/src/botan/src/lib/modes/aead/ocb/ocb.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * OCB Mode |
3 | | * (C) 2013,2017 Jack Lloyd |
4 | | * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/ocb.h> |
10 | | #include <botan/block_cipher.h> |
11 | | #include <botan/internal/poly_dbl.h> |
12 | | #include <botan/internal/bit_ops.h> |
13 | | |
14 | | namespace Botan { |
15 | | |
16 | | // Has to be in Botan namespace so unique_ptr can reference it |
17 | | class L_computer final |
18 | | { |
19 | | public: |
20 | | explicit L_computer(const BlockCipher& cipher) : |
21 | | m_BS(cipher.block_size()), |
22 | | m_max_blocks(cipher.parallel_bytes() / m_BS) |
23 | 518 | { |
24 | 518 | m_L_star.resize(m_BS); |
25 | 518 | cipher.encrypt(m_L_star); |
26 | 518 | m_L_dollar = poly_double(star()); |
27 | 518 | m_L.push_back(poly_double(dollar())); |
28 | 518 | |
29 | 4.14k | while(m_L.size() < 8) |
30 | 3.62k | m_L.push_back(poly_double(m_L.back())); |
31 | 518 | |
32 | 518 | m_offset_buf.resize(m_BS * m_max_blocks); |
33 | 518 | } |
34 | | |
35 | | void init(const secure_vector<uint8_t>& offset) |
36 | 631 | { |
37 | 631 | m_offset = offset; |
38 | 631 | } |
39 | | |
40 | 624 | bool initialized() const { return m_offset.empty() == false; } |
41 | | |
42 | 1.47k | const secure_vector<uint8_t>& star() const { return m_L_star; } |
43 | 1.14k | const secure_vector<uint8_t>& dollar() const { return m_L_dollar; } |
44 | 631 | const secure_vector<uint8_t>& offset() const { return m_offset; } |
45 | | |
46 | | const secure_vector<uint8_t>& get(size_t i) const |
47 | 8.14k | { |
48 | 8.16k | while(m_L.size() <= i) |
49 | 24 | m_L.push_back(poly_double(m_L.back())); |
50 | 8.14k | |
51 | 8.14k | return m_L[i]; |
52 | 8.14k | } |
53 | | |
54 | | const uint8_t* |
55 | | compute_offsets(size_t block_index, size_t blocks) |
56 | 1.51k | { |
57 | 1.51k | BOTAN_ASSERT(blocks <= m_max_blocks, "OCB offsets"); |
58 | 1.51k | |
59 | 1.51k | uint8_t* offsets = m_offset_buf.data(); |
60 | 1.51k | |
61 | 1.51k | if(block_index % 4 == 0) |
62 | 1.51k | { |
63 | 1.51k | const secure_vector<uint8_t>& L0 = get(0); |
64 | 1.51k | const secure_vector<uint8_t>& L1 = get(1); |
65 | 1.51k | |
66 | 6.14k | while(blocks >= 4) |
67 | 4.62k | { |
68 | 4.62k | // ntz(4*i+1) == 0 |
69 | 4.62k | // ntz(4*i+2) == 1 |
70 | 4.62k | // ntz(4*i+3) == 0 |
71 | 4.62k | block_index += 4; |
72 | 4.62k | const size_t ntz4 = var_ctz32(static_cast<uint32_t>(block_index)); |
73 | 4.62k | |
74 | 4.62k | xor_buf(offsets, m_offset.data(), L0.data(), m_BS); |
75 | 4.62k | offsets += m_BS; |
76 | 4.62k | |
77 | 4.62k | xor_buf(offsets, offsets - m_BS, L1.data(), m_BS); |
78 | 4.62k | offsets += m_BS; |
79 | 4.62k | |
80 | 4.62k | xor_buf(m_offset.data(), L1.data(), m_BS); |
81 | 4.62k | copy_mem(offsets, m_offset.data(), m_BS); |
82 | 4.62k | offsets += m_BS; |
83 | 4.62k | |
84 | 4.62k | xor_buf(m_offset.data(), get(ntz4).data(), m_BS); |
85 | 4.62k | copy_mem(offsets, m_offset.data(), m_BS); |
86 | 4.62k | offsets += m_BS; |
87 | 4.62k | |
88 | 4.62k | blocks -= 4; |
89 | 4.62k | } |
90 | 1.51k | } |
91 | 1.51k | |
92 | 2.00k | for(size_t i = 0; i != blocks; ++i) |
93 | 489 | { // could be done in parallel |
94 | 489 | const size_t ntz = var_ctz32(static_cast<uint32_t>(block_index + i + 1)); |
95 | 489 | xor_buf(m_offset.data(), get(ntz).data(), m_BS); |
96 | 489 | copy_mem(offsets, m_offset.data(), m_BS); |
97 | 489 | offsets += m_BS; |
98 | 489 | } |
99 | 1.51k | |
100 | 1.51k | return m_offset_buf.data(); |
101 | 1.51k | } |
102 | | |
103 | | private: |
104 | | secure_vector<uint8_t> poly_double(const secure_vector<uint8_t>& in) const |
105 | 4.68k | { |
106 | 4.68k | secure_vector<uint8_t> out(in.size()); |
107 | 4.68k | poly_double_n(out.data(), in.data(), out.size()); |
108 | 4.68k | return out; |
109 | 4.68k | } |
110 | | |
111 | | const size_t m_BS, m_max_blocks; |
112 | | secure_vector<uint8_t> m_L_dollar, m_L_star; |
113 | | secure_vector<uint8_t> m_offset; |
114 | | mutable std::vector<secure_vector<uint8_t>> m_L; |
115 | | secure_vector<uint8_t> m_offset_buf; |
116 | | }; |
117 | | |
118 | | namespace { |
119 | | |
120 | | /* |
121 | | * OCB's HASH |
122 | | */ |
123 | | secure_vector<uint8_t> ocb_hash(const L_computer& L, |
124 | | const BlockCipher& cipher, |
125 | | const uint8_t ad[], size_t ad_len) |
126 | 631 | { |
127 | 631 | const size_t BS = cipher.block_size(); |
128 | 631 | secure_vector<uint8_t> sum(BS); |
129 | 631 | secure_vector<uint8_t> offset(BS); |
130 | 631 | |
131 | 631 | secure_vector<uint8_t> buf(BS); |
132 | 631 | |
133 | 631 | const size_t ad_blocks = (ad_len / BS); |
134 | 631 | const size_t ad_remainder = (ad_len % BS); |
135 | 631 | |
136 | 631 | for(size_t i = 0; i != ad_blocks; ++i) |
137 | 0 | { |
138 | 0 | // this loop could run in parallel |
139 | 0 | offset ^= L.get(var_ctz32(static_cast<uint32_t>(i+1))); |
140 | 0 | buf = offset; |
141 | 0 | xor_buf(buf.data(), &ad[BS*i], BS); |
142 | 0 | cipher.encrypt(buf); |
143 | 0 | sum ^= buf; |
144 | 0 | } |
145 | 631 | |
146 | 631 | if(ad_remainder) |
147 | 631 | { |
148 | 631 | offset ^= L.star(); |
149 | 631 | buf = offset; |
150 | 631 | xor_buf(buf.data(), &ad[BS*ad_blocks], ad_remainder); |
151 | 631 | buf[ad_remainder] ^= 0x80; |
152 | 631 | cipher.encrypt(buf); |
153 | 631 | sum ^= buf; |
154 | 631 | } |
155 | 631 | |
156 | 631 | return sum; |
157 | 631 | } |
158 | | |
159 | | } |
160 | | |
161 | | OCB_Mode::OCB_Mode(BlockCipher* cipher, size_t tag_size) : |
162 | | m_cipher(cipher), |
163 | | m_checksum(m_cipher->parallel_bytes()), |
164 | | m_ad_hash(m_cipher->block_size()), |
165 | | m_tag_size(tag_size), |
166 | | m_block_size(m_cipher->block_size()), |
167 | | m_par_blocks(m_cipher->parallel_bytes() / m_block_size) |
168 | 518 | { |
169 | 518 | const size_t BS = block_size(); |
170 | 518 | |
171 | 518 | /* |
172 | 518 | * draft-krovetz-ocb-wide-d1 specifies OCB for several other block |
173 | 518 | * sizes but only 128, 192, 256 and 512 bit are currently supported |
174 | 518 | * by this implementation. |
175 | 518 | */ |
176 | 518 | BOTAN_ARG_CHECK(BS == 16 || BS == 24 || BS == 32 || BS == 64, |
177 | 518 | "Invalid block size for OCB"); |
178 | 518 | |
179 | 518 | BOTAN_ARG_CHECK(m_tag_size % 4 == 0 && |
180 | 518 | m_tag_size >= 8 && m_tag_size <= BS && |
181 | 518 | m_tag_size <= 32, |
182 | 518 | "Invalid OCB tag length"); |
183 | 518 | } |
184 | | |
185 | 518 | OCB_Mode::~OCB_Mode() { /* for unique_ptr destructor */ } |
186 | | |
187 | | void OCB_Mode::clear() |
188 | 0 | { |
189 | 0 | m_cipher->clear(); |
190 | 0 | m_L.reset(); // add clear here? |
191 | 0 | reset(); |
192 | 0 | } |
193 | | |
194 | | void OCB_Mode::reset() |
195 | 0 | { |
196 | 0 | m_block_index = 0; |
197 | 0 | zeroise(m_ad_hash); |
198 | 0 | zeroise(m_checksum); |
199 | 0 | m_last_nonce.clear(); |
200 | 0 | m_stretch.clear(); |
201 | 0 | } |
202 | | |
203 | | bool OCB_Mode::valid_nonce_length(size_t length) const |
204 | 631 | { |
205 | 631 | if(length == 0) |
206 | 0 | return false; |
207 | 631 | if(block_size() == 16) |
208 | 631 | return length < 16; |
209 | 0 | else |
210 | 0 | return length < (block_size() - 1); |
211 | 631 | } |
212 | | |
213 | | std::string OCB_Mode::name() const |
214 | 0 | { |
215 | 0 | return m_cipher->name() + "/OCB"; // include tag size? |
216 | 0 | } |
217 | | |
218 | | size_t OCB_Mode::update_granularity() const |
219 | 0 | { |
220 | 0 | return (m_par_blocks * block_size()); |
221 | 0 | } |
222 | | |
223 | | Key_Length_Specification OCB_Mode::key_spec() const |
224 | 518 | { |
225 | 518 | return m_cipher->key_spec(); |
226 | 518 | } |
227 | | |
228 | | void OCB_Mode::key_schedule(const uint8_t key[], size_t length) |
229 | 518 | { |
230 | 518 | m_cipher->set_key(key, length); |
231 | 518 | m_L.reset(new L_computer(*m_cipher)); |
232 | 518 | } |
233 | | |
234 | | void OCB_Mode::set_associated_data(const uint8_t ad[], size_t ad_len) |
235 | 631 | { |
236 | 631 | verify_key_set(m_L != nullptr); |
237 | 631 | m_ad_hash = ocb_hash(*m_L, *m_cipher, ad, ad_len); |
238 | 631 | } |
239 | | |
240 | | const secure_vector<uint8_t>& |
241 | | OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len) |
242 | 631 | { |
243 | 631 | const size_t BS = block_size(); |
244 | 631 | |
245 | 631 | BOTAN_ASSERT(BS == 16 || BS == 24 || BS == 32 || BS == 64, |
246 | 631 | "OCB block size is supported"); |
247 | 631 | |
248 | 631 | const size_t MASKLEN = (BS == 16 ? 6 : ((BS == 24) ? 7 : 8)); |
249 | 631 | |
250 | 631 | const uint8_t BOTTOM_MASK = |
251 | 631 | static_cast<uint8_t>((static_cast<uint16_t>(1) << MASKLEN) - 1); |
252 | 631 | |
253 | 631 | m_nonce_buf.resize(BS); |
254 | 631 | clear_mem(&m_nonce_buf[0], m_nonce_buf.size()); |
255 | 631 | |
256 | 631 | copy_mem(&m_nonce_buf[BS - nonce_len], nonce, nonce_len); |
257 | 631 | m_nonce_buf[0] = static_cast<uint8_t>(((tag_size()*8) % (BS*8)) << (BS <= 16 ? 1 : 0)); |
258 | 631 | |
259 | 631 | m_nonce_buf[BS - nonce_len - 1] ^= 1; |
260 | 631 | |
261 | 631 | const uint8_t bottom = m_nonce_buf[BS-1] & BOTTOM_MASK; |
262 | 631 | m_nonce_buf[BS-1] &= ~BOTTOM_MASK; |
263 | 631 | |
264 | 631 | const bool need_new_stretch = (m_last_nonce != m_nonce_buf); |
265 | 631 | |
266 | 631 | if(need_new_stretch) |
267 | 438 | { |
268 | 438 | m_last_nonce = m_nonce_buf; |
269 | 438 | |
270 | 438 | m_cipher->encrypt(m_nonce_buf); |
271 | 438 | |
272 | 438 | /* |
