You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

282 lines
8.9 KiB

4 years ago
  1. /**
  2. * A Javascript implementation of AES Cipher Suites for TLS.
  3. *
  4. * @author Dave Longley
  5. *
  6. * Copyright (c) 2009-2015 Digital Bazaar, Inc.
  7. *
  8. */
  9. var forge = require('./forge');
  10. require('./aes');
  11. require('./tls');
  12. var tls = module.exports = forge.tls;
  13. /**
  14. * Supported cipher suites.
  15. */
  16. tls.CipherSuites['TLS_RSA_WITH_AES_128_CBC_SHA'] = {
  17. id: [0x00, 0x2f],
  18. name: 'TLS_RSA_WITH_AES_128_CBC_SHA',
  19. initSecurityParameters: function(sp) {
  20. sp.bulk_cipher_algorithm = tls.BulkCipherAlgorithm.aes;
  21. sp.cipher_type = tls.CipherType.block;
  22. sp.enc_key_length = 16;
  23. sp.block_length = 16;
  24. sp.fixed_iv_length = 16;
  25. sp.record_iv_length = 16;
  26. sp.mac_algorithm = tls.MACAlgorithm.hmac_sha1;
  27. sp.mac_length = 20;
  28. sp.mac_key_length = 20;
  29. },
  30. initConnectionState: initConnectionState
  31. };
  32. tls.CipherSuites['TLS_RSA_WITH_AES_256_CBC_SHA'] = {
  33. id: [0x00, 0x35],
  34. name: 'TLS_RSA_WITH_AES_256_CBC_SHA',
  35. initSecurityParameters: function(sp) {
  36. sp.bulk_cipher_algorithm = tls.BulkCipherAlgorithm.aes;
  37. sp.cipher_type = tls.CipherType.block;
  38. sp.enc_key_length = 32;
  39. sp.block_length = 16;
  40. sp.fixed_iv_length = 16;
  41. sp.record_iv_length = 16;
  42. sp.mac_algorithm = tls.MACAlgorithm.hmac_sha1;
  43. sp.mac_length = 20;
  44. sp.mac_key_length = 20;
  45. },
  46. initConnectionState: initConnectionState
  47. };
  48. function initConnectionState(state, c, sp) {
  49. var client = (c.entity === forge.tls.ConnectionEnd.client);
  50. // cipher setup
  51. state.read.cipherState = {
  52. init: false,
  53. cipher: forge.cipher.createDecipher('AES-CBC', client ?
  54. sp.keys.server_write_key : sp.keys.client_write_key),
  55. iv: client ? sp.keys.server_write_IV : sp.keys.client_write_IV
  56. };
  57. state.write.cipherState = {
  58. init: false,
  59. cipher: forge.cipher.createCipher('AES-CBC', client ?
  60. sp.keys.client_write_key : sp.keys.server_write_key),
  61. iv: client ? sp.keys.client_write_IV : sp.keys.server_write_IV
  62. };
  63. state.read.cipherFunction = decrypt_aes_cbc_sha1;
  64. state.write.cipherFunction = encrypt_aes_cbc_sha1;
  65. // MAC setup
  66. state.read.macLength = state.write.macLength = sp.mac_length;
  67. state.read.macFunction = state.write.macFunction = tls.hmac_sha1;
  68. }
  69. /**
  70. * Encrypts the TLSCompressed record into a TLSCipherText record using AES
  71. * in CBC mode.
  72. *
  73. * @param record the TLSCompressed record to encrypt.
  74. * @param s the ConnectionState to use.
  75. *
  76. * @return true on success, false on failure.
  77. */
  78. function encrypt_aes_cbc_sha1(record, s) {
  79. var rval = false;
  80. // append MAC to fragment, update sequence number
  81. var mac = s.macFunction(s.macKey, s.sequenceNumber, record);
  82. record.fragment.putBytes(mac);
  83. s.updateSequenceNumber();
  84. // TLS 1.1+ use an explicit IV every time to protect against CBC attacks
  85. var iv;
  86. if(record.version.minor === tls.Versions.TLS_1_0.minor) {
  87. // use the pre-generated IV when initializing for TLS 1.0, otherwise use
  88. // the residue from the previous encryption
  89. iv = s.cipherState.init ? null : s.cipherState.iv;
  90. } else {
  91. iv = forge.random.getBytesSync(16);
  92. }
  93. s.cipherState.init = true;
  94. // start cipher
  95. var cipher = s.cipherState.cipher;
  96. cipher.start({iv: iv});
  97. // TLS 1.1+ write IV into output
  98. if(record.version.minor >= tls.Versions.TLS_1_1.minor) {
  99. cipher.output.putBytes(iv);
  100. }
  101. // do encryption (default padding is appropriate)
  102. cipher.update(record.fragment);
  103. if(cipher.finish(encrypt_aes_cbc_sha1_padding)) {
  104. // set record fragment to encrypted output
  105. record.fragment = cipher.output;
  106. record.length = record.fragment.length();
  107. rval = true;
  108. }
  109. return rval;
  110. }
  111. /**
  112. * Handles padding for aes_cbc_sha1 in encrypt mode.
  113. *
  114. * @param blockSize the block size.
  115. * @param input the input buffer.
  116. * @param decrypt true in decrypt mode, false in encrypt mode.
  117. *
  118. * @return true on success, false on failure.
