5e4d33e141318fcabc50359f1ae211c72eaea8ee
[strongswan.git] / src / libtls / tls_aead_expl.c
1 /*
2 * Copyright (C) 2014 Martin Willi
3 * Copyright (C) 2014 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "tls_aead.h"
17
18 #include <crypto/iv/iv_gen_rand.h>
19
20 typedef struct private_tls_aead_t private_tls_aead_t;
21
22 /**
23 * Private data of an tls_aead_t object.
24 */
25 struct private_tls_aead_t {
26
27 /**
28 * Public tls_aead_t interface.
29 */
30 tls_aead_t public;
31
32 /**
33 * traditional crypter
34 */
35 crypter_t *crypter;
36
37 /**
38 * traditional signer
39 */
40 signer_t *signer;
41
42 /**
43 * IV generator
44 */
45 iv_gen_t *iv_gen;
46 };
47
48 /**
49 * Associated header data to create signature over
50 */
51 typedef struct __attribute__((__packed__)) {
52 u_int64_t seq;
53 u_int8_t type;
54 u_int16_t version;
55 u_int16_t length;
56 } sigheader_t;
57
58 METHOD(tls_aead_t, encrypt, bool,
59 private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
60 u_int64_t seq, chunk_t *data)
61 {
62 chunk_t assoc, mac, padding, iv;
63 u_int8_t bs, padlen;
64 sigheader_t hdr;
65
66 hdr.type = type;
67 htoun64(&hdr.seq, seq);
68 htoun16(&hdr.version, version);
69 htoun16(&hdr.length, data->len);
70
71 assoc = chunk_from_thing(hdr);
72 if (!this->signer->get_signature(this->signer, assoc, NULL) ||
73 !this->signer->allocate_signature(this->signer, *data, &mac))
74 {
75 return FALSE;
76 }
77 bs = this->crypter->get_block_size(this->crypter);
78 padlen = pad_len(data->len + mac.len + 1, bs);
79
80 padding = chunk_alloca(padlen);
81 memset(padding.ptr, padlen, padding.len);
82
83 /* TLSv1.1 uses random IVs, prepended to record */
84 iv.len = this->crypter->get_iv_size(this->crypter);
85 iv = chunk_alloca(iv.len);
86 if (!this->iv_gen->get_iv(this->iv_gen, seq, iv.len, iv.ptr))
87 {
88 return FALSE;
89 }
90 *data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen));
91 /* encrypt inline */
92 if (!this->crypter->encrypt(this->crypter, *data, iv, NULL))
93 {
94 free(data->ptr);
95 return FALSE;
96 }
97 /* prepend IV */
98 *data = chunk_cat("cm", iv, *data);
99 return TRUE;
100 }
101
102 METHOD(tls_aead_t, decrypt, bool,
103 private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
104 u_int64_t seq, chunk_t *data)
105 {
106 chunk_t assoc, mac, iv;
107 u_int8_t bs, padlen;
108 sigheader_t hdr;
109
110 iv.len = this->crypter->get_iv_size(this->crypter);
111 if (data->len < iv.len)
112 {
113 return FALSE;
114 }
115 iv.ptr = data->ptr;
116 *data = chunk_skip(*data, iv.len);
117 bs = this->crypter->get_block_size(this->crypter);
118 if (data->len < bs || data->len % bs)
119 {
120 return FALSE;
121 }
122 if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
123 {
124 return FALSE;
125 }
126 padlen = data->ptr[data->len - 1];
127 if (padlen < data->len)
128 { /* If padding looks valid, remove it */
129 data->len -= padlen + 1;
130 }
131
132 bs = this->signer->get_block_size(this->signer);
133 if (data->len < bs)
134 {
135 return FALSE;
136 }
137 mac = chunk_skip(*data, data->len - bs);
138 data->len -= bs;
139
140 hdr.type = type;
141 htoun64(&hdr.seq, seq);
142 htoun16(&hdr.version, version);
143 htoun16(&hdr.length, data->len);
144
145 assoc = chunk_from_thing(hdr);
146 if (!this->signer->get_signature(this->signer, assoc, NULL) ||
147 !this->signer->verify_signature(this->signer, *data, mac))
148 {
149 return FALSE;
150 }
151 return TRUE;
152 }
153
154 METHOD(tls_aead_t, get_mac_key_size, size_t,
155 private_tls_aead_t *this)
156 {
157 return this->signer->get_key_size(this->signer);
158 }
159
160 METHOD(tls_aead_t, get_encr_key_size, size_t,
161 private_tls_aead_t *this)
162 {
163 return this->crypter->get_key_size(this->crypter);
164 }
165
166 METHOD(tls_aead_t, get_iv_size, size_t,
167 private_tls_aead_t *this)
168 {
169 return 0;
170 }
171
172 METHOD(tls_aead_t, set_keys, bool,
173 private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
174 {
175 if (iv.len)
176 {
177 return FALSE;
178 }
179 return this->signer->set_key(this->signer, mac) &&
180 this->crypter->set_key(this->crypter, encr);
181 }
182
183 METHOD(tls_aead_t, destroy, void,
184 private_tls_aead_t *this)
185 {
186 this->iv_gen->destroy(this->iv_gen);
187 DESTROY_IF(this->crypter);
188 DESTROY_IF(this->signer);
189 free(this);
190 }
191
192 /**
193 * See header
194 */
195 tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac,
196 encryption_algorithm_t encr, size_t encr_size)
197 {
198 private_tls_aead_t *this;
199
200 INIT(this,
201 .public = {
202 .encrypt = _encrypt,
203 .decrypt = _decrypt,
204 .get_mac_key_size = _get_mac_key_size,
205 .get_encr_key_size = _get_encr_key_size,
206 .get_iv_size = _get_iv_size,
207 .set_keys = _set_keys,
208 .destroy = _destroy,
209 },
210 .crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
211 .signer = lib->crypto->create_signer(lib->crypto, mac),
212 .iv_gen = iv_gen_rand_create(),
213 );
214
215 if (!this->crypter || !this->signer)
216 {
217 destroy(this);
218 return NULL;
219 }
220
221 return &this->public;
222 }