aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/mac/cmac/cmac.cpp8
-rw-r--r--src/lib/modes/aead/ocb/ocb.cpp4
-rw-r--r--src/lib/modes/xts/xts.cpp56
-rw-r--r--src/lib/utils/poly_dbl.cpp152
-rw-r--r--src/lib/utils/poly_dbl.h18
5 files changed, 82 insertions, 156 deletions
diff --git a/src/lib/mac/cmac/cmac.cpp b/src/lib/mac/cmac/cmac.cpp
index 4d76e4a20..665bfe3c0 100644
--- a/src/lib/mac/cmac/cmac.cpp
+++ b/src/lib/mac/cmac/cmac.cpp
@@ -15,8 +15,8 @@ namespace Botan {
*/
secure_vector<uint8_t> CMAC::poly_double(const secure_vector<uint8_t>& in)
{
- secure_vector<uint8_t> out = in;
- poly_double_n(out.data(), out.size());
+ secure_vector<uint8_t> out(in.size());
+ poly_double_n(out.data(), in.data(), out.size());
return out;
}
@@ -81,9 +81,7 @@ void CMAC::key_schedule(const uint8_t key[], size_t length)
m_cipher->set_key(key, length);
m_cipher->encrypt(m_B);
poly_double_n(m_B.data(), m_B.size());
-
- m_P = m_B;
- poly_double_n(m_P.data(), m_P.size());
+ poly_double_n(m_P.data(), m_B.data(), m_P.size());
}
/*
diff --git a/src/lib/modes/aead/ocb/ocb.cpp b/src/lib/modes/aead/ocb/ocb.cpp
index 42118c25c..aa8532526 100644
--- a/src/lib/modes/aead/ocb/ocb.cpp
+++ b/src/lib/modes/aead/ocb/ocb.cpp
@@ -56,8 +56,8 @@ class L_computer
secure_vector<uint8_t> poly_double(const secure_vector<uint8_t>& in) const
{
- secure_vector<uint8_t> out = in;
- poly_double_n(out.data(), out.size());
+ secure_vector<uint8_t> out(in.size());
+ poly_double_n(out.data(), in.data(), out.size());
return out;
}
diff --git a/src/lib/modes/xts/xts.cpp b/src/lib/modes/xts/xts.cpp
index 9487bd835..4a4250f84 100644
--- a/src/lib/modes/xts/xts.cpp
+++ b/src/lib/modes/xts/xts.cpp
@@ -8,51 +8,19 @@
#include <botan/xts.h>
#include <botan/loadstor.h>
+#include <botan/internal/poly_dbl.h>
namespace Botan {
-namespace {
-
-void poly_double_128(uint8_t out[], const uint8_t in[])
- {
- uint64_t X0 = load_le<uint64_t>(in, 0);
- uint64_t X1 = load_le<uint64_t>(in, 1);
-
- const bool carry = static_cast<bool>((X1 >> 63) != 0);
-
- X1 = (X1 << 1) | (X0 >> 63);
- X0 = (X0 << 1);
-
- if(carry)
- X0 ^= 0x87;
-
- store_le(out, X0, X1);
- }
-
-void poly_double_64(uint8_t out[], const uint8_t in[])
- {
- uint64_t X = load_le<uint64_t>(in, 0);
- const bool carry = static_cast<bool>((X >> 63) != 0);
- X <<= 1;
- if(carry)
- X ^= 0x1B;
- store_le(X, out);
- }
-
-inline void poly_double(uint8_t out[], const uint8_t in[], size_t size)
- {
- if(size == 8)
- poly_double_64(out, in);
- else
- poly_double_128(out, in);
- }
-
-}
-
XTS_Mode::XTS_Mode(BlockCipher* cipher) : m_cipher(cipher)
{
- if(m_cipher->block_size() != 8 && m_cipher->block_size() != 16)
- throw Invalid_Argument("Bad cipher for XTS: " + cipher->name());
+ if(m_cipher->block_size() != 8 &&
+ m_cipher->block_size() != 16 &&
+ m_cipher->block_size() != 32 &&
+ m_cipher->block_size() != 64)
+ {
+ throw Invalid_Argument("Cannot use " + cipher->name() + " with XTS");
+ }
m_tweak_cipher.reset(m_cipher->clone());
m_tweak.resize(update_granularity());
@@ -127,12 +95,12 @@ void XTS_Mode::update_tweak(size_t which)
const size_t BS = m_tweak_cipher->block_size();
if(which > 0)
- poly_double(m_tweak.data(), &m_tweak[(which-1)*BS], BS);
