From 969dbe9f0cd3386a8188f2c42177433aaa9b8ff1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Tue, 10 Dec 2019 18:01:43 +0100
Subject: [PATCH 189/191] lib:crypto: Remove our implementation of AES GCM

We require GnuTLS >= 3.4.7 which provides AES GCM.

Signed-off-by: Andreas Schneider
Reviewed-by: Andrew Bartlett
(cherry picked from commit 337c51c9f503adef58c9b875bfb4f522cfb7d9ae)
---
 lib/crypto/aes_gcm_128.c | 208 ------------------------
 lib/crypto/aes_gcm_128.h | 55 -------
 lib/crypto/aes_gcm_128_test.c | 295 ----------------------------------
 lib/crypto/crypto.h | 1 -
 lib/crypto/wscript_build | 11 --
 source4/torture/local/local.c | 3 -
 6 files changed, 573 deletions(-)
 delete mode 100644 lib/crypto/aes_gcm_128.c
 delete mode 100644 lib/crypto/aes_gcm_128.h
 delete mode 100644 lib/crypto/aes_gcm_128_test.c

diff --git a/lib/crypto/aes_gcm_128.c b/lib/crypto/aes_gcm_128.c
deleted file mode 100644
index 6b5a385cbd8..00000000000
--- a/lib/crypto/aes_gcm_128.c
+++ /dev/null
@@ -1,208 +0,0 @@
-/*
- AES-GCM-128
-
- Copyright (C) Stefan Metzmacher 2014
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see .
-*/
-
-#include "replace.h"
-#include "lib/crypto/aes.h"
-#include "lib/crypto/aes_gcm_128.h"
-#include "lib/util/byteorder.h"
-
-static inline void aes_gcm_128_inc32(uint8_t inout[AES_BLOCK_SIZE])
-{
- uint32_t v;
-
- v = RIVAL(inout, AES_BLOCK_SIZE - 4);
- v += 1;
- RSIVAL(inout, AES_BLOCK_SIZE - 4, v);
-}
-
-static inline void aes_gcm_128_mul(const uint8_t x[AES_BLOCK_SIZE],
- const uint8_t y[AES_BLOCK_SIZE],
- uint8_t v[AES_BLOCK_SIZE],
- uint8_t z[AES_BLOCK_SIZE])
-{
- uint8_t i;
- /* 11100001 || 0^120 */
- static const uint8_t r[AES_BLOCK_SIZE] = {
- 0xE1, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00,
- };
-
- memset(z, 0, AES_BLOCK_SIZE);
- memcpy(v, y, AES_BLOCK_SIZE);
-
- for (i = 0; i < AES_BLOCK_SIZE; i++) {
- uint8_t mask;
- for (mask = 0x80; mask != 0 ; mask >>= 1) {
- uint8_t v_lsb = v[AES_BLOCK_SIZE-1] & 1;
- if (x[i] & mask) {
- aes_block_xor(z, v, z);
- }
-
- aes_block_rshift(v, v);
- if (v_lsb != 0) {
- aes_block_xor(v, r, v);
- }
- }
- }
-}
-
-static inline void aes_gcm_128_ghash_block(struct aes_gcm_128_context *ctx,
- const uint8_t in[AES_BLOCK_SIZE])
-{
- aes_block_xor(ctx->Y, in, ctx->y.block);
- aes_gcm_128_mul(ctx->y.block, ctx->H, ctx->v.block, ctx->Y);
-}
-
-void aes_gcm_128_init(struct aes_gcm_128_context *ctx,
- const uint8_t K[AES_BLOCK_SIZE],
- const uint8_t IV[AES_GCM_128_IV_SIZE])
-{
- ZERO_STRUCTP(ctx);
-
- AES_set_encrypt_key(K, 128, &ctx->aes_key);
-
- /*
- * Step 1: generate H (ctx->Y is the zero block here)
- */
- AES_encrypt(ctx->Y, ctx->H, &ctx->aes_key);
-
- /*
- * Step 2: generate J0
- */
- memcpy(ctx->J0, IV, AES_GCM_128_IV_SIZE);
- aes_gcm_128_inc32(ctx->J0);
-
- /*
- * We need to prepare CB with J0.
- */
- memcpy(ctx->CB, ctx->J0, AES_BLOCK_SIZE);
- ctx->c.ofs = AES_BLOCK_SIZE;
-}
-
-static inline void aes_gcm_128_update_tmp(struct aes_gcm_128_context *ctx,
- struct aes_gcm_128_tmp *tmp,
- const uint8_t *v, size_t v_len)
-{
- tmp->total += v_len;
-
- if (tmp->ofs > 0) {
- size_t copy = MIN(AES_BLOCK_SIZE - tmp->ofs, v_len);
-
- memcpy(tmp->block + tmp->ofs, v, copy);
- tmp->ofs += copy;
- v += copy;
- v_len -= copy;
- }
-
- if (tmp->ofs == AES_BLOCK_SIZE) {
- aes_gcm_128_ghash_block(ctx, tmp->block);
- tmp->ofs = 0;
- }
-
- while (v_len >= AES_BLOCK_SIZE) {
- aes_gcm_128_ghash_block(ctx, v);
- v += AES_BLOCK_SIZE;
- v_len -= AES_BLOCK_SIZE;
- }
-
- if (v_len == 0) {
- return;
- }
-
- ZERO_STRUCT(tmp->block);
- memcpy(tmp->block, v, v_len);
- tmp->ofs = v_len;
-}
-
-void aes_gcm_128_updateA(struct aes_gcm_128_context *ctx,
- const uint8_t *a, size_t a_len)
-{
- aes_gcm_128_update_tmp(ctx, &ctx->A, a, a_len);
-}
-
-void aes_gcm_128_updateC(struct aes_gcm_128_context *ctx,
- const uint8_t *c, size_t c_len)
-{
- if (ctx->A.ofs > 0) {
- aes_gcm_128_ghash_block(ctx, ctx->A.block);
- ctx->A.ofs = 0;
- }
-
- aes_gcm_128_update_tmp(ctx, &ctx->C, c, c_len);
-}
-
-static inline void aes_gcm_128_crypt_tmp(struct aes_gcm_128_context *ctx,
- struct aes_gcm_128_tmp *tmp,
- uint8_t *m, size_t m_len)
-{
- tmp->total += m_len;
-
- while (m_len > 0) {
- if (tmp->ofs == AES_BLOCK_SIZE) {
- aes_gcm_128_inc32(ctx->CB);
- AES_encrypt(ctx->CB, tmp->block, &ctx->aes_key);
- tmp->ofs = 0;
- }
-
- if (likely(tmp->ofs == 0 && m_len >= AES_BLOCK_SIZE)) {
- aes_block_xor(m, tmp->block, m);
- m += AES_BLOCK_SIZE;
- m_len -= AES_BLOCK_SIZE;
- aes_gcm_128_inc32(ctx->CB);
- AES_encrypt(ctx->CB, tmp->block, &ctx->aes_key);
- continue;
- }
-
- m[0] ^= tmp->block[tmp->ofs];
- m += 1;
- m_len -= 1;
- tmp->ofs += 1;
- }
-}
-
-void aes_gcm_128_crypt(struct aes_gcm_128_context *ctx,
- uint8_t *m, size_t m_len)
-{
- aes_gcm_128_crypt_tmp(ctx, &ctx->c, m, m_len);
-}
-
-void aes_gcm_128_digest(struct aes_gcm_128_context *ctx,
- uint8_t T[AES_BLOCK_SIZE])
-{
- if (ctx->A.ofs > 0) {
- aes_gcm_128_ghash_block(ctx, ctx->A.block);
- ctx->A.ofs = 0;
- }
-
- if (ctx->C.ofs > 0) {
- aes_gcm_128_ghash_block(ctx, ctx->C.block);
- ctx->C.ofs = 0;
- }
-
- RSBVAL(ctx->AC, 0, ctx->A.total * 8);
- RSBVAL(ctx->AC, 8, ctx->C.total * 8);
- aes_gcm_128_ghash_block(ctx, ctx->AC);
-
- AES_encrypt(ctx->J0, ctx->c.block, &ctx->aes_key);
- aes_block_xor(ctx->c.block, ctx->Y, T);
-
- ZERO_STRUCTP(ctx);
-}
diff --git a/lib/crypto/aes_gcm_128.h b/lib/crypto/aes_gcm_128.h
deleted file mode 100644
index 8df11c2f6bd..00000000000
--- a/lib/crypto/aes_gcm_128.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- AES-GCM-128
-
- Copyright (C) Stefan Metzmacher 2014
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see .
