1 /**
2  * \file cipher.h
3  *
4  * \brief This file contains an abstraction interface for use with the cipher
5  * primitives provided by the library. It provides a common interface to all of
6  * the available cipher operations.
7  *
8  * \author Adriaan de Jong <dejong@fox-it.com>
9  */
10 /*
11  *  Copyright The Mbed TLS Contributors
12  *  SPDX-License-Identifier: Apache-2.0
13  *
14  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
15  *  not use this file except in compliance with the License.
16  *  You may obtain a copy of the License at
17  *
18  *  http://www.apache.org/licenses/LICENSE-2.0
19  *
20  *  Unless required by applicable law or agreed to in writing, software
21  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23  *  See the License for the specific language governing permissions and
24  *  limitations under the License.
25  */
26 
27 #ifndef MBEDTLS_CIPHER_H
28 #define MBEDTLS_CIPHER_H
29 #include "mbedtls/private_access.h"
30 
31 #include "mbedtls/build_info.h"
32 
33 #include <stddef.h>
34 #include "mbedtls/platform_util.h"
35 
36 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
37 #define MBEDTLS_CIPHER_MODE_AEAD
38 #endif
39 
40 #if defined(MBEDTLS_CIPHER_MODE_CBC)
41 #define MBEDTLS_CIPHER_MODE_WITH_PADDING
42 #endif
43 
44 #if defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
45     defined(MBEDTLS_CHACHA20_C)
46 #define MBEDTLS_CIPHER_MODE_STREAM
47 #endif
48 
49 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
50     !defined(inline) && !defined(__cplusplus)
51 #define inline __inline
52 #endif
53 
54 /** The selected feature is not available. */
55 #define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE  -0x6080
56 /** Bad input parameters. */
57 #define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA       -0x6100
58 /** Failed to allocate memory. */
59 #define MBEDTLS_ERR_CIPHER_ALLOC_FAILED         -0x6180
60 /** Input data contains invalid padding and is rejected. */
61 #define MBEDTLS_ERR_CIPHER_INVALID_PADDING      -0x6200
62 /** Decryption of block requires a full block. */
63 #define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED  -0x6280
64 /** Authentication failed (for AEAD modes). */
65 #define MBEDTLS_ERR_CIPHER_AUTH_FAILED          -0x6300
66 /** The context is invalid. For example, because it was freed. */
67 #define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT      -0x6380
68 
69 #define MBEDTLS_CIPHER_VARIABLE_IV_LEN     0x01    /**< Cipher accepts IVs of variable length. */
70 #define MBEDTLS_CIPHER_VARIABLE_KEY_LEN    0x02    /**< Cipher accepts keys of variable length. */
71 
72 #ifdef __cplusplus
73 extern "C" {
74 #endif
75 
76 /**
77  * \brief     Supported cipher types.
78  *
79  * \warning   DES is considered weak cipher and its use
80  *            constitutes a security risk. Arm recommends considering stronger
81  *            ciphers instead.
82  */
83 typedef enum {
84     MBEDTLS_CIPHER_ID_NONE = 0,  /**< Placeholder to mark the end of cipher ID lists. */
85     MBEDTLS_CIPHER_ID_NULL,      /**< The identity cipher, treated as a stream cipher. */
86     MBEDTLS_CIPHER_ID_AES,       /**< The AES cipher. */
87     MBEDTLS_CIPHER_ID_DES,       /**< The DES cipher. */
88     MBEDTLS_CIPHER_ID_3DES,      /**< The Triple DES cipher. */
89     MBEDTLS_CIPHER_ID_CAMELLIA,  /**< The Camellia cipher. */
90     MBEDTLS_CIPHER_ID_ARIA,      /**< The Aria cipher. */
91     MBEDTLS_CIPHER_ID_CHACHA20,  /**< The ChaCha20 cipher. */
92 } mbedtls_cipher_id_t;
93 
94 /**
95  * \brief     Supported {cipher type, cipher mode} pairs.
96  *
97  * \warning   DES is considered weak cipher and its use
98  *            constitutes a security risk. Arm recommends considering stronger
99  *            ciphers instead.
100  */
101 typedef enum {
102     MBEDTLS_CIPHER_NONE = 0,             /**< Placeholder to mark the end of cipher-pair lists. */
103     MBEDTLS_CIPHER_NULL,                 /**< The identity stream cipher. */
104     MBEDTLS_CIPHER_AES_128_ECB,          /**< AES cipher with 128-bit ECB mode. */
105     MBEDTLS_CIPHER_AES_192_ECB,          /**< AES cipher with 192-bit ECB mode. */
106     MBEDTLS_CIPHER_AES_256_ECB,          /**< AES cipher with 256-bit ECB mode. */
107     MBEDTLS_CIPHER_AES_128_CBC,          /**< AES cipher with 128-bit CBC mode. */
108     MBEDTLS_CIPHER_AES_192_CBC,          /**< AES cipher with 192-bit CBC mode. */
109     MBEDTLS_CIPHER_AES_256_CBC,          /**< AES cipher with 256-bit CBC mode. */
110     MBEDTLS_CIPHER_AES_128_CFB128,       /**< AES cipher with 128-bit CFB128 mode. */
111     MBEDTLS_CIPHER_AES_192_CFB128,       /**< AES cipher with 192-bit CFB128 mode. */
112     MBEDTLS_CIPHER_AES_256_CFB128,       /**< AES cipher with 256-bit CFB128 mode. */
113     MBEDTLS_CIPHER_AES_128_CTR,          /**< AES cipher with 128-bit CTR mode. */
114     MBEDTLS_CIPHER_AES_192_CTR,          /**< AES cipher with 192-bit CTR mode. */
115     MBEDTLS_CIPHER_AES_256_CTR,          /**< AES cipher with 256-bit CTR mode. */
116     MBEDTLS_CIPHER_AES_128_GCM,          /**< AES cipher with 128-bit GCM mode. */
117     MBEDTLS_CIPHER_AES_192_GCM,          /**< AES cipher with 192-bit GCM mode. */
