10#include <botan/internal/tls_record.h>
11#include <botan/tls_ciphersuite.h>
12#include <botan/tls_exceptn.h>
13#include <botan/loadstor.h>
14#include <botan/internal/tls_seq_numbers.h>
15#include <botan/internal/tls_session_key.h>
16#include <botan/internal/rounding.h>
17#include <botan/internal/ct_utils.h>
20#if defined(BOTAN_HAS_TLS_CBC)
21 #include <botan/internal/tls_cbc.h>
33 bool uses_encrypt_then_mac) :
34 m_start_time(
std::chrono::system_clock::now())
41 m_nonce = keys.
nonce(side);
47#if defined(BOTAN_HAS_TLS_CBC)
60 uses_encrypt_then_mac));
70 uses_encrypt_then_mac));
75 throw Internal_Error(
"Negotiated disabled TLS CBC+HMAC ciphersuite");
83 m_aead->set_key(aead_key);
88 switch(m_nonce_format)
94 std::vector<uint8_t> nonce;
99 rng.
randomize(nonce.data(), nonce.size());
104 std::vector<uint8_t> nonce(12);
106 xor_buf(nonce, m_nonce.data(), m_nonce.size());
112 std::vector<uint8_t> nonce(12);
113 copy_mem(&nonce[0], m_nonce.data(), 4);
125 switch(m_nonce_format)
131 std::vector<uint8_t> nonce;
142 std::vector<uint8_t> nonce(12);
144 xor_buf(nonce, m_nonce.data(), m_nonce.size());
151 throw Decoding_Error(
"Invalid AEAD packet too short to be valid");
152 std::vector<uint8_t> nonce(12);
153 copy_mem(&nonce[0], m_nonce.data(), 4);
168 std::vector<uint8_t> ad(13);
184 const uint16_t len16 =
static_cast<uint16_t
>(len_field);
186 output.push_back(
get_byte(0, len16));
187 output.push_back(
get_byte(1, len16));
192 Protocol_Version version,
193 uint64_t record_sequence)
197 output.push_back(record_type);
198 output.push_back(version.major_version());
199 output.push_back(version.minor_version());
201 if(version.is_datagram_protocol())
203 for(
size_t i = 0; i != 8; ++i)
204 output.push_back(
get_byte(i, record_sequence));
213 uint64_t record_sequence,
214 const uint8_t* message,
218 throw Internal_Error(
"Writing an unencrypted TLS application data record");
219 write_record_header(output, record_type, version, record_sequence);
220 append_u16_len(output, message_len);
221 output.insert(output.end(), message, message + message_len);
227 uint64_t record_sequence,
228 const uint8_t* message,
233 write_record_header(output, record_type, version, record_sequence);
236 std::vector<uint8_t> aad = cs.
format_ad(record_sequence, record_type, version,
static_cast<uint16_t
>(message_len));
244 const std::vector<uint8_t> nonce = cs.
aead_nonce(record_sequence, rng);
246 append_u16_len(output, rec_size);
256 const size_t header_size = output.size();
257 output += std::make_pair(message, message_len);
260 aead.
finish(output, header_size);
263 "Produced ciphertext larger than protocol allows");
269 const uint8_t*& input,
271 size_t& input_consumed,
274 if(readbuf.size() >= desired)
277 const size_t taken = std::min(input_size, desired - readbuf.size());
279 readbuf.insert(readbuf.end(), input, input + taken);
280 input_consumed += taken;
284 return (desired - readbuf.size());
287void decrypt_record(secure_vector<uint8_t>& output,
288 uint8_t record_contents[],
size_t record_len,
289 uint64_t record_sequence,
290 Protocol_Version record_version,
292 Connection_Cipher_State& cs)
294 AEAD_Mode& aead = cs.aead();
296 const std::vector<uint8_t> nonce = cs.aead_nonce(record_contents, record_len, record_sequence);
297 const uint8_t* msg = &record_contents[cs.nonce_bytes_from_record()];
298 const size_t msg_length = record_len - cs.nonce_bytes_from_record();
307 if(msg_length < aead.minimum_final_size())
310 const size_t ptext_size = aead.output_length(msg_length);
312 aead.set_associated_data_vec(
313 cs.format_ad(record_sequence,
314 static_cast<uint8_t
>(record_type),
316 static_cast<uint16_t
>(ptext_size))
321 output.assign(msg, msg + msg_length);
322 aead.finish(output, 0);
325Record_Header read_tls_record(secure_vector<uint8_t>& readbuf,
326 const uint8_t input[],
329 secure_vector<uint8_t>& recbuf,
330 Connection_Sequence_Numbers* sequence_numbers,
335 if(
size_t needed = fill_buffer_to(readbuf, input, input_len, consumed,
TLS_HEADER_SIZE))
337 return Record_Header(needed);
346 "Got unexpected TLS record version");
349 const Protocol_Version version(readbuf[1], readbuf[2]);
356 "Received a record that exceeds maximum size");
360 "Received a completely empty record");
362 if(
size_t needed = fill_buffer_to(readbuf, input, input_len, consumed,
TLS_HEADER_SIZE + record_size))
364 return Record_Header(needed);
369 "Have the full record");
375 uint64_t sequence = 0;
378 sequence = sequence_numbers->next_read_sequence();
379 epoch = sequence_numbers->current_read_epoch();
