2
0

ocb128.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571
  1. /*
  2. * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <string.h>
  10. #include <openssl/crypto.h>
  11. #include <openssl/err.h>
  12. #include "modes_lcl.h"
  13. #ifndef OPENSSL_NO_OCB
  14. /*
  15. * Calculate the number of binary trailing zero's in any given number
  16. */
  17. static u32 ocb_ntz(u64 n)
  18. {
  19. u32 cnt = 0;
  20. /*
  21. * We do a right-to-left simple sequential search. This is surprisingly
  22. * efficient as the distribution of trailing zeros is not uniform,
  23. * e.g. the number of possible inputs with no trailing zeros is equal to
  24. * the number with 1 or more; the number with exactly 1 is equal to the
  25. * number with 2 or more, etc. Checking the last two bits covers 75% of
  26. * all numbers. Checking the last three covers 87.5%
  27. */
  28. while (!(n & 1)) {
  29. n >>= 1;
  30. cnt++;
  31. }
  32. return cnt;
  33. }
  34. /*
  35. * Shift a block of 16 bytes left by shift bits
  36. */
  37. static void ocb_block_lshift(const unsigned char *in, size_t shift,
  38. unsigned char *out)
  39. {
  40. unsigned char shift_mask;
  41. int i;
  42. unsigned char mask[15];
  43. shift_mask = 0xff;
  44. shift_mask <<= (8 - shift);
  45. for (i = 15; i >= 0; i--) {
  46. if (i > 0) {
  47. mask[i - 1] = in[i] & shift_mask;
  48. mask[i - 1] >>= 8 - shift;
  49. }
  50. out[i] = in[i] << shift;
  51. if (i != 15) {
  52. out[i] ^= mask[i];
  53. }
  54. }
  55. }
  56. /*
  57. * Perform a "double" operation as per OCB spec
  58. */
  59. static void ocb_double(OCB_BLOCK *in, OCB_BLOCK *out)
  60. {
  61. unsigned char mask;
  62. /*
  63. * Calculate the mask based on the most significant bit. There are more
  64. * efficient ways to do this - but this way is constant time
  65. */
  66. mask = in->c[0] & 0x80;
  67. mask >>= 7;
  68. mask *= 135;
  69. ocb_block_lshift(in->c, 1, out->c);
  70. out->c[15] ^= mask;
  71. }
  72. /*
  73. * Perform an xor on in1 and in2 - each of len bytes. Store result in out
  74. */
  75. static void ocb_block_xor(const unsigned char *in1,
  76. const unsigned char *in2, size_t len,
  77. unsigned char *out)
  78. {
  79. size_t i;
  80. for (i = 0; i < len; i++) {
  81. out[i] = in1[i] ^ in2[i];
  82. }
  83. }
  84. /*
  85. * Lookup L_index in our lookup table. If we haven't already got it we need to
  86. * calculate it
  87. */
  88. static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx)
  89. {
  90. size_t l_index = ctx->l_index;
  91. if (idx <= l_index) {
  92. return ctx->l + idx;
  93. }
  94. /* We don't have it - so calculate it */
  95. if (idx >= ctx->max_l_index) {
  96. void *tmp_ptr;
  97. /*
  98. * Each additional entry allows to process almost double as
  99. * much data, so that in linear world the table will need to
  100. * be expanded with smaller and smaller increments. Originally
  101. * it was doubling in size, which was a waste. Growing it
  102. * linearly is not formally optimal, but is simpler to implement.
  103. * We grow table by minimally required 4*n that would accommodate
  104. * the index.
