Implement the encrypt-then-MAC TLS extension.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 1366 matching lines @@
     }
     if (spec->master_secret != NULL) {
         PK11_FreeSymKey(spec->master_secret);
         spec->master_secret = NULL;
     }
     spec->msItem.data = NULL;
     spec->msItem.len  = 0;
     ssl3_CleanupKeyMaterial(&spec->client);
     ssl3_CleanupKeyMaterial(&spec->server);
     spec->bypassCiphers = PR_FALSE;
+    spec->encryptThenMAC = PR_FALSE;
     spec->destroy=NULL;
     spec->destroyCompressContext = NULL;
     spec->destroyDecompressContext = NULL;
 }
 
 /* Fill in the pending cipher spec with info from the selected ciphersuite.
 ** This is as much initialization as we can do without having key material.
 ** Called from ssl3_HandleServerHello(), ssl3_SendServerHello()
 ** Caller must hold the ssl3 handshake lock.
 ** Acquires & releases SpecWriteLock.
@@ skipping 65 matching lines @@
 
     pwSpec->encodeContext = NULL;
     pwSpec->decodeContext = NULL;
 
     pwSpec->mac_size = pwSpec->mac_def->mac_size;
 
     pwSpec->compression_method = ss->ssl3.hs.compression;
     pwSpec->compressContext = NULL;
     pwSpec->decompressContext = NULL;
 
+    pwSpec->encryptThenMAC =
+        ssl3_ExtensionNegotiated(ss, ssl_encrypt_then_mac_xtn);
+
     ssl_ReleaseSpecWriteLock(ss);  /*******************************/
     return SECSuccess;
 }
 
 #ifdef NSS_ENABLE_ZLIB
 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream)
 
 static SECStatus
 ssl3_MapZlibError(int zlib_error)
 {
@@ skipping 1243 matching lines @@
                 wrBuf->buf + headerLen,                     /* output  */
                 &cipherBytes,                               /* out len */
                 wrBuf->space - headerLen,                   /* max out */
                 pIn, contentLen,                            /* input   */
                 pseudoHeader, pseudoHeaderLen);
         if (rv != SECSuccess) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
     } else {
-        /*
-         * Add the MAC
-         */
-        rv = ssl3_ComputeRecordMAC(cwSpec, isServer,
-            pseudoHeader, pseudoHeaderLen, pIn, contentLen,
-            wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
-        if (rv != SECSuccess) {
-            ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
-            return SECFailure;
+        if (!cwSpec->encryptThenMAC) {
+            /*
+             * Add the MAC
+             */
+            rv = ssl3_ComputeRecordMAC(cwSpec, isServer,
+                pseudoHeader, pseudoHeaderLen, pIn, contentLen,
+                wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
+            if (rv != SECSuccess) {
+                ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
+                return SECFailure;
+            }
+            p1Len   = contentLen;
+            p2Len   = macLen;
+            fragLen = contentLen + macLen;      /* needs to be encrypted */
+            PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
+        } else {
+            p1Len   = contentLen;
+            p2Len   = 0;
+            fragLen = contentLen;       /* needs to be encrypted */
         }
-        p1Len   = contentLen;
-        p2Len   = macLen;
-        fragLen = contentLen + macLen;  /* needs to be encrypted */
-        PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
 
         /*
          * Pad the text (if we're doing a block cipher)
          * then Encrypt it
          */
         if (cipher_def->type == type_block) {
             unsigned char * pBuf;
             int             padding_length;
             int             i;
 