391 return Record_Header(sequence, version,
type);
395 auto cs = get_cipherstate(epoch);
399 decrypt_record(recbuf,
408 sequence_numbers->read_accept(sequence);
411 return Record_Header(sequence, version,
type);
414Record_Header read_dtls_record(secure_vector<uint8_t>& readbuf,
415 const uint8_t input[],
418 secure_vector<uint8_t>& recbuf,
419 Connection_Sequence_Numbers* sequence_numbers,
421 bool allow_epoch0_restart)
428 return Record_Header(0);
434 const Protocol_Version version(readbuf[1], readbuf[2]);
436 if(version.is_datagram_protocol() ==
false)
439 return Record_Header(0);
449 return Record_Header(0);
452 if(fill_buffer_to(readbuf, input, input_len, consumed,
DTLS_HEADER_SIZE + record_size))
456 return Record_Header(0);
460 "Have the full record");
465 const uint16_t epoch = (sequence >> 48);
467 const bool already_seen = sequence_numbers && sequence_numbers->already_seen(sequence);
469 if(already_seen && !(epoch == 0 && allow_epoch0_restart))
472 return Record_Header(0);
480 sequence_numbers->read_accept(sequence);
481 return Record_Header(sequence, version,
type);
487 auto cs = get_cipherstate(epoch);
491 decrypt_record(recbuf,
499 catch(std::exception&)
502 return Record_Header(0);
506 sequence_numbers->read_accept(sequence);
509 return Record_Header(sequence, version,
type);
516 const uint8_t input[],
522 bool allow_epoch0_restart)
525 return read_dtls_record(readbuf, input, input_len, consumed,
526 recbuf, sequence_numbers, get_cipherstate, allow_epoch0_restart);
528 return read_tls_record(readbuf, input, input_len, consumed,
529 recbuf, sequence_numbers, get_cipherstate);
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_UNUSED(...)
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
#define BOTAN_ASSERT(expr, assertion_made)
static std::unique_ptr< AEAD_Mode > create_or_throw(const std::string &algo, Cipher_Dir direction, const std::string &provider="")
void set_ad(const std::vector< uint8_t, Alloc > &ad)
static std::unique_ptr< BlockCipher > create_or_throw(const std::string &algo_spec, const std::string &provider="")
void start(const std::vector< uint8_t, Alloc > &nonce)
virtual size_t output_length(size_t input_length) const =0
virtual void finish(secure_vector< uint8_t > &final_block, size_t offset=0)=0
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(const std::string &algo_spec, const std::string &provider="")
virtual void randomize(uint8_t output[], size_t length)=0
size_t nonce_bytes_from_record(Protocol_Version version) const
Nonce_Format nonce_format() const
size_t mac_keylen() const
size_t cipher_keylen() const
size_t nonce_bytes_from_handshake() const
std::string mac_algo() const
std::string cipher_algo() const
size_t nonce_bytes_from_record() const
Nonce_Format nonce_format() const
size_t nonce_bytes_from_handshake() const
Connection_Cipher_State(Protocol_Version version, Connection_Side which_side, bool is_our_side, const Ciphersuite &suite, const Session_Keys &keys, bool uses_encrypt_then_mac)
std::vector< uint8_t > aead_nonce(uint64_t seq, RandomNumberGenerator &rng)
std::vector< uint8_t > format_ad(uint64_t seq, uint8_t type, Protocol_Version version, uint16_t ptext_length)
uint8_t major_version() const
uint8_t minor_version() const
const std::vector< uint8_t > & nonce(Connection_Side side) const
const secure_vector< uint8_t > & aead_key(Connection_Side side) const
void write_record(secure_vector< uint8_t > &output, uint8_t record_type, Protocol_Version version, uint64_t record_sequence, const uint8_t *message, size_t message_len, Connection_Cipher_State &cs, RandomNumberGenerator &rng)
void write_unencrypted_record(secure_vector< uint8_t > &output, uint8_t record_type, Protocol_Version version, uint64_t record_sequence, const uint8_t *message, size_t message_len)
std::function< std::shared_ptr< Connection_Cipher_State >(uint16_t)> get_cipherstate_fn
Record_Header read_record(bool is_datagram, secure_vector< uint8_t > &readbuf, const uint8_t input[], size_t input_len, size_t &consumed, secure_vector< uint8_t > &recbuf, Connection_Sequence_Numbers *sequence_numbers, get_cipherstate_fn get_cipherstate, bool allow_epoch0_restart)
void store_be(uint16_t in, uint8_t out[2])
void copy_mem(T *out, const T *in, size_t n)
uint64_t load_be< uint64_t >(const uint8_t in[], size_t off)
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
constexpr uint8_t get_byte(size_t byte_num, T input)
std::vector< T, secure_allocator< T > > secure_vector
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)