e31b438d574b9e56f2e9d022c7d564b3686052b0
[strongswan.git] / src / libcharon / encoding / payloads / encryption_payload.c
1 /*
2 * Copyright (C) 2005-2006 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <stddef.h>
18 #include <string.h>
19
20 #include "encryption_payload.h"
21
22 #include <daemon.h>
23 #include <encoding/payloads/encodings.h>
24 #include <utils/linked_list.h>
25 #include <encoding/generator.h>
26 #include <encoding/parser.h>
27 #include <utils/iterator.h>
28 #include <crypto/signers/signer.h>
29
30
31 typedef struct private_encryption_payload_t private_encryption_payload_t;
32
33 /**
34 * Private data of an encryption_payload_t' Object.
35 *
36 */
37 struct private_encryption_payload_t {
38
39 /**
40 * Public encryption_payload_t interface.
41 */
42 encryption_payload_t public;
43
44 /**
45 * There is no next payload for an encryption payload,
46 * since encryption payload MUST be the last one.
47 * next_payload means here the first payload of the
48 * contained, encrypted payload.
49 */
50 u_int8_t next_payload;
51
52 /**
53 * Critical flag.
54 */
55 bool critical;
56
57 /**
58 * Length of this payload
59 */
60 u_int16_t payload_length;
61
62 /**
63 * Chunk containing the iv, data, padding,
64 * and (an eventually not calculated) signature.
65 */
66 chunk_t encrypted;
67
68 /**
69 * Chunk containing the data in decrypted (unpadded) form.
70 */
71 chunk_t decrypted;
72
73 /**
74 * Signer set by set_signer.
75 */
76 signer_t *signer;
77
78 /**
79 * Crypter, supplied by encrypt/decrypt
80 */
81 crypter_t *crypter;
82
83 /**
84 * Contained payloads of this encrpytion_payload.
85 */
86 linked_list_t *payloads;
87 };
88
89 /**
90 * Encoding rules to parse or generate a IKEv2-Encryption Payload.
91 *
92 * The defined offsets are the positions in a object of type
93 * private_encryption_payload_t.
94 *
95 */
96 encoding_rule_t encryption_payload_encodings[] = {
97 /* 1 Byte next payload type, stored in the field next_payload */
98 { U_INT_8, offsetof(private_encryption_payload_t, next_payload) },
99 /* the critical bit */
100 { FLAG, offsetof(private_encryption_payload_t, critical) },
101 /* 7 Bit reserved bits, nowhere stored */
102 { RESERVED_BIT, 0 },
103 { RESERVED_BIT, 0 },
104 { RESERVED_BIT, 0 },
105 { RESERVED_BIT, 0 },
106 { RESERVED_BIT, 0 },
107 { RESERVED_BIT, 0 },
108 { RESERVED_BIT, 0 },
109 /* Length of the whole encryption payload*/
110 { PAYLOAD_LENGTH, offsetof(private_encryption_payload_t, payload_length) },
111 /* encrypted data, stored in a chunk. contains iv, data, padding */
112 { ENCRYPTED_DATA, offsetof(private_encryption_payload_t, encrypted) },
113 };
114
115 /*
116 1 2 3
117 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
118 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
119 ! Next Payload !C! RESERVED ! Payload Length !
120 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
121 ! Initialization Vector !
122 ! (length is block size for encryption algorithm) !
123 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
124 ! Encrypted IKE Payloads !
125 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
126 ! ! Padding (0-255 octets) !
127 +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
128 ! ! Pad Length !
129 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
130 ~ Integrity Checksum Data ~
131 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
132 */
133
134 /**
135 * Implementation of payload_t.verify.
136 */
137 static status_t verify(private_encryption_payload_t *this)
138 {
139 return SUCCESS;
140 }
141
142 /**
143 * Implementation of payload_t.get_encoding_rules.
144 */
145 static void get_encoding_rules(private_encryption_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
146 {
147 *rules = encryption_payload_encodings;
148 *rule_count = sizeof(encryption_payload_encodings) / sizeof(encoding_rule_t);
149 }
150
151 /**
152 * Implementation of payload_t.get_type.
153 */
154 static payload_type_t get_type(private_encryption_payload_t *this)
155 {
156 return ENCRYPTED;
157 }
158
159 /**
160 * Implementation of payload_t.get_next_type.
161 */
162 static payload_type_t get_next_type(private_encryption_payload_t *this)
163 {
164 /* returns first contained payload here */
165 return (this->next_payload);
166 }
167
168 /**
169 * Implementation of payload_t.set_next_type.
170 */
171 static void set_next_type(private_encryption_payload_t *this, payload_type_t type)
172 {
173 /* set next type is not allowed, since this payload MUST be the last one
174 * and so nothing is done in here*/
175 }
176
177 /**
178 * (re-)compute the lenght of the whole payload
179 */
180 static void compute_length(private_encryption_payload_t *this)
181 {
182 iterator_t *iterator;
183 payload_t *current_payload;
184 size_t block_size, length = 0;
185 iterator = this->payloads->create_iterator(this->payloads, TRUE);
186
187 /* count payload length */
188 while (iterator->iterate(iterator, (void **) &current_payload))
189 {
190 length += current_payload->get_length(current_payload);
191 }
192 iterator->destroy(iterator);
193
194 if (this->crypter && this->signer)
195 {
196 /* append one byte for padding length */
197 length++;
198 /* append padding */
199 block_size = this->crypter->get_block_size(this->crypter);
200 length += block_size - length % block_size;
201 /* add iv */
202 length += this->crypter->get_iv_size(this->crypter);
203 /* add signature */
204 length += this->signer->get_block_size(this->signer);
205 }
206 length += ENCRYPTION_PAYLOAD_HEADER_LENGTH;
207 this->payload_length = length;
208 }
209
210 /**
211 * Implementation of payload_t.get_length.
212 */
213 static size_t get_length(private_encryption_payload_t *this)
214 {
215 compute_length(this);
216 return this->payload_length;
217 }
218
219 /**
220 * Implementation of payload_t.create_payload_iterator.
221 */
222 static iterator_t *create_payload_iterator (private_encryption_payload_t *this, bool forward)
223 {
224 return (this->payloads->create_iterator(this->payloads, forward));
225 }
226
227 /**
228 * Implementation of payload_t.add_payload.
229 */
230 static void add_payload(private_encryption_payload_t *this, payload_t *payload)
231 {
232 payload_t *last_payload;
233 if (this->payloads->get_count(this->payloads) > 0)
234 {
235 this->payloads->get_last(this->payloads,(void **) &last_payload);
236 last_payload->set_next_type(last_payload, payload->get_type(payload));
237 }
238 else
239 {
240 this->next_payload = payload->get_type(payload);
241 }
242 payload->set_next_type(payload, NO_PAYLOAD);
243 this->payloads->insert_last(this->payloads, (void*)payload);
244 compute_length(this);
245 }
246
247 /**
248 * Implementation of encryption_payload_t.remove_first_payload.
249 */
250 static status_t remove_first_payload(private_encryption_payload_t *this, payload_t **payload)
251 {
252 return this->payloads->remove_first(this->payloads, (void**)payload);
253 }
254
255 /**
256 * Implementation of encryption_payload_t.get_payload_count.
257 */
258 static size_t get_payload_count(private_encryption_payload_t *this)
259 {
260 return this->payloads->get_count(this->payloads);
261 }
262
263 /**
264 * Generate payload before encryption.
265 */
266 static void generate(private_encryption_payload_t *this)
267 {
268 payload_t *current_payload, *next_payload;
269 generator_t *generator;
270 iterator_t *iterator;
271
272 /* recalculate length before generating */
273 compute_length(this);
274
275 /* create iterator */
276 iterator = this->payloads->create_iterator(this->payloads, TRUE);
277
278 /* get first payload */
279 if (iterator->iterate(iterator, (void**)&current_payload))
280 {
281 this->next_payload = current_payload->get_type(current_payload);
282 }
283 else
284 {
285 /* no paylads? */
286 DBG2(DBG_ENC, "generating contained payloads, but none available");
287 free(this->decrypted.ptr);
288 this->decrypted = chunk_empty;
289 iterator->destroy(iterator);
290 return;
291 }
292
293 generator = generator_create();
294
295 /* build all payload, except last */
296 while(iterator->iterate(iterator, (void**)&next_payload))
297 {
298 current_payload->set_next_type(current_payload, next_payload->get_type(next_payload));
299 generator->generate_payload(generator, current_payload);
300 current_payload = next_payload;
301 }
302 iterator->destroy(iterator);
303
304 /* build last payload */
305 current_payload->set_next_type(current_payload, NO_PAYLOAD);
306 generator->generate_payload(generator, current_payload);
307
308 /* free already generated data */
309 free(this->decrypted.ptr);
310
311 generator->write_to_chunk(generator, &(this->decrypted));
312 generator->destroy(generator);
313 DBG2(DBG_ENC, "successfully generated content in encryption payload");
314 }
315
316 /**
317 * Implementation of encryption_payload_t.encrypt.
318 */
319 static status_t encrypt(private_encryption_payload_t *this)
320 {
321 chunk_t iv, padding, to_crypt, result;
322 rng_t *rng;
323 size_t block_size;
324
325 if (this->signer == NULL || this->crypter == NULL)
326 {
327 DBG1(DBG_ENC, "could not encrypt, signer/crypter not set");
328 return INVALID_STATE;
329 }
330
331 /* for random data in iv and padding */
332 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
333 if (!rng)
334 {
335 DBG1(DBG_ENC, "could not encrypt, no RNG found");
336 return FAILED;
337 }
338 /* build payload chunk */
339 generate(this);
340
341 DBG2(DBG_ENC, "encrypting payloads");
342 DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted);
343
344 /* build padding */
345 block_size = this->crypter->get_block_size(this->crypter);
346 padding.len = block_size - ((this->decrypted.len + 1) % block_size);
347 rng->allocate_bytes(rng, padding.len, &padding);
348
349 /* concatenate payload data, padding, padding len */
350 to_crypt.len = this->decrypted.len + padding.len + 1;
351 to_crypt.ptr = malloc(to_crypt.len);
352
353 memcpy(to_crypt.ptr, this->decrypted.ptr, this->decrypted.len);
354 memcpy(to_crypt.ptr + this->decrypted.len, padding.ptr, padding.len);
355 *(to_crypt.ptr + to_crypt.len - 1) = padding.len;
356
357 /* build iv */
358 iv.len = this->crypter->get_iv_size(this->crypter);
359 rng->allocate_bytes(rng, iv.len, &iv);
360 rng->destroy(rng);
361
362 DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt);
363
364 /* encrypt to_crypt chunk */
365 free(this->encrypted.ptr);
366 this->crypter->encrypt(this->crypter, to_crypt, iv, &result);
367 free(padding.ptr);
368 free(to_crypt.ptr);
369
370 DBG3(DBG_ENC, "data after encryption %B", &result);
371
372 /* build encrypted result with iv and signature */
373 this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
374 free(this->encrypted.ptr);
375 this->encrypted.ptr = malloc(this->encrypted.len);
376
377 /* fill in result, signature is left out */
378 memcpy(this->encrypted.ptr, iv.ptr, iv.len);
379 memcpy(this->encrypted.ptr + iv.len, result.ptr, result.len);
380
381 free(result.ptr);
382 free(iv.ptr);
383 DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B",
384 &this->encrypted);
385
386 return SUCCESS;
387 }
388
389 /**
390 * Parse the payloads after decryption.
391 */
392 static status_t parse(private_encryption_payload_t *this)
393 {
394 parser_t *parser;
395 status_t status;
396 payload_type_t current_payload_type;
397
398 /* build a parser on the decrypted data */
399 parser = parser_create(this->decrypted);
400
401 current_payload_type = this->next_payload;
402 /* parse all payloads */
403 while (current_payload_type != NO_PAYLOAD)
404 {
405 payload_t *current_payload;
406
407 status = parser->parse_payload(parser, current_payload_type, (payload_t**)&current_payload);
408 if (status != SUCCESS)
409 {
410 parser->destroy(parser);
411 return PARSE_ERROR;
412 }
413
414 status = current_payload->verify(current_payload);
415 if (status != SUCCESS)
416 {
417 DBG1(DBG_ENC, "%N verification failed",
418 payload_type_names, current_payload->get_type(current_payload));
419 current_payload->destroy(current_payload);
420 parser->destroy(parser);
421 return VERIFY_ERROR;
422 }
423
424 /* get next payload type */
425 current_payload_type = current_payload->get_next_type(current_payload);
426
427 this->payloads->insert_last(this->payloads,current_payload);
428 }
429 parser->destroy(parser);
430 DBG2(DBG_ENC, "succesfully parsed content of encryption payload");
431 return SUCCESS;
432 }
433
434 /**
435 * Implementation of encryption_payload_t.encrypt.
436 */
437 static status_t decrypt(private_encryption_payload_t *this)
438 {
439 chunk_t iv, concatenated;
440 u_int8_t padding_length;
441
442 DBG2(DBG_ENC, "decrypting encryption payload");
443 DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B",
444 &this->encrypted);
445
446 if (this->signer == NULL || this->crypter == NULL)
447 {
448 DBG1(DBG_ENC, "could not decrypt, no crypter/signer set");
449 return INVALID_STATE;
450 }
451
452 /* get IV */
453 iv.len = this->crypter->get_iv_size(this->crypter);
454 if (iv.len > this->encrypted.len)
455 {
456 DBG1(DBG_ENC, "could not decrypt, input too short");
457 return FAILED;
458 }
459 iv.ptr = this->encrypted.ptr;
460
461 /* point concatenated to data + padding + padding_length */
462 concatenated.ptr = this->encrypted.ptr + iv.len;
463 concatenated.len = this->encrypted.len - iv.len -
464 this->signer->get_block_size(this->signer);
465
466 /* concatenated must be a multiple of block_size of crypter */
467 if (concatenated.len < iv.len ||
468 concatenated.len % this->crypter->get_block_size(this->crypter))
469 {
470 DBG1(DBG_ENC, "could not decrypt, invalid input");
471 return FAILED;
472 }
473
474 /* free previus data, if any */
475 free(this->decrypted.ptr);
476
477 DBG3(DBG_ENC, "data before decryption %B", &concatenated);
478
479 this->crypter->decrypt(this->crypter, concatenated, iv, &this->decrypted);
480
481 DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted);
482
483 /* get padding length, sits just bevore signature */
484 padding_length = *(this->decrypted.ptr + this->decrypted.len - 1);
485 /* add one byte to the padding length, since the padding_length field is
486 * not included */
487 padding_length++;
488
489 /* check size again */
490 if (padding_length > concatenated.len || padding_length > this->decrypted.len)
491 {
492 DBG1(DBG_ENC, "decryption failed, invalid padding length found. Invalid key?");
493 /* decryption failed :-/ */
494 return FAILED;
495 }
496 this->decrypted.len -= padding_length;
497
498 /* free padding */
499 this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len);
500 DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted);
501 DBG2(DBG_ENC, "decryption successful, trying to parse content");
502 return parse(this);
503 }
504
505 /**
506 * Implementation of encryption_payload_t.set_transforms.
507 */
508 static void set_transforms(private_encryption_payload_t *this, crypter_t* crypter, signer_t* signer)
509 {
510 this->signer = signer;
511 this->crypter = crypter;
512 }
513
514 /**
515 * Implementation of encryption_payload_t.build_signature.
516 */
517 static status_t build_signature(private_encryption_payload_t *this, chunk_t data)
518 {
519 chunk_t data_without_sig = data;
520 chunk_t sig;
521
522 if (this->signer == NULL)
523 {
524 DBG1(DBG_ENC, "unable to build signature, no signer set");
525 return INVALID_STATE;
526 }
527
528 sig.len = this->signer->get_block_size(this->signer);
529 data_without_sig.len -= sig.len;
530 sig.ptr = data.ptr + data_without_sig.len;
531 DBG2(DBG_ENC, "building signature");
532 this->signer->get_signature(this->signer, data_without_sig, sig.ptr);
533 return SUCCESS;
534 }
535
536 /**
537 * Implementation of encryption_payload_t.verify_signature.
538 */
539 static status_t verify_signature(private_encryption_payload_t *this, chunk_t data)
540 {
541 chunk_t sig, data_without_sig;
542 bool valid;
543
544 if (this->signer == NULL)
545 {
546 DBG1(DBG_ENC, "unable to verify signature, no signer set");
547 return INVALID_STATE;
548 }
549 /* find signature in data chunk */
550 sig.len = this->signer->get_block_size(this->signer);
551 if (data.len <= sig.len)
552 {
553 DBG1(DBG_ENC, "unable to verify signature, invalid input");
554 return FAILED;
555 }
556 sig.ptr = data.ptr + data.len - sig.len;
557
558 /* verify it */
559 data_without_sig.len = data.len - sig.len;
560 data_without_sig.ptr = data.ptr;
561 valid = this->signer->verify_signature(this->signer, data_without_sig, sig);
562
563 if (!valid)
564 {
565 DBG1(DBG_ENC, "signature verification failed");
566 return FAILED;
567 }
568
569 DBG2(DBG_ENC, "signature verification successful");
570 return SUCCESS;
571 }
572
573 /**
574 * Implementation of payload_t.destroy.
575 */
576 static void destroy(private_encryption_payload_t *this)
577 {
578 this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
579 free(this->encrypted.ptr);
580 free(this->decrypted.ptr);
581 free(this);
582 }
583
584 /*
585 * Described in header
586 */
587 encryption_payload_t *encryption_payload_create()
588 {
589 private_encryption_payload_t *this = malloc_thing(private_encryption_payload_t);
590
591 /* payload_t interface functions */
592 this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
593 this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
594 this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
595 this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
596 this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
597 this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
598 this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
599
600 /* public functions */
601 this->public.create_payload_iterator = (iterator_t * (*) (encryption_payload_t *,bool)) create_payload_iterator;
602 this->public.add_payload = (void (*) (encryption_payload_t *,payload_t *)) add_payload;
603 this->public.remove_first_payload = (status_t (*)(encryption_payload_t*, payload_t **)) remove_first_payload;
604 this->public.get_payload_count = (size_t (*)(encryption_payload_t*)) get_payload_count;
605
606 this->public.encrypt = (status_t (*) (encryption_payload_t *)) encrypt;
607 this->public.decrypt = (status_t (*) (encryption_payload_t *)) decrypt;
608 this->public.set_transforms = (void (*) (encryption_payload_t*,crypter_t*,signer_t*)) set_transforms;
609 this->public.build_signature = (status_t (*) (encryption_payload_t*, chunk_t)) build_signature;
610 this->public.verify_signature = (status_t (*) (encryption_payload_t*, chunk_t)) verify_signature;
611 this->public.destroy = (void (*) (encryption_payload_t *)) destroy;
612
613 /* set default values of the fields */
614 this->critical = FALSE;
615 this->next_payload = NO_PAYLOAD;
616 this->payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH;
617 this->encrypted = chunk_empty;
618 this->decrypted = chunk_empty;
619 this->signer = NULL;
620 this->crypter = NULL;
621 this->payloads = linked_list_create();
622
623 return (&(this->public));
624 }