1a8e1175bSopenharmony_ci/** 2a8e1175bSopenharmony_ci * \file ccm.h 3a8e1175bSopenharmony_ci * 4a8e1175bSopenharmony_ci * \brief This file provides an API for the CCM authenticated encryption 5a8e1175bSopenharmony_ci * mode for block ciphers. 6a8e1175bSopenharmony_ci * 7a8e1175bSopenharmony_ci * CCM combines Counter mode encryption with CBC-MAC authentication 8a8e1175bSopenharmony_ci * for 128-bit block ciphers. 9a8e1175bSopenharmony_ci * 10a8e1175bSopenharmony_ci * Input to CCM includes the following elements: 11a8e1175bSopenharmony_ci * <ul><li>Payload - data that is both authenticated and encrypted.</li> 12a8e1175bSopenharmony_ci * <li>Associated data (Adata) - data that is authenticated but not 13a8e1175bSopenharmony_ci * encrypted, For example, a header.</li> 14a8e1175bSopenharmony_ci * <li>Nonce - A unique value that is assigned to the payload and the 15a8e1175bSopenharmony_ci * associated data.</li></ul> 16a8e1175bSopenharmony_ci * 17a8e1175bSopenharmony_ci * Definition of CCM: 18a8e1175bSopenharmony_ci * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf 19a8e1175bSopenharmony_ci * RFC 3610 "Counter with CBC-MAC (CCM)" 20a8e1175bSopenharmony_ci * 21a8e1175bSopenharmony_ci * Related: 22a8e1175bSopenharmony_ci * RFC 5116 "An Interface and Algorithms for Authenticated Encryption" 23a8e1175bSopenharmony_ci * 24a8e1175bSopenharmony_ci * Definition of CCM*: 25a8e1175bSopenharmony_ci * IEEE 802.15.4 - IEEE Standard for Local and metropolitan area networks 26a8e1175bSopenharmony_ci * Integer representation is fixed most-significant-octet-first order and 27a8e1175bSopenharmony_ci * the representation of octets is most-significant-bit-first order. This is 28a8e1175bSopenharmony_ci * consistent with RFC 3610. 29a8e1175bSopenharmony_ci */ 30a8e1175bSopenharmony_ci/* 31a8e1175bSopenharmony_ci * Copyright The Mbed TLS Contributors 32a8e1175bSopenharmony_ci * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 33a8e1175bSopenharmony_ci */ 34a8e1175bSopenharmony_ci 35a8e1175bSopenharmony_ci#ifndef MBEDTLS_CCM_H 36a8e1175bSopenharmony_ci#define MBEDTLS_CCM_H 37a8e1175bSopenharmony_ci#include "mbedtls/private_access.h" 38a8e1175bSopenharmony_ci 39a8e1175bSopenharmony_ci#include "mbedtls/build_info.h" 40a8e1175bSopenharmony_ci 41a8e1175bSopenharmony_ci#include "mbedtls/cipher.h" 42a8e1175bSopenharmony_ci 43a8e1175bSopenharmony_ci#if defined(MBEDTLS_BLOCK_CIPHER_C) 44a8e1175bSopenharmony_ci#include "mbedtls/block_cipher.h" 45a8e1175bSopenharmony_ci#endif 46a8e1175bSopenharmony_ci 47a8e1175bSopenharmony_ci#define MBEDTLS_CCM_DECRYPT 0 48a8e1175bSopenharmony_ci#define MBEDTLS_CCM_ENCRYPT 1 49a8e1175bSopenharmony_ci#define MBEDTLS_CCM_STAR_DECRYPT 2 50a8e1175bSopenharmony_ci#define MBEDTLS_CCM_STAR_ENCRYPT 3 51a8e1175bSopenharmony_ci 52a8e1175bSopenharmony_ci/** Bad input parameters to the function. */ 53a8e1175bSopenharmony_ci#define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D 54a8e1175bSopenharmony_ci/** Authenticated decryption failed. */ 55a8e1175bSopenharmony_ci#define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F 56a8e1175bSopenharmony_ci 57a8e1175bSopenharmony_ci#ifdef __cplusplus 58a8e1175bSopenharmony_ciextern "C" { 59a8e1175bSopenharmony_ci#endif 60a8e1175bSopenharmony_ci 61a8e1175bSopenharmony_ci#if !defined(MBEDTLS_CCM_ALT) 62a8e1175bSopenharmony_ci// Regular implementation 63a8e1175bSopenharmony_ci// 64a8e1175bSopenharmony_ci 65a8e1175bSopenharmony_ci/** 66a8e1175bSopenharmony_ci * \brief The CCM context-type definition. The CCM context is passed 67a8e1175bSopenharmony_ci * to the APIs called. 68a8e1175bSopenharmony_ci */ 69a8e1175bSopenharmony_citypedef struct mbedtls_ccm_context { 70a8e1175bSopenharmony_ci unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working buffer */ 71a8e1175bSopenharmony_ci unsigned char MBEDTLS_PRIVATE(ctr)[16]; /*!< The counter buffer */ 72a8e1175bSopenharmony_ci size_t MBEDTLS_PRIVATE(plaintext_len); /*!< Total plaintext length */ 73a8e1175bSopenharmony_ci size_t MBEDTLS_PRIVATE(add_len); /*!< Total authentication data length */ 74a8e1175bSopenharmony_ci size_t MBEDTLS_PRIVATE(tag_len); /*!< Total tag length */ 75a8e1175bSopenharmony_ci size_t MBEDTLS_PRIVATE(processed); /*!