Annotation of embedaddon/strongswan/src/libipsec/esp_packet.c, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2012-2013 Tobias Brunner
! 3: * Copyright (C) 2012 Giuliano Grassi
! 4: * Copyright (C) 2012 Ralf Sager
! 5: * HSR Hochschule fuer Technik Rapperswil
! 6: *
! 7: * This program is free software; you can redistribute it and/or modify it
! 8: * under the terms of the GNU General Public License as published by the
! 9: * Free Software Foundation; either version 2 of the License, or (at your
! 10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 11: *
! 12: * This program is distributed in the hope that it will be useful, but
! 13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 15: * for more details.
! 16: */
! 17:
! 18:
! 19: #include "esp_packet.h"
! 20:
! 21: #include <library.h>
! 22: #include <utils/debug.h>
! 23: #include <crypto/crypters/crypter.h>
! 24: #include <crypto/signers/signer.h>
! 25: #include <bio/bio_reader.h>
! 26: #include <bio/bio_writer.h>
! 27:
! 28: #ifndef WIN32
! 29: #include <netinet/in.h>
! 30: #endif
! 31:
! 32: typedef struct private_esp_packet_t private_esp_packet_t;
! 33:
! 34: /**
! 35: * Private additions to esp_packet_t.
! 36: */
! 37: struct private_esp_packet_t {
! 38:
! 39: /**
! 40: * Public members
! 41: */
! 42: esp_packet_t public;
! 43:
! 44: /**
! 45: * Raw ESP packet
! 46: */
! 47: packet_t *packet;
! 48:
! 49: /**
! 50: * Payload of this packet
! 51: */
! 52: ip_packet_t *payload;
! 53:
! 54: /**
! 55: * Next Header info (e.g. IPPROTO_IPIP)
! 56: */
! 57: uint8_t next_header;
! 58:
! 59: };
! 60:
! 61: /**
! 62: * Forward declaration for clone()
! 63: */
! 64: static private_esp_packet_t *esp_packet_create_internal(packet_t *packet);
! 65:
! 66: METHOD(packet_t, set_source, void,
! 67: private_esp_packet_t *this, host_t *src)
! 68: {
! 69: return this->packet->set_source(this->packet, src);
! 70: }
! 71:
! 72: METHOD2(esp_packet_t, packet_t, get_source, host_t*,
! 73: private_esp_packet_t *this)
! 74: {
! 75: return this->packet->get_source(this->packet);
! 76: }
! 77:
! 78: METHOD(packet_t, set_destination, void,
! 79: private_esp_packet_t *this, host_t *dst)
! 80: {
! 81: return this->packet->set_destination(this->packet, dst);
! 82: }
! 83:
! 84: METHOD2(esp_packet_t, packet_t, get_destination, host_t*,
! 85: private_esp_packet_t *this)
! 86: {
! 87: return this->packet->get_destination(this->packet);
! 88: }
! 89:
! 90: METHOD(packet_t, get_data, chunk_t,
! 91: private_esp_packet_t *this)
! 92: {
! 93: return this->packet->get_data(this->packet);
! 94: }
! 95:
! 96: METHOD(packet_t, set_data, void,
! 97: private_esp_packet_t *this, chunk_t data)
! 98: {
! 99: return this->packet->set_data(this->packet, data);
! 100: }
! 101:
! 102: METHOD(packet_t, get_dscp, uint8_t,
! 103: private_esp_packet_t *this)
! 104: {
! 105: return this->packet->get_dscp(this->packet);
! 106: }
! 107:
! 108: METHOD(packet_t, set_dscp, void,
! 109: private_esp_packet_t *this, uint8_t value)
! 110: {
! 111: this->packet->set_dscp(this->packet, value);
! 112: }
! 113:
! 114: METHOD(packet_t, skip_bytes, void,
! 115: private_esp_packet_t *this, size_t bytes)
! 116: {
! 117: return this->packet->skip_bytes(this->packet, bytes);
! 118: }
! 119:
! 120: METHOD(packet_t, clone_, packet_t*,
! 121: private_esp_packet_t *this)
! 122: {
! 123: private_esp_packet_t *pkt;
! 124:
! 125: pkt = esp_packet_create_internal(this->packet->clone(this->packet));
! 126: pkt->payload = this->payload ? this->payload->clone(this->payload) : NULL;
