2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 in_cbc_init(br_sslrec_in_cbc_context *cc,
29 const br_block_cbcdec_class *bc_impl,
30 const void *bc_key, size_t bc_key_len,
31 const br_hash_class *dig_impl,
32 const void *mac_key, size_t mac_key_len, size_t mac_out_len,
35 cc->vtable = &br_sslrec_in_cbc_vtable;
37 bc_impl->init(&cc->bc.vtable, bc_key, bc_key_len);
38 br_hmac_key_init(&cc->mac, dig_impl, mac_key, mac_key_len);
39 cc->mac_len = mac_out_len;
41 memset(cc->iv, 0, sizeof cc->iv);
44 memcpy(cc->iv, iv, bc_impl->block_size);
50 cbc_check_length(const br_sslrec_in_cbc_context *cc, size_t rlen)
53 * Plaintext size: at most 16384 bytes
54 * Padding: at most 256 bytes
55 * MAC: mac_len extra bytes
56 * TLS 1.1+: each record has an explicit IV
58 * Minimum length includes at least one byte of padding, and the
61 * Total length must be a multiple of the block size.
64 size_t min_len, max_len;
66 blen = cc->bc.vtable->block_size;
67 min_len = (blen + cc->mac_len) & ~(blen - 1);
68 max_len = (16384 + 256 + cc->mac_len) & ~(blen - 1);
69 if (cc->explicit_IV) {
73 return min_len <= rlen && rlen <= max_len;
77 * Rotate array buf[] of length 'len' to the left (towards low indices)
78 * by 'num' bytes if ctl is 1; otherwise, leave it unchanged. This is
79 * constant-time. 'num' MUST be lower than 'len'. 'len' MUST be lower
80 * than or equal to 64.
83 cond_rotate(uint32_t ctl, unsigned char *buf, size_t len, size_t num)
85 unsigned char tmp[64];
88 for (u = 0, v = num; u < len; u ++) {
89 tmp[u] = MUX(ctl, buf[v], buf[u]);
94 memcpy(buf, tmp, len);
97 static unsigned char *
98 cbc_decrypt(br_sslrec_in_cbc_context *cc,
99 int record_type, unsigned version, void *data, size_t *data_len)
102 * We represent all lengths on 32-bit integers, because:
103 * -- SSL record lengths always fit in 32 bits;
104 * -- our constant-time primitives operate on 32-bit integers.
107 uint32_t u, v, len, blen, min_len, max_len;
108 uint32_t good, pad_len, rot_count, len_withmac, len_nomac;
109 unsigned char tmp1[64], tmp2[64];
115 blen = cc->bc.vtable->block_size;
118 * Decrypt data, and skip the explicit IV (if applicable). Note
119 * that the total length is supposed to have been verified by
120 * the caller. If there is an explicit IV, then we actually
121 * "decrypt" it using the implicit IV (from previous record),
122 * which is useless but harmless.
124 cc->bc.vtable->run(&cc->bc.vtable, cc->iv, data, len);
125 if (cc->explicit_IV) {
131 * Compute minimum and maximum length of plaintext + MAC. These
132 * lengths can be inferred from the outside: they are not secret.
134 min_len = (cc->mac_len + 256 < len) ? len - 256 : cc->mac_len;
138 * Use the last decrypted byte to compute the actual payload
139 * length. Take care not to underflow (we use unsigned types).
141 pad_len = buf[max_len];
142 good = LE(pad_len, (uint32_t)(max_len - min_len));
143 len = MUX(good, (uint32_t)(max_len - pad_len), min_len);
146 * Check padding contents: all padding bytes must be equal to
147 * the value of pad_len.
149 for (u = min_len; u < max_len; u ++) {
150 good &= LT(u, len) | EQ(buf[u], pad_len);
154 * Extract the MAC value. This is done in one pass, but results
155 * in a "rotated" MAC value depending on where it actually
156 * occurs. The 'rot_count' value is set to the offset of the
157 * first MAC byte within tmp1[].
159 * min_len and max_len are also adjusted to the minimum and
160 * maximum lengths of the plaintext alone (without the MAC).
162 len_withmac = (uint32_t)len;
163 len_nomac = len_withmac - cc->mac_len;
164 min_len -= cc->mac_len;
166 memset(tmp1, 0, cc->mac_len);
168 for (u = min_len; u < max_len; u ++) {
169 tmp1[v] |= MUX(GE(u, len_nomac) & LT(u, len_withmac),
171 rot_count = MUX(EQ(u, len_nomac), v, rot_count);
172 if (++ v == cc->mac_len) {
176 max_len -= cc->mac_len;
179 * Rotate back the MAC value. The loop below does the constant-time
180 * rotation in time n*log n for a MAC output of length n. We assume
181 * that the MAC output length is no more than 64 bytes, so the
182 * rotation count fits on 6 bits.
184 for (i = 5; i >= 0; i --) {
187 rc = (uint32_t)1 << i;
188 cond_rotate(rot_count >> i, tmp1, cc->mac_len, rc);
193 * Recompute the HMAC value. The input is the concatenation of
194 * the sequence number (8 bytes), the record header (5 bytes),
197 * At that point, min_len is the minimum plaintext length, but
198 * max_len still includes the MAC length.
200 br_enc64be(tmp2, cc->seq ++);
201 tmp2[8] = (unsigned char)record_type;
202 br_enc16be(tmp2 + 9, version);
203 br_enc16be(tmp2 + 11, len_nomac);
204 br_hmac_init(&hc, &cc->mac, cc->mac_len);
205 br_hmac_update(&hc, tmp2, 13);
206 br_hmac_outCT(&hc, buf, len_nomac, min_len, max_len, tmp2);
209 * Compare the extracted and recomputed MAC values.
211 for (u = 0; u < cc->mac_len; u ++) {
212 good &= EQ0(tmp1[u] ^ tmp2[u]);
216 * Check that the plaintext length is valid. The previous
217 * check was on the encrypted length, but the padding may have
218 * turned shorter than expected.
220 * Once this final test is done, the critical "constant-time"
221 * section ends and we can make conditional jumps again.
223 good &= LE(len_nomac, 16384);
228 *data_len = len_nomac;
232 /* see bearssl_ssl.h */
233 const br_sslrec_in_cbc_class br_sslrec_in_cbc_vtable = {
235 sizeof(br_sslrec_in_cbc_context),
236 (int (*)(const br_sslrec_in_class *const *, size_t))
238 (unsigned char *(*)(const br_sslrec_in_class **,
239 int, unsigned, void *, size_t *))
242 (void (*)(const br_sslrec_in_cbc_class **,
243 const br_block_cbcdec_class *, const void *, size_t,
244 const br_hash_class *, const void *, size_t, size_t,
252 * -- With TLS 1.1+, there is an explicit IV. Generation method uses
253 * HMAC, computed over the current sequence number, and the current MAC
254 * key. The resulting value is truncated to the size of a block, and
255 * added at the head of the plaintext; it will get encrypted along with
256 * the data. This custom generation mechanism is "safe" under the
257 * assumption that HMAC behaves like a random oracle; since the MAC for
258 * a record is computed over the concatenation of the sequence number,
259 * the record header and the plaintext, the HMAC-for-IV will not collide
260 * with the normal HMAC.
262 * -- With TLS 1.0, for application data, we want to enforce a 1/n-1
263 * split, as a countermeasure against chosen-plaintext attacks. We thus
264 * need to leave some room in the buffer for that extra record.
268 out_cbc_init(br_sslrec_out_cbc_context *cc,
269 const br_block_cbcenc_class *bc_impl,
270 const void *bc_key, size_t bc_key_len,
271 const br_hash_class *dig_impl,
272 const void *mac_key, size_t mac_key_len, size_t mac_out_len,
275 cc->vtable = &br_sslrec_out_cbc_vtable;
277 bc_impl->init(&cc->bc.vtable, bc_key, bc_key_len);
278 br_hmac_key_init(&cc->mac, dig_impl, mac_key, mac_key_len);
279 cc->mac_len = mac_out_len;
281 memset(cc->iv, 0, sizeof cc->iv);
284 memcpy(cc->iv, iv, bc_impl->block_size);
290 cbc_max_plaintext(const br_sslrec_out_cbc_context *cc,
291 size_t *start, size_t *end)
295 blen = cc->bc.vtable->block_size;
296 if (cc->explicit_IV) {
299 *start += 4 + ((cc->mac_len + blen + 1) & ~(blen - 1));
301 len = (*end - *start) & ~(blen - 1);
302 len -= 1 + cc->mac_len;
309 static unsigned char *
310 cbc_encrypt(br_sslrec_out_cbc_context *cc,
311 int record_type, unsigned version, void *data, size_t *data_len)
313 unsigned char *buf, *rbuf;
314 size_t len, blen, plen;
315 unsigned char tmp[13];
320 blen = cc->bc.vtable->block_size;
323 * If using TLS 1.0, with more than one byte of plaintext, and
324 * the record is application data, then we need to compute
325 * a "split". We do not perform the split on other record types
326 * because it turned out that some existing, deployed
327 * implementations of SSL/TLS do not tolerate the splitting of
328 * some message types (in particular the Finished message).
330 * If using TLS 1.1+, then there is an explicit IV. We produce
331 * that IV by adding an extra initial plaintext block, whose
332 * value is computed with HMAC over the record sequence number.
334 if (cc->explicit_IV) {
336 * We use here the fact that all the HMAC variants we
337 * support can produce at least 16 bytes, while all the
338 * block ciphers we support have blocks of no more than
339 * 16 bytes. Thus, we can always truncate the HMAC output
340 * down to the block size.
342 br_enc64be(tmp, cc->seq);
343 br_hmac_init(&hc, &cc->mac, blen);
344 br_hmac_update(&hc, tmp, 8);
345 br_hmac_out(&hc, buf - blen);
346 rbuf = buf - blen - 5;
348 if (len > 1 && record_type == BR_SSL_APPLICATION_DATA) {
350 * To do the split, we use a recursive invocation;
351 * since we only give one byte to the inner call,
352 * the recursion stops there.
354 * We need to compute the exact size of the extra
355 * record, so that the two resulting records end up
356 * being sequential in RAM.
358 * We use here the fact that cbc_max_plaintext()
359 * adjusted the start offset to leave room for the
365 - ((cc->mac_len + blen + 1) & ~(blen - 1));
368 rbuf = cbc_encrypt(cc, record_type,
369 version, rbuf, &xlen);
380 br_enc64be(tmp, cc->seq ++);
381 tmp[8] = record_type;
382 br_enc16be(tmp + 9, version);
383 br_enc16be(tmp + 11, len);
384 br_hmac_init(&hc, &cc->mac, cc->mac_len);
385 br_hmac_update(&hc, tmp, 13);
386 br_hmac_update(&hc, buf, len);
387 br_hmac_out(&hc, buf + len);
393 plen = blen - (len & (blen - 1));
394 memset(buf + len, (unsigned)plen - 1, plen);
398 * If an explicit IV is used, the corresponding extra block was
399 * already put in place earlier; we just have to account for it
402 if (cc->explicit_IV) {
408 * Encrypt the whole thing. If there is an explicit IV, we also
409 * encrypt it, which is fine (encryption of a uniformly random
410 * block is still a uniformly random block).
412 cc->bc.vtable->run(&cc->bc.vtable, cc->iv, buf, len);
415 * Add the header and return.
417 buf[-5] = record_type;
418 br_enc16be(buf - 4, version);
419 br_enc16be(buf - 2, len);
420 *data_len = (size_t)((buf + len) - rbuf);
424 /* see bearssl_ssl.h */
425 const br_sslrec_out_cbc_class br_sslrec_out_cbc_vtable = {
427 sizeof(br_sslrec_out_cbc_context),
428 (void (*)(const br_sslrec_out_class *const *,
431 (unsigned char *(*)(const br_sslrec_out_class **,
432 int, unsigned, void *, size_t *))
435 (void (*)(const br_sslrec_out_cbc_class **,
436 const br_block_cbcenc_class *, const void *, size_t,
437 const br_hash_class *, const void *, size_t, size_t,