]>
Commit | Line | Data |
---|---|---|
1 | /** | |
2 | * \file aes.h | |
3 | * | |
4 | * \brief This file contains AES definitions and functions. | |
5 | * | |
6 | * The Advanced Encryption Standard (AES) specifies a FIPS-approved | |
7 | * cryptographic algorithm that can be used to protect electronic | |
8 | * data. | |
9 | * | |
10 | * The AES algorithm is a symmetric block cipher that can | |
11 | * encrypt and decrypt information. For more information, see | |
12 | * <em>FIPS Publication 197: Advanced Encryption Standard</em> and | |
13 | * <em>ISO/IEC 18033-2:2006: Information technology -- Security | |
14 | * techniques -- Encryption algorithms -- Part 2: Asymmetric | |
15 | * ciphers</em>. | |
16 | * | |
17 | * The AES-XTS block mode is standardized by NIST SP 800-38E | |
18 | * <https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38e.pdf> | |
19 | * and described in detail by IEEE P1619 | |
20 | * <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>. | |
21 | */ | |
22 | ||
23 | /* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved. | |
24 | * SPDX-License-Identifier: GPL-2.0 | |
25 | * | |
26 | * This program is free software; you can redistribute it and/or modify | |
27 | * it under the terms of the GNU General Public License as published by | |
28 | * the Free Software Foundation; either version 2 of the License, or | |
29 | * (at your option) any later version. | |
30 | * | |
31 | * This program is distributed in the hope that it will be useful, | |
32 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
33 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
34 | * GNU General Public License for more details. | |
35 | * | |
36 | * You should have received a copy of the GNU General Public License along | |
37 | * with this program; if not, write to the Free Software Foundation, Inc., | |
38 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
39 | * | |
40 | * This file is part of Mbed TLS (https://tls.mbed.org) | |
41 | */ | |
42 | ||
43 | #ifndef MBEDTLS_AES_H | |
44 | #define MBEDTLS_AES_H | |
45 | ||
46 | #if !defined(MBEDTLS_CONFIG_FILE) | |
47 | #include "config.h" | |
48 | #else | |
49 | #include MBEDTLS_CONFIG_FILE | |
50 | #endif | |
51 | ||
52 | #include <stddef.h> | |
53 | #include <stdint.h> | |
54 | ||
55 | /* padlock.c and aesni.c rely on these values! */ | |
56 | #define MBEDTLS_AES_ENCRYPT 1 /**< AES encryption. */ | |
57 | #define MBEDTLS_AES_DECRYPT 0 /**< AES decryption. */ | |
58 | ||
59 | /* Error codes in range 0x0020-0x0022 */ | |
60 | #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 /**< Invalid key length. */ | |
61 | #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022 /**< Invalid data input length. */ | |
62 | ||
63 | /* Error codes in range 0x0021-0x0025 */ | |
64 | #define MBEDTLS_ERR_AES_BAD_INPUT_DATA -0x0021 /**< Invalid input data. */ | |
65 | #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x0023 /**< Feature not available. For example, an unsupported AES key size. */ | |
66 | #define MBEDTLS_ERR_AES_HW_ACCEL_FAILED -0x0025 /**< AES hardware accelerator failed. */ | |
67 | ||
68 | #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ | |
69 | !defined(inline) && !defined(__cplusplus) | |
70 | #define inline __inline | |
71 | #endif | |
72 | ||
73 | #ifdef __cplusplus | |
74 | extern "C" { | |
75 | #endif | |
76 | ||
77 | #if !defined(MBEDTLS_AES_ALT) | |
78 | // Regular implementation | |
79 | // | |
80 | ||
81 | /** | |
82 | * \brief The AES context-type definition. | |
83 | */ | |
84 | typedef struct mbedtls_aes_context | |
85 | { | |
86 | int nr; /*!< The number of rounds. */ | |
87 | uint32_t *rk; /*!< AES round keys. */ | |
88 | uint32_t buf[68]; /*!< Unaligned data buffer. This buffer can | |
89 | hold 32 extra Bytes, which can be used for | |
90 | one of the following purposes: | |
91 | <ul><li>Alignment if VIA padlock is | |
92 | used.</li> | |
93 | <li>Simplifying key expansion in the 256-bit | |
