tls: Separate TLS protection to abstracted AEAD modes
[strongswan.git] / src / libtls / tls_protection.c
index 0d5df18..b016db2 100644 (file)
@@ -45,74 +45,26 @@ struct private_tls_protection_t {
        tls_alert_t *alert;
 
        /**
-        * RNG if we generate IVs ourself
-        */
-       rng_t *rng;
-
-       /**
         * Sequence number of incoming records
         */
-       u_int32_t seq_in;
+       u_int64_t seq_in;
 
        /**
         * Sequence number for outgoing records
         */
-       u_int32_t seq_out;
-
-       /**
-        * Signer instance for inbound traffic
-        */
-       signer_t *signer_in;
-
-       /**
-        * Signer instance for outbound traffic
-        */
-       signer_t *signer_out;
+       u_int64_t seq_out;
 
        /**
-        * Crypter instance for inbound traffic
+        * AEAD transform for inbound traffic
         */
-       crypter_t *crypter_in;
+       tls_aead_t *aead_in;
 
        /**
-        * Crypter instance for outbound traffic
+        * AEAD transform for outbound traffic
         */
-       crypter_t *crypter_out;
-
-       /**
-        * Current IV for input decryption
-        */
-       chunk_t iv_in;
-
-       /**
-        * Current IV for output decryption
-        */
-       chunk_t iv_out;
+       tls_aead_t *aead_out;
 };
 
-/**
- * Create the header and feed it into a signer for MAC verification
- */
-static bool sigheader(signer_t *signer, u_int32_t seq, u_int8_t type,
-                                         u_int16_t version, u_int16_t length)
-{
-       /* we only support 32 bit sequence numbers, but TLS uses 64 bit */
-       struct __attribute__((__packed__)) {
-               u_int32_t seq_high;
-               u_int32_t seq_low;
-               u_int8_t type;
-               u_int16_t version;
-               u_int16_t length;
-       } header = {
-               .type = type,
-       };
-       htoun32(&header.seq_low, seq);
-       htoun16(&header.version, version);
-       htoun16(&header.length, length);
-
-       return signer->get_signature(signer, chunk_from_thing(header), NULL);
-}
-
 METHOD(tls_protection_t, process, status_t,
        private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
 {
@@ -121,75 +73,12 @@ METHOD(tls_protection_t, process, status_t,
                return NEED_MORE;
        }
 
-       if (this->crypter_in)
-       {
-               chunk_t iv, next_iv = chunk_empty;
-               u_int8_t bs, padding_length;
-
-               bs = this->crypter_in->get_block_size(this->crypter_in);
-               if (this->iv_in.len)
-               {       /* < TLSv1.1 uses IV from key derivation/last block */
-                       if (data.len < bs || data.len % bs)
-                       {
-                               DBG1(DBG_TLS, "encrypted TLS record length invalid");
-                               this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-                               return NEED_MORE;
-                       }
-                       iv = this->iv_in;
-                       next_iv = chunk_clone(chunk_create(data.ptr + data.len - bs, bs));
-               }
-               else
-               {       /* TLSv1.1 uses random IVs, prepended to record */
-                       iv.len = this->crypter_in->get_iv_size(this->crypter_in);
-                       iv = chunk_create(data.ptr, iv.len);
-                       data = chunk_skip(data, iv.len);
-                       if (data.len < bs || data.len % bs)
-                       {
-                               DBG1(DBG_TLS, "encrypted TLS record length invalid");
-                               this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-                               return NEED_MORE;
-                       }
-               }
-               if (!this->crypter_in->decrypt(this->crypter_in, data, iv, NULL))
-               {
-                       free(next_iv.ptr);
-                       this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-                       return NEED_MORE;
-               }
-
-               if (next_iv.len)
-               {       /* next record IV is last ciphertext block of this record */
-                       memcpy(this->iv_in.ptr, next_iv.ptr, next_iv.len);
-                       free(next_iv.ptr);
-               }
-
-               padding_length = data.ptr[data.len - 1];
-               if (padding_length < data.len)
-               {       /* remove padding if it looks valid. Continue with no padding, try
-                        * to prevent timing attacks. */
-                       data.len -= padding_length + 1;
-               }
-       }
-       if (this->signer_in)
+       if (this->aead_in)
        {
-               chunk_t mac;
-               u_int8_t bs;
-
-               bs = this->signer_in->get_block_size(this->signer_in);
-               if (data.len < bs)
+               if (!this->aead_in->decrypt(this->aead_in, this->version,
+                                                                       type, this->seq_in, &data))
                {
-                       DBG1(DBG_TLS, "TLS record too short to verify MAC");
-                       this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-                       return NEED_MORE;
-               }
-               mac = chunk_skip(data, data.len - bs);
-               data.len -= bs;
-
-               if (!sigheader(this->signer_in, this->seq_in, type,
-                                          this->version, data.len) ||
-                       !this->signer_in->verify_signature(this->signer_in, data, mac))
-               {
-                       DBG1(DBG_TLS, "TLS record MAC verification failed");
+                       DBG1(DBG_TLS, "TLS record decryption failed");
                        this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
                        return NEED_MORE;
                }
@@ -220,72 +109,15 @@ METHOD(tls_protection_t, build, status_t,
 