< Track how many bytes of input data 76a8e1175bSopenharmony_ci were processed (chunked input). 77a8e1175bSopenharmony_ci Used independently for both auth data 78a8e1175bSopenharmony_ci and plaintext/ciphertext. 79a8e1175bSopenharmony_ci This variable is set to zero after 80a8e1175bSopenharmony_ci auth data input is finished. */ 81a8e1175bSopenharmony_ci unsigned int MBEDTLS_PRIVATE(q); /*!< The Q working value */ 82a8e1175bSopenharmony_ci unsigned int MBEDTLS_PRIVATE(mode); /*!< The operation to perform: 83a8e1175bSopenharmony_ci #MBEDTLS_CCM_ENCRYPT or 84a8e1175bSopenharmony_ci #MBEDTLS_CCM_DECRYPT or 85a8e1175bSopenharmony_ci #MBEDTLS_CCM_STAR_ENCRYPT or 86a8e1175bSopenharmony_ci #MBEDTLS_CCM_STAR_DECRYPT. */ 87a8e1175bSopenharmony_ci#if defined(MBEDTLS_BLOCK_CIPHER_C) 88a8e1175bSopenharmony_ci mbedtls_block_cipher_context_t MBEDTLS_PRIVATE(block_cipher_ctx); /*!< The cipher context used. */ 89a8e1175bSopenharmony_ci#else 90a8e1175bSopenharmony_ci mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */ 91a8e1175bSopenharmony_ci#endif 92a8e1175bSopenharmony_ci int MBEDTLS_PRIVATE(state); /*!< Working value holding context's 93a8e1175bSopenharmony_ci state. Used for chunked data input */ 94a8e1175bSopenharmony_ci} 95a8e1175bSopenharmony_cimbedtls_ccm_context; 96a8e1175bSopenharmony_ci 97a8e1175bSopenharmony_ci#else /* MBEDTLS_CCM_ALT */ 98a8e1175bSopenharmony_ci#include "ccm_alt.h" 99a8e1175bSopenharmony_ci#endif /* MBEDTLS_CCM_ALT */ 100a8e1175bSopenharmony_ci 101a8e1175bSopenharmony_ci/** 102a8e1175bSopenharmony_ci * \brief This function initializes the specified CCM context, 103a8e1175bSopenharmony_ci * to make references valid, and prepare the context 104a8e1175bSopenharmony_ci * for mbedtls_ccm_setkey() or mbedtls_ccm_free(). 105a8e1175bSopenharmony_ci * 106a8e1175bSopenharmony_ci * \param ctx The CCM context to initialize. This must not be \c NULL. 107a8e1175bSopenharmony_ci */ 108a8e1175bSopenharmony_civoid mbedtls_ccm_init(mbedtls_ccm_context *ctx); 109a8e1175bSopenharmony_ci 110a8e1175bSopenharmony_ci/** 111a8e1175bSopenharmony_ci * \brief This function initializes the CCM context set in the 112a8e1175bSopenharmony_ci * \p ctx parameter and sets the encryption key. 113a8e1175bSopenharmony_ci * 114a8e1175bSopenharmony_ci * \param ctx The CCM context to initialize. This must be an initialized 115a8e1175bSopenharmony_ci * context. 116a8e1175bSopenharmony_ci * \param cipher The 128-bit block cipher to use. 117a8e1175bSopenharmony_ci * \param key The encryption key. This must not be \c NULL. 118a8e1175bSopenharmony_ci * \param keybits The key size in bits. This must be acceptable by the cipher. 119a8e1175bSopenharmony_ci * 120a8e1175bSopenharmony_ci * \return \c 0 on success. 121a8e1175bSopenharmony_ci * \return A CCM or cipher-specific error code on failure. 122a8e1175bSopenharmony_ci */ 123a8e1175bSopenharmony_ciint mbedtls_ccm_setkey(mbedtls_ccm_context *ctx, 124a8e1175bSopenharmony_ci mbedtls_cipher_id_t cipher, 125a8e1175bSopenharmony_ci const unsigned char *key, 126a8e1175bSopenharmony_ci unsigned int keybits); 127a8e1175bSopenharmony_ci 128a8e1175bSopenharmony_ci/** 129a8e1175bSopenharmony_ci * \brief This function releases and clears the specified CCM context 130a8e1175bSopenharmony_ci * and underlying cipher sub-context. 131a8e1175bSopenharmony_ci * 132a8e1175bSopenharmony_ci * \param ctx The CCM context to clear. If this is \c NULL, the function 133a8e1175bSopenharmony_ci * has no effect. Otherwise, this must be initialized. 134a8e1175bSopenharmony_ci */ 135a8e1175bSopenharmony_civoid mbedtls_ccm_free(mbedtls_ccm_context *ctx); 136a8e1175bSopenharmony_ci 137a8e1175bSopenharmony_ci/** 138a8e1175bSopenharmony_ci * \brief This function encrypts a buffer using CCM. 139a8e1175bSopenharmony_ci * 140a8e1175bSopenharmony_ci * \note The tag is written to a separate buffer. To concatenate 141a8e1175bSopenharmony_ci * the \p tag with the \p output, as done in <em>RFC-3610: 142a8e1175bSopenharmony_ci * Counter with CBC-MAC (CCM)</em>, use 143a8e1175bSopenharmony_ci * \p tag = \p output + \p length, and make sure that the 144a8e1175bSopenharmony_ci * output buffer is at least \p length + \p tag_len wide. 145a8e1175bSopenharmony_ci * 146a8e1175bSopenharmony_ci * \param ctx The CCM context to use for encryption. This must be 147a8e1175bSopenharmony_ci * initialized and bound to a key. 148a8e1175bSopenharmony_ci * \param length The length of the input data in Bytes. 