void Montgomery_Params::square_this(BigInt& x,
secure_vector<word>& ws) const
{
const size_t output_size = 2*m_p_words + 2;
if(ws.size() < 2*output_size)
ws.resize(2*output_size);
word* z_data = &ws[0];
word* ws_data = &ws[output_size];
BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words);
bigint_sqr(z_data, output_size,
x.data(), x.size(), std::min(m_p_words, x.size()),
ws_data, output_size);
bigint_monty_redc(z_data,
m_p.data(), m_p_words, m_p_dash,
ws_data, output_size);
if(x.size() < output_size)
x.grow_to(output_size);
copy_mem(x.mutable_data(), z_data, output_size);
}
void EAX_Decryption::finish(secure_vector<byte>& buffer, size_t offset)
{
BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
const size_t sz = buffer.size() - offset;
byte* buf = buffer.data() + offset;
BOTAN_ASSERT(sz >= tag_size(), "Have the tag as part of final input");
const size_t remaining = sz - tag_size();
if(remaining)
{
m_cmac->update(buf, remaining);
m_ctr->cipher(buf, buf, remaining);
}
const byte* included_tag = &buf[remaining];
secure_vector<byte> mac = m_cmac->final();
mac ^= m_nonce_mac;
mac ^= m_ad_mac;
if(!same_mem(mac.data(), included_tag, tag_size()))
throw Integrity_Failure("EAX tag check failed");
buffer.resize(offset + remaining);
}
void CCM_Mode::update(secure_vector<byte>& buffer, size_t offset)
{
BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
const size_t sz = buffer.size() - offset;
byte* buf = buffer.data() + offset;
m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
buffer.resize(offset); // truncate msg
}
void CCM_Decryption::finish(secure_vector<byte>& buffer, size_t offset)
{
BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
const size_t sz = buffer.size() - offset;
byte* buf = buffer.data() + offset;
BOTAN_ASSERT(sz >= tag_size(), "We have the tag");
const secure_vector<byte>& ad = ad_buf();
BOTAN_ASSERT(ad.size() % BS == 0, "AD is block size multiple");
const BlockCipher& E = cipher();
secure_vector<byte> T(BS);
E.encrypt(format_b0(sz - tag_size()), T);
for(size_t i = 0; i != ad.size(); i += BS)
{
xor_buf(T.data(), &ad[i], BS);
E.encrypt(T);
}
secure_vector<byte> C = format_c0();
secure_vector<byte> S0(BS);
E.encrypt(C, S0);
inc(C);
secure_vector<byte> X(BS);
const byte* buf_end = &buf[sz - tag_size()];
while(buf != buf_end)
{
const size_t to_proc = std::min<size_t>(BS, buf_end - buf);
E.encrypt(C, X);
xor_buf(buf, X.data(), to_proc);
inc(C);
xor_buf(T.data(), buf, to_proc);
E.encrypt(T);
buf += to_proc;
}
T ^= S0;
if(!same_mem(T.data(), buf_end, tag_size()))
throw Integrity_Failure("CCM tag check failed");
buffer.resize(buffer.size() - tag_size());
}
void ECB_Decryption::finish(secure_vector<byte>& buffer, size_t offset)
{
BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
const size_t sz = buffer.size() - offset;
const size_t BS = cipher().block_size();
if(sz == 0 || sz % BS)
throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");
update(buffer, offset);
const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS);
buffer.resize(buffer.size() - pad_bytes); // remove padding
}
BigInt Montgomery_Params::redc(const BigInt& x, secure_vector<word>& ws) const
{
const size_t output_size = 2*m_p_words + 2;
if(ws.size() < output_size)
ws.resize(output_size);
BigInt z = x;
z.grow_to(output_size);
bigint_monty_redc(z.mutable_data(),
m_p.data(), m_p_words, m_p_dash,
ws.data(), ws.size());
return z;
}
void CTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
{
BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
const size_t sz = buffer.size() - offset;
uint8_t* buf = buffer.data() + offset;
const size_t BS = cipher().block_size();
if(sz < BS + 1)
throw Encoding_Error(name() + ": insufficient data to decrypt");
