Remove OCB v1

demos/timing.c

@@ -1193,7 +1193,7 @@ static void time_macs(void)
 
 static void time_encmacs_(unsigned long MAC_SIZE)
 {
-#if defined(LTC_EAX_MODE) || defined(LTC_OCB_MODE) || defined(LTC_OCB3_MODE) || \
+#if defined(LTC_EAX_MODE) || defined(LTC_OCB3_MODE) || \
    defined(LTC_CCM_MODE) || defined(LTC_GCM_MODE) || defined(LTC_SIV_MODE)
 #if defined(LTC_SIV_MODE)
    unsigned char *aad[4];
@@ -1235,22 +1235,6 @@ static void time_encmacs_(unsigned long MAC_SIZE)
    fprintf(stderr, "EAX \t\t\t%9"PRI64"u\n", t2/(ulong64)(MAC_SIZE*1024));
 #endif
 
-#ifdef LTC_OCB_MODE
-   t2 = -1;
-   for (x = 0; x < 10000; x++) {
-        t_start();
-        t1 = t_read();
-        z = 16;
-        if ((err = ocb_encrypt_authenticate_memory(cipher_idx, key, 16, IV, buf, MAC_SIZE*1024, buf, tag, &z)) != CRYPT_OK) {
-           fprintf(stderr, "\nOCB error... %s\n", error_to_string(err));
-           exit(EXIT_FAILURE);
-        }
-        t1 = t_read() - t1;
-        if (t1 < t2) t2 = t1;
-   }
-   fprintf(stderr, "OCB \t\t\t%9"PRI64"u\n", t2/(ulong64)(MAC_SIZE*1024));
-#endif
-
 #ifdef LTC_OCB3_MODE
    t2 = -1;
    for (x = 0; x < 10000; x++) {

demos/tv_gen.c

@@ -363,75 +363,6 @@ static void eax_gen(void)
 }
 #endif
 
-#ifdef LTC_OCB_MODE
-static void ocb_gen(void)
-{
-   int err, kl, x, y1, z;
-   FILE *out;
-   unsigned char key[MAXBLOCKSIZE], nonce[MAXBLOCKSIZE*2],
-                 plaintext[MAXBLOCKSIZE*2], tag[MAXBLOCKSIZE];
-   unsigned long len;
-
-   OPEN_FILE("ocb_tv.txt", out);
-   fprintf(out, "OCB Test Vectors.  Uses the 00010203...NN-1 pattern for nonce/plaintext/key.  The outputs\n"
-                "are of the form ciphertext,tag for a given NN.  The key for step N>1 is the tag of the previous\n"
-                "step repeated sufficiently.  The nonce is fixed throughout.\n\n");
-
-   for (x = 0; cipher_descriptor[x].name != NULL; x++) {
-      kl = cipher_descriptor[x].block_length;
-
-      /* skip ciphers which do not have 64 or 128 bit block sizes */
-      if (kl != 8 && kl != 16) continue;
-
-      if (cipher_descriptor[x].keysize(&kl) != CRYPT_OK) {
-         kl = cipher_descriptor[x].max_key_length;
-      }
-      fprintf(out, "OCB-%s (%d byte key)\n", cipher_descriptor[x].name, kl);
-
-      /* the key */
-      for (z = 0; z < kl; z++) {
-          key[z] = (z & 255);
-      }
-
-      /* fixed nonce */
-      for (z = 0; z < cipher_descriptor[x].block_length; z++) {
-          nonce[z] = z;
-      }
-
-      for (y1 = 0; y1 <= (int)(cipher_descriptor[x].block_length*2); y1++){
-         for (z = 0; z < y1; z++) {
-            plaintext[z] = (unsigned char)(z & 255);
-         }
-         len = sizeof(tag);
-         if ((err = ocb_encrypt_authenticate_memory(x, key, kl, nonce, plaintext, y1, plaintext, tag, &len)) != CRYPT_OK) {
-            printf("Error OCB'ing: %s\n", error_to_string(err));
-            exit(EXIT_FAILURE);
-         }
-         if (len == 0) {
-            printf("Error OCB'ing: zero length\n");
-            exit(EXIT_FAILURE);
-         }
-         fprintf(out, "%3d: ", y1);
-         for (z = 0; z < y1; z++) {
-            fprintf(out, "%02X", plaintext[z]);
-         }
-         fprintf(out, ", ");
-         for (z = 0; z <(int)len; z++) {
-            fprintf(out, "%02X", tag[z]);
-         }
-         fprintf(out, "\n");
-
-         /* forward the key */
-         for (z = 0; z < kl; z++) {
-             key[z] = tag[z % len];
-         }
-      }
-      fprintf(out, "\n");
-   }
-   fclose(out);
-}
-#endif
-
 #ifdef LTC_OCB3_MODE
 static void ocb3_gen(void)
 {
@@ -817,9 +748,6 @@ int main(int argc, char **argv)
 #ifdef LTC_EAX_MODE
    printf("Generating EAX    vectors..."); fflush(stdout); eax_gen();    printf("done\n");
 #endif
-#ifdef LTC_OCB_MODE
-   printf("Generating OCB    vectors..."); fflush(stdout); ocb_gen();    printf("done\n");
-#endif
 #ifdef LTC_OCB3_MODE
    printf("Generating OCB3   vectors..."); fflush(stdout); ocb3_gen();   printf("done\n");
 #endif

doc/crypt.tex

@@ -1811,127 +1811,18 @@ \chapter{Authenticated Encryption}
 The only difference is eax\_decrypt\_verify\_memory() does not emit a tag.  Instead you pass it a tag as input and it compares it against
 the tag it computed while decrypting the message.  If the tags match then it stores a $1$ in \textit{res}, otherwise it stores a $0$.
 
-\mysection{OCB Modes}
+\mysection{OCB Mode}
 \subsection{Preface}
 
-LibTomCrypt provides support for a mode called OCB in version 1 ''OCB''\footnote{See
-P. Rogaway, M. Bellare, J. Black, T. Krovetz, \textit{OCB: A Block Cipher Mode of Operation for Efficient Authenticated Encryption}.}
-and version 3 ''OCB3''\footnote{See RFC7253, T. Krovetz, P. Rogaway, \textit{The OCB Authenticated-Encryption Algorithm}.}.
+LibTomCrypt provides support for a mode called OCB in version 3
+''OCB3''\footnote{See RFC7253, T. Krovetz, P. Rogaway, \textit{The OCB Authenticated-Encryption Algorithm}.}.
 OCB is an encryption protocol that simultaneously provides authentication.  It is slightly faster to use than EAX mode
 but is less flexible.
 
-Please be aware that all versions of OCB are patented and there are several licensing models provided by P. Rogaway, the patent holder
+All versions of OCB were patented, but have been put into the public domain in 2013 and since then are free to use
 -- see \url{http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm}.
 