  119. */
  120. function encrypt_aes_cbc_sha1_padding(blockSize, input, decrypt) {
  121. /* The encrypted data length (TLSCiphertext.length) is one more than the sum
  122. of SecurityParameters.block_length, TLSCompressed.length,
  123. SecurityParameters.mac_length, and padding_length.
  124. The padding may be any length up to 255 bytes long, as long as it results in
  125. the TLSCiphertext.length being an integral multiple of the block length.
  126. Lengths longer than necessary might be desirable to frustrate attacks on a
  127. protocol based on analysis of the lengths of exchanged messages. Each uint8
  128. in the padding data vector must be filled with the padding length value.
  129. The padding length should be such that the total size of the
  130. GenericBlockCipher structure is a multiple of the cipher's block length.
  131. Legal values range from zero to 255, inclusive. This length specifies the
  132. length of the padding field exclusive of the padding_length field itself.
  133. This is slightly different from PKCS#7 because the padding value is 1
  134. less than the actual number of padding bytes if you include the
  135. padding_length uint8 itself as a padding byte. */
  136. if(!decrypt) {
  137. // get the number of padding bytes required to reach the blockSize and
  138. // subtract 1 for the padding value (to make room for the padding_length
  139. // uint8)
  140. var padding = blockSize - (input.length() % blockSize);
  141. input.fillWithByte(padding - 1, padding);
  142. }
  143. return true;
  144. }
  145. /**
  146. * Handles padding for aes_cbc_sha1 in decrypt mode.
  147. *
  148. * @param blockSize the block size.
  149. * @param output the output buffer.
  150. * @param decrypt true in decrypt mode, false in encrypt mode.
  151. *
  152. * @return true on success, false on failure.
  153. */
  154. function decrypt_aes_cbc_sha1_padding(blockSize, output, decrypt) {
  155. var rval = true;
  156. if(decrypt) {
  157. /* The last byte in the output specifies the number of padding bytes not
  158. including itself. Each of the padding bytes has the same value as that
  159. last byte (known as the padding_length). Here we check all padding
  160. bytes to ensure they have the value of padding_length even if one of
  161. them is bad in order to ward-off timing attacks. */
  162. var len = output.length();
  163. var paddingLength = output.last();
  164. for(var i = len - 1 - paddingLength; i < len - 1; ++i) {
  165. rval = rval && (output.at(i) == paddingLength);
  166. }
  167. if(rval) {
  168. // trim off padding bytes and last padding length byte
  169. output.truncate(paddingLength + 1);
  170. }
  171. }
  172. return rval;
  173. }
  174. /**
  175. * Decrypts a TLSCipherText record into a TLSCompressed record using
  176. * AES in CBC mode.
  177. *
  178. * @param record the TLSCipherText record to decrypt.
  179. * @param s the ConnectionState to use.
  180. *
  181. * @return true on success, false on failure.
  182. */
  183. function decrypt_aes_cbc_sha1(record, s) {
  184. var rval = false;
  185. var iv;
  186. if(record.version.minor === tls.Versions.TLS_1_0.minor) {
  187. // use pre-generated IV when initializing for TLS 1.0, otherwise use the
  188. // residue from the previous decryption
  189. iv = s.cipherState.init ? null : s.cipherState.iv;
  190. } else {
  191. // TLS 1.1+ use an explicit IV every time to protect against CBC attacks
  192. // that is appended to the record fragment
  193. iv = record.fragment.getBytes(16);
  194. }
  195. s.cipherState.init = true;
  196. // start cipher
  197. var cipher = s.cipherState.cipher;
  198. cipher.start({iv: iv});
  199. // do decryption
  200. cipher.update(record.fragment);
  201. rval = cipher.finish(decrypt_aes_cbc_sha1_padding);
  202. // even if decryption fails, keep going to minimize timing attacks
  203. // decrypted data:
  204. // first (len - 20) bytes = application data
  205. // last 20 bytes = MAC
  206. var macLen = s.macLength;
  207. // create a random MAC to check against should the mac length check fail
  208. // Note: do this regardless of the failure to keep timing consistent
  209. var mac = forge.random.getBytesSync(macLen);
  210. // get fragment and mac
  211. var len = cipher.output.length();
  212. if(len >= macLen) {
  213. record.fragment = cipher.output.getBytes(len - macLen);
  214. mac = cipher.output.getBytes(macLen);
  215. } else {
  216. // bad data, but get bytes anyway to try to keep timing consistent
  217. record.fragment = cipher.output.getBytes();
  218. }
  219. record.fragment = forge.util.createBuffer(record.fragment);
  220. record.length = record.fragment.length();
  221. // see if data integrity checks out, update sequence number
  222. var mac2 = s.macFunction(s.macKey, s.sequenceNumber, record);
  223. s.updateSequenceNumber();
  224. rval = compareMacs(s.macKey, mac, mac2) && rval;
  225. return rval;
  226. }
  227. /**
  228. * Safely compare two MACs. This function will compare two MACs in a way
  229. * that protects against timing attacks.
  230. *
  231. * TODO: Expose elsewhere as a utility API.
  232. *
  233. * See: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/
  234. *
  235. * @param key the MAC key to use.
  236. * @param mac1 as a binary-encoded string of bytes.
  237. * @param mac2 as a binary-encoded string of bytes.
  238. *
  239. * @return true if the MACs are the same, false if not.
  240. */
  241. function compareMacs(key, mac1, mac2) {
  242. var hmac = forge.hmac.create();
  243. hmac.start('SHA1', key);
  244. hmac.update(mac1);
  245. mac1 = hmac.digest().getBytes();
  246. hmac.start(null, null);
  247. hmac.update(mac2);
  248. mac2 = hmac.digest().getBytes();
  249. return mac1 === mac2;
  250. }