~mdw / secnet / blob
? search:


1e8a5e9b8acc4bc181f3b9cdbff5b32a2142abb9
[secnet] / transform-cbcmac.c
1 /* Transform module - bulk data transformation */
2
3 /* For now it's hard-coded to do sequence
4 number/pkcs5/serpent-cbcmac/serpent with a 256 bit key for each
5 instance of serpent. We also require key material for the IVs for
6 cbcmac and cbc. Hack: we're not using full 128-bit IVs, we're just
7 using 32 bits and encrypting to get the full IV to save space in
8 the packets sent over the wire. */
9
10 #include <stdio.h>
11 #include <string.h>
12 #include "secnet.h"
13 #include "util.h"
14 #include "serpent.h"
15 #include "unaligned.h"
16 #include "hexdebug.h"
17
18 /* Required key length in bytes */
19 #define REQUIRED_KEYLEN ((512+64+32)/8)
20
21 struct transform {
22 closure_t cl;
23 struct transform_if ops;
24 uint32_t max_seq_skew;
25 };
26
27 struct transform_inst {
28 struct transform_inst_if ops;
29 struct keyInstance cryptkey;
30 struct keyInstance mackey;
31 uint32_t cryptiv;
32 uint32_t maciv;
33 uint32_t sendseq;
34 uint32_t lastrecvseq;
35 uint32_t max_skew;
36 bool_t keyed;
37 };
38
39 #include "transform-common.h"
40
41 #define PKCS5_MASK 15
42
43 static bool_t transform_setkey(void *sst, uint8_t *key, int32_t keylen)
44 {
45 struct transform_inst *ti=sst;
46
47 if (keylen<REQUIRED_KEYLEN) {
48 Message(M_ERR,"transform_create: insufficient key material supplied "
49 "(need %d bytes, got %d)\n",REQUIRED_KEYLEN,keylen);
50 return False;
51 }
52
53 #if 0
54 {
55 printf("Setting key to: ");
56 hexdebug(stdout,key,keylen);
57 printf("\n");
58 }
59 #endif /* 0 */
60
61 serpentbe_makekey(&ti->cryptkey,256,key);
62 serpentbe_makekey(&ti->mackey,256,key+32);
63 ti->cryptiv=get_uint32(key+64);
64 ti->maciv=get_uint32(key+68);
65 ti->sendseq=get_uint32(key+72);
66 ti->lastrecvseq=ti->sendseq;
67 ti->keyed=True;
68
69 return True;
70 }
71
72 TRANSFORM_VALID;
73
74 static void transform_delkey(void *sst)
75 {
76 struct transform_inst *ti=sst;
77
78 FILLZERO(ti->cryptkey);
79 FILLZERO(ti->mackey);
80 ti->keyed=False;
81 }
82
83 static uint32_t transform_forward(void *sst, struct buffer_if *buf,
84 const char **errmsg)
85 {
86 struct transform_inst *ti=sst;
87 uint8_t *padp;
88 int padlen;
89 uint8_t iv[16];
90 uint8_t macplain[16];
91 uint8_t macacc[16];
92 uint8_t *p, *n;
93 int i;
94
95 KEYED_CHECK;
96
97 /* Sequence number */
98 buf_prepend_uint32(buf,ti->sendseq);
99 ti->sendseq++;
100
101 /* PKCS5, stolen from IWJ */
102 /* eg with blocksize=4 mask=3 mask+2=5 */
103 /* msgsize 20 21 22 23 24 */
104 padlen= PKCS5_MASK-buf->size; /* -17 -18 -19 -16 -17 */
105 padlen &= PKCS5_MASK; /* 3 2 1 0 3 */
106 padlen++; /* 4 3 2 1 4 */
107
108 padp=buf_append(buf,padlen);
109 memset(padp,padlen,padlen);
110
111 /* Serpent-CBCMAC. We expand the IV from 32-bit to 128-bit using
112 one encryption. Then we do the MAC and append the result. We don't
113 bother sending the IV - it's the same each time. (If we wanted to send
114 it we've have to add 16 bytes to each message, not 4, so that the
115 message stays a multiple of 16 bytes long.) */
116 memset(iv,0,16);
117 put_uint32(iv, ti->maciv);
118 serpentbe_encrypt(&ti->mackey,iv,macacc);
119
120 /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
121 block encrypted once again. */
122 for (n=buf->start; n<buf->start+buf->size; n+=16)
123 {
124 for (i = 0; i < 16; i++)
125 macplain[i] = macacc[i] ^ n[i];
126 serpentbe_encrypt(&ti->mackey,macplain,macacc);
127 }
128 serpentbe_encrypt(&ti->mackey,macacc,macacc);
129 memcpy(buf_append(buf,16),macacc,16);
130
131 /* Serpent-CBC. We expand the ID as for CBCMAC, do the encryption,
132 and prepend the IV before increasing it. */
133 memset(iv,0,16);
134 put_uint32(iv, ti->cryptiv);
135 serpentbe_encrypt(&ti->cryptkey,iv,iv);
136
137 /* CBC: each block is XORed with the previous encrypted block (or the IV)
138 before being encrypted. */
139 p=iv;
140
141 for (n=buf->start; n<buf->start+buf->size; n+=16)
142 {
143 for (i = 0; i < 16; i++)
144 n[i] ^= p[i];
145 serpentbe_encrypt(&ti->cryptkey,n,n);
146 p=n;
147 }
148
149 buf_prepend_uint32(buf,ti->cryptiv);
150 ti->cryptiv++;
151 return 0;
152 }
153
154 static uint32_t transform_reverse(void *sst, struct buffer_if *buf,
155 const char **errmsg)
156 {
157 struct transform_inst *ti=sst;
158 uint8_t *padp;
159 int padlen;
160 int i;
161 uint32_t seqnum;
162 uint8_t iv[16];
163 uint8_t pct[16];
164 uint8_t macplain[16];
165 uint8_t macacc[16];
166 uint8_t *n;
167 uint8_t *macexpected;
168
169 KEYED_CHECK;
170
171 if (buf->size < 4 + 16 + 16) {
172 *errmsg="msg too short";
173 return 1;
174 }
175
176 /* CBC */
177 memset(iv,0,16);
178 {
179 uint32_t ivword = buf_unprepend_uint32(buf);
180 put_uint32(iv, ivword);
181 }
182 /* Assert bufsize is multiple of blocksize */
183 if (buf->size&0xf) {
184 *errmsg="msg not multiple of cipher blocksize";
185 return 1;
186 }
187 serpentbe_encrypt(&ti->cryptkey,iv,iv);
188 for (n=buf->start; n<buf->start+buf->size; n+=16)
189 {
190 for (i = 0; i < 16; i++)
191 pct[i] = n[i];
192 serpentbe_decrypt(&ti->cryptkey,n,n);
193 for (i = 0; i < 16; i++)
194 n[i] ^= iv[i];
195 memcpy(iv, pct, 16);
196 }
197
198 /* CBCMAC */
199 macexpected=buf_unappend(buf,16);
200 memset(iv,0,16);
201 put_uint32(iv, ti->maciv);
202 serpentbe_encrypt(&ti->mackey,iv,macacc);
203
204 /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
205 block encrypted once again. */
206 for (n=buf->start; n<buf->start+buf->size; n+=16)
207 {
208 for (i = 0; i < 16; i++)
209 macplain[i] = macacc[i] ^ n[i];
210 serpentbe_encrypt(&ti->mackey,macplain,macacc);
211 }
212 serpentbe_encrypt(&ti->mackey,macacc,macacc);
213 if (!consttime_memeq(macexpected,macacc,16)!=0) {
214 *errmsg="invalid MAC";
215 return 1;
216 }
217
218 /* PKCS5, stolen from IWJ */
219
220 padp=buf_unappend(buf,1);
221 padlen=*padp;
222 if (!padlen || (padlen > PKCS5_MASK+1)) {
223 *errmsg="pkcs5: invalid length";
224 return 1;
225 }
226
227 buf_unappend(buf,padlen-1);
228
229 /* Sequence number must be within max_skew of lastrecvseq; lastrecvseq
230 is only allowed to increase. */
231 seqnum=buf_unprepend_uint32(buf);
232 SEQNUM_CHECK(seqnum, ti->max_skew);
233
234 return 0;
235 }
236
237 TRANSFORM_DESTROY;
238
239 static struct transform_inst_if *transform_create(void *sst)
240 {
241 struct transform *st=sst;
242
243 TRANSFORM_CREATE_CORE;
244
245 ti->max_skew=st->max_seq_skew;
246
247 return &ti->ops;
248 }
249
250 static list_t *transform_apply(closure_t *self, struct cloc loc,
251 dict_t *context, list_t *args)
252 {
253 struct transform *st;
254 item_t *item;
255 dict_t *dict;
256
257 st=safe_malloc(sizeof(*st),"serpent");
258 st->cl.description="serpent-cbc256";
259 st->cl.type=CL_TRANSFORM;
260 st->cl.apply=NULL;
261 st->cl.interface=&st->ops;
262 st->ops.st=st;
263 st->ops.max_start_pad=28; /* 4byte seqnum, 16byte pad, 4byte MACIV,
264 4byte IV */
265 st->ops.max_end_pad=16; /* 16byte CBCMAC */
266
267 /* We need 256*2 bits for serpent keys, 32 bits for CBC-IV and 32 bits
268 for CBCMAC-IV, and 32 bits for init sequence number */
269 st->ops.keylen=REQUIRED_KEYLEN;
270 st->ops.create=transform_create;
271
272 /* First parameter must be a dict */
273 item=list_elem(args,0);
274 if (!item || item->type!=t_dict)
275 cfgfatal(loc,"userv-ipif","parameter must be a dictionary\n");
276
277 dict=item->data.dict;
278 st->max_seq_skew=dict_read_number(dict, "max-sequence-skew",
279 False, "serpent-cbc256", loc, 10);
280
281 return new_closure(&st->cl);
282 }
283
284 void transform_cbcmac_module(dict_t *dict)
285 {
286 struct keyInstance k;
287 uint8_t data[32];
288 uint8_t plaintext[16];
289 uint8_t ciphertext[16];
290
291 /*
292 * Serpent self-test.
293 *
294 * This test pattern was taken directly from the Serpent test
295 * vectors, which results in a big-endian Serpent which is not
296 * compatible with other implementations.
297 */
298
299 /* Serpent self-test */
300 memcpy(data,
301 "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff"
302 "\xff\xee\xdd\xcc\xbb\xaa\x99\x88\x77\x66\x55\x44\x33\x22\x11\x00",
303 32);
304 serpentbe_makekey(&k,256,data);
305
306 memcpy(plaintext,
307 "\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc\xba\x98\x76\x54\x32\x10",
308 16);
309 serpentbe_encrypt(&k,plaintext,ciphertext);
310
311 if (memcmp(ciphertext, "\xca\x7f\xa1\x93\xe3\xeb\x9e\x99"
312 "\xbd\x87\xe3\xaf\x3c\x9a\xdf\x93", 16)) {
313 fatal("transform_module: serpent failed self-test (encrypt)");
314 }
315 serpentbe_decrypt(&k,ciphertext,plaintext);
316 if (memcmp(plaintext, "\x01\x23\x45\x67\x89\xab\xcd\xef"
317 "\xfe\xdc\xba\x98\x76\x54\x32\x10", 16)) {
318 fatal("transform_module: serpent failed self-test (decrypt)");
319 }
320
321 add_closure(dict,"serpent256-cbc",transform_apply);
322
323 #ifdef TEST_WHOLE_TRANSFORM
324 {
325 struct transform *tr;
326 void *ti;
327 struct buffer_if buf;
328 const char text[] = "This is a piece of test text.";
329 char keymaterial[76] =
330 "Seventy-six bytes i"
331 "n four rows of 19; "
332 "this looks almost l"
333 "ike a poem but not.";
334 const char *errmsg;
335 int i;
336
337 tr = malloc(sizeof(struct transform));
338 tr->max_seq_skew = 20;
339 ti = transform_create(tr);
340
341 transform_setkey(ti, keymaterial, 76);
342
343 buf.base = malloc(4096);
344 buffer_init(&buf, 2048);
345 memcpy(buf_append(&buf, sizeof(text)), text, sizeof(text));
346 if (transform_forward(ti, &buf, &errmsg)) {
347 fatal("transform_forward test: %s", errmsg);
348 }
349 printf("transformed text is:\n");
350 for (i = 0; i < buf.size; i++)
351 printf("%02x%c", buf.start[i],
352 (i%16==15 || i==buf.size-1 ? '\n' : ' '));
353 if (transform_reverse(ti, &buf, &errmsg)) {
354 fatal("transform_reverse test: %s", errmsg);
355 }
356 printf("transform reversal worked OK\n");
357 }
358 #endif
359 }
Secnet virtual private network: clone of http://www.chiark.greenend.org.uk/ucgi/~ian/git/secnet.git/