• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  NIST SP800-38C compliant CCM implementation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 /*
21  * Definition of CCM:
22  * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
23  * RFC 3610 "Counter with CBC-MAC (CCM)"
24  *
25  * Related:
26  * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
27  */
28 
29 #include "common.h"
30 
31 #if defined(MBEDTLS_CCM_C)
32 
33 #include "mbedtls/ccm.h"
34 #include "mbedtls/platform_util.h"
35 #include "mbedtls/error.h"
36 
37 #include <string.h>
38 
39 #if defined(MBEDTLS_PLATFORM_C)
40 #include "mbedtls/platform.h"
41 #else
42 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
43 #include <stdio.h>
44 #define mbedtls_printf printf
45 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
46 #endif /* MBEDTLS_PLATFORM_C */
47 
48 #if !defined(MBEDTLS_CCM_ALT)
49 
50 
51 /*
52  * Initialize context
53  */
mbedtls_ccm_init(mbedtls_ccm_context * ctx)54 void mbedtls_ccm_init(mbedtls_ccm_context *ctx)
55 {
56     memset(ctx, 0, sizeof(mbedtls_ccm_context));
57 }
58 
mbedtls_ccm_setkey(mbedtls_ccm_context * ctx,mbedtls_cipher_id_t cipher,const unsigned char * key,unsigned int keybits)59 int mbedtls_ccm_setkey(mbedtls_ccm_context *ctx,
60                        mbedtls_cipher_id_t cipher,
61                        const unsigned char *key,
62                        unsigned int keybits)
63 {
64     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
65     const mbedtls_cipher_info_t *cipher_info;
66 
67     cipher_info = mbedtls_cipher_info_from_values(cipher, keybits,
68                                                   MBEDTLS_MODE_ECB);
69     if (cipher_info == NULL) {
70         return MBEDTLS_ERR_CCM_BAD_INPUT;
71     }
72 
73     if (cipher_info->block_size != 16) {
74         return MBEDTLS_ERR_CCM_BAD_INPUT;
75     }
76 
77     mbedtls_cipher_free(&ctx->cipher_ctx);
78 
79     if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0) {
80         return ret;
81     }
82 
83     if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits,
84                                      MBEDTLS_ENCRYPT)) != 0) {
85         return ret;
86     }
87 
88     return 0;
89 }
90 
91 /*
92  * Free context
93  */
mbedtls_ccm_free(mbedtls_ccm_context * ctx)94 void mbedtls_ccm_free(mbedtls_ccm_context *ctx)
95 {
96     if (ctx == NULL) {
97         return;
98     }
99     mbedtls_cipher_free(&ctx->cipher_ctx);
100     mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ccm_context));
101 }
102 
103 #define CCM_STATE__CLEAR                0
104 #define CCM_STATE__STARTED              (1 << 0)
105 #define CCM_STATE__LENGTHS_SET          (1 << 1)
106 #define CCM_STATE__AUTH_DATA_STARTED    (1 << 2)
107 #define CCM_STATE__AUTH_DATA_FINISHED   (1 << 3)
108 #define CCM_STATE__ERROR                (1 << 4)
109 
110 /*
111  * Encrypt or decrypt a partial block with CTR
112  */
mbedtls_ccm_crypt(mbedtls_ccm_context * ctx,size_t offset,size_t use_len,const unsigned char * input,unsigned char * output)113 static int mbedtls_ccm_crypt(mbedtls_ccm_context *ctx,
114                              size_t offset, size_t use_len,
115                              const unsigned char *input,
116                              unsigned char *output)
117 {
118     size_t olen = 0;
119     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
120     unsigned char tmp_buf[16] = { 0 };
121 
122     if ((ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->ctr, 16, tmp_buf,
123                                      &olen)) != 0) {
124         ctx->state |= CCM_STATE__ERROR;
125         mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf));
126         return ret;
127     }
128 
129     mbedtls_xor(output, input, tmp_buf + offset, use_len);
130 
131     mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf));
132     return ret;
133 }
134 
mbedtls_ccm_clear_state(mbedtls_ccm_context * ctx)135 static void mbedtls_ccm_clear_state(mbedtls_ccm_context *ctx)
136 {
137     ctx->state = CCM_STATE__CLEAR;
138     memset(ctx->y, 0, 16);
139     memset(ctx->ctr, 0, 16);
140 }
141 
ccm_calculate_first_block_if_ready(mbedtls_ccm_context * ctx)142 static int ccm_calculate_first_block_if_ready(mbedtls_ccm_context *ctx)
143 {
144     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
145     unsigned char i;
146     size_t len_left, olen;
147 
148     /* length calculation can be done only after both
149      * mbedtls_ccm_starts() and mbedtls_ccm_set_lengths() have been executed
150      */
151     if (!(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGTHS_SET)) {
152         return 0;
153     }
154 
155     /* CCM expects non-empty tag.
156      * CCM* allows empty tag. For CCM* without tag, ignore plaintext length.
157      */
158     if (ctx->tag_len == 0) {
159         if (ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT || ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) {
160             ctx->plaintext_len = 0;
161         } else {
162             return MBEDTLS_ERR_CCM_BAD_INPUT;
163         }
164     }
165 
166     /*
167      * First block:
168      * 0        .. 0        flags
169      * 1        .. iv_len   nonce (aka iv)  - set by: mbedtls_ccm_starts()
170      * iv_len+1 .. 15       length
171      *
172      * With flags as (bits):
173      * 7        0
174      * 6        add present?
175      * 5 .. 3   (t - 2) / 2
176      * 2 .. 0   q - 1
177      */
178     ctx->y[0] |= (ctx->add_len > 0) << 6;
179     ctx->y[0] |= ((ctx->tag_len - 2) / 2) << 3;
180     ctx->y[0] |= ctx->q - 1;
181 
182     for (i = 0, len_left = ctx->plaintext_len; i < ctx->q; i++, len_left >>= 8) {
183         ctx->y[15-i] = MBEDTLS_BYTE_0(len_left);
184     }
185 
186     if (len_left > 0) {
187         ctx->state |= CCM_STATE__ERROR;
188         return MBEDTLS_ERR_CCM_BAD_INPUT;
189     }
190 
191     /* Start CBC-MAC with first block*/
192     if ((ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen)) != 0) {
193         ctx->state |= CCM_STATE__ERROR;
194         return ret;
195     }
196 
197     return 0;
198 }
199 
mbedtls_ccm_starts(mbedtls_ccm_context * ctx,int mode,const unsigned char * iv,size_t iv_len)200 int mbedtls_ccm_starts(mbedtls_ccm_context *ctx,
201                        int mode,
202                        const unsigned char *iv,
203                        size_t iv_len)
204 {
205     /* Also implies q is within bounds */
206     if (iv_len < 7 || iv_len > 13) {
207         return MBEDTLS_ERR_CCM_BAD_INPUT;
208     }
209 
210     ctx->mode = mode;
211     ctx->q = 16 - 1 - (unsigned char) iv_len;
212 
213     /*
214      * Prepare counter block for encryption:
215      * 0        .. 0        flags
216      * 1        .. iv_len   nonce (aka iv)
217      * iv_len+1 .. 15       counter (initially 1)
218      *
219      * With flags as (bits):
220      * 7 .. 3   0
221      * 2 .. 0   q - 1
222      */
223     memset(ctx->ctr, 0, 16);
224     ctx->ctr[0] = ctx->q - 1;
225     memcpy(ctx->ctr + 1, iv, iv_len);
226     memset(ctx->ctr + 1 + iv_len, 0, ctx->q);
227     ctx->ctr[15] = 1;
228 
229     /*
230      * See ccm_calculate_first_block_if_ready() for block layout description
231      */
232     memcpy(ctx->y + 1, iv, iv_len);
233 
234     ctx->state |= CCM_STATE__STARTED;
235     return ccm_calculate_first_block_if_ready(ctx);
236 }
237 
mbedtls_ccm_set_lengths(mbedtls_ccm_context * ctx,size_t total_ad_len,size_t plaintext_len,size_t tag_len)238 int mbedtls_ccm_set_lengths(mbedtls_ccm_context *ctx,
239                             size_t total_ad_len,
240                             size_t plaintext_len,
241                             size_t tag_len)
242 {
243     /*
244      * Check length requirements: SP800-38C A.1
245      * Additional requirement: a < 2^16 - 2^8 to simplify the code.
246      * 'length' checked later (when writing it to the first block)
247      *
248      * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
249      */
250     if (tag_len == 2 || tag_len > 16 || tag_len % 2 != 0) {
251         return MBEDTLS_ERR_CCM_BAD_INPUT;
252     }
253 
254     if (total_ad_len >= 0xFF00) {
255         return MBEDTLS_ERR_CCM_BAD_INPUT;
256     }
257 
258     ctx->plaintext_len = plaintext_len;
259     ctx->add_len = total_ad_len;
260     ctx->tag_len = tag_len;
261     ctx->processed = 0;
262 
263     ctx->state |= CCM_STATE__LENGTHS_SET;
264     return ccm_calculate_first_block_if_ready(ctx);
265 }
266 
mbedtls_ccm_update_ad(mbedtls_ccm_context * ctx,const unsigned char * add,size_t add_len)267 int mbedtls_ccm_update_ad(mbedtls_ccm_context *ctx,
268                           const unsigned char *add,
269                           size_t add_len)
270 {
271     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
272     size_t olen, use_len, offset;
273 
274     if (ctx->state & CCM_STATE__ERROR) {
275         return MBEDTLS_ERR_CCM_BAD_INPUT;
276     }
277 
278     if (add_len > 0) {
279         if (ctx->state & CCM_STATE__AUTH_DATA_FINISHED) {
280             return MBEDTLS_ERR_CCM_BAD_INPUT;
281         }
282 
283         if (!(ctx->state & CCM_STATE__AUTH_DATA_STARTED)) {
284             if (add_len > ctx->add_len) {
285                 return MBEDTLS_ERR_CCM_BAD_INPUT;
286             }
287 
288             ctx->y[0] ^= (unsigned char) ((ctx->add_len >> 8) & 0xFF);
289             ctx->y[1] ^= (unsigned char) ((ctx->add_len) & 0xFF);
290 
291             ctx->state |= CCM_STATE__AUTH_DATA_STARTED;
292         } else if (ctx->processed + add_len > ctx->add_len) {
293             return MBEDTLS_ERR_CCM_BAD_INPUT;
294         }
295 
296         while (add_len > 0) {
297             offset = (ctx->processed + 2) % 16; /* account for y[0] and y[1]
298                                                  * holding total auth data length */
299             use_len = 16 - offset;
300 
301             if (use_len > add_len) {
302                 use_len = add_len;
303             }
304 
305             mbedtls_xor(ctx->y + offset, ctx->y + offset, add, use_len);
306 
307             ctx->processed += use_len;
308             add_len -= use_len;
309             add += use_len;
310 
311             if (use_len + offset == 16 || ctx->processed == ctx->add_len) {
312                 if ((ret =
313                          mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen)) != 0) {
314                     ctx->state |= CCM_STATE__ERROR;
315                     return ret;
316                 }
317             }
318         }
319 
320         if (ctx->processed == ctx->add_len) {
321             ctx->state |= CCM_STATE__AUTH_DATA_FINISHED;
322             ctx->processed = 0; // prepare for mbedtls_ccm_update()
323         }
324     }
325 
326     return 0;
327 }
328 
mbedtls_ccm_update(mbedtls_ccm_context * ctx,const unsigned char * input,size_t input_len,unsigned char * output,size_t output_size,size_t * output_len)329 int mbedtls_ccm_update(mbedtls_ccm_context *ctx,
330                        const unsigned char *input, size_t input_len,
331                        unsigned char *output, size_t output_size,
332                        size_t *output_len)
333 {
334     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
335     unsigned char i;
336     size_t use_len, offset, olen;
337 
338     unsigned char local_output[16];
339 
340     if (ctx->state & CCM_STATE__ERROR) {
341         return MBEDTLS_ERR_CCM_BAD_INPUT;
342     }
343 
344     /* Check against plaintext length only if performing operation with
345      * authentication
346      */
347     if (ctx->tag_len != 0 && ctx->processed + input_len > ctx->plaintext_len) {
348         return MBEDTLS_ERR_CCM_BAD_INPUT;
349     }
350 
351     if (output_size < input_len) {
352         return MBEDTLS_ERR_CCM_BAD_INPUT;
353     }
354     *output_len = input_len;
355 
356     ret = 0;
357 
358     while (input_len > 0) {
359         offset = ctx->processed % 16;
360 
361         use_len = 16 - offset;
362 
363         if (use_len > input_len) {
364             use_len = input_len;
365         }
366 
367         ctx->processed += use_len;
368 
369         if (ctx->mode == MBEDTLS_CCM_ENCRYPT || \
370             ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT) {
371             mbedtls_xor(ctx->y + offset, ctx->y + offset, input, use_len);
372 
373             if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
374                 if ((ret =
375                          mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen)) != 0) {
376                     ctx->state |= CCM_STATE__ERROR;
377                     goto exit;
378                 }
379             }
380 
381             ret = mbedtls_ccm_crypt(ctx, offset, use_len, input, output);
382             if (ret != 0) {
383                 goto exit;
384             }
385         }
386 
387         if (ctx->mode == MBEDTLS_CCM_DECRYPT || \
388             ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) {
389             /* Since output may be in shared memory, we cannot be sure that
390              * it will contain what we wrote to it. Therefore, we should avoid using
391              * it as input to any operations.
