10#include <botan/block_cipher.h>
11#include <botan/internal/poly_dbl.h>
12#include <botan/internal/bit_ops.h>
20 explicit L_computer(
const BlockCipher& cipher) :
21 m_BS(cipher.block_size()),
22 m_max_blocks(cipher.parallel_bytes() / m_BS)
24 m_L_star.resize(m_BS);
25 cipher.encrypt(m_L_star);
26 m_L_dollar = poly_double(star());
27 m_L.push_back(poly_double(dollar()));
30 m_L.push_back(poly_double(m_L.back()));
32 m_offset_buf.resize(m_BS * m_max_blocks);
35 void init(
const secure_vector<uint8_t>& offset)
40 bool initialized()
const {
return m_offset.empty() ==
false; }
42 const secure_vector<uint8_t>& star()
const {
return m_L_star; }
43 const secure_vector<uint8_t>& dollar()
const {
return m_L_dollar; }
44 const secure_vector<uint8_t>& offset()
const {
return m_offset; }
46 const secure_vector<uint8_t>& get(
size_t i)
const
48 while(m_L.size() <= i)
49 m_L.push_back(poly_double(m_L.back()));
55 compute_offsets(
size_t block_index,
size_t blocks)
59 uint8_t* offsets = m_offset_buf.data();
61 if(block_index % 4 == 0)
63 const secure_vector<uint8_t>& L0 = get(0);
64 const secure_vector<uint8_t>& L1 = get(1);
72 const size_t ntz4 =
var_ctz32(
static_cast<uint32_t
>(block_index));
74 xor_buf(offsets, m_offset.data(), L0.data(), m_BS);
77 xor_buf(offsets, offsets - m_BS, L1.data(), m_BS);
80 xor_buf(m_offset.data(), L1.data(), m_BS);
81 copy_mem(offsets, m_offset.data(), m_BS);
84 xor_buf(m_offset.data(), get(ntz4).data(), m_BS);
85 copy_mem(offsets, m_offset.data(), m_BS);
92 for(
size_t i = 0; i != blocks; ++i)
94 const size_t ntz =
var_ctz32(
static_cast<uint32_t
>(block_index + i + 1));
95 xor_buf(m_offset.data(), get(ntz).data(), m_BS);
96 copy_mem(offsets, m_offset.data(), m_BS);
100 return m_offset_buf.data();
104 secure_vector<uint8_t> poly_double(
const secure_vector<uint8_t>& in)
const
106 secure_vector<uint8_t> out(in.size());
111 const size_t m_BS, m_max_blocks;
112 secure_vector<uint8_t> m_L_dollar, m_L_star;
113 secure_vector<uint8_t> m_offset;
114 mutable std::vector<secure_vector<uint8_t>> m_L;
115 secure_vector<uint8_t> m_offset_buf;
123secure_vector<uint8_t> ocb_hash(
const L_computer& L,
124 const BlockCipher& cipher,
125 const uint8_t ad[],
size_t ad_len)
127 const size_t BS = cipher.block_size();
128 secure_vector<uint8_t> sum(BS);
129 secure_vector<uint8_t> offset(BS);
131 secure_vector<uint8_t> buf(BS);
133 const size_t ad_blocks = (ad_len / BS);
134 const size_t ad_remainder = (ad_len % BS);
136 for(
size_t i = 0; i != ad_blocks; ++i)
139 offset ^= L.get(
var_ctz32(
static_cast<uint32_t
>(i+1)));
141 xor_buf(buf.data(), &ad[BS*i], BS);
150 xor_buf(buf.data(), &ad[BS*ad_blocks], ad_remainder);
151 buf[ad_remainder] ^= 0x80;
163 m_checksum(m_cipher->parallel_bytes()),
164 m_ad_hash(m_cipher->block_size()),
165 m_tag_size(tag_size),
166 m_block_size(m_cipher->block_size()),
167 m_par_blocks(m_cipher->parallel_bytes() / m_block_size)
177 "Invalid block size for OCB");
180 m_tag_size >= 8 && m_tag_size <= BS &&
182 "Invalid OCB tag length");
199 m_last_nonce.clear();
228void OCB_Mode::key_schedule(
const uint8_t key[],
size_t length)
241OCB_Mode::update_nonce(
const uint8_t nonce[],
size_t nonce_len)
245 BOTAN_ASSERT(BS == 16 || BS == 24 || BS == 32 || BS == 64,
246 "OCB block size is supported");
248 const size_t MASKLEN = (BS == 16 ? 6 : ((BS == 24) ? 7 : 8));
250 const uint8_t BOTTOM_MASK =
251 static_cast<uint8_t
>((
static_cast<uint16_t
>(1) << MASKLEN) - 1);
253 m_nonce_buf.resize(BS);
254 clear_mem(&m_nonce_buf[0], m_nonce_buf.size());
256 copy_mem(&m_nonce_buf[BS - nonce_len], nonce, nonce_len);
257 m_nonce_buf[0] =
static_cast<uint8_t
>(((
tag_size()*8) % (BS*8)) << (BS <= 16 ? 1 : 0));
259 m_nonce_buf[BS - nonce_len - 1] ^= 1;
261 const uint8_t bottom = m_nonce_buf[BS-1] & BOTTOM_MASK;
262 m_nonce_buf[BS-1] &= ~BOTTOM_MASK;
264 const bool need_new_stretch = (m_last_nonce != m_nonce_buf);
268 m_last_nonce = m_nonce_buf;
294 for(
size_t i = 0; i != BS / 2; ++i)
295 m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+1]);
299 for(
size_t i = 0; i != 16; ++i)
