aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2016-09-19 10:02:41 -0400
committerJack Lloyd <[email protected]>2016-10-07 15:56:32 -0400
commit13c9dce65807785f9d0d0f33b94803f9807a009b (patch)
tree168b9efe0b40303a362993621d4f73acc38e6d2e /src/lib/tls
parent36220cebaae551f3e7c22e2abd8a8ce848e56892 (diff)
TLS: Split CBC+HMAC modes to standalone AEAD_Mode
Now record layer only deals with an AEAD, and the weird complications of CBC modes mostly hidden in tls_cbc.cpp
Diffstat (limited to 'src/lib/tls')
-rw-r--r--src/lib/tls/info.txt1
-rw-r--r--src/lib/tls/tls_cbc.cpp403
-rw-r--r--src/lib/tls/tls_cbc.h168
-rw-r--r--src/lib/tls/tls_channel.cpp13
-rw-r--r--src/lib/tls/tls_policy.cpp9
-rw-r--r--src/lib/tls/tls_record.cpp393
-rw-r--r--src/lib/tls/tls_record.h34
7 files changed, 683 insertions, 338 deletions
diff --git a/src/lib/tls/info.txt b/src/lib/tls/info.txt
index 667726318..ad0d266fa 100644
--- a/src/lib/tls/info.txt
+++ b/src/lib/tls/info.txt
@@ -22,6 +22,7 @@ tls_version.h
</header:public>
<header:internal>
+tls_cbc.h
tls_extensions.h
tls_handshake_hash.h
tls_handshake_io.h
diff --git a/src/lib/tls/tls_cbc.cpp b/src/lib/tls/tls_cbc.cpp
new file mode 100644
index 000000000..c7203003b
--- /dev/null
+++ b/src/lib/tls/tls_cbc.cpp
@@ -0,0 +1,403 @@
+/*
+* TLS CBC Record Handling
+* (C) 2012,2013,2014,2015,2016 Jack Lloyd
+* 2016 Juraj Somorovsky
+* 2016 Matthias Gierlings
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/internal/tls_cbc.h>
+#include <botan/internal/rounding.h>
+#include <botan/internal/ct_utils.h>
+#include <botan/tls_alert.h>
+#include <botan/tls_magic.h>
+#include <botan/tls_exceptn.h>
+
+namespace Botan {
+
+namespace TLS {
+
+/*
+* TLS_CBC_HMAC_AEAD_Mode Constructor
+*/
+TLS_CBC_HMAC_AEAD_Mode::TLS_CBC_HMAC_AEAD_Mode(const std::string& cipher_name,
+ size_t cipher_keylen,
+ const std::string& mac_name,
+ size_t mac_keylen,
+ bool use_explicit_iv,
+ bool use_encrypt_then_mac) :
+ m_cipher_name(cipher_name),
+ m_mac_name(mac_name),
+ m_cipher_keylen(cipher_keylen),
+ m_mac_keylen(mac_keylen),
+ m_use_encrypt_then_mac(use_encrypt_then_mac)
+ {
+ m_cipher = BlockCipher::create(m_cipher_name);
+ if(!m_cipher)
+ throw Algorithm_Not_Found(m_cipher_name);
+
+ m_mac = MessageAuthenticationCode::create("HMAC(" + m_mac_name + ")");
+ if(!m_mac)
+ throw Algorithm_Not_Found("HMAC(" + m_mac_name + ")");
+
+ m_tag_size = m_mac->output_length();
+ m_block_size = m_cipher->block_size();
+
+ m_iv_size = use_explicit_iv ? m_block_size : 0;
+ }
+
+void TLS_CBC_HMAC_AEAD_Mode::clear()
+ {
+ cipher().clear();
+ mac().clear();
+ cbc_state().clear();
+ }
+
+std::string TLS_CBC_HMAC_AEAD_Mode::name() const
+ {
+ return "TLS_CBC(" + m_cipher_name + "," + m_mac_name + ")";
+ }
+
+size_t TLS_CBC_HMAC_AEAD_Mode::update_granularity() const
+ {
+ return 1; // just buffers anyway
+ }
+
+bool TLS_CBC_HMAC_AEAD_Mode::valid_nonce_length(size_t nl) const
+ {
+ if(m_cbc_state.empty())
+ return nl == block_size();
+ return nl == iv_size();
+ }
+
+Key_Length_Specification TLS_CBC_HMAC_AEAD_Mode::key_spec() const
+ {
+ return Key_Length_Specification(m_cipher_keylen + m_mac_keylen);
+ }
+
+void TLS_CBC_HMAC_AEAD_Mode::key_schedule(const byte key[], size_t keylen)
+ {
+ // Both keys are of fixed length specified by the ciphersuite
+
+ if(keylen != m_cipher_keylen + m_mac_keylen)
+ throw Invalid_Key_Length(name(), keylen);
+
+ cipher().set_key(&key[0], m_cipher_keylen);
+ mac().set_key(&key[m_cipher_keylen], m_mac_keylen);
+ }
+
+void TLS_CBC_HMAC_AEAD_Mode::start_msg(const byte nonce[], size_t nonce_len)
+ {
+ if(!valid_nonce_length(nonce_len))
+ {
+ throw Invalid_IV_Length(name(), nonce_len);
+ }
+
+ m_msg.clear();
+
+ if(nonce_len > 0)
+ {
+ m_cbc_state.assign(nonce, nonce + nonce_len);
+ }
+ }
+
+size_t TLS_CBC_HMAC_AEAD_Mode::process(byte buf[], size_t sz)
+ {
+ m_msg.insert(m_msg.end(), buf, buf + sz);
+ return 0;
+ }
+
+std::vector<byte> TLS_CBC_HMAC_AEAD_Mode::assoc_data_with_len(uint16_t len)
+ {
+ std::vector<byte> ad = m_ad;
+ BOTAN_ASSERT(ad.size() == 13, "Expected AAD size");
+ ad[11] = get_byte(0, len);
+ ad[12] = get_byte(1, len);
+ return ad;
+ }
+
+void TLS_CBC_HMAC_AEAD_Mode::set_associated_data(const byte ad[], size_t ad_len)
+ {
+ if(ad_len != 13)
+ throw Exception("Invalid TLS AEAD associated data length");
+ m_ad.assign(ad, ad + ad_len);
+ }
+
+void TLS_CBC_HMAC_AEAD_Encryption::set_associated_data(const byte ad[], size_t ad_len)
+ {
+ TLS_CBC_HMAC_AEAD_Mode::set_associated_data(ad, ad_len);
+
+ if(use_encrypt_then_mac())
+ {
+ std::vector<byte>& ad = assoc_data();
+ // AAD hack for EtM
+ size_t pt_size = make_u16bit(ad[11], ad[12]);
+ size_t enc_size = round_up(iv_size() + pt_size + 1, block_size());
+ ad[11] = get_byte<uint16_t>(0, enc_size);
+ ad[12] = get_byte<uint16_t>(1, enc_size);
+ }
+ }
+
+void TLS_CBC_HMAC_AEAD_Encryption::cbc_encrypt_record(byte buf[], size_t buf_size)
+ {
+ const size_t blocks = buf_size / block_size();
+ BOTAN_ASSERT(buf_size % block_size() == 0, "Valid CBC input");
+
+ xor_buf(buf, cbc_state().data(), block_size());
+ cipher().encrypt(buf);
+
+ for(size_t i = 1; i < blocks; ++i)
+ {
+ xor_buf(&buf[block_size()*i], &buf[block_size()*(i-1)], block_size());
+ cipher().encrypt(&buf[block_size()*i]);
+ }
+
+ cbc_state().assign(&buf[block_size()*(blocks-1)],
+ &buf[block_size()*blocks]);
+ }
+
+size_t TLS_CBC_HMAC_AEAD_Encryption::output_length(size_t input_length) const
+ {
+ return round_up(input_length + 1 + (use_encrypt_then_mac() ? 0 : tag_size()), block_size()) +
+ (use_encrypt_then_mac() ? tag_size() : 0);
+ }
+
+void TLS_CBC_HMAC_AEAD_Encryption::finish(secure_vector<byte>& buffer, size_t offset)
+ {
+ update(buffer, offset);
+ buffer.resize(offset); // truncate, leaving just header
+ const size_t header_size = offset;
+
+ buffer.insert(buffer.end(), msg().begin(), msg().end());
+
+ const size_t input_size = msg().size() + 1 + (use_encrypt_then_mac() ? 0 : tag_size());
+ const size_t enc_size = round_up(input_size, block_size());
+ const size_t pad_val = enc_size - input_size;
+ const size_t buf_size = enc_size + (use_encrypt_then_mac() ? tag_size() : 0);
+
+ BOTAN_ASSERT(enc_size % block_size() == 0,
+ "Buffer is an even multiple of block size");
+
+ mac().update(assoc_data());
+
+ if(use_encrypt_then_mac())
+ {
+ if(iv_size() > 0)
+ {
+ mac().update(cbc_state());
+ }
+
+ for(size_t i = 0; i != pad_val + 1; ++i)
+ buffer.push_back(static_cast<byte>(pad_val));
+ cbc_encrypt_record(&buffer[header_size], enc_size);
+ }
+
+ // EtM also uses ciphertext size instead of plaintext size for AEAD input
+ const byte* mac_input = (use_encrypt_then_mac() ? &buffer[header_size] : msg().data());
+ const size_t mac_input_len = (use_encrypt_then_mac() ? enc_size : msg().size());
+
+ mac().update(mac_input, mac_input_len);
+
+ buffer.resize(buffer.size() + tag_size());
+ mac().final(&buffer[buffer.size() - tag_size()]);
+
+ if(use_encrypt_then_mac() == false)
+ {
+ for(size_t i = 0; i != pad_val + 1; ++i)
+ buffer.push_back(static_cast<byte>(pad_val));
+ cbc_encrypt_record(&buffer[header_size], buf_size);
+ }
+ }
+
+namespace {
+
+
+/*
+* Checks the TLS padding. Returns 0 if the padding is invalid (we
+* count the padding_length field as part of the padding size so a
+* valid padding will always be at least one byte long), or the length
+* of the padding otherwise. This is actually padding_length + 1
+* because both the padding and padding_length fields are padding from
+* our perspective.
+*
+* Returning 0 in the error case should ensure the MAC check will fail.
+* This approach is suggested in section 6.2.3.2 of RFC 5246.
+*/
+u16bit check_tls_padding(const byte record[], size_t record_len)
+ {
+ /*
+ * TLS v1.0 and up require all the padding bytes be the same value
+ * and allows up to 255 bytes.
