Coverage Report

Created: 2021-02-21 07:20

/src/botan/src/lib/modes/aead/ccm/ccm.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* CCM Mode Encryption
3
* (C) 2013,2018 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/ccm.h>
10
#include <botan/internal/loadstor.h>
11
12
namespace Botan {
13
14
// 128-bit cipher is intrinsic to CCM definition
15
static const size_t CCM_BS = 16;
16
17
/*
18
* CCM_Mode Constructor
19
*/
20
CCM_Mode::CCM_Mode(BlockCipher* cipher, size_t tag_size, size_t L) :
21
   m_tag_size(tag_size),
22
   m_L(L),
23
   m_cipher(cipher)
24
375
   {
25
375
   if(m_cipher->block_size() != CCM_BS)
26
0
      throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");
27
28
375
   if(L < 2 || L > 8)
29
0
      throw Invalid_Argument("Invalid CCM L value " + std::to_string(L));
30
31
375
   if(tag_size < 4 || tag_size > 16 || tag_size % 2 != 0)
32
0
      throw Invalid_Argument("invalid CCM tag length " + std::to_string(tag_size));
33
375
   }
34
35
void CCM_Mode::clear()
36
0
   {
37
0
   m_cipher->clear();
38
0
   reset();
39
0
   }
40
41
void CCM_Mode::reset()
42
290
   {
43
290
   m_nonce.clear();
44
290
   m_msg_buf.clear();
45
290
   m_ad_buf.clear();
46
290
   }
47
48
std::string CCM_Mode::name() const
49
0
   {
50
0
   return (m_cipher->name() + "/CCM(" + std::to_string(tag_size()) + "," + std::to_string(L())) + ")";
51
0
   }
52
53
bool CCM_Mode::valid_nonce_length(size_t n) const
54
395
   {
55
395
   return (n == (15-L()));
56
395
   }
57
58
size_t CCM_Mode::default_nonce_length() const
59
0
   {
60
0
   return (15-L());
61
0
   }
62
63
size_t CCM_Mode::update_granularity() const
64
0
   {
65
   /*
66
   This value does not particularly matter as regardless CCM_Mode::update
67
   buffers all input, so in theory this could be 1. However as for instance
68
   Transform_Filter creates update_granularity() uint8_t buffers, use a
69
   somewhat large size to avoid bouncing on a tiny buffer.
70
   */
71
0
   return m_cipher->parallel_bytes();
72
0
   }
73
74
Key_Length_Specification CCM_Mode::key_spec() const
75
375
   {
76
375
   return m_cipher->key_spec();
77
375
   }
78
79
void CCM_Mode::key_schedule(const uint8_t key[], size_t length)
80
375
   {
81
375
   m_cipher->set_key(key, length);
82
375
   }
83
84
void CCM_Mode::set_associated_data(const uint8_t ad[], size_t length)
85
395
   {
86
395
   m_ad_buf.clear();
87
88
395
   if(length)
89
395
      {
90
      // FIXME: support larger AD using length encoding rules
91
395
      BOTAN_ARG_CHECK(length < (0xFFFF - 0xFF), "Supported CCM AD length");
92
93
395
      m_ad_buf.push_back(get_byte(0, static_cast<uint16_t>(length)));
94
395
      m_ad_buf.push_back(get_byte(1, static_cast<uint16_t>(length)));
95
395
      m_ad_buf += std::make_pair(ad, length);
96
790
      while(m_ad_buf.size() % CCM_BS)
97
395
         m_ad_buf.push_back(0); // pad with zeros to full block size
98
395
      }
99
395
   }
100
101
void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
102
395
   {
103
395
   if(!valid_nonce_length(nonce_len))
104
0
      throw Invalid_IV_Length(name(), nonce_len);
105
106
395
   m_nonce.assign(nonce, nonce + nonce_len);
107
395
   m_msg_buf.clear();
108
395
   }
109
110
size_t CCM_Mode::process(uint8_t buf[], size_t sz)
111
0
   {
112
0
   BOTAN_STATE_CHECK(m_nonce.size() > 0);
113
0
   m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
114
0
   return 0; // no output until finished
115
0
   }
116
117
void CCM_Mode::encode_length(uint64_t len, uint8_t out[])
118
395
   {
119
395
   const size_t len_bytes = L();
120
121
395
   BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);
122
123
1.58k
   for(size_t i = 0; i != len_bytes; ++i)
124
1.18k
      out[len_bytes-1-i] = get_byte(sizeof(uint64_t)-1-i, len);
125
126
395
   if(len_bytes < 8 && (len >> (len_bytes*8)) > 0)
127
0
      throw Encoding_Error("CCM message length too long to encode in L field");
128
395
   }
129
130
void CCM_Mode::inc(secure_vector<uint8_t>& C)
131
6.69k
   {
132
6.70k
   for(size_t i = 0; i != C.size(); ++i)
133
6.70k
      if(++C[C.size()-i-1])
134
6.69k
         break;
135
6.69k
   }
136
137
secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz)
138
395
   {
139
395
   if(m_nonce.size() != 15-L())
140
0
      throw Invalid_State("CCM mode must set nonce");
141
395
   secure_vector<uint8_t> B0(CCM_BS);
142
143
395
   const uint8_t b_flags =
144
395
      static_cast<uint8_t>((m_ad_buf.size() ? 64 : 0) + (((tag_size()/2)-1) << 3) + (L()-1));
145
146
395
   B0[0] = b_flags;
147
395
   copy_mem(&B0[1], m_nonce.data(), m_nonce.size());
148
395
   encode_length(sz, &B0[m_nonce.size()+1]);
149
150
395
   return B0;
151
395
   }
152
153
secure_vector<uint8_t> CCM_Mode::format_c0()
154
395
   {
155
395
   if(m_nonce.size() != 15-L())
156
0
      throw Invalid_State("CCM mode must set nonce");
157
395
   secure_vector<uint8_t> C(CCM_BS);
158
159
395
   const uint8_t a_flags = static_cast<uint8_t>(L() - 1);
160
161
395
   C[0] = a_flags;
162
395
   copy_mem(&C[1], m_nonce.data(), m_nonce.size());
163
164
395
   return C;
165
395
   }
166
167
void CCM_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
168
290
   {
169
290
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is sane");
170
171
290
   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
172
173
290
   const size_t sz = buffer.size() - offset;
174
290
   uint8_t* buf = buffer.data() + offset;
175
176
290
   const secure_vector<uint8_t>& ad = ad_buf();
177
290
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
178
179
290
   const BlockCipher& E = cipher();
180
181
290
   secure_vector<uint8_t> T(CCM_BS);
182
290
   E.encrypt(format_b0(sz), T);
183
184
580
   for(size_t i = 0; i != ad.size(); i += CCM_BS)
185
290
      {
186
290
      xor_buf(T.data(), &ad[i], CCM_BS);
187
290
      E.encrypt(T);
188
290
      }
189
190
290
   secure_vector<uint8_t> C = format_c0();
191
290
   secure_vector<uint8_t> S0(CCM_BS);
192
290
   E.encrypt(C, S0);
193
290
   inc(C);
194
195
290
   secure_vector<uint8_t> X(CCM_BS);
196
197
290
   const uint8_t* buf_end = &buf[sz];
198
199
580
   while(buf != buf_end)
200
290
      {
201
290
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
202
203
290
      xor_buf(T.data(), buf, to_proc);
204
290
      E.encrypt(T);
205
206
290
      E.encrypt(C, X);
207
290
      xor_buf(buf, X.data(), to_proc);
208
290
      inc(C);
209
210
290
      buf += to_proc;
211
290
      }
212
213
290
   T ^= S0;
214
215
290
   buffer += std::make_pair(T.data(), tag_size());
216
217
290
   reset();
218
290
   }
219
220
void CCM_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
221
105
   {
222
105
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is sane");
223
224
105
   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
225
226
105
   const size_t sz = buffer.size() - offset;
227
105
   uint8_t* buf = buffer.data() + offset;
228
229
105
   BOTAN_ASSERT(sz >= tag_size(), "We have the tag");
230
231
105
   const secure_vector<uint8_t>& ad = ad_buf();
232
105
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
233
234
105
   const BlockCipher& E = cipher();
235
236
105
   secure_vector<uint8_t> T(CCM_BS);
237
105
   E.encrypt(format_b0(sz - tag_size()), T);
238
239
210
   for(size_t i = 0; i != ad.size(); i += CCM_BS)
240
105
      {
241
105
      xor_buf(T.data(), &ad[i], CCM_BS);
242
105
      E.encrypt(T);
243
105
      }
244
245
105
   secure_vector<uint8_t> C = format_c0();
246
247
105
   secure_vector<uint8_t> S0(CCM_BS);
248
105
   E.encrypt(C, S0);
249
105
   inc(C);
250
251
105
   secure_vector<uint8_t> X(CCM_BS);
252
253
105
   const uint8_t* buf_end = &buf[sz - tag_size()];
254
255
6.11k
   while(buf != buf_end)
256
6.00k
      {
257
6.00k
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
258
259
6.00k
      E.encrypt(C, X);
260
6.00k
      xor_buf(buf, X.data(), to_proc);
261
6.00k
      inc(C);
262
263
6.00k
      xor_buf(T.data(), buf, to_proc);
264
6.00k
      E.encrypt(T);
265
266
6.00k
      buf += to_proc;
267
6.00k
      }
268
269
105
   T ^= S0;
270
271
105
   if(!constant_time_compare(T.data(), buf_end, tag_size()))
272
105
      throw Invalid_Authentication_Tag("CCM tag check failed");
273
274
0
   buffer.resize(buffer.size() - tag_size());
275
276
0
   reset();
277
0
   }
278
279
}