1/* 2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org> 3 * 4 * Permission is hereby granted, free of charge, to any person obtaining 5 * a copy of this software and associated documentation files (the 6 * "Software"), to deal in the Software without restriction, including 7 * without limitation the rights to use, copy, modify, merge, publish, 8 * distribute, sublicense, and/or sell copies of the Software, and to 9 * permit persons to whom the Software is furnished to do so, subject to 10 * the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25#include "inner.h" 26 27/* 28 * Implementation Notes 29 * ==================== 30 * 31 * The combined CTR + CBC-MAC functions can only handle full blocks, 32 * so some buffering is necessary. 33 * 34 * - 'ptr' contains a value from 0 to 15, which is the number of bytes 35 * accumulated in buf[] that still needs to be processed with the 36 * current CBC-MAC computation. 37 * 38 * - When processing the message itself, CTR encryption/decryption is 39 * also done at the same time. The first 'ptr' bytes of buf[] then 40 * contains the plaintext bytes, while the last '16 - ptr' bytes of 41 * buf[] are the remnants of the stream block, to be used against 42 * the next input bytes, when available. When 'ptr' is 0, the 43 * contents of buf[] are to be ignored. 44 * 45 * - The current counter and running CBC-MAC values are kept in 'ctr' 46 * and 'cbcmac', respectively. 47 */ 48 49/* see bearssl_block.h */ 50void 51br_ccm_init(br_ccm_context *ctx, const br_block_ctrcbc_class **bctx) 52{ 53 ctx->bctx = bctx; 54} 55 56/* see bearssl_block.h */ 57int 58br_ccm_reset(br_ccm_context *ctx, const void *nonce, size_t nonce_len, 59 uint64_t aad_len, uint64_t data_len, size_t tag_len) 60{ 61 unsigned char tmp[16]; 62 unsigned u, q; 63 64 if (nonce_len < 7 || nonce_len > 13) { 65 return 0; 66 } 67 if (tag_len < 4 || tag_len > 16 || (tag_len & 1) != 0) { 68 return 0; 69 } 70 q = 15 - (unsigned)nonce_len; 71 ctx->tag_len = tag_len; 72 73 /* 74 * Block B0, to start CBC-MAC. 75 */ 76 tmp[0] = (aad_len > 0 ? 0x40 : 0x00) 77 | (((unsigned)tag_len - 2) << 2) 78 | (q - 1); 79 memcpy(tmp + 1, nonce, nonce_len); 80 for (u = 0; u < q; u ++) { 81 tmp[15 - u] = (unsigned char)data_len; 82 data_len >>= 8; 83 } 84 if (data_len != 0) { 85 /* 86 * If the data length was not entirely consumed in the 87 * loop above, then it exceeds the maximum limit of 88 * q bytes (when encoded). 89 */ 90 return 0; 91 } 92 93 /* 94 * Start CBC-MAC. 95 */ 96 memset(ctx->cbcmac, 0, sizeof ctx->cbcmac); 97 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, tmp, sizeof tmp); 98 99 /* 100 * Assemble AAD length header. 101 */ 102 if ((aad_len >> 32) != 0) { 103 ctx->buf[0] = 0xFF; 104 ctx->buf[1] = 0xFF; 105 br_enc64be(ctx->buf + 2, aad_len); 106 ctx->ptr = 10; 107 } else if (aad_len >= 0xFF00) { 108 ctx->buf[0] = 0xFF; 109 ctx->buf[1] = 0xFE; 110 br_enc32be(ctx->buf + 2, (uint32_t)aad_len); 111 ctx->ptr = 6; 112 } else if (aad_len > 0) { 113 br_enc16be(ctx->buf, (unsigned)aad_len); 114 ctx->ptr = 2; 115 } else { 116 ctx->ptr = 0; 117 } 118 119 /* 120 * Make initial counter value and compute tag mask. 121 */ 122 ctx->ctr[0] = q - 1; 123 memcpy(ctx->ctr + 1, nonce, nonce_len); 124 memset(ctx->ctr + 1 + nonce_len, 0, q); 125 memset(ctx->tagmask, 0, sizeof ctx->tagmask); 126 (*ctx->bctx)->ctr(ctx->bctx, ctx->ctr, 127 ctx->tagmask, sizeof ctx->tagmask); 128 129 return 1; 130} 131 132/* see bearssl_block.h */ 133void 134br_ccm_aad_inject(br_ccm_context *ctx, const void *data, size_t len) 135{ 136 const unsigned char *dbuf; 137 size_t ptr; 138 139 dbuf = data; 140 141 /* 142 * Complete partial block, if needed. 143 */ 144 ptr = ctx->ptr; 145 if (ptr != 0) { 146 size_t clen; 147 148 clen = (sizeof ctx->buf) - ptr; 149 if (clen > len) { 150 memcpy(ctx->buf + ptr, dbuf, len); 151 ctx->ptr = ptr + len; 152 return; 153 } 154 memcpy(ctx->buf + ptr, dbuf, clen); 155 dbuf += clen; 156 len -= clen; 157 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, 158 ctx->buf, sizeof ctx->buf); 159 } 160 161 /* 162 * Process complete blocks. 163 */ 164 ptr = len & 15; 165 len -= ptr; 166 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, dbuf, len); 167 dbuf += len; 168 169 /* 170 * Copy last partial block in the context buffer. 171 */ 172 memcpy(ctx->buf, dbuf, ptr); 173 ctx->ptr = ptr; 174} 175 176/* see bearssl_block.h */ 177void 178br_ccm_flip(br_ccm_context *ctx) 179{ 180 size_t ptr; 181 182 /* 183 * Complete AAD partial block with zeros, if necessary. 184 */ 185 ptr = ctx->ptr; 186 if (ptr != 0) { 187 memset(ctx->buf + ptr, 0, (sizeof ctx->buf) - ptr); 188 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, 189 ctx->buf, sizeof ctx->buf); 190 ctx->ptr = 0; 191 } 192 193 /* 194 * Counter was already set by br_ccm_reset(). 195 */ 196} 197 198/* see bearssl_block.h */ 199void 200br_ccm_run(br_ccm_context *ctx, int encrypt, void *data, size_t len) 201{ 202 unsigned char *dbuf; 203 size_t ptr; 204 205 dbuf = data; 206 207 /* 208 * Complete a partial block, if any: ctx->buf[] contains 209 * ctx->ptr plaintext bytes (already reported), and the other 210 * bytes are CTR stream output. 211 */ 212 ptr = ctx->ptr; 213 if (ptr != 0) { 214 size_t clen; 215 size_t u; 216 217 clen = (sizeof ctx->buf) - ptr; 218 if (clen > len) { 219 clen = len; 220 } 221 if (encrypt) { 222 for (u = 0; u < clen; u ++) { 223 unsigned w, x; 224 225 w = ctx->buf[ptr + u]; 226 x = dbuf[u]; 227 ctx->buf[ptr + u] = x; 228 dbuf[u] = w ^ x; 229 } 230 } else { 231 for (u = 0; u < clen; u ++) { 232 unsigned w; 233 234 w = ctx->buf[ptr + u] ^ dbuf[u]; 235 dbuf[u] = w; 236 ctx->buf[ptr + u] = w; 237 } 238 } 239 dbuf += clen; 240 len -= clen; 241 ptr += clen; 242 if (ptr < sizeof ctx->buf) { 243 ctx->ptr = ptr; 244 return; 245 } 246 (*ctx->bctx)->mac(ctx->bctx, 247 ctx->cbcmac, ctx->buf, sizeof ctx->buf); 248 } 249 250 /* 251 * Process all complete blocks. Note that the ctrcbc API is for 252 * encrypt-then-MAC (CBC-MAC is computed over the encrypted 253 * blocks) while CCM uses MAC-and-encrypt (CBC-MAC is computed 254 * over the plaintext blocks). Therefore, we need to use the 255 * _decryption_ function for encryption, and the encryption 256 * function for decryption (this works because CTR encryption 257 * and decryption are identical, so the choice really is about 258 * computing the CBC-MAC before or after XORing with the CTR 259 * stream). 260 */ 261 ptr = len & 15; 262 len -= ptr; 263 if (encrypt) { 264 (*ctx->bctx)->decrypt(ctx->bctx, ctx->ctr, ctx->cbcmac, 265 dbuf, len); 266 } else { 267 (*ctx->bctx)->encrypt(ctx->bctx, ctx->ctr, ctx->cbcmac, 268 dbuf, len); 269 } 270 dbuf += len; 271 272 /* 273 * If there is some remaining data, then we need to compute an 274 * extra block of CTR stream. 275 */ 276 if (ptr != 0) { 277 size_t u; 278 279 memset(ctx->buf, 0, sizeof ctx->buf); 280 (*ctx->bctx)->ctr(ctx->bctx, ctx->ctr, 281 ctx->buf, sizeof ctx->buf); 282 if (encrypt) { 283 for (u = 0; u < ptr; u ++) { 284 unsigned w, x; 285 286 w = ctx->buf[u]; 287 x = dbuf[u]; 288 ctx->buf[u] = x; 289 dbuf[u] = w ^ x; 290 } 291 } else { 292 for (u = 0; u < ptr; u ++) { 293 unsigned w; 294 295 w = ctx->buf[u] ^ dbuf[u]; 296 dbuf[u] = w; 297 ctx->buf[u] = w; 298 } 299 } 300 } 301 ctx->ptr = ptr; 302} 303 304/* see bearssl_block.h */ 305size_t 306br_ccm_get_tag(br_ccm_context *ctx, void *tag) 307{ 308 size_t ptr; 309 size_t u; 310 311 /* 312 * If there is some buffered data, then we need to pad it with 313 * zeros and finish up CBC-MAC. 314 */ 315 ptr = ctx->ptr; 316 if (ptr != 0) { 317 memset(ctx->buf + ptr, 0, (sizeof ctx->buf) - ptr); 318 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, 319 ctx->buf, sizeof ctx->buf); 320 } 321 322 /* 323 * XOR the tag mask into the CBC-MAC output. 324 */ 325 for (u = 0; u < ctx->tag_len; u ++) { 326 ctx->cbcmac[u] ^= ctx->tagmask[u]; 327 } 328 memcpy(tag, ctx->cbcmac, ctx->tag_len); 329 return ctx->tag_len; 330} 331 332/* see bearssl_block.h */ 333uint32_t 334br_ccm_check_tag(br_ccm_context *ctx, const void *tag) 335{ 336 unsigned char tmp[16]; 337 size_t u, tag_len; 338 uint32_t z; 339 340 tag_len = br_ccm_get_tag(ctx, tmp); 341 z = 0; 342 for (u = 0; u < tag_len; u ++) { 343 z |= tmp[u] ^ ((const unsigned char *)tag)[u]; 344 } 345 return EQ0(z); 346} 347