15423480149

Committed 03 Jun 2025 05:07PM UTC coverage: 90.974% (+0.003%) from 90.971%

Build # 15423480149

Build Type

Pull #4880

github

Committed by

web-flow

Commit Message

Merge dd0853263 into 0ffb30b0c

Pull Request Pull Request #4880: Refactor: Cipher_Mode::finish_msg() using std::span

Run Details

98159 of 107898 relevant lines covered (90.97%)

12651583.38 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

94.67

/src/lib/modes/aead/ccm/ccm.cpp

/*
* CCM Mode Encryption
* (C) 2013,2018 Jack Lloyd
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/ccm.h>

#include <botan/internal/ct_utils.h>
#include <botan/internal/fmt.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/stl_util.h>

namespace Botan {

// 128-bit cipher is intrinsic to CCM definition
static const size_t CCM_BS = 16;

/*
* CCM_Mode Constructor
*/
CCM_Mode::CCM_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size, size_t L) :
      m_tag_size(tag_size), m_L(L), m_cipher(std::move(cipher)) {
   if(m_cipher->block_size() != CCM_BS) {
      throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");
   }

   if(L < 2 || L > 8) {
      throw Invalid_Argument(fmt("Invalid CCM L value {}", L));
   }

   if(tag_size < 4 || tag_size > 16 || tag_size % 2 != 0) {
      throw Invalid_Argument(fmt("Invalid CCM tag length {}", tag_size));
   }
}

void CCM_Mode::clear() {
   m_cipher->clear();
   reset();
}

void CCM_Mode::reset() {
   m_nonce.clear();
   m_msg_buf.clear();
   m_ad_buf.clear();
}

std::string CCM_Mode::name() const {
   return fmt("{}/CCM({},{})", m_cipher->name(), tag_size(), L());
}

bool CCM_Mode::valid_nonce_length(size_t n) const {
   return (n == (15 - L()));
}

size_t CCM_Mode::default_nonce_length() const {
   return (15 - L());
}

size_t CCM_Mode::update_granularity() const {
   return 1;
}

size_t CCM_Mode::ideal_granularity() const {
   // Completely arbitrary
   return m_cipher->parallel_bytes();
}

bool CCM_Mode::requires_entire_message() const {
   return true;
}

Key_Length_Specification CCM_Mode::key_spec() const {
   return m_cipher->key_spec();
}

bool CCM_Mode::has_keying_material() const {
   return m_cipher->has_keying_material();
}

void CCM_Mode::key_schedule(std::span<const uint8_t> key) {
   m_cipher->set_key(key);
}

void CCM_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {
   BOTAN_ARG_CHECK(idx == 0, "CCM: cannot handle non-zero index in set_associated_data_n");

   m_ad_buf.clear();

   if(!ad.empty()) {
      // FIXME: support larger AD using length encoding rules
      BOTAN_ARG_CHECK(ad.size() < (0xFFFF - 0xFF), "Supported CCM AD length");

      m_ad_buf.push_back(get_byte<0>(static_cast<uint16_t>(ad.size())));
      m_ad_buf.push_back(get_byte<1>(static_cast<uint16_t>(ad.size())));
      m_ad_buf.insert(m_ad_buf.end(), ad.begin(), ad.end());
      while(m_ad_buf.size() % CCM_BS) {
         m_ad_buf.push_back(0);  // pad with zeros to full block size
      }
   }
}

void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
   if(!valid_nonce_length(nonce_len)) {
      throw Invalid_IV_Length(name(), nonce_len);
   }

   m_nonce.assign(nonce, nonce + nonce_len);
   m_msg_buf.clear();
}

size_t CCM_Mode::process_msg(uint8_t buf[], size_t sz) {
   BOTAN_STATE_CHECK(!m_nonce.empty());
   m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);
   return 0;  // no output until finished
}

void CCM_Mode::encode_length(uint64_t len, uint8_t out[]) {
   const size_t len_bytes = L();

   BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);

   for(size_t i = 0; i != len_bytes; ++i) {
      out[len_bytes - 1 - i] = get_byte_var(sizeof(uint64_t) - 1 - i, len);
   }

   if(len_bytes < 8 && (len >> (len_bytes * 8)) > 0) {
      throw Encoding_Error("CCM message length too long to encode in L field");
   }
}

void CCM_Mode::inc(secure_vector<uint8_t>& C) {
   for(size_t i = 0; i != C.size(); ++i) {
      if(++C[C.size() - i - 1]) {
         break;
      }
   }
}

secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz) {
   if(m_nonce.size() != 15 - L()) {
      throw Invalid_State("CCM mode must set nonce");
   }
   secure_vector<uint8_t> B0(CCM_BS);

   const uint8_t b_flags =
      static_cast<uint8_t>((!m_ad_buf.empty() ? 64 : 0) + (((tag_size() / 2) - 1) << 3) + (L() - 1));

   B0[0] = b_flags;
   copy_mem(&B0[1], m_nonce.data(), m_nonce.size());
   encode_length(sz, &B0[m_nonce.size() + 1]);

   return B0;
}

secure_vector<uint8_t> CCM_Mode::format_c0() {
   if(m_nonce.size() != 15 - L()) {
      throw Invalid_State("CCM mode must set nonce");
   }
   secure_vector<uint8_t> C(CCM_BS);

   const uint8_t a_flags = static_cast<uint8_t>(L() - 1);

   C[0] = a_flags;
   copy_mem(&C[1], m_nonce.data(), m_nonce.size());

   return C;
}

size_t CCM_Encryption::finish_msg(std::span<uint8_t> buffer, size_t input_bytes) {
   const auto tag_length = tag_size();
   const auto& buffered = msg_buf();

   BOTAN_ASSERT_NOMSG(buffered.size() + input_bytes + tag_length == buffer.size());

   const auto entire_payload = buffer.first(buffered.size() + input_bytes);
   const auto tag = buffer.last(tag_length);

   const secure_vector<uint8_t>& ad = ad_buf();
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");

   const BlockCipher& E = cipher();

   // TODO: consider using std::array<> for all those block-size'ed buffers
   //       (this requires adapting more helper functions like `format_b0`, ...)
   secure_vector<uint8_t> T(CCM_BS);
   E.encrypt(format_b0(entire_payload.size()), T);

   BufferSlicer ad_bs(ad);
   while(!ad_bs.empty()) {
      xor_buf(T, ad_bs.take(CCM_BS));
      E.encrypt(T);
   }

   secure_vector<uint8_t> C = format_c0();
   secure_vector<uint8_t> S0(CCM_BS);
   E.encrypt(C, S0);
   inc(C);

   secure_vector<uint8_t> X(CCM_BS);

   // copy all buffered input into the in/out buffer if needed
   if(!buffered.empty()) {
      copy_mem(entire_payload.last(input_bytes), entire_payload.first(input_bytes));
      copy_mem(entire_payload.first(buffered.size()), buffered);
   }

   // TODO: Use BufferTransformer, once it is available
   //       See https://github.com/randombit/botan/pull/4151
   BufferSlicer payload_slicer(entire_payload);
   BufferStuffer payload_stuffer(entire_payload);

   while(!payload_slicer.empty()) {
      const size_t to_proc = std::min<size_t>(CCM_BS, payload_slicer.remaining());
      const auto in_chunk = payload_slicer.take(to_proc);
      const auto out_chunk = payload_stuffer.next(to_proc);

      xor_buf(std::span{T}.first(in_chunk.size()), in_chunk);
      E.encrypt(T);

      E.encrypt(C, X);
      xor_buf(out_chunk, std::span{X}.first(out_chunk.size()));
      inc(C);
   }

   T ^= S0;

   BOTAN_DEBUG_ASSERT(tag.size() <= T.size());
   copy_mem(tag, std::span{T}.first(tag.size()));

   reset();

   return buffer.size();
}

size_t CCM_Decryption::finish_msg(std::span<uint8_t> buffer, size_t input_bytes) {
   const auto tag_length = tag_size();
   const auto& buffered = msg_buf();

   BOTAN_ASSERT_NOMSG(buffered.size() + input_bytes == buffer.size());

   const auto entire_payload = buffer.first(buffer.size() - tag_length);
   const auto tag = buffer.last(tag_length);

   const secure_vector<uint8_t>& ad = ad_buf();
   BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");

   const BlockCipher& E = cipher();

   secure_vector<uint8_t> T(CCM_BS);
   E.encrypt(format_b0(entire_payload.size()), T);

   for(size_t i = 0; i != ad.size(); i += CCM_BS) {
      xor_buf(T.data(), &ad[i], CCM_BS);
      E.encrypt(T);
   }

   secure_vector<uint8_t> C = format_c0();

   secure_vector<uint8_t> S0(CCM_BS);
   E.encrypt(C, S0);
   inc(C);

   secure_vector<uint8_t> X(CCM_BS);

   // copy all buffered input into the in/out buffer if needed
   if(!buffered.empty()) {
      copy_mem(buffer.last(input_bytes), buffer.first(input_bytes));
      copy_mem(buffer.first(buffered.size()), buffered);
   }

   // TODO: Use BufferTransformer, once it is available
   //       See https://github.com/randombit/botan/pull/4151
   BufferSlicer payload_slicer(entire_payload);
   BufferStuffer payload_stuffer(entire_payload);

   while(!payload_slicer.empty()) {
      const size_t to_proc = std::min<size_t>(CCM_BS, payload_slicer.remaining());
      const auto in_chunk = payload_slicer.take(to_proc);
      const auto out_chunk = payload_stuffer.next(to_proc);

      E.encrypt(C, X);
      xor_buf(out_chunk, std::span{X}.first(out_chunk.size()));
      inc(C);

      xor_buf(std::span{T}.first(in_chunk.size()), in_chunk);
      E.encrypt(T);
   }

   T ^= S0;

   if(!CT::is_equal(T.data(), tag.data(), tag.size()).as_bool()) {
      throw Invalid_Authentication_Tag("CCM tag check failed");
   }

   reset();

   return entire_payload.size();
}

}  // namespace Botan

1	/*
2	* CCM Mode Encryption
3	* (C) 2013,2018 Jack Lloyd
4	* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5	*
6	* Botan is released under the Simplified BSD License (see license.txt)
7	*/
8
9	#include <botan/internal/ccm.h>
10
11	#include <botan/internal/ct_utils.h>
12	#include <botan/internal/fmt.h>
13	#include <botan/internal/loadstor.h>
14	#include <botan/internal/stl_util.h>
15
16	namespace Botan {
17
18	// 128-bit cipher is intrinsic to CCM definition
19	static const size_t CCM_BS = 16;
20
21	/*
22	* CCM_Mode Constructor
23	*/
24	CCM_Mode::CCM_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size, size_t L) :	244✔
25	m_tag_size(tag_size), m_L(L), m_cipher(std::move(cipher)) {	244✔
26	if(m_cipher->block_size() != CCM_BS) {	244✔
27	throw Invalid_Argument(m_cipher->name() + " cannot be used with CCM mode");	×
28	}
29
30	if(L < 2 \|\| L > 8) {	244✔
31	throw Invalid_Argument(fmt("Invalid CCM L value {}", L));	×
32	}
33
34	if(tag_size < 4 \|\| tag_size > 16 \|\| tag_size % 2 != 0) {	244✔
35	throw Invalid_Argument(fmt("Invalid CCM tag length {}", tag_size));	×
36	}
37	}	244✔
38
39	void CCM_Mode::clear() {	70✔
40	m_cipher->clear();	70✔
41	reset();	140✔
42	}	70✔
43
44	void CCM_Mode::reset() {	809✔
45	m_nonce.clear();	382✔
46	m_msg_buf.clear();	809✔
47	m_ad_buf.clear();	809✔
48	}	312✔
49
50	std::string CCM_Mode::name() const {	35✔
51	return fmt("{}/CCM({},{})", m_cipher->name(), tag_size(), L());	35✔
52	}
53
54	bool CCM_Mode::valid_nonce_length(size_t n) const {	637✔
55	return (n == (15 - L()));	637✔
56	}
57
58	size_t CCM_Mode::default_nonce_length() const {	36✔
59	return (15 - L());	36✔
60	}
61
62	size_t CCM_Mode::update_granularity() const {	526✔
63	return 1;	526✔
64	}
65
66	size_t CCM_Mode::ideal_granularity() const {	216✔
67	// Completely arbitrary
68	return m_cipher->parallel_bytes();	216✔
69	}
70
71	bool CCM_Mode::requires_entire_message() const {	84✔
72	return true;	84✔
73	}
74
75	Key_Length_Specification CCM_Mode::key_spec() const {	176✔
76	return m_cipher->key_spec();	176✔
77	}
78
79	bool CCM_Mode::has_keying_material() const {	245✔
80	return m_cipher->has_keying_material();	245✔
81	}
82
83	void CCM_Mode::key_schedule(std::span<const uint8_t> key) {	174✔
84	m_cipher->set_key(key);	174✔
85	}	174✔
86
87	void CCM_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {	666✔
88	BOTAN_ARG_CHECK(idx == 0, "CCM: cannot handle non-zero index in set_associated_data_n");	666✔
89
90	m_ad_buf.clear();	666✔
91
92	if(!ad.empty()) {	666✔
93	// FIXME: support larger AD using length encoding rules
94	BOTAN_ARG_CHECK(ad.size() < (0xFFFF - 0xFF), "Supported CCM AD length");	642✔
95
96	m_ad_buf.push_back(get_byte<0>(static_cast<uint16_t>(ad.size())));	642✔
97	m_ad_buf.push_back(get_byte<1>(static_cast<uint16_t>(ad.size())));	642✔
98	m_ad_buf.insert(m_ad_buf.end(), ad.begin(), ad.end());	642✔
99	while(m_ad_buf.size() % CCM_BS) {	6,110✔
100	m_ad_buf.push_back(0); // pad with zeros to full block size	5,468✔
101	}
102	}
103	}	666✔
104
105	void CCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {	602✔
106	if(!valid_nonce_length(nonce_len)) {	602✔
107	throw Invalid_IV_Length(name(), nonce_len);	×
108	}
109
110	m_nonce.assign(nonce, nonce + nonce_len);	602✔
111	m_msg_buf.clear();	602✔
112	}	602✔
113
114	size_t CCM_Mode::process_msg(uint8_t buf[], size_t sz) {	1,894✔
115	BOTAN_STATE_CHECK(!m_nonce.empty());	1,894✔
116	m_msg_buf.insert(m_msg_buf.end(), buf, buf + sz);	1,754✔
117	return 0; // no output until finished	1,754✔
118	}
119
120	void CCM_Mode::encode_length(uint64_t len, uint8_t out[]) {	532✔
121	const size_t len_bytes = L();	532✔
122
123	BOTAN_ASSERT_NOMSG(len_bytes >= 2 && len_bytes <= 8);	532✔
124
125	for(size_t i = 0; i != len_bytes; ++i) {	2,131✔
126	out[len_bytes - 1 - i] = get_byte_var(sizeof(uint64_t) - 1 - i, len);	1,599✔
127	}
128
129	if(len_bytes < 8 && (len >> (len_bytes * 8)) > 0) {	532✔
130	throw Encoding_Error("CCM message length too long to encode in L field");	×
131	}
132	}	532✔
133
134	void CCM_Mode::inc(secure_vector<uint8_t>& C) {	5,584✔
135	for(size_t i = 0; i != C.size(); ++i) {	5,584✔
136	if(++C[C.size() - i - 1]) {	5,584✔
137	break;
138	}
139	}
140	}	×
141
142	secure_vector<uint8_t> CCM_Mode::format_b0(size_t sz) {	672✔
143	if(m_nonce.size() != 15 - L()) {	672✔
144	throw Invalid_State("CCM mode must set nonce");	140✔
145	}
146	secure_vector<uint8_t> B0(CCM_BS);	532✔
147
148	const uint8_t b_flags =	532✔
149	static_cast<uint8_t>((!m_ad_buf.empty() ? 64 : 0) + (((tag_size() / 2) - 1) << 3) + (L() - 1));	554✔
150
151	B0[0] = b_flags;	532✔
152	copy_mem(&B0[1], m_nonce.data(), m_nonce.size());	532✔
153	encode_length(sz, &B0[m_nonce.size() + 1]);	532✔
154
155	return B0;	532✔
156	}	×
157
158	secure_vector<uint8_t> CCM_Mode::format_c0() {	532✔
159	if(m_nonce.size() != 15 - L()) {	532✔
160	throw Invalid_State("CCM mode must set nonce");	×
161	}
162	secure_vector<uint8_t> C(CCM_BS);	532✔
163
164	const uint8_t a_flags = static_cast<uint8_t>(L() - 1);	532✔
165
166	C[0] = a_flags;	532✔
167	copy_mem(&C[1], m_nonce.data(), m_nonce.size());	532✔
168
169	return C;	532✔
170	}	×
171
172	size_t CCM_Encryption::finish_msg(std::span<uint8_t> buffer, size_t input_bytes) {	318✔
173	const auto tag_length = tag_size();	318✔
174	const auto& buffered = msg_buf();	318✔
175
176	BOTAN_ASSERT_NOMSG(buffered.size() + input_bytes + tag_length == buffer.size());	318✔
177
178	const auto entire_payload = buffer.first(buffered.size() + input_bytes);	318✔
179	const auto tag = buffer.last(tag_length);	318✔
180
181	const secure_vector<uint8_t>& ad = ad_buf();	318✔
182	BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");	318✔
183
184	const BlockCipher& E = cipher();	318✔
185
186	// TODO: consider using std::array<> for all those block-size'ed buffers
187	// (this requires adapting more helper functions like `format_b0`, ...)
188	secure_vector<uint8_t> T(CCM_BS);	318✔
189	E.encrypt(format_b0(entire_payload.size()), T);	531✔
190
191	BufferSlicer ad_bs(ad);	213✔
192	while(!ad_bs.empty()) {	213✔
193	xor_buf(T, ad_bs.take(CCM_BS));	449✔
194	E.encrypt(T);	901✔
195	}
196
197	secure_vector<uint8_t> C = format_c0();	213✔
198	secure_vector<uint8_t> S0(CCM_BS);	213✔
199	E.encrypt(C, S0);	213✔
200	inc(C);	213✔
201
202	secure_vector<uint8_t> X(CCM_BS);	213✔
203
204	// copy all buffered input into the in/out buffer if needed
205	if(!buffered.empty()) {	213✔
206	copy_mem(entire_payload.last(input_bytes), entire_payload.first(input_bytes));	69✔
207	copy_mem(entire_payload.first(buffered.size()), buffered);	69✔
208	}
209
210	// TODO: Use BufferTransformer, once it is available
211	// See https://github.com/randombit/botan/pull/4151
212	BufferSlicer payload_slicer(entire_payload);	213✔
213	BufferStuffer payload_stuffer(entire_payload);	213✔
214
215	while(!payload_slicer.empty()) {	2,637✔
216	const size_t to_proc = std::min<size_t>(CCM_BS, payload_slicer.remaining());	2,424✔
217	const auto in_chunk = payload_slicer.take(to_proc);	2,424✔
218	const auto out_chunk = payload_stuffer.next(to_proc);	2,424✔
219
220	xor_buf(std::span{T}.first(in_chunk.size()), in_chunk);	2,424✔
221	E.encrypt(T);	2,424✔
222
223	E.encrypt(C, X);	2,424✔
224	xor_buf(out_chunk, std::span{X}.first(out_chunk.size()));	2,424✔
225	inc(C);	4,848✔
226	}
227
228	T ^= S0;	213✔
229
230	BOTAN_DEBUG_ASSERT(tag.size() <= T.size());	213✔
231	copy_mem(tag, std::span{T}.first(tag.size()));	213✔
232
233	reset();	213✔
234
235	return buffer.size();	213✔
236	}	5,913✔
237
238	size_t CCM_Decryption::finish_msg(std::span<uint8_t> buffer, size_t input_bytes) {	354✔
239	const auto tag_length = tag_size();	354✔
240	const auto& buffered = msg_buf();	354✔
241
242	BOTAN_ASSERT_NOMSG(buffered.size() + input_bytes == buffer.size());	354✔
243
244	const auto entire_payload = buffer.first(buffer.size() - tag_length);	354✔
245	const auto tag = buffer.last(tag_length);	354✔
246
247	const secure_vector<uint8_t>& ad = ad_buf();	354✔
248	BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");	354✔
249
250	const BlockCipher& E = cipher();	354✔
251
252	secure_vector<uint8_t> T(CCM_BS);	354✔
253	E.encrypt(format_b0(entire_payload.size()), T);	778✔
254
255	for(size_t i = 0; i != ad.size(); i += CCM_BS) {	877✔
256	xor_buf(T.data(), &ad[i], CCM_BS);	558✔
257	E.encrypt(T);	1,116✔
258	}
259
260	secure_vector<uint8_t> C = format_c0();	319✔
261
262	secure_vector<uint8_t> S0(CCM_BS);	424✔
263	E.encrypt(C, S0);	319✔
264	inc(C);	319✔
265
266	secure_vector<uint8_t> X(CCM_BS);	424✔
267
268	// copy all buffered input into the in/out buffer if needed
269	if(!buffered.empty()) {	319✔
270	copy_mem(buffer.last(input_bytes), buffer.first(input_bytes));	69✔
271	copy_mem(buffer.first(buffered.size()), buffered);	69✔
272	}
273
274	// TODO: Use BufferTransformer, once it is available
275	// See https://github.com/randombit/botan/pull/4151
276	BufferSlicer payload_slicer(entire_payload);	319✔
277	BufferStuffer payload_stuffer(entire_payload);	319✔
278
279	while(!payload_slicer.empty()) {	2,947✔
280	const size_t to_proc = std::min<size_t>(CCM_BS, payload_slicer.remaining());	2,628✔
281	const auto in_chunk = payload_slicer.take(to_proc);	2,628✔
282	const auto out_chunk = payload_stuffer.next(to_proc);	2,628✔
283
284	E.encrypt(C, X);	2,628✔
285	xor_buf(out_chunk, std::span{X}.first(out_chunk.size()));	2,628✔
286	inc(C);	2,628✔
287
288	xor_buf(std::span{T}.first(in_chunk.size()), in_chunk);	2,733✔
289	E.encrypt(T);	5,256✔
290	}
291
292	T ^= S0;	319✔
293
294	if(!CT::is_equal(T.data(), tag.data(), tag.size()).as_bool()) {	638✔
295	throw Invalid_Authentication_Tag("CCM tag check failed");	105✔
296	}
297
298	reset();	214✔
299
300	return entire_payload.size();	214✔
301	}	1,171✔
302
303	} // namespace Botan

randombit / botan / 15423480149

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous