Blame - interface/include/mbedtls/ccm.h - TF-M/trusted-firmware-m

Antonio de Angelis

8bb9851

2024-01-16 14:13:36 +0000

[diff] [blame]

/**

* \file ccm.h

*

* \brief This file provides an API for the CCM authenticated encryption

5

* mode for block ciphers.

6

*

7

* CCM combines Counter mode encryption with CBC-MAC authentication

8

* for 128-bit block ciphers.

9

*

10

* Input to CCM includes the following elements:

11

* <ul><li>Payload - data that is both authenticated and encrypted.</li>

12

* <li>Associated data (Adata) - data that is authenticated but not

13

* encrypted, For example, a header.</li>

14

* <li>Nonce - A unique value that is assigned to the payload and the

15

* associated data.</li></ul>

16

*

17

* Definition of CCM:

18

* http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf

19

* RFC 3610 "Counter with CBC-MAC (CCM)"

20

*

21

* Related:

22

* RFC 5116 "An Interface and Algorithms for Authenticated Encryption"

23

*

24

* Definition of CCM*:

25

* IEEE 802.15.4 - IEEE Standard for Local and metropolitan area networks

26

* Integer representation is fixed most-significant-octet-first order and

27

* the representation of octets is most-significant-bit-first order. This is

28

* consistent with RFC 3610.

29

*/

30

/*

31

* Copyright The Mbed TLS Contributors

32

* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later

33

*/

34

35

#ifndef MBEDTLS_CCM_H

36

#define MBEDTLS_CCM_H

37

#include "mbedtls/private_access.h"

38

39

#include "mbedtls/build_info.h"

40

41

#include "mbedtls/cipher.h"

42

43

#if defined(MBEDTLS_BLOCK_CIPHER_C)

44

#include "mbedtls/block_cipher.h"

45

#endif

46

47

#define MBEDTLS_CCM_DECRYPT 0

48

#define MBEDTLS_CCM_ENCRYPT 1

49

#define MBEDTLS_CCM_STAR_DECRYPT 2

50

#define MBEDTLS_CCM_STAR_ENCRYPT 3

51

52

/** Bad input parameters to the function. */

53

#define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D

54

/** Authenticated decryption failed. */

55

#define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F

#ifdef __cplusplus

extern "C" {

#endif

#if !defined(MBEDTLS_CCM_ALT)

62

// Regular implementation

//

/**

* \brief The CCM context-type definition. The CCM context is passed

67

* to the APIs called.

68

*/

69

typedef struct mbedtls_ccm_context {

70

unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working buffer */

71

unsigned char MBEDTLS_PRIVATE(ctr)[16]; /*!< The counter buffer */

72

size_t MBEDTLS_PRIVATE(plaintext_len); /*!< Total plaintext length */

73

size_t MBEDTLS_PRIVATE(add_len); /*!< Total authentication data length */

74

size_t MBEDTLS_PRIVATE(tag_len); /*!< Total tag length */

75

size_t MBEDTLS_PRIVATE(processed); /*!< Track how many bytes of input data

76

were processed (chunked input).

77

Used independently for both auth data

78

and plaintext/ciphertext.

79

This variable is set to zero after

80

auth data input is finished. */

81

unsigned int MBEDTLS_PRIVATE(q); /*!< The Q working value */

82

unsigned int MBEDTLS_PRIVATE(mode); /*!< The operation to perform:

83

#MBEDTLS_CCM_ENCRYPT or

84

#MBEDTLS_CCM_DECRYPT or

85

#MBEDTLS_CCM_STAR_ENCRYPT or

86

#MBEDTLS_CCM_STAR_DECRYPT. */

87

#if defined(MBEDTLS_BLOCK_CIPHER_C)

88

mbedtls_block_cipher_context_t MBEDTLS_PRIVATE(block_cipher_ctx); /*!< The cipher context used. */

89

#else

90

mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */

91

#endif

92

int MBEDTLS_PRIVATE(state); /*!< Working value holding context's

93

state. Used for chunked data input */

}

mbedtls_ccm_context;

#else /* MBEDTLS_CCM_ALT */

98

#include "ccm_alt.h"

99

#endif /* MBEDTLS_CCM_ALT */

100

101

/**

102

* \brief This function initializes the specified CCM context,

103

* to make references valid, and prepare the context

104

* for mbedtls_ccm_setkey() or mbedtls_ccm_free().

