• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /**
2  * \file cipher.h
3  *
4  * \brief This file contains an abstraction interface for use with the cipher
5  * primitives provided by the library. It provides a common interface to all of
6  * the available cipher operations.
7  *
8  * \author Adriaan de Jong <dejong@fox-it.com>
9  */
10 /*
11  *  Copyright The Mbed TLS Contributors
12  *  SPDX-License-Identifier: Apache-2.0
13  *
14  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
15  *  not use this file except in compliance with the License.
16  *  You may obtain a copy of the License at
17  *
18  *  http://www.apache.org/licenses/LICENSE-2.0
19  *
20  *  Unless required by applicable law or agreed to in writing, software
21  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23  *  See the License for the specific language governing permissions and
24  *  limitations under the License.
25  */
26 
27 #ifndef MBEDTLS_CIPHER_H
28 #define MBEDTLS_CIPHER_H
29 #include "mbedtls/private_access.h"
30 
31 #include "mbedtls/build_info.h"
32 
33 #include <stddef.h>
34 #include "mbedtls/platform_util.h"
35 
36 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
37 #define MBEDTLS_CIPHER_MODE_AEAD
38 #endif
39 
40 #if defined(MBEDTLS_CIPHER_MODE_CBC)
41 #define MBEDTLS_CIPHER_MODE_WITH_PADDING
42 #endif
43 
44 #if defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
45     defined(MBEDTLS_CHACHA20_C)
46 #define MBEDTLS_CIPHER_MODE_STREAM
47 #endif
48 
49 /** The selected feature is not available. */
50 #define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE  -0x6080
51 /** Bad input parameters. */
52 #define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA       -0x6100
53 /** Failed to allocate memory. */
54 #define MBEDTLS_ERR_CIPHER_ALLOC_FAILED         -0x6180
55 /** Input data contains invalid padding and is rejected. */
56 #define MBEDTLS_ERR_CIPHER_INVALID_PADDING      -0x6200
57 /** Decryption of block requires a full block. */
58 #define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED  -0x6280
59 /** Authentication failed (for AEAD modes). */
60 #define MBEDTLS_ERR_CIPHER_AUTH_FAILED          -0x6300
61 /** The context is invalid. For example, because it was freed. */
62 #define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT      -0x6380
63 
64 #define MBEDTLS_CIPHER_VARIABLE_IV_LEN     0x01    /**< Cipher accepts IVs of variable length. */
65 #define MBEDTLS_CIPHER_VARIABLE_KEY_LEN    0x02    /**< Cipher accepts keys of variable length. */
66 
67 #ifdef __cplusplus
68 extern "C" {
69 #endif
70 
71 /**
72  * \brief     Supported cipher types.
73  *
74  * \warning   DES/3DES are considered weak ciphers and their use
75  *            constitutes a security risk. We recommend considering stronger
76  *            ciphers instead.
77  */
78 typedef enum {
79     MBEDTLS_CIPHER_ID_NONE = 0,  /**< Placeholder to mark the end of cipher ID lists. */
80     MBEDTLS_CIPHER_ID_NULL,      /**< The identity cipher, treated as a stream cipher. */
81     MBEDTLS_CIPHER_ID_AES,       /**< The AES cipher. */
82     MBEDTLS_CIPHER_ID_DES,       /**< The DES cipher. \warning DES is considered weak. */
83     MBEDTLS_CIPHER_ID_3DES,      /**< The Triple DES cipher. \warning 3DES is considered weak. */
84     MBEDTLS_CIPHER_ID_CAMELLIA,  /**< The Camellia cipher. */
85     MBEDTLS_CIPHER_ID_ARIA,      /**< The Aria cipher. */
86     MBEDTLS_CIPHER_ID_CHACHA20,  /**< The ChaCha20 cipher. */
87 } mbedtls_cipher_id_t;
88 
89 /**
90  * \brief     Supported {cipher type, cipher mode} pairs.
91  *
92  * \warning   DES/3DES are considered weak ciphers and their use
93  *            constitutes a security risk. We recommend considering stronger
94  *            ciphers instead.
95  */
96 typedef enum {
97     MBEDTLS_CIPHER_NONE = 0,             /**< Placeholder to mark the end of cipher-pair lists. */
98     MBEDTLS_CIPHER_NULL,                 /**< The identity stream cipher. */
99     MBEDTLS_CIPHER_AES_128_ECB,          /**< AES cipher with 128-bit ECB mode. */
100     MBEDTLS_CIPHER_AES_192_ECB,          /**< AES cipher with 192-bit ECB mode. */
101     MBEDTLS_CIPHER_AES_256_ECB,          /**< AES cipher with 256-bit ECB mode. */
102     MBEDTLS_CIPHER_AES_128_CBC,          /**< AES cipher with 128-bit CBC mode. */
103     MBEDTLS_CIPHER_AES_192_CBC,          /**< AES cipher with 192-bit CBC mode. */
104     MBEDTLS_CIPHER_AES_256_CBC,          /**< AES cipher with 256-bit CBC mode. */
105     MBEDTLS_CIPHER_AES_128_CFB128,       /**< AES cipher with 128-bit CFB128 mode. */
106     MBEDTLS_CIPHER_AES_192_CFB128,       /**< AES cipher with 192-bit CFB128 mode. */
107     MBEDTLS_CIPHER_AES_256_CFB128,       /**< AES cipher with 256-bit CFB128 mode. */
108     MBEDTLS_CIPHER_AES_128_CTR,          /**< AES cipher with 128-bit CTR mode. */
109     MBEDTLS_CIPHER_AES_192_CTR,          /**< AES cipher with 192-bit CTR mode. */
110     MBEDTLS_CIPHER_AES_256_CTR,          /**< AES cipher with 256-bit CTR mode. */
111     MBEDTLS_CIPHER_AES_128_GCM,          /**< AES cipher with 128-bit GCM mode. */
112     MBEDTLS_CIPHER_AES_192_GCM,          /**< AES cipher with 192-bit GCM mode. */
113     MBEDTLS_CIPHER_AES_256_GCM,          /**< AES cipher with 256-bit GCM mode. */
114     MBEDTLS_CIPHER_CAMELLIA_128_ECB,     /**< Camellia cipher with 128-bit ECB mode. */
115     MBEDTLS_CIPHER_CAMELLIA_192_ECB,     /**< Camellia cipher with 192-bit ECB mode. */
116     MBEDTLS_CIPHER_CAMELLIA_256_ECB,     /**< Camellia cipher with 256-bit ECB mode. */
117     MBEDTLS_CIPHER_CAMELLIA_128_CBC,     /**< Camellia cipher with 128-bit CBC mode. */
118     MBEDTLS_CIPHER_CAMELLIA_192_CBC,     /**< Camellia cipher with 192-bit CBC mode. */
