Commit | Line | Data |
---|---|---|
2fe58dfd SE |
1 | /* Transform module - bulk data transformation */ |
2 | ||
c215a4bc IJ |
3 | /* |
4 | * This file is part of secnet. | |
5 | * See README for full list of copyright holders. | |
6 | * | |
7 | * secnet is free software; you can redistribute it and/or modify it | |
8 | * under the terms of the GNU General Public License as published by | |
9c6a8729 | 9 | * the Free Software Foundation; either version 3 of the License, or |
c215a4bc IJ |
10 | * (at your option) any later version. |
11 | * | |
12 | * secnet is distributed in the hope that it will be useful, but | |
13 | * WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
15 | * General Public License for more details. | |
16 | * | |
17 | * You should have received a copy of the GNU General Public License | |
18 | * version 3 along with secnet; if not, see | |
19 | * https://www.gnu.org/licenses/gpl.html. | |
20 | */ | |
21 | ||
2fe58dfd SE |
22 | /* For now it's hard-coded to do sequence |
23 | number/pkcs5/serpent-cbcmac/serpent with a 256 bit key for each | |
24 | instance of serpent. We also require key material for the IVs for | |
25 | cbcmac and cbc. Hack: we're not using full 128-bit IVs, we're just | |
26 | using 32 bits and encrypting to get the full IV to save space in | |
27 | the packets sent over the wire. */ | |
28 | ||
29 | #include <stdio.h> | |
469fd1d9 | 30 | #include <string.h> |
2fe58dfd SE |
31 | #include "secnet.h" |
32 | #include "util.h" | |
33 | #include "serpent.h" | |
59635212 | 34 | #include "unaligned.h" |
980d1ab2 | 35 | #include "hexdebug.h" |
2fe58dfd SE |
36 | |
37 | /* Required key length in bytes */ | |
38 | #define REQUIRED_KEYLEN ((512+64+32)/8) | |
39 | ||
35d30aa3 IJ |
40 | #include "transform-common.h" |
41 | ||
9d69120a | 42 | struct transform_params { |
35d30aa3 | 43 | SEQNUM_PARAMS_FIELDS; |
9d69120a IJ |
44 | }; |
45 | ||
2fe58dfd SE |
46 | struct transform { |
47 | closure_t cl; | |
2fe58dfd | 48 | struct transform_if ops; |
9d69120a | 49 | struct transform_params p; |
2fe58dfd SE |
50 | }; |
51 | ||
52 | struct transform_inst { | |
53 | struct transform_inst_if ops; | |
9d69120a | 54 | struct transform_params p; |
2fe58dfd SE |
55 | struct keyInstance cryptkey; |
56 | struct keyInstance mackey; | |
57 | uint32_t cryptiv; | |
58 | uint32_t maciv; | |
35d30aa3 | 59 | SEQNUM_KEYED_FIELDS; |
2fe58dfd SE |
60 | }; |
61 | ||
62 | #define PKCS5_MASK 15 | |
63 | ||
0118121a IJ |
64 | static bool_t transform_setkey(void *sst, uint8_t *key, int32_t keylen, |
65 | bool_t direction) | |
2fe58dfd SE |
66 | { |
67 | struct transform_inst *ti=sst; | |
68 | ||
69 | if (keylen<REQUIRED_KEYLEN) { | |
469fd1d9 | 70 | Message(M_ERR,"transform_create: insufficient key material supplied " |
2fe58dfd SE |
71 | "(need %d bytes, got %d)\n",REQUIRED_KEYLEN,keylen); |
72 | return False; | |
73 | } | |
74 | ||
75 | #if 0 | |
76 | { | |
2fe58dfd | 77 | printf("Setting key to: "); |
980d1ab2 | 78 | hexdebug(stdout,key,keylen); |
2fe58dfd SE |
79 | printf("\n"); |
80 | } | |
81 | #endif /* 0 */ | |
82 | ||
af43f0b7 IJ |
83 | serpentbe_makekey(&ti->cryptkey,256,key); |
84 | serpentbe_makekey(&ti->mackey,256,key+32); | |
4a1a5919 IJ |
85 | ti->cryptiv=get_uint32(key+64); |
86 | ti->maciv=get_uint32(key+68); | |
35d30aa3 IJ |
87 | uint32_t firstseq=get_uint32(key+72); |
88 | SEQNUM_KEYED_INIT(firstseq,firstseq); | |
2fe58dfd SE |
89 | |
90 | return True; | |
91 | } | |
92 | ||
92a7d254 | 93 | TRANSFORM_VALID; |
b67dab18 | 94 | |
2fe58dfd SE |
95 | static void transform_delkey(void *sst) |
96 | { | |
97 | struct transform_inst *ti=sst; | |
98 | ||
076bb54e IJ |
99 | FILLZERO(ti->cryptkey); |
100 | FILLZERO(ti->mackey); | |
2fe58dfd SE |
101 | ti->keyed=False; |
102 | } | |
103 | ||
14f78812 IJ |
104 | static transform_apply_return transform_forward(void *sst, |
105 | struct buffer_if *buf, const char **errmsg) | |
2fe58dfd SE |
106 | { |
107 | struct transform_inst *ti=sst; | |
108 | uint8_t *padp; | |
109 | int padlen; | |
3b83c932 SE |
110 | uint8_t iv[16]; |
111 | uint8_t macplain[16]; | |
112 | uint8_t macacc[16]; | |
113 | uint8_t *p, *n; | |
114 | int i; | |
2fe58dfd | 115 | |
92a7d254 | 116 | KEYED_CHECK; |
2fe58dfd SE |
117 | |
118 | /* Sequence number */ | |
59635212 | 119 | buf_prepend_uint32(buf,ti->sendseq); |
2fe58dfd SE |
120 | ti->sendseq++; |
121 | ||
122 | /* PKCS5, stolen from IWJ */ | |
123 | /* eg with blocksize=4 mask=3 mask+2=5 */ | |
124 | /* msgsize 20 21 22 23 24 */ | |
125 | padlen= PKCS5_MASK-buf->size; /* -17 -18 -19 -16 -17 */ | |
126 | padlen &= PKCS5_MASK; /* 3 2 1 0 3 */ | |
127 | padlen++; /* 4 3 2 1 4 */ | |
128 | ||
129 | padp=buf_append(buf,padlen); | |
130 | memset(padp,padlen,padlen); | |
131 | ||
132 | /* Serpent-CBCMAC. We expand the IV from 32-bit to 128-bit using | |
133 | one encryption. Then we do the MAC and append the result. We don't | |
134 | bother sending the IV - it's the same each time. (If we wanted to send | |
135 | it we've have to add 16 bytes to each message, not 4, so that the | |
136 | message stays a multiple of 16 bytes long.) */ | |
4f28e77e | 137 | FILLZERO(iv); |
4a1a5919 | 138 | put_uint32(iv, ti->maciv); |
af43f0b7 | 139 | serpentbe_encrypt(&ti->mackey,iv,macacc); |
2fe58dfd SE |
140 | |
141 | /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted | |
142 | block encrypted once again. */ | |
3b83c932 | 143 | for (n=buf->start; n<buf->start+buf->size; n+=16) |
2fe58dfd | 144 | { |
3b83c932 SE |
145 | for (i = 0; i < 16; i++) |
146 | macplain[i] = macacc[i] ^ n[i]; | |
af43f0b7 | 147 | serpentbe_encrypt(&ti->mackey,macplain,macacc); |
2fe58dfd | 148 | } |
af43f0b7 | 149 | serpentbe_encrypt(&ti->mackey,macacc,macacc); |
4f28e77e | 150 | BUF_ADD_BYTES(append,buf,macacc,16); |
2fe58dfd SE |
151 | |
152 | /* Serpent-CBC. We expand the ID as for CBCMAC, do the encryption, | |
153 | and prepend the IV before increasing it. */ | |
4f28e77e | 154 | FILLZERO(iv); |
4a1a5919 | 155 | put_uint32(iv, ti->cryptiv); |
af43f0b7 | 156 | serpentbe_encrypt(&ti->cryptkey,iv,iv); |
2fe58dfd SE |
157 | |
158 | /* CBC: each block is XORed with the previous encrypted block (or the IV) | |
159 | before being encrypted. */ | |
160 | p=iv; | |
3b83c932 SE |
161 | |
162 | for (n=buf->start; n<buf->start+buf->size; n+=16) | |
2fe58dfd | 163 | { |
3b83c932 SE |
164 | for (i = 0; i < 16; i++) |
165 | n[i] ^= p[i]; | |
af43f0b7 | 166 | serpentbe_encrypt(&ti->cryptkey,n,n); |
2fe58dfd SE |
167 | p=n; |
168 | } | |
169 | ||
59635212 | 170 | buf_prepend_uint32(buf,ti->cryptiv); |
2fe58dfd | 171 | ti->cryptiv++; |
2fe58dfd SE |
172 | return 0; |
173 | } | |
174 | ||
14f78812 IJ |
175 | static transform_apply_return transform_reverse(void *sst, |
176 | struct buffer_if *buf, const char **errmsg) | |
2fe58dfd SE |
177 | { |
178 | struct transform_inst *ti=sst; | |
179 | uint8_t *padp; | |
1caa23ff | 180 | int padlen; |
2fe58dfd | 181 | int i; |
92a7d254 | 182 | uint32_t seqnum; |
3b83c932 SE |
183 | uint8_t iv[16]; |
184 | uint8_t pct[16]; | |
185 | uint8_t macplain[16]; | |
186 | uint8_t macacc[16]; | |
187 | uint8_t *n; | |
188 | uint8_t *macexpected; | |
2fe58dfd | 189 | |
92a7d254 | 190 | KEYED_CHECK; |
2fe58dfd | 191 | |
20138876 IJ |
192 | if (buf->size < 4 + 16 + 16) { |
193 | *errmsg="msg too short"; | |
14f78812 | 194 | return transform_apply_err; |
20138876 | 195 | } |
8689b3a9 | 196 | |
2fe58dfd | 197 | /* CBC */ |
4f28e77e | 198 | FILLZERO(iv); |
3b83c932 SE |
199 | { |
200 | uint32_t ivword = buf_unprepend_uint32(buf); | |
4a1a5919 | 201 | put_uint32(iv, ivword); |
3b83c932 | 202 | } |
8689b3a9 SE |
203 | /* Assert bufsize is multiple of blocksize */ |
204 | if (buf->size&0xf) { | |
205 | *errmsg="msg not multiple of cipher blocksize"; | |
14f78812 | 206 | return transform_apply_err; |
8689b3a9 | 207 | } |
af43f0b7 | 208 | serpentbe_encrypt(&ti->cryptkey,iv,iv); |
3b83c932 | 209 | for (n=buf->start; n<buf->start+buf->size; n+=16) |
2fe58dfd | 210 | { |
3b83c932 SE |
211 | for (i = 0; i < 16; i++) |
212 | pct[i] = n[i]; | |
af43f0b7 | 213 | serpentbe_decrypt(&ti->cryptkey,n,n); |
3b83c932 SE |
214 | for (i = 0; i < 16; i++) |
215 | n[i] ^= iv[i]; | |
4f28e77e | 216 | COPY_OBJ(iv, pct); |
2fe58dfd SE |
217 | } |
218 | ||
219 | /* CBCMAC */ | |
220 | macexpected=buf_unappend(buf,16); | |
4f28e77e | 221 | FILLZERO(iv); |
4a1a5919 | 222 | put_uint32(iv, ti->maciv); |
af43f0b7 | 223 | serpentbe_encrypt(&ti->mackey,iv,macacc); |
2fe58dfd SE |
224 | |
225 | /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted | |
226 | block encrypted once again. */ | |
3b83c932 | 227 | for (n=buf->start; n<buf->start+buf->size; n+=16) |
2fe58dfd | 228 | { |
3b83c932 SE |
229 | for (i = 0; i < 16; i++) |
230 | macplain[i] = macacc[i] ^ n[i]; | |
af43f0b7 | 231 | serpentbe_encrypt(&ti->mackey,macplain,macacc); |
2fe58dfd | 232 | } |
af43f0b7 | 233 | serpentbe_encrypt(&ti->mackey,macacc,macacc); |
30ba82a5 | 234 | if (!consttime_memeq(macexpected,macacc,16)) { |
2fe58dfd | 235 | *errmsg="invalid MAC"; |
14f78812 | 236 | return transform_apply_err; |
2fe58dfd SE |
237 | } |
238 | ||
239 | /* PKCS5, stolen from IWJ */ | |
240 | ||
241 | padp=buf_unappend(buf,1); | |
242 | padlen=*padp; | |
243 | if (!padlen || (padlen > PKCS5_MASK+1)) { | |
244 | *errmsg="pkcs5: invalid length"; | |
14f78812 | 245 | return transform_apply_err; |
2fe58dfd SE |
246 | } |
247 | ||
46008a7c | 248 | buf_unappend(buf,padlen-1); |
2fe58dfd SE |
249 | |
250 | /* Sequence number must be within max_skew of lastrecvseq; lastrecvseq | |
251 | is only allowed to increase. */ | |
59635212 | 252 | seqnum=buf_unprepend_uint32(buf); |
35d30aa3 | 253 | SEQNUM_CHECK(seqnum, &ti->p); |
2fe58dfd SE |
254 | |
255 | return 0; | |
256 | } | |
257 | ||
92a7d254 | 258 | TRANSFORM_DESTROY; |
2fe58dfd SE |
259 | |
260 | static struct transform_inst_if *transform_create(void *sst) | |
261 | { | |
2fe58dfd SE |
262 | struct transform *st=sst; |
263 | ||
92a7d254 | 264 | TRANSFORM_CREATE_CORE; |
2fe58dfd | 265 | |
9d69120a | 266 | ti->p=st->p; |
2fe58dfd SE |
267 | |
268 | return &ti->ops; | |
269 | } | |
270 | ||
271 | static list_t *transform_apply(closure_t *self, struct cloc loc, | |
272 | dict_t *context, list_t *args) | |
273 | { | |
274 | struct transform *st; | |
275 | item_t *item; | |
276 | dict_t *dict; | |
277 | ||
b7886fd4 | 278 | NEW(st); |
2fe58dfd SE |
279 | st->cl.description="serpent-cbc256"; |
280 | st->cl.type=CL_TRANSFORM; | |
281 | st->cl.apply=NULL; | |
282 | st->cl.interface=&st->ops; | |
283 | st->ops.st=st; | |
3abd18e8 IJ |
284 | update_max_start_pad(&transform_max_start_pad, 28); |
285 | /* 4byte seqnum, 16byte pad, 4byte MACIV, 4byte IV */ | |
2fe58dfd | 286 | |
2fe58dfd SE |
287 | st->ops.create=transform_create; |
288 | ||
289 | /* First parameter must be a dict */ | |
290 | item=list_elem(args,0); | |
291 | if (!item || item->type!=t_dict) | |
68fd6cd7 | 292 | cfgfatal(loc,"serpent256-cbc","parameter must be a dictionary\n"); |
2fe58dfd SE |
293 | |
294 | dict=item->data.dict; | |
35d30aa3 IJ |
295 | |
296 | SEQNUM_PARAMS_INIT(dict,&st->p,"serpent-cbc256",loc); | |
2fe58dfd | 297 | |
92cc0bca | 298 | SET_CAPAB_BIT(CAPAB_BIT_SERPENT256CBC); |
5b5f297f | 299 | |
2fe58dfd SE |
300 | return new_closure(&st->cl); |
301 | } | |
302 | ||
92a7d254 | 303 | void transform_cbcmac_module(dict_t *dict) |
2fe58dfd SE |
304 | { |
305 | struct keyInstance k; | |
306 | uint8_t data[32]; | |
3b83c932 SE |
307 | uint8_t plaintext[16]; |
308 | uint8_t ciphertext[16]; | |
309 | ||
310 | /* | |
311 | * Serpent self-test. | |
312 | * | |
af43f0b7 IJ |
313 | * This test pattern was taken directly from the Serpent test |
314 | * vectors, which results in a big-endian Serpent which is not | |
315 | * compatible with other implementations. | |
3b83c932 | 316 | */ |
2fe58dfd SE |
317 | |
318 | /* Serpent self-test */ | |
3b83c932 SE |
319 | memcpy(data, |
320 | "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff" | |
321 | "\xff\xee\xdd\xcc\xbb\xaa\x99\x88\x77\x66\x55\x44\x33\x22\x11\x00", | |
322 | 32); | |
af43f0b7 | 323 | serpentbe_makekey(&k,256,data); |
3b83c932 SE |
324 | |
325 | memcpy(plaintext, | |
326 | "\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc\xba\x98\x76\x54\x32\x10", | |
327 | 16); | |
af43f0b7 | 328 | serpentbe_encrypt(&k,plaintext,ciphertext); |
3b83c932 SE |
329 | |
330 | if (memcmp(ciphertext, "\xca\x7f\xa1\x93\xe3\xeb\x9e\x99" | |
331 | "\xbd\x87\xe3\xaf\x3c\x9a\xdf\x93", 16)) { | |
4f5e39ec | 332 | fatal("transform_module: serpent failed self-test (encrypt)"); |
2fe58dfd | 333 | } |
af43f0b7 | 334 | serpentbe_decrypt(&k,ciphertext,plaintext); |
3b83c932 SE |
335 | if (memcmp(plaintext, "\x01\x23\x45\x67\x89\xab\xcd\xef" |
336 | "\xfe\xdc\xba\x98\x76\x54\x32\x10", 16)) { | |
4f5e39ec | 337 | fatal("transform_module: serpent failed self-test (decrypt)"); |
2fe58dfd SE |
338 | } |
339 | ||
340 | add_closure(dict,"serpent256-cbc",transform_apply); | |
3b83c932 SE |
341 | |
342 | #ifdef TEST_WHOLE_TRANSFORM | |
343 | { | |
344 | struct transform *tr; | |
345 | void *ti; | |
346 | struct buffer_if buf; | |
347 | const char text[] = "This is a piece of test text."; | |
348 | char keymaterial[76] = | |
349 | "Seventy-six bytes i" | |
350 | "n four rows of 19; " | |
351 | "this looks almost l" | |
352 | "ike a poem but not."; | |
353 | const char *errmsg; | |
354 | int i; | |
355 | ||
952f601f | 356 | NEW(tr); |
3b83c932 SE |
357 | tr->max_seq_skew = 20; |
358 | ti = transform_create(tr); | |
359 | ||
360 | transform_setkey(ti, keymaterial, 76); | |
361 | ||
362 | buf.base = malloc(4096); | |
363 | buffer_init(&buf, 2048); | |
4f28e77e | 364 | BUF_ADD_OBJ(append, buf, text, sizeof(text)); |
3b83c932 SE |
365 | if (transform_forward(ti, &buf, &errmsg)) { |
366 | fatal("transform_forward test: %s", errmsg); | |
367 | } | |
368 | printf("transformed text is:\n"); | |
369 | for (i = 0; i < buf.size; i++) | |
370 | printf("%02x%c", buf.start[i], | |
371 | (i%16==15 || i==buf.size-1 ? '\n' : ' ')); | |
372 | if (transform_reverse(ti, &buf, &errmsg)) { | |
373 | fatal("transform_reverse test: %s", errmsg); | |
374 | } | |
375 | printf("transform reversal worked OK\n"); | |
376 | } | |
377 | #endif | |
2fe58dfd | 378 | } |