• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /**
2  * \file aes.h
3  *
4  * \brief   This file contains AES definitions and functions.
5  *
6  *          The Advanced Encryption Standard (AES) specifies a FIPS-approved
7  *          cryptographic algorithm that can be used to protect electronic
8  *          data.
9  *
10  *          The AES algorithm is a symmetric block cipher that can
11  *          encrypt and decrypt information. For more information, see
12  *          <em>FIPS Publication 197: Advanced Encryption Standard</em> and
13  *          <em>ISO/IEC 18033-2:2006: Information technology -- Security
14  *          techniques -- Encryption algorithms -- Part 2: Asymmetric
15  *          ciphers</em>.
16  *
17  *          The AES-XTS block mode is standardized by NIST SP 800-38E
18  *          <https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38e.pdf>
19  *          and described in detail by IEEE P1619
20  *          <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
21  */
22 
23 /*
24  *  Copyright The Mbed TLS Contributors
25  *  SPDX-License-Identifier: Apache-2.0
26  *
27  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
28  *  not use this file except in compliance with the License.
29  *  You may obtain a copy of the License at
30  *
31  *  http://www.apache.org/licenses/LICENSE-2.0
32  *
33  *  Unless required by applicable law or agreed to in writing, software
34  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
35  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
36  *  See the License for the specific language governing permissions and
37  *  limitations under the License.
38  */
39 
40 #ifndef MBEDTLS_AES_H
41 #define MBEDTLS_AES_H
42 #include "mbedtls/private_access.h"
43 
44 #include "mbedtls/build_info.h"
45 #include "mbedtls/platform_util.h"
46 
47 #include <stddef.h>
48 #include <stdint.h>
49 
50 /* padlock.c and aesni.c rely on these values! */
51 #define MBEDTLS_AES_ENCRYPT     1 /**< AES encryption. */
52 #define MBEDTLS_AES_DECRYPT     0 /**< AES decryption. */
53 
54 /* Error codes in range 0x0020-0x0022 */
55 /** Invalid key length. */
56 #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH                -0x0020
57 /** Invalid data input length. */
58 #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH              -0x0022
59 
60 /* Error codes in range 0x0021-0x0025 */
61 /** Invalid input data. */
62 #define MBEDTLS_ERR_AES_BAD_INPUT_DATA                    -0x0021
63 
64 #ifdef __cplusplus
65 extern "C" {
66 #endif
67 
68 #if !defined(MBEDTLS_AES_ALT)
69 // Regular implementation
70 //
71 
72 /**
73  * \brief The AES context-type definition.
74  */
75 typedef struct mbedtls_aes_context {
76     int MBEDTLS_PRIVATE(nr);                     /*!< The number of rounds. */
77     size_t MBEDTLS_PRIVATE(rk_offset);           /*!< The offset in array elements to AES
78                                                     round keys in the buffer. */
79     uint32_t MBEDTLS_PRIVATE(buf)[68];           /*!< Unaligned data buffer. This buffer can
80                                                     hold 32 extra Bytes, which can be used for
81                                                     one of the following purposes:
82                                                     <ul><li>Alignment if VIA padlock is
83                                                     used.</li>
84                                                     <li>Simplifying key expansion in the 256-bit
85                                                     case by generating an extra round key.
86                                                     </li></ul> */
87 }
88 mbedtls_aes_context;
89 
90 #if defined(MBEDTLS_CIPHER_MODE_XTS)
91 /**
92  * \brief The AES XTS context-type definition.
93  */
94 typedef struct mbedtls_aes_xts_context {
95     mbedtls_aes_context MBEDTLS_PRIVATE(crypt); /*!< The AES context to use for AES block
96                                                    encryption or decryption. */
97     mbedtls_aes_context MBEDTLS_PRIVATE(tweak); /*!< The AES context used for tweak
98                                                    computation. */
99 } mbedtls_aes_xts_context;
100 #endif /* MBEDTLS_CIPHER_MODE_XTS */
101 
102 #else  /* MBEDTLS_AES_ALT */
103 #include "aes_alt.h"
104 #endif /* MBEDTLS_AES_ALT */
105 
106 /**
107  * \brief          This function initializes the specified AES context.