149a8e1175bSopenharmony_ci * \param iv The initialization vector (nonce). This must be a readable 150a8e1175bSopenharmony_ci * buffer of at least \p iv_len Bytes. 151a8e1175bSopenharmony_ci * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12, 152a8e1175bSopenharmony_ci * or 13. The length L of the message length field is 153a8e1175bSopenharmony_ci * 15 - \p iv_len. 154a8e1175bSopenharmony_ci * \param ad The additional data field. If \p ad_len is greater than 155a8e1175bSopenharmony_ci * zero, \p ad must be a readable buffer of at least that 156a8e1175bSopenharmony_ci * length. 157a8e1175bSopenharmony_ci * \param ad_len The length of additional data in Bytes. 158a8e1175bSopenharmony_ci * This must be less than `2^16 - 2^8`. 159a8e1175bSopenharmony_ci * \param input The buffer holding the input data. If \p length is greater 160a8e1175bSopenharmony_ci * than zero, \p input must be a readable buffer of at least 161a8e1175bSopenharmony_ci * that length. 162a8e1175bSopenharmony_ci * \param output The buffer holding the output data. If \p length is greater 163a8e1175bSopenharmony_ci * than zero, \p output must be a writable buffer of at least 164a8e1175bSopenharmony_ci * that length. 165a8e1175bSopenharmony_ci * \param tag The buffer holding the authentication field. This must be a 166a8e1175bSopenharmony_ci * writable buffer of at least \p tag_len Bytes. 167a8e1175bSopenharmony_ci * \param tag_len The length of the authentication field to generate in Bytes: 168a8e1175bSopenharmony_ci * 4, 6, 8, 10, 12, 14 or 16. 169a8e1175bSopenharmony_ci * 170a8e1175bSopenharmony_ci * \return \c 0 on success. 171a8e1175bSopenharmony_ci * \return A CCM or cipher-specific error code on failure. 172a8e1175bSopenharmony_ci */ 173a8e1175bSopenharmony_ciint mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length, 174a8e1175bSopenharmony_ci const unsigned char *iv, size_t iv_len, 175a8e1175bSopenharmony_ci const unsigned char *ad, size_t ad_len, 176a8e1175bSopenharmony_ci const unsigned char *input, unsigned char *output, 177a8e1175bSopenharmony_ci unsigned char *tag, size_t tag_len); 178a8e1175bSopenharmony_ci 179a8e1175bSopenharmony_ci/** 180a8e1175bSopenharmony_ci * \brief This function encrypts a buffer using CCM*. 181a8e1175bSopenharmony_ci * 182a8e1175bSopenharmony_ci * \note The tag is written to a separate buffer. To concatenate 183a8e1175bSopenharmony_ci * the \p tag with the \p output, as done in <em>RFC-3610: 184a8e1175bSopenharmony_ci * Counter with CBC-MAC (CCM)</em>, use 185a8e1175bSopenharmony_ci * \p tag = \p output + \p length, and make sure that the 186a8e1175bSopenharmony_ci * output buffer is at least \p length + \p tag_len wide. 187a8e1175bSopenharmony_ci * 188a8e1175bSopenharmony_ci * \note When using this function in a variable tag length context, 189a8e1175bSopenharmony_ci * the tag length has to be encoded into the \p iv passed to 190a8e1175bSopenharmony_ci * this function. 191a8e1175bSopenharmony_ci * 192a8e1175bSopenharmony_ci * \param ctx The CCM context to use for encryption. This must be 193a8e1175bSopenharmony_ci * initialized and bound to a key. 194a8e1175bSopenharmony_ci * \param length The length of the input data in Bytes. 195a8e1175bSopenharmony_ci * For tag length = 0, input length is ignored. 196a8e1175bSopenharmony_ci * \param iv The initialization vector (nonce). This must be a readable 197a8e1175bSopenharmony_ci * buffer of at least \p iv_len Bytes. 198a8e1175bSopenharmony_ci * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12, 199a8e1175bSopenharmony_ci * or 13. The length L of the message length field is 200a8e1175bSopenharmony_ci * 15 - \p iv_len. 201a8e1175bSopenharmony_ci * \param ad The additional data field. This must be a readable buffer of 202a8e1175bSopenharmony_ci * at least \p ad_len Bytes. 203a8e1175bSopenharmony_ci * \param ad_len The length of additional data in Bytes. 204a8e1175bSopenharmony_ci * This must be less than 2^16 - 2^8. 