273 | 438 | The loop bounds (BS vs BS/2) are derived from the relation |
274 | 438 | between the block size and the MASKLEN. Using the terminology |
275 | 438 | of draft-krovetz-ocb-wide, we have to derive enough bits in |
276 | 438 | ShiftedKtop to read up to BLOCKLEN+bottom bits from Stretch. |
277 | 438 | |
278 | 438 | +----------+---------+-------+---------+ |
279 | 438 | | BLOCKLEN | RESIDUE | SHIFT | MASKLEN | |
280 | 438 | +----------+---------+-------+---------+ |
281 | 438 | | 32 | 141 | 17 | 4 | |
282 | 438 | | 64 | 27 | 25 | 5 | |
283 | 438 | | 96 | 1601 | 33 | 6 | |
284 | 438 | | 128 | 135 | 8 | 6 | |
285 | 438 | | 192 | 135 | 40 | 7 | |
286 | 438 | | 256 | 1061 | 1 | 8 | |
287 | 438 | | 384 | 4109 | 80 | 8 | |
288 | 438 | | 512 | 293 | 176 | 8 | |
289 | 438 | | 1024 | 524355 | 352 | 9 | |
290 | 438 | +----------+---------+-------+---------+ |
291 | 438 | */ |
292 | 438 | if(BS == 16) |
293 | 438 | { |
294 | 3.94k | for(size_t i = 0; i != BS / 2; ++i) |
295 | 3.50k | m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+1]); |
296 | 438 | } |
297 | 0 | else if(BS == 24) |
298 | 0 | { |
299 | 0 | for(size_t i = 0; i != 16; ++i) |
300 | 0 | m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+5]); |
301 | 0 | } |
302 | 0 | else if(BS == 32) |
303 | 0 | { |
304 | 0 | for(size_t i = 0; i != BS; ++i) |
305 | 0 | m_nonce_buf.push_back(m_nonce_buf[i] ^ (m_nonce_buf[i] << 1) ^ (m_nonce_buf[i+1] >> 7)); |
306 | 0 | } |
307 | 0 | else if(BS == 64) |
308 | 0 | { |
309 | 0 | for(size_t i = 0; i != BS / 2; ++i) |
310 | 0 | m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+22]); |
311 | 0 | } |
312 | 438 | |
313 | 438 | m_stretch = m_nonce_buf; |
314 | 438 | } |
315 | 631 | |
316 | 631 | // now set the offset from stretch and bottom |
317 | 631 | const size_t shift_bytes = bottom / 8; |
318 | 631 | const size_t shift_bits = bottom % 8; |
319 | 631 | |
320 | 631 | BOTAN_ASSERT(m_stretch.size() >= BS + shift_bytes + 1, "Size ok"); |
321 | 631 | |
322 | 631 | m_offset.resize(BS); |
323 | 10.7k | for(size_t i = 0; i != BS; ++i) |
324 | 10.0k | { |
325 | 10.0k | m_offset[i] = (m_stretch[i+shift_bytes] << shift_bits); |
326 | 10.0k | m_offset[i] |= (m_stretch[i+shift_bytes+1] >> (8-shift_bits)); |
327 | 10.0k | } |
328 | 631 | |
329 | 631 | return m_offset; |
330 | 631 | } |
331 | | |
332 | | void OCB_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) |
333 | 631 | { |
334 | 631 | if(!valid_nonce_length(nonce_len)) |
335 | 0 | throw Invalid_IV_Length(name(), nonce_len); |
336 | 631 | |
337 | 631 | verify_key_set(m_L != nullptr); |
338 | 631 | |
339 | 631 | m_L->init(update_nonce(nonce, nonce_len)); |
340 | 631 | zeroise(m_checksum); |
341 | 631 | m_block_index = 0; |
342 | 631 | } |
343 | | |
344 | | void OCB_Encryption::encrypt(uint8_t buffer[], size_t blocks) |
345 | 444 | { |
346 | 444 | verify_key_set(m_L != nullptr); |
347 | 444 | BOTAN_STATE_CHECK(m_L->initialized()); |
348 | 444 | |
349 | 444 | const size_t BS = block_size(); |
350 | 444 | |
351 | 695 | while(blocks) |
352 | 251 | { |
353 | 251 | const size_t proc_blocks = std::min(blocks, par_blocks()); |
354 | 251 | const size_t proc_bytes = proc_blocks * BS; |
