summaryrefslogtreecommitdiffhomepage
path: root/libtomcrypt/src/encauth
diff options
context:
space:
mode:
authorMatt Johnston <matt@ucc.asn.au>2018-02-09 21:44:05 +0800
committerMatt Johnston <matt@ucc.asn.au>2018-02-09 21:44:05 +0800
commit4f2eb1914bdac3ed3ee504ad86061281dbe0d074 (patch)
tree078293375c3f3ee2d485cf9559a08d65d460786a /libtomcrypt/src/encauth
parentd72f50ff3284e15124a0f233c26339229fe305ac (diff)
Update to libtomcrypt 1.18.1, merged with Dropbear changes
Diffstat (limited to 'libtomcrypt/src/encauth')
-rw-r--r--libtomcrypt/src/encauth/ccm/ccm_add_aad.c63
-rw-r--r--libtomcrypt/src/encauth/ccm/ccm_add_nonce.c113
-rw-r--r--libtomcrypt/src/encauth/ccm/ccm_done.c65
-rw-r--r--libtomcrypt/src/encauth/ccm/ccm_init.c81
-rw-r--r--libtomcrypt/src/encauth/ccm/ccm_memory.c128
-rw-r--r--libtomcrypt/src/encauth/ccm/ccm_process.c88
-rw-r--r--libtomcrypt/src/encauth/ccm/ccm_reset.c35
-rw-r--r--libtomcrypt/src/encauth/ccm/ccm_test.c183
-rw-r--r--libtomcrypt/src/encauth/chachapoly/chacha20poly1305_add_aad.c38
-rw-r--r--libtomcrypt/src/encauth/chachapoly/chacha20poly1305_decrypt.c49
-rw-r--r--libtomcrypt/src/encauth/chachapoly/chacha20poly1305_done.c46
-rw-r--r--libtomcrypt/src/encauth/chachapoly/chacha20poly1305_encrypt.c48
-rw-r--r--libtomcrypt/src/encauth/chachapoly/chacha20poly1305_init.c30
-rw-r--r--libtomcrypt/src/encauth/chachapoly/chacha20poly1305_memory.c74
-rw-r--r--libtomcrypt/src/encauth/chachapoly/chacha20poly1305_setiv.c68
-rw-r--r--libtomcrypt/src/encauth/chachapoly/chacha20poly1305_setiv_rfc7905.c40
-rw-r--r--libtomcrypt/src/encauth/chachapoly/chacha20poly1305_test.c134
-rw-r--r--libtomcrypt/src/encauth/eax/eax_addheader.c18
-rw-r--r--libtomcrypt/src/encauth/eax/eax_decrypt.c16
-rw-r--r--libtomcrypt/src/encauth/eax/eax_decrypt_verify_memory.c17
-rw-r--r--libtomcrypt/src/encauth/eax/eax_done.c12
-rw-r--r--libtomcrypt/src/encauth/eax/eax_encrypt.c14
-rw-r--r--libtomcrypt/src/encauth/eax/eax_encrypt_authenticate_memory.c18
-rw-r--r--libtomcrypt/src/encauth/eax/eax_init.c40
-rw-r--r--libtomcrypt/src/encauth/eax/eax_test.c69
-rw-r--r--libtomcrypt/src/encauth/gcm/gcm_add_aad.c20
-rw-r--r--libtomcrypt/src/encauth/gcm/gcm_add_iv.c18
-rw-r--r--libtomcrypt/src/encauth/gcm/gcm_done.c19
-rw-r--r--libtomcrypt/src/encauth/gcm/gcm_gf_mult.c34
-rw-r--r--libtomcrypt/src/encauth/gcm/gcm_init.c14
-rw-r--r--libtomcrypt/src/encauth/gcm/gcm_memory.c19
-rw-r--r--libtomcrypt/src/encauth/gcm/gcm_mult_h.c17
-rw-r--r--libtomcrypt/src/encauth/gcm/gcm_process.c44
-rw-r--r--libtomcrypt/src/encauth/gcm/gcm_reset.c10
-rw-r--r--libtomcrypt/src/encauth/gcm/gcm_test.c249
-rw-r--r--libtomcrypt/src/encauth/ocb/ocb_decrypt.c12
-rw-r--r--libtomcrypt/src/encauth/ocb/ocb_decrypt_verify_memory.c20
-rw-r--r--libtomcrypt/src/encauth/ocb/ocb_done_decrypt.c16
-rw-r--r--libtomcrypt/src/encauth/ocb/ocb_done_encrypt.c12
-rw-r--r--libtomcrypt/src/encauth/ocb/ocb_encrypt.c10
-rw-r--r--libtomcrypt/src/encauth/ocb/ocb_encrypt_authenticate_memory.c12
-rw-r--r--libtomcrypt/src/encauth/ocb/ocb_init.c66
-rw-r--r--libtomcrypt/src/encauth/ocb/ocb_ntz.c8
-rw-r--r--libtomcrypt/src/encauth/ocb/ocb_shift_xor.c12
-rw-r--r--libtomcrypt/src/encauth/ocb/ocb_test.c66
-rw-r--r--libtomcrypt/src/encauth/ocb/s_ocb_done.c24
-rw-r--r--libtomcrypt/src/encauth/ocb3/ocb3_add_aad.c106
-rw-r--r--libtomcrypt/src/encauth/ocb3/ocb3_decrypt.c86
-rw-r--r--libtomcrypt/src/encauth/ocb3/ocb3_decrypt_last.c110
-rw-r--r--libtomcrypt/src/encauth/ocb3/ocb3_decrypt_verify_memory.c110
-rw-r--r--libtomcrypt/src/encauth/ocb3/ocb3_done.c92
-rw-r--r--libtomcrypt/src/encauth/ocb3/ocb3_encrypt.c86
-rw-r--r--libtomcrypt/src/encauth/ocb3/ocb3_encrypt_authenticate_memory.c82
-rw-r--r--libtomcrypt/src/encauth/ocb3/ocb3_encrypt_last.c112
-rw-r--r--libtomcrypt/src/encauth/ocb3/ocb3_init.c196
-rw-r--r--libtomcrypt/src/encauth/ocb3/ocb3_int_ntz.c39
-rw-r--r--libtomcrypt/src/encauth/ocb3/ocb3_int_xor_blocks.c40
-rw-r--r--libtomcrypt/src/encauth/ocb3/ocb3_test.c309
58 files changed, 2970 insertions, 587 deletions
diff --git a/libtomcrypt/src/encauth/ccm/ccm_add_aad.c b/libtomcrypt/src/encauth/ccm/ccm_add_aad.c
new file mode 100644
index 0000000..9744c57
--- /dev/null
+++ b/libtomcrypt/src/encauth/ccm/ccm_add_aad.c
@@ -0,0 +1,63 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt.h"
+
+#ifdef LTC_CCM_MODE
+
+/**
+ Add AAD to the CCM state
+ @param ccm The CCM state
+ @param adata The additional authentication data to add to the CCM state
+ @param adatalen The length of the AAD data.
+ @return CRYPT_OK on success
+ */
+int ccm_add_aad(ccm_state *ccm,
+ const unsigned char *adata, unsigned long adatalen)
+{
+ unsigned long y;
+ int err;
+
+ LTC_ARGCHK(ccm != NULL);
+ LTC_ARGCHK(adata != NULL);
+
+ if (ccm->aadlen < ccm->current_aadlen + adatalen) {
+ return CRYPT_INVALID_ARG;
+ }
+ ccm->current_aadlen += adatalen;
+
+ /* now add the data */
+ for (y = 0; y < adatalen; y++) {
+ if (ccm->x == 16) {
+ /* full block so let's encrypt it */
+ if ((err = cipher_descriptor[ccm->cipher].ecb_encrypt(ccm->PAD, ccm->PAD, &ccm->K)) != CRYPT_OK) {
+ return err;
+ }
+ ccm->x = 0;
+ }
+ ccm->PAD[ccm->x++] ^= adata[y];
+ }
+
+ /* remainder? */
+ if (ccm->aadlen == ccm->current_aadlen) {
+ if (ccm->x != 0) {
+ if ((err = cipher_descriptor[ccm->cipher].ecb_encrypt(ccm->PAD, ccm->PAD, &ccm->K)) != CRYPT_OK) {
+ return err;
+ }
+ }
+ ccm->x = 0;
+ }
+
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ccm/ccm_add_nonce.c b/libtomcrypt/src/encauth/ccm/ccm_add_nonce.c
new file mode 100644
index 0000000..ceffb8e
--- /dev/null
+++ b/libtomcrypt/src/encauth/ccm/ccm_add_nonce.c
@@ -0,0 +1,113 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt.h"
+
+#ifdef LTC_CCM_MODE
+
+/**
+ Add nonce data to the CCM state
+ @param ccm The CCM state
+ @param nonce The nonce data to add
+ @param noncelen The length of the nonce
+ @return CRYPT_OK on success
+ */
+int ccm_add_nonce(ccm_state *ccm,
+ const unsigned char *nonce, unsigned long noncelen)
+{
+ unsigned long x, y, len;
+ int err;
+
+ LTC_ARGCHK(ccm != NULL);
+ LTC_ARGCHK(nonce != NULL);
+
+ /* increase L to match the nonce len */
+ ccm->noncelen = (noncelen > 13) ? 13 : noncelen;
+ if ((15 - ccm->noncelen) > ccm->L) {
+ ccm->L = 15 - ccm->noncelen;
+ }
+
+ /* decrease noncelen to match L */
+ if ((ccm->noncelen + ccm->L) > 15) {
+ ccm->noncelen = 15 - ccm->L;
+ }
+
+ /* form B_0 == flags | Nonce N | l(m) */
+ x = 0;
+ ccm->PAD[x++] = (unsigned char)(((ccm->aadlen > 0) ? (1<<6) : 0) |
+ (((ccm->taglen - 2)>>1)<<3) |
+ (ccm->L-1));
+
+ /* nonce */
+ for (y = 0; y < (16 - (ccm->L + 1)); y++) {
+ ccm->PAD[x++] = nonce[y];
+ }
+
+ /* store len */
+ len = ccm->ptlen;
+
+ /* shift len so the upper bytes of len are the contents of the length */
+ for (y = ccm->L; y < 4; y++) {
+ len <<= 8;
+ }
+
+ /* store l(m) (only store 32-bits) */
+ for (y = 0; ccm->L > 4 && (ccm->L-y)>4; y++) {
+ ccm->PAD[x++] = 0;
+ }
+ for (; y < ccm->L; y++) {
+ ccm->PAD[x++] = (unsigned char)((len >> 24) & 255);
+ len <<= 8;
+ }
+
+ /* encrypt PAD */
+ if ((err = cipher_descriptor[ccm->cipher].ecb_encrypt(ccm->PAD, ccm->PAD, &ccm->K)) != CRYPT_OK) {
+ return err;
+ }
+
+ /* handle header */
+ ccm->x = 0;
+ if (ccm->aadlen > 0) {
+ /* store length */
+ if (ccm->aadlen < ((1UL<<16) - (1UL<<8))) {
+ ccm->PAD[ccm->x++] ^= (ccm->aadlen>>8) & 255;
+ ccm->PAD[ccm->x++] ^= ccm->aadlen & 255;
+ } else {
+ ccm->PAD[ccm->x++] ^= 0xFF;
+ ccm->PAD[ccm->x++] ^= 0xFE;
+ ccm->PAD[ccm->x++] ^= (ccm->aadlen>>24) & 255;
+ ccm->PAD[ccm->x++] ^= (ccm->aadlen>>16) & 255;
+ ccm->PAD[ccm->x++] ^= (ccm->aadlen>>8) & 255;
+ ccm->PAD[ccm->x++] ^= ccm->aadlen & 255;
+ }
+ }
+
+ /* setup the ctr counter */
+ x = 0;
+
+ /* flags */
+ ccm->ctr[x++] = (unsigned char)ccm->L-1;
+
+ /* nonce */
+ for (y = 0; y < (16 - (ccm->L+1)); ++y) {
+ ccm->ctr[x++] = nonce[y];
+ }
+ /* offset */
+ while (x < 16) {
+ ccm->ctr[x++] = 0;
+ }
+
+ ccm->CTRlen = 16;
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ccm/ccm_done.c b/libtomcrypt/src/encauth/ccm/ccm_done.c
new file mode 100644
index 0000000..797b7d9
--- /dev/null
+++ b/libtomcrypt/src/encauth/ccm/ccm_done.c
@@ -0,0 +1,65 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt.h"
+
+#ifdef LTC_CCM_MODE
+
+/**
+ Terminate a CCM stream
+ @param ccm The CCM state
+ @param tag [out] The destination for the MAC tag
+ @param taglen [in/out] The length of the MAC tag
+ @return CRYPT_OK on success
+ */
+int ccm_done(ccm_state *ccm,
+ unsigned char *tag, unsigned long *taglen)
+{
+ unsigned long x, y;
+ int err;
+
+ LTC_ARGCHK(ccm != NULL);
+
+ /* Check all data have been processed */
+ if (ccm->ptlen != ccm->current_ptlen) {
+ return CRYPT_ERROR;
+ }
+
+ LTC_ARGCHK(tag != NULL);
+ LTC_ARGCHK(taglen != NULL);
+
+ if (ccm->x != 0) {
+ if ((err = cipher_descriptor[ccm->cipher].ecb_encrypt(ccm->PAD, ccm->PAD, &ccm->K)) != CRYPT_OK) {
+ return err;
+ }
+ }
+
+ /* setup CTR for the TAG (zero the count) */
+ for (y = 15; y > 15 - ccm->L; y--) {
+ ccm->ctr[y] = 0x00;
+ }
+ if ((err = cipher_descriptor[ccm->cipher].ecb_encrypt(ccm->ctr, ccm->CTRPAD, &ccm->K)) != CRYPT_OK) {
+ return err;
+ }
+
+ cipher_descriptor[ccm->cipher].done(&ccm->K);
+
+ /* store the TAG */
+ for (x = 0; x < 16 && x < *taglen; x++) {
+ tag[x] = ccm->PAD[x] ^ ccm->CTRPAD[x];
+ }
+ *taglen = x;
+
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ccm/ccm_init.c b/libtomcrypt/src/encauth/ccm/ccm_init.c
new file mode 100644
index 0000000..b24e33e
--- /dev/null
+++ b/libtomcrypt/src/encauth/ccm/ccm_init.c
@@ -0,0 +1,81 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt.h"
+
+#ifdef LTC_CCM_MODE
+
+/**
+ Initialize a CCM state
+ @param ccm The CCM state to initialize
+ @param cipher The index of the cipher to use
+ @param key The secret key
+ @param keylen The length of the secret key
+ @param ptlen The length of the plain/cipher text that will be processed
+ @param taglen The max length of the MAC tag
+ @param aadlen The length of the AAD
+
+ @return CRYPT_OK on success
+ */
+int ccm_init(ccm_state *ccm, int cipher,
+ const unsigned char *key, int keylen, int ptlen, int taglen, int aadlen)
+{
+ int err;
+
+ LTC_ARGCHK(ccm != NULL);
+ LTC_ARGCHK(key != NULL);
+ LTC_ARGCHK(taglen != 0);
+
+ XMEMSET(ccm, 0, sizeof(ccm_state));
+
+ /* check cipher input */
+ if ((err = cipher_is_valid(cipher)) != CRYPT_OK) {
+ return err;
+ }
+ if (cipher_descriptor[cipher].block_length != 16) {
+ return CRYPT_INVALID_CIPHER;
+ }
+
+ /* make sure the taglen is even and <= 16 */
+ ccm->taglen = taglen;
+ ccm->taglen &= ~1;
+ if (ccm->taglen > 16) {
+ ccm->taglen = 16;
+ }
+
+ /* can't use < 4 */
+ if (ccm->taglen < 4) {
+ return CRYPT_INVALID_ARG;
+ }
+
+ /* schedule key */
+ if ((err = cipher_descriptor[cipher].setup(key, keylen, 0, &ccm->K)) != CRYPT_OK) {
+ return err;
+ }
+ ccm->cipher = cipher;
+
+ /* let's get the L value */
+ ccm->ptlen = ptlen;
+ ccm->L = 0;
+ while (ptlen) {
+ ++ccm->L;
+ ptlen >>= 8;
+ }
+ if (ccm->L <= 1) {
+ ccm->L = 2;
+ }
+
+ ccm->aadlen = aadlen;
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ccm/ccm_memory.c b/libtomcrypt/src/encauth/ccm/ccm_memory.c
index abd8653..3326ce5 100644
--- a/libtomcrypt/src/encauth/ccm/ccm_memory.c
+++ b/libtomcrypt/src/encauth/ccm/ccm_memory.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
#include "tomcrypt.h"
@@ -19,6 +17,9 @@
/**
CCM encrypt/decrypt and produce an authentication tag
+
+ *1 'pt', 'ct' and 'tag' can both be 'in' or 'out', depending on 'direction'
+
@param cipher The index of the cipher desired
@param key The secret key to use
@param keylen The length of the secret key (octets)
@@ -27,11 +28,11 @@
@param noncelen The length of the nonce
@param header The header for the session
@param headerlen The length of the header (octets)
- @param pt [out] The plaintext
+ @param pt [*1] The plaintext
@param ptlen The length of the plaintext (octets)
- @param ct [out] The ciphertext
- @param tag [out] The destination tag
- @param taglen [in/out] The max size and resulting size of the authentication tag
+ @param ct [*1] The ciphertext
+ @param tag [*1] The destination tag
+ @param taglen The max size and resulting size of the authentication tag
@param direction Encrypt or Decrypt direction (0 or 1)
@return CRYPT_OK if successful
*/
@@ -45,10 +46,15 @@ int ccm_memory(int cipher,
unsigned char *tag, unsigned long *taglen,
int direction)
{
- unsigned char PAD[16], ctr[16], CTRPAD[16], b;
+ unsigned char PAD[16], ctr[16], CTRPAD[16], ptTag[16], b, *pt_real;
+ unsigned char *pt_work = NULL;
symmetric_key *skey;
int err;
unsigned long len, L, x, y, z, CTRlen;
+#ifdef LTC_FAST
+ LTC_FAST_TYPE fastMask = ~0; /* initialize fastMask at all zeroes */
+#endif
+ unsigned char mask = 0xff; /* initialize mask at all zeroes */
if (uskey == NULL) {
LTC_ARGCHK(key != NULL);
@@ -62,6 +68,8 @@ int ccm_memory(int cipher,
LTC_ARGCHK(tag != NULL);
LTC_ARGCHK(taglen != NULL);
+ pt_real = pt;
+
#ifdef LTC_FAST
if (16 % sizeof(LTC_FAST_TYPE)) {
return CRYPT_INVALID_ARG;
@@ -95,7 +103,7 @@ int ccm_memory(int cipher,
nonce, noncelen,
header, headerlen,
pt, ptlen,
- ct,
+ ct,
tag, taglen,
direction);
}
@@ -117,11 +125,6 @@ int ccm_memory(int cipher,
L = 15 - noncelen;
}
- /* decrease noncelen to match L */
- if ((noncelen + L) > 15) {
- noncelen = 15 - L;
- }
-
/* allocate mem for the symmetric key */
if (uskey == NULL) {
skey = XMALLOC(sizeof(*skey));
@@ -138,6 +141,15 @@ int ccm_memory(int cipher,
skey = uskey;
}
+ /* initialize buffer for pt */
+ if (direction == CCM_DECRYPT && ptlen > 0) {
+ pt_work = XMALLOC(ptlen);
+ if (pt_work == NULL) {
+ goto error;
+ }
+ pt = pt_work;
+ }
+
/* form B_0 == flags | Nonce N | l(m) */
x = 0;
PAD[x++] = (unsigned char)(((headerlen > 0) ? (1<<6) : 0) |
@@ -174,7 +186,7 @@ int ccm_memory(int cipher,
/* handle header */
if (headerlen > 0) {
x = 0;
-
+
/* store length */
if (headerlen < ((1UL<<16) - (1UL<<8))) {
PAD[x++] ^= (headerlen>>8) & 255;
@@ -200,11 +212,9 @@ int ccm_memory(int cipher,
PAD[x++] ^= header[y];
}
- /* remainder? */
- if (x != 0) {
- if ((err = cipher_descriptor[cipher].ecb_encrypt(PAD, PAD, skey)) != CRYPT_OK) {
- goto error;
- }
+ /* remainder */
+ if ((err = cipher_descriptor[cipher].ecb_encrypt(PAD, PAD, skey)) != CRYPT_OK) {
+ goto error;
}
}
@@ -213,7 +223,7 @@ int ccm_memory(int cipher,
/* flags */
ctr[x++] = (unsigned char)L-1;
-
+
/* nonce */
for (y = 0; y < (16 - (L+1)); ++y) {
ctr[x++] = nonce[y];
@@ -244,14 +254,14 @@ int ccm_memory(int cipher,
/* xor the PT against the pad first */
for (z = 0; z < 16; z += sizeof(LTC_FAST_TYPE)) {
- *((LTC_FAST_TYPE*)(&PAD[z])) ^= *((LTC_FAST_TYPE*)(&pt[y+z]));
- *((LTC_FAST_TYPE*)(&ct[y+z])) = *((LTC_FAST_TYPE*)(&pt[y+z])) ^ *((LTC_FAST_TYPE*)(&CTRPAD[z]));
+ *(LTC_FAST_TYPE_PTR_CAST(&PAD[z])) ^= *(LTC_FAST_TYPE_PTR_CAST(&pt[y+z]));
+ *(LTC_FAST_TYPE_PTR_CAST(&ct[y+z])) = *(LTC_FAST_TYPE_PTR_CAST(&pt[y+z])) ^ *(LTC_FAST_TYPE_PTR_CAST(&CTRPAD[z]));
}
if ((err = cipher_descriptor[cipher].ecb_encrypt(PAD, PAD, skey)) != CRYPT_OK) {
goto error;
}
}
- } else {
+ } else { /* direction == CCM_DECRYPT */
for (; y < (ptlen & ~15); y += 16) {
/* increment the ctr? */
for (z = 15; z > 15-L; z--) {
@@ -264,15 +274,15 @@ int ccm_memory(int cipher,
/* xor the PT against the pad last */
for (z = 0; z < 16; z += sizeof(LTC_FAST_TYPE)) {
- *((LTC_FAST_TYPE*)(&pt[y+z])) = *((LTC_FAST_TYPE*)(&ct[y+z])) ^ *((LTC_FAST_TYPE*)(&CTRPAD[z]));
- *((LTC_FAST_TYPE*)(&PAD[z])) ^= *((LTC_FAST_TYPE*)(&pt[y+z]));
+ *(LTC_FAST_TYPE_PTR_CAST(&pt[y+z])) = *(LTC_FAST_TYPE_PTR_CAST(&ct[y+z])) ^ *(LTC_FAST_TYPE_PTR_CAST(&CTRPAD[z]));
+ *(LTC_FAST_TYPE_PTR_CAST(&PAD[z])) ^= *(LTC_FAST_TYPE_PTR_CAST(&pt[y+z]));
}
if ((err = cipher_descriptor[cipher].ecb_encrypt(PAD, PAD, skey)) != CRYPT_OK) {
goto error;
}
}
- }
- }
+ }
+ }
#endif
for (; y < ptlen; y++) {
@@ -305,7 +315,7 @@ int ccm_memory(int cipher,
}
PAD[x++] ^= b;
}
-
+
if (x != 0) {
if ((err = cipher_descriptor[cipher].ecb_encrypt(PAD, PAD, skey)) != CRYPT_OK) {
goto error;
@@ -323,20 +333,66 @@ int ccm_memory(int cipher,
if (skey != uskey) {
cipher_descriptor[cipher].done(skey);
+#ifdef LTC_CLEAN_STACK
+ zeromem(skey, sizeof(*skey));
+#endif
}
- /* store the TAG */
- for (x = 0; x < 16 && x < *taglen; x++) {
- tag[x] = PAD[x] ^ CTRPAD[x];
+ if (direction == CCM_ENCRYPT) {
+ /* store the TAG */
+ for (x = 0; x < 16 && x < *taglen; x++) {
+ tag[x] = PAD[x] ^ CTRPAD[x];
+ }
+ *taglen = x;
+ } else { /* direction == CCM_DECRYPT */
+ /* decrypt the tag */
+ for (x = 0; x < 16 && x < *taglen; x++) {
+ ptTag[x] = tag[x] ^ CTRPAD[x];
+ }
+ *taglen = x;
+
+ /* check validity of the decrypted tag against the computed PAD (in constant time) */
+ /* HACK: the boolean value of XMEM_NEQ becomes either 0 (CRYPT_OK) or 1 (CRYPT_ERR).
+ * there should be a better way of setting the correct error code in constant
+ * time.
+ */
+ err = XMEM_NEQ(ptTag, PAD, *taglen);
+
+ /* Zero the plaintext if the tag was invalid (in constant time) */
+ if (ptlen > 0) {
+ y = 0;
+ mask *= 1 - err; /* mask = ( err ? 0 : 0xff ) */
+#ifdef LTC_FAST
+ fastMask *= 1 - err;
+ if (ptlen & ~15) {
+ for (; y < (ptlen & ~15); y += 16) {
+ for (z = 0; z < 16; z += sizeof(LTC_FAST_TYPE)) {
+ *(LTC_FAST_TYPE_PTR_CAST(&pt_real[y+z])) = *(LTC_FAST_TYPE_PTR_CAST(&pt[y+z])) & fastMask;
+ }
+ }
+ }
+#endif
+ for (; y < ptlen; y++) {
+ pt_real[y] = pt[y] & mask;
+ }
+ }
}
- *taglen = x;
#ifdef LTC_CLEAN_STACK
- zeromem(skey, sizeof(*skey));
+#ifdef LTC_FAST
+ fastMask = 0;
+#endif
+ mask = 0;
zeromem(PAD, sizeof(PAD));
zeromem(CTRPAD, sizeof(CTRPAD));
+ if (pt_work != NULL) {
+ zeromem(pt_work, ptlen);
+ }
#endif
error:
+ if (pt_work) {
+ XFREE(pt_work);
+ }
if (skey != uskey) {
XFREE(skey);
}
@@ -346,6 +402,6 @@ error:
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ccm/ccm_process.c b/libtomcrypt/src/encauth/ccm/ccm_process.c
new file mode 100644
index 0000000..8346d22
--- /dev/null
+++ b/libtomcrypt/src/encauth/ccm/ccm_process.c
@@ -0,0 +1,88 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt.h"
+
+#ifdef LTC_CCM_MODE
+
+/**
+ Process plaintext/ciphertext through CCM
+ @param ccm The CCM state
+ @param pt The plaintext
+ @param ptlen The plaintext length (ciphertext length is the same)
+ @param ct The ciphertext
+ @param direction Encrypt or Decrypt mode (CCM_ENCRYPT or CCM_DECRYPT)
+ @return CRYPT_OK on success
+ */
+int ccm_process(ccm_state *ccm,
+ unsigned char *pt, unsigned long ptlen,
+ unsigned char *ct,
+ int direction)
+{
+ unsigned char z, b;
+ unsigned long y;
+ int err;
+
+ LTC_ARGCHK(ccm != NULL);
+
+ /* Check aad has been correctly added */
+ if (ccm->aadlen != ccm->current_aadlen) {
+ return CRYPT_ERROR;
+ }
+
+ /* Check we do not process too much data */
+ if (ccm->ptlen < ccm->current_ptlen + ptlen) {
+ return CRYPT_ERROR;
+ }
+ ccm->current_ptlen += ptlen;
+
+ /* now handle the PT */
+ if (ptlen > 0) {
+ LTC_ARGCHK(pt != NULL);
+ LTC_ARGCHK(ct != NULL);
+
+ for (y = 0; y < ptlen; y++) {
+ /* increment the ctr? */
+ if (ccm->CTRlen == 16) {
+ for (z = 15; z > 15-ccm->L; z--) {
+ ccm->ctr[z] = (ccm->ctr[z] + 1) & 255;
+ if (ccm->ctr[z]) break;
+ }
+ if ((err = cipher_descriptor[ccm->cipher].ecb_encrypt(ccm->ctr, ccm->CTRPAD, &ccm->K)) != CRYPT_OK) {
+ return err;
+ }
+ ccm->CTRlen = 0;
+ }
+
+ /* if we encrypt we add the bytes to the MAC first */
+ if (direction == CCM_ENCRYPT) {
+ b = pt[y];
+ ct[y] = b ^ ccm->CTRPAD[ccm->CTRlen++];
+ } else {
+ b = ct[y] ^ ccm->CTRPAD[ccm->CTRlen++];
+ pt[y] = b;
+ }
+
+ if (ccm->x == 16) {
+ if ((err = cipher_descriptor[ccm->cipher].ecb_encrypt(ccm->PAD, ccm->PAD, &ccm->K)) != CRYPT_OK) {
+ return err;
+ }
+ ccm->x = 0;
+ }
+ ccm->PAD[ccm->x++] ^= b;
+ }
+ }
+
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ccm/ccm_reset.c b/libtomcrypt/src/encauth/ccm/ccm_reset.c
new file mode 100644
index 0000000..c2d0cae
--- /dev/null
+++ b/libtomcrypt/src/encauth/ccm/ccm_reset.c
@@ -0,0 +1,35 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt.h"
+
+#ifdef LTC_CCM_MODE
+
+/**
+ Reset a CCM state to as if you just called ccm_init(). This saves the initialization time.
+ @param ccm The CCM state to reset
+ @return CRYPT_OK on success
+*/
+int ccm_reset(ccm_state *ccm)
+{
+ LTC_ARGCHK(ccm != NULL);
+ zeromem(ccm->PAD, sizeof(ccm->PAD));
+ zeromem(ccm->ctr, sizeof(ccm->ctr));
+ zeromem(ccm->CTRPAD, sizeof(ccm->CTRPAD));
+ ccm->CTRlen = 0;
+ ccm->current_ptlen = 0;
+ ccm->current_aadlen = 0;
+
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ccm/ccm_test.c b/libtomcrypt/src/encauth/ccm/ccm_test.c
index 9b63ffc..6d1e1e6 100644
--- a/libtomcrypt/src/encauth/ccm/ccm_test.c
+++ b/libtomcrypt/src/encauth/ccm/ccm_test.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
#include "tomcrypt.h"
@@ -32,14 +30,14 @@ int ccm_test(void)
int ptlen;
unsigned char ct[64];
unsigned char tag[16];
- int taglen;
+ unsigned long taglen;
} tests[] = {
/* 13 byte nonce, 8 byte auth, 23 byte pt */
{
- { 0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
+ { 0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF },
- { 0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xA0,
+ { 0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xA0,
0xA1, 0xA2, 0xA3, 0xA4, 0xA5 },
13,
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 },
@@ -57,20 +55,20 @@ int ccm_test(void)
/* 13 byte nonce, 12 byte header, 19 byte pt */
{
- { 0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
+ { 0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF },
- { 0x00, 0x00, 0x00, 0x06, 0x05, 0x04, 0x03, 0xA0,
+ { 0x00, 0x00, 0x00, 0x06, 0x05, 0x04, 0x03, 0xA0,
0xA1, 0xA2, 0xA3, 0xA4, 0xA5 },
13,
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B },
12,
- { 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13,
- 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B,
+ { 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13,
+ 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B,
0x1C, 0x1D, 0x1E },
19,
- { 0xA2, 0x8C, 0x68, 0x65, 0x93, 0x9A, 0x9A, 0x79,
- 0xFA, 0xAA, 0x5C, 0x4C, 0x2A, 0x9D, 0x4A, 0x91,
+ { 0xA2, 0x8C, 0x68, 0x65, 0x93, 0x9A, 0x9A, 0x79,
+ 0xFA, 0xAA, 0x5C, 0x4C, 0x2A, 0x9D, 0x4A, 0x91,
0xCD, 0xAC, 0x8C },
{ 0x96, 0xC8, 0x61, 0xB9, 0xC9, 0xE6, 0x1E, 0xF1 },
8
@@ -78,7 +76,7 @@ int ccm_test(void)
/* supplied by Brian Gladman */
{
- { 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+ { 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f },
{ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16 },
7,
@@ -92,31 +90,34 @@ int ccm_test(void)
},
{
- { 0xc9, 0x7c, 0x1f, 0x67, 0xce, 0x37, 0x11, 0x85,
+ { 0xc9, 0x7c, 0x1f, 0x67, 0xce, 0x37, 0x11, 0x85,
0x51, 0x4a, 0x8a, 0x19, 0xf2, 0xbd, 0xd5, 0x2f },
- { 0x00, 0x50, 0x30, 0xf1, 0x84, 0x44, 0x08, 0xb5,
+ { 0x00, 0x50, 0x30, 0xf1, 0x84, 0x44, 0x08, 0xb5,
0x03, 0x97, 0x76, 0xe7, 0x0c },
13,
- { 0x08, 0x40, 0x0f, 0xd2, 0xe1, 0x28, 0xa5, 0x7c,
- 0x50, 0x30, 0xf1, 0x84, 0x44, 0x08, 0xab, 0xae,
+ { 0x08, 0x40, 0x0f, 0xd2, 0xe1, 0x28, 0xa5, 0x7c,
+ 0x50, 0x30, 0xf1, 0x84, 0x44, 0x08, 0xab, 0xae,
0xa5, 0xb8, 0xfc, 0xba, 0x00, 0x00 },
22,
- { 0xf8, 0xba, 0x1a, 0x55, 0xd0, 0x2f, 0x85, 0xae,
- 0x96, 0x7b, 0xb6, 0x2f, 0xb6, 0xcd, 0xa8, 0xeb,
+ { 0xf8, 0xba, 0x1a, 0x55, 0xd0, 0x2f, 0x85, 0xae,
+ 0x96, 0x7b, 0xb6, 0x2f, 0xb6, 0xcd, 0xa8, 0xeb,
0x7e, 0x78, 0xa0, 0x50 },
20,
- { 0xf3, 0xd0, 0xa2, 0xfe, 0x9a, 0x3d, 0xbf, 0x23,
- 0x42, 0xa6, 0x43, 0xe4, 0x32, 0x46, 0xe8, 0x0c,
+ { 0xf3, 0xd0, 0xa2, 0xfe, 0x9a, 0x3d, 0xbf, 0x23,
+ 0x42, 0xa6, 0x43, 0xe4, 0x32, 0x46, 0xe8, 0x0c,
0x3c, 0x04, 0xd0, 0x19 },
{ 0x78, 0x45, 0xce, 0x0b, 0x16, 0xf9, 0x76, 0x23 },
8
},
};
- unsigned long taglen, x;
- unsigned char buf[64], buf2[64], tag2[16], tag[16];
+ unsigned long taglen, x, y;
+ unsigned char buf[64], buf2[64], tag[16], tag2[16], tag3[16], zero[64];
int err, idx;
symmetric_key skey;
+ ccm_state ccm;
+
+ zeromem(zero, 64);
idx = find_cipher("aes");
if (idx == -1) {
@@ -127,54 +128,130 @@ int ccm_test(void)
}
for (x = 0; x < (sizeof(tests)/sizeof(tests[0])); x++) {
+ for (y = 0; y < 2; y++) {
taglen = tests[x].taglen;
- if ((err = cipher_descriptor[idx].setup(tests[x].key, 16, 0, &skey)) != CRYPT_OK) {
- return err;
- }
-
- if ((err = ccm_memory(idx,
- tests[x].key, 16,
- &skey,
- tests[x].nonce, tests[x].noncelen,
- tests[x].header, tests[x].headerlen,
- (unsigned char*)tests[x].pt, tests[x].ptlen,
- buf,
- tag, &taglen, 0)) != CRYPT_OK) {
- return err;
+ if (y == 0) {
+ if ((err = cipher_descriptor[idx].setup(tests[x].key, 16, 0, &skey)) != CRYPT_OK) {
+ return err;
+ }
+
+ if ((err = ccm_memory(idx,
+ tests[x].key, 16,
+ &skey,
+ tests[x].nonce, tests[x].noncelen,
+ tests[x].header, tests[x].headerlen,
+ (unsigned char*)tests[x].pt, tests[x].ptlen,
+ buf,
+ tag, &taglen, 0)) != CRYPT_OK) {
+ return err;
+ }
+ /* run a second time to make sure skey is not touched */
+ if ((err = ccm_memory(idx,
+ tests[x].key, 16,
+ &skey,
+ tests[x].nonce, tests[x].noncelen,
+ tests[x].header, tests[x].headerlen,
+ (unsigned char*)tests[x].pt, tests[x].ptlen,
+ buf,
+ tag, &taglen, 0)) != CRYPT_OK) {
+ return err;
+ }
+ } else {
+ if ((err = ccm_init(&ccm, idx, tests[x].key, 16, tests[x].ptlen, tests[x].taglen, tests[x].headerlen)) != CRYPT_OK) {
+ return err;
+ }
+ if ((err = ccm_add_nonce(&ccm, tests[x].nonce, tests[x].noncelen)) != CRYPT_OK) {
+ return err;
+ }
+ if ((err = ccm_add_aad(&ccm, tests[x].header, tests[x].headerlen)) != CRYPT_OK) {
+ return err;
+ }
+ if ((err = ccm_process(&ccm, (unsigned char*)tests[x].pt, tests[x].ptlen, buf, CCM_ENCRYPT)) != CRYPT_OK) {
+ return err;
+ }
+ if ((err = ccm_done(&ccm, tag, &taglen)) != CRYPT_OK) {
+ return err;
+ }
}
- if (XMEMCMP(buf, tests[x].ct, tests[x].ptlen)) {
+ if (compare_testvector(buf, tests[x].ptlen, tests[x].ct, tests[x].ptlen, "CCM encrypt data", x)) {
return CRYPT_FAIL_TESTVECTOR;
}
- if (XMEMCMP(tag, tests[x].tag, tests[x].taglen)) {
+ if (compare_testvector(tag, taglen, tests[x].tag, tests[x].taglen, "CCM encrypt tag", x)) {
return CRYPT_FAIL_TESTVECTOR;
}
- if ((err = ccm_memory(idx,
- tests[x].key, 16,
- NULL,
- tests[x].nonce, tests[x].noncelen,
- tests[x].header, tests[x].headerlen,
- buf2, tests[x].ptlen,
- buf,
- tag2, &taglen, 1 )) != CRYPT_OK) {
- return err;
+ if (y == 0) {
+ XMEMCPY(tag3, tests[x].tag, tests[x].taglen);
+ taglen = tests[x].taglen;
+ if ((err = ccm_memory(idx,
+ tests[x].key, 16,
+ NULL,
+ tests[x].nonce, tests[x].noncelen,
+ tests[x].header, tests[x].headerlen,
+ buf2, tests[x].ptlen,
+ buf,
+ tag3, &taglen, 1 )) != CRYPT_OK) {
+ return err;
+ }
+ } else {
+ if ((err = ccm_init(&ccm, idx, tests[x].key, 16, tests[x].ptlen, tests[x].taglen, tests[x].headerlen)) != CRYPT_OK) {
+ return err;
+ }
+ if ((err = ccm_add_nonce(&ccm, tests[x].nonce, tests[x].noncelen)) != CRYPT_OK) {
+ return err;
+ }
+ if ((err = ccm_add_aad(&ccm, tests[x].header, tests[x].headerlen)) != CRYPT_OK) {
+ return err;
+ }
+ if ((err = ccm_process(&ccm, buf2, tests[x].ptlen, buf, CCM_DECRYPT)) != CRYPT_OK) {
+ return err;
+ }
+ if ((err = ccm_done(&ccm, tag2, &taglen)) != CRYPT_OK) {
+ return err;
+ }
}
- if (XMEMCMP(buf2, tests[x].pt, tests[x].ptlen)) {
+
+ if (compare_testvector(buf2, tests[x].ptlen, tests[x].pt, tests[x].ptlen, "CCM decrypt data", x)) {
return CRYPT_FAIL_TESTVECTOR;
}
- if (XMEMCMP(tag2, tests[x].tag, tests[x].taglen)) {
- return CRYPT_FAIL_TESTVECTOR;
+ if (y == 0) {
+ /* check if decryption with the wrong tag does not reveal the plaintext */
+ XMEMCPY(tag3, tests[x].tag, tests[x].taglen);
+ tag3[0] ^= 0xff; /* set the tag to the wrong value */
+ taglen = tests[x].taglen;
+ if ((err = ccm_memory(idx,
+ tests[x].key, 16,
+ NULL,
+ tests[x].nonce, tests[x].noncelen,
+ tests[x].header, tests[x].headerlen,
+ buf2, tests[x].ptlen,
+ buf,
+ tag3, &taglen, 1 )) != CRYPT_ERROR) {
+ return CRYPT_FAIL_TESTVECTOR;
+ }
+ if (compare_testvector(buf2, tests[x].ptlen, zero, tests[x].ptlen, "CCM decrypt wrong tag", x)) {
+ return CRYPT_FAIL_TESTVECTOR;
+ }
+ } else {
+ if (compare_testvector(tag2, taglen, tests[x].tag, tests[x].taglen, "CCM decrypt tag", x)) {
+ return CRYPT_FAIL_TESTVECTOR;
+ }
+ }
+
+ if (y == 0) {
+ cipher_descriptor[idx].done(&skey);
}
- cipher_descriptor[idx].done(&skey);
+ }
}
+
return CRYPT_OK;
#endif
}
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_add_aad.c b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_add_aad.c
new file mode 100644
index 0000000..0c0cf9d
--- /dev/null
+++ b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_add_aad.c
@@ -0,0 +1,38 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_CHACHA20POLY1305_MODE
+
+/**
+ Add AAD to the ChaCha20Poly1305 state
+ @param st The ChaCha20Poly1305 state
+ @param in The additional authentication data to add to the ChaCha20Poly1305 state
+ @param inlen The length of the ChaCha20Poly1305 data.
+ @return CRYPT_OK on success
+ */
+int chacha20poly1305_add_aad(chacha20poly1305_state *st, const unsigned char *in, unsigned long inlen)
+{
+ int err;
+
+ if (inlen == 0) return CRYPT_OK; /* nothing to do */
+ LTC_ARGCHK(st != NULL);
+
+ if (st->aadflg == 0) return CRYPT_ERROR;
+ if ((err = poly1305_process(&st->poly, in, inlen)) != CRYPT_OK) return err;
+ st->aadlen += (ulong64)inlen;
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_decrypt.c b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_decrypt.c
new file mode 100644
index 0000000..1797932
--- /dev/null
+++ b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_decrypt.c
@@ -0,0 +1,49 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_CHACHA20POLY1305_MODE
+
+/**
+ Decrypt bytes of ciphertext with ChaCha20Poly1305
+ @param st The ChaCha20Poly1305 state
+ @param in The ciphertext
+ @param inlen The length of the input (octets)
+ @param out [out] The plaintext (length inlen)
+ @return CRYPT_OK if successful
+*/
+int chacha20poly1305_decrypt(chacha20poly1305_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out)
+{
+ unsigned char padzero[16] = { 0 };
+ unsigned long padlen;
+ int err;
+
+ if (inlen == 0) return CRYPT_OK; /* nothing to do */
+ LTC_ARGCHK(st != NULL);
+
+ if (st->aadflg) {
+ padlen = 16 - (unsigned long)(st->aadlen % 16);
+ if (padlen < 16) {
+ if ((err = poly1305_process(&st->poly, padzero, padlen)) != CRYPT_OK) return err;
+ }
+ st->aadflg = 0; /* no more AAD */
+ }
+ if (st->aadflg) st->aadflg = 0; /* no more AAD */
+ if ((err = poly1305_process(&st->poly, in, inlen)) != CRYPT_OK) return err;
+ if ((err = chacha_crypt(&st->chacha, in, inlen, out)) != CRYPT_OK) return err;
+ st->ctlen += (ulong64)inlen;
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_done.c b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_done.c
new file mode 100644
index 0000000..127a7f0
--- /dev/null
+++ b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_done.c
@@ -0,0 +1,46 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_CHACHA20POLY1305_MODE
+
+/**
+ Terminate a ChaCha20Poly1305 stream
+ @param st The ChaCha20Poly1305 state
+ @param tag [out] The destination for the MAC tag
+ @param taglen [in/out] The length of the MAC tag
+ @return CRYPT_OK on success
+ */
+int chacha20poly1305_done(chacha20poly1305_state *st, unsigned char *tag, unsigned long *taglen)
+{
+ unsigned char padzero[16] = { 0 };
+ unsigned long padlen;
+ unsigned char buf[16];
+ int err;
+
+ LTC_ARGCHK(st != NULL);
+
+ padlen = 16 - (unsigned long)(st->ctlen % 16);
+ if (padlen < 16) {
+ if ((err = poly1305_process(&st->poly, padzero, padlen)) != CRYPT_OK) return err;
+ }
+ STORE64L(st->aadlen, buf);
+ STORE64L(st->ctlen, buf + 8);
+ if ((err = poly1305_process(&st->poly, buf, 16)) != CRYPT_OK) return err;
+ if ((err = poly1305_done(&st->poly, tag, taglen)) != CRYPT_OK) return err;
+ if ((err = chacha_done(&st->chacha)) != CRYPT_OK) return err;
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_encrypt.c b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_encrypt.c
new file mode 100644
index 0000000..c53c4a6
--- /dev/null
+++ b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_encrypt.c
@@ -0,0 +1,48 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_CHACHA20POLY1305_MODE
+
+/**
+ Encrypt bytes of ciphertext with ChaCha20Poly1305
+ @param st The ChaCha20Poly1305 state
+ @param in The plaintext
+ @param inlen The length of the input (octets)
+ @param out [out] The ciphertext (length inlen)
+ @return CRYPT_OK if successful
+*/
+int chacha20poly1305_encrypt(chacha20poly1305_state *st, const unsigned char *in, unsigned long inlen, unsigned char *out)
+{
+ unsigned char padzero[16] = { 0 };
+ unsigned long padlen;
+ int err;
+
+ if (inlen == 0) return CRYPT_OK; /* nothing to do */
+ LTC_ARGCHK(st != NULL);
+
+ if ((err = chacha_crypt(&st->chacha, in, inlen, out)) != CRYPT_OK) return err;
+ if (st->aadflg) {
+ padlen = 16 - (unsigned long)(st->aadlen % 16);
+ if (padlen < 16) {
+ if ((err = poly1305_process(&st->poly, padzero, padlen)) != CRYPT_OK) return err;
+ }
+ st->aadflg = 0; /* no more AAD */
+ }
+ if ((err = poly1305_process(&st->poly, out, inlen)) != CRYPT_OK) return err;
+ st->ctlen += (ulong64)inlen;
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_init.c b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_init.c
new file mode 100644
index 0000000..2799e98
--- /dev/null
+++ b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_init.c
@@ -0,0 +1,30 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_CHACHA20POLY1305_MODE
+
+/**
+ Initialize an ChaCha20Poly1305 context (only the key)
+ @param st [out] The destination of the ChaCha20Poly1305 state
+ @param key The secret key
+ @param keylen The length of the secret key (octets)
+ @return CRYPT_OK if successful
+*/
+int chacha20poly1305_init(chacha20poly1305_state *st, const unsigned char *key, unsigned long keylen)
+{
+ return chacha_setup(&st->chacha, key, keylen, 20);
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_memory.c b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_memory.c
new file mode 100644
index 0000000..54e2011
--- /dev/null
+++ b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_memory.c
@@ -0,0 +1,74 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_CHACHA20POLY1305_MODE
+
+/**
+ Process an entire GCM packet in one call.
+ @param key The secret key
+ @param keylen The length of the secret key
+ @param iv The initialization vector
+ @param ivlen The length of the initialization vector
+ @param aad The additional authentication data (header)
+ @param aadlen The length of the aad
+ @param in The plaintext
+ @param inlen The length of the plaintext (ciphertext length is the same)
+ @param out The ciphertext
+ @param tag [out] The MAC tag
+ @param taglen [in/out] The MAC tag length
+ @param direction Encrypt or Decrypt mode (CHACHA20POLY1305_ENCRYPT or CHACHA20POLY1305_DECRYPT)
+ @return CRYPT_OK on success
+ */
+int chacha20poly1305_memory(const unsigned char *key, unsigned long keylen,
+ const unsigned char *iv, unsigned long ivlen,
+ const unsigned char *aad, unsigned long aadlen,
+ const unsigned char *in, unsigned long inlen,
+ unsigned char *out,
+ unsigned char *tag, unsigned long *taglen,
+ int direction)
+{
+ chacha20poly1305_state st;
+ int err;
+
+ LTC_ARGCHK(key != NULL);
+ LTC_ARGCHK(iv != NULL);
+ LTC_ARGCHK(in != NULL);
+ LTC_ARGCHK(out != NULL);
+ LTC_ARGCHK(tag != NULL);
+
+ if ((err = chacha20poly1305_init(&st, key, keylen)) != CRYPT_OK) { goto LBL_ERR; }
+ if ((err = chacha20poly1305_setiv(&st, iv, ivlen)) != CRYPT_OK) { goto LBL_ERR; }
+ if (aad && aadlen > 0) {
+ if ((err = chacha20poly1305_add_aad(&st, aad, aadlen)) != CRYPT_OK) { goto LBL_ERR; }
+ }
+ if (direction == CHACHA20POLY1305_ENCRYPT) {
+ if ((err = chacha20poly1305_encrypt(&st, in, inlen, out)) != CRYPT_OK) { goto LBL_ERR; }
+ }
+ else if (direction == CHACHA20POLY1305_DECRYPT) {
+ if ((err = chacha20poly1305_decrypt(&st, in, inlen, out)) != CRYPT_OK) { goto LBL_ERR; }
+ }
+ else {
+ err = CRYPT_INVALID_ARG;
+ goto LBL_ERR;
+ }
+ err = chacha20poly1305_done(&st, tag, taglen);
+LBL_ERR:
+#ifdef LTC_CLEAN_STACK
+ zeromem(&st, sizeof(chacha20poly1305_state));
+#endif
+ return err;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_setiv.c b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_setiv.c
new file mode 100644
index 0000000..b87666e
--- /dev/null
+++ b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_setiv.c
@@ -0,0 +1,68 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_CHACHA20POLY1305_MODE
+
+/**
+ Set IV + counter data to the ChaCha20Poly1305 state and reset the context
+ @param st The ChaCha20Poly1305 state
+ @param iv The IV data to add
+ @param ivlen The length of the IV (must be 12 or 8)
+ @return CRYPT_OK on success
+ */
+int chacha20poly1305_setiv(chacha20poly1305_state *st, const unsigned char *iv, unsigned long ivlen)
+{
+ chacha_state tmp_st;
+ int i, err;
+ unsigned char polykey[32];
+
+ LTC_ARGCHK(st != NULL);
+ LTC_ARGCHK(iv != NULL);
+ LTC_ARGCHK(ivlen == 12 || ivlen == 8);
+
+ /* set IV for chacha20 */
+ if (ivlen == 12) {
+ /* IV 96bit */
+ if ((err = chacha_ivctr32(&st->chacha, iv, ivlen, 1)) != CRYPT_OK) return err;
+ }
+ else {
+ /* IV 64bit */
+ if ((err = chacha_ivctr64(&st->chacha, iv, ivlen, 1)) != CRYPT_OK) return err;
+ }
+
+ /* copy chacha20 key to temporary state */
+ for(i = 0; i < 12; i++) tmp_st.input[i] = st->chacha.input[i];
+ tmp_st.rounds = 20;
+ /* set IV */
+ if (ivlen == 12) {
+ /* IV 32bit */
+ if ((err = chacha_ivctr32(&tmp_st, iv, ivlen, 0)) != CRYPT_OK) return err;
+ }
+ else {
+ /* IV 64bit */
+ if ((err = chacha_ivctr64(&tmp_st, iv, ivlen, 0)) != CRYPT_OK) return err;
+ }
+ /* (re)generate new poly1305 key */
+ if ((err = chacha_keystream(&tmp_st, polykey, 32)) != CRYPT_OK) return err;
+ /* (re)initialise poly1305 */
+ if ((err = poly1305_init(&st->poly, polykey, 32)) != CRYPT_OK) return err;
+ st->ctlen = 0;
+ st->aadlen = 0;
+ st->aadflg = 1;
+
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_setiv_rfc7905.c b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_setiv_rfc7905.c
new file mode 100644
index 0000000..7136a1e
--- /dev/null
+++ b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_setiv_rfc7905.c
@@ -0,0 +1,40 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_CHACHA20POLY1305_MODE
+
+/**
+ Set IV + counter data (with RFC7905-magic) to the ChaCha20Poly1305 state and reset the context
+ @param st The ChaCha20Poly1305 state
+ @param iv The IV data to add
+ @param ivlen The length of the IV (must be 12 or 8)
+ @param sequence_number 64bit sequence number which is incorporated into IV as described in RFC7905
+ @return CRYPT_OK on success
+ */
+int chacha20poly1305_setiv_rfc7905(chacha20poly1305_state *st, const unsigned char *iv, unsigned long ivlen, ulong64 sequence_number)
+{
+ int i;
+ unsigned char combined_iv[12] = { 0 };
+
+ LTC_ARGCHK(st != NULL);
+ LTC_ARGCHK(iv != NULL);
+ LTC_ARGCHK(ivlen == 12);
+
+ STORE64L(sequence_number, combined_iv + 4);
+ for (i = 0; i < 12; i++) combined_iv[i] = iv[i] ^ combined_iv[i];
+ return chacha20poly1305_setiv(st, combined_iv, 12);
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_test.c b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_test.c
new file mode 100644
index 0000000..2ba88dd
--- /dev/null
+++ b/libtomcrypt/src/encauth/chachapoly/chacha20poly1305_test.c
@@ -0,0 +1,134 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_CHACHA20POLY1305_MODE
+
+int chacha20poly1305_test(void)
+{
+#ifndef LTC_TEST
+ return CRYPT_NOP;
+#else
+ chacha20poly1305_state st1, st2;
+ unsigned char k[] = { 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f };
+ unsigned char i12[] = { 0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 };
+ unsigned char i8[] = { 0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43 };
+ unsigned char aad[] = { 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7 };
+ unsigned char enc[] = { 0xD3, 0x1A, 0x8D, 0x34, 0x64, 0x8E, 0x60, 0xDB, 0x7B, 0x86, 0xAF, 0xBC, 0x53, 0xEF, 0x7E, 0xC2,
+ 0xA4, 0xAD, 0xED, 0x51, 0x29, 0x6E, 0x08, 0xFE, 0xA9, 0xE2, 0xB5, 0xA7, 0x36, 0xEE, 0x62, 0xD6,
+ 0x3D, 0xBE, 0xA4, 0x5E, 0x8C, 0xA9, 0x67, 0x12, 0x82, 0xFA, 0xFB, 0x69, 0xDA, 0x92, 0x72, 0x8B,
+ 0x1A, 0x71, 0xDE, 0x0A, 0x9E, 0x06, 0x0B, 0x29, 0x05, 0xD6, 0xA5, 0xB6, 0x7E, 0xCD, 0x3B, 0x36,
+ 0x92, 0xDD, 0xBD, 0x7F, 0x2D, 0x77, 0x8B, 0x8C, 0x98, 0x03, 0xAE, 0xE3, 0x28, 0x09, 0x1B, 0x58,
+ 0xFA, 0xB3, 0x24, 0xE4, 0xFA, 0xD6, 0x75, 0x94, 0x55, 0x85, 0x80, 0x8B, 0x48, 0x31, 0xD7, 0xBC,
+ 0x3F, 0xF4, 0xDE, 0xF0, 0x8E, 0x4B, 0x7A, 0x9D, 0xE5, 0x76, 0xD2, 0x65, 0x86, 0xCE, 0xC6, 0x4B,
+ 0x61, 0x16 };
+ unsigned char tag[] = { 0x1A, 0xE1, 0x0B, 0x59, 0x4F, 0x09, 0xE2, 0x6A, 0x7E, 0x90, 0x2E, 0xCB, 0xD0, 0x60, 0x06, 0x91 };
+ char m[] = "Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it.";
+ unsigned long mlen = strlen(m);
+ unsigned long len;
+ unsigned char rfc7905_pt[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F };
+ unsigned char rfc7905_enc[] = { 0xE4, 0x62, 0x85, 0xB4, 0x29, 0x95, 0x34, 0x96, 0xAB, 0xFB, 0x67, 0xCD, 0xAE, 0xAC, 0x94, 0x1E };
+ unsigned char rfc7905_tag[] = { 0x16, 0x2C, 0x92, 0x48, 0x2A, 0xDB, 0xD3, 0x5D, 0x48, 0xBE, 0xC6, 0xFF, 0x10, 0x9C, 0xBA, 0xE4 };
+ unsigned char ct[1000], pt[1000], emac[16], dmac[16];
+ int err;
+
+ /* encrypt IV 96bit */
+ if ((err = chacha20poly1305_init(&st1, k, sizeof(k))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_setiv(&st1, i12, sizeof(i12))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_add_aad(&st1, aad, sizeof(aad))) != CRYPT_OK) return err;
+ /* encrypt piece by piece */
+ if ((err = chacha20poly1305_encrypt(&st1, (unsigned char *)m, 25, ct)) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_encrypt(&st1, (unsigned char *)m + 25, 10, ct + 25)) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_encrypt(&st1, (unsigned char *)m + 35, 35, ct + 35)) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_encrypt(&st1, (unsigned char *)m + 70, 5, ct + 70)) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_encrypt(&st1, (unsigned char *)m + 75, 5, ct + 75)) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_encrypt(&st1, (unsigned char *)m + 80, mlen - 80, ct + 80)) != CRYPT_OK) return err;
+ len = sizeof(emac);
+ if ((err = chacha20poly1305_done(&st1, emac, &len)) != CRYPT_OK) return err;
+
+ if (compare_testvector(ct, mlen, enc, sizeof(enc), "ENC-CT", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
+ if (compare_testvector(emac, len, tag, sizeof(tag), "ENC-TAG", 2) != 0) return CRYPT_FAIL_TESTVECTOR;
+
+ /* decrypt IV 96bit */
+ if ((err = chacha20poly1305_init(&st2, k, sizeof(k))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_setiv(&st2, i12, sizeof(i12))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_add_aad(&st2, aad, sizeof(aad))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_decrypt(&st2, ct, 21, pt)) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_decrypt(&st2, ct + 21, mlen - 21, pt + 21)) != CRYPT_OK) return err;
+ len = sizeof(dmac);
+ if ((err = chacha20poly1305_done(&st2, dmac, &len)) != CRYPT_OK) return err;
+
+ if (compare_testvector(pt, mlen, m, mlen, "DEC-PT", 3) != 0) return CRYPT_FAIL_TESTVECTOR;
+ if (compare_testvector(dmac, len, tag, sizeof(tag), "DEC-TAG", 4) != 0) return CRYPT_FAIL_TESTVECTOR;
+
+ /* chacha20poly1305_memory - encrypt */
+ len = sizeof(emac);
+ if ((err = chacha20poly1305_memory(k, sizeof(k), i12, sizeof(i12), aad, sizeof(aad), (unsigned char *)m,
+ mlen, ct, emac, &len, CHACHA20POLY1305_ENCRYPT)) != CRYPT_OK) return err;
+ if (compare_testvector(ct, mlen, enc, sizeof(enc), "ENC-CT2", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
+ if (compare_testvector(emac, len, tag, sizeof(tag), "ENC-TAG2", 2) != 0) return CRYPT_FAIL_TESTVECTOR;
+
+ /* chacha20poly1305_memory - decrypt */
+ len = sizeof(dmac);
+ if ((err = chacha20poly1305_memory(k, sizeof(k), i12, sizeof(i12), aad, sizeof(aad),
+ ct, mlen, pt, dmac, &len, CHACHA20POLY1305_DECRYPT)) != CRYPT_OK) return err;
+ if (compare_testvector(pt, mlen, m, mlen, "DEC-PT2", 3) != 0) return CRYPT_FAIL_TESTVECTOR;
+ if (compare_testvector(dmac, len, tag, sizeof(tag), "DEC-TAG2", 4) != 0) return CRYPT_FAIL_TESTVECTOR;
+
+ /* encrypt - rfc7905 */
+ if ((err = chacha20poly1305_init(&st1, k, sizeof(k))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_setiv_rfc7905(&st1, i12, sizeof(i12), CONST64(0x1122334455667788))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_add_aad(&st1, aad, sizeof(aad))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_encrypt(&st1, rfc7905_pt, 16, ct)) != CRYPT_OK) return err;
+ len = sizeof(emac);
+ if ((err = chacha20poly1305_done(&st1, emac, &len)) != CRYPT_OK) return err;
+
+ if (compare_testvector(ct, 16, rfc7905_enc, 16, "ENC-CT3", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
+ if (compare_testvector(emac, len, rfc7905_tag, 16, "ENC-TAG3", 2) != 0) return CRYPT_FAIL_TESTVECTOR;
+
+ /* decrypt - rfc7905 */
+ if ((err = chacha20poly1305_init(&st1, k, sizeof(k))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_setiv_rfc7905(&st1, i12, sizeof(i12), CONST64(0x1122334455667788))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_add_aad(&st1, aad, sizeof(aad))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_decrypt(&st1, ct, 16, pt)) != CRYPT_OK) return err;
+ len = sizeof(dmac);
+ if ((err = chacha20poly1305_done(&st1, dmac, &len)) != CRYPT_OK) return err;
+
+ if (compare_testvector(pt, 16, rfc7905_pt, 16, "DEC-CT3", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
+ if (compare_testvector(dmac, len, rfc7905_tag, 16, "DEC-TAG3", 2) != 0) return CRYPT_FAIL_TESTVECTOR;
+
+ /* encrypt IV 64bit */
+ if ((err = chacha20poly1305_init(&st1, k, sizeof(k))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_setiv(&st1, i8, sizeof(i8))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_add_aad(&st1, aad, sizeof(aad))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_encrypt(&st1, (unsigned char *)m, mlen, ct)) != CRYPT_OK) return err;
+ len = sizeof(emac);
+ if ((err = chacha20poly1305_done(&st1, emac, &len)) != CRYPT_OK) return err;
+
+ /* decrypt IV 64bit */
+ if ((err = chacha20poly1305_init(&st2, k, sizeof(k))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_setiv(&st2, i8, sizeof(i8))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_add_aad(&st2, aad, sizeof(aad))) != CRYPT_OK) return err;
+ if ((err = chacha20poly1305_decrypt(&st2, ct, mlen, pt)) != CRYPT_OK) return err;
+ len = sizeof(dmac);
+ if ((err = chacha20poly1305_done(&st2, dmac, &len)) != CRYPT_OK) return err;
+
+ if (compare_testvector(pt, mlen, m, mlen, "DEC-PT4", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
+ if (compare_testvector(dmac, len, emac, len, "DEC-TAG4", 2) != 0) return CRYPT_FAIL_TESTVECTOR;
+
+ return CRYPT_OK;
+#endif
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/eax/eax_addheader.c b/libtomcrypt/src/encauth/eax/eax_addheader.c
index d06e921..5545336 100644
--- a/libtomcrypt/src/encauth/eax/eax_addheader.c
+++ b/libtomcrypt/src/encauth/eax/eax_addheader.c
@@ -5,25 +5,23 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/**
+/**
@file eax_addheader.c
- EAX implementation, add meta-data, by Tom St Denis
+ EAX implementation, add meta-data, by Tom St Denis
*/
#include "tomcrypt.h"
#ifdef LTC_EAX_MODE
-/**
- add header (metadata) to the stream
+/**
+ add header (metadata) to the stream
@param eax The current EAX state
@param header The header (meta-data) data you wish to add to the state
@param length The length of the header data
@return CRYPT_OK if successful
*/
-int eax_addheader(eax_state *eax, const unsigned char *header,
+int eax_addheader(eax_state *eax, const unsigned char *header,
unsigned long length)
{
LTC_ARGCHK(eax != NULL);
@@ -33,6 +31,6 @@ int eax_addheader(eax_state *eax, const unsigned char *header,
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/eax/eax_decrypt.c b/libtomcrypt/src/encauth/eax/eax_decrypt.c
index 185330f..b140716 100644
--- a/libtomcrypt/src/encauth/eax/eax_decrypt.c
+++ b/libtomcrypt/src/encauth/eax/eax_decrypt.c
@@ -5,11 +5,9 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/**
+/**
@file eax_decrypt.c
EAX implementation, decrypt block, by Tom St Denis
*/
@@ -17,7 +15,7 @@
#ifdef LTC_EAX_MODE
-/**
+/**
Decrypt data with the EAX protocol
@param eax The EAX state
@param ct The ciphertext
@@ -25,11 +23,11 @@
@param length The length (octets) of the ciphertext
@return CRYPT_OK if successful
*/
-int eax_decrypt(eax_state *eax, const unsigned char *ct, unsigned char *pt,
+int eax_decrypt(eax_state *eax, const unsigned char *ct, unsigned char *pt,
unsigned long length)
{
int err;
-
+
LTC_ARGCHK(eax != NULL);
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
@@ -45,6 +43,6 @@ int eax_decrypt(eax_state *eax, const unsigned char *ct, unsigned char *pt,
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/eax/eax_decrypt_verify_memory.c b/libtomcrypt/src/encauth/eax/eax_decrypt_verify_memory.c
index 7956142..8c6540f 100644
--- a/libtomcrypt/src/encauth/eax/eax_decrypt_verify_memory.c
+++ b/libtomcrypt/src/encauth/eax/eax_decrypt_verify_memory.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -57,6 +55,9 @@ int eax_decrypt_verify_memory(int cipher,
/* default to zero */
*stat = 0;
+ /* limit taglen */
+ taglen = MIN(taglen, MAXBLOCKSIZE);
+
/* allocate ram */
buf = XMALLOC(taglen);
eax = XMALLOC(sizeof(*eax));
@@ -77,17 +78,17 @@ int eax_decrypt_verify_memory(int cipher,
if ((err = eax_decrypt(eax, ct, pt, ctlen)) != CRYPT_OK) {
goto LBL_ERR;
}
-
+
buflen = taglen;
if ((err = eax_done(eax, buf, &buflen)) != CRYPT_OK) {
goto LBL_ERR;
}
/* compare tags */
- if (buflen >= taglen && XMEMCMP(buf, tag, taglen) == 0) {
+ if (buflen >= taglen && XMEM_NEQ(buf, tag, taglen) == 0) {
*stat = 1;
}
-
+
err = CRYPT_OK;
LBL_ERR:
#ifdef LTC_CLEAN_STACK
@@ -103,6 +104,6 @@ LBL_ERR:
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/eax/eax_done.c b/libtomcrypt/src/encauth/eax/eax_done.c
index 0bb0b33..b00bfe0 100644
--- a/libtomcrypt/src/encauth/eax/eax_done.c
+++ b/libtomcrypt/src/encauth/eax/eax_done.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -51,7 +49,7 @@ int eax_done(eax_state *eax, unsigned char *tag, unsigned long *taglen)
/* finish ctomac */
len = MAXBLOCKSIZE;
if ((err = omac_done(&eax->ctomac, ctmac, &len)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
/* finish headeromac */
@@ -59,7 +57,7 @@ int eax_done(eax_state *eax, unsigned char *tag, unsigned long *taglen)
/* note we specifically don't reset len so the two lens are minimal */
if ((err = omac_done(&eax->headeromac, headermac, &len)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
/* terminate the CTR chain */
@@ -89,6 +87,6 @@ LBL_ERR:
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/eax/eax_encrypt.c b/libtomcrypt/src/encauth/eax/eax_encrypt.c
index 79f9dc5..174f263 100644
--- a/libtomcrypt/src/encauth/eax/eax_encrypt.c
+++ b/libtomcrypt/src/encauth/eax/eax_encrypt.c
@@ -5,13 +5,11 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@file eax_encrypt.c
- EAX implementation, encrypt block by Tom St Denis
+ EAX implementation, encrypt block by Tom St Denis
*/
#include "tomcrypt.h"
@@ -25,11 +23,11 @@
@param length The length of the plaintext (octets)
@return CRYPT_OK if successful
*/
-int eax_encrypt(eax_state *eax, const unsigned char *pt, unsigned char *ct,
+int eax_encrypt(eax_state *eax, const unsigned char *pt, unsigned char *ct,
unsigned long length)
{
int err;
-
+
LTC_ARGCHK(eax != NULL);
LTC_ARGCHK(pt != NULL);
LTC_ARGCHK(ct != NULL);
@@ -46,6 +44,6 @@ int eax_encrypt(eax_state *eax, const unsigned char *pt, unsigned char *ct,
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/eax/eax_encrypt_authenticate_memory.c b/libtomcrypt/src/encauth/eax/eax_encrypt_authenticate_memory.c
index fc58ce6..9980fc0 100644
--- a/libtomcrypt/src/encauth/eax/eax_encrypt_authenticate_memory.c
+++ b/libtomcrypt/src/encauth/eax/eax_encrypt_authenticate_memory.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -53,15 +51,15 @@ int eax_encrypt_authenticate_memory(int cipher,
eax = XMALLOC(sizeof(*eax));
if ((err = eax_init(eax, cipher, key, keylen, nonce, noncelen, header, headerlen)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
if ((err = eax_encrypt(eax, pt, ct, ptlen)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
-
+
if ((err = eax_done(eax, tag, taglen)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
err = CRYPT_OK;
@@ -72,11 +70,11 @@ LBL_ERR:
XFREE(eax);
- return err;
+ return err;
}
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/eax/eax_init.c b/libtomcrypt/src/encauth/eax/eax_init.c
index 563eabf..154d7a9 100644
--- a/libtomcrypt/src/encauth/eax/eax_init.c
+++ b/libtomcrypt/src/encauth/eax/eax_init.c
@@ -5,19 +5,17 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/**
+/**
@file eax_init.c
- EAX implementation, initialized EAX state, by Tom St Denis
+ EAX implementation, initialized EAX state, by Tom St Denis
*/
#include "tomcrypt.h"
#ifdef LTC_EAX_MODE
-/**
+/**
Initialized an EAX state
@param eax [out] The EAX state to initialize
@param cipher The index of the desired cipher
@@ -29,7 +27,7 @@
@param headerlen The header length (octets)
@return CRYPT_OK if successful
*/
-int eax_init(eax_state *eax, int cipher,
+int eax_init(eax_state *eax, int cipher,
const unsigned char *key, unsigned long keylen,
const unsigned char *nonce, unsigned long noncelen,
const unsigned char *header, unsigned long headerlen)
@@ -69,21 +67,21 @@ int eax_init(eax_state *eax, int cipher,
/* N = LTC_OMAC_0K(nonce) */
zeromem(buf, MAXBLOCKSIZE);
if ((err = omac_init(omac, cipher, key, keylen)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
/* omac the [0]_n */
if ((err = omac_process(omac, buf, blklen)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
/* omac the nonce */
if ((err = omac_process(omac, nonce, noncelen)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
/* store result */
len = sizeof(eax->N);
if ((err = omac_done(omac, eax->N, &len)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
/* H = LTC_OMAC_1K(header) */
@@ -91,17 +89,17 @@ int eax_init(eax_state *eax, int cipher,
buf[blklen - 1] = 1;
if ((err = omac_init(&eax->headeromac, cipher, key, keylen)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
/* omac the [1]_n */
if ((err = omac_process(&eax->headeromac, buf, blklen)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
/* omac the header */
if (headerlen != 0) {
if ((err = omac_process(&eax->headeromac, header, headerlen)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
}
@@ -109,19 +107,19 @@ int eax_init(eax_state *eax, int cipher,
/* setup the CTR mode */
if ((err = ctr_start(cipher, eax->N, key, keylen, 0, CTR_COUNTER_BIG_ENDIAN, &eax->ctr)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
/* setup the LTC_OMAC for the ciphertext */
- if ((err = omac_init(&eax->ctomac, cipher, key, keylen)) != CRYPT_OK) {
- goto LBL_ERR;
+ if ((err = omac_init(&eax->ctomac, cipher, key, keylen)) != CRYPT_OK) {
+ goto LBL_ERR;
}
/* omac [2]_n */
zeromem(buf, MAXBLOCKSIZE);
buf[blklen-1] = 2;
if ((err = omac_process(&eax->ctomac, buf, blklen)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
err = CRYPT_OK;
@@ -137,8 +135,8 @@ LBL_ERR:
return err;
}
-#endif
+#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/eax/eax_test.c b/libtomcrypt/src/encauth/eax/eax_test.c
index 5babef2..7d29ee7 100644
--- a/libtomcrypt/src/encauth/eax/eax_test.c
+++ b/libtomcrypt/src/encauth/eax/eax_test.c
@@ -5,11 +5,9 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/**
+/**
@file eax_test.c
EAX implementation, self-test, by Tom St Denis
*/
@@ -27,16 +25,16 @@ int eax_test(void)
return CRYPT_NOP;
#else
static const struct {
- int keylen,
- noncelen,
- headerlen,
+ int keylen,
+ noncelen,
+ headerlen,
msglen;
- unsigned char key[MAXBLOCKSIZE],
- nonce[MAXBLOCKSIZE],
- header[MAXBLOCKSIZE],
+ unsigned char key[MAXBLOCKSIZE],
+ nonce[MAXBLOCKSIZE],
+ header[MAXBLOCKSIZE],
plaintext[MAXBLOCKSIZE],
- ciphertext[MAXBLOCKSIZE],
+ ciphertext[MAXBLOCKSIZE],
tag[MAXBLOCKSIZE];
} tests[] = {
@@ -107,7 +105,7 @@ int eax_test(void)
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
/* nonce */
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
/* header */
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
@@ -134,7 +132,7 @@ int eax_test(void)
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
/* nonce */
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e },
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e },
/* header */
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d },
@@ -176,7 +174,7 @@ int eax_test(void)
{
16, 16, 8, 2,
- /* key */
+ /* key */
{ 0x91, 0x94, 0x5d, 0x3f, 0x4d, 0xcb, 0xee, 0x0b,
0xf4, 0x5e, 0xf5, 0x22, 0x55, 0xf0, 0x95, 0xa4 },
/* nonce */
@@ -210,14 +208,14 @@ int eax_test(void)
/* Tag */
{ 0x3a, 0x59, 0xf2, 0x38, 0xa2, 0x3e, 0x39, 0x19,
0x9d, 0xc9, 0x26, 0x66, 0x26, 0xc4, 0x0f, 0x80 }
-}
+}
};
int err, x, idx, res;
unsigned long len;
unsigned char outct[MAXBLOCKSIZE], outtag[MAXBLOCKSIZE];
- /* AES can be under rijndael or aes... try to find it */
+ /* AES can be under rijndael or aes... try to find it */
if ((idx = find_cipher("aes")) == -1) {
if ((idx = find_cipher("rijndael")) == -1) {
return CRYPT_NOP;
@@ -231,22 +229,8 @@ int eax_test(void)
tests[x].plaintext, tests[x].msglen, outct, outtag, &len)) != CRYPT_OK) {
return err;
}
- if (XMEMCMP(outct, tests[x].ciphertext, tests[x].msglen) || XMEMCMP(outtag, tests[x].tag, len)) {
-#if 0
- unsigned long y;
- printf("\n\nFailure: \nCT:\n");
- for (y = 0; y < (unsigned long)tests[x].msglen; ) {
- printf("0x%02x", outct[y]);
- if (y < (unsigned long)(tests[x].msglen-1)) printf(", ");
- if (!(++y % 8)) printf("\n");
- }
- printf("\nTAG:\n");
- for (y = 0; y < len; ) {
- printf("0x%02x", outtag[y]);
- if (y < len-1) printf(", ");
- if (!(++y % 8)) printf("\n");
- }
-#endif
+ if (compare_testvector(outtag, len, tests[x].tag, len, "EAX Tag", x) ||
+ compare_testvector(outct, tests[x].msglen, tests[x].ciphertext, tests[x].msglen, "EAX CT", x)) {
return CRYPT_FAIL_TESTVECTOR;
}
@@ -256,27 +240,20 @@ int eax_test(void)
outct, tests[x].msglen, outct, outtag, len, &res)) != CRYPT_OK) {
return err;
}
- if ((res != 1) || XMEMCMP(outct, tests[x].plaintext, tests[x].msglen)) {
-#if 0
- unsigned long y;
- printf("\n\nFailure (res == %d): \nPT:\n", res);
- for (y = 0; y < (unsigned long)tests[x].msglen; ) {
- printf("0x%02x", outct[y]);
- if (y < (unsigned long)(tests[x].msglen-1)) printf(", ");
- if (!(++y % 8)) printf("\n");
- }
- printf("\n\n");
+ if ((res != 1) || compare_testvector(outct, tests[x].msglen, tests[x].plaintext, tests[x].msglen, "EAX", x)) {
+#ifdef LTC_TEST_DBG
+ printf("\n\nEAX: Failure-decrypt - res = %d\n", res);
#endif
return CRYPT_FAIL_TESTVECTOR;
}
- }
- return CRYPT_OK;
+ }
+ return CRYPT_OK;
#endif /* LTC_TEST */
}
#endif /* LTC_EAX_MODE */
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/gcm/gcm_add_aad.c b/libtomcrypt/src/encauth/gcm/gcm_add_aad.c
index 26e47f6..cacc15b 100644
--- a/libtomcrypt/src/encauth/gcm/gcm_add_aad.c
+++ b/libtomcrypt/src/encauth/gcm/gcm_add_aad.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -48,6 +46,8 @@ int gcm_add_aad(gcm_state *gcm,
/* in IV mode? */
if (gcm->mode == LTC_GCM_MODE_IV) {
+ /* IV length must be > 0 */
+ if (gcm->buflen == 0 && gcm->totlen == 0) return CRYPT_ERROR;
/* let's process the IV */
if (gcm->ivmode || gcm->buflen != 12) {
for (x = 0; x < (unsigned long)gcm->buflen; x++) {
@@ -66,7 +66,7 @@ int gcm_add_aad(gcm_state *gcm,
}
gcm_mult_h(gcm, gcm->X);
- /* copy counter out */
+ /* copy counter out */
XMEMCPY(gcm->Y, gcm->X, 16);
zeromem(gcm->X, 16);
} else {
@@ -92,7 +92,7 @@ int gcm_add_aad(gcm_state *gcm,
if (gcm->buflen == 0) {
for (x = 0; x < (adatalen & ~15); x += 16) {
for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) {
- *((LTC_FAST_TYPE*)(&gcm->X[y])) ^= *((LTC_FAST_TYPE*)(&adata[x + y]));
+ *(LTC_FAST_TYPE_PTR_CAST(&gcm->X[y])) ^= *(LTC_FAST_TYPE_PTR_CAST(&adata[x + y]));
}
gcm_mult_h(gcm, gcm->X);
gcm->totlen += 128;
@@ -104,9 +104,9 @@ int gcm_add_aad(gcm_state *gcm,
/* start adding AAD data to the state */
for (; x < adatalen; x++) {
- gcm->X[gcm->buflen++] ^= *adata++;
+ gcm->X[gcm->buflen++] ^= *adata++;
- if (gcm->buflen == 16) {
+ if (gcm->buflen == 16) {
/* GF mult it */
gcm_mult_h(gcm, gcm->X);
gcm->buflen = 0;
@@ -117,8 +117,8 @@ int gcm_add_aad(gcm_state *gcm,
return CRYPT_OK;
}
#endif
-
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/gcm/gcm_add_iv.c b/libtomcrypt/src/encauth/gcm/gcm_add_iv.c
index 0ac79b6..3fd3861 100644
--- a/libtomcrypt/src/encauth/gcm/gcm_add_iv.c
+++ b/libtomcrypt/src/encauth/gcm/gcm_add_iv.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -24,7 +22,7 @@
@param IVlen The length of the IV
@return CRYPT_OK on success
*/
-int gcm_add_iv(gcm_state *gcm,
+int gcm_add_iv(gcm_state *gcm,
const unsigned char *IV, unsigned long IVlen)
{
unsigned long x, y;
@@ -39,7 +37,7 @@ int gcm_add_iv(gcm_state *gcm,
if (gcm->mode != LTC_GCM_MODE_IV) {
return CRYPT_INVALID_ARG;
}
-
+
if (gcm->buflen >= 16 || gcm->buflen < 0) {
return CRYPT_INVALID_ARG;
}
@@ -59,7 +57,7 @@ int gcm_add_iv(gcm_state *gcm,
if (gcm->buflen == 0) {
for (x = 0; x < (IVlen & ~15); x += 16) {
for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) {
- *((LTC_FAST_TYPE*)(&gcm->X[y])) ^= *((LTC_FAST_TYPE*)(&IV[x + y]));
+ *(LTC_FAST_TYPE_PTR_CAST(&gcm->X[y])) ^= *(LTC_FAST_TYPE_PTR_CAST(&IV[x + y]));
}
gcm_mult_h(gcm, gcm->X);
gcm->totlen += 128;
@@ -72,7 +70,7 @@ int gcm_add_iv(gcm_state *gcm,
for (; x < IVlen; x++) {
gcm->buf[gcm->buflen++] = *IV++;
- if (gcm->buflen == 16) {
+ if (gcm->buflen == 16) {
/* GF mult it */
for (y = 0; y < 16; y++) {
gcm->X[y] ^= gcm->buf[y];
@@ -87,8 +85,8 @@ int gcm_add_iv(gcm_state *gcm,
}
#endif
-
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/gcm/gcm_done.c b/libtomcrypt/src/encauth/gcm/gcm_done.c
index bbc9bbe..ffd551e 100644
--- a/libtomcrypt/src/encauth/gcm/gcm_done.c
+++ b/libtomcrypt/src/encauth/gcm/gcm_done.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -24,7 +22,7 @@
@param taglen [in/out] The length of the MAC tag
@return CRYPT_OK on success
*/
-int gcm_done(gcm_state *gcm,
+int gcm_done(gcm_state *gcm,
unsigned char *tag, unsigned long *taglen)
{
unsigned long x;
@@ -42,6 +40,15 @@ int gcm_done(gcm_state *gcm,
return err;
}
+ if (gcm->mode == LTC_GCM_MODE_IV) {
+ /* let's process the IV */
+ if ((err = gcm_add_aad(gcm, NULL, 0)) != CRYPT_OK) return err;
+ }
+
+ if (gcm->mode == LTC_GCM_MODE_AAD) {
+ /* let's process the AAD */
+ if ((err = gcm_process(gcm, NULL, 0, NULL, 0)) != CRYPT_OK) return err;
+ }
if (gcm->mode != LTC_GCM_MODE_TEXT) {
return CRYPT_INVALID_ARG;
@@ -78,6 +85,6 @@ int gcm_done(gcm_state *gcm,
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/gcm/gcm_gf_mult.c b/libtomcrypt/src/encauth/gcm/gcm_gf_mult.c
index 72e0624..2e7a906 100644
--- a/libtomcrypt/src/encauth/gcm/gcm_gf_mult.c
+++ b/libtomcrypt/src/encauth/gcm/gcm_gf_mult.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -15,9 +13,9 @@
*/
#include "tomcrypt.h"
-#if defined(LTC_GCM_TABLES) || defined(LRW_TABLES) || ((defined(LTC_GCM_MODE) || defined(LTC_GCM_MODE)) && defined(LTC_FAST))
+#if defined(LTC_GCM_TABLES) || defined(LTC_LRW_TABLES) || ((defined(LTC_GCM_MODE) || defined(LTC_GCM_MODE)) && defined(LTC_FAST))
-/* this is x*2^128 mod p(x) ... the results are 16 bytes each stored in a packed format. Since only the
+/* this is x*2^128 mod p(x) ... the results are 16 bytes each stored in a packed format. Since only the
* lower 16 bits are not zero'ed I removed the upper 14 bytes */
const unsigned char gcm_shift_table[256*2] = {
0x00, 0x00, 0x01, 0xc2, 0x03, 0x84, 0x02, 0x46, 0x07, 0x08, 0x06, 0xca, 0x04, 0x8c, 0x05, 0x4e,
@@ -60,7 +58,7 @@ const unsigned char gcm_shift_table[256*2] = {
#ifndef LTC_FAST
/* right shift */
-static void gcm_rightshift(unsigned char *a)
+static void _gcm_rightshift(unsigned char *a)
{
int x;
for (x = 15; x > 0; x--) {
@@ -73,28 +71,28 @@ static void gcm_rightshift(unsigned char *a)
static const unsigned char mask[] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
static const unsigned char poly[] = { 0x00, 0xE1 };
-
+
/**
GCM GF multiplier (internal use only) bitserial
@param a First value
@param b Second value
@param c Destination for a * b
- */
+ */
void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *c)
{
unsigned char Z[16], V[16];
- unsigned x, y, z;
+ unsigned char x, y, z;
zeromem(Z, 16);
XMEMCPY(V, a, 16);
for (x = 0; x < 128; x++) {
if (b[x>>3] & mask[x&7]) {
for (y = 0; y < 16; y++) {
- Z[y] ^= V[y];
+ Z[y] ^= V[y];
}
}
z = V[15] & 0x01;
- gcm_rightshift(V);
+ _gcm_rightshift(V);
V[0] ^= poly[z];
}
XMEMCPY(c, Z, 16);
@@ -113,7 +111,7 @@ void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *
@param a First value
@param b Second value
@param c Destination for a * b
- */
+ */
void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *c)
{
int i, j, k, u;
@@ -129,7 +127,7 @@ void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *
LOAD32H(B[M(1)][i], a + (i<<2));
LOAD32L(pB[i], b + (i<<2));
}
-#else
+#else
for (i = 0; i < 2; i++) {
LOAD64H(B[M(1)][i], a + (i<<3));
LOAD64L(pB[i], b + (i<<3));
@@ -154,7 +152,7 @@ void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *
B[M(9)][i] = B[M(1)][i] ^ B[M(8)][i];
B[M(10)][i] = B[M(2)][i] ^ B[M(8)][i];
B[M(12)][i] = B[M(8)][i] ^ B[M(4)][i];
-
+
/* now all 3 bit values and the only 4 bit value: 7, 11, 13, 14, 15 */
B[M(7)][i] = B[M(3)][i] ^ B[M(4)][i];
B[M(11)][i] = B[M(3)][i] ^ B[M(8)][i];
@@ -193,7 +191,7 @@ void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *
for (i = 0; i < 8; i++) {
STORE32H(tmp[i], pTmp + (i<<2));
}
-#else
+#else
for (i = 0; i < 4; i++) {
STORE64H(tmp[i], pTmp + (i<<3));
}
@@ -215,7 +213,7 @@ void gcm_gf_mult(const unsigned char *a, const unsigned char *b, unsigned char *
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
-
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
+
diff --git a/libtomcrypt/src/encauth/gcm/gcm_init.c b/libtomcrypt/src/encauth/gcm/gcm_init.c
index 8e1c496..072870d 100644
--- a/libtomcrypt/src/encauth/gcm/gcm_init.c
+++ b/libtomcrypt/src/encauth/gcm/gcm_init.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -25,7 +23,7 @@
@param keylen The length of the secret key
@return CRYPT_OK on success
*/
-int gcm_init(gcm_state *gcm, int cipher,
+int gcm_init(gcm_state *gcm, int cipher,
const unsigned char *key, int keylen)
{
int err;
@@ -92,8 +90,8 @@ int gcm_init(gcm_state *gcm, int cipher,
}
gcm->PC[x][y][0] = gcm_shift_table[t<<1];
gcm->PC[x][y][1] ^= gcm_shift_table[(t<<1)+1];
- }
- }
+ }
+ }
#endif
@@ -102,6 +100,6 @@ int gcm_init(gcm_state *gcm, int cipher,
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/gcm/gcm_memory.c b/libtomcrypt/src/encauth/gcm/gcm_memory.c
index 451e3fa..7b59960 100644
--- a/libtomcrypt/src/encauth/gcm/gcm_memory.c
+++ b/libtomcrypt/src/encauth/gcm/gcm_memory.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -22,8 +20,8 @@
@param cipher Index of cipher to use
@param key The secret key
@param keylen The length of the secret key
- @param IV The initial vector
- @param IVlen The length of the initial vector
+ @param IV The initialization vector
+ @param IVlen The length of the initialization vector
@param adata The additional authentication data (header)
@param adatalen The length of the adata
@param pt The plaintext
@@ -39,7 +37,7 @@ int gcm_memory( int cipher,
const unsigned char *IV, unsigned long IVlen,
const unsigned char *adata, unsigned long adatalen,
unsigned char *pt, unsigned long ptlen,
- unsigned char *ct,
+ unsigned char *ct,
unsigned char *tag, unsigned long *taglen,
int direction)
{
@@ -50,10 +48,9 @@ int gcm_memory( int cipher,
if ((err = cipher_is_valid(cipher)) != CRYPT_OK) {
return err;
}
-
+
if (cipher_descriptor[cipher].accel_gcm_memory != NULL) {
- return
- cipher_descriptor[cipher].accel_gcm_memory
+ return cipher_descriptor[cipher].accel_gcm_memory
(key, keylen,
IV, IVlen,
adata, adatalen,
@@ -104,6 +101,6 @@ LTC_ERR:
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/gcm/gcm_mult_h.c b/libtomcrypt/src/encauth/gcm/gcm_mult_h.c
index 2cda6a4..181d1d1 100644
--- a/libtomcrypt/src/encauth/gcm/gcm_mult_h.c
+++ b/libtomcrypt/src/encauth/gcm/gcm_mult_h.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -25,7 +23,7 @@ void gcm_mult_h(gcm_state *gcm, unsigned char *I)
{
unsigned char T[16];
#ifdef LTC_GCM_TABLES
- int x, y;
+ int x;
#ifdef LTC_GCM_TABLES_SSE2
asm("movdqa (%0),%%xmm0"::"r"(&gcm->PC[0][I[0]][0]));
for (x = 1; x < 16; x++) {
@@ -33,11 +31,12 @@ void gcm_mult_h(gcm_state *gcm, unsigned char *I)
}
asm("movdqa %%xmm0,(%0)"::"r"(&T));
#else
+ int y;
XMEMCPY(T, &gcm->PC[0][I[0]][0], 16);
for (x = 1; x < 16; x++) {
#ifdef LTC_FAST
for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) {
- *((LTC_FAST_TYPE *)(T + y)) ^= *((LTC_FAST_TYPE *)(&gcm->PC[x][I[x]][y]));
+ *(LTC_FAST_TYPE_PTR_CAST(T + y)) ^= *(LTC_FAST_TYPE_PTR_CAST(&gcm->PC[x][I[x]][y]));
}
#else
for (y = 0; y < 16; y++) {
@@ -46,13 +45,13 @@ void gcm_mult_h(gcm_state *gcm, unsigned char *I)
#endif /* LTC_FAST */
}
#endif /* LTC_GCM_TABLES_SSE2 */
-#else
- gcm_gf_mult(gcm->H, I, T);
+#else
+ gcm_gf_mult(gcm->H, I, T);
#endif
XMEMCPY(I, T, 16);
}
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/gcm/gcm_process.c b/libtomcrypt/src/encauth/gcm/gcm_process.c
index af0444d..b1ec20c 100644
--- a/libtomcrypt/src/encauth/gcm/gcm_process.c
+++ b/libtomcrypt/src/encauth/gcm/gcm_process.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -17,9 +15,9 @@
#ifdef LTC_GCM_MODE
-/**
+/**
Process plaintext/ciphertext through GCM
- @param gcm The GCM state
+ @param gcm The GCM state
@param pt The plaintext
@param ptlen The plaintext length (ciphertext length is the same)
@param ct The ciphertext
@@ -44,11 +42,21 @@ int gcm_process(gcm_state *gcm,
if (gcm->buflen > 16 || gcm->buflen < 0) {
return CRYPT_INVALID_ARG;
}
-
+
if ((err = cipher_is_valid(gcm->cipher)) != CRYPT_OK) {
return err;
}
+ /* 0xFFFFFFFE0 = ((2^39)-256)/8 */
+ if (gcm->pttotlen / 8 + (ulong64)gcm->buflen + (ulong64)ptlen >= CONST64(0xFFFFFFFE0)) {
+ return CRYPT_INVALID_ARG;
+ }
+
+ if (gcm->mode == LTC_GCM_MODE_IV) {
+ /* let's process the IV */
+ if ((err = gcm_add_aad(gcm, NULL, 0)) != CRYPT_OK) return err;
+ }
+
/* in AAD mode? */
if (gcm->mode == LTC_GCM_MODE_AAD) {
/* let's process the AAD */
@@ -77,12 +85,12 @@ int gcm_process(gcm_state *gcm,
x = 0;
#ifdef LTC_FAST
if (gcm->buflen == 0) {
- if (direction == GCM_ENCRYPT) {
+ if (direction == GCM_ENCRYPT) {
for (x = 0; x < (ptlen & ~15); x += 16) {
/* ctr encrypt */
for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) {
- *((LTC_FAST_TYPE*)(&ct[x + y])) = *((LTC_FAST_TYPE*)(&pt[x+y])) ^ *((LTC_FAST_TYPE*)(&gcm->buf[y]));
- *((LTC_FAST_TYPE*)(&gcm->X[y])) ^= *((LTC_FAST_TYPE*)(&ct[x+y]));
+ *(LTC_FAST_TYPE_PTR_CAST(&ct[x + y])) = *(LTC_FAST_TYPE_PTR_CAST(&pt[x+y])) ^ *(LTC_FAST_TYPE_PTR_CAST(&gcm->buf[y]));
+ *(LTC_FAST_TYPE_PTR_CAST(&gcm->X[y])) ^= *(LTC_FAST_TYPE_PTR_CAST(&ct[x+y]));
}
/* GMAC it */
gcm->pttotlen += 128;
@@ -99,8 +107,8 @@ int gcm_process(gcm_state *gcm,
for (x = 0; x < (ptlen & ~15); x += 16) {
/* ctr encrypt */
for (y = 0; y < 16; y += sizeof(LTC_FAST_TYPE)) {
