CEF/grumble
1
0
Fork 0
forked from External/grumble
Code Pull requests Activity

pkg/cryptstate, pkg/cryptstate/ocb2: move OCB2 tag verification into ocb2.Decrypt.

Browse source
This commit is contained in:
Mikkel Krautz 2012-12-08 22:56:05 +01:00
parent 2b12adc014
commit 154b7938d3
3 changed files with 453 additions and 450 deletions
Download patch file Download diff file Expand all files Collapse all files

13
pkg/cryptstate/cryptstate.go
View file

@ -92,8 +92,8 @@ func (cs *CryptState) Decrypt(dst, src []byte) error {
return errors.New("cryptstate: plain_len and src len mismatch") return errors.New("cryptstate: plain_len and src len mismatch")
} }
var tag [ocb2.TagSize]byte
ivbyte := src[0] ivbyte := src[0]
tag := src[1:4]
restore := false restore := false
lost := 0 lost := 0
late := 0 late := 0
@ -167,13 +167,10 @@ func (cs *CryptState) Decrypt(dst, src []byte) error {
} }
} }
ocb2.Decrypt(cs.cipher, dst, src[4:], cs.DecryptIV, tag[:]) ok := ocb2.Decrypt(cs.cipher, dst, src[4:], cs.DecryptIV, tag[:])
if !ok {
for i := 0; i < 3; i++ { cs.DecryptIV = saveiv
if tag[i] != src[i+1] { return errors.New("cryptstate: tag mismatch")
cs.DecryptIV = saveiv
return errors.New("tag mismatch")
}
} }
cs.decryptHistory[cs.DecryptIV[0]] = cs.DecryptIV[0] cs.decryptHistory[cs.DecryptIV[0]] = cs.DecryptIV[0]

42
pkg/cryptstate/ocb2/ocb2.go
View file

@ -16,7 +16,10 @@
// free basis. // free basis.
package ocb2 package ocb2
import "crypto/cipher" import (
"crypto/cipher"
"crypto/subtle"
)
const ( const (
// BlockSize defines the block size that this particular implementation // BlockSize defines the block size that this particular implementation
@ -122,10 +125,10 @@ func Encrypt(cipher cipher.Block, dst []byte, src []byte, nonce []byte, tag []by
var ( var (
checksum [BlockSize]byte checksum [BlockSize]byte
delta [BlockSize]byte delta [BlockSize]byte
tmp [BlockSize]byte tmp [BlockSize]byte
pad [BlockSize]byte pad [BlockSize]byte
off int off int
) )
cipher.Encrypt(delta[0:], nonce[0:]) cipher.Encrypt(delta[0:], nonce[0:])
@ -167,8 +170,9 @@ func Encrypt(cipher cipher.Block, dst []byte, src []byte, nonce []byte, tag []by
cipher.Encrypt(tag[0:], tmp[0:]) cipher.Encrypt(tag[0:], tmp[0:])
} }
// Decrypt takes a ciphertext and a nonce as its input and outputs a decrypted plaintext // Decrypt takes a ciphertext, a nonce, and a tag as its input and outputs a decrypted
// and corresponding authentication tag. // plaintext (if successful) and a boolean flag that determines whether the function
// successfully decrypted the given ciphertext.
// //
// Before using the decrpyted plaintext, the application // Before using the decrpyted plaintext, the application
// should verify that the computed authentication tag matches the tag that was produced when // should verify that the computed authentication tag matches the tag that was produced when
@ -179,23 +183,21 @@ func Encrypt(cipher cipher.Block, dst []byte, src []byte, nonce []byte, tag []by
// The tag slice used in this function must have a length equal to ocb2.TagSize. // The tag slice used in this function must have a length equal to ocb2.TagSize.
// The nonce slice used in this function must have a length equal to ocb2.NonceSize. // The nonce slice used in this function must have a length equal to ocb2.NonceSize.
// If any of the above are violated, Encrypt will panic. // If any of the above are violated, Encrypt will panic.
func Decrypt(cipher cipher.Block, plain []byte, encrypted []byte, nonce []byte, tag []byte) { func Decrypt(cipher cipher.Block, plain []byte, encrypted []byte, nonce []byte, tag []byte) bool {
if cipher.BlockSize() != BlockSize { if cipher.BlockSize() != BlockSize {
panic("ocb2: cipher blocksize is not equal to ocb2.BlockSize") panic("ocb2: cipher blocksize is not equal to ocb2.BlockSize")
} }
if len(nonce) != NonceSize { if len(nonce) != NonceSize {
panic("ocb2: nonce length is not equal to ocb2.NonceSize") panic("ocb2: nonce length is not equal to ocb2.NonceSize")
} }
if len(tag) != TagSize {
panic("ocb2: tag length is not equal to ocb2.TagSize")
}
var ( var (
checksum [BlockSize]byte checksum [BlockSize]byte
delta [BlockSize]byte delta [BlockSize]byte
tmp [BlockSize]byte tmp [BlockSize]byte
pad [BlockSize]byte pad [BlockSize]byte
off int calcTag [NonceSize]byte
off int
) )
cipher.Encrypt(delta[0:], nonce[0:]) cipher.Encrypt(delta[0:], nonce[0:])
@ -233,5 +235,13 @@ func Decrypt(cipher cipher.Block, plain []byte, encrypted []byte, nonce []byte,
times3(delta[0:]) times3(delta[0:])
xor(tmp[0:], delta[0:], checksum[0:]) xor(tmp[0:], delta[0:], checksum[0:])
cipher.Encrypt(tag[0:], tmp[0:]) cipher.Encrypt(calcTag[0:], tmp[0:])
// Compare the calculated tag with the expected tag. Truncate
// the computed tag if necessary.
if subtle.ConstantTimeCompare(calcTag[:len(tag)], tag) != 1 {
return false
}
return true
} }

96
pkg/cryptstate/ocb2/ocb2_test.go
View file

@ -20,13 +20,13 @@ func MustDecodeHex(s string) []byte {
} }
type ocbVector struct { type ocbVector struct {
Name string Name string
Key string Key string
Nonce string Nonce string
Header string Header string
PlainText string PlainText string
CipherText string CipherText string
Tag string Tag string
} }
func (v ocbVector) KeyBytes() []byte { func (v ocbVector) KeyBytes() []byte {
@ -56,52 +56,52 @@ func (v ocbVector) TagBytes() []byte {
// as this implementation does not implement header authentication. // as this implementation does not implement header authentication.
var ocb128Vectors = []ocbVector{ var ocb128Vectors = []ocbVector{
{ {
Name: "OCB2-AES-128-001", Name: "OCB2-AES-128-001",
Key: "000102030405060708090A0B0C0D0E0F", Key: "000102030405060708090A0B0C0D0E0F",
Nonce: "000102030405060708090A0B0C0D0E0F", Nonce: "000102030405060708090A0B0C0D0E0F",
PlainText: "", PlainText: "",
CipherText: "", CipherText: "",
Tag: "BF3108130773AD5EC70EC69E7875A7B0", Tag: "BF3108130773AD5EC70EC69E7875A7B0",
}, },
{ {
Name: "OCB2-AES-128-002", Name: "OCB2-AES-128-002",
Key: "000102030405060708090A0B0C0D0E0F", Key: "000102030405060708090A0B0C0D0E0F",
Nonce: "000102030405060708090A0B0C0D0E0F", Nonce: "000102030405060708090A0B0C0D0E0F",
PlainText: "0001020304050607", PlainText: "0001020304050607",
CipherText: "C636B3A868F429BB", CipherText: "C636B3A868F429BB",
Tag: "A45F5FDEA5C088D1D7C8BE37CABC8C5C", Tag: "A45F5FDEA5C088D1D7C8BE37CABC8C5C",
}, },
{ {
Name: "OCB2-AES-128-003", Name: "OCB2-AES-128-003",
Key: "000102030405060708090A0B0C0D0E0F", Key: "000102030405060708090A0B0C0D0E0F",
Nonce: "000102030405060708090A0B0C0D0E0F", Nonce: "000102030405060708090A0B0C0D0E0F",
PlainText: "000102030405060708090A0B0C0D0E0F", PlainText: "000102030405060708090A0B0C0D0E0F",
CipherText: "52E48F5D19FE2D9869F0C4A4B3D2BE57", CipherText: "52E48F5D19FE2D9869F0C4A4B3D2BE57",
Tag: "F7EE49AE7AA5B5E6645DB6B3966136F9", Tag: "F7EE49AE7AA5B5E6645DB6B3966136F9",
}, },
{ {
Name: "OCB2-AES-128-003", Name: "OCB2-AES-128-003",
Key: "000102030405060708090A0B0C0D0E0F", Key: "000102030405060708090A0B0C0D0E0F",
Nonce: "000102030405060708090A0B0C0D0E0F", Nonce: "000102030405060708090A0B0C0D0E0F",
PlainText: "000102030405060708090A0B0C0D0E0F1011121314151617", PlainText: "000102030405060708090A0B0C0D0E0F1011121314151617",
CipherText: "F75D6BC8B4DC8D66B836A2B08B32A636CC579E145D323BEB", CipherText: "F75D6BC8B4DC8D66B836A2B08B32A636CC579E145D323BEB",
Tag: "A1A50F822819D6E0A216784AC24AC84C", Tag: "A1A50F822819D6E0A216784AC24AC84C",
}, },
{ {
Name: "OCB2-AES-128-004", Name: "OCB2-AES-128-004",
Key: "000102030405060708090A0B0C0D0E0F", Key: "000102030405060708090A0B0C0D0E0F",
Nonce: "000102030405060708090A0B0C0D0E0F", Nonce: "000102030405060708090A0B0C0D0E0F",
PlainText: "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F", PlainText: "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F",
CipherText: "F75D6BC8B4DC8D66B836A2B08B32A636CEC3C555037571709DA25E1BB0421A27", CipherText: "F75D6BC8B4DC8D66B836A2B08B32A636CEC3C555037571709DA25E1BB0421A27",
Tag: "09CA6C73F0B5C6C5FD587122D75F2AA3", Tag: "09CA6C73F0B5C6C5FD587122D75F2AA3",
}, },
{ {
Name: "OCB2-AES-128-005", Name: "OCB2-AES-128-005",
Key: "000102030405060708090A0B0C0D0E0F", Key: "000102030405060708090A0B0C0D0E0F",
Nonce: "000102030405060708090A0B0C0D0E0F", Nonce: "000102030405060708090A0B0C0D0E0F",
PlainText: "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627", PlainText: "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627",
CipherText: "F75D6BC8B4DC8D66B836A2B08B32A6369F1CD3C5228D79FD6C267F5F6AA7B231C7DFB9D59951AE9C", CipherText: "F75D6BC8B4DC8D66B836A2B08B32A6369F1CD3C5228D79FD6C267F5F6AA7B231C7DFB9D59951AE9C",
Tag: "9DB0CDF880F73E3E10D4EB3217766688", Tag: "9DB0CDF880F73E3E10D4EB3217766688",
}, },
} }
@ -189,17 +189,13 @@ func TestDecryptOCBAES128Vectors(t *testing.T) {
cipherText := vector.CipherTextBytes() cipherText := vector.CipherTextBytes()
plainText := make([]byte, len(cipherText)) plainText := make([]byte, len(cipherText))
tag := make([]byte, TagSize) if Decrypt(cipher, plainText, cipherText, vector.NonceBytes(), vector.TagBytes()) == false {
Decrypt(cipher, plainText, cipherText, vector.NonceBytes(), tag) t.Fatalf("expected decrypt success; got failure. tag mismatch?")
}
expectedPlainText := vector.PlainTextBytes() expectedPlainText := vector.PlainTextBytes()
if !bytes.Equal(plainText, expectedPlainText) { if !bytes.Equal(plainText, expectedPlainText) {
t.Fatalf("expected PlainText %#v, got %#v", expectedPlainText, plainText) t.Fatalf("expected PlainText %#v, got %#v", expectedPlainText, plainText)
} }
expectedTag := vector.TagBytes()
if !bytes.Equal(tag, expectedTag) {
t.Fatalf("expected tag %#v, got %#v", expectedTag, tag)
}
} }
} }