added API for random number generators, served through credential factory
[strongswan.git] / src / charon / encoding / payloads / encryption_payload.c
1 /*
2 * Copyright (C) 2005-2006 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
19 #include <stddef.h>
20 #include <string.h>
21
22 #include "encryption_payload.h"
23
24 #include <daemon.h>
25 #include <encoding/payloads/encodings.h>
26 #include <utils/linked_list.h>
27 #include <encoding/generator.h>
28 #include <encoding/parser.h>
29 #include <utils/iterator.h>
30 #include <crypto/signers/signer.h>
31
32
33 typedef struct private_encryption_payload_t private_encryption_payload_t;
34
35 /**
36 * Private data of an encryption_payload_t' Object.
37 *
38 */
39 struct private_encryption_payload_t {
40
41 /**
42 * Public encryption_payload_t interface.
43 */
44 encryption_payload_t public;
45
46 /**
47 * There is no next payload for an encryption payload,
48 * since encryption payload MUST be the last one.
49 * next_payload means here the first payload of the
50 * contained, encrypted payload.
51 */
52 u_int8_t next_payload;
53
54 /**
55 * Critical flag.
56 */
57 bool critical;
58
59 /**
60 * Length of this payload
61 */
62 u_int16_t payload_length;
63
64 /**
65 * Chunk containing the iv, data, padding,
66 * and (an eventually not calculated) signature.
67 */
68 chunk_t encrypted;
69
70 /**
71 * Chunk containing the data in decrypted (unpadded) form.
72 */
73 chunk_t decrypted;
74
75 /**
76 * Signer set by set_signer.
77 */
78 signer_t *signer;
79
80 /**
81 * Crypter, supplied by encrypt/decrypt
82 */
83 crypter_t *crypter;
84
85 /**
86 * Contained payloads of this encrpytion_payload.
87 */
88 linked_list_t *payloads;
89 };
90
91 /**
92 * Encoding rules to parse or generate a IKEv2-Encryption Payload.
93 *
94 * The defined offsets are the positions in a object of type
95 * private_encryption_payload_t.
96 *
97 */
98 encoding_rule_t encryption_payload_encodings[] = {
99 /* 1 Byte next payload type, stored in the field next_payload */
100 { U_INT_8, offsetof(private_encryption_payload_t, next_payload) },
101 /* the critical bit */
102 { FLAG, offsetof(private_encryption_payload_t, critical) },
103 /* 7 Bit reserved bits, nowhere stored */
104 { RESERVED_BIT, 0 },
105 { RESERVED_BIT, 0 },
106 { RESERVED_BIT, 0 },
107 { RESERVED_BIT, 0 },
108 { RESERVED_BIT, 0 },
109 { RESERVED_BIT, 0 },
110 { RESERVED_BIT, 0 },
111 /* Length of the whole encryption payload*/
112 { PAYLOAD_LENGTH, offsetof(private_encryption_payload_t, payload_length) },
113 /* encrypted data, stored in a chunk. contains iv, data, padding */
114 { ENCRYPTED_DATA, offsetof(private_encryption_payload_t, encrypted) },
115 };
116
117 /*
118 1 2 3
119 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
120 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
121 ! Next Payload !C! RESERVED ! Payload Length !
122 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
123 ! Initialization Vector !
124 ! (length is block size for encryption algorithm) !
125 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
126 ! Encrypted IKE Payloads !
127 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
128 ! ! Padding (0-255 octets) !
129 +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
130 ! ! Pad Length !
131 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
132 ~ Integrity Checksum Data ~
133 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
134 */
135
136 /**
137 * Implementation of payload_t.verify.
138 */
139 static status_t verify(private_encryption_payload_t *this)
140 {
141 return SUCCESS;
142 }
143
144 /**
145 * Implementation of payload_t.get_encoding_rules.
146 */
147 static void get_encoding_rules(private_encryption_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
148 {
149 *rules = encryption_payload_encodings;
150 *rule_count = sizeof(encryption_payload_encodings) / sizeof(encoding_rule_t);
151 }
152
153 /**
154 * Implementation of payload_t.get_type.
155 */
156 static payload_type_t get_type(private_encryption_payload_t *this)
157 {
158 return ENCRYPTED;
159 }
160
161 /**
162 * Implementation of payload_t.get_next_type.
163 */
164 static payload_type_t get_next_type(private_encryption_payload_t *this)
165 {
166 /* returns first contained payload here */
167 return (this->next_payload);
168 }
169
170 /**
171 * Implementation of payload_t.set_next_type.
172 */
173 static void set_next_type(private_encryption_payload_t *this, payload_type_t type)
174 {
175 /* set next type is not allowed, since this payload MUST be the last one
176 * and so nothing is done in here*/
177 }
178
179 /**
180 * (re-)compute the lenght of the whole payload
181 */
182 static void compute_length(private_encryption_payload_t *this)
183 {
184 iterator_t *iterator;
185 payload_t *current_payload;
186 size_t block_size, length = 0;
187 iterator = this->payloads->create_iterator(this->payloads, TRUE);
188
189 /* count payload length */
190 while (iterator->iterate(iterator, (void **) &current_payload))
191 {
192 length += current_payload->get_length(current_payload);
193 }
194 iterator->destroy(iterator);
195
196 if (this->crypter && this->signer)
197 {
198 /* append one byte for padding length */
199 length++;
200 /* append padding */
201 block_size = this->crypter->get_block_size(this->crypter);
202 length += block_size - length % block_size;
203 /* add iv */
204 length += block_size;
205 /* add signature */
206 length += this->signer->get_block_size(this->signer);
207 }
208 length += ENCRYPTION_PAYLOAD_HEADER_LENGTH;
209 this->payload_length = length;
210 }
211
212 /**
213 * Implementation of payload_t.get_length.
214 */
215 static size_t get_length(private_encryption_payload_t *this)
216 {
217 compute_length(this);
218 return this->payload_length;
219 }
220
221 /**
222 * Implementation of payload_t.create_payload_iterator.
223 */
224 static iterator_t *create_payload_iterator (private_encryption_payload_t *this, bool forward)
225 {
226 return (this->payloads->create_iterator(this->payloads, forward));
227 }
228
229 /**
230 * Implementation of payload_t.add_payload.
231 */
232 static void add_payload(private_encryption_payload_t *this, payload_t *payload)
233 {
234 payload_t *last_payload;
235 if (this->payloads->get_count(this->payloads) > 0)
236 {
237 this->payloads->get_last(this->payloads,(void **) &last_payload);
238 last_payload->set_next_type(last_payload, payload->get_type(payload));
239 }
240 else
241 {
242 this->next_payload = payload->get_type(payload);
243 }
244 payload->set_next_type(payload, NO_PAYLOAD);
245 this->payloads->insert_last(this->payloads, (void*)payload);
246 compute_length(this);
247 }
248
249 /**
250 * Implementation of encryption_payload_t.remove_first_payload.
251 */
252 static status_t remove_first_payload(private_encryption_payload_t *this, payload_t **payload)
253 {
254 return this->payloads->remove_first(this->payloads, (void**)payload);
255 }
256
257 /**
258 * Implementation of encryption_payload_t.get_payload_count.
259 */
260 static size_t get_payload_count(private_encryption_payload_t *this)
261 {
262 return this->payloads->get_count(this->payloads);
263 }
264
265 /**
266 * Generate payload before encryption.
267 */
268 static void generate(private_encryption_payload_t *this)
269 {
270 payload_t *current_payload, *next_payload;
271 generator_t *generator;
272 iterator_t *iterator;
273
274 /* recalculate length before generating */
275 compute_length(this);
276
277 /* create iterator */
278 iterator = this->payloads->create_iterator(this->payloads, TRUE);
279
280 /* get first payload */
281 if (iterator->iterate(iterator, (void**)&current_payload))
282 {
283 this->next_payload = current_payload->get_type(current_payload);
284 }
285 else
286 {
287 /* no paylads? */
288 DBG2(DBG_ENC, "generating contained payloads, but none available");
289 free(this->decrypted.ptr);
290 this->decrypted = chunk_empty;
291 iterator->destroy(iterator);
292 return;
293 }
294
295 generator = generator_create();
296
297 /* build all payload, except last */
298 while(iterator->iterate(iterator, (void**)&next_payload))
299 {
300 current_payload->set_next_type(current_payload, next_payload->get_type(next_payload));
301 generator->generate_payload(generator, current_payload);
302 current_payload = next_payload;
303 }
304 iterator->destroy(iterator);
305
306 /* build last payload */
307 current_payload->set_next_type(current_payload, NO_PAYLOAD);
308 generator->generate_payload(generator, current_payload);
309
310 /* free already generated data */
311 free(this->decrypted.ptr);
312
313 generator->write_to_chunk(generator, &(this->decrypted));
314 generator->destroy(generator);
315 DBG2(DBG_ENC, "successfully generated content in encryption payload");
316 }
317
318 /**
319 * Implementation of encryption_payload_t.encrypt.
320 */
321 static status_t encrypt(private_encryption_payload_t *this)
322 {
323 chunk_t iv, padding, to_crypt, result;
324 rng_t *rng;
325 status_t status;
326 size_t block_size;
327
328 if (this->signer == NULL || this->crypter == NULL)
329 {
330 DBG1(DBG_ENC, "could not encrypt, signer/crypter not set");
331 return INVALID_STATE;
332 }
333
334 /* for random data in iv and padding */
335 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
336 if (!rng)
337 {
338 DBG1(DBG_ENC, "could not encrypt, no RNG found");
339 return FAILED;
340 }
341 /* build payload chunk */
342 generate(this);
343
344 DBG2(DBG_ENC, "encrypting payloads");
345 DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted);
346
347 /* build padding */
348 block_size = this->crypter->get_block_size(this->crypter);
349 padding.len = block_size - ((this->decrypted.len + 1) % block_size);
350 rng->allocate_bytes(rng, padding.len, &padding);
351
352 /* concatenate payload data, padding, padding len */
353 to_crypt.len = this->decrypted.len + padding.len + 1;
354 to_crypt.ptr = malloc(to_crypt.len);
355
356 memcpy(to_crypt.ptr, this->decrypted.ptr, this->decrypted.len);
357 memcpy(to_crypt.ptr + this->decrypted.len, padding.ptr, padding.len);
358 *(to_crypt.ptr + to_crypt.len - 1) = padding.len;
359
360 /* build iv */
361 iv.len = block_size;
362 rng->allocate_bytes(rng, iv.len, &iv);
363 rng->destroy(rng);
364
365 DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt);
366
367 /* encrypt to_crypt chunk */
368 free(this->encrypted.ptr);
369 status = this->crypter->encrypt(this->crypter, to_crypt, iv, &result);
370 free(padding.ptr);
371 free(to_crypt.ptr);
372 if (status != SUCCESS)
373 {
374 DBG2(DBG_ENC, "encryption failed");
375 free(iv.ptr);
376 return status;
377 }
378 DBG3(DBG_ENC, "data after encryption %B", &result);
379
380 /* build encrypted result with iv and signature */
381 this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
382 free(this->encrypted.ptr);
383 this->encrypted.ptr = malloc(this->encrypted.len);
384
385 /* fill in result, signature is left out */
386 memcpy(this->encrypted.ptr, iv.ptr, iv.len);
387 memcpy(this->encrypted.ptr + iv.len, result.ptr, result.len);
388
389 free(result.ptr);
390 free(iv.ptr);
391 DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B",
392 &this->encrypted);
393
394 return SUCCESS;
395 }
396
397 /**
398 * Parse the payloads after decryption.
399 */
400 static status_t parse(private_encryption_payload_t *this)
401 {
402 parser_t *parser;
403 status_t status;
404 payload_type_t current_payload_type;
405
406 /* build a parser on the decrypted data */
407 parser = parser_create(this->decrypted);
408
409 current_payload_type = this->next_payload;
410 /* parse all payloads */
411 while (current_payload_type != NO_PAYLOAD)
412 {
413 payload_t *current_payload;
414
415 status = parser->parse_payload(parser, current_payload_type, (payload_t**)&current_payload);
416 if (status != SUCCESS)
417 {
418 parser->destroy(parser);
419 return PARSE_ERROR;
420 }
421
422 status = current_payload->verify(current_payload);
423 if (status != SUCCESS)
424 {
425 DBG1(DBG_ENC, "%N verification failed",
426 payload_type_names, current_payload->get_type(current_payload));
427 current_payload->destroy(current_payload);
428 parser->destroy(parser);
429 return VERIFY_ERROR;
430 }
431
432 /* get next payload type */
433 current_payload_type = current_payload->get_next_type(current_payload);
434
435 this->payloads->insert_last(this->payloads,current_payload);
436 }
437 parser->destroy(parser);
438 DBG2(DBG_ENC, "succesfully parsed content of encryption payload");
439 return SUCCESS;
440 }
441
442 /**
443 * Implementation of encryption_payload_t.encrypt.
444 */
445 static status_t decrypt(private_encryption_payload_t *this)
446 {
447 chunk_t iv, concatenated;
448 u_int8_t padding_length;
449 status_t status;
450
451 DBG2(DBG_ENC, "decrypting encryption payload");
452 DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B",
453 &this->encrypted);
454
455 if (this->signer == NULL || this->crypter == NULL)
456 {
457 DBG1(DBG_ENC, "could not decrypt, no crypter/signer set");
458 return INVALID_STATE;
459 }
460
461 /* get IV */
462 iv.len = this->crypter->get_block_size(this->crypter);
463
464 iv.ptr = this->encrypted.ptr;
465
466 /* point concatenated to data + padding + padding_length*/
467 concatenated.ptr = this->encrypted.ptr + iv.len;
468 concatenated.len = this->encrypted.len - iv.len - this->signer->get_block_size(this->signer);
469
470 /* check the size of input:
471 * concatenated must be at least on block_size of crypter
472 */
473 if (concatenated.len < iv.len)
474 {
475 DBG1(DBG_ENC, "could not decrypt, invalid input");
476 return FAILED;
477 }
478
479 /* free previus data, if any */
480 free(this->decrypted.ptr);
481
482 DBG3(DBG_ENC, "data before decryption %B", &concatenated);
483
484 status = this->crypter->decrypt(this->crypter, concatenated, iv, &(this->decrypted));
485 if (status != SUCCESS)
486 {
487 DBG1(DBG_ENC, "could not decrypt, decryption failed");
488 return FAILED;
489 }
490 DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted);
491
492
493 /* get padding length, sits just bevore signature */
494 padding_length = *(this->decrypted.ptr + this->decrypted.len - 1);
495 /* add one byte to the padding length, since the padding_length field is not included */
496 padding_length++;
497 this->decrypted.len -= padding_length;
498
499 /* check size again */
500 if (padding_length > concatenated.len || this->decrypted.len < 0)
501 {
502 DBG1(DBG_ENC, "decryption failed, invalid padding length found. Invalid key?");
503 /* decryption failed :-/ */
504 return FAILED;
505 }
506
507 /* free padding */
508 this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len);
509 DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted);
510 DBG2(DBG_ENC, "decryption successful, trying to parse content");
511 return parse(this);
512 }
513
514 /**
515 * Implementation of encryption_payload_t.set_transforms.
516 */
517 static void set_transforms(private_encryption_payload_t *this, crypter_t* crypter, signer_t* signer)
518 {
519 this->signer = signer;
520 this->crypter = crypter;
521 }
522
523 /**
524 * Implementation of encryption_payload_t.build_signature.
525 */
526 static status_t build_signature(private_encryption_payload_t *this, chunk_t data)
527 {
528 chunk_t data_without_sig = data;
529 chunk_t sig;
530
531 if (this->signer == NULL)
532 {
533 DBG1(DBG_ENC, "unable to build signature, no signer set");
534 return INVALID_STATE;
535 }
536
537 sig.len = this->signer->get_block_size(this->signer);
538 data_without_sig.len -= sig.len;
539 sig.ptr = data.ptr + data_without_sig.len;
540 DBG2(DBG_ENC, "building signature");
541 this->signer->get_signature(this->signer, data_without_sig, sig.ptr);
542 return SUCCESS;
543 }
544
545 /**
546 * Implementation of encryption_payload_t.verify_signature.
547 */
548 static status_t verify_signature(private_encryption_payload_t *this, chunk_t data)
549 {
550 chunk_t sig, data_without_sig;
551 bool valid;
552
553 if (this->signer == NULL)
554 {
555 DBG1(DBG_ENC, "unable to verify signature, no signer set");
556 return INVALID_STATE;
557 }
558 /* find signature in data chunk */
559 sig.len = this->signer->get_block_size(this->signer);
560 if (data.len <= sig.len)
561 {
562 DBG1(DBG_ENC, "unable to verify signature, invalid input");
563 return FAILED;
564 }
565 sig.ptr = data.ptr + data.len - sig.len;
566
567 /* verify it */
568 data_without_sig.len = data.len - sig.len;
569 data_without_sig.ptr = data.ptr;
570 valid = this->signer->verify_signature(this->signer, data_without_sig, sig);
571
572 if (!valid)
573 {
574 DBG1(DBG_ENC, "signature verification failed");
575 return FAILED;
576 }
577
578 DBG2(DBG_ENC, "signature verification successful");
579 return SUCCESS;
580 }
581
582 /**
583 * Implementation of payload_t.destroy.
584 */
585 static void destroy(private_encryption_payload_t *this)
586 {
587 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
588 free(this->encrypted.ptr);
589 free(this->decrypted.ptr);
590 free(this);
591 }
592
593 /*
594 * Described in header
595 */
596 encryption_payload_t *encryption_payload_create()
597 {
598 private_encryption_payload_t *this = malloc_thing(private_encryption_payload_t);
599
600 /* payload_t interface functions */
601 this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
602 this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
603 this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
604 this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
605 this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
606 this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
607 this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
608
609 /* public functions */
610 this->public.create_payload_iterator = (iterator_t * (*) (encryption_payload_t *,bool)) create_payload_iterator;
611 this->public.add_payload = (void (*) (encryption_payload_t *,payload_t *)) add_payload;
612 this->public.remove_first_payload = (status_t (*)(encryption_payload_t*, payload_t **)) remove_first_payload;
613 this->public.get_payload_count = (size_t (*)(encryption_payload_t*)) get_payload_count;
614
615 this->public.encrypt = (status_t (*) (encryption_payload_t *)) encrypt;
616 this->public.decrypt = (status_t (*) (encryption_payload_t *)) decrypt;
617 this->public.set_transforms = (void (*) (encryption_payload_t*,crypter_t*,signer_t*)) set_transforms;
618 this->public.build_signature = (status_t (*) (encryption_payload_t*, chunk_t)) build_signature;
619 this->public.verify_signature = (status_t (*) (encryption_payload_t*, chunk_t)) verify_signature;
620 this->public.destroy = (void (*) (encryption_payload_t *)) destroy;
621
622 /* set default values of the fields */
623 this->critical = FALSE;
624 this->next_payload = NO_PAYLOAD;
625 this->payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH;
626 this->encrypted = chunk_empty;
627 this->decrypted = chunk_empty;
628 this->signer = NULL;
629 this->crypter = NULL;
630 this->payloads = linked_list_create();
631
632 return (&(this->public));
633 }