  105. */
  106. ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3;
  107. tmp_ptr =
  108. OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK));
  109. if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */
  110. return NULL;
  111. ctx->l = tmp_ptr;
  112. }
  113. while (l_index < idx) {
  114. ocb_double(ctx->l + l_index, ctx->l + l_index + 1);
  115. l_index++;
  116. }
  117. ctx->l_index = l_index;
  118. return ctx->l + idx;
  119. }
  120. /*
  121. * Create a new OCB128_CONTEXT
  122. */
  123. OCB128_CONTEXT *CRYPTO_ocb128_new(void *keyenc, void *keydec,
  124. block128_f encrypt, block128_f decrypt,
  125. ocb128_f stream)
  126. {
  127. OCB128_CONTEXT *octx;
  128. int ret;
  129. if ((octx = OPENSSL_malloc(sizeof(*octx))) != NULL) {
  130. ret = CRYPTO_ocb128_init(octx, keyenc, keydec, encrypt, decrypt,
  131. stream);
  132. if (ret)
  133. return octx;
  134. OPENSSL_free(octx);
  135. }
  136. return NULL;
  137. }
  138. /*
  139. * Initialise an existing OCB128_CONTEXT
  140. */
  141. int CRYPTO_ocb128_init(OCB128_CONTEXT *ctx, void *keyenc, void *keydec,
  142. block128_f encrypt, block128_f decrypt,
  143. ocb128_f stream)
  144. {
  145. memset(ctx, 0, sizeof(*ctx));
  146. ctx->l_index = 0;
  147. ctx->max_l_index = 5;
  148. if ((ctx->l = OPENSSL_malloc(ctx->max_l_index * 16)) == NULL) {
  149. CRYPTOerr(CRYPTO_F_CRYPTO_OCB128_INIT, ERR_R_MALLOC_FAILURE);
  150. return 0;
  151. }
  152. /*
  153. * We set both the encryption and decryption key schedules - decryption
  154. * needs both. Don't really need decryption schedule if only doing
  155. * encryption - but it simplifies things to take it anyway
  156. */
  157. ctx->encrypt = encrypt;
  158. ctx->decrypt = decrypt;
  159. ctx->stream = stream;
  160. ctx->keyenc = keyenc;
  161. ctx->keydec = keydec;
  162. /* L_* = ENCIPHER(K, zeros(128)) */
  163. ctx->encrypt(ctx->l_star.c, ctx->l_star.c, ctx->keyenc);
  164. /* L_$ = double(L_*) */
  165. ocb_double(&ctx->l_star, &ctx->l_dollar);
  166. /* L_0 = double(L_$) */
  167. ocb_double(&ctx->l_dollar, ctx->l);
  168. /* L_{i} = double(L_{i-1}) */
  169. ocb_double(ctx->l, ctx->l+1);
  170. ocb_double(ctx->l+1, ctx->l+2);
  171. ocb_double(ctx->l+2, ctx->l+3);
  172. ocb_double(ctx->l+3, ctx->l+4);
  173. ctx->l_index = 4; /* enough to process up to 496 bytes */
  174. return 1;
  175. }
  176. /*
  177. * Copy an OCB128_CONTEXT object
  178. */
  179. int CRYPTO_ocb128_copy_ctx(OCB128_CONTEXT *dest, OCB128_CONTEXT *src,
  180. void *keyenc, void *keydec)
  181. {
  182. memcpy(dest, src, sizeof(OCB128_CONTEXT));
  183. if (keyenc)
  184. dest->keyenc = keyenc;
  185. if (keydec)
  186. dest->keydec = keydec;
  187. if (src->l) {
  188. if ((dest->l = OPENSSL_malloc(src->max_l_index * 16)) == NULL) {
  189. CRYPTOerr(CRYPTO_F_CRYPTO_OCB128_COPY_CTX, ERR_R_MALLOC_FAILURE);
  190. return 0;
  191. }
  192. memcpy(dest->l, src->l, (src->l_index + 1) * 16);
  193. }
  194. return 1;
  195. }
  196. /*
  197. * Set the IV to be used for this operation. Must be 1 - 15 bytes.
  198. */
  199. int CRYPTO_ocb128_setiv(OCB128_CONTEXT *ctx, const unsigned char *iv,
  200. size_t len, size_t taglen)
  201. {
  202. unsigned char ktop[16], tmp[16], mask;
  203. unsigned char stretch[24], nonce[16];
  204. size_t bottom, shift;
  205. /*
  206. * Spec says IV is 120 bits or fewer - it allows non byte aligned lengths.
  207. * We don't support this at this stage
  208. */
  209. if ((len > 15) || (len < 1) || (taglen > 16) || (taglen < 1)) {
  210. return -1;
  211. }
  212. /* Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N */
  213. nonce[0] = ((taglen * 8) % 128) << 1;
  214. memset(nonce + 1, 0, 15);
  215. memcpy(nonce + 16 - len, iv, len);
  216. nonce[15 - len] |= 1;
  217. /* Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6)) */
  218. memcpy(tmp, nonce, 16);
  219. tmp[15] &= 0xc0;
  220. ctx->encrypt(tmp, ktop, ctx->keyenc);
  221. /* Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72]) */
  222. memcpy(stretch, ktop, 16);
  223. ocb_block_xor(ktop, ktop + 1, 8, stretch + 16);
  224. /* bottom = str2num(Nonce[123..128]) */
  225. bottom = nonce[15] & 0x3f;
  226. /* Offset_0 = Stretch[1+bottom..128+bottom] */
  227. shift = bottom % 8;
  228. ocb_block_lshift(stretch + (bottom / 8), shift, ctx->offset.c);
  229. mask = 0xff;
  230. mask <<= 8 - shift;
  231. ctx->offset.c[15] |=
  232. (*(stretch + (bottom / 8) + 16) & mask) >> (8 - shift);
  233. return 1;
  234. }
  235. /*
  236. * Provide any AAD. This can be called multiple times. Only the final time can
  237. * have a partial block
  238. */
  239. int CRYPTO_ocb128_aad(OCB128_CONTEXT *ctx, const unsigned char *aad,
  240. size_t len)
  241. {
  242. u64 i, all_num_blocks;
  243. size_t num_blocks, last_len;
  244. OCB_BLOCK tmp;
  245. /* Calculate the number of blocks of AAD provided now, and so far */
  246. num_blocks = len / 16;
  247. all_num_blocks = num_blocks + ctx->blocks_hashed;
  248. /* Loop through all full blocks of AAD */
  249. for (i = ctx->blocks_hashed + 1; i <= all_num_blocks; i++) {
  250. OCB_BLOCK *lookup;
  251. /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
  252. lookup = ocb_lookup_l(ctx, ocb_ntz(i));
  253. if (lookup == NULL)
  254. return 0;
  255. ocb_block16_xor(&ctx->offset_aad, lookup, &ctx->offset_aad);
  256. memcpy(tmp.c, aad, 16);
  257. aad += 16;
  258. /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */
  259. ocb_block16_xor(&ctx->offset_aad, &tmp, &tmp);
  260. ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
  261. ocb_block16_xor(&tmp, &ctx->sum, &ctx->sum);
  262. }
  263. /*
  264. * Check if we have any partial blocks left over. This is only valid in the
  265. * last call to this function
  266. */
  267. last_len = len % 16;
  268. if (last_len > 0) {
  269. /* Offset_* = Offset_m xor L_* */
  270. ocb_block16_xor(&ctx->offset_aad, &ctx->l_star, &ctx->offset_aad);
  271. /* CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_* */
  272. memset(tmp.c, 0, 16);
  273. memcpy(tmp.c, aad, last_len);
  274. tmp.c[last_len] = 0x80;
  275. ocb_block16_xor(&ctx->offset_aad, &tmp, &tmp);
  276. /* Sum = Sum_m xor ENCIPHER(K, CipherInput) */
  277. ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
  278. ocb_block16_xor(&tmp, &ctx->sum, &ctx->sum);
  279. }
  280. ctx->blocks_hashed = all_num_blocks;
  281. return 1;
  282. }
  283. /*
  284. * Provide any data to be encrypted. This can be called multiple times. Only
  285. * the final time can have a partial block
  286. */
  287. int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
  288. const unsigned char *in, unsigned char *out,
  289. size_t len)
  290. {
  291. u64 i, all_num_blocks;
  292. size_t num_blocks, last_len;
  293. /*
  294. * Calculate the number of blocks of data to be encrypted provided now, and
  295. * so far
  296. */
  297. num_blocks = len / 16;
  298. all_num_blocks = num_blocks + ctx->blocks_processed;
  299. if (num_blocks && all_num_blocks == (size_t)all_num_blocks
  300. && ctx->stream != NULL) {
  301. size_t max_idx = 0, top = (size_t)all_num_blocks;
  302. /*
  303. * See how many L_{i} entries we need to process data at hand
  304. * and pre-compute missing entries in the table [if any]...
