[secnet] / transform.c

/* Transform module - bulk data transformation */

/* For now it's hard-coded to do sequence
   number/pkcs5/serpent-cbcmac/serpent with a 256 bit key for each
   instance of serpent. We also require key material for the IVs for
   cbcmac and cbc. Hack: we're not using full 128-bit IVs, we're just
   using 32 bits and encrypting to get the full IV to save space in
   the packets sent over the wire. */

#include <stdio.h>
#include <string.h>
#include "secnet.h"
#include "util.h"
#include "serpent.h"
#include "unaligned.h"

/* Required key length in bytes */
#define REQUIRED_KEYLEN ((512+64+32)/8)

struct transform {
    closure_t cl;
    struct transform_if ops;
    uint32_t max_seq_skew;
};

struct transform_inst {
    struct transform_inst_if ops;
    struct keyInstance cryptkey;
    struct keyInstance mackey;
    uint32_t cryptiv;
    uint32_t maciv;
    uint32_t sendseq;
    uint32_t lastrecvseq;
    uint32_t max_skew;
    bool_t keyed;
};

#define PKCS5_MASK 15

static bool_t transform_setkey(void *sst, uint8_t *key, int32_t keylen)
{
    struct transform_inst *ti=sst;

    if (keylen<REQUIRED_KEYLEN) {
	Message(M_ERR,"transform_create: insufficient key material supplied "
		"(need %d bytes, got %d)\n",REQUIRED_KEYLEN,keylen);
	return False;
    }

#if 0
    {
	int i;
	printf("Setting key to: ");
	for (i=0; i<keylen; i++)
	    printf("%02x",key[i]);
	printf("\n");
    }
#endif /* 0 */

    serpentbe_makekey(&ti->cryptkey,256,key);
    serpentbe_makekey(&ti->mackey,256,key+32);
    ti->cryptiv=get_uint32(key+64);
    ti->maciv=get_uint32(key+68);
    ti->sendseq=get_uint32(key+72);
    ti->lastrecvseq=ti->sendseq;
    ti->keyed=True;

    return True;
}

static bool_t transform_valid(void *sst)
{
    struct transform_inst *ti=sst;

    return ti->keyed;
}

static void transform_delkey(void *sst)
{
    struct transform_inst *ti=sst;

    FILLZERO(ti->cryptkey);
    FILLZERO(ti->mackey);
    ti->keyed=False;
}

static uint32_t transform_forward(void *sst, struct buffer_if *buf,
				  const char **errmsg)
{
    struct transform_inst *ti=sst;
    uint8_t *padp;
    int padlen;
    uint8_t iv[16];
    uint8_t macplain[16];
    uint8_t macacc[16];
    uint8_t *p, *n;
    int i;

    if (!ti->keyed) {
	*errmsg="transform unkeyed";
	return 1;
    }

    /* Sequence number */
    buf_prepend_uint32(buf,ti->sendseq);
    ti->sendseq++;

    /* PKCS5, stolen from IWJ */
                                    /* eg with blocksize=4 mask=3 mask+2=5   */
                                    /* msgsize    20    21    22    23   24  */
    padlen= PKCS5_MASK-buf->size;   /*           -17   -18   -19   -16  -17  */
    padlen &= PKCS5_MASK;           /*             3     2     1     0    3  */
    padlen++;                       /*             4     3     2     1    4  */

    padp=buf_append(buf,padlen);
    memset(padp,padlen,padlen);

    /* Serpent-CBCMAC. We expand the IV from 32-bit to 128-bit using
       one encryption. Then we do the MAC and append the result. We don't
       bother sending the IV - it's the same each time. (If we wanted to send
       it we've have to add 16 bytes to each message, not 4, so that the
       message stays a multiple of 16 bytes long.) */
    memset(iv,0,16);
    put_uint32(iv, ti->maciv);
    serpentbe_encrypt(&ti->mackey,iv,macacc);

    /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
       block encrypted once again. */
    for (n=buf->start; n<buf->start+buf->size; n+=16)
    {
	for (i = 0; i < 16; i++)
	    macplain[i] = macacc[i] ^ n[i];
	serpentbe_encrypt(&ti->mackey,macplain,macacc);
    }
    serpentbe_encrypt(&ti->mackey,macacc,macacc);
    memcpy(buf_append(buf,16),macacc,16);

    /* Serpent-CBC. We expand the ID as for CBCMAC, do the encryption,
       and prepend the IV before increasing it. */
    memset(iv,0,16);
    put_uint32(iv, ti->cryptiv);
    serpentbe_encrypt(&ti->cryptkey,iv,iv);

    /* CBC: each block is XORed with the previous encrypted block (or the IV)
       before being encrypted. */
    p=iv;

    for (n=buf->start; n<buf->start+buf->size; n+=16)
    {
	for (i = 0; i < 16; i++)
	    n[i] ^= p[i];
	serpentbe_encrypt(&ti->cryptkey,n,n);
	p=n;
    }

    buf_prepend_uint32(buf,ti->cryptiv);
    ti->cryptiv++;
    return 0;
}

static uint32_t transform_reverse(void *sst, struct buffer_if *buf,
				  const char **errmsg)
{
    struct transform_inst *ti=sst;
    uint8_t *padp;
    int padlen;
    int i;
    uint32_t seqnum, skew;
    uint8_t iv[16];
    uint8_t pct[16];
    uint8_t macplain[16];
    uint8_t macacc[16];
    uint8_t *n;
    uint8_t *macexpected;

    if (!ti->keyed) {
	*errmsg="transform unkeyed";
	return 1;
    }

    if (buf->size < 4 + 16 + 16) {
	*errmsg="msg too short";
	return 1;
    }

    /* CBC */
    memset(iv,0,16);
    {
	uint32_t ivword = buf_unprepend_uint32(buf);
	put_uint32(iv, ivword);
    }
    /* Assert bufsize is multiple of blocksize */
    if (buf->size&0xf) {
	*errmsg="msg not multiple of cipher blocksize";
	return 1;
    }
    serpentbe_encrypt(&ti->cryptkey,iv,iv);
    for (n=buf->start; n<buf->start+buf->size; n+=16)
    {
	for (i = 0; i < 16; i++)
	    pct[i] = n[i];
	serpentbe_decrypt(&ti->cryptkey,n,n);
	for (i = 0; i < 16; i++)
	    n[i] ^= iv[i];
	memcpy(iv, pct, 16);
    }

    /* CBCMAC */
    macexpected=buf_unappend(buf,16);
    memset(iv,0,16);
    put_uint32(iv, ti->maciv);
    serpentbe_encrypt(&ti->mackey,iv,macacc);

    /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
       block encrypted once again. */
    for (n=buf->start; n<buf->start+buf->size; n+=16)
    {
	for (i = 0; i < 16; i++)
	    macplain[i] = macacc[i] ^ n[i];
	serpentbe_encrypt(&ti->mackey,macplain,macacc);
    }
    serpentbe_encrypt(&ti->mackey,macacc,macacc);
    if (!consttime_memeq(macexpected,macacc,16)!=0) {
	*errmsg="invalid MAC";
	return 1;
    }

    /* PKCS5, stolen from IWJ */

    padp=buf_unappend(buf,1);
    padlen=*padp;
    if (!padlen || (padlen > PKCS5_MASK+1)) {
	*errmsg="pkcs5: invalid length";
	return 1;
    }

    buf_unappend(buf,padlen-1);

    /* Sequence number must be within max_skew of lastrecvseq; lastrecvseq
       is only allowed to increase. */
    seqnum=buf_unprepend_uint32(buf);
    skew=seqnum-ti->lastrecvseq;
    if (skew<0x8fffffff) {
	/* Ok */
	ti->lastrecvseq=seqnum;
    } else if ((0-skew)<ti->max_skew) {
	/* Ok */
    } else {
	/* Too much skew */
	*errmsg="seqnum: too much skew";
	return 2;
    }
    
    return 0;
}

static void transform_destroy(void *sst)
{
    struct transform_inst *st=sst;

    FILLZERO(*st); /* Destroy key material */
    free(st);
}

static struct transform_inst_if *transform_create(void *sst)
{
    struct transform_inst *ti;
    struct transform *st=sst;

    ti=safe_malloc(sizeof(*ti),"transform_create");
    /* mlock XXX */

    ti->ops.st=ti;
    ti->ops.setkey=transform_setkey;
    ti->ops.valid=transform_valid;
    ti->ops.delkey=transform_delkey;
    ti->ops.forwards=transform_forward;
    ti->ops.reverse=transform_reverse;
    ti->ops.destroy=transform_destroy;
    ti->max_skew=st->max_seq_skew;
    ti->keyed=False;

    return &ti->ops;
}

static list_t *transform_apply(closure_t *self, struct cloc loc,
			       dict_t *context, list_t *args)
{
    struct transform *st;
    item_t *item;
    dict_t *dict;

    st=safe_malloc(sizeof(*st),"serpent");
    st->cl.description="serpent-cbc256";
    st->cl.type=CL_TRANSFORM;
    st->cl.apply=NULL;
    st->cl.interface=&st->ops;
    st->ops.st=st;
    st->ops.max_start_pad=28; /* 4byte seqnum, 16byte pad, 4byte MACIV,
				 4byte IV */
    st->ops.max_end_pad=16; /* 16byte CBCMAC */

    /* We need 256*2 bits for serpent keys, 32 bits for CBC-IV and 32 bits
       for CBCMAC-IV, and 32 bits for init sequence number */
    st->ops.keylen=REQUIRED_KEYLEN;
    st->ops.create=transform_create;

    /* First parameter must be a dict */
    item=list_elem(args,0);
    if (!item || item->type!=t_dict)
	cfgfatal(loc,"userv-ipif","parameter must be a dictionary\n");
    
    dict=item->data.dict;
    st->max_seq_skew=dict_read_number(dict, "max-sequence-skew",
				      False, "serpent-cbc256", loc, 10);

    return new_closure(&st->cl);
}

void transform_module(dict_t *dict)
{
    struct keyInstance k;
    uint8_t data[32];
    uint8_t plaintext[16];
    uint8_t ciphertext[16];

    /*
     * Serpent self-test.
     * 
     * This test pattern was taken directly from the Serpent test
     * vectors, which results in a big-endian Serpent which is not
     * compatible with other implementations.
     */

    /* Serpent self-test */
    memcpy(data,
           "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff"
           "\xff\xee\xdd\xcc\xbb\xaa\x99\x88\x77\x66\x55\x44\x33\x22\x11\x00",
           32);
    serpentbe_makekey(&k,256,data);

    memcpy(plaintext,
           "\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc\xba\x98\x76\x54\x32\x10",
           16);
    serpentbe_encrypt(&k,plaintext,ciphertext);

    if (memcmp(ciphertext, "\xca\x7f\xa1\x93\xe3\xeb\x9e\x99"
               "\xbd\x87\xe3\xaf\x3c\x9a\xdf\x93", 16)) {
	fatal("transform_module: serpent failed self-test (encrypt)");
    }
    serpentbe_decrypt(&k,ciphertext,plaintext);
    if (memcmp(plaintext, "\x01\x23\x45\x67\x89\xab\xcd\xef"
               "\xfe\xdc\xba\x98\x76\x54\x32\x10", 16)) {
	fatal("transform_module: serpent failed self-test (decrypt)");
    }

    add_closure(dict,"serpent256-cbc",transform_apply);

#ifdef TEST_WHOLE_TRANSFORM
    {
	struct transform *tr;
	void *ti;
	struct buffer_if buf;
	const char text[] = "This is a piece of test text.";
	char keymaterial[76] =
	    "Seventy-six bytes i"
	    "n four rows of 19; "
	    "this looks almost l"
	    "ike a poem but not.";
	const char *errmsg;
	int i;

	tr = malloc(sizeof(struct transform));
	tr->max_seq_skew = 20;
	ti = transform_create(tr);

	transform_setkey(ti, keymaterial, 76);

        buf.base = malloc(4096);
	buffer_init(&buf, 2048);
	memcpy(buf_append(&buf, sizeof(text)), text, sizeof(text));
	if (transform_forward(ti, &buf, &errmsg)) {
	    fatal("transform_forward test: %s", errmsg);
	}
	printf("transformed text is:\n");
	for (i = 0; i < buf.size; i++)
	    printf("%02x%c", buf.start[i],
		   (i%16==15 || i==buf.size-1 ? '\n' : ' '));
	if (transform_reverse(ti, &buf, &errmsg)) {
	    fatal("transform_reverse test: %s", errmsg);
	}
	printf("transform reversal worked OK\n");
    }
#endif
}
Commit	Line	Data
2fe58dfd SE	1	/* Transform module - bulk data transformation */
	2
	3	/* For now it's hard-coded to do sequence
	4	number/pkcs5/serpent-cbcmac/serpent with a 256 bit key for each
	5	instance of serpent. We also require key material for the IVs for
	6	cbcmac and cbc. Hack: we're not using full 128-bit IVs, we're just
	7	using 32 bits and encrypting to get the full IV to save space in
	8	the packets sent over the wire. */
	9
	10	#include <stdio.h>
469fd1d9	11	#include <string.h>
2fe58dfd SE	12	#include "secnet.h"
	13	#include "util.h"
	14	#include "serpent.h"
59635212	15	#include "unaligned.h"
2fe58dfd SE	16
	17	/* Required key length in bytes */
	18	#define REQUIRED_KEYLEN ((512+64+32)/8)
	19
	20	struct transform {
	21	closure_t cl;
2fe58dfd SE	22	struct transform_if ops;
	23	uint32_t max_seq_skew;
	24	};
	25
	26	struct transform_inst {
	27	struct transform_inst_if ops;
	28	struct keyInstance cryptkey;
	29	struct keyInstance mackey;
	30	uint32_t cryptiv;
	31	uint32_t maciv;
	32	uint32_t sendseq;
	33	uint32_t lastrecvseq;
	34	uint32_t max_skew;
	35	bool_t keyed;
	36	};
	37
	38	#define PKCS5_MASK 15
	39
1caa23ff	40	static bool_t transform_setkey(void sst, uint8_t key, int32_t keylen)
2fe58dfd SE	41	{
	42	struct transform_inst *ti=sst;
	43
	44	if (keylen<REQUIRED_KEYLEN) {
469fd1d9	45	Message(M_ERR,"transform_create: insufficient key material supplied "
2fe58dfd SE	46	"(need %d bytes, got %d)\n",REQUIRED_KEYLEN,keylen);
	47	return False;
	48	}
	49
	50	#if 0
	51	{
	52	int i;
	53	printf("Setting key to: ");
	54	for (i=0; i<keylen; i++)
	55	printf("%02x",key[i]);
	56	printf("\n");
	57	}
	58	#endif /* 0 */
	59
af43f0b7 IJ	60	serpentbe_makekey(&ti->cryptkey,256,key);
af43f0b7 IJ	61	serpentbe_makekey(&ti->mackey,256,key+32);
4a1a5919 IJ	62	ti->cryptiv=get_uint32(key+64);
	63	ti->maciv=get_uint32(key+68);
	64	ti->sendseq=get_uint32(key+72);
2fe58dfd SE	65	ti->lastrecvseq=ti->sendseq;
	66	ti->keyed=True;
	67
	68	return True;
	69	}
	70
b67dab18 IJ	71	static bool_t transform_valid(void *sst)
	72	{
	73	struct transform_inst *ti=sst;
	74
	75	return ti->keyed;
	76	}
	77
2fe58dfd SE	78	static void transform_delkey(void *sst)
	79	{
	80	struct transform_inst *ti=sst;
	81
076bb54e IJ	82	FILLZERO(ti->cryptkey);
076bb54e IJ	83	FILLZERO(ti->mackey);
2fe58dfd SE	84	ti->keyed=False;
	85	}
	86
	87	static uint32_t transform_forward(void sst, struct buffer_if buf,
fe5e9cc4	88	const char **errmsg)
2fe58dfd SE	89	{
	90	struct transform_inst *ti=sst;
	91	uint8_t *padp;
	92	int padlen;
3b83c932 SE	93	uint8_t iv[16];
	94	uint8_t macplain[16];
	95	uint8_t macacc[16];
	96	uint8_t p, n;
	97	int i;
2fe58dfd SE	98
