From bbb02a5b6d27f76931c3385321b2c594781c7a1b Mon Sep 17 00:00:00 2001 From: Mingtao Yang Date: Wed, 6 Jun 2018 09:34:18 -0700 Subject: [PATCH] modes/ocb128.c: Reset nonce-dependent variables on setiv Upon a call to CRYPTO_ocb128_setiv, either directly on an OCB_CTX or indirectly with EVP_CTRL_AEAD_SET_IVLEN, reset the nonce-dependent variables in the OCB_CTX. Reviewed-by: Andy Polyakov Reviewed-by: Rich Salz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6420) --- crypto/modes/modes_lcl.h | 15 ++--- crypto/modes/ocb128.c | 121 ++++++++++++++++++++------------------- 2 files changed, 69 insertions(+), 67 deletions(-) diff --git a/crypto/modes/modes_lcl.h b/crypto/modes/modes_lcl.h index fa8546038d..f2ae01d11a 100644 --- a/crypto/modes/modes_lcl.h +++ b/crypto/modes/modes_lcl.h @@ -178,12 +178,13 @@ struct ocb128_context { OCB_BLOCK l_dollar; OCB_BLOCK *l; /* Must be reset for each session */ - u64 blocks_hashed; - u64 blocks_processed; - OCB_BLOCK tag; - OCB_BLOCK offset_aad; - OCB_BLOCK sum; - OCB_BLOCK offset; - OCB_BLOCK checksum; + struct { + u64 blocks_hashed; + u64 blocks_processed; + OCB_BLOCK offset_aad; + OCB_BLOCK sum; + OCB_BLOCK offset; + OCB_BLOCK checksum; + } sess; }; #endif /* OPENSSL_NO_OCB */ diff --git a/crypto/modes/ocb128.c b/crypto/modes/ocb128.c index 96f21f658a..76591e6992 100644 --- a/crypto/modes/ocb128.c +++ b/crypto/modes/ocb128.c @@ -239,6 +239,9 @@ int CRYPTO_ocb128_setiv(OCB128_CONTEXT *ctx, const unsigned char *iv, return -1; } + /* Reset nonce-dependent variables */ + memset(&ctx->sess, 0, sizeof(ctx->sess)); + /* Nonce = num2str(TAGLEN mod 128,7) || zeros(120-bitlen(N)) || 1 || N */ nonce[0] = ((taglen * 8) % 128) << 1; memset(nonce + 1, 0, 15); @@ -259,10 +262,10 @@ int CRYPTO_ocb128_setiv(OCB128_CONTEXT *ctx, const unsigned char *iv, /* Offset_0 = Stretch[1+bottom..128+bottom] */ shift = bottom % 8; - ocb_block_lshift(stretch + (bottom / 8), shift, ctx->offset.c); + ocb_block_lshift(stretch + (bottom / 8), shift, ctx->sess.offset.c); mask = 0xff; mask <<= 8 - shift; - ctx->offset.c[15] |= + ctx->sess.offset.c[15] |= (*(stretch + (bottom / 8) + 16) & mask) >> (8 - shift); return 1; @@ -281,25 +284,25 @@ int CRYPTO_ocb128_aad(OCB128_CONTEXT *ctx, const unsigned char *aad, /* Calculate the number of blocks of AAD provided now, and so far */ num_blocks = len / 16; - all_num_blocks = num_blocks + ctx->blocks_hashed; + all_num_blocks = num_blocks + ctx->sess.blocks_hashed; /* Loop through all full blocks of AAD */ - for (i = ctx->blocks_hashed + 1; i <= all_num_blocks; i++) { + for (i = ctx->sess.blocks_hashed + 1; i <= all_num_blocks; i++) { OCB_BLOCK *lookup; /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ lookup = ocb_lookup_l(ctx, ocb_ntz(i)); if (lookup == NULL) return 0; - ocb_block16_xor(&ctx->offset_aad, lookup, &ctx->offset_aad); + ocb_block16_xor(&ctx->sess.offset_aad, lookup, &ctx->sess.offset_aad); memcpy(tmp.c, aad, 16); aad += 16; /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */ - ocb_block16_xor(&ctx->offset_aad, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset_aad, &tmp, &tmp); ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); - ocb_block16_xor(&tmp, &ctx->sum, &ctx->sum); + ocb_block16_xor(&tmp, &ctx->sess.sum, &ctx->sess.sum); } /* @@ -310,20 +313,21 @@ int CRYPTO_ocb128_aad(OCB128_CONTEXT *ctx, const unsigned char *aad, if (last_len > 0) { /* Offset_* = Offset_m xor L_* */ - ocb_block16_xor(&ctx->offset_aad, &ctx->l_star, &ctx->offset_aad); + ocb_block16_xor(&ctx->sess.offset_aad, &ctx->l_star, + &ctx->sess.offset_aad); /* CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_* */ memset(tmp.c, 0, 16); memcpy(tmp.c, aad, last_len); tmp.c[last_len] = 0x80; - ocb_block16_xor(&ctx->offset_aad, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset_aad, &tmp, &tmp); /* Sum = Sum_m xor ENCIPHER(K, CipherInput) */ ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); - ocb_block16_xor(&tmp, &ctx->sum, &ctx->sum); + ocb_block16_xor(&tmp, &ctx->sess.sum, &ctx->sess.sum); } - ctx->blocks_hashed = all_num_blocks; + ctx->sess.blocks_hashed = all_num_blocks; return 1; } @@ -344,7 +348,7 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, * so far */ num_blocks = len / 16; - all_num_blocks = num_blocks + ctx->blocks_processed; + all_num_blocks = num_blocks + ctx->sess.blocks_processed; if (num_blocks && all_num_blocks == (size_t)all_num_blocks && ctx->stream != NULL) { @@ -360,11 +364,11 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, return 0; ctx->stream(in, out, num_blocks, ctx->keyenc, - (size_t)ctx->blocks_processed + 1, ctx->offset.c, - (const unsigned char (*)[16])ctx->l, ctx->checksum.c); + (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c, + (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c); } else { /* Loop through all full blocks to be encrypted */ - for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) { + for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) { OCB_BLOCK *lookup; OCB_BLOCK tmp; @@ -372,18 +376,18 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, lookup = ocb_lookup_l(ctx, ocb_ntz(i)); if (lookup == NULL) return 0; - ocb_block16_xor(&ctx->offset, lookup, &ctx->offset); + ocb_block16_xor(&ctx->sess.offset, lookup, &ctx->sess.offset); memcpy(tmp.c, in, 16); in += 16; /* Checksum_i = Checksum_{i-1} xor P_i */ - ocb_block16_xor(&tmp, &ctx->checksum, &ctx->checksum); + ocb_block16_xor(&tmp, &ctx->sess.checksum, &ctx->sess.checksum); /* C_i = Offset_i xor ENCIPHER(K, P_i xor Offset_i) */ - ocb_block16_xor(&ctx->offset, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp); ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); - ocb_block16_xor(&ctx->offset, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp); memcpy(out, tmp.c, 16); out += 16; @@ -400,10 +404,10 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, OCB_BLOCK pad; /* Offset_* = Offset_m xor L_* */ - ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset); + ocb_block16_xor(&ctx->sess.offset, &ctx->l_star, &ctx->sess.offset); /* Pad = ENCIPHER(K, Offset_*) */ - ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc); + ctx->encrypt(ctx->sess.offset.c, pad.c, ctx->keyenc); /* C_* = P_* xor Pad[1..bitlen(P_*)] */ ocb_block_xor(in, pad.c, last_len, out); @@ -412,10 +416,10 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx, memset(pad.c, 0, 16); /* borrow pad */ memcpy(pad.c, in, last_len); pad.c[last_len] = 0x80; - ocb_block16_xor(&pad, &ctx->checksum, &ctx->checksum); + ocb_block16_xor(&pad, &ctx->sess.checksum, &ctx->sess.checksum); } - ctx->blocks_processed = all_num_blocks; + ctx->sess.blocks_processed = all_num_blocks; return 1; } @@ -436,7 +440,7 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, * so far */ num_blocks = len / 16; - all_num_blocks = num_blocks + ctx->blocks_processed; + all_num_blocks = num_blocks + ctx->sess.blocks_processed; if (num_blocks && all_num_blocks == (size_t)all_num_blocks && ctx->stream != NULL) { @@ -452,30 +456,30 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, return 0; ctx->stream(in, out, num_blocks, ctx->keydec, - (size_t)ctx->blocks_processed + 1, ctx->offset.c, - (const unsigned char (*)[16])ctx->l, ctx->checksum.c); + (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c, + (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c); } else { OCB_BLOCK tmp; /* Loop through all full blocks to be decrypted */ - for (i = ctx->blocks_processed + 1; i <= all_num_blocks; i++) { + for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) { /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ OCB_BLOCK *lookup = ocb_lookup_l(ctx, ocb_ntz(i)); if (lookup == NULL) return 0; - ocb_block16_xor(&ctx->offset, lookup, &ctx->offset); + ocb_block16_xor(&ctx->sess.offset, lookup, &ctx->sess.offset); memcpy(tmp.c, in, 16); in += 16; /* P_i = Offset_i xor DECIPHER(K, C_i xor Offset_i) */ - ocb_block16_xor(&ctx->offset, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp); ctx->decrypt(tmp.c, tmp.c, ctx->keydec); - ocb_block16_xor(&ctx->offset, &tmp, &tmp); + ocb_block16_xor(&ctx->sess.offset, &tmp, &tmp); /* Checksum_i = Checksum_{i-1} xor P_i */ - ocb_block16_xor(&tmp, &ctx->checksum, &ctx->checksum); + ocb_block16_xor(&tmp, &ctx->sess.checksum, &ctx->sess.checksum); memcpy(out, tmp.c, 16); out += 16; @@ -492,10 +496,10 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, OCB_BLOCK pad; /* Offset_* = Offset_m xor L_* */ - ocb_block16_xor(&ctx->offset, &ctx->l_star, &ctx->offset); + ocb_block16_xor(&ctx->sess.offset, &ctx->l_star, &ctx->sess.offset); /* Pad = ENCIPHER(K, Offset_*) */ - ctx->encrypt(ctx->offset.c, pad.c, ctx->keyenc); + ctx->encrypt(ctx->sess.offset.c, pad.c, ctx->keyenc); /* P_* = C_* xor Pad[1..bitlen(C_*)] */ ocb_block_xor(in, pad.c, last_len, out); @@ -504,39 +508,46 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx, memset(pad.c, 0, 16); /* borrow pad */ memcpy(pad.c, out, last_len); pad.c[last_len] = 0x80; - ocb_block16_xor(&pad, &ctx->checksum, &ctx->checksum); + ocb_block16_xor(&pad, &ctx->sess.checksum, &ctx->sess.checksum); } - ctx->blocks_processed = all_num_blocks; + ctx->sess.blocks_processed = all_num_blocks; return 1; } -/* - * Calculate the tag and verify it against the supplied tag - */ -int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag, - size_t len) +static int ocb_finish(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len, + int write) { OCB_BLOCK tmp; + if (len > 16 || len < 1) { + return -1; + } + /* * Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A) */ - ocb_block16_xor(&ctx->checksum, &ctx->offset, &tmp); + ocb_block16_xor(&ctx->sess.checksum, &ctx->sess.offset, &tmp); ocb_block16_xor(&ctx->l_dollar, &tmp, &tmp); ctx->encrypt(tmp.c, tmp.c, ctx->keyenc); - ocb_block16_xor(&tmp, &ctx->sum, &ctx->tag); + ocb_block16_xor(&tmp, &ctx->sess.sum, &tmp); - if (len > 16 || len < 1) { - return -1; + if (write) { + memcpy(tag, &tmp, len); + return 1; + } else { + return CRYPTO_memcmp(&tmp, tag, len); } +} - /* Compare the tag if we've been given one */ - if (tag) - return CRYPTO_memcmp(&ctx->tag, tag, len); - else - return -1; +/* + * Calculate the tag and verify it against the supplied tag + */ +int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag, + size_t len) +{ + return ocb_finish(ctx, (unsigned char*)tag, len, 0); } /* @@ -544,17 +555,7 @@ int CRYPTO_ocb128_finish(OCB128_CONTEXT *ctx, const unsigned char *tag, */ int CRYPTO_ocb128_tag(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len) { - if (len > 16 || len < 1) { - return -1; - } - - /* Calculate the tag */ - CRYPTO_ocb128_finish(ctx, NULL, 0); - - /* Copy the tag into the supplied buffer */ - memcpy(tag, ctx->tag.c, len); - - return 1; + return ocb_finish(ctx, tag, len, 1); } /* -- 2.25.1