Implemented a ccm plugin providing CCM mode based on CBC crypters

configure.in

@@ -148,6 +148,7 @@ ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
 ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
 ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
 ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
+ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
 ARG_ENABL_SET([android],        [enable Android specific plugin.])
@@ -716,6 +717,7 @@ ADD_PLUGIN([pkcs11],               [s libcharon pki])
 ADD_PLUGIN([xcbc],                 [s libcharon])
 ADD_PLUGIN([hmac],                 [s libcharon pluto])
 ADD_PLUGIN([ctr],                  [s libcharon])
+ADD_PLUGIN([ccm],                  [s libcharon])
 ADD_PLUGIN([xauth],                [p pluto])
 ADD_PLUGIN([attr],                 [h libcharon pluto])
 ADD_PLUGIN([attr-sql],             [h libcharon pluto])
@@ -808,6 +810,7 @@ AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
 AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
 AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue)
 AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
+AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
 
 dnl charon plugins
 dnl ==============
@@ -940,6 +943,7 @@ AC_OUTPUT(
 	src/libstrongswan/plugins/agent/Makefile
 	src/libstrongswan/plugins/pkcs11/Makefile
 	src/libstrongswan/plugins/ctr/Makefile
+	src/libstrongswan/plugins/ccm/Makefile
 	src/libstrongswan/plugins/test_vectors/Makefile
 	src/libhydra/Makefile
 	src/libhydra/plugins/attr/Makefile

src/libstrongswan/Makefile.am

@@ -331,6 +331,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_CCM
+  SUBDIRS += plugins/ccm
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/ccm/libstrongswan-ccm.la
+endif
+endif
+
 if USE_TEST_VECTORS
   SUBDIRS += plugins/test_vectors
 if MONOLITHIC

src/libstrongswan/plugins/ccm/Makefile.am

@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-ccm.la
+else
+plugin_LTLIBRARIES = libstrongswan-ccm.la
+endif
+
+libstrongswan_ccm_la_SOURCES = \
+	ccm_plugin.h ccm_plugin.c \
+	ccm_aead.h ccm_aead.c
+
+libstrongswan_ccm_la_LDFLAGS = -module -avoid-version

