From 1a64981048088383621fe9c282d8ac981b766026 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 19 Aug 2010 17:58:30 +0200 Subject: [PATCH] Implemented a gcm plugin providing GCM mode based on CBC crypters --- configure.in | 4 + src/libstrongswan/Makefile.am | 7 + src/libstrongswan/plugins/gcm/Makefile.am | 16 + src/libstrongswan/plugins/gcm/gcm_aead.c | 403 +++++++++++++++++++++ src/libstrongswan/plugins/gcm/gcm_aead.h | 51 +++ src/libstrongswan/plugins/gcm/gcm_plugin.c | 63 ++++ src/libstrongswan/plugins/gcm/gcm_plugin.h | 42 +++ 7 files changed, 586 insertions(+) create mode 100644 src/libstrongswan/plugins/gcm/Makefile.am create mode 100644 src/libstrongswan/plugins/gcm/gcm_aead.c create mode 100644 src/libstrongswan/plugins/gcm/gcm_aead.h create mode 100644 src/libstrongswan/plugins/gcm/gcm_plugin.c create mode 100644 src/libstrongswan/plugins/gcm/gcm_plugin.h diff --git a/configure.in b/configure.in index e97cea765..3d05410d9 100644 --- a/configure.in +++ b/configure.in @@ -149,6 +149,7 @@ ARG_ENABL_SET([agent], [enables the ssh-agent signing plugin.]) ARG_ENABL_SET([pkcs11], [enables the PKCS11 token support plugin.]) ARG_ENABL_SET([ctr], [enables the Counter Mode wrapper crypto plugin.]) ARG_ENABL_SET([ccm], [enables the CCM AEAD wrapper crypto plugin.]) +ARG_ENABL_SET([gcm], [enables the GCM AEAD wrapper crypto plugin.]) ARG_ENABL_SET([addrblock], [enables RFC 3779 address block constraint support.]) ARG_ENABL_SET([uci], [enable OpenWRT UCI configuration plugin.]) ARG_ENABL_SET([android], [enable Android specific plugin.]) @@ -718,6 +719,7 @@ ADD_PLUGIN([xcbc], [s libcharon]) ADD_PLUGIN([hmac], [s libcharon pluto]) ADD_PLUGIN([ctr], [s libcharon scripts]) ADD_PLUGIN([ccm], [s libcharon scripts]) +ADD_PLUGIN([gcm], [s libcharon scripts]) ADD_PLUGIN([xauth], [p pluto]) ADD_PLUGIN([attr], [h libcharon pluto]) ADD_PLUGIN([attr-sql], [h libcharon pluto]) @@ -811,6 +813,7 @@ AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue) AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue) AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue) AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue) +AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue) dnl charon plugins dnl ============== @@ -944,6 +947,7 @@ AC_OUTPUT( src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile + src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 3b7436b3d..237550bf1 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -338,6 +338,13 @@ if MONOLITHIC endif endif +if USE_GCM + SUBDIRS += plugins/gcm +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/gcm/libstrongswan-gcm.la +endif +endif + if USE_TEST_VECTORS SUBDIRS += plugins/test_vectors if MONOLITHIC diff --git a/src/libstrongswan/plugins/gcm/Makefile.am b/src/libstrongswan/plugins/gcm/Makefile.am new file mode 100644 index 000000000..ec733fbcc --- /dev/null +++ b/src/libstrongswan/plugins/gcm/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-gcm.la +else +plugin_LTLIBRARIES = libstrongswan-gcm.la +endif + +libstrongswan_gcm_la_SOURCES = \ + gcm_plugin.h gcm_plugin.c \ + gcm_aead.h gcm_aead.c + +libstrongswan_gcm_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c new file mode 100644 index 000000000..7c0a2ba23 --- /dev/null +++ b/src/libstrongswan/plugins/gcm/gcm_aead.c @@ -0,0 +1,403 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "gcm_aead.h" + +#include + +#define BLOCK_SIZE 16 +#define NONCE_SIZE 12 +#define IV_SIZE 8 +#define SALT_SIZE (NONCE_SIZE - IV_SIZE) + +typedef struct private_gcm_aead_t private_gcm_aead_t; + +/** + * Private data of an gcm_aead_t object. + */ +struct private_gcm_aead_t { + + /** + * Public gcm_aead_t interface. + */ + gcm_aead_t public; + + /** + * Underlying CBC crypter. + */ + crypter_t *crypter; + + /** + * Size of the integrity check value + */ + size_t icv_size; + + /** + * Salt value + */ + char salt[SALT_SIZE]; + + /** + * GHASH subkey H + */ + char h[BLOCK_SIZE]; +}; + +/** + * Bitshift a block right by one bit + */ +static void sr_block(u_char *block) +{ + int i; + + for (i = BLOCK_SIZE - 1; i >= 0; i--) + { + block[i] = block[i] >> 1; + if (i != 0) + { + block[i] |= block[i - 1] << 7; + } + } +} + +/** + * Naive implementation of block multiplication in GF128, no tables + */ +static void mult_block(char *x, char *y, char *res) +{ + char z[BLOCK_SIZE], v[BLOCK_SIZE], r; + int bit, byte; + + r = 0xE1; + memset(z, 0, BLOCK_SIZE); + memcpy(v, y, BLOCK_SIZE); + + for (byte = 0; byte < BLOCK_SIZE; byte++) + { + for (bit = 7; bit >= 0; bit--) + { + if (x[byte] & (1 << bit)) + { + memxor(z, v, BLOCK_SIZE); + } + if (v[BLOCK_SIZE - 1] & 0x01) + { + sr_block(v); + v[0] ^= r; + } + else + { + sr_block(v); + } + } + } + memcpy(res, z, BLOCK_SIZE); +} + +/** + * GHASH function + */ +static void ghash(private_gcm_aead_t *this, chunk_t x, char *res) +{ + char y[BLOCK_SIZE]; + + memset(y, 0, BLOCK_SIZE); + + while (x.len) + { + memxor(y, x.ptr, BLOCK_SIZE); + mult_block(y, this->h, y); + x = chunk_skip(x, BLOCK_SIZE); + } + memcpy(res, y, BLOCK_SIZE); +} + +/** + * GCTR function, en-/decrypts x inline + */ +static void gctr(private_gcm_aead_t *this, char *icb, chunk_t x) +{ + char cb[BLOCK_SIZE], iv[BLOCK_SIZE], tmp[BLOCK_SIZE]; + + memset(iv, 0, BLOCK_SIZE); + memcpy(cb, icb, BLOCK_SIZE); + + while (x.len) + { + memcpy(tmp, cb, BLOCK_SIZE); + this->crypter->encrypt(this->crypter, chunk_from_thing(tmp), + chunk_from_thing(iv), NULL); + memxor(x.ptr, tmp, min(BLOCK_SIZE, x.len)); + chunk_increment(chunk_from_thing(cb)); + x = chunk_skip(x, BLOCK_SIZE); + } +} + +/** + * Generate the block J0 + */ +static void create_j(private_gcm_aead_t *this, char *iv, char *j) +{ + memcpy(j, this->salt, SALT_SIZE); + memcpy(j + SALT_SIZE, iv, IV_SIZE); + htoun32(j + SALT_SIZE + IV_SIZE, 1); +} + +/** + * Create GHASH subkey H + */ +static void create_h(private_gcm_aead_t *this, char *h) +{ + char zero[BLOCK_SIZE]; + + memset(zero, 0, BLOCK_SIZE); + memset(h, 0, BLOCK_SIZE); + + this->crypter->encrypt(this->crypter, chunk_create(h, BLOCK_SIZE), + chunk_from_thing(zero), NULL); +} + +/** + * Encrypt/decrypt + */ +static void crypt(private_gcm_aead_t *this, char *j, chunk_t in, chunk_t out) +{ + char icb[BLOCK_SIZE]; + + memcpy(icb, j, BLOCK_SIZE); + chunk_increment(chunk_from_thing(icb)); + + out.len = in.len; + if (in.ptr != out.ptr) + { + memcpy(out.ptr, in.ptr, in.len); + } + gctr(this, icb, out); +} + +/** + * Create ICV + */ +static void create_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt, + char *j, char *icv) +{ + size_t assoc_pad, crypt_pad; + chunk_t chunk; + char s[BLOCK_SIZE], *pos; + + assoc_pad = (BLOCK_SIZE - (assoc.len % BLOCK_SIZE)) % BLOCK_SIZE; + crypt_pad = (BLOCK_SIZE - (crypt.len % BLOCK_SIZE)) % BLOCK_SIZE; + + /* concatenate data to a new chunk */ + chunk = chunk_alloc(assoc.len + assoc_pad + + crypt.len + crypt_pad + BLOCK_SIZE); + pos = chunk.ptr; + /* add associated data */ + memcpy(pos, assoc.ptr, assoc.len); + pos += assoc.len; + memset(pos, 0, assoc_pad); + pos += assoc_pad; + /* add encrypted data */ + memcpy(pos, crypt.ptr, crypt.len); + pos += crypt.len; + memset(pos, 0, crypt_pad); + pos += crypt_pad; + /* write associated len */ + memset(pos, 0, 4); + pos += 4; + htoun32(pos, assoc.len * 8); + pos += 4; + /* write encrypted length */ + memset(pos, 0, 4); + pos += 4; + htoun32(pos, crypt.len * 8); + pos += 4; + + ghash(this, chunk, s); + free(chunk.ptr); + gctr(this, j, chunk_from_thing(s)); + + memcpy(icv, s, this->icv_size); +} + +/** + * Verify the ICV value + */ +static bool verify_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt, + char *j, char *icv) +{ + char tmp[this->icv_size]; + + create_icv(this, assoc, crypt, j, tmp); + + return memeq(tmp, icv, this->icv_size); +} + +METHOD(aead_t, encrypt, void, + private_gcm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv, + chunk_t *encrypted) +{ + char j[BLOCK_SIZE]; + + create_j(this, iv.ptr, j); + + if (encrypted) + { + *encrypted = chunk_alloc(plain.len + this->icv_size); + crypt(this, j, plain, *encrypted); + create_icv(this, assoc, + chunk_create(encrypted->ptr, encrypted->len - this->icv_size), + j, encrypted->ptr + encrypted->len - this->icv_size); + } + else + { + crypt(this, j, plain, plain); + create_icv(this, assoc, plain, j, plain.ptr + plain.len); + } +} + +METHOD(aead_t, decrypt, bool, + private_gcm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv, + chunk_t *plain) +{ + char j[BLOCK_SIZE]; + + if (encrypted.len < this->icv_size) + { + return FALSE; + } + + create_j(this, iv.ptr, j); + + encrypted.len -= this->icv_size; + if (!verify_icv(this, assoc, encrypted, j, encrypted.ptr + encrypted.len)) + { + return FALSE; + } + if (plain) + { + *plain = chunk_alloc(encrypted.len); + crypt(this, j, encrypted, *plain); + } + else + { + crypt(this, j, encrypted, encrypted); + } + return TRUE; +} + +METHOD(aead_t, get_block_size, size_t, + private_gcm_aead_t *this) +{ + return 1; +} + +METHOD(aead_t, get_icv_size, size_t, + private_gcm_aead_t *this) +{ + return this->icv_size; +} + +METHOD(aead_t, get_iv_size, size_t, + private_gcm_aead_t *this) +{ + return IV_SIZE; +} + +METHOD(aead_t, get_key_size, size_t, + private_gcm_aead_t *this) +{ + return this->crypter->get_key_size(this->crypter) + SALT_SIZE; +} + +METHOD(aead_t, set_key, void, + private_gcm_aead_t *this, chunk_t key) +{ + memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE); + key.len -= SALT_SIZE; + this->crypter->set_key(this->crypter, key); + create_h(this, this->h); +} + +METHOD(aead_t, destroy, void, + private_gcm_aead_t *this) +{ + this->crypter->destroy(this->crypter); + free(this); +} + +/** + * See header + */ +gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size) +{ + private_gcm_aead_t *this; + size_t icv_size; + + switch (key_size) + { + case 0: + key_size = 16; + break; + case 16: + case 24: + case 32: + break; + default: + return NULL; + } + switch (algo) + { + case ENCR_AES_GCM_ICV8: + algo = ENCR_AES_CBC; + icv_size = 8; + break; + case ENCR_AES_GCM_ICV12: + algo = ENCR_AES_CBC; + icv_size = 12; + break; + case ENCR_AES_GCM_ICV16: + algo = ENCR_AES_CBC; + icv_size = 16; + break; + default: + return NULL; + } + + INIT(this, + .public = { + .aead = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_icv_size = _get_icv_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size), + .icv_size = icv_size, + ); + + if (!this->crypter) + { + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h new file mode 100644 index 000000000..db4be2442 --- /dev/null +++ b/src/libstrongswan/plugins/gcm/gcm_aead.h @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup gcm_aead gcm_aead + * @{ @ingroup gcm + */ + +#ifndef GCM_AEAD_H_ +#define GCM_AEAD_H_ + +#include + +typedef struct gcm_aead_t gcm_aead_t; + +/** + * Galois/Counter Mode (GCM). + * + * Implements GCM as specified in NIST 800-38D, using AEAD semantics from + * RFC 5282, based on RFC4106. + */ +struct gcm_aead_t { + + /** + * Implements aead_t interface. + */ + aead_t aead; +}; + +/** + * Create a gcm_aead instance. + * + * @param key_size key size in bytes + * @param algo algorithm to implement, a gcm mode + * @return aead, NULL if not supported + */ +gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size); + +#endif /** GCM_AEAD_H_ @}*/ diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.c b/src/libstrongswan/plugins/gcm/gcm_plugin.c new file mode 100644 index 000000000..061001b30 --- /dev/null +++ b/src/libstrongswan/plugins/gcm/gcm_plugin.c @@ -0,0 +1,63 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "gcm_plugin.h" + +#include + +#include "gcm_aead.h" + +typedef struct private_gcm_plugin_t private_gcm_plugin_t; + +/** + * private data of gcm_plugin + */ +struct private_gcm_plugin_t { + + /** + * public functions + */ + gcm_plugin_t public; +}; + +METHOD(plugin_t, destroy, void, + private_gcm_plugin_t *this) +{ + lib->crypto->remove_aead(lib->crypto, + (aead_constructor_t)gcm_aead_create); + + free(this); +} + +/* + * see header file + */ +plugin_t *gcm_plugin_create() +{ + private_gcm_plugin_t *this; + + INIT(this, + .public.plugin.destroy = _destroy, + ); + + lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8, + (aead_constructor_t)gcm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12, + (aead_constructor_t)gcm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16, + (aead_constructor_t)gcm_aead_create); + + return &this->public.plugin; +} diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.h b/src/libstrongswan/plugins/gcm/gcm_plugin.h new file mode 100644 index 000000000..52676708e --- /dev/null +++ b/src/libstrongswan/plugins/gcm/gcm_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup gcm gcm + * @ingroup plugins + * + * @defgroup gcm_plugin gcm_plugin + * @{ @ingroup gcm + */ + +#ifndef GCM_PLUGIN_H_ +#define GCM_PLUGIN_H_ + +#include + +typedef struct gcm_plugin_t gcm_plugin_t; + +/** + * Plugin providing GCM mode operation. + */ +struct gcm_plugin_t { + + /** + * Implements plugin interface. + */ + plugin_t plugin; +}; + +#endif /** GCM_PLUGIN_H_ @}*/