diff options
author | lloyd <[email protected]> | 2014-11-07 14:55:18 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2014-11-07 14:55:18 +0000 |
commit | ce72ae0073b18f82efe558a3bf44564f0245d6db (patch) | |
tree | d5f3a6616ff5f0e934451a89dded69d790bf4cb0 /src/lib | |
parent | fff58f919f5d142e5b3dd896c747943e92b3e646 (diff) |
OCB cleanup and additional tests
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/modes/aead/ocb/ocb.cpp | 90 | ||||
-rw-r--r-- | src/lib/modes/aead/ocb/ocb.h | 7 |
2 files changed, 46 insertions, 51 deletions
diff --git a/src/lib/modes/aead/ocb/ocb.cpp b/src/lib/modes/aead/ocb/ocb.cpp index 8bb45f217..f3aa8e06c 100644 --- a/src/lib/modes/aead/ocb/ocb.cpp +++ b/src/lib/modes/aead/ocb/ocb.cpp @@ -13,12 +13,6 @@ namespace Botan { -namespace { - -const size_t BS = 16; // intrinsic to OCB definition - -} - // Has to be in Botan namespace so unique_ptr can reference it class L_computer { @@ -41,7 +35,8 @@ class L_computer size_t block_index, size_t blocks) const { - m_offset_buf.resize(blocks*BS); + const size_t BS = m_L_star.size(); + m_offset_buf.resize(blocks * BS); for(size_t i = 0; i != blocks; ++i) { // could be done in parallel @@ -80,6 +75,8 @@ secure_vector<byte> ocb_hash(const L_computer& L, const BlockCipher& cipher, const byte ad[], size_t ad_len) { + const size_t BS = cipher.block_size(); + secure_vector<byte> sum(BS); secure_vector<byte> offset(BS); @@ -121,16 +118,16 @@ secure_vector<byte> ocb_hash(const L_computer& L, OCB_Mode::OCB_Mode(BlockCipher* cipher, size_t tag_size) : m_cipher(cipher), + m_BS(m_cipher->block_size()), m_checksum(m_cipher->parallel_bytes()), - m_offset(BS), - m_ad_hash(BS), + m_offset(m_BS), + m_ad_hash(m_BS), m_tag_size(tag_size) { - if(m_cipher->block_size() != BS) - throw std::invalid_argument("OCB requires a 128 bit cipher so cannot be used with " + - m_cipher->name()); + if(BS() != 16) + throw std::invalid_argument("OCB is not compatible with " + m_cipher->name()); - if(m_tag_size != 8 && m_tag_size != 12 && m_tag_size != 16) + if(m_tag_size % 4 != 0 || m_tag_size < 8 || m_tag_size > BS()) throw std::invalid_argument("OCB cannot produce a " + std::to_string(m_tag_size) + " byte tag"); @@ -150,7 +147,7 @@ void OCB_Mode::clear() bool OCB_Mode::valid_nonce_length(size_t length) const { - return (length > 0 && length < 16); + return (length > 0 && length < m_cipher->block_size()); } std::string OCB_Mode::name() const @@ -183,16 +180,16 @@ void OCB_Mode::set_associated_data(const byte ad[], size_t ad_len) secure_vector<byte> OCB_Mode::update_nonce(const byte nonce[], size_t nonce_len) { - BOTAN_ASSERT(nonce_len < BS, "Nonce is less than 128 bits"); + BOTAN_ASSERT(nonce_len < BS(), "OCB nonce is less than cipher block size"); - secure_vector<byte> nonce_buf(BS); + secure_vector<byte> nonce_buf(BS()); - copy_mem(&nonce_buf[BS - nonce_len], nonce, nonce_len); + copy_mem(&nonce_buf[BS() - nonce_len], nonce, nonce_len); nonce_buf[0] = ((tag_size() * 8) % 128) << 1; - nonce_buf[BS - nonce_len - 1] = 1; + nonce_buf[BS() - nonce_len - 1] = 1; - const byte bottom = nonce_buf[15] & 0x3F; - nonce_buf[15] &= 0xC0; + const byte bottom = nonce_buf[BS()-1] & 