TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fd13a0f85195cc5cf7e0d650713935b88a28ac52 / . / library / ccm.c
blob: 065eb60248fb1bcdf21e192f604d880866c32891 [file] [log] [blame]
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +0200[diff] [blame]1/*
2 * NIST SP800-38C compliant CCM implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +0200[diff] [blame]18 */
19
20/*
21 * Definition of CCM:
22 * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
23 * RFC 3610 "Counter with CBC-MAC (CCM)"
24 *
25 * Related:
26 * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
27 */
28
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]29#include "common.h"
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +0200[diff] [blame]30
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#if defined(MBEDTLS_CCM_C)
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +0200[diff] [blame]32
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]33#include "mbedtls/ccm.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +0200[diff] [blame]36
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]37#include <string.h>
38
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]40#include "mbedtls/platform.h"
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]41#else
Mateusz Starzyk22f7a352021-07-28 15:08:47 +0200[diff] [blame]42#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]43#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#define mbedtls_printf printf
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]45#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
Mateusz Starzyk22f7a352021-07-28 15:08:47 +0200[diff] [blame]46#endif /* MBEDTLS_PLATFORM_C */
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]47
Steven Cooreman222e2ff2017-04-04 11:37:15 +0200[diff] [blame]48#if !defined(MBEDTLS_CCM_ALT)
49
Manuel Pégourié-Gonnard00232332014-05-06 15:56:07 +0200[diff] [blame]50
Manuel Pégourié-Gonnard9fe0d132014-05-06 12:12:45 +0200[diff] [blame]51/*
52 * Initialize context
53 */
Manuel Pégourié-Gonnard6963ff02015-04-28 18:02:54 +0200[diff] [blame]54void mbedtls_ccm_init( mbedtls_ccm_context *ctx )
55{
56 memset( ctx, 0, sizeof( mbedtls_ccm_context ) );
57}
58
59int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
60 mbedtls_cipher_id_t cipher,
61 const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]62 unsigned int keybits )
Manuel Pégourié-Gonnard9fe0d132014-05-06 12:12:45 +0200[diff] [blame]63{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]64 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]65 const mbedtls_cipher_info_t *cipher_info;
Manuel Pégourié-Gonnard9fe0d132014-05-06 12:12:45 +0200[diff] [blame]66
Andrzej Kurekee3c4352019-01-10 03:10:02 -0500[diff] [blame]67 cipher_info = mbedtls_cipher_info_from_values( cipher, keybits,
68 MBEDTLS_MODE_ECB );
Manuel Pégourié-Gonnard9fe0d132014-05-06 12:12:45 +0200[diff] [blame]69 if( cipher_info == NULL )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]70 return( MBEDTLS_ERR_CCM_BAD_INPUT );
Manuel Pégourié-Gonnard9fe0d132014-05-06 12:12:45 +0200[diff] [blame]71
72 if( cipher_info->block_size != 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]73 return( MBEDTLS_ERR_CCM_BAD_INPUT );
Manuel Pégourié-Gonnard9fe0d132014-05-06 12:12:45 +0200[diff] [blame]74
Manuel Pégourié-Gonnard43b08572015-05-27 17:23:30 +0200[diff] [blame]75 mbedtls_cipher_free( &ctx->cipher_ctx );
76
Manuel Pégourié-Gonnard8473f872015-05-14 13:51:45 +0200[diff] [blame]77 if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
Manuel Pégourié-Gonnard9fe0d132014-05-06 12:12:45 +0200[diff] [blame]78 return( ret );
79
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]80 if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]81 MBEDTLS_ENCRYPT ) ) != 0 )
Manuel Pégourié-Gonnard9fe0d132014-05-06 12:12:45 +0200[diff] [blame]82 {
83 return( ret );
84 }
85
86 return( 0 );
87}
88
89/*
90 * Free context
91 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]92void mbedtls_ccm_free( mbedtls_ccm_context *ctx )
Manuel Pégourié-Gonnard9fe0d132014-05-06 12:12:45 +0200[diff] [blame]93{
k-stachowiakfd42d532018-12-11 14:37:51 +0100[diff] [blame]94 if( ctx == NULL )
95 return;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]96 mbedtls_cipher_free( &ctx->cipher_ctx );
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]97 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ccm_context ) );
Manuel Pégourié-Gonnard9fe0d132014-05-06 12:12:45 +0200[diff] [blame]98}
99
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]100#define CCM_STATE__CLEAR 0
Mateusz Starzyka9cbdfb2021-07-27 13:49:54 +0200[diff] [blame]101#define CCM_STATE__STARTED (1 << 0)
bootstrap-prime6dbbf442022-05-17 19:30:44 -0400[diff] [blame]102#define CCM_STATE__LENGTHS_SET (1 << 1)
Mateusz Starzyk62d22f92021-08-09 15:53:41 +0200[diff] [blame]103#define CCM_STATE__AUTH_DATA_STARTED (1 << 2)
104#define CCM_STATE__AUTH_DATA_FINISHED (1 << 3)
Mateusz Starzyk36d3b892021-07-28 14:14:58 +0200[diff] [blame]105#define CCM_STATE__ERROR (1 << 4)
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]106
Mateusz Starzyk2ad7d8e2021-07-07 11:05:45 +0200[diff] [blame]107/*
108 * Encrypt or decrypt a partial block with CTR
109 */
110static int mbedtls_ccm_crypt( mbedtls_ccm_context *ctx,
111 size_t offset, size_t use_len,
112 const unsigned char *input,
113 unsigned char *output )
114{
Mateusz Starzyk2ad7d8e2021-07-07 11:05:45 +0200[diff] [blame]115 size_t olen = 0;
116 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
117 unsigned char tmp_buf[16] = {0};
118
119 if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->ctr, 16, tmp_buf,
120 &olen ) ) != 0 )
121 {
Mateusz Starzyk2d5652a2021-07-27 16:07:54 +0200[diff] [blame]122 ctx->state |= CCM_STATE__ERROR;
Mateusz Starzykc52220d2021-07-27 13:54:55 +0200[diff] [blame]123 mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf));
Mateusz Starzyk2ad7d8e2021-07-07 11:05:45 +0200[diff] [blame]124 return ret;
125 }
126
Dave Rodgman0d3b55b2022-11-22 16:30:35 +0000[diff] [blame]127 mbedtls_xor( output, input, tmp_buf + offset, use_len );
Mateusz Starzyk2ad7d8e2021-07-07 11:05:45 +0200[diff] [blame]128
Mateusz Starzykc52220d2021-07-27 13:54:55 +0200[diff] [blame]129 mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf));
Mateusz Starzyk2ad7d8e2021-07-07 11:05:45 +0200[diff] [blame]130 return ret;
131}
132
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]133static void mbedtls_ccm_clear_state(mbedtls_ccm_context *ctx) {
134 ctx->state = CCM_STATE__CLEAR;
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]135 memset( ctx->y, 0, 16);
136 memset( ctx->ctr, 0, 16);
137}
138
Mateusz Starzykca9dc8d2021-07-27 14:03:53 +0200[diff] [blame]139static int ccm_calculate_first_block_if_ready(mbedtls_ccm_context *ctx)
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]140{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]141 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]142 unsigned char i;
Manuel Pégourié-Gonnardaed60652014-05-07 13:14:42 +0200[diff] [blame]143 size_t len_left, olen;
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]144
Tom Cosgrove1797b052022-12-04 17:19:59 +0000[diff] [blame]145 /* length calculation can be done only after both
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]146 * mbedtls_ccm_starts() and mbedtls_ccm_set_lengths() have been executed
147 */
bootstrap-prime6dbbf442022-05-17 19:30:44 -0400[diff] [blame]148 if( !(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGTHS_SET) )
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]149 return 0;
150
Mateusz Starzykbb2ced32021-10-13 13:37:30 +0200[diff] [blame]151 /* CCM expects non-empty tag.
152 * CCM* allows empty tag. For CCM* without tag, ignore plaintext length.
153 */
154 if( ctx->tag_len == 0 )
155 {
156 if( ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT || ctx->mode == MBEDTLS_CCM_STAR_DECRYPT )
157 {
158 ctx->plaintext_len = 0;
159 }
160 else
161 {
162 return( MBEDTLS_ERR_CCM_BAD_INPUT );
163 }
164 }
Mateusz Starzyk05e92d62021-07-09 12:44:07 +0200[diff] [blame]165
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]166 /*
Mateusz Starzyk663055f2021-07-12 19:13:52 +0200[diff] [blame]167 * First block:
Mateusz Starzykeb2ca962021-07-06 12:45:11 +0200[diff] [blame]168 * 0 .. 0 flags
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]169 * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts()
Mateusz Starzykeb2ca962021-07-06 12:45:11 +0200[diff] [blame]170 * iv_len+1 .. 15 length
171 *
172 * With flags as (bits):
173 * 7 0
174 * 6 add present?
175 * 5 .. 3 (t - 2) / 2
176 * 2 .. 0 q - 1
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]177 */
Mateusz Starzyk663055f2021-07-12 19:13:52 +0200[diff] [blame]178 ctx->y[0] |= ( ctx->add_len > 0 ) << 6;
179 ctx->y[0] |= ( ( ctx->tag_len - 2 ) / 2 ) << 3;
180 ctx->y[0] |= ctx->q - 1;
Mateusz Starzykeb2ca962021-07-06 12:45:11 +0200[diff] [blame]181
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]182 for( i = 0, len_left = ctx->plaintext_len; i < ctx->q; i++, len_left >>= 8 )
Mateusz Starzykcbefb6b2021-08-24 15:14:23 +0200[diff] [blame]183 ctx->y[15-i] = MBEDTLS_BYTE_0( len_left );
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]184
185 if( len_left > 0 )
Mateusz Starzyk88c4d622021-07-05 17:09:16 +0200[diff] [blame]186 {
187 ctx->state |= CCM_STATE__ERROR;
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]188 return( MBEDTLS_ERR_CCM_BAD_INPUT );
Mateusz Starzyk88c4d622021-07-05 17:09:16 +0200[diff] [blame]189 }
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]190
191 /* Start CBC-MAC with first block*/
Mateusz Starzyk663055f2021-07-12 19:13:52 +0200[diff] [blame]192 if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 )
193 {
194 ctx->state |= CCM_STATE__ERROR;
195 return( ret );
196 }
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]197
198 return (0);
199}
200
201int mbedtls_ccm_starts( mbedtls_ccm_context *ctx,
202 int mode,
203 const unsigned char *iv,
204 size_t iv_len )
205{
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]206 /* Also implies q is within bounds */
207 if( iv_len < 7 || iv_len > 13 )
208 return( MBEDTLS_ERR_CCM_BAD_INPUT );
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]209
Mateusz Starzyk89d469c2021-06-22 16:24:28 +0200[diff] [blame]210 ctx->mode = mode;
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]211 ctx->q = 16 - 1 - (unsigned char) iv_len;
212
213 /*
214 * Prepare counter block for encryption:
215 * 0 .. 0 flags
216 * 1 .. iv_len nonce (aka iv)
217 * iv_len+1 .. 15 counter (initially 1)
218 *
219 * With flags as (bits):
220 * 7 .. 3 0
221 * 2 .. 0 q - 1
222 */
223 memset( ctx->ctr, 0, 16);
224 ctx->ctr[0] = ctx->q - 1;
225 memcpy( ctx->ctr + 1, iv, iv_len );
226 memset( ctx->ctr + 1 + iv_len, 0, ctx->q );
227 ctx->ctr[15] = 1;
228
229 /*
Mateusz Starzykca9dc8d2021-07-27 14:03:53 +0200[diff] [blame]230 * See ccm_calculate_first_block_if_ready() for block layout description
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]231 */
Mateusz Starzyk663055f2021-07-12 19:13:52 +0200[diff] [blame]232 memcpy( ctx->y + 1, iv, iv_len );
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]233
234 ctx->state |= CCM_STATE__STARTED;
Mateusz Starzykca9dc8d2021-07-27 14:03:53 +0200[diff] [blame]235 return ccm_calculate_first_block_if_ready(ctx);
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]236}
237
238int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx,
239 size_t total_ad_len,
240 size_t plaintext_len,
241 size_t tag_len )
242{
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]243 /*
244 * Check length requirements: SP800-38C A.1
245 * Additional requirement: a < 2^16 - 2^8 to simplify the code.
246 * 'length' checked later (when writing it to the first block)
Janos Follath997e85c2018-05-29 11:33:45 +0100[diff] [blame]247 *
248 * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]249 */
Janos Follath997e85c2018-05-29 11:33:45 +0100[diff] [blame]250 if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 )
Janos Follath997e85c2018-05-29 11:33:45 +0100[diff] [blame]251 return( MBEDTLS_ERR_CCM_BAD_INPUT );
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]252
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]253 if( total_ad_len >= 0xFF00 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]254 return( MBEDTLS_ERR_CCM_BAD_INPUT );
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]255
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]256 ctx->plaintext_len = plaintext_len;
Mateusz Starzykeb2ca962021-07-06 12:45:11 +0200[diff] [blame]257 ctx->add_len = total_ad_len;
258 ctx->tag_len = tag_len;
259 ctx->processed = 0;
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]260
bootstrap-prime6dbbf442022-05-17 19:30:44 -0400[diff] [blame]261 ctx->state |= CCM_STATE__LENGTHS_SET;
Mateusz Starzykca9dc8d2021-07-27 14:03:53 +0200[diff] [blame]262 return ccm_calculate_first_block_if_ready(ctx);
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]263}
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]264
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]265int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx,
266 const unsigned char *add,
267 size_t add_len )
268{
269 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Mateusz Starzyk33392452021-07-06 15:38:35 +0200[diff] [blame]270 size_t olen, use_len, offset;
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]271
Mateusz Starzyk2d5652a2021-07-27 16:07:54 +0200[diff] [blame]272 if( ctx->state & CCM_STATE__ERROR )
273 {
Mateusz Starzyk64f0b5f2021-09-02 11:50:38 +0200[diff] [blame]274 return MBEDTLS_ERR_CCM_BAD_INPUT;
Mateusz Starzyk2d5652a2021-07-27 16:07:54 +0200[diff] [blame]275 }
276
Mateusz Starzyk5d7f6b12021-09-02 15:11:14 +0200[diff] [blame]277 if( add_len > 0 )
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]278 {
Mateusz Starzyk36d3b892021-07-28 14:14:58 +0200[diff] [blame]279 if( ctx->state & CCM_STATE__AUTH_DATA_FINISHED )
280 {
Mateusz Starzyk7251eda2021-09-01 13:26:44 +0200[diff] [blame]281 return MBEDTLS_ERR_CCM_BAD_INPUT;
Mateusz Starzyk36d3b892021-07-28 14:14:58 +0200[diff] [blame]282 }
283
Mateusz Starzyk62d22f92021-08-09 15:53:41 +0200[diff] [blame]284 if( !(ctx->state & CCM_STATE__AUTH_DATA_STARTED) )
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]285 {
Mateusz Starzyk36d3b892021-07-28 14:14:58 +0200[diff] [blame]286 if ( add_len > ctx->add_len )
287 {
288 return MBEDTLS_ERR_CCM_BAD_INPUT;
289 }
290
Mateusz Starzyk663055f2021-07-12 19:13:52 +0200[diff] [blame]291 ctx->y[0] ^= (unsigned char)( ( ctx->add_len >> 8 ) & 0xFF );
292 ctx->y[1] ^= (unsigned char)( ( ctx->add_len ) & 0xFF );
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]293
Mateusz Starzyk62d22f92021-08-09 15:53:41 +0200[diff] [blame]294 ctx->state |= CCM_STATE__AUTH_DATA_STARTED;
Mateusz Starzyk33392452021-07-06 15:38:35 +0200[diff] [blame]295 }
Mateusz Starzyk62d22f92021-08-09 15:53:41 +0200[diff] [blame]296 else if ( ctx->processed + add_len > ctx->add_len )
Mateusz Starzyk36d3b892021-07-28 14:14:58 +0200[diff] [blame]297 {
298 return MBEDTLS_ERR_CCM_BAD_INPUT;
299 }
Mateusz Starzyk33392452021-07-06 15:38:35 +0200[diff] [blame]300
301 while( add_len > 0 )
302 {
Mateusz Starzyk62d22f92021-08-09 15:53:41 +0200[diff] [blame]303 offset = (ctx->processed + 2) % 16; /* account for y[0] and y[1]
304 * holding total auth data length */
Mateusz Starzyk33392452021-07-06 15:38:35 +0200[diff] [blame]305 use_len = 16 - offset;
306
307 if( use_len > add_len )
308 use_len = add_len;
309
Dave Rodgman0d3b55b2022-11-22 16:30:35 +0000[diff] [blame]310 mbedtls_xor( ctx->y + offset, ctx->y + offset, add, use_len );
Mateusz Starzyk663055f2021-07-12 19:13:52 +0200[diff] [blame]311
Mateusz Starzyk33392452021-07-06 15:38:35 +0200[diff] [blame]312 ctx->processed += use_len;
313 add_len -= use_len;
314 add += use_len;
315
Mateusz Starzyk62d22f92021-08-09 15:53:41 +0200[diff] [blame]316 if( use_len + offset == 16 || ctx->processed == ctx->add_len )
Mateusz Starzyk33392452021-07-06 15:38:35 +0200[diff] [blame]317 {
Mateusz Starzyk663055f2021-07-12 19:13:52 +0200[diff] [blame]318 if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 )
319 {
320 ctx->state |= CCM_STATE__ERROR;
321 return( ret );
322 }
Mateusz Starzyk33392452021-07-06 15:38:35 +0200[diff] [blame]323 }
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]324 }
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]325
Mateusz Starzyk62d22f92021-08-09 15:53:41 +0200[diff] [blame]326 if( ctx->processed == ctx->add_len )
Mateusz Starzyk36d3b892021-07-28 14:14:58 +0200[diff] [blame]327 {
328 ctx->state |= CCM_STATE__AUTH_DATA_FINISHED;
329 ctx->processed = 0; // prepare for mbedtls_ccm_update()
330 }
331 }
Mateusz Starzyk33392452021-07-06 15:38:35 +0200[diff] [blame]332
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]333 return (0);
334}
335
336int mbedtls_ccm_update( mbedtls_ccm_context *ctx,
337 const unsigned char *input, size_t input_len,
338 unsigned char *output, size_t output_size,
339 size_t *output_len )
340{
Mateusz Starzykb73c3ec2021-08-09 15:55:38 +0200[diff] [blame]341 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]342 unsigned char i;
Mateusz Starzyk6a15bcf2021-07-07 13:41:30 +0200[diff] [blame]343 size_t use_len, offset, olen;
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]344
Mateusz Starzykf3378502021-08-09 11:32:11 +0200[diff] [blame]345 unsigned char local_output[16];
Mateusz Starzyk22f7a352021-07-28 15:08:47 +0200[diff] [blame]346
Mateusz Starzyk2d5652a2021-07-27 16:07:54 +0200[diff] [blame]347 if( ctx->state & CCM_STATE__ERROR )
348 {
Mateusz Starzyk64f0b5f2021-09-02 11:50:38 +0200[diff] [blame]349 return MBEDTLS_ERR_CCM_BAD_INPUT;
Mateusz Starzyk2d5652a2021-07-27 16:07:54 +0200[diff] [blame]350 }
351
Mateusz Starzykbb2ced32021-10-13 13:37:30 +0200[diff] [blame]352 /* Check against plaintext length only if performing operation with
353 * authentication
354 */
355 if( ctx->tag_len != 0 && ctx->processed + input_len > ctx->plaintext_len )
Mateusz Starzyk36d3b892021-07-28 14:14:58 +0200[diff] [blame]356 {
357 return MBEDTLS_ERR_CCM_BAD_INPUT;
358 }
359
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]360 if( output_size < input_len )
361 return( MBEDTLS_ERR_CCM_BAD_INPUT );
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]362 *output_len = input_len;
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]363
Mateusz Starzyk22f7a352021-07-28 15:08:47 +0200[diff] [blame]364 ret = 0;
365
Mateusz Starzyk6a15bcf2021-07-07 13:41:30 +0200[diff] [blame]366 while ( input_len > 0 )
367 {
368 offset = ctx->processed % 16;
369
370 use_len = 16 - offset;
371
372 if( use_len > input_len )
373 use_len = input_len;
374
375 ctx->processed += use_len;
Mateusz Starzyk6a15bcf2021-07-07 13:41:30 +0200[diff] [blame]376
Mateusz Starzyk20bac2f2021-07-12 14:52:44 +0200[diff] [blame]377 if( ctx->mode == MBEDTLS_CCM_ENCRYPT || \
378 ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT )
379 {
Dave Rodgman0d3b55b2022-11-22 16:30:35 +0000[diff] [blame]380 mbedtls_xor( ctx->y + offset, ctx->y + offset, input, use_len );
Mateusz Starzyk663055f2021-07-12 19:13:52 +0200[diff] [blame]381
Mateusz Starzyk20bac2f2021-07-12 14:52:44 +0200[diff] [blame]382 if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len )
383 {
Mateusz Starzyk663055f2021-07-12 19:13:52 +0200[diff] [blame]384 if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 )
385 {
386 ctx->state |= CCM_STATE__ERROR;
Mateusz Starzyk22f7a352021-07-28 15:08:47 +0200[diff] [blame]387 goto exit;
Mateusz Starzyk663055f2021-07-12 19:13:52 +0200[diff] [blame]388 }
Mateusz Starzyk20bac2f2021-07-12 14:52:44 +0200[diff] [blame]389 }
Mateusz Starzyk663055f2021-07-12 19:13:52 +0200[diff] [blame]390
391 ret = mbedtls_ccm_crypt( ctx, offset, use_len, input, output );
Mateusz Starzyk20bac2f2021-07-12 14:52:44 +0200[diff] [blame]392 if( ret != 0 )
Mateusz Starzyk22f7a352021-07-28 15:08:47 +0200[diff] [blame]393 goto exit;
Mateusz Starzyk20bac2f2021-07-12 14:52:44 +0200[diff] [blame]394 }
395
396 if( ctx->mode == MBEDTLS_CCM_DECRYPT || \
397 ctx->mode == MBEDTLS_CCM_STAR_DECRYPT )
398 {
Mateusz Starzyk2f175492021-08-09 16:05:14 +0200[diff] [blame]399 /* Since output may be in shared memory, we cannot be sure that
400 * it will contain what we wrote to it. Therefore, we should avoid using
401 * it as input to any operations.
402 * Write decrypted data to local_output to avoid using output variable as
Mateusz Starzyk22f7a352021-07-28 15:08:47 +0200[diff] [blame]403 * input in the XOR operation for Y.
404 */
405 ret = mbedtls_ccm_crypt( ctx, offset, use_len, input, local_output );
Mateusz Starzyk20bac2f2021-07-12 14:52:44 +0200[diff] [blame]406 if( ret != 0 )
Mateusz Starzyk22f7a352021-07-28 15:08:47 +0200[diff] [blame]407 goto exit;
Mateusz Starzyk20bac2f2021-07-12 14:52:44 +0200[diff] [blame]408
Dave Rodgman0d3b55b2022-11-22 16:30:35 +0000[diff] [blame]409 mbedtls_xor( ctx->y + offset, ctx->y + offset, local_output, use_len );
Mateusz Starzyk22f7a352021-07-28 15:08:47 +0200[diff] [blame]410
411 memcpy( output, local_output, use_len );
Mateusz Starzykf3378502021-08-09 11:32:11 +0200[diff] [blame]412 mbedtls_platform_zeroize( local_output, 16 );
Mateusz Starzyk20bac2f2021-07-12 14:52:44 +0200[diff] [blame]413
414 if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len )
415 {
416 if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 )
417 {
418 ctx->state |= CCM_STATE__ERROR;
Mateusz Starzyk22f7a352021-07-28 15:08:47 +0200[diff] [blame]419 goto exit;
Mateusz Starzyk20bac2f2021-07-12 14:52:44 +0200[diff] [blame]420 }
421 }
422 }
423
Mateusz Starzyk6a15bcf2021-07-07 13:41:30 +0200[diff] [blame]424 if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len )
425 {
Mateusz Starzyk6a15bcf2021-07-07 13:41:30 +0200[diff] [blame]426 for( i = 0; i < ctx->q; i++ )
Mateusz Starzyk20bac2f2021-07-12 14:52:44 +0200[diff] [blame]427 if( ++(ctx->ctr)[15-i] != 0 )
428 break;
Mateusz Starzyk6a15bcf2021-07-07 13:41:30 +0200[diff] [blame]429 }
Mateusz Starzyk20bac2f2021-07-12 14:52:44 +0200[diff] [blame]430
431 input_len -= use_len;
432 input += use_len;
433 output += use_len;
Mateusz Starzyk6a15bcf2021-07-07 13:41:30 +0200[diff] [blame]434 }
435
Mateusz Starzyk22f7a352021-07-28 15:08:47 +0200[diff] [blame]436exit:
Mateusz Starzykf3378502021-08-09 11:32:11 +0200[diff] [blame]437 mbedtls_platform_zeroize( local_output, 16 );
Mateusz Starzyk22f7a352021-07-28 15:08:47 +0200[diff] [blame]438
439 return ret;
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]440}
441
442int mbedtls_ccm_finish( mbedtls_ccm_context *ctx,
443 unsigned char *tag, size_t tag_len )
444{
Mateusz Starzykb73c3ec2021-08-09 15:55:38 +0200[diff] [blame]445 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]446 unsigned char i;
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]447
Mateusz Starzyk2d5652a2021-07-27 16:07:54 +0200[diff] [blame]448 if( ctx->state & CCM_STATE__ERROR )
449 {
Mateusz Starzyk4f2dd8a2021-08-09 15:37:47 +0200[diff] [blame]450 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Mateusz Starzyk2d5652a2021-07-27 16:07:54 +0200[diff] [blame]451 }
452
Mateusz Starzyk36d3b892021-07-28 14:14:58 +0200[diff] [blame]453 if( ctx->add_len > 0 && !( ctx->state & CCM_STATE__AUTH_DATA_FINISHED ) )
454 {
Mateusz Starzyk7251eda2021-09-01 13:26:44 +0200[diff] [blame]455 return MBEDTLS_ERR_CCM_BAD_INPUT;
Mateusz Starzyk36d3b892021-07-28 14:14:58 +0200[diff] [blame]456 }
457