+ */
+
+ const byte pad_byte = record[(record_len-1)];
+
+ byte pad_invalid = 0;
+ for(size_t i = 0; i != record_len; ++i)
+ {
+ const size_t left = record_len - i - 2;
+ const byte delim_mask = CT::is_less<u16bit>(static_cast<u16bit>(left), pad_byte) & 0xFF;
+ pad_invalid |= (delim_mask & (record[i] ^ pad_byte));
+ }
+
+ u16bit pad_invalid_mask = CT::expand_mask<u16bit>(pad_invalid);
+ return CT::select<u16bit>(pad_invalid_mask, 0, pad_byte + 1);
+ }
+
+}
+
+void TLS_CBC_HMAC_AEAD_Decryption::cbc_decrypt_record(byte record_contents[], size_t record_len)
+ {
+ BOTAN_ASSERT(record_len % block_size() == 0,
+ "Buffer is an even multiple of block size");
+
+ const size_t blocks = record_len / block_size();
+
+ BOTAN_ASSERT(blocks >= 1, "At least one ciphertext block");
+
+ byte* buf = record_contents;
+
+ secure_vector<byte> last_ciphertext(block_size());
+ copy_mem(last_ciphertext.data(), buf, block_size());
+
+ cipher().decrypt(buf);
+ xor_buf(buf, cbc_state().data(), block_size());
+
+ secure_vector<byte> last_ciphertext2;
+
+ for(size_t i = 1; i < blocks; ++i)
+ {
+ last_ciphertext2.assign(&buf[block_size()*i], &buf[block_size()*(i+1)]);
+ cipher().decrypt(&buf[block_size()*i]);
+ xor_buf(&buf[block_size()*i], last_ciphertext.data(), block_size());
+ std::swap(last_ciphertext, last_ciphertext2);
+ }
+
+ cbc_state().assign(last_ciphertext.begin(), last_ciphertext.end());
+ }
+
+size_t TLS_CBC_HMAC_AEAD_Decryption::output_length(size_t) const
+ {
+ /*
+ * We don't know this because the padding is arbitrary
+ */
+ return 0;
+ }
+
+void TLS_CBC_HMAC_AEAD_Decryption::finish(secure_vector<byte>& buffer, size_t offset)
+ {
+ update(buffer, offset);
+ buffer.resize(offset);
+
+ const size_t record_len = msg().size();
+ byte* record_contents = msg().data();
+
+ // This early exit does not leak info because all the values compared are public
+ if(record_len < tag_size() ||
+ (record_len - (use_encrypt_then_mac() ? tag_size() : 0)) % block_size() != 0)
+ {
+ throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
+ }
+
+ if(use_encrypt_then_mac())
+ {
+ const size_t enc_size = record_len - tag_size();
+
+ mac().update(assoc_data_with_len(iv_size() + enc_size));
+ if(iv_size() > 0)
+ {
+ mac().update(cbc_state());
+ }
+ mac().update(record_contents, enc_size);
+
+ std::vector<byte> mac_buf(tag_size());
+ mac().final(mac_buf.data());
+
+ const size_t mac_offset = enc_size;
+
+ const bool mac_ok = same_mem(&record_contents[mac_offset], mac_buf.data(), tag_size());
+
+ if(!mac_ok)
+ {
+ throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
+ }
+
+ cbc_decrypt_record(record_contents, enc_size);
+
+ // 0 if padding was invalid, otherwise 1 + padding_bytes
+ u16bit pad_size = check_tls_padding(record_contents, enc_size);
+
+ // No oracle here, whoever sent us this had the key since MAC check passed
+ if(pad_size == 0)
+ {
+ throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
+ }
+
+ const byte* plaintext_block = &record_contents[0];
+ const u16bit plaintext_length = enc_size - pad_size;
+
+ buffer.insert(buffer.end(), plaintext_block, plaintext_block + plaintext_length);
+ }
+ else
+ {
+ uint8_t* record_contents = msg().data();
+ const size_t record_len = msg().size();
+
+ CT::poison(record_contents, record_len);
+
+ cbc_decrypt_record(record_contents, record_len);
+
+ // 0 if padding was invalid, otherwise 1 + padding_bytes
+ u16bit pad_size = check_tls_padding(record_contents, record_len);
+
+ /*
+ This mask is zero if there is not enough room in the packet to get a valid MAC.
+
+ We have to accept empty packets, since otherwise we are not compatible
+ with how OpenSSL's countermeasure for fixing BEAST in TLS 1.0 CBC works
+ (sending empty records, instead of 1/(n-1) splitting)
+ */
+
+ const u16bit size_ok_mask = CT::is_lte<u16bit>(static_cast<u16bit>(tag_size() + pad_size), static_cast<u16bit>(record_len + 1));
+ pad_size &= size_ok_mask;
+
+ CT::unpoison(record_contents, record_len);
+
+ /*
+ This is unpoisoned sooner than it should. The pad_size leaks to plaintext_length and
+ then to the timing channel in the MAC computation described in the Lucky 13 paper.
+ */
+ CT::unpoison(pad_size);
+
+ const byte* plaintext_block = &record_contents[0];
+ const u16bit plaintext_length = static_cast<u16bit>(record_len - tag_size() - pad_size);
+
+ mac().update(assoc_data_with_len(plaintext_length));
+ mac().update(plaintext_block, plaintext_length);
+
+ std::vector<byte> mac_buf(tag_size());
+ mac().final(mac_buf.data());
+
+ const size_t mac_offset = record_len - (tag_size() + pad_size);
+
+ const bool mac_ok = same_mem(&record_contents[mac_offset], mac_buf.data(), tag_size());
+
+ const u16bit ok_mask = size_ok_mask & CT::expand_mask<u16bit>(mac_ok) & CT::expand_mask<u16bit>(pad_size);
+
+ CT::unpoison(ok_mask);
+
+ if(ok_mask)
+ {
+ buffer.insert(buffer.end(), plaintext_block, plaintext_block + plaintext_length);
+ }
+ else
+ {
+ throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
+ }
+ }
+ }
+
+}
+
+}
diff --git a/src/lib/tls/tls_cbc.h b/src/lib/tls/tls_cbc.h
new file mode 100644
index 000000000..90b54bb5a
--- /dev/null
+++ b/src/lib/tls/tls_cbc.h
@@ -0,0 +1,168 @@
+/*
+* TLS CBC+HMAC AEAD
+* (C) 2016 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#ifndef BOTAN_TLS_CBC_HMAC_AEAD_H__
+#define BOTAN_TLS_CBC_HMAC_AEAD_H__
+
+#include <botan/aead.h>
+#include <botan/block_cipher.h>
+#include <botan/mac.h>
+
+namespace Botan {
+
+namespace TLS {
+
+/**
+* TLS CBC+HMAC AEAD base class (GenericBlockCipher in TLS spec)
+* This is the weird TLS-specific mode, not for general consumption.
