Implemented a gcm plugin providing GCM mode based on CBC crypters
authorMartin Willi <martin@revosec.ch>
Thu, 19 Aug 2010 15:58:30 +0000 (17:58 +0200)
committerMartin Willi <martin@revosec.ch>
Thu, 19 Aug 2010 17:05:15 +0000 (19:05 +0200)
configure.in
src/libstrongswan/Makefile.am
src/libstrongswan/plugins/gcm/Makefile.am [new file with mode: 0644]
src/libstrongswan/plugins/gcm/gcm_aead.c [new file with mode: 0644]
src/libstrongswan/plugins/gcm/gcm_aead.h [new file with mode: 0644]
src/libstrongswan/plugins/gcm/gcm_plugin.c [new file with mode: 0644]
src/libstrongswan/plugins/gcm/gcm_plugin.h [new file with mode: 0644]

index e97cea7..3d05410 100644 (file)
@@ -149,6 +149,7 @@ ARG_ENABL_SET([agent],          [enables the ssh-agent signing plugin.])
 ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
 ARG_ENABL_SET([ctr],            [enables the Counter Mode wrapper crypto plugin.])
 ARG_ENABL_SET([ccm],            [enables the CCM AEAD wrapper crypto plugin.])
+ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([addrblock],      [enables RFC 3779 address block constraint support.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
 ARG_ENABL_SET([android],        [enable Android specific plugin.])
@@ -718,6 +719,7 @@ ADD_PLUGIN([xcbc],                 [s libcharon])
 ADD_PLUGIN([hmac],                 [s libcharon pluto])
 ADD_PLUGIN([ctr],                  [s libcharon scripts])
 ADD_PLUGIN([ccm],                  [s libcharon scripts])
+ADD_PLUGIN([gcm],                  [s libcharon scripts])
 ADD_PLUGIN([xauth],                [p pluto])
 ADD_PLUGIN([attr],                 [h libcharon pluto])
 ADD_PLUGIN([attr-sql],             [h libcharon pluto])
@@ -811,6 +813,7 @@ AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
 AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue)
 AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
 AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
+AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
 
 dnl charon plugins
 dnl ==============
@@ -944,6 +947,7 @@ AC_OUTPUT(
        src/libstrongswan/plugins/pkcs11/Makefile
        src/libstrongswan/plugins/ctr/Makefile
        src/libstrongswan/plugins/ccm/Makefile
+       src/libstrongswan/plugins/gcm/Makefile
        src/libstrongswan/plugins/test_vectors/Makefile
        src/libhydra/Makefile
        src/libhydra/plugins/attr/Makefile
index 3b7436b..237550b 100644 (file)
@@ -338,6 +338,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_GCM
+  SUBDIRS += plugins/gcm
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/gcm/libstrongswan-gcm.la
+endif
+endif
+
 if USE_TEST_VECTORS
   SUBDIRS += plugins/test_vectors
 if MONOLITHIC
diff --git a/src/libstrongswan/plugins/gcm/Makefile.am b/src/libstrongswan/plugins/gcm/Makefile.am
new file mode 100644 (file)
index 0000000..ec733fb
--- /dev/null
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-gcm.la
+else
+plugin_LTLIBRARIES = libstrongswan-gcm.la
+endif
+
+libstrongswan_gcm_la_SOURCES = \
+       gcm_plugin.h gcm_plugin.c \
+       gcm_aead.h gcm_aead.c
+
+libstrongswan_gcm_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.c b/src/libstrongswan/plugins/gcm/gcm_aead.c
new file mode 100644 (file)
index 0000000..7c0a2ba
--- /dev/null
@@ -0,0 +1,403 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "gcm_aead.h"
+
+#include <debug.h>
+
+#define BLOCK_SIZE 16
+#define NONCE_SIZE 12
+#define IV_SIZE 8
+#define SALT_SIZE (NONCE_SIZE - IV_SIZE)
+
+typedef struct private_gcm_aead_t private_gcm_aead_t;
+
+/**
+ * Private data of an gcm_aead_t object.
+ */
+struct private_gcm_aead_t {
+
+       /**
+        * Public gcm_aead_t interface.
+        */
+       gcm_aead_t public;
+
+       /**
+        * Underlying CBC crypter.
