Merge pull request #407 from WilliamTakeshi/aes-ccm-16-128-128

add support to Aes-ccm-16-128-128

Author: WilliamTakeshi

crypto/lakers-crypto-cryptocell310-sys/src/lib.rs

@@ -80,7 +80,7 @@ impl CryptoTrait for Crypto {
         output
     }
 
-    fn aes_ccm_encrypt_tag_8<const N: usize>(
+    fn aes_ccm_encrypt<const N: usize, Tag: CcmTagLen>(
         &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
@@ -114,33 +114,31 @@ impl CryptoTrait for Crypto {
                     reason = "hax won't allow creating a .as_mut_slice() method"
                 )]
                 output.content.as_mut_ptr(),
-                AES_CCM_TAG_LEN as u8, // authentication tag length
+                Tag::LEN as u8,
                 tag.as_mut_ptr(),
                 0 as u32, // CCM
             )
         };
 
-        output.extend_from_slice(&tag[..AES_CCM_TAG_LEN]).unwrap();
+        output.extend_from_slice(&tag[..Tag::LEN]).unwrap();
 
         output
     }
 
-    fn aes_ccm_decrypt_tag_8<const N: usize>(
+    fn aes_ccm_decrypt<const N: usize, Tag: CcmTagLen>(
         &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
         ad: &[u8],
         ciphertext: &[u8],
     ) -> Result<EdhocBuffer<N>, EDHOCError> {
         let mut output = EdhocBuffer::new();
-        output
-            .extend_reserve(ciphertext.len() - AES_CCM_TAG_LEN)
-            .unwrap();
+        output.extend_reserve(ciphertext.len() - Tag::LEN).unwrap();
         let mut aesccm_key: CRYS_AESCCM_Key_t = Default::default();
 
-        aesccm_key[0..AES_CCM_KEY_LEN].copy_from_slice(&key[..]);
+        aesccm_key[0..Tag::LEN].copy_from_slice(&key[..]);
 
-        assert!(ciphertext.len() - AES_CCM_TAG_LEN <= N);
+        assert!(ciphertext.len() - Tag::LEN <= N);
 
         #[allow(deprecated, reason = "using extend_reserve")]
         unsafe {
@@ -154,11 +152,11 @@ impl CryptoTrait for Crypto {
                 ad.len() as u32,
                 // CC_AESCCM does not really write there, it's just missing a `const`
                 ciphertext.as_ptr() as *mut _,
-                (ciphertext.len() - AES_CCM_TAG_LEN) as u32,
+                (ciphertext.len() - Tag::LEN) as u32,
                 output.content.as_mut_ptr(),
-                AES_CCM_TAG_LEN as u8, // authentication tag length
+                Tag::LEN as u8,
                 // as before
-                ciphertext[ciphertext.len() - AES_CCM_TAG_LEN..].as_ptr() as *mut _,
+                ciphertext[ciphertext.len() - Tag::LEN..].as_ptr() as *mut _,
                 0 as u32, // CCM
             ) {
                 CRYS_OK => Ok(output),
@@ -368,3 +366,20 @@ impl digest::OutputSizeUser for HashInProcessSha256 {
     type OutputSize = digest::typenum::U32;
 }
 impl digest::HashMarker for HashInProcessSha256 {}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use lakers_shared::test_helper::{
+        test_aes_ccm_roundtrip, test_aes_ccm_tag_16, test_aes_ccm_tag_8,
+    };
+
+    #[test]
+    fn test_cryptocell_aes_ccm() {
+        test_aes_ccm_roundtrip::<Crypto, CcmTagLen8>(&mut Crypto);
+        test_aes_ccm_roundtrip::<Crypto, CcmTagLen16>(&mut Crypto);
+
+        test_aes_ccm_tag_8::<Crypto>(&mut Crypto);
+        test_aes_ccm_tag_16::<Crypto>(&mut Crypto);
+    }
+}

crypto/lakers-crypto-psa/src/lib.rs

@@ -88,7 +88,7 @@ impl CryptoTrait for Crypto {
         output
     }
 
-    fn aes_ccm_encrypt_tag_8<const N: usize>(
+    fn aes_ccm_encrypt<const N: usize, Tag: CcmTagLen>(
         &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
@@ -99,7 +99,7 @@ impl CryptoTrait for Crypto {
 
         let alg = Aead::AeadWithShortenedTag {
             aead_alg: AeadWithDefaultLengthTag::Ccm,
-            tag_length: 8,
+            tag_length: Tag::LEN,
         };
         let mut usage_flags: UsageFlags = Default::default();
         usage_flags.set_encrypt();
@@ -116,7 +116,7 @@ impl CryptoTrait for Crypto {
         let my_key = key_management::import(attributes, None, &key[..]).unwrap();
         let mut output_buffer = EdhocBuffer::new();
         let full_range = output_buffer
-            .extend_reserve(plaintext.len() + AES_CCM_TAG_LEN)
+            .extend_reserve(plaintext.len() + Tag::LEN)
             .unwrap();
 
         #[allow(deprecated, reason = "using extend_reserve")]
@@ -133,7 +133,7 @@ impl CryptoTrait for Crypto {
         output_buffer
     }
 
-    fn aes_ccm_decrypt_tag_8<const N: usize>(
+    fn aes_ccm_decrypt<const N: usize, Tag: CcmTagLen>(
         &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
@@ -144,7 +144,7 @@ impl CryptoTrait for Crypto {
 
         let alg = Aead::AeadWithShortenedTag {
             aead_alg: AeadWithDefaultLengthTag::Ccm,
-            tag_length: 8,
+            tag_length: Tag::LEN,
         };
         let mut usage_flags: UsageFlags = Default::default();
         usage_flags.set_decrypt();
@@ -161,7 +161,7 @@ impl CryptoTrait for Crypto {
         let my_key = key_management::import(attributes, None, &key[..]).unwrap();
         let mut output_buffer = EdhocBuffer::new();
         let out_slice = output_buffer
-            .extend_reserve(ciphertext.len() - AES_CCM_TAG_LEN)
+            .extend_reserve(ciphertext.len() - Tag::LEN)
             .unwrap();
 
         #[allow(deprecated, reason = "using extend_reserve")]
@@ -324,6 +324,9 @@ impl digest::HashMarker for BufferedHasherSha256 {}
 #[cfg(test)]
 mod tests {
     use super::*;
+    use lakers_shared::test_helper::{
+        test_aes_ccm_roundtrip, test_aes_ccm_tag_16, test_aes_ccm_tag_8,
+    };
 
     #[test]
     fn test_hmac_sha256() {
@@ -347,4 +350,13 @@ mod tests {
         let result_2 = Crypto.hmac_sha256(&MESSAGE_2, &KEY);
         assert_eq!(result_2, RESULT_2_TV);
     }
+
+    #[test]
+    fn test_psa_aes_ccm() {
+        test_aes_ccm_roundtrip::<Crypto, CcmTagLen8>(&mut Crypto);
+        test_aes_ccm_roundtrip::<Crypto, CcmTagLen16>(&mut Crypto);
+
+        test_aes_ccm_tag_8::<Crypto>(&mut Crypto);
+        test_aes_ccm_tag_16::<Crypto>(&mut Crypto);
+    }
 }

crypto/lakers-crypto-rustcrypto/src/lib.rs

@@ -1,8 +1,9 @@
 #![no_std]
 
+use lakers_shared::CcmTagLen;
 use lakers_shared::{
     BytesCcmIvLen, BytesCcmKeyLen, BytesHashLen, BytesP256ElemLen, Crypto as CryptoTrait,
-    EDHOCError, EDHOCSuite, EdhocBuffer, AES_CCM_TAG_LEN, MAX_SUITES_LEN,
+    EDHOCError, EDHOCSuite, EdhocBuffer, MAX_SUITES_LEN,
 };
 
 use ccm::AeadInPlace;
@@ -12,6 +13,7 @@ use p256::elliptic_curve::point::DecompressPoint;
 use sha2::Digest;
 
 type AesCcm16_64_128 = ccm::Ccm<aes::Aes128, ccm::consts::U8, ccm::consts::U13>;
+type AesCcm16_128_128 = ccm::Ccm<aes::Aes128, ccm::consts::U16, ccm::consts::U13>;
 
 /// A type representing cryptographic operations through various RustCrypto crates (eg. [aes],
 /// [ccm], [p256]).
@@ -72,51 +74,81 @@ impl<Rng: rand_core::RngCore + rand_core::CryptoRng> CryptoTrait for Crypto<Rng>
         extracted.finalize().0.into()
     }
 
-    fn aes_ccm_encrypt_tag_8<const N: usize>(
+    fn aes_ccm_encrypt<const N: usize, Tag: CcmTagLen>(
         &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
         ad: &[u8],
         plaintext: &[u8],
     ) -> EdhocBuffer<N> {
-        let key = AesCcm16_64_128::new(key.into());
         let mut outbuffer = EdhocBuffer::new_from_slice(plaintext).unwrap();
         #[allow(
             deprecated,
             reason = "hax won't allow creating a .as_mut_slice() method"
         )]
-        if let Ok(tag) =
-            key.encrypt_in_place_detached(iv.into(), ad, &mut outbuffer.content[..plaintext.len()])
-        {
-            outbuffer.extend_from_slice(&tag).unwrap();
-        } else {
-            panic!("Preconfigured sizes should not allow encryption to fail")
-        }
+        match Tag::LEN {
+            8 => {
+                let enc = AesCcm16_64_128::new(key.into())
+                    .encrypt_in_place_detached(
+                        iv.into(),
+                        ad,
+                        &mut outbuffer.content[..plaintext.len()],
+                    )
+                    .expect("Preconfigured sizes should not allow encryption to fail");
+
+                outbuffer.extend_from_slice(&enc).unwrap()
+            }
+
+            16 => {
+                let enc = AesCcm16_128_128::new(key.into())
+                    .encrypt_in_place_detached(
+                        iv.into(),
+                        ad,
+                        &mut outbuffer.content[..plaintext.len()],
+                    )
+                    .expect("Preconfigured sizes should not allow encryption to fail");
+
+                outbuffer.extend_from_slice(&enc).unwrap()
+            }
+
+            _ => unreachable!(), // CcmTagLen bound guarantees this
+        };
         outbuffer
     }
 
-    fn aes_ccm_decrypt_tag_8<const N: usize>(
+    fn aes_ccm_decrypt<const N: usize, Tag: CcmTagLen>(
         &mut self,
         key: &BytesCcmKeyLen,
         iv: &BytesCcmIvLen,
         ad: &[u8],
         ciphertext: &[u8],
     ) -> Result<EdhocBuffer<N>, EDHOCError> {
-        let key = AesCcm16_64_128::new(key.into());
-        let plaintext_len = ciphertext.len() - AES_CCM_TAG_LEN;
+        let plaintext_len = ciphertext.len() - Tag::LEN;
         let mut buffer = EdhocBuffer::new_from_slice(&ciphertext[..plaintext_len]).unwrap();
         let tag = &ciphertext[plaintext_len..];
         #[allow(
             deprecated,
             reason = "hax won't allow creating a .as_mut_slice() method"
         )]
-        key.decrypt_in_place_detached(
-            iv.into(),
-            ad,
-            &mut buffer.content[..plaintext_len],
-            tag.into(),
-        )
-        .map_err(|_| EDHOCError::MacVerificationFailed)?;
+        match Tag::LEN {
+            8 => AesCcm16_64_128::new(key.into())
+                .decrypt_in_place_detached(
+                    iv.into(),
+                    ad,
+                    &mut buffer.content[..plaintext_len],
+                    tag.into(),
+                )
+                .map_err(|_| EDHOCError::MacVerificationFailed)?,
+            16 => AesCcm16_128_128::new(key.into())
+                .decrypt_in_place_detached(
+                    iv.into(),
+                    ad,
+                    &mut buffer.content[..plaintext_len],
+                    tag.into(),
+                )
+                .map_err(|_| EDHOCError::MacVerificationFailed)?,
+            _ => unreachable!(), // CcmTagLen bound guarantees this
+        };
         Ok(buffer)
     }
 
@@ -153,3 +185,23 @@ impl<Rng: rand_core::RngCore + rand_core::CryptoRng> CryptoTrait for Crypto<Rng>
         (private_key.into(), public_key.into())
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use lakers_shared::test_helper::{
+        test_aes_ccm_roundtrip, test_aes_ccm_tag_16, test_aes_ccm_tag_8,
+    };
+    use lakers_shared::{CcmTagLen16, CcmTagLen8};
+
+    use super::*;
+
+    #[test]
+    fn test_rustcrypto_aes_ccm() {
+        let mut crypto = Crypto::new(rand_core::OsRng);
+        test_aes_ccm_roundtrip::<Crypto<rand_core::OsRng>, CcmTagLen8>(&mut crypto);
+        test_aes_ccm_roundtrip::<Crypto<rand_core::OsRng>, CcmTagLen16>(&mut crypto);
+
+        test_aes_ccm_tag_8::<Crypto<rand_core::OsRng>>(&mut crypto);
+        test_aes_ccm_tag_16::<Crypto<rand_core::OsRng>>(&mut crypto);
+    }
+}

ead/lakers-ead-authz/src/device.rs

@@ -107,7 +107,12 @@ fn encrypt_enc_id<Crypto: CryptoTrait>(
     let enc_structure = encode_enc_structure(ss);
 
     // ENC_ID = 'ciphertext' of COSE_Encrypt0
-    crypto.aes_ccm_encrypt_tag_8(&k_1, &iv_1, &enc_structure[..], plaintext.as_slice())
+    crypto.aes_ccm_encrypt::<MAX_MESSAGE_SIZE_LEN, CcmTagLen8>(
+        &k_1,
+        &iv_1,
+        &enc_structure[..],
+        plaintext.as_slice(),
+    )
 }
 
 fn encode_ead_1_value(loc_w: &EdhocMessageBuffer, enc_id: &EdhocMessageBuffer) -> EADBuffer {

ead/lakers-ead-authz/src/server.rs

@@ -139,7 +139,12 @@ fn decrypt_enc_id<Crypto: CryptoTrait>(
     let enc_structure = encode_enc_structure(ss);
 
     // ENC_ID = 'ciphertext' of COSE_Encrypt0
-    crypto.aes_ccm_decrypt_tag_8(&k_1, &iv_1, &enc_structure[..], enc_id.as_slice())
+    crypto.aes_ccm_decrypt::<MAX_MESSAGE_SIZE_LEN, CcmTagLen8>(
+        &k_1,
+        &iv_1,
+        &enc_structure[..],
+        enc_id.as_slice(),
+    )
 }
 
 fn decode_id_u(id_u_bstr: EdhocMessageBuffer) -> Result<EdhocMessageBuffer, EDHOCError> {

lib/src/edhoc.rs

@@ -681,8 +681,13 @@ fn encrypt_message_3(
 
     let (k_3, iv_3) = compute_k_3_iv_3(crypto, prk_3e2m, th_3);
 
-    let ciphertext_3: BufferCiphertext3 =
-        crypto.aes_ccm_encrypt_tag_8(&k_3, &iv_3, &enc_structure[..], plaintext_3.as_slice());
+    let ciphertext_3: BufferCiphertext3 = crypto
+        .aes_ccm_encrypt::<MAX_MESSAGE_SIZE_LEN, CcmTagLen8>(
+            &k_3,
+            &iv_3,
+            &enc_structure[..],
+            plaintext_3.as_slice(),
+        );
 
     output.extend_from_slice(ciphertext_3.as_slice()).unwrap();
 
@@ -724,7 +729,12 @@ fn decrypt_message_3(
 
     let enc_structure = encode_enc_structure(th_3);
 
-    crypto.aes_ccm_decrypt_tag_8(&k_3, &iv_3, &enc_structure, ciphertext_3.as_slice())
+    crypto.aes_ccm_decrypt::<MAX_MESSAGE_SIZE_LEN, CcmTagLen8>(
+        &k_3,
+        &iv_3,
+        &enc_structure,
+        ciphertext_3.as_slice(),
+    )
 }
 
 fn encrypt_message_4(
@@ -751,8 +761,13 @@ fn encrypt_message_4(
 
     let (k_4, iv_4) = compute_k_4_iv_4(crypto, prk_4e3m, th_4);
 
-    let ciphertext_4: BufferCiphertext4 =
-        crypto.aes_ccm_encrypt_tag_8(&k_4, &iv_4, &enc_structure[..], plaintext_4.as_slice());
+    let ciphertext_4: BufferCiphertext4 = crypto
+        .aes_ccm_encrypt::<MAX_MESSAGE_SIZE_LEN, CcmTagLen8>(
+            &k_4,
+            &iv_4,
+            &enc_structure[..],
+            plaintext_4.as_slice(),
+        );
 
     output.extend_from_slice(ciphertext_4.as_slice()).unwrap();
 
@@ -794,7 +809,12 @@ fn decrypt_message_4(
 
     let enc_structure = encode_enc_structure(th_4);
 
-    crypto.aes_ccm_decrypt_tag_8(&k_4, &iv_4, &enc_structure, ciphertext_4.as_slice())
+    crypto.aes_ccm_decrypt::<MAX_MESSAGE_SIZE_LEN, CcmTagLen8>(
+        &k_4,
+        &iv_4,
+        &enc_structure,
+        ciphertext_4.as_slice(),
+    )
 }
 
 // output must hold id_cred.len() + cred.len()