355 | 251 | |
356 | 251 | const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks); |
357 | 251 | |
358 | 251 | xor_buf(m_checksum.data(), buffer, proc_bytes); |
359 | 251 | |
360 | 251 | m_cipher->encrypt_n_xex(buffer, offsets, proc_blocks); |
361 | 251 | |
362 | 251 | buffer += proc_bytes; |
363 | 251 | blocks -= proc_blocks; |
364 | 251 | m_block_index += proc_blocks; |
365 | 251 | } |
366 | 444 | } |
367 | | |
368 | | size_t OCB_Encryption::process(uint8_t buf[], size_t sz) |
369 | 0 | { |
370 | 0 | BOTAN_ASSERT(sz % update_granularity() == 0, "Invalid OCB input size"); |
371 | 0 | encrypt(buf, sz / block_size()); |
372 | 0 | return sz; |
373 | 0 | } |
374 | | |
375 | | void OCB_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
376 | 444 | { |
377 | 444 | verify_key_set(m_L != nullptr); |
378 | 444 | |
379 | 444 | const size_t BS = block_size(); |
380 | 444 | |
381 | 444 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
382 | 444 | const size_t sz = buffer.size() - offset; |
383 | 444 | uint8_t* buf = buffer.data() + offset; |
384 | 444 | |
385 | 444 | secure_vector<uint8_t> mac(BS); |
386 | 444 | |
387 | 444 | if(sz) |
388 | 444 | { |
389 | 444 | const size_t final_full_blocks = sz / BS; |
390 | 444 | const size_t remainder_bytes = sz - (final_full_blocks * BS); |
391 | 444 | |
392 | 444 | encrypt(buf, final_full_blocks); |
393 | 444 | mac = m_L->offset(); |
394 | 444 | |
395 | 444 | if(remainder_bytes) |
396 | 193 | { |
397 | 193 | BOTAN_ASSERT(remainder_bytes < BS, "Only a partial block left"); |
398 | 193 | uint8_t* remainder = &buf[sz - remainder_bytes]; |
399 | 193 | |
400 | 193 | xor_buf(m_checksum.data(), remainder, remainder_bytes); |
401 | 193 | m_checksum[remainder_bytes] ^= 0x80; |
402 | 193 | |
403 | 193 | // Offset_* |
404 | 193 | mac ^= m_L->star(); |
405 | 193 | |
406 | 193 | secure_vector<uint8_t> pad(BS); |
407 | 193 | m_cipher->encrypt(mac, pad); |
408 | 193 | xor_buf(remainder, pad.data(), remainder_bytes); |
409 | 193 | } |
410 | 444 | } |
411 | 0 | else |
412 | 0 | { |
413 | 0 | mac = m_L->offset(); |
414 | 0 | } |
415 | 444 | |
416 | 444 | // now compute the tag |
417 | 444 | |
418 | 444 | // fold checksum |
419 | 7.54k | for(size_t i = 0; i != m_checksum.size(); i += BS) |
420 | 7.10k | { |
421 | 7.10k | xor_buf(mac.data(), m_checksum.data() + i, BS); |
422 | 7.10k | } |
423 | 444 | |
424 | 444 | xor_buf(mac.data(), m_L->dollar().data(), BS); |
425 | 444 | m_cipher->encrypt(mac); |
426 | 444 | xor_buf(mac.data(), m_ad_hash.data(), BS); |
427 | 444 | |
428 | 444 | buffer += std::make_pair(mac.data(), tag_size()); |
429 | 444 | |
430 | 444 | zeroise(m_checksum); |
431 | 444 | m_block_index = 0; |
432 | 444 | } |
433 | | |
434 | | void OCB_Decryption::decrypt(uint8_t buffer[], size_t blocks) |
435 | 180 | { |
436 | 180 | verify_key_set(m_L != nullptr); |
437 | 180 | BOTAN_STATE_CHECK(m_L->initialized()); |
438 | 180 | |
439 | 180 | const size_t BS = block_size(); |
440 | 180 | |
441 | 1.44k | while(blocks) |
442 | 1.26k | { |
443 | 1.26k | const size_t proc_blocks = std::min(blocks, par_blocks()); |
444 | 1.26k | const size_t proc_bytes = proc_blocks * BS; |
