[tripe] / server / bulkcrypto.c

/* -*-c-*-
 *
 * Bulk crypto transformations
 *
 * (c) 2014 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Trivial IP Encryption (TrIPE).
 *
 * TrIPE is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * TrIPE is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with TrIPE; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include "tripe.h"

/*----- Utilities ---------------------------------------------------------*/

#define SEQSZ 4				/* Size of sequence number packet */

#define TRACE_IV(qiv, ivsz) do { IF_TRACING(T_KEYSET, {			\
  trace_block(T_CRYPTO, "crypto: initialization vector",		\
	      (qiv), (ivsz));						\
}) } while (0)

#define TRACE_CT(qpk, sz) do { IF_TRACING(T_KEYSET, {			\
  trace_block(T_CRYPTO, "crypto: encrypted packet", (qpk), (sz));	\
}) } while (0)

#define TRACE_MAC(qmac, tagsz) do { IF_TRACING(T_KEYSET, {		\
  trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz));	\
}) } while (0)

#define TRACE_MACERR(pmac, tagsz) do { IF_TRACING(T_KEYSET, {		\
  trace(T_KEYSET, "keyset: incorrect MAC: decryption failed");		\
  trace_block(T_CRYPTO, "crypto: expected MAC", (pmac), (tagsz));	\
}) } while (0)

#define CHECK_MAC(h, pmac, tagsz) do {					\
  ghash *_h = (h);							\
  const octet *_pmac = (pmac);						\
  size_t _tagsz = (tagsz);						\
  octet *_mac = GH_DONE(_h, 0);						\
  int _eq = ct_memeq(_mac, _pmac, _tagsz);				\
  TRACE_MAC(_mac, _tagsz);						\
  GH_DESTROY(_h);							\
  if (!_eq) {								\
    TRACE_MACERR(_pmac, _tagsz);					\
    return (KSERR_DECRYPT);						\
  }									\
} while (0)

/*----- The original transform --------------------------------------------*
 *
 * We generate a random initialization vector (if the cipher needs one).  We
 * encrypt the input message with the cipher, and format the type, sequence
 * number, IV, and ciphertext as follows.
 *
 *		+------+ +------+---...---+------...------+
 *		| type | | seq	|   iv	  |   ciphertext  |
 *		+------+ +------+---...---+------...------+
 *		   32	    32	   blksz	 sz
 *
 * All of this is fed into the MAC to compute a tag.  The type is not
 * transmitted: the other end knows what type of message it expects, and the
 * type is only here to prevent us from being confused because some other
 * kind of ciphertext has been substituted.  The tag is prepended to the
 * remainder, to yield the finished cryptogram, as follows.
 *
 *		+---...---+------+---...---+------...------+
 *		|   tag	  | seq	 |   iv	   |   ciphertext  |
 *		+---...---+------+---...---+------...------+
 *		   tagsz     32	    blksz	  sz
 *
 * Decryption: checks the overall size, verifies the tag, then decrypts the
 * ciphertext and extracts the sequence number.
 */

static int v0_check(const algswitch *a, dstr *e)
  { return (0); }

static size_t v0_overhead(const algswitch *a)
  { return a->tagsz + SEQSZ + a->c->blksz; }

static int v0_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb)
{
  ghash *h;
  gcipher *c = ks->out.c;
  const octet *p = BCUR(b);
  size_t sz = BLEFT(b);
  octet *qmac, *qseq, *qiv, *qpk;
  uint32 oseq;
  size_t ivsz = GC_CLASS(c)->blksz;
  size_t tagsz = ks->tagsz;
  octet t[4];

  /* --- Determine the ciphertext layout --- */

  if (buf_ensure(bb, tagsz + SEQSZ + ivsz + sz)) return (0);
  qmac = BCUR(bb); qseq = qmac + tagsz; qiv = qseq + SEQSZ; qpk = qiv + ivsz;
  BSTEP(bb, tagsz + SEQSZ + ivsz + sz);

  /* --- Store the type --- *
   *
   * This isn't transmitted, but it's covered by the MAC.
   */

  STORE32(t, ty);

  /* --- Store the sequence number --- */

  oseq = ks->oseq++;
  STORE32(qseq, oseq);

  /* --- Establish an initialization vector if necessary --- */

  if (ivsz) {
    rand_get(RAND_GLOBAL, qiv, ivsz);
    GC_SETIV(c, qiv);
    TRACE_IV(qiv, ivsz);
  }

  /* --- Encrypt the packet --- */

  GC_ENCRYPT(c, p, qpk, sz);
  TRACE_CT(qpk, sz);

  /* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */

  if (tagsz) {
    h = GM_INIT(ks->out.m);
    GH_HASH(h, t, sizeof(t));
    GH_HASH(h, qseq, SEQSZ + ivsz + sz);
    memcpy(qmac, GH_DONE(h, 0), tagsz);
    GH_DESTROY(h);
    TRACE_MAC(qmac, tagsz);
  }

  /* --- We're done --- */

  return (0);
}

static int v0_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq)
{
  const octet *pmac, *piv, *pseq, *ppk;
  size_t psz = BLEFT(b);
  size_t sz;
  octet *q = BCUR(bb);
  ghash *h;
  gcipher *c = ks->in.c;
  size_t ivsz = GC_CLASS(c)->blksz;
  size_t tagsz = ks->tagsz;
  octet t[4];

  /* --- Break up the packet into its components --- */

  if (psz < ivsz + SEQSZ + tagsz) {
    T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); )
    return (KSERR_MALFORMED);
  }
  sz = psz - ivsz - SEQSZ - tagsz;
  pmac = BCUR(b); pseq = pmac + tagsz; piv = pseq + SEQSZ; ppk = piv + ivsz;
  STORE32(t, ty);

  /* --- Verify the MAC on the packet --- */

  if (tagsz) {
    h = GM_INIT(ks->in.m);
    GH_HASH(h, t, sizeof(t));
    GH_HASH(h, pseq, SEQSZ + ivsz + sz);
    CHECK_MAC(h, pmac, tagsz);
  }

  /* --- Decrypt the packet --- */

  if (ivsz) {
    TRACE_IV(piv, ivsz);
    GC_SETIV(c, piv);
  }
  GC_DECRYPT(c, ppk, q, sz);

  /* --- Finished --- */

  *seq = LOAD32(pseq);
  BSTEP(bb, sz);
  return (0);
}

/*----- The implicit-IV transform -----------------------------------------*
 *
 * The v0 transform makes everything explicit.  There's an IV because the
 * cipher needs an IV; there's a sequence number because replay prevention
 * needs a sequence number.
 *
 * This new transform works rather differently.  We make use of a block
 * cipher to encrypt the sequence number, and use that as the IV.  We
 * transmit the sequence number in the clear, as before.  This reduces
 * overhead; and it's not a significant privacy leak because the adversary
 * can see the order in which the messages are transmitted -- i.e., the
 * sequence numbers are almost completely predictable anyway.
 *
 * So, a MAC is computed over
 *
 *		+------+ +------+------...------+
 *		| type | | seq	|   ciphertext  |
 *		+------+ +------+------...------+
 *		   32	    32	       sz
 *
 * and we actually transmit the following as the cryptogram.
 *
 *		+---...---+------+------...------+
 *		|   tag	  | seq	 |   ciphertext  |
 *		+---...---+------+------...------+
 *		   tagsz     32		sz
 */

static int iiv_check(const algswitch *a, dstr *e)
{
  if (a->b->blksz < a->c->blksz) {
    a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
	     "blksz-insufficient", A_END);
    return (-1);
  }
  return (0);
}

static size_t iiv_overhead(const algswitch *a)
  { return a->tagsz + SEQSZ; }

#define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, {		\
  trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz));	\
}) } while (0)

static int iiv_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb)
{
  ghash *h;
  gcipher *c = ks->out.c, *blkc = ks->out.b;
  const octet *p = BCUR(b);
  size_t sz = BLEFT(b);
  octet *qmac, *qseq, *qpk;
  uint32 oseq;
  size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
  size_t tagsz = ks->tagsz;
  octet t[4];

  /* --- Determine the ciphertext layout --- */

  if (buf_ensure(bb, tagsz + SEQSZ + sz)) return (0);
  qmac = BCUR(bb); qseq = qmac + tagsz; qpk = qseq + SEQSZ;
  BSTEP(bb, tagsz + SEQSZ + sz);

  /* --- Store the type --- *
   *
   * This isn't transmitted, but it's covered by the MAC.
   */

  STORE32(t, ty);

