diff options
-rw-r--r-- | lib/accelerated/x86/Makefile.am | 2 | ||||
-rw-r--r-- | lib/accelerated/x86/aes-x86.h | 9 | ||||
-rw-r--r-- | lib/accelerated/x86/aes-xts-x86-aesni.c | 160 | ||||
-rw-r--r-- | lib/accelerated/x86/x86-common.c | 16 | ||||
-rw-r--r-- | src/benchmark-cipher.c | 8 | ||||
-rw-r--r-- | src/cli-args.def | 6 | ||||
-rw-r--r-- | src/cli.c | 21 |
7 files changed, 215 insertions, 7 deletions
diff --git a/lib/accelerated/x86/Makefile.am b/lib/accelerated/x86/Makefile.am index 9ee9d0ac2e..58698af300 100644 --- a/lib/accelerated/x86/Makefile.am +++ b/lib/accelerated/x86/Makefile.am @@ -39,7 +39,7 @@ noinst_LTLIBRARIES = libx86.la libx86_la_SOURCES = x86-common.c aes-x86.h x86-common.h sha-x86-ssse3.c sha-x86.h hmac-x86-ssse3.c \ aes-gcm-x86-ssse3.c aes-gcm-x86-aesni.c aes-cbc-x86-ssse3.c aes-cbc-x86-aesni.c aes-gcm-aead.h \ - aes-ccm-x86-aesni.c + aes-ccm-x86-aesni.c aes-xts-x86-aesni.c if ENABLE_PADLOCK libx86_la_SOURCES += sha-padlock.c hmac-padlock.c aes-padlock.c aes-gcm-padlock.c \ diff --git a/lib/accelerated/x86/aes-x86.h b/lib/accelerated/x86/aes-x86.h index 92f54a6a90..023b5f7be6 100644 --- a/lib/accelerated/x86/aes-x86.h +++ b/lib/accelerated/x86/aes-x86.h @@ -45,6 +45,14 @@ size_t aesni_gcm_encrypt(const void *inp, void *out, size_t len, size_t aesni_gcm_decrypt(const void *inp, void *out, size_t len, const AES_KEY *key, const unsigned char iv[16], uint64_t* Xi); +void aesni_xts_encrypt(const unsigned char *in, unsigned char *out, + size_t len, const AES_KEY * key, const AES_KEY * key2, + const unsigned char iv[16]); + +void aesni_xts_decrypt(const unsigned char *in, unsigned char *out, + size_t len, const AES_KEY * key, const AES_KEY * key2, + const unsigned char iv[16]); + int vpaes_set_encrypt_key(const unsigned char *userKey, int bits, AES_KEY *key); int vpaes_set_decrypt_key(const unsigned char *userKey, int bits, AES_KEY *key); void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out, @@ -56,6 +64,7 @@ extern const gnutls_crypto_cipher_st _gnutls_aes_gcm_pclmul; extern const gnutls_crypto_cipher_st _gnutls_aes_gcm_pclmul_avx; extern const gnutls_crypto_cipher_st _gnutls_aes_gcm_x86_aesni; extern const gnutls_crypto_cipher_st _gnutls_aes_ccm_x86_aesni; +extern const gnutls_crypto_cipher_st _gnutls_aes_xts_x86_aesni; extern const gnutls_crypto_cipher_st _gnutls_aes_gcm_x86_ssse3; extern const gnutls_crypto_cipher_st _gnutls_aes_ssse3; diff --git a/lib/accelerated/x86/aes-xts-x86-aesni.c b/lib/accelerated/x86/aes-xts-x86-aesni.c new file mode 100644 index 0000000000..3371d0812d --- /dev/null +++ b/lib/accelerated/x86/aes-xts-x86-aesni.c @@ -0,0 +1,160 @@ +/* + * Copyright (C) 2011-2012 Free Software Foundation, Inc. + * Copyright (C) 2020 Red Hat, Inc. + * + * Authors: Nikos Mavrogiannopoulos, Anderson Toshiyuki Sasaki + * + * This file is part of GnuTLS. + * + * The GnuTLS is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + * + */ + +/* + * The following code wraps the CRYPTOGAMS implementation of the AES-XTS cipher + * using Intel's AES instruction set. + */ + +#include "errors.h" +#include "gnutls_int.h" +#include "fips.h" +#include <gnutls/crypto.h> +#include <aes-x86.h> +#include <x86-common.h> + +struct x86_aes_xts_ctx { + AES_KEY block_key; + AES_KEY tweak_key; + uint8_t iv[16]; + int enc; +}; + +static int +x86_aes_xts_cipher_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, + int enc) +{ + if (algorithm != GNUTLS_CIPHER_AES_128_XTS && + algorithm != GNUTLS_CIPHER_AES_256_XTS) + return GNUTLS_E_INVALID_REQUEST; + + *_ctx = gnutls_calloc(1, sizeof(struct x86_aes_xts_ctx)); + if (*_ctx == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ((struct x86_aes_xts_ctx *) (*_ctx))->enc = enc; + + return 0; +} + +static int +x86_aes_xts_cipher_setkey(void *_ctx, const void *userkey, size_t keysize) +{ + struct x86_aes_xts_ctx *ctx = _ctx; + int ret; + size_t keybits; + const uint8_t *key = userkey; + + if ((keysize != 32) && (keysize != 64)) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + /* Check key block according to FIPS-140-2 IG A.9 */ + if (_gnutls_fips_mode_enabled()){ + if (safe_memcmp(key, key + (keysize / 2), keysize / 2) == 0) { + _gnutls_switch_lib_state(LIB_STATE_ERROR); + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + } + } + + /* Size in bits of each half for block and tweak (=keysize * 8 / 2) */ + keybits = keysize * 4; + + if (ctx->enc) + ret = + aesni_set_encrypt_key(key, keybits, + ALIGN16(&ctx->block_key)); + else + ret = + aesni_set_decrypt_key(key, keybits, + ALIGN16(&ctx->block_key)); + + if (ret != 0) + return gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED); + + ret = + aesni_set_encrypt_key(key + (keysize / 2), keybits, + ALIGN16(&ctx->tweak_key)); + if (ret != 0) + return gnutls_assert_val(GNUTLS_E_ENCRYPTION_FAILED); + + return 0; +} + +static int x86_aes_xts_setiv(void *_ctx, const void *iv, size_t iv_size) +{ + struct x86_aes_xts_ctx *ctx = _ctx; + + if (iv_size != 16) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + memcpy(ctx->iv, iv, 16); + return 0; +} + +static int +x86_aes_xts_encrypt(void *_ctx, const void *src, size_t src_size, + void *dst, size_t dst_size) +{ + struct x86_aes_xts_ctx *ctx = _ctx; + + if (src_size < 16) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + aesni_xts_encrypt(src, dst, src_size, ALIGN16(&ctx->block_key), + ALIGN16(&ctx->tweak_key), ctx->iv); + return 0; +} + +static int +x86_aes_xts_decrypt(void *_ctx, const void *src, size_t src_size, + void *dst, size_t dst_size) +{ + struct x86_aes_xts_ctx *ctx = _ctx; + + if (src_size < 16) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + aesni_xts_decrypt(src, dst, src_size, ALIGN16(&ctx->block_key), + ALIGN16(&ctx->tweak_key), ctx->iv); + return 0; +} + +static void x86_aes_xts_deinit(void *_ctx) +{ + struct x86_aes_xts_ctx *ctx = _ctx; + + zeroize_temp_key(ctx, sizeof(*ctx)); + gnutls_free(ctx); +} + +const gnutls_crypto_cipher_st _gnutls_aes_xts_x86_aesni = { + .init = x86_aes_xts_cipher_init, + .setkey = x86_aes_xts_cipher_setkey, + .setiv = x86_aes_xts_setiv, + .encrypt = x86_aes_xts_encrypt, + .decrypt = x86_aes_xts_decrypt, + .deinit = x86_aes_xts_deinit, +}; + diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c index 516d6776c5..459397c118 100644 --- a/lib/accelerated/x86/x86-common.c +++ b/lib/accelerated/x86/x86-common.c @@ -723,6 +723,22 @@ void register_x86_intel_crypto(unsigned capabilities) gnutls_assert(); } + ret = + gnutls_crypto_single_cipher_register + (GNUTLS_CIPHER_AES_128_XTS, 80, + &_gnutls_aes_xts_x86_aesni, 0); + if (ret < 0) { + gnutls_assert(); + } + + ret = + gnutls_crypto_single_cipher_register + (GNUTLS_CIPHER_AES_256_XTS, 80, + &_gnutls_aes_xts_x86_aesni, 0); + if (ret < 0) { + gnutls_assert(); + } + #ifdef ASM_X86_64 if (check_pclmul()) { /* register GCM ciphers */ diff --git a/src/benchmark-cipher.c b/src/benchmark-cipher.c index 26d2c63c22..03e1d45fef 100644 --- a/src/benchmark-cipher.c +++ b/src/benchmark-cipher.c @@ -153,6 +153,12 @@ static void cipher_bench(int algo, int size, int aead) return; memset(_key, 0xf0, keysize); + /* For AES-XTS, the block and tweak key must be different */ + if (algo == GNUTLS_CIPHER_AES_128_XTS || + algo == GNUTLS_CIPHER_AES_256_XTS) { + memset((uint8_t *)_key + (keysize / 2), 0x0f, (keysize / 2)); + } + _iv = malloc(ivsize); if (_iv == NULL) { free(_key); @@ -303,6 +309,8 @@ void benchmark_cipher(int debug_level) printf("\nChecking ciphers, payload size: %u\n", size * 1024); cipher_bench(GNUTLS_CIPHER_3DES_CBC, size, 0); cipher_bench(GNUTLS_CIPHER_AES_128_CBC, size, 0); + cipher_bench(GNUTLS_CIPHER_AES_128_XTS, size, 0); + cipher_bench(GNUTLS_CIPHER_AES_256_XTS, size, 0); cipher_bench(GNUTLS_CIPHER_SALSA20_256, size, 0); cipher_bench(GNUTLS_CIPHER_NULL, size, 1); #ifdef ENABLE_GOST diff --git a/src/cli-args.def b/src/cli-args.def index a8760fab90..56ae77b077 100644 --- a/src/cli-args.def +++ b/src/cli-args.def @@ -471,6 +471,12 @@ flag = { doc = ""; }; +flag = { + name = waitresumption; + descrip = "Block waiting for the resumption data under TLS1.3"; + doc = "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided."; +}; + doc-section = { ds-type = 'SEE ALSO'; // or anything else ds-format = 'texi'; // or texi or mdoc format @@ -78,7 +78,7 @@ /* global stuff here */ int resume, starttls, insecure, ranges, rehandshake, udp, mtu, - inline_commands; + inline_commands, waitresumption; unsigned int global_vflags = 0; char *hostname = NULL; char service[32]=""; @@ -992,11 +992,19 @@ static int try_resume(socket_st * hd) gnutls_datum_t edata = {NULL, 0}; if (gnutls_session_is_resumed(hd->session) == 0) { - /* not resumed - obtain the session data */ - ret = gnutls_session_get_data2(hd->session, &rdata); - if (ret < 0) { - rdata.data = NULL; - } + do { + /* not resumed - obtain the session data */ + ret = gnutls_session_get_data2(hd->session, &rdata); + if (ret < 0) { + rdata.data = NULL; + } + + if ((gnutls_protocol_get_version(hd->session) != GNUTLS_TLS1_3) || + ((gnutls_session_get_flags(hd->session) & + GNUTLS_SFLAGS_SESSION_TICKET))) { + break; + } + } while (waitresumption); } else { /* resumed - try to reuse the previous session data */ rdata.data = hd->rdata.data; @@ -1688,6 +1696,7 @@ static void cmd_parser(int argc, char **argv) rehandshake = HAVE_OPT(REHANDSHAKE); insecure = HAVE_OPT(INSECURE); ranges = HAVE_OPT(RANGES); + waitresumption = HAVE_OPT(WAITRESUMPTION); if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) { global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN; |