aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2017-08-14 15:32:55 -0400
committerJack Lloyd <[email protected]>2017-09-10 13:11:46 -0400
commit0f1aaaaf76f737fd0b421af00c49b82fd3d17d5b (patch)
treec07f5503583eacc2339e12907f42c2fb4dcd57a4 /src
parent61c1fd71ba406ba387d7077f203a0fe5223537ca (diff)
Support larger block sizes in OCB
This doesn't match the draft-3 test vectors and may be bogus. [ci skip]
Diffstat (limited to 'src')
-rw-r--r--src/lib/modes/aead/ocb/ocb.cpp182
-rw-r--r--src/lib/modes/aead/ocb/ocb.h11
-rw-r--r--src/tests/data/aead/ocb.vec8
-rw-r--r--src/tests/data/ocb_wide.vec31
-rw-r--r--src/tests/data/ocb_wide_long.vec12
-rw-r--r--src/tests/test_ocb.cpp216
6 files changed, 401 insertions, 59 deletions
diff --git a/src/lib/modes/aead/ocb/ocb.cpp b/src/lib/modes/aead/ocb/ocb.cpp
index aa8532526..7ebb0a5f0 100644
--- a/src/lib/modes/aead/ocb/ocb.cpp
+++ b/src/lib/modes/aead/ocb/ocb.cpp
@@ -1,6 +1,6 @@
/*
* OCB Mode
-* (C) 2013 Jack Lloyd
+* (C) 2013,2017 Jack Lloyd
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
@@ -30,16 +30,18 @@ class L_computer
const secure_vector<uint8_t>& operator()(size_t i) const { return get(i); }
- const secure_vector<uint8_t>& compute_offsets(secure_vector<uint8_t>& offset,
- size_t block_index,
- size_t blocks) const
+ const secure_vector<uint8_t>&
+ compute_offsets(secure_vector<uint8_t>& offset,
+ size_t block_index,
+ size_t blocks,
+ size_t BS) const
{
- m_offset_buf.resize(blocks * 16);
+ m_offset_buf.resize(blocks * BS);
for(size_t i = 0; i != blocks; ++i)
{ // could be done in parallel
offset ^= get(ctz(block_index + 1 + i));
- copy_mem(&m_offset_buf[16*i], offset.data(), 16);
+ copy_mem(&m_offset_buf[BS*i], offset.data(), BS);
}
return m_offset_buf;
@@ -72,16 +74,17 @@ namespace {
* OCB's HASH
*/
secure_vector<uint8_t> ocb_hash(const L_computer& L,
- const BlockCipher& cipher,
- const uint8_t ad[], size_t ad_len)
+ const BlockCipher& cipher,
+ const uint8_t ad[], size_t ad_len)
{
- secure_vector<uint8_t> sum(16);
- secure_vector<uint8_t> offset(16);
+ const size_t BS = cipher.block_size();
+ secure_vector<uint8_t> sum(BS);
+ secure_vector<uint8_t> offset(BS);
- secure_vector<uint8_t> buf(16);
+ secure_vector<uint8_t> buf(BS);
- const size_t ad_blocks = (ad_len / 16);
- const size_t ad_remainder = (ad_len % 16);
+ const size_t ad_blocks = (ad_len / BS);
+ const size_t ad_remainder = (ad_len % BS);
for(size_t i = 0; i != ad_blocks; ++i)
{
@@ -89,7 +92,7 @@ secure_vector<uint8_t> ocb_hash(const L_computer& L,
offset ^= L(ctz(i+1));
buf = offset;
- xor_buf(buf.data(), &ad[16*i], 16);
+ xor_buf(buf.data(), &ad[BS*i], BS);
cipher.encrypt(buf);
@@ -101,8 +104,8 @@ secure_vector<uint8_t> ocb_hash(const L_computer& L,
offset ^= L.star();
buf = offset;
- xor_buf(buf.data(), &ad[16*ad_blocks], ad_remainder);
- buf[ad_len % 16] ^= 0x80;
+ xor_buf(buf.data(), &ad[BS*ad_blocks], ad_remainder);
+ buf[ad_len % BS] ^= 0x80;
cipher.encrypt(buf);
@@ -117,14 +120,21 @@ secure_vector<uint8_t> ocb_hash(const L_computer& L,
OCB_Mode::OCB_Mode(BlockCipher* cipher, size_t tag_size) :
m_cipher(cipher),
m_checksum(m_cipher->parallel_bytes()),
- m_offset(16),
- m_ad_hash(16),
+ m_offset(m_cipher->block_size()),
+ m_ad_hash(m_cipher->block_size()),
m_tag_size(tag_size)
{
- if(m_cipher->block_size() != 16)
- throw Invalid_Argument("OCB requires 128 bit cipher");
+ const size_t BS = m_cipher->block_size();
- if(m_tag_size % 4 != 0 || m_tag_size < 8 || m_tag_size > 16)
+ /*
+ * draft-krovetz-ocb-wide-d1 specifies OCB for several other block
+ * sizes but only 128, 192, 256 and 512 bit are currently supported
+ * by this implementation.
+ */
+ if(BS != 16 && BS != 24 && BS != 32 && BS != 64)
+ throw Invalid_Argument("OCB does not support cipher " + m_cipher->name());
+
+ if(m_tag_size % 4 != 0 || m_tag_size < 8 || m_tag_size > BS || m_tag_size > 32)
throw Invalid_Argument("Invalid OCB tag length");
}
@@ -149,12 +159,17 @@ void OCB_Mode::reset()
bool OCB_Mode::valid_nonce_length(size_t length) const
{
- return (length > 0 && length < m_cipher->block_size());
+ if(length == 0)
+ return false;
+ if(m_cipher->block_size() == 16)
+ return length < 16;
+ else
+ return length < (m_cipher->block_size() - 1);
}
std::string OCB_Mode::name() const
{
- return m_cipher->name() + "/OCB"; // include tag size
+ return m_cipher->name() + "/OCB"; // include tag size?
}
size_t OCB_Mode::update_granularity() const
@@ -182,16 +197,24 @@ void OCB_Mode::set_associated_data(const uint8_t ad[], size_t ad_len)
secure_vector<uint8_t>
OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len)
{
- BOTAN_ASSERT(nonce_len < 16, "OCB nonce is less than cipher block size");
+ const size_t BS = m_cipher->block_size();
+
+ BOTAN_ASSERT(BS == 16 || BS == 24 || BS == 32 || BS == 64,
+ "OCB block size is supported");
+
+ const size_t MASKLEN = (BS == 16 ? 6 : ((BS == 24) ? 7 : 8));
+
+ const uint8_t BOTTOM_MASK =
+ static_cast<uint8_t>((static_cast<uint16_t>(1) << MASKLEN) - 1);
- secure_vector<uint8_t> nonce_buf(16);
+ secure_vector<uint8_t> nonce_buf(BS);
- copy_mem(&nonce_buf[16 - nonce_len], nonce, nonce_len);
- nonce_buf[0] = ((tag_size() * 8) % 128) << 1;
- nonce_buf[16 - nonce_len - 1] = 1;
+ copy_mem(&nonce_buf[BS - nonce_len], nonce, nonce_len);
+ nonce_buf[0] = ((tag_size()*8) % (BS*8)) << (BS <= 16 ? 1 : 0);
+ nonce_buf[BS - nonce_len - 1] ^= 1;
- const uint8_t bottom = nonce_buf[16-1] & 0x3F;
- nonce_buf[16-1] &= 0xC0;
+ const uint8_t bottom = nonce_buf[BS-1] & BOTTOM_MASK;
+ nonce_buf[BS-1] &= ~BOTTOM_MASK;
const bool need_new_stretch = (m_last_nonce != nonce_buf);
@@ -201,8 +224,47 @@ OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len)
m_cipher->encrypt(nonce_buf);
- for(size_t i = 0; i != 16 / 2; ++i)
- nonce_buf.push_back(nonce_buf[i] ^ nonce_buf[i+1]);
+ /*
+ The loop bounds (BS vs BS/2) are derived from the relation
+ between the block size and the MASKLEN. Using the terminology
+ of draft-krovetz-ocb-wide, we have to derive enough bits in
+ ShiftedKtop to read up to BLOCKLEN+bottom bits from Stretch.
