diff --git a/demos/timing.c b/demos/timing.c index e180b0d27..927ad4385 100644 --- a/demos/timing.c +++ b/demos/timing.c @@ -1153,8 +1153,13 @@ static void time_macs(void) static void time_encmacs_(unsigned long MAC_SIZE) { -#if defined(LTC_EAX_MODE) || defined(LTC_OCB_MODE) || defined(LTC_OCB3_MODE) || defined(LTC_CCM_MODE) || defined(LTC_GCM_MODE) - unsigned char *buf, IV[16], key[16], tag[16]; +#if defined(LTC_EAX_MODE) || defined(LTC_OCB_MODE) || defined(LTC_OCB3_MODE) || \ + defined(LTC_CCM_MODE) || defined(LTC_GCM_MODE) || defined(LTC_SIV_MODE) +#if defined(LTC_SIV_MODE) + unsigned char *aad[4]; + unsigned long buflen; +#endif + unsigned char *buf, IV[16], key[32], tag[16]; ulong64 t1, t2; unsigned long x, z; int err, cipher_idx; @@ -1171,8 +1176,8 @@ static void time_encmacs_(unsigned long MAC_SIZE) cipher_idx = find_cipher("aes"); yarrow_read(buf, MAC_SIZE*1024, &yarrow_prng); - yarrow_read(key, 16, &yarrow_prng); - yarrow_read(IV, 16, &yarrow_prng); + yarrow_read(key, sizeof(key), &yarrow_prng); + yarrow_read(IV, sizeof(IV), &yarrow_prng); #ifdef LTC_EAX_MODE t2 = -1; @@ -1308,8 +1313,38 @@ __attribute__ ((aligned (16))) } fprintf(stderr, "GCM (precomp)\t\t%9"PRI64"u\n", t2/(ulong64)(MAC_SIZE*1024)); } +#endif +#ifdef LTC_SIV_MODE + for(z = 0; z < 4; z++) { + aad[z] = IV + z * 4; + } + for(z = 0; z < 4; z++) { + t2 = -1; + for (x = 0; x < 10000; x++) { + buflen = MAC_SIZE*1024; + t_start(); + t1 = t_read(); + if ((err = siv_memory(cipher_idx, LTC_ENCRYPT, + key, 32, + buf, MAC_SIZE*1024 - 16, + buf, &buflen, + aad[0], 16, + aad[1], 12, + aad[2], 8, + aad[3], 4, + NULL)) != CRYPT_OK) { + fprintf(stderr, "\nSIV error... %s\n", error_to_string(err)); + exit(EXIT_FAILURE); + } + t1 = t_read() - t1; + if (t1 < t2) t2 = t1; + } + aad[3-z] = NULL; + fprintf(stderr, "SIV (%lu x AAD)\t\t%9"PRI64"u\n", 4-z, t2/(ulong64)(MAC_SIZE*1024)); + } #endif + XFREE(buf); #else LTC_UNUSED_PARAM(MAC_SIZE); diff --git a/doc/crypt.tex b/doc/crypt.tex index ba31872a9..af9645562 100644 --- a/doc/crypt.tex +++ b/doc/crypt.tex @@ -2576,6 +2576,166 @@ \subsection{One--Shot Packet} In order to enable OpenSSH compatibility, the flag \textit{CHACHA20POLY1305\_OPENSSH\_COMPAT} has to be \textbf{OR}'ed into the \textit{direction} parameter. + +\mysection{SIV} +\label{SIV} + +The SIV (Synthetic Initialization Vector) authenticated encryption is a block cipher mode of encryption +defined by \url{https://tools.ietf.org/html/rfc5297}. + +In contrast to all the other AEAD modes, SIV provides no iterative API. Instead it only provides one--shot APIs. + +AEAD algorithm design usually suggests using a separate Nonce (also called IV) and additional authenticated Data (AAD). +SIV treats this slightly different and does not enforce any of the two, but leaves it up to the user. +Also SIV allows passing multiple sets of data as AAD, up to a maximum of \texttt{126} elements. +In case one wants to use a Nonce in a classical style it is suggested to pass it as the last of the AAD elements, +thereby limiting the number of AAD to \texttt{125}. + +\subsection{Encryption / Decryption} +To encrypt and create a tag resp. decrypt and check the tag, the following API functions can be used. + +\index{siv\_encrypt\_memory()} +\begin{verbatim} +int siv_encrypt_memory( int cipher, + const unsigned char *key, unsigned long keylen, + const unsigned char *ad[], unsigned long adlen[], + const unsigned char *pt, unsigned long ptlen, + unsigned char *ct, unsigned long *ctlen); +\end{verbatim} +This encrypts the data where \textit{pt} is the plaintext and \textit{ct} is the ciphertext. +The length of the plaintext is given in \textit{ptlen} and the length of the ciphertext is given in \textit{ctlen}. +\textit{ctlen} shall contain the max buffer size allocated at \textit{ct} on input, and will be updated with the +written length on successful encryption. + +The buffer of \textit{ct} shall be at least \texttt{ptlen + 16} bytes wide. + +The key to the encrypt operation is passed in \textit{key} of length \textit{keylen}. + +The AAD is passed as array of pointers in \textit{ad}. The length of each AAD is passed as array of +\textit{unsigned long} in \textit{adlen}. +As soon as an array element of \textit{ad} is hit which equals \texttt{NULL} or an array element of \textit{adlen} +is hit which equals \texttt{0}, processing of the AAD is stopped. + +\index{siv\_decrypt\_memory()} +\begin{verbatim} +int siv_decrypt_memory( int cipher, + const unsigned char *key, unsigned long keylen, + const unsigned char *ad[], unsigned long adlen[], + const unsigned char *ct, unsigned long ctlen, + unsigned char *pt, unsigned long *ptlen); +\end{verbatim} +This decrypts the data where \textit{ct} is the ciphertext of length \textit{ctlen} and \textit{pt} is the plaintext of length \textit{ptlen}. +\textit{ptlen} shall contain the max buffer size allocated at \textit{pt} on input, and will be updated with the +written lenth on successful decryption. + +The buffer of \textit{pt} shall be at least \texttt{ctlen - 16} bytes wide. + +The AAD is processed in the same way as in the encrypt function. + +An example of encryption and decryption with SIV using multiple AAD and a Nonce is given below. + +\begin{small} +\begin{verbatim} +#include + +int main(void) +{ + int err; + unsigned char plain[16] = {0}; + unsigned char ct[sizeof(plain) + 16] = {0}; + unsigned long plainlen = sizeof(plain), ctlen = sizeof(ct); + + register_cipher(&aes_desc); + + /* We need to cast the AAD strings because the API asks for an `unsigned char*` + * but a string is on most platforms defined as a "signed" `char*`. */ + if ((err = siv_encrypt_memory(find_cipher("aes"), + ((unsigned char[32]) {0x0}), 32, + ((const unsigned char*[]) {(void*)"aad0", (void*)"aad1", + (void*)"NONCE", NULL}), + ((unsigned long[]) {4, 4, 5, 0}), + plain, plainlen, + ct, &ctlen)) != CRYPT_OK) { + whine_and_pout(err); + } + + if ((err = siv_decrypt_memory(find_cipher("aes"), + ((unsigned char[32]) {0x0}), 32, + ((const unsigned char*[]) {(void*)"aad0", (void*)"aad1", + (void*)"NONCE", NULL}), + ((unsigned long[]) {4, 4, 5, 0}), + ct, ctlen, + plain, &plainlen)) != CRYPT_OK) { + whine_and_pout(err); + } + + return EXIT_SUCCESS; +} +\end{verbatim} +\end{small} + +\subsection{One--Shot Packet} +To process a single packet under any given key the following helper function can be used. + +\index{siv\_memory()} +\begin{verbatim} +int siv_memory( int cipher, int direction, + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen, + ...); +\end{verbatim} + +This will execute a SIV operation of the \textit{direction} (\texttt{LTC\_ENCRYPT} resp. \texttt{LTC\_DECRYPT}) +using the \textit{cipher} with the \textit{key} of len \textit{keylen}. +The AAD is optionally passed as varargs of the form \textit{(const unsigned char*, unsigned long)}, which musst be +NULL terminated. +The input is passed via the \textit{in} argument of length \textit{inlen}. +The output is stored in the buffer pointer to by the \textit{out} argument where the length is passed as \textit{outlen}. +\textit{outlen} shall contain the initial size of the buffer behind \textit{out} when calling the function and on +return it will contain the written size. + +In case the operation is \textit{encryption} the buffer of \textit{out} shall be at least \texttt{inlen + 16} bytes wide. +In the case of \textit{decryption} the buffer of \textit{out} shall be at least \texttt{inlen - 16} bytes wide. + +An example of encryption and decryption with the one--shot API of SIV using multiple AAD is given below. + +\begin{small} +\begin{verbatim} +#include + +int main(void) +{ + int err; + unsigned char plain[16] = {0}; + unsigned char ct[sizeof(plain) + 16] = {0}; + unsigned long plainlen = sizeof(plain), ctlen = sizeof(ct); + + register_cipher(&aes_desc); + + /* Note that constant length values must be suffixed by `uL` in order + * to operate correctly cross-platform. */ + if ((err = siv_memory(find_cipher("aes"), LTC_ENCRYPT, + ((unsigned char[32]) {0x0}), 32, + plain, plainlen, + ct, &ctlen, + "aad0", 4uL, "aad1", 4uL, "NONCE", 5uL, NULL)) != CRYPT_OK) { + whine_and_pout(err); + } + + if ((err = siv_memory(find_cipher("aes"), LTC_DECRYPT, + ((unsigned char[32]) {0x0}), 32, + ct, ctlen, + plain, &plainlen, + "aad0", 4uL, "aad1", 