119     MBEDTLS_CIPHER_CAMELLIA_256_CBC,     /**< Camellia cipher with 256-bit CBC mode. */
120     MBEDTLS_CIPHER_CAMELLIA_128_CFB128,  /**< Camellia cipher with 128-bit CFB128 mode. */
121     MBEDTLS_CIPHER_CAMELLIA_192_CFB128,  /**< Camellia cipher with 192-bit CFB128 mode. */
122     MBEDTLS_CIPHER_CAMELLIA_256_CFB128,  /**< Camellia cipher with 256-bit CFB128 mode. */
123     MBEDTLS_CIPHER_CAMELLIA_128_CTR,     /**< Camellia cipher with 128-bit CTR mode. */
124     MBEDTLS_CIPHER_CAMELLIA_192_CTR,     /**< Camellia cipher with 192-bit CTR mode. */
125     MBEDTLS_CIPHER_CAMELLIA_256_CTR,     /**< Camellia cipher with 256-bit CTR mode. */
126     MBEDTLS_CIPHER_CAMELLIA_128_GCM,     /**< Camellia cipher with 128-bit GCM mode. */
127     MBEDTLS_CIPHER_CAMELLIA_192_GCM,     /**< Camellia cipher with 192-bit GCM mode. */
128     MBEDTLS_CIPHER_CAMELLIA_256_GCM,     /**< Camellia cipher with 256-bit GCM mode. */
129     MBEDTLS_CIPHER_DES_ECB,              /**< DES cipher with ECB mode. \warning DES is considered weak. */
130     MBEDTLS_CIPHER_DES_CBC,              /**< DES cipher with CBC mode. \warning DES is considered weak. */
131     MBEDTLS_CIPHER_DES_EDE_ECB,          /**< DES cipher with EDE ECB mode. \warning 3DES is considered weak. */
132     MBEDTLS_CIPHER_DES_EDE_CBC,          /**< DES cipher with EDE CBC mode. \warning 3DES is considered weak. */
133     MBEDTLS_CIPHER_DES_EDE3_ECB,         /**< DES cipher with EDE3 ECB mode. \warning 3DES is considered weak. */
134     MBEDTLS_CIPHER_DES_EDE3_CBC,         /**< DES cipher with EDE3 CBC mode. \warning 3DES is considered weak. */
135     MBEDTLS_CIPHER_AES_128_CCM,          /**< AES cipher with 128-bit CCM mode. */
136     MBEDTLS_CIPHER_AES_192_CCM,          /**< AES cipher with 192-bit CCM mode. */
137     MBEDTLS_CIPHER_AES_256_CCM,          /**< AES cipher with 256-bit CCM mode. */
138     MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, /**< AES cipher with 128-bit CCM_STAR_NO_TAG mode. */
139     MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, /**< AES cipher with 192-bit CCM_STAR_NO_TAG mode. */
140     MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, /**< AES cipher with 256-bit CCM_STAR_NO_TAG mode. */
141     MBEDTLS_CIPHER_CAMELLIA_128_CCM,     /**< Camellia cipher with 128-bit CCM mode. */
142     MBEDTLS_CIPHER_CAMELLIA_192_CCM,     /**< Camellia cipher with 192-bit CCM mode. */
143     MBEDTLS_CIPHER_CAMELLIA_256_CCM,     /**< Camellia cipher with 256-bit CCM mode. */
144     MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG, /**< Camellia cipher with 128-bit CCM_STAR_NO_TAG mode. */
145     MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG, /**< Camellia cipher with 192-bit CCM_STAR_NO_TAG mode. */
146     MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG, /**< Camellia cipher with 256-bit CCM_STAR_NO_TAG mode. */
147     MBEDTLS_CIPHER_ARIA_128_ECB,         /**< Aria cipher with 128-bit key and ECB mode. */
148     MBEDTLS_CIPHER_ARIA_192_ECB,         /**< Aria cipher with 192-bit key and ECB mode. */
149     MBEDTLS_CIPHER_ARIA_256_ECB,         /**< Aria cipher with 256-bit key and ECB mode. */
150     MBEDTLS_CIPHER_ARIA_128_CBC,         /**< Aria cipher with 128-bit key and CBC mode. */
151     MBEDTLS_CIPHER_ARIA_192_CBC,         /**< Aria cipher with 192-bit key and CBC mode. */
152     MBEDTLS_CIPHER_ARIA_256_CBC,         /**< Aria cipher with 256-bit key and CBC mode. */
153     MBEDTLS_CIPHER_ARIA_128_CFB128,      /**< Aria cipher with 128-bit key and CFB-128 mode. */
154     MBEDTLS_CIPHER_ARIA_192_CFB128,      /**< Aria cipher with 192-bit key and CFB-128 mode. */
155     MBEDTLS_CIPHER_ARIA_256_CFB128,      /**< Aria cipher with 256-bit key and CFB-128 mode. */
156     MBEDTLS_CIPHER_ARIA_128_CTR,         /**< Aria cipher with 128-bit key and CTR mode. */
157     MBEDTLS_CIPHER_ARIA_192_CTR,         /**< Aria cipher with 192-bit key and CTR mode. */
158     MBEDTLS_CIPHER_ARIA_256_CTR,         /**< Aria cipher with 256-bit key and CTR mode. */
159     MBEDTLS_CIPHER_ARIA_128_GCM,         /**< Aria cipher with 128-bit key and GCM mode. */
160     MBEDTLS_CIPHER_ARIA_192_GCM,         /**< Aria cipher with 192-bit key and GCM mode. */
161     MBEDTLS_CIPHER_ARIA_256_GCM,         /**< Aria cipher with 256-bit key and GCM mode. */
162     MBEDTLS_CIPHER_ARIA_128_CCM,         /**< Aria cipher with 128-bit key and CCM mode. */
163     MBEDTLS_CIPHER_ARIA_192_CCM,         /**< Aria cipher with 192-bit key and CCM mode. */
164     MBEDTLS_CIPHER_ARIA_256_CCM,         /**< Aria cipher with 256-bit key and CCM mode. */
165     MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG, /**< Aria cipher with 128-bit key and CCM_STAR_NO_TAG mode. */
166     MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG, /**< Aria cipher with 192-bit key and CCM_STAR_NO_TAG mode. */
167     MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG, /**< Aria cipher with 256-bit key and CCM_STAR_NO_TAG mode. */
168     MBEDTLS_CIPHER_AES_128_OFB,          /**< AES 128-bit cipher in OFB mode. */
169     MBEDTLS_CIPHER_AES_192_OFB,          /**< AES 192-bit cipher in OFB mode. */
170     MBEDTLS_CIPHER_AES_256_OFB,          /**< AES 256-bit cipher in OFB mode. */
171     MBEDTLS_CIPHER_AES_128_XTS,          /**< AES 128-bit cipher in XTS block mode. */
172     MBEDTLS_CIPHER_AES_256_XTS,          /**< AES 256-bit cipher in XTS block mode. */
173     MBEDTLS_CIPHER_CHACHA20,             /**< ChaCha20 stream cipher. */
174     MBEDTLS_CIPHER_CHACHA20_POLY1305,    /**< ChaCha20-Poly1305 AEAD cipher. */
175     MBEDTLS_CIPHER_AES_128_KW,           /**< AES cipher with 128-bit NIST KW mode. */
176     MBEDTLS_CIPHER_AES_192_KW,           /**< AES cipher with 192-bit NIST KW mode. */
