xref: /freebsd/contrib/bearssl/inc/bearssl_aead.h (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1 /*
2  * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #ifndef BR_BEARSSL_AEAD_H__
26 #define BR_BEARSSL_AEAD_H__
27 
28 #include <stddef.h>
29 #include <stdint.h>
30 
31 #include "bearssl_block.h"
32 #include "bearssl_hash.h"
33 
34 #ifdef __cplusplus
35 extern "C" {
36 #endif
37 
38 /** \file bearssl_aead.h
39  *
40  * # Authenticated Encryption with Additional Data
41  *
42  * This file documents the API for AEAD encryption.
43  *
44  *
45  * ## Procedural API
46  *
47  * An AEAD algorithm processes messages and provides confidentiality
48  * (encryption) and checked integrity (MAC). It uses the following
49  * parameters:
50  *
51  *   - A symmetric key. Exact size depends on the AEAD algorithm.
52  *
53  *   - A nonce (IV). Size depends on the AEAD algorithm; for most
54  *     algorithms, it is crucial for security that any given nonce
55  *     value is never used twice for the same key and distinct
56  *     messages.
57  *
58  *   - Data to encrypt and protect.
59  *
60  *   - Additional authenticated data, which is covered by the MAC but
61  *     otherwise left untouched (i.e. not encrypted).
62  *
63  * The AEAD algorithm encrypts the data, and produces an authentication
64  * tag. It is assumed that the encrypted data, the tag, the additional
65  * authenticated data and the nonce are sent to the receiver; the
66  * additional data and the nonce may be implicit (e.g. using elements of
67  * the underlying transport protocol, such as record sequence numbers).
68  * The receiver will recompute the tag value and compare it with the one
69  * received; if they match, then the data is correct, and can be
70  * decrypted and used; otherwise, at least one of the elements was
71  * altered in transit, normally leading to wholesale rejection of the
72  * complete message.
73  *
74  * For each AEAD algorithm, identified by a symbolic name (hereafter
75  * denoted as "`xxx`"), the following functions are defined:
76  *
77  *   - `br_xxx_init()`
78  *
79  *     Initialise the AEAD algorithm, on a provided context structure.
80  *     Exact parameters depend on the algorithm, and may include
81  *     pointers to extra implementations and context structures. The
82  *     secret key is provided at this point, either directly or
83  *     indirectly.
84  *
85  *   - `br_xxx_reset()`
86  *
87  *     Start a new AEAD computation. The nonce value is provided as
88  *     parameter to this function.
89  *
90  *   - `br_xxx_aad_inject()`
91  *
92  *     Inject some additional authenticated data. Additional data may
93  *     be provided in several chunks of arbitrary length.
94  *
95  *   - `br_xxx_flip()`
96  *
97  *     This function MUST be called after injecting all additional
98  *     authenticated data, and before beginning to encrypt the plaintext
99  *     (or decrypt the ciphertext).
100  *
101  *   - `br_xxx_run()`
102  *
103  *     Process some plaintext (to encrypt) or ciphertext (to decrypt).
104  *     Encryption/decryption is done in place. Data may be provided in
105  *     several chunks of arbitrary length.
106  *
107  *   - `br_xxx_get_tag()`
108  *
109  *     Compute the authentication tag. All message data (encrypted or
110  *     decrypted) must have been injected at that point. Also, this
111  *     call may modify internal context elements, so it may be called
112  *     only once for a given AEAD computation.
113  *
114  *   - `br_xxx_check_tag()`
115  *
116  *     An alternative to `br_xxx_get_tag()`, meant to be used by the
117  *     receiver: the authentication tag is internally recomputed, and
118  *     compared with the one provided as parameter.
119  *
120  * This API makes the following assumptions on the AEAD algorithm:
121  *
122  *   - Encryption does not expand the size of the ciphertext; there is
123  *     no padding. This is true of most modern AEAD modes such as GCM.
124  *
125  *   - The additional authenticated data must be processed first,
126  *     before the encrypted/decrypted data.
127  *
128  *   - Nonce, plaintext and additional authenticated data all consist
129  *     in an integral number of bytes. There is no provision to use
130  *     elements whose length in bits is not a multiple of 8.
131  *
132  * Each AEAD algorithm has its own requirements and limits on the sizes
133  * of additional data and plaintext. This API does not provide any
134  * way to report invalid usage; it is up to the caller to ensure that
135  * the provided key, nonce, and data elements all fit the algorithm's
136  * requirements.
137  *
138  *
139  * ## Object-Oriented API
140  *
141  * Each context structure begins with a field (called `vtable`) that
142  * points to an instance of a structure that references the relevant
143  * functions through pointers. Each such structure contains the
144  * following:
145  *
146  *   - `reset`
147  *
148  *     Pointer to the reset function, that allows starting a new
149  *     computation.
150  *
151  *   - `aad_inject`
152  *
153  *     Pointer to the additional authenticated data injection function.
154  *
155  *   - `flip`
156  *
157  *     Pointer to the function that transitions from additional data
158  *     to main message data processing.
159  *
160  *   - `get_tag`
161  *
162  *     Pointer to the function that computes and returns the tag.
163  *
164  *   - `check_tag`
165  *
166  *     Pointer to the function that computes and verifies the tag against
167  *     a received value.
168  *
169  * Note that there is no OOP method for context initialisation: the
170  * various AEAD algorithms have different requirements that would not
171  * map well to a single initialisation API.
