Botan 3.12.0
Crypto and TLS for C&
ocb.cpp
Go to the documentation of this file.
1/*
2* OCB Mode
3* (C) 2013,2017 Jack Lloyd
4* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/ocb.h>
10
11#include <botan/block_cipher.h>
12#include <botan/exceptn.h>
13#include <botan/mem_ops.h>
14#include <botan/internal/bit_ops.h>
15#include <botan/internal/ct_utils.h>
16#include <botan/internal/poly_dbl.h>
17
18namespace Botan {
19
20// Has to be in Botan namespace so unique_ptr can reference it
21class L_computer final {
22 public:
23 explicit L_computer(const BlockCipher& cipher) :
24 m_BS(cipher.block_size()), m_max_blocks(cipher.parallel_bytes() / m_BS) {
25 m_L_star.resize(m_BS);
26 cipher.encrypt(m_L_star);
27 m_L_dollar = poly_double(star());
28
29 // Preallocate the m_L vector to the maximum expected size to avoid
30 // re-allocations during runtime. This had caused a use-after-free in
31 // earlier versions, due to references into this buffer becoming stale
32 // in `compute_offset()`, after calling `get()` in the hot path.
33 //
34 // Note, that the list member won't be pre-allocated, so the expected
35 // memory overhead is negligible.
36 //
37 // See also https://github.com/randombit/botan/issues/3812
38 m_L.reserve(65);
39 m_L.push_back(poly_double(dollar()));
40
41 while(m_L.size() < 8) {
42 m_L.push_back(poly_double(m_L.back()));
43 }
44
45 m_offset_buf.resize(m_BS * m_max_blocks);
46 }
47
48 void init(const secure_vector<uint8_t>& offset) { m_offset = offset; }
49
50 bool initialized() const { return !m_offset.empty(); }
51
52 const secure_vector<uint8_t>& star() const { return m_L_star; }
53
54 const secure_vector<uint8_t>& dollar() const { return m_L_dollar; }
55
56 const secure_vector<uint8_t>& offset() const { return m_offset; }
57
58 const secure_vector<uint8_t>& get(size_t i) const {
59 while(m_L.size() <= i) {
60 m_L.push_back(poly_double(m_L.back()));
61 }
62
63 return m_L[i];
64 }
65
66 const uint8_t* compute_offsets(uint64_t block_index, size_t blocks) {
67 BOTAN_ASSERT(blocks <= m_max_blocks, "OCB offsets");
68
69 uint8_t* offsets = m_offset_buf.data();
70
71 if(block_index % 4 == 0) {
72 const secure_vector<uint8_t>& L0 = get(0);
73 const secure_vector<uint8_t>& L1 = get(1);
74
75 while(blocks >= 4) {
76 // ntz(4*i+1) == 0
77 // ntz(4*i+2) == 1
78 // ntz(4*i+3) == 0
79 block_index += 4;
80 const size_t ntz4 = var_ctz64(block_index);
81
82 xor_buf(offsets, m_offset.data(), L0.data(), m_BS);
83 offsets += m_BS;
84
85 xor_buf(offsets, offsets - m_BS, L1.data(), m_BS);
86 offsets += m_BS;
87
88 xor_buf(m_offset.data(), L1.data(), m_BS);
89 copy_mem(offsets, m_offset.data(), m_BS);
90 offsets += m_BS;
91
92 xor_buf(m_offset.data(), get(ntz4).data(), m_BS);
93 copy_mem(offsets, m_offset.data(), m_BS);
94 offsets += m_BS;
95
96 blocks -= 4;
97 }
98 }
99
100 for(size_t i = 0; i != blocks; ++i) { // could be done in parallel
101 const size_t ntz = var_ctz64(block_index + i + 1);
102 xor_buf(m_offset.data(), get(ntz).data(), m_BS);