-*/
-
-#ifndef LIB_CRYPTO_AES_GCM_128_H
-#define LIB_CRYPTO_AES_GCM_128_H
-
-#define AES_GCM_128_IV_SIZE (12)
-
-struct aes_gcm_128_context {
- AES_KEY aes_key;
-
- uint64_t __align;
-
- struct aes_gcm_128_tmp {
- size_t ofs;
- size_t total;
- uint8_t block[AES_BLOCK_SIZE];
- } A, C, c, v, y;
-
- uint8_t H[AES_BLOCK_SIZE];
- uint8_t J0[AES_BLOCK_SIZE];
- uint8_t CB[AES_BLOCK_SIZE];
- uint8_t Y[AES_BLOCK_SIZE];
- uint8_t AC[AES_BLOCK_SIZE];
-};
-
-void aes_gcm_128_init(struct aes_gcm_128_context *ctx,
- const uint8_t K[AES_BLOCK_SIZE],
- const uint8_t IV[AES_GCM_128_IV_SIZE]);
-void aes_gcm_128_updateA(struct aes_gcm_128_context *ctx,
- const uint8_t *a, size_t a_len);
-void aes_gcm_128_updateC(struct aes_gcm_128_context *ctx,
- const uint8_t *c, size_t c_len);
-void aes_gcm_128_crypt(struct aes_gcm_128_context *ctx,
- uint8_t *m, size_t m_len);
-void aes_gcm_128_digest(struct aes_gcm_128_context *ctx,
- uint8_t T[AES_BLOCK_SIZE]);
-
-#endif /* LIB_CRYPTO_AES_GCM_128_H */
diff --git a/lib/crypto/aes_gcm_128_test.c b/lib/crypto/aes_gcm_128_test.c
deleted file mode 100644
index fdd87ff532d..00000000000
--- a/lib/crypto/aes_gcm_128_test.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- AES-GCM-128 tests
-
- Copyright (C) Stefan Metzmacher 2014
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see .
-*/
-#include "replace.h"
-#include "../lib/util/samba_util.h"
-#include "lib/crypto/aes.h"
-#include "lib/crypto/aes_gcm_128.h"
-#include "lib/crypto/aes_test.h"
-
-#ifndef AES_GCM_128_ONLY_TESTVECTORS
-struct torture_context;
-bool torture_local_crypto_aes_gcm_128(struct torture_context *tctx);
-
-/*
- This uses the test values from ...