172  *
173  * The OOP API is not provided for CCM, due to its specific requirements
174  * (length of plaintext must be known in advance).
175  */
176 
177 /**
178  * \brief Class type of an AEAD algorithm.
179  */
180 typedef struct br_aead_class_ br_aead_class;
181 struct br_aead_class_ {
182 
183 	/**
184 	 * \brief Size (in bytes) of authentication tags created by
185 	 * this AEAD algorithm.
186 	 */
187 	size_t tag_size;
188 
189 	/**
190 	 * \brief Reset an AEAD context.
191 	 *
192 	 * This function resets an already initialised AEAD context for
193 	 * a new computation run. Implementations and keys are
194 	 * conserved. This function can be called at any time; it
195 	 * cancels any ongoing AEAD computation that uses the provided
196 	 * context structure.
197 
198 	 * The provided IV is a _nonce_. Each AEAD algorithm has its
199 	 * own requirements on IV size and contents; for most of them,
200 	 * it is crucial to security that each nonce value is used
201 	 * only once for a given secret key.
202 	 *
203 	 * \param cc    AEAD context structure.
204 	 * \param iv    AEAD nonce to use.
205 	 * \param len   AEAD nonce length (in bytes).
206 	 */
207 	void (*reset)(const br_aead_class **cc, const void *iv, size_t len);
208 
209 	/**
210 	 * \brief Inject additional authenticated data.
211 	 *
212 	 * The provided data is injected into a running AEAD
213 	 * computation. Additional data must be injected _before_ the
214 	 * call to `flip()`. Additional data can be injected in several
215 	 * chunks of arbitrary length.
216 	 *
217 	 * \param cc     AEAD context structure.
218 	 * \param data   pointer to additional authenticated data.
219 	 * \param len    length of additional authenticated data (in bytes).
220 	 */
221 	void (*aad_inject)(const br_aead_class **cc,
222 		const void *data, size_t len);
223 
224 	/**
225 	 * \brief Finish injection of additional authenticated data.
226 	 *
227 	 * This function MUST be called before beginning the actual
228 	 * encryption or decryption (with `run()`), even if no
229 	 * additional authenticated data was injected. No additional
230 	 * authenticated data may be injected after this function call.
231 	 *
232 	 * \param cc   AEAD context structure.
233 	 */
234 	void (*flip)(const br_aead_class **cc);
235 
236 	/**
237 	 * \brief Encrypt or decrypt some data.
238 	 *
239 	 * Data encryption or decryption can be done after `flip()` has
240 	 * been called on the context. If `encrypt` is non-zero, then
241 	 * the provided data shall be plaintext, and it is encrypted in
242 	 * place. Otherwise, the data shall be ciphertext, and it is
243 	 * decrypted in place.
244 	 *
245 	 * Data may be provided in several chunks of arbitrary length.
246 	 *
247 	 * \param cc        AEAD context structure.
248 	 * \param encrypt   non-zero for encryption, zero for decryption.
249 	 * \param data      data to encrypt or decrypt.
250 	 * \param len       data length (in bytes).
251 	 */
252 	void (*run)(const br_aead_class **cc, int encrypt,
253 		void *data, size_t len);
254 
255 	/**
256 	 * \brief Compute authentication tag.
257 	 *
258 	 * Compute the AEAD authentication tag. The tag length depends
259 	 * on the AEAD algorithm; it is written in the provided `tag`
260 	 * buffer. This call terminates the AEAD run: no data may be
261 	 * processed with that AEAD context afterwards, until `reset()`
262 	 * is called to initiate a new AEAD run.
263 	 *
264 	 * The tag value must normally be sent along with the encrypted
265 	 * data. When decrypting, the tag value must be recomputed and
266 	 * compared with the received tag: if the two tag values differ,
267 	 * then either the tag or the encrypted data was altered in
268 	 * transit. As an alternative to this function, the
269 	 * `check_tag()` function may be used to compute and check the
270 	 * tag value.
271 	 *
272 	 * Tag length depends on the AEAD algorithm.
273 	 *
274 	 * \param cc    AEAD context structure.
275 	 * \param tag   destination buffer for the tag.
276 	 */
277 	void (*get_tag)(const br_aead_class **cc, void *tag);
278 
279 	/**
280 	 * \brief Compute and check authentication tag.
281 	 *
282 	 * This function is an alternative to `get_tag()`, and is
283 	 * normally used on the receiving end (i.e. when decrypting
284 	 * messages). The tag value is recomputed and compared with the
285 	 * provided tag value. If they match, 1 is returned; on
286 	 * mismatch, 0 is returned. A returned value of 0 means that the
287 	 * data or the tag was altered in transit, normally leading to
288 	 * wholesale rejection of the complete message.
289 	 *
290 	 * Tag length depends on the AEAD algorithm.
291 	 *
292 	 * \param cc    AEAD context structure.
293 	 * \param tag   tag value to compare with.
294 	 * \return  1 on success (exact match of tag value), 0 otherwise.
295 	 */
296 	uint32_t (*check_tag)(const br_aead_class **cc, const void *tag);
297 
298 	/**
299 	 * \brief Compute authentication tag (with truncation).
300 	 *
301 	 * This function is similar to `get_tag()`, except that the tag
302 	 * length is provided. Some AEAD algorithms allow several tag
303 	 * lengths, usually by truncating the normal tag. Shorter tags
304 	 * mechanically increase success probability of forgeries.
