Coverage Report

Created: 2021-02-21 07:20

/src/botan/src/lib/modes/aead/ocb/ocb.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* OCB Mode
3
* (C) 2013,2017 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/ocb.h>
10
#include <botan/block_cipher.h>
11
#include <botan/internal/poly_dbl.h>
12
#include <botan/internal/bit_ops.h>
13
14
namespace Botan {
15
16
// Has to be in Botan namespace so unique_ptr can reference it
17
class L_computer final
18
   {
19
   public:
20
      explicit L_computer(const BlockCipher& cipher) :
21
         m_BS(cipher.block_size()),
22
         m_max_blocks(cipher.parallel_bytes() / m_BS)
23
380
         {
24
380
         m_L_star.resize(m_BS);
25
380
         cipher.encrypt(m_L_star);
26
380
         m_L_dollar = poly_double(star());
27
380
         m_L.push_back(poly_double(dollar()));
28
29
3.04k
         while(m_L.size() < 8)
30
2.66k
            m_L.push_back(poly_double(m_L.back()));
31
32
380
         m_offset_buf.resize(m_BS * m_max_blocks);
33
380
         }
34
35
      void init(const secure_vector<uint8_t>& offset)
36
469
         {
37
469
         m_offset = offset;
38
469
         }
39
40
466
      bool initialized() const { return m_offset.empty() == false; }
41
42
1.11k
      const secure_vector<uint8_t>& star() const { return m_L_star; }
43
849
      const secure_vector<uint8_t>& dollar() const { return m_L_dollar; }
44
469
      const secure_vector<uint8_t>& offset() const { return m_offset; }
45
46
      const secure_vector<uint8_t>& get(size_t i) const
47
5.57k
         {
48
5.58k
         while(m_L.size() <= i)
49
15
            m_L.push_back(poly_double(m_L.back()));
50
51
5.57k
         return m_L[i];
52
5.57k
         }
53
54
      const uint8_t*
55
      compute_offsets(size_t block_index, size_t blocks)
56
1.03k
         {
57
1.03k
         BOTAN_ASSERT(blocks <= m_max_blocks, "OCB offsets");
58
59
1.03k
         uint8_t* offsets = m_offset_buf.data();
60
61
1.03k
         if(block_index % 4 == 0)
62
1.03k
            {
63
1.03k
            const secure_vector<uint8_t>& L0 = get(0);
64
1.03k
            const secure_vector<uint8_t>& L1 = get(1);
65
66
4.14k
            while(blocks >= 4)
67
3.11k
               {
68
               // ntz(4*i+1) == 0
69
               // ntz(4*i+2) == 1
70
               // ntz(4*i+3) == 0
71
3.11k
               block_index += 4;
72
3.11k
               const size_t ntz4 = var_ctz32(static_cast<uint32_t>(block_index));
73
74
3.11k
               xor_buf(offsets, m_offset.data(), L0.data(), m_BS);
75
3.11k
               offsets += m_BS;
76
77
3.11k
               xor_buf(offsets, offsets - m_BS, L1.data(), m_BS);
78
3.11k
               offsets += m_BS;
79
80
3.11k
               xor_buf(m_offset.data(), L1.data(), m_BS);
81
3.11k
               copy_mem(offsets, m_offset.data(), m_BS);
82
3.11k
               offsets += m_BS;
83
84
3.11k
               xor_buf(m_offset.data(), get(ntz4).data(), m_BS);
85
3.11k
               copy_mem(offsets, m_offset.data(), m_BS);
86
3.11k
               offsets += m_BS;
87
88
3.11k
               blocks -= 4;
89
3.11k
               }
90
1.03k
            }
91
92
1.42k
         for(size_t i = 0; i != blocks; ++i)
93
396
            { // could be done in parallel
94
396
            const size_t ntz = var_ctz32(static_cast<uint32_t>(block_index + i + 1));
95
396
            xor_buf(m_offset.data(), get(ntz).data(), m_BS);
96
396
            copy_mem(offsets, m_offset.data(), m_BS);
97
396
            offsets += m_BS;
98
396
            }
99
100
1.03k
         return m_offset_buf.data();
