deduplicated code

overheadhunter · overheadhunter · commit f046e5c04e24 · 2017-07-26T23:40:30.000+02:00
diff --git a/src/main/java/org/cryptomator/siv/SivMode.java b/src/main/java/org/cryptomator/siv/SivMode.java
@@ -114,33 +114,16 @@ public byte[] encrypt(SecretKey ctrKey, SecretKey macKey, byte[] plaintext, byte
 	 * @throws IllegalArgumentException if the either of the two keys is of invalid length for the used {@link BlockCipher}.
 	 */
 	public byte[] encrypt(byte[] ctrKey, byte[] macKey, byte[] plaintext, byte[]... associatedData) {
-		final byte[] iv = s2v(macKey, plaintext, associatedData);
-
 		// Check if plaintext length will cause overflows
 		if (plaintext.length > (Integer.MAX_VALUE - 16)) {
 			throw new IllegalArgumentException("Plaintext is too long");
 		}
 
+		assert plaintext.length + 15 < Integer.MAX_VALUE;
 		final int numBlocks = (plaintext.length + 15) / 16;
-
-		// clear out the 31st and 63rd (rightmost) bit:
-		final byte[] ctr = Arrays.copyOf(iv, 16);
-		ctr[8] = (byte) (ctr[8] & 0x7F);
-		ctr[12] = (byte) (ctr[12] & 0x7F);
-		final ByteBuffer ctrBuf = ByteBuffer.wrap(ctr);
-		final long initialCtrVal = ctrBuf.getLong(8);
-
-		final byte[] x = new byte[numBlocks * 16];
-		final BlockCipher cipher = threadLocalCipher.get();
-		cipher.init(true, new KeyParameter(ctrKey));
-		for (int i = 0; i < numBlocks; i++) {
-			final long ctrVal = initialCtrVal + i;
-			ctrBuf.putLong(8, ctrVal);
-			cipher.processBlock(ctrBuf.array(), 0, x, i * 16);
-			cipher.reset();
-		}
-
-		final byte[] ciphertext = xor(plaintext, x);
+		final byte[] iv = s2v(macKey, plaintext, associatedData);
+		final byte[] keystream = generateKeyStream(ctrKey, iv, numBlocks);
+		final byte[] ciphertext = xor(plaintext, keystream);
 
 		// concat IV + ciphertext:
 		final byte[] result = new byte[iv.length + ciphertext.length];
@@ -195,28 +178,11 @@ public byte[] decrypt(byte[] ctrKey, byte[] macKey, byte[] ciphertext, byte[]...
 		final byte[] iv = Arrays.copyOf(ciphertext, 16);
 		final byte[] actualCiphertext = Arrays.copyOfRange(ciphertext, 16, ciphertext.length);
 
-		// will not overflow because actualCiphertext.length == (ciphertext.length - 16)
+		assert actualCiphertext.length == ciphertext.length - 16;
+		assert actualCiphertext.length + 15 < Integer.MAX_VALUE;
 		final int numBlocks = (actualCiphertext.length + 15) / 16;
-
-		// clear out the 31st and 63rd (rightmost) bit:
-		final byte[] ctr = Arrays.copyOf(iv, 16);
-		ctr[8] = (byte) (ctr[8] & 0x7F);
-		ctr[12] = (byte) (ctr[12] & 0x7F);
-		final ByteBuffer ctrBuf = ByteBuffer.wrap(ctr);
-		final long initialCtrVal = ctrBuf.getLong(8);
-
-		final byte[] x = new byte[numBlocks * 16];
-		final BlockCipher cipher = threadLocalCipher.get();
-		cipher.init(true, new KeyParameter(ctrKey));
-		for (int i = 0; i < numBlocks; i++) {
-			final long ctrVal = initialCtrVal + i;
-			ctrBuf.putLong(8, ctrVal);
-			cipher.processBlock(ctrBuf.array(), 0, x, i * 16);
-			cipher.reset();
-		}
-
-		final byte[] plaintext = xor(actualCiphertext, x);
-
+		final byte[] keystream = generateKeyStream(ctrKey, iv, numBlocks);
+		final byte[] plaintext = xor(actualCiphertext, keystream);
 		final byte[] control = s2v(macKey, plaintext, associatedData);
 
 		// time-constant comparison (taken from MessageDigest.isEqual in JDK8)
@@ -233,6 +199,27 @@ public byte[] decrypt(byte[] ctrKey, byte[] macKey, byte[] ciphertext, byte[]...
 		}
 	}
 
+	byte[] generateKeyStream(byte[] ctrKey, byte[] iv, int numBlocks) {
+		final byte[] keystream = new byte[numBlocks * 16];
+
+		// clear out the 31st and 63rd (rightmost) bit:
+		final byte[] ctr = Arrays.copyOf(iv, 16);
+		ctr[8] = (byte) (ctr[8] & 0x7F);
+		ctr[12] = (byte) (ctr[12] & 0x7F);
+		final ByteBuffer ctrBuf = ByteBuffer.wrap(ctr);
+		final long initialCtrVal = ctrBuf.getLong(8);
+
+		final BlockCipher cipher = threadLocalCipher.get();
+		cipher.init(true, new KeyParameter(ctrKey));
+		for (int i = 0; i < numBlocks; i++) {
+			ctrBuf.putLong(8, initialCtrVal + i);
+			cipher.processBlock(ctr, 0, keystream, i * 16);
+			cipher.reset();
+		}
+
+		return keystream;
+	}
+
 	// Visible for testing, throws IllegalArgumentException if key is not accepted by CMac#init(CipherParameters)
 	byte[] s2v(byte[] macKey, byte[] plaintext, byte[]... associatedData) {
 		// Maximum permitted AD length is the block size in bits - 2
diff --git a/src/test/java/org/cryptomator/siv/SivModeTest.java b/src/test/java/org/cryptomator/siv/SivModeTest.java
@@ -23,7 +23,7 @@
 import org.mockito.Mockito;
 
 /**
- * Official RFC 5297 test vector taken from https://tools.ietf.org/html/rfc5297#appendix-A.1
+ * Official RFC 5297 test vector taken from https://tools.ietf.org/html/rfc5297#appendix-A.1 and https://tools.ietf.org/html/rfc5297#appendix-A.2
  */
 public class SivModeTest {
 
@@ -121,6 +121,58 @@ public void testDecryptAssociatedDataLimit() throws UnauthenticCiphertextExcepti
 		new SivMode().decrypt(ctrKey, macKey, plaintext, new byte[127][0]);
 	}
 
+	// CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.1
+	@Test
+	public void testGenerateKeyStream1() {
+		final byte[] ctrKey = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, //
+				(byte) 0xf4, (byte) 0xf5, (byte) 0xf6, (byte) 0xf7, //
+				(byte) 0xf8, (byte) 0xf9, (byte) 0xfa, (byte) 0xfb, //
+				(byte) 0xfc, (byte) 0xfd, (byte) 0xfe, (byte) 0xff};
+
+		final byte[] ctr = {(byte) 0x85, (byte) 0x63, (byte) 0x2d, (byte) 0x07, //
+				(byte) 0xc6, (byte) 0xe8, (byte) 0xf3, (byte) 0x7f, //
+				(byte) 0x15, (byte) 0x0a, (byte) 0xcd, (byte) 0x32, //
+				(byte) 0x0a, (byte) 0x2e, (byte) 0xcc, (byte) 0x93};
+
+		final byte[] expected = {(byte) 0x51, (byte) 0xe2, (byte) 0x18, (byte) 0xd2, //
+				(byte) 0xc5, (byte) 0xa2, (byte) 0xab, (byte) 0x8c, //
+				(byte) 0x43, (byte) 0x45, (byte) 0xc4, (byte) 0xa6, //
+				(byte) 0x23, (byte) 0xb2, (byte) 0xf0, (byte) 0x8f};
+
+		final byte[] result = new SivMode().generateKeyStream(ctrKey, ctr, 1);
+		Assert.assertArrayEquals(expected, result);
+	}
+
+	// CTR-AES https://tools.ietf.org/html/rfc5297#appendix-A.2
+	@Test
+	public void testGenerateKeyStream2() {
+		final byte[] ctrKey = {(byte) 0x40, (byte) 0x41, (byte) 0x42, (byte) 0x43, //
+				(byte) 0x44, (byte) 0x45, (byte) 0x46, (byte) 0x47, //
+				(byte) 0x48, (byte) 0x49, (byte) 0x4a, (byte) 0x4b, //
+				(byte) 0x4c, (byte) 0x4d, (byte) 0x4e, (byte) 0x4f};
+
+		final byte[] ctr = {(byte) 0x7b, (byte) 0xdb, (byte) 0x6e, (byte) 0x3b, //
+				(byte) 0x43, (byte) 0x26, (byte) 0x67, (byte) 0xeb, //
+				(byte) 06, (byte) 0xf4, (byte) 0xd1, (byte) 0x4b, //
+				(byte) 0x7f, (byte) 0x2f, (byte) 0xbd, (byte) 0x0f};
+
+		final byte[] expected = {(byte) 0xbf, (byte) 0xf8, (byte) 0x66, (byte) 0x5c, //
+				(byte) 0xfd, (byte) 0xd7, (byte) 0x33, (byte) 0x63, //
+				(byte) 0x55, (byte) 0x0f, (byte) 0x74, (byte) 0x00, //
+				(byte) 0xe8, (byte) 0xf9, (byte) 0xd3, (byte) 0x76, //
+				(byte) 0xb2, (byte) 0xc9, (byte) 0x08, (byte) 0x8e, //
+				(byte) 0x71, (byte) 0x3b, (byte) 0x86, (byte) 0x17, //
+				(byte) 0xd8, (byte) 0x83, (byte) 0x92, (byte) 0x26, //
+				(byte) 0xd9, (byte) 0xf8, (byte) 0x81, (byte) 0x59, //
+				(byte) 0x9e, (byte) 0x44, (byte) 0xd8, (byte) 0x27, //
+				(byte) 0x23, (byte) 0x49, (byte) 0x49, (byte) 0xbc, //
+				(byte) 0x1b, (byte) 0x12, (byte) 0x34, (byte) 0x8e, //
+				(byte) 0xbc, (byte) 0x19, (byte) 0x5e, (byte) 0xc7};
+
+		final byte[] result = new SivMode().generateKeyStream(ctrKey, ctr, 3);
+		Assert.assertArrayEquals(expected, result);
+	}
+
 	@Test
 	public void testS2v() {
 		final byte[] macKey = {(byte) 0xff, (byte) 0xfe, (byte) 0xfd, (byte) 0xfc, //