305 	 * The range of allowed tag lengths depends on the algorithm.
306 	 *
307 	 * \param cc    AEAD context structure.
308 	 * \param tag   destination buffer for the tag.
309 	 * \param len   tag length (in bytes).
310 	 */
311 	void (*get_tag_trunc)(const br_aead_class **cc, void *tag, size_t len);
312 
313 	/**
314 	 * \brief Compute and check authentication tag (with truncation).
315 	 *
316 	 * This function is similar to `check_tag()` except that it
317 	 * works over an explicit tag length. See `get_tag()` for a
318 	 * discussion of explicit tag lengths; the range of allowed tag
319 	 * lengths depends on the algorithm.
320 	 *
321 	 * \param cc    AEAD context structure.
322 	 * \param tag   tag value to compare with.
323 	 * \param len   tag length (in bytes).
324 	 * \return  1 on success (exact match of tag value), 0 otherwise.
325 	 */
326 	uint32_t (*check_tag_trunc)(const br_aead_class **cc,
327 		const void *tag, size_t len);
328 };
329 
330 /**
331  * \brief Context structure for GCM.
332  *
333  * GCM is an AEAD mode that combines a block cipher in CTR mode with a
334  * MAC based on GHASH, to provide authenticated encryption:
335  *
336  *   - Any block cipher with 16-byte blocks can be used with GCM.
337  *
338  *   - The nonce can have any length, from 0 up to 2^64-1 bits; however,
339  *     96-bit nonces (12 bytes) are recommended (nonces with a length
340  *     distinct from 12 bytes are internally hashed, which risks reusing
341  *     nonce value with a small but not always negligible probability).
342  *
343  *   - Additional authenticated data may have length up to 2^64-1 bits.
344  *
345  *   - Message length may range up to 2^39-256 bits at most.
346  *
347  *   - The authentication tag has length 16 bytes.
348  *
349  * The GCM initialisation function receives as parameter an
350  * _initialised_ block cipher implementation context, with the secret
351  * key already set. A pointer to that context will be kept within the
352  * GCM context structure. It is up to the caller to allocate and
353  * initialise that block cipher context.
354  */
355 typedef struct {
356 	/** \brief Pointer to vtable for this context. */
357 	const br_aead_class *vtable;
358 
359 #ifndef BR_DOXYGEN_IGNORE
360 	const br_block_ctr_class **bctx;
361 	br_ghash gh;
362 	unsigned char h[16];
363 	unsigned char j0_1[12];
364 	unsigned char buf[16];
365 	unsigned char y[16];
366 	uint32_t j0_2, jc;
367 	uint64_t count_aad, count_ctr;
368 #endif
369 } br_gcm_context;
370 
371 /**
372  * \brief Initialize a GCM context.
373  *
374  * A block cipher implementation, with its initialised context structure,
375  * is provided. The block cipher MUST use 16-byte blocks in CTR mode,
376  * and its secret key MUST have been already set in the provided context.
377  * A GHASH implementation must also be provided. The parameters are linked
378  * in the GCM context.
379  *
380  * After this function has been called, the `br_gcm_reset()` function must
381  * be called, to provide the IV for GCM computation.
382  *
383  * \param ctx    GCM context structure.
384  * \param bctx   block cipher context (already initialised with secret key).
385  * \param gh     GHASH implementation.
386  */
387 void br_gcm_init(br_gcm_context *ctx,
388 	const br_block_ctr_class **bctx, br_ghash gh);
389 
390 /**
391  * \brief Reset a GCM context.
392  *
393  * This function resets an already initialised GCM context for a new
394  * computation run. Implementations and keys are conserved. This function
395  * can be called at any time; it cancels any ongoing GCM computation that
396  * uses the provided context structure.
397  *
398  * The provided IV is a _nonce_. It is critical to GCM security that IV
399  * values are not repeated for the same encryption key. IV can have
400  * arbitrary length (up to 2^64-1 bits), but the "normal" length is
401  * 96 bits (12 bytes).
402  *
403  * \param ctx   GCM context structure.
404  * \param iv    GCM nonce to use.
405  * \param len   GCM nonce length (in bytes).
406  */
407 void br_gcm_reset(br_gcm_context *ctx, const void *iv, size_t len);
408 
409 /**
410  * \brief Inject additional authenticated data into GCM.
411  *
412  * The provided data is injected into a running GCM computation. Additional
413  * data must be injected _before_ the call to `br_gcm_flip()`.
414  * Additional data can be injected in several chunks of arbitrary length;
415  * the maximum total size of additional authenticated data is 2^64-1
416  * bits.
417  *
418  * \param ctx    GCM context structure.
419  * \param data   pointer to additional authenticated data.
420  * \param len    length of additional authenticated data (in bytes).
421  */
422 void br_gcm_aad_inject(br_gcm_context *ctx, const void *data, size_t len);
423 
424 /**
425  * \brief Finish injection of additional authenticated data into GCM.
426  *
427  * This function MUST be called before beginning the actual encryption
428  * or decryption (with `br_gcm_run()`), even if no additional authenticated
429  * data was injected. No additional authenticated data may be injected
430  * after this function call.
431  *
432  * \param ctx   GCM context structure.
433  */
434 void br_gcm_flip(br_gcm_context *ctx);
435 
436 /**
437  * \brief Encrypt or decrypt some data with GCM.
