Fixed comment.
[BearSSL] / src / aead / ccm.c
1 /*
2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include "inner.h"
26
27 /*
28 * Implementation Notes
29 * ====================
30 *
31 * The combined CTR + CBC-MAC functions can only handle full blocks,
32 * so some buffering is necessary.
33 *
34 * - 'ptr' contains a value from 0 to 15, which is the number of bytes
35 * accumulated in buf[] that still needs to be processed with the
36 * current CBC-MAC computation.
37 *
38 * - When processing the message itself, CTR encryption/decryption is
39 * also done at the same time. The first 'ptr' bytes of buf[] then
40 * contains the plaintext bytes, while the last '16 - ptr' bytes of
41 * buf[] are the remnants of the stream block, to be used against
42 * the next input bytes, when available. When 'ptr' is 0, the
43 * contents of buf[] are to be ignored.
44 *
45 * - The current counter and running CBC-MAC values are kept in 'ctr'
46 * and 'cbcmac', respectively.
47 */
48
49 /* see bearssl_block.h */
50 void
51 br_ccm_init(br_ccm_context *ctx, const br_block_ctrcbc_class **bctx)
52 {
53 ctx->bctx = bctx;
54 }
55
56 /* see bearssl_block.h */
57 int
58 br_ccm_reset(br_ccm_context *ctx, const void *nonce, size_t nonce_len,
59 uint64_t aad_len, uint64_t data_len, size_t tag_len)
60 {
61 unsigned char tmp[16];
62 unsigned u, q;
63
64 if (nonce_len < 7 || nonce_len > 13) {
65 return 0;
66 }
67 if (tag_len < 4 || tag_len > 16 || (tag_len & 1) != 0) {
68 return 0;
69 }
70 q = 15 - (unsigned)nonce_len;
71 ctx->tag_len = tag_len;
72
73 /*
74 * Block B0, to start CBC-MAC.
75 */
76 tmp[0] = (aad_len > 0 ? 0x40 : 0x00)
77 | (((unsigned)tag_len - 2) << 2)
78 | (q - 1);
79 memcpy(tmp + 1, nonce, nonce_len);
80 for (u = 0; u < q; u ++) {
81 tmp[15 - u] = (unsigned char)data_len;
82 data_len >>= 8;
83 }
84 if (data_len != 0) {
85 /*
86 * If the data length was not entirely consumed in the
87 * loop above, then it exceeds the maximum limit of
88 * q bytes (when encoded).
89 */
90 return 0;
91 }
92
93 /*
94 * Start CBC-MAC.
95 */
96 memset(ctx->cbcmac, 0, sizeof ctx->cbcmac);
97 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, tmp, sizeof tmp);
98
99 /*
100 * Assemble AAD length header.
101 */
102 if ((aad_len >> 32) != 0) {
103 ctx->buf[0] = 0xFF;
104 ctx->buf[1] = 0xFF;
105 br_enc64be(ctx->buf + 2, aad_len);
106 ctx->ptr = 10;
107 } else if (aad_len >= 0xFF00) {
108 ctx->buf[0] = 0xFF;
109 ctx->buf[1] = 0xFE;
110 br_enc32be(ctx->buf + 2, (uint32_t)aad_len);
111 ctx->ptr = 6;
112 } else if (aad_len > 0) {
113 br_enc16be(ctx->buf, (unsigned)aad_len);
114 ctx->ptr = 2;
115 } else {
116 ctx->ptr = 0;
117 }
118
119 /*
120 * Make initial counter value and compute tag mask.
121 */
122 ctx->ctr[0] = q - 1;
123 memcpy(ctx->ctr + 1, nonce, nonce_len);
124 memset(ctx->ctr + 1 + nonce_len, 0, q);
125 memset(ctx->tagmask, 0, sizeof ctx->tagmask);
126 (*ctx->bctx)->ctr(ctx->bctx, ctx->ctr,
127 ctx->tagmask, sizeof ctx->tagmask);
128
129 return 1;
130 }
131
132 /* see bearssl_block.h */
133 void
134 br_ccm_aad_inject(br_ccm_context *ctx, const void *data, size_t len)
135 {
136 const unsigned char *dbuf;
137 size_t ptr;
138
139 dbuf = data;
140
141 /*
142 * Complete partial block, if needed.
143 */
144 ptr = ctx->ptr;
145 if (ptr != 0) {
146 size_t clen;
147
148 clen = (sizeof ctx->buf) - ptr;
149 if (clen > len) {
150 memcpy(ctx->buf + ptr, dbuf, len);
151 ctx->ptr = ptr + len;
152 return;
153 }
154 memcpy(ctx->buf + ptr, dbuf, clen);
155 dbuf += clen;
156 len -= clen;
157 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
158 ctx->buf, sizeof ctx->buf);
159 }
160
161 /*
162 * Process complete blocks.
163 */
164 ptr = len & 15;
165 len -= ptr;
166 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, dbuf, len);
167 dbuf += len;
168
169 /*
170 * Copy last partial block in the context buffer.
171 */
172 memcpy(ctx->buf, dbuf, ptr);
173 ctx->ptr = ptr;
174 }
175
176 /* see bearssl_block.h */
177 void
178 br_ccm_flip(br_ccm_context *ctx)
179 {
180 size_t ptr;
181
182 /*
183 * Complete AAD partial block with zeros, if necessary.
184 */
185 ptr = ctx->ptr;
186 if (ptr != 0) {
187 memset(ctx->buf + ptr, 0, (sizeof ctx->buf) - ptr);
188 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
189 ctx->buf, sizeof ctx->buf);
190 ctx->ptr = 0;
191 }
192
193 /*
194 * Counter was already set by br_ccm_reset().
195 */
196 }
197
198 /* see bearssl_block.h */
199 void
200 br_ccm_run(br_ccm_context *ctx, int encrypt, void *data, size_t len)
201 {
202 unsigned char *dbuf;
203 size_t ptr;
204
205 dbuf = data;
206
207 /*
208 * Complete a partial block, if any: ctx->buf[] contains
209 * ctx->ptr plaintext bytes (already reported), and the other
210 * bytes are CTR stream output.
211 */
212 ptr = ctx->ptr;
213 if (ptr != 0) {
214 size_t clen;
215 size_t u;
216
217 clen = (sizeof ctx->buf) - ptr;
218 if (clen > len) {
219 clen = len;
220 }
221 if (encrypt) {
222 for (u = 0; u < clen; u ++) {
223 unsigned w, x;
224
225 w = ctx->buf[ptr + u];
226 x = dbuf[u];
227 ctx->buf[ptr + u] = x;
228 dbuf[u] = w ^ x;
229 }
230 } else {
231 for (u = 0; u < clen; u ++) {
232 unsigned w;
233
234 w = ctx->buf[ptr + u] ^ dbuf[u];
235 dbuf[u] = w;
236 ctx->buf[ptr + u] = w;
237 }
238 }
239 dbuf += clen;
240 len -= clen;
241 ptr += clen;
242 if (ptr < sizeof ctx->buf) {
243 ctx->ptr = ptr;
244 return;
245 }
246 (*ctx->bctx)->mac(ctx->bctx,
247 ctx->cbcmac, ctx->buf, sizeof ctx->buf);
248 }
249
250 /*
251 * Process all complete blocks. Note that the ctrcbc API is for
252 * encrypt-then-MAC (CBC-MAC is computed over the encrypted
253 * blocks) while CCM uses MAC-and-encrypt (CBC-MAC is computed
254 * over the plaintext blocks). Therefore, we need to use the
255 * _decryption_ function for encryption, and the encryption
256 * function for decryption (this works because CTR encryption
257 * and decryption are identical, so the choice really is about
258 * computing the CBC-MAC before or after XORing with the CTR
259 * stream).
260 */
261 ptr = len & 15;
262 len -= ptr;
263 if (encrypt) {
264 (*ctx->bctx)->decrypt(ctx->bctx, ctx->ctr, ctx->cbcmac,
265 dbuf, len);
266 } else {
267 (*ctx->bctx)->encrypt(ctx->bctx, ctx->ctr, ctx->cbcmac,
268 dbuf, len);
269 }
270 dbuf += len;
271
272 /*
273 * If there is some remaining data, then we need to compute an
274 * extra block of CTR stream.
275 */
276 if (ptr != 0) {
277 size_t u;
278
279 memset(ctx->buf, 0, sizeof ctx->buf);
280 (*ctx->bctx)->ctr(ctx->bctx, ctx->ctr,
281 ctx->buf, sizeof ctx->buf);
282 if (encrypt) {
283 for (u = 0; u < ptr; u ++) {
284 unsigned w, x;
285
286 w = ctx->buf[u];
287 x = dbuf[u];
288 ctx->buf[u] = x;
289 dbuf[u] = w ^ x;
290 }
291 } else {
292 for (u = 0; u < ptr; u ++) {
293 unsigned w;
294
295 w = ctx->buf[u] ^ dbuf[u];
296 dbuf[u] = w;
297 ctx->buf[u] = w;
298 }
299 }
300 }
301 ctx->ptr = ptr;
302 }
303
304 /* see bearssl_block.h */
305 size_t
306 br_ccm_get_tag(br_ccm_context *ctx, void *tag)
307 {
308 size_t ptr;
309 size_t u;
310
311 /*
312 * If there is some buffered data, then we need to pad it with
313 * zeros and finish up CBC-MAC.
314 */
315 ptr = ctx->ptr;
316 if (ptr != 0) {
317 memset(ctx->buf + ptr, 0, (sizeof ctx->buf) - ptr);
318 (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
319 ctx->buf, sizeof ctx->buf);
320 }
321
322 /*
323 * XOR the tag mask into the CBC-MAC output.
324 */
325 for (u = 0; u < ctx->tag_len; u ++) {
326 ctx->cbcmac[u] ^= ctx->tagmask[u];
327 }
328 memcpy(tag, ctx->cbcmac, ctx->tag_len);
329 return ctx->tag_len;
330 }
331
332 /* see bearssl_block.h */
333 uint32_t
334 br_ccm_check_tag(br_ccm_context *ctx, const void *tag)
335 {
336 unsigned char tmp[16];
337 size_t u, tag_len;
338 uint32_t z;
339
340 tag_len = br_ccm_get_tag(ctx, tmp);
341 z = 0;
342 for (u = 0; u < tag_len; u ++) {
343 z |= tmp[u] ^ ((const unsigned char *)tag)[u];
344 }
345 return EQ0(z);
346 }