4uL, "NONCE", 5uL, NULL)) != CRYPT_OK) { + whine_and_pout(err); + } + + return EXIT_SUCCESS; +} +\end{verbatim} +\end{small} + \chapter{One-Way Cryptographic Hash Functions} \mysection{Core Functions} Like the ciphers, there are hash core functions and a universal data type to hold the hash state called \textit{hash\_state}. To initialize hash diff --git a/libtomcrypt_VS2008.vcproj b/libtomcrypt_VS2008.vcproj index 972d32ac5..0cb96ce3f 100644 --- a/libtomcrypt_VS2008.vcproj +++ b/libtomcrypt_VS2008.vcproj @@ -835,6 +835,14 @@ > + + + + + +/** + @file siv.c + RFC 5297 SIV - Synthetic Initialization Vector, Steffen Jaeckel +*/ + +#ifdef LTC_SIV_MODE + +/* RFC 5297 - Chapter 7 - Security Considerations + * + * [...] S2V must not be + * passed more than 127 components. Since SIV includes the plaintext as + * a component to S2V, that limits the number of components of + * associated data that can be safely passed to SIV to 126. + */ +static const unsigned long s_siv_max_aad_components = 126; + +static LTC_INLINE void s_siv_dbl(unsigned char *inout) +{ + int y, mask, msb, len; + + /* setup the system */ + mask = 0x87; + len = 16; + + /* if msb(L * u^(x+1)) = 0 then just shift, otherwise shift and xor constant mask */ + msb = inout[0] >> 7; + + /* shift left */ + for (y = 0; y < (len - 1); y++) { + inout[y] = ((inout[y] << 1) | (inout[y + 1] >> 7)) & 255; + } + inout[len - 1] = ((inout[len - 1] << 1) ^ (msb ? mask : 0)) & 255; +} + +static LTC_INLINE int s_siv_S2V_one(int cipher, + const unsigned char *key, unsigned long keylen, + unsigned char *V, unsigned long *Vlen) +{ + /* if n = 0 then + * return V = AES-CMAC(K, ) + */ + unsigned char zero_or_one[16] = {0}; + zero_or_one[0] = 1; + return omac_memory(cipher, key, keylen, zero_or_one, sizeof(zero_or_one), V, Vlen); +} + +typedef struct siv_omac_ctx_t { + omac_state omac; + int cipher; +} siv_omac_ctx_t; + +static LTC_INLINE int s_siv_ctx_init(int cipher, + const unsigned char *key, unsigned long keylen, + siv_omac_ctx_t *ctx) +{ + ctx->cipher = cipher; + return omac_init(&ctx->omac, cipher, key, keylen); +} + +static LTC_INLINE int s_siv_omac_memory(siv_omac_ctx_t *ctx, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen) +{ + int err; + omac_state omac = ctx->omac; + if ((err = omac_process(&omac, in, inlen)) != CRYPT_OK) { + return err; + } + err = omac_done(&omac, out, outlen); + zeromem(&omac, sizeof(omac)); + return err; +} + +static LTC_INLINE int s_siv_S2V_zero(siv_omac_ctx_t *ctx, + unsigned char *D, unsigned long *Dlen) +{ + /* D = AES-CMAC(K, ) */ + const unsigned char zero_or_one[16] = {0}; + return s_siv_omac_memory(ctx, zero_or_one, sizeof(zero_or_one), D, Dlen); +} + +static LTC_INLINE int s_siv_S2V_dbl_xor_cmac(siv_omac_ctx_t *ctx, + const unsigned char *aad, unsigned long aadlen, + unsigned char *D, unsigned long Dlen) +{ + /* for i = 1 to n-1 do + * D = dbl(D) xor AES-CMAC(K, Si) + * done + */ + int err; + unsigned char TMP[16]; + unsigned long i, TMPlen = sizeof(TMP); + s_siv_dbl(D); + if ((err = s_siv_omac_memory(ctx, aad, aadlen, TMP, &TMPlen)) != CRYPT_OK) { + return err; + } + for (i = 0; i < Dlen; ++i) { + D[i] ^= TMP[i]; + } + return err; +} + +static LTC_INLINE int s_siv_omac_memory_multi(siv_omac_ctx_t *ctx, + unsigned char *out, unsigned long *outlen, + const unsigned char *in, unsigned long inlen, + ...) +{ + int err; + va_list args; + omac_state omac = ctx->omac; + va_start(args, inlen); + + if ((err = omac_vprocess(&omac, in, inlen, args)) != CRYPT_OK) { + return err; + } + err = omac_done(&omac, out, outlen); + zeromem(&omac, sizeof(omac)); + return err; +} + +static LTC_INLINE int s_siv_S2V_T(siv_omac_ctx_t *ctx, + const unsigned char *in, unsigned long inlen, + unsigned char *D, + unsigned char *V, unsigned long *Vlen) +{ + int err; + unsigned long i; + unsigned char T[16]; + + /* if len(Sn) >= 128 then + * T = Sn xorend D + * else + * T = dbl(D) xor pad(Sn) + * fi + */ + if (inlen >= 16) { + XMEMCPY(T, &in[inlen - 16], 16); + for(i = 0; i < 16; ++i) { + T[i] ^= D[i]; + } + err = s_siv_omac_memory_multi(ctx, V, Vlen, in, inlen - 16, T, 16uL, NULL); + } else { + s_siv_dbl(D); + XMEMCPY(T, in, inlen); + T[inlen] = 0x80; + for (i = inlen + 1; i < 16; ++i) { + T[i] = 0x0; + } + for(i = 0; i < 16; ++i) { + T[i] ^= D[i]; + } + + err = s_siv_omac_memory(ctx, T, 16, V, Vlen); + } + return err; +} + +static int s_siv_S2V(int cipher, + const unsigned char *key, unsigned long keylen, + const unsigned char **ad, unsigned long *adlen, + const unsigned char *in, unsigned long inlen, + unsigned char *V, unsigned long *Vlen) +{ + int err; + unsigned char D[16]; + unsigned long Dlen = sizeof(D), n = 0; + siv_omac_ctx_t ctx; + + if(ad == NULL || adlen == NULL || ad[0] == NULL || adlen[0] == 0) { + err = s_siv_S2V_one(cipher, key, keylen, V, Vlen); + } else { + if ((err = s_siv_ctx_init(cipher, key, keylen, &ctx)) != CRYPT_OK) { + return err; + } + Dlen = sizeof(D); + if ((err = s_siv_S2V_zero(&ctx, D, &Dlen)) != CRYPT_OK) { + return err; + } + + while(ad[n] != NULL && adlen[n] != 0) { + if (n >= s_siv_max_aad_components) { + return CRYPT_INPUT_TOO_LONG; + } + if ((err = s_siv_S2V_dbl_xor_cmac(&ctx, ad[n], adlen[n], D, Dlen)) != CRYPT_OK) { + return err; + } + n++; + } + + err = s_siv_S2V_T(&ctx, in, inlen, D, V, Vlen); + } + + return err; +} + +static LTC_INLINE void s_siv_bitand(const unsigned char* V, unsigned char* Q) +{ + int n; + XMEMSET(Q, 0xff, 16); + Q[8] = Q[12] = 0x7f; + for (n = 0; n < 16; ++n) { + Q[n] &= V[n]; + } +} + +static LTC_INLINE int s_ctr_crypt_memory(int cipher, + const unsigned char *IV, + const unsigned char *key, int keylen, + const unsigned char *in, + unsigned char *out, unsigned long len) +{ + int err; + symmetric_CTR ctr; + + if ((err = ctr_start(cipher, IV, key, keylen, 0, CTR_COUNTER_BIG_ENDIAN | 16, &ctr)) != CRYPT_OK) { + goto out; + } + if ((err = ctr_encrypt(in, out, len, &ctr)) != CRYPT_OK) { + goto out; + } + if ((err = ctr_done(&ctr)) != CRYPT_OK) { + goto out; + } + +out: + zeromem(&ctr, sizeof(ctr)); + return err; +} + +typedef struct { + unsigned char Q[16], V[16]; +} siv_state; + +/** + SIV encrypt + + @param cipher The index of the cipher desired + @param key The secret key to use + @param keylen The length of the secret key (octets) + @param ad An array of Associated Data pointers (must be NULL terminated) + @param adlen An array with the lengths of the Associated Data + @param pt The plaintext + @param ptlen The length of the plaintext + @param ct The ciphertext + @param ctlen [in/out] The length of the ciphertext + @return CRYPT_OK if successful +*/ +int siv_encrypt_memory( int cipher, + const unsigned char *key, unsigned long keylen, + const unsigned char *ad[], unsigned long adlen[], + const unsigned char *pt, unsigned long ptlen, + unsigned char *ct, unsigned long *ctlen) +{ + int err; + const unsigned char *K1, *K2; + unsigned long Vlen; + siv_state siv; + + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(ad != NULL); + LTC_ARGCHK(adlen != NULL); + LTC_ARGCHK(pt != NULL); + LTC_ARGCHK(ct != NULL); + LTC_ARGCHK(ctlen != NULL); + + if (ptlen + 16 < ptlen) { + return CRYPT_OVERFLOW; + } + if (*ctlen < ptlen + 16) { + *ctlen = ptlen + 16; + return CRYPT_BUFFER_OVERFLOW; + } + if ((err = cipher_is_valid(cipher)) != CRYPT_OK) { + return err; + } + + + K1 = key; + K2 = &key[keylen/2]; + + Vlen = sizeof(siv.V); + err = s_siv_S2V(cipher, K1, keylen/2, ad, adlen, pt, ptlen, siv.V, &Vlen); +#ifdef LTC_CLEAN_STACK + burn_stack(3 * 16 + 7 * sizeof(unsigned long) + 1 * sizeof(void*)); +#endif + if (err != CRYPT_OK) { + return err; + } + + s_siv_bitand(siv.V, siv.Q); + XMEMCPY(ct, siv.V, 16); + ct += 16; + + if ((err = s_ctr_crypt_memory(cipher, siv.Q, K2, keylen/2, pt, ct, ptlen)) != CRYPT_OK) { + zeromem(ct, ptlen + 16); + goto out; + } + *ctlen = ptlen + 16; + +out: +#ifdef LTC_CLEAN_STACK + zeromem(&siv, sizeof(siv)); +#endif + + return err; +} + +/** + SIV decrypt + + @param cipher The index of the cipher desired + @param key The secret key to use + @param keylen The length of the secret key (octets) + @param ad An array of Associated Data pointers (must be NULL terminated) + @param adlen An array with the lengths of the Associated Data + @param ct The ciphertext + @param ctlen The length of the ciphertext + @param pt The plaintext + @param ptlen [in/out] The length of the plaintext + @return CRYPT_OK if successful +*/ +int siv_decrypt_memory( int cipher, + const unsigned char *key, unsigned long keylen, + const unsigned char *ad[], unsigned long adlen[], + const unsigned char *ct, unsigned long ctlen, + unsigned char *pt, unsigned long *ptlen) +{ + int err; + unsigned char *pt_work; + const unsigned char *K1, *K2, *ct_work; + unsigned long Vlen; + siv_state siv; + + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(ad != NULL); + LTC_ARGCHK(adlen != NULL); + LTC_ARGCHK(ct != NULL); + LTC_ARGCHK(pt != NULL); + LTC_ARGCHK(ptlen != NULL); + + if (ctlen < 16) { + return CRYPT_INVALID_ARG; + } + if (*ptlen < (ctlen - 16)) { + *ptlen = ctlen - 16; + return CRYPT_BUFFER_OVERFLOW; + } + + if ((err = cipher_is_valid(cipher)) != CRYPT_OK) { + return err; + } + *ptlen = ctlen - 16; + pt_work = XMALLOC(*ptlen); + if (pt_work == NULL) { + return CRYPT_MEM; + } + + K1 = key; + K2 = &key[keylen/2]; + + ct_work = ct; + s_siv_bitand(ct_work, siv.Q); + ct_work += 16; + + if ((err = s_ctr_crypt_memory(cipher, siv.Q, K2, keylen/2, ct_work, pt_work, *ptlen)) != CRYPT_OK) { + goto out; + } + Vlen = sizeof(siv.V); + if ((err = s_siv_S2V(cipher, K1, keylen/2, ad, adlen, pt_work, *ptlen, siv.V, &Vlen)) != CRYPT_OK) { + goto out; + } + + err = XMEM_NEQ(siv.V, ct, Vlen); + copy_or_zeromem(pt_work, pt, *ptlen, err); +out: +#ifdef LTC_CLEAN_STACK + zeromem(&siv, sizeof(siv)); +#endif + zeromem(pt_work, *ptlen); + XFREE(pt_work); + + return err; +} + +/** + Process an entire SIV packet in one call. + + @param cipher The index of the cipher desired + @param direction Encrypt or Decrypt mode (LTC_ENCRYPT or LTC_DECRYPT) + @param key The secret key to use + @param keylen The length of the secret key (octets) + @param in The input + @param inlen The length of the input + @param out The output + @param outlen [in/out] The max size and resulting size of the output + @remark <...> is of the form (void*, unsigned long) and contains the Associated Data + @return CRYPT_OK on success + */ +int siv_memory( int cipher, int direction, + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen, + ...) +{ + int err; + va_list args; + siv_state siv; + unsigned char D[16], *in_buf = NULL, *out_work; + const unsigned char *aad, *K1, *K2, *in_work; + unsigned long n = 0, aadlen, Dlen = sizeof(D), Vlen = sizeof(siv.V), in_work_len; + + LTC_ARGCHK(key != NULL); + LTC_ARGCHK(in != NULL); + LTC_ARGCHK(out != NULL); + LTC_ARGCHK(outlen != NULL); + + if ((err = cipher_is_valid(cipher)) != CRYPT_OK) { + return err; + } + if (direction == LTC_ENCRYPT && *outlen < inlen + 16) { + *outlen = inlen + 16; + return CRYPT_BUFFER_OVERFLOW; + } else if (direction == LTC_DECRYPT && (inlen < 16 || *outlen < inlen - 16)) { + *outlen = inlen - 16; + return CRYPT_BUFFER_OVERFLOW; + } + + K1 = key; + K2 = &key[keylen/2]; + in_work = in; + in_work_len = inlen; + out_work = out; + + if (direction == LTC_DECRYPT) { + in_work_len -= 16; + in_buf = XMALLOC(in_work_len); + if (in_buf == NULL) + return CRYPT_MEM; + s_siv_bitand(in_work, siv.Q); + in_work += 16; + + if ((err = s_ctr_crypt_memory(cipher, siv.Q, K2, keylen/2, in_work, in_buf, in_work_len)) != CRYPT_OK) { + goto err_out; + } + in_work = in_buf; + } + + va_start(args, outlen); + aad = va_arg(args, const unsigned char*); + aadlen = aad ? va_arg(args, unsigned long) : 0; + if (aad == NULL || aadlen == 0) { + if ((err = s_siv_S2V_one(cipher, K1, keylen/2, siv.V, &Vlen)) != CRYPT_OK) { + goto err_out; + } + } else { + siv_omac_ctx_t ctx; + if ((err = s_siv_ctx_init(cipher, K1, keylen/2, &ctx)) != CRYPT_OK) { + goto err_out; + } + if ((err = s_siv_S2V_zero(&ctx, D, &Dlen)) != CRYPT_OK) { + goto err_out; + } + + do { + if (n >= s_siv_max_aad_components) { + err = CRYPT_INPUT_TOO_LONG; + goto err_out; + } + if ((err = s_siv_S2V_dbl_xor_cmac(&ctx, aad, aadlen, D, Dlen)) != CRYPT_OK) { + goto err_out; + } + aad = va_arg(args, const unsigned char*); + if (aad == NULL) + break; + aadlen = va_arg(args, unsigned long); + n++; + } while (aadlen); + + if ((err = s_siv_S2V_T(&ctx, in_work, in_work_len, D, siv.V, &Vlen)) != CRYPT_OK) { + goto err_out; + } + } + + if (direction == LTC_DECRYPT) { + err = XMEM_NEQ(siv.V, in, Vlen); + copy_or_zeromem(in_work, out, in_work_len, err); + *outlen = in_work_len; + } else { + s_siv_bitand(siv.V, siv.Q); + XMEMCPY(out_work, siv.V, 16); + out_work += 16; + + if ((err = s_ctr_crypt_memory(cipher, siv.Q, K2, keylen/2, in, out_work, inlen)) != CRYPT_OK) { + zeromem(out, inlen + 16); + goto err_out; + } + *outlen = inlen + 16; + } +err_out: + if (in_buf) { + zeromem(in_buf, in_work_len); + XFREE(in_buf); + } + va_end(args); +#ifdef LTC_CLEAN_STACK + zeromem(D, sizeof(D)); + zeromem(&siv, sizeof(siv)); +#endif + return err; +} + +int siv_test(void) +{ +#ifndef LTC_TEST + return CRYPT_NOP; +#else + /* + * RFC5297 - A.1. Deterministic Authenticated Encryption Example + */ + const unsigned char Key_A1[] = + { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, + 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, + 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff }; + const unsigned char AD_A1[] = + { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27 }; + const unsigned char Plaintext_A1[] = + { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, + 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee }; + const unsigned char output_A1[] = + { 0x85, 0x63, 0x2d, 0x07, 0xc6, 0xe8, 0xf3, 0x7f, + 0x95, 0x0a, 0xcd, 0x32, 0x0a, 0x2e, 0xcc, 0x93, + 0x40, 0xc0, 0x2b, 0x96, 0x90, 0xc4, 0xdc, 0x04, + 0xda, 0xef, 0x7f, 0x6a, 0xfe, 0x5c }; + const unsigned char *ad_A1[] = + { AD_A1, NULL }; + unsigned long adlen_A1[] = + { sizeof(AD_A1), 0 }; + + const unsigned char Key_A2[] = + { 0x7f, 0x7e, 0x7d, 0x7c, 0x7b, 0x7a, 0x79, 0x78, + 0x77, 0x76, 0x75, 0x74, 0x73, 0x72, 0x71, 0x70, + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f }; + const unsigned char AD1_A2[] = + { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, + 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, + 0xde, 0xad, 0xda, 0xda, 0xde, 0xad, 0xda, 0xda, + 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88, + 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00 }; + const unsigned char AD2_A2[] = + { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80, + 0x90, 0xa0 }; + const unsigned char AD3_A2[] = + { 0x09, 0xf9, 0x11, 0x02, 0x9d, 0x74, 0xe3, 0x5b, + 0xd8, 0x41, 0x56, 0xc5, 0x63, 0x56, 0x88, 0xc0 }; + const unsigned char Plaintext_A2[] = + { 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, + 0x73, 0x6f, 0x6d, 0x65, 0x20, 0x70, 0x6c, 0x61, + 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x20, 0x74, + 0x6f, 0x20, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, + 0x74, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x20, + 0x53, 0x49, 0x56, 0x2d, 0x41, 0x45, 0x53 }; + const unsigned char output_A2[] = + { 0x7b, 0xdb, 0x6e, 0x3b, 0x43, 0x26, 0x67, 0xeb, + 0x06, 0xf4, 0xd1, 0x4b, 0xff, 0x2f, 0xbd, 0x0f, + 0xcb, 0x90, 0x0f, 0x2f, 0xdd, 0xbe, 0x40, 0x43, + 0x26, 0x60, 0x19, 0x65, 0xc8, 0x89, 0xbf, 0x17, + 0xdb, 0xa7, 0x7c, 0xeb, 0x09, 0x4f, 0xa6, 0x63, + 0xb7, 0xa3, 0xf7, 0x48, 0xba, 0x8a, 0xf8, 0x29, + 0xea, 0x64, 0xad, 0x54, 0x4a, 0x27, 0x2e, 0x9c, + 0x48, 0x5b, 0x62, 0xa3, 0xfd, 0x5c, 0x0d }; + const unsigned char *ad_A2[] = + { AD1_A2, AD2_A2, AD3_A2, NULL }; + unsigned long adlen_A2[] = + { sizeof(AD1_A2), sizeof(AD2_A2), sizeof(AD3_A2), 0 }; + +#define PL_PAIR(n) n, sizeof(n) + struct { + const unsigned char* Key; + unsigned long Keylen; + const unsigned char* Plaintext; + unsigned long Plaintextlen; + const void* ADs; + void* ADlens; + const unsigned char* output; + unsigned long outputlen; + const char* name; + } siv_tests[] = { + { PL_PAIR(Key_A1), PL_PAIR(Plaintext_A1), &ad_A1, &adlen_A1, PL_PAIR(output_A1), "RFC5297 - A.1. Deterministic Authenticated Encryption Example" }, + { PL_PAIR(Key_A2), PL_PAIR(Plaintext_A2), &ad_A2, &adlen_A2, PL_PAIR(output_A2), "RFC5297 - A.2. Nonce-Based Authenticated Encryption Example" } + }; +#undef PL_PAIR + + int err, cipher; + unsigned n; + unsigned long buflen, tmplen; + unsigned char buf[MAX(sizeof(output_A1), sizeof(output_A2))]; + const unsigned long niter = 1000; + unsigned char *tmpe, *tmpd; + const unsigned long tmpmax = 16 + niter * 16; + + cipher = find_cipher("aes"); + + for (n = 0; n < sizeof(siv_tests)/sizeof(siv_tests[0]); ++n) { + buflen = sizeof(buf); + if ((err = siv_encrypt_memory(cipher, + siv_tests[n].Key, siv_tests[n].Keylen, + (const unsigned char **)siv_tests[n].ADs, siv_tests[n].ADlens, + siv_tests[n].Plaintext, siv_tests[n].Plaintextlen, + buf, &buflen)) != CRYPT_OK) { + return err; + } + if (compare_testvector(buf, buflen, siv_tests[n].output, siv_tests[n].outputlen, siv_tests[n].name, n) != 0) { + return CRYPT_FAIL_TESTVECTOR; + } + buflen = sizeof(buf); + if ((err = siv_decrypt_memory(cipher, + siv_tests[n].Key, siv_tests[n].Keylen, + (const unsigned char **)siv_tests[n].ADs, siv_tests[n].ADlens, + siv_tests[n].output, siv_tests[n].outputlen, + buf, &buflen)) != CRYPT_OK) { + return err; + } + if (compare_testvector(buf, buflen, siv_tests[n].Plaintext, siv_tests[n].Plaintextlen, siv_tests[n].name, n + 0x1000) != 0) { + return CRYPT_FAIL_TESTVECTOR; + } + } + + /* Testcase 0x2 */ + buflen = sizeof(buf); + if ((err = siv_memory(cipher, LTC_ENCRYPT, + siv_tests[0].Key, siv_tests[0].Keylen, + siv_tests[0].Plaintext, siv_tests[0].Plaintextlen, + buf, &buflen, + AD_A1, sizeof(AD_A1), + NULL)) != CRYPT_OK) { + return err; + } + if (compare_testvector(buf, buflen, siv_tests[0].output, siv_tests[0].outputlen, siv_tests[0].name, n) != 0) { + return CRYPT_FAIL_TESTVECTOR; + } + /* Testcase 0x1002 */ + buflen = sizeof(buf); + if ((err = siv_memory(cipher, LTC_DECRYPT, + siv_tests[0].Key, siv_tests[0].Keylen, + siv_tests[0].output, siv_tests[0].outputlen, + buf, &buflen, + AD_A1, sizeof(AD_A1), + NULL)) != CRYPT_OK) { + return err; + } + if (compare_testvector(buf, buflen, siv_tests[0].Plaintext, siv_tests[0].Plaintextlen, siv_tests[0].name, n + 0x1000) != 0) { + return CRYPT_FAIL_TESTVECTOR; + } + + n++; + + /* Testcase 0x3 */ + buflen = sizeof(buf); + if ((err = siv_memory(cipher, LTC_ENCRYPT, + siv_tests[1].Key, siv_tests[1].Keylen, + siv_tests[1].Plaintext, siv_tests[1].Plaintextlen, + buf, &buflen, + ad_A2[0], adlen_A2[0], + ad_A2[1], adlen_A2[1], + ad_A2[2], adlen_A2[2], + NULL)) != CRYPT_OK) { + return err; + } + if (compare_testvector(buf, buflen, siv_tests[1].output, siv_tests[1].outputlen, siv_tests[1].name, n) != 0) { + return CRYPT_FAIL_TESTVECTOR; + } + /* Testcase 0x1003 */ + buflen = sizeof(buf); + if ((err = siv_memory(cipher, LTC_DECRYPT, + siv_tests[1].Key, siv_tests[1].Keylen, + siv_tests[1].output, siv_tests[1].outputlen, + buf, &buflen, + ad_A2[0], adlen_A2[0], + ad_A2[1], adlen_A2[1], + ad_A2[2], adlen_A2[2], + NULL)) != CRYPT_OK) { + return err; + } + if (compare_testvector(buf, buflen, siv_tests[1].Plaintext, siv_tests[1].Plaintextlen, siv_tests[1].name, n + 0x1000) != 0) { + return CRYPT_FAIL_TESTVECTOR; + } + + tmpe = XCALLOC(1, tmpmax); + if (tmpe == NULL) { + return CRYPT_MEM; + } + tmpd = XCALLOC(1, tmpmax); + if (tmpd == NULL) { + err = CRYPT_MEM; + goto out_tmpd; + } + tmplen = 16; + for (n = 0; n < niter; ++n) { + buflen = tmpmax; + if ((err = siv_memory(cipher, LTC_ENCRYPT, + siv_tests[0].Key, siv_tests[0].Keylen, + tmpe, tmplen, + tmpe, &buflen, + NULL)) != CRYPT_OK) { + goto out; + } + tmplen = buflen; + } + if (compare_testvector(&buflen, sizeof(buflen), &tmpmax, sizeof(tmpmax), "Multiple encrypt length", -(int)niter)) { + err = CRYPT_FAIL_TESTVECTOR; + goto out; + } + XMEMCPY(tmpd, tmpe, buflen); + for (n = 0; n < niter; ++n) { + buflen = tmpmax; + if ((err = siv_memory(cipher, LTC_DECRYPT, + siv_tests[0].Key, siv_tests[0].Keylen, + tmpd, tmplen, + tmpd, &buflen, + NULL)) != CRYPT_OK) { + goto out; + } + tmplen = buflen; + } + if (compare_testvector(tmpd, tmplen, tmpe, tmplen, "Multi decrypt", niter + 0x2000)) { + err = CRYPT_FAIL_TESTVECTOR; + } + +out: + XFREE(tmpd); +out_tmpd: + XFREE(tmpe); + + return err; +#endif +} + +#endif diff --git a/src/headers/tomcrypt_custom.h b/src/headers/tomcrypt_custom.h index 7ce348e2a..e12740dde 100644 --- a/src/headers/tomcrypt_custom.h +++ b/src/headers/tomcrypt_custom.h @@ -301,6 +301,7 @@ #define LTC_CCM_MODE #define LTC_GCM_MODE #define LTC_CHACHA20POLY1305_MODE +#define LTC_SIV_MODE /* Use 64KiB tables */ #ifndef LTC_NO_TABLES diff --git a/src/headers/tomcrypt_mac.h b/src/headers/tomcrypt_mac.h index 7f394b82c..3ca09ff52 100644 --- a/src/headers/tomcrypt_mac.h +++ b/src/headers/tomcrypt_mac.h @@ -565,3 +565,24 @@ int chacha20poly1305_memory(const unsigned char *key, unsigned long keylen, int chacha20poly1305_test(void); #endif /* LTC_CHACHA20POLY1305_MODE */ +#ifdef LTC_SIV_MODE + +int siv_encrypt_memory( int cipher, + const unsigned char *key, unsigned long keylen, + const unsigned char *ad[], unsigned long adlen[], + const unsigned char *pt, unsigned long ptlen, + unsigned char *ct, unsigned long *ctlen); +int siv_decrypt_memory( int cipher, + const unsigned char *key, unsigned long keylen, + const unsigned char *ad[], unsigned long adlen[], + const unsigned char *ct, unsigned long ctlen, + unsigned char *pt, unsigned long *ptlen); +int siv_memory( int cipher, int direction, + const unsigned char *key, unsigned long keylen, + const unsigned char *in, unsigned long inlen, + unsigned char *out, unsigned long *outlen, + ...) LTC_NULL_TERMINATED; +int siv_test(void); + +#endif + diff --git a/src/headers/tomcrypt_private.h b/src/headers/tomcrypt_private.h index 8c6d8a7ba..ecf90c1d3 100644 --- a/src/headers/tomcrypt_private.h +++ b/src/headers/tomcrypt_private.h @@ -168,6 +168,7 @@ int func_name (hash_state * md, const unsigned char *in, unsigned long inlen) int ocb3_int_ntz(unsigned long x); void ocb3_int_xor_blocks(unsigned char *out, const unsigned char *block_a, const unsigned char *block_b, unsigned long block_len); +int omac_vprocess(omac_state *omac, const unsigned char *in, unsigned long inlen, va_list args); /* tomcrypt_math.h */ diff --git a/src/mac/omac/omac_memory_multi.c b/src/mac/omac/omac_memory_multi.c index 4f3b708ea..8c355718f 100644 --- a/src/mac/omac/omac_memory_multi.c +++ b/src/mac/omac/omac_memory_multi.c @@ -10,6 +10,31 @@ #ifdef LTC_OMAC +static LTC_INLINE int s_omac_vprocess(omac_state *omac, const unsigned char *in, unsigned long inlen, va_list args) +{ + const unsigned char * curptr = in; + unsigned long curlen = inlen; + int err; + for (;;) { + /* process buf */ + if ((err = omac_process(omac, curptr, curlen)) != CRYPT_OK) { + return err; + } + /* step to next */ + curptr = va_arg(args, const unsigned char*); + if (curptr == NULL) { + break; + } + curlen = va_arg(args, unsigned long); + } + return CRYPT_OK; +} + +int omac_vprocess(omac_state *omac, const unsigned char *in, unsigned long inlen, va_list args) +{ + return s_omac_vprocess(omac, in, inlen, args); +} + /** OMAC multiple blocks of memory @param cipher The index of the desired cipher @@ -30,8 +55,6 @@ int omac_memory_multi(int cipher, int err; omac_state *omac; va_list args; - const unsigned char *curptr; - unsigned long curlen; LTC_ARGCHK(key != NULL); LTC_ARGCHK(in != NULL); @@ -49,23 +72,10 @@ int omac_memory_multi(int cipher, goto LBL_ERR; } va_start(args, inlen); - curptr = in; - curlen = inlen; - for (;;) { - /* process buf */ - if ((err = omac_process(omac, curptr, curlen)) != CRYPT_OK) { - goto LBL_ERR; - } - /* step to next */ - curptr = va_arg(args, const unsigned char*); - if (curptr == NULL) { - break; - } - curlen = va_arg(args, unsigned long); - } - if ((err = omac_done(omac, out, outlen)) != CRYPT_OK) { + if ((err = s_omac_vprocess(omac, in, inlen, args)) != CRYPT_OK) { goto LBL_ERR; } + err = omac_done(omac, out, outlen); LBL_ERR: #ifdef LTC_CLEAN_STACK zeromem(omac, sizeof(omac_state)); diff --git a/src/misc/crypt/crypt.c b/src/misc/crypt/crypt.c index 69f213542..c4675de6e 100644 --- a/src/misc/crypt/crypt.c +++ b/src/misc/crypt/crypt.c @@ -303,6 +303,9 @@ const char *crypt_build_settings = #if defined(LTC_CHACHA20POLY1305_MODE) " CHACHA20POLY1305\n" #endif +#if defined(LTC_SIV_MODE) + " SIV\n" +#endif "\nPRNG:\n" #if defined(LTC_YARROW) diff --git a/tests/mac_test.c b/tests/mac_test.c index 012199324..da1d95372 100644 --- a/tests/mac_test.c +++ b/tests/mac_test.c @@ -49,6 +49,9 @@ int mac_test(void) #endif #ifdef LTC_BLAKE2BMAC DO(blake2bmac_test()); +#endif +#ifdef LTC_SIV_MODE + DO(siv_test()); #endif return 0; }