| 1 | #! /usr/bin/python |
| 2 | |
| 3 | from sys import argv, exit |
| 4 | from struct import unpack, pack |
| 5 | from itertools import izip |
| 6 | import catacomb as C |
| 7 | |
| 8 | R = C.FibRand(0) |
| 9 | |
| 10 | ###-------------------------------------------------------------------------- |
| 11 | ### Utilities. |
| 12 | |
| 13 | def combs(things, k): |
| 14 | ii = range(k) |
| 15 | n = len(things) |
| 16 | while True: |
| 17 | yield [things[i] for i in ii] |
| 18 | for j in xrange(k): |
| 19 | if j == k - 1: lim = n |
| 20 | else: lim = ii[j + 1] |
| 21 | i = ii[j] + 1 |
| 22 | if i < lim: |
| 23 | ii[j] = i |
| 24 | break |
| 25 | ii[j] = j |
| 26 | else: |
| 27 | return |
| 28 | |
| 29 | POLYMAP = {} |
| 30 | |
| 31 | def poly(nbits): |
| 32 | try: return POLYMAP[nbits] |
| 33 | except KeyError: pass |
| 34 | base = C.GF(0).setbit(nbits).setbit(0) |
| 35 | for k in xrange(1, nbits, 2): |
| 36 | for cc in combs(range(1, nbits), k): |
| 37 | p = base + sum((C.GF(0).setbit(c) for c in cc), C.GF(0)) |
| 38 | if p.irreduciblep(): POLYMAP[nbits] = p; return p |
| 39 | raise ValueError, nbits |
| 40 | |
| 41 | def prim(nbits): |
| 42 | ## No fancy way to do this: I'd need a much cleverer factoring algorithm |
| 43 | ## than I have in my pockets. |
| 44 | if nbits == 64: cc = [64, 4, 3, 1, 0] |
| 45 | elif nbits == 96: cc = [96, 10, 9, 6, 0] |
| 46 | elif nbits == 128: cc = [128, 7, 2, 1, 0] |
| 47 | elif nbits == 192: cc = [192, 15, 11, 5, 0] |
| 48 | elif nbits == 256: cc = [256, 10, 5, 2, 0] |
| 49 | else: raise ValueError, 'no field for %d bits' % nbits |
| 50 | p = C.GF(0) |
| 51 | for c in cc: p = p.setbit(c) |
| 52 | return p |
| 53 | |
| 54 | def Z(n): |
| 55 | return C.ByteString.zero(n) |
| 56 | |
| 57 | def mul_blk_gf(m, x, p): return ((C.GF.loadb(m)*x)%p).storeb((p.nbits + 6)/8) |
| 58 | |
| 59 | def with_lastp(it): |
| 60 | it = iter(it) |
| 61 | try: j = next(it) |
| 62 | except StopIteration: raise ValueError, 'empty iter' |
| 63 | lastp = False |
| 64 | while not lastp: |
| 65 | i = j |
| 66 | try: j = next(it) |
| 67 | except StopIteration: lastp = True |
| 68 | yield i, lastp |
| 69 | |
| 70 | def safehex(x): |
| 71 | if len(x): return hex(x) |
| 72 | else: return '""' |
| 73 | |
| 74 | def keylens(ksz): |
| 75 | sel = [] |
| 76 | if isinstance(ksz, C.KeySZSet): kk = ksz.set |
| 77 | elif isinstance(ksz, C.KeySZRange): kk = range(ksz.min, ksz.max, ksz.mod) |
| 78 | elif isinstance(ksz, C.KeySZAny): kk = range(64); sel = [0] |
| 79 | kk = list(kk); kk = kk[:] |
| 80 | n = len(kk) |
| 81 | while n and len(sel) < 4: |
| 82 | i = R.range(n) |
| 83 | n -= 1 |
| 84 | kk[i], kk[n] = kk[n], kk[i] |
| 85 | sel.append(kk[n]) |
| 86 | return sel |
| 87 | |
| 88 | def pad0star(m, w): |
| 89 | n = len(m) |
| 90 | if not n: r = w |
| 91 | else: r = (-len(m))%w |
| 92 | if r: m += Z(r) |
| 93 | return C.ByteString(m) |
| 94 | |
| 95 | def pad10star(m, w): |
| 96 | r = w - len(m)%w |
| 97 | if r: m += '\x80' + Z(r - 1) |
| 98 | return C.ByteString(m) |
| 99 | |
| 100 | def ntz(i): |
| 101 | j = 0 |
| 102 | while (i&1) == 0: i >>= 1; j += 1 |
| 103 | return j |
| 104 | |
| 105 | def blocks(x, w): |
| 106 | v, i, n = [], 0, len(x) |
| 107 | while n - i > w: |
| 108 | v.append(C.ByteString(x[i:i + w])) |
| 109 | i += w |
| 110 | return v, C.ByteString(x[i:]) |
| 111 | |
| 112 | EMPTY = C.bytes('') |
| 113 | |
| 114 | def blocks0(x, w): |
| 115 | v, tl = blocks(x, w) |
| 116 | if len(tl) == w: v.append(tl); tl = EMPTY |
| 117 | return v, tl |
| 118 | |
| 119 | def dummygen(bc): return [] |
| 120 | |
| 121 | CUSTOM = {} |
| 122 | |
| 123 | ###-------------------------------------------------------------------------- |
| 124 | ### RC6. |
| 125 | |
| 126 | class RC6Cipher (type): |
| 127 | def __new__(cls, w, r): |
| 128 | name = 'rc6-%d/%d' % (w, r) |
| 129 | me = type(name, (RC6Base,), {}) |
| 130 | me.name = name |
| 131 | me.r = r |
| 132 | me.w = w |
| 133 | me.blksz = w/2 |
| 134 | me.keysz = C.KeySZRange(me.blksz, 1, 255, 1) |
| 135 | return me |
| 136 | |
| 137 | def rotw(w): |
| 138 | return w.bit_length() - 1 |
| 139 | |
| 140 | def rol(w, x, n): |
| 141 | m0, m1 = C.MP(0).setbit(w - n) - 1, C.MP(0).setbit(n) - 1 |
| 142 | return ((x&m0) << n) | (x >> (w - n))&m1 |
| 143 | |
| 144 | def ror(w, x, n): |
| 145 | m0, m1 = C.MP(0).setbit(n) - 1, C.MP(0).setbit(w - n) - 1 |
| 146 | return ((x&m0) << (w - n)) | (x >> n)&m1 |
| 147 | |
| 148 | class RC6Base (object): |
| 149 | |
| 150 | ## Magic constants. |
| 151 | P400 = C.MP(0xb7e151628aed2a6abf7158809cf4f3c762e7160f38b4da56a784d9045190cfef324e7738926cfbe5f4bf8d8d8c31d763da06) |
| 152 | Q400 = C.MP(0x9e3779b97f4a7c15f39cc0605cedc8341082276bf3a27251f86c6a11d0c18e952767f0b153d27b7f0347045b5bf1827f0188) |
| 153 | |
| 154 | def __init__(me, k): |
| 155 | |
| 156 | ## Build the magic numbers. |
| 157 | P = me.P400 >> (400 - me.w) |
| 158 | if P%2 == 0: P += 1 |
| 159 | Q = me.Q400 >> (400 - me.w) |
| 160 | if Q%2 == 0: Q += 1 |
| 161 | M = C.MP(0).setbit(me.w) - 1 |
| 162 | |
| 163 | ## Convert the key into words. |
| 164 | wb = me.w/8 |
| 165 | c = (len(k) + wb - 1)/wb |
| 166 | kb, ktl = blocks(k, me.w/8) |
| 167 | L = map(C.MP.loadl, kb + [ktl]) |
| 168 | assert c == len(L) |
| 169 | |
| 170 | ## Build the subkey table. |
| 171 | me.d = rotw(me.w) |
| 172 | n = 2*me.r + 4 |
| 173 | S = [(P + i*Q)&M for i in xrange(n)] |
| 174 | |
| 175 | ##for j in xrange(c): |
| 176 | ## print 'L[%3d] = %s' % (j, hex(L[j]).upper()[2:].rjust(2*wb, '0')) |
| 177 | ##for i in xrange(n): |
| 178 | ## print 'S[%3d] = %s' % (i, hex(S[i]).upper()[2:].rjust(2*wb, '0')) |
| 179 | |
| 180 | i = j = 0 |
| 181 | A = B = C.MP(0) |
| 182 | |
| 183 | for s in xrange(3*max(c, n)): |
| 184 | A = S[i] = rol(me.w, S[i] + A + B, 3) |
| 185 | B = L[j] = rol(me.w, L[j] + A + B, (A + B)%(1 << me.d)) |
| 186 | ##print 'S[%3d] = %s' % (i, hex(S[i]).upper()[2:].rjust(2*wb, '0')) |
| 187 | ##print 'L[%3d] = %s' % (j, hex(L[j]).upper()[2:].rjust(2*wb, '0')) |
| 188 | i = (i + 1)%n |
| 189 | j = (j + 1)%c |
| 190 | |
| 191 | ## Done. |
| 192 | me.s = S |
| 193 | |
| 194 | def encrypt(me, x): |
| 195 | M = C.MP(0).setbit(me.w) - 1 |
| 196 | a, b, c, d = map(C.MP.loadl, blocks0(x, me.blksz/4)[0]) |
| 197 | b = (b + me.s[0])&M |
| 198 | d = (d + me.s[1])&M |
| 199 | ##print 'B = %s' % (hex(b).upper()[2:].rjust(me.w/4, '0')) |
| 200 | ##print 'D = %s' % (hex(d).upper()[2:].rjust(me.w/4, '0')) |
| 201 | for i in xrange(2, 2*me.r + 2, 2): |
| 202 | t = rol(me.w, 2*b*b + b, me.d) |
| 203 | u = rol(me.w, 2*d*d + d, me.d) |
| 204 | a = (rol(me.w, a ^ t, u%(1 << me.d)) + me.s[i + 0])&M |
| 205 | c = (rol(me.w, c ^ u, t%(1 << me.d)) + me.s[i + 1])&M |
| 206 | ##print 'A = %s' % (hex(a).upper()[2:].rjust(me.w/4, '0')) |
| 207 | ##print 'C = %s' % (hex(c).upper()[2:].rjust(me.w/4, '0')) |
| 208 | a, b, c, d = b, c, d, a |
| 209 | a = (a + me.s[2*me.r + 2])&M |
| 210 | c = (c + me.s[2*me.r + 3])&M |
| 211 | ##print 'A = %s' % (hex(a).upper()[2:].rjust(me.w/4, '0')) |
| 212 | ##print 'C = %s' % (hex(c).upper()[2:].rjust(me.w/4, '0')) |
| 213 | return C.ByteString(a.storel(me.blksz/4) + b.storel(me.blksz/4) + |
| 214 | c.storel(me.blksz/4) + d.storel(me.blksz/4)) |
| 215 | |
| 216 | def decrypt(me, x): |
| 217 | M = C.MP(0).setbit(me.w) - 1 |
| 218 | a, b, c, d = map(C.MP.loadl, blocks0(x, me.blksz/4)) |
| 219 | c = (c - me.s[2*me.r + 3])&M |
| 220 | a = (a - me.s[2*me.r + 2])&M |
| 221 | for i in xrange(2*me.r + 1, 1, -2): |
| 222 | a, b, c, d = d, a, b, c |
| 223 | u = rol(me.w, 2*d*d + d, me.d) |
| 224 | t = rol(me.w, 2*b*b + b, me.d) |
| 225 | c = ror(me.w, (c - me.s[i + 1])&M, t%(1 << me.d)) ^ u |
| 226 | a = ror(me.w, (a - me.s[i + 0])&M, u%(1 << me.d)) ^ t |
| 227 | a = (a + s[2*me.r + 2])&M |
| 228 | c = (c + s[2*me.r + 3])&M |
| 229 | return C.ByteString(a.storel(me.blksz/4) + b.storel(me.blksz/4) + |
| 230 | c.storel(me.blksz/4) + d.storel(me.blksz/4)) |
| 231 | |
| 232 | for (w, r) in [(8, 16), (16, 16), (24, 16), (32, 16), |
| 233 | (32, 20), (48, 16), (64, 16), (96, 16), (128, 16), |
| 234 | (192, 16), (256, 16), (400, 16)]: |
| 235 | CUSTOM['rc6-%d/%d' % (w, r)] = RC6Cipher(w, r) |
| 236 | |
| 237 | ###-------------------------------------------------------------------------- |
| 238 | ### OMAC (or CMAC). |
| 239 | |
| 240 | def omac_masks(E): |
| 241 | blksz = E.__class__.blksz |
| 242 | p = poly(8*blksz) |
| 243 | z = Z(blksz) |
| 244 | L = E.encrypt(z) |
| 245 | m0 = mul_blk_gf(L, C.GF(2), p) |
| 246 | m1 = mul_blk_gf(m0, C.GF(2), p) |
| 247 | return m0, m1 |
| 248 | |
| 249 | def dump_omac(E): |
| 250 | blksz = E.__class__.blksz |
| 251 | m0, m1 = omac_masks(E) |
| 252 | print 'L = %s' % hex(E.encrypt(Z(blksz))) |
| 253 | print 'm0 = %s' % hex(m0) |
| 254 | print 'm1 = %s' % hex(m1) |
| 255 | for t in xrange(3): |
| 256 | print 'v%d = %s' % (t, hex(E.encrypt(C.MP(t).storeb(blksz)))) |
| 257 | print 'z%d = %s' % (t, hex(omac(E, t, ''))) |
| 258 | |
| 259 | def omac(E, t, m): |
| 260 | blksz = E.__class__.blksz |
| 261 | m0, m1 = omac_masks(E) |
| 262 | a = Z(blksz) |
| 263 | if t is not None: m = C.MP(t).storeb(blksz) + m |
| 264 | v, tl = blocks(m, blksz) |
| 265 | for x in v: a = E.encrypt(a ^ x) |
| 266 | r = blksz - len(tl) |
| 267 | if r == 0: |
| 268 | a = E.encrypt(a ^ tl ^ m0) |
| 269 | else: |
| 270 | pad = pad10star(tl, blksz) |
| 271 | a = E.encrypt(a ^ pad ^ m1) |
| 272 | return a |
| 273 | |
| 274 | def cmac(E, m): |
| 275 | if VERBOSE: dump_omac(E) |
| 276 | return omac(E, None, m), |
| 277 | |
| 278 | def cmacgen(bc): |
| 279 | return [(0,), (1,), |
| 280 | (3*bc.blksz,), |
| 281 | (3*bc.blksz - 5,)] |
| 282 | |
| 283 | ###-------------------------------------------------------------------------- |
| 284 | ### Counter mode. |
| 285 | |
| 286 | def ctr(E, m, c0): |
| 287 | blksz = E.__class__.blksz |
| 288 | y = C.WriteBuffer() |
| 289 | c = C.MP.loadb(c0) |
| 290 | while y.size < len(m): |
| 291 | y.put(E.encrypt(c.storeb(blksz))) |
| 292 | c += 1 |
| 293 | return C.ByteString(m) ^ C.ByteString(y)[:len(m)] |
| 294 | |
| 295 | ###-------------------------------------------------------------------------- |
| 296 | ### GCM. |
| 297 | |
| 298 | def gcm_mangle(x): |
| 299 | y = C.WriteBuffer() |
| 300 | for b in x: |
| 301 | b = ord(b) |
| 302 | bb = 0 |
| 303 | for i in xrange(8): |
| 304 | bb <<= 1 |
| 305 | if b&1: bb |= 1 |
| 306 | b >>= 1 |
| 307 | y.putu8(bb) |
| 308 | return C.ByteString(y) |
| 309 | |
| 310 | def gcm_mul(x, y): |
| 311 | w = len(x) |
| 312 | p = poly(8*w) |
| 313 | u, v = C.GF.loadl(gcm_mangle(x)), C.GF.loadl(gcm_mangle(y)) |
| 314 | z = (u*v)%p |
| 315 | return gcm_mangle(z.storel(w)) |
| 316 | |
| 317 | def gcm_pow(x, n): |
| 318 | w = len(x) |
| 319 | p = poly(8*w) |
| 320 | u = C.GF.loadl(gcm_mangle(x)) |
| 321 | z = pow(u, n, p) |
| 322 | return gcm_mangle(z.storel(w)) |
| 323 | |
| 324 | def gcm_ctr(E, m, c0): |
| 325 | y = C.WriteBuffer() |
| 326 | pre = c0[:-4] |
| 327 | c, = unpack('>L', c0[-4:]) |
| 328 | while y.size < len(m): |
| 329 | c += 1 |
| 330 | y.put(E.encrypt(pre + pack('>L', c))) |
| 331 | return C.ByteString(m) ^ C.ByteString(y)[:len(m)] |
| 332 | |
| 333 | def g(what, x, m, a0 = None): |
| 334 | n = len(x) |
| 335 | if a0 is None: a = Z(n) |
| 336 | else: a = a0 |
| 337 | i = 0 |
| 338 | for b in blocks0(m, n)[0]: |
| 339 | a = gcm_mul(a ^ b, x) |
| 340 | if VERBOSE: print '%s[%d] = %s -> %s' % (what, i, hex(b), hex(a)) |
| 341 | i += 1 |
| 342 | return a |
| 343 | |
| 344 | def gcm_pad(w, x): |
| 345 | return C.ByteString(x + Z(-len(x)%w)) |
| 346 | |
| 347 | def gcm_lens(w, a, b): |
| 348 | if w < 12: n = w |
| 349 | else: n = w/2 |
| 350 | return C.ByteString(C.MP(a).storeb(n) + C.MP(b).storeb(n)) |
| 351 | |
| 352 | def ghash(whata, whatb, x, a, b): |
| 353 | w = len(x) |
| 354 | ha = g(whata, x, gcm_pad(w, a)) |
| 355 | hb = g(whatb, x, gcm_pad(w, b)) |
| 356 | if a: |
| 357 | hc = gcm_mul(ha, gcm_pow(x, (len(b) + w - 1)/w)) ^ hb |
| 358 | if VERBOSE: print '%s || %s -> %s' % (whata, whatb, hex(hc)) |
| 359 | else: |
| 360 | hc = hb |
| 361 | return g(whatb, x, gcm_lens(w, 8*len(a), 8*len(b)), hc) |
| 362 | |
| 363 | def gcmenc(E, n, h, m, tsz = None): |
| 364 | w = E.__class__.blksz |
| 365 | x = E.encrypt(Z(w)) |
| 366 | if VERBOSE: print 'x = %s' % hex(x) |
| 367 | if len(n) + 4 == w: c0 = C.ByteString(n + pack('>L', 1)) |
| 368 | else: c0 = ghash('?', 'n', x, EMPTY, n) |
| 369 | if VERBOSE: print 'c0 = %s' % hex(c0) |
| 370 | y = gcm_ctr(E, m, c0) |
| 371 | t = ghash('h', 'y', x, h, y) ^ E.encrypt(c0) |
| 372 | return y, t |
| 373 | |
| 374 | def gcmdec(E, n, h, y, t): |
| 375 | w = E.__class__.blksz |
| 376 | x = E.encrypt(Z(w)) |
| 377 | if VERBOSE: print 'x = %s' % hex(x) |
| 378 | if len(n) + 4 == w: c0 = C.ByteString(n + pack('>L', 1)) |
| 379 | else: c0 = ghash('?', 'n', x, EMPTY, n) |
| 380 | if VERBOSE: print 'c0 = %s' % hex(c0) |
| 381 | m = gcm_ctr(E, y, c0) |
| 382 | tt = ghash('h', 'y', x, h, y) ^ E.encrypt(c0) |
| 383 | if t == tt: return m, |
| 384 | else: return None, |
| 385 | |
| 386 | def gcmgen(bc): |
| 387 | return [(0, 0, 0), (1, 0, 0), (0, 1, 0), (0, 0, 1), |
| 388 | (bc.blksz, 3*bc.blksz, 3*bc.blksz), |
| 389 | (bc.blksz - 4, bc.blksz + 3, 3*bc.blksz + 9), |
| 390 | (bc.blksz - 1, 3*bc.blksz - 5, 3*bc.blksz + 5)] |
| 391 | |
| 392 | def gcm_mul_tests(nbits): |
| 393 | print 'gcm-mul%d {' % nbits |
| 394 | for i in xrange(64): |
| 395 | x = R.block(nbits/8) |
| 396 | y = R.block(nbits/8) |