392              * Write decrypted data to local_output to avoid using output variable as
393              * input in the XOR operation for Y.
394              */
395             ret = mbedtls_ccm_crypt(ctx, offset, use_len, input, local_output);
396             if (ret != 0) {
397                 goto exit;
398             }
399 
400             mbedtls_xor(ctx->y + offset, ctx->y + offset, local_output, use_len);
401 
402             memcpy(output, local_output, use_len);
403             mbedtls_platform_zeroize(local_output, 16);
404 
405             if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
406                 if ((ret =
407                          mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen)) != 0) {
408                     ctx->state |= CCM_STATE__ERROR;
409                     goto exit;
410                 }
411             }
412         }
413 
414         if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) {
415             for (i = 0; i < ctx->q; i++) {
416                 if (++(ctx->ctr)[15-i] != 0) {
417                     break;
418                 }
419             }
420         }
421 
422         input_len -= use_len;
423         input += use_len;
424         output += use_len;
425     }
426 
427 exit:
428     mbedtls_platform_zeroize(local_output, 16);
429 
430     return ret;
431 }
432 
mbedtls_ccm_finish(mbedtls_ccm_context * ctx,unsigned char * tag,size_t tag_len)433 int mbedtls_ccm_finish(mbedtls_ccm_context *ctx,
434                        unsigned char *tag, size_t tag_len)
435 {
436     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
437     unsigned char i;
438 
439     if (ctx->state & CCM_STATE__ERROR) {
440         return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
441     }
442 
443     if (ctx->add_len > 0 && !(ctx->state & CCM_STATE__AUTH_DATA_FINISHED)) {
444         return MBEDTLS_ERR_CCM_BAD_INPUT;
445     }
446 
447     if (ctx->plaintext_len > 0 && ctx->processed != ctx->plaintext_len) {
448         return MBEDTLS_ERR_CCM_BAD_INPUT;
449     }
450 
451     /*
452      * Authentication: reset counter and crypt/mask internal tag
453      */
454     for (i = 0; i < ctx->q; i++) {
455         ctx->ctr[15-i] = 0;
456     }
457 
458     ret = mbedtls_ccm_crypt(ctx, 0, 16, ctx->y, ctx->y);
459     if (ret != 0) {
460         return ret;
461     }
462     if (tag != NULL) {
463         memcpy(tag, ctx->y, tag_len);
464     }
465     mbedtls_ccm_clear_state(ctx);
466 
467     return 0;
468 }
469 
470 /*
471  * Authenticated encryption or decryption
472  */
ccm_auth_crypt(mbedtls_ccm_context * ctx,int mode,size_t length,const unsigned char * iv,size_t iv_len,const unsigned char * add,size_t add_len,const unsigned char * input,unsigned char * output,unsigned char * tag,size_t tag_len)473 static int ccm_auth_crypt(mbedtls_ccm_context *ctx, int mode, size_t length,
474                           const unsigned char *iv, size_t iv_len,
475                           const unsigned char *add, size_t add_len,
476                           const unsigned char *input, unsigned char *output,
477                           unsigned char *tag, size_t tag_len)
478 {
479     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
480     size_t olen;
481 
482     if ((ret = mbedtls_ccm_starts(ctx, mode, iv, iv_len)) != 0) {
483         return ret;
484     }
485 
486     if ((ret = mbedtls_ccm_set_lengths(ctx, add_len, length, tag_len)) != 0) {
487         return ret;
488     }
489 
490     if ((ret = mbedtls_ccm_update_ad(ctx, add, add_len)) != 0) {
491         return ret;
492     }
493 
494     if ((ret = mbedtls_ccm_update(ctx, input, length,
495                                   output, length, &olen)) != 0) {
496         return ret;
497     }
498 
499     if ((ret = mbedtls_ccm_finish(ctx, tag, tag_len)) != 0) {
500         return ret;
501     }
502 
503     return 0;
504 }
505 
506 /*
507  * Authenticated encryption
508  */
mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context * ctx,size_t length,const unsigned char * iv,size_t iv_len,const unsigned char * add,size_t add_len,const unsigned char * input,unsigned char * output,unsigned char * tag,size_t tag_len)509 int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
510                                      const unsigned char *iv, size_t iv_len,
511                                      const unsigned char *add, size_t add_len,
512                                      const unsigned char *input, unsigned char *output,
513                                      unsigned char *tag, size_t tag_len)
514 {
515     return ccm_auth_crypt(ctx, MBEDTLS_CCM_STAR_ENCRYPT, length, iv, iv_len,
516                           add, add_len, input, output, tag, tag_len);
517 }
518 
mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context * ctx,size_t length,const unsigned char * iv,size_t iv_len,const unsigned char * add,size_t add_len,const unsigned char * input,unsigned char * output,unsigned char * tag,size_t tag_len)519 int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
520                                 const unsigned char *iv, size_t iv_len,
521                                 const unsigned char *add, size_t add_len,
522                                 const unsigned char *input, unsigned char *output,
523                                 unsigned char *tag, size_t tag_len)
524 {
525     return ccm_auth_crypt(ctx, MBEDTLS_CCM_ENCRYPT, length, iv, iv_len,
526                           add, add_len, input, output, tag, tag_len);
527 }
528 
529 /*
530  * Authenticated decryption
531  */
mbedtls_ccm_compare_tags(const unsigned char * tag1,const unsigned char * tag2,size_t tag_len)532 static int mbedtls_ccm_compare_tags(const unsigned char *tag1,
533                                     const unsigned char *tag2,
534                                     size_t tag_len)
535 {
536     unsigned char i;
537     int diff;
538 
539     /* Check tag in "constant-time" */
540     for (diff = 0, i = 0; i < tag_len; i++) {
541         diff |= tag1[i] ^ tag2[i];
542     }
543 
544     if (diff != 0) {
545         return MBEDTLS_ERR_CCM_AUTH_FAILED;
546     }
547 
548     return 0;
549 }
550 
ccm_auth_decrypt(mbedtls_ccm_context * ctx,int mode,size_t length,const unsigned char * iv,size_t iv_len,const unsigned char * add,size_t add_len,const unsigned char * input,unsigned char * output,const unsigned char * tag,size_t tag_len)551 static int ccm_auth_decrypt(mbedtls_ccm_context *ctx, int mode, size_t length,
552                             const unsigned char *iv, size_t iv_len,
553                             const unsigned char *add, size_t add_len,
554                             const unsigned char *input, unsigned char *output,
555                             const unsigned char *tag, size_t tag_len)
556 {
557     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
558     unsigned char check_tag[16];
559 
560     if ((ret = ccm_auth_crypt(ctx, mode, length,
561                               iv, iv_len, add, add_len,
562                               input, output, check_tag, tag_len)) != 0) {
563         return ret;
564     }
565 
566     if ((ret = mbedtls_ccm_compare_tags(tag, check_tag, tag_len)) != 0) {
567         mbedtls_platform_zeroize(output, length);
568         return ret;
569     }
570 
571     return 0;
572 }
573 
mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context * ctx,size_t length,const unsigned char * iv,size_t iv_len,const unsigned char * add,size_t add_len,const unsigned char * input,unsigned char * output,const unsigned char * tag,size_t tag_len)574 int mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
575                                   const unsigned char *iv, size_t iv_len,
576                                   const unsigned char *add, size_t add_len,
577                                   const unsigned char *input, unsigned char *output,
578                                   const unsigned char *tag, size_t tag_len)
579 {
580     return ccm_auth_decrypt(ctx, MBEDTLS_CCM_STAR_DECRYPT, length,
581                             iv, iv_len, add, add_len,
582                             input, output, tag, tag_len);
583 }
584 
mbedtls_ccm_auth_decrypt(mbedtls_ccm_context * ctx,size_t length,const unsigned char * iv,size_t iv_len,const unsigned char * add,size_t add_len,const unsigned char * input,unsigned char * output,const unsigned char * tag,size_t tag_len)585 int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
586                              const unsigned char *iv, size_t iv_len,
587                              const unsigned char *add, size_t add_len,
588                              const unsigned char *input, unsigned char *output,
589                              const unsigned char *tag, size_t tag_len)
590 {
591     return ccm_auth_decrypt(ctx, MBEDTLS_CCM_DECRYPT, length,
592                             iv, iv_len, add, add_len,
593                             input, output, tag, tag_len);
594 }
595 #endif /* !MBEDTLS_CCM_ALT */
596 
597 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
598 /*
599  * Examples 1 to 3 from SP800-38C Appendix C
600  */
601 
602 #define NB_TESTS 3
603 #define CCM_SELFTEST_PT_MAX_LEN 24
604 #define CCM_SELFTEST_CT_MAX_LEN 32
605 /*
606  * The data is the same for all tests, only the used length changes
607  */
608 static const unsigned char key_test_data[] = {
609     0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
610     0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
611 };
612 
613 static const unsigned char iv_test_data[] = {
614     0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
615     0x18, 0x19, 0x1a, 0x1b
616 };
617 
618 static const unsigned char ad_test_data[] = {
619     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
620     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
621     0x10, 0x11, 0x12, 0x13
622 };
623 
624 static const unsigned char msg_test_data[CCM_SELFTEST_PT_MAX_LEN] = {
625     0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
626     0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
627     0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
628 };
629 
630 static const size_t iv_len_test_data[NB_TESTS] = { 7, 8,  12 };
631 static const size_t add_len_test_data[NB_TESTS] = { 8, 16, 20 };
632 static const size_t msg_len_test_data[NB_TESTS] = { 4, 16, 24 };
633 static const size_t tag_len_test_data[NB_TESTS] = { 4, 6,  8  };
634 
635 static const unsigned char res_test_data[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = {
636     {   0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d },
637     {   0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62,
638         0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d,
639         0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd },
640     {   0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a,
641         0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b,
642         0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5,
643         0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 }
644 };
645 
mbedtls_ccm_self_test(int verbose)646 int mbedtls_ccm_self_test(int verbose)
647 {
648     mbedtls_ccm_context ctx;
649     /*
650      * Some hardware accelerators require the input and output buffers
651      * would be in RAM, because the flash is not accessible.
652      * Use buffers on the stack to hold the test vectors data.
653      */
654     unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN];
655     unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN];
656     size_t i;
657     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
658 
659     mbedtls_ccm_init(&ctx);
660 
661     if (mbedtls_ccm_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, key_test_data,
662                            8 * sizeof(key_test_data)) != 0) {
663         if (verbose != 0) {
664             mbedtls_printf("  CCM: setup failed");
665         }
666 
667         return 1;
668     }
669 
670     for (i = 0; i < NB_TESTS; i++) {
671         if (verbose != 0) {
672             mbedtls_printf("  CCM-AES #%u: ", (unsigned int) i + 1);
673         }
674 
675         memset(plaintext, 0, CCM_SELFTEST_PT_MAX_LEN);
676         memset(ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN);
677         memcpy(plaintext, msg_test_data, msg_len_test_data[i]);
678 
679         ret = mbedtls_ccm_encrypt_and_tag(&ctx, msg_len_test_data[i],
680                                           iv_test_data, iv_len_test_data[i],
681                                           ad_test_data, add_len_test_data[i],
682                                           plaintext, ciphertext,
683                                           ciphertext + msg_len_test_data[i],
684                                           tag_len_test_data[i]);
685 
686         if (ret != 0 ||
687             memcmp(ciphertext, res_test_data[i],
688                    msg_len_test_data[i] + tag_len_test_data[i]) != 0) {
689             if (verbose != 0) {
690                 mbedtls_printf("failed\n");
691             }
692 
693             return 1;
694         }
695         memset(plaintext, 0, CCM_SELFTEST_PT_MAX_LEN);
696 
697         ret = mbedtls_ccm_auth_decrypt(&ctx, msg_len_test_data[i],
698                                        iv_test_data, iv_len_test_data[i],
699                                        ad_test_data, add_len_test_data[i],
700                                        ciphertext, plaintext,
701                                        ciphertext + msg_len_test_data[i],
702                                        tag_len_test_data[i]);
703 
704         if (ret != 0 ||
705             memcmp(plaintext, msg_test_data, msg_len_test_data[i]) != 0) {
706             if (verbose != 0) {
707                 mbedtls_printf("failed\n");
708             }
709 
710             return 1;
711         }
712 
713         if (verbose != 0) {
714             mbedtls_printf("passed\n");
715         }
716     }
717 
718     mbedtls_ccm_free(&ctx);
719 
720     if (verbose != 0) {
721         mbedtls_printf("\n");
722     }
723 
724     return 0;
725 }
726 
727 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
728 
729 #endif /* MBEDTLS_CCM_C */
730