2
* Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2008, 2009, 2010
3
* Free Software Foundation, Inc.
5
* Author: Nikos Mavrogiannopoulos
7
* This file is part of GnuTLS.
9
* The GnuTLS is free software; you can redistribute it and/or
10
* modify it under the terms of the GNU Lesser General Public License
11
* as published by the Free Software Foundation; either version 2.1 of
12
* the License, or (at your option) any later version.
14
* This library is distributed in the hope that it will be useful, but
15
* WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17
* Lesser General Public License for more details.
19
* You should have received a copy of the GNU Lesser General Public
20
* License along with this library; if not, write to the Free Software
21
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26
/* Some high level functions to be used in the record encryption are
30
#include "gnutls_int.h"
31
#include "gnutls_errors.h"
32
#include "gnutls_compress.h"
33
#include "gnutls_cipher.h"
34
#include "gnutls_algorithms.h"
35
#include "gnutls_hash_int.h"
36
#include "gnutls_cipher_int.h"
38
#include "gnutls_num.h"
39
#include "gnutls_datum.h"
40
#include "gnutls_kx.h"
41
#include "gnutls_record.h"
42
#include "gnutls_constate.h"
46
is_write_comp_null (gnutls_session_t session)
48
if (session->security_parameters.write_compression_algorithm ==
56
is_read_comp_null (gnutls_session_t session)
58
if (session->security_parameters.read_compression_algorithm ==
66
/* returns ciphertext which contains the headers too. This also
67
* calculates the size in the header field.
69
* If random pad != 0 then the random pad data will be appended.
72
_gnutls_encrypt (gnutls_session_t session, const opaque * headers,
73
size_t headers_size, const opaque * data,
74
size_t data_size, opaque * ciphertext,
75
size_t ciphertext_size, content_type_t type, int random_pad)
82
plain.data = (opaque *) data;
83
plain.size = data_size;
85
if (plain.size == 0 || is_write_comp_null (session) == 0)
92
/* Here comp is allocated and must be
95
ret = _gnutls_m_plaintext2compressed (session, &comp, &plain);
103
ret = _gnutls_compressed2ciphertext (session, &ciphertext[headers_size],
104
ciphertext_size - headers_size,
105
comp, type, random_pad);
108
_gnutls_free_datum (&comp);
117
/* copy the headers */
118
memcpy (ciphertext, headers, headers_size);
119
_gnutls_write_uint16 (ret, &ciphertext[3]);
121
return ret + headers_size;
124
/* Decrypts the given data.
125
* Returns the decrypted data length.
128
_gnutls_decrypt (gnutls_session_t session, opaque * ciphertext,
129
size_t ciphertext_size, uint8_t * data,
130
size_t max_data_size, content_type_t type)
133
gnutls_datum_t gcipher;
136
if (ciphertext_size == 0)
139
gcipher.size = ciphertext_size;
140
gcipher.data = ciphertext;
143
_gnutls_ciphertext2compressed (session, data, max_data_size,
150
if (ret == 0 || is_read_comp_null (session) == 0)
157
gnutls_datum_t gcomp;
159
/* compression has this malloc overhead.
164
ret = _gnutls_m_compressed2plaintext (session, >xt, &gcomp);
170
if (gtxt.size > MAX_RECORD_RECV_SIZE)
173
_gnutls_free_datum (>xt);
174
/* This shouldn't have happen and
175
* is a TLS fatal error.