| 397 | z = gcm_mul(x, y) |
| 398 | print ' %s\n %s\n %s;' % (hex(x), hex(y), hex(z)) |
| 399 | print '}' |
| 400 | |
| 401 | ###-------------------------------------------------------------------------- |
| 402 | ### CCM. |
| 403 | |
| 404 | def stbe(n, w): return C.MP(n).storeb(w) |
| 405 | |
| 406 | def ccm_fmthdr(blksz, n, hsz, msz, tsz): |
| 407 | b = C.WriteBuffer() |
| 408 | if blksz == 8: |
| 409 | q = blksz - len(n) - 1 |
| 410 | f = 0 |
| 411 | if hsz: f |= 0x40 |
| 412 | f |= (tsz - 1) << 3 |
| 413 | f |= q - 1 |
| 414 | b.putu8(f).put(n).put(stbe(msz, q)) |
| 415 | elif blksz == 16: |
| 416 | q = blksz - len(n) - 1 |
| 417 | f = 0 |
| 418 | if hsz: f |= 0x40 |
| 419 | f |= (tsz - 2)/2 << 3 |
| 420 | f |= q - 1 |
| 421 | b.putu8(f).put(n).put(stbe(msz, q)) |
| 422 | else: |
| 423 | q = blksz - len(n) - 2 |
| 424 | f0 = f1 = 0 |
| 425 | if hsz: f1 |= 0x80 |
| 426 | f0 |= tsz |
| 427 | f1 |= q |
| 428 | b.putu8(f0).putu8(f1).put(n).put(stbe(msz, q)) |
| 429 | b = C.ByteString(b) |
| 430 | if VERBOSE: print 'hdr = %s' % hex(b) |
| 431 | return b |
| 432 | |
| 433 | def ccm_fmtctr(blksz, n, i = 0): |
| 434 | b = C.WriteBuffer() |
| 435 | if blksz == 8 or blksz == 16: |
| 436 | q = blksz - len(n) - 1 |
| 437 | b.putu8(q - 1).put(n).put(stbe(i, q)) |
| 438 | else: |
| 439 | q = blksz - len(n) - 2 |
| 440 | b.putu8(0).putu8(q).put(n).put(stbe(i, q)) |
| 441 | b = C.ByteString(b) |
| 442 | if VERBOSE: print 'ctr = %s' % hex(b) |
| 443 | return b |
| 444 | |
| 445 | def ccmaad(b, h, blksz): |
| 446 | hsz = len(h) |
| 447 | if not hsz: pass |
| 448 | elif hsz < 0xfffe: b.putu16(hsz) |
| 449 | elif hsz <= 0xffffffff: b.putu16(0xfffe).putu32(hsz) |
| 450 | else: b.putu16(0xffff).putu64(hsz) |
| 451 | b.put(h); b.zero((-b.size)%blksz) |
| 452 | |
| 453 | def ccmenc(E, n, h, m, tsz = None): |
| 454 | blksz = E.__class__.blksz |
| 455 | if tsz is None: tsz = blksz |
| 456 | b = C.WriteBuffer() |
| 457 | b.put(ccm_fmthdr(blksz, n, len(h), len(m), tsz)) |
| 458 | ccmaad(b, h, blksz) |
| 459 | b.put(m); b.zero((-b.size)%blksz) |
| 460 | b = C.ByteString(b) |
| 461 | a = Z(blksz) |
| 462 | v, _ = blocks0(b, blksz) |
| 463 | i = 0 |
| 464 | for x in v: |
| 465 | a = E.encrypt(a ^ x) |
| 466 | if VERBOSE: |
| 467 | print 'b[%d] = %s' % (i, hex(x)) |
| 468 | print 'a[%d] = %s' % (i + 1, hex(a)) |
| 469 | i += 1 |
| 470 | y = ctr(E, a + m, ccm_fmtctr(blksz, n)) |
| 471 | return C.ByteString(y[blksz:]), C.ByteString(y[0:tsz]) |
| 472 | |
| 473 | def ccmdec(E, n, h, y, t): |
| 474 | blksz = E.__class__.blksz |
| 475 | tsz = len(t) |
| 476 | b = C.WriteBuffer() |
| 477 | b.put(ccm_fmthdr(blksz, n, len(h), len(y), tsz)) |
| 478 | ccmaad(b, h, blksz) |
| 479 | mm = ctr(E, t + Z(blksz - tsz) + y, ccm_fmtctr(blksz, n)) |
| 480 | u, m = C.ByteString(mm[0:tsz]), C.ByteString(mm[blksz:]) |
| 481 | b.put(m); b.zero((-b.size)%blksz) |
| 482 | b = C.ByteString(b) |
| 483 | a = Z(blksz) |
| 484 | v, _ = blocks0(b, blksz) |
| 485 | i = 0 |
| 486 | for x in v: |
| 487 | a = E.encrypt(a ^ x) |
| 488 | if VERBOSE: |
| 489 | print 'b[%d] = %s' % (i, hex(x)) |
| 490 | print 'a[%d] = %s' % (i + 1, hex(a)) |
| 491 | i += 1 |
| 492 | if u == a[:tsz]: return m, |
| 493 | else: return None, |
| 494 | |
| 495 | def ccmgen(bc): |
| 496 | bsz = bc.blksz |
| 497 | return [(bsz - 5, 0, 0, 4), (bsz - 5, 1, 0, 4), (bsz - 5, 0, 1, 4), |
| 498 | (bsz/2 + 1, 3*bc.blksz, 3*bc.blksz), |
| 499 | (bsz/2 + 1, 3*bc.blksz - 5, 3*bc.blksz + 5)] |
| 500 | |
| 501 | ###-------------------------------------------------------------------------- |
| 502 | ### EAX. |
| 503 | |
| 504 | def eaxenc(E, n, h, m, tsz = None): |
| 505 | if VERBOSE: |
| 506 | print 'k = %s' % hex(k) |
| 507 | print 'n = %s' % hex(n) |
| 508 | print 'h = %s' % hex(h) |
| 509 | print 'm = %s' % hex(m) |
| 510 | dump_omac(E) |
| 511 | if tsz is None: tsz = E.__class__.blksz |
| 512 | c0 = omac(E, 0, n) |
| 513 | y = ctr(E, m, c0) |
| 514 | ht = omac(E, 1, h) |
| 515 | yt = omac(E, 2, y) |
| 516 | if VERBOSE: |
| 517 | print 'c0 = %s' % hex(c0) |
| 518 | print 'ht = %s' % hex(ht) |
| 519 | print 'yt = %s' % hex(yt) |
| 520 | return y, C.ByteString((c0 ^ ht ^ yt)[:tsz]) |
| 521 | |
| 522 | def eaxdec(E, n, h, y, t): |
| 523 | if VERBOSE: |
| 524 | print 'k = %s' % hex(k) |
| 525 | print 'n = %s' % hex(n) |
| 526 | print 'h = %s' % hex(h) |
| 527 | print 'y = %s' % hex(y) |
| 528 | print 't = %s' % hex(t) |
| 529 | dump_omac(E) |
| 530 | c0 = omac(E, 0, n) |
| 531 | m = ctr(E, y, c0) |
| 532 | ht = omac(E, 1, h) |
| 533 | yt = omac(E, 2, y) |
| 534 | if VERBOSE: |
| 535 | print 'c0 = %s' % hex(c0) |
| 536 | print 'ht = %s' % hex(ht) |
| 537 | print 'yt = %s' % hex(yt) |
| 538 | if t == (c0 ^ ht ^ yt)[:len(t)]: return m, |
| 539 | else: return None, |
| 540 | |
| 541 | def eaxgen(bc): |
| 542 | return [(0, 0, 0), (1, 0, 0), (0, 1, 0), (0, 0, 1), |
| 543 | (bc.blksz, 3*bc.blksz, 3*bc.blksz), |
| 544 | (bc.blksz - 1, 3*bc.blksz - 5, 3*bc.blksz + 5)] |
| 545 | |
| 546 | ###-------------------------------------------------------------------------- |
| 547 | ### PMAC. |
| 548 | |
| 549 | def ocb_masks(E): |
| 550 | blksz = E.__class__.blksz |
| 551 | p = poly(8*blksz) |
| 552 | x = C.GF(2); xinv = p.modinv(x) |
| 553 | z = Z(blksz) |
| 554 | L = E.encrypt(z) |
| 555 | Lxinv = mul_blk_gf(L, xinv, p) |
| 556 | Lgamma = 66*[L] |
| 557 | for i in xrange(1, len(Lgamma)): |
| 558 | Lgamma[i] = mul_blk_gf(Lgamma[i - 1], x, p) |
| 559 | return Lgamma, Lxinv |
| 560 | |
| 561 | def dump_ocb(E): |
| 562 | Lgamma, Lxinv = ocb_masks(E) |
| 563 | print 'L x^-1 = %s' % hex(Lxinv) |
| 564 | for i, lg in enumerate(Lgamma[:16]): |
| 565 | print 'L x^%d = %s' % (i, hex(lg)) |
| 566 | |
| 567 | def pmac1(E, m): |
| 568 | blksz = E.__class__.blksz |
| 569 | Lgamma, Lxinv = ocb_masks(E) |
| 570 | a = o = Z(blksz) |
| 571 | i = 0 |
| 572 | v, tl = blocks(m, blksz) |
| 573 | for x in v: |
| 574 | i += 1 |
| 575 | b = ntz(i) |
| 576 | o ^= Lgamma[b] |
| 577 | a ^= E.encrypt(x ^ o) |
| 578 | if VERBOSE: |
| 579 | print 'Z[%d]: %d -> %s' % (i, b, hex(o)) |
| 580 | print 'A[%d]: %s' % (i, hex(a)) |
| 581 | if len(tl) == blksz: a ^= tl ^ Lxinv |
| 582 | else: a ^= pad10star(tl, blksz) |
| 583 | return E.encrypt(a) |
| 584 | |
| 585 | def pmac2(E, m): |
| 586 | blksz = E.__class__.blksz |
| 587 | p = prim(8*blksz) |
| 588 | L = E.encrypt(Z(blksz)) |
| 589 | o = mul_blk_gf(L, C.GF(10), p) |
| 590 | a = Z(blksz) |
| 591 | v, tl = blocks(m, blksz) |
| 592 | for x in v: |
| 593 | a ^= E.encrypt(x ^ o) |
| 594 | o = mul_blk_gf(o, C.GF(2), p) |
| 595 | if len(tl) == blksz: a ^= tl ^ mul_blk_gf(o, C.GF(3), p) |
| 596 | else: a ^= pad10star(tl, blksz) ^ mul_blk_gf(o, C.GF(5), p) |
| 597 | return E.encrypt(a) |
| 598 | |
| 599 | def ocb3_masks(E): |
| 600 | Lgamma, _ = ocb_masks(E) |
| 601 | Lstar = Lgamma[0] |
| 602 | Ldollar = Lgamma[1] |
| 603 | return Lstar, Ldollar, Lgamma[2:] |
| 604 | |
| 605 | def dump_ocb3(E): |
| 606 | Lstar, Ldollar, Lgamma = ocb3_masks(E) |
| 607 | print 'L_* = %s' % hex(Lstar) |
| 608 | print 'L_$ = %s' % hex(Ldollar) |
| 609 | for i, lg in enumerate(Lgamma[:16]): |
| 610 | print 'L x^%d = %s' % (i, hex(lg)) |
| 611 | |
| 612 | def pmac3(E, m): |
| 613 | ## Note that `PMAC3' is /not/ a secure MAC. It depends on other parts of |
| 614 | ## OCB3 to prevent a rather easy linear-algebra attack. |
| 615 | blksz = E.__class__.blksz |
| 616 | Lstar, Ldollar, Lgamma = ocb3_masks(E) |
| 617 | a = o = Z(blksz) |
| 618 | i = 0 |
| 619 | v, tl = blocks0(m, blksz) |
| 620 | for x in v: |
| 621 | i += 1 |
| 622 | b = ntz(i) |
| 623 | o ^= Lgamma[b] |
| 624 | a ^= E.encrypt(x ^ o) |
| 625 | if VERBOSE: |
| 626 | print 'Z[%d]: %d -> %s' % (i, b, hex(o)) |
| 627 | print 'A[%d]: %s' % (i, hex(a)) |
| 628 | if tl: |
| 629 | o ^= Lstar |
| 630 | a ^= E.encrypt(pad10star(tl, blksz) ^ o) |
| 631 | if VERBOSE: |
| 632 | print 'Z[%d]: * -> %s' % (i, hex(o)) |
| 633 | print 'A[%d]: %s' % (i, hex(a)) |
| 634 | return a |
| 635 | |
| 636 | def pmac1_pub(E, m): |
| 637 | if VERBOSE: dump_ocb(E) |
| 638 | return pmac1(E, m), |
| 639 | |
| 640 | def pmacgen(bc): |
| 641 | return [(0,), (1,), |
| 642 | (3*bc.blksz,), |
| 643 | (3*bc.blksz - 5,)] |
| 644 | |
| 645 | ###-------------------------------------------------------------------------- |
| 646 | ### OCB. |
| 647 | |
| 648 | def ocb1enc(E, n, h, m, tsz = None): |
| 649 | ## This is OCB1.PMAC1 from Rogaway's `Authenticated-Encryption with |
| 650 | ## Associated-Data'. |
| 651 | blksz = E.__class__.blksz |
| 652 | if VERBOSE: dump_ocb(E) |
| 653 | Lgamma, Lxinv = ocb_masks(E) |
| 654 | if tsz is None: tsz = blksz |
| 655 | a = Z(blksz) |
| 656 | o = E.encrypt(n ^ Lgamma[0]) |
| 657 | if VERBOSE: print 'R = %s' % hex(o) |
| 658 | i = 0 |
| 659 | y = C.WriteBuffer() |
| 660 | v, tl = blocks(m, blksz) |
| 661 | for x in v: |
| 662 | i += 1 |
| 663 | b = ntz(i) |
| 664 | o ^= Lgamma[b] |
| 665 | a ^= x |
| 666 | if VERBOSE: |
| 667 | print 'Z[%d]: %d -> %s' % (i, b, hex(o)) |
| 668 | print 'A[%d]: %s' % (i, hex(a)) |
| 669 | y.put(E.encrypt(x ^ o) ^ o) |
| 670 | i += 1 |
| 671 | b = ntz(i) |
| 672 | o ^= Lgamma[b] |
| 673 | n = len(tl) |
| 674 | if VERBOSE: |
| 675 | print 'Z[%d]: %d -> %s' % (i, b, hex(o)) |
| 676 | print 'LEN = %s' % hex(C.MP(8*n).storeb(blksz)) |
| 677 | yfinal = E.encrypt(C.MP(8*n).storeb(blksz) ^ Lxinv ^ o) |
| 678 | cfinal = tl ^ yfinal[:n] |
| 679 | a ^= o ^ (tl + yfinal[n:]) |
| 680 | y.put(cfinal) |
| 681 | t = E.encrypt(a) |
| 682 | if h: t ^= pmac1(E, h) |
| 683 | return C.ByteString(y), C.ByteString(t[:tsz]) |
| 684 | |
| 685 | def ocb1dec(E, n, h, y, t): |
| 686 | ## This is OCB1.PMAC1 from Rogaway's `Authenticated-Encryption with |
| 687 | ## Associated-Data'. |
| 688 | blksz = E.__class__.blksz |
| 689 | if VERBOSE: dump_ocb(E) |
| 690 | Lgamma, Lxinv = ocb_masks(E) |
| 691 | a = Z(blksz) |
| 692 | o = E.encrypt(n ^ Lgamma[0]) |
| 693 | if VERBOSE: print 'R = %s' % hex(o) |
| 694 | i = 0 |
| 695 | m = C.WriteBuffer() |
| 696 | v, tl = blocks(y, blksz) |
| 697 | for x in v: |
| 698 | i += 1 |
| 699 | b = ntz(i) |
| 700 | o ^= Lgamma[b] |
| 701 | if VERBOSE: |
| 702 | print 'Z[%d]: %d -> %s' % (i, b, hex(o)) |
| 703 | print 'A[%d]: %s' % (i, hex(a)) |
| 704 | u = E.decrypt(x ^ o) ^ o |
| 705 | m.put(u) |
| 706 | a ^= u |
| 707 | i += 1 |
| 708 | b = ntz(i) |
| 709 | o ^= Lgamma[b] |
| 710 | n = len(tl) |
| 711 | if VERBOSE: |
| 712 | print 'Z[%d]: %d -> %s' % (i, b, hex(o)) |
| 713 | print 'LEN = %s' % hex(C.MP(8*n).storeb(blksz)) |
| 714 | yfinal = E.encrypt(C.MP(8*n).storeb(blksz) ^ Lxinv ^ o) |
| 715 | mfinal = tl ^ yfinal[:n] |
| 716 | a ^= o ^ (mfinal + yfinal[n:]) |
| 717 | m.put(mfinal) |
| 718 | u = E.encrypt(a) |
| 719 | if h: u ^= pmac1(E, h) |
| 720 | if t == u[:len(t)]: return C.ByteString(m), |
| 721 | else: return None, |
| 722 | |
| 723 | def ocb2enc(E, n, h, m, tsz = None): |
| 724 | ## For OCB2, it's important for security that n = log_x (x + 1) is large in |
| 725 | ## the field representations of GF(2^w) used -- in fact, we need more, that |
| 726 | ## i n (mod 2^w - 1) is large for i in {4, -3, -2, -1, 1, 2, 3, 4}. The |
| 727 | ## original paper lists the values for 64 and 128, but we support other |
| 728 | ## block sizes, so here's the result of the (rather large, in some cases) |
| 729 | ## computation. |
| 730 | ## |
| 731 | ## Block size log_x (x + 1) |
| 732 | ## |
| 733 | ## 64 9686038906114705801 |
| 734 | ## 96 63214690573408919568138788065 |
| 735 | ## 128 338793687469689340204974836150077311399 |
| 736 | ## 192 161110085006042185925119981866940491651092686475226538785 |
| 737 | ## 256 22928580326165511958494515843249267194111962539778797914076675796261938307298 |
| 738 | |
| 739 | blksz = E.__class__.blksz |
| 740 | if tsz is None: tsz = blksz |
| 741 | p = prim(8*blksz) |
| 742 | L = E.encrypt(n) |
| 743 | o = mul_blk_gf(L, C.GF(2), p) |
| 744 | a = Z(blksz) |
| 745 | v, tl = blocks(m, blksz) |
| 746 | y = C.WriteBuffer() |
| 747 | for x in v: |
| 748 | a ^= x |
| 749 | y.put(E.encrypt(x ^ o) ^ o) |
| 750 | o = mul_blk_gf(o, C.GF(2), p) |
| 751 | n = len(tl) |
| 752 | yfinal = E.encrypt(C.MP(8*n).storeb(blksz) ^ o) |
| 753 | cfinal = tl ^ yfinal[:n] |
| 754 | a ^= (tl + yfinal[n:]) ^ mul_blk_gf(o, C.GF(3), p) |
| 755 | y.put(cfinal) |
| 756 | t = E.encrypt(a) |
| 757 | if h: t ^= pmac2(E, h) |
| 758 | return C.ByteString(y), C.ByteString(t[:tsz]) |
| 759 | |
| 760 | def ocb2dec(E, n, h, y, t): |
| 761 | blksz = E.__class__.blksz |
| 762 | p = prim(8*blksz) |
| 763 | L = E.encrypt(n) |
| 764 | o = mul_blk_gf(L, C.GF(2), p) |
| 765 | a = Z(blksz) |
| 766 | v, tl = blocks(y, blksz) |
| 767 | m = C.WriteBuffer() |
| 768 | for x in v: |
| 769 | u = E.encrypt(x ^ o) ^ o |
| 770 | y.put(u) |
| 771 | a ^= u |
| 772 | o = mul_blk_gf(o, C.GF(2), p) |
| 773 | n = len(tl) |
| 774 | yfinal = E.encrypt(C.MP(8*n).storeb(blksz) ^ o) |
| 775 | mfinal = tl ^ yfinal[:n] |
| 776 | a ^= (mfinal + yfinal[n:]) ^ mul_blk_gf(o, C.GF(3), p) |
| 777 | m.put(mfinal) |
| 778 | u = E.encrypt(a) |
| 779 | if h: u ^= pmac2(E, h) |
| 780 | if t == u[:len(t)]: return C.ByteString(m), |
| 781 | else: return None, |
| 782 | |
| 783 | OCB3_STRETCH = { 4: ( 4, 17), |
| 784 | 8: ( 5, 25), |
| 785 | 12: ( 6, 33), |
| 786 | 16: ( 6, 8), |
| 787 | 24: ( 7, 40), |
| 788 | 32: ( 8, 1), |
| 789 | 48: ( 8, 80), |
| 790 | 64: ( 8, 176), |
| 791 | 96: ( 9, 160), |
| 792 | 128: ( 9, 352), |
| 793 | 200: (10, 192) } |
| 794 | |
| 795 | def ocb3nonce(E, n, tsz): |
| 796 | |
| 797 | ## Figure out how much we need to glue onto the nonce. This ends up being |
| 798 | ## [t mod w]_v || 0^p || 1 || N, where w is the block size in bits, t is |
| 799 | ## the tag length in bits, v = floor(log_2(w - 1)) + 1, and p = w - l(N) - |
| 800 | ## v - 1. But this is an annoying way to think about it because of the |
| 801 | ## byte misalignment. Instead, think of it as a byte-aligned prefix |
| 802 | ## encoding the tag and an `is the nonce full-length' flag, followed by |
| 803 | ## optional padding, and then the nonce: |
| 804 | ## |
| 805 | ## F || N if l(N) = w - f |
| 806 | ## F || 0^p || 1 || N otherwise |
| 807 | ## |
| 808 | ## where F is [t mod w]_v || 0^{f-v-1} || b; f = floor(log_2(w - 1)) + 2; |
| 809 | ## b is 1 if l(N) = w - f, or 0 otherwise; and p = w - f - l(N) - 1. |
| 810 | blksz = E.__class__.blksz |
| 811 | tszbits = min(C.MP(8*blksz - 1).nbits, 8) |
| 812 | fwd = tszbits/8 + 1 |
| 813 | f = 8*(tsz%blksz) << + 8*fwd - tszbits |
| 814 | |
| 815 | ## Form the augmented nonce. |
| 816 | nb = C.WriteBuffer() |
| 817 | nsz, nwd = len(n), blksz - fwd |
| 818 | if nsz == nwd: f |= 1 |
| 819 | nb.put(C.MP(f).storeb(fwd)) |
| 820 | if nsz < nwd: nb.zero(nwd - nsz - 1).putu8(1) |
| 821 | nb.put(n) |
| 822 | nn = C.ByteString(nb) |
| 823 | if VERBOSE: print 'aug-nonce = %s' % hex(nn) |
| 824 | |
| 825 | ## Calculate the initial offset. |
| 826 | split, shift = OCB3_STRETCH[blksz] |
| 827 | t2pw = C.MP(0).setbit(8*blksz) - 1 |
| 828 | lomask = (C.MP(0).setbit(split) - 1) |
| 829 | himask = ~lomask |
| 830 | top, bottom = nn&himask.storeb2c(blksz), C.MP.loadb(nn)&lomask |
| 831 | ktop = C.MP.loadb(E.encrypt(top)) |
| 832 | stretch = (ktop << 8*blksz) | (ktop ^ (ktop << shift)&t2pw) |
| 833 | o = (stretch >> 8*blksz - bottom).storeb(blksz) |
| 834 | if VERBOSE: |
| 835 | print 'stretch = %s' % hex(stretch.storeb(2*blksz)) |
| 836 | print 'Z[0] = %s' % hex(o) |
| 837 | |
| 838 | return o |
| 839 | |
| 840 | def ocb3enc(E, n, h, m, tsz = None): |
| 841 | blksz = E.__class__.blksz |
| 842 | if tsz is None: tsz = blksz |
| 843 | Lstar, Ldollar, Lgamma = ocb3_masks(E) |
| 844 | if VERBOSE: dump_ocb3(E) |
| 845 | |
| 846 | ## Set things up. |
| 847 | o = ocb3nonce(E, n, tsz) |
| 848 | a = C.ByteString.zero(blksz) |
| 849 | |
| 850 | ## Split the message into blocks. |
| 851 | i = 0 |
| 852 | y = C.WriteBuffer() |
| 853 | v, tl = blocks0(m, blksz) |
| 854 | for x in v: |
| 855 | i += 1 |
| 856 | b = ntz(i) |
| 857 | o ^= Lgamma[b] |
| 858 | a ^= x |
| 859 | if VERBOSE: |
| 860 | print 'Z[%d]: %d -> %s' % (i, b, hex(o)) |
| 861 | print 'A[%d]: %s' % (i, hex(a)) |
| 862 | y.put(E.encrypt(x ^ o) ^ o) |
| 863 | if tl: |
| 864 | o ^= Lstar |
| 865 | n = len(tl) |
| 866 | pad = E.encrypt(o) |
| 867 | a ^= pad10star(tl, blksz) |
| 868 | if VERBOSE: |
| 869 | print 'Z[%d]: * -> %s' % (i, hex(o)) |
| 870 | print 'A[%d]: %s' % (i, hex(a)) |
| 871 | y.put(tl ^ pad[0:n]) |
| 872 | o ^= Ldollar |
| 873 | t = E.encrypt(a ^ o) ^ pmac3(E, h) |
| 874 | return C.ByteString(y), C.ByteString(t[:tsz]) |
| 875 | |
| 876 | def ocb3dec(E, n, h, y, t): |
| 877 | blksz = E.__class__.blksz |
| 878 | tsz = len(t) |
| 879 | Lstar, Ldollar, Lgamma = ocb3_masks(E) |
| 880 | if VERBOSE: dump_ocb3(E) |
| 881 | |
| 882 | ## Set things up. |
| 883 | o = ocb3nonce(E, n, tsz) |
| 884 | a = C.ByteString.zero(blksz) |
| 885 | |
| 886 | ## Split the message into blocks. |
| 887 | i = 0 |
| 888 | m = C.WriteBuffer() |
| 889 | v, tl = blocks0(y, blksz) |
| 890 | for x in v: |
| 891 | i += 1 |
| 892 | b = ntz(i) |
| 893 | o ^= Lgamma[b] |
| 894 | if VERBOSE: |
| 895 | print 'Z[%d]: %d -> %s' % (i, b, hex(o)) |
| 896 | print 'A[%d]: %s' % (i, hex(a)) |
| 897 | u = E.encrypt(x ^ o) ^ o |
| 898 | m.put(u) |
| 899 | a ^= u |
| 900 | if tl: |
| 901 | o ^= Lstar |
| 902 | n = len(tl) |
| 903 | pad = E.encrypt(o) |
| 904 | if VERBOSE: |
| 905 | print 'Z[%d]: * -> %s' % (i, hex(o)) |
| 906 | print 'A[%d]: %s' % (i, hex(a)) |
| 907 | u = tl ^ pad[0:n] |
| 908 | m.put(u) |
| 909 | a ^= pad10star(u, blksz) |
| 910 | o ^= Ldollar |
| 911 | u = E.encrypt(a ^ o) ^ pmac3(E, h) |
| 912 | if t == u[:tsz]: return C.ByteString(m), |
| 913 | else: return None, |
| 914 | |
| 915 | def ocbgen(bc): |
| 916 | w = bc.blksz |
| 917 | return [(w, 0, 0), (w, 1, 0), (w, 0, 1), |
| 918 | (w, 0, 3*w), |
| 919 | (w, 3*w, 3*w), |
| 920 | (w, 0, 3*w + 5), |
| 921 | (w, 3*w - 5, 3*w + 5)] |
| 922 | |
| 923 | def ocb3gen(bc): |
| 924 | w = bc.blksz |
| 925 | return [(w - 2, 0, 0), (w - 2, 1, 0), (w - 2, 0, 1), |
| 926 | (w - 5, 0, 3*w), |
| 927 | (w - 3, 3*w, 3*w), |
| 928 | (w - 2, 0, 3*w + 5), |
| 929 | (w - 2, 3*w - 5, 3*w + 5)] |
| 930 | |
| 931 | def ocb3_mct(bc, ksz, tsz): |
| 932 | k = C.ByteString(C.WriteBuffer().zero(ksz - 4).putu32(8*tsz)) |
| 933 | E = bc(k) |
| 934 | n = C.MP(1) |
| 935 | nw = bc.blksz - 4 |
| 936 | cbuf = C.WriteBuffer() |
| 937 | for i in xrange(128): |
| 938 | s = C.ByteString.zero(i) |
| 939 | y, t = ocb3enc(E, n.storeb(nw), s, s, tsz); n += 1; cbuf.put(y).put(t) |
| 940 | y, t = ocb3enc(E, n.storeb(nw), EMPTY, s, tsz); n += 1; cbuf.put(y).put(t) |
| 941 | y, t = ocb3enc(E, n.storeb(nw), s, EMPTY, tsz); n += 1; cbuf.put(y).put(t) |
| 942 | _, t = ocb3enc(E, n.storeb(nw), C.ByteString(cbuf), EMPTY, tsz) |
| 943 | print hex(t) |
| 944 | |
| 945 | def ocb3_mct2(bc): |
| 946 | k = C.bytes('000102030405060708090a0b0c0d0e0f') |
| 947 | E = bc(k) |
| 948 | tsz = min(E.blksz, 32) |
| 949 | n = C.MP(1) |
| 950 | cbuf = C.WriteBuffer() |
| 951 | for i in xrange(128): |
| 952 | sbuf = C.WriteBuffer() |
| 953 | for j in xrange(i): sbuf.putu8(j) |
| 954 | s = C.ByteString(sbuf) |
| 955 | y, t = ocb3enc(E, n.storeb(2), s, s, tsz); n += 1; cbuf.put(y).put(t) |
| 956 | y, t = ocb3enc(E, n.storeb(2), EMPTY, s, tsz); n += 1; cbuf.put(y).put(t) |
| 957 | y, t = ocb3enc(E, n.storeb(2), s, EMPTY, tsz); n += 1; cbuf.put(y).put(t) |
| 958 | _, t = ocb3enc(E, n.storeb(2), C.ByteString(cbuf), EMPTY, tsz) |
| 959 | print hex(t) |
| 960 | |
| 961 | ###-------------------------------------------------------------------------- |
| 962 | ### Main program. |
| 963 | |
| 964 | class struct (object): |
| 965 | def __init__(me, **kw): |
| 966 | me.__dict__.update(kw) |
| 967 | |
| 968 | binarg = struct(mk = R.block, parse = C.bytes, show = safehex) |
| 969 | intarg = struct(mk = lambda x: x, parse = int, show = None) |
| 970 | |
| 971 | MODEMAP = { 'eax-enc': (eaxgen, 3*[binarg] + [intarg], eaxenc), |
| 972 | 'eax-dec': (dummygen, 4*[binarg], eaxdec), |
| 973 | 'ccm-enc': (ccmgen, 3*[binarg] + [intarg], ccmenc), |
| 974 | 'ccm-dec': (dummygen, 4*[binarg], ccmdec), |
| 975 | 'cmac': (cmacgen, [binarg], cmac), |
| 976 | 'gcm-enc': (gcmgen, 3*[binarg] + [intarg], gcmenc), |
| 977 | 'gcm-dec': (dummygen, 4*[binarg], gcmdec), |
| 978 | 'ocb1-enc': (ocbgen, 3*[binarg] + [intarg], ocb1enc), |
| 979 | 'ocb1-dec': (dummygen, 4*[binarg], ocb1dec), |
| 980 | 'ocb2-enc': (ocbgen, 3*[binarg] + [intarg], ocb2enc), |
| 981 | 'ocb2-dec': (dummygen, 4*[binarg], ocb2dec), |
| 982 | 'ocb3-enc': (ocb3gen, 3*[binarg] + [intarg], ocb3enc), |
| 983 | 'ocb3-dec': (dummygen, 4*[binarg], ocb3dec), |
| 984 | 'pmac1': (pmacgen, [binarg], pmac1_pub) } |
| 985 | |
| 986 | mode = argv[1] |
| 987 | if len(argv) == 3 and mode == 'gcm-mul': |
| 988 | VERBOSE = False |
| 989 | nbits = int(argv[2]) |
| 990 | gcm_mul_tests(nbits) |
| 991 | exit(0) |
| 992 | bc = None |
| 993 | for d in CUSTOM, C.gcprps: |
| 994 | try: bc = d[argv[2]] |
| 995 | except KeyError: pass |
| 996 | else: break |
| 997 | if bc is None: raise KeyError, argv[2] |
| 998 | if len(argv) == 5 and mode == 'ocb3-mct': |
| 999 | VERBOSE = False |
| 1000 | ksz, tsz = int(argv[3]), int(argv[4]) |
| 1001 | ocb3_mct(bc, ksz, tsz) |
| 1002 | exit(0) |
| 1003 | if len(argv) == 3 and mode == 'ocb3-mct2': |
| 1004 | VERBOSE = False |
| 1005 | ocb3_mct2(bc) |
| 1006 | exit(0) |
| 1007 | if len(argv) == 3: |
| 1008 | VERBOSE = False |
| 1009 | gen, argty, func = MODEMAP[mode] |
| 1010 | if mode.endswith('-enc'): mode = mode[:-4] |
| 1011 | print '%s-%s {' % (bc.name, mode) |
| 1012 | for ksz in keylens(bc.keysz): |
| 1013 | for argvals in gen(bc): |
| 1014 | k = R.block(ksz) |
| 1015 | args = [t.mk(a) for t, a in izip(argty, argvals)] |
| 1016 | rets = func(bc(k), *args) |
| 1017 | print ' %s' % safehex(k) |
| 1018 | for t, a in izip(argty, args): |
| 1019 | if t.show: print ' %s' % t.show(a) |
| 1020 | for r, lastp in with_lastp(rets): |
| 1021 | print ' %s%s' % (safehex(r), lastp and ';' or '') |
| 1022 | print '}' |
| 1023 | else: |
| 1024 | VERBOSE = True |
| 1025 | k = C.bytes(argv[3]) |
| 1026 | gen, argty, func = MODEMAP[mode] |
| 1027 | args = [t.parse(a) for t, a in izip(argty, argv[4:])] |
| 1028 | rets = func(bc(k), *args) |
| 1029 | for r in rets: |
| 1030 | if r is None: print "X" |
| 1031 | else: print hex(r) |
| 1032 | |
| 1033 | ###----- That's all, folks -------------------------------------------------- |