-\subsection{OCB}
-\subsubsection{Initialization and processing}
-
-Let's review how to initialize an OCB context.
-
-\index{ocb\_init()}
-\begin{verbatim}
-int ocb_init(          ocb_state *ocb,
-                             int  cipher,
-             const unsigned char *key,
-                   unsigned long  keylen,
-             const unsigned char *nonce);
-\end{verbatim}
-
-This will initialize the \textit{ocb} context using cipher descriptor \textit{cipher}.  It will use a \textit{key} of length \textit{keylen}
-and the random \textit{nonce}.  Note that \textit{nonce} must be a random (public) string the same length as the block ciphers
-block size (e.g. 16 bytes for AES).
-
-This mode has no \textit{Associated Data} like EAX mode does which means you cannot authenticate metadata along with the stream.
-To encrypt or decrypt data use the following.
-
-\index{ocb\_encrypt()} \index{ocb\_decrypt()}
-\begin{verbatim}
-int ocb_encrypt(          ocb_state *ocb,
-                const unsigned char *pt,
-                      unsigned char *ct);
-
-int ocb_decrypt(          ocb_state *ocb,
-                const unsigned char *ct,
-                      unsigned char *pt);
-\end{verbatim}
-
-This will encrypt (or decrypt for the latter) a fixed length of data from \textit{pt} to \textit{ct} (vice versa for the latter).
-They assume that \textit{pt} and \textit{ct} are the same size as the block cipher's block size.  Note that you cannot call
-both functions given a single \textit{ocb} state.  For bi-directional communication you will have to initialize two \textit{ocb}
-states (with different nonces).  Also \textit{pt} and \textit{ct} may point to the same location in memory.
-
-\subsubsection{State Termination}
-
-When you are finished encrypting the message you call the following function to compute the tag.
-
-\index{ocb\_done\_encrypt()}
-\begin{verbatim}
-int ocb_done_encrypt(          ocb_state *ocb,
-                     const unsigned char *pt,
-                           unsigned long  ptlen,
-                           unsigned char *ct,
-                           unsigned char *tag,
-                           unsigned long *taglen);
-\end{verbatim}
-
-This will terminate an encrypt stream \textit{ocb}.  If you have trailing bytes of plaintext that will not complete a block
-you can pass them here.  This will also encrypt the \textit{ptlen} bytes in \textit{pt} and store them in \textit{ct}.  It will also
-store up to \textit{taglen} bytes of the tag into \textit{tag}.
-
-Note that \textit{ptlen} must be less than or equal to the block size of block cipher chosen.  Also note that if you have
-an input message equal to the length of the block size then you pass the data here (not to ocb\_encrypt()) only.
-
-To terminate a decrypt stream and compared the tag you call the following.
-
-\index{ocb\_done\_decrypt()}
-\begin{verbatim}
-int ocb_done_decrypt(          ocb_state *ocb,
-                     const unsigned char *ct,
-                           unsigned long  ctlen,
-                           unsigned char *pt,
-                     const unsigned char *tag,
-                           unsigned long  taglen,
-                                     int *res);
-\end{verbatim}
-Similarly to the previous function you can pass trailing message bytes into this function.  This will compute the
-tag of the message (internally) and then compare it against the \textit{taglen} bytes of \textit{tag} provided.  By default
-\textit{res} is set to zero.  If all \textit{taglen} bytes of \textit{tag} can be verified then \textit{res} is set to one (authenticated
-message).
-
-\subsubsection{Packet Functions}
-To make life simpler the following two functions are provided for memory bound OCB.
-
-%\index{ocb\_encrypt\_authenticate\_memory()}
-\begin{verbatim}
-int ocb_encrypt_authenticate_memory(
-                    int  cipher,
-    const unsigned char *key,    unsigned long keylen,
-    const unsigned char *nonce,
-    const unsigned char *pt,     unsigned long ptlen,
-          unsigned char *ct,
-          unsigned char *tag,    unsigned long *taglen);
-\end{verbatim}
-
-This will OCB encrypt the message \textit{pt} of length \textit{ptlen}, and store the ciphertext in \textit{ct}.  The length \textit{ptlen}
-can be any arbitrary length.
-
-\index{ocb\_decrypt\_verify\_memory()}
-\begin{verbatim}
-int ocb_decrypt_verify_memory(
-                    int  cipher,
-    const unsigned char *key,    unsigned long keylen,
-    const unsigned char *nonce,
-    const unsigned char *ct,     unsigned long ctlen,
-          unsigned char *pt,
-    const unsigned char *tag,    unsigned long taglen,
-          int           *res);
-\end{verbatim}
-
-Similarly, this will OCB decrypt, and compare the internally computed tag against the tag provided. \textit{res} is set
-appropriately to \textit{1} if the tag matches or to \textit{0} if it doesn't match.
-
-\subsection{OCB3}
-\subsubsection{Initialization and processing}
+\subsection{Initialization and processing}
 
 \index{ocb3\_init()}
 \begin{verbatim}
@@ -1948,7 +1839,7 @@ \subsubsection{Initialization and processing}
 
 Note that you can only use ciphers with a block length of 16.
 