0x3F; + nonce_buf[BS()-1] &= 0xC0; const bool need_new_stretch = (m_last_nonce != nonce_buf); @@ -202,7 +199,7 @@ OCB_Mode::update_nonce(const byte nonce[], size_t nonce_len) m_cipher->encrypt(nonce_buf); - for(size_t i = 0; i != 8; ++i) + for(size_t i = 0; i != BS() / 2; ++i) nonce_buf.push_back(nonce_buf[i] ^ nonce_buf[i+1]); m_stretch = nonce_buf; @@ -213,8 +210,8 @@ OCB_Mode::update_nonce(const byte nonce[], size_t nonce_len) const size_t shift_bytes = bottom / 8; const size_t shift_bits = bottom % 8; - secure_vector<byte> offset(BS); - for(size_t i = 0; i != BS; ++i) + secure_vector<byte> offset(BS()); + for(size_t i = 0; i != BS(); ++i) { offset[i] = (m_stretch[i+shift_bytes] << shift_bits); offset[i] |= (m_stretch[i+shift_bytes+1] >> (8-shift_bits)); @@ -239,16 +236,14 @@ secure_vector<byte> OCB_Mode::start_raw(const byte nonce[], size_t nonce_len) void OCB_Encryption::encrypt(byte buffer[], size_t blocks) { - const L_computer& L = *m_L; // convenient name - - const size_t par_blocks = m_checksum.size() / BS; + const size_t par_blocks = m_checksum.size() / BS(); while(blocks) { const size_t proc_blocks = std::min(blocks, par_blocks); - const size_t proc_bytes = proc_blocks * BS; + const size_t proc_bytes = proc_blocks * BS(); - const auto& offsets = L.compute_offsets(m_offset, m_block_index, proc_blocks); + const auto& offsets = m_L->compute_offsets(m_offset, m_block_index, proc_blocks); xor_buf(&m_checksum[0], &buffer[0], proc_bytes); @@ -268,9 +263,8 @@ void OCB_Encryption::update(secure_vector<byte>& buffer, size_t offset) const size_t sz = buffer.size() - offset; byte* buf = &buffer[offset]; - BOTAN_ASSERT(sz % BS == 0, "Input length is an even number of blocks"); - - encrypt(buf, sz / BS); + BOTAN_ASSERT(sz % BS() == 0, "Input length is an even number of blocks"); + encrypt(buf, sz / BS()); } void OCB_Encryption::finish(secure_vector<byte>& buffer, size_t offset) @@ -281,14 +275,14 @@ void OCB_Encryption::finish(secure_vector<byte>& buffer, size_t offset) if(sz) { - const size_t final_full_blocks = sz / BS; - const size_t remainder_bytes = sz - (final_full_blocks * BS); + const size_t final_full_blocks = sz / BS(); + const size_t remainder_bytes = sz - (final_full_blocks * BS()); encrypt(buf, final_full_blocks); if(remainder_bytes) { - BOTAN_ASSERT(remainder_bytes < BS, "Only a partial block left"); + BOTAN_ASSERT(remainder_bytes < BS(), "Only a partial block left"); byte* remainder = &buf[sz - remainder_bytes]; xor_buf(&m_checksum[0], &remainder[0], remainder_bytes); @@ -296,13 +290,13 @@ void OCB_Encryption::finish(secure_vector<byte>& buffer, size_t offset) m_offset ^= m_L->star(); // Offset_* - secure_vector<byte> zeros(BS); + secure_vector<byte> zeros(BS()); m_cipher->encrypt(m_offset, zeros); xor_buf(&remainder[0], &zeros[0], remainder_bytes); } } - secure_vector<byte> checksum(BS); + secure_vector<byte> checksum(BS()); // fold checksum for(size_t i = 0; i != m_checksum.size(); ++i) @@ -326,20 +320,18 @@ void OCB_Encryption::finish(secure_vector<byte>& buffer, size_t offset) void OCB_Decryption::decrypt(byte buffer[], size_t blocks) { - const L_computer& L = *m_L; // convenient name - const size_t par_bytes = m_cipher->parallel_bytes(); - BOTAN_ASSERT(par_bytes % BS == 0, "Cipher is parallel in full blocks"); + BOTAN_ASSERT(par_bytes % BS() == 0, "Cipher is parallel in full blocks"); - const size_t par_blocks = par_bytes / BS; + const size_t par_blocks = par_bytes / BS(); while(blocks) { const size_t proc_blocks = std::min(blocks, par_blocks); - const size_t proc_bytes = proc_blocks * BS; + const size_t proc_bytes = proc_blocks * BS(); - const auto& offsets = L.compute_offsets(m_offset, m_block_index, proc_blocks); + const auto& offsets = m_L->compute_offsets(m_offset, m_block_index, proc_blocks); xor_buf(&buffer[0], &offsets[0], proc_bytes); m_cipher->decrypt_n(&buffer[0], &buffer[0], proc_blocks); @@ -359,9 +351,9 @@ void OCB_Decryption::update(secure_vector<byte>& buffer, size_t offset) const size_t sz = buffer.size() - offset; byte* buf = &buffer[offset]; - BOTAN_ASSERT(sz % BS == 0, "Input length is an even number of blocks"); + BOTAN_ASSERT(sz % BS() == 0, "Input length is an even number of blocks"); - decrypt(buf, sz / BS); + decrypt(buf, sz / BS()); } void OCB_Decryption::finish(secure_vector<byte>& buffer, size_t offset) @@ -376,20 +368,20 @@ void OCB_Decryption::finish(secure_vector<byte>& buffer, size_t offset) if(remaining) { - const size_t final_full_blocks = remaining / BS; - const size_t final_bytes = remaining - (final_full_blocks * BS); + const size_t final_full_blocks = remaining / BS(); + const size_t final_bytes = remaining - (final_full_blocks * BS()); decrypt(&buf[0], final_full_blocks); if(final_bytes) { - BOTAN_ASSERT(final_bytes < BS, "Only a partial block left"); + BOTAN_ASSERT(final_bytes < BS(), "Only a partial block left"); byte* remainder = &buf[remaining - final_bytes]; m_offset ^= m_L->star(); // Offset_* - secure_vector<byte> pad(BS); + secure_vector<byte> pad(BS()); m_cipher->encrypt(m_offset, pad); // P_* xor_buf(&remainder[0], &pad[0], final_bytes); @@ -399,7 +391,7 @@ void OCB_Decryption::finish(secure_vector<byte>& buffer, size_t offset) } } - secure_vector<byte> checksum(BS); + secure_vector<byte> checksum(BS()); // fold checksum for(size_t i = 0; i != m_checksum.size(); ++i) diff --git a/src/lib/modes/aead/ocb/ocb.h b/src/lib/modes/aead/ocb/ocb.h index a7293ffcb..02ea0b0a1 100644 --- a/src/lib/modes/aead/ocb/ocb.h +++ b/src/lib/modes/aead/ocb/ocb.h @@ -1,6 +1,6 @@ /* * OCB Mode -* (C) 2013 Jack Lloyd +* (C) 2013,2014 Jack Lloyd * * Distributed under the terms of the Botan license */ @@ -50,12 +50,13 @@ class BOTAN_DLL OCB_Mode : public AEAD_Mode */ OCB_Mode(BlockCipher* cipher, size_t tag_size); - void key_schedule(const byte key[], size_t length) override; + size_t BS() const { return m_BS; } // fixme make these private std::unique_ptr<BlockCipher> m_cipher; std::unique_ptr<L_computer> m_L; + size_t m_BS; size_t m_block_index = 0; secure_vector<byte> m_checksum; @@ -64,6 +65,8 @@ class BOTAN_DLL OCB_Mode : public AEAD_Mode private: secure_vector<byte> start_raw(const byte nonce[], size_t nonce_len) override; + void key_schedule(const byte key[], size_t length) override; + secure_vector<byte> update_nonce(const byte nonce[], size_t nonce_len); size_t m_tag_size = 0; |