tls: Separate TLS protection to abstracted AEAD modes
authorMartin Willi <martin@revosec.ch>
Mon, 3 Feb 2014 12:20:46 +0000 (13:20 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 13:56:12 +0000 (15:56 +0200)
To better separate the code path for different TLS versions and modes of
operation, we introduce a TLS AEAD abstraction. We provide three implementations
using traditional transforms, and get prepared for TLS AEAD modes.

src/libtls/Makefile.am
src/libtls/tls_aead.h [new file with mode: 0644]
src/libtls/tls_aead_expl.c [new file with mode: 0644]
src/libtls/tls_aead_impl.c [new file with mode: 0644]
src/libtls/tls_aead_null.c [new file with mode: 0644]
src/libtls/tls_crypto.c
src/libtls/tls_protection.c
src/libtls/tls_protection.h

index b83ea8e..403a686 100644 (file)
@@ -8,6 +8,7 @@ ipseclib_LTLIBRARIES = libtls.la
 libtls_la_SOURCES = \
        tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
        tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \
+       tls_aead_expl.c tls_aead_impl.c tls_aead_null.c \
        tls_server.c tls.c
 
 libtls_la_LIBADD = \
@@ -18,5 +19,5 @@ tls_includedir = ${dev_headers}/tls
 nobase_tls_include_HEADERS = \
        tls_protection.h tls_compression.h tls_fragmentation.h tls_alert.h \
        tls_crypto.h tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \
-       tls_server.h tls_handshake.h tls_application.h tls.h
+       tls_server.h tls_handshake.h tls_application.h tls_aead.h tls.h
 endif
diff --git a/src/libtls/tls_aead.h b/src/libtls/tls_aead.h
new file mode 100644 (file)
index 0000000..48b16cc
--- /dev/null
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tls_aead tls_aead
+ * @{ @ingroup tls
+ */
+
+#ifndef TLS_AEAD_H_
+#define TLS_AEAD_H_
+
+typedef struct tls_aead_t tls_aead_t;
+
+#include "tls.h"
+
+/**
+ * TLS specific AEAD interface, includes padding.
+ *
+ * As TLS uses sign-then-encrypt instead of the more modern encrypt-then-sign,
+ * we can't directly abstract traditional transforms using our aead_t interface.
+ * With traditional transforms, the AEAD operation has to manage padding, as
+ * the MAC is calculated over unpadded data.
+ */
+struct tls_aead_t {
+
+       /**
+        * Encrypt and sign a TLS record.
+        *
+        * The plain data chunk gets freed on success, and the data chunk
+        * gets updated with a new allocation of the encrypted data.
+        * If next_iv is given, it must contain the IV for this operation. It
+        * gets updated to the IV for the next record.
+        *
+        * @param version               TLS version
+        * @param type                  TLS content type
+        * @param seq                   record sequence number
+        * @param data                  data to encrypt, encryption result
+        * @return                              TRUE if successfully encrypted
+        */
+       bool (*encrypt)(tls_aead_t *this, tls_version_t version,
+                                       tls_content_type_t type, u_int64_t seq, chunk_t *data);
+
+       /**
+        * Decrypt and verify a TLS record.
+        *
+        * The passed encrypted data chunk gets updated to the decrypted record
+        * length, decryption is done inline.
+        *
+        * @param version               TLS version
+        * @param type                  TLS content type
+        * @param seq                   record sequence number
+        * @param data                  data to decrypt, decrypted result
+        * @return                              TRUE if successfully decrypted
+        */
+       bool (*decrypt)(tls_aead_t *this, tls_version_t version,
+                                       tls_content_type_t type, u_int64_t seq, chunk_t *data);
+
+       /**
+        * Get the authentication key size.
+        *
+        * @return              key size, in bytes, 0 if not used
+        */
+       size_t (*get_mac_key_size)(tls_aead_t *this);
+
+       /**
+        * Get the encrytion key size, if used.
+        *
+        * @return              key size, in bytes, 0 if not used
+        */
+       size_t (*get_encr_key_size)(tls_aead_t *this);
+
+       /**
+        * Get the size of implicit IV (or AEAD salt), if used.
+        *
+        * @return              IV/salt size, in bytes, 0 if not used
+        */
+       size_t (*get_iv_size)(tls_aead_t *this);
+
+       /**
+        * Set the keys used by an AEAD transform.
+        *
+        * @param mac           authentication key, if used
+        * @param encr          encryption key, if used
+        * @param iv            initial implicit IV or AEAD salt, if any
+        * @return                      TRUE if key valid and set
+        */
+       bool (*set_keys)(tls_aead_t *this, chunk_t mac, chunk_t ecnr, chunk_t iv);
+
+       /**
+        * Destroy a tls_aead_t.
+        */
+       void (*destroy)(tls_aead_t *this);
+};
+
+/**
+ * Create a tls_aead instance using traditional transforms, explicit IV.
+ *
+ * An explicit IV means that the IV is prepended to each TLS record. This is
+ * the mechanism used in TLS 1.1 and newer.
+ *
+ * @param mac                  integrity protection algorithm
+ * @param encr                 encryption algorithm
+ * @param encr_size            encryption key size, in bytes
+ * @return                             TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac,