118     MBEDTLS_CIPHER_AES_256_GCM,          /**< AES cipher with 256-bit GCM mode. */
119     MBEDTLS_CIPHER_CAMELLIA_128_ECB,     /**< Camellia cipher with 128-bit ECB mode. */
120     MBEDTLS_CIPHER_CAMELLIA_192_ECB,     /**< Camellia cipher with 192-bit ECB mode. */
121     MBEDTLS_CIPHER_CAMELLIA_256_ECB,     /**< Camellia cipher with 256-bit ECB mode. */
122     MBEDTLS_CIPHER_CAMELLIA_128_CBC,     /**< Camellia cipher with 128-bit CBC mode. */
123     MBEDTLS_CIPHER_CAMELLIA_192_CBC,     /**< Camellia cipher with 192-bit CBC mode. */
124     MBEDTLS_CIPHER_CAMELLIA_256_CBC,     /**< Camellia cipher with 256-bit CBC mode. */
125     MBEDTLS_CIPHER_CAMELLIA_128_CFB128,  /**< Camellia cipher with 128-bit CFB128 mode. */
126     MBEDTLS_CIPHER_CAMELLIA_192_CFB128,  /**< Camellia cipher with 192-bit CFB128 mode. */
127     MBEDTLS_CIPHER_CAMELLIA_256_CFB128,  /**< Camellia cipher with 256-bit CFB128 mode. */
128     MBEDTLS_CIPHER_CAMELLIA_128_CTR,     /**< Camellia cipher with 128-bit CTR mode. */
129     MBEDTLS_CIPHER_CAMELLIA_192_CTR,     /**< Camellia cipher with 192-bit CTR mode. */
130     MBEDTLS_CIPHER_CAMELLIA_256_CTR,     /**< Camellia cipher with 256-bit CTR mode. */
131     MBEDTLS_CIPHER_CAMELLIA_128_GCM,     /**< Camellia cipher with 128-bit GCM mode. */
132     MBEDTLS_CIPHER_CAMELLIA_192_GCM,     /**< Camellia cipher with 192-bit GCM mode. */
133     MBEDTLS_CIPHER_CAMELLIA_256_GCM,     /**< Camellia cipher with 256-bit GCM mode. */
134     MBEDTLS_CIPHER_DES_ECB,              /**< DES cipher with ECB mode. */
135     MBEDTLS_CIPHER_DES_CBC,              /**< DES cipher with CBC mode. */
136     MBEDTLS_CIPHER_DES_EDE_ECB,          /**< DES cipher with EDE ECB mode. */
137     MBEDTLS_CIPHER_DES_EDE_CBC,          /**< DES cipher with EDE CBC mode. */
138     MBEDTLS_CIPHER_DES_EDE3_ECB,         /**< DES cipher with EDE3 ECB mode. */
139     MBEDTLS_CIPHER_DES_EDE3_CBC,         /**< DES cipher with EDE3 CBC mode. */
140     MBEDTLS_CIPHER_AES_128_CCM,          /**< AES cipher with 128-bit CCM mode. */
141     MBEDTLS_CIPHER_AES_192_CCM,          /**< AES cipher with 192-bit CCM mode. */
142     MBEDTLS_CIPHER_AES_256_CCM,          /**< AES cipher with 256-bit CCM mode. */
143     MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, /**< AES cipher with 128-bit CCM_STAR_NO_TAG mode. */
144     MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, /**< AES cipher with 192-bit CCM_STAR_NO_TAG mode. */
145     MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, /**< AES cipher with 256-bit CCM_STAR_NO_TAG mode. */
146     MBEDTLS_CIPHER_CAMELLIA_128_CCM,     /**< Camellia cipher with 128-bit CCM mode. */
147     MBEDTLS_CIPHER_CAMELLIA_192_CCM,     /**< Camellia cipher with 192-bit CCM mode. */
148     MBEDTLS_CIPHER_CAMELLIA_256_CCM,     /**< Camellia cipher with 256-bit CCM mode. */
149     MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG, /**< Camellia cipher with 128-bit CCM_STAR_NO_TAG mode. */
150     MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG, /**< Camellia cipher with 192-bit CCM_STAR_NO_TAG mode. */
151     MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG, /**< Camellia cipher with 256-bit CCM_STAR_NO_TAG mode. */
152     MBEDTLS_CIPHER_ARIA_128_ECB,         /**< Aria cipher with 128-bit key and ECB mode. */
153     MBEDTLS_CIPHER_ARIA_192_ECB,         /**< Aria cipher with 192-bit key and ECB mode. */
154     MBEDTLS_CIPHER_ARIA_256_ECB,         /**< Aria cipher with 256-bit key and ECB mode. */
155     MBEDTLS_CIPHER_ARIA_128_CBC,         /**< Aria cipher with 128-bit key and CBC mode. */
156     MBEDTLS_CIPHER_ARIA_192_CBC,         /**< Aria cipher with 192-bit key and CBC mode. */
157     MBEDTLS_CIPHER_ARIA_256_CBC,         /**< Aria cipher with 256-bit key and CBC mode. */
158     MBEDTLS_CIPHER_ARIA_128_CFB128,      /**< Aria cipher with 128-bit key and CFB-128 mode. */
159     MBEDTLS_CIPHER_ARIA_192_CFB128,      /**< Aria cipher with 192-bit key and CFB-128 mode. */
160     MBEDTLS_CIPHER_ARIA_256_CFB128,      /**< Aria cipher with 256-bit key and CFB-128 mode. */
161     MBEDTLS_CIPHER_ARIA_128_CTR,         /**< Aria cipher with 128-bit key and CTR mode. */
162     MBEDTLS_CIPHER_ARIA_192_CTR,         /**< Aria cipher with 192-bit key and CTR mode. */
163     MBEDTLS_CIPHER_ARIA_256_CTR,         /**< Aria cipher with 256-bit key and CTR mode. */
164     MBEDTLS_CIPHER_ARIA_128_GCM,         /**< Aria cipher with 128-bit key and GCM mode. */
165     MBEDTLS_CIPHER_ARIA_192_GCM,         /**< Aria cipher with 192-bit key and GCM mode. */
166     MBEDTLS_CIPHER_ARIA_256_GCM,         /**< Aria cipher with 256-bit key and GCM mode. */
167     MBEDTLS_CIPHER_ARIA_128_CCM,         /**< Aria cipher with 128-bit key and CCM mode. */
168     MBEDTLS_CIPHER_ARIA_192_CCM,         /**< Aria cipher with 192-bit key and CCM mode. */
169     MBEDTLS_CIPHER_ARIA_256_CCM,         /**< Aria cipher with 256-bit key and CCM mode. */
170     MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG, /**< Aria cipher with 128-bit key and CCM_STAR_NO_TAG mode. */
171     MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG, /**< Aria cipher with 192-bit key and CCM_STAR_NO_TAG mode. */
172     MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG, /**< Aria cipher with 256-bit key and CCM_STAR_NO_TAG mode. */
173     MBEDTLS_CIPHER_AES_128_OFB,          /**< AES 128-bit cipher in OFB mode. */
174     MBEDTLS_CIPHER_AES_192_OFB,          /**< AES 192-bit cipher in OFB mode. */
175     MBEDTLS_CIPHER_AES_256_OFB,          /**< AES 256-bit cipher in OFB mode. */
176     MBEDTLS_CIPHER_AES_128_XTS,          /**< AES 128-bit cipher in XTS block mode. */
177     MBEDTLS_CIPHER_AES_256_XTS,          /**< AES 256-bit cipher in XTS block mode. */
178     MBEDTLS_CIPHER_CHACHA20,             /**< ChaCha20 stream cipher. */
179     MBEDTLS_CIPHER_CHACHA20_POLY1305,    /**< ChaCha20-Poly1305 AEAD cipher. */
180     MBEDTLS_CIPHER_AES_128_KW,           /**< AES cipher with 128-bit NIST KW mode. */
181     MBEDTLS_CIPHER_AES_192_KW,           /**< AES cipher with 192-bit NIST KW mode. */
182     MBEDTLS_CIPHER_AES_256_KW,           /**< AES cipher with 256-bit NIST KW mode. */
183     MBEDTLS_CIPHER_AES_128_KWP,          /**< AES cipher with 128-bit NIST KWP mode. */
184     MBEDTLS_CIPHER_AES_192_KWP,          /**< AES cipher with 192-bit NIST KWP mode. */
185     MBEDTLS_CIPHER_AES_256_KWP,          /**< AES cipher with 256-bit NIST KWP mode. */
186 } mbedtls_cipher_type_t;
187 
188 /** Supported cipher modes. */
189 typedef enum {
190     MBEDTLS_MODE_NONE = 0,               /**< None.                        */
191     MBEDTLS_MODE_ECB,                    /**< The ECB cipher mode.         */
192     MBEDTLS_MODE_CBC,                    /**< The CBC cipher mode.         */
193     MBEDTLS_MODE_CFB,                    /**< The CFB cipher mode.         */
194     MBEDTLS_MODE_OFB,                    /**< The OFB cipher mode.         */
195     MBEDTLS_MODE_CTR,                    /**< The CTR cipher mode.         */
196     MBEDTLS_MODE_GCM,                    /**< The GCM cipher mode.         */
197     MBEDTLS_MODE_STREAM,                 /**< The stream cipher mode.      */
198     MBEDTLS_MODE_CCM,                    /**< The CCM cipher mode.         */
199     MBEDTLS_MODE_CCM_STAR_NO_TAG,        /**< The CCM*-no-tag cipher mode. */
200     MBEDTLS_MODE_XTS,                    /**< The XTS cipher mode.         */
201     MBEDTLS_MODE_CHACHAPOLY,             /**< The ChaCha-Poly cipher mode. */
202     MBEDTLS_MODE_KW,                     /**< The SP800-38F KW mode */
203     MBEDTLS_MODE_KWP,                    /**< The SP800-38F KWP mode */
204 } mbedtls_cipher_mode_t;
205 
206 /** Supported cipher padding types. */
207 typedef enum {
208     MBEDTLS_PADDING_PKCS7 = 0,     /**< PKCS7 padding (default).        */
209     MBEDTLS_PADDING_ONE_AND_ZEROS, /**< ISO/IEC 7816-4 padding.         */
210     MBEDTLS_PADDING_ZEROS_AND_LEN, /**< ANSI X.923 padding.             */
211     MBEDTLS_PADDING_ZEROS,         /**< Zero padding (not reversible). */
212     MBEDTLS_PADDING_NONE,          /**< Never pad (full blocks only).   */
213 } mbedtls_cipher_padding_t;
214 
215 /** Type of operation. */
216 typedef enum {
217     MBEDTLS_OPERATION_NONE = -1,
218     MBEDTLS_DECRYPT = 0,
219     MBEDTLS_ENCRYPT,
220 } mbedtls_operation_t;
221 
222 enum {
223     /** Undefined key length. */
224     MBEDTLS_KEY_LENGTH_NONE = 0,
225     /** Key length, in bits (including parity), for DES keys. */
226     MBEDTLS_KEY_LENGTH_DES  = 64,
227     /** Key length in bits, including parity, for DES in two-key EDE. */
228     MBEDTLS_KEY_LENGTH_DES_EDE = 128,
229     /** Key length in bits, including parity, for DES in three-key EDE. */
230     MBEDTLS_KEY_LENGTH_DES_EDE3 = 192,
231 };
232 
233 /** Maximum length of any IV, in Bytes. */
234 /* This should ideally be derived automatically from list of ciphers.
235  * This should be kept in sync with MBEDTLS_SSL_MAX_IV_LENGTH defined
236  * in library/ssl_misc.h. */
237 #define MBEDTLS_MAX_IV_LENGTH      16
238 
239 /** Maximum block size of any cipher, in Bytes. */
240 /* This should ideally be derived automatically from list of ciphers.
241  * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
242  * in library/ssl_misc.h. */
243 #define MBEDTLS_MAX_BLOCK_LENGTH   16
244 
245 /** Maximum key length, in Bytes. */
246 /* This should ideally be derived automatically from list of ciphers.
247  * For now, only check whether XTS is enabled which uses 64 Byte keys,
248  * and use 32 Bytes as an upper bound for the maximum key length otherwise.
249  * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
250  * in library/ssl_misc.h, which however deliberately ignores the case of XTS
251  * since the latter isn't used in SSL/TLS. */
252 #if defined(MBEDTLS_CIPHER_MODE_XTS)
253 #define MBEDTLS_MAX_KEY_LENGTH     64
254 #else
255 #define MBEDTLS_MAX_KEY_LENGTH     32
256 #endif /* MBEDTLS_CIPHER_MODE_XTS */
257 
258 /**
259  * Base cipher information (opaque struct).
260  */
261 typedef struct mbedtls_cipher_base_t mbedtls_cipher_base_t;
262 
263 /**
264  * CMAC context (opaque struct).
265  */
266 typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t;
267 
268 /**
269  * Cipher information. Allows calling cipher functions
270  * in a generic way.
