xref: /freebsd/contrib/bearssl/src/ssl/ssl_rec_cbc.c (revision cc9e6590773dba57440750c124173ed531349a06)
1 /*
2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #include "inner.h"
26 
27 static void
in_cbc_init(br_sslrec_in_cbc_context * cc,const br_block_cbcdec_class * bc_impl,const void * bc_key,size_t bc_key_len,const br_hash_class * dig_impl,const void * mac_key,size_t mac_key_len,size_t mac_out_len,const void * iv)28 in_cbc_init(br_sslrec_in_cbc_context *cc,
29 	const br_block_cbcdec_class *bc_impl,
30 	const void *bc_key, size_t bc_key_len,
31 	const br_hash_class *dig_impl,
32 	const void *mac_key, size_t mac_key_len, size_t mac_out_len,
33 	const void *iv)
34 {
35 	cc->vtable = &br_sslrec_in_cbc_vtable;
36 	cc->seq = 0;
37 	bc_impl->init(&cc->bc.vtable, bc_key, bc_key_len);
38 	br_hmac_key_init(&cc->mac, dig_impl, mac_key, mac_key_len);
39 	cc->mac_len = mac_out_len;
40 	if (iv == NULL) {
41 		memset(cc->iv, 0, sizeof cc->iv);
42 		cc->explicit_IV = 1;
43 	} else {
44 		memcpy(cc->iv, iv, bc_impl->block_size);
45 		cc->explicit_IV = 0;
46 	}
47 }
48 
49 static int
cbc_check_length(const br_sslrec_in_cbc_context * cc,size_t rlen)50 cbc_check_length(const br_sslrec_in_cbc_context *cc, size_t rlen)
51 {
52 	/*
53 	 * Plaintext size: at most 16384 bytes
54 	 * Padding: at most 256 bytes
55 	 * MAC: mac_len extra bytes
56 	 * TLS 1.1+: each record has an explicit IV
57 	 *
58 	 * Minimum length includes at least one byte of padding, and the
59 	 * MAC.
60 	 *
61 	 * Total length must be a multiple of the block size.
62 	 */
63 	size_t blen;
64 	size_t min_len, max_len;
65 
66 	blen = cc->bc.vtable->block_size;
67 	min_len = (blen + cc->mac_len) & ~(blen - 1);
68 	max_len = (16384 + 256 + cc->mac_len) & ~(blen - 1);
69 	if (cc->explicit_IV) {
70 		min_len += blen;
71 		max_len += blen;
72 	}
73 	return min_len <= rlen && rlen <= max_len;
74 }
75 
76 /*
77  * Rotate array buf[] of length 'len' to the left (towards low indices)
78  * by 'num' bytes if ctl is 1; otherwise, leave it unchanged. This is
79  * constant-time. 'num' MUST be lower than 'len'. 'len' MUST be lower
80  * than or equal to 64.
81  */
82 static void
cond_rotate(uint32_t ctl,unsigned char * buf,size_t len,size_t num)83 cond_rotate(uint32_t ctl, unsigned char *buf, size_t len, size_t num)
84 {
85 	unsigned char tmp[64];
86 	size_t u, v;
87 
88 	for (u = 0, v = num; u < len; u ++) {
89 		tmp[u] = MUX(ctl, buf[v], buf[u]);
90 		if (++ v == len) {
91 			v = 0;
92 		}
93 	}
94 	memcpy(buf, tmp, len);
95 }
96 
97 static unsigned char *
cbc_decrypt(br_sslrec_in_cbc_context * cc,int record_type,unsigned version,void * data,size_t * data_len)98 cbc_decrypt(br_sslrec_in_cbc_context *cc,
99 	int record_type, unsigned version, void *data, size_t *data_len)
100 {
101 	/*
102 	 * We represent all lengths on 32-bit integers, because:
103 	 * -- SSL record lengths always fit in 32 bits;
104 	 * -- our constant-time primitives operate on 32-bit integers.
105 	 */
106 	unsigned char *buf;
107 	uint32_t u, v, len, blen, min_len, max_len;
108 	uint32_t good, pad_len, rot_count, len_withmac, len_nomac;
109 	unsigned char tmp1[64], tmp2[64];
110 	int i;
111 	br_hmac_context hc;
112 
113 	buf = data;
114 	len = *data_len;
115 	blen = cc->bc.vtable->block_size;
116 
117 	/*
118 	 * Decrypt data, and skip the explicit IV (if applicable). Note
119 	 * that the total length is supposed to have been verified by
120 	 * the caller. If there is an explicit IV, then we actually
121 	 * "decrypt" it using the implicit IV (from previous record),
122 	 * which is useless but harmless.
