TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 50a57cfac89291d55a91078e8c6c4e7578494074 / . / lib / libmbedtls / mbedtls / include / mbedtls / chachapoly.h
blob: 49e615d278fad937d2843039a69a4584ead4e1a6 [file] [log] [blame]
Jens Wiklander50a57cf2019-03-13 10:41:54 +0100[diff] [blame^]1/**
2 * \file chachapoly.h
3 *
4 * \brief This file contains the AEAD-ChaCha20-Poly1305 definitions and
5 * functions.
6 *
7 * ChaCha20-Poly1305 is an algorithm for Authenticated Encryption
8 * with Associated Data (AEAD) that can be used to encrypt and
9 * authenticate data. It is based on ChaCha20 and Poly1305 by Daniel
10 * Bernstein and was standardized in RFC 7539.
11 *
12 * \author Daniel King <damaki.gh@gmail.com>
13 */
14
15/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
16 * SPDX-License-Identifier: Apache-2.0
17 *
18 * Licensed under the Apache License, Version 2.0 (the "License"); you may
19 * not use this file except in compliance with the License.
20 * You may obtain a copy of the License at
21 *
22 * http://www.apache.org/licenses/LICENSE-2.0
23 *
24 * Unless required by applicable law or agreed to in writing, software
25 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
26 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
27 * See the License for the specific language governing permissions and
28 * limitations under the License.
29 *
30 * This file is part of Mbed TLS (https://tls.mbed.org)
31 */
32
33#ifndef MBEDTLS_CHACHAPOLY_H
34#define MBEDTLS_CHACHAPOLY_H
35
36#if !defined(MBEDTLS_CONFIG_FILE)
37#include "config.h"
38#else
39#include MBEDTLS_CONFIG_FILE
40#endif
41
42/* for shared error codes */
43#include "poly1305.h"
44
45#define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE -0x0054 /**< The requested operation is not permitted in the current state. */
46#define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED -0x0056 /**< Authenticated decryption failed: data was not authentic. */
47
48#ifdef __cplusplus
49extern "C" {
50#endif
51
52typedef enum
53{
54 MBEDTLS_CHACHAPOLY_ENCRYPT, /**< The mode value for performing encryption. */
55 MBEDTLS_CHACHAPOLY_DECRYPT /**< The mode value for performing decryption. */
56}
57mbedtls_chachapoly_mode_t;
58
59#if !defined(MBEDTLS_CHACHAPOLY_ALT)
60
61#include "chacha20.h"
62
63typedef struct mbedtls_chachapoly_context
64{
65 mbedtls_chacha20_context chacha20_ctx; /**< The ChaCha20 context. */
66 mbedtls_poly1305_context poly1305_ctx; /**< The Poly1305 context. */
67 uint64_t aad_len; /**< The length (bytes) of the Additional Authenticated Data. */
68 uint64_t ciphertext_len; /**< The length (bytes) of the ciphertext. */
69 int state; /**< The current state of the context. */
70 mbedtls_chachapoly_mode_t mode; /**< Cipher mode (encrypt or decrypt). */
71}
72mbedtls_chachapoly_context;
73
74#else /* !MBEDTLS_CHACHAPOLY_ALT */
75#include "chachapoly_alt.h"
76#endif /* !MBEDTLS_CHACHAPOLY_ALT */
77
78/**
79 * \brief This function initializes the specified ChaCha20-Poly1305 context.
80 *
81 * It must be the first API called before using
82 * the context. It must be followed by a call to
83 * \c mbedtls_chachapoly_setkey() before any operation can be
84 * done, and to \c mbedtls_chachapoly_free() once all
85 * operations with that context have been finished.
86 *
87 * In order to encrypt or decrypt full messages at once, for
88 * each message you should make a single call to
89 * \c mbedtls_chachapoly_crypt_and_tag() or
90 * \c mbedtls_chachapoly_auth_decrypt().
91 *
92 * In order to encrypt messages piecewise, for each
93 * message you should make a call to
94 * \c mbedtls_chachapoly_starts(), then 0 or more calls to
95 * \c mbedtls_chachapoly_update_aad(), then 0 or more calls to
96 * \c mbedtls_chachapoly_update(), then one call to
97 * \c mbedtls_chachapoly_finish().
98 *
99 * \warning Decryption with the piecewise API is discouraged! Always
100 * use \c mbedtls_chachapoly_auth_decrypt() when possible!
101 *
102 * If however this is not possible because the data is too
103 * large to fit in memory, you need to:
104 *
105 * - call \c mbedtls_chachapoly_starts() and (if needed)
106 * \c mbedtls_chachapoly_update_aad() as above,
107 * - call \c mbedtls_chachapoly_update() multiple times and
108 * ensure its output (the plaintext) is NOT used in any other
109 * way than placing it in temporary storage at this point,
110 * - call \c mbedtls_chachapoly_finish() to compute the
111 * authentication tag and compared it in constant time to the
112 * tag received with the ciphertext.
113 *
114 * If the tags are not equal, you must immediately discard
115 * all previous outputs of \c mbedtls_chachapoly_update(),
116 * otherwise you can now safely use the plaintext.
117 *
118 * \param ctx The ChachaPoly context to initialize. Must not be \c NULL.
119 */
120void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx );
121
122/**
123 * \brief This function releases and clears the specified
124 * ChaCha20-Poly1305 context.
125 *
126 * \param ctx The ChachaPoly context to clear. This may be \c NULL, in which
127 * case this function is a no-op.
128 */
129void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx );
130
131/**
132 * \brief This function sets the ChaCha20-Poly1305
133 * symmetric encryption key.
134 *
135 * \param ctx The ChaCha20-Poly1305 context to which the key should be
136 * bound. This must be initialized.
137 * \param key The \c 256 Bit (\c 32 Bytes) key.
138 *
139 * \return \c 0 on success.
140 * \return A negative error code on failure.
141 */
142int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
143 const unsigned char key[32] );
144
145/**
146 * \brief This function starts a ChaCha20-Poly1305 encryption or
147 * decryption operation.
148 *
149 * \warning You must never use the same nonce twice with the same key.
150 * This would void any confidentiality and authenticity
151 * guarantees for the messages encrypted with the same nonce
152 * and key.
153 *
154 * \note If the context is being used for AAD only (no data to
155 * encrypt or decrypt) then \p mode can be set to any value.
156 *
157 * \warning Decryption with the piecewise API is discouraged, see the
158 * warning on \c mbedtls_chachapoly_init().
159 *
160 * \param ctx The ChaCha20-Poly1305 context. This must be initialized
161 * and bound to a key.
162 * \param nonce The nonce/IV to use for the message.
163 * This must be a redable buffer of length \c 12 Bytes.
164 * \param mode The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
165 * #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
166 *
167 * \return \c 0 on success.
168 * \return A negative error code on failure.
169 */
170int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
171 const unsigned char nonce[12],
172 mbedtls_chachapoly_mode_t mode );
173
174/**
175 * \brief This function feeds additional data to be authenticated
176 * into an ongoing ChaCha20-Poly1305 operation.
177 *
178 * The Additional Authenticated Data (AAD), also called
179 * Associated Data (AD) is only authenticated but not
180 * encrypted nor included in the encrypted output. It is
181 * usually transmitted separately from the ciphertext or
182 * computed locally by each party.
183 *
184 * \note This function is called before data is encrypted/decrypted.
185 * I.e. call this function to process the AAD before calling
186 * \c mbedtls_chachapoly_update().
187 *
188 * You may call this function multiple times to process
189 * an arbitrary amount of AAD. It is permitted to call
190 * this function 0 times, if no AAD is used.
191 *
192 * This function cannot be called any more if data has
193 * been processed by \c mbedtls_chachapoly_update(),
194 * or if the context has been finished.
195 *
196 * \warning Decryption with the piecewise API is discouraged, see the
197 * warning on \c mbedtls_chachapoly_init().
198 *
199 * \param ctx The ChaCha20-Poly1305 context. This must be initialized
200 * and bound to a key.
201 * \param aad_len The length in Bytes of the AAD. The length has no
202 * restrictions.
203 * \param aad Buffer containing the AAD.
204 * This pointer can be \c NULL if `aad_len == 0`.
205 *
206 * \return \c 0 on success.
207 * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
208 * if \p ctx or \p aad are NULL.
209 * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
210 * if the operations has not been started or has been
211 * finished, or if the AAD has been finished.
212 */
213int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
214 const unsigned char *aad,
215 size_t aad_len );
216
217/**
218 * \brief Thus function feeds data to be encrypted or decrypted
219 * into an on-going ChaCha20-Poly1305
220 * operation.
221 *
222 * The direction (encryption or decryption) depends on the
223 * mode that was given when calling
224 * \c mbedtls_chachapoly_starts().
225 *
226 * You may call this function multiple times to process
227 * an arbitrary amount of data. It is permitted to call
228 * this function 0 times, if no data is to be encrypted
229 * or decrypted.
230 *
231 * \warning Decryption with the piecewise API is discouraged, see the
232 * warning on \c mbedtls_chachapoly_init().
233 *
234 * \param ctx The ChaCha20-Poly1305 context to use. This must be initialized.
235 * \param len The length (in bytes) of the data to encrypt or decrypt.
236 * \param input The buffer containing the data to encrypt or decrypt.
237 * This pointer can be \c NULL if `len == 0`.
238 * \param output The buffer to where the encrypted or decrypted data is
239 * written. This must be able to hold \p len bytes.
240 * This pointer can be \c NULL if `len == 0`.
241 *
242 * \return \c 0 on success.
243 * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
244 * if the operation has not been started or has been
245 * finished.
246 * \return Another negative error code on other kinds of failure.
247 */
248int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
249 size_t len,
250 const unsigned char *input,
251 unsigned char *output );
252
253/**
254 * \brief This function finished the ChaCha20-Poly1305 operation and
255 * generates the MAC (authentication tag).
256 *
257 * \param ctx The ChaCha20-Poly1305 context to use. This must be initialized.
258 * \param mac The buffer to where the 128-bit (16 bytes) MAC is written.
259 *
260 * \warning Decryption with the piecewise API is discouraged, see the
261 * warning on \c mbedtls_chachapoly_init().
262 *
263 * \return \c 0 on success.
264 * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
265 * if the operation has not been started or has been
266 * finished.
267 * \return Another negative error code on other kinds of failure.
268 */
269int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
270 unsigned char mac[16] );
271
272/**
273 * \brief This function performs a complete ChaCha20-Poly1305
274 * authenticated encryption with the previously-set key.
275 *
276 * \note Before using this function, you must set the key with
277 * \c mbedtls_chachapoly_setkey().
278 *
279 * \warning You must never use the same nonce twice with the same key.
280 * This would void any confidentiality and authenticity
281 * guarantees for the messages encrypted with the same nonce
282 * and key.
283 *
284 * \param ctx The ChaCha20-Poly1305 context to use (holds the key).
285 * This must be initialized.
286 * \param length The length (in bytes) of the data to encrypt or decrypt.
287 * \param nonce The 96-bit (12 bytes) nonce/IV to use.
288 * \param aad The buffer containing the additional authenticated
289 * data (AAD). This pointer can be \c NULL if `aad_len == 0`.
290 * \param aad_len The length (in bytes) of the AAD data to process.
291 * \param input The buffer containing the data to encrypt or decrypt.
292 * This pointer can be \c NULL if `ilen == 0`.
293 * \param output The buffer to where the encrypted or decrypted data
294 * is written. This pointer can be \c NULL if `ilen == 0`.
295 * \param tag The buffer to where the computed 128-bit (16 bytes) MAC
296 * is written. This must not be \c NULL.
297 *
298 * \return \c 0 on success.
299 * \return A negative error code on failure.
300 */
301int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
302 size_t length,
303 const unsigned char nonce[12],
304 const unsigned char *aad,
305 size_t aad_len,
306 const unsigned char *input,
307 unsigned char *output,
308 unsigned char tag[16] );
309
310/**
311 * \brief This function performs a complete ChaCha20-Poly1305
312 * authenticated decryption with the previously-set key.
313 *
314 * \note Before using this function, you must set the key with
315 * \c mbedtls_chachapoly_setkey().
316 *
317 * \param ctx The ChaCha20-Poly1305 context to use (holds the key).
318 * \param length The length (in Bytes) of the data to decrypt.
319 * \param nonce The \c 96 Bit (\c 12 bytes) nonce/IV to use.
320 * \param aad The buffer containing the additional authenticated data (AAD).
321 * This pointer can be \c NULL if `aad_len == 0`.
322 * \param aad_len The length (in bytes) of the AAD data to process.
323 * \param tag The buffer holding the authentication tag.
324 * This must be a readable buffer of length \c 16 Bytes.
325 * \param input The buffer containing the data to decrypt.
326 * This pointer can be \c NULL if `ilen == 0`.
327 * \param output The buffer to where the decrypted data is written.
328 * This pointer can be \c NULL if `ilen == 0`.
329 *
330 * \return \c 0 on success.
331 * \return #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
332 * if the data was not authentic.
333 * \return Another negative error code on other kinds of failure.
334 */
335int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
336 size_t length,
337 const unsigned char nonce[12],
338 const unsigned char *aad,
339 size_t aad_len,
340 const unsigned char tag[16],
341 const unsigned char *input,
342 unsigned char *output );
343
344#if defined(MBEDTLS_SELF_TEST)
345/**
346 * \brief The ChaCha20-Poly1305 checkup routine.
347 *
348 * \return \c 0 on success.
349 * \return \c 1 on failure.
350 */
351int mbedtls_chachapoly_self_test( int verbose );
352#endif /* MBEDTLS_SELF_TEST */
353
354#ifdef __cplusplus
355}
356#endif
357
358#endif /* MBEDTLS_CHACHAPOLY_H */