2 * NIST SP800-38C compliant CCM implementation
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10 * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
11 * RFC 3610 "Counter with CBC-MAC (CCM)"
60 mbedtls_block_cipher_free(&ctx->block_cipher_ctx); in mbedtls_ccm_setkey()
62 if ((ret = mbedtls_block_cipher_setup(&ctx->block_cipher_ctx, cipher)) != 0) { in mbedtls_ccm_setkey()
66 if ((ret = mbedtls_block_cipher_setkey(&ctx->block_cipher_ctx, key, keybits)) != 0) { in mbedtls_ccm_setkey()
82 mbedtls_cipher_free(&ctx->cipher_ctx); in mbedtls_ccm_setkey()
84 if ((ret = mbedtls_cipher_setup(&ctx->cipher_ctx, cipher_info)) != 0) { in mbedtls_ccm_setkey()
88 if ((ret = mbedtls_cipher_setkey(&ctx->cipher_ctx, key, keybits, in mbedtls_ccm_setkey()
106 mbedtls_block_cipher_free(&ctx->block_cipher_ctx); in mbedtls_ccm_free()
108 mbedtls_cipher_free(&ctx->cipher_ctx); in mbedtls_ccm_free()
132 ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->ctr, tmp_buf); in mbedtls_ccm_crypt()
135 ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->ctr, 16, tmp_buf, &olen); in mbedtls_ccm_crypt()
138 ctx->state |= CCM_STATE__ERROR; in mbedtls_ccm_crypt()
151 ctx->state = CCM_STATE__CLEAR; in mbedtls_ccm_clear_state()
152 memset(ctx->y, 0, 16); in mbedtls_ccm_clear_state()
153 memset(ctx->ctr, 0, 16); in mbedtls_ccm_clear_state()
168 if (!(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGTHS_SET)) { in ccm_calculate_first_block_if_ready()
172 /* CCM expects non-empty tag. in ccm_calculate_first_block_if_ready()
175 if (ctx->tag_len == 0) { in ccm_calculate_first_block_if_ready()
176 if (ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT || ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) { in ccm_calculate_first_block_if_ready()
177 ctx->plaintext_len = 0; in ccm_calculate_first_block_if_ready()
186 * 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts() in ccm_calculate_first_block_if_ready()
192 * 5 .. 3 (t - 2) / 2 in ccm_calculate_first_block_if_ready()
193 * 2 .. 0 q - 1 in ccm_calculate_first_block_if_ready()
195 ctx->y[0] |= (ctx->add_len > 0) << 6; in ccm_calculate_first_block_if_ready()
196 ctx->y[0] |= ((ctx->tag_len - 2) / 2) << 3; in ccm_calculate_first_block_if_ready()
197 ctx->y[0] |= ctx->q - 1; in ccm_calculate_first_block_if_ready()
199 for (i = 0, len_left = ctx->plaintext_len; i < ctx->q; i++, len_left >>= 8) { in ccm_calculate_first_block_if_ready()
200 ctx->y[15-i] = MBEDTLS_BYTE_0(len_left); in ccm_calculate_first_block_if_ready()
204 ctx->state |= CCM_STATE__ERROR; in ccm_calculate_first_block_if_ready()
208 /* Start CBC-MAC with first block*/ in ccm_calculate_first_block_if_ready()
210 ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y); in ccm_calculate_first_block_if_ready()
212 ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen); in ccm_calculate_first_block_if_ready()
215 ctx->state |= CCM_STATE__ERROR; in ccm_calculate_first_block_if_ready()
232 ctx->mode = mode; in mbedtls_ccm_starts()
233 ctx->q = 16 - 1 - (unsigned char) iv_len; in mbedtls_ccm_starts()
243 * 2 .. 0 q - 1 in mbedtls_ccm_starts()
245 memset(ctx->ctr, 0, 16); in mbedtls_ccm_starts()
246 ctx->ctr[0] = ctx->q - 1; in mbedtls_ccm_starts()
247 memcpy(ctx->ctr + 1, iv, iv_len); in mbedtls_ccm_starts()
248 memset(ctx->ctr + 1 + iv_len, 0, ctx->q); in mbedtls_ccm_starts()
249 ctx->ctr[15] = 1; in mbedtls_ccm_starts()
254 memcpy(ctx->y + 1, iv, iv_len); in mbedtls_ccm_starts()
256 ctx->state |= CCM_STATE__STARTED; in mbedtls_ccm_starts()
266 * Check length requirements: SP800-38C A.1 in mbedtls_ccm_set_lengths()
267 * Additional requirement: a < 2^16 - 2^8 to simplify the code. in mbedtls_ccm_set_lengths()
280 ctx->plaintext_len = plaintext_len; in mbedtls_ccm_set_lengths()
281 ctx->add_len = total_ad_len; in mbedtls_ccm_set_lengths()
282 ctx->tag_len = tag_len; in mbedtls_ccm_set_lengths()
283 ctx->processed = 0; in mbedtls_ccm_set_lengths()
285 ctx->state |= CCM_STATE__LENGTHS_SET; in mbedtls_ccm_set_lengths()
299 if (ctx->state & CCM_STATE__ERROR) { in mbedtls_ccm_update_ad()
304 if (ctx->state & CCM_STATE__AUTH_DATA_FINISHED) { in mbedtls_ccm_update_ad()
308 if (!(ctx->state & CCM_STATE__AUTH_DATA_STARTED)) { in mbedtls_ccm_update_ad()
309 if (add_len > ctx->add_len) { in mbedtls_ccm_update_ad()
313 ctx->y[0] ^= (unsigned char) ((ctx->add_len >> 8) & 0xFF); in mbedtls_ccm_update_ad()
314 ctx->y[1] ^= (unsigned char) ((ctx->add_len) & 0xFF); in mbedtls_ccm_update_ad()
316 ctx->state |= CCM_STATE__AUTH_DATA_STARTED; in mbedtls_ccm_update_ad()
317 } else if (ctx->processed + add_len > ctx->add_len) { in mbedtls_ccm_update_ad()
322 offset = (ctx->processed + 2) % 16; /* account for y[0] and y[1] in mbedtls_ccm_update_ad()
324 use_len = 16 - offset; in mbedtls_ccm_update_ad()
330 mbedtls_xor(ctx->y + offset, ctx->y + offset, add, use_len); in mbedtls_ccm_update_ad()
332 ctx->processed += use_len; in mbedtls_ccm_update_ad()
333 add_len -= use_len; in mbedtls_ccm_update_ad()
336 if (use_len + offset == 16 || ctx->processed == ctx->add_len) { in mbedtls_ccm_update_ad()
338 ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y); in mbedtls_ccm_update_ad()
340 ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen); in mbedtls_ccm_update_ad()
343 ctx->state |= CCM_STATE__ERROR; in mbedtls_ccm_update_ad()
349 if (ctx->processed == ctx->add_len) { in mbedtls_ccm_update_ad()
350 ctx->state |= CCM_STATE__AUTH_DATA_FINISHED; in mbedtls_ccm_update_ad()
351 ctx->processed = 0; // prepare for mbedtls_ccm_update() in mbedtls_ccm_update_ad()
372 if (ctx->state & CCM_STATE__ERROR) { in mbedtls_ccm_update()
379 if (ctx->tag_len != 0 && ctx->processed + input_len > ctx->plaintext_len) { in mbedtls_ccm_update()
391 offset = ctx->processed % 16; in mbedtls_ccm_update()
393 use_len = 16 - offset; in mbedtls_ccm_update()
399 ctx->processed += use_len; in mbedtls_ccm_update()
401 if (ctx->mode == MBEDTLS_CCM_ENCRYPT || \ in mbedtls_ccm_update()
402 ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT) { in mbedtls_ccm_update()
403 mbedtls_xor(ctx->y + offset, ctx->y + offset, input, use_len); in mbedtls_ccm_update()
405 if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) { in mbedtls_ccm_update()
407 ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y); in mbedtls_ccm_update()
409 ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen); in mbedtls_ccm_update()
412 ctx->state |= CCM_STATE__ERROR; in mbedtls_ccm_update()
423 if (ctx->mode == MBEDTLS_CCM_DECRYPT || \ in mbedtls_ccm_update()
424 ctx->mode == MBEDTLS_CCM_STAR_DECRYPT) { in mbedtls_ccm_update()
429 * input in the XOR operation for Y. in mbedtls_ccm_update()
436 mbedtls_xor(ctx->y + offset, ctx->y + offset, local_output, use_len); in mbedtls_ccm_update()
440 if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) { in mbedtls_ccm_update()
442 ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, ctx->y, ctx->y); in mbedtls_ccm_update()
444 ret = mbedtls_cipher_update(&ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen); in mbedtls_ccm_update()
447 ctx->state |= CCM_STATE__ERROR; in mbedtls_ccm_update()
453 if (use_len + offset == 16 || ctx->processed == ctx->plaintext_len) { in mbedtls_ccm_update()
454 for (i = 0; i < ctx->q; i++) { in mbedtls_ccm_update()
455 if (++(ctx->ctr)[15-i] != 0) { in mbedtls_ccm_update()
461 input_len -= use_len; in mbedtls_ccm_update()
478 if (ctx->state & CCM_STATE__ERROR) { in mbedtls_ccm_finish()
482 if (ctx->add_len > 0 && !(ctx->state & CCM_STATE__AUTH_DATA_FINISHED)) { in mbedtls_ccm_finish()
486 if (ctx->plaintext_len > 0 && ctx->processed != ctx->plaintext_len) { in mbedtls_ccm_finish()
493 for (i = 0; i < ctx->q; i++) { in mbedtls_ccm_finish()
494 ctx->ctr[15-i] = 0; in mbedtls_ccm_finish()
497 ret = mbedtls_ccm_crypt(ctx, 0, 16, ctx->y, ctx->y); in mbedtls_ccm_finish()
502 memcpy(tag, ctx->y, tag_len); in mbedtls_ccm_finish()
575 /* Check tag in "constant-time" */ in mbedtls_ccm_compare_tags()
633 * Examples 1 to 3 from SP800-38C Appendix C
706 mbedtls_printf(" CCM-AES #%u: ", (unsigned int) i + 1); in mbedtls_ccm_self_test()