105

*

106

* \param ctx The CCM context to initialize. This must not be \c NULL.

107

*/

108

void mbedtls_ccm_init(mbedtls_ccm_context *ctx);

109

110

/**

111

* \brief This function initializes the CCM context set in the

112

* \p ctx parameter and sets the encryption key.

113

*

114

* \param ctx The CCM context to initialize. This must be an initialized

115

* context.

116

* \param cipher The 128-bit block cipher to use.

117

* \param key The encryption key. This must not be \c NULL.

118

* \param keybits The key size in bits. This must be acceptable by the cipher.

119

*

120

* \return \c 0 on success.

121

* \return A CCM or cipher-specific error code on failure.

122

*/

123

int mbedtls_ccm_setkey(mbedtls_ccm_context *ctx,

124

mbedtls_cipher_id_t cipher,

125

const unsigned char *key,

126

unsigned int keybits);

127

128

/**

129

* \brief This function releases and clears the specified CCM context

130

* and underlying cipher sub-context.

131

*

132

* \param ctx The CCM context to clear. If this is \c NULL, the function

133

* has no effect. Otherwise, this must be initialized.

134

*/

135

void mbedtls_ccm_free(mbedtls_ccm_context *ctx);

136

137

/**

138

* \brief This function encrypts a buffer using CCM.

139

*

140

* \note The tag is written to a separate buffer. To concatenate

141

* the \p tag with the \p output, as done in <em>RFC-3610:

142

* Counter with CBC-MAC (CCM)</em>, use

143

* \p tag = \p output + \p length, and make sure that the

144

* output buffer is at least \p length + \p tag_len wide.

145

*

146

* \param ctx The CCM context to use for encryption. This must be

147

* initialized and bound to a key.

148

* \param length The length of the input data in Bytes.

149

* \param iv The initialization vector (nonce). This must be a readable

150

* buffer of at least \p iv_len Bytes.

151

* \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,

152

* or 13. The length L of the message length field is

153

* 15 - \p iv_len.

154

* \param ad The additional data field. If \p ad_len is greater than

155

* zero, \p ad must be a readable buffer of at least that

156

* length.

157

* \param ad_len The length of additional data in Bytes.

158

* This must be less than `2^16 - 2^8`.

159

* \param input The buffer holding the input data. If \p length is greater

160

* than zero, \p input must be a readable buffer of at least

161

* that length.

162

* \param output The buffer holding the output data. If \p length is greater

163

* than zero, \p output must be a writable buffer of at least

164

* that length.

165

* \param tag The buffer holding the authentication field. This must be a

166

* writable buffer of at least \p tag_len Bytes.

167

* \param tag_len The length of the authentication field to generate in Bytes:

168

* 4, 6, 8, 10, 12, 14 or 16.

169

*

170

* \return \c 0 on success.

171

* \return A CCM or cipher-specific error code on failure.

172

*/

173

int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,

174

const unsigned char *iv, size_t iv_len,

175

const unsigned char *ad, size_t ad_len,

176

const unsigned char *input, unsigned char *output,

177

unsigned char *tag, size_t tag_len);

178

179

/**

180

* \brief This function encrypts a buffer using CCM*.

181

*

182

* \note The tag is written to a separate buffer. To concatenate

183

* the \p tag with the \p output, as done in <em>RFC-3610:

184

* Counter with CBC-MAC (CCM)</em>, use

185

* \p tag = \p output + \p length, and make sure that the

186

* output buffer is at least \p length + \p tag_len wide.

187

*

188

* \note When using this function in a variable tag length context,

189

* the tag length has to be encoded into the \p iv passed to

190

* this function.

191

*

192

* \param ctx The CCM context to use for encryption. This must be

193

* initialized and bound to a key.

194

* \param length The length of the input data in Bytes.

195

* For tag length = 0, input length is ignored.

196

* \param iv The initialization vector (nonce). This must be a readable

197

* buffer of at least \p iv_len Bytes.

198

* \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,

199

* or 13. The length L of the message length field is

200

* 15 - \p iv_len.

201

* \param ad The additional data field. This must be a readable buffer of

202

* at least \p ad_len Bytes.

203

* \param ad_len The length of additional data in Bytes.

204

* This must be less than 2^16 - 2^8.

205

* \param input The buffer holding the input data. If \p length is greater

206

* than zero, \p input must be a readable buffer of at least

207

* that length.

