From cb42b5b1fa81969e6d4056e0220374e8ded09651 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Tue, 5 Nov 2013 16:29:57 +0100 Subject: Generalize cipher/MAC key/IV lengths --- .../aes128_ctr/nacl/cipher_aes128_ctr_nacl.c | 16 ++++++- .../cipher/blowfish_ctr/builtin/blowfish_ctr.c | 14 +++++- src/crypto/cipher/ciphers.c.in | 2 +- src/crypto/mac/ghash/builtin/ghash_builtin.c | 7 +++ src/crypto/mac/macs.c.in | 2 +- src/fastd.h | 15 ++++-- src/methods/generic_gcm/generic_gcm.c | 53 ++++++++++++++-------- src/methods/null/null.c | 2 +- src/methods/xsalsa20_poly1305/xsalsa20_poly1305.c | 2 +- src/protocols/ec25519_fhmqvc/handshake.c | 2 +- 10 files changed, 83 insertions(+), 32 deletions(-) diff --git a/src/crypto/cipher/aes128_ctr/nacl/cipher_aes128_ctr_nacl.c b/src/crypto/cipher/aes128_ctr/nacl/cipher_aes128_ctr_nacl.c index f63e46f..60c8743 100644 --- a/src/crypto/cipher/aes128_ctr/nacl/cipher_aes128_ctr_nacl.c +++ b/src/crypto/cipher/aes128_ctr/nacl/cipher_aes128_ctr_nacl.c @@ -37,6 +37,10 @@ static fastd_cipher_context_t* aes128_ctr_initialize(fastd_context_t *ctx UNUSED return NULL; } +static size_t aes128_ctr_key_length(fastd_context_t *ctx UNUSED, const fastd_cipher_context_t *cctx UNUSED) { + return 16; +} + static fastd_cipher_state_t* aes128_ctr_init_state(fastd_context_t *ctx, const fastd_cipher_context_t *cctx UNUSED, const uint8_t *key) { fastd_block128_t k; memcpy(k.b, key, sizeof(fastd_block128_t)); @@ -49,8 +53,12 @@ static fastd_cipher_state_t* aes128_ctr_init_state(fastd_context_t *ctx, const f return state; } -static bool aes128_ctr_crypt(fastd_context_t *ctx UNUSED, const fastd_cipher_state_t *state, fastd_block128_t *out, const fastd_block128_t *in, size_t len, const fastd_block128_t *iv) { - crypto_stream_aes128ctr_xor_afternm(out->b, in->b, len, iv->b, state->d.data); +static size_t aes128_ctr_iv_length(fastd_context_t *ctx UNUSED, const fastd_cipher_state_t *state UNUSED) { + return 16; +} + +static bool aes128_ctr_crypt(fastd_context_t *ctx UNUSED, const fastd_cipher_state_t *state, fastd_block128_t *out, const fastd_block128_t *in, size_t len, const uint8_t *iv) { + crypto_stream_aes128ctr_xor_afternm(out->b, in->b, len, iv, state->d.data); return true; } @@ -68,7 +76,11 @@ const fastd_cipher_t fastd_cipher_aes128_ctr_nacl = { .name = "nacl", .initialize = aes128_ctr_initialize, + + .key_length = aes128_ctr_key_length, .init_state = aes128_ctr_init_state, + + .iv_length = aes128_ctr_iv_length, .crypt = aes128_ctr_crypt, .free_state = aes128_ctr_free_state, diff --git a/src/crypto/cipher/blowfish_ctr/builtin/blowfish_ctr.c b/src/crypto/cipher/blowfish_ctr/builtin/blowfish_ctr.c index 04ac1f0..1d29a4c 100644 --- a/src/crypto/cipher/blowfish_ctr/builtin/blowfish_ctr.c +++ b/src/crypto/cipher/blowfish_ctr/builtin/blowfish_ctr.c @@ -223,6 +223,10 @@ static fastd_cipher_context_t* blowfish_ctr_initialize(fastd_context_t *ctx UNUS return NULL; } +static size_t blowfish_ctr_key_length(fastd_context_t *ctx UNUSED, const fastd_cipher_context_t *cctx UNUSED) { + return 56; +} + static inline void bf_swap(uint32_t *L, uint32_t *R) { uint32_t tmp = *L; *L = *R; @@ -292,7 +296,11 @@ static fastd_cipher_state_t* blowfish_ctr_init_state(fastd_context_t *ctx UNUSED return state; } -static bool blowfish_ctr_crypt(fastd_context_t *ctx UNUSED, const fastd_cipher_state_t *state, fastd_block128_t *out, const fastd_block128_t *in, size_t len, const fastd_block128_t *iv) { +static size_t blowfish_ctr_iv_length(fastd_context_t *ctx UNUSED, const fastd_cipher_state_t *state UNUSED) { + return 8; +} + +static bool blowfish_ctr_crypt(fastd_context_t *ctx UNUSED, const fastd_cipher_state_t *state, fastd_block128_t *out, const fastd_block128_t *in, size_t len, const uint8_t *iv) { uint32_t ctr[2]; fastd_block128_t block; @@ -329,7 +337,11 @@ const fastd_cipher_t fastd_cipher_blowfish_ctr_builtin = { .name = "builtin", .initialize = blowfish_ctr_initialize, + + .key_length = blowfish_ctr_key_length, .init_state = blowfish_ctr_init_state, + + .iv_length = blowfish_ctr_iv_length, .crypt = blowfish_ctr_crypt, .free_state = blowfish_ctr_free_state, diff --git a/src/crypto/cipher/ciphers.c.in b/src/crypto/cipher/ciphers.c.in index 5bedc75..667cfac 100644 --- a/src/crypto/cipher/ciphers.c.in +++ b/src/crypto/cipher/ciphers.c.in @@ -102,7 +102,7 @@ bool fastd_cipher_available(const char *name) { return false; } -const fastd_cipher_t* fastd_cipher_get_by_name(fastd_context_t *ctx, const char *name, fastd_cipher_context_t **cctx) { +const fastd_cipher_t* fastd_cipher_get_by_name(fastd_context_t *ctx, const char *name, const fastd_cipher_context_t **cctx) { size_t i; for (i = 0; i < array_size(ciphers); i++) { if (!strcmp(ciphers[i].name, name)) { diff --git a/src/crypto/mac/ghash/builtin/ghash_builtin.c b/src/crypto/mac/ghash/builtin/ghash_builtin.c index 2eb7fed..34e118a 100644 --- a/src/crypto/mac/ghash/builtin/ghash_builtin.c +++ b/src/crypto/mac/ghash/builtin/ghash_builtin.c @@ -65,6 +65,10 @@ static fastd_mac_context_t* ghash_initialize(fastd_context_t *ctx UNUSED) { return NULL; } +static size_t ghash_key_length(fastd_context_t *ctx UNUSED, const fastd_mac_context_t *cctx UNUSED) { + return sizeof(fastd_block128_t); +} + static fastd_mac_state_t* ghash_init_state(fastd_context_t *ctx UNUSED, const fastd_mac_context_t *mctx UNUSED, const uint8_t *key) { fastd_mac_state_t *state = malloc(sizeof(fastd_mac_state_t)); @@ -132,7 +136,10 @@ const fastd_mac_t fastd_mac_ghash_builtin = { .name = "builtin", .initialize = ghash_initialize, + + .key_length = ghash_key_length, .init_state = ghash_init_state, + .hash = ghash_hash, .free_state = ghash_free_state, diff --git a/src/crypto/mac/macs.c.in b/src/crypto/mac/macs.c.in index 7d8a5ff..5adca10 100644 --- a/src/crypto/mac/macs.c.in +++ b/src/crypto/mac/macs.c.in @@ -102,7 +102,7 @@ bool fastd_mac_available(const char *name) { return false; } -const fastd_mac_t* fastd_mac_get_by_name(fastd_context_t *ctx, const char *name, fastd_mac_context_t **cctx) { +const fastd_mac_t* fastd_mac_get_by_name(fastd_context_t *ctx, const char *name, const fastd_mac_context_t **cctx) { size_t i; for (i = 0; i < array_size(macs); i++) { if (!strcmp(macs[i].name, name)) { diff --git a/src/fastd.h b/src/fastd.h index 0f62445..4e17cb5 100644 --- a/src/fastd.h +++ b/src/fastd.h @@ -87,7 +87,7 @@ struct fastd_method { size_t (*min_encrypt_tail_space)(fastd_context_t *ctx); size_t (*min_decrypt_tail_space)(fastd_context_t *ctx); - size_t (*key_length)(fastd_context_t *ctx); + size_t (*key_length)(fastd_context_t *ctx, const char *name); fastd_method_session_state_t* (*session_init)(fastd_context_t *ctx, const char *name, const uint8_t *secret, bool initiator); fastd_method_session_state_t* (*session_init_compat)(fastd_context_t *ctx, const char *name, const uint8_t *secret, size_t length, bool initiator); bool (*session_is_valid)(fastd_context_t *ctx, fastd_method_session_state_t *session); @@ -104,8 +104,12 @@ struct fastd_cipher { const char *name; fastd_cipher_context_t* (*initialize)(fastd_context_t *ctx); + + size_t (*key_length)(fastd_context_t *ctx, const fastd_cipher_context_t *cctx); fastd_cipher_state_t* (*init_state)(fastd_context_t *ctx, const fastd_cipher_context_t *cctx, const uint8_t *key); - bool (*crypt)(fastd_context_t *ctx, const fastd_cipher_state_t *state, fastd_block128_t *out, const fastd_block128_t *in, size_t len, const fastd_block128_t *iv); + + size_t (*iv_length)(fastd_context_t *ctx, const fastd_cipher_state_t *state); + bool (*crypt)(fastd_context_t *ctx, const fastd_cipher_state_t *state, fastd_block128_t *out, const fastd_block128_t *in, size_t len, const uint8_t *iv); void (*free_state)(fastd_context_t *ctx, fastd_cipher_state_t *state); void (*free)(fastd_context_t *ctx, fastd_cipher_context_t *cctx); @@ -115,7 +119,10 @@ struct fastd_mac { const char *name; fastd_mac_context_t* (*initialize)(fastd_context_t *ctx); + + size_t (*key_length)(fastd_context_t *ctx, const fastd_mac_context_t *mctx); fastd_mac_state_t* (*init_state)(fastd_context_t *ctx, const fastd_mac_context_t *mctx, const uint8_t *key); + bool (*hash)(fastd_context_t *ctx, const fastd_mac_state_t *state, fastd_block128_t *out, const fastd_block128_t *in, size_t n_blocks); void (*free_state)(fastd_context_t *ctx, fastd_mac_state_t *state); @@ -366,12 +373,12 @@ const fastd_method_t* fastd_method_get_by_name(const char *name); void fastd_cipher_init(fastd_context_t *ctx); void fastd_cipher_free(fastd_context_t *ctx); bool fastd_cipher_available(const char *name); -const fastd_cipher_t* fastd_cipher_get_by_name(fastd_context_t *ctx, const char *name, fastd_cipher_context_t **cctx); +const fastd_cipher_t* fastd_cipher_get_by_name(fastd_context_t *ctx, const char *name, const fastd_cipher_context_t **cctx); void fastd_mac_init(fastd_context_t *ctx); void fastd_mac_free(fastd_context_t *ctx); bool fastd_mac_available(const char *name); -const fastd_mac_t* fastd_mac_get_by_name(fastd_context_t *ctx, const char *name, fastd_mac_context_t **cctx); +const fastd_mac_t* fastd_mac_get_by_name(fastd_context_t *ctx, const char *name, const fastd_mac_context_t **cctx); void fastd_tuntap_open(fastd_context_t *ctx); fastd_buffer_t fastd_tuntap_read(fastd_context_t *ctx); diff --git a/src/methods/generic_gcm/generic_gcm.c b/src/methods/generic_gcm/generic_gcm.c index ba8729a..8ae9dbe 100644 --- a/src/methods/generic_gcm/generic_gcm.c +++ b/src/methods/generic_gcm/generic_gcm.c @@ -32,16 +32,17 @@ struct fastd_method_session_state { fastd_method_common_t common; const fastd_cipher_t *cipher; - fastd_cipher_context_t *cipher_ctx; + const fastd_cipher_context_t *cipher_ctx; fastd_cipher_state_t *cipher_state; + size_t ivlen; const fastd_mac_t *ghash; - fastd_mac_context_t *ghash_ctx; + const fastd_mac_context_t *ghash_ctx; fastd_mac_state_t *ghash_state; }; -static bool cipher_get(fastd_context_t *ctx, const char *name, const fastd_cipher_t **cipher, fastd_cipher_context_t **cctx) { +static bool cipher_get(fastd_context_t *ctx, const char *name, const fastd_cipher_t **cipher, const fastd_cipher_context_t **cctx) { if (!fastd_mac_available("ghash")) return false; @@ -93,8 +94,13 @@ static size_t method_min_decrypt_tail_space(fastd_context_t *ctx UNUSED) { } -static size_t method_key_length(fastd_context_t *ctx UNUSED) { - return sizeof(fastd_block128_t); +static size_t method_key_length(fastd_context_t *ctx, const char *name) { + const fastd_cipher_t *cipher; + const fastd_cipher_context_t *cctx; + if (!cipher_get(ctx, name, &cipher, &cctx)) + exit_bug(ctx, "generic-gcm: can't get cipher key length"); + + return cipher->key_length(ctx, cctx); } static fastd_method_session_state_t* method_session_init(fastd_context_t *ctx, const char *name, const uint8_t *secret, bool initiator) { @@ -110,7 +116,14 @@ static fastd_method_session_state_t* method_session_init(fastd_context_t *ctx, c static const fastd_block128_t zeroblock = {}; fastd_block128_t H; - session->cipher->crypt(ctx, session->cipher_state, &H, &zeroblock, sizeof(fastd_block128_t), &zeroblock); + session->ivlen = session->cipher->iv_length(ctx, session->cipher_state); + if (session->ivlen <= COMMON_NONCEBYTES) + exit_bug(ctx, "generic-gcm: iv_length to small"); + + uint8_t zeroiv[session->ivlen]; + memset(zeroiv, 0, session->ivlen); + + session->cipher->crypt(ctx, session->cipher_state, &H, &zeroblock, sizeof(fastd_block128_t), zeroiv); session->ghash = fastd_mac_get_by_name(ctx, "ghash", &session->ghash_ctx); if (!session->ghash) @@ -173,18 +186,18 @@ static bool method_encrypt(fastd_context_t *ctx, fastd_peer_t *peer UNUSED, fast if (tail_len) memset(in.data+in.len, 0, tail_len); - fastd_block128_t nonce; - memcpy(nonce.b, session->common.send_nonce, COMMON_NONCEBYTES); - memset(nonce.b+COMMON_NONCEBYTES, 0, sizeof(fastd_block128_t)-COMMON_NONCEBYTES-1); - nonce.b[sizeof(fastd_block128_t)-1] = 1; + uint8_t nonce[session->ivlen]; + memset(nonce, 0, session->ivlen); + memcpy(nonce, session->common.send_nonce, COMMON_NONCEBYTES); + nonce[session->ivlen-1] = 1; - int n_blocks = (in.len+sizeof(fastd_block128_t)-1)/sizeof(fastd_block128_t); + int n_blocks = block_count(in.len, sizeof(fastd_block128_t)); fastd_block128_t *inblocks = in.data; fastd_block128_t *outblocks = out->data; fastd_block128_t sig; - bool ok = session->cipher->crypt(ctx, session->cipher_state, outblocks, inblocks, n_blocks*sizeof(fastd_block128_t), &nonce); + bool ok = session->cipher->crypt(ctx, session->cipher_state, outblocks, inblocks, n_blocks*sizeof(fastd_block128_t), nonce); if (ok) { if (tail_len) @@ -220,13 +233,13 @@ static bool method_decrypt(fastd_context_t *ctx, fastd_peer_t *peer, fastd_metho if (!method_session_is_valid(ctx, session)) return false; - fastd_block128_t nonce; - memcpy(nonce.b, in.data, COMMON_NONCEBYTES); - memset(nonce.b+COMMON_NONCEBYTES, 