Coverage Report

Created: 2020-06-30 13:58

/src/botan/src/lib/modes/aead/ccm/ccm.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* CCM Mode Encryption
3
* (C) 2013,2018 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/ccm.h>
10
#include <botan/loadstor.h>
11
12
namespace Botan {
13
14
// 128-bit cipher is intrinsic to CCM definition
15
static const size_t CCM_BS = 16;
16
17
/*
18
* CCM_Mode Constructor
19
*/
20
CCM_Mode::CCM_Mode(BlockCipher* cipher, size_t tag_size, size_t L) :
21
   m_tag_size(tag_size),
22
   m_L(L),
23
   m_cipher(cipher)
24
309
   {
25
309
   if(m_cipher->block_size() != CCM_BS)
26
0
      throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");
27
309
28
309
   if(L < 2 || L > 8)
29
0
      throw Invalid_Argument("Invalid CCM L value " + std::to_string(L));
30
309
31
309
   if(tag_size < 4 || tag_size > 16 || tag_size % 2 != 0)
32
0
      throw Invalid_Argument("invalid CCM tag length " + std::to_string(tag_size));
33
309
   }
34
35
void CCM_Mode::clear()
36
0
   {
37
0
   m_cipher->clear();
38
0
   reset();
39
0
   }
40
41
void CCM_Mode::reset()
42
266
   {
43
266
   m_nonce.clear();
44
266
   m_msg_buf.clear();
45
266
   m_ad_buf.clear();
46
266
   }
47
48
std::string CCM_Mode::name() const
49
0
   {
50
0
   return (m_cipher->name() + "/CCM(" + std::to_string(tag_size()) + "," + std::to_string(L())) + ")";
51
0
   }
52
53
bool CCM_Mode::valid_nonce_length(size_t n) const
54
372
   {
55
372
   return (n == (15-L()));
56
372
   }
57
58
size_t CCM_Mode::default_nonce_length() const
59
0
   {
60
0
   return (15-L());
61
0
   }
62
63
size_t CCM_Mode::update_granularity() const
64
0
   {
65
0
   /*
66
0
   This value does not particularly matter as regardless CCM_Mode::update
67
0
   buffers all input, so in theory this could be 1. However as for instance
68
0
   Transform_Filter creates update_granularity() uint8_t buffers, use a
69
0
   somewhat large size to avoid bouncing on a tiny buffer.
70
0
   */
71
0
   return m_cipher->parallel_bytes();
72
0
   }
73
74
Key_Length_Specification CCM_Mode::key_spec() const
75
309
   {
76
309
   return m_cipher->key_spec();
77
309
   }
78
79
void CCM_Mode::key_schedule(const uint8_t key[], size_t length)
80
309
   {
81
309
   m_cipher->set_key(key, length);
82
309
   }
83
84
void CCM_Mode::set_associated_data(const uint8_t ad[], size_t length)
85
372
   {
86
372
   m_ad_buf.clear();
87
372
88
372
   if(length)
89
372
      {
90
372
      // FIXME: support larger AD using length encoding rules
91
372
      BOTAN_ARG_CHECK(length < (0xFFFF - 0xFF), "Supported CCM AD length");
92
372
93
372
      m_ad_buf.push_back(get_byte(0, static_cast<uint16_t>(length)));
94
372
      m_ad_buf.push_back(get_byte(1, static_cast<uint16_t>(length)));
95
372
      m_ad_buf += std::make_pair(ad, length);
96
744
      while(m_ad_buf.size() % CCM_BS)
97
372
         m_ad_buf.push_back(0); // pad with zeros to full block size
98
372
      }
99
372
   }
100
101
void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
102
372
   {
103
372
   if(!valid_nonce_length(nonce_len))
104
0
      throw Invalid_IV_Length(name(), nonce_len);
105
372
106
372
   m_nonce.assign(nonce, nonce + nonce_len);
107
372
   m_msg_buf.clear();
108
372
   }
109
110
size_t CCM_Mode::process(uint8_t buf[], size_t sz)
111
0
   {
112
0
   BOTAN_STATE_CHECK(m_nonce.size() > 0);
113
0
   m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
114
0
   return 0; // no output until finished
115
0
   }
116
117
void CCM_Mode::encode_length(uint64_t len, uint8_t out[])
118
372
   {
119
372
   const size_t len_bytes = L();
120
372
121
372
   BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);
122
372
123
1.48k
   for(size_t i = 0; i != len_bytes; ++i)
124
1.11k
      out[len_bytes-1-i] = get_byte(sizeof(uint64_t)-1-i, len);
125
372
126
372
   if(len_bytes < 8 && (len >> (len_bytes*8)) > 0)
127
0
      throw Encoding_Error("CCM message length too long to encode in L field");
128
372
   }
129
130
void CCM_Mode::inc(secure_vector<uint8_t>& C)
131
6.36k
   {
132
6.37k
   for(size_t i = 0; i != C.size(); ++i)
133
6.37k
      if(++C[C.size()-i-1])
134
6.36k
         break;
135
6.36k
   }
136
137
secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz)
138
372
   {
139
372
   if(m_nonce.size() != 15-L())
140
0
      throw Invalid_State("CCM mode must set nonce");
141
372
   secure_vector<uint8_t> B0(CCM_BS);
142
372
143
372
   const uint8_t b_flags =
144
372
      static_cast<uint8_t>((m_ad_buf.size() ? 64 : 0) + (((tag_size()/2)-1) << 3) + (L()-1));
145
372
146
372
   B0[0] = b_flags;
147
372
   copy_mem(&B0[1], m_nonce.data(), m_nonce.size());
148
372
   encode_length(sz, &B0[m_nonce.size()+1]);
149
372
150
372
   return B0;
151
372
   }
152
153
secure_vector<uint8_t> CCM_Mode::format_c0()
154
372
   {
155
372
   if(m_nonce.size() != 15-L())
156
0
      throw Invalid_State("CCM mode must set nonce");
157
372
   secure_vector<uint8_t> C(CCM_BS);
158
372
159
372
   const uint8_t a_flags = static_cast<uint8_t>(L() - 1);
160
372
161
372
   C[0] = a_flags;
162
372
   copy_mem(&C[1], m_nonce.data(), m_nonce.size());
163
372
164
372
   return C;
165
372
   }
166
167
void CCM_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
168
266
   {
169
266
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is sane");
170
266
171
266
   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
172
266
173
266
   const size_t sz = buffer.size() - offset;
174
266
   uint8_t* buf = buffer.data() + offset;
175
266
176
266
   const secure_vector<uint8_t>& ad = ad_buf();
177
266
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
178
266
179
266
   const BlockCipher& E = cipher();
180
266
181
266
   secure_vector<uint8_t> T(CCM_BS);
182
266
   E.encrypt(format_b0(sz), T);
183
266
184
532
   for(size_t i = 0; i != ad.size(); i += CCM_BS)
185
266
      {
186
266
      xor_buf(T.data(), &ad[i], CCM_BS);
187
266
      E.encrypt(T);
188
266
      }
189
266
190
266
   secure_vector<uint8_t> C = format_c0();
191
266
   secure_vector<uint8_t> S0(CCM_BS);
192
266
   E.encrypt(C, S0);
193
266
   inc(C);
194
266
195
266
   secure_vector<uint8_t> X(CCM_BS);
196
266
197
266
   const uint8_t* buf_end = &buf[sz];
198
266
199
532
   while(buf != buf_end)
200
266
      {
201
266
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
202
266
203
266
      xor_buf(T.data(), buf, to_proc);
204
266
      E.encrypt(T);
205
266
206
266
      E.encrypt(C, X);
207
266
      xor_buf(buf, X.data(), to_proc);
208
266
      inc(C);
209
266
210
266
      buf += to_proc;
211
266
      }
212
266
213
266
   T ^= S0;
214
266
215
266
   buffer += std::make_pair(T.data(), tag_size());
216
266
217
266
   reset();
218
266
   }
219
220
void CCM_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
221
106
   {
222
106
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is sane");
223
106
224
106
   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
225
106
226
106
   const size_t sz = buffer.size() - offset;
227
106
   uint8_t* buf = buffer.data() + offset;
228
106
229
106
   BOTAN_ASSERT(sz >= tag_size(), "We have the tag");
230
106
231
106
   const secure_vector<uint8_t>& ad = ad_buf();
232
106
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
233
106
234
106
   const BlockCipher& E = cipher();
235
106
236
106
   secure_vector<uint8_t> T(CCM_BS);
237
106
   E.encrypt(format_b0(sz - tag_size()), T);
238
106
239
212
   for(size_t i = 0; i != ad.size(); i += CCM_BS)
240
106
      {
241
106
      xor_buf(T.data(), &ad[i], CCM_BS);
242
106
      E.encrypt(T);
243
106
      }
244
106
245
106
   secure_vector<uint8_t> C = format_c0();
246
106
247
106
   secure_vector<uint8_t> S0(CCM_BS);
248
106
   E.encrypt(C, S0);
249
106
   inc(C);
250
106
251
106
   secure_vector<uint8_t> X(CCM_BS);
252
106
253
106
   const uint8_t* buf_end = &buf[sz - tag_size()];
254
106
255
5.83k
   while(buf != buf_end)
256
5.72k
      {
257
5.72k
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
258
5.72k
259
5.72k
      E.encrypt(C, X);
260
5.72k
      xor_buf(buf, X.data(), to_proc);
261
5.72k
      inc(C);
262
5.72k
263
5.72k
      xor_buf(T.data(), buf, to_proc);
264
5.72k
      E.encrypt(T);
265
5.72k
266
5.72k
      buf += to_proc;
267
5.72k
      }
268
106
269
106
   T ^= S0;
270
106
271
106
   if(!constant_time_compare(T.data(), buf_end, tag_size()))
272
106
      throw Invalid_Authentication_Tag("CCM tag check failed");
273
0
274
0
   buffer.resize(buffer.size() - tag_size());
275
0
276
0
   reset();
277
0
   }
278
279
}