+                                                               encryption_algorithm_t encr, size_t encr_size);
+
+/**
+ * Create a tls_aead instance using traditional transforms, implicit IV.
+ *
+ * An implicit IV uses a first IV derived from the TLS keymat, which then
+ * gets replaced by the last encrypted records tail. This is the mechanism
+ * used for TLS 1.0 and older.
+ *
+ * @param mac                  integrity protection algorithm
+ * @param encr                 encryption algorithm
+ * @param encr_size            encryption key size, in bytes
+ * @return                             TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac,
+                                                               encryption_algorithm_t encr, size_t encr_size);
+
+/**
+ * Create a tls_aead instance using NULL encryption.
+ *
+ * As no IV is involved with null encryption, this AEAD works with any
+ * version of TLS.
+ *
+ * @param mac                  integrity protection algorithm
+ * @return                             TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_null(integrity_algorithm_t mac);
+
+#endif /** TLS_AEAD_H_ @}*/
diff --git a/src/libtls/tls_aead_expl.c b/src/libtls/tls_aead_expl.c
new file mode 100644 (file)
index 0000000..f047d65
--- /dev/null
@@ -0,0 +1,223 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+#include <crypto/iv/iv_gen_rand.h>
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+       /**
+        * Public tls_aead_t interface.
+        */
+       tls_aead_t public;
+
+       /**
+        * traditional crypter
+        */
+       crypter_t *crypter;
+
+       /**
+        * traditional signer
+        */
+       signer_t *signer;
+
+       /**
+        * IV generator
+        */
+       iv_gen_t *iv_gen;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+       u_int64_t seq;
+       u_int8_t type;
+       u_int16_t version;
+       u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+       private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+       u_int64_t seq, chunk_t *data)
+{
+       chunk_t assoc, mac, padding, iv;
+       u_int8_t bs, padlen;
+       sigheader_t hdr;
+
+       hdr.type = type;
+       htoun64(&hdr.seq, seq);
+       htoun16(&hdr.version, version);
+       htoun16(&hdr.length, data->len);
+
+       assoc = chunk_from_thing(hdr);
+       if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+               !this->signer->allocate_signature(this->signer, *data, &mac))
+       {
+               return FALSE;
+       }
+       bs = this->crypter->get_block_size(this->crypter);
+       padlen = pad_len(data->len + mac.len + 1, bs);
+
+       padding = chunk_alloca(padlen);
+       memset(padding.ptr, padlen, padding.len);
+
+       /* TLSv1.1 uses random IVs, prepended to record */
+       iv.len = this->crypter->get_iv_size(this->crypter);
+       iv = chunk_alloca(iv.len);
+       if (!this->iv_gen->get_iv(this->iv_gen, seq, iv.len, iv.ptr))
+       {
+               return FALSE;
+       }
+       *data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen));
+       /* encrypt inline */
+       if (!this->crypter->encrypt(this->crypter, *data, iv, NULL))
+       {
+               free(data->ptr);
+               return FALSE;
+       }
+       /* prepend IV */
+       *data = chunk_cat("cm", iv, *data);
+       return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+       private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+       u_int64_t seq, chunk_t *data)
+{
+       chunk_t assoc, mac, iv;
+       u_int8_t bs, padlen;
+       sigheader_t hdr;
+
+       iv.len = this->crypter->get_iv_size(this->crypter);
+       if (data->len < iv.len)
+       {
+               return FALSE;
+       }
+       iv.ptr = data->ptr;
+       *data = chunk_skip(*data, iv.len);
+       bs = this->crypter->get_block_size(this->crypter);
+       if (data->len < bs || data->len % bs)
+       {
+               return FALSE;
+       }
+       if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
+       {
+               return FALSE;
+       }
+       padlen = data->ptr[data->len - 1];
+       if (padlen < data->len)
+       {       /* If padding looks valid, remove it */
+               data->len -= padlen + 1;
+       }
+
+       bs = this->signer->get_block_size(this->signer);
+       if (data->len < bs)
+       {
+               return FALSE;
+       }
+       mac = chunk_skip(*data, data->len - bs);
+       data->len -= bs;
+
+       hdr.type = type;
+       htoun64(&hdr.seq, seq);
+       htoun16(&hdr.version, version);
+       htoun16(&hdr.length, data->len);
+
+       assoc = chunk_from_thing(hdr);
+       if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+               !this->signer->verify_signature(this->signer, *data, mac))
+       {
+               return FALSE;
+       }
+       return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+       private_tls_aead_t *this)
+{
+       return this->signer->get_key_size(this->signer);
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+       private_tls_aead_t *this)
+{
+       return this->crypter->get_key_size(this->crypter);
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+       private_tls_aead_t *this)
+{
+       return 0;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+       private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+       if (iv.len)
