Spaces:
Configuration error
Configuration error
| /** | |
| * A Javascript implementation of AES Cipher Suites for TLS. | |
| * | |
| * @author Dave Longley | |
| * | |
| * Copyright (c) 2009-2015 Digital Bazaar, Inc. | |
| * | |
| */ | |
| var forge = require('./forge'); | |
| require('./aes'); | |
| require('./tls'); | |
| var tls = module.exports = forge.tls; | |
| /** | |
| * Supported cipher suites. | |
| */ | |
| tls.CipherSuites['TLS_RSA_WITH_AES_128_CBC_SHA'] = { | |
| id: [0x00, 0x2f], | |
| name: 'TLS_RSA_WITH_AES_128_CBC_SHA', | |
| initSecurityParameters: function(sp) { | |
| sp.bulk_cipher_algorithm = tls.BulkCipherAlgorithm.aes; | |
| sp.cipher_type = tls.CipherType.block; | |
| sp.enc_key_length = 16; | |
| sp.block_length = 16; | |
| sp.fixed_iv_length = 16; | |
| sp.record_iv_length = 16; | |
| sp.mac_algorithm = tls.MACAlgorithm.hmac_sha1; | |
| sp.mac_length = 20; | |
| sp.mac_key_length = 20; | |
| }, | |
| initConnectionState: initConnectionState | |
| }; | |
| tls.CipherSuites['TLS_RSA_WITH_AES_256_CBC_SHA'] = { | |
| id: [0x00, 0x35], | |
| name: 'TLS_RSA_WITH_AES_256_CBC_SHA', | |
| initSecurityParameters: function(sp) { | |
| sp.bulk_cipher_algorithm = tls.BulkCipherAlgorithm.aes; | |
| sp.cipher_type = tls.CipherType.block; | |
| sp.enc_key_length = 32; | |
| sp.block_length = 16; | |
| sp.fixed_iv_length = 16; | |
| sp.record_iv_length = 16; | |
| sp.mac_algorithm = tls.MACAlgorithm.hmac_sha1; | |
| sp.mac_length = 20; | |
| sp.mac_key_length = 20; | |
| }, | |
| initConnectionState: initConnectionState | |
| }; | |
| function initConnectionState(state, c, sp) { | |
| var client = (c.entity === forge.tls.ConnectionEnd.client); | |
| // cipher setup | |
| state.read.cipherState = { | |
| init: false, | |
| cipher: forge.cipher.createDecipher('AES-CBC', client ? | |
| sp.keys.server_write_key : sp.keys.client_write_key), | |
| iv: client ? sp.keys.server_write_IV : sp.keys.client_write_IV | |
| }; | |
| state.write.cipherState = { | |
| init: false, | |
| cipher: forge.cipher.createCipher('AES-CBC', client ? | |
| sp.keys.client_write_key : sp.keys.server_write_key), | |
| iv: client ? sp.keys.client_write_IV : sp.keys.server_write_IV | |
| }; | |
| state.read.cipherFunction = decrypt_aes_cbc_sha1; | |
| state.write.cipherFunction = encrypt_aes_cbc_sha1; | |
| // MAC setup | |
| state.read.macLength = state.write.macLength = sp.mac_length; | |
| state.read.macFunction = state.write.macFunction = tls.hmac_sha1; | |
| } | |
| /** | |
| * Encrypts the TLSCompressed record into a TLSCipherText record using AES | |
| * in CBC mode. | |
| * | |
| * @param record the TLSCompressed record to encrypt. | |
| * @param s the ConnectionState to use. | |
| * | |
| * @return true on success, false on failure. | |
| */ | |
| function encrypt_aes_cbc_sha1(record, s) { | |
| var rval = false; | |
| // append MAC to fragment, update sequence number | |
| var mac = s.macFunction(s.macKey, s.sequenceNumber, record); | |
| record.fragment.putBytes(mac); | |
| s.updateSequenceNumber(); | |
| // TLS 1.1+ use an explicit IV every time to protect against CBC attacks | |
| var iv; | |
| if(record.version.minor === tls.Versions.TLS_1_0.minor) { | |
| // use the pre-generated IV when initializing for TLS 1.0, otherwise use | |
| // the residue from the previous encryption | |
| iv = s.cipherState.init ? null : s.cipherState.iv; | |
| } else { | |
| iv = forge.random.getBytesSync(16); | |
| } | |
| s.cipherState.init = true; | |
| // start cipher | |
| var cipher = s.cipherState.cipher; | |
| cipher.start({iv: iv}); | |
| // TLS 1.1+ write IV into output | |
| if(record.version.minor >= tls.Versions.TLS_1_1.minor) { | |
| cipher.output.putBytes(iv); | |
| } | |
| // do encryption (default padding is appropriate) | |
| cipher.update(record.fragment); | |
| if(cipher.finish(encrypt_aes_cbc_sha1_padding)) { | |
| // set record fragment to encrypted output | |
| record.fragment = cipher.output; | |
| record.length = record.fragment.length(); | |
| rval = true; | |
| } | |
| return rval; | |
| } | |
| /** | |
| * Handles padding for aes_cbc_sha1 in encrypt mode. | |
| * | |
| * @param blockSize the block size. | |
| * @param input the input buffer. | |
| * @param decrypt true in decrypt mode, false in encrypt mode. | |
| * | |
| * @return true on success, false on failure. | |
| */ | |
| function encrypt_aes_cbc_sha1_padding(blockSize, input, decrypt) { | |
| /* The encrypted data length (TLSCiphertext.length) is one more than the sum | |
| of SecurityParameters.block_length, TLSCompressed.length, | |
| SecurityParameters.mac_length, and padding_length. | |
| The padding may be any length up to 255 bytes long, as long as it results in | |
| the TLSCiphertext.length being an integral multiple of the block length. | |
| Lengths longer than necessary might be desirable to frustrate attacks on a | |
| protocol based on analysis of the lengths of exchanged messages. Each uint8 | |
| in the padding data vector must be filled with the padding length value. | |
| The padding length should be such that the total size of the | |
| GenericBlockCipher structure is a multiple of the cipher's block length. | |
| Legal values range from zero to 255, inclusive. This length specifies the | |
| length of the padding field exclusive of the padding_length field itself. | |
| This is slightly different from PKCS#7 because the padding value is 1 | |
| less than the actual number of padding bytes if you include the | |
| padding_length uint8 itself as a padding byte. */ | |
| if(!decrypt) { | |
| // get the number of padding bytes required to reach the blockSize and | |
| // subtract 1 for the padding value (to make room for the padding_length | |
| // uint8) | |
| var padding = blockSize - (input.length() % blockSize); | |
| input.fillWithByte(padding - 1, padding); | |
| } | |
| return true; | |
| } | |
| /** | |
| * Handles padding for aes_cbc_sha1 in decrypt mode. | |
| * | |
| * @param blockSize the block size. | |
| * @param output the output buffer. | |
| * @param decrypt true in decrypt mode, false in encrypt mode. | |
| * | |
| * @return true on success, false on failure. | |
| */ | |
| function decrypt_aes_cbc_sha1_padding(blockSize, output, decrypt) { | |
| var rval = true; | |
| if(decrypt) { | |
| /* The last byte in the output specifies the number of padding bytes not | |
| including itself. Each of the padding bytes has the same value as that | |
| last byte (known as the padding_length). Here we check all padding | |
| bytes to ensure they have the value of padding_length even if one of | |
| them is bad in order to ward-off timing attacks. */ | |
| var len = output.length(); | |
| var paddingLength = output.last(); | |
| for(var i = len - 1 - paddingLength; i < len - 1; ++i) { | |
| rval = rval && (output.at(i) == paddingLength); | |
| } | |
| if(rval) { | |
| // trim off padding bytes and last padding length byte | |
| output.truncate(paddingLength + 1); | |
| } | |
| } | |
| return rval; | |
| } | |
| /** | |
| * Decrypts a TLSCipherText record into a TLSCompressed record using | |
| * AES in CBC mode. | |
| * | |
| * @param record the TLSCipherText record to decrypt. | |
| * @param s the ConnectionState to use. | |
| * | |
| * @return true on success, false on failure. | |
| */ | |
| function decrypt_aes_cbc_sha1(record, s) { | |
| var rval = false; | |
| var iv; | |
| if(record.version.minor === tls.Versions.TLS_1_0.minor) { | |
| // use pre-generated IV when initializing for TLS 1.0, otherwise use the | |
| // residue from the previous decryption | |
| iv = s.cipherState.init ? null : s.cipherState.iv; | |
| } else { | |
| // TLS 1.1+ use an explicit IV every time to protect against CBC attacks | |
| // that is appended to the record fragment | |
| iv = record.fragment.getBytes(16); | |
| } | |
| s.cipherState.init = true; | |
| // start cipher | |
| var cipher = s.cipherState.cipher; | |
| cipher.start({iv: iv}); | |
| // do decryption | |
| cipher.update(record.fragment); | |
| rval = cipher.finish(decrypt_aes_cbc_sha1_padding); | |
| // even if decryption fails, keep going to minimize timing attacks | |
| // decrypted data: | |
| // first (len - 20) bytes = application data | |
| // last 20 bytes = MAC | |
| var macLen = s.macLength; | |
| // create a random MAC to check against should the mac length check fail | |
| // Note: do this regardless of the failure to keep timing consistent | |
| var mac = forge.random.getBytesSync(macLen); | |
| // get fragment and mac | |
| var len = cipher.output.length(); | |
| if(len >= macLen) { | |
| record.fragment = cipher.output.getBytes(len - macLen); | |
| mac = cipher.output.getBytes(macLen); | |
| } else { | |
| // bad data, but get bytes anyway to try to keep timing consistent | |
| record.fragment = cipher.output.getBytes(); | |
| } | |
| record.fragment = forge.util.createBuffer(record.fragment); | |
| record.length = record.fragment.length(); | |
| // see if data integrity checks out, update sequence number | |
| var mac2 = s.macFunction(s.macKey, s.sequenceNumber, record); | |
| s.updateSequenceNumber(); | |
| rval = compareMacs(s.macKey, mac, mac2) && rval; | |
| return rval; | |
| } | |
| /** | |
| * Safely compare two MACs. This function will compare two MACs in a way | |
| * that protects against timing attacks. | |
| * | |
| * TODO: Expose elsewhere as a utility API. | |
| * | |
| * See: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/ | |
| * | |
| * @param key the MAC key to use. | |
| * @param mac1 as a binary-encoded string of bytes. | |
| * @param mac2 as a binary-encoded string of bytes. | |
| * | |
| * @return true if the MACs are the same, false if not. | |
| */ | |
| function compareMacs(key, mac1, mac2) { | |
| var hmac = forge.hmac.create(); | |
| hmac.start('SHA1', key); | |
| hmac.update(mac1); | |
| mac1 = hmac.digest().getBytes(); | |
| hmac.start(null, null); | |
| hmac.update(mac2); | |
| mac2 = hmac.digest().getBytes(); | |
| return mac1 === mac2; | |
| } | |