Merge branch 'openssl-chapoly'

Adds support for ChaCha20-Poly1305 via OpenSSL.

Fixes #2946.

src/libstrongswan/plugins/openssl/Makefile.am

@@ -29,7 +29,7 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_pkcs12.c openssl_pkcs12.h \
 	openssl_rng.c openssl_rng.h \
 	openssl_hmac.c openssl_hmac.h \
-	openssl_gcm.c openssl_gcm.h \
+	openssl_aead.c openssl_aead.h \
 	openssl_x_diffie_hellman.c openssl_x_diffie_hellman.h \
 	openssl_ed_private_key.c openssl_ed_private_key.h \
 	openssl_ed_public_key.c openssl_ed_public_key.h

src/libstrongswan/plugins/openssl/openssl_aead.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2013-2019 Tobias Brunner
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -17,11 +17,18 @@
 
 #if OPENSSL_VERSION_NUMBER >= 0x1000100fL
 
-#include "openssl_gcm.h"
+#include "openssl_aead.h"
 
 #include <openssl/evp.h>
 #include <crypto/iv/iv_gen_seq.h>
 
+/* the generic AEAD identifiers were added with 1.1.0 */
+#ifndef EVP_CTRL_AEAD_SET_IVLEN
+#define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
+#define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
+#define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
+#endif
+
 /** as defined in RFC 4106 */
 #define IV_LEN		8
 #define SALT_LEN	4
@@ -82,12 +89,12 @@ static bool crypt(private_aead_t *this, chunk_t data, chunk_t assoc, chunk_t iv,
 	ctx = EVP_CIPHER_CTX_new();
 	EVP_CIPHER_CTX_set_padding(ctx, 0);
 	if (!EVP_CipherInit_ex(ctx, this->cipher, NULL, NULL, NULL, enc) ||
-		!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, NONCE_LEN, NULL) ||
+		!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, NONCE_LEN, NULL) ||
 		!EVP_CipherInit_ex(ctx, NULL, NULL, this->key.ptr, nonce, enc))
 	{
 		goto done;
 	}
-	if (!enc && !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, this->icv_size,
+	if (!enc && !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, this->icv_size,
 									 data.ptr + data.len))
 	{	/* set ICV for verification on decryption */
 		goto done;
@@ -101,7 +108,7 @@ static bool crypt(private_aead_t *this, chunk_t data, chunk_t assoc, chunk_t iv,
 	{	/* EVP_CipherFinal_ex fails if ICV is incorrect on decryption */
 		goto done;
 	}
-	if (enc && !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, this->icv_size,
+	if (enc && !EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, this->icv_size,
 									out + data.len))
 	{	/* copy back the ICV when encrypting */
 		goto done;
@@ -202,8 +209,8 @@ METHOD(aead_t, destroy, void,
 /*
  * Described in header
  */
-aead_t *openssl_gcm_create(encryption_algorithm_t algo,
-						   size_t key_size, size_t salt_size)
+aead_t *openssl_aead_create(encryption_algorithm_t algo,
+							size_t key_size, size_t salt_size)
 {
 	private_aead_t *this;
 
@@ -232,6 +239,9 @@ aead_t *openssl_gcm_create(encryption_algorithm_t algo,
 		case ENCR_AES_GCM_ICV16:
 			this->icv_size = 16;
 			break;
+		case ENCR_CHACHA20_POLY1305:
+			this->icv_size = 16;
+			break;
 		default:
 			free(this);
 			return NULL;
@@ -268,6 +278,22 @@ aead_t *openssl_gcm_create(encryption_algorithm_t algo,
 					return NULL;
 			}
 			break;
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(OPENSSL_NO_CHACHA)
+		case ENCR_CHACHA20_POLY1305:
+			switch (key_size)
+			{
+				case 0:
+					key_size = 32;
+					/* FALL */
+				case 32:
+					this->cipher = EVP_chacha20_poly1305();
+					break;
+				default:
+					free(this);
+					return NULL;
+			}
+			break;
+#endif /* OPENSSL_NO_CHACHA */
 		default:
 			free(this);
 			return NULL;

src/libstrongswan/plugins/openssl/openssl_aead.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2013-2019 Tobias Brunner
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -14,14 +14,14 @@
  */
 
 /**
- * Implements the aead_t interface using OpenSSL in GCM mode.
+ * Implements the aead_t interface using OpenSSL.
  *
- * @defgroup openssl_gcm openssl_gcm
+ * @defgroup openssl_aead openssl_aead
  * @{ @ingroup openssl_p
  */
 
-#ifndef OPENSSL_GCM_H_
-#define OPENSSL_GCM_H_
+#ifndef OPENSSL_AEAD_H_
+#define OPENSSL_AEAD_H_
 
 #include <crypto/aead.h>
 
@@ -33,7 +33,7 @@
  * @param salt_size		size of implicit salt length
  * @return				aead_t object, NULL if not supported
  */
-aead_t *openssl_gcm_create(encryption_algorithm_t algo, size_t key_size,
+aead_t *openssl_aead_create(encryption_algorithm_t algo, size_t key_size,
 							size_t salt_size);
 
-#endif /** OPENSSL_GCM_H_ @}*/
+#endif /** OPENSSL_AEAD_H_ @}*/

src/libstrongswan/plugins/openssl/openssl_plugin.c

@@ -46,7 +46,7 @@
 #include "openssl_pkcs12.h"
 #include "openssl_rng.h"
 #include "openssl_hmac.h"
-#include "openssl_gcm.h"
+#include "openssl_aead.h"
 #include "openssl_x_diffie_hellman.h"
 #include "openssl_ed_public_key.h"
 #include "openssl_ed_private_key.h"
@@ -580,10 +580,11 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
 #endif
 #endif /* OPENSSL_NO_HMAC */
-#if OPENSSL_VERSION_NUMBER >= 0x1000100fL
+#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_AES)) || \
+	(OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(OPENSSL_NO_CHACHA))
+		/* AEAD (AES GCM since 1.0.1, ChaCha20-Poly1305 since 1.1.0) */
+		PLUGIN_REGISTER(AEAD, openssl_aead_create),
 #ifndef OPENSSL_NO_AES
-		/* AES GCM */
-		PLUGIN_REGISTER(AEAD, openssl_gcm_create),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
@@ -594,6 +595,9 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8,  24),
 			PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8,  32),
 #endif /* OPENSSL_NO_AES */
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(OPENSSL_NO_CHACHA)
+			PLUGIN_PROVIDE(AEAD, ENCR_CHACHA20_POLY1305, 32),
+#endif /* OPENSSL_NO_CHACHA */
 #endif /* OPENSSL_VERSION_NUMBER */
 #ifndef OPENSSL_NO_ECDH
 		/* EC DH groups */