/src/botan/src/lib/modes/aead/ccm/ccm.cpp

Source (jump to first uncovered line)
/*
* CCM Mode Encryption
* (C) 2013,2018 Jack Lloyd
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/ccm.h>

#include <botan/internal/ct_utils.h>
#include <botan/internal/fmt.h>
#include <botan/internal/loadstor.h>

namespace Botan {

// 128-bit cipher is intrinsic to CCM definition
static const size_t CCM_BS = 16;

/*
* CCM_Mode Constructor
*/
CCM_Mode::CCM_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size, size_t L) :
      m_tag_size(tag_size), m_L(L), m_cipher(std::move(cipher)) {
   if(m_cipher->block_size() != CCM_BS) {
      throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");
   }

   if(L < 2 || L > 8) {
      throw Invalid_Argument(fmt("Invalid CCM L value {}", L));
   }

   if(tag_size < 4 || tag_size > 16 || tag_size % 2 != 0) {
      throw Invalid_Argument(fmt("Invalid CCM tag length {}", tag_size));
   }
}

void CCM_Mode::clear() {
   m_cipher->clear();
   reset();
}

void CCM_Mode::reset() {
   m_nonce.clear();
   m_msg_buf.clear();
   m_ad_buf.clear();
}

std::string CCM_Mode::name() const {
   return fmt("{}/CCM({},{})", m_cipher->name(), tag_size(), L());
}

bool CCM_Mode::valid_nonce_length(size_t n) const {
   return (n == (15 - L()));
}

size_t CCM_Mode::default_nonce_length() const {
   return (15 - L());
}

size_t CCM_Mode::update_granularity() const {
   return 1;
}

size_t CCM_Mode::ideal_granularity() const {
   // Completely arbitrary
   return m_cipher->parallel_bytes();
}

bool CCM_Mode::requires_entire_message() const {
   return true;
}

Key_Length_Specification CCM_Mode::key_spec() const {
   return m_cipher->key_spec();
}

bool CCM_Mode::has_keying_material() const {
   return m_cipher->has_keying_material();
}

void CCM_Mode::key_schedule(std::span<const uint8_t> key) {
   m_cipher->set_key(key);
}

void CCM_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {
   BOTAN_ARG_CHECK(idx == 0, "CCM: cannot handle non-zero index in set_associated_data_n");

   m_ad_buf.clear();

   if(!ad.empty()) {
      // FIXME: support larger AD using length encoding rules
      BOTAN_ARG_CHECK(ad.size() < (0xFFFF - 0xFF), "Supported CCM AD length");

      m_ad_buf.push_back(get_byte<0>(static_cast<uint16_t>(ad.size())));
      m_ad_buf.push_back(get_byte<1>(static_cast<uint16_t>(ad.size())));
      m_ad_buf.insert(m_ad_buf.end(), ad.begin(), ad.end());
      while(m_ad_buf.size() % CCM_BS) {
         m_ad_buf.push_back(0);  // pad with zeros to full block size
      }
   }
}

void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
   if(!valid_nonce_length(nonce_len)) {
      throw Invalid_IV_Length(name(), nonce_len);
   }

   m_nonce.assign(nonce, nonce + nonce_len);
   m_msg_buf.clear();
}

size_t CCM_Mode::process_msg(uint8_t buf[], size_t sz) {
   BOTAN_STATE_CHECK(!m_nonce.empty());
   m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
   return 0;  // no output until finished
}

void CCM_Mode::encode_length(uint64_t len, uint8_t out[]) {
   const size_t len_bytes = L();

   BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);

   for(size_t i = 0; i != len_bytes; ++i) {
      out[len_bytes - 1 - i] = get_byte_var(sizeof(uint64_t) - 1 - i, len);
   }

   if(len_bytes < 8 && (len >> (len_bytes * 8)) > 0) {
      throw Encoding_Error("CCM message length too long to encode in L field");
   }
}

void CCM_Mode::inc(secure_vector<uint8_t>& C) {
   for(size_t i = 0; i != C.size(); ++i) {
      if(++C[C.size() - i - 1]) {
         break;
      }
   }
}

secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz) {
   if(m_nonce.size() != 15 - L()) {
      throw Invalid_State("CCM mode must set nonce");
   }
   secure_vector<uint8_t> B0(CCM_BS);

   const uint8_t b_flags =
      static_cast<uint8_t>((!m_ad_buf.empty() ? 64 : 0) + (((tag_size() / 2) - 1) << 3) + (L() - 1));

   B0[0] = b_flags;
   copy_mem(&B0[1], m_nonce.data(), m_nonce.size());
   encode_length(sz, &B0[m_nonce.size() + 1]);

   return B0;
}

secure_vector<uint8_t> CCM_Mode::format_c0() {
   if(m_nonce.size() != 15 - L()) {
      throw Invalid_State("CCM mode must set nonce");
   }
   secure_vector<uint8_t> C(CCM_BS);

   const uint8_t a_flags = static_cast<uint8_t>(L() - 1);

   C[0] = a_flags;
   copy_mem(&C[1], m_nonce.data(), m_nonce.size());

   return C;
}

void CCM_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());

   const size_t sz = buffer.size() - offset;
   uint8_t* buf = buffer.data() + offset;

   const secure_vector<uint8_t>& ad = ad_buf();
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");

   const BlockCipher& E = cipher();

   secure_vector<uint8_t> T(CCM_BS);
   E.encrypt(format_b0(sz), T);

   for(size_t i = 0; i != ad.size(); i += CCM_BS) {
      xor_buf(T.data(), &ad[i], CCM_BS);
      E.encrypt(T);
   }

   secure_vector<uint8_t> C = format_c0();
   secure_vector<uint8_t> S0(CCM_BS);
   E.encrypt(C, S0);
   inc(C);

   secure_vector<uint8_t> X(CCM_BS);

   const uint8_t* buf_end = &buf[sz];

   while(buf != buf_end) {
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);

      xor_buf(T.data(), buf, to_proc);
      E.encrypt(T);

      E.encrypt(C, X);
      xor_buf(buf, X.data(), to_proc);
      inc(C);

      buf += to_proc;
   }

   T ^= S0;

   buffer += std::make_pair(T.data(), tag_size());

   reset();
}

void CCM_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());

   const size_t sz = buffer.size() - offset;
   uint8_t* buf = buffer.data() + offset;

   BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");

   const secure_vector<uint8_t>& ad = ad_buf();
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");

   const BlockCipher& E = cipher();

   secure_vector<uint8_t> T(CCM_BS);
   E.encrypt(format_b0(sz - tag_size()), T);

   for(size_t i = 0; i != ad.size(); i += CCM_BS) {
      xor_buf(T.data(), &ad[i], CCM_BS);
      E.encrypt(T);
   }

   secure_vector<uint8_t> C = format_c0();

   secure_vector<uint8_t> S0(CCM_BS);
   E.encrypt(C, S0);
   inc(C);

   secure_vector<uint8_t> X(CCM_BS);

   const uint8_t* buf_end = &buf[sz - tag_size()];

   while(buf != buf_end) {
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);

      E.encrypt(C, X);
      xor_buf(buf, X.data(), to_proc);
      inc(C);

      xor_buf(T.data(), buf, to_proc);
      E.encrypt(T);

      buf += to_proc;
   }

   T ^= S0;

   if(!CT::is_equal(T.data(), buf_end, tag_size()).as_bool()) {
      throw Invalid_Authentication_Tag("CCM tag check failed");
   }

   buffer.resize(buffer.size() - tag_size());

   reset();
}

}  // namespace Botan

Coverage Report

Created: 2024-11-21 07:03

Line	Count	Source (jump to first uncovered line)
1		/*
2		* CCM Mode Encryption
3		* (C) 2013,2018 Jack Lloyd
4		* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5		*
6		* Botan is released under the Simplified BSD License (see license.txt)
7		*/
8
9		#include <botan/internal/ccm.h>
10
11		#include <botan/internal/ct_utils.h>
12		#include <botan/internal/fmt.h>
13		#include <botan/internal/loadstor.h>
14
15		namespace Botan {
16
17		// 128-bit cipher is intrinsic to CCM definition
18		static const size_t CCM_BS = 16;
19
20		/*
21		* CCM_Mode Constructor
22		*/
23		CCM_Mode::CCM_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size, size_t L) :
24	94	m_tag_size(tag_size), m_L(L), m_cipher(std::move(cipher)) {
25	94	if(m_cipher->block_size() != CCM_BS) {
26	0	throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");
27	0	}
28
29	94	if(L < 2 \|\| L > 8) {
30	0	throw Invalid_Argument(fmt("Invalid CCM L value {}", L));
31	0	}
32
33	94	if(tag_size < 4 \|\| tag_size > 16 \|\| tag_size % 2 != 0) {
34	23	throw Invalid_Argument(fmt("Invalid CCM tag length {}", tag_size));
35	23	}
36	94	}
37
38	0	void CCM_Mode::clear() {
39	0	m_cipher->clear();
40	0	reset();
41	0	}
42
43	0	void CCM_Mode::reset() {
44	0	m_nonce.clear();
45	0	m_msg_buf.clear();
46	0	m_ad_buf.clear();
47	0	}
48
49	6	std::string CCM_Mode::name() const {
50	6	return fmt("{}/CCM({},{})", m_cipher->name(), tag_size(), L());
51	6	}
52
53	66	bool CCM_Mode::valid_nonce_length(size_t n) const {
54	66	return (n == (15 - L()));
55	66	}
56
57	0	size_t CCM_Mode::default_nonce_length() const {
58	0	return (15 - L());
59	0	}
60
61	65	size_t CCM_Mode::update_granularity() const {
62	65	return 1;
63	65	}
64
65	0	size_t CCM_Mode::ideal_granularity() const {
66		// Completely arbitrary
67	0	return m_cipher->parallel_bytes();
68	0	}
69
70	0	bool CCM_Mode::requires_entire_message() const {
71	0	return true;
72	0	}
73
74	71	Key_Length_Specification CCM_Mode::key_spec() const {
75	71	return m_cipher->key_spec();
76	71	}
77
78	0	bool CCM_Mode::has_keying_material() const {
79	0	return m_cipher->has_keying_material();
80	0	}
81
82	66	void CCM_Mode::key_schedule(std::span<const uint8_t> key) {
83	66	m_cipher->set_key(key);
84	66	}
85
86	60	void CCM_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {
87	60	BOTAN_ARG_CHECK(idx == 0, "CCM: cannot handle non-zero index in set_associated_data_n");
88
89	60	m_ad_buf.clear();
90
91	60	if(!ad.empty()) {
92		// FIXME: support larger AD using length encoding rules
93	60	BOTAN_ARG_CHECK(ad.size() < (0xFFFF - 0xFF), "Supported CCM AD length");
94
95	60	m_ad_buf.push_back(get_byte<0>(static_cast<uint16_t>(ad.size())));
96	60	m_ad_buf.push_back(get_byte<1>(static_cast<uint16_t>(ad.size())));
97	60	m_ad_buf.insert(m_ad_buf.end(), ad.begin(), ad.end());
98	834	while(m_ad_buf.size() % CCM_BS) {
99	774	m_ad_buf.push_back(0); // pad with zeros to full block size
100	774	}
101	60	}
102	60	}
103
104	66	void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
105	66	if(!valid_nonce_length(nonce_len)) {
106	1	throw Invalid_IV_Length(name(), nonce_len);
107	1	}
108
109	65	m_nonce.assign(nonce, nonce + nonce_len);
110	65	m_msg_buf.clear();
111	65	}
112
113	230	size_t CCM_Mode::process_msg(uint8_t buf[], size_t sz) {
114	230	BOTAN_STATE_CHECK(!m_nonce.empty());
115	230	m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
116	230	return 0; // no output until finished
117	230	}
118
119	65	void CCM_Mode::encode_length(uint64_t len, uint8_t out[]) {
120	65	const size_t len_bytes = L();
121
122	65	BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);
123
124	260	for(size_t i = 0; i != len_bytes; ++i) {
125	195	out[len_bytes - 1 - i] = get_byte_var(sizeof(uint64_t) - 1 - i, len);
126	195	}
127
128	65	if(len_bytes < 8 && (len >> (len_bytes * 8)) > 0) {
129	0	throw Encoding_Error("CCM message length too long to encode in L field");
130	0	}
131	65	}
132
133	126	void CCM_Mode::inc(secure_vector<uint8_t>& C) {
134	126	for(size_t i = 0; i != C.size(); ++i) {
135	126	if(++C[C.size() - i - 1]) {
136	126	break;
137	126	}
138	126	}
139	126	}
140
141	65	secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz) {
142	65	if(m_nonce.size() != 15 - L()) {
143	0	throw Invalid_State("CCM mode must set nonce");
144	0	}
145	65	secure_vector<uint8_t> B0(CCM_BS);
146
147	65	const uint8_t b_flags =
148	65	static_cast<uint8_t>((!m_ad_buf.empty() ? 64 : 0) + (((tag_size() / 2) - 1) << 3) + (L() - 1));
149
150	65	B0[0] = b_flags;
151	65	copy_mem(&B0[1], m_nonce.data(), m_nonce.size());
152	65	encode_length(sz, &B0[m_nonce.size() + 1]);
153
154	65	return B0;
155	65	}
156
157	65	secure_vector<uint8_t> CCM_Mode::format_c0() {
158	65	if(m_nonce.size() != 15 - L()) {
159	0	throw Invalid_State("CCM mode must set nonce");
160	0	}
161	65	secure_vector<uint8_t> C(CCM_BS);
162
163	65	const uint8_t a_flags = static_cast<uint8_t>(L() - 1);
164
165	65	C[0] = a_flags;
166	65	copy_mem(&C[1], m_nonce.data(), m_nonce.size());
167
168	65	return C;
169	65	}
170
171	0	void CCM_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
172	0	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
173
174	0	buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
175
176	0	const size_t sz = buffer.size() - offset;
177	0	uint8_t* buf = buffer.data() + offset;
178
179	0	const secure_vector<uint8_t>& ad = ad_buf();
180	0	BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
181
182	0	const BlockCipher& E = cipher();
183
184	0	secure_vector<uint8_t> T(CCM_BS);
185	0	E.encrypt(format_b0(sz), T);
186
187	0	for(size_t i = 0; i != ad.size(); i += CCM_BS) {
188	0	xor_buf(T.data(), &ad[i], CCM_BS);
189	0	E.encrypt(T);
190	0	}
191
192	0	secure_vector<uint8_t> C = format_c0();
193	0	secure_vector<uint8_t> S0(CCM_BS);
194	0	E.encrypt(C, S0);
195	0	inc(C);
196
197	0	secure_vector<uint8_t> X(CCM_BS);
198
199	0	const uint8_t* buf_end = &buf[sz];
200
201	0	while(buf != buf_end) {
202	0	const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
203
204	0	xor_buf(T.data(), buf, to_proc);
205	0	E.encrypt(T);
206
207	0	E.encrypt(C, X);
208	0	xor_buf(buf, X.data(), to_proc);
209	0	inc(C);
210
211	0	buf += to_proc;
212	0	}
213
214	0	T ^= S0;
215
216	0	buffer += std::make_pair(T.data(), tag_size());
217
218	0	reset();
219	0	}
220
221	65	void CCM_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
222	65	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
223
224	65	buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
225
226	65	const size_t sz = buffer.size() - offset;
227	65	uint8_t* buf = buffer.data() + offset;
228
229	65	BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");
230
231	65	const secure_vector<uint8_t>& ad = ad_buf();
232	65	BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
233
234	65	const BlockCipher& E = cipher();
235
236	65	secure_vector<uint8_t> T(CCM_BS);
237	65	E.encrypt(format_b0(sz - tag_size()), T);
238
239	125	for(size_t i = 0; i != ad.size(); i += CCM_BS) {
240	60	xor_buf(T.data(), &ad[i], CCM_BS);
241	60	E.encrypt(T);
242	60	}
243
244	65	secure_vector<uint8_t> C = format_c0();
245
246	65	secure_vector<uint8_t> S0(CCM_BS);
247	65	E.encrypt(C, S0);
248	65	inc(C);
249
250	65	secure_vector<uint8_t> X(CCM_BS);
251
252	65	const uint8_t* buf_end = &buf[sz - tag_size()];
253
254	126	while(buf != buf_end) {
255	61	const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
256
257	61	E.encrypt(C, X);
258	61	xor_buf(buf, X.data(), to_proc);
259	61	inc(C);
260
261	61	xor_buf(T.data(), buf, to_proc);
262	61	E.encrypt(T);
263
264	61	buf += to_proc;
265	61	}
266
267	65	T ^= S0;
268
269	65	if(!CT::is_equal(T.data(), buf_end, tag_size()).as_bool()) {
270	65	throw Invalid_Authentication_Tag("CCM tag check failed");
271	65	}
272
273	0	buffer.resize(buffer.size() - tag_size());
274
275	0	reset();
276	0	}
277
278		} // namespace Botan