4 * \brief This file provides an API for the CCM authenticated encryption
\r
5 * mode for block ciphers.
\r
7 * CCM combines Counter mode encryption with CBC-MAC authentication
\r
8 * for 128-bit block ciphers.
\r
10 * Input to CCM includes the following elements:
\r
11 * <ul><li>Payload - data that is both authenticated and encrypted.</li>
\r
12 * <li>Associated data (Adata) - data that is authenticated but not
\r
13 * encrypted, For example, a header.</li>
\r
14 * <li>Nonce - A unique value that is assigned to the payload and the
\r
15 * associated data.</li></ul>
\r
17 * Definition of CCM:
\r
18 * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
\r
19 * RFC 3610 "Counter with CBC-MAC (CCM)"
\r
22 * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
\r
24 * Definition of CCM*:
\r
25 * IEEE 802.15.4 - IEEE Standard for Local and metropolitan area networks
\r
26 * Integer representation is fixed most-significant-octet-first order and
\r
27 * the representation of octets is most-significant-bit-first order. This is
\r
28 * consistent with RFC 3610.
\r
31 * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
\r
32 * SPDX-License-Identifier: Apache-2.0
\r
34 * Licensed under the Apache License, Version 2.0 (the "License"); you may
\r
35 * not use this file except in compliance with the License.
\r
36 * You may obtain a copy of the License at
\r
38 * http://www.apache.org/licenses/LICENSE-2.0
\r
40 * Unless required by applicable law or agreed to in writing, software
\r
41 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
\r
42 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
43 * See the License for the specific language governing permissions and
\r
44 * limitations under the License.
\r
46 * This file is part of Mbed TLS (https://tls.mbed.org)
\r
49 #ifndef MBEDTLS_CCM_H
\r
50 #define MBEDTLS_CCM_H
\r
52 #if !defined(MBEDTLS_CONFIG_FILE)
\r
55 #include MBEDTLS_CONFIG_FILE
\r
60 #define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /**< Bad input parameters to the function. */
\r
61 #define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F /**< Authenticated decryption failed. */
\r
63 /* MBEDTLS_ERR_CCM_HW_ACCEL_FAILED is deprecated and should not be used. */
\r
64 #define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */
\r
70 #if !defined(MBEDTLS_CCM_ALT)
\r
71 // Regular implementation
\r
75 * \brief The CCM context-type definition. The CCM context is passed
\r
76 * to the APIs called.
\r
78 typedef struct mbedtls_ccm_context
\r
80 mbedtls_cipher_context_t cipher_ctx; /*!< The cipher context used. */
\r
82 mbedtls_ccm_context;
\r
84 #else /* MBEDTLS_CCM_ALT */
\r
85 #include "ccm_alt.h"
\r
86 #endif /* MBEDTLS_CCM_ALT */
\r
89 * \brief This function initializes the specified CCM context,
\r
90 * to make references valid, and prepare the context
\r
91 * for mbedtls_ccm_setkey() or mbedtls_ccm_free().
\r
93 * \param ctx The CCM context to initialize. This must not be \c NULL.
\r
95 void mbedtls_ccm_init( mbedtls_ccm_context *ctx );
\r
98 * \brief This function initializes the CCM context set in the
\r
99 * \p ctx parameter and sets the encryption key.
\r
101 * \param ctx The CCM context to initialize. This must be an initialized
\r
103 * \param cipher The 128-bit block cipher to use.
\r
104 * \param key The encryption key. This must not be \c NULL.
\r
105 * \param keybits The key size in bits. This must be acceptable by the cipher.
\r
107 * \return \c 0 on success.
\r
108 * \return A CCM or cipher-specific error code on failure.
\r
110 int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
\r
111 mbedtls_cipher_id_t cipher,
\r
112 const unsigned char *key,
\r
113 unsigned int keybits );
\r
116 * \brief This function releases and clears the specified CCM context
\r
117 * and underlying cipher sub-context.
\r
119 * \param ctx The CCM context to clear. If this is \c NULL, the function
\r
120 * has no effect. Otherwise, this must be initialized.
\r
122 void mbedtls_ccm_free( mbedtls_ccm_context *ctx );
\r
125 * \brief This function encrypts a buffer using CCM.
\r
127 * \note The tag is written to a separate buffer. To concatenate
\r
128 * the \p tag with the \p output, as done in <em>RFC-3610:
\r
129 * Counter with CBC-MAC (CCM)</em>, use
\r
130 * \p tag = \p output + \p length, and make sure that the
\r
131 * output buffer is at least \p length + \p tag_len wide.
\r
133 * \param ctx The CCM context to use for encryption. This must be
\r
134 * initialized and bound to a key.
\r
135 * \param length The length of the input data in Bytes.
\r
136 * \param iv The initialization vector (nonce). This must be a readable
\r
137 * buffer of at least \p iv_len Bytes.
\r
138 * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
\r
139 * or 13. The length L of the message length field is
\r
141 * \param add The additional data field. If \p add_len is greater than
\r
142 * zero, \p add must be a readable buffer of at least that
\r
144 * \param add_len The length of additional data in Bytes.
\r
145 * This must be less than `2^16 - 2^8`.
\r
146 * \param input The buffer holding the input data. If \p length is greater
\r
147 * than zero, \p input must be a readable buffer of at least
\r
149 * \param output The buffer holding the output data. If \p length is greater
\r
150 * than zero, \p output must be a writable buffer of at least
\r
152 * \param tag The buffer holding the authentication field. This must be a
\r
153 * readable buffer of at least \p tag_len Bytes.
\r
154 * \param tag_len The length of the authentication field to generate in Bytes:
\r
155 * 4, 6, 8, 10, 12, 14 or 16.
\r
157 * \return \c 0 on success.
\r
158 * \return A CCM or cipher-specific error code on failure.
\r
160 int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
\r
161 const unsigned char *iv, size_t iv_len,
\r
162 const unsigned char *add, size_t add_len,
\r
163 const unsigned char *input, unsigned char *output,
\r
164 unsigned char *tag, size_t tag_len );
\r
167 * \brief This function encrypts a buffer using CCM*.
\r
169 * \note The tag is written to a separate buffer. To concatenate
\r
170 * the \p tag with the \p output, as done in <em>RFC-3610:
\r
171 * Counter with CBC-MAC (CCM)</em>, use
\r
172 * \p tag = \p output + \p length, and make sure that the
\r
173 * output buffer is at least \p length + \p tag_len wide.
\r
175 * \note When using this function in a variable tag length context,
\r
176 * the tag length has to be encoded into the \p iv passed to
\r
179 * \param ctx The CCM context to use for encryption. This must be
\r
180 * initialized and bound to a key.
\r
181 * \param length The length of the input data in Bytes.
\r
182 * \param iv The initialization vector (nonce). This must be a readable
\r
183 * buffer of at least \p iv_len Bytes.
\r
184 * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
\r
185 * or 13. The length L of the message length field is
\r
187 * \param add The additional data field. This must be a readable buffer of
\r
188 * at least \p add_len Bytes.
\r
189 * \param add_len The length of additional data in Bytes.
\r
190 * This must be less than 2^16 - 2^8.
\r
191 * \param input The buffer holding the input data. If \p length is greater
\r
192 * than zero, \p input must be a readable buffer of at least
\r
194 * \param output The buffer holding the output data. If \p length is greater
\r
195 * than zero, \p output must be a writable buffer of at least
\r
197 * \param tag The buffer holding the authentication field. This must be a
\r
198 * readable buffer of at least \p tag_len Bytes.
\r
199 * \param tag_len The length of the authentication field to generate in Bytes:
\r
200 * 0, 4, 6, 8, 10, 12, 14 or 16.
\r
202 * \warning Passing \c 0 as \p tag_len means that the message is no
\r
203 * longer authenticated.
\r
205 * \return \c 0 on success.
\r
206 * \return A CCM or cipher-specific error code on failure.