@@ skipping 47 matching lines @@
                 p2Len,                             /* max outlen */
                 wrBuf->buf + headerLen + ivLen + p1Len,
                 p2Len);                            /* input and inputLen*/
             PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
             if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
                 PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
                 return SECFailure;
             }
             cipherBytes += cipherBytesPart2;
         }
+
+        if (cwSpec->encryptThenMAC) {
+            /*
+             * Add the MAC
+             */
+            pseudoHeaderLen = ssl3_BuildRecordPseudoHeader(
+                pseudoHeader, cwSpec->write_seq_num, type,
+                cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->version,
+                isDTLS, cipherBytes /* + crSpec->mac_size */);
+            PORT_Assert(pseudoHeaderLen <= sizeof(pseudoHeader));
+
+            rv = ssl3_ComputeRecordMAC(cwSpec, isServer,
+                pseudoHeader, pseudoHeaderLen,
+                wrBuf->buf + headerLen, cipherBytes,
+                wrBuf->buf + headerLen + cipherBytes, &macLen);
+            if (rv != SECSuccess) {
+                ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
+                return SECFailure;
+            }
+            PORT_Assert(macLen == cwSpec->mac_size);
+            cipherBytes += macLen;
+            PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
+        }
     }
 
     PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
 
     wrBuf->len    = cipherBytes + headerLen;
     wrBuf->buf[0] = type;
     if (isDTLS) {
         SSL3ProtocolVersion version;
 
         version = dtls_TLSVersionToDTLSVersion(cwSpec->version);
@@ skipping 6246 matching lines @@
     rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.compression, 1);
     if (rv != SECSuccess) {
         return rv;      /* err set by AppendHandshake. */
     }
     if (extensions_len) {
         PRInt32 sent_len;
 
         extensions_len -= 2;
         rv = ssl3_AppendHandshakeNumber(ss, extensions_len, 2);
         if (rv != SECSuccess) 
-            return rv;  /* err set by ssl3_SetupPendingCipherSpec */
+            return rv;  /* err set by AppendHandshake. */
         sent_len = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, extensions_len,
                                            &ss->xtnData.serverSenders[0]);
         PORT_Assert(sent_len == extensions_len);
         if (sent_len != extensions_len) {
             if (sent_len >= 0)
                 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
             return SECFailure;
         }
     }
     rv = ssl3_SetupPendingCipherSpec(ss);
@@ skipping 2821 matching lines @@
     /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX().
      * This implies that databuf holds a previously deciphered SSL Handshake
      * message.
      */
     if (cText == NULL) {
         SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake",
                  SSL_GETPID(), ss->fd));
         rType = content_handshake;
         goto process_it;
     }
+    rType = cText->type;
 
     ssl_GetSpecReadLock(ss); /******************************************/
 
     crSpec = ss->ssl3.crSpec;
     cipher_def = crSpec->cipher_def;
 
     /* 
      * DTLS relevance checks:
      * Note that this code currently ignores all out-of-epoch packets,
      * which means we lose some in the case of rehandshake +
@@ skipping 38 matching lines @@
     } else if (cipher_def->type == type_aead) {
         minLength = cipher_def->explicit_nonce_size + cipher_def->tag_size;
     }
 
     /* We can perform this test in variable time because the record's total
      * length and the ciphersuite are both public knowledge. */
     if (cText->buf->len < minLength) {
         goto decrypt_loser;
     }
 
+    if (crSpec->encryptThenMAC) {
+        /* compute the MAC */
+        headerLen = ssl3_BuildRecordPseudoHeader(
+            header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
+            rType, isTLS, cText->version, IS_DTLS(ss),
+            cText->buf->len - crSpec->mac_size);
+        PORT_Assert(headerLen <= sizeof(header));
+        /* This is safe because we checked the minLength above. */
+        cText->buf->len -= crSpec->mac_size;
+
+        rv = ssl3_ComputeRecordMAC(
+            crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
+            cText->buf->buf, cText->buf->len, hash, &hashBytes);
+
+        /* We can read the MAC directly from the record because its location
+         * is public when a stream cipher is used. */
+        givenHash = cText->buf->buf + cText->buf->len;
+
+        if (hashBytes != (unsigned)crSpec->mac_size ||
+            NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
+            /* We're allowed to leak whether or not the MAC check was correct */
+            goto decrypt_loser;
+        }
+    }
+
     if (cipher_def->type == type_block &&
         crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
         /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states
          * "The receiver decrypts the entire GenericBlockCipher structure and
          * then discards the first cipher block corresponding to the IV
          * component." Instead, we decrypt the first cipher block and then
          * discard it before decrypting the rest.
          */
         SSL3Opaque iv[MAX_IV_LENGTH];
         int decoded;
@@ skipping 45 matching lines @@
 
     isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
 
     if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) {
         ssl_ReleaseSpecReadLock(ss);
         SSL3_SendAlert(ss, alert_fatal, record_overflow);
         PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
         return SECFailure;
     }
 
-    rType = cText->type;
     if (cipher_def->type == type_aead) {
         /* XXX For many AEAD ciphers, the plaintext is shorter than the
          * ciphertext by a fixed byte count, but it is not true in general.
          * Each AEAD cipher should provide a function that returns the
          * plaintext length for a given ciphertext. */
         unsigned int decryptedLen =
             cText->buf->len - cipher_def->explicit_nonce_size -
             cipher_def->tag_size;
         headerLen = ssl3_BuildRecordPseudoHeader(
             header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
@@ skipping 25 matching lines @@
             goto decrypt_loser;
         }
 
         PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
 
         originalLen = plaintext->len;
 
         /* If it's a block cipher, check and strip the padding. */
         if (cipher_def->type == type_block) {
             const unsigned int blockSize = cipher_def->block_size;
-            const unsigned int macSize = crSpec->mac_size;
+            const unsigned int macSize =
+                crSpec->encryptThenMAC ? 0 : crSpec->mac_size;
 
             if (!isTLS) {
                 good &= SECStatusToMask(ssl_RemoveSSLv3CBCPadding(
                             plaintext, blockSize, macSize));
             } else {
                 good &= SECStatusToMask(ssl_RemoveTLSCBCPadding(
                             plaintext, macSize));
             }
         }
 
+        if (!crSpec->encryptThenMAC) {
         /* compute the MAC */
         headerLen = ssl3_BuildRecordPseudoHeader(
             header, IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
             rType, isTLS, cText->version, IS_DTLS(ss),
             plaintext->len - crSpec->mac_size);
         PORT_Assert(headerLen <= sizeof(header));
         if (cipher_def->type == type_block) {
             rv = ssl3_ComputeRecordMACConstantTime(
                 crSpec, (PRBool)(!ss->sec.isServer), header, headerLen,
                 plaintext->buf, plaintext->len, originalLen,
@@ skipping 21 matching lines @@
             givenHash = plaintext->buf + plaintext->len;
         }
 
         good &= SECStatusToMask(rv);
 
         if (hashBytes != (unsigned)crSpec->mac_size ||
             NSS_SecureMemcmp(givenHash, hash, crSpec->mac_size) != 0) {
             /* We're allowed to leak whether or not the MAC check was correct */
             good = 0;
         }
+        }
     }
 
     if (good == 0) {
 decrypt_loser:
         /* must not hold spec lock when calling SSL3_SendAlert. */
         ssl_ReleaseSpecReadLock(ss);
 
         SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
 
         if (!IS_DTLS(ss)) {
@@ skipping 155 matching lines @@
     spec->encode                   = Null_Cipher;
     spec->decode                   = Null_Cipher;
     spec->destroy                  = NULL;
     spec->compressor               = NULL;
     spec->decompressor             = NULL;
     spec->destroyCompressContext   = NULL;
     spec->destroyDecompressContext = NULL;
     spec->mac_size                 = 0;
     spec->master_secret            = NULL;
     spec->bypassCiphers            = PR_FALSE;
+    spec->encryptThenMAC           = PR_FALSE;
 
     spec->msItem.data              = NULL;
     spec->msItem.len               = 0;
 
     spec->client.write_key         = NULL;
     spec->client.write_mac_key     = NULL;
     spec->client.write_mac_context = NULL;
 
     spec->server.write_key         = NULL;
     spec->server.write_mac_key     = NULL;
@@ skipping 511 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */