Coverage Report

Created: 2024-11-21 07:03

/src/botan/src/lib/modes/aead/ccm/ccm.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* CCM Mode Encryption
3
* (C) 2013,2018 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/ccm.h>
10
11
#include <botan/internal/ct_utils.h>
12
#include <botan/internal/fmt.h>
13
#include <botan/internal/loadstor.h>
14
15
namespace Botan {
16
17
// 128-bit cipher is intrinsic to CCM definition
18
static const size_t CCM_BS = 16;
19
20
/*
21
* CCM_Mode Constructor
22
*/
23
CCM_Mode::CCM_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size, size_t L) :
24
94
      m_tag_size(tag_size), m_L(L), m_cipher(std::move(cipher)) {
25
94
   if(m_cipher->block_size() != CCM_BS) {
26
0
      throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");
27
0
   }
28
29
94
   if(L < 2 || L > 8) {
30
0
      throw Invalid_Argument(fmt("Invalid CCM L value {}", L));
31
0
   }
32
33
94
   if(tag_size < 4 || tag_size > 16 || tag_size % 2 != 0) {
34
23
      throw Invalid_Argument(fmt("Invalid CCM tag length {}", tag_size));
35
23
   }
36
94
}
37
38
0
void CCM_Mode::clear() {
39
0
   m_cipher->clear();
40
0
   reset();
41
0
}
42
43
0
void CCM_Mode::reset() {
44
0
   m_nonce.clear();
45
0
   m_msg_buf.clear();
46
0
   m_ad_buf.clear();
47
0
}
48
49
6
std::string CCM_Mode::name() const {
50
6
   return fmt("{}/CCM({},{})", m_cipher->name(), tag_size(), L());
51
6
}
52
53
66
bool CCM_Mode::valid_nonce_length(size_t n) const {
54
66
   return (n == (15 - L()));
55
66
}
56
57
0
size_t CCM_Mode::default_nonce_length() const {
58
0
   return (15 - L());
59
0
}
60
61
65
size_t CCM_Mode::update_granularity() const {
62
65
   return 1;
63
65
}
64
65
0
size_t CCM_Mode::ideal_granularity() const {
66
   // Completely arbitrary
67
0
   return m_cipher->parallel_bytes();
68
0
}
69
70
0
bool CCM_Mode::requires_entire_message() const {
71
0
   return true;
72
0
}
73
74
71
Key_Length_Specification CCM_Mode::key_spec() const {
75
71
   return m_cipher->key_spec();
76
71
}
77
78
0
bool CCM_Mode::has_keying_material() const {
79
0
   return m_cipher->has_keying_material();
80
0
}
81
82
66
void CCM_Mode::key_schedule(std::span<const uint8_t> key) {
83
66
   m_cipher->set_key(key);
84
66
}
85
86
60
void CCM_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {
87
60
   BOTAN_ARG_CHECK(idx == 0, "CCM: cannot handle non-zero index in set_associated_data_n");
88
89
60
   m_ad_buf.clear();
90
91
60
   if(!ad.empty()) {
92
      // FIXME: support larger AD using length encoding rules
93
60
      BOTAN_ARG_CHECK(ad.size() < (0xFFFF - 0xFF), "Supported CCM AD length");
94
95
60
      m_ad_buf.push_back(get_byte<0>(static_cast<uint16_t>(ad.size())));
96
60
      m_ad_buf.push_back(get_byte<1>(static_cast<uint16_t>(ad.size())));
97
60
      m_ad_buf.insert(m_ad_buf.end(), ad.begin(), ad.end());
98
834
      while(m_ad_buf.size() % CCM_BS) {
99
774
         m_ad_buf.push_back(0);  // pad with zeros to full block size
100
774
      }
101
60
   }
102
60
}
103
104
66
void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
105
66
   if(!valid_nonce_length(nonce_len)) {
106
1
      throw Invalid_IV_Length(name(), nonce_len);
107
1
   }
108
109
65
   m_nonce.assign(nonce, nonce + nonce_len);
110
65
   m_msg_buf.clear();
111
65
}
112
113
230
size_t CCM_Mode::process_msg(uint8_t buf[], size_t sz) {
114
230
   BOTAN_STATE_CHECK(!m_nonce.empty());
115
230
   m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
116
230
   return 0;  // no output until finished
117
230
}
118
119
65
void CCM_Mode::encode_length(uint64_t len, uint8_t out[]) {
120
65
   const size_t len_bytes = L();
121
122
65
   BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);
123
124
260
   for(size_t i = 0; i != len_bytes; ++i) {
125
195
      out[len_bytes - 1 - i] = get_byte_var(sizeof(uint64_t) - 1 - i, len);
126
195
   }
127
128
65
   if(len_bytes < 8 && (len >> (len_bytes * 8)) > 0) {
129
0
      throw Encoding_Error("CCM message length too long to encode in L field");
130
0
   }
131
65
}
132
133
126
void CCM_Mode::inc(secure_vector<uint8_t>& C) {
134
126
   for(size_t i = 0; i != C.size(); ++i) {