-\subsubsection{Additional Authenticated Data}
+\subsection{Additional Authenticated Data}
 
 OCB3 has, in contrary to OCB, the possibility to add "Additional Authenticated Data" (AAD) when performing cryptographic operations.
 
@@ -1977,7 +1868,7 @@ \subsubsection{Additional Authenticated Data}
 both functions given a single \textit{ocb} state.  For bi-directional communication you will have to initialize two \textit{ocb}
 states (with different nonces).  Also \textit{pt} and \textit{ct} may point to the same location in memory.
 
-\subsubsection{State Termination}
+\subsection{State Termination}
 
 \index{ocb3\_encrypt\_last()} \index{ocb3\_decrypt\_last()}
 \begin{verbatim}
@@ -2006,7 +1897,7 @@ \subsubsection{State Termination}
 The \textit{taglen} parameter defines on input the length of the tag to output and will be set to the actual length written, which
 is at most 16 octets.
 
-\subsubsection{Packet Functions}
+\subsection{Packet Functions}
 To make life simpler the following two functions are provided for memory bound OCB3.
 
 \index{ocb3\_encrypt\_authenticate\_memory()}
@@ -10396,7 +10287,6 @@ \subsection{Elliptic Curve Cryptography - $GF(p)$}
 
 These two ECC verify functions have been deprecated in favor of \code{ecc\_verify\_hash\_v2()}.
 Please check Chapter \ref{ecc-verify} for details.
-
 \subsection{PKCS \#1 Padding}
 PKCS \#1 v1.5 padding is so simple that both signature and encryption padding are performed by the same function.  Note: the
 signature padding does \textbf{not} include the ASN.1 padding required.  That is performed by the rsa\_sign\_hash\_ex() function
@@ -10737,7 +10627,6 @@ \subsection{Extended Verification}
                 rsa_key *key);
 \end{verbatim}
 
-
 \clearpage
 \addcontentsline{toc}{chapter}{Index}
 \printindex

libtomcrypt_VS2008.vcproj

@@ -735,54 +735,6 @@
 					>
 				</File>
 			</Filter>
-			<Filter
-				Name="ocb"
-				>
-				<File
-					RelativePath="src\encauth\ocb\ocb_decrypt.c"
-					>
-				</File>
-				<File
-					RelativePath="src\encauth\ocb\ocb_decrypt_verify_memory.c"
-					>
-				</File>
-				<File
-					RelativePath="src\encauth\ocb\ocb_done_decrypt.c"
-					>
-				</File>
-				<File
-					RelativePath="src\encauth\ocb\ocb_done_encrypt.c"
-					>
-				</File>
-				<File
-					RelativePath="src\encauth\ocb\ocb_encrypt.c"
-					>
-				</File>
-				<File
-					RelativePath="src\encauth\ocb\ocb_encrypt_authenticate_memory.c"
-					>
-				</File>
-				<File
-					RelativePath="src\encauth\ocb\ocb_init.c"
-					>
-				</File>
-				<File
-					RelativePath="src\encauth\ocb\ocb_ntz.c"
-					>
-				</File>
-				<File
-					RelativePath="src\encauth\ocb\ocb_shift_xor.c"
-					>
-				</File>
-				<File
-					RelativePath="src\encauth\ocb\ocb_test.c"
-					>
-				</File>
-				<File
-					RelativePath="src\encauth\ocb\s_ocb_done.c"
-					>
-				</File>
-			</Filter>
 			<Filter
 				Name="ocb3"
 				>

makefile.mingw

@@ -56,10 +56,6 @@ src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aa
 src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \
 src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \
 src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \
-src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \
-src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
-src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \
-src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \
 src/encauth/ocb3/ocb3_add_aad.o src/encauth/ocb3/ocb3_decrypt.o src/encauth/ocb3/ocb3_decrypt_last.o \
 src/encauth/ocb3/ocb3_decrypt_verify_memory.o src/encauth/ocb3/ocb3_done.o \
 src/encauth/ocb3/ocb3_encrypt.o src/encauth/ocb3/ocb3_encrypt_authenticate_memory.o \