  305. */
  306. while (top >>= 1)
  307. max_idx++;
  308. if (ocb_lookup_l(ctx, max_idx) == NULL)
  309. return 0;
  310. ctx->stream(in, out, num_blocks, ctx->keyenc,
  311. (size_t)ctx->blocks_processed + 1, ctx->offset.c,
  312. (const unsigned char (*)[16])ctx->l, ctx->checksum.c);
  313. } else {
  314. /* Loop through all full blocks to be encrypted */
  315. for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) {
  316. OCB_BLOCK *lookup;
  317. OCB_BLOCK tmp;
  318. /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
  319. lookup = ocb_lookup_l(ctx, ocb_ntz(i));
  320. if (lookup == NULL)
  321. return 0;
  322. ocb_block16_xor(&ctx->offset, lookup, &ctx->offset);
  323. memcpy(tmp.c, in, 16);
  324. in += 16;
  325. /* Checksum_i = Checksum_{i-1} xor P_i */
  326. ocb_block16_xor(&tmp, &ctx->checksum, &ctx->checksum);
  327. /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */
  328. ocb_block16_xor(&ctx->offset, &tmp, &tmp);
  329. ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
  330. ocb_block16_xor(&ctx->offset, &tmp, &tmp);
  331. memcpy(out, tmp.c, 16);
  332. out += 16;
  333. }
  334. }
  335. /*
  336. * Check if we have any partial blocks left over. This is only valid in the
  337. * last call to this function
  338. */
  339. last_len = len % 16;
  340. if (last_len > 0) {
  341. OCB_BLOCK pad;
  342. /* Offset_* = Offset_m xor L_* */
  343. ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset);
  344. /* Pad = ENCIPHER(K, Offset_*) */
  345. ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc);
  346. /* C_* = P_* xor Pad[1..bitlen(P_*)] */
  347. ocb_block_xor(in, pad.c, last_len, out);
  348. /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */
  349. memset(pad.c, 0, 16); /* borrow pad */
  350. memcpy(pad.c, in, last_len);
  351. pad.c[last_len] = 0x80;
  352. ocb_block16_xor(&pad, &ctx->checksum, &ctx->checksum);
  353. }
  354. ctx->blocks_processed = all_num_blocks;
  355. return 1;
  356. }
  357. /*
  358. * Provide any data to be decrypted. This can be called multiple times. Only
  359. * the final time can have a partial block
  360. */
  361. int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
  362. const unsigned char *in, unsigned char *out,
  363. size_t len)
  364. {
  365. u64 i, all_num_blocks;
  366. size_t num_blocks, last_len;
  367. /*
  368. * Calculate the number of blocks of data to be decrypted provided now, and
  369. * so far
  370. */
  371. num_blocks = len / 16;
  372. all_num_blocks = num_blocks + ctx->blocks_processed;
  373. if (num_blocks && all_num_blocks == (size_t)all_num_blocks
  374. && ctx->stream != NULL) {
  375. size_t max_idx = 0, top = (size_t)all_num_blocks;
  376. /*
  377. * See how many L_{i} entries we need to process data at hand
  378. * and pre-compute missing entries in the table [if any]...
  379. */
  380. while (top >>= 1)
  381. max_idx++;
  382. if (ocb_lookup_l(ctx, max_idx) == NULL)
  383. return 0;
  384. ctx->stream(in, out, num_blocks, ctx->keydec,
  385. (size_t)ctx->blocks_processed + 1, ctx->offset.c,
  386. (const unsigned char (*)[16])ctx->l, ctx->checksum.c);
  387. } else {
  388. OCB_BLOCK tmp;
  389. /* Loop through all full blocks to be decrypted */
  390. for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) {
  391. /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
  392. OCB_BLOCK *lookup = ocb_lookup_l(ctx, ocb_ntz(i));
  393. if (lookup == NULL)
  394. return 0;
  395. ocb_block16_xor(&ctx->offset, lookup, &ctx->offset);
  396. memcpy(tmp.c, in, 16);
  397. in += 16;
  398. /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */
  399. ocb_block16_xor(&ctx->offset, &tmp, &tmp);
  400. ctx->decrypt(tmp.c, tmp.c, ctx->keydec);
  401. ocb_block16_xor(&ctx->offset, &tmp, &tmp);
  402. /* Checksum_i = Checksum_{i-1} xor P_i */
  403. ocb_block16_xor(&tmp, &ctx->checksum, &ctx->checksum);
  404. memcpy(out, tmp.c, 16);
  405. out += 16;
  406. }
  407. }
  408. /*
  409. * Check if we have any partial blocks left over. This is only valid in the
  410. * last call to this function
  411. */
  412. last_len = len % 16;
  413. if (last_len > 0) {
  414. OCB_BLOCK pad;
  415. /* Offset_* = Offset_m xor L_* */
  416. ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset);
  417. /* Pad = ENCIPHER(K, Offset_*) */
  418. ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc);
  419. /* P_* = C_* xor Pad[1..bitlen(C_*)] */
  420. ocb_block_xor(in, pad.c, last_len, out);
  421. /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */
  422. memset(pad.c, 0, 16); /* borrow pad */
  423. memcpy(pad.c, out, last_len);
  424. pad.c[last_len] = 0x80;
  425. ocb_block16_xor(&pad, &ctx->checksum, &ctx->checksum);
  426. }
  427. ctx->blocks_processed = all_num_blocks;
  428. return 1;
  429. }
  430. /*
  431. * Calculate the tag and verify it against the supplied tag
  432. */
  433. int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag,
  434. size_t len)
  435. {
  436. OCB_BLOCK tmp;
  437. /*
  438. * Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
  439. */
  440. ocb_block16_xor(&ctx->checksum, &ctx->offset, &tmp);
  441. ocb_block16_xor(&ctx->l_dollar, &tmp, &tmp);
  442. ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
  443. ocb_block16_xor(&tmp, &ctx->sum, &ctx->tag);
  444. if (len > 16 || len < 1) {
  445. return -1;
  446. }
  447. /* Compare the tag if we've been given one */
  448. if (tag)
  449. return CRYPTO_memcmp(&ctx->tag, tag, len);
  450. else
  451. return -1;
  452. }
  453. /*
  454. * Retrieve the calculated tag
  455. */
  456. int CRYPTO_ocb128_tag(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len)
  457. {
  458. if (len > 16 || len < 1) {
  459. return -1;
  460. }
  461. /* Calculate the tag */
  462. CRYPTO_ocb128_finish(ctx, NULL, 0);
  463. /* Copy the tag into the supplied buffer */
  464. memcpy(tag, ctx->tag.c, len);
  465. return 1;
  466. }
  467. /*
  468. * Release all resources
  469. */
  470. void CRYPTO_ocb128_cleanup(OCB128_CONTEXT *ctx)
  471. {
  472. if (ctx) {
  473. OPENSSL_clear_free(ctx->l, ctx->max_l_index * 16);
  474. OPENSSL_cleanse(ctx, sizeof(*ctx));
  475. }
  476. }
  477. #endif /* OPENSSL_NO_OCB */