11#include <botan/internal/tls_cbc.h>
14#include <botan/internal/rounding.h>
15#include <botan/internal/ct_utils.h>
16#include <botan/loadstor.h>
17#include <botan/tls_alert.h>
18#include <botan/tls_exceptn.h>
28 std::unique_ptr<BlockCipher> cipher,
29 std::unique_ptr<MessageAuthenticationCode> mac,
33 bool use_encrypt_then_mac) :
35 m_mac_name(mac->
name()),
36 m_cipher_keylen(cipher_keylen),
37 m_mac_keylen(mac_keylen),
38 m_use_encrypt_then_mac(use_encrypt_then_mac)
41 m_block_size = cipher->block_size();
47 m_mac = std::move(
mac);
71 return "TLS_CBC(" + m_cipher_name +
"," + m_mac_name +
")";
81 if(m_cbc_state.empty())
91void TLS_CBC_HMAC_AEAD_Mode::key_schedule(
const uint8_t key[],
size_t keylen)
95 if(keylen != m_cipher_keylen + m_mac_keylen)
99 cbc().
set_key(&key[m_mac_keylen], m_cipher_keylen);
102void TLS_CBC_HMAC_AEAD_Mode::start_msg(
const uint8_t nonce[],
size_t nonce_len)
113 m_cbc_state.assign(nonce, nonce + nonce_len);
119 m_msg.insert(m_msg.end(), buf, buf + sz);
125 std::vector<uint8_t> ad = m_ad;
136 m_ad.assign(ad, ad + ad_len);
149 assoc_data()[11] = get_byte<uint16_t>(0, enc_size);
150 assoc_data()[12] = get_byte<uint16_t>(1, enc_size);
154void TLS_CBC_HMAC_AEAD_Encryption::cbc_encrypt_record(
160 buffer.resize(buffer.size() + padding_length);
162 const uint8_t padding_val =
static_cast<uint8_t
>(padding_length - 1);
168 const size_t last_block_starts = buffer.size() -
block_size();
169 const size_t padding_starts = buffer.size() - padding_length;
170 for(
size_t i = last_block_starts; i != buffer.size(); ++i)
173 buffer[i] = add_padding.select(padding_val, buffer[i]);
181 cbc().
process(&buffer[offset], buffer.size() - offset);
183 cbc_state().assign(buffer.data() + (buffer.size() -
block_size()), buffer.data() + buffer.size());
196 const size_t msg_size =
msg().size();
202 const uint8_t padding_val =
static_cast<uint8_t
>(enc_size - input_size);
203 const size_t padding_length =
static_cast<size_t>(padding_val) + 1;
205 buffer.reserve(offset + msg_size + padding_length +
tag_size());
206 buffer.resize(offset + msg_size);
218 cbc_encrypt_record(buffer, offset, padding_length);
220 buffer.resize(buffer.size() +
tag_size());
226 buffer.resize(buffer.size() +
tag_size());
228 cbc_encrypt_record(buffer, offset, padding_length);
245 if(record_len == 0 || record_len > 0xFFFF)
248 const uint16_t rec16 =
static_cast<uint16_t
>(record_len);
255 const uint16_t to_check = std::min<uint16_t>(256,
static_cast<uint16_t
>(record_len));
256 const uint8_t pad_byte = record[record_len-1];
257 const uint16_t pad_bytes = 1 + pad_byte;
261 for(uint16_t i = rec16 - to_check; i != rec16; ++i)
263 const uint16_t offset = rec16 - i;
266 pad_invalid |= in_pad_range & ~pad_correct;
269 return pad_invalid.if_not_set_return(pad_bytes);
272void TLS_CBC_HMAC_AEAD_Decryption::cbc_decrypt_record(uint8_t record_contents[],
size_t record_len)
274 if(record_len == 0 || record_len %
block_size() != 0)
275 throw Decoding_Error(
"Received TLS CBC ciphertext with invalid length");
279 record_contents + record_len);
334void TLS_CBC_HMAC_AEAD_Decryption::perform_additional_compressions(
size_t plen,
size_t padlen)
337 uint16_t max_bytes_in_first_block;
338 if(
mac().
