1 | #! /usr/bin/python |
2 | ||
09734e51 | 3 | from sys import argv, exit |
50df5733 | 4 | from struct import unpack, pack |
5 | from itertools import izip |
6 | import catacomb as C | |
7 | ||
## Deterministic RNG with a fixed seed of 0; supplies R.block()/R.range()
## for the random test inputs below (presumably so the generated vectors
## are reproducible from run to run).
R = C.FibRand(0)
9 | ||
10 | ###-------------------------------------------------------------------------- | |
11 | ### Utilities. | |
12 | ||
def combs(things, k):
  """Yield each k-element combination of THINGS, as a list, in index order.

  The index vector is advanced odometer-style from the low end: the first
  position that can move forward does so and every lower position is reset
  to its starting value.  Yields [] exactly once when k is zero.
  """
  n = len(things)
  idx = list(range(k))
  while True:
    yield [things[i] for i in idx]
    for pos in range(k):
      bound = n if pos == k - 1 else idx[pos + 1]
      candidate = idx[pos] + 1
      if candidate < bound:
        idx[pos] = candidate
        break
      idx[pos] = pos
    else:
      return
28 | ||
## Memo for poly(): field size in bits -> irreducible C.GF polynomial.
POLYMAP = {}
30 | ||
def poly(nbits):
  """Return a memoized irreducible polynomial of degree NBITS over GF(2).

  Starting from x^nbits + 1, an odd number k = 1, 3, ... of extra middle
  terms is added, trying every combination of positions, until
  irreduciblep() succeeds; the result is cached in POLYMAP.  Raises
  ValueError(nbits) if nothing is found.
  """
  cached = POLYMAP.get(nbits)
  if cached is not None:
    return cached
  base = C.GF(0).setbit(nbits).setbit(0)
  for k in range(1, nbits, 2):
    for cc in combs(range(1, nbits), k):
      extra = sum([C.GF(0).setbit(c) for c in cc], C.GF(0))
      candidate = base + extra
      if candidate.irreduciblep():
        POLYMAP[nbits] = candidate
        return candidate
  raise ValueError(nbits)
40 | ||
def prim(nbits):
  """Return a primitive polynomial of degree NBITS over GF(2) from a table.

  Only the block sizes tabulated below are supported; any other NBITS
  raises ValueError.  (There's no fancy way to compute these here: it would
  need a much cleverer factoring algorithm than is to hand.)
  """
  taps = { 64: [64, 4, 3, 1, 0],
           96: [96, 10, 9, 6, 0],
           128: [128, 7, 2, 1, 0],
           192: [192, 15, 11, 5, 0],
           256: [256, 10, 5, 2, 0] }
  if nbits not in taps:
    raise ValueError('no field for %d bits' % nbits)
  p = C.GF(0)
  for c in taps[nbits]:
    p = p.setbit(c)
  return p
53 | ||
def Z(n):
  """Return an all-zero ByteString of N bytes (shorthand used throughout)."""
  zero = C.ByteString.zero
  return zero(n)
56 | ||
def mul_blk_gf(m, x, p):
  """Multiply the big-endian block M by the field element X modulo P.

  The residue is stored back big-endian in (p.nbits + 6)//8 bytes, which
  is presumably the block width when p.nbits counts the leading term of P.
  """
  u = C.GF.loadb(m)
  product = (u*x)%p
  width = (p.nbits + 6)//8
  return product.storeb(width)
58 | ||
def with_lastp(it):
  """Iterate IT, yielding (item, is_last) pairs.

  One element is read ahead so the final pair carries is_last = True.
  Raises ValueError('empty iter') when IT yields nothing at all.
  """
  src = iter(it)
  try: pending = next(src)
  except StopIteration: raise ValueError('empty iter')
  while True:
    current = pending
    try:
      pending = next(src)
    except StopIteration:
      yield current, True
      return
    yield current, False
69 | ||
def safehex(x):
  """Render X with hex(), but show a zero-length X as the literal '""'."""
  return hex(x) if len(x) else '""'
73 | ||
def keylens(ksz):
  """Choose at most four key lengths from the key-size descriptor KSZ.

  A KeySZSet contributes its members; a KeySZRange the lengths from min
  stepping by mod up to (but not including) max; a KeySZAny the lengths
  0..63 with 0 always preselected (it may be drawn again from the pool).
  Picks are made without replacement using the module RNG R.

  NOTE(review): range(ksz.min, ksz.max, ksz.mod) never yields ksz.max --
  confirm whether max is meant to be inclusive.  An unrecognised KSZ type
  raises UnboundLocalError, as before.
  """
  chosen = []
  if isinstance(ksz, C.KeySZSet):
    pool = list(ksz.set)
  elif isinstance(ksz, C.KeySZRange):
    pool = list(range(ksz.min, ksz.max, ksz.mod))
  elif isinstance(ksz, C.KeySZAny):
    pool = list(range(64))
    chosen = [0]
  remaining = len(pool)
  while remaining and len(chosen) < 4:
    pick = R.range(remaining)
    remaining -= 1
    ## Swap the pick to the end of the live region and take it.
    pool[pick], pool[remaining] = pool[remaining], pool[pick]
    chosen.append(pool[remaining])
  return chosen
87 | ||
def pad0star(m, w):
  """Zero-pad M to a multiple of W bytes; an empty M becomes W zero bytes.

  A non-empty, already-aligned M is returned unchanged apart from the
  ByteString conversion.
  """
  length = len(m)
  shortfall = w if not length else (-length)%w
  padded = m + Z(shortfall) if shortfall else m
  return C.ByteString(padded)
94 | ||
def pad10star(m, w):
  """Append 0x80 then zero bytes to M up to a multiple of W bytes.

  The pad is always at least one byte (w - len(m)%w is never zero), so an
  already-aligned M grows by a whole block.
  """
  fill = w - len(m)%w
  tail = '\x80' + Z(fill - 1)
  return C.ByteString(m + tail)
99 | ||
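def ntz(i):
  """Return the number of trailing zero bits of the integer I.

  Raises ValueError for I == 0, which has no lowest set bit; the previous
  shift loop never terminated on that input.
  """
  if not i:
    raise ValueError('ntz(0) is undefined')
  ## i & -i isolates the lowest set bit; its bit position is the answer.
  return (i & -i).bit_length() - 1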
104 | ||
def blocks(x, w):
  """Split X into W-byte ByteString blocks plus a trailing block.

  Returns (blocks, tail).  The tail is whatever is left once fewer than or
  exactly W bytes remain, so for a non-empty X it holds 1..W bytes: an X
  whose length is an exact multiple of W keeps its last block in the tail
  rather than in the list (compare blocks0()).
  """
  n = len(x)
  ## A block starts at offset s whenever more than w bytes remain after s.
  starts = range(0, n - w, w)
  chunks = [C.ByteString(x[s:s + w]) for s in starts]
  tail_start = w*len(chunks)
  return chunks, C.ByteString(x[tail_start:])
111 | ||
## The empty byte string, passed where a mode wants "no header"/"no message".
EMPTY = C.bytes('')
113 | ||
def blocks0(x, w):
  """Like blocks(), but a full-width tail is moved into the block list.

  Returns (blocks, tail) with the tail strictly shorter than W; it is
  EMPTY when X is block-aligned.
  """
  chunks, tail = blocks(x, w)
  if len(tail) != w:
    return chunks, tail
  chunks.append(tail)
  return chunks, EMPTY
118 | ||
def dummygen(bc):
  """Test-case generator producing no cases (for modes with none, e.g. dec)."""
  return list()
120 | ||
## Name -> cipher class for ciphers implemented here rather than in
## catacomb; populated by the RC6 registration loop below.
CUSTOM = {}
122 | ||
123 | ###-------------------------------------------------------------------------- | |
124 | ### RC6. | |
125 | ||
class RC6Cipher (type):
  """Factory: RC6Cipher(w, r) builds a cipher class for word size W (bits)
  and R rounds.

  The result subclasses RC6Base and carries `name' ('rc6-W/R'), `r', `w',
  `blksz' = w/2 bytes (four w-bit words) and `keysz' =
  C.KeySZRange(blksz, 1, 255, 1).  Since __new__ returns a plain type
  rather than an RC6Cipher instance, no __init__ runs on it.
  """
  def __new__(cls, w, r):
    label = 'rc6-%d/%d' % (w, r)
    attrs = dict(name = label, r = r, w = w, blksz = w//2)
    attrs['keysz'] = C.KeySZRange(attrs['blksz'], 1, 255, 1)
    return type(label, (RC6Base,), attrs)
136 | ||
def rotw(w):
  """Return log2(W) for a power-of-two W, i.e. one less than its bit length
  (the rotation-amount width used by RC6)."""
  width = w.bit_length()
  return width - 1
139 | ||
def rol(w, x, n):
  """Rotate X left by N bits within a W-bit word, returning a W-bit result.

  The masks are C.MP values; bits of X above W are discarded.
  """
  lowmask = C.MP(0).setbit(w - n) - 1
  highmask = C.MP(0).setbit(n) - 1
  shifted_up = (x&lowmask) << n
  wrapped = (x >> (w - n))&highmask
  return shifted_up | wrapped
143 | ||
def ror(w, x, n):
  """Rotate X right by N bits within a W-bit word, returning a W-bit result.

  The masks are C.MP values; bits of X above W are discarded.
  """
  lowmask = C.MP(0).setbit(n) - 1
  highmask = C.MP(0).setbit(w - n) - 1
  wrapped = (x&lowmask) << (w - n)
  shifted_down = (x >> n)&highmask
  return wrapped | shifted_down
147 | ||
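class RC6Base (object):
  """Reference RC6 for word size `w' bits and `r' rounds (set by RC6Cipher).

  An instance holds the expanded subkey table `s' (2r + 4 words) and the
  rotation-amount width `d' = log2(w).  All arithmetic is on C.MP values
  masked to w bits; words are loaded and stored little-endian.
  """

  ## Magic constants: 400-bit expansions (per the RC6 spec, of e - 2 and
  ## phi - 1) which __init__ truncates to the word size and forces odd.
  P400 = C.MP(0xb7e151628aed2a6abf7158809cf4f3c762e7160f38b4da56a784d9045190cfef324e7738926cfbe5f4bf8d8d8c31d763da06)
  Q400 = C.MP(0x9e3779b97f4a7c15f39cc0605cedc8341082276bf3a27251f86c6a11d0c18e952767f0b153d27b7f0347045b5bf1827f0188)

  def __init__(me, k):
    """Expand the key K (a byte string) into the subkey table me.s.

    An empty key trips the assertion below (c would be 0 while L still
    holds one word).
    """
    w = me.w

    ## Build the magic numbers: truncate P400/Q400 to w bits, force odd.
    P = me.P400 >> (400 - w)
    if P%2 == 0: P += 1
    Q = me.Q400 >> (400 - w)
    if Q%2 == 0: Q += 1
    M = C.MP(0).setbit(w) - 1

    ## Convert the key into c little-endian w-bit words; the last word may
    ## be built from a short tail.
    wb = w//8
    c = (len(k) + wb - 1)//wb
    kb, ktl = blocks(k, wb)
    L = [C.MP.loadl(piece) for piece in kb + [ktl]]
    assert c == len(L)

    ## Build the subkey table: S[i] = P + i*Q, then mix the key words in
    ## over 3*max(c, n) steps, cycling through both tables.
    me.d = rotw(w)
    n = 2*me.r + 4
    S = [(P + i*Q)&M for i in range(n)]
    i = j = 0
    A = B = C.MP(0)
    for _ in range(3*max(c, n)):
      A = S[i] = rol(w, S[i] + A + B, 3)
      B = L[j] = rol(w, L[j] + A + B, (A + B)%(1 << me.d))
      i = (i + 1)%n
      j = (j + 1)%c

    ## Done.
    me.s = S

  def encrypt(me, x):
    """Encrypt one block X (four little-endian w-bit words) to a ByteString."""
    M = C.MP(0).setbit(me.w) - 1
    wordsz = me.blksz//4
    a, b, c, d = map(C.MP.loadl, blocks0(x, wordsz)[0])
    b = (b + me.s[0])&M
    d = (d + me.s[1])&M
    for i in range(2, 2*me.r + 2, 2):
      t = rol(me.w, 2*b*b + b, me.d)
      u = rol(me.w, 2*d*d + d, me.d)
      a = (rol(me.w, a ^ t, u%(1 << me.d)) + me.s[i + 0])&M
      c = (rol(me.w, c ^ u, t%(1 << me.d)) + me.s[i + 1])&M
      a, b, c, d = b, c, d, a
    a = (a + me.s[2*me.r + 2])&M
    c = (c + me.s[2*me.r + 3])&M
    return C.ByteString(a.storel(wordsz) + b.storel(wordsz) +
                        c.storel(wordsz) + d.storel(wordsz))

  def decrypt(me, x):
    """Decrypt one block X, exactly inverting encrypt()."""
    M = C.MP(0).setbit(me.w) - 1
    wordsz = me.blksz//4
    ## Take the word list, not the (blocks, tail) pair blocks0 returns.
    a, b, c, d = map(C.MP.loadl, blocks0(x, wordsz)[0])
    ## Undo the output whitening (previously read from an unbound `s').
    c = (c - me.s[2*me.r + 3])&M
    a = (a - me.s[2*me.r + 2])&M
    ## Round subkeys are S[i], S[i+1] for i = 2r, 2r-2, ..., 2, mirroring
    ## the encrypt loop (the old loop started one index too high).
    for i in range(2*me.r, 1, -2):
      a, b, c, d = d, a, b, c
      u = rol(me.w, 2*d*d + d, me.d)
      t = rol(me.w, 2*b*b + b, me.d)
      c = ror(me.w, (c - me.s[i + 1])&M, t%(1 << me.d)) ^ u
      a = ror(me.w, (a - me.s[i + 0])&M, u%(1 << me.d)) ^ t
    ## Undo the input whitening; the old code added the output subkeys
    ## here instead.
    d = (d - me.s[1])&M
    b = (b - me.s[0])&M
    return C.ByteString(a.storel(wordsz) + b.storel(wordsz) +
                        c.storel(wordsz) + d.storel(wordsz))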
231 | ||
## Register every supported RC6 (word size in bits, rounds) variant under
## the name RC6Cipher gives it.
for (w, r) in [(8, 16), (16, 16), (24, 16), (32, 16),
               (32, 20), (48, 16), (64, 16), (96, 16), (128, 16),
               (192, 16), (256, 16), (400, 16)]:
  CUSTOM['rc6-%d/%d' % (w, r)] = RC6Cipher(w, r)
236 | ||
237 | ###-------------------------------------------------------------------------- | |
238 | ### OMAC (or CMAC). | |
239 | ||
def omac_masks(E):
  """Derive the OMAC/CMAC subkeys from the cipher instance E.

  With L = E(0^n) viewed in GF(2^n) modulo poly(8*blksz), returns
  (m0, m1) = (L*x, L*x^2) as ByteStrings.
  """
  blksz = E.__class__.blksz
  p = poly(8*blksz)
  x = C.GF(2)
  L = E.encrypt(Z(blksz))
  m0 = mul_blk_gf(L, x, p)
  m1 = mul_blk_gf(m0, x, p)
  return m0, m1
248 | ||
def dump_omac(E):
  """Print OMAC intermediates for E: L = E(0), the masks m0/m1, and for
  tweaks 0..2 the encrypted tweak block (v) and OMAC of the empty string (z)."""
  blksz = E.__class__.blksz
  m0, m1 = omac_masks(E)
  L = E.encrypt(Z(blksz))
  for label, value in [('L', L), ('m0', m0), ('m1', m1)]:
    print('%s = %s' % (label, hex(value)))
  for t in range(3):
    print('v%d = %s' % (t, hex(E.encrypt(C.MP(t).storeb(blksz)))))
    print('z%d = %s' % (t, hex(omac(E, t, ''))))
258 | ||
def omac(E, t, m):
  """OMAC1/CMAC of M under E with optional integer tweak T.

  A non-None T is prepended as a blksz-byte big-endian block.  CBC runs
  over every block but the last; the last is XORed with m0 when full, or
  padded 10* and XORed with m1 when short.  Returns a blksz-byte tag.
  """
  blksz = E.__class__.blksz
  m0, m1 = omac_masks(E)
  if t is not None:
    m = C.MP(t).storeb(blksz) + m
  chunks, last = blocks(m, blksz)
  acc = Z(blksz)
  for chunk in chunks:
    acc = E.encrypt(acc ^ chunk)
  if len(last) == blksz:
    final = last ^ m0
  else:
    final = pad10star(last, blksz) ^ m1
  return E.encrypt(acc ^ final)
273 | ||
def cmac(E, m):
  """Driver entry: untweaked OMAC of M, returned as a 1-tuple.

  Dumps the intermediates first when VERBOSE is set.
  """
  if VERBOSE:
    dump_omac(E)
  tag = omac(E, None, m)
  return (tag,)
277 | ||
def cmacgen(bc):
  """Message lengths for CMAC vectors: 0, 1, three blocks, three blocks
  less five bytes."""
  w = bc.blksz
  return [(length,) for length in (0, 1, 3*w, 3*w - 5)]
282 | ||
283 | ###-------------------------------------------------------------------------- | |
284 | ### Counter mode. |
285 | ||
def ctr(E, m, c0):
  """Counter-mode encrypt M under E, starting from the big-endian counter
  block C0 and incrementing it as a whole-block integer."""
  blksz = E.__class__.blksz
  stream = C.WriteBuffer()
  counter = C.MP.loadb(c0)
  while stream.size < len(m):
    stream.put(E.encrypt(counter.storeb(blksz)))
    counter += 1
  keystream = C.ByteString(stream)[:len(m)]
  return C.ByteString(m) ^ keystream
294 | ||
295 | ###-------------------------------------------------------------------------- | |
296 | ### GCM. |
297 | ||
def gcm_mangle(x):
  """Reverse the bit order within each byte of X (GCM's reflected element
  convention); returns a ByteString."""
  out = C.WriteBuffer()
  for ch in x:
    bits = bin(ord(ch))[2:].rjust(8, '0')
    out.putu8(int(bits[::-1], 2))
  return C.ByteString(out)
309 | ||
def gcm_mul(x, y):
  """Multiply X and Y (equal-length byte strings) in GCM's GF(2^(8w)):
  bit-reflected, little-endian elements modulo poly(8*w)."""
  w = len(x)
  modulus = poly(8*w)
  xe = C.GF.loadl(gcm_mangle(x))
  ye = C.GF.loadl(gcm_mangle(y))
  product = (xe*ye)%modulus
  return gcm_mangle(product.storel(w))
316 | ||
def gcm_pow(x, n):
  """Raise X to the integer power N in GCM's GF(2^(8w)) (see gcm_mul)."""
  w = len(x)
  modulus = poly(8*w)
  xe = C.GF.loadl(gcm_mangle(x))
  result = pow(xe, n, modulus)
  return gcm_mangle(result.storel(w))
323 | ||
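def gcm_ctr(E, m, c0):
  """GCM counter mode: XOR M with blocks E(prefix || counter).

  C0 is split into a prefix and a trailing big-endian 32-bit counter that
  is pre-incremented for every block.  The increment now wraps modulo
  2^32 as GCM's inc32 does; previously pack('>L') raised struct.error once
  the counter passed 0xffffffff.
  """
  stream = C.WriteBuffer()
  pre = c0[:-4]
  counter, = unpack('>L', c0[-4:])
  while stream.size < len(m):
    counter = (counter + 1)&0xffffffff
    stream.put(E.encrypt(pre + pack('>L', counter)))
  return C.ByteString(m) ^ C.ByteString(stream)[:len(m)]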
332 | ||
def g(what, x, m, a0 = None):
  """GHASH core: fold the len(x)-byte blocks of M into the accumulator
  (A0, or zeros) as acc = (acc ^ block) * X.

  Only whole blocks are used (callers pad with gcm_pad first).  WHAT
  labels the VERBOSE trace lines.
  """
  width = len(x)
  acc = Z(width) if a0 is None else a0
  for i, blk in enumerate(blocks0(m, width)[0]):
    acc = gcm_mul(acc ^ blk, x)
    if VERBOSE:
      print('%s[%d] = %s -> %s' % (what, i, hex(blk), hex(acc)))
  return acc
343 | ||
def gcm_pad(w, x):
  """Zero-pad X up to a multiple of W bytes (unchanged if aligned or empty)."""
  shortfall = (-len(x))%w
  return C.ByteString(x + Z(shortfall))
346 | ||
def gcm_lens(w, a, b):
  """Build the GHASH length block: bit counts A and B, each big-endian in
  w//2 bytes for block sizes of 12 bytes or more.

  NOTE(review): for w < 12 each count is stored in w bytes, so the result
  is two blocks long rather than one -- confirm that is intended.
  """
  fieldsz = w if w < 12 else w//2
  encoded = C.MP(a).storeb(fieldsz) + C.MP(b).storeb(fieldsz)
  return C.ByteString(encoded)
351 | ||
def ghash(whata, whatb, x, a, b):
  """GHASH of A (associated data) then B (ciphertext) under hash key X.

  Each part is zero-padded and hashed on its own; when A is non-empty its
  hash is multiplied by X^ceil(len(b)/w) to shift it past B's blocks
  before the two are combined.  The length block is folded in last.
  """
  w = len(x)
  ha = g(whata, x, gcm_pad(w, a))
  hb = g(whatb, x, gcm_pad(w, b))
  if not a:
    combined = hb
  else:
    nblocks = (len(b) + w - 1)//w
    combined = gcm_mul(ha, gcm_pow(x, nblocks)) ^ hb
    if VERBOSE:
      print('%s || %s -> %s' % (whata, whatb, hex(combined)))
  lens = gcm_lens(w, 8*len(a), 8*len(b))
  return g(whatb, x, lens, combined)
362 | ||
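def gcmenc(E, n, h, m, tsz = None):
  """GCM encrypt: returns (ciphertext, tag[:tsz]).

  N is the nonce: when it is four bytes short of a block it is used
  directly with a 32-bit counter of 1, otherwise it is GHASHed.  H is the
  associated data, M the plaintext.  TSZ is the tag length in bytes and
  defaults to the block size; it used to be accepted but ignored, so the
  full tag was returned regardless (ccmenc/eaxenc truncate).
  """
  w = E.__class__.blksz
  if tsz is None: tsz = w
  x = E.encrypt(Z(w))
  if VERBOSE: print('x = %s' % hex(x))
  if len(n) + 4 == w: c0 = C.ByteString(n + pack('>L', 1))
  else: c0 = ghash('?', 'n', x, EMPTY, n)
  if VERBOSE: print('c0 = %s' % hex(c0))
  y = gcm_ctr(E, m, c0)
  t = ghash('h', 'y', x, h, y) ^ E.encrypt(c0)
  return y, C.ByteString(t[:tsz])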
373 | ||
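def gcmdec(E, n, h, y, t):
  """GCM decrypt: returns (plaintext,) if tag T verifies, else (None,).

  The expected tag is compared truncated to len(t), matching gcmenc's
  tsz truncation and the other *dec functions; previously only a
  full-length tag could verify.
  """
  w = E.__class__.blksz
  x = E.encrypt(Z(w))
  if VERBOSE: print('x = %s' % hex(x))
  if len(n) + 4 == w: c0 = C.ByteString(n + pack('>L', 1))
  else: c0 = ghash('?', 'n', x, EMPTY, n)
  if VERBOSE: print('c0 = %s' % hex(c0))
  m = gcm_ctr(E, y, c0)
  tt = ghash('h', 'y', x, h, y) ^ E.encrypt(c0)
  if t == tt[:len(t)]: return m,
  else: return None,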
385 | ||
def gcmgen(bc):
  """(nonce, header, message) lengths for GCM vectors: the unit cases, a
  block-sized nonce, a nonce four short of a block (direct-counter path),
  and some unaligned sizes."""
  w = bc.blksz
  return [(0, 0, 0), (1, 0, 0), (0, 1, 0), (0, 0, 1),
          (w, 3*w, 3*w),
          (w - 4, w + 3, 3*w + 9),
          (w - 1, 3*w - 5, 3*w + 5)]
391 | ||
def gcm_mul_tests(nbits):
  """Print 64 random GCM field-multiplication vectors for an NBITS-bit
  field in the test-file syntax ('gcm-mulN { x y z; ... }'), drawing the
  operands from the module RNG R."""
  w = nbits//8
  print('gcm-mul%d {' % nbits)
  for _ in range(64):
    x, y = R.block(w), R.block(w)
    z = gcm_mul(x, y)
    print(' %s\n %s\n %s;' % (hex(x), hex(y), hex(z)))
  print('}')
400 | ||
50df5733 | 401 | ###-------------------------------------------------------------------------- |
402 | ### CCM. |
403 | ||
def stbe(n, w):
  """Store the integer N big-endian in exactly W bytes."""
  value = C.MP(n)
  return value.storeb(w)
405 | ||
def ccm_fmthdr(blksz, n, hsz, msz, tsz):
  """Build the CCM B_0 block: flags, nonce N, then MSZ big-endian in the
  remaining q bytes.

  For 8- and 16-byte blocks the flags are one byte: 0x40 if there is a
  header (HSZ non-zero), the tag length in bits 3..5 -- encoded as tsz - 1
  for 8-byte blocks and (tsz - 2)/2 for 16-byte ones -- and q - 1 in the
  low bits, with q = blksz - len(n) - 1.  Other block sizes use two flag
  bytes, tsz then (0x80 if header) | q, with q = blksz - len(n) - 2.
  Prints the header when VERBOSE is set.
  """
  buf = C.WriteBuffer()
  if blksz in (8, 16):
    q = blksz - len(n) - 1
    tagcode = (tsz - 1) if blksz == 8 else (tsz - 2)//2
    flags = (0x40 if hsz else 0) | (tagcode << 3) | (q - 1)
    buf.putu8(flags).put(n).put(stbe(msz, q))
  else:
    q = blksz - len(n) - 2
    flags0 = tsz
    flags1 = (0x80 if hsz else 0) | q
    buf.putu8(flags0).putu8(flags1).put(n).put(stbe(msz, q))
  hdr = C.ByteString(buf)
  if VERBOSE: print('hdr = %s' % hex(hdr))
  return hdr
432 | ||
def ccm_fmtctr(blksz, n, i = 0):
  """Build CCM counter block I: a flag byte q - 1 (or the two bytes 0, q
  for non-standard block sizes), nonce N, then I big-endian in q bytes."""
  buf = C.WriteBuffer()
  if blksz in (8, 16):
    q = blksz - len(n) - 1
    buf.putu8(q - 1)
  else:
    q = blksz - len(n) - 2
    buf.putu8(0).putu8(q)
  buf.put(n).put(stbe(i, q))
  ctrblk = C.ByteString(buf)
  if VERBOSE: print('ctr = %s' % hex(ctrblk))
  return ctrblk
444 | ||
def ccmaad(b, h, blksz):
  """Append the CCM-encoded header H to WriteBuffer B, zero-padded to a
  block boundary.

  The length prefix is omitted for an empty header; 2 bytes below 0xfffe;
  0xfffe plus 4 bytes up to 0xffffffff; 0xffff plus 8 bytes beyond that.
  """
  hsz = len(h)
  if hsz:
    if hsz < 0xfffe: b.putu16(hsz)
    elif hsz <= 0xffffffff: b.putu16(0xfffe).putu32(hsz)
    else: b.putu16(0xffff).putu64(hsz)
  b.put(h)
  b.zero((-b.size)%blksz)
452 | ||
def ccmenc(E, n, h, m, tsz = None):
  """CCM encrypt: returns (ciphertext, tag[:tsz]); TSZ defaults to a block.

  CBC-MAC runs over B_0 || encoded header || zero-padded M.  The MAC block
  is prepended to M before the CTR pass, so the tag is the MAC XORed with
  the counter-0 keystream and the ciphertext follows from counter 1.
  """
  blksz = E.__class__.blksz
  if tsz is None: tsz = blksz
  buf = C.WriteBuffer()
  buf.put(ccm_fmthdr(blksz, n, len(h), len(m), tsz))
  ccmaad(buf, h, blksz)
  buf.put(m)
  buf.zero((-buf.size)%blksz)
  mac = Z(blksz)
  for i, blk in enumerate(blocks0(C.ByteString(buf), blksz)[0]):
    mac = E.encrypt(mac ^ blk)
    if VERBOSE:
      print('b[%d] = %s' % (i, hex(blk)))
      print('a[%d] = %s' % (i + 1, hex(mac)))
  stream = ctr(E, mac + m, ccm_fmtctr(blksz, n))
  return C.ByteString(stream[blksz:]), C.ByteString(stream[0:tsz])
472 | ||
def ccmdec(E, n, h, y, t):
  """CCM decrypt: returns (plaintext,) if tag T verifies, else (None,).

  The tag is unmasked with the counter-0 keystream and the message with
  the rest (the tag is padded to a full block so the offsets line up);
  the CBC-MAC is then recomputed over B_0 || header || plaintext and its
  first len(t) bytes compared.
  """
  blksz = E.__class__.blksz
  tsz = len(t)
  buf = C.WriteBuffer()
  buf.put(ccm_fmthdr(blksz, n, len(h), len(y), tsz))
  ccmaad(buf, h, blksz)
  stream = ctr(E, t + Z(blksz - tsz) + y, ccm_fmtctr(blksz, n))
  u = C.ByteString(stream[0:tsz])
  m = C.ByteString(stream[blksz:])
  buf.put(m)
  buf.zero((-buf.size)%blksz)
  mac = Z(blksz)
  for i, blk in enumerate(blocks0(C.ByteString(buf), blksz)[0]):
    mac = E.encrypt(mac ^ blk)
    if VERBOSE:
      print('b[%d] = %s' % (i, hex(blk)))
      print('a[%d] = %s' % (i + 1, hex(mac)))
  if u == mac[:tsz]:
    return (m,)
  return (None,)
494 | ||
def ccmgen(bc):
  """(nonce, header, message[, tag]) lengths for CCM vectors: three unit
  cases with 4-byte tags and a short nonce, then two bulk cases with a
  half-block nonce and the default tag."""
  w = bc.blksz
  short, half = w - 5, w//2 + 1
  return [(short, 0, 0, 4), (short, 1, 0, 4), (short, 0, 1, 4),
          (half, 3*w, 3*w),
          (half, 3*w - 5, 3*w + 5)]
500 | ||
501 | ###-------------------------------------------------------------------------- | |
502 | ### EAX. |
503 | ||
def eaxenc(E, n, h, m, tsz = None):
  ## EAX encrypt: returns (ciphertext, tag[:tsz]); TSZ defaults to the block
  ## size.  Nonce N, header H and ciphertext are OMAC'd with tweaks 0, 1, 2
  ## and the tag is the XOR of the three; CTR mode starts from the nonce
  ## OMAC.
  if VERBOSE:
    ## NOTE(review): `k' is neither a parameter nor a local here; this print
    ## only works if a module-level `k' is bound whenever VERBOSE is set --
    ## confirm against the main program.
    print 'k = %s' % hex(k)
    print 'n = %s' % hex(n)
    print 'h = %s' % hex(h)
    print 'm = %s' % hex(m)
    dump_omac(E)
  if tsz is None: tsz = E.__class__.blksz
  c0 = omac(E, 0, n)
  y = ctr(E, m, c0)
  ht = omac(E, 1, h)
  yt = omac(E, 2, y)
  if VERBOSE:
    print 'c0 = %s' % hex(c0)
    print 'ht = %s' % hex(ht)
    print 'yt = %s' % hex(yt)
  return y, C.ByteString((c0 ^ ht ^ yt)[:tsz])
521 | ||
def eaxdec(E, n, h, y, t):
  ## EAX decrypt: returns (plaintext,) if the tag T verifies, else (None,).
  ## Mirrors eaxenc; the expected tag is truncated to len(t) for comparison.
  if VERBOSE:
    ## NOTE(review): `k' is neither a parameter nor a local here; this print
    ## only works if a module-level `k' is bound whenever VERBOSE is set --
    ## confirm against the main program.
    print 'k = %s' % hex(k)
    print 'n = %s' % hex(n)
    print 'h = %s' % hex(h)
    print 'y = %s' % hex(y)
    print 't = %s' % hex(t)
    dump_omac(E)
  c0 = omac(E, 0, n)
  m = ctr(E, y, c0)
  ht = omac(E, 1, h)
  yt = omac(E, 2, y)
  if VERBOSE:
    print 'c0 = %s' % hex(c0)
    print 'ht = %s' % hex(ht)
    print 'yt = %s' % hex(yt)
  if t == (c0 ^ ht ^ yt)[:len(t)]: return m,
  else: return None,
540 | ||
def eaxgen(bc):
  """(nonce, header, message) lengths for EAX vectors: the unit cases, a
  block-sized nonce with three-block header and message, and an unaligned
  case."""
  w = bc.blksz
  return [(0, 0, 0), (1, 0, 0), (0, 1, 0), (0, 0, 1),
          (w, 3*w, 3*w),
          (w - 1, 3*w - 5, 3*w + 5)]
545 | ||
546 | ###-------------------------------------------------------------------------- | |
547 | ### PMAC. |
548 | ||
def ocb_masks(E):
  """Compute the OCB1/PMAC1 mask tables for E.

  With L = E(0^n) in GF(2^n) modulo poly(8*blksz), returns
  (Lgamma, Lxinv) where Lgamma[i] = L * x^i for i in 0..65 and
  Lxinv = L * x^-1.
  """
  blksz = E.__class__.blksz
  p = poly(8*blksz)
  x = C.GF(2)
  xinv = p.modinv(x)
  L = E.encrypt(Z(blksz))
  Lxinv = mul_blk_gf(L, xinv, p)
  Lgamma = [L]
  for _ in range(65):
    Lgamma.append(mul_blk_gf(Lgamma[-1], x, p))
  return Lgamma, Lxinv
560 | ||
def dump_ocb(E):
  """Print L*x^-1 and the first sixteen L*x^i masks for E."""
  Lgamma, Lxinv = ocb_masks(E)
  print('L x^-1 = %s' % hex(Lxinv))
  for i in range(16):
    print('L x^%d = %s' % (i, hex(Lgamma[i])))
566 | ||
def pmac1(E, m):
  """PMAC1 (Rogaway) of M under E; returns the full-block tag.

  Block i is XORed with the running offset (offset ^= L*x^ntz(i)) before
  encryption and the results are XORed together.  A full final block is
  XORed in with L*x^-1; a short one is padded 10*.
  """
  blksz = E.__class__.blksz
  Lgamma, Lxinv = ocb_masks(E)
  acc = offset = Z(blksz)
  chunks, last = blocks(m, blksz)
  for i, chunk in enumerate(chunks, 1):
    b = ntz(i)
    offset ^= Lgamma[b]
    acc ^= E.encrypt(chunk ^ offset)
    if VERBOSE:
      print('Z[%d]: %d -> %s' % (i, b, hex(offset)))
      print('A[%d]: %s' % (i, hex(acc)))
  if len(last) == blksz:
    acc ^= last ^ Lxinv
  else:
    acc ^= pad10star(last, blksz)
  return E.encrypt(acc)
584 | ||
def pmac2(E, m):
  """PMAC2 of M under E (the header MAC for OCB2); returns a block tag.

  Offsets live in GF(2^n) modulo the primitive polynomial prim(8*blksz):
  the first is L*(x^3 + x) with L = E(0^n), and each block multiplies it
  by x.  A full final block is XORed with offset*(x + 1), a short one is
  padded 10* and XORed with offset*(x^2 + 1).
  """
  blksz = E.__class__.blksz
  p = prim(8*blksz)
  x = C.GF(2)
  offset = mul_blk_gf(E.encrypt(Z(blksz)), C.GF(10), p)
  acc = Z(blksz)
  chunks, last = blocks(m, blksz)
  for chunk in chunks:
    acc ^= E.encrypt(chunk ^ offset)
    offset = mul_blk_gf(offset, x, p)
  if len(last) == blksz:
    acc ^= last ^ mul_blk_gf(offset, C.GF(3), p)
  else:
    acc ^= pad10star(last, blksz) ^ mul_blk_gf(offset, C.GF(5), p)
  return E.encrypt(acc)
598 | ||
def ocb3_masks(E):
  """Return (L_*, L_$, Lgamma) for OCB3, derived from ocb_masks():
  L_* = L, L_$ = L*x and Lgamma[i] = L*x^(i+2)."""
  table, _ = ocb_masks(E)
  Lstar, Ldollar = table[:2]
  return Lstar, Ldollar, table[2:]
604 | ||
def dump_ocb3(E):
  """Print L_*, L_$ and the first sixteen OCB3 L*x^i masks for E."""
  Lstar, Ldollar, Lgamma = ocb3_masks(E)
  print('L_* = %s' % hex(Lstar))
  print('L_$ = %s' % hex(Ldollar))
  for i in range(16):
    print('L x^%d = %s' % (i, hex(Lgamma[i])))
611 | ||
def pmac3(E, m):
  """OCB3's PMAC-style header hash of M under E; returns the raw
  accumulator (not passed through a final encryption).

  Note that `PMAC3' is /not/ a secure MAC on its own: it depends on other
  parts of OCB3 to prevent a rather easy linear-algebra attack.
  """
  blksz = E.__class__.blksz
  Lstar, Ldollar, Lgamma = ocb3_masks(E)
  acc = offset = Z(blksz)
  chunks, last = blocks0(m, blksz)
  i = 0
  for i, chunk in enumerate(chunks, 1):
    b = ntz(i)
    offset ^= Lgamma[b]
    acc ^= E.encrypt(chunk ^ offset)
    if VERBOSE:
      print('Z[%d]: %d -> %s' % (i, b, hex(offset)))
      print('A[%d]: %s' % (i, hex(acc)))
  if last:
    ## Short final block: mask with L_* and pad 10*.
    offset ^= Lstar
    acc ^= E.encrypt(pad10star(last, blksz) ^ offset)
    if VERBOSE:
      print('Z[%d]: * -> %s' % (i, hex(offset)))
      print('A[%d]: %s' % (i, hex(acc)))
  return acc
635 | ||
def pmac1_pub(E, m):
  """Driver entry: PMAC1 of M as a 1-tuple, dumping masks when VERBOSE."""
  if VERBOSE:
    dump_ocb(E)
  tag = pmac1(E, m)
  return (tag,)
639 | ||
def pmacgen(bc):
  """Message lengths for PMAC vectors: 0, 1, three blocks, three blocks
  less five bytes."""
  w = bc.blksz
  return [(length,) for length in (0, 1, 3*w, 3*w - 5)]
644 | ||
645 | ###-------------------------------------------------------------------------- | |
646 | ### OCB. | |
647 | ||
def ocb1enc(E, n, h, m, tsz = None):
  ## This is OCB1.PMAC1 from Rogaway's `Authenticated-Encryption with
  ## Associated-Data'.
  ##
  ## Returns (ciphertext, tag[:tsz]); TSZ defaults to the block size.  The
  ## header H, if non-empty, is authenticated with pmac1 and XORed into the
  ## tag.  Masks come from ocb_masks: Lgamma[i] = L x^i, Lxinv = L x^-1.
  blksz = E.__class__.blksz
  if VERBOSE: dump_ocb(E)
  Lgamma, Lxinv = ocb_masks(E)
  if tsz is None: tsz = blksz
  a = Z(blksz)
  ## Initial offset R = E(N ^ L).
  o = E.encrypt(n ^ Lgamma[0])
  if VERBOSE: print 'R = %s' % hex(o)
  i = 0
  y = C.WriteBuffer()
  v, tl = blocks(m, blksz)
  for x in v:
    ## Block i: offset ^= L x^ntz(i); the checksum accumulates plaintext.
    i += 1
    b = ntz(i)
    o ^= Lgamma[b]
    a ^= x
    if VERBOSE:
      print 'Z[%d]: %d -> %s' % (i, b, hex(o))
      print 'A[%d]: %s' % (i, hex(a))
    y.put(E.encrypt(x ^ o) ^ o)
  ## Final block (up to blksz bytes): encrypt the bit-length block masked
  ## with L x^-1 and the next offset, and use it as a pad.
  i += 1
  b = ntz(i)
  o ^= Lgamma[b]
  n = len(tl)   # NB: rebinds `n' from the nonce to the tail length
  if VERBOSE:
    print 'Z[%d]: %d -> %s' % (i, b, hex(o))
    print 'LEN = %s' % hex(C.MP(8*n).storeb(blksz))
  yfinal = E.encrypt(C.MP(8*n).storeb(blksz) ^ Lxinv ^ o)
  cfinal = tl ^ yfinal[:n]
  a ^= o ^ (tl + yfinal[n:])
  y.put(cfinal)
  t = E.encrypt(a)
  if h: t ^= pmac1(E, h)
  return C.ByteString(y), C.ByteString(t[:tsz])
684 | ||
def ocb1dec(E, n, h, y, t):
  ## This is OCB1.PMAC1 from Rogaway's `Authenticated-Encryption with
  ## Associated-Data'.
  ##
  ## Returns (plaintext,) if the tag T verifies (compared truncated to
  ## len(t)), else (None,).  Mirrors ocb1enc, using the block-cipher
  ## inverse for full blocks and the same length-block pad for the tail.
  blksz = E.__class__.blksz
  if VERBOSE: dump_ocb(E)
  Lgamma, Lxinv = ocb_masks(E)
  a = Z(blksz)
  ## Initial offset R = E(N ^ L).
  o = E.encrypt(n ^ Lgamma[0])
  if VERBOSE: print 'R = %s' % hex(o)
  i = 0
  m = C.WriteBuffer()
  v, tl = blocks(y, blksz)
  for x in v:
    i += 1
    b = ntz(i)
    o ^= Lgamma[b]
    if VERBOSE:
      print 'Z[%d]: %d -> %s' % (i, b, hex(o))
      print 'A[%d]: %s' % (i, hex(a))
    ## Checksum is over the recovered plaintext.
    u = E.decrypt(x ^ o) ^ o
    m.put(u)
    a ^= u
  i += 1
  b = ntz(i)
  o ^= Lgamma[b]
  n = len(tl)   # NB: rebinds `n' from the nonce to the tail length
  if VERBOSE:
    print 'Z[%d]: %d -> %s' % (i, b, hex(o))
    print 'LEN = %s' % hex(C.MP(8*n).storeb(blksz))
  yfinal = E.encrypt(C.MP(8*n).storeb(blksz) ^ Lxinv ^ o)
  mfinal = tl ^ yfinal[:n]
  a ^= o ^ (mfinal + yfinal[n:])
  m.put(mfinal)
  u = E.encrypt(a)
  if h: u ^= pmac1(E, h)
  if t == u[:len(t)]: return C.ByteString(m),
  else: return None,
722 | ||
def ocb2enc(E, n, h, m, tsz = None):
  ## OCB2 encrypt: returns (ciphertext, tag[:tsz]); TSZ defaults to the
  ## block size.  Offsets start at E(N)*x in GF(2^w) modulo prim(8*blksz)
  ## and advance by x per block; a non-empty header H is folded in with
  ## pmac2.
  ##
  ## For OCB2, it's important for security that n = log_x (x + 1) is large in
  ## the field representations of GF(2^w) used -- in fact, we need more, that
  ## i n (mod 2^w - 1) is large for i in {4, -3, -2, -1, 1, 2, 3, 4}.  The
  ## original paper lists the values for 64 and 128, but we support other
  ## block sizes, so here's the result of the (rather large, in some cases)
  ## computation.
  ##
  ##    Block size    log_x (x + 1)
  ##
  ##      64    9686038906114705801
  ##      96    63214690573408919568138788065
  ##     128    338793687469689340204974836150077311399
  ##     192    161110085006042185925119981866940491651092686475226538785
  ##     256    22928580326165511958494515843249267194111962539778797914076675796261938307298

  blksz = E.__class__.blksz
  if tsz is None: tsz = blksz
  p = prim(8*blksz)
  L = E.encrypt(n)
  o = mul_blk_gf(L, C.GF(2), p)
  a = Z(blksz)
  v, tl = blocks(m, blksz)
  y = C.WriteBuffer()
  for x in v:
    a ^= x
    y.put(E.encrypt(x ^ o) ^ o)
    o = mul_blk_gf(o, C.GF(2), p)
  ## Final block: the encrypted bit-length block is the pad; the checksum
  ## takes the tail plus the unused pad bytes, masked with offset*(x + 1).
  n = len(tl)   # NB: rebinds `n' from the nonce to the tail length
  yfinal = E.encrypt(C.MP(8*n).storeb(blksz) ^ o)
  cfinal = tl ^ yfinal[:n]
  a ^= (tl + yfinal[n:]) ^ mul_blk_gf(o, C.GF(3), p)
  y.put(cfinal)
  t = E.encrypt(a)
  if h: t ^= pmac2(E, h)
  return C.ByteString(y), C.ByteString(t[:tsz])
759 | ||
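def ocb2dec(E, n, h, y, t):
  """OCB2 decrypt: returns (plaintext,) if tag T verifies, else (None,).

  Mirrors ocb2enc: offsets start at E(n)*x over prim(8*blksz) and advance
  by x per block; the checksum is over recovered plaintext; a non-empty
  header is folded in with pmac2.  The tag is compared truncated to len(t).
  """
  blksz = E.__class__.blksz
  p = prim(8*blksz)
  L = E.encrypt(n)
  o = mul_blk_gf(L, C.GF(2), p)
  a = Z(blksz)
  v, tl = blocks(y, blksz)
  m = C.WriteBuffer()
  for x in v:
    ## Full blocks need the block-cipher inverse (cf. ocb1dec); the old
    ## code applied E.encrypt, which does not undo ocb2enc's step.
    u = E.decrypt(x ^ o) ^ o
    ## The recovered block goes into the plaintext buffer m; the old code
    ## called y.put(u) on the ciphertext argument.
    m.put(u)
    a ^= u
    o = mul_blk_gf(o, C.GF(2), p)
  n = len(tl)   # NB: rebinds `n' from the nonce to the tail length
  yfinal = E.encrypt(C.MP(8*n).storeb(blksz) ^ o)
  mfinal = tl ^ yfinal[:n]
  a ^= (mfinal + yfinal[n:]) ^ mul_blk_gf(o, C.GF(3), p)
  m.put(mfinal)
  u = E.encrypt(a)
  if h: u ^= pmac2(E, h)
  if t == u[:len(t)]: return C.ByteString(m),
  else: return None,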
782 | ||
OCB3_STRETCH = {
  ## Block size in bytes -> (number of low nonce bits used as the rotation
  ## amount, shift applied when forming the stretch); see ocb3nonce().
  4: (4, 17),
  8: (5, 25),
  12: (6, 33),
  16: (6, 8),
  24: (7, 40),
  32: (8, 1),
  48: (8, 80),
  64: (8, 176),
  96: (9, 160),
  128: (9, 352),
  200: (10, 192),
}
794 | ||
def ocb3nonce(E, n, tsz):
  ## Return the initial OCB3 offset Z[0] for nonce N and a TSZ-byte tag.

  ## Figure out how much we need to glue onto the nonce.  This ends up being
  ## [t mod w]_v || 0^p || 1 || N, where w is the block size in bits, t is
  ## the tag length in bits, v = floor(log_2(w - 1)) + 1, and p = w - l(N) -
  ## v - 1.  But this is an annoying way to think about it because of the
  ## byte misalignment.  Instead, think of it as a byte-aligned prefix
  ## encoding the tag and an `is the nonce full-length' flag, followed by
  ## optional padding, and then the nonce:
  ##
  ##    F || N                 if l(N) = w - f
  ##    F || 0^p || 1 || N     otherwise
  ##
  ## where F is [t mod w]_v || 0^{f-v-1} || b; f = floor(log_2(w - 1)) + 2;
  ## b is 1 if l(N) = w - f, or 0 otherwise; and p = w - f - l(N) - 1.
  blksz = E.__class__.blksz
  tszbits = min(C.MP(8*blksz - 1).nbits, 8)
  fwd = tszbits/8 + 1
  ## Parses as (8*(tsz%blksz)) << (8*fwd - tszbits): the tag length in
  ## bits mod w, left-aligned in the top tszbits bits of an fwd-byte field.
  ## The unary `+' after `<<' is a no-op, not a typo.
  f = 8*(tsz%blksz) << + 8*fwd - tszbits

  ## Form the augmented nonce.
  nb = C.WriteBuffer()
  nsz, nwd = len(n), blksz - fwd
  if nsz == nwd: f |= 1
  nb.put(C.MP(f).storeb(fwd))
  if nsz < nwd: nb.zero(nwd - nsz - 1).putu8(1)
  nb.put(n)
  nn = C.ByteString(nb)
  if VERBOSE: print 'aug-nonce = %s' % hex(nn)

  ## Calculate the initial offset: encrypt the nonce with its low `split'
  ## bits cleared, extend that by a shifted-XOR stretch, and take the
  ## block-sized window `bottom' bits down from the top.
  split, shift = OCB3_STRETCH[blksz]
  t2pw = C.MP(0).setbit(8*blksz) - 1
  lomask = (C.MP(0).setbit(split) - 1)
  himask = ~lomask
  top, bottom = nn&himask.storeb2c(blksz), C.MP.loadb(nn)&lomask
  ktop = C.MP.loadb(E.encrypt(top))
  ## `&' binds tighter than `^': ktop ^ ((ktop << shift) & t2pw).
  stretch = (ktop << 8*blksz) | (ktop ^ (ktop << shift)&t2pw)
  ## Shift amount is (8*blksz - bottom).
  o = (stretch >> 8*blksz - bottom).storeb(blksz)
  if VERBOSE:
    print 'stretch = %s' % hex(stretch.storeb(2*blksz))
    print 'Z[0] = %s' % hex(o)

  return o
839 | ||
def ocb3enc(E, n, h, m, tsz = None):
  ## OCB3 encrypt: returns (ciphertext, tag[:tsz]); TSZ defaults to the
  ## block size.  The header H is hashed with pmac3 and XORed into the tag.
  blksz = E.__class__.blksz
  if tsz is None: tsz = blksz
  Lstar, Ldollar, Lgamma = ocb3_masks(E)
  if VERBOSE: dump_ocb3(E)

  ## Set things up.
  o = ocb3nonce(E, n, tsz)
  a = C.ByteString.zero(blksz)

  ## Split the message into blocks.
  i = 0
  y = C.WriteBuffer()
  v, tl = blocks0(m, blksz)
  for x in v:
    ## Block i: offset ^= L x^ntz(i); the checksum accumulates plaintext.
    i += 1
    b = ntz(i)
    o ^= Lgamma[b]
    a ^= x
    if VERBOSE:
      print 'Z[%d]: %d -> %s' % (i, b, hex(o))
      print 'A[%d]: %s' % (i, hex(a))
    y.put(E.encrypt(x ^ o) ^ o)
  if tl:
    ## Short final block: E(offset ^ L_*) is used as a keystream pad and
    ## the checksum takes the 10*-padded tail.
    o ^= Lstar
    n = len(tl)   # NB: rebinds `n' from the nonce to the tail length
    pad = E.encrypt(o)
    a ^= pad10star(tl, blksz)
    if VERBOSE:
      print 'Z[%d]: * -> %s' % (i, hex(o))
      print 'A[%d]: %s' % (i, hex(a))
    y.put(tl ^ pad[0:n])
  ## Tag: encrypt the checksum under offset ^ L_$ and add the header hash.
  o ^= Ldollar
  t = E.encrypt(a ^ o) ^ pmac3(E, h)
  return C.ByteString(y), C.ByteString(t[:tsz])
875 | ||
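def ocb3dec(E, n, h, y, t):
  ## OCB3 decrypt: returns (plaintext,) if the tag T verifies, else (None,).
  ## Mirrors ocb3enc; the tag length is taken from T.
  blksz = E.__class__.blksz
  tsz = len(t)
  Lstar, Ldollar, Lgamma = ocb3_masks(E)
  if VERBOSE: dump_ocb3(E)

  ## Set things up.
  o = ocb3nonce(E, n, tsz)
  a = C.ByteString.zero(blksz)

  ## Split the message into blocks.
  i = 0
  m = C.WriteBuffer()
  v, tl = blocks0(y, blksz)
  for x in v:
    i += 1
    b = ntz(i)
    o ^= Lgamma[b]
    if VERBOSE:
      print 'Z[%d]: %d -> %s' % (i, b, hex(o))
      print 'A[%d]: %s' % (i, hex(a))
    ## Full blocks need the block-cipher inverse (cf. ocb1dec); the old
    ## code applied E.encrypt, which does not undo ocb3enc's step.
    u = E.decrypt(x ^ o) ^ o
    m.put(u)
    a ^= u
  if tl:
    ## Short final block: the pad E(offset ^ L_*) is a keystream, so the
    ## forward direction is correct here.
    o ^= Lstar
    n = len(tl)   # NB: rebinds `n' from the nonce to the tail length
    pad = E.encrypt(o)
    if VERBOSE:
      print 'Z[%d]: * -> %s' % (i, hex(o))
      print 'A[%d]: %s' % (i, hex(a))
    u = tl ^ pad[0:n]
    m.put(u)
    a ^= pad10star(u, blksz)
  o ^= Ldollar
  u = E.encrypt(a ^ o) ^ pmac3(E, h)
  if t == u[:tsz]: return C.ByteString(m),
  else: return None,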
914 | ||
def ocbgen(bc):
  """(nonce, header, message) lengths for OCB1/OCB2 vectors; the nonce is
  always a full block."""
  w = bc.blksz
  cases = [(0, 0), (1, 0), (0, 1),
           (0, 3*w), (3*w, 3*w),
           (0, 3*w + 5), (3*w - 5, 3*w + 5)]
  return [(w, hlen, mlen) for hlen, mlen in cases]
922 | ||
def ocb3gen(bc):
  """(nonce, header, message) lengths for OCB3 vectors; nonces are a few
  bytes short of a block to exercise the augmented-nonce padding."""
  w = bc.blksz
  return [(w - 2, 0, 0), (w - 2, 1, 0), (w - 2, 0, 1),
          (w - 5, 0, 3*w),
          (w - 3, 3*w, 3*w),
          (w - 2, 0, 3*w + 5),
          (w - 2, 3*w - 5, 3*w + 5)]
930 | ||
def ocb3_mct(bc, ksz, tsz):
  """OCB3 Monte-Carlo test: print the tag over the concatenated outputs.

  The key is KSZ bytes: zeros then the 32-bit big-endian tag length in
  bits.  For i in 0..127, an i-byte zero string s is encrypted three ways
  -- (header s, message s), (no header, s), (s, no message) -- under
  consecutive (blksz - 4)-byte nonces starting at 1, appending ciphertext
  and tag to a buffer.  That buffer is finally authenticated as a header
  under the next nonce and the resulting tag printed.
  """
  k = C.ByteString(C.WriteBuffer().zero(ksz - 4).putu32(8*tsz))
  E = bc(k)
  nw = bc.blksz - 4
  nonce = 1
  cbuf = C.WriteBuffer()
  for i in range(128):
    s = C.ByteString.zero(i)
    for hdr, msg in ((s, s), (EMPTY, s), (s, EMPTY)):
      y, t = ocb3enc(E, C.MP(nonce).storeb(nw), hdr, msg, tsz)
      nonce += 1
      cbuf.put(y).put(t)
  _, t = ocb3enc(E, C.MP(nonce).storeb(nw), C.ByteString(cbuf), EMPTY, tsz)
  print(hex(t))
944 | ||
def ocb3_mct2(bc):
  ## Variant of ocb3_mct with a fixed test key, 2-byte counter nonces and
  ## tags of min(blksz, 32) bytes; the I-th message is the byte sequence
  ## 0, 1, ..., I-1 rather than zeros.  Prints the final tag only.
  E = bc(C.bytes('000102030405060708090a0b0c0d0e0f'))
  tsz = min(E.blksz, 32)
  ctr = C.MP(1)
  cbuf = C.WriteBuffer()
  for i in xrange(128):
    sbuf = C.WriteBuffer()
    for j in xrange(i): sbuf.putu8(j)
    s = C.ByteString(sbuf)
    ## Three (header, message) shapes per round, fresh nonce per call.
    for hdr, msg in [(s, s), (EMPTY, s), (s, EMPTY)]:
      y, t = ocb3enc(E, ctr.storeb(2), hdr, msg, tsz)
      ctr += 1
      cbuf.put(y).put(t)
  _, t = ocb3enc(E, ctr.storeb(2), C.ByteString(cbuf), EMPTY, tsz)
  print(hex(t))
960 | ||
b39fadb6 | 961 | ###-------------------------------------------------------------------------- |
962 | ### Main program. |
963 | ||
class struct (object):
  ## Plain attribute bag: struct(a=1, b=2) yields an object with .a and .b.
  def __init__(me, **kw):
    for name, value in kw.items(): setattr(me, name, value)
967 | ||
## Argument kinds used by MODEMAP.  `mk' builds an argument of a given size
## for the vector-table path (R is the script's fixed-seed generator, so the
## "random" inputs and keys are reproducible and must not be treated as
## secret); `parse' converts a command-line string; `show' formats the
## argument for the table, or is None to omit it.
binarg = struct(mk=R.block, parse=C.bytes, show=safehex)
intarg = struct(mk=lambda x: x, parse=int, show=None)
970 | ||
## Mode table: name -> (generator of argument shapes for the vector table,
## per-argument handling (see binarg/intarg), implementation).  The `-enc'
## entries take three byte strings plus an integer tag length; the `-dec'
## entries take four byte strings, the last being the tag to verify (e.g.
## ocb3dec(E, n, h, y, t)); the MACs take a single byte string.
_AEAD_ENC_ARGS = 3*[binarg] + [intarg]
_AEAD_DEC_ARGS = 4*[binarg]
_MAC_ARGS = [binarg]
MODEMAP = {
  'eax-enc': (eaxgen, _AEAD_ENC_ARGS, eaxenc),
  'eax-dec': (dummygen, _AEAD_DEC_ARGS, eaxdec),
  'ccm-enc': (ccmgen, _AEAD_ENC_ARGS, ccmenc),
  'ccm-dec': (dummygen, _AEAD_DEC_ARGS, ccmdec),
  'cmac': (cmacgen, _MAC_ARGS, cmac),
  'gcm-enc': (gcmgen, _AEAD_ENC_ARGS, gcmenc),
  'gcm-dec': (dummygen, _AEAD_DEC_ARGS, gcmdec),
  'ocb1-enc': (ocbgen, _AEAD_ENC_ARGS, ocb1enc),
  'ocb1-dec': (dummygen, _AEAD_DEC_ARGS, ocb1dec),
  'ocb2-enc': (ocbgen, _AEAD_ENC_ARGS, ocb2enc),
  'ocb2-dec': (dummygen, _AEAD_DEC_ARGS, ocb2dec),
  'ocb3-enc': (ocb3gen, _AEAD_ENC_ARGS, ocb3enc),
  'ocb3-dec': (dummygen, _AEAD_DEC_ARGS, ocb3dec),
  'pmac1': (pmacgen, _MAC_ARGS, pmac1_pub),
}
985 | |
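## Command line: MODE CIPHER [KEY ARGS...].  With only MODE and CIPHER the
## vector table for MODE is printed; with KEY and ARGS (hex / integers as
## MODEMAP's argument kinds dictate) a single case is run verbosely.
mode = argv[1]
if len(argv) == 3 and mode == 'gcm-mul':
  ## Stand-alone GF(2^n) multiplication vectors; no block cipher involved.
  VERBOSE = False
  nbits = int(argv[2])
  gcm_mul_tests(nbits)
  exit(0)

## Look the cipher up, preferring the script's own CUSTOM table over the
## library's.  `raise KeyError(...)' rather than the py2-only `raise X, y'.
bc = None
for d in CUSTOM, C.gcprps:
  try: bc = d[argv[2]]
  except KeyError: pass
  else: break
if bc is None: raise KeyError(argv[2])

if len(argv) == 5 and mode == 'ocb3-mct':
  VERBOSE = False
  ksz, tsz = int(argv[3]), int(argv[4])
  ocb3_mct(bc, ksz, tsz)
  exit(0)
if len(argv) == 3 and mode == 'ocb3-mct2':
  VERBOSE = False
  ocb3_mct2(bc)
  exit(0)

if len(argv) == 3:
  ## Vector table: one block per key length, one case per argument shape.
  ## Keys come from R, the script's fixed-seed generator, so the table is
  ## reproducible; these keys are test data, not secrets.
  VERBOSE = False
  gen, argty, func = MODEMAP[mode]
  if mode.endswith('-enc'): mode = mode[:-4]
  print('%s-%s {' % (bc.name, mode))
  for ksz in keylens(bc.keysz):
    for argvals in gen(bc):
      k = R.block(ksz)
      args = [t.mk(a) for t, a in izip(argty, argvals)]
      rets = func(bc(k), *args)
      print(' %s' % safehex(k))
      for t, a in izip(argty, args):
        if t.show: print(' %s' % t.show(a))
      ## The last result is terminated with `;'.
      for r, lastp in with_lastp(rets):
        print(' %s%s' % (safehex(r), ';' if lastp else ''))
  print('}')
else:
  ## Single verbose case: KEY is hex, the remaining arguments are parsed by
  ## the mode's argument kinds.  A None result (failed verification) prints
  ## as `X'.
  VERBOSE = True
  k = C.bytes(argv[3])
  gen, argty, func = MODEMAP[mode]
  args = [t.parse(a) for t, a in izip(argty, argv[4:])]
  rets = func(bc(k), *args)
  for r in rets:
    if r is None: print("X")
    else: print(hex(r))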
1032 | |
1033 | ###----- That's all, folks -------------------------------------------------- |