1 // Copyright 2005-2019 The Mumble Developers. All rights reserved.
2 // Use of this source code is governed by a BSD-style license
3 // that can be found in the LICENSE file at the root of the
4 // Mumble source tree or at <https://www.mumble.info/LICENSE>.
5
6 /*
7 * This code implements OCB-AES128.
8 * In the US, OCB is covered by patents. The inventor has given a license
9 * to all programs distributed under the GPL.
10 * Mumble is BSD (revised) licensed, meaning you can use the code in a
11 * closed-source program. If you do, you'll have to either replace
12 * OCB with something else or get yourself a license.
13 */
14
15 #ifdef MUMBLE
16 #include "mumble_pch.hpp"
17 #else
18 #include "murmur_pch.h"
19 #endif
20
21 #include "CryptState.h"
22
23 #include "ByteSwap.h"
24
CryptState()25 CryptState::CryptState() {
26 for (int i=0;i<0x100;i++)
27 decrypt_history[i] = 0;
28 bInit = false;
29 memset(raw_key, 0, AES_KEY_SIZE_BYTES);
30 memset(encrypt_iv, 0, AES_BLOCK_SIZE);
31 memset(decrypt_iv, 0, AES_BLOCK_SIZE);
32 uiGood=uiLate=uiLost=uiResync=0;
33 uiRemoteGood=uiRemoteLate=uiRemoteLost=uiRemoteResync=0;
34 }
35
isValid() const36 bool CryptState::isValid() const {
37 return bInit;
38 }
39
genKey()40 void CryptState::genKey() {
41 RAND_bytes(raw_key, AES_KEY_SIZE_BYTES);
42 RAND_bytes(encrypt_iv, AES_BLOCK_SIZE);
43 RAND_bytes(decrypt_iv, AES_BLOCK_SIZE);
44 AES_set_encrypt_key(raw_key, AES_KEY_SIZE_BITS, &encrypt_key);
45 AES_set_decrypt_key(raw_key, AES_KEY_SIZE_BITS, &decrypt_key);
46 bInit = true;
47 }
48
setKey(const unsigned char * rkey,const unsigned char * eiv,const unsigned char * div)49 void CryptState::setKey(const unsigned char *rkey, const unsigned char *eiv, const unsigned char *div) {
50 memcpy(raw_key, rkey, AES_KEY_SIZE_BYTES);
51 memcpy(encrypt_iv, eiv, AES_BLOCK_SIZE);
52 memcpy(decrypt_iv, div, AES_BLOCK_SIZE);
53 AES_set_encrypt_key(raw_key, AES_KEY_SIZE_BITS, &encrypt_key);
54 AES_set_decrypt_key(raw_key, AES_KEY_SIZE_BITS, &decrypt_key);
55 bInit = true;
56 }
57
setDecryptIV(const unsigned char * iv)58 void CryptState::setDecryptIV(const unsigned char *iv) {
59 memcpy(decrypt_iv, iv, AES_BLOCK_SIZE);
60 }
61
encrypt(const unsigned char * source,unsigned char * dst,unsigned int plain_length)62 bool CryptState::encrypt(const unsigned char *source, unsigned char *dst, unsigned int plain_length) {
63 unsigned char tag[AES_BLOCK_SIZE];
64
65 // First, increase our IV.
66 for (int i=0;i<AES_BLOCK_SIZE;i++)
67 if (++encrypt_iv[i])
68 break;
69
70 if (!ocb_encrypt(source, dst+4, plain_length, encrypt_iv, tag)) {
71 return false;
72 }
73
74 dst[0] = encrypt_iv[0];
75 dst[1] = tag[0];
76 dst[2] = tag[1];
77 dst[3] = tag[2];
78 return true;
79 }
80
decrypt(const unsigned char * source,unsigned char * dst,unsigned int crypted_length)81 bool CryptState::decrypt(const unsigned char *source, unsigned char *dst, unsigned int crypted_length) {
82 if (crypted_length < 4)
83 return false;
84
85 unsigned int plain_length = crypted_length - 4;
86
87 unsigned char saveiv[AES_BLOCK_SIZE];
88 unsigned char ivbyte = source[0];
89 bool restore = false;
90 unsigned char tag[AES_BLOCK_SIZE];
91
92 int lost = 0;
93 int late = 0;
94
95 memcpy(saveiv, decrypt_iv, AES_BLOCK_SIZE);
96
97 if (((decrypt_iv[0] + 1) & 0xFF) == ivbyte) {
98 // In order as expected.
