OCBv3: implement RFC7253 compliance

This fixes #256
This commit is contained in:
Steffen Jaeckel 2017-08-02 17:45:59 +02:00
parent 1aaa5abb33
commit d77cf0e248
8 changed files with 608 additions and 531 deletions

View File

@ -420,7 +420,7 @@ void ocb_gen(void)
void ocb3_gen(void)
{
#ifdef LTC_OCB3_MODE
int err, kl, x, y1, z;
int err, kl, x, y1, z, noncelen;
FILE *out;
unsigned char key[MAXBLOCKSIZE], nonce[MAXBLOCKSIZE*2],
plaintext[MAXBLOCKSIZE*2], tag[MAXBLOCKSIZE];
@ -448,7 +448,8 @@ void ocb3_gen(void)
}
/* fixed nonce */
for (z = 0; z < cipher_descriptor[x].block_length; z++) {
noncelen = MIN(15, cipher_descriptor[x].block_length);
for (z = 0; z < noncelen; z++) {
nonce[z] = z;
}
@ -456,8 +457,8 @@ void ocb3_gen(void)
for (z = 0; z < y1; z++) {
plaintext[z] = (unsigned char)(z & 255);
}
len = sizeof(tag);
if ((err = ocb3_encrypt_authenticate_memory(x, key, kl, nonce, cipher_descriptor[x].block_length, (unsigned char*)"AAD", 3, plaintext, y1, plaintext, tag, &len)) != CRYPT_OK) {
len = 16;
if ((err = ocb3_encrypt_authenticate_memory(x, key, kl, nonce, noncelen, (unsigned char*)"AAD", 3, plaintext, y1, plaintext, tag, &len)) != CRYPT_OK) {
printf("Error OCB'ing: %s\n", error_to_string(err));
exit(EXIT_FAILURE);
}

File diff suppressed because it is too large Load Diff

View File

@ -69,7 +69,7 @@ int ocb3_decrypt_verify_memory(int cipher,
return CRYPT_MEM;
}
if ((err = ocb3_init(ocb, cipher, key, keylen, nonce, noncelen)) != CRYPT_OK) {
if ((err = ocb3_init(ocb, cipher, key, keylen, nonce, noncelen, taglen)) != CRYPT_OK) {
goto LBL_ERR;
}

View File

@ -55,7 +55,7 @@ int ocb3_encrypt_authenticate_memory(int cipher,
return CRYPT_MEM;
}
if ((err = ocb3_init(ocb, cipher, key, keylen, nonce, noncelen)) != CRYPT_OK) {
if ((err = ocb3_init(ocb, cipher, key, keylen, nonce, noncelen, *taglen)) != CRYPT_OK) {
goto LBL_ERR;
}

View File

@ -41,7 +41,8 @@ static const struct {
*/
int ocb3_init(ocb3_state *ocb, int cipher,
const unsigned char *key, unsigned long keylen,
const unsigned char *nonce, unsigned long noncelen)
const unsigned char *nonce, unsigned long noncelen,
unsigned long taglen)
{
int poly, x, y, m, err;
unsigned char *previous, *current;
@ -62,6 +63,11 @@ int ocb3_init(ocb3_state *ocb, int cipher,
return CRYPT_INVALID_ARG;
}
/* Make sure taglen isn't too long */
if (taglen > (unsigned long)cipher_descriptor[cipher].block_length) {
taglen = cipher_descriptor[cipher].block_length;
}
/* determine which polys to use */
ocb->block_len = cipher_descriptor[cipher].block_length;
x = (int)(sizeof(polys)/sizeof(polys[0]));
@ -114,7 +120,7 @@ int ocb3_init(ocb3_state *ocb, int cipher,
}
/* initialize ocb->Offset_current = Offset_0 */
ocb3_int_calc_offset_zero(ocb, nonce, noncelen);
ocb3_int_calc_offset_zero(ocb, nonce, noncelen, taglen);
/* initialize checksum to all zeros */
zeromem(ocb->checksum, ocb->block_len);

View File

@ -21,7 +21,7 @@
@param nonce The session nonce
@param noncelen The length of the session nonce (octets)
*/
void ocb3_int_calc_offset_zero(ocb3_state *ocb, const unsigned char *nonce, unsigned long noncelen)
void ocb3_int_calc_offset_zero(ocb3_state *ocb, const unsigned char *nonce, unsigned long noncelen, unsigned long taglen)
{
int x, y, bottom;
int idx, shift;
@ -35,6 +35,7 @@ void ocb3_int_calc_offset_zero(ocb3_state *ocb, const unsigned char *nonce, unsi
iNonce[x] = nonce[noncelen-y-1];
}
iNonce[x] = 0x01;
iNonce[0] |= ((taglen*8) % 128) << 1;
/* bottom = str2num(Nonce[123..128]) */
bottom = iNonce[ocb->block_len-1] & 0x3F;

