OCB optimizations

Mostly avoiding/caching dynamic allocations. Also in speed, increment the IV from the low end which demonstrates OCB's enhanced handling of that case.
author: Jack Lloyd <[email protected]> 2019-09-28 06:41:49 -0400
committer: Jack Lloyd <[email protected]> 2019-09-28 06:47:17 -0400
commit: 455bbd7e91cbbf92c8bc7b3db1fef0e7015f2bb3 (patch)
tree: 8224c781f40d02764fa5976a1b894c36b05629ce /src/lib/modes/aead/ocb
parent: 5befd710a9ba2a40c0998c3e0a87943e4b8f829b (diff)
2 files changed, 23 insertions, 20 deletions
diff --git a/src/lib/modes/aead/ocb/ocb.cpp b/src/lib/modes/aead/ocb/ocb.cpp
index 87361ef11..6c1620329 100644
--- a/src/lib/modes/aead/ocb/ocb.cpp
+++ b/src/lib/modes/aead/ocb/ocb.cpp
@@ -237,7 +237,7 @@ void OCB_Mode::set_associated_data(const uint8_t ad[], size_t ad_len)
    m_ad_hash = ocb_hash(*m_L, *m_cipher, ad, ad_len);
    }
 
-secure_vector<uint8_t>
+const secure_vector<uint8_t>&
 OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len)
    {
    const size_t BS = block_size();
@@ -250,23 +250,24 @@ OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len)
    const uint8_t BOTTOM_MASK =
       static_cast<uint8_t>((static_cast<uint16_t>(1) << MASKLEN) - 1);
 
-   secure_vector<uint8_t> nonce_buf(BS);
+   m_nonce_buf.resize(BS);
+   clear_mem(&m_nonce_buf[0], m_nonce_buf.size());
 
-   copy_mem(&nonce_buf[BS - nonce_len], nonce, nonce_len);
-   nonce_buf[0] = static_cast<uint8_t>(((tag_size()*8) % (BS*8)) << (BS <= 16 ? 1 : 0));
+   copy_mem(&m_nonce_buf[BS - nonce_len], nonce, nonce_len);
+   m_nonce_buf[0] = static_cast<uint8_t>(((tag_size()*8) % (BS*8)) << (BS <= 16 ? 1 : 0));
 
-   nonce_buf[BS - nonce_len - 1] ^= 1;
+   m_nonce_buf[BS - nonce_len - 1] ^= 1;
 
-   const uint8_t bottom = nonce_buf[BS-1] & BOTTOM_MASK;
-   nonce_buf[BS-1] &= ~BOTTOM_MASK;
+   const uint8_t bottom = m_nonce_buf[BS-1] & BOTTOM_MASK;
+   m_nonce_buf[BS-1] &= ~BOTTOM_MASK;
 
-   const bool need_new_stretch = (m_last_nonce != nonce_buf);
+   const bool need_new_stretch = (m_last_nonce != m_nonce_buf);
 
    if(need_new_stretch)
       {
-      m_last_nonce = nonce_buf;
+      m_last_nonce = m_nonce_buf;
 
-      m_cipher->encrypt(nonce_buf);
+      m_cipher->encrypt(m_nonce_buf);
 
       /*
       The loop bounds (BS vs BS/2) are derived from the relation
@@ -291,25 +292,25 @@ OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len)
       if(BS == 16)
          {
          for(size_t i = 0; i != BS / 2; ++i)
-            nonce_buf.push_back(nonce_buf[i] ^ nonce_buf[i+1]);
+            m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+1]);
          }
       else if(BS == 24)
          {
          for(size_t i = 0; i != 16; ++i)
-            nonce_buf.push_back(nonce_buf[i] ^ nonce_buf[i+5]);
+            m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+5]);
          }
       else if(BS == 32)
          {
          for(size_t i = 0; i != BS; ++i)
-            nonce_buf.push_back(nonce_buf[i] ^ (nonce_buf[i] << 1) ^ (nonce_buf[i+1] >> 7));
+            m_nonce_buf.push_back(m_nonce_buf[i] ^ (m_nonce_buf[i] << 1) ^ (m_nonce_buf[i+1] >> 7));
          }
       else if(BS == 64)
          {
          for(size_t i = 0; i != BS / 2; ++i)
-            nonce_buf.push_back(nonce_buf[i] ^ nonce_buf[i+22]);
+            m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+22]);
          }
 
-      m_stretch = nonce_buf;
+      m_stretch = m_nonce_buf;
       }
 
    // now set the offset from stretch and bottom
@@ -318,14 +319,14 @@ OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len)
 
    BOTAN_ASSERT(m_stretch.size() >= BS + shift_bytes + 1, "Size ok");
 
-   secure_vector<uint8_t> offset(BS);
+   m_offset.resize(BS);
    for(size_t i = 0; i != BS; ++i)
       {
-      offset[i]  = (m_stretch[i+shift_bytes] << shift_bits);
-      offset[i] |= (m_stretch[i+shift_bytes+1] >> (8-shift_bits));
+      m_offset[i]  = (m_stretch[i+shift_bytes] << shift_bits);
+      m_offset[i] |= (m_stretch[i+shift_bytes+1] >> (8-shift_bits));
       }
 
-   return offset;
+   return m_offset;
    }
 
 void OCB_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
diff --git a/src/lib/modes/aead/ocb/ocb.h b/src/lib/modes/aead/ocb/ocb.h
index d38122593..4029fcda2 100644
--- a/src/lib/modes/aead/ocb/ocb.h
+++ b/src/lib/modes/aead/ocb/ocb.h
@@ -74,13 +74,15 @@ class BOTAN_PUBLIC_API(2,0) OCB_Mode : public AEAD_Mode
 
       void key_schedule(const uint8_t key[], size_t length) override;
 
-      secure_vector<uint8_t> update_nonce(const uint8_t nonce[], size_t nonce_len);
+      const secure_vector<uint8_t>& update_nonce(const uint8_t nonce[], size_t nonce_len);
 
       const size_t m_tag_size;
       const size_t m_block_size;
       const size_t m_par_blocks;
       secure_vector<uint8_t> m_last_nonce;
       secure_vector<uint8_t> m_stretch;
+      secure_vector<uint8_t> m_nonce_buf;
+      secure_vector<uint8_t> m_offset;
    };
 
 class BOTAN_PUBLIC_API(2,0) OCB_Encryption final : public OCB_Mode
author	Jack Lloyd <[email protected]>	2019-09-28 06:41:49 -0400
committer	Jack Lloyd <[email protected]>	2019-09-28 06:47:17 -0400
commit	455bbd7e91cbbf92c8bc7b3db1fef0e7015f2bb3 (patch)
tree	8224c781f40d02764fa5976a1b894c36b05629ce /src/lib/modes/aead/ocb
parent	5befd710a9ba2a40c0998c3e0a87943e4b8f829b (diff)