Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / 9e3a49ef53cb0abbb05e19ef4509ff1b692f0832 / . / src / crypto / cipher_extra / e_aesccm.c
blob: e9e9e16e15c9cbd39e8e4f6f1e4d6b917f557c69 [file] [log] [blame]
Pete Bentley0c61efe2019-08-13 09:32:23 +0100[diff] [blame]1/* ====================================================================
2 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]3 *
Pete Bentley0c61efe2019-08-13 09:32:23 +0100[diff] [blame]4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]7 *
Pete Bentley0c61efe2019-08-13 09:32:23 +0100[diff] [blame]8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 *
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
14 * distribution.
15 *
16 * 3. All advertising materials mentioning features or use of this
17 * software must display the following acknowledgment:
18 * "This product includes software developed by the OpenSSL Project
19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20 *
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 * endorse or promote products derived from this software without
23 * prior written permission. For written permission, please contact
24 * openssl-core@openssl.org.
25 *
26 * 5. Products derived from this software may not be called "OpenSSL"
27 * nor may "OpenSSL" appear in their names without prior written
28 * permission of the OpenSSL Project.
29 *
30 * 6. Redistributions of any form whatsoever must retain the following
31 * acknowledgment:
32 * "This product includes software developed by the OpenSSL Project
33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34 *
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
47 * ==================================================================== */
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]48
49#include <openssl/aead.h>
50
51#include <assert.h>
52
Pete Bentley0c61efe2019-08-13 09:32:23 +0100[diff] [blame]53#include <openssl/cpu.h>
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]54#include <openssl/cipher.h>
55#include <openssl/err.h>
56#include <openssl/mem.h>
57
58#include "../fipsmodule/cipher/internal.h"
59
60
Pete Bentley0c61efe2019-08-13 09:32:23 +0100[diff] [blame]61struct ccm128_context {
62 block128_f block;
63 ctr128_f ctr;
64 unsigned M, L;
65};
66
67struct ccm128_state {
68 union {
69 uint64_t u[2];
70 uint8_t c[16];
71 } nonce, cmac;
72};
73
74static int CRYPTO_ccm128_init(struct ccm128_context *ctx, const AES_KEY *key,
75 block128_f block, ctr128_f ctr, unsigned M,
76 unsigned L) {
77 if (M < 4 || M > 16 || (M & 1) != 0 || L < 2 || L > 8) {
78 return 0;
79 }
80 ctx->block = block;
81 ctx->ctr = ctr;
82 ctx->M = M;
83 ctx->L = L;
84 return 1;
85}
86
87static size_t CRYPTO_ccm128_max_input(const struct ccm128_context *ctx) {
88 return ctx->L >= sizeof(size_t) ? (size_t)-1
89 : (((size_t)1) << (ctx->L * 8)) - 1;
90}
91
92static int ccm128_init_state(const struct ccm128_context *ctx,
93 struct ccm128_state *state, const AES_KEY *key,
94 const uint8_t *nonce, size_t nonce_len,
95 const uint8_t *aad, size_t aad_len,
96 size_t plaintext_len) {
97 const block128_f block = ctx->block;
98 const unsigned M = ctx->M;
99 const unsigned L = ctx->L;
100
101 // |L| determines the expected |nonce_len| and the limit for |plaintext_len|.
102 if (plaintext_len > CRYPTO_ccm128_max_input(ctx) ||
103 nonce_len != 15 - L) {
104 return 0;
105 }
106
107 // Assemble the first block for computing the MAC.
108 OPENSSL_memset(state, 0, sizeof(*state));
109 state->nonce.c[0] = (uint8_t)((L - 1) | ((M - 2) / 2) << 3);
110 if (aad_len != 0) {
111 state->nonce.c[0] |= 0x40; // Set AAD Flag
112 }
113 OPENSSL_memcpy(&state->nonce.c[1], nonce, nonce_len);
114 for (unsigned i = 0; i < L; i++) {
115 state->nonce.c[15 - i] = (uint8_t)(plaintext_len >> (8 * i));
116 }
117
118 (*block)(state->nonce.c, state->cmac.c, key);
119 size_t blocks = 1;
120
121 if (aad_len != 0) {
122 unsigned i;
123 // Cast to u64 to avoid the compiler complaining about invalid shifts.
124 uint64_t aad_len_u64 = aad_len;
125 if (aad_len_u64 < 0x10000 - 0x100) {
126 state->cmac.c[0] ^= (uint8_t)(aad_len_u64 >> 8);
127 state->cmac.c[1] ^= (uint8_t)aad_len_u64;
128 i = 2;
129 } else if (aad_len_u64 <= 0xffffffff) {
130 state->cmac.c[0] ^= 0xff;
131 state->cmac.c[1] ^= 0xfe;
132 state->cmac.c[2] ^= (uint8_t)(aad_len_u64 >> 24);
133 state->cmac.c[3] ^= (uint8_t)(aad_len_u64 >> 16);
134 state->cmac.c[4] ^= (uint8_t)(aad_len_u64 >> 8);
135 state->cmac.c[5] ^= (uint8_t)aad_len_u64;
136 i = 6;
137 } else {
138 state->cmac.c[0] ^= 0xff;
139 state->cmac.c[1] ^= 0xff;
140 state->cmac.c[2] ^= (uint8_t)(aad_len_u64 >> 56);
141 state->cmac.c[3] ^= (uint8_t)(aad_len_u64 >> 48);
142 state->cmac.c[4] ^= (uint8_t)(aad_len_u64 >> 40);
143 state->cmac.c[5] ^= (uint8_t)(aad_len_u64 >> 32);
144 state->cmac.c[6] ^= (uint8_t)(aad_len_u64 >> 24);
145 state->cmac.c[7] ^= (uint8_t)(aad_len_u64 >> 16);
146 state->cmac.c[8] ^= (uint8_t)(aad_len_u64 >> 8);
147 state->cmac.c[9] ^= (uint8_t)aad_len_u64;
148 i = 10;
149 }
150
151 do {
152 for (; i < 16 && aad_len != 0; i++) {
153 state->cmac.c[i] ^= *aad;
154 aad++;
155 aad_len--;
156 }
157 (*block)(state->cmac.c, state->cmac.c, key);
158 blocks++;
159 i = 0;
160 } while (aad_len != 0);
161 }
162
163 // Per RFC 3610, section 2.6, the total number of block cipher operations done
164 // must not exceed 2^61. There are two block cipher operations remaining per
165 // message block, plus one block at the end to encrypt the MAC.
166 size_t remaining_blocks = 2 * ((plaintext_len + 15) / 16) + 1;
167 if (plaintext_len + 15 < plaintext_len ||
168 remaining_blocks + blocks < blocks ||
169 (uint64_t) remaining_blocks + blocks > UINT64_C(1) << 61) {
170 return 0;
171 }
172
173 // Assemble the first block for encrypting and decrypting. The bottom |L|
174 // bytes are replaced with a counter and all bit the encoding of |L| is
175 // cleared in the first byte.
176 state->nonce.c[0] &= 7;
177 return 1;
178}
179
180static int ccm128_encrypt(const struct ccm128_context *ctx,
181 struct ccm128_state *state, const AES_KEY *key,
182 uint8_t *out, const uint8_t *in, size_t len) {
183 // The counter for encryption begins at one.
184 for (unsigned i = 0; i < ctx->L; i++) {
185 state->nonce.c[15 - i] = 0;
186 }
187 state->nonce.c[15] = 1;
188
189 uint8_t partial_buf[16];
190 unsigned num = 0;
191 if (ctx->ctr != NULL) {
192 CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, state->nonce.c, partial_buf,
193 &num, ctx->ctr);
194 } else {
195 CRYPTO_ctr128_encrypt(in, out, len, key, state->nonce.c, partial_buf, &num,
196 ctx->block);
197 }
198 return 1;
199}
200
201static int ccm128_compute_mac(const struct ccm128_context *ctx,
202 struct ccm128_state *state, const AES_KEY *key,
203 uint8_t *out_tag, size_t tag_len,
204 const uint8_t *in, size_t len) {
205 block128_f block = ctx->block;
206 if (tag_len != ctx->M) {
207 return 0;
208 }
209
210 // Incorporate |in| into the MAC.
211 union {
212 uint64_t u[2];
213 uint8_t c[16];
214 } tmp;
215 while (len >= 16) {
216 OPENSSL_memcpy(tmp.c, in, 16);
217 state->cmac.u[0] ^= tmp.u[0];
218 state->cmac.u[1] ^= tmp.u[1];
219 (*block)(state->cmac.c, state->cmac.c, key);
220 in += 16;
221 len -= 16;
222 }
223 if (len > 0) {
224 for (size_t i = 0; i < len; i++) {
225 state->cmac.c[i] ^= in[i];
226 }
227 (*block)(state->cmac.c, state->cmac.c, key);
228 }
229
230 // Encrypt the MAC with counter zero.
231 for (unsigned i = 0; i < ctx->L; i++) {
232 state->nonce.c[15 - i] = 0;
233 }
234 (*block)(state->nonce.c, tmp.c, key);
235 state->cmac.u[0] ^= tmp.u[0];
236 state->cmac.u[1] ^= tmp.u[1];
237
238 OPENSSL_memcpy(out_tag, state->cmac.c, tag_len);
239 return 1;
240}
241
242static int CRYPTO_ccm128_encrypt(const struct ccm128_context *ctx,
243 const AES_KEY *key, uint8_t *out,
244 uint8_t *out_tag, size_t tag_len,
245 const uint8_t *nonce, size_t nonce_len,
246 const uint8_t *in, size_t len,
247 const uint8_t *aad, size_t aad_len) {
248 struct ccm128_state state;
249 return ccm128_init_state(ctx, &state, key, nonce, nonce_len, aad, aad_len,
250 len) &&
251 ccm128_compute_mac(ctx, &state, key, out_tag, tag_len, in, len) &&
252 ccm128_encrypt(ctx, &state, key, out, in, len);
253}
254
255static int CRYPTO_ccm128_decrypt(const struct ccm128_context *ctx,
256 const AES_KEY *key, uint8_t *out,
257 uint8_t *out_tag, size_t tag_len,
258 const uint8_t *nonce, size_t nonce_len,
259 const uint8_t *in, size_t len,
260 const uint8_t *aad, size_t aad_len) {
261 struct ccm128_state state;
262 return ccm128_init_state(ctx, &state, key, nonce, nonce_len, aad, aad_len,
263 len) &&
264 ccm128_encrypt(ctx, &state, key, out, in, len) &&
265 ccm128_compute_mac(ctx, &state, key, out_tag, tag_len, out, len);
266}
267
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]268#define EVP_AEAD_AES_CCM_MAX_TAG_LEN 16
269
270struct aead_aes_ccm_ctx {
271 union {
272 double align;
273 AES_KEY ks;
274 } ks;
Pete Bentley0c61efe2019-08-13 09:32:23 +0100[diff] [blame]275 struct ccm128_context ccm;
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]276};
277
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]278OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
279 sizeof(struct aead_aes_ccm_ctx),
280 "AEAD state is too small");
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]281#if defined(__GNUC__) || defined(__clang__)
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]282OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
283 alignof(struct aead_aes_ccm_ctx),
284 "AEAD state has insufficient alignment");
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]285#endif
286
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]287static int aead_aes_ccm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
288 size_t key_len, size_t tag_len, unsigned M,
289 unsigned L) {
290 assert(M == EVP_AEAD_max_overhead(ctx->aead));
291 assert(M == EVP_AEAD_max_tag_len(ctx->aead));
292 assert(15 - L == EVP_AEAD_nonce_length(ctx->aead));
293
294 if (key_len != EVP_AEAD_key_length(ctx->aead)) {
295 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
296 return 0; // EVP_AEAD_CTX_init should catch this.
297 }
298
299 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
300 tag_len = M;
301 }
302
303 if (tag_len != M) {
304 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
305 return 0;
306 }
307
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]308 struct aead_aes_ccm_ctx *ccm_ctx = (struct aead_aes_ccm_ctx *)&ctx->state;
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]309
310 block128_f block;
Robert Sloan59e99502019-03-25 12:33:16 -0700[diff] [blame]311 ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len);
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]312 ctx->tag_len = tag_len;
313 if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, M, L)) {
314 OPENSSL_PUT_ERROR(CIPHER, ERR_R_INTERNAL_ERROR);
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]315 return 0;
316 }
317
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]318 return 1;
319}
320
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]321static void aead_aes_ccm_cleanup(EVP_AEAD_CTX *ctx) {}
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]322
323static int aead_aes_ccm_seal_scatter(
324 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
325 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
326 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
327 size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]328 const struct aead_aes_ccm_ctx *ccm_ctx =
329 (struct aead_aes_ccm_ctx *)&ctx->state;
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]330
331 if (in_len > CRYPTO_ccm128_max_input(&ccm_ctx->ccm)) {
332 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
333 return 0;
334 }
335
336 if (max_out_tag_len < ctx->tag_len) {
337 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
338 return 0;
339 }
340
341 if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
342 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
343 return 0;
344 }
345
346 if (!CRYPTO_ccm128_encrypt(&ccm_ctx->ccm, &ccm_ctx->ks.ks, out, out_tag,
347 ctx->tag_len, nonce, nonce_len, in, in_len, ad,
348 ad_len)) {
349 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
350 return 0;
351 }
352
353 *out_tag_len = ctx->tag_len;
354 return 1;
355}
356
357static int aead_aes_ccm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
358 const uint8_t *nonce, size_t nonce_len,
359 const uint8_t *in, size_t in_len,
360 const uint8_t *in_tag, size_t in_tag_len,
361 const uint8_t *ad, size_t ad_len) {
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]362 const struct aead_aes_ccm_ctx *ccm_ctx =
363 (struct aead_aes_ccm_ctx *)&ctx->state;
Robert Sloanab8b8882018-03-26 11:39:51 -0700[diff] [blame]364
365 if (in_len > CRYPTO_ccm128_max_input(&ccm_ctx->ccm)) {
366 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
367 return 0;
368 }
369
370 if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
371 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
372 return 0;
373 }
374
375 if (in_tag_len != ctx->tag_len) {
376 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
377 return 0;
378 }
379
380 uint8_t tag[EVP_AEAD_AES_CCM_MAX_TAG_LEN];
381 assert(ctx->tag_len <= EVP_AEAD_AES_CCM_MAX_TAG_LEN);
382 if (!CRYPTO_ccm128_decrypt(&ccm_ctx->ccm, &ccm_ctx->ks.ks, out, tag,
383 ctx->tag_len, nonce, nonce_len, in, in_len, ad,
384 ad_len)) {
385 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
386 return 0;
387 }
388
389 if (CRYPTO_memcmp(tag, in_tag, ctx->tag_len) != 0) {
390 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
391 return 0;
392 }
393
394 return 1;
395}
396
397static int aead_aes_ccm_bluetooth_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
398 size_t key_len, size_t tag_len) {
399 return aead_aes_ccm_init(ctx, key, key_len, tag_len, 4, 2);
400}
401
402static const EVP_AEAD aead_aes_128_ccm_bluetooth = {
403 16, // key length (AES-128)
404 13, // nonce length
405 4, // overhead
406 4, // max tag length
407 0, // seal_scatter_supports_extra_in
408
409 aead_aes_ccm_bluetooth_init,
410 NULL /* init_with_direction */,
411 aead_aes_ccm_cleanup,
412 NULL /* open */,
413 aead_aes_ccm_seal_scatter,
414 aead_aes_ccm_open_gather,
415 NULL /* get_iv */,
416 NULL /* tag_len */,
417};
418
419const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth(void) {
420 return &aead_aes_128_ccm_bluetooth;
421}
422
423static int aead_aes_ccm_bluetooth_8_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
424 size_t key_len, size_t tag_len) {
425 return aead_aes_ccm_init(ctx, key, key_len, tag_len, 8, 2);
426}
427
428static const EVP_AEAD aead_aes_128_ccm_bluetooth_8 = {
429 16, // key length (AES-128)
430 13, // nonce length
431 8, // overhead
432 8, // max tag length
433 0, // seal_scatter_supports_extra_in
434
435 aead_aes_ccm_bluetooth_8_init,
436 NULL /* init_with_direction */,
437 aead_aes_ccm_cleanup,
438 NULL /* open */,
439 aead_aes_ccm_seal_scatter,
440 aead_aes_ccm_open_gather,
441 NULL /* get_iv */,
442 NULL /* tag_len */,
443};
444
445const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth_8(void) {
446 return &aead_aes_128_ccm_bluetooth_8;
447}