[secnet] / transform.c

/* Transform module - bulk data transformation */

/* For now it's hard-coded to do sequence
   number/pkcs5/serpent-cbcmac/serpent with a 256 bit key for each
   instance of serpent. We also require key material for the IVs for
   cbcmac and cbc. Hack: we're not using full 128-bit IVs, we're just
   using 32 bits and encrypting to get the full IV to save space in
   the packets sent over the wire. */

#include <stdio.h>
#include <string.h>
#include "secnet.h"
#include "util.h"
#include "serpent.h"
#include "unaligned.h"

/* Required key length in bytes */
#define REQUIRED_KEYLEN ((512+64+32)/8)

#ifdef WORDS_BIGENDIAN
static inline uint32_t byteswap(uint32_t a)
{
    return
	((a&0x000000ff)<<24) |
	((a&0x0000ff00)<<8) |
	((a&0x00ff0000)>>8) |
	((a&0xff000000)>>24);
}
#endif

struct transform {
    closure_t cl;
    uint32_t line;
    struct transform_if ops;
    uint32_t max_seq_skew;
};

struct transform_inst {
    struct transform_inst_if ops;
    struct keyInstance cryptkey;
    struct keyInstance mackey;
    uint32_t cryptiv;
    uint32_t maciv;
    uint32_t sendseq;
    uint32_t lastrecvseq;
    uint32_t max_skew;
    bool_t keyed;
};

#define PKCS5_MASK 15

static bool_t transform_setkey(void *sst, uint8_t *key, uint32_t keylen)
{
    struct transform_inst *ti=sst;

    if (keylen<REQUIRED_KEYLEN) {
	Message(M_ERR,"transform_create: insufficient key material supplied "
		"(need %d bytes, got %d)\n",REQUIRED_KEYLEN,keylen);
	return False;
    }

#if 0
    {
	int i;
	printf("Setting key to: ");
	for (i=0; i<keylen; i++)
	    printf("%02x",key[i]);
	printf("\n");
    }
#endif /* 0 */

    serpent_makekey(&ti->cryptkey,256,key);
    serpent_makekey(&ti->mackey,256,key+32);
    ti->cryptiv=ntohl(*(uint32_t *)(key+64));
    ti->maciv=ntohl(*(uint32_t *)(key+68));
    ti->sendseq=ntohl(*(uint32_t *)(key+72));
    ti->lastrecvseq=ti->sendseq;
    ti->keyed=True;

    return True;
}

static void transform_delkey(void *sst)
{
    struct transform_inst *ti=sst;

    memset(&ti->cryptkey,0,sizeof(ti->cryptkey));
    memset(&ti->mackey,0,sizeof(ti->mackey));
    ti->keyed=False;
}

static uint32_t transform_forward(void *sst, struct buffer_if *buf,
				  char **errmsg)
{
    struct transform_inst *ti=sst;
    uint8_t *padp;
    int padlen;
    uint32_t iv[4];
    uint32_t macplain[4];
    uint32_t macacc[4];
    uint32_t *n, *p;

    if (!ti->keyed) {
	*errmsg="transform unkeyed";
	return 1;
    }

    /* Sequence number */
    buf_prepend_uint32(buf,ti->sendseq);
    ti->sendseq++;

    /* PKCS5, stolen from IWJ */
                                    /* eg with blocksize=4 mask=3 mask+2=5   */
                                    /* msgsize    20    21    22    23   24  */
    padlen= PKCS5_MASK-buf->size;   /*           -17   -18   -19   -16  -17  */
    padlen &= PKCS5_MASK;           /*             3     2     1     0    3  */
    padlen++;                       /*             4     3     2     1    4  */

    padp=buf_append(buf,padlen);
    memset(padp,padlen,padlen);

    /* Serpent-CBCMAC. We expand the IV from 32-bit to 128-bit using
       one encryption. Then we do the MAC and append the result. We don't
       bother sending the IV - it's the same each time. (If we wanted to send
       it we've have to add 16 bytes to each message, not 4, so that the
       message stays a multiple of 16 bytes long.) */
    memset(iv,0,16);
    iv[0]=ti->maciv;
    serpent_encrypt(&ti->mackey,iv,macacc);

