[BACK]Return to gcm_aead.c CVS log [TXT] [DIR] Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libstrongswan / plugins / gcm
File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libstrongswan / plugins / gcm / gcm_aead.c
Revision 1.1.1.1 (vendor branch): download - view: text, annotated - select for diffs - revision graph
Wed Jun 3 09:46:44 2020 UTC (4 years, 1 month ago) by misho
Branches: strongswan, MAIN
CVS tags: v5_9_2p0, v5_8_4p7, HEAD
Strongswan

/*
 * Copyright (C) 2010 Martin Willi
 * Copyright (C) 2010 revosec AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "gcm_aead.h"

#include <limits.h>
#include <crypto/iv/iv_gen_seq.h>

#define BLOCK_SIZE 16
#define NONCE_SIZE 12
#define IV_SIZE 8
#define SALT_SIZE (NONCE_SIZE - IV_SIZE)

typedef struct private_gcm_aead_t private_gcm_aead_t;

/**
 * Private data of an gcm_aead_t object.
 */
struct private_gcm_aead_t {

	/**
	 * Public gcm_aead_t interface.
	 */
	gcm_aead_t public;

	/**
	 * Underlying CBC crypter.
	 */
	crypter_t *crypter;

	/**
	 * IV generator.
	 */
	iv_gen_t *iv_gen;

	/**
	 * Size of the integrity check value
	 */
	size_t icv_size;

	/**
	 * Salt value
	 */
	char salt[SALT_SIZE];

	/**
	 * GHASH subkey H
	 */
	char h[BLOCK_SIZE];
};

/**
 * Find a suitable word size and network order conversion functions
 */
#if ULONG_MAX == 18446744073709551615UL && defined(htobe64)
#	define htobeword htobe64
#	define bewordtoh be64toh
#	define SHIFT_WORD_TYPE uint64_t
#else
#	define htobeword htonl
#	define bewordtoh ntohl
#	define SHIFT_WORD_TYPE uint32_t
#endif

/**
 * Bitshift a block right by one bit
 */
static void sr_block(char *block)
{
	int i;
	SHIFT_WORD_TYPE *word = (SHIFT_WORD_TYPE*)block;

	for (i = 0; i < BLOCK_SIZE / sizeof(*word); i++)
	{
		word[i] = bewordtoh(word[i]);
	}
	for (i = BLOCK_SIZE / sizeof(*word) - 1; i >= 0; i--)
	{
		word[i] >>= 1;
		if (i != 0)
		{
			word[i] |= word[i - 1] << (sizeof(*word) * 8 - 1);
		}
	}
	for (i = 0; i < BLOCK_SIZE / sizeof(*word); i++)
	{
		word[i] = htobeword(word[i]);
	}
}

/**
 * Naive implementation of block multiplication in GF128, no tables
 */
static void mult_block(char *x, char *y, char *res)
{
	char z[BLOCK_SIZE], v[BLOCK_SIZE], r;
	int bit, byte;

	r = 0xE1;
	memset(z, 0, BLOCK_SIZE);
	memcpy(v, y, BLOCK_SIZE);

	for (byte = 0; byte < BLOCK_SIZE; byte++)
	{
		for (bit = 7; bit >= 0; bit--)
		{
			if (x[byte] & (1 << bit))
			{
				memxor(z, v, BLOCK_SIZE);
			}
			if (v[BLOCK_SIZE - 1] & 0x01)
			{
				sr_block(v);
				v[0] ^= r;
			}
			else
			{
				sr_block(v);
			}
		}
	}
	memcpy(res, z, BLOCK_SIZE);
}

/**
 * GHASH function
 */
static void ghash(private_gcm_aead_t *this, chunk_t x, char *res)
{
	char y[BLOCK_SIZE];

	memset(y, 0, BLOCK_SIZE);

	while (x.len)
	{
		memxor(y, x.ptr, BLOCK_SIZE);
		mult_block(y, this->h, y);
		x = chunk_skip(x, BLOCK_SIZE);
	}
	memcpy(res, y, BLOCK_SIZE);
}

/**
 * GCTR function, en-/decrypts x inline
 */
static bool gctr(private_gcm_aead_t *this, char *icb, chunk_t x)
{
	char cb[BLOCK_SIZE], iv[BLOCK_SIZE], tmp[BLOCK_SIZE];

	memset(iv, 0, BLOCK_SIZE);
	memcpy(cb, icb, BLOCK_SIZE);

	while (x.len)
	{
		memcpy(tmp, cb, BLOCK_SIZE);
		if (!this->crypter->encrypt(this->crypter, chunk_from_thing(tmp),
									chunk_from_thing(iv), NULL))
		{
			return FALSE;
		}
		memxor(x.ptr, tmp, min(BLOCK_SIZE, x.len));
		chunk_increment(chunk_from_thing(cb));
		x = chunk_skip(x, BLOCK_SIZE);
	}
	return TRUE;
}

/**
 * Generate the block J0
 */
static void create_j(private_gcm_aead_t *this, char *iv, char *j)
{
	memcpy(j, this->salt, SALT_SIZE);
	memcpy(j + SALT_SIZE, iv, IV_SIZE);
	htoun32(j + SALT_SIZE + IV_SIZE, 1);
}

/**
 * Create GHASH subkey H
 */
static bool create_h(private_gcm_aead_t *this, char *h)
{
	char zero[BLOCK_SIZE];

	memset(zero, 0, BLOCK_SIZE);
	memset(h, 0, BLOCK_SIZE);

	return this->crypter->encrypt(this->crypter, chunk_create(h, BLOCK_SIZE),
								  chunk_from_thing(zero), NULL);
}

/**
 * Encrypt/decrypt
 */
static bool crypt(private_gcm_aead_t *this, char *j, chunk_t in, chunk_t out)
{
	char icb[BLOCK_SIZE];

	memcpy(icb, j, BLOCK_SIZE);
	chunk_increment(chunk_from_thing(icb));

	out.len = in.len;
	if (in.ptr != out.ptr)
	{
		memcpy(out.ptr, in.ptr, in.len);
	}
	return gctr(this, icb, out);
}

/**
 * Create ICV
 */
static bool create_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
					   char *j, char *icv)
{
	size_t assoc_pad, crypt_pad;
	chunk_t chunk;
	char s[BLOCK_SIZE], *pos;

	assoc_pad = (BLOCK_SIZE - (assoc.len % BLOCK_SIZE)) % BLOCK_SIZE;
	crypt_pad = (BLOCK_SIZE - (crypt.len % BLOCK_SIZE)) % BLOCK_SIZE;

	/* concatenate data to a new chunk */
	chunk = chunk_alloc(assoc.len + assoc_pad +
						crypt.len + crypt_pad + BLOCK_SIZE);
	pos = chunk.ptr;
	/* add associated data */
	memcpy(pos, assoc.ptr, assoc.len);
	pos += assoc.len;
	memset(pos, 0, assoc_pad);
	pos += assoc_pad;
	/* add encrypted data */
	memcpy(pos, crypt.ptr, crypt.len);
	pos += crypt.len;
	memset(pos, 0, crypt_pad);
	pos += crypt_pad;
	/* write associated len */
	memset(pos, 0, 4);
	pos += 4;
	htoun32(pos, assoc.len * 8);
	pos += 4;
	/* write encrypted length */
	memset(pos, 0, 4);
	pos += 4;
	htoun32(pos, crypt.len * 8);
	pos += 4;

	ghash(this, chunk, s);
	free(chunk.ptr);
	if (!gctr(this, j, chunk_from_thing(s)))
	{
		return FALSE;
	}
	memcpy(icv, s, this->icv_size);
	return TRUE;
}

/**
 * Verify the ICV value
 */
static bool verify_icv(private_gcm_aead_t *this, chunk_t assoc, chunk_t crypt,
					   char *j, char *icv)
{
	char tmp[this->icv_size];

	return create_icv(this, assoc, crypt, j, tmp) &&
		   memeq_const(tmp, icv, this->icv_size);
}

METHOD(aead_t, encrypt, bool,
	private_gcm_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
	chunk_t *encrypted)
{
	char j[BLOCK_SIZE];

	create_j(this, iv.ptr, j);

	if (encrypted)
	{
		*encrypted = chunk_alloc(plain.len + this->icv_size);
		return crypt(this, j, plain, *encrypted) &&
			   create_icv(this, assoc,
					chunk_create(encrypted->ptr, encrypted->len - this->icv_size),
					j, encrypted->ptr + encrypted->len - this->icv_size);
	}
	return crypt(this, j, plain, plain) &&
		   create_icv(this, assoc, plain, j, plain.ptr + plain.len);
}

METHOD(aead_t, decrypt, bool,
	private_gcm_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
	chunk_t *plain)
{
	char j[BLOCK_SIZE];

	if (encrypted.len < this->icv_size)
	{
		return FALSE;
	}

	create_j(this, iv.ptr, j);

	encrypted.len -= this->icv_size;
	if (!verify_icv(this, assoc, encrypted, j, encrypted.ptr + encrypted.len))
	{
		return FALSE;
	}
	if (plain)
	{
		*plain = chunk_alloc(encrypted.len);
		return crypt(this, j, encrypted, *plain);
	}
	return crypt(this, j, encrypted, encrypted);
}

METHOD(aead_t, get_block_size, size_t,
	private_gcm_aead_t *this)
{
	return 1;
}

METHOD(aead_t, get_icv_size, size_t,
	private_gcm_aead_t *this)
{
	return this->icv_size;
}

METHOD(aead_t, get_iv_size, size_t,
	private_gcm_aead_t *this)
{
	return IV_SIZE;
}

METHOD(aead_t, get_iv_gen, iv_gen_t*,
	private_gcm_aead_t *this)
{
	return this->iv_gen;
}

METHOD(aead_t, get_key_size, size_t,
	private_gcm_aead_t *this)
{
	return this->crypter->get_key_size(this->crypter) + SALT_SIZE;
}

METHOD(aead_t, set_key, bool,
	private_gcm_aead_t *this, chunk_t key)
{
	memcpy(this->salt, key.ptr + key.len - SALT_SIZE, SALT_SIZE);
	key.len -= SALT_SIZE;
	return this->crypter->set_key(this->crypter, key) &&
		   create_h(this, this->h);
}

METHOD(aead_t, destroy, void,
	private_gcm_aead_t *this)
{
	this->crypter->destroy(this->crypter);
	this->iv_gen->destroy(this->iv_gen);
	free(this);
}

/**
 * See header
 */
gcm_aead_t *gcm_aead_create(encryption_algorithm_t algo,
							size_t key_size, size_t salt_size)
{
	private_gcm_aead_t *this;
	size_t icv_size;

	switch (key_size)
	{
		case 0:
			key_size = 16;
			break;
		case 16:
		case 24:
		case 32:
			break;
		default:
			return NULL;
	}
	if (salt_size && salt_size != SALT_SIZE)
	{
		/* currently not supported */
		return NULL;
	}
	switch (algo)
	{
		case ENCR_AES_GCM_ICV8:
			algo = ENCR_AES_CBC;
			icv_size = 8;
			break;
		case ENCR_AES_GCM_ICV12:
			algo = ENCR_AES_CBC;
			icv_size = 12;
			break;
		case ENCR_AES_GCM_ICV16:
			algo = ENCR_AES_CBC;
			icv_size = 16;
			break;
		default:
			return NULL;
	}

	INIT(this,
		.public = {
			.aead = {
				.encrypt = _encrypt,
				.decrypt = _decrypt,
				.get_block_size = _get_block_size,
				.get_icv_size = _get_icv_size,
				.get_iv_size = _get_iv_size,
				.get_iv_gen = _get_iv_gen,
				.get_key_size = _get_key_size,
				.set_key = _set_key,
				.destroy = _destroy,
			},
		},
		.crypter = lib->crypto->create_crypter(lib->crypto, algo, key_size),
		.iv_gen = iv_gen_seq_create(),
		.icv_size = icv_size,
	);

	if (!this->crypter)
	{
		free(this);
		return NULL;
	}

	return &this->public;
}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>