177     MBEDTLS_CIPHER_AES_256_KW,           /**< AES cipher with 256-bit NIST KW mode. */
178     MBEDTLS_CIPHER_AES_128_KWP,          /**< AES cipher with 128-bit NIST KWP mode. */
179     MBEDTLS_CIPHER_AES_192_KWP,          /**< AES cipher with 192-bit NIST KWP mode. */
180     MBEDTLS_CIPHER_AES_256_KWP,          /**< AES cipher with 256-bit NIST KWP mode. */
181 } mbedtls_cipher_type_t;
182 
183 /** Supported cipher modes. */
184 typedef enum {
185     MBEDTLS_MODE_NONE = 0,               /**< None.                        */
186     MBEDTLS_MODE_ECB,                    /**< The ECB cipher mode.         */
187     MBEDTLS_MODE_CBC,                    /**< The CBC cipher mode.         */
188     MBEDTLS_MODE_CFB,                    /**< The CFB cipher mode.         */
189     MBEDTLS_MODE_OFB,                    /**< The OFB cipher mode.         */
190     MBEDTLS_MODE_CTR,                    /**< The CTR cipher mode.         */
191     MBEDTLS_MODE_GCM,                    /**< The GCM cipher mode.         */
192     MBEDTLS_MODE_STREAM,                 /**< The stream cipher mode.      */
193     MBEDTLS_MODE_CCM,                    /**< The CCM cipher mode.         */
194     MBEDTLS_MODE_CCM_STAR_NO_TAG,        /**< The CCM*-no-tag cipher mode. */
195     MBEDTLS_MODE_XTS,                    /**< The XTS cipher mode.         */
196     MBEDTLS_MODE_CHACHAPOLY,             /**< The ChaCha-Poly cipher mode. */
197     MBEDTLS_MODE_KW,                     /**< The SP800-38F KW mode */
198     MBEDTLS_MODE_KWP,                    /**< The SP800-38F KWP mode */
199 } mbedtls_cipher_mode_t;
200 
201 /** Supported cipher padding types. */
202 typedef enum {
203     MBEDTLS_PADDING_PKCS7 = 0,     /**< PKCS7 padding (default).        */
204     MBEDTLS_PADDING_ONE_AND_ZEROS, /**< ISO/IEC 7816-4 padding.         */
205     MBEDTLS_PADDING_ZEROS_AND_LEN, /**< ANSI X.923 padding.             */
206     MBEDTLS_PADDING_ZEROS,         /**< Zero padding (not reversible). */
207     MBEDTLS_PADDING_NONE,          /**< Never pad (full blocks only).   */
208 } mbedtls_cipher_padding_t;
209 
210 /** Type of operation. */
211 typedef enum {
212     MBEDTLS_OPERATION_NONE = -1,
213     MBEDTLS_DECRYPT = 0,
214     MBEDTLS_ENCRYPT,
215 } mbedtls_operation_t;
216 
217 enum {
218     /** Undefined key length. */
219     MBEDTLS_KEY_LENGTH_NONE = 0,
220     /** Key length, in bits (including parity), for DES keys. \warning DES is considered weak. */
221     MBEDTLS_KEY_LENGTH_DES  = 64,
222     /** Key length in bits, including parity, for DES in two-key EDE. \warning 3DES is considered weak. */
223     MBEDTLS_KEY_LENGTH_DES_EDE = 128,
224     /** Key length in bits, including parity, for DES in three-key EDE. \warning 3DES is considered weak. */
225     MBEDTLS_KEY_LENGTH_DES_EDE3 = 192,
226 };
227 
228 /** Maximum length of any IV, in Bytes. */
229 /* This should ideally be derived automatically from list of ciphers.
230  * This should be kept in sync with MBEDTLS_SSL_MAX_IV_LENGTH defined
231  * in library/ssl_misc.h. */
232 #define MBEDTLS_MAX_IV_LENGTH      16
233 
234 /** Maximum block size of any cipher, in Bytes. */
235 /* This should ideally be derived automatically from list of ciphers.
236  * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
237  * in library/ssl_misc.h. */
238 #define MBEDTLS_MAX_BLOCK_LENGTH   16
239 
240 /** Maximum key length, in Bytes. */
241 /* This should ideally be derived automatically from list of ciphers.
242  * For now, only check whether XTS is enabled which uses 64 Byte keys,
243  * and use 32 Bytes as an upper bound for the maximum key length otherwise.
244  * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
245  * in library/ssl_misc.h, which however deliberately ignores the case of XTS
246  * since the latter isn't used in SSL/TLS. */
247 #if defined(MBEDTLS_CIPHER_MODE_XTS)
248 #define MBEDTLS_MAX_KEY_LENGTH     64
249 #else
250 #define MBEDTLS_MAX_KEY_LENGTH     32
251 #endif /* MBEDTLS_CIPHER_MODE_XTS */
252 
253 /**
254  * Base cipher information (opaque struct).
255  */
256 typedef struct mbedtls_cipher_base_t mbedtls_cipher_base_t;
257 
258 /**
259  * CMAC context (opaque struct).
260  */
261 typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t;
262 
263 /**
264  * Cipher information. Allows calling cipher functions
265  * in a generic way.
266  *
267  * \note        The library does not support custom cipher info structures,
268  *              only built-in structures returned by the functions
269  *              mbedtls_cipher_info_from_string(),
270  *              mbedtls_cipher_info_from_type(),
271  *              mbedtls_cipher_info_from_values(),
272  *              mbedtls_cipher_info_from_psa().
273  */
274 typedef struct mbedtls_cipher_info_t {
275     /** Full cipher identifier. For example,
276      * MBEDTLS_CIPHER_AES_256_CBC.
277      */
278     mbedtls_cipher_type_t MBEDTLS_PRIVATE(type);
279 
280     /** The cipher mode. For example, MBEDTLS_MODE_CBC. */
281     mbedtls_cipher_mode_t MBEDTLS_PRIVATE(mode);
282 
283     /** The cipher key length, in bits. This is the
284      * default length for variable sized ciphers.
285      * Includes parity bits for ciphers like DES.
286      */
287     unsigned int MBEDTLS_PRIVATE(key_bitlen);
288 
289     /** Name of the cipher. */
290     const char *MBEDTLS_PRIVATE(name);
291 
292     /** IV or nonce size, in Bytes.
293      * For ciphers that accept variable IV sizes,
294      * this is the recommended size.
295      */
296     unsigned int MBEDTLS_PRIVATE(iv_size);
297 
298     /** Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and
299      *  MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the
300      *  cipher supports variable IV or variable key sizes, respectively.
