GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libcrypto/modes/ccm128.c Lines: 0 213 0.0 %
Date: 2017-11-07 Branches: 0 92 0.0 %

Line Branch Exec Source
1
/* $OpenBSD: ccm128.c,v 1.4 2015/02/10 09:46:30 miod Exp $ */
2
/* ====================================================================
3
 * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
4
 *
5
 * Redistribution and use in source and binary forms, with or without
6
 * modification, are permitted provided that the following conditions
7
 * are met:
8
 *
9
 * 1. Redistributions of source code must retain the above copyright
10
 *    notice, this list of conditions and the following disclaimer.
11
 *
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in
14
 *    the documentation and/or other materials provided with the
15
 *    distribution.
16
 *
17
 * 3. All advertising materials mentioning features or use of this
18
 *    software must display the following acknowledgment:
19
 *    "This product includes software developed by the OpenSSL Project
20
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21
 *
22
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23
 *    endorse or promote products derived from this software without
24
 *    prior written permission. For written permission, please contact
25
 *    openssl-core@openssl.org.
26
 *
27
 * 5. Products derived from this software may not be called "OpenSSL"
28
 *    nor may "OpenSSL" appear in their names without prior written
29
 *    permission of the OpenSSL Project.
30
 *
31
 * 6. Redistributions of any form whatsoever must retain the following
32
 *    acknowledgment:
33
 *    "This product includes software developed by the OpenSSL Project
34
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35
 *
36
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
40
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47
 * OF THE POSSIBILITY OF SUCH DAMAGE.
48
 * ====================================================================
49
 */
50
51
#include <openssl/crypto.h>
52
#include "modes_lcl.h"
53
#include <string.h>
54
55
#ifndef MODES_DEBUG
56
# ifndef NDEBUG
57
#  define NDEBUG
58
# endif
59
#endif
60
61
/* First you setup M and L parameters and pass the key schedule.
62
 * This is called once per session setup... */
63
void CRYPTO_ccm128_init(CCM128_CONTEXT *ctx,
64
	unsigned int M,unsigned int L,void *key,block128_f block)
65
{
66
	memset(ctx->nonce.c,0,sizeof(ctx->nonce.c));
67
	ctx->nonce.c[0] = ((u8)(L-1)&7) | (u8)(((M-2)/2)&7)<<3;
68
	ctx->blocks = 0;
69
	ctx->block = block;
70
	ctx->key = key;
71
}
72
73
/* !!! Following interfaces are to be called *once* per packet !!! */
74
75
/* Then you setup per-message nonce and pass the length of the message */
76
int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
77
	const unsigned char *nonce,size_t nlen,size_t mlen)
78
{
79
	unsigned int L = ctx->nonce.c[0]&7;	/* the L parameter */
80
81
	if (nlen<(14-L)) return -1;		/* nonce is too short */
82
83
	if (sizeof(mlen)==8 && L>=3) {
84
		ctx->nonce.c[8]  = (u8)(mlen>>(56%(sizeof(mlen)*8)));
85
		ctx->nonce.c[9]  = (u8)(mlen>>(48%(sizeof(mlen)*8)));
86
		ctx->nonce.c[10] = (u8)(mlen>>(40%(sizeof(mlen)*8)));
87
		ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8)));
88
	}
89
	else
90
		ctx->nonce.u[1] = 0;
91
92
	ctx->nonce.c[12] = (u8)(mlen>>24);
93
	ctx->nonce.c[13] = (u8)(mlen>>16);
94
	ctx->nonce.c[14] = (u8)(mlen>>8);
95
	ctx->nonce.c[15] = (u8)mlen;
96
97
	ctx->nonce.c[0] &= ~0x40;	/* clear Adata flag */
98
	memcpy(&ctx->nonce.c[1],nonce,14-L);
99
100
	return 0;
101
}
102
103
/* Then you pass additional authentication data, this is optional */
104
void CRYPTO_ccm128_aad(CCM128_CONTEXT *ctx,
105
	const unsigned char *aad,size_t alen)
106
{	unsigned int i;
107
	block128_f block = ctx->block;
108
109
	if (alen==0) return;
110
111
	ctx->nonce.c[0] |= 0x40;	/* set Adata flag */
112
	(*block)(ctx->nonce.c,ctx->cmac.c,ctx->key),
113
	ctx->blocks++;
114
115
	if (alen<(0x10000-0x100)) {
116
		ctx->cmac.c[0] ^= (u8)(alen>>8);
117
		ctx->cmac.c[1] ^= (u8)alen;
118
		i=2;
119
	}
120
	else if (sizeof(alen)==8 && alen>=(size_t)1<<(32%(sizeof(alen)*8))) {
121
		ctx->cmac.c[0] ^= 0xFF;
122
		ctx->cmac.c[1] ^= 0xFF;
123
		ctx->cmac.c[2] ^= (u8)(alen>>(56%(sizeof(alen)*8)));
124
		ctx->cmac.c[3] ^= (u8)(alen>>(48%(sizeof(alen)*8)));
125
		ctx->cmac.c[4] ^= (u8)(alen>>(40%(sizeof(alen)*8)));
126
		ctx->cmac.c[5] ^= (u8)(alen>>(32%(sizeof(alen)*8)));
127
		ctx->cmac.c[6] ^= (u8)(alen>>24);
128
		ctx->cmac.c[7] ^= (u8)(alen>>16);
129
		ctx->cmac.c[8] ^= (u8)(alen>>8);
130
		ctx->cmac.c[9] ^= (u8)alen;
131
		i=10;
132
	}
133
	else {
134
		ctx->cmac.c[0] ^= 0xFF;
135
		ctx->cmac.c[1] ^= 0xFE;
136
		ctx->cmac.c[2] ^= (u8)(alen>>24);
137
		ctx->cmac.c[3] ^= (u8)(alen>>16);
138
		ctx->cmac.c[4] ^= (u8)(alen>>8);
139
		ctx->cmac.c[5] ^= (u8)alen;
140
		i=6;
141
	}
142
143
	do {
144
		for(;i<16 && alen;++i,++aad,--alen)
145
			ctx->cmac.c[i] ^= *aad;
146
		(*block)(ctx->cmac.c,ctx->cmac.c,ctx->key),
147
		ctx->blocks++;
148
		i=0;
149
	} while (alen);
150
}
151
152
/* Finally you encrypt or decrypt the message */
153
154
/* counter part of nonce may not be larger than L*8 bits,
155
 * L is not larger than 8, therefore 64-bit counter... */
156
static void ctr64_inc(unsigned char *counter) {
157
	unsigned int n=8;
158
	u8  c;
159
160
	counter += 8;
161
	do {
162
		--n;
163
		c = counter[n];
164
		++c;
165
		counter[n] = c;
166
		if (c) return;
167
	} while (n);
168
}
169
170
int CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
171
	const unsigned char *inp, unsigned char *out,
172
	size_t len)
173
{
174
	size_t		n;
175
	unsigned int	i,L;
176
	unsigned char	flags0	= ctx->nonce.c[0];
177
	block128_f	block	= ctx->block;
178
	void *		key	= ctx->key;
179
	union { u64 u[2]; u8 c[16]; } scratch;
180
181
	if (!(flags0&0x40))
182
		(*block)(ctx->nonce.c,ctx->cmac.c,key),
183
		ctx->blocks++;
184
185
	ctx->nonce.c[0] = L = flags0&7;
186
	for (n=0,i=15-L;i<15;++i) {
187
		n |= ctx->nonce.c[i];
188
		ctx->nonce.c[i]=0;
189
		n <<= 8;
190
	}
191
	n |= ctx->nonce.c[15];	/* reconstructed length */
192
	ctx->nonce.c[15]=1;
193
194
	if (n!=len) return -1;	/* length mismatch */
195
196
	ctx->blocks += ((len+15)>>3)|1;
197
	if (ctx->blocks > (U64(1)<<61))	return -2; /* too much data */
198
199
	while (len>=16) {
200
#ifdef __STRICT_ALIGNMENT
201
		union { u64 u[2]; u8 c[16]; } temp;
202
203
		memcpy (temp.c,inp,16);
204
		ctx->cmac.u[0] ^= temp.u[0];
205
		ctx->cmac.u[1] ^= temp.u[1];
206
#else
207
		ctx->cmac.u[0] ^= ((u64*)inp)[0];
208
		ctx->cmac.u[1] ^= ((u64*)inp)[1];
209
#endif
210
		(*block)(ctx->cmac.c,ctx->cmac.c,key);
211
		(*block)(ctx->nonce.c,scratch.c,key);
212
		ctr64_inc(ctx->nonce.c);
213
#ifdef __STRICT_ALIGNMENT
214
		temp.u[0] ^= scratch.u[0];
215
		temp.u[1] ^= scratch.u[1];
216
		memcpy(out,temp.c,16);
217
#else
218
		((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0];
219
		((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1];
220
#endif
221
		inp += 16;
222
		out += 16;
223
		len -= 16;
224
	}
225
226
	if (len) {
227
		for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i];
228
		(*block)(ctx->cmac.c,ctx->cmac.c,key);
229
		(*block)(ctx->nonce.c,scratch.c,key);
230
		for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i];
231
	}
232
233
	for (i=15-L;i<16;++i)
234
		ctx->nonce.c[i]=0;
235
236
	(*block)(ctx->nonce.c,scratch.c,key);
237
	ctx->cmac.u[0] ^= scratch.u[0];
238
	ctx->cmac.u[1] ^= scratch.u[1];
239
240
	ctx->nonce.c[0] = flags0;
241
242
	return 0;
243
}
244
245
int CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
246
	const unsigned char *inp, unsigned char *out,
247
	size_t len)
248
{
249
	size_t		n;
250
	unsigned int	i,L;
251
	unsigned char	flags0	= ctx->nonce.c[0];
252
	block128_f	block	= ctx->block;
253
	void *		key	= ctx->key;
254
	union { u64 u[2]; u8 c[16]; } scratch;
255
256
	if (!(flags0&0x40))
257
		(*block)(ctx->nonce.c,ctx->cmac.c,key);
258
259
	ctx->nonce.c[0] = L = flags0&7;
260
	for (n=0,i=15-L;i<15;++i) {
261
		n |= ctx->nonce.c[i];
262
		ctx->nonce.c[i]=0;
263
		n <<= 8;
264
	}
265
	n |= ctx->nonce.c[15];	/* reconstructed length */
266
	ctx->nonce.c[15]=1;
267
268
	if (n!=len) return -1;
269
270
	while (len>=16) {
271
#ifdef __STRICT_ALIGNMENT
272
		union { u64 u[2]; u8 c[16]; } temp;
273
#endif
274
		(*block)(ctx->nonce.c,scratch.c,key);
275
		ctr64_inc(ctx->nonce.c);
276
#ifdef __STRICT_ALIGNMENT
277
		memcpy (temp.c,inp,16);
278
		ctx->cmac.u[0] ^= (scratch.u[0] ^= temp.u[0]);
279
		ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]);
280
		memcpy (out,scratch.c,16);
281
#else
282
		ctx->cmac.u[0] ^= (((u64*)out)[0] = scratch.u[0]^((u64*)inp)[0]);
283
		ctx->cmac.u[1] ^= (((u64*)out)[1] = scratch.u[1]^((u64*)inp)[1]);
284
#endif
285
		(*block)(ctx->cmac.c,ctx->cmac.c,key);
286
287
		inp += 16;
288
		out += 16;
289
		len -= 16;
290
	}
291
292
	if (len) {
293
		(*block)(ctx->nonce.c,scratch.c,key);
294
		for (i=0; i<len; ++i)
295
			ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]);
296
		(*block)(ctx->cmac.c,ctx->cmac.c,key);
297
	}
298
299
	for (i=15-L;i<16;++i)
300
		ctx->nonce.c[i]=0;
301
302
	(*block)(ctx->nonce.c,scratch.c,key);
303
	ctx->cmac.u[0] ^= scratch.u[0];
304
	ctx->cmac.u[1] ^= scratch.u[1];
305
306
	ctx->nonce.c[0] = flags0;
307
308
	return 0;
309
}
310
311
static void ctr64_add (unsigned char *counter,size_t inc)
312
{	size_t n=8, val=0;
313
314
	counter += 8;
315
	do {
316
		--n;
317
		val += counter[n] + (inc&0xff);
318
		counter[n] = (unsigned char)val;
319
		val >>= 8;	/* carry bit */
320
		inc >>= 8;
321
	} while(n && (inc || val));
322
}
323
324
int CRYPTO_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx,
325
	const unsigned char *inp, unsigned char *out,
326
	size_t len,ccm128_f stream)
327
{
328
	size_t		n;
329
	unsigned int	i,L;
330
	unsigned char	flags0	= ctx->nonce.c[0];
331
	block128_f	block	= ctx->block;
332
	void *		key	= ctx->key;
333
	union { u64 u[2]; u8 c[16]; } scratch;
334
335
	if (!(flags0&0x40))
336
		(*block)(ctx->nonce.c,ctx->cmac.c,key),
337
		ctx->blocks++;
338
339
	ctx->nonce.c[0] = L = flags0&7;
340
	for (n=0,i=15-L;i<15;++i) {
341
		n |= ctx->nonce.c[i];
342
		ctx->nonce.c[i]=0;
343
		n <<= 8;
344
	}
345
	n |= ctx->nonce.c[15];	/* reconstructed length */
346
	ctx->nonce.c[15]=1;
347
348
	if (n!=len) return -1;	/* length mismatch */
349
350
	ctx->blocks += ((len+15)>>3)|1;
351
	if (ctx->blocks > (U64(1)<<61))	return -2; /* too much data */
352
353
	if ((n=len/16)) {
354
		(*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c);
355
		n   *= 16;
356
		inp += n;
357
		out += n;
358
		len -= n;
359
		if (len) ctr64_add(ctx->nonce.c,n/16);
360
	}
361
362
	if (len) {
363
		for (i=0; i<len; ++i) ctx->cmac.c[i] ^= inp[i];
364
		(*block)(ctx->cmac.c,ctx->cmac.c,key);
365
		(*block)(ctx->nonce.c,scratch.c,key);
366
		for (i=0; i<len; ++i) out[i] = scratch.c[i]^inp[i];
367
	}
368
369
	for (i=15-L;i<16;++i)
370
		ctx->nonce.c[i]=0;
371
372
	(*block)(ctx->nonce.c,scratch.c,key);
373
	ctx->cmac.u[0] ^= scratch.u[0];
374
	ctx->cmac.u[1] ^= scratch.u[1];
375
376
	ctx->nonce.c[0] = flags0;
377
378
	return 0;
379
}
380
381
int CRYPTO_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx,
382
	const unsigned char *inp, unsigned char *out,
383
	size_t len,ccm128_f stream)
384
{
385
	size_t		n;
386
	unsigned int	i,L;
387
	unsigned char	flags0	= ctx->nonce.c[0];
388
	block128_f	block	= ctx->block;
389
	void *		key	= ctx->key;
390
	union { u64 u[2]; u8 c[16]; } scratch;
391
392
	if (!(flags0&0x40))
393
		(*block)(ctx->nonce.c,ctx->cmac.c,key);
394
395
	ctx->nonce.c[0] = L = flags0&7;
396
	for (n=0,i=15-L;i<15;++i) {
397
		n |= ctx->nonce.c[i];
398
		ctx->nonce.c[i]=0;
399
		n <<= 8;
400
	}
401
	n |= ctx->nonce.c[15];	/* reconstructed length */
402
	ctx->nonce.c[15]=1;
403
404
	if (n!=len) return -1;
405
406
	if ((n=len/16)) {
407
		(*stream)(inp,out,n,key,ctx->nonce.c,ctx->cmac.c);
408
		n   *= 16;
409
		inp += n;
410
		out += n;
411
		len -= n;
412
		if (len) ctr64_add(ctx->nonce.c,n/16);
413
	}
414
415
	if (len) {
416
		(*block)(ctx->nonce.c,scratch.c,key);
417
		for (i=0; i<len; ++i)
418
			ctx->cmac.c[i] ^= (out[i] = scratch.c[i]^inp[i]);
419
		(*block)(ctx->cmac.c,ctx->cmac.c,key);
420
	}
421
422
	for (i=15-L;i<16;++i)
423
		ctx->nonce.c[i]=0;
424
425
	(*block)(ctx->nonce.c,scratch.c,key);
426
	ctx->cmac.u[0] ^= scratch.u[0];
427
	ctx->cmac.u[1] ^= scratch.u[1];
428
429
	ctx->nonce.c[0] = flags0;
430
431
	return 0;
432
}
433
434
size_t CRYPTO_ccm128_tag(CCM128_CONTEXT *ctx,unsigned char *tag,size_t len)
435
{	unsigned int M = (ctx->nonce.c[0]>>3)&7;	/* the M parameter */
436
437
	M *= 2; M += 2;
438
	if (len<M)	return 0;
439
	memcpy(tag,ctx->cmac.c,M);
440
	return M;
441
}