+       {
+               return FALSE;
+       }
+       return this->signer->set_key(this->signer, mac) &&
+                  this->crypter->set_key(this->crypter, encr);
+}
+
+METHOD(tls_aead_t, destroy, void,
+       private_tls_aead_t *this)
+{
+       this->iv_gen->destroy(this->iv_gen);
+       DESTROY_IF(this->crypter);
+       DESTROY_IF(this->signer);
+       free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac,
+                                                               encryption_algorithm_t encr, size_t encr_size)
+{
+       private_tls_aead_t *this;
+
+       INIT(this,
+               .public = {
+                       .encrypt = _encrypt,
+                       .decrypt = _decrypt,
+                       .get_iv_size = _get_iv_size,
+                       .get_mac_key_size = _get_mac_key_size,
+                       .get_encr_key_size = _get_encr_key_size,
+                       .get_iv_size = _get_iv_size,
+                       .set_keys = _set_keys,
+                       .destroy = _destroy,
+               },
+               .crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
+               .signer = lib->crypto->create_signer(lib->crypto, mac),
+               .iv_gen = iv_gen_rand_create(),
+       );
+
+       if (!this->crypter || !this->signer)
+       {
+               destroy(this);
+               return NULL;
+       }
+
+       return &this->public;
+}
diff --git a/src/libtls/tls_aead_impl.c b/src/libtls/tls_aead_impl.c
new file mode 100644 (file)
index 0000000..9b259fc
--- /dev/null
@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+       /**
+        * Public tls_aead_t interface.
+        */
+       tls_aead_t public;
+
+       /**
+        * traditional crypter
+        */
+       crypter_t *crypter;
+
+       /**
+        * traditional signer
+        */
+       signer_t *signer;
+
+       /**
+        * Next implicit IV
+        */
+       chunk_t iv;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+       u_int64_t seq;
+       u_int8_t type;
+       u_int16_t version;
+       u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+       private_tls_aead_t *this, tls_version_t version,
+       tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+       chunk_t assoc, mac, padding;
+       u_int8_t bs, padlen;
+       sigheader_t hdr;
+
+       hdr.type = type;
+       htoun64(&hdr.seq, seq);
+       htoun16(&hdr.version, version);
+       htoun16(&hdr.length, data->len);
+
+       assoc = chunk_from_thing(hdr);
+       if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+               !this->signer->allocate_signature(this->signer, *data, &mac))
+       {
+               return FALSE;
+       }
+       bs = this->crypter->get_block_size(this->crypter);
+       padlen = pad_len(data->len + mac.len + 1, bs);
+
+       padding = chunk_alloca(padlen);
+       memset(padding.ptr, padlen, padding.len);
+
+       *data = chunk_cat("mmcc", *data, mac, padding, chunk_from_thing(padlen));
+       /* encrypt inline */
+       if (!this->crypter->encrypt(this->crypter, *data, this->iv, NULL))
+       {
+               return FALSE;
+       }
+       if (data->len < this->iv.len)
+       {
+               return FALSE;
+       }
+       /* next record IV is last ciphertext block of this record */
+       memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len);
+       return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+       private_tls_aead_t *this, tls_version_t version,
+       tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+       chunk_t assoc, mac, iv;
+       u_int8_t bs, padlen;
+       sigheader_t hdr;
+
+       bs = this->crypter->get_block_size(this->crypter);
+       if (data->len < bs || data->len < this->iv.len || data->len % bs)
+       {
+               return FALSE;
+       }
+       iv = chunk_alloca(this->iv.len);
+       memcpy(iv.ptr, this->iv.ptr, this->iv.len);
+       memcpy(this->iv.ptr, data->ptr + data->len - this->iv.len, this->iv.len);
+       if (!this->crypter->decrypt(this->crypter, *data, iv, NULL))
+       {
+               return FALSE;
+       }
+       padlen = data->ptr[data->len - 1];
+       if (padlen < data->len)
+       {       /* If padding looks valid, remove it */
+               data->len -= padlen + 1;
+       }
+
+       bs = this->signer->get_block_size(this->signer);
+       if (data->len < bs)
+       {
+               return FALSE;
+       }
+       mac = chunk_skip(*data, data->len - bs);
+       data->len -= bs;
+
+       hdr.type = type;
+       htoun64(&hdr.seq, seq);
+       htoun16(&hdr.version, version);
+       htoun16(&hdr.length, data->len);
+
+       assoc = chunk_from_thing(hdr);
+       if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+               !this->signer->verify_signature(this->signer, *data, mac))
+       {
+               return FALSE;
+       }
+       return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+       private_tls_aead_t *this)
+{
+       return this->signer->get_key_size(this->signer);
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+       private_tls_aead_t *this)
+{
+       return this->crypter->get_key_size(this->crypter);
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+       private_tls_aead_t *this)
+{
