This file is more or less new code; it's free to follow style(9) from the beginning.

So nitpicks here: Blank line between variable declarations and first statement; and return (retval);.

ditto the blank line thing

Seems like retval could be named something more descriptive, like B0 or MAC.

And temp_block is maybe auth_block or something (staging_block would match software CBC-MAC).

Does __m128i foo = 0; generate different code than __m128i foo = _mm_setzero_si128();? It isn't important, I'm just vaguely curious.

Edit: Ahhh, __m128i is literally a vector, rather than integral, type, according to the compiler. So it cannot simply be initialized with an integer.

Could just use

be16enc(&temp_block, auth_len);

What do you mean by calling convention? The immediate function takes a size_t, which can represent larger values.

I understand that internally OCF deals only in int sizes, but I'd suggest either implementing the 3rd mode or asserting we're within range of the 2nd mode anyway.

Simplified:

be16enc(&temp_block, 0xfffe);
be32enc((char *)&temp_block + 2, auth_len);

style nit: sizeof(temp_block), for consistency with the object we're acting on

typo: abytes

usually spelled "4 GB" or "4 gigabytes" but not "4gbytes"

I don't know what these pre-processor error directives (there are a few) are intended to be, but probably remove them before commit. (Figure out how to incorporate them into comments or code, if necessary.)

Ugh. I know you just inherited this mess from GCM, but what an obnoxious API :P.

Is it impossible to generate a tag for AAD without any ciphered input?

You don't need explicit_bzero for ordinary initializations. Here _mm_setzero_si128 would be fine. explicit_bzero is for deleting private keys when you release memory.

Also, current_block is never used?

So really last_block is the rolling MAC value. I'd suggest a name incorporating MAC, for clarity.

Right, ok, we're generating a keystream from an encrypted series of counter blocks.

style nit: Usually we at declare variables at the beginning of some scope, if not function scope.

This step doesn't have any dependency on the data, right? We could do it earlier, as soon as we have saved a copy in s_x for use in generating the keystream.

style: Empty return

Here is where you would explicit_bzero() sensitive data, like maybe last_block, s0, temp_block, and X.

maybe this is just phabricator, but it looks like there are extra spaces between __m128i and s0

style(9) nit: pointers aren't booleans; compare with null in expressions. Ditto below.

It's not a hash. It's a MAC, or tag.

You already zero padded temp_block on lines 322-325.

Not that they're different types, but since this acts on pad_block, sizeof(pad_block) is slightly more appropriate

empty return

probably also the last block of decrypted plaintext is sensitive (temp_block)? And perhaps the tag, hash_block.

No verifying of the tag over the AAD?

s_x is never used?

timingsafe_bcmp

style(9) nit: return (0);

Huh. I hadn't thought about that, but looks like it can. Thanks! (I'm working on the other feedback as well.)

I find memcpy backwards, bcopy sane. But it's also kernel code, and bcopy/bzero is more prevalent than memcpy/memset.

ha. I did not know about those. Much nicer.

I deal with bits (networking stuff) so often that my habit is to specify Xbits or Xbytes as appropriate.

Old debugging code, I've gotten rid of all of them.

I hate any function with more than 6 arguments. That's from compiler work decades ago ;).

I am, *always*, horrible at naming things. I changed it to "rolling_mac".

I put it there because of how the spec was written.

There was in at least one place, fixed.

Done, I believe.

Is the tag sensitive? I've got it in the new changes, but since it's part of the message, I'm not sure it's sensitive?

I changed both of them to check for message and aad len being zero for early exit.

Good catch, holdover from the older code.

I think we lost 0xfffe?

bcopy/bzero is more prevalent than memcpy/memset.

How did you arrive at that conclusion? Recursive grep suggests the opposite is true.

Being explicit about bytes is harmless, but we're missing a space and a full SI-prefix.

Thanks

This is the correct tag, as opposed to the one provided by the attacker in the message. It's sensitive, no?

Yeah, put back and explicitly tested the larger AAD lengths.

Older check. "_was_ more prevalent" it turns out.

FWIW, I've sorted these alphabetically in the manpage for ccr and think it wouldn't hurt to do the same here.

Unrelated, it seems like SHA224 is missing (that might be a cem@ bug and a separate commit to fix).

So we do have AES_CBC_MAC_HASH_LEN which is what I used in ccr(4) as the equivalent of GMAC_DIGEST_LEN. I prefer the explicit constants as right now this is hardcoding the assumption that CCM and GCM have the same tags. We could instead add a _Static_assert() that 'sizeof(tag) >= GMAC_DIGEST_LEN' for the GCM case and something similar for CCM.

Nit: s/put/Put/

FWIW, this will be the 3rd copy of this code in the tree (plain software generates the B0 block, ccr has a 'generate_ccm_b0' function). Someday we should export a shared helper function, but we don't have to do that as part of this change.

For actual CCM I think the limits are 7 and 13.

I didn't touch that -- but it's possible I'm out of date. I'll do an update before I upload these modified diffs.

Keyboard issues.

That may be right, the spec just said "15-L octets"; it clearly can't be 0, since it says it must also be unique. But the other constraints on L aren't as clear to me.

Right, I didn't enumerate SHA224 independent of SHA256 (nor the HMAC varieties) in the device string. It's really just SHA256 with a different initial vector and truncated result. Maybe it should be included (unrelated to CCM).

I still find hashp and hash_block problematic here; these have specific cryptographic meaning that AES-CBC-MAC does not satisfy. macp/mac_block (or tagp/tag_block) would be totally fine.

NIST 800-38c §A.1 states n ∈ [7, 13].

still present