/src/nettle/ccm.c

Source (jump to first uncovered line)
/* ccm.c

   Counter with CBC-MAC mode, specified by NIST,
   http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf

   Copyright (C) 2014 Exegin Technologies Limited
   Copyright (C) 2014 Owen Kirby

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>
#include <stdlib.h>
#include <string.h>

#include "ccm.h"
#include "ctr.h"

#include "memops.h"
#include "nettle-internal.h"
#include "macros.h"

/*
 * The format of the CCM IV (for both CTR and CBC-MAC) is: flags | nonce | count
 *  flags = 1 octet
 *  nonce = N octets
 *  count >= 1 octet
 *
 * such that:
 *  sizeof(flags) + sizeof(nonce) + sizeof(count) == 1 block
 */
#define CCM_FLAG_L          0x07
#define CCM_FLAG_M          0x38
#define CCM_FLAG_ADATA      0x40
#define CCM_FLAG_RESERVED   0x80
#define CCM_FLAG_GET_L(_x_) (((_x_) & CCM_FLAG_L) + 1)
#define CCM_FLAG_SET_L(_x_) (((_x_) - 1) & CCM_FLAG_L)
#define CCM_FLAG_SET_M(_x_) ((((_x_) - 2) << 2) & CCM_FLAG_M)

#define CCM_OFFSET_FLAGS    0
#define CCM_OFFSET_NONCE    1
#define CCM_L_SIZE(_nlen_)  (CCM_BLOCK_SIZE - CCM_OFFSET_NONCE - (_nlen_))

/*
 * The data input to the CBC-MAC: L(a) | adata | padding | plaintext | padding
 *
 * blength is the length of data that has been added to the CBC-MAC modulus the
 * cipher block size. If the value of blength is non-zero then some data has
 * been XOR'ed into the CBC-MAC, and we will need to pad the block (XOR with 0),
 * and iterate the cipher one more time.
 *
 * The end of adata is detected implicitly by the first call to the encrypt()
 * and decrypt() functions, and will call ccm_pad() to insert the padding if
 * necessary. Because of the underlying CTR encryption, the encrypt() and
 * decrypt() functions must be called with a multiple of the block size and
 * therefore blength should be zero on all but the first call.
 *
 * Likewise, the end of the plaintext is implicitly determined by the first call
 * to the digest() function, which will pad if the final CTR encryption was not
 * a multiple of the block size.
 */
static void
ccm_pad(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f)
{
    if (ctx->blength) f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b);
    ctx->blength = 0;
}

static void
ccm_build_iv(uint8_t *iv, size_t noncelen, const uint8_t *nonce,
       uint8_t flags, size_t count)
{
  unsigned int i;

  /* Sanity check the nonce length. */
  assert(noncelen >= CCM_MIN_NONCE_SIZE);
  assert(noncelen <= CCM_MAX_NONCE_SIZE);

  /* Generate the IV */
  iv[CCM_OFFSET_FLAGS] = flags | CCM_FLAG_SET_L(CCM_L_SIZE(noncelen));
  memcpy(&iv[CCM_OFFSET_NONCE], nonce, noncelen);
  for (i=(CCM_BLOCK_SIZE - 1); i >= (CCM_OFFSET_NONCE + noncelen); i--) {
    iv[i] = count & 0xff;
    count >>= 8;
  }

  /* Ensure the count was not truncated. */
  assert(!count);
}

void
ccm_set_nonce(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
        size_t length, const uint8_t *nonce,
        size_t authlen, size_t msglen, size_t taglen)
{
  /* Generate the IV for the CTR and CBC-MAC */
  ctx->blength = 0;
  ccm_build_iv(ctx->tag.b, length, nonce, CCM_FLAG_SET_M(taglen), msglen);
  ccm_build_iv(ctx->ctr.b, length, nonce, 0, 1);

  /* If no auth data, encrypt B0 and skip L(a) */
  if (!authlen) {
    f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b);
    return;
  }

  /* Encrypt B0 (with the adata flag), and input L(a) to the CBC-MAC. */
  ctx->tag.b[CCM_OFFSET_FLAGS] |= CCM_FLAG_ADATA;
  f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b);
#if SIZEOF_SIZE_T > 4
  if (authlen >= (0x01ULL << 32)) {
    /* Encode L(a) as 0xff || 0xff || <64-bit integer> */
    ctx->tag.b[ctx->blength++] ^= 0xff;
    ctx->tag.b[ctx->blength++] ^= 0xff;
    ctx->tag.b[ctx->blength++] ^= (authlen >> 56) & 0xff;
    ctx->tag.b[ctx->blength++] ^= (authlen >> 48) & 0xff;
    ctx->tag.b[ctx->blength++] ^= (authlen >> 40) & 0xff;
    ctx->tag.b[ctx->blength++] ^= (authlen >> 32) & 0xff;
    ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff;
    ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff;
  }
  else
#endif
    if (authlen >= ((0x1ULL << 16) - (0x1ULL << 8))) {
      /* Encode L(a) as 0xff || 0xfe || <32-bit integer> */
      ctx->tag.b[ctx->blength++] ^= 0xff;
      ctx->tag.b[ctx->blength++] ^= 0xfe;
      ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff;
      ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff;
    }
  ctx->tag.b[ctx->blength++] ^= (authlen >> 8) & 0xff;
  ctx->tag.b[ctx->blength++] ^= (authlen >> 0) & 0xff;
}

void
ccm_update(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
     size_t length, const uint8_t *data)
{
  const uint8_t *end = data + length;

  /* If we don't have enough to fill a block, save the data for later. */
  if ((ctx->blength + length) < CCM_BLOCK_SIZE) {
    memxor(&ctx->tag.b[ctx->blength], data, length);
    ctx->blength += length;
    return;
  }

  /* Process a partially filled block. */
  if (ctx->blength) {
    memxor(&ctx->tag.b[ctx->blength], data, CCM_BLOCK_SIZE - ctx->blength);
    data += (CCM_BLOCK_SIZE - ctx->blength);
    f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b);
  }

  /* Process full blocks. */
  while ((data + CCM_BLOCK_SIZE) < end) {
    memxor(ctx->tag.b, data, CCM_BLOCK_SIZE);
    f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b);
    data += CCM_BLOCK_SIZE;
  } /* while */

  /* Save leftovers for later. */
  ctx->blength = (end - data);
  if (ctx->blength) memxor(&ctx->tag.b, data, ctx->blength);
}

/*
 * Because of the underlying CTR mode encryption, when called multiple times
 * the data in intermediate calls must be provided in multiples of the block
 * size.
 */
void
ccm_encrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
      size_t length, uint8_t *dst, const uint8_t *src)
{
  ccm_pad(ctx, cipher, f);
  ccm_update(ctx, cipher, f, length, src);
  ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src);
}

/*
 * Because of the underlying CTR mode decryption, when called multiple times
 * the data in intermediate calls must be provided in multiples of the block
 * size.
 */
void
ccm_decrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
      size_t length, uint8_t *dst, const uint8_t *src)
{
  ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src);
  ccm_pad(ctx, cipher, f);
  ccm_update(ctx, cipher, f, length, dst);
}

void
ccm_digest(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
     size_t length, uint8_t *digest)
{
  int i = CCM_BLOCK_SIZE - CCM_FLAG_GET_L(ctx->ctr.b[CCM_OFFSET_FLAGS]);
  assert(length <= CCM_BLOCK_SIZE);
  while (i < CCM_BLOCK_SIZE)  ctx->ctr.b[i++] = 0;
  ccm_pad(ctx, cipher, f);
  ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, digest, ctx->tag.b);
}

void
ccm_encrypt_message(const void *cipher, nettle_cipher_func *f,
        size_t nlength, const uint8_t *nonce,
        size_t alength, const uint8_t *adata, size_t tlength,
        size_t clength, uint8_t *dst, const uint8_t *src)
{
  struct ccm_ctx ctx;
  uint8_t *tag = dst + (clength-tlength);
  assert(clength >= tlength);
  ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, clength-tlength, tlength);
  ccm_update(&ctx, cipher, f, alength, adata);
  ccm_encrypt(&ctx, cipher, f, clength-tlength, dst, src);
  ccm_digest(&ctx, cipher, f, tlength, tag);
}

int
ccm_decrypt_message(const void *cipher, nettle_cipher_func *f,
        size_t nlength, const uint8_t *nonce,
        size_t alength, const uint8_t *adata, size_t tlength,
        size_t mlength, uint8_t *dst, const uint8_t *src)
{
  struct ccm_ctx ctx;
  uint8_t tag[CCM_BLOCK_SIZE];
  ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, mlength, tlength);
  ccm_update(&ctx, cipher, f, alength, adata);
  ccm_decrypt(&ctx, cipher, f, mlength, dst, src);
  ccm_digest(&ctx, cipher, f, tlength, tag);
  return memeql_sec(tag, src + mlength, tlength);
}

Coverage Report

Created: 2024-11-25 06:29

Line	Count	Source (jump to first uncovered line)
1		/* ccm.c
2
3		Counter with CBC-MAC mode, specified by NIST,
4		http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
5
6		Copyright (C) 2014 Exegin Technologies Limited
7		Copyright (C) 2014 Owen Kirby
8
9		This file is part of GNU Nettle.
10
11		GNU Nettle is free software: you can redistribute it and/or
12		modify it under the terms of either:
13
14		* the GNU Lesser General Public License as published by the Free
15		Software Foundation; either version 3 of the License, or (at your
16		option) any later version.
17
18		or
19
20		* the GNU General Public License as published by the Free
21		Software Foundation; either version 2 of the License, or (at your
22		option) any later version.
23
24		or both in parallel, as here.
25
26		GNU Nettle is distributed in the hope that it will be useful,
27		but WITHOUT ANY WARRANTY; without even the implied warranty of
28		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
29		General Public License for more details.
30
31		You should have received copies of the GNU General Public License and
32		the GNU Lesser General Public License along with this program. If
33		not, see http://www.gnu.org/licenses/.
34		*/
35
36		#if HAVE_CONFIG_H
37		# include "config.h"
38		#endif
39
40		#include <assert.h>
41		#include <stdlib.h>
42		#include <string.h>
43
44		#include "ccm.h"
45		#include "ctr.h"
46
47		#include "memops.h"
48		#include "nettle-internal.h"
49		#include "macros.h"
50
51		/*
52		* The format of the CCM IV (for both CTR and CBC-MAC) is: flags \| nonce \| count
53		* flags = 1 octet
54		* nonce = N octets
55		* count >= 1 octet
56		*
57		* such that:
58		* sizeof(flags) + sizeof(nonce) + sizeof(count) == 1 block
59		*/
60	360	#define CCM_FLAG_L 0x07
61	120	#define CCM_FLAG_M 0x38
62	120	#define CCM_FLAG_ADATA 0x40
63		#define CCM_FLAG_RESERVED 0x80
64	120	#define CCM_FLAG_GET_L(_x_) (((_x_) & CCM_FLAG_L) + 1)
65	240	#define CCM_FLAG_SET_L(_x_) (((_x_) - 1) & CCM_FLAG_L)
66	120	#define CCM_FLAG_SET_M(_x_) ((((_x_) - 2) << 2) & CCM_FLAG_M)
67
68	360	#define CCM_OFFSET_FLAGS 0
69	1.20k	#define CCM_OFFSET_NONCE 1
70		#define CCM_L_SIZE(_nlen_) (CCM_BLOCK_SIZE - CCM_OFFSET_NONCE - (_nlen_))
71
72		/*
73		* The data input to the CBC-MAC: L(a) \| adata \| padding \| plaintext \| padding
74		*
75		* blength is the length of data that has been added to the CBC-MAC modulus the
76		* cipher block size. If the value of blength is non-zero then some data has
77		* been XOR'ed into the CBC-MAC, and we will need to pad the block (XOR with 0),
78		* and iterate the cipher one more time.
79		*
80		* The end of adata is detected implicitly by the first call to the encrypt()
81		* and decrypt() functions, and will call ccm_pad() to insert the padding if
82		* necessary. Because of the underlying CTR encryption, the encrypt() and
83		* decrypt() functions must be called with a multiple of the block size and
84		* therefore blength should be zero on all but the first call.
85		*
86		* Likewise, the end of the plaintext is implicitly determined by the first call
87		* to the digest() function, which will pad if the final CTR encryption was not
88		* a multiple of the block size.
89		*/
90		static void
91		ccm_pad(struct ccm_ctx ctx, const void cipher, nettle_cipher_func *f)
92	240	{
93	240	if (ctx->blength) f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b);
94	240	ctx->blength = 0;
95	240	}
96
97		static void
98		ccm_build_iv(uint8_t iv, size_t noncelen, const uint8_t nonce,
99		uint8_t flags, size_t count)
100	240	{
101	240	unsigned int i;
102
103		/* Sanity check the nonce length. */
104	240	assert(noncelen >= CCM_MIN_NONCE_SIZE);
105	240	assert(noncelen <= CCM_MAX_NONCE_SIZE);
106
107		/* Generate the IV */
108	240	iv[CCM_OFFSET_FLAGS] = flags \| CCM_FLAG_SET_L(CCM_L_SIZE(noncelen));
109	240	memcpy(&iv[CCM_OFFSET_NONCE], nonce, noncelen);
110	960	for (i=(CCM_BLOCK_SIZE - 1); i >= (CCM_OFFSET_NONCE + noncelen); i--) {
111	720	iv[i] = count & 0xff;
112	720	count >>= 8;
113	720	}
114
115		/* Ensure the count was not truncated. */
116	240	assert(!count);
117	240	}
118
119		void
120		ccm_set_nonce(struct ccm_ctx ctx, const void cipher, nettle_cipher_func *f,
121		size_t length, const uint8_t *nonce,
122		size_t authlen, size_t msglen, size_t taglen)
123	120	{
124		/* Generate the IV for the CTR and CBC-MAC */
125	120	ctx->blength = 0;
126	120	ccm_build_iv(ctx->tag.b, length, nonce, CCM_FLAG_SET_M(taglen), msglen);
127	120	ccm_build_iv(ctx->ctr.b, length, nonce, 0, 1);
128
129		/* If no auth data, encrypt B0 and skip L(a) */
130	120	if (!authlen) {
131	0	f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b);
132	0	return;
133	0	}
134
135		/* Encrypt B0 (with the adata flag), and input L(a) to the CBC-MAC. */
136	120	ctx->tag.b[CCM_OFFSET_FLAGS] \|= CCM_FLAG_ADATA;
137	120	f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b);
138	120	#if SIZEOF_SIZE_T > 4
139	120	if (authlen >= (0x01ULL << 32)) {
140		/* Encode L(a) as 0xff \|\| 0xff \|\| <64-bit integer> */
141	0	ctx->tag.b[ctx->blength++] ^= 0xff;
142	0	ctx->tag.b[ctx->blength++] ^= 0xff;
143	0	ctx->tag.b[ctx->blength++] ^= (authlen >> 56) & 0xff;
144	0	ctx->tag.b[ctx->blength++] ^= (authlen >> 48) & 0xff;
145	0	ctx->tag.b[ctx->blength++] ^= (authlen >> 40) & 0xff;
146	0	ctx->tag.b[ctx->blength++] ^= (authlen >> 32) & 0xff;
147	0	ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff;
148	0	ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff;
149	0	}
150	120	else
151	120	#endif
152	120	if (authlen >= ((0x1ULL << 16) - (0x1ULL << 8))) {
153		/* Encode L(a) as 0xff \|\| 0xfe \|\| <32-bit integer> */
154	0	ctx->tag.b[ctx->blength++] ^= 0xff;
155	0	ctx->tag.b[ctx->blength++] ^= 0xfe;
156	0	ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff;
157	0	ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff;
158	0	}
159	120	ctx->tag.b[ctx->blength++] ^= (authlen >> 8) & 0xff;
160	120	ctx->tag.b[ctx->blength++] ^= (authlen >> 0) & 0xff;
161	120	}
162
163		void
164		ccm_update(struct ccm_ctx ctx, const void cipher, nettle_cipher_func *f,
165		size_t length, const uint8_t *data)
166	240	{
167	240	const uint8_t *end = data + length;
168
169		/* If we don't have enough to fill a block, save the data for later. */
170	240	if ((ctx->blength + length) < CCM_BLOCK_SIZE) {
171	157	memxor(&ctx->tag.b[ctx->blength], data, length);
172	157	ctx->blength += length;
173	157	return;
174	157	}
175
176		/* Process a partially filled block. */
177	83	if (ctx->blength) {
178	0	memxor(&ctx->tag.b[ctx->blength], data, CCM_BLOCK_SIZE - ctx->blength);
179	0	data += (CCM_BLOCK_SIZE - ctx->blength);
180	0	f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b);
181	0	}
182
183		/* Process full blocks. */
184	5.68k	while ((data + CCM_BLOCK_SIZE) < end) {
185	5.59k	memxor(ctx->tag.b, data, CCM_BLOCK_SIZE);
186	5.59k	f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b);
187	5.59k	data += CCM_BLOCK_SIZE;
188	5.59k	} /* while */
189
190		/* Save leftovers for later. */
191	83	ctx->blength = (end - data);
192	83	if (ctx->blength) memxor(&ctx->tag.b, data, ctx->blength);
193	83	}
194
195		/*
196		* Because of the underlying CTR mode encryption, when called multiple times
197		* the data in intermediate calls must be provided in multiples of the block
198		* size.
199		*/
200		void
201		ccm_encrypt(struct ccm_ctx ctx, const void cipher, nettle_cipher_func *f,
202		size_t length, uint8_t dst, const uint8_t src)
203	37	{
204	37	ccm_pad(ctx, cipher, f);
205	37	ccm_update(ctx, cipher, f, length, src);
206	37	ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src);
207	37	}
208
209		/*
210		* Because of the underlying CTR mode decryption, when called multiple times
211		* the data in intermediate calls must be provided in multiples of the block
212		* size.
213		*/
214		void
215		ccm_decrypt(struct ccm_ctx ctx, const void cipher, nettle_cipher_func *f,
216		size_t length, uint8_t dst, const uint8_t src)
217	83	{
218	83	ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src);
219	83	ccm_pad(ctx, cipher, f);
220	83	ccm_update(ctx, cipher, f, length, dst);
221	83	}
222
223		void
224		ccm_digest(struct ccm_ctx ctx, const void cipher, nettle_cipher_func *f,
225		size_t length, uint8_t *digest)
226	120	{
227	120	int i = CCM_BLOCK_SIZE - CCM_FLAG_GET_L(ctx->ctr.b[CCM_OFFSET_FLAGS]);
228	120	assert(length <= CCM_BLOCK_SIZE);
229	480	while (i < CCM_BLOCK_SIZE) ctx->ctr.b[i++] = 0;
230	120	ccm_pad(ctx, cipher, f);
231	120	ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, digest, ctx->tag.b);
232	120	}
233
234		void
235		ccm_encrypt_message(const void cipher, nettle_cipher_func f,
236		size_t nlength, const uint8_t *nonce,
237		size_t alength, const uint8_t *adata, size_t tlength,
238		size_t clength, uint8_t dst, const uint8_t src)
239	37	{
240	37	struct ccm_ctx ctx;
241	37	uint8_t *tag = dst + (clength-tlength);
242	37	assert(clength >= tlength);
243	37	ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, clength-tlength, tlength);
244	37	ccm_update(&ctx, cipher, f, alength, adata);
245	37	ccm_encrypt(&ctx, cipher, f, clength-tlength, dst, src);
246	37	ccm_digest(&ctx, cipher, f, tlength, tag);
247	37	}
248
249		int
250		ccm_decrypt_message(const void cipher, nettle_cipher_func f,
251		size_t nlength, const uint8_t *nonce,
252		size_t alength, const uint8_t *adata, size_t tlength,
253		size_t mlength, uint8_t dst, const uint8_t src)
254	83	{
255	83	struct ccm_ctx ctx;
256	83	uint8_t tag[CCM_BLOCK_SIZE];
257	83	ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, mlength, tlength);
258	83	ccm_update(&ctx, cipher, f, alength, adata);
259	83	ccm_decrypt(&ctx, cipher, f, mlength, dst, src);
260	83	ccm_digest(&ctx, cipher, f, tlength, tag);
261	83	return memeql_sec(tag, src + mlength, tlength);
262	83	}