ccm.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546
  1. /*
  2. * NIST SP800-38C compliant CCM implementation
  3. *
  4. * Copyright The Mbed TLS Contributors
  5. * SPDX-License-Identifier: Apache-2.0
  6. *
  7. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  8. * not use this file except in compliance with the License.
  9. * You may obtain a copy of the License at
  10. *
  11. * http://www.apache.org/licenses/LICENSE-2.0
  12. *
  13. * Unless required by applicable law or agreed to in writing, software
  14. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  15. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16. * See the License for the specific language governing permissions and
  17. * limitations under the License.
  18. */
  19. /*
  20. * Definition of CCM:
  21. * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
  22. * RFC 3610 "Counter with CBC-MAC (CCM)"
  23. *
  24. * Related:
  25. * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
  26. */
  27. #include "common.h"
  28. #if defined(MBEDTLS_CCM_C)
  29. #include "mbedtls/ccm.h"
  30. #include "mbedtls/platform_util.h"
  31. #include "mbedtls/error.h"
  32. #include <string.h>
  33. #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
  34. #if defined(MBEDTLS_PLATFORM_C)
  35. #include "mbedtls/platform.h"
  36. #else
  37. #include <stdio.h>
  38. #define mbedtls_printf printf
  39. #endif /* MBEDTLS_PLATFORM_C */
  40. #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
  41. #if !defined(MBEDTLS_CCM_ALT)
  42. #define CCM_VALIDATE_RET( cond ) \
  43. MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CCM_BAD_INPUT )
  44. #define CCM_VALIDATE( cond ) \
  45. MBEDTLS_INTERNAL_VALIDATE( cond )
  46. #define CCM_ENCRYPT 0
  47. #define CCM_DECRYPT 1
  48. /*
  49. * Initialize context
  50. */
  51. void mbedtls_ccm_init( mbedtls_ccm_context *ctx )
  52. {
  53. CCM_VALIDATE( ctx != NULL );
  54. memset( ctx, 0, sizeof( mbedtls_ccm_context ) );
  55. }
  56. int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
  57. mbedtls_cipher_id_t cipher,
  58. const unsigned char *key,
  59. unsigned int keybits )
  60. {
  61. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  62. const mbedtls_cipher_info_t *cipher_info;
  63. CCM_VALIDATE_RET( ctx != NULL );
  64. CCM_VALIDATE_RET( key != NULL );
  65. cipher_info = mbedtls_cipher_info_from_values( cipher, keybits,
  66. MBEDTLS_MODE_ECB );
  67. if( cipher_info == NULL )
  68. return( MBEDTLS_ERR_CCM_BAD_INPUT );
  69. if( cipher_info->block_size != 16 )
  70. return( MBEDTLS_ERR_CCM_BAD_INPUT );
  71. mbedtls_cipher_free( &ctx->cipher_ctx );
  72. if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
  73. return( ret );
  74. if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
  75. MBEDTLS_ENCRYPT ) ) != 0 )
  76. {
  77. return( ret );
  78. }
  79. return( 0 );
  80. }
  81. /*
  82. * Free context
  83. */
  84. void mbedtls_ccm_free( mbedtls_ccm_context *ctx )
  85. {
  86. if( ctx == NULL )
  87. return;
  88. mbedtls_cipher_free( &ctx->cipher_ctx );
  89. mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ccm_context ) );
  90. }
  91. /*
  92. * Macros for common operations.
  93. * Results in smaller compiled code than static inline functions.
  94. */
  95. /*
  96. * Update the CBC-MAC state in y using a block in b
  97. * (Always using b as the source helps the compiler optimise a bit better.)
  98. */
  99. #define UPDATE_CBC_MAC \
  100. for( i = 0; i < 16; i++ ) \
  101. y[i] ^= b[i]; \
  102. \
  103. if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \
  104. return( ret );
  105. /*
  106. * Encrypt or decrypt a partial block with CTR
  107. * Warning: using b for temporary storage! src and dst must not be b!
  108. * This avoids allocating one more 16 bytes buffer while allowing src == dst.
  109. */
  110. #define CTR_CRYPT( dst, src, len ) \
  111. do \
  112. { \
  113. if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr, \
  114. 16, b, &olen ) ) != 0 ) \
  115. { \
  116. return( ret ); \
  117. } \
  118. \
  119. for( i = 0; i < (len); i++ ) \
  120. (dst)[i] = (src)[i] ^ b[i]; \
  121. } while( 0 )
  122. /*
  123. * Authenticated encryption or decryption
  124. */
  125. static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
  126. const unsigned char *iv, size_t iv_len,
  127. const unsigned char *add, size_t add_len,
  128. const unsigned char *input, unsigned char *output,
  129. unsigned char *tag, size_t tag_len )
  130. {
  131. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  132. unsigned char i;
  133. unsigned char q;
  134. size_t len_left, olen;
  135. unsigned char b[16];
  136. unsigned char y[16];
  137. unsigned char ctr[16];
  138. const unsigned char *src;
  139. unsigned char *dst;
  140. /*
  141. * Check length requirements: SP800-38C A.1
  142. * Additional requirement: a < 2^16 - 2^8 to simplify the code.
  143. * 'length' checked later (when writing it to the first block)
  144. *
  145. * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
  146. */
  147. if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 )
  148. return( MBEDTLS_ERR_CCM_BAD_INPUT );
  149. /* Also implies q is within bounds */
  150. if( iv_len < 7 || iv_len > 13 )
  151. return( MBEDTLS_ERR_CCM_BAD_INPUT );
  152. if( add_len >= 0xFF00 )
  153. return( MBEDTLS_ERR_CCM_BAD_INPUT );
  154. q = 16 - 1 - (unsigned char) iv_len;
  155. /*
  156. * First block B_0:
  157. * 0 .. 0 flags
  158. * 1 .. iv_len nonce (aka iv)
  159. * iv_len+1 .. 15 length
  160. *
  161. * With flags as (bits):
  162. * 7 0
  163. * 6 add present?
  164. * 5 .. 3 (t - 2) / 2
  165. * 2 .. 0 q - 1
  166. */
  167. b[0] = 0;
  168. b[0] |= ( add_len > 0 ) << 6;
  169. b[0] |= ( ( tag_len - 2 ) / 2 ) << 3;
  170. b[0] |= q - 1;
  171. memcpy( b + 1, iv, iv_len );
  172. for( i = 0, len_left = length; i < q; i++, len_left >>= 8 )
  173. b[15-i] = MBEDTLS_BYTE_0( len_left );
  174. if( len_left > 0 )
  175. return( MBEDTLS_ERR_CCM_BAD_INPUT );
  176. /* Start CBC-MAC with first block */
  177. memset( y, 0, 16 );
  178. UPDATE_CBC_MAC;
  179. /*
  180. * If there is additional data, update CBC-MAC with
  181. * add_len, add, 0 (padding to a block boundary)
  182. */
  183. if( add_len > 0 )
  184. {
  185. size_t use_len;
  186. len_left = add_len;
  187. src = add;
  188. memset( b, 0, 16 );
  189. MBEDTLS_PUT_UINT16_BE( add_len, b, 0 );
  190. use_len = len_left < 16 - 2 ? len_left : 16 - 2;
  191. memcpy( b + 2, src, use_len );
  192. len_left -= use_len;
  193. src += use_len;
  194. UPDATE_CBC_MAC;
  195. while( len_left > 0 )
  196. {
  197. use_len = len_left > 16 ? 16 : len_left;
  198. memset( b, 0, 16 );
  199. memcpy( b, src, use_len );
  200. UPDATE_CBC_MAC;
  201. len_left -= use_len;
  202. src += use_len;
  203. }
  204. }
  205. /*
  206. * Prepare counter block for encryption:
  207. * 0 .. 0 flags
  208. * 1 .. iv_len nonce (aka iv)
  209. * iv_len+1 .. 15 counter (initially 1)
  210. *
  211. * With flags as (bits):
  212. * 7 .. 3 0
  213. * 2 .. 0 q - 1
  214. */
  215. ctr[0] = q - 1;
  216. memcpy( ctr + 1, iv, iv_len );
  217. memset( ctr + 1 + iv_len, 0, q );
  218. ctr[15] = 1;
  219. /*
  220. * Authenticate and {en,de}crypt the message.
  221. *
  222. * The only difference between encryption and decryption is
  223. * the respective order of authentication and {en,de}cryption.
  224. */
  225. len_left = length;
  226. src = input;
  227. dst = output;
  228. while( len_left > 0 )
  229. {
  230. size_t use_len = len_left > 16 ? 16 : len_left;
  231. if( mode == CCM_ENCRYPT )
  232. {
  233. memset( b, 0, 16 );
  234. memcpy( b, src, use_len );
  235. UPDATE_CBC_MAC;
  236. }
  237. CTR_CRYPT( dst, src, use_len );
  238. if( mode == CCM_DECRYPT )
  239. {
  240. memset( b, 0, 16 );
  241. memcpy( b, dst, use_len );
  242. UPDATE_CBC_MAC;
  243. }
  244. dst += use_len;
  245. src += use_len;
  246. len_left -= use_len;
  247. /*
  248. * Increment counter.
  249. * No need to check for overflow thanks to the length check above.
  250. */
  251. for( i = 0; i < q; i++ )
  252. if( ++ctr[15-i] != 0 )
  253. break;
  254. }
  255. /*
  256. * Authentication: reset counter and crypt/mask internal tag
  257. */
  258. for( i = 0; i < q; i++ )
  259. ctr[15-i] = 0;
  260. CTR_CRYPT( y, y, 16 );
  261. memcpy( tag, y, tag_len );
  262. return( 0 );
  263. }
  264. /*
  265. * Authenticated encryption
  266. */
  267. int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
  268. const unsigned char *iv, size_t iv_len,
  269. const unsigned char *add, size_t add_len,
  270. const unsigned char *input, unsigned char *output,
  271. unsigned char *tag, size_t tag_len )
  272. {
  273. CCM_VALIDATE_RET( ctx != NULL );
  274. CCM_VALIDATE_RET( iv != NULL );
  275. CCM_VALIDATE_RET( add_len == 0 || add != NULL );
  276. CCM_VALIDATE_RET( length == 0 || input != NULL );
  277. CCM_VALIDATE_RET( length == 0 || output != NULL );
  278. CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
  279. return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len,
  280. add, add_len, input, output, tag, tag_len ) );
  281. }
  282. int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
  283. const unsigned char *iv, size_t iv_len,
  284. const unsigned char *add, size_t add_len,
  285. const unsigned char *input, unsigned char *output,
  286. unsigned char *tag, size_t tag_len )
  287. {
  288. CCM_VALIDATE_RET( ctx != NULL );
  289. CCM_VALIDATE_RET( iv != NULL );
  290. CCM_VALIDATE_RET( add_len == 0 || add != NULL );
  291. CCM_VALIDATE_RET( length == 0 || input != NULL );
  292. CCM_VALIDATE_RET( length == 0 || output != NULL );
  293. CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
  294. if( tag_len == 0 )
  295. return( MBEDTLS_ERR_CCM_BAD_INPUT );
  296. return( mbedtls_ccm_star_encrypt_and_tag( ctx, length, iv, iv_len, add,
  297. add_len, input, output, tag, tag_len ) );
  298. }
  299. /*
  300. * Authenticated decryption
  301. */
  302. int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
  303. const unsigned char *iv, size_t iv_len,
  304. const unsigned char *add, size_t add_len,
  305. const unsigned char *input, unsigned char *output,
  306. const unsigned char *tag, size_t tag_len )
  307. {
  308. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  309. unsigned char check_tag[16];
  310. unsigned char i;
  311. int diff;
  312. CCM_VALIDATE_RET( ctx != NULL );
  313. CCM_VALIDATE_RET( iv != NULL );
  314. CCM_VALIDATE_RET( add_len == 0 || add != NULL );
  315. CCM_VALIDATE_RET( length == 0 || input != NULL );
  316. CCM_VALIDATE_RET( length == 0 || output != NULL );
  317. CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
  318. if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length,
  319. iv, iv_len, add, add_len,
  320. input, output, check_tag, tag_len ) ) != 0 )
  321. {
  322. return( ret );
  323. }
  324. /* Check tag in "constant-time" */
  325. for( diff = 0, i = 0; i < tag_len; i++ )
  326. diff |= tag[i] ^ check_tag[i];
  327. if( diff != 0 )
  328. {
  329. mbedtls_platform_zeroize( output, length );
  330. return( MBEDTLS_ERR_CCM_AUTH_FAILED );
  331. }
  332. return( 0 );
  333. }
  334. int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
  335. const unsigned char *iv, size_t iv_len,
  336. const unsigned char *add, size_t add_len,
  337. const unsigned char *input, unsigned char *output,
  338. const unsigned char *tag, size_t tag_len )
  339. {
  340. CCM_VALIDATE_RET( ctx != NULL );
  341. CCM_VALIDATE_RET( iv != NULL );
  342. CCM_VALIDATE_RET( add_len == 0 || add != NULL );
  343. CCM_VALIDATE_RET( length == 0 || input != NULL );
  344. CCM_VALIDATE_RET( length == 0 || output != NULL );
  345. CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
  346. if( tag_len == 0 )
  347. return( MBEDTLS_ERR_CCM_BAD_INPUT );
  348. return( mbedtls_ccm_star_auth_decrypt( ctx, length, iv, iv_len, add,
  349. add_len, input, output, tag, tag_len ) );
  350. }
  351. #endif /* !MBEDTLS_CCM_ALT */
  352. #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
  353. /*
  354. * Examples 1 to 3 from SP800-38C Appendix C
  355. */
  356. #define NB_TESTS 3
  357. #define CCM_SELFTEST_PT_MAX_LEN 24