0, sizeof(fastd_block128_t)-COMMON_NONCEBYTES-1); - nonce.b[sizeof(fastd_block128_t)-1] = 1; + uint8_t nonce[session->ivlen]; + memset(nonce, 0, session->ivlen); + memcpy(nonce, in.data, COMMON_NONCEBYTES); + nonce[session->ivlen-1] = 1; int64_t age; - if (!fastd_method_is_nonce_valid(ctx, &session->common, nonce.b, &age)) + if (!fastd_method_is_nonce_valid(ctx, &session->common, nonce, &age)) return false; fastd_buffer_push_head(ctx, &in, COMMON_NONCEBYTES); @@ -234,13 +247,13 @@ static bool method_decrypt(fastd_context_t *ctx, fastd_peer_t *peer, fastd_metho size_t tail_len = alignto(in.len, sizeof(fastd_block128_t))-in.len; *out = fastd_buffer_alloc(ctx, in.len, 0, tail_len); - int n_blocks = (in.len+sizeof(fastd_block128_t)-1)/sizeof(fastd_block128_t); + int n_blocks = block_count(in.len, sizeof(fastd_block128_t)); fastd_block128_t *inblocks = in.data; fastd_block128_t *outblocks = out->data; fastd_block128_t sig; - bool ok = session->cipher->crypt(ctx, session->cipher_state, outblocks, inblocks, n_blocks*sizeof(fastd_block128_t), &nonce); + bool ok = session->cipher->crypt(ctx, session->cipher_state, outblocks, inblocks, n_blocks*sizeof(fastd_block128_t), nonce); if (ok) { if (tail_len) @@ -260,7 +273,7 @@ static bool method_decrypt(fastd_context_t *ctx, fastd_peer_t *peer, fastd_metho fastd_buffer_push_head(ctx, out, sizeof(fastd_block128_t)); - if (!fastd_method_reorder_check(ctx, peer, &session->common, nonce.b, age)) { + if (!fastd_method_reorder_check(ctx, peer, &session->common, nonce, age)) { fastd_buffer_free(*out); *out = fastd_buffer_alloc(ctx, 0, 0, 0); } diff --git a/src/methods/null/null.c b/src/methods/null/null.c index e93f0cf..6874124 100644 --- a/src/methods/null/null.c +++ b/src/methods/null/null.c @@ -45,7 +45,7 @@ static size_t method_min_head_tail_space(fastd_context_t *ctx UNUSED) { return 0; } -static size_t method_key_length(fastd_context_t *ctx UNUSED) { +static size_t method_key_length(fastd_context_t *ctx UNUSED, const char *name UNUSED) { return 0; } diff --git a/src/methods/xsalsa20_poly1305/xsalsa20_poly1305.c b/src/methods/xsalsa20_poly1305/xsalsa20_poly1305.c index 45bdc14..f7709bb 100644 --- a/src/methods/xsalsa20_poly1305/xsalsa20_poly1305.c +++ b/src/methods/xsalsa20_poly1305/xsalsa20_poly1305.c @@ -58,7 +58,7 @@ static size_t method_min_tail_space(fastd_context_t *ctx UNUSED) { } -static size_t method_key_length(fastd_context_t *ctx UNUSED) { +static size_t method_key_length(fastd_context_t *ctx UNUSED, const char *name UNUSED) { return crypto_secretbox_xsalsa20poly1305_KEYBYTES; } diff --git a/src/protocols/ec25519_fhmqvc/handshake.c b/src/protocols/ec25519_fhmqvc/handshake.c index 909d011..182abca 100644 --- a/src/protocols/ec25519_fhmqvc/handshake.c +++ b/src/protocols/ec25519_fhmqvc/handshake.c @@ -98,7 +98,7 @@ static inline void new_session(fastd_context_t *ctx, fastd_peer_t *peer, const c supersede_session(ctx, peer, method); if (salt) { - size_t blocks = block_count(method->key_length(ctx), sizeof(fastd_sha256_t)); + size_t blocks = block_count(method->key_length(ctx, method_name), sizeof(fastd_sha256_t)); fastd_sha256_t secret[blocks]; derive_key(secret, blocks, salt, method_name, A, B, X, Y, sigma); -- cgit v1.2.3