! 127: pkt->next_header = this->next_header;
! 128: return &pkt->public.packet;
! 129: }
! 130:
! 131: METHOD(esp_packet_t, parse_header, bool,
! 132: private_esp_packet_t *this, uint32_t *spi)
! 133: {
! 134: bio_reader_t *reader;
! 135: uint32_t seq;
! 136:
! 137: reader = bio_reader_create(this->packet->get_data(this->packet));
! 138: if (!reader->read_uint32(reader, spi) ||
! 139: !reader->read_uint32(reader, &seq))
! 140: {
! 141: DBG1(DBG_ESP, "failed to parse ESP header: invalid length");
! 142: reader->destroy(reader);
! 143: return FALSE;
! 144: }
! 145: reader->destroy(reader);
! 146:
! 147: DBG2(DBG_ESP, "parsed ESP header with SPI %.8x [seq %u]", *spi, seq);
! 148: *spi = htonl(*spi);
! 149: return TRUE;
! 150: }
! 151:
! 152: /**
! 153: * Check padding as specified in RFC 4303
! 154: */
! 155: static bool check_padding(chunk_t padding)
! 156: {
! 157: size_t i;
! 158:
! 159: for (i = 0; i < padding.len; ++i)
! 160: {
! 161: if (padding.ptr[i] != (uint8_t)(i + 1))
! 162: {
! 163: return FALSE;
! 164: }
! 165: }
! 166: return TRUE;
! 167: }
! 168:
! 169: /**
! 170: * Remove the padding from the payload and set the next header info
! 171: */
! 172: static bool remove_padding(private_esp_packet_t *this, chunk_t plaintext)
! 173: {
! 174: uint8_t next_header, pad_length;
! 175: chunk_t padding, payload;
! 176: bio_reader_t *reader;
! 177:
! 178: reader = bio_reader_create(plaintext);
! 179: if (!reader->read_uint8_end(reader, &next_header) ||
! 180: !reader->read_uint8_end(reader, &pad_length))
! 181: {
! 182: DBG1(DBG_ESP, "parsing ESP payload failed: invalid length");
! 183: goto failed;
! 184: }
! 185: if (!reader->read_data_end(reader, pad_length, &padding) ||
! 186: !check_padding(padding))
! 187: {
! 188: DBG1(DBG_ESP, "parsing ESP payload failed: invalid padding");
! 189: goto failed;
! 190: }
! 191: this->payload = ip_packet_create(reader->peek(reader));
! 192: reader->destroy(reader);
! 193: if (!this->payload)
! 194: {
! 195: DBG1(DBG_ESP, "parsing ESP payload failed: unsupported payload");
! 196: return FALSE;
! 197: }
! 198: this->next_header = next_header;
! 199: payload = this->payload->get_encoding(this->payload);
! 200:
! 201: DBG3(DBG_ESP, "ESP payload:\n payload %B\n padding %B\n "
! 202: "padding length = %hhu, next header = %hhu", &payload, &padding,
! 203: pad_length, this->next_header);
! 204: return TRUE;
! 205:
! 206: failed:
! 207: reader->destroy(reader);
! 208: chunk_free(&plaintext);
! 209: return FALSE;
! 210: }
! 211:
! 212: METHOD(esp_packet_t, decrypt, status_t,
! 213: private_esp_packet_t *this, esp_context_t *esp_context)
! 214: {
! 215: bio_reader_t *reader;
! 216: uint32_t spi, seq;
! 217: chunk_t data, iv, icv, aad, ciphertext, plaintext;
! 218: aead_t *aead;
! 219:
! 220: DESTROY_IF(this->payload);
! 221: this->payload = NULL;
! 222:
! 223: data = this->packet->get_data(this->packet);
! 224: aead = esp_context->get_aead(esp_context);
! 225:
! 226: reader = bio_reader_create(data);
! 227: if (!reader->read_uint32(reader, &spi) ||
! 228: !reader->read_uint32(reader, &seq) ||
! 229: !reader->read_data(reader, aead->get_iv_size(aead), &iv) ||
! 230: !reader->read_data_end(reader, aead->get_icv_size(aead), &icv) ||
! 231: reader->remaining(reader) % aead->get_block_size(aead))
! 232: {
! 233: DBG1(DBG_ESP, "ESP decryption failed: invalid length");
! 234: return PARSE_ERROR;
! 235: }
! 236: ciphertext = reader->peek(reader);
! 237: reader->destroy(reader);
! 238:
! 239: if (!esp_context->verify_seqno(esp_context, seq))
! 240: {
! 241: DBG1(DBG_ESP, "ESP sequence number verification failed:\n "