	99	if (!ti->keyed) {
	100	*errmsg="transform unkeyed";
	101	return 1;
	102	}
	103
	104	/* Sequence number */
59635212	105	buf_prepend_uint32(buf,ti->sendseq);
2fe58dfd SE	106	ti->sendseq++;
	107
	108	/* PKCS5, stolen from IWJ */
	109	/* eg with blocksize=4 mask=3 mask+2=5 */
	110	/* msgsize 20 21 22 23 24 */
	111	padlen= PKCS5_MASK-buf->size; /* -17 -18 -19 -16 -17 */
	112	padlen &= PKCS5_MASK; /* 3 2 1 0 3 */
	113	padlen++; /* 4 3 2 1 4 */
	114
	115	padp=buf_append(buf,padlen);
	116	memset(padp,padlen,padlen);
	117
	118	/* Serpent-CBCMAC. We expand the IV from 32-bit to 128-bit using
	119	one encryption. Then we do the MAC and append the result. We don't
	120	bother sending the IV - it's the same each time. (If we wanted to send
	121	it we've have to add 16 bytes to each message, not 4, so that the
	122	message stays a multiple of 16 bytes long.) */
	123	memset(iv,0,16);
4a1a5919	124	put_uint32(iv, ti->maciv);
af43f0b7	125	serpentbe_encrypt(&ti->mackey,iv,macacc);
2fe58dfd SE	126
	127	/* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
	128	block encrypted once again. */
3b83c932	129	for (n=buf->start; n<buf->start+buf->size; n+=16)
2fe58dfd	130	{
3b83c932 SE	131	for (i = 0; i < 16; i++)
3b83c932 SE	132	macplain[i] = macacc[i] ^ n[i];
af43f0b7	133	serpentbe_encrypt(&ti->mackey,macplain,macacc);
2fe58dfd	134	}
af43f0b7	135	serpentbe_encrypt(&ti->mackey,macacc,macacc);
2fe58dfd SE	136	memcpy(buf_append(buf,16),macacc,16);
	137
	138	/* Serpent-CBC. We expand the ID as for CBCMAC, do the encryption,
	139	and prepend the IV before increasing it. */
	140	memset(iv,0,16);
4a1a5919	141	put_uint32(iv, ti->cryptiv);
af43f0b7	142	serpentbe_encrypt(&ti->cryptkey,iv,iv);
2fe58dfd SE	143
	144	/* CBC: each block is XORed with the previous encrypted block (or the IV)
	145	before being encrypted. */
	146	p=iv;
3b83c932 SE	147
3b83c932 SE	148	for (n=buf->start; n<buf->start+buf->size; n+=16)
2fe58dfd	149	{
3b83c932 SE	150	for (i = 0; i < 16; i++)
3b83c932 SE	151	n[i] ^= p[i];
af43f0b7	152	serpentbe_encrypt(&ti->cryptkey,n,n);
2fe58dfd SE	153	p=n;
	154	}
	155
59635212	156	buf_prepend_uint32(buf,ti->cryptiv);
2fe58dfd	157	ti->cryptiv++;
2fe58dfd SE	158	return 0;
	159	}
	160
	161	static uint32_t transform_reverse(void sst, struct buffer_if buf,
fe5e9cc4	162	const char **errmsg)
2fe58dfd SE	163	{
	164	struct transform_inst *ti=sst;
	165	uint8_t *padp;
1caa23ff	166	int padlen;
2fe58dfd SE	167	int i;
2fe58dfd SE	168	uint32_t seqnum, skew;
3b83c932 SE	169	uint8_t iv[16];
	170	uint8_t pct[16];
	171	uint8_t macplain[16];
	172	uint8_t macacc[16];
	173	uint8_t *n;
	174	uint8_t *macexpected;
2fe58dfd SE	175
	176	if (!ti->keyed) {
	177	*errmsg="transform unkeyed";
	178	return 1;
	179	}
	180
20138876 IJ	181	if (buf->size < 4 + 16 + 16) {
	182	*errmsg="msg too short";
	183	return 1;
	184	}
8689b3a9	185
2fe58dfd SE	186	/* CBC */
2fe58dfd SE	187	memset(iv,0,16);
3b83c932 SE	188	{
3b83c932 SE	189	uint32_t ivword = buf_unprepend_uint32(buf);
4a1a5919	190	put_uint32(iv, ivword);
3b83c932	191	}
8689b3a9 SE	192	/* Assert bufsize is multiple of blocksize */
	193	if (buf->size&0xf) {
	194	*errmsg="msg not multiple of cipher blocksize";