205a8e1175bSopenharmony_ci * \param input The buffer holding the input data. If \p length is greater 206a8e1175bSopenharmony_ci * than zero, \p input must be a readable buffer of at least 207a8e1175bSopenharmony_ci * that length. 208a8e1175bSopenharmony_ci * \param output The buffer holding the output data. If \p length is greater 209a8e1175bSopenharmony_ci * than zero, \p output must be a writable buffer of at least 210a8e1175bSopenharmony_ci * that length. 211a8e1175bSopenharmony_ci * \param tag The buffer holding the authentication field. This must be a 212a8e1175bSopenharmony_ci * writable buffer of at least \p tag_len Bytes. 213a8e1175bSopenharmony_ci * \param tag_len The length of the authentication field to generate in Bytes: 214a8e1175bSopenharmony_ci * 0, 4, 6, 8, 10, 12, 14 or 16. 215a8e1175bSopenharmony_ci * 216a8e1175bSopenharmony_ci * \warning Passing \c 0 as \p tag_len means that the message is no 217a8e1175bSopenharmony_ci * longer authenticated. 218a8e1175bSopenharmony_ci * 219a8e1175bSopenharmony_ci * \return \c 0 on success. 220a8e1175bSopenharmony_ci * \return A CCM or cipher-specific error code on failure. 221a8e1175bSopenharmony_ci */ 222a8e1175bSopenharmony_ciint mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length, 223a8e1175bSopenharmony_ci const unsigned char *iv, size_t iv_len, 224a8e1175bSopenharmony_ci const unsigned char *ad, size_t ad_len, 225a8e1175bSopenharmony_ci const unsigned char *input, unsigned char *output, 226a8e1175bSopenharmony_ci unsigned char *tag, size_t tag_len); 227a8e1175bSopenharmony_ci 228a8e1175bSopenharmony_ci/** 229a8e1175bSopenharmony_ci * \brief This function performs a CCM authenticated decryption of a 230a8e1175bSopenharmony_ci * buffer. 231a8e1175bSopenharmony_ci * 232a8e1175bSopenharmony_ci * \param ctx The CCM context to use for decryption. This must be 233a8e1175bSopenharmony_ci * initialized and bound to a key. 234a8e1175bSopenharmony_ci * \param length The length of the input data in Bytes. 235a8e1175bSopenharmony_ci * \param iv The initialization vector (nonce). This must be a readable 236a8e1175bSopenharmony_ci * buffer of at least \p iv_len Bytes. 237a8e1175bSopenharmony_ci * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12, 238a8e1175bSopenharmony_ci * or 13. The length L of the message length field is 239a8e1175bSopenharmony_ci * 15 - \p iv_len. 240a8e1175bSopenharmony_ci * \param ad The additional data field. This must be a readable buffer 241a8e1175bSopenharmony_ci * of at least that \p ad_len Bytes.. 242a8e1175bSopenharmony_ci * \param ad_len The length of additional data in Bytes. 243a8e1175bSopenharmony_ci * This must be less than 2^16 - 2^8. 244a8e1175bSopenharmony_ci * \param input The buffer holding the input data. If \p length is greater 245a8e1175bSopenharmony_ci * than zero, \p input must be a readable buffer of at least 246a8e1175bSopenharmony_ci * that length. 247a8e1175bSopenharmony_ci * \param output The buffer holding the output data. If \p length is greater 248a8e1175bSopenharmony_ci * than zero, \p output must be a writable buffer of at least 249a8e1175bSopenharmony_ci * that length. 250a8e1175bSopenharmony_ci * \param tag The buffer holding the authentication field. This must be a 251a8e1175bSopenharmony_ci * readable buffer of at least \p tag_len Bytes. 252a8e1175bSopenharmony_ci * \param tag_len The length of the authentication field to generate in Bytes: 253a8e1175bSopenharmony_ci * 4, 6, 8, 10, 12, 14 or 16. 254a8e1175bSopenharmony_ci * 255a8e1175bSopenharmony_ci * \return \c 0 on success. This indicates that the message is authentic. 256a8e1175bSopenharmony_ci * \return #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match. 257a8e1175bSopenharmony_ci * \return A cipher-specific error code on calculation failure. 258a8e1175bSopenharmony_ci */ 259a8e1175bSopenharmony_ciint mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length, 260a8e1175bSopenharmony_ci const unsigned char *iv, size_t iv_len, 261a8e1175bSopenharmony_ci const unsigned char *ad, size_t ad_len, 262a8e1175bSopenharmony_ci const unsigned char *input, unsigned char *output, 263a8e1175bSopenharmony_ci const unsigned char *tag, size_t tag_len); 264a8e1175bSopenharmony_ci 265a8e1175bSopenharmony_ci/** 266a8e1175bSopenharmony_ci * \brief This function performs a CCM* authenticated decryption of a 267a8e1175bSopenharmony_ci * buffer. 