99 if (ivbyte > decrypt_iv[0]) {
100 decrypt_iv[0] = ivbyte;
101 } else if (ivbyte < decrypt_iv[0]) {
102 decrypt_iv[0] = ivbyte;
103 for (int i=1;i<AES_BLOCK_SIZE;i++)
104 if (++decrypt_iv[i])
105 break;
106 } else {
107 return false;
108 }
109 } else {
110 // This is either out of order or a repeat.
111
112 int diff = ivbyte - decrypt_iv[0];
113 if (diff > 128)
114 diff = diff-256;
115 else if (diff < -128)
116 diff = diff+256;
117
118 if ((ivbyte < decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
119 // Late packet, but no wraparound.
120 late = 1;
121 lost = -1;
122 decrypt_iv[0] = ivbyte;
123 restore = true;
124 } else if ((ivbyte > decrypt_iv[0]) && (diff > -30) && (diff < 0)) {
125 // Last was 0x02, here comes 0xff from last round
126 late = 1;
127 lost = -1;
128 decrypt_iv[0] = ivbyte;
129 for (int i=1;i<AES_BLOCK_SIZE;i++)
130 if (decrypt_iv[i]--)
131 break;
132 restore = true;
133 } else if ((ivbyte > decrypt_iv[0]) && (diff > 0)) {
134 // Lost a few packets, but beyond that we're good.
135 lost = ivbyte - decrypt_iv[0] - 1;
136 decrypt_iv[0] = ivbyte;
137 } else if ((ivbyte < decrypt_iv[0]) && (diff > 0)) {
138 // Lost a few packets, and wrapped around
139 lost = 256 - decrypt_iv[0] + ivbyte - 1;
140 decrypt_iv[0] = ivbyte;
141 for (int i=1;i<AES_BLOCK_SIZE;i++)
142 if (++decrypt_iv[i])
143 break;
144 } else {
145 return false;
146 }
147
148 if (decrypt_history[decrypt_iv[0]] == decrypt_iv[1]) {
149 memcpy(decrypt_iv, saveiv, AES_BLOCK_SIZE);
150 return false;
151 }
152 }
153
154 bool ocb_success = ocb_decrypt(source+4, dst, plain_length, decrypt_iv, tag);
155
156 if (!ocb_success || memcmp(tag, source+1, 3) != 0) {
157 memcpy(decrypt_iv, saveiv, AES_BLOCK_SIZE);
158 return false;
159 }
160 decrypt_history[decrypt_iv[0]] = decrypt_iv[1];
161
162 if (restore)
163 memcpy(decrypt_iv, saveiv, AES_BLOCK_SIZE);
164
165 uiGood++;
166 uiLate += late;
167 uiLost += lost;
168
169 tLastGood.restart();
170 return true;
171 }
172
173 #if defined(__LP64__)
174
175 #define BLOCKSIZE 2
176 #define SHIFTBITS 63
177 typedef quint64 subblock;
178
179 #define SWAPPED(x) SWAP64(x)
180
181 #else
182 #define BLOCKSIZE 4
183 #define SHIFTBITS 31
184 typedef quint32 subblock;
185 #define SWAPPED(x) htonl(x)
186 #endif
187
188 typedef subblock keyblock[BLOCKSIZE];
189
190 #define HIGHBIT (1<<SHIFTBITS);
191
192
XOR(subblock * dst,const subblock * a,const subblock * b)193 static void inline XOR(subblock *dst, const subblock *a, const subblock *b) {
194 for (int i=0;i<BLOCKSIZE;i++) {
195 dst[i] = a[i] ^ b[i];
196 }
197 }
198
S2(subblock * block)199 static void inline S2(subblock *block) {
200 subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
201 for (int i=0;i<BLOCKSIZE-1;i++)
202 block[i] = SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i+1]) >> SHIFTBITS));
203 block[BLOCKSIZE-1] = SWAPPED((SWAPPED(block[BLOCKSIZE-1]) << 1) ^(carry * 0x87));
204 }
205
S3(subblock * block)206 static void inline S3(subblock *block) {
207 subblock carry = SWAPPED(block[0]) >> SHIFTBITS;
208 for (int i=0;i<BLOCKSIZE-1;i++)
209 block[i] ^= SWAPPED((SWAPPED(block[i]) << 1) | (SWAPPED(block[i+1]) >> SHIFTBITS));
210 block[BLOCKSIZE-1] ^= SWAPPED((SWAPPED(block[BLOCKSIZE-1]) << 1) ^(carry * 0x87));
211 }
212
ZERO(keyblock & block)213 static void inline ZERO(keyblock &block) {
214 for (int i=0;i<BLOCKSIZE;i++)
215 block[i]=0;
216 }
217
218 #define AESencrypt(src,dst,key) AES_encrypt(reinterpret_cast<const unsigned char *>(src),reinterpret_cast<unsigned char *>(dst), key);
219 #define AESdecrypt(src,dst,key) AES_decrypt(reinterpret_cast<const unsigned char *>(src),reinterpret_cast<unsigned char *>(dst), key);
220
ocb_encrypt(const unsigned char * plain,unsigned char * encrypted,unsigned int len,const unsigned char * nonce,unsigned char * tag)221 bool CryptState::ocb_encrypt(const unsigned char *plain, unsigned char *encrypted, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
222 keyblock checksum, delta, tmp, pad;
223 bool success = true;
224
225 // Initialize
226 AESencrypt(nonce, delta, &encrypt_key);
227 ZERO(checksum);
228
229 while (len > AES_BLOCK_SIZE) {
230 S2(delta);
231 XOR(tmp, delta, reinterpret_cast<const subblock *>(plain));
232 AESencrypt(tmp, tmp, &encrypt_key);
233 XOR(reinterpret_cast<subblock *>(encrypted), delta, tmp);
234 XOR(checksum, checksum, reinterpret_cast<const subblock *>(plain));
235
236 // Counter-cryptanalysis described in section 9 of https://eprint.iacr.org/2019/311
237 // For an attack, the second to last block (i.e. the last iteration of this loop)
238 // must be all 0 except for the last byte (which may be 0 - 128).
239 if (len - AES_BLOCK_SIZE <= AES_BLOCK_SIZE) {
240 unsigned char sum = 0;
241 for (int i = 0; i < AES_BLOCK_SIZE - 1; ++i) {
242 sum |= plain[i];
243 }
244 success &= sum != 0;
245 }
246
247 len -= AES_BLOCK_SIZE;
248 plain += AES_BLOCK_SIZE;
249 encrypted += AES_BLOCK_SIZE;
250 }
251
252 S2(delta);
253 ZERO(tmp);
254 tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
255 XOR(tmp, tmp, delta);
256 AESencrypt(tmp, pad, &encrypt_key);
257 memcpy(tmp, plain, len);
258 memcpy(reinterpret_cast<unsigned char *>(tmp)+len, reinterpret_cast<const unsigned char *>(pad)+len, AES_BLOCK_SIZE - len);
259 XOR(checksum, checksum, tmp);
260 XOR(tmp, pad, tmp);
261 memcpy(encrypted, tmp, len);
262
263 S3(delta);
264 XOR(tmp, delta, checksum);
265 AESencrypt(tmp, tag, &encrypt_key);
266
267 return success;
268 }
269
ocb_decrypt(const unsigned char * encrypted,unsigned char * plain,unsigned int len,const unsigned char * nonce,unsigned char * tag)270 bool CryptState::ocb_decrypt(const unsigned char *encrypted, unsigned char *plain, unsigned int len, const unsigned char *nonce, unsigned char *tag) {
271 keyblock checksum, delta, tmp, pad;
272 bool success = true;
273
274 // Initialize
275 AESencrypt(nonce, delta, &encrypt_key);
276 ZERO(checksum);
277
278 while (len > AES_BLOCK_SIZE) {
279 S2(delta);
280 XOR(tmp, delta, reinterpret_cast<const subblock *>(encrypted));
281 AESdecrypt(tmp, tmp, &decrypt_key);
282 XOR(reinterpret_cast<subblock *>(plain), delta, tmp);
283 XOR(checksum, checksum, reinterpret_cast<const subblock *>(plain));
284 len -= AES_BLOCK_SIZE;
285 plain += AES_BLOCK_SIZE;
286 encrypted += AES_BLOCK_SIZE;
287 }
288
289 S2(delta);
290 ZERO(tmp);
291 tmp[BLOCKSIZE - 1] = SWAPPED(len * 8);
292 XOR(tmp, tmp, delta);
293 AESencrypt(tmp, pad, &encrypt_key);
294 memset(tmp, 0, AES_BLOCK_SIZE);
295 memcpy(tmp, encrypted, len);
296 XOR(tmp, tmp, pad);
297 XOR(checksum, checksum, tmp);
298 memcpy(plain, tmp, len);
299
300 // Counter-cryptanalysis described in section 9 of https://eprint.iacr.org/2019/311
301 // In an attack, the decrypted last block would need to equal `delta ^ len(128)`.
302 // With a bit of luck (or many packets), smaller values than 128 (i.e. non-full blocks) are also
303 // feasible, so we check `tmp` instead of `plain`.
304 // Since our `len` only ever modifies the last byte, we simply check all remaining ones.
305 if (memcmp(tmp, delta, AES_BLOCK_SIZE - 1) == 0) {
306 success = false;
307 }
308
309 S3(delta);
310 XOR(tmp, delta, checksum);
311 AESencrypt(tmp, tag, &encrypt_key);
312
313 return success;
314 }
315