3 * Bulk crypto transformations
5 * (c) 2014 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Trivial IP Encryption (TrIPE).
12 * TrIPE is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * TrIPE is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /*----- Header files ------------------------------------------------------*/
31 /*----- Utilities ---------------------------------------------------------*/
33 #define SEQSZ 4 /* Size of sequence number packet */
35 #define TRACE_IV(qiv, ivsz) do { IF_TRACING(T_KEYSET, { \
36 trace_block(T_CRYPTO, "crypto: initialization vector", \
40 #define TRACE_CT(qpk, sz) do { IF_TRACING(T_KEYSET, { \
41 trace_block(T_CRYPTO, "crypto: encrypted packet", (qpk), (sz)); \
44 #define TRACE_MAC(qmac, tagsz) do { IF_TRACING(T_KEYSET, { \
45 trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz)); \
48 #define TRACE_MACERR(pmac, tagsz) do { IF_TRACING(T_KEYSET, { \
49 trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); \
50 trace_block(T_CRYPTO, "crypto: expected MAC", (pmac), (tagsz)); \
53 /*----- Common functionality for generic-composition transforms -----------*/
55 #define CHECK_MAC(h, pmac, tagsz) do { \
57 const octet *_pmac = (pmac); \
58 size_t _tagsz = (tagsz); \
59 octet *_mac = GH_DONE(_h, 0); \
60 int _eq = ct_memeq(_mac, _pmac, _tagsz); \
61 TRACE_MAC(_mac, _tagsz); \
64 TRACE_MACERR(_pmac, _tagsz); \
65 return (KSERR_DECRYPT); \
69 typedef struct gencomp_algs
{
70 const gccipher
*c
; size_t cksz
;
71 const gcmac
*m
; size_t mksz
; size_t tagsz
;
74 typedef struct gencomp_chal
{
76 gmac
*m
; size_t tagsz
;
79 static int gencomp_getalgs(gencomp_algs
*a
, const algswitch
*asw
,
80 dstr
*e
, key_file
*kf
, key
*k
)
88 /* --- Symmetric encryption --- */
90 if ((p
= key_getattr(kf
, k
, "cipher")) == 0) p
= "blowfish-cbc";
91 if ((a
->c
= gcipher_byname(p
)) == 0) {
92 a_format(e
, "unknown-cipher", "%s", p
, A_END
);
96 /* --- Message authentication --- */
98 if ((p
= key_getattr(kf
, k
, "mac")) != 0) {
101 if ((q
= strchr(d
.buf
, '/')) != 0)
103 if ((a
->m
= gmac_byname(d
.buf
)) == 0) {
104 a_format(e
, "unknown-mac", "%s", d
.buf
, A_END
);
108 a
->tagsz
= a
->m
->hashsz
;
110 n
= strtoul(q
, &qq
, 0);
112 a_format(e
, "bad-tag-length-string", "%s", q
, A_END
);
115 if (n
%8 || n
/8 > a
->m
->hashsz
) {
116 a_format(e
, "bad-tag-length", "%lu", n
, A_END
);
123 dstr_putf(&d
, "%s-hmac", asw
->h
->name
);
124 if ((a
->m
= gmac_byname(d
.buf
)) == 0) {
125 a_format(e
, "no-hmac-for-hash", "%s", asw
->h
->name
, A_END
);
128 a
->tagsz
= asw
->h
->hashsz
/2;
138 static void gencomp_tracealgs(const gencomp_algs
*a
)
140 trace(T_CRYPTO
, "crypto: cipher = %s", a
->c
->name
);
141 trace(T_CRYPTO
, "crypto: mac = %s/%lu",
142 a
->m
->name
, (unsigned long)a
->tagsz
* 8);
146 static int gencomp_checkalgs(gencomp_algs
*a
, const algswitch
*asw
, dstr
*e
)
148 /* --- Derive the key sizes --- *
150 * Must ensure that we have non-empty keys. This isn't ideal, but it
151 * provides a handy sanity check. Also must be based on a 64- or 128-bit
152 * block cipher or we can't do the data expiry properly.
155 if ((a
->cksz
= keysz(asw
->hashsz
, a
->c
->keysz
)) == 0) {
156 a_format(e
, "cipher", "%s", a
->c
->name
,
157 "no-key-size", "%lu", (unsigned long)asw
->hashsz
,
161 if ((a
->mksz
= keysz(asw
->hashsz
, a
->m
->keysz
)) == 0) {
162 a_format(e
, "mac", "%s", a
->m
->name
,
163 "no-key-size", "%lu", (unsigned long)asw
->hashsz
,
171 static void gencomp_alginfo(const gencomp_algs
*a
, admin
*adm
)
174 "cipher=%s", a
->c
->name
,
175 "cipher-keysz=%lu", (unsigned long)a
->cksz
,
176 "cipher-blksz=%lu", (unsigned long)a
->c
->blksz
,
179 "mac=%s", a
->m
->name
,
180 "mac-keysz=%lu", (unsigned long)a
->mksz
,
181 "mac-tagsz=%lu", (unsigned long)a
->tagsz
,
185 static int gencomp_samealgsp(const gencomp_algs
*a
, const gencomp_algs
*aa
)
187 return (a
->c
== aa
->c
&&
188 a
->m
== aa
->m
&& a
->tagsz
== aa
->tagsz
);
191 static size_t gencomp_expsz(const gencomp_algs
*a
)
192 { return (a
->c
->blksz
< 16 ?
MEG(64) : MEG(2048)); }
194 static bulkchal
*gencomp_genchal(const gencomp_algs
*a
)
196 gencomp_chal
*gc
= CREATE(gencomp_chal
);
198 rand_get(RAND_GLOBAL
, buf_t
, a
->mksz
);
199 gc
->m
= GM_KEY(a
->m
, buf_t
, a
->mksz
);
200 gc
->_b
.tagsz
= a
->tagsz
;
202 trace(T_CHAL
, "chal: generated new challenge key");
203 trace_block(T_CRYPTO
, "chal: new key", buf_t
, a
->mksz
);
208 static int gencomp_chaltag(bulkchal
*bc
, const void *m
, size_t msz
, void *t
)
210 gencomp_chal
*gc
= (gencomp_chal
*)bc
;
211 ghash
*h
= GM_INIT(gc
->m
);
214 memcpy(t
, GH_DONE(h
, 0), bc
->tagsz
);
219 static int gencomp_chalvrf(bulkchal
*bc
, const void *m
, size_t msz
,
222 gencomp_chal
*gc
= (gencomp_chal
*)bc
;
223 ghash
*h
= GM_INIT(gc
->m
);
227 ok
= ct_memeq(GH_DONE(h
, 0), t
, gc
->_b
.tagsz
);
229 return (ok ?
0 : -1);
232 static void gencomp_freechal(bulkchal
*bc
)
233 { gencomp_chal
*gc
= (gencomp_chal
*)bc
; GM_DESTROY(gc
->m
); DESTROY(gc
); }
235 /*----- The original transform --------------------------------------------*
237 * We generate a random initialization vector (if the cipher needs one). We
238 * encrypt the input message with the cipher, and format the type, sequence
239 * number, IV, and ciphertext as follows.
241 * +------+ +------+---...---+------...------+
242 * | type | | seq | iv | ciphertext |
243 * +------+ +------+---...---+------...------+
246 * All of this is fed into the MAC to compute a tag. The type is not
247 * transmitted: the other end knows what type of message it expects, and the
248 * type is only here to prevent us from being confused because some other
249 * kind of ciphertext has been substituted. The tag is prepended to the
250 * remainder, to yield the finished cryptogram, as follows.
252 * +---...---+------+---...---+------...------+
253 * | tag | seq | iv | ciphertext |
254 * +---...---+------+---...---+------...------+
257 * Decryption: checks the overall size, verifies the tag, then decrypts the
258 * ciphertext and extracts the sequence number.
261 typedef struct v0_algs
{
266 typedef struct v0_ctx
{
275 static bulkalgs
*v0_getalgs(const algswitch
*asw
, dstr
*e
,
276 key_file
*kf
, key
*k
)
278 v0_algs
*a
= CREATE(v0_algs
);
279 if (gencomp_getalgs(&a
->ga
, asw
, e
, kf
, k
)) { DESTROY(a
); return (0); }
284 static void v0_tracealgs(const bulkalgs
*aa
)
285 { const v0_algs
*a
= (const v0_algs
*)aa
; gencomp_tracealgs(&a
->ga
); }
288 static int v0_checkalgs(bulkalgs
*aa
, const algswitch
*asw
, dstr
*e
)
290 v0_algs
*a
= (v0_algs
*)aa
;
291 if (gencomp_checkalgs(&a
->ga
, asw
, e
)) return (-1);
295 static int v0_samealgsp(const bulkalgs
*aa
, const bulkalgs
*bb
)
297 const v0_algs
*a
= (const v0_algs
*)aa
, *b
= (const v0_algs
*)bb
;
298 return (gencomp_samealgsp(&a
->ga
, &b
->ga
));
301 static void v0_alginfo(const bulkalgs
*aa
, admin
*adm
)
302 { const v0_algs
*a
= (const v0_algs
*)aa
; gencomp_alginfo(&a
->ga
, adm
); }
304 static size_t v0_overhead(const bulkalgs
*aa
)
306 const v0_algs
*a
= (const v0_algs
*)aa
;
307 return (a
->ga
.tagsz
+ SEQSZ
+ a
->ga
.c
->blksz
);
310 static size_t v0_expsz(const bulkalgs
*aa
)
311 { const v0_algs
*a
= (const v0_algs
*)aa
; return (gencomp_expsz(&a
->ga
)); }
313 static bulkctx
*v0_genkeys(const bulkalgs
*aa
, const struct rawkey
*rk
)
315 const v0_algs
*a
= (const v0_algs
*)aa
;
316 v0_ctx
*bc
= CREATE(v0_ctx
);
320 bc
->tagsz
= a
->ga
.tagsz
;
321 for (i
= 0; i
< NDIR
; i
++) {
322 ks_derivekey(k
, a
->ga
.cksz
, rk
, i
, "encryption");
323 bc
->d
[i
].c
= GC_INIT(a
->ga
.c
, k
, a
->ga
.cksz
);
324 ks_derivekey(k
, a
->ga
.mksz
, rk
, i
, "integrity");
325 bc
->d
[i
].m
= GM_KEY(a
->ga
.m
, k
, a
->ga
.mksz
);
330 static bulkchal
*v0_genchal(const bulkalgs
*aa
)
332 const v0_algs
*a
= (const v0_algs
*)aa
;
333 return (gencomp_genchal(&a
->ga
));
335 #define v0_chaltag gencomp_chaltag
336 #define v0_chalvrf gencomp_chalvrf
337 #define v0_freechal gencomp_freechal
339 static void v0_freealgs(bulkalgs
*aa
)
340 { v0_algs
*a
= (v0_algs
*)aa
; DESTROY(a
); }
342 static void v0_freectx(bulkctx
*bbc
)
344 v0_ctx
*bc
= (v0_ctx
*)bbc
;
347 for (i
= 0; i
< NDIR
; i
++) {
348 GC_DESTROY(bc
->d
[i
].c
);
349 GM_DESTROY(bc
->d
[i
].m
);
354 static int v0_encrypt(bulkctx
*bbc
, unsigned ty
,
355 buf
*b
, buf
*bb
, uint32 seq
)
357 v0_ctx
*bc
= (v0_ctx
*)bbc
;
359 gcipher
*c
= bc
->d
[DIR_OUT
].c
;
360 const octet
*p
= BCUR(b
);
361 size_t sz
= BLEFT(b
);
362 octet
*qmac
, *qseq
, *qiv
, *qpk
;
363 size_t ivsz
= GC_CLASS(c
)->blksz
;
364 size_t tagsz
= bc
->tagsz
;
367 /* --- Determine the ciphertext layout --- */
369 if (buf_ensure(bb
, tagsz
+ SEQSZ
+ ivsz
+ sz
)) return (0);
370 qmac
= BCUR(bb
); qseq
= qmac
+ tagsz
; qiv
= qseq
+ SEQSZ
; qpk
= qiv
+ ivsz
;
371 BSTEP(bb
, tagsz
+ SEQSZ
+ ivsz
+ sz
);
373 /* --- Store the type --- *
375 * This isn't transmitted, but it's covered by the MAC.
380 /* --- Store the sequence number --- */
384 /* --- Establish an initialization vector if necessary --- */
387 rand_get(RAND_GLOBAL
, qiv
, ivsz
);
392 /* --- Encrypt the packet --- */
394 GC_ENCRYPT(c
, p
, qpk
, sz
);
397 /* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */
400 h
= GM_INIT(bc
->d
[DIR_OUT
].m
);
401 GH_HASH(h
, t
, sizeof(t
));
402 GH_HASH(h
, qseq
, SEQSZ
+ ivsz
+ sz
);
403 memcpy(qmac
, GH_DONE(h
, 0), tagsz
);
405 TRACE_MAC(qmac
, tagsz
);
408 /* --- We're done --- */
413 static int v0_decrypt(bulkctx
*bbc
, unsigned ty
,
414 buf
*b
, buf
*bb
, uint32
*seq
)
416 v0_ctx
*bc
= (v0_ctx
*)bbc
;
417 const octet
*pmac
, *piv
, *pseq
, *ppk
;
418 size_t psz
= BLEFT(b
);
422 gcipher
*c
= bc
->d
[DIR_IN
].c
;
423 size_t ivsz
= GC_CLASS(c
)->blksz
;
424 size_t tagsz
= bc
->tagsz
;
427 /* --- Break up the packet into its components --- */
429 if (psz
< ivsz
+ SEQSZ
+ tagsz
) {
430 T( trace(T_KEYSET
, "keyset: block too small for keyset"); )
431 return (KSERR_MALFORMED
);
433 sz
= psz
- ivsz
- SEQSZ
- tagsz
;
434 pmac
= BCUR(b
); pseq
= pmac
+ tagsz
; piv
= pseq
+ SEQSZ
; ppk
= piv
+ ivsz
;
437 /* --- Verify the MAC on the packet --- */
440 h
= GM_INIT(bc
->d
[DIR_IN
].m
);
441 GH_HASH(h
, t
, sizeof(t
));
442 GH_HASH(h
, pseq
, SEQSZ
+ ivsz
+ sz
);
443 CHECK_MAC(h
, pmac
, tagsz
);
446 /* --- Decrypt the packet --- */
452 GC_DECRYPT(c
, ppk
, q
, sz
);
454 /* --- Finished --- */
461 /*----- The implicit-IV transform -----------------------------------------*
463 * The v0 transform makes everything explicit. There's an IV because the
464 * cipher needs an IV; there's a sequence number because replay prevention
465 * needs a sequence number.
467 * This new transform works rather differently. We make use of a block
468 * cipher to encrypt the sequence number, and use that as the IV. We
469 * transmit the sequence number in the clear, as before. This reduces
470 * overhead; and it's not a significant privacy leak because the adversary
471 * can see the order in which the messages are transmitted -- i.e., the
472 * sequence numbers are almost completely predictable anyway.
474 * So, a MAC is computed over
476 * +------+ +------+------...------+
477 * | type | | seq | ciphertext |
478 * +------+ +------+------...------+
481 * and we actually transmit the following as the cryptogram.
483 * +---...---+------+------...------+
484 * | tag | seq | ciphertext |
485 * +---...---+------+------...------+
489 typedef struct iiv_algs
{
492 const gccipher
*b
; size_t bksz
;
495 typedef struct iiv_ctx
{
505 static bulkalgs
*iiv_getalgs(const algswitch
*asw
, dstr
*e
,
506 key_file
*kf
, key
*k
)
508 iiv_algs
*a
= CREATE(iiv_algs
);
509 dstr d
= DSTR_INIT
, dd
= DSTR_INIT
;
513 if (gencomp_getalgs(&a
->ga
, asw
, e
, kf
, k
)) goto fail
;
515 if ((p
= key_getattr(kf
, k
, "blkc")) == 0) {
516 dstr_puts(&dd
, a
->ga
.c
->name
);
517 if ((q
= strrchr(dd
.buf
, '-')) != 0) *q
= 0;
520 dstr_putf(&d
, "%s-ecb", p
);
521 if ((a
->b
= gcipher_byname(d
.buf
)) == 0) {
522 a_format(e
, "unknown-blkc", "%s", p
, A_END
);
526 dstr_destroy(&d
); dstr_destroy(&dd
);
529 dstr_destroy(&d
); dstr_destroy(&dd
);
535 static void iiv_tracealgs(const bulkalgs
*aa
)
537 const iiv_algs
*a
= (const iiv_algs
*)aa
;
539 gencomp_tracealgs(&a
->ga
);
540 trace(T_CRYPTO
, "crypto: blkc = %.*s", strlen(a
->b
->name
) - 4, a
->b
->name
);
544 static int iiv_checkalgs(bulkalgs
*aa
, const algswitch
*asw
, dstr
*e
)
546 iiv_algs
*a
= (iiv_algs
*)aa
;
548 if (gencomp_checkalgs(&a
->ga
, asw
, e
)) return (-1);
550 if ((a
->bksz
= keysz(asw
->hashsz
, a
->b
->keysz
)) == 0) {
551 a_format(e
, "blkc", "%.*s", strlen(a
->b
->name
) - 4, a
->b
->name
,
552 "no-key-size", "%lu", (unsigned long)asw
->hashsz
,
556 if (a
->b
->blksz
< a
->ga
.c
->blksz
) {
557 a_format(e
, "blkc", "%.*s", strlen(a
->b
->name
) - 4, a
->b
->name
,
558 "blksz-insufficient", A_END
);
564 static int iiv_samealgsp(const bulkalgs
*aa
, const bulkalgs
*bb
)
566 const iiv_algs
*a
= (const iiv_algs
*)aa
, *b
= (const iiv_algs
*)bb
;
567 return (gencomp_samealgsp(&a
->ga
, &b
->ga
) && a
->b
== b
->b
);
570 static void iiv_alginfo(const bulkalgs
*aa
, admin
*adm
)
572 const iiv_algs
*a
= (const iiv_algs
*)aa
;
573 gencomp_alginfo(&a
->ga
, adm
);
575 "blkc=%.*s", strlen(a
->b
->name
) - 4, a
->b
->name
,
576 "blkc-keysz=%lu", (unsigned long)a
->bksz
,
577 "blkc-blksz=%lu", (unsigned long)a
->b
->blksz
,
581 static size_t iiv_overhead(const bulkalgs
*aa
)
582 { const iiv_algs
*a
= (const iiv_algs
*)aa
; return (a
->ga
.tagsz
+ SEQSZ
); }
584 static size_t iiv_expsz(const bulkalgs
*aa
)
586 const iiv_algs
*a
= (const iiv_algs
*)aa
;
587 return (gencomp_expsz(&a
->ga
));
590 static bulkctx
*iiv_genkeys(const bulkalgs
*aa
, const struct rawkey
*rk
)
592 const iiv_algs
*a
= (const iiv_algs
*)aa
;
593 iiv_ctx
*bc
= CREATE(iiv_ctx
);
597 bc
->tagsz
= a
->ga
.tagsz
;
598 for (i
= 0; i
< NDIR
; i
++) {
599 ks_derivekey(k
, a
->ga
.cksz
, rk
, i
, "encryption");
600 bc
->d
[i
].c
= GC_INIT(a
->ga
.c
, k
, a
->ga
.cksz
);
601 ks_derivekey(k
, a
->bksz
, rk
, i
, "blkc");
602 bc
->d
[i
].b
= GC_INIT(a
->b
, k
, a
->bksz
);
603 ks_derivekey(k
, a
->ga
.mksz
, rk
, i
, "integrity");
604 bc
->d
[i
].m
= GM_KEY(a
->ga
.m
, k
, a
->ga
.mksz
);
609 static bulkchal
*iiv_genchal(const bulkalgs
*aa
)
611 const iiv_algs
*a
= (const iiv_algs
*)aa
;
612 return (gencomp_genchal(&a
->ga
));
614 #define iiv_chaltag gencomp_chaltag
615 #define iiv_chalvrf gencomp_chalvrf
616 #define iiv_freechal gencomp_freechal
618 static void iiv_freealgs(bulkalgs
*aa
)
619 { iiv_algs
*a
= (iiv_algs
*)aa
; DESTROY(a
); }
621 static void iiv_freectx(bulkctx
*bbc
)
623 iiv_ctx
*bc
= (iiv_ctx
*)bbc
;
626 for (i
= 0; i
< NDIR
; i
++) {
627 GC_DESTROY(bc
->d
[i
].c
);
628 GC_DESTROY(bc
->d
[i
].b
);
629 GM_DESTROY(bc
->d
[i
].m
);
634 #define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, { \
635 trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz)); \
638 static int iiv_encrypt(bulkctx
*bbc
, unsigned ty
,
639 buf
*b
, buf
*bb
, uint32 seq
)
641 iiv_ctx
*bc
= (iiv_ctx
*)bbc
;
643 gcipher
*c
= bc
->d
[DIR_OUT
].c
, *blkc
= bc
->d
[DIR_OUT
].b
;
644 const octet
*p
= BCUR(b
);
645 size_t sz
= BLEFT(b
);
646 octet
*qmac
, *qseq
, *qpk
;
647 size_t ivsz
= GC_CLASS(c
)->blksz
, blkcsz
= GC_CLASS(blkc
)->blksz
;
648 size_t tagsz
= bc
->tagsz
;
651 /* --- Determine the ciphertext layout --- */
653 if (buf_ensure(bb
, tagsz
+ SEQSZ
+ sz
)) return (0);
654 qmac
= BCUR(bb
); qseq
= qmac
+ tagsz
; qpk
= qseq
+ SEQSZ
;
655 BSTEP(bb
, tagsz
+ SEQSZ
+ sz
);
657 /* --- Store the type --- *
659 * This isn't transmitted, but it's covered by the MAC.
664 /* --- Store the sequence number --- */
668 /* --- Establish an initialization vector if necessary --- */
671 memset(buf_u
, 0, blkcsz
- SEQSZ
);
672 memcpy(buf_u
+ blkcsz
- SEQSZ
, qseq
, SEQSZ
);
673 TRACE_PRESEQ(buf_u
, ivsz
);
674 GC_ENCRYPT(blkc
, buf_u
, buf_u
, blkcsz
);
676 TRACE_IV(buf_u
, ivsz
);
679 /* --- Encrypt the packet --- */
681 GC_ENCRYPT(c
, p
, qpk
, sz
);
684 /* --- Compute a MAC over type, sequence number, and ciphertext --- */
687 h
= GM_INIT(bc
->d
[DIR_OUT
].m
);
688 GH_HASH(h
, t
, sizeof(t
));
689 GH_HASH(h
, qseq
, SEQSZ
+ sz
);
690 memcpy(qmac
, GH_DONE(h
, 0), tagsz
);
692 TRACE_MAC(qmac
, tagsz
);
695 /* --- We're done --- */
700 static int iiv_decrypt(bulkctx
*bbc
, unsigned ty
,
701 buf
*b
, buf
*bb
, uint32
*seq
)
703 iiv_ctx
*bc
= (iiv_ctx
*)bbc
;
704 const octet
*pmac
, *pseq
, *ppk
;
705 size_t psz
= BLEFT(b
);
709 gcipher
*c
= bc
->d
[DIR_IN
].c
, *blkc
= bc
->d
[DIR_IN
].b
;
710 size_t ivsz
= GC_CLASS(c
)->blksz
, blkcsz
= GC_CLASS(blkc
)->blksz
;
711 size_t tagsz
= bc
->tagsz
;
714 /* --- Break up the packet into its components --- */
716 if (psz
< SEQSZ
+ tagsz
) {
717 T( trace(T_KEYSET
, "keyset: block too small for keyset"); )
718 return (KSERR_MALFORMED
);
720 sz
= psz
- SEQSZ
- tagsz
;
721 pmac
= BCUR(b
); pseq
= pmac
+ tagsz
; ppk
= pseq
+ SEQSZ
;
724 /* --- Verify the MAC on the packet --- */
727 h
= GM_INIT(bc
->d
[DIR_IN
].m
);
728 GH_HASH(h
, t
, sizeof(t
));
729 GH_HASH(h
, pseq
, SEQSZ
+ sz
);
730 CHECK_MAC(h
, pmac
, tagsz
);
733 /* --- Decrypt the packet --- */
736 memset(buf_u
, 0, blkcsz
- SEQSZ
);
737 memcpy(buf_u
+ blkcsz
- SEQSZ
, pseq
, SEQSZ
);
738 TRACE_PRESEQ(buf_u
, ivsz
);
739 GC_ENCRYPT(blkc
, buf_u
, buf_u
, blkcsz
);
741 TRACE_IV(buf_u
, ivsz
);
743 GC_DECRYPT(c
, ppk
, q
, sz
);
745 /* --- Finished --- */
752 /*----- Bulk crypto transform table ---------------------------------------*/
754 const bulkops bulktab
[] = {
758 #define BULK(name, pre) \
759 { name, pre##_getalgs, T( pre##_tracealgs COMMA ) \
760 pre##_checkalgs, pre##_samealgsp, \
761 pre##_alginfo, pre##_overhead, pre##_expsz, \
762 pre##_genkeys, pre##_genchal, pre##_freealgs, \
763 pre##_encrypt, pre##_decrypt, pre##_freectx, \
764 pre##_chaltag, pre##_chalvrf, pre##_freechal }
773 /*----- That's all, folks -------------------------------------------------*/