101
1.03k
         }
102
103
   private:
104
      secure_vector<uint8_t> poly_double(const secure_vector<uint8_t>& in) const
105
3.43k
         {
106
3.43k
         secure_vector<uint8_t> out(in.size());
107
3.43k
         poly_double_n(out.data(), in.data(), out.size());
108
3.43k
         return out;
109
3.43k
         }
110
111
      const size_t m_BS, m_max_blocks;
112
      secure_vector<uint8_t> m_L_dollar, m_L_star;
113
      secure_vector<uint8_t> m_offset;
114
      mutable std::vector<secure_vector<uint8_t>> m_L;
115
      secure_vector<uint8_t> m_offset_buf;
116
   };
117
118
namespace {
119
120
/*
121
* OCB's HASH
122
*/
123
secure_vector<uint8_t> ocb_hash(const L_computer& L,
124
                                const BlockCipher& cipher,
125
                                const uint8_t ad[], size_t ad_len)
126
469
   {
127
469
   const size_t BS = cipher.block_size();
128
469
   secure_vector<uint8_t> sum(BS);
129
469
   secure_vector<uint8_t> offset(BS);
130
131
469
   secure_vector<uint8_t> buf(BS);
132
133
469
   const size_t ad_blocks = (ad_len / BS);
134
469
   const size_t ad_remainder = (ad_len % BS);
135
136
469
   for(size_t i = 0; i != ad_blocks; ++i)
137
0
      {
138
      // this loop could run in parallel
139
0
      offset ^= L.get(var_ctz32(static_cast<uint32_t>(i+1)));
140
0
      buf = offset;
141
0
      xor_buf(buf.data(), &ad[BS*i], BS);
142
0
      cipher.encrypt(buf);
143
0
      sum ^= buf;
144
0
      }
145
146
469
   if(ad_remainder)
147
469
      {
148
469
      offset ^= L.star();
149
469
      buf = offset;
150
469
      xor_buf(buf.data(), &ad[BS*ad_blocks], ad_remainder);
151
469
      buf[ad_remainder] ^= 0x80;
152
469
      cipher.encrypt(buf);
153
469
      sum ^= buf;
154
469
      }
155
156
469
   return sum;
157
469
   }
158
159
}
160
161
OCB_Mode::OCB_Mode(BlockCipher* cipher, size_t tag_size) :
162
   m_cipher(cipher),
163
   m_checksum(m_cipher->parallel_bytes()),
164
   m_ad_hash(m_cipher->block_size()),
165
   m_tag_size(tag_size),
166
   m_block_size(m_cipher->block_size()),
167
   m_par_blocks(m_cipher->parallel_bytes() / m_block_size)
168
380
   {
169
380
   const size_t BS = block_size();
170
171
   /*
172
   * draft-krovetz-ocb-wide-d1 specifies OCB for several other block
173
   * sizes but only 128, 192, 256 and 512 bit are currently supported
174
   * by this implementation.
175
   */
176
380
   BOTAN_ARG_CHECK(BS == 16 || BS == 24 || BS == 32 || BS == 64,
177
380
                   "Invalid block size for OCB");
178
179
380
   BOTAN_ARG_CHECK(m_tag_size % 4 == 0 &&
180
380
                   m_tag_size >= 8 && m_tag_size <= BS &&
181
380
                   m_tag_size <= 32,
182
380
                   "Invalid OCB tag length");
183
380
   }
184
185
380
OCB_Mode::~OCB_Mode() { /* for unique_ptr destructor */ }
186
187
void OCB_Mode::clear()
188
0
   {
189
0
   m_cipher->clear();
190
0
   m_L.reset(); // add clear here?
191
0
   reset();
192
0
   }
193
194
void OCB_Mode::reset()
195
0
   {
196
0
   m_block_index = 0;
197
0
   zeroise(m_ad_hash);
198
0
   zeroise(m_checksum);
199
0
   m_last_nonce.clear();
200
0
   m_stretch.clear();
201
0
   }
202
203
bool OCB_Mode::valid_nonce_length(size_t length) const
204
469
   {
205
469
   if(length == 0)
206
0
      return false;
207
469
   if(block_size() == 16)
208
469
      return length < 16;
209
0
   else
210
0
      return length < (block_size() - 1);
211
469
   }
212
213
std::string OCB_Mode::name() const
214
0
   {
215
0
   return m_cipher->name() + "/OCB"; // include tag size?