103 copy_mem(offsets, m_offset.data(), m_BS);
104 offsets += m_BS;
105 }
106
107 return m_offset_buf.data();
108 }
109
110 private:
111 static secure_vector<uint8_t> poly_double(const secure_vector<uint8_t>& in) {
112 secure_vector<uint8_t> out(in.size());
113 poly_double_n(out.data(), in.data(), out.size());
114 return out;
115 }
116
117 const size_t m_BS, m_max_blocks;
118 secure_vector<uint8_t> m_L_dollar, m_L_star;
119 secure_vector<uint8_t> m_offset;
120 mutable std::vector<secure_vector<uint8_t>> m_L;
121 secure_vector<uint8_t> m_offset_buf;
122};
123
124namespace {
125
126/*
127* OCB's HASH
128*/
129secure_vector<uint8_t> ocb_hash(const L_computer& L, const BlockCipher& cipher, const uint8_t ad[], size_t ad_len) {
130 const size_t BS = cipher.block_size();
131 secure_vector<uint8_t> sum(BS);
132 secure_vector<uint8_t> offset(BS);
133
134 secure_vector<uint8_t> buf(BS);
135
136 const size_t ad_blocks = (ad_len / BS);
137 const size_t ad_remainder = (ad_len % BS);
138
139 for(size_t i = 0; i != ad_blocks; ++i) {
140 // this loop could run in parallel
141 offset ^= L.get(var_ctz64(i + 1));
142 buf = offset;
143 xor_buf(buf.data(), &ad[BS * i], BS);
144 cipher.encrypt(buf);
145 sum ^= buf;
146 }
147
148 if(ad_remainder > 0) {
149 offset ^= L.star();
150 buf = offset;
151 xor_buf(buf.data(), &ad[BS * ad_blocks], ad_remainder);
152 buf[ad_remainder] ^= 0x80;
153 cipher.encrypt(buf);
154 sum ^= buf;
155 }
156
157 return sum;
158}
159
160} // namespace
161
162OCB_Mode::OCB_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size) :
163 m_cipher(std::move(cipher)),
164 m_checksum(m_cipher->parallel_bytes()),
165 m_ad_hash(m_cipher->block_size()),
166 m_tag_size(tag_size),
167 m_block_size(m_cipher->block_size()),
168 m_par_blocks(m_cipher->parallel_bytes() / m_block_size) {
169 const size_t BS = block_size();
170
171 /*
172 * draft-krovetz-ocb-wide-d1 specifies OCB for several other block
173 * sizes but only 128, 192, 256 and 512 bit are currently supported
174 * by this implementation.
175 */
176 BOTAN_ARG_CHECK(BS == 16 || BS == 24 || BS == 32 || BS == 64, "Invalid block size for OCB");
177
178 BOTAN_ARG_CHECK(m_tag_size % 4 == 0 && m_tag_size >= 8 && m_tag_size <= BS && m_tag_size <= 32,
179 "Invalid OCB tag length");
180}
181
182OCB_Mode::~OCB_Mode() = default;
183
184void OCB_Mode::clear() {
185 m_cipher->clear();
186 m_L.reset(); // add clear here?
187 reset();
188}
189
190void OCB_Mode::reset() {
191 m_block_index = 0;
192 zeroise(m_ad_hash);
193 zeroise(m_checksum);
194 m_last_nonce.clear();
195 m_stretch.clear();
196 zeroise(m_nonce_buf);
197 zeroise(m_offset);
198}
199
200bool OCB_Mode::valid_nonce_length(size_t length) const {
201 if(length == 0) {
202 return false;
203 }
204 if(block_size() == 16) {
205 return length < 16;
206 } else {
207 return length < (block_size() - 1);
208 }
209}
210
211std::string OCB_Mode::name() const {
212 return m_cipher->name() + "/OCB"; // include tag size?