445 | 1.26k | |
446 | 1.26k | const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks); |
447 | 1.26k | |
448 | 1.26k | m_cipher->decrypt_n_xex(buffer, offsets, proc_blocks); |
449 | 1.26k | |
450 | 1.26k | xor_buf(m_checksum.data(), buffer, proc_bytes); |
451 | 1.26k | |
452 | 1.26k | buffer += proc_bytes; |
453 | 1.26k | blocks -= proc_blocks; |
454 | 1.26k | m_block_index += proc_blocks; |
455 | 1.26k | } |
456 | 180 | } |
457 | | |
458 | | size_t OCB_Decryption::process(uint8_t buf[], size_t sz) |
459 | 0 | { |
460 | 0 | BOTAN_ASSERT(sz % update_granularity() == 0, "Invalid OCB input size"); |
461 | 0 | decrypt(buf, sz / block_size()); |
462 | 0 | return sz; |
463 | 0 | } |
464 | | |
465 | | void OCB_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
466 | 187 | { |
467 | 187 | verify_key_set(m_L != nullptr); |
468 | 187 | |
469 | 187 | const size_t BS = block_size(); |
470 | 187 | |
471 | 187 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
472 | 187 | const size_t sz = buffer.size() - offset; |
473 | 187 | uint8_t* buf = buffer.data() + offset; |
474 | 187 | |
475 | 187 | BOTAN_ASSERT(sz >= tag_size(), "We have the tag"); |
476 | 187 | |
477 | 187 | const size_t remaining = sz - tag_size(); |
478 | 187 | |
479 | 187 | secure_vector<uint8_t> mac(BS); |
480 | 187 | |
481 | 187 | if(remaining) |
482 | 180 | { |
483 | 180 | const size_t final_full_blocks = remaining / BS; |
484 | 180 | const size_t final_bytes = remaining - (final_full_blocks * BS); |
485 | 180 | |
486 | 180 | decrypt(buf, final_full_blocks); |
487 | 180 | mac ^= m_L->offset(); |
488 | 180 | |
489 | 180 | if(final_bytes) |
490 | 128 | { |
491 | 128 | BOTAN_ASSERT(final_bytes < BS, "Only a partial block left"); |
492 | 128 | |
493 | 128 | uint8_t* remainder = &buf[remaining - final_bytes]; |
494 | 128 | |
495 | 128 | mac ^= m_L->star(); |
496 | 128 | secure_vector<uint8_t> pad(BS); |
497 | 128 | m_cipher->encrypt(mac, pad); // P_* |
498 | 128 | xor_buf(remainder, pad.data(), final_bytes); |
499 | 128 | |
500 | 128 | xor_buf(m_checksum.data(), remainder, final_bytes); |
501 | 128 | m_checksum[final_bytes] ^= 0x80; |
502 | 128 | } |
503 | 180 | } |
504 | 7 | else |
505 | 7 | mac = m_L->offset(); |
506 | 187 | |
507 | 187 | // compute the mac |
508 | 187 | |
509 | 187 | // fold checksum |
510 | 3.17k | for(size_t i = 0; i != m_checksum.size(); i += BS) |
511 | 2.99k | { |
512 | 2.99k | xor_buf(mac.data(), m_checksum.data() + i, BS); |
513 | 2.99k | } |
514 | 187 | |
515 | 187 | mac ^= m_L->dollar(); |
516 | 187 | m_cipher->encrypt(mac); |
517 | 187 | mac ^= m_ad_hash; |
518 | 187 | |
519 | 187 | // reset state |
520 | 187 | zeroise(m_checksum); |
521 | 187 | m_block_index = 0; |
522 | 187 | |
523 | 187 | // compare mac |
524 | 187 | const uint8_t* included_tag = &buf[remaining]; |
525 | 187 | |
526 | 187 | if(!constant_time_compare(mac.data(), included_tag, tag_size())) |
527 | 187 | throw Invalid_Authentication_Tag("OCB tag check failed"); |
528 | 0 | |
529 | 0 | // remove tag from end of message |
530 | 0 | buffer.resize(remaining + offset); |
531 | 0 | } |
532 | | |
533 | | } |