1 /* ====================================================================
2 * Copyright (c) 2008 The OpenSSL Project. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 *
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
14 * distribution.
15 *
16 * 3. All advertising materials mentioning features or use of this
17 * software must display the following acknowledgment:
18 * "This product includes software developed by the OpenSSL Project
19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20 *
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 * endorse or promote products derived from this software without
23 * prior written permission. For written permission, please contact
24 * openssl-core@openssl.org.
25 *
26 * 5. Products derived from this software may not be called "OpenSSL"
27 * nor may "OpenSSL" appear in their names without prior written
28 * permission of the OpenSSL Project.
29 *
30 * 6. Redistributions of any form whatsoever must retain the following
31 * acknowledgment:
32 * "This product includes software developed by the OpenSSL Project
33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34 *
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
47 * ==================================================================== */
48
49 #include <openssl/aead.h>
50
51 #include <assert.h>
52
53 #include <openssl/cpu.h>
54 #include <openssl/cipher.h>
55 #include <openssl/err.h>
56 #include <openssl/mem.h>
57
58 #include "../fipsmodule/cipher/internal.h"
59
60
61 struct ccm128_context {
62 block128_f block;
63 ctr128_f ctr;
64 unsigned M, L;
65 };
66
67 struct ccm128_state {
68 union {
69 uint64_t u[2];
70 uint8_t c[16];
71 } nonce, cmac;
72 };
73
CRYPTO_ccm128_init(struct ccm128_context * ctx,const AES_KEY * key,block128_f block,ctr128_f ctr,unsigned M,unsigned L)74 static int CRYPTO_ccm128_init(struct ccm128_context *ctx, const AES_KEY *key,
75 block128_f block, ctr128_f ctr, unsigned M,
76 unsigned L) {
77 if (M < 4 || M > 16 || (M & 1) != 0 || L < 2 || L > 8) {
78 return 0;
79 }
80 ctx->block = block;
81 ctx->ctr = ctr;
82 ctx->M = M;
83 ctx->L = L;
84 return 1;
85 }
86
CRYPTO_ccm128_max_input(const struct ccm128_context * ctx)87 static size_t CRYPTO_ccm128_max_input(const struct ccm128_context *ctx) {
88 return ctx->L >= sizeof(size_t) ? (size_t)-1
89 : (((size_t)1) << (ctx->L * 8)) - 1;
90 }
91
ccm128_init_state(const struct ccm128_context * ctx,struct ccm128_state * state,const AES_KEY * key,const uint8_t * nonce,size_t nonce_len,const uint8_t * aad,size_t aad_len,size_t plaintext_len)92 static int ccm128_init_state(const struct ccm128_context *ctx,
93 struct ccm128_state *state, const AES_KEY *key,
94 const uint8_t *nonce, size_t nonce_len,
95 const uint8_t *aad, size_t aad_len,
96 size_t plaintext_len) {
97 const block128_f block = ctx->block;
98 const unsigned M = ctx->M;
99 const unsigned L = ctx->L;
100
101 // |L| determines the expected |nonce_len| and the limit for |plaintext_len|.
102 if (plaintext_len > CRYPTO_ccm128_max_input(ctx) ||
103 nonce_len != 15 - L) {
104 return 0;
105 }
106
107 // Assemble the first block for computing the MAC.
108 OPENSSL_memset(state, 0, sizeof(*state));
109 state->nonce.c[0] = (uint8_t)((L - 1) | ((M - 2) / 2) << 3);
110 if (aad_len != 0) {
111 state->nonce.c[0] |= 0x40; // Set AAD Flag
112 }
113 OPENSSL_memcpy(&state->nonce.c[1], nonce, nonce_len);
114 for (unsigned i = 0; i < L; i++) {
115 state->nonce.c[15 - i] = (uint8_t)(plaintext_len >> (8 * i));
116 }
117
118 (*block)(state->nonce.c, state->cmac.c, key);
119 size_t blocks = 1;
120
121 if (aad_len != 0) {
122 unsigned i;
123 // Cast to u64 to avoid the compiler complaining about invalid shifts.
124 uint64_t aad_len_u64 = aad_len;
125 if (aad_len_u64 < 0x10000 - 0x100) {
126 state->cmac.c[0] ^= (uint8_t)(aad_len_u64 >> 8);
127 state->cmac.c[1] ^= (uint8_t)aad_len_u64;
128 i = 2;
129 } else if (aad_len_u64 <= 0xffffffff) {
130 state->cmac.c[0] ^= 0xff;
131 state->cmac.c[1] ^= 0xfe;
132 state->cmac.c[2] ^= (uint8_t)(aad_len_u64 >> 24);
133 state->cmac.c[3] ^= (uint8_t)(aad_len_u64 >> 16);
134 state->cmac.c[4] ^= (uint8_t)(aad_len_u64 >> 8);
135 state->cmac.c[5] ^= (uint8_t)aad_len_u64;
136 i = 6;
137 } else {
138 state->cmac.c[0] ^= 0xff;
139 state->cmac.c[1] ^= 0xff;
140 state->cmac.c[2] ^= (uint8_t)(aad_len_u64 >> 56);
141 state->cmac.c[3] ^= (uint8_t)(aad_len_u64 >> 48);
142 state->cmac.c[4] ^= (uint8_t)(aad_len_u64 >> 40);
143 state->cmac.c[5] ^= (uint8_t)(aad_len_u64 >> 32);
144 state->cmac.c[6] ^= (uint8_t)(aad_len_u64 >> 24);
145 state->cmac.c[7] ^= (uint8_t)(aad_len_u64 >> 16);
146 state->cmac.c[8] ^= (uint8_t)(aad_len_u64 >> 8);
147 state->cmac.c[9] ^= (uint8_t)aad_len_u64;
148 i = 10;
149 }
150
151 do {
152 for (; i < 16 && aad_len != 0; i++) {
153 state->cmac.c[i] ^= *aad;
154 aad++;
155 aad_len--;
156 }
157 (*block)(state->cmac.c, state->cmac.c, key);
158 blocks++;
159 i = 0;
160 } while (aad_len != 0);
161 }
162
163 // Per RFC 3610, section 2.6, the total number of block cipher operations done
164 // must not exceed 2^61. There are two block cipher operations remaining per
165 // message block, plus one block at the end to encrypt the MAC.
166 size_t remaining_blocks = 2 * ((plaintext_len + 15) / 16) + 1;
167 if (plaintext_len + 15 < plaintext_len ||
168 remaining_blocks + blocks < blocks ||
169 (uint64_t) remaining_blocks + blocks > UINT64_C(1) << 61) {
170 return 0;
171 }
172
173 // Assemble the first block for encrypting and decrypting. The bottom |L|
174 // bytes are replaced with a counter and all bit the encoding of |L| is
175 // cleared in the first byte.
176 state->nonce.c[0] &= 7;
177 return 1;
178 }
179
ccm128_encrypt(const struct ccm128_context * ctx,struct ccm128_state * state,const AES_KEY * key,uint8_t * out,const uint8_t * in,size_t len)180 static int ccm128_encrypt(const struct ccm128_context *ctx,
181 struct ccm128_state *state, const AES_KEY *key,
182 uint8_t *out, const uint8_t *in, size_t len) {
183 // The counter for encryption begins at one.
184 for (unsigned i = 0; i < ctx->L; i++) {
185 state->nonce.c[15 - i] = 0;
186 }
187 state->nonce.c[15] = 1;
188
189 uint8_t partial_buf[16];
190 unsigned num = 0;
191 if (ctx->ctr != NULL) {
192 CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, state->nonce.c, partial_buf,
193 &num, ctx->ctr);
194 } else {
195 CRYPTO_ctr128_encrypt(in, out, len, key, state->nonce.c, partial_buf, &num,
196 ctx->block);
197 }
198 return 1;
199 }
200
ccm128_compute_mac(const struct ccm128_context * ctx,struct ccm128_state * state,const AES_KEY * key,uint8_t * out_tag,size_t tag_len,const uint8_t * in,size_t len)201 static int ccm128_compute_mac(const struct ccm128_context *ctx,
202 struct ccm128_state *state, const AES_KEY *key,
203 uint8_t *out_tag, size_t tag_len,
204 const uint8_t *in, size_t len) {
205 block128_f block = ctx->block;
206 if (tag_len != ctx->M) {
207 return 0;
208 }
209
210 // Incorporate |in| into the MAC.
211 union {
212 uint64_t u[2];
213 uint8_t c[16];
214 } tmp;
215 while (len >= 16) {
216 OPENSSL_memcpy(tmp.c, in, 16);
217 state->cmac.u[0] ^= tmp.u[0];
218 state->cmac.u[1] ^= tmp.u[1];
219 (*block)(state->cmac.c, state->cmac.c, key);
220 in += 16;
221 len -= 16;
222 }
223 if (len > 0) {
224 for (size_t i = 0; i < len; i++) {
225 state->cmac.c[i] ^= in[i];
226 }
227 (*block)(state->cmac.c, state->cmac.c, key);
228 }
229
230 // Encrypt the MAC with counter zero.
231 for (unsigned i = 0; i < ctx->L; i++) {
232 state->nonce.c[15 - i] = 0;
233 }
234 (*block)(state->nonce.c, tmp.c, key);
235 state->cmac.u[0] ^= tmp.u[0];
236 state->cmac.u[1] ^= tmp.u[1];
237
238 OPENSSL_memcpy(out_tag, state->cmac.c, tag_len);
239 return 1;
240 }
241
CRYPTO_ccm128_encrypt(const struct ccm128_context * ctx,const AES_KEY * key,uint8_t * out,uint8_t * out_tag,size_t tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t len,const uint8_t * aad,size_t aad_len)242 static int CRYPTO_ccm128_encrypt(const struct ccm128_context *ctx,
243 const AES_KEY *key, uint8_t *out,
244 uint8_t *out_tag, size_t tag_len,
245 const uint8_t *nonce, size_t nonce_len,
246 const uint8_t *in, size_t len,
247 const uint8_t *aad, size_t aad_len) {
248 struct ccm128_state state;
249 return ccm128_init_state(ctx, &state, key, nonce, nonce_len, aad, aad_len,
250 len) &&
251 ccm128_compute_mac(ctx, &state, key, out_tag, tag_len, in, len) &&
252 ccm128_encrypt(ctx, &state, key, out, in, len);
253 }
254
CRYPTO_ccm128_decrypt(const struct ccm128_context * ctx,const AES_KEY * key,uint8_t * out,uint8_t * out_tag,size_t tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t len,const uint8_t * aad,size_t aad_len)255 static int CRYPTO_ccm128_decrypt(const struct ccm128_context *ctx,
256 const AES_KEY *key, uint8_t *out,
257 uint8_t *out_tag, size_t tag_len,
258 const uint8_t *nonce, size_t nonce_len,
259 const uint8_t *in, size_t len,
260 const uint8_t *aad, size_t aad_len) {
261 struct ccm128_state state;
262 return ccm128_init_state(ctx, &state, key, nonce, nonce_len, aad, aad_len,
263 len) &&
264 ccm128_encrypt(ctx, &state, key, out, in, len) &&
265 ccm128_compute_mac(ctx, &state, key, out_tag, tag_len, out, len);
266 }
267
268 #define EVP_AEAD_AES_CCM_MAX_TAG_LEN 16
269
270 struct aead_aes_ccm_ctx {
271 union {
272 double align;
273 AES_KEY ks;
274 } ks;
275 struct ccm128_context ccm;
276 };
277
278 OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
279 sizeof(struct aead_aes_ccm_ctx),
280 "AEAD state is too small");
281 #if defined(__GNUC__) || defined(__clang__)
282 OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
283 alignof(struct aead_aes_ccm_ctx),
284 "AEAD state has insufficient alignment");
285 #endif
286
aead_aes_ccm_init(EVP_AEAD_CTX * ctx,const uint8_t * key,size_t key_len,size_t tag_len,unsigned M,unsigned L)287 static int aead_aes_ccm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
288 size_t key_len, size_t tag_len, unsigned M,
289 unsigned L) {
290 assert(M == EVP_AEAD_max_overhead(ctx->aead));
291 assert(M == EVP_AEAD_max_tag_len(ctx->aead));
292 assert(15 - L == EVP_AEAD_nonce_length(ctx->aead));
293
294 if (key_len != EVP_AEAD_key_length(ctx->aead)) {
295 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
296 return 0; // EVP_AEAD_CTX_init should catch this.
297 }
298
299 if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
300 tag_len = M;
301 }
302
303 if (tag_len != M) {
304 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
305 return 0;
306 }
307
308 struct aead_aes_ccm_ctx *ccm_ctx = (struct aead_aes_ccm_ctx *)&ctx->state;
309
310 block128_f block;
311 ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len);
312 ctx->tag_len = tag_len;
313 if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, M, L)) {
314 OPENSSL_PUT_ERROR(CIPHER, ERR_R_INTERNAL_ERROR);
315 return 0;
316 }
317
318 return 1;
319 }
320
aead_aes_ccm_cleanup(EVP_AEAD_CTX * ctx)321 static void aead_aes_ccm_cleanup(EVP_AEAD_CTX *ctx) {}
322
aead_aes_ccm_seal_scatter(const EVP_AEAD_CTX * ctx,uint8_t * out,uint8_t * out_tag,size_t * out_tag_len,size_t max_out_tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * extra_in,size_t extra_in_len,const uint8_t * ad,size_t ad_len)323 static int aead_aes_ccm_seal_scatter(
324 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
325 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
326 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
327 size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
328 const struct aead_aes_ccm_ctx *ccm_ctx =
329 (struct aead_aes_ccm_ctx *)&ctx->state;
330
331 if (in_len > CRYPTO_ccm128_max_input(&ccm_ctx->ccm)) {
332 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
333 return 0;
334 }
335
336 if (max_out_tag_len < ctx->tag_len) {
337 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
338 return 0;
339 }
340
341 if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
342 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
343 return 0;
344 }
345
346 if (!CRYPTO_ccm128_encrypt(&ccm_ctx->ccm, &ccm_ctx->ks.ks, out, out_tag,
347 ctx->tag_len, nonce, nonce_len, in, in_len, ad,
348 ad_len)) {
349 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
350 return 0;
351 }
352
353 *out_tag_len = ctx->tag_len;
354 return 1;
355 }
356
aead_aes_ccm_open_gather(const EVP_AEAD_CTX * ctx,uint8_t * out,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * in_tag,size_t in_tag_len,const uint8_t * ad,size_t ad_len)357 static int aead_aes_ccm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,
358 const uint8_t *nonce, size_t nonce_len,
359 const uint8_t *in, size_t in_len,
360 const uint8_t *in_tag, size_t in_tag_len,
361 const uint8_t *ad, size_t ad_len) {
362 const struct aead_aes_ccm_ctx *ccm_ctx =
363 (struct aead_aes_ccm_ctx *)&ctx->state;
364
365 if (in_len > CRYPTO_ccm128_max_input(&ccm_ctx->ccm)) {
366 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
367 return 0;
368 }
369
370 if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
371 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
372 return 0;
373 }
374
375 if (in_tag_len != ctx->tag_len) {
376 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
377 return 0;
378 }
379
380 uint8_t tag[EVP_AEAD_AES_CCM_MAX_TAG_LEN];
381 assert(ctx->tag_len <= EVP_AEAD_AES_CCM_MAX_TAG_LEN);
382 if (!CRYPTO_ccm128_decrypt(&ccm_ctx->ccm, &ccm_ctx->ks.ks, out, tag,
383 ctx->tag_len, nonce, nonce_len, in, in_len, ad,
384 ad_len)) {
385 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
386 return 0;
387 }
388
389 if (CRYPTO_memcmp(tag, in_tag, ctx->tag_len) != 0) {
390 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
391 return 0;
392 }
393
394 return 1;
395 }
396
aead_aes_ccm_bluetooth_init(EVP_AEAD_CTX * ctx,const uint8_t * key,size_t key_len,size_t tag_len)397 static int aead_aes_ccm_bluetooth_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
398 size_t key_len, size_t tag_len) {
399 return aead_aes_ccm_init(ctx, key, key_len, tag_len, 4, 2);
400 }
401
402 static const EVP_AEAD aead_aes_128_ccm_bluetooth = {
403 16, // key length (AES-128)
404 13, // nonce length
405 4, // overhead
406 4, // max tag length
407 0, // seal_scatter_supports_extra_in
408
409 aead_aes_ccm_bluetooth_init,
410 NULL /* init_with_direction */,
411 aead_aes_ccm_cleanup,
412 NULL /* open */,
413 aead_aes_ccm_seal_scatter,
414 aead_aes_ccm_open_gather,
415 NULL /* get_iv */,
416 NULL /* tag_len */,
417 };
418
EVP_aead_aes_128_ccm_bluetooth(void)419 const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth(void) {
420 return &aead_aes_128_ccm_bluetooth;
421 }
422
aead_aes_ccm_bluetooth_8_init(EVP_AEAD_CTX * ctx,const uint8_t * key,size_t key_len,size_t tag_len)423 static int aead_aes_ccm_bluetooth_8_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
424 size_t key_len, size_t tag_len) {
425 return aead_aes_ccm_init(ctx, key, key_len, tag_len, 8, 2);
426 }
427
428 static const EVP_AEAD aead_aes_128_ccm_bluetooth_8 = {
429 16, // key length (AES-128)
430 13, // nonce length
431 8, // overhead
432 8, // max tag length
433 0, // seal_scatter_supports_extra_in
434
435 aead_aes_ccm_bluetooth_8_init,
436 NULL /* init_with_direction */,
437 aead_aes_ccm_cleanup,
438 NULL /* open */,
439 aead_aes_ccm_seal_scatter,
440 aead_aes_ccm_open_gather,
441 NULL /* get_iv */,
442 NULL /* tag_len */,
443 };
444
EVP_aead_aes_128_ccm_bluetooth_8(void)445 const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth_8(void) {
446 return &aead_aes_128_ccm_bluetooth_8;
447 }
448