216
0
   }
217
218
size_t OCB_Mode::update_granularity() const
219
0
   {
220
0
   return (m_par_blocks * block_size());
221
0
   }
222
223
Key_Length_Specification OCB_Mode::key_spec() const
224
380
   {
225
380
   return m_cipher->key_spec();
226
380
   }
227
228
void OCB_Mode::key_schedule(const uint8_t key[], size_t length)
229
380
   {
230
380
   m_cipher->set_key(key, length);
231
380
   m_L.reset(new L_computer(*m_cipher));
232
380
   }
233
234
void OCB_Mode::set_associated_data(const uint8_t ad[], size_t ad_len)
235
469
   {
236
469
   verify_key_set(m_L != nullptr);
237
469
   m_ad_hash = ocb_hash(*m_L, *m_cipher, ad, ad_len);
238
469
   }
239
240
const secure_vector<uint8_t>&
241
OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len)
242
469
   {
243
469
   const size_t BS = block_size();
244
245
469
   BOTAN_ASSERT(BS == 16 || BS == 24 || BS == 32 || BS == 64,
246
469
                "OCB block size is supported");
247
248
469
   const size_t MASKLEN = (BS == 16 ? 6 : ((BS == 24) ? 7 : 8));
249
250
469
   const uint8_t BOTTOM_MASK =
251
469
      static_cast<uint8_t>((static_cast<uint16_t>(1) << MASKLEN) - 1);
252
253
469
   m_nonce_buf.resize(BS);
254
469
   clear_mem(&m_nonce_buf[0], m_nonce_buf.size());
255
256
469
   copy_mem(&m_nonce_buf[BS - nonce_len], nonce, nonce_len);
257
469
   m_nonce_buf[0] = static_cast<uint8_t>(((tag_size()*8) % (BS*8)) << (BS <= 16 ? 1 : 0));
258
259
469
   m_nonce_buf[BS - nonce_len - 1] ^= 1;
260
261
469
   const uint8_t bottom = m_nonce_buf[BS-1] & BOTTOM_MASK;
262
469
   m_nonce_buf[BS-1] &= ~BOTTOM_MASK;
263
264
469
   const bool need_new_stretch = (m_last_nonce != m_nonce_buf);
265
266
469
   if(need_new_stretch)
267
325
      {
268
325
      m_last_nonce = m_nonce_buf;
269
270
325
      m_cipher->encrypt(m_nonce_buf);
271
272
      /*
273
      The loop bounds (BS vs BS/2) are derived from the relation
274
      between the block size and the MASKLEN. Using the terminology
275
      of draft-krovetz-ocb-wide, we have to derive enough bits in
276
      ShiftedKtop to read up to BLOCKLEN+bottom bits from Stretch.
277
278
                 +----------+---------+-------+---------+
279
                 | BLOCKLEN | RESIDUE | SHIFT | MASKLEN |
280
                 +----------+---------+-------+---------+
281
                 |       32 |     141 |    17 |    4    |
282
                 |       64 |      27 |    25 |    5    |
283
                 |       96 |    1601 |    33 |    6    |
284
                 |      128 |     135 |     8 |    6    |
285
                 |      192 |     135 |    40 |    7    |
286
                 |      256 |    1061 |     1 |    8    |
287
                 |      384 |    4109 |    80 |    8    |
288
                 |      512 |     293 |   176 |    8    |
289
                 |     1024 |  524355 |   352 |    9    |
290
                 +----------+---------+-------+---------+
291
      */
292
325
      if(BS == 16)
293
325
         {
294
2.92k
         for(size_t i = 0; i != BS / 2; ++i)
295
2.60k
            m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+1]);
296
325
         }
297
0
      else if(BS == 24)
298
0
         {
299
0
         for(size_t i = 0; i != 16; ++i)
300
0
            m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+5]);
301
0
         }
302
0
      else if(BS == 32)
303
0
         {
304
0
         for(size_t i = 0; i != BS; ++i)
305
0
            m_nonce_buf.push_back(m_nonce_buf[i] ^ (m_nonce_buf[i] << 1) ^ (m_nonce_buf[i+1] >> 7));
306
0
         }
307
0
      else if(BS == 64)
308
0
         {
309
0
         for(size_t i = 0; i != BS / 2; ++i)
310
0
            m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+22]);
311
0
         }
312
313
325
      m_stretch = m_nonce_buf;
314
325
      }
315
316
   // now set the offset from stretch and bottom
317
469
   const size_t shift_bytes = bottom / 8;
318
469
   const size_t shift_bits  = bottom % 8;
319
320
469
   BOTAN_ASSERT(m_stretch.size() >= BS + shift_bytes + 1, "Size ok");
321
322
469
   m_offset.resize(BS);
323
7.97k
   for(size_t i = 0; i != BS; ++i)
324
7.50k
      {
325
7.50k
      m_offset[i]  = (m_stretch[i+shift_bytes] << shift_bits);
326
7.50k
      m_offset[i] |= (m_stretch[i+shift_bytes+1] >> (8-shift_bits));
327
7.50k
      }
328
329
469
   return m_offset;
330
469
   }
331
332
void OCB_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
333
469
   {
334
469
   if(!valid_nonce_length(nonce_len))
335
0
      throw Invalid_IV_Length(name(), nonce_len);
336
337
469
   verify_key_set(m_L != nullptr);
338
339
469
   m_L->init(update_nonce(nonce, nonce_len));
340
469
   zeroise(m_checksum);
341
469
   m_block_index = 0;
342
469
   }
343
344
void OCB_Encryption::encrypt(uint8_t buffer[], size_t blocks)
345
317
   {
346
317
   verify_key_set(m_L != nullptr);
347
317
   BOTAN_STATE_CHECK(m_L->initialized());
348
349
317
   const size_t BS = block_size();
350
351
490
   while(blocks)
352
173
      {
353
173
      const size_t proc_blocks = std::min(blocks, par_blocks());
354
173
      const size_t proc_bytes = proc_blocks * BS;
355
356
173
      const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks);
357
358
173
      xor_buf(m_checksum.data(), buffer, proc_bytes);
359
360
173
      m_cipher->encrypt_n_xex(buffer, offsets, proc_blocks);
361
362
173
      buffer += proc_bytes;
363
173
      blocks -= proc_blocks;
364
173
      m_block_index += proc_blocks;
365
173
      }
366
317
   }
367
368
size_t OCB_Encryption::process(uint8_t buf[], size_t sz)
369
0
   {
370
0
   BOTAN_ASSERT(sz % update_granularity() == 0, "Invalid OCB input size");
371
0
   encrypt(buf, sz / block_size());
372
0
   return sz;
373
0
   }
374
375
void OCB_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
376
317
   {
377
317
   verify_key_set(m_L != nullptr);
378
379
317
   const size_t BS = block_size();
380
381
317
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
382
317
   const size_t sz = buffer.size() - offset;
383
317
   uint8_t* buf = buffer.data() + offset;
384
385
317
   secure_vector<uint8_t> mac(BS);
386
387
317
   if(sz)
388
317
      {
389
317
      const size_t final_full_blocks = sz / BS;
390
317
      const size_t remainder_bytes = sz - (final_full_blocks * BS);
391
392
317
      encrypt(buf, final_full_blocks);
393
317
      mac = m_L->offset();
394
395
317
      if(remainder_bytes)
396
144
         {
397
144
         BOTAN_ASSERT(remainder_bytes < BS, "Only a partial block left");
398
144
         uint8_t* remainder = &buf[sz - remainder_bytes];
399
400
144
         xor_buf(m_checksum.data(), remainder, remainder_bytes);
401
144
         m_checksum[remainder_bytes] ^= 0x80;
402
403
         // Offset_*
404
144
         mac ^= m_L->star();
405
406
144
         secure_vector<uint8_t> pad(BS);
407
144
         m_cipher->encrypt(mac, pad);
408
144
         xor_buf(remainder, pad.data(), remainder_bytes);
409
144
         }
410
317
      }
411
0
   else
412
0
      {
413
0
      mac = m_L->offset();
414
0
      }
415
416
   // now compute the tag
417
418
   // fold checksum
419
5.38k
   for(size_t i = 0; i != m_checksum.size(); i += BS)
420
5.07k
      {
421
5.07k
      xor_buf(mac.data(), m_checksum.data() + i, BS);
422
5.07k
      }
423
424
317
   xor_buf(mac.data(), m_L->dollar().data(), BS);
425
317
   m_cipher->encrypt(mac);
426
317
   xor_buf(mac.data(), m_ad_hash.data(), BS);
427
428
317
   buffer += std::make_pair(mac.data(), tag_size());
429
430
317
   zeroise(m_checksum);
431
317
   m_block_index = 0;
432
317
   }
433
434
void OCB_Decryption::decrypt(uint8_t buffer[], size_t blocks)
435
149
   {
436
149
   verify_key_set(m_L != nullptr);
437
149
   BOTAN_STATE_CHECK(m_L->initialized());
438
439
149
   const size_t BS = block_size();
440
441
1.00k
   while(blocks)
442
859
      {
443
859
      const size_t proc_blocks = std::min(blocks, par_blocks());
444
859
      const size_t proc_bytes = proc_blocks * BS;
445
446
859
      const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks);
447
448
859
      m_cipher->decrypt_n_xex(buffer, offsets, proc_blocks);
449
450
859
      xor_buf(m_checksum.data(), buffer, proc_bytes);
451
452
859
      buffer += proc_bytes;
453
859
      blocks -= proc_blocks;
454
859
      m_block_index += proc_blocks;
455
859
      }
456
149
   }
457
458
size_t OCB_Decryption::process(uint8_t buf[], size_t sz)
459
0
   {
460
0
   BOTAN_ASSERT(sz % update_granularity() == 0, "Invalid OCB input size");
461
0
   decrypt(buf, sz / block_size());
462
0
   return sz;
463
0
   }
464
465
void OCB_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
466
152
   {
467
152
   verify_key_set(m_L != nullptr);
468
469
152
   const size_t BS = block_size();
470
471
152
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
472
152
   const size_t sz = buffer.size() - offset;
473
152
   uint8_t* buf = buffer.data() + offset;
474
475
152
   BOTAN_ASSERT(sz >= tag_size(), "We have the tag");
476
477
152
   const size_t remaining = sz - tag_size();
478
479
152
   secure_vector<uint8_t> mac(BS);
480
481
152
   if(remaining)
482
149
      {
483
149
      const size_t final_full_blocks = remaining / BS;
484
149
      const size_t final_bytes = remaining - (final_full_blocks * BS);
485
486
149
      decrypt(buf, final_full_blocks);
487
149
      mac ^= m_L->offset();
488
489
149
      if(final_bytes)
490
125
         {
491
125
         BOTAN_ASSERT(final_bytes < BS, "Only a partial block left");
492
493
125
         uint8_t* remainder = &buf[remaining - final_bytes];
494
495
125
         mac ^= m_L->star();
496
125
         secure_vector<uint8_t> pad(BS);
497
125
         m_cipher->encrypt(mac, pad); // P_*
498
125
         xor_buf(remainder, pad.data(), final_bytes);
499
500
125
         xor_buf(m_checksum.data(), remainder, final_bytes);
501
125
         m_checksum[final_bytes] ^= 0x80;
502
125
         }
503
149
      }
504
3
   else
505
3
      mac = m_L->offset();
506
507
   // compute the mac
508
509
   // fold checksum
510
2.58k
   for(size_t i = 0; i != m_checksum.size(); i += BS)
511
2.43k
      {
512
2.43k
      xor_buf(mac.data(), m_checksum.data() + i, BS);
513
2.43k
      }
514
515
152
   mac ^= m_L->dollar();
516
152
   m_cipher->encrypt(mac);
517
152
   mac ^= m_ad_hash;
518
519
   // reset state
520
152
   zeroise(m_checksum);
521
152
   m_block_index = 0;
522
523
   // compare mac
524
152
   const uint8_t* included_tag = &buf[remaining];
525
526
152
   if(!constant_time_compare(mac.data(), included_tag, tag_size()))
527
152
      throw Invalid_Authentication_Tag("OCB tag check failed");
528
529
   // remove tag from end of message
530
0
   buffer.resize(remaining + offset);
531
0
   }
532
533
}