! 242: "src %H, dst %H, SPI %.8x [seq %u]",
! 243: get_source(this), get_destination(this), spi, seq);
! 244: return VERIFY_ERROR;
! 245: }
! 246: DBG3(DBG_ESP, "ESP decryption:\n SPI %.8x [seq %u]\n IV %B\n "
! 247: "encrypted %B\n ICV %B", spi, seq, &iv, &ciphertext, &icv);
! 248:
! 249: /* include ICV in ciphertext for decryption/verification */
! 250: ciphertext.len += icv.len;
! 251: /* aad = spi + seq */
! 252: aad = chunk_create(data.ptr, 8);
! 253:
! 254: if (!aead->decrypt(aead, ciphertext, aad, iv, &plaintext))
! 255: {
! 256: DBG1(DBG_ESP, "ESP decryption or ICV verification failed");
! 257: return FAILED;
! 258: }
! 259: esp_context->set_authenticated_seqno(esp_context, seq);
! 260:
! 261: if (!remove_padding(this, plaintext))
! 262: {
! 263: return PARSE_ERROR;
! 264: }
! 265: return SUCCESS;
! 266: }
! 267:
! 268: /**
! 269: * Generate the padding as specified in RFC4303
! 270: */
! 271: static void generate_padding(chunk_t padding)
! 272: {
! 273: size_t i;
! 274:
! 275: for (i = 0; i < padding.len; ++i)
! 276: {
! 277: padding.ptr[i] = (uint8_t)(i + 1);
! 278: }
! 279: }
! 280:
! 281: METHOD(esp_packet_t, encrypt, status_t,
! 282: private_esp_packet_t *this, esp_context_t *esp_context, uint32_t spi)
! 283: {
! 284: chunk_t iv, icv, aad, padding, payload, ciphertext;
! 285: bio_writer_t *writer;
! 286: uint32_t next_seqno;
! 287: size_t blocksize, plainlen;
! 288: aead_t *aead;
! 289: iv_gen_t *iv_gen;
! 290:
! 291: this->packet->set_data(this->packet, chunk_empty);
! 292:
! 293: if (!esp_context->next_seqno(esp_context, &next_seqno))
! 294: {
! 295: DBG1(DBG_ESP, "ESP encapsulation failed: sequence numbers cycled");
! 296: return FAILED;
! 297: }
! 298:
! 299: aead = esp_context->get_aead(esp_context);
! 300: iv_gen = aead->get_iv_gen(aead);
! 301: if (!iv_gen)
! 302: {
! 303: DBG1(DBG_ESP, "ESP encryption failed: no IV generator");
! 304: return NOT_FOUND;
! 305: }
! 306:
! 307: blocksize = aead->get_block_size(aead);
! 308: iv.len = aead->get_iv_size(aead);
! 309: icv.len = aead->get_icv_size(aead);
! 310:
! 311: /* plaintext = payload, padding, pad_length, next_header */
! 312: payload = this->payload ? this->payload->get_encoding(this->payload)
! 313: : chunk_empty;
! 314: plainlen = payload.len + 2;
! 315: padding.len = pad_len(plainlen, blocksize);
! 316: /* ICV must be on a 4-byte boundary */
! 317: padding.len += pad_len(iv.len + plainlen + padding.len, 4);
! 318: plainlen += padding.len;
! 319:
! 320: /* len = spi, seq, IV, plaintext, ICV */
! 321: writer = bio_writer_create(2 * sizeof(uint32_t) + iv.len + plainlen +
! 322: icv.len);
! 323: writer->write_uint32(writer, ntohl(spi));
! 324: writer->write_uint32(writer, next_seqno);
! 325:
! 326: iv = writer->skip(writer, iv.len);
! 327: if (!iv_gen->get_iv(iv_gen, next_seqno, iv.len, iv.ptr))
! 328: {
! 329: DBG1(DBG_ESP, "ESP encryption failed: could not generate IV");
! 330: writer->destroy(writer);
! 331: return FAILED;
! 332: }
! 333:
! 334: /* plain-/ciphertext will start here */
! 335: ciphertext = writer->get_buf(writer);
! 336: ciphertext.ptr += ciphertext.len;
! 337: ciphertext.len = plainlen;
! 338:
! 339: writer->write_data(writer, payload);
! 340:
! 341: padding = writer->skip(writer, padding.len);
! 342: generate_padding(padding);
! 343:
! 344: writer->write_uint8(writer, padding.len);
! 345: writer->write_uint8(writer, this->next_header);
! 346:
! 347: /* aad = spi + seq */
! 348: aad = writer->get_buf(writer);
! 349: aad.len = 8;
! 350: icv = writer->skip(writer, icv.len);
! 351:
! 352: DBG3(DBG_ESP, "ESP before encryption:\n payload = %B\n padding = %B\n "
! 353: "padding length = %hhu, next header = %hhu", &payload, &padding,
! 354: (uint8_t)padding.len, this->next_header);
! 355:
! 356: /* encrypt/authenticate the content inline */
! 357: if (!aead->encrypt(aead, ciphertext, aad, iv, NULL))
! 358: {
! 359: DBG1(DBG_ESP, "ESP encryption or ICV generation failed");
! 360: writer->destroy(writer);
! 361: return FAILED;
! 362: }
! 363:
! 364: DBG3(DBG_ESP, "ESP packet:\n SPI %.8x [seq %u]\n IV %B\n "
! 365: "encrypted %B\n ICV %B", ntohl(spi), next_seqno, &iv,
! 366: &ciphertext, &icv);
! 367:
! 368: this->packet->set_data(this->packet, writer->extract_buf(writer));
! 369: writer->destroy(writer);
! 370: return SUCCESS;
! 371: }
! 372:
! 373: METHOD(esp_packet_t, get_next_header, uint8_t,
! 374: private_esp_packet_t *this)
! 375: {
! 376: return this->next_header;
! 377: }
! 378:
! 379: METHOD(esp_packet_t, get_payload, ip_packet_t*,
! 380: private_esp_packet_t *this)
! 381: {
! 382: return this->payload;
! 383: }
! 384:
! 385: METHOD(esp_packet_t, extract_payload, ip_packet_t*,
! 386: private_esp_packet_t *this)
! 387: {
! 388: ip_packet_t *payload;
! 389:
! 390: payload = this->payload;
! 391: this->payload = NULL;
! 392: return payload;
! 393: }
! 394:
! 395: METHOD2(esp_packet_t, packet_t, destroy, void,
! 396: private_esp_packet_t *this)
! 397: {
! 398: DESTROY_IF(this->payload);
! 399: this->packet->destroy(this->packet);
! 400: free(this);
! 401: }
! 402:
! 403: static private_esp_packet_t *esp_packet_create_internal(packet_t *packet)
! 404: {
! 405: private_esp_packet_t *this;
! 406:
! 407: INIT(this,
! 408: .public = {
! 409: .packet = {
! 410: .set_source = _set_source,
! 411: .get_source = _get_source,
! 412: .set_destination = _set_destination,
! 413: .get_destination = _get_destination,
! 414: .get_data = _get_data,
! 415: .set_data = _set_data,
! 416: .get_dscp = _get_dscp,
! 417: .set_dscp = _set_dscp,
! 418: .skip_bytes = _skip_bytes,
! 419: .clone = _clone_,
! 420: .destroy = _destroy,
! 421: },
! 422: .get_source = _get_source,
! 423: .get_destination = _get_destination,
! 424: .get_next_header = _get_next_header,
! 425: .parse_header = _parse_header,
! 426: .decrypt = _decrypt,
! 427: .encrypt = _encrypt,
! 428: .get_payload = _get_payload,
! 429: .extract_payload = _extract_payload,
! 430: .destroy = _destroy,
! 431: },
! 432: .packet = packet,
! 433: .next_header = IPPROTO_NONE,
! 434: );
! 435: return this;
! 436: }
! 437:
! 438: /**
! 439: * Described in header.
! 440: */
! 441: esp_packet_t *esp_packet_create_from_packet(packet_t *packet)
! 442: {
! 443: private_esp_packet_t *this;
! 444:
! 445: this = esp_packet_create_internal(packet);
! 446:
! 447: return &this->public;
! 448: }
! 449:
! 450: /**
! 451: * Described in header.
! 452: */
! 453: esp_packet_t *esp_packet_create_from_payload(host_t *src, host_t *dst,
! 454: ip_packet_t *payload)
! 455: {
! 456: private_esp_packet_t *this;
! 457: packet_t *packet;
! 458:
! 459: packet = packet_create_from_data(src, dst, chunk_empty);
! 460: this = esp_packet_create_internal(packet);
! 461: this->payload = payload;
! 462: if (payload)
! 463: {
! 464: this->next_header = payload->get_version(payload) == 4 ? IPPROTO_IPIP
! 465: : IPPROTO_IPV6;
! 466: }
! 467: else
! 468: {
! 469: this->next_header = IPPROTO_NONE;
! 470: }
! 471: return &this->public;
! 472: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to esp_packet.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libipsec