cipher: Buffer data from gcry_cipher_authenticate in OCB mode.

* cipher/cipher-internal.h (gcry_cipher_handle): Add fields
aad_leftover and aad_nleftover to u_mode.ocb.
* cipher/cipher-ocb.c (_gcry_cipher_ocb_set_nonce): Clear
aad_nleftover.
(_gcry_cipher_ocb_authenticate): Add buffering and facor some code out
to ...
(ocb_aad_finalize): new.
(compute_tag_if_needed): Call new function.
* tests/basic.c (check_ocb_cipher_splitaad): New.
(check_ocb_cipher): Call new function.
(main): Also call check_cipher_modes with --ciper-modes.
--

It is more convenient to not require full blocks for
gcry_cipher_authenticate.  Other modes than OCB do this as well.

Note that the size of the context structure is not increased because
other modes require more context data.

Signed-off-by: Werner Koch <wk@gnupg.org>

1 files changed, 6 insertions, 0 deletions

diff --git a/cipher/cipher-internal.h b/cipher/cipher-internal.h
index 80e7c092..9fd1d91f 100644
--- a/cipher/cipher-internal.h
+++ b/cipher/cipher-internal.h
@@ -274,10 +274,16 @@ struct gcry_cipher_handle
          checksum of the data.  */
       unsigned char aad_sum[OCB_BLOCK_LEN];
 
+      /* A buffer to store AAD data not yet processed.  */
+      unsigned char aad_leftover[OCB_BLOCK_LEN];
+
       /* Number of data/aad blocks processed so far.  */
       u64 data_nblocks;
       u64 aad_nblocks;
 
+      /* Number of valid bytes in AAD_LEFTOVER.  */
+      unsigned char aad_nleftover;
+
       /* Length of the tag.  Fixed for now but may eventually be
          specified using a set of gcry_cipher_flags.  */
       unsigned char taglen;