Diffstat (limited to 'src/modes/aead/siv')
-rw-r--r-- | src/modes/aead/siv/info.txt | 3 | ||||
-rw-r--r-- | src/modes/aead/siv/siv.cpp | 180 | ||||
-rw-r--r-- | src/modes/aead/siv/siv.h | 114 |
3 files changed, 0 insertions, 297 deletions
diff --git a/src/modes/aead/siv/info.txt b/src/modes/aead/siv/info.txt
deleted file mode 100644
index b1e38568e..000000000
--- a/src/modes/aead/siv/info.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-define AEAD_SIV 20131202
-
-load_on auto
diff --git a/src/modes/aead/siv/siv.cpp b/src/modes/aead/siv/siv.cpp
deleted file mode 100644
index a89c3dd08..000000000
--- a/src/modes/aead/siv/siv.cpp
+++ /dev/null
@@ -1,180 +0,0 @@
-/*
-* SIV Mode Encryption
-* (C) 2013 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#include <botan/siv.h>
-#include <botan/cmac.h>
-#include <botan/ctr.h>
-#include <botan/parsing.h>
-#include <botan/internal/xor_buf.h>
-#include <algorithm>
-
-namespace Botan {
-
-SIV_Mode::SIV_Mode(BlockCipher* cipher) :
- m_name(cipher->name() + "/SIV"),
- m_ctr(new CTR_BE(cipher->clone())),
- m_cmac(new CMAC(cipher))
- {
- }
-
-void SIV_Mode::clear()
- {
- m_ctr.reset();
- m_nonce.clear();
- m_msg_buf.clear();
- m_ad_macs.clear();
- }
-
-std::string SIV_Mode::name() const
- {
- return m_name;
- }
-
-bool SIV_Mode::valid_nonce_length(size_t) const
- {
- return true;
- }
-
-size_t SIV_Mode::update_granularity() const
- {
- /*
- This value does not particularly matter as regardless SIV_Mode::update
- buffers all input, so in theory this could be 1. However as for instance
- Transformation_Filter creates update_granularity() byte buffers, use a
- somewhat large size to avoid bouncing on a tiny buffer.
- */
- return 128;
- }
-
-Key_Length_Specification SIV_Mode::key_spec() const
- {
- return m_cmac->key_spec().multiple(2);
- }
-
-void SIV_Mode::key_schedule(const byte key[], size_t length)
- {
- const size_t keylen = length / 2;
- m_cmac->set_key(key, keylen);
- m_ctr->set_key(key + keylen, keylen);
- m_ad_macs.clear();
- }
-
-void SIV_Mode::set_associated_data_n(size_t n, const byte ad[], size_t length)
- {
- if(n >= m_ad_macs.size())
- m_ad_macs.resize(n+1);
-
- m_ad_macs[n] = m_cmac->process(ad, length);
- }
-
-secure_vector<byte> SIV_Mode::start(const byte nonce[], size_t nonce_len)
- {
- if(!valid_nonce_length(nonce_len))
- throw Invalid_IV_Length(name(), nonce_len);
-
- if(nonce_len)
- m_nonce = m_cmac->process(nonce, nonce_len);
- else
- m_nonce.clear();
-
- m_msg_buf.clear();
-
- return secure_vector<byte>();
- }
-
-void SIV_Mode::update(secure_vector<byte>& buffer, size_t offset)
- {
- BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
- const size_t sz = buffer.size() - offset;
- byte* buf = &buffer[offset];
-
- m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
- buffer.resize(offset); // truncate msg
- }
-
-secure_vector<byte> SIV_Mode::S2V(const byte* text, size_t text_len)
- {
- const byte zero[16] = { 0 };
-
- secure_vector<byte> V = cmac().process(zero, 16);
-
- for(size_t i = 0; i != m_ad_macs.size(); ++i)
- {
- V = CMAC::poly_double(V, 0x87);
- V ^= m_ad_macs[i];
- }
-
- if(m_nonce.size())
- {
- V = CMAC::poly_double(V, 0x87);
- V ^= m_nonce;
- }
-
- if(text_len < 16)
- {
- V = CMAC::poly_double(V, 0x87);
- xor_buf(&V[0], text, text_len);
- V[text_len] ^= 0x80;
- return cmac().process(V);
- }
-
- cmac().update(text, text_len - 16);
- xor_buf(&V[0], &text[text_len - 16], 16);
- cmac().update(V);
-
- return cmac().final();
- }
-
-void SIV_Mode::set_ctr_iv(secure_vector<byte> V)
- {
- V[8] &= 0x7F;
- V[12] &= 0x7F;
-
- ctr().set_iv(&V[0], V.size());
- }
-
-void SIV_Encryption::finish(secure_vector<byte>& buffer, size_t offset)
- {
- BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
-
- buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