268a8e1175bSopenharmony_ci * 269a8e1175bSopenharmony_ci * \note When using this function in a variable tag length context, 270a8e1175bSopenharmony_ci * the tag length has to be decoded from \p iv and passed to 271a8e1175bSopenharmony_ci * this function as \p tag_len. (\p tag needs to be adjusted 272a8e1175bSopenharmony_ci * accordingly.) 273a8e1175bSopenharmony_ci * 274a8e1175bSopenharmony_ci * \param ctx The CCM context to use for decryption. This must be 275a8e1175bSopenharmony_ci * initialized and bound to a key. 276a8e1175bSopenharmony_ci * \param length The length of the input data in Bytes. 277a8e1175bSopenharmony_ci * For tag length = 0, input length is ignored. 278a8e1175bSopenharmony_ci * \param iv The initialization vector (nonce). This must be a readable 279a8e1175bSopenharmony_ci * buffer of at least \p iv_len Bytes. 280a8e1175bSopenharmony_ci * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12, 281a8e1175bSopenharmony_ci * or 13. The length L of the message length field is 282a8e1175bSopenharmony_ci * 15 - \p iv_len. 283a8e1175bSopenharmony_ci * \param ad The additional data field. This must be a readable buffer of 284a8e1175bSopenharmony_ci * at least that \p ad_len Bytes. 285a8e1175bSopenharmony_ci * \param ad_len The length of additional data in Bytes. 286a8e1175bSopenharmony_ci * This must be less than 2^16 - 2^8. 287a8e1175bSopenharmony_ci * \param input The buffer holding the input data. If \p length is greater 288a8e1175bSopenharmony_ci * than zero, \p input must be a readable buffer of at least 289a8e1175bSopenharmony_ci * that length. 290a8e1175bSopenharmony_ci * \param output The buffer holding the output data. If \p length is greater 291a8e1175bSopenharmony_ci * than zero, \p output must be a writable buffer of at least 292a8e1175bSopenharmony_ci * that length. 293a8e1175bSopenharmony_ci * \param tag The buffer holding the authentication field. This must be a 294a8e1175bSopenharmony_ci * readable buffer of at least \p tag_len Bytes. 295a8e1175bSopenharmony_ci * \param tag_len The length of the authentication field in Bytes. 296a8e1175bSopenharmony_ci * 0, 4, 6, 8, 10, 12, 14 or 16. 297a8e1175bSopenharmony_ci * 298a8e1175bSopenharmony_ci * \warning Passing \c 0 as \p tag_len means that the message is nos 299a8e1175bSopenharmony_ci * longer authenticated. 300a8e1175bSopenharmony_ci * 301a8e1175bSopenharmony_ci * \return \c 0 on success. 302a8e1175bSopenharmony_ci * \return #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match. 303a8e1175bSopenharmony_ci * \return A cipher-specific error code on calculation failure. 304a8e1175bSopenharmony_ci */ 305a8e1175bSopenharmony_ciint mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context *ctx, size_t length, 306a8e1175bSopenharmony_ci const unsigned char *iv, size_t iv_len, 307a8e1175bSopenharmony_ci const unsigned char *ad, size_t ad_len, 308a8e1175bSopenharmony_ci const unsigned char *input, unsigned char *output, 309a8e1175bSopenharmony_ci const unsigned char *tag, size_t tag_len); 310a8e1175bSopenharmony_ci 311a8e1175bSopenharmony_ci/** 312a8e1175bSopenharmony_ci * \brief This function starts a CCM encryption or decryption 313a8e1175bSopenharmony_ci * operation. 314a8e1175bSopenharmony_ci * 315a8e1175bSopenharmony_ci * This function and mbedtls_ccm_set_lengths() must be called 316a8e1175bSopenharmony_ci * before calling mbedtls_ccm_update_ad() or 317a8e1175bSopenharmony_ci * mbedtls_ccm_update(). This function can be called before 318a8e1175bSopenharmony_ci * or after mbedtls_ccm_set_lengths(). 319a8e1175bSopenharmony_ci * 320a8e1175bSopenharmony_ci * \note This function is not implemented in Mbed TLS yet. 321a8e1175bSopenharmony_ci * 322a8e1175bSopenharmony_ci * \param ctx The CCM context. This must be initialized. 323a8e1175bSopenharmony_ci * \param mode The operation to perform: #MBEDTLS_CCM_ENCRYPT or 324a8e1175bSopenharmony_ci * #MBEDTLS_CCM_DECRYPT or #MBEDTLS_CCM_STAR_ENCRYPT or 325a8e1175bSopenharmony_ci * #MBEDTLS_CCM_STAR_DECRYPT. 326a8e1175bSopenharmony_ci * \param iv The initialization vector. This must be a readable buffer 327a8e1175bSopenharmony_ci * of at least \p iv_len Bytes. 