  /* --- Store the sequence number --- */

  oseq = ks->oseq++;
  STORE32(qseq, oseq);

  /* --- Establish an initialization vector if necessary --- */

  if (ivsz) {
    memset(buf_u, 0, blkcsz - SEQSZ);
    memcpy(buf_u + blkcsz - SEQSZ, qseq, SEQSZ);
    TRACE_PRESEQ(buf_u, ivsz);
    GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
    GC_SETIV(c, buf_u);
    TRACE_IV(buf_u, ivsz);
  }

  /* --- Encrypt the packet --- */

  GC_ENCRYPT(c, p, qpk, sz);
  TRACE_CT(qpk, sz);

  /* --- Compute a MAC over type, sequence number, and ciphertext --- */

  if (tagsz) {
    h = GM_INIT(ks->out.m);
    GH_HASH(h, t, sizeof(t));
    GH_HASH(h, qseq, SEQSZ + sz);
    memcpy(qmac, GH_DONE(h, 0), tagsz);
    GH_DESTROY(h);
    TRACE_MAC(qmac, tagsz);
  }

  /* --- We're done --- */

  return (0);
}

static int iiv_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq)
{
  const octet *pmac, *pseq, *ppk;
  size_t psz = BLEFT(b);
  size_t sz;
  octet *q = BCUR(bb);
  ghash *h;
  gcipher *c = ks->in.c, *blkc = ks->in.b;
  size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
  size_t tagsz = ks->tagsz;
  octet t[4];

  /* --- Break up the packet into its components --- */

  if (psz < SEQSZ + tagsz) {
    T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); )
    return (KSERR_MALFORMED);
  }
  sz = psz - SEQSZ - tagsz;
  pmac = BCUR(b); pseq = pmac + tagsz; ppk = pseq + SEQSZ;
  STORE32(t, ty);

  /* --- Verify the MAC on the packet --- */

  if (tagsz) {
    h = GM_INIT(ks->in.m);
    GH_HASH(h, t, sizeof(t));
    GH_HASH(h, pseq, SEQSZ + sz);
    CHECK_MAC(h, pmac, tagsz);
  }

  /* --- Decrypt the packet --- */

  if (ivsz) {
    memset(buf_u, 0, blkcsz - SEQSZ);
    memcpy(buf_u + blkcsz - SEQSZ, pseq, SEQSZ);
    TRACE_PRESEQ(buf_u, ivsz);
    GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
    GC_SETIV(c, buf_u);
    TRACE_IV(buf_u, ivsz);
  }
  GC_DECRYPT(c, ppk, q, sz);

  /* --- Finished --- */

  *seq = LOAD32(pseq);
  BSTEP(bb, sz);
  return (0);
}

/*----- Bulk crypto transform table ---------------------------------------*/

const bulkops bulktab[] = {

#define BULK(name, pre, prim)						\
  { name, prim, pre##_check, pre##_overhead, pre##_encrypt, pre##_decrypt }

  BULK("v0", v0, BCP_CIPHER | BCP_MAC),
  BULK("iiv", iiv, BCP_CIPHER | BCP_MAC | BCP_BLKC),

#undef BULK
  { 0 }
};

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
a93aacce MW	1	/* --c--
	2	*
	3	* Bulk crypto transformations
	4	*
	5	* (c) 2014 Straylight/Edgeware
	6	*/
	7
	8	/----- Licensing notice --------------------------------------------------
	9	*
	10	* This file is part of Trivial IP Encryption (TrIPE).
	11	*
	12	* TrIPE is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU General Public License as published by
	14	* the Free Software Foundation; either version 2 of the License, or
	15	* (at your option) any later version.
	16	*
	17	* TrIPE is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU General Public License for more details.
	21	*
	22	* You should have received a copy of the GNU General Public License
	23	* along with TrIPE; if not, write to the Free Software Foundation,
	24	* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	25	*/
	26
	27	/----- Header files ------------------------------------------------------/
	28
	29	#include "tripe.h"
	30
	31	/----- Utilities ---------------------------------------------------------/
	32
	33	#define SEQSZ 4 /* Size of sequence number packet */
	34
	35	#define TRACE_IV(qiv, ivsz) do { IF_TRACING(T_KEYSET, { \
	36	trace_block(T_CRYPTO, "crypto: initialization vector", \
	37	(qiv), (ivsz)); \
	38	}) } while (0)
	39
	40	#define TRACE_CT(qpk, sz) do { IF_TRACING(T_KEYSET, { \
	41	trace_block(T_CRYPTO, "crypto: encrypted packet", (qpk), (sz)); \
	42	}) } while (0)
	43
	44	#define TRACE_MAC(qmac, tagsz) do { IF_TRACING(T_KEYSET, { \
	45	trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz)); \
	46	}) } while (0)
	47
9a361a98 MW	48	#define TRACE_MACERR(pmac, tagsz) do { IF_TRACING(T_KEYSET, { \
	49	trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); \
	50	trace_block(T_CRYPTO, "crypto: expected MAC", (pmac), (tagsz)); \
	51	}) } while (0)
	52
a93aacce MW	53	#define CHECK_MAC(h, pmac, tagsz) do { \
	54	ghash *_h = (h); \
	55	const octet *_pmac = (pmac); \
	56	size_t _tagsz = (tagsz); \
	57	octet *_mac = GH_DONE(_h, 0); \
	58	int _eq = ct_memeq(_mac, _pmac, _tagsz); \
	59	TRACE_MAC(_mac, _tagsz); \
	60	GH_DESTROY(_h); \
	61	if (!_eq) { \
9a361a98	62	TRACE_MACERR(_pmac, _tagsz); \
a93aacce MW	63	return (KSERR_DECRYPT); \
	64	} \
	65	} while (0)
	66
	67	/----- The original transform --------------------------------------------
	68	*
	69	* We generate a random initialization vector (if the cipher needs one). We
	70	* encrypt the input message with the cipher, and format the type, sequence
	71	* number, IV, and ciphertext as follows.
	72	*
	73	* +------+ +------+---...---+------...------+
	74	* \| type \| \| seq \| iv \| ciphertext \|
	75	* +------+ +------+---...---+------...------+
	76	* 32 32 blksz sz
	77	*
	78	* All of this is fed into the MAC to compute a tag. The type is not
	79	* transmitted: the other end knows what type of message it expects, and the
	80	* type is only here to prevent us from being confused because some other
	81	* kind of ciphertext has been substituted. The tag is prepended to the
	82	* remainder, to yield the finished cryptogram, as follows.
	83	*
	84	* +---...---+------+---...---+------...------+
	85	* \| tag \| seq \| iv \| ciphertext \|
	86	* +---...---+------+---...---+------...------+
	87	* tagsz 32 blksz sz
	88	*
	89	* Decryption: checks the overall size, verifies the tag, then decrypts the
	90	* ciphertext and extracts the sequence number.
	91	*/
	92
	93	static int v0_check(const algswitch a, dstr e)
	94	{ return (0); }
	95
	96	static size_t v0_overhead(const algswitch *a)
	97	{ return a->tagsz + SEQSZ + a->c->blksz; }
	98
	99	static int v0_encrypt(keyset ks, unsigned ty, buf b, buf *bb)
	100	{
	101	ghash *h;
	102	gcipher *c = ks->out.c;
	103	const octet *p = BCUR(b);
