1 /* 2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org> 3 * 4 * Permission is hereby granted, free of charge, to any person obtaining 5 * a copy of this software and associated documentation files (the 6 * "Software"), to deal in the Software without restriction, including 7 * without limitation the rights to use, copy, modify, merge, publish, 8 * distribute, sublicense, and/or sell copies of the Software, and to 9 * permit persons to whom the Software is furnished to do so, subject to 10 * the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25 #ifndef BR_BEARSSL_AEAD_H__ 26 #define BR_BEARSSL_AEAD_H__ 27 28 #include <stddef.h> 29 #include <stdint.h> 30 31 #include "bearssl_block.h" 32 #include "bearssl_hash.h" 33 34 #ifdef __cplusplus 35 extern "C" { 36 #endif 37 38 /** \file bearssl_aead.h 39 * 40 * # Authenticated Encryption with Additional Data 41 * 42 * This file documents the API for AEAD encryption. 43 * 44 * 45 * ## Procedural API 46 * 47 * An AEAD algorithm processes messages and provides confidentiality 48 * (encryption) and checked integrity (MAC). It uses the following 49 * parameters: 50 * 51 * - A symmetric key. Exact size depends on the AEAD algorithm. 52 * 53 * - A nonce (IV). Size depends on the AEAD algorithm; for most 54 * algorithms, it is crucial for security that any given nonce 55 * value is never used twice for the same key and distinct 56 * messages. 57 * 58 * - Data to encrypt and protect. 59 * 60 * - Additional authenticated data, which is covered by the MAC but 61 * otherwise left untouched (i.e. not encrypted). 62 * 63 * The AEAD algorithm encrypts the data, and produces an authentication 64 * tag. It is assumed that the encrypted data, the tag, the additional 65 * authenticated data and the nonce are sent to the receiver; the 66 * additional data and the nonce may be implicit (e.g. using elements of 67 * the underlying transport protocol, such as record sequence numbers). 68 * The receiver will recompute the tag value and compare it with the one 69 * received; if they match, then the data is correct, and can be 70 * decrypted and used; otherwise, at least one of the elements was 71 * altered in transit, normally leading to wholesale rejection of the 72 * complete message. 73 * 74 * For each AEAD algorithm, identified by a symbolic name (hereafter 75 * denoted as "`xxx`"), the following functions are defined: 76 * 77 * - `br_xxx_init()` 78 * 79 * Initialise the AEAD algorithm, on a provided context structure. 80 * Exact parameters depend on the algorithm, and may include 81 * pointers to extra implementations and context structures. The 82 * secret key is provided at this point, either directly or 83 * indirectly. 84 * 85 * - `br_xxx_reset()` 86 * 87 * Start a new AEAD computation. The nonce value is provided as 88 * parameter to this function. 89 * 90 * - `br_xxx_aad_inject()` 91 * 92 * Inject some additional authenticated data. Additional data may 93 * be provided in several chunks of arbitrary length. 94 * 95 * - `br_xxx_flip()` 96 * 97 * This function MUST be called after injecting all additional 98 * authenticated data, and before beginning to encrypt the plaintext 99 * (or decrypt the ciphertext). 100 * 101 * - `br_xxx_run()` 102 * 103 * Process some plaintext (to encrypt) or ciphertext (to decrypt). 104 * Encryption/decryption is done in place. Data may be provided in 105 * several chunks of arbitrary length. 106 * 107 * - `br_xxx_get_tag()` 108 * 109 * Compute the authentication tag. All message data (encrypted or 110 * decrypted) must have been injected at that point. Also, this 111 * call may modify internal context elements, so it may be called 112 * only once for a given AEAD computation. 113 * 114 * - `br_xxx_check_tag()` 115 * 116 * An alternative to `br_xxx_get_tag()`, meant to be used by the 117 * receiver: the authentication tag is internally recomputed, and 118 * compared with the one provided as parameter. 119 * 120 * This API makes the following assumptions on the AEAD algorithm: 121 * 122 * - Encryption does not expand the size of the ciphertext; there is 123 * no padding. This is true of most modern AEAD modes such as GCM. 124 * 125 * - The additional authenticated data must be processed first, 126 * before the encrypted/decrypted data. 127 * 128 * - Nonce, plaintext and additional authenticated data all consist 129 * in an integral number of bytes. There is no provision to use 130 * elements whose length in bits is not a multiple of 8. 131 * 132 * Each AEAD algorithm has its own requirements and limits on the sizes 133 * of additional data and plaintext. This API does not provide any 134 * way to report invalid usage; it is up to the caller to ensure that 135 * the provided key, nonce, and data elements all fit the algorithm's 136 * requirements. 137 * 138 * 139 * ## Object-Oriented API 140 * 141 * Each context structure begins with a field (called `vtable`) that 142 * points to an instance of a structure that references the relevant 143 * functions through pointers. Each such structure contains the 144 * following: 145 * 146 * - `reset` 147 * 148 * Pointer to the reset function, that allows starting a new 149 * computation. 150 * 151 * - `aad_inject` 152 * 153 * Pointer to the additional authenticated data injection function. 154 * 155 * - `flip` 156 * 157 * Pointer to the function that transitions from additional data 158 * to main message data processing. 159 * 160 * - `get_tag` 161 * 162 * Pointer to the function that computes and returns the tag. 163 * 164 * - `check_tag` 165 * 166 * Pointer to the function that computes and verifies the tag against 167 * a received value. 168 * 169 * Note that there is no OOP method for context initialisation: the 170 * various AEAD algorithms have different requirements that would not 171 * map well to a single initialisation API. 172 * 173 * The OOP API is not provided for CCM, due to its specific requirements 174 * (length of plaintext must be known in advance). 175 */ 176 177 /** 178 * \brief Class type of an AEAD algorithm. 179 */ 180 typedef struct br_aead_class_ br_aead_class; 181 struct br_aead_class_ { 182 183 /** 184 * \brief Size (in bytes) of authentication tags created by 185 * this AEAD algorithm. 186 */ 187 size_t tag_size; 188 189 /** 190 * \brief Reset an AEAD context. 191 * 192 * This function resets an already initialised AEAD context for 193 * a new computation run. Implementations and keys are 194 * conserved. This function can be called at any time; it 195 * cancels any ongoing AEAD computation that uses the provided 196 * context structure. 197 198 * The provided IV is a _nonce_. Each AEAD algorithm has its 199 * own requirements on IV size and contents; for most of them, 200 * it is crucial to security that each nonce value is used 201 * only once for a given secret key. 202 * 203 * \param cc AEAD context structure. 204 * \param iv AEAD nonce to use. 205 * \param len AEAD nonce length (in bytes). 206 */ 207 void (*reset)(const br_aead_class **cc, const void *iv, size_t len); 208 209 /** 210 * \brief Inject additional authenticated data. 211 * 212 * The provided data is injected into a running AEAD 213 * computation. Additional data must be injected _before_ the 214 * call to `flip()`. Additional data can be injected in several 215 * chunks of arbitrary length. 216 * 217 * \param cc AEAD context structure. 218 * \param data pointer to additional authenticated data. 219 * \param len length of additional authenticated data (in bytes). 220 */ 221 void (*aad_inject)(const br_aead_class **cc, 222 const void *data, size_t len); 223 224 /** 225 * \brief Finish injection of additional authenticated data. 226 * 227 * This function MUST be called before beginning the actual 228 * encryption or decryption (with `run()`), even if no 229 * additional authenticated data was injected. No additional 230 * authenticated data may be injected after this function call. 231 * 232 * \param cc AEAD context structure. 233 */ 234 void (*flip)(const br_aead_class **cc); 235 236 /** 237 * \brief Encrypt or decrypt some data. 238 * 239 * Data encryption or decryption can be done after `flip()` has 240 * been called on the context. If `encrypt` is non-zero, then 241 * the provided data shall be plaintext, and it is encrypted in 242 * place. Otherwise, the data shall be ciphertext, and it is 243 * decrypted in place. 244 * 245 * Data may be provided in several chunks of arbitrary length. 246 * 247 * \param cc AEAD context structure. 248 * \param encrypt non-zero for encryption, zero for decryption. 249 * \param data data to encrypt or decrypt. 250 * \param len data length (in bytes). 251 */ 252 void (*run)(const br_aead_class **cc, int encrypt, 253 void *data, size_t len); 254 255 /** 256 * \brief Compute authentication tag. 257 * 258 * Compute the AEAD authentication tag. The tag length depends 259 * on the AEAD algorithm; it is written in the provided `tag` 260 * buffer. This call terminates the AEAD run: no data may be 261 * processed with that AEAD context afterwards, until `reset()` 262 * is called to initiate a new AEAD run. 263 * 264 * The tag value must normally be sent along with the encrypted