177
return GNUTLS_E_DECOMPRESSION_FAILED;
180
/* This check is not really needed */
181
if (max_data_size < MAX_RECORD_RECV_SIZE)
184
_gnutls_free_datum (>xt);
185
return GNUTLS_E_INTERNAL_ERROR;
188
memcpy (data, gtxt.data, gtxt.size);
191
_gnutls_free_datum (>xt);
198
mac_init (digest_hd_st * td, gnutls_mac_algorithm_t mac, opaque * secret,
199
int secret_size, int ver)
203
if (mac == GNUTLS_MAC_NULL)
205
return GNUTLS_E_HASH_FAILED;
208
if (ver == GNUTLS_SSL3)
210
ret = _gnutls_mac_init_ssl3 (td, mac, secret, secret_size);
214
ret = _gnutls_hmac_init (td, mac, secret, secret_size);
221
mac_hash (digest_hd_st * td, void *data, int data_size, int ver)
223
if (ver == GNUTLS_SSL3)
225
_gnutls_hash (td, data, data_size);
229
_gnutls_hmac (td, data, data_size);
234
mac_deinit (digest_hd_st * td, opaque * res, int ver)
236
if (ver == GNUTLS_SSL3)
238
_gnutls_mac_deinit_ssl3 (td, res);
242
_gnutls_hmac_deinit (td, res);
247
calc_enc_length (gnutls_session_t session, int data_size,
248
int hash_size, uint8_t * pad, int random_pad,
249
cipher_type_t block_algo, uint16_t blocksize)
259
length = data_size + hash_size;
263
ret = _gnutls_rnd (GNUTLS_RND_NONCE, &rnd, 1);
270
/* make rnd a multiple of blocksize */
271
if (session->security_parameters.version == GNUTLS_SSL3 ||
278
rnd = (rnd / blocksize) * blocksize;
279
/* added to avoid the case of pad calculated 0
280
* seen below for pad calculation.
286
length = data_size + hash_size;
288
*pad = (uint8_t) (blocksize - (length % blocksize)) + rnd;
291
if (_gnutls_version_has_explicit_iv
292
(session->security_parameters.version))
293
length += blocksize; /* for the IV */
298
return GNUTLS_E_INTERNAL_ERROR;
304
#define PREAMBLE_SIZE 16
306
make_preamble (opaque * uint64_data, opaque type, uint16_t c_length,
307
opaque ver, opaque * preamble)
309
opaque minor = _gnutls_version_get_minor (ver);
310
opaque major = _gnutls_version_get_major (ver);
311
opaque *p = preamble;
313
memcpy (p, uint64_data, 8);
317
if (_gnutls_version_has_variable_padding (ver))
318
{ /* TLS 1.0 or higher */
324
memcpy (p, &c_length, 2);
329
/* This is the actual encryption
330
* Encrypts the given compressed datum, and puts the result to cipher_data,
331
* which has cipher_size size.
332
* return the actual encrypted data length.
335
_gnutls_compressed2ciphertext (gnutls_session_t session,
336
opaque * cipher_data, int cipher_size,
337
gnutls_datum_t compressed,
338
content_type_t _type, int random_pad)
340
uint8_t MAC[MAX_HASH_SIZE];
344
uint8_t type = _type;
345
opaque preamble[PREAMBLE_SIZE];
348
_gnutls_hash_get_algo_len (session->
349
security_parameters.write_mac_algorithm);
351
gnutls_cipher_get_block_size (session->
352
security_parameters.write_bulk_cipher_algorithm);
353
cipher_type_t block_algo =
354
_gnutls_cipher_is_block (session->
355
security_parameters.write_bulk_cipher_algorithm);
357
int ver = gnutls_protocol_get_version (session);
362
c_length = _gnutls_conv_uint16 (compressed.size);
364
if (session->security_parameters.write_mac_algorithm != GNUTLS_MAC_NULL)
365
{ /* actually when the algorithm in not the NULL one */
368
ret = mac_init (&td, session->security_parameters.write_mac_algorithm,
369
session->connection_state.write_mac_secret.data,
370
session->connection_state.write_mac_secret.size, ver);
378
make_preamble (UINT64DATA
379
(session->connection_state.write_sequence_number),
380
type, c_length, ver, preamble);
381
mac_hash (&td, preamble, preamble_size, ver);
382
mac_hash (&td, compressed.data, compressed.size, ver);
383
mac_deinit (&td, MAC, ver);
387
/* Calculate the encrypted length (padding etc.)
390
calc_enc_length (session, compressed.size, hash_size, &pad,
391
random_pad, block_algo, blocksize);
398
/* copy the encrypted data to cipher_data.
400
if (cipher_size < length)
403
return GNUTLS_E_MEMORY_ERROR;
406
data_ptr = cipher_data;
407
if (block_algo == CIPHER_BLOCK &&
408
_gnutls_version_has_explicit_iv (session->security_parameters.version))
410
/* copy the random IV.
