2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 * Implementation Notes
29 * ====================
31 * The combined CTR + CBC-MAC functions can only handle full blocks,
32 * so some buffering is necessary.
34 * - 'ptr' contains a value from 0 to 15, which is the number of bytes
35 * accumulated in buf[] that still needs to be processed with the
36 * current CBC-MAC computation.
38 * - When processing the message itself, CTR encryption/decryption is
39 * also done at the same time. The first 'ptr' bytes of buf[] then
40 * contains the plaintext bytes, while the last '16 - ptr' bytes of
41 * buf[] are the remnants of the stream block, to be used against
42 * the next input bytes, when available. When 'ptr' is 0, the
43 * contents of buf[] are to be ignored.
45 * - The current counter and running CBC-MAC values are kept in 'ctr'
46 * and 'cbcmac', respectively.
49 /* see bearssl_block.h */
51 br_ccm_init(br_ccm_context
*ctx
, const br_block_ctrcbc_class
**bctx
)
56 /* see bearssl_block.h */
58 br_ccm_reset(br_ccm_context
*ctx
, const void *nonce
, size_t nonce_len
,
59 uint64_t aad_len
, uint64_t data_len
, size_t tag_len
)
61 unsigned char tmp
[16];
64 if (nonce_len
< 7 || nonce_len
> 13) {
67 if (tag_len
< 4 || tag_len
> 16 || (tag_len
& 1) != 0) {
70 q
= 15 - (unsigned)nonce_len
;
71 ctx
->tag_len
= tag_len
;
74 * Block B0, to start CBC-MAC.
76 tmp
[0] = (aad_len
> 0 ? 0x40 : 0x00)
77 | (((unsigned)tag_len
- 2) << 2)
79 memcpy(tmp
+ 1, nonce
, nonce_len
);
80 for (u
= 0; u
< q
; u
++) {
81 tmp
[15 - u
] = (unsigned char)data_len
;
86 * If the data length was not entirely consumed in the
87 * loop above, then it exceeds the maximum limit of
88 * q bytes (when encoded).
96 memset(ctx
->cbcmac
, 0, sizeof ctx
->cbcmac
);
97 (*ctx
->bctx
)->mac(ctx
->bctx
, ctx
->cbcmac
, tmp
, sizeof tmp
);
100 * Assemble AAD length header.
102 if ((aad_len
>> 32) != 0) {
105 br_enc64be(ctx
->buf
+ 2, aad_len
);
107 } else if (aad_len
>= 0xFF00) {
110 br_enc32be(ctx
->buf
+ 2, (uint32_t)aad_len
);
112 } else if (aad_len
> 0) {
113 br_enc16be(ctx
->buf
, (unsigned)aad_len
);
120 * Make initial counter value and compute tag mask.
123 memcpy(ctx
->ctr
+ 1, nonce
, nonce_len
);
124 memset(ctx
->ctr
+ 1 + nonce_len
, 0, q
);
125 memset(ctx
->tagmask
, 0, sizeof ctx
->tagmask
);
126 (*ctx
->bctx
)->ctr(ctx
->bctx
, ctx
->ctr
,
127 ctx
->tagmask
, sizeof ctx
->tagmask
);
132 /* see bearssl_block.h */
134 br_ccm_aad_inject(br_ccm_context
*ctx
, const void *data
, size_t len
)
136 const unsigned char *dbuf
;
142 * Complete partial block, if needed.
148 clen
= (sizeof ctx
->buf
) - ptr
;
150 memcpy(ctx
->buf
+ ptr
, dbuf
, len
);
151 ctx
->ptr
= ptr
+ len
;
154 memcpy(ctx
->buf
+ ptr
, dbuf
, clen
);
157 (*ctx
->bctx
)->mac(ctx
->bctx
, ctx
->cbcmac
,
158 ctx
->buf
, sizeof ctx
->buf
);
162 * Process complete blocks.
166 (*ctx
->bctx
)->mac(ctx
->bctx
, ctx
->cbcmac
, dbuf
, len
);
170 * Copy last partial block in the context buffer.
172 memcpy(ctx
->buf
, dbuf
, ptr
);
176 /* see bearssl_block.h */
178 br_ccm_flip(br_ccm_context
*ctx
)
183 * Complete AAD partial block with zeros, if necessary.
187 memset(ctx
->buf
+ ptr
, 0, (sizeof ctx
->buf
) - ptr
);
188 (*ctx
->bctx
)->mac(ctx
->bctx
, ctx
->cbcmac
,
189 ctx
->buf
, sizeof ctx
->buf
);
194 * Counter was already set by br_ccm_reset().
198 /* see bearssl_block.h */
200 br_ccm_run(br_ccm_context
*ctx
, int encrypt
, void *data
, size_t len
)
208 * Complete a partial block, if any: ctx->buf[] contains
209 * ctx->ptr plaintext bytes (already reported), and the other
210 * bytes are CTR stream output.
217 clen
= (sizeof ctx
->buf
) - ptr
;
222 for (u
= 0; u
< clen
; u
++) {
225 w
= ctx
->buf
[ptr
+ u
];
227 ctx
->buf
[ptr
+ u
] = x
;
231 for (u
= 0; u
< clen
; u
++) {
234 w
= ctx
->buf
[ptr
+ u
] ^ dbuf
[u
];
236 ctx
->buf
[ptr
+ u
] = w
;
242 if (ptr
< sizeof ctx
->buf
) {
246 (*ctx
->bctx
)->mac(ctx
->bctx
,
247 ctx
->cbcmac
, ctx
->buf
, sizeof ctx
->buf
);
251 * Process all complete blocks. Note that the ctrcbc API is for
252 * encrypt-then-MAC (CBC-MAC is computed over the encrypted
253 * blocks) while CCM uses MAC-and-encrypt (CBC-MAC is computed
254 * over the plaintext blocks). Therefore, we need to use the
255 * _decryption_ function for encryption, and the encryption
256 * function for decryption (this works because CTR encryption
257 * and decryption are identical, so the choice really is about
258 * computing the CBC-MAC before or after XORing with the CTR
264 (*ctx
->bctx
)->decrypt(ctx
->bctx
, ctx
->ctr
, ctx
->cbcmac
,
267 (*ctx
->bctx
)->encrypt(ctx
->bctx
, ctx
->ctr
, ctx
->cbcmac
,
273 * If there is some remaining data, then we need to compute an
274 * extra block of CTR stream.
279 memset(ctx
->buf
, 0, sizeof ctx
->buf
);
280 (*ctx
->bctx
)->ctr(ctx
->bctx
, ctx
->ctr
,
281 ctx
->buf
, sizeof ctx
->buf
);
283 for (u
= 0; u
< ptr
; u
++) {
292 for (u
= 0; u
< ptr
; u
++) {
295 w
= ctx
->buf
[u
] ^ dbuf
[u
];
304 /* see bearssl_block.h */
306 br_ccm_get_tag(br_ccm_context
*ctx
, void *tag
)
312 * If there is some buffered data, then we need to pad it with
313 * zeros and finish up CBC-MAC.
317 memset(ctx
->buf
+ ptr
, 0, (sizeof ctx
->buf
) - ptr
);
318 (*ctx
->bctx
)->mac(ctx
->bctx
, ctx
->cbcmac
,
319 ctx
->buf
, sizeof ctx
->buf
);
323 * XOR the tag mask into the CBC-MAC output.
325 for (u
= 0; u
< ctx
->tag_len
; u
++) {
326 ctx
->cbcmac
[u
] ^= ctx
->tagmask
[u
];
328 memcpy(tag
, ctx
->cbcmac
, ctx
->tag_len
);
332 /* see bearssl_block.h */
334 br_ccm_check_tag(br_ccm_context
*ctx
, const void *tag
)
336 unsigned char tmp
[16];
340 tag_len
= br_ccm_get_tag(ctx
, tmp
);
342 for (u
= 0; u
< tag_len
; u
++) {
343 z
|= tmp
[u
] ^ ((const unsigned char *)tag
)[u
];