From 98a233fc402da92331447c7be1619ab54df45cf3 Mon Sep 17 00:00:00 2001 From: mathewmarcus Date: Wed, 4 Jul 2018 12:17:16 -0500 Subject: [PATCH] added support for AES GCM decryption --- ssl/ssl_rec.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 63 insertions(+), 6 deletions(-) diff --git a/ssl/ssl_rec.c b/ssl/ssl_rec.c index ab9ac6c..89a5caa 100644 --- a/ssl/ssl_rec.c +++ b/ssl/ssl_rec.c @@ -61,6 +61,8 @@ static char *RCSSTRING="$Id: ssl_rec.c,v 1.3 2000/11/03 06:38:06 ekr Exp $"; struct ssl_rec_decoder_ { SSL_CipherSuite *cs; Data *mac_key; + Data *implicit_iv; /* for AEAD ciphers */ + Data *write_key; /* for AEAD ciphers */ #ifdef OPENSSL EVP_CIPHER_CTX *evp; #endif @@ -125,8 +127,28 @@ int ssl_create_rec_decoder(dp,cs,mk,sk,iv) ABORT(R_NO_MEMORY); dec->cs=cs; - if(r=r_data_create(&dec->mac_key,mk,cs->dig_len)) + + if(r=r_data_alloc(&dec->mac_key,cs->dig_len)) ABORT(r); + + if(r=r_data_alloc(&dec->implicit_iv,cs->block)) + ABORT(r); + memcpy(dec->implicit_iv->data,iv,cs->block); + + if(r=r_data_create(&dec->write_key,sk,cs->eff_bits/8)) + ABORT(r); + + /* + This is necessary for AEAD ciphers, because we must wait to fully initialize the cipher + in order to include the implicit IV + */ + if(cs->enc==0x3b || cs->enc==0x3c){ + sk=NULL; + iv=NULL; + } + else + memcpy(dec->mac_key->data,mk,cs->dig_len); + if(!(dec->evp=(EVP_CIPHER_CTX *)malloc(sizeof(EVP_CIPHER_CTX)))) ABORT(R_NO_MEMORY); EVP_CIPHER_CTX_init(dec->evp); @@ -152,6 +174,8 @@ int ssl_destroy_rec_decoder(dp) d=*dp; r_data_destroy(&d->mac_key); + r_data_destroy(&d->implicit_iv); + r_data_destroy(&d->write_key); #ifdef OPENSSL if(d->evp){ EVP_CIPHER_CTX_cleanup(d->evp); @@ -165,6 +189,9 @@ int ssl_destroy_rec_decoder(dp) } +#define MSB(a) ((a>>8)&0xff) +#define LSB(a) (a&0xff) + int ssl_decode_rec_data(ssl,d,ct,version,in,inl,out,outl) ssl_obj *ssl; ssl_rec_decoder *d; @@ -177,12 +204,44 @@ int ssl_decode_rec_data(ssl,d,ct,version,in,inl,out,outl) { #ifdef OPENSSL int pad; - int r,encpadl; - UCHAR *mac,*iv; + int r,encpadl,x; + UCHAR *mac,*iv,aead_tag[13],aead_nonce[12]; CRDUMP("Ciphertext",in,inl); - if(ssl->extensions->encrypt_then_mac==2){ + if(d->cs->enc==0x3b || d->cs->enc==0x3c){ + memcpy(aead_nonce,d->implicit_iv->data,d->implicit_iv->len); + memcpy(aead_nonce+d->implicit_iv->len,in,12-d->implicit_iv->len); + in+=12-d->implicit_iv->len; + inl-=12-d->implicit_iv->len; + + EVP_DecryptInit(d->evp, + NULL, + d->write_key->data, + aead_nonce); + EVP_CIPHER_CTX_ctrl(d->evp,EVP_CTRL_GCM_SET_TAG,16,in+(inl-16)); + inl-=d->cs->eff_bits/8; + + fmt_seq(d->seq,aead_tag); + d->seq++; + aead_tag[8]=ct; + aead_tag[9]=MSB(version); + aead_tag[10]=LSB(version); + aead_tag[11]=MSB(inl); + aead_tag[12]=LSB(inl); + + EVP_DecryptUpdate(d->evp,NULL,outl,aead_tag,13); + EVP_DecryptUpdate(d->evp,out,outl,in,inl); + + if (!(x=EVP_DecryptFinal(d->evp,NULL,&x))) + ERETURN(SSL_BAD_MAC); + } + + /* + Encrypt-then-MAC is not used with AEAD ciphers, as per: + https://tools.ietf.org/html/rfc7366#section-3 + */ + else if(ssl->extensions->encrypt_then_mac==2){ *outl=inl; /* First strip off the MAC */ @@ -267,8 +326,6 @@ int ssl_decode_rec_data(ssl,d,ct,version,in,inl,out,outl) } -#define MSB(a) ((a>>8)&0xff) -#define LSB(a) (a&0xff) #ifdef OPENSSL /* This should go to 2^128, but we're never really going to see