[tripe] / server / bulkcrypto.c

/* -*-c-*-
 *
 * Bulk crypto transformations
 *
 * (c) 2014 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Trivial IP Encryption (TrIPE).
 *
 * TrIPE is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * TrIPE is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with TrIPE; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include "tripe.h"

/*----- Utilities ---------------------------------------------------------*/

#define SEQSZ 4				/* Size of sequence number packet */

#define TRACE_IV(qiv, ivsz) do { IF_TRACING(T_KEYSET, {			\
  trace_block(T_CRYPTO, "crypto: initialization vector",		\
	      (qiv), (ivsz));						\
}) } while (0)

#define TRACE_CT(qpk, sz) do { IF_TRACING(T_KEYSET, {			\
  trace_block(T_CRYPTO, "crypto: encrypted packet", (qpk), (sz));	\
}) } while (0)

#define TRACE_MAC(qmac, tagsz) do { IF_TRACING(T_KEYSET, {		\
  trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz));	\
}) } while (0)

#define CHECK_MAC(h, pmac, tagsz) do {					\
  ghash *_h = (h);							\
  const octet *_pmac = (pmac);						\
  size_t _tagsz = (tagsz);						\
  octet *_mac = GH_DONE(_h, 0);						\
  int _eq = ct_memeq(_mac, _pmac, _tagsz);				\
  TRACE_MAC(_mac, _tagsz);						\
  GH_DESTROY(_h);							\
  if (!_eq) {								\
    IF_TRACING(T_KEYSET, {						\
      trace(T_KEYSET, "keyset: incorrect MAC: decryption failed");	\
      trace_block(T_CRYPTO, "crypto: expected MAC", _pmac, _tagsz);	\
    })									\
    return (KSERR_DECRYPT);						\
  }									\
} while (0)

/*----- The original transform --------------------------------------------*
 *
 * We generate a random initialization vector (if the cipher needs one).  We
 * encrypt the input message with the cipher, and format the type, sequence
 * number, IV, and ciphertext as follows.
 *
 *		+------+ +------+---...---+------...------+
 *		| type | | seq	|   iv	  |   ciphertext  |
 *		+------+ +------+---...---+------...------+
 *		   32	    32	   blksz	 sz
 *
 * All of this is fed into the MAC to compute a tag.  The type is not
 * transmitted: the other end knows what type of message it expects, and the
 * type is only here to prevent us from being confused because some other
 * kind of ciphertext has been substituted.  The tag is prepended to the
 * remainder, to yield the finished cryptogram, as follows.
 *
 *		+---...---+------+---...---+------...------+
 *		|   tag	  | seq	 |   iv	   |   ciphertext  |
 *		+---...---+------+---...---+------...------+
 *		   tagsz     32	    blksz	  sz
 *
 * Decryption: checks the overall size, verifies the tag, then decrypts the
 * ciphertext and extracts the sequence number.
 */

static int v0_check(const algswitch *a, dstr *e)
  { return (0); }

static size_t v0_overhead(const algswitch *a)
  { return a->tagsz + SEQSZ + a->c->blksz; }

static int v0_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb)
{
  ghash *h;
  gcipher *c = ks->out.c;
  const octet *p = BCUR(b);
  size_t sz = BLEFT(b);
  octet *qmac, *qseq, *qiv, *qpk;
  uint32 oseq;
  size_t ivsz = GC_CLASS(c)->blksz;
  size_t tagsz = ks->tagsz;
  octet t[4];

  /* --- Determine the ciphertext layout --- */

  if (buf_ensure(bb, tagsz + SEQSZ + ivsz + sz)) return (0);
  qmac = BCUR(bb); qseq = qmac + tagsz; qiv = qseq + SEQSZ; qpk = qiv + ivsz;
  BSTEP(bb, tagsz + SEQSZ + ivsz + sz);

  /* --- Store the type --- *
   *
   * This isn't transmitted, but it's covered by the MAC.
   */

  STORE32(t, ty);

  /* --- Store the sequence number --- */

  oseq = ks->oseq++;
  STORE32(qseq, oseq);

  /* --- Establish an initialization vector if necessary --- */

  if (ivsz) {
    rand_get(RAND_GLOBAL, qiv, ivsz);
    GC_SETIV(c, qiv);
    TRACE_IV(qiv, ivsz);
  }

  /* --- Encrypt the packet --- */

  GC_ENCRYPT(c, p, qpk, sz);
  TRACE_CT(qpk, sz);

  /* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */

  if (tagsz) {
    h = GM_INIT(ks->out.m);
    GH_HASH(h, t, sizeof(t));
    GH_HASH(h, qseq, SEQSZ + ivsz + sz);
    memcpy(qmac, GH_DONE(h, 0), tagsz);
    GH_DESTROY(h);
    TRACE_MAC(qmac, tagsz);
  }

  /* --- We're done --- */

  return (0);
}

static int v0_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq)
{
  const octet *pmac, *piv, *pseq, *ppk;
  size_t psz = BLEFT(b);
  size_t sz;
  octet *q = BCUR(bb);
  ghash *h;
  gcipher *c = ks->in.c;
  size_t ivsz = GC_CLASS(c)->blksz;
  size_t tagsz = ks->tagsz;
  octet t[4];

  /* --- Break up the packet into its components --- */

  if (psz < ivsz + SEQSZ + tagsz) {
    T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); )
    return (KSERR_MALFORMED);
  }
  sz = psz - ivsz - SEQSZ - tagsz;
  pmac = BCUR(b); pseq = pmac + tagsz; piv = pseq + SEQSZ; ppk = piv + ivsz;
  STORE32(t, ty);

  /* --- Verify the MAC on the packet --- */

  if (tagsz) {
    h = GM_INIT(ks->in.m);
    GH_HASH(h, t, sizeof(t));
    GH_HASH(h, pseq, SEQSZ + ivsz + sz);
    CHECK_MAC(h, pmac, tagsz);
  }

  /* --- Decrypt the packet --- */

  if (ivsz) {
    TRACE_IV(piv, ivsz);
    GC_SETIV(c, piv);
  }
  GC_DECRYPT(c, ppk, q, sz);

  /* --- Finished --- */

  *seq = LOAD32(pseq);
  BSTEP(bb, sz);
  return (0);
}

/*----- The implicit-IV transform -----------------------------------------*
 *
 * The v0 transform makes everything explicit.  There's an IV because the
 * cipher needs an IV; there's a sequence number because replay prevention
 * needs a sequence number.
 *
 * This new transform works rather differently.  We make use of a block
 * cipher to encrypt the sequence number, and use that as the IV.  We
 * transmit the sequence number in the clear, as before.  This reduces
 * overhead; and it's not a significant privacy leak because the adversary
 * can see the order in which the messages are transmitted -- i.e., the
 * sequence numbers are almost completely predictable anyway.
 *
 * So, a MAC is computed over
 *
 *		+------+ +------+------...------+
 *		| type | | seq	|   ciphertext  |
 *		+------+ +------+------...------+
 *		   32	    32	       sz
 *
 * and we actually transmit the following as the cryptogram.
 *
 *		+---...---+------+------...------+
 *		|   tag	  | seq	 |   ciphertext  |
 *		+---...---+------+------...------+
 *		   tagsz     32		sz
 */

static int iiv_check(const algswitch *a, dstr *e)
{
  if (a->b->blksz < a->c->blksz) {
    a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
	     "blksz-insufficient", A_END);
    return (-1);
  }
  return (0);
}

static size_t iiv_overhead(const algswitch *a)
  { return a->tagsz + SEQSZ; }

#define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, {		\
  trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz));	\
}) } while (0)

static int iiv_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb)
{
  ghash *h;
  gcipher *c = ks->out.c, *blkc = ks->out.b;
  const octet *p = BCUR(b);
  size_t sz = BLEFT(b);
  octet *qmac, *qseq, *qpk;
  uint32 oseq;
  size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
  size_t tagsz = ks->tagsz;
  octet t[4];

  /* --- Determine the ciphertext layout --- */

  if (buf_ensure(bb, tagsz + SEQSZ + sz)) return (0);
  qmac = BCUR(bb); qseq = qmac + tagsz; qpk = qseq + SEQSZ;
  BSTEP(bb, tagsz + SEQSZ + sz);

  /* --- Store the type --- *
   *
   * This isn't transmitted, but it's covered by the MAC.
   */

  STORE32(t, ty);

  /* --- Store the sequence number --- */

  oseq = ks->oseq++;
  STORE32(qseq, oseq);

  /* --- Establish an initialization vector if necessary --- */

  if (ivsz) {
    memset(buf_u, 0, blkcsz - SEQSZ);
    memcpy(buf_u + blkcsz - SEQSZ, qseq, SEQSZ);
    TRACE_PRESEQ(buf_u, ivsz);
    GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
    GC_SETIV(c, buf_u);
    TRACE_IV(buf_u, ivsz);
  }

  /* --- Encrypt the packet --- */

  GC_ENCRYPT(c, p, qpk, sz);
  TRACE_CT(qpk, sz);

  /* --- Compute a MAC over type, sequence number, and ciphertext --- */

  if (tagsz) {
    h = GM_INIT(ks->out.m);
    GH_HASH(h, t, sizeof(t));
    GH_HASH(h, qseq, SEQSZ + sz);
    memcpy(qmac, GH_DONE(h, 0), tagsz);
    GH_DESTROY(h);
    TRACE_MAC(qmac, tagsz);
  }

  /* --- We're done --- */

  return (0);
}

static int iiv_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq)
{
  const octet *pmac, *pseq, *ppk;
  size_t psz = BLEFT(b);
  size_t sz;
  octet *q = BCUR(bb);
  ghash *h;
  gcipher *c = ks->in.c, *blkc = ks->in.b;
  size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
  size_t tagsz = ks->tagsz;
  octet t[4];

  /* --- Break up the packet into its components --- */

  if (psz < SEQSZ + tagsz) {
    T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); )
    return (KSERR_MALFORMED);
  }
  sz = psz - SEQSZ - tagsz;
  pmac = BCUR(b); pseq = pmac + tagsz; ppk = pseq + SEQSZ;
  STORE32(t, ty);

  /* --- Verify the MAC on the packet --- */

  if (tagsz) {
    h = GM_INIT(ks->in.m);
    GH_HASH(h, t, sizeof(t));
    GH_HASH(h, pseq, SEQSZ + sz);
    CHECK_MAC(h, pmac, tagsz);
  }

  /* --- Decrypt the packet --- */

  if (ivsz) {
    memset(buf_u, 0, blkcsz - SEQSZ);
    memcpy(buf_u + blkcsz - SEQSZ, pseq, SEQSZ);
    TRACE_PRESEQ(buf_u, ivsz);
    GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
    GC_SETIV(c, buf_u);
    TRACE_IV(buf_u, ivsz);
  }
  GC_DECRYPT(c, ppk, q, sz);

  /* --- Finished --- */

  *seq = LOAD32(pseq);
  BSTEP(bb, sz);
  return (0);
}

/*----- Bulk crypto transform table ---------------------------------------*/

const bulkcrypto bulktab[] = {

#define BULK(name, pre, prim)						\
  { name, prim, pre##_check, pre##_overhead, pre##_encrypt, pre##_decrypt }

  BULK("v0", v0, BCP_CIPHER | BCP_MAC),
  BULK("iiv", iiv, BCP_CIPHER | BCP_MAC | BCP_BLKC),

#undef BULK
  { 0 }
};

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
a93aacce MW	1	/* --c--
	2	*
	3	* Bulk crypto transformations
	4	*
	5	* (c) 2014 Straylight/Edgeware
	6	*/
	7
	8	/----- Licensing notice --------------------------------------------------
	9	*
	10	* This file is part of Trivial IP Encryption (TrIPE).
	11	*
	12	* TrIPE is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU General Public License as published by
	14	* the Free Software Foundation; either version 2 of the License, or
	15	* (at your option) any later version.
	16	*
	17	* TrIPE is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU General Public License for more details.
	21	*
	22	* You should have received a copy of the GNU General Public License
	23	* along with TrIPE; if not, write to the Free Software Foundation,
	24	* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	25	*/
	26
	27	/----- Header files ------------------------------------------------------/
	28
	29	#include "tripe.h"
	30
	31	/----- Utilities ---------------------------------------------------------/
	32
	33	#define SEQSZ 4 /* Size of sequence number packet */
	34
	35	#define TRACE_IV(qiv, ivsz) do { IF_TRACING(T_KEYSET, { \
	36	trace_block(T_CRYPTO, "crypto: initialization vector", \
	37	(qiv), (ivsz)); \
	38	}) } while (0)
	39
	40	#define TRACE_CT(qpk, sz) do { IF_TRACING(T_KEYSET, { \
	41	trace_block(T_CRYPTO, "crypto: encrypted packet", (qpk), (sz)); \
	42	}) } while (0)
	43
	44	#define TRACE_MAC(qmac, tagsz) do { IF_TRACING(T_KEYSET, { \
	45	trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz)); \
	46	}) } while (0)
	47
	48	#define CHECK_MAC(h, pmac, tagsz) do { \
	49	ghash *_h = (h); \
	50	const octet *_pmac = (pmac); \
	51	size_t _tagsz = (tagsz); \
	52	octet *_mac = GH_DONE(_h, 0); \
	53	int _eq = ct_memeq(_mac, _pmac, _tagsz); \
	54	TRACE_MAC(_mac, _tagsz); \
	55	GH_DESTROY(_h); \
	56	if (!_eq) { \
	57	IF_TRACING(T_KEYSET, { \
	58	trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); \
	59	trace_block(T_CRYPTO, "crypto: expected MAC", _pmac, _tagsz); \
	60	}) \
	61	return (KSERR_DECRYPT); \
	62	} \
	63	} while (0)
	64
65	/----- The original transform --------------------------------------------
66	*
67	* We generate a random initialization vector (if the cipher needs one). We
68	* encrypt the input message with the cipher, and format the type, sequence
69	* number, IV, and ciphertext as follows.
70	*
71	* +------+ +------+---...---+------...------+
72	* \| type \| \| seq \| iv \| ciphertext \|
73	* +------+ +------+---...---+------...------+
74	* 32 32 blksz sz
75	*
76	* All of this is fed into the MAC to compute a tag. The type is not
77	* transmitted: the other end knows what type of message it expects, and the
78	* type is only here to prevent us from being confused because some other
79	* kind of ciphertext has been substituted. The tag is prepended to the
80	* remainder, to yield the finished cryptogram, as follows.
81	*
82	* +---...---+------+---...---+------...------+
83	* \| tag \| seq \| iv \| ciphertext \|
84	* +---...---+------+---...---+------...------+
85	* tagsz 32 blksz sz
86	*
87	* Decryption: checks the overall size, verifies the tag, then decrypts the
88	* ciphertext and extracts the sequence number.
89	*/
90
91	static int v0_check(const algswitch a, dstr e)
92	{ return (0); }
93
94	static size_t v0_overhead(const algswitch *a)
95	{ return a->tagsz + SEQSZ + a->c->blksz; }
96
97	static int v0_encrypt(keyset ks, unsigned ty, buf b, buf *bb)
98	{
99	ghash *h;
100	gcipher *c = ks->out.c;
101	const octet *p = BCUR(b);
102	size_t sz = BLEFT(b);
103	octet qmac, qseq, qiv, qpk;
104	uint32 oseq;