makefile.msvc

@@ -49,10 +49,6 @@ src/encauth/eax/eax_init.obj src/encauth/eax/eax_test.obj src/encauth/gcm/gcm_ad
 src/encauth/gcm/gcm_add_iv.obj src/encauth/gcm/gcm_done.obj src/encauth/gcm/gcm_gf_mult.obj \
 src/encauth/gcm/gcm_init.obj src/encauth/gcm/gcm_memory.obj src/encauth/gcm/gcm_mult_h.obj \
 src/encauth/gcm/gcm_process.obj src/encauth/gcm/gcm_reset.obj src/encauth/gcm/gcm_test.obj \
-src/encauth/ocb/ocb_decrypt.obj src/encauth/ocb/ocb_decrypt_verify_memory.obj \
-src/encauth/ocb/ocb_done_decrypt.obj src/encauth/ocb/ocb_done_encrypt.obj src/encauth/ocb/ocb_encrypt.obj \
-src/encauth/ocb/ocb_encrypt_authenticate_memory.obj src/encauth/ocb/ocb_init.obj src/encauth/ocb/ocb_ntz.obj \
-src/encauth/ocb/ocb_shift_xor.obj src/encauth/ocb/ocb_test.obj src/encauth/ocb/s_ocb_done.obj \
 src/encauth/ocb3/ocb3_add_aad.obj src/encauth/ocb3/ocb3_decrypt.obj src/encauth/ocb3/ocb3_decrypt_last.obj \
 src/encauth/ocb3/ocb3_decrypt_verify_memory.obj src/encauth/ocb3/ocb3_done.obj \
 src/encauth/ocb3/ocb3_encrypt.obj src/encauth/ocb3/ocb3_encrypt_authenticate_memory.obj \

makefile.unix

@@ -70,10 +70,6 @@ src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aa
 src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \
 src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \
 src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \
-src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \
-src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
-src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \
-src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \
 src/encauth/ocb3/ocb3_add_aad.o src/encauth/ocb3/ocb3_decrypt.o src/encauth/ocb3/ocb3_decrypt_last.o \
 src/encauth/ocb3/ocb3_decrypt_verify_memory.o src/encauth/ocb3/ocb3_done.o \
 src/encauth/ocb3/ocb3_encrypt.o src/encauth/ocb3/ocb3_encrypt_authenticate_memory.o \

makefile_include.mk

@@ -241,10 +241,6 @@ src/encauth/eax/eax_init.o src/encauth/eax/eax_test.o src/encauth/gcm/gcm_add_aa
 src/encauth/gcm/gcm_add_iv.o src/encauth/gcm/gcm_done.o src/encauth/gcm/gcm_gf_mult.o \
 src/encauth/gcm/gcm_init.o src/encauth/gcm/gcm_memory.o src/encauth/gcm/gcm_mult_h.o \
 src/encauth/gcm/gcm_process.o src/encauth/gcm/gcm_reset.o src/encauth/gcm/gcm_test.o \
-src/encauth/ocb/ocb_decrypt.o src/encauth/ocb/ocb_decrypt_verify_memory.o \
-src/encauth/ocb/ocb_done_decrypt.o src/encauth/ocb/ocb_done_encrypt.o src/encauth/ocb/ocb_encrypt.o \
-src/encauth/ocb/ocb_encrypt_authenticate_memory.o src/encauth/ocb/ocb_init.o src/encauth/ocb/ocb_ntz.o \
-src/encauth/ocb/ocb_shift_xor.o src/encauth/ocb/ocb_test.o src/encauth/ocb/s_ocb_done.o \
 src/encauth/ocb3/ocb3_add_aad.o src/encauth/ocb3/ocb3_decrypt.o src/encauth/ocb3/ocb3_decrypt_last.o \
 src/encauth/ocb3/ocb3_decrypt_verify_memory.o src/encauth/ocb3/ocb3_done.o \
 src/encauth/ocb3/ocb3_encrypt.o src/encauth/ocb3/ocb3_encrypt_authenticate_memory.o \