300 m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+5]);
304 for(
size_t i = 0; i != BS; ++i)
305 m_nonce_buf.push_back(m_nonce_buf[i] ^ (m_nonce_buf[i] << 1) ^ (m_nonce_buf[i+1] >> 7));
309 for(
size_t i = 0; i != BS / 2; ++i)
310 m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+22]);
313 m_stretch = m_nonce_buf;
317 const size_t shift_bytes = bottom / 8;
318 const size_t shift_bits = bottom % 8;
320 BOTAN_ASSERT(m_stretch.size() >= BS + shift_bytes + 1,
"Size ok");
323 for(
size_t i = 0; i != BS; ++i)
325 m_offset[i] = (m_stretch[i+shift_bytes] << shift_bits);
326 m_offset[i] |= (m_stretch[i+shift_bytes+1] >> (8-shift_bits));
332void OCB_Mode::start_msg(
const uint8_t nonce[],
size_t nonce_len)
335 throw Invalid_IV_Length(
name(), nonce_len);
339 m_L->init(update_nonce(nonce, nonce_len));
344void OCB_Encryption::encrypt(uint8_t buffer[],
size_t blocks)
353 const size_t proc_blocks = std::min(blocks,
par_blocks());
354 const size_t proc_bytes = proc_blocks * BS;
360 m_cipher->encrypt_n_xex(buffer, offsets, proc_blocks);
362 buffer += proc_bytes;
363 blocks -= proc_blocks;
381 BOTAN_ASSERT(buffer.size() >= offset,
"Offset is sane");
382 const size_t sz = buffer.size() - offset;
383 uint8_t* buf = buffer.data() + offset;
389 const size_t final_full_blocks = sz / BS;
390 const size_t remainder_bytes = sz - (final_full_blocks * BS);
392 encrypt(buf, final_full_blocks);
397 BOTAN_ASSERT(remainder_bytes < BS,
"Only a partial block left");
398 uint8_t* remainder = &buf[sz - remainder_bytes];
408 xor_buf(remainder, pad.data(), remainder_bytes);
419 for(
size_t i = 0; i !=
m_checksum.size(); i += BS)
424 xor_buf(mac.data(),
m_L->dollar().data(), BS);
428 buffer += std::make_pair(mac.data(),
tag_size());
434void OCB_Decryption::decrypt(uint8_t buffer[],
size_t blocks)
443 const size_t proc_blocks = std::min(blocks,
par_blocks());
444 const size_t proc_bytes = proc_blocks * BS;
448 m_cipher->decrypt_n_xex(buffer, offsets, proc_blocks);
452 buffer += proc_bytes;
453 blocks -= proc_blocks;
471 BOTAN_ASSERT(buffer.size() >= offset,
"Offset is sane");
472 const size_t sz = buffer.size() - offset;
473 uint8_t* buf = buffer.data() + offset;
477 const size_t remaining = sz -
tag_size();
483 const size_t final_full_blocks = remaining / BS;
484 const size_t final_bytes = remaining - (final_full_blocks * BS);
486 decrypt(buf, final_full_blocks);
487 mac ^=
m_L->offset();
491 BOTAN_ASSERT(final_bytes < BS,
"Only a partial block left");
493 uint8_t* remainder = &buf[remaining - final_bytes];
498 xor_buf(remainder, pad.data(), final_bytes);
510 for(
size_t i = 0; i !=
m_checksum.size(); i += BS)
515 mac ^=
m_L->dollar();
524 const uint8_t* included_tag = &buf[remaining];
530 buffer.resize(remaining + offset);
#define BOTAN_STATE_CHECK(expr)
#define BOTAN_ARG_CHECK(expr, msg)
#define BOTAN_ASSERT(expr, assertion_made)
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
size_t process(uint8_t buf[], size_t size) override
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
size_t process(uint8_t buf[], size_t size) override
size_t block_size() const
void set_associated_data(const uint8_t ad[], size_t ad_len) override
size_t par_blocks() const
secure_vector< uint8_t > m_checksum
size_t tag_size() const override
std::string name() const override
std::unique_ptr< BlockCipher > m_cipher
bool valid_nonce_length(size_t) const override
secure_vector< uint8_t > m_ad_hash
size_t update_granularity() const override
OCB_Mode(BlockCipher *cipher, size_t tag_size)
Key_Length_Specification key_spec() const override
std::unique_ptr< L_computer > m_L
void verify_key_set(bool cond) const
int(* final)(unsigned char *, CTX *)
void zeroise(std::vector< T, Alloc > &vec)
void copy_mem(T *out, const T *in, size_t n)
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
size_t var_ctz32(uint32_t n)
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
void poly_double_n(uint8_t out[], const uint8_t in[], size_t n)
std::vector< T, secure_allocator< T > > secure_vector
void clear_mem(T *ptr, size_t n)