|
/**
|
|
* A Javascript implementation of AES Cipher Suites for TLS.
|
|
*
|
|
* @author Dave Longley
|
|
*
|
|
* Copyright (c) 2009-2015 Digital Bazaar, Inc.
|
|
*
|
|
*/
|
|
var forge = require('./forge');
|
|
require('./aes');
|
|
require('./tls');
|
|
|
|
var tls = module.exports = forge.tls;
|
|
|
|
/**
|
|
* Supported cipher suites.
|
|
*/
|
|
tls.CipherSuites['TLS_RSA_WITH_AES_128_CBC_SHA'] = {
|
|
id: [0x00, 0x2f],
|
|
name: 'TLS_RSA_WITH_AES_128_CBC_SHA',
|
|
initSecurityParameters: function(sp) {
|
|
sp.bulk_cipher_algorithm = tls.BulkCipherAlgorithm.aes;
|
|
sp.cipher_type = tls.CipherType.block;
|
|
sp.enc_key_length = 16;
|
|
sp.block_length = 16;
|
|
sp.fixed_iv_length = 16;
|
|
sp.record_iv_length = 16;
|
|
sp.mac_algorithm = tls.MACAlgorithm.hmac_sha1;
|
|
sp.mac_length = 20;
|
|
sp.mac_key_length = 20;
|
|
},
|
|
initConnectionState: initConnectionState
|
|
};
|
|
tls.CipherSuites['TLS_RSA_WITH_AES_256_CBC_SHA'] = {
|
|
id: [0x00, 0x35],
|
|
name: 'TLS_RSA_WITH_AES_256_CBC_SHA',
|
|
initSecurityParameters: function(sp) {
|
|
sp.bulk_cipher_algorithm = tls.BulkCipherAlgorithm.aes;
|
|
sp.cipher_type = tls.CipherType.block;
|
|
sp.enc_key_length = 32;
|
|
sp.block_length = 16;
|
|
sp.fixed_iv_length = 16;
|
|
sp.record_iv_length = 16;
|
|
sp.mac_algorithm = tls.MACAlgorithm.hmac_sha1;
|
|
sp.mac_length = 20;
|
|
sp.mac_key_length = 20;
|
|
},
|
|
initConnectionState: initConnectionState
|
|
};
|
|
|
|
function initConnectionState(state, c, sp) {
|
|
var client = (c.entity === forge.tls.ConnectionEnd.client);
|
|
|
|
// cipher setup
|
|
state.read.cipherState = {
|
|
init: false,
|
|
cipher: forge.cipher.createDecipher('AES-CBC', client ?
|
|
sp.keys.server_write_key : sp.keys.client_write_key),
|
|
iv: client ? sp.keys.server_write_IV : sp.keys.client_write_IV
|
|
};
|
|
state.write.cipherState = {
|
|
init: false,
|
|
cipher: forge.cipher.createCipher('AES-CBC', client ?
|
|
sp.keys.client_write_key : sp.keys.server_write_key),
|
|
iv: client ? sp.keys.client_write_IV : sp.keys.server_write_IV
|
|
};
|
|
state.read.cipherFunction = decrypt_aes_cbc_sha1;
|
|
state.write.cipherFunction = encrypt_aes_cbc_sha1;
|
|
|
|
// MAC setup
|
|
state.read.macLength = state.write.macLength = sp.mac_length;
|
|
state.read.macFunction = state.write.macFunction = tls.hmac_sha1;
|
|
}
|
|
|
|
/**
|
|
* Encrypts the TLSCompressed record into a TLSCipherText record using AES
|
|
* in CBC mode.
|
|
*
|
|
* @param record the TLSCompressed record to encrypt.
|
|
* @param s the ConnectionState to use.
|
|
*
|
|
* @return true on success, false on failure.