src/libstrongswan/plugins/ccm/ccm_aead.c

@@ -0,0 +1,397 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ccm_aead.h"
+
+#define BLOCK_SIZE 16
+#define SALT_SIZE 3
+#define IV_SIZE 8
+#define NONCE_SIZE (SALT_SIZE + IV_SIZE) /* 11 */
+#define Q_SIZE (BLOCK_SIZE - NONCE_SIZE - 1) /* 4 */
+
+typedef struct private_ccm_aead_t private_ccm_aead_t;
+
+/**
+ * Private data of an ccm_aead_t object.
+ */
+struct private_ccm_aead_t {
+
+	/**
+	 * Public ccm_aead_t interface.
+	 */
+	ccm_aead_t public;
+
+	/**
+	 * Underlying CBC crypter.
+	 */
+	crypter_t *crypter;
+
+	/**
+	 * Length of the integrity check value
+	 */
+	size_t icv_size;
+
+	/**
+	 * salt to add to nonce
+	 */
+	u_char salt[SALT_SIZE];
+};
+
+/**
+ * First block with control information
+ */
+typedef struct __attribute__((packed)) {
+	BITFIELD4(u_int8_t,
+		/* size of p length field q, as q-1 */
+		q_len: 3,
+		/* size of our ICV t, as (t-2)/2 */
+		t_len: 3,
+		/* do we have associated data */
+		assoc: 1,
+		reserved: 1,
+	) flags;
+	/* nonce value */
+	struct __attribute__((packed)) {
+		u_char salt[SALT_SIZE];
+		u_char iv[IV_SIZE];
+	} nonce;
+	/* lenght of plain text, q */
+	u_char q[Q_SIZE];
+} b0_t;
+
+/**
+ * Counter block
+ */
+typedef struct __attribute__((packed)) {
+	BITFIELD3(u_int8_t,
+		/* size of p length field q, as q-1 */
+		q_len: 3,
+		zero: 3,
+		reserved: 2,
+	) flags;
+	/* nonce value */
+	struct __attribute__((packed)) {
+		u_char salt[SALT_SIZE];
+		u_char iv[IV_SIZE];
+	} nonce;
+	/* counter value */
+	u_char i[Q_SIZE];
+} ctr_t;
+
+/**
+ * Build the first block B0
+ */
+static void build_b0(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+					 chunk_t iv, char *out)
+{
+	b0_t *block = (b0_t*)out;
+
+	block->flags.reserved = 0;
+	block->flags.assoc = assoc.len ? 1 : 0;
+	block->flags.t_len = (this->icv_size - 2) / 2;
+	block->flags.q_len = Q_SIZE - 1;
+	memcpy(block->nonce.salt, this->salt, SALT_SIZE);
+	memcpy(block->nonce.iv, iv.ptr, IV_SIZE);
+	htoun32(block->q, plain.len);
+}
+
+/**
+ * Build a counter block for counter i
+ */
+static void build_ctr(private_ccm_aead_t *this, u_int32_t i, chunk_t iv,
+					  char *out)
+{
+	ctr_t *ctr = (ctr_t*)out;
+
+	ctr->flags.reserved = 0;
+	ctr->flags.zero = 0;
+	ctr->flags.q_len = Q_SIZE - 1;
+	memcpy(ctr->nonce.salt, this->salt, SALT_SIZE);
+	memcpy(ctr->nonce.iv, iv.ptr, IV_SIZE);
+	htoun32(ctr->i, i);
+}
+
+/**
+ * En-/Decrypt data
+ */
+static void crypt_data(private_ccm_aead_t *this, chunk_t iv,
+					   chunk_t in, chunk_t out)
+{
+	char ctr[BLOCK_SIZE];
+	char zero[BLOCK_SIZE];
+	char block[BLOCK_SIZE];
+
+	build_ctr(this, 1, iv, ctr);
+	memset(zero, 0, BLOCK_SIZE);
+
+	while (in.len > 0)
+	{
+		memcpy(block, ctr, BLOCK_SIZE);
+		this->crypter->encrypt(this->crypter, chunk_from_thing(block),
+							   chunk_from_thing(zero), NULL);
+		chunk_increment(chunk_from_thing(ctr));
+
+		if (in.ptr != out.ptr)
+		{
+			memcpy(out.ptr, in.ptr, min(in.len, BLOCK_SIZE));
+		}
+		memxor(out.ptr, block, min(in.len, BLOCK_SIZE));
+		in = chunk_skip(in, BLOCK_SIZE);
+		out = chunk_skip(out, BLOCK_SIZE);
+	}
+}
+
+/**
+ * En-/Decrypt the ICV
+ */
+static void crypt_icv(private_ccm_aead_t *this, chunk_t iv, char *icv)
+{
+	char ctr[BLOCK_SIZE];
+	char zero[BLOCK_SIZE];
+
+	build_ctr(this, 0, iv, ctr);
+	memset(zero, 0, BLOCK_SIZE);
+
+	this->crypter->encrypt(this->crypter, chunk_from_thing(ctr),
+						   chunk_from_thing(zero), NULL);
+	memxor(icv, ctr, this->icv_size);
+}
+
+/**
+ * Create the ICV
+ */
+static void create_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+					   chunk_t iv, char *icv)
+{
+	char zero[BLOCK_SIZE];
+	chunk_t chunk;
+	char *pos;
+	int r, len;
+
+	memset(zero, 0, BLOCK_SIZE);
+
+	/* calculate number of blocks, including b0 */
+	r = 1;
+	if (assoc.len)
+	{	/* assoc gets a 2 byte length header, gets padded to BLOCK_SIZE */
+		r += (2 + assoc.len + BLOCK_SIZE - 1) / BLOCK_SIZE;
+	}
+	/* plain text gets padded to BLOCK_SIZE */
+	r += (plain.len + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+	/* concatenate data to a new chunk */
+	chunk = chunk_alloc(r * BLOCK_SIZE);
+	/* write control block */
+	build_b0(this, plain, assoc, iv, chunk.ptr);
+	pos = chunk.ptr + BLOCK_SIZE;
+	/* append associated data, with length header */
+	if (assoc.len)
+	{
+		/* currently we support two byte headers only (up to 2^16-2^8 bytes) */
+		htoun16(pos, assoc.len);
+		memcpy(pos + 2, assoc.ptr, assoc.len);
+		pos += 2 + assoc.len;
+		/* padding */
+		len = (BLOCK_SIZE - ((2 + assoc.len) % BLOCK_SIZE)) % BLOCK_SIZE;
+		memset(pos, 0, len);
+		pos += len;
+	}
+	/* write plain data */
+	memcpy(pos, plain.ptr, plain.len);
+	pos += plain.len;
+	/* padding */
+	len = (BLOCK_SIZE - (plain.len % BLOCK_SIZE)) % BLOCK_SIZE;
+
+	memset(pos, 0, len);
+
+	/* encrypt inline with CBC, zero IV */
+	this->crypter->encrypt(this->crypter, chunk, chunk_from_thing(zero), NULL);
+	/* copy last icv_size bytes as ICV to output */
+	memcpy(icv, chunk.ptr + chunk.len - BLOCK_SIZE, this->icv_size);
+
+	/* encrypt the ICV value */
+	crypt_icv(this, iv, icv);
+
+	free(chunk.ptr);
+}
+
+/**
+ * Verify the ICV
+ */
+static bool verify_icv(private_ccm_aead_t *this, chunk_t plain, chunk_t assoc,
+					   chunk_t iv, char *icv)
+{
+	char buf[this->icv_size];
+
+	create_icv(this, plain, assoc, iv, buf);
+
+	return memeq(buf, icv, this->icv_size);
+}
+
+METHOD(aead_t, encrypt, void,
+	private_ccm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+	chunk_t *encrypted)
+{
+	if (encrypted)
+	{
+		*encrypted = chunk_alloc(plain.len + this->icv_size);
+		create_icv(this, plain, assoc, iv, encrypted->ptr + plain.len);
+		crypt_data(this, iv, plain, *encrypted);
+	}
+	else
+	{
+		create_icv(this, plain, assoc, iv, plain.ptr + plain.len);
+		crypt_data(this, iv, plain, plain);
+	}
+}
+
+METHOD(aead_t, decrypt, bool,
+	private_ccm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+	chunk_t *plain)
+{
+	if (encrypted.len < this->icv_size)
+	{
+		return FALSE;
+	}
+	encrypted.len -= this->icv_size;
+	if (plain)
+	{
+		*plain = chunk_alloc(encrypted.len);
+		crypt_data(this, iv, encrypted, *plain);
+		return verify_icv(this, *plain, assoc, iv,
+						  encrypted.ptr + encrypted.len);
+	}
+	else
+	{
+		crypt_data(this, iv, encrypted, encrypted);
+		return verify_icv(this, encrypted, assoc, iv,
+						  encrypted.ptr + encrypted.len);
+	}
+}
+
+METHOD(aead_t, get_block_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return 1;
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return this->icv_size;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return IV_SIZE;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+	private_ccm_aead_t *this)
+{
+	return this->crypter->get_key_size(this->crypter) + SALT_SIZE;
+}
+
+METHOD(aead_t, set_key, void,
+	private_ccm_aead_t *this, chunk_t key)
+{
+	memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE);
+	key.len -= SALT_SIZE;
+	this->crypter->set_key(this->crypter, key);
+}
+
+METHOD(aead_t, destroy, void,
+	private_ccm_aead_t *this)
+{
+	this->crypter->destroy(this->crypter);
+	free(this);
+}
+
+/**
+ * See header
+ */
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size)
+{
+	private_ccm_aead_t *this;
+	size_t icv_size;
+
+	switch (key_size)
+	{
+		case 0:
+			key_size = 16;
+			break;
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return NULL;
+	}
+	switch (algo)
+	{
+		case ENCR_AES_CCM_ICV8:
+			algo = ENCR_AES_CBC;
+			icv_size = 8;
+			break;
+		case ENCR_AES_CCM_ICV12:
+			algo = ENCR_AES_CBC;
+			icv_size = 12;
+			break;
+		case ENCR_AES_CCM_ICV16:
+			algo = ENCR_AES_CBC;
+			icv_size = 16;
+			break;
+		case ENCR_CAMELLIA_CCM_ICV8:
+			algo = ENCR_CAMELLIA_CBC;
+			icv_size = 8;
+			break;
+		case ENCR_CAMELLIA_CCM_ICV12:
+			algo = ENCR_CAMELLIA_CBC;
+			icv_size = 12;
+			break;
+		case ENCR_CAMELLIA_CCM_ICV16:
+			algo = ENCR_CAMELLIA_CBC;
+			icv_size = 16;
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.aead = {
+				.encrypt = _encrypt,
+				.decrypt = _decrypt,
+				.get_block_size = _get_block_size,
+				.get_icv_size = _get_icv_size,
+				.get_iv_size = _get_iv_size,
+				.get_key_size = _get_key_size,
+				.set_key = _set_key,
+				.destroy = _destroy,
+			},
+		},
+		.crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
+		.icv_size = icv_size,
+	);
+
+	if (!this->crypter)
+	{
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}

