Implement AES-GCM in tlslite.

third_party/tlslite/tlslite/tlsrecordlayer.py

 # Authors: 
 #   Trevor Perrin
 #   Google (adapted by Sam Rushing) - NPN support
 #   Martin von Loewis - python 3 port
 #   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
 #
 # See the LICENSE file for legal information regarding use of this file.
 
 """Helper class for TLSConnection."""
 from __future__ import generators
 
 from .utils.compat import *
 from .utils.cryptomath import *
-from .utils.cipherfactory import createAES, createRC4, createTripleDES
+from .utils.cipherfactory import createAESGCM, createAES, createRC4, \
+     createTripleDES
 from .utils.codec import *
 from .errors import *
 from .messages import *
 from .mathtls import *
 from .constants import *
 from .utils.cryptomath import getRandomBytes
 
 import socket
 import struct
 import errno
@@ skipping 560 matching lines @@
                 mac.update(compatHMAC( bytearray([self.version[1]] )))
                 mac.update( compatHMAC( bytearray([len(b)//256] )))
                 mac.update( compatHMAC( bytearray([len(b)%256] )))
             else:
                 raise AssertionError()
             mac.update(compatHMAC(b))
             macBytes = bytearray(mac.digest())
             if self.fault == Fault.badMAC:
                 macBytes[0] = (macBytes[0]+1) % 256
 
         #Encrypt for Block or Stream Cipher

[Ryan Sleevi, 2015/01/29 20:50:48]

comment update?

[davidben, 2015/01/29 21:40:59]

Done.

         if self._writeState.encContext:
+            #Seal (for AEAD)
+            if self._writeState.encContext.isAEAD:
+                #Assemble the AD.

[Ryan Sleevi, 2015/01/29 20:50:49]

expand this acronym?

#Assemble the authenticated data

...
authData = seqNumBytes + ...

[davidben, 2015/01/29 21:40:59]

Done.

+                seqnumBytes = self._writeState.getSeqNumBytes()

[Ryan Sleevi, 2015/01/29 20:50:48]

nit: naming wise, should this be seqNumBytes?

[davidben, 2015/01/29 21:40:59]

Copy-and-paste from MAC block above, but I agree. Done.

+                ad = seqnumBytes + bytearray([contentType, self.version[0],
+                                              self.version[1], len(b)//256,
+                                              len(b)%256])
+
+                #The nonce is always the fixed nonce and the sequence number.
+                nonce = self._writeState.fixedNonce + seqnumBytes
+                assert len(nonce) == self._writeState.encContext.nonceLength
+
+                b = self._writeState.encContext.seal(nonce, b, ad)
+
+                #The only AEAD supported, AES-GCM, has an explicit variable
+                #nonce.

[Ryan Sleevi, 2015/01/29 20:50:49]

"explicit variable nonce" - this is just explicit nonce, right? What does the
"variable" here refer to?

[davidben, 2015/01/29 21:40:59]

As opposed to the fixed half of the nonce. (GCM nonce is concatenation of 4
bytes of fixed nonce, derived from key material, and 8 bytes of variable nonce.)
I'm mostly borrowing these terms from BoringSSL's code.

+                b = seqnumBytes + b
+
             #Add padding and encrypt (for Block Cipher):
-            if self._writeState.encContext.isBlockCipher:
+            elif self._writeState.encContext.isBlockCipher:
 
                 #Add TLS 1.1 fixed block
                 if self.version >= (3,2):
                     b = self.fixedIVBlock + b
 
                 #Add padding: b = b+ (macBytes + paddingBytes)
                 currentLength = len(b) + len(macBytes)
                 blockLength = self._writeState.encContext.block_size
                 paddingLength = blockLength - 1 - (currentLength % blockLength)
 
@@ skipping 351 matching lines @@
 
             #We've moved at least one handshake message into the
             #handshakeBuffer, return the first one
             recordHeader, b = self._handshakeBuffer[0]
             self._handshakeBuffer = self._handshakeBuffer[1:]
             yield (recordHeader, Parser(b))
 
 
     def _decryptRecord(self, recordType, b):
         if self._readState.encContext:
+            #Open if it's an AEAD.
+            if self._readState.encContext.isAEAD:
+                #The only AEAD supported, AES-GCM, has an explicit variable
+                #nonce.
+                explicitNonceLength = 8
+                if explicitNonceLength > len(b):
+                    #Publicly invalid.
+                    for result in self._sendError(
+                            AlertDescription.bad_record_mac,
+                            "MAC failure (or padding failure)"):
+                        yield result
+                nonce = self._readState.fixedNonce + b[:explicitNonceLength]
+                b = b[8:]
+
+                #Assemble the AD.
+                seqnumBytes = self._readState.getSeqNumBytes()
+                plaintextLen = len(b) - self._readState.encContext.tagLength

[agl, 2015/01/29 19:38:17]

This can end up negative, but that doesn't appear to matter.

[davidben, 2015/01/29 21:40:59]

Added a check anyway for good measure. I think a negative value will throw;
bytearray gets grumpy if inputs aren't in range.

+                ad = seqnumBytes + bytearray([recordType, self.version[0],
+                                              self.version[1],
+                                              plaintextLen//256,
+                                              plaintextLen%256])
+
+                b = self._readState.encContext.open(nonce, b, ad)
+                if b is None:
+                    for result in self._sendError(
+                            AlertDescription.bad_record_mac,
+                            "MAC failure (or padding failure)"):
+                        yield result
+                yield b
+                return
 
             #Decrypt if it's a block cipher
             if self._readState.encContext.isBlockCipher:
                 blockLength = self._readState.encContext.block_size
                 if len(b) % blockLength != 0:
                     for result in self._sendError(\
                             AlertDescription.decryption_failed,
                             "Encrypted data not a multiple of blocksize"):
                         yield result
                 b = self._readState.encContext.decrypt(b)
@@ skipping 77 matching lines @@
         self._handshakeBuffer = []
         self.allegedSrpUsername = None
         self._refCount = 1
 
     def _handshakeDone(self, resumed):
         self.resumed = resumed
         self.closed = False
 
     def _calcPendingStates(self, cipherSuite, masterSecret,
             clientRandom, serverRandom, implementations):
-        if cipherSuite in CipherSuite.aes128Suites:
+        if cipherSuite in CipherSuite.aes128GcmSuites:
+            keyLength = 16
+            ivLength = 4
+            createCipherFunc = createAESGCM
+        elif cipherSuite in CipherSuite.aes128Suites:
             keyLength = 16
             ivLength = 16
             createCipherFunc = createAES
         elif cipherSuite in CipherSuite.aes256Suites:
             keyLength = 32
             ivLength = 16
             createCipherFunc = createAES
         elif cipherSuite in CipherSuite.rc4Suites:
             keyLength = 16
             ivLength = 0
             createCipherFunc = createRC4
         elif cipherSuite in CipherSuite.tripleDESSuites:
             keyLength = 24
             ivLength = 8
             createCipherFunc = createTripleDES
         else:
             raise AssertionError()
             
-        if cipherSuite in CipherSuite.shaSuites:
+        if cipherSuite in CipherSuite.aeadSuites:
+            macLength = 0
+            digestmod = None
+        elif cipherSuite in CipherSuite.shaSuites:
             macLength = 20
             digestmod = hashlib.sha1        
         elif cipherSuite in CipherSuite.sha256Suites:
             macLength = 32
             digestmod = hashlib.sha256
         elif cipherSuite in CipherSuite.md5Suites:
             macLength = 16
             digestmod = hashlib.md5
+        else:
+            raise AssertionError()
 
-        if self.version == (3,0):
+        if not digestmod:
+            createMACFunc = None
+        elif self.version == (3,0):
             createMACFunc = createMAC_SSL
         elif self.version in ((3,1), (3,2), (3,3)):
             createMACFunc = createHMAC
 
         outputLength = (macLength*2) + (keyLength*2) + (ivLength*2)
 
         #Calculate Keying Material from Master Secret
         if self.version == (3,0):
             keyBlock = PRF_SSL(masterSecret,
                                serverRandom + clientRandom,
@@ skipping 14 matching lines @@
         #Slice up Keying Material
         clientPendingState = _ConnectionState()
         serverPendingState = _ConnectionState()
         p = Parser(keyBlock)
         clientMACBlock = p.getFixBytes(macLength)
         serverMACBlock = p.getFixBytes(macLength)
         clientKeyBlock = p.getFixBytes(keyLength)
         serverKeyBlock = p.getFixBytes(keyLength)
         clientIVBlock  = p.getFixBytes(ivLength)
         serverIVBlock  = p.getFixBytes(ivLength)
-        clientPendingState.macContext = createMACFunc(
-            compatHMAC(clientMACBlock), digestmod=digestmod)
-        serverPendingState.macContext = createMACFunc(
-            compatHMAC(serverMACBlock), digestmod=digestmod)
-        clientPendingState.encContext = createCipherFunc(clientKeyBlock,
-                                                         clientIVBlock,
-                                                         implementations)
-        serverPendingState.encContext = createCipherFunc(serverKeyBlock,
-                                                         serverIVBlock,
-                                                         implementations)
+        if digestmod:
+            # Legacy cipher.
+            clientPendingState.macContext = createMACFunc(
+                compatHMAC(clientMACBlock), digestmod=digestmod)
+            serverPendingState.macContext = createMACFunc(
+                compatHMAC(serverMACBlock), digestmod=digestmod)
+            clientPendingState.encContext = createCipherFunc(clientKeyBlock,
+                                                             clientIVBlock,
+                                                             implementations)
+            serverPendingState.encContext = createCipherFunc(serverKeyBlock,
+                                                             serverIVBlock,
+                                                             implementations)
+        else:
+            # AEAD.
+            clientPendingState.macContext = None
+            serverPendingState.macContext = None
+            clientPendingState.encContext = createCipherFunc(clientKeyBlock,
+                                                             implementations)
+            serverPendingState.encContext = createCipherFunc(serverKeyBlock,
+                                                             implementations)
+            clientPendingState.fixedNonce = clientIVBlock
+            serverPendingState.fixedNonce = serverIVBlock
 
         #Assign new connection states to pending states
         if self._client:
             self._pendingWriteState = clientPendingState
             self._pendingReadState = serverPendingState
         else:
             self._pendingWriteState = serverPendingState
             self._pendingReadState = clientPendingState
 
         if self.version >= (3,2) and ivLength:
@@ skipping 17 matching lines @@
         imac_md5.update(compatHMAC(label + masterSecret + bytearray([0x36]*48)))
         imac_sha.update(compatHMAC(label + masterSecret + bytearray([0x36]*40)))
 
         md5Bytes = MD5(masterSecret + bytearray([0x5c]*48) + \
                          bytearray(imac_md5.digest()))
         shaBytes = SHA1(masterSecret + bytearray([0x5c]*40) + \
                          bytearray(imac_sha.digest()))
 
         return md5Bytes + shaBytes