ocb3: properly handle empty AAD

* allow passing "no additional data" to ocb3_decrypt_verify_memory() and
  ocb3_encrypt_authenticate_memory()
* ensure that the caller didn't want to add AAD

Author: sjaeckel

src/encauth/ocb3/ocb3_add_aad.c

@@ -29,9 +29,10 @@ int ocb3_add_aad(ocb3_state *ocb, const unsigned char *aad, unsigned long aadlen
    unsigned long datalen, l;
 
    LTC_ARGCHK(ocb    != NULL);
-   LTC_ARGCHK(aad    != NULL);
+   if (aad == NULL) LTC_ARGCHK(aadlen == 0);
+   if (aadlen == 0) LTC_ARGCHK(aad    == NULL);
 
-   if (aadlen == 0) return CRYPT_OK;
+   if (aad == NULL || aadlen == 0) return CRYPT_OK;
 
    if (ocb->adata_buffer_bytes > 0) {
      l = ocb->block_len - ocb->adata_buffer_bytes;

src/encauth/ocb3/ocb3_decrypt_verify_memory.c

@@ -73,8 +73,10 @@ int ocb3_decrypt_verify_memory(int cipher,
       goto LBL_ERR;
    }
 
-   if ((err = ocb3_add_aad(ocb, adata, adatalen)) != CRYPT_OK) {
-      goto LBL_ERR;
+   if (adata != NULL || adatalen != 0) {
+      if ((err = ocb3_add_aad(ocb, adata, adatalen)) != CRYPT_OK) {
+         goto LBL_ERR;
+      }
    }
 
    if ((err = ocb3_decrypt_last(ocb, ct, ctlen, pt)) != CRYPT_OK) {

src/encauth/ocb3/ocb3_encrypt_authenticate_memory.c

@@ -59,8 +59,10 @@ int ocb3_encrypt_authenticate_memory(int cipher,
       goto LBL_ERR;
    }
 
-   if ((err = ocb3_add_aad(ocb, adata, adatalen)) != CRYPT_OK) {
-      goto LBL_ERR;
+   if (adata != NULL || adatalen != 0) {
+      if ((err = ocb3_add_aad(ocb, adata, adatalen)) != CRYPT_OK) {
+         goto LBL_ERR;
+      }
    }
 
    if ((err = ocb3_encrypt_last(ocb, pt, ptlen, ct)) != CRYPT_OK) {

src/encauth/ocb3/ocb3_test.c

@@ -180,7 +180,7 @@ int ocb3_test(void)
         if ((err = ocb3_encrypt_authenticate_memory(idx,
                                                    key, sizeof(key),
                                                    nonce, sizeof(nonce),
-                                                   tests[x].aad, tests[x].aadlen,
+                                                   tests[x].aadlen != 0 ? tests[x].aad : NULL, tests[x].aadlen,
                                                    tests[x].pt, tests[x].ptlen,
                                                    outct, outtag, &len)) != CRYPT_OK) {
            return err;
@@ -194,9 +194,9 @@ int ocb3_test(void)
         if ((err = ocb3_decrypt_verify_memory(idx,
                                              key, sizeof(key),
                                              nonce, sizeof(nonce),
-                                             tests[x].aad, tests[x].aadlen,
+                                             tests[x].aadlen != 0 ? tests[x].aad : NULL, tests[x].aadlen,
                                              outct, tests[x].ptlen,
-             outct, tests[x].tag, len, &res)) != CRYPT_OK) {
+                                             outct, tests[x].tag, len, &res)) != CRYPT_OK) {
            return err;
         }
         if ((res != 1) || compare_testvector(outct, tests[x].ptlen, tests[x].pt, tests[x].ptlen, "OCB3", x)) {
@@ -212,13 +212,6 @@ int ocb3_test(void)
 
 #endif /* LTC_OCB3_MODE */
 
-/* some comments
-
-   -- it's hard to seek
-   -- hard to stream [you can't emit ciphertext until full block]
-   -- The setup is somewhat complicated...
-*/
-
 /* ref:         $Format:%D$ */
 /* git commit:  $Format:%H$ */
 /* commit time: $Format:%ai$ */