randombit/botan | Build 5079590438 | source/src/lib/modes/aead/ccm/ccm.cpp | Coveralls

22

CCM_Mode::CCM_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size, size_t L) :

236✔

23

      m_tag_size(tag_size), m_L(L), m_cipher(std::move(cipher)) {

236✔

24

   if(m_cipher->block_size() != CCM_BS)

236✔

27

   if(L < 2 || L > 8)

236✔

30

   if(tag_size < 4 || tag_size > 16 || tag_size % 2 != 0)

236✔

32

236✔

34

void CCM_Mode::clear() {

68✔

35

   m_cipher->clear();

68✔

36

   reset();

136✔

37

68✔

39

void CCM_Mode::reset() {

796✔

40

   m_nonce.clear();

371✔

41

   m_msg_buf.clear();

796✔

42

   m_ad_buf.clear();

796✔

43

303✔

45

std::string CCM_Mode::name() const { return fmt("{}/CCM({},{})", m_cipher->name(), tag_size(), L()); }

34✔

47

bool CCM_Mode::valid_nonce_length(size_t n) const { return (n == (15 - L())); }

629✔

49

size_t CCM_Mode::default_nonce_length() const { return (15 - L()); }

34✔

51

size_t CCM_Mode::update_granularity() const { return 1; }

237✔

53

size_t CCM_Mode::ideal_granularity() const {

204✔

55

   return m_cipher->parallel_bytes();

204✔

58

bool CCM_Mode::requires_entire_message() const { return true; }

66✔

60

Key_Length_Specification CCM_Mode::key_spec() const { return m_cipher->key_spec(); }

168✔

62

bool CCM_Mode::has_keying_material() const { return m_cipher->has_keying_material(); }

238✔

64

void CCM_Mode::key_schedule(const uint8_t key[], size_t length) { m_cipher->set_key(key, length); }

168✔

66

void CCM_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {

659✔

67

   BOTAN_ARG_CHECK(idx == 0, "CCM: cannot handle non-zero index in set_associated_data_n");

659✔

69

   m_ad_buf.clear();

659✔

71

   if(!ad.empty()) {

659✔

73

      BOTAN_ARG_CHECK(ad.size() < (0xFFFF - 0xFF), "Supported CCM AD length");

635✔

75

      m_ad_buf.push_back(get_byte<0>(static_cast<uint16_t>(ad.size())));

635✔

76

      m_ad_buf.push_back(get_byte<1>(static_cast<uint16_t>(ad.size())));

635✔

77

      m_ad_buf.insert(m_ad_buf.end(), ad.begin(), ad.end());

635✔

78

      while(m_ad_buf.size() % CCM_BS)

5,960✔

79

         m_ad_buf.push_back(0);  // pad with zeros to full block size

5,325✔

81

659✔

83

void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {

595✔

84

   if(!valid_nonce_length(nonce_len))

595✔

87

   m_nonce.assign(nonce, nonce + nonce_len);

595✔

88

   m_msg_buf.clear();

595✔

89

595✔

91

size_t CCM_Mode::process_msg(uint8_t buf[], size_t sz) {

1,749✔

92

   BOTAN_STATE_CHECK(!m_nonce.empty());

1,749✔

93

   m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);

1,613✔

94

   return 0;  // no output until finished

1,613✔

97

void CCM_Mode::encode_length(uint64_t len, uint8_t out[]) {

527✔

98

   const size_t len_bytes = L();

527✔

100

   BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);

527✔

102

   for(size_t i = 0; i != len_bytes; ++i)

2,111✔

103

      out[len_bytes - 1 - i] = get_byte_var(sizeof(uint64_t) - 1 - i, len);

1,584✔

105

   if(len_bytes < 8 && (len >> (len_bytes * 8)) > 0)

527✔

107

527✔

109

void CCM_Mode::inc(secure_vector<uint8_t>& C) {

5,825✔

110

   for(size_t i = 0; i != C.size(); ++i)

5,825✔

111

      if(++C[C.size() - i - 1])

5,825✔

115

secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz) {

663✔

116

   if(m_nonce.size() != 15 - L())

663✔

117

      throw Invalid_State("CCM mode must set nonce");

136✔

118

   secure_vector<uint8_t> B0(CCM_BS);

527✔

120

   const uint8_t b_flags =

527✔

121

      static_cast<uint8_t>((!m_ad_buf.empty() ? 64 : 0) + (((tag_size() / 2) - 1) << 3) + (L() - 1));

547✔

123

   B0[0] = b_flags;

527✔

124

   copy_mem(&B0[1], m_nonce.data(), m_nonce.size());

527✔

125

   encode_length(sz, &B0[m_nonce.size() + 1]);

527✔

127

   return B0;

527✔

130

secure_vector<uint8_t> CCM_Mode::format_c0() {

527✔

131

   if(m_nonce.size() != 15 - L())

527✔

133

   secure_vector<uint8_t> C(CCM_BS);

527✔

135

   const uint8_t a_flags = static_cast<uint8_t>(L() - 1);

527✔

137

   C[0] = a_flags;

527✔

138

   copy_mem(&C[1], m_nonce.data(), m_nonce.size());

527✔

140

   return C;

527✔

143

void CCM_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {

314✔

144

   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

314✔

146

   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());

314✔

148

   const size_t sz = buffer.size() - offset;

314✔

149

   uint8_t* buf = buffer.data() + offset;

314✔

151

   const secure_vector<uint8_t>& ad = ad_buf();

314✔

152

   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");

314✔

154

   const BlockCipher& E = cipher();

314✔

156

   secure_vector<uint8_t> T(CCM_BS);

314✔

157

   E.encrypt(format_b0(sz), T);

526✔

159

   for(size_t i = 0; i != ad.size(); i += CCM_BS) {

552✔

160

      xor_buf(T.data(), &ad[i], CCM_BS);

340✔

161

      E.encrypt(T);

680✔

164

   secure_vector<uint8_t> C = format_c0();

212✔

165

   secure_vector<uint8_t> S0(CCM_BS);

212✔

166

   E.encrypt(C, S0);

212✔

167

   inc(C);

212✔

169

   secure_vector<uint8_t> X(CCM_BS);

212✔

171

   const uint8_t* buf_end = &buf[sz];

212✔

173

   while(buf != buf_end) {

2,764✔

174

      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);

2,552✔

176

      xor_buf(T.data(), buf, to_proc);

2,552✔

177

      E.encrypt(T);

2,552✔

179

      E.encrypt(C, X);

2,552✔

180

      xor_buf(buf, X.data(), to_proc);

2,552✔

181

      inc(C);

2,552✔

183

      buf += to_proc;

2,552✔

186

   T ^= S0;

212✔

188

   buffer += std::make_pair(T.data(), tag_size());

212✔

190

   reset();

424✔

191

848✔

193

void CCM_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {

417✔

194

   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

417✔

196

   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());

417✔

198

   const size_t sz = buffer.size() - offset;

417✔

199

   uint8_t* buf = buffer.data() + offset;

417✔

201

   BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");

417✔

203

   const secure_vector<uint8_t>& ad = ad_buf();

349✔

204

   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");

349✔

206

   const BlockCipher& E = cipher();

349✔

208

   secure_vector<uint8_t> T(CCM_BS);

349✔

209

   E.encrypt(format_b0(sz - tag_size()), T);

766✔

211

   for(size_t i = 0; i != ad.size(); i += CCM_BS) {

863✔

212

      xor_buf(T.data(), &ad[i], CCM_BS);

548✔

213

      E.encrypt(T);

1,096✔

216

   secure_vector<uint8_t> C = format_c0();

315✔

218

   secure_vector<uint8_t> S0(CCM_BS);

417✔

219

   E.encrypt(C, S0);

315✔

220

   inc(C);

315✔

222

   secure_vector<uint8_t> X(CCM_BS);

417✔

224

   const uint8_t* buf_end = &buf[sz - tag_size()];

315✔

226

   while(buf != buf_end) {

3,061✔

227

      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);

2,746✔

229

      E.encrypt(C, X);

2,746✔

230

      xor_buf(buf, X.data(), to_proc);

2,746✔

231

      inc(C);

2,746✔

233

      xor_buf(T.data(), buf, to_proc);

2,746✔

234

      E.encrypt(T);

2,746✔

236

      buf += to_proc;

2,746✔

239

   T ^= S0;

315✔

241

   if(!constant_time_compare(T.data(), buf_end, tag_size()))

315✔

242

      throw Invalid_Authentication_Tag("CCM tag check failed");

102✔

244

   buffer.resize(buffer.size() - tag_size());

213✔

246

   reset();

426✔

247

1,158✔

randombit / botan / 5079590438

Source File
Press 'n' to go to next uncovered line, 'b' for previous

1	/*
2	* CCM Mode Encryption
3	* (C) 2013,2018 Jack Lloyd
4	* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5	*
6	* Botan is released under the Simplified BSD License (see license.txt)
7	*/
8
9	#include <botan/internal/ccm.h>
10
11	#include <botan/internal/fmt.h>
12	#include <botan/internal/loadstor.h>
13
14	namespace Botan {
15
16	// 128-bit cipher is intrinsic to CCM definition
17	static const size_t CCM_BS = 16;
18
19	/*
20	* CCM_Mode Constructor
21	*/
22	CCM_Mode::CCM_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size, size_t L) :	236✔
23	m_tag_size(tag_size), m_L(L), m_cipher(std::move(cipher)) {	236✔
24	if(m_cipher->block_size() != CCM_BS)	236✔
25	throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");	×
26
27	if(L < 2 \|\| L > 8)	236✔
28	throw Invalid_Argument(fmt("Invalid CCM L value {}", L));	×
29
30	if(tag_size < 4 \|\| tag_size > 16 \|\| tag_size % 2 != 0)	236✔
31	throw Invalid_Argument(fmt("Invalid CCM tag length {}", tag_size));	×
32	}	236✔
33
34	void CCM_Mode::clear() {	68✔
35	m_cipher->clear();	68✔
36	reset();	136✔
37	}	68✔
38
39	void CCM_Mode::reset() {	796✔
40	m_nonce.clear();	371✔
41	m_msg_buf.clear();	796✔
42	m_ad_buf.clear();	796✔
43	}	303✔
44
45	std::string CCM_Mode::name() const { return fmt("{}/CCM({},{})", m_cipher->name(), tag_size(), L()); }	34✔
46
47	bool CCM_Mode::valid_nonce_length(size_t n) const { return (n == (15 - L())); }	629✔
48
49	size_t CCM_Mode::default_nonce_length() const { return (15 - L()); }	34✔
50
51	size_t CCM_Mode::update_granularity() const { return 1; }	237✔
52
53	size_t CCM_Mode::ideal_granularity() const {	204✔
54	// Completely arbitrary
55	return m_cipher->parallel_bytes();	204✔
56	}
57
58	bool CCM_Mode::requires_entire_message() const { return true; }	66✔
59
60	Key_Length_Specification CCM_Mode::key_spec() const { return m_cipher->key_spec(); }	168✔
61
62	bool CCM_Mode::has_keying_material() const { return m_cipher->has_keying_material(); }	238✔
63
64	void CCM_Mode::key_schedule(const uint8_t key[], size_t length) { m_cipher->set_key(key, length); }	168✔
65
66	void CCM_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {	659✔
67	BOTAN_ARG_CHECK(idx == 0, "CCM: cannot handle non-zero index in set_associated_data_n");	659✔
68
69	m_ad_buf.clear();	659✔
70
71	if(!ad.empty()) {	659✔
72	// FIXME: support larger AD using length encoding rules
73	BOTAN_ARG_CHECK(ad.size() < (0xFFFF - 0xFF), "Supported CCM AD length");	635✔
74
75	m_ad_buf.push_back(get_byte<0>(static_cast<uint16_t>(ad.size())));	635✔
76	m_ad_buf.push_back(get_byte<1>(static_cast<uint16_t>(ad.size())));	635✔
77	m_ad_buf.insert(m_ad_buf.end(), ad.begin(), ad.end());	635✔
78	while(m_ad_buf.size() % CCM_BS)	5,960✔
79	m_ad_buf.push_back(0); // pad with zeros to full block size	5,325✔
80	}
81	}	659✔
82
83	void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {	595✔
84	if(!valid_nonce_length(nonce_len))	595✔
85	throw Invalid_IV_Length(name(), nonce_len);	×
86
87	m_nonce.assign(nonce, nonce + nonce_len);	595✔
88	m_msg_buf.clear();	595✔
89	}	595✔
90
91	size_t CCM_Mode::process_msg(uint8_t buf[], size_t sz) {	1,749✔
92	BOTAN_STATE_CHECK(!m_nonce.empty());	1,749✔
93	m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);	1,613✔
94	return 0; // no output until finished	1,613✔
95	}
96
97	void CCM_Mode::encode_length(uint64_t len, uint8_t out[]) {	527✔
98	const size_t len_bytes = L();	527✔
99
100	BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);	527✔
101
102	for(size_t i = 0; i != len_bytes; ++i)	2,111✔
103	out[len_bytes - 1 - i] = get_byte_var(sizeof(uint64_t) - 1 - i, len);	1,584✔
104
105	if(len_bytes < 8 && (len >> (len_bytes * 8)) > 0)	527✔
106	throw Encoding_Error("CCM message length too long to encode in L field");	×
107	}	527✔
108
109	void CCM_Mode::inc(secure_vector<uint8_t>& C) {	5,825✔
110	for(size_t i = 0; i != C.size(); ++i)	5,825✔
111	if(++C[C.size() - i - 1])	5,825✔
112	break;
113	}	×
114
115	secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz) {	663✔
116	if(m_nonce.size() != 15 - L())	663✔
117	throw Invalid_State("CCM mode must set nonce");	136✔
118	secure_vector<uint8_t> B0(CCM_BS);	527✔
119
120	const uint8_t b_flags =	527✔
121	static_cast<uint8_t>((!m_ad_buf.empty() ? 64 : 0) + (((tag_size() / 2) - 1) << 3) + (L() - 1));	547✔
122
123	B0[0] = b_flags;	527✔
124	copy_mem(&B0[1], m_nonce.data(), m_nonce.size());	527✔
125	encode_length(sz, &B0[m_nonce.size() + 1]);	527✔
126
127	return B0;	527✔
128	}	×
129
130	secure_vector<uint8_t> CCM_Mode::format_c0() {	527✔
131	if(m_nonce.size() != 15 - L())	527✔
132	throw Invalid_State("CCM mode must set nonce");	×
133	secure_vector<uint8_t> C(CCM_BS);	527✔
134
135	const uint8_t a_flags = static_cast<uint8_t>(L() - 1);	527✔
136
137	C[0] = a_flags;	527✔
138	copy_mem(&C[1], m_nonce.data(), m_nonce.size());	527✔
139
140	return C;	527✔
141	}	×
142
143	void CCM_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {	314✔
144	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");	314✔
145
146	buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());	314✔
147
148	const size_t sz = buffer.size() - offset;	314✔
149	uint8_t* buf = buffer.data() + offset;	314✔
150
151	const secure_vector<uint8_t>& ad = ad_buf();	314✔
152	BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");	314✔
153
154	const BlockCipher& E = cipher();	314✔
155
156	secure_vector<uint8_t> T(CCM_BS);	314✔
157	E.encrypt(format_b0(sz), T);	526✔
158
159	for(size_t i = 0; i != ad.size(); i += CCM_BS) {	552✔
160	xor_buf(T.data(), &ad[i], CCM_BS);	340✔
161	E.encrypt(T);	680✔
162	}
163
164	secure_vector<uint8_t> C = format_c0();	212✔
165	secure_vector<uint8_t> S0(CCM_BS);	212✔
166	E.encrypt(C, S0);	212✔
167	inc(C);	212✔
168
169	secure_vector<uint8_t> X(CCM_BS);	212✔
170
171	const uint8_t* buf_end = &buf[sz];	212✔
172
173	while(buf != buf_end) {	2,764✔
174	const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);	2,552✔
175
176	xor_buf(T.data(), buf, to_proc);	2,552✔
177	E.encrypt(T);	2,552✔
178
179	E.encrypt(C, X);	2,552✔
180	xor_buf(buf, X.data(), to_proc);	2,552✔
181	inc(C);	2,552✔
182
183	buf += to_proc;	2,552✔
184	}
185
186	T ^= S0;	212✔
187
188	buffer += std::make_pair(T.data(), tag_size());	212✔
189
190	reset();	424✔
191	}	848✔
192
193	void CCM_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {	417✔
194	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");	417✔
195
196	buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());	417✔
197
198	const size_t sz = buffer.size() - offset;	417✔
199	uint8_t* buf = buffer.data() + offset;	417✔
200
201	BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");	417✔
202
203	const secure_vector<uint8_t>& ad = ad_buf();	349✔
204	BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");	349✔
205
206	const BlockCipher& E = cipher();	349✔
207
208	secure_vector<uint8_t> T(CCM_BS);	349✔
209	E.encrypt(format_b0(sz - tag_size()), T);	766✔
210
211	for(size_t i = 0; i != ad.size(); i += CCM_BS) {	863✔
212	xor_buf(T.data(), &ad[i], CCM_BS);	548✔
213	E.encrypt(T);	1,096✔
214	}
215
216	secure_vector<uint8_t> C = format_c0();	315✔
217
218	secure_vector<uint8_t> S0(CCM_BS);	417✔
219	E.encrypt(C, S0);	315✔
220	inc(C);	315✔
221
222	secure_vector<uint8_t> X(CCM_BS);	417✔
223
224	const uint8_t* buf_end = &buf[sz - tag_size()];	315✔
225
226	while(buf != buf_end) {	3,061✔
227	const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);	2,746✔
228
229	E.encrypt(C, X);	2,746✔
230	xor_buf(buf, X.data(), to_proc);	2,746✔
231	inc(C);	2,746✔
232
233	xor_buf(T.data(), buf, to_proc);	2,746✔
234	E.encrypt(T);	2,746✔
235
236	buf += to_proc;	2,746✔
237	}
238
239	T ^= S0;	315✔
240
241	if(!constant_time_compare(T.data(), buf_end, tag_size()))	315✔
242	throw Invalid_Authentication_Tag("CCM tag check failed");	102✔
243
244	buffer.resize(buffer.size() - tag_size());	213✔
245
246	reset();	426✔
247	}	1,158✔
248
249	}

randombit / botan / 5079590438

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous