1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

//! A pure-Rust, `#![no_std]`, zero-allocation AES-CCM implementation ported
//! from [TinyCrypt] using [RustCrypto's AES].
//!
//! ## Overview
//! CCM (for "Counter with CBC-MAC") mode is a NIST approved mode of operation
//! defined in [SP 800-38C].
//!
//! This implementation accepts:
//! 1. Both non-empty payload and associated data (it encrypts and
//!    authenticates the payload and also authenticates the associated data).
//! 2. Non-empty payload and empty associated data (it encrypts and
//!    authenticates the payload).
//! 3. Non-empty associated data and empty payload (it degenerates to an
//!    authentication mode on the associated data).
//!
//! The implementation accepts payloads of any length between 0 and 2^16 bytes
//! and associated data of any length between 0 and (2^16 - 2^8) bytes.
//!
//! ## Usage
//! ```rust
//! use aes_ccm::CcmMode;
//!
//! let key = [
//!     0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7, 0xC8, 0xC9, 0xCA,
//!     0xCB, 0xCC, 0xCD, 0xCE, 0xCF,
//! ];
//! let nonce = [
//!     0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, 0xA0, 0xA1, 0xA2, 0xA3,
//!     0xA4, 0xA5,
//! ];
//! let ccm = CcmMode::new(&key, nonce, 8).unwrap();
//!
//! let mut ciphertext_buf = [0u8; 50];
//! let payload = [
//!     0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12,
//!     0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D,
//!     0x1E,
//! ];
//! let associated_data = [0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07];
//! let ciphertext = ccm
//!     .generate_encrypt(&mut ciphertext_buf, &associated_data, &payload)
//!     .unwrap();
//!
//! let mut plaintext_buf = [0u8; 50];
//! let plaintext = ccm
//!     .decrypt_verify(&mut plaintext_buf, &associated_data, &ciphertext)
//!     .unwrap();
//! assert_eq!(&payload, plaintext);
//! ```
//!
//! ## Security
//! I'm not a cryptographer and this hasn't been audited in any way.
//! It is however a careful port of [TinyCrypt], so if it's sound, then this
//! *should* be too.
//!
//! The MAC length parameter is an important parameter to estimate the security
//! against collision attacks (that aim at finding different messages that
//! produce the same authentication tag).
//! The implementation accepts any even integer between 4 and 16, as suggested
//! in [SP 800-38C].
//!
//! [RFC 3610], which also specifies CCM, presents a few relevant security
//! suggestions, such as:
//! * It is recommended that most applications use a MAC length greater than 8.
//! * The usage of the same nonce for two different messages which are
//!   encrypted with the same key destroys the security of CCM mode.
//!
//! [TinyCrypt]: https://github.com/intel/tinycrypt
//! [RustCrypto's AES]: https://github.com/RustCrypto/block-ciphers
//! [SP 800-38C]: https://csrc.nist.gov/publications/detail/sp/800-38c/final
//! [RFC 3610]: https://tools.ietf.org/html/rfc3610

#![cfg_attr(not(feature = "std"), no_std)]

#[cfg(test)]
#[macro_use]
extern crate hex_literal;

mod ccm;
#[cfg_attr(tarpaulin, skip)]
mod error;

pub use ccm::CcmMode;
pub use error::Error;