Build failed only on insufficient memory and doxygen mistake:

running './dist/tools/headerguards/check.sh' x
Command output:

	--- sys/include/crypto/modes/ccm_common.h
	+++ sys/include/crypto/modes/ccm_common.h
	@@ -46,5 +46,5 @@
	 }
	 #endif
	 
	-#endif /* CRYPTO_MODES_CCM_H */
	+#endif /* CRYPTO_MODES_CCM_COMMON_H */
	 /** @} */

I'll add the boards after review:

atmega1284p
derfmega128
mega-xplained
microduino-corerf
msb-430
msb-430h

TBH, I don't quite see the point of this cipher mode.

@mtausig the OpenWSN re-integration in #13824 requires it. This mode is involved in link layer security in TSCH networks. Do you have objections?

TBH, I don't quite see the point of this cipher mode.

@mtausig the OpenWSN re-integration in #13824 requires it. This mode is involved in link layer security in TSCH networks. Do you have objections?

No, if there is a valid reason for it I'm OK with it. Maybe add a disclaimer in the documentation to prevent it from beeing used for generic encryption.

No, if there is a valid reason for it I'm OK with it. Maybe add a disclaimer in the documentation to prevent it from beeing used for generic encryption.

Added a note in the documentation

Just to double check, this is the only difference to cipher_decrypt_ccm above?
Yes and no. CCM* specifies as well that:

The nonce N shall encode the potential values for M such that one can uniquely determine from N the actually used value of M. The exact format of the nonce N is outside the scope of this specification and shall be determined and fixed by the actual implementation environment of the CCM* mode.

This part I did not address, this PR intended only to allow messages requiring only encryption. How to generate that nonce to encode M, and how to decode M from the nonce, was not required for me currently. I would address it latter if needed. But I realize this is not clear in the documentation I will add a comment.

Add more context on this in the documentation. Note that If at some point the nonce is encoded, this would depend on the application. Since this was out of scope of the specification they just use the source address, frame counter and security level, OpenWSN does something similar using source address and the ASN (absolute slot number).

Add more context on this in the documentation. Note that If at some point the nonce is encoded, this would depend on the application. Since this was out of scope of the specification they just use the source address, frame counter and security level, OpenWSN does something similar using source address and the ASN (absolute slot number).

Contiki's implementation also just receives the nonce. But let me take a second look elsewhere.

The CCM* mode extends the definition of the original CCM mode, such as to provide for confidentiality-only services, in addition to the other security service options already offered. Moreover, the CCM* mode adapts the original CCM mode such that the resulting mode can be used securely with variable-length authentication tags, rather than fixed-length authentication tags only. Thus, the CCM* mode takes away the disadvantages of the CCM mode pointed out above. For the detailed specification of the CCM* mode of operation, see Section 2.

I looked again into ccm, ccms documentation and implementations. I now think I agree with @mtausig, there is no interest in adding CCMS as this PR is constructed. Using CCMS for encryption only is not recommended security wise, so its not to be expected that upper layers would have a use for it. Only the nonce part could be of interest, but its not part of the PR. OpenWSN on its side although it uses an implementation of ccms similar to this PR (so it allows encryption only), it never uses encryption only mode, for the same security issues.

Also in the case of OpenWSN oscore or iee802154e specifies how the nonce should be computed, so there is no use case for the second feature that a CCM extension would provide. Since my main use case was the OpenWSN PR, and since it is no longer needed, I'll would like to close this PR, and split the change that adds the test and handling of input_len=0 3b4aca6.

If I come around implementing a scheme for nonce encoding, I would re-open.

Closed.