- *((LTC_FAST_TYPE*)(&gcm->X[y])) ^= *((LTC_FAST_TYPE*)(&ct[x+y]));
- *((LTC_FAST_TYPE*)(&pt[x + y])) = *((LTC_FAST_TYPE*)(&ct[x+y])) ^ *((LTC_FAST_TYPE*)(&gcm->buf[y]));
+ *(LTC_FAST_TYPE_PTR_CAST(&gcm->X[y])) ^= *(LTC_FAST_TYPE_PTR_CAST(&ct[x+y]));
+ *(LTC_FAST_TYPE_PTR_CAST(&pt[x + y])) = *(LTC_FAST_TYPE_PTR_CAST(&ct[x+y])) ^ *(LTC_FAST_TYPE_PTR_CAST(&gcm->buf[y]));
}
/* GMAC it */
gcm->pttotlen += 128;
@@ -113,16 +121,16 @@ int gcm_process(gcm_state *gcm,
return err;
}
}
- }
+ }
}
-#endif
+#endif
/* process text */
for (; x < ptlen; x++) {
if (gcm->buflen == 16) {
gcm->pttotlen += 128;
gcm_mult_h(gcm, gcm->X);
-
+
/* increment counter */
for (y = 15; y >= 12; y--) {
if (++gcm->Y[y] & 255) { break; }
@@ -134,12 +142,12 @@ int gcm_process(gcm_state *gcm,
}
if (direction == GCM_ENCRYPT) {
- b = ct[x] = pt[x] ^ gcm->buf[gcm->buflen];
+ b = ct[x] = pt[x] ^ gcm->buf[gcm->buflen];
} else {
b = ct[x];
pt[x] = ct[x] ^ gcm->buf[gcm->buflen];
}
- gcm->X[gcm->buflen++] ^= b;
+ gcm->X[gcm->buflen++] ^= b;
}
return CRYPT_OK;
@@ -147,6 +155,6 @@ int gcm_process(gcm_state *gcm,
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/gcm/gcm_reset.c b/libtomcrypt/src/encauth/gcm/gcm_reset.c
index c9e13d9..3bd1088 100644
--- a/libtomcrypt/src/encauth/gcm/gcm_reset.c
+++ b/libtomcrypt/src/encauth/gcm/gcm_reset.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -33,12 +31,12 @@ int gcm_reset(gcm_state *gcm)
gcm->buflen = 0;
gcm->totlen = 0;
gcm->pttotlen = 0;
-
+
return CRYPT_OK;
}
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/gcm/gcm_test.c b/libtomcrypt/src/encauth/gcm/gcm_test.c
index 7380c81..5f68b30 100644
--- a/libtomcrypt/src/encauth/gcm/gcm_test.c
+++ b/libtomcrypt/src/encauth/gcm/gcm_test.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -17,7 +15,7 @@
#ifdef LTC_GCM_MODE
-/**
+/**
Test the GCM code
@return CRYPT_OK on success
*/
@@ -100,18 +98,18 @@ int gcm_test(void)
/* test case #3 */
{
/* key */
- { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, },
16,
/* PT */
- { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
- 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
- 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
- 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
- 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
- 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
- 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+ { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+ 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+ 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+ 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+ 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+ 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+ 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55, },
64,
@@ -120,66 +118,66 @@ int gcm_test(void)
0,
/* IV */
- { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+ { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
0xde, 0xca, 0xf8, 0x88, },
12,
-
+
/* CT */
- { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
- 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
- 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
- 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
- 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
- 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
- 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+ { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+ 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+ 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+ 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+ 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+ 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+ 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85, },
/* TAG */
- { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
+ { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4, }
},
/* test case #4 */
{
/* key */
- { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, },
16,
/* PT */
- { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
- 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
- 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
- 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
- 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
- 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
- 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+ { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+ 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+ 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+ 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+ 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+ 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+ 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
0xba, 0x63, 0x7b, 0x39, },
60,
/* ADATA */
- { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
- 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+ { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+ 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
0xab, 0xad, 0xda, 0xd2, },
20,
/* IV */
- { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+ { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
0xde, 0xca, 0xf8, 0x88, },
12,
/* CT */
- { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
- 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
- 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
- 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
- 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
- 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
- 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+ { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+ 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+ 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+ 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+ 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+ 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+ 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
0x3d, 0x58, 0xe0, 0x91, },
/* TAG */
- { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
+ { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47, }
},
@@ -187,24 +185,24 @@ int gcm_test(void)
/* test case #5 */
{
/* key */
- { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, },
16,
/* PT */
- { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
- 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
- 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
- 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
- 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
- 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
- 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+ { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+ 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+ 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+ 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+ 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+ 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+ 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
0xba, 0x63, 0x7b, 0x39, },
60,
/* ADATA */
- { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
- 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+ { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+ 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
0xab, 0xad, 0xda, 0xd2, },
20,
@@ -213,112 +211,112 @@ int gcm_test(void)
8,
/* CT */
- { 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
- 0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
- 0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
- 0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
- 0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
- 0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
- 0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
+ { 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
+ 0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
+ 0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
+ 0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
+ 0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
+ 0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
+ 0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
0xc2, 0x3f, 0x45, 0x98, },
/* TAG */
- { 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
+ { 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb, }
},
/* test case #6 */
{
/* key */
- { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, },
16,
/* PT */
- { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
- 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
- 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
- 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
- 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
- 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
- 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+ { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+ 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+ 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+ 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+ 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+ 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+ 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
0xba, 0x63, 0x7b, 0x39, },
60,
/* ADATA */
- { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
- 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+ { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+ 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
0xab, 0xad, 0xda, 0xd2, },
20,
/* IV */
- { 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
- 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
- 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
- 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
- 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
- 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
- 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
+ { 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
+ 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
+ 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
+ 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
+ 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
+ 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
+ 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
0xa6, 0x37, 0xb3, 0x9b, },
60,
/* CT */
- { 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
- 0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
- 0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
- 0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
- 0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
- 0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
- 0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
+ { 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
+ 0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
+ 0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
+ 0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
+ 0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
+ 0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
+ 0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
0x4c, 0x34, 0xae, 0xe5, },
/* TAG */
- { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
+ { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50, }
},
/* test case #46 from BG (catches the LTC bug of v1.15) */
{
/* key */
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
16,
/* PT */
- { 0xa2, 0xaa, 0xb3, 0xad, 0x8b, 0x17, 0xac, 0xdd,
- 0xa2, 0x88, 0x42, 0x6c, 0xd7, 0xc4, 0x29, 0xb7,
- 0xca, 0x86, 0xb7, 0xac, 0xa0, 0x58, 0x09, 0xc7,
+ { 0xa2, 0xaa, 0xb3, 0xad, 0x8b, 0x17, 0xac, 0xdd,
+ 0xa2, 0x88, 0x42, 0x6c, 0xd7, 0xc4, 0x29, 0xb7,
+ 0xca, 0x86, 0xb7, 0xac, 0xa0, 0x58, 0x09, 0xc7,
0x0c, 0xe8, 0x2d, 0xb2, 0x57, 0x11, 0xcb, 0x53,
- 0x02, 0xeb, 0x27, 0x43, 0xb0, 0x36, 0xf3, 0xd7,
- 0x50, 0xd6, 0xcf, 0x0d, 0xc0, 0xac, 0xb9, 0x29,
- 0x50, 0xd5, 0x46, 0xdb, 0x30, 0x8f, 0x93, 0xb4,
+ 0x02, 0xeb, 0x27, 0x43, 0xb0, 0x36, 0xf3, 0xd7,
+ 0x50, 0xd6, 0xcf, 0x0d, 0xc0, 0xac, 0xb9, 0x29,
+ 0x50, 0xd5, 0x46, 0xdb, 0x30, 0x8f, 0x93, 0xb4,
0xff, 0x24, 0x4a, 0xfa, 0x9d, 0xc7, 0x2b, 0xcd,
0x75, 0x8d, 0x2c },
67,
/* ADATA */
- { 0x68, 0x8e, 0x1a, 0xa9, 0x84, 0xde, 0x92, 0x6d,
+ { 0x68, 0x8e, 0x1a, 0xa9, 0x84, 0xde, 0x92, 0x6d,
0xc7, 0xb4, 0xc4, 0x7f, 0x44 },
- 13,
+ 13,
/* IV */
- { 0xb7, 0x21, 0x38, 0xb5, 0xa0, 0x5f, 0xf5, 0x07,
+ { 0xb7, 0x21, 0x38, 0xb5, 0xa0, 0x5f, 0xf5, 0x07,
0x0e, 0x8c, 0xd9, 0x41, 0x83, 0xf7, 0x61, 0xd8 },
16,
/* CT */
- { 0xcb, 0xc8, 0xd2, 0xf1, 0x54, 0x81, 0xa4, 0xcc,
- 0x7d, 0xd1, 0xe1, 0x9a, 0xaa, 0x83, 0xde, 0x56,
- 0x78, 0x48, 0x3e, 0xc3, 0x59, 0xae, 0x7d, 0xec,
+ { 0xcb, 0xc8, 0xd2, 0xf1, 0x54, 0x81, 0xa4, 0xcc,
+ 0x7d, 0xd1, 0xe1, 0x9a, 0xaa, 0x83, 0xde, 0x56,
+ 0x78, 0x48, 0x3e, 0xc3, 0x59, 0xae, 0x7d, 0xec,
0x2a, 0xb8, 0xd5, 0x34, 0xe0, 0x90, 0x6f, 0x4b,
- 0x46, 0x63, 0xfa, 0xff, 0x58, 0xa8, 0xb2, 0xd7,
- 0x33, 0xb8, 0x45, 0xee, 0xf7, 0xc9, 0xb3, 0x31,
- 0xe9, 0xe1, 0x0e, 0xb2, 0x61, 0x2c, 0x99, 0x5f,
+ 0x46, 0x63, 0xfa, 0xff, 0x58, 0xa8, 0xb2, 0xd7,
+ 0x33, 0xb8, 0x45, 0xee, 0xf7, 0xc9, 0xb3, 0x31,
+ 0xe9, 0xe1, 0x0e, 0xb2, 0x61, 0x2c, 0x99, 0x5f,
0xeb, 0x1a, 0xc1, 0x5a, 0x62, 0x86, 0xcc, 0xe8,
0xb2, 0x97, 0xa8 },
/* TAG */
- { 0x8d, 0x2d, 0x2a, 0x93, 0x72, 0x62, 0x6f, 0x6b,
+ { 0x8d, 0x2d, 0x2a, 0x93, 0x72, 0x62, 0x6f, 0x6b,
0xee, 0x85, 0x80, 0x27, 0x6a, 0x63, 0x66, 0xbf }
}
@@ -327,6 +325,7 @@ int gcm_test(void)
int idx, err;
unsigned long x, y;
unsigned char out[2][128], T[2][16];
+ gcm_state gcm;
/* find aes */
idx = find_cipher("aes");
@@ -337,6 +336,14 @@ int gcm_test(void)
}
}
+ /* Special test case for empty AAD + empty PT */
+ y = sizeof(T[0]);
+ if ((err = gcm_init(&gcm, idx, tests[0].K, tests[0].keylen)) != CRYPT_OK) return err;
+ if ((err = gcm_add_iv(&gcm, tests[0].IV, tests[0].IVlen)) != CRYPT_OK) return err;
+ /* intentionally skip gcm_add_aad + gcm_process */
+ if ((err = gcm_done(&gcm, T[0], &y)) != CRYPT_OK) return err;
+ if (compare_testvector(T[0], y, tests[0].T, 16, "GCM Encrypt Tag-special", 0)) return CRYPT_FAIL_TESTVECTOR;
+
for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) {
y = sizeof(T[0]);
if ((err = gcm_memory(idx, tests[x].K, tests[x].keylen,
@@ -347,25 +354,11 @@ int gcm_test(void)
return err;
}
- if (XMEMCMP(out[0], tests[x].C, tests[x].ptlen)) {
-#if 0
- printf("\nCiphertext wrong %lu\n", x);
- for (y = 0; y < tests[x].ptlen; y++) {
- printf("%02x", out[0][y] & 255);
- }
- printf("\n");
-#endif
+ if (compare_testvector(out[0], tests[x].ptlen, tests[x].C, tests[x].ptlen, "GCM CT", x)) {
return CRYPT_FAIL_TESTVECTOR;
}
- if (XMEMCMP(T[0], tests[x].T, 16)) {
-#if 0
- printf("\nTag on plaintext wrong %lu\n", x);
- for (y = 0; y < 16; y++) {
- printf("%02x", T[0][y] & 255);
- }
- printf("\n");
-#endif
+ if (compare_testvector(T[0], y, tests[x].T, 16, "GCM Encrypt Tag", x)) {
return CRYPT_FAIL_TESTVECTOR;
}
@@ -378,25 +371,11 @@ int gcm_test(void)
return err;
}
- if (XMEMCMP(out[1], tests[x].P, tests[x].ptlen)) {
-#if 0
- printf("\nplaintext wrong %lu\n", x);
- for (y = 0; y < tests[x].ptlen; y++) {
- printf("%02x", out[0][y] & 255);
- }
- printf("\n");
-#endif
+ if (compare_testvector(out[1], tests[x].ptlen, tests[x].P, tests[x].ptlen, "GCM PT", x)) {
return CRYPT_FAIL_TESTVECTOR;
}
- if (XMEMCMP(T[1], tests[x].T, 16)) {
-#if 0
- printf("\nTag on ciphertext wrong %lu\n", x);
- for (y = 0; y < 16; y++) {
- printf("%02x", T[1][y] & 255);
- }
- printf("\n");
-#endif
+ if (compare_testvector(T[1], y, tests[x].T, 16, "GCM Decrypt Tag", x)) {
return CRYPT_FAIL_TESTVECTOR;
}
@@ -408,6 +387,6 @@ int gcm_test(void)
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb/ocb_decrypt.c b/libtomcrypt/src/encauth/ocb/ocb_decrypt.c
index 61003db..5dc8dad 100644
--- a/libtomcrypt/src/encauth/ocb/ocb_decrypt.c
+++ b/libtomcrypt/src/encauth/ocb/ocb_decrypt.c
@@ -5,13 +5,11 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@file ocb_decrypt.c
- OCB implementation, decrypt data, by Tom St Denis
+ OCB implementation, decrypt data, by Tom St Denis
*/
#include "tomcrypt.h"
@@ -38,7 +36,7 @@ int ocb_decrypt(ocb_state *ocb, const unsigned char *ct, unsigned char *pt)
return err;
}
LTC_ARGCHK(cipher_descriptor[ocb->cipher].ecb_decrypt != NULL);
-
+
/* check length */
if (ocb->block_len != cipher_descriptor[ocb->cipher].block_length) {
return CRYPT_INVALID_ARG;
@@ -74,6 +72,6 @@ int ocb_decrypt(ocb_state *ocb, const unsigned char *ct, unsigned char *pt)
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb/ocb_decrypt_verify_memory.c b/libtomcrypt/src/encauth/ocb/ocb_decrypt_verify_memory.c
index 6644618..a7a47f0 100644
--- a/libtomcrypt/src/encauth/ocb/ocb_decrypt_verify_memory.c
+++ b/libtomcrypt/src/encauth/ocb/ocb_decrypt_verify_memory.c
@@ -5,13 +5,11 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/**
+/**
@file ocb_decrypt_verify_memory.c
- OCB implementation, helper to decrypt block of memory, by Tom St Denis
+ OCB implementation, helper to decrypt block of memory, by Tom St Denis
*/
#include "tomcrypt.h"
@@ -33,7 +31,7 @@
*/
int ocb_decrypt_verify_memory(int cipher,
const unsigned char *key, unsigned long keylen,
- const unsigned char *nonce,
+ const unsigned char *nonce,
const unsigned char *ct, unsigned long ctlen,
unsigned char *pt,
const unsigned char *tag, unsigned long taglen,
@@ -56,12 +54,12 @@ int ocb_decrypt_verify_memory(int cipher,
}
if ((err = ocb_init(ocb, cipher, key, keylen, nonce)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
while (ctlen > (unsigned long)ocb->block_len) {
if ((err = ocb_decrypt(ocb, ct, pt)) != CRYPT_OK) {
- goto LBL_ERR;
+ goto LBL_ERR;
}
ctlen -= ocb->block_len;
pt += ocb->block_len;
@@ -73,7 +71,7 @@ LBL_ERR:
#ifdef LTC_CLEAN_STACK
zeromem(ocb, sizeof(ocb_state));
#endif
-
+
XFREE(ocb);
return err;
@@ -81,6 +79,6 @@ LBL_ERR:
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb/ocb_done_decrypt.c b/libtomcrypt/src/encauth/ocb/ocb_done_decrypt.c
index d604b36..357bd84 100644
--- a/libtomcrypt/src/encauth/ocb/ocb_done_decrypt.c
+++ b/libtomcrypt/src/encauth/ocb/ocb_done_decrypt.c
@@ -5,11 +5,9 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/**
+/**
@file ocb_done_decrypt.c
OCB implementation, terminate decryption, by Tom St Denis
*/
@@ -28,9 +26,9 @@
@param stat [out] The result of the tag comparison
@return CRYPT_OK if the process was successful regardless if the tag is valid
*/
-int ocb_done_decrypt(ocb_state *ocb,
+int ocb_done_decrypt(ocb_state *ocb,
const unsigned char *ct, unsigned long ctlen,
- unsigned char *pt,
+ unsigned char *pt,
const unsigned char *tag, unsigned long taglen, int *stat)
{
int err;
@@ -57,7 +55,7 @@ int ocb_done_decrypt(ocb_state *ocb,
goto LBL_ERR;
}
- if (taglen <= tagbuflen && XMEMCMP(tagbuf, tag, taglen) == 0) {
+ if (taglen <= tagbuflen && XMEM_NEQ(tagbuf, tag, taglen) == 0) {
*stat = 1;
}
@@ -75,6 +73,6 @@ LBL_ERR:
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb/ocb_done_encrypt.c b/libtomcrypt/src/encauth/ocb/ocb_done_encrypt.c
index 276d50e..12ea68f 100644
--- a/libtomcrypt/src/encauth/ocb/ocb_done_encrypt.c
+++ b/libtomcrypt/src/encauth/ocb/ocb_done_encrypt.c
@@ -5,11 +5,9 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/**
+/**
@file ocb_done_encrypt.c
OCB implementation, terminate encryption, by Tom St Denis
*/
@@ -17,7 +15,7 @@
#ifdef LTC_OCB_MODE
-/**
+/**
Terminate an encryption OCB state
@param ocb The OCB state
@param pt Remaining plaintext (if any)
@@ -41,6 +39,6 @@ int ocb_done_encrypt(ocb_state *ocb, const unsigned char *pt, unsigned long ptle
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb/ocb_encrypt.c b/libtomcrypt/src/encauth/ocb/ocb_encrypt.c
index 84afa66..aad76a0 100644
--- a/libtomcrypt/src/encauth/ocb/ocb_encrypt.c
+++ b/libtomcrypt/src/encauth/ocb/ocb_encrypt.c
@@ -5,11 +5,9 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/**
+/**
@file ocb_encrypt.c
OCB implementation, encrypt data, by Tom St Denis
*/
@@ -67,6 +65,6 @@ int ocb_encrypt(ocb_state *ocb, const unsigned char *pt, unsigned char *ct)
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb/ocb_encrypt_authenticate_memory.c b/libtomcrypt/src/encauth/ocb/ocb_encrypt_authenticate_memory.c
index f81cc4b..1793a64 100644
--- a/libtomcrypt/src/encauth/ocb/ocb_encrypt_authenticate_memory.c
+++ b/libtomcrypt/src/encauth/ocb/ocb_encrypt_authenticate_memory.c
@@ -5,11 +5,9 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/**
+/**
@file ocb_encrypt_authenticate_memory.c
OCB implementation, encrypt block of memory, by Tom St Denis
*/
@@ -32,7 +30,7 @@
*/
int ocb_encrypt_authenticate_memory(int cipher,
const unsigned char *key, unsigned long keylen,
- const unsigned char *nonce,
+ const unsigned char *nonce,
const unsigned char *pt, unsigned long ptlen,
unsigned char *ct,
unsigned char *tag, unsigned long *taglen)
@@ -79,6 +77,6 @@ LBL_ERR:
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb/ocb_init.c b/libtomcrypt/src/encauth/ocb/ocb_init.c
index 604ae0e..e008a44 100644
--- a/libtomcrypt/src/encauth/ocb/ocb_init.c
+++ b/libtomcrypt/src/encauth/ocb/ocb_init.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -19,7 +17,7 @@
static const struct {
int len;
- unsigned char poly_div[MAXBLOCKSIZE],
+ unsigned char poly_div[MAXBLOCKSIZE],
poly_mul[MAXBLOCKSIZE];
} polys[] = {
{
@@ -27,7 +25,7 @@ static const struct {
{ 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0D },
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1B }
}, {
- 16,
+ 16,
{ 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43 },
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -44,7 +42,7 @@ static const struct {
@param nonce The session nonce (length of the block size of the cipher)
@return CRYPT_OK if successful
*/
-int ocb_init(ocb_state *ocb, int cipher,
+int ocb_init(ocb_state *ocb, int cipher,
const unsigned char *key, unsigned long keylen, const unsigned char *nonce)
{
int poly, x, y, m, err;
@@ -60,20 +58,24 @@ int ocb_init(ocb_state *ocb, int cipher,
/* determine which polys to use */
ocb->block_len = cipher_descriptor[cipher].block_length;
- for (poly = 0; poly < (int)(sizeof(polys)/sizeof(polys[0])); poly++) {
- if (polys[poly].len == ocb->block_len) {
+ x = (int)(sizeof(polys)/sizeof(polys[0]));
+ for (poly = 0; poly < x; poly++) {
+ if (polys[poly].len == ocb->block_len) {
break;
}
}
+ if (poly == x) {
+ return CRYPT_INVALID_ARG; /* block_len not found in polys */
+ }
if (polys[poly].len != ocb->block_len) {
return CRYPT_INVALID_ARG;
- }
+ }
/* schedule the key */
if ((err = cipher_descriptor[cipher].setup(key, keylen, 0, &ocb->key)) != CRYPT_OK) {
return err;
}
-
+
/* find L = E[0] */
zeromem(ocb->L, ocb->block_len);
if ((err = cipher_descriptor[cipher].ecb_encrypt(ocb->L, ocb->L, &ocb->key)) != CRYPT_OK) {
@@ -102,36 +104,36 @@ int ocb_init(ocb_state *ocb, int cipher,
ocb->Ls[x][y] ^= polys[poly].poly_mul[y];
}
}
- }
+ }
- /* find Lr = L / x */
- m = ocb->L[ocb->block_len-1] & 1;
+ /* find Lr = L / x */
+ m = ocb->L[ocb->block_len-1] & 1;
- /* shift right */
- for (x = ocb->block_len - 1; x > 0; x--) {
- ocb->Lr[x] = ((ocb->L[x] >> 1) | (ocb->L[x-1] << 7)) & 255;
- }
- ocb->Lr[0] = ocb->L[0] >> 1;
+ /* shift right */
+ for (x = ocb->block_len - 1; x > 0; x--) {
+ ocb->Lr[x] = ((ocb->L[x] >> 1) | (ocb->L[x-1] << 7)) & 255;
+ }
+ ocb->Lr[0] = ocb->L[0] >> 1;
- if (m == 1) {
- for (x = 0; x < ocb->block_len; x++) {
- ocb->Lr[x] ^= polys[poly].poly_div[x];
- }
- }
+ if (m == 1) {
+ for (x = 0; x < ocb->block_len; x++) {
+ ocb->Lr[x] ^= polys[poly].poly_div[x];
+ }
+ }
- /* set Li, checksum */
- zeromem(ocb->Li, ocb->block_len);
- zeromem(ocb->checksum, ocb->block_len);
+ /* set Li, checksum */
+ zeromem(ocb->Li, ocb->block_len);
+ zeromem(ocb->checksum, ocb->block_len);
- /* set other params */
- ocb->block_index = 1;
- ocb->cipher = cipher;
+ /* set other params */
+ ocb->block_index = 1;
+ ocb->cipher = cipher;
- return CRYPT_OK;
+ return CRYPT_OK;
}
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb/ocb_ntz.c b/libtomcrypt/src/encauth/ocb/ocb_ntz.c
index c3e42f1..cfdc667 100644
--- a/libtomcrypt/src/encauth/ocb/ocb_ntz.c
+++ b/libtomcrypt/src/encauth/ocb/ocb_ntz.c
@@ -5,8 +5,6 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
/**
@@ -37,6 +35,6 @@ int ocb_ntz(unsigned long x)
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb/ocb_shift_xor.c b/libtomcrypt/src/encauth/ocb/ocb_shift_xor.c
index 145f4c4..8a8ad2d 100644
--- a/libtomcrypt/src/encauth/ocb/ocb_shift_xor.c
+++ b/libtomcrypt/src/encauth/ocb/ocb_shift_xor.c
@@ -5,11 +5,9 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/**
+/**
@file ocb_shift_xor.c
OCB implementation, internal function, by Tom St Denis
*/
@@ -19,7 +17,7 @@
/**
Compute the shift/xor for OCB (internal function)
- @param ocb The OCB state
+ @param ocb The OCB state
@param Z The destination of the shift
*/
void ocb_shift_xor(ocb_state *ocb, unsigned char *Z)
@@ -34,6 +32,6 @@ void ocb_shift_xor(ocb_state *ocb, unsigned char *Z)
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb/ocb_test.c b/libtomcrypt/src/encauth/ocb/ocb_test.c
index 8de1a57..74431f7 100644
--- a/libtomcrypt/src/encauth/ocb/ocb_test.c
+++ b/libtomcrypt/src/encauth/ocb/ocb_test.c
@@ -5,11 +5,9 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/**
+/**
@file ocb_test.c
OCB implementation, self-test by Tom St Denis
*/
@@ -17,7 +15,7 @@
#ifdef LTC_OCB_MODE
-/**
+/**
Test the OCB protocol
@return CRYPT_OK if successful
*/
@@ -52,7 +50,7 @@ int ocb_test(void)
/* OCB-AES-128-3B */
{
- 3,
+ 3,
/* key */
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
@@ -70,7 +68,7 @@ int ocb_test(void)
/* OCB-AES-128-16B */
{
- 16,
+ 16,
/* key */
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
@@ -90,7 +88,7 @@ int ocb_test(void)
/* OCB-AES-128-20B */
{
- 20,
+ 20,
/* key */
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
@@ -99,7 +97,7 @@ int ocb_test(void)
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
/* pt */
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13 },
/* ct */
{ 0x01, 0xa0, 0x75, 0xf0, 0xd8, 0x15, 0xb1, 0xa4,
@@ -112,7 +110,7 @@ int ocb_test(void)
/* OCB-AES-128-32B */
{
- 32,
+ 32,
/* key */
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
@@ -121,7 +119,7 @@ int ocb_test(void)
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
/* pt */
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f },
/* ct */
@@ -137,7 +135,7 @@ int ocb_test(void)
/* OCB-AES-128-34B */
{
- 34,
+ 34,
/* key */
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
@@ -146,7 +144,7 @@ int ocb_test(void)
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
/* pt */
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
0x20, 0x21 },
@@ -168,7 +166,7 @@ int ocb_test(void)
unsigned long len;
unsigned char outct[MAXBLOCKSIZE], outtag[MAXBLOCKSIZE];
- /* AES can be under rijndael or aes... try to find it */
+ /* AES can be under rijndael or aes... try to find it */
if ((idx = find_cipher("aes")) == -1) {
if ((idx = find_cipher("rijndael")) == -1) {
return CRYPT_NOP;
@@ -181,41 +179,21 @@ int ocb_test(void)
tests[x].nonce, tests[x].pt, tests[x].ptlen, outct, outtag, &len)) != CRYPT_OK) {
return err;
}
-
- if (XMEMCMP(outtag, tests[x].tag, len) || XMEMCMP(outct, tests[x].ct, tests[x].ptlen)) {
-#if 0
- unsigned long y;
- printf("\n\nFailure: \nCT:\n");
- for (y = 0; y < (unsigned long)tests[x].ptlen; ) {
- printf("0x%02x", outct[y]);
- if (y < (unsigned long)(tests[x].ptlen-1)) printf(", ");
- if (!(++y % 8)) printf("\n");
- }
- printf("\nTAG:\n");
- for (y = 0; y < len; ) {
- printf("0x%02x", outtag[y]);
- if (y < len-1) printf(", ");
- if (!(++y % 8)) printf("\n");
- }
-#endif
+
+ if (compare_testvector(outtag, len, tests[x].tag, sizeof(tests[x].tag), "OCB Tag", x) ||
+ compare_testvector(outct, tests[x].ptlen, tests[x].ct, tests[x].ptlen, "OCB CT", x)) {
return CRYPT_FAIL_TESTVECTOR;
}
-
+
if ((err = ocb_decrypt_verify_memory(idx, tests[x].key, 16, tests[x].nonce, outct, tests[x].ptlen,
outct, tests[x].tag, len, &res)) != CRYPT_OK) {
return err;
}
- if ((res != 1) || XMEMCMP(tests[x].pt, outct, tests[x].ptlen)) {
-#if 0
- unsigned long y;
- printf("\n\nFailure-decrypt: \nPT:\n");
- for (y = 0; y < (unsigned long)tests[x].ptlen; ) {
- printf("0x%02x", outct[y]);
- if (y < (unsigned long)(tests[x].ptlen-1)) printf(", ");
- if (!(++y % 8)) printf("\n");
- }
- printf("\nres = %d\n\n", res);
+ if ((res != 1) || compare_testvector(outct, tests[x].ptlen, tests[x].pt, tests[x].ptlen, "OCB", x)) {
+#ifdef LTC_TEST_DBG
+ printf("\n\nOCB: Failure-decrypt - res = %d\n", res);
#endif
+ return CRYPT_FAIL_TESTVECTOR;
}
}
return CRYPT_OK;
@@ -232,6 +210,6 @@ int ocb_test(void)
-- The setup is somewhat complicated...
*/
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb/s_ocb_done.c b/libtomcrypt/src/encauth/ocb/s_ocb_done.c
index 37a7cb7..e0501ed 100644
--- a/libtomcrypt/src/encauth/ocb/s_ocb_done.c
+++ b/libtomcrypt/src/encauth/ocb/s_ocb_done.c
@@ -5,11 +5,9 @@
*
* The library is free for all purposes without any express
* guarantee it works.
- *
- * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/**
+/**
@file s_ocb_done.c
OCB implementation, internal helper, by Tom St Denis
*/
@@ -22,7 +20,7 @@
* is we XOR the final ciphertext into the checksum so we have to xor it
* before we CTR [decrypt] or after [encrypt]
*
- * the names pt/ptlen/ct really just mean in/inlen/out but this is the way I wrote it...
+ * the names pt/ptlen/ct really just mean in/inlen/out but this is the way I wrote it...
*/
/**
@@ -74,13 +72,13 @@ int s_ocb_done(ocb_state *ocb, const unsigned char *pt, unsigned long ptlen,
}
/* compute X[m] = len(pt[m]) XOR Lr XOR Z[m] */
- ocb_shift_xor(ocb, X);
+ ocb_shift_xor(ocb, X);
XMEMCPY(Z, X, ocb->block_len);
X[ocb->block_len-1] ^= (ptlen*8)&255;
X[ocb->block_len-2] ^= ((ptlen*8)>>8)&255;
for (x = 0; x < ocb->block_len; x++) {
- X[x] ^= ocb->Lr[x];
+ X[x] ^= ocb->Lr[x];
}
/* Y[m] = E(X[m])) */
@@ -93,7 +91,7 @@ int s_ocb_done(ocb_state *ocb, const unsigned char *pt, unsigned long ptlen,
/* xor C[m] into checksum */
for (x = 0; x < (int)ptlen; x++) {
ocb->checksum[x] ^= ct[x];
- }
+ }
}
/* C[m] = P[m] xor Y[m] */
@@ -102,7 +100,7 @@ int s_ocb_done(ocb_state *ocb, const unsigned char *pt, unsigned long ptlen,
}
if (mode == 0) {
- /* encrypt mode */
+ /* encrypt mode */
/* xor C[m] into checksum */
for (x = 0; x < (int)ptlen; x++) {
ocb->checksum[x] ^= ct[x];
@@ -113,7 +111,7 @@ int s_ocb_done(ocb_state *ocb, const unsigned char *pt, unsigned long ptlen,
for (x = 0; x < ocb->block_len; x++) {
ocb->checksum[x] ^= Y[x] ^ Z[x];
}
-
+
/* encrypt checksum, er... tag!! */
if ((err = cipher_descriptor[ocb->cipher].ecb_encrypt(ocb->checksum, X, &ocb->key)) != CRYPT_OK) {
goto error;
@@ -132,7 +130,7 @@ int s_ocb_done(ocb_state *ocb, const unsigned char *pt, unsigned long ptlen,
zeromem(Z, MAXBLOCKSIZE);
zeromem(ocb, sizeof(*ocb));
#endif
-error:
+error:
XFREE(X);
XFREE(Y);
XFREE(Z);
@@ -143,6 +141,6 @@ error:
#endif
-/* $Source$ */
-/* $Revision$ */
-/* $Date$ */
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb3/ocb3_add_aad.c b/libtomcrypt/src/encauth/ocb3/ocb3_add_aad.c
new file mode 100644
index 0000000..70e3211
--- /dev/null
+++ b/libtomcrypt/src/encauth/ocb3/ocb3_add_aad.c
@@ -0,0 +1,106 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+/**
+ @file ocb3_add_aad.c
+ OCB implementation, add AAD data, by Karel Miko
+*/
+#include "tomcrypt.h"
+
+#ifdef LTC_OCB3_MODE
+
+/**
+ Add one block of AAD data (internal function)
+ @param ocb The OCB state
+ @param aad_block [in] AAD data (block_len size)
+ @return CRYPT_OK if successful
+*/
+static int _ocb3_int_aad_add_block(ocb3_state *ocb, const unsigned char *aad_block)
+{
+ unsigned char tmp[MAXBLOCKSIZE];
+ int err;
+
+ /* Offset_i = Offset_{i-1} xor L_{ntz(i)} */
+ ocb3_int_xor_blocks(ocb->aOffset_current, ocb->aOffset_current, ocb->L_[ocb3_int_ntz(ocb->ablock_index)], ocb->block_len);
+
+ /* Sum_i = Sum_{i-1} xor ENCIPHER(K, A_i xor Offset_i) */
+ ocb3_int_xor_blocks(tmp, aad_block, ocb->aOffset_current, ocb->block_len);
+ if ((err = cipher_descriptor[ocb->cipher].ecb_encrypt(tmp, tmp, &ocb->key)) != CRYPT_OK) {
+ return err;
+ }
+ ocb3_int_xor_blocks(ocb->aSum_current, ocb->aSum_current, tmp, ocb->block_len);
+
+ ocb->ablock_index++;
+
+ return CRYPT_OK;
+}
+
+/**
+ Add AAD - additional associated data
+ @param ocb The OCB state
+ @param aad The AAD data
+ @param aadlen The size of AAD data (octets)
+ @return CRYPT_OK if successful
+*/
+int ocb3_add_aad(ocb3_state *ocb, const unsigned char *aad, unsigned long aadlen)
+{
+ int err, x, full_blocks, full_blocks_len, last_block_len;
+ unsigned char *data;
+ unsigned long datalen, l;
+
+ LTC_ARGCHK(ocb != NULL);
+ if (aadlen == 0) return CRYPT_OK;
+ LTC_ARGCHK(aad != NULL);
+
+ if (ocb->adata_buffer_bytes > 0) {
+ l = ocb->block_len - ocb->adata_buffer_bytes;
+ if (l > aadlen) l = aadlen;
+ XMEMCPY(ocb->adata_buffer+ocb->adata_buffer_bytes, aad, l);
+ ocb->adata_buffer_bytes += l;
+
+ if (ocb->adata_buffer_bytes == ocb->block_len) {
+ if ((err = _ocb3_int_aad_add_block(ocb, ocb->adata_buffer)) != CRYPT_OK) {
+ return err;
+ }
+ ocb->adata_buffer_bytes = 0;
+ }
+
+ data = (unsigned char *)aad + l;
+ datalen = aadlen - l;
+ }
+ else {
+ data = (unsigned char *)aad;
+ datalen = aadlen;
+ }
+
+ if (datalen == 0) return CRYPT_OK;
+
+ full_blocks = datalen/ocb->block_len;
+ full_blocks_len = full_blocks * ocb->block_len;
+ last_block_len = datalen - full_blocks_len;
+
+ for (x=0; x<full_blocks; x++) {
+ if ((err = _ocb3_int_aad_add_block(ocb, data+x*ocb->block_len)) != CRYPT_OK) {
+ return err;
+ }
+ }
+
+ if (last_block_len>0) {
+ XMEMCPY(ocb->adata_buffer, data+full_blocks_len, last_block_len);
+ ocb->adata_buffer_bytes = last_block_len;
+ }
+
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb3/ocb3_decrypt.c b/libtomcrypt/src/encauth/ocb3/ocb3_decrypt.c
new file mode 100644
index 0000000..4973bd2
--- /dev/null
+++ b/libtomcrypt/src/encauth/ocb3/ocb3_decrypt.c
@@ -0,0 +1,86 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+/**
+ @file ocb3_decrypt.c
+ OCB implementation, decrypt data, by Tom St Denis
+*/
+#include "tomcrypt.h"
+
+#ifdef LTC_OCB3_MODE
+
+/**
+ Decrypt blocks of ciphertext with OCB
+ @param ocb The OCB state
+ @param ct The ciphertext (length multiple of the block size of the block cipher)
+ @param ctlen The length of the input (octets)
+ @param pt [out] The plaintext (length of ct)
+ @return CRYPT_OK if successful
+*/
+int ocb3_decrypt(ocb3_state *ocb, const unsigned char *ct, unsigned long ctlen, unsigned char *pt)
+{
+ unsigned char tmp[MAXBLOCKSIZE];
+ int err, i, full_blocks;
+ unsigned char *pt_b, *ct_b;
+
+ LTC_ARGCHK(ocb != NULL);
+ if (ctlen == 0) return CRYPT_OK; /* no data, nothing to do */
+ LTC_ARGCHK(ct != NULL);
+ LTC_ARGCHK(pt != NULL);
+
+ if ((err = cipher_is_valid(ocb->cipher)) != CRYPT_OK) {
+ return err;
+ }
+ if (ocb->block_len != cipher_descriptor[ocb->cipher].block_length) {
+ return CRYPT_INVALID_ARG;
+ }
+
+ if (ctlen % ocb->block_len) { /* ctlen has to bu multiple of block_len */
+ return CRYPT_INVALID_ARG;
+ }
+
+ full_blocks = ctlen/ocb->block_len;
+ for(i=0; i<full_blocks; i++) {
+ pt_b = (unsigned char *)pt+i*ocb->block_len;
+ ct_b = (unsigned char *)ct+i*ocb->block_len;
+
+ /* ocb->Offset_current[] = ocb->Offset_current[] ^ Offset_{ntz(block_index)} */
+ ocb3_int_xor_blocks(ocb->Offset_current, ocb->Offset_current, ocb->L_[ocb3_int_ntz(ocb->block_index)], ocb->block_len);
+
+ /* tmp[] = ct[] XOR ocb->Offset_current[] */
+ ocb3_int_xor_blocks(tmp, ct_b, ocb->Offset_current, ocb->block_len);
+
+ /* decrypt */
+ if ((err = cipher_descriptor[ocb->cipher].ecb_decrypt(tmp, tmp, &ocb->key)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+
+ /* pt[] = tmp[] XOR ocb->Offset_current[] */
+ ocb3_int_xor_blocks(pt_b, tmp, ocb->Offset_current, ocb->block_len);
+
+ /* ocb->checksum[] = ocb->checksum[] XOR pt[] */
+ ocb3_int_xor_blocks(ocb->checksum, ocb->checksum, pt_b, ocb->block_len);
+
+ ocb->block_index++;
+ }
+
+ err = CRYPT_OK;
+
+LBL_ERR:
+#ifdef LTC_CLEAN_STACK
+ zeromem(tmp, sizeof(tmp));
+#endif
+ return err;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb3/ocb3_decrypt_last.c b/libtomcrypt/src/encauth/ocb3/ocb3_decrypt_last.c
new file mode 100644
index 0000000..70608dc
--- /dev/null
+++ b/libtomcrypt/src/encauth/ocb3/ocb3_decrypt_last.c
@@ -0,0 +1,110 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+/**
+ @file ocb3_decrypt_last.c
+ OCB implementation, internal helper, by Karel Miko
+*/
+#include "tomcrypt.h"
+
+#ifdef LTC_OCB3_MODE
+
+/**
+ Finish an OCB (decryption) stream
+ @param ocb The OCB state
+ @param ct The remaining ciphertext
+ @param ctlen The length of the ciphertext (octets)
+ @param pt [out] The output buffer
+ @return CRYPT_OK if successful
+*/
+int ocb3_decrypt_last(ocb3_state *ocb, const unsigned char *ct, unsigned long ctlen, unsigned char *pt)
+{
+ unsigned char iOffset_star[MAXBLOCKSIZE];
+ unsigned char iPad[MAXBLOCKSIZE];
+ int err, x, full_blocks, full_blocks_len, last_block_len;
+
+ LTC_ARGCHK(ocb != NULL);
+ if (ct == NULL) LTC_ARGCHK(ctlen == 0);
+ if (ctlen != 0) {
+ LTC_ARGCHK(ct != NULL);
+ LTC_ARGCHK(pt != NULL);
+ }
+
+ if ((err = cipher_is_valid(ocb->cipher)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+
+ full_blocks = ctlen/ocb->block_len;
+ full_blocks_len = full_blocks * ocb->block_len;
+ last_block_len = ctlen - full_blocks_len;
+
+ /* process full blocks first */
+ if (full_blocks>0) {
+ if ((err = ocb3_decrypt(ocb, ct, full_blocks_len, pt)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+ }
+
+ if (last_block_len>0) {
+ /* Offset_* = Offset_m xor L_* */
+ ocb3_int_xor_blocks(iOffset_star, ocb->Offset_current, ocb->L_star, ocb->block_len);
+
+ /* Pad = ENCIPHER(K, Offset_*) */
+ if ((err = cipher_descriptor[ocb->cipher].ecb_encrypt(iOffset_star, iPad, &ocb->key)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+
+ /* P_* = C_* xor Pad[1..bitlen(C_*)] */
+ ocb3_int_xor_blocks(pt+full_blocks_len, (unsigned char *)ct+full_blocks_len, iPad, last_block_len);
+
+ /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */
+ ocb3_int_xor_blocks(ocb->checksum, ocb->checksum, pt+full_blocks_len, last_block_len);
+ for(x=last_block_len; x<ocb->block_len; x++) {
+ if (x == last_block_len)
+ ocb->checksum[x] ^= 0x80;
+ else
+ ocb->checksum[x] ^= 0x00;
+ }
+
+ /* Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A) */
+ /* at this point we calculate only: Tag_part = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) */
+ for(x=0; x<ocb->block_len; x++) {
+ ocb->tag_part[x] = (ocb->checksum[x] ^ iOffset_star[x]) ^ ocb->L_dollar[x];
+ }
+ if ((err = cipher_descriptor[ocb->cipher].ecb_encrypt(ocb->tag_part, ocb->tag_part, &ocb->key)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+ }
+ else {
+ /* Tag = ENCIPHER(K, Checksum_m xor Offset_m xor L_$) xor HASH(K,A) */
+ /* at this point we calculate only: Tag_part = ENCIPHER(K, Checksum_m xor Offset_m xor L_$) */
+ for(x=0; x<ocb->block_len; x++) {
+ ocb->tag_part[x] = (ocb->checksum[x] ^ ocb->Offset_current[x]) ^ ocb->L_dollar[x];
+ }
+ if ((err = cipher_descriptor[ocb->cipher].ecb_encrypt(ocb->tag_part, ocb->tag_part, &ocb->key)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+ }
+
+ err = CRYPT_OK;
+
+LBL_ERR:
+#ifdef LTC_CLEAN_STACK
+ zeromem(iOffset_star, MAXBLOCKSIZE);
+ zeromem(iPad, MAXBLOCKSIZE);
+#endif
+
+ return err;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb3/ocb3_decrypt_verify_memory.c b/libtomcrypt/src/encauth/ocb3/ocb3_decrypt_verify_memory.c
new file mode 100644
index 0000000..066b62c
--- /dev/null
+++ b/libtomcrypt/src/encauth/ocb3/ocb3_decrypt_verify_memory.c
@@ -0,0 +1,110 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+/**
+ @file ocb3_decrypt_verify_memory.c
+ OCB implementation, helper to decrypt block of memory, by Tom St Denis
+*/
+#include "tomcrypt.h"
+
+#ifdef LTC_OCB3_MODE
+
+/**
+ Decrypt and compare the tag with OCB
+ @param cipher The index of the cipher desired
+ @param key The secret key
+ @param keylen The length of the secret key (octets)
+ @param nonce The session nonce (length of the block size of the block cipher)
+ @param noncelen The length of the nonce (octets)
+ @param adata The AAD - additional associated data
+ @param adatalen The length of AAD (octets)
+ @param ct The ciphertext
+ @param ctlen The length of the ciphertext (octets)
+ @param pt [out] The plaintext
+ @param tag The tag to compare against
+ @param taglen The length of the tag (octets)
+ @param stat [out] The result of the tag comparison (1==valid, 0==invalid)
+ @return CRYPT_OK if successful regardless of the tag comparison
+*/
+int ocb3_decrypt_verify_memory(int cipher,
+ const unsigned char *key, unsigned long keylen,
+ const unsigned char *nonce, unsigned long noncelen,
+ const unsigned char *adata, unsigned long adatalen,
+ const unsigned char *ct, unsigned long ctlen,
+ unsigned char *pt,
+ const unsigned char *tag, unsigned long taglen,
+ int *stat)
+{
+ int err;
+ ocb3_state *ocb;
+ unsigned char *buf;
+ unsigned long buflen;
+
+ LTC_ARGCHK(stat != NULL);
+
+ /* default to zero */
+ *stat = 0;
+
+ /* limit taglen */
+ taglen = MIN(taglen, MAXBLOCKSIZE);
+
+ /* allocate memory */
+ buf = XMALLOC(taglen);
+ ocb = XMALLOC(sizeof(ocb3_state));
+ if (ocb == NULL || buf == NULL) {
+ if (ocb != NULL) {
+ XFREE(ocb);
+ }
+ if (buf != NULL) {
+ XFREE(buf);
+ }
+ return CRYPT_MEM;
+ }
+
+ if ((err = ocb3_init(ocb, cipher, key, keylen, nonce, noncelen, taglen)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+
+ if (adata != NULL || adatalen != 0) {
+ if ((err = ocb3_add_aad(ocb, adata, adatalen)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+ }
+
+ if ((err = ocb3_decrypt_last(ocb, ct, ctlen, pt)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+
+ buflen = taglen;
+ if ((err = ocb3_done(ocb, buf, &buflen)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+
+ /* compare tags */
+ if (buflen >= taglen && XMEM_NEQ(buf, tag, taglen) == 0) {
+ *stat = 1;
+ }
+
+ err = CRYPT_OK;
+
+LBL_ERR:
+#ifdef LTC_CLEAN_STACK
+ zeromem(ocb, sizeof(ocb3_state));
+#endif
+
+ XFREE(ocb);
+ XFREE(buf);
+ return err;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb3/ocb3_done.c b/libtomcrypt/src/encauth/ocb3/ocb3_done.c
new file mode 100644
index 0000000..b913d3a
--- /dev/null
+++ b/libtomcrypt/src/encauth/ocb3/ocb3_done.c
@@ -0,0 +1,92 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+/**
+ @file ocb3_done.c
+ OCB implementation, INTERNAL ONLY helper, by Tom St Denis
+*/
+#include "tomcrypt.h"
+
+#ifdef LTC_OCB3_MODE
+
+/**
+ Finish OCB processing and compute the tag
+ @param ocb The OCB state
+ @param tag [out] The destination for the authentication tag
+ @param taglen [in/out] The max size and resulting size of the authentication tag
+ @return CRYPT_OK if successful
+*/
+int ocb3_done(ocb3_state *ocb, unsigned char *tag, unsigned long *taglen)
+{
+ unsigned char tmp[MAXBLOCKSIZE];
+ int err, x;
+
+ LTC_ARGCHK(ocb != NULL);
+ LTC_ARGCHK(tag != NULL);
+ LTC_ARGCHK(taglen != NULL);
+ if ((err = cipher_is_valid(ocb->cipher)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+
+ /* check taglen */
+ if ((int)*taglen < ocb->tag_len) {
+ *taglen = (unsigned long)ocb->tag_len;
+ return CRYPT_BUFFER_OVERFLOW;
+ }
+
+ /* finalize AAD processing */
+
+ if (ocb->adata_buffer_bytes>0) {
+ /* Offset_* = Offset_m xor L_* */
+ ocb3_int_xor_blocks(ocb->aOffset_current, ocb->aOffset_current, ocb->L_star, ocb->block_len);
+
+ /* CipherInput = (A_* || 1 || zeros(127-bitlen(A_*))) xor Offset_* */
+ ocb3_int_xor_blocks(tmp, ocb->adata_buffer, ocb->aOffset_current, ocb->adata_buffer_bytes);
+ for(x=ocb->adata_buffer_bytes; x<ocb->block_len; x++) {
+ if (x == ocb->adata_buffer_bytes) {
+ tmp[x] = 0x80 ^ ocb->aOffset_current[x];
+ }
+ else {
+ tmp[x] = 0x00 ^ ocb->aOffset_current[x];
+ }
+ }
+
+ /* Sum = Sum_m xor ENCIPHER(K, CipherInput) */
+ if ((err = cipher_descriptor[ocb->cipher].ecb_encrypt(tmp, tmp, &ocb->key)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+ ocb3_int_xor_blocks(ocb->aSum_current, ocb->aSum_current, tmp, ocb->block_len);
+ }
+
+ /* finalize TAG computing */
+
+ /* at this point ocb->aSum_current = HASH(K, A) */
+ /* tag = tag ^ HASH(K, A) */
+ ocb3_int_xor_blocks(tmp, ocb->tag_part, ocb->aSum_current, ocb->block_len);
+
+ /* copy tag bytes */
+ for(x = 0; x < ocb->tag_len; x++) tag[x] = tmp[x];
+ *taglen = (unsigned long)ocb->tag_len;
+
+ err = CRYPT_OK;
+
+LBL_ERR:
+#ifdef LTC_CLEAN_STACK
+ zeromem(tmp, MAXBLOCKSIZE);
+ zeromem(ocb, sizeof(*ocb));
+#endif
+
+ return err;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb3/ocb3_encrypt.c b/libtomcrypt/src/encauth/ocb3/ocb3_encrypt.c
new file mode 100644
index 0000000..337b025
--- /dev/null
+++ b/libtomcrypt/src/encauth/ocb3/ocb3_encrypt.c
@@ -0,0 +1,86 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+/**
+ @file ocb3_encrypt.c
+ OCB implementation, encrypt data, by Tom St Denis
+*/
+#include "tomcrypt.h"
+
+#ifdef LTC_OCB3_MODE
+
+/**
+ Encrypt blocks of data with OCB
+ @param ocb The OCB state
+ @param pt The plaintext (length multiple of the block size of the block cipher)
+ @param ptlen The length of the input (octets)
+ @param ct [out] The ciphertext (same size as the pt)
+ @return CRYPT_OK if successful
+*/
+int ocb3_encrypt(ocb3_state *ocb, const unsigned char *pt, unsigned long ptlen, unsigned char *ct)
+{
+ unsigned char tmp[MAXBLOCKSIZE];
+ int err, i, full_blocks;
+ unsigned char *pt_b, *ct_b;
+
+ LTC_ARGCHK(ocb != NULL);
+ if (ptlen == 0) return CRYPT_OK; /* no data, nothing to do */
+ LTC_ARGCHK(pt != NULL);
+ LTC_ARGCHK(ct != NULL);
+
+ if ((err = cipher_is_valid(ocb->cipher)) != CRYPT_OK) {
+ return err;
+ }
+ if (ocb->block_len != cipher_descriptor[ocb->cipher].block_length) {
+ return CRYPT_INVALID_ARG;
+ }
+
+ if (ptlen % ocb->block_len) { /* ptlen has to bu multiple of block_len */
+ return CRYPT_INVALID_ARG;
+ }
+
+ full_blocks = ptlen/ocb->block_len;
+ for(i=0; i<full_blocks; i++) {
+ pt_b = (unsigned char *)pt+i*ocb->block_len;
+ ct_b = (unsigned char *)ct+i*ocb->block_len;
+
+ /* ocb->Offset_current[] = ocb->Offset_current[] ^ Offset_{ntz(block_index)} */
+ ocb3_int_xor_blocks(ocb->Offset_current, ocb->Offset_current, ocb->L_[ocb3_int_ntz(ocb->block_index)], ocb->block_len);
+
+ /* tmp[] = pt[] XOR ocb->Offset_current[] */
+ ocb3_int_xor_blocks(tmp, pt_b, ocb->Offset_current, ocb->block_len);
+
+ /* encrypt */
+ if ((err = cipher_descriptor[ocb->cipher].ecb_encrypt(tmp, tmp, &ocb->key)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+
+ /* ct[] = tmp[] XOR ocb->Offset_current[] */
+ ocb3_int_xor_blocks(ct_b, tmp, ocb->Offset_current, ocb->block_len);
+
+ /* ocb->checksum[] = ocb->checksum[] XOR pt[] */
+ ocb3_int_xor_blocks(ocb->checksum, ocb->checksum, pt_b, ocb->block_len);
+
+ ocb->block_index++;
+ }
+
+ err = CRYPT_OK;
+
+LBL_ERR:
+#ifdef LTC_CLEAN_STACK
+ zeromem(tmp, sizeof(tmp));
+#endif
+ return err;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb3/ocb3_encrypt_authenticate_memory.c b/libtomcrypt/src/encauth/ocb3/ocb3_encrypt_authenticate_memory.c
new file mode 100644
index 0000000..efc1a8f
--- /dev/null
+++ b/libtomcrypt/src/encauth/ocb3/ocb3_encrypt_authenticate_memory.c
@@ -0,0 +1,82 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+/**
+ @file ocb3_encrypt_authenticate_memory.c
+ OCB implementation, encrypt block of memory, by Tom St Denis
+*/
+#include "tomcrypt.h"
+
+#ifdef LTC_OCB3_MODE
+
+/**
+ Encrypt and generate an authentication code for a buffer of memory
+ @param cipher The index of the cipher desired
+ @param key The secret key
+ @param keylen The length of the secret key (octets)
+ @param nonce The session nonce (length of the block ciphers block size)
+ @param noncelen The length of the nonce (octets)
+ @param adata The AAD - additional associated data
+ @param adatalen The length of AAD (octets)
+ @param pt The plaintext
+ @param ptlen The length of the plaintext (octets)
+ @param ct [out] The ciphertext
+ @param tag [out] The authentication tag
+ @param taglen [in/out] The max size and resulting size of the authentication tag
+ @return CRYPT_OK if successful
+*/
+int ocb3_encrypt_authenticate_memory(int cipher,
+ const unsigned char *key, unsigned long keylen,
+ const unsigned char *nonce, unsigned long noncelen,
+ const unsigned char *adata, unsigned long adatalen,
+ const unsigned char *pt, unsigned long ptlen,
+ unsigned char *ct,
+ unsigned char *tag, unsigned long *taglen)
+{
+ int err;
+ ocb3_state *ocb;
+
+ LTC_ARGCHK(taglen != NULL);
+
+ /* allocate memory */
+ ocb = XMALLOC(sizeof(ocb3_state));
+ if (ocb == NULL) {
+ return CRYPT_MEM;
+ }
+
+ if ((err = ocb3_init(ocb, cipher, key, keylen, nonce, noncelen, *taglen)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+
+ if (adata != NULL || adatalen != 0) {
+ if ((err = ocb3_add_aad(ocb, adata, adatalen)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+ }
+
+ if ((err = ocb3_encrypt_last(ocb, pt, ptlen, ct)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+
+ err = ocb3_done(ocb, tag, taglen);
+
+LBL_ERR:
+#ifdef LTC_CLEAN_STACK
+ zeromem(ocb, sizeof(ocb3_state));
+#endif
+
+ XFREE(ocb);
+ return err;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb3/ocb3_encrypt_last.c b/libtomcrypt/src/encauth/ocb3/ocb3_encrypt_last.c
new file mode 100644
index 0000000..8110a3c
--- /dev/null
+++ b/libtomcrypt/src/encauth/ocb3/ocb3_encrypt_last.c
@@ -0,0 +1,112 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+/**
+ @file ocb3_encrypt_last.c
+ OCB implementation, internal helper, by Karel Miko
+*/
+#include "tomcrypt.h"
+
+#ifdef LTC_OCB3_MODE
+
+/**
+ Finish an OCB (encryption) stream
+ @param ocb The OCB state
+ @param pt The remaining plaintext
+ @param ptlen The length of the plaintext (octets)
+ @param ct [out] The output buffer
+ @return CRYPT_OK if successful
+*/
+int ocb3_encrypt_last(ocb3_state *ocb, const unsigned char *pt, unsigned long ptlen, unsigned char *ct)
+{
+ unsigned char iOffset_star[MAXBLOCKSIZE];
+ unsigned char iPad[MAXBLOCKSIZE];
+ int err, x, full_blocks, full_blocks_len, last_block_len;
+
+ LTC_ARGCHK(ocb != NULL);
+ if (pt == NULL) LTC_ARGCHK(ptlen == 0);
+ if (ptlen != 0) {
+ LTC_ARGCHK(pt != NULL);
+ LTC_ARGCHK(ct != NULL);
+ }
+
+ if ((err = cipher_is_valid(ocb->cipher)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+
+ full_blocks = ptlen/ocb->block_len;
+ full_blocks_len = full_blocks * ocb->block_len;
+ last_block_len = ptlen - full_blocks_len;
+
+ /* process full blocks first */
+ if (full_blocks>0) {
+ if ((err = ocb3_encrypt(ocb, pt, full_blocks_len, ct)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+ }
+
+ /* at this point: m = ocb->block_index (last block index), Offset_m = ocb->Offset_current */
+
+ if (last_block_len>0) {
+ /* Offset_* = Offset_m xor L_* */
+ ocb3_int_xor_blocks(iOffset_star, ocb->Offset_current, ocb->L_star, ocb->block_len);
+
+ /* Pad = ENCIPHER(K, Offset_*) */
+ if ((err = cipher_descriptor[ocb->cipher].ecb_encrypt(iOffset_star, iPad, &ocb->key)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+
+ /* C_* = P_* xor Pad[1..bitlen(P_*)] */
+ ocb3_int_xor_blocks(ct+full_blocks_len, pt+full_blocks_len, iPad, last_block_len);
+
+ /* Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) */
+ ocb3_int_xor_blocks(ocb->checksum, ocb->checksum, pt+full_blocks_len, last_block_len);
+ for(x=last_block_len; x<ocb->block_len; x++) {
+ if (x == last_block_len)
+ ocb->checksum[x] ^= 0x80;
+ else
+ ocb->checksum[x] ^= 0x00;
+ }
+
+ /* Tag = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) xor HASH(K,A) */
+ /* at this point we calculate only: Tag_part = ENCIPHER(K, Checksum_* xor Offset_* xor L_$) */
+ for(x=0; x<ocb->block_len; x++) {
+ ocb->tag_part[x] = (ocb->checksum[x] ^ iOffset_star[x]) ^ ocb->L_dollar[x];
+ }
+ if ((err = cipher_descriptor[ocb->cipher].ecb_encrypt(ocb->tag_part, ocb->tag_part, &ocb->key)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+ }
+ else {
+ /* Tag = ENCIPHER(K, Checksum_m xor Offset_m xor L_$) xor HASH(K,A) */
+ /* at this point we calculate only: Tag_part = ENCIPHER(K, Checksum_m xor Offset_m xor L_$) */
+ for(x=0; x<ocb->block_len; x++) {
+ ocb->tag_part[x] = (ocb->checksum[x] ^ ocb->Offset_current[x]) ^ ocb->L_dollar[x];
+ }
+ if ((err = cipher_descriptor[ocb->cipher].ecb_encrypt(ocb->tag_part, ocb->tag_part, &ocb->key)) != CRYPT_OK) {
+ goto LBL_ERR;
+ }
+ }
+
+ err = CRYPT_OK;
+
+LBL_ERR:
+#ifdef LTC_CLEAN_STACK
+ zeromem(iOffset_star, MAXBLOCKSIZE);
+ zeromem(iPad, MAXBLOCKSIZE);
+#endif
+
+ return err;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb3/ocb3_init.c b/libtomcrypt/src/encauth/ocb3/ocb3_init.c
new file mode 100644
index 0000000..a3cabae
--- /dev/null
+++ b/libtomcrypt/src/encauth/ocb3/ocb3_init.c
@@ -0,0 +1,196 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+/**
+ @file ocb3_init.c
+ OCB implementation, initialize state, by Tom St Denis
+*/
+#include "tomcrypt.h"
+
+#ifdef LTC_OCB3_MODE
+
+static void _ocb3_int_calc_offset_zero(ocb3_state *ocb, const unsigned char *nonce, unsigned long noncelen, unsigned long taglen)
+{
+ int x, y, bottom;
+ int idx, shift;
+ unsigned char iNonce[MAXBLOCKSIZE];
+ unsigned char iKtop[MAXBLOCKSIZE];
+ unsigned char iStretch[MAXBLOCKSIZE+8];
+
+ /* Nonce = zeros(127-bitlen(N)) || 1 || N */
+ zeromem(iNonce, sizeof(iNonce));
+ for (x = ocb->block_len-1, y=0; y<(int)noncelen; x--, y++) {
+ iNonce[x] = nonce[noncelen-y-1];
+ }
+ iNonce[x] = 0x01;
+ iNonce[0] |= ((taglen*8) % 128) << 1;
+
+ /* bottom = str2num(Nonce[123..128]) */
+ bottom = iNonce[ocb->block_len-1] & 0x3F;
+
+ /* Ktop = ENCIPHER(K, Nonce[1..122] || zeros(6)) */
+ iNonce[ocb->block_len-1] = iNonce[ocb->block_len-1] & 0xC0;
+ if ((cipher_descriptor[ocb->cipher].ecb_encrypt(iNonce, iKtop, &ocb->key)) != CRYPT_OK) {
+ zeromem(ocb->Offset_current, ocb->block_len);
+ return;
+ }
+
+ /* Stretch = Ktop || (Ktop[1..64] xor Ktop[9..72]) */
+ for (x = 0; x < ocb->block_len; x++) {
+ iStretch[x] = iKtop[x];
+ }
+ for (y = 0; y < 8; y++) {
+ iStretch[x+y] = iKtop[y] ^ iKtop[y+1];
+ }
+
+ /* Offset_0 = Stretch[1+bottom..128+bottom] */
+ idx = bottom / 8;
+ shift = (bottom % 8);
+ for (x = 0; x < ocb->block_len; x++) {
+ ocb->Offset_current[x] = iStretch[idx+x] << shift;
+ if (shift > 0) {
+ ocb->Offset_current[x] |= iStretch[idx+x+1] >> (8-shift);
+ }
+ }
+}
+
+static const struct {
+ int len;
+ unsigned char poly_mul[MAXBLOCKSIZE];
+} polys[] = {
+{
+ 8,
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1B }
+}, {
+ 16,
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87 }
+}
+};
+
+/**
+ Initialize an OCB context
+ @param ocb [out] The destination of the OCB state
+ @param cipher The index of the desired cipher
+ @param key The secret key
+ @param keylen The length of the secret key (octets)
+ @param nonce The session nonce
+ @param noncelen The length of the session nonce (octets, up to 15)
+ @param taglen The length of the tag (octets, up to 16)
+ @return CRYPT_OK if successful
+*/
+int ocb3_init(ocb3_state *ocb, int cipher,
+ const unsigned char *key, unsigned long keylen,
+ const unsigned char *nonce, unsigned long noncelen,
+ unsigned long taglen)
+{
+ int poly, x, y, m, err;
+ unsigned char *previous, *current;
+
+ LTC_ARGCHK(ocb != NULL);
+ LTC_ARGCHK(key != NULL);
+ LTC_ARGCHK(nonce != NULL);
+
+ /* valid cipher? */
+ if ((err = cipher_is_valid(cipher)) != CRYPT_OK) {
+ return err;
+ }
+ ocb->cipher = cipher;
+
+ /* Valid Nonce?
+ * As of RFC7253: "string of no more than 120 bits" */
+ if (noncelen > (120/8)) {
+ return CRYPT_INVALID_ARG;
+ }
+
+ /* The blockcipher must have a 128-bit blocksize */
+ if (cipher_descriptor[cipher].block_length != 16) {
+ return CRYPT_INVALID_ARG;
+ }
+
+ /* The TAGLEN may be any value up to 128 (bits) */
+ if (taglen > 16) {
+ return CRYPT_INVALID_ARG;
+ }
+ ocb->tag_len = taglen;
+
+ /* determine which polys to use */
+ ocb->block_len = cipher_descriptor[cipher].block_length;
+ x = (int)(sizeof(polys)/sizeof(polys[0]));
+ for (poly = 0; poly < x; poly++) {
+ if (polys[poly].len == ocb->block_len) {
+ break;
+ }
+ }
+ if (poly == x) {
+ return CRYPT_INVALID_ARG; /* block_len not found in polys */
+ }
+ if (polys[poly].len != ocb->block_len) {
+ return CRYPT_INVALID_ARG;
+ }
+
+ /* schedule the key */
+ if ((err = cipher_descriptor[cipher].setup(key, keylen, 0, &ocb->key)) != CRYPT_OK) {
+ return err;
+ }
+
+ /* L_* = ENCIPHER(K, zeros(128)) */
+ zeromem(ocb->L_star, ocb->block_len);
+ if ((err = cipher_descriptor[cipher].ecb_encrypt(ocb->L_star, ocb->L_star, &ocb->key)) != CRYPT_OK) {
+ return err;
+ }
+
+ /* compute L_$, L_0, L_1, ... */
+ for (x = -1; x < 32; x++) {
+ if (x == -1) { /* gonna compute: L_$ = double(L_*) */
+ current = ocb->L_dollar;
+ previous = ocb->L_star;
+ }
+ else if (x == 0) { /* gonna compute: L_0 = double(L_$) */
+ current = ocb->L_[0];
+ previous = ocb->L_dollar;
+ }
+ else { /* gonna compute: L_i = double(L_{i-1}) for every integer i > 0 */
+ current = ocb->L_[x];
+ previous = ocb->L_[x-1];
+ }
+ m = previous[0] >> 7;
+ for (y = 0; y < ocb->block_len-1; y++) {
+ current[y] = ((previous[y] << 1) | (previous[y+1] >> 7)) & 255;
+ }
+ current[ocb->block_len-1] = (previous[ocb->block_len-1] << 1) & 255;
+ if (m == 1) {
+ /* current[] = current[] XOR polys[poly].poly_mul[]*/
+ ocb3_int_xor_blocks(current, current, polys[poly].poly_mul, ocb->block_len);
+ }
+ }
+
+ /* initialize ocb->Offset_current = Offset_0 */
+ _ocb3_int_calc_offset_zero(ocb, nonce, noncelen, taglen);
+
+ /* initialize checksum to all zeros */
+ zeromem(ocb->checksum, ocb->block_len);
+
+ /* set block index */
+ ocb->block_index = 1;
+
+ /* initialize AAD related stuff */
+ ocb->ablock_index = 1;
+ ocb->adata_buffer_bytes = 0;
+ zeromem(ocb->aOffset_current, ocb->block_len);
+ zeromem(ocb->aSum_current, ocb->block_len);
+
+ return CRYPT_OK;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb3/ocb3_int_ntz.c b/libtomcrypt/src/encauth/ocb3/ocb3_int_ntz.c
new file mode 100644
index 0000000..3c5b18d
--- /dev/null
+++ b/libtomcrypt/src/encauth/ocb3/ocb3_int_ntz.c
@@ -0,0 +1,39 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+/**
+ @file ocb3_int_ntz.c
+ OCB implementation, INTERNAL ONLY helper, by Tom St Denis
+*/
+#include "tomcrypt.h"
+
+#ifdef LTC_OCB3_MODE
+
+/**
+ Returns the number of leading zero bits [from lsb up] (internal function)
+ @param x The 32-bit value to observe
+ @return The number of bits [from the lsb up] that are zero
+*/
+int ocb3_int_ntz(unsigned long x)
+{
+ int c;
+ x &= 0xFFFFFFFFUL;
+ c = 0;
+ while ((x & 1) == 0) {
+ ++c;
+ x >>= 1;
+ }
+ return c;
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb3/ocb3_int_xor_blocks.c b/libtomcrypt/src/encauth/ocb3/ocb3_int_xor_blocks.c
new file mode 100644
index 0000000..798bddc
--- /dev/null
+++ b/libtomcrypt/src/encauth/ocb3/ocb3_int_xor_blocks.c
@@ -0,0 +1,40 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+/**
+ @file ocb3_int_xor_blocks.c
+ OCB implementation, INTERNAL ONLY helper, by Karel Miko
+*/
+#include "tomcrypt.h"
+
+#ifdef LTC_OCB3_MODE
+
+/**
+ Compute xor for two blocks of bytes 'out = block_a XOR block_b' (internal function)
+ @param out The block of bytes (output)
+ @param block_a The block of bytes (input)
+ @param block_b The block of bytes (input)
+ @param block_len The size of block_a, block_b, out
+*/
+void ocb3_int_xor_blocks(unsigned char *out, const unsigned char *block_a, const unsigned char *block_b, unsigned long block_len)
+{
+ int x;
+ if (out == block_a) {
+ for (x = 0; x < (int)block_len; x++) out[x] ^= block_b[x];
+ }
+ else {
+ for (x = 0; x < (int)block_len; x++) out[x] = block_a[x] ^ block_b[x];
+ }
+}
+
+#endif
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/libtomcrypt/src/encauth/ocb3/ocb3_test.c b/libtomcrypt/src/encauth/ocb3/ocb3_test.c
new file mode 100644
index 0000000..a3e5062
--- /dev/null
+++ b/libtomcrypt/src/encauth/ocb3/ocb3_test.c
@@ -0,0 +1,309 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+/**
+ @file ocb3_test.c
+ OCB implementation, self-test by Tom St Denis
+*/
+#include "tomcrypt.h"
+
+#ifdef LTC_OCB3_MODE
+
+/**
+ Test the OCB protocol
+ @return CRYPT_OK if successful
+*/
+int ocb3_test(void)
+{
+#ifndef LTC_TEST
+ return CRYPT_NOP;
+#else
+ /* test vectors from: http://tools.ietf.org/html/draft-krovetz-ocb-03 */
+ unsigned char key[16] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F };
+ unsigned char nonce[12] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B };
+ const struct {
+ int ptlen;
+ int aadlen;
+ unsigned char pt[64], aad[64], ct[64], tag[16];
+ } tests[] = {
+
+ { /* index:0 */
+ 0, /* PLAINTEXT length */
+ 0, /* AAD length */
+ { 0 }, /* PLAINTEXT */
+ { 0 }, /* AAD */
+ { 0 }, /* CIPHERTEXT */
+ { 0x19,0x7b,0x9c,0x3c,0x44,0x1d,0x3c,0x83,0xea,0xfb,0x2b,0xef,0x63,0x3b,0x91,0x82 }, /* TAG */
+ },
+ { /* index:1 */
+ 8, /* PLAINTEXT length */
+ 8, /* AAD length */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07 }, /* PLAINTEXT */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07 }, /* AAD */
+ { 0x92,0xb6,0x57,0x13,0x0a,0x74,0xb8,0x5a }, /* CIPHERTEXT */
+ { 0x16,0xdc,0x76,0xa4,0x6d,0x47,0xe1,0xea,0xd5,0x37,0x20,0x9e,0x8a,0x96,0xd1,0x4e }, /* TAG */
+ },
+ { /* index:2 */
+ 0, /* PLAINTEXT length */
+ 8, /* AAD length */
+ { 0 }, /* PLAINTEXT */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07 }, /* AAD */
+ { 0 }, /* CIPHERTEXT */
+ { 0x98,0xb9,0x15,0x52,0xc8,0xc0,0x09,0x18,0x50,0x44,0xe3,0x0a,0x6e,0xb2,0xfe,0x21 }, /* TAG */
+ },
+ { /* index:3 */
+ 8, /* PLAINTEXT length */
+ 0, /* AAD length */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07 }, /* PLAINTEXT */
+ { 0 }, /* AAD */
+ { 0x92,0xb6,0x57,0x13,0x0a,0x74,0xb8,0x5a }, /* CIPHERTEXT */
+ { 0x97,0x1e,0xff,0xca,0xe1,0x9a,0xd4,0x71,0x6f,0x88,0xe8,0x7b,0x87,0x1f,0xbe,0xed }, /* TAG */
+ },
+ { /* index:4 */
+ 16, /* PLAINTEXT length */
+ 16, /* AAD length */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f }, /* PLAINTEXT */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f }, /* AAD */
+ { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22 }, /* CIPHERTEXT */
+ { 0x77,0x6c,0x99,0x24,0xd6,0x72,0x3a,0x1f,0xc4,0x52,0x45,0x32,0xac,0x3e,0x5b,0xeb }, /* TAG */
+ },
+ { /* index:5 */
+ 0, /* PLAINTEXT length */
+ 16, /* AAD length */
+ { 0 }, /* PLAINTEXT */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f }, /* AAD */
+ { 0 }, /* CIPHERTEXT */
+ { 0x7d,0xdb,0x8e,0x6c,0xea,0x68,0x14,0x86,0x62,0x12,0x50,0x96,0x19,0xb1,0x9c,0xc6 }, /* TAG */
+ },
+ { /* index:6 */
+ 16, /* PLAINTEXT length */
+ 0, /* AAD length */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f }, /* PLAINTEXT */
+ { 0 }, /* AAD */
+ { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22 }, /* CIPHERTEXT */
+ { 0x13,0xcc,0x8b,0x74,0x78,0x07,0x12,0x1a,0x4c,0xbb,0x3e,0x4b,0xd6,0xb4,0x56,0xaf }, /* TAG */
+ },
+ { /* index:7 */
+ 24, /* PLAINTEXT length */
+ 24, /* AAD length */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17 }, /* PLAINTEXT */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17 }, /* AAD */
+ { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22,0xfc,0xfc,0xee,0x7a,0x2a,0x8d,0x4d,0x48 }, /* CIPHERTEXT */
+ { 0x5f,0xa9,0x4f,0xc3,0xf3,0x88,0x20,0xf1,0xdc,0x3f,0x3d,0x1f,0xd4,0xe5,0x5e,0x1c }, /* TAG */
+ },
+ { /* index:8 */
+ 0, /* PLAINTEXT length */
+ 24, /* AAD length */
+ { 0 }, /* PLAINTEXT */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17 }, /* AAD */
+ { 0 }, /* CIPHERTEXT */
+ { 0x28,0x20,0x26,0xda,0x30,0x68,0xbc,0x9f,0xa1,0x18,0x68,0x1d,0x55,0x9f,0x10,0xf6 }, /* TAG */
+ },
+ { /* index:9 */
+ 24, /* PLAINTEXT length */
+ 0, /* AAD length */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17 }, /* PLAINTEXT */
+ { 0 }, /* AAD */
+ { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22,0xfc,0xfc,0xee,0x7a,0x2a,0x8d,0x4d,0x48 }, /* CIPHERTEXT */
+ { 0x6e,0xf2,0xf5,0x25,0x87,0xfd,0xa0,0xed,0x97,0xdc,0x7e,0xed,0xe2,0x41,0xdf,0x68 }, /* TAG */
+ },
+ { /* index:10 */
+ 32, /* PLAINTEXT length */
+ 32, /* AAD length */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f }, /* PLAINTEXT */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f }, /* AAD */
+ { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22,0xce,0xaa,0xb9,0xb0,0x5d,0xf7,0x71,0xa6,0x57,0x14,0x9d,0x53,0x77,0x34,0x63,0xcb }, /* CIPHERTEXT */
+ { 0xb2,0xa0,0x40,0xdd,0x3b,0xd5,0x16,0x43,0x72,0xd7,0x6d,0x7b,0xb6,0x82,0x42,0x40 }, /* TAG */
+ },
+ { /* index:11 */
+ 0, /* PLAINTEXT length */
+ 32, /* AAD length */
+ { 0 }, /* PLAINTEXT */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f }, /* AAD */
+ { 0 }, /* CIPHERTEXT */
+ { 0xe1,0xe0,0x72,0x63,0x3b,0xad,0xe5,0x1a,0x60,0xe8,0x59,0x51,0xd9,0xc4,0x2a,0x1b }, /* TAG */
+ },
+ { /* index:12 */
+ 32, /* PLAINTEXT length */
+ 0, /* AAD length */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f }, /* PLAINTEXT */
+ { 0 }, /* AAD */
+ { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22,0xce,0xaa,0xb9,0xb0,0x5d,0xf7,0x71,0xa6,0x57,0x14,0x9d,0x53,0x77,0x34,0x63,0xcb }, /* CIPHERTEXT */
+ { 0x4a,0x3b,0xae,0x82,0x44,0x65,0xcf,0xda,0xf8,0xc4,0x1f,0xc5,0x0c,0x7d,0xf9,0xd9 }, /* TAG */
+ },
+ { /* index:13 */
+ 40, /* PLAINTEXT length */
+ 40, /* AAD length */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 }, /* PLAINTEXT */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 }, /* AAD */
+ { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22,0xce,0xaa,0xb9,0xb0,0x5d,0xf7,0x71,0xa6,0x57,0x14,0x9d,0x53,0x77,0x34,0x63,0xcb,0x68,0xc6,0x57,0x78,0xb0,0x58,0xa6,0x35 }, /* CIPHERTEXT */
+ { 0x65,0x9c,0x62,0x32,0x11,0xde,0xea,0x0d,0xe3,0x0d,0x2c,0x38,0x18,0x79,0xf4,0xc8 }, /* TAG */
+ },
+ { /* index:14 */
+ 0, /* PLAINTEXT length */
+ 40, /* AAD length */
+ { 0 }, /* PLAINTEXT */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 }, /* AAD */
+ { 0 }, /* CIPHERTEXT */
+ { 0x7a,0xeb,0x7a,0x69,0xa1,0x68,0x7d,0xd0,0x82,0xca,0x27,0xb0,0xd9,0xa3,0x70,0x96 }, /* TAG */
+ },
+ { /* index:15 */
+ 40, /* PLAINTEXT length */
+ 0, /* AAD length */
+ { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 }, /* PLAINTEXT */
+ { 0 }, /* AAD */
+ { 0xbe,0xa5,0xe8,0x79,0x8d,0xbe,0x71,0x10,0x03,0x1c,0x14,0x4d,0xa0,0xb2,0x61,0x22,0xce,0xaa,0xb9,0xb0,0x5d,0xf7,0x71,0xa6,0x57,0x14,0x9d,0x53,0x77,0x34,0x63,0xcb,0x68,0xc6,0x57,0x78,0xb0,0x58,0xa6,0x35 }, /* CIPHERTEXT */
+ { 0x06,0x0c,0x84,0x67,0xf4,0xab,0xab,0x5e,0x8b,0x3c,0x20,0x67,0xa2,0xe1,0x15,0xdc }, /* TAG */
+ },
+
+};
+ /* As of RFC 7253 - 'Appendix A. Sample Results'
+ * The next tuple shows a result with a tag length of 96 bits and a
+ different key.
+
+ K: 0F0E0D0C0B0A09080706050403020100
+
+ N: BBAA9988776655443322110D
+ A: 000102030405060708090A0B0C0D0E0F1011121314151617
+ 18191A1B1C1D1E1F2021222324252627
+ P: 000102030405060708090A0B0C0D0E0F1011121314151617
+ 18191A1B1C1D1E1F2021222324252627
+ C: 1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1
+ A0124B0A55BAE884ED93481529C76B6AD0C515F4D1CDD4FD
+ AC4F02AA
+
+ The C has been split up in C and T (tag)
+ */
+ const unsigned char K[] = { 0x0F,0x0E,0x0D,0x0C,0x0B,0x0A,0x09,0x08,
+ 0x07,0x06,0x05,0x04,0x03,0x02,0x01,0x00 };
+ const unsigned char N[] = { 0xBB,0xAA,0x99,0x88,0x77,0x66,0x55,0x44,
+ 0x33,0x22,0x11,0x0D };
+ const unsigned char A[] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+ 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
+ 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
+ 0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
+ 0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 };
+ const unsigned char P[] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+ 0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,
+ 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
+ 0x18,0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,
+ 0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27 };
+ const unsigned char C[] = { 0x17,0x92,0xA4,0xE3,0x1E,0x07,0x55,0xFB,
+ 0x03,0xE3,0x1B,0x22,0x11,0x6E,0x6C,0x2D,
+ 0xDF,0x9E,0xFD,0x6E,0x33,0xD5,0x36,0xF1,
+ 0xA0,0x12,0x4B,0x0A,0x55,0xBA,0xE8,0x84,
+ 0xED,0x93,0x48,0x15,0x29,0xC7,0x6B,0x6A };
+ const unsigned char T[] = { 0xD0,0xC5,0x15,0xF4,0xD1,0xCD,0xD4,0xFD,
+ 0xAC,0x4F,0x02,0xAA };
+
+ int err, x, idx, res;
+ unsigned long len;
+ unsigned char outct[MAXBLOCKSIZE] = { 0 };
+ unsigned char outtag[MAXBLOCKSIZE] = { 0 };
+ ocb3_state ocb;
+
+ /* AES can be under rijndael or aes... try to find it */
+ if ((idx = find_cipher("aes")) == -1) {
+ if ((idx = find_cipher("rijndael")) == -1) {
+ return CRYPT_NOP;
+ }
+ }
+
+ for (x = 0; x < (int)(sizeof(tests)/sizeof(tests[0])); x++) {
+ len = 16; /* must be the same as the required taglen */
+ if ((err = ocb3_encrypt_authenticate_memory(idx,
+ key, sizeof(key),
+ nonce, sizeof(nonce),
+ tests[x].aadlen != 0 ? tests[x].aad : NULL, tests[x].aadlen,
+ tests[x].ptlen != 0 ? tests[x].pt : NULL, tests[x].ptlen,
+ tests[x].ptlen != 0 ? outct : NULL, outtag, &len)) != CRYPT_OK) {
+ return err;
+ }
+
+ if (compare_testvector(outtag, len, tests[x].tag, sizeof(tests[x].tag), "OCB3 Tag", x) ||
+ compare_testvector(outct, tests[x].ptlen, tests[x].ct, tests[x].ptlen, "OCB3 CT", x)) {
+ return CRYPT_FAIL_TESTVECTOR;
+ }
+
+ if ((err = ocb3_decrypt_verify_memory(idx,
+ key, sizeof(key),
+ nonce, sizeof(nonce),
+ tests[x].aadlen != 0 ? tests[x].aad : NULL, tests[x].aadlen,
+ tests[x].ptlen != 0 ? outct : NULL, tests[x].ptlen,
+ tests[x].ptlen != 0 ? outct : NULL, tests[x].tag, len, &res)) != CRYPT_OK) {
+ return err;
+ }
+ if ((res != 1) || compare_testvector(outct, tests[x].ptlen, tests[x].pt, tests[x].ptlen, "OCB3", x)) {
+#ifdef LTC_TEST_DBG
+ printf("\n\nOCB3: Failure-decrypt - res = %d\n", res);
+#endif
+ return CRYPT_FAIL_TESTVECTOR;
+ }
+ }
+
+ /* RFC 7253 - test vector with a tag length of 96 bits - part 1 */
+ x = 99;
+ len = 12;
+ if ((err = ocb3_encrypt_authenticate_memory(idx,
+ K, sizeof(K),
+ N, sizeof(N),
+ A, sizeof(A),
+ P, sizeof(P),
+ outct, outtag, &len)) != CRYPT_OK) {
+ return err;
+ }
+
+ if (compare_testvector(outtag, len, T, sizeof(T), "OCB3 Tag", x) ||
+ compare_testvector(outct, sizeof(P), C, sizeof(C), "OCB3 CT", x)) {
+ return CRYPT_FAIL_TESTVECTOR;
+ }
+
+ if ((err = ocb3_decrypt_verify_memory(idx,
+ K, sizeof(K),
+ N, sizeof(N),
+ A, sizeof(A),
+ C, sizeof(C),
+ outct, T, sizeof(T), &res)) != CRYPT_OK) {
+ return err;
+ }
+ if ((res != 1) || compare_testvector(outct, sizeof(C), P, sizeof(P), "OCB3", x)) {
+#ifdef LTC_TEST_DBG
+ printf("\n\nOCB3: Failure-decrypt - res = %d\n", res);
+#endif
+ return CRYPT_FAIL_TESTVECTOR;
+ }
+
+ /* RFC 7253 - test vector with a tag length of 96 bits - part 2 */
+ x = 100;
+ if ((err = ocb3_init(&ocb, idx, K, sizeof(K), N, sizeof(N), 12)) != CRYPT_OK) return err;
+ if ((err = ocb3_add_aad(&ocb, A, sizeof(A))) != CRYPT_OK) return err;
+ if ((err = ocb3_encrypt(&ocb, P, 32, outct)) != CRYPT_OK) return err;
+ if ((err = ocb3_encrypt_last(&ocb, P+32, sizeof(P)-32, outct+32)) != CRYPT_OK) return err;
+ len = sizeof(outtag); /* intentionally more than 12 */
+ if ((err = ocb3_done(&ocb, outtag, &len)) != CRYPT_OK) return err;
+ if (compare_testvector(outct, sizeof(P), C, sizeof(C), "OCB3 CT", x)) return CRYPT_FAIL_TESTVECTOR;
+ if (compare_testvector(outtag, len, T, sizeof(T), "OCB3 Tag.enc", x)) return CRYPT_FAIL_TESTVECTOR;
+ if ((err = ocb3_init(&ocb, idx, K, sizeof(K), N, sizeof(N), 12)) != CRYPT_OK) return err;
+ if ((err = ocb3_add_aad(&ocb, A, sizeof(A))) != CRYPT_OK) return err;
+ if ((err = ocb3_decrypt(&ocb, C, 32, outct)) != CRYPT_OK) return err;
+ if ((err = ocb3_decrypt_last(&ocb, C+32, sizeof(C)-32, outct+32)) != CRYPT_OK) return err;
+ len = sizeof(outtag); /* intentionally more than 12 */
+ if ((err = ocb3_done(&ocb, outtag, &len)) != CRYPT_OK) return err;
+ if (compare_testvector(outct, sizeof(C), P, sizeof(P), "OCB3 PT", x)) return CRYPT_FAIL_TESTVECTOR;
+ if (compare_testvector(outtag, len, T, sizeof(T), "OCB3 Tag.dec", x)) return CRYPT_FAIL_TESTVECTOR;
+
+ return CRYPT_OK;
+#endif /* LTC_TEST */
+}
+
+#endif /* LTC_OCB3_MODE */
+
+/* ref: $Format:%D$ */
+/* git commit: $Format:%H$ */
+/* commit time: $Format:%ai$ */