Coverage Report

Created: 2021-05-04 09:02

/src/botan/src/lib/modes/aead/ocb/ocb.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* OCB Mode
3
* (C) 2013,2017 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/ocb.h>
10
#include <botan/block_cipher.h>
11
#include <botan/internal/poly_dbl.h>
12
#include <botan/internal/bit_ops.h>
13
14
namespace Botan {
15
16
// Has to be in Botan namespace so unique_ptr can reference it
17
class L_computer final
18
   {
19
   public:
20
      explicit L_computer(const BlockCipher& cipher) :
21
         m_BS(cipher.block_size()),
22
         m_max_blocks(cipher.parallel_bytes() / m_BS)
23
230
         {
24
230
         m_L_star.resize(m_BS);
25
230
         cipher.encrypt(m_L_star);
26
230
         m_L_dollar = poly_double(star());
27
230
         m_L.push_back(poly_double(dollar()));
28
29
1.84k
         while(m_L.size() < 8)
30
1.61k
            m_L.push_back(poly_double(m_L.back()));
31
32
230
         m_offset_buf.resize(m_BS * m_max_blocks);
33
230
         }
34
35
      void init(const secure_vector<uint8_t>& offset)
36
231
         {
37
231
         m_offset = offset;
38
231
         }
39
40
230
      bool initialized() const { return m_offset.empty() == false; }
41
42
588
      const secure_vector<uint8_t>& star() const { return m_L_star; }
43
461
      const secure_vector<uint8_t>& dollar() const { return m_L_dollar; }
44
231
      const secure_vector<uint8_t>& offset() const { return m_offset; }
45
46
      const secure_vector<uint8_t>& get(size_t i) const
47
1.12k
         {
48
1.13k
         while(m_L.size() <= i)
49
3
            m_L.push_back(poly_double(m_L.back()));
50
51
1.12k
         return m_L[i];
52
1.12k
         }
53
54
      const uint8_t*
55
      compute_offsets(size_t block_index, size_t blocks)
56
241
         {
57
241
         BOTAN_ASSERT(blocks <= m_max_blocks, "OCB offsets");
58
59
241
         uint8_t* offsets = m_offset_buf.data();
60
61
241
         if(block_index % 4 == 0)
62
241
            {
63
241
            const secure_vector<uint8_t>& L0 = get(0);
64
241
            const secure_vector<uint8_t>& L1 = get(1);
65
66
718
            while(blocks >= 4)
67
477
               {
68
               // ntz(4*i+1) == 0
69
               // ntz(4*i+2) == 1
70
               // ntz(4*i+3) == 0
71
477
               block_index += 4;
72
477
               const size_t ntz4 = var_ctz32(static_cast<uint32_t>(block_index));
73
74
477
               xor_buf(offsets, m_offset.data(), L0.data(), m_BS);
75
477
               offsets += m_BS;
76
77
477
               xor_buf(offsets, offsets - m_BS, L1.data(), m_BS);
78
477
               offsets += m_BS;
79
80
477
               xor_buf(m_offset.data(), L1.data(), m_BS);
81
477
               copy_mem(offsets, m_offset.data(), m_BS);
82
477
               offsets += m_BS;
83
84
477
               xor_buf(m_offset.data(), get(ntz4).data(), m_BS);
85
477
               copy_mem(offsets, m_offset.data(), m_BS);
86
477
               offsets += m_BS;
87
88
477
               blocks -= 4;
89
477
               }
90
241
            }
91
92
410
         for(size_t i = 0; i != blocks; ++i)
93
169
            { // could be done in parallel
94
169
            const size_t ntz = var_ctz32(static_cast<uint32_t>(block_index + i + 1));
95
169
            xor_buf(m_offset.data(), get(ntz).data(), m_BS);
96
169
            copy_mem(offsets, m_offset.data(), m_BS);
97
169
            offsets += m_BS;
98
169
            }
99
100
241
         return m_offset_buf.data();
101
241
         }
102
103
   private:
104
      secure_vector<uint8_t> poly_double(const secure_vector<uint8_t>& in) const
105
2.07k
         {
106
2.07k
         secure_vector<uint8_t> out(in.size());
107
2.07k
         poly_double_n(out.data(), in.data(), out.size());
108
2.07k
         return out;
109
2.07k
         }
110
111
      const size_t m_BS, m_max_blocks;
112
      secure_vector<uint8_t> m_L_dollar, m_L_star;
113
      secure_vector<uint8_t> m_offset;
114
      mutable std::vector<secure_vector<uint8_t>> m_L;
115
      secure_vector<uint8_t> m_offset_buf;
116
   };
117
118
namespace {
119
120
/*
121
* OCB's HASH
122
*/
123
secure_vector<uint8_t> ocb_hash(const L_computer& L,
124
                                const BlockCipher& cipher,
125
                                const uint8_t ad[], size_t ad_len)
126
231
   {
127
231
   const size_t BS = cipher.block_size();
128
231
   secure_vector<uint8_t> sum(BS);
129
231
   secure_vector<uint8_t> offset(BS);
130
131
231
   secure_vector<uint8_t> buf(BS);
132
133
231
   const size_t ad_blocks = (ad_len / BS);
134
231
   const size_t ad_remainder = (ad_len % BS);
135
136
231
   for(size_t i = 0; i != ad_blocks; ++i)
137
0
      {
138
      // this loop could run in parallel
139
0
      offset ^= L.get(var_ctz32(static_cast<uint32_t>(i+1)));
140
0
      buf = offset;
141
0
      xor_buf(buf.data(), &ad[BS*i], BS);
142
0
      cipher.encrypt(buf);
143
0
      sum ^= buf;
144
0
      }
145
146
231
   if(ad_remainder)
147
231
      {
148
231
      offset ^= L.star();
149
231
      buf = offset;
150
231
      xor_buf(buf.data(), &ad[BS*ad_blocks], ad_remainder);
151
231
      buf[ad_remainder] ^= 0x80;
152
231
      cipher.encrypt(buf);
153
231
      sum ^= buf;
154
231
      }
155
156
231
   return sum;
157
231
   }
158
159
}
160
161
OCB_Mode::OCB_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size) :
162
   m_cipher(std::move(cipher)),
163
   m_checksum(m_cipher->parallel_bytes()),
164
   m_ad_hash(m_cipher->block_size()),
165
   m_tag_size(tag_size),
166
   m_block_size(m_cipher->block_size()),
167
   m_par_blocks(m_cipher->parallel_bytes() / m_block_size)
168
230
   {
169
230
   const size_t BS = block_size();
170
171
   /*
172
   * draft-krovetz-ocb-wide-d1 specifies OCB for several other block
173
   * sizes but only 128, 192, 256 and 512 bit are currently supported
174
   * by this implementation.
175
   */
176
230
   BOTAN_ARG_CHECK(BS == 16 || BS == 24 || BS == 32 || BS == 64,
177
230
                   "Invalid block size for OCB");
178
179
230
   BOTAN_ARG_CHECK(m_tag_size % 4 == 0 &&
180
230
                   m_tag_size >= 8 && m_tag_size <= BS &&
181
230
                   m_tag_size <= 32,
182
230
                   "Invalid OCB tag length");
183
230
   }
184
185
230
OCB_Mode::~OCB_Mode() { /* for unique_ptr destructor */ }
186
187
void OCB_Mode::clear()
188
0
   {
189
0
   m_cipher->clear();
190
0
   m_L.reset(); // add clear here?
191
0
   reset();
192
0
   }
193
194
void OCB_Mode::reset()
195
0
   {
196
0
   m_block_index = 0;
197
0
   zeroise(m_ad_hash);
198
0
   zeroise(m_checksum);
199
0
   m_last_nonce.clear();
200
0
   m_stretch.clear();
201
0
   }
202
203
bool OCB_Mode::valid_nonce_length(size_t length) const
204
231
   {
205
231
   if(length == 0)
206
0
      return false;
207
231
   if(block_size() == 16)
208
231
      return length < 16;
209
0
   else
210
0
      return length < (block_size() - 1);
211
231
   }
212
213
std::string OCB_Mode::name() const
214
0
   {
215
0
   return m_cipher->name() + "/OCB"; // include tag size?
216
0
   }
217
218
size_t OCB_Mode::update_granularity() const
219
0
   {
220
0
   return (m_par_blocks * block_size());
221
0
   }
222
223
Key_Length_Specification OCB_Mode::key_spec() const
224
230
   {
225
230
   return m_cipher->key_spec();
226
230
   }
227
228
void OCB_Mode::key_schedule(const uint8_t key[], size_t length)
229
230
   {
230
230
   m_cipher->set_key(key, length);
231
230
   m_L.reset(new L_computer(*m_cipher));
232
230
   }
233
234
void OCB_Mode::set_associated_data(const uint8_t ad[], size_t ad_len)
235
231
   {
236
231
   verify_key_set(m_L != nullptr);
237
231
   m_ad_hash = ocb_hash(*m_L, *m_cipher, ad, ad_len);
238
231
   }
239
240
const secure_vector<uint8_t>&
241
OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len)
242
231
   {
243
231
   const size_t BS = block_size();
244
245
231
   BOTAN_ASSERT(BS == 16 || BS == 24 || BS == 32 || BS == 64,
246
231
                "OCB block size is supported");
247
248
231
   const size_t MASKLEN = (BS == 16 ? 6 : ((BS == 24) ? 7 : 8));
249
250
231
   const uint8_t BOTTOM_MASK =
251
231
      static_cast<uint8_t>((static_cast<uint16_t>(1) << MASKLEN) - 1);
252
253
231
   m_nonce_buf.resize(BS);
254
231
   clear_mem(&m_nonce_buf[0], m_nonce_buf.size());
255
256
231
   copy_mem(&m_nonce_buf[BS - nonce_len], nonce, nonce_len);
257
231
   m_nonce_buf[0] = static_cast<uint8_t>(((tag_size()*8) % (BS*8)) << (BS <= 16 ? 1 : 0));
258
259
231
   m_nonce_buf[BS - nonce_len - 1] ^= 1;
260
261
231
   const uint8_t bottom = m_nonce_buf[BS-1] & BOTTOM_MASK;
262
231
   m_nonce_buf[BS-1] &= ~BOTTOM_MASK;
263
264
231
   const bool need_new_stretch = (m_last_nonce != m_nonce_buf);
265
266
231
   if(need_new_stretch)
267
142
      {
268
142
      m_last_nonce = m_nonce_buf;
269
270
142
      m_cipher->encrypt(m_nonce_buf);
271
272
      /*
273
      The loop bounds (BS vs BS/2) are derived from the relation
274
      between the block size and the MASKLEN. Using the terminology
275
      of draft-krovetz-ocb-wide, we have to derive enough bits in
276
      ShiftedKtop to read up to BLOCKLEN+bottom bits from Stretch.
277
278
                 +----------+---------+-------+---------+
279
                 | BLOCKLEN | RESIDUE | SHIFT | MASKLEN |
280
                 +----------+---------+-------+---------+
281
                 |       32 |     141 |    17 |    4    |
282
                 |       64 |      27 |    25 |    5    |
283
                 |       96 |    1601 |    33 |    6    |
284
                 |      128 |     135 |     8 |    6    |
285
                 |      192 |     135 |    40 |    7    |
286
                 |      256 |    1061 |     1 |    8    |
287
                 |      384 |    4109 |    80 |    8    |
288
                 |      512 |     293 |   176 |    8    |
289
                 |     1024 |  524355 |   352 |    9    |
290
                 +----------+---------+-------+---------+
291
      */
292
142
      if(BS == 16)
293
142
         {
294
1.27k
         for(size_t i = 0; i != BS / 2; ++i)
295
1.13k
            m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+1]);
296
142
         }
297
0
      else if(BS == 24)
298
0
         {
299
0
         for(size_t i = 0; i != 16; ++i)
300
0
            m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+5]);
301
0
         }
302
0
      else if(BS == 32)
303
0
         {
304
0
         for(size_t i = 0; i != BS; ++i)
305
0
            m_nonce_buf.push_back(m_nonce_buf[i] ^ (m_nonce_buf[i] << 1) ^ (m_nonce_buf[i+1] >> 7));
306
0
         }
307
0
      else if(BS == 64)
308
0
         {
309
0
         for(size_t i = 0; i != BS / 2; ++i)
310
0
            m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i+22]);
311
0
         }
312
313
142
      m_stretch = m_nonce_buf;
314
142
      }
315
316
   // now set the offset from stretch and bottom
317
231
   const size_t shift_bytes = bottom / 8;
318
231
   const size_t shift_bits  = bottom % 8;
319
320
231
   BOTAN_ASSERT(m_stretch.size() >= BS + shift_bytes + 1, "Size ok");
321
322
231
   m_offset.resize(BS);
323
3.92k
   for(size_t i = 0; i != BS; ++i)
324
3.69k
      {
325
3.69k
      m_offset[i]  = (m_stretch[i+shift_bytes] << shift_bits);
326
3.69k
      m_offset[i] |= (m_stretch[i+shift_bytes+1] >> (8-shift_bits));
327
3.69k
      }
328
329
231
   return m_offset;
330
231
   }
331
332
void OCB_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
333
231
   {
334
231
   if(!valid_nonce_length(nonce_len))
335
0
      throw Invalid_IV_Length(name(), nonce_len);
336
337
231
   verify_key_set(m_L != nullptr);
338
339
231
   m_L->init(update_nonce(nonce, nonce_len));
340
231
   zeroise(m_checksum);
341
231
   m_block_index = 0;
342
231
   }
343
344
void OCB_Encryption::encrypt(uint8_t buffer[], size_t blocks)
345
191
   {
346
191
   verify_key_set(m_L != nullptr);
347
191
   BOTAN_STATE_CHECK(m_L->initialized());
348
349
191
   const size_t BS = block_size();
350
351
293
   while(blocks)
352
102
      {
353
102
      const size_t proc_blocks = std::min(blocks, par_blocks());
354
102
      const size_t proc_bytes = proc_blocks * BS;
355
356
102
      const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks);
357
358
102
      xor_buf(m_checksum.data(), buffer, proc_bytes);
359
360
102
      m_cipher->encrypt_n_xex(buffer, offsets, proc_blocks);
361
362
102
      buffer += proc_bytes;
363
102
      blocks -= proc_blocks;
364
102
      m_block_index += proc_blocks;
365
102
      }
366
191
   }
367
368
size_t OCB_Encryption::process(uint8_t buf[], size_t sz)
369
0
   {
370
0
   BOTAN_ASSERT(sz % update_granularity() == 0, "Invalid OCB input size");
371
0
   encrypt(buf, sz / block_size());
372
0
   return sz;
373
0
   }
374
375
void OCB_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
376
191
   {
377
191
   verify_key_set(m_L != nullptr);
378
379
191
   const size_t BS = block_size();
380
381
191
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
382
191
   const size_t sz = buffer.size() - offset;
383
191
   uint8_t* buf = buffer.data() + offset;
384
385
191
   secure_vector<uint8_t> mac(BS);
386
387
191
   if(sz)
388
191
      {
389
191
      const size_t final_full_blocks = sz / BS;
390
191
      const size_t remainder_bytes = sz - (final_full_blocks * BS);
391
392
191
      encrypt(buf, final_full_blocks);
393
191
      mac = m_L->offset();
394
395
191
      if(remainder_bytes)
396
89
         {
397
89
         BOTAN_ASSERT(remainder_bytes < BS, "Only a partial block left");
398
89
         uint8_t* remainder = &buf[sz - remainder_bytes];
399
400
89
         xor_buf(m_checksum.data(), remainder, remainder_bytes);
401
89
         m_checksum[remainder_bytes] ^= 0x80;
402
403
         // Offset_*
404
89
         mac ^= m_L->star();
405
406
89
         secure_vector<uint8_t> pad(BS);
407
89
         m_cipher->encrypt(mac, pad);
408
89
         xor_buf(remainder, pad.data(), remainder_bytes);
409
89
         }
410
191
      }
411
0
   else
412
0
      {
413
0
      mac = m_L->offset();
414
0
      }
415
416
   // now compute the tag
417
418
   // fold checksum
419
3.24k
   for(size_t i = 0; i != m_checksum.size(); i += BS)
420
3.05k
      {
421
3.05k
      xor_buf(mac.data(), m_checksum.data() + i, BS);
422
3.05k
      }
423
424
191
   xor_buf(mac.data(), m_L->dollar().data(), BS);
425
191
   m_cipher->encrypt(mac);
426
191
   xor_buf(mac.data(), m_ad_hash.data(), BS);
427
428
191
   buffer += std::make_pair(mac.data(), tag_size());
429
430
191
   zeroise(m_checksum);
431
191
   m_block_index = 0;
432
191
   }
433
434
void OCB_Decryption::decrypt(uint8_t buffer[], size_t blocks)
435
39
   {
436
39
   verify_key_set(m_L != nullptr);
437
39
   BOTAN_STATE_CHECK(m_L->initialized());
438
439
39
   const size_t BS = block_size();
440
441
178
   while(blocks)
442
139
      {
443
139
      const size_t proc_blocks = std::min(blocks, par_blocks());
444
139
      const size_t proc_bytes = proc_blocks * BS;
445
446
139
      const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks);
447
448
139
      m_cipher->decrypt_n_xex(buffer, offsets, proc_blocks);
449
450
139
      xor_buf(m_checksum.data(), buffer, proc_bytes);
451
452
139
      buffer += proc_bytes;
453
139
      blocks -= proc_blocks;
454
139
      m_block_index += proc_blocks;
455
139
      }
456
39
   }
457
458
size_t OCB_Decryption::process(uint8_t buf[], size_t sz)
459
0
   {
460
0
   BOTAN_ASSERT(sz % update_granularity() == 0, "Invalid OCB input size");
461
0
   decrypt(buf, sz / block_size());
462
0
   return sz;
463
0
   }
464
465
void OCB_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
466
40
   {
467
40
   verify_key_set(m_L != nullptr);
468
469
40
   const size_t BS = block_size();
470
471
40
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
472
40
   const size_t sz = buffer.size() - offset;
473
40
   uint8_t* buf = buffer.data() + offset;
474
475
40
   BOTAN_ASSERT(sz >= tag_size(), "We have the tag");
476
477
40
   const size_t remaining = sz - tag_size();
478
479
40
   secure_vector<uint8_t> mac(BS);
480
481
40
   if(remaining)
482
39
      {
483
39
      const size_t final_full_blocks = remaining / BS;
484
39
      const size_t final_bytes = remaining - (final_full_blocks * BS);
485
486
39
      decrypt(buf, final_full_blocks);
487
39
      mac ^= m_L->offset();
488
489
39
      if(final_bytes)
490
38
         {
491
38
         BOTAN_ASSERT(final_bytes < BS, "Only a partial block left");
492
493
38
         uint8_t* remainder = &buf[remaining - final_bytes];
494
495
38
         mac ^= m_L->star();
496
38
         secure_vector<uint8_t> pad(BS);
497
38
         m_cipher->encrypt(mac, pad); // P_*
498
38
         xor_buf(remainder, pad.data(), final_bytes);
499
500
38
         xor_buf(m_checksum.data(), remainder, final_bytes);
501
38
         m_checksum[final_bytes] ^= 0x80;
502
38
         }
503
39
      }
504
1
   else
505
1
      mac = m_L->offset();
506
507
   // compute the mac
508
509
   // fold checksum
510
680
   for(size_t i = 0; i != m_checksum.size(); i += BS)
511
640
      {
512
640
      xor_buf(mac.data(), m_checksum.data() + i, BS);
513
640
      }
514
515
40
   mac ^= m_L->dollar();
516
40
   m_cipher->encrypt(mac);
517
40
   mac ^= m_ad_hash;
518
519
   // reset state
520
40
   zeroise(m_checksum);
521
40
   m_block_index = 0;
522
523
   // compare mac
524
40
   const uint8_t* included_tag = &buf[remaining];
525
526
40
   if(!constant_time_compare(mac.data(), included_tag, tag_size()))
527
40
      throw Invalid_Authentication_Tag("OCB tag check failed");
528
529
   // remove tag from end of message
530
0
   buffer.resize(remaining + offset);
531
0
   }
532
533
}