/src/botan/src/lib/modes/aead/ccm/ccm.cpp

Source (jump to first uncovered line)
/*
* CCM Mode Encryption
* (C) 2013,2018 Jack Lloyd
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/ccm.h>
#include <botan/loadstor.h>

namespace Botan {

// 128-bit cipher is intrinsic to CCM definition
static const size_t CCM_BS = 16;

/*
* CCM_Mode Constructor
*/
CCM_Mode::CCM_Mode(BlockCipher* cipher, size_t tag_size, size_t L) :
   m_tag_size(tag_size),
   m_L(L),
   m_cipher(cipher)
   {
   if(m_cipher->block_size() != CCM_BS)
      throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");

   if(L < 2 || L > 8)
      throw Invalid_Argument("Invalid CCM L value " + std::to_string(L));

   if(tag_size < 4 || tag_size > 16 || tag_size % 2 != 0)
      throw Invalid_Argument("invalid CCM tag length " + std::to_string(tag_size));
   }

void CCM_Mode::clear()
   {
   m_cipher->clear();
   reset();
   }

void CCM_Mode::reset()
   {
   m_nonce.clear();
   m_msg_buf.clear();
   m_ad_buf.clear();
   }

std::string CCM_Mode::name() const
   {
   return (m_cipher->name() + "/CCM(" + std::to_string(tag_size()) + "," + std::to_string(L())) + ")";
   }

bool CCM_Mode::valid_nonce_length(size_t n) const
   {
   return (n == (15-L()));
   }

size_t CCM_Mode::default_nonce_length() const
   {
   return (15-L());
   }

size_t CCM_Mode::update_granularity() const
   {
   /*
   This value does not particularly matter as regardless CCM_Mode::update
   buffers all input, so in theory this could be 1. However as for instance
   Transform_Filter creates update_granularity() uint8_t buffers, use a
   somewhat large size to avoid bouncing on a tiny buffer.
   */
   return m_cipher->parallel_bytes();
   }

Key_Length_Specification CCM_Mode::key_spec() const
   {
   return m_cipher->key_spec();
   }

void CCM_Mode::key_schedule(const uint8_t key[], size_t length)
   {
   m_cipher->set_key(key, length);
   }

void CCM_Mode::set_associated_data(const uint8_t ad[], size_t length)
   {
   m_ad_buf.clear();

   if(length)
      {
      // FIXME: support larger AD using length encoding rules
      BOTAN_ARG_CHECK(length < (0xFFFF - 0xFF), "Supported CCM AD length");

      m_ad_buf.push_back(get_byte(0, static_cast<uint16_t>(length)));
      m_ad_buf.push_back(get_byte(1, static_cast<uint16_t>(length)));
      m_ad_buf += std::make_pair(ad, length);
      while(m_ad_buf.size() % CCM_BS)
         m_ad_buf.push_back(0); // pad with zeros to full block size
      }
   }

void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
   {
   if(!valid_nonce_length(nonce_len))
      throw Invalid_IV_Length(name(), nonce_len);

   m_nonce.assign(nonce, nonce + nonce_len);
   m_msg_buf.clear();
   }

size_t CCM_Mode::process(uint8_t buf[], size_t sz)
   {
   BOTAN_STATE_CHECK(m_nonce.size() > 0);
   m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
   return 0; // no output until finished
   }

void CCM_Mode::encode_length(uint64_t len, uint8_t out[])
   {
   const size_t len_bytes = L();

   BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);

   for(size_t i = 0; i != len_bytes; ++i)
      out[len_bytes-1-i] = get_byte(sizeof(uint64_t)-1-i, len);

   if(len_bytes < 8 && (len >> (len_bytes*8)) > 0)
      throw Encoding_Error("CCM message length too long to encode in L field");
   }

void CCM_Mode::inc(secure_vector<uint8_t>& C)
   {
   for(size_t i = 0; i != C.size(); ++i)
      if(++C[C.size()-i-1])
         break;
   }

secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz)
   {
   if(m_nonce.size() != 15-L())
      throw Invalid_State("CCM mode must set nonce");
   secure_vector<uint8_t> B0(CCM_BS);

   const uint8_t b_flags =
      static_cast<uint8_t>((m_ad_buf.size() ? 64 : 0) + (((tag_size()/2)-1) << 3) + (L()-1));

