instead of two different buffers, there is just one buffer. Based upon the verification result, a mask is applied to the buffer before it is written to the output buffer.
Create two buffers of the same size as the input data.
Copy the input data to the first one and work with that version to hold the
decrypted data, zeroize the second one.
Copy depending on the verification result, either the zero-buffer or the
real plaintext to the output buffer.
The API of the function is changed (for decryption, tag is now an input
parameter). With the old API it is impossible to confirm to the NIST
specification and a timing sidechannel leak is inevitable.
CCM is only meant for packet mode where the length of the input is known in
advance. Since it is a packet mode function, CCM only had one function that
performs the protocol.
However, incremental authentication is usefull in some usecases. It also
ensure some kind of coherencies when processing with a given authentication
mode or another. To achieve this aim, this commit adds the following functions:
ccm_init()
ccm_add_aad()
cm_add_nonce()
ccm_process()
ccm_done()
ccm_reset()
as well as the data structure
ccm_state
Change-Id: I5225a42bb098708c4af07518b561bb00f85bc243
