projects / BoarSSL / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Initial commit.
[BoarSSL] / SSLTLS / RecordEncryptGCM.cs
1 /*
2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 using System;
26 using System.Text;
27
28 using Crypto;
29
30 namespace SSLTLS {
31
32 internal class RecordEncryptGCM : RecordEncrypt {
33
34 IBlockCipher bc;
35 byte[] iv;
36 byte[] h;
37 ulong seq;
38 byte[] tmp, tag;
39
40 internal RecordEncryptGCM(IBlockCipher bc, byte[] iv)
41 {
42 this.bc = bc;
43 this.iv = new byte[12];
44 Array.Copy(iv, 0, this.iv, 0, 4);
45 h = new byte[16];
46 bc.BlockEncrypt(h);
47 seq = 0;
48 tag = new byte[16];
49 tmp = new byte[29];
50 }
51
52 internal override void GetMaxPlaintext(ref int start, ref int end)
53 {
54 /*
55 * We need room at the start for the record header (5 bytes)
56 * and the explicit nonce (8 bytes). We need room at the end
57 * for the MAC (16 bytes).
58 */
59 start += 13;
60 end -= 16;
61 int len = Math.Min(end - start, 16384);
62 end = start + len;
63 }
64
65 internal override void Encrypt(int recordType, int version,
66 byte[] data, ref int off, ref int len)
67 {
68 /*
69 * Explicit nonce is the encoded sequence number. We
70 * encrypt the data itself; the counter starts at 2
71 * (value 1 is for the authentication tag).
72 */
73 IO.Enc64be(seq, data, off - 8);
74 Array.Copy(data, off - 8, iv, 4, 8);
75 bc.CTRRun(iv, 2, data, off, len);
76
77 /*
78 * For the authentication tag:
79 * header = sequence + 5-byte "plain" header
80 * footer = the two relevant lengths (in bits)
81 */
82 IO.Enc64be(seq, tmp, 0);
83 IO.WriteHeader(recordType, version, len, tmp, 8);
84 IO.Enc64be(13 << 3, tmp, 13);
85 IO.Enc64be((ulong)len << 3, tmp, 21);
86
87 /*
88 * Compute clear authentication tag.
89 */
90 for (int i = 0; i < 16; i ++) {
91 tag[i] = 0;
92 }
93 GHASH.Run(tag, h, tmp, 0, 13);
94 GHASH.Run(tag, h, data, off, len);
95 GHASH.Run(tag, h, tmp, 13, 16);
96
97 /*
98 * Copy authentication tag and apply final encryption on it.
99 */
100 Array.Copy(tag, 0, data, off + len, 16);
101 bc.CTRRun(iv, 1, data, off + len, 16);
102
103 /*
104 * Each record uses one sequence number.
105 */
106 seq ++;
107
108 /*
109 * Write encrypted header and return adjusted offset/length.
110 */
111 off -= 13;
112 len += 24;
113 IO.WriteHeader(recordType, version, len, data, off);
114 len += 5;
115 }
116 }
117
118 }
Unnamed repository; edit this file 'description' to name the repository.