[j-1]!=0 && length_set == 0) {
894 430127 : *type = plain->data[j-1];
895 430127 : length = j-1;
896 430127 : length_set = 1;
897 430127 : if (!(session->internals.flags & GNUTLS_SAFE_PADDING_CHECK))
898 : break;
899 : }
900 : }
901 :
902 430127 : if (!length_set)
903 0 : return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
904 :
905 430127 : return length;
906 : }
|