438  *
439  * Data encryption or decryption can be done after `br_gcm_flip()`
440  * has been called on the context. If `encrypt` is non-zero, then the
441  * provided data shall be plaintext, and it is encrypted in place.
442  * Otherwise, the data shall be ciphertext, and it is decrypted in place.
443  *
444  * Data may be provided in several chunks of arbitrary length. The maximum
445  * total length for data is 2^39-256 bits, i.e. about 65 gigabytes.
446  *
447  * \param ctx       GCM context structure.
448  * \param encrypt   non-zero for encryption, zero for decryption.
449  * \param data      data to encrypt or decrypt.
450  * \param len       data length (in bytes).
451  */
452 void br_gcm_run(br_gcm_context *ctx, int encrypt, void *data, size_t len);
453 
454 /**
455  * \brief Compute GCM authentication tag.
456  *
457  * Compute the GCM authentication tag. The tag is a 16-byte value which
458  * is written in the provided `tag` buffer. This call terminates the
459  * GCM run: no data may be processed with that GCM context afterwards,
460  * until `br_gcm_reset()` is called to initiate a new GCM run.
461  *
462  * The tag value must normally be sent along with the encrypted data.
463  * When decrypting, the tag value must be recomputed and compared with
464  * the received tag: if the two tag values differ, then either the tag
465  * or the encrypted data was altered in transit. As an alternative to
466  * this function, the `br_gcm_check_tag()` function can be used to
467  * compute and check the tag value.
468  *
469  * \param ctx   GCM context structure.
470  * \param tag   destination buffer for the tag (16 bytes).
471  */
472 void br_gcm_get_tag(br_gcm_context *ctx, void *tag);
473 
474 /**
475  * \brief Compute and check GCM authentication tag.
476  *
477  * This function is an alternative to `br_gcm_get_tag()`, normally used
478  * on the receiving end (i.e. when decrypting value). The tag value is
479  * recomputed and compared with the provided tag value. If they match, 1
480  * is returned; on mismatch, 0 is returned. A returned value of 0 means
481  * that the data or the tag was altered in transit, normally leading to
482  * wholesale rejection of the complete message.
483  *
484  * \param ctx   GCM context structure.
485  * \param tag   tag value to compare with (16 bytes).
486  * \return  1 on success (exact match of tag value), 0 otherwise.
487  */
488 uint32_t br_gcm_check_tag(br_gcm_context *ctx, const void *tag);
489 
490 /**
491  * \brief Compute GCM authentication tag (with truncation).
492  *
493  * This function is similar to `br_gcm_get_tag()`, except that it allows
494  * the tag to be truncated to a smaller length. The intended tag length
495  * is provided as `len` (in bytes); it MUST be no more than 16, but
496  * it may be smaller. Note that decreasing tag length mechanically makes
497  * forgeries easier; NIST SP 800-38D specifies that the tag length shall
498  * lie between 12 and 16 bytes (inclusive), but may be truncated down to
499  * 4 or 8 bytes, for specific applications that can tolerate it. It must
500  * also be noted that successful forgeries leak information on the
501  * authentication key, making subsequent forgeries easier. Therefore,
502  * tag truncation, and in particular truncation to sizes lower than 12
503  * bytes, shall be envisioned only with great care.
504  *
505  * The tag is written in the provided `tag` buffer. This call terminates
506  * the GCM run: no data may be processed with that GCM context
507  * afterwards, until `br_gcm_reset()` is called to initiate a new GCM
508  * run.
509  *
510  * The tag value must normally be sent along with the encrypted data.
511  * When decrypting, the tag value must be recomputed and compared with
512  * the received tag: if the two tag values differ, then either the tag
513  * or the encrypted data was altered in transit. As an alternative to
514  * this function, the `br_gcm_check_tag_trunc()` function can be used to
515  * compute and check the tag value.
516  *
517  * \param ctx   GCM context structure.
518  * \param tag   destination buffer for the tag.
519  * \param len   tag length (16 bytes or less).
520  */
521 void br_gcm_get_tag_trunc(br_gcm_context *ctx, void *tag, size_t len);
522 
523 /**
524  * \brief Compute and check GCM authentication tag (with truncation).
525  *
526  * This function is an alternative to `br_gcm_get_tag_trunc()`, normally used
527  * on the receiving end (i.e. when decrypting value). The tag value is
528  * recomputed and compared with the provided tag value. If they match, 1
529  * is returned; on mismatch, 0 is returned. A returned value of 0 means
530  * that the data or the tag was altered in transit, normally leading to
531  * wholesale rejection of the complete message.
532  *
533  * Tag length MUST be 16 bytes or less. The normal GCM tag length is 16
534  * bytes. See `br_check_tag_trunc()` for some discussion on the potential
535  * perils of truncating authentication tags.
536  *
537  * \param ctx   GCM context structure.
538  * \param tag   tag value to compare with.
539  * \param len   tag length (in bytes).
540  * \return  1 on success (exact match of tag value), 0 otherwise.
541  */
542 uint32_t br_gcm_check_tag_trunc(br_gcm_context *ctx,
543 	const void *tag, size_t len);
544 
545 /**
546  * \brief Class instance for GCM.
547  */
548 extern const br_aead_class br_gcm_vtable;
549 
550 /**
551  * \brief Context structure for EAX.
