[secnet] / transform-cbcmac.c

/* Transform module - bulk data transformation */

/*
 * This file is part of secnet.
 * See README for full list of copyright holders.
 *
 * secnet is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 * 
 * secnet is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 * 
 * You should have received a copy of the GNU General Public License
 * version 3 along with secnet; if not, see
 * https://www.gnu.org/licenses/gpl.html.
 */

/* For now it's hard-coded to do sequence
   number/pkcs5/serpent-cbcmac/serpent with a 256 bit key for each
   instance of serpent. We also require key material for the IVs for
   cbcmac and cbc. Hack: we're not using full 128-bit IVs, we're just
   using 32 bits and encrypting to get the full IV to save space in
   the packets sent over the wire. */

#include <stdio.h>
#include <string.h>
#include "secnet.h"
#include "util.h"
#include "serpent.h"
#include "unaligned.h"
#include "hexdebug.h"

/* Required key length in bytes */
#define REQUIRED_KEYLEN ((512+64+32)/8)

#include "transform-common.h"

struct transform_params {
    SEQNUM_PARAMS_FIELDS;
};

struct transform {
    closure_t cl;
    struct transform_if ops;
    struct transform_params p;
};

struct transform_inst {
    struct transform_inst_if ops;
    struct transform_params p;
    struct keyInstance cryptkey;
    struct keyInstance mackey;
    uint32_t cryptiv;
    uint32_t maciv;
    SEQNUM_KEYED_FIELDS;
};

#define PKCS5_MASK 15

static bool_t transform_setkey(void *sst, uint8_t *key, int32_t keylen,
			       bool_t direction)
{
    struct transform_inst *ti=sst;

    if (keylen<REQUIRED_KEYLEN) {
	Message(M_ERR,"transform_create: insufficient key material supplied "
		"(need %d bytes, got %d)\n",REQUIRED_KEYLEN,keylen);
	return False;
    }

#if 0
    {
	printf("Setting key to: ");
	hexdebug(stdout,key,keylen);
	printf("\n");
    }
#endif /* 0 */

    serpentbe_makekey(&ti->cryptkey,256,key);
    serpentbe_makekey(&ti->mackey,256,key+32);
    ti->cryptiv=get_uint32(key+64);
    ti->maciv=get_uint32(key+68);
    uint32_t firstseq=get_uint32(key+72);
    SEQNUM_KEYED_INIT(firstseq,firstseq);

    return True;
}

TRANSFORM_VALID;

static void transform_delkey(void *sst)
{
    struct transform_inst *ti=sst;

    FILLZERO(ti->cryptkey);
    FILLZERO(ti->mackey);
    ti->keyed=False;
}

static transform_apply_return transform_forward(void *sst,
            struct buffer_if *buf, const char **errmsg)
{
    struct transform_inst *ti=sst;
    uint8_t *padp;
    int padlen;
    uint8_t iv[16];
    uint8_t macplain[16];
    uint8_t macacc[16];
    uint8_t *p, *n;
    int i;

    KEYED_CHECK;

    /* Sequence number */
    buf_prepend_uint32(buf,ti->sendseq);
    ti->sendseq++;

    /* PKCS5, stolen from IWJ */
                                    /* eg with blocksize=4 mask=3 mask+2=5   */
                                    /* msgsize    20    21    22    23   24  */
    padlen= PKCS5_MASK-buf->size;   /*           -17   -18   -19   -16  -17  */
    padlen &= PKCS5_MASK;           /*             3     2     1     0    3  */
    padlen++;                       /*             4     3     2     1    4  */

    padp=buf_append(buf,padlen);
    memset(padp,padlen,padlen);

    /* Serpent-CBCMAC. We expand the IV from 32-bit to 128-bit using
       one encryption. Then we do the MAC and append the result. We don't
       bother sending the IV - it's the same each time. (If we wanted to send
       it we've have to add 16 bytes to each message, not 4, so that the
       message stays a multiple of 16 bytes long.) */
    FILLZERO(iv);
    put_uint32(iv, ti->maciv);
    serpentbe_encrypt(&ti->mackey,iv,macacc);

    /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
       block encrypted once again. */
    for (n=buf->start; n<buf->start+buf->size; n+=16)
    {
	for (i = 0; i < 16; i++)
	    macplain[i] = macacc[i] ^ n[i];
	serpentbe_encrypt(&ti->mackey,macplain,macacc);
    }
    serpentbe_encrypt(&ti->mackey,macacc,macacc);
    BUF_ADD_BYTES(append,buf,macacc,16);

    /* Serpent-CBC. We expand the ID as for CBCMAC, do the encryption,
       and prepend the IV before increasing it. */
    FILLZERO(iv);
    put_uint32(iv, ti->cryptiv);
    serpentbe_encrypt(&ti->cryptkey,iv,iv);

    /* CBC: each block is XORed with the previous encrypted block (or the IV)
       before being encrypted. */
    p=iv;

    for (n=buf->start; n<buf->start+buf->size; n+=16)
    {
	for (i = 0; i < 16; i++)
	    n[i] ^= p[i];
	serpentbe_encrypt(&ti->cryptkey,n,n);
	p=n;
    }

    buf_prepend_uint32(buf,ti->cryptiv);
    ti->cryptiv++;
    return 0;
}

static transform_apply_return transform_reverse(void *sst,
                struct buffer_if *buf, const char **errmsg)
{
    struct transform_inst *ti=sst;
    uint8_t *padp;
    int padlen;
    int i;
    uint32_t seqnum;
    uint8_t iv[16];
    uint8_t pct[16];
    uint8_t macplain[16];
    uint8_t macacc[16];
    uint8_t *n;
    uint8_t *macexpected;

    KEYED_CHECK;

    if (buf->size < 4 + 16 + 16) {
	*errmsg="msg too short";
	return transform_apply_err;
    }

    /* CBC */
    FILLZERO(iv);
    {
	uint32_t ivword = buf_unprepend_uint32(buf);
	put_uint32(iv, ivword);
    }
    /* Assert bufsize is multiple of blocksize */
    if (buf->size&0xf) {
	*errmsg="msg not multiple of cipher blocksize";
	return transform_apply_err;
    }
    serpentbe_encrypt(&ti->cryptkey,iv,iv);
    for (n=buf->start; n<buf->start+buf->size; n+=16)
    {
	for (i = 0; i < 16; i++)
	    pct[i] = n[i];
	serpentbe_decrypt(&ti->cryptkey,n,n);
	for (i = 0; i < 16; i++)
	    n[i] ^= iv[i];
	COPY_OBJ(iv, pct);
    }

    /* CBCMAC */
    macexpected=buf_unappend(buf,16);
    FILLZERO(iv);
    put_uint32(iv, ti->maciv);
    serpentbe_encrypt(&ti->mackey,iv,macacc);

    /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
       block encrypted once again. */
    for (n=buf->start; n<buf->start+buf->size; n+=16)
    {
	for (i = 0; i < 16; i++)
	    macplain[i] = macacc[i] ^ n[i];
	serpentbe_encrypt(&ti->mackey,macplain,macacc);
    }
    serpentbe_encrypt(&ti->mackey,macacc,macacc);
    if (!consttime_memeq(macexpected,macacc,16)) {
	*errmsg="invalid MAC";
	return transform_apply_err;
    }

    /* PKCS5, stolen from IWJ */

    padp=buf_unappend(buf,1);
    padlen=*padp;
    if (!padlen || (padlen > PKCS5_MASK+1)) {
	*errmsg="pkcs5: invalid length";
	return transform_apply_err;
    }

    buf_unappend(buf,padlen-1);

    /* Sequence number must be within max_skew of lastrecvseq; lastrecvseq
       is only allowed to increase. */
    seqnum=buf_unprepend_uint32(buf);
    SEQNUM_CHECK(seqnum, &ti->p);
    
    return 0;
}

TRANSFORM_DESTROY;

static struct transform_inst_if *transform_create(void *sst)
{
    struct transform *st=sst;

    TRANSFORM_CREATE_CORE;

    ti->p=st->p;

    return &ti->ops;
}

static list_t *transform_apply(closure_t *self, struct cloc loc,
			       dict_t *context, list_t *args)
{
    struct transform *st;
    item_t *item;
    dict_t *dict;

    NEW(st);
    st->cl.description="serpent-cbc256";
    st->cl.type=CL_TRANSFORM;
    st->cl.apply=NULL;
    st->cl.interface=&st->ops;
    st->ops.st=st;
    update_max_start_pad(&transform_max_start_pad, 28);
        /* 4byte seqnum, 16byte pad, 4byte MACIV, 4byte IV */

    /* We need 256*2 bits for serpent keys, 32 bits for CBC-IV and 32 bits
       for CBCMAC-IV, and 32 bits for init sequence number */
    st->ops.keylen=REQUIRED_KEYLEN;
    st->ops.create=transform_create;

    /* First parameter must be a dict */
    item=list_elem(args,0);
    if (!item || item->type!=t_dict)
	cfgfatal(loc,"serpent256-cbc","parameter must be a dictionary\n");
    
    dict=item->data.dict;

    SEQNUM_PARAMS_INIT(dict,&st->p,"serpent-cbc256",loc);

    SET_CAPAB_TRANSFORMNUM(CAPAB_TRANSFORMNUM_SERPENT256CBC);

    return new_closure(&st->cl);
}

void transform_cbcmac_module(dict_t *dict)
{
    struct keyInstance k;
    uint8_t data[32];
    uint8_t plaintext[16];
    uint8_t ciphertext[16];

    /*
     * Serpent self-test.
     * 
     * This test pattern was taken directly from the Serpent test
     * vectors, which results in a big-endian Serpent which is not
     * compatible with other implementations.
     */

    /* Serpent self-test */
    memcpy(data,
           "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff"
           "\xff\xee\xdd\xcc\xbb\xaa\x99\x88\x77\x66\x55\x44\x33\x22\x11\x00",
           32);
    serpentbe_makekey(&k,256,data);

    memcpy(plaintext,
           "\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc\xba\x98\x76\x54\x32\x10",
           16);
    serpentbe_encrypt(&k,plaintext,ciphertext);

    if (memcmp(ciphertext, "\xca\x7f\xa1\x93\xe3\xeb\x9e\x99"
               "\xbd\x87\xe3\xaf\x3c\x9a\xdf\x93", 16)) {
	fatal("transform_module: serpent failed self-test (encrypt)");
    }
    serpentbe_decrypt(&k,ciphertext,plaintext);
    if (memcmp(plaintext, "\x01\x23\x45\x67\x89\xab\xcd\xef"
               "\xfe\xdc\xba\x98\x76\x54\x32\x10", 16)) {
	fatal("transform_module: serpent failed self-test (decrypt)");
    }

    add_closure(dict,"serpent256-cbc",transform_apply);

#ifdef TEST_WHOLE_TRANSFORM
    {
	struct transform *tr;
	void *ti;
	struct buffer_if buf;
	const char text[] = "This is a piece of test text.";
	char keymaterial[76] =
	    "Seventy-six bytes i"
	    "n four rows of 19; "
	    "this looks almost l"
	    "ike a poem but not.";
	const char *errmsg;
	int i;

	NEW(tr);
	tr->max_seq_skew = 20;
	ti = transform_create(tr);

	transform_setkey(ti, keymaterial, 76);

        buf.base = malloc(4096);
	buffer_init(&buf, 2048);
	BUF_ADD_OBJ(append, buf, text, sizeof(text));
	if (transform_forward(ti, &buf, &errmsg)) {
	    fatal("transform_forward test: %s", errmsg);
	}
	printf("transformed text is:\n");
	for (i = 0; i < buf.size; i++)
	    printf("%02x%c", buf.start[i],
		   (i%16==15 || i==buf.size-1 ? '\n' : ' '));
	if (transform_reverse(ti, &buf, &errmsg)) {
	    fatal("transform_reverse test: %s", errmsg);
	}
	printf("transform reversal worked OK\n");
    }
#endif
}
Commit	Line	Data
2fe58dfd SE	1	/* Transform module - bulk data transformation */
2fe58dfd SE	2
c215a4bc IJ	3	/*
	4	* This file is part of secnet.
	5	* See README for full list of copyright holders.
	6	*
	7	* secnet is free software; you can redistribute it and/or modify it
	8	* under the terms of the GNU General Public License as published by
9c6a8729	9	* the Free Software Foundation; either version 3 of the License, or
c215a4bc IJ	10	* (at your option) any later version.
	11	*
	12	* secnet is distributed in the hope that it will be useful, but
	13	* WITHOUT ANY WARRANTY; without even the implied warranty of
	14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	15	* General Public License for more details.
	16	*
	17	* You should have received a copy of the GNU General Public License
	18	* version 3 along with secnet; if not, see
	19	* https://www.gnu.org/licenses/gpl.html.
	20	*/
	21
2fe58dfd SE	22	/* For now it's hard-coded to do sequence
	23	number/pkcs5/serpent-cbcmac/serpent with a 256 bit key for each
	24	instance of serpent. We also require key material for the IVs for
	25	cbcmac and cbc. Hack: we're not using full 128-bit IVs, we're just
	26	using 32 bits and encrypting to get the full IV to save space in
	27	the packets sent over the wire. */
	28
	29	#include <stdio.h>
469fd1d9	30	#include <string.h>
2fe58dfd SE	31	#include "secnet.h"
	32	#include "util.h"
	33	#include "serpent.h"
59635212	34	#include "unaligned.h"
980d1ab2	35	#include "hexdebug.h"
2fe58dfd SE	36
	37	/* Required key length in bytes */
	38	#define REQUIRED_KEYLEN ((512+64+32)/8)
	39
35d30aa3 IJ	40	#include "transform-common.h"
35d30aa3 IJ	41
9d69120a	42	struct transform_params {
35d30aa3	43	SEQNUM_PARAMS_FIELDS;
9d69120a IJ	44	};
9d69120a IJ	45
2fe58dfd SE	46	struct transform {
2fe58dfd SE	47	closure_t cl;
2fe58dfd	48	struct transform_if ops;
9d69120a	49	struct transform_params p;
2fe58dfd SE	50	};
	51
	52	struct transform_inst {
	53	struct transform_inst_if ops;
9d69120a	54	struct transform_params p;
2fe58dfd SE	55	struct keyInstance cryptkey;
	56	struct keyInstance mackey;
	57	uint32_t cryptiv;
	58	uint32_t maciv;
35d30aa3	59	SEQNUM_KEYED_FIELDS;
2fe58dfd SE	60	};
	61
	62	#define PKCS5_MASK 15
	63
0118121a IJ	64	static bool_t transform_setkey(void sst, uint8_t key, int32_t keylen,
0118121a IJ	65	bool_t direction)
2fe58dfd SE	66	{
	67	struct transform_inst *ti=sst;
	68
	69	if (keylen<REQUIRED_KEYLEN) {
469fd1d9	70	Message(M_ERR,"transform_create: insufficient key material supplied "
2fe58dfd SE	71	"(need %d bytes, got %d)\n",REQUIRED_KEYLEN,keylen);
	72	return False;
	73	}
	74
	75	#if 0
	76	{
2fe58dfd	77	printf("Setting key to: ");
980d1ab2	78	hexdebug(stdout,key,keylen);
2fe58dfd SE	79	printf("\n");
	80	}
	81	#endif /* 0 */
	82
af43f0b7 IJ	83	serpentbe_makekey(&ti->cryptkey,256,key);
af43f0b7 IJ	84	serpentbe_makekey(&ti->mackey,256,key+32);
4a1a5919 IJ	85	ti->cryptiv=get_uint32(key+64);
4a1a5919 IJ	86	ti->maciv=get_uint32(key+68);
35d30aa3 IJ	87	uint32_t firstseq=get_uint32(key+72);
35d30aa3 IJ	88	SEQNUM_KEYED_INIT(firstseq,firstseq);
2fe58dfd SE	89
	90	return True;
	91	}
	92
92a7d254	93	TRANSFORM_VALID;
b67dab18	94
2fe58dfd SE	95	static void transform_delkey(void *sst)
	96	{
	97	struct transform_inst *ti=sst;
	98
076bb54e IJ	99	FILLZERO(ti->cryptkey);
076bb54e IJ	100	FILLZERO(ti->mackey);
2fe58dfd SE	101	ti->keyed=False;
	102	}
	103
14f78812 IJ	104	static transform_apply_return transform_forward(void *sst,
14f78812 IJ	105	struct buffer_if buf, const char *errmsg)
2fe58dfd SE	106	{
	107	struct transform_inst *ti=sst;
	108	uint8_t *padp;
	109	int padlen;
3b83c932 SE	110	uint8_t iv[16];
	111	uint8_t macplain[16];
	112	uint8_t macacc[16];
	113	uint8_t p, n;
	114	int i;
2fe58dfd	115
92a7d254	116	KEYED_CHECK;
2fe58dfd SE	117
2fe58dfd SE	118	/* Sequence number */
59635212	119	buf_prepend_uint32(buf,ti->sendseq);
2fe58dfd SE	120	ti->sendseq++;
	121
	122	/* PKCS5, stolen from IWJ */
	123	/* eg with blocksize=4 mask=3 mask+2=5 */
	124	/* msgsize 20 21 22 23 24 */
	125	padlen= PKCS5_MASK-buf->size; /* -17 -18 -19 -16 -17 */
	126	padlen &= PKCS5_MASK; /* 3 2 1 0 3 */
	127	padlen++; /* 4 3 2 1 4 */
	128
	129	padp=buf_append(buf,padlen);
	130	memset(padp,padlen,padlen);
	131
	132	/* Serpent-CBCMAC. We expand the IV from 32-bit to 128-bit using
	133	one encryption. Then we do the MAC and append the result. We don't
	134	bother sending the IV - it's the same each time. (If we wanted to send
	135	it we've have to add 16 bytes to each message, not 4, so that the
	136	message stays a multiple of 16 bytes long.) */
4f28e77e	137	FILLZERO(iv);
4a1a5919	138	put_uint32(iv, ti->maciv);
af43f0b7	139	serpentbe_encrypt(&ti->mackey,iv,macacc);
2fe58dfd SE	140
	141	/* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
	142	block encrypted once again. */
3b83c932	143	for (n=buf->start; n<buf->start+buf->size; n+=16)
2fe58dfd	144	{
3b83c932 SE	145	for (i = 0; i < 16; i++)
3b83c932 SE	146	macplain[i] = macacc[i] ^ n[i];
af43f0b7	147	serpentbe_encrypt(&ti->mackey,macplain,macacc);
2fe58dfd	148	}
af43f0b7	149	serpentbe_encrypt(&ti->mackey,macacc,macacc);
4f28e77e	150	BUF_ADD_BYTES(append,buf,macacc,16);
2fe58dfd SE	151
	152	/* Serpent-CBC. We expand the ID as for CBCMAC, do the encryption,
	153	and prepend the IV before increasing it. */
4f28e77e	154	FILLZERO(iv);
4a1a5919	155	put_uint32(iv, ti->cryptiv);
af43f0b7	156	serpentbe_encrypt(&ti->cryptkey,iv,iv);
2fe58dfd SE	157
	158	/* CBC: each block is XORed with the previous encrypted block (or the IV)
	159	before being encrypted. */
	160	p=iv;
3b83c932 SE	161
3b83c932 SE	162	for (n=buf->start; n<buf->start+buf->size; n+=16)
2fe58dfd	163	{
3b83c932 SE	164	for (i = 0; i < 16; i++)
3b83c932 SE	165	n[i] ^= p[i];
af43f0b7	166	serpentbe_encrypt(&ti->cryptkey,n,n);
2fe58dfd SE	167	p=n;
	168	}
	169
59635212	170	buf_prepend_uint32(buf,ti->cryptiv);
2fe58dfd	171	ti->cryptiv++;
2fe58dfd SE	172	return 0;
	173	}
	174
14f78812 IJ	175	static transform_apply_return transform_reverse(void *sst,
14f78812 IJ	176	struct buffer_if buf, const char *errmsg)
2fe58dfd SE	177	{
	178	struct transform_inst *ti=sst;
	179	uint8_t *padp;
1caa23ff	180	int padlen;
2fe58dfd	181	int i;
92a7d254	182	uint32_t seqnum;
3b83c932 SE	183	uint8_t iv[16];
	184	uint8_t pct[16];
	185	uint8_t macplain[16];
	186	uint8_t macacc[16];
	187	uint8_t *n;
	188	uint8_t *macexpected;
2fe58dfd	189
92a7d254	190	KEYED_CHECK;
2fe58dfd	191
20138876 IJ	192	if (buf->size < 4 + 16 + 16) {
20138876 IJ	193	*errmsg="msg too short";
14f78812	194	return transform_apply_err;
20138876	195	}
8689b3a9	196
2fe58dfd	197	/* CBC */
4f28e77e	198	FILLZERO(iv);
3b83c932 SE	199	{
3b83c932 SE	200	uint32_t ivword = buf_unprepend_uint32(buf);
4a1a5919	201	put_uint32(iv, ivword);
3b83c932	202	}
8689b3a9 SE	203	/* Assert bufsize is multiple of blocksize */
	204	if (buf->size&0xf) {
	205	*errmsg="msg not multiple of cipher blocksize";
14f78812	206	return transform_apply_err;
8689b3a9	207	}
af43f0b7	208	serpentbe_encrypt(&ti->cryptkey,iv,iv);
3b83c932	209	for (n=buf->start; n<buf->start+buf->size; n+=16)
2fe58dfd	210	{
3b83c932 SE	211	for (i = 0; i < 16; i++)
3b83c932 SE	212	pct[i] = n[i];
af43f0b7	213	serpentbe_decrypt(&ti->cryptkey,n,n);
3b83c932 SE	214	for (i = 0; i < 16; i++)
3b83c932 SE	215	n[i] ^= iv[i];
4f28e77e	216	COPY_OBJ(iv, pct);
2fe58dfd SE	217	}
	218
	219	/* CBCMAC */
	220	macexpected=buf_unappend(buf,16);
4f28e77e	221	FILLZERO(iv);
4a1a5919	222	put_uint32(iv, ti->maciv);
af43f0b7	223	serpentbe_encrypt(&ti->mackey,iv,macacc);
2fe58dfd SE	224
	225	/* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
	226	block encrypted once again. */
3b83c932	227	for (n=buf->start; n<buf->start+buf->size; n+=16)
2fe58dfd	228	{
3b83c932 SE	229	for (i = 0; i < 16; i++)
3b83c932 SE	230	macplain[i] = macacc[i] ^ n[i];
af43f0b7	231	serpentbe_encrypt(&ti->mackey,macplain,macacc);
2fe58dfd	232	}
af43f0b7	233	serpentbe_encrypt(&ti->mackey,macacc,macacc);
30ba82a5	234	if (!consttime_memeq(macexpected,macacc,16)) {
2fe58dfd	235	*errmsg="invalid MAC";
14f78812	236	return transform_apply_err;
2fe58dfd SE	237	}
	238
	239	/* PKCS5, stolen from IWJ */
	240
	241	padp=buf_unappend(buf,1);
	242	padlen=*padp;
	243	if (!padlen \|\| (padlen > PKCS5_MASK+1)) {
	244	*errmsg="pkcs5: invalid length";
14f78812	245	return transform_apply_err;
2fe58dfd SE	246	}
2fe58dfd SE	247
46008a7c	248	buf_unappend(buf,padlen-1);
2fe58dfd SE	249
	250	/* Sequence number must be within max_skew of lastrecvseq; lastrecvseq
	251	is only allowed to increase. */
59635212	252	seqnum=buf_unprepend_uint32(buf);
35d30aa3	253	SEQNUM_CHECK(seqnum, &ti->p);
2fe58dfd SE	254
	255	return 0;
	256	}
	257
92a7d254	258	TRANSFORM_DESTROY;
2fe58dfd SE	259
	260	static struct transform_inst_if transform_create(void sst)
	261	{
2fe58dfd SE	262	struct transform *st=sst;
2fe58dfd SE	263
92a7d254	264	TRANSFORM_CREATE_CORE;
2fe58dfd	265
9d69120a	266	ti->p=st->p;
2fe58dfd SE	267
	268	return &ti->ops;
	269	}
	270
	271	static list_t transform_apply(closure_t self, struct cloc loc,
	272	dict_t context, list_t args)
	273	{
	274	struct transform *st;
	275	item_t *item;
	276	dict_t *dict;
	277
b7886fd4	278	NEW(st);
2fe58dfd SE	279	st->cl.description="serpent-cbc256";
	280	st->cl.type=CL_TRANSFORM;
	281	st->cl.apply=NULL;
	282	st->cl.interface=&st->ops;
	283	st->ops.st=st;
3abd18e8 IJ	284	update_max_start_pad(&transform_max_start_pad, 28);
3abd18e8 IJ	285	/* 4byte seqnum, 16byte pad, 4byte MACIV, 4byte IV */
2fe58dfd SE	286
	287	/* We need 256*2 bits for serpent keys, 32 bits for CBC-IV and 32 bits
	288	for CBCMAC-IV, and 32 bits for init sequence number */
	289	st->ops.keylen=REQUIRED_KEYLEN;
	290	st->ops.create=transform_create;
	291
	292	/* First parameter must be a dict */
	293	item=list_elem(args,0);
	294	if (!item \|\| item->type!=t_dict)
68fd6cd7	295	cfgfatal(loc,"serpent256-cbc","parameter must be a dictionary\n");
2fe58dfd SE	296
2fe58dfd SE	297	dict=item->data.dict;
35d30aa3 IJ	298
35d30aa3 IJ	299	SEQNUM_PARAMS_INIT(dict,&st->p,"serpent-cbc256",loc);
2fe58dfd	300
5b5f297f IJ	301	SET_CAPAB_TRANSFORMNUM(CAPAB_TRANSFORMNUM_SERPENT256CBC);
5b5f297f IJ	302
2fe58dfd SE	303	return new_closure(&st->cl);
	304	}
	305
92a7d254	306	void transform_cbcmac_module(dict_t *dict)
2fe58dfd SE	307	{
	308	struct keyInstance k;
	309	uint8_t data[32];
3b83c932 SE	310	uint8_t plaintext[16];
	311	uint8_t ciphertext[16];
	312
	313	/*
	314	* Serpent self-test.
	315	*
af43f0b7 IJ	316	* This test pattern was taken directly from the Serpent test
	317	* vectors, which results in a big-endian Serpent which is not
	318	* compatible with other implementations.
3b83c932	319	*/
2fe58dfd SE	320
2fe58dfd SE	321	/* Serpent self-test */
3b83c932 SE	322	memcpy(data,
	323	"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff"
	324	"\xff\xee\xdd\xcc\xbb\xaa\x99\x88\x77\x66\x55\x44\x33\x22\x11\x00",
	325	32);
af43f0b7	326	serpentbe_makekey(&k,256,data);
3b83c932 SE	327
	328	memcpy(plaintext,
	329	"\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc\xba\x98\x76\x54\x32\x10",
	330	16);
af43f0b7	331	serpentbe_encrypt(&k,plaintext,ciphertext);
3b83c932 SE	332
	333	if (memcmp(ciphertext, "\xca\x7f\xa1\x93\xe3\xeb\x9e\x99"
	334	"\xbd\x87\xe3\xaf\x3c\x9a\xdf\x93", 16)) {
4f5e39ec	335	fatal("transform_module: serpent failed self-test (encrypt)");
2fe58dfd	336	}
af43f0b7	337	serpentbe_decrypt(&k,ciphertext,plaintext);
3b83c932 SE	338	if (memcmp(plaintext, "\x01\x23\x45\x67\x89\xab\xcd\xef"
3b83c932 SE	339	"\xfe\xdc\xba\x98\x76\x54\x32\x10", 16)) {
4f5e39ec	340	fatal("transform_module: serpent failed self-test (decrypt)");
2fe58dfd SE	341	}
	342
	343	add_closure(dict,"serpent256-cbc",transform_apply);
3b83c932 SE	344
	345	#ifdef TEST_WHOLE_TRANSFORM
	346	{
	347	struct transform *tr;
	348	void *ti;
	349	struct buffer_if buf;
	350	const char text[] = "This is a piece of test text.";
	351	char keymaterial[76] =
	352	"Seventy-six bytes i"
	353	"n four rows of 19; "
	354	"this looks almost l"
	355	"ike a poem but not.";
	356	const char *errmsg;
	357	int i;
	358
952f601f	359	NEW(tr);
3b83c932 SE	360	tr->max_seq_skew = 20;
	361	ti = transform_create(tr);
	362
	363	transform_setkey(ti, keymaterial, 76);
	364
	365	buf.base = malloc(4096);
	366	buffer_init(&buf, 2048);
4f28e77e	367	BUF_ADD_OBJ(append, buf, text, sizeof(text));
3b83c932 SE	368	if (transform_forward(ti, &buf, &errmsg)) {
	369	fatal("transform_forward test: %s", errmsg);
	370	}
	371	printf("transformed text is:\n");
	372	for (i = 0; i < buf.size; i++)
	373	printf("%02x%c", buf.start[i],
	374	(i%16==15 \|\| i==buf.size-1 ? '\n' : ' '));
	375	if (transform_reverse(ti, &buf, &errmsg)) {
	376	fatal("transform_reverse test: %s", errmsg);
	377	}
	378	printf("transform reversal worked OK\n");
	379	}
	380	#endif
2fe58dfd	381	}