cdfda3d5e5ad4bbef1deee998290e75d2fdd8f75
[strongswan.git] / src / charon / encoding / payloads / encryption_payload.c
1 /*
2 * Copyright (C) 2005-2006 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
19 #include <stddef.h>
20 #include <string.h>
21
22 #include "encryption_payload.h"
23
24 #include <daemon.h>
25 #include <encoding/payloads/encodings.h>
26 #include <utils/linked_list.h>
27 #include <encoding/generator.h>
28 #include <encoding/parser.h>
29 #include <utils/iterator.h>
30 #include <utils/randomizer.h>
31 #include <crypto/signers/signer.h>
32
33
34 typedef struct private_encryption_payload_t private_encryption_payload_t;
35
36 /**
37 * Private data of an encryption_payload_t' Object.
38 *
39 */
40 struct private_encryption_payload_t {
41
42 /**
43 * Public encryption_payload_t interface.
44 */
45 encryption_payload_t public;
46
47 /**
48 * There is no next payload for an encryption payload,
49 * since encryption payload MUST be the last one.
50 * next_payload means here the first payload of the
51 * contained, encrypted payload.
52 */
53 u_int8_t next_payload;
54
55 /**
56 * Critical flag.
57 */
58 bool critical;
59
60 /**
61 * Length of this payload
62 */
63 u_int16_t payload_length;
64
65 /**
66 * Chunk containing the iv, data, padding,
67 * and (an eventually not calculated) signature.
68 */
69 chunk_t encrypted;
70
71 /**
72 * Chunk containing the data in decrypted (unpadded) form.
73 */
74 chunk_t decrypted;
75
76 /**
77 * Signer set by set_signer.
78 */
79 signer_t *signer;
80
81 /**
82 * Crypter, supplied by encrypt/decrypt
83 */
84 crypter_t *crypter;
85
86 /**
87 * Contained payloads of this encrpytion_payload.
88 */
89 linked_list_t *payloads;
90 };
91
92 /**
93 * Encoding rules to parse or generate a IKEv2-Encryption Payload.
94 *
95 * The defined offsets are the positions in a object of type
96 * private_encryption_payload_t.
97 *
98 */
99 encoding_rule_t encryption_payload_encodings[] = {
100 /* 1 Byte next payload type, stored in the field next_payload */
101 { U_INT_8, offsetof(private_encryption_payload_t, next_payload) },
102 /* the critical bit */
103 { FLAG, offsetof(private_encryption_payload_t, critical) },
104 /* 7 Bit reserved bits, nowhere stored */
105 { RESERVED_BIT, 0 },
106 { RESERVED_BIT, 0 },
107 { RESERVED_BIT, 0 },
108 { RESERVED_BIT, 0 },
109 { RESERVED_BIT, 0 },
110 { RESERVED_BIT, 0 },
111 { RESERVED_BIT, 0 },
112 /* Length of the whole encryption payload*/
113 { PAYLOAD_LENGTH, offsetof(private_encryption_payload_t, payload_length) },
114 /* encrypted data, stored in a chunk. contains iv, data, padding */
115 { ENCRYPTED_DATA, offsetof(private_encryption_payload_t, encrypted) },
116 };
117
118 /*
119 1 2 3
120 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
121 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
122 ! Next Payload !C! RESERVED ! Payload Length !
123 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
124 ! Initialization Vector !
125 ! (length is block size for encryption algorithm) !
126 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
127 ! Encrypted IKE Payloads !
128 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
129 ! ! Padding (0-255 octets) !
130 +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
131 ! ! Pad Length !
132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
133 ~ Integrity Checksum Data ~
134 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
135 */
136
137 /**
138 * Implementation of payload_t.verify.
139 */
140 static status_t verify(private_encryption_payload_t *this)
141 {
142 return SUCCESS;
143 }
144
145 /**
146 * Implementation of payload_t.get_encoding_rules.
