src/libtls/tls_aead_expl.c

   1 /*
   2  * Copyright (C) 2014 Martin Willi
   3  * Copyright (C) 2014 revosec AG
   4  *
   5  * This program is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License as published by the
   7  * Free Software Foundation; either version 2 of the License, or (at your
   8  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  12  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * for more details.
  14  */
  15
  16 #include "tls_aead.h"
  17
  18 #include <crypto/iv/iv_gen_rand.h>
  19
  20 typedef struct private_tls_aead_t private_tls_aead_t;
  21
  22 /**
  23  * Private data of an tls_aead_t object.
  24  */
  25 struct private_tls_aead_t {
  26
  27         /**
  28          * Public tls_aead_t interface.
  29          */
  30         tls_aead_t public;
  31
  32         /**
  33          * traditional crypter
  34          */
  35         crypter_t *crypter;
  36
  37         /**
  38          * traditional signer
  39          */
  40         signer_t *signer;
  41
  42         /**
  43          * IV generator
  44          */
  45         iv_gen_t *iv_gen;
  46 };
  47
  48 /**
  49  * Associated header data to create signature over
  50  */
  51 typedef struct __attribute__((__packed__)) {
  52         u_int64_t seq;
  53         u_int8_t type;
  54         u_int16_t version;
  55         u_int16_t length;
  56 } sigheader_t;
  57
  58 METHOD(tls_aead_t, encrypt, bool,
  59         private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
  60         u_int64_t seq, chunk_t *data)
  61 {
  62         chunk_t assoc, mac, padding, iv;
  63         u_int8_t bs, padlen;
  64         sigheader_t hdr;
  65
  66         hdr.type = type;
  67         htoun64(&hdr.seq, seq);
  68         htoun16(&hdr.version, version);
  69         htoun16(&hdr.length, data->len);
  70
  71         assoc = chunk_from_thing(hdr);
  72         if (!this->signer->get_signature(this->signer, assoc, NULL) ||
  73                 !this->signer->allocate_signature(this->signer, *data, &mac))
  74         {
  75                 return FALSE;
  76         }
  77         bs = this->crypter->get_block_size(this->crypter);
  78         padlen = pad_len(data->len + mac.len + 1, bs);
  79
  80         padding = chunk_alloca(padlen);
  81         memset(padding.ptr, padlen, padding.len);
  82
  83         /* TLSv1.1 uses random IVs, prepended to record */
  84         iv.len = this->crypter->get_iv_size(this->crypter);
  85         iv = chunk_alloca(iv.len);
  86         if (!this->iv_gen->get_iv(this->iv_gen, seq, iv.len, iv.ptr))
  87         {
  88                 return FALSE;
  89         }
  90         *data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen));
  91         /* encrypt inline */
  92         if (!this->crypter->encrypt(this->crypter, *data, iv, NULL))
  93         {
  94                 free(data->ptr);
  95                 return FALSE;
  96         }
  97         /* prepend IV */
  98         *data = chunk_cat("cm", iv, *data);
  99         return TRUE;
 100 }
 101
 102 METHOD(tls_aead_t, decrypt, bool,
 103         private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
 104         u_int64_t seq, chunk_t *data)
 105 {
 106         chunk_t assoc, mac, iv;
 107         u_int8_t bs, padlen;
 108         sigheader_t hdr;
 109         size_t i;
 110
 111         iv.len = this->crypter->get_iv_size(this->crypter);
 112         if (data->len < iv.len)
 113         {
 114                 return FALSE;
 115         }
 116         iv.ptr = data->ptr;
 117         *data = chunk_skip(*data, iv.len);
 118         bs = this->crypter->get_block_size(this->crypter);
 119         if (data->len < bs || data->len % bs)
 120         {
 121                 return FALSE;
 122         }
 123         if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
 124         {
 125                 return FALSE;
 126         }
 127         padlen = data->ptr[data->len - 1];
 128         if (padlen < data->len)
 129         {       /* If padding looks valid, remove it */
 130                 for (i = data->len - padlen - 1; i < data->len - 1; i++)
 131                 {
 132                         if (data->ptr[i] != padlen)
 133                         {
 134                                 return FALSE;
 135                         }
 136                 }
 137                 data->len -= padlen + 1;
 138         }
 139
 140         bs = this->signer->get_block_size(this->signer);
 141         if (data->len < bs)
 142         {
 143                 return FALSE;
 144         }
 145         mac = chunk_skip(*data, data->len - bs);
 146         data->len -= bs;
 147
 148         hdr.type = type;
 149         htoun64(&hdr.seq, seq);
 150         htoun16(&hdr.version, version);
 151         htoun16(&hdr.length, data->len);
 152
 153         assoc = chunk_from_thing(hdr);
 154         if (!this->signer->get_signature(this->signer, assoc, NULL) ||
 155                 !this->signer->verify_signature(this->signer, *data, mac))
 156         {
 157                 return FALSE;
 158         }
 159         return TRUE;
 160 }
 161
 162 METHOD(tls_aead_t, get_mac_key_size, size_t,
 163         private_tls_aead_t *this)
 164 {
 165         return this->signer->get_key_size(this->signer);
 166 }
 167
 168 METHOD(tls_aead_t, get_encr_key_size, size_t,
 169         private_tls_aead_t *this)
 170 {
 171         return this->crypter->get_key_size(this->crypter);
 172 }
 173
 174 METHOD(tls_aead_t, get_iv_size, size_t,
 175         private_tls_aead_t *this)
 176 {
 177         return 0;
 178 }
 179
 180 METHOD(tls_aead_t, set_keys, bool,
 181         private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
 182 {
 183         if (iv.len)
 184         {
 185                 return FALSE;
 186         }
 187         return this->signer->set_key(this->signer, mac) &&
 188                    this->crypter->set_key(this->crypter, encr);
 189 }
 190
 191 METHOD(tls_aead_t, destroy, void,
 192         private_tls_aead_t *this)
 193 {
 194         this->iv_gen->destroy(this->iv_gen);
 195         DESTROY_IF(this->crypter);
 196         DESTROY_IF(this->signer);
 197         free(this);
 198 }
 199
 200 /**
 201  * See header
 202  */
 203 tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac,
 204                                                                 encryption_algorithm_t encr, size_t encr_size)
 205 {
 206         private_tls_aead_t *this;
 207
 208         INIT(this,
 209                 .public = {
 210                         .encrypt = _encrypt,
 211                         .decrypt = _decrypt,
 212                         .get_mac_key_size = _get_mac_key_size,
 213                         .get_encr_key_size = _get_encr_key_size,
 214                         .get_iv_size = _get_iv_size,
 215                         .set_keys = _set_keys,
 216                         .destroy = _destroy,
 217                 },
 218                 .crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
 219                 .signer = lib->crypto->create_signer(lib->crypto, mac),
 220                 .iv_gen = iv_gen_rand_create(),
 221         );
 222
 223         if (!this->crypter || !this->signer)
 224         {
 225                 destroy(this);
 226                 return NULL;
 227         }
 228
 229         return &this->public;
 230 }