Implement OCB mode

src/crypto/index.js

@@ -14,6 +14,7 @@ import hash from './hash';
 import cfb from './cfb';
 import gcm from './gcm';
 import eax from './eax';
+import ocb from './ocb';
 import publicKey from './public_key';
 import signature from './signature';
 import random from './random';
@@ -34,6 +35,8 @@ const mod = {
   gcm: gcm,
   /** @see module:crypto/eax */
   eax: eax,
+  /** @see module:crypto/ocb */
+  ocb: ocb,
   /** @see module:crypto/public_key */
   publicKey: publicKey,
   /** @see module:crypto/signature */

src/crypto/ocb.js

@@ -0,0 +1,312 @@
+// OpenPGP.js - An OpenPGP implementation in javascript
+// Copyright (C) 2018 ProtonTech AG
+//
+// This library is free software; you can redistribute it and/or
+// modify it under the terms of the GNU Lesser General Public
+// License as published by the Free Software Foundation; either
+// version 3.0 of the License, or (at your option) any later version.
+//
+// This library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public
+// License along with this library; if not, write to the Free Software
+// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+
+/**
+ * @fileoverview This module implements AES-OCB en/decryption.
+ * @requires crypto/cipher
+ * @requires util
+ * @module crypto/ocb
+ */
+
+import ciphers from './cipher';
+import util from '../util';
+
+
+const blockLength = 16;
+const ivLength = 15;
+
+// https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.16.2:
+// While OCB [RFC7253] allows the authentication tag length to be of any
+// number up to 128 bits long, this document requires a fixed
+// authentication tag length of 128 bits (16 octets) for simplicity.
+const tagLength = 16;
+
+
+const { shiftLeft, shiftRight } = util;
+
+
+function zeros(bytes) {
+  return new Uint8Array(bytes);
+}
+
+function ntz(n) {
+  let ntz = 0;
+  for(let i = 1; (n & i) === 0; i <<= 1) {
+    ntz++;
+  }
+  return ntz;
+}
+
+function set_xor(S, T) {
+  for (let i = 0; i < S.length; i++) {
+    S[i] ^= T[i];
+  }
+  return S;
+}
+
+function xor(S, T) {
+  return set_xor(S.slice(), T);
+}
+
+function concat(...arrays) {
+  return util.concatUint8Array(arrays);
+}
+
+function double(S) {
+  const double = S.slice();
+  shiftLeft(double, 1);
+  if (S[0] & 0b10000000) {
+    double[15] ^= 0b10000111;
+  }
+  return double;
+}
+
+
+function constructKeyVariables(cipher, key, text, adata) {
+  const aes = new ciphers[cipher](key);
+  const encipher = aes.encrypt.bind(aes);
+  const decipher = aes.decrypt.bind(aes);
+
+  const L_x = encipher(zeros(16));
+  const L_$ = double(L_x);
+  const L = [];
+  L[0] = double(L_$);
+
+  const max_ntz = util.nbits(Math.max(text.length, adata.length) >> 4) - 1;
+  for (let i = 1; i <= max_ntz; i++) {
+    L[i] = double(L[i - 1]);
+  }
+
+  L.x = L_x;
+  L.$ = L_$;
+
+  return { encipher, decipher, L };
+}
+
+function hash(kv, key, adata) {
+  if (!adata.length) {
+    // Fast path
+    return zeros(16);
+  }
+
+  const { encipher, L } = kv;
+
+  //
+  // Consider A as a sequence of 128-bit blocks
+  //
+  const m = adata.length >> 4;
+
+  const offset = zeros(16);
+  const sum = zeros(16);
+  for (let i = 0; i < m; i++) {
+    set_xor(offset, L[ntz(i + 1)]);
+    set_xor(sum, encipher(xor(offset, adata)));
+    adata = adata.subarray(16);
+  }
+
+  //
+  // Process any final partial block; compute final hash value
+  //
+  if (adata.length) {
+    set_xor(offset, L.x);
+
+    const cipherInput = zeros(16);
+    cipherInput.set(adata, 0);
+    cipherInput[adata.length] = 0b10000000;
+    set_xor(cipherInput, offset);
+
+    set_xor(sum, encipher(cipherInput));
+  }
+
+  return sum;
+}
+
+
+/**
+ * Encrypt plaintext input.
+ * @param  {String}     cipher      The symmetric cipher algorithm to use e.g. 'aes128'
+ * @param  {Uint8Array} plaintext   The cleartext input to be encrypted
+ * @param  {Uint8Array} key         The encryption key
+ * @param  {Uint8Array} nonce       The nonce (15 bytes)
+ * @param  {Uint8Array} adata       Associated data to sign
+ * @returns {Promise<Uint8Array>}    The ciphertext output
+ */
+async function encrypt(cipher, plaintext, key, nonce, adata) {
+  //
+  // Consider P as a sequence of 128-bit blocks
+  //
+  const m = plaintext.length >> 4;
+
+  //
+  // Key-dependent variables
+  //
+  const kv = constructKeyVariables(cipher, key, plaintext, adata);
+  const { encipher, L } = kv;
+
+  //
+  // Nonce-dependent and per-encryption variables
+  //
+  // We assume here that TAGLEN mod 128 == 0 (tagLength === 16).
+  const Nonce = concat(zeros(15 - nonce.length), new Uint8Array([1]), nonce);
+  const bottom = Nonce[15] & 0b111111;
+  Nonce[15] &= 0b11000000;
+  const Ktop = encipher(Nonce);
+  const Stretch = concat(Ktop, xor(Ktop.subarray(0, 8), Ktop.subarray(1, 9)));
+  //    Offset_0 = Stretch[1+bottom..128+bottom]
+  const offset = shiftRight(Stretch.subarray(0 + (bottom >> 3), 17 + (bottom >> 3)), 8 - (bottom & 7)).subarray(1);
+  const checksum = zeros(16);
+
+  const C = new Uint8Array(plaintext.length + tagLength);
+
+  //
+  // Process any whole blocks
+  //
+  let i;
+  let pos = 0;
+  for (i = 0; i < m; i++) {
+    set_xor(offset, L[ntz(i + 1)]);
+    C.set(xor(offset, encipher(xor(offset, plaintext))), pos);
+    set_xor(checksum, plaintext);
+
+    plaintext = plaintext.subarray(16);
+    pos += 16;
+  }
+
+  //
+  // Process any final partial block and compute raw tag
+  //
+  if (plaintext.length) {
+    set_xor(offset, L.x);
+    const Pad = encipher(offset);
+    C.set(xor(plaintext, Pad), pos);
+
+    // Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*)))
+    const xorInput = zeros(16);
+    xorInput.set(plaintext, 0);
+    xorInput[plaintext.length] = 0b10000000;
+    set_xor(checksum, xorInput);
+    pos += plaintext.length;
+  }
+  const Tag = xor(encipher(xor(xor(checksum, offset), L.$)), hash(kv, key, adata));
+
+  //
+  // Assemble ciphertext
+  //
+  C.set(Tag, pos);
+  return C;
+}
+
+
+/**
+ * Decrypt ciphertext input.
+ * @param  {String}     cipher       The symmetric cipher algorithm to use e.g. 'aes128'
+ * @param  {Uint8Array} ciphertext   The ciphertext input to be decrypted
+ * @param  {Uint8Array} key          The encryption key
+ * @param  {Uint8Array} nonce        The nonce (15 bytes)
+ * @param  {Uint8Array} adata        Associated data to verify
+ * @returns {Promise<Uint8Array>}     The plaintext output
+ */
+async function decrypt(cipher, ciphertext, key, nonce, adata) {
+  //
+  // Consider C as a sequence of 128-bit blocks
+  //
+  const T = ciphertext.subarray(ciphertext.length - tagLength);
+  ciphertext = ciphertext.subarray(0, ciphertext.length - tagLength);
+  const m = ciphertext.length >> 4;
+
+  //
+  // Key-dependent variables
+  //
+  const kv = constructKeyVariables(cipher, key, ciphertext, adata);
+  const { encipher, decipher, L } = kv;
+
+  //
+  // Nonce-dependent and per-encryption variables
+  //
+  // We assume here that TAGLEN mod 128 == 0 (tagLength === 16).
+  const Nonce = concat(zeros(15 - nonce.length), new Uint8Array([1]), nonce);
+  const bottom = Nonce[15] & 0b111111;
+  Nonce[15] &= 0b11000000;
+  const Ktop = encipher(Nonce);
+  const Stretch = concat(Ktop, xor(Ktop.subarray(0, 8), Ktop.subarray(1, 9)));
+  //    Offset_0 = Stretch[1+bottom..128+bottom]
+  const offset = shiftRight(Stretch.subarray(0 + (bottom >> 3), 17 + (bottom >> 3)), 8 - (bottom & 7)).subarray(1);
+  const checksum = zeros(16);
+
+  const P = new Uint8Array(ciphertext.length);
+
+  //
+  // Process any whole blocks
+  //
+  let i;
+  let pos = 0;
+  for (i = 0; i < m; i++) {
+    set_xor(offset, L[ntz(i + 1)]);
+    P.set(xor(offset, decipher(xor(offset, ciphertext))), pos);
+    set_xor(checksum, P.subarray(pos));
+
+    ciphertext = ciphertext.subarray(16);
+    pos += 16;
+  }
+
+  //
+  // Process any final partial block and compute raw tag
+  //
+  if (ciphertext.length) {
+    set_xor(offset, L.x);
+    const Pad = encipher(offset);
+    P.set(xor(ciphertext, Pad), pos);
+
+    // Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*)))
+    const xorInput = zeros(16);
+    xorInput.set(P.subarray(pos), 0);
+    xorInput[ciphertext.length] = 0b10000000;
+    set_xor(checksum, xorInput);
+    pos += ciphertext.length;
+  }
+  const Tag = xor(encipher(xor(xor(checksum, offset), L.$)), hash(kv, key, adata));
+
+  //
+  // Check for validity and assemble plaintext
+  //
+  if (!util.equalsUint8Array(Tag, T)) {
+    throw new Error('Authentication tag mismatch in OCB ciphertext');
+  }
+  return P;
+}
+
+/**
+ * Get OCB nonce as defined by {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.16.2|RFC4880bis-04, section 5.16.2}.
+ * @param  {Uint8Array} iv           The initialization vector (15 bytes)
+ * @param  {Uint8Array} chunkIndex   The chunk index (8 bytes)
+ */
+function getNonce(iv, chunkIndex) {
+  const nonce = iv.slice();
+  for (let i = 0; i < chunkIndex.length; i++) {
+    nonce[7 + i] ^= chunkIndex[i];
+  }
+  return nonce;
+}
+
+
+export default {
+  blockLength,
+  ivLength,
+  encrypt,
+  decrypt,
+  getNonce
+};

