TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / refs/heads/dev/mbed-crypto-0.1.0-alpha / . / library / ccm.c
blob: d39387f0904ac16e1fefaf41599f8573f873ef9e [file] [log] [blame]
Jaeden Ameroe54e6932018-08-06 16:19:58 +0100[diff] [blame]1/*
2 * NIST SP800-38C compliant CCM implementation
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of Mbed Crypto (https://tls.mbed.org)
20 */
21
22/*
23 * Definition of CCM:
24 * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
25 * RFC 3610 "Counter with CBC-MAC (CCM)"
26 *
27 * Related:
28 * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
29 */
30
31#if !defined(MBEDCRYPTO_CONFIG_FILE)
32#include "mbedcrypto/config.h"
33#else
34#include MBEDCRYPTO_CONFIG_FILE
35#endif
36
37#if defined(MBEDCRYPTO_CCM_C)
38
39#include "mbedcrypto/ccm.h"
40#include "mbedcrypto/platform_util.h"
41
42#include <string.h>
43
44#if defined(MBEDCRYPTO_SELF_TEST) && defined(MBEDCRYPTO_AES_C)
45#if defined(MBEDCRYPTO_PLATFORM_C)
46#include "mbedcrypto/platform.h"
47#else
48#include <stdio.h>
49#define mbedcrypto_printf printf
50#endif /* MBEDCRYPTO_PLATFORM_C */
51#endif /* MBEDCRYPTO_SELF_TEST && MBEDCRYPTO_AES_C */
52
53#if !defined(MBEDCRYPTO_CCM_ALT)
54
55#define CCM_ENCRYPT 0
56#define CCM_DECRYPT 1
57
58/*
59 * Initialize context
60 */
61void mbedcrypto_ccm_init( mbedcrypto_ccm_context *ctx )
62{
63 memset( ctx, 0, sizeof( mbedcrypto_ccm_context ) );
64}
65
66int mbedcrypto_ccm_setkey( mbedcrypto_ccm_context *ctx,
67 mbedcrypto_cipher_id_t cipher,
68 const unsigned char *key,
69 unsigned int keybits )
70{
71 int ret;
72 const mbedcrypto_cipher_info_t *cipher_info;
73
74 cipher_info = mbedcrypto_cipher_info_from_values( cipher, keybits, MBEDCRYPTO_MODE_ECB );
75 if( cipher_info == NULL )
76 return( MBEDCRYPTO_ERR_CCM_BAD_INPUT );
77
78 if( cipher_info->block_size != 16 )
79 return( MBEDCRYPTO_ERR_CCM_BAD_INPUT );
80
81 mbedcrypto_cipher_free( &ctx->cipher_ctx );
82
83 if( ( ret = mbedcrypto_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
84 return( ret );
85
86 if( ( ret = mbedcrypto_cipher_setkey( &ctx->cipher_ctx, key, keybits,
87 MBEDCRYPTO_ENCRYPT ) ) != 0 )
88 {
89 return( ret );
90 }
91
92 return( 0 );
93}
94
95/*
96 * Free context
97 */
98void mbedcrypto_ccm_free( mbedcrypto_ccm_context *ctx )
99{
100 mbedcrypto_cipher_free( &ctx->cipher_ctx );
101 mbedcrypto_platform_zeroize( ctx, sizeof( mbedcrypto_ccm_context ) );
102}
103
104/*
105 * Macros for common operations.
106 * Results in smaller compiled code than static inline functions.
107 */
108
109/*
110 * Update the CBC-MAC state in y using a block in b
111 * (Always using b as the source helps the compiler optimise a bit better.)
112 */
113#define UPDATE_CBC_MAC \
114 for( i = 0; i < 16; i++ ) \
115 y[i] ^= b[i]; \
116 \
117 if( ( ret = mbedcrypto_cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \
118 return( ret );
119
120/*
121 * Encrypt or decrypt a partial block with CTR
122 * Warning: using b for temporary storage! src and dst must not be b!
123 * This avoids allocating one more 16 bytes buffer while allowing src == dst.
124 */
125#define CTR_CRYPT( dst, src, len ) \
126 if( ( ret = mbedcrypto_cipher_update( &ctx->cipher_ctx, ctr, 16, b, &olen ) ) != 0 ) \
127 return( ret ); \
128 \
129 for( i = 0; i < len; i++ ) \
130 dst[i] = src[i] ^ b[i];
131
132/*
133 * Authenticated encryption or decryption
134 */
135static int ccm_auth_crypt( mbedcrypto_ccm_context *ctx, int mode, size_t length,
136 const unsigned char *iv, size_t iv_len,
137 const unsigned char *add, size_t add_len,
138 const unsigned char *input, unsigned char *output,
139 unsigned char *tag, size_t tag_len )
140{
141 int ret;
142 unsigned char i;
143 unsigned char q;
144 size_t len_left, olen;
145 unsigned char b[16];
146 unsigned char y[16];
147 unsigned char ctr[16];
148 const unsigned char *src;
149 unsigned char *dst;
150
151 /*
152 * Check length requirements: SP800-38C A.1
153 * Additional requirement: a < 2^16 - 2^8 to simplify the code.
154 * 'length' checked later (when writing it to the first block)
155 */
156 if( tag_len < 4 || tag_len > 16 || tag_len % 2 != 0 )
157 return( MBEDCRYPTO_ERR_CCM_BAD_INPUT );
158
159 /* Also implies q is within bounds */
160 if( iv_len < 7 || iv_len > 13 )
161 return( MBEDCRYPTO_ERR_CCM_BAD_INPUT );
162
163 if( add_len > 0xFF00 )
164 return( MBEDCRYPTO_ERR_CCM_BAD_INPUT );
165
166 q = 16 - 1 - (unsigned char) iv_len;
167
168 /*
169 * First block B_0:
170 * 0 .. 0 flags
171 * 1 .. iv_len nonce (aka iv)
172 * iv_len+1 .. 15 length
173 *
174 * With flags as (bits):
175 * 7 0
176 * 6 add present?
177 * 5 .. 3 (t - 2) / 2
178 * 2 .. 0 q - 1
179 */
180 b[0] = 0;
181 b[0] |= ( add_len > 0 ) << 6;
182 b[0] |= ( ( tag_len - 2 ) / 2 ) << 3;
183 b[0] |= q - 1;
184
185 memcpy( b + 1, iv, iv_len );
186
187 for( i = 0, len_left = length; i < q; i++, len_left >>= 8 )
188 b[15-i] = (unsigned char)( len_left & 0xFF );
189
190 if( len_left > 0 )
191 return( MBEDCRYPTO_ERR_CCM_BAD_INPUT );
192
193
194 /* Start CBC-MAC with first block */
195 memset( y, 0, 16 );
196 UPDATE_CBC_MAC;
197
198 /*
199 * If there is additional data, update CBC-MAC with
200 * add_len, add, 0 (padding to a block boundary)
201 */
202 if( add_len > 0 )
203 {
204 size_t use_len;
205 len_left = add_len;
206 src = add;
207
208 memset( b, 0, 16 );
209 b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF );
210 b[1] = (unsigned char)( ( add_len ) & 0xFF );
211
212 use_len = len_left < 16 - 2 ? len_left : 16 - 2;
213 memcpy( b + 2, src, use_len );
214 len_left -= use_len;
215 src += use_len;
216
217 UPDATE_CBC_MAC;
218
219 while( len_left > 0 )
220 {
221 use_len = len_left > 16 ? 16 : len_left;
222
223 memset( b, 0, 16 );
224 memcpy( b, src, use_len );
225 UPDATE_CBC_MAC;
226
227 len_left -= use_len;
228 src += use_len;
229 }
230 }
231
232 /*
233 * Prepare counter block for encryption:
234 * 0 .. 0 flags
235 * 1 .. iv_len nonce (aka iv)
236 * iv_len+1 .. 15 counter (initially 1)
237 *
238 * With flags as (bits):
239 * 7 .. 3 0
240 * 2 .. 0 q - 1
241 */
242 ctr[0] = q - 1;
243 memcpy( ctr + 1, iv, iv_len );
244 memset( ctr + 1 + iv_len, 0, q );
245 ctr[15] = 1;
246
247 /*
248 * Authenticate and {en,de}crypt the message.
249 *
250 * The only difference between encryption and decryption is
251 * the respective order of authentication and {en,de}cryption.
252 */
253 len_left = length;
254 src = input;
255 dst = output;
256
257 while( len_left > 0 )
258 {
259 size_t use_len = len_left > 16 ? 16 : len_left;
260
261 if( mode == CCM_ENCRYPT )
262 {
263 memset( b, 0, 16 );
264 memcpy( b, src, use_len );
265 UPDATE_CBC_MAC;
266 }
267
268 CTR_CRYPT( dst, src, use_len );
269
270 if( mode == CCM_DECRYPT )
271 {
272 memset( b, 0, 16 );
273 memcpy( b, dst, use_len );
274 UPDATE_CBC_MAC;
275 }
276
277 dst += use_len;
278 src += use_len;
279 len_left -= use_len;
280
281 /*
282 * Increment counter.
283 * No need to check for overflow thanks to the length check above.
284 */
285 for( i = 0; i < q; i++ )
286 if( ++ctr[15-i] != 0 )
287 break;
288 }
289
290 /*
291 * Authentication: reset counter and crypt/mask internal tag
292 */
293 for( i = 0; i < q; i++ )
294 ctr[15-i] = 0;
295
296 CTR_CRYPT( y, y, 16 );
297 memcpy( tag, y, tag_len );
298
299 return( 0 );
300}
301
302/*
303 * Authenticated encryption
304 */
305int mbedcrypto_ccm_encrypt_and_tag( mbedcrypto_ccm_context *ctx, size_t length,
306 const unsigned char *iv, size_t iv_len,
307 const unsigned char *add, size_t add_len,
308 const unsigned char *input, unsigned char *output,
309 unsigned char *tag, size_t tag_len )
310{
311 return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len,
312 add, add_len, input, output, tag, tag_len ) );
313}
314
315/*
316 * Authenticated decryption
317 */
318int mbedcrypto_ccm_auth_decrypt( mbedcrypto_ccm_context *ctx, size_t length,
319 const unsigned char *iv, size_t iv_len,
320 const unsigned char *add, size_t add_len,
321 const unsigned char *input, unsigned char *output,
322 const unsigned char *tag, size_t tag_len )
323{
324 int ret;
325 unsigned char check_tag[16];
326 unsigned char i;
327 int diff;
328
329 if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length,
330 iv, iv_len, add, add_len,
331 input, output, check_tag, tag_len ) ) != 0 )
332 {
333 return( ret );
334 }
335
336 /* Check tag in "constant-time" */
337 for( diff = 0, i = 0; i < tag_len; i++ )
338 diff |= tag[i] ^ check_tag[i];
339
340 if( diff != 0 )
341 {
342 mbedcrypto_platform_zeroize( output, length );
343 return( MBEDCRYPTO_ERR_CCM_AUTH_FAILED );
344 }
345
346 return( 0 );
347}
348
349#endif /* !MBEDCRYPTO_CCM_ALT */
350
351#if defined(MBEDCRYPTO_SELF_TEST) && defined(MBEDCRYPTO_AES_C)
352/*
353 * Examples 1 to 3 from SP800-38C Appendix C
354 */
355
356#define NB_TESTS 3
357
358/*
359 * The data is the same for all tests, only the used length changes
360 */
361static const unsigned char key[] = {
362 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
363 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
364};
365
366static const unsigned char iv[] = {
367 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
368 0x18, 0x19, 0x1a, 0x1b
369};
370
371static const unsigned char ad[] = {
372 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
373 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
374 0x10, 0x11, 0x12, 0x13
375};
376
377static const unsigned char msg[] = {
378 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
379 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
380 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
381};
382
383static const size_t iv_len [NB_TESTS] = { 7, 8, 12 };
384static const size_t add_len[NB_TESTS] = { 8, 16, 20 };
385static const size_t msg_len[NB_TESTS] = { 4, 16, 24 };
386static const size_t tag_len[NB_TESTS] = { 4, 6, 8 };
387
388static const unsigned char res[NB_TESTS][32] = {
389 { 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d },
390 { 0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62,
391 0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d,
392 0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd },
393 { 0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a,
394 0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b,
395 0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5,
396 0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 }
397};
398
399int mbedcrypto_ccm_self_test( int verbose )
400{
401 mbedcrypto_ccm_context ctx;
402 unsigned char out[32];
403 size_t i;
404 int ret;
405
406 mbedcrypto_ccm_init( &ctx );
407
408 if( mbedcrypto_ccm_setkey( &ctx, MBEDCRYPTO_CIPHER_ID_AES, key, 8 * sizeof key ) != 0 )
409 {
410 if( verbose != 0 )
411 mbedcrypto_printf( " CCM: setup failed" );
412
413 return( 1 );
414 }
415
416 for( i = 0; i < NB_TESTS; i++ )
417 {
418 if( verbose != 0 )
419 mbedcrypto_printf( " CCM-AES #%u: ", (unsigned int) i + 1 );
420
421 ret = mbedcrypto_ccm_encrypt_and_tag( &ctx, msg_len[i],
422 iv, iv_len[i], ad, add_len[i],
423 msg, out,
424 out + msg_len[i], tag_len[i] );
425
426 if( ret != 0 ||
427 memcmp( out, res[i], msg_len[i] + tag_len[i] ) != 0 )
428 {
429 if( verbose != 0 )
430 mbedcrypto_printf( "failed\n" );
431
432 return( 1 );
433 }
434
435 ret = mbedcrypto_ccm_auth_decrypt( &ctx, msg_len[i],
436 iv, iv_len[i], ad, add_len[i],
437 res[i], out,
438 res[i] + msg_len[i], tag_len[i] );
439
440 if( ret != 0 ||
441 memcmp( out, msg, msg_len[i] ) != 0 )
442 {
443 if( verbose != 0 )
444 mbedcrypto_printf( "failed\n" );
445
446 return( 1 );
447 }
448
449 if( verbose != 0 )
450 mbedcrypto_printf( "passed\n" );
451 }
452
453 mbedcrypto_ccm_free( &ctx );
454
455 if( verbose != 0 )
456 mbedcrypto_printf( "\n" );
457
458 return( 0 );
459}
460
461#endif /* MBEDCRYPTO_SELF_TEST && MBEDCRYPTO_AES_C */
462
463#endif /* MBEDCRYPTO_CCM_C */