
2  *  NIST SP800-38C compliant CCM implementation
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10 * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
11 * RFC 3610 "Counter with CBC-MAC (CCM)"
60 mbedtls_block_cipher_free(&ctx->block_cipher_ctx); in mbedtls_ccm_setkey()
62 if ((ret = mbedtls_block_cipher_setup(&ctx->block_cipher_ctx, cipher)) != 0) { in mbedtls_ccm_setkey()
66 if ((ret = mbedtls_block_cipher_setkey(&ctx->block_cipher_ctx, key, keybits)) != 0) { in mbedtls_ccm_setkey()
82 mbedtls_cipher_free(&ctx->cipher_ctx); in mbedtls_ccm_setkey()
84 if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0) { in mbedtls_ccm_setkey()
88 if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits, in mbedtls_ccm_setkey()
106 mbedtls_block_cipher_free(&ctx->block_cipher_ctx); in mbedtls_ccm_free()
108 mbedtls_cipher_free(&ctx->cipher_ctx); in mbedtls_ccm_free()
132 ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->ctr, tmp_buf); in mbedtls_ccm_crypt()
135 ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->ctr, 16, tmp_buf, &olen); in mbedtls_ccm_crypt()
138 ctx->state |= CCM_STATE__ERROR; in mbedtls_ccm_crypt()
151 ctx->state = CCM_STATE__CLEAR; in mbedtls_ccm_clear_state()
152 memset(ctx->y, 0, 16); in mbedtls_ccm_clear_state()
153 memset(ctx->ctr, 0, 16); in mbedtls_ccm_clear_state()
168 if (!(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGTHS_SET)) { in ccm_calculate_first_block_if_ready()
172 /* CCM expects non-empty tag. in ccm_calculate_first_block_if_ready()
175 if (ctx->tag_len == 0) { in ccm_calculate_first_block_if_ready()
176 if (ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT || ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) { in ccm_calculate_first_block_if_ready()
177 ctx->plaintext_len = 0; in ccm_calculate_first_block_if_ready()
187 * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts() in ccm_calculate_first_block_if_ready()
192 * 6 add present? in ccm_calculate_first_block_if_ready()
193 * 5 .. 3 (t - 2) / 2 in ccm_calculate_first_block_if_ready()
194 * 2 .. 0 q - 1 in ccm_calculate_first_block_if_ready()
196 ctx->y[0] |= (ctx->add_len > 0) << 6; in ccm_calculate_first_block_if_ready()
197 ctx->y[0] |= ((ctx->tag_len - 2) / 2) << 3; in ccm_calculate_first_block_if_ready()
198 ctx->y[0] |= ctx->q - 1; in ccm_calculate_first_block_if_ready()
200 for (i = 0, len_left = ctx->plaintext_len; i < ctx->q; i++, len_left >>= 8) { in ccm_calculate_first_block_if_ready()
201 ctx->y[15-i] = MBEDTLS_BYTE_0(len_left); in ccm_calculate_first_block_if_ready()
205 ctx->state |= CCM_STATE__ERROR; in ccm_calculate_first_block_if_ready()
209 /* Start CBC-MAC with first block*/ in ccm_calculate_first_block_if_ready()
211 ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y); in ccm_calculate_first_block_if_ready()
213 ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen); in ccm_calculate_first_block_if_ready()
216 ctx->state |= CCM_STATE__ERROR; in ccm_calculate_first_block_if_ready()
233 ctx->mode = mode; in mbedtls_ccm_starts()
234 ctx->q = 16 - 1 - (unsigned char) iv_len; in mbedtls_ccm_starts()
244 * 2 .. 0 q - 1 in mbedtls_ccm_starts()
246 memset(ctx->ctr, 0, 16); in mbedtls_ccm_starts()
247 ctx->ctr[0] = ctx->q - 1; in mbedtls_ccm_starts()
248 memcpy(ctx->ctr + 1, iv, iv_len); in mbedtls_ccm_starts()
249 memset(ctx->ctr + 1 + iv_len, 0, ctx->q); in mbedtls_ccm_starts()
250 ctx->ctr[15] = 1; in mbedtls_ccm_starts()
255 memcpy(ctx->y + 1, iv, iv_len); in mbedtls_ccm_starts()
257 ctx->state |= CCM_STATE__STARTED; in mbedtls_ccm_starts()
267 * Check length requirements: SP800-38C A.1 in mbedtls_ccm_set_lengths()
268 * Additional (implementation-specific) requirement: a < 2^16 - 2^8, so that the AD length can be encoded in the fixed two-byte prefix that is XORed into y[0..1] in mbedtls_ccm_update_ad(), simplifying the code. in mbedtls_ccm_set_lengths()
281 ctx->plaintext_len = plaintext_len; in mbedtls_ccm_set_lengths()
282 ctx->add_len = total_ad_len; in mbedtls_ccm_set_lengths()
283 ctx->tag_len = tag_len; in mbedtls_ccm_set_lengths()
284 ctx->processed = 0; in mbedtls_ccm_set_lengths()
286 ctx->state |= CCM_STATE__LENGTHS_SET; in mbedtls_ccm_set_lengths()
291 const unsigned char *add, in mbedtls_ccm_update_ad() argument
300 if (ctx->state & CCM_STATE__ERROR) { in mbedtls_ccm_update_ad()
305 if (ctx->state & CCM_STATE__AUTH_DATA_FINISHED) { in mbedtls_ccm_update_ad()
309 if (!(ctx->state & CCM_STATE__AUTH_DATA_STARTED)) { in mbedtls_ccm_update_ad()
310 if (add_len > ctx->add_len) { in mbedtls_ccm_update_ad()
314 ctx->y[0] ^= (unsigned char) ((ctx->add_len >> 8) & 0xFF); in mbedtls_ccm_update_ad()
315 ctx->y[1] ^= (unsigned char) ((ctx->add_len) & 0xFF); in mbedtls_ccm_update_ad()
317 ctx->state |= CCM_STATE__AUTH_DATA_STARTED; in mbedtls_ccm_update_ad()
318 } else if (ctx->processed + add_len > ctx->add_len) { in mbedtls_ccm_update_ad()
323 offset = (ctx->processed + 2) % 16; /* account for y[0] and y[1] in mbedtls_ccm_update_ad()
325 use_len = 16 - offset; in mbedtls_ccm_update_ad()
331 mbedtls_xor(ctx->y + offset, ctx->y + offset, add, use_len); in mbedtls_ccm_update_ad()
333 ctx->processed += use_len; in mbedtls_ccm_update_ad()
334 add_len -= use_len; in mbedtls_ccm_update_ad()
335 add += use_len; in mbedtls_ccm_update_ad()
337 if (use_len + offset == 16 || ctx->processed == ctx->add_len) { in mbedtls_ccm_update_ad()
339 ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y); in mbedtls_ccm_update_ad()
341 ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen); in mbedtls_ccm_update_ad()
344 ctx->state |= CCM_STATE__ERROR; in mbedtls_ccm_update_ad()
350 if (ctx->processed == ctx->add_len) { in mbedtls_ccm_update_ad()
351 ctx->state |= CCM_STATE__AUTH_DATA_FINISHED; in mbedtls_ccm_update_ad()
352 ctx->processed = 0; // prepare for mbedtls_ccm_update() in mbedtls_ccm_update_ad()
373 if (ctx->state & CCM_STATE__ERROR) { in mbedtls_ccm_update()
380 if (ctx->tag_len != 0 && ctx->processed + input_len > ctx->plaintext_len) { in mbedtls_ccm_update()
392 offset = ctx->processed % 16; in mbedtls_ccm_update()
394 use_len = 16 - offset; in mbedtls_ccm_update()
400 ctx->processed += use_len; in mbedtls_ccm_update()
402 if (ctx->mode == MBEDTLS_CCM_ENCRYPT || \ in mbedtls_ccm_update()
403 ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT) { in mbedtls_ccm_update()
404 mbedtls_xor(ctx->y + offset, ctx->y + offset, input, use_len); in mbedtls_ccm_update()
406 if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) { in mbedtls_ccm_update()
408 ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y); in mbedtls_ccm_update()
410 ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen); in mbedtls_ccm_update()
413 ctx->state |= CCM_STATE__ERROR; in mbedtls_ccm_update()
424 if (ctx->mode == MBEDTLS_CCM_DECRYPT || \ in mbedtls_ccm_update()
425 ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) { in mbedtls_ccm_update()
437 mbedtls_xor(ctx->y + offset, ctx->y + offset, local_output, use_len); in mbedtls_ccm_update()
441 if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) { in mbedtls_ccm_update()
443 ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y); in mbedtls_ccm_update()
445 ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen); in mbedtls_ccm_update()
448 ctx->state |= CCM_STATE__ERROR; in mbedtls_ccm_update()
454 if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) { in mbedtls_ccm_update()
455 for (i = 0; i < ctx->q; i++) { in mbedtls_ccm_update()
456 if (++(ctx->ctr)[15-i] != 0) { in mbedtls_ccm_update()
462 input_len -= use_len; in mbedtls_ccm_update()
479 if (ctx->state & CCM_STATE__ERROR) { in mbedtls_ccm_finish()
483 if (ctx->add_len > 0 && !(ctx->state & CCM_STATE__AUTH_DATA_FINISHED)) { in mbedtls_ccm_finish()
487 if (ctx->plaintext_len > 0 && ctx->processed != ctx->plaintext_len) { in mbedtls_ccm_finish()
494 for (i = 0; i < ctx->q; i++) { in mbedtls_ccm_finish()
495 ctx->ctr[15-i] = 0; in mbedtls_ccm_finish()
498 ret = mbedtls_ccm_crypt(ctx, 0, 16, ctx->y, ctx->y); in mbedtls_ccm_finish()
503 memcpy(tag, ctx->y, tag_len); in mbedtls_ccm_finish()
515 const unsigned char *add, size_t add_len, in ccm_auth_crypt() argument
530 if ((ret = mbedtls_ccm_update_ad(ctx, add, add_len)) != 0) { in ccm_auth_crypt()
551 const unsigned char *add, size_t add_len, in mbedtls_ccm_star_encrypt_and_tag() argument
556 add, add_len, input, output, tag, tag_len); in mbedtls_ccm_star_encrypt_and_tag()
561 const unsigned char *add, size_t add_len, in mbedtls_ccm_encrypt_and_tag() argument
566 add, add_len, input, output, tag, tag_len); in mbedtls_ccm_encrypt_and_tag()
576 /* Check tag in "constant-time" */ in mbedtls_ccm_compare_tags()
588 const unsigned char *add, size_t add_len, in ccm_auth_decrypt() argument
596 iv, iv_len, add, add_len, in ccm_auth_decrypt()
611 const unsigned char *add, size_t add_len, in mbedtls_ccm_star_auth_decrypt() argument
616 iv, iv_len, add, add_len, in mbedtls_ccm_star_auth_decrypt()
622 const unsigned char *add, size_t add_len, in mbedtls_ccm_auth_decrypt() argument
627 iv, iv_len, add, add_len, in mbedtls_ccm_auth_decrypt()
634 * Examples 1 to 3 from SP800-38C Appendix C
707 mbedtls_printf(" CCM-AES #%u: ", (unsigned int) i + 1); in mbedtls_ccm_self_test()