  358. #define CCM_SELFTEST_CT_MAX_LEN 32
  359. /*
  360. * The data is the same for all tests, only the used length changes
  361. */
  362. static const unsigned char key_test_data[] = {
  363. 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
  364. 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
  365. };
  366. static const unsigned char iv_test_data[] = {
  367. 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
  368. 0x18, 0x19, 0x1a, 0x1b
  369. };
  370. static const unsigned char ad_test_data[] = {
  371. 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  372. 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  373. 0x10, 0x11, 0x12, 0x13
  374. };
  375. static const unsigned char msg_test_data[CCM_SELFTEST_PT_MAX_LEN] = {
  376. 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
  377. 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
  378. 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
  379. };
  380. static const size_t iv_len_test_data [NB_TESTS] = { 7, 8, 12 };
  381. static const size_t add_len_test_data[NB_TESTS] = { 8, 16, 20 };
  382. static const size_t msg_len_test_data[NB_TESTS] = { 4, 16, 24 };
  383. static const size_t tag_len_test_data[NB_TESTS] = { 4, 6, 8 };
  384. static const unsigned char res_test_data[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = {
  385. { 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d },
  386. { 0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62,
  387. 0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d,
  388. 0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd },
  389. { 0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a,
  390. 0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b,
  391. 0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5,
  392. 0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 }
  393. };
  394. int mbedtls_ccm_self_test( int verbose )
  395. {
  396. mbedtls_ccm_context ctx;
  397. /*
  398. * Some hardware accelerators require the input and output buffers
  399. * would be in RAM, because the flash is not accessible.
  400. * Use buffers on the stack to hold the test vectors data.
  401. */
  402. unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN];
  403. unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN];
  404. size_t i;
  405. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  406. mbedtls_ccm_init( &ctx );
  407. if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key_test_data,
  408. 8 * sizeof key_test_data ) != 0 )
  409. {
  410. if( verbose != 0 )
  411. mbedtls_printf( " CCM: setup failed" );
  412. return( 1 );
  413. }
  414. for( i = 0; i < NB_TESTS; i++ )
  415. {
  416. if( verbose != 0 )
  417. mbedtls_printf( " CCM-AES #%u: ", (unsigned int) i + 1 );
  418. memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN );
  419. memset( ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN );
  420. memcpy( plaintext, msg_test_data, msg_len_test_data[i] );
  421. ret = mbedtls_ccm_encrypt_and_tag( &ctx, msg_len_test_data[i],
  422. iv_test_data, iv_len_test_data[i],
  423. ad_test_data, add_len_test_data[i],
  424. plaintext, ciphertext,
  425. ciphertext + msg_len_test_data[i],
  426. tag_len_test_data[i] );
  427. if( ret != 0 ||
  428. memcmp( ciphertext, res_test_data[i],
  429. msg_len_test_data[i] + tag_len_test_data[i] ) != 0 )
  430. {
  431. if( verbose != 0 )
  432. mbedtls_printf( "failed\n" );
  433. return( 1 );
  434. }
  435. memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN );
  436. ret = mbedtls_ccm_auth_decrypt( &ctx, msg_len_test_data[i],
  437. iv_test_data, iv_len_test_data[i],
  438. ad_test_data, add_len_test_data[i],
  439. ciphertext, plaintext,
  440. ciphertext + msg_len_test_data[i],
  441. tag_len_test_data[i] );
  442. if( ret != 0 ||
  443. memcmp( plaintext, msg_test_data, msg_len_test_data[i] ) != 0 )
  444. {
  445. if( verbose != 0 )
  446. mbedtls_printf( "failed\n" );
  447. return( 1 );
  448. }
  449. if( verbose != 0 )
  450. mbedtls_printf( "passed\n" );
  451. }
  452. mbedtls_ccm_free( &ctx );
  453. if( verbose != 0 )
  454. mbedtls_printf( "\n" );
  455. return( 0 );
  456. }
  457. #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
  458. #endif /* MBEDTLS_CCM_C */