+       return this->iv.len;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+       private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+       if (iv.len != this->iv.len)
+       {
+               return FALSE;
+       }
+       memcpy(this->iv.ptr, iv.ptr, this->iv.len);
+       return this->signer->set_key(this->signer, mac) &&
+                  this->crypter->set_key(this->crypter, encr);
+}
+
+METHOD(tls_aead_t, destroy, void,
+       private_tls_aead_t *this)
+{
+       DESTROY_IF(this->crypter);
+       DESTROY_IF(this->signer);
+       chunk_free(&this->iv);
+       free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac,
+                                                               encryption_algorithm_t encr, size_t encr_size)
+{
+       private_tls_aead_t *this;
+
+       INIT(this,
+               .public = {
+                       .encrypt = _encrypt,
+                       .decrypt = _decrypt,
+                       .get_iv_size = _get_iv_size,
+                       .get_mac_key_size = _get_mac_key_size,
+                       .get_encr_key_size = _get_encr_key_size,
+                       .get_iv_size = _get_iv_size,
+                       .set_keys = _set_keys,
+                       .destroy = _destroy,
+               },
+               .crypter = lib->crypto->create_crypter(lib->crypto, encr, encr_size),
+               .signer = lib->crypto->create_signer(lib->crypto, mac),
+       );
+
+       if (!this->crypter || !this->signer)
+       {
+               destroy(this);
+               return NULL;
+       }
+
+       this->iv = chunk_alloc(this->crypter->get_iv_size(this->crypter));
+
+       return &this->public;
+}
diff --git a/src/libtls/tls_aead_null.c b/src/libtls/tls_aead_null.c
new file mode 100644 (file)
index 0000000..b80a0bc
--- /dev/null
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+       /**
+        * Public tls_aead_t interface.
+        */
+       tls_aead_t public;
+
+       /**
+        * traditional signer
+        */
+       signer_t *signer;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+       u_int64_t seq;
+       u_int8_t type;
+       u_int16_t version;
+       u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+       private_tls_aead_t *this, tls_version_t version,
+       tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+       chunk_t assoc, mac;
+       sigheader_t hdr;
+
+       hdr.type = type;
+       htoun64(&hdr.seq, seq);
+       htoun16(&hdr.version, version);
+       htoun16(&hdr.length, data->len);
+
+       assoc = chunk_from_thing(hdr);
+       if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+               !this->signer->allocate_signature(this->signer, *data, &mac))
+       {
+               return FALSE;
+       }
+       *data = chunk_cat("mm", *data, mac);
+       return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+       private_tls_aead_t *this, tls_version_t version,
+       tls_content_type_t type, u_int64_t seq, chunk_t *data)
+{
+       chunk_t assoc, mac;
+       sigheader_t hdr;
+
+       mac.len = this->signer->get_block_size(this->signer);
+       if (data->len < mac.len)
+       {
+               return FALSE;
+       }
+       mac = chunk_skip(*data, data->len - mac.len);
+       data->len -= mac.len;
+
+       hdr.type = type;
+       htoun64(&hdr.seq, seq);
+       htoun16(&hdr.version, version);
+       htoun16(&hdr.length, data->len);
+
+       assoc = chunk_from_thing(hdr);
+       if (!this->signer->get_signature(this->signer, assoc, NULL) ||
+               !this->signer->verify_signature(this->signer, *data, mac))
+       {
+               return FALSE;
+       }
+       return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+       private_tls_aead_t *this)
+{
+       return this->signer->get_key_size(this->signer);
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+       private_tls_aead_t *this)
+{
+       return 0;
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+       private_tls_aead_t *this)
+{
+       return 0;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+       private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+       if (iv.len || encr.len)
+       {
+               return FALSE;
+       }
+       return this->signer->set_key(this->signer, mac);
+}
+
+METHOD(tls_aead_t, destroy, void,
+       private_tls_aead_t *this)
+{
+       this->signer->destroy(this->signer);
+       free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_null(integrity_algorithm_t alg)
+{
+       private_tls_aead_t *this;
+
+       INIT(this,
+               .public = {
+                       .encrypt = _encrypt,
+                       .decrypt = _decrypt,
+                       .get_iv_size = _get_iv_size,
+                       .get_mac_key_size = _get_mac_key_size,
+                       .get_encr_key_size = _get_encr_key_size,
+                       .get_iv_size = _get_iv_size,
+                       .set_keys = _set_keys,
+                       .destroy = _destroy,
+               },
+               .signer = lib->crypto->create_signer(lib->crypto, alg),
+       );
+
+       if (!this->signer)
+       {
+               free(this);
+               return NULL;
+       }
+
+       return &this->public;
+}
index cc73eba..03d19fa 100644 (file)
@@ -385,34 +385,14 @@ struct private_tls_crypto_t {
        tls_prf_t *prf;
 
        /**
-        * Signer instance for inbound traffic
+        * AEAD transform for inbound traffic
         */
-       signer_t *signer_in;
+       tls_aead_t *aead_in;
 
        /**
-        * Signer instance for outbound traffic
+        * AEAD transform for outbound traffic
         */
-       signer_t *signer_out;
-
-       /**
-        * Crypter instance for inbound traffic
-        */
-       crypter_t *crypter_in;
-
-       /**
-        * Crypter instance for outbound traffic
-        */
-       crypter_t *crypter_out;
-
-       /**
-        * IV for input decryption, if < TLSv1.2
-        */
-       chunk_t iv_in;
-
-       /**
-        * IV for output decryption, if < TLSv1.2
-        */
-       chunk_t iv_out;
+       tls_aead_t *aead_out;
 
        /**
         * EAP-[T]TLS MSK
@@ -969,10 +949,66 @@ METHOD(tls_crypto_t, get_cipher_suites, int,
 }
 
 /**
+ * Create NULL encryption transforms
+ */
+static bool create_null(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+       this->aead_in = tls_aead_create_null(algs->mac);
+       this->aead_out = tls_aead_create_null(algs->mac);
+       if (!this->aead_in || !this->aead_out)
+       {
+               DBG1(DBG_TLS, "selected TLS MAC %N not supported",
+                        integrity_algorithm_names, algs->mac);
+               return FALSE;
+       }
+       return TRUE;
+}
+
+/**
+ * Create traditional transforms
+ */
+static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+       if (this->tls->get_version(this->tls) < TLS_1_1)
+       {
+               this->aead_in = tls_aead_create_implicit(algs->mac,
+                                                               algs->encr, algs->encr_size);
+               this->aead_out = tls_aead_create_implicit(algs->mac,
+                                                               algs->encr, algs->encr_size);
+       }
+       else
+       {
+               this->aead_in = tls_aead_create_explicit(algs->mac,
+                                                               algs->encr, algs->encr_size);
+               this->aead_out = tls_aead_create_explicit(algs->mac,
+                                                               algs->encr, algs->encr_size);
+       }
+       if (!this->aead_in || !this->aead_out)
+       {
+               DBG1(DBG_TLS, "selected TLS transforms %N-%u-%N not supported",
+                        encryption_algorithm_names, algs->encr, algs->encr_size * 8,
+                        integrity_algorithm_names, algs->mac);
+               return FALSE;
+       }
+       return TRUE;
+}
+
+/**
+ * Clean up and unset AEAD transforms
+ */
+static void destroy_aeads(private_tls_crypto_t *this)
+{
+       DESTROY_IF(this->aead_in);
+       DESTROY_IF(this->aead_out);
+       this->aead_in = this->aead_out = NULL;
+}
+
+/**
  * Create crypto primitives
  */
 static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
 {
+       destroy_aeads(this);
        DESTROY_IF(this->prf);
        if (this->tls->get_version(this->tls) < TLS_1_2)
        {
@@ -987,38 +1023,22 @@ static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
                DBG1(DBG_TLS, "selected TLS PRF not supported");
                return FALSE;
        }
-
-       DESTROY_IF(this->signer_in);
-       DESTROY_IF(this->signer_out);
-       this->signer_in = lib->crypto->create_signer(lib->crypto, algs->mac);
-       this->signer_out = lib->crypto->create_signer(lib->crypto, algs->mac);
-       if (!this->signer_in || !this->signer_out)
-       {
-               DBG1(DBG_TLS, "selected TLS MAC %N not supported",
-                        integrity_algorithm_names, algs->mac);
-               return FALSE;
-       }
-
-       DESTROY_IF(this->crypter_in);
-       DESTROY_IF(this->crypter_out);
        if (algs->encr == ENCR_NULL)
        {
-               this->crypter_in = this->crypter_out = NULL;
+               if (create_null(this, algs))
+               {
+                       return TRUE;
+               }
        }
        else
        {
-               this->crypter_in = lib->crypto->create_crypter(lib->crypto,
-                                                                                               algs->encr, algs->encr_size);
-               this->crypter_out = lib->crypto->create_crypter(lib->crypto,
-                                                                                               algs->encr, algs->encr_size);
-               if (!this->crypter_in || !this->crypter_out)
+               if (create_traditional(this, algs))
                {
-                       DBG1(DBG_TLS, "selected TLS crypter %N not supported",
-                                encryption_algorithm_names, algs->encr);
-                       return FALSE;
+                       return TRUE;
                }
        }
-       return TRUE;
+       destroy_aeads(this);
+       return FALSE;
 }
 
 METHOD(tls_crypto_t, select_cipher_suite, tls_cipher_suite_t,
@@ -1512,93 +1532,63 @@ static bool derive_master(private_tls_crypto_t *this, chunk_t premaster,
 static bool expand_keys(private_tls_crypto_t *this,
                                                chunk_t client_random, chunk_t server_random)
 {
-       chunk_t seed, block, client_write, server_write;
-       int mks, eks = 0, ivs = 0;
+       chunk_t seed, block;
+       chunk_t cw_mac, cw, cw_iv;
+       chunk_t sw_mac, sw, sw_iv;
+       int mklen, eklen, ivlen;
 
-       /* derive key block for key expansion */
-       mks = this->signer_out->get_key_size(this->signer_out);
-       if (this->crypter_out)
+       if (!this->aead_in || !this->aead_out)
        {
-               eks = this->crypter_out->get_key_size(this->crypter_out);
-               if (this->tls->get_version(this->tls) < TLS_1_1)
-               {
-                       ivs = this->crypter_out->get_iv_size(this->crypter_out);
-               }
+               return FALSE;
        }
+
+       /* derive key block for key expansion */
+       mklen = this->aead_in->get_mac_key_size(this->aead_in);
+       eklen = this->aead_in->get_encr_key_size(this->aead_in);
+       ivlen = this->aead_in->get_iv_size(this->aead_in);
        seed = chunk_cata("cc", server_random, client_random);
-       block = chunk_alloca((mks + eks + ivs) * 2);
+       block = chunk_alloca((mklen + eklen + ivlen) * 2);
        if (!this->prf->get_bytes(this->prf, "key expansion", seed,
                                                          block.len, block.ptr))
        {
                return FALSE;
        }
 