105	size_t ivsz = GC_CLASS(c)->blksz;
106	size_t tagsz = ks->tagsz;
107	octet t[4];
108
109	/* --- Determine the ciphertext layout --- */
110
111	if (buf_ensure(bb, tagsz + SEQSZ + ivsz + sz)) return (0);
112	qmac = BCUR(bb); qseq = qmac + tagsz; qiv = qseq + SEQSZ; qpk = qiv + ivsz;
113	BSTEP(bb, tagsz + SEQSZ + ivsz + sz);
114
115	/* --- Store the type --- *
116	*
117	* This isn't transmitted, but it's covered by the MAC.
118	*/
119
120	STORE32(t, ty);
121
122	/* --- Store the sequence number --- */
123
124	oseq = ks->oseq++;
125	STORE32(qseq, oseq);
126
127	/* --- Establish an initialization vector if necessary --- */
128
129	if (ivsz) {
130	rand_get(RAND_GLOBAL, qiv, ivsz);
131	GC_SETIV(c, qiv);
132	TRACE_IV(qiv, ivsz);
133	}
134
135	/* --- Encrypt the packet --- */
136
137	GC_ENCRYPT(c, p, qpk, sz);
138	TRACE_CT(qpk, sz);
139
140	/* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */
141
142	if (tagsz) {
143	h = GM_INIT(ks->out.m);
144	GH_HASH(h, t, sizeof(t));
145	GH_HASH(h, qseq, SEQSZ + ivsz + sz);
146	memcpy(qmac, GH_DONE(h, 0), tagsz);
147	GH_DESTROY(h);
148	TRACE_MAC(qmac, tagsz);
149	}
150
151	/* --- We're done --- */
152
153	return (0);
154	}
155
156	static int v0_decrypt(keyset ks, unsigned ty, buf b, buf bb, uint32 seq)
157	{
158	const octet pmac, piv, pseq, ppk;
159	size_t psz = BLEFT(b);
160	size_t sz;
161	octet *q = BCUR(bb);
162	ghash *h;
163	gcipher *c = ks->in.c;
164	size_t ivsz = GC_CLASS(c)->blksz;
165	size_t tagsz = ks->tagsz;
166	octet t[4];
167
168	/* --- Break up the packet into its components --- */
169
170	if (psz < ivsz + SEQSZ + tagsz) {
171	T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); )
172	return (KSERR_MALFORMED);
173	}
174	sz = psz - ivsz - SEQSZ - tagsz;
175	pmac = BCUR(b); pseq = pmac + tagsz; piv = pseq + SEQSZ; ppk = piv + ivsz;
176	STORE32(t, ty);
177
178	/* --- Verify the MAC on the packet --- */
179
180	if (tagsz) {
181	h = GM_INIT(ks->in.m);
182	GH_HASH(h, t, sizeof(t));
183	GH_HASH(h, pseq, SEQSZ + ivsz + sz);
184	CHECK_MAC(h, pmac, tagsz);
185	}
186
187	/* --- Decrypt the packet --- */
188
189	if (ivsz) {
190	TRACE_IV(piv, ivsz);
191	GC_SETIV(c, piv);
192	}
193	GC_DECRYPT(c, ppk, q, sz);
194
195	/* --- Finished --- */
196
197	*seq = LOAD32(pseq);
198	BSTEP(bb, sz);
199	return (0);
200	}
201
b87bffcb MW	202	/----- The implicit-IV transform -----------------------------------------
	203	*
	204	* The v0 transform makes everything explicit. There's an IV because the
	205	* cipher needs an IV; there's a sequence number because replay prevention
	206	* needs a sequence number.
	207	*
	208	* This new transform works rather differently. We make use of a block
	209	* cipher to encrypt the sequence number, and use that as the IV. We
	210	* transmit the sequence number in the clear, as before. This reduces
	211	* overhead; and it's not a significant privacy leak because the adversary
	212	* can see the order in which the messages are transmitted -- i.e., the
	213	* sequence numbers are almost completely predictable anyway.
	214	*
	215	* So, a MAC is computed over
	216	*
	217	* +------+ +------+------...------+
	218	* \| type \| \| seq \| ciphertext \|
	219	* +------+ +------+------...------+
	220	* 32 32 sz
	221	*
	222	* and we actually transmit the following as the cryptogram.
	223	*
	224	* +---...---+------+------...------+
	225	* \| tag \| seq \| ciphertext \|
	226	* +---...---+------+------...------+
	227	* tagsz 32 sz
	228	*/
	229
	230	static int iiv_check(const algswitch a, dstr e)
	231	{
	232	if (a->b->blksz < a->c->blksz) {
	233	a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
	234	"blksz-insufficient", A_END);
	235	return (-1);
	236	}
	237	return (0);
	238	}
	239
	240	static size_t iiv_overhead(const algswitch *a)
	241	{ return a->tagsz + SEQSZ; }
	242
	243	#define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, { \
	244	trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz)); \
	245	}) } while (0)
	246
	247	static int iiv_encrypt(keyset ks, unsigned ty, buf b, buf *bb)
	248	{
	249	ghash *h;
	250	gcipher c = ks->out.c, blkc = ks->out.b;
	251	const octet *p = BCUR(b);
	252	size_t sz = BLEFT(b);
	253	octet qmac, qseq, *qpk;
	254	uint32 oseq;
	255	size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
	256	size_t tagsz = ks->tagsz;
	257	octet t[4];
	258
	259	/* --- Determine the ciphertext layout --- */
	260
	261	if (buf_ensure(bb, tagsz + SEQSZ + sz)) return (0);
	262	qmac = BCUR(bb); qseq = qmac + tagsz; qpk = qseq + SEQSZ;
	263	BSTEP(bb, tagsz + SEQSZ + sz);
	264
	265	/* --- Store the type --- *
266	*
267	* This isn't transmitted, but it's covered by the MAC.
268	*/
269
270	STORE32(t, ty);
271
272	/* --- Store the sequence number --- */
273
274	oseq = ks->oseq++;
275	STORE32(qseq, oseq);
276
277	/* --- Establish an initialization vector if necessary --- */
278
279	if (ivsz) {
280	memset(buf_u, 0, blkcsz - SEQSZ);
281	memcpy(buf_u + blkcsz - SEQSZ, qseq, SEQSZ);
282	TRACE_PRESEQ(buf_u, ivsz);
283	GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
284	GC_SETIV(c, buf_u);
285	TRACE_IV(buf_u, ivsz);
286	}
287
288	/* --- Encrypt the packet --- */
289
290	GC_ENCRYPT(c, p, qpk, sz);
291	TRACE_CT(qpk, sz);
292
293	/* --- Compute a MAC over type, sequence number, and ciphertext --- */
294
295	if (tagsz) {
296	h = GM_INIT(ks->out.m);
297	GH_HASH(h, t, sizeof(t));
298	GH_HASH(h, qseq, SEQSZ + sz);
299	memcpy(qmac, GH_DONE(h, 0), tagsz);
300	GH_DESTROY(h);
301	TRACE_MAC(qmac, tagsz);
302	}
303
304	/* --- We're done --- */
305
306	return (0);
307	}
308
309	static int iiv_decrypt(keyset ks, unsigned ty, buf b, buf bb, uint32 seq)
310	{
311	const octet pmac, pseq, *ppk;
312	size_t psz = BLEFT(b);
313	size_t sz;
314	octet *q = BCUR(bb);
315	ghash *h;
316	gcipher c = ks->in.c, blkc = ks->in.b;
317	size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
318	size_t tagsz = ks->tagsz;
319	octet t[4];
320
321	/* --- Break up the packet into its components --- */
322
323	if (psz < SEQSZ + tagsz) {
324	T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); )
325	return (KSERR_MALFORMED);
326	}
327	sz = psz - SEQSZ - tagsz;
328	pmac = BCUR(b); pseq = pmac + tagsz; ppk = pseq + SEQSZ;
329	STORE32(t, ty);
330
331	/* --- Verify the MAC on the packet --- */
332
333	if (tagsz) {
334	h = GM_INIT(ks->in.m);
335	GH_HASH(h, t, sizeof(t));
336	GH_HASH(h, pseq, SEQSZ + sz);
337	CHECK_MAC(h, pmac, tagsz);
338	}
339
340	/* --- Decrypt the packet --- */
341
342	if (ivsz) {
343	memset(buf_u, 0, blkcsz - SEQSZ);
344	memcpy(buf_u + blkcsz - SEQSZ, pseq, SEQSZ);
345	TRACE_PRESEQ(buf_u, ivsz);
346	GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
347	GC_SETIV(c, buf_u);
348	TRACE_IV(buf_u, ivsz);
349	}
350	GC_DECRYPT(c, ppk, q, sz);
351
352	/* --- Finished --- */
353
354	*seq = LOAD32(pseq);
355	BSTEP(bb, sz);
356	return (0);
357	}
358
a93aacce MW	359	/----- Bulk crypto transform table ---------------------------------------/
	360
	361	const bulkcrypto bulktab[] = {
	362
	363	#define BULK(name, pre, prim) \
	364	{ name, prim, pre##_check, pre##_overhead, pre##_encrypt, pre##_decrypt }
	365
	366	BULK("v0", v0, BCP_CIPHER \| BCP_MAC),
b87bffcb	367	BULK("iiv", iiv, BCP_CIPHER \| BCP_MAC \| BCP_BLKC),
a93aacce MW	368
	369	#undef BULK
	370	{ 0 }
	371	};
	372
	373	/----- That's all, folks -------------------------------------------------/