Home | History | Annotate | Download | only in cipher
      1 /*
      2  * aes_icm.c
      3  *
      4  * AES Integer Counter Mode
      5  *
      6  * David A. McGrew
      7  * Cisco Systems, Inc.
      8  */
      9 
     10 /*
     11  *
     12  * Copyright (c) 2001-2006, Cisco Systems, Inc.
     13  * All rights reserved.
     14  *
     15  * Redistribution and use in source and binary forms, with or without
     16  * modification, are permitted provided that the following conditions
     17  * are met:
     18  *
     19  *   Redistributions of source code must retain the above copyright
     20  *   notice, this list of conditions and the following disclaimer.
     21  *
     22  *   Redistributions in binary form must reproduce the above
     23  *   copyright notice, this list of conditions and the following
     24  *   disclaimer in the documentation and/or other materials provided
     25  *   with the distribution.
     26  *
     27  *   Neither the name of the Cisco Systems, Inc. nor the names of its
     28  *   contributors may be used to endorse or promote products derived
     29  *   from this software without specific prior written permission.
     30  *
     31  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
     32  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
     33  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
     34  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
     35  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
     36  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
     37  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
     38  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     39  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     40  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     41  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
     42  * OF THE POSSIBILITY OF SUCH DAMAGE.
     43  *
     44  */
     45 
     46 
     47 #define ALIGN_32 0
     48 
     49 #include "aes_icm.h"
     50 #include "alloc.h"
     51 
     52 
     53 debug_module_t mod_aes_icm = {
     54   0,                 /* debugging is off by default */
     55   "aes icm"          /* printable module name       */
     56 };
     57 
     58 /*
     59  * integer counter mode works as follows:
     60  *
     61  * 16 bits
     62  * <----->
     63  * +------+------+------+------+------+------+------+------+
     64  * |           nonce           |    pakcet index    |  ctr |---+
     65  * +------+------+------+------+------+------+------+------+   |
     66  *                                                             |
     67  * +------+------+------+------+------+------+------+------+   v
     68  * |                      salt                      |000000|->(+)
     69  * +------+------+------+------+------+------+------+------+   |
     70  *                                                             |
     71  *                                                        +---------+
     72  *							  | encrypt |
     73  *							  +---------+
     74  *							       |
     75  * +------+------+------+------+------+------+------+------+   |
     76  * |                    keystream block                    |<--+
     77  * +------+------+------+------+------+------+------+------+
     78  *
     79  * All fields are big-endian
     80  *
     81  * ctr is the block counter, which increments from zero for
     82  * each packet (16 bits wide)
     83  *
     84  * packet index is distinct for each packet (48 bits wide)
     85  *
     86  * nonce can be distinct across many uses of the same key, or
     87  * can be a fixed value per key, or can be per-packet randomness
     88  * (64 bits)
     89  *
     90  */
     91 
     92 err_status_t
     93 aes_icm_alloc_ismacryp(cipher_t **c, int key_len, int forIsmacryp) {
     94   extern cipher_type_t aes_icm;
     95   uint8_t *pointer;
     96   int tmp;
     97 
     98   debug_print(mod_aes_icm,
     99             "allocating cipher with key length %d", key_len);
    100 
    101   /*
    102    * Ismacryp, for example, uses 16 byte key + 8 byte
    103    * salt  so this function is called with key_len = 24.
    104    * The check for key_len = 30/38/46 does not apply. Our usage
    105    * of aes functions with key_len = values other than 30
    106    * has not broken anything. Don't know what would be the
    107    * effect of skipping this check for srtp in general.
    108    */
    109   if (!(forIsmacryp && key_len > 16 && key_len < 30) &&
    110       key_len != 30 && key_len != 38 && key_len != 46)
    111     return err_status_bad_param;
    112 
    113   /* allocate memory a cipher of type aes_icm */
    114   tmp = (sizeof(aes_icm_ctx_t) + sizeof(cipher_t));
    115   pointer = (uint8_t*)crypto_alloc(tmp);
    116   if (pointer == NULL)
    117     return err_status_alloc_fail;
    118 
    119   /* set pointers */
    120   *c = (cipher_t *)pointer;
    121   (*c)->type = &aes_icm;
    122   (*c)->state = pointer + sizeof(cipher_t);
    123 
    124   /* increment ref_count */
    125   aes_icm.ref_count++;
    126 
    127   /* set key size        */
    128   (*c)->key_len = key_len;
    129 
    130   return err_status_ok;
    131 }
    132 
    133 err_status_t aes_icm_alloc(cipher_t **c, int key_len, int forIsmacryp) {
    134   return aes_icm_alloc_ismacryp(c, key_len, 0);
    135 }
    136 
    137 err_status_t
    138 aes_icm_dealloc(cipher_t *c) {
    139   extern cipher_type_t aes_icm;
    140 
    141   /* zeroize entire state*/
    142   octet_string_set_to_zero((uint8_t *)c,
    143 			   sizeof(aes_icm_ctx_t) + sizeof(cipher_t));
    144 
    145   /* free memory */
    146   crypto_free(c);
    147 
    148   /* decrement ref_count */
    149   aes_icm.ref_count--;
    150 
    151   return err_status_ok;
    152 }
    153 
    154 
    155 /*
    156  * aes_icm_context_init(...) initializes the aes_icm_context
    157  * using the value in key[].
    158  *
    159  * the key is the secret key
    160  *
    161  * the salt is unpredictable (but not necessarily secret) data which
    162  * randomizes the starting point in the keystream
    163  */
    164 
    165 err_status_t
    166 aes_icm_context_init(aes_icm_ctx_t *c, const uint8_t *key, int key_len) {
    167   err_status_t status;
    168   int base_key_len, copy_len;
    169 
    170   if (key_len > 16 && key_len < 30) /* Ismacryp */
    171     base_key_len = 16;
    172   else if (key_len == 30 || key_len == 38 || key_len == 46)
    173     base_key_len = key_len - 14;
    174   else
    175     return err_status_bad_param;
    176 
    177   /*
    178    * set counter and initial values to 'offset' value, being careful not to
    179    * go past the end of the key buffer.
    180    */
    181   v128_set_to_zero(&c->counter);
    182   v128_set_to_zero(&c->offset);
    183 
    184   /* force last two octets of the offset to be left zero
    185    * (for srtp compatibility) */
    186   copy_len = key_len - base_key_len;
    187 
    188   memcpy(&c->counter, key + base_key_len, copy_len);
    189   memcpy(&c->offset, key + base_key_len, copy_len);
    190 
    191   debug_print(mod_aes_icm,
    192 	      "key:  %s", octet_string_hex_string(key, base_key_len));
    193   debug_print(mod_aes_icm,
    194 	      "offset: %s", v128_hex_string(&c->offset));
    195 
    196   /* expand key */
    197   status = aes_expand_encryption_key(key, base_key_len, &c->expanded_key);
    198   if (status) {
    199     v128_set_to_zero(&c->counter);
    200     v128_set_to_zero(&c->offset);
    201     return status;
    202   }
    203 
    204   /* indicate that the keystream_buffer is empty */
    205   c->bytes_in_buffer = 0;
    206 
    207   return err_status_ok;
    208 }
    209 
    210 /*
    211  * aes_icm_set_octet(c, i) sets the counter of the context which it is
    212  * passed so that the next octet of keystream that will be generated
    213  * is the ith octet
    214  */
    215 
    216 err_status_t
    217 aes_icm_set_octet(aes_icm_ctx_t *c,
    218 		  uint64_t octet_num) {
    219 
    220 #ifdef NO_64BIT_MATH
    221   int tail_num       = low32(octet_num) & 0x0f;
    222   /* 64-bit right-shift 4 */
    223   uint64_t block_num = make64(high32(octet_num) >> 4,
    224 							  ((high32(octet_num) & 0x0f)<<(32-4)) |
    225 							   (low32(octet_num) >> 4));
    226 #else
    227   int tail_num       = (int)(octet_num % 16);
    228   uint64_t block_num = octet_num / 16;
    229 #endif
    230 
    231 
    232   /* set counter value */
    233   /* FIX - There's no way this is correct */
    234   c->counter.v64[0] = c->offset.v64[0];
    235 #ifdef NO_64BIT_MATH
    236   c->counter.v64[0] = make64(high32(c->offset.v64[0]) ^ high32(block_num),
    237 							 low32(c->offset.v64[0])  ^ low32(block_num));
    238 #else
    239   c->counter.v64[0] = c->offset.v64[0] ^ block_num;
    240 #endif
    241 
    242   debug_print(mod_aes_icm,
    243 	      "set_octet: %s", v128_hex_string(&c->counter));
    244 
    245   /* fill keystream buffer, if needed */
    246   if (tail_num) {
    247     v128_copy(&c->keystream_buffer, &c->counter);
    248     aes_encrypt(&c->keystream_buffer, &c->expanded_key);
    249     c->bytes_in_buffer = sizeof(v128_t);
    250 
    251     debug_print(mod_aes_icm, "counter:    %s",
    252 	      v128_hex_string(&c->counter));
    253     debug_print(mod_aes_icm, "ciphertext: %s",
    254 	      v128_hex_string(&c->keystream_buffer));
    255 
    256     /*  indicate number of bytes in keystream_buffer  */
    257     c->bytes_in_buffer = sizeof(v128_t) - tail_num;
    258 
    259   } else {
    260 
    261     /* indicate that keystream_buffer is empty */
    262     c->bytes_in_buffer = 0;
    263   }
    264 
    265   return err_status_ok;
    266 }
    267 
    268 /*
    269  * aes_icm_set_iv(c, iv) sets the counter value to the exor of iv with
    270  * the offset
    271  */
    272 
    273 err_status_t
    274 aes_icm_set_iv(aes_icm_ctx_t *c, void *iv) {