+ poly_double_n_le(m_tweak.data(), &m_tweak[(which-1)*BS], BS);
const size_t blocks_in_tweak = update_granularity() / BS;
for(size_t i = 1; i < blocks_in_tweak; ++i)
- poly_double(&m_tweak[i*BS], &m_tweak[(i-1)*BS], BS);
+ poly_double_n_le(&m_tweak[i*BS], &m_tweak[(i-1)*BS], BS);
}
size_t XTS_Encryption::output_length(size_t input_length) const
@@ -173,7 +141,7 @@ void XTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
const size_t sz = buffer.size() - offset;
uint8_t* buf = buffer.data() + offset;
- BOTAN_ASSERT(sz >= minimum_final_size(), "Have sufficient final input");
+ BOTAN_ASSERT(sz >= minimum_final_size(), "Have sufficient final input in XTS encrypt");
const size_t BS = cipher().block_size();
@@ -249,7 +217,7 @@ void XTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
const size_t sz = buffer.size() - offset;
uint8_t* buf = buffer.data() + offset;
- BOTAN_ASSERT(sz >= minimum_final_size(), "Have sufficient final input");
+ BOTAN_ASSERT(sz >= minimum_final_size(), "Have sufficient final input in XTS decrypt");
const size_t BS = cipher().block_size();
diff --git a/src/lib/utils/poly_dbl.cpp b/src/lib/utils/poly_dbl.cpp
index 0cea4957b..2b989db57 100644
--- a/src/lib/utils/poly_dbl.cpp
+++ b/src/lib/utils/poly_dbl.cpp
@@ -10,120 +10,74 @@
namespace Botan {
-void poly_double_n(uint8_t b[], size_t n)
- {
- if(n == 8)
- return poly_double_8(b);
- else if(n == 16)
- return poly_double_16(b);
- else if(n == 24)
- return poly_double_24(b);
- else if(n == 32)
- return poly_double_32(b);
- else if(n == 64)
- return poly_double_64(b);
- else
- throw Invalid_Argument("Unsupported size for poly_double_n");
- }
-
-void poly_double_8(uint8_t b[8])
- {
- const uint64_t poly = 0x1B;
- uint64_t b0 = load_be<uint64_t>(b, 0);
- const uint64_t carry0 = (b0 >> 63);
- b0 = (b0 << 1) ^ (carry0 * poly);
- store_be(b0, b);
- }
+namespace {
-void poly_double_16(uint8_t b[16])
+template<size_t LIMBS, uint64_t POLY>
+void poly_double(uint8_t out[], const uint8_t in[])
{
- const uint64_t poly = 0x87;
+ uint64_t W[LIMBS];
+ load_be(W, in, LIMBS);
- uint64_t b0 = load_be<uint64_t>(b, 0);
- uint64_t b1 = load_be<uint64_t>(b, 1);
+ const uint64_t carry = POLY * (W[0] >> 63);
+ for(size_t i = 0; i != LIMBS - 1; ++i)
+ W[i] = (W[i] << 1) ^ (W[i+1] >> 63);
+ W[LIMBS-1] = (W[LIMBS-1] << 1) ^ carry;
- const uint64_t carry0 = (b0 >> 63);
-
- b0 = (b0 << 1) ^ (b1 >> 63);
- b1 = (b1 << 1) ^ (carry0 * poly);
-
- store_be(b0, b);
- store_be(b1, b+8);
+ copy_out_be(out, LIMBS*8, W);
}
-void poly_double_24(uint8_t b[24])
+template<size_t LIMBS, uint64_t POLY>
+void poly_double_le(uint8_t out[], const uint8_t in[])
{
- const uint64_t poly = 0x87;
-
- uint64_t b0 = load_be<uint64_t>(b, 0);
- uint64_t b1 = load_be<uint64_t>(b, 1);
- uint64_t b2 = load_be<uint64_t>(b, 2);
+ uint64_t W[LIMBS];
+ load_le(W, in, LIMBS);
- const uint64_t carry0 = (b0 >> 63);
+ const uint64_t carry = POLY * (W[LIMBS-1] >> 63);
+ for(size_t i = 0; i != LIMBS - 1; ++i)
+ W[LIMBS-1-i] = (W[LIMBS-1-i] << 1) ^ (W[LIMBS-2-i] >> 63);
+ W[0] = (W[0] << 1) ^ carry;
- b0 = (b0 << 1) ^ (b1 >> 63);
- b1 = (b1 << 1) ^ (b2 >> 63);
- b2 = (b2 << 1) ^ (carry0 * poly);
-
- store_be(b0, b);
- store_be(b1, b+8);
- store_be(b2, b+16);
+ copy_out_le(out, LIMBS*8, W);
}
-void poly_double_32(uint8_t b[32])
- {
- const uint64_t poly = 0x425;
-
- uint64_t b0 = load_be<uint64_t>(b, 0);
- uint64_t b1 = load_be<uint64_t>(b, 1);
- uint64_t b2 = load_be<uint64_t>(b, 2);
- uint64_t b3 = load_be<uint64_t>(b, 3);
-
- const uint64_t carry0 = (b0 >> 63);
-
- b0 = (b0 << 1) ^ (b1 >> 63);
- b1 = (b1 << 1) ^ (b2 >> 63);
- b2 = (b2 << 1) ^ (b3 >> 63);
- b3 = (b3 << 1) ^ (carry0 * poly);
+}
- store_be(b0, b);
- store_be(b1, b+8);
- store_be(b2, b+16);
- store_be(b3, b+24);
+void poly_double_n(uint8_t out[], const uint8_t in[], size_t n)
+ {
+ switch(n)
+ {
+ case 8:
+ return poly_double<1, 0x1B>(out, in);
+ case 16:
+ return poly_double<2, 0x87>(out, in);
+ case 24:
+ return poly_double<3, 0x87>(out, in);
+ case 32:
+ return poly_double<4, 0x425>(out, in);
+ case 64:
+ return poly_double<8, 0x125>(out, in);
+ default:
+ throw Invalid_Argument("Unsupported size for poly_double_n");
+ }
}
-void poly_double_64(uint8_t b[64])
+void poly_double_n_le(uint8_t out[], const uint8_t in[], size_t n)
{
- const uint64_t poly = 0x125;
-
- uint64_t b0 = load_be<uint64_t>(b, 0);
- uint64_t b1 = load_be<uint64_t>(b, 1);
- uint64_t b2 = load_be<uint64_t>(b, 2);
- uint64_t b3 = load_be<uint64_t>(b, 3);
- uint64_t b4 = load_be<uint64_t>(b, 4);
- uint64_t b5 = load_be<uint64_t>(b, 5);
- uint64_t b6 = load_be<uint64_t>(b, 6);
- uint64_t b7 = load_be<uint64_t>(b, 7);
-
- const uint64_t carry0 = (b0 >> 63);
-
- b0 = (b0 << 1) ^ (b1 >> 63);
- b1 = (b1 << 1) ^ (b2 >> 63);
- b2 = (b2 << 1) ^ (b3 >> 63);
- b3 = (b3 << 1) ^ (b4 >> 63);
- b4 = (b4 << 1) ^ (b5 >> 63);
- b5 = (b5 << 1) ^ (b6 >> 63);
- b6 = (b6 << 1) ^ (b7 >> 63);
- b7 = (b7 << 1) ^ (carry0 * poly);
-
- store_be(b0, b);
- store_be(b1, b+8);
- store_be(b2, b+16);
- store_be(b3, b+24);
- store_be(b4, b+32);
- store_be(b5, b+40);
- store_be(b6, b+48);
- store_be(b7, b+56);
+ switch(n)
+ {
+ case 8:
+ return poly_double_le<1, 0x1B>(out, in);
+ case 16:
+ return poly_double_le<2, 0x87>(out, in);
+ case 24:
+ return poly_double_le<3, 0x87>(out, in);
+ case 32:
+ return poly_double_le<4, 0x425>(out, in);
+ case 64:
+ return poly_double_le<8, 0x125>(out, in);
+ default:
+ throw Invalid_Argument("Unsupported size for poly_double_n_le");
+ }
}
}
diff --git a/src/lib/utils/poly_dbl.h b/src/lib/utils/poly_dbl.h
index df3b419c3..c79af3ada 100644
--- a/src/lib/utils/poly_dbl.h
+++ b/src/lib/utils/poly_dbl.h
@@ -11,14 +11,20 @@
namespace Botan {
-void BOTAN_DLL poly_double_n(uint8_t b[], size_t n);
+/**
+* Polynomial doubling in GF(2^n)
+*/
+void BOTAN_DLL poly_double_n(uint8_t out[], const uint8_t in[], size_t n);
-void poly_double_8(uint8_t b[8]);
-void poly_double_16(uint8_t b[16]);
-void poly_double_24(uint8_t b[24]);
-void poly_double_32(uint8_t b[32]);
-void poly_double_64(uint8_t b[64]);
+inline void poly_double_n(uint8_t buf[], size_t n)
+ {
+ return poly_double_n(buf, buf, n);
+ }
+/*
+* Little endian convention - used for XTS
+*/
+void poly_double_n_le(uint8_t out[], const uint8_t in[], size_t n);
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-26 07:08:25 +0000