tls: Check all bytes of the padding if they equal the padding length
[strongswan.git] / src / libtls / tls_aead_expl.c
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_aead.h"
17
18 #include <crypto/iv/iv_gen_rand.h>
19
20 typedef struct private_tls_aead_t private_tls_aead_t;
21
22 /**
23 * Private data of an tls_aead_t object.
24 */
25 struct private_tls_aead_t {
26
27 /**
28 * Public tls_aead_t interface.
29 */
30 tls_aead_t public;
31
32 /**
33 * traditional crypter
34 */
35 crypter_t *crypter;
36
37 /**
38 * traditional signer
39 */
40 signer_t *signer;
41
42 /**
43 * IV generator
44 */
45 iv_gen_t *iv_gen;
46 };
47
48 /**
49 * Associated header data to create signature over
50 */
51 typedef struct __attribute__((__packed__)) {
52 u_int64_t seq;
53 u_int8_t type;
54 u_int16_t version;
55 u_int16_t length;
56 } sigheader_t;
57
58 METHOD(tls_aead_t, encrypt, bool,
59 private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
60 u_int64_t seq, chunk_t *data)
61 {
62 chunk_t assoc, mac, padding, iv;
63 u_int8_t bs, padlen;
64 sigheader_t hdr;
65
66 hdr.type = type;
67 htoun64(&hdr.seq, seq);
68 htoun16(&hdr.version, version);
69 htoun16(&hdr.length, data->len);
70
71 assoc = chunk_from_thing(hdr);
72 if (!this->signer->get_signature(this->signer, assoc, NULL) ||
73 !this->signer->allocate_signature(this->signer, *data, &mac))
74 {
75 return FALSE;
76 }
77 bs = this->crypter->get_block_size(this->crypter);
78 padlen = pad_len(data->len + mac.len + 1, bs);
79
80 padding = chunk_alloca(padlen);
81 memset(padding.ptr, padlen, padding.len);
82
83 /* TLSv1.1 uses random IVs, prepended to record */
84 iv.len = this->crypter->get_iv_size(this->crypter);
85 iv = chunk_alloca(iv.len);
86 if (!this->iv_gen->get_iv(this->iv_gen, seq, iv.len, iv.ptr))
87 {
88 return FALSE;
89 }
90 *data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen));
91 /* encrypt inline */
92 if (!this->crypter->encrypt(this->crypter, *data, iv, NULL))
93 {
94 free(data->ptr);
95 return FALSE;
96 }
97 /* prepend IV */
98 *data = chunk_cat("cm", iv, *data);
99 return TRUE;
100 }
101
102 METHOD(tls_aead_t, decrypt, bool,
103 private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
104 u_int64_t seq, chunk_t *data)
105 {
106 chunk_t assoc, mac, iv;
107 u_int8_t bs, padlen;
108 sigheader_t hdr;
109 size_t i;
110
111 iv.len = this->crypter->get_iv_size(this->crypter);
112 if (data->len < iv.len)
113 {
114 return FALSE;
115 }
116 iv.ptr = data->ptr;
117 *data = chunk_skip(*data, iv.len);
118 bs = this->crypter->get_block_size(this->crypter);
119 if (data->len < bs || data->len % bs)
120 {
121 return FALSE;
122 }
123 if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
124 {
125 return FALSE;
126 }
127 padlen = data->ptr[data->len - 1];
128 if (padlen < data->len)
129 { /* If padding looks valid, remove it */
130 for (i = data->len - padlen - 1; i < data->len - 1; i++)
131 {
132 if (data->ptr[i] != padlen)
133 {
134 return FALSE;
135 }
136 }
137 data->len -= padlen + 1;
138 }
139
140 bs = this->signer->get_block_size(this->signer);
141 if (data->len < bs)
142 {
143 return FALSE;
144 }
145 mac = chunk_skip(*data, data->len - bs);
146 data->len -= bs;
147
148 hdr.type = type;
149 htoun64(&hdr.seq, seq);
150 htoun16(&hdr.version, version);
151 htoun16(&hdr.length, data->len);
152
153 assoc = chunk_from_thing(hdr);
154 if (!this->signer->get_signature(this->signer, assoc, NULL) ||
155 !this->signer->verify_signature(this->signer, *data, mac))
156 {
157 return FALSE;
158 }
159 return TRUE;
160 }
161
162 METHOD(tls_aead_t, get_mac_key_size, size_t,
163 private_tls_aead_t *this)
164 {
165 return this->signer->get_key_size(this->signer);
166 }
167
168 METHOD(tls_aead_t, get_encr_key_size, size_t,
169 private_tls_aead_t *this)
170 {
171 return this->crypter->get_key_size(this->crypter);
172 }
173
174 METHOD(tls_aead_t, get_iv_size, size_t,
175 private_tls_aead_t *this)
176 {
177 return 0;
178 }
179
180 METHOD(tls_aead_t, set_keys, bool,
181 private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
182 {
183 if (iv.len)
184 {
185 return FALSE;
186 }
187 return this->signer->set_key(this->signer, mac) &&
188 this->crypter->set_key(this->crypter, encr);
189 }
190
191 METHOD(tls_aead_t, destroy, void,
192 private_tls_aead_t *this)
193 {
194 this->iv_gen->destroy(this->iv_gen);
195 DESTROY_IF(this->crypter);
196 DESTROY_IF(this->signer);
197 free(this);
198 }
199
200 /**
201 * See header
202 */
203 tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac,
204 encryption_algorithm_t encr, size_t encr_size)
205 {
206 private_tls_aead_t *this;
207
208 INIT(this,
209 .public = {
210 .encrypt = _encrypt,
211 .decrypt = _decrypt,
212 .get_mac_key_size = _get_mac_key_size,
213 .get_encr_key_size = _get_encr_key_size,
214 .get_iv_size = _get_iv_size,
215 .set_keys = _set_keys,
216 .destroy = _destroy,
217 },
218 .crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
219 .signer = lib->crypto->create_signer(lib->crypto, mac),
220 .iv_gen = iv_gen_rand_create(),
221 );
222
223 if (!this->crypter || !this->signer)
224 {
225 destroy(this);
226 return NULL;
227 }
228
229 return &this->public;
230 }