tls: Implement the TLS AEAD abstraction for real AEAD modes
authorMartin Willi <martin@revosec.ch>
Mon, 3 Feb 2014 17:03:41 +0000 (18:03 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 13:56:12 +0000 (15:56 +0200)
src/libtls/Makefile.am
src/libtls/tls_aead.c [new file with mode: 0644]
src/libtls/tls_aead.h
src/libtls/tls_crypto.c

index 403a686..e5e3b8b 100644 (file)
@@ -8,7 +8,7 @@ ipseclib_LTLIBRARIES = libtls.la
 libtls_la_SOURCES = \
        tls_protection.c tls_compression.c tls_fragmentation.c tls_alert.c \
        tls_crypto.c tls_prf.c tls_socket.c tls_eap.c tls_cache.c tls_peer.c \
-       tls_aead_expl.c tls_aead_impl.c tls_aead_null.c \
+       tls_aead_expl.c tls_aead_impl.c tls_aead_null.c tls_aead.c \
        tls_server.c tls.c
 
 libtls_la_LIBADD = \
diff --git a/src/libtls/tls_aead.c b/src/libtls/tls_aead.c
new file mode 100644 (file)
index 0000000..be44cc0
--- /dev/null
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tls_aead.h"
+
+#include <crypto/iv/iv_gen_rand.h>
+
+typedef struct private_tls_aead_t private_tls_aead_t;
+
+/**
+ * Private data of an tls_aead_t object.
+ */
+struct private_tls_aead_t {
+
+       /**
+        * Public tls_aead_t interface.
+        */
+       tls_aead_t public;
+
+       /**
+        * AEAD transform
+        */
+       aead_t *aead;
+
+       /**
+        * Size of salt, the implicit nonce
+        */
+       size_t salt;
+};
+
+/**
+ * Associated header data to create signature over
+ */
+typedef struct __attribute__((__packed__)) {
+       u_int64_t seq;
+       u_int8_t type;
+       u_int16_t version;
+       u_int16_t length;
+} sigheader_t;
+
+METHOD(tls_aead_t, encrypt, bool,
+       private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+       u_int64_t seq, chunk_t *data)
+{
+       chunk_t assoc, encrypted, iv, plain;
+       u_int8_t icvlen;
+       sigheader_t hdr;
+       iv_gen_t *gen;
+
+       gen = this->aead->get_iv_gen(this->aead);
+       iv.len = this->aead->get_iv_size(this->aead);
+       icvlen = this->aead->get_icv_size(this->aead);
+
+       encrypted = chunk_alloc(iv.len + data->len + icvlen);
+       iv.ptr = encrypted.ptr;
+       if (!gen->get_iv(gen, seq, iv.len, iv.ptr))
+       {
+               chunk_free(&encrypted);
+               return FALSE;
+       }
+       memcpy(encrypted.ptr + iv.len, data->ptr, data->len);
+       plain = chunk_skip(encrypted, iv.len);
+       plain.len -= icvlen;
+
+       hdr.type = type;
+       htoun64(&hdr.seq, seq);
+       htoun16(&hdr.version, version);
+       htoun16(&hdr.length, plain.len);
+
+       assoc = chunk_from_thing(hdr);
+       if (!this->aead->encrypt(this->aead, plain, assoc, iv, NULL))
+       {
+               return FALSE;
+       }
+       chunk_free(data);
+       *data = encrypted;
+       return TRUE;
+}
+
+METHOD(tls_aead_t, decrypt, bool,
+       private_tls_aead_t *this, tls_version_t version, tls_content_type_t type,
+       u_int64_t seq, chunk_t *data)
+{
+       chunk_t assoc, iv;
+       u_int8_t icvlen;
+       sigheader_t hdr;
+
+       iv.len = this->aead->get_iv_size(this->aead);
+       if (data->len < iv.len)
+       {
+               return FALSE;
+       }
+       iv.ptr = data->ptr;
+       *data = chunk_skip(*data, iv.len);
+       icvlen = this->aead->get_icv_size(this->aead);
+       if (data->len < icvlen)
+       {
+               return FALSE;
+       }
+
+       hdr.type = type;
+       htoun64(&hdr.seq, seq);
+       htoun16(&hdr.version, version);
+       htoun16(&hdr.length, data->len - icvlen);
+
+       assoc = chunk_from_thing(hdr);
+       if (!this->aead->decrypt(this->aead, *data, assoc, iv, NULL))
+       {
+               return FALSE;
+       }
+       data->len -= icvlen;
+       return TRUE;
+}
+
+METHOD(tls_aead_t, get_mac_key_size, size_t,
+       private_tls_aead_t *this)
+{
+       return 0;
+}
+
+METHOD(tls_aead_t, get_encr_key_size, size_t,
+       private_tls_aead_t *this)
+{
+       return this->aead->get_key_size(this->aead) - this->salt;
+}
+
+METHOD(tls_aead_t, get_iv_size, size_t,
+       private_tls_aead_t *this)
+{
+       return this->salt;
+}
+
+METHOD(tls_aead_t, set_keys, bool,
+       private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
+{
+       chunk_t key;
+
+       if (mac.len)
+       {
+               return FALSE;
+       }
+       key = chunk_cata("cc", encr, iv);
+       return this->aead->set_key(this->aead, key);
+}
+
+METHOD(tls_aead_t, destroy, void,
+       private_tls_aead_t *this)
+{
+       this->aead->destroy(this->aead);
+       free(this);
+}
+
+/**
+ * See header
+ */
+tls_aead_t *tls_aead_create_aead(encryption_algorithm_t encr, size_t encr_size)
+{
+       private_tls_aead_t *this;
+       size_t salt;
+
+       switch (encr)
+       {
+               case ENCR_AES_GCM_ICV8:
+               case ENCR_AES_GCM_ICV12:
+               case ENCR_AES_GCM_ICV16:
+               case ENCR_AES_CCM_ICV8:
+               case ENCR_AES_CCM_ICV12:
+               case ENCR_AES_CCM_ICV16:
+               case ENCR_CAMELLIA_CCM_ICV8:
+               case ENCR_CAMELLIA_CCM_ICV12:
+               case ENCR_CAMELLIA_CCM_ICV16:
+                       salt = 4;
+                       break;
+               default:
+                       return NULL;
+       }
+
+       INIT(this,
+               .public = {
+                       .encrypt = _encrypt,
+                       .decrypt = _decrypt,
+                       .get_iv_size = _get_iv_size,
+                       .get_mac_key_size = _get_mac_key_size,
+                       .get_encr_key_size = _get_encr_key_size,
+                       .get_iv_size = _get_iv_size,
+                       .set_keys = _set_keys,
+                       .destroy = _destroy,
+               },
+               .aead = lib->crypto->create_aead(lib->crypto, encr, encr_size, salt),
+               .salt = salt,
+       );
+
+       if (!this->aead)
+       {
+               free(this);
+               return NULL;
+       }
+
+       if (this->aead->get_block_size(this->aead) != 1)
+       {       /* TLS does not define any padding scheme for AEAD */
+               destroy(this);
+               return NULL;
+       }
+
+       return &this->public;
+}
index 48b16cc..1d5ba92 100644 (file)
@@ -144,4 +144,13 @@ tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac,
  */
 tls_aead_t *tls_aead_create_null(integrity_algorithm_t mac);
 
+/**
+ * Create a tls_aead instance using real a AEAD cipher.
+ *
+ * @param encr                 AEAD encryption algorithm
+ * @param encr_size            encryption key size, in bytes
+ * @return                             TLS AEAD transform
+ */
+tls_aead_t *tls_aead_create_aead(encryption_algorithm_t encr, size_t encr_size);
+
 #endif /** TLS_AEAD_H_ @}*/
index 03d19fa..82b4b4c 100644 (file)
@@ -607,7 +607,7 @@ static suite_algs_t *find_suite(tls_cipher_suite_t suite)
 /**
  * Filter a suite list using a transform enumerator
  */
-static void filter_suite(private_tls_crypto_t *this,
+static void filter_suite(private_tls_crypto_t *this, bool aead,
                                                 suite_algs_t suites[], int *count, int offset,
                                                 enumerator_t*(*create_enumerator)(crypto_factory_t*))
 {
@@ -625,8 +625,10 @@ static void filter_suite(private_tls_crypto_t *this,
                while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
                {
                        if ((suites[i].encr == ENCR_NULL ||
+                                aead != encryption_algorithm_is_aead(suites[i].encr) ||
                                 !current.encr || current.encr == suites[i].encr) &&
-                               (!current.mac  || current.mac  == suites[i].mac) &&
+                               (suites[i].mac == AUTH_UNDEFINED ||
+                                !current.mac  || current.mac  == suites[i].mac) &&
                                (!current.prf  || current.prf  == suites[i].prf) &&
                                (!current.hash || current.hash == suites[i].hash) &&
                                (suites[i].dh == MODP_NONE ||
@@ -912,15 +914,17 @@ static void build_cipher_suite_list(private_tls_crypto_t *this,
        }
 
        /* filter suite list by each algorithm */
-       filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
+       filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, encr),
                                 lib->crypto->create_crypter_enumerator);
-       filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
+       filter_suite(this, TRUE, suites, &count, offsetof(suite_algs_t, encr),
+                                lib->crypto->create_aead_enumerator);
+       filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, mac),
                                 lib->crypto->create_signer_enumerator);
-       filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
+       filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, prf),
                                 lib->crypto->create_prf_enumerator);
-       filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
+       filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, hash),
                                 lib->crypto->create_hasher_enumerator);
-       filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
+       filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, dh),
                                 lib->crypto->create_dh_enumerator);
 
        /* filter suites with strongswan.conf options */
@@ -994,6 +998,22 @@ static bool create_traditional(private_tls_crypto_t *this, suite_algs_t *algs)
 }
 
 /**
+ * Create AEAD transforms
+ */
+static bool create_aead(private_tls_crypto_t *this, suite_algs_t *algs)
+{
+       this->aead_in = tls_aead_create_aead(algs->encr, algs->encr_size);
+       this->aead_out = tls_aead_create_aead(algs->encr, algs->encr_size);
+       if (!this->aead_in || !this->aead_out)
+       {
+               DBG1(DBG_TLS, "selected TLS transforms %N-%u not supported",
+                        encryption_algorithm_names, algs->encr, algs->encr_size * 8);
+               return FALSE;
+       }
+       return TRUE;
+}
+
+/**
  * Clean up and unset AEAD transforms
  */
 static void destroy_aeads(private_tls_crypto_t *this)
@@ -1030,6 +1050,13 @@ static bool create_ciphers(private_tls_crypto_t *this, suite_algs_t *algs)
                        return TRUE;
                }
        }
+       else if (encryption_algorithm_is_aead(algs->encr))
+       {
+               if (create_aead(this, algs))
+               {
+                       return TRUE;
+               }
+       }
        else
        {
                if (create_traditional(this, algs))