diff --git a/include/polarssl/ccm.h b/include/polarssl/ccm.h index de2908352..50e0b1cc0 100644 --- a/include/polarssl/ccm.h +++ b/include/polarssl/ccm.h @@ -84,19 +84,43 @@ void ccm_free( ccm_context *ctx ); * \param tag_len length of the tag to generate in bytes * must be 4, 6, 8, 10, 14 or 16 * - * \note The tag is written to a separete buffer. To get the tag + * \note The tag is written to a separate buffer. To get the tag * concatenated with the output as in the CCM spec, use * tag = output + length and make sure the output buffer is * at least length + tag_len wide. * * \return 0 if successful */ -int ccm_crypt_and_tag( ccm_context *ctx, size_t length, - const unsigned char *iv, size_t iv_len, - const unsigned char *add, size_t add_len, - const unsigned char *input, unsigned char *output, - unsigned char *tag, size_t tag_len ); +int ccm_encrypt_and_tag( ccm_context *ctx, size_t length, + const unsigned char *iv, size_t iv_len, + const unsigned char *add, size_t add_len, + const unsigned char *input, unsigned char *output, + unsigned char *tag, size_t tag_len ); +/** + * \brief CCM buffer authenticated decryption + * + * \todo Document if input/output buffers can be the same + * + * \param ctx CCM context + * \param length length of the input data + * \param iv initialization vector + * \param iv_len length of IV + * \param add additional data + * \param add_len length of additional data + * \param input buffer holding the input data + * \param output buffer for holding the output data + * \param tag buffer holding the tag + * \param tag_len length of the tag + * + * \return 0 if successful and authenticated, + * POLARSSL_ERR_CCM_AUTH_FAILED if tag does not match + */ +int ccm_auth_decrypt( ccm_context *ctx, size_t length, + const unsigned char *iv, size_t iv_len, + const unsigned char *add, size_t add_len, + const unsigned char *input, unsigned char *output, + const unsigned char *tag, size_t tag_len ); #if defined(POLARSSL_SELF_TEST) && defined(POLARSSL_AES_C) /** diff --git a/library/ccm.c b/library/ccm.c index 4a8decf5b..399b9fe7d 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -42,6 +42,9 @@ #include "polarssl/ccm.h" +#define CCM_ENCRYPT 0 +#define CCM_DECRYPT 1 + /* * Initialize context */ @@ -110,13 +113,13 @@ void ccm_free( ccm_context *ctx ) } /* - * Authenticated encryption + * Authenticated encryption or decryption */ -int ccm_crypt_and_tag( ccm_context *ctx, size_t length, - const unsigned char *iv, size_t iv_len, - const unsigned char *add, size_t add_len, - const unsigned char *input, unsigned char *output, - unsigned char *tag, size_t tag_len ) +static int ccm_auth_crypt( ccm_context *ctx, int mode, size_t length, + const unsigned char *iv, size_t iv_len, + const unsigned char *add, size_t add_len, + const unsigned char *input, unsigned char *output, + unsigned char *tag, size_t tag_len ) { int ret; unsigned char i; @@ -143,6 +146,9 @@ int ccm_crypt_and_tag( ccm_context *ctx, size_t length, if( add_len > 0xFF00 ) return( POLARSSL_ERR_CCM_BAD_INPUT ); + if( mode != CCM_ENCRYPT ) + return( POLARSSL_ERR_CCM_BAD_INPUT ); /* Not implemented yet */ + /* * First block B_0: * 0 .. 0 flags @@ -281,6 +287,53 @@ int ccm_crypt_and_tag( ccm_context *ctx, size_t length, return( 0 ); } +/* + * Authenticated encryption + */ +int ccm_encrypt_and_tag( ccm_context *ctx, size_t length, + const unsigned char *iv, size_t iv_len, + const unsigned char *add, size_t add_len, + const unsigned char *input, unsigned char *output, + unsigned char *tag, size_t tag_len ) +{ + return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len, + add, add_len, input, output, tag, tag_len ) ); +} + +/* + * Authenticated decryption + */ +int ccm_auth_decrypt( ccm_context *ctx, size_t length, + const unsigned char *iv, size_t iv_len, + const unsigned char *add, size_t add_len, + const unsigned char *input, unsigned char *output, + const unsigned char *tag, size_t tag_len ) +{ + int ret; + unsigned char check_tag[16]; + unsigned char i; + int diff; + + if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length, + iv, iv_len, add, add_len, + input, output, check_tag, tag_len ) ) != 0 ) + { + return( ret ); + } + + /* Check tag in "constant-time" */ + for( diff = 0, i = 0; i < tag_len; i++ ) + diff |= tag[i] ^ check_tag[i]; + + if( diff != 0 ) + { + memset( output, 0, length ); + return( POLARSSL_ERR_CCM_AUTH_FAILED ); + } + + return( 0 ); +} + #if defined(POLARSSL_SELF_TEST) && defined(POLARSSL_AES_C) @@ -357,10 +410,10 @@ int ccm_self_test( int verbose ) if( verbose != 0 ) polarssl_printf( " CCM-AES #%u: ", (unsigned int) i + 1 ); - ret = ccm_crypt_and_tag( &ctx, msg_len[i], - iv, iv_len[i], ad, add_len[i], - msg, out, - out + msg_len[i], tag_len[i] ); + ret = ccm_encrypt_and_tag( &ctx, msg_len[i], + iv, iv_len[i], ad, add_len[i], + msg, out, + out + msg_len[i], tag_len[i] ); if( ret != 0 || memcmp( out, res[i], msg_len[i] + tag_len[i] ) != 0 ) diff --git a/tests/suites/test_suite_ccm.function b/tests/suites/test_suite_ccm.function index 3e97abad6..dda0b9029 100644 --- a/tests/suites/test_suite_ccm.function +++ b/tests/suites/test_suite_ccm.function @@ -62,7 +62,7 @@ void ccm_encrypt_and_tag( int cipher_id, TEST_ASSERT( ccm_init( &ctx, cipher_id, key, key_len * 8 ) == 0 ); - TEST_ASSERT( ccm_crypt_and_tag( &ctx, msg_len, iv, iv_len, add, add_len, + TEST_ASSERT( ccm_encrypt_and_tag( &ctx, msg_len, iv, iv_len, add, add_len, msg, output, output + msg_len, tag_len ) == 0 ); TEST_ASSERT( memcmp( output, result, result_len ) == 0 );