Refactor to prepare for CCM decryption

include/polarssl/ccm.h

@@ -84,19 +84,43 @@ void ccm_free( ccm_context *ctx );
  * \param tag_len   length of the tag to generate in bytes
  *                  must be 4, 6, 8, 10, 14 or 16
  *
- * \note            The tag is written to a separete buffer. To get the tag
+ * \note            The tag is written to a separate buffer. To get the tag
  *                  concatenated with the output as in the CCM spec, use
  *                  tag = output + length and make sure the output buffer is
  *                  at least length + tag_len wide.
  *
  * \return          0 if successful
  */
-int ccm_crypt_and_tag( ccm_context *ctx, size_t length,
+int ccm_encrypt_and_tag( ccm_context *ctx, size_t length,
                          const unsigned char *iv, size_t iv_len,
                          const unsigned char *add, size_t add_len,
                          const unsigned char *input, unsigned char *output,
                          unsigned char *tag, size_t tag_len );
 
+/**
+ * \brief           CCM buffer authenticated decryption
+ *
+ * \todo            Document if input/output buffers can be the same
+ *
+ * \param ctx       CCM context
+ * \param length    length of the input data
+ * \param iv        initialization vector
+ * \param iv_len    length of IV
+ * \param add       additional data
+ * \param add_len   length of additional data
+ * \param input     buffer holding the input data
+ * \param output    buffer for holding the output data
+ * \param tag       buffer holding the tag
+ * \param tag_len   length of the tag
+ *
+ * \return         0 if successful and authenticated,
+ *                 POLARSSL_ERR_CCM_AUTH_FAILED if tag does not match
+ */
+int ccm_auth_decrypt( ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len );
 
 #if defined(POLARSSL_SELF_TEST) && defined(POLARSSL_AES_C)
 /**

library/ccm.c

@@ -42,6 +42,9 @@
 
 #include "polarssl/ccm.h"
 
+#define CCM_ENCRYPT 0
+#define CCM_DECRYPT 1
+
 /*
  * Initialize context
  */
@@ -110,9 +113,9 @@ void ccm_free( ccm_context *ctx )
 }
 
 /*
- * Authenticated encryption
+ * Authenticated encryption or decryption
  */
-int ccm_crypt_and_tag( ccm_context *ctx, size_t length,
+static int ccm_auth_crypt( ccm_context *ctx, int mode, size_t length,
                            const unsigned char *iv, size_t iv_len,
                            const unsigned char *add, size_t add_len,
                            const unsigned char *input, unsigned char *output,
@@ -143,6 +146,9 @@ int ccm_crypt_and_tag( ccm_context *ctx, size_t length,
     if( add_len > 0xFF00 )
         return( POLARSSL_ERR_CCM_BAD_INPUT );
 
+    if( mode != CCM_ENCRYPT )
+        return( POLARSSL_ERR_CCM_BAD_INPUT ); /* Not implemented yet */
+
     /*
      * First block B_0:
      * 0        .. 0        flags
@@ -281,6 +287,53 @@ int ccm_crypt_and_tag( ccm_context *ctx, size_t length,
     return( 0 );
 }
 
+/*
+ * Authenticated encryption
+ */
+int ccm_encrypt_and_tag( ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len )
+{
+    return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len,
+                            add, add_len, input, output, tag, tag_len ) );
+}
+
+/*
+ * Authenticated decryption
+ */
+int ccm_auth_decrypt( ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len )
+{
+    int ret;
+    unsigned char check_tag[16];
+    unsigned char i;
+    int diff;
+
+    if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length,
+                                iv, iv_len, add, add_len,
+                                input, output, check_tag, tag_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* Check tag in "constant-time" */
+    for( diff = 0, i = 0; i < tag_len; i++ )
+        diff |= tag[i] ^ check_tag[i];
+
+    if( diff != 0 )
+    {
+        memset( output, 0, length );
+        return( POLARSSL_ERR_CCM_AUTH_FAILED );
+    }
+
+    return( 0 );
+}
+
 
 #if defined(POLARSSL_SELF_TEST) && defined(POLARSSL_AES_C)
 
@@ -357,7 +410,7 @@ int ccm_self_test( int verbose )
         if( verbose != 0 )
             polarssl_printf( "  CCM-AES #%u: ", (unsigned int) i + 1 );
 
-        ret =  ccm_crypt_and_tag( &ctx, msg_len[i],
+        ret =  ccm_encrypt_and_tag( &ctx, msg_len[i],
                                     iv, iv_len[i], ad, add_len[i],
                                     msg, out,
                                     out + msg_len[i], tag_len[i] );

tests/suites/test_suite_ccm.function

@@ -62,7 +62,7 @@ void ccm_encrypt_and_tag( int cipher_id,
 
     TEST_ASSERT( ccm_init( &ctx, cipher_id, key, key_len * 8 ) == 0 );
 
-    TEST_ASSERT( ccm_crypt_and_tag( &ctx, msg_len, iv, iv_len, add, add_len,
+    TEST_ASSERT( ccm_encrypt_and_tag( &ctx, msg_len, iv, iv_len, add, add_len,
                  msg, output, output + msg_len, tag_len ) == 0 );
 
     TEST_ASSERT( memcmp( output, result, result_len ) == 0 );