2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
32 internal class RecordEncryptCBC : RecordEncrypt {
41 internal RecordEncryptCBC(IBlockCipher bc, HMAC hm, byte[] iv)
45 this.iv = new byte[bc.BlockSize];
49 Array.Copy(iv, 0, this.iv, 0, iv.Length);
53 tmp = new byte[Math.Max(13, hm.MACSize)];
56 internal override void GetMaxPlaintext(ref int start, ref int end)
59 * Add room for the record header.
63 int blen = bc.BlockSize;
68 * We reserve room for an automatic 1/n-1 split.
70 start += 4 + ((hm.MACSize + blen + 1) & ~(blen - 1));
72 int len = (end - start) & ~(blen - 1);
73 len -= 1 + hm.MACSize;
76 * We keep a bit of extra room to try out overlong padding.
86 internal override void Encrypt(int recordType, int version,
87 byte[] data, ref int off, ref int len)
90 || recordType != SSL.APPLICATION_DATA
93 EncryptInner(recordType, version,
94 data, ref off, ref len);
99 * Automatic 1/n-1 split. We do it only when there is
100 * no explicit IV (i.e. TLS 1.0, not TLS 1.1+), and there
101 * are at least two plaintext bytes in the record.
103 int blen = bc.BlockSize;
104 int off1 = off - (4 + ((hm.MACSize + blen + 1) & ~(blen - 1)));
106 data[off1] = data[off];
107 EncryptInner(recordType, version, data, ref off1, ref len1);
110 EncryptInner(recordType, version, data, ref off2, ref len2);
111 if (off1 + len1 != off2) {
112 throw new Exception("Split gone wrong");
118 void EncryptInner(int recordType, int version,
119 byte[] data, ref int off, ref int len)
121 int blen = bc.BlockSize;
122 int mlen = hm.MACSize;
128 * To make pseudorandom IV, we reuse HMAC, computed
129 * over the encoded sequence number. Since this
130 * input is distinct from all other HMAC inputs with
131 * the same key, this should be randomish enough
132 * (assuming HMAC is a good imitation of a random
135 IO.Enc64be(seq, tmp, 0);
136 hm.Update(tmp, 0, 8);
138 Array.Copy(tmp, 0, data, off - blen, blen);
146 IO.Enc64be(seq, tmp, 0);
147 IO.WriteHeader(recordType, version, dlen, tmp, 8);
148 hm.Update(tmp, 0, 13);
149 hm.Update(data, doff, dlen);
150 hm.DoFinal(data, off + len);
157 int plen = blen - (len & (blen - 1));
158 for (int i = 0; i < plen; i ++) {
159 data[off + len + i] = (byte)(plen - 1);
164 * Perform CBC encryption. We use our saved IV. If there is
165 * an explicit IV, then it gets encrypted, which is fine
166 * (CBC encryption of randomness is equally good randomness).
168 bc.CBCEncrypt(iv, data, off, len);
169 Array.Copy(data, off + len - blen, iv, 0, blen);
175 IO.WriteHeader(recordType, version, len, data, off);