1 /* Transform module - bulk data transformation */
3 /* For now it's hard-coded to do sequence
4 number/pkcs5/serpent-cbcmac/serpent with a 256 bit key for each
5 instance of serpent. We also require key material for the IVs for
6 cbcmac and cbc. Hack: we're not using full 128-bit IVs, we're just
7 using 32 bits and encrypting to get the full IV to save space in
8 the packets sent over the wire. */
15 #include "unaligned.h"
18 /* Required key length in bytes */
19 #define REQUIRED_KEYLEN ((512+64+32)/8)
23 struct transform_if ops;
24 uint32_t max_seq_skew;
27 struct transform_inst {
28 struct transform_inst_if ops;
29 struct keyInstance cryptkey;
30 struct keyInstance mackey;
39 #include "transform-common.h"
43 static bool_t transform_setkey(void *sst, uint8_t *key, int32_t keylen,
46 struct transform_inst *ti=sst;
48 if (keylen<REQUIRED_KEYLEN) {
49 Message(M_ERR,"transform_create: insufficient key material supplied "
50 "(need %d bytes, got %d)\n",REQUIRED_KEYLEN,keylen);
56 printf("Setting key to: ");
57 hexdebug(stdout,key,keylen);
62 serpentbe_makekey(&ti->cryptkey,256,key);
63 serpentbe_makekey(&ti->mackey,256,key+32);
64 ti->cryptiv=get_uint32(key+64);
65 ti->maciv=get_uint32(key+68);
66 ti->sendseq=get_uint32(key+72);
67 ti->lastrecvseq=ti->sendseq;
75 static void transform_delkey(void *sst)
77 struct transform_inst *ti=sst;
79 FILLZERO(ti->cryptkey);
84 static uint32_t transform_forward(void *sst, struct buffer_if *buf,
87 struct transform_inst *ti=sst;
99 buf_prepend_uint32(buf,ti->sendseq);
102 /* PKCS5, stolen from IWJ */
103 /* eg with blocksize=4 mask=3 mask+2=5 */
104 /* msgsize 20 21 22 23 24 */
105 padlen= PKCS5_MASK-buf->size; /* -17 -18 -19 -16 -17 */
106 padlen &= PKCS5_MASK; /* 3 2 1 0 3 */
107 padlen++; /* 4 3 2 1 4 */
109 padp=buf_append(buf,padlen);
110 memset(padp,padlen,padlen);
112 /* Serpent-CBCMAC. We expand the IV from 32-bit to 128-bit using
113 one encryption. Then we do the MAC and append the result. We don't
114 bother sending the IV - it's the same each time. (If we wanted to send
115 it we've have to add 16 bytes to each message, not 4, so that the
116 message stays a multiple of 16 bytes long.) */
118 put_uint32(iv, ti->maciv);
119 serpentbe_encrypt(&ti->mackey,iv,macacc);
121 /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
122 block encrypted once again. */
123 for (n=buf->start; n<buf->start+buf->size; n+=16)
125 for (i = 0; i < 16; i++)
126 macplain[i] = macacc[i] ^ n[i];
127 serpentbe_encrypt(&ti->mackey,macplain,macacc);
129 serpentbe_encrypt(&ti->mackey,macacc,macacc);
130 memcpy(buf_append(buf,16),macacc,16);
132 /* Serpent-CBC. We expand the ID as for CBCMAC, do the encryption,
133 and prepend the IV before increasing it. */
135 put_uint32(iv, ti->cryptiv);
136 serpentbe_encrypt(&ti->cryptkey,iv,iv);
138 /* CBC: each block is XORed with the previous encrypted block (or the IV)
139 before being encrypted. */
142 for (n=buf->start; n<buf->start+buf->size; n+=16)
144 for (i = 0; i < 16; i++)
146 serpentbe_encrypt(&ti->cryptkey,n,n);
150 buf_prepend_uint32(buf,ti->cryptiv);
155 static uint32_t transform_reverse(void *sst, struct buffer_if *buf,
158 struct transform_inst *ti=sst;
165 uint8_t macplain[16];
168 uint8_t *macexpected;
172 if (buf->size < 4 + 16 + 16) {
173 *errmsg="msg too short";
180 uint32_t ivword = buf_unprepend_uint32(buf);
181 put_uint32(iv, ivword);
183 /* Assert bufsize is multiple of blocksize */
185 *errmsg="msg not multiple of cipher blocksize";
188 serpentbe_encrypt(&ti->cryptkey,iv,iv);
189 for (n=buf->start; n<buf->start+buf->size; n+=16)
191 for (i = 0; i < 16; i++)
193 serpentbe_decrypt(&ti->cryptkey,n,n);
194 for (i = 0; i < 16; i++)
200 macexpected=buf_unappend(buf,16);
202 put_uint32(iv, ti->maciv);
203 serpentbe_encrypt(&ti->mackey,iv,macacc);
205 /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