-       /* signer keys */
-       client_write = chunk_create(block.ptr, mks);
-       block = chunk_skip(block, mks);
-       server_write = chunk_create(block.ptr, mks);
-       block = chunk_skip(block, mks);
+       /* client/server write signer keys */
+       cw_mac = chunk_create(block.ptr, mklen);
+       block = chunk_skip(block, mklen);
+       sw_mac = chunk_create(block.ptr, mklen);
+       block = chunk_skip(block, mklen);
+
+       /* client/server write encryption keys */
+       cw = chunk_create(block.ptr, eklen);
+       block = chunk_skip(block, eklen);
+       sw = chunk_create(block.ptr, eklen);
+       block = chunk_skip(block, eklen);
+
+       /* client/server write IV; TLS 1.0 implicit IVs or AEAD salt, if any */
+       cw_iv = chunk_create(block.ptr, ivlen);
+       block = chunk_skip(block, ivlen);
+       sw_iv = chunk_create(block.ptr, ivlen);
+       block = chunk_skip(block, ivlen);
+
        if (this->tls->is_server(this->tls))
        {
-               if (!this->signer_in->set_key(this->signer_in, client_write) ||
-                       !this->signer_out->set_key(this->signer_out, server_write))
+               if (!this->aead_in->set_keys(this->aead_in, cw_mac, cw, cw_iv) ||
+                       !this->aead_out->set_keys(this->aead_out, sw_mac, sw, sw_iv))
                {
                        return FALSE;
                }
        }
        else
        {
-               if (!this->signer_out->set_key(this->signer_out, client_write) ||
-                       !this->signer_in->set_key(this->signer_in, server_write))
+               if (!this->aead_out->set_keys(this->aead_out, cw_mac, cw, cw_iv) ||
+                       !this->aead_in->set_keys(this->aead_in, sw_mac, sw, sw_iv))
                {
                        return FALSE;
                }
        }
 
-       /* crypter keys, and IVs if < TLSv1.2 */
-       if (this->crypter_out && this->crypter_in)
-       {
-               client_write = chunk_create(block.ptr, eks);
-               block = chunk_skip(block, eks);
-               server_write = chunk_create(block.ptr, eks);
-               block = chunk_skip(block, eks);
-
-               if (this->tls->is_server(this->tls))
-               {
-                       if (!this->crypter_in->set_key(this->crypter_in, client_write) ||
-                               !this->crypter_out->set_key(this->crypter_out, server_write))
-                       {
-                               return FALSE;
-                       }
-               }
-               else
-               {
-                       if (!this->crypter_out->set_key(this->crypter_out, client_write) ||
-                               !this->crypter_in->set_key(this->crypter_in, server_write))
-                       {
-                               return FALSE;
-                       }
-               }
-               if (ivs)
-               {
-                       client_write = chunk_create(block.ptr, ivs);
-                       block = chunk_skip(block, ivs);
-                       server_write = chunk_create(block.ptr, ivs);
-                       block = chunk_skip(block, ivs);
-
-                       if (this->tls->is_server(this->tls))
-                       {
-                               this->iv_in = chunk_clone(client_write);
-                               this->iv_out = chunk_clone(server_write);
-                       }
-                       else
-                       {
-                               this->iv_out = chunk_clone(client_write);
-                               this->iv_in = chunk_clone(server_write);
-                       }
-               }
-       }
-
        /* EAP-MSK */
        if (this->msk_label)
        {
@@ -1666,13 +1656,11 @@ METHOD(tls_crypto_t, change_cipher, void,
        {
                if (inbound)
                {
-                       this->protection->set_cipher(this->protection, TRUE,
-                                                       this->signer_in, this->crypter_in, this->iv_in);
+                       this->protection->set_cipher(this->protection, TRUE, this->aead_in);
                }
                else
                {
-                       this->protection->set_cipher(this->protection, FALSE,
-                                                       this->signer_out, this->crypter_out, this->iv_out);
+                       this->protection->set_cipher(this->protection, FALSE, this->aead_out);
                }
        }
 }
@@ -1686,12 +1674,7 @@ METHOD(tls_crypto_t, get_eap_msk, chunk_t,
 METHOD(tls_crypto_t, destroy, void,
        private_tls_crypto_t *this)
 {
-       DESTROY_IF(this->signer_in);
-       DESTROY_IF(this->signer_out);
-       DESTROY_IF(this->crypter_in);
-       DESTROY_IF(this->crypter_out);
-       free(this->iv_in.ptr);
-       free(this->iv_out.ptr);
+       destroy_aeads(this);
        free(this->handshake.ptr);
        free(this->msk.ptr);
        DESTROY_IF(this->prf);
index 0d5df18..b016db2 100644 (file)
@@ -45,74 +45,26 @@ struct private_tls_protection_t {
        tls_alert_t *alert;
 
