2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 * Implementation Notes
29 * ====================
31 * The combined CTR + CBC-MAC functions can only handle full blocks,
32 * so some buffering is necessary.
34 * - 'ptr' contains a value from 0 to 15, which is the number of bytes
35 * accumulated in buf[] that still needs to be processed with the
36 * current CBC-MAC computation.
38 * - When processing the message itself, CTR encryption/decryption is
39 * also done at the same time. The first 'ptr' bytes of buf[] then
40 * contains the plaintext bytes, while the last '16 - ptr' bytes of
41 * buf[] are the remnants of the stream block, to be used against
42 * the next input bytes, when available. When 'ptr' is 0, the
43 * contents of buf[] are to be ignored.
45 * - The current counter and running CBC-MAC values are kept in 'ctr'
46 * and 'cbcmac', respectively.
49 /* see bearssl_block.h */
51 br_ccm_init(br_ccm_context *ctx, const br_block_ctrcbc_class **bctx)
56 /* see bearssl_block.h */
58 br_ccm_reset(br_ccm_context *ctx, const void *nonce, size_t nonce_len,
59 uint64_t aad_len, uint64_t data_len, size_t tag_len)
61 unsigned char tmp[16];
64 if (nonce_len < 7 || nonce_len > 13) {
67 if (tag_len < 4 || tag_len > 16 || (tag_len & 1) != 0) {
70 q = 15 - (unsigned)nonce_len;
71 ctx->tag_len = tag_len;
74 * Block B0, to start CBC-MAC.
76 tmp[0] = (aad_len > 0 ? 0x40 : 0x00)
77 | (((unsigned)tag_len - 2) << 2)
79 memcpy(tmp + 1, nonce, nonce_len);
80 for (u = 0; u < q; u ++) {
81 tmp[15 - u] = (unsigned char)data_len;
86 * If the data length was not entirely consumed in the
87 * loop above, then it exceeds the maximum limit of
88 * q bytes (when encoded).
96 memset(ctx->cbcmac, 0, sizeof ctx->cbcmac);
97 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, tmp, sizeof tmp);
100 * Assemble AAD length header.
102 if ((aad_len >> 32) != 0) {
105 br_enc64be(ctx->buf + 2, aad_len);
107 } else if (aad_len >= 0xFF00) {
110 br_enc32be(ctx->buf + 2, (uint32_t)aad_len);
112 } else if (aad_len > 0) {
113 br_enc16be(ctx->buf, (unsigned)aad_len);
120 * Make initial counter value and compute tag mask.
123 memcpy(ctx->ctr + 1, nonce, nonce_len);
124 memset(ctx->ctr + 1 + nonce_len, 0, q);
125 memset(ctx->tagmask, 0, sizeof ctx->tagmask);
126 (*ctx->bctx)->ctr(ctx->bctx, ctx->ctr,
127 ctx->tagmask, sizeof ctx->tagmask);
132 /* see bearssl_block.h */
134 br_ccm_aad_inject(br_ccm_context *ctx, const void *data, size_t len)
136 const unsigned char *dbuf;
142 * Complete partial block, if needed.
148 clen = (sizeof ctx->buf) - ptr;
150 memcpy(ctx->buf + ptr, dbuf, len);
151 ctx->ptr = ptr + len;
154 memcpy(ctx->buf + ptr, dbuf, clen);
157 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
158 ctx->buf, sizeof ctx->buf);
162 * Process complete blocks.
166 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, dbuf, len);
170 * Copy last partial block in the context buffer.
172 memcpy(ctx->buf, dbuf, ptr);
176 /* see bearssl_block.h */
178 br_ccm_flip(br_ccm_context *ctx)
183 * Complete AAD partial block with zeros, if necessary.
187 memset(ctx->buf + ptr, 0, (sizeof ctx->buf) - ptr);
188 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
189 ctx->buf, sizeof ctx->buf);
194 * Counter was already set by br_ccm_reset().
198 /* see bearssl_block.h */
200 br_ccm_run(br_ccm_context *ctx, int encrypt, void *data, size_t len)
208 * Complete a partial block, if any: ctx->buf[] contains
209 * ctx->ptr plaintext bytes (already reported), and the other
210 * bytes are CTR stream output.
217 clen = (sizeof ctx->buf) - ptr;
222 for (u = 0; u < clen; u ++) {
225 w = ctx->buf[ptr + u];
227 ctx->buf[ptr + u] = x;
231 for (u = 0; u < clen; u ++) {
234 w = ctx->buf[ptr + u] ^ dbuf[u];
236 ctx->buf[ptr + u] = w;
242 if (ptr < sizeof ctx->buf) {
246 (*ctx->bctx)->mac(ctx->bctx,
247 ctx->cbcmac, ctx->buf, sizeof ctx->buf);
251 * Process all complete blocks. Note that the ctrcbc API is for
252 * encrypt-then-MAC (CBC-MAC is computed over the encrypted
253 * blocks) while CCM uses MAC-and-encrypt (CBC-MAC is computed
254 * over the plaintext blocks). Therefore, we need to use the
255 * _decryption_ function for encryption, and the encryption
256 * function for decryption (this works because CTR encryption
257 * and decryption are identical, so the choice really is about
258 * computing the CBC-MAC before or after XORing with the CTR
264 (*ctx->bctx)->decrypt(ctx->bctx, ctx->ctr, ctx->cbcmac,
267 (*ctx->bctx)->encrypt(ctx->bctx, ctx->ctr, ctx->cbcmac,
273 * If there is some remaining data, then we need to compute an
274 * extra block of CTR stream.
279 memset(ctx->buf, 0, sizeof ctx->buf);
280 (*ctx->bctx)->ctr(ctx->bctx, ctx->ctr,
281 ctx->buf, sizeof ctx->buf);
283 for (u = 0; u < ptr; u ++) {
292 for (u = 0; u < ptr; u ++) {
295 w = ctx->buf[u] ^ dbuf[u];
304 /* see bearssl_block.h */
306 br_ccm_get_tag(br_ccm_context *ctx, void *tag)
312 * If there is some buffered data, then we need to pad it with
313 * zeros and finish up CBC-MAC.
317 memset(ctx->buf + ptr, 0, (sizeof ctx->buf) - ptr);
318 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
319 ctx->buf, sizeof ctx->buf);
323 * XOR the tag mask into the CBC-MAC output.
325 for (u = 0; u < ctx->tag_len; u ++) {
326 ctx->cbcmac[u] ^= ctx->tagmask[u];
328 memcpy(tag, ctx->cbcmac, ctx->tag_len);
332 /* see bearssl_block.h */
334 br_ccm_check_tag(br_ccm_context *ctx, const void *tag)
336 unsigned char tmp[16];
340 tag_len = br_ccm_get_tag(ctx, tmp);
342 for (u = 0; u < tag_len; u ++) {
343 z |= tmp[u] ^ ((const unsigned char *)tag)[u];