name() ==
"HMAC(SHA-384)")
341 max_bytes_in_first_block = 111;
346 max_bytes_in_first_block = 55;
349 const uint16_t L1 =
static_cast<uint16_t
>(13 + plen -
tag_size());
353 const uint16_t L2 =
static_cast<uint16_t
>(13 + plen - padlen -
tag_size());
357 const uint16_t max_compresssions = ( (L1 +
block_size - 1 - max_bytes_in_first_block) /
block_size);
358 const uint16_t current_compressions = ((L2 +
block_size - 1 - max_bytes_in_first_block) /
block_size);
360 const uint16_t add_compressions = max_compresssions - current_compressions;
365 const uint16_t data_len =
block_size * add_compressions + equal * max_bytes_in_first_block;
366 std::vector<uint8_t> data(data_len);
374 buffer.resize(offset);
376 const size_t record_len =
msg().size();
377 uint8_t* record_contents =
msg().data();
388 const size_t enc_size = record_len -
tag_size();
389 const size_t enc_iv_size = enc_size +
iv_size();
400 std::vector<uint8_t> mac_buf(
tag_size());
403 const size_t mac_offset = enc_size;
412 cbc_decrypt_record(record_contents, enc_size);
423 const uint8_t* plaintext_block = &record_contents[0];
424 const size_t plaintext_length = enc_size - pad_size;
426 buffer.insert(buffer.end(), plaintext_block, plaintext_block + plaintext_length);
430 cbc_decrypt_record(record_contents, record_len);
447 static_cast<uint16_t
>(
tag_size() + pad_size),
448 static_cast<uint16_t
>(record_len));
450 pad_size = size_ok_mask.if_set_return(pad_size);
460 const uint8_t* plaintext_block = &record_contents[0];
461 const uint16_t plaintext_length =
static_cast<uint16_t
>(record_len -
tag_size() - pad_size);
464 mac().
update(plaintext_block, plaintext_length);
466 std::vector<uint8_t> mac_buf(
tag_size());
469 const size_t mac_offset = record_len - (
tag_size() + pad_size);
479 buffer.insert(buffer.end(), plaintext_block, plaintext_block + plaintext_length);
483 perform_additional_compressions(record_len, pad_size);
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_DEBUG_ASSERT(expr)
#define BOTAN_ASSERT(expr, assertion_made)
void update(const uint8_t in[], size_t length)
virtual size_t output_length() const =0
void final(uint8_t out[])
static Mask< T > is_equal(T x, T y)
static Mask< T > expand(T v)
static Mask< T > is_lt(T x, T y)
static Mask< T > is_lte(T x, T y)
virtual size_t process(uint8_t msg[], size_t msg_len)=0
void start(const std::vector< uint8_t, Alloc > &nonce)
void set_key(const SymmetricKey &key)
bool supports_explicit_cbc_ivs() const
bool is_datagram_protocol() const
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
size_t output_length(size_t input_length) const override
void set_associated_data(const uint8_t ad[], size_t ad_len) override
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
size_t output_length(size_t input_length) const override
size_t block_size() const
secure_vector< uint8_t > & cbc_state()
void set_associated_data(const uint8_t ad[], size_t ad_len) override
std::vector< uint8_t > assoc_data_with_len(uint16_t len)
bool valid_nonce_length(size_t nl) const override final
Key_Length_Specification key_spec() const override final
bool use_encrypt_then_mac() const
void reset() override final
bool is_datagram_protocol() const
std::vector< uint8_t > & assoc_data()
secure_vector< uint8_t > & msg()
TLS_CBC_HMAC_AEAD_Mode(Cipher_Dir direction, std::unique_ptr< BlockCipher > cipher, std::unique_ptr< MessageAuthenticationCode > mac, size_t cipher_keylen, size_t mac_keylen, Protocol_Version version, bool use_encrypt_then_mac)
size_t process(uint8_t buf[], size_t sz) override final
size_t tag_size() const override final
MessageAuthenticationCode & mac() const
std::string name() const override final
void clear() override final
Cipher_Mode & cbc() const
size_t update_granularity() const override final
std::string m_cipher_name
int(* update)(CTX *, const void *, CC_LONG len)
void poison(const T *p, size_t n)
void unpoison(const T *p, size_t n)
uint16_t check_tls_cbc_padding(const uint8_t record[], size_t record_len)
void copy_mem(T *out, const T *in, size_t n)
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
constexpr uint8_t get_byte(size_t byte_num, T input)
std::vector< T, secure_allocator< T > > secure_vector
size_t round_up(size_t n, size_t align_to)
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)