pkg/cryptstate, pkg/cryptstate/ocb2: move OCB2 tag verification into ocb2.Decrypt.

pkg/cryptstate/cryptstate.go

@@ -92,8 +92,8 @@ func (cs *CryptState) Decrypt(dst, src []byte) error {
 		return errors.New("cryptstate: plain_len and src len mismatch")
 	}
 
-	var tag [ocb2.TagSize]byte
 	ivbyte := src[0]
+	tag := src[1:4]
 	restore := false
 	lost := 0
 	late := 0
@@ -167,13 +167,10 @@ func (cs *CryptState) Decrypt(dst, src []byte) error {
 		}
 	}
 
-	ocb2.Decrypt(cs.cipher, dst, src[4:], cs.DecryptIV, tag[:])
-
-	for i := 0; i < 3; i++ {
-		if tag[i] != src[i+1] {
+	ok := ocb2.Decrypt(cs.cipher, dst, src[4:], cs.DecryptIV, tag[:])
+	if !ok {
 		cs.DecryptIV = saveiv
-			return errors.New("tag mismatch")
-		}
+		return errors.New("cryptstate: tag mismatch")
 	}
 
 	cs.decryptHistory[cs.DecryptIV[0]] = cs.DecryptIV[0]

pkg/cryptstate/ocb2/ocb2.go

@@ -16,7 +16,10 @@
 // free basis.
 package ocb2
 
-import "crypto/cipher"
+import (
+	"crypto/cipher"
+	"crypto/subtle"
+)
 
 const (
 	// BlockSize defines the block size that this particular implementation
@@ -167,8 +170,9 @@ func Encrypt(cipher cipher.Block, dst []byte, src []byte, nonce []byte, tag []by
 	cipher.Encrypt(tag[0:], tmp[0:])
 }
 
-// Decrypt takes a ciphertext and a nonce as its input and outputs a decrypted plaintext
-// and corresponding authentication tag.
+// Decrypt takes a ciphertext, a nonce, and a tag as its input and outputs a decrypted
+// plaintext (if successful) and a boolean flag that determines whether the function
+// successfully decrypted the given ciphertext.
 //
 // Before using the decrpyted plaintext, the application
 // should verify that the computed authentication tag matches the tag that was produced when
@@ -179,22 +183,20 @@ func Encrypt(cipher cipher.Block, dst []byte, src []byte, nonce []byte, tag []by
 // The tag slice used in this function must have a length equal to ocb2.TagSize.
 // The nonce slice used in this function must have a length equal to ocb2.NonceSize.
 // If any of the above are violated, Encrypt will panic.
-func Decrypt(cipher cipher.Block, plain []byte, encrypted []byte, nonce []byte, tag []byte) {
+func Decrypt(cipher cipher.Block, plain []byte, encrypted []byte, nonce []byte, tag []byte) bool {
 	if cipher.BlockSize() != BlockSize {
 		panic("ocb2: cipher blocksize is not equal to ocb2.BlockSize")
 	}
 	if len(nonce) != NonceSize {
 		panic("ocb2: nonce length is not equal to ocb2.NonceSize")
 	}
-	if len(tag) != TagSize {
-		panic("ocb2: tag length is not equal to ocb2.TagSize")
-	}
 
 	var (
 		checksum [BlockSize]byte
 		delta    [BlockSize]byte
 		tmp      [BlockSize]byte
 		pad      [BlockSize]byte
+		calcTag  [NonceSize]byte
 		off      int
 	)
 
@@ -233,5 +235,13 @@ func Decrypt(cipher cipher.Block, plain []byte, encrypted []byte, nonce []byte,
 
 	times3(delta[0:])
 	xor(tmp[0:], delta[0:], checksum[0:])
-	cipher.Encrypt(tag[0:], tmp[0:])
+	cipher.Encrypt(calcTag[0:], tmp[0:])
+
+	// Compare the calculated tag with the expected tag. Truncate
+	// the computed tag if necessary.
+	if subtle.ConstantTimeCompare(calcTag[:len(tag)], tag) != 1 {
+		return false
+	}
+
+	return true
 }

pkg/cryptstate/ocb2/ocb2_test.go

@@ -189,17 +189,13 @@ func TestDecryptOCBAES128Vectors(t *testing.T) {
 
 		cipherText := vector.CipherTextBytes()
 		plainText := make([]byte, len(cipherText))
-		tag := make([]byte, TagSize)
-		Decrypt(cipher, plainText, cipherText, vector.NonceBytes(), tag)
+		if Decrypt(cipher, plainText, cipherText, vector.NonceBytes(), vector.TagBytes()) == false {
+			t.Fatalf("expected decrypt success; got failure. tag mismatch?")
+		}
 
 		expectedPlainText := vector.PlainTextBytes()
 		if !bytes.Equal(plainText, expectedPlainText) {
 			t.Fatalf("expected PlainText %#v, got %#v", expectedPlainText, plainText)
 		}
-
-		expectedTag := vector.TagBytes()
-		if !bytes.Equal(tag, expectedTag) {
-			t.Fatalf("expected tag %#v, got %#v", expectedTag, tag)
-		}
 	}
 }