test/crypto/index.js

@@ -7,4 +7,5 @@ describe('Crypto', function () {
   require('./pkcs5.js');
   require('./aes_kw.js');
   require('./eax.js');
+  require('./ocb.js');
 });

test/crypto/ocb.js

@@ -0,0 +1,152 @@
+// Modified by ProtonTech AG
+
+// Adapted from https://github.com/artjomb/cryptojs-extension/blob/8c61d159/test/eax.js
+
+const openpgp = typeof window !== 'undefined' && window.openpgp ? window.openpgp : require('../../dist/openpgp');
+
+const chai = require('chai');
+chai.use(require('chai-as-promised'));
+
+const expect = chai.expect;
+
+const ocb = openpgp.crypto.ocb;
+
+describe('Symmetric AES-OCB', function() {
+  it('Passes all test vectors', async function() {
+    const K = '000102030405060708090A0B0C0D0E0F';
+    const keyBytes = openpgp.util.hex_to_Uint8Array(K);
+
+    var vectors = [
+      // From https://tools.ietf.org/html/rfc7253#appendix-A
+      {
+        N: 'BBAA99887766554433221100',
+        A: '',
+        P: '',
+        C: '785407BFFFC8AD9EDCC5520AC9111EE6'
+      },
+      {
+        N: 'BBAA99887766554433221101',
+        A: '0001020304050607',
+        P: '0001020304050607',
+        C: '6820B3657B6F615A5725BDA0D3B4EB3A257C9AF1F8F03009'
+      },
+      {
+        N: 'BBAA99887766554433221102',
+        A: '0001020304050607',
+        P: '',
+        C: '81017F8203F081277152FADE694A0A00'
+      },
+      {
+        N: 'BBAA99887766554433221103',
+        A: '',
+        P: '0001020304050607',
+        C: '45DD69F8F5AAE72414054CD1F35D82760B2CD00D2F99BFA9'
+      },
+      {
+        N: 'BBAA99887766554433221104',
+        A: '000102030405060708090A0B0C0D0E0F',
+        P: '000102030405060708090A0B0C0D0E0F',
+        C: '571D535B60B277188BE5147170A9A22C3AD7A4FF3835B8C5701C1CCEC8FC3358'
+      },
+      {
+        N: 'BBAA99887766554433221105',
+        A: '000102030405060708090A0B0C0D0E0F',
+        P: '',
+        C: '8CF761B6902EF764462AD86498CA6B97'
+      },
+      {
+        N: 'BBAA99887766554433221106',
+        A: '',
+        P: '000102030405060708090A0B0C0D0E0F',
+        C: '5CE88EC2E0692706A915C00AEB8B2396F40E1C743F52436BDF06D8FA1ECA343D'
+      },
+      {
+        N: 'BBAA99887766554433221107',
+        A: '000102030405060708090A0B0C0D0E0F1011121314151617',
+        P: '000102030405060708090A0B0C0D0E0F1011121314151617',
+        C: '1CA2207308C87C010756104D8840CE1952F09673A448A122C92C62241051F57356D7F3C90BB0E07F'
+      },
+      {
+        N: 'BBAA99887766554433221108',
+        A: '000102030405060708090A0B0C0D0E0F1011121314151617',
+        P: '',
+        C: '6DC225A071FC1B9F7C69F93B0F1E10DE'
+      },
+      {
+        N: 'BBAA99887766554433221109',
+        A: '',
+        P: '000102030405060708090A0B0C0D0E0F1011121314151617',
+        C: '221BD0DE7FA6FE993ECCD769460A0AF2D6CDED0C395B1C3CE725F32494B9F914D85C0B1EB38357FF'
+      },
+      {
+        N: 'BBAA9988776655443322110A',
+        A: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F',
+        P: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F',
+        C: 'BD6F6C496201C69296C11EFD138A467ABD3C707924B964DEAFFC40319AF5A48540FBBA186C5553C68AD9F592A79A4240'
+      },
+      {
+        N: 'BBAA9988776655443322110B',
+        A: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F',
+        P: '',
+        C: 'FE80690BEE8A485D11F32965BC9D2A32'
+      },
+      {
+        N: 'BBAA9988776655443322110C',
+        A: '',
+        P: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F',
+        C: '2942BFC773BDA23CABC6ACFD9BFD5835BD300F0973792EF46040C53F1432BCDFB5E1DDE3BC18A5F840B52E653444D5DF'
+      },
+      {
+        N: 'BBAA9988776655443322110D',
+        A: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627',
+        P: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627',
+        C: 'D5CA91748410C1751FF8A2F618255B68A0A12E093FF454606E59F9C1D0DDC54B65E8628E568BAD7AED07BA06A4A69483A7035490C5769E60'
+      },
+      {
+        N: 'BBAA9988776655443322110E',
+        A: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627',
+        P: '',
+        C: 'C5CD9D1850C141E358649994EE701B68'
+      },
+      {
+        N: 'BBAA9988776655443322110F',
+        A: '',
+        P: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627',
+        C: '4412923493C57D5DE0D700F753CCE0D1D2D95060122E9F15A5DDBFC5787E50B5CC55EE507BCB084E479AD363AC366B95A98CA5F3000B1479'
+      }
+    ];
+
+    const cipher = 'aes128';
+
+    for(const [i, vec] of vectors.entries()) {
+      const msgBytes = openpgp.util.hex_to_Uint8Array(vec.P),
+        nonceBytes = openpgp.util.hex_to_Uint8Array(vec.N),
+        headerBytes = openpgp.util.hex_to_Uint8Array(vec.A),
+        ctBytes = openpgp.util.hex_to_Uint8Array(vec.C);
+
+      // encryption test
+      let ct = await ocb.encrypt(cipher, msgBytes, keyBytes, nonceBytes, headerBytes);
+      expect(openpgp.util.Uint8Array_to_hex(ct)).to.equal(vec.C.toLowerCase());
+
+      // decryption test with verification
+      let pt = await ocb.decrypt(cipher, ctBytes, keyBytes, nonceBytes, headerBytes);
+      expect(openpgp.util.Uint8Array_to_hex(pt)).to.equal(vec.P.toLowerCase());
+
+      // tampering detection test
+      ct = await ocb.encrypt(cipher, msgBytes, keyBytes, nonceBytes, headerBytes);
+      ct[2] ^= 8;
+      pt = ocb.decrypt(cipher, ct, keyBytes, nonceBytes, headerBytes);
+      await expect(pt).to.eventually.be.rejectedWith('Authentication tag mismatch in OCB ciphertext')
+
+      // testing without additional data
+      ct = await ocb.encrypt(cipher, msgBytes, keyBytes, nonceBytes, new Uint8Array());
+      pt = await ocb.decrypt(cipher, ct, keyBytes, nonceBytes, new Uint8Array());
+      expect(openpgp.util.Uint8Array_to_hex(pt)).to.equal(vec.P.toLowerCase());
+
+      // testing with multiple additional data
+      ct = await ocb.encrypt(cipher, msgBytes, keyBytes, nonceBytes, openpgp.util.concatUint8Array([headerBytes, headerBytes, headerBytes]));
+      pt = await ocb.decrypt(cipher, ct, keyBytes, nonceBytes, openpgp.util.concatUint8Array([headerBytes, headerBytes, headerBytes]));
+      expect(openpgp.util.Uint8Array_to_hex(pt)).to.equal(vec.P.toLowerCase());
+    }
+  });
+});