From: Andrey Rys Date: Sat, 15 Jan 2022 14:38:07 +0000 (+0100) Subject: remove OCB mode X-Git-Url: https://jxself.org/git/?a=commitdiff_plain;h=d659ac85a7c63b7833ab793be2f37fbc4ca7ba6b;p=tfcrypt.git remove OCB mode --- diff --git a/README b/README index b8f814a..a5473cb 100644 --- a/README +++ b/README @@ -15,9 +15,7 @@ with Skein hash function. This program is incompatible with older, "tf1024" tfcrypt version. This version aims to provide a portable encryption tool to encrypt fixed media such as disks and archive files, as well as to provide decades long privacy for encrypted data. -Supported modes of operation: CTR, ECB, CBC, XTS, OCB and arbitrary long keystream. -OCB mode does not use Skein hash function to hash and verify message, instead, it does -a single pass crypt and verify, thus, it is faster than other modes when both crypt and verify. +Supported modes of operation: CTR, ECB, CBC, XTS and arbitrary long keystream. Additionally, this version provides a way to virtually "extend" key size to 1280 bits, by enabling "fullkey" option or changing "do_full_key" default setting in tfcrypt_defs.h. @@ -29,7 +27,7 @@ Please note that this encryption software includes Threefish cipher, which is te slow on 32 bit systems. This way, it cannot be efficiently used on pure 32 bit machines. Threefish contained here is stripped off of it's tweak property, thus, it is turned into a -regular block cipher. To add tweakability, either XTS or OCB modes of operation are used. +regular block cipher. To add tweakability, XTS modes of operation is used. Default wide block size is 4096 bytes. SKEIN NOTES diff --git a/VERSION b/VERSION index 04f9fe4..abdfb05 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -59 +60 diff --git a/tfc_bench.c b/tfc_bench.c index e8ddaa3..2c05538 100644 --- a/tfc_bench.c +++ b/tfc_bench.c @@ -49,7 +49,7 @@ void do_benchmark(tfc_useconds useconds, double dseconds) tfc_getrandom(ctr, sizeof(ctr)); if (do_mac != NO) { tfc_getrandom(mackey, sizeof(mackey)); - if (ctr_mode < TFC_MODE_OCB) skein_init_key(&sk, mackey, macbits); + skein_init_key(&sk, mackey, macbits); } if (ctr_mode == TFC_MODE_STREAM) tfe_init_iv(&tfe, key, ctr); if (ctr_mode == TFC_MODE_XTS) tfc_getrandom(xtskey, sizeof(xtskey)); @@ -63,8 +63,7 @@ void do_benchmark(tfc_useconds useconds, double dseconds) lblock = blk_len_adj(NOFSIZE, total_processed_src, blksize); total_processed_src += lblock; - if (do_mac != NO && ctr_mode < TFC_MODE_OCB) - skein_update(&sk, srcblk, lblock); + if (do_mac != NO) skein_update(&sk, srcblk, lblock); if (ctr_mode == TFC_MODE_CTR) tf_ctr_crypt(key, ctr, srcblk, srcblk, lblock); else if (ctr_mode == TFC_MODE_STREAM) tf_stream_crypt(&tfe, srcblk, srcblk, lblock); @@ -81,11 +80,6 @@ void do_benchmark(tfc_useconds useconds, double dseconds) else if (ctr_mode == TFC_MODE_CBC && do_edcrypt == TFC_DO_DECRYPT) tf_cbc_decrypt(key, ctr, srcblk, srcblk, lblock); - else if (ctr_mode == TFC_MODE_OCB && do_edcrypt == TFC_DO_ENCRYPT) - tf_ocb_encrypt(key, ctr, srcblk, do_mac ? macresult : NULL, srcblk, lblock, xtsblocks); - else if (ctr_mode == TFC_MODE_OCB && do_edcrypt == TFC_DO_DECRYPT) - tf_ocb_decrypt(key, ctr, srcblk, do_mac ? macresult : NULL, srcblk, lblock, xtsblocks); - delta_processed += lblock; } } diff --git a/tfc_conf.c b/tfc_conf.c index 15a79ed..fc9bec7 100644 --- a/tfc_conf.c +++ b/tfc_conf.c @@ -80,8 +80,6 @@ _nspc: ctr_mode = TFC_MODE_ECB; else if (!strcasecmp(d, "xts")) ctr_mode = TFC_MODE_XTS; - else if (!strcasecmp(d, "ocb")) - ctr_mode = TFC_MODE_OCB; else xerror(NO, YES, YES, "[%s] ctr_mode=%s: invalid mode of operation", path, d); } else if (!strcmp(s, "tfc_salt")) { diff --git a/tfc_error.c b/tfc_error.c index 4d64afd..a00b070 100644 --- a/tfc_error.c +++ b/tfc_error.c @@ -245,7 +245,7 @@ void usage(void) tfc_say(" -w: overwrite source file. If not file, ignored."); tfc_say(" -n TURNS: number of turns to perform in Skein function."); tfc_say(" Default is always defined when building tfcrypt."); - tfc_say(" -C mode: mode of operation: CTR, STREAM, XTS, ECB, CBC, OCB."); + tfc_say(" -C mode: mode of operation: CTR, STREAM, XTS, ECB, CBC."); tfc_say(" Default encryption mode can be changed when building tfcrypt."); tfc_say(" -c opt: initial CTR value initialisation mode:"); tfc_say(" show: do default action, then dump CTR value to stderr,"); diff --git a/tfc_misc.c b/tfc_misc.c index bfb7265..5a6c53b 100644 --- a/tfc_misc.c +++ b/tfc_misc.c @@ -97,7 +97,6 @@ const char *tfc_modename(int mode) case TFC_MODE_XTS: return "XTS"; case TFC_MODE_ECB: return "ECB"; case TFC_MODE_CBC: return "CBC"; - case TFC_MODE_OCB: return "OCB"; } return NULL; diff --git a/tfcrypt.c b/tfcrypt.c index aac2e68..8842081 100644 --- a/tfcrypt.c +++ b/tfcrypt.c @@ -212,8 +212,6 @@ _baddfname: ctr_mode = TFC_MODE_ECB; else if (!strcasecmp(optarg, "xts")) ctr_mode = TFC_MODE_XTS; - else if (!strcasecmp(optarg, "ocb")) - ctr_mode = TFC_MODE_OCB; else xerror(NO, YES, YES, "%s: invalid mode of operation", optarg); break; case 'P': @@ -1052,12 +1050,10 @@ _xts2genkey: if (xwrite(krfd, pblk, TF_FROM_BITS(TFC_KEY_BITS)) == NOSIZE) xerro if (do_mac != NO) { if (mackey_opt == TFC_MACKEY_RAWKEY) skein(mackey, TF_MAX_BITS, key, key, TF_FROM_BITS(TFC_KEY_BITS)); - if (ctr_mode < TFC_MODE_OCB) { - if (verbose) tfc_esay("%s: doing MAC calculation, processing speed " - "will be slower.", tfc_format_pid(progname)); - if (mackey_opt) skein_init_key(&sk, mackey, macbits); - else skein_init(&sk, macbits); - } + if (verbose) tfc_esay("%s: doing MAC calculation, processing speed " + "will be slower.", tfc_format_pid(progname)); + if (mackey_opt) skein_init_key(&sk, mackey, macbits); + else skein_init(&sk, macbits); } if (!counter_file && counter_opt <= TFC_CTR_SHOW && ctr_mode != TFC_MODE_ECB) { @@ -1227,8 +1223,7 @@ _ragain: lio = xread(sfd, pblk, lrem); memset(srcblk+orig, 0, sizeof(srcblk)-orig); } - if (do_mac == TFC_MAC_SIGN && ctr_mode < TFC_MODE_OCB) - skein_update(&sk, srcblk, ldone); + if (do_mac == TFC_MAC_SIGN) skein_update(&sk, srcblk, ldone); if (ctr_mode == TFC_MODE_CTR) tf_ctr_crypt(key, ctr, dstblk, srcblk, ldone); else if (ctr_mode == TFC_MODE_STREAM) tf_stream_crypt(&tfe, dstblk, srcblk, ldone); @@ -1245,16 +1240,10 @@ _ragain: lio = xread(sfd, pblk, lrem); else if (ctr_mode == TFC_MODE_CBC && do_edcrypt == TFC_DO_DECRYPT) tf_cbc_decrypt(key, ctr, dstblk, srcblk, ldone); - else if (ctr_mode == TFC_MODE_OCB && do_edcrypt == TFC_DO_ENCRYPT) - tf_ocb_encrypt(key, ctr, dstblk, do_mac == TFC_MAC_SIGN ? macresult : NULL, srcblk, ldone, xtsblocks); - else if (ctr_mode == TFC_MODE_OCB && do_edcrypt == TFC_DO_DECRYPT) - tf_ocb_decrypt(key, ctr, dstblk, do_mac >= TFC_MAC_VRFY ? macresult : NULL, srcblk, ldone, xtsblocks); - else if (ctr_mode == TFC_MODE_PLAIN) memcpy(dstblk, srcblk, ldone); - if (do_mac >= TFC_MAC_VRFY && ctr_mode < TFC_MODE_OCB) - skein_update(&sk, dstblk, ldone); + if (do_mac >= TFC_MAC_VRFY) skein_update(&sk, dstblk, ldone); if (do_mac >= TFC_MAC_JUST_VRFY) goto _nowrite; pblk = dstblk; @@ -1337,15 +1326,13 @@ _macragain: lio = xread(sfd, pblk, lrem); goto _shortmac; } - if (ctr_mode < TFC_MODE_OCB) skein_final(macresult, &sk); - else skein(macresult, macbits, mackey, macresult, TF_FROM_BITS(macbits)); + skein_final(macresult, &sk); if (ctr_mode == TFC_MODE_CTR) tf_ctr_crypt(key, ctr, tmpdata, macvrfy, TF_FROM_BITS(macbits)); else if (ctr_mode == TFC_MODE_STREAM) tf_stream_crypt(&tfe, tmpdata, macvrfy, TF_FROM_BITS(macbits)); else if (ctr_mode == TFC_MODE_XTS) tf_xts_decrypt(key, xtskey, ctr, tmpdata, macvrfy, TF_FROM_BITS(macbits), xtsblocks); else if (ctr_mode == TFC_MODE_ECB) tf_ecb_decrypt(key, tmpdata, macvrfy, TF_FROM_BITS(macbits)); else if (ctr_mode == TFC_MODE_CBC) tf_cbc_decrypt(key, ctr, tmpdata, macvrfy, TF_FROM_BITS(macbits)); - else if (ctr_mode == TFC_MODE_OCB) tf_ocb_decrypt(key, ctr, tmpdata, NULL, macvrfy, TF_FROM_BITS(macbits), xtsblocks); if (!memcmp(tmpdata, macresult, TF_FROM_BITS(macbits))) { if (quiet == NO) { @@ -1376,15 +1363,13 @@ _shortmac: memset(macvrfy, 0, sizeof(macvrfy)); memset(tmpdata, 0, sizeof(tmpdata)); } else if (do_mac == TFC_MAC_SIGN) { - if (ctr_mode < TFC_MODE_OCB) skein_final(macresult, &sk); - else skein(macresult, macbits, mackey, macresult, TF_FROM_BITS(macbits)); + skein_final(macresult, &sk); if (ctr_mode == TFC_MODE_CTR) tf_ctr_crypt(key, ctr, tmpdata, macresult, TF_FROM_BITS(macbits)); else if (ctr_mode == TFC_MODE_STREAM) tf_stream_crypt(&tfe, tmpdata, macresult, TF_FROM_BITS(macbits)); else if (ctr_mode == TFC_MODE_XTS) tf_xts_encrypt(key, xtskey, ctr, tmpdata, macresult, TF_FROM_BITS(macbits), xtsblocks); else if (ctr_mode == TFC_MODE_ECB) tf_ecb_encrypt(key, tmpdata, macresult, TF_FROM_BITS(macbits)); else if (ctr_mode == TFC_MODE_CBC) tf_cbc_encrypt(key, ctr, tmpdata, macresult, TF_FROM_BITS(macbits)); - else if (ctr_mode == TFC_MODE_OCB) tf_ocb_encrypt(key, ctr, tmpdata, NULL, macresult, TF_FROM_BITS(macbits), xtsblocks); memset(macresult, 0, sizeof(macresult)); if (!do_mac_file) { diff --git a/tfcrypt.h b/tfcrypt.h index 8a57c11..30e1a51 100644 --- a/tfcrypt.h +++ b/tfcrypt.h @@ -233,7 +233,7 @@ enum { TFC_RAWKEY_KEYFILE = 1, TFC_RAWKEY_ASKSTR, TFC_RAWKEY_ASKHEX }; enum { TFC_OUTFMT_HEX = 1, TFC_OUTFMT_B64, TFC_OUTFMT_RAW }; enum { TFC_MODE_SKSUM = -2, TFC_MODE_PLAIN = -1, TFC_MODE_CTR = 1, - TFC_MODE_STREAM, TFC_MODE_XTS, TFC_MODE_ECB, TFC_MODE_CBC, TFC_MODE_OCB + TFC_MODE_STREAM, TFC_MODE_XTS, TFC_MODE_ECB, TFC_MODE_CBC }; enum { TFC_CTR_SHOW = 1, TFC_CTR_HEAD, TFC_CTR_RAND, TFC_CTR_ZERO, TFC_CTR_SSET }; enum { TFC_NO_FTRUNC, TFC_DO_FTRUNC, TFC_FTRUNC_TAIL }; diff --git a/tfdef.h b/tfdef.h index 72c713d..2eac9f8 100644 --- a/tfdef.h +++ b/tfdef.h @@ -137,7 +137,5 @@ void tf_cbc_encrypt(const void *key, void *iv, void *out, const void *in, size_t void tf_cbc_decrypt(const void *key, void *iv, void *out, const void *in, size_t sz); void tf_xts_encrypt(const void *keyx, const void *keyz, void *ctr, void *out, const void *in, size_t sz, size_t bpi); void tf_xts_decrypt(const void *keyx, const void *keyz, void *ctr, void *out, const void *in, size_t sz, size_t bpi); -void tf_ocb_encrypt(const void *key, void *ctr, void *out, void *tag, const void *in, size_t sz, size_t bpi); -void tf_ocb_decrypt(const void *key, void *ctr, void *out, void *tag, const void *in, size_t sz, size_t bpi); #endif diff --git a/tfocb.c b/tfocb.c deleted file mode 100644 index 6498d27..0000000 --- a/tfocb.c +++ /dev/null @@ -1,187 +0,0 @@ -#include -#include "tfdef.h" - -static inline void ocb_block(TF_UNIT_TYPE *x, int tag) -{ - TF_UNIT_TYPE c = (x[0] >> (TF_UNIT_BITS-1)); - size_t i; - - if (tag) goto _tag; - for (i = 0; i < TF_NR_BLOCK_UNITS-1; i++) - x[i] = ((x[i] << 1) | (x[i+1] >> (TF_UNIT_BITS-1))); - x[TF_NR_BLOCK_UNITS-1] = ((x[i-1] << 1) ^ (c*IRR_POLY_CONST)); - return; - -_tag: for (i = 0; i < TF_NR_BLOCK_UNITS-1; i++) - x[i] ^= ((x[i] << 1) | (x[i+1] >> (TF_UNIT_BITS-1))); - x[TF_NR_BLOCK_UNITS-1] ^= ((x[i-1] << 1) ^ (c*IRR_POLY_CONST)); -} - -static void ocb_encrypt(const void *key, void *ctr, void *out, void *tag, const void *in, size_t sz) -{ - const TF_BYTE_TYPE *uin = in; - TF_BYTE_TYPE *uout = out, *s, *d; - TF_UNIT_TYPE x[TF_NR_BLOCK_UNITS], y[TF_NR_BLOCK_UNITS]; - TF_UNIT_TYPE tctr[TF_NR_BLOCK_UNITS], c[TF_NR_BLOCK_UNITS]; - TF_UNIT_TYPE *uctr = ctr, *utag = tag; - const TF_UNIT_TYPE *ukey = key; - size_t sl = sz, i; - - tf_encrypt_rawblk(tctr, uctr, ukey); - if (tag) { - memcpy(c, tag, TF_BLOCK_SIZE); - data_to_words(c, TF_BLOCK_SIZE); - } - - if (sl >= TF_BLOCK_SIZE) { - do { - memcpy(x, uin, TF_BLOCK_SIZE); - uin += TF_BLOCK_SIZE; - data_to_words(x, TF_BLOCK_SIZE); - - ctr_inc(uctr, TF_NR_BLOCK_UNITS); - ocb_block(tctr, 0); - if (tag) for (i = 0; i < TF_NR_BLOCK_UNITS; i++) c[i] ^= x[i]; - for (i = 0; i < TF_NR_BLOCK_UNITS; i++) x[i] ^= tctr[i]; - tf_encrypt_rawblk(y, x, ukey); - for (i = 0; i < TF_NR_BLOCK_UNITS; i++) y[i] ^= tctr[i]; - - data_to_words(y, TF_BLOCK_SIZE); - memcpy(uout, y, TF_BLOCK_SIZE); - uout += TF_BLOCK_SIZE; - } while ((sl -= TF_BLOCK_SIZE) >= TF_BLOCK_SIZE); - } - - if (sl) { - ctr_inc(uctr, TF_NR_BLOCK_UNITS); - ocb_block(tctr, 0); - memset(x, 0, TF_BLOCK_SIZE); - x[TF_NR_BLOCK_UNITS-1] = (TF_TO_BITS(sl)); - for (i = 0; i < TF_NR_BLOCK_UNITS; i++) x[i] ^= tctr[i]; - tf_encrypt_rawblk(y, x, ukey); - - memcpy(x, uin, sl); - data_to_words(x, sl); - s = (TF_BYTE_TYPE *)x; d = (TF_BYTE_TYPE *)y; - memcpy(s+sl, d+sl, TF_BLOCK_SIZE-sl); - if (tag) for (i = 0; i < TF_NR_BLOCK_UNITS; i++) c[i] ^= x[i]; - for (i = 0; i < TF_NR_BLOCK_UNITS; i++) x[i] ^= y[i]; - - data_to_words(x, sl); - memcpy(uout, x, sl); - } - - if (!tag) goto _done; - - ocb_block(tctr, 1); - for (i = 0; i < TF_NR_BLOCK_UNITS; i++) x[i] = tctr[i] ^ c[i]; - tf_encrypt_rawblk(y, x, ukey); - data_to_words(y, TF_BLOCK_SIZE); - for (i = 0; i < TF_NR_BLOCK_UNITS; i++) utag[i] ^= y[i]; - -_done: memset(tctr, 0, TF_BLOCK_SIZE); - memset(c, 0, TF_BLOCK_SIZE); - memset(x, 0, TF_BLOCK_SIZE); - memset(y, 0, TF_BLOCK_SIZE); -} - -void tf_ocb_encrypt(const void *key, void *ctr, void *out, void *tag, const void *in, size_t sz, size_t bpi) -{ - const TF_BYTE_TYPE *uin = in; - TF_BYTE_TYPE *uout = out; - size_t sl = sz, sx = TF_BLOCKS_TO_BYTES(bpi); - - if (sl >= sx) { - do { - ocb_encrypt(key, ctr, uout, tag, uin, sx); - uout += sx; - uin += sx; - } while ((sl -= sx) >= sx); - } - - if (sl) ocb_encrypt(key, ctr, uout, tag, uin, sl); -} - -static void ocb_decrypt(const void *key, void *ctr, void *out, void *tag, const void *in, size_t sz) -{ - const TF_BYTE_TYPE *uin = in; - TF_BYTE_TYPE *uout = out; - TF_UNIT_TYPE x[TF_NR_BLOCK_UNITS], y[TF_NR_BLOCK_UNITS]; - TF_UNIT_TYPE tctr[TF_NR_BLOCK_UNITS], c[TF_NR_BLOCK_UNITS]; - TF_UNIT_TYPE *uctr = ctr, *utag = tag; - const TF_UNIT_TYPE *ukey = key; - size_t sl = sz, i; - - tf_encrypt_rawblk(tctr, uctr, ukey); - if (tag) { - memcpy(c, tag, TF_BLOCK_SIZE); - data_to_words(c, TF_BLOCK_SIZE); - } - - if (sl >= TF_BLOCK_SIZE) { - do { - memcpy(x, uin, TF_BLOCK_SIZE); - uin += TF_BLOCK_SIZE; - data_to_words(x, TF_BLOCK_SIZE); - - ctr_inc(uctr, TF_NR_BLOCK_UNITS); - ocb_block(tctr, 0); - for (i = 0; i < TF_NR_BLOCK_UNITS; i++) x[i] ^= tctr[i]; - tf_decrypt_rawblk(y, x, ukey); - for (i = 0; i < TF_NR_BLOCK_UNITS; i++) y[i] ^= tctr[i]; - if (tag) for (i = 0; i < TF_NR_BLOCK_UNITS; i++) c[i] ^= y[i]; - - data_to_words(y, TF_BLOCK_SIZE); - memcpy(uout, y, TF_BLOCK_SIZE); - uout += TF_BLOCK_SIZE; - } while ((sl -= TF_BLOCK_SIZE) >= TF_BLOCK_SIZE); - } - - if (sl) { - ctr_inc(uctr, TF_NR_BLOCK_UNITS); - ocb_block(tctr, 0); - memset(x, 0, TF_BLOCK_SIZE); - x[TF_NR_BLOCK_UNITS-1] = (TF_TO_BITS(sl)); - for (i = 0; i < TF_NR_BLOCK_UNITS; i++) x[i] ^= tctr[i]; - tf_encrypt_rawblk(y, x, ukey); - - memset(x, 0, TF_BLOCK_SIZE); - memcpy(x, uin, sl); - data_to_words(x, sl); - for (i = 0; i < TF_NR_BLOCK_UNITS; i++) x[i] ^= y[i]; - if (tag) for (i = 0; i < TF_NR_BLOCK_UNITS; i++) c[i] ^= x[i]; - - data_to_words(x, sl); - memcpy(uout, x, sl); - } - - if (!tag) goto _done; - - ocb_block(tctr, 1); - for (i = 0; i < TF_NR_BLOCK_UNITS; i++) x[i] = tctr[i] ^ c[i]; - tf_encrypt_rawblk(y, x, ukey); - data_to_words(y, TF_BLOCK_SIZE); - for (i = 0; i < TF_NR_BLOCK_UNITS; i++) utag[i] ^= y[i]; - -_done: memset(tctr, 0, TF_BLOCK_SIZE); - memset(c, 0, TF_BLOCK_SIZE); - memset(x, 0, TF_BLOCK_SIZE); - memset(y, 0, TF_BLOCK_SIZE); -} - -void tf_ocb_decrypt(const void *key, void *ctr, void *out, void *tag, const void *in, size_t sz, size_t bpi) -{ - const TF_BYTE_TYPE *uin = in; - TF_BYTE_TYPE *uout = out; - size_t sl = sz, sx = TF_BLOCKS_TO_BYTES(bpi); - - if (sl >= sx) { - do { - ocb_decrypt(key, ctr, uout, tag, uin, sx); - uout += sx; - uin += sx; - } while ((sl -= sx) >= sx); - } - - if (sl) ocb_decrypt(key, ctr, uout, tag, uin, sl); -}