147 */
148 static void get_encoding_rules(private_encryption_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
149 {
150 *rules = encryption_payload_encodings;
151 *rule_count = sizeof(encryption_payload_encodings) / sizeof(encoding_rule_t);
152 }
153
154 /**
155 * Implementation of payload_t.get_type.
156 */
157 static payload_type_t get_type(private_encryption_payload_t *this)
158 {
159 return ENCRYPTED;
160 }
161
162 /**
163 * Implementation of payload_t.get_next_type.
164 */
165 static payload_type_t get_next_type(private_encryption_payload_t *this)
166 {
167 /* returns first contained payload here */
168 return (this->next_payload);
169 }
170
171 /**
172 * Implementation of payload_t.set_next_type.
173 */
174 static void set_next_type(private_encryption_payload_t *this, payload_type_t type)
175 {
176 /* set next type is not allowed, since this payload MUST be the last one
177 * and so nothing is done in here*/
178 }
179
180 /**
181 * (re-)compute the lenght of the whole payload
182 */
183 static void compute_length(private_encryption_payload_t *this)
184 {
185 iterator_t *iterator;
186 payload_t *current_payload;
187 size_t block_size, length = 0;
188 iterator = this->payloads->create_iterator(this->payloads, TRUE);
189
190 /* count payload length */
191 while (iterator->iterate(iterator, (void **) &current_payload))
192 {
193 length += current_payload->get_length(current_payload);
194 }
195 iterator->destroy(iterator);
196
197 if (this->crypter && this->signer)
198 {
199 /* append one byte for padding length */
200 length++;
201 /* append padding */
202 block_size = this->crypter->get_block_size(this->crypter);
203 length += block_size - length % block_size;
204 /* add iv */
205 length += block_size;
206 /* add signature */
207 length += this->signer->get_block_size(this->signer);
208 }
209 length += ENCRYPTION_PAYLOAD_HEADER_LENGTH;
210 this->payload_length = length;
211 }
212
213 /**
214 * Implementation of payload_t.get_length.
215 */
216 static size_t get_length(private_encryption_payload_t *this)
217 {
218 compute_length(this);
219 return this->payload_length;
220 }
221
222 /**
223 * Implementation of payload_t.create_payload_iterator.
224 */
225 static iterator_t *create_payload_iterator (private_encryption_payload_t *this, bool forward)
226 {
227 return (this->payloads->create_iterator(this->payloads, forward));
228 }
229
230 /**
231 * Implementation of payload_t.add_payload.
232 */
233 static void add_payload(private_encryption_payload_t *this, payload_t *payload)
234 {
235 payload_t *last_payload;
236 if (this->payloads->get_count(this->payloads) > 0)
237 {
238 this->payloads->get_last(this->payloads,(void **) &last_payload);
239 last_payload->set_next_type(last_payload, payload->get_type(payload));
240 }
241 else
242 {
243 this->next_payload = payload->get_type(payload);
244 }
245 payload->set_next_type(payload, NO_PAYLOAD);
246 this->payloads->insert_last(this->payloads, (void*)payload);
247 compute_length(this);
248 }
249
250 /**
251 * Implementation of encryption_payload_t.remove_first_payload.
252 */
253 static status_t remove_first_payload(private_encryption_payload_t *this, payload_t **payload)
254 {
255 return this->payloads->remove_first(this->payloads, (void**)payload);
256 }
257
258 /**
259 * Implementation of encryption_payload_t.get_payload_count.
260 */
261 static size_t get_payload_count(private_encryption_payload_t *this)
262 {
263 return this->payloads->get_count(this->payloads);
264 }
265
266 /**
267 * Generate payload before encryption.
