Botan  2.1.0
Crypto and TLS for C++11
ocb.cpp
Go to the documentation of this file.
1 /*
2 * OCB Mode
3 * (C) 2013 Jack Lloyd
4 * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/ocb.h>
10 #include <botan/cmac.h>
11 #include <botan/internal/bit_ops.h>
12 
13 namespace Botan {
14 
15 // Has to be in Botan namespace so unique_ptr can reference it
16 class L_computer
17  {
18  public:
19  explicit L_computer(const BlockCipher& cipher)
20  {
21  m_L_star.resize(cipher.block_size());
22  cipher.encrypt(m_L_star);
23  m_L_dollar = poly_double(star());
24  m_L.push_back(poly_double(dollar()));
25  }
26 
27  const secure_vector<uint8_t>& star() const { return m_L_star; }
28 
29  const secure_vector<uint8_t>& dollar() const { return m_L_dollar; }
30 
31  const secure_vector<uint8_t>& operator()(size_t i) const { return get(i); }
32 
33  const secure_vector<uint8_t>& compute_offsets(secure_vector<uint8_t>& offset,
34  size_t block_index,
35  size_t blocks) const
36  {
37  m_offset_buf.resize(blocks * 16);
38 
39  for(size_t i = 0; i != blocks; ++i)
40  { // could be done in parallel
41  offset ^= get(ctz(block_index + 1 + i));
42  copy_mem(&m_offset_buf[16*i], offset.data(), 16);
43  }
44 
45  return m_offset_buf;
46  }
47 
48  private:
49  const secure_vector<uint8_t>& get(size_t i) const
50  {
51  while(m_L.size() <= i)
52  m_L.push_back(poly_double(m_L.back()));
53 
54  return m_L.at(i);
55  }
56 
57  secure_vector<uint8_t> poly_double(const secure_vector<uint8_t>& in) const
58  {
59  return CMAC::poly_double(in);
60  }
61 
62  secure_vector<uint8_t> m_L_dollar, m_L_star;
63  mutable std::vector<secure_vector<uint8_t>> m_L;
64  mutable secure_vector<uint8_t> m_offset_buf;
65  };
66 
67 namespace {
68 
69 /*
70 * OCB's HASH
71 */
72 secure_vector<uint8_t> ocb_hash(const L_computer& L,
73  const BlockCipher& cipher,
74  const uint8_t ad[], size_t ad_len)
75  {
76  secure_vector<uint8_t> sum(16);
77  secure_vector<uint8_t> offset(16);
78 
79  secure_vector<uint8_t> buf(16);
80 
81  const size_t ad_blocks = (ad_len / 16);
82  const size_t ad_remainder = (ad_len % 16);
83 
84  for(size_t i = 0; i != ad_blocks; ++i)
85  {
86  // this loop could run in parallel
87  offset ^= L(ctz(i+1));
88 
89  buf = offset;
90  xor_buf(buf.data(), &ad[16*i], 16);
91 
92  cipher.encrypt(buf);
93 
94  sum ^= buf;
95  }
96 
97  if(ad_remainder)
98  {
99  offset ^= L.star();
100 
101  buf = offset;
102  xor_buf(buf.data(), &ad[16*ad_blocks], ad_remainder);
103  buf[ad_len % 16] ^= 0x80;
104 
105  cipher.encrypt(buf);
106 
107  sum ^= buf;
108  }
109 
110  return sum;
111  }
112 
113 }
114 
115 OCB_Mode::OCB_Mode(BlockCipher* cipher, size_t tag_size) :
116  m_cipher(cipher),
117  m_checksum(m_cipher->parallel_bytes()),
118  m_offset(16),
119  m_ad_hash(16),
120  m_tag_size(tag_size)
121  {
122  if(m_cipher->block_size() != 16)
123  throw Invalid_Argument("OCB requires 128 bit cipher");
124 
125  if(m_tag_size % 4 != 0 || m_tag_size < 8 || m_tag_size > 16)
126  throw Invalid_Argument("Invalid OCB tag length");
127  }
128 
129 OCB_Mode::~OCB_Mode() { /* for unique_ptr destructor */ }
130 
132  {
133  m_cipher->clear();
134  m_L.reset(); // add clear here?
135  reset();
136  }
137 
139  {
140  m_block_index = 0;
142  zeroise(m_offset);
144  m_last_nonce.clear();
145  m_stretch.clear();
146  }
147 
148 bool OCB_Mode::valid_nonce_length(size_t length) const
149  {
150  return (length > 0 && length < m_cipher->block_size());
151  }
152 
153 std::string OCB_Mode::name() const
154  {
155  return m_cipher->name() + "/OCB"; // include tag size
156  }
157 
159  {
160  return m_cipher->parallel_bytes();
161  }
162 
164  {
165  return m_cipher->key_spec();
166  }
167 
168 void OCB_Mode::key_schedule(const uint8_t key[], size_t length)
169  {
170  m_cipher->set_key(key, length);
171  m_L.reset(new L_computer(*m_cipher));
172  }
173 
174 void OCB_Mode::set_associated_data(const uint8_t ad[], size_t ad_len)
175  {
176  BOTAN_ASSERT(m_L, "A key was set");
177  m_ad_hash = ocb_hash(*m_L, *m_cipher, ad, ad_len);
178  }
179 
181 OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len)
182  {
183  BOTAN_ASSERT(nonce_len < 16, "OCB nonce is less than cipher block size");
184 
185  secure_vector<uint8_t> nonce_buf(16);
186 
187  copy_mem(&nonce_buf[16 - nonce_len], nonce, nonce_len);
188  nonce_buf[0] = ((tag_size() * 8) % 128) << 1;
189  nonce_buf[16 - nonce_len - 1] = 1;
190 
191  const uint8_t bottom = nonce_buf[16-1] & 0x3F;
192  nonce_buf[16-1] &= 0xC0;
193 
194  const bool need_new_stretch = (m_last_nonce != nonce_buf);
195 
196  if(need_new_stretch)
197  {
198  m_last_nonce = nonce_buf;
199 
200  m_cipher->encrypt(nonce_buf);
201 
202  for(size_t i = 0; i != 16 / 2; ++i)
203  nonce_buf.push_back(nonce_buf[i] ^ nonce_buf[i+1]);
204 
205  m_stretch = nonce_buf;
206  }
207 
208  // now set the offset from stretch and bottom
209 
210  const size_t shift_bytes = bottom / 8;
211  const size_t shift_bits = bottom % 8;
212 
213  secure_vector<uint8_t> offset(16);
214  for(size_t i = 0; i != 16; ++i)
215  {
216  offset[i] = (m_stretch[i+shift_bytes] << shift_bits);
217  offset[i] |= (m_stretch[i+shift_bytes+1] >> (8-shift_bits));
218  }
219 
220  return offset;
221  }
222 
223 void OCB_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
224  {
225  if(!valid_nonce_length(nonce_len))
226  throw Invalid_IV_Length(name(), nonce_len);
227 
228  BOTAN_ASSERT(m_L, "A key was set");
229 
230  m_offset = update_nonce(nonce, nonce_len);
232  m_block_index = 0;
233  }
234 
235 void OCB_Encryption::encrypt(uint8_t buffer[], size_t blocks)
236  {
237  const size_t par_blocks = m_checksum.size() / 16;
238 
239  while(blocks)
240  {
241  const size_t proc_blocks = std::min(blocks, par_blocks);
242  const size_t proc_bytes = proc_blocks * 16;
243 
244  const auto& offsets = m_L->compute_offsets(m_offset, m_block_index, proc_blocks);
245 
246  xor_buf(m_checksum.data(), buffer, proc_bytes);
247 
248  xor_buf(buffer, offsets.data(), proc_bytes);
249  m_cipher->encrypt_n(buffer, buffer, proc_blocks);
250  xor_buf(buffer, offsets.data(), proc_bytes);
251 
252  buffer += proc_bytes;
253  blocks -= proc_blocks;
254  m_block_index += proc_blocks;
255  }
256  }
257 
258 size_t OCB_Encryption::process(uint8_t buf[], size_t sz)
259  {
260  BOTAN_ASSERT(sz % 16 == 0, "Invalid OCB input size");
261  encrypt(buf, sz / 16);
262  return sz;
263  }
264 
265 void OCB_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
266  {
267  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
268  const size_t sz = buffer.size() - offset;
269  uint8_t* buf = buffer.data() + offset;
270 
271  if(sz)
272  {
273  const size_t final_full_blocks = sz / 16;
274  const size_t remainder_bytes = sz - (final_full_blocks * 16);
275 
276  encrypt(buf, final_full_blocks);
277 
278  if(remainder_bytes)
279  {
280  BOTAN_ASSERT(remainder_bytes < 16, "Only a partial block left");
281  uint8_t* remainder = &buf[sz - remainder_bytes];
282 
283  xor_buf(m_checksum.data(), remainder, remainder_bytes);
284  m_checksum[remainder_bytes] ^= 0x80;
285 
286  m_offset ^= m_L->star(); // Offset_*
287 
288  secure_vector<uint8_t> zeros(16);
289  m_cipher->encrypt(m_offset, zeros);
290  xor_buf(remainder, zeros.data(), remainder_bytes);
291  }
292  }
293 
294  secure_vector<uint8_t> checksum(16);
295 
296  // fold checksum
297  for(size_t i = 0; i != m_checksum.size(); ++i)
298  checksum[i % checksum.size()] ^= m_checksum[i];
299 
300  // now compute the tag
302  mac ^= checksum;
303  mac ^= m_L->dollar();
304 
305  m_cipher->encrypt(mac);
306 
307  mac ^= m_ad_hash;
308 
309  buffer += std::make_pair(mac.data(), tag_size());
310 
312  zeroise(m_offset);
313  m_block_index = 0;
314  }
315 
316 void OCB_Decryption::decrypt(uint8_t buffer[], size_t blocks)
317  {
318  const size_t par_bytes = m_cipher->parallel_bytes();
319 
320  BOTAN_ASSERT(par_bytes % 16 == 0, "Cipher is parallel in full blocks");
321 
322  const size_t par_blocks = par_bytes / 16;
323 
324  while(blocks)
325  {
326  const size_t proc_blocks = std::min(blocks, par_blocks);
327  const size_t proc_bytes = proc_blocks * 16;
328 
329  const auto& offsets = m_L->compute_offsets(m_offset, m_block_index, proc_blocks);
330 
331  xor_buf(buffer, offsets.data(), proc_bytes);
332  m_cipher->decrypt_n(buffer, buffer, proc_blocks);
333  xor_buf(buffer, offsets.data(), proc_bytes);
334 
335  xor_buf(m_checksum.data(), buffer, proc_bytes);
336 
337  buffer += proc_bytes;
338  blocks -= proc_blocks;
339  m_block_index += proc_blocks;
340  }
341  }
342 
343 size_t OCB_Decryption::process(uint8_t buf[], size_t sz)
344  {
345  BOTAN_ASSERT(sz % 16 == 0, "Invalid OCB input size");
346  decrypt(buf, sz / 16);
347  return sz;
348  }
349 
350 void OCB_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
351  {
352  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
353  const size_t sz = buffer.size() - offset;
354  uint8_t* buf = buffer.data() + offset;
355 
356  BOTAN_ASSERT(sz >= tag_size(), "We have the tag");
357 
358  const size_t remaining = sz - tag_size();
359 
360  if(remaining)
361  {
362  const size_t final_full_blocks = remaining / 16;
363  const size_t final_bytes = remaining - (final_full_blocks * 16);
364 
365  decrypt(buf, final_full_blocks);
366 
367  if(final_bytes)
368  {
369  BOTAN_ASSERT(final_bytes < 16, "Only a partial block left");
370 
371  uint8_t* remainder = &buf[remaining - final_bytes];
372 
373  m_offset ^= m_L->star(); // Offset_*
374 
375  secure_vector<uint8_t> pad(16);
376  m_cipher->encrypt(m_offset, pad); // P_*
377 
378  xor_buf(remainder, pad.data(), final_bytes);
379 
380  xor_buf(m_checksum.data(), remainder, final_bytes);
381  m_checksum[final_bytes] ^= 0x80;
382  }
383  }
384 
385  secure_vector<uint8_t> checksum(16);
386 
387  // fold checksum
388  for(size_t i = 0; i != m_checksum.size(); ++i)
389  checksum[i % checksum.size()] ^= m_checksum[i];
390 
391  // compute the mac
393  mac ^= checksum;
394  mac ^= m_L->dollar();
395 
396  m_cipher->encrypt(mac);
397 
398  mac ^= m_ad_hash;
399 
400  // reset state
402  zeroise(m_offset);
403  m_block_index = 0;
404 
405  // compare mac
406  const uint8_t* included_tag = &buf[remaining];
407 
408  if(!same_mem(mac.data(), included_tag, tag_size()))
409  throw Integrity_Failure("OCB tag check failed");
410 
411  // remove tag from end of message
412  buffer.resize(remaining + offset);
413  }
414 
415 }
void xor_buf(T out[], const T in[], size_t length)
Definition: mem_ops.h:115
std::unique_ptr< BlockCipher > m_cipher
Definition: ocb.h:56
size_t ctz(T n)
Definition: bit_ops.h:97
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: ocb.cpp:265
bool same_mem(const T *p1, const T *p2, size_t n)
Definition: mem_ops.h:98
bool valid_nonce_length(size_t) const override
Definition: ocb.cpp:148
void set_associated_data(const uint8_t ad[], size_t ad_len) override
Definition: ocb.cpp:174
size_t tag_size() const override
Definition: ocb.h:41
void reset() override
Definition: ocb.cpp:138
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:27
std::vector< T, secure_allocator< T >> secure_vector
Definition: secmem.h:121
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: ocb.cpp:350
size_t update_granularity() const override
Definition: ocb.cpp:158
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:68
Definition: alg_id.cpp:13
std::unique_ptr< L_computer > m_L
Definition: ocb.h:57
static secure_vector< uint8_t > poly_double(const secure_vector< uint8_t > &in)
Definition: cmac.cpp:15
secure_vector< uint8_t > m_ad_hash
Definition: ocb.h:63
OCB_Mode(BlockCipher *cipher, size_t tag_size)
Definition: ocb.cpp:115
T min(T a, T b)
Definition: ct_utils.h:180
secure_vector< uint8_t > m_checksum
Definition: ocb.h:61
size_t process(uint8_t buf[], size_t size) override
Definition: ocb.cpp:258
size_t m_block_index
Definition: ocb.h:59
void clear() override
Definition: ocb.cpp:131
std::string name() const override
Definition: ocb.cpp:153
secure_vector< uint8_t > m_offset
Definition: ocb.h:62
size_t process(uint8_t buf[], size_t size) override
Definition: ocb.cpp:343
Key_Length_Specification key_spec() const override
Definition: ocb.cpp:163
void zeroise(std::vector< T, Alloc > &vec)
Definition: secmem.h:211