94 | case by generating an extra round key. | |
95 | </li></ul> */ | |
96 | } | |
97 | mbedtls_aes_context; | |
98 | ||
99 | #if defined(MBEDTLS_CIPHER_MODE_XTS) | |
100 | /** | |
101 | * \brief The AES XTS context-type definition. | |
102 | */ | |
103 | typedef struct mbedtls_aes_xts_context | |
104 | { | |
105 | mbedtls_aes_context crypt; /*!< The AES context to use for AES block | |
106 | encryption or decryption. */ | |
107 | mbedtls_aes_context tweak; /*!< The AES context used for tweak | |
108 | computation. */ | |
109 | } mbedtls_aes_xts_context; | |
110 | #endif /* MBEDTLS_CIPHER_MODE_XTS */ | |
111 | ||
112 | #else /* MBEDTLS_AES_ALT */ | |
113 | #include "aes_alt.h" | |
114 | #endif /* MBEDTLS_AES_ALT */ | |
115 | ||
116 | /** | |
117 | * \brief This function initializes the specified AES context. | |
118 | * | |
119 | * It must be the first API called before using | |
120 | * the context. | |
121 | * | |
122 | * \param ctx The AES context to initialize. | |
123 | */ | |
124 | void mbedtls_aes_init( mbedtls_aes_context *ctx ); | |
125 | ||
126 | /** | |
127 | * \brief This function releases and clears the specified AES context. | |
128 | * | |
129 | * \param ctx The AES context to clear. | |
130 | */ | |
131 | void mbedtls_aes_free( mbedtls_aes_context *ctx ); | |
132 | ||
133 | #if defined(MBEDTLS_CIPHER_MODE_XTS) | |
134 | /** | |
135 | * \brief This function initializes the specified AES XTS context. | |
136 | * | |
137 | * It must be the first API called before using | |
138 | * the context. | |
139 | * | |
140 | * \param ctx The AES XTS context to initialize. | |
141 | */ | |
142 | void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx ); | |
143 | ||
144 | /** | |
145 | * \brief This function releases and clears the specified AES XTS context. | |
146 | * | |
147 | * \param ctx The AES XTS context to clear. | |
148 | */ | |
149 | void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx ); | |
150 | #endif /* MBEDTLS_CIPHER_MODE_XTS */ | |
151 | ||
152 | /** | |
153 | * \brief This function sets the encryption key. | |
154 | * | |
155 | * \param ctx The AES context to which the key should be bound. | |
156 | * \param key The encryption key. | |
157 | * \param keybits The size of data passed in bits. Valid options are: | |
158 | * <ul><li>128 bits</li> | |
159 | * <li>192 bits</li> | |
160 | * <li>256 bits</li></ul> | |
161 | * | |
162 | * \return \c 0 on success. | |
163 | * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure. | |
164 | */ | |
165 | int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, | |
166 | unsigned int keybits ); | |
167 | ||
168 | /** | |
169 | * \brief This function sets the decryption key. | |
170 | * | |
171 | * \param ctx The AES context to which the key should be bound. | |
172 | * \param key The decryption key. | |
173 | * \param keybits The size of data passed. Valid options are: | |
174 | * <ul><li>128 bits</li> | |
175 | * <li>192 bits</li> | |
176 | * <li>256 bits</li></ul> | |
177 | * | |
178 | * \return \c 0 on success. | |
179 | * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure. | |
180 | */ | |
181 | int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, | |
182 | unsigned int keybits ); | |
183 | ||
184 | #if defined(MBEDTLS_CIPHER_MODE_XTS) | |
185 | /** | |
186 | * \brief This function prepares an XTS context for encryption and | |
187 | * sets the encryption key. | |
188 | * | |
189 | * \param ctx The AES XTS context to which the key should be bound. | |
190 | * \param key The encryption key. This is comprised of the XTS key1 | |
191 | * concatenated with the XTS key2. | |
192 | * \param keybits The size of \p key passed in bits. Valid options are: | |
193 | * <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li> | |
194 | * <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul> | |
195 | * | |
196 | * \return \c 0 on success. | |