213}
214
215size_t OCB_Mode::update_granularity() const {
216 return block_size();
217}
218
219size_t OCB_Mode::ideal_granularity() const {
220 return (m_par_blocks * block_size());
221}
222
223Key_Length_Specification OCB_Mode::key_spec() const {
224 return m_cipher->key_spec();
225}
226
227bool OCB_Mode::has_keying_material() const {
228 return m_cipher->has_keying_material();
229}
230
231void OCB_Mode::key_schedule(std::span<const uint8_t> key) {
232 m_cipher->set_key(key);
233 m_L = std::make_unique<L_computer>(*m_cipher);
234}
235
236void OCB_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {
237 BOTAN_ARG_CHECK(idx == 0, "OCB: cannot handle non-zero index in set_associated_data_n");
238 assert_key_material_set();
239 m_ad_hash = ocb_hash(*m_L, *m_cipher, ad.data(), ad.size());
240}
241
242const secure_vector<uint8_t>& OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len) {
243 const size_t BS = block_size();
244
245 BOTAN_ASSERT(BS == 16 || BS == 24 || BS == 32 || BS == 64, "OCB block size is supported");
246
247 // NOLINTNEXTLINE(readability-avoid-nested-conditional-operator)
248 const size_t MASKLEN = (BS == 16 ? 6 : ((BS == 24) ? 7 : 8));
249
250 const uint8_t BOTTOM_MASK = static_cast<uint8_t>((static_cast<uint16_t>(1) << MASKLEN) - 1);
251
252 m_nonce_buf.resize(BS);
253 clear_mem(m_nonce_buf.data(), m_nonce_buf.size());
254
255 copy_mem(&m_nonce_buf[BS - nonce_len], nonce, nonce_len);
256 m_nonce_buf[0] = static_cast<uint8_t>(((tag_size() * 8) % (BS * 8)) << (BS <= 16 ? 1 : 0));
257
258 m_nonce_buf[BS - nonce_len - 1] ^= 1;
259
260 const uint8_t bottom = m_nonce_buf[BS - 1] & BOTTOM_MASK;
261 m_nonce_buf[BS - 1] &= ~BOTTOM_MASK;
262
263 const bool need_new_stretch = (m_last_nonce != m_nonce_buf);
264
265 if(need_new_stretch) {
266 m_last_nonce = m_nonce_buf;
267
268 m_cipher->encrypt(m_nonce_buf);
269
270 /*
271 The loop bounds (BS vs BS/2) are derived from the relation
272 between the block size and the MASKLEN. Using the terminology
273 of draft-krovetz-ocb-wide, we have to derive enough bits in
274 ShiftedKtop to read up to BLOCKLEN+bottom bits from Stretch.
275
276 +----------+---------+-------+---------+
277 | BLOCKLEN | RESIDUE | SHIFT | MASKLEN |
278 +----------+---------+-------+---------+
279 | 32 | 141 | 17 | 4 |
280 | 64 | 27 | 25 | 5 |
281 | 96 | 1601 | 33 | 6 |
282 | 128 | 135 | 8 | 6 |
283 | 192 | 135 | 40 | 7 |
284 | 256 | 1061 | 1 | 8 |
285 | 384 | 4109 | 80 | 8 |
286 | 512 | 293 | 176 | 8 |
287 | 1024 | 524355 | 352 | 9 |
288 +----------+---------+-------+---------+
289 */
290 if(BS == 16) {
291 for(size_t i = 0; i != BS / 2; ++i) {
292 m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i + 1]);
293 }
294 } else if(BS == 24) {
295 for(size_t i = 0; i != 16; ++i) {
296 m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i + 5]);
297 }
298 } else if(BS == 32) {
299 for(size_t i = 0; i != BS; ++i) {
300 m_nonce_buf.push_back(m_nonce_buf[i] ^ (m_nonce_buf[i] << 1) ^ (m_nonce_buf[i + 1] >> 7));
301 }
302 } else if(BS == 64) {
303 for(size_t i = 0; i != BS / 2; ++i) {
304 m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i + 22]);
305 }
306 }
307
308 m_stretch = m_nonce_buf;
309 }
310
311 // now set the offset from stretch and bottom
312 const size_t shift_bytes = bottom / 8;
313 const size_t shift_bits = bottom % 8;
314
315 BOTAN_ASSERT(m_stretch.size() >= BS + shift_bytes + 1, "Size ok");
316
317 m_offset.resize(BS);
318 for(size_t i = 0; i != BS; ++i) {
319 m_offset[i] = (m_stretch[i + shift_bytes] << shift_bits);
320 m_offset[i] |= (m_stretch[i + shift_bytes + 1] >> (8 - shift_bits));
321 }
322
323 return m_offset;
324}
325
326void OCB_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
327 if(!valid_nonce_length(nonce_len)) {
328 throw Invalid_IV_Length(name(), nonce_len);
329 }
330
331 assert_key_material_set();
332
333 m_L->init(update_nonce(nonce, nonce_len));
334 zeroise(m_checksum);
335 m_block_index = 0;
336}
337
338void OCB_Encryption::encrypt(uint8_t buffer[], size_t blocks) {
339 assert_key_material_set();
340 BOTAN_STATE_CHECK(m_L->initialized());
341
342 const size_t BS = block_size();
343
344 while(blocks > 0) {
345 const size_t proc_blocks = std::min(blocks, par_blocks());
346 const size_t proc_bytes = proc_blocks * BS;
347
348 const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks);
349
350 xor_buf(m_checksum.data(), buffer, proc_bytes);
351
352 xor_buf(buffer, offsets, proc_bytes);
353 m_cipher->encrypt_n(buffer, buffer, proc_blocks);
354 xor_buf(buffer, offsets, proc_bytes);
355
356 buffer += proc_bytes;
357 blocks -= proc_blocks;
358 m_block_index += proc_blocks;
359 }
360}
361
362size_t OCB_Encryption::process_msg(uint8_t buf[], size_t sz) {
363 BOTAN_ARG_CHECK(sz % update_granularity() == 0, "Invalid OCB input size");
364 encrypt(buf, sz / block_size());
365 return sz;
366}
367
368void OCB_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
369 assert_key_material_set();
370 BOTAN_STATE_CHECK(m_L->initialized());
371
372 const size_t BS = block_size();
373
374 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
375 const size_t sz = buffer.size() - offset;
376 uint8_t* buf = buffer.data() + offset;
377
378 secure_vector<uint8_t> mac(BS);
379
380 if(sz > 0) {
381 const size_t final_full_blocks = sz / BS;
382 const size_t remainder_bytes = sz - (final_full_blocks * BS);
383
384 encrypt(buf, final_full_blocks);
385 mac = m_L->offset();
386
387 if(remainder_bytes > 0) {
388 BOTAN_ASSERT(remainder_bytes < BS, "Only a partial block left");
389 uint8_t* remainder = &buf[sz - remainder_bytes];
390
391 xor_buf(m_checksum.data(), remainder, remainder_bytes);
392 m_checksum[remainder_bytes] ^= 0x80;
393
394 // Offset_*
395 mac ^= m_L->star();
396
397 secure_vector<uint8_t> pad(BS);
398 m_cipher->encrypt(mac, pad);
399 xor_buf(remainder, pad.data(), remainder_bytes);
400 }
401 } else {
402 mac = m_L->offset();
403 }
404
405 // now compute the tag
406
407 // fold checksum
408 for(size_t i = 0; i != m_checksum.size(); i += BS) {
409 xor_buf(mac.data(), m_checksum.data() + i, BS);
410 }
411
412 xor_buf(mac.data(), m_L->dollar().data(), BS);
413 m_cipher->encrypt(mac);
414 xor_buf(mac.data(), m_ad_hash.data(), BS);
415
416 buffer += std::make_pair(mac.data(), tag_size());
417
418 zeroise(m_checksum);
419 m_block_index = 0;
420}
421
422void OCB_Decryption::decrypt(uint8_t buffer[], size_t blocks) {
423 assert_key_material_set();
424 BOTAN_STATE_CHECK(m_L->initialized());
425
426 const size_t BS = block_size();
427
428 while(blocks > 0) {
429 const size_t proc_blocks = std::min(blocks, par_blocks());
430 const size_t proc_bytes = proc_blocks * BS;
431
432 const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks);
433
434 xor_buf(buffer, offsets, proc_bytes);
435 m_cipher->decrypt_n(buffer, buffer, proc_blocks);
436 xor_buf(buffer, offsets, proc_bytes);
437
438 xor_buf(m_checksum.data(), buffer, proc_bytes);
439
440 buffer += proc_bytes;
441 blocks -= proc_blocks;
442 m_block_index += proc_blocks;
443 }
444}
445
446size_t OCB_Decryption::process_msg(uint8_t buf[], size_t sz) {
447 BOTAN_ARG_CHECK(sz % update_granularity() == 0, "Invalid OCB input size");
448 decrypt(buf, sz / block_size());
449 return sz;
450}
451
452void OCB_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
453 assert_key_material_set();
454 BOTAN_STATE_CHECK(m_L->initialized());
455
456 const size_t BS = block_size();
457
458 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
459 const size_t sz = buffer.size() - offset;
460 uint8_t* buf = buffer.data() + offset;
461
462 BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");
463
464 const size_t remaining = sz - tag_size();
465
466 secure_vector<uint8_t> mac(BS);
467
468 if(remaining > 0) {
469 const size_t final_full_blocks = remaining / BS;
470 const size_t final_bytes = remaining - (final_full_blocks * BS);
471
472 decrypt(buf, final_full_blocks);
473 mac ^= m_L->offset();
474
475 if(final_bytes > 0) {
476 BOTAN_ASSERT(final_bytes < BS, "Only a partial block left");
477
478 uint8_t* remainder = &buf[remaining - final_bytes];
479
480 mac ^= m_L->star();
481 secure_vector<uint8_t> pad(BS);
482 m_cipher->encrypt(mac, pad); // P_*
483 xor_buf(remainder, pad.data(), final_bytes);
484
485 xor_buf(m_checksum.data(), remainder, final_bytes);
486 m_checksum[final_bytes] ^= 0x80;
487 }
488 } else {
489 mac = m_L->offset();
490 }
491
492 // compute the mac
493
494 // fold checksum
495 for(size_t i = 0; i != m_checksum.size(); i += BS) {
496 xor_buf(mac.data(), m_checksum.data() + i, BS);
497 }
498
499 mac ^= m_L->dollar();
500 m_cipher->encrypt(mac);
501 mac ^= m_ad_hash;
502
503 // reset state
504 zeroise(m_checksum);
505 m_block_index = 0;
506
507 // compare mac
508 const uint8_t* included_tag = &buf[remaining];
509
510 if(!CT::is_equal(mac.data(), included_tag, tag_size()).as_bool()) {
511 clear_mem(std::span{buffer}.subspan(offset, remaining));
512 throw Invalid_Authentication_Tag("OCB tag check failed");
513 }
514
515 // remove tag from end of message
516 buffer.resize(remaining + offset);
517}
518
519} // namespace Botan
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
Botan::Key_Length_Specification
Definition sym_algo.h:22
Botan::OCB_Mode::m_block_index
uint64_t m_block_index
Definition ocb.h:74
Botan::OCB_Mode::block_size
size_t block_size() const
Definition ocb.h:64
Botan::OCB_Mode::par_blocks
size_t par_blocks() const
Definition ocb.h:66
Botan::OCB_Mode::key_spec
Key_Length_Specification key_spec() const final
Definition ocb.cpp:223
Botan::OCB_Mode::tag_size
size_t tag_size() const final
Definition ocb.h:47
Botan::OCB_Mode::m_checksum
secure_vector< uint8_t > m_checksum
Definition ocb.h:76
Botan::OCB_Mode::~OCB_Mode
~OCB_Mode() override
Botan::OCB_Mode::name
std::string name() const final
Definition ocb.cpp:211
Botan::OCB_Mode::valid_nonce_length
bool valid_nonce_length(size_t length) const final
Definition ocb.cpp:200
Botan::OCB_Mode::m_cipher
std::unique_ptr< BlockCipher > m_cipher
Definition ocb.h:71
Botan::OCB_Mode::m_ad_hash
secure_vector< uint8_t > m_ad_hash
Definition ocb.h:77
Botan::OCB_Mode::ideal_granularity
size_t ideal_granularity() const final
Definition ocb.cpp:219
Botan::OCB_Mode::has_keying_material
bool has_keying_material() const final
Definition ocb.cpp:227
Botan::OCB_Mode::clear
void clear() final
Definition ocb.cpp:184
Botan::OCB_Mode::reset
void reset() final
Definition ocb.cpp:190
Botan::OCB_Mode::OCB_Mode
OCB_Mode(std::unique_ptr< BlockCipher > cipher, size_t tag_size)
Definition ocb.cpp:162
Botan::OCB_Mode::set_associated_data_n
void set_associated_data_n(size_t idx, std::span< const uint8_t > ad) final
Definition ocb.cpp:236
Botan::OCB_Mode::update_granularity
size_t update_granularity() const final
Definition ocb.cpp:215
Botan::OCB_Mode::m_L
std::unique_ptr< L_computer > m_L
Definition ocb.h:72
Botan::SymmetricAlgorithm::assert_key_material_set
void assert_key_material_set() const
Definition sym_algo.h:145
Botan::CT::is_equal
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:798
Botan::zeroise
void zeroise(std::vector< T, Alloc > &vec)
Definition secmem.h:137
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:144
Botan::var_ctz64
BOTAN_FORCE_INLINE constexpr size_t var_ctz64(uint64_t n)
Definition bit_ops.h:180
Botan::xor_buf
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:341
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Botan::poly_double_n
void poly_double_n(uint8_t out[], const uint8_t in[], size_t n)
Definition poly_dbl.cpp:81
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:118
Generated by doxygen 1.16.1