123 	 */
124 	cc->bc.vtable->run(&cc->bc.vtable, cc->iv, data, len);
125 	if (cc->explicit_IV) {
126 		buf += blen;
127 		len -= blen;
128 	}
129 
130 	/*
131 	 * Compute minimum and maximum length of plaintext + MAC. These
132 	 * lengths can be inferred from the outside: they are not secret.
133 	 */
134 	min_len = (cc->mac_len + 256 < len) ? len - 256 : cc->mac_len;
135 	max_len = len - 1;
136 
137 	/*
138 	 * Use the last decrypted byte to compute the actual payload
139 	 * length. Take care not to overflow (we use unsigned types).
140 	 */
141 	pad_len = buf[max_len];
142 	good = LE(pad_len, (uint32_t)(max_len - min_len));
143 	len = MUX(good, (uint32_t)(max_len - pad_len), min_len);
144 
145 	/*
146 	 * Check padding contents: all padding bytes must be equal to
147 	 * the value of pad_len.
148 	 */
149 	for (u = min_len; u < max_len; u ++) {
150 		good &= LT(u, len) | EQ(buf[u], pad_len);
151 	}
152 
153 	/*
154 	 * Extract the MAC value. This is done in one pass, but results
155 	 * in a "rotated" MAC value depending on where it actually
156 	 * occurs. The 'rot_count' value is set to the offset of the
157 	 * first MAC byte within tmp1[].
158 	 *
159 	 * min_len and max_len are also adjusted to the minimum and
160 	 * maximum lengths of the plaintext alone (without the MAC).
161 	 */
162 	len_withmac = (uint32_t)len;
163 	len_nomac = len_withmac - cc->mac_len;
164 	min_len -= cc->mac_len;
165 	rot_count = 0;
166 	memset(tmp1, 0, cc->mac_len);
167 	v = 0;
168 	for (u = min_len; u < max_len; u ++) {
169 		tmp1[v] |= MUX(GE(u, len_nomac) & LT(u, len_withmac),
170 			buf[u], 0x00);
171 		rot_count = MUX(EQ(u, len_nomac), v, rot_count);
172 		if (++ v == cc->mac_len) {
173 			v = 0;
174 		}
175 	}
176 	max_len -= cc->mac_len;
177 
178 	/*
179 	 * Rotate back the MAC value. The loop below does the constant-time
180 	 * rotation in time n*log n for a MAC output of length n. We assume
181 	 * that the MAC output length is no more than 64 bytes, so the
182 	 * rotation count fits on 6 bits.
183 	 */
184 	for (i = 5; i >= 0; i --) {
185 		uint32_t rc;
186 
187 		rc = (uint32_t)1 << i;
188 		cond_rotate(rot_count >> i, tmp1, cc->mac_len, rc);
189 		rot_count &= ~rc;
190 	}
191 
192 	/*
193 	 * Recompute the HMAC value. The input is the concatenation of
194 	 * the sequence number (8 bytes), the record header (5 bytes),
195 	 * and the payload.
196 	 *
197 	 * At that point, min_len is the minimum plaintext length, but
198 	 * max_len still includes the MAC length.
199 	 */
200 	br_enc64be(tmp2, cc->seq ++);
201 	tmp2[8] = (unsigned char)record_type;
202 	br_enc16be(tmp2 + 9, version);
203 	br_enc16be(tmp2 + 11, len_nomac);
204 	br_hmac_init(&hc, &cc->mac, cc->mac_len);
205 	br_hmac_update(&hc, tmp2, 13);
206 	br_hmac_outCT(&hc, buf, len_nomac, min_len, max_len, tmp2);
207 
208 	/*
209 	 * Compare the extracted and recomputed MAC values.
210 	 */
211 	for (u = 0; u < cc->mac_len; u ++) {
212 		good &= EQ0(tmp1[u] ^ tmp2[u]);
213 	}
214 
215 	/*
216 	 * Check that the plaintext length is valid. The previous
217 	 * check was on the encrypted length, but the padding may have
218 	 * turned shorter than expected.
219 	 *
220 	 * Once this final test is done, the critical "constant-time"
221 	 * section ends and we can make conditional jumps again.
