ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

Implemented a gcm plugin providing GCM mode based on CBC crypters

This commit is contained in:
Martin Willi 2010-08-19 17:58:30 +02:00
parent 026355af42
commit 1a64981048
7 changed files with 586 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
configure.in
View File

@ -149,6 +149,7 @@ ARG_ENABL_SET([agent], [enables the ssh-agent signing plugin.])
ARG_ENABL_SET([pkcs11], [enables the PKCS11 token support plugin.])
ARG_ENABL_SET([ctr], [enables the Counter Mode wrapper crypto plugin.])
ARG_ENABL_SET([ccm], [enables the CCM AEAD wrapper crypto plugin.])
ARG_ENABL_SET([gcm], [enables the GCM AEAD wrapper crypto plugin.])
ARG_ENABL_SET([addrblock], [enables RFC 3779 address block constraint support.])
ARG_ENABL_SET([uci], [enable OpenWRT UCI configuration plugin.])
ARG_ENABL_SET([android], [enable Android specific plugin.])
@ -718,6 +719,7 @@ ADD_PLUGIN([xcbc], [s libcharon])
ADD_PLUGIN([hmac], [s libcharon pluto])
ADD_PLUGIN([ctr], [s libcharon scripts])
ADD_PLUGIN([ccm], [s libcharon scripts])
ADD_PLUGIN([gcm], [s libcharon scripts])
ADD_PLUGIN([xauth], [p pluto])
ADD_PLUGIN([attr], [h libcharon pluto])
ADD_PLUGIN([attr-sql], [h libcharon pluto])
@ -811,6 +813,7 @@ AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue)
AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
dnl charon plugins
dnl ==============
@ -944,6 +947,7 @@ AC_OUTPUT(
src/libstrongswan/plugins/pkcs11/Makefile
src/libstrongswan/plugins/ctr/Makefile
src/libstrongswan/plugins/ccm/Makefile
src/libstrongswan/plugins/gcm/Makefile
src/libstrongswan/plugins/test_vectors/Makefile
src/libhydra/Makefile
src/libhydra/plugins/attr/Makefile

7
src/libstrongswan/Makefile.am
View File

@ -338,6 +338,13 @@ if MONOLITHIC
endif
endif
if USE_GCM
SUBDIRS += plugins/gcm
if MONOLITHIC
libstrongswan_la_LIBADD += plugins/gcm/libstrongswan-gcm.la
endif
endif
if USE_TEST_VECTORS
SUBDIRS += plugins/test_vectors
if MONOLITHIC

16
src/libstrongswan/plugins/gcm/Makefile.am Normal file
View File

@ -0,0 +1,16 @@
INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
if MONOLITHIC
noinst_LTLIBRARIES = libstrongswan-gcm.la
else
plugin_LTLIBRARIES = libstrongswan-gcm.la
endif
libstrongswan_gcm_la_SOURCES = \
gcm_plugin.h gcm_plugin.c \
gcm_aead.h gcm_aead.c
libstrongswan_gcm_la_LDFLAGS = -module -avoid-version

403
src/libstrongswan/plugins/gcm/gcm_aead.c Normal file
View File

@ -0,0 +1,403 @@
/*
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "gcm_aead.h"
#include <debug.h>
#define BLOCK_SIZE 16
#define NONCE_SIZE 12
#define IV_SIZE 8
#define SALT_SIZE (NONCE_SIZE - IV_SIZE)
typedef struct private_gcm_aead_t private_gcm_aead_t;
/**
* Private data of an gcm_aead_t object.
*/
struct private_gcm_aead_t {
/**
* Public gcm_aead_t interface.
*/
gcm_aead_t public;
/**
* Underlying CBC crypter.
*/
crypter_t *crypter;
/**
* Size of the integrity check value
*/
size_t icv_size;
/**
* Salt value
*/
char salt[SALT_SIZE];
/**
* GHASH subkey H
*/
char h[BLOCK_SIZE];
};
/**
* Bitshift a block right by one bit
*/
static void sr_block(u_char *block)
{
int i;
for (i = BLOCK_SIZE - 1; i >= 0; i--)
{
block[i] = block[i] >> 1;
if (i != 0)
{
block[i] |= block[i - 1] << 7;
}
}
}
/**
* Naive implementation of block multiplication in GF128, no tables
*/
static void mult_block(char *x, char *y, char *res)
{
char z[BLOCK_SIZE], v[BLOCK_SIZE], r;
int bit, byte;
r = 0xE1;
memset(z, 0, BLOCK_SIZE);
memcpy(v, y, BLOCK_SIZE);
for (byte = 0; byte < BLOCK_SIZE; byte++)
{
for (bit = 7; bit >= 0; bit--)
{
if (x[byte] & (1 << bit))
{
memxor(z, v, BLOCK_SIZE);
}
if (v[BLOCK_SIZE - 1] & 0x01)
{
sr_block(v);
v[0] ^= r;
}
else
{
sr_block(v);
}
}
}
memcpy(res, z, BLOCK_SIZE);
}
/**
* GHASH function
*/
static void ghash(private_gcm_aead_t *this, chunk_t x, char *res)
{
char y[BLOCK_SIZE];
memset(y, 0, BLOCK_SIZE);
while (x.len)
{
memxor(y, x.ptr, BLOCK_SIZE);
mult_block(y, this->h, y);
x = chunk_skip(x, BLOCK_SIZE);
}
memcpy(res, y, BLOCK_SIZE);
}
/**
* GCTR function, en-/decrypts x inline
*/
static void gctr(private_gcm_aead_t *this, char *icb, chunk_t x)
{
char cb[BLOCK_SIZE], iv[BLOCK_SIZE], tmp[BLOCK_SIZE];
memset(iv, 0, BLOCK_SIZE);
memcpy(cb, icb, BLOCK_SIZE);
while (x.len)
{
memcpy(tmp, cb, BLOCK_SIZE);
this->crypter->encrypt(this->crypter, chunk_from_thing(tmp),
chunk_from_thing(iv), NULL);
memxor(x.ptr, tmp, min(BLOCK_SIZE, x.len));
chunk_increment(chunk_from_thing(cb));
x = chunk_skip(x, BLOCK_SIZE);
}
}
/**
* Generate the block J0
*/
static void create_j(private_gcm_aead_t *this, char *iv, char *j)
{
memcpy(j, this->salt, SALT_SIZE);
memcpy(j + SALT_SIZE, iv, IV_SIZE);
htoun32(j + SALT_SIZE + IV_SIZE, 1);
}
/**
* Create GHASH subkey H
*/
static void create_h(private_gcm_aead_t *this, char *h)
{
char zero[BLOCK_SIZE];
memset(zero, 0, BLOCK_SIZE);
memset(h, 0, BLOCK_SIZE);
this->crypter->encrypt(this->crypter, chunk_create(h, BLOCK_SIZE),
chunk_from_thing(zero), NULL);
}
/**
* Encrypt/decrypt
*/
static void crypt(private_gcm_aead_t *this, char *j, chunk_t in, chunk_t out)
{
char icb[BLOCK_SIZE];
memcpy(icb, j, BLOCK_SIZE);
chunk_increment(chunk_from_thing(icb));
out.len = in.len;
if (in.ptr != out.ptr)
{
memcpy(out.ptr, in.ptr, in.len);
}
gctr(this, icb, out);
}
/**
* Create ICV
*/
static void create_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
char *j, char *icv)
{
size_t assoc_pad, crypt_pad;
chunk_t chunk;
char s[BLOCK_SIZE], *pos;
assoc_pad = (BLOCK_SIZE - (assoc.len % BLOCK_SIZE)) % BLOCK_SIZE;
crypt_pad = (BLOCK_SIZE - (crypt.len % BLOCK_SIZE)) % BLOCK_SIZE;
/* concatenate data to a new chunk */
chunk = chunk_alloc(assoc.len + assoc_pad +
crypt.len + crypt_pad + BLOCK_SIZE);
pos = chunk.ptr;
/* add associated data */
memcpy(pos, assoc.ptr, assoc.len);
pos += assoc.len;
memset(pos, 0, assoc_pad);
pos += assoc_pad;
/* add encrypted data */
memcpy(pos, crypt.ptr, crypt.len);
pos += crypt.len;
memset(pos, 0, crypt_pad);
pos += crypt_pad;
/* write associated len */
memset(pos, 0, 4);
pos += 4;
htoun32(pos, assoc.len * 8);
pos += 4;
/* write encrypted length */
memset(pos, 0, 4);
pos += 4;
htoun32(pos, crypt.len * 8);
pos += 4;
ghash(this, chunk, s);
free(chunk.ptr);
gctr(this, j, chunk_from_thing(s));
memcpy(icv, s, this->icv_size);
}
/**
* Verify the ICV value
*/
static bool verify_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
char *j, char *icv)
{
char tmp[this->icv_size];
create_icv(this, assoc, crypt, j, tmp);
return memeq(tmp, icv, this->icv_size);
}
METHOD(aead_t, encrypt, void,
private_gcm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
chunk_t *encrypted)
{
char j[BLOCK_SIZE];
create_j(this, iv.ptr, j);
if (encrypted)
{
*encrypted = chunk_alloc(plain.len + this->icv_size);
crypt(this, j, plain, *encrypted);
create_icv(this, assoc,
chunk_create(encrypted->ptr, encrypted->len - this->icv_size),
j, encrypted->ptr + encrypted->len - this->icv_size);
}
else
{
crypt(this, j, plain, plain);
create_icv(this, assoc, plain, j, plain.ptr + plain.len);
}
}
METHOD(aead_t, decrypt, bool,
private_gcm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
chunk_t *plain)
{
char j[BLOCK_SIZE];
if (encrypted.len < this->icv_size)
{
return FALSE;
}
create_j(this, iv.ptr, j);
encrypted.len -= this->icv_size;
if (!verify_icv(this, assoc, encrypted, j, encrypted.ptr + encrypted.len))
{
return FALSE;
}
if (plain)
{
*plain = chunk_alloc(encrypted.len);
crypt(this, j, encrypted, *plain);
}
else
{
crypt(this, j, encrypted, encrypted);
}
return TRUE;
}
METHOD(aead_t, get_block_size, size_t,
private_gcm_aead_t *this)
{
return 1;
}
METHOD(aead_t, get_icv_size, size_t,
private_gcm_aead_t *this)
{
return this->icv_size;
}
METHOD(aead_t, get_iv_size, size_t,
private_gcm_aead_t *this)
{
return IV_SIZE;
}
METHOD(aead_t, get_key_size, size_t,
private_gcm_aead_t *this)
{
return this->crypter->get_key_size(this->crypter) + SALT_SIZE;
}
METHOD(aead_t, set_key, void,
private_gcm_aead_t *this, chunk_t key)
{
memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE);
key.len -= SALT_SIZE;
this->crypter->set_key(this->crypter, key);
create_h(this, this->h);
}
METHOD(aead_t, destroy, void,
private_gcm_aead_t *this)
{
this->crypter->destroy(this->crypter);
free(this);
}
/**
* See header
*/
gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size)
{
private_gcm_aead_t *this;
size_t icv_size;
switch (key_size)
{
case 0:
key_size = 16;
break;
case 16:
case 24:
case 32:
break;
default:
return NULL;
}
switch (algo)
{
case ENCR_AES_GCM_ICV8:
algo = ENCR_AES_CBC;
icv_size = 8;
break;
case ENCR_AES_GCM_ICV12:
algo = ENCR_AES_CBC;
icv_size = 12;
break;
case ENCR_AES_GCM_ICV16:
algo = ENCR_AES_CBC;
icv_size = 16;
break;
default:
return NULL;
}
INIT(this,
.public = {
.aead = {
.encrypt = _encrypt,
.decrypt = _decrypt,
.get_block_size = _get_block_size,
.get_icv_size = _get_icv_size,
.get_iv_size = _get_iv_size,
.get_key_size = _get_key_size,
.set_key = _set_key,
.destroy = _destroy,
},
},
.crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
.icv_size = icv_size,
);
if (!this->crypter)
{
free(this);
return NULL;
}
return &this->public;
}

51
src/libstrongswan/plugins/gcm/gcm_aead.h Normal file
View File

@ -0,0 +1,51 @@
/*
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup gcm_aead gcm_aead
* @{ @ingroup gcm
*/
#ifndef GCM_AEAD_H_
#define GCM_AEAD_H_
#include <crypto/aead.h>
typedef struct gcm_aead_t gcm_aead_t;
/**
* Galois/Counter Mode (GCM).
*
* Implements GCM as specified in NIST 800-38D, using AEAD semantics from
* RFC 5282, based on RFC4106.
*/
struct gcm_aead_t {
/**
* Implements aead_t interface.
*/
aead_t aead;
};
/**
* Create a gcm_aead instance.
*
* @param key_size key size in bytes
* @param algo algorithm to implement, a gcm mode
* @return aead, NULL if not supported
*/
gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size);
#endif /** GCM_AEAD_H_ @}*/

63
src/libstrongswan/plugins/gcm/gcm_plugin.c Normal file
View File

@ -0,0 +1,63 @@
/*
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "gcm_plugin.h"
#include <library.h>
#include "gcm_aead.h"
typedef struct private_gcm_plugin_t private_gcm_plugin_t;
/**
* private data of gcm_plugin
*/
struct private_gcm_plugin_t {
/**
* public functions
*/
gcm_plugin_t public;
};
METHOD(plugin_t, destroy, void,
private_gcm_plugin_t *this)
{
lib->crypto->remove_aead(lib->crypto,
(aead_constructor_t)gcm_aead_create);
free(this);
}
/*
* see header file
*/
plugin_t *gcm_plugin_create()
{
private_gcm_plugin_t *this;
INIT(this,
.public.plugin.destroy = _destroy,
);
lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8,
(aead_constructor_t)gcm_aead_create);
lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12,
(aead_constructor_t)gcm_aead_create);
lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16,
(aead_constructor_t)gcm_aead_create);
return &this->public.plugin;
}

42
src/libstrongswan/plugins/gcm/gcm_plugin.h Normal file
View File

@ -0,0 +1,42 @@
/*
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup gcm gcm
* @ingroup plugins
*
* @defgroup gcm_plugin gcm_plugin
* @{ @ingroup gcm
*/
#ifndef GCM_PLUGIN_H_
#define GCM_PLUGIN_H_
#include <plugins/plugin.h>
typedef struct gcm_plugin_t gcm_plugin_t;
/**
* Plugin providing GCM mode operation.
*/
struct gcm_plugin_t {
/**
* Implements plugin interface.
*/
plugin_t plugin;
};
#endif /** GCM_PLUGIN_H_ @}*/