1 #! /usr/bin/python
2
3 from sys import argv
4 from struct import unpack, pack
5 from itertools import izip
6 import catacomb as C
7
## Source of every generated key and argument.  The fixed seed (0) makes each
## run reproduce the same vectors; FibRand is a (non-cryptographic) Fibonacci
## generator, which is fine for test data and for nothing else.
R = C.FibRand(0)
9
10 ###--------------------------------------------------------------------------
11 ### Utilities.
12
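def combs(things, k):
  """Yield each K-element combination of THINGS as a list, in lexicographic
  order of the chosen indices.

  Review fix: K larger than len(THINGS) raised `IndexError' from the first
  yield; it now yields nothing.  (K == 0 yields a single empty list.)
  """
  n = len(things)
  if k > n: return
  ii = list(range(k))
  while True:
    yield [things[i] for i in ii]
    ## Odometer step: advance the lowest slot that can still move, resetting
    ## the slots below it to their minimum positions.
    for j in range(k):
      lim = n if j == k - 1 else ii[j + 1]
      if ii[j] + 1 < lim:
        ii[j] += 1
        break
      ii[j] = j
    else:
      return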
28
## Cache of irreducible polynomials keyed by degree, filled lazily by `poly'.
POLYMAP = {}
30
def poly(nbits):
  """Return a cached irreducible polynomial of degree NBITS over GF(2).

  Candidates are x^NBITS + 1 plus an odd number of middle terms (an even
  total number of terms would make x + 1 a factor), tried in `combs' order
  with the fewest terms first; the first irreducible one wins.  Callers
  (OMAC, GCM, OCB) depend on the choice being stable, so keep the search
  order as it is.  Raises `ValueError' if nothing is found.
  """
  cached = POLYMAP.get(nbits)
  if cached is not None: return cached
  base = C.GF(0).setbit(nbits).setbit(0)
  for nmiddle in xrange(1, nbits, 2):
    for exps in combs(range(1, nbits), nmiddle):
      cand = base
      for e in exps: cand = cand + C.GF(0).setbit(e)
      if cand.irreduciblep():
        POLYMAP[nbits] = cand
        return cand
  raise ValueError(nbits)
40
def Z(n):
  """Return N zero bytes as a `ByteString'."""
  return C.ByteString.zero(n)
43
def mul_blk_gf(m, x, p):
  """Multiply the big-endian block M by X in GF(2)[x] modulo P; return the
  product as a block.

  Assuming `nbits' counts the leading term, a degree-8k polynomial has
  nbits == 8k + 1 and (nbits + 6)/8 == k, i.e. the block size.
  """
  prod = (C.GF.loadb(m)*x)%p
  return prod.storeb((p.nbits + 6)/8)
45
def with_lastp(it):
  """Yield (ITEM, LASTP) for each ITEM of IT, LASTP being true only for the
  final item.  Raises `ValueError' (on first use) if IT is empty, since
  there is then no last item to flag."""
  it = iter(it)
  try:
    pending = next(it)
  except StopIteration:
    raise ValueError('empty iter')
  for item in it:
    yield pending, False
    pending = item
  yield pending, True
56
def safehex(x):
  """Format X in hex, showing an empty value as `""' so it stays visible
  in the vector file."""
  return hex(x) if len(x) else '""'
60
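def keylens(ksz):
  """Choose up to four key lengths (bytes) to exercise from the key-size
  spec KSZ, a `KeySZSet', `KeySZRange' or `KeySZAny'.

  Candidates are shuffled with the fixed-seed generator R so the choice is
  reproducible; for `KeySZAny' a zero-length key is always included.
  Review fix: any other KSZ now raises `TypeError' instead of a confusing
  `NameError', and a redundant second copy of the candidate list is gone.
  """
  sel = []
  if isinstance(ksz, C.KeySZSet):
    kk = list(ksz.set)
  elif isinstance(ksz, C.KeySZRange):
    ## NOTE(review): `range' stops short of ksz.max; if the range's maximum
    ## is inclusive, the largest key size is never exercised -- confirm.
    kk = list(range(ksz.min, ksz.max, ksz.mod))
  elif isinstance(ksz, C.KeySZAny):
    kk = list(range(64)); sel = [0]
  else:
    raise TypeError('unknown key-size spec %r' % (ksz,))
  ## Partial Fisher-Yates shuffle: each pick swaps a random candidate to the
  ## end of the unpicked region.  The sequence of R.range calls must stay as
  ## it is, or previously generated vectors stop reproducing.
  n = len(kk)
  while n and len(sel) < 4:
    i = R.range(n)
    n -= 1
    kk[i], kk[n] = kk[n], kk[i]
    sel.append(kk[n])
  return sel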
74
def pad0star(m, w):
  """Zero-pad M to a positive multiple of W bytes: an already aligned M is
  returned unchanged, an empty M becomes W zero bytes."""
  if len(m): extra = (-len(m))%w
  else: extra = w
  if extra: m += Z(extra)
  return C.ByteString(m)
81
def pad10star(m, w):
  """Apply 10* padding (a 0x80 byte, then zeros) to bring M to a multiple
  of W bytes.  An aligned M receives a whole extra block of padding."""
  fill = w - len(m)%w                    # always in 1 .. w
  if fill: m += '\x80' + Z(fill - 1)
  return C.ByteString(m)
86
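def ntz(i):
  """Return the number of trailing zero bits of the integer I.

  Review fix: I == 0 has no lowest set bit and used to spin forever; it
  now raises `ValueError'.
  """
  if not i: raise ValueError('ntz(0) is undefined')
  count = 0
  while not i&1:
    i >>= 1
    count += 1
  return count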
91
def blocks(x, w):
  """Split X into W-byte blocks; return (FULL_BLOCKS, TAIL).

  TAIL is whatever follows the full blocks: 1 .. W bytes for a non-empty X
  (a final whole block stays in the tail), empty only when X is empty.
  """
  full = []
  pos = 0
  while len(x) - pos > w:
    full.append(C.ByteString(x[pos:pos + w]))
    pos += w
  return full, C.ByteString(x[pos:])
98
## The empty byte string; `blocks0' returns it as the tail of aligned input.
EMPTY = C.bytes('')
100
def blocks0(x, w):
  """Like `blocks', but a tail that is exactly one block long is moved into
  the block list, so the returned tail is either empty or a proper partial
  block."""
  full, tail = blocks(x, w)
  if len(tail) != w: return full, tail
  full.append(tail)
  return full, EMPTY
105
def dummygen(bc):
  """Length generator for modes with no automatic vectors: nothing to run."""
  return list()
107
## Block ciphers implemented in this file (rather than by the library), by
## name; the main program consults this table before `C.gcprps'.
CUSTOM = {}
109
110 ###--------------------------------------------------------------------------
111 ### RC6.
112
class RC6Cipher (type):
  """Factory for RC6 variants: `RC6Cipher(w, r)' returns a new cipher class
  derived from `RC6Base'.

  W is the word size in bits and R the round count; a block is four words,
  hence W/2 bytes.  The key-size spec is `KeySZRange(blksz, 1, 255, 1)',
  presumably (default, min, max, step) -- confirm against the bindings.
  """
  def __new__(cls, w, r):
    name = 'rc6-%d/%d' % (w, r)
    attrs = dict(name = name, w = w, r = r, blksz = w/2)
    attrs['keysz'] = C.KeySZRange(attrs['blksz'], 1, 255, 1)
    return type(name, (RC6Base,), attrs)
123
def rotw(w):
  """Return floor(log2 W): RC6's `lg w', the width of a rotation amount."""
  nbits = w.bit_length()
  return nbits - 1
126
def rol(w, x, n):
  """Rotate X left by N bits within a W-bit word (0 <= N < W).  Bits of X
  above bit W - 1 are discarded; the result is an `MP'."""
  lomask = C.MP(0).setbit(w - n) - 1        # bits that move up
  himask = C.MP(0).setbit(n) - 1            # bits that wrap to the bottom
  return ((x&lomask) << n) | ((x >> (w - n))&himask)
130
def ror(w, x, n):
  """Rotate X right by N bits within a W-bit word (0 <= N < W).  Bits of X
  above bit W - 1 are discarded; the result is an `MP'."""
  lomask = C.MP(0).setbit(n) - 1            # bits that wrap to the top
  himask = C.MP(0).setbit(w - n) - 1        # bits that move down
  return ((x&lomask) << (w - n)) | ((x >> n)&himask)
134
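class RC6Base (object):
  """Slow, straightforward RC6, parametrized by the class attributes `w'
  (word bits), `r' (rounds) and `blksz' (bytes) that `RC6Cipher' fills in;
  `d' = lg w is set by the constructor.  Words are handled little-endian
  (`MP.loadl' / `MP.storel').
  """

  ## Magic constants: 400 bits of e - 2 and of phi - 1.  RC5/RC6 define
  ## P_w = Odd((e - 2) 2^w) and Q_w = Odd((phi - 1) 2^w); the constructor
  ## cuts each word size's values from these.
  P400 = C.MP(0xb7e151628aed2a6abf7158809cf4f3c762e7160f38b4da56a784d9045190cfef324e7738926cfbe5f4bf8d8d8c31d763da06)
  Q400 = C.MP(0x9e3779b97f4a7c15f39cc0605cedc8341082276bf3a27251f86c6a11d0c18e952767f0b153d27b7f0347045b5bf1827f0188)

  def __init__(me, k):
    """Expand the key K (1 .. 255 bytes) into the subkey table `me.s' of
    2r + 4 words."""

    ## Build the magic numbers: the top w bits of each constant, forced odd.
    P = me.P400 >> (400 - me.w)
    if P%2 == 0: P += 1
    Q = me.Q400 >> (400 - me.w)
    if Q%2 == 0: Q += 1
    M = C.MP(0).setbit(me.w) - 1

    ## Convert the key into c little-endian words, the last one zero-padded.
    wb = me.w/8
    c = (len(k) + wb - 1)/wb
    kb, ktl = blocks(k, me.w/8)
    L = map(C.MP.loadl, kb + [ktl])
    assert c == len(L)

    ## Initial subkey table: S[i] = P + i Q.
    me.d = rotw(me.w)
    n = 2*me.r + 4
    S = [(P + i*Q)&M for i in xrange(n)]

    ## Mix the key into the table: three passes over the longer of L and S.
    ## The data-dependent rotation amount is reduced modulo 2^d.
    i = j = 0
    A = B = C.MP(0)
    for s in xrange(3*max(c, n)):
      A = S[i] = rol(me.w, S[i] + A + B, 3)
      B = L[j] = rol(me.w, L[j] + A + B, (A + B)%(1 << me.d))
      i = (i + 1)%n
      j = (j + 1)%c

    ## Done.
    me.s = S

  def encrypt(me, x):
    """Encrypt the single block X (four little-endian words); return a
    `ByteString'."""
    M = C.MP(0).setbit(me.w) - 1
    a, b, c, d = map(C.MP.loadl, blocks0(x, me.blksz/4)[0])
    b = (b + me.s[0])&M
    d = (d + me.s[1])&M
    for i in xrange(2, 2*me.r + 2, 2):
      ## t = (B (2B + 1)) <<< lg w, and u likewise from D; `rol' discards
      ## the overflow above w bits.
      t = rol(me.w, 2*b*b + b, me.d)
      u = rol(me.w, 2*d*d + d, me.d)
      a = (rol(me.w, a ^ t, u%(1 << me.d)) + me.s[i + 0])&M
      c = (rol(me.w, c ^ u, t%(1 << me.d)) + me.s[i + 1])&M
      a, b, c, d = b, c, d, a
    a = (a + me.s[2*me.r + 2])&M
    c = (c + me.s[2*me.r + 3])&M
    return C.ByteString(a.storel(me.blksz/4) + b.storel(me.blksz/4) +
                        c.storel(me.blksz/4) + d.storel(me.blksz/4))

  def decrypt(me, x):
    """Decrypt the single block X; the exact inverse of `encrypt'.

    Review fixes: the words were unpacked from the (blocks, tail) pair
    rather than the block list; the round loop ran over odd subkey indices
    (2r + 1, 2r - 1, ...) instead of the even ones `encrypt' uses; and the
    final step added `s[2r+2]' / `s[2r+3]' through an undefined name `s'
    instead of removing the pre-whitening `s[0]' / `s[1]' from B and D.
    """
    M = C.MP(0).setbit(me.w) - 1
    a, b, c, d = map(C.MP.loadl, blocks0(x, me.blksz/4)[0])
    c = (c - me.s[2*me.r + 3])&M
    a = (a - me.s[2*me.r + 2])&M
    ## Undo the rounds in reverse, with the same subkey pairs as `encrypt'
    ## (i = 2r, 2r - 2, ..., 2); the register rotation is undone first.
    for i in xrange(2*me.r, 1, -2):
      a, b, c, d = d, a, b, c
      u = rol(me.w, 2*d*d + d, me.d)
      t = rol(me.w, 2*b*b + b, me.d)
      c = ror(me.w, (c - me.s[i + 1])&M, t%(1 << me.d)) ^ u
      a = ror(me.w, (a - me.s[i + 0])&M, u%(1 << me.d)) ^ t
    d = (d - me.s[1])&M
    b = (b - me.s[0])&M
    return C.ByteString(a.storel(me.blksz/4) + b.storel(me.blksz/4) +
                        c.storel(me.blksz/4) + d.storel(me.blksz/4))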
218
## Build the RC6 variants the test suite knows about and register each under
## its name, so the main program finds them alongside the library ciphers.
CUSTOM.update(('rc6-%d/%d' % (w, r), RC6Cipher(w, r))
              for (w, r) in [(8, 16), (16, 16), (24, 16), (32, 16),
                             (32, 20), (48, 16), (64, 16), (96, 16),
                             (128, 16), (192, 16), (256, 16), (400, 16)])
223
224 ###--------------------------------------------------------------------------
225 ### OMAC (or CMAC).
226
def omac_masks(E):
  """Return the two OMAC subkeys for the cipher instance E: L.x and L.x^2
  in GF(2^n) modulo `poly(n)', where L = E(0^n)."""
  blksz = E.__class__.blksz
  p = poly(8*blksz)
  L = E.encrypt(Z(blksz))
  k1 = mul_blk_gf(L, 2, p)
  k2 = mul_blk_gf(k1, 2, p)
  return k1, k2
235
def dump_omac(E):
  """Print OMAC intermediates for E: L, the two subkeys, and for tweaks
  0 .. 2 both the encrypted tweak block and the tag of the empty message."""
  blksz = E.__class__.blksz
  k1, k2 = omac_masks(E)
  print 'L = %s' % hex(E.encrypt(Z(blksz)))
  print 'm0 = %s' % hex(k1)
  print 'm1 = %s' % hex(k2)
  for tweak in xrange(3):
    print 'v%d = %s' % (tweak, hex(E.encrypt(C.MP(tweak).storeb(blksz))))
    print 'z%d = %s' % (tweak, hex(omac(E, tweak, '')))
245
def omac(E, t, m):
  """Compute OMAC1 (CMAC) of M under the cipher instance E.

  If T is not `None' it is a tweak: it is encoded as a big-endian block and
  prepended to the message (EAX's OMAC^t).  A message ending exactly on a
  block boundary is masked with the first subkey; otherwise 10* padding is
  applied and the second subkey is used.  Returns the full-block tag.
  """
  blksz = E.__class__.blksz
  k1, k2 = omac_masks(E)
  if t is not None: m = C.MP(t).storeb(blksz) + m
  acc = Z(blksz)
  body, last = blocks(m, blksz)
  for blk in body: acc = E.encrypt(acc ^ blk)
  if len(last) == blksz:
    return E.encrypt(acc ^ last ^ k1)
  return E.encrypt(acc ^ pad10star(last, blksz) ^ k2)
260
def cmac(E, m):
  """Top-level CMAC driver: dump the intermediates when verbose and return
  the tag of M as a one-element tuple (the main program prints each item)."""
  if VERBOSE: dump_omac(E)
  tag = omac(E, None, m)
  return (tag,)
264
def cmacgen(bc):
  """Message lengths to exercise for CMAC with block cipher BC: empty, one
  byte, exactly three blocks, and three blocks less five bytes."""
  w = bc.blksz
  return [(n,) for n in (0, 1, 3*w, 3*w - 5)]
269
270 ###--------------------------------------------------------------------------
271 ### Counter mode.
272
def ctr(E, m, c0):
  """Encrypt M in counter mode under E from the block-sized counter C0,
  read as a big-endian integer and incremented as a whole (carries ripple
  through the entire block, unlike `gcm_ctr')."""
  blksz = E.__class__.blksz
  stream = C.WriteBuffer()
  counter = C.MP.loadb(c0)
  while stream.size < len(m):
    stream.put(E.encrypt(counter.storeb(blksz)))
    counter += 1
  return C.ByteString(m) ^ C.ByteString(stream)[:len(m)]
281
282 ###--------------------------------------------------------------------------
283 ### GCM.
284
def gcm_mangle(x):
  """Reverse the bit order within each byte of X: GCM numbers the bits of a
  block the opposite way round from the `GF' class.  Returns a
  `ByteString'; applying it twice gives X back."""
  out = C.WriteBuffer()
  for ch in x:
    bits = bin(ord(ch))[2:].zfill(8)
    out.putu8(int(bits[::-1], 2))
  return C.ByteString(out)
296
def gcm_mul(x, y):
  """Multiply the blocks X and Y in GCM's GF(2^(8w)), w = len(X), converting
  in and out of the library's bit ordering; return a block."""
  w = len(x)
  p = poly(8*w)
  u = C.GF.loadl(gcm_mangle(x))
  v = C.GF.loadl(gcm_mangle(y))
  return gcm_mangle(((u*v)%p).storel(w))
303
def gcm_pow(x, n):
  """Return X^N in GCM's GF(2^(8w)) (see `gcm_mul'), as a block."""
  w = len(x)
  p = poly(8*w)
  u = C.GF.loadl(gcm_mangle(x))
  return gcm_mangle(pow(u, n, p).storel(w))
310
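def gcm_ctr(E, m, c0):
  """GCM's counter mode: the last four bytes of C0 are a 32-bit big-endian
  counter, pre-incremented before each keystream block; the rest of C0 is
  fixed.

  Review fix: the counter now wraps modulo 2^32 as the specification's
  inc32 requires; before it grew without bound, and `pack' would raise
  once it passed 2^32 - 1.
  """
  stream = C.WriteBuffer()
  prefix = c0[:-4]
  counter, = unpack('>L', c0[-4:])
  while stream.size < len(m):
    counter = (counter + 1)&0xffffffff
    stream.put(E.encrypt(prefix + pack('>L', counter)))
  return C.ByteString(m) ^ C.ByteString(stream)[:len(m)]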
319
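def g(what, x, m, a0 = None):
  """GHASH core: fold the blocks of M into the accumulator A0 (zero if
  omitted) as a = (a ^ block) . X, tracing each step when verbose under
  the label WHAT.

  M must be a whole number of blocks (callers pad with `gcm_pad' or use
  `gcm_lens').  Review fix: a partial trailing block used to be dropped
  silently; it now raises `ValueError'.
  """
  n = len(x)
  a = Z(n) if a0 is None else a0
  v, tl = blocks0(m, n)
  if len(tl): raise ValueError('GHASH input is not a whole number of blocks')
  for i, b in enumerate(v):
    a = gcm_mul(a ^ b, x)
    if VERBOSE: print '%s[%d] = %s -> %s' % (what, i, hex(b), hex(a))
  return a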
330
def gcm_pad(w, x):
  """Zero-pad X up to a multiple of W bytes (nothing added if X is aligned
  or empty)."""
  short = -len(x)%w
  return C.ByteString(x + Z(short))
333
def gcm_lens(w, a, b):
  """Encode the two bit lengths A and B, big-endian, as GCM's final block.

  Each takes W/2 bytes so the pair fills one block; for small blocks
  (W < 12) each length gets a whole block of its own instead.
  """
  if w < 12: width = w
  else: width = w/2
  return C.ByteString(C.MP(a).storeb(width) + C.MP(b).storeb(width))
338
def ghash(whata, whatb, x, a, b):
  """GHASH of A || B under the hash key X, finished with the lengths block.

  The two parts are padded and hashed separately and then combined using
  the linearity of GHASH, H(A || B) = H(A) . X^(blocks of B) + H(B), which
  keeps the verbose trace readable per part.  WHATA and WHATB label the
  trace.
  """
  w = len(x)
  ha = g(whata, x, gcm_pad(w, a))
  hb = g(whatb, x, gcm_pad(w, b))
  if not a:
    hc = hb
  else:
    nb = (len(b) + w - 1)/w
    hc = gcm_mul(ha, gcm_pow(x, nb)) ^ hb
    if VERBOSE: print '%s || %s -> %s' % (whata, whatb, hex(hc))
  lens = gcm_lens(w, 8*len(a), 8*len(b))
  return g(whatb, x, lens, hc)
349
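def gcmenc(E, n, h, m, tsz = None):
  """GCM encryption: return (ciphertext, tag) for message M with nonce N
  and header H under the cipher instance E.

  A nonce four bytes shorter than the block is used directly with a
  counter of 1 (the 96-bit-IV case for 128-bit blocks); any other nonce is
  hashed with GHASH.  Review fix: TSZ was accepted but ignored; the tag is
  now cut to TSZ bytes (default: the whole block).
  """
  w = E.__class__.blksz
  if tsz is None: tsz = w
  x = E.encrypt(Z(w))
  if VERBOSE: print 'x = %s' % hex(x)
  if len(n) + 4 == w: c0 = C.ByteString(n + pack('>L', 1))
  else: c0 = ghash('?', 'n', x, EMPTY, n)
  if VERBOSE: print 'c0 = %s' % hex(c0)
  y = gcm_ctr(E, m, c0)
  t = ghash('h', 'y', x, h, y) ^ E.encrypt(c0)
  return y, C.ByteString(t[:tsz])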
360
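def gcmdec(E, n, h, y, t):
  """GCM decryption: return (plaintext,) if the tag T verifies, else
  (None,).  Mirrors `gcmenc'.

  T may be a truncated tag and is compared with the leading bytes of the
  recomputed one; an empty T is rejected outright, since it would match
  trivially.  The comparison is plain `==', not constant-time: fine for
  generating vectors, not for production use.
  """
  w = E.__class__.blksz
  x = E.encrypt(Z(w))
  if VERBOSE: print 'x = %s' % hex(x)
  if len(n) + 4 == w: c0 = C.ByteString(n + pack('>L', 1))
  else: c0 = ghash('?', 'n', x, EMPTY, n)
  if VERBOSE: print 'c0 = %s' % hex(c0)
  m = gcm_ctr(E, y, c0)
  tt = ghash('h', 'y', x, h, y) ^ E.encrypt(c0)
  if len(t) and t == tt[:len(t)]: return m,
  else: return None,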
372
def gcmgen(bc):
  """(nonce, header, message) lengths to exercise for GCM with block size
  W: the empty cases, each input alone, the W - 4 nonce fast path, and
  unaligned lengths."""
  w = bc.blksz
  return [(0, 0, 0), (1, 0, 0), (0, 1, 0), (0, 0, 1),
          (w, 3*w, 3*w),
          (w - 4, w + 3, 3*w + 9),
          (w - 1, 3*w - 5, 3*w + 5)]
378
379 ###--------------------------------------------------------------------------
380 ### CCM.
381
def stbe(n, w):
  """Store the integer N as W big-endian bytes."""
  return C.MP(n).storeb(w)
383
def ccm_fmthdr(blksz, n, hsz, msz, tsz):
  """Build CCM's first block B_0 for nonce N, header length HSZ, message
  length MSZ and tag length TSZ; the layout depends on the block size.

  For 16-byte blocks this is the standard B_0: flags with 0x40 set when
  there is header data, (t - 2)/2 in bits 3 .. 5 and q - 1 in bits 0 .. 2,
  then the nonce, then the message length in q bytes.  8-byte blocks use
  the same shape with t - 1 as the tag field; larger blocks spread the
  flags over two bytes (tag length, then 0x80-if-header | q).  Neither TSZ
  nor the nonce length is range-checked, so an over-long tag size silently
  corrupts the flags.
  """
  buf = C.WriteBuffer()
  if blksz in (8, 16):
    q = blksz - len(n) - 1
    tagfield = tsz - 1 if blksz == 8 else (tsz - 2)/2
    flags = (0x40 if hsz else 0) | tagfield << 3 | q - 1
    buf.putu8(flags).put(n).put(stbe(msz, q))
  else:
    q = blksz - len(n) - 2
    flags0 = tsz
    flags1 = (0x80 if hsz else 0) | q
    buf.putu8(flags0).putu8(flags1).put(n).put(stbe(msz, q))
  hdr = C.ByteString(buf)
  if VERBOSE: print 'hdr = %s' % hex(hdr)
  return hdr
410
def ccm_fmtctr(blksz, n, i = 0):
  """Build CCM's counter block A_I: a flags byte of q - 1 for 8- and
  16-byte blocks (a zero byte then q for larger ones), the nonce, and I
  in q bytes."""
  buf = C.WriteBuffer()
  if blksz in (8, 16):
    q = blksz - len(n) - 1
    buf.putu8(q - 1)
  else:
    q = blksz - len(n) - 2
    buf.putu8(0).putu8(q)
  buf.put(n).put(stbe(i, q))
  blk = C.ByteString(buf)
  if VERBOSE: print 'ctr = %s' % hex(blk)
  return blk
422
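def ccmaad(b, h, blksz):
  """Append the header H to the CBC-MAC input buffer B with CCM's length
  prefix, then zero-pad to a block boundary; an empty header adds nothing.

  Review fix: the two-byte length form is only for lengths below
  2^16 - 2^8 (0xff00), per SP 800-38C A.2.2 / RFC 3610 section 2.2; the
  old threshold of 0xfffe mis-encoded lengths 0xff00 .. 0xfffd.
  """
  hsz = len(h)
  if not hsz: pass
  elif hsz < 0xff00: b.putu16(hsz)
  elif hsz <= 0xffffffff: b.putu16(0xfffe).putu32(hsz)
  else: b.putu16(0xffff).putu64(hsz)
  b.put(h)
  b.zero((-b.size)%blksz)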
430
def ccmenc(E, n, h, m, tsz = None):
  """CCM encryption: return (ciphertext, tag) for message M with nonce N
  and header H under E.  TSZ defaults to the block size and is not checked
  against it: a TSZ larger than the block would hand back ciphertext bytes
  as part of the tag.

  The CBC-MAC runs over B_0 || encoded header || message (each zero-padded
  to a block); the MAC and message are then encrypted in counter mode from
  A_0, so the tag uses keystream block 0 and the message blocks 1 onwards.
  """
  blksz = E.__class__.blksz
  if tsz is None: tsz = blksz
  buf = C.WriteBuffer()
  buf.put(ccm_fmthdr(blksz, n, len(h), len(m), tsz))
  ccmaad(buf, h, blksz)
  buf.put(m)
  buf.zero((-buf.size)%blksz)
  macin, _ = blocks0(C.ByteString(buf), blksz)
  acc = Z(blksz)
  for i, blk in enumerate(macin):
    acc = E.encrypt(acc ^ blk)
    if VERBOSE:
      print 'b[%d] = %s' % (i, hex(blk))
      print 'a[%d] = %s' % (i + 1, hex(acc))
  stream = ctr(E, acc + m, ccm_fmtctr(blksz, n))
  return C.ByteString(stream[blksz:]), C.ByteString(stream[0:tsz])
450
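def ccmdec(E, n, h, y, t):
  """CCM decryption: return (plaintext,) if the tag T verifies, else
  (None,).

  The tag is decrypted with counter block 0 (padded out to a block) and
  the message with the following blocks; the CBC-MAC is then recomputed as
  in `ccmenc'.  Review fix: a tag that is empty or longer than a block is
  rejected up front -- an empty tag compared equal to an empty slice, so
  any ciphertext verified.  The comparison is plain `==' (not
  constant-time); this is a reference implementation, not production code.
  """
  blksz = E.__class__.blksz
  tsz = len(t)
  if not 0 < tsz <= blksz: return None,
  buf = C.WriteBuffer()
  buf.put(ccm_fmthdr(blksz, n, len(h), len(y), tsz))
  ccmaad(buf, h, blksz)
  mm = ctr(E, t + Z(blksz - tsz) + y, ccm_fmtctr(blksz, n))
  u, m = C.ByteString(mm[0:tsz]), C.ByteString(mm[blksz:])
  buf.put(m); buf.zero((-buf.size)%blksz)
  acc = Z(blksz)
  macin, _ = blocks0(C.ByteString(buf), blksz)
  for i, blk in enumerate(macin):
    acc = E.encrypt(acc ^ blk)
    if VERBOSE:
      print 'b[%d] = %s' % (i, hex(blk))
      print 'a[%d] = %s' % (i + 1, hex(acc))
  if u == acc[:tsz]: return m,
  else: return None,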
472
def ccmgen(bc):
  """(nonce, header, message[, tag]) lengths to exercise for CCM with block
  size W: a long nonce (W - 5 bytes) with a four-byte tag, then a
  half-block nonce with the default tag size."""
  w = bc.blksz
  long_nonce, short_nonce = w - 5, w/2 + 1
  return [(long_nonce, 0, 0, 4), (long_nonce, 1, 0, 4), (long_nonce, 0, 1, 4),
          (short_nonce, 3*w, 3*w),
          (short_nonce, 3*w - 5, 3*w + 5)]
478
479 ###--------------------------------------------------------------------------
480 ### EAX.
481
def eaxenc(E, n, h, m, tsz = None):
  """EAX encryption: return (ciphertext, tag) for message M with nonce N
  and header H under E.  The tag is the XOR of the three tweaked OMACs,
  cut to TSZ bytes (default: the block size; not range-checked).

  The verbose trace prints `k', which is not a parameter: it only reaches
  this function as the module-level key set by the main program's verbose
  branch, so calling this directly with VERBOSE set would fail.
  """
  if VERBOSE:
    for label, value in (('k', k), ('n', n), ('h', h), ('m', m)):
      print '%s = %s' % (label, hex(value))
    dump_omac(E)
  if tsz is None: tsz = E.__class__.blksz
  nonce_mac = omac(E, 0, n)
  y = ctr(E, m, nonce_mac)
  hdr_mac = omac(E, 1, h)
  ct_mac = omac(E, 2, y)
  if VERBOSE:
    for label, value in (('c0', nonce_mac), ('ht', hdr_mac), ('yt', ct_mac)):
      print '%s = %s' % (label, hex(value))
  return y, C.ByteString((nonce_mac ^ hdr_mac ^ ct_mac)[:tsz])
499
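def eaxdec(E, n, h, y, t):
  """EAX decryption: return (plaintext,) if the tag T verifies, else
  (None,).

  T may be truncated and is compared with the leading bytes of the
  recomputed tag.  Review fix: an empty T is now rejected -- `t == tag[:0]'
  was trivially true, so any ciphertext verified with an empty tag.  The
  comparison is plain `==' (not constant-time); reference use only.  As in
  `eaxenc', the verbose trace reads the module-level `k' set by the main
  program.
  """
  if VERBOSE:
    print 'k = %s' % hex(k)
    print 'n = %s' % hex(n)
    print 'h = %s' % hex(h)
    print 'y = %s' % hex(y)
    print 't = %s' % hex(t)
    dump_omac(E)
  c0 = omac(E, 0, n)
  m = ctr(E, y, c0)
  ht = omac(E, 1, h)
  yt = omac(E, 2, y)
  if VERBOSE:
    print 'c0 = %s' % hex(c0)
    print 'ht = %s' % hex(ht)
    print 'yt = %s' % hex(yt)
  tag = c0 ^ ht ^ yt
  if len(t) and t == tag[:len(t)]: return m,
  else: return None,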
518
def eaxgen(bc):
  """(nonce, header, message) lengths to exercise for EAX with block size
  W: the empty cases, each input alone, aligned and unaligned lengths."""
  w = bc.blksz
  return [(0, 0, 0), (1, 0, 0), (0, 1, 0), (0, 0, 1),
          (w, 3*w, 3*w),
          (w - 1, 3*w - 5, 3*w + 5)]
523
524 ###--------------------------------------------------------------------------
525 ### PMAC.
526
def ocb_masks(E):
  """Return the OCB/PMAC mask table for E: a list of L.x^i for i = 0 .. 65
  and L.x^-1 (via `modinv', taken to be the inverse of x modulo the
  polynomial), where L = E(0^n) and arithmetic is in GF(2^n) modulo
  `poly(n)'.  66 entries cover ntz(i) for any practical block count."""
  blksz = E.__class__.blksz
  p = poly(8*blksz)
  x = C.GF(2)
  L = E.encrypt(Z(blksz))
  table = [L]
  while len(table) < 66:
    table.append(mul_blk_gf(table[-1], x, p))
  return table, mul_blk_gf(L, p.modinv(x), p)
538
def dump_ocb(E):
  """Print L.x^-1 and the first sixteen OCB masks for E."""
  table, Lxinv = ocb_masks(E)
  print 'L x^-1 = %s' % hex(Lxinv)
  for i in xrange(16):
    print 'L x^%d = %s' % (i, hex(table[i]))
544
def pmac1(E, m):
  """PMAC1 of M under E (Rogaway): each full block is encrypted under an
  offset that advances by L.x^ntz(i) (Gray-code order) and XORed into the
  accumulator; a whole final block is masked with L.x^-1, a partial one is
  10*-padded.  Returns the full-block tag."""
  blksz = E.__class__.blksz
  table, Lxinv = ocb_masks(E)
  acc = offset = Z(blksz)
  body, last = blocks(m, blksz)
  for i, blk in enumerate(body, 1):
    shift = ntz(i)
    offset ^= table[shift]
    acc ^= E.encrypt(blk ^ offset)
    if VERBOSE:
      print 'Z[%d]: %d -> %s' % (i, shift, hex(offset))
      print 'A[%d]: %s' % (i, hex(acc))
  if len(last) == blksz: acc ^= last ^ Lxinv
  else: acc ^= pad10star(last, blksz)
  return E.encrypt(acc)
562
def pmac1_pub(E, m):
  """Top-level PMAC1 driver: dump the masks when verbose and return the tag
  as a one-element tuple."""
  if VERBOSE: dump_ocb(E)
  return (pmac1(E, m),)
566
def pmacgen(bc):
  """Message lengths to exercise for PMAC1: empty, one byte, exactly three
  blocks, and three blocks less five bytes."""
  w = bc.blksz
  return [(n,) for n in (0, 1, 3*w, 3*w - 5)]
571
572 ###--------------------------------------------------------------------------
573 ### OCB.
574
def ocb1enc(E, n, h, m, tsz = None):
  """OCB1.PMAC1 encryption (Rogaway, `Authenticated-Encryption with
  Associated-Data'): return (ciphertext, tag) for message M, nonce N and
  header H under E.  N is XORed with L directly, so it presumably has to
  be one block long (not checked); TSZ defaults to the block size and is
  not range-checked.

  Full blocks are encrypted under a Gray-code offset; the final partial
  block is XORed with a pad derived from its bit length, and the checksum
  absorbs both.  A non-empty header is folded in as PMAC1(H).
  """
  blksz = E.__class__.blksz
  if VERBOSE: dump_ocb(E)
  table, Lxinv = ocb_masks(E)
  if tsz is None: tsz = blksz
  checksum = Z(blksz)
  offset = E.encrypt(n ^ table[0])
  if VERBOSE: print 'R = %s' % hex(offset)
  out = C.WriteBuffer()
  body, last = blocks(m, blksz)
  i = 0
  for blk in body:
    i += 1
    shift = ntz(i)
    offset ^= table[shift]
    checksum ^= blk
    if VERBOSE:
      print 'Z[%d]: %d -> %s' % (i, shift, hex(offset))
      print 'A[%d]: %s' % (i, hex(checksum))
    out.put(E.encrypt(blk ^ offset) ^ offset)
  i += 1
  shift = ntz(i)
  offset ^= table[shift]
  tlen = len(last)
  lenblk = C.MP(8*tlen).storeb(blksz)
  if VERBOSE:
    print 'Z[%d]: %d -> %s' % (i, shift, hex(offset))
    print 'LEN = %s' % hex(lenblk)
  pad = E.encrypt(lenblk ^ Lxinv ^ offset)
  out.put(last ^ pad[:tlen])
  checksum ^= offset ^ (last + pad[tlen:])
  tag = E.encrypt(checksum)
  if h: tag ^= pmac1(E, h)
  return C.ByteString(out), C.ByteString(tag[:tsz])
611
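def ocb1dec(E, n, h, y, t):
  """OCB1.PMAC1 decryption: return (plaintext,) if the tag T verifies,
  else (None,).  Mirrors `ocb1enc'; N is XORed with L directly, so it
  presumably has to be one block long (not checked).

  T may be truncated and is compared with the leading bytes of the
  recomputed tag.  Review fix: an empty T is now rejected, since
  `t == u[:0]' was trivially true and every ciphertext verified.  The
  comparison is plain `==' (not constant-time); reference use only.
  """
  blksz = E.__class__.blksz
  if VERBOSE: dump_ocb(E)
  table, Lxinv = ocb_masks(E)
  checksum = Z(blksz)
  offset = E.encrypt(n ^ table[0])
  if VERBOSE: print 'R = %s' % hex(offset)
  out = C.WriteBuffer()
  body, last = blocks(y, blksz)
  i = 0
  for blk in body:
    i += 1
    shift = ntz(i)
    offset ^= table[shift]
    if VERBOSE:
      print 'Z[%d]: %d -> %s' % (i, shift, hex(offset))
      print 'A[%d]: %s' % (i, hex(checksum))
    u = E.decrypt(blk ^ offset) ^ offset
    out.put(u)
    checksum ^= u
  i += 1
  shift = ntz(i)
  offset ^= table[shift]
  tlen = len(last)
  lenblk = C.MP(8*tlen).storeb(blksz)
  if VERBOSE:
    print 'Z[%d]: %d -> %s' % (i, shift, hex(offset))
    print 'LEN = %s' % hex(lenblk)
  pad = E.encrypt(lenblk ^ Lxinv ^ offset)
  mfinal = last ^ pad[:tlen]
  checksum ^= offset ^ (mfinal + pad[tlen:])
  out.put(mfinal)
  tag = E.encrypt(checksum)
  if h: tag ^= pmac1(E, h)
  if len(t) and t == tag[:len(t)]: return C.ByteString(out),
  else: return None,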
649
def ocbgen(bc):
  """(nonce, header, message) lengths to exercise for OCB1 with block size
  W; the nonce is always a whole block."""
  w = bc.blksz
  cases = [(0, 0), (1, 0), (0, 1),
           (0, 3*w), (3*w, 3*w),
           (0, 3*w + 5), (3*w - 5, 3*w + 5)]
  return [(w, hlen, mlen) for hlen, mlen in cases]
657
658 ###--------------------------------------------------------------------------
659 ### Main program.
660
class struct (object):
  """A bag of attributes built from keyword arguments: struct(a = 1).a == 1.

  (The name shadows the stdlib `struct' module, but only `pack' and
  `unpack' were imported from it, so nothing here refers to the module.)
  """
  def __init__(me, **kw):
    for name, value in kw.items():
      setattr(me, name, value)
664
## Argument kinds for the mode table.  `mk' makes a value from a length
## produced by a mode's generator (random bytes from R, or the number itself
## for an integer such as a tag size), `parse' reads one from the command
## line, and `show' formats it for the vector file (None: not printed).
binarg = struct(mk = R.block, parse = C.bytes, show = safehex)
intarg = struct(mk = lambda x: x, parse = int, show = None)

## Mode name -> (length generator, argument kinds, implementation).  The
## `-enc' modes take (nonce, header, message, tag size); the `-dec' modes
## take (nonce, header, ciphertext, tag) and generate no vectors of their
## own; the MACs take just a message.
MODEMAP = dict([
  ('eax-enc', (eaxgen, 3*[binarg] + [intarg], eaxenc)),
  ('eax-dec', (dummygen, 4*[binarg], eaxdec)),
  ('ccm-enc', (ccmgen, 3*[binarg] + [intarg], ccmenc)),
  ('ccm-dec', (dummygen, 4*[binarg], ccmdec)),
  ('cmac', (cmacgen, [binarg], cmac)),
  ('gcm-enc', (gcmgen, 3*[binarg] + [intarg], gcmenc)),
  ('gcm-dec', (dummygen, 4*[binarg], gcmdec)),
  ('ocb1-enc', (ocbgen, 3*[binarg] + [intarg], ocb1enc)),
  ('ocb1-dec', (dummygen, 4*[binarg], ocb1dec)),
  ('pmac1', (pmacgen, [binarg], pmac1_pub))])
678
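## Command line:
##   MODE CIPHER              generate vectors for a few key sizes, quietly
##   MODE CIPHER KEY ARG ...  run one case verbosely with the given key (as
##                            `C.bytes' parses it) and arguments
## Review fix: too few arguments used to die with an `IndexError'; a usage
## message is printed instead.
if len(argv) < 3:
  raise SystemExit('usage: %s MODE CIPHER [KEY ARG ...]' % argv[0])
mode = argv[1]
bc = None
for table in CUSTOM, C.gcprps:
  try: bc = table[argv[2]]
  except KeyError: pass
  else: break
if bc is None: raise KeyError(argv[2])
if len(argv) == 3:
  ## Generation mode: keys and arguments all come from the fixed-seed R, so
  ## the output is reproducible.
  VERBOSE = False
  gen, argty, func = MODEMAP[mode]
  if mode.endswith('-enc'): mode = mode[:-4]
  print '%s-%s {' % (bc.name, mode)
  for ksz in keylens(bc.keysz):
    for argvals in gen(bc):
      k = R.block(ksz)
      args = [t.mk(a) for t, a in izip(argty, argvals)]
      rets = func(bc(k), *args)
      print ' %s' % safehex(k)
      for t, a in izip(argty, args):
        if t.show: print ' %s' % t.show(a)
      for r, lastp in with_lastp(rets):
        print ' %s%s' % (safehex(r), ';' if lastp else '')
  print '}'
else:
  ## Verbose single-shot mode.  `k' must stay a module-level name: the EAX
  ## functions print it from the global scope.
  VERBOSE = True
  k = C.bytes(argv[3])
  gen, argty, func = MODEMAP[mode]
  args = [t.parse(a) for t, a in izip(argty, argv[4:])]
  rets = func(bc(k), *args)
  for r in rets:
    if r is None: print "X"
    else: print hex(r)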
711
712 ###----- That's all, folks --------------------------------------------------