206 block encrypted once again. */
207 for (n=buf->start; n<buf->start+buf->size; n+=16)
209 for (i = 0; i < 16; i++)
210 macplain[i] = macacc[i] ^ n[i];
211 serpentbe_encrypt(&ti->mackey,macplain,macacc);
213 serpentbe_encrypt(&ti->mackey,macacc,macacc);
214 if (!consttime_memeq(macexpected,macacc,16)!=0) {
215 *errmsg="invalid MAC";
219 /* PKCS5, stolen from IWJ */
221 padp=buf_unappend(buf,1);
223 if (!padlen || (padlen > PKCS5_MASK+1)) {
224 *errmsg="pkcs5: invalid length";
228 buf_unappend(buf,padlen-1);
230 /* Sequence number must be within max_skew of lastrecvseq; lastrecvseq
231 is only allowed to increase. */
232 seqnum=buf_unprepend_uint32(buf);
233 SEQNUM_CHECK(seqnum, ti->max_skew);
240 static struct transform_inst_if *transform_create(void *sst)
242 struct transform *st=sst;
244 TRANSFORM_CREATE_CORE;
246 ti->max_skew=st->max_seq_skew;
251 static list_t *transform_apply(closure_t *self, struct cloc loc,
252 dict_t *context, list_t *args)
254 struct transform *st;
258 st=safe_malloc(sizeof(*st),"serpent");
259 st->cl.description="serpent-cbc256";
260 st->cl.type=CL_TRANSFORM;
262 st->cl.interface=&st->ops;
264 update_max_start_pad(&transform_max_start_pad, 28);
265 /* 4byte seqnum, 16byte pad, 4byte MACIV, 4byte IV */
267 /* We need 256*2 bits for serpent keys, 32 bits for CBC-IV and 32 bits
268 for CBCMAC-IV, and 32 bits for init sequence number */
269 st->ops.keylen=REQUIRED_KEYLEN;
270 st->ops.create=transform_create;
272 /* First parameter must be a dict */
273 item=list_elem(args,0);
274 if (!item || item->type!=t_dict)
275 cfgfatal(loc,"userv-ipif","parameter must be a dictionary\n");
277 dict=item->data.dict;
278 st->max_seq_skew=dict_read_number(dict, "max-sequence-skew",
279 False, "serpent-cbc256", loc, 10);
281 SET_CAPAB_TRANSFORMNUM(CAPAB_TRANSFORMNUM_SERPENT256CBC);
283 return new_closure(&st->cl);
286 void transform_cbcmac_module(dict_t *dict)
288 struct keyInstance k;
290 uint8_t plaintext[16];
291 uint8_t ciphertext[16];
296 * This test pattern was taken directly from the Serpent test
297 * vectors, which results in a big-endian Serpent which is not
298 * compatible with other implementations.
301 /* Serpent self-test */
303 "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff"
304 "\xff\xee\xdd\xcc\xbb\xaa\x99\x88\x77\x66\x55\x44\x33\x22\x11\x00",
306 serpentbe_makekey(&k,256,data);
309 "\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc\xba\x98\x76\x54\x32\x10",
311 serpentbe_encrypt(&k,plaintext,ciphertext);
313 if (memcmp(ciphertext, "\xca\x7f\xa1\x93\xe3\xeb\x9e\x99"
314 "\xbd\x87\xe3\xaf\x3c\x9a\xdf\x93", 16)) {
315 fatal("transform_module: serpent failed self-test (encrypt)");
317 serpentbe_decrypt(&k,ciphertext,plaintext);
318 if (memcmp(plaintext, "\x01\x23\x45\x67\x89\xab\xcd\xef"
319 "\xfe\xdc\xba\x98\x76\x54\x32\x10", 16)) {
320 fatal("transform_module: serpent failed self-test (decrypt)");
323 add_closure(dict,"serpent256-cbc",transform_apply);
325 #ifdef TEST_WHOLE_TRANSFORM
327 struct transform *tr;
329 struct buffer_if buf;
330 const char text[] = "This is a piece of test text.";
331 char keymaterial[76] =
332 "Seventy-six bytes i"
333 "n four rows of 19; "
334 "this looks almost l"
335 "ike a poem but not.";
339 tr = malloc(sizeof(struct transform));
340 tr->max_seq_skew = 20;
341 ti = transform_create(tr);
343 transform_setkey(ti, keymaterial, 76);
345 buf.base = malloc(4096);
346 buffer_init(&buf, 2048);
347 memcpy(buf_append(&buf, sizeof(text)), text, sizeof(text));
348 if (transform_forward(ti, &buf, &errmsg)) {
349 fatal("transform_forward test: %s", errmsg);
351 printf("transformed text is:\n");
352 for (i = 0; i < buf.size; i++)
353 printf("%02x%c", buf.start[i],
354 (i%16==15 || i==buf.size-1 ? '\n' : ' '));
355 if (transform_reverse(ti, &buf, &errmsg)) {
356 fatal("transform_reverse test: %s", errmsg);
358 printf("transform reversal worked OK\n");