-*/
-bool torture_local_crypto_aes_gcm_128(struct torture_context *tctx)
-{
- bool ret = true;
- uint32_t i;
- struct aes_mode_testvector testarray[] = {
-#endif /* AES_GCM_128_ONLY_TESTVECTORS */
-#define AES_GCM_128_TESTVECTOR(_k, _n, _a, _p, _c, _t) \
- AES_MODE_TESTVECTOR(aes_gcm_128, _k, _n, _a, _p, _c, _t)
-
- AES_GCM_128_TESTVECTOR(
- /* K */
- "8BF9FBC2B8149484FF11AB1F3A544FF6",
- /* N */
- "010000000000000077F7A8FF",
- /* A */
- "010000000000000077F7A80000000000"
- "A8000000000001004100002C00980000",
- /* P */
- "FE534D4240000100000000000B00811F"
- "00000000000000000600000000000000"
- "00000000010000004100002C00980000"
- "00000000000000000000000000000000"
- "3900000094010600FFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFF7800000030000000"
- "000000007800000000000000FFFF0000"
- "0100000000000000"
- "03005C003100370032002E0033003100"
- "2E0039002E003100380033005C006E00"
- "650074006C006F0067006F006E000000",
- /* C */
- "863C07C1FBFA82D741A080C97DF52CFF"
- "432A63A37E5ACFA3865AE4E6E422D502"
- "FA7C6FBB9A7418F28C43F00A3869F687"
- "257CA665E25E62A0F458C42AA9E95DC4"
- "6CB351A0A497FABB7DCE58FEE5B20B08"
- "522E0E701B112FB93B36E7A0FB084D35"
- "62C0F3FDF0421079DD96BBCCA40949B3"
- "A7FC1AA635A72384"
- "2037DE3CA6385465D1884B29D7140790"
- "88AD3E770E2528D527B302536B7E5B1B"
- "430E048230AFE785DB89F4D87FC1F816",
- /* T */
- "BC9B5871EBFA89ADE21439ACDCD65D22"
- ),
- AES_GCM_128_TESTVECTOR(
- /* K */
- "00000000000000000000000000000000",
- /* N */
- "000000000000000000000000",
- /* A */
- "",
- /* P */
- "",
- /* C */
- "",
- /* T */
- "58e2fccefa7e3061367f1d57a4e7455a"
- ),
- AES_GCM_128_TESTVECTOR(
- /* K */
- "00000000000000000000000000000000",
- /* N */
- "000000000000000000000000",
- /* A */
- "",
- /* P */
- "00000000000000000000000000000000",
- /* C */
- "0388dace60b6a392f328c2b971b2fe78",
- /* T */
- "ab6e47d42cec13bdf53a67b21257bddf"
- ),
- AES_GCM_128_TESTVECTOR(
- /* K */
- "feffe9928665731c6d6a8f9467308308",
- /* N */
- "cafebabefacedbaddecaf888",
- /* A */
- "",
- /* P */
- "d9313225f88406e5a55909c5aff5269a"
- "86a7a9531534f7da2e4c303d8a318a72"
- "1c3c0c95956809532fcf0e2449a6b525"
- "b16aedf5aa0de657ba637b391aafd255",
- /* C */
- "42831ec2217774244b7221b784d0d49c"
- "e3aa212f2c02a4e035c17e2329aca12e"
- "21d514b25466931c7d8f6a5aac84aa05"
- "1ba30b396a0aac973d58e091473f5985",
- /* T */
- "4d5c2af327cd64a62cf35abd2ba6fab4"
- ),
- AES_GCM_128_TESTVECTOR(
- /* K */
- "feffe9928665731c6d6a8f9467308308",
- /* N */
- "cafebabefacedbaddecaf888",
- /* A */
- "feedfacedeadbeeffeedfacedeadbeef"
- "abaddad2",
- /* P */
- "d9313225f88406e5a55909c5aff5269a"
- "86a7a9531534f7da2e4c303d8a318a72"
- "1c3c0c95956809532fcf0e2449a6b525"
- "b16aedf5aa0de657ba637b39",
- /* C */
- "42831ec2217774244b7221b784d0d49c"
- "e3aa212f2c02a4e035c17e2329aca12e"
- "21d514b25466931c7d8f6a5aac84aa05"
- "1ba30b396a0aac973d58e091",
- /* T */
- "5bc94fbc3221a5db94fae95ae7121a47"
- ),
-#ifndef AES_GCM_128_ONLY_TESTVECTORS
- };
-
- for (i=0; i < ARRAY_SIZE(testarray); i++) {
- struct aes_gcm_128_context ctx;