328a8e1175bSopenharmony_ci * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12, 329a8e1175bSopenharmony_ci * or 13. The length L of the message length field is 330a8e1175bSopenharmony_ci * 15 - \p iv_len. 331a8e1175bSopenharmony_ci * 332a8e1175bSopenharmony_ci * \return \c 0 on success. 333a8e1175bSopenharmony_ci * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure: 334a8e1175bSopenharmony_ci * \p ctx is in an invalid state, 335a8e1175bSopenharmony_ci * \p mode is invalid, 336a8e1175bSopenharmony_ci * \p iv_len is invalid (lower than \c 7 or greater than 337a8e1175bSopenharmony_ci * \c 13). 338a8e1175bSopenharmony_ci */ 339a8e1175bSopenharmony_ciint mbedtls_ccm_starts(mbedtls_ccm_context *ctx, 340a8e1175bSopenharmony_ci int mode, 341a8e1175bSopenharmony_ci const unsigned char *iv, 342a8e1175bSopenharmony_ci size_t iv_len); 343a8e1175bSopenharmony_ci 344a8e1175bSopenharmony_ci/** 345a8e1175bSopenharmony_ci * \brief This function declares the lengths of the message 346a8e1175bSopenharmony_ci * and additional data for a CCM encryption or decryption 347a8e1175bSopenharmony_ci * operation. 348a8e1175bSopenharmony_ci * 349a8e1175bSopenharmony_ci * This function and mbedtls_ccm_starts() must be called 350a8e1175bSopenharmony_ci * before calling mbedtls_ccm_update_ad() or 351a8e1175bSopenharmony_ci * mbedtls_ccm_update(). This function can be called before 352a8e1175bSopenharmony_ci * or after mbedtls_ccm_starts(). 353a8e1175bSopenharmony_ci * 354a8e1175bSopenharmony_ci * \note This function is not implemented in Mbed TLS yet. 355a8e1175bSopenharmony_ci * 356a8e1175bSopenharmony_ci * \param ctx The CCM context. This must be initialized. 357a8e1175bSopenharmony_ci * \param total_ad_len The total length of additional data in bytes. 358a8e1175bSopenharmony_ci * This must be less than `2^16 - 2^8`. 359a8e1175bSopenharmony_ci * \param plaintext_len The length in bytes of the plaintext to encrypt or 360a8e1175bSopenharmony_ci * result of the decryption (thus not encompassing the 361a8e1175bSopenharmony_ci * additional data that are not encrypted). 362a8e1175bSopenharmony_ci * \param tag_len The length of the tag to generate in Bytes: 363a8e1175bSopenharmony_ci * 4, 6, 8, 10, 12, 14 or 16. 364a8e1175bSopenharmony_ci * For CCM*, zero is also valid. 365a8e1175bSopenharmony_ci * 366a8e1175bSopenharmony_ci * \return \c 0 on success. 367a8e1175bSopenharmony_ci * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure: 368a8e1175bSopenharmony_ci * \p ctx is in an invalid state, 369a8e1175bSopenharmony_ci * \p total_ad_len is greater than \c 0xFF00. 370a8e1175bSopenharmony_ci */ 371a8e1175bSopenharmony_ciint mbedtls_ccm_set_lengths(mbedtls_ccm_context *ctx, 372a8e1175bSopenharmony_ci size_t total_ad_len, 373a8e1175bSopenharmony_ci size_t plaintext_len, 374a8e1175bSopenharmony_ci size_t tag_len); 375a8e1175bSopenharmony_ci 376a8e1175bSopenharmony_ci/** 377a8e1175bSopenharmony_ci * \brief This function feeds an input buffer as associated data 378a8e1175bSopenharmony_ci * (authenticated but not encrypted data) in a CCM 379a8e1175bSopenharmony_ci * encryption or decryption operation. 380a8e1175bSopenharmony_ci * 381a8e1175bSopenharmony_ci * You may call this function zero, one or more times 382a8e1175bSopenharmony_ci * to pass successive parts of the additional data. The 383a8e1175bSopenharmony_ci * lengths \p ad_len of the data parts should eventually add 384a8e1175bSopenharmony_ci * up exactly to the total length of additional data 385a8e1175bSopenharmony_ci * \c total_ad_len passed to mbedtls_ccm_set_lengths(). You 386a8e1175bSopenharmony_ci * may not call this function after calling 387a8e1175bSopenharmony_ci * mbedtls_ccm_update(). 388a8e1175bSopenharmony_ci * 389a8e1175bSopenharmony_ci * \note This function is not implemented in Mbed TLS yet. 390a8e1175bSopenharmony_ci * 391a8e1175bSopenharmony_ci * \param ctx The CCM context. This must have been started with 392a8e1175bSopenharmony_ci * mbedtls_ccm_starts(), the lengths of the message and 393a8e1175bSopenharmony_ci * additional data must have been declared with 394a8e1175bSopenharmony_ci * mbedtls_ccm_set_lengths() and this must not have yet 395a8e1175bSopenharmony_ci * received any input with mbedtls_ccm_update(). 