\r
208 int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
\r
209 const unsigned char *iv, size_t iv_len,
\r
210 const unsigned char *add, size_t add_len,
\r
211 const unsigned char *input, unsigned char *output,
\r
212 unsigned char *tag, size_t tag_len );
\r
215 * \brief This function performs a CCM authenticated decryption of a
\r
218 * \param ctx The CCM context to use for decryption. This must be
\r
219 * initialized and bound to a key.
\r
220 * \param length The length of the input data in Bytes.
\r
221 * \param iv The initialization vector (nonce). This must be a readable
\r
222 * buffer of at least \p iv_len Bytes.
\r
223 * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
\r
224 * or 13. The length L of the message length field is
\r
226 * \param add The additional data field. This must be a readable buffer
\r
227 * of at least that \p add_len Bytes..
\r
228 * \param add_len The length of additional data in Bytes.
\r
229 * This must be less than 2^16 - 2^8.
\r
230 * \param input The buffer holding the input data. If \p length is greater
\r
231 * than zero, \p input must be a readable buffer of at least
\r
233 * \param output The buffer holding the output data. If \p length is greater
\r
234 * than zero, \p output must be a writable buffer of at least
\r
236 * \param tag The buffer holding the authentication field. This must be a
\r
237 * readable buffer of at least \p tag_len Bytes.
\r
238 * \param tag_len The length of the authentication field to generate in Bytes:
\r
239 * 4, 6, 8, 10, 12, 14 or 16.
\r
241 * \return \c 0 on success. This indicates that the message is authentic.
\r
242 * \return #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
\r
243 * \return A cipher-specific error code on calculation failure.
\r
245 int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
\r
246 const unsigned char *iv, size_t iv_len,
\r
247 const unsigned char *add, size_t add_len,
\r
248 const unsigned char *input, unsigned char *output,
\r
249 const unsigned char *tag, size_t tag_len );
\r
252 * \brief This function performs a CCM* authenticated decryption of a
\r
255 * \note When using this function in a variable tag length context,
\r
256 * the tag length has to be decoded from \p iv and passed to
\r
257 * this function as \p tag_len. (\p tag needs to be adjusted
\r
260 * \param ctx The CCM context to use for decryption. This must be
\r
261 * initialized and bound to a key.
\r
262 * \param length The length of the input data in Bytes.
\r
263 * \param iv The initialization vector (nonce). This must be a readable
\r
264 * buffer of at least \p iv_len Bytes.
\r
265 * \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
\r
266 * or 13. The length L of the message length field is
\r
268 * \param add The additional data field. This must be a readable buffer of
\r
269 * at least that \p add_len Bytes.
\r
270 * \param add_len The length of additional data in Bytes.
\r
271 * This must be less than 2^16 - 2^8.
\r
272 * \param input The buffer holding the input data. If \p length is greater
\r
273 * than zero, \p input must be a readable buffer of at least
\r
275 * \param output The buffer holding the output data. If \p length is greater
\r
276 * than zero, \p output must be a writable buffer of at least
\r
278 * \param tag The buffer holding the authentication field. This must be a
\r
279 * readable buffer of at least \p tag_len Bytes.
\r
280 * \param tag_len The length of the authentication field in Bytes.
\r
281 * 0, 4, 6, 8, 10, 12, 14 or 16.
\r
283 * \warning Passing \c 0 as \p tag_len means that the message is nos
\r
284 * longer authenticated.
\r
286 * \return \c 0 on success.
\r
287 * \return #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
\r
288 * \return A cipher-specific error code on calculation failure.
\r
290 int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
\r
291 const unsigned char *iv, size_t iv_len,
\r
292 const unsigned char *add, size_t add_len,
\r
293 const unsigned char *input, unsigned char *output,
\r
294 const unsigned char *tag, size_t tag_len );
\r
296 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
\r
298 * \brief The CCM checkup routine.
\r
300 * \return \c 0 on success.
\r
301 * \return \c 1 on failure.
\r
303 int mbedtls_ccm_self_test( int verbose );
\r
304 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
\r
310 #endif /* MBEDTLS_CCM_H */
\r