    /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
       block encrypted once again. */
    for (n=(uint32_t *)buf->start; n<(uint32_t *)(buf->start+buf->size); n+=4)
    {
#ifdef WORDS_BIGENDIAN
	macplain[0]=macacc[0]^byteswap(n[0]);
	macplain[1]=macacc[1]^byteswap(n[1]);
	macplain[2]=macacc[2]^byteswap(n[2]);
	macplain[3]=macacc[3]^byteswap(n[3]);
#else
	macplain[0]=macacc[0]^n[0];
	macplain[1]=macacc[1]^n[1];
	macplain[2]=macacc[2]^n[2];
	macplain[3]=macacc[3]^n[3];
#endif
	serpent_encrypt(&ti->mackey,macplain,macacc);
    }
    serpent_encrypt(&ti->mackey,macacc,macacc);
#ifdef WORDS_BIGENDIAN
    macacc[0]=byteswap(macacc[0]);
    macacc[1]=byteswap(macacc[1]);
    macacc[2]=byteswap(macacc[2]);
    macacc[3]=byteswap(macacc[3]);
#endif
    memcpy(buf_append(buf,16),macacc,16);

    /* Serpent-CBC. We expand the ID as for CBCMAC, do the encryption,
       and prepend the IV before increasing it. */
    memset(iv,0,16);
    iv[0]=ti->cryptiv;
    serpent_encrypt(&ti->cryptkey,iv,iv);

    /* CBC: each block is XORed with the previous encrypted block (or the IV)
       before being encrypted. */
    p=iv;
#ifdef WORDS_BIGENDIAN
    /* This counters the byteswap() in the first half of the loop, which in
       turn counters the byteswap() in the second half of the loop. Ick. */
    iv[0]=byteswap(iv[0]);
    iv[1]=byteswap(iv[1]);
    iv[2]=byteswap(iv[2]);
    iv[3]=byteswap(iv[3]);
#endif
    for (n=(uint32_t *)buf->start; n<(uint32_t *)(buf->start+buf->size); n+=4)
    {
#ifdef WORDS_BIGENDIAN
	/* Think of this as byteswap(p[x])^byteswap(n[x]) */
	n[0]=byteswap(p[0]^n[0]);
	n[1]=byteswap(p[1]^n[1]);
	n[2]=byteswap(p[2]^n[2]);
	n[3]=byteswap(p[3]^n[3]);
#else
	n[0]=p[0]^n[0];
	n[1]=p[1]^n[1];
	n[2]=p[2]^n[2];
	n[3]=p[3]^n[3];
#endif
	serpent_encrypt(&ti->cryptkey,n,n);
#ifdef WORDS_BIGENDIAN
	n[0]=byteswap(n[0]);
	n[1]=byteswap(n[1]);
	n[2]=byteswap(n[2]);
	n[3]=byteswap(n[3]);
#endif
	p=n;
    }

    buf_prepend_uint32(buf,ti->cryptiv);
    ti->cryptiv++;
    return 0;
}

static uint32_t transform_reverse(void *sst, struct buffer_if *buf,
				  char **errmsg)
{
    struct transform_inst *ti=sst;
    uint8_t *padp;
    unsigned padlen;
    int i;
    uint32_t seqnum, skew;
    uint32_t iv[4];
    uint32_t pct[4];
    uint32_t macplain[4];
    uint32_t macacc[4];
    uint32_t *n;
    uint32_t *macexpected;

    if (!ti->keyed) {
	*errmsg="transform unkeyed";
	return 1;
    }


    /* CBC */
    memset(iv,0,16);
    iv[0]=buf_unprepend_uint32(buf);
    /* Assert bufsize is multiple of blocksize */
    if (buf->size&0xf) {
	*errmsg="msg not multiple of cipher blocksize";
    }
    serpent_encrypt(&ti->cryptkey,iv,iv);
    for (n=(uint32_t *)buf->start; n<(uint32_t *)(buf->start+buf->size); n+=4)
    {
#ifdef WORDS_BIGENDIAN
	n[0]=byteswap(n[0]);
	n[1]=byteswap(n[1]);
	n[2]=byteswap(n[2]);
	n[3]=byteswap(n[3]);
#endif
	pct[0]=n[0]; pct[1]=n[1]; pct[2]=n[2]; pct[3]=n[3];
	serpent_decrypt(&ti->cryptkey,n,n);
#ifdef WORDS_BIGENDIAN
	n[0]=byteswap(iv[0]^n[0]);
	n[1]=byteswap(iv[1]^n[1]);
	n[2]=byteswap(iv[2]^n[2]);
	n[3]=byteswap(iv[3]^n[3]);
#else
	n[0]=iv[0]^n[0];
	n[1]=iv[1]^n[1];
	n[2]=iv[2]^n[2];
	n[3]=iv[3]^n[3];
#endif
	iv[0]=pct[0]; iv[1]=pct[1]; iv[2]=pct[2]; iv[3]=pct[3];
    }

    /* CBCMAC */
    macexpected=buf_unappend(buf,16);
    memset(iv,0,16);
    iv[0]=ti->maciv;
    serpent_encrypt(&ti->mackey,iv,macacc);

    /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
       block encrypted once again. */
    for (n=(uint32_t *)buf->start; n<(uint32_t *)(buf->start+buf->size); n+=4)
    {
#ifdef WORDS_BIGENDIAN
	macplain[0]=macacc[0]^byteswap(n[0]);
	macplain[1]=macacc[1]^byteswap(n[1]);
	macplain[2]=macacc[2]^byteswap(n[2]);
	macplain[3]=macacc[3]^byteswap(n[3]);
#else
	macplain[0]=macacc[0]^n[0];
	macplain[1]=macacc[1]^n[1];
	macplain[2]=macacc[2]^n[2];
	macplain[3]=macacc[3]^n[3];
#endif
	serpent_encrypt(&ti->mackey,macplain,macacc);
    }
    serpent_encrypt(&ti->mackey,macacc,macacc);
#ifdef WORDS_BIGENDIAN
    macacc[0]=byteswap(macacc[0]);
    macacc[1]=byteswap(macacc[1]);
    macacc[2]=byteswap(macacc[2]);
    macacc[3]=byteswap(macacc[3]);
#endif
    if (memcmp(macexpected,macacc,16)!=0) {
	*errmsg="invalid MAC";
	return 1;
    }

    /* PKCS5, stolen from IWJ */

    padp=buf_unappend(buf,1);
    padlen=*padp;
    if (!padlen || (padlen > PKCS5_MASK+1)) {
	*errmsg="pkcs5: invalid length";
	return 1;
    }

    padp=buf_unappend(buf,padlen-1);
    for (i=0; i<padlen-1; i++) {
	if (*++padp != padlen) {
	    *errmsg="pkcs5: corrupted padding";
	    return 1;
	}
    }

    /* Sequence number must be within max_skew of lastrecvseq; lastrecvseq
       is only allowed to increase. */
    seqnum=buf_unprepend_uint32(buf);
    skew=seqnum-ti->lastrecvseq;
    if (skew<0x8fffffff) {
	/* Ok */
	ti->lastrecvseq=seqnum;
    } else if ((0-skew)<ti->max_skew) {
	/* Ok */
    } else {
	/* Too much skew */
	*errmsg="seqnum: too much skew";
	return 1;
    }
    
    return 0;
}

static void transform_destroy(void *sst)
{
    struct transform_inst *st=sst;

    memset(st,0,sizeof(*st)); /* Destroy key material */
    free(st);
}

static struct transform_inst_if *transform_create(void *sst)
{
    struct transform_inst *ti;
    struct transform *st=sst;

    ti=safe_malloc(sizeof(*ti),"transform_create");
    /* mlock XXX */

    ti->ops.st=ti;
    ti->ops.setkey=transform_setkey;
    ti->ops.delkey=transform_delkey;
    ti->ops.forwards=transform_forward;
    ti->ops.reverse=transform_reverse;
    ti->ops.destroy=transform_destroy;
    ti->max_skew=st->max_seq_skew;
    ti->keyed=False;

    return &ti->ops;
}

static list_t *transform_apply(closure_t *self, struct cloc loc,
			       dict_t *context, list_t *args)
{
    struct transform *st;
    item_t *item;
    dict_t *dict;

    st=safe_malloc(sizeof(*st),"serpent");
    st->cl.description="serpent-cbc256";
    st->cl.type=CL_TRANSFORM;
    st->cl.apply=NULL;
    st->cl.interface=&st->ops;
    st->ops.st=st;
    st->ops.max_start_pad=28; /* 4byte seqnum, 16byte pad, 4byte MACIV,
				 4byte IV */
    st->ops.max_end_pad=16; /* 16byte CBCMAC */

    /* We need 256*2 bits for serpent keys, 32 bits for CBC-IV and 32 bits
       for CBCMAC-IV, and 32 bits for init sequence number */
    st->ops.keylen=REQUIRED_KEYLEN;
    st->ops.create=transform_create;

    /* First parameter must be a dict */
    item=list_elem(args,0);
    if (!item || item->type!=t_dict)
	cfgfatal(loc,"userv-ipif","parameter must be a dictionary\n");
    
    dict=item->data.dict;
    st->max_seq_skew=dict_read_number(dict, "max-sequence-skew",
				      False, "serpent-cbc256", loc, 10);

    return new_closure(&st->cl);
}

init_module transform_module;
void transform_module(dict_t *dict)
{
    struct keyInstance k;
    uint8_t data[32];
    uint32_t plaintext[4];
    uint32_t ciphertext[4];

    /* Serpent self-test */
    memset(data,0,32);
    serpent_makekey(&k,256,data);
    plaintext[0]=0x00000000;
    plaintext[1]=0x00000001;
    plaintext[2]=0x00000002;
    plaintext[3]=0x00000003;
    serpent_encrypt(&k,plaintext,ciphertext);
    if (ciphertext[3]!=0x7ca73bb0 ||
	ciphertext[2]!=0x83C31E69 ||
	ciphertext[1]!=0xec52bd82 ||
	ciphertext[0]!=0x27a46120) {
	fatal("transform_module: serpent failed self-test (encrypt)\n");
    }
    serpent_decrypt(&k,ciphertext,plaintext);
    if (plaintext[0]!=0 ||
	plaintext[1]!=1 ||
	plaintext[2]!=2 ||
	plaintext[3]!=3) {
	fatal("transform_module: serpent failed self-test (decrypt)\n");
    }

    add_closure(dict,"serpent256-cbc",transform_apply);
}
Commit	Line	Data
2fe58dfd SE	1	/* Transform module - bulk data transformation */
	2
	3	/* For now it's hard-coded to do sequence
	4	number/pkcs5/serpent-cbcmac/serpent with a 256 bit key for each
	5	instance of serpent. We also require key material for the IVs for
	6	cbcmac and cbc. Hack: we're not using full 128-bit IVs, we're just
	7	using 32 bits and encrypting to get the full IV to save space in
	8	the packets sent over the wire. */
	9
	10	#include <stdio.h>
469fd1d9	11	#include <string.h>
2fe58dfd SE	12	#include "secnet.h"
	13	#include "util.h"
	14	#include "serpent.h"
59635212	15	#include "unaligned.h"
2fe58dfd SE	16
	17	/* Required key length in bytes */
	18	#define REQUIRED_KEYLEN ((512+64+32)/8)
	19
59635212 SE	20	#ifdef WORDS_BIGENDIAN
	21	static inline uint32_t byteswap(uint32_t a)
	22	{
	23	return
	24	((a&0x000000ff)<<24) \|
	25	((a&0x0000ff00)<<8) \|
	26	((a&0x00ff0000)>>8) \|
	27	((a&0xff000000)>>24);
	28	}
	29	#endif
	30
2fe58dfd SE	31	struct transform {
	32	closure_t cl;
	33	uint32_t line;
	34	struct transform_if ops;
	35	uint32_t max_seq_skew;
	36	};
	37
	38	struct transform_inst {
	39	struct transform_inst_if ops;
	40	struct keyInstance cryptkey;
	41	struct keyInstance mackey;
	42	uint32_t cryptiv;
	43	uint32_t maciv;
	44	uint32_t sendseq;
	45	uint32_t lastrecvseq;
	46	uint32_t max_skew;
	47	bool_t keyed;
	48	};
	49
	50	#define PKCS5_MASK 15
	51
	52	static bool_t transform_setkey(void sst, uint8_t key, uint32_t keylen)
	53	{
	54	struct transform_inst *ti=sst;
	55
	56	if (keylen<REQUIRED_KEYLEN) {
469fd1d9	57	Message(M_ERR,"transform_create: insufficient key material supplied "
2fe58dfd SE	58	"(need %d bytes, got %d)\n",REQUIRED_KEYLEN,keylen);
	59	return False;
	60	}
	61
	62	#if 0
	63	{
	64	int i;
	65	printf("Setting key to: ");
	66	for (i=0; i<keylen; i++)
	67	printf("%02x",key[i]);
	68	printf("\n");
	69	}
	70	#endif /* 0 */
	71
	72	serpent_makekey(&ti->cryptkey,256,key);
	73	serpent_makekey(&ti->mackey,256,key+32);
59635212 SE	74	ti->cryptiv=ntohl((uint32_t )(key+64));
	75	ti->maciv=ntohl((uint32_t )(key+68));
	76	ti->sendseq=ntohl((uint32_t )(key+72));
2fe58dfd SE	77	ti->lastrecvseq=ti->sendseq;
	78	ti->keyed=True;
	79
	80	return True;
	81	}
	82
	83	static void transform_delkey(void *sst)
	84	{
	85	struct transform_inst *ti=sst;
	86
	87	memset(&ti->cryptkey,0,sizeof(ti->cryptkey));
	88	memset(&ti->mackey,0,sizeof(ti->mackey));
	89	ti->keyed=False;
	90	}
	91
	92	static uint32_t transform_forward(void sst, struct buffer_if buf,
	93	char **errmsg)
	94	{
	95	struct transform_inst *ti=sst;
	96	uint8_t *padp;
	97	int padlen;
	98	uint32_t iv[4];
	99	uint32_t macplain[4];
	100	uint32_t macacc[4];
	101	uint32_t n, p;
	102
	103	if (!ti->keyed) {
	104	*errmsg="transform unkeyed";
	105	return 1;
	106	}
	107
	108	/* Sequence number */
59635212	109	buf_prepend_uint32(buf,ti->sendseq);
2fe58dfd SE	110	ti->sendseq++;
	111
	112	/* PKCS5, stolen from IWJ */
	113	/* eg with blocksize=4 mask=3 mask+2=5 */
	114	/* msgsize 20 21 22 23 24 */
	115	padlen= PKCS5_MASK-buf->size; /* -17 -18 -19 -16 -17 */
	116	padlen &= PKCS5_MASK; /* 3 2 1 0 3 */
	117	padlen++; /* 4 3 2 1 4 */
	118
	119	padp=buf_append(buf,padlen);
	120	memset(padp,padlen,padlen);
	121
	122	/* Serpent-CBCMAC. We expand the IV from 32-bit to 128-bit using
	123	one encryption. Then we do the MAC and append the result. We don't
	124	bother sending the IV - it's the same each time. (If we wanted to send
	125	it we've have to add 16 bytes to each message, not 4, so that the
	126	message stays a multiple of 16 bytes long.) */
	127	memset(iv,0,16);
	128	iv[0]=ti->maciv;
	129	serpent_encrypt(&ti->mackey,iv,macacc);
	130
	131	/* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
	132	block encrypted once again. */
	133	for (n=(uint32_t )buf->start; n<(uint32_t )(buf->start+buf->size); n+=4)
	134	{
59635212 SE	135	#ifdef WORDS_BIGENDIAN
	136	macplain[0]=macacc[0]^byteswap(n[0]);
	137	macplain[1]=macacc[1]^byteswap(n[1]);
	138	macplain[2]=macacc[2]^byteswap(n[2]);
	139	macplain[3]=macacc[3]^byteswap(n[3]);
	140	#else
2fe58dfd SE	141	macplain[0]=macacc[0]^n[0];
	142	macplain[1]=macacc[1]^n[1];
	143	macplain[2]=macacc[2]^n[2];
	144	macplain[3]=macacc[3]^n[3];
59635212	145	#endif
2fe58dfd SE	146	serpent_encrypt(&ti->mackey,macplain,macacc);
	147	}
	148	serpent_encrypt(&ti->mackey,macacc,macacc);
59635212 SE	149	#ifdef WORDS_BIGENDIAN
	150	macacc[0]=byteswap(macacc[0]);
	151	macacc[1]=byteswap(macacc[1]);
	152	macacc[2]=byteswap(macacc[2]);
	153	macacc[3]=byteswap(macacc[3]);
	154	#endif
2fe58dfd SE	155	memcpy(buf_append(buf,16),macacc,16);
	156
	157	/* Serpent-CBC. We expand the ID as for CBCMAC, do the encryption,
	158	and prepend the IV before increasing it. */
	159	memset(iv,0,16);
	160	iv[0]=ti->cryptiv;
	161	serpent_encrypt(&ti->cryptkey,iv,iv);
	162
	163	/* CBC: each block is XORed with the previous encrypted block (or the IV)
	164	before being encrypted. */
	165	p=iv;
8689b3a9 SE	166	#ifdef WORDS_BIGENDIAN
	167	/* This counters the byteswap() in the first half of the loop, which in
	168	turn counters the byteswap() in the second half of the loop. Ick. */
	169	iv[0]=byteswap(iv[0]);
	170	iv[1]=byteswap(iv[1]);
	171	iv[2]=byteswap(iv[2]);
	172	iv[3]=byteswap(iv[3]);
	173	#endif
2fe58dfd SE	174	for (n=(uint32_t )buf->start; n<(uint32_t )(buf->start+buf->size); n+=4)
2fe58dfd SE	175	{
59635212	176	#ifdef WORDS_BIGENDIAN
8689b3a9	177	/* Think of this as byteswap(p[x])^byteswap(n[x]) */
59635212 SE	178	n[0]=byteswap(p[0]^n[0]);
	179	n[1]=byteswap(p[1]^n[1]);
	180	n[2]=byteswap(p[2]^n[2]);
	181	n[3]=byteswap(p[3]^n[3]);
	182	#else
2fe58dfd SE	183	n[0]=p[0]^n[0];
	184	n[1]=p[1]^n[1];
	185	n[2]=p[2]^n[2];
	186	n[3]=p[3]^n[3];
59635212	187	#endif
2fe58dfd	188	serpent_encrypt(&ti->cryptkey,n,n);
8689b3a9 SE	189	#ifdef WORDS_BIGENDIAN
	190	n[0]=byteswap(n[0]);
	191	n[1]=byteswap(n[1]);
	192	n[2]=byteswap(n[2]);
	193	n[3]=byteswap(n[3]);
	194	#endif
2fe58dfd SE	195	p=n;
	196	}
	197
59635212	198	buf_prepend_uint32(buf,ti->cryptiv);
2fe58dfd	199	ti->cryptiv++;
2fe58dfd SE	200	return 0;
	201	}
	202
	203	static uint32_t transform_reverse(void sst, struct buffer_if buf,
	204	char **errmsg)
	205	{
	206	struct transform_inst *ti=sst;
	207	uint8_t *padp;
	208	unsigned padlen;
	209	int i;
	210	uint32_t seqnum, skew;
	211	uint32_t iv[4];
	212	uint32_t pct[4];
	213	uint32_t macplain[4];
	214	uint32_t macacc[4];
	215	uint32_t *n;
	216	uint32_t *macexpected;
	217
	218	if (!ti->keyed) {
	219	*errmsg="transform unkeyed";
	220	return 1;
	221	}
	222
8689b3a9	223
2fe58dfd SE	224	/* CBC */
2fe58dfd SE	225	memset(iv,0,16);
59635212	226	iv[0]=buf_unprepend_uint32(buf);
8689b3a9 SE	227	/* Assert bufsize is multiple of blocksize */
	228	if (buf->size&0xf) {
	229	*errmsg="msg not multiple of cipher blocksize";
	230	}
2fe58dfd	231	serpent_encrypt(&ti->cryptkey,iv,iv);
2fe58dfd SE	232	for (n=(uint32_t )buf->start; n<(uint32_t )(buf->start+buf->size); n+=4)
2fe58dfd SE	233	{
8689b3a9 SE	234	#ifdef WORDS_BIGENDIAN
	235	n[0]=byteswap(n[0]);
	236	n[1]=byteswap(n[1]);
	237	n[2]=byteswap(n[2]);
	238	n[3]=byteswap(n[3]);
	239	#endif
2fe58dfd SE	240	pct[0]=n[0]; pct[1]=n[1]; pct[2]=n[2]; pct[3]=n[3];
2fe58dfd SE	241	serpent_decrypt(&ti->cryptkey,n,n);
59635212 SE	242	#ifdef WORDS_BIGENDIAN
	243	n[0]=byteswap(iv[0]^n[0]);
	244	n[1]=byteswap(iv[1]^n[1]);
	245	n[2]=byteswap(iv[2]^n[2]);
	246	n[3]=byteswap(iv[3]^n[3]);
	247	#else
2fe58dfd SE	248	n[0]=iv[0]^n[0];
	249	n[1]=iv[1]^n[1];
	250	n[2]=iv[2]^n[2];
	251	n[3]=iv[3]^n[3];
59635212	252	#endif
2fe58dfd SE	253	iv[0]=pct[0]; iv[1]=pct[1]; iv[2]=pct[2]; iv[3]=pct[3];
	254	}
	255
	256	/* CBCMAC */
	257	macexpected=buf_unappend(buf,16);
	258	memset(iv,0,16);
	259	iv[0]=ti->maciv;
	260	serpent_encrypt(&ti->mackey,iv,macacc);
	261
	262	/* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
	263	block encrypted once again. */
	264	for (n=(uint32_t )buf->start; n<(uint32_t )(buf->start+buf->size); n+=4)
	265	{
59635212 SE	266	#ifdef WORDS_BIGENDIAN
	267	macplain[0]=macacc[0]^byteswap(n[0]);
	268	macplain[1]=macacc[1]^byteswap(n[1]);
	269	macplain[2]=macacc[2]^byteswap(n[2]);
	270	macplain[3]=macacc[3]^byteswap(n[3]);
	271	#else
2fe58dfd SE	272	macplain[0]=macacc[0]^n[0];
	273	macplain[1]=macacc[1]^n[1];
	274	macplain[2]=macacc[2]^n[2];
	275	macplain[3]=macacc[3]^n[3];
59635212	276	#endif
2fe58dfd SE	277	serpent_encrypt(&ti->mackey,macplain,macacc);
	278	}
	279	serpent_encrypt(&ti->mackey,macacc,macacc);
59635212 SE	280	#ifdef WORDS_BIGENDIAN
	281	macacc[0]=byteswap(macacc[0]);
	282	macacc[1]=byteswap(macacc[1]);
	283	macacc[2]=byteswap(macacc[2]);
	284	macacc[3]=byteswap(macacc[3]);
	285	#endif
2fe58dfd SE	286	if (memcmp(macexpected,macacc,16)!=0) {
	287	*errmsg="invalid MAC";
	288	return 1;
	289	}
	290
	291	/* PKCS5, stolen from IWJ */
	292
	293	padp=buf_unappend(buf,1);
	294	padlen=*padp;
	295	if (!padlen \|\| (padlen > PKCS5_MASK+1)) {
	296	*errmsg="pkcs5: invalid length";
	297	return 1;
	298	}
	299
	300	padp=buf_unappend(buf,padlen-1);
	301	for (i=0; i<padlen-1; i++) {
	302	if (*++padp != padlen) {
	303	*errmsg="pkcs5: corrupted padding";
	304	return 1;
	305	}
	306	}
	307
	308	/* Sequence number must be within max_skew of lastrecvseq; lastrecvseq
	309	is only allowed to increase. */
59635212	310	seqnum=buf_unprepend_uint32(buf);
2fe58dfd	311	skew=seqnum-ti->lastrecvseq;
c6f79b17	312	if (skew<0x8fffffff) {
2fe58dfd SE	313	/* Ok */
2fe58dfd SE	314	ti->lastrecvseq=seqnum;
c6f79b17	315	} else if ((0-skew)<ti->max_skew) {
2fe58dfd SE	316	/* Ok */
	317	} else {
	318	/* Too much skew */
	319	*errmsg="seqnum: too much skew";
	320	return 1;
	321	}
	322
	323	return 0;
	324	}
	325
	326	static void transform_destroy(void *sst)
	327	{
	328	struct transform_inst *st=sst;
	329
	330	memset(st,0,sizeof(st)); / Destroy key material */
	331	free(st);
	332	}
	333
	334	static struct transform_inst_if transform_create(void sst)
	335	{
	336	struct transform_inst *ti;
	337	struct transform *st=sst;
	338
	339	ti=safe_malloc(sizeof(*ti),"transform_create");
	340	/* mlock XXX */
	341
	342	ti->ops.st=ti;
	343	ti->ops.setkey=transform_setkey;
	344	ti->ops.delkey=transform_delkey;
	345	ti->ops.forwards=transform_forward;
	346	ti->ops.reverse=transform_reverse;
	347	ti->ops.destroy=transform_destroy;
	348	ti->max_skew=st->max_seq_skew;
	349	ti->keyed=False;
	350
	351	return &ti->ops;
	352	}
	353
	354	static list_t transform_apply(closure_t self, struct cloc loc,
	355	dict_t context, list_t args)
	356	{
	357	struct transform *st;
	358	item_t *item;
	359	dict_t *dict;
	360
	361	st=safe_malloc(sizeof(*st),"serpent");
	362	st->cl.description="serpent-cbc256";
	363	st->cl.type=CL_TRANSFORM;
	364	st->cl.apply=NULL;
	365	st->cl.interface=&st->ops;
	366	st->ops.st=st;
	367	st->ops.max_start_pad=28; /* 4byte seqnum, 16byte pad, 4byte MACIV,
	368	4byte IV */
	369	st->ops.max_end_pad=16; /* 16byte CBCMAC */
	370
	371	/* We need 256*2 bits for serpent keys, 32 bits for CBC-IV and 32 bits
	372	for CBCMAC-IV, and 32 bits for init sequence number */
	373	st->ops.keylen=REQUIRED_KEYLEN;
	374	st->ops.create=transform_create;
	375
	376	/* First parameter must be a dict */
	377	item=list_elem(args,0);
	378	if (!item \|\| item->type!=t_dict)
	379	cfgfatal(loc,"userv-ipif","parameter must be a dictionary\n");
380
381	dict=item->data.dict;
382	st->max_seq_skew=dict_read_number(dict, "max-sequence-skew",
383	False, "serpent-cbc256", loc, 10);
384
385	return new_closure(&st->cl);
386	}
387
388	init_module transform_module;
389	void transform_module(dict_t *dict)
390	{
391	struct keyInstance k;
392	uint8_t data[32];
393	uint32_t plaintext[4];
394	uint32_t ciphertext[4];
395
396	/* Serpent self-test */
397	memset(data,0,32);
398	serpent_makekey(&k,256,data);
399	plaintext[0]=0x00000000;
400	plaintext[1]=0x00000001;
401	plaintext[2]=0x00000002;
402	plaintext[3]=0x00000003;
403	serpent_encrypt(&k,plaintext,ciphertext);
404	if (ciphertext[3]!=0x7ca73bb0 \|\|
405	ciphertext[2]!=0x83C31E69 \|\|
406	ciphertext[1]!=0xec52bd82 \|\|
407	ciphertext[0]!=0x27a46120) {
408	fatal("transform_module: serpent failed self-test (encrypt)\n");
409	}
410	serpent_decrypt(&k,ciphertext,plaintext);
411	if (plaintext[0]!=0 \|\|
412	plaintext[1]!=1 \|\|
413	plaintext[2]!=2 \|\|
414	plaintext[3]!=3) {
415	fatal("transform_module: serpent failed self-test (decrypt)\n");
416	}
417
418	add_closure(dict,"serpent256-cbc",transform_apply);
419	}