    275   v128_t *nonce = (v128_t *) iv;
    276 
    277   debug_print(mod_aes_icm,
    278 	      "setting iv: %s", v128_hex_string(nonce));
    279 
    280   v128_xor(&c->counter, &c->offset, nonce);
    281 
    282   debug_print(mod_aes_icm,
    283 	      "set_counter: %s", v128_hex_string(&c->counter));
    284 
    285   /* indicate that the keystream_buffer is empty */
    286   c->bytes_in_buffer = 0;
    287 
    288   return err_status_ok;
    289 }
    290 
    291 
    292 
    293 /*
    294  * aes_icm_advance(...) refills the keystream_buffer and
    295  * advances the block index of the sicm_context forward by one
    296  *
    297  * this is an internal, hopefully inlined function
    298  */
    299 
    300 static INLINE void
    301 aes_icm_advance_ismacryp(aes_icm_ctx_t *c, uint8_t forIsmacryp) {
    302   /* fill buffer with new keystream */
    303   v128_copy(&c->keystream_buffer, &c->counter);
    304   aes_encrypt(&c->keystream_buffer, &c->expanded_key);
    305   c->bytes_in_buffer = sizeof(v128_t);
    306 
    307   debug_print(mod_aes_icm, "counter:    %s",
    308 	      v128_hex_string(&c->counter));
    309   debug_print(mod_aes_icm, "ciphertext: %s",
    310 	      v128_hex_string(&c->keystream_buffer));
    311 
    312   /* clock counter forward */
    313 
    314   if (forIsmacryp) {
    315     uint32_t temp;
    316     //alex's clock counter forward
    317     temp = ntohl(c->counter.v32[3]);
    318     c->counter.v32[3] = htonl(++temp);
    319   } else {
    320     if (!++(c->counter.v8[15]))
    321       ++(c->counter.v8[14]);
    322   }
    323 }
    324 
    325 static INLINE void aes_icm_advance(aes_icm_ctx_t *c) {
    326   aes_icm_advance_ismacryp(c, 0);
    327 }
    328 
    329 
    330 /*e
    331  * icm_encrypt deals with the following cases:
    332  *
    333  * bytes_to_encr < bytes_in_buffer
    334  *  - add keystream into data
    335  *
    336  * bytes_to_encr > bytes_in_buffer
    337  *  - add keystream into data until keystream_buffer is depleted
    338  *  - loop over blocks, filling keystream_buffer and then
    339  *    adding keystream into data
    340  *  - fill buffer then add in remaining (< 16) bytes of keystream
    341  */
    342 
    343 err_status_t
    344 aes_icm_encrypt_ismacryp(aes_icm_ctx_t *c,
    345               unsigned char *buf, unsigned int *enc_len,
    346               int forIsmacryp) {
    347   unsigned int bytes_to_encr = *enc_len;
    348   unsigned int i;
    349   uint32_t *b;
    350 
    351   /* check that there's enough segment left but not for ismacryp*/
    352   if (!forIsmacryp && (bytes_to_encr + htons(c->counter.v16[7])) > 0xffff)
    353     return err_status_terminus;
    354 
    355  debug_print(mod_aes_icm, "block index: %d",
    356            htons(c->counter.v16[7]));
    357   if (bytes_to_encr <= (unsigned int)c->bytes_in_buffer) {
    358 
    359     /* deal with odd case of small bytes_to_encr */
    360     for (i = (sizeof(v128_t) - c->bytes_in_buffer);
    361 		 i < (sizeof(v128_t) - c->bytes_in_buffer + bytes_to_encr); i++)
    362 	{
    363       *buf++ ^= c->keystream_buffer.v8[i];
    364 	}
    365 
    366     c->bytes_in_buffer -= bytes_to_encr;
    367 
    368     /* return now to avoid the main loop */
    369     return err_status_ok;
    370 
    371   } else {
    372 
    373     /* encrypt bytes until the remaining data is 16-byte aligned */
    374     for (i=(sizeof(v128_t) - c->bytes_in_buffer); i < sizeof(v128_t); i++)
    375       *buf++ ^= c->keystream_buffer.v8[i];
    376 
    377     bytes_to_encr -= c->bytes_in_buffer;
    378     c->bytes_in_buffer = 0;
    379 
    380   }
    381 
    382   /* now loop over entire 16-byte blocks of keystream */
    383   for (i=0; i < (bytes_to_encr/sizeof(v128_t)); i++) {
    384 
    385     /* fill buffer with new keystream */
    386     aes_icm_advance_ismacryp(c, forIsmacryp);
    387 
    388     /*
    389      * add keystream into the data buffer (this would be a lot faster
    390      * if we could assume 32-bit alignment!)
    391      */
    392 
    393 #if ALIGN_32
    394     b = (uint32_t *)buf;
    395     *b++ ^= c->keystream_buffer.v32[0];
    396     *b++ ^= c->keystream_buffer.v32[1];
    397     *b++ ^= c->keystream_buffer.v32[2];
    398     *b++ ^= c->keystream_buffer.v32[3];
    399     buf = (uint8_t *)b;
    400 #else
    401     if ((((unsigned long) buf) & 0x03) != 0) {
    402       *buf++ ^= c->keystream_buffer.v8[0];
    403       *buf++ ^= c->keystream_buffer.v8[1];
    404       *buf++ ^= c->keystream_buffer.v8[2];
    405       *buf++ ^= c->keystream_buffer.v8[3];
    406       *buf++ ^= c->keystream_buffer.v8[4];
    407       *buf++ ^= c->keystream_buffer.v8[5];
    408       *buf++ ^= c->keystream_buffer.v8[6];
    409       *buf++ ^= c->keystream_buffer.v8[7];
    410       *buf++ ^= c->keystream_buffer.v8[8];
    411       *buf++ ^= c->keystream_buffer.v8[9];
    412       *buf++ ^= c->keystream_buffer.v8[10];
    413       *buf++ ^= c->keystream_buffer.v8[11];
    414       *buf++ ^= c->keystream_buffer.v8[12];
    415       *buf++ ^= c->keystream_buffer.v8[13];
    416       *buf++ ^= c->keystream_buffer.v8[14];
    417       *buf++ ^= c->keystream_buffer.v8[15];
    418     } else {
    419       b = (uint32_t *)buf;
    420       *b++ ^= c->keystream_buffer.v32[0];
    421       *b++ ^= c->keystream_buffer.v32[1];
    422       *b++ ^= c->keystream_buffer.v32[2];
    423       *b++ ^= c->keystream_buffer.v32[3];
    424       buf = (uint8_t *)b;
    425     }
    426 #endif /* #if ALIGN_32 */
    427 
    428   }
    429 
    430   /* if there is a tail end of the data, process it */
    431   if ((bytes_to_encr & 0xf) != 0) {
    432 
    433     /* fill buffer with new keystream */
    434     aes_icm_advance_ismacryp(c, forIsmacryp);
    435 
    436     for (i=0; i < (bytes_to_encr & 0xf); i++)
    437       *buf++ ^= c->keystream_buffer.v8[i];
    438 
    439     /* reset the keystream buffer size to right value */
    440     c->bytes_in_buffer = sizeof(v128_t) - i;
    441   } else {
    442 
    443     /* no tail, so just reset the keystream buffer size to zero */
    444     c->bytes_in_buffer = 0;
    445 
    446   }
    447 
    448   return err_status_ok;
    449 }
    450 
    451 err_status_t
    452 aes_icm_encrypt(aes_icm_ctx_t *c, unsigned char *buf, unsigned int *enc_len) {
    453   return aes_icm_encrypt_ismacryp(c, buf, enc_len, 0);
    454 }
    455 
    456 err_status_t
    457 aes_icm_output(aes_icm_ctx_t *c, uint8_t *buffer, int num_octets_to_output) {
    458   unsigned int len = num_octets_to_output;
    459 
    460   /* zeroize the buffer */
    461   octet_string_set_to_zero(buffer, num_octets_to_output);
    462 
    463   /* exor keystream into buffer */
    464   return aes_icm_encrypt(c, buffer, &len);
    465 }
    466 
    467 
    468 char
    469 aes_icm_description[] = "aes integer counter mode";
    470 
    471 uint8_t aes_icm_test_case_0_key[30] = {
    472   0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
    473   0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
    474   0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
    475   0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd
    476 };
    477 
    478 uint8_t aes_icm_test_case_0_nonce[16] = {
    479   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    480   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    481 };
    482 
    483 uint8_t aes_icm_test_case_0_plaintext[32] =  {
    484   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    485   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    486   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    487   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    488 };
    489 
    490 uint8_t aes_icm_test_case_0_ciphertext[32] = {
    491   0xe0, 0x3e, 0xad, 0x09, 0x35, 0xc9, 0x5e, 0x80,
    492   0xe1, 0x66, 0xb1, 0x6d, 0xd9, 0x2b, 0x4e, 0xb4,
    493   0xd2, 0x35, 0x13, 0x16, 0x2b, 0x02, 0xd0, 0xf7,
    494   0x2a, 0x43, 0xa2, 0xfe, 0x4a, 0x5f, 0x97, 0xab
    495 };
    496 
    497 cipher_test_case_t aes_icm_test_case_0 = {
    498   30,                                    /* octets in key            */
    499   aes_icm_test_case_0_key,               /* key                      */
    500   aes_icm_test_case_0_nonce,             /* packet index             */
    501   32,                                    /* octets in plaintext      */
    502   aes_icm_test_case_0_plaintext,         /* plaintext                */
    503   32,                                    /* octets in ciphertext     */
    504   aes_icm_test_case_0_ciphertext,        /* ciphertext               */
    505   NULL                                   /* pointer to next testcase */
    506 };
    507 
    508 uint8_t aes_icm_test_case_1_key[46] = {
    509   0x57, 0xf8, 0x2f, 0xe3, 0x61, 0x3f, 0xd1, 0x70,
    510   0xa8, 0x5e, 0xc9, 0x3c, 0x40, 0xb1, 0xf0, 0x92,
    511   0x2e, 0xc4, 0xcb, 0x0d, 0xc0, 0x25, 0xb5, 0x82,
    512   0x72, 0x14, 0x7c, 0xc4, 0x38, 0x94, 0x4a, 0x98,
    513   0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
    514   0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd
    515 };
    516 
    517 uint8_t aes_icm_test_case_1_nonce[16] = {
    518   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    519   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    520 };
    521 
    522 uint8_t aes_icm_test_case_1_plaintext[32] =  {
    523   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    524   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    525   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    526   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    527 };
    528 
    529 uint8_t aes_icm_test_case_1_ciphertext[32] = {
    530   0x92, 0xbd, 0xd2, 0x8a, 0x93, 0xc3, 0xf5, 0x25,
    531   0x11, 0xc6, 0x77, 0xd0, 0x8b, 0x55, 0x15, 0xa4,
    532   0x9d, 0xa7, 0x1b, 0x23, 0x78, 0xa8, 0x54, 0xf6,
    533   0x70, 0x50, 0x75, 0x6d, 0xed, 0x16, 0x5b, 0xac
    534 };
    535 
    536 cipher_test_case_t aes_icm_test_case_1 = {
    537   46,                                    /* octets in key            */
    538   aes_icm_test_case_1_key,               /* key                      */
    539   aes_icm_test_case_1_nonce,             /* packet index             */
    540   32,                                    /* octets in plaintext      */
    541   aes_icm_test_case_1_plaintext,         /* plaintext                */
    542   32,                                    /* octets in ciphertext     */
    543   aes_icm_test_case_1_ciphertext,        /* ciphertext               */
    544   &aes_icm_test_case_0                   /* pointer to next testcase */
    545 };
    546 
    547 
    548 
    549 /*
    550  * note: the encrypt function is identical to the decrypt function
    551  */
    552 
    553 cipher_type_t aes_icm = {
    554   (cipher_alloc_func_t)          aes_icm_alloc,
    555   (cipher_dealloc_func_t)        aes_icm_dealloc,
    556   (cipher_init_func_t)           aes_icm_context_init,
    557   (cipher_encrypt_func_t)        aes_icm_encrypt,
    558   (cipher_decrypt_func_t)        aes_icm_encrypt,
    559   (cipher_set_iv_func_t)         aes_icm_set_iv,
    560   (char *)                       aes_icm_description,
    561   (int)                          0,   /* instance count */
    562   (cipher_test_case_t *)        &aes_icm_test_case_1,
    563   (debug_module_t *)            &mod_aes_icm,
    564   (cipher_type_id_t)             AES_ICM
    565 };
    566 
    567