[thirdparty/strongswan.git] / src / libtls / tls_aead_impl.c

/*
 * Copyright (C) 2014 Martin Willi
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "tls_aead.h"

typedef struct private_tls_aead_t private_tls_aead_t;

/**
 * Private data of an tls_aead_t object.
 */
struct private_tls_aead_t {

	/**
	 * Public tls_aead_t interface.
	 */
	tls_aead_t public;

	/**
	 * traditional crypter
	 */
	crypter_t *crypter;

	/**
	 * traditional signer
	 */
	signer_t *signer;

	/**
	 * Next implicit IV
	 */
	chunk_t iv;
};

/**
 * Associated header data to create signature over
 */
typedef struct __attribute__((__packed__)) {
	uint64_t seq;
	uint8_t type;
	uint16_t version;
	uint16_t length;
} sigheader_t;

METHOD(tls_aead_t, encrypt, bool,
	private_tls_aead_t *this, tls_version_t version,
	tls_content_type_t *type, uint64_t seq, chunk_t *data)
{
	chunk_t assoc, mac, padding;
	uint8_t bs, padlen;
	sigheader_t hdr;

	hdr.type = *type;
	htoun64(&hdr.seq, seq);
	htoun16(&hdr.version, version);
	htoun16(&hdr.length, data->len);

	assoc = chunk_from_thing(hdr);
	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
		!this->signer->allocate_signature(this->signer, *data, &mac))
	{
		return FALSE;
	}
	bs = this->crypter->get_block_size(this->crypter);
	padlen = pad_len(data->len + mac.len + 1, bs);

	padding = chunk_alloca(padlen);
	memset(padding.ptr, padlen, padding.len);

	*data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen));
	/* encrypt inline */
	if (!this->crypter->encrypt(this->crypter, *data, this->iv, NULL))
	{
		return FALSE;
	}
	if (data->len < this->iv.len)
	{
		return FALSE;
	}
	/* next record IV is last ciphertext block of this record */
	memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len);
	return TRUE;
}

METHOD(tls_aead_t, decrypt, bool,
	private_tls_aead_t *this, tls_version_t version,
	tls_content_type_t *type, uint64_t seq, chunk_t *data)
{
	chunk_t assoc, mac, iv;
	uint8_t bs, padlen;
	sigheader_t hdr;
	size_t i;

	bs = this->crypter->get_block_size(this->crypter);
	if (data->len < bs || data->len < this->iv.len || data->len % bs)
	{
		return FALSE;
	}
	iv = chunk_alloca(this->iv.len);
	memcpy(iv.ptr, this->iv.ptr, this->iv.len);
	memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len);
	if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
	{
		return FALSE;
	}
	padlen = data->ptr[data->len - 1];
	if (padlen < data->len)
	{	/* If padding looks valid, remove it */
		for (i = data->len - padlen - 1; i < data->len - 1; i++)
		{
			if (data->ptr[i] != padlen)
			{
				return FALSE;
			}
		}
		data->len -= padlen + 1;
	}

	bs = this->signer->get_block_size(this->signer);
	if (data->len < bs)
	{
		return FALSE;
	}
	mac = chunk_skip(*data, data->len - bs);
	data->len -= bs;

	hdr.type = *type;
	htoun64(&hdr.seq, seq);
	htoun16(&hdr.version, version);
	htoun16(&hdr.length, data->len);

	assoc = chunk_from_thing(hdr);
	if (!this->signer->get_signature(this->signer, assoc, NULL) ||
		!this->signer->verify_signature(this->signer, *data, mac))
	{
		return FALSE;
	}
	return TRUE;
}

METHOD(tls_aead_t, get_mac_key_size, size_t,
	private_tls_aead_t *this)
{
	return this->signer->get_key_size(this->signer);
}

METHOD(tls_aead_t, get_encr_key_size, size_t,
	private_tls_aead_t *this)
{
	return this->crypter->get_key_size(this->crypter);
}

METHOD(tls_aead_t, get_iv_size, size_t,
	private_tls_aead_t *this)
{
	return this->iv.len;
}

METHOD(tls_aead_t, set_keys, bool,
	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
{
	if (iv.len != this->iv.len)
	{
		return FALSE;
	}
	memcpy(this->iv.ptr, iv.ptr, this->iv.len);
	return this->signer->set_key(this->signer, mac) &&
		   this->crypter->set_key(this->crypter, encr);
}

METHOD(tls_aead_t, destroy, void,
	private_tls_aead_t *this)
{
	DESTROY_IF(this->crypter);
	DESTROY_IF(this->signer);
	chunk_free(&this->iv);
	free(this);
}

/**
 * See header
 */
tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac,
								encryption_algorithm_t encr, size_t encr_size)
{
	private_tls_aead_t *this;

	INIT(this,
		.public = {
			.encrypt = _encrypt,
			.decrypt = _decrypt,
			.get_mac_key_size = _get_mac_key_size,
			.get_encr_key_size = _get_encr_key_size,
			.get_iv_size = _get_iv_size,
			.set_keys = _set_keys,
			.destroy = _destroy,
		},
		.crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
		.signer = lib->crypto->create_signer(lib->crypto, mac),
	);

	if (!this->crypter || !this->signer)
	{
		destroy(this);
		return NULL;
	}

	this->iv = chunk_alloc(this->crypter->get_iv_size(this->crypter));

	return &this->public;
}
Commit	Line	Data
d3204677 MW	1	/*
d3204677 MW	2	* Copyright (C) 2014 Martin Willi
19ef2aec TB	3	*
19ef2aec TB	4	* Copyright (C) secunet Security Networks AG
d3204677 MW	5	*
	6	* This program is free software; you can redistribute it and/or modify it
	7	* under the terms of the GNU General Public License as published by the
	8	* Free Software Foundation; either version 2 of the License, or (at your
	9	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	10	*
	11	* This program is distributed in the hope that it will be useful, but
	12	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	13	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	14	* for more details.
	15	*/
	16
	17	#include "tls_aead.h"
	18
	19	typedef struct private_tls_aead_t private_tls_aead_t;
	20
	21	/**
	22	* Private data of an tls_aead_t object.
	23	*/
	24	struct private_tls_aead_t {
	25
	26	/**
	27	* Public tls_aead_t interface.
	28	*/
	29	tls_aead_t public;
	30
	31	/**
	32	* traditional crypter
	33	*/
	34	crypter_t *crypter;
	35
	36	/**
	37	* traditional signer
	38	*/
	39	signer_t *signer;
	40
	41	/**
	42	* Next implicit IV
	43	*/
	44	chunk_t iv;
	45	};
	46
	47	/**
	48	* Associated header data to create signature over
	49	*/
	50	typedef struct __attribute__((__packed__)) {
b12c53ce AS	51	uint64_t seq;
	52	uint8_t type;
	53	uint16_t version;
	54	uint16_t length;
d3204677 MW	55	} sigheader_t;
	56
	57	METHOD(tls_aead_t, encrypt, bool,
	58	private_tls_aead_t *this, tls_version_t version,
ba2bcdd8	59	tls_content_type_t type, uint64_t seq, chunk_t data)
d3204677 MW	60	{
d3204677 MW	61	chunk_t assoc, mac, padding;
b12c53ce	62	uint8_t bs, padlen;
d3204677 MW	63	sigheader_t hdr;
d3204677 MW	64
ba2bcdd8	65	hdr.type = *type;
d3204677 MW	66	htoun64(&hdr.seq, seq);
	67	htoun16(&hdr.version, version);
	68	htoun16(&hdr.length, data->len);
	69
	70	assoc = chunk_from_thing(hdr);
	71	if (!this->signer->get_signature(this->signer, assoc, NULL) \|\|
	72	!this->signer->allocate_signature(this->signer, *data, &mac))
	73	{
	74	return FALSE;
	75	}
	76	bs = this->crypter->get_block_size(this->crypter);
	77	padlen = pad_len(data->len + mac.len + 1, bs);
	78
	79	padding = chunk_alloca(padlen);
	80	memset(padding.ptr, padlen, padding.len);
	81
	82	data = chunk_cat("mmcc", data, mac, padding, chunk_from_thing(padlen));
	83	/* encrypt inline */
	84	if (!this->crypter->encrypt(this->crypter, *data, this->iv, NULL))
	85	{
	86	return FALSE;
	87	}
	88	if (data->len < this->iv.len)
	89	{
	90	return FALSE;
	91	}
	92	/* next record IV is last ciphertext block of this record */
	93	memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len);
	94	return TRUE;
	95	}
	96
	97	METHOD(tls_aead_t, decrypt, bool,
	98	private_tls_aead_t *this, tls_version_t version,
ba2bcdd8	99	tls_content_type_t type, uint64_t seq, chunk_t data)
d3204677 MW	100	{
d3204677 MW	101	chunk_t assoc, mac, iv;
b12c53ce	102	uint8_t bs, padlen;
d3204677	103	sigheader_t hdr;
c0bf7213	104	size_t i;
d3204677 MW	105
	106	bs = this->crypter->get_block_size(this->crypter);
	107	if (data->len < bs \|\| data->len < this->iv.len \|\| data->len % bs)
	108	{
	109	return FALSE;
	110	}
	111	iv = chunk_alloca(this->iv.len);
	112	memcpy(iv.ptr, this->iv.ptr, this->iv.len);
	113	memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len);
	114	if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
	115	{
	116	return FALSE;
	117	}
	118	padlen = data->ptr[data->len - 1];
	119	if (padlen < data->len)
	120	{ /* If padding looks valid, remove it */
c0bf7213 MW	121	for (i = data->len - padlen - 1; i < data->len - 1; i++)
	122	{
	123	if (data->ptr[i] != padlen)
	124	{
	125	return FALSE;
	126	}
	127	}
d3204677 MW	128	data->len -= padlen + 1;
	129	}
	130
	131	bs = this->signer->get_block_size(this->signer);
	132	if (data->len < bs)
	133	{
	134	return FALSE;
	135	}
	136	mac = chunk_skip(*data, data->len - bs);
	137	data->len -= bs;
	138
ba2bcdd8	139	hdr.type = *type;
d3204677 MW	140	htoun64(&hdr.seq, seq);
	141	htoun16(&hdr.version, version);
	142	htoun16(&hdr.length, data->len);
	143
	144	assoc = chunk_from_thing(hdr);
	145	if (!this->signer->get_signature(this->signer, assoc, NULL) \|\|
	146	!this->signer->verify_signature(this->signer, *data, mac))
	147	{
	148	return FALSE;
	149	}
	150	return TRUE;
	151	}
	152
	153	METHOD(tls_aead_t, get_mac_key_size, size_t,
	154	private_tls_aead_t *this)
	155	{
	156	return this->signer->get_key_size(this->signer);
	157	}
	158
	159	METHOD(tls_aead_t, get_encr_key_size, size_t,
	160	private_tls_aead_t *this)
	161	{
	162	return this->crypter->get_key_size(this->crypter);
	163	}
	164
	165	METHOD(tls_aead_t, get_iv_size, size_t,
	166	private_tls_aead_t *this)
	167	{
	168	return this->iv.len;
	169	}
	170
	171	METHOD(tls_aead_t, set_keys, bool,
	172	private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
	173	{
	174	if (iv.len != this->iv.len)
	175	{
	176	return FALSE;
	177	}
	178	memcpy(this->iv.ptr, iv.ptr, this->iv.len);
	179	return this->signer->set_key(this->signer, mac) &&
	180	this->crypter->set_key(this->crypter, encr);
	181	}
	182
	183	METHOD(tls_aead_t, destroy, void,
	184	private_tls_aead_t *this)
	185	{
	186	DESTROY_IF(this->crypter);
	187	DESTROY_IF(this->signer);
	188	chunk_free(&this->iv);
	189	free(this);
	190	}
	191
	192	/**
	193	* See header
	194	*/
	195	tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac,
	196	encryption_algorithm_t encr, size_t encr_size)
	197	{
	198	private_tls_aead_t *this;
	199
	200	INIT(this,
	201	.public = {
	202	.encrypt = _encrypt,
	203	.decrypt = _decrypt,
d3204677 MW	204	.get_mac_key_size = _get_mac_key_size,
	205	.get_encr_key_size = _get_encr_key_size,
	206	.get_iv_size = _get_iv_size,
	207	.set_keys = _set_keys,
	208	.destroy = _destroy,
	209	},
	210	.crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
	211	.signer = lib->crypto->create_signer(lib->crypto, mac),
	212	);
	213
	214	if (!this->crypter \|\| !this->signer)
	215	{
	216	destroy(this);
	217	return NULL;
	218	}
	219
	220	this->iv = chunk_alloc(this->crypter->get_iv_size(this->crypter));
	221
	222	return &this->public;
	223	}