review CCM

* improve some comments
* harden some arguments
* fix the overflow warning

fixes #555, fixes #544

Author: sjaeckel

src/encauth/ccm/ccm_add_nonce.c

@@ -25,6 +25,9 @@ int ccm_add_nonce(ccm_state *ccm,
    if ((15 - ccm->noncelen) > ccm->L) {
       ccm->L = 15 - ccm->noncelen;
    }
+   if (ccm->L > 8) {
+      return CRYPT_INVALID_ARG;
+   }
 
    /* decrease noncelen to match L */
    if ((ccm->noncelen + ccm->L) > 15) {
@@ -38,7 +41,7 @@ int ccm_add_nonce(ccm_state *ccm,
                    (ccm->L-1));
 
    /* nonce */
-   for (y = 0; y < (16 - (ccm->L + 1)); y++) {
+   for (y = 0; y < 15 - ccm->L; y++) {
       ccm->PAD[x++] = nonce[y];
    }
 

src/encauth/ccm/ccm_init.c

@@ -35,7 +35,7 @@ int ccm_init(ccm_state *ccm, int cipher,
    }
 
    /* make sure the taglen is valid */
-   if (taglen < 4 || taglen > 16 || (taglen % 2) == 1) {
+   if (taglen < 4 || taglen > 16 || (taglen % 2) == 1 || aadlen < 0 || ptlen < 0) {
       return CRYPT_INVALID_ARG;
    }
    ccm->taglen = taglen;

src/encauth/ccm/ccm_memory.c

@@ -75,7 +75,7 @@ int ccm_memory(int cipher,
    }
 
    /* make sure the taglen is valid */
-   if (*taglen < 4 || *taglen > 16 || (*taglen % 2) == 1) {
+   if (*taglen < 4 || *taglen > 16 || (*taglen % 2) == 1 || headerlen > 0x7fffffffu) {
       return CRYPT_INVALID_ARG;
    }
 
@@ -108,6 +108,9 @@ int ccm_memory(int cipher,
    if ((15 - noncelen) > L) {
       L = 15 - noncelen;
    }
+   if (L > 8) {
+      return CRYPT_INVALID_ARG;
+   }
 
    /* allocate mem for the symmetric key */
    if (uskey == NULL) {
@@ -141,7 +144,7 @@ int ccm_memory(int cipher,
             (L-1));
 
    /* nonce */
-   for (y = 0; y < (16 - (L + 1)); y++) {
+   for (y = 0; y < 15 - L; y++) {
        PAD[x++] = nonce[y];
    }
 

src/headers/tomcrypt_mac.h

@@ -395,7 +395,7 @@ int ocb3_test(void);
 typedef struct {
    symmetric_key       K;
    int                 cipher,               /* which cipher */
-                       taglen,               /* length of the tag */
+                       taglen,               /* length of the tag (encoded in M value) */
                        x;                    /* index in PAD */
 
    unsigned long       L,                    /* L value */
@@ -405,7 +405,7 @@ typedef struct {
                        current_aadlen,       /* length of the currently provided add */
                        noncelen;             /* length of the nonce */
 
-   unsigned char       PAD[16],
+   unsigned char       PAD[16],              /* flags | Nonce N | l(m) */
                        ctr[16],
                        CTRPAD[16],
                        CTRlen;