271  *
272  * \note        The library does not support custom cipher info structures,
273  *              only built-in structures returned by the functions
274  *              mbedtls_cipher_info_from_string(),
275  *              mbedtls_cipher_info_from_type(),
276  *              mbedtls_cipher_info_from_values(),
277  *              mbedtls_cipher_info_from_psa().
278  */
279 typedef struct mbedtls_cipher_info_t
280 {
281     /** Full cipher identifier. For example,
282      * MBEDTLS_CIPHER_AES_256_CBC.
283      */
284     mbedtls_cipher_type_t MBEDTLS_PRIVATE(type);
285 
286     /** The cipher mode. For example, MBEDTLS_MODE_CBC. */
287     mbedtls_cipher_mode_t MBEDTLS_PRIVATE(mode);
288 
289     /** The cipher key length, in bits. This is the
290      * default length for variable sized ciphers.
291      * Includes parity bits for ciphers like DES.
292      */
293     unsigned int MBEDTLS_PRIVATE(key_bitlen);
294 
295     /** Name of the cipher. */
296     const char * MBEDTLS_PRIVATE(name);
297 
298     /** IV or nonce size, in Bytes.
299      * For ciphers that accept variable IV sizes,
300      * this is the recommended size.
301      */
302     unsigned int MBEDTLS_PRIVATE(iv_size);
303 
304     /** Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and
305      *  MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the
306      *  cipher supports variable IV or variable key sizes, respectively.
307      */
308     int MBEDTLS_PRIVATE(flags);
309 
310     /** The block size, in Bytes. */
311     unsigned int MBEDTLS_PRIVATE(block_size);
312 
313     /** Struct for base cipher information and functions. */
314     const mbedtls_cipher_base_t *MBEDTLS_PRIVATE(base);
315 
316 } mbedtls_cipher_info_t;
317 
318 /**
319  * Generic cipher context.
320  */
321 typedef struct mbedtls_cipher_context_t
322 {
323     /** Information about the associated cipher. */
324     const mbedtls_cipher_info_t *MBEDTLS_PRIVATE(cipher_info);
325 
326     /** Key length to use. */
327     int MBEDTLS_PRIVATE(key_bitlen);
328 
329     /** Operation that the key of the context has been
330      * initialized for.
331      */
332     mbedtls_operation_t MBEDTLS_PRIVATE(operation);
333 
334 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
335     /** Padding functions to use, if relevant for
336      * the specific cipher mode.
337      */
338     void (*MBEDTLS_PRIVATE(add_padding))( unsigned char *output, size_t olen, size_t data_len );
339     int (*MBEDTLS_PRIVATE(get_padding))( unsigned char *input, size_t ilen, size_t *data_len );
340 #endif
341 
342     /** Buffer for input that has not been processed yet. */
343     unsigned char MBEDTLS_PRIVATE(unprocessed_data)[MBEDTLS_MAX_BLOCK_LENGTH];
344 
345     /** Number of Bytes that have not been processed yet. */
346     size_t MBEDTLS_PRIVATE(unprocessed_len);
347 
348     /** Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number
349      * for XTS-mode. */
350     unsigned char MBEDTLS_PRIVATE(iv)[MBEDTLS_MAX_IV_LENGTH];
351 
352     /** IV size in Bytes, for ciphers with variable-length IVs. */
353     size_t MBEDTLS_PRIVATE(iv_size);
354 
355     /** The cipher-specific context. */
356     void *MBEDTLS_PRIVATE(cipher_ctx);
357 
358 #if defined(MBEDTLS_CMAC_C)
359     /** CMAC-specific context. */
360     mbedtls_cmac_context_t *MBEDTLS_PRIVATE(cmac_ctx);
361 #endif
362 
363 #if defined(MBEDTLS_USE_PSA_CRYPTO)
364     /** Indicates whether the cipher operations should be performed
365      *  by Mbed TLS' own crypto library or an external implementation
366      *  of the PSA Crypto API.
367      *  This is unset if the cipher context was established through
368      *  mbedtls_cipher_setup(), and set if it was established through
369      *  mbedtls_cipher_setup_psa().
370      */
371     unsigned char MBEDTLS_PRIVATE(psa_enabled);
372 #endif /* MBEDTLS_USE_PSA_CRYPTO */
373 
374 } mbedtls_cipher_context_t;
375 
376 /**
377  * \brief This function retrieves the list of ciphers supported
378  *        by the generic cipher module.
379  *
380  *        For any cipher identifier in the returned list, you can
381  *        obtain the corresponding generic cipher information structure
382  *        via mbedtls_cipher_info_from_type(), which can then be used
383  *        to prepare a cipher context via mbedtls_cipher_setup().
384  *
385  *
386  * \return      A statically-allocated array of cipher identifiers
387  *              of type cipher_type_t. The last entry is zero.
388  */
389 const int *mbedtls_cipher_list( void );
390 
391 /**
392  * \brief               This function retrieves the cipher-information
393  *                      structure associated with the given cipher name.
394  *
395  * \param cipher_name   Name of the cipher to search for. This must not be
396  *                      \c NULL.
397  *
398  * \return              The cipher information structure associated with the
399  *                      given \p cipher_name.
400  * \return              \c NULL if the associated cipher information is not found.
401  */
402 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name );
403 
404 /**
405  * \brief               This function retrieves the cipher-information
406  *                      structure associated with the given cipher type.
407  *
408  * \param cipher_type   Type of the cipher to search for.
409  *
410  * \return              The cipher information structure associated with the
411  *                      given \p cipher_type.
412  * \return              \c NULL if the associated cipher information is not found.
413  */
414 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type );
415 
416 /**
417  * \brief               This function retrieves the cipher-information
418  *                      structure associated with the given cipher ID,
419  *                      key size and mode.
420  *
421  * \param cipher_id     The ID of the cipher to search for. For example,
422  *                      #MBEDTLS_CIPHER_ID_AES.
423  * \param key_bitlen    The length of the key in bits.
424  * \param mode          The cipher mode. For example, #MBEDTLS_MODE_CBC.
425  *
426  * \return              The cipher information structure associated with the
427  *                      given \p cipher_id.
428  * \return              \c NULL if the associated cipher information is not found.
429  */
430 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
431                                               int key_bitlen,
432                                               const mbedtls_cipher_mode_t mode );
433 
434 /**
435  * \brief               Retrieve the identifier for a cipher info structure.
436  *
437  * \param[in] info      The cipher info structure to query.
438  *                      This may be \c NULL.
439  *
440  * \return              The full cipher identifier (\c MBEDTLS_CIPHER_xxx).