        if (status == NEED_MORE)
        {
-               if (this->signer_out)
+               if (this->aead_out)
                {
-                       chunk_t mac;
-
-                       if (!sigheader(this->signer_out, this->seq_out, *type,
-                                                  this->version, data->len) ||
-                               !this->signer_out->allocate_signature(this->signer_out,
-                                                  *data, &mac))
+                       if (!this->aead_out->encrypt(this->aead_out, this->version,
+                                                                                *type, this->seq_out, data))
                        {
+                               DBG1(DBG_TLS, "TLS record encryption failed");
+                               chunk_free(data);
                                return FAILED;
                        }
-                       if (this->crypter_out)
-                       {
-                               chunk_t padding, iv;
-                               u_int8_t bs, padding_length;
-
-                               bs = this->crypter_out->get_block_size(this->crypter_out);
-                               padding_length = bs - ((data->len + mac.len + 1) % bs);
-
-                               padding = chunk_alloca(padding_length);
-                               memset(padding.ptr, padding_length, padding.len);
-
-                               if (this->iv_out.len)
-                               {       /* < TLSv1.1 uses IV from key derivation/last block */
-                                       iv = this->iv_out;
-                               }
-                               else
-                               {       /* TLSv1.1 uses random IVs, prepended to record */
-                                       iv.len = this->crypter_out->get_iv_size(this->crypter_out);
-                                       if (!this->rng ||
-                                               !this->rng->allocate_bytes(this->rng, iv.len, &iv))
-                                       {
-                                               DBG1(DBG_TLS, "failed to generate TLS IV");
-                                               free(data->ptr);
-                                               return FAILED;
-                                       }
-                               }
-
-                               *data = chunk_cat("mmcc", *data, mac, padding,
-                                                                 chunk_from_thing(padding_length));
-                               /* encrypt inline */
-                               if (!this->crypter_out->encrypt(this->crypter_out, *data,
-                                                                                               iv, NULL))
-                               {
-                                       if (!this->iv_out.len)
-                                       {
-                                               free(iv.ptr);
-                                       }
-                                       free(data->ptr);
-                                       return FAILED;
-                               }
-
-                               if (this->iv_out.len)
-                               {       /* next record IV is last ciphertext block of this record */
-                                       memcpy(this->iv_out.ptr, data->ptr + data->len -
-                                                  this->iv_out.len, this->iv_out.len);
-                               }
-                               else
-                               {       /* prepend IV */
-                                       *data = chunk_cat("mm", iv, *data);
-                               }
-                       }
-                       else
-                       {       /* NULL encryption */
-                               *data = chunk_cat("mm", *data, mac);
-                       }
                }
                this->seq_out++;
        }
@@ -293,24 +125,15 @@ METHOD(tls_protection_t, build, status_t,
 }
 
 METHOD(tls_protection_t, set_cipher, void,
-       private_tls_protection_t *this, bool inbound, signer_t *signer,
-       crypter_t *crypter, chunk_t iv)
+       private_tls_protection_t *this, bool inbound, tls_aead_t *aead)
 {
        if (inbound)
        {
-               this->signer_in = signer;
-               this->crypter_in = crypter;
-               this->iv_in = iv;
+               this->aead_in = aead;
        }
        else
        {
-               this->signer_out = signer;
-               this->crypter_out = crypter;
-               this->iv_out = iv;
-               if (!iv.len)
-               {       /* generate IVs if none given */
-                       this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-               }
+               this->aead_out = aead;
        }
 }
 
@@ -323,7 +146,6 @@ METHOD(tls_protection_t, set_version, void,
 METHOD(tls_protection_t, destroy, void,
        private_tls_protection_t *this)
 {
-       DESTROY_IF(this->rng);
        free(this);
 }