1 /* Transform module - bulk data transformation */
4 * This file is part of secnet.
5 * See README for full list of copyright holders.
7 * secnet is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * secnet is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * version 3 along with secnet; if not, see
19 * https://www.gnu.org/licenses/gpl.html.
22 /* For now it's hard-coded to do sequence
23 number/pkcs5/serpent-cbcmac/serpent with a 256 bit key for each
24 instance of serpent. We also require key material for the IVs for
25 cbcmac and cbc. Hack: we're not using full 128-bit IVs, we're just
26 using 32 bits and encrypting to get the full IV to save space in
27 the packets sent over the wire. */
34 #include "unaligned.h"
37 /* Required key length in bytes */
38 #define REQUIRED_KEYLEN ((512+64+32)/8)
40 #include "transform-common.h"
42 struct transform_params
{
48 struct transform_if ops
;
49 struct transform_params p
;
52 struct transform_inst
{
53 struct transform_inst_if ops
;
54 struct transform_params p
;
55 struct keyInstance cryptkey
;
56 struct keyInstance mackey
;
64 static bool_t
transform_setkey(void *sst
, uint8_t *key
, int32_t keylen
,
67 struct transform_inst
*ti
=sst
;
69 if (keylen
<REQUIRED_KEYLEN
) {
70 Message(M_ERR
,"transform_create: insufficient key material supplied "
71 "(need %d bytes, got %d)\n",REQUIRED_KEYLEN
,keylen
);
77 printf("Setting key to: ");
78 hexdebug(stdout
,key
,keylen
);
83 serpentbe_makekey(&ti
->cryptkey
,256,key
);
84 serpentbe_makekey(&ti
->mackey
,256,key
+32);
85 ti
->cryptiv
=get_uint32(key
+64);
86 ti
->maciv
=get_uint32(key
+68);
87 uint32_t firstseq
=get_uint32(key
+72);
88 SEQNUM_KEYED_INIT(firstseq
,firstseq
);
95 static void transform_delkey(void *sst
)
97 struct transform_inst
*ti
=sst
;
99 FILLZERO(ti
->cryptkey
);
100 FILLZERO(ti
->mackey
);
104 static transform_apply_return
transform_forward(void *sst
,
105 struct buffer_if
*buf
, const char **errmsg
)
107 struct transform_inst
*ti
=sst
;
111 uint8_t macplain
[16];
118 /* Sequence number */
119 buf_prepend_uint32(buf
,ti
->sendseq
);
122 /* PKCS5, stolen from IWJ */
123 /* eg with blocksize=4 mask=3 mask+2=5 */
124 /* msgsize 20 21 22 23 24 */
125 padlen
= PKCS5_MASK
-buf
->size
; /* -17 -18 -19 -16 -17 */
126 padlen
&= PKCS5_MASK
; /* 3 2 1 0 3 */
127 padlen
++; /* 4 3 2 1 4 */
129 padp
=buf_append(buf
,padlen
);
130 memset(padp
,padlen
,padlen
);
132 /* Serpent-CBCMAC. We expand the IV from 32-bit to 128-bit using
133 one encryption. Then we do the MAC and append the result. We don't
134 bother sending the IV - it's the same each time. (If we wanted to send
135 it we've have to add 16 bytes to each message, not 4, so that the
136 message stays a multiple of 16 bytes long.) */
138 put_uint32(iv
, ti
->maciv
);
139 serpentbe_encrypt(&ti
->mackey
,iv
,macacc
);
141 /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
142 block encrypted once again. */
143 for (n
=buf
->start
; n
<buf
->start
+buf
->size
; n
+=16)
145 for (i
= 0; i
< 16; i
++)
146 macplain
[i
] = macacc
[i
] ^ n
[i
];
147 serpentbe_encrypt(&ti
->mackey
,macplain
,macacc
);
149 serpentbe_encrypt(&ti
->mackey
,macacc
,macacc
);
150 BUF_ADD_BYTES(append
,buf
,macacc
,16);
152 /* Serpent-CBC. We expand the ID as for CBCMAC, do the encryption,
153 and prepend the IV before increasing it. */
155 put_uint32(iv
, ti
->cryptiv
);
156 serpentbe_encrypt(&ti
->cryptkey
,iv
,iv
);
158 /* CBC: each block is XORed with the previous encrypted block (or the IV)
159 before being encrypted. */
162 for (n
=buf
->start
; n
<buf
->start
+buf
->size
; n
+=16)
164 for (i
= 0; i
< 16; i
++)
166 serpentbe_encrypt(&ti
->cryptkey
,n
,n
);
170 buf_prepend_uint32(buf
,ti
->cryptiv
);
175 static transform_apply_return
transform_reverse(void *sst
,
176 struct buffer_if
*buf
, const char **errmsg
)
178 struct transform_inst
*ti
=sst
;
185 uint8_t macplain
[16];
188 uint8_t *macexpected
;
192 if (buf
->size
< 4 + 16 + 16) {
193 *errmsg
="msg too short";
194 return transform_apply_err
;
200 uint32_t ivword
= buf_unprepend_uint32(buf
);
201 put_uint32(iv
, ivword
);
203 /* Assert bufsize is multiple of blocksize */
205 *errmsg
="msg not multiple of cipher blocksize";
206 return transform_apply_err
;
208 serpentbe_encrypt(&ti
->cryptkey
,iv
,iv
);
209 for (n
=buf
->start
; n
<buf
->start
+buf
->size
; n
+=16)
211 for (i
= 0; i
< 16; i
++)
213 serpentbe_decrypt(&ti
->cryptkey
,n
,n
);
214 for (i
= 0; i
< 16; i
++)
220 macexpected
=buf_unappend(buf
,16);
222 put_uint32(iv
, ti
->maciv
);
223 serpentbe_encrypt(&ti
->mackey
,iv
,macacc
);
225 /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
226 block encrypted once again. */
227 for (n
=buf
->start
; n
<buf
->start
+buf
->size
; n
+=16)
229 for (i
= 0; i
< 16; i
++)
230 macplain
[i
] = macacc
[i
] ^ n
[i
];
231 serpentbe_encrypt(&ti
->mackey
,macplain
,macacc
);
233 serpentbe_encrypt(&ti
->mackey
,macacc
,macacc
);
234 if (!consttime_memeq(macexpected
,macacc
,16)!=0) {
235 *errmsg
="invalid MAC";
236 return transform_apply_err
;
239 /* PKCS5, stolen from IWJ */
241 padp
=buf_unappend(buf
,1);
243 if (!padlen
|| (padlen
> PKCS5_MASK
+1)) {
244 *errmsg
="pkcs5: invalid length";
245 return transform_apply_err
;
248 buf_unappend(buf
,padlen
-1);
250 /* Sequence number must be within max_skew of lastrecvseq; lastrecvseq
251 is only allowed to increase. */
252 seqnum
=buf_unprepend_uint32(buf
);
253 SEQNUM_CHECK(seqnum
, &ti
->p
);
260 static struct transform_inst_if
*transform_create(void *sst
)
262 struct transform
*st
=sst
;
264 TRANSFORM_CREATE_CORE
;
271 static list_t
*transform_apply(closure_t
*self
, struct cloc loc
,
272 dict_t
*context
, list_t
*args
)
274 struct transform
*st
;
279 st
->cl
.description
="serpent-cbc256";
280 st
->cl
.type
=CL_TRANSFORM
;
282 st
->cl
.interface
=&st
->ops
;
284 update_max_start_pad(&transform_max_start_pad
, 28);
285 /* 4byte seqnum, 16byte pad, 4byte MACIV, 4byte IV */
287 /* We need 256*2 bits for serpent keys, 32 bits for CBC-IV and 32 bits
288 for CBCMAC-IV, and 32 bits for init sequence number */
289 st
->ops
.keylen
=REQUIRED_KEYLEN
;
290 st
->ops
.create
=transform_create
;
292 /* First parameter must be a dict */
293 item
=list_elem(args
,0);
294 if (!item
|| item
->type
!=t_dict
)
295 cfgfatal(loc
,"serpent256-cbc","parameter must be a dictionary\n");
297 dict
=item
->data
.dict
;
299 SEQNUM_PARAMS_INIT(dict
,&st
->p
,"serpent-cbc256",loc
);
301 SET_CAPAB_TRANSFORMNUM(CAPAB_TRANSFORMNUM_SERPENT256CBC
);
303 return new_closure(&st
->cl
);
306 void transform_cbcmac_module(dict_t
*dict
)
308 struct keyInstance k
;
310 uint8_t plaintext
[16];
311 uint8_t ciphertext
[16];
316 * This test pattern was taken directly from the Serpent test
317 * vectors, which results in a big-endian Serpent which is not
318 * compatible with other implementations.
321 /* Serpent self-test */
323 "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff"
324 "\xff\xee\xdd\xcc\xbb\xaa\x99\x88\x77\x66\x55\x44\x33\x22\x11\x00",
326 serpentbe_makekey(&k
,256,data
);
329 "\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc\xba\x98\x76\x54\x32\x10",
331 serpentbe_encrypt(&k
,plaintext
,ciphertext
);
333 if (memcmp(ciphertext
, "\xca\x7f\xa1\x93\xe3\xeb\x9e\x99"
334 "\xbd\x87\xe3\xaf\x3c\x9a\xdf\x93", 16)) {
335 fatal("transform_module: serpent failed self-test (encrypt)");
337 serpentbe_decrypt(&k
,ciphertext
,plaintext
);
338 if (memcmp(plaintext
, "\x01\x23\x45\x67\x89\xab\xcd\xef"
339 "\xfe\xdc\xba\x98\x76\x54\x32\x10", 16)) {
340 fatal("transform_module: serpent failed self-test (decrypt)");
343 add_closure(dict
,"serpent256-cbc",transform_apply
);
345 #ifdef TEST_WHOLE_TRANSFORM
347 struct transform
*tr
;
349 struct buffer_if buf
;
350 const char text
[] = "This is a piece of test text.";
351 char keymaterial
[76] =
352 "Seventy-six bytes i"
353 "n four rows of 19; "
354 "this looks almost l"
355 "ike a poem but not.";
360 tr
->max_seq_skew
= 20;
361 ti
= transform_create(tr
);
363 transform_setkey(ti
, keymaterial
, 76);
365 buf
.base
= malloc(4096);
366 buffer_init(&buf
, 2048);
367 BUF_ADD_OBJ(append
, buf
, text
, sizeof(text
));
368 if (transform_forward(ti
, &buf
, &errmsg
)) {
369 fatal("transform_forward test: %s", errmsg
);
371 printf("transformed text is:\n");
372 for (i
= 0; i
< buf
.size
; i
++)
373 printf("%02x%c", buf
.start
[i
],
374 (i
%16==15 || i
==buf
.size
-1 ?
'\n' : ' '));
375 if (transform_reverse(ti
, &buf
, &errmsg
)) {
376 fatal("transform_reverse test: %s", errmsg
);
378 printf("transform reversal worked OK\n");