|
|
*/
|
|
function encrypt_aes_cbc_sha1(record, s) {
|
|
var rval = false;
|
|
|
|
// append MAC to fragment, update sequence number
|
|
var mac = s.macFunction(s.macKey, s.sequenceNumber, record);
|
|
record.fragment.putBytes(mac);
|
|
s.updateSequenceNumber();
|
|
|
|
// TLS 1.1+ use an explicit IV every time to protect against CBC attacks
|
|
var iv;
|
|
if(record.version.minor === tls.Versions.TLS_1_0.minor) {
|
|
// use the pre-generated IV when initializing for TLS 1.0, otherwise use
|
|
// the residue from the previous encryption
|
|
iv = s.cipherState.init ? null : s.cipherState.iv;
|
|
} else {
|
|
iv = forge.random.getBytesSync(16);
|
|
}
|
|
|
|
s.cipherState.init = true;
|
|
|
|
// start cipher
|
|
var cipher = s.cipherState.cipher;
|
|
cipher.start({iv: iv});
|
|
|
|
// TLS 1.1+ write IV into output
|
|
if(record.version.minor >= tls.Versions.TLS_1_1.minor) {
|
|
cipher.output.putBytes(iv);
|
|
}
|
|
|
|
// do encryption (default padding is appropriate)
|
|
cipher.update(record.fragment);
|
|
if(cipher.finish(encrypt_aes_cbc_sha1_padding)) {
|
|
// set record fragment to encrypted output
|
|
record.fragment = cipher.output;
|
|
record.length = record.fragment.length();
|
|
rval = true;
|
|
}
|
|
|
|
return rval;
|
|
}
|
|
|
|
/**
|
|
* Handles padding for aes_cbc_sha1 in encrypt mode.
|
|
*
|
|
* @param blockSize the block size.
|
|
* @param input the input buffer.
|
|
* @param decrypt true in decrypt mode, false in encrypt mode.
|
|
*
|
|
* @return true on success, false on failure.
|
|
*/
|
|
function encrypt_aes_cbc_sha1_padding(blockSize, input, decrypt) {
|
|
/* The encrypted data length (TLSCiphertext.length) is one more than the sum
|
|
of SecurityParameters.block_length, TLSCompressed.length,
|
|
SecurityParameters.mac_length, and padding_length.
|
|
|
|
The padding may be any length up to 255 bytes long, as long as it results in
|
|
the TLSCiphertext.length being an integral multiple of the block length.
|
|
Lengths longer than necessary might be desirable to frustrate attacks on a
|
|
protocol based on analysis of the lengths of exchanged messages. Each uint8
|
|
in the padding data vector must be filled with the padding length value.
|
|
|
|
The padding length should be such that the total size of the
|
|
GenericBlockCipher structure is a multiple of the cipher's block length.
|
|
Legal values range from zero to 255, inclusive. This length specifies the
|
|
length of the padding field exclusive of the padding_length field itself.
|
|
|
|
This is slightly different from PKCS#7 because the padding value is 1
|
|
less than the actual number of padding bytes if you include the
|
|
padding_length uint8 itself as a padding byte. */
|
|
if(!decrypt) {
|
|
// get the number of padding bytes required to reach the blockSize and
|
|
// subtract 1 for the padding value (to make room for the padding_length
|
|
// uint8)
|
|
var padding = blockSize - (input.length() % blockSize);
|
|
input.fillWithByte(padding - 1, padding);
|
|
}
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Handles padding for aes_cbc_sha1 in decrypt mode.
|
|
*
|
|
* @param blockSize the block size.
|
|
* @param output the output buffer.
|
|
* @param decrypt true in decrypt mode, false in encrypt mode.
|
|
*
|
|
* @return true on success, false on failure.
|
|
*/
|
|
function decrypt_aes_cbc_sha1_padding(blockSize, output, decrypt) {
|
|
var rval = true;
|
|
if(decrypt) {
|
|
/* The last byte in the output specifies the number of padding bytes not
|
|
including itself. Each of the padding bytes has the same value as that
|
|
last byte (known as the padding_length). Here we check all padding
|
|
bytes to ensure they have the value of padding_length even if one of
|
|
them is bad in order to ward-off timing attacks. */
|
|
var len = output.length();
|
|
var paddingLength = output.last();
|
|
for(var i = len - 1 - paddingLength; i < len - 1; ++i) {
|
|
rval = rval && (output.at(i) == paddingLength);
|
|
}
|
|
if(rval) {
|
|
// trim off padding bytes and last padding length byte
|
|
output.truncate(paddingLength + 1);
|
|
}
|
|
}
|
|
return rval;
|
|
}
|
|
|
|
/**
|
|
* Decrypts a TLSCipherText record into a TLSCompressed record using
|
|
* AES in CBC mode.
|
|
*
|
|
* @param record the TLSCipherText record to decrypt.
|
|
* @param s the ConnectionState to use.
|
|
*
|
|
* @return true on success, false on failure.
|
|
*/
|
|
function decrypt_aes_cbc_sha1(record, s) {
|
|
var rval = false;
|
|
|
|
var iv;
|
|
if(record.version.minor === tls.Versions.TLS_1_0.minor) {
|
|
// use pre-generated IV when initializing for TLS 1.0, otherwise use the
|
|
// residue from the previous decryption
|
|
iv = s.cipherState.init ? null : s.cipherState.iv;
|
|
} else {
|
|
// TLS 1.1+ use an explicit IV every time to protect against CBC attacks
|
|
// that is appended to the record fragment
|
|
iv = record.fragment.getBytes(16);
|
|
}
|
|
|
|
s.cipherState.init = true;
|
|
|
|
// start cipher
|
|
var cipher = s.cipherState.cipher;
|
|
cipher.start({iv: iv});
|
|
|
|
// do decryption
|
|
cipher.update(record.fragment);
|
|
rval = cipher.finish(decrypt_aes_cbc_sha1_padding);
|
|
|
|
// even if decryption fails, keep going to minimize timing attacks
|
|
|
|
// decrypted data:
|
|
// first (len - 20) bytes = application data
|
|
// last 20 bytes = MAC
|
|
var macLen = s.macLength;
|
|
|
|
// create a random MAC to check against should the mac length check fail
|
|
// Note: do this regardless of the failure to keep timing consistent
|
|
var mac = forge.random.getBytesSync(macLen);
|
|
|
|
// get fragment and mac
|
|
var len = cipher.output.length();
|
|
if(len >= macLen) {
|
|
record.fragment = cipher.output.getBytes(len - macLen);
|
|
mac = cipher.output.getBytes(macLen);
|
|
} else {
|
|
// bad data, but get bytes anyway to try to keep timing consistent
|
|
record.fragment = cipher.output.getBytes();
|
|
}
|
|
record.fragment = forge.util.createBuffer(record.fragment);
|
|
record.length = record.fragment.length();
|
|
|
|
// see if data integrity checks out, update sequence number
|
|
var mac2 = s.macFunction(s.macKey, s.sequenceNumber, record);
|
|
s.updateSequenceNumber();
|
|
rval = compareMacs(s.macKey, mac, mac2) && rval;
|
|
return rval;
|
|
}
|
|
|
|
/**
|
|
* Safely compare two MACs. This function will compare two MACs in a way
|
|
* that protects against timing attacks.
|
|
*
|
|
* TODO: Expose elsewhere as a utility API.
|
|
*
|
|
* See: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/
|
|
*
|
|
* @param key the MAC key to use.
|
|
* @param mac1 as a binary-encoded string of bytes.
|
|
* @param mac2 as a binary-encoded string of bytes.
|
|
*
|
|
* @return true if the MACs are the same, false if not.
|
|
*/
|
|
function compareMacs(key, mac1, mac2) {
|
|
var hmac = forge.hmac.create();
|
|
|
|
hmac.start('SHA1', key);
|
|
hmac.update(mac1);
|
|
mac1 = hmac.digest().getBytes();
|
|
|
|
hmac.start(null, null);
|
|
hmac.update(mac2);
|
|
mac2 = hmac.digest().getBytes();
|
|
|
|
return mac1 === mac2;
|
|
}
|