/src/botan/src/lib/modes/aead/ccm/ccm.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * CCM Mode Encryption |
3 | | * (C) 2013,2018 Jack Lloyd |
4 | | * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/internal/ccm.h> |
10 | | |
11 | | #include <botan/internal/ct_utils.h> |
12 | | #include <botan/internal/fmt.h> |
13 | | #include <botan/internal/loadstor.h> |
14 | | |
15 | | namespace Botan { |
16 | | |
17 | | // 128-bit cipher is intrinsic to CCM definition |
18 | | static const size_t CCM_BS = 16; |
19 | | |
20 | | /* |
21 | | * CCM_Mode Constructor |
22 | | */ |
23 | | CCM_Mode::CCM_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size, size_t L) : |
24 | 94 | m_tag_size(tag_size), m_L(L), m_cipher(std::move(cipher)) { |
25 | 94 | if(m_cipher->block_size() != CCM_BS) { |
26 | 0 | throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode"); |
27 | 0 | } |
28 | | |
29 | 94 | if(L < 2 || L > 8) { |
30 | 0 | throw Invalid_Argument(fmt("Invalid CCM L value {}", L)); |
31 | 0 | } |
32 | | |
33 | 94 | if(tag_size < 4 || tag_size > 16 || tag_size % 2 != 0) { |
34 | 23 | throw Invalid_Argument(fmt("Invalid CCM tag length {}", tag_size)); |
35 | 23 | } |
36 | 94 | } |
37 | | |
38 | 0 | void CCM_Mode::clear() { |
39 | 0 | m_cipher->clear(); |
40 | 0 | reset(); |
41 | 0 | } |
42 | | |
43 | 0 | void CCM_Mode::reset() { |
44 | 0 | m_nonce.clear(); |
45 | 0 | m_msg_buf.clear(); |
46 | 0 | m_ad_buf.clear(); |
47 | 0 | } |
48 | | |
49 | 6 | std::string CCM_Mode::name() const { |
50 | 6 | return fmt("{}/CCM({},{})", m_cipher->name(), tag_size(), L()); |
51 | 6 | } |
52 | | |
53 | 66 | bool CCM_Mode::valid_nonce_length(size_t n) const { |
54 | 66 | return (n == (15 - L())); |
55 | 66 | } |
56 | | |
57 | 0 | size_t CCM_Mode::default_nonce_length() const { |
58 | 0 | return (15 - L()); |
59 | 0 | } |
60 | | |
61 | 65 | size_t CCM_Mode::update_granularity() const { |
62 | 65 | return 1; |
63 | 65 | } |
64 | | |
65 | 0 | size_t CCM_Mode::ideal_granularity() const { |
66 | | // Completely arbitrary |
67 | 0 | return m_cipher->parallel_bytes(); |
68 | 0 | } |
69 | | |
70 | 0 | bool CCM_Mode::requires_entire_message() const { |
71 | 0 | return true; |
72 | 0 | } |
73 | | |
74 | 71 | Key_Length_Specification CCM_Mode::key_spec() const { |
75 | 71 | return m_cipher->key_spec(); |
76 | 71 | } |
77 | | |
78 | 0 | bool CCM_Mode::has_keying_material() const { |
79 | 0 | return m_cipher->has_keying_material(); |
80 | 0 | } |
81 | | |
82 | 66 | void CCM_Mode::key_schedule(std::span<const uint8_t> key) { |
83 | 66 | m_cipher->set_key(key); |
84 | 66 | } |
85 | | |
86 | 60 | void CCM_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) { |
87 | 60 | BOTAN_ARG_CHECK(idx == 0, "CCM: cannot handle non-zero index in set_associated_data_n"); |
88 | | |
89 | 60 | m_ad_buf.clear(); |
90 | | |
91 | 60 | if(!ad.empty()) { |
92 | | // FIXME: support larger AD using length encoding rules |
93 | 60 | BOTAN_ARG_CHECK(ad.size() < (0xFFFF - 0xFF), "Supported CCM AD length"); |
94 | | |
95 | 60 | m_ad_buf.push_back(get_byte<0>(static_cast<uint16_t>(ad.size()))); |
96 | 60 | m_ad_buf.push_back(get_byte<1>(static_cast<uint16_t>(ad.size()))); |
97 | 60 | m_ad_buf.insert(m_ad_buf.end(), ad.begin(), ad.end()); |
98 | 834 | while(m_ad_buf.size() % CCM_BS) { |
99 | 774 | m_ad_buf.push_back(0); // pad with zeros to full block size |
100 | 774 | } |
101 | 60 | } |
102 | 60 | } |
103 | | |
104 | 66 | void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) { |
105 | 66 | if(!valid_nonce_length(nonce_len)) { |
106 | 1 | throw Invalid_IV_Length(name(), nonce_len); |
107 | 1 | } |
108 | | |
109 | 65 | m_nonce.assign(nonce, nonce + nonce_len); |
110 | 65 | m_msg_buf.clear(); |
111 | 65 | } |
112 | | |
113 | 230 | size_t CCM_Mode::process_msg(uint8_t buf[], size_t sz) { |
114 | 230 | BOTAN_STATE_CHECK(!m_nonce.empty()); |
115 | 230 | m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz); |
116 | 230 | return 0; // no output until finished |
117 | 230 | } |
118 | | |
119 | 65 | void CCM_Mode::encode_length(uint64_t len, uint8_t out[]) { |
120 | 65 | const size_t len_bytes = L(); |
121 | | |
122 | 65 | BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8); |
123 | | |
124 | 260 | for(size_t i = 0; i != len_bytes; ++i) { |
125 | 195 | out[len_bytes - 1 - i] = get_byte_var(sizeof(uint64_t) - 1 - i, len); |
126 | 195 | } |
127 | | |
128 | 65 | if(len_bytes < 8 && (len >> (len_bytes * 8)) > 0) { |
129 | 0 | throw Encoding_Error("CCM message length too long to encode in L field"); |
130 | 0 | } |
131 | 65 | } |
132 | | |
133 | 126 | void CCM_Mode::inc(secure_vector<uint8_t>& C) { |
134 | 126 | for(size_t i = 0; i != C.size(); ++i) { |
135 | 126 | if(++C[C.size() - i - 1]) { |
136 | 126 | break; |
137 | 126 | } |
138 | 126 | } |
139 | 126 | } |
140 | | |
141 | 65 | secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz) { |
142 | 65 | if(m_nonce.size() != 15 - L()) { |
143 | 0 | throw Invalid_State("CCM mode must set nonce"); |
144 | 0 | } |
145 | 65 | secure_vector<uint8_t> B0(CCM_BS); |
146 | | |
147 | 65 | const uint8_t b_flags = |
148 | 65 | static_cast<uint8_t>((!m_ad_buf.empty() ? 64 : 0) + (((tag_size() / 2) - 1) << 3) + (L() - 1)); |
149 | | |
150 | 65 | B0[0] = b_flags; |
151 | 65 | copy_mem(&B0[1], m_nonce.data(), m_nonce.size()); |
152 | 65 | encode_length(sz, &B0[m_nonce.size() + 1]); |
153 | | |
154 | 65 | return B0; |
155 | 65 | } |
156 | | |
157 | 65 | secure_vector<uint8_t> CCM_Mode::format_c0() { |
158 | 65 | if(m_nonce.size() != 15 - L()) { |
159 | 0 | throw Invalid_State("CCM mode must set nonce"); |
160 | 0 | } |
161 | 65 | secure_vector<uint8_t> C(CCM_BS); |
162 | | |
163 | 65 | const uint8_t a_flags = static_cast<uint8_t>(L() - 1); |
164 | | |
165 | 65 | C[0] = a_flags; |
166 | 65 | copy_mem(&C[1], m_nonce.data(), m_nonce.size()); |
167 | | |
168 | 65 | return C; |
169 | 65 | } |
170 | | |
171 | 0 | void CCM_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) { |
172 | 0 | BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range"); |
173 | |
|
174 | 0 | buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end()); |
175 | |
|
176 | 0 | const size_t sz = buffer.size() - offset; |
177 | 0 | uint8_t* buf = buffer.data() + offset; |
178 | |
|
179 | 0 | const secure_vector<uint8_t>& ad = ad_buf(); |
180 | 0 | BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple"); |
181 | |
|
182 | 0 | const BlockCipher& E = cipher(); |
183 | |
|
184 | 0 | secure_vector<uint8_t> T(CCM_BS); |
185 | 0 | E.encrypt(format_b0(sz), T); |
186 | |
|
187 | 0 | for(size_t i = 0; i != ad.size(); i += CCM_BS) { |
188 | 0 | xor_buf(T.data(), &ad[i], CCM_BS); |
189 | 0 | E.encrypt(T); |
190 | 0 | } |
191 | |
|
192 | 0 | secure_vector<uint8_t> C = format_c0(); |
193 | 0 | secure_vector<uint8_t> S0(CCM_BS); |
194 | 0 | E.encrypt(C, S0); |
195 | 0 | inc(C); |
196 | |
|
197 | 0 | secure_vector<uint8_t> X(CCM_BS); |
198 | |
|
199 | 0 | const uint8_t* buf_end = &buf[sz]; |
200 | |
|
201 | 0 | while(buf != buf_end) { |
202 | 0 | const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf); |
203 | |
|
204 | 0 | xor_buf(T.data(), buf, to_proc); |
205 | 0 | E.encrypt(T); |
206 | |
|
207 | 0 | E.encrypt(C, X); |
208 | 0 | xor_buf(buf, X.data(), to_proc); |
209 | 0 | inc(C); |
210 | |
|
211 | 0 | buf += to_proc; |
212 | 0 | } |
213 | |
|
214 | 0 | T ^= S0; |
215 | |
|
216 | 0 | buffer += std::make_pair(T.data(), tag_size()); |
217 | |
|
218 | 0 | reset(); |
219 | 0 | } |
220 | | |
221 | 65 | void CCM_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) { |
222 | 65 | BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range"); |
223 | | |
224 | 65 | buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end()); |
225 | | |
226 | 65 | const size_t sz = buffer.size() - offset; |
227 | 65 | uint8_t* buf = buffer.data() + offset; |
228 | | |
229 | 65 | BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag"); |
230 | | |
231 | 65 | const secure_vector<uint8_t>& ad = ad_buf(); |
232 | 65 | BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple"); |
233 | | |
234 | 65 | const BlockCipher& E = cipher(); |
235 | | |
236 | 65 | secure_vector<uint8_t> T(CCM_BS); |
237 | 65 | E.encrypt(format_b0(sz - tag_size()), T); |
238 | | |
239 | 125 | for(size_t i = 0; i != ad.size(); i += CCM_BS) { |
240 | 60 | xor_buf(T.data(), &ad[i], CCM_BS); |
241 | 60 | E.encrypt(T); |
242 | 60 | } |
243 | | |
244 | 65 | secure_vector<uint8_t> C = format_c0(); |
245 | | |
246 | 65 | secure_vector<uint8_t> S0(CCM_BS); |
247 | 65 | E.encrypt(C, S0); |
248 | 65 | inc(C); |
249 | | |
250 | 65 | secure_vector<uint8_t> X(CCM_BS); |
251 | | |
252 | 65 | const uint8_t* buf_end = &buf[sz - tag_size()]; |
253 | | |
254 | 126 | while(buf != buf_end) { |
255 | 61 | const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf); |
256 | | |
257 | 61 | E.encrypt(C, X); |
258 | 61 | xor_buf(buf, X.data(), to_proc); |
259 | 61 | inc(C); |
260 | | |
261 | 61 | xor_buf(T.data(), buf, to_proc); |
262 | 61 | E.encrypt(T); |
263 | | |
264 | 61 | buf += to_proc; |
265 | 61 | } |
266 | | |
267 | 65 | T ^= S0; |
268 | | |
269 | 65 | if(!CT::is_equal(T.data(), buf_end, tag_size()).as_bool()) { |
270 | 65 | throw Invalid_Authentication_Tag("CCM tag check failed"); |
271 | 65 | } |
272 | | |
273 | 0 | buffer.resize(buffer.size() - tag_size()); |
274 | |
|
275 | 0 | reset(); |
276 | 0 | } |
277 | | |
278 | | } // namespace Botan |