+*/
+class TLS_CBC_HMAC_AEAD_Mode : public AEAD_Mode
+ {
+ public:
+ size_t process(uint8_t buf[], size_t sz) override final;
+
+ std::string name() const override final;
+
+ void set_associated_data(const byte ad[], size_t ad_len) override;
+
+ size_t update_granularity() const override final;
+
+ Key_Length_Specification key_spec() const override final;
+
+ bool valid_nonce_length(size_t nl) const override final;
+
+ size_t tag_size() const override final { return m_tag_size; }
+
+ size_t default_nonce_length() const override final { return m_iv_size; }
+
+ void clear() override final;
+
+ protected:
+ TLS_CBC_HMAC_AEAD_Mode(const std::string& cipher_name,
+ size_t cipher_keylen,
+ const std::string& mac_name,
+ size_t mac_keylen,
+ bool use_explicit_iv,
+ bool use_encrypt_then_mac);
+
+ size_t cipher_keylen() const { return m_cipher_keylen; }
+ size_t mac_keylen() const { return m_mac_keylen; }
+ size_t iv_size() const { return m_iv_size; }
+ size_t block_size() const { return m_block_size; }
+
+ bool use_encrypt_then_mac() const { return m_use_encrypt_then_mac; }
+
+ BlockCipher& cipher() const
+ {
+ BOTAN_ASSERT_NONNULL(m_cipher);
+ return *m_cipher;
+ }
+
+ MessageAuthenticationCode& mac() const
+ {
+ BOTAN_ASSERT_NONNULL(m_mac);
+ return *m_mac;
+ }
+
+ secure_vector<byte>& cbc_state() { return m_cbc_state; }
+ std::vector<byte>& assoc_data() { return m_ad; }
+ secure_vector<byte>& msg() { return m_msg; }
+
+ std::vector<byte> assoc_data_with_len(uint16_t len);
+
+ private:
+ void start_msg(const byte nonce[], size_t nonce_len) override final;
+
+ void key_schedule(const byte key[], size_t length) override final;
+
+ const std::string m_cipher_name;
+ const std::string m_mac_name;
+ size_t m_cipher_keylen;
+ size_t m_mac_keylen;
+ size_t m_iv_size;
+ size_t m_tag_size;
+ size_t m_block_size;
+ bool m_use_encrypt_then_mac;
+
+ std::unique_ptr<BlockCipher> m_cipher;
+ std::unique_ptr<MessageAuthenticationCode> m_mac;
+
+ secure_vector<byte> m_cbc_state;
+ std::vector<byte> m_ad;
+ secure_vector<byte> m_msg;
+ };
+
+/**
+* TLS_CBC_HMAC_AEAD Encryption
+*/
+class BOTAN_DLL TLS_CBC_HMAC_AEAD_Encryption final : public TLS_CBC_HMAC_AEAD_Mode
+ {
+ public:
+ /**
+ */
+ TLS_CBC_HMAC_AEAD_Encryption(const std::string& cipher_algo,
+ const size_t cipher_keylen,
+ const std::string& mac_algo,
+ const size_t mac_keylen,
+ bool use_explicit_iv,
+ bool use_encrypt_then_mac) :
+ TLS_CBC_HMAC_AEAD_Mode(cipher_algo,
+ cipher_keylen,
+ mac_algo,
+ mac_keylen,
+ use_explicit_iv,
+ use_encrypt_then_mac)
+ {}
+
+ void set_associated_data(const byte ad[], size_t ad_len) override;
+
+ size_t output_length(size_t input_length) const override;
+
+ size_t minimum_final_size() const override { return 0; }
+
+ void finish(secure_vector<byte>& final_block, size_t offset = 0) override;
+ private:
+ void cbc_encrypt_record(byte record_contents[], size_t record_len);
+ };
+
+/**
+* TLS_CBC_HMAC_AEAD Decryption
+*/
+class BOTAN_DLL TLS_CBC_HMAC_AEAD_Decryption final : public TLS_CBC_HMAC_AEAD_Mode
+ {
+ public:
+ /**
+ */
+ TLS_CBC_HMAC_AEAD_Decryption(const std::string& cipher_algo,
+ const size_t cipher_keylen,
+ const std::string& mac_algo,
+ const size_t mac_keylen,
+ bool use_explicit_iv,
+ bool use_encrypt_then_mac) :
+ TLS_CBC_HMAC_AEAD_Mode(cipher_algo,
+ cipher_keylen,
+ mac_algo,
+ mac_keylen,
+ use_explicit_iv,
+ use_encrypt_then_mac)
+ {}
+
+ size_t output_length(size_t input_length) const override;
+
+ size_t minimum_final_size() const override { return tag_size(); }
+
+ void finish(secure_vector<byte>& final_block, size_t offset = 0) override;
+
+ private:
+ void cbc_decrypt_record(byte record_contents[], size_t record_len);
+ };
+
+}
+
+}
+
+#endif
diff --git a/src/lib/tls/tls_channel.cpp b/src/lib/tls/tls_channel.cpp
index 5e9207da7..574be8a46 100644
--- a/src/lib/tls/tls_channel.cpp
+++ b/src/lib/tls/tls_channel.cpp
@@ -276,7 +276,7 @@ void Channel::activate_session()
if(!m_active_state->version().is_datagram_protocol())
{
// TLS is easy just remove all but the current state
- auto current_epoch = sequence_numbers().current_write_epoch();
+ const u16bit current_epoch = sequence_numbers().current_write_epoch();
const auto not_current_epoch =
[current_epoch](u16bit epoch) { return (epoch != current_epoch); };
@@ -502,10 +502,11 @@ void Channel::send_record_array(u16bit epoch, byte type, const byte input[], siz
return;
/*
- * If using CBC mode without an explicit IV (SSL v3 or TLS v1.0),
- * send a single byte of plaintext to randomize the (implicit) IV of
- * the following main block. If using a stream cipher, or TLS v1.1
- * or higher, this isn't necessary.