552  *
553  * EAX is an AEAD mode that combines a block cipher in CTR mode with
554  * CBC-MAC using the same block cipher and the same key, to provide
555  * authenticated encryption:
556  *
557  *   - Any block cipher with 16-byte blocks can be used with EAX
558  *     (technically, other block sizes are defined as well, but this
559  *     is not implemented by these functions; shorter blocks also
560  *     imply numerous security issues).
561  *
562  *   - The nonce can have any length, as long as nonce values are
563  *     not reused (thus, if nonces are randomly selected, the nonce
564  *     size should be such that reuse probability is negligible).
565  *
566  *   - Additional authenticated data length is unlimited.
567  *
568  *   - Message length is unlimited.
569  *
570  *   - The authentication tag has length 16 bytes.
571  *
572  * The EAX initialisation function receives as parameter an
573  * _initialised_ block cipher implementation context, with the secret
574  * key already set. A pointer to that context will be kept within the
575  * EAX context structure. It is up to the caller to allocate and
576  * initialise that block cipher context.
577  */
578 typedef struct {
579 	/** \brief Pointer to vtable for this context. */
580 	const br_aead_class *vtable;
581 
582 #ifndef BR_DOXYGEN_IGNORE
583 	const br_block_ctrcbc_class **bctx;
584 	unsigned char L2[16];
585 	unsigned char L4[16];
586 	unsigned char nonce[16];
587 	unsigned char head[16];
588 	unsigned char ctr[16];
589 	unsigned char cbcmac[16];
590 	unsigned char buf[16];
591 	size_t ptr;
592 #endif
593 } br_eax_context;
594 
595 /**
596  * \brief EAX captured state.
597  *
598  * Some internal values computed by EAX may be captured at various
599  * points, and reused for another EAX run with the same secret key,
600  * for lower per-message overhead. Captured values do not depend on
601  * the nonce.
602  */
603 typedef struct {
604 #ifndef BR_DOXYGEN_IGNORE
605 	unsigned char st[3][16];
606 #endif
607 } br_eax_state;
608 
609 /**
610  * \brief Initialize an EAX context.
611  *
612  * A block cipher implementation, with its initialised context
613  * structure, is provided. The block cipher MUST use 16-byte blocks in
614  * CTR + CBC-MAC mode, and its secret key MUST have been already set in
615  * the provided context. The parameters are linked in the EAX context.
616  *
617  * After this function has been called, the `br_eax_reset()` function must
618  * be called, to provide the nonce for EAX computation.
619  *
620  * \param ctx    EAX context structure.
621  * \param bctx   block cipher context (already initialised with secret key).
622  */
623 void br_eax_init(br_eax_context *ctx, const br_block_ctrcbc_class **bctx);
624 
625 /**
626  * \brief Capture pre-AAD state.
627  *
628  * This function precomputes key-dependent data, and stores it in the
629  * provided `st` structure. This structure should then be used with
630  * `br_eax_reset_pre_aad()`, or updated with `br_eax_get_aad_mac()`
631  * and then used with `br_eax_reset_post_aad()`.
632  *
633  * The EAX context structure is unmodified by this call.
634  *
635  * \param ctx   EAX context structure.
636  * \param st    recipient for captured state.
637  */
638 void br_eax_capture(const br_eax_context *ctx, br_eax_state *st);
639 
640 /**
641  * \brief Reset an EAX context.
642  *
643  * This function resets an already initialised EAX context for a new
644  * computation run. Implementations and keys are conserved. This function
645  * can be called at any time; it cancels any ongoing EAX computation that
646  * uses the provided context structure.
647  *
648  * It is critical to EAX security that nonce values are not repeated for
649  * the same encryption key. Nonces can have arbitrary length. If nonces
650  * are randomly generated, then a nonce length of at least 128 bits (16
651  * bytes) is recommended, to make nonce reuse probability sufficiently
652  * low.
653  *
654  * \param ctx     EAX context structure.
655  * \param nonce   EAX nonce to use.
656  * \param len     EAX nonce length (in bytes).
657  */
658 void br_eax_reset(br_eax_context *ctx, const void *nonce, size_t len);
659 
660 /**
661  * \brief Reset an EAX context with a pre-AAD captured state.
662  *
663  * This function is an alternative to `br_eax_reset()`, that reuses a
664  * previously captured state structure for lower per-message overhead.
665  * The state should have been populated with `br_eax_capture_state()`
666  * but not updated with `br_eax_get_aad_mac()`.
667  *
668  * After this function is called, additional authenticated data MUST
669  * be injected. At least one byte of additional authenticated data
670  * MUST be provided with `br_eax_aad_inject()`; computation result will
671  * be incorrect if `br_eax_flip()` is called right away.
672  *
673  * After injection of the AAD and call to `br_eax_flip()`, at least
674  * one message byte must be provided. Empty messages are not supported
675  * with this reset mode.
676  *
677  * \param ctx     EAX context structure.
678  * \param st      pre-AAD captured state.
679  * \param nonce   EAX nonce to use.
680  * \param len     EAX nonce length (in bytes).
681  */
682 void br_eax_reset_pre_aad(br_eax_context *ctx, const br_eax_state *st,
683 	const void *nonce, size_t len);
684 
685 /**
686  * \brief Reset an EAX context with a post-AAD captured state.
687  *
688  * This function is an alternative to `br_eax_reset()`, that reuses a
689  * previously captured state structure for lower per-message overhead.
690  * The state should have been populated with `br_eax_capture_state()`
691  * and then updated with `br_eax_get_aad_mac()`.
692  *
693  * After this function is called, message data MUST be injected. The
694  * `br_eax_flip()` function MUST NOT be called. At least one byte of
695  * message data MUST be provided with `br_eax_run()`; empty messages
696  * are not supported with this reset mode.
697  *
698  * \param ctx     EAX context structure.
699  * \param st      post-AAD captured state.
700  * \param nonce   EAX nonce to use.
701  * \param len     EAX nonce length (in bytes).
702  */
703 void br_eax_reset_post_aad(br_eax_context *ctx, const br_eax_state *st,
704 	const void *nonce, size_t len);
705 
706 /**
707  * \brief Inject additional authenticated data into EAX.
708  *
709  * The provided data is injected into a running EAX computation. Additional
710  * data must be injected _before_ the call to `br_eax_flip()`.
711  * Additional data can be injected in several chunks of arbitrary length;
712  * the total amount of additional authenticated data is unlimited.
713  *
714  * \param ctx    EAX context structure.
715  * \param data   pointer to additional authenticated data.
716  * \param len    length of additional authenticated data (in bytes).
717  */
718 void br_eax_aad_inject(br_eax_context *ctx, const void *data, size_t len);
719 
720 /**
721  * \brief Finish injection of additional authenticated data into EAX.
722  *
723  * This function MUST be called before beginning the actual encryption
724  * or decryption (with `br_eax_run()`), even if no additional authenticated
725  * data was injected. No additional authenticated data may be injected
726  * after this function call.
727  *
728  * \param ctx   EAX context structure.
729  */
730 void br_eax_flip(br_eax_context *ctx);
731 
732 /**
733  * \brief Obtain a copy of the MAC on additional authenticated data.
734  *
735  * This function may be called only after `br_eax_flip()`; it copies the
736  * AAD-specific MAC value into the provided state. The MAC value depends
737  * on the secret key and the additional data itself, but not on the
738  * nonce. The updated state `st` is meant to be used as parameter for a
739  * further `br_eax_reset_post_aad()` call.
740  *
741  * \param ctx   EAX context structure.
742  * \param st    captured state to update.
743  */
744 static inline void
745 br_eax_get_aad_mac(const br_eax_context *ctx, br_eax_state *st)
746 {
747 	memcpy(st->st[1], ctx->head, sizeof ctx->head);
748 }
749 
750 /**
751  * \brief Encrypt or decrypt some data with EAX.
752  *
753  * Data encryption or decryption can be done after `br_eax_flip()`
754  * has been called on the context. If `encrypt` is non-zero, then the
755  * provided data shall be plaintext, and it is encrypted in place.
756  * Otherwise, the data shall be ciphertext, and it is decrypted in place.
757  *
758  * Data may be provided in several chunks of arbitrary length.
759  *
760  * \param ctx       EAX context structure.
761  * \param encrypt   non-zero for encryption, zero for decryption.
762  * \param data      data to encrypt or decrypt.
763  * \param len       data length (in bytes).
764  */
765 void br_eax_run(br_eax_context *ctx, int encrypt, void *data, size_t len);
766 
767 /**
768  * \brief Compute EAX authentication tag.
769  *
770  * Compute the EAX authentication tag. The tag is a 16-byte value which
771  * is written in the provided `tag` buffer. This call terminates the
772  * EAX run: no data may be processed with that EAX context afterwards,
773  * until `br_eax_reset()` is called to initiate a new EAX run.
774  *
775  * The tag value must normally be sent along with the encrypted data.
776  * When decrypting, the tag value must be recomputed and compared with
777  * the received tag: if the two tag values differ, then either the tag
778  * or the encrypted data was altered in transit. As an alternative to
779  * this function, the `br_eax_check_tag()` function can be used to
780  * compute and check the tag value.
781  *
782  * \param ctx   EAX context structure.
783  * \param tag   destination buffer for the tag (16 bytes).
784  */
785 void br_eax_get_tag(br_eax_context *ctx, void *tag);
786 
787 /**
788  * \brief Compute and check EAX authentication tag.
789  *
790  * This function is an alternative to `br_eax_get_tag()`, normally used
791  * on the receiving end (i.e. when decrypting value). The tag value is
792  * recomputed and compared with the provided tag value. If they match, 1
793  * is returned; on mismatch, 0 is returned. A returned value of 0 means
794  * that the data or the tag was altered in transit, normally leading to
795  * wholesale rejection of the complete message.
796  *
797  * \param ctx   EAX context structure.
798  * \param tag   tag value to compare with (16 bytes).
799  * \return  1 on success (exact match of tag value), 0 otherwise.
800  */
801 uint32_t br_eax_check_tag(br_eax_context *ctx, const void *tag);
802 
803 /**
804  * \brief Compute EAX authentication tag (with truncation).
805  *
806  * This function is similar to `br_eax_get_tag()`, except that it allows
807  * the tag to be truncated to a smaller length. The intended tag length
808  * is provided as `len` (in bytes); it MUST be no more than 16, but
809  * it may be smaller. Note that decreasing tag length mechanically makes
810  * forgeries easier; NIST SP 800-38D specifies that the tag length shall
811  * lie between 12 and 16 bytes (inclusive), but may be truncated down to
812  * 4 or 8 bytes, for specific applications that can tolerate it. It must
813  * also be noted that successful forgeries leak information on the
814  * authentication key, making subsequent forgeries easier. Therefore,
815  * tag truncation, and in particular truncation to sizes lower than 12
816  * bytes, shall be envisioned only with great care.
817  *
818  * The tag is written in the provided `tag` buffer. This call terminates
819  * the EAX run: no data may be processed with that EAX context
820  * afterwards, until `br_eax_reset()` is called to initiate a new EAX
821  * run.
822  *
823  * The tag value must normally be sent along with the encrypted data.
824  * When decrypting, the tag value must be recomputed and compared with
825  * the received tag: if the two tag values differ, then either the tag
826  * or the encrypted data was altered in transit. As an alternative to
827  * this function, the `br_eax_check_tag_trunc()` function can be used to
828  * compute and check the tag value.
829  *
830  * \param ctx   EAX context structure.
831  * \param tag   destination buffer for the tag.
832  * \param len   tag length (16 bytes or less).
833  */
834 void br_eax_get_tag_trunc(br_eax_context *ctx, void *tag, size_t len);
835 
836 /**
837  * \brief Compute and check EAX authentication tag (with truncation).
838  *
839  * This function is an alternative to `br_eax_get_tag_trunc()`, normally used
840  * on the receiving end (i.e. when decrypting value). The tag value is
841  * recomputed and compared with the provided tag value. If they match, 1
842  * is returned; on mismatch, 0 is returned. A returned value of 0 means
843  * that the data or the tag was altered in transit, normally leading to
844  * wholesale rejection of the complete message.
845  *
846  * Tag length MUST be 16 bytes or less. The normal EAX tag length is 16
847  * bytes. See `br_check_tag_trunc()` for some discussion on the potential
848  * perils of truncating authentication tags.
849  *
850  * \param ctx   EAX context structure.
851  * \param tag   tag value to compare with.
852  * \param len   tag length (in bytes).
853  * \return  1 on success (exact match of tag value), 0 otherwise.
854  */
855 uint32_t br_eax_check_tag_trunc(br_eax_context *ctx,
856 	const void *tag, size_t len);
857 
858 /**
859  * \brief Class instance for EAX.
860  */
861 extern const br_aead_class br_eax_vtable;
862 
863 /**
864  * \brief Context structure for CCM.
865  *
866  * CCM is an AEAD mode that combines a block cipher in CTR mode with
867  * CBC-MAC using the same block cipher and the same key, to provide
868  * authenticated encryption:
869  *
870  *   - Any block cipher with 16-byte blocks can be used with CCM
871  *     (technically, other block sizes are defined as well, but this
872  *     is not implemented by these functions; shorter blocks also
873  *     imply numerous security issues).
874  *
875  *   - The authentication tag length, and plaintext length, MUST be
876  *     known when starting processing data. Plaintext and ciphertext
877  *     can still be provided by chunks, but the total size must match
878  *     the value provided upon initialisation.
879  *
880  *   - The nonce length is constrained between 7 and 13 bytes (inclusive).
881  *     Furthermore, the plaintext length, when encoded, must fit over
882  *     15-nonceLen bytes; thus, if the nonce has length 13 bytes, then
883  *     the plaintext length cannot exceed 65535 bytes.
884  *
885  *   - Additional authenticated data length is practically unlimited
886  *     (formal limit is at 2^64 bytes).
887  *
888  *   - The authentication tag has length 4 to 16 bytes (even values only).
889  *
890  * The CCM initialisation function receives as parameter an
891  * _initialised_ block cipher implementation context, with the secret
892  * key already set. A pointer to that context will be kept within the
893  * CCM context structure. It is up to the caller to allocate and
894  * initialise that block cipher context.
895  */
896 typedef struct {
897 #ifndef BR_DOXYGEN_IGNORE
898 	const br_block_ctrcbc_class **bctx;
899 	unsigned char ctr[16];
900 	unsigned char cbcmac[16];
901 	unsigned char tagmask[16];
902 	unsigned char buf[16];
903 	size_t ptr;
904 	size_t tag_len;
905 #endif
906 } br_ccm_context;
907 
908 /**
909  * \brief Initialize a CCM context.
910  *
911  * A block cipher implementation, with its initialised context
912  * structure, is provided. The block cipher MUST use 16-byte blocks in
913  * CTR + CBC-MAC mode, and its secret key MUST have been already set in
914  * the provided context. The parameters are linked in the CCM context.
915  *
916  * After this function has been called, the `br_ccm_reset()` function must
917  * be called, to provide the nonce for CCM computation.
918  *
919  * \param ctx    CCM context structure.
920  * \param bctx   block cipher context (already initialised with secret key).
921  */
922 void br_ccm_init(br_ccm_context *ctx, const br_block_ctrcbc_class **bctx);
923 
924 /**
925  * \brief Reset a CCM context.
926  *
927  * This function resets an already initialised CCM context for a new
928  * computation run. Implementations and keys are conserved. This function
929  * can be called at any time; it cancels any ongoing CCM computation that
930  * uses the provided context structure.
931  *
932  * The `aad_len` parameter contains the total length, in bytes, of the
933  * additional authenticated data. It may be zero. That length MUST be
934  * exact.
935  *
936  * The `data_len` parameter contains the total length, in bytes, of the
937  * data that will be injected (plaintext or ciphertext). That length MUST
938  * be exact. Moreover, that length MUST be less than 2^(8*(15-nonce_len)).
939  *
940  * The nonce length (`nonce_len`), in bytes, must be in the 7..13 range
941  * (inclusive).
942  *
943  * The tag length (`tag_len`), in bytes, must be in the 4..16 range, and
944  * be an even integer. Short tags mechanically allow for higher forgery
945  * probabilities; hence, tag sizes smaller than 12 bytes shall be used only
946  * with care.
947  *
948  * It is critical to CCM security that nonce values are not repeated for
949  * the same encryption key. Random generation of nonces is not generally
950  * recommended, due to the relatively small maximum nonce value.
951  *
952  * Returned value is 1 on success, 0 on error. An error is reported if
953  * the tag or nonce length is out of range, or if the
954  * plaintext/ciphertext length cannot be encoded with the specified
955  * nonce length.
956  *
957  * \param ctx         CCM context structure.
958  * \param nonce       CCM nonce to use.
959  * \param nonce_len   CCM nonce length (in bytes, 7 to 13).
960  * \param aad_len     additional authenticated data length (in bytes).
961  * \param data_len    plaintext/ciphertext length (in bytes).
962  * \param tag_len     tag length (in bytes).
963  * \return  1 on success, 0 on error.
964  */
965 int br_ccm_reset(br_ccm_context *ctx, const void *nonce, size_t nonce_len,
966 	uint64_t aad_len, uint64_t data_len, size_t tag_len);
967 
968 /**
969  * \brief Inject additional authenticated data into CCM.
970  *
971  * The provided data is injected into a running CCM computation. Additional
972  * data must be injected _before_ the call to `br_ccm_flip()`.
973  * Additional data can be injected in several chunks of arbitrary length,
974  * but the total amount MUST exactly match the value which was provided
975  * to `br_ccm_reset()`.
976  *
977  * \param ctx    CCM context structure.
978  * \param data   pointer to additional authenticated data.
979  * \param len    length of additional authenticated data (in bytes).
980  */
981 void br_ccm_aad_inject(br_ccm_context *ctx, const void *data, size_t len);
982 
983 /**
984  * \brief Finish injection of additional authenticated data into CCM.
985  *
986  * This function MUST be called before beginning the actual encryption
987  * or decryption (with `br_ccm_run()`), even if no additional authenticated
988  * data was injected. No additional authenticated data may be injected
989  * after this function call.
990  *
991  * \param ctx   CCM context structure.
992  */
993 void br_ccm_flip(br_ccm_context *ctx);
994 
995 /**
996  * \brief Encrypt or decrypt some data with CCM.
997  *
998  * Data encryption or decryption can be done after `br_ccm_flip()`
999  * has been called on the context. If `encrypt` is non-zero, then the
1000  * provided data shall be plaintext, and it is encrypted in place.
1001  * Otherwise, the data shall be ciphertext, and it is decrypted in place.
1002  *
1003  * Data may be provided in several chunks of arbitrary length, provided
1004  * that the total length exactly matches the length provided to the
1005  * `br_ccm_reset()` call.
1006  *
1007  * \param ctx       CCM context structure.
1008  * \param encrypt   non-zero for encryption, zero for decryption.
1009  * \param data      data to encrypt or decrypt.
1010  * \param len       data length (in bytes).
1011  */
1012 void br_ccm_run(br_ccm_context *ctx, int encrypt, void *data, size_t len);
1013 
1014 /**
1015  * \brief Compute CCM authentication tag.
1016  *
1017  * Compute the CCM authentication tag. This call terminates the CCM
1018  * run: all data must have been injected with `br_ccm_run()` (in zero,
1019  * one or more successive calls). After this function has been called,
1020  * no more data can br processed; a `br_ccm_reset()` call is required
1021  * to start a new message.
1022  *
1023  * The tag length was provided upon context initialisation (last call
1024  * to `br_ccm_reset()`); it is returned by this function.
1025  *
1026  * The tag value must normally be sent along with the encrypted data.
1027  * When decrypting, the tag value must be recomputed and compared with
1028  * the received tag: if the two tag values differ, then either the tag
1029  * or the encrypted data was altered in transit. As an alternative to
1030  * this function, the `br_ccm_check_tag()` function can be used to
1031  * compute and check the tag value.
1032  *
1033  * \param ctx   CCM context structure.
1034  * \param tag   destination buffer for the tag (up to 16 bytes).
1035  * \return  the tag length (in bytes).
1036  */
1037 size_t br_ccm_get_tag(br_ccm_context *ctx, void *tag);
1038 
1039 /**
1040  * \brief Compute and check CCM authentication tag.
1041  *
1042  * This function is an alternative to `br_ccm_get_tag()`, normally used
1043  * on the receiving end (i.e. when decrypting value). The tag value is
1044  * recomputed and compared with the provided tag value. If they match, 1
1045  * is returned; on mismatch, 0 is returned. A returned value of 0 means
1046  * that the data or the tag was altered in transit, normally leading to
1047  * wholesale rejection of the complete message.
1048  *
1049  * \param ctx   CCM context structure.
1050  * \param tag   tag value to compare with (up to 16 bytes).
1051  * \return  1 on success (exact match of tag value), 0 otherwise.
1052  */
1053 uint32_t br_ccm_check_tag(br_ccm_context *ctx, const void *tag);
1054 
1055 #ifdef __cplusplus
1056 }
1057 #endif
1058 
1059 #endif
1060