	104	size_t sz = BLEFT(b);
	105	octet qmac, qseq, qiv, qpk;
	106	uint32 oseq;
	107	size_t ivsz = GC_CLASS(c)->blksz;
	108	size_t tagsz = ks->tagsz;
	109	octet t[4];
	110
	111	/* --- Determine the ciphertext layout --- */
	112
	113	if (buf_ensure(bb, tagsz + SEQSZ + ivsz + sz)) return (0);
	114	qmac = BCUR(bb); qseq = qmac + tagsz; qiv = qseq + SEQSZ; qpk = qiv + ivsz;
	115	BSTEP(bb, tagsz + SEQSZ + ivsz + sz);
	116
	117	/* --- Store the type --- *
	118	*
	119	* This isn't transmitted, but it's covered by the MAC.
	120	*/
	121
	122	STORE32(t, ty);
	123
	124	/* --- Store the sequence number --- */
	125
	126	oseq = ks->oseq++;
127	STORE32(qseq, oseq);
128
129	/* --- Establish an initialization vector if necessary --- */
130
131	if (ivsz) {
132	rand_get(RAND_GLOBAL, qiv, ivsz);
133	GC_SETIV(c, qiv);
134	TRACE_IV(qiv, ivsz);
135	}
136
137	/* --- Encrypt the packet --- */
138
139	GC_ENCRYPT(c, p, qpk, sz);
140	TRACE_CT(qpk, sz);
141
142	/* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */
143
144	if (tagsz) {
145	h = GM_INIT(ks->out.m);
146	GH_HASH(h, t, sizeof(t));
147	GH_HASH(h, qseq, SEQSZ + ivsz + sz);
148	memcpy(qmac, GH_DONE(h, 0), tagsz);
149	GH_DESTROY(h);
150	TRACE_MAC(qmac, tagsz);
151	}
152
153	/* --- We're done --- */
154
155	return (0);
156	}
157
158	static int v0_decrypt(keyset ks, unsigned ty, buf b, buf bb, uint32 seq)
159	{
160	const octet pmac, piv, pseq, ppk;
161	size_t psz = BLEFT(b);
162	size_t sz;
163	octet *q = BCUR(bb);
164	ghash *h;
165	gcipher *c = ks->in.c;
166	size_t ivsz = GC_CLASS(c)->blksz;
167	size_t tagsz = ks->tagsz;
168	octet t[4];
169
170	/* --- Break up the packet into its components --- */
171
172	if (psz < ivsz + SEQSZ + tagsz) {
173	T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); )
174	return (KSERR_MALFORMED);
175	}
176	sz = psz - ivsz - SEQSZ - tagsz;
177	pmac = BCUR(b); pseq = pmac + tagsz; piv = pseq + SEQSZ; ppk = piv + ivsz;
178	STORE32(t, ty);
179
180	/* --- Verify the MAC on the packet --- */
181
182	if (tagsz) {
183	h = GM_INIT(ks->in.m);
184	GH_HASH(h, t, sizeof(t));
185	GH_HASH(h, pseq, SEQSZ + ivsz + sz);
186	CHECK_MAC(h, pmac, tagsz);
187	}
188
189	/* --- Decrypt the packet --- */
190
191	if (ivsz) {
192	TRACE_IV(piv, ivsz);
193	GC_SETIV(c, piv);
194	}
195	GC_DECRYPT(c, ppk, q, sz);
196
197	/* --- Finished --- */
198
199	*seq = LOAD32(pseq);
200	BSTEP(bb, sz);
201	return (0);
202	}
203
b87bffcb MW	204	/----- The implicit-IV transform -----------------------------------------
	205	*
	206	* The v0 transform makes everything explicit. There's an IV because the
	207	* cipher needs an IV; there's a sequence number because replay prevention
	208	* needs a sequence number.
	209	*
	210	* This new transform works rather differently. We make use of a block
	211	* cipher to encrypt the sequence number, and use that as the IV. We
	212	* transmit the sequence number in the clear, as before. This reduces
	213	* overhead; and it's not a significant privacy leak because the adversary
	214	* can see the order in which the messages are transmitted -- i.e., the
	215	* sequence numbers are almost completely predictable anyway.
	216	*
	217	* So, a MAC is computed over
	218	*
	219	* +------+ +------+------...------+
	220	* \| type \| \| seq \| ciphertext \|
	221	* +------+ +------+------...------+
	222	* 32 32 sz
	223	*
	224	* and we actually transmit the following as the cryptogram.
	225	*
	226	* +---...---+------+------...------+
	227	* \| tag \| seq \| ciphertext \|
	228	* +---...---+------+------...------+
	229	* tagsz 32 sz
	230	*/
	231
	232	static int iiv_check(const algswitch a, dstr e)
	233	{
	234	if (a->b->blksz < a->c->blksz) {
	235	a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
	236	"blksz-insufficient", A_END);
	237	return (-1);
	238	}
	239	return (0);
	240	}
	241
	242	static size_t iiv_overhead(const algswitch *a)
	243	{ return a->tagsz + SEQSZ; }
	244
	245	#define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, { \
	246	trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz)); \
	247	}) } while (0)
	248
	249	static int iiv_encrypt(keyset ks, unsigned ty, buf b, buf *bb)
	250	{
	251	ghash *h;
	252	gcipher c = ks->out.c, blkc = ks->out.b;
	253	const octet *p = BCUR(b);
	254	size_t sz = BLEFT(b);
	255	octet qmac, qseq, *qpk;
	256	uint32 oseq;
	257	size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
	258	size_t tagsz = ks->tagsz;
	259	octet t[4];
	260
	261	/* --- Determine the ciphertext layout --- */
	262
	263	if (buf_ensure(bb, tagsz + SEQSZ + sz)) return (0);
	264	qmac = BCUR(bb); qseq = qmac + tagsz; qpk = qseq + SEQSZ;
	265	BSTEP(bb, tagsz + SEQSZ + sz);
	266
	267	/* --- Store the type --- *
268	*
269	* This isn't transmitted, but it's covered by the MAC.
270	*/
271
272	STORE32(t, ty);
273
274	/* --- Store the sequence number --- */
275
276	oseq = ks->oseq++;
277	STORE32(qseq, oseq);
278
279	/* --- Establish an initialization vector if necessary --- */
280
281	if (ivsz) {
282	memset(buf_u, 0, blkcsz - SEQSZ);
283	memcpy(buf_u + blkcsz - SEQSZ, qseq, SEQSZ);
284	TRACE_PRESEQ(buf_u, ivsz);
285	GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
286	GC_SETIV(c, buf_u);
287	TRACE_IV(buf_u, ivsz);
288	}
289
290	/* --- Encrypt the packet --- */
291
292	GC_ENCRYPT(c, p, qpk, sz);
293	TRACE_CT(qpk, sz);
294
295	/* --- Compute a MAC over type, sequence number, and ciphertext --- */
296
297	if (tagsz) {
298	h = GM_INIT(ks->out.m);
299	GH_HASH(h, t, sizeof(t));
300	GH_HASH(h, qseq, SEQSZ + sz);
301	memcpy(qmac, GH_DONE(h, 0), tagsz);
302	GH_DESTROY(h);
303	TRACE_MAC(qmac, tagsz);
304	}
305
306	/* --- We're done --- */
307
308	return (0);
309	}
310
311	static int iiv_decrypt(keyset ks, unsigned ty, buf b, buf bb, uint32 seq)
312	{
313	const octet pmac, pseq, *ppk;
314	size_t psz = BLEFT(b);
315	size_t sz;
316	octet *q = BCUR(bb);
317	ghash *h;
318	gcipher c = ks->in.c, blkc = ks->in.b;
319	size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
320	size_t tagsz = ks->tagsz;
321	octet t[4];
322
323	/* --- Break up the packet into its components --- */
324
325	if (psz < SEQSZ + tagsz) {
326	T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); )
327	return (KSERR_MALFORMED);
328	}
329	sz = psz - SEQSZ - tagsz;
330	pmac = BCUR(b); pseq = pmac + tagsz; ppk = pseq + SEQSZ;
331	STORE32(t, ty);
332
333	/* --- Verify the MAC on the packet --- */
334
335	if (tagsz) {
336	h = GM_INIT(ks->in.m);
337	GH_HASH(h, t, sizeof(t));
338	GH_HASH(h, pseq, SEQSZ + sz);
339	CHECK_MAC(h, pmac, tagsz);
340	}
341
342	/* --- Decrypt the packet --- */
343
344	if (ivsz) {
345	memset(buf_u, 0, blkcsz - SEQSZ);
346	memcpy(buf_u + blkcsz - SEQSZ, pseq, SEQSZ);
347	TRACE_PRESEQ(buf_u, ivsz);
348	GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
349	GC_SETIV(c, buf_u);
350	TRACE_IV(buf_u, ivsz);
351	}
352	GC_DECRYPT(c, ppk, q, sz);
353
354	/* --- Finished --- */
355
356	*seq = LOAD32(pseq);
357	BSTEP(bb, sz);
358	return (0);
359	}
360
a93aacce MW	361	/----- Bulk crypto transform table ---------------------------------------/
a93aacce MW	362
fddd7fb7	363	const bulkops bulktab[] = {
a93aacce MW	364
	365	#define BULK(name, pre, prim) \
	366	{ name, prim, pre##_check, pre##_overhead, pre##_encrypt, pre##_decrypt }
	367
	368	BULK("v0", v0, BCP_CIPHER \| BCP_MAC),
b87bffcb	369	BULK("iiv", iiv, BCP_CIPHER \| BCP_MAC \| BCP_BLKC),
a93aacce MW	370
	371	#undef BULK
	372	{ 0 }
	373	};
	374
	375	/----- That's all, folks -------------------------------------------------/