-
- secure_vector<byte> V = S2V(&buffer[offset], buffer.size() - offset);
-
- buffer.insert(buffer.begin() + offset, V.begin(), V.end());
-
- set_ctr_iv(V);
- ctr().cipher1(&buffer[offset + V.size()], buffer.size() - offset - V.size());
- }
-
-void SIV_Decryption::finish(secure_vector<byte>& buffer, size_t offset)
- {
- BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
-
- buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
-
- const size_t sz = buffer.size() - offset;
-
- BOTAN_ASSERT(sz >= tag_size(), "We have the tag");
-
- secure_vector<byte> V(&buffer[offset], &buffer[offset + 16]);
-
- set_ctr_iv(V);
-
- ctr().cipher(&buffer[offset + V.size()],
- &buffer[offset],
- buffer.size() - offset - V.size());
-
- secure_vector<byte> T = S2V(&buffer[offset], buffer.size() - offset - V.size());
-
- if(T != V)
- throw Integrity_Failure("SIV tag check failed");
-
- buffer.resize(buffer.size() - tag_size());
- }
-
-}
diff --git a/src/modes/aead/siv/siv.h b/src/modes/aead/siv/siv.h
deleted file mode 100644
index 31df4d049..000000000
--- a/src/modes/aead/siv/siv.h
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
-* SIV Mode
-* (C) 2013 Jack Lloyd
-*
-* Distributed under the terms of the Botan license
-*/
-
-#ifndef BOTAN_AEAD_SIV_H__
-#define BOTAN_AEAD_SIV_H__
-
-#include <botan/aead.h>
-#include <botan/block_cipher.h>
-#include <botan/stream_cipher.h>
-#include <botan/mac.h>
-#include <memory>
-
-namespace Botan {
-
-/**
-* Base class for SIV encryption and decryption (@see RFC 5297)
-*/
-class BOTAN_DLL SIV_Mode : public AEAD_Mode
- {
- public:
- secure_vector<byte> start(const byte nonce[], size_t nonce_len) override;
-
- void update(secure_vector<byte>& blocks, size_t offset = 0) override;
-
- void set_associated_data_n(size_t n, const byte ad[], size_t ad_len);
-
- void set_associated_data(const byte ad[], size_t ad_len) override
- {
- set_associated_data_n(0, ad, ad_len);
- }
-
- std::string name() const override;
-
- size_t update_granularity() const;
-
- Key_Length_Specification key_spec() const override;
-
- bool valid_nonce_length(size_t) const override;
-
- void clear();
-
- size_t tag_size() const { return 16; }
-
- protected:
- SIV_Mode(BlockCipher* cipher);
-
- StreamCipher& ctr() { return *m_ctr; }
-
- void set_ctr_iv(secure_vector<byte> V);
-
- secure_vector<byte>& msg_buf() { return m_msg_buf; }
-
- secure_vector<byte> S2V(const byte text[], size_t text_len);
- private:
- MessageAuthenticationCode& cmac() { return *m_cmac; }
-
- void key_schedule(const byte key[], size_t length) override;
-
- const std::string m_name;
-
- std::unique_ptr<StreamCipher> m_ctr;
- std::unique_ptr<MessageAuthenticationCode> m_cmac;
- secure_vector<byte> m_nonce, m_msg_buf;
- std::vector<secure_vector<byte>> m_ad_macs;
- };
-
-/**
-* SIV Encryption
-*/
-class BOTAN_DLL SIV_Encryption : public SIV_Mode
- {
- public:
- /**
- * @param cipher a block cipher
- */
- SIV_Encryption(BlockCipher* cipher) : SIV_Mode(cipher) {}
-
- void finish(secure_vector<byte>& final_block, size_t offset = 0) override;
-
- size_t output_length(size_t input_length) const override
- { return input_length + tag_size(); }
-
- size_t minimum_final_size() const override { return 0; }
- };
-
-/**
-* SIV Decryption
-*/
-class BOTAN_DLL SIV_Decryption : public SIV_Mode
- {
- public:
- /**
- * @param cipher a 128-bit block cipher
- */
- SIV_Decryption(BlockCipher* cipher) : SIV_Mode(cipher) {}
-
- void finish(secure_vector<byte>& final_block, size_t offset = 0) override;
-
- size_t output_length(size_t input_length) const override
- {
- BOTAN_ASSERT(input_length > tag_size(), "Sufficient input");
- return input_length - tag_size();
- }
-
- size_t minimum_final_size() const override { return tag_size(); }
- };
-
-}
-
-#endif |