File Coverage

src/ssl/ssl_rec_cbc.c

Criterion	Covered	Total	%
statement	0	136	0.0
branch	0	42	0.0
condition			n/a
subroutine			n/a
pod			n/a
total	0	178	0.0

line	stmt	bran	code
1			/*
2			* Copyright (c) 2016 Thomas Pornin
3			*
4			* Permission is hereby granted, free of charge, to any person obtaining
5			* a copy of this software and associated documentation files (the
6			* "Software"), to deal in the Software without restriction, including
7			* without limitation the rights to use, copy, modify, merge, publish,
8			* distribute, sublicense, and/or sell copies of the Software, and to
9			* permit persons to whom the Software is furnished to do so, subject to
10			* the following conditions:
11			*
12			* The above copyright notice and this permission notice shall be
13			* included in all copies or substantial portions of the Software.
14			*
15			* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16			* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17			* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18			* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19			* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20			* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21			* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22			* SOFTWARE.
23			*/
24
25			#include "inner.h"
26
27			static void
28	0		in_cbc_init(br_sslrec_in_cbc_context *cc,
29			const br_block_cbcdec_class *bc_impl,
30			const void *bc_key, size_t bc_key_len,
31			const br_hash_class *dig_impl,
32			const void *mac_key, size_t mac_key_len, size_t mac_out_len,
33			const void *iv)
34			{
35	0		cc->vtable = &br_sslrec_in_cbc_vtable;
36	0		cc->seq = 0;
37	0		bc_impl->init(&cc->bc.vtable, bc_key, bc_key_len);
38	0		br_hmac_key_init(&cc->mac, dig_impl, mac_key, mac_key_len);
39	0		cc->mac_len = mac_out_len;
40	0	0	if (iv == NULL) {
41	0		memset(cc->iv, 0, sizeof cc->iv);
42	0		cc->explicit_IV = 1;
43			} else {
44	0		memcpy(cc->iv, iv, bc_impl->block_size);
45	0		cc->explicit_IV = 0;
46			}
47	0		}
48
49			static int
50	0		cbc_check_length(const br_sslrec_in_cbc_context *cc, size_t rlen)
51			{
52			/*
53			* Plaintext size: at most 16384 bytes
54			* Padding: at most 256 bytes
55			* MAC: mac_len extra bytes
56			* TLS 1.1+: each record has an explicit IV
57			*
58			* Minimum length includes at least one byte of padding, and the
59			* MAC.
60			*
61			* Total length must be a multiple of the block size.
62			*/
63			size_t blen;
64			size_t min_len, max_len;
65
66	0		blen = cc->bc.vtable->block_size;
67	0		min_len = (blen + cc->mac_len) & ~(blen - 1);
68	0		max_len = (16384 + 256 + cc->mac_len) & ~(blen - 1);
69	0	0	if (cc->explicit_IV) {
70	0		min_len += blen;
71	0		max_len += blen;
72			}
73	0	0	return min_len <= rlen && rlen <= max_len;
		0
74			}
75
76			/*
77			* Rotate array buf[] of length 'len' to the left (towards low indices)
78			* by 'num' bytes if ctl is 1; otherwise, leave it unchanged. This is
79			* constant-time. 'num' MUST be lower than 'len'. 'len' MUST be lower
80			* than or equal to 64.
81			*/
82			static void
83	0		cond_rotate(uint32_t ctl, unsigned char *buf, size_t len, size_t num)
84			{
85			unsigned char tmp[64];
86			size_t u, v;
87
88	0	0	for (u = 0, v = num; u < len; u ++) {
89	0		tmp[u] = MUX(ctl, buf[v], buf[u]);
90	0	0	if (++ v == len) {
91	0		v = 0;
92			}
93			}
94	0		memcpy(buf, tmp, len);
95	0		}
96
97			static unsigned char *
98	0		cbc_decrypt(br_sslrec_in_cbc_context *cc,
99			int record_type, unsigned version, void data, size_t data_len)
100			{
101			/*
102			* We represent all lengths on 32-bit integers, because:
103			* -- SSL record lengths always fit in 32 bits;
104			* -- our constant-time primitives operate on 32-bit integers.
