improved signal handling and emitting
[strongswan.git] / src / charon / encoding / payloads / encryption_payload.c
1 /**
2 * @file encryption_payload.c
3 *
4 * @brief Implementation of encryption_payload_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2006 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #include <stddef.h>
25 #include <string.h>
26
27 #include "encryption_payload.h"
28
29 #include <daemon.h>
30 #include <encoding/payloads/encodings.h>
31 #include <utils/linked_list.h>
32 #include <encoding/generator.h>
33 #include <encoding/parser.h>
34 #include <utils/iterator.h>
35 #include <utils/randomizer.h>
36 #include <crypto/signers/signer.h>
37
38
39 typedef struct private_encryption_payload_t private_encryption_payload_t;
40
41 /**
42 * Private data of an encryption_payload_t' Object.
43 *
44 */
45 struct private_encryption_payload_t {
46
47 /**
48 * Public encryption_payload_t interface.
49 */
50 encryption_payload_t public;
51
52 /**
53 * There is no next payload for an encryption payload,
54 * since encryption payload MUST be the last one.
55 * next_payload means here the first payload of the
56 * contained, encrypted payload.
57 */
58 u_int8_t next_payload;
59
60 /**
61 * Critical flag.
62 */
63 bool critical;
64
65 /**
66 * Length of this payload
67 */
68 u_int16_t payload_length;
69
70 /**
71 * Chunk containing the iv, data, padding,
72 * and (an eventually not calculated) signature.
73 */
74 chunk_t encrypted;
75
76 /**
77 * Chunk containing the data in decrypted (unpadded) form.
78 */
79 chunk_t decrypted;
80
81 /**
82 * Signer set by set_signer.
83 */
84 signer_t *signer;
85
86 /**
87 * Crypter, supplied by encrypt/decrypt
88 */
89 crypter_t *crypter;
90
91 /**
92 * Contained payloads of this encrpytion_payload.
93 */
94 linked_list_t *payloads;
95 };
96
97 /**
98 * Encoding rules to parse or generate a IKEv2-Encryption Payload.
99 *
100 * The defined offsets are the positions in a object of type
101 * private_encryption_payload_t.
102 *
103 */
104 encoding_rule_t encryption_payload_encodings[] = {
105 /* 1 Byte next payload type, stored in the field next_payload */
106 { U_INT_8, offsetof(private_encryption_payload_t, next_payload) },
107 /* the critical bit */
108 { FLAG, offsetof(private_encryption_payload_t, critical) },
109 /* 7 Bit reserved bits, nowhere stored */
110 { RESERVED_BIT, 0 },
111 { RESERVED_BIT, 0 },
112 { RESERVED_BIT, 0 },
113 { RESERVED_BIT, 0 },
114 { RESERVED_BIT, 0 },
115 { RESERVED_BIT, 0 },
116 { RESERVED_BIT, 0 },
117 /* Length of the whole encryption payload*/
118 { PAYLOAD_LENGTH, offsetof(private_encryption_payload_t, payload_length) },
119 /* encrypted data, stored in a chunk. contains iv, data, padding */
120 { ENCRYPTED_DATA, offsetof(private_encryption_payload_t, encrypted) },
121 };
122
123 /*
124 1 2 3
125 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
126 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
127 ! Next Payload !C! RESERVED ! Payload Length !
128 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
129 ! Initialization Vector !
130 ! (length is block size for encryption algorithm) !
131 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
132 ! Encrypted IKE Payloads !
133 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
134 ! ! Padding (0-255 octets) !
135 +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
136 ! ! Pad Length !
137 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
138 ~ Integrity Checksum Data ~
139 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
140 */
141
142 /**
143 * Implementation of payload_t.verify.
144 */
145 static status_t verify(private_encryption_payload_t *this)
146 {
147 return SUCCESS;
148 }
149
150 /**
151 * Implementation of payload_t.get_encoding_rules.
152 */
153 static void get_encoding_rules(private_encryption_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
154 {
155 *rules = encryption_payload_encodings;
156 *rule_count = sizeof(encryption_payload_encodings) / sizeof(encoding_rule_t);
157 }
158
159 /**
160 * Implementation of payload_t.get_type.
161 */
162 static payload_type_t get_type(private_encryption_payload_t *this)
163 {
164 return ENCRYPTED;
165 }
166
167 /**
168 * Implementation of payload_t.get_next_type.
169 */
170 static payload_type_t get_next_type(private_encryption_payload_t *this)
171 {
172 /* returns first contained payload here */
173 return (this->next_payload);
174 }
175
176 /**
177 * Implementation of payload_t.set_next_type.
178 */
179 static void set_next_type(private_encryption_payload_t *this, payload_type_t type)
180 {
181 /* set next type is not allowed, since this payload MUST be the last one
182 * and so nothing is done in here*/
183 }
184
185 /**
186 * (re-)compute the lenght of the whole payload
187 */
188 static void compute_length(private_encryption_payload_t *this)
189 {
190 iterator_t *iterator;
191 payload_t *current_payload;
192 size_t block_size, length = 0;
193 iterator = this->payloads->create_iterator(this->payloads, TRUE);
194
195 /* count payload length */
196 while (iterator->iterate(iterator, (void **) &current_payload))
197 {
198 length += current_payload->get_length(current_payload);
199 }
200 iterator->destroy(iterator);
201
202 if (this->crypter && this->signer)
203 {
204 /* append one byte for padding length */
205 length++;
206 /* append padding */
207 block_size = this->crypter->get_block_size(this->crypter);
208 length += block_size - length % block_size;
209 /* add iv */
210 length += block_size;
211 /* add signature */
212 length += this->signer->get_block_size(this->signer);
213 }
214 length += ENCRYPTION_PAYLOAD_HEADER_LENGTH;
215 this->payload_length = length;
216 }
217
218 /**
219 * Implementation of payload_t.get_length.
220 */
221 static size_t get_length(private_encryption_payload_t *this)
222 {
223 compute_length(this);
224 return this->payload_length;
225 }
226
227 /**
228 * Implementation of payload_t.create_payload_iterator.
229 */
230 static iterator_t *create_payload_iterator (private_encryption_payload_t *this, bool forward)
231 {
232 return (this->payloads->create_iterator(this->payloads, forward));
233 }
234
235 /**
236 * Implementation of payload_t.add_payload.
237 */
238 static void add_payload(private_encryption_payload_t *this, payload_t *payload)
239 {
240 payload_t *last_payload;
241 if (this->payloads->get_count(this->payloads) > 0)
242 {
243 this->payloads->get_last(this->payloads,(void **) &last_payload);
244 last_payload->set_next_type(last_payload, payload->get_type(payload));
245 }
246 else
247 {
248 this->next_payload = payload->get_type(payload);
249 }
250 payload->set_next_type(payload, NO_PAYLOAD);
251 this->payloads->insert_last(this->payloads, (void*)payload);
252 compute_length(this);
253 }
254
255 /**
256 * Implementation of encryption_payload_t.remove_first_payload.
257 */
258 static status_t remove_first_payload(private_encryption_payload_t *this, payload_t **payload)
259 {
260 return this->payloads->remove_first(this->payloads, (void**)payload);
261 }
262
263 /**
264 * Implementation of encryption_payload_t.get_payload_count.
265 */
266 static size_t get_payload_count(private_encryption_payload_t *this)
267 {
268 return this->payloads->get_count(this->payloads);
269 }
270
271 /**
272 * Generate payload before encryption.
273 */
274 static void generate(private_encryption_payload_t *this)
275 {
276 payload_t *current_payload, *next_payload;
277 generator_t *generator;
278 iterator_t *iterator;
279
280 /* recalculate length before generating */
281 compute_length(this);
282
283 /* create iterator */
284 iterator = this->payloads->create_iterator(this->payloads, TRUE);
285
286 /* get first payload */
287 if (iterator->iterate(iterator, (void**)&current_payload))
288 {
289 this->next_payload = current_payload->get_type(current_payload);
290 }
291 else
292 {
293 /* no paylads? */
294 DBG2(DBG_ENC, "generating contained payloads, but none available");
295 free(this->decrypted.ptr);
296 this->decrypted = CHUNK_INITIALIZER;
297 iterator->destroy(iterator);
298 return;
299 }
300
301 generator = generator_create();
302
303 /* build all payload, except last */
304 while(iterator->iterate(iterator, (void**)&next_payload))
305 {
306 current_payload->set_next_type(current_payload, next_payload->get_type(next_payload));
307 generator->generate_payload(generator, current_payload);
308 current_payload = next_payload;
309 }
310 iterator->destroy(iterator);
311
312 /* build last payload */
313 current_payload->set_next_type(current_payload, NO_PAYLOAD);
314 generator->generate_payload(generator, current_payload);
315
316 /* free already generated data */
317 free(this->decrypted.ptr);
318
319 generator->write_to_chunk(generator, &(this->decrypted));
320 generator->destroy(generator);
321 DBG2(DBG_ENC, "successfully generated content in encryption payload");
322 }
323
324 /**
325 * Implementation of encryption_payload_t.encrypt.
326 */
327 static status_t encrypt(private_encryption_payload_t *this)
328 {
329 chunk_t iv, padding, to_crypt, result;
330 randomizer_t *randomizer;
331 status_t status;
332 size_t block_size;
333
334 if (this->signer == NULL || this->crypter == NULL)
335 {
336 DBG1(DBG_ENC, "could not encrypt, signer/crypter not set");
337 return INVALID_STATE;
338 }
339
340 /* for random data in iv and padding */
341 randomizer = randomizer_create();
342
343 /* build payload chunk */
344 generate(this);
345
346 DBG2(DBG_ENC, "encrypting payloads");
347 DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted);
348
349 /* build padding */
350 block_size = this->crypter->get_block_size(this->crypter);
351 padding.len = block_size - ((this->decrypted.len + 1) % block_size);
352 status = randomizer->allocate_pseudo_random_bytes(randomizer, padding.len, &padding);
353 if (status != SUCCESS)
354 {
355 randomizer->destroy(randomizer);
356 return status;
357 }
358
359 /* concatenate payload data, padding, padding len */
360 to_crypt.len = this->decrypted.len + padding.len + 1;
361 to_crypt.ptr = malloc(to_crypt.len);
362
363 memcpy(to_crypt.ptr, this->decrypted.ptr, this->decrypted.len);
364 memcpy(to_crypt.ptr + this->decrypted.len, padding.ptr, padding.len);
365 *(to_crypt.ptr + to_crypt.len - 1) = padding.len;
366
367 /* build iv */
368 iv.len = block_size;
369 status = randomizer->allocate_pseudo_random_bytes(randomizer, iv.len, &iv);
370 randomizer->destroy(randomizer);
371 if (status != SUCCESS)
372 {
373 chunk_free(&to_crypt);
374 chunk_free(&padding);
375 return status;
376 }
377
378 DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt);
379
380 /* encrypt to_crypt chunk */
381 free(this->encrypted.ptr);
382 status = this->crypter->encrypt(this->crypter, to_crypt, iv, &result);
383 free(padding.ptr);
384 free(to_crypt.ptr);
385 if (status != SUCCESS)
386 {
387 DBG2(DBG_ENC, "encryption failed");
388 free(iv.ptr);
389 return status;
390 }
391 DBG3(DBG_ENC, "data after encryption %B", &result);
392
393 /* build encrypted result with iv and signature */
394 this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
395 free(this->encrypted.ptr);
396 this->encrypted.ptr = malloc(this->encrypted.len);
397
398 /* fill in result, signature is left out */
399 memcpy(this->encrypted.ptr, iv.ptr, iv.len);
400 memcpy(this->encrypted.ptr + iv.len, result.ptr, result.len);
401
402 free(result.ptr);
403 free(iv.ptr);
404 DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B",
405 &this->encrypted);
406
407 return SUCCESS;
408 }
409
410 /**
411 * Parse the payloads after decryption.
412 */
413 static status_t parse(private_encryption_payload_t *this)
414 {
415 parser_t *parser;
416 status_t status;
417 payload_type_t current_payload_type;
418
419 /* build a parser on the decrypted data */
420 parser = parser_create(this->decrypted);
421
422 current_payload_type = this->next_payload;
423 /* parse all payloads */
424 while (current_payload_type != NO_PAYLOAD)
425 {
426 payload_t *current_payload;
427
428 status = parser->parse_payload(parser, current_payload_type, (payload_t**)&current_payload);
429 if (status != SUCCESS)
430 {
431 parser->destroy(parser);
432 return PARSE_ERROR;
433 }
434
435 status = current_payload->verify(current_payload);
436 if (status != SUCCESS)
437 {
438 DBG1(DBG_ENC, "%N verification failed",
439 payload_type_names, current_payload->get_type(current_payload));
440 current_payload->destroy(current_payload);
441 parser->destroy(parser);
442 return VERIFY_ERROR;
443 }
444
445 /* get next payload type */
446 current_payload_type = current_payload->get_next_type(current_payload);
447
448 this->payloads->insert_last(this->payloads,current_payload);
449 }
450 parser->destroy(parser);
451 DBG2(DBG_ENC, "succesfully parsed content of encryption payload");
452 return SUCCESS;
453 }
454
455 /**
456 * Implementation of encryption_payload_t.encrypt.
457 */
458 static status_t decrypt(private_encryption_payload_t *this)
459 {
460 chunk_t iv, concatenated;
461 u_int8_t padding_length;
462 status_t status;
463
464 DBG2(DBG_ENC, "decrypting encryption payload");
465 DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B",
466 &this->encrypted);
467
468 if (this->signer == NULL || this->crypter == NULL)
469 {
470 DBG1(DBG_ENC, "could not decrypt, no crypter/signer set");
471 return INVALID_STATE;
472 }
473
474 /* get IV */
475 iv.len = this->crypter->get_block_size(this->crypter);
476
477 iv.ptr = this->encrypted.ptr;
478
479 /* point concatenated to data + padding + padding_length*/
480 concatenated.ptr = this->encrypted.ptr + iv.len;
481 concatenated.len = this->encrypted.len - iv.len - this->signer->get_block_size(this->signer);
482
483 /* check the size of input:
484 * concatenated must be at least on block_size of crypter
485 */
486 if (concatenated.len < iv.len)
487 {
488 DBG1(DBG_ENC, "could not decrypt, invalid input");
489 return FAILED;
490 }
491
492 /* free previus data, if any */
493 free(this->decrypted.ptr);
494
495 DBG3(DBG_ENC, "data before decryption %B", &concatenated);
496
497 status = this->crypter->decrypt(this->crypter, concatenated, iv, &(this->decrypted));
498 if (status != SUCCESS)
499 {
500 DBG1(DBG_ENC, "could not decrypt, decryption failed");
501 return FAILED;
502 }
503 DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted);
504
505
506 /* get padding length, sits just bevore signature */
507 padding_length = *(this->decrypted.ptr + this->decrypted.len - 1);
508 /* add one byte to the padding length, since the padding_length field is not included */
509 padding_length++;
510 this->decrypted.len -= padding_length;
511
512 /* check size again */
513 if (padding_length > concatenated.len || this->decrypted.len < 0)
514 {
515 DBG1(DBG_ENC, "decryption failed, invalid padding length found. Invalid key?");
516 /* decryption failed :-/ */
517 return FAILED;
518 }
519
520 /* free padding */
521 this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len);
522 DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted);
523 DBG2(DBG_ENC, "decryption successful, trying to parse content");
524 return parse(this);
525 }
526
527 /**
528 * Implementation of encryption_payload_t.set_transforms.
529 */
530 static void set_transforms(private_encryption_payload_t *this, crypter_t* crypter, signer_t* signer)
531 {
532 this->signer = signer;
533 this->crypter = crypter;
534 }
535
536 /**
537 * Implementation of encryption_payload_t.build_signature.
538 */
539 static status_t build_signature(private_encryption_payload_t *this, chunk_t data)
540 {
541 chunk_t data_without_sig = data;
542 chunk_t sig;
543
544 if (this->signer == NULL)
545 {
546 DBG1(DBG_ENC, "unable to build signature, no signer set");
547 return INVALID_STATE;
548 }
549
550 sig.len = this->signer->get_block_size(this->signer);
551 data_without_sig.len -= sig.len;
552 sig.ptr = data.ptr + data_without_sig.len;
553 DBG2(DBG_ENC, "building signature");
554 this->signer->get_signature(this->signer, data_without_sig, sig.ptr);
555 return SUCCESS;
556 }
557
558 /**
559 * Implementation of encryption_payload_t.verify_signature.
560 */
561 static status_t verify_signature(private_encryption_payload_t *this, chunk_t data)
562 {
563 chunk_t sig, data_without_sig;
564 bool valid;
565
566 if (this->signer == NULL)
567 {
568 DBG1(DBG_ENC, "unable to verify signature, no signer set");
569 return INVALID_STATE;
570 }
571 /* find signature in data chunk */
572 sig.len = this->signer->get_block_size(this->signer);
573 if (data.len <= sig.len)
574 {
575 DBG1(DBG_ENC, "unable to verify signature, invalid input");
576 return FAILED;
577 }
578 sig.ptr = data.ptr + data.len - sig.len;
579
580 /* verify it */
581 data_without_sig.len = data.len - sig.len;
582 data_without_sig.ptr = data.ptr;
583 valid = this->signer->verify_signature(this->signer, data_without_sig, sig);
584
585 if (!valid)
586 {
587 DBG1(DBG_ENC, "signature verification failed");
588 return FAILED;
589 }
590
591 DBG2(DBG_ENC, "signature verification successful");
592 return SUCCESS;
593 }
594
595 /**
596 * Implementation of payload_t.destroy.
597 */
598 static void destroy(private_encryption_payload_t *this)
599 {
600 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
601 free(this->encrypted.ptr);
602 free(this->decrypted.ptr);
603 free(this);
604 }
605
606 /*
607 * Described in header
608 */
609 encryption_payload_t *encryption_payload_create()
610 {
611 private_encryption_payload_t *this = malloc_thing(private_encryption_payload_t);
612
613 /* payload_t interface functions */
614 this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
615 this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
616 this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
617 this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
618 this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
619 this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
620 this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
621
622 /* public functions */
623 this->public.create_payload_iterator = (iterator_t * (*) (encryption_payload_t *,bool)) create_payload_iterator;
624 this->public.add_payload = (void (*) (encryption_payload_t *,payload_t *)) add_payload;
625 this->public.remove_first_payload = (status_t (*)(encryption_payload_t*, payload_t **)) remove_first_payload;
626 this->public.get_payload_count = (size_t (*)(encryption_payload_t*)) get_payload_count;
627
628 this->public.encrypt = (status_t (*) (encryption_payload_t *)) encrypt;
629 this->public.decrypt = (status_t (*) (encryption_payload_t *)) decrypt;
630 this->public.set_transforms = (void (*) (encryption_payload_t*,crypter_t*,signer_t*)) set_transforms;
631 this->public.build_signature = (status_t (*) (encryption_payload_t*, chunk_t)) build_signature;
632 this->public.verify_signature = (status_t (*) (encryption_payload_t*, chunk_t)) verify_signature;
633 this->public.destroy = (void (*) (encryption_payload_t *)) destroy;
634
635 /* set default values of the fields */
636 this->critical = FALSE;
637 this->next_payload = NO_PAYLOAD;
638 this->payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH;
639 this->encrypted = CHUNK_INITIALIZER;
640 this->decrypted = CHUNK_INITIALIZER;
641 this->signer = NULL;
642 this->crypter = NULL;
643 this->payloads = linked_list_create();
644
645 return (&(this->public));
646 }