197 | * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure. | |
198 | */ | |
199 | int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx, | |
200 | const unsigned char *key, | |
201 | unsigned int keybits ); | |
202 | ||
203 | /** | |
204 | * \brief This function prepares an XTS context for decryption and | |
205 | * sets the decryption key. | |
206 | * | |
207 | * \param ctx The AES XTS context to which the key should be bound. | |
208 | * \param key The decryption key. This is comprised of the XTS key1 | |
209 | * concatenated with the XTS key2. | |
210 | * \param keybits The size of \p key passed in bits. Valid options are: | |
211 | * <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li> | |
212 | * <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul> | |
213 | * | |
214 | * \return \c 0 on success. | |
215 | * \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure. | |
216 | */ | |
217 | int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx, | |
218 | const unsigned char *key, | |
219 | unsigned int keybits ); | |
220 | #endif /* MBEDTLS_CIPHER_MODE_XTS */ | |
221 | ||
222 | /** | |
223 | * \brief This function performs an AES single-block encryption or | |
224 | * decryption operation. | |
225 | * | |
226 | * It performs the operation defined in the \p mode parameter | |
227 | * (encrypt or decrypt), on the input data buffer defined in | |
228 | * the \p input parameter. | |
229 | * | |
230 | * mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or | |
231 | * mbedtls_aes_setkey_dec() must be called before the first | |
232 | * call to this API with the same context. | |
233 | * | |
234 | * \param ctx The AES context to use for encryption or decryption. | |
235 | * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or | |
236 | * #MBEDTLS_AES_DECRYPT. | |
237 | * \param input The 16-Byte buffer holding the input data. | |
238 | * \param output The 16-Byte buffer holding the output data. | |
239 | ||
240 | * \return \c 0 on success. | |
241 | */ | |
242 | int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, | |
243 | int mode, | |
244 | const unsigned char input[16], | |
245 | unsigned char output[16] ); | |
246 | ||
247 | #if defined(MBEDTLS_CIPHER_MODE_CBC) | |
248 | /** | |
249 | * \brief This function performs an AES-CBC encryption or decryption operation | |
250 | * on full blocks. | |
251 | * | |
252 | * It performs the operation defined in the \p mode | |
253 | * parameter (encrypt/decrypt), on the input data buffer defined in | |
254 | * the \p input parameter. | |
255 | * | |
256 | * It can be called as many times as needed, until all the input | |
257 | * data is processed. mbedtls_aes_init(), and either | |
258 | * mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called | |
259 | * before the first call to this API with the same context. | |
260 | * | |
261 | * \note This function operates on aligned blocks, that is, the input size | |
262 | * must be a multiple of the AES block size of 16 Bytes. | |
263 | * | |
264 | * \note Upon exit, the content of the IV is updated so that you can | |
265 | * call the same function again on the next | |
266 | * block(s) of data and get the same result as if it was | |
267 | * encrypted in one call. This allows a "streaming" usage. | |
268 | * If you need to retain the contents of the IV, you should | |
269 | * either save it manually or use the cipher module instead. | |
270 | * | |
271 | * | |
272 | * \param ctx The AES context to use for encryption or decryption. | |
273 | * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or | |
274 | * #MBEDTLS_AES_DECRYPT. | |
275 | * \param length The length of the input data in Bytes. This must be a | |
276 | * multiple of the block size (16 Bytes). | |
277 | * \param iv Initialization vector (updated after use). | |
278 | * \param input The buffer holding the input data. | |
279 | * \param output The buffer holding the output data. | |
280 | * | |