301      */
302     int MBEDTLS_PRIVATE(flags);
303 
304     /** The block size, in Bytes. */
305     unsigned int MBEDTLS_PRIVATE(block_size);
306 
307     /** Struct for base cipher information and functions. */
308     const mbedtls_cipher_base_t *MBEDTLS_PRIVATE(base);
309 
310 } mbedtls_cipher_info_t;
311 
312 /**
313  * Generic cipher context.
314  */
315 typedef struct mbedtls_cipher_context_t {
316     /** Information about the associated cipher. */
317     const mbedtls_cipher_info_t *MBEDTLS_PRIVATE(cipher_info);
318 
319     /** Key length to use. */
320     int MBEDTLS_PRIVATE(key_bitlen);
321 
322     /** Operation that the key of the context has been
323      * initialized for.
324      */
325     mbedtls_operation_t MBEDTLS_PRIVATE(operation);
326 
327 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
328     /** Padding functions to use, if relevant for
329      * the specific cipher mode.
330      */
331     void(*MBEDTLS_PRIVATE(add_padding))(unsigned char *output, size_t olen, size_t data_len);
332     int(*MBEDTLS_PRIVATE(get_padding))(unsigned char *input, size_t ilen, size_t *data_len);
333 #endif
334 
335     /** Buffer for input that has not been processed yet. */
336     unsigned char MBEDTLS_PRIVATE(unprocessed_data)[MBEDTLS_MAX_BLOCK_LENGTH];
337 
338     /** Number of Bytes that have not been processed yet. */
339     size_t MBEDTLS_PRIVATE(unprocessed_len);
340 
341     /** Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number
342      * for XTS-mode. */
343     unsigned char MBEDTLS_PRIVATE(iv)[MBEDTLS_MAX_IV_LENGTH];
344 
345     /** IV size in Bytes, for ciphers with variable-length IVs. */
346     size_t MBEDTLS_PRIVATE(iv_size);
347 
348     /** The cipher-specific context. */
349     void *MBEDTLS_PRIVATE(cipher_ctx);
350 
351 #if defined(MBEDTLS_CMAC_C)
352     /** CMAC-specific context. */
353     mbedtls_cmac_context_t *MBEDTLS_PRIVATE(cmac_ctx);
354 #endif
355 
356 #if defined(MBEDTLS_USE_PSA_CRYPTO)
357     /** Indicates whether the cipher operations should be performed
358      *  by Mbed TLS' own crypto library or an external implementation
359      *  of the PSA Crypto API.
360      *  This is unset if the cipher context was established through
361      *  mbedtls_cipher_setup(), and set if it was established through
362      *  mbedtls_cipher_setup_psa().
363      */
364     unsigned char MBEDTLS_PRIVATE(psa_enabled);
365 #endif /* MBEDTLS_USE_PSA_CRYPTO */
366 
367 } mbedtls_cipher_context_t;
368 
369 /**
370  * \brief This function retrieves the list of ciphers supported
371  *        by the generic cipher module.
372  *
373  *        For any cipher identifier in the returned list, you can
374  *        obtain the corresponding generic cipher information structure
375  *        via mbedtls_cipher_info_from_type(), which can then be used
376  *        to prepare a cipher context via mbedtls_cipher_setup().
377  *
378  *
379  * \return      A statically-allocated array of cipher identifiers
380  *              of type cipher_type_t. The last entry is zero.
381  */
382 const int *mbedtls_cipher_list(void);
383 
384 /**
385  * \brief               This function retrieves the cipher-information
386  *                      structure associated with the given cipher name.
387  *
388  * \param cipher_name   Name of the cipher to search for. This must not be
389  *                      \c NULL.
390  *
391  * \return              The cipher information structure associated with the
392  *                      given \p cipher_name.
393  * \return              \c NULL if the associated cipher information is not found.
394  */
395 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(const char *cipher_name);
396 
397 /**
398  * \brief               This function retrieves the cipher-information
399  *                      structure associated with the given cipher type.
400  *
401  * \param cipher_type   Type of the cipher to search for.
402  *
403  * \return              The cipher information structure associated with the
404  *                      given \p cipher_type.
405  * \return              \c NULL if the associated cipher information is not found.
406  */
407 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type);
408 
409 /**
410  * \brief               This function retrieves the cipher-information
411  *                      structure associated with the given cipher ID,
412  *                      key size and mode.
413  *
414  * \param cipher_id     The ID of the cipher to search for. For example,
415  *                      #MBEDTLS_CIPHER_ID_AES.
416  * \param key_bitlen    The length of the key in bits.
417  * \param mode          The cipher mode. For example, #MBEDTLS_MODE_CBC.
418  *
419  * \return              The cipher information structure associated with the
420  *                      given \p cipher_id.
421  * \return              \c NULL if the associated cipher information is not found.
422  */
423 const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id,
424                                                              int key_bitlen,
425                                                              const mbedtls_cipher_mode_t mode);
426 
427 /**
428  * \brief               Retrieve the identifier for a cipher info structure.
429  *
430  * \param[in] info      The cipher info structure to query.
431  *                      This may be \c NULL.
432  *
433  * \return              The full cipher identifier (\c MBEDTLS_CIPHER_xxx).
434  * \return              #MBEDTLS_CIPHER_NONE if \p info is \c NULL.
435  */
mbedtls_cipher_info_get_type(const mbedtls_cipher_info_t * info)436 static inline mbedtls_cipher_type_t mbedtls_cipher_info_get_type(
437     const mbedtls_cipher_info_t *info)
438 {
439     if (info == NULL) {
440         return MBEDTLS_CIPHER_NONE;
441     } else {
442         return info->MBEDTLS_PRIVATE(type);
443     }
444 }
445 
446 /**
447  * \brief               Retrieve the operation mode for a cipher info structure.
448  *
449  * \param[in] info      The cipher info structure to query.
450  *                      This may be \c NULL.
451  *
452  * \return              The cipher mode (\c MBEDTLS_MODE_xxx).
453  * \return              #MBEDTLS_MODE_NONE if \p info is \c NULL.
454  */
mbedtls_cipher_info_get_mode(const mbedtls_cipher_info_t * info)455 static inline mbedtls_cipher_mode_t mbedtls_cipher_info_get_mode(
456     const mbedtls_cipher_info_t *info)
457 {
458     if (info == NULL) {
459         return MBEDTLS_MODE_NONE;
460     } else {
461         return info->MBEDTLS_PRIVATE(mode);
462     }
463 }
464 
465 /**
466  * \brief               Retrieve the key size for a cipher info structure.
467  *
468  * \param[in] info      The cipher info structure to query.
469  *                      This may be \c NULL.
470  *
471  * \return              The key length in bits.
472  *                      For variable-sized ciphers, this is the default length.
473  *                      For DES, this includes the parity bits.
474  * \return              \c 0 if \p info is \c NULL.
