~mdw / secnet / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
polypath: Log pid of long-running interface monitor
[secnet] / transform-cbcmac.c
1 /* Transform module - bulk data transformation */
2
3 /* For now it's hard-coded to do sequence
4 number/pkcs5/serpent-cbcmac/serpent with a 256 bit key for each
5 instance of serpent. We also require key material for the IVs for
6 cbcmac and cbc. Hack: we're not using full 128-bit IVs, we're just
7 using 32 bits and encrypting to get the full IV to save space in
8 the packets sent over the wire. */
9
10 #include <stdio.h>
11 #include <string.h>
12 #include "secnet.h"
13 #include "util.h"
14 #include "serpent.h"
15 #include "unaligned.h"
16 #include "hexdebug.h"
17
18 /* Required key length in bytes */
19 #define REQUIRED_KEYLEN ((512+64+32)/8)
20
21 #include "transform-common.h"
22
23 struct transform_params {
24 SEQNUM_PARAMS_FIELDS;
25 };
26
27 struct transform {
28 closure_t cl;
29 struct transform_if ops;
30 struct transform_params p;
31 };
32
33 struct transform_inst {
34 struct transform_inst_if ops;
35 struct transform_params p;
36 struct keyInstance cryptkey;
37 struct keyInstance mackey;
38 uint32_t cryptiv;
39 uint32_t maciv;
40 SEQNUM_KEYED_FIELDS;
41 };
42
43 #define PKCS5_MASK 15
44
45 static bool_t transform_setkey(void *sst, uint8_t *key, int32_t keylen,
46 bool_t direction)
47 {
48 struct transform_inst *ti=sst;
49
50 if (keylen<REQUIRED_KEYLEN) {
51 Message(M_ERR,"transform_create: insufficient key material supplied "
52 "(need %d bytes, got %d)\n",REQUIRED_KEYLEN,keylen);
53 return False;
54 }
55
56 #if 0
57 {
58 printf("Setting key to: ");
59 hexdebug(stdout,key,keylen);
60 printf("\n");
61 }
62 #endif /* 0 */
63
64 serpentbe_makekey(&ti->cryptkey,256,key);
65 serpentbe_makekey(&ti->mackey,256,key+32);
66 ti->cryptiv=get_uint32(key+64);
67 ti->maciv=get_uint32(key+68);
68 uint32_t firstseq=get_uint32(key+72);
69 SEQNUM_KEYED_INIT(firstseq,firstseq);
70
71 return True;
72 }
73
74 TRANSFORM_VALID;
75
76 static void transform_delkey(void *sst)
77 {
78 struct transform_inst *ti=sst;
79
80 FILLZERO(ti->cryptkey);
81 FILLZERO(ti->mackey);
82 ti->keyed=False;
83 }
84
85 static uint32_t transform_forward(void *sst, struct buffer_if *buf,
86 const char **errmsg)
87 {
88 struct transform_inst *ti=sst;
89 uint8_t *padp;
90 int padlen;
91 uint8_t iv[16];
92 uint8_t macplain[16];
93 uint8_t macacc[16];
94 uint8_t *p, *n;
95 int i;
96
97 KEYED_CHECK;
98
99 /* Sequence number */
100 buf_prepend_uint32(buf,ti->sendseq);
101 ti->sendseq++;
102
103 /* PKCS5, stolen from IWJ */
104 /* eg with blocksize=4 mask=3 mask+2=5 */
105 /* msgsize 20 21 22 23 24 */
106 padlen= PKCS5_MASK-buf->size; /* -17 -18 -19 -16 -17 */
107 padlen &= PKCS5_MASK; /* 3 2 1 0 3 */
108 padlen++; /* 4 3 2 1 4 */
109
110 padp=buf_append(buf,padlen);
111 memset(padp,padlen,padlen);
112
113 /* Serpent-CBCMAC. We expand the IV from 32-bit to 128-bit using
114 one encryption. Then we do the MAC and append the result. We don't
115 bother sending the IV - it's the same each time. (If we wanted to send
116 it we've have to add 16 bytes to each message, not 4, so that the
117 message stays a multiple of 16 bytes long.) */
118 FILLZERO(iv);
119 put_uint32(iv, ti->maciv);
120 serpentbe_encrypt(&ti->mackey,iv,macacc);
121
122 /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
123 block encrypted once again. */
124 for (n=buf->start; n<buf->start+buf->size; n+=16)
125 {
126 for (i = 0; i < 16; i++)
127 macplain[i] = macacc[i] ^ n[i];
128 serpentbe_encrypt(&ti->mackey,macplain,macacc);
129 }
130 serpentbe_encrypt(&ti->mackey,macacc,macacc);
131 BUF_ADD_BYTES(append,buf,macacc,16);
132
133 /* Serpent-CBC. We expand the ID as for CBCMAC, do the encryption,
134 and prepend the IV before increasing it. */
135 FILLZERO(iv);
136 put_uint32(iv, ti->cryptiv);
137 serpentbe_encrypt(&ti->cryptkey,iv,iv);
138
139 /* CBC: each block is XORed with the previous encrypted block (or the IV)
140 before being encrypted. */
141 p=iv;
142
143 for (n=buf->start; n<buf->start+buf->size; n+=16)
144 {
145 for (i = 0; i < 16; i++)
146 n[i] ^= p[i];
147 serpentbe_encrypt(&ti->cryptkey,n,n);
148 p=n;
149 }
150
151 buf_prepend_uint32(buf,ti->cryptiv);
152 ti->cryptiv++;
153 return 0;
154 }
155
156 static uint32_t transform_reverse(void *sst, struct buffer_if *buf,
157 const char **errmsg)
158 {
159 struct transform_inst *ti=sst;
160 uint8_t *padp;
161 int padlen;
162 int i;
163 uint32_t seqnum;
164 uint8_t iv[16];
165 uint8_t pct[16];
166 uint8_t macplain[16];
167 uint8_t macacc[16];
168 uint8_t *n;
169 uint8_t *macexpected;
170
171 KEYED_CHECK;
172
173 if (buf->size < 4 + 16 + 16) {
174 *errmsg="msg too short";
175 return 1;
176 }
177
178 /* CBC */
179 FILLZERO(iv);
180 {
181 uint32_t ivword = buf_unprepend_uint32(buf);
182 put_uint32(iv, ivword);
183 }
184 /* Assert bufsize is multiple of blocksize */
185 if (buf->size&0xf) {
186 *errmsg="msg not multiple of cipher blocksize";
187 return 1;
188 }
189 serpentbe_encrypt(&ti->cryptkey,iv,iv);
190 for (n=buf->start; n<buf->start+buf->size; n+=16)
191 {
192 for (i = 0; i < 16; i++)
193 pct[i] = n[i];
194 serpentbe_decrypt(&ti->cryptkey,n,n);
195 for (i = 0; i < 16; i++)
196 n[i] ^= iv[i];
197 COPY_OBJ(iv, pct);
198 }
199
200 /* CBCMAC */
201 macexpected=buf_unappend(buf,16);
202 FILLZERO(iv);
203 put_uint32(iv, ti->maciv);
204 serpentbe_encrypt(&ti->mackey,iv,macacc);
205
206 /* CBCMAC: encrypt in CBC mode. The MAC is the last encrypted
207 block encrypted once again. */
208 for (n=buf->start; n<buf->start+buf->size; n+=16)
209 {
210 for (i = 0; i < 16; i++)
211 macplain[i] = macacc[i] ^ n[i];
212 serpentbe_encrypt(&ti->mackey,macplain,macacc);
213 }
214 serpentbe_encrypt(&ti->mackey,macacc,macacc);
215 if (!consttime_memeq(macexpected,macacc,16)!=0) {
216 *errmsg="invalid MAC";
217 return 1;
218 }
219
220 /* PKCS5, stolen from IWJ */
221
222 padp=buf_unappend(buf,1);
223 padlen=*padp;
224 if (!padlen || (padlen > PKCS5_MASK+1)) {
225 *errmsg="pkcs5: invalid length";
226 return 1;
227 }
228
229 buf_unappend(buf,padlen-1);
230
231 /* Sequence number must be within max_skew of lastrecvseq; lastrecvseq
232 is only allowed to increase. */
233 seqnum=buf_unprepend_uint32(buf);
234 SEQNUM_CHECK(seqnum, &ti->p);
235
236 return 0;
237 }
238
239 TRANSFORM_DESTROY;
240
241 static struct transform_inst_if *transform_create(void *sst)
242 {
243 struct transform *st=sst;
244
245 TRANSFORM_CREATE_CORE;
246
247 ti->p=st->p;
248
249 return &ti->ops;
250 }
251
252 static list_t *transform_apply(closure_t *self, struct cloc loc,
253 dict_t *context, list_t *args)
254 {
255 struct transform *st;
256 item_t *item;
257 dict_t *dict;
258
259 st=safe_malloc(sizeof(*st),"serpent");
260 st->cl.description="serpent-cbc256";
261 st->cl.type=CL_TRANSFORM;
262 st->cl.apply=NULL;
263 st->cl.interface=&st->ops;
264 st->ops.st=st;
265 update_max_start_pad(&transform_max_start_pad, 28);
266 /* 4byte seqnum, 16byte pad, 4byte MACIV, 4byte IV */
267
268 /* We need 256*2 bits for serpent keys, 32 bits for CBC-IV and 32 bits
269 for CBCMAC-IV, and 32 bits for init sequence number */
270 st->ops.keylen=REQUIRED_KEYLEN;
271 st->ops.create=transform_create;
272
273 /* First parameter must be a dict */
274 item=list_elem(args,0);
275 if (!item || item->type!=t_dict)
276 cfgfatal(loc,"userv-ipif","parameter must be a dictionary\n");
277
278 dict=item->data.dict;
279
280 SEQNUM_PARAMS_INIT(dict,&st->p,"serpent-cbc256",loc);
281
282 SET_CAPAB_TRANSFORMNUM(CAPAB_TRANSFORMNUM_SERPENT256CBC);
283
284 return new_closure(&st->cl);
285 }
286
287 void transform_cbcmac_module(dict_t *dict)
288 {
289 struct keyInstance k;
290 uint8_t data[32];
291 uint8_t plaintext[16];
292 uint8_t ciphertext[16];
293
294 /*
295 * Serpent self-test.
296 *
297 * This test pattern was taken directly from the Serpent test
298 * vectors, which results in a big-endian Serpent which is not
299 * compatible with other implementations.
300 */
301
302 /* Serpent self-test */
303 memcpy(data,
304 "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff"
305 "\xff\xee\xdd\xcc\xbb\xaa\x99\x88\x77\x66\x55\x44\x33\x22\x11\x00",
306 32);
307 serpentbe_makekey(&k,256,data);
308
309 memcpy(plaintext,
310 "\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc\xba\x98\x76\x54\x32\x10",
311 16);
312 serpentbe_encrypt(&k,plaintext,ciphertext);
313
314 if (memcmp(ciphertext, "\xca\x7f\xa1\x93\xe3\xeb\x9e\x99"
315 "\xbd\x87\xe3\xaf\x3c\x9a\xdf\x93", 16)) {
316 fatal("transform_module: serpent failed self-test (encrypt)");
317 }
318 serpentbe_decrypt(&k,ciphertext,plaintext);
319 if (memcmp(plaintext, "\x01\x23\x45\x67\x89\xab\xcd\xef"
320 "\xfe\xdc\xba\x98\x76\x54\x32\x10", 16)) {
321 fatal("transform_module: serpent failed self-test (decrypt)");
322 }
323
324 add_closure(dict,"serpent256-cbc",transform_apply);
325
326 #ifdef TEST_WHOLE_TRANSFORM
327 {
328 struct transform *tr;
329 void *ti;
330 struct buffer_if buf;
331 const char text[] = "This is a piece of test text.";
332 char keymaterial[76] =
333 "Seventy-six bytes i"
334 "n four rows of 19; "
335 "this looks almost l"
336 "ike a poem but not.";
337 const char *errmsg;
338 int i;
339
340 tr = safe_malloc(sizeof(struct transform),"test transform");
341 tr->max_seq_skew = 20;
342 ti = transform_create(tr);
343
344 transform_setkey(ti, keymaterial, 76);
345
346 buf.base = malloc(4096);
347 buffer_init(&buf, 2048);
348 BUF_ADD_OBJ(append, buf, text, sizeof(text));
349 if (transform_forward(ti, &buf, &errmsg)) {
350 fatal("transform_forward test: %s", errmsg);
351 }
352 printf("transformed text is:\n");
353 for (i = 0; i < buf.size; i++)
354 printf("%02x%c", buf.start[i],
355 (i%16==15 || i==buf.size-1 ? '\n' : ' '));
356 if (transform_reverse(ti, &buf, &errmsg)) {
357 fatal("transform_reverse test: %s", errmsg);
358 }
359 printf("transform reversal worked OK\n");
360 }
361 #endif
362 }
Secnet virtual private network: clone of http://www.chiark.greenend.org.uk/ucgi/~ian/git/secnet.git/