281 | * \return \c 0 on success. | |
282 | * \return #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH | |
283 | * on failure. | |
284 | */ | |
285 | int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, | |
286 | int mode, | |
287 | size_t length, | |
288 | unsigned char iv[16], | |
289 | const unsigned char *input, | |
290 | unsigned char *output ); | |
291 | #endif /* MBEDTLS_CIPHER_MODE_CBC */ | |
292 | ||
293 | #if defined(MBEDTLS_CIPHER_MODE_XTS) | |
294 | /** | |
295 | * \brief This function performs an AES-XTS encryption or decryption | |
296 | * operation for an entire XTS data unit. | |
297 | * | |
298 | * AES-XTS encrypts or decrypts blocks based on their location as | |
299 | * defined by a data unit number. The data unit number must be | |
300 | * provided by \p data_unit. | |
301 | * | |
302 | * NIST SP 800-38E limits the maximum size of a data unit to 2^20 | |
303 | * AES blocks. If the data unit is larger than this, this function | |
304 | * returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH. | |
305 | * | |
306 | * \param ctx The AES XTS context to use for AES XTS operations. | |
307 | * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or | |
308 | * #MBEDTLS_AES_DECRYPT. | |
309 | * \param length The length of a data unit in bytes. This can be any | |
310 | * length between 16 bytes and 2^24 bytes inclusive | |
311 | * (between 1 and 2^20 block cipher blocks). | |
312 | * \param data_unit The address of the data unit encoded as an array of 16 | |
313 | * bytes in little-endian format. For disk encryption, this | |
314 | * is typically the index of the block device sector that | |
315 | * contains the data. | |
316 | * \param input The buffer holding the input data (which is an entire | |
317 | * data unit). This function reads \p length bytes from \p | |
318 | * input. | |
319 | * \param output The buffer holding the output data (which is an entire | |
320 | * data unit). This function writes \p length bytes to \p | |
321 | * output. | |
322 | * | |
323 | * \return \c 0 on success. | |
324 | * \return #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is | |
325 | * smaller than an AES block in size (16 bytes) or if \p | |
326 | * length is larger than 2^20 blocks (16 MiB). | |
327 | */ | |
328 | int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx, | |
329 | int mode, | |
330 | size_t length, | |
331 | const unsigned char data_unit[16], | |
332 | const unsigned char *input, | |
333 | unsigned char *output ); | |
334 | #endif /* MBEDTLS_CIPHER_MODE_XTS */ | |
335 | ||
336 | #if defined(MBEDTLS_CIPHER_MODE_CFB) | |
337 | /** | |
338 | * \brief This function performs an AES-CFB128 encryption or decryption | |
339 | * operation. | |
340 | * | |
341 | * It performs the operation defined in the \p mode | |
342 | * parameter (encrypt or decrypt), on the input data buffer | |
343 | * defined in the \p input parameter. | |
344 | * | |
345 | * For CFB, you must set up the context with mbedtls_aes_setkey_enc(), | |
346 | * regardless of whether you are performing an encryption or decryption | |
347 | * operation, that is, regardless of the \p mode parameter. This is | |
348 | * because CFB mode uses the same key schedule for encryption and | |
349 | * decryption. | |
350 | * | |
351 | * \note Upon exit, the content of the IV is updated so that you can | |
352 | * call the same function again on the next | |
353 | * block(s) of data and get the same result as if it was | |
354 | * encrypted in one call. This allows a "streaming" usage. | |
355 | * If you need to retain the contents of the | |
356 | * IV, you must either save it manually or use the cipher | |
357 | * module instead. | |
358 | * | |
359 | * | |
360 | * \param ctx The AES context to use for encryption or decryption. | |
361 | * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or | |
362 | * #MBEDTLS_AES_DECRYPT. | |
363 | * \param length The length of the input data. | |