View File

@ -27,7 +27,7 @@ int ocb3_test(void)
/* test vectors from: http://tools.ietf.org/html/draft-krovetz-ocb-03 */
unsigned char key[16] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F };
unsigned char nonce[12] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B };
static const struct {
const struct {
int ptlen;
int aadlen;
unsigned char pt[64], aad[64], ct[64], tag[16];
@ -163,6 +163,44 @@ int ocb3_test(void)
},
};
/* As of RFC 7253 - 'Appendix A. Sample Results'
* The next tuple shows a result with a tag length of 96 bits and a
different key.
K: 0F0E0D0C0B0A09080706050403020100
N: BBAA9988776655443322110D
A: 000102030405060708090A0B0C0D0E0F1011121314151617
18191A1B1C1D1E1F2021222324252627
P: 000102030405060708090A0B0C0D0E0F1011121314151617
18191A1B1C1D1E1F2021222324252627
C: 1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1
A0124B0A55BAE884ED93481529C76B6AD0C515F4D1CDD4FD
AC4F02AA
The C has been split up in C and T (tag)
*/
const unsigned char K[] = { 0x0F,0x0E,0x0D,0x0C,0x0B,0x0A,0x09,0x08,
0x07,0x06,0x05,0x04,0x03,0x02,0x01,0x00 };
const unsigned char N[] = { 0xBB,0xAA,0x99,0x88,0x77,0x66,0x55,0x44,
0x33,0x22,0x11,0x0D };
const unsigned char A[] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 };
const unsigned char P[] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 };
const unsigned char C[] = { 0x17,0x92,0xA4,0xE3,0x1E,0x07,0x55,0xFB,
0x03,0xE3,0x1B,0x22,0x11,0x6E,0x6C,0x2D,
0xDF,0x9E,0xFD,0x6E,0x33,0xD5,0x36,0xF1,
0xA0,0x12,0x4B,0x0A,0x55,0xBA,0xE8,0x84,
0xED,0x93,0x48,0x15,0x29,0xC7,0x6B,0x6A };
const unsigned char T[] = { 0xD0,0xC5,0x15,0xF4,0xD1,0xCD,0xD4,0xFD,
0xAC,0x4F,0x02,0xAA };
int err, x, idx, res;
unsigned long len;
@ -206,6 +244,36 @@ int ocb3_test(void)
return CRYPT_FAIL_TESTVECTOR;
}
}
x = 99;
len = 12;
if ((err = ocb3_encrypt_authenticate_memory(idx,
K, sizeof(K),
N, sizeof(N),
A, sizeof(A),
P, sizeof(P),
outct, outtag, &len)) != CRYPT_OK) {
return err;
}
if (compare_testvector(outtag, len, T, sizeof(T), "OCB3 Tag", x) ||
compare_testvector(outct, sizeof(P), C, sizeof(C), "OCB3 CT", x)) {
return CRYPT_FAIL_TESTVECTOR;
}
if ((err = ocb3_decrypt_verify_memory(idx,
K, sizeof(K),
N, sizeof(N),
A, sizeof(A),
C, sizeof(C),
outct, T, sizeof(T), &res)) != CRYPT_OK) {
return err;
}
if ((res != 1) || compare_testvector(outct, sizeof(C), P, sizeof(P), "OCB3", x)) {
#ifdef LTC_TEST_DBG
printf("\n\nOCB3: Failure-decrypt - res = %d\n", res);
#endif
return CRYPT_FAIL_TESTVECTOR;
}
return CRYPT_OK;
#endif /* LTC_TEST */
}

View File

@ -271,7 +271,8 @@ typedef struct {
int ocb3_init(ocb3_state *ocb, int cipher,
const unsigned char *key, unsigned long keylen,
const unsigned char *nonce, unsigned long noncelen);
const unsigned char *nonce, unsigned long noncelen,
unsigned long taglen);
int ocb3_encrypt(ocb3_state *ocb, const unsigned char *pt, unsigned long ptlen, unsigned char *ct);
int ocb3_decrypt(ocb3_state *ocb, const unsigned char *ct, unsigned long ctlen, unsigned char *pt);
@ -302,7 +303,7 @@ int ocb3_test(void);
#ifdef LTC_SOURCE
/* internal helper functions */
int ocb3_int_aad_add_block(ocb3_state *ocb, const unsigned char *aad_block);
void ocb3_int_calc_offset_zero(ocb3_state *ocb, const unsigned char *nonce, unsigned long noncelen);
void ocb3_int_calc_offset_zero(ocb3_state *ocb, const unsigned char *nonce, unsigned long noncelen, unsigned long taglen);
int ocb3_int_ntz(unsigned long x);
void ocb3_int_xor_blocks(unsigned char *out, const unsigned char *block_a, const unsigned char *block_b, unsigned long block_len);
#endif /* LTC_SOURCE */