458 if( ctx->plaintext_len > 0 && ctx->processed != ctx->plaintext_len )
459 {
Mateusz Starzyk7251eda2021-09-01 13:26:44 +0200[diff] [blame]460 return MBEDTLS_ERR_CCM_BAD_INPUT;
Mateusz Starzyk36d3b892021-07-28 14:14:58 +0200[diff] [blame]461 }
462
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]463 /*
Manuel Pégourié-Gonnardaed60652014-05-07 13:14:42 +0200[diff] [blame]464 * Authentication: reset counter and crypt/mask internal tag
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]465 */
Mateusz Starzyk89d469c2021-06-22 16:24:28 +0200[diff] [blame]466 for( i = 0; i < ctx->q; i++ )
467 ctx->ctr[15-i] = 0;
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]468
Mateusz Starzyk2ad7d8e2021-07-07 11:05:45 +0200[diff] [blame]469 ret = mbedtls_ccm_crypt( ctx, 0, 16, ctx->y, ctx->y );
470 if( ret != 0 )
471 return ret;
Mateusz Starzykc8bdf362021-07-28 15:39:51 +0200[diff] [blame]472 if( tag != NULL )
473 memcpy( tag, ctx->y, tag_len );
Mateusz Starzyk793692c2021-06-22 20:34:20 +0200[diff] [blame]474 mbedtls_ccm_clear_state(ctx);
475
476 return( 0 );
477}
478
479/*
480 * Authenticated encryption or decryption
481 */
482static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
483 const unsigned char *iv, size_t iv_len,
484 const unsigned char *add, size_t add_len,
485 const unsigned char *input, unsigned char *output,
486 unsigned char *tag, size_t tag_len )
487{
488 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
489 size_t olen;
490
491 if( ( ret = mbedtls_ccm_starts( ctx, mode, iv, iv_len ) ) != 0 )
492 return( ret );
493
494 if( ( ret = mbedtls_ccm_set_lengths( ctx, add_len, length, tag_len ) ) != 0 )
495 return( ret );
496
497 if( ( ret = mbedtls_ccm_update_ad( ctx, add, add_len ) ) != 0 )
498 return( ret );
499
500 if( ( ret = mbedtls_ccm_update( ctx, input, length,
501 output, length, &olen ) ) != 0 )
502 return( ret );
503
504 if( ( ret = mbedtls_ccm_finish( ctx, tag, tag_len ) ) != 0 )
505 return( ret );
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]506
507 return( 0 );
508}
509
Manuel Pégourié-Gonnard00232332014-05-06 15:56:07 +0200[diff] [blame]510/*
511 * Authenticated encryption
512 */
Janos Follathb5734a22018-05-14 14:31:49 +0100[diff] [blame]513int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
Manuel Pégourié-Gonnard00232332014-05-06 15:56:07 +0200[diff] [blame]514 const unsigned char *iv, size_t iv_len,
515 const unsigned char *add, size_t add_len,
516 const unsigned char *input, unsigned char *output,
517 unsigned char *tag, size_t tag_len )
518{
Mateusz Starzyk05e92d62021-07-09 12:44:07 +0200[diff] [blame]519 return( ccm_auth_crypt( ctx, MBEDTLS_CCM_STAR_ENCRYPT, length, iv, iv_len,
Manuel Pégourié-Gonnard00232332014-05-06 15:56:07 +0200[diff] [blame]520 add, add_len, input, output, tag, tag_len ) );
521}
522
Janos Follathb5734a22018-05-14 14:31:49 +0100[diff] [blame]523int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
524 const unsigned char *iv, size_t iv_len,
525 const unsigned char *add, size_t add_len,
526 const unsigned char *input, unsigned char *output,
527 unsigned char *tag, size_t tag_len )
528{
Mateusz Starzyk05e92d62021-07-09 12:44:07 +0200[diff] [blame]529 return( ccm_auth_crypt( ctx, MBEDTLS_CCM_ENCRYPT, length, iv, iv_len,
530 add, add_len, input, output, tag, tag_len ) );
531}
Janos Follathb5734a22018-05-14 14:31:49 +0100[diff] [blame]532
Mateusz Starzykeb395c02021-07-28 15:10:54 +0200[diff] [blame]533/*
534 * Authenticated decryption
535 */
Mateusz Starzyk05e92d62021-07-09 12:44:07 +0200[diff] [blame]536static int mbedtls_ccm_compare_tags(const unsigned char *tag1, const unsigned char *tag2, size_t tag_len)
537{
538 unsigned char i;
539 int diff;
540
541 /* Check tag in "constant-time" */
542 for( diff = 0, i = 0; i < tag_len; i++ )
543 diff |= tag1[i] ^ tag2[i];
544
545 if( diff != 0 )
546 {
547 return( MBEDTLS_ERR_CCM_AUTH_FAILED );
548 }
549
550 return( 0 );
Janos Follathb5734a22018-05-14 14:31:49 +0100[diff] [blame]551}
552
Mateusz Starzyk1bda9452021-07-28 15:21:46 +0200[diff] [blame]553static int ccm_auth_decrypt( mbedtls_ccm_context *ctx, int mode, size_t length,
554 const unsigned char *iv, size_t iv_len,
555 const unsigned char *add, size_t add_len,
556 const unsigned char *input, unsigned char *output,
557 const unsigned char *tag, size_t tag_len )
Manuel Pégourié-Gonnard00232332014-05-06 15:56:07 +0200[diff] [blame]558{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]559 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard00232332014-05-06 15:56:07 +0200[diff] [blame]560 unsigned char check_tag[16];
Manuel Pégourié-Gonnard00232332014-05-06 15:56:07 +0200[diff] [blame]561
Mateusz Starzyk1bda9452021-07-28 15:21:46 +0200[diff] [blame]562 if( ( ret = ccm_auth_crypt( ctx, mode, length,
Manuel Pégourié-Gonnard00232332014-05-06 15:56:07 +0200[diff] [blame]563 iv, iv_len, add, add_len,
564 input, output, check_tag, tag_len ) ) != 0 )
565 {
566 return( ret );
567 }
568
Mateusz Starzyk05e92d62021-07-09 12:44:07 +0200[diff] [blame]569 if( ( ret = mbedtls_ccm_compare_tags( tag, check_tag, tag_len ) ) != 0 )
Manuel Pégourié-Gonnard00232332014-05-06 15:56:07 +0200[diff] [blame]570 {
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]571 mbedtls_platform_zeroize( output, length );
Mateusz Starzyk05e92d62021-07-09 12:44:07 +0200[diff] [blame]572 return( ret );
Manuel Pégourié-Gonnard00232332014-05-06 15:56:07 +0200[diff] [blame]573 }
574
575 return( 0 );
576}
577
Mateusz Starzyk1bda9452021-07-28 15:21:46 +0200[diff] [blame]578int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
579 const unsigned char *iv, size_t iv_len,
580 const unsigned char *add, size_t add_len,
581 const unsigned char *input, unsigned char *output,
582 const unsigned char *tag, size_t tag_len )
583{
584 return ccm_auth_decrypt( ctx, MBEDTLS_CCM_STAR_DECRYPT, length,
585 iv, iv_len, add, add_len,
586 input, output, tag, tag_len );
587}
588
Janos Follathb5734a22018-05-14 14:31:49 +0100[diff] [blame]589int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
590 const unsigned char *iv, size_t iv_len,
591 const unsigned char *add, size_t add_len,
592 const unsigned char *input, unsigned char *output,
593 const unsigned char *tag, size_t tag_len )
594{
Mateusz Starzyk1bda9452021-07-28 15:21:46 +0200[diff] [blame]595 return ccm_auth_decrypt( ctx, MBEDTLS_CCM_DECRYPT, length,
596 iv, iv_len, add, add_len,
597 input, output, tag, tag_len );
Janos Follathb5734a22018-05-14 14:31:49 +0100[diff] [blame]598}
Steven Cooreman222e2ff2017-04-04 11:37:15 +0200[diff] [blame]599#endif /* !MBEDTLS_CCM_ALT */
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +0200[diff] [blame]600
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]601#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]602/*
603 * Examples 1 to 3 from SP800-38C Appendix C
604 */
605
606#define NB_TESTS 3
Ron Eldor1b9b2172018-04-26 14:15:01 +0300[diff] [blame]607#define CCM_SELFTEST_PT_MAX_LEN 24
608#define CCM_SELFTEST_CT_MAX_LEN 32
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]609/*
610 * The data is the same for all tests, only the used length changes
611 */
Michał Janiszewskic79e92b2018-10-31 20:43:05 +0100[diff] [blame]612static const unsigned char key_test_data[] = {
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]613 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
614 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
615};
616
Michał Janiszewskic79e92b2018-10-31 20:43:05 +0100[diff] [blame]617static const unsigned char iv_test_data[] = {
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]618 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
619 0x18, 0x19, 0x1a, 0x1b
620};
621
Michał Janiszewskic79e92b2018-10-31 20:43:05 +0100[diff] [blame]622static const unsigned char ad_test_data[] = {
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]623 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
624 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
625 0x10, 0x11, 0x12, 0x13
626};
627
Michał Janiszewskic79e92b2018-10-31 20:43:05 +0100[diff] [blame]628static const unsigned char msg_test_data[CCM_SELFTEST_PT_MAX_LEN] = {
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]629 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
630 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
631 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
632};
633
Michał Janiszewski9aeea932018-10-30 23:00:15 +0100[diff] [blame]634static const size_t iv_len_test_data [NB_TESTS] = { 7, 8, 12 };
635static const size_t add_len_test_data[NB_TESTS] = { 8, 16, 20 };
636static const size_t msg_len_test_data[NB_TESTS] = { 4, 16, 24 };
637static const size_t tag_len_test_data[NB_TESTS] = { 4, 6, 8 };
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]638
Michał Janiszewskic79e92b2018-10-31 20:43:05 +0100[diff] [blame]639static const unsigned char res_test_data[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = {
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]640 { 0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d },
641 { 0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62,
642 0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d,
643 0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd },
644 { 0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a,
645 0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b,
646 0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5,
647 0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 }
648};
649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]650int mbedtls_ccm_self_test( int verbose )
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +0200[diff] [blame]651{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]652 mbedtls_ccm_context ctx;
Ron Eldor1b9b2172018-04-26 14:15:01 +0300[diff] [blame]653 /*
654 * Some hardware accelerators require the input and output buffers
655 * would be in RAM, because the flash is not accessible.