108  *
109  *                 It must be the first API called before using
110  *                 the context.
111  *
112  * \param ctx      The AES context to initialize. This must not be \c NULL.
113  */
114 void mbedtls_aes_init(mbedtls_aes_context *ctx);
115 
116 /**
117  * \brief          This function releases and clears the specified AES context.
118  *
119  * \param ctx      The AES context to clear.
120  *                 If this is \c NULL, this function does nothing.
121  *                 Otherwise, the context must have been at least initialized.
122  */
123 void mbedtls_aes_free(mbedtls_aes_context *ctx);
124 
125 #if defined(MBEDTLS_CIPHER_MODE_XTS)
126 /**
127  * \brief          This function initializes the specified AES XTS context.
128  *
129  *                 It must be the first API called before using
130  *                 the context.
131  *
132  * \param ctx      The AES XTS context to initialize. This must not be \c NULL.
133  */
134 void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx);
135 
136 /**
137  * \brief          This function releases and clears the specified AES XTS context.
138  *
139  * \param ctx      The AES XTS context to clear.
140  *                 If this is \c NULL, this function does nothing.
141  *                 Otherwise, the context must have been at least initialized.
142  */
143 void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx);
144 #endif /* MBEDTLS_CIPHER_MODE_XTS */
145 
146 /**
147  * \brief          This function sets the encryption key.
148  *
149  * \param ctx      The AES context to which the key should be bound.
150  *                 It must be initialized.
151  * \param key      The encryption key.
152  *                 This must be a readable buffer of size \p keybits bits.
153  * \param keybits  The size of data passed in bits. Valid options are:
154  *                 <ul><li>128 bits</li>
155  *                 <li>192 bits</li>
156  *                 <li>256 bits</li></ul>
157  *
158  * \return         \c 0 on success.
159  * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
160  */
161 MBEDTLS_CHECK_RETURN_TYPICAL
162 int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
163                            unsigned int keybits);
164 
165 /**
166  * \brief          This function sets the decryption key.
167  *
168  * \param ctx      The AES context to which the key should be bound.
169  *                 It must be initialized.
170  * \param key      The decryption key.
171  *                 This must be a readable buffer of size \p keybits bits.
172  * \param keybits  The size of data passed. Valid options are:
173  *                 <ul><li>128 bits</li>
174  *                 <li>192 bits</li>
175  *                 <li>256 bits</li></ul>
176  *
177  * \return         \c 0 on success.
178  * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
179  */
180 MBEDTLS_CHECK_RETURN_TYPICAL
181 int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
182                            unsigned int keybits);
183 
184 #if defined(MBEDTLS_CIPHER_MODE_XTS)
185 /**
186  * \brief          This function prepares an XTS context for encryption and
187  *                 sets the encryption key.
188  *
189  * \param ctx      The AES XTS context to which the key should be bound.
190  *                 It must be initialized.
191  * \param key      The encryption key. This is comprised of the XTS key1
192  *                 concatenated with the XTS key2.
193  *                 This must be a readable buffer of size \p keybits bits.
194  * \param keybits  The size of \p key passed in bits. Valid options are:
195  *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
196  *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
197  *
198  * \return         \c 0 on success.
199  * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
200  */
201 MBEDTLS_CHECK_RETURN_TYPICAL
202 int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
203                                const unsigned char *key,
204                                unsigned int keybits);
205 
206 /**
207  * \brief          This function prepares an XTS context for decryption and
208  *                 sets the decryption key.
209  *
210  * \param ctx      The AES XTS context to which the key should be bound.
211  *                 It must be initialized.
212  * \param key      The decryption key. This is comprised of the XTS key1
213  *                 concatenated with the XTS key2.
214  *                 This must be a readable buffer of size \p keybits bits.
215  * \param keybits  The size of \p key passed in bits. Valid options are:
216  *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
217  *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
218  *
219  * \return         \c 0 on success.
220  * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
221  */
222 MBEDTLS_CHECK_RETURN_TYPICAL
223 int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
224                                const unsigned char *key,
225                                unsigned int keybits);
226 #endif /* MBEDTLS_CIPHER_MODE_XTS */
227 
228 /**
229  * \brief          This function performs an AES single-block encryption or
230  *                 decryption operation.
