1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
|
/*
* TLS CBC Record Handling
* (C) 2012,2013,2014,2015,2016 Jack Lloyd
* 2016 Juraj Somorovsky
* 2016 Matthias Gierlings
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#include <botan/internal/tls_cbc.h>
#include <botan/internal/rounding.h>
#include <botan/internal/ct_utils.h>
#include <botan/tls_alert.h>
#include <botan/tls_magic.h>
#include <botan/tls_exceptn.h>
namespace Botan {
namespace TLS {
/*
* TLS_CBC_HMAC_AEAD_Mode Constructor
*/
TLS_CBC_HMAC_AEAD_Mode::TLS_CBC_HMAC_AEAD_Mode(const std::string& cipher_name,
size_t cipher_keylen,
const std::string& mac_name,
size_t mac_keylen,
bool use_explicit_iv,
bool use_encrypt_then_mac) :
m_cipher_name(cipher_name),
m_mac_name(mac_name),
m_cipher_keylen(cipher_keylen),
m_mac_keylen(mac_keylen),
m_use_encrypt_then_mac(use_encrypt_then_mac)
{
m_cipher = BlockCipher::create(m_cipher_name);
if(!m_cipher)
throw Algorithm_Not_Found(m_cipher_name);
m_mac = MessageAuthenticationCode::create("HMAC(" + m_mac_name + ")");
if(!m_mac)
throw Algorithm_Not_Found("HMAC(" + m_mac_name + ")");
m_tag_size = m_mac->output_length();
m_block_size = m_cipher->block_size();
m_iv_size = use_explicit_iv ? m_block_size : 0;
}
void TLS_CBC_HMAC_AEAD_Mode::clear()
{
cipher().clear();
mac().clear();
cbc_state().clear();
}
std::string TLS_CBC_HMAC_AEAD_Mode::name() const
{
return "TLS_CBC(" + m_cipher_name + "," + m_mac_name + ")";
}
size_t TLS_CBC_HMAC_AEAD_Mode::update_granularity() const
{
return 1; // just buffers anyway
}
bool TLS_CBC_HMAC_AEAD_Mode::valid_nonce_length(size_t nl) const
{
if(m_cbc_state.empty())
return nl == block_size();
return nl == iv_size();
}
Key_Length_Specification TLS_CBC_HMAC_AEAD_Mode::key_spec() const
{
return Key_Length_Specification(m_cipher_keylen + m_mac_keylen);
}
void TLS_CBC_HMAC_AEAD_Mode::key_schedule(const byte key[], size_t keylen)
{
// Both keys are of fixed length specified by the ciphersuite
if(keylen != m_cipher_keylen + m_mac_keylen)
throw Invalid_Key_Length(name(), keylen);
cipher().set_key(&key[0], m_cipher_keylen);
mac().set_key(&key[m_cipher_keylen], m_mac_keylen);
}
void TLS_CBC_HMAC_AEAD_Mode::start_msg(const byte nonce[], size_t nonce_len)
{
if(!valid_nonce_length(nonce_len))
{
throw Invalid_IV_Length(name(), nonce_len);
}
m_msg.clear();
if(nonce_len > 0)
{
m_cbc_state.assign(nonce, nonce + nonce_len);
}
}
size_t TLS_CBC_HMAC_AEAD_Mode::process(byte buf[], size_t sz)
{
m_msg.insert(m_msg.end(), buf, buf + sz);
return 0;
}
std::vector<byte> TLS_CBC_HMAC_AEAD_Mode::assoc_data_with_len(uint16_t len)
{
std::vector<byte> ad = m_ad;
BOTAN_ASSERT(ad.size() == 13, "Expected AAD size");
ad[11] = get_byte(0, len);
ad[12] = get_byte(1, len);
return ad;
}
void TLS_CBC_HMAC_AEAD_Mode::set_associated_data(const byte ad[], size_t ad_len)
{
if(ad_len != 13)
throw Exception("Invalid TLS AEAD associated data length");
m_ad.assign(ad, ad + ad_len);
}
void TLS_CBC_HMAC_AEAD_Encryption::set_associated_data(const byte ad[], size_t ad_len)
{
TLS_CBC_HMAC_AEAD_Mode::set_associated_data(ad, ad_len);
if(use_encrypt_then_mac())
{
std::vector<byte>& ad = assoc_data();
// AAD hack for EtM
size_t pt_size = make_u16bit(ad[11], ad[12]);
size_t enc_size = round_up(iv_size() + pt_size + 1, block_size());
ad[11] = get_byte<uint16_t>(0, enc_size);
ad[12] = get_byte<uint16_t>(1, enc_size);
}
}
void TLS_CBC_HMAC_AEAD_Encryption::cbc_encrypt_record(byte buf[], size_t buf_size)
{
const size_t blocks = buf_size / block_size();
BOTAN_ASSERT(buf_size % block_size() == 0, "Valid CBC input");
xor_buf(buf, cbc_state().data(), block_size());
cipher().encrypt(buf);
for(size_t i = 1; i < blocks; ++i)
{
xor_buf(&buf[block_size()*i], &buf[block_size()*(i-1)], block_size());
cipher().encrypt(&buf[block_size()*i]);
}
cbc_state().assign(&buf[block_size()*(blocks-1)],
&buf[block_size()*blocks]);
}
size_t TLS_CBC_HMAC_AEAD_Encryption::output_length(size_t input_length) const
{
return round_up(input_length + 1 + (use_encrypt_then_mac() ? 0 : tag_size()), block_size()) +
(use_encrypt_then_mac() ? tag_size() : 0);
}
void TLS_CBC_HMAC_AEAD_Encryption::finish(secure_vector<byte>& buffer, size_t offset)
{
update(buffer, offset);
buffer.resize(offset); // truncate, leaving just header
const size_t header_size = offset;
buffer.insert(buffer.end(), msg().begin(), msg().end());
const size_t input_size = msg().size() + 1 + (use_encrypt_then_mac() ? 0 : tag_size());
const size_t enc_size = round_up(input_size, block_size());
const size_t pad_val = enc_size - input_size;
const size_t buf_size = enc_size + (use_encrypt_then_mac() ? tag_size() : 0);
BOTAN_ASSERT(enc_size % block_size() == 0,
"Buffer is an even multiple of block size");
mac().update(assoc_data());
if(use_encrypt_then_mac())
{
if(iv_size() > 0)
{
mac().update(cbc_state());
}
for(size_t i = 0; i != pad_val + 1; ++i)
buffer.push_back(static_cast<byte>(pad_val));
cbc_encrypt_record(&buffer[header_size], enc_size);
}
// EtM also uses ciphertext size instead of plaintext size for AEAD input
const byte* mac_input = (use_encrypt_then_mac() ? &buffer[header_size] : msg().data());
const size_t mac_input_len = (use_encrypt_then_mac() ? enc_size : msg().size());
mac().update(mac_input, mac_input_len);
buffer.resize(buffer.size() + tag_size());
mac().final(&buffer[buffer.size() - tag_size()]);
if(use_encrypt_then_mac() == false)
{
for(size_t i = 0; i != pad_val + 1; ++i)
buffer.push_back(static_cast<byte>(pad_val));
cbc_encrypt_record(&buffer[header_size], buf_size);
}
}
namespace {
/*
* Checks the TLS padding. Returns 0 if the padding is invalid (we
* count the padding_length field as part of the padding size so a
* valid padding will always be at least one byte long), or the length
* of the padding otherwise. This is actually padding_length + 1
* because both the padding and padding_length fields are padding from
* our perspective.
*
* Returning 0 in the error case should ensure the MAC check will fail.
* This approach is suggested in section 6.2.3.2 of RFC 5246.
*/
u16bit check_tls_padding(const byte record[], size_t record_len)
{
/*
* TLS v1.0 and up require all the padding bytes be the same value
* and allows up to 255 bytes.
*/
const byte pad_byte = record[(record_len-1)];
byte pad_invalid = 0;
for(size_t i = 0; i != record_len; ++i)
{
const size_t left = record_len - i - 2;
const byte delim_mask = CT::is_less<u16bit>(static_cast<u16bit>(left), pad_byte) & 0xFF;
pad_invalid |= (delim_mask & (record[i] ^ pad_byte));
}
u16bit pad_invalid_mask = CT::expand_mask<u16bit>(pad_invalid);
return CT::select<u16bit>(pad_invalid_mask, 0, pad_byte + 1);
}
}
void TLS_CBC_HMAC_AEAD_Decryption::cbc_decrypt_record(byte record_contents[], size_t record_len)
{
BOTAN_ASSERT(record_len % block_size() == 0,
"Buffer is an even multiple of block size");
const size_t blocks = record_len / block_size();
BOTAN_ASSERT(blocks >= 1, "At least one ciphertext block");
byte* buf = record_contents;
secure_vector<byte> last_ciphertext(block_size());
copy_mem(last_ciphertext.data(), buf, block_size());
cipher().decrypt(buf);
xor_buf(buf, cbc_state().data(), block_size());
secure_vector<byte> last_ciphertext2;
for(size_t i = 1; i < blocks; ++i)
{
last_ciphertext2.assign(&buf[block_size()*i], &buf[block_size()*(i+1)]);
cipher().decrypt(&buf[block_size()*i]);
xor_buf(&buf[block_size()*i], last_ciphertext.data(), block_size());
std::swap(last_ciphertext, last_ciphertext2);
}
cbc_state().assign(last_ciphertext.begin(), last_ciphertext.end());
}
size_t TLS_CBC_HMAC_AEAD_Decryption::output_length(size_t) const
{
/*
* We don't know this because the padding is arbitrary
*/
return 0;
}
void TLS_CBC_HMAC_AEAD_Decryption::finish(secure_vector<byte>& buffer, size_t offset)
{
update(buffer, offset);
buffer.resize(offset);
const size_t record_len = msg().size();
byte* record_contents = msg().data();
// This early exit does not leak info because all the values compared are public
if(record_len < tag_size() ||
(record_len - (use_encrypt_then_mac() ? tag_size() : 0)) % block_size() != 0)
{
throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
}
if(use_encrypt_then_mac())
{
const size_t enc_size = record_len - tag_size();
mac().update(assoc_data_with_len(iv_size() + enc_size));
if(iv_size() > 0)
{
mac().update(cbc_state());
}
mac().update(record_contents, enc_size);
std::vector<byte> mac_buf(tag_size());
mac().final(mac_buf.data());
const size_t mac_offset = enc_size;
const bool mac_ok = same_mem(&record_contents[mac_offset], mac_buf.data(), tag_size());
if(!mac_ok)
{
throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
}
cbc_decrypt_record(record_contents, enc_size);
// 0 if padding was invalid, otherwise 1 + padding_bytes
u16bit pad_size = check_tls_padding(record_contents, enc_size);
// No oracle here, whoever sent us this had the key since MAC check passed
if(pad_size == 0)
{
throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
}
const byte* plaintext_block = &record_contents[0];
const u16bit plaintext_length = enc_size - pad_size;
buffer.insert(buffer.end(), plaintext_block, plaintext_block + plaintext_length);
}
else
{
uint8_t* record_contents = msg().data();
const size_t record_len = msg().size();
CT::poison(record_contents, record_len);
cbc_decrypt_record(record_contents, record_len);
// 0 if padding was invalid, otherwise 1 + padding_bytes
u16bit pad_size = check_tls_padding(record_contents, record_len);
/*
This mask is zero if there is not enough room in the packet to get a valid MAC.
We have to accept empty packets, since otherwise we are not compatible
with how OpenSSL's countermeasure for fixing BEAST in TLS 1.0 CBC works
(sending empty records, instead of 1/(n-1) splitting)
*/
const u16bit size_ok_mask = CT::is_lte<u16bit>(static_cast<u16bit>(tag_size() + pad_size), static_cast<u16bit>(record_len + 1));
pad_size &= size_ok_mask;
CT::unpoison(record_contents, record_len);
/*
This is unpoisoned sooner than it should. The pad_size leaks to plaintext_length and
then to the timing channel in the MAC computation described in the Lucky 13 paper.
*/
CT::unpoison(pad_size);
const byte* plaintext_block = &record_contents[0];
const u16bit plaintext_length = static_cast<u16bit>(record_len - tag_size() - pad_size);
mac().update(assoc_data_with_len(plaintext_length));
mac().update(plaintext_block, plaintext_length);
std::vector<byte> mac_buf(tag_size());
mac().final(mac_buf.data());
const size_t mac_offset = record_len - (tag_size() + pad_size);
const bool mac_ok = same_mem(&record_contents[mac_offset], mac_buf.data(), tag_size());
const u16bit ok_mask = size_ok_mask & CT::expand_mask<u16bit>(mac_ok) & CT::expand_mask<u16bit>(pad_size);
CT::unpoison(ok_mask);
if(ok_mask)
{
buffer.insert(buffer.end(), plaintext_block, plaintext_block + plaintext_length);
}
else
{
throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
}
}
}
}
}
|