/*
* Copyright (C) 2020 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "tls_aead.h"
#include <bio/bio_writer.h>
typedef struct private_tls_aead_t private_tls_aead_t;
/**
* Private data of an tls_aead_t object.
*/
struct private_tls_aead_t {
/**
* Public tls_aead_t interface.
*/
tls_aead_t public;
/**
* AEAD transform.
*/
aead_t *aead;
/**
* IV derived from key material.
*/
chunk_t iv;
/**
* Size of the salt that's internally used by the AEAD implementation.
*/
size_t salt;
};
/**
* Additional data for AEAD (record header)
*/
typedef struct __attribute__((__packed__)) {
uint8_t type;
uint16_t version;
uint16_t length;
} sigheader_t;
/**
* Generate the IV from the given sequence number.
*/
static bool generate_iv(private_tls_aead_t *this, uint64_t seq, chunk_t iv)
{
if (iv.len < sizeof(uint64_t) ||
iv.len < this->iv.len)
{
return FALSE;
}
memset(iv.ptr, 0, iv.len);
htoun64(iv.ptr + iv.len - sizeof(uint64_t), seq);
memxor(iv.ptr + iv.len - this->iv.len, this->iv.ptr, this->iv.len);
return TRUE;
}
METHOD(tls_aead_t, encrypt, bool,
private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
uint64_t seq, chunk_t *data)
{
bio_writer_t *writer;
chunk_t assoc, encrypted, iv, padding, plain;
uint8_t icvlen;
sigheader_t hdr;
iv = chunk_alloca(this->aead->get_iv_size(this->aead));
if (!generate_iv(this, seq, iv))
{
return FALSE;
}
/* no padding for now */
padding = chunk_empty;
icvlen = this->aead->get_icv_size(this->aead);
writer = bio_writer_create(data->len + 1 + padding.len + icvlen);
writer->write_data(writer, *data);
writer->write_uint8(writer, *type);
writer->write_data(writer, padding);
writer->skip(writer, icvlen);
encrypted = writer->extract_buf(writer);
writer->destroy(writer);
plain = encrypted;
plain.len -= icvlen;
hdr.type = TLS_APPLICATION_DATA;
htoun16(&hdr.version, TLS_1_2);
htoun16(&hdr.length, encrypted.len);
assoc = chunk_from_thing(hdr);
if (!this->aead->encrypt(this->aead, plain, assoc, iv, NULL))
{
chunk_free(&encrypted);
return FALSE;
}
chunk_free(data);
*type = TLS_APPLICATION_DATA;
*data = encrypted;
return TRUE;
}
METHOD(tls_aead_t, decrypt, bool,
private_tls_aead_t *this, tls_version_t version, tls_content_type_t *type,
uint64_t seq, chunk_t *data)
{
chunk_t assoc, iv;
uint8_t icvlen;
sigheader_t hdr;
iv = chunk_alloca(this->aead->get_iv_size(this->aead));
if (!generate_iv(this, seq, iv))
{
return FALSE;
}
icvlen = this->aead->get_icv_size(this->aead);
if (data->len < icvlen)
{
return FALSE;
}
hdr.type = TLS_APPLICATION_DATA;
htoun16(&hdr.version, TLS_1_2);
htoun16(&hdr.length, data->len);
assoc = chunk_from_thing(hdr);
if (!this->aead->decrypt(this->aead, *data, assoc, iv, NULL))
{
return FALSE;
}
data->len -= icvlen;
while (data->len && !data->ptr[data->len-1])
{ /* ignore any padding */
data->len--;
}
if (data->len < 1)
{
return FALSE;
}
*type = data->ptr[data->len-1];
data->len--;
return TRUE;
}
METHOD(tls_aead_t, get_mac_key_size, size_t,
private_tls_aead_t *this)
{
return 0;
}
METHOD(tls_aead_t, get_encr_key_size, size_t,
private_tls_aead_t *this)
{
/* our AEAD implementations add the salt length here, so subtract it */
return this->aead->get_key_size(this->aead) - this->salt;
}
METHOD(tls_aead_t, get_iv_size, size_t,
private_tls_aead_t *this)
{
/* analogous to the change above, we add the salt length here */
return this->aead->get_iv_size(this->aead) + this->salt;
}
METHOD(tls_aead_t, set_keys, bool,
private_tls_aead_t *this, chunk_t mac, chunk_t encr, chunk_t iv)
{
chunk_t key, salt;
bool success;
if (mac.len || iv.len < this->salt)
{
return FALSE;
}
/* we have to recombine the keys as our AEAD implementations expect the
* salt as part of the key */
chunk_clear(&this->iv);
chunk_split(iv, "ma", this->salt, &salt, iv.len - this->salt, &this->iv);
key = chunk_cata("cc", encr, salt);
success = this->aead->set_key(this->aead, key);
memwipe(key.ptr, key.len);
return success;
}
METHOD(tls_aead_t, destroy, void,
private_tls_aead_t *this)
{
this->aead->destroy(this->aead);
chunk_clear(&this->iv);
free(this);
}
/*
* Described in header
*/
tls_aead_t *tls_aead_create_seq(encryption_algorithm_t encr, size_t encr_size)
{
private_tls_aead_t *this;
size_t salt;
switch (encr)
{
case ENCR_AES_GCM_ICV16:
case ENCR_CHACHA20_POLY1305:
salt = 4;
break;
case ENCR_AES_CCM_ICV8:
case ENCR_AES_CCM_ICV16:
salt = 3;
break;
default:
return NULL;
}
INIT(this,
.public = {
.encrypt = _encrypt,
.decrypt = _decrypt,
.get_mac_key_size = _get_mac_key_size,
.get_encr_key_size = _get_encr_key_size,
.get_iv_size = _get_iv_size,
.set_keys = _set_keys,
.destroy = _destroy,
},
.aead = lib->crypto->create_aead(lib->crypto, encr, encr_size, salt),
.salt = salt,
);
if (!this->aead)
{
free(this);
return NULL;
}
if (this->aead->get_block_size(this->aead) != 1)
{ /* TLS does not define any padding scheme for AEAD */
destroy(this);
return NULL;
}
return &this->public;
}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to tls_aead_seq.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libtls