- uint8_t T[AES_BLOCK_SIZE];
- DATA_BLOB _T = data_blob_const(T, sizeof(T));
- DATA_BLOB C;
- int e;
-
- C = data_blob_dup_talloc(tctx, testarray[i].P);
-
- aes_gcm_128_init(&ctx, testarray[i].K.data, testarray[i].N.data);
- aes_gcm_128_updateA(&ctx,
- testarray[i].A.data,
- testarray[i].A.length);
- aes_gcm_128_crypt(&ctx, C.data, C.length);
- aes_gcm_128_updateC(&ctx, C.data, C.length);
- aes_gcm_128_digest(&ctx, T);
-
- e = memcmp(testarray[i].T.data, T, sizeof(T));
- if (e != 0) {
- aes_mode_testvector_debug(&testarray[i], NULL, &C, &_T);
- ret = false;
- goto fail;
- }
-
- e = memcmp(testarray[i].C.data, C.data, C.length);
- if (e != 0) {
- aes_mode_testvector_debug(&testarray[i], NULL, &C, &_T);
- ret = false;
- goto fail;
- }
- }
-
- for (i=0; i < ARRAY_SIZE(testarray); i++) {
- struct aes_gcm_128_context ctx;
- uint8_t T[AES_BLOCK_SIZE];
- DATA_BLOB _T = data_blob_const(T, sizeof(T));
- DATA_BLOB C;
- int e;
- size_t j;
-
- C = data_blob_dup_talloc(tctx, testarray[i].P);
-
- aes_gcm_128_init(&ctx, testarray[i].K.data, testarray[i].N.data);
- for (j=0; j < testarray[i].A.length; j++) {
- aes_gcm_128_updateA(&ctx, NULL, 0);
- aes_gcm_128_updateA(&ctx, &testarray[i].A.data[j], 1);
- aes_gcm_128_updateA(&ctx, NULL, 0);
- }
- for (j=0; j < C.length; j++) {
- aes_gcm_128_crypt(&ctx, NULL, 0);
- aes_gcm_128_updateC(&ctx, NULL, 0);
- aes_gcm_128_crypt(&ctx, &C.data[j], 1);
- aes_gcm_128_updateC(&ctx, &C.data[j], 1);
- aes_gcm_128_crypt(&ctx, NULL, 0);
- aes_gcm_128_updateC(&ctx, NULL, 0);
- }
- aes_gcm_128_digest(&ctx, T);
-
- e = memcmp(testarray[i].T.data, T, sizeof(T));
- if (e != 0) {
- aes_mode_testvector_debug(&testarray[i], NULL, &C, &_T);
- ret = false;
- goto fail;
- }
-
- e = memcmp(testarray[i].C.data, C.data, C.length);
- if (e != 0) {
- aes_mode_testvector_debug(&testarray[i], NULL, &C, &_T);
- ret = false;
- goto fail;
- }
- }
-
- for (i=0; i < ARRAY_SIZE(testarray); i++) {
- struct aes_gcm_128_context ctx;
- uint8_t T[AES_BLOCK_SIZE];
- DATA_BLOB _T = data_blob_const(T, sizeof(T));
- DATA_BLOB P;
- int e;
- size_t j;
-
- P = data_blob_dup_talloc(tctx, testarray[i].C);
-
- aes_gcm_128_init(&ctx, testarray[i].K.data, testarray[i].N.data);
- for (j=0; j < testarray[i].A.length; j++) {
- aes_gcm_128_updateA(&ctx, NULL, 0);
- aes_gcm_128_updateA(&ctx, &testarray[i].A.data[j], 1);
- aes_gcm_128_updateA(&ctx, NULL, 0);
- }
- for (j=0; j < P.length; j++) {
- aes_gcm_128_updateC(&ctx, NULL, 0);
- aes_gcm_128_crypt(&ctx, NULL, 0);
- aes_gcm_128_updateC(&ctx, &P.data[j], 1);
- aes_gcm_128_crypt(&ctx, &P.data[j], 1);
- aes_gcm_128_updateC(&ctx, NULL, 0);
- aes_gcm_128_crypt(&ctx, NULL, 0);
- }
- aes_gcm_128_digest(&ctx, T);
-
- e = memcmp(testarray[i].T.data, T, sizeof(T));
- if (e != 0) {
- aes_mode_testvector_debug(&testarray[i], &P, NULL, &_T);
- ret = false;
- goto fail;
- }
-
- e = memcmp(testarray[i].P.data, P.data, P.length);
- if (e != 0) {
- aes_mode_testvector_debug(&testarray[i], &P, NULL, &_T);
- ret = false;
- goto fail;
- }
- }
-
- for (i=0; i < ARRAY_SIZE(testarray); i++) {
- struct aes_gcm_128_context ctx;
- uint8_t T[AES_BLOCK_SIZE];
- DATA_BLOB _T = data_blob_const(T, sizeof(T));
- DATA_BLOB P;
- int e;
-
- P = data_blob_dup_talloc(tctx, testarray[i].C);
-
- aes_gcm_128_init(&ctx, testarray[i].K.data, testarray[i].N.data);
- aes_gcm_128_updateA(&ctx, testarray[i].A.data, testarray[i].A.length);
- aes_gcm_128_updateC(&ctx, P.data, P.length);
- aes_gcm_128_crypt(&ctx, P.data, P.length);
- aes_gcm_128_digest(&ctx, T);
-
- e = memcmp(testarray[i].T.data, T, sizeof(T));
- if (e != 0) {
- aes_mode_testvector_debug(&testarray[i], &P, NULL, &_T);
- ret = false;
- goto fail;
- }
-
- e = memcmp(testarray[i].P.data, P.data, P.length);
- if (e != 0) {
- aes_mode_testvector_debug(&testarray[i], &P, NULL, &_T);
- ret = false;
- goto fail;
- }
- }
-
- fail:
- return ret;
-}
-#endif /* AES_GCM_128_ONLY_TESTVECTORS */
diff --git a/lib/crypto/crypto.h b/lib/crypto/crypto.h
index 66767935925..d8f13f8fadd 100644
--- a/lib/crypto/crypto.h
+++ b/lib/crypto/crypto.h
@@ -23,6 +23,5 @@
 #include "../lib/crypto/md4.h"
 #include "../lib/crypto/aes.h"
 #include "../lib/crypto/aes_cmac_128.h"
-#include "../lib/crypto/aes_gcm_128.h"
 
 #endif /* _SAMBA_CRYPTO_H_ */
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index a019ebe60cf..cd136165a0d 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -12,10 +12,6 @@ bld.SAMBA_SUBSYSTEM('GNUTLS_HELPERS',
 ''',
 deps='gnutls samba-errors');
 
-bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES_GCM',
- source='aes_gcm_128.c',
- deps='talloc')
-
 bld.SAMBA_SUBSYSTEM('LIBCRYPTO_AES',
 source='aes.c rijndael-alg-fst.c',
 deps='talloc')
@@ -32,15 +28,9 @@ bld.SAMBA_SUBSYSTEM('LIBCRYPTO',
 deps='''
 talloc
 LIBCRYPTO_AES
- LIBCRYPTO_AES_GCM
 LIBCRYPTO_AES_CMAC
 ''' + extra_deps)
 
-bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_GCM',
- source='aes_gcm_128_test.c',
- autoproto='aes_gcm_test_proto.h',
- deps='talloc')
-
 bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO_AES_CMAC',
 source='aes_cmac_128_test.c',
 autoproto='aes_cmac_test_proto.h',
@@ -52,7 +42,6 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
 autoproto='test_proto.h',
 deps='''
 LIBCRYPTO
- TORTURE_LIBCRYPTO_AES_GCM
 TORTURE_LIBCRYPTO_AES_CMAC
 ''')
 
diff --git a/source4/torture/local/local.c b/source4/torture/local/local.c
index 8f9148b1988..cd20b1691f5 100644
--- a/source4/torture/local/local.c
+++ b/source4/torture/local/local.c
@@ -23,7 +23,6 @@
 #include "torture/ndr/proto.h"
 #include "torture/auth/proto.h"
 #include "../lib/crypto/test_proto.h"
-#include "../lib/crypto/aes_gcm_test_proto.h"
 #ifndef HAVE_GNUTLS_AES_CMAC
 #include "../lib/crypto/aes_cmac_test_proto.h"
 #endif
@@ -99,8 +98,6 @@ NTSTATUS torture_local_init(TALLOC_CTX *ctx)
 torture_suite_add_simple_test(suite, "crypto.aes_cmac_128",
 torture_local_crypto_aes_cmac_128);
 #endif
- torture_suite_add_simple_test(suite, "crypto.aes_gcm_128",
- torture_local_crypto_aes_gcm_128);
 
 for (i = 0; suite_generators[i]; i++)
 torture_suite_add_suite(suite,
-- 
2.23.0