231  *
232  *                 It performs the operation defined in the \p mode parameter
233  *                 (encrypt or decrypt), on the input data buffer defined in
234  *                 the \p input parameter.
235  *
236  *                 mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or
237  *                 mbedtls_aes_setkey_dec() must be called before the first
238  *                 call to this API with the same context.
239  *
240  * \param ctx      The AES context to use for encryption or decryption.
241  *                 It must be initialized and bound to a key.
242  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
243  *                 #MBEDTLS_AES_DECRYPT.
244  * \param input    The buffer holding the input data.
245  *                 It must be readable and at least \c 16 Bytes long.
246  * \param output   The buffer where the output data will be written.
247  *                 It must be writeable and at least \c 16 Bytes long.
248 
249  * \return         \c 0 on success.
250  */
251 MBEDTLS_CHECK_RETURN_TYPICAL
252 int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
253                           int mode,
254                           const unsigned char input[16],
255                           unsigned char output[16]);
256 
257 #if defined(MBEDTLS_CIPHER_MODE_CBC)
258 /**
259  * \brief  This function performs an AES-CBC encryption or decryption operation
260  *         on full blocks.
261  *
262  *         It performs the operation defined in the \p mode
263  *         parameter (encrypt/decrypt), on the input data buffer defined in
264  *         the \p input parameter.
265  *
266  *         It can be called as many times as needed, until all the input
267  *         data is processed. mbedtls_aes_init(), and either
268  *         mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called
269  *         before the first call to this API with the same context.
270  *
271  * \note   This function operates on full blocks, that is, the input size
272  *         must be a multiple of the AES block size of \c 16 Bytes.
273  *
274  * \note   Upon exit, the content of the IV is updated so that you can
275  *         call the same function again on the next
276  *         block(s) of data and get the same result as if it was
277  *         encrypted in one call. This allows a "streaming" usage.
278  *         If you need to retain the contents of the IV, you should
279  *         either save it manually or use the cipher module instead.
280  *
281  *
282  * \param ctx      The AES context to use for encryption or decryption.
283  *                 It must be initialized and bound to a key.
284  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
285  *                 #MBEDTLS_AES_DECRYPT.
286  * \param length   The length of the input data in Bytes. This must be a
287  *                 multiple of the block size (\c 16 Bytes).
288  * \param iv       Initialization vector (updated after use).
289  *                 It must be a readable and writeable buffer of \c 16 Bytes.
290  * \param input    The buffer holding the input data.
291  *                 It must be readable and of size \p length Bytes.
292  * \param output   The buffer holding the output data.
293  *                 It must be writeable and of size \p length Bytes.
294  *
295  * \return         \c 0 on success.
296  * \return         #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
297  *                 on failure.
298  */
299 MBEDTLS_CHECK_RETURN_TYPICAL
300 int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
301                           int mode,
302                           size_t length,
303                           unsigned char iv[16],
304                           const unsigned char *input,
305                           unsigned char *output);
306 #endif /* MBEDTLS_CIPHER_MODE_CBC */
307 
308 #if defined(MBEDTLS_CIPHER_MODE_XTS)
309 /**
310  * \brief      This function performs an AES-XTS encryption or decryption
311  *             operation for an entire XTS data unit.
312  *
313  *             AES-XTS encrypts or decrypts blocks based on their location as
314  *             defined by a data unit number. The data unit number must be
315  *             provided by \p data_unit.
316  *
317  *             NIST SP 800-38E limits the maximum size of a data unit to 2^20
318  *             AES blocks. If the data unit is larger than this, this function
319  *             returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
320  *
321  * \param ctx          The AES XTS context to use for AES XTS operations.
322  *                     It must be initialized and bound to a key.
323  * \param mode         The AES operation: #MBEDTLS_AES_ENCRYPT or
324  *                     #MBEDTLS_AES_DECRYPT.
325  * \param length       The length of a data unit in Bytes. This can be any
326  *                     length between 16 bytes and 2^24 bytes inclusive
327  *                     (between 1 and 2^20 block cipher blocks).
328  * \param data_unit    The address of the data unit encoded as an array of 16
329  *                     bytes in little-endian format. For disk encryption, this
330  *                     is typically the index of the block device sector that
331  *                     contains the data.
332  * \param input        The buffer holding the input data (which is an entire
333  *                     data unit). This function reads \p length Bytes from \p
334  *                     input.
335  * \param output       The buffer holding the output data (which is an entire
336  *                     data unit). This function writes \p length Bytes to \p
337  *                     output.
338  *
339  * \return             \c 0 on success.
340  * \return             #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
341  *                     smaller than an AES block in size (16 Bytes) or if \p
342  *                     length is larger than 2^20 blocks (16 MiB).
343  */
344 MBEDTLS_CHECK_RETURN_TYPICAL
345 int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
346                           int mode,
347                           size_t length,
348                           const unsigned char data_unit[16],
349                           const unsigned char *input,
350                           unsigned char *output);
351 #endif /* MBEDTLS_CIPHER_MODE_XTS */
352 
353 #if defined(MBEDTLS_CIPHER_MODE_CFB)
354 /**
355  * \brief This function performs an AES-CFB128 encryption or decryption
356  *        operation.
357  *
358  *        It performs the operation defined in the \p mode
359  *        parameter (encrypt or decrypt), on the input data buffer
360  *        defined in the \p input parameter.
361  *
362  *        For CFB, you must set up the context with mbedtls_aes_setkey_enc(),
363  *        regardless of whether you are performing an encryption or decryption
364  *        operation, that is, regardless of the \p mode parameter. This is
365  *        because CFB mode uses the same key schedule for encryption and
366  *        decryption.
367  *
368  * \note  Upon exit, the content of the IV is updated so that you can
369  *        call the same function again on the next
370  *        block(s) of data and get the same result as if it was
371  *        encrypted in one call. This allows a "streaming" usage.
372  *        If you need to retain the contents of the
373  *        IV, you must either save it manually or use the cipher
374  *        module instead.
375  *
376  *
377  * \param ctx      The AES context to use for encryption or decryption.
378  *                 It must be initialized and bound to a key.
379  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
380  *                 #MBEDTLS_AES_DECRYPT.
381  * \param length   The length of the input data in Bytes.
382  * \param iv_off   The offset in IV (updated after use).
383  *                 It must point to a valid \c size_t.
384  * \param iv       The initialization vector (updated after use).
385  *                 It must be a readable and writeable buffer of \c 16 Bytes.
386  * \param input    The buffer holding the input data.
387  *                 It must be readable and of size \p length Bytes.
388  * \param output   The buffer holding the output data.
389  *                 It must be writeable and of size \p length Bytes.
390  *
391  * \return         \c 0 on success.
392  */
393 MBEDTLS_CHECK_RETURN_TYPICAL
394 int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
395                              int mode,
396                              size_t length,
397                              size_t *iv_off,
398                              unsigned char iv[16],
399                              const unsigned char *input,
400                              unsigned char *output);
401 
402 /**
403  * \brief This function performs an AES-CFB8 encryption or decryption
404  *        operation.
405  *
406  *        It performs the operation defined in the \p mode
407  *        parameter (encrypt/decrypt), on the input data buffer defined
408  *        in the \p input parameter.
409  *
410  *        Due to the nature of CFB, you must use the same key schedule for
411  *        both encryption and decryption operations. Therefore, you must
412  *        use the context initialized with mbedtls_aes_setkey_enc() for
413  *        both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
414  *
415  * \note  Upon exit, the content of the IV is updated so that you can
416  *        call the same function again on the next
417  *        block(s) of data and get the same result as if it was
418  *        encrypted in one call. This allows a "streaming" usage.
419  *        If you need to retain the contents of the
420  *        IV, you should either save it manually or use the cipher
421  *        module instead.
422  *
423  *
424  * \param ctx      The AES context to use for encryption or decryption.
425  *                 It must be initialized and bound to a key.
426  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
427  *                 #MBEDTLS_AES_DECRYPT
428  * \param length   The length of the input data.
429  * \param iv       The initialization vector (updated after use).
430  *                 It must be a readable and writeable buffer of \c 16 Bytes.
431  * \param input    The buffer holding the input data.
432  *                 It must be readable and of size \p length Bytes.
433  * \param output   The buffer holding the output data.
434  *                 It must be writeable and of size \p length Bytes.
435  *
436  * \return         \c 0 on success.
437  */
438 MBEDTLS_CHECK_RETURN_TYPICAL
439 int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
440                            int mode,
441                            size_t length,
442                            unsigned char iv[16],
443                            const unsigned char *input,
444                            unsigned char *output);
445 #endif /*MBEDTLS_CIPHER_MODE_CFB */
446 
447 #if defined(MBEDTLS_CIPHER_MODE_OFB)
448 /**
449  * \brief       This function performs an AES-OFB (Output Feedback Mode)
450  *              encryption or decryption operation.
451  *
452  *              For OFB, you must set up the context with
453  *              mbedtls_aes_setkey_enc(), regardless of whether you are
454  *              performing an encryption or decryption operation. This is
455  *              because OFB mode uses the same key schedule for encryption and
456  *              decryption.
457  *
458  *              The OFB operation is identical for encryption or decryption,
459  *              therefore no operation mode needs to be specified.
460  *
461  * \note        Upon exit, the content of iv, the Initialisation Vector, is
462  *              updated so that you can call the same function again on the next
463  *              block(s) of data and get the same result as if it was encrypted
464  *              in one call. This allows a "streaming" usage, by initialising
465  *              iv_off to 0 before the first call, and preserving its value
466  *              between calls.
467  *
468  *              For non-streaming use, the iv should be initialised on each call
469  *              to a unique value, and iv_off set to 0 on each call.
470  *
471  *              If you need to retain the contents of the initialisation vector,
472  *              you must either save it manually or use the cipher module
473  *              instead.
474  *
475  * \warning     For the OFB mode, the initialisation vector must be unique
476  *              every encryption operation. Reuse of an initialisation vector
477  *              will compromise security.
478  *
479  * \param ctx      The AES context to use for encryption or decryption.
480  *                 It must be initialized and bound to a key.
481  * \param length   The length of the input data.
482  * \param iv_off   The offset in IV (updated after use).
483  *                 It must point to a valid \c size_t.
484  * \param iv       The initialization vector (updated after use).
485  *                 It must be a readable and writeable buffer of \c 16 Bytes.
486  * \param input    The buffer holding the input data.
487  *                 It must be readable and of size \p length Bytes.
488  * \param output   The buffer holding the output data.
489  *                 It must be writeable and of size \p length Bytes.
490  *
491  * \return         \c 0 on success.
492  */
493 MBEDTLS_CHECK_RETURN_TYPICAL
494 int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
495                           size_t length,
496                           size_t *iv_off,
497                           unsigned char iv[16],
498                           const unsigned char *input,
499                           unsigned char *output);
500 
501 #endif /* MBEDTLS_CIPHER_MODE_OFB */
502 
503 #if defined(MBEDTLS_CIPHER_MODE_CTR)
504 /**
505  * \brief      This function performs an AES-CTR encryption or decryption
506  *             operation.
507  *
508  *             Due to the nature of CTR, you must use the same key schedule
509  *             for both encryption and decryption operations. Therefore, you
510  *             must use the context initialized with mbedtls_aes_setkey_enc()
511  *             for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
512  *
513  * \warning    You must never reuse a nonce value with the same key. Doing so
514  *             would void the encryption for the two messages encrypted with
515  *             the same nonce and key.
516  *
517  *             There are two common strategies for managing nonces with CTR:
518  *
519  *             1. You can handle everything as a single message processed over
520  *             successive calls to this function. In that case, you want to
521  *             set \p nonce_counter and \p nc_off to 0 for the first call, and
522  *             then preserve the values of \p nonce_counter, \p nc_off and \p
523  *             stream_block across calls to this function as they will be
524  *             updated by this function.
525  *
526  *             With this strategy, you must not encrypt more than 2**128
527  *             blocks of data with the same key.
528  *
529  *             2. You can encrypt separate messages by dividing the \p
530  *             nonce_counter buffer in two areas: the first one used for a
531  *             per-message nonce, handled by yourself, and the second one
532  *             updated by this function internally.
533  *
534  *             For example, you might reserve the first 12 bytes for the
535  *             per-message nonce, and the last 4 bytes for internal use. In that
536  *             case, before calling this function on a new message you need to
537  *             set the first 12 bytes of \p nonce_counter to your chosen nonce
538  *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
539  *             stream_block to be ignored). That way, you can encrypt at most
540  *             2**96 messages of up to 2**32 blocks each with the same key.
541  *
542  *             The per-message nonce (or information sufficient to reconstruct
543  *             it) needs to be communicated with the ciphertext and must be unique.
544  *             The recommended way to ensure uniqueness is to use a message
545  *             counter. An alternative is to generate random nonces, but this
546  *             limits the number of messages that can be securely encrypted:
547  *             for example, with 96-bit random nonces, you should not encrypt
548  *             more than 2**32 messages with the same key.
549  *
550  *             Note that for both strategies, sizes are measured in blocks and
551  *             that an AES block is 16 bytes.
552  *
553  * \warning    Upon return, \p stream_block contains sensitive data. Its
554  *             content must not be written to insecure storage and should be
555  *             securely discarded as soon as it's no longer needed.
556  *
557  * \param ctx              The AES context to use for encryption or decryption.
558  *                         It must be initialized and bound to a key.
559  * \param length           The length of the input data.
560  * \param nc_off           The offset in the current \p stream_block, for
561  *                         resuming within the current cipher stream. The
562  *                         offset pointer should be 0 at the start of a stream.
563  *                         It must point to a valid \c size_t.
564  * \param nonce_counter    The 128-bit nonce and counter.
565  *                         It must be a readable-writeable buffer of \c 16 Bytes.
566  * \param stream_block     The saved stream block for resuming. This is
567  *                         overwritten by the function.
568  *                         It must be a readable-writeable buffer of \c 16 Bytes.
569  * \param input            The buffer holding the input data.
570  *                         It must be readable and of size \p length Bytes.
571  * \param output           The buffer holding the output data.
572  *                         It must be writeable and of size \p length Bytes.
573  *
574  * \return                 \c 0 on success.
575  */
576 MBEDTLS_CHECK_RETURN_TYPICAL
577 int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
578                           size_t length,
579                           size_t *nc_off,
580                           unsigned char nonce_counter[16],
581                           unsigned char stream_block[16],
582                           const unsigned char *input,
583                           unsigned char *output);
584 #endif /* MBEDTLS_CIPHER_MODE_CTR */
585 
586 /**
587  * \brief           Internal AES block encryption function. This is only
588  *                  exposed to allow overriding it using
589  *                  \c MBEDTLS_AES_ENCRYPT_ALT.
590  *
591  * \param ctx       The AES context to use for encryption.
592  * \param input     The plaintext block.
593  * \param output    The output (ciphertext) block.
594  *
595  * \return          \c 0 on success.
596  */
597 MBEDTLS_CHECK_RETURN_TYPICAL
598 int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
599                                  const unsigned char input[16],
600                                  unsigned char output[16]);
601 
602 /**
603  * \brief           Internal AES block decryption function. This is only
604  *                  exposed to allow overriding it using see
605  *                  \c MBEDTLS_AES_DECRYPT_ALT.
606  *
607  * \param ctx       The AES context to use for decryption.
608  * \param input     The ciphertext block.
609  * \param output    The output (plaintext) block.
610  *
611  * \return          \c 0 on success.
612  */
613 MBEDTLS_CHECK_RETURN_TYPICAL
614 int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
615                                  const unsigned char input[16],
616                                  unsigned char output[16]);
617 
618 #if defined(MBEDTLS_SELF_TEST)
619 /**
620  * \brief          Checkup routine.
621  *
622  * \return         \c 0 on success.
623  * \return         \c 1 on failure.
624  */
625 MBEDTLS_CHECK_RETURN_CRITICAL
626 int mbedtls_aes_self_test(int verbose);
627 
628 #endif /* MBEDTLS_SELF_TEST */
629 
630 #ifdef __cplusplus
631 }
632 #endif
633 
634 #endif /* aes.h */
635