ST STM32F423 Reference Manual page 723

RM0430
In final phase, the AES peripheral generates the CCM authentication tag and stores it in the
AES_DOUTR register:
11. Indicate the final phase, by setting to 11 the GCMPH[1:0] bitfield of the AES_CR
register. Keep as-is the encryption mode in the MODE[1:0] bitfield.
12. Write four times the last data input into the AES_DIN register. This input must be the
128-bit value CTR0, formatted from the original B0 packet (that is, 5 flag bits set to 0,
and Q length bits set to 0).
13. Wait until the end-of-computation flag CCF of the AES_SR register is set.
14. Read four times the AES_DOUTR register: the output corresponds to the encrypted
CCM authentication tag.
15. Clear the CCF flag of the AES_SR register by setting the CCFC bit of the AES_CR
register.
16. Disable the AES peripheral, by clearing the EN bit of the AES_CR register.
17. For authenticated decryption, compare the generated encrypted tag with the encrypted
tag padded in the ciphertext.
Note: In this final phase, data must be swapped according to the DATATYPE[1:0] bitfield of the
AES_CR register.
When transiting from the header phase to the final phase, the AES peripheral must not be
disabled, otherwise the result is wrong.
Application must mask the authentication tag output with tag length to obtain a valid tag.
Suspend/resume operations in CCM mode
To suspend the authentication of the associated data and payload (GCMPH[1:0]= 01),
proceed as follows. Suspending the message during the encryption/decryption phase is
described in
1. If DMA is used, stop the AES DMA transfers to the IN FIFO by clearing the DMAINEN
bit of the AES_CR register. If DMA is not used, make sure that the current computation
is completed, which is indicated by the CCF flag of the AES_SR register set to 1.
2. Clear the CCF flag of the AES_SR register, by setting to 1 the CCFC bit of the AES_CR
register.
3. Save the AES_SUSPxR registers (where x is from 0 to 7) in the memory.
4. Save the AES_IVRx registers, as during the data processing they changed from their
initial values.
5. Disable the AES peripheral, by clearing the bit EN of the AES_CR register.
6. Save the current AES configuration in the memory, excluding the initialization vector
registers AES_IVRx. Key registers do not need to be saved as the original key value is
known by the application.
7. If DMA is used, save the DMA controller status (pointers for IN data transfers, number
of remaining bytes, and so on).
Section 24.4.9: AES counter (CTR) mode on page
RM0430 Rev 8
AES hardware accelerator (AES)
710.
723/1324
743