1  /*
  2   * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
  3   *
  4   * Permission is hereby granted, free of charge, to any person obtaining 
  5   * a copy of this software and associated documentation files (the
  6   * "Software"), to deal in the Software without restriction, including
  7   * without limitation the rights to use, copy, modify, merge, publish,
  8   * distribute, sublicense, and/or sell copies of the Software, and to
  9   * permit persons to whom the Software is furnished to do so, subject to
 10   * the following conditions:
 11   *
 12   * The above copyright notice and this permission notice shall be 
 13   * included in all copies or substantial portions of the Software.
 14   *
 15   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
 16   * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 17   * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
 18   * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 19   * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 20   * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 21   * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 22   * SOFTWARE.
 23   */
 24  
 25  #include "inner.h"
 26  
 27  /*
 28   * Implementation Notes
 29   * ====================
 30   *
 31   * The combined CTR + CBC-MAC functions can only handle full blocks,
 32   * so some buffering is necessary.
 33   *
 34   *  - 'ptr' contains a value from 0 to 15, which is the number of bytes
 35   *    accumulated in buf[] that still needs to be processed with the
 36   *    current CBC-MAC computation.
 37   *
 38   *  - When processing the message itself, CTR encryption/decryption is
 39   *    also done at the same time. The first 'ptr' bytes of buf[] then
 40   *    contains the plaintext bytes, while the last '16 - ptr' bytes of
 41   *    buf[] are the remnants of the stream block, to be used against
 42   *    the next input bytes, when available. When 'ptr' is 0, the
 43   *    contents of buf[] are to be ignored.
 44   *
 45   *  - The current counter and running CBC-MAC values are kept in 'ctr'
 46   *    and 'cbcmac', respectively.
 47   */
 48  
 49  /* see bearssl_block.h */
 50  void
 51  br_ccm_init(br_ccm_context *ctx, const br_block_ctrcbc_class **bctx)
 52  {
 53  	ctx->bctx = bctx;
 54  }
 55  
 56  /* see bearssl_block.h */
 57  int
 58  br_ccm_reset(br_ccm_context *ctx, const void *nonce, size_t nonce_len,
 59  	uint64_t aad_len, uint64_t data_len, size_t tag_len)
 60  {
 61  	unsigned char tmp[16];
 62  	unsigned u, q;
 63  
 64  	if (nonce_len < 7 || nonce_len > 13) {
 65  		return 0;
 66  	}
 67  	if (tag_len < 4 || tag_len > 16 || (tag_len & 1) != 0) {
 68  		return 0;
 69  	}
 70  	q = 15 - (unsigned)nonce_len;
 71  	ctx->tag_len = tag_len;
 72  
 73  	/*
 74  	 * Block B0, to start CBC-MAC.
 75  	 */
 76  	tmp[0] = (aad_len > 0 ? 0x40 : 0x00)
 77  		| (((unsigned)tag_len - 2) << 2)
 78  		| (q - 1);
 79  	memcpy(tmp + 1, nonce, nonce_len);
 80  	for (u = 0; u < q; u ++) {
 81  		tmp[15 - u] = (unsigned char)data_len;
 82  		data_len >>= 8;
 83  	}
 84  	if (data_len != 0) {
 85  		/*
 86  		 * If the data length was not entirely consumed in the
 87  		 * loop above, then it exceeds the maximum limit of
 88  		 * q bytes (when encoded).
 89  		 */
 90  		return 0;
 91  	}
 92  
 93  	/*
 94  	 * Start CBC-MAC.
 95  	 */
 96  	memset(ctx->cbcmac, 0, sizeof ctx->cbcmac);
 97  	(*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, tmp, sizeof tmp);
 98  
 99  	/*
100  	 * Assemble AAD length header.
101  	 */
102  	if ((aad_len >> 32) != 0) {
103  		ctx->buf[0] = 0xFF;
104  		ctx->buf[1] = 0xFF;
105  		br_enc64be(ctx->buf + 2, aad_len);
106  		ctx->ptr = 10;
107  	} else if (aad_len >= 0xFF00) {
108  		ctx->buf[0] = 0xFF;
109  		ctx->buf[1] = 0xFE;
110  		br_enc32be(ctx->buf + 2, (uint32_t)aad_len);
111  		ctx->ptr = 6;
112  	} else if (aad_len > 0) {
113  		br_enc16be(ctx->buf, (unsigned)aad_len);
114  		ctx->ptr = 2;
115  	} else {
116  		ctx->ptr = 0;
117  	}
118  
119  	/*
120  	 * Make initial counter value and compute tag mask.
121  	 */
122  	ctx->ctr[0] = q - 1;
123  	memcpy(ctx->ctr + 1, nonce, nonce_len);
124  	memset(ctx->ctr + 1 + nonce_len, 0, q);
125  	memset(ctx->tagmask, 0, sizeof ctx->tagmask);
126  	(*ctx->bctx)->ctr(ctx->bctx, ctx->ctr,
127  		ctx->tagmask, sizeof ctx->tagmask);
128  
129  	return 1;
130  }
131  
132  /* see bearssl_block.h */
133  void
134  br_ccm_aad_inject(br_ccm_context *ctx, const void *data, size_t len)
135  {
136  	const unsigned char *dbuf;
137  	size_t ptr;
138  
139  	dbuf = data;
140  
141  	/*
142  	 * Complete partial block, if needed.
143  	 */
144  	ptr = ctx->ptr;
145  	if (ptr != 0) {
146  		size_t clen;
147  
148  		clen = (sizeof ctx->buf) - ptr;
149  		if (clen > len) {
150  			memcpy(ctx->buf + ptr, dbuf, len);
151  			ctx->ptr = ptr + len;
152  			return;
153  		}
154  		memcpy(ctx->buf + ptr, dbuf, clen);
155  		dbuf += clen;
156  		len -= clen;
157  		(*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
158  			ctx->buf, sizeof ctx->buf);
159  	}
160  
161  	/*
162  	 * Process complete blocks.
163  	 */
164  	ptr = len & 15;
165  	len -= ptr;
166  	(*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, dbuf, len);
167  	dbuf += len;
168  
169  	/*
170  	 * Copy last partial block in the context buffer.
171  	 */
172  	memcpy(ctx->buf, dbuf, ptr);
173  	ctx->ptr = ptr;
174  }
175  
176  /* see bearssl_block.h */
177  void
178  br_ccm_flip(br_ccm_context *ctx)
179  {
180  	size_t ptr;
181  
182  	/*
183  	 * Complete AAD partial block with zeros, if necessary.
184  	 */
185  	ptr = ctx->ptr;
186  	if (ptr != 0) {
187  		memset(ctx->buf + ptr, 0, (sizeof ctx->buf) - ptr);
188  		(*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
189  			ctx->buf, sizeof ctx->buf);
190  		ctx->ptr = 0;
191  	}
192  
193  	/*
194  	 * Counter was already set by br_ccm_reset().
195  	 */
196  }
197  
198  /* see bearssl_block.h */
199  void
200  br_ccm_run(br_ccm_context *ctx, int encrypt, void *data, size_t len)
201  {
202  	unsigned char *dbuf;
203  	size_t ptr;
204  
205  	dbuf = data;
206  
207  	/*
208  	 * Complete a partial block, if any: ctx->buf[] contains
209  	 * ctx->ptr plaintext bytes (already reported), and the other
210  	 * bytes are CTR stream output.
211  	 */
212  	ptr = ctx->ptr;
213  	if (ptr != 0) {
214  		size_t clen;
215  		size_t u;
216  
217  		clen = (sizeof ctx->buf) - ptr;
218  		if (clen > len) {
219  			clen = len;
220  		}
221  		if (encrypt) {
222  			for (u = 0; u < clen; u ++) {
223  				unsigned w, x;
224  
225  				w = ctx->buf[ptr + u];
226  				x = dbuf[u];
227  				ctx->buf[ptr + u] = x;
228  				dbuf[u] = w ^ x;
229  			}
230  		} else {
231  			for (u = 0; u < clen; u ++) {
232  				unsigned w;
233  
234  				w = ctx->buf[ptr + u] ^ dbuf[u];
235  				dbuf[u] = w;
236  				ctx->buf[ptr + u] = w;
237  			}
238  		}
239  		dbuf += clen;
240  		len -= clen;
241  		ptr += clen;
242  		if (ptr < sizeof ctx->buf) {
243  			ctx->ptr = ptr;
244  			return;
245  		}
246  		(*ctx->bctx)->mac(ctx->bctx,
247  			ctx->cbcmac, ctx->buf, sizeof ctx->buf);
248  	}
249  
250  	/*
251  	 * Process all complete blocks. Note that the ctrcbc API is for
252  	 * encrypt-then-MAC (CBC-MAC is computed over the encrypted
253  	 * blocks) while CCM uses MAC-and-encrypt (CBC-MAC is computed
254  	 * over the plaintext blocks). Therefore, we need to use the
255  	 * _decryption_ function for encryption, and the encryption
256  	 * function for decryption (this works because CTR encryption
257  	 * and decryption are identical, so the choice really is about
258  	 * computing the CBC-MAC before or after XORing with the CTR
259  	 * stream).
260  	 */
261  	ptr = len & 15;
262  	len -= ptr;
263  	if (encrypt) {
264  		(*ctx->bctx)->decrypt(ctx->bctx, ctx->ctr, ctx->cbcmac,
265  			dbuf, len);
266  	} else {
267  		(*ctx->bctx)->encrypt(ctx->bctx, ctx->ctr, ctx->cbcmac,
268  			dbuf, len);
269  	}
270  	dbuf += len;
271  
272  	/*
273  	 * If there is some remaining data, then we need to compute an
274  	 * extra block of CTR stream.
275  	 */
276  	if (ptr != 0) {
277  		size_t u;
278  
279  		memset(ctx->buf, 0, sizeof ctx->buf);
280  		(*ctx->bctx)->ctr(ctx->bctx, ctx->ctr,
281  			ctx->buf, sizeof ctx->buf);
282  		if (encrypt) {
283  			for (u = 0; u < ptr; u ++) {
284  				unsigned w, x;
285  
286  				w = ctx->buf[u];
287  				x = dbuf[u];
288  				ctx->buf[u] = x;
289  				dbuf[u] = w ^ x;
290  			}
291  		} else {
292  			for (u = 0; u < ptr; u ++) {
293  				unsigned w;
294  
295  				w = ctx->buf[u] ^ dbuf[u];
296  				dbuf[u] = w;
297  				ctx->buf[u] = w;
298  			}
299  		}
300  	}
301  	ctx->ptr = ptr;
302  }
303  
304  /* see bearssl_block.h */
305  size_t
306  br_ccm_get_tag(br_ccm_context *ctx, void *tag)
307  {
308  	size_t ptr;
309  	size_t u;
310  
311  	/*
312  	 * If there is some buffered data, then we need to pad it with
313  	 * zeros and finish up CBC-MAC.
314  	 */
315  	ptr = ctx->ptr;
316  	if (ptr != 0) {
317  		memset(ctx->buf + ptr, 0, (sizeof ctx->buf) - ptr);
318  		(*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
319  			ctx->buf, sizeof ctx->buf);
320  	}
321  
322  	/*
323  	 * XOR the tag mask into the CBC-MAC output.
324  	 */
325  	for (u = 0; u < ctx->tag_len; u ++) {
326  		ctx->cbcmac[u] ^= ctx->tagmask[u];
327  	}
328  	memcpy(tag, ctx->cbcmac, ctx->tag_len);
329  	return ctx->tag_len;
330  }
331  
332  /* see bearssl_block.h */
333  uint32_t
334  br_ccm_check_tag(br_ccm_context *ctx, const void *tag)
335  {
336  	unsigned char tmp[16];
337  	size_t u, tag_len;
338  	uint32_t z;
339  
340  	tag_len = br_ccm_get_tag(ctx, tmp);
341  	z = 0;
342  	for (u = 0; u < tag_len; u ++) {
343  		z |= tmp[u] ^ ((const unsigned char *)tag)[u];
344  	}
345  	return EQ0(z);
346  }