268 */
269 static void generate(private_encryption_payload_t *this)
270 {
271 payload_t *current_payload, *next_payload;
272 generator_t *generator;
273 iterator_t *iterator;
274
275 /* recalculate length before generating */
276 compute_length(this);
277
278 /* create iterator */
279 iterator = this->payloads->create_iterator(this->payloads, TRUE);
280
281 /* get first payload */
282 if (iterator->iterate(iterator, (void**)&current_payload))
283 {
284 this->next_payload = current_payload->get_type(current_payload);
285 }
286 else
287 {
288 /* no paylads? */
289 DBG2(DBG_ENC, "generating contained payloads, but none available");
290 free(this->decrypted.ptr);
291 this->decrypted = chunk_empty;
292 iterator->destroy(iterator);
293 return;
294 }
295
296 generator = generator_create();
297
298 /* build all payload, except last */
299 while(iterator->iterate(iterator, (void**)&next_payload))
300 {
301 current_payload->set_next_type(current_payload, next_payload->get_type(next_payload));
302 generator->generate_payload(generator, current_payload);
303 current_payload = next_payload;
304 }
305 iterator->destroy(iterator);
306
307 /* build last payload */
308 current_payload->set_next_type(current_payload, NO_PAYLOAD);
309 generator->generate_payload(generator, current_payload);
310
311 /* free already generated data */
312 free(this->decrypted.ptr);
313
314 generator->write_to_chunk(generator, &(this->decrypted));
315 generator->destroy(generator);
316 DBG2(DBG_ENC, "successfully generated content in encryption payload");
317 }
318
319 /**
320 * Implementation of encryption_payload_t.encrypt.
321 */
322 static status_t encrypt(private_encryption_payload_t *this)
323 {
324 chunk_t iv, padding, to_crypt, result;
325 randomizer_t *randomizer;
326 status_t status;
327 size_t block_size;
328
329 if (this->signer == NULL || this->crypter == NULL)
330 {
331 DBG1(DBG_ENC, "could not encrypt, signer/crypter not set");
332 return INVALID_STATE;
333 }
334
335 /* for random data in iv and padding */
336 randomizer = randomizer_create();
337
338 /* build payload chunk */
339 generate(this);
340
341 DBG2(DBG_ENC, "encrypting payloads");
342 DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted);
343
344 /* build padding */
345 block_size = this->crypter->get_block_size(this->crypter);
346 padding.len = block_size - ((this->decrypted.len + 1) % block_size);
347 status = randomizer->allocate_pseudo_random_bytes(randomizer, padding.len, &padding);
348 if (status != SUCCESS)
349 {
350 randomizer->destroy(randomizer);
351 return status;
352 }
353
354 /* concatenate payload data, padding, padding len */
355 to_crypt.len = this->decrypted.len + padding.len + 1;
356 to_crypt.ptr = malloc(to_crypt.len);
357
358 memcpy(to_crypt.ptr, this->decrypted.ptr, this->decrypted.len);
359 memcpy(to_crypt.ptr + this->decrypted.len, padding.ptr, padding.len);
360 *(to_crypt.ptr + to_crypt.len - 1) = padding.len;
361
362 /* build iv */
363 iv.len = block_size;
364 status = randomizer->allocate_pseudo_random_bytes(randomizer, iv.len, &iv);
365 randomizer->destroy(randomizer);
366 if (status != SUCCESS)
367 {
368 chunk_free(&to_crypt);
369 chunk_free(&padding);
370 return status;
371 }
372
373 DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt);
374
375 /* encrypt to_crypt chunk */
376 free(this->encrypted.ptr);
377 status = this->crypter->encrypt(this->crypter, to_crypt, iv, &result);
378 free(padding.ptr);
379 free(to_crypt.ptr);
380 if (status != SUCCESS)
381 {
382 DBG2(DBG_ENC, "encryption failed");
383 free(iv.ptr);
384 return status;
385 }
386 DBG3(DBG_ENC, "data after encryption %B", &result);
387
388 /* build encrypted result with iv and signature */
389 this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
390 free(this->encrypted.ptr);
391 this->encrypted.ptr = malloc(this->encrypted.len);
392
393 /* fill in result, signature is left out */
394 memcpy(this->encrypted.ptr, iv.ptr, iv.len);
395 memcpy(this->encrypted.ptr + iv.len, result.ptr, result.len);
396
397 free(result.ptr);
398 free(iv.ptr);
399 DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B",
400 &this->encrypted);
401
402 return SUCCESS;
403 }
404
405 /**
406 * Parse the payloads after decryption.