441  * \return              #MBEDTLS_CIPHER_NONE if \p info is \c NULL.
442  */
mbedtls_cipher_info_get_type(const mbedtls_cipher_info_t * info)443 static inline mbedtls_cipher_type_t mbedtls_cipher_info_get_type(
444     const mbedtls_cipher_info_t *info )
445 {
446     if( info == NULL )
447         return( MBEDTLS_CIPHER_NONE );
448     else
449         return( info->MBEDTLS_PRIVATE(type) );
450 }
451 
452 /**
453  * \brief               Retrieve the operation mode for a cipher info structure.
454  *
455  * \param[in] info      The cipher info structure to query.
456  *                      This may be \c NULL.
457  *
458  * \return              The cipher mode (\c MBEDTLS_MODE_xxx).
459  * \return              #MBEDTLS_MODE_NONE if \p info is \c NULL.
460  */
mbedtls_cipher_info_get_mode(const mbedtls_cipher_info_t * info)461 static inline mbedtls_cipher_mode_t mbedtls_cipher_info_get_mode(
462     const mbedtls_cipher_info_t *info )
463 {
464     if( info == NULL )
465         return( MBEDTLS_MODE_NONE );
466     else
467         return( info->MBEDTLS_PRIVATE(mode) );
468 }
469 
470 /**
471  * \brief               Retrieve the key size for a cipher info structure.
472  *
473  * \param[in] info      The cipher info structure to query.
474  *                      This may be \c NULL.
475  *
476  * \return              The key length in bits.
477  *                      For variable-sized ciphers, this is the default length.
478  *                      For DES, this includes the parity bits.
479  * \return              \c 0 if \p info is \c NULL.
480  */
mbedtls_cipher_info_get_key_bitlen(const mbedtls_cipher_info_t * info)481 static inline size_t mbedtls_cipher_info_get_key_bitlen(
482     const mbedtls_cipher_info_t *info )
483 {
484     if( info == NULL )
485         return( 0 );
486     else
487         return( info->MBEDTLS_PRIVATE(key_bitlen) );
488 }
489 
490 /**
491  * \brief               Retrieve the human-readable name for a
492  *                      cipher info structure.
493  *
494  * \param[in] info      The cipher info structure to query.
495  *                      This may be \c NULL.
496  *
497  * \return              The cipher name, which is a human readable string,
498  *                      with static storage duration.
499  * \return              \c NULL if \c info is \p NULL.
500  */
mbedtls_cipher_info_get_name(const mbedtls_cipher_info_t * info)501 static inline const char *mbedtls_cipher_info_get_name(
502     const mbedtls_cipher_info_t *info )
503 {
504     if( info == NULL )
505         return( NULL );
506     else
507         return( info->MBEDTLS_PRIVATE(name) );
508 }
509 
510 /**
511  * \brief               This function initializes a \p cipher_context as NONE.
512  *
513  * \param ctx           The context to be initialized. This must not be \c NULL.
514  */
515 void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx );
516 
517 /**
518  * \brief               This function frees and clears the cipher-specific
519  *                      context of \p ctx. Freeing \p ctx itself remains the
520  *                      responsibility of the caller.
521  *
522  * \param ctx           The context to be freed. If this is \c NULL, the
523  *                      function has no effect, otherwise this must point to an
524  *                      initialized context.
525  */
526 void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx );
527 
528 
529 /**
530  * \brief               This function prepares a cipher context for
531  *                      use with the given cipher primitive.
532  *
533  * \note                After calling this function, you should call
534  *                      mbedtls_cipher_setkey() and, if the mode uses padding,
535  *                      mbedtls_cipher_set_padding_mode(), then for each
536  *                      message to encrypt or decrypt with this key, either:
537  *                      - mbedtls_cipher_crypt() for one-shot processing with
538  *                      non-AEAD modes;
539  *                      - mbedtls_cipher_auth_encrypt_ext() or
540  *                      mbedtls_cipher_auth_decrypt_ext() for one-shot
541  *                      processing with AEAD modes or NIST_KW;
542  *                      - for multi-part processing, see the documentation of
543  *                      mbedtls_cipher_reset().
544  *
545  * \param ctx           The context to prepare. This must be initialized by
546  *                      a call to mbedtls_cipher_init() first.
547  * \param cipher_info   The cipher to use.
548  *
549  * \return              \c 0 on success.
550  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
551  *                      parameter-verification failure.
552  * \return              #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
553  *                      cipher-specific context fails.
554  */
555 int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
556                           const mbedtls_cipher_info_t *cipher_info );
557 
558 #if defined(MBEDTLS_USE_PSA_CRYPTO)
559 /**
560  * \brief               This function initializes a cipher context for
561  *                      PSA-based use with the given cipher primitive.
562  *
563  * \note                See #MBEDTLS_USE_PSA_CRYPTO for information on PSA.
564  *
565  * \param ctx           The context to initialize. May not be \c NULL.
566  * \param cipher_info   The cipher to use.
567  * \param taglen        For AEAD ciphers, the length in bytes of the
568  *                      authentication tag to use. Subsequent uses of
569  *                      mbedtls_cipher_auth_encrypt_ext() or
570  *                      mbedtls_cipher_auth_decrypt_ext() must provide
571  *                      the same tag length.
572  *                      For non-AEAD ciphers, the value must be \c 0.
573  *
574  * \return              \c 0 on success.
575  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
576  *                      parameter-verification failure.
577  * \return              #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
578  *                      cipher-specific context fails.
579  */
580 int mbedtls_cipher_setup_psa( mbedtls_cipher_context_t *ctx,
581                               const mbedtls_cipher_info_t *cipher_info,
582                               size_t taglen );
583 #endif /* MBEDTLS_USE_PSA_CRYPTO */
584 
585 /**
586  * \brief        This function returns the block size of the given cipher.
587  *
588  * \param ctx    The context of the cipher. This must be initialized.
589  *
590  * \return       The block size of the underlying cipher.
591  * \return       \c 0 if \p ctx has not been initialized.
592  */
mbedtls_cipher_get_block_size(const mbedtls_cipher_context_t * ctx)593 static inline unsigned int mbedtls_cipher_get_block_size(
594     const mbedtls_cipher_context_t *ctx )
595 {
596     MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
597     if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL )
598         return 0;
599 
600     return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(block_size);
601 }
602 
603 /**
604  * \brief        This function returns the mode of operation for
605  *               the cipher. For example, MBEDTLS_MODE_CBC.
606  *
607  * \param ctx    The context of the cipher. This must be initialized.
608  *
609  * \return       The mode of operation.
610  * \return       #MBEDTLS_MODE_NONE if \p ctx has not been initialized.
611  */
mbedtls_cipher_get_cipher_mode(const mbedtls_cipher_context_t * ctx)612 static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
613     const mbedtls_cipher_context_t *ctx )
614 {
615     MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, MBEDTLS_MODE_NONE );
616     if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL )
617         return MBEDTLS_MODE_NONE;
618 
619     return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(mode);
620 }
621 
622 /**
623  * \brief       This function returns the size of the IV or nonce
624  *              of the cipher, in Bytes.
625  *
626  * \param ctx   The context of the cipher. This must be initialized.
627  *
628  * \return      The recommended IV size if no IV has been set.
629  * \return      \c 0 for ciphers not using an IV or a nonce.
630  * \return      The actual size if an IV has been set.
631  */
mbedtls_cipher_get_iv_size(const mbedtls_cipher_context_t * ctx)632 static inline int mbedtls_cipher_get_iv_size(
633     const mbedtls_cipher_context_t *ctx )
634 {
635     MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
636     if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL )
637         return 0;
638 
639     if( ctx->MBEDTLS_PRIVATE(iv_size) != 0 )
640         return (int) ctx->MBEDTLS_PRIVATE(iv_size);
641 
642     return (int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(iv_size);
643 }
644 
645 /**
646  * \brief               This function returns the type of the given cipher.
647  *
648  * \param ctx           The context of the cipher. This must be initialized.
649  *
650  * \return              The type of the cipher.
651  * \return              #MBEDTLS_CIPHER_NONE if \p ctx has not been initialized.
652  */
mbedtls_cipher_get_type(const mbedtls_cipher_context_t * ctx)653 static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
654     const mbedtls_cipher_context_t *ctx )
655 {
656     MBEDTLS_INTERNAL_VALIDATE_RET(
657         ctx != NULL, MBEDTLS_CIPHER_NONE );
658     if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL )
659         return MBEDTLS_CIPHER_NONE;
660 
661     return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(type);
662 }
663 
664 /**
665  * \brief               This function returns the name of the given cipher
666  *                      as a string.
667  *
668  * \param ctx           The context of the cipher. This must be initialized.
669  *
670  * \return              The name of the cipher.
671  * \return              NULL if \p ctx has not been not initialized.
672  */
mbedtls_cipher_get_name(const mbedtls_cipher_context_t * ctx)673 static inline const char *mbedtls_cipher_get_name(
674     const mbedtls_cipher_context_t *ctx )
675 {
676     MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
677     if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL )
678         return 0;
679 
680     return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(name);
681 }
682 
683 /**
684  * \brief               This function returns the key length of the cipher.
685  *
686  * \param ctx           The context of the cipher. This must be initialized.
687  *
688  * \return              The key length of the cipher in bits.
689  * \return              #MBEDTLS_KEY_LENGTH_NONE if ctx \p has not been
690  *                      initialized.
691  */
mbedtls_cipher_get_key_bitlen(const mbedtls_cipher_context_t * ctx)692 static inline int mbedtls_cipher_get_key_bitlen(
693     const mbedtls_cipher_context_t *ctx )
694 {
695     MBEDTLS_INTERNAL_VALIDATE_RET(
696         ctx != NULL, MBEDTLS_KEY_LENGTH_NONE );
697     if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL )
698         return MBEDTLS_KEY_LENGTH_NONE;
699 
700     return (int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(key_bitlen);
701 }
702 
703 /**
704  * \brief          This function returns the operation of the given cipher.
705  *
706  * \param ctx      The context of the cipher. This must be initialized.
707  *
708  * \return         The type of operation: #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
709  * \return         #MBEDTLS_OPERATION_NONE if \p ctx has not been initialized.
710  */
mbedtls_cipher_get_operation(const mbedtls_cipher_context_t * ctx)711 static inline mbedtls_operation_t mbedtls_cipher_get_operation(
712     const mbedtls_cipher_context_t *ctx )
713 {
714     MBEDTLS_INTERNAL_VALIDATE_RET(
715         ctx != NULL, MBEDTLS_OPERATION_NONE );
716     if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL )
717         return MBEDTLS_OPERATION_NONE;
718 
719     return ctx->MBEDTLS_PRIVATE(operation);
720 }
721 
722 /**
723  * \brief               This function sets the key to use with the given context.
724  *
725  * \param ctx           The generic cipher context. This must be initialized and
726  *                      bound to a cipher information structure.
727  * \param key           The key to use. This must be a readable buffer of at
728  *                      least \p key_bitlen Bits.
729  * \param key_bitlen    The key length to use, in Bits.
730  * \param operation     The operation that the key will be used for:
731  *                      #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
732  *
733  * \return              \c 0 on success.
734  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
735  *                      parameter-verification failure.
736  * \return              A cipher-specific error code on failure.
737  */
738 int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
739                            const unsigned char *key,
740                            int key_bitlen,
741                            const mbedtls_operation_t operation );
742 
743 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
744 /**
745  * \brief               This function sets the padding mode, for cipher modes
746  *                      that use padding.
747  *
748  *                      The default passing mode is PKCS7 padding.
749  *
750  * \param ctx           The generic cipher context. This must be initialized and
751  *                      bound to a cipher information structure.
752  * \param mode          The padding mode.
753  *
754  * \return              \c 0 on success.
755  * \return              #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
756  *                      if the selected padding mode is not supported.
757  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode
758  *                      does not support padding.
759  */
760 int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
761                                      mbedtls_cipher_padding_t mode );
762 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
763 
764 /**
765  * \brief           This function sets the initialization vector (IV)
766  *                  or nonce.
767  *
768  * \note            Some ciphers do not use IVs nor nonce. For these
769  *                  ciphers, this function has no effect.
770  *
771  * \param ctx       The generic cipher context. This must be initialized and
772  *                  bound to a cipher information structure.
773  * \param iv        The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This
774  *                  must be a readable buffer of at least \p iv_len Bytes.
775  * \param iv_len    The IV length for ciphers with variable-size IV.
776  *                  This parameter is discarded by ciphers with fixed-size IV.
777  *
778  * \return          \c 0 on success.
779  * \return          #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
780  *                  parameter-verification failure.
781  */
782 int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
783                            const unsigned char *iv,
784                            size_t iv_len );
785 
786 /**
787  * \brief         This function resets the cipher state.
788  *
789  * \note          With non-AEAD ciphers, the order of calls for each message
790  *                is as follows:
791  *                1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
792  *                2. mbedtls_cipher_reset()
793  *                3. mbedtls_cipher_update() one or more times
794  *                4. mbedtls_cipher_finish()
795  *                .
796  *                This sequence can be repeated to encrypt or decrypt multiple
797  *                messages with the same key.
798  *
799  * \note          With AEAD ciphers, the order of calls for each message
800  *                is as follows:
801  *                1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
802  *                2. mbedtls_cipher_reset()
803  *                3. mbedtls_cipher_update_ad()
804  *                4. mbedtls_cipher_update() one or more times
805  *                5. mbedtls_cipher_finish()
806  *                6. mbedtls_cipher_check_tag() (for decryption) or
807  *                mbedtls_cipher_write_tag() (for encryption).
808  *                .
809  *                This sequence can be repeated to encrypt or decrypt multiple
810  *                messages with the same key.
811  *
812  * \param ctx     The generic cipher context. This must be bound to a key.
813  *
814  * \return        \c 0 on success.
815  * \return        #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
816  *                parameter-verification failure.
817  */
818 int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx );
819 
820 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
821 /**
822  * \brief               This function adds additional data for AEAD ciphers.
823  *                      Currently supported with GCM and ChaCha20+Poly1305.
824  *
825  * \param ctx           The generic cipher context. This must be initialized.
826  * \param ad            The additional data to use. This must be a readable
827  *                      buffer of at least \p ad_len Bytes.
828  * \param ad_len        The length of \p ad in Bytes.
829  *
830  * \return              \c 0 on success.
831  * \return              A specific error code on failure.
832  */
833 int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
834                       const unsigned char *ad, size_t ad_len );
835 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
836 
837 /**
838  * \brief               The generic cipher update function. It encrypts or
839  *                      decrypts using the given cipher context. Writes as
840  *                      many block-sized blocks of data as possible to output.
841  *                      Any data that cannot be written immediately is either
842  *                      added to the next block, or flushed when
843  *                      mbedtls_cipher_finish() is called.
844  *                      Exception: For MBEDTLS_MODE_ECB, expects a single block
845  *                      in size. For example, 16 Bytes for AES.
846  *
847  * \param ctx           The generic cipher context. This must be initialized and
848  *                      bound to a key.
849  * \param input         The buffer holding the input data. This must be a
850  *                      readable buffer of at least \p ilen Bytes.
851  * \param ilen          The length of the input data.
852  * \param output        The buffer for the output data. This must be able to
853  *                      hold at least `ilen + block_size`. This must not be the
854  *                      same buffer as \p input.
855  * \param olen          The length of the output data, to be updated with the
856  *                      actual number of Bytes written. This must not be
857  *                      \c NULL.
858  *
859  * \return              \c 0 on success.
860  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
861  *                      parameter-verification failure.
862  * \return              #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an
863  *                      unsupported mode for a cipher.
864  * \return              A cipher-specific error code on failure.
865  */
866 int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx,
867                            const unsigned char *input,
868                            size_t ilen, unsigned char *output,
869                            size_t *olen );
870 
871 /**
872  * \brief               The generic cipher finalization function. If data still
873  *                      needs to be flushed from an incomplete block, the data
874  *                      contained in it is padded to the size of
875  *                      the last block, and written to the \p output buffer.
876  *
877  * \param ctx           The generic cipher context. This must be initialized and
878  *                      bound to a key.
879  * \param output        The buffer to write data to. This needs to be a writable
880  *                      buffer of at least \p block_size Bytes.
881  * \param olen          The length of the data written to the \p output buffer.
882  *                      This may not be \c NULL.
883  *
884  * \return              \c 0 on success.
885  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
886  *                      parameter-verification failure.
887  * \return              #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
888  *                      expecting a full block but not receiving one.
889  * \return              #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
890  *                      while decrypting.
891  * \return              A cipher-specific error code on failure.
892  */
893 int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
894                    unsigned char *output, size_t *olen );
895 
896 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
897 /**
898  * \brief               This function writes a tag for AEAD ciphers.
899  *                      Currently supported with GCM and ChaCha20+Poly1305.
900  *                      This must be called after mbedtls_cipher_finish().
901  *
902  * \param ctx           The generic cipher context. This must be initialized,
903  *                      bound to a key, and have just completed a cipher
904  *                      operation through mbedtls_cipher_finish() the tag for
905  *                      which should be written.
906  * \param tag           The buffer to write the tag to. This must be a writable
907  *                      buffer of at least \p tag_len Bytes.
908  * \param tag_len       The length of the tag to write.
909  *
910  * \return              \c 0 on success.
911  * \return              A specific error code on failure.
912  */
913 int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
914                       unsigned char *tag, size_t tag_len );
915 
916 /**
917  * \brief               This function checks the tag for AEAD ciphers.
918  *                      Currently supported with GCM and ChaCha20+Poly1305.
919  *                      This must be called after mbedtls_cipher_finish().
920  *
921  * \param ctx           The generic cipher context. This must be initialized.
922  * \param tag           The buffer holding the tag. This must be a readable
923  *                      buffer of at least \p tag_len Bytes.
924  * \param tag_len       The length of the tag to check.
925  *
926  * \return              \c 0 on success.
927  * \return              A specific error code on failure.
928  */
929 int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
930                       const unsigned char *tag, size_t tag_len );
931 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
932 
933 /**
934  * \brief               The generic all-in-one encryption/decryption function,
935  *                      for all ciphers except AEAD constructs.
936  *
937  * \param ctx           The generic cipher context. This must be initialized.
938  * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
939  *                      This must be a readable buffer of at least \p iv_len
940  *                      Bytes.
941  * \param iv_len        The IV length for ciphers with variable-size IV.
942  *                      This parameter is discarded by ciphers with fixed-size
943  *                      IV.
944  * \param input         The buffer holding the input data. This must be a
945  *                      readable buffer of at least \p ilen Bytes.
946  * \param ilen          The length of the input data in Bytes.
947  * \param output        The buffer for the output data. This must be able to
948  *                      hold at least `ilen + block_size`. This must not be the
949  *                      same buffer as \p input.
950  * \param olen          The length of the output data, to be updated with the
951  *                      actual number of Bytes written. This must not be
952  *                      \c NULL.