656 * Use buffers on the stack to hold the test vectors data.
657 */
658 unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN];
659 unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN];
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]660 size_t i;
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]661 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]662
Manuel Pégourié-Gonnard6963ff02015-04-28 18:02:54 +0200[diff] [blame]663 mbedtls_ccm_init( &ctx );
664
Andrzej Kurekee3c4352019-01-10 03:10:02 -0500[diff] [blame]665 if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key_test_data,
666 8 * sizeof key_test_data ) != 0 )
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]667 {
668 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]669 mbedtls_printf( " CCM: setup failed" );
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]670
671 return( 1 );
672 }
673
674 for( i = 0; i < NB_TESTS; i++ )
675 {
676 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]677 mbedtls_printf( " CCM-AES #%u: ", (unsigned int) i + 1 );
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]678
Ron Eldor1b9b2172018-04-26 14:15:01 +0300[diff] [blame]679 memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN );
680 memset( ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN );
Michał Janiszewskic79e92b2018-10-31 20:43:05 +0100[diff] [blame]681 memcpy( plaintext, msg_test_data, msg_len_test_data[i] );
Ron Eldor1b9b2172018-04-26 14:15:01 +0300[diff] [blame]682
Michał Janiszewski9aeea932018-10-30 23:00:15 +0100[diff] [blame]683 ret = mbedtls_ccm_encrypt_and_tag( &ctx, msg_len_test_data[i],
Michał Janiszewskic79e92b2018-10-31 20:43:05 +0100[diff] [blame]684 iv_test_data, iv_len_test_data[i],
685 ad_test_data, add_len_test_data[i],
Ron Eldor1b9b2172018-04-26 14:15:01 +0300[diff] [blame]686 plaintext, ciphertext,
Andrzej Kurekee3c4352019-01-10 03:10:02 -0500[diff] [blame]687 ciphertext + msg_len_test_data[i],
688 tag_len_test_data[i] );
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]689
690 if( ret != 0 ||
Andrzej Kurekee3c4352019-01-10 03:10:02 -0500[diff] [blame]691 memcmp( ciphertext, res_test_data[i],
692 msg_len_test_data[i] + tag_len_test_data[i] ) != 0 )
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]693 {
694 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]695 mbedtls_printf( "failed\n" );
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]696
697 return( 1 );
698 }
Ron Eldor1b9b2172018-04-26 14:15:01 +0300[diff] [blame]699 memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN );
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]700
Michał Janiszewski9aeea932018-10-30 23:00:15 +0100[diff] [blame]701 ret = mbedtls_ccm_auth_decrypt( &ctx, msg_len_test_data[i],
Michał Janiszewskic79e92b2018-10-31 20:43:05 +0100[diff] [blame]702 iv_test_data, iv_len_test_data[i],
703 ad_test_data, add_len_test_data[i],
Ron Eldor1b9b2172018-04-26 14:15:01 +0300[diff] [blame]704 ciphertext, plaintext,
Andrzej Kurekee3c4352019-01-10 03:10:02 -0500[diff] [blame]705 ciphertext + msg_len_test_data[i],
706 tag_len_test_data[i] );
Manuel Pégourié-Gonnardce77d552014-05-06 18:06:52 +0200[diff] [blame]707
708 if( ret != 0 ||
Michał Janiszewskic79e92b2018-10-31 20:43:05 +0100[diff] [blame]709 memcmp( plaintext, msg_test_data, msg_len_test_data[i] ) != 0 )
Manuel Pégourié-Gonnardce77d552014-05-06 18:06:52 +0200[diff] [blame]710 {
711 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]712 mbedtls_printf( "failed\n" );
Manuel Pégourié-Gonnardce77d552014-05-06 18:06:52 +0200[diff] [blame]713
714 return( 1 );
715 }
716
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]717 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]718 mbedtls_printf( "passed\n" );
Manuel Pégourié-Gonnard637eb3d2014-05-06 12:13:09 +0200[diff] [blame]719 }
720
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]721 mbedtls_ccm_free( &ctx );
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +0200[diff] [blame]722
723 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]724 mbedtls_printf( "\n" );
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +0200[diff] [blame]725
726 return( 0 );
727}
728
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
Manuel Pégourié-Gonnarda6916fa2014-05-02 15:17:29 +0200[diff] [blame]730
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]731#endif /* MBEDTLS_CCM_C */