FEAT: added support for CCM (Counter with CBC-MAC) cipher mode

Author: Oldes

make/rebol3.nest

@@ -482,6 +482,13 @@ include-cipher-mode-gcm: [
 	core-files: %core/mbedtls/cipher_wrap.c
 	config: MBEDTLS_GCM_C
 ]
+include-cipher-mode-ccm: [
+	core-files: %core/mbedtls/ccm.c
+	; CCM runs with multiple ciphers and internally uses the generic wrapper
+	core-files: %core/mbedtls/cipher.c
+	core-files: %core/mbedtls/cipher_wrap.c
+	config: MBEDTLS_CCM_C
+]
 include-cipher-mode-cbc: [
 	; costs cca 1.5kB uncompressed (for AES)
 	config: MBEDTLS_CIPHER_MODE_CBC
@@ -586,6 +593,7 @@ include-cryptography: [
 	:include-cipher-chacha20
 	:include-cipher-chachapoly
 	:include-cipher-mode-cbc
+	:include-cipher-mode-ccm
 	:include-cipher-mode-gcm
 
 	;:include-deprecated-cipher-chacha20

src/boot/words.reb

@@ -309,12 +309,16 @@ curve448       ; Curve448
 
 init-vector
 
+; the order is important!
 aes-128-ecb
 aes-192-ecb
 aes-256-ecb
 aes-128-cbc
 aes-192-cbc
 aes-256-cbc
+aes-128-ccm
+aes-192-ccm
+aes-256-ccm
 aes-128-gcm
 aes-192-gcm
 aes-256-gcm
@@ -324,6 +328,9 @@ camellia-256-ecb
 camellia-128-cbc
 camellia-192-cbc
 camellia-256-cbc
+camellia-128-ccm
+camellia-192-ccm
+camellia-256-ccm
 camellia-128-gcm
 camellia-192-gcm
 camellia-256-gcm
@@ -333,6 +340,9 @@ aria-256-ecb
 aria-128-cbc
 aria-192-cbc
 aria-256-cbc
+aria-128-ccm
+aria-192-ccm
+aria-256-ccm
 aria-128-gcm
 aria-192-gcm
 aria-256-gcm

src/core/n-crypt.c

@@ -91,6 +91,11 @@ static mbedtls_ctr_drbg_context ctr_drbg;
 			add_ec_word(SYM_AES_192_CBC)
 			add_ec_word(SYM_AES_256_CBC)
 		#endif
+		#ifdef MBEDTLS_CCM_C
+			add_ec_word(SYM_AES_128_CCM)
+			add_ec_word(SYM_AES_192_CCM)
+			add_ec_word(SYM_AES_256_CCM)
+		#endif
 		#ifdef MBEDTLS_GCM_C
 			add_ec_word(SYM_AES_128_GCM)
 			add_ec_word(SYM_AES_192_GCM)
@@ -105,6 +110,11 @@ static mbedtls_ctr_drbg_context ctr_drbg;
 			add_ec_word(SYM_CAMELLIA_192_CBC)
 			add_ec_word(SYM_CAMELLIA_256_CBC)
 		#endif
+		#ifdef MBEDTLS_CCM_C
+			add_ec_word(SYM_CAMELLIA_128_CCM)
+			add_ec_word(SYM_CAMELLIA_192_CCM)
+			add_ec_word(SYM_CAMELLIA_256_CCM)
+		#endif
 		#ifdef MBEDTLS_GCM_C
 			add_ec_word(SYM_CAMELLIA_128_GCM)
 			add_ec_word(SYM_CAMELLIA_192_GCM)
@@ -120,6 +130,11 @@ static mbedtls_ctr_drbg_context ctr_drbg;
 		add_ec_word(SYM_ARIA_192_CBC)
 		add_ec_word(SYM_ARIA_256_CBC)
 		#endif
+		#ifdef MBEDTLS_CCM_C
+			add_ec_word(SYM_ARIA_128_CCM)
+			add_ec_word(SYM_ARIA_192_CCM)
+			add_ec_word(SYM_ARIA_256_CCM)
+		#endif
 		#ifdef MBEDTLS_GCM_C
 		add_ec_word(SYM_ARIA_128_GCM)
 		add_ec_word(SYM_ARIA_192_GCM)

src/core/p-crypt.c

@@ -50,6 +50,31 @@
     )
 #endif
 
+
+/***********************************************************************
+**
+*/	static mbedtls_cipher_id_t get_cipher_id(REBCNT sym)
+/*
+**  Note: requires exact word order defined in boot/words.reb file
+**
+***********************************************************************/
+{
+	if (sym >= SYM_AES_128_ECB && sym <= SYM_AES_256_GCM) {
+		return MBEDTLS_CIPHER_ID_AES;
+	}
+	if (sym >= SYM_CAMELLIA_128_ECB && sym <= SYM_CAMELLIA_256_GCM) {
+		return MBEDTLS_CIPHER_ID_CAMELLIA;
+	}
+	if (sym >= SYM_ARIA_128_ECB && sym <= SYM_ARIA_256_GCM) {
+		return MBEDTLS_CIPHER_ID_ARIA;
+	}
+	if (sym >= SYM_CHACHA20 && sym <= SYM_CHACHA20_POLY1305) {
+		return MBEDTLS_CIPHER_ID_CHACHA20;
+	}
+	return MBEDTLS_CIPHER_ID_NULL;
+}
+
+
 static void free_crypt_cipher_context(CRYPT_CTX *ctx);
 
 
@@ -117,6 +142,7 @@ static void free_crypt_cipher_context(CRYPT_CTX *ctx);
 	if (IS_NONE(val)) {
 		CLEAR(&ctx->IV, MBEDTLS_MAX_IV_LENGTH);
 		CLEAR(&ctx->nonce, MBEDTLS_MAX_IV_LENGTH);
+		ctx->IV_len = 0;
 		return TRUE;
 	}
 	if (IS_BINARY(val)) {
@@ -127,6 +153,7 @@ static void free_crypt_cipher_context(CRYPT_CTX *ctx);
 			CLEAR(&ctx->IV, MBEDTLS_MAX_IV_LENGTH);
 			CLEAR(&ctx->nonce, MBEDTLS_MAX_IV_LENGTH);
 			COPY_MEM(&ctx->IV, VAL_BIN_AT(val), len);
+			ctx->IV_len = len;
 		}
 		return TRUE;
 	}
@@ -255,6 +282,39 @@ static void free_crypt_cipher_context(CRYPT_CTX *ctx);
 		ctx->cipher_block_size = 16;
 		break;
 
+#ifdef MBEDTLS_CCM_C
+	case SYM_AES_128_CCM:
+	case SYM_AES_192_CCM:
+	case SYM_AES_256_CCM:
+#ifdef MBEDTLS_CAMELLIA_C
+	case SYM_CAMELLIA_128_CCM:
+	case SYM_CAMELLIA_192_CCM:
+	case SYM_CAMELLIA_256_CCM:
+#endif
+#ifdef MBEDTLS_ARIA_C
+	case SYM_ARIA_128_CCM:
+	case SYM_ARIA_192_CCM:
+	case SYM_ARIA_256_CCM:
+#endif
+		if (ctx->cipher_ctx == NULL)
+			ctx->cipher_ctx = malloc(sizeof(mbedtls_ccm_context));
+		mbedtls_ccm_init((mbedtls_ccm_context*)ctx->cipher_ctx);
+		switch (type) {
+		case SYM_AES_128_CCM:
+		case SYM_ARIA_128_CCM:
+		case SYM_CAMELLIA_128_CCM: ctx->key_bitlen = 128; break;
+		case SYM_AES_192_CCM:
+		case SYM_ARIA_192_CCM:
+		case SYM_CAMELLIA_192_CCM: ctx->key_bitlen = 192; break;
+		case SYM_AES_256_CCM:
+		case SYM_ARIA_256_CCM:
+		case SYM_CAMELLIA_256_CCM: ctx->key_bitlen = 256; break;
+		}
+		ctx->cipher_block_size = 0;
+		break;
+
+#endif
+
 #ifdef MBEDTLS_GCM_C
 	case SYM_AES_128_GCM:
 	case SYM_AES_192_GCM:
@@ -466,6 +526,30 @@ static void free_crypt_cipher_context(CRYPT_CTX *ctx);
 		break;
 #endif
 
+#ifdef MBEDTLS_CCM_C
+	case SYM_AES_128_CCM:
+	case SYM_AES_192_CCM:
+	case SYM_AES_256_CCM:
+#ifdef MBEDTLS_CAMELLIA_C
+	case SYM_CAMELLIA_128_CCM:
+	case SYM_CAMELLIA_192_CCM:
+	case SYM_CAMELLIA_256_CCM:
+#endif
+#ifdef MBEDTLS_ARIA_C
+	case SYM_ARIA_128_CCM:
+	case SYM_ARIA_192_CCM:
+	case SYM_ARIA_256_CCM:
+#endif
+	{
+		size_t out_bytes = 0;
+		err = mbedtls_ccm_update((mbedtls_ccm_context*)ctx->cipher_ctx, input, len, BIN_TAIL(bin), len, &out_bytes);
+		if (err) return err;
+		SERIES_TAIL(bin) += out_bytes;
+		input += out_bytes;
+		break;
+	}
+#endif
+
 #ifdef MBEDTLS_GCM_C
 	case SYM_AES_128_GCM:
 	case SYM_AES_192_GCM:
@@ -589,6 +673,7 @@ static void free_crypt_cipher_context(CRYPT_CTX *ctx);
 	return CRYPT_OK;
 }
 
+
 /***********************************************************************
 **
 */	static REBINT Crypt_Init(CRYPT_CTX *ctx)
@@ -619,6 +704,31 @@ static void free_crypt_cipher_context(CRYPT_CTX *ctx);
 		}
 		break;
 
+	#ifdef MBEDTLS_CCM_C
+	case SYM_AES_128_CCM:
+	case SYM_AES_192_CCM:
+	case SYM_AES_256_CCM:
+	#ifdef MBEDTLS_CAMELLIA_C
+	case SYM_CAMELLIA_128_CCM:
+	case SYM_CAMELLIA_192_CCM:
+	case SYM_CAMELLIA_256_CCM:
+	#endif
+	#ifdef MBEDTLS_ARIA_C
+	case SYM_ARIA_128_CCM:
+	case SYM_ARIA_192_CCM:
+	case SYM_ARIA_256_CCM:
+	#endif
+	{
+		mbedtls_ccm_context* ccm = (mbedtls_ccm_context*)ctx->cipher_ctx;
+		err = mbedtls_ccm_setkey(ccm, get_cipher_id(ctx->cipher_type), ctx->key, ctx->key_bitlen);
+		if (err) return err;
+		ctx->IV_len = MAX(7, MIN(13, ctx->IV_len));
+		err = mbedtls_ccm_starts(ccm, ctx->operation, ctx->IV, ctx->IV_len);
+		ctx->unprocessed_len = 0;
+		break;
+	}
+	#endif
+
 	#ifdef MBEDTLS_GCM_C
 	case SYM_AES_128_GCM:
 	case SYM_AES_192_GCM:
@@ -635,7 +745,7 @@ static void free_crypt_cipher_context(CRYPT_CTX *ctx);
 	#endif
 	{
 		mbedtls_gcm_context *gcm = (mbedtls_gcm_context *)ctx->cipher_ctx;
-		err = mbedtls_gcm_setkey(gcm, MBEDTLS_CIPHER_ID_AES, ctx->key, ctx->key_bitlen);
+		err = mbedtls_gcm_setkey(gcm, get_cipher_id(ctx->cipher_type), ctx->key, ctx->key_bitlen);
 		if (err) return err;
 		err = mbedtls_gcm_starts(gcm, ctx->operation, ctx->IV, 16);
 		ctx->unprocessed_len = 0;

src/include/sys-crypt.h

@@ -62,6 +62,10 @@ typedef mbedtls_chachapoly_context CHACHAPOLY_CTX;
 #define CHACHAPOLY_STATE_CIPHERTEXT (2)
 #endif
 
+#ifdef MBEDTLS_CCM_C
+#include "mbedtls/ccm.h"
+#endif
+
 #ifdef MBEDTLS_GCM_C
 #include "mbedtls/gcm.h"
 #endif
@@ -95,6 +99,7 @@ typedef struct crypt_ctx {
 	void                *cipher_ctx;
 	REBSER              *buffer;
 	unsigned int        key_bitlen;
+	unsigned int        IV_len;
 	unsigned int        unprocessed_len;
 	unsigned char       nonce[MBEDTLS_MAX_IV_LENGTH]; // nonce may be changed, like in Camellia cipher!
 	unsigned char       IV[MBEDTLS_MAX_IV_LENGTH];