208

* \param output The buffer holding the output data. If \p length is greater

209

* than zero, \p output must be a writable buffer of at least

210

* that length.

211

* \param tag The buffer holding the authentication field. This must be a

212

* writable buffer of at least \p tag_len Bytes.

213

* \param tag_len The length of the authentication field to generate in Bytes:

214

* 0, 4, 6, 8, 10, 12, 14 or 16.

215

*

216

* \warning Passing \c 0 as \p tag_len means that the message is no

217

* longer authenticated.

218

*

219

* \return \c 0 on success.

220

* \return A CCM or cipher-specific error code on failure.

221

*/

222

int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,

223

const unsigned char *iv, size_t iv_len,

224

const unsigned char *ad, size_t ad_len,

225

const unsigned char *input, unsigned char *output,

226

unsigned char *tag, size_t tag_len);

227

228

/**

229

* \brief This function performs a CCM authenticated decryption of a

230

* buffer.

231

*

232

* \param ctx The CCM context to use for decryption. This must be

233

* initialized and bound to a key.

234

* \param length The length of the input data in Bytes.

235

* \param iv The initialization vector (nonce). This must be a readable

236

* buffer of at least \p iv_len Bytes.

237

* \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,

238

* or 13. The length L of the message length field is

239

* 15 - \p iv_len.

240

* \param ad The additional data field. This must be a readable buffer

241

* of at least that \p ad_len Bytes..

242

* \param ad_len The length of additional data in Bytes.

243

* This must be less than 2^16 - 2^8.

244

* \param input The buffer holding the input data. If \p length is greater

245

* than zero, \p input must be a readable buffer of at least

246

* that length.

247

* \param output The buffer holding the output data. If \p length is greater

248

* than zero, \p output must be a writable buffer of at least

249

* that length.

250

* \param tag The buffer holding the authentication field. This must be a

251

* readable buffer of at least \p tag_len Bytes.

252

* \param tag_len The length of the authentication field to generate in Bytes:

253

* 4, 6, 8, 10, 12, 14 or 16.

254

*

255

* \return \c 0 on success. This indicates that the message is authentic.

256

* \return #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.

257

* \return A cipher-specific error code on calculation failure.

258

*/

259

int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,

260

const unsigned char *iv, size_t iv_len,

261

const unsigned char *ad, size_t ad_len,

262

const unsigned char *input, unsigned char *output,

263

const unsigned char *tag, size_t tag_len);

264

265

/**

266

* \brief This function performs a CCM* authenticated decryption of a

267

* buffer.

268

*

269

* \note When using this function in a variable tag length context,

270

* the tag length has to be decoded from \p iv and passed to

271

* this function as \p tag_len. (\p tag needs to be adjusted

272

* accordingly.)

273

*

274

* \param ctx The CCM context to use for decryption. This must be

275

* initialized and bound to a key.

276

* \param length The length of the input data in Bytes.

277

* For tag length = 0, input length is ignored.

278

* \param iv The initialization vector (nonce). This must be a readable

279

* buffer of at least \p iv_len Bytes.

280

* \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,

281

* or 13. The length L of the message length field is

282

* 15 - \p iv_len.

283

* \param ad The additional data field. This must be a readable buffer of

284

* at least that \p ad_len Bytes.

285

* \param ad_len The length of additional data in Bytes.

286

* This must be less than 2^16 - 2^8.

287

* \param input The buffer holding the input data. If \p length is greater

288

* than zero, \p input must be a readable buffer of at least

289

* that length.

290

* \param output The buffer holding the output data. If \p length is greater

291

* than zero, \p output must be a writable buffer of at least

292

* that length.

293

* \param tag The buffer holding the authentication field. This must be a

294

* readable buffer of at least \p tag_len Bytes.

295

* \param tag_len The length of the authentication field in Bytes.

296

* 0, 4, 6, 8, 10, 12, 14 or 16.

297

*

298

* \warning Passing \c 0 as \p tag_len means that the message is nos

299

* longer authenticated.

300

*

301

* \return \c 0 on success.

302

* \return #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.

303

* \return A cipher-specific error code on calculation failure.

304

*/

305

int mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,

306

const unsigned char *iv, size_t iv_len,

307

const unsigned char *ad, size_t ad_len,

308

const unsigned char *input, unsigned char *output,

309

const unsigned char *tag, size_t tag_len);

310

311

/**

312

* \brief This function starts a CCM encryption or decryption

313

* operation.

314

*

315

* This function and mbedtls_ccm_set_lengths() must be called

316

* before calling mbedtls_ccm_update_ad() or

317

* mbedtls_ccm_update(). This function can be called before

318

* or after mbedtls_ccm_set_lengths().

319

*

320

* \note This function is not implemented in Mbed TLS yet.

321

*

322

* \param ctx The CCM context. This must be initialized.

323

* \param mode The operation to perform: #MBEDTLS_CCM_ENCRYPT or

324

* #MBEDTLS_CCM_DECRYPT or #MBEDTLS_CCM_STAR_ENCRYPT or

325

* #MBEDTLS_CCM_STAR_DECRYPT.

326

* \param iv The initialization vector. This must be a readable buffer

327

* of at least \p iv_len Bytes.

328

* \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,

329

* or 13. The length L of the message length field is

330

* 15 - \p iv_len.

331

*

332

* \return \c 0 on success.

333

* \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:

334

* \p ctx is in an invalid state,

335

* \p mode is invalid,

336

* \p iv_len is invalid (lower than \c 7 or greater than

337

* \c 13).

338

*/

339

int mbedtls_ccm_starts(mbedtls_ccm_context *ctx,

340

int mode,

341

const unsigned char *iv,

size_t iv_len);

/**

* \brief This function declares the lengths of the message

346

* and additional data for a CCM encryption or decryption

347

* operation.

348

*

349

* This function and mbedtls_ccm_starts() must be called

350

* before calling mbedtls_ccm_update_ad() or

351

* mbedtls_ccm_update(). This function can be called before

352

* or after mbedtls_ccm_starts().

353

*

354

* \note This function is not implemented in Mbed TLS yet.

355

*

356

* \param ctx The CCM context. This must be initialized.

357

* \param total_ad_len The total length of additional data in bytes.

358

* This must be less than `2^16 - 2^8`.

359

* \param plaintext_len The length in bytes of the plaintext to encrypt or

360

* result of the decryption (thus not encompassing the

361

* additional data that are not encrypted).

362

* \param tag_len The length of the tag to generate in Bytes:

363

* 4, 6, 8, 10, 12, 14 or 16.

364

* For CCM*, zero is also valid.

365

*

366

* \return \c 0 on success.

367

* \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:

368

* \p ctx is in an invalid state,

369

* \p total_ad_len is greater than \c 0xFF00.

370

*/

371

int mbedtls_ccm_set_lengths(mbedtls_ccm_context *ctx,

372

size_t total_ad_len,

373

size_t plaintext_len,

size_t tag_len);

/**

* \brief This function feeds an input buffer as associated data

378

* (authenticated but not encrypted data) in a CCM

379

* encryption or decryption operation.

380

*

381

* You may call this function zero, one or more times

382

* to pass successive parts of the additional data. The

383

* lengths \p ad_len of the data parts should eventually add

384

* up exactly to the total length of additional data

385

* \c total_ad_len passed to mbedtls_ccm_set_lengths(). You

386

* may not call this function after calling

387

* mbedtls_ccm_update().

388

*

389

* \note This function is not implemented in Mbed TLS yet.

390

*

391

* \param ctx The CCM context. This must have been started with

392

* mbedtls_ccm_starts(), the lengths of the message and

393

* additional data must have been declared with

394

* mbedtls_ccm_set_lengths() and this must not have yet

395

* received any input with mbedtls_ccm_update().

396

* \param ad The buffer holding the additional data, or \c NULL

397

* if \p ad_len is \c 0.

398

* \param ad_len The length of the additional data. If \c 0,

399

* \p ad may be \c NULL.

400

*

401

* \return \c 0 on success.

402

* \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:

403

* \p ctx is in an invalid state,

404

* total input length too long.

405

*/

406

int mbedtls_ccm_update_ad(mbedtls_ccm_context *ctx,

407

const unsigned char *ad,

size_t ad_len);

/**

* \brief This function feeds an input buffer into an ongoing CCM

412

* encryption or decryption operation.

413

*

414

* You may call this function zero, one or more times

415

* to pass successive parts of the input: the plaintext to

416

* encrypt, or the ciphertext (not including the tag) to

417

* decrypt. After the last part of the input, call

418

* mbedtls_ccm_finish(). The lengths \p input_len of the

419

* data parts should eventually add up exactly to the

420

* plaintext length \c plaintext_len passed to

421

* mbedtls_ccm_set_lengths().

422

*

423

* This function may produce output in one of the following

424

* ways:

425

* - Immediate output: the output length is always equal

426

* to the input length.

427

* - Buffered output: except for the last part of input data,

428

* the output consists of a whole number of 16-byte blocks.

429

* If the total input length so far (not including

430

* associated data) is 16 \* *B* + *A* with *A* < 16 then

431

* the total output length is 16 \* *B*.

432

* For the last part of input data, the output length is

433

* equal to the input length plus the number of bytes (*A*)

434

* buffered in the previous call to the function (if any).

435

* The function uses the plaintext length

436

* \c plaintext_len passed to mbedtls_ccm_set_lengths()

437

* to detect the last part of input data.

438

*

439

* In particular:

440

* - It is always correct to call this function with

441

* \p output_size >= \p input_len + 15.

442

* - If \p input_len is a multiple of 16 for all the calls

443

* to this function during an operation (not necessary for

444

* the last one) then it is correct to use \p output_size

445

* =\p input_len.

446

*

447

* \note This function is not implemented in Mbed TLS yet.

448

*

449

* \param ctx The CCM context. This must have been started with

450

* mbedtls_ccm_starts() and the lengths of the message and

451

* additional data must have been declared with

452

* mbedtls_ccm_set_lengths().

453

* \param input The buffer holding the input data. If \p input_len

454

* is greater than zero, this must be a readable buffer

455

* of at least \p input_len bytes.

456

* \param input_len The length of the input data in bytes.

457

* \param output The buffer for the output data. If \p output_size

458

* is greater than zero, this must be a writable buffer of

459

* at least \p output_size bytes.

460

* \param output_size The size of the output buffer in bytes.

461

* See the function description regarding the output size.

462

* \param output_len On success, \p *output_len contains the actual

463

* length of the output written in \p output.

464

* On failure, the content of \p *output_len is

465

* unspecified.

466

*

467

* \return \c 0 on success.

468

* \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:

469

* \p ctx is in an invalid state,

470

* total input length too long,

471

* or \p output_size too small.

472

*/

473

int mbedtls_ccm_update(mbedtls_ccm_context *ctx,

474

const unsigned char *input, size_t input_len,

475

unsigned char *output, size_t output_size,

size_t *output_len);

/**

* \brief This function finishes the CCM operation and generates

480

* the authentication tag.

481

*

482

* It wraps up the CCM stream, and generates the

483

* tag. The tag can have a maximum length of 16 Bytes.

484

*

485

* \note This function is not implemented in Mbed TLS yet.

486

*

487

* \param ctx The CCM context. This must have been started with

488

* mbedtls_ccm_starts() and the lengths of the message and

489

* additional data must have been declared with

490

* mbedtls_ccm_set_lengths().

491

* \param tag The buffer for holding the tag. If \p tag_len is greater

492

* than zero, this must be a writable buffer of at least \p

493

* tag_len Bytes.

494

* \param tag_len The length of the tag. Must match the tag length passed to

495

* mbedtls_ccm_set_lengths() function.

496

*

497

* \return \c 0 on success.

498

* \return #MBEDTLS_ERR_CCM_BAD_INPUT on failure:

499

* \p ctx is in an invalid state,

500

* invalid value of \p tag_len,

501

* the total amount of additional data passed to

502

* mbedtls_ccm_update_ad() was lower than the total length of

503

* additional data \c total_ad_len passed to

504

* mbedtls_ccm_set_lengths(),

505

* the total amount of input data passed to

506

* mbedtls_ccm_update() was lower than the plaintext length

507

* \c plaintext_len passed to mbedtls_ccm_set_lengths().

508

*/

509

int mbedtls_ccm_finish(mbedtls_ccm_context *ctx,

510

unsigned char *tag, size_t tag_len);

511

512

#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_CCM_GCM_CAN_AES)

513

/**

514

* \brief The CCM checkup routine.

515

*

516

* \return \c 0 on success.

517

* \return \c 1 on failure.

518

*/

519

int mbedtls_ccm_self_test(int verbose);

520

#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */

#ifdef __cplusplus

}

#endif

#endif /* MBEDTLS_CCM_H */