diff options
| author | Peter Dettman <peter.dettman@bouncycastle.org> | 2014-07-21 12:32:58 +0700 |
|---|---|---|
| committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2014-07-21 12:32:58 +0700 |
| commit | 27b0208e3182649cc190128e13b2157d73c10b33 (patch) | |
| tree | e85f8cc4fd9a073576799844da5eaf98feb31a50 /crypto | |
| parent | Port of latest GCM/OCB changes (diff) | |
| download | BouncyCastle.NET-ed25519-27b0208e3182649cc190128e13b2157d73c10b33.tar.xz | |
De-tabify
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/src/crypto/modes/GCMBlockCipher.cs | 352 |
1 files changed, 176 insertions, 176 deletions
diff --git a/crypto/src/crypto/modes/GCMBlockCipher.cs b/crypto/src/crypto/modes/GCMBlockCipher.cs index 74b895e7b..91858f6f5 100644 --- a/crypto/src/crypto/modes/GCMBlockCipher.cs +++ b/crypto/src/crypto/modes/GCMBlockCipher.cs @@ -8,123 +8,123 @@ using Org.BouncyCastle.Utilities; namespace Org.BouncyCastle.Crypto.Modes { - /// <summary> - /// Implements the Galois/Counter mode (GCM) detailed in - /// NIST Special Publication 800-38D. - /// </summary> - public class GcmBlockCipher - : IAeadBlockCipher - { - private const int BlockSize = 16; + /// <summary> + /// Implements the Galois/Counter mode (GCM) detailed in + /// NIST Special Publication 800-38D. + /// </summary> + public class GcmBlockCipher + : IAeadBlockCipher + { + private const int BlockSize = 16; private readonly IBlockCipher cipher; - private readonly IGcmMultiplier multiplier; + private readonly IGcmMultiplier multiplier; private IGcmExponentiator exp; // These fields are set by Init and not modified by processing - private bool forEncryption; - private int macSize; - private byte[] nonce; - private byte[] initialAssociatedText; + private bool forEncryption; + private int macSize; + private byte[] nonce; + private byte[] initialAssociatedText; private byte[] H; - private byte[] J0; + private byte[] J0; // These fields are modified during processing - private byte[] bufBlock; - private byte[] macBlock; + private byte[] bufBlock; + private byte[] macBlock; private byte[] S, S_at, S_atPre; - private byte[] counter; - private int bufOff; - private ulong totalLength; + private byte[] counter; + private int bufOff; + private ulong totalLength; private byte[] atBlock; private int atBlockPos; private ulong atLength; private ulong atLengthPre; public GcmBlockCipher( - IBlockCipher c) - : this(c, null) - { - } - - public GcmBlockCipher( - IBlockCipher c, - IGcmMultiplier m) - { - if (c.GetBlockSize() != BlockSize) - throw new ArgumentException("cipher required with a block size of " + BlockSize + "."); - - if (m == null) - { - // TODO Consider a static property specifying default multiplier - m = new Tables8kGcmMultiplier(); - } - - this.cipher = c; - this.multiplier = m; - } - - public virtual string AlgorithmName - { - get { return cipher.AlgorithmName + "/GCM"; } - } - - public IBlockCipher GetUnderlyingCipher() - { - return cipher; - } - - public virtual int GetBlockSize() - { - return BlockSize; - } - - public virtual void Init( - bool forEncryption, - ICipherParameters parameters) - { - this.forEncryption = forEncryption; - this.macBlock = null; + IBlockCipher c) + : this(c, null) + { + } + + public GcmBlockCipher( + IBlockCipher c, + IGcmMultiplier m) + { + if (c.GetBlockSize() != BlockSize) + throw new ArgumentException("cipher required with a block size of " + BlockSize + "."); + + if (m == null) + { + // TODO Consider a static property specifying default multiplier + m = new Tables8kGcmMultiplier(); + } + + this.cipher = c; + this.multiplier = m; + } + + public virtual string AlgorithmName + { + get { return cipher.AlgorithmName + "/GCM"; } + } + + public IBlockCipher