From: Andreas Steffen Date: Thu, 21 Nov 2013 21:08:16 +0000 (+0100) Subject: Any of the four NTRU parameter sets can be selected X-Git-Tag: 5.1.2dr1~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=802eaf3789404984cbe7e7433d8fda6aed390039;p=thirdparty%2Fstrongswan.git Any of the four NTRU parameter sets can be selected --- diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 93d2d2eb41..3ff61c33ef 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in @@ -867,10 +867,10 @@ Enable logging of SQL IP pool leases .BR libstrongswan.plugins.gcrypt.quick_random " [no]" Use faster random numbers in gcrypt; for testing only, produces weak keys! .TP -.BR libstrongswan.plugins.ntru.param_set_selection " [optimum]" +.BR libstrongswan.plugins.ntru.parameter_set " [optimum]" The following parameter sets are available: 'x9_98_speed', 'x9_98_bandwidth', 'x9_98_balance' and 'optimum', the last set not being part of the X9.98 -standard but exhibiting the best performance. +standard but having the best performance. .TP .BR libstrongswan.plugins.openssl.engine_id " [pkcs11]" ENGINE ID to use in the OpenSSL plugin diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c index 8c2f614f3e..88e6366f76 100644 --- a/src/libstrongswan/plugins/ntru/ntru_ke.c +++ b/src/libstrongswan/plugins/ntru/ntru_ke.c @@ -22,6 +22,48 @@ #include typedef struct private_ntru_ke_t private_ntru_ke_t; +typedef struct param_set_t param_set_t; + +/** + * Defines an NTRU parameter set by ID or OID + */ +struct param_set_t { + NTRU_ENCRYPT_PARAM_SET_ID id; + char oid[3]; + char *name; +}; + +/* Best bandwidth and speed, no X9.98 compatibility */ +static param_set_t param_sets_optimum[] = { + { NTRU_EES401EP2, {0x00, 0x02, 0x10}, "ees401ep2" }, + { NTRU_EES439EP1, {0x00, 0x03, 0x10}, "ees439ep1" }, + { NTRU_EES593EP1, {0x00, 0x05, 0x10}, "ees593ep1" }, + { NTRU_EES743EP1, {0x00, 0x06, 0x10}, "ees743ep1" } +}; + +/* X9.98/IEEE 1363.1 parameter sets for best speed */ +static param_set_t param_sets_x9_98_speed[] = { + { NTRU_EES659EP1, {0x00, 0x02, 0x06}, "ees659ep1" }, + { NTRU_EES761EP1, {0x00, 0x03, 0x05}, "ees761ep1" }, + { NTRU_EES1087EP1, {0x00, 0x05, 0x05}, "ees1087ep1" }, + { NTRU_EES1499EP1, {0x00, 0x06, 0x05}, "ees1499ep1" } +}; + +/* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */ +static param_set_t param_sets_x9_98_bandwidth[] = { + { NTRU_EES401EP1, {0x00, 0x02, 0x04}, "ees401ep1" }, + { NTRU_EES449EP1, {0x00, 0x03, 0x03}, "ees449ep1" }, + { NTRU_EES677EP1, {0x00, 0x05, 0x03}, "ees677ep1" }, + { NTRU_EES1087EP2, {0x00, 0x06, 0x03}, "ees1087ep2" } +}; + +/* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */ +static param_set_t param_sets_x9_98_balance[] = { + { NTRU_EES541EP1, {0x00, 0x02, 0x05}, "ees541ep1" }, + { NTRU_EES613EP1, {0x00, 0x03, 0x04}, "ees613ep1" }, + { NTRU_EES887EP1, {0x00, 0x05, 0x04}, "ees887ep1" }, + { NTRU_EES1171EP1, {0x00, 0x06, 0x04}, "ees1171ep1" } +}; /** * Private data of an ntru_ke_t object. @@ -38,9 +80,9 @@ struct private_ntru_ke_t { u_int16_t group; /** - * NTRU Parameter Set ID + * NTRU Parameter Set */ - NTRU_ENCRYPT_PARAM_SET_ID param_set_id; + param_set_t *param_set; /** * Cryptographical strength in bits of the NTRU Parameter Set @@ -102,7 +144,7 @@ METHOD(diffie_hellman_t, get_my_public_value, void, if (this->pub_key.len == 0) { /* determine the NTRU public and private key sizes */ - if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set_id, + if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id, &pub_key_len, NULL, &priv_key_len, NULL) != NTRU_OK) { @@ -114,7 +156,7 @@ METHOD(diffie_hellman_t, get_my_public_value, void, this->priv_key = chunk_alloc(priv_key_len); /* generate a random NTRU public/private key pair */ - if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set_id, + if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id, &pub_key_len, this->pub_key.ptr, &priv_key_len, this->priv_key.ptr) != NTRU_OK) { @@ -180,6 +222,18 @@ METHOD(diffie_hellman_t, set_other_public_value, void, { /* responder generating and encrypting the shared secret */ this->responder = TRUE; + + /* check the NTRU public key format */ + if (value.len < 5 || value.ptr[0] != 1 || value.ptr[1] != 3) + { + DBG1(DBG_LIB, "received NTRU public key with invalid header"); + return; + } + if (!memeq(value.ptr + 2, this->param_set->oid, 3)) + { + DBG1(DBG_LIB, "received NTRU public key with wrong OID"); + return; + } this->pub_key = chunk_clone(value); /* shared secret size is chosen as twice the cryptographical strength */ @@ -247,72 +301,54 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) { private_ntru_ke_t *this; char personalization_str[] = "strongSwan NTRU-KE"; - NTRU_ENCRYPT_PARAM_SET_ID *param_set, param_set_id; + param_set_t *param_sets, *param_set; DRBG_HANDLE drbg; - char *param_set_selection; + char *parameter_set; u_int32_t strength; - /* Best bandwidth and speed, no X9.98 compatibility */ - NTRU_ENCRYPT_PARAM_SET_ID param_set_optimum[] = { - NTRU_EES401EP2, NTRU_EES439EP1, NTRU_EES593EP1, NTRU_EES743EP1 - }; - - /* X9.98/IEEE 1363.1 parameter set for best speed */ - NTRU_ENCRYPT_PARAM_SET_ID param_set_x9_98_speed[] = { - NTRU_EES659EP1, NTRU_EES761EP1, NTRU_EES1087EP1, NTRU_EES1499EP1 - }; + parameter_set = lib->settings->get_str(lib->settings, + "libstrongswan.plugins.ntru.parameter_set", "optimum"); - /* X9.98/IEEE 1363.1 parameter set for best bandwidth (smallest size) */ - NTRU_ENCRYPT_PARAM_SET_ID param_set_x9_98_bandwidth[] = { - NTRU_EES401EP1, NTRU_EES449EP1, NTRU_EES677EP1, NTRU_EES1087EP1 - }; - - /* X9.98/IEEE 1363.1 parameter set balancing speed and bandwidth */ - NTRU_ENCRYPT_PARAM_SET_ID param_set_x9_98_balance[] = { - NTRU_EES541EP1, NTRU_EES613EP1, NTRU_EES887EP1, NTRU_EES1171EP1 - }; - - param_set_selection = lib->settings->get_str(lib->settings, - "libstrongswan.plugins.ntru.param__set_selection", "optimum"); - - if (streq(param_set_selection, "x9_98_speed")) + if (streq(parameter_set, "x9_98_speed")) { - param_set = param_set_x9_98_speed; + param_sets = param_sets_x9_98_speed; } - else if (streq(param_set_selection, "x9_98_bandwidth")) + else if (streq(parameter_set, "x9_98_bandwidth")) { - param_set = param_set_x9_98_bandwidth; + param_sets = param_sets_x9_98_bandwidth; } - else if (streq(param_set_selection, "x9_98_balance")) + else if (streq(parameter_set, "x9_98_balance")) { - param_set = param_set_x9_98_balance; + param_sets = param_sets_x9_98_balance; } else { - param_set = param_set_optimum; + param_sets = param_sets_optimum; } switch (group) { case NTRU_112_BIT: strength = 112; - param_set_id = param_set[0]; + param_set = ¶m_sets[0]; break; case NTRU_128_BIT: strength = 128; - param_set_id = param_set[1]; + param_set = ¶m_sets[1]; break; case NTRU_192_BIT: strength = 192; - param_set_id = param_set[2]; + param_set = ¶m_sets[2]; break; case NTRU_256_BIT: strength = 256; - param_set_id = param_set[3]; + param_set = ¶m_sets[3]; break; default: return NULL; } + DBG1(DBG_LIB, "%u bit %s NTRU parameter set %s selected", strength, + parameter_set, param_set->name); if (ntru_crypto_drbg_instantiate(strength, personalization_str, strlen(personalization_str), @@ -321,10 +357,6 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) DBG1(DBG_LIB, "error instantiating DRBG at %u bit security", strength); return NULL; } - else - { - DBG2(DBG_LIB, "instantiated DRBG at %u bit security", strength); - } INIT(this, .public = { @@ -337,7 +369,7 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) }, }, .group = group, - .param_set_id = param_set_id, + .param_set = param_set, .strength = strength, .drbg = drbg, ); diff --git a/src/libstrongswan/plugins/ntru/ntru_plugin.c b/src/libstrongswan/plugins/ntru/ntru_plugin.c index 4ec6bc3df0..2f066ce762 100644 --- a/src/libstrongswan/plugins/ntru/ntru_plugin.c +++ b/src/libstrongswan/plugins/ntru/ntru_plugin.c @@ -48,7 +48,6 @@ bool ntru_plugin_get_entropy(ENTROPY_CMD cmd, uint8_t *out) { return FALSE; } - DBG2(DBG_LIB, "read one byte of entropy"); return TRUE; default: return FALSE; diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c index 8687598231..b243508573 100644 --- a/src/libstrongswan/tests/suites/test_ntru.c +++ b/src/libstrongswan/tests/suites/test_ntru.c @@ -31,7 +31,7 @@ static struct { /** * NTRU parameter set selection */ -char *param_set_selection[] = { +char *parameter_sets[] = { "x9_98_speed", "x9_98_bandwidth", "x9_98_balance", "optimum" }; @@ -48,11 +48,11 @@ START_TEST(test_ntru_ke) ck_assert(len == 8); ck_assert(streq(buf, params[_i].group_name)); - for (n = 0; n < countof(param_set_selection); n++) + for (n = 0; n < countof(parameter_sets); n++) { lib->settings->set_str(lib->settings, - "libcharon.plugins.ntru.param_set_selection", - param_set_selection[n]); + "libstrongswan.plugins.ntru.parameter_set", + parameter_sets[n]); i_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group); ck_assert(i_ntru != NULL); @@ -94,17 +94,57 @@ START_TEST(test_ntru_ke) } END_TEST -START_TEST(test_ntru_pubkey) +START_TEST(test_ntru_pubkey_oid) { + chunk_t test[] = { + chunk_empty, + chunk_from_chars(0x00), + chunk_from_chars(0x01), + chunk_from_chars(0x02), + chunk_from_chars(0x02, 0x03, 0x00, 0x03, 0x10), + chunk_from_chars(0x01, 0x04, 0x00, 0x03, 0x10), + chunk_from_chars(0x01, 0x03, 0x00, 0x03, 0x10), + chunk_from_chars(0x01, 0x03, 0xff, 0x03, 0x10), + }; + diffie_hellman_t *r_ntru; chunk_t cipher_text; + int i; + + for (i = 0; i < countof(test); i++) + { + r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT); + r_ntru->set_other_public_value(r_ntru, test[i]); + r_ntru->get_my_public_value(r_ntru, &cipher_text); + ck_assert(cipher_text.len == 0); + r_ntru->destroy(r_ntru); + } +} +END_TEST - r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT); - r_ntru->set_other_public_value(r_ntru, chunk_empty); +START_TEST(test_ntru_wrong_set) +{ + diffie_hellman_t *i_ntru, *r_ntru; + chunk_t pub_key, cipher_text; + + lib->settings->set_str(lib->settings, + "libstrongswan.plugins.ntru.parameter_set", + "x9_98_bandwidth"); + i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT); + i_ntru->get_my_public_value(i_ntru, &pub_key); + + lib->settings->set_str(lib->settings, + "libstrongswan.plugins.ntru.parameter_set", + "optimum"); + r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT); + r_ntru->set_other_public_value(r_ntru, pub_key); r_ntru->get_my_public_value(r_ntru, &cipher_text); ck_assert(cipher_text.len == 0); - r_ntru->destroy(r_ntru); + chunk_free(&pub_key); + chunk_free(&cipher_text); + i_ntru->destroy(i_ntru); + r_ntru->destroy(r_ntru); } END_TEST @@ -119,8 +159,12 @@ Suite *ntru_suite_create() tcase_add_loop_test(tc, test_ntru_ke, 0, countof(params)); suite_add_tcase(s, tc); - tc = tcase_create("pubkey"); - tcase_add_test(tc, test_ntru_pubkey); + tc = tcase_create("pubkey_oid"); + tcase_add_test(tc, test_ntru_pubkey_oid); + suite_add_tcase(s, tc); + + tc = tcase_create("wrong_set"); + tcase_add_test(tc, test_ntru_wrong_set); suite_add_tcase(s, tc); return s; diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf index f0432ada1e..f4fd948fd1 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf @@ -5,3 +5,11 @@ charon { multiple_authentication = no send_vendor_id = yes } + +libstrongswan { + plugins { + ntru { + parameter_set = optimum + } + } +}