xref: /freebsd/contrib/bearssl/src/aead/ccm.c (revision d6eb98610fa65663bf0df4574b7cb2c5c4ffda71)
1 /*
2  * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #include "inner.h"
26 
27 /*
28  * Implementation Notes
29  * ====================
30  *
31  * The combined CTR + CBC-MAC functions can only handle full blocks,
32  * so some buffering is necessary.
33  *
34  *  - 'ptr' contains a value from 0 to 15, which is the number of bytes
35  *    accumulated in buf[] that still needs to be processed with the
36  *    current CBC-MAC computation.
37  *
38  *  - When processing the message itself, CTR encryption/decryption is
39  *    also done at the same time. The first 'ptr' bytes of buf[] then
40  *    contains the plaintext bytes, while the last '16 - ptr' bytes of
41  *    buf[] are the remnants of the stream block, to be used against
42  *    the next input bytes, when available. When 'ptr' is 0, the
43  *    contents of buf[] are to be ignored.
44  *
45  *  - The current counter and running CBC-MAC values are kept in 'ctr'
46  *    and 'cbcmac', respectively.
47  */
48 
49 /* see bearssl_block.h */
50 void
51 br_ccm_init(br_ccm_context *ctx, const br_block_ctrcbc_class **bctx)
52 {
53 	ctx->bctx = bctx;
54 }
55 
56 /* see bearssl_block.h */
57 int
58 br_ccm_reset(br_ccm_context *ctx, const void *nonce, size_t nonce_len,
59 	uint64_t aad_len, uint64_t data_len, size_t tag_len)
60 {
61 	unsigned char tmp[16];
62 	unsigned u, q;
63 
64 	if (nonce_len < 7 || nonce_len > 13) {
65 		return 0;
66 	}
67 	if (tag_len < 4 || tag_len > 16 || (tag_len & 1) != 0) {
68 		return 0;
69 	}
70 	q = 15 - (unsigned)nonce_len;
71 	ctx->tag_len = tag_len;
72 
73 	/*
74 	 * Block B0, to start CBC-MAC.
75 	 */
76 	tmp[0] = (aad_len > 0 ? 0x40 : 0x00)
77 		| (((unsigned)tag_len - 2) << 2)
78 		| (q - 1);
79 	memcpy(tmp + 1, nonce, nonce_len);
80 	for (u = 0; u < q; u ++) {
81 		tmp[15 - u] = (unsigned char)data_len;
82 		data_len >>= 8;
83 	}
84 	if (data_len != 0) {
85 		/*
86 		 * If the data length was not entirely consumed in the
87 		 * loop above, then it exceeds the maximum limit of
88 		 * q bytes (when encoded).
89 		 */
90 		return 0;
91 	}
92 
93 	/*
94 	 * Start CBC-MAC.
95 	 */
96 	memset(ctx->cbcmac, 0, sizeof ctx->cbcmac);
97 	(*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, tmp, sizeof tmp);
98 
99 	/*
100 	 * Assemble AAD length header.
101 	 */
102 	if ((aad_len >> 32) != 0) {
103 		ctx->buf[0] = 0xFF;
104 		ctx->buf[1] = 0xFF;
105 		br_enc64be(ctx->buf + 2, aad_len);
106 		ctx->ptr = 10;
107 	} else if (aad_len >= 0xFF00) {
108 		ctx->buf[0] = 0xFF;
109 		ctx->buf[1] = 0xFE;
110 		br_enc32be(ctx->buf + 2, (uint32_t)aad_len);
111 		ctx->ptr = 6;
112 	} else if (aad_len > 0) {
113 		br_enc16be(ctx->buf, (unsigned)aad_len);
114 		ctx->ptr = 2;
115 	} else {
116 		ctx->ptr = 0;
117 	}
118 
119 	/*
120 	 * Make initial counter value and compute tag mask.
121 	 */
122 	ctx->ctr[0] = q - 1;
123 	memcpy(ctx->ctr + 1, nonce, nonce_len);
124 	memset(ctx->ctr + 1 + nonce_len, 0, q);
125 	memset(ctx->tagmask, 0, sizeof ctx->tagmask);
126 	(*ctx->bctx)->ctr(ctx->bctx, ctx->ctr,
127 		ctx->tagmask, sizeof ctx->tagmask);
128 
129 	return 1;
130 }
131 
132 /* see bearssl_block.h */
133 void
134 br_ccm_aad_inject(br_ccm_context *ctx, const void *data, size_t len)
135 {
136 	const unsigned char *dbuf;
137 	size_t ptr;
138 
139 	dbuf = data;
140 
141 	/*
142 	 * Complete partial block, if needed.
143 	 */
144 	ptr = ctx->ptr;
145 	if (ptr != 0) {
146 		size_t clen;
147 
148 		clen = (sizeof ctx->buf) - ptr;
149 		if (clen > len) {
150 			memcpy(ctx->buf + ptr, dbuf, len);
151 			ctx->ptr = ptr + len;
152 			return;
153 		}
154 		memcpy(ctx->buf + ptr, dbuf, clen);
155 		dbuf += clen;
156 		len -= clen;
157 		(*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
158 			ctx->buf, sizeof ctx->buf);
159 	}
160 
161 	/*
162 	 * Process complete blocks.
163 	 */
164 	ptr = len & 15;
165 	len -= ptr;
166 	(*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, dbuf, len);
167 	dbuf += len;
168 
169 	/*
170 	 * Copy last partial block in the context buffer.
171 	 */
172 	memcpy(ctx->buf, dbuf, ptr);
173 	ctx->ptr = ptr;
174 }
175 
176 /* see bearssl_block.h */
177 void
178 br_ccm_flip(br_ccm_context *ctx)
179 {
180 	size_t ptr;
181 
182 	/*
183 	 * Complete AAD partial block with zeros, if necessary.
184 	 */
185 	ptr = ctx->ptr;
186 	if (ptr != 0) {
187 		memset(ctx->buf + ptr, 0, (sizeof ctx->buf) - ptr);
188 		(*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
189 			ctx->buf, sizeof ctx->buf);
190 		ctx->ptr = 0;
191 	}
192 
193 	/*
194 	 * Counter was already set by br_ccm_reset().
195 	 */
196 }
197 
198 /* see bearssl_block.h */
199 void
200 br_ccm_run(br_ccm_context *ctx, int encrypt, void *data, size_t len)
201 {
202 	unsigned char *dbuf;
203 	size_t ptr;
204 
205 	dbuf = data;
206 
207 	/*
208 	 * Complete a partial block, if any: ctx->buf[] contains
209 	 * ctx->ptr plaintext bytes (already reported), and the other
210 	 * bytes are CTR stream output.
211 	 */
212 	ptr = ctx->ptr;
213 	if (ptr != 0) {
214 		size_t clen;
215 		size_t u;
216 
217 		clen = (sizeof ctx->buf) - ptr;
218 		if (clen > len) {
219 			clen = len;
220 		}
221 		if (encrypt) {
222 			for (u = 0; u < clen; u ++) {
223 				unsigned w, x;
224 
225 				w = ctx->buf[ptr + u];
226 				x = dbuf[u];
227 				ctx->buf[ptr + u] = x;
228 				dbuf[u] = w ^ x;
229 			}
230 		} else {
231 			for (u = 0; u < clen; u ++) {
232 				unsigned w;
233 
234 				w = ctx->buf[ptr + u] ^ dbuf[u];
235 				dbuf[u] = w;
236 				ctx->buf[ptr + u] = w;
237 			}
238 		}
239 		dbuf += clen;
240 		len -= clen;
241 		ptr += clen;
242 		if (ptr < sizeof ctx->buf) {
243 			ctx->ptr = ptr;
244 			return;
245 		}
246 		(*ctx->bctx)->mac(ctx->bctx,
247 			ctx->cbcmac, ctx->buf, sizeof ctx->buf);
248 	}
249 
250 	/*
251 	 * Process all complete blocks. Note that the ctrcbc API is for
252 	 * encrypt-then-MAC (CBC-MAC is computed over the encrypted
253 	 * blocks) while CCM uses MAC-and-encrypt (CBC-MAC is computed
254 	 * over the plaintext blocks). Therefore, we need to use the
255 	 * _decryption_ function for encryption, and the encryption
256 	 * function for decryption (this works because CTR encryption
257 	 * and decryption are identical, so the choice really is about
258 	 * computing the CBC-MAC before or after XORing with the CTR
259 	 * stream).
260 	 */
261 	ptr = len & 15;
262 	len -= ptr;
263 	if (encrypt) {
264 		(*ctx->bctx)->decrypt(ctx->bctx, ctx->ctr, ctx->cbcmac,
265 			dbuf, len);
266 	} else {
267 		(*ctx->bctx)->encrypt(ctx->bctx, ctx->ctr, ctx->cbcmac,
268 			dbuf, len);
269 	}
270 	dbuf += len;
271 
272 	/*
273 	 * If there is some remaining data, then we need to compute an
274 	 * extra block of CTR stream.
275 	 */
276 	if (ptr != 0) {
277 		size_t u;
278 
279 		memset(ctx->buf, 0, sizeof ctx->buf);
280 		(*ctx->bctx)->ctr(ctx->bctx, ctx->ctr,
281 			ctx->buf, sizeof ctx->buf);
282 		if (encrypt) {
283 			for (u = 0; u < ptr; u ++) {
284 				unsigned w, x;
285 
286 				w = ctx->buf[u];
287 				x = dbuf[u];
288 				ctx->buf[u] = x;
289 				dbuf[u] = w ^ x;
290 			}
291 		} else {
292 			for (u = 0; u < ptr; u ++) {
293 				unsigned w;
294 
295 				w = ctx->buf[u] ^ dbuf[u];
296 				dbuf[u] = w;
297 				ctx->buf[u] = w;
298 			}
299 		}
300 	}
301 	ctx->ptr = ptr;
302 }
303 
304 /* see bearssl_block.h */
305 size_t
306 br_ccm_get_tag(br_ccm_context *ctx, void *tag)
307 {
308 	size_t ptr;
309 	size_t u;
310 
311 	/*
312 	 * If there is some buffered data, then we need to pad it with
313 	 * zeros and finish up CBC-MAC.
314 	 */
315 	ptr = ctx->ptr;
316 	if (ptr != 0) {
317 		memset(ctx->buf + ptr, 0, (sizeof ctx->buf) - ptr);
318 		(*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
319 			ctx->buf, sizeof ctx->buf);
320 	}
321 
322 	/*
323 	 * XOR the tag mask into the CBC-MAC output.
324 	 */
325 	for (u = 0; u < ctx->tag_len; u ++) {
326 		ctx->cbcmac[u] ^= ctx->tagmask[u];
327 	}
328 	memcpy(tag, ctx->cbcmac, ctx->tag_len);
329 	return ctx->tag_len;
330 }
331 
332 /* see bearssl_block.h */
333 uint32_t
334 br_ccm_check_tag(br_ccm_context *ctx, const void *tag)
335 {
336 	unsigned char tmp[16];
337 	size_t u, tag_len;
338 	uint32_t z;
339 
340 	tag_len = br_ccm_get_tag(ctx, tmp);
341 	z = 0;
342 	for (u = 0; u < tag_len; u ++) {
343 		z |= tmp[u] ^ ((const unsigned char *)tag)[u];
344 	}
345 	return EQ0(z);
346 }
347