Coverage Report

Created: 2020-05-23 13:54

/src/botan/src/lib/modes/aead/ocb/ocb.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* OCB Mode
3
* (C) 2013,2017 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/ocb.h>
10
#include <botan/block_cipher.h>
11
#include <botan/internal/poly_dbl.h>
12
#include <botan/internal/bit_ops.h>
13
14
namespace Botan {
15
16
// Has to be in Botan namespace so unique_ptr can reference it
17
class L_computer final
18
   {
19
   public:
20
      explicit L_computer(const BlockCipher& cipher) :
21
         m_BS(cipher.block_size()),
22
         m_max_blocks(cipher.parallel_bytes() / m_BS)
23
518
         {
24
518
         m_L_star.resize(m_BS);
25
518
         cipher.encrypt(m_L_star);
26
518
         m_L_dollar = poly_double(star());
27
518
         m_L.push_back(poly_double(dollar()));
28
518
29
4.14k
         while(m_L.size() < 8)
30
3.62k
            m_L.push_back(poly_double(m_L.back()));
31
518
32
518
         m_offset_buf.resize(m_BS * m_max_blocks);
33
518
         }
34
35
      void init(const secure_vector<uint8_t>& offset)
36
631
         {
37
631
         m_offset = offset;
38
631
         }
39
40
624
      bool initialized() const { return m_offset.empty() == false; }
41
42
1.47k
      const secure_vector<uint8_t>& star() const { return m_L_star; }
43
1.14k
      const secure_vector<uint8_t>& dollar() const { return m_L_dollar; }
44
631
      const secure_vector<uint8_t>& offset() const { return m_offset; }
45
46
      const secure_vector<uint8_t>& get(size_t i) const
47
8.14k
         {
48
8.16k
         while(m_L.size() <= i)
49
24
            m_L.push_back(poly_double(m_L.back()));
50
8.14k
51
8.14k
         return m_L[i];
52
8.14k
         }
53
54
      const uint8_t*
55
      compute_offsets(size_t block_index, size_t blocks)
56
1.51k
         {
57
1.51k
         BOTAN_ASSERT(blocks <= m_max_blocks, "OCB offsets");
58
1.51k
59
1.51k
         uint8_t* offsets = m_offset_buf.data();
60
1.51k
61
1.51k
         if(block_index % 4 == 0)
62
1.51k
            {
63
1.51k
            const secure_vector<uint8_t>& L0 = get(0);
64
1.51k
            const secure_vector<uint8_t>& L1 = get(1);
65
1.51k
66
6.14k
            while(blocks >= 4)
67
4.62k
               {
68
4.62k
               // ntz(4*i+1) == 0
69
4.62k
               // ntz(4*i+2) == 1
70
4.62k
               // ntz(4*i+3) == 0
71
4.62k
               block_index += 4;
72
4.62k
               const size_t ntz4 = var_ctz32(static_cast<uint32_t>(block_index));
73
4.62k
74
4.62k
               xor_buf(offsets, m_offset.data(), L0.data(), m_BS);
75
4.62k
               offsets += m_BS;
76
4.62k
77
4.62k
               xor_buf(offsets, offsets - m_BS, L1.data(), m_BS);
78
4.62k
               offsets += m_BS;
79
4.62k
80
4.62k
               xor_buf(m_offset.data(), L1.data(), m_BS);
81
4.62k
               copy_mem(offsets, m_offset.data(), m_BS);
82
4.62k
               offsets += m_BS;
83
4.62k
84
4.62k
               xor_buf(m_offset.data(), get(ntz4).data(), m_BS);
85
4.62k
               copy_mem(offsets, m_offset.data(), m_BS);
86
4.62k
               offsets += m_BS;
87
4.62k
88
4.62k
               blocks -= 4;
89
4.62k
               }
90
1.51k
            }
91
1.51k
92
2.00k
         for(size_t i = 0; i != blocks; ++i)
93
489
            { // could be done in parallel
94
489
            const size_t ntz = var_ctz32(static_cast<uint32_t>(block_index + i + 1));
95
489
            xor_buf(m_offset.data(), get(ntz).data(), m_BS);
96
489
            copy_mem(offsets, m_offset.data(), m_BS);
97
489
            offsets += m_BS;
98
489
            }
99
1.51k
100
1.51k