364 | * \param iv_off The offset in IV (updated after use). | |
365 | * \param iv The initialization vector (updated after use). | |
366 | * \param input The buffer holding the input data. | |
367 | * \param output The buffer holding the output data. | |
368 | * | |
369 | * \return \c 0 on success. | |
370 | */ | |
371 | int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, | |
372 | int mode, | |
373 | size_t length, | |
374 | size_t *iv_off, | |
375 | unsigned char iv[16], | |
376 | const unsigned char *input, | |
377 | unsigned char *output ); | |
378 | ||
379 | /** | |
380 | * \brief This function performs an AES-CFB8 encryption or decryption | |
381 | * operation. | |
382 | * | |
383 | * It performs the operation defined in the \p mode | |
384 | * parameter (encrypt/decrypt), on the input data buffer defined | |
385 | * in the \p input parameter. | |
386 | * | |
387 | * Due to the nature of CFB, you must use the same key schedule for | |
388 | * both encryption and decryption operations. Therefore, you must | |
389 | * use the context initialized with mbedtls_aes_setkey_enc() for | |
390 | * both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT. | |
391 | * | |
392 | * \note Upon exit, the content of the IV is updated so that you can | |
393 | * call the same function again on the next | |
394 | * block(s) of data and get the same result as if it was | |
395 | * encrypted in one call. This allows a "streaming" usage. | |
396 | * If you need to retain the contents of the | |
397 | * IV, you should either save it manually or use the cipher | |
398 | * module instead. | |
399 | * | |
400 | * | |
401 | * \param ctx The AES context to use for encryption or decryption. | |
402 | * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or | |
403 | * #MBEDTLS_AES_DECRYPT | |
404 | * \param length The length of the input data. | |
405 | * \param iv The initialization vector (updated after use). | |
406 | * \param input The buffer holding the input data. | |
407 | * \param output The buffer holding the output data. | |
408 | * | |
409 | * \return \c 0 on success. | |
410 | */ | |
411 | int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, | |
412 | int mode, | |
413 | size_t length, | |
414 | unsigned char iv[16], | |
415 | const unsigned char *input, | |
416 | unsigned char *output ); | |
417 | #endif /*MBEDTLS_CIPHER_MODE_CFB */ | |
418 | ||
419 | #if defined(MBEDTLS_CIPHER_MODE_OFB) | |
420 | /** | |
421 | * \brief This function performs an AES-OFB (Output Feedback Mode) | |
422 | * encryption or decryption operation. | |
423 | * | |
424 | * For OFB, you must set up the context with | |
425 | * mbedtls_aes_setkey_enc(), regardless of whether you are | |
426 | * performing an encryption or decryption operation. This is | |
427 | * because OFB mode uses the same key schedule for encryption and | |
428 | * decryption. | |
429 | * | |
430 | * The OFB operation is identical for encryption or decryption, | |
431 | * therefore no operation mode needs to be specified. | |
432 | * | |
433 | * \note Upon exit, the content of iv, the Initialisation Vector, is | |
434 | * updated so that you can call the same function again on the next | |
435 | * block(s) of data and get the same result as if it was encrypted | |
436 | * in one call. This allows a "streaming" usage, by initialising | |
437 | * iv_off to 0 before the first call, and preserving its value | |
438 | * between calls. | |
439 | * | |
440 | * For non-streaming use, the iv should be initialised on each call | |
441 | * to a unique value, and iv_off set to 0 on each call. | |
442 | * | |
443 | * If you need to retain the contents of the initialisation vector, | |
444 | * you must either save it manually or use the cipher module | |
445 | * instead. | |
446 | * | |
447 | * \warning For the OFB mode, the initialisation vector must be unique | |
448 | * every encryption operation. Reuse of an initialisation vector | |
449 | * will compromise security. | |
450 | * | |
451 | * \param ctx The AES context to use for encryption or decryption. | |
452 | * \param length The length of the input data. | |
453 | * \param iv_off The offset in IV (updated after use). | |
454 | * \param iv The initialization vector (updated after use). | |
455 | * \param input The buffer holding the input data. | |
456 | * \param output The buffer holding the output data. | |
457 | * | |
458 | * \return \c 0 on success. | |
459 | */ | |
460 | int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx, | |
461 | size_t length, | |
462 | size_t *iv_off, | |
463 | unsigned char iv[16], | |
464 | const unsigned char *input, | |
465 | unsigned char *output ); | |
466 | ||
467 | #endif /* MBEDTLS_CIPHER_MODE_OFB */ | |
468 | ||
469 | #if defined(MBEDTLS_CIPHER_MODE_CTR) | |
470 | /** | |
471 | * \brief This function performs an AES-CTR encryption or decryption | |
472 | * operation. | |
473 | * | |
474 | * This function performs the operation defined in the \p mode | |
475 | * parameter (encrypt/decrypt), on the input data buffer | |
476 | * defined in the \p input parameter. | |
477 | * | |
478 | * Due to the nature of CTR, you must use the same key schedule | |
479 | * for both encryption and decryption operations. Therefore, you | |
480 | * must use the context initialized with mbedtls_aes_setkey_enc() | |
481 | * for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT. | |
482 | * | |
483 | * \warning You must never reuse a nonce value with the same key. Doing so | |
484 | * would void the encryption for the two messages encrypted with | |
485 | * the same nonce and key. | |
486 | * | |
487 | * There are two common strategies for managing nonces with CTR: | |
488 | * | |
489 | * 1. You can handle everything as a single message processed over | |
490 | * successive calls to this function. In that case, you want to | |
491 | * set \p nonce_counter and \p nc_off to 0 for the first call, and | |
492 | * then preserve the values of \p nonce_counter, \p nc_off and \p | |
493 | * stream_block across calls to this function as they will be | |
494 | * updated by this function. | |
495 | * | |
496 | * With this strategy, you must not encrypt more than 2**128 | |
497 | * blocks of data with the same key. | |
498 | * | |
499 | * 2. You can encrypt separate messages by dividing the \p | |
500 | * nonce_counter buffer in two areas: the first one used for a | |
501 | * per-message nonce, handled by yourself, and the second one | |
502 | * updated by this function internally. | |
503 | * | |
504 | * For example, you might reserve the first 12 bytes for the | |
505 | * per-message nonce, and the last 4 bytes for internal use. In that | |
506 | * case, before calling this function on a new message you need to | |
507 | * set the first 12 bytes of \p nonce_counter to your chosen nonce | |
508 | * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p | |
509 | * stream_block to be ignored). That way, you can encrypt at most | |
510 | * 2**96 messages of up to 2**32 blocks each with the same key. | |
511 | * | |
512 | * The per-message nonce (or information sufficient to reconstruct | |
513 | * it) needs to be communicated with the ciphertext and must be unique. | |
514 | * The recommended way to ensure uniqueness is to use a message | |
515 | * counter. An alternative is to generate random nonces, but this | |
516 | * limits the number of messages that can be securely encrypted: | |
517 | * for example, with 96-bit random nonces, you should not encrypt | |
518 | * more than 2**32 messages with the same key. | |
519 | * | |
520 | * Note that for both stategies, sizes are measured in blocks and | |
521 | * that an AES block is 16 bytes. | |
522 | * | |
523 | * \warning Upon return, \p stream_block contains sensitive data. Its | |
524 | * content must not be written to insecure storage and should be | |
525 | * securely discarded as soon as it's no longer needed. | |
526 | * | |
527 | * \param ctx The AES context to use for encryption or decryption. | |
528 | * \param length The length of the input data. | |
529 | * \param nc_off The offset in the current \p stream_block, for | |
530 | * resuming within the current cipher stream. The | |
531 | * offset pointer should be 0 at the start of a stream. | |
532 | * \param nonce_counter The 128-bit nonce and counter. | |
533 | * \param stream_block The saved stream block for resuming. This is | |
534 | * overwritten by the function. | |
535 | * \param input The buffer holding the input data. | |
536 | * \param output The buffer holding the output data. | |
537 | * | |
538 | * \return \c 0 on success. | |
539 | */ | |
540 | int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, | |
541 | size_t length, | |
542 | size_t *nc_off, | |
543 | unsigned char nonce_counter[16], | |
544 | unsigned char stream_block[16], | |
545 | const unsigned char *input, | |
546 | unsigned char *output ); | |
547 | #endif /* MBEDTLS_CIPHER_MODE_CTR */ | |
548 | ||
549 | /** | |
550 | * \brief Internal AES block encryption function. This is only | |
551 | * exposed to allow overriding it using | |
552 | * \c MBEDTLS_AES_ENCRYPT_ALT. | |
553 | * | |
554 | * \param ctx The AES context to use for encryption. | |
555 | * \param input The plaintext block. | |
556 | * \param output The output (ciphertext) block. | |
557 | * | |
558 | * \return \c 0 on success. | |
559 | */ | |
560 | int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, | |
561 | const unsigned char input[16], | |
562 | unsigned char output[16] ); | |
563 | ||
564 | /** | |
565 | * \brief Internal AES block decryption function. This is only | |
566 | * exposed to allow overriding it using see | |
567 | * \c MBEDTLS_AES_DECRYPT_ALT. | |
568 | * | |
569 | * \param ctx The AES context to use for decryption. | |
570 | * \param input The ciphertext block. | |
571 | * \param output The output (plaintext) block. | |
572 | * | |
573 | * \return \c 0 on success. | |
574 | */ | |
575 | int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, | |
576 | const unsigned char input[16], | |
577 | unsigned char output[16] ); | |
578 | ||
579 | #if !defined(MBEDTLS_DEPRECATED_REMOVED) | |
580 | #if defined(MBEDTLS_DEPRECATED_WARNING) | |
581 | #define MBEDTLS_DEPRECATED __attribute__((deprecated)) | |
582 | #else | |
583 | #define MBEDTLS_DEPRECATED | |
584 | #endif | |
585 | /** | |
586 | * \brief Deprecated internal AES block encryption function | |
587 | * without return value. | |
588 | * | |
589 | * \deprecated Superseded by mbedtls_aes_encrypt_ext() in 2.5.0. | |
590 | * | |
591 | * \param ctx The AES context to use for encryption. | |
592 | * \param input Plaintext block. | |
593 | * \param output Output (ciphertext) block. | |
594 | */ | |
595 | MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, | |
596 | const unsigned char input[16], | |
597 | unsigned char output[16] ); | |
598 | ||
599 | /** | |
600 | * \brief Deprecated internal AES block decryption function | |
601 | * without return value. | |
602 | * | |
603 | * \deprecated Superseded by mbedtls_aes_decrypt_ext() in 2.5.0. | |
604 | * | |
605 | * \param ctx The AES context to use for decryption. | |
606 | * \param input Ciphertext block. | |
607 | * \param output Output (plaintext) block. | |
608 | */ | |
609 | MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, | |
610 | const unsigned char input[16], | |
611 | unsigned char output[16] ); | |
612 | ||
613 | #undef MBEDTLS_DEPRECATED | |
614 | #endif /* !MBEDTLS_DEPRECATED_REMOVED */ | |
615 | ||
616 | /** | |
617 | * \brief Checkup routine. | |
618 | * | |
619 | * \return \c 0 on success. | |
620 | * \return \c 1 on failure. | |
621 | */ | |
622 | int mbedtls_aes_self_test( int verbose ); | |
623 | ||
624 | #ifdef __cplusplus | |
625 | } | |
626 | #endif | |
627 | ||
628 | #endif /* aes.h */ |