+        */
+       crypter_t *crypter;
+
+       /**
+        * Size of the integrity check value
+        */
+       size_t icv_size;
+
+       /**
+        * Salt value
+        */
+       char salt[SALT_SIZE];
+
+       /**
+        * GHASH subkey H
+        */
+       char h[BLOCK_SIZE];
+};
+
+/**
+ * Bitshift a block right by one bit
+ */
+static void sr_block(u_char *block)
+{
+       int i;
+
+       for (i = BLOCK_SIZE - 1; i >= 0; i--)
+       {
+               block[i] = block[i] >> 1;
+               if (i != 0)
+               {
+                       block[i] |= block[i - 1] << 7;
+               }
+       }
+}
+
+/**
+ * Naive implementation of block multiplication in GF128, no tables
+ */
+static void mult_block(char *x, char *y, char *res)
+{
+       char z[BLOCK_SIZE], v[BLOCK_SIZE], r;
+       int bit, byte;
+
+       r = 0xE1;
+       memset(z, 0, BLOCK_SIZE);
+       memcpy(v, y, BLOCK_SIZE);
+
+       for (byte = 0; byte < BLOCK_SIZE; byte++)
+       {
+               for (bit = 7; bit >= 0; bit--)
+               {
+                       if (x[byte] & (1 << bit))
+                       {
+                               memxor(z, v, BLOCK_SIZE);
+                       }
+                       if (v[BLOCK_SIZE - 1] & 0x01)
+                       {
+                               sr_block(v);
+                               v[0] ^= r;
+                       }
+                       else
+                       {
+                               sr_block(v);
+                       }
+               }
+       }
+       memcpy(res, z, BLOCK_SIZE);
+}
+
+/**
+ * GHASH function
+ */
+static void ghash(private_gcm_aead_t *this, chunk_t x, char *res)
+{
+       char y[BLOCK_SIZE];
+
+       memset(y, 0, BLOCK_SIZE);
+
+       while (x.len)
+       {
+               memxor(y, x.ptr, BLOCK_SIZE);
+               mult_block(y, this->h, y);
+               x = chunk_skip(x, BLOCK_SIZE);
+       }
+       memcpy(res, y, BLOCK_SIZE);
+}
+
+/**
+ * GCTR function, en-/decrypts x inline
+ */
+static void gctr(private_gcm_aead_t *this, char *icb, chunk_t x)
+{
+       char cb[BLOCK_SIZE], iv[BLOCK_SIZE], tmp[BLOCK_SIZE];
+
+       memset(iv, 0, BLOCK_SIZE);
+       memcpy(cb, icb, BLOCK_SIZE);
+
+       while (x.len)
+       {
+               memcpy(tmp, cb, BLOCK_SIZE);
+               this->crypter->encrypt(this->crypter, chunk_from_thing(tmp),
+                                                          chunk_from_thing(iv), NULL);
+               memxor(x.ptr, tmp, min(BLOCK_SIZE, x.len));
+               chunk_increment(chunk_from_thing(cb));
+               x = chunk_skip(x, BLOCK_SIZE);
+       }
+}
+
+/**
+ * Generate the block J0
+ */
+static void create_j(private_gcm_aead_t *this, char *iv, char *j)
+{
+       memcpy(j, this->salt, SALT_SIZE);
+       memcpy(j + SALT_SIZE, iv, IV_SIZE);
+       htoun32(j + SALT_SIZE + IV_SIZE, 1);
+}
+
+/**
+ * Create GHASH subkey H
+ */
+static void create_h(private_gcm_aead_t *this, char *h)
+{
+       char zero[BLOCK_SIZE];
+
+       memset(zero, 0, BLOCK_SIZE);
+       memset(h, 0, BLOCK_SIZE);
+
+       this->crypter->encrypt(this->crypter, chunk_create(h, BLOCK_SIZE),
+                                                  chunk_from_thing(zero), NULL);
+}
+
+/**
+ * Encrypt/decrypt
+ */
+static void crypt(private_gcm_aead_t *this, char *j, chunk_t in, chunk_t out)
+{
+       char icb[BLOCK_SIZE];
+
+       memcpy(icb, j, BLOCK_SIZE);
+       chunk_increment(chunk_from_thing(icb));
+
+       out.len = in.len;
+       if (in.ptr != out.ptr)
+       {
+               memcpy(out.ptr, in.ptr, in.len);
+       }
+       gctr(this, icb, out);
+}
+
+/**
+ * Create ICV
+ */
+static void create_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
+                                          char *j, char *icv)
+{
+       size_t assoc_pad, crypt_pad;
+       chunk_t chunk;
+       char s[BLOCK_SIZE], *pos;
+
+       assoc_pad = (BLOCK_SIZE - (assoc.len % BLOCK_SIZE)) % BLOCK_SIZE;
+       crypt_pad = (BLOCK_SIZE - (crypt.len % BLOCK_SIZE)) % BLOCK_SIZE;
+
+       /* concatenate data to a new chunk */
+       chunk = chunk_alloc(assoc.len + assoc_pad +
+                                               crypt.len + crypt_pad + BLOCK_SIZE);
+       pos = chunk.ptr;
+       /* add associated data */
+       memcpy(pos, assoc.ptr, assoc.len);
+       pos += assoc.len;
+       memset(pos, 0, assoc_pad);
+       pos += assoc_pad;
+       /* add encrypted data */
+       memcpy(pos, crypt.ptr, crypt.len);
+       pos += crypt.len;
+       memset(pos, 0, crypt_pad);
+       pos += crypt_pad;
+       /* write associated len */
+       memset(pos, 0, 4);
+       pos += 4;
+       htoun32(pos, assoc.len * 8);
+       pos += 4;
+       /* write encrypted length */
+       memset(pos, 0, 4);
+       pos += 4;
+       htoun32(pos, crypt.len * 8);
+       pos += 4;
+
+       ghash(this, chunk, s);
+       free(chunk.ptr);
+       gctr(this, j, chunk_from_thing(s));
+
+       memcpy(icv, s, this->icv_size);
+}
+
+/**
+ * Verify the ICV value
+ */
+static bool verify_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
+                                          char *j, char *icv)
+{
+       char tmp[this->icv_size];
+
+       create_icv(this, assoc, crypt, j, tmp);
+
+       return memeq(tmp, icv, this->icv_size);
+}
+
+METHOD(aead_t, encrypt, void,
+       private_gcm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
+       chunk_t *encrypted)
+{
+       char j[BLOCK_SIZE];
+
+       create_j(this, iv.ptr, j);
+
+       if (encrypted)
+       {
+               *encrypted = chunk_alloc(plain.len + this->icv_size);
+               crypt(this, j, plain, *encrypted);
+               create_icv(this, assoc,
+                                  chunk_create(encrypted->ptr, encrypted->len - this->icv_size),
+                                  j, encrypted->ptr + encrypted->len - this->icv_size);
+       }
+       else
+       {
+               crypt(this, j, plain, plain);
+               create_icv(this, assoc, plain, j, plain.ptr + plain.len);
+       }
+}
+
+METHOD(aead_t, decrypt, bool,
+       private_gcm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
+       chunk_t *plain)
+{
+       char j[BLOCK_SIZE];
+
+       if (encrypted.len < this->icv_size)
+       {
+               return FALSE;
+       }
+
+       create_j(this, iv.ptr, j);
+
+       encrypted.len -= this->icv_size;
+       if (!verify_icv(this, assoc, encrypted, j, encrypted.ptr + encrypted.len))
+       {
+               return FALSE;
+       }
+       if (plain)
+       {
+               *plain = chunk_alloc(encrypted.len);
+               crypt(this, j, encrypted, *plain);
+       }
+       else
+       {
+               crypt(this, j, encrypted, encrypted);
+       }
+       return TRUE;
+}
+
+METHOD(aead_t, get_block_size, size_t,
+       private_gcm_aead_t *this)
+{
+       return 1;
+}
+
+METHOD(aead_t, get_icv_size, size_t,
+       private_gcm_aead_t *this)
+{
+       return this->icv_size;
+}
+
+METHOD(aead_t, get_iv_size, size_t,
+       private_gcm_aead_t *this)
+{
+       return IV_SIZE;
+}
+
+METHOD(aead_t, get_key_size, size_t,
+       private_gcm_aead_t *this)
+{
+       return this->crypter->get_key_size(this->crypter) + SALT_SIZE;
+}
+
+METHOD(aead_t, set_key, void,
+       private_gcm_aead_t *this, chunk_t key)
+{
+       memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE);
+       key.len -= SALT_SIZE;
+       this->crypter->set_key(this->crypter, key);
+       create_h(this, this->h);
+}
+
+METHOD(aead_t, destroy, void,
+       private_gcm_aead_t *this)
+{
+       this->crypter->destroy(this->crypter);
+       free(this);
+}
+
+/**
+ * See header
+ */
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size)
+{
+       private_gcm_aead_t *this;
+       size_t icv_size;
+
+       switch (key_size)
+       {
+               case 0:
+                       key_size = 16;
+                       break;
+               case 16:
+               case 24:
+               case 32:
+                       break;
+               default:
+                       return NULL;
+       }
+       switch (algo)
+       {
+               case ENCR_AES_GCM_ICV8:
+                       algo = ENCR_AES_CBC;
+                       icv_size = 8;
+                       break;
+               case ENCR_AES_GCM_ICV12:
+                       algo = ENCR_AES_CBC;
+                       icv_size = 12;
+                       break;
+               case ENCR_AES_GCM_ICV16:
+                       algo = ENCR_AES_CBC;
+                       icv_size = 16;
+                       break;
+               default:
+                       return NULL;
+       }
+
+       INIT(this,
+               .public = {
+                       .aead = {
+                               .encrypt = _encrypt,
+                               .decrypt = _decrypt,
+                               .get_block_size = _get_block_size,
+                               .get_icv_size = _get_icv_size,
+                               .get_iv_size = _get_iv_size,
+                               .get_key_size = _get_key_size,
+                               .set_key = _set_key,
+                               .destroy = _destroy,
+                       },
+               },
+               .crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
+               .icv_size = icv_size,
+       );
+
+       if (!this->crypter)
+       {
+               free(this);
+               return NULL;
+       }
+
+       return &this->public;
+}
diff --git a/src/libstrongswan/plugins/gcm/gcm_aead.h b/src/libstrongswan/plugins/gcm/gcm_aead.h
new file mode 100644 (file)
index 0000000..db4be24
--- /dev/null
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcm_aead gcm_aead
+ * @{ @ingroup gcm
+ */
+
+#ifndef GCM_AEAD_H_
+#define GCM_AEAD_H_
+
+#include <crypto/aead.h>
+
+typedef struct gcm_aead_t gcm_aead_t;
+
+/**
+ * Galois/Counter Mode (GCM).
+ *
+ * Implements GCM as specified in NIST 800-38D, using AEAD semantics from
+ * RFC 5282, based on RFC4106.
+ */
+struct gcm_aead_t {
+
+       /**
+        * Implements aead_t interface.
+        */
+       aead_t aead;
+};
+
+/**
+ * Create a gcm_aead instance.
+ *
+ * @param key_size             key size in bytes
+ * @param algo                 algorithm to implement, a gcm mode
+ * @return                             aead, NULL if not supported
+ */
+gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo, size_t key_size);
+
+#endif /** GCM_AEAD_H_ @}*/
diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.c b/src/libstrongswan/plugins/gcm/gcm_plugin.c
new file mode 100644 (file)
index 0000000..061001b
--- /dev/null
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "gcm_plugin.h"
+
+#include <library.h>
+
+#include "gcm_aead.h"
+
+typedef struct private_gcm_plugin_t private_gcm_plugin_t;
+
+/**
+ * private data of gcm_plugin
+ */
+struct private_gcm_plugin_t {
+
+       /**
+        * public functions
+        */
+       gcm_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+       private_gcm_plugin_t *this)
+{
+       lib->crypto->remove_aead(lib->crypto,
+                                       (aead_constructor_t)gcm_aead_create);
+
+       free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *gcm_plugin_create()
+{
+       private_gcm_plugin_t *this;
+
+       INIT(this,
+               .public.plugin.destroy = _destroy,
+       );
+
+       lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8,
+                                       (aead_constructor_t)gcm_aead_create);
+       lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12,
+                                       (aead_constructor_t)gcm_aead_create);
+       lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16,
+                                       (aead_constructor_t)gcm_aead_create);
+
+       return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.h b/src/libstrongswan/plugins/gcm/gcm_plugin.h
new file mode 100644 (file)
index 0000000..5267670
--- /dev/null
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup gcm gcm
+ * @ingroup plugins
+ *
+ * @defgroup gcm_plugin gcm_plugin
+ * @{ @ingroup gcm
+ */
+
+#ifndef GCM_PLUGIN_H_
+#define GCM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct gcm_plugin_t gcm_plugin_t;
+
+/**
+ * Plugin providing GCM mode operation.
+ */
+struct gcm_plugin_t {
+
+       /**
+        * Implements plugin interface.
+        */
+       plugin_t plugin;
+};
+
+#endif /** GCM_PLUGIN_H_ @}*/