         return m_offset_buf.data();
101
1.51k
         }
102
103
   private:
104
      secure_vector<uint8_t> poly_double(const secure_vector<uint8_t>& in) const
105
4.68k
         {
106
4.68k
         secure_vector<uint8_t> out(in.size());
107
4.68k
         poly_double_n(out.data(), in.data(), out.size());
108
4.68k
         return out;
109
4.68k
         }
110
111
      const size_t m_BS, m_max_blocks;
112
      secure_vector<uint8_t> m_L_dollar, m_L_star;
113
      secure_vector<uint8_t> m_offset;
114
      mutable std::vector<secure_vector<uint8_t>> m_L;
115
      secure_vector<uint8_t> m_offset_buf;
116
   };
117
118
namespace {
119
120
/*
121
* OCB's HASH
122
*/
123
secure_vector<uint8_t> ocb_hash(const L_computer& L,
124
                                const BlockCipher& cipher,
125
                                const uint8_t ad[], size_t ad_len)
126
631
   {
127
631
   const size_t BS = cipher.block_size();
128
631
   secure_vector<uint8_t> sum(BS);
129
631
   secure_vector<uint8_t> offset(BS);
130
631
131
631
   secure_vector<uint8_t> buf(BS);
132
631
133
631
   const size_t ad_blocks = (ad_len / BS);
134
631
   const size_t ad_remainder = (ad_len % BS);
135
631
136
631
   for(size_t i = 0; i != ad_blocks; ++i)
137
0
      {
138
0
      // this loop could run in parallel
139
0
      offset ^= L.get(var_ctz32(static_cast<uint32_t>(i+1)));
140
0
      buf = offset;
141
0
      xor_buf(buf.data(), &ad[BS*i], BS);
142
0
      cipher.encrypt(buf);
143
0
      sum ^= buf;
144
0
      }
145
631
146
631
   if(ad_remainder)
147
631
      {
148
631
      offset ^= L.star();
149
631
      buf = offset;
150
631
      xor_buf(buf.data(), &ad[BS*ad_blocks], ad_remainder);
151
631
      buf[ad_remainder] ^= 0x80;
152
631
      cipher.encrypt(buf);
153
631
      sum ^= buf;
154
631
      }
155
631
156
631
   return sum;
157
631
   }
158
159
}
160
161
OCB_Mode::OCB_Mode(BlockCipher* cipher, size_t tag_size) :
162
   m_cipher(cipher),
163
   m_checksum(m_cipher->parallel_bytes()),
164
   m_ad_hash(m_cipher->block_size()),
165
   m_tag_size(tag_size),
166
   m_block_size(m_cipher->block_size()),
167
   m_par_blocks(m_cipher->parallel_bytes() / m_block_size)
168
518
   {
169
518
   const size_t BS = block_size();
170
518
171
518
   /*
172
518
   * draft-krovetz-ocb-wide-d1 specifies OCB for several other block
173
518
   * sizes but only 128, 192, 256 and 512 bit are currently supported
174
518
   * by this implementation.
175
518
   */
176
518
   BOTAN_ARG_CHECK(BS == 16 || BS == 24 || BS == 32 || BS == 64,
177
518
                   "Invalid block size for OCB");
178
518
179
518
   BOTAN_ARG_CHECK(m_tag_size % 4 == 0 &&
180
518
                   m_tag_size >= 8 && m_tag_size <= BS &&
181
518
                   m_tag_size <= 32,
182
518
                   "Invalid OCB tag length");
183
518
   }
184
185
518
OCB_Mode::~OCB_Mode() { /* for unique_ptr destructor */ }
186
187
void OCB_Mode::clear()
188
0
   {
189
0
   m_cipher->clear();
190
0
   m_L.reset(); // add clear here?
191
0
   reset();
192
0
   }
193
194
void OCB_Mode::reset()
195
0
   {
196
0
   m_block_index = 0;
197
0
   zeroise(m_ad_hash);
198
0
   zeroise(m_checksum);
199
0
   m_last_nonce.clear();
200
0
   m_stretch.clear();
201
0
   }
202
203
bool OCB_Mode::valid_nonce_length(size_t length) const
204
631
   {
205
631
   if(length == 0)
206
0
      return false;
207
631
   if(block_size() == 16)
208
631
      return length < 16;
209
0
   else
210
0
      return length < (block_size() - 1);
211
631
   }
212
213
std::string OCB_Mode::name() const
214
0
   {
215
0
   return m_cipher->name() + "/OCB"; // include tag size?
216
0
   }
217
218
size_t OCB_Mode::update_granularity() const
219
0
   {
220
0
   return (m_par_blocks * block_size());
221
0
   }
222
223
Key_Length_Specification OCB_Mode::key_spec() const
224
518
   {
225
518
   return m_cipher->key_spec();
226
518
   }
227
228
void OCB_Mode::key_schedule(const uint8_t key[], size_t length)
229
518
   {
230
518
   m_cipher->set_key(key, length);
231
518
   m_L.reset(new L_computer(*m_cipher));
232
518
   }
233
234
void OCB_Mode::set_associated_data(const uint8_t ad[], size_t ad_len)
235
631
   {
236
631
   verify_key_set(m_L != nullptr);
237
631
   m_ad_hash = ocb_hash(*m_L, *m_cipher, ad, ad_len);
238
631
   }
239
240
const secure_vector<uint8_t>&
241
OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len)
242
631
   {
243
631
   const size_t BS = block_size();
244
631
245
631
   BOTAN_ASSERT(BS == 16 || BS == 24 || BS == 32 || BS == 64,
246
631
                "OCB block size is supported");
247
631
248
631
   const size_t MASKLEN = (BS == 16 ? 6 : ((BS == 24) ? 7 : 8));
249
631
250
631
   const uint8_t BOTTOM_MASK =
251
631
      static_cast<uint8_t>((static_cast<uint16_t>(1) << MASKLEN) - 1);
252
631
253
631
   m_nonce_buf.resize(BS);
254
631
   clear_mem(&m_nonce_buf[0], m_nonce_buf.size());
255
631
256
631
   copy_mem(&m_nonce_buf[BS - nonce_len], nonce, nonce_len);
257
631
   m_nonce_buf[0] = static_cast<uint8_t>(((tag_size()*8) % (BS*8)) << (BS <= 16 ? 1 : 0));
258
631
259
631
   m_nonce_buf[BS - nonce_len - 1] ^= 1;
260
631
261
631
   const uint8_t bottom = m_nonce_buf[BS-1] & BOTTOM_MASK;
262
631
   m_nonce_buf[BS-1] &= ~BOTTOM_MASK;
263
631
264
631
   const bool need_new_stretch = (m_last_nonce != m_nonce_buf);
265
631
266
631
   if(need_new_stretch)
267
438
      {
268
438
      m_last_nonce = m_nonce_buf;
269
438
270
438
      m_cipher->encrypt(m_nonce_buf);
271
438
272
438
      /*
273
438
      The loop bounds (BS vs BS/2) are derived from the relation
274
438
      between the block size and the MASKLEN. Using the terminology
275
438
      of draft-krovetz-ocb-wide, we have to derive enough bits in
276
438
      ShiftedKtop to read up to BLOCKLEN+bottom bits from Stretch.
277
438
278
438
                 +----------+---------+-------+---------+
279
438
                 | BLOCKLEN | RESIDUE | SHIFT | MASKLEN |
280
438
                 +----------+---------+-------+---------+
281
438
                 |       32 |     141 |    17 |    4    |
282
438
                 |       64 |      27 |    25 |    5    |
283
438
                 |       96 |    1601 |    33 |    6    |
284
438
                 |      128 |     135 |     8 |    6    |
285
438
                 |      192 |     135 |    40 |    7    |
286
438
                 |      256 |    1061 |     1 |    8    |
287
438
                 |      384 |    4109 |    80 |    8    |
288
438
                 |      512 |     293 |   176 |    8    |
289
438
                 |     1024 |  524355 |   352 |    9    |
290
438
                 +----------+---------+-------+---------+
291
438
      */
292
438
      if(BS == 16)
293
438
         {
294
3.94k
         for(size_t i = 0; i != BS / 2; ++i)
295
3.50k
            m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+1]);
296
438
         }
297
0
      else if(BS == 24)
298
0
         {
299
0
         for(size_t i = 0; i != 16; ++i)
300
0
            m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+5]);
301
0
         }
302
0
      else if(BS == 32)
303
0
         {
304
0
         for(size_t i = 0; i != BS; ++i)
305
0
            m_nonce_buf.push_back(m_nonce_buf[i] ^ (m_nonce_buf[i] << 1) ^ (m_nonce_buf[i+1] >> 7));
306
0
         }
307
0
      else if(BS == 64)
308
0
         {
309
0
         for(size_t i = 0; i != BS / 2; ++i)
310
0
            m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+22]);
311
0
         }
312
438
313
438
      m_stretch = m_nonce_buf;
314
438
      }
315
631
316
631
   // now set the offset from stretch and bottom
317
631
   const size_t shift_bytes = bottom / 8;
318
631
   const size_t shift_bits  = bottom % 8;
319
631
320
631
   BOTAN_ASSERT(m_stretch.size() >= BS + shift_bytes + 1, "Size ok");
321
631
322
631
   m_offset.resize(BS);
323
10.7k
   for(size_t i = 0; i != BS; ++i)
324
10.0k
      {
325
10.0k
      m_offset[i]  = (m_stretch[i+shift_bytes] << shift_bits);
326
10.0k
      m_offset[i] |= (m_stretch[i+shift_bytes+1] >> (8-shift_bits));
327
10.0k
      }
328
631
329
631
   return m_offset;
330
631
   }
331
332
void OCB_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
333
631
   {
334
631
   if(!valid_nonce_length(nonce_len))
335
0
      throw Invalid_IV_Length(name(), nonce_len);
336
631
337
631
   verify_key_set(m_L != nullptr);
338
631
339
631
   m_L->init(update_nonce(nonce, nonce_len));
340
631
   zeroise(m_checksum);
341
631
   m_block_index = 0;
342
631
   }
343
344
void OCB_Encryption::encrypt(uint8_t buffer[], size_t blocks)
345
444
   {
346
444
   verify_key_set(m_L != nullptr);
347
444
   BOTAN_STATE_CHECK(m_L->initialized());
348
444
349
444
   const size_t BS = block_size();
350
444
351
695
   while(blocks)
352
251
      {
353
251
      const size_t proc_blocks = std::min(blocks, par_blocks());
354
251
      const size_t proc_bytes = proc_blocks * BS;
355
251
356
251
      const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks);
357
251
358
251
      xor_buf(m_checksum.data(), buffer, proc_bytes);
359
251
360
251
      m_cipher->encrypt_n_xex(buffer, offsets, proc_blocks);
361
251
362
251
      buffer += proc_bytes;
363
251
      blocks -= proc_blocks;
364
251
      m_block_index += proc_blocks;
365
251
      }
366
444
   }
367
368
size_t OCB_Encryption::process(uint8_t buf[], size_t sz)
369
0
   {
370
0
   BOTAN_ASSERT(sz % update_granularity() == 0, "Invalid OCB input size");
371
0
   encrypt(buf, sz / block_size());
372
0
   return sz;
373
0
   }
374
375
void OCB_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
376
444
   {
377
444
   verify_key_set(m_L != nullptr);
378
444
379
444
   const size_t BS = block_size();
380
444
381
444
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
382
444
   const size_t sz = buffer.size() - offset;
383
444
   uint8_t* buf = buffer.data() + offset;
384
444
385
444
   secure_vector<uint8_t> mac(BS);
386
444
387
444
   if(sz)
388
444
      {
389
444
      const size_t final_full_blocks = sz / BS;
390
444
      const size_t remainder_bytes = sz - (final_full_blocks * BS);
391
444
392
444
      encrypt(buf, final_full_blocks);
393
444
      mac = m_L->offset();
394
444
395
444
      if(remainder_bytes)
396
193
         {
397
193
         BOTAN_ASSERT(remainder_bytes < BS, "Only a partial block left");
398
193
         uint8_t* remainder = &buf[sz - remainder_bytes];
399
193
400
193
         xor_buf(m_checksum.data(), remainder, remainder_bytes);
401
193
         m_checksum[remainder_bytes] ^= 0x80;
402
193
403
193
         // Offset_*
404
193
         mac ^= m_L->star();
405
193
406
193
         secure_vector<uint8_t> pad(BS);
407
193
         m_cipher->encrypt(mac, pad);
408
193
         xor_buf(remainder, pad.data(), remainder_bytes);
409
193
         }
410
444
      }
411
0
   else
412
0
      {
413
0
      mac = m_L->offset();
414
0
      }
415
444
416
444
   // now compute the tag
417
444
418
444
   // fold checksum
419
7.54k
   for(size_t i = 0; i != m_checksum.size(); i += BS)
420
7.10k
      {
421
7.10k
      xor_buf(mac.data(), m_checksum.data() + i, BS);
422
7.10k
      }
423
444
424
444
   xor_buf(mac.data(), m_L->dollar().data(), BS);
425
444
   m_cipher->encrypt(mac);
426
444
   xor_buf(mac.data(), m_ad_hash.data(), BS);
427
444
428
444
   buffer += std::make_pair(mac.data(), tag_size());
429
444
430
444
   zeroise(m_checksum);
431
444
   m_block_index = 0;
432
444
   }
433
434
void OCB_Decryption::decrypt(uint8_t buffer[], size_t blocks)
435
180
   {
436
180
   verify_key_set(m_L != nullptr);
437
180
   BOTAN_STATE_CHECK(m_L->initialized());
438
180
439
180
   const size_t BS = block_size();
440
180
441
1.44k
   while(blocks)
442
1.26k
      {
443
1.26k
      const size_t proc_blocks = std::min(blocks, par_blocks());
444
1.26k
      const size_t proc_bytes = proc_blocks * BS;
445
1.26k
446
1.26k
      const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks);
447
1.26k
448
1.26k
      m_cipher->decrypt_n_xex(buffer, offsets, proc_blocks);
449
1.26k
450
1.26k
      xor_buf(m_checksum.data(), buffer, proc_bytes);
451
1.26k
452
1.26k
      buffer += proc_bytes;
453
1.26k
      blocks -= proc_blocks;
454
1.26k
      m_block_index += proc_blocks;
455
1.26k
      }
456
180
   }
457
458
size_t OCB_Decryption::process(uint8_t buf[], size_t sz)
459
0
   {
460
0
   BOTAN_ASSERT(sz % update_granularity() == 0, "Invalid OCB input size");
461
0
   decrypt(buf, sz / block_size());
462
0
   return sz;
463
0
   }
464
465
void OCB_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
466
187
   {
467
187
   verify_key_set(m_L != nullptr);
468
187
469
187
   const size_t BS = block_size();
470
187
471
187
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
472
187
   const size_t sz = buffer.size() - offset;
473
187
   uint8_t* buf = buffer.data() + offset;
474
187
475
187
   BOTAN_ASSERT(sz >= tag_size(), "We have the tag");
476
187
477
187
   const size_t remaining = sz - tag_size();
478
187
479
187
   secure_vector<uint8_t> mac(BS);
480
187
481
187
   if(remaining)
482
180
      {
483
180
      const size_t final_full_blocks = remaining / BS;
484
180
      const size_t final_bytes = remaining - (final_full_blocks * BS);
485
180
486
180
      decrypt(buf, final_full_blocks);
487
180
      mac ^= m_L->offset();
488
180
489
180
      if(final_bytes)
490
128
         {
491
128
         BOTAN_ASSERT(final_bytes < BS, "Only a partial block left");
492
128
493
128
         uint8_t* remainder = &buf[remaining - final_bytes];
494
128
495
128
         mac ^= m_L->star();
496
128
         secure_vector<uint8_t> pad(BS);
497
128
         m_cipher->encrypt(mac, pad); // P_*
498
128
         xor_buf(remainder, pad.data(), final_bytes);
499
128
500
128
         xor_buf(m_checksum.data(), remainder, final_bytes);
501
128
         m_checksum[final_bytes] ^= 0x80;
502
128
         }
503
180
      }
504
7
   else
505
7
      mac = m_L->offset();
506
187
507
187
   // compute the mac
508
187
509
187
   // fold checksum
510
3.17k
   for(size_t i = 0; i != m_checksum.size(); i += BS)
511
2.99k
      {
512
2.99k
      xor_buf(mac.data(), m_checksum.data() + i, BS);
513
2.99k
      }
514
187
515
187
   mac ^= m_L->dollar();
516
187
   m_cipher->encrypt(mac);
517
187
   mac ^= m_ad_hash;
518
187
519
187
   // reset state
520
187
   zeroise(m_checksum);
521
187
   m_block_index = 0;
522
187
523
187
   // compare mac
524
187
   const uint8_t* included_tag = &buf[remaining];
525
187
526
187
   if(!constant_time_compare(mac.data(), included_tag, tag_size()))
527
187
      throw Invalid_Authentication_Tag("OCB tag check failed");
528
0
529
0
   // remove tag from end of message
530
0
   buffer.resize(remaining + offset);
531
0
   }
532
533
}