Coverage Report

Created: 2020-05-23 13:54

/src/botan/src/lib/modes/aead/ccm/ccm.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* CCM Mode Encryption
3
* (C) 2013,2018 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/ccm.h>
10
#include <botan/loadstor.h>
11
12
namespace Botan {
13
14
// 128-bit cipher is intrinsic to CCM definition
15
static const size_t CCM_BS = 16;
16
17
/*
18
* CCM_Mode Constructor
19
*/
20
CCM_Mode::CCM_Mode(BlockCipher* cipher, size_t tag_size, size_t L) :
21
   m_tag_size(tag_size),
22
   m_L(L),
23
   m_cipher(cipher)
24
282
   {
25
282
   if(m_cipher->block_size() != CCM_BS)
26
0
      throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");
27
282
28
282
   if(L < 2 || L > 8)
29
0
      throw Invalid_Argument("Invalid CCM L value " + std::to_string(L));
30
282
31
282
   if(tag_size < 4 || tag_size > 16 || tag_size % 2 != 0)
32
0
      throw Invalid_Argument("invalid CCM tag length " + std::to_string(tag_size));
33
282
   }
34
35
void CCM_Mode::clear()
36
0
   {
37
0
   m_cipher->clear();
38
0
   reset();
39
0
   }
40
41
void CCM_Mode::reset()
42
247
   {
43
247
   m_nonce.clear();
44
247
   m_msg_buf.clear();
45
247
   m_ad_buf.clear();
46
247
   }
47
48
std::string CCM_Mode::name() const
49
0
   {
50
0
   return (m_cipher->name() + "/CCM(" + std::to_string(tag_size()) + "," + std::to_string(L())) + ")";
51
0
   }
52
53
bool CCM_Mode::valid_nonce_length(size_t n) const
54
347
   {
55
347
   return (n == (15-L()));
56
347
   }
57
58
size_t CCM_Mode::default_nonce_length() const
59
0
   {
60
0
   return (15-L());
61
0
   }
62
63
size_t CCM_Mode::update_granularity() const
64
0
   {
65
0
   /*
66
0
   This value does not particularly matter as regardless CCM_Mode::update
67
0
   buffers all input, so in theory this could be 1. However as for instance
68
0
   Transform_Filter creates update_granularity() uint8_t buffers, use a
69
0
   somewhat large size to avoid bouncing on a tiny buffer.
70
0
   */
71
0
   return m_cipher->parallel_bytes();
72
0
   }
73
74
Key_Length_Specification CCM_Mode::key_spec() const
75
282
   {
76
282
   return m_cipher->key_spec();
77
282
   }
78
79
void CCM_Mode::key_schedule(const uint8_t key[], size_t length)
80
282
   {
81
282
   m_cipher->set_key(key, length);
82
282
   }
83
84
void CCM_Mode::set_associated_data(const uint8_t ad[], size_t length)
85
347
   {
86
347
   m_ad_buf.clear();
87
347
88
347
   if(length)
89
347
      {
90
347
      // FIXME: support larger AD using length encoding rules
91
347
      BOTAN_ARG_CHECK(length < (0xFFFF - 0xFF), "Supported CCM AD length");
92
347
93
347
      m_ad_buf.push_back(get_byte(0, static_cast<uint16_t>(length)));
94
347
      m_ad_buf.push_back(get_byte(1, static_cast<uint16_t>(length)));
95
347
      m_ad_buf += std::make_pair(ad, length);
96
694
      while(m_ad_buf.size() % CCM_BS)
97
347
         m_ad_buf.push_back(0); // pad with zeros to full block size
98
347
      }
99
347
   }
100
101
void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
102
347
   {
103
347
   if(!valid_nonce_length(nonce_len))
104
0
      throw Invalid_IV_Length(name(), nonce_len);
105
347
106
347
   m_nonce.assign(nonce, nonce + nonce_len);
107
347
   m_msg_buf.clear();
108
347
   }
109
110
size_t CCM_Mode::process(uint8_t buf[], size_t sz)
111
0
   {
112
0
   BOTAN_STATE_CHECK(m_nonce.size() > 0);
113
0
   m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
114
0
   return 0; // no output until finished
115
0
   }
116
117
void CCM_Mode::encode_length(uint64_t len, uint8_t out[])
118
347
   {
119
347
   const size_t len_bytes = L();
120
347
121
347
   BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);
122
347
123
1.38k
   for(size_t i = 0; i != len_bytes; ++i)
124
1.04k
      out[len_bytes-1-i] = get_byte(sizeof(uint64_t)-1-i, len);
125
347
126
347
   if(len_bytes < 8 && (len >> (len_bytes*8)) > 0)
127
0
      throw Encoding_Error("CCM message length too long to encode in L field");
128
347
   }
129
130
void CCM_Mode::inc(secure_vector<uint8_t>& C)
131
6.64k
   {
132
6.65k
   for(size_t i = 0; i != C.size(); ++i)
133
6.65k
      if(++C[C.size()-i-1])
134
6.64k
         break;
135
6.64k
   }
136
137
secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz)
138
347
   {
139
347
   if(m_nonce.size() != 15-L())
140
0
      throw Invalid_State("CCM mode must set nonce");
141
347
   secure_vector<uint8_t> B0(CCM_BS);
142
347
143
347
   const uint8_t b_flags =
144
347
      static_cast<uint8_t>((m_ad_buf.size() ? 64 : 0) + (((tag_size()/2)-1) << 3) + (L()-1));
145
347
146
347
   B0[0] = b_flags;
147
347
   copy_mem(&B0[1], m_nonce.data(), m_nonce.size());
148
347
   encode_length(sz, &B0[m_nonce.size()+1]);
149
347
150
347
   return B0;
151
347
   }
152
153
secure_vector<uint8_t> CCM_Mode::format_c0()
154
347
   {
155
347
   if(m_nonce.size() != 15-L())
156
0
      throw Invalid_State("CCM mode must set nonce");
157
347
   secure_vector<uint8_t> C(CCM_BS);
158
347
159
347
   const uint8_t a_flags = static_cast<uint8_t>(L() - 1);
160
347
161
347
   C[0] = a_flags;
162
347
   copy_mem(&C[1], m_nonce.data(), m_nonce.size());
163
347
164
347
   return C;
165
347
   }
166
167
void CCM_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
168
247
   {
169
247
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is sane");
170
247
171
247
   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
172
247
173
247
   const size_t sz = buffer.size() - offset;
174
247
   uint8_t* buf = buffer.data() + offset;
175
247
176
247
   const secure_vector<uint8_t>& ad = ad_buf();
177
247
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
178
247
179
247
   const BlockCipher& E = cipher();
180
247
181
247
   secure_vector<uint8_t> T(CCM_BS);
182
247
   E.encrypt(format_b0(sz), T);
183
247
184
494
   for(size_t i = 0; i != ad.size(); i += CCM_BS)
185
247
      {
186
247
      xor_buf(T.data(), &ad[i], CCM_BS);
187
247
      E.encrypt(T);
188
247
      }
189
247
190
247
   secure_vector<uint8_t> C = format_c0();
191
247
   secure_vector<uint8_t> S0(CCM_BS);
192
247
   E.encrypt(C, S0);
193
247
   inc(C);
194
247
195
247
   secure_vector<uint8_t> X(CCM_BS);
196
247
197
247
   const uint8_t* buf_end = &buf[sz];
198
247
199
494
   while(buf != buf_end)
200
247
      {
201
247
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
202
247
203
247
      xor_buf(T.data(), buf, to_proc);
204
247
      E.encrypt(T);
205
247
206
247
      E.encrypt(C, X);
207
247
      xor_buf(buf, X.data(), to_proc);
208
247
      inc(C);
209
247
210
247
      buf += to_proc;
211
247
      }
212
247
213
247
   T ^= S0;
214
247
215
247
   buffer += std::make_pair(T.data(), tag_size());
216
247
217
247
   reset();
218
247
   }
219
220
void CCM_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
221
100
   {
222
100
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is sane");
223
100
224
100
   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
225
100
226
100
   const size_t sz = buffer.size() - offset;
227
100
   uint8_t* buf = buffer.data() + offset;
228
100
229
100
   BOTAN_ASSERT(sz >= tag_size(), "We have the tag");
230
100
231
100
   const secure_vector<uint8_t>& ad = ad_buf();
232
100
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
233
100
234
100
   const BlockCipher& E = cipher();
235
100
236
100
   secure_vector<uint8_t> T(CCM_BS);
237
100
   E.encrypt(format_b0(sz - tag_size()), T);
238
100
239
200
   for(size_t i = 0; i != ad.size(); i += CCM_BS)
240
100
      {
241
100
      xor_buf(T.data(), &ad[i], CCM_BS);
242
100
      E.encrypt(T);
243
100
      }
244
100
245
100
   secure_vector<uint8_t> C = format_c0();
246
100
247
100
   secure_vector<uint8_t> S0(CCM_BS);
248
100
   E.encrypt(C, S0);
249
100
   inc(C);
250
100
251
100
   secure_vector<uint8_t> X(CCM_BS);
252
100
253
100
   const uint8_t* buf_end = &buf[sz - tag_size()];
254
100
255
6.15k
   while(buf != buf_end)
256
6.05k
      {
257
6.05k
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
258
6.05k
259
6.05k
      E.encrypt(C, X);
260
6.05k
      xor_buf(buf, X.data(), to_proc);
261
6.05k
      inc(C);
262
6.05k
263
6.05k
      xor_buf(T.data(), buf, to_proc);
264
6.05k
      E.encrypt(T);
265
6.05k
266
6.05k
      buf += to_proc;
267
6.05k
      }
268
100
269
100
   T ^= S0;
270
100
271
100
   if(!constant_time_compare(T.data(), buf_end, tag_size()))
272
100
      throw Invalid_Authentication_Tag("CCM tag check failed");
273
0
274
0
   buffer.resize(buffer.size() - tag_size());
275
0
276
0
   reset();
277
0
   }
278
279
}