396a8e1175bSopenharmony_ci * \param ad The buffer holding the additional data, or \c NULL 397a8e1175bSopenharmony_ci * if \p ad_len is \c 0. 398a8e1175bSopenharmony_ci * \param ad_len The length of the additional data. If \c 0, 399a8e1175bSopenharmony_ci * \p ad may be \c NULL. 400a8e1175bSopenharmony_ci * 401a8e1175bSopenharmony_ci * \return \c 0 on success. 402a8e1175bSopenharmony_ci * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure: 403a8e1175bSopenharmony_ci * \p ctx is in an invalid state, 404a8e1175bSopenharmony_ci * total input length too long. 405a8e1175bSopenharmony_ci */ 406a8e1175bSopenharmony_ciint mbedtls_ccm_update_ad(mbedtls_ccm_context *ctx, 407a8e1175bSopenharmony_ci const unsigned char *ad, 408a8e1175bSopenharmony_ci size_t ad_len); 409a8e1175bSopenharmony_ci 410a8e1175bSopenharmony_ci/** 411a8e1175bSopenharmony_ci * \brief This function feeds an input buffer into an ongoing CCM 412a8e1175bSopenharmony_ci * encryption or decryption operation. 413a8e1175bSopenharmony_ci * 414a8e1175bSopenharmony_ci * You may call this function zero, one or more times 415a8e1175bSopenharmony_ci * to pass successive parts of the input: the plaintext to 416a8e1175bSopenharmony_ci * encrypt, or the ciphertext (not including the tag) to 417a8e1175bSopenharmony_ci * decrypt. After the last part of the input, call 418a8e1175bSopenharmony_ci * mbedtls_ccm_finish(). The lengths \p input_len of the 419a8e1175bSopenharmony_ci * data parts should eventually add up exactly to the 420a8e1175bSopenharmony_ci * plaintext length \c plaintext_len passed to 421a8e1175bSopenharmony_ci * mbedtls_ccm_set_lengths(). 422a8e1175bSopenharmony_ci * 423a8e1175bSopenharmony_ci * This function may produce output in one of the following 424a8e1175bSopenharmony_ci * ways: 425a8e1175bSopenharmony_ci * - Immediate output: the output length is always equal 426a8e1175bSopenharmony_ci * to the input length. 427a8e1175bSopenharmony_ci * - Buffered output: except for the last part of input data, 428a8e1175bSopenharmony_ci * the output consists of a whole number of 16-byte blocks. 429a8e1175bSopenharmony_ci * If the total input length so far (not including 430a8e1175bSopenharmony_ci * associated data) is 16 \* *B* + *A* with *A* < 16 then 431a8e1175bSopenharmony_ci * the total output length is 16 \* *B*. 432a8e1175bSopenharmony_ci * For the last part of input data, the output length is 433a8e1175bSopenharmony_ci * equal to the input length plus the number of bytes (*A*) 434a8e1175bSopenharmony_ci * buffered in the previous call to the function (if any). 435a8e1175bSopenharmony_ci * The function uses the plaintext length 436a8e1175bSopenharmony_ci * \c plaintext_len passed to mbedtls_ccm_set_lengths() 437a8e1175bSopenharmony_ci * to detect the last part of input data. 438a8e1175bSopenharmony_ci * 439a8e1175bSopenharmony_ci * In particular: 440a8e1175bSopenharmony_ci * - It is always correct to call this function with 441a8e1175bSopenharmony_ci * \p output_size >= \p input_len + 15. 442a8e1175bSopenharmony_ci * - If \p input_len is a multiple of 16 for all the calls 443a8e1175bSopenharmony_ci * to this function during an operation (not necessary for 444a8e1175bSopenharmony_ci * the last one) then it is correct to use \p output_size 445a8e1175bSopenharmony_ci * =\p input_len. 446a8e1175bSopenharmony_ci * 447a8e1175bSopenharmony_ci * \note This function is not implemented in Mbed TLS yet. 448a8e1175bSopenharmony_ci * 449a8e1175bSopenharmony_ci * \param ctx The CCM context. This must have been started with 450a8e1175bSopenharmony_ci * mbedtls_ccm_starts() and the lengths of the message and 451a8e1175bSopenharmony_ci * additional data must have been declared with 452a8e1175bSopenharmony_ci * mbedtls_ccm_set_lengths(). 453a8e1175bSopenharmony_ci * \param input The buffer holding the input data. If \p input_len 454a8e1175bSopenharmony_ci * is greater than zero, this must be a readable buffer 455a8e1175bSopenharmony_ci * of at least \p input_len bytes. 456a8e1175bSopenharmony_ci * \param input_len The length of the input data in bytes. 457a8e1175bSopenharmony_ci * \param output The buffer for the output data. If \p output_size 458a8e1175bSopenharmony_ci * is greater than zero, this must be a writable buffer of 459a8e1175bSopenharmony_ci * at least \p output_size bytes. 460a8e1175bSopenharmony_ci * \param output_size The size of the output buffer in bytes. 461a8e1175bSopenharmony_ci * See the function description regarding the output size. 462a8e1175bSopenharmony_ci * \param output_len On success, \p *output_len contains the actual 463a8e1175bSopenharmony_ci * length of the output written in \p output. 464a8e1175bSopenharmony_ci * On failure, the content of \p *output_len is 465a8e1175bSopenharmony_ci * unspecified. 466a8e1175bSopenharmony_ci * 467a8e1175bSopenharmony_ci * \return \c 0 on success. 468a8e1175bSopenharmony_ci * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure: 469a8e1175bSopenharmony_ci * \p ctx is in an invalid state, 470a8e1175bSopenharmony_ci * total input length too long, 471a8e1175bSopenharmony_ci * or \p output_size too small. 472a8e1175bSopenharmony_ci */ 473a8e1175bSopenharmony_ciint mbedtls_ccm_update(mbedtls_ccm_context *ctx, 474a8e1175bSopenharmony_ci const unsigned char *input, size_t input_len, 475a8e1175bSopenharmony_ci unsigned char *output, size_t output_size, 476a8e1175bSopenharmony_ci size_t *output_len); 477a8e1175bSopenharmony_ci 478a8e1175bSopenharmony_ci/** 479a8e1175bSopenharmony_ci * \brief This function finishes the CCM operation and generates 480a8e1175bSopenharmony_ci * the authentication tag. 481a8e1175bSopenharmony_ci * 482a8e1175bSopenharmony_ci * It wraps up the CCM stream, and generates the 483a8e1175bSopenharmony_ci * tag. The tag can have a maximum length of 16 Bytes. 484a8e1175bSopenharmony_ci * 485a8e1175bSopenharmony_ci * \note This function is not implemented in Mbed TLS yet. 486a8e1175bSopenharmony_ci * 487a8e1175bSopenharmony_ci * \param ctx The CCM context. This must have been started with 488a8e1175bSopenharmony_ci * mbedtls_ccm_starts() and the lengths of the message and 489a8e1175bSopenharmony_ci * additional data must have been declared with 490a8e1175bSopenharmony_ci * mbedtls_ccm_set_lengths(). 491a8e1175bSopenharmony_ci * \param tag The buffer for holding the tag. If \p tag_len is greater 492a8e1175bSopenharmony_ci * than zero, this must be a writable buffer of at least \p 493a8e1175bSopenharmony_ci * tag_len Bytes. 494a8e1175bSopenharmony_ci * \param tag_len The length of the tag. Must match the tag length passed to 495a8e1175bSopenharmony_ci * mbedtls_ccm_set_lengths() function. 496a8e1175bSopenharmony_ci * 497a8e1175bSopenharmony_ci * \return \c 0 on success. 498a8e1175bSopenharmony_ci * \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure: 499a8e1175bSopenharmony_ci * \p ctx is in an invalid state, 500a8e1175bSopenharmony_ci * invalid value of \p tag_len, 501a8e1175bSopenharmony_ci * the total amount of additional data passed to 502a8e1175bSopenharmony_ci * mbedtls_ccm_update_ad() was lower than the total length of 503a8e1175bSopenharmony_ci * additional data \c total_ad_len passed to 504a8e1175bSopenharmony_ci * mbedtls_ccm_set_lengths(), 505a8e1175bSopenharmony_ci * the total amount of input data passed to 506a8e1175bSopenharmony_ci * mbedtls_ccm_update() was lower than the plaintext length 507a8e1175bSopenharmony_ci * \c plaintext_len passed to mbedtls_ccm_set_lengths(). 508a8e1175bSopenharmony_ci */ 509a8e1175bSopenharmony_ciint mbedtls_ccm_finish(mbedtls_ccm_context *ctx, 510a8e1175bSopenharmony_ci unsigned char *tag, size_t tag_len); 511a8e1175bSopenharmony_ci 512a8e1175bSopenharmony_ci#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_CCM_GCM_CAN_AES) 513a8e1175bSopenharmony_ci/** 514a8e1175bSopenharmony_ci * \brief The CCM checkup routine. 515a8e1175bSopenharmony_ci * 516a8e1175bSopenharmony_ci * \return \c 0 on success. 517a8e1175bSopenharmony_ci * \return \c 1 on failure. 518a8e1175bSopenharmony_ci */ 519a8e1175bSopenharmony_ciint mbedtls_ccm_self_test(int verbose); 520a8e1175bSopenharmony_ci#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ 521a8e1175bSopenharmony_ci 522a8e1175bSopenharmony_ci#ifdef __cplusplus 523a8e1175bSopenharmony_ci} 524a8e1175bSopenharmony_ci#endif 525a8e1175bSopenharmony_ci 526a8e1175bSopenharmony_ci#endif /* MBEDTLS_CCM_H */ 527