authorJack Lloyd <[email protected]>2016-11-10 22:06:52 -0500
committerJack Lloyd <[email protected]>2016-11-10 22:06:52 -0500
commit618f890fd7ede74c728612ca8bc590c72ee353f1 (patch)
tree3ac9016fe603525f04c194e8be9aa6152a049c40 /src/lib/modes/aead
parentb7ae8043e963467eb222a44f48d66a1df36d9371 (diff)
parent06b44d8ed339b3a467f10a326fd209b0b9496060 (diff)
Merge GH #552 Add Cipher_Mode::reset, better AEAD tests
Diffstat (limited to 'src/lib/modes/aead')
-rw-r--r--src/lib/modes/aead/ccm/ccm.cpp9
-rw-r--r--src/lib/modes/aead/ccm/ccm.h3
-rw-r--r--src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp7
-rw-r--r--src/lib/modes/aead/chacha20poly1305/chacha20poly1305.h4
-rw-r--r--src/lib/modes/aead/eax/eax.cpp32
-rw-r--r--src/lib/modes/aead/eax/eax.h6
-rw-r--r--src/lib/modes/aead/gcm/gcm.cpp17
-rw-r--r--src/lib/modes/aead/gcm/gcm.h5
-rw-r--r--src/lib/modes/aead/ocb/ocb.cpp12
-rw-r--r--src/lib/modes/aead/ocb/ocb.h3
-rw-r--r--src/lib/modes/aead/siv/siv.cpp9
-rw-r--r--src/lib/modes/aead/siv/siv.h3
12 files changed, 96 insertions, 14 deletions
diff --git a/src/lib/modes/aead/ccm/ccm.cpp b/src/lib/modes/aead/ccm/ccm.cpp
index 81b9f4943..de639f23a 100644
--- a/src/lib/modes/aead/ccm/ccm.cpp
+++ b/src/lib/modes/aead/ccm/ccm.cpp
@@ -1,6 +1,7 @@
/*
* CCM Mode Encryption
* (C) 2013 Jack Lloyd
+* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -33,7 +34,13 @@ CCM_Mode::CCM_Mode(BlockCipher* cipher, size_t tag_size, size_t L) :
void CCM_Mode::clear()
{
- m_cipher.reset();
+ m_cipher->clear();
+ reset();
+ }
+
+void CCM_Mode::reset()
+ {
+ m_nonce.clear();
m_msg_buf.clear();
m_ad_buf.clear();
}
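Review bot: The new `m_nonce.clear()` in CCM_Mode::reset() (like the existing `m_msg_buf.clear()` / `m_ad_buf.clear()` it joins) destroys the elements but keeps the allocation, and as far as I can tell the secure_vector allocator only wipes memory on deallocation, so the old nonce and any buffered plaintext remain readable in the vector's storage until it is destroyed or regrown. If clear()/reset() are meant to scrub per-message state, `zeroise(m_nonce); m_nonce.clear();` (or the project's `zap()` helper, if it is available here) would match what gcm.cpp and ocb.cpp do with `zeroise` on their fixed-size buffers. The same applies to the other `.clear()` calls this merge adds: chacha20poly1305.cpp (`m_ad`), eax.cpp (where `zeroise(m_ad_mac)` and `zeroise(m_nonce_mac)` were replaced by `.clear()`), gcm.cpp (`m_nonce`), ocb.cpp (`m_last_nonce`, `m_stretch`) and siv.cpp (`m_nonce`). If these members are not secure_vectors the point is moot, but the types are not visible in the hunks.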
diff --git a/src/lib/modes/aead/ccm/ccm.h b/src/lib/modes/aead/ccm/ccm.h
index 7484b500a..2a17595e7 100644
--- a/src/lib/modes/aead/ccm/ccm.h
+++ b/src/lib/modes/aead/ccm/ccm.h
@@ -1,6 +1,7 @@
/*
* CCM Mode
* (C) 2013 Jack Lloyd
+* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -38,6 +39,8 @@ class BOTAN_DLL CCM_Mode : public AEAD_Mode
void clear() override;
+ void reset() override;
+
size_t tag_size() const override { return m_tag_size; }
protected:
diff --git a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
index d2f16c225..197d6f921 100644
--- a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
+++ b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
@@ -1,6 +1,7 @@
/*
* ChaCha20Poly1305 AEAD
* (C) 2014,2016 Jack Lloyd
+* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -26,8 +27,14 @@ void ChaCha20Poly1305_Mode::clear()
{
m_chacha->clear();
m_poly1305->clear();
+ reset();
+ }
+
+void ChaCha20Poly1305_Mode::reset()
+ {
m_ad.clear();
m_ctext_len = 0;
+ m_nonce_len = 0;
}
void ChaCha20Poly1305_Mode::key_schedule(const byte key[], size_t length)
diff --git a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.h b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.h
index 553508854..f58bd48ac 100644
--- a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.h
+++ b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.h
@@ -1,6 +1,7 @@
/*
* ChaCha20Poly1305 AEAD
* (C) 2014 Jack Lloyd
+* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -37,6 +38,9 @@ class BOTAN_DLL ChaCha20Poly1305_Mode : public AEAD_Mode
size_t tag_size() const override { return 16; }
void clear() override;
+
+ void reset() override;
+
protected:
std::unique_ptr<StreamCipher> m_chacha;
std::unique_ptr<MessageAuthenticationCode> m_poly1305;
diff --git a/src/lib/modes/aead/eax/eax.cpp b/src/lib/modes/aead/eax/eax.cpp
index c76f15b48..ba52efcfd 100644
--- a/src/lib/modes/aead/eax/eax.cpp
+++ b/src/lib/modes/aead/eax/eax.cpp
@@ -1,6 +1,7 @@
/*
* EAX Mode Encryption
* (C) 1999-2007 Jack Lloyd
+* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -22,7 +23,9 @@ secure_vector<byte> eax_prf(byte tag, size_t block_size,
const byte in[], size_t length)
{
for(size_t i = 0; i != block_size - 1; ++i)
+ {
mac.update(0);
+ }
mac.update(tag);
mac.update(in, length);
return mac.final();
@@ -45,11 +48,16 @@ EAX_Mode::EAX_Mode(BlockCipher* cipher, size_t tag_size) :
void EAX_Mode::clear()
{
- m_cipher.reset();
- m_ctr.reset();
- m_cmac.reset();
- zeroise(m_ad_mac);
- zeroise(m_nonce_mac);
+ m_cipher->clear();
+ m_ctr->clear();
+ m_cmac->clear();
+ reset();
+ }
+
+void EAX_Mode::reset()
+ {
+ m_ad_mac.clear();
+ m_nonce_mac.clear();
}
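Review bot: The new EAX_Mode::reset() drops the cached nonce and AD tags but leaves `m_cmac` untouched, so if reset() is called after update() has already fed message bytes into the MAC, the next `eax_prf(…, *m_cmac, …)` for the nonce or the lazily computed AD tag would absorb that residue and produce a wrong tag. Whether the MAC interface offers a key-preserving state reset is not visible here; the repeated eax_prf() calls over a single m_cmac in this file suggest that `final()` resets the running state while keeping the key, in which case a discarded `m_cmac->final();` in reset() would clear the residue. Otherwise the limitation should be stated on reset(), e.g. `// NOTE: m_cmac keeps any partially absorbed message bytes; reset() between update() and finish() is not supported`.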
std::string EAX_Mode::name() const
@@ -78,8 +86,6 @@ void EAX_Mode::key_schedule(const byte key[], size_t length)
*/
m_ctr->set_key(key, length);
m_cmac->set_key(key, length);
-
- m_ad_mac = eax_prf(1, block_size(), *m_cmac, nullptr, 0);
}
/*
@@ -117,6 +123,12 @@ void EAX_Encryption::finish(secure_vector<byte>& buffer, size_t offset)
secure_vector<byte> data_mac = m_cmac->final();
xor_buf(data_mac, m_nonce_mac, data_mac.size());
+
+ if(m_ad_mac.empty())
+ {
+ m_ad_mac = eax_prf(1, block_size(), *m_cmac, nullptr, 0);
+ }
+
xor_buf(data_mac, m_ad_mac, data_mac.size());
buffer += std::make_pair(data_mac.data(), tag_size());
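Review bot: The lazy AD-tag computation `if(m_ad_mac.empty()) { m_ad_mac = eax_prf(1, block_size(), *m_cmac, nullptr, 0); }` is now duplicated verbatim in EAX_Encryption::finish here and in EAX_Decryption::finish (the next hunk), while the third copy of the same eax_prf(1, …) call was just removed from key_schedule(). A small protected accessor on EAX_Mode — say `const secure_vector<byte>& ad_mac()` that does the empty-check and computation and returns `m_ad_mac` — would reduce each finish() to `xor_buf(data_mac, ad_mac(), data_mac.size());` and `mac ^= ad_mac();` and keep the two paths from drifting. It would also be the natural place to document the ordering both call sites appear to rely on: the computation runs only after `m_cmac->final()` has produced the data MAC. Both finish() bodies begin and end outside the hunks.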
@@ -149,6 +161,12 @@ void EAX_Decryption::finish(secure_vector<byte>& buffer, size_t offset)
secure_vector<byte> mac = m_cmac->final();
mac ^= m_nonce_mac;
+
+ if(m_ad_mac.empty())
+ {
+ m_ad_mac = eax_prf(1, block_size(), *m_cmac, nullptr, 0);
+ }
+
mac ^= m_ad_mac;
if(!same_mem(mac.data(), included_tag, tag_size()))
diff --git a/src/lib/modes/aead/eax/eax.h b/src/lib/modes/aead/eax/eax.h
index 0dedefe07..c0b6bcf42 100644
--- a/src/lib/modes/aead/eax/eax.h
+++ b/src/lib/modes/aead/eax/eax.h
@@ -1,6 +1,7 @@
/*
* EAX Mode
* (C) 1999-2007,2013 Jack Lloyd
+* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -35,6 +36,9 @@ class BOTAN_DLL EAX_Mode : public AEAD_Mode
size_t tag_size() const override { return m_tag_size; }
void clear() override;
+
+ void reset() override;
+
protected:
/**
* @param cipher the cipher to use
@@ -97,7 +101,7 @@ class BOTAN_DLL EAX_Decryption final : public EAX_Mode
size_t output_length(size_t input_length) const override
{
- BOTAN_ASSERT(input_length > tag_size(), "Sufficient input");
+ BOTAN_ASSERT(input_length >= tag_size(), "Sufficient input");
return input_length - tag_size();
}
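Review bot: The relaxed condition `input_length >= tag_size()` is right (an empty plaintext yields a ciphertext of exactly tag_size() bytes), but a too-short ciphertext is a condition controlled by whoever supplies the ciphertext, not an internal invariant, so BOTAN_ASSERT is the wrong mechanism here. A regular, catchable error such as `if(input_length < tag_size()) throw Invalid_Argument("EAX ciphertext shorter than tag");` lets callers distinguish malformed input from a library bug. If the other decryption modes' output_length() carry the same `>` check that this hunk fixes (not visible in this diff), they need the same relaxation. The enclosing EAX_Decryption class continues outside the hunk.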
diff --git a/src/lib/modes/aead/gcm/gcm.cpp b/src/lib/modes/aead/gcm/gcm.cpp
index a73e5ee5b..e0bc59a8d 100644
--- a/src/lib/modes/aead/gcm/gcm.cpp
+++ b/src/lib/modes/aead/gcm/gcm.cpp
@@ -1,6 +1,7 @@
/*
* GCM Mode Encryption
* (C) 2013,2015 Jack Lloyd
+* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -150,8 +151,14 @@ secure_vector<byte> GHASH::nonce_hash(const byte nonce[], size_t nonce_len)
void GHASH::clear()
{
zeroise(m_H);
+ reset();
+ }
+
+void GHASH::reset()
+ {
zeroise(m_H_ad);
m_ghash.clear();
+ m_nonce.clear();
m_text_len = m_ad_len = 0;
}
@@ -177,11 +184,17 @@ void GCM_Mode::clear()
{
m_ctr->clear();
m_ghash->clear();
+ reset();
+ }
+
+void GCM_Mode::reset()
+ {
+ m_ghash->reset();
}
std::string GCM_Mode::name() const
{
- return (m_cipher_name + "/GCM");
+ return (m_cipher_name + "/GCM(" + std::to_string(tag_size()) + ")");
}
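Review bot: `GCM_Mode::name()` now always returns the parameterized form `…/GCM(16)`, a user-visible change unrelated to the reset() work in this merge, and anything that compares or looks the mode up by the old `…/GCM` spelling (tests, name-based construction) will break unless the parser accepts the new form. If the intent is only to surface non-default tag sizes, `return m_cipher_name + (tag_size() == 16 ? std::string("/GCM") : "/GCM(" + std::to_string(tag_size()) + ")");` keeps the common case unchanged; otherwise the change deserves a mention in the commit message. Separately, the new GCM_Mode::reset() only forwards to `m_ghash->reset()` and leaves `m_ctr` alone, which is fine as long as start_msg() re-seeds the counter before any cipher call — that code is outside the hunk so I cannot confirm it.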
std::string GCM_Mode::provider() const
@@ -294,7 +307,7 @@ void GCM_Decryption::finish(secure_vector<byte>& buffer, size_t offset)
auto mac = m_ghash->final();
- const byte* included_tag = &buffer[remaining];
+ const byte* included_tag = &buffer[remaining+offset];
if(!same_mem(mac.data(), included_tag, tag_size()))
throw Integrity_Failure("GCM tag check failed");
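Review bot: `&buffer[remaining+offset]` corrects the tag location for in-place buffers with a non-zero offset, but `remaining` and any check that `buffer.size() >= offset + tag_size()` are computed before this hunk, so I cannot confirm the subscript is guarded; on an undersized ciphertext an unchecked subscript would read out of bounds instead of failing the tag check. If no guard exists, `BOTAN_ASSERT(buffer.size() >= offset + tag_size(), "Have the tag");` (or a catchable exception, since the length is caller-supplied) before the subscript closes it. A decryption test that passes a non-zero offset would pin this fix; if the test additions in this merge already cover it, nothing more is needed. GCM_Decryption::finish begins outside the hunk.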
diff --git a/src/lib/modes/aead/gcm/gcm.h b/src/lib/modes/aead/gcm/gcm.h
index 6468cbd9c..463e69a3b 100644
--- a/src/lib/modes/aead/gcm/gcm.h
+++ b/src/lib/modes/aead/gcm/gcm.h
@@ -1,6 +1,7 @@
/*
* GCM Mode
* (C) 2013 Jack Lloyd
+* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -37,6 +38,8 @@ class BOTAN_DLL GCM_Mode : public AEAD_Mode
void clear() override;
+ void reset() override;
+
std::string provider() const override;
protected:
GCM_Mode(BlockCipher* cipher, size_t tag_size);
@@ -128,6 +131,8 @@ class BOTAN_DLL GHASH : public SymmetricAlgorithm
void clear() override;
+ void reset();
+
std::string name() const override { return "GHASH"; }
protected:
void ghash_update(secure_vector<byte>& x,
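Review bot: `void reset();` on GHASH is new public API on a BOTAN_DLL class and, unlike the Cipher_Mode `reset() override`s elsewhere in this merge, inherits no documented contract from a base class (it has no `override`, so presumably SymmetricAlgorithm declares none), yet it carries no doc comment. Its body in gcm.cpp zeroises `m_H_ad`, clears `m_ghash` and `m_nonce` and resets the length counters, while `m_H` is only wiped by clear(); propose adding above the declaration: `/** Reset per-message state (nonce, running hash, AD hash, lengths). The key-derived H table is kept; use clear() to wipe it. */`. The enclosing GHASH class continues outside the hunk.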
diff --git a/src/lib/modes/aead/ocb/ocb.cpp b/src/lib/modes/aead/ocb/ocb.cpp
index 0ce2b6f00..c530dda5d 100644
--- a/src/lib/modes/aead/ocb/ocb.cpp
+++ b/src/lib/modes/aead/ocb/ocb.cpp
@@ -1,6 +1,7 @@
/*
* OCB Mode
* (C) 2013 Jack Lloyd
+* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -129,12 +130,19 @@ OCB_Mode::~OCB_Mode() { /* for unique_ptr destructor */ }
void OCB_Mode::clear()
{
- m_cipher.reset();
- m_L.reset();
+ m_cipher->clear();
+ m_L.reset(); // add clear here?
+ reset();
+ }
+void OCB_Mode::reset()
+ {
+ m_block_index = 0;
zeroise(m_ad_hash);
zeroise(m_offset);
zeroise(m_checksum);
+ m_last_nonce.clear();
+ m_stretch.clear();
}
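Review bot: The comment `// add clear here?` on `m_L.reset();` leaves an open question in committed code. If `m_L` is a smart pointer to the key-derived L table, which `.reset()` suggests, destroying it in clear() is consistent with the other modes wiping key material there, provided key_schedule() recreates it before use (not visible here); the comment should state that decision, e.g. `// m_L holds only key-derived values; key_schedule() rebuilds it`, or be removed. Minor style point: the other files separate clear() and reset() with a blank line, while here `void OCB_Mode::reset()` directly follows the closing brace.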
bool OCB_Mode::valid_nonce_length(size_t length) const
diff --git a/src/lib/modes/aead/ocb/ocb.h b/src/lib/modes/aead/ocb/ocb.h
index 4daa7a81b..ce9d29f1b 100644
--- a/src/lib/modes/aead/ocb/ocb.h
+++ b/src/lib/modes/aead/ocb/ocb.h
@@ -1,6 +1,7 @@
/*
* OCB Mode
* (C) 2013,2014 Jack Lloyd
+* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -41,6 +42,8 @@ class BOTAN_DLL OCB_Mode : public AEAD_Mode
void clear() override;
+ void reset() override;
+
~OCB_Mode();
protected:
/**
diff --git a/src/lib/modes/aead/siv/siv.cpp b/src/lib/modes/aead/siv/siv.cpp
index ce20f3ada..373a2627c 100644
--- a/src/lib/modes/aead/siv/siv.cpp
+++ b/src/lib/modes/aead/siv/siv.cpp
@@ -1,6 +1,7 @@
/*
* SIV Mode Encryption
* (C) 2013 Jack Lloyd
+* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -23,7 +24,13 @@ SIV_Mode::SIV_Mode(BlockCipher* cipher) :
void SIV_Mode::clear()
{
- m_ctr.reset();
+ m_ctr->clear();
+ m_cmac->clear();
+ reset();
+ }
+
+void SIV_Mode::reset()
+ {
m_nonce.clear();
m_msg_buf.clear();
m_ad_macs.clear();
diff --git a/src/lib/modes/aead/siv/siv.h b/src/lib/modes/aead/siv/siv.h
index ca3e7df37..71990ef96 100644
--- a/src/lib/modes/aead/siv/siv.h
+++ b/src/lib/modes/aead/siv/siv.h
@@ -1,6 +1,7 @@
/*
* SIV Mode
* (C) 2013 Jack Lloyd
+* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
@@ -46,6 +47,8 @@ class BOTAN_DLL SIV_Mode : public AEAD_Mode
void clear() override;
+ void reset() override;
+
size_t tag_size() const override { return 16; }
protected: