/src/botan/src/lib/modes/aead/ccm/ccm.cpp

Source (jump to first uncovered line)
/*
* CCM Mode Encryption
* (C) 2013,2018 Jack Lloyd
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/ccm.h>

#include <botan/internal/ct_utils.h>
#include <botan/internal/fmt.h>
#include <botan/internal/loadstor.h>

namespace Botan {

// 128-bit cipher is intrinsic to CCM definition
static const size_t CCM_BS = 16;

/*
* CCM_Mode Constructor
*/
CCM_Mode::CCM_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size, size_t L) :
      m_tag_size(tag_size), m_L(L), m_cipher(std::move(cipher)) {
   if(m_cipher->block_size() != CCM_BS) {
      throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");
   }

   if(L < 2 || L > 8) {
      throw Invalid_Argument(fmt("Invalid CCM L value {}", L));
   }

   if(tag_size < 4 || tag_size > 16 || tag_size % 2 != 0) {
      throw Invalid_Argument(fmt("Invalid CCM tag length {}", tag_size));
   }
}

void CCM_Mode::clear() {
   m_cipher->clear();
   reset();
}

void CCM_Mode::reset() {
   m_nonce.clear();
   m_msg_buf.clear();
   m_ad_buf.clear();
}

std::string CCM_Mode::name() const {
   return fmt("{}/CCM({},{})", m_cipher->name(), tag_size(), L());
}

bool CCM_Mode::valid_nonce_length(size_t n) const {
   return (n == (15 - L()));
}

size_t CCM_Mode::default_nonce_length() const {
   return (15 - L());
}

size_t CCM_Mode::update_granularity() const {
   return 1;
}

size_t CCM_Mode::ideal_granularity() const {
   // Completely arbitrary
   return m_cipher->parallel_bytes();
}

bool CCM_Mode::requires_entire_message() const {
   return true;
}

Key_Length_Specification CCM_Mode::key_spec() const {
   return m_cipher->key_spec();
}

bool CCM_Mode::has_keying_material() const {
   return m_cipher->has_keying_material();
}

void CCM_Mode::key_schedule(std::span<const uint8_t> key) {
   m_cipher->set_key(key);
}

void CCM_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {
   BOTAN_ARG_CHECK(idx == 0, "CCM: cannot handle non-zero index in set_associated_data_n");

   m_ad_buf.clear();

   if(!ad.empty()) {
      // FIXME: support larger AD using length encoding rules
      BOTAN_ARG_CHECK(ad.size() < (0xFFFF - 0xFF), "Supported CCM AD length");

      m_ad_buf.push_back(get_byte<0>(static_cast<uint16_t>(ad.size())));
      m_ad_buf.push_back(get_byte<1>(static_cast<uint16_t>(ad.size())));
      m_ad_buf.insert(m_ad_buf.end(), ad.begin(), ad.end());
      while(m_ad_buf.size() % CCM_BS) {
         m_ad_buf.push_back(0);  // pad with zeros to full block size
      }
   }
}

void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
   if(!valid_nonce_length(nonce_len)) {
      throw Invalid_IV_Length(name(), nonce_len);
   }

   m_nonce.assign(nonce, nonce + nonce_len);
   m_msg_buf.clear();
}

size_t CCM_Mode::process_msg(uint8_t buf[], size_t sz) {
   BOTAN_STATE_CHECK(!m_nonce.empty());
   m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
   return 0;  // no output until finished
}

void CCM_Mode::encode_length(uint64_t len, uint8_t out[]) {
   const size_t len_bytes = L();

   BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);

   for(size_t i = 0; i != len_bytes; ++i) {
      out[len_bytes - 1 - i] = get_byte_var(sizeof(uint64_t) - 1 - i, len);
   }

   if(len_bytes < 8 && (len >> (len_bytes * 8)) > 0) {
      throw Encoding_Error("CCM message length too long to encode in L field");
   }
}

void CCM_Mode::inc(secure_vector<uint8_t>& C) {
   for(size_t i = 0; i != C.size(); ++i) {
      if(++C[C.size() - i - 1]) {
         break;
      }
   }
}

secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz) {
   if(m_nonce.size() != 15 - L()) {
      throw Invalid_State("CCM mode must set nonce");
   }
   secure_vector<uint8_t> B0(CCM_BS);

   const uint8_t b_flags =
      static_cast<uint8_t>((!m_ad_buf.empty() ? 64 : 0) + (((tag_size() / 2) - 1) << 3) + (L() - 1));

   B0[0] = b_flags;
   copy_mem(&B0[1], m_nonce.data(), m_nonce.size());
   encode_length(sz, &B0[m_nonce.size() + 1]);

   return B0;
}

secure_vector<uint8_t> CCM_Mode::format_c0() {
   if(m_nonce.size() != 15 - L()) {
      throw Invalid_State("CCM mode must set nonce");
   }
   secure_vector<uint8_t> C(CCM_BS);

   const uint8_t a_flags = static_cast<uint8_t>(L() - 1);

   C[0] = a_flags;
   copy_mem(&C[1], m_nonce.data(), m_nonce.size());

   return C;
}

void CCM_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());

   const size_t sz = buffer.size() - offset;
   uint8_t* buf = buffer.data() + offset;

   const secure_vector<uint8_t>& ad = ad_buf();
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");

   const BlockCipher& E = cipher();

   secure_vector<uint8_t> T(CCM_BS);
   E.encrypt(format_b0(sz), T);

   for(size_t i = 0; i != ad.size(); i += CCM_BS) {
      xor_buf(T.data(), &ad[i], CCM_BS);
      E.encrypt(T);
   }

   secure_vector<uint8_t> C = format_c0();
   secure_vector<uint8_t> S0(CCM_BS);
   E.encrypt(C, S0);
   inc(C);

   secure_vector<uint8_t> X(CCM_BS);

   const uint8_t* buf_end = &buf[sz];

   while(buf != buf_end) {
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);

      xor_buf(T.data(), buf, to_proc);
      E.encrypt(T);

      E.encrypt(C, X);
      xor_buf(buf, X.data(), to_proc);
      inc(C);

      buf += to_proc;
   }

   T ^= S0;

   buffer += std::make_pair(T.data(), tag_size());

   reset();
}

void CCM_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());

   const size_t sz = buffer.size() - offset;
   uint8_t* buf = buffer.data() + offset;

   BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");

   const secure_vector<uint8_t>& ad = ad_buf();
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");

   const BlockCipher& E = cipher();

   secure_vector<uint8_t> T(CCM_BS);
   E.encrypt(format_b0(sz - tag_size()), T);

   for(size_t i = 0; i != ad.size(); i += CCM_BS) {
      xor_buf(T.data(), &ad[i], CCM_BS);
      E.encrypt(T);
   }

   secure_vector<uint8_t> C = format_c0();

   secure_vector<uint8_t> S0(CCM_BS);
   E.encrypt(C, S0);
   inc(C);

   secure_vector<uint8_t> X(CCM_BS);

   const uint8_t* buf_end = &buf[sz - tag_size()];

   while(buf != buf_end) {
      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);

      E.encrypt(C, X);
      xor_buf(buf, X.data(), to_proc);
      inc(C);

      xor_buf(T.data(), buf, to_proc);
      E.encrypt(T);

      buf += to_proc;
   }

   T ^= S0;

   if(!CT::is_equal(T.data(), buf_end, tag_size()).as_bool()) {
      throw Invalid_Authentication_Tag("CCM tag check failed");
   }

   buffer.resize(buffer.size() - tag_size());

   reset();
}

}  // namespace Botan

Coverage Report

Created: 2024-11-21 07:00

Line	Count	Source (jump to first uncovered line)
1		/*
2		* CCM Mode Encryption
3		* (C) 2013,2018 Jack Lloyd
4		* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5		*
6		* Botan is released under the Simplified BSD License (see license.txt)
7		*/
8
9		#include <botan/internal/ccm.h>
10
11		#include <botan/internal/ct_utils.h>
12		#include <botan/internal/fmt.h>
13		#include <botan/internal/loadstor.h>
14
15		namespace Botan {
16
17		// 128-bit cipher is intrinsic to CCM definition
18		static const size_t CCM_BS = 16;
19
20		/*
21		* CCM_Mode Constructor
22		*/
23		CCM_Mode::CCM_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size, size_t L) :
24	645	m_tag_size(tag_size), m_L(L), m_cipher(std::move(cipher)) {
25	645	if(m_cipher->block_size() != CCM_BS) {
26	0	throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");
27	0	}
28
29	645	if(L < 2 \|\| L > 8) {
30	0	throw Invalid_Argument(fmt("Invalid CCM L value {}", L));
31	0	}
32
33	645	if(tag_size < 4 \|\| tag_size > 16 \|\| tag_size % 2 != 0) {
34	274	throw Invalid_Argument(fmt("Invalid CCM tag length {}", tag_size));
35	274	}
36	645	}
37
38	0	void CCM_Mode::clear() {
39	0	m_cipher->clear();
40	0	reset();
41	0	}
42
43	47	void CCM_Mode::reset() {
44	47	m_nonce.clear();
45	47	m_msg_buf.clear();
46	47	m_ad_buf.clear();
47	47	}
48
49	52	std::string CCM_Mode::name() const {
50	52	return fmt("{}/CCM({},{})", m_cipher->name(), tag_size(), L());
51	52	}
52
53	343	bool CCM_Mode::valid_nonce_length(size_t n) const {
54	343	return (n == (15 - L()));
55	343	}
56
57	0	size_t CCM_Mode::default_nonce_length() const {
58	0	return (15 - L());
59	0	}
60
61	319	size_t CCM_Mode::update_granularity() const {
62	319	return 1;
63	319	}
64
65	0	size_t CCM_Mode::ideal_granularity() const {
66		// Completely arbitrary
67	0	return m_cipher->parallel_bytes();
68	0	}
69
70	0	bool CCM_Mode::requires_entire_message() const {
71	0	return true;
72	0	}
73
74	371	Key_Length_Specification CCM_Mode::key_spec() const {
75	371	return m_cipher->key_spec();
76	371	}
77
78	0	bool CCM_Mode::has_keying_material() const {
79	0	return m_cipher->has_keying_material();
80	0	}
81
82	343	void CCM_Mode::key_schedule(std::span<const uint8_t> key) {
83	343	m_cipher->set_key(key);
84	343	}
85
86	203	void CCM_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {
87	203	BOTAN_ARG_CHECK(idx == 0, "CCM: cannot handle non-zero index in set_associated_data_n");
88
89	203	m_ad_buf.clear();
90
91	203	if(!ad.empty()) {
92		// FIXME: support larger AD using length encoding rules
93	159	BOTAN_ARG_CHECK(ad.size() < (0xFFFF - 0xFF), "Supported CCM AD length");
94
95	159	m_ad_buf.push_back(get_byte<0>(static_cast<uint16_t>(ad.size())));
96	159	m_ad_buf.push_back(get_byte<1>(static_cast<uint16_t>(ad.size())));
97	159	m_ad_buf.insert(m_ad_buf.end(), ad.begin(), ad.end());
98	1.86k	while(m_ad_buf.size() % CCM_BS) {
99	1.70k	m_ad_buf.push_back(0); // pad with zeros to full block size
100	1.70k	}
101	159	}
102	203	}
103
104	343	void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
105	343	if(!valid_nonce_length(nonce_len)) {
106	24	throw Invalid_IV_Length(name(), nonce_len);
107	24	}
108
109	319	m_nonce.assign(nonce, nonce + nonce_len);
110	319	m_msg_buf.clear();
111	319	}
112
113	420	size_t CCM_Mode::process_msg(uint8_t buf[], size_t sz) {
114	420	BOTAN_STATE_CHECK(!m_nonce.empty());
115	420	m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
116	420	return 0; // no output until finished
117	420	}
118
119	303	void CCM_Mode::encode_length(uint64_t len, uint8_t out[]) {
120	303	const size_t len_bytes = L();
121
122	303	BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);
123
124	1.21k	for(size_t i = 0; i != len_bytes; ++i) {
125	909	out[len_bytes - 1 - i] = get_byte_var(sizeof(uint64_t) - 1 - i, len);
126	909	}
127
128	303	if(len_bytes < 8 && (len >> (len_bytes * 8)) > 0) {
129	0	throw Encoding_Error("CCM message length too long to encode in L field");
130	0	}
131	303	}
132
133	534	void CCM_Mode::inc(secure_vector<uint8_t>& C) {
134	534	for(size_t i = 0; i != C.size(); ++i) {
135	534	if(++C[C.size() - i - 1]) {
136	534	break;
137	534	}
138	534	}
139	534	}
140
141	303	secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz) {
142	303	if(m_nonce.size() != 15 - L()) {
143	0	throw Invalid_State("CCM mode must set nonce");
144	0	}
145	303	secure_vector<uint8_t> B0(CCM_BS);
146
147	303	const uint8_t b_flags =
148	303	static_cast<uint8_t>((!m_ad_buf.empty() ? 64 : 0) + (((tag_size() / 2) - 1) << 3) + (L() - 1));
149
150	303	B0[0] = b_flags;
151	303	copy_mem(&B0[1], m_nonce.data(), m_nonce.size());
152	303	encode_length(sz, &B0[m_nonce.size() + 1]);
153
154	303	return B0;
155	303	}
156
157	303	secure_vector<uint8_t> CCM_Mode::format_c0() {
158	303	if(m_nonce.size() != 15 - L()) {
159	0	throw Invalid_State("CCM mode must set nonce");
160	0	}
161	303	secure_vector<uint8_t> C(CCM_BS);
162
163	303	const uint8_t a_flags = static_cast<uint8_t>(L() - 1);
164
165	303	C[0] = a_flags;
166	303	copy_mem(&C[1], m_nonce.data(), m_nonce.size());
167
168	303	return C;
169	303	}
170
171	47	void CCM_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
172	47	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
173
174	47	buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
175
176	47	const size_t sz = buffer.size() - offset;
177	47	uint8_t* buf = buffer.data() + offset;
178
179	47	const secure_vector<uint8_t>& ad = ad_buf();
180	47	BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
181
182	47	const BlockCipher& E = cipher();
183
184	47	secure_vector<uint8_t> T(CCM_BS);
185	47	E.encrypt(format_b0(sz), T);
186
187	95	for(size_t i = 0; i != ad.size(); i += CCM_BS) {
188	48	xor_buf(T.data(), &ad[i], CCM_BS);
189	48	E.encrypt(T);
190	48	}
191
192	47	secure_vector<uint8_t> C = format_c0();
193	47	secure_vector<uint8_t> S0(CCM_BS);
194	47	E.encrypt(C, S0);
195	47	inc(C);
196
197	47	secure_vector<uint8_t> X(CCM_BS);
198
199	47	const uint8_t* buf_end = &buf[sz];
200
201	47	while(buf != buf_end) {
202	0	const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
203
204	0	xor_buf(T.data(), buf, to_proc);
205	0	E.encrypt(T);
206
207	0	E.encrypt(C, X);
208	0	xor_buf(buf, X.data(), to_proc);
209	0	inc(C);
210
211	0	buf += to_proc;
212	0	}
213
214	47	T ^= S0;
215
216	47	buffer += std::make_pair(T.data(), tag_size());
217
218	47	reset();
219	47	}
220
221	272	void CCM_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
222	272	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
223
224	272	buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
225
226	272	const size_t sz = buffer.size() - offset;
227	272	uint8_t* buf = buffer.data() + offset;
228
229	272	BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");
230
231	272	const secure_vector<uint8_t>& ad = ad_buf();
232	272	BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
233
234	272	const BlockCipher& E = cipher();
235
236	272	secure_vector<uint8_t> T(CCM_BS);
237	272	E.encrypt(format_b0(sz - tag_size()), T);
238
239	516	for(size_t i = 0; i != ad.size(); i += CCM_BS) {
240	244	xor_buf(T.data(), &ad[i], CCM_BS);
241	244	E.encrypt(T);
242	244	}
243
244	272	secure_vector<uint8_t> C = format_c0();
245
246	272	secure_vector<uint8_t> S0(CCM_BS);
247	272	E.encrypt(C, S0);
248	272	inc(C);
249
250	272	secure_vector<uint8_t> X(CCM_BS);
251
252	272	const uint8_t* buf_end = &buf[sz - tag_size()];
253
254	503	while(buf != buf_end) {
255	231	const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
256
257	231	E.encrypt(C, X);
258	231	xor_buf(buf, X.data(), to_proc);
259	231	inc(C);
260
261	231	xor_buf(T.data(), buf, to_proc);
262	231	E.encrypt(T);
263
264	231	buf += to_proc;
265	231	}
266
267	272	T ^= S0;
268
269	272	if(!CT::is_equal(T.data(), buf_end, tag_size()).as_bool()) {
270	256	throw Invalid_Authentication_Tag("CCM tag check failed");
271	256	}
272
273	16	buffer.resize(buffer.size() - tag_size());
274
275	16	reset();
276	16	}
277
278		} // namespace Botan