222 	 */
223 	good &= LE(len_nomac, 16384);
224 
225 	if (!good) {
226 		return 0;
227 	}
228 	*data_len = len_nomac;
229 	return buf;
230 }
231 
232 /* see bearssl_ssl.h */
233 const br_sslrec_in_cbc_class br_sslrec_in_cbc_vtable = {
234 	{
235 		sizeof(br_sslrec_in_cbc_context),
236 		(int (*)(const br_sslrec_in_class *const *, size_t))
237 			&cbc_check_length,
238 		(unsigned char *(*)(const br_sslrec_in_class **,
239 			int, unsigned, void *, size_t *))
240 			&cbc_decrypt
241 	},
242 	(void (*)(const br_sslrec_in_cbc_class **,
243 		const br_block_cbcdec_class *, const void *, size_t,
244 		const br_hash_class *, const void *, size_t, size_t,
245 		const void *))
246 		&in_cbc_init
247 };
248 
249 /*
250  * For CBC output:
251  *
252  * -- With TLS 1.1+, there is an explicit IV. Generation method uses
253  * HMAC, computed over the current sequence number, and the current MAC
254  * key. The resulting value is truncated to the size of a block, and
255  * added at the head of the plaintext; it will get encrypted along with
256  * the data. This custom generation mechanism is "safe" under the
257  * assumption that HMAC behaves like a random oracle; since the MAC for
258  * a record is computed over the concatenation of the sequence number,
259  * the record header and the plaintext, the HMAC-for-IV will not collide
260  * with the normal HMAC.
261  *
262  * -- With TLS 1.0, for application data, we want to enforce a 1/n-1
263  * split, as a countermeasure against chosen-plaintext attacks. We thus
264  * need to leave some room in the buffer for that extra record.
265  */
266 
267 static void
out_cbc_init(br_sslrec_out_cbc_context * cc,const br_block_cbcenc_class * bc_impl,const void * bc_key,size_t bc_key_len,const br_hash_class * dig_impl,const void * mac_key,size_t mac_key_len,size_t mac_out_len,const void * iv)268 out_cbc_init(br_sslrec_out_cbc_context *cc,
269 	const br_block_cbcenc_class *bc_impl,
270 	const void *bc_key, size_t bc_key_len,
271 	const br_hash_class *dig_impl,
272 	const void *mac_key, size_t mac_key_len, size_t mac_out_len,
273 	const void *iv)
274 {
275 	cc->vtable = &br_sslrec_out_cbc_vtable;
276 	cc->seq = 0;
277 	bc_impl->init(&cc->bc.vtable, bc_key, bc_key_len);
278 	br_hmac_key_init(&cc->mac, dig_impl, mac_key, mac_key_len);
279 	cc->mac_len = mac_out_len;
280 	if (iv == NULL) {
281 		memset(cc->iv, 0, sizeof cc->iv);
282 		cc->explicit_IV = 1;
283 	} else {
284 		memcpy(cc->iv, iv, bc_impl->block_size);
285 		cc->explicit_IV = 0;
286 	}
287 }
288 
289 static void
cbc_max_plaintext(const br_sslrec_out_cbc_context * cc,size_t * start,size_t * end)290 cbc_max_plaintext(const br_sslrec_out_cbc_context *cc,
291 	size_t *start, size_t *end)
292 {
293 	size_t blen, len;
294 
295 	blen = cc->bc.vtable->block_size;
296 	if (cc->explicit_IV) {
297 		*start += blen;
298 	} else {
299 		*start += 4 + ((cc->mac_len + blen + 1) & ~(blen - 1));
300 	}
301 	len = (*end - *start) & ~(blen - 1);
302 	len -= 1 + cc->mac_len;
303 	if (len > 16384) {
304 		len = 16384;
305 	}
306 	*end = *start + len;
307 }
308 
309 static unsigned char *
cbc_encrypt(br_sslrec_out_cbc_context * cc,int record_type,unsigned version,void * data,size_t * data_len)310 cbc_encrypt(br_sslrec_out_cbc_context *cc,
311 	int record_type, unsigned version, void *data, size_t *data_len)
312 {
313 	unsigned char *buf, *rbuf;
314 	size_t len, blen, plen;
315 	unsigned char tmp[13];
316 	br_hmac_context hc;
317 
318 	buf = data;
319 	len = *data_len;
320 	blen = cc->bc.vtable->block_size;
321 
322 	/*
323 	 * If using TLS 1.0, with more than one byte of plaintext, and
324 	 * the record is application data, then we need to compute
325 	 * a "split". We do not perform the split on other record types
326 	 * because it turned out that some existing, deployed
327 	 * implementations of SSL/TLS do not tolerate the splitting of
328 	 * some message types (in particular the Finished message).
329 	 *
330 	 * If using TLS 1.1+, then there is an explicit IV. We produce
331 	 * that IV by adding an extra initial plaintext block, whose
332 	 * value is computed with HMAC over the record sequence number.
333 	 */
334 	if (cc->explicit_IV) {
335 		/*
336 		 * We use here the fact that all the HMAC variants we
337 		 * support can produce at least 16 bytes, while all the
338 		 * block ciphers we support have blocks of no more than
339 		 * 16 bytes. Thus, we can always truncate the HMAC output
340 		 * down to the block size.
341 		 */
342 		br_enc64be(tmp, cc->seq);
343 		br_hmac_init(&hc, &cc->mac, blen);
344 		br_hmac_update(&hc, tmp, 8);
345 		br_hmac_out(&hc, buf - blen);
346 		rbuf = buf - blen - 5;
347 	} else {
348 		if (len > 1 && record_type == BR_SSL_APPLICATION_DATA) {
349 			/*
350 			 * To do the split, we use a recursive invocation;
351 			 * since we only give one byte to the inner call,
352 			 * the recursion stops there.
353 			 *
354 			 * We need to compute the exact size of the extra
355 			 * record, so that the two resulting records end up
356 			 * being sequential in RAM.
357 			 *
358 			 * We use here the fact that cbc_max_plaintext()
359 			 * adjusted the start offset to leave room for the
360 			 * initial fragment.
361 			 */
362 			size_t xlen;
363 
364 			rbuf = buf - 4
365 				- ((cc->mac_len + blen + 1) & ~(blen - 1));
366 			rbuf[0] = buf[0];
367 			xlen = 1;
368 			rbuf = cbc_encrypt(cc, record_type,
369 				version, rbuf, &xlen);
370 			buf ++;
371 			len --;
372 		} else {
373 			rbuf = buf - 5;
374 		}
375 	}
376 
377 	/*
378 	 * Compute MAC.
379 	 */
380 	br_enc64be(tmp, cc->seq ++);
381 	tmp[8] = record_type;
382 	br_enc16be(tmp + 9, version);
383 	br_enc16be(tmp + 11, len);
384 	br_hmac_init(&hc, &cc->mac, cc->mac_len);
385 	br_hmac_update(&hc, tmp, 13);
386 	br_hmac_update(&hc, buf, len);
387 	br_hmac_out(&hc, buf + len);
388 	len += cc->mac_len;
389 
390 	/*
391 	 * Add padding.
392 	 */
393 	plen = blen - (len & (blen - 1));
394 	memset(buf + len, (unsigned)plen - 1, plen);
395 	len += plen;
396 
397 	/*
398 	 * If an explicit IV is used, the corresponding extra block was
399 	 * already put in place earlier; we just have to account for it
400 	 * here.
401 	 */
402 	if (cc->explicit_IV) {
403 		buf -= blen;
404 		len += blen;
405 	}
406 
407 	/*
408 	 * Encrypt the whole thing. If there is an explicit IV, we also
409 	 * encrypt it, which is fine (encryption of a uniformly random
410 	 * block is still a uniformly random block).
411 	 */
412 	cc->bc.vtable->run(&cc->bc.vtable, cc->iv, buf, len);
413 
414 	/*
415 	 * Add the header and return.
416 	 */
417 	buf[-5] = record_type;
418 	br_enc16be(buf - 4, version);
419 	br_enc16be(buf - 2, len);
420 	*data_len = (size_t)((buf + len) - rbuf);
421 	return rbuf;
422 }
423 
424 /* see bearssl_ssl.h */
425 const br_sslrec_out_cbc_class br_sslrec_out_cbc_vtable = {
426 	{
427 		sizeof(br_sslrec_out_cbc_context),
428 		(void (*)(const br_sslrec_out_class *const *,
429 			size_t *, size_t *))
430 			&cbc_max_plaintext,
431 		(unsigned char *(*)(const br_sslrec_out_class **,
432 			int, unsigned, void *, size_t *))
433 			&cbc_encrypt
434 	},
435 	(void (*)(const br_sslrec_out_cbc_class **,
436 		const br_block_cbcenc_class *, const void *, size_t,
437 		const br_hash_class *, const void *, size_t, size_t,
438 		const void *))
439 		&out_cbc_init
440 };
441