105			*/
106			unsigned char *buf;
107			uint32_t u, v, len, blen, min_len, max_len;
108			uint32_t good, pad_len, rot_count, len_withmac, len_nomac;
109			unsigned char tmp1[64], tmp2[64];
110			int i;
111			br_hmac_context hc;
112
113	0		buf = data;
114	0		len = *data_len;
115	0		blen = cc->bc.vtable->block_size;
116
117			/*
118			* Decrypt data, and skip the explicit IV (if applicable). Note
119			* that the total length is supposed to have been verified by
120			* the caller. If there is an explicit IV, then we actually
121			* "decrypt" it using the implicit IV (from previous record),
122			* which is useless but harmless.
123			*/
124	0		cc->bc.vtable->run(&cc->bc.vtable, cc->iv, data, len);
125	0	0	if (cc->explicit_IV) {
126	0		buf += blen;
127	0		len -= blen;
128			}
129
130			/*
131			* Compute minimum and maximum length of plaintext + MAC. These
132			* lengths can be inferred from the outside: they are not secret.
133			*/
134	0	0	min_len = (cc->mac_len + 256 < len) ? len - 256 : cc->mac_len;
135	0		max_len = len - 1;
136
137			/*
138			* Use the last decrypted byte to compute the actual payload
139			* length. Take care not to overflow (we use unsigned types).
140			*/
141	0		pad_len = buf[max_len];
142	0		good = LE(pad_len, (uint32_t)(max_len - min_len));
143	0		len = MUX(good, (uint32_t)(max_len - pad_len), min_len);
144
145			/*
146			* Check padding contents: all padding bytes must be equal to
147			* the value of pad_len.
148			*/
149	0	0	for (u = min_len; u < max_len; u ++) {
150	0		good &= LT(u, len) \| EQ(buf[u], pad_len);
151			}
152
153			/*
154			* Extract the MAC value. This is done in one pass, but results
155			* in a "rotated" MAC value depending on where it actually
156			* occurs. The 'rot_count' value is set to the offset of the
157			* first MAC byte within tmp1[].
158			*
159			* min_len and max_len are also adjusted to the minimum and
160			* maximum lengths of the plaintext alone (without the MAC).
161			*/
162	0		len_withmac = (uint32_t)len;
163	0		len_nomac = len_withmac - cc->mac_len;
164	0		min_len -= cc->mac_len;
165	0		rot_count = 0;
166	0		memset(tmp1, 0, cc->mac_len);
167	0		v = 0;
168	0	0	for (u = min_len; u < max_len; u ++) {
169	0		tmp1[v] \|= MUX(GE(u, len_nomac) & LT(u, len_withmac),
170	0		buf[u], 0x00);
171	0		rot_count = MUX(EQ(u, len_nomac), v, rot_count);
172	0	0	if (++ v == cc->mac_len) {
173	0		v = 0;
174			}
175			}
176	0		max_len -= cc->mac_len;
177
178			/*
179			* Rotate back the MAC value. The loop below does the constant-time
180			* rotation in time n*log n for a MAC output of length n. We assume
181			* that the MAC output length is no more than 64 bytes, so the
182			* rotation count fits on 6 bits.
183			*/
184	0	0	for (i = 5; i >= 0; i --) {
185			uint32_t rc;
186
187	0		rc = (uint32_t)1 << i;
188	0		cond_rotate(rot_count >> i, tmp1, cc->mac_len, rc);
189	0		rot_count &= ~rc;
190			}
191
192			/*
193			* Recompute the HMAC value. The input is the concatenation of
194			* the sequence number (8 bytes), the record header (5 bytes),
195			* and the payload.
196			*
197			* At that point, min_len is the minimum plaintext length, but
198			* max_len still includes the MAC length.
199			*/
200	0		br_enc64be(tmp2, cc->seq ++);
201	0		tmp2[8] = (unsigned char)record_type;
202	0		br_enc16be(tmp2 + 9, version);
203	0		br_enc16be(tmp2 + 11, len_nomac);
204	0		br_hmac_init(&hc, &cc->mac, cc->mac_len);
205	0		br_hmac_update(&hc, tmp2, 13);
206	0		br_hmac_outCT(&hc, buf, len_nomac, min_len, max_len, tmp2);
207
208			/*
209			* Compare the extracted and recomputed MAC values.
210			*/
211	0	0	for (u = 0; u < cc->mac_len; u ++) {
212	0		good &= EQ0(tmp1[u] ^ tmp2[u]);
213			}
214
215			/*
216			* Check that the plaintext length is valid. The previous
217			* check was on the encrypted length, but the padding may have
218			* turned shorter than expected.
219			*
220			* Once this final test is done, the critical "constant-time"
221			* section ends and we can make conditional jumps again.
222			*/
223	0		good &= LE(len_nomac, 16384);
224
225	0	0	if (!good) {
226	0		return 0;
227			}
228	0		*data_len = len_nomac;
229	0		return buf;
230			}
231
232			/* see bearssl_ssl.h */
233			const br_sslrec_in_cbc_class br_sslrec_in_cbc_vtable = {
234			{
235			sizeof(br_sslrec_in_cbc_context),
236			(int ()(const br_sslrec_in_class const *, size_t))
237			&cbc_check_length,
238			(unsigned char ()(const br_sslrec_in_class **,
239			int, unsigned, void , size_t ))
240			&cbc_decrypt
241			},
242			(void ()(const br_sslrec_in_cbc_class *,
243			const br_block_cbcdec_class , const void , size_t,
244			const br_hash_class , const void , size_t, size_t,
245			const void *))
246			&in_cbc_init
247			};
248
249			/*
250			* For CBC output:
251			*
252			* -- With TLS 1.1+, there is an explicit IV. Generation method uses
253			* HMAC, computed over the current sequence number, and the current MAC
254			* key. The resulting value is truncated to the size of a block, and
255			* added at the head of the plaintext; it will get encrypted along with
256			* the data. This custom generation mechanism is "safe" under the
257			* assumption that HMAC behaves like a random oracle; since the MAC for
258			* a record is computed over the concatenation of the sequence number,
259			* the record header and the plaintext, the HMAC-for-IV will not collide
260			* with the normal HMAC.
261			*
262			* -- With TLS 1.0, for application data, we want to enforce a 1/n-1
263			* split, as a countermeasure against chosen-plaintext attacks. We thus
264			* need to leave some room in the buffer for that extra record.
265			*/
266
267			static void
268	0		out_cbc_init(br_sslrec_out_cbc_context *cc,
269			const br_block_cbcenc_class *bc_impl,
270			const void *bc_key, size_t bc_key_len,
271			const br_hash_class *dig_impl,
272			const void *mac_key, size_t mac_key_len, size_t mac_out_len,
273			const void *iv)
274			{
275	0		cc->vtable = &br_sslrec_out_cbc_vtable;
276	0		cc->seq = 0;
277	0		bc_impl->init(&cc->bc.vtable, bc_key, bc_key_len);
278	0		br_hmac_key_init(&cc->mac, dig_impl, mac_key, mac_key_len);
279	0		cc->mac_len = mac_out_len;
280	0	0	if (iv == NULL) {
281	0		memset(cc->iv, 0, sizeof cc->iv);
282	0		cc->explicit_IV = 1;
283			} else {
284	0		memcpy(cc->iv, iv, bc_impl->block_size);
285	0		cc->explicit_IV = 0;
286			}
287	0		}
288
289			static void
290	0		cbc_max_plaintext(const br_sslrec_out_cbc_context *cc,
291			size_t start, size_t end)
292			{
293			size_t blen, len;
294
295	0		blen = cc->bc.vtable->block_size;
296	0	0	if (cc->explicit_IV) {
297	0		*start += blen;
298			} else {
299	0		*start += 4 + ((cc->mac_len + blen + 1) & ~(blen - 1));
300			}
301	0		len = (end - start) & ~(blen - 1);
302	0		len -= 1 + cc->mac_len;
303	0	0	if (len > 16384) {
304	0		len = 16384;
305			}
306	0		end = start + len;
307	0		}
308
309			static unsigned char *
310	0		cbc_encrypt(br_sslrec_out_cbc_context *cc,
311			int record_type, unsigned version, void data, size_t data_len)
312			{
313			unsigned char buf, rbuf;
314			size_t len, blen, plen;
315			unsigned char tmp[13];
316			br_hmac_context hc;
317
318	0		buf = data;
319	0		len = *data_len;
320	0		blen = cc->bc.vtable->block_size;
321
322			/*
323			* If using TLS 1.0, with more than one byte of plaintext, and
324			* the record is application data, then we need to compute
325			* a "split". We do not perform the split on other record types
326			* because it turned out that some existing, deployed
327			* implementations of SSL/TLS do not tolerate the splitting of
328			* some message types (in particular the Finished message).
329			*
330			* If using TLS 1.1+, then there is an explicit IV. We produce
331			* that IV by adding an extra initial plaintext block, whose
332			* value is computed with HMAC over the record sequence number.
333			*/
334	0	0	if (cc->explicit_IV) {
335			/*
336			* We use here the fact that all the HMAC variants we
337			* support can produce at least 16 bytes, while all the
338			* block ciphers we support have blocks of no more than
339			* 16 bytes. Thus, we can always truncate the HMAC output
340			* down to the block size.
341			*/
342	0		br_enc64be(tmp, cc->seq);
343	0		br_hmac_init(&hc, &cc->mac, blen);
344	0		br_hmac_update(&hc, tmp, 8);
345	0		br_hmac_out(&hc, buf - blen);
346	0		rbuf = buf - blen - 5;
347			} else {
348	0	0	if (len > 1 && record_type == BR_SSL_APPLICATION_DATA) {
		0
349			/*
350			* To do the split, we use a recursive invocation;
351			* since we only give one byte to the inner call,
352			* the recursion stops there.
353			*
354			* We need to compute the exact size of the extra
355			* record, so that the two resulting records end up
356			* being sequential in RAM.
357			*
358			* We use here the fact that cbc_max_plaintext()
359			* adjusted the start offset to leave room for the
360			* initial fragment.
361			*/
362			size_t xlen;
363
364	0		rbuf = buf - 4
365	0		- ((cc->mac_len + blen + 1) & ~(blen - 1));
366	0		rbuf[0] = buf[0];
367	0		xlen = 1;
368	0		rbuf = cbc_encrypt(cc, record_type,
369			version, rbuf, &xlen);
370	0		buf ++;
371	0		len --;
372			} else {
373	0		rbuf = buf - 5;
374			}
375			}
376
377			/*
378			* Compute MAC.
379			*/
380	0		br_enc64be(tmp, cc->seq ++);
381	0		tmp[8] = record_type;
382	0		br_enc16be(tmp + 9, version);
383	0		br_enc16be(tmp + 11, len);
384	0		br_hmac_init(&hc, &cc->mac, cc->mac_len);
385	0		br_hmac_update(&hc, tmp, 13);
386	0		br_hmac_update(&hc, buf, len);
387	0		br_hmac_out(&hc, buf + len);
388	0		len += cc->mac_len;
389
390			/*
391			* Add padding.
392			*/
393	0		plen = blen - (len & (blen - 1));
394	0		memset(buf + len, (unsigned)plen - 1, plen);
395	0		len += plen;
396
397			/*
398			* If an explicit IV is used, the corresponding extra block was
399			* already put in place earlier; we just have to account for it
400			* here.
401			*/
402	0	0	if (cc->explicit_IV) {
403	0		buf -= blen;
404	0		len += blen;
405			}
406
407			/*
408			* Encrypt the whole thing. If there is an explicit IV, we also
409			* encrypt it, which is fine (encryption of a uniformly random
410			* block is still a uniformly random block).
411			*/
412	0		cc->bc.vtable->run(&cc->bc.vtable, cc->iv, buf, len);
413
414			/*
415			* Add the header and return.
416			*/
417	0		buf[-5] = record_type;
418	0		br_enc16be(buf - 4, version);
419	0		br_enc16be(buf - 2, len);
420	0		*data_len = (size_t)((buf + len) - rbuf);
421	0		return rbuf;
422			}
423
424			/* see bearssl_ssl.h */
425			const br_sslrec_out_cbc_class br_sslrec_out_cbc_vtable = {
426			{
427			sizeof(br_sslrec_out_cbc_context),
428			(void ()(const br_sslrec_out_class const *,
429			size_t , size_t ))
430			&cbc_max_plaintext,
431			(unsigned char ()(const br_sslrec_out_class **,
432			int, unsigned, void , size_t ))
433			&cbc_encrypt
434			},
435			(void ()(const br_sslrec_out_cbc_class *,
436			const br_block_cbcenc_class , const void , size_t,
437			const br_hash_class , const void , size_t, size_t,
438			const void *))
439			&out_cbc_init
440			};