1c6672fdcSEdison Ai // SPDX-License-Identifier: Apache-2.0 2817466cbSJens Wiklander /* 3817466cbSJens Wiklander * NIST SP800-38C compliant CCM implementation 4817466cbSJens Wiklander * 5817466cbSJens Wiklander * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6817466cbSJens Wiklander * 7817466cbSJens Wiklander * Licensed under the Apache License, Version 2.0 (the "License"); you may 8817466cbSJens Wiklander * not use this file except in compliance with the License. 9817466cbSJens Wiklander * You may obtain a copy of the License at 10817466cbSJens Wiklander * 11817466cbSJens Wiklander * http://www.apache.org/licenses/LICENSE-2.0 12817466cbSJens Wiklander * 13817466cbSJens Wiklander * Unless required by applicable law or agreed to in writing, software 14817466cbSJens Wiklander * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15817466cbSJens Wiklander * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16817466cbSJens Wiklander * See the License for the specific language governing permissions and 17817466cbSJens Wiklander * limitations under the License. 18817466cbSJens Wiklander * 19817466cbSJens Wiklander * This file is part of mbed TLS (https://tls.mbed.org) 20817466cbSJens Wiklander */ 21817466cbSJens Wiklander 22817466cbSJens Wiklander /* 23817466cbSJens Wiklander * Definition of CCM: 24817466cbSJens Wiklander * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf 25817466cbSJens Wiklander * RFC 3610 "Counter with CBC-MAC (CCM)" 26817466cbSJens Wiklander * 27817466cbSJens Wiklander * Related: 28817466cbSJens Wiklander * RFC 5116 "An Interface and Algorithms for Authenticated Encryption" 29817466cbSJens Wiklander */ 30817466cbSJens Wiklander 31817466cbSJens Wiklander #if !defined(MBEDTLS_CONFIG_FILE) 32817466cbSJens Wiklander #include "mbedtls/config.h" 33817466cbSJens Wiklander #else 34817466cbSJens Wiklander #include MBEDTLS_CONFIG_FILE 35817466cbSJens Wiklander #endif 36817466cbSJens Wiklander 37817466cbSJens Wiklander #if defined(MBEDTLS_CCM_C) 38817466cbSJens Wiklander 39817466cbSJens Wiklander #include "mbedtls/ccm.h" 403d3b0591SJens Wiklander #include "mbedtls/platform_util.h" 41817466cbSJens Wiklander 42817466cbSJens Wiklander #include <string.h> 43817466cbSJens Wiklander 44817466cbSJens Wiklander #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) 45817466cbSJens Wiklander #if defined(MBEDTLS_PLATFORM_C) 46817466cbSJens Wiklander #include "mbedtls/platform.h" 47817466cbSJens Wiklander #else 48817466cbSJens Wiklander #include <stdio.h> 49817466cbSJens Wiklander #define mbedtls_printf printf 50817466cbSJens Wiklander #endif /* MBEDTLS_PLATFORM_C */ 51817466cbSJens Wiklander #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ 52817466cbSJens Wiklander 533d3b0591SJens Wiklander #if !defined(MBEDTLS_CCM_ALT) 543d3b0591SJens Wiklander 553d3b0591SJens Wiklander #define CCM_VALIDATE_RET( cond ) \ 563d3b0591SJens Wiklander MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CCM_BAD_INPUT ) 573d3b0591SJens Wiklander #define CCM_VALIDATE( cond ) \ 583d3b0591SJens Wiklander MBEDTLS_INTERNAL_VALIDATE( cond ) 59817466cbSJens Wiklander 60817466cbSJens Wiklander #define CCM_ENCRYPT 0 61817466cbSJens Wiklander #define CCM_DECRYPT 1 62817466cbSJens Wiklander 63817466cbSJens Wiklander /* 64817466cbSJens Wiklander * Initialize context 65817466cbSJens Wiklander */ 66817466cbSJens Wiklander void mbedtls_ccm_init( mbedtls_ccm_context *ctx ) 67817466cbSJens Wiklander { 683d3b0591SJens Wiklander CCM_VALIDATE( ctx != NULL ); 69817466cbSJens Wiklander memset( ctx, 0, sizeof( mbedtls_ccm_context ) ); 70817466cbSJens Wiklander } 71817466cbSJens Wiklander 72817466cbSJens Wiklander int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx, 73817466cbSJens Wiklander mbedtls_cipher_id_t cipher, 74817466cbSJens Wiklander const unsigned char *key, 75817466cbSJens Wiklander unsigned int keybits ) 76817466cbSJens Wiklander { 77817466cbSJens Wiklander int ret; 78817466cbSJens Wiklander const mbedtls_cipher_info_t *cipher_info; 79817466cbSJens Wiklander 803d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 813d3b0591SJens Wiklander CCM_VALIDATE_RET( key != NULL ); 823d3b0591SJens Wiklander 83817466cbSJens Wiklander cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB ); 84817466cbSJens Wiklander if( cipher_info == NULL ) 85817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 86817466cbSJens Wiklander 87817466cbSJens Wiklander if( cipher_info->block_size != 16 ) 88817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 89817466cbSJens Wiklander 90817466cbSJens Wiklander mbedtls_cipher_free( &ctx->cipher_ctx ); 91817466cbSJens Wiklander 92817466cbSJens Wiklander if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 ) 93817466cbSJens Wiklander return( ret ); 94817466cbSJens Wiklander 95817466cbSJens Wiklander if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits, 96817466cbSJens Wiklander MBEDTLS_ENCRYPT ) ) != 0 ) 97817466cbSJens Wiklander { 98817466cbSJens Wiklander return( ret ); 99817466cbSJens Wiklander } 100817466cbSJens Wiklander 101817466cbSJens Wiklander return( 0 ); 102817466cbSJens Wiklander } 103817466cbSJens Wiklander 104817466cbSJens Wiklander /* 105817466cbSJens Wiklander * Free context 106817466cbSJens Wiklander */ 107817466cbSJens Wiklander void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) 108817466cbSJens Wiklander { 1093d3b0591SJens Wiklander if( ctx == NULL ) 1103d3b0591SJens Wiklander return; 111817466cbSJens Wiklander mbedtls_cipher_free( &ctx->cipher_ctx ); 1123d3b0591SJens Wiklander mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ccm_context ) ); 113817466cbSJens Wiklander } 114817466cbSJens Wiklander 115817466cbSJens Wiklander /* 116817466cbSJens Wiklander * Macros for common operations. 117817466cbSJens Wiklander * Results in smaller compiled code than static inline functions. 118817466cbSJens Wiklander */ 119817466cbSJens Wiklander 120817466cbSJens Wiklander /* 121817466cbSJens Wiklander * Update the CBC-MAC state in y using a block in b 122817466cbSJens Wiklander * (Always using b as the source helps the compiler optimise a bit better.) 123817466cbSJens Wiklander */ 124817466cbSJens Wiklander #define UPDATE_CBC_MAC \ 125817466cbSJens Wiklander for( i = 0; i < 16; i++ ) \ 126817466cbSJens Wiklander y[i] ^= b[i]; \ 127817466cbSJens Wiklander \ 128817466cbSJens Wiklander if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \ 129817466cbSJens Wiklander return( ret ); 130817466cbSJens Wiklander 131817466cbSJens Wiklander /* 132817466cbSJens Wiklander * Encrypt or decrypt a partial block with CTR 133817466cbSJens Wiklander * Warning: using b for temporary storage! src and dst must not be b! 134817466cbSJens Wiklander * This avoids allocating one more 16 bytes buffer while allowing src == dst. 135817466cbSJens Wiklander */ 136817466cbSJens Wiklander #define CTR_CRYPT( dst, src, len ) \ 137*5b25c76aSJerome Forissier do \ 138*5b25c76aSJerome Forissier { \ 139*5b25c76aSJerome Forissier if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr, \ 140*5b25c76aSJerome Forissier 16, b, &olen ) ) != 0 ) \ 141*5b25c76aSJerome Forissier { \ 142817466cbSJens Wiklander return( ret ); \ 143*5b25c76aSJerome Forissier } \ 144817466cbSJens Wiklander \ 145*5b25c76aSJerome Forissier for( i = 0; i < (len); i++ ) \ 146*5b25c76aSJerome Forissier (dst)[i] = (src)[i] ^ b[i]; \ 147*5b25c76aSJerome Forissier } while( 0 ) 148817466cbSJens Wiklander 149817466cbSJens Wiklander /* 150817466cbSJens Wiklander * Authenticated encryption or decryption 151817466cbSJens Wiklander */ 152817466cbSJens Wiklander static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, 153817466cbSJens Wiklander const unsigned char *iv, size_t iv_len, 154817466cbSJens Wiklander const unsigned char *add, size_t add_len, 155817466cbSJens Wiklander const unsigned char *input, unsigned char *output, 156817466cbSJens Wiklander unsigned char *tag, size_t tag_len ) 157817466cbSJens Wiklander { 158817466cbSJens Wiklander int ret; 159817466cbSJens Wiklander unsigned char i; 160817466cbSJens Wiklander unsigned char q; 161817466cbSJens Wiklander size_t len_left, olen; 162817466cbSJens Wiklander unsigned char b[16]; 163817466cbSJens Wiklander unsigned char y[16]; 164817466cbSJens Wiklander unsigned char ctr[16]; 165817466cbSJens Wiklander const unsigned char *src; 166817466cbSJens Wiklander unsigned char *dst; 167817466cbSJens Wiklander 168817466cbSJens Wiklander /* 169817466cbSJens Wiklander * Check length requirements: SP800-38C A.1 170817466cbSJens Wiklander * Additional requirement: a < 2^16 - 2^8 to simplify the code. 171817466cbSJens Wiklander * 'length' checked later (when writing it to the first block) 1723d3b0591SJens Wiklander * 1733d3b0591SJens Wiklander * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4). 174817466cbSJens Wiklander */ 1753d3b0591SJens Wiklander if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 ) 176817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 177817466cbSJens Wiklander 178817466cbSJens Wiklander /* Also implies q is within bounds */ 179817466cbSJens Wiklander if( iv_len < 7 || iv_len > 13 ) 180817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 181817466cbSJens Wiklander 182817466cbSJens Wiklander if( add_len > 0xFF00 ) 183817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 184817466cbSJens Wiklander 185817466cbSJens Wiklander q = 16 - 1 - (unsigned char) iv_len; 186817466cbSJens Wiklander 187817466cbSJens Wiklander /* 188817466cbSJens Wiklander * First block B_0: 189817466cbSJens Wiklander * 0 .. 0 flags 190817466cbSJens Wiklander * 1 .. iv_len nonce (aka iv) 191817466cbSJens Wiklander * iv_len+1 .. 15 length 192817466cbSJens Wiklander * 193817466cbSJens Wiklander * With flags as (bits): 194817466cbSJens Wiklander * 7 0 195817466cbSJens Wiklander * 6 add present? 196817466cbSJens Wiklander * 5 .. 3 (t - 2) / 2 197817466cbSJens Wiklander * 2 .. 0 q - 1 198817466cbSJens Wiklander */ 199817466cbSJens Wiklander b[0] = 0; 200817466cbSJens Wiklander b[0] |= ( add_len > 0 ) << 6; 201817466cbSJens Wiklander b[0] |= ( ( tag_len - 2 ) / 2 ) << 3; 202817466cbSJens Wiklander b[0] |= q - 1; 203817466cbSJens Wiklander 204817466cbSJens Wiklander memcpy( b + 1, iv, iv_len ); 205817466cbSJens Wiklander 206817466cbSJens Wiklander for( i = 0, len_left = length; i < q; i++, len_left >>= 8 ) 207817466cbSJens Wiklander b[15-i] = (unsigned char)( len_left & 0xFF ); 208817466cbSJens Wiklander 209817466cbSJens Wiklander if( len_left > 0 ) 210817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 211817466cbSJens Wiklander 212817466cbSJens Wiklander 213817466cbSJens Wiklander /* Start CBC-MAC with first block */ 214817466cbSJens Wiklander memset( y, 0, 16 ); 215817466cbSJens Wiklander UPDATE_CBC_MAC; 216817466cbSJens Wiklander 217817466cbSJens Wiklander /* 218817466cbSJens Wiklander * If there is additional data, update CBC-MAC with 219817466cbSJens Wiklander * add_len, add, 0 (padding to a block boundary) 220817466cbSJens Wiklander */ 221817466cbSJens Wiklander if( add_len > 0 ) 222817466cbSJens Wiklander { 223817466cbSJens Wiklander size_t use_len; 224817466cbSJens Wiklander len_left = add_len; 225817466cbSJens Wiklander src = add; 226817466cbSJens Wiklander 227817466cbSJens Wiklander memset( b, 0, 16 ); 228817466cbSJens Wiklander b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF ); 229817466cbSJens Wiklander b[1] = (unsigned char)( ( add_len ) & 0xFF ); 230817466cbSJens Wiklander 231817466cbSJens Wiklander use_len = len_left < 16 - 2 ? len_left : 16 - 2; 232817466cbSJens Wiklander memcpy( b + 2, src, use_len ); 233817466cbSJens Wiklander len_left -= use_len; 234817466cbSJens Wiklander src += use_len; 235817466cbSJens Wiklander 236817466cbSJens Wiklander UPDATE_CBC_MAC; 237817466cbSJens Wiklander 238817466cbSJens Wiklander while( len_left > 0 ) 239817466cbSJens Wiklander { 240817466cbSJens Wiklander use_len = len_left > 16 ? 16 : len_left; 241817466cbSJens Wiklander 242817466cbSJens Wiklander memset( b, 0, 16 ); 243817466cbSJens Wiklander memcpy( b, src, use_len ); 244817466cbSJens Wiklander UPDATE_CBC_MAC; 245817466cbSJens Wiklander 246817466cbSJens Wiklander len_left -= use_len; 247817466cbSJens Wiklander src += use_len; 248817466cbSJens Wiklander } 249817466cbSJens Wiklander } 250817466cbSJens Wiklander 251817466cbSJens Wiklander /* 252817466cbSJens Wiklander * Prepare counter block for encryption: 253817466cbSJens Wiklander * 0 .. 0 flags 254817466cbSJens Wiklander * 1 .. iv_len nonce (aka iv) 255817466cbSJens Wiklander * iv_len+1 .. 15 counter (initially 1) 256817466cbSJens Wiklander * 257817466cbSJens Wiklander * With flags as (bits): 258817466cbSJens Wiklander * 7 .. 3 0 259817466cbSJens Wiklander * 2 .. 0 q - 1 260817466cbSJens Wiklander */ 261817466cbSJens Wiklander ctr[0] = q - 1; 262817466cbSJens Wiklander memcpy( ctr + 1, iv, iv_len ); 263817466cbSJens Wiklander memset( ctr + 1 + iv_len, 0, q ); 264817466cbSJens Wiklander ctr[15] = 1; 265817466cbSJens Wiklander 266817466cbSJens Wiklander /* 267817466cbSJens Wiklander * Authenticate and {en,de}crypt the message. 268817466cbSJens Wiklander * 269817466cbSJens Wiklander * The only difference between encryption and decryption is 270817466cbSJens Wiklander * the respective order of authentication and {en,de}cryption. 271817466cbSJens Wiklander */ 272817466cbSJens Wiklander len_left = length; 273817466cbSJens Wiklander src = input; 274817466cbSJens Wiklander dst = output; 275817466cbSJens Wiklander 276817466cbSJens Wiklander while( len_left > 0 ) 277817466cbSJens Wiklander { 278817466cbSJens Wiklander size_t use_len = len_left > 16 ? 16 : len_left; 279817466cbSJens Wiklander 280817466cbSJens Wiklander if( mode == CCM_ENCRYPT ) 281817466cbSJens Wiklander { 282817466cbSJens Wiklander memset( b, 0, 16 ); 283817466cbSJens Wiklander memcpy( b, src, use_len ); 284817466cbSJens Wiklander UPDATE_CBC_MAC; 285817466cbSJens Wiklander } 286817466cbSJens Wiklander 287817466cbSJens Wiklander CTR_CRYPT( dst, src, use_len ); 288817466cbSJens Wiklander 289817466cbSJens Wiklander if( mode == CCM_DECRYPT ) 290817466cbSJens Wiklander { 291817466cbSJens Wiklander memset( b, 0, 16 ); 292817466cbSJens Wiklander memcpy( b, dst, use_len ); 293817466cbSJens Wiklander UPDATE_CBC_MAC; 294817466cbSJens Wiklander } 295817466cbSJens Wiklander 296817466cbSJens Wiklander dst += use_len; 297817466cbSJens Wiklander src += use_len; 298817466cbSJens Wiklander len_left -= use_len; 299817466cbSJens Wiklander 300817466cbSJens Wiklander /* 301817466cbSJens Wiklander * Increment counter. 302817466cbSJens Wiklander * No need to check for overflow thanks to the length check above. 303817466cbSJens Wiklander */ 304817466cbSJens Wiklander for( i = 0; i < q; i++ ) 305817466cbSJens Wiklander if( ++ctr[15-i] != 0 ) 306817466cbSJens Wiklander break; 307817466cbSJens Wiklander } 308817466cbSJens Wiklander 309817466cbSJens Wiklander /* 310817466cbSJens Wiklander * Authentication: reset counter and crypt/mask internal tag 311817466cbSJens Wiklander */ 312817466cbSJens Wiklander for( i = 0; i < q; i++ ) 313817466cbSJens Wiklander ctr[15-i] = 0; 314817466cbSJens Wiklander 315817466cbSJens Wiklander CTR_CRYPT( y, y, 16 ); 316817466cbSJens Wiklander memcpy( tag, y, tag_len ); 317817466cbSJens Wiklander 318817466cbSJens Wiklander return( 0 ); 319817466cbSJens Wiklander } 320817466cbSJens Wiklander 321817466cbSJens Wiklander /* 322817466cbSJens Wiklander * Authenticated encryption 323817466cbSJens Wiklander */ 3243d3b0591SJens Wiklander int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, 3253d3b0591SJens Wiklander const unsigned char *iv, size_t iv_len, 3263d3b0591SJens Wiklander const unsigned char *add, size_t add_len, 3273d3b0591SJens Wiklander const unsigned char *input, unsigned