953  *
954  * \note                Some ciphers do not use IVs nor nonce. For these
955  *                      ciphers, use \p iv = NULL and \p iv_len = 0.
956  *
957  * \return              \c 0 on success.
958  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
959  *                      parameter-verification failure.
960  * \return              #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
961  *                      expecting a full block but not receiving one.
962  * \return              #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
963  *                      while decrypting.
964  * \return              A cipher-specific error code on failure.
965  */
966 int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
967                   const unsigned char *iv, size_t iv_len,
968                   const unsigned char *input, size_t ilen,
969                   unsigned char *output, size_t *olen );
970 
971 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
972 /**
973  * \brief               The authenticated encryption (AEAD/NIST_KW) function.
974  *
975  * \note                For AEAD modes, the tag will be appended to the
976  *                      ciphertext, as recommended by RFC 5116.
977  *                      (NIST_KW doesn't have a separate tag.)
978  *
979  * \param ctx           The generic cipher context. This must be initialized and
980  *                      bound to a key, with an AEAD algorithm or NIST_KW.
981  * \param iv            The nonce to use. This must be a readable buffer of
982  *                      at least \p iv_len Bytes and may be \c NULL if \p
983  *                      iv_len is \c 0.
984  * \param iv_len        The length of the nonce. For AEAD ciphers, this must
985  *                      satisfy the constraints imposed by the cipher used.
986  *                      For NIST_KW, this must be \c 0.
987  * \param ad            The additional data to authenticate. This must be a
988  *                      readable buffer of at least \p ad_len Bytes, and may
989  *                      be \c NULL is \p ad_len is \c 0.
990  * \param ad_len        The length of \p ad. For NIST_KW, this must be \c 0.
991  * \param input         The buffer holding the input data. This must be a
992  *                      readable buffer of at least \p ilen Bytes, and may be
993  *                      \c NULL if \p ilen is \c 0.
994  * \param ilen          The length of the input data.
995  * \param output        The buffer for the output data. This must be a
996  *                      writable buffer of at least \p output_len Bytes, and
997  *                      must not be \c NULL.
998  * \param output_len    The length of the \p output buffer in Bytes. For AEAD
999  *                      ciphers, this must be at least \p ilen + \p tag_len.
1000  *                      For NIST_KW, this must be at least \p ilen + 8
1001  *                      (rounded up to a multiple of 8 if KWP is used);
1002  *                      \p ilen + 15 is always a safe value.
1003  * \param olen          This will be filled with the actual number of Bytes
1004  *                      written to the \p output buffer. This must point to a
1005  *                      writable object of type \c size_t.
1006  * \param tag_len       The desired length of the authentication tag. For AEAD
1007  *                      ciphers, this must match the constraints imposed by
1008  *                      the cipher used, and in particular must not be \c 0.
1009  *                      For NIST_KW, this must be \c 0.
1010  *
1011  * \return              \c 0 on success.
1012  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
1013  *                      parameter-verification failure.
1014  * \return              A cipher-specific error code on failure.
1015  */
1016 int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx,
1017                          const unsigned char *iv, size_t iv_len,
1018                          const unsigned char *ad, size_t ad_len,
1019                          const unsigned char *input, size_t ilen,
1020                          unsigned char *output, size_t output_len,
1021                          size_t *olen, size_t tag_len );
1022 
1023 /**
1024  * \brief               The authenticated encryption (AEAD/NIST_KW) function.
1025  *
1026  * \note                If the data is not authentic, then the output buffer
1027  *                      is zeroed out to prevent the unauthentic plaintext being
1028  *                      used, making this interface safer.
1029  *
1030  * \note                For AEAD modes, the tag must be appended to the
1031  *                      ciphertext, as recommended by RFC 5116.
1032  *                      (NIST_KW doesn't have a separate tag.)
1033  *
1034  * \param ctx           The generic cipher context. This must be initialized and
1035  *                      bound to a key, with an AEAD algorithm or NIST_KW.
1036  * \param iv            The nonce to use. This must be a readable buffer of
1037  *                      at least \p iv_len Bytes and may be \c NULL if \p
1038  *                      iv_len is \c 0.
1039  * \param iv_len        The length of the nonce. For AEAD ciphers, this must
1040  *                      satisfy the constraints imposed by the cipher used.
1041  *                      For NIST_KW, this must be \c 0.
1042  * \param ad            The additional data to authenticate. This must be a
1043  *                      readable buffer of at least \p ad_len Bytes, and may
1044  *                      be \c NULL is \p ad_len is \c 0.
1045  * \param ad_len        The length of \p ad. For NIST_KW, this must be \c 0.
1046  * \param input         The buffer holding the input data. This must be a
1047  *                      readable buffer of at least \p ilen Bytes, and may be
1048  *                      \c NULL if \p ilen is \c 0.
1049  * \param ilen          The length of the input data. For AEAD ciphers this
1050  *                      must be at least \p tag_len. For NIST_KW this must be
1051  *                      at least \c 8.
1052  * \param output        The buffer for the output data. This must be a
1053  *                      writable buffer of at least \p output_len Bytes, and
1054  *                      may be \c NULL if \p output_len is \c 0.
1055  * \param output_len    The length of the \p output buffer in Bytes. For AEAD
1056  *                      ciphers, this must be at least \p ilen - \p tag_len.
1057  *                      For NIST_KW, this must be at least \p ilen - 8.
1058  * \param olen          This will be filled with the actual number of Bytes
1059  *                      written to the \p output buffer. This must point to a
1060  *                      writable object of type \c size_t.
1061  * \param tag_len       The actual length of the authentication tag. For AEAD
1062  *                      ciphers, this must match the constraints imposed by
1063  *                      the cipher used, and in particular must not be \c 0.
1064  *                      For NIST_KW, this must be \c 0.
1065  *
1066  * \return              \c 0 on success.
1067  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
1068  *                      parameter-verification failure.
1069  * \return              #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
1070  * \return              A cipher-specific error code on failure.
1071  */
1072 int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx,
1073                          const unsigned char *iv, size_t iv_len,
1074                          const unsigned char *ad, size_t ad_len,
1075                          const unsigned char *input, size_t ilen,
1076                          unsigned char *output, size_t output_len,
1077                          size_t *olen, size_t tag_len );
1078 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1079 #ifdef __cplusplus
1080 }
1081 #endif
1082 
1083 #endif /* MBEDTLS_CIPHER_H */
1084