412
ret = _gnutls_rnd (GNUTLS_RND_NONCE, data_ptr, blocksize);
419
data_ptr += blocksize;
422
memcpy (data_ptr, compressed.data, compressed.size);
423
data_ptr += compressed.size;
427
memcpy (data_ptr, MAC, hash_size);
428
data_ptr += hash_size;
430
if (block_algo == CIPHER_BLOCK && pad > 0)
432
memset (data_ptr, pad - 1, pad);
436
/* Actual encryption (inplace).
439
_gnutls_cipher_encrypt (&session->connection_state.write_cipher_state,
440
cipher_data, length);
450
/* Deciphers the ciphertext packet, and puts the result to compress_data, of compress_size.
451
* Returns the actual compressed packet size.
454
_gnutls_ciphertext2compressed (gnutls_session_t session,
455
opaque * compress_data,
457
gnutls_datum_t ciphertext, uint8_t type)
459
uint8_t MAC[MAX_HASH_SIZE];
464
int ret, i, pad_failed = 0;
465
opaque preamble[PREAMBLE_SIZE];
467
int ver = gnutls_protocol_get_version (session);
469
_gnutls_hash_get_algo_len (session->
470
security_parameters.read_mac_algorithm);
473
gnutls_cipher_get_block_size (session->
474
security_parameters.read_bulk_cipher_algorithm);
477
/* actual decryption (inplace)
479
switch (_gnutls_cipher_is_block
480
(session->security_parameters.read_bulk_cipher_algorithm))
484
_gnutls_cipher_decrypt (&session->
485
connection_state.read_cipher_state,
486
ciphertext.data, ciphertext.size)) < 0)
492
length = ciphertext.size - hash_size;
496
if ((ciphertext.size < blocksize) || (ciphertext.size % blocksize != 0))
499
return GNUTLS_E_DECRYPTION_FAILED;
503
_gnutls_cipher_decrypt (&session->
504
connection_state.read_cipher_state,
505
ciphertext.data, ciphertext.size)) < 0)
511
/* ignore the IV in TLS 1.1.
513
if (_gnutls_version_has_explicit_iv
514
(session->security_parameters.version))
516
ciphertext.size -= blocksize;
517
ciphertext.data += blocksize;
520
if (ciphertext.size < hash_size)
523
return GNUTLS_E_DECRYPTION_FAILED;
525
pad = ciphertext.data[ciphertext.size - 1] + 1; /* pad */
527
if ((int) pad > (int) ciphertext.size - hash_size)
531
("REC[%p]: Short record length %d > %d - %d (under attack?)\n",
532
session, pad, ciphertext.size, hash_size);
533
/* We do not fail here. We check below for the
534
* the pad_failed. If zero means success.
536
pad_failed = GNUTLS_E_DECRYPTION_FAILED;
539
length = ciphertext.size - hash_size - pad;
541
/* Check the pading bytes (TLS 1.x)
543
if (_gnutls_version_has_variable_padding (ver) && pad_failed == 0)
544
for (i = 2; i < pad; i++)
546
if (ciphertext.data[ciphertext.size - i] !=
547
ciphertext.data[ciphertext.size - 1])
548
pad_failed = GNUTLS_E_DECRYPTION_FAILED;
553
return GNUTLS_E_INTERNAL_ERROR;
558
c_length = _gnutls_conv_uint16 ((uint16_t) length);
560
/* Pass the type, version, length and compressed through
563
if (session->security_parameters.read_mac_algorithm != GNUTLS_MAC_NULL)
567
ret = mac_init (&td, session->security_parameters.read_mac_algorithm,
568
session->connection_state.read_mac_secret.data,
569
session->connection_state.read_mac_secret.size, ver);
574
return GNUTLS_E_INTERNAL_ERROR;
578
make_preamble (UINT64DATA
579
(session->connection_state.read_sequence_number), type,
580
c_length, ver, preamble);
581
mac_hash (&td, preamble, preamble_size, ver);
583
mac_hash (&td, ciphertext.data, length, ver);
585
mac_deinit (&td, MAC, ver);
588
/* This one was introduced to avoid a timing attack against the TLS
597
/* HMAC was not the same.
599
if (memcmp (MAC, &ciphertext.data[length], hash_size) != 0)
602
return GNUTLS_E_DECRYPTION_FAILED;
605
/* copy the decrypted stuff to compress_data.
607
if (compress_size < length)
610
return GNUTLS_E_DECOMPRESSION_FAILED;
612
memcpy (compress_data, ciphertext.data, length);