1c6672fdcSEdison Ai // SPDX-License-Identifier: Apache-2.0 2817466cbSJens Wiklander /* 3817466cbSJens Wiklander * NIST SP800-38C compliant CCM implementation 4817466cbSJens Wiklander * 5817466cbSJens Wiklander * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6817466cbSJens Wiklander * 7817466cbSJens Wiklander * Licensed under the Apache License, Version 2.0 (the "License"); you may 8817466cbSJens Wiklander * not use this file except in compliance with the License. 9817466cbSJens Wiklander * You may obtain a copy of the License at 10817466cbSJens Wiklander * 11817466cbSJens Wiklander * http://www.apache.org/licenses/LICENSE-2.0 12817466cbSJens Wiklander * 13817466cbSJens Wiklander * Unless required by applicable law or agreed to in writing, software 14817466cbSJens Wiklander * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15817466cbSJens Wiklander * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16817466cbSJens Wiklander * See the License for the specific language governing permissions and 17817466cbSJens Wiklander * limitations under the License. 18817466cbSJens Wiklander * 19817466cbSJens Wiklander * This file is part of mbed TLS (https://tls.mbed.org) 20817466cbSJens Wiklander */ 21817466cbSJens Wiklander 22817466cbSJens Wiklander /* 23817466cbSJens Wiklander * Definition of CCM: 24817466cbSJens Wiklander * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf 25817466cbSJens Wiklander * RFC 3610 "Counter with CBC-MAC (CCM)" 26817466cbSJens Wiklander * 27817466cbSJens Wiklander * Related: 28817466cbSJens Wiklander * RFC 5116 "An Interface and Algorithms for Authenticated Encryption" 29817466cbSJens Wiklander */ 30817466cbSJens Wiklander 31817466cbSJens Wiklander #if !defined(MBEDTLS_CONFIG_FILE) 32817466cbSJens Wiklander #include "mbedtls/config.h" 33817466cbSJens Wiklander #else 34817466cbSJens Wiklander #include MBEDTLS_CONFIG_FILE 35817466cbSJens Wiklander #endif 36817466cbSJens Wiklander 37817466cbSJens Wiklander #if defined(MBEDTLS_CCM_C) 38817466cbSJens Wiklander 39817466cbSJens Wiklander #include "mbedtls/ccm.h" 403d3b0591SJens Wiklander #include "mbedtls/platform_util.h" 41*11fa71b9SJerome Forissier #include "mbedtls/error.h" 42817466cbSJens Wiklander 43817466cbSJens Wiklander #include <string.h> 44817466cbSJens Wiklander 45817466cbSJens Wiklander #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) 46817466cbSJens Wiklander #if defined(MBEDTLS_PLATFORM_C) 47817466cbSJens Wiklander #include "mbedtls/platform.h" 48817466cbSJens Wiklander #else 49817466cbSJens Wiklander #include <stdio.h> 50817466cbSJens Wiklander #define mbedtls_printf printf 51817466cbSJens Wiklander #endif /* MBEDTLS_PLATFORM_C */ 52817466cbSJens Wiklander #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ 53817466cbSJens Wiklander 543d3b0591SJens Wiklander #if !defined(MBEDTLS_CCM_ALT) 553d3b0591SJens Wiklander 563d3b0591SJens Wiklander #define CCM_VALIDATE_RET( cond ) \ 573d3b0591SJens Wiklander MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CCM_BAD_INPUT ) 583d3b0591SJens Wiklander #define CCM_VALIDATE( cond ) \ 593d3b0591SJens Wiklander MBEDTLS_INTERNAL_VALIDATE( cond ) 60817466cbSJens Wiklander 61817466cbSJens Wiklander #define CCM_ENCRYPT 0 62817466cbSJens Wiklander #define CCM_DECRYPT 1 63817466cbSJens Wiklander 64817466cbSJens Wiklander /* 65817466cbSJens Wiklander * Initialize context 66817466cbSJens Wiklander */ 67817466cbSJens Wiklander void mbedtls_ccm_init( mbedtls_ccm_context *ctx ) 68817466cbSJens Wiklander { 693d3b0591SJens Wiklander CCM_VALIDATE( ctx != NULL ); 70817466cbSJens Wiklander memset( ctx, 0, sizeof( mbedtls_ccm_context ) ); 71817466cbSJens Wiklander } 72817466cbSJens Wiklander 73817466cbSJens Wiklander int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx, 74817466cbSJens Wiklander mbedtls_cipher_id_t cipher, 75817466cbSJens Wiklander const unsigned char *key, 76817466cbSJens Wiklander unsigned int keybits ) 77817466cbSJens Wiklander { 78*11fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 79817466cbSJens Wiklander const mbedtls_cipher_info_t *cipher_info; 80817466cbSJens Wiklander 813d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 823d3b0591SJens Wiklander CCM_VALIDATE_RET( key != NULL ); 833d3b0591SJens Wiklander 84*11fa71b9SJerome Forissier cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, 85*11fa71b9SJerome Forissier MBEDTLS_MODE_ECB ); 86817466cbSJens Wiklander if( cipher_info == NULL ) 87817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 88817466cbSJens Wiklander 89817466cbSJens Wiklander if( cipher_info->block_size != 16 ) 90817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 91817466cbSJens Wiklander 92817466cbSJens Wiklander mbedtls_cipher_free( &ctx->cipher_ctx ); 93817466cbSJens Wiklander 94817466cbSJens Wiklander if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 ) 95817466cbSJens Wiklander return( ret ); 96817466cbSJens Wiklander 97817466cbSJens Wiklander if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits, 98817466cbSJens Wiklander MBEDTLS_ENCRYPT ) ) != 0 ) 99817466cbSJens Wiklander { 100817466cbSJens Wiklander return( ret ); 101817466cbSJens Wiklander } 102817466cbSJens Wiklander 103817466cbSJens Wiklander return( 0 ); 104817466cbSJens Wiklander } 105817466cbSJens Wiklander 106817466cbSJens Wiklander /* 107817466cbSJens Wiklander * Free context 108817466cbSJens Wiklander */ 109817466cbSJens Wiklander void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) 110817466cbSJens Wiklander { 1113d3b0591SJens Wiklander if( ctx == NULL ) 1123d3b0591SJens Wiklander return; 113817466cbSJens Wiklander mbedtls_cipher_free( &ctx->cipher_ctx ); 1143d3b0591SJens Wiklander mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ccm_context ) ); 115817466cbSJens Wiklander } 116817466cbSJens Wiklander 117817466cbSJens Wiklander /* 118817466cbSJens Wiklander * Macros for common operations. 119817466cbSJens Wiklander * Results in smaller compiled code than static inline functions. 120817466cbSJens Wiklander */ 121817466cbSJens Wiklander 122817466cbSJens Wiklander /* 123817466cbSJens Wiklander * Update the CBC-MAC state in y using a block in b 124817466cbSJens Wiklander * (Always using b as the source helps the compiler optimise a bit better.) 125817466cbSJens Wiklander */ 126817466cbSJens Wiklander #define UPDATE_CBC_MAC \ 127817466cbSJens Wiklander for( i = 0; i < 16; i++ ) \ 128817466cbSJens Wiklander y[i] ^= b[i]; \ 129817466cbSJens Wiklander \ 130817466cbSJens Wiklander if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \ 131817466cbSJens Wiklander return( ret ); 132817466cbSJens Wiklander 133817466cbSJens Wiklander /* 134817466cbSJens Wiklander * Encrypt or decrypt a partial block with CTR 135817466cbSJens Wiklander * Warning: using b for temporary storage! src and dst must not be b! 136817466cbSJens Wiklander * This avoids allocating one more 16 bytes buffer while allowing src == dst. 137817466cbSJens Wiklander */ 138817466cbSJens Wiklander #define CTR_CRYPT( dst, src, len ) \ 1395b25c76aSJerome Forissier do \ 1405b25c76aSJerome Forissier { \ 1415b25c76aSJerome Forissier if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr, \ 1425b25c76aSJerome Forissier 16, b, &olen ) ) != 0 ) \ 1435b25c76aSJerome Forissier { \ 144817466cbSJens Wiklander return( ret ); \ 1455b25c76aSJerome Forissier } \ 146817466cbSJens Wiklander \ 1475b25c76aSJerome Forissier for( i = 0; i < (len); i++ ) \ 1485b25c76aSJerome Forissier (dst)[i] = (src)[i] ^ b[i]; \ 1495b25c76aSJerome Forissier } while( 0 ) 150817466cbSJens Wiklander 151817466cbSJens Wiklander /* 152817466cbSJens Wiklander * Authenticated encryption or decryption 153817466cbSJens Wiklander */ 154817466cbSJens Wiklander static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, 155817466cbSJens Wiklander const unsigned char *iv, size_t iv_len, 156817466cbSJens Wiklander const unsigned char *add, size_t add_len, 157817466cbSJens Wiklander const unsigned char *input, unsigned char *output, 158817466cbSJens Wiklander unsigned char *tag, size_t tag_len ) 159817466cbSJens Wiklander { 160*11fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 161817466cbSJens Wiklander unsigned char i; 162817466cbSJens Wiklander unsigned char q; 163817466cbSJens Wiklander size_t len_left, olen; 164817466cbSJens Wiklander unsigned char b[16]; 165817466cbSJens Wiklander unsigned char y[16]; 166817466cbSJens Wiklander unsigned char ctr[16]; 167817466cbSJens Wiklander const unsigned char *src; 168817466cbSJens Wiklander unsigned char *dst; 169817466cbSJens Wiklander 170817466cbSJens Wiklander /* 171817466cbSJens Wiklander * Check length requirements: SP800-38C A.1 172817466cbSJens Wiklander * Additional requirement: a < 2^16 - 2^8 to simplify the code. 173817466cbSJens Wiklander * 'length' checked later (when writing it to the first block) 1743d3b0591SJens Wiklander * 1753d3b0591SJens Wiklander * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4). 176817466cbSJens Wiklander */ 1773d3b0591SJens Wiklander if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 ) 178817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 179817466cbSJens Wiklander 180817466cbSJens Wiklander /* Also implies q is within bounds */ 181817466cbSJens Wiklander if( iv_len < 7 || iv_len > 13 ) 182817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 183817466cbSJens Wiklander 184817466cbSJens Wiklander if( add_len > 0xFF00 ) 185817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 186817466cbSJens Wiklander 187817466cbSJens Wiklander q = 16 - 1 - (unsigned char) iv_len; 188817466cbSJens Wiklander 189817466cbSJens Wiklander /* 190817466cbSJens Wiklander * First block B_0: 191817466cbSJens Wiklander * 0 .. 0 flags 192817466cbSJens Wiklander * 1 .. iv_len nonce (aka iv) 193817466cbSJens Wiklander * iv_len+1 .. 15 length 194817466cbSJens Wiklander * 195817466cbSJens Wiklander * With flags as (bits): 196817466cbSJens Wiklander * 7 0 197817466cbSJens Wiklander * 6 add present? 198817466cbSJens Wiklander * 5 .. 3 (t - 2) / 2 199817466cbSJens Wiklander * 2 .. 0 q - 1 200817466cbSJens Wiklander */ 201817466cbSJens Wiklander b[0] = 0; 202817466cbSJens Wiklander b[0] |= ( add_len > 0 ) << 6; 203817466cbSJens Wiklander b[0] |= ( ( tag_len - 2 ) / 2 ) << 3; 204817466cbSJens Wiklander b[0] |= q - 1; 205817466cbSJens Wiklander 206817466cbSJens Wiklander memcpy( b + 1, iv, iv_len ); 207817466cbSJens Wiklander 208817466cbSJens Wiklander for( i = 0, len_left = length; i < q; i++, len_left >>= 8 ) 209817466cbSJens Wiklander b[15-i] = (unsigned char)( len_left & 0xFF ); 210817466cbSJens Wiklander 211817466cbSJens Wiklander if( len_left > 0 ) 212817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 213817466cbSJens Wiklander 214817466cbSJens Wiklander 215817466cbSJens Wiklander /* Start CBC-MAC with first block */ 216817466cbSJens Wiklander memset( y, 0, 16 ); 217817466cbSJens Wiklander UPDATE_CBC_MAC; 218817466cbSJens Wiklander 219817466cbSJens Wiklander /* 220817466cbSJens Wiklander * If there is additional data, update CBC-MAC with 221817466cbSJens Wiklander * add_len, add, 0 (padding to a block boundary) 222817466cbSJens Wiklander */ 223817466cbSJens Wiklander if( add_len > 0 ) 224817466cbSJens Wiklander { 225817466cbSJens Wiklander size_t use_len; 226817466cbSJens Wiklander len_left = add_len; 227817466cbSJens Wiklander src = add; 228817466cbSJens Wiklander 229817466cbSJens Wiklander memset( b, 0, 16 ); 230817466cbSJens Wiklander b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF ); 231817466cbSJens Wiklander b[1] = (unsigned char)( ( add_len ) & 0xFF ); 232817466cbSJens Wiklander 233817466cbSJens Wiklander use_len = len_left < 16 - 2 ? len_left : 16 - 2; 234817466cbSJens Wiklander memcpy( b + 2, src, use_len ); 235817466cbSJens Wiklander len_left -= use_len; 236817466cbSJens Wiklander src += use_len; 237817466cbSJens Wiklander 238817466cbSJens Wiklander UPDATE_CBC_MAC; 239817466cbSJens Wiklander 240817466cbSJens Wiklander while( len_left > 0 ) 241817466cbSJens Wiklander { 242817466cbSJens Wiklander use_len = len_left > 16 ? 16 : len_left; 243817466cbSJens Wiklander 244817466cbSJens Wiklander memset( b, 0, 16 ); 245817466cbSJens Wiklander memcpy( b, src, use_len ); 246817466cbSJens Wiklander UPDATE_CBC_MAC; 247817466cbSJens Wiklander 248817466cbSJens Wiklander len_left -= use_len; 249817466cbSJens Wiklander src += use_len; 250817466cbSJens Wiklander } 251817466cbSJens Wiklander } 252817466cbSJens Wiklander 253817466cbSJens Wiklander /* 254817466cbSJens Wiklander * Prepare counter block for encryption: 255817466cbSJens Wiklander * 0 .. 0 flags 256817466cbSJens Wiklander * 1 .. iv_len nonce (aka iv) 257817466cbSJens Wiklander * iv_len+1 .. 15 counter (initially 1) 258817466cbSJens Wiklander * 259817466cbSJens Wiklander * With flags as (bits): 260817466cbSJens Wiklander * 7 .. 3 0 261817466cbSJens Wiklander * 2 .. 0 q - 1 262817466cbSJens Wiklander */ 263817466cbSJens Wiklander ctr[0] = q - 1; 264817466cbSJens Wiklander memcpy( ctr + 1, iv, iv_len ); 265817466cbSJens Wiklander memset( ctr + 1 + iv_len, 0, q ); 266817466cbSJens Wiklander ctr[15] = 1; 267817466cbSJens Wiklander 268817466cbSJens Wiklander /* 269817466cbSJens Wiklander * Authenticate and {en,de}crypt the message. 270817466cbSJens Wiklander * 271817466cbSJens Wiklander * The only difference between encryption and decryption is 272817466cbSJens Wiklander * the respective order of authentication and {en,de}cryption. 273817466cbSJens Wiklander */ 274817466cbSJens Wiklander len_left = length; 275817466cbSJens Wiklander src = input; 276817466cbSJens Wiklander dst = output; 277817466cbSJens Wiklander 278817466cbSJens Wiklander while( len_left > 0 ) 279817466cbSJens Wiklander { 280817466cbSJens Wiklander size_t use_len = len_left > 16 ? 16 : len_left; 281817466cbSJens Wiklander 282817466cbSJens Wiklander if( mode == CCM_ENCRYPT ) 283817466cbSJens Wiklander { 284817466cbSJens Wiklander memset( b, 0, 16 ); 285817466cbSJens Wiklander memcpy( b, src, use_len ); 286817466cbSJens Wiklander UPDATE_CBC_MAC; 287817466cbSJens Wiklander } 288817466cbSJens Wiklander 289817466cbSJens Wiklander CTR_CRYPT( dst, src, use_len ); 290817466cbSJens Wiklander 291817466cbSJens Wiklander if( mode == CCM_DECRYPT ) 292817466cbSJens Wiklander { 293817466cbSJens Wiklander memset( b, 0, 16 ); 294817466cbSJens Wiklander memcpy( b, dst, use_len ); 295817466cbSJens Wiklander UPDATE_CBC_MAC; 296817466cbSJens Wiklander } 297817466cbSJens Wiklander 298817466cbSJens Wiklander dst += use_len; 299817466cbSJens Wiklander src += use_len; 300817466cbSJens Wiklander len_left -= use_len; 301817466cbSJens Wiklander 302817466cbSJens Wiklander /* 303817466cbSJens Wiklander * Increment counter. 304817466cbSJens Wiklander * No need to check for overflow thanks to the length check above. 305817466cbSJens Wiklander */ 306817466cbSJens Wiklander for( i = 0; i < q; i++ ) 307817466cbSJens Wiklander if( ++ctr[15-i] != 0 ) 308817466cbSJens Wiklander break; 309817466cbSJens Wiklander } 310817466cbSJens Wiklander 311817466cbSJens Wiklander /* 312817466cbSJens Wiklander * Authentication: reset counter and crypt/mask internal tag 313817466cbSJens Wiklander */ 314817466cbSJens Wiklander for( i = 0; i < q; i++ ) 315817466cbSJens Wiklander ctr[15-i] = 0; 316817466cbSJens Wiklander 317817466cbSJens Wiklander CTR_CRYPT( y, y, 16 ); 318817466cbSJens Wiklander memcpy( tag, y, tag_len ); 319817466cbSJens Wiklander 320817466cbSJens Wiklander return( 0 ); 321817466cbSJens Wiklander } 322817466cbSJens Wiklander 323817466cbSJens Wiklander /* 324817466cbSJens Wiklander * Authenticated encryption 325817466cbSJens Wiklander */ 3263d3b0591SJens Wiklander int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, 3273d3b0591SJens Wiklander const unsigned char *iv, size_t iv_len, 3283d3b0591SJens Wiklander const unsigned char *add, size_t add_len, 3293d3b0591SJens Wiklander const unsigned char *input, unsigned char *output, 3303d3b0591SJens Wiklander unsigned char *tag, size_t tag_len ) 3313d3b0591SJens Wiklander { 3323d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 3333d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 3343d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 3353d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 3363d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 3373d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 3383d3b0591SJens Wiklander return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len, 3393d3b0591SJens Wiklander add, add_len, input, output, tag, tag_len ) ); 3403d3b0591SJens Wiklander } 3413d3b0591SJens Wiklander 342817466cbSJens Wiklander int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, 343817466cbSJens Wiklander const unsigned char *iv, size_t iv_len, 344817466cbSJens Wiklander const unsigned char *add, size_t add_len, 345817466cbSJens Wiklander const unsigned char *input, unsigned char *output, 346817466cbSJens Wiklander unsigned char *tag, size_t tag_len ) 347817466cbSJens Wiklander { 3483d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 3493d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 3503d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 3513d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 3523d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 3533d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 3543d3b0591SJens Wiklander if( tag_len == 0 ) 3553d3b0591SJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 3563d3b0591SJens Wiklander 3573d3b0591SJens Wiklander return( mbedtls_ccm_star_encrypt_and_tag( ctx, length, iv, iv_len, add, 3583d3b0591SJens Wiklander add_len, input, output, tag, tag_len ) ); 359817466cbSJens Wiklander } 360817466cbSJens Wiklander 361817466cbSJens Wiklander /* 362817466cbSJens Wiklander * Authenticated decryption 363817466cbSJens Wiklander */ 3643d3b0591SJens Wiklander int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, 365817466cbSJens Wiklander const unsigned char *iv, size_t iv_len, 366817466cbSJens Wiklander const unsigned char *add, size_t add_len, 367817466cbSJens Wiklander const unsigned char *input, unsigned char *output, 368817466cbSJens Wiklander const unsigned char *tag, size_t tag_len ) 369817466cbSJens Wiklander { 370*11fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 371817466cbSJens Wiklander unsigned char check_tag[16]; 372817466cbSJens Wiklander unsigned char i; 373817466cbSJens Wiklander int diff; 374817466cbSJens Wiklander 3753d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 3763d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 3773d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 3783d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 3793d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 3803d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 3813d3b0591SJens Wiklander 382817466cbSJens Wiklander if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length, 383817466cbSJens Wiklander iv, iv_len, add, add_len, 384817466cbSJens Wiklander input, output, check_tag, tag_len ) ) != 0 ) 385817466cbSJens Wiklander { 386817466cbSJens Wiklander return( ret ); 387817466cbSJens Wiklander } 388817466cbSJens Wiklander 389817466cbSJens Wiklander /* Check tag in "constant-time" */ 390817466cbSJens Wiklander for( diff = 0, i = 0; i < tag_len; i++ ) 391817466cbSJens Wiklander diff |= tag[i] ^ check_tag[i]; 392817466cbSJens Wiklander 393817466cbSJens Wiklander if( diff != 0 ) 394817466cbSJens Wiklander { 3953d3b0591SJens Wiklander mbedtls_platform_zeroize( output, length ); 396817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_AUTH_FAILED ); 397817466cbSJens Wiklander } 398817466cbSJens Wiklander 399817466cbSJens Wiklander return( 0 ); 400817466cbSJens Wiklander } 401817466cbSJens Wiklander 4023d3b0591SJens Wiklander int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, 4033d3b0591SJens Wiklander const unsigned char *iv, size_t iv_len, 4043d3b0591SJens Wiklander const unsigned char *add, size_t add_len, 4053d3b0591SJens Wiklander const unsigned char *input, unsigned char *output, 4063d3b0591SJens Wiklander const unsigned char *tag, size_t tag_len ) 4073d3b0591SJens Wiklander { 4083d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 4093d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 4103d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 4113d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 4123d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 4133d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 4143d3b0591SJens Wiklander 4153d3b0591SJens Wiklander if( tag_len == 0 ) 4163d3b0591SJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 4173d3b0591SJens Wiklander 4183d3b0591SJens Wiklander return( mbedtls_ccm_star_auth_decrypt( ctx, length, iv, iv_len, add, 4193d3b0591SJens Wiklander add_len, input, output, tag, tag_len ) ); 4203d3b0591SJens Wiklander } 4213d3b0591SJens Wiklander #endif /* !MBEDTLS_CCM_ALT */ 422817466cbSJens Wiklander 423817466cbSJens Wiklander #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) 424817466cbSJens Wiklander /* 425817466cbSJens Wiklander * Examples 1 to 3 from SP800-38C Appendix C 426817466cbSJens Wiklander */ 427817466cbSJens Wiklander 428817466cbSJens Wiklander #define NB_TESTS 3 