AES-CCM authenticated Encryption / Decryption

For IPsec (RFC 4309) and also for use in ZFS encryption. Generic CCM mode is described in [RFC 3610].

To set up for AES-CCM use the following process, where K (key), nonce and additional authenticated data are as described in [RFC 3610].

Encrypt:

Set the message/data length ulDataLen in the parameter block.
Set the nonce length ulNonceLen and the nonce data pNonce in the parameter block. pNonce may be NULL if ulNonceLen is 0.
Set the AAD data pAAD and size ulAADLen in the parameter block. pAAD m ay be NULL if ulAADLen is 0.
Set the MAC length ulMACLen in the parameter block.
Call C_EncryptInit() for CKM_AES_CCM mechanism with parameters and key K.
Call C_Encrypt(), or C_DecryptUpdate()*<ref name="ftn3"/> C_EncryptFinal(), for the plaintext obtaining ciphertext output obtaining the final ciphertext output and the MAC. The total length of data processed must be ulDataLen. The output length will be ulDataLen + ulMACLen. Decrypt:

Set the message/data length ulDataLen in the parameter block. This length should not include the length of the MAC that is appended to the cipher text.
Set the nonce length ulNonceLen and the nonce data pNonce in the parameter block. pNonce may be NULL if ulNonceLen is 0.
Set the AAD data pAAD and size ulAADLen in the parameter block. pAAD m ay be NULL if ulAADLen is 0.
Set the MAC length ulMACLen in the parameter block.
Call C_DecryptInit() for CKM_AES_CCM mechanism with parameters and key K.
Call C_Decrypt(), or C_DecryptUpdate()*<ref name="ftn3"/> C_DecryptFinal(), for the ciphertext, including the appended MAC, obtaining plaintext output. The total length of data processed must be ulDataLen + ulMACLen. The key type for K must be compatible with CKM_AES_ECB and the C_EncryptInit/C_DecryptInit calls shall behave, with respect to K, as if they were called directly with CKM_AES_ECB, K and NULL parameters.