135
126
      if(++C[C.size() - i - 1]) {
136
126
         break;
137
126
      }
138
126
   }
139
126
}
140
141
65
secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz) {
142
65
   if(m_nonce.size() != 15 - L()) {
143
0
      throw Invalid_State("CCM mode must set nonce");
144
0
   }
145
65
   secure_vector<uint8_t> B0(CCM_BS);
146
147
65
   const uint8_t b_flags =
148
65
      static_cast<uint8_t>((!m_ad_buf.empty() ? 64 : 0) + (((tag_size() / 2) - 1) << 3) + (L() - 1));
149
150
65
   B0[0] = b_flags;
151
65
   copy_mem(&B0[1], m_nonce.data(), m_nonce.size());
152
65
   encode_length(sz, &B0[m_nonce.size() + 1]);
153
154
65
   return B0;
155
65
}
156
157
65
secure_vector<uint8_t> CCM_Mode::format_c0() {
158
65
   if(m_nonce.size() != 15 - L()) {
159
0
      throw Invalid_State("CCM mode must set nonce");
160
0
   }
161
65
   secure_vector<uint8_t> C(CCM_BS);
162
163
65
   const uint8_t a_flags = static_cast<uint8_t>(L() - 1);
164
165
65
   C[0] = a_flags;
166
65
   copy_mem(&C[1], m_nonce.data(), m_nonce.size());
167
168
65
   return C;
169
65
}
170
171
0
void CCM_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
172
0
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
173
174
0
   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
175
176
0
   const size_t sz = buffer.size() - offset;
177
0
   uint8_t* buf = buffer.data() + offset;
178
179
0
   const secure_vector<uint8_t>& ad = ad_buf();
180
0
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
181
182
0
   const BlockCipher& E = cipher();
183
184
0
   secure_vector<uint8_t> T(CCM_BS);
185
0
   E.encrypt(format_b0(sz), T);
186
187
0
   for(size_t i = 0; i != ad.size(); i += CCM_BS) {
188
0
      xor_buf(T.data(), &ad[i], CCM_BS);
189
0
      E.encrypt(T);
190
0
   }
191
192
0
   secure_vector<uint8_t> C = format_c0();
193
0
   secure_vector<uint8_t> S0(CCM_BS);
194
0
   E.encrypt(C, S0);
195
0
   inc(C);
196
197
0
   secure_vector<uint8_t> X(CCM_BS);
198
199
0
   const uint8_t* buf_end = &buf[sz];
200
201
0
   while(buf != buf_end) {
202
0
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
203
204
0
      xor_buf(T.data(), buf, to_proc);
205
0
      E.encrypt(T);
206
207
0
      E.encrypt(C, X);
208
0
      xor_buf(buf, X.data(), to_proc);
209
0
      inc(C);
210
211
0
      buf += to_proc;
212
0
   }
213
214
0
   T ^= S0;
215
216
0
   buffer += std::make_pair(T.data(), tag_size());
217
218
0
   reset();
219
0
}
220
221
65
void CCM_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
222
65
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
223
224
65
   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
225
226
65
   const size_t sz = buffer.size() - offset;
227
65
   uint8_t* buf = buffer.data() + offset;
228
229
65
   BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");
230
231
65
   const secure_vector<uint8_t>& ad = ad_buf();
232
65
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
233
234
65
   const BlockCipher& E = cipher();
235
236
65
   secure_vector<uint8_t> T(CCM_BS);
237
65
   E.encrypt(format_b0(sz - tag_size()), T);
238
239
125
   for(size_t i = 0; i != ad.size(); i += CCM_BS) {
240
60
      xor_buf(T.data(), &ad[i], CCM_BS);
241
60
      E.encrypt(T);
242
60
   }
243
244
65
   secure_vector<uint8_t> C = format_c0();
245
246
65
   secure_vector<uint8_t> S0(CCM_BS);
247
65
   E.encrypt(C, S0);
248
65
   inc(C);
249
250
65
   secure_vector<uint8_t> X(CCM_BS);
251
252
65
   const uint8_t* buf_end = &buf[sz - tag_size()];
253
254
126
   while(buf != buf_end) {
255
61
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
256
257
61
      E.encrypt(C, X);
258
61
      xor_buf(buf, X.data(), to_proc);
259
61
      inc(C);
260
261
61
      xor_buf(T.data(), buf, to_proc);
262
61
      E.encrypt(T);
263
264
61
      buf += to_proc;
265
61
   }
266
267
65
   T ^= S0;
268
269
65
   if(!CT::is_equal(T.data(), buf_end, tag_size()).as_bool()) {
270
65
      throw Invalid_Authentication_Tag("CCM tag check failed");
271
65
   }
272
273
0
   buffer.resize(buffer.size() - tag_size());
274
275
0
   reset();
276
0
}
277
278
}  // namespace Botan