   B0[0] = b_flags;
   copy_mem(&B0[1], m_nonce.data(), m_nonce.size());
   encode_length(sz, &B0[m_nonce.size()+1]);

   return B0;
   }

secure_vector<uint8_t> CCM_Mode::format_c0()
   {
   if(m_nonce.size() != 15-L())
      throw Invalid_State("CCM mode must set nonce");
   secure_vector<uint8_t> C(CCM_BS);

   const uint8_t a_flags = static_cast<uint8_t>(L() - 1);

   C[0] = a_flags;
   copy_mem(&C[1], m_nonce.data(), m_nonce.size());

   return C;
   }

void CCM_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
   {
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is sane");

   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());

   const size_t sz = buffer.size() - offset;
   uint8_t* buf = buffer.data() + offset;

   const secure_vector<uint8_t>& ad = ad_buf();
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");

   const BlockCipher& E = cipher();

   secure_vector<uint8_t> T(CCM_BS);
   E.encrypt(format_b0(sz), T);

   for(size_t i = 0; i != ad.size(); i += CCM_BS)
      {
      xor_buf(T.data(), &ad[i], CCM_BS);
      E.encrypt(T);
      }

   secure_vector<uint8_t> C = format_c0();
   secure_vector<uint8_t> S0(CCM_BS);
   E.encrypt(C, S0);
   inc(C);

   secure_vector<uint8_t> X(CCM_BS);

   const uint8_t* buf_end = &buf[sz];

   while(buf != buf_end)
      {
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);

      xor_buf(T.data(), buf, to_proc);
      E.encrypt(T);

      E.encrypt(C, X);
      xor_buf(buf, X.data(), to_proc);
      inc(C);

      buf += to_proc;
      }

   T ^= S0;

   buffer += std::make_pair(T.data(), tag_size());

   reset();
   }

void CCM_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
   {
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is sane");

   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());

   const size_t sz = buffer.size() - offset;
   uint8_t* buf = buffer.data() + offset;

   BOTAN_ASSERT(sz >= tag_size(), "We have the tag");

   const secure_vector<uint8_t>& ad = ad_buf();
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");

   const BlockCipher& E = cipher();

   secure_vector<uint8_t> T(CCM_BS);
   E.encrypt(format_b0(sz - tag_size()), T);

   for(size_t i = 0; i != ad.size(); i += CCM_BS)
      {
      xor_buf(T.data(), &ad[i], CCM_BS);
      E.encrypt(T);
      }

   secure_vector<uint8_t> C = format_c0();

   secure_vector<uint8_t> S0(CCM_BS);
   E.encrypt(C, S0);
   inc(C);

   secure_vector<uint8_t> X(CCM_BS);

   const uint8_t* buf_end = &buf[sz - tag_size()];

   while(buf != buf_end)
      {
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);

      E.encrypt(C, X);
      xor_buf(buf, X.data(), to_proc);
      inc(C);

      xor_buf(T.data(), buf, to_proc);
      E.encrypt(T);

      buf += to_proc;
      }

   T ^= S0;

   if(!constant_time_compare(T.data(), buf_end, tag_size()))
      throw Invalid_Authentication_Tag("CCM tag check failed");

   buffer.resize(buffer.size() - tag_size());

   reset();
   }

}

Coverage Report

Created: 2020-05-23 13:54

Line	Count	Source (jump to first uncovered line)
1		/*
2		* CCM Mode Encryption
3		* (C) 2013,2018 Jack Lloyd
4		* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5		*
6		* Botan is released under the Simplified BSD License (see license.txt)
7		*/
8
9		#include <botan/ccm.h>
10		#include <botan/loadstor.h>
11
12		namespace Botan {
13
14		// 128-bit cipher is intrinsic to CCM definition
15		static const size_t CCM_BS = 16;
16
17		/*
18		* CCM_Mode Constructor
19		*/
20		CCM_Mode::CCM_Mode(BlockCipher* cipher, size_t tag_size, size_t L) :
21		m_tag_size(tag_size),
22		m_L(L),
23		m_cipher(cipher)
24	282	{
25	282	if(m_cipher->block_size() != CCM_BS)
26	0	throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");
27	282
28	282	if(L < 2 \|\| L > 8)
29	0	throw Invalid_Argument("Invalid CCM L value " + std::to_string(L));
30	282
31	282	if(tag_size < 4 \|\| tag_size > 16 \|\| tag_size % 2 != 0)
32	0	throw Invalid_Argument("invalid CCM tag length " + std::to_string(tag_size));
33	282	}
34
35		void CCM_Mode::clear()
36	0	{
37	0	m_cipher->clear();
38	0	reset();
39	0	}
40
41		void CCM_Mode::reset()
42	247	{
43	247	m_nonce.clear();
44	247	m_msg_buf.clear();
45	247	m_ad_buf.clear();
46	247	}
47
48		std::string CCM_Mode::name() const
49	0	{
50	0	return (m_cipher->name() + "/CCM(" + std::to_string(tag_size()) + "," + std::to_string(L())) + ")";
51	0	}
52
53		bool CCM_Mode::valid_nonce_length(size_t n) const
54	347	{
55	347	return (n == (15-L()));
56	347	}
57
58		size_t CCM_Mode::default_nonce_length() const
59	0	{
60	0	return (15-L());
61	0	}
62
63		size_t CCM_Mode::update_granularity() const
64	0	{
65	0	/*
66	0	This value does not particularly matter as regardless CCM_Mode::update
67	0	buffers all input, so in theory this could be 1. However as for instance
68	0	Transform_Filter creates update_granularity() uint8_t buffers, use a
69	0	somewhat large size to avoid bouncing on a tiny buffer.
70	0	*/
71	0	return m_cipher->parallel_bytes();
72	0	}
73
74		Key_Length_Specification CCM_Mode::key_spec() const
75	282	{
76	282	return m_cipher->key_spec();
77	282	}
78
79		void CCM_Mode::key_schedule(const uint8_t key[], size_t length)
80	282	{
81	282	m_cipher->set_key(key, length);
82	282	}
83
84		void CCM_Mode::set_associated_data(const uint8_t ad[], size_t length)
85	347	{
86	347	m_ad_buf.clear();
87	347
88	347	if(length)
89	347	{
90	347	// FIXME: support larger AD using length encoding rules
91	347	BOTAN_ARG_CHECK(length < (0xFFFF - 0xFF), "Supported CCM AD length");
92	347
93	347	m_ad_buf.push_back(get_byte(0, static_cast<uint16_t>(length)));
94	347	m_ad_buf.push_back(get_byte(1, static_cast<uint16_t>(length)));
95	347	m_ad_buf += std::make_pair(ad, length);
96	694	while(m_ad_buf.size() % CCM_BS)
97	347	m_ad_buf.push_back(0); // pad with zeros to full block size
98	347	}
99	347	}
100
101		void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
102	347	{
103	347	if(!valid_nonce_length(nonce_len))
104	0	throw Invalid_IV_Length(name(), nonce_len);
105	347
106	347	m_nonce.assign(nonce, nonce + nonce_len);
107	347	m_msg_buf.clear();
108	347	}
109
110		size_t CCM_Mode::process(uint8_t buf[], size_t sz)
111	0	{
112	0	BOTAN_STATE_CHECK(m_nonce.size() > 0);
113	0	m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
114	0	return 0; // no output until finished
115	0	}
116
117		void CCM_Mode::encode_length(uint64_t len, uint8_t out[])
118	347	{
119	347	const size_t len_bytes = L();
120	347
121	347	BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);
122	347
123	1.38k	for(size_t i = 0; i != len_bytes; ++i)
124	1.04k	out[len_bytes-1-i] = get_byte(sizeof(uint64_t)-1-i, len);
125	347
126	347	if(len_bytes < 8 && (len >> (len_bytes*8)) > 0)
127	0	throw Encoding_Error("CCM message length too long to encode in L field");
128	347	}
129
130		void CCM_Mode::inc(secure_vector<uint8_t>& C)
131	6.64k	{
132	6.65k	for(size_t i = 0; i != C.size(); ++i)
133	6.65k	if(++C[C.size()-i-1])
134	6.64k	break;
135	6.64k	}
136