src/libstrongswan/plugins/ccm/ccm_aead.h

@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ccm_aead ccm_aead
+ * @{ @ingroup ccm
+ */
+
+#ifndef CCM_AEAD_H_
+#define CCM_AEAD_H_
+
+#include <crypto/aead.h>
+
+typedef struct ccm_aead_t ccm_aead_t;
+
+/**
+ * Counter with Cipher Block Chaining-Message Authentication Code (CCM).
+ *
+ * Implements CCM as specified in NIST 800-38B, using AEAD semantics from
+ * RFC 5282, based on RFC4309.
+ */
+struct ccm_aead_t {
+
+	/**
+	 * Implements aead_t interface.
+	 */
+	aead_t aead;
+};
+
+/**
+ * Create a ccm_aead instance.
+ *
+ * @param key_size		key size in bytes
+ * @param algo			algorithm to implement, a CCM mode
+ * @return				aead, NULL if not supported
+ */
+ccm_aead_t *ccm_aead_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /** CCM_AEAD_H_ @}*/

src/libstrongswan/plugins/ccm/ccm_plugin.c

@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ccm_plugin.h"
+
+#include <library.h>
+
+#include "ccm_aead.h"
+
+typedef struct private_ccm_plugin_t private_ccm_plugin_t;
+
+/**
+ * private data of ccm_plugin
+ */
+struct private_ccm_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	ccm_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+	private_ccm_plugin_t *this)
+{
+	lib->crypto->remove_aead(lib->crypto,
+					(aead_constructor_t)ccm_aead_create);
+
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *ccm_plugin_create()
+{
+	private_ccm_plugin_t *this;
+
+	INIT(this,
+		.public.plugin.destroy = _destroy,
+	);
+
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12,
+					(aead_constructor_t)ccm_aead_create);
+	lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16,
+					(aead_constructor_t)ccm_aead_create);
+
+	return &this->public.plugin;
+}

src/libstrongswan/plugins/ccm/ccm_plugin.h

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ccm ccm
+ * @ingroup plugins
+ *
+ * @defgroup ccm_plugin ccm_plugin
+ * @{ @ingroup ccm
+ */
+
+#ifndef CCM_PLUGIN_H_
+#define CCM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct ccm_plugin_t ccm_plugin_t;
+
+/**
+ * Plugin providing CCM mode operation.
+ */
+struct ccm_plugin_t {
+
+	/**
+	 * Implements plugin interface.
+	 */
+	plugin_t plugin;
+};
+
+#endif /** CCM_PLUGIN_H_ @}*/