char *output, 3283d3b0591SJens Wiklander unsigned char *tag, size_t tag_len ) 3293d3b0591SJens Wiklander { 3303d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 3313d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 3323d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 3333d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 3343d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 3353d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 3363d3b0591SJens Wiklander return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len, 3373d3b0591SJens Wiklander add, add_len, input, output, tag, tag_len ) ); 3383d3b0591SJens Wiklander } 3393d3b0591SJens Wiklander 340817466cbSJens Wiklander int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, 341817466cbSJens Wiklander const unsigned char *iv, size_t iv_len, 342817466cbSJens Wiklander const unsigned char *add, size_t add_len, 343817466cbSJens Wiklander const unsigned char *input, unsigned char *output, 344817466cbSJens Wiklander unsigned char *tag, size_t tag_len ) 345817466cbSJens Wiklander { 3463d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 3473d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 3483d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 3493d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 3503d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 3513d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 3523d3b0591SJens Wiklander if( tag_len == 0 ) 3533d3b0591SJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 3543d3b0591SJens Wiklander 3553d3b0591SJens Wiklander return( mbedtls_ccm_star_encrypt_and_tag( ctx, length, iv, iv_len, add, 3563d3b0591SJens Wiklander add_len, input, output, tag, tag_len ) ); 357817466cbSJens Wiklander } 358817466cbSJens Wiklander 359817466cbSJens Wiklander /* 360817466cbSJens Wiklander * Authenticated decryption 361817466cbSJens Wiklander */ 3623d3b0591SJens Wiklander int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, 363817466cbSJens Wiklander const unsigned char *iv, size_t iv_len, 364817466cbSJens Wiklander const unsigned char *add, size_t add_len, 365817466cbSJens Wiklander const unsigned char *input, unsigned char *output, 366817466cbSJens Wiklander const unsigned char *tag, size_t tag_len ) 367817466cbSJens Wiklander { 368817466cbSJens Wiklander int ret; 369817466cbSJens Wiklander unsigned char check_tag[16]; 370817466cbSJens Wiklander unsigned char i; 371817466cbSJens Wiklander int diff; 372817466cbSJens Wiklander 3733d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 3743d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 3753d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 3763d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 3773d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 3783d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 3793d3b0591SJens Wiklander 380817466cbSJens Wiklander if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length, 381817466cbSJens Wiklander iv, iv_len, add, add_len, 382817466cbSJens Wiklander input, output, check_tag, tag_len ) ) != 0 ) 383817466cbSJens Wiklander { 384817466cbSJens Wiklander return( ret ); 385817466cbSJens Wiklander } 386817466cbSJens Wiklander 387817466cbSJens Wiklander /* Check tag in "constant-time" */ 388817466cbSJens Wiklander for( diff = 0, i = 0; i < tag_len; i++ ) 389817466cbSJens Wiklander diff |= tag[i] ^ check_tag[i]; 390817466cbSJens Wiklander 391817466cbSJens Wiklander if( diff != 0 ) 392817466cbSJens Wiklander { 3933d3b0591SJens Wiklander mbedtls_platform_zeroize( output, length ); 394817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_AUTH_FAILED ); 395817466cbSJens Wiklander } 396817466cbSJens Wiklander 397817466cbSJens Wiklander return( 0 ); 398817466cbSJens Wiklander } 399817466cbSJens Wiklander 4003d3b0591SJens Wiklander int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, 4013d3b0591SJens Wiklander const unsigned char *iv, size_t iv_len, 4023d3b0591SJens Wiklander const unsigned char *add, size_t add_len, 4033d3b0591SJens Wiklander const unsigned char *input, unsigned char *output, 4043d3b0591SJens Wiklander const unsigned char *tag, size_t tag_len ) 4053d3b0591SJens Wiklander { 4063d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 4073d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 4083d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 4093d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 4103d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 4113d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 4123d3b0591SJens Wiklander 4133d3b0591SJens Wiklander if( tag_len == 0 ) 4143d3b0591SJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 4153d3b0591SJens Wiklander 4163d3b0591SJens Wiklander return( mbedtls_ccm_star_auth_decrypt( ctx, length, iv, iv_len, add, 4173d3b0591SJens Wiklander add_len, input, output, tag, tag_len ) ); 4183d3b0591SJens Wiklander } 4193d3b0591SJens Wiklander #endif /* !MBEDTLS_CCM_ALT */ 420817466cbSJens Wiklander 421817466cbSJens Wiklander #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) 422817466cbSJens Wiklander /* 423817466cbSJens Wiklander * Examples 1 to 3 from SP800-38C Appendix C 424817466cbSJens Wiklander */ 425817466cbSJens Wiklander 426817466cbSJens Wiklander #define NB_TESTS 3 4273d3b0591SJens Wiklander #define CCM_SELFTEST_PT_MAX_LEN 24 4283d3b0591SJens Wiklander #define CCM_SELFTEST_CT_MAX_LEN 32 429817466cbSJens Wiklander /* 430817466cbSJens Wiklander * The data is the same for all tests, only the used length changes 431817466cbSJens Wiklander */ 432817466cbSJens Wiklander static const unsigned char key[] = { 433817466cbSJens Wiklander 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 434817466cbSJens Wiklander 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f 435817466cbSJens Wiklander }; 436817466cbSJens Wiklander 437817466cbSJens Wiklander static const unsigned char iv[] = { 438817466cbSJens Wiklander 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 439817466cbSJens Wiklander 0x18, 0x19, 0x1a, 0x1b 440817466cbSJens Wiklander }; 441817466cbSJens Wiklander 442817466cbSJens Wiklander static const unsigned char ad[] = { 443817466cbSJens Wiklander 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 444817466cbSJens Wiklander 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 445817466cbSJens Wiklander 0x10, 0x11, 0x12, 0x13 446817466cbSJens Wiklander }; 447817466cbSJens Wiklander 4483d3b0591SJens Wiklander static const unsigned char msg[CCM_SELFTEST_PT_MAX_LEN] = { 449817466cbSJens Wiklander 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 450817466cbSJens Wiklander 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 451817466cbSJens Wiklander 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 452817466cbSJens Wiklander }; 453817466cbSJens Wiklander 454817466cbSJens Wiklander static const size_t iv_len [NB_TESTS] = { 7, 8, 12 }; 455817466cbSJens Wiklander static const size_t add_len[NB_TESTS] = { 8, 16, 20 }; 456817466cbSJens Wiklander static const size_t msg_len[NB_TESTS] = { 4, 16, 24 }; 457817466cbSJens Wiklander static const size_t tag_len[NB_TESTS] = { 4, 6, 8 }; 458817466cbSJens Wiklander 4593d3b0591SJens Wiklander static const unsigned char res[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = { 460817466cbSJens Wiklander { 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d }, 461817466cbSJens Wiklander { 0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62, 462817466cbSJens Wiklander 0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d, 463817466cbSJens Wiklander 0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd }, 464817466cbSJens Wiklander { 0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a, 465817466cbSJens Wiklander 0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b, 466817466cbSJens Wiklander 0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5, 467817466cbSJens Wiklander 0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 } 468817466cbSJens Wiklander }; 469817466cbSJens Wiklander 470817466cbSJens Wiklander int mbedtls_ccm_self_test( int verbose ) 471817466cbSJens Wiklander { 472817466cbSJens Wiklander mbedtls_ccm_context ctx; 4733d3b0591SJens Wiklander /* 4743d3b0591SJens Wiklander * Some hardware accelerators require the input and output buffers 4753d3b0591SJens Wiklander * would be in RAM, because the flash is not accessible. 4763d3b0591SJens Wiklander * Use buffers on the stack to hold the test vectors data. 4773d3b0591SJens Wiklander */ 4783d3b0591SJens Wiklander unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN]; 4793d3b0591SJens Wiklander unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN]; 480817466cbSJens Wiklander size_t i; 481817466cbSJens Wiklander int ret; 482817466cbSJens Wiklander 483817466cbSJens Wiklander mbedtls_ccm_init( &ctx ); 484817466cbSJens Wiklander 485817466cbSJens Wiklander if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key, 8 * sizeof key ) != 0 ) 486817466cbSJens Wiklander { 487817466cbSJens Wiklander if( verbose != 0 ) 488817466cbSJens Wiklander mbedtls_printf( " CCM: setup failed" ); 489817466cbSJens Wiklander 490817466cbSJens Wiklander return( 1 ); 491817466cbSJens Wiklander } 492817466cbSJens Wiklander 493817466cbSJens Wiklander for( i = 0; i < NB_TESTS; i++ ) 494817466cbSJens Wiklander { 495817466cbSJens Wiklander if( verbose != 0 ) 496817466cbSJens Wiklander mbedtls_printf( " CCM-AES #%u: ", (unsigned int) i + 1 ); 497817466cbSJens Wiklander 4983d3b0591SJens Wiklander memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN ); 4993d3b0591SJens Wiklander memset( ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN ); 5003d3b0591SJens Wiklander memcpy( plaintext, msg, msg_len[i] ); 5013d3b0591SJens Wiklander 502817466cbSJens Wiklander ret = mbedtls_ccm_encrypt_and_tag( &ctx, msg_len[i], 503817466cbSJens Wiklander iv, iv_len[i], ad, add_len[i], 5043d3b0591SJens Wiklander plaintext, ciphertext, 5053d3b0591SJens Wiklander ciphertext + msg_len[i], tag_len[i] ); 506817466cbSJens Wiklander 507817466cbSJens Wiklander if( ret != 0 || 5083d3b0591SJens Wiklander memcmp( ciphertext, res[i], msg_len[i] + tag_len[i] ) != 0 ) 509817466cbSJens Wiklander { 510817466cbSJens Wiklander if( verbose != 0 ) 511817466cbSJens Wiklander mbedtls_printf( "failed\n" ); 512817466cbSJens Wiklander 513817466cbSJens Wiklander return( 1 ); 514817466cbSJens Wiklander } 5153d3b0591SJens Wiklander memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN ); 516817466cbSJens Wiklander 517817466cbSJens Wiklander ret = mbedtls_ccm_auth_decrypt( &ctx, msg_len[i], 518817466cbSJens Wiklander iv, iv_len[i], ad, add_len[i], 5193d3b0591SJens Wiklander ciphertext, plaintext, 5203d3b0591SJens Wiklander ciphertext + msg_len[i], tag_len[i] ); 521817466cbSJens Wiklander 522817466cbSJens Wiklander if( ret != 0 || 5233d3b0591SJens Wiklander memcmp( plaintext, msg, msg_len[i] ) != 0 ) 524817466cbSJens Wiklander { 525817466cbSJens Wiklander if( verbose != 0 ) 526817466cbSJens Wiklander mbedtls_printf( "failed\n" ); 527817466cbSJens Wiklander 528817466cbSJens Wiklander return( 1 ); 529817466cbSJens Wiklander } 530817466cbSJens Wiklander 531817466cbSJens Wiklander if( verbose != 0 ) 532817466cbSJens Wiklander mbedtls_printf( "passed\n" ); 533817466cbSJens Wiklander } 534817466cbSJens Wiklander 535817466cbSJens Wiklander mbedtls_ccm_free( &ctx ); 536817466cbSJens Wiklander 537817466cbSJens Wiklander if( verbose != 0 ) 538817466cbSJens Wiklander mbedtls_printf( "\n" ); 539817466cbSJens Wiklander 540817466cbSJens Wiklander return( 0 ); 541817466cbSJens Wiklander } 542817466cbSJens Wiklander 543817466cbSJens Wiklander #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ 544817466cbSJens Wiklander 545817466cbSJens Wiklander #endif /* MBEDTLS_CCM_C */ 546