+ * In versions without an explicit IV field (only TLS v1.0 now that
+ * SSLv3 has been removed) send a single byte record first to randomize
+ * the following (implicit) IV of the following record.
+ *
+ * This isn't needed in TLS v1.1 or higher.
*
* An empty record also works but apparently some implementations do
* not like this (https://bugzilla.mozilla.org/show_bug.cgi?id=665814)
@@ -515,7 +516,7 @@ void Channel::send_record_array(u16bit epoch, byte type, const byte input[], siz
auto cipher_state = write_cipher_state_epoch(epoch);
- if(type == APPLICATION_DATA && cipher_state->cbc_without_explicit_iv())
+ if(type == APPLICATION_DATA && m_active_state->version().supports_explicit_cbc_ivs() == false)
{
write_record(cipher_state.get(), epoch, type, input, 1);
input += 1;
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 9646aa320..53ef8e46d 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -352,12 +352,19 @@ std::vector<u16bit> Policy::ciphersuite_list(Protocol_Version version,
for(auto&& suite : Ciphersuite::all_known_ciphersuites())
{
- if(!acceptable_ciphersuite(suite))
+ // Can we use it?
+ if(suite.valid() == false)
continue;
+ // Is it acceptable to the policy?
+ if(!this->acceptable_ciphersuite(suite))
+ continue;
+
+ // Are we doing SRP?
if(!have_srp && suite.kex_algo() == "SRP_SHA")
continue;
+ // Are we doing AEAD in a non-AEAD version
if(!version.supports_aead_modes() && suite.mac_algo() == "AEAD")
continue;
diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp
index 88609ca26..0bee24e34 100644
--- a/src/lib/tls/tls_record.cpp
+++ b/src/lib/tls/tls_record.cpp
@@ -13,6 +13,7 @@
#include <botan/loadstor.h>
#include <botan/internal/tls_seq_numbers.h>
#include <botan/internal/tls_session_key.h>
+#include <botan/internal/tls_cbc.h>
#include <botan/internal/rounding.h>
#include <botan/internal/ct_utils.h>
#include <botan/rng.h>
@@ -29,8 +30,7 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
bool uses_encrypt_then_mac) :
m_start_time(std::chrono::system_clock::now()),
m_nonce_bytes_from_handshake(suite.nonce_bytes_from_handshake()),
- m_nonce_bytes_from_record(suite.nonce_bytes_from_record()),
- m_uses_encrypt_then_mac(uses_encrypt_then_mac)
+ m_nonce_bytes_from_record(suite.nonce_bytes_from_record())
{
SymmetricKey mac_key, cipher_key;
InitializationVector iv;
@@ -48,46 +48,75 @@ Connection_Cipher_State::Connection_Cipher_State(Protocol_Version version,
mac_key = keys.server_mac_key();
}
- const std::string cipher_algo = suite.cipher_algo();
- const std::string mac_algo = suite.mac_algo();
+ BOTAN_ASSERT_EQUAL(iv.length(), nonce_bytes_from_handshake(), "Matching nonce sizes");
- if(AEAD_Mode* aead = get_aead(cipher_algo, our_side ? ENCRYPTION : DECRYPTION))
+ m_nonce = unlock(iv.bits_of());
+
+ if(suite.mac_algo() == "AEAD")
{
- m_aead.reset(aead);
- m_aead->set_key(cipher_key + mac_key);
+ m_aead.reset(get_aead(suite.cipher_algo(), our_side ? ENCRYPTION : DECRYPTION));
+ BOTAN_ASSERT(m_aead, "Have AEAD");
- BOTAN_ASSERT_EQUAL(iv.length(), nonce_bytes_from_handshake(), "Matching nonce sizes");
- m_nonce = unlock(iv.bits_of());
+ m_aead->set_key(cipher_key + mac_key);
BOTAN_ASSERT(nonce_bytes_from_record() == 0 || nonce_bytes_from_record() == 8,
"Ciphersuite uses implemented IV length");
+ m_cbc_nonce = false;
if(m_nonce.size() != 12)
{
m_nonce.resize(m_nonce.size() + 8);
}
-
- return;
}
+ else
+ {
+ // legacy CBC+HMAC mode
+ if(our_side)
+ {
+ m_aead.reset(new TLS_CBC_HMAC_AEAD_Encryption(
+ suite.cipher_algo(),
+ suite.cipher_keylen(),
+ suite.mac_algo(),
+ suite.mac_keylen(),
+ version.supports_explicit_cbc_ivs(),
+ uses_encrypt_then_mac));
+ }
+ else
+ {
+ m_aead.reset(new TLS_CBC_HMAC_AEAD_Decryption(
+ suite.cipher_algo(),
+ suite.cipher_keylen(),
+ suite.mac_algo(),
+ suite.mac_keylen(),
+ version.supports_explicit_cbc_ivs(),
+ uses_encrypt_then_mac));
+ }
- m_block_cipher = BlockCipher::create(cipher_algo);
- m_mac = MessageAuthenticationCode::create("HMAC(" + mac_algo + ")");
- if(!m_block_cipher)
- throw Invalid_Argument("Unknown TLS cipher " + cipher_algo);
-
- m_block_cipher->set_key(cipher_key);
- m_block_cipher_cbc_state = iv.bits_of();
- m_block_size = m_block_cipher->block_size();
-
- if(version.supports_explicit_cbc_ivs())
- m_iv_size = m_block_size;
+ m_aead->set_key(cipher_key + mac_key);
- m_mac->set_key(mac_key);
+ m_cbc_nonce = true;
+ if(version.supports_explicit_cbc_ivs())
+ m_nonce_bytes_from_record = m_nonce_bytes_from_handshake;
+ else if(our_side == false)
+ m_aead->start(iv.bits_of());
+ }
}
-std::vector<byte> Connection_Cipher_State::aead_nonce(u64bit seq)
+std::vector<byte> Connection_Cipher_State::aead_nonce(u64bit seq, RandomNumberGenerator& rng)
{
- if(nonce_bytes_from_handshake() == 12)
+ if(m_cbc_nonce)
+ {
+ if(m_nonce.size())
+ {
+ std::vector<byte> nonce;
+ nonce.swap(m_nonce);
+ return nonce;
+ }
+ std::vector<byte> nonce(nonce_bytes_from_record());
+ rng.randomize(nonce.data(), nonce.size());
+ return nonce;
+ }
+ else if(nonce_bytes_from_handshake() == 12)
{
std::vector<byte> nonce(12);
store_be(seq, nonce.data() + 4);
@@ -105,7 +134,14 @@ std::vector<byte> Connection_Cipher_State::aead_nonce(u64bit seq)
std::vector<byte>
Connection_Cipher_State::aead_nonce(const byte record[], size_t record_len, u64bit seq)
{
- if(nonce_bytes_from_handshake() == 12)
+ if(m_cbc_nonce)
+ {
+ if(record_len < nonce_bytes_from_record())
+ throw Decoding_Error("Invalid CBC packet too short to be valid");
+ std::vector<byte> nonce(record, record + nonce_bytes_from_record());
+ return nonce;
+ }
+ else if(nonce_bytes_from_handshake() == 12)
{
/*
Assumes if the suite specifies 12 bytes come from the handshake then
@@ -157,29 +193,6 @@ Connection_Cipher_State::format_ad(u64bit msg_sequence,
namespace {
-void cbc_encrypt_record(const BlockCipher& bc,
- secure_vector<byte>& cbc_state,
- byte buf[],
- size_t buf_size)
- {
- const size_t block_size = bc.block_size();
- const size_t blocks = buf_size / block_size;
- BOTAN_ASSERT(buf_size % block_size == 0, "CBC input");
- BOTAN_ASSERT(blocks > 0, "Expected at least 1 block");
-
- xor_buf(buf, cbc_state.data(), block_size);
- bc.encrypt(buf);
-
- for(size_t i = 1; i < blocks; ++i)
- {
- xor_buf(&buf[block_size*i], &buf[block_size*(i-1)], block_size);
- bc.encrypt(&buf[block_size*i]);
- }
-
- cbc_state.assign(&buf[block_size*(blocks-1)],
- &buf[block_size*blocks]);
- }
-
inline void append_u16_len(secure_vector<byte>& output, size_t len_field)
{
const uint16_t len16 = len_field;
@@ -213,99 +226,38 @@ void write_record(secure_vector<byte>& output,
{
append_u16_len(output, msg.get_size());
output.insert(output.end(), msg.get_data(), msg.get_data() + msg.get_size());
-
return;
}
+ AEAD_Mode* aead = cs->aead();
std::vector<byte> aad = cs->format_ad(seq, msg.get_type(), version, static_cast<u16bit>(msg.get_size()));
- if(AEAD_Mode* aead = cs->aead())
- {
- const size_t ctext_size = aead->output_length(msg.get_size());
-
- const std::vector<byte> nonce = cs->aead_nonce(seq);
+ const size_t ctext_size = aead->output_length(msg.get_size());
- const size_t rec_size = ctext_size + cs->nonce_bytes_from_record();
+ const size_t rec_size = ctext_size + cs->nonce_bytes_from_record();
- BOTAN_ASSERT(rec_size <= 0xFFFF, "Ciphertext length fits in field");
- append_u16_len(output, rec_size);
+ aead->set_ad(aad);
- aead->set_ad(aad);
+ const std::vector<byte> nonce = cs->aead_nonce(seq, rng);
- if(cs->nonce_bytes_from_record() > 0)
- {
- output += std::make_pair(&nonce[cs->nonce_bytes_from_handshake()], cs->nonce_bytes_from_record());
- }
- const size_t header_size = output.size();
- output += std::make_pair(msg.get_data(), msg.get_size());
+ append_u16_len(output, rec_size);
- aead->start(nonce);
- aead->finish(output, header_size);
-
- BOTAN_ASSERT(output.size() < MAX_CIPHERTEXT_SIZE,
- "Produced ciphertext larger than protocol allows");
- return;
- }
-
- const size_t block_size = cs->block_size();
- const size_t iv_size = cs->iv_size();
- const size_t mac_size = cs->mac_size();
-
- const size_t input_size =
- iv_size + msg.get_size() + 1 + (cs->uses_encrypt_then_mac() ? 0 : mac_size);
- const size_t enc_size = round_up(input_size, block_size);
- const size_t pad_val = enc_size - input_size;
- const size_t buf_size = enc_size + (cs->uses_encrypt_then_mac() ? mac_size : 0);
-
- if(cs->uses_encrypt_then_mac())
+ if(cs->nonce_bytes_from_record() > 0)
{
- aad[11] = get_byte<uint16_t>(0, enc_size);
- aad[12] = get_byte<uint16_t>(1, enc_size);
+ if(cs->cbc_nonce())
+ output += nonce;
+ else
+ output += std::make_pair(&nonce[cs->nonce_bytes_from_handshake()], cs->nonce_bytes_from_record());
}
- BOTAN_ASSERT(enc_size % block_size == 0,
- "Buffer is an even multiple of block size");
-
- append_u16_len(output, buf_size);
-
const size_t header_size = output.size();
+ output += std::make_pair(msg.get_data(), msg.get_size());
- if(iv_size)
- {
- output.resize(output.size() + iv_size);
- rng.randomize(&output[output.size() - iv_size], iv_size);
- }
-
- output.insert(output.end(), msg.get_data(), msg.get_data() + msg.get_size());
-
- // EtM also uses ciphertext size instead of plaintext size for AEAD input
- const byte* mac_input = (cs->uses_encrypt_then_mac() ? &output[header_size] : msg.get_data());
- const size_t mac_input_len = (cs->uses_encrypt_then_mac() ? enc_size : msg.get_size());
-
- if(cs->uses_encrypt_then_mac())
- {
- for(size_t i = 0; i != pad_val + 1; ++i)
- output.push_back(static_cast<byte>(pad_val));
- cbc_encrypt_record(*cs->block_cipher(), cs->cbc_state(), &output[header_size], enc_size);
- }
-
- output.resize(output.size() + mac_size);
- cs->mac()->update(aad);
- cs->mac()->update(mac_input, mac_input_len);
- cs->mac()->final(&output[output.size() - mac_size]);
-
- if(cs->uses_encrypt_then_mac() == false)
- {
- for(size_t i = 0; i != pad_val + 1; ++i)
- output.push_back(static_cast<byte>(pad_val));
- cbc_encrypt_record(*cs->block_cipher(), cs->cbc_state(), &output[header_size], buf_size);
- }
-
- if(buf_size > MAX_CIPHERTEXT_SIZE)
- throw Internal_Error("Output record is larger than allowed by protocol");
+ aead->start(nonce);
+ aead->finish(output, header_size);
- BOTAN_ASSERT_EQUAL(buf_size + header_size, output.size(),
- "Output buffer is sized properly");
+ BOTAN_ASSERT(output.size() < MAX_CIPHERTEXT_SIZE,
+ "Produced ciphertext larger than protocol allows");
}
namespace {
@@ -329,72 +281,6 @@ size_t fill_buffer_to(secure_vector<byte>& readbuf,
return (desired - readbuf.size()); // how many bytes do we still need?
}
-/*
-* Checks the TLS padding. Returns 0 if the padding is invalid (we
-* count the padding_length field as part of the padding size so a
-* valid padding will always be at least one byte long), or the length
-* of the padding otherwise. This is actually padding_length + 1
-* because both the padding and padding_length fields are padding from
-* our perspective.
-*
-* Returning 0 in the error case should ensure the MAC check will fail.
-* This approach is suggested in section 6.2.3.2 of RFC 5246.
-*/
-u16bit tls_padding_check(const byte record[], size_t record_len)
- {
- /*
- * TLS v1.0 and up require all the padding bytes be the same value
- * and allows up to 255 bytes.
- */
-
- const byte pad_byte = record[(record_len-1)];
-
- byte pad_invalid = 0;
- for(size_t i = 0; i != record_len; ++i)
- {
- const size_t left = record_len - i - 2;
- const byte delim_mask = CT::is_less<u16bit>(static_cast<u16bit>(left), pad_byte) & 0xFF;
- pad_invalid |= (delim_mask & (record[i] ^ pad_byte));
- }
-
- u16bit pad_invalid_mask = CT::expand_mask<u16bit>(pad_invalid);
- return CT::select<u16bit>(pad_invalid_mask, 0, pad_byte + 1);
- }
-
-void cbc_decrypt_record(byte record_contents[], size_t record_len,
- Connection_Cipher_State& cs,
- const BlockCipher& bc)
- {
- const size_t block_size = cs.block_size();
-
- BOTAN_ASSERT(record_len % block_size == 0,
- "Buffer is an even multiple of block size");
-
- const size_t blocks = record_len / block_size;
-
- BOTAN_ASSERT(blocks >= 1, "At least one ciphertext block");
-
- byte* buf = record_contents;
-
- secure_vector<byte> last_ciphertext(block_size);
- copy_mem(last_ciphertext.data(), buf, block_size);
-
- bc.decrypt(buf);
- xor_buf(buf, &cs.cbc_state()[0], block_size);
-
- secure_vector<byte> last_ciphertext2;
-
- for(size_t i = 1; i < blocks; ++i)
- {
- last_ciphertext2.assign(&buf[block_size*i], &buf[block_size*(i+1)]);
- bc.decrypt(&buf[block_size*i]);
- xor_buf(&buf[block_size*i], last_ciphertext.data(), block_size);
- std::swap(last_ciphertext, last_ciphertext2);
- }
-
- cs.cbc_state() = last_ciphertext;
- }
-
void decrypt_record(secure_vector<byte>& output,
byte record_contents[], size_t record_len,
u64bit record_sequence,
@@ -402,121 +288,24 @@ void decrypt_record(secure_vector<byte>& output,
Record_Type record_type,
Connection_Cipher_State& cs)
{
- if(AEAD_Mode* aead = cs.aead())
- {
- const std::vector<byte> nonce = cs.aead_nonce(record_contents, record_len, record_sequence);
- const byte* msg = &record_contents[cs.nonce_bytes_from_record()];
- const size_t msg_length = record_len - cs.nonce_bytes_from_record();
-
- const size_t ptext_size = aead->output_length(msg_length);
-
- aead->set_associated_data_vec(
- cs.format_ad(record_sequence, record_type, record_version, static_cast<u16bit>(ptext_size))
- );
-
- aead->start(nonce);
-
- const size_t offset = output.size();
- output += std::make_pair(msg, msg_length);
- aead->finish(output, offset);
+ AEAD_Mode* aead = cs.aead();
+ BOTAN_ASSERT(aead, "Cannot decrypt without cipher");
- BOTAN_ASSERT(output.size() == ptext_size + offset, "Produced expected size");
- }
- else
- {
- // GenericBlockCipher case
- BlockCipher* bc = cs.block_cipher();
- BOTAN_ASSERT(bc != nullptr, "No cipher state set but needed to decrypt");
-
- const size_t mac_size = cs.mac_size();
- const size_t iv_size = cs.iv_size();
-
- if(!cs.uses_encrypt_then_mac())
- {
- // This early exit does not leak info because all the values are public
- if((record_len < mac_size + iv_size) || (record_len % cs.block_size() != 0))
- throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
-
- CT::poison(record_contents, record_len);
-
- cbc_decrypt_record(record_contents, record_len, cs, *bc);
-
- // 0 if padding was invalid, otherwise 1 + padding_bytes
- u16bit pad_size = tls_padding_check(record_contents, record_len);
-
- // This mask is zero if there is not enough room in the packet to get
- // a valid MAC. We have to accept empty packets, since otherwise we
- // are not compatible with the BEAST countermeasure (thus record_len+1).
- const u16bit size_ok_mask = CT::is_lte<u16bit>(static_cast<u16bit>(mac_size + pad_size + iv_size), static_cast<u16bit>(record_len + 1));
- pad_size &= size_ok_mask;
-
- CT::unpoison(record_contents, record_len);
-
- /*
- This is unpoisoned sooner than it should. The pad_size leaks to plaintext_length and
- then to the timing channel in the MAC computation described in the Lucky 13 paper.
- */
- CT::unpoison(pad_size);
-
- const byte* plaintext_block = &record_contents[iv_size];
- const u16bit plaintext_length = static_cast<u16bit>(record_len - mac_size - iv_size - pad_size);
-
- cs.mac()->update(cs.format_ad(record_sequence, record_type, record_version, plaintext_length));
- cs.mac()->update(plaintext_block, plaintext_length);
-
- std::vector<byte> mac_buf(mac_size);
- cs.mac()->final(mac_buf.data());
+ const std::vector<byte> nonce = cs.aead_nonce(record_contents, record_len, record_sequence);
+ const byte* msg = &record_contents[cs.nonce_bytes_from_record()];
+ const size_t msg_length = record_len - cs.nonce_bytes_from_record();
- const size_t mac_offset = record_len - (mac_size + pad_size);
+ const size_t ptext_size = aead->output_length(msg_length);
- const bool mac_ok = same_mem(&record_contents[mac_offset], mac_buf.data(), mac_size);
+ aead->set_associated_data_vec(
+ cs.format_ad(record_sequence, record_type, record_version, static_cast<u16bit>(ptext_size))
+ );
- const u16bit ok_mask = size_ok_mask & CT::expand_mask<u16bit>(mac_ok) & CT::expand_mask<u16bit>(pad_size);
+ aead->start(nonce);
- CT::unpoison(ok_mask);
-
- if(ok_mask)
- {
- output.assign(plaintext_block, plaintext_block + plaintext_length);
- }
- else
- {
- throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
- }
- }
- else
- {
- const size_t enc_size = record_len - mac_size;
- // This early exit does not leak info because all the values are public
- if((record_len < mac_size + iv_size) || ( enc_size % cs.block_size() != 0))
- throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
-
- cs.mac()->update(cs.format_ad(record_sequence, record_type, record_version, enc_size));
- cs.mac()->update(record_contents, enc_size);
-
- std::vector<byte> mac_buf(mac_size);
- cs.mac()->final(mac_buf.data());
-
- const size_t mac_offset = enc_size;
-
- const bool mac_ok = same_mem(&record_contents[mac_offset], mac_buf.data(), mac_size);
-
- if(!mac_ok)
- {
- throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
- }
-
- cbc_decrypt_record(record_contents, enc_size, cs, *bc);
-
- // 0 if padding was invalid, otherwise 1 + padding_bytes
- u16bit pad_size = tls_padding_check(record_contents, enc_size);
-
- const byte* plaintext_block = &record_contents[iv_size];
- const u16bit plaintext_length = enc_size - iv_size - pad_size;
-
- output.assign(plaintext_block, plaintext_block + plaintext_length);
- }
- }
+ const size_t offset = output.size();
+ output += std::make_pair(msg, msg_length);
+ aead->finish(output, offset);
}
size_t read_tls_record(secure_vector<byte>& readbuf,
diff --git a/src/lib/tls/tls_record.h b/src/lib/tls/tls_record.h
index 4420a9c66..b17d0a7b6 100644
--- a/src/lib/tls/tls_record.h
+++ b/src/lib/tls/tls_record.h
@@ -44,7 +44,7 @@ class Connection_Cipher_State
AEAD_Mode* aead() { return m_aead.get(); }
- std::vector<byte> aead_nonce(u64bit seq);
+ std::vector<byte> aead_nonce(u64bit seq, RandomNumberGenerator& rng);
std::vector<byte> aead_nonce(const byte record[], size_t record_len, u64bit seq);
@@ -52,26 +52,9 @@ class Connection_Cipher_State
Protocol_Version version,
u16bit ptext_length);
- BlockCipher* block_cipher() { return m_block_cipher.get(); }
-
- MessageAuthenticationCode* mac() { return m_mac.get(); }
-
- secure_vector<byte>& cbc_state() { return m_block_cipher_cbc_state; }
-
- size_t block_size() const { return m_block_size; }
-
- size_t mac_size() const { return m_mac->output_length(); }
-
- size_t iv_size() const { return m_iv_size; }
-
- size_t nonce_bytes_from_record() const { return m_nonce_bytes_from_record; }
-
size_t nonce_bytes_from_handshake() const { return m_nonce_bytes_from_handshake; }
-
- bool uses_encrypt_then_mac() const { return m_uses_encrypt_then_mac; }
-
- bool cbc_without_explicit_iv() const
- { return (m_block_size > 0) && (m_iv_size == 0); }
+ size_t nonce_bytes_from_record() const { return m_nonce_bytes_from_record; }
+ bool cbc_nonce() const { return m_cbc_nonce; }
std::chrono::seconds age() const
{
@@ -81,19 +64,12 @@ class Connection_Cipher_State
private:
std::chrono::system_clock::time_point m_start_time;
- std::unique_ptr<BlockCipher> m_block_cipher;
- secure_vector<byte> m_block_cipher_cbc_state;
- std::unique_ptr<MessageAuthenticationCode> m_mac;
-
std::unique_ptr<AEAD_Mode> m_aead;
- std::vector<byte> m_nonce;
- size_t m_block_size = 0;
+ std::vector<byte> m_nonce;
size_t m_nonce_bytes_from_handshake;
size_t m_nonce_bytes_from_record;
- size_t m_iv_size = 0;
-
- bool m_uses_encrypt_then_mac;
+ bool m_cbc_nonce;
};
class Record