faaf8d71b7889536ba77cf57a8051f84a3f2e0fc
3 * Bulk crypto transformations
5 * (c) 2014 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Trivial IP Encryption (TrIPE).
12 * TrIPE is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * TrIPE is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /*----- Header files ------------------------------------------------------*/
31 /*----- Utilities ---------------------------------------------------------*/
33 #define SEQSZ 4 /* Size of sequence number packet */
35 #define TRACE_IV(qiv, ivsz) do { IF_TRACING(T_KEYSET, { \
36 trace_block(T_CRYPTO, "crypto: initialization vector", \
40 #define TRACE_CT(qpk, sz) do { IF_TRACING(T_KEYSET, { \
41 trace_block(T_CRYPTO, "crypto: encrypted packet", (qpk), (sz)); \
44 #define TRACE_MAC(qmac, tagsz) do { IF_TRACING(T_KEYSET, { \
45 trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz)); \
48 #define CHECK_MAC(h, pmac, tagsz) do { \
50 const octet *_pmac = (pmac); \
51 size_t _tagsz = (tagsz); \
52 octet *_mac = GH_DONE(_h, 0); \
53 int _eq = ct_memeq(_mac, _pmac, _tagsz); \
54 TRACE_MAC(_mac, _tagsz); \
57 IF_TRACING(T_KEYSET, { \
58 trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); \
59 trace_block(T_CRYPTO, "crypto: expected MAC", _pmac, _tagsz); \
61 return (KSERR_DECRYPT); \
65 /*----- The original transform --------------------------------------------*
67 * We generate a random initialization vector (if the cipher needs one). We
68 * encrypt the input message with the cipher, and format the type, sequence
69 * number, IV, and ciphertext as follows.
71 * +------+ +------+---...---+------...------+
72 * | type | | seq | iv | ciphertext |
73 * +------+ +------+---...---+------...------+
76 * All of this is fed into the MAC to compute a tag. The type is not
77 * transmitted: the other end knows what type of message it expects, and the
78 * type is only here to prevent us from being confused because some other
79 * kind of ciphertext has been substituted. The tag is prepended to the
80 * remainder, to yield the finished cryptogram, as follows.
82 * +---...---+------+---...---+------...------+
83 * | tag | seq | iv | ciphertext |
84 * +---...---+------+---...---+------...------+
87 * Decryption: checks the overall size, verifies the tag, then decrypts the
88 * ciphertext and extracts the sequence number.
91 static int v0_check(const algswitch
*a
, dstr
*e
)
94 static size_t v0_overhead(const algswitch
*a
)
95 { return a
->tagsz
+ SEQSZ
+ a
->c
->blksz
; }
97 static int v0_encrypt(keyset
*ks
, unsigned ty
, buf
*b
, buf
*bb
)
100 gcipher
*c
= ks
->out
.c
;
101 const octet
*p
= BCUR(b
);
102 size_t sz
= BLEFT(b
);
103 octet
*qmac
, *qseq
, *qiv
, *qpk
;
105 size_t ivsz
= GC_CLASS(c
)->blksz
;
106 size_t tagsz
= ks
->tagsz
;
109 /* --- Determine the ciphertext layout --- */
111 if (buf_ensure(bb
, tagsz
+ SEQSZ
+ ivsz
+ sz
)) return (0);
112 qmac
= BCUR(bb
); qseq
= qmac
+ tagsz
; qiv
= qseq
+ SEQSZ
; qpk
= qiv
+ ivsz
;
113 BSTEP(bb
, tagsz
+ SEQSZ
+ ivsz
+ sz
);
115 /* --- Store the type --- *
117 * This isn't transmitted, but it's covered by the MAC.
122 /* --- Store the sequence number --- */
127 /* --- Establish an initialization vector if necessary --- */
130 rand_get(RAND_GLOBAL
, qiv
, ivsz
);
135 /* --- Encrypt the packet --- */
137 GC_ENCRYPT(c
, p
, qpk
, sz
);
140 /* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */
143 h
= GM_INIT(ks
->out
.m
);
144 GH_HASH(h
, t
, sizeof(t
));
145 GH_HASH(h
, qseq
, SEQSZ
+ ivsz
+ sz
);
146 memcpy(qmac
, GH_DONE(h
, 0), tagsz
);
148 TRACE_MAC(qmac
, tagsz
);
151 /* --- We're done --- */
156 static int v0_decrypt(keyset
*ks
, unsigned ty
, buf
*b
, buf
*bb
, uint32
*seq
)
158 const octet
*pmac
, *piv
, *pseq
, *ppk
;
159 size_t psz
= BLEFT(b
);
163 gcipher
*c
= ks
->in
.c
;
164 size_t ivsz
= GC_CLASS(c
)->blksz
;
165 size_t tagsz
= ks
->tagsz
;
168 /* --- Break up the packet into its components --- */
170 if (psz
< ivsz
+ SEQSZ
+ tagsz
) {
171 T( trace(T_KEYSET
, "keyset: block too small for keyset %u", ks
->seq
); )
172 return (KSERR_MALFORMED
);
174 sz
= psz
- ivsz
- SEQSZ
- tagsz
;
175 pmac
= BCUR(b
); pseq
= pmac
+ tagsz
; piv
= pseq
+ SEQSZ
; ppk
= piv
+ ivsz
;
178 /* --- Verify the MAC on the packet --- */
181 h
= GM_INIT(ks
->in
.m
);
182 GH_HASH(h
, t
, sizeof(t
));
183 GH_HASH(h
, pseq
, SEQSZ
+ ivsz
+ sz
);
184 CHECK_MAC(h
, pmac
, tagsz
);
187 /* --- Decrypt the packet --- */
193 GC_DECRYPT(c
, ppk
, q
, sz
);
195 /* --- Finished --- */
202 /*----- Bulk crypto transform table ---------------------------------------*/
204 const bulkcrypto bulktab
[] = {
206 #define BULK(name, pre, prim) \
207 { name, prim, pre##_check, pre##_overhead, pre##_encrypt, pre##_decrypt }
209 BULK("v0", v0
, BCP_CIPHER
| BCP_MAC
),
215 /*----- That's all, folks -------------------------------------------------*/