137		secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz)
138	347	{
139	347	if(m_nonce.size() != 15-L())
140	0	throw Invalid_State("CCM mode must set nonce");
141	347	secure_vector<uint8_t> B0(CCM_BS);
142	347
143	347	const uint8_t b_flags =
144	347	static_cast<uint8_t>((m_ad_buf.size() ? 64 : 0) + (((tag_size()/2)-1) << 3) + (L()-1));
145	347
146	347	B0[0] = b_flags;
147	347	copy_mem(&B0[1], m_nonce.data(), m_nonce.size());
148	347	encode_length(sz, &B0[m_nonce.size()+1]);
149	347
150	347	return B0;
151	347	}
152
153		secure_vector<uint8_t> CCM_Mode::format_c0()
154	347	{
155	347	if(m_nonce.size() != 15-L())
156	0	throw Invalid_State("CCM mode must set nonce");
157	347	secure_vector<uint8_t> C(CCM_BS);
158	347
159	347	const uint8_t a_flags = static_cast<uint8_t>(L() - 1);
160	347
161	347	C[0] = a_flags;
162	347	copy_mem(&C[1], m_nonce.data(), m_nonce.size());
163	347
164	347	return C;
165	347	}
166
167		void CCM_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
168	247	{
169	247	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is sane");
170	247
171	247	buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
172	247
173	247	const size_t sz = buffer.size() - offset;
174	247	uint8_t* buf = buffer.data() + offset;
175	247
176	247	const secure_vector<uint8_t>& ad = ad_buf();
177	247	BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
178	247
179	247	const BlockCipher& E = cipher();
180	247
181	247	secure_vector<uint8_t> T(CCM_BS);
182	247	E.encrypt(format_b0(sz), T);
183	247
184	494	for(size_t i = 0; i != ad.size(); i += CCM_BS)
185	247	{
186	247	xor_buf(T.data(), &ad[i], CCM_BS);
187	247	E.encrypt(T);
188	247	}
189	247
190	247	secure_vector<uint8_t> C = format_c0();
191	247	secure_vector<uint8_t> S0(CCM_BS);
192	247	E.encrypt(C, S0);
193	247	inc(C);
194	247
195	247	secure_vector<uint8_t> X(CCM_BS);
196	247
197	247	const uint8_t* buf_end = &buf[sz];
198	247
199	494	while(buf != buf_end)
200	247	{
201	247	const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
202	247
203	247	xor_buf(T.data(), buf, to_proc);
204	247	E.encrypt(T);
205	247
206	247	E.encrypt(C, X);
207	247	xor_buf(buf, X.data(), to_proc);
208	247	inc(C);
209	247
210	247	buf += to_proc;
211	247	}
212	247
213	247	T ^= S0;
214	247
215	247	buffer += std::make_pair(T.data(), tag_size());
216	247
217	247	reset();
218	247	}
219
220		void CCM_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
221	100	{
222	100	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is sane");
223	100
224	100	buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
225	100
226	100	const size_t sz = buffer.size() - offset;
227	100	uint8_t* buf = buffer.data() + offset;
228	100
229	100	BOTAN_ASSERT(sz >= tag_size(), "We have the tag");
230	100
231	100	const secure_vector<uint8_t>& ad = ad_buf();
232	100	BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
233	100
234	100	const BlockCipher& E = cipher();
235	100
236	100	secure_vector<uint8_t> T(CCM_BS);
237	100	E.encrypt(format_b0(sz - tag_size()), T);
238	100
239	200	for(size_t i = 0; i != ad.size(); i += CCM_BS)
240	100	{
241	100	xor_buf(T.data(), &ad[i], CCM_BS);
242	100	E.encrypt(T);
243	100	}
244	100
245	100	secure_vector<uint8_t> C = format_c0();
246	100
247	100	secure_vector<uint8_t> S0(CCM_BS);
248	100	E.encrypt(C, S0);
249	100	inc(C);
250	100
251	100	secure_vector<uint8_t> X(CCM_BS);
252	100
253	100	const uint8_t* buf_end = &buf[sz - tag_size()];
254	100
255	6.15k	while(buf != buf_end)
256	6.05k	{
257	6.05k	const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
258	6.05k
259	6.05k	E.encrypt(C, X);
260	6.05k	xor_buf(buf, X.data(), to_proc);
261	6.05k	inc(C);
262	6.05k
263	6.05k	xor_buf(T.data(), buf, to_proc);
264	6.05k	E.encrypt(T);
265	6.05k
266	6.05k	buf += to_proc;
267	6.05k	}
268	100
269	100	T ^= S0;
270	100
271	100	if(!constant_time_compare(T.data(), buf_end, tag_size()))
272	100	throw Invalid_Authentication_Tag("CCM tag check failed");
273	0
274	0	buffer.resize(buffer.size() - tag_size());
275	0
276	0	reset();
277	0	}
278
279		}