/src/botan/src/lib/modes/aead/ocb/ocb.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * OCB Mode |
3 | | * (C) 2013,2017 Jack Lloyd |
4 | | * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/internal/ocb.h> |
10 | | |
11 | | #include <botan/block_cipher.h> |
12 | | #include <botan/internal/bit_ops.h> |
13 | | #include <botan/internal/ct_utils.h> |
14 | | #include <botan/internal/poly_dbl.h> |
15 | | |
16 | | namespace Botan { |
17 | | |
18 | | // Has to be in Botan namespace so unique_ptr can reference it |
19 | | class L_computer final { |
20 | | public: |
21 | | explicit L_computer(const BlockCipher& cipher) : |
22 | 0 | m_BS(cipher.block_size()), m_max_blocks(cipher.parallel_bytes() / m_BS) { |
23 | 0 | m_L_star.resize(m_BS); |
24 | 0 | cipher.encrypt(m_L_star); |
25 | 0 | m_L_dollar = poly_double(star()); |
26 | | |
27 | | // Preallocate the m_L vector to the maximum expected size to avoid |
28 | | // re-allocations during runtime. This had caused a use-after-free in |
29 | | // earlier versions, due to references into this buffer becoming stale |
30 | | // in `compute_offset()`, after calling `get()` in the hot path. |
31 | | // |
32 | | // Note, that the list member won't be pre-allocated, so the expected |
33 | | // memory overhead is negligible. |
34 | | // |
35 | | // See also https://github.com/randombit/botan/issues/3812 |
36 | 0 | m_L.reserve(31); |
37 | 0 | m_L.push_back(poly_double(dollar())); |
38 | |
|
39 | 0 | while(m_L.size() < 8) { |
40 | 0 | m_L.push_back(poly_double(m_L.back())); |
41 | 0 | } |
42 | |
|
43 | 0 | m_offset_buf.resize(m_BS * m_max_blocks); |
44 | 0 | } |
45 | | |
46 | 0 | void init(const secure_vector<uint8_t>& offset) { m_offset = offset; } |
47 | | |
48 | 0 | bool initialized() const { return m_offset.empty() == false; } |
49 | | |
50 | 0 | const secure_vector<uint8_t>& star() const { return m_L_star; } |
51 | | |
52 | 0 | const secure_vector<uint8_t>& dollar() const { return m_L_dollar; } |
53 | | |
54 | 0 | const secure_vector<uint8_t>& offset() const { return m_offset; } |
55 | | |
56 | 0 | const secure_vector<uint8_t>& get(size_t i) const { |
57 | 0 | while(m_L.size() <= i) { |
58 | 0 | m_L.push_back(poly_double(m_L.back())); |
59 | 0 | } |
60 | |
|
61 | 0 | return m_L[i]; |
62 | 0 | } |
63 | | |
64 | 0 | const uint8_t* compute_offsets(size_t block_index, size_t blocks) { |
65 | 0 | BOTAN_ASSERT(blocks <= m_max_blocks, "OCB offsets"); |
66 | |
|
67 | 0 | uint8_t* offsets = m_offset_buf.data(); |
68 | |
|
69 | 0 | if(block_index % 4 == 0) { |
70 | 0 | const secure_vector<uint8_t>& L0 = get(0); |
71 | 0 | const secure_vector<uint8_t>& L1 = get(1); |
72 | |
|
73 | 0 | while(blocks >= 4) { |
74 | | // ntz(4*i+1) == 0 |
75 | | // ntz(4*i+2) == 1 |
76 | | // ntz(4*i+3) == 0 |
77 | 0 | block_index += 4; |
78 | 0 | const size_t ntz4 = var_ctz32(static_cast<uint32_t>(block_index)); |
79 | |
|
80 | 0 | xor_buf(offsets, m_offset.data(), L0.data(), m_BS); |
81 | 0 | offsets += m_BS; |
82 | |
|
83 | 0 | xor_buf(offsets, offsets - m_BS, L1.data(), m_BS); |
84 | 0 | offsets += m_BS; |
85 | |
|
86 | 0 | xor_buf(m_offset.data(), L1.data(), m_BS); |
87 | 0 | copy_mem(offsets, m_offset.data(), m_BS); |
88 | 0 | offsets += m_BS; |
89 | |
|
90 | 0 | xor_buf(m_offset.data(), get(ntz4).data(), m_BS); |
91 | 0 | copy_mem(offsets, m_offset.data(), m_BS); |
92 | 0 | offsets += m_BS; |
93 | |
|
94 | 0 | blocks -= 4; |
95 | 0 | } |
96 | 0 | } |
97 | |
|
98 | 0 | for(size_t i = 0; i != blocks; ++i) { // could be done in parallel |
99 | 0 | const size_t ntz = var_ctz32(static_cast<uint32_t>(block_index + i + 1)); |
100 | 0 | xor_buf(m_offset.data(), get(ntz).data(), m_BS); |
101 | 0 | copy_mem(offsets, m_offset.data(), m_BS); |
102 | 0 | offsets += m_BS; |
103 | 0 | } |
104 | |
|
105 | 0 | return m_offset_buf.data(); |
106 | 0 | } |
107 | | |
108 | | private: |
109 | 0 | static secure_vector<uint8_t> poly_double(const secure_vector<uint8_t>& in) { |
110 | 0 | secure_vector<uint8_t> out(in.size()); |
111 | 0 | poly_double_n(out.data(), in.data(), out.size()); |
112 | 0 | return out; |
113 | 0 | } |
114 | | |
115 | | const size_t m_BS, m_max_blocks; |
116 | | secure_vector<uint8_t> m_L_dollar, m_L_star; |
117 | | secure_vector<uint8_t> m_offset; |
118 | | mutable std::vector<secure_vector<uint8_t>> m_L; |
119 | | secure_vector<uint8_t> m_offset_buf; |
120 | | }; |
121 | | |
122 | | namespace { |
123 | | |
124 | | /* |
125 | | * OCB's HASH |
126 | | */ |
127 | 0 | secure_vector<uint8_t> ocb_hash(const L_computer& L, const BlockCipher& cipher, const uint8_t ad[], size_t ad_len) { |
128 | 0 | const size_t BS = cipher.block_size(); |
129 | 0 | secure_vector<uint8_t> sum(BS); |
130 | 0 | secure_vector<uint8_t> offset(BS); |
131 | |
|
132 | 0 | secure_vector<uint8_t> buf(BS); |
133 | |
|
134 | 0 | const size_t ad_blocks = (ad_len / BS); |
135 | 0 | const size_t ad_remainder = (ad_len % BS); |
136 | |
|
137 | 0 | for(size_t i = 0; i != ad_blocks; ++i) { |
138 | | // this loop could run in parallel |
139 | 0 | offset ^= L.get(var_ctz32(static_cast<uint32_t>(i + 1))); |
140 | 0 | buf = offset; |
141 | 0 | xor_buf(buf.data(), &ad[BS * i], BS); |
142 | 0 | cipher.encrypt(buf); |
143 | 0 | sum ^= buf; |
144 | 0 | } |
145 | |
|
146 | 0 | if(ad_remainder) { |
147 | 0 | offset ^= L.star(); |
148 | 0 | buf = offset; |
149 | 0 | xor_buf(buf.data(), &ad[BS * ad_blocks], ad_remainder); |
150 | 0 | buf[ad_remainder] ^= 0x80; |
151 | 0 | cipher.encrypt(buf); |
152 | 0 | sum ^= buf; |
153 | 0 | } |
154 | |
|
155 | 0 | return sum; |
156 | 0 | } |
157 | | |
158 | | } // namespace |
159 | | |
160 | | OCB_Mode::OCB_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size) : |
161 | | m_cipher(std::move(cipher)), |
162 | | m_checksum(m_cipher->parallel_bytes()), |
163 | | m_ad_hash(m_cipher->block_size()), |
164 | | m_tag_size(tag_size), |
165 | | m_block_size(m_cipher->block_size()), |
166 | 0 | m_par_blocks(m_cipher->parallel_bytes() / m_block_size) { |
167 | 0 | const size_t BS = block_size(); |
168 | | |
169 | | /* |
170 | | * draft-krovetz-ocb-wide-d1 specifies OCB for several other block |
171 | | * sizes but only 128, 192, 256 and 512 bit are currently supported |
172 | | * by this implementation. |
173 | | */ |
174 | 0 | BOTAN_ARG_CHECK(BS == 16 || BS == 24 || BS == 32 || BS == 64, "Invalid block size for OCB"); |
175 | |
|
176 | 0 | BOTAN_ARG_CHECK(m_tag_size % 4 == 0 && m_tag_size >= 8 && m_tag_size <= BS && m_tag_size <= 32, |
177 | 0 | "Invalid OCB tag length"); |
178 | 0 | } |
179 | | |
180 | 0 | OCB_Mode::~OCB_Mode() = default; |
181 | | |
182 | 0 | void OCB_Mode::clear() { |
183 | 0 | m_cipher->clear(); |
184 | 0 | m_L.reset(); // add clear here? |
185 | 0 | reset(); |
186 | 0 | } |
187 | | |
188 | 0 | void OCB_Mode::reset() { |
189 | 0 | m_block_index = 0; |
190 | 0 | zeroise(m_ad_hash); |
191 | 0 | zeroise(m_checksum); |
192 | 0 | m_last_nonce.clear(); |
193 | 0 | m_stretch.clear(); |
194 | 0 | } |
195 | | |
196 | 0 | bool OCB_Mode::valid_nonce_length(size_t length) const { |
197 | 0 | if(length == 0) { |
198 | 0 | return false; |
199 | 0 | } |
200 | 0 | if(block_size() == 16) { |
201 | 0 | return length < 16; |
202 | 0 | } else { |
203 | 0 | return length < (block_size() - 1); |
204 | 0 | } |
205 | 0 | } |
206 | | |
207 | 0 | std::string OCB_Mode::name() const { |
208 | 0 | return m_cipher->name() + "/OCB"; // include tag size? |
209 | 0 | } |
210 | | |
211 | 0 | size_t OCB_Mode::update_granularity() const { |
212 | 0 | return block_size(); |
213 | 0 | } |
214 | | |
215 | 0 | size_t OCB_Mode::ideal_granularity() const { |
216 | 0 | return (m_par_blocks * block_size()); |
217 | 0 | } |
218 | | |
219 | 0 | Key_Length_Specification OCB_Mode::key_spec() const { |
220 | 0 | return m_cipher->key_spec(); |
221 | 0 | } |
222 | | |
223 | 0 | bool OCB_Mode::has_keying_material() const { |
224 | 0 | return m_cipher->has_keying_material(); |
225 | 0 | } |
226 | | |
227 | 0 | void OCB_Mode::key_schedule(std::span<const uint8_t> key) { |
228 | 0 | m_cipher->set_key(key); |
229 | 0 | m_L = std::make_unique<L_computer>(*m_cipher); |
230 | 0 | } |
231 | | |
232 | 0 | void OCB_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) { |
233 | 0 | BOTAN_ARG_CHECK(idx == 0, "OCB: cannot handle non-zero index in set_associated_data_n"); |
234 | 0 | assert_key_material_set(); |
235 | 0 | m_ad_hash = ocb_hash(*m_L, *m_cipher, ad.data(), ad.size()); |
236 | 0 | } |
237 | | |
238 | 0 | const secure_vector<uint8_t>& OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len) { |
239 | 0 | const size_t BS = block_size(); |
240 | |
|
241 | 0 | BOTAN_ASSERT(BS == 16 || BS == 24 || BS == 32 || BS == 64, "OCB block size is supported"); |
242 | | |
243 | | // NOLINTNEXTLINE(readability-avoid-nested-conditional-operator) |
244 | 0 | const size_t MASKLEN = (BS == 16 ? 6 : ((BS == 24) ? 7 : 8)); |
245 | |
|
246 | 0 | const uint8_t BOTTOM_MASK = static_cast<uint8_t>((static_cast<uint16_t>(1) << MASKLEN) - 1); |
247 | |
|
248 | 0 | m_nonce_buf.resize(BS); |
249 | 0 | clear_mem(&m_nonce_buf[0], m_nonce_buf.size()); |
250 | |
|
251 | 0 | copy_mem(&m_nonce_buf[BS - nonce_len], nonce, nonce_len); |
252 | 0 | m_nonce_buf[0] = static_cast<uint8_t>(((tag_size() * 8) % (BS * 8)) << (BS <= 16 ? 1 : 0)); |
253 | |
|
254 | 0 | m_nonce_buf[BS - nonce_len - 1] ^= 1; |
255 | |
|
256 | 0 | const uint8_t bottom = m_nonce_buf[BS - 1] & BOTTOM_MASK; |
257 | 0 | m_nonce_buf[BS - 1] &= ~BOTTOM_MASK; |
258 | |
|
259 | 0 | const bool need_new_stretch = (m_last_nonce != m_nonce_buf); |
260 | |
|
261 | 0 | if(need_new_stretch) { |
262 | 0 | m_last_nonce = m_nonce_buf; |
263 | |
|
264 | 0 | m_cipher->encrypt(m_nonce_buf); |
265 | | |
266 | | /* |
267 | | The loop bounds (BS vs BS/2) are derived from the relation |
268 | | between the block size and the MASKLEN. Using the terminology |
269 | | of draft-krovetz-ocb-wide, we have to derive enough bits in |
270 | | ShiftedKtop to read up to BLOCKLEN+bottom bits from Stretch. |
271 | | |
272 | | +----------+---------+-------+---------+ |
273 | | | BLOCKLEN | RESIDUE | SHIFT | MASKLEN | |
274 | | +----------+---------+-------+---------+ |
275 | | | 32 | 141 | 17 | 4 | |
276 | | | 64 | 27 | 25 | 5 | |
277 | | | 96 | 1601 | 33 | 6 | |
278 | | | 128 | 135 | 8 | 6 | |
279 | | | 192 | 135 | 40 | 7 | |
280 | | | 256 | 1061 | 1 | 8 | |
281 | | | 384 | 4109 | 80 | 8 | |
282 | | | 512 | 293 | 176 | 8 | |
283 | | | 1024 | 524355 | 352 | 9 | |
284 | | +----------+---------+-------+---------+ |
285 | | */ |
286 | 0 | if(BS == 16) { |
287 | 0 | for(size_t i = 0; i != BS / 2; ++i) { |
288 | 0 | m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i + 1]); |
289 | 0 | } |
290 | 0 | } else if(BS == 24) { |
291 | 0 | for(size_t i = 0; i != 16; ++i) { |
292 | 0 | m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i + 5]); |
293 | 0 | } |
294 | 0 | } else if(BS == 32) { |
295 | 0 | for(size_t i = 0; i != BS; ++i) { |
296 | 0 | m_nonce_buf.push_back(m_nonce_buf[i] ^ (m_nonce_buf[i] << 1) ^ (m_nonce_buf[i + 1] >> 7)); |
297 | 0 | } |
298 | 0 | } else if(BS == 64) { |
299 | 0 | for(size_t i = 0; i != BS / 2; ++i) { |
300 | 0 | m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i + 22]); |
301 | 0 | } |
302 | 0 | } |
303 | |
|
304 | 0 | m_stretch = m_nonce_buf; |
305 | 0 | } |
306 | | |
307 | | // now set the offset from stretch and bottom |
308 | 0 | const size_t shift_bytes = bottom / 8; |
309 | 0 | const size_t shift_bits = bottom % 8; |
310 | |
|
311 | 0 | BOTAN_ASSERT(m_stretch.size() >= BS + shift_bytes + 1, "Size ok"); |
312 | |
|
313 | 0 | m_offset.resize(BS); |
314 | 0 | for(size_t i = 0; i != BS; ++i) { |
315 | 0 | m_offset[i] = (m_stretch[i + shift_bytes] << shift_bits); |
316 | 0 | m_offset[i] |= (m_stretch[i + shift_bytes + 1] >> (8 - shift_bits)); |
317 | 0 | } |
318 | |
|
319 | 0 | return m_offset; |
320 | 0 | } |
321 | | |
322 | 0 | void OCB_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) { |
323 | 0 | if(!valid_nonce_length(nonce_len)) { |
324 | 0 | throw Invalid_IV_Length(name(), nonce_len); |
325 | 0 | } |
326 | | |
327 | 0 | assert_key_material_set(); |
328 | |
|
329 | 0 | m_L->init(update_nonce(nonce, nonce_len)); |
330 | 0 | zeroise(m_checksum); |
331 | 0 | m_block_index = 0; |
332 | 0 | } |
333 | | |
334 | 0 | void OCB_Encryption::encrypt(uint8_t buffer[], size_t blocks) { |
335 | 0 | assert_key_material_set(); |
336 | 0 | BOTAN_STATE_CHECK(m_L->initialized()); |
337 | |
|
338 | 0 | const size_t BS = block_size(); |
339 | |
|
340 | 0 | while(blocks) { |
341 | 0 | const size_t proc_blocks = std::min(blocks, par_blocks()); |
342 | 0 | const size_t proc_bytes = proc_blocks * BS; |
343 | |
|
344 | 0 | const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks); |
345 | |
|
346 | 0 | xor_buf(m_checksum.data(), buffer, proc_bytes); |
347 | |
|
348 | 0 | m_cipher->encrypt_n_xex(buffer, offsets, proc_blocks); |
349 | |
|
350 | 0 | buffer += proc_bytes; |
351 | 0 | blocks -= proc_blocks; |
352 | 0 | m_block_index += proc_blocks; |
353 | 0 | } |
354 | 0 | } |
355 | | |
356 | 0 | size_t OCB_Encryption::process_msg(uint8_t buf[], size_t sz) { |
357 | 0 | BOTAN_ARG_CHECK(sz % update_granularity() == 0, "Invalid OCB input size"); |
358 | 0 | encrypt(buf, sz / block_size()); |
359 | 0 | return sz; |
360 | 0 | } |
361 | | |
362 | 0 | void OCB_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) { |
363 | 0 | assert_key_material_set(); |
364 | 0 | BOTAN_STATE_CHECK(m_L->initialized()); |
365 | |
|
366 | 0 | const size_t BS = block_size(); |
367 | |
|
368 | 0 | BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range"); |
369 | 0 | const size_t sz = buffer.size() - offset; |
370 | 0 | uint8_t* buf = buffer.data() + offset; |
371 | |
|
372 | 0 | secure_vector<uint8_t> mac(BS); |
373 | |
|
374 | 0 | if(sz) { |
375 | 0 | const size_t final_full_blocks = sz / BS; |
376 | 0 | const size_t remainder_bytes = sz - (final_full_blocks * BS); |
377 | |
|
378 | 0 | encrypt(buf, final_full_blocks); |
379 | 0 | mac = m_L->offset(); |
380 | |
|
381 | 0 | if(remainder_bytes) { |
382 | 0 | BOTAN_ASSERT(remainder_bytes < BS, "Only a partial block left"); |
383 | 0 | uint8_t* remainder = &buf[sz - remainder_bytes]; |
384 | |
|
385 | 0 | xor_buf(m_checksum.data(), remainder, remainder_bytes); |
386 | 0 | m_checksum[remainder_bytes] ^= 0x80; |
387 | | |
388 | | // Offset_* |
389 | 0 | mac ^= m_L->star(); |
390 | |
|
391 | 0 | secure_vector<uint8_t> pad(BS); |
392 | 0 | m_cipher->encrypt(mac, pad); |
393 | 0 | xor_buf(remainder, pad.data(), remainder_bytes); |
394 | 0 | } |
395 | 0 | } else { |
396 | 0 | mac = m_L->offset(); |
397 | 0 | } |
398 | | |
399 | | // now compute the tag |
400 | | |
401 | | // fold checksum |
402 | 0 | for(size_t i = 0; i != m_checksum.size(); i += BS) { |
403 | 0 | xor_buf(mac.data(), m_checksum.data() + i, BS); |
404 | 0 | } |
405 | |
|
406 | 0 | xor_buf(mac.data(), m_L->dollar().data(), BS); |
407 | 0 | m_cipher->encrypt(mac); |
408 | 0 | xor_buf(mac.data(), m_ad_hash.data(), BS); |
409 | |
|
410 | 0 | buffer += std::make_pair(mac.data(), tag_size()); |
411 | |
|
412 | 0 | zeroise(m_checksum); |
413 | 0 | m_block_index = 0; |
414 | 0 | } |
415 | | |
416 | 0 | void OCB_Decryption::decrypt(uint8_t buffer[], size_t blocks) { |
417 | 0 | assert_key_material_set(); |
418 | 0 | BOTAN_STATE_CHECK(m_L->initialized()); |
419 | |
|
420 | 0 | const size_t BS = block_size(); |
421 | |
|
422 | 0 | while(blocks) { |
