Improve polynomial doubling code, move to util

Now does 64-bits at a time instead of 8 bits, and avoids conditional timing channel on the XOR carry. Confirmed that at least GCC 7 and Clang 4 on x86-64 compile the functions without conditional jumps. Also removes CMAC as a dependency of OCB, which only needed it in order to call CMAC::poly_double
author: Jack Lloyd <[email protected]> 2017-08-15 14:34:06 -0400
committer: Jack Lloyd <[email protected]> 2017-08-15 14:34:06 -0400
commit: 2266362024009f0364a07dd1bcff5115180f40a7 (patch)
tree: 18804ff157bab625de6c095099f74971e529b566 /src/lib/modes
parent: ba2c6c7b020497178776b4574ed329586f97c211 (diff)
3 files changed, 8 insertions, 9 deletions
diff --git a/src/lib/modes/aead/ocb/info.txt b/src/lib/modes/aead/ocb/info.txt
index 738d7c20e..ab4c5297e 100644
--- a/src/lib/modes/aead/ocb/info.txt
+++ b/src/lib/modes/aead/ocb/info.txt
@@ -1,7 +1,3 @@
 <defines>
 AEAD_OCB -> 20131128
 </defines>
-
-<requires>
-cmac
-</requires>
diff --git a/src/lib/modes/aead/ocb/ocb.cpp b/src/lib/modes/aead/ocb/ocb.cpp
index e1fae911b..42118c25c 100644
--- a/src/lib/modes/aead/ocb/ocb.cpp
+++ b/src/lib/modes/aead/ocb/ocb.cpp
@@ -7,7 +7,7 @@
 */
 
 #include <botan/ocb.h>
-#include <botan/cmac.h>
+#include <botan/internal/poly_dbl.h>
 #include <botan/internal/bit_ops.h>
 
 namespace Botan {
@@ -56,7 +56,9 @@ class L_computer
 
       secure_vector<uint8_t> poly_double(const secure_vector<uint8_t>& in) const
          {
-         return CMAC::poly_double(in);
+         secure_vector<uint8_t> out = in;
+         poly_double_n(out.data(), out.size());
+         return out;
          }
 
       secure_vector<uint8_t> m_L_dollar, m_L_star;
diff --git a/src/lib/modes/aead/siv/siv.cpp b/src/lib/modes/aead/siv/siv.cpp
index c4db3d785..70545243b 100644
--- a/src/lib/modes/aead/siv/siv.cpp
+++ b/src/lib/modes/aead/siv/siv.cpp
@@ -8,6 +8,7 @@
 
 #include <botan/siv.h>
 #include <botan/cmac.h>
+#include <botan/internal/poly_dbl.h>
 #include <botan/ctr.h>
 #include <botan/parsing.h>
 
@@ -106,19 +107,19 @@ secure_vector<uint8_t> SIV_Mode::S2V(const uint8_t* text, size_t text_len)
 
    for(size_t i = 0; i != m_ad_macs.size(); ++i)
       {
-      V = CMAC::poly_double(V);
+      poly_double_n(V.data(), V.size());
       V ^= m_ad_macs[i];
       }
 
    if(m_nonce.size())
       {
-      V = CMAC::poly_double(V);
+      poly_double_n(V.data(), V.size());
       V ^= m_nonce;
       }
 
    if(text_len < 16)
       {
-      V = CMAC::poly_double(V);
+      poly_double_n(V.data(), V.size());
       xor_buf(V.data(), text, text_len);
       V[text_len] ^= 0x80;
       return m_cmac->process(V);
author	Jack Lloyd <[email protected]>	2017-08-15 14:34:06 -0400
committer	Jack Lloyd <[email protected]>	2017-08-15 14:34:06 -0400
commit	2266362024009f0364a07dd1bcff5115180f40a7 (patch)
tree	18804ff157bab625de6c095099f74971e529b566 /src/lib/modes
parent	ba2c6c7b020497178776b4574ed329586f97c211 (diff)