Botan 3.8.1
Crypto and TLS for C&
ocb.cpp
Go to the documentation of this file.
1/*
2* OCB Mode
3* (C) 2013,2017 Jack Lloyd
4* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/ocb.h>
10
11#include <botan/block_cipher.h>
12#include <botan/mem_ops.h>
13#include <botan/internal/bit_ops.h>
14#include <botan/internal/ct_utils.h>
15#include <botan/internal/poly_dbl.h>
16
17namespace Botan {
18
19// Has to be in Botan namespace so unique_ptr can reference it
20class L_computer final {
21 public:
22 explicit L_computer(const BlockCipher& cipher) :
23 m_BS(cipher.block_size()), m_max_blocks(cipher.parallel_bytes() / m_BS) {
24 m_L_star.resize(m_BS);
25 cipher.encrypt(m_L_star);
26 m_L_dollar = poly_double(star());
27
28 // Preallocate the m_L vector to the maximum expected size to avoid
29 // re-allocations during runtime. This had caused a use-after-free in
30 // earlier versions, due to references into this buffer becoming stale
31 // in `compute_offset()`, after calling `get()` in the hot path.
32 //
33 // Note, that the list member won't be pre-allocated, so the expected
34 // memory overhead is negligible.
35 //
36 // See also https://github.com/randombit/botan/issues/3812
37 m_L.reserve(31);
38 m_L.push_back(poly_double(dollar()));
39
40 while(m_L.size() < 8) {
41 m_L.push_back(poly_double(m_L.back()));
42 }
43
44 m_offset_buf.resize(m_BS * m_max_blocks);
45 }
46
47 void init(const secure_vector<uint8_t>& offset) { m_offset = offset; }
48
49 bool initialized() const { return m_offset.empty() == false; }
50
51 const secure_vector<uint8_t>& star() const { return m_L_star; }
52
53 const secure_vector<uint8_t>& dollar() const { return m_L_dollar; }
54
55 const secure_vector<uint8_t>& offset() const { return m_offset; }
56
57 const secure_vector<uint8_t>& get(size_t i) const {
58 while(m_L.size() <= i) {
59 m_L.push_back(poly_double(m_L.back()));
60 }
61
62 return m_L[i];
63 }
64
65 const uint8_t* compute_offsets(size_t block_index, size_t blocks) {
66 BOTAN_ASSERT(blocks <= m_max_blocks, "OCB offsets");
67
68 uint8_t* offsets = m_offset_buf.data();
69
70 if(block_index % 4 == 0) {
71 const secure_vector<uint8_t>& L0 = get(0);
72 const secure_vector<uint8_t>& L1 = get(1);
73
74 while(blocks >= 4) {
75 // ntz(4*i+1) == 0
76 // ntz(4*i+2) == 1
77 // ntz(4*i+3) == 0
78 block_index += 4;
79 const size_t ntz4 = var_ctz32(static_cast<uint32_t>(block_index));
80
81 xor_buf(offsets, m_offset.data(), L0.data(), m_BS);
82 offsets += m_BS;
83
84 xor_buf(offsets, offsets - m_BS, L1.data(), m_BS);
85 offsets += m_BS;
86
87 xor_buf(m_offset.data(), L1.data(), m_BS);
88 copy_mem(offsets, m_offset.data(), m_BS);
89 offsets += m_BS;
90
91 xor_buf(m_offset.data(), get(ntz4).data(), m_BS);
92 copy_mem(offsets, m_offset.data(), m_BS);
93 offsets += m_BS;
94
95 blocks -= 4;
96 }
97 }
98
99 for(size_t i = 0; i != blocks; ++i) { // could be done in parallel