20138876	195	return 1;
8689b3a9	196	}
af43f0b7	197	serpentbe_encrypt(&ti->cryptkey,iv,iv);
3b83c932	198	for (n=buf->start; n<buf->start+buf->size; n+=16)
2fe58dfd	199	{
3b83c932 SE	200	for (i = 0; i < 16; i++)
3b83c932 SE	201	pct[i] = n[i];
af43f0b7	202	serpentbe_decrypt(&ti->cryptkey,n,n);
3b83c932 SE	203	for (i = 0; i < 16; i++)
	204	n[i] ^= iv[i];
	205	memcpy(iv, pct, 16);
2fe58dfd SE	206	}
	207
	208	/* CBCMAC */
	209	macexpected=buf_unappend(buf,16);
	210	memset(iv,0,16);
4a1a5919	211	put_uint32(iv, ti->maciv);
af43f0b7	212	serpentbe_encrypt(&ti->mackey,iv,macacc);
2fe58dfd SE	213
	214	/* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
	215	block encrypted once again. */
3b83c932	216	for (n=buf->start; n<buf->start+buf->size; n+=16)
2fe58dfd	217	{
3b83c932 SE	218	for (i = 0; i < 16; i++)
3b83c932 SE	219	macplain[i] = macacc[i] ^ n[i];
af43f0b7	220	serpentbe_encrypt(&ti->mackey,macplain,macacc);
2fe58dfd	221	}
af43f0b7	222	serpentbe_encrypt(&ti->mackey,macacc,macacc);
5ad34db2	223	if (!consttime_memeq(macexpected,macacc,16)!=0) {
2fe58dfd SE	224	*errmsg="invalid MAC";
	225	return 1;
	226	}
	227
	228	/* PKCS5, stolen from IWJ */
	229
	230	padp=buf_unappend(buf,1);
	231	padlen=*padp;
	232	if (!padlen \|\| (padlen > PKCS5_MASK+1)) {
	233	*errmsg="pkcs5: invalid length";
	234	return 1;
	235	}
	236
46008a7c	237	buf_unappend(buf,padlen-1);
2fe58dfd SE	238
	239	/* Sequence number must be within max_skew of lastrecvseq; lastrecvseq
	240	is only allowed to increase. */
59635212	241	seqnum=buf_unprepend_uint32(buf);
2fe58dfd	242	skew=seqnum-ti->lastrecvseq;
c6f79b17	243	if (skew<0x8fffffff) {
2fe58dfd SE	244	/* Ok */
2fe58dfd SE	245	ti->lastrecvseq=seqnum;
c6f79b17	246	} else if ((0-skew)<ti->max_skew) {
2fe58dfd SE	247	/* Ok */
	248	} else {
	249	/* Too much skew */
	250	*errmsg="seqnum: too much skew";
07e4774c	251	return 2;
2fe58dfd SE	252	}
	253
	254	return 0;
	255	}
	256
	257	static void transform_destroy(void *sst)
	258	{
	259	struct transform_inst *st=sst;
	260
076bb54e	261	FILLZERO(st); / Destroy key material */
2fe58dfd SE	262	free(st);
	263	}
	264
	265	static struct transform_inst_if transform_create(void sst)
	266	{
	267	struct transform_inst *ti;
	268	struct transform *st=sst;
	269
	270	ti=safe_malloc(sizeof(*ti),"transform_create");
	271	/* mlock XXX */
	272
	273	ti->ops.st=ti;
	274	ti->ops.setkey=transform_setkey;
b67dab18	275	ti->ops.valid=transform_valid;
2fe58dfd SE	276	ti->ops.delkey=transform_delkey;
	277	ti->ops.forwards=transform_forward;
	278	ti->ops.reverse=transform_reverse;
	279	ti->ops.destroy=transform_destroy;
	280	ti->max_skew=st->max_seq_skew;
	281	ti->keyed=False;
	282
	283	return &ti->ops;
	284	}
	285
	286	static list_t transform_apply(closure_t self, struct cloc loc,
	287	dict_t context, list_t args)
	288	{
	289	struct transform *st;
	290	item_t *item;
	291	dict_t *dict;
	292
	293	st=safe_malloc(sizeof(*st),"serpent");
	294	st->cl.description="serpent-cbc256";
	295	st->cl.type=CL_TRANSFORM;
	296	st->cl.apply=NULL;
	297	st->cl.interface=&st->ops;
	298	st->ops.st=st;
	299	st->ops.max_start_pad=28; /* 4byte seqnum, 16byte pad, 4byte MACIV,
	300	4byte IV */
	301	st->ops.max_end_pad=16; /* 16byte CBCMAC */
	302
	303	/* We need 256*2 bits for serpent keys, 32 bits for CBC-IV and 32 bits
	304	for CBCMAC-IV, and 32 bits for init sequence number */
	305	st->ops.keylen=REQUIRED_KEYLEN;
	306	st->ops.create=transform_create;
	307
	308	/* First parameter must be a dict */
	309	item=list_elem(args,0);
	310	if (!item \|\| item->type!=t_dict)
	311	cfgfatal(loc,"userv-ipif","parameter must be a dictionary\n");
	312
	313	dict=item->data.dict;
	314	st->max_seq_skew=dict_read_number(dict, "max-sequence-skew",
	315	False, "serpent-cbc256", loc, 10);
	316
	317	return new_closure(&st->cl);
	318	}
	319
2fe58dfd SE	320	void transform_module(dict_t *dict)
	321	{
	322	struct keyInstance k;
	323	uint8_t data[32];
3b83c932 SE	324	uint8_t plaintext[16];
	325	uint8_t ciphertext[16];
	326
	327	/*
	328	* Serpent self-test.
	329	*
af43f0b7 IJ	330	* This test pattern was taken directly from the Serpent test
	331	* vectors, which results in a big-endian Serpent which is not
	332	* compatible with other implementations.
3b83c932	333	*/
2fe58dfd SE	334
2fe58dfd SE	335	/* Serpent self-test */
3b83c932 SE	336	memcpy(data,
	337	"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff"
	338	"\xff\xee\xdd\xcc\xbb\xaa\x99\x88\x77\x66\x55\x44\x33\x22\x11\x00",
	339	32);
af43f0b7	340	serpentbe_makekey(&k,256,data);
3b83c932 SE	341
	342	memcpy(plaintext,
	343	"\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc\xba\x98\x76\x54\x32\x10",
	344	16);
af43f0b7	345	serpentbe_encrypt(&k,plaintext,ciphertext);
3b83c932 SE	346
	347	if (memcmp(ciphertext, "\xca\x7f\xa1\x93\xe3\xeb\x9e\x99"
	348	"\xbd\x87\xe3\xaf\x3c\x9a\xdf\x93", 16)) {
4f5e39ec	349	fatal("transform_module: serpent failed self-test (encrypt)");
2fe58dfd	350	}
af43f0b7	351	serpentbe_decrypt(&k,ciphertext,plaintext);
3b83c932 SE	352	if (memcmp(plaintext, "\x01\x23\x45\x67\x89\xab\xcd\xef"
3b83c932 SE	353	"\xfe\xdc\xba\x98\x76\x54\x32\x10", 16)) {
4f5e39ec	354	fatal("transform_module: serpent failed self-test (decrypt)");
2fe58dfd SE	355	}
	356
	357	add_closure(dict,"serpent256-cbc",transform_apply);
3b83c932 SE	358
	359	#ifdef TEST_WHOLE_TRANSFORM
	360	{
	361	struct transform *tr;
	362	void *ti;
	363	struct buffer_if buf;
	364	const char text[] = "This is a piece of test text.";
	365	char keymaterial[76] =
	366	"Seventy-six bytes i"
	367	"n four rows of 19; "
	368	"this looks almost l"
	369	"ike a poem but not.";
	370	const char *errmsg;
	371	int i;
	372
	373	tr = malloc(sizeof(struct transform));
	374	tr->max_seq_skew = 20;
	375	ti = transform_create(tr);
	376
	377	transform_setkey(ti, keymaterial, 76);
	378
	379	buf.base = malloc(4096);
	380	buffer_init(&buf, 2048);
	381	memcpy(buf_append(&buf, sizeof(text)), text, sizeof(text));
	382	if (transform_forward(ti, &buf, &errmsg)) {
	383	fatal("transform_forward test: %s", errmsg);
	384	}
	385	printf("transformed text is:\n");
	386	for (i = 0; i < buf.size; i++)
	387	printf("%02x%c", buf.start[i],
	388	(i%16==15 \|\| i==buf.size-1 ? '\n' : ' '));
	389	if (transform_reverse(ti, &buf, &errmsg)) {
	390	fatal("transform_reverse test: %s", errmsg);
	391	}
	392	printf("transform reversal worked OK\n");
	393	}
	394	#endif
2fe58dfd	395	}