GetUnderlyingCipher() + { + return cipher; + } + + public virtual int GetBlockSize() + { + return BlockSize; + } + + public virtual void Init( + bool forEncryption, + ICipherParameters parameters) + { + this.forEncryption = forEncryption; + this.macBlock = null; KeyParameter keyParam; if (parameters is AeadParameters) - { - AeadParameters param = (AeadParameters)parameters; - - nonce = param.GetNonce(); - initialAssociatedText = param.GetAssociatedText(); - - int macSizeBits = param.MacSize; - if (macSizeBits < 96 || macSizeBits > 128 || macSizeBits % 8 != 0) - { - throw new ArgumentException("Invalid value for MAC size: " + macSizeBits); - } - - macSize = macSizeBits / 8; - keyParam = param.Key; - } - else if (parameters is ParametersWithIV) - { - ParametersWithIV param = (ParametersWithIV)parameters; - - nonce = param.GetIV(); + { + AeadParameters param = (AeadParameters)parameters; + + nonce = param.GetNonce(); + initialAssociatedText = param.GetAssociatedText(); + + int macSizeBits = param.MacSize; + if (macSizeBits < 96 || macSizeBits > 128 || macSizeBits % 8 != 0) + { + throw new ArgumentException("Invalid value for MAC size: " + macSizeBits); + } + + macSize = macSizeBits / 8; + keyParam = param.Key; + } + else if (parameters is ParametersWithIV) + { + ParametersWithIV param = (ParametersWithIV)parameters; + + nonce = param.GetIV(); initialAssociatedText = null; - macSize = 16; - keyParam = (KeyParameter)param.Parameters; - } - else - { - throw new ArgumentException("invalid parameters passed to GCM"); - } - - int bufLength = forEncryption ? BlockSize : (BlockSize + macSize); - this.bufBlock = new byte[bufLength]; - - if (nonce == null || nonce.Length < 1) - { - throw new ArgumentException("IV must be at least 1 byte"); - } + macSize = 16; + keyParam = (KeyParameter)param.Parameters; + } + else + { + throw new ArgumentException("invalid parameters passed to GCM"); + } + + int bufLength = forEncryption ? BlockSize : (BlockSize + macSize); + this.bufBlock = new byte[bufLength]; + + if (nonce == null || nonce.Length < 1) + { + throw new ArgumentException("IV must be at least 1 byte"); + } // TODO This should be configurable by Init parameters // (but must be 16 if nonce length not 12) (BlockSize?) @@ -136,8 +136,8 @@ namespace Org.BouncyCastle.Crypto.Modes { cipher.Init(true, keyParam); - this.H = new byte[BlockSize]; - cipher.ProcessBlock(H, 0, H, 0); + this.H = new byte[BlockSize]; + cipher.ProcessBlock(H, 0, H, 0); // if keyParam is null we're reusing the last key and the multiplier doesn't need re-init multiplier.Init(H); @@ -147,17 +147,17 @@ namespace Org.BouncyCastle.Crypto.Modes this.J0 = new byte[BlockSize]; if (nonce.Length == 12) - { - Array.Copy(nonce, 0, J0, 0, nonce.Length); - this.J0[BlockSize - 1] = 0x01; - } - else - { + { + Array.Copy(nonce, 0, J0, 0, nonce.Length); + this.J0[BlockSize - 1] = 0x01; + } + else + { gHASH(J0, nonce, nonce.Length); - byte[] X = new byte[BlockSize]; + byte[] X = new byte[BlockSize]; Pack.UInt64_To_BE((ulong)nonce.Length * 8UL, X, 8); gHASHBlock(J0, X); - } + } this.S = new byte[BlockSize]; this.S_at = new byte[BlockSize]; @@ -174,16 +174,16 @@ namespace Org.BouncyCastle.Crypto.Modes { ProcessAadBytes(initialAssociatedText, 0, initialAssociatedText.Length); } - } + } - public virtual byte[] GetMac() - { - return Arrays.Clone(macBlock); - } + public virtual byte[] GetMac() + { + return Arrays.Clone(macBlock); + } - public virtual int GetOutputSize( - int len) - { + public virtual int GetOutputSize( + int len) + { int totalData = len + bufOff; if (forEncryption) @@ -192,11 +192,11 @@ namespace Org.BouncyCastle.Crypto.Modes } return totalData < macSize ? 0 : totalData - macSize; - } + } public virtual int GetUpdateOutputSize( - int len) - { + int len) + { int totalData = len + bufOff; if (!forEncryption) { @@ -207,7 +207,7 @@ namespace Org.BouncyCastle.Crypto.Modes totalData -= macSize; } return totalData - totalData % BlockSize; - } + } public virtual void ProcessAadByte(byte input) { @@ -258,10 +258,10 @@ namespace Org.BouncyCastle.Crypto.Modes } public virtual int ProcessByte( - byte input, - byte[] output, - int outOff) - { + byte input, + byte[] output, + int outOff) + { bufBlock[bufOff] = input; if (++bufOff == bufBlock.Length) { @@ -269,15 +269,15 @@ namespace Org.BouncyCastle.Crypto.Modes return BlockSize; } return 0; - } + } public virtual int ProcessBytes( - byte[] input, - int inOff, - int len, - byte[] output, - int outOff) - { + byte[] input, + int inOff, + int len, + byte[] output, + int outOff) + { int resultLen = 0; for (int i = 0; i < len; ++i) @@ -291,7 +291,7 @@ namespace Org.BouncyCastle.Crypto.Modes } return resultLen; - } + } private void OutputBlock(byte[] output, int offset) { @@ -311,8 +311,8 @@ namespace Org.BouncyCastle.Crypto.Modes } } - public int DoFinal(byte[] output, int outOff) - { + public int DoFinal(byte[] output, int outOff) + { if (totalLength == 0) { InitCipher(); @@ -375,52 +375,52 @@ namespace Org.BouncyCastle.Crypto.Modes } // Final gHASH - byte[] X = new byte[BlockSize]; + byte[] X = new byte[BlockSize]; Pack.UInt64_To_BE(atLength * 8UL, X, 0); Pack.UInt64_To_BE(totalLength * 8UL, X, 8); gHASHBlock(S, X); - // TODO Fix this if tagLength becomes configurable - // T = MSBt(GCTRk(J0,S)) - byte[] tag = new byte[BlockSize]; - cipher.ProcessBlock(J0, 0, tag, 0); - GcmUtilities.Xor(tag, S); - - int resultLen = extra; - - // We place into macBlock our calculated value for T - this.macBlock = new byte[macSize]; - Array.Copy(tag, 0, macBlock, 0, macSize); - - if (forEncryption) - { - // Append T to the message - Array.Copy(macBlock, 0, output, outOff + bufOff, macSize); - resultLen += macSize; - } - else - { - // Retrieve the T value from the message and compare to calculated one - byte[] msgMac = new byte[macSize]; - Array.Copy(bufBlock, extra, msgMac, 0, macSize); - if (!Arrays.ConstantTimeAreEqual(this.macBlock, msgMac)) - throw new InvalidCipherTextException("mac check in GCM failed"); - } - - Reset(false); - - return resultLen; - } - - public virtual void Reset() - { - Reset(true); - } - - private void Reset( - bool clearMac) - { + // TODO Fix this if tagLength becomes configurable + // T = MSBt(GCTRk(J0,S)) + byte[] tag = new byte[BlockSize]; + cipher.ProcessBlock(J0, 0, tag, 0); + GcmUtilities.Xor(tag, S); + + int resultLen = extra; + + // We place into macBlock our calculated value for T + this.macBlock = new byte[macSize]; + Array.Copy(tag, 0, macBlock, 0, macSize); + + if (forEncryption) + { + // Append T to the message + Array.Copy(macBlock, 0, output, outOff + bufOff, macSize); + resultLen += macSize; + } + else + { + // Retrieve the T value from the message and compare to calculated one + byte[] msgMac = new byte[macSize]; + Array.Copy(bufBlock, extra, msgMac, 0, macSize); + if (!Arrays.ConstantTimeAreEqual(this.macBlock, msgMac)) + throw new InvalidCipherTextException("mac check in GCM failed"); + } + + Reset(false); + + return resultLen; + } + + public virtual void Reset() + { + Reset(true); + } + + private void Reset( + bool clearMac) + { cipher.Reset(); S = new byte[BlockSize]; @@ -448,7 +448,7 @@ namespace Org.BouncyCastle.Crypto.Modes { ProcessAadBytes(initialAssociatedText, 0, initialAssociatedText.Length); } - } + } private void gCTRBlock(byte[] block, byte[] output, int outOff) { @@ -507,5 +507,5 @@ namespace Org.BouncyCastle.Crypto.Modes cipher.ProcessBlock(counter, 0, tmp, 0); return tmp; } - } + } } |