Ticket #301: 0001-Add-AEAD-cipher-modes.patch

configure.ac

@@ -66 +66 @@
 )
 
 AC_ARG_ENABLE(
+        [aead-modes],
+        [AS_HELP_STRING([--disable-aead-modes], [disable AEAD crypto modes @<:@default=yes@:>@])],
+        ,
+        [enable_aead_modes="yes"]
+)
+
+AC_ARG_ENABLE(
         [ssl],
         [AS_HELP_STRING([--disable-ssl], [disable SSL support for TLS-based key exchange @<:@default=yes@:>@])],
         ,
@@ -782 +789 @@
                 [have_openssl_engine="no"; break]
         )
 
+        have_openssl_aead_modes="yes"
+        AC_CHECK_FUNCS(
+                [ \
+                        EVP_aes_256_ccm \
+                        EVP_aes_256_gcm \
+                        EVP_aes_256_xts \
+                ],
+                ,
+                [have_openssl_aead_modes="no"; break]
+        )
+
         CFLAGS="${saved_CFLAGS}"
         LIBS="${saved_LIBS}"
 fi
@@ -992 +1010 @@
                 CRYPTO_SSL_LIBS="${OPENSSL_SSL_LIBS}"
                 AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use OpenSSL library])
                 test "${have_openssl_engine}" = "yes" && AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [Use crypto library])
+                if test "${enable_aead_modes}" = "yes"; then
+                        test "${have_openssl_aead_modes}" = "yes" && AC_DEFINE([HAVE_AEAD_CIPHER_MODES], [1], [Use crypto library])
+                        test "${have_openssl_aead_modes}" != "yes" && AC_MSG_ERROR([AEAD modes required but missing])
+                fi
                 ;;
         polarssl)
                 have_crypto_crypto="${have_polarssl_crypto}"

src/openvpn/crypto.c

@@ -94 +94 @@
   if (buf->len > 0 && opt->key_ctx_bi)
     {
       struct key_ctx *ctx = &opt->key_ctx_bi->encrypt;
+      const unsigned int mode = cipher_ctx_mode (ctx->cipher);
 
       /* Do Encrypt from buf -> work */
       if (ctx->cipher)
         {
           uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH];
           const int iv_size = cipher_ctx_iv_length (ctx->cipher);
-          const unsigned int mode = cipher_ctx_mode (ctx->cipher);
           int outlen;
 
           if (mode == OPENVPN_MODE_CBC)
@@ -132 +132 @@
               buf_set_write (&b, iv_buf, iv_size);
               ASSERT (packet_id_write (&pin, &b, true, false));
             }
-          else /* We only support CBC, CFB, or OFB modes right now */
+          else if (aead_mode (mode))
+            {
+              struct packet_id_net pin;
+              struct buffer b;
+
+              ASSERT (opt->flags & CO_USE_IV);    /* IV and packet-ID required */
+              ASSERT (opt->packet_id); /*  for this mode. */
+
+              packet_id_alloc_outgoing (&opt->packet_id->send, &pin, true);
+              prng_bytes (iv_buf, iv_size);
+              buf_set_write (&b, iv_buf, iv_size);
+              ASSERT (packet_id_write (&pin, &b, true, false));
+            }
+          else /* We only support CBC, CFB, OFB, or AEAD modes right now */
             {
               ASSERT (0);
             }
@@ -151 +164 @@
           ASSERT (cipher_ctx_reset(ctx->cipher, iv_buf));
 
           /* Buffer overflow check */
-          if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+          int block_size = cipher_ctx_block_size(ctx->cipher);
+          if (!buf_safe (&work, buf->len + block_size))
             {
               msg (D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d",
                    buf->capacity,
@@ -160 +174 @@
                    work.capacity,
                    work.offset,
                    work.len,
-                   cipher_ctx_block_size (ctx->cipher));
+                   block_size);
               goto err;
             }
 
+          /* For AEAD ciphers, we need to update with the AD before ciphertext */
+          if (aead_mode (mode))
+            {
+              ASSERT (cipher_ctx_update_ad (ctx->cipher, iv_buf, iv_size));
+            }
+
           /* Encrypt packet ID, payload */
           ASSERT (cipher_ctx_update (ctx->cipher, BPTR (&work), &outlen, BPTR (buf), BLEN (buf)));
           work.len += outlen;
@@ -171 +191 @@
           /* Flush the encryption buffer */
           ASSERT(cipher_ctx_final(ctx->cipher, BPTR (&work) + outlen, &outlen));
           work.len += outlen;
-          ASSERT (outlen == iv_size);
+
+          /* Some cipher modes don't need padding */
+          if (block_size != 1)
+            ASSERT (outlen == iv_size);
 
           /* prepend the IV to the ciphertext */
           if (opt->flags & CO_USE_IV)
@@ -206 +229 @@
           ASSERT (output);
           hmac_ctx_final (ctx->hmac, output);
         }
+      else if (aead_mode (mode))
+        {
+          int tag_len = cipher_ctx_tag_length (ctx->cipher);
+          uint8_t* output = NULL;
+
+          output = buf_prepend (&work, tag_len);
+          ASSERT (output);
+          ASSERT (cipher_ctx_get_tag (ctx->cipher, output, tag_len));
+        }
 
       *buf = work;
     }
@@ -275 +307 @@
           const unsigned int mode = cipher_ctx_mode (ctx->cipher);
           const int iv_size = cipher_ctx_iv_length (ctx->cipher);
           uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH];
+          int tag_size = cipher_ctx_tag_length (ctx->cipher);
+          uint8_t tag_buf[MAX_HMAC_KEY_LENGTH]; /* tag of AEAD ciphertext */
           int outlen;
 
           /* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */
           ASSERT (buf_init (&work, FRAME_HEADROOM_ADJ (frame, FRAME_HEADROOM_MARKER_DECRYPT)));
 
+          /* for AEAD ciphers, keep the tag value to feed in later */
+          CLEAR (tag_buf);
+          if (aead_mode (mode))
+            {
+              if (buf->len < tag_size)
+                CRYPT_ERROR ("missing tag");
+              memcpy (tag_buf, BPTR (buf), tag_size);
+              ASSERT (buf_advance (buf, tag_size));
+            }
+
           /* use IV if user requested it */
           CLEAR (iv_buf);
           if (opt->flags & CO_USE_IV)
@@ -305 +349 @@
           if (!buf_safe (&work, buf->len))
             CRYPT_ERROR ("buffer overflow");
 
+          /* feed in tag and the authenticated data for AEAD mode ciphers */
+          if (aead_mode (mode))
+            {
+              ASSERT (cipher_ctx_set_tag (ctx->cipher, tag_buf, tag_size));
+              ASSERT (cipher_ctx_update_ad (ctx->cipher, iv_buf, iv_size));
+            }
+
           /* Decrypt packet ID, payload */
           if (!cipher_ctx_update (ctx->cipher, BPTR (&work), &outlen, BPTR (buf), BLEN (buf)))
             CRYPT_ERROR ("cipher update failed");
@@ -329 +380 @@
                     have_pin = true;
                   }
               }
-            else if (mode == OPENVPN_MODE_CFB || mode == OPENVPN_MODE_OFB)
+            else if (mode == OPENVPN_MODE_CFB || mode == OPENVPN_MODE_OFB || aead_mode (mode))
               {
                 struct buffer b;
 
@@ -338 +389 @@
 
                 buf_set_read (&b, iv_buf, iv_size);
                 if (!packet_id_read (&pin, &b, true))
-                  CRYPT_ERROR ("error reading CFB/OFB packet-id");
+                  CRYPT_ERROR ("error reading CFB/OFB/AEAD packet-id");
                 have_pin = true;
               }
-            else /* We only support CBC, CFB, or OFB modes right now */
+            else /* We only support CBC, CFB, OFB, or AEAD modes right now */
               {
                 ASSERT (0);
               }
@@ -416 +467 @@
                bool authname_defined, int keysize,
                bool cfb_ofb_allowed, bool warn)
 {
+  bool aead_cipher = false;
+
   CLEAR (*kt);
   if (ciphername && ciphername_defined)
     {
@@ -427 +480 @@
       /* check legal cipher mode */
       {
         const unsigned int mode = cipher_kt_mode (kt->cipher);
-        if (!(mode == OPENVPN_MODE_CBC
+        aead_cipher = aead_mode (mode);
+        if (!(mode == OPENVPN_MODE_CBC || aead_cipher
 #ifdef ALLOW_NON_CBC_CIPHERS
               || (cfb_ofb_allowed && (mode == OPENVPN_MODE_CFB || mode == OPENVPN_MODE_OFB))
 #endif
@@ -446 +500 @@
     }
   if (authname && authname_defined)
     {
-      kt->digest = md_kt_get (authname);
-      kt->hmac_length = md_kt_size (kt->digest);
+      if (aead_cipher) {
+        msg (M_FATAL, "AEAD mode cipher '%s' does not need an HMAC algorithm", ciphername);
+      } else {
+        kt->digest = md_kt_get (authname);
+        kt->hmac_length = md_kt_size (kt->digest);
+      }
     }
-  else
+  else if (!aead_cipher)
     {
       if (warn)
         msg (M_WARN, "******* WARNING *******: null MAC specified, no authentication will be used");
@@ -620 +678 @@
   return false;
 }
 
+inline bool
+aead_mode (int mode)
+{
+#ifdef HAVE_AEAD_CIPHER_MODES
+  return mode == OPENVPN_MODE_CCM || mode == OPENVPN_MODE_GCM || mode == OPENVPN_MODE_XTS;
+#else
+  return false;
+#endif
+}
+
 /*
  * Generate a random key.  If key_type is provided, make
  * sure generated key is valid for key_type.

src/openvpn/crypto.h

@@ -191 +191 @@
 
 bool cfb_ofb_mode (const struct key_type* kt);
 
+bool aead_mode (int mode);
+
 void init_key_type (struct key_type *kt, const char *ciphername,
     bool ciphername_defined, const char *authname, bool authname_defined,
     int keysize, bool cfb_ofb_allowed, bool warn);

src/openvpn/crypto_backend.h

@@ -269 +269 @@
 int cipher_ctx_iv_length (const cipher_ctx_t *ctx);
 
 /**
+ * Returns the MAC tag size of the cipher, in bytes.
+ *
+ * @param ctx           The cipher's context
+ *
+ * @return              Tag size, in bytes, or 0 if the cipher is not an
+ *                      authenticated encryption mode or ctx was NULL.
+ */
+int cipher_ctx_tag_length (const cipher_ctx_t *ctx);
+
+/**
+ * Sets the expected message authenticated code (MAC) tag for this cipher.
+ *
+ * @param ctx           The cipher's context
+ * @param tag           The expected MAC tag
+ * @param tag_size      The tag's size, in bytes.
+ */
+int cipher_ctx_set_tag (cipher_ctx_t *ctx, uint8_t* tag, int tag_len);
+
+/**
  * Returns the block size of the cipher, in bytes.
  *
  * @param ctx           The cipher's context
@@ -299 +318 @@
 int cipher_ctx_reset (cipher_ctx_t *ctx, uint8_t *iv_buf);
 
 /**
+ * Updates the given cipher context, setting the additional data (AD) used
+ * with authenticated encryption with additional data (AEAD) cipher modes.
+ *
+ * @param ctx           Cipher's context. May not be NULL.
+ * @param src           Source buffer
+ * @param src_len       Length of the source buffer, in bytes
+ *
+ * @return              \c 0 on failure, \c 1 on success.
+ */
+int cipher_ctx_update_ad (cipher_ctx_t *ctx, uint8_t *src, int src_len);
+
+/**
  * Updates the given cipher context, encrypting data in the source buffer, and
  * placing any complete blocks in the destination buffer.
  *

src/openvpn/crypto_openssl.c

@@ -316 +316 @@
         {
           const unsigned int mode = EVP_CIPHER_mode (cipher);
           if (mode == EVP_CIPH_CBC_MODE
+#ifdef HAVE_AEAD_CIPHER_MODES
+              || mode == EVP_CIPH_CCM_MODE || mode == EVP_CIPH_GCM_MODE || mode == EVP_CIPH_XTS_MODE
+#endif
 #ifdef ALLOW_NON_CBC_CIPHERS
               || mode == EVP_CIPH_CFB_MODE || mode == EVP_CIPH_OFB_MODE
 #endif
@@ -578 +581 @@
 }
 
 int
+cipher_ctx_tag_length (const EVP_CIPHER_CTX *ctx)
+{
+  /* add something better here? */
+  return 16;
+}
+
+int
+cipher_ctx_set_tag (EVP_CIPHER_CTX *ctx, uint8_t *tag_buf, int tag_size)
+{
+#ifdef HAVE_AEAD_CIPHER_MODES
+  return EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_TAG, tag_size, tag_buf);
+#else
+  ASSERT (0);
+#endif
+}
+
+int cipher_ctx_get_tag (EVP_CIPHER_CTX *ctx, uint8_t *tag_buf, int tag_size)
+{
+#ifdef HAVE_AEAD_CIPHER_MODES
+  return EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_GET_TAG, tag_size, tag_buf);
+#else
+  ASSERT (0);
+#endif
+}
+
+int
 cipher_ctx_block_size(const EVP_CIPHER_CTX *ctx)
 {
   return EVP_CIPHER_CTX_block_size (ctx);
@@ -596 +625 @@
 }
 
 int
+cipher_ctx_update_ad (EVP_CIPHER_CTX *ctx, uint8_t* src, int src_len)
+{
+#ifdef HAVE_AEAD_CIPHER_MODES
+  int len;
+  return EVP_CipherUpdate_ov (ctx, NULL, &len, src, src_len);
+#else
+  ASSERT (0);
+#endif
+}
+
+int
 cipher_ctx_update (EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len,
     uint8_t *src, int src_len)
 {

src/openvpn/crypto_openssl.h

@@ -61 +61 @@
 /** Cipher is in CFB mode */
 #define OPENVPN_MODE_CFB        EVP_CIPH_CFB_MODE
 
+#ifdef HAVE_AEAD_CIPHER_MODES
+
+/** Cipher is in CCM mode */
+#define OPENVPN_MODE_CCM        EVP_CIPH_CCM_MODE
+
+/** Cipher is in GCM mode */
+#define OPENVPN_MODE_GCM        EVP_CIPH_GCM_MODE
+
+/** Cipher is in XTS mode */
+#define OPENVPN_MODE_XTS        EVP_CIPH_XTS_MODE
+
+#endif /* HAVE_AEAD_CIPHER_MODES */
+
 /** Cipher should encrypt */
 #define OPENVPN_OP_ENCRYPT      1
 

src/openvpn/crypto_polarssl.c

@@ -452 +452 @@
   return cipher_get_iv_size(ctx);
 }
 
+int cipher_ctx_tag_length (const cipher_context_t *ctx)
+{
+  ASSERT (0);
+}
+
+int cipher_ctx_set_tag (cipher_ctx_t *ctx, uint8_t* tag, int tag_len)
+{
+  ASSERT (0);
+}
+
 int cipher_ctx_block_size(const cipher_context_t *ctx)
 {
   return cipher_get_block_size(ctx);
@@ -469 +479 @@
   return 0 == cipher_reset(ctx, iv_buf);
 }
 
+int cipher_ctx_update_ad (cipher_ctx_t *ctx, uint8_t *src, int src_len)
+{
+  ASSERT (0);
+}
+
 int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
     uint8_t *src, int src_len)
 {