2
0

ocb128.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572
  1. /*
  2. * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <string.h>
  10. #include <openssl/crypto.h>
  11. #include <openssl/err.h>
  12. #include "modes_lcl.h"
  13. #ifndef OPENSSL_NO_OCB
  14. /*
  15. * Calculate the number of binary trailing zero's in any given number
  16. */
  17. static u32 ocb_ntz(u64 n)
  18. {
  19. u32 cnt = 0;
  20. /*
  21. * We do a right-to-left simple sequential search. This is surprisingly
  22. * efficient as the distribution of trailing zeros is not uniform,
  23. * e.g. the number of possible inputs with no trailing zeros is equal to
  24. * the number with 1 or more; the number with exactly 1 is equal to the
  25. * number with 2 or more, etc. Checking the last two bits covers 75% of
  26. * all numbers. Checking the last three covers 87.5%
  27. */
  28. while (!(n & 1)) {
  29. n >>= 1;
  30. cnt++;
  31. }
  32. return cnt;
  33. }
  34. /*
  35. * Shift a block of 16 bytes left by shift bits
  36. */
  37. static void ocb_block_lshift(const unsigned char *in, size_t shift,
  38. unsigned char *out)
  39. {
  40. unsigned char shift_mask;
  41. int i;
  42. unsigned char mask[15];
  43. shift_mask = 0xff;
  44. shift_mask <<= (8 - shift);
  45. for (i = 15; i >= 0; i--) {
  46. if (i > 0) {
  47. mask[i - 1] = in[i] & shift_mask;
  48. mask[i - 1] >>= 8 - shift;
  49. }
  50. out[i] = in[i] << shift;
  51. if (i != 15) {
  52. out[i] ^= mask[i];
  53. }
  54. }
  55. }
  56. /*
  57. * Perform a "double" operation as per OCB spec
  58. */
  59. static void ocb_double(OCB_BLOCK *in, OCB_BLOCK *out)
  60. {
  61. unsigned char mask;
  62. /*
  63. * Calculate the mask based on the most significant bit. There are more
  64. * efficient ways to do this - but this way is constant time
  65. */
  66. mask = in->c[0] & 0x80;
  67. mask >>= 7;
  68. mask *= 135;
  69. ocb_block_lshift(in->c, 1, out->c);
  70. out->c[15] ^= mask;
  71. }
  72. /*
  73. * Perform an xor on in1 and in2 - each of len bytes. Store result in out
  74. */
  75. static void ocb_block_xor(const unsigned char *in1,
  76. const unsigned char *in2, size_t len,
  77. unsigned char *out)
  78. {
  79. size_t i;
  80. for (i = 0; i < len; i++) {
  81. out[i] = in1[i] ^ in2[i];
  82. }
  83. }
  84. /*
  85. * Lookup L_index in our lookup table. If we haven't already got it we need to
  86. * calculate it
  87. */
  88. static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx)
  89. {
  90. size_t l_index = ctx->l_index;
  91. if (idx <= l_index) {
  92. return ctx->l + idx;
  93. }
  94. /* We don't have it - so calculate it */
  95. if (idx >= ctx->max_l_index) {
  96. void *tmp_ptr;
  97. /*
  98. * Each additional entry allows to process almost double as
  99. * much data, so that in linear world the table will need to
  100. * be expanded with smaller and smaller increments. Originally
  101. * it was doubling in size, which was a waste. Growing it
  102. * linearly is not formally optimal, but is simpler to implement.
  103. * We grow table by minimally required 4*n that would accommodate
  104. * the index.
  105. */
  106. ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3;
  107. tmp_ptr =
  108. OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK));
  109. if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */
  110. return NULL;
  111. ctx->l = tmp_ptr;
  112. }
  113. while (l_index < idx) {
  114. ocb_double(ctx->l + l_index, ctx->l + l_index + 1);
  115. l_index++;
  116. }
  117. ctx->l_index = l_index;
  118. return ctx->l + idx;
  119. }
  120. /*
  121. * Create a new OCB128_CONTEXT
  122. */
  123. OCB128_CONTEXT *CRYPTO_ocb128_new(void *keyenc, void *keydec,
  124. block128_f encrypt, block128_f decrypt,
  125. ocb128_f stream)
  126. {
  127. OCB128_CONTEXT *octx;
  128. int ret;
  129. if ((octx = OPENSSL_malloc(sizeof(*octx))) != NULL) {
  130. ret = CRYPTO_ocb128_init(octx, keyenc, keydec, encrypt, decrypt,
  131. stream);
  132. if (ret)
  133. return octx;
  134. OPENSSL_free(octx);
  135. }
  136. return NULL;
  137. }
  138. /*
  139. * Initialise an existing OCB128_CONTEXT
  140. */
  141. int CRYPTO_ocb128_init(OCB128_CONTEXT *ctx, void *keyenc, void *keydec,
  142. block128_f encrypt, block128_f decrypt,
  143. ocb128_f stream)
  144. {
  145. memset(ctx, 0, sizeof(*ctx));
  146. ctx->l_index = 0;
  147. ctx->max_l_index = 5;
  148. if ((ctx->l = OPENSSL_malloc(ctx->max_l_index * 16)) == NULL) {
  149. CRYPTOerr(CRYPTO_F_CRYPTO_OCB128_INIT, ERR_R_MALLOC_FAILURE);
  150. return 0;
  151. }
  152. /*
  153. * We set both the encryption and decryption key schedules - decryption
  154. * needs both. Don't really need decryption schedule if only doing
  155. * encryption - but it simplifies things to take it anyway
  156. */
  157. ctx->encrypt = encrypt;
  158. ctx->decrypt = decrypt;
  159. ctx->stream = stream;
  160. ctx->keyenc = keyenc;
  161. ctx->keydec = keydec;
  162. /* L_* = ENCIPHER(K, zeros(128)) */
  163. ctx->encrypt(ctx->l_star.c, ctx->l_star.c, ctx->keyenc);
  164. /* L_$ = double(L_*) */
  165. ocb_double(&ctx->l_star, &ctx->l_dollar);
  166. /* L_0 = double(L_$) */
  167. ocb_double(&ctx->l_dollar, ctx->l);
  168. /* L_{i} = double(L_{i-1}) */
  169. ocb_double(ctx->l, ctx->l+1);
  170. ocb_double(ctx->l+1, ctx->l+2);
  171. ocb_double(ctx->l+2, ctx->l+3);
  172. ocb_double(ctx->l+3, ctx->l+4);
  173. ctx->l_index = 4; /* enough to process up to 496 bytes */
  174. return 1;
  175. }
  176. /*
  177. * Copy an OCB128_CONTEXT object
  178. */
  179. int CRYPTO_ocb128_copy_ctx(OCB128_CONTEXT *dest, OCB128_CONTEXT *src,
  180. void *keyenc, void *keydec)
  181. {
  182. memcpy(dest, src, sizeof(OCB128_CONTEXT));
  183. if (keyenc)
  184. dest->keyenc = keyenc;
  185. if (keydec)
  186. dest->keydec = keydec;
  187. if (src->l) {
  188. if ((dest->l = OPENSSL_malloc(src->max_l_index * 16)) == NULL) {
  189. CRYPTOerr(CRYPTO_F_CRYPTO_OCB128_COPY_CTX, ERR_R_MALLOC_FAILURE);
  190. return 0;
  191. }
  192. memcpy(dest->l, src->l, (src->l_index + 1) * 16);
  193. }
  194. return 1;
  195. }
  196. /*
  197. * Set the IV to be used for this operation. Must be 1 - 15 bytes.
  198. */
  199. int CRYPTO_ocb128_setiv(OCB128_CONTEXT *ctx, const unsigned char *iv,
  200. size_t len, size_t taglen)
  201. {
  202. unsigned char ktop[16], tmp[16], mask;
  203. unsigned char stretch[24], nonce[16];
  204. size_t bottom, shift;
  205. /*
  206. * Spec says IV is 120 bits or fewer - it allows non byte aligned lengths.
  207. * We don't support this at this stage
  208. */
  209. if ((len > 15) || (len < 1) || (taglen > 16) || (taglen < 1)) {
  210. return -1;
  211. }
  212. /* Reset nonce-dependent variables */
  213. memset(&ctx->sess, 0, sizeof(ctx->sess));
  214. /* Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N */
  215. nonce[0] = ((taglen * 8) % 128) << 1;
  216. memset(nonce + 1, 0, 15);
  217. memcpy(nonce + 16 - len, iv, len);
  218. nonce[15 - len] |= 1;
  219. /* Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6)) */
  220. memcpy(tmp, nonce, 16);
  221. tmp[15] &= 0xc0;
  222. ctx->encrypt(tmp, ktop, ctx->keyenc);
  223. /* Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72]) */
  224. memcpy(stretch, ktop, 16);
  225. ocb_block_xor(ktop, ktop + 1, 8, stretch + 16);
  226. /* bottom = str2num(Nonce[123..128]) */
  227. bottom = nonce[15] & 0x3f;
  228. /* Offset_0 = Stretch[1+bottom..128+bottom] */
  229. shift = bottom % 8;
  230. ocb_block_lshift(stretch + (bottom / 8), shift, ctx->sess.offset.c);
  231. mask = 0xff;
  232. mask <<= 8 - shift;
  233. ctx->sess.offset.c[15] |=
  234. (*(stretch + (bottom / 8) + 16) & mask) >> (8 - shift);
  235. return 1;
  236. }
  237. /*
  238. * Provide any AAD. This can be called multiple times. Only the final time can
  239. * have a partial block
  240. */
  241. int CRYPTO_ocb128_aad(OCB128_CONTEXT *ctx, const unsigned char *aad,
  242. size_t len)
  243. {
  244. u64 i, all_num_blocks;
  245. size_t num_blocks, last_len;
  246. OCB_BLOCK tmp;
  247. /* Calculate the number of blocks of AAD provided now, and so far */
  248. num_blocks = len / 16;
  249. all_num_blocks = num_blocks + ctx->sess.blocks_hashed;
  250. /* Loop through all full blocks of AAD */
  251. for (i = ctx->sess.blocks_hashed + 1; i <= all_num_blocks; i++) {
  252. OCB_BLOCK *lookup;
  253. /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
  254. lookup = ocb_lookup_l(ctx, ocb_ntz(i));
  255. if (lookup == NULL)
  256. return 0;
  257. ocb_block16_xor(&ctx->sess.offset_aad, lookup, &ctx->sess.offset_aad);
  258. memcpy(tmp.c, aad, 16);
  259. aad += 16;
  260. /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */
  261. ocb_block16_xor(&ctx->sess.offset_aad, &tmp, &tmp);
  262. ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
  263. ocb_block16_xor(&tmp, &ctx->sess.sum, &ctx->sess.sum);
  264. }
  265. /*
  266. * Check if we have any partial blocks left over. This is only valid in the
  267. * last call to this function
  268. */
  269. last_len = len % 16;
  270. if (last_len > 0) {
  271. /* Offset_* = Offset_m xor L_* */
  272. ocb_block16_xor(&ctx->sess.offset_aad, &ctx->l_star,
  273. &ctx->sess.offset_aad);
  274. /* CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_* */
  275. memset(tmp.c, 0, 16);
  276. memcpy(tmp.c, aad, last_len);
  277. tmp.c[last_len] = 0x80;
  278. ocb_block16_xor(&ctx->sess.offset_aad, &tmp, &tmp);
  279. /* Sum = Sum_m xor ENCIPHER(K, CipherInput) */
  280. ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
  281. ocb_block16_xor(&tmp, &ctx->sess.sum, &ctx->sess.sum);
  282. }
  283. ctx->sess.blocks_hashed = all_num_blocks;
  284. return 1;
  285. }
  286. /*
  287. * Provide any data to be encrypted. This can be called multiple times. Only
  288. * the final time can have a partial block
  289. */
  290. int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
  291. const unsigned char *in, unsigned char *out,
  292. size_t len)
  293. {
  294. u64 i, all_num_blocks;
  295. size_t num_blocks, last_len;
  296. /*
  297. * Calculate the number of blocks of data to be encrypted provided now, and
  298. * so far
  299. */
  300. num_blocks = len / 16;
  301. all_num_blocks = num_blocks + ctx->sess.blocks_processed;
  302. if (num_blocks && all_num_blocks == (size_t)all_num_blocks
  303. && ctx->stream != NULL) {
  304. size_t max_idx = 0, top = (size_t)all_num_blocks;
  305. /*
  306. * See how many L_{i} entries we need to process data at hand
  307. * and pre-compute missing entries in the table [if any]...
  308. */
  309. while (top >>= 1)
  310. max_idx++;
  311. if (ocb_lookup_l(ctx, max_idx) == NULL)
  312. return 0;
  313. ctx->stream(in, out, num_blocks, ctx->keyenc,
  314. (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
  315. (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
  316. } else {
  317. /* Loop through all full blocks to be encrypted */
  318. for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
  319. OCB_BLOCK *lookup;
  320. OCB_BLOCK tmp;
  321. /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
  322. lookup = ocb_lookup_l(ctx, ocb_ntz(i));
  323. if (lookup == NULL)
  324. return 0;
  325. ocb_block16_xor(&ctx->sess.offset, lookup, &ctx->sess.offset);
  326. memcpy(tmp.c, in, 16);
  327. in += 16;
  328. /* Checksum_i = Checksum_{i-1} xor P_i */
  329. ocb_block16_xor(&tmp, &ctx->sess.checksum, &ctx->sess.checksum);
  330. /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */
  331. ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp);
  332. ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
  333. ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp);
  334. memcpy(out, tmp.c, 16);
  335. out += 16;
  336. }
  337. }
  338. /*
  339. * Check if we have any partial blocks left over. This is only valid in the
  340. * last call to this function
  341. */
  342. last_len = len % 16;
  343. if (last_len > 0) {
  344. OCB_BLOCK pad;
  345. /* Offset_* = Offset_m xor L_* */
  346. ocb_block16_xor(&ctx->sess.offset, &ctx->l_star, &ctx->sess.offset);
  347. /* Pad = ENCIPHER(K, Offset_*) */
  348. ctx->encrypt(ctx->sess.offset.c, pad.c, ctx->keyenc);
  349. /* C_* = P_* xor Pad[1..bitlen(P_*)] */
  350. ocb_block_xor(in, pad.c, last_len, out);
  351. /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */
  352. memset(pad.c, 0, 16); /* borrow pad */
  353. memcpy(pad.c, in, last_len);
  354. pad.c[last_len] = 0x80;
  355. ocb_block16_xor(&pad, &ctx->sess.checksum, &ctx->sess.checksum);
  356. }
  357. ctx->sess.blocks_processed = all_num_blocks;
  358. return 1;
  359. }
  360. /*
  361. * Provide any data to be decrypted. This can be called multiple times. Only
  362. * the final time can have a partial block
  363. */
  364. int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
  365. const unsigned char *in, unsigned char *out,
  366. size_t len)
  367. {
  368. u64 i, all_num_blocks;
  369. size_t num_blocks, last_len;
  370. /*
  371. * Calculate the number of blocks of data to be decrypted provided now, and
  372. * so far
  373. */
  374. num_blocks = len / 16;
  375. all_num_blocks = num_blocks + ctx->sess.blocks_processed;
  376. if (num_blocks && all_num_blocks == (size_t)all_num_blocks
  377. && ctx->stream != NULL) {
  378. size_t max_idx = 0, top = (size_t)all_num_blocks;
  379. /*
  380. * See how many L_{i} entries we need to process data at hand
  381. * and pre-compute missing entries in the table [if any]...
  382. */
  383. while (top >>= 1)
  384. max_idx++;
  385. if (ocb_lookup_l(ctx, max_idx) == NULL)
  386. return 0;
  387. ctx->stream(in, out, num_blocks, ctx->keydec,
  388. (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
  389. (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
  390. } else {
  391. OCB_BLOCK tmp;
  392. /* Loop through all full blocks to be decrypted */
  393. for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
  394. /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
  395. OCB_BLOCK *lookup = ocb_lookup_l(ctx, ocb_ntz(i));
  396. if (lookup == NULL)
  397. return 0;
  398. ocb_block16_xor(&ctx->sess.offset, lookup, &ctx->sess.offset);
  399. memcpy(tmp.c, in, 16);
  400. in += 16;
  401. /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */
  402. ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp);
  403. ctx->decrypt(tmp.c, tmp.c, ctx->keydec);
  404. ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp);
  405. /* Checksum_i = Checksum_{i-1} xor P_i */
  406. ocb_block16_xor(&tmp, &ctx->sess.checksum, &ctx->sess.checksum);
  407. memcpy(out, tmp.c, 16);
  408. out += 16;
  409. }
  410. }
  411. /*
  412. * Check if we have any partial blocks left over. This is only valid in the
  413. * last call to this function
  414. */
  415. last_len = len % 16;
  416. if (last_len > 0) {
  417. OCB_BLOCK pad;
  418. /* Offset_* = Offset_m xor L_* */
  419. ocb_block16_xor(&ctx->sess.offset, &ctx->l_star, &ctx->sess.offset);
  420. /* Pad = ENCIPHER(K, Offset_*) */
  421. ctx->encrypt(ctx->sess.offset.c, pad.c, ctx->keyenc);
  422. /* P_* = C_* xor Pad[1..bitlen(C_*)] */
  423. ocb_block_xor(in, pad.c, last_len, out);
  424. /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */
  425. memset(pad.c, 0, 16); /* borrow pad */
  426. memcpy(pad.c, out, last_len);
  427. pad.c[last_len] = 0x80;
  428. ocb_block16_xor(&pad, &ctx->sess.checksum, &ctx->sess.checksum);
  429. }
  430. ctx->sess.blocks_processed = all_num_blocks;
  431. return 1;
  432. }
  433. static int ocb_finish(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len,
  434. int write)
  435. {
  436. OCB_BLOCK tmp;
  437. if (len > 16 || len < 1) {
  438. return -1;
  439. }
  440. /*
  441. * Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A)
  442. */
  443. ocb_block16_xor(&ctx->sess.checksum, &ctx->sess.offset, &tmp);
  444. ocb_block16_xor(&ctx->l_dollar, &tmp, &tmp);
  445. ctx->encrypt(tmp.c, tmp.c, ctx->keyenc);
  446. ocb_block16_xor(&tmp, &ctx->sess.sum, &tmp);
  447. if (write) {
  448. memcpy(tag, &tmp, len);
  449. return 1;
  450. } else {
  451. return CRYPTO_memcmp(&tmp, tag, len);
  452. }
  453. }
  454. /*
  455. * Calculate the tag and verify it against the supplied tag
  456. */
  457. int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag,
  458. size_t len)
  459. {
  460. return ocb_finish(ctx, (unsigned char*)tag, len, 0);
  461. }
  462. /*
  463. * Retrieve the calculated tag
  464. */
  465. int CRYPTO_ocb128_tag(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len)
  466. {
  467. return ocb_finish(ctx, tag, len, 1);
  468. }
  469. /*
  470. * Release all resources
  471. */
  472. void CRYPTO_ocb128_cleanup(OCB128_CONTEXT *ctx)
  473. {
  474. if (ctx) {
  475. OPENSSL_clear_free(ctx->l, ctx->max_l_index * 16);
  476. OPENSSL_cleanse(ctx, sizeof(*ctx));
  477. }
  478. }
  479. #endif /* OPENSSL_NO_OCB */