100 const size_t ntz = var_ctz32(static_cast<uint32_t>(block_index + i + 1));
101 xor_buf(m_offset.data(), get(ntz).data(), m_BS);
102 copy_mem(offsets, m_offset.data(), m_BS);
103 offsets += m_BS;
104 }
105
106 return m_offset_buf.data();
107 }
108
109 private:
110 static secure_vector<uint8_t> poly_double(const secure_vector<uint8_t>& in) {
111 secure_vector<uint8_t> out(in.size());
112 poly_double_n(out.data(), in.data(), out.size());
113 return out;
114 }
115
116 const size_t m_BS, m_max_blocks;
117 secure_vector<uint8_t> m_L_dollar, m_L_star;
118 secure_vector<uint8_t> m_offset;
119 mutable std::vector<secure_vector<uint8_t>> m_L;
120 secure_vector<uint8_t> m_offset_buf;
121};
122
123namespace {
124
125/*
126* OCB's HASH
127*/
128secure_vector<uint8_t> ocb_hash(const L_computer& L, const BlockCipher& cipher, const uint8_t ad[], size_t ad_len) {
129 const size_t BS = cipher.block_size();
131 secure_vector<uint8_t> offset(BS);
132
134
135 const size_t ad_blocks = (ad_len / BS);
136 const size_t ad_remainder = (ad_len % BS);
137
138 for(size_t i = 0; i != ad_blocks; ++i) {
139 // this loop could run in parallel
140 offset ^= L.get(var_ctz32(static_cast<uint32_t>(i + 1)));
141 buf = offset;
142 xor_buf(buf.data(), &ad[BS * i], BS);
143 cipher.encrypt(buf);
144 sum ^= buf;
145 }
146
147 if(ad_remainder) {
148 offset ^= L.star();
149 buf = offset;
150 xor_buf(buf.data(), &ad[BS * ad_blocks], ad_remainder);
151 buf[ad_remainder] ^= 0x80;
152 cipher.encrypt(buf);
153 sum ^= buf;
154 }
155
156 return sum;
157}
158
159} // namespace
160
161OCB_Mode::OCB_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size) :
162 m_cipher(std::move(cipher)),
163 m_checksum(m_cipher->parallel_bytes()),
165 m_tag_size(tag_size),
166 m_block_size(m_cipher->block_size()),
167 m_par_blocks(m_cipher->parallel_bytes() / m_block_size) {
168 const size_t BS = block_size();
169
170 /*
171 * draft-krovetz-ocb-wide-d1 specifies OCB for several other block
172 * sizes but only 128, 192, 256 and 512 bit are currently supported
173 * by this implementation.
174 */
175 BOTAN_ARG_CHECK(BS == 16 || BS == 24 || BS == 32 || BS == 64, "Invalid block size for OCB");
176
177 BOTAN_ARG_CHECK(m_tag_size % 4 == 0 && m_tag_size >= 8 && m_tag_size <= BS && m_tag_size <= 32,
178 "Invalid OCB tag length");
179}
180
181OCB_Mode::~OCB_Mode() = default;
182
184 m_cipher->clear();
185 m_L.reset(); // add clear here?
186 reset();
187}
188
190 m_block_index = 0;
193 m_last_nonce.clear();
194 m_stretch.clear();
195}
196
197bool OCB_Mode::valid_nonce_length(size_t length) const {
198 if(length == 0) {
199 return false;
200 }
201 if(block_size() == 16) {
202 return length < 16;
203 } else {
204 return length < (block_size() - 1);
205 }
206}
207
208std::string OCB_Mode::name() const {
209 return m_cipher->name() + "/OCB"; // include tag size?
210}
211
213 return block_size();
214}
215
217 return (m_par_blocks * block_size());
218}
219
221 return m_cipher->key_spec();
222}
223
225 return m_cipher->has_keying_material();
226}
227
228void OCB_Mode::key_schedule(std::span<const uint8_t> key) {
229 m_cipher->set_key(key);
230 m_L = std::make_unique<L_computer>(*m_cipher);
231}
232
233void OCB_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {
234 BOTAN_ARG_CHECK(idx == 0, "OCB: cannot handle non-zero index in set_associated_data_n");
236 m_ad_hash = ocb_hash(*m_L, *m_cipher, ad.data(), ad.size());
237}
238
239const secure_vector<uint8_t>& OCB_Mode::update_nonce(const uint8_t nonce[], size_t nonce_len) {
240 const size_t BS = block_size();
241
242 BOTAN_ASSERT(BS == 16 || BS == 24 || BS == 32 || BS == 64, "OCB block size is supported");
243
244 // NOLINTNEXTLINE(readability-avoid-nested-conditional-operator)
245 const size_t MASKLEN = (BS == 16 ? 6 : ((BS == 24) ? 7 : 8));
246
247 const uint8_t BOTTOM_MASK = static_cast<uint8_t>((static_cast<uint16_t>(1) << MASKLEN) - 1);
248
249 m_nonce_buf.resize(BS);
250 clear_mem(&m_nonce_buf[0], m_nonce_buf.size());
251
252 copy_mem(&m_nonce_buf[BS - nonce_len], nonce, nonce_len);
253 m_nonce_buf[0] = static_cast<uint8_t>(((tag_size() * 8) % (BS * 8)) << (BS <= 16 ? 1 : 0));
254
255 m_nonce_buf[BS - nonce_len - 1] ^= 1;
256
257 const uint8_t bottom = m_nonce_buf[BS - 1] & BOTTOM_MASK;
258 m_nonce_buf[BS - 1] &= ~BOTTOM_MASK;
259
260 const bool need_new_stretch = (m_last_nonce != m_nonce_buf);
261
262 if(need_new_stretch) {
263 m_last_nonce = m_nonce_buf;
264
265 m_cipher->encrypt(m_nonce_buf);
266
267 /*
268 The loop bounds (BS vs BS/2) are derived from the relation
269 between the block size and the MASKLEN. Using the terminology
270 of draft-krovetz-ocb-wide, we have to derive enough bits in
271 ShiftedKtop to read up to BLOCKLEN+bottom bits from Stretch.
272
273 +----------+---------+-------+---------+
274 | BLOCKLEN | RESIDUE | SHIFT | MASKLEN |
275 +----------+---------+-------+---------+
276 | 32 | 141 | 17 | 4 |
277 | 64 | 27 | 25 | 5 |
278 | 96 | 1601 | 33 | 6 |
279 | 128 | 135 | 8 | 6 |
280 | 192 | 135 | 40 | 7 |
281 | 256 | 1061 | 1 | 8 |
282 | 384 | 4109 | 80 | 8 |
283 | 512 | 293 | 176 | 8 |
284 | 1024 | 524355 | 352 | 9 |
285 +----------+---------+-------+---------+
286 */
287 if(BS == 16) {
288 for(size_t i = 0; i != BS / 2; ++i) {
289 m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i + 1]);
290 }
291 } else if(BS == 24) {
292 for(size_t i = 0; i != 16; ++i) {
293 m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i + 5]);
294 }
295 } else if(BS == 32) {
296 for(size_t i = 0; i != BS; ++i) {
297 m_nonce_buf.push_back(m_nonce_buf[i] ^ (m_nonce_buf[i] << 1) ^ (m_nonce_buf[i + 1] >> 7));
298 }
299 } else if(BS == 64) {
300 for(size_t i = 0; i != BS / 2; ++i) {
301 m_nonce_buf.push_back(m_nonce_buf[i] ^ m_nonce_buf[i + 22]);
302 }
303 }
304
305 m_stretch = m_nonce_buf;
306 }
307
308 // now set the offset from stretch and bottom
309 const size_t shift_bytes = bottom / 8;
310 const size_t shift_bits = bottom % 8;
311
312 BOTAN_ASSERT(m_stretch.size() >= BS + shift_bytes + 1, "Size ok");
313
314 m_offset.resize(BS);
315 for(size_t i = 0; i != BS; ++i) {
316 m_offset[i] = (m_stretch[i + shift_bytes] << shift_bits);
317 m_offset[i] |= (m_stretch[i + shift_bytes + 1] >> (8 - shift_bits));
318 }
319
320 return m_offset;
321}
322