4293d3b0591SJens Wiklander #define CCM_SELFTEST_PT_MAX_LEN 24 4303d3b0591SJens Wiklander #define CCM_SELFTEST_CT_MAX_LEN 32 431817466cbSJens Wiklander /* 432817466cbSJens Wiklander * The data is the same for all tests, only the used length changes 433817466cbSJens Wiklander */ 434*11fa71b9SJerome Forissier static const unsigned char key_test_data[] = { 435817466cbSJens Wiklander 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 436817466cbSJens Wiklander 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f 437817466cbSJens Wiklander }; 438817466cbSJens Wiklander 439*11fa71b9SJerome Forissier static const unsigned char iv_test_data[] = { 440817466cbSJens Wiklander 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 441817466cbSJens Wiklander 0x18, 0x19, 0x1a, 0x1b 442817466cbSJens Wiklander }; 443817466cbSJens Wiklander 444*11fa71b9SJerome Forissier static const unsigned char ad_test_data[] = { 445817466cbSJens Wiklander 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 446817466cbSJens Wiklander 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 447817466cbSJens Wiklander 0x10, 0x11, 0x12, 0x13 448817466cbSJens Wiklander }; 449817466cbSJens Wiklander 450*11fa71b9SJerome Forissier static const unsigned char msg_test_data[CCM_SELFTEST_PT_MAX_LEN] = { 451817466cbSJens Wiklander 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 452817466cbSJens Wiklander 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 453817466cbSJens Wiklander 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 454817466cbSJens Wiklander }; 455817466cbSJens Wiklander 456*11fa71b9SJerome Forissier static const size_t iv_len_test_data [NB_TESTS] = { 7, 8, 12 }; 457*11fa71b9SJerome Forissier static const size_t add_len_test_data[NB_TESTS] = { 8, 16, 20 }; 458*11fa71b9SJerome Forissier static const size_t msg_len_test_data[NB_TESTS] = { 4, 16, 24 }; 459*11fa71b9SJerome Forissier static const size_t tag_len_test_data[NB_TESTS] = { 4, 6, 8 }; 460817466cbSJens Wiklander 461*11fa71b9SJerome Forissier static const unsigned char res_test_data[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = { 462817466cbSJens Wiklander { 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d }, 463817466cbSJens Wiklander { 0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62, 464817466cbSJens Wiklander 0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d, 465817466cbSJens Wiklander 0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd }, 466817466cbSJens Wiklander { 0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a, 467817466cbSJens Wiklander 0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b, 468817466cbSJens Wiklander 0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5, 469817466cbSJens Wiklander 0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 } 470817466cbSJens Wiklander }; 471817466cbSJens Wiklander 472817466cbSJens Wiklander int mbedtls_ccm_self_test( int verbose ) 473817466cbSJens Wiklander { 474817466cbSJens Wiklander mbedtls_ccm_context ctx; 4753d3b0591SJens Wiklander /* 4763d3b0591SJens Wiklander * Some hardware accelerators require the input and output buffers 4773d3b0591SJens Wiklander * would be in RAM, because the flash is not accessible. 4783d3b0591SJens Wiklander * Use buffers on the stack to hold the test vectors data. 4793d3b0591SJens Wiklander */ 4803d3b0591SJens Wiklander unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN]; 4813d3b0591SJens Wiklander unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN]; 482817466cbSJens Wiklander size_t i; 483*11fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 484817466cbSJens Wiklander 485817466cbSJens Wiklander mbedtls_ccm_init( &ctx ); 486817466cbSJens Wiklander 487*11fa71b9SJerome Forissier if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key_test_data, 488*11fa71b9SJerome Forissier 8 * sizeof key_test_data ) != 0 ) 489817466cbSJens Wiklander { 490817466cbSJens Wiklander if( verbose != 0 ) 491817466cbSJens Wiklander mbedtls_printf( " CCM: setup failed" ); 492817466cbSJens Wiklander 493817466cbSJens Wiklander return( 1 ); 494817466cbSJens Wiklander } 495817466cbSJens Wiklander 496817466cbSJens Wiklander for( i = 0; i < NB_TESTS; i++ ) 497817466cbSJens Wiklander { 498817466cbSJens Wiklander if( verbose != 0 ) 499817466cbSJens Wiklander mbedtls_printf( " CCM-AES #%u: ", (unsigned int) i + 1 ); 500817466cbSJens Wiklander 5013d3b0591SJens Wiklander memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN ); 5023d3b0591SJens Wiklander memset( ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN ); 503*11fa71b9SJerome Forissier memcpy( plaintext, msg_test_data, msg_len_test_data[i] ); 5043d3b0591SJens Wiklander 505*11fa71b9SJerome Forissier ret = mbedtls_ccm_encrypt_and_tag( &ctx, msg_len_test_data[i], 506*11fa71b9SJerome Forissier iv_test_data, iv_len_test_data[i], 507*11fa71b9SJerome Forissier ad_test_data, add_len_test_data[i], 5083d3b0591SJens Wiklander plaintext, ciphertext, 509*11fa71b9SJerome Forissier ciphertext + msg_len_test_data[i], 510*11fa71b9SJerome Forissier tag_len_test_data[i] ); 511817466cbSJens Wiklander 512817466cbSJens Wiklander if( ret != 0 || 513*11fa71b9SJerome Forissier memcmp( ciphertext, res_test_data[i], 514*11fa71b9SJerome Forissier msg_len_test_data[i] + tag_len_test_data[i] ) != 0 ) 515817466cbSJens Wiklander { 516817466cbSJens Wiklander if( verbose != 0 ) 517817466cbSJens Wiklander mbedtls_printf( "failed\n" ); 518817466cbSJens Wiklander 519817466cbSJens Wiklander return( 1 ); 520817466cbSJens Wiklander } 5213d3b0591SJens Wiklander memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN ); 522817466cbSJens Wiklander 523*11fa71b9SJerome Forissier ret = mbedtls_ccm_auth_decrypt( &ctx, msg_len_test_data[i], 524*11fa71b9SJerome Forissier iv_test_data, iv_len_test_data[i], 525*11fa71b9SJerome Forissier ad_test_data, add_len_test_data[i], 5263d3b0591SJens Wiklander ciphertext, plaintext, 527*11fa71b9SJerome Forissier ciphertext + msg_len_test_data[i], 528*11fa71b9SJerome Forissier tag_len_test_data[i] ); 529817466cbSJens Wiklander 530817466cbSJens Wiklander if( ret != 0 || 531*11fa71b9SJerome Forissier memcmp( plaintext, msg_test_data, msg_len_test_data[i] ) != 0 ) 532817466cbSJens Wiklander { 533817466cbSJens Wiklander if( verbose != 0 ) 534817466cbSJens Wiklander mbedtls_printf( "failed\n" ); 535817466cbSJens Wiklander 536817466cbSJens Wiklander return( 1 ); 537817466cbSJens Wiklander } 538817466cbSJens Wiklander 539817466cbSJens Wiklander if( verbose != 0 ) 540817466cbSJens Wiklander mbedtls_printf( "passed\n" ); 541817466cbSJens Wiklander } 542817466cbSJens Wiklander 543817466cbSJens Wiklander mbedtls_ccm_free( &ctx ); 544817466cbSJens Wiklander 545817466cbSJens Wiklander if( verbose != 0 ) 546817466cbSJens Wiklander mbedtls_printf( "\n" ); 547817466cbSJens Wiklander 548817466cbSJens Wiklander return( 0 ); 549817466cbSJens Wiklander } 550817466cbSJens Wiklander 551817466cbSJens Wiklander #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ 552817466cbSJens Wiklander 553817466cbSJens Wiklander #endif /* MBEDTLS_CCM_C */ 554