423 | 0 | const size_t proc_blocks = std::min(blocks, par_blocks()); |
424 | 0 | const size_t proc_bytes = proc_blocks * BS; |
425 | |
|
426 | 0 | const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks); |
427 | |
|
428 | 0 | m_cipher->decrypt_n_xex(buffer, offsets, proc_blocks); |
429 | |
|
430 | 0 | xor_buf(m_checksum.data(), buffer, proc_bytes); |
431 | |
|
432 | 0 | buffer += proc_bytes; |
433 | 0 | blocks -= proc_blocks; |
434 | 0 | m_block_index += proc_blocks; |
435 | 0 | } |
436 | 0 | } |
437 | | |
438 | 0 | size_t OCB_Decryption::process_msg(uint8_t buf[], size_t sz) { |
439 | 0 | BOTAN_ARG_CHECK(sz % update_granularity() == 0, "Invalid OCB input size"); |
440 | 0 | decrypt(buf, sz / block_size()); |
441 | 0 | return sz; |
442 | 0 | } |
443 | | |
444 | 0 | void OCB_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) { |
445 | 0 | assert_key_material_set(); |
446 | 0 | BOTAN_STATE_CHECK(m_L->initialized()); |
447 | |
|
448 | 0 | const size_t BS = block_size(); |
449 | |
|
450 | 0 | BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range"); |
451 | 0 | const size_t sz = buffer.size() - offset; |
452 | 0 | uint8_t* buf = buffer.data() + offset; |
453 | |
|
454 | 0 | BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag"); |
455 | |
|
456 | 0 | const size_t remaining = sz - tag_size(); |
457 | |
|
458 | 0 | secure_vector<uint8_t> mac(BS); |
459 | |
|
460 | 0 | if(remaining) { |
461 | 0 | const size_t final_full_blocks = remaining / BS; |
462 | 0 | const size_t final_bytes = remaining - (final_full_blocks * BS); |
463 | |
|
464 | 0 | decrypt(buf, final_full_blocks); |
465 | 0 | mac ^= m_L->offset(); |
466 | |
|
467 | 0 | if(final_bytes) { |
468 | 0 | BOTAN_ASSERT(final_bytes < BS, "Only a partial block left"); |
469 | |
|
470 | 0 | uint8_t* remainder = &buf[remaining - final_bytes]; |
471 | |
|
472 | 0 | mac ^= m_L->star(); |
473 | 0 | secure_vector<uint8_t> pad(BS); |
474 | 0 | m_cipher->encrypt(mac, pad); // P_* |
475 | 0 | xor_buf(remainder, pad.data(), final_bytes); |
476 | |
|
477 | 0 | xor_buf(m_checksum.data(), remainder, final_bytes); |
478 | 0 | m_checksum[final_bytes] ^= 0x80; |
479 | 0 | } |
480 | 0 | } else { |
481 | 0 | mac = m_L->offset(); |
482 | 0 | } |
483 | | |
484 | | // compute the mac |
485 | | |
486 | | // fold checksum |
487 | 0 | for(size_t i = 0; i != m_checksum.size(); i += BS) { |
488 | 0 | xor_buf(mac.data(), m_checksum.data() + i, BS); |
489 | 0 | } |
490 | |
|
491 | 0 | mac ^= m_L->dollar(); |
492 | 0 | m_cipher->encrypt(mac); |
493 | 0 | mac ^= m_ad_hash; |
494 | | |
495 | | // reset state |
496 | 0 | zeroise(m_checksum); |
497 | 0 | m_block_index = 0; |
498 | | |
499 | | // compare mac |
500 | 0 | const uint8_t* included_tag = &buf[remaining]; |
501 | |
|
502 | 0 | if(!CT::is_equal(mac.data(), included_tag, tag_size()).as_bool()) { |
503 | 0 | throw Invalid_Authentication_Tag("OCB tag check failed"); |
504 | 0 | } |
505 | | |
506 | | // remove tag from end of message |
507 | 0 | buffer.resize(remaining + offset); |
508 | 0 | } |
509 | | |
510 | | } // namespace Botan |