323void OCB_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
324 if(!valid_nonce_length(nonce_len)) {
325 throw Invalid_IV_Length(name(), nonce_len);
326 }
327
329
330 m_L->init(update_nonce(nonce, nonce_len));
332 m_block_index = 0;
333}
334
335void OCB_Encryption::encrypt(uint8_t buffer[], size_t blocks) {
337 BOTAN_STATE_CHECK(m_L->initialized());
338
339 const size_t BS = block_size();
340
341 while(blocks) {
342 const size_t proc_blocks = std::min(blocks, par_blocks());
343 const size_t proc_bytes = proc_blocks * BS;
344
345 const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks);
346
347 xor_buf(m_checksum.data(), buffer, proc_bytes);
348
349 xor_buf(buffer, offsets, proc_bytes);
350 m_cipher->encrypt_n(buffer, buffer, proc_blocks);
351 xor_buf(buffer, offsets, proc_bytes);
352
353 buffer += proc_bytes;
354 blocks -= proc_blocks;
355 m_block_index += proc_blocks;
356 }
357}
358
359size_t OCB_Encryption::process_msg(uint8_t buf[], size_t sz) {
360 BOTAN_ARG_CHECK(sz % update_granularity() == 0, "Invalid OCB input size");
361 encrypt(buf, sz / block_size());
362 return sz;
363}
364
365void OCB_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
367 BOTAN_STATE_CHECK(m_L->initialized());
368
369 const size_t BS = block_size();
370
371 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
372 const size_t sz = buffer.size() - offset;
373 uint8_t* buf = buffer.data() + offset;
374
376
377 if(sz) {
378 const size_t final_full_blocks = sz / BS;
379 const size_t remainder_bytes = sz - (final_full_blocks * BS);
380
381 encrypt(buf, final_full_blocks);
382 mac = m_L->offset();
383
384 if(remainder_bytes) {
385 BOTAN_ASSERT(remainder_bytes < BS, "Only a partial block left");
386 uint8_t* remainder = &buf[sz - remainder_bytes];
387
388 xor_buf(m_checksum.data(), remainder, remainder_bytes);
389 m_checksum[remainder_bytes] ^= 0x80;
390
391 // Offset_*
392 mac ^= m_L->star();
393
395 m_cipher->encrypt(mac, pad);
396 xor_buf(remainder, pad.data(), remainder_bytes);
397 }
398 } else {
399 mac = m_L->offset();
400 }
401
402 // now compute the tag
403
404 // fold checksum
405 for(size_t i = 0; i != m_checksum.size(); i += BS) {
406 xor_buf(mac.data(), m_checksum.data() + i, BS);
407 }
408
409 xor_buf(mac.data(), m_L->dollar().data(), BS);
410 m_cipher->encrypt(mac);
411 xor_buf(mac.data(), m_ad_hash.data(), BS);
412
413 buffer += std::make_pair(mac.data(), tag_size());
414
416 m_block_index = 0;
417}
418
419void OCB_Decryption::decrypt(uint8_t buffer[], size_t blocks) {
421 BOTAN_STATE_CHECK(m_L->initialized());
422
423 const size_t BS = block_size();
424
425 while(blocks) {
426 const size_t proc_blocks = std::min(blocks, par_blocks());
427 const size_t proc_bytes = proc_blocks * BS;
428
429 const uint8_t* offsets = m_L->compute_offsets(m_block_index, proc_blocks);
430
431 xor_buf(buffer, offsets, proc_bytes);
432 m_cipher->decrypt_n(buffer, buffer, proc_blocks);
433 xor_buf(buffer, offsets, proc_bytes);
434
435 xor_buf(m_checksum.data(), buffer, proc_bytes);
436
437 buffer += proc_bytes;
438 blocks -= proc_blocks;
439 m_block_index += proc_blocks;
440 }
441}
442
443size_t OCB_Decryption::process_msg(uint8_t buf[], size_t sz) {
444 BOTAN_ARG_CHECK(sz % update_granularity() == 0, "Invalid OCB input size");
445 decrypt(buf, sz / block_size());
446 return sz;
447}
448
449void OCB_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
451 BOTAN_STATE_CHECK(m_L->initialized());
452
453 const size_t BS = block_size();
454
455 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
456 const size_t sz = buffer.size() - offset;
457 uint8_t* buf = buffer.data() + offset;
458
459 BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");
460
461 const size_t remaining = sz - tag_size();
462
464
465 if(remaining) {
466 const size_t final_full_blocks = remaining / BS;
467 const size_t final_bytes = remaining - (final_full_blocks * BS);
468
469 decrypt(buf, final_full_blocks);
470 mac ^= m_L->offset();
471
472 if(final_bytes) {
473 BOTAN_ASSERT(final_bytes < BS, "Only a partial block left");
474
475 uint8_t* remainder = &buf[remaining - final_bytes];
476
477 mac ^= m_L->star();
479 m_cipher->encrypt(mac, pad); // P_*
480 xor_buf(remainder, pad.data(), final_bytes);
481
482 xor_buf(m_checksum.data(), remainder, final_bytes);
483 m_checksum[final_bytes] ^= 0x80;
484 }
485 } else {
486 mac = m_L->offset();
487 }
488
489 // compute the mac
490
491 // fold checksum
492 for(size_t i = 0; i != m_checksum.size(); i += BS) {
493 xor_buf(mac.data(), m_checksum.data() + i, BS);
494 }
495
496 mac ^= m_L->dollar();
497 m_cipher->encrypt(mac);
498 mac ^= m_ad_hash;
499
500 // reset state
502 m_block_index = 0;
503
504 // compare mac
505 const uint8_t* included_tag = &buf[remaining];
506
507 if(!CT::is_equal(mac.data(), included_tag, tag_size()).as_bool()) {
508 throw Invalid_Authentication_Tag("OCB tag check failed");
509 }
510
511 // remove tag from end of message
512 buffer.resize(remaining + offset);
513}
514
515} // namespace Botan
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:43
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:31
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:52
std::string name() const override final
Definition ocb.cpp:208
size_t block_size() const
Definition ocb.h:64
size_t par_blocks() const
Definition ocb.h:66
size_t tag_size() const override final
Definition ocb.h:47
bool has_keying_material() const override final
Definition ocb.cpp:224
size_t ideal_granularity() const override final
Definition ocb.cpp:216
bool valid_nonce_length(size_t) const override final
Definition ocb.cpp:197
void reset() override final
Definition ocb.cpp:189
secure_vector< uint8_t > m_checksum
Definition ocb.h:76
std::unique_ptr< BlockCipher > m_cipher
Definition ocb.h:71
secure_vector< uint8_t > m_ad_hash
Definition ocb.h:77
void clear() override final
Definition ocb.cpp:183
void set_associated_data_n(size_t idx, std::span< const uint8_t > ad) override final
Definition ocb.cpp:233
size_t update_granularity() const override final
Definition ocb.cpp:212
size_t m_block_index
Definition ocb.h:74
Key_Length_Specification key_spec() const override final
Definition ocb.cpp:220
OCB_Mode(std::unique_ptr< BlockCipher > cipher, size_t tag_size)
Definition ocb.cpp:161
std::unique_ptr< L_computer > m_L
Definition ocb.h:72
void assert_key_material_set() const
Definition sym_algo.h:141
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:789
void zeroise(std::vector< T, Alloc > &vec)
Definition secmem.h:115
constexpr size_t var_ctz32(uint32_t n)
Definition bit_ops.h:175
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:344
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:65
void poly_double_n(uint8_t out[], const uint8_t in[], size_t n)
Definition poly_dbl.cpp:81
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:149
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:123