475  */
mbedtls_cipher_info_get_key_bitlen(const mbedtls_cipher_info_t * info)476 static inline size_t mbedtls_cipher_info_get_key_bitlen(
477     const mbedtls_cipher_info_t *info)
478 {
479     if (info == NULL) {
480         return 0;
481     } else {
482         return info->MBEDTLS_PRIVATE(key_bitlen);
483     }
484 }
485 
486 /**
487  * \brief               Retrieve the human-readable name for a
488  *                      cipher info structure.
489  *
490  * \param[in] info      The cipher info structure to query.
491  *                      This may be \c NULL.
492  *
493  * \return              The cipher name, which is a human readable string,
494  *                      with static storage duration.
495  * \return              \c NULL if \c info is \p NULL.
496  */
mbedtls_cipher_info_get_name(const mbedtls_cipher_info_t * info)497 static inline const char *mbedtls_cipher_info_get_name(
498     const mbedtls_cipher_info_t *info)
499 {
500     if (info == NULL) {
501         return NULL;
502     } else {
503         return info->MBEDTLS_PRIVATE(name);
504     }
505 }
506 
507 /**
508  * \brief       This function returns the size of the IV or nonce
509  *              for the cipher info structure, in bytes.
510  *
511  * \param info  The cipher info structure. This may be \c NULL.
512  *
513  * \return      The recommended IV size.
514  * \return      \c 0 for ciphers not using an IV or a nonce.
515  * \return      \c 0 if \p info is \c NULL.
516  */
mbedtls_cipher_info_get_iv_size(const mbedtls_cipher_info_t * info)517 static inline size_t mbedtls_cipher_info_get_iv_size(
518     const mbedtls_cipher_info_t *info)
519 {
520     if (info == NULL) {
521         return 0;
522     }
523 
524     return (size_t) info->MBEDTLS_PRIVATE(iv_size);
525 }
526 
527 /**
528  * \brief        This function returns the block size of the given
529  *               cipher info structure in bytes.
530  *
531  * \param info   The cipher info structure. This may be \c NULL.
532  *
533  * \return       The block size of the cipher.
534  * \return       \c 1 if the cipher is a stream cipher.
535  * \return       \c 0 if \p info is \c NULL.
536  */
mbedtls_cipher_info_get_block_size(const mbedtls_cipher_info_t * info)537 static inline size_t mbedtls_cipher_info_get_block_size(
538     const mbedtls_cipher_info_t *info)
539 {
540     if (info == NULL) {
541         return 0;
542     }
543 
544     return (size_t) info->MBEDTLS_PRIVATE(block_size);
545 }
546 
547 /**
548  * \brief        This function returns a non-zero value if the key length for
549  *               the given cipher is variable.
550  *
551  * \param info   The cipher info structure. This may be \c NULL.
552  *
553  * \return       Non-zero if the key length is variable, \c 0 otherwise.
554  * \return       \c 0 if the given pointer is \c NULL.
555  */
mbedtls_cipher_info_has_variable_key_bitlen(const mbedtls_cipher_info_t * info)556 static inline int mbedtls_cipher_info_has_variable_key_bitlen(
557     const mbedtls_cipher_info_t *info)
558 {
559     if (info == NULL) {
560         return 0;
561     }
562 
563     return info->MBEDTLS_PRIVATE(flags) & MBEDTLS_CIPHER_VARIABLE_KEY_LEN;
564 }
565 
566 /**
567  * \brief        This function returns a non-zero value if the IV size for
568  *               the given cipher is variable.
569  *
570  * \param info   The cipher info structure. This may be \c NULL.
571  *
572  * \return       Non-zero if the IV size is variable, \c 0 otherwise.
573  * \return       \c 0 if the given pointer is \c NULL.
574  */
mbedtls_cipher_info_has_variable_iv_size(const mbedtls_cipher_info_t * info)575 static inline int mbedtls_cipher_info_has_variable_iv_size(
576     const mbedtls_cipher_info_t *info)
577 {
578     if (info == NULL) {
579         return 0;
580     }
581 
582     return info->MBEDTLS_PRIVATE(flags) & MBEDTLS_CIPHER_VARIABLE_IV_LEN;
583 }
584 
585 /**
586  * \brief               This function initializes a \p cipher_context as NONE.
587  *
588  * \param ctx           The context to be initialized. This must not be \c NULL.
589  */
590 void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx);
591 
592 /**
593  * \brief               This function frees and clears the cipher-specific
594  *                      context of \p ctx. Freeing \p ctx itself remains the
595  *                      responsibility of the caller.
596  *
597  * \param ctx           The context to be freed. If this is \c NULL, the
598  *                      function has no effect, otherwise this must point to an
599  *                      initialized context.
600  */
601 void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx);
602 
603 
604 /**
605  * \brief               This function prepares a cipher context for
606  *                      use with the given cipher primitive.
607  *
608  * \note                After calling this function, you should call
609  *                      mbedtls_cipher_setkey() and, if the mode uses padding,
610  *                      mbedtls_cipher_set_padding_mode(), then for each
611  *                      message to encrypt or decrypt with this key, either:
612  *                      - mbedtls_cipher_crypt() for one-shot processing with
613  *                      non-AEAD modes;
614  *                      - mbedtls_cipher_auth_encrypt_ext() or
615  *                      mbedtls_cipher_auth_decrypt_ext() for one-shot
616  *                      processing with AEAD modes or NIST_KW;
617  *                      - for multi-part processing, see the documentation of
618  *                      mbedtls_cipher_reset().
619  *
620  * \param ctx           The context to prepare. This must be initialized by
621  *                      a call to mbedtls_cipher_init() first.
622  * \param cipher_info   The cipher to use.
623  *
624  * \return              \c 0 on success.
625  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
626  *                      parameter-verification failure.
627  * \return              #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
628  *                      cipher-specific context fails.
629  */
630 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
631                          const mbedtls_cipher_info_t *cipher_info);
632 
633 #if defined(MBEDTLS_USE_PSA_CRYPTO)
634 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
635 /**
636  * \brief               This function initializes a cipher context for
637  *                      PSA-based use with the given cipher primitive.
638  *
639  * \deprecated          This function is deprecated and will be removed in a
640  *                      future version of the library.
641  *                      Please use psa_aead_xxx() / psa_cipher_xxx() directly
642  *                      instead.
643  *
644  * \note                See #MBEDTLS_USE_PSA_CRYPTO for information on PSA.
645  *
646  * \param ctx           The context to initialize. May not be \c NULL.
647  * \param cipher_info   The cipher to use.
648  * \param taglen        For AEAD ciphers, the length in bytes of the
649  *                      authentication tag to use. Subsequent uses of
650  *                      mbedtls_cipher_auth_encrypt_ext() or
651  *                      mbedtls_cipher_auth_decrypt_ext() must provide
652  *                      the same tag length.
653  *                      For non-AEAD ciphers, the value must be \c 0.
654  *
655  * \return              \c 0 on success.
656  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
657  *                      parameter-verification failure.
658  * \return              #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
659  *                      cipher-specific context fails.
660  */
661 int MBEDTLS_DEPRECATED mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
662                                                 const mbedtls_cipher_info_t *cipher_info,
663                                                 size_t taglen);
664 #endif /* MBEDTLS_DEPRECATED_REMOVED */
665 #endif /* MBEDTLS_USE_PSA_CRYPTO */
666 
667 /**
668  * \brief        This function returns the block size of the given cipher
669  *               in bytes.
670  *
671  * \param ctx    The context of the cipher.
672  *
673  * \return       The block size of the underlying cipher.
674  * \return       \c 1 if the cipher is a stream cipher.
675  * \return       \c 0 if \p ctx has not been initialized.
676  */
mbedtls_cipher_get_block_size(const mbedtls_cipher_context_t * ctx)677 static inline unsigned int mbedtls_cipher_get_block_size(
678     const mbedtls_cipher_context_t *ctx)
679 {
680     MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
681     if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
682         return 0;
683     }
684 
685     return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(block_size);
686 }
687 
688 /**
689  * \brief        This function returns the mode of operation for
690  *               the cipher. For example, MBEDTLS_MODE_CBC.
691  *
692  * \param ctx    The context of the cipher. This must be initialized.
693  *
694  * \return       The mode of operation.
695  * \return       #MBEDTLS_MODE_NONE if \p ctx has not been initialized.
696  */
mbedtls_cipher_get_cipher_mode(const mbedtls_cipher_context_t * ctx)697 static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
698     const mbedtls_cipher_context_t *ctx)
699 {
700     MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, MBEDTLS_MODE_NONE);
701     if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
702         return MBEDTLS_MODE_NONE;
703     }
704 
705     return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(mode);
706 }
707 
708 /**
709  * \brief       This function returns the size of the IV or nonce
710  *              of the cipher, in Bytes.
711  *
712  * \param ctx   The context of the cipher. This must be initialized.
713  *
714  * \return      The recommended IV size if no IV has been set.
715  * \return      \c 0 for ciphers not using an IV or a nonce.
716  * \return      The actual size if an IV has been set.
717  */
mbedtls_cipher_get_iv_size(const mbedtls_cipher_context_t * ctx)718 static inline int mbedtls_cipher_get_iv_size(
719     const mbedtls_cipher_context_t *ctx)
720 {
721     MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
722     if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
723         return 0;
724     }
725 
726     if (ctx->MBEDTLS_PRIVATE(iv_size) != 0) {
727         return (int) ctx->MBEDTLS_PRIVATE(iv_size);
728     }
729 
730     return (int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(iv_size);
731 }
732 
733 /**
734  * \brief               This function returns the type of the given cipher.
735  *
736  * \param ctx           The context of the cipher. This must be initialized.
737  *
738  * \return              The type of the cipher.
739  * \return              #MBEDTLS_CIPHER_NONE if \p ctx has not been initialized.
740  */
mbedtls_cipher_get_type(const mbedtls_cipher_context_t * ctx)741 static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
742     const mbedtls_cipher_context_t *ctx)
743 {
744     MBEDTLS_INTERNAL_VALIDATE_RET(
745         ctx != NULL, MBEDTLS_CIPHER_NONE);
746     if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
747         return MBEDTLS_CIPHER_NONE;
748     }
749 
750     return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(type);
751 }
752 
753 /**
754  * \brief               This function returns the name of the given cipher
755  *                      as a string.
756  *
757  * \param ctx           The context of the cipher. This must be initialized.
758  *
759  * \return              The name of the cipher.
760  * \return              NULL if \p ctx has not been not initialized.
761  */
mbedtls_cipher_get_name(const mbedtls_cipher_context_t * ctx)762 static inline const char *mbedtls_cipher_get_name(
763     const mbedtls_cipher_context_t *ctx)
764 {
765     MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
766     if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
767         return 0;
768     }
769 
770     return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(name);
771 }
772 
773 /**
774  * \brief               This function returns the key length of the cipher.
775  *
776  * \param ctx           The context of the cipher. This must be initialized.
777  *
778  * \return              The key length of the cipher in bits.
779  * \return              #MBEDTLS_KEY_LENGTH_NONE if ctx \p has not been
780  *                      initialized.
781  */
mbedtls_cipher_get_key_bitlen(const mbedtls_cipher_context_t * ctx)782 static inline int mbedtls_cipher_get_key_bitlen(
783     const mbedtls_cipher_context_t *ctx)
784 {
785     MBEDTLS_INTERNAL_VALIDATE_RET(
786         ctx != NULL, MBEDTLS_KEY_LENGTH_NONE);
787     if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
788         return MBEDTLS_KEY_LENGTH_NONE;
789     }
790 
791     return (int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(key_bitlen);
792 }
793 
794 /**
795  * \brief          This function returns the operation of the given cipher.
796  *
797  * \param ctx      The context of the cipher. This must be initialized.
798  *
799  * \return         The type of operation: #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
800  * \return         #MBEDTLS_OPERATION_NONE if \p ctx has not been initialized.
801  */
mbedtls_cipher_get_operation(const mbedtls_cipher_context_t * ctx)802 static inline mbedtls_operation_t mbedtls_cipher_get_operation(
803     const mbedtls_cipher_context_t *ctx)
804 {
805     MBEDTLS_INTERNAL_VALIDATE_RET(
806         ctx != NULL, MBEDTLS_OPERATION_NONE);
807     if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
808         return MBEDTLS_OPERATION_NONE;
809     }
810 
811     return ctx->MBEDTLS_PRIVATE(operation);
812 }
813 
814 /**
815  * \brief               This function sets the key to use with the given context.
816  *
817  * \param ctx           The generic cipher context. This must be initialized and
818  *                      bound to a cipher information structure.
819  * \param key           The key to use. This must be a readable buffer of at
820  *                      least \p key_bitlen Bits.
821  * \param key_bitlen    The key length to use, in Bits.
822  * \param operation     The operation that the key will be used for:
823  *                      #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
824  *
825  * \return              \c 0 on success.
826  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
827  *                      parameter-verification failure.
828  * \return              A cipher-specific error code on failure.
829  */
830 int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
831                           const unsigned char *key,
832                           int key_bitlen,
833                           const mbedtls_operation_t operation);
834 
835 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
836 /**
837  * \brief               This function sets the padding mode, for cipher modes
838  *                      that use padding.
839  *
840  *                      The default passing mode is PKCS7 padding.
841  *
842  * \param ctx           The generic cipher context. This must be initialized and
843  *                      bound to a cipher information structure.
844  * \param mode          The padding mode.
845  *
846  * \return              \c 0 on success.
847  * \return              #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
848  *                      if the selected padding mode is not supported.
849  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode
850  *                      does not support padding.
851  */
852 int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
853                                     mbedtls_cipher_padding_t mode);
854 #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
855 
856 /**
857  * \brief           This function sets the initialization vector (IV)
858  *                  or nonce.
859  *
860  * \note            Some ciphers do not use IVs nor nonce. For these
861  *                  ciphers, this function has no effect.
862  *
863  * \note            For #MBEDTLS_CIPHER_CHACHA20, the nonce length must
864  *                  be 12, and the initial counter value is 0.
865  *
866  * \note            For #MBEDTLS_CIPHER_CHACHA20_POLY1305, the nonce length
867  *                  must be 12.
868  *
869  * \param ctx       The generic cipher context. This must be initialized and
870  *                  bound to a cipher information structure.
871  * \param iv        The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This
872  *                  must be a readable buffer of at least \p iv_len Bytes.
873  * \param iv_len    The IV length for ciphers with variable-size IV.
874  *                  This parameter is discarded by ciphers with fixed-size IV.
875  *
876  * \return          \c 0 on success.
877  * \return          #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
878  *                  parameter-verification failure.
879  */
880 int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
881                           const unsigned char *iv,
882                           size_t iv_len);
883 
884 /**
885  * \brief         This function resets the cipher state.
886  *
887  * \note          With non-AEAD ciphers, the order of calls for each message
888  *                is as follows:
889  *                1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
890  *                2. mbedtls_cipher_reset()
891  *                3. mbedtls_cipher_update() one or more times
892  *                4. mbedtls_cipher_finish()
893  *                .
894  *                This sequence can be repeated to encrypt or decrypt multiple
895  *                messages with the same key.
896  *
897  * \note          With AEAD ciphers, the order of calls for each message
898  *                is as follows:
899  *                1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.
900  *                2. mbedtls_cipher_reset()
901  *                3. mbedtls_cipher_update_ad()
902  *                4. mbedtls_cipher_update() one or more times
903  *                5. mbedtls_cipher_finish()
904  *                6. mbedtls_cipher_check_tag() (for decryption) or
905  *                mbedtls_cipher_write_tag() (for encryption).
906  *                .
907  *                This sequence can be repeated to encrypt or decrypt multiple
908  *                messages with the same key.
909  *
910  * \param ctx     The generic cipher context. This must be bound to a key.
911  *
912  * \return        \c 0 on success.
913  * \return        #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
914  *                parameter-verification failure.
915  */
916 int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx);
917 
918 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
919 /**
920  * \brief               This function adds additional data for AEAD ciphers.
921  *                      Currently supported with GCM and ChaCha20+Poly1305.
922  *
923  * \param ctx           The generic cipher context. This must be initialized.
924  * \param ad            The additional data to use. This must be a readable
925  *                      buffer of at least \p ad_len Bytes.
926  * \param ad_len        The length of \p ad in Bytes.
927  *
928  * \return              \c 0 on success.
929  * \return              A specific error code on failure.
930  */
931 int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
932                              const unsigned char *ad, size_t ad_len);
933 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
934 
935 /**
936  * \brief               The generic cipher update function. It encrypts or
937  *                      decrypts using the given cipher context. Writes as
938  *                      many block-sized blocks of data as possible to output.
939  *                      Any data that cannot be written immediately is either
940  *                      added to the next block, or flushed when
941  *                      mbedtls_cipher_finish() is called.
942  *                      Exception: For MBEDTLS_MODE_ECB, expects a single block
943  *                      in size. For example, 16 Bytes for AES.
944  *
945  * \param ctx           The generic cipher context. This must be initialized and
946  *                      bound to a key.
947  * \param input         The buffer holding the input data. This must be a
948  *                      readable buffer of at least \p ilen Bytes.
949  * \param ilen          The length of the input data.
950  * \param output        The buffer for the output data. This must be able to
951  *                      hold at least `ilen + block_size`. This must not be the
952  *                      same buffer as \p input.
953  * \param olen          The length of the output data, to be updated with the
954  *                      actual number of Bytes written. This must not be
955  *                      \c NULL.
956  *
957  * \return              \c 0 on success.
958  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
959  *                      parameter-verification failure.
960  * \return              #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an
961  *                      unsupported mode for a cipher.
962  * \return              A cipher-specific error code on failure.
963  */
964 int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx,
965                           const unsigned char *input,
966                           size_t ilen, unsigned char *output,
967                           size_t *olen);
968 
969 /**
970  * \brief               The generic cipher finalization function. If data still
971  *                      needs to be flushed from an incomplete block, the data
972  *                      contained in it is padded to the size of
973  *                      the last block, and written to the \p output buffer.
974  *
975  * \param ctx           The generic cipher context. This must be initialized and
976  *                      bound to a key.
977  * \param output        The buffer to write data to. This needs to be a writable
978  *                      buffer of at least \p block_size Bytes.
979  * \param olen          The length of the data written to the \p output buffer.
980  *                      This may not be \c NULL.
981  *
982  * \return              \c 0 on success.
983  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
984  *                      parameter-verification failure.
985  * \return              #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
986  *                      expecting a full block but not receiving one.
987  * \return              #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
988  *                      while decrypting.
989  * \return              A cipher-specific error code on failure.
990  */
991 int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
992                           unsigned char *output, size_t *olen);
993 
994 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
995 /**
996  * \brief               This function writes a tag for AEAD ciphers.
997  *                      Currently supported with GCM and ChaCha20+Poly1305.
998  *                      This must be called after mbedtls_cipher_finish().
999  *
1000  * \param ctx           The generic cipher context. This must be initialized,
1001  *                      bound to a key, and have just completed a cipher
1002  *                      operation through mbedtls_cipher_finish() the tag for
1003  *                      which should be written.
1004  * \param tag           The buffer to write the tag to. This must be a writable
1005  *                      buffer of at least \p tag_len Bytes.
1006  * \param tag_len       The length of the tag to write.
1007  *
1008  * \return              \c 0 on success.
1009  * \return              A specific error code on failure.
1010  */
1011 int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
1012                              unsigned char *tag, size_t tag_len);
1013 
1014 /**
1015  * \brief               This function checks the tag for AEAD ciphers.
1016  *                      Currently supported with GCM and ChaCha20+Poly1305.
1017  *                      This must be called after mbedtls_cipher_finish().
1018  *
1019  * \param ctx           The generic cipher context. This must be initialized.
1020  * \param tag           The buffer holding the tag. This must be a readable
1021  *                      buffer of at least \p tag_len Bytes.
1022  * \param tag_len       The length of the tag to check.
1023  *
1024  * \return              \c 0 on success.
1025  * \return              A specific error code on failure.
1026  */
1027 int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
1028                              const unsigned char *tag, size_t tag_len);
1029 #endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
1030 
1031 /**
1032  * \brief               The generic all-in-one encryption/decryption function,
1033  *                      for all ciphers except AEAD constructs.
1034  *
1035  * \param ctx           The generic cipher context. This must be initialized.
1036  * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
1037  *                      This must be a readable buffer of at least \p iv_len
1038  *                      Bytes.
1039  * \param iv_len        The IV length for ciphers with variable-size IV.
1040  *                      This parameter is discarded by ciphers with fixed-size
1041  *                      IV.
1042  * \param input         The buffer holding the input data. This must be a
1043  *                      readable buffer of at least \p ilen Bytes.
1044  * \param ilen          The length of the input data in Bytes.
1045  * \param output        The buffer for the output data. This must be able to
1046  *                      hold at least `ilen + block_size`. This must not be the
1047  *                      same buffer as \p input.
1048  * \param olen          The length of the output data, to be updated with the
1049  *                      actual number of Bytes written. This must not be
1050  *                      \c NULL.
1051  *
1052  * \note                Some ciphers do not use IVs nor nonce. For these
1053  *                      ciphers, use \p iv = NULL and \p iv_len = 0.
1054  *
1055  * \return              \c 0 on success.
1056  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
1057  *                      parameter-verification failure.
1058  * \return              #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
1059  *                      expecting a full block but not receiving one.
1060  * \return              #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
1061  *                      while decrypting.
1062  * \return              A cipher-specific error code on failure.
1063  */
1064 int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
1065                          const unsigned char *iv, size_t iv_len,
1066                          const unsigned char *input, size_t ilen,
1067                          unsigned char *output, size_t *olen);
1068 
1069 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
1070 /**
1071  * \brief               The authenticated encryption (AEAD/NIST_KW) function.
1072  *
1073  * \note                For AEAD modes, the tag will be appended to the
1074  *                      ciphertext, as recommended by RFC 5116.
1075  *                      (NIST_KW doesn't have a separate tag.)
1076  *
1077  * \param ctx           The generic cipher context. This must be initialized and
1078  *                      bound to a key, with an AEAD algorithm or NIST_KW.
1079  * \param iv            The nonce to use. This must be a readable buffer of
1080  *                      at least \p iv_len Bytes and may be \c NULL if \p
1081  *                      iv_len is \c 0.
1082  * \param iv_len        The length of the nonce. For AEAD ciphers, this must
1083  *                      satisfy the constraints imposed by the cipher used.
1084  *                      For NIST_KW, this must be \c 0.
1085  * \param ad            The additional data to authenticate. This must be a
1086  *                      readable buffer of at least \p ad_len Bytes, and may
1087  *                      be \c NULL is \p ad_len is \c 0.
1088  * \param ad_len        The length of \p ad. For NIST_KW, this must be \c 0.
1089  * \param input         The buffer holding the input data. This must be a
1090  *                      readable buffer of at least \p ilen Bytes, and may be
1091  *                      \c NULL if \p ilen is \c 0.
1092  * \param ilen          The length of the input data.
1093  * \param output        The buffer for the output data. This must be a
1094  *                      writable buffer of at least \p output_len Bytes, and
1095  *                      must not be \c NULL.
1096  * \param output_len    The length of the \p output buffer in Bytes. For AEAD
1097  *                      ciphers, this must be at least \p ilen + \p tag_len.
1098  *                      For NIST_KW, this must be at least \p ilen + 8
1099  *                      (rounded up to a multiple of 8 if KWP is used);
1100  *                      \p ilen + 15 is always a safe value.
1101  * \param olen          This will be filled with the actual number of Bytes
1102  *                      written to the \p output buffer. This must point to a
1103  *                      writable object of type \c size_t.
1104  * \param tag_len       The desired length of the authentication tag. For AEAD
1105  *                      ciphers, this must match the constraints imposed by
1106  *                      the cipher used, and in particular must not be \c 0.
1107  *                      For NIST_KW, this must be \c 0.
1108  *
1109  * \return              \c 0 on success.
1110  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
1111  *                      parameter-verification failure.
1112  * \return              A cipher-specific error code on failure.
1113  */
1114 int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
1115                                     const unsigned char *iv, size_t iv_len,
1116                                     const unsigned char *ad, size_t ad_len,
1117                                     const unsigned char *input, size_t ilen,
1118                                     unsigned char *output, size_t output_len,
1119                                     size_t *olen, size_t tag_len);
1120 
1121 /**
1122  * \brief               The authenticated encryption (AEAD/NIST_KW) function.
1123  *
1124  * \note                If the data is not authentic, then the output buffer
1125  *                      is zeroed out to prevent the unauthentic plaintext being
1126  *                      used, making this interface safer.
1127  *
1128  * \note                For AEAD modes, the tag must be appended to the
1129  *                      ciphertext, as recommended by RFC 5116.
1130  *                      (NIST_KW doesn't have a separate tag.)
1131  *
1132  * \param ctx           The generic cipher context. This must be initialized and
1133  *                      bound to a key, with an AEAD algorithm or NIST_KW.
1134  * \param iv            The nonce to use. This must be a readable buffer of
1135  *                      at least \p iv_len Bytes and may be \c NULL if \p
1136  *                      iv_len is \c 0.
1137  * \param iv_len        The length of the nonce. For AEAD ciphers, this must
1138  *                      satisfy the constraints imposed by the cipher used.
1139  *                      For NIST_KW, this must be \c 0.
1140  * \param ad            The additional data to authenticate. This must be a
1141  *                      readable buffer of at least \p ad_len Bytes, and may
1142  *                      be \c NULL is \p ad_len is \c 0.
1143  * \param ad_len        The length of \p ad. For NIST_KW, this must be \c 0.
1144  * \param input         The buffer holding the input data. This must be a
1145  *                      readable buffer of at least \p ilen Bytes, and may be
1146  *                      \c NULL if \p ilen is \c 0.
1147  * \param ilen          The length of the input data. For AEAD ciphers this
1148  *                      must be at least \p tag_len. For NIST_KW this must be
1149  *                      at least \c 8.
1150  * \param output        The buffer for the output data. This must be a
1151  *                      writable buffer of at least \p output_len Bytes, and
1152  *                      may be \c NULL if \p output_len is \c 0.
1153  * \param output_len    The length of the \p output buffer in Bytes. For AEAD
1154  *                      ciphers, this must be at least \p ilen - \p tag_len.
1155  *                      For NIST_KW, this must be at least \p ilen - 8.
1156  * \param olen          This will be filled with the actual number of Bytes
1157  *                      written to the \p output buffer. This must point to a
1158  *                      writable object of type \c size_t.
1159  * \param tag_len       The actual length of the authentication tag. For AEAD
1160  *                      ciphers, this must match the constraints imposed by
1161  *                      the cipher used, and in particular must not be \c 0.
1162  *                      For NIST_KW, this must be \c 0.
1163  *
1164  * \return              \c 0 on success.
1165  * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
1166  *                      parameter-verification failure.
1167  * \return              #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
1168  * \return              A cipher-specific error code on failure.
1169  */
1170 int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
1171                                     const unsigned char *iv, size_t iv_len,
1172                                     const unsigned char *ad, size_t ad_len,
1173                                     const unsigned char *input, size_t ilen,
1174                                     unsigned char *output, size_t output_len,
1175                                     size_t *olen, size_t tag_len);
1176 #endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
1177 #ifdef __cplusplus
1178 }
1179 #endif
1180 
1181 #endif /* MBEDTLS_CIPHER_H */
1182