if(sz % BS == 0)
{
// swap last two blocks
for(size_t i = 0; i != BS; ++i)
std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
update(buffer, offset);
}
else
{
const size_t full_blocks = ((sz / BS) - 1) * BS;
const size_t final_bytes = sz - full_blocks;
BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
buffer.resize(full_blocks + offset);
update(buffer, offset);
cipher().decrypt(last.data());
xor_buf(last.data(), &last[BS], final_bytes - BS);
for(size_t i = 0; i != final_bytes - BS; ++i)
std::swap(last[i], last[i + BS]);
cipher().decrypt(last.data());
xor_buf(last.data(), state_ptr(), BS);
buffer += last;
}
}
void XTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
{
BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
const size_t sz = buffer.size() - offset;
uint8_t* buf = buffer.data() + offset;
BOTAN_ASSERT(sz >= minimum_final_size(), "Have sufficient final input in XTS decrypt");
const size_t BS = cipher().block_size();
if(sz % BS == 0)
{
update(buffer, offset);
}
else
{
// steal ciphertext
const size_t full_blocks = ((sz / BS) - 1) * BS;
const size_t final_bytes = sz - full_blocks;
BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
buffer.resize(full_blocks + offset);
update(buffer, offset);
xor_buf(last, tweak() + BS, BS);
cipher().decrypt(last);
xor_buf(last, tweak() + BS, BS);
for(size_t i = 0; i != final_bytes - BS; ++i)
{
last[i] ^= last[i + BS];
last[i + BS] ^= last[i];
last[i] ^= last[i + BS];
}
xor_buf(last, tweak(), BS);
cipher().decrypt(last);
xor_buf(last, tweak(), BS);
buffer += last;
}
}
BigInt Montgomery_Params::sqr(const BigInt& x, secure_vector<word>& ws) const
{
const size_t output_size = 2*m_p_words + 2;
if(ws.size() < output_size)
ws.resize(output_size);
BigInt z(BigInt::Positive, output_size);
BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words);
bigint_sqr(z.mutable_data(), z.size(),
x.data(), x.size(), std::min(m_p_words, x.size()),
ws.data(), ws.size());
bigint_monty_redc(z.mutable_data(),
m_p.data(), m_p_words, m_p_dash,
ws.data(), ws.size());
return z;
}
void aes_key_schedule(const byte key[], size_t length,
secure_vector<u32bit>& EK,
secure_vector<u32bit>& DK,
secure_vector<byte>& ME,
secure_vector<byte>& MD)
{
static const u32bit RC[10] = {
0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000,
0x20000000, 0x40000000, 0x80000000, 0x1B000000, 0x36000000 };
const size_t rounds = (length / 4) + 6;
secure_vector<u32bit> XEK(length + 32), XDK(length + 32);
const size_t X = length / 4;
for(size_t i = 0; i != X; ++i)
XEK[i] = load_be<u32bit>(key, i);
for(size_t i = X; i < 4*(rounds+1); i += X)
{
XEK[i] = XEK[i-X] ^ RC[(i-X)/X] ^
make_u32bit(SE[get_byte(1, XEK[i-1])],
SE[get_byte(2, XEK[i-1])],
SE[get_byte(3, XEK[i-1])],
SE[get_byte(0, XEK[i-1])]);
for(size_t j = 1; j != X; ++j)
{
XEK[i+j] = XEK[i+j-X];
if(X == 8 && j == 4)
XEK[i+j] ^= make_u32bit(SE[get_byte(0, XEK[i+j-1])],
SE[get_byte(1, XEK[i+j-1])],
SE[get_byte(2, XEK[i+j-1])],
SE[get_byte(3, XEK[i+j-1])]);
else
XEK[i+j] ^= XEK[i+j-1];
}
}
const std::vector<u32bit>& TD = AES_TD();
for(size_t i = 0; i != 4*(rounds+1); i += 4)
{
XDK[i ] = XEK[4*rounds-i ];
XDK[i+1] = XEK[4*rounds-i+1];
XDK[i+2] = XEK[4*rounds-i+2];
XDK[i+3] = XEK[4*rounds-i+3];
}
for(size_t i = 4; i != length + 24; ++i)
XDK[i] = TD[SE[get_byte(0, XDK[i])] + 0] ^
TD[SE[get_byte(1, XDK[i])] + 256] ^
TD[SE[get_byte(2, XDK[i])] + 512] ^
TD[SE[get_byte(3, XDK[i])] + 768];
ME.resize(16);
MD.resize(16);
for(size_t i = 0; i != 4; ++i)
{
store_be(XEK[i+4*rounds], &ME[4*i]);
store_be(XEK[i], &MD[4*i]);
}
EK.resize(length + 24);
DK.resize(length + 24);
copy_mem(EK.data(), XEK.data(), EK.size());
copy_mem(DK.data(), XDK.data(), DK.size());
}
