From: Miroslav Lichvar Date: Tue, 12 Nov 2024 15:34:40 +0000 (+0100) Subject: siv: drop internal implementation X-Git-Tag: 4.7-pre1~76 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c85ec4ff0fee295e77238da5bbb3a2c5d90d81b6;p=thirdparty%2Fchrony.git siv: drop internal implementation Nettle (>=3.6) and GnuTLS (>=3.6.14) with the AES-SIV-CMAC support required for NTS are now widely available in operating systems. Drop the internal Nettle-based implementation. --- diff --git a/configure b/configure index eefe5de8..d3e775f3 100755 --- a/configure +++ b/configure @@ -997,7 +997,6 @@ if [ $feat_ntp = "1" ] && [ $feat_nts = "1" ] && [ $try_gnutls = "1" ]; then then EXTRA_OBJECTS="$EXTRA_OBJECTS siv_nettle.o" add_def HAVE_SIV - add_def HAVE_NETTLE_SIV_CMAC if [ $try_aes_gcm_siv = "1" ] && test_code 'AES-GCM-SIV in nettle' \ 'nettle/siv-gcm.h' "" "$LIBS" \ 'siv_gcm_aes128_encrypt_message((void *)1, 0, NULL, 0, (void *)2, 16, (void *)3, @@ -1025,13 +1024,6 @@ if [ $feat_ntp = "1" ] && [ $feat_nts = "1" ] && [ $try_gnutls = "1" ]; then then add_def HAVE_GNUTLS_AEAD_CIPHER_SET_KEY fi - else - if test_code 'AES128 in nettle' 'nettle/aes.h' '' "$LIBS" \ - 'aes128_set_encrypt_key((void *)1, (void *)2);' - then - EXTRA_OBJECTS="$EXTRA_OBJECTS siv_nettle.o" - add_def HAVE_SIV - fi fi fi diff --git a/siv_nettle.c b/siv_nettle.c index a8cba490..a7685efc 100644 --- a/siv_nettle.c +++ b/siv_nettle.c @@ -28,12 +28,7 @@ #include "sysincl.h" -#ifdef HAVE_NETTLE_SIV_CMAC #include -#else -#include "siv_nettle_int.c" -#endif - #ifdef HAVE_NETTLE_SIV_GCM #include #endif diff --git a/siv_nettle_int.c b/siv_nettle_int.c deleted file mode 100644 index 714eff6f..00000000 --- a/siv_nettle_int.c +++ /dev/null @@ -1,452 +0,0 @@ -/* This is a single-file implementation of AES-SIV-CMAC-256 based on - a patch for GNU Nettle by Nikos Mavrogiannopoulos */ - -/* - AES-CMAC-128 (rfc 4493) - Copyright (C) Stefan Metzmacher 2012 - Copyright (C) Jeremy Allison 2012 - Copyright (C) Michael Adam 2012 - Copyright (C) 2017, Red Hat Inc. - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ -/* siv-aes128.c, siv-cmac.c, siv.h - - AES-SIV, RFC5297 - SIV-CMAC, RFC5297 - - Copyright (C) 2017 Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ -/* cmac.h, siv-cmac.h, cmac-aes128.c - - CMAC mode, as specified in RFC4493 - SIV-CMAC mode, as specified in RFC5297 - CMAC using AES128 as the underlying cipher. - - Copyright (C) 2017 Red Hat, Inc. - - Contributed by Nikos Mavrogiannopoulos - - This file is part of GNU Nettle. - - GNU Nettle is free software: you can redistribute it and/or - modify it under the terms of either: - - * the GNU Lesser General Public License as published by the Free - Software Foundation; either version 3 of the License, or (at your - option) any later version. - - or - - * the GNU General Public License as published by the Free - Software Foundation; either version 2 of the License, or (at your - option) any later version. - - or both in parallel, as here. - - GNU Nettle is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received copies of the GNU General Public License and - the GNU Lesser General Public License along with this program. If - not, see http://www.gnu.org/licenses/. -*/ - -# include "config.h" - -#include -#include - -#include "nettle/aes.h" -#include "nettle/ctr.h" -#include "nettle/macros.h" -#include "nettle/memxor.h" -#include "nettle/memops.h" - -#include "nettle/nettle-types.h" - -/* For SIV, the block size of the block cipher shall be 128 bits. */ -#define SIV_BLOCK_SIZE 16 -#define SIV_DIGEST_SIZE 16 -#define SIV_MIN_NONCE_SIZE 1 - -/* - * SIV mode requires the aad and plaintext when building the IV, which - * prevents streaming processing and it incompatible with the AEAD API. - */ - -/* AES_SIV_CMAC_256 */ -struct siv_cmac_aes128_ctx { - struct aes128_ctx cipher; - uint8_t s2vk[AES128_KEY_SIZE]; -}; - -struct cmac128_ctx -{ - /* Key */ - union nettle_block16 K1; - union nettle_block16 K2; - - /* MAC state */ - union nettle_block16 X; - - /* Block buffer */ - union nettle_block16 block; - size_t index; -}; - -/* shift one and XOR with 0x87. */ -static void -_cmac128_block_mulx(union nettle_block16 *dst, - const union nettle_block16 *src) -{ - uint64_t b1 = READ_UINT64(src->b); - uint64_t b2 = READ_UINT64(src->b+8); - - b1 = (b1 << 1) | (b2 >> 63); - b2 <<= 1; - - if (src->b[0] & 0x80) - b2 ^= 0x87; - - WRITE_UINT64(dst->b, b1); - WRITE_UINT64(dst->b+8, b2); -} - -static void -cmac128_set_key(struct cmac128_ctx *ctx, const void *cipher, - nettle_cipher_func *encrypt) -{ - static const uint8_t const_zero[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - }; - union nettle_block16 *L = &ctx->block; - memset(ctx, 0, sizeof(*ctx)); - - /* step 1 - generate subkeys k1 and k2 */ - encrypt(cipher, 16, L->b, const_zero); - - _cmac128_block_mulx(&ctx->K1, L); - _cmac128_block_mulx(&ctx->K2, &ctx->K1); -} - -#define MIN(x,y) ((x)<(y)?(x):(y)) - -static void -cmac128_update(struct cmac128_ctx *ctx, const void *cipher, - nettle_cipher_func *encrypt, - size_t msg_len, const uint8_t *msg) -{ - union nettle_block16 Y; - /* - * check if we expand the block - */ - if (ctx->index < 16) - { - size_t len = MIN(16 - ctx->index, msg_len); - memcpy(&ctx->block.b[ctx->index], msg, len); - msg += len; - msg_len -= len; - ctx->index += len; - } - - if (msg_len == 0) { - /* if it is still the last block, we are done */ - return; - } - - /* - * now checksum everything but the last block - */ - memxor3(Y.b, ctx->X.b, ctx->block.b, 16); - encrypt(cipher, 16, ctx->X.b, Y.b); - - while (msg_len > 16) - { - memxor3(Y.b, ctx->X.b, msg, 16); - encrypt(cipher, 16, ctx->X.b, Y.b); - msg += 16; - msg_len -= 16; - } - - /* - * copy the last block, it will be processed in - * cmac128_digest(). - */ - memcpy(ctx->block.b, msg, msg_len); - ctx->index = msg_len; -} - -static void -cmac128_digest(struct cmac128_ctx *ctx, const void *cipher, - nettle_cipher_func *encrypt, - unsigned length, - uint8_t *dst) -{ - union nettle_block16 Y; - - memset(ctx->block.b+ctx->index, 0, sizeof(ctx->block.b)-ctx->index); - - /* re-use ctx->block for memxor output */ - if (ctx->index < 16) - { - ctx->block.b[ctx->index] = 0x80; - memxor(ctx->block.b, ctx->K2.b, 16); - } - else - { - memxor(ctx->block.b, ctx->K1.b, 16); - } - - memxor3(Y.b, ctx->block.b, ctx->X.b, 16); - - assert(length <= 16); - if (length == 16) - { - encrypt(cipher, 16, dst, Y.b); - } - else - { - encrypt(cipher, 16, ctx->block.b, Y.b); - memcpy(dst, ctx->block.b, length); - } - - /* reset state for re-use */ - memset(&ctx->X, 0, sizeof(ctx->X)); - ctx->index = 0; -} - - -#define CMAC128_CTX(type) \ - { struct cmac128_ctx ctx; type cipher; } - -/* NOTE: Avoid using NULL, as we don't include anything defining it. */ -#define CMAC128_SET_KEY(self, set_key, encrypt, cmac_key) \ - do { \ - (set_key)(&(self)->cipher, (cmac_key)); \ - if (0) (encrypt)(&(self)->cipher, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0); \ - cmac128_set_key(&(self)->ctx, &(self)->cipher, \ - (nettle_cipher_func *) (encrypt)); \ - } while (0) - -#define CMAC128_UPDATE(self, encrypt, length, src) \ - cmac128_update(&(self)->ctx, &(self)->cipher, \ - (nettle_cipher_func *)encrypt, (length), (src)) - -#define CMAC128_DIGEST(self, encrypt, length, digest) \ - (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \ - (uint8_t *) 0, (const uint8_t *) 0) \ - : cmac128_digest(&(self)->ctx, &(self)->cipher, \ - (nettle_cipher_func *) (encrypt), \ - (length), (digest))) - -struct cmac_aes128_ctx CMAC128_CTX(struct aes128_ctx); - -static void -cmac_aes128_set_key(struct cmac_aes128_ctx *ctx, const uint8_t *key) -{ - CMAC128_SET_KEY(ctx, aes128_set_encrypt_key, aes128_encrypt, key); -} - -static void -cmac_aes128_update (struct cmac_aes128_ctx *ctx, - size_t length, const uint8_t *data) -{ - CMAC128_UPDATE (ctx, aes128_encrypt, length, data); -} - -static void -cmac_aes128_digest(struct cmac_aes128_ctx *ctx, - size_t length, uint8_t *digest) -{ - CMAC128_DIGEST(ctx, aes128_encrypt, length, digest); -} - -static const uint8_t const_one[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 -}; - -static const uint8_t const_zero[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -}; - -static -void _siv_s2v(nettle_set_key_func *cmac_set_key, - nettle_hash_update_func *cmac_update, - nettle_hash_digest_func *cmac_digest, - size_t cmac_ctx_size, - const uint8_t *s2vk, size_t alength, const uint8_t *adata, - size_t nlength, const uint8_t *nonce, - size_t plength, const uint8_t *pdata, - uint8_t *v) -{ - uint8_t ctx[sizeof(struct cmac128_ctx)+sizeof(struct aes_ctx)]; - union nettle_block16 D, S, T; - - assert(cmac_ctx_size <= sizeof (ctx)); - - cmac_set_key(ctx, s2vk); - - if (nlength == 0 && alength == 0) { - cmac_update(ctx, 16, const_one); - cmac_digest(ctx, 16, v); - return; - } - - cmac_update(ctx, 16, const_zero); - cmac_digest(ctx, 16, D.b); - - if (1) { - _cmac128_block_mulx(&D, &D); - cmac_update(ctx, alength, adata); - cmac_digest(ctx, 16, S.b); - - memxor(D.b, S.b, 16); - } - - if (nlength > 0) { - _cmac128_block_mulx(&D, &D); - cmac_update(ctx, nlength, nonce); - cmac_digest(ctx, 16, S.b); - - memxor(D.b, S.b, 16); - } - - /* Sn */ - if (plength >= 16) { - cmac_update(ctx, plength-16, pdata); - - pdata += plength-16; - - memxor3(T.b, pdata, D.b, 16); - } else { - union nettle_block16 pad; - - _cmac128_block_mulx(&T, &D); - memcpy(pad.b, pdata, plength); - pad.b[plength] = 0x80; - if (plength+1 < 16) - memset(&pad.b[plength+1], 0, 16-plength-1); - - memxor(T.b, pad.b, 16); - } - - cmac_update(ctx, 16, T.b); - cmac_digest(ctx, 16, v); -} - -static void -siv_cmac_aes128_set_key(struct siv_cmac_aes128_ctx *ctx, const uint8_t *key) -{ - memcpy(ctx->s2vk, key, 16); - aes128_set_encrypt_key(&ctx->cipher, key+16); -} - -static void -siv_cmac_aes128_encrypt_message(struct siv_cmac_aes128_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t clength, uint8_t *dst, const uint8_t *src) -{ - union nettle_block16 siv; - size_t slength; - - assert (clength >= SIV_DIGEST_SIZE); - slength = clength - SIV_DIGEST_SIZE; - - /* create CTR nonce */ - _siv_s2v((nettle_set_key_func*)cmac_aes128_set_key, - (nettle_hash_update_func*)cmac_aes128_update, - (nettle_hash_digest_func*)cmac_aes128_digest, - sizeof(struct cmac_aes128_ctx), ctx->s2vk, alength, adata, - nlength, nonce, slength, src, siv.b); - memcpy(dst, siv.b, SIV_DIGEST_SIZE); - siv.b[8] &= ~0x80; - siv.b[12] &= ~0x80; - - ctr_crypt(&ctx->cipher, (nettle_cipher_func *)aes128_encrypt, AES_BLOCK_SIZE, - siv.b, slength, dst+SIV_DIGEST_SIZE, src); -} - -static int -siv_cmac_aes128_decrypt_message(struct siv_cmac_aes128_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t mlength, uint8_t *dst, const uint8_t *src) -{ - union nettle_block16 siv; - union nettle_block16 ctr; - - memcpy(ctr.b, src, SIV_DIGEST_SIZE); - ctr.b[8] &= ~0x80; - ctr.b[12] &= ~0x80; - - ctr_crypt(&ctx->cipher, (nettle_cipher_func *)aes128_encrypt, AES_BLOCK_SIZE, - ctr.b, mlength, dst, src+SIV_DIGEST_SIZE); - - /* create CTR nonce */ - _siv_s2v((nettle_set_key_func*)cmac_aes128_set_key, - (nettle_hash_update_func*)cmac_aes128_update, - (nettle_hash_digest_func*)cmac_aes128_digest, - sizeof(struct cmac_aes128_ctx), ctx->s2vk, alength, adata, - nlength, nonce, mlength, dst, siv.b); - - return memeql_sec(siv.b, src, SIV_DIGEST_SIZE); -} -