+
+ +----------+---------+-------+---------+
+ | BLOCKLEN | RESIDUE | SHIFT | MASKLEN |
+ +----------+---------+-------+---------+
+ | 32 | 141 | 17 | 4 |
+ | 64 | 27 | 25 | 5 |
+ | 96 | 1601 | 33 | 6 |
+ | 128 | 135 | 8 | 6 |
+ | 192 | 135 | 40 | 7 |
+ | 256 | 1061 | 1 | 8 |
+ | 384 | 4109 | 80 | 8 |
+ | 512 | 293 | 176 | 8 |
+ | 1024 | 524355 | 352 | 9 |
+ +----------+---------+-------+---------+
+ */
+
+ if(BS == 16)
+ {
+ for(size_t i = 0; i != BS / 2; ++i)
+ nonce_buf.push_back(nonce_buf[i] ^ nonce_buf[i+1]);
+ }
+ else if(BS == 24)
+ {
+ for(size_t i = 0; i != 16; ++i)
+ nonce_buf.push_back(nonce_buf[i] ^ nonce_buf[i+5]);
+ }
+ else if(BS == 32)
+ {
+ for(size_t i = 0; i != BS; ++i)
+ nonce_buf.push_back(nonce_buf[i] ^ (nonce_buf[i] << 1) ^ (nonce_buf[i+1] >> 7));
+ }
+ else if(BS == 64)
+ {
+ for(size_t i = 0; i != BS / 2; ++i)
+ nonce_buf.push_back(nonce_buf[i] ^ nonce_buf[i+22]);
+ }
m_stretch = nonce_buf;
}
@@ -212,8 +274,10 @@ OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len)
const size_t shift_bytes = bottom / 8;
const size_t shift_bits = bottom % 8;
- secure_vector<uint8_t> offset(16);
- for(size_t i = 0; i != 16; ++i)
+ BOTAN_ASSERT(m_stretch.size() >= BS + shift_bytes + 1, "Size ok");
+
+ secure_vector<uint8_t> offset(BS);
+ for(size_t i = 0; i != BS; ++i)
{
offset[i] = (m_stretch[i+shift_bytes] << shift_bits);
offset[i] |= (m_stretch[i+shift_bytes+1] >> (8-shift_bits));
@@ -236,16 +300,17 @@ void OCB_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
void OCB_Encryption::encrypt(uint8_t buffer[], size_t blocks)
{
- const size_t par_blocks = m_checksum.size() / 16;
+ const size_t BS = m_cipher->block_size();
+ const size_t par_blocks = m_checksum.size() / BS;
while(blocks)
{
const size_t proc_blocks = std::min(blocks, par_blocks);
- const size_t proc_bytes = proc_blocks * 16;
+ const size_t proc_bytes = proc_blocks * BS;
BOTAN_ASSERT(m_L, "A key was set");
- const auto& offsets = m_L->compute_offsets(m_offset, m_block_index, proc_blocks);
+ const auto& offsets = m_L->compute_offsets(m_offset, m_block_index, proc_blocks, BS);
xor_buf(m_checksum.data(), buffer, proc_bytes);
@@ -261,27 +326,30 @@ void OCB_Encryption::encrypt(uint8_t buffer[], size_t blocks)
size_t OCB_Encryption::process(uint8_t buf[], size_t sz)
{
- BOTAN_ASSERT(sz % 16 == 0, "Invalid OCB input size");
- encrypt(buf, sz / 16);
+ const size_t BS = m_cipher->block_size();
+ BOTAN_ASSERT(sz % BS == 0, "Invalid OCB input size");
+ encrypt(buf, sz / BS);
return sz;
}
void OCB_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
{
+ const size_t BS = m_cipher->block_size();
+
BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
const size_t sz = buffer.size() - offset;
uint8_t* buf = buffer.data() + offset;
if(sz)
{
- const size_t final_full_blocks = sz / 16;
- const size_t remainder_bytes = sz - (final_full_blocks * 16);
+ const size_t final_full_blocks = sz / BS;
+ const size_t remainder_bytes = sz - (final_full_blocks * BS);
encrypt(buf, final_full_blocks);
if(remainder_bytes)
{
- BOTAN_ASSERT(remainder_bytes < 16, "Only a partial block left");
+ BOTAN_ASSERT(remainder_bytes < BS, "Only a partial block left");
uint8_t* remainder = &buf[sz - remainder_bytes];
xor_buf(m_checksum.data(), remainder, remainder_bytes);
@@ -289,13 +357,13 @@ void OCB_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
m_offset ^= m_L->star(); // Offset_*
- secure_vector<uint8_t> zeros(16);
+ secure_vector<uint8_t> zeros(BS);
m_cipher->encrypt(m_offset, zeros);
xor_buf(remainder, zeros.data(), remainder_bytes);
}
}
- secure_vector<uint8_t> checksum(16);
+ secure_vector<uint8_t> checksum(BS);
// fold checksum
for(size_t i = 0; i != m_checksum.size(); ++i)
@@ -319,18 +387,19 @@ void OCB_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
void OCB_Decryption::decrypt(uint8_t buffer[], size_t blocks)
{
+ const size_t BS = m_cipher->block_size();
const size_t par_bytes = m_cipher->parallel_bytes();
- BOTAN_ASSERT(par_bytes % 16 == 0, "Cipher is parallel in full blocks");
+ BOTAN_ASSERT(par_bytes % BS == 0, "Cipher is parallel in full blocks");
- const size_t par_blocks = par_bytes / 16;
+ const size_t par_blocks = par_bytes / BS;
while(blocks)
{
const size_t proc_blocks = std::min(blocks, par_blocks);
- const size_t proc_bytes = proc_blocks * 16;
+ const size_t proc_bytes = proc_blocks * BS;
- const auto& offsets = m_L->compute_offsets(m_offset, m_block_index, proc_blocks);
+ const auto& offsets = m_L->compute_offsets(m_offset, m_block_index, proc_blocks, BS);
xor_buf(buffer, offsets.data(), proc_bytes);
m_cipher->decrypt_n(buffer, buffer, proc_blocks);
@@ -346,13 +415,16 @@ void OCB_Decryption::decrypt(uint8_t buffer[], size_t blocks)
size_t OCB_Decryption::process(uint8_t buf[], size_t sz)
{
- BOTAN_ASSERT(sz % 16 == 0, "Invalid OCB input size");
- decrypt(buf, sz / 16);
+ const size_t BS = m_cipher->block_size();
+ BOTAN_ASSERT(sz % BS == 0, "Invalid OCB input size");
+ decrypt(buf, sz / BS);
return sz;
}
void OCB_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
{
+ const size_t BS = m_cipher->block_size();
+
BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
const size_t sz = buffer.size() - offset;
uint8_t* buf = buffer.data() + offset;
@@ -363,20 +435,20 @@ void OCB_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
if(remaining)
{
- const size_t final_full_blocks = remaining / 16;
- const size_t final_bytes = remaining - (final_full_blocks * 16);
+ const size_t final_full_blocks = remaining / BS;
+ const size_t final_bytes = remaining - (final_full_blocks * BS);
decrypt(buf, final_full_blocks);
if(final_bytes)
{
- BOTAN_ASSERT(final_bytes < 16, "Only a partial block left");
+ BOTAN_ASSERT(final_bytes < BS, "Only a partial block left");
uint8_t* remainder = &buf[remaining - final_bytes];
m_offset ^= m_L->star(); // Offset_*
- secure_vector<uint8_t> pad(16);
+ secure_vector<uint8_t> pad(BS);
m_cipher->encrypt(m_offset, pad); // P_*
xor_buf(remainder, pad.data(), final_bytes);
@@ -386,7 +458,7 @@ void OCB_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
}
}
- secure_vector<uint8_t> checksum(16);
+ secure_vector<uint8_t> checksum(BS);
// fold checksum
for(size_t i = 0; i != m_checksum.size(); ++i)
diff --git a/src/lib/modes/aead/ocb/ocb.h b/src/lib/modes/aead/ocb/ocb.h
index 174812ee3..69f5fde60 100644
--- a/src/lib/modes/aead/ocb/ocb.h
+++ b/src/lib/modes/aead/ocb/ocb.h
@@ -22,6 +22,9 @@ class L_computer;
*
* @see "The OCB Authenticated-Encryption Algorithm" RFC 7253
* https://tools.ietf.org/html/rfc7253
+* @see "OCB For Block Ciphers Without 128-Bit Blocks"
+* (draft-krovetz-ocb-wide-d3) for the extension of OCB to
+* block ciphers with larger block sizes.
* @see Free Licenses http://www.cs.ucdavis.edu/~rogaway/ocb/license.htm
* @see OCB home page http://www.cs.ucdavis.edu/~rogaway/ocb
*/
@@ -47,7 +50,7 @@ class BOTAN_DLL OCB_Mode : public AEAD_Mode
~OCB_Mode();
protected:
/**
- * @param cipher the 128-bit block cipher to use
+ * @param cipher the block cipher to use
* @param tag_size is how big the auth tag will be
*/
OCB_Mode(BlockCipher* cipher, size_t tag_size);
@@ -68,7 +71,7 @@ class BOTAN_DLL OCB_Mode : public AEAD_Mode
secure_vector<uint8_t> update_nonce(const uint8_t nonce[], size_t nonce_len);
- size_t m_tag_size = 0;
+ const size_t m_tag_size = 0;
secure_vector<uint8_t> m_last_nonce;
secure_vector<uint8_t> m_stretch;
};
@@ -77,7 +80,7 @@ class BOTAN_DLL OCB_Encryption final : public OCB_Mode
{
public:
/**
- * @param cipher the 128-bit block cipher to use
+ * @param cipher the block cipher to use
* @param tag_size is how big the auth tag will be
*/
OCB_Encryption(BlockCipher* cipher, size_t tag_size = 16) :
@@ -99,7 +102,7 @@ class BOTAN_DLL OCB_Decryption final : public OCB_Mode
{
public:
/**
- * @param cipher the 128-bit block cipher to use
+ * @param cipher the block cipher to use
* @param tag_size is how big the auth tag will be
*/
OCB_Decryption(BlockCipher* cipher, size_t tag_size = 16) :
diff --git a/src/tests/data/aead/ocb.vec b/src/tests/data/aead/ocb.vec
index f0fbb3646..176dcb2b8 100644
--- a/src/tests/data/aead/ocb.vec
+++ b/src/tests/data/aead/ocb.vec
@@ -248,3 +248,11 @@ Nonce = BBAA9988776655443322110D
AD = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
In = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627
Out = 1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1A0124B0A55BAE884ED93481529C76B6AD0C515F4D1CDD4FDAC4F02AA
+
+# Generated by Botan, unconfirmed result
+[Threefish-512/OCB(32)]
+Key = 1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1A0124B0A55BAE8841792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1A0124B0A55BAE884
+Nonce = D5CA91748410C1751FF8A2F61825
+AD = C5CD9D1850C141E358649994EE701B68
+In = 2942BFC773BDA23CABC6ACFD9BFD5835BD300F0973
+Out = 45EEFFF01CDA61695EA24B036074491FE61B96C94337F0F947FB4E10E679A9F2A825DF8CEA530A2784E5640A768DE536C76A79157E
diff --git a/src/tests/data/ocb_wide.vec b/src/tests/data/ocb_wide.vec
new file mode 100644
index 000000000..d8cede352
--- /dev/null
+++ b/src/tests/data/ocb_wide.vec
@@ -0,0 +1,31 @@
+
+
+Key = 8182838485868788898A8B8C8D8E8F909192939495969798
+Nonce = F0F1F2F3F4F5F6F7F8F9FAFB
+AD =
+In =
+Out = F00F1A7125DACF8B57D0F50E6B44615C9996D209B50A1ED7
+
+Key = 9192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8
+Nonce = F1F2F3F4F5F6F7F8F9FAFBFC
+AD = 05060708090A0B0C0D0E0F10
+In = 0102030405060708090A0B0C
+Out = 9AFC5E331177D5A4534506C8670BAFC0E4882C6F9E82C72BD79BDF9E5AD6D4C83955F021
+
+Key = A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8
+Nonce = F2F3F4F5F6F7F8F9FAFBFCFD
+AD = 060708090A0B0C0D0E0F101112131415161718191A1B1C1D
+In = 02030405060708090A0B0C0D0E0F10111213141516171819
+Out = 92A7C0C02A1F6E154762A3C3885DAFF1FAED6ACB59EC9E625995C61B5E92C5254F63D449CD41F4F2F6F9EAF61CD08670
+
+Key = B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8
+Nonce = F3F4F5F6F7F8F9FAFBFCFDFE
+AD = 0708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A
+In = 030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223242526
+Out = 2070BEDB155997BFA6DE55F27CD45AA8223B16312965A814D347CC7EF551DA09E7BCB1806D9418BB37C64AB851272D0D193F32BCB7B081A149C84723
+
+Key = C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4D5D6D7D8
+Nonce = F4F5F6F7F8F9FAFBFCFDFEFF
+AD = 08090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F3031323334353637
+In = 0405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F30313233
+Out = 70E46BCD56C24DCBFC2A280C3C2A26A9AAB9A097AA3EB37352EE799774C85F517E809AF6FEC0D5524972730C09B52555889E94B2D0C6CCF2079291B49B8E86F9D4C7D6EE081E165A
diff --git a/src/tests/data/ocb_wide_long.vec b/src/tests/data/ocb_wide_long.vec
new file mode 100644
index 000000000..7c17f00bf
--- /dev/null
+++ b/src/tests/data/ocb_wide_long.vec
@@ -0,0 +1,12 @@
+
+Blocklen = 128
+Output = 0D099181BE37171BF94582877D6D4693
+
+Blocklen = 192
+Output = C6B3449A7A5C174253720B65198779C0E1758794C023F567
+
+Blocklen = 256
+Output = 87F321F24B0554565BEB6C994AD04F8F95F1A808E67EAFBD60E0E86152AFB37C
+
+Blocklen = 512
+Output = 6748655A0A83543D8AA6287AE9FFC37C9A433332DDFD4E8B42F94D741944D440
diff --git a/src/tests/test_ocb.cpp b/src/tests/test_ocb.cpp
index ede15fb82..cacf9a0d4 100644
--- a/src/tests/test_ocb.cpp
+++ b/src/tests/test_ocb.cpp
@@ -9,6 +9,7 @@
#if defined(BOTAN_HAS_AEAD_OCB)
#include <botan/ocb.h>
#include <botan/loadstor.h>
+ #include <botan/internal/poly_dbl.h>
#endif
namespace Botan_Tests {
@@ -17,6 +18,221 @@ namespace {
#if defined(BOTAN_HAS_AEAD_OCB)
+// Toy cipher used for wide block tests
+
+class OCB_Wide_Test_Block_Cipher : public Botan::BlockCipher
+ {
+ public:
+ OCB_Wide_Test_Block_Cipher(size_t bs) : m_bs(bs) {}
+
+ std::string name() const override { return "OCB_ToyCipher"; }
+ size_t block_size() const override { return m_bs; }
+ void clear() override { m_key.clear(); }
+
+ Botan::BlockCipher* clone() const { return new OCB_Wide_Test_Block_Cipher(m_bs); }
+
+ void key_schedule(const uint8_t key[], size_t length) override
+ {
+ m_key.assign(key, key + length);
+ }
+
+ Botan::Key_Length_Specification key_spec() const override
+ {
+ return Botan::Key_Length_Specification(m_bs);
+ }
+
+ void encrypt_n(const uint8_t in[], uint8_t out[],
+ size_t blocks) const override
+ {
+ while(blocks)
+ {
+ Botan::copy_mem(out, in, m_bs);
+ Botan::poly_double_n(out, m_bs);
+
+ for(size_t i = 0; i != m_bs; ++i)
+ out[i] ^= m_key[i];
+
+ blocks--;
+ in += block_size();
+ out += block_size();
+ }
+ }
+
+ void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
+ {
+ while(blocks)
+ {
+ for(size_t i = 0; i != m_bs; ++i)
+ out[i] = in[i] ^ m_key[i];
+
+ const uint8_t bottom_carry = in[m_bs-1] & 0x01;
+
+ if(bottom_carry)
+ {
+ if(m_bs == 16 || m_bs == 24)
+ {
+ out[m_bs-1] ^= 0x87;
+ }
+ else if(m_bs == 32)
+ {
+ out[m_bs-2] ^= 0x4;
+ out[m_bs-1] ^= 0x25;
+ }
+ else if(m_bs == 64)
+ {
+ out[m_bs-2] ^= 0x1;
+ out[m_bs-1] ^= 0x25;
+ }
+ else
+ throw Test_Error("Bad OCB test block size");
+ }
+
+ uint8_t carry = bottom_carry << 7;
+
+ for(size_t i = 0; i != m_bs; ++i)
+ {
+ uint8_t temp = out[i];
+ out[i] = (temp >> 1) | carry;
+ carry = (temp & 0x1) << 7;
+ }
+
+ blocks--;
+ in += block_size();
+ out += block_size();
+ }
+ }
+ private:
+ size_t m_bs;
+ std::vector<uint8_t> m_key;
+ };
+
+class OCB_Wide_KAT_Tests : public Text_Based_Test
+ {
+ public:
+ OCB_Wide_KAT_Tests()
+ : Text_Based_Test("ocb_wide.vec", "Key,Nonce,AD,In,Out") {}
+
+ Test::Result run_one_test(const std::string&, const VarMap& vars) override
+ {
+ Test::Result result("OCB wide block KAT");
+
+ const std::vector<uint8_t> key = get_req_bin(vars, "Key");
+ const std::vector<uint8_t> nonce = get_req_bin(vars, "Nonce");
+ const std::vector<uint8_t> ad = get_req_bin(vars, "AD");
+ const std::vector<uint8_t> input = get_req_bin(vars, "In");
+ const std::vector<uint8_t> expected = get_req_bin(vars, "Out");
+
+ const size_t bs = key.size();
+ Botan::secure_vector<uint8_t> buf(input.begin(), input.end());
+
+ Botan::OCB_Encryption enc(new OCB_Wide_Test_Block_Cipher(bs), std::min<size_t>(bs, 32));
+ enc.set_key(key);
+ enc.set_ad(ad);
+ enc.start(nonce);
+ enc.finish(buf);
+ result.test_eq("Ciphertext matches", buf, expected);
+
+ Botan::OCB_Decryption dec(new OCB_Wide_Test_Block_Cipher(bs), std::min<size_t>(bs, 32));
+ dec.set_key(key);
+ dec.set_ad(ad);
+ dec.start(nonce);
+ dec.finish(buf);
+ result.test_eq("Decryption correct", buf, input);
+
+ return result;
+ }
+ };
+
+BOTAN_REGISTER_TEST("ocb_wide", OCB_Wide_KAT_Tests);
+
+class OCB_Wide_Long_KAT_Tests : public Text_Based_Test
+ {
+ public:
+ OCB_Wide_Long_KAT_Tests()
+ : Text_Based_Test("ocb_wide_long.vec", "Blocklen,Output") {}
+
+ Test::Result run_one_test(const std::string&, const VarMap& vars) override
+ {
+ Test::Result result("OCB wide block long test");
+
+ const size_t bs = get_req_sz(vars, "Blocklen") / 8;
+ const std::vector<uint8_t> expected = get_req_bin(vars, "Output");
+
+ if(bs != 16 && bs != 24 && bs != 32 && bs != 64)
+ throw Test_Error("Unsupported Blocklen in OCB wide block test");
+
+ Botan::OCB_Encryption enc(new OCB_Wide_Test_Block_Cipher(bs), std::min<size_t>(bs, 32));
+
+ /*
+ Y, string of length min(B, 256) bits
+
+ Y is defined as follows.
+
+ K = (0xA0 || 0xA1 || 0xA2 || ...)[1..B]
+ C = <empty string>
+ for i = 0 to 127 do
+ S = (0x50 || 0x51 || 0x52 || ...)[1..8i]
+ N = num2str(3i+1,16)
+ C = C || OCB-ENCRYPT(K,N,S,S)
+ N = num2str(3i+2,16)
+ C = C || OCB-ENCRYPT(K,N,<empty string>,S)
+ N = num2str(3i+3,16)
+ C = C || OCB-ENCRYPT(K,N,S,<empty string>)
+ end for
+ N = num2str(385,16)
+ Y = OCB-ENCRYPT(K,N,C,<empty string>)
+ */
+
+ std::vector<uint8_t> key(bs);
+ for(size_t i = 0; i != bs; ++i)
+ key[i] = 0xA0 + i;
+
+ enc.set_key(key);
+
+ const std::vector<uint8_t> empty;
+ std::vector<uint8_t> N(2);
+ std::vector<uint8_t> C;
+
+ for(size_t i = 0; i != 128; ++i)
+ {
+ const std::vector<uint8_t> S(i);
+
+ Botan::store_be(static_cast<uint32_t>(3 * i + 1), &N[8]);
+
+ ocb_encrypt(result, C, enc, N, S, S);
+ Botan::store_be(static_cast<uint32_t>(3 * i + 2), &N[8]);
+ ocb_encrypt(result, C, enc, N, S, empty);
+ Botan::store_be(static_cast<uint32_t>(3 * i + 3), &N[8]);
+ ocb_encrypt(result, C, enc, N, empty, S);
+ }
+
+ Botan::store_be(static_cast<uint32_t>(385), &N[8]);
+ std::vector<uint8_t> final_result;
+ ocb_encrypt(result, final_result, enc, N, empty, C);
+
+ result.test_eq("correct value", final_result, expected);
+
+ return result;
+ }
+
+ private:
+ void ocb_encrypt(Test::Result& result,
+ std::vector<uint8_t>& output_to,
+ Botan::OCB_Encryption& enc,
+ const std::vector<uint8_t>& nonce,
+ const std::vector<uint8_t>& pt,
+ const std::vector<uint8_t>& ad)
+ {
+ enc.set_associated_data(ad.data(), ad.size());
+ enc.start(nonce.data(), nonce.size());
+ Botan::secure_vector<uint8_t> buf(pt.begin(), pt.end());
+ enc.finish(buf, 0);
+ output_to.insert(output_to.end(), buf.begin(), buf.end());
+ }
+ };
+
+BOTAN_REGISTER_TEST("ocb_long_wide", OCB_Wide_Long_KAT_Tests);
+
class OCB_Long_KAT_Tests : public Text_Based_Test
{
public: