source-git / gnutls

Clone
Source Code
GIT

Blame lib/cipher-cbc.c

c8 c8s master
  1.   a5833e423934687d0d6d9e22e45a4bb7a9ef30d1
  2.   lib
  3.   cipher-cbc.c
Blob History Raw
Packit aea12f 
/*
Packit aea12f 
 * Copyright (C) 2000-2013 Free Software Foundation, Inc.
Packit aea12f 
 * Copyright (C) 2013 Nikos Mavrogiannopoulos
Packit aea12f 
 * Copyright (C) 2017-2018 Red Hat, Inc.
Packit aea12f 
 *
Packit aea12f 
 * Author: Nikos Mavrogiannopoulos
Packit aea12f 
 *
Packit aea12f 
 * This file is part of GnuTLS.
Packit aea12f 
 *
Packit aea12f 
 * The GnuTLS is free software; you can redistribute it and/or
Packit aea12f 
 * modify it under the terms of the GNU Lesser General Public License
Packit aea12f 
 * as published by the Free Software Foundation; either version 2.1 of
Packit aea12f 
 * the License, or (at your option) any later version.
Packit aea12f 
 *
Packit aea12f 
 * This library is distributed in the hope that it will be useful, but
Packit aea12f 
 * WITHOUT ANY WARRANTY; without even the implied warranty of
Packit aea12f 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Packit aea12f 
 * Lesser General Public License for more details.
Packit aea12f 
 *
Packit aea12f 
 * You should have received a copy of the GNU Lesser General Public License
Packit aea12f 
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
Packit aea12f 
 *
Packit aea12f 
 */
Packit aea12f
Packit aea12f 
#include "gnutls_int.h"
Packit aea12f 
#include "cipher.h"
Packit aea12f
Packit aea12f 
static void dummy_wait(record_parameters_st *params,
Packit aea12f 
		       const uint8_t *data, size_t data_size,
Packit aea12f 
		       unsigned int mac_data, unsigned int max_mac_data)
Packit aea12f 
{
Packit aea12f 
	/* this hack is only needed on CBC ciphers when Encrypt-then-MAC mode
Packit aea12f 
	 * is not supported by the peer. */
Packit aea12f 
	unsigned v;
Packit aea12f 
	unsigned int tag_size =
Packit aea12f 
	    _gnutls_auth_cipher_tag_len(&params->read.ctx.tls12);
Packit aea12f 
	unsigned hash_block = _gnutls_mac_block_size(params->mac);
Packit aea12f
Packit aea12f 
	/* force additional hash compression function evaluations to prevent timing
Packit aea12f 
	 * attacks that distinguish between wrong-mac + correct pad, from wrong-mac + incorrect pad.
Packit aea12f 
	 */
Packit aea12f
Packit aea12f 
	if (params->mac && params->mac->id == GNUTLS_MAC_SHA384)
Packit aea12f 
		/* v = 1 for the hash function padding + 16 for message length */
Packit aea12f 
		v = 17;
Packit aea12f 
	else /* v = 1 for the hash function padding + 8 for message length */
Packit aea12f 
		v = 9;
Packit aea12f
Packit aea12f 
	if (hash_block > 0) {
Packit aea12f 
		int max_blocks = (max_mac_data+v+hash_block-1)/hash_block;
Packit aea12f 
		int hashed_blocks = (mac_data+v+hash_block-1)/hash_block;
Packit aea12f 
		unsigned to_hash;
Packit aea12f
Packit aea12f 
		max_blocks -= hashed_blocks;
Packit aea12f 
		if (max_blocks < 1)
Packit aea12f 
			return;
Packit aea12f
Packit aea12f 
		to_hash = max_blocks * hash_block;
Packit aea12f 
		if ((unsigned)to_hash+1+tag_size < data_size) {
Packit aea12f 
			_gnutls_auth_cipher_add_auth
Packit aea12f 
				    (&params->read.ctx.tls12,
Packit aea12f 
				     data+data_size-tag_size-to_hash-1,
Packit aea12f 
				     to_hash);
Packit aea12f 
		}
Packit aea12f 
	}
Packit aea12f 
}
Packit aea12f
Packit aea12f 
/* Verifies the CBC HMAC. That's a special case as it tries to avoid
Packit aea12f 
 * any leaks which could make CBC ciphersuites without EtM usable as an
Packit aea12f 
 * oracle to attacks.
Packit aea12f 
 */
Packit aea12f 
int cbc_mac_verify(gnutls_session_t session, record_parameters_st *params,
Packit aea12f 
		   uint8_t preamble[MAX_PREAMBLE_SIZE],
Packit aea12f 
		   content_type_t type,
Packit Service 991b93 
		   uint64_t sequence,
Packit aea12f 
		   const uint8_t *data, size_t data_size,
Packit aea12f 
		   size_t tag_size)
Packit aea12f 
{
Packit aea12f 
	int ret;
Packit aea12f 
	const version_entry_st *ver = get_version(session);
Packit aea12f 
	unsigned int tmp_pad_failed = 0;
Packit aea12f 
	unsigned int pad_failed = 0;
Packit aea12f 
	unsigned int pad, i, length;
Packit aea12f 
	const uint8_t *tag_ptr = NULL;
Packit aea12f 
	unsigned preamble_size;
Packit aea12f 
	uint8_t tag[MAX_HASH_SIZE];
Packit aea12f 
#ifdef ENABLE_SSL3
Packit aea12f 
	unsigned blocksize = _gnutls_cipher_get_block_size(params->cipher);
Packit aea12f 
#endif
Packit aea12f
Packit aea12f 
	pad = data[data_size - 1];	/* pad */
Packit aea12f
Packit aea12f 
	/* Check the padding bytes (TLS 1.x).
Packit aea12f 
	 * Note that we access all 256 bytes of ciphertext for padding check
Packit aea12f 
	 * because there is a timing channel in that memory access (in certain CPUs).
Packit aea12f 
	 */
Packit aea12f 
#ifdef ENABLE_SSL3
Packit aea12f 
	if (ver->id == GNUTLS_SSL3) {
Packit aea12f 
		if (pad >= blocksize)
Packit aea12f 
			pad_failed = 1;
Packit aea12f 
	} else
Packit aea12f 
#endif
Packit aea12f 
	{
Packit aea12f 
		for (i = 2; i <= MIN(256, data_size); i++) {
Packit aea12f 
			tmp_pad_failed |=
Packit aea12f 
			    (data[data_size - i] != pad);
Packit aea12f 
			pad_failed |=
Packit aea12f 
			    ((i <= (1 + pad)) & (tmp_pad_failed));
Packit aea12f 
		}
Packit aea12f 
	}
Packit aea12f
Packit aea12f 
	if (unlikely
Packit aea12f 
	    (pad_failed != 0
Packit aea12f 
	     || (1 + pad > ((int) data_size - tag_size)))) {
Packit aea12f 
		/* We do not fail here. We check below for the
Packit aea12f 
		 * the pad_failed. If zero means success.
Packit aea12f 
		 */
Packit aea12f 
		pad_failed = 1;
Packit aea12f 
		pad = 0;
Packit aea12f 
	}
Packit aea12f
Packit aea12f 
	length = data_size - tag_size - pad - 1;
Packit aea12f 
	tag_ptr = &data[length];
Packit aea12f
Packit aea12f 
	/* Pass the type, version, length and plain through
Packit aea12f 
	 * MAC.
Packit aea12f 
	 */
Packit aea12f 
	preamble_size =
Packit Service 991b93 
	    _gnutls_make_preamble(sequence, type,
Packit aea12f 
				  length, ver, preamble);
Packit aea12f
Packit aea12f 
	ret =
Packit aea12f 
	    _gnutls_auth_cipher_add_auth(&params->read.
Packit aea12f 
					 ctx.tls12, preamble,
Packit aea12f 
					 preamble_size);
Packit aea12f 
	if (unlikely(ret < 0))
Packit aea12f 
		return gnutls_assert_val(ret);
Packit aea12f
Packit aea12f 
	ret =
Packit aea12f 
	    _gnutls_auth_cipher_add_auth(&params->read.
Packit aea12f 
					 ctx.tls12,
Packit aea12f 
					 data, length);
Packit aea12f 
	if (unlikely(ret < 0))
Packit aea12f 
		return gnutls_assert_val(ret);
Packit aea12f
Packit aea12f 
	ret =
Packit aea12f 
	    _gnutls_auth_cipher_tag(&params->read.ctx.tls12, tag,
Packit aea12f 
				    tag_size);
Packit aea12f 
	if (unlikely(ret < 0))
Packit aea12f 
		return gnutls_assert_val(ret);
Packit aea12f
Packit aea12f 
	if (unlikely
Packit aea12f 
	    (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
Packit aea12f 
		/* HMAC was not the same. */
Packit aea12f 
		dummy_wait(params, data, data_size,
Packit aea12f 
			   length + preamble_size,
Packit aea12f 
			   preamble_size + data_size - tag_size - 1);
Packit aea12f
Packit aea12f 
		return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
Packit aea12f 
	}
Packit aea12f
Packit aea12f 
	return length;
Packit aea12f 
}

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation