1817466cbSJens Wiklander /* 2817466cbSJens Wiklander * NIST SP800-38C compliant CCM implementation 3817466cbSJens Wiklander * 4*7901324dSJerome Forissier * Copyright The Mbed TLS Contributors 5*7901324dSJerome Forissier * SPDX-License-Identifier: Apache-2.0 6817466cbSJens Wiklander * 7817466cbSJens Wiklander * Licensed under the Apache License, Version 2.0 (the "License"); you may 8817466cbSJens Wiklander * not use this file except in compliance with the License. 9817466cbSJens Wiklander * You may obtain a copy of the License at 10817466cbSJens Wiklander * 11817466cbSJens Wiklander * http://www.apache.org/licenses/LICENSE-2.0 12817466cbSJens Wiklander * 13817466cbSJens Wiklander * Unless required by applicable law or agreed to in writing, software 14817466cbSJens Wiklander * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15817466cbSJens Wiklander * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16817466cbSJens Wiklander * See the License for the specific language governing permissions and 17817466cbSJens Wiklander * limitations under the License. 18817466cbSJens Wiklander */ 19817466cbSJens Wiklander 20817466cbSJens Wiklander /* 21817466cbSJens Wiklander * Definition of CCM: 22817466cbSJens Wiklander * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf 23817466cbSJens Wiklander * RFC 3610 "Counter with CBC-MAC (CCM)" 24817466cbSJens Wiklander * 25817466cbSJens Wiklander * Related: 26817466cbSJens Wiklander * RFC 5116 "An Interface and Algorithms for Authenticated Encryption" 27817466cbSJens Wiklander */ 28817466cbSJens Wiklander 29*7901324dSJerome Forissier #include "common.h" 30817466cbSJens Wiklander 31817466cbSJens Wiklander #if defined(MBEDTLS_CCM_C) 32817466cbSJens Wiklander 33817466cbSJens Wiklander #include "mbedtls/ccm.h" 343d3b0591SJens Wiklander #include "mbedtls/platform_util.h" 3511fa71b9SJerome Forissier #include "mbedtls/error.h" 36817466cbSJens Wiklander 37817466cbSJens Wiklander #include <string.h> 38817466cbSJens Wiklander 39817466cbSJens Wiklander #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) 40817466cbSJens Wiklander #if defined(MBEDTLS_PLATFORM_C) 41817466cbSJens Wiklander #include "mbedtls/platform.h" 42817466cbSJens Wiklander #else 43817466cbSJens Wiklander #include <stdio.h> 44817466cbSJens Wiklander #define mbedtls_printf printf 45817466cbSJens Wiklander #endif /* MBEDTLS_PLATFORM_C */ 46817466cbSJens Wiklander #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ 47817466cbSJens Wiklander 483d3b0591SJens Wiklander #if !defined(MBEDTLS_CCM_ALT) 493d3b0591SJens Wiklander 503d3b0591SJens Wiklander #define CCM_VALIDATE_RET( cond ) \ 513d3b0591SJens Wiklander MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CCM_BAD_INPUT ) 523d3b0591SJens Wiklander #define CCM_VALIDATE( cond ) \ 533d3b0591SJens Wiklander MBEDTLS_INTERNAL_VALIDATE( cond ) 54817466cbSJens Wiklander 55817466cbSJens Wiklander #define CCM_ENCRYPT 0 56817466cbSJens Wiklander #define CCM_DECRYPT 1 57817466cbSJens Wiklander 58817466cbSJens Wiklander /* 59817466cbSJens Wiklander * Initialize context 60817466cbSJens Wiklander */ 61817466cbSJens Wiklander void mbedtls_ccm_init( mbedtls_ccm_context *ctx ) 62817466cbSJens Wiklander { 633d3b0591SJens Wiklander CCM_VALIDATE( ctx != NULL ); 64817466cbSJens Wiklander memset( ctx, 0, sizeof( mbedtls_ccm_context ) ); 65817466cbSJens Wiklander } 66817466cbSJens Wiklander 67817466cbSJens Wiklander int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx, 68817466cbSJens Wiklander mbedtls_cipher_id_t cipher, 69817466cbSJens Wiklander const unsigned char *key, 70817466cbSJens Wiklander unsigned int keybits ) 71817466cbSJens Wiklander { 7211fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 73817466cbSJens Wiklander const mbedtls_cipher_info_t *cipher_info; 74817466cbSJens Wiklander 753d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 763d3b0591SJens Wiklander CCM_VALIDATE_RET( key != NULL ); 773d3b0591SJens Wiklander 7811fa71b9SJerome Forissier cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, 7911fa71b9SJerome Forissier MBEDTLS_MODE_ECB ); 80817466cbSJens Wiklander if( cipher_info == NULL ) 81817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 82817466cbSJens Wiklander 83817466cbSJens Wiklander if( cipher_info->block_size != 16 ) 84817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 85817466cbSJens Wiklander 86817466cbSJens Wiklander mbedtls_cipher_free( &ctx->cipher_ctx ); 87817466cbSJens Wiklander 88817466cbSJens Wiklander if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 ) 89817466cbSJens Wiklander return( ret ); 90817466cbSJens Wiklander 91817466cbSJens Wiklander if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits, 92817466cbSJens Wiklander MBEDTLS_ENCRYPT ) ) != 0 ) 93817466cbSJens Wiklander { 94817466cbSJens Wiklander return( ret ); 95817466cbSJens Wiklander } 96817466cbSJens Wiklander 97817466cbSJens Wiklander return( 0 ); 98817466cbSJens Wiklander } 99817466cbSJens Wiklander 100817466cbSJens Wiklander /* 101817466cbSJens Wiklander * Free context 102817466cbSJens Wiklander */ 103817466cbSJens Wiklander void mbedtls_ccm_free( mbedtls_ccm_context *ctx ) 104817466cbSJens Wiklander { 1053d3b0591SJens Wiklander if( ctx == NULL ) 1063d3b0591SJens Wiklander return; 107817466cbSJens Wiklander mbedtls_cipher_free( &ctx->cipher_ctx ); 1083d3b0591SJens Wiklander mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ccm_context ) ); 109817466cbSJens Wiklander } 110817466cbSJens Wiklander 111817466cbSJens Wiklander /* 112817466cbSJens Wiklander * Macros for common operations. 113817466cbSJens Wiklander * Results in smaller compiled code than static inline functions. 114817466cbSJens Wiklander */ 115817466cbSJens Wiklander 116817466cbSJens Wiklander /* 117817466cbSJens Wiklander * Update the CBC-MAC state in y using a block in b 118817466cbSJens Wiklander * (Always using b as the source helps the compiler optimise a bit better.) 119817466cbSJens Wiklander */ 120817466cbSJens Wiklander #define UPDATE_CBC_MAC \ 121817466cbSJens Wiklander for( i = 0; i < 16; i++ ) \ 122817466cbSJens Wiklander y[i] ^= b[i]; \ 123817466cbSJens Wiklander \ 124817466cbSJens Wiklander if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \ 125817466cbSJens Wiklander return( ret ); 126817466cbSJens Wiklander 127817466cbSJens Wiklander /* 128817466cbSJens Wiklander * Encrypt or decrypt a partial block with CTR 129817466cbSJens Wiklander * Warning: using b for temporary storage! src and dst must not be b! 130817466cbSJens Wiklander * This avoids allocating one more 16 bytes buffer while allowing src == dst. 131817466cbSJens Wiklander */ 132817466cbSJens Wiklander #define CTR_CRYPT( dst, src, len ) \ 1335b25c76aSJerome Forissier do \ 1345b25c76aSJerome Forissier { \ 1355b25c76aSJerome Forissier if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr, \ 1365b25c76aSJerome Forissier 16, b, &olen ) ) != 0 ) \ 1375b25c76aSJerome Forissier { \ 138817466cbSJens Wiklander return( ret ); \ 1395b25c76aSJerome Forissier } \ 140817466cbSJens Wiklander \ 1415b25c76aSJerome Forissier for( i = 0; i < (len); i++ ) \ 1425b25c76aSJerome Forissier (dst)[i] = (src)[i] ^ b[i]; \ 1435b25c76aSJerome Forissier } while( 0 ) 144817466cbSJens Wiklander 145817466cbSJens Wiklander /* 146817466cbSJens Wiklander * Authenticated encryption or decryption 147817466cbSJens Wiklander */ 148817466cbSJens Wiklander static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length, 149817466cbSJens Wiklander const unsigned char *iv, size_t iv_len, 150817466cbSJens Wiklander const unsigned char *add, size_t add_len, 151817466cbSJens Wiklander const unsigned char *input, unsigned char *output, 152817466cbSJens Wiklander unsigned char *tag, size_t tag_len ) 153817466cbSJens Wiklander { 15411fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 155817466cbSJens Wiklander unsigned char i; 156817466cbSJens Wiklander unsigned char q; 157817466cbSJens Wiklander size_t len_left, olen; 158817466cbSJens Wiklander unsigned char b[16]; 159817466cbSJens Wiklander unsigned char y[16]; 160817466cbSJens Wiklander unsigned char ctr[16]; 161817466cbSJens Wiklander const unsigned char *src; 162817466cbSJens Wiklander unsigned char *dst; 163817466cbSJens Wiklander 164817466cbSJens Wiklander /* 165817466cbSJens Wiklander * Check length requirements: SP800-38C A.1 166817466cbSJens Wiklander * Additional requirement: a < 2^16 - 2^8 to simplify the code. 167817466cbSJens Wiklander * 'length' checked later (when writing it to the first block) 1683d3b0591SJens Wiklander * 1693d3b0591SJens Wiklander * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4). 170817466cbSJens Wiklander */ 1713d3b0591SJens Wiklander if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 ) 172817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 173817466cbSJens Wiklander 174817466cbSJens Wiklander /* Also implies q is within bounds */ 175817466cbSJens Wiklander if( iv_len < 7 || iv_len > 13 ) 176817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 177817466cbSJens Wiklander 178*7901324dSJerome Forissier if( add_len >= 0xFF00 ) 179817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 180817466cbSJens Wiklander 181817466cbSJens Wiklander q = 16 - 1 - (unsigned char) iv_len; 182817466cbSJens Wiklander 183817466cbSJens Wiklander /* 184817466cbSJens Wiklander * First block B_0: 185817466cbSJens Wiklander * 0 .. 0 flags 186817466cbSJens Wiklander * 1 .. iv_len nonce (aka iv) 187817466cbSJens Wiklander * iv_len+1 .. 15 length 188817466cbSJens Wiklander * 189817466cbSJens Wiklander * With flags as (bits): 190817466cbSJens Wiklander * 7 0 191817466cbSJens Wiklander * 6 add present? 192817466cbSJens Wiklander * 5 .. 3 (t - 2) / 2 193817466cbSJens Wiklander * 2 .. 0 q - 1 194817466cbSJens Wiklander */ 195817466cbSJens Wiklander b[0] = 0; 196817466cbSJens Wiklander b[0] |= ( add_len > 0 ) << 6; 197817466cbSJens Wiklander b[0] |= ( ( tag_len - 2 ) / 2 ) << 3; 198817466cbSJens Wiklander b[0] |= q - 1; 199817466cbSJens Wiklander 200817466cbSJens Wiklander memcpy( b + 1, iv, iv_len ); 201817466cbSJens Wiklander 202817466cbSJens Wiklander for( i = 0, len_left = length; i < q; i++, len_left >>= 8 ) 203817466cbSJens Wiklander b[15-i] = (unsigned char)( len_left & 0xFF ); 204817466cbSJens Wiklander 205817466cbSJens Wiklander if( len_left > 0 ) 206817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 207817466cbSJens Wiklander 208817466cbSJens Wiklander 209817466cbSJens Wiklander /* Start CBC-MAC with first block */ 210817466cbSJens Wiklander memset( y, 0, 16 ); 211817466cbSJens Wiklander UPDATE_CBC_MAC; 212817466cbSJens Wiklander 213817466cbSJens Wiklander /* 214817466cbSJens Wiklander * If there is additional data, update CBC-MAC with 215817466cbSJens Wiklander * add_len, add, 0 (padding to a block boundary) 216817466cbSJens Wiklander */ 217817466cbSJens Wiklander if( add_len > 0 ) 218817466cbSJens Wiklander { 219817466cbSJens Wiklander size_t use_len; 220817466cbSJens Wiklander len_left = add_len; 221817466cbSJens Wiklander src = add; 222817466cbSJens Wiklander 223817466cbSJens Wiklander memset( b, 0, 16 ); 224817466cbSJens Wiklander b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF ); 225817466cbSJens Wiklander b[1] = (unsigned char)( ( add_len ) & 0xFF ); 226817466cbSJens Wiklander 227817466cbSJens Wiklander use_len = len_left < 16 - 2 ? len_left : 16 - 2; 228817466cbSJens Wiklander memcpy( b + 2, src, use_len ); 229817466cbSJens Wiklander len_left -= use_len; 230817466cbSJens Wiklander src += use_len; 231817466cbSJens Wiklander 232817466cbSJens Wiklander UPDATE_CBC_MAC; 233817466cbSJens Wiklander 234817466cbSJens Wiklander while( len_left > 0 ) 235817466cbSJens Wiklander { 236817466cbSJens Wiklander use_len = len_left > 16 ? 16 : len_left; 237817466cbSJens Wiklander 238817466cbSJens Wiklander memset( b, 0, 16 ); 239817466cbSJens Wiklander memcpy( b, src, use_len ); 240817466cbSJens Wiklander UPDATE_CBC_MAC; 241817466cbSJens Wiklander 242817466cbSJens Wiklander len_left -= use_len; 243817466cbSJens Wiklander src += use_len; 244817466cbSJens Wiklander } 245817466cbSJens Wiklander } 246817466cbSJens Wiklander 247817466cbSJens Wiklander /* 248817466cbSJens Wiklander * Prepare counter block for encryption: 249817466cbSJens Wiklander * 0 .. 0 flags 250817466cbSJens Wiklander * 1 .. iv_len nonce (aka iv) 251817466cbSJens Wiklander * iv_len+1 .. 15 counter (initially 1) 252817466cbSJens Wiklander * 253817466cbSJens Wiklander * With flags as (bits): 254817466cbSJens Wiklander * 7 .. 3 0 255817466cbSJens Wiklander * 2 .. 0 q - 1 256817466cbSJens Wiklander */ 257817466cbSJens Wiklander ctr[0] = q - 1; 258817466cbSJens Wiklander memcpy( ctr + 1, iv, iv_len ); 259817466cbSJens Wiklander memset( ctr + 1 + iv_len, 0, q ); 260817466cbSJens Wiklander ctr[15] = 1; 261817466cbSJens Wiklander 262817466cbSJens Wiklander /* 263817466cbSJens Wiklander * Authenticate and {en,de}crypt the message. 264817466cbSJens Wiklander * 265817466cbSJens Wiklander * The only difference between encryption and decryption is 266817466cbSJens Wiklander * the respective order of authentication and {en,de}cryption. 267817466cbSJens Wiklander */ 268817466cbSJens Wiklander len_left = length; 269817466cbSJens Wiklander src = input; 270817466cbSJens Wiklander dst = output; 271817466cbSJens Wiklander 272817466cbSJens Wiklander while( len_left > 0 ) 273817466cbSJens Wiklander { 274817466cbSJens Wiklander size_t use_len = len_left > 16 ? 16 : len_left; 275817466cbSJens Wiklander 276817466cbSJens Wiklander if( mode == CCM_ENCRYPT ) 277817466cbSJens Wiklander { 278817466cbSJens Wiklander memset( b, 0, 16 ); 279817466cbSJens Wiklander memcpy( b, src, use_len ); 280817466cbSJens Wiklander UPDATE_CBC_MAC; 281817466cbSJens Wiklander } 282817466cbSJens Wiklander 283817466cbSJens Wiklander CTR_CRYPT( dst, src, use_len ); 284817466cbSJens Wiklander 285817466cbSJens Wiklander if( mode == CCM_DECRYPT ) 286817466cbSJens Wiklander { 287817466cbSJens Wiklander memset( b, 0, 16 ); 288817466cbSJens Wiklander memcpy( b, dst, use_len ); 289817466cbSJens Wiklander UPDATE_CBC_MAC; 290817466cbSJens Wiklander } 291817466cbSJens Wiklander 292817466cbSJens Wiklander dst += use_len; 293817466cbSJens Wiklander src += use_len; 294817466cbSJens Wiklander len_left -= use_len; 295817466cbSJens Wiklander 296817466cbSJens Wiklander /* 297817466cbSJens Wiklander * Increment counter. 298817466cbSJens Wiklander * No need to check for overflow thanks to the length check above. 299817466cbSJens Wiklander */ 300817466cbSJens Wiklander for( i = 0; i < q; i++ ) 301817466cbSJens Wiklander if( ++ctr[15-i] != 0 ) 302817466cbSJens Wiklander break; 303817466cbSJens Wiklander } 304817466cbSJens Wiklander 305817466cbSJens Wiklander /* 306817466cbSJens Wiklander * Authentication: reset counter and crypt/mask internal tag 307817466cbSJens Wiklander */ 308817466cbSJens Wiklander for( i = 0; i < q; i++ ) 309817466cbSJens Wiklander ctr[15-i] = 0; 310817466cbSJens Wiklander 311817466cbSJens Wiklander CTR_CRYPT( y, y, 16 ); 312817466cbSJens Wiklander memcpy( tag, y, tag_len ); 313817466cbSJens Wiklander 314817466cbSJens Wiklander return( 0 ); 315817466cbSJens Wiklander } 316817466cbSJens Wiklander 317817466cbSJens Wiklander /* 318817466cbSJens Wiklander * Authenticated encryption 319817466cbSJens Wiklander */ 3203d3b0591SJens Wiklander int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, 3213d3b0591SJens Wiklander const unsigned char *iv, size_t iv_len, 3223d3b0591SJens Wiklander const unsigned char *add, size_t add_len, 3233d3b0591SJens Wiklander const unsigned char *input, unsigned char *output, 3243d3b0591SJens Wiklander unsigned char *tag, size_t tag_len ) 3253d3b0591SJens Wiklander { 3263d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 3273d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 3283d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 3293d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 3303d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 3313d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 3323d3b0591SJens Wiklander return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len, 3333d3b0591SJens Wiklander add, add_len, input, output, tag, tag_len ) ); 3343d3b0591SJens Wiklander } 3353d3b0591SJens Wiklander 336817466cbSJens Wiklander int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, 337817466cbSJens Wiklander const unsigned char *iv, size_t iv_len, 338817466cbSJens Wiklander const unsigned char *add, size_t add_len, 339817466cbSJens Wiklander const unsigned char *input, unsigned char *output, 340817466cbSJens Wiklander unsigned char *tag, size_t tag_len ) 341817466cbSJens Wiklander { 3423d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 3433d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 3443d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 3453d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 3463d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 3473d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 3483d3b0591SJens Wiklander if( tag_len == 0 ) 3493d3b0591SJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 3503d3b0591SJens Wiklander 3513d3b0591SJens Wiklander return( mbedtls_ccm_star_encrypt_and_tag( ctx, length, iv, iv_len, add, 3523d3b0591SJens Wiklander add_len, input, output, tag, tag_len ) ); 353817466cbSJens Wiklander } 354817466cbSJens Wiklander 355817466cbSJens Wiklander /* 356817466cbSJens Wiklander * Authenticated decryption 357817466cbSJens Wiklander */ 3583d3b0591SJens Wiklander int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, 359817466cbSJens Wiklander const unsigned char *iv, size_t iv_len, 360817466cbSJens Wiklander const unsigned char *add, size_t add_len, 361817466cbSJens Wiklander const unsigned char *input, unsigned char *output, 362817466cbSJens Wiklander const unsigned char *tag, size_t tag_len ) 363817466cbSJens Wiklander { 36411fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 365817466cbSJens Wiklander unsigned char check_tag[16]; 366817466cbSJens Wiklander unsigned char i; 367817466cbSJens Wiklander int diff; 368817466cbSJens Wiklander 3693d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 3703d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 3713d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 3723d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 3733d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 3743d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 3753d3b0591SJens Wiklander 376817466cbSJens Wiklander if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length, 377817466cbSJens Wiklander iv, iv_len, add, add_len, 378817466cbSJens Wiklander input, output, check_tag, tag_len ) ) != 0 ) 379817466cbSJens Wiklander { 380817466cbSJens Wiklander return( ret ); 381817466cbSJens Wiklander } 382817466cbSJens Wiklander 383817466cbSJens Wiklander /* Check tag in "constant-time" */ 384817466cbSJens Wiklander for( diff = 0, i = 0; i < tag_len; i++ ) 385817466cbSJens Wiklander diff |= tag[i] ^ check_tag[i]; 386817466cbSJens Wiklander 387817466cbSJens Wiklander if( diff != 0 ) 388817466cbSJens Wiklander { 3893d3b0591SJens Wiklander mbedtls_platform_zeroize( output, length ); 390817466cbSJens Wiklander return( MBEDTLS_ERR_CCM_AUTH_FAILED ); 391817466cbSJens Wiklander } 392817466cbSJens Wiklander 393817466cbSJens Wiklander return( 0 ); 394817466cbSJens Wiklander } 395817466cbSJens Wiklander 3963d3b0591SJens Wiklander int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, 3973d3b0591SJens Wiklander const unsigned char *iv, size_t iv_len, 3983d3b0591SJens Wiklander const unsigned char *add, size_t add_len, 3993d3b0591SJens Wiklander const unsigned char *input, unsigned char *output, 4003d3b0591SJens Wiklander const unsigned char *tag, size_t tag_len ) 4013d3b0591SJens Wiklander { 4023d3b0591SJens Wiklander CCM_VALIDATE_RET( ctx != NULL ); 4033d3b0591SJens Wiklander CCM_VALIDATE_RET( iv != NULL ); 4043d3b0591SJens Wiklander CCM_VALIDATE_RET( add_len == 0 || add != NULL ); 4053d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || input != NULL ); 4063d3b0591SJens Wiklander CCM_VALIDATE_RET( length == 0 || output != NULL ); 4073d3b0591SJens Wiklander CCM_VALIDATE_RET( tag_len == 0 || tag != NULL ); 4083d3b0591SJens Wiklander 4093d3b0591SJens Wiklander if( tag_len == 0 ) 4103d3b0591SJens Wiklander return( MBEDTLS_ERR_CCM_BAD_INPUT ); 4113d3b0591SJens Wiklander 4123d3b0591SJens Wiklander return( mbedtls_ccm_star_auth_decrypt( ctx, length, iv, iv_len, add, 4133d3b0591SJens Wiklander add_len, input, output, tag, tag_len ) ); 4143d3b0591SJens Wiklander } 4153d3b0591SJens Wiklander #endif /* !MBEDTLS_CCM_ALT */ 416817466cbSJens Wiklander 417817466cbSJens Wiklander #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) 418817466cbSJens Wiklander /* 419817466cbSJens Wiklander * Examples 1 to 3 from SP800-38C Appendix C 420817466cbSJens Wiklander */ 421817466cbSJens Wiklander 422817466cbSJens Wiklander #define NB_TESTS 3 4233d3b0591SJens Wiklander #define CCM_SELFTEST_PT_MAX_LEN 24 4243d3b0591SJens Wiklander #define CCM_SELFTEST_CT_MAX_LEN 32 425817466cbSJens Wiklander /* 426817466cbSJens Wiklander * The data is the same for all tests, only the used length changes 427817466cbSJens Wiklander */ 42811fa71b9SJerome Forissier static const unsigned char key_test_data[] = { 429817466cbSJens Wiklander 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 430817466cbSJens Wiklander 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f 431817466cbSJens Wiklander }; 432817466cbSJens Wiklander 43311fa71b9SJerome Forissier static const unsigned char iv_test_data[] = { 434817466cbSJens Wiklander 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 435817466cbSJens Wiklander 0x18, 0x19, 0x1a, 0x1b 436817466cbSJens Wiklander }; 437817466cbSJens Wiklander 43811fa71b9SJerome Forissier static const unsigned char ad_test_data[] = { 439817466cbSJens Wiklander 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 440817466cbSJens Wiklander 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 441817466cbSJens Wiklander 0x10, 0x11, 0x12, 0x13 442817466cbSJens Wiklander }; 443817466cbSJens Wiklander 44411fa71b9SJerome Forissier static const unsigned char msg_test_data[CCM_SELFTEST_PT_MAX_LEN] = { 445817466cbSJens Wiklander 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 446817466cbSJens Wiklander 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 447817466cbSJens Wiklander 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 448817466cbSJens Wiklander }; 449817466cbSJens Wiklander 45011fa71b9SJerome Forissier static const size_t iv_len_test_data [NB_TESTS] = { 7, 8, 12 }; 45111fa71b9SJerome Forissier static const size_t add_len_test_data[NB_TESTS] = { 8, 16, 20 }; 45211fa71b9SJerome Forissier static const size_t msg_len_test_data[NB_TESTS] = { 4, 16, 24 }; 45311fa71b9SJerome Forissier static const size_t tag_len_test_data[NB_TESTS] = { 4, 6, 8 }; 454817466cbSJens Wiklander 45511fa71b9SJerome Forissier static const unsigned char res_test_data[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = { 456817466cbSJens Wiklander { 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d }, 457817466cbSJens Wiklander { 0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62, 458817466cbSJens Wiklander 0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d, 459817466cbSJens Wiklander 0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd }, 460817466cbSJens Wiklander { 0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a, 461817466cbSJens Wiklander 0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b, 462817466cbSJens Wiklander 0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5, 463817466cbSJens Wiklander 0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 } 464817466cbSJens Wiklander }; 465817466cbSJens Wiklander 466817466cbSJens Wiklander int mbedtls_ccm_self_test( int verbose ) 467817466cbSJens Wiklander { 468817466cbSJens Wiklander mbedtls_ccm_context ctx; 4693d3b0591SJens Wiklander /* 4703d3b0591SJens Wiklander * Some hardware accelerators require the input and output buffers 4713d3b0591SJens Wiklander * would be in RAM, because the flash is not accessible. 