1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
|
/*
* SIV Mode Encryption
* (C) 2013 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#include <botan/internal/mode_utils.h>
#include <botan/siv.h>
#include <botan/cmac.h>
#include <botan/ctr.h>
#include <botan/parsing.h>
namespace Botan {
BOTAN_REGISTER_BLOCK_CIPHER_MODE(SIV_Encryption, SIV_Decryption);
SIV_Mode::SIV_Mode(BlockCipher* cipher) :
m_name(cipher->name() + "/SIV"),
m_ctr(new CTR_BE(cipher->clone())),
m_cmac(new CMAC(cipher))
{
}
void SIV_Mode::clear()
{
m_ctr.reset();
m_nonce.clear();
m_msg_buf.clear();
m_ad_macs.clear();
}
std::string SIV_Mode::name() const
{
return m_name;
}
bool SIV_Mode::valid_nonce_length(size_t) const
{
return true;
}
size_t SIV_Mode::update_granularity() const
{
/*
This value does not particularly matter as regardless SIV_Mode::update
buffers all input, so in theory this could be 1. However as for instance
Transform_Filter creates update_granularity() byte buffers, use a
somewhat large size to avoid bouncing on a tiny buffer.
*/
return 128;
}
Key_Length_Specification SIV_Mode::key_spec() const
{
return m_cmac->key_spec().multiple(2);
}
void SIV_Mode::key_schedule(const byte key[], size_t length)
{
const size_t keylen = length / 2;
m_cmac->set_key(key, keylen);
m_ctr->set_key(key + keylen, keylen);
m_ad_macs.clear();
}
void SIV_Mode::set_associated_data_n(size_t n, const byte ad[], size_t length)
{
if(n >= m_ad_macs.size())
m_ad_macs.resize(n+1);
m_ad_macs[n] = m_cmac->process(ad, length);
}
secure_vector<byte> SIV_Mode::start_raw(const byte nonce[], size_t nonce_len)
{
if(!valid_nonce_length(nonce_len))
throw Invalid_IV_Length(name(), nonce_len);
if(nonce_len)
m_nonce = m_cmac->process(nonce, nonce_len);
else
m_nonce.clear();
m_msg_buf.clear();
return secure_vector<byte>();
}
void SIV_Mode::update(secure_vector<byte>& buffer, size_t offset)
{
BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
const size_t sz = buffer.size() - offset;
byte* buf = &buffer[offset];
m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
buffer.resize(offset); // truncate msg
}
secure_vector<byte> SIV_Mode::S2V(const byte* text, size_t text_len)
{
const byte zero[16] = { 0 };
secure_vector<byte> V = m_cmac->process(zero, 16);
for(size_t i = 0; i != m_ad_macs.size(); ++i)
{
V = CMAC::poly_double(V);
V ^= m_ad_macs[i];
}
if(m_nonce.size())
{
V = CMAC::poly_double(V);
V ^= m_nonce;
}
if(text_len < 16)
{
V = CMAC::poly_double(V);
xor_buf(&V[0], text, text_len);
V[text_len] ^= 0x80;
return m_cmac->process(V);
}
m_cmac->update(text, text_len - 16);
xor_buf(&V[0], &text[text_len - 16], 16);
m_cmac->update(V);
return m_cmac->final();
}
void SIV_Mode::set_ctr_iv(secure_vector<byte> V)
{
V[8] &= 0x7F;
V[12] &= 0x7F;
ctr().set_iv(&V[0], V.size());
}
void SIV_Encryption::finish(secure_vector<byte>& buffer, size_t offset)
{
BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
secure_vector<byte> V = S2V(&buffer[offset], buffer.size() - offset);
buffer.insert(buffer.begin() + offset, V.begin(), V.end());
set_ctr_iv(V);
ctr().cipher1(&buffer[offset + V.size()], buffer.size() - offset - V.size());
}
void SIV_Decryption::finish(secure_vector<byte>& buffer, size_t offset)
{
BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
const size_t sz = buffer.size() - offset;
BOTAN_ASSERT(sz >= tag_size(), "We have the tag");
secure_vector<byte> V(&buffer[offset], &buffer[offset + 16]);
set_ctr_iv(V);
ctr().cipher(&buffer[offset + V.size()],
&buffer[offset],
buffer.size() - offset - V.size());
secure_vector<byte> T = S2V(&buffer[offset], buffer.size() - offset - V.size());
if(T != V)
throw Integrity_Failure("SIV tag check failed");
buffer.resize(buffer.size() - tag_size());
}
}
|