265 lines
5.6 KiB
C
265 lines
5.6 KiB
C
/*
|
|
* Copyright (C) 2020 Tobias Brunner
|
|
* HSR Hochschule fuer Technik Rapperswil
|
|
*
|
|
* Copyright (C) 2014 Martin Willi
|
|
* Copyright (C) 2014 revosec AG
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License as published by the
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* for more details.
|
|
*/
|
|
|
|
#include "tls_aead.h"
|
|
|
|
#include <bio/bio_writer.h>
|
|
|
|
typedef struct private_tls_aead_t private_tls_aead_t;
|
|
|
|
/**
|
|
* Private data of an tls_aead_t object.
|
|
*/
|
|
struct private_tls_aead_t {
|
|
|
|
/**
|
|
* Public tls_aead_t interface.
|
|
*/
|
|
tls_aead_t public;
|
|
|
|
/**
|
|
* AEAD transform.
|
|
*/
|
|
aead_t *aead;
|
|
|
|
/**
|
|
* IV derived from key material.
|
|
*/
|
|
chunk_t iv;
|
|
|
|
/**
|
|
* Size of the salt that's internally used by the AEAD implementation.
|
|
*/
|
|
size_t salt;
|
|
};
|
|
|
|
/**
|
|
* Additional data for AEAD (record header)
|
|
*/
|
|
typedef struct __attribute__((__packed__)) {
|
|
uint8_t type;
|
|
uint16_t version;
|
|
uint16_t length;
|
|
} sigheader_t;
|
|
|
|
/**
|
|
* Generate the IV from the given sequence number.
|
|
*/
|
|
static bool generate_iv(private_tls_aead_t *this, uint64_t seq, chunk_t iv)
|
|
{
|
|
if (iv.len < sizeof(uint64_t) ||
|
|
iv.len < this->iv.len)
|
|
{
|
|
return FALSE;
|
|
}
|
|
memset(iv.ptr, 0, iv.len);
|
|
htoun64(iv.ptr + iv.len - sizeof(uint64_t), seq);
|
|
memxor(iv.ptr + iv.len - this->iv.len, this->iv.ptr, this->iv.len);
|
|
return TRUE;
|
|
}
|
|
|
|
METHOD(tls_aead_t, encrypt, bool,
|
|
private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
|
|
uint64_t seq, chunk_t *data)
|
|
{
|
|
bio_writer_t *writer;
|
|
chunk_t assoc, encrypted, iv, padding, plain;
|
|
uint8_t icvlen;
|
|
sigheader_t hdr;
|
|
|
|
iv = chunk_alloca(this->aead->get_iv_size(this->aead));
|
|
if (!generate_iv(this, seq, iv))
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
/* no padding for now */
|
|
padding = chunk_empty;
|
|
icvlen = this->aead->get_icv_size(this->aead);
|
|
|
|
writer = bio_writer_create(data->len + 1 + padding.len + icvlen);
|
|
writer->write_data(writer, *data);
|
|
writer->write_uint8(writer, *type);
|
|
writer->write_data(writer, padding);
|
|
writer->skip(writer, icvlen);
|
|
encrypted = writer->extract_buf(writer);
|
|
writer->destroy(writer);
|
|
|
|
plain = encrypted;
|
|
plain.len -= icvlen;
|
|
|
|
hdr.type = TLS_APPLICATION_DATA;
|
|
htoun16(&hdr.version, TLS_1_2);
|
|
htoun16(&hdr.length, encrypted.len);
|
|
|
|
assoc = chunk_from_thing(hdr);
|
|
if (!this->aead->encrypt(this->aead, plain, assoc, iv, NULL))
|
|
{
|
|
chunk_free(&encrypted);
|
|
return FALSE;
|
|
}
|
|
chunk_free(data);
|
|
*type = TLS_APPLICATION_DATA;
|
|
*data = encrypted;
|
|
return TRUE;
|
|
}
|
|
|
|
METHOD(tls_aead_t, decrypt, bool,
|
|
private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
|
|
uint64_t seq, chunk_t *data)
|
|
{
|
|
chunk_t assoc, iv;
|
|
uint8_t icvlen;
|
|
sigheader_t hdr;
|
|
|
|
iv = chunk_alloca(this->aead->get_iv_size(this->aead));
|
|
if (!generate_iv(this, seq, iv))
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
icvlen = this->aead->get_icv_size(this->aead);
|
|
if (data->len < icvlen)
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
hdr.type = TLS_APPLICATION_DATA;
|
|
htoun16(&hdr.version, TLS_1_2);
|
|
htoun16(&hdr.length, data->len);
|
|
|
|
assoc = chunk_from_thing(hdr);
|
|
if (!this->aead->decrypt(this->aead, *data, assoc, iv, NULL))
|
|
{
|
|
return FALSE;
|
|
}
|
|
data->len -= icvlen;
|
|
|
|
while (data->len && !data->ptr[data->len-1])
|
|
{ /* ignore any padding */
|
|
data->len--;
|
|
}
|
|
if (data->len < 1)
|
|
{
|
|
return FALSE;
|
|
}
|
|
*type = data->ptr[data->len-1];
|
|
data->len--;
|
|
return TRUE;
|
|
}
|
|
|
|
METHOD(tls_aead_t, get_mac_key_size, size_t,
|
|
private_tls_aead_t *this)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
METHOD(tls_aead_t, get_encr_key_size, size_t,
|
|
private_tls_aead_t *this)
|
|
{
|
|
/* our AEAD implementations add the salt length here, so subtract it */
|
|
return this->aead->get_key_size(this->aead) - this->salt;
|
|
}
|
|
|
|
METHOD(tls_aead_t, get_iv_size, size_t,
|
|
private_tls_aead_t *this)
|
|
{
|
|
/* analogous to the change above, we add the salt length here */
|
|
return this->aead->get_iv_size(this->aead) + this->salt;
|
|
}
|
|
|
|
METHOD(tls_aead_t, set_keys, bool,
|
|
private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
|
|
{
|
|
chunk_t key, salt;
|
|
bool success;
|
|
|
|
if (mac.len || iv.len < this->salt)
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
/* we have to recombine the keys as our AEAD implementations expect the
|
|
* salt as part of the key */
|
|
chunk_clear(&this->iv);
|
|
chunk_split(iv, "ma", this->salt, &salt, iv.len - this->salt, &this->iv);
|
|
key = chunk_cata("cc", encr, salt);
|
|
success = this->aead->set_key(this->aead, key);
|
|
memwipe(key.ptr, key.len);
|
|
return success;
|
|
}
|
|
|
|
METHOD(tls_aead_t, destroy, void,
|
|
private_tls_aead_t *this)
|
|
{
|
|
this->aead->destroy(this->aead);
|
|
chunk_clear(&this->iv);
|
|
free(this);
|
|
}
|
|
|
|
/*
|
|
* Described in header
|
|
*/
|
|
tls_aead_t *tls_aead_create_seq(encryption_algorithm_t encr, size_t encr_size)
|
|
{
|
|
private_tls_aead_t *this;
|
|
size_t salt;
|
|
|
|
switch (encr)
|
|
{
|
|
case ENCR_AES_GCM_ICV16:
|
|
case ENCR_CHACHA20_POLY1305:
|
|
salt = 4;
|
|
break;
|
|
case ENCR_AES_CCM_ICV8:
|
|
case ENCR_AES_CCM_ICV16:
|
|
salt = 3;
|
|
break;
|
|
default:
|
|
return NULL;
|
|
}
|
|
|
|
INIT(this,
|
|
.public = {
|
|
.encrypt = _encrypt,
|
|
.decrypt = _decrypt,
|
|
.get_mac_key_size = _get_mac_key_size,
|
|
.get_encr_key_size = _get_encr_key_size,
|
|
.get_iv_size = _get_iv_size,
|
|
.set_keys = _set_keys,
|
|
.destroy = _destroy,
|
|
},
|
|
.aead = lib->crypto->create_aead(lib->crypto, encr, encr_size, salt),
|
|
.salt = salt,
|
|
);
|
|
|
|
if (!this->aead)
|
|
{
|
|
free(this);
|
|
return NULL;
|
|
}
|
|
|
|
if (this->aead->get_block_size(this->aead) != 1)
|
|
{ /* TLS does not define any padding scheme for AEAD */
|
|
destroy(this);
|
|
return NULL;
|
|
}
|
|
|
|
return &this->public;
|
|
}
|