        /**
-        * RNG if we generate IVs ourself
-        */
-       rng_t *rng;
-
-       /**
         * Sequence number of incoming records
         */
-       u_int32_t seq_in;
+       u_int64_t seq_in;
 
        /**
         * Sequence number for outgoing records
         */
-       u_int32_t seq_out;
-
-       /**
-        * Signer instance for inbound traffic
-        */
-       signer_t *signer_in;
-
-       /**
-        * Signer instance for outbound traffic
-        */
-       signer_t *signer_out;
+       u_int64_t seq_out;
 
        /**
-        * Crypter instance for inbound traffic
+        * AEAD transform for inbound traffic
         */
-       crypter_t *crypter_in;
+       tls_aead_t *aead_in;
 
        /**
-        * Crypter instance for outbound traffic
+        * AEAD transform for outbound traffic
         */
-       crypter_t *crypter_out;
-
-       /**
-        * Current IV for input decryption
-        */
-       chunk_t iv_in;
-
-       /**
-        * Current IV for output decryption
-        */
-       chunk_t iv_out;
+       tls_aead_t *aead_out;
 };
 
-/**
- * Create the header and feed it into a signer for MAC verification
- */
-static bool sigheader(signer_t *signer, u_int32_t seq, u_int8_t type,
-                                         u_int16_t version, u_int16_t length)
-{
-       /* we only support 32 bit sequence numbers, but TLS uses 64 bit */
-       struct __attribute__((__packed__)) {
-               u_int32_t seq_high;
-               u_int32_t seq_low;
-               u_int8_t type;
-               u_int16_t version;
-               u_int16_t length;
-       } header = {
-               .type = type,
-       };
-       htoun32(&header.seq_low, seq);
-       htoun16(&header.version, version);
-       htoun16(&header.length, length);
-
-       return signer->get_signature(signer, chunk_from_thing(header), NULL);
-}
-
 METHOD(tls_protection_t, process, status_t,
        private_tls_protection_t *this, tls_content_type_t type, chunk_t data)
 {
@@ -121,75 +73,12 @@ METHOD(tls_protection_t, process, status_t,
                return NEED_MORE;
        }
 
-       if (this->crypter_in)
-       {
-               chunk_t iv, next_iv = chunk_empty;
-               u_int8_t bs, padding_length;
-
-               bs = this->crypter_in->get_block_size(this->crypter_in);
-               if (this->iv_in.len)
-               {       /* < TLSv1.1 uses IV from key derivation/last block */
-                       if (data.len < bs || data.len % bs)
-                       {
-                               DBG1(DBG_TLS, "encrypted TLS record length invalid");
-                               this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-                               return NEED_MORE;
-                       }
-                       iv = this->iv_in;
-                       next_iv = chunk_clone(chunk_create(data.ptr + data.len - bs, bs));
-               }
-               else
-               {       /* TLSv1.1 uses random IVs, prepended to record */
-                       iv.len = this->crypter_in->get_iv_size(this->crypter_in);
-                       iv = chunk_create(data.ptr, iv.len);
-                       data = chunk_skip(data, iv.len);
-                       if (data.len < bs || data.len % bs)
-                       {
-                               DBG1(DBG_TLS, "encrypted TLS record length invalid");
-                               this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-                               return NEED_MORE;
-                       }
-               }
-               if (!this->crypter_in->decrypt(this->crypter_in, data, iv, NULL))
-               {
-                       free(next_iv.ptr);
-                       this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-                       return NEED_MORE;
-               }
-
-               if (next_iv.len)
-               {       /* next record IV is last ciphertext block of this record */
-                       memcpy(this->iv_in.ptr, next_iv.ptr, next_iv.len);
-                       free(next_iv.ptr);
-               }
-
-               padding_length = data.ptr[data.len - 1];
-               if (padding_length < data.len)
-               {       /* remove padding if it looks valid. Continue with no padding, try
-                        * to prevent timing attacks. */
-                       data.len -= padding_length + 1;
-               }
-       }
-       if (this->signer_in)
+       if (this->aead_in)
        {
-               chunk_t mac;
-               u_int8_t bs;
-
-               bs = this->signer_in->get_block_size(this->signer_in);
-               if (data.len < bs)
+               if (!this->aead_in->decrypt(this->aead_in, this->version,
+                                                                       type, this->seq_in, &data))
                {
-                       DBG1(DBG_TLS, "TLS record too short to verify MAC");
-                       this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
-                       return NEED_MORE;
-               }
-               mac = chunk_skip(data, data.len - bs);
-               data.len -= bs;
-
-               if (!sigheader(this->signer_in, this->seq_in, type,
-                                          this->version, data.len) ||
-                       !this->signer_in->verify_signature(this->signer_in, data, mac))
-               {
-                       DBG1(DBG_TLS, "TLS record MAC verification failed");
+                       DBG1(DBG_TLS, "TLS record decryption failed");
                        this->alert->add(this->alert, TLS_FATAL, TLS_BAD_RECORD_MAC);
                        return NEED_MORE;
                }
@@ -220,72 +109,15 @@ METHOD(tls_protection_t, build, status_t,
 
        if (status == NEED_MORE)
        {
-               if (this->signer_out)
+               if (this->aead_out)
                {
-                       chunk_t mac;
-
-                       if (!sigheader(this->signer_out, this->seq_out, *type,
-                                                  this->version, data->len) ||
-                               !this->signer_out->allocate_signature(this->signer_out,
-                                                  *data, &mac))
+                       if (!this->aead_out->encrypt(this->aead_out, this->version,
+                                                                                *type, this->seq_out, data))
                        {
+                               DBG1(DBG_TLS, "TLS record encryption failed");
+                               chunk_free(data);
                                return FAILED;
                        }
-                       if (this->crypter_out)
-                       {
-                               chunk_t padding, iv;
-                               u_int8_t bs, padding_length;
-
-                               bs = this->crypter_out->get_block_size(this->crypter_out);
-                               padding_length = bs - ((data->len + mac.len + 1) % bs);
-
-                               padding = chunk_alloca(padding_length);
-                               memset(padding.ptr, padding_length, padding.len);
-
-                               if (this->iv_out.len)
-                               {       /* < TLSv1.1 uses IV from key derivation/last block */
-                                       iv = this->iv_out;
-                               }
-                               else
-                               {       /* TLSv1.1 uses random IVs, prepended to record */
-                                       iv.len = this->crypter_out->get_iv_size(this->crypter_out);
-                                       if (!this->rng ||
-                                               !this->rng->allocate_bytes(this->rng, iv.len, &iv))
-                                       {
-                                               DBG1(DBG_TLS, "failed to generate TLS IV");
-                                               free(data->ptr);
-                                               return FAILED;
-                                       }
-                               }
-
-                               *data = chunk_cat("mmcc", *data, mac, padding,
-                                                                 chunk_from_thing(padding_length));
-                               /* encrypt inline */
-                               if (!this->crypter_out->encrypt(this->crypter_out, *data,
-                                                                                               iv, NULL))
-                               {
-                                       if (!this->iv_out.len)
-                                       {
-                                               free(iv.ptr);
-                                       }
-                                       free(data->ptr);
-                                       return FAILED;
-                               }
-
-                               if (this->iv_out.len)
-                               {       /* next record IV is last ciphertext block of this record */
-                                       memcpy(this->iv_out.ptr, data->ptr + data->len -
-                                                  this->iv_out.len, this->iv_out.len);
-                               }
-                               else
-                               {       /* prepend IV */
-                                       *data = chunk_cat("mm", iv, *data);
-                               }
-                       }
-                       else
-                       {       /* NULL encryption */
-                               *data = chunk_cat("mm", *data, mac);
-                       }
                }
                this->seq_out++;
        }
@@ -293,24 +125,15 @@ METHOD(tls_protection_t, build, status_t,
 }
 
 METHOD(tls_protection_t, set_cipher, void,
-       private_tls_protection_t *this, bool inbound, signer_t *signer,
-       crypter_t *crypter, chunk_t iv)
+       private_tls_protection_t *this, bool inbound, tls_aead_t *aead)
 {
        if (inbound)
        {
-               this->signer_in = signer;
-               this->crypter_in = crypter;
-               this->iv_in = iv;
+               this->aead_in = aead;
        }
        else
        {
-               this->signer_out = signer;
-               this->crypter_out = crypter;
-               this->iv_out = iv;
-               if (!iv.len)
-               {       /* generate IVs if none given */
-                       this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-               }
+               this->aead_out = aead;
        }
 }
 
@@ -323,7 +146,6 @@ METHOD(tls_protection_t, set_version, void,
 METHOD(tls_protection_t, destroy, void,
        private_tls_protection_t *this)
 {
-       DESTROY_IF(this->rng);
        free(this);
 }
 
index 05cf3df..3280fb5 100644 (file)
@@ -26,6 +26,7 @@
 typedef struct tls_protection_t tls_protection_t;
 
 #include "tls.h"
+#include "tls_aead.h"
 #include "tls_alert.h"
 #include "tls_compression.h"
 
@@ -62,15 +63,12 @@ struct tls_protection_t {
                                          tls_content_type_t *type, chunk_t *data);
 
        /**
-        * Set a new cipher, including encryption and integrity algorithms.
+        * Set a new transforms to use at protection layer
         *
         * @param inbound       TRUE to use cipher for inbound data, FALSE for outbound
-        * @param signer        new signer to use, gets owned by protection layer
-        * @param crypter       new crypter to use, gets owned by protection layer
-        * @param iv            initial IV for crypter, gets owned by protection layer
+        * @param aead          new AEAD transform
         */
-       void (*set_cipher)(tls_protection_t *this, bool inbound, signer_t *signer,
-                                          crypter_t *crypter, chunk_t iv);
+       void (*set_cipher)(tls_protection_t *this, bool inbound, tls_aead_t *aead);
 
        /**
         * Set the TLS version negotiated, used for MAC calculation.