3 * Bulk crypto transformations
5 * (c) 2014 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Trivial IP Encryption (TrIPE).
12 * TrIPE is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * TrIPE is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /*----- Header files ------------------------------------------------------*/
31 /*----- Utilities ---------------------------------------------------------*/
33 #define SEQSZ 4 /* Size of sequence number packet */
35 #define TRACE_IV(qiv, ivsz) do { IF_TRACING(T_KEYSET, { \
36 trace_block(T_CRYPTO, "crypto: initialization vector", \
40 #define TRACE_CT(qpk, sz) do { IF_TRACING(T_KEYSET, { \
41 trace_block(T_CRYPTO, "crypto: encrypted packet", (qpk), (sz)); \
44 #define TRACE_MAC(qmac, tagsz) do { IF_TRACING(T_KEYSET, { \
45 trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz)); \
48 #define TRACE_MACERR(pmac, tagsz) do { IF_TRACING(T_KEYSET, { \
49 trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); \
50 trace_block(T_CRYPTO, "crypto: expected MAC", (pmac), (tagsz)); \
53 #define CHECK_MAC(h, pmac, tagsz) do { \
55 const octet *_pmac = (pmac); \
56 size_t _tagsz = (tagsz); \
57 octet *_mac = GH_DONE(_h, 0); \
58 int _eq = ct_memeq(_mac, _pmac, _tagsz); \
59 TRACE_MAC(_mac, _tagsz); \
62 TRACE_MACERR(_pmac, _tagsz); \
63 return (KSERR_DECRYPT); \
67 /*----- The original transform --------------------------------------------*
69 * We generate a random initialization vector (if the cipher needs one). We
70 * encrypt the input message with the cipher, and format the type, sequence
71 * number, IV, and ciphertext as follows.
73 * +------+ +------+---...---+------...------+
74 * | type | | seq | iv | ciphertext |
75 * +------+ +------+---...---+------...------+
78 * All of this is fed into the MAC to compute a tag. The type is not
79 * transmitted: the other end knows what type of message it expects, and the
80 * type is only here to prevent us from being confused because some other
81 * kind of ciphertext has been substituted. The tag is prepended to the
82 * remainder, to yield the finished cryptogram, as follows.
84 * +---...---+------+---...---+------...------+
85 * | tag | seq | iv | ciphertext |
86 * +---...---+------+---...---+------...------+
89 * Decryption: checks the overall size, verifies the tag, then decrypts the
90 * ciphertext and extracts the sequence number.
93 static int v0_check(const algswitch *a, dstr *e)
96 static size_t v0_overhead(const algswitch *a)
97 { return a->tagsz + SEQSZ + a->c->blksz; }
99 static int v0_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb)
102 gcipher *c = ks->out.c;
103 const octet *p = BCUR(b);
104 size_t sz = BLEFT(b);
105 octet *qmac, *qseq, *qiv, *qpk;
107 size_t ivsz = GC_CLASS(c)->blksz;
108 size_t tagsz = ks->tagsz;
111 /* --- Determine the ciphertext layout --- */
113 if (buf_ensure(bb, tagsz + SEQSZ + ivsz + sz)) return (0);
114 qmac = BCUR(bb); qseq = qmac + tagsz; qiv = qseq + SEQSZ; qpk = qiv + ivsz;
115 BSTEP(bb, tagsz + SEQSZ + ivsz + sz);
117 /* --- Store the type --- *
119 * This isn't transmitted, but it's covered by the MAC.
124 /* --- Store the sequence number --- */
129 /* --- Establish an initialization vector if necessary --- */
132 rand_get(RAND_GLOBAL, qiv, ivsz);
137 /* --- Encrypt the packet --- */
139 GC_ENCRYPT(c, p, qpk, sz);
142 /* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */
145 h = GM_INIT(ks->out.m);
146 GH_HASH(h, t, sizeof(t));
147 GH_HASH(h, qseq, SEQSZ + ivsz + sz);
148 memcpy(qmac, GH_DONE(h, 0), tagsz);
150 TRACE_MAC(qmac, tagsz);
153 /* --- We're done --- */
158 static int v0_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq)
160 const octet *pmac, *piv, *pseq, *ppk;
161 size_t psz = BLEFT(b);
165 gcipher *c = ks->in.c;
166 size_t ivsz = GC_CLASS(c)->blksz;
167 size_t tagsz = ks->tagsz;
170 /* --- Break up the packet into its components --- */
172 if (psz < ivsz + SEQSZ + tagsz) {
173 T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); )
174 return (KSERR_MALFORMED);
176 sz = psz - ivsz - SEQSZ - tagsz;
177 pmac = BCUR(b); pseq = pmac + tagsz; piv = pseq + SEQSZ; ppk = piv + ivsz;
180 /* --- Verify the MAC on the packet --- */
183 h = GM_INIT(ks->in.m);
184 GH_HASH(h, t, sizeof(t));
185 GH_HASH(h, pseq, SEQSZ + ivsz + sz);
186 CHECK_MAC(h, pmac, tagsz);
189 /* --- Decrypt the packet --- */
195 GC_DECRYPT(c, ppk, q, sz);
197 /* --- Finished --- */
204 /*----- The implicit-IV transform -----------------------------------------*
206 * The v0 transform makes everything explicit. There's an IV because the
207 * cipher needs an IV; there's a sequence number because replay prevention
208 * needs a sequence number.
210 * This new transform works rather differently. We make use of a block
211 * cipher to encrypt the sequence number, and use that as the IV. We
212 * transmit the sequence number in the clear, as before. This reduces
213 * overhead; and it's not a significant privacy leak because the adversary
214 * can see the order in which the messages are transmitted -- i.e., the
215 * sequence numbers are almost completely predictable anyway.
217 * So, a MAC is computed over
219 * +------+ +------+------...------+
220 * | type | | seq | ciphertext |
221 * +------+ +------+------...------+
224 * and we actually transmit the following as the cryptogram.
226 * +---...---+------+------...------+
227 * | tag | seq | ciphertext |
228 * +---...---+------+------...------+
232 static int iiv_check(const algswitch *a, dstr *e)
234 if (a->b->blksz < a->c->blksz) {
235 a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
236 "blksz-insufficient", A_END);
242 static size_t iiv_overhead(const algswitch *a)
243 { return a->tagsz + SEQSZ; }
245 #define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, { \
246 trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz)); \
249 static int iiv_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb)
252 gcipher *c = ks->out.c, *blkc = ks->out.b;
253 const octet *p = BCUR(b);
254 size_t sz = BLEFT(b);
255 octet *qmac, *qseq, *qpk;
257 size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
258 size_t tagsz = ks->tagsz;
261 /* --- Determine the ciphertext layout --- */
263 if (buf_ensure(bb, tagsz + SEQSZ + sz)) return (0);
264 qmac = BCUR(bb); qseq = qmac + tagsz; qpk = qseq + SEQSZ;
265 BSTEP(bb, tagsz + SEQSZ + sz);
267 /* --- Store the type --- *
269 * This isn't transmitted, but it's covered by the MAC.
274 /* --- Store the sequence number --- */
279 /* --- Establish an initialization vector if necessary --- */
282 memset(buf_u, 0, blkcsz - SEQSZ);
283 memcpy(buf_u + blkcsz - SEQSZ, qseq, SEQSZ);
284 TRACE_PRESEQ(buf_u, ivsz);
285 GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
287 TRACE_IV(buf_u, ivsz);
290 /* --- Encrypt the packet --- */
292 GC_ENCRYPT(c, p, qpk, sz);
295 /* --- Compute a MAC over type, sequence number, and ciphertext --- */
298 h = GM_INIT(ks->out.m);
299 GH_HASH(h, t, sizeof(t));
300 GH_HASH(h, qseq, SEQSZ + sz);
301 memcpy(qmac, GH_DONE(h, 0), tagsz);
303 TRACE_MAC(qmac, tagsz);
306 /* --- We're done --- */
311 static int iiv_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq)
313 const octet *pmac, *pseq, *ppk;
314 size_t psz = BLEFT(b);
318 gcipher *c = ks->in.c, *blkc = ks->in.b;
319 size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz;
320 size_t tagsz = ks->tagsz;
323 /* --- Break up the packet into its components --- */
325 if (psz < SEQSZ + tagsz) {
326 T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); )
327 return (KSERR_MALFORMED);
329 sz = psz - SEQSZ - tagsz;
330 pmac = BCUR(b); pseq = pmac + tagsz; ppk = pseq + SEQSZ;
333 /* --- Verify the MAC on the packet --- */
336 h = GM_INIT(ks->in.m);
337 GH_HASH(h, t, sizeof(t));
338 GH_HASH(h, pseq, SEQSZ + sz);
339 CHECK_MAC(h, pmac, tagsz);
342 /* --- Decrypt the packet --- */
345 memset(buf_u, 0, blkcsz - SEQSZ);
346 memcpy(buf_u + blkcsz - SEQSZ, pseq, SEQSZ);
347 TRACE_PRESEQ(buf_u, ivsz);
348 GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
350 TRACE_IV(buf_u, ivsz);
352 GC_DECRYPT(c, ppk, q, sz);
354 /* --- Finished --- */
361 /*----- Bulk crypto transform table ---------------------------------------*/
363 const bulkops bulktab[] = {
365 #define BULK(name, pre, prim) \
366 { name, prim, pre##_check, pre##_overhead, pre##_encrypt, pre##_decrypt }
368 BULK("v0", v0, BCP_CIPHER | BCP_MAC),
369 BULK("iiv", iiv, BCP_CIPHER | BCP_MAC | BCP_BLKC),
375 /*----- That's all, folks -------------------------------------------------*/