4723d3b0591SJens Wiklander * Use buffers on the stack to hold the test vectors data. 4733d3b0591SJens Wiklander */ 4743d3b0591SJens Wiklander unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN]; 4753d3b0591SJens Wiklander unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN]; 476817466cbSJens Wiklander size_t i; 47711fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 478817466cbSJens Wiklander 479817466cbSJens Wiklander mbedtls_ccm_init( &ctx ); 480817466cbSJens Wiklander 48111fa71b9SJerome Forissier if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key_test_data, 48211fa71b9SJerome Forissier 8 * sizeof key_test_data ) != 0 ) 483817466cbSJens Wiklander { 484817466cbSJens Wiklander if( verbose != 0 ) 485817466cbSJens Wiklander mbedtls_printf( " CCM: setup failed" ); 486817466cbSJens Wiklander 487817466cbSJens Wiklander return( 1 ); 488817466cbSJens Wiklander } 489817466cbSJens Wiklander 490817466cbSJens Wiklander for( i = 0; i < NB_TESTS; i++ ) 491817466cbSJens Wiklander { 492817466cbSJens Wiklander if( verbose != 0 ) 493817466cbSJens Wiklander mbedtls_printf( " CCM-AES #%u: ", (unsigned int) i + 1 ); 494817466cbSJens Wiklander 4953d3b0591SJens Wiklander memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN ); 4963d3b0591SJens Wiklander memset( ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN ); 49711fa71b9SJerome Forissier memcpy( plaintext, msg_test_data, msg_len_test_data[i] ); 4983d3b0591SJens Wiklander 49911fa71b9SJerome Forissier ret = mbedtls_ccm_encrypt_and_tag( &ctx, msg_len_test_data[i], 50011fa71b9SJerome Forissier iv_test_data, iv_len_test_data[i], 50111fa71b9SJerome Forissier ad_test_data, add_len_test_data[i], 5023d3b0591SJens Wiklander plaintext, ciphertext, 50311fa71b9SJerome Forissier ciphertext + msg_len_test_data[i], 50411fa71b9SJerome Forissier tag_len_test_data[i] ); 505817466cbSJens Wiklander 506817466cbSJens Wiklander if( ret != 0 || 50711fa71b9SJerome Forissier memcmp( ciphertext, res_test_data[i], 50811fa71b9SJerome Forissier msg_len_test_data[i] + tag_len_test_data[i] ) != 0 ) 509817466cbSJens Wiklander { 510817466cbSJens Wiklander if( verbose != 0 ) 511817466cbSJens Wiklander mbedtls_printf( "failed\n" ); 512817466cbSJens Wiklander 513817466cbSJens Wiklander return( 1 ); 514817466cbSJens Wiklander } 5153d3b0591SJens Wiklander memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN ); 516817466cbSJens Wiklander 51711fa71b9SJerome Forissier ret = mbedtls_ccm_auth_decrypt( &ctx, msg_len_test_data[i], 51811fa71b9SJerome Forissier iv_test_data, iv_len_test_data[i], 51911fa71b9SJerome Forissier ad_test_data, add_len_test_data[i], 5203d3b0591SJens Wiklander ciphertext, plaintext, 52111fa71b9SJerome Forissier ciphertext + msg_len_test_data[i], 52211fa71b9SJerome Forissier tag_len_test_data[i] ); 523817466cbSJens Wiklander 524817466cbSJens Wiklander if( ret != 0 || 52511fa71b9SJerome Forissier memcmp( plaintext, msg_test_data, msg_len_test_data[i] ) != 0 ) 526817466cbSJens Wiklander { 527817466cbSJens Wiklander if( verbose != 0 ) 528817466cbSJens Wiklander mbedtls_printf( "failed\n" ); 529817466cbSJens Wiklander 530817466cbSJens Wiklander return( 1 ); 531817466cbSJens Wiklander } 532817466cbSJens Wiklander 533817466cbSJens Wiklander if( verbose != 0 ) 534817466cbSJens Wiklander mbedtls_printf( "passed\n" ); 535817466cbSJens Wiklander } 536817466cbSJens Wiklander 537817466cbSJens Wiklander mbedtls_ccm_free( &ctx ); 538817466cbSJens Wiklander 539817466cbSJens Wiklander if( verbose != 0 ) 540817466cbSJens Wiklander mbedtls_printf( "\n" ); 541817466cbSJens Wiklander 542817466cbSJens Wiklander return( 0 ); 543817466cbSJens Wiklander } 544817466cbSJens Wiklander 545817466cbSJens Wiklander #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ 546817466cbSJens Wiklander 547817466cbSJens Wiklander #endif /* MBEDTLS_CCM_C */ 548