407 */
408 static status_t parse(private_encryption_payload_t *this)
409 {
410 parser_t *parser;
411 status_t status;
412 payload_type_t current_payload_type;
413
414 /* build a parser on the decrypted data */
415 parser = parser_create(this->decrypted);
416
417 current_payload_type = this->next_payload;
418 /* parse all payloads */
419 while (current_payload_type != NO_PAYLOAD)
420 {
421 payload_t *current_payload;
422
423 status = parser->parse_payload(parser, current_payload_type, (payload_t**)&current_payload);
424 if (status != SUCCESS)
425 {
426 parser->destroy(parser);
427 return PARSE_ERROR;
428 }
429
430 status = current_payload->verify(current_payload);
431 if (status != SUCCESS)
432 {
433 DBG1(DBG_ENC, "%N verification failed",
434 payload_type_names, current_payload->get_type(current_payload));
435 current_payload->destroy(current_payload);
436 parser->destroy(parser);
437 return VERIFY_ERROR;
438 }
439
440 /* get next payload type */
441 current_payload_type = current_payload->get_next_type(current_payload);
442
443 this->payloads->insert_last(this->payloads,current_payload);
444 }
445 parser->destroy(parser);
446 DBG2(DBG_ENC, "succesfully parsed content of encryption payload");
447 return SUCCESS;
448 }
449
450 /**
451 * Implementation of encryption_payload_t.encrypt.
452 */
453 static status_t decrypt(private_encryption_payload_t *this)
454 {
455 chunk_t iv, concatenated;
456 u_int8_t padding_length;
457 status_t status;
458
459 DBG2(DBG_ENC, "decrypting encryption payload");
460 DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B",
461 &this->encrypted);
462
463 if (this->signer == NULL || this->crypter == NULL)
464 {
465 DBG1(DBG_ENC, "could not decrypt, no crypter/signer set");
466 return INVALID_STATE;
467 }
468
469 /* get IV */
470 iv.len = this->crypter->get_block_size(this->crypter);
471
472 iv.ptr = this->encrypted.ptr;
473
474 /* point concatenated to data + padding + padding_length*/
475 concatenated.ptr = this->encrypted.ptr + iv.len;
476 concatenated.len = this->encrypted.len - iv.len - this->signer->get_block_size(this->signer);
477
478 /* check the size of input:
479 * concatenated must be at least on block_size of crypter
480 */
481 if (concatenated.len < iv.len)
482 {
483 DBG1(DBG_ENC, "could not decrypt, invalid input");
484 return FAILED;
485 }
486
487 /* free previus data, if any */
488 free(this->decrypted.ptr);
489
490 DBG3(DBG_ENC, "data before decryption %B", &concatenated);
491
492 status = this->crypter->decrypt(this->crypter, concatenated, iv, &(this->decrypted));
493 if (status != SUCCESS)
494 {
495 DBG1(DBG_ENC, "could not decrypt, decryption failed");
496 return FAILED;
497 }
498 DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted);
499
500
501 /* get padding length, sits just bevore signature */
502 padding_length = *(this->decrypted.ptr + this->decrypted.len - 1);
503 /* add one byte to the padding length, since the padding_length field is not included */
504 padding_length++;
505 this->decrypted.len -= padding_length;
506
507 /* check size again */
508 if (padding_length > concatenated.len || this->decrypted.len < 0)
509 {
510 DBG1(DBG_ENC, "decryption failed, invalid padding length found. Invalid key?");
511 /* decryption failed :-/ */
512 return FAILED;
513 }
514
515 /* free padding */
516 this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len);
517 DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted);
518 DBG2(DBG_ENC, "decryption successful, trying to parse content");
519 return parse(this);
520 }
521
522 /**
523 * Implementation of encryption_payload_t.set_transforms.
524 */
525 static void set_transforms(private_encryption_payload_t *this, crypter_t* crypter, signer_t* signer)
526 {
527 this->signer = signer;
528 this->crypter = crypter;
529 }
530
531 /**
532 * Implementation of encryption_payload_t.build_signature.
533 */
534 static status_t build_signature(private_encryption_payload_t *this, chunk_t data)
535 {
536 chunk_t data_without_sig = data;
537 chunk_t sig;
538
539 if (this->signer == NULL)
540 {
541 DBG1(DBG_ENC, "unable to build signature, no signer set");
542 return INVALID_STATE;
543 }
544
545 sig.len = this->signer->get_block_size(this->signer);
546 data_without_sig.len -= sig.len;
547 sig.ptr = data.ptr + data_without_sig.len;
548 DBG2(DBG_ENC, "building signature");
549 this->signer->get_signature(this->signer, data_without_sig, sig.ptr);
550 return SUCCESS;
551 }
552
553 /**
554 * Implementation of encryption_payload_t.verify_signature.
555 */
556 static status_t verify_signature(private_encryption_payload_t *this, chunk_t data)
557 {
558 chunk_t sig, data_without_sig;
559 bool valid;
560
561 if (this->signer == NULL)
562 {
563 DBG1(DBG_ENC, "unable to verify signature, no signer set");
564 return INVALID_STATE;
565 }
566 /* find signature in data chunk */
567 sig.len = this->signer->get_block_size(this->signer);
568 if (data.len <= sig.len)
569 {
570 DBG1(DBG_ENC, "unable to verify signature, invalid input");
571 return FAILED;
572 }
573 sig.ptr = data.ptr + data.len - sig.len;
574
575 /* verify it */
576 data_without_sig.len = data.len - sig.len;
577 data_without_sig.ptr = data.ptr;
578 valid = this->signer->verify_signature(this->signer, data_without_sig, sig);
579
580 if (!valid)
581 {
582 DBG1(DBG_ENC, "signature verification failed");
583 return FAILED;
584 }
585
586 DBG2(DBG_ENC, "signature verification successful");
587 return SUCCESS;
588 }
589
590 /**
591 * Implementation of payload_t.destroy.
592 */
593 static void destroy(private_encryption_payload_t *this)
594 {
595 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
596 free(this->encrypted.ptr);
597 free(this->decrypted.ptr);
598 free(this);
599 }
600
601 /*
602 * Described in header
603 */
604 encryption_payload_t *encryption_payload_create()
605 {
606 private_encryption_payload_t *this = malloc_thing(private_encryption_payload_t);
607
608 /* payload_t interface functions */
609 this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
610 this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
611 this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
612 this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
613 this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
614 this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
615 this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
616
617 /* public functions */
618 this->public.create_payload_iterator = (iterator_t * (*) (encryption_payload_t *,bool)) create_payload_iterator;
619 this->public.add_payload = (void (*) (encryption_payload_t *,payload_t *)) add_payload;
620 this->public.remove_first_payload = (status_t (*)(encryption_payload_t*, payload_t **)) remove_first_payload;
621 this->public.get_payload_count = (size_t (*)(encryption_payload_t*)) get_payload_count;
622
623 this->public.encrypt = (status_t (*) (encryption_payload_t *)) encrypt;
624 this->public.decrypt = (status_t (*) (encryption_payload_t *)) decrypt;
625 this->public.set_transforms = (void (*) (encryption_payload_t*,crypter_t*,signer_t*)) set_transforms;
626 this->public.build_signature = (status_t (*) (encryption_payload_t*, chunk_t)) build_signature;
627 this->public.verify_signature = (status_t (*) (encryption_payload_t*, chunk_t)) verify_signature;
628 this->public.destroy = (void (*) (encryption_payload_t *)) destroy;
629
630 /* set default values of the fields */
631 this->critical = FALSE;
632 this->next_payload = NO_PAYLOAD;
633 this->payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH;
634 this->encrypted = chunk_empty;
635 this->decrypted = chunk_empty;
636 this->signer = NULL;
637 this->crypter = NULL;
638 this->payloads = linked_list_create();
639
640 return (&(this->public));
641 }