10#include <botan/internal/tls_record.h>
11#include <botan/tls_ciphersuite.h>
12#include <botan/tls_callbacks.h>
13#include <botan/tls_exceptn.h>
14#include <botan/internal/loadstor.h>
15#include <botan/internal/tls_seq_numbers.h>
16#include <botan/internal/tls_session_key.h>
17#include <botan/internal/ct_utils.h>
21#if defined(BOTAN_HAS_TLS_CBC)
22 #include <botan/internal/tls_cbc.h>
32 bool uses_encrypt_then_mac)
39 m_nonce = keys.
nonce(side);
45#if defined(BOTAN_HAS_TLS_CBC)
52 m_aead = std::make_unique<TLS_CBC_HMAC_AEAD_Encryption>(
58 uses_encrypt_then_mac);
62 m_aead = std::make_unique<TLS_CBC_HMAC_AEAD_Decryption>(
68 uses_encrypt_then_mac);
73 throw Internal_Error(
"Negotiated disabled TLS CBC+HMAC ciphersuite");
81 m_aead->set_key(aead_key);
86 switch(m_nonce_format)
92 std::vector<uint8_t> nonce;
97 rng.
randomize(nonce.data(), nonce.size());
102 std::vector<uint8_t> nonce(12);
104 xor_buf(nonce, m_nonce.data(), m_nonce.size());
110 std::vector<uint8_t> nonce(12);
111 copy_mem(&nonce[0], m_nonce.data(), 4);
123 switch(m_nonce_format)
129 std::vector<uint8_t> nonce;
140 std::vector<uint8_t> nonce(12);
142 xor_buf(nonce, m_nonce.data(), m_nonce.size());
149 throw Decoding_Error(
"Invalid AEAD packet too short to be valid");
150 std::vector<uint8_t> nonce(12);
151 copy_mem(&nonce[0], m_nonce.data(), 4);
166 std::vector<uint8_t> ad(13);
169 ad[8] =
static_cast<uint8_t
>(msg_type);
172 ad[11] = get_byte<0>(msg_length);
173 ad[12] = get_byte<1>(msg_length);
182 const uint16_t len16 =
static_cast<uint16_t
>(len_field);
184 output.push_back(get_byte<0>(len16));
185 output.push_back(get_byte<1>(len16));
190 Protocol_Version version,
191 uint64_t record_sequence)
195 output.push_back(
static_cast<uint8_t
>(record_type));
196 output.push_back(version.major_version());
197 output.push_back(version.minor_version());
199 if(version.is_datagram_protocol())
201 for(
size_t i = 0; i != 8; ++i)
211 uint64_t record_sequence,
212 const uint8_t* message,
216 throw Internal_Error(
"Writing an unencrypted TLS application data record");
217 write_record_header(output, record_type, version, record_sequence);
218 append_u16_len(output, message_len);
219 output.insert(output.end(), message, message + message_len);
225 uint64_t record_sequence,
226 const uint8_t* message,
231 write_record_header(output, record_type, version, record_sequence);
234 std::vector<uint8_t> aad = cs.
format_ad(record_sequence, record_type, version,
static_cast<uint16_t
>(message_len));
242 const std::vector<uint8_t> nonce = cs.
aead_nonce(record_sequence, rng);
244 append_u16_len(output, rec_size);
254 const size_t header_size = output.size();
255 output += std::make_pair(message, message_len);
258 aead.
finish(output, header_size);
261 "Produced ciphertext larger than protocol allows");
267 const uint8_t*& input,
269 size_t& input_consumed,
272 if(readbuf.size() >= desired)
275 const size_t taken = std::min(input_size, desired - readbuf.size());
277 readbuf.insert(readbuf.end(), input, input + taken);
278 input_consumed += taken;
282 return (desired - readbuf.size());
285void decrypt_record(secure_vector<uint8_t>& output,
286 uint8_t record_contents[],
size_t record_len,
287 uint64_t record_sequence,
288 Protocol_Version record_version,
290 Connection_Cipher_State& cs)
292 AEAD_Mode& aead = cs.aead();
294 const std::vector<uint8_t> nonce = cs.aead_nonce(record_contents, record_len, record_sequence);
295 const uint8_t* msg = &record_contents[cs.nonce_bytes_from_record()];
296 const size_t msg_length = record_len - cs.nonce_bytes_from_record();
305 if(msg_length < aead.minimum_final_size())
306 throw TLS_Exception(Alert::BadRecordMac,
"AEAD packet is shorter than the tag");
308 const size_t ptext_size = aead.output_length(msg_length);
310 aead.set_associated_data(
311 cs.format_ad(record_sequence,
314 static_cast<uint16_t
>(ptext_size))
319 output.assign(msg, msg + msg_length);
320 aead.finish(output, 0);
323Record_Header read_tls_record(secure_vector<uint8_t>& readbuf,
324 const uint8_t input[],
327 secure_vector<uint8_t>& recbuf,
328 Connection_Sequence_Numbers* sequence_numbers,
333 if(
size_t needed = fill_buffer_to(readbuf, input, input_len, consumed,
TLS_HEADER_SIZE))
335 return Record_Header(needed);
353 const bool bad_record_type = readbuf[0] < 20 || readbuf[0] > 23;
354 const bool bad_record_version = readbuf[1] != 3 || readbuf[2] >= 4;
356 if(bad_record_type || bad_record_version)
359 const std::string first5 = std::string(
reinterpret_cast<const char*
>(readbuf.data()), 5);
361 if(first5 ==
"GET /" ||
366 throw TLS_Exception(Alert::ProtocolVersion,
367 "Client sent plaintext HTTP request instead of TLS handshake");
370 if(first5 ==
"CONNE")
372 throw TLS_Exception(Alert::ProtocolVersion,
373 "Client sent plaintext HTTP proxy CONNECT request instead of TLS handshake");
377 std::ostringstream oss;
378 oss <<
"TLS record ";
383 oss <<
" had unexpected value";
385 throw TLS_Exception(Alert::ProtocolVersion, oss.str());
388 const Protocol_Version version(readbuf[1], readbuf[2]);
390 if(version.is_datagram_protocol())
391 throw TLS_Exception(Alert::ProtocolVersion,
392 "Expected TLS but got a record with DTLS version");
398 throw TLS_Exception(Alert::RecordOverflow,
399 "Received a record that exceeds maximum size");
402 throw TLS_Exception(Alert::DecodeError,
403 "Received a completely empty record");
405 if(
size_t needed = fill_buffer_to(readbuf, input, input_len, consumed,
TLS_HEADER_SIZE + record_size))
407 return Record_Header(needed);
412 "Have the full record");
418 uint64_t sequence = 0;
421 sequence = sequence_numbers->next_read_sequence();
422 epoch = sequence_numbers->current_read_epoch();
434 return Record_Header(sequence, version, type);
438 auto cs = get_cipherstate(epoch);
442 decrypt_record(recbuf,
451 sequence_numbers->read_accept(sequence);
454 return Record_Header(sequence, version, type);
457Record_Header read_dtls_record(secure_vector<uint8_t>& readbuf,
458 const uint8_t input[],
461 secure_vector<uint8_t>& recbuf,
462 Connection_Sequence_Numbers* sequence_numbers,
464 bool allow_epoch0_restart)
471 return Record_Header(0);
477 const Protocol_Version version(readbuf[1], readbuf[2]);
479 if(version.is_datagram_protocol() ==
false)
482 return Record_Header(0);
492 return Record_Header(0);
495 if(fill_buffer_to(readbuf, input, input_len, consumed,
DTLS_HEADER_SIZE + record_size))
499 return Record_Header(0);
503 "Have the full record");
508 const uint16_t epoch = (sequence >> 48);
510 const bool already_seen = sequence_numbers && sequence_numbers->already_seen(sequence);
512 if(already_seen && !(epoch == 0 && allow_epoch0_restart))
515 return Record_Header(0);
523 sequence_numbers->read_accept(sequence);
524 return Record_Header(sequence, version, type);
530 auto cs = get_cipherstate(epoch);
534 decrypt_record(recbuf,
542 catch(std::exception&)
545 return Record_Header(0);
549 sequence_numbers->read_accept(sequence);
552 return Record_Header(sequence, version, type);
559 const uint8_t input[],
565 bool allow_epoch0_restart)
568 return read_dtls_record(readbuf, input, input_len, consumed,
569 recbuf, sequence_numbers, get_cipherstate, allow_epoch0_restart);
571 return read_tls_record(readbuf, input, input_len, consumed,
572 recbuf, sequence_numbers, get_cipherstate);
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_UNUSED(...)
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
#define BOTAN_ASSERT(expr, assertion_made)
void set_associated_data(std::span< const uint8_t > ad)
static std::unique_ptr< AEAD_Mode > create_or_throw(std::string_view algo, Cipher_Dir direction, std::string_view provider="")
static std::unique_ptr< BlockCipher > create_or_throw(std::string_view algo_spec, std::string_view provider="")
void start(std::span< const uint8_t > nonce)
void finish(secure_vector< uint8_t > &final_block, size_t offset=0)
virtual size_t output_length(size_t input_length) const =0
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
void randomize(std::span< uint8_t > output)
size_t nonce_bytes_from_record(Protocol_Version version) const
Nonce_Format nonce_format() const
size_t mac_keylen() const
size_t cipher_keylen() const
size_t nonce_bytes_from_handshake() const
std::string mac_algo() const
std::string cipher_algo() const
size_t nonce_bytes_from_record() const
Nonce_Format nonce_format() const
size_t nonce_bytes_from_handshake() const
Connection_Cipher_State(Protocol_Version version, Connection_Side which_side, bool is_our_side, const Ciphersuite &suite, const Session_Keys &keys, bool uses_encrypt_then_mac)
std::vector< uint8_t > aead_nonce(uint64_t seq, RandomNumberGenerator &rng)
std::vector< uint8_t > format_ad(uint64_t seq, Record_Type type, Protocol_Version version, uint16_t ptext_length)
uint8_t major_version() const
uint8_t minor_version() const
const std::vector< uint8_t > & nonce(Connection_Side side) const
const secure_vector< uint8_t > & aead_key(Connection_Side side) const
Record_Header read_record(bool is_datagram, secure_vector< uint8_t > &readbuf, const uint8_t input[], size_t input_len, size_t &consumed, secure_vector< uint8_t > &recbuf, Connection_Sequence_Numbers *sequence_numbers, const get_cipherstate_fn &get_cipherstate, bool allow_epoch0_restart)
void write_unencrypted_record(secure_vector< uint8_t > &output, Record_Type record_type, Protocol_Version version, uint64_t record_sequence, const uint8_t *message, size_t message_len)
std::function< std::shared_ptr< Connection_Cipher_State >(uint16_t)> get_cipherstate_fn
void write_record(secure_vector< uint8_t > &output, Record_Type record_type, Protocol_Version version, uint64_t record_sequence, const uint8_t *message, size_t message_len, Connection_Cipher_State &cs, RandomNumberGenerator &rng)
constexpr uint64_t load_be< uint64_t >(const uint8_t in[], size_t off)
constexpr void copy_mem(T *out, const T *in, size_t n)
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
constexpr void store_be(uint16_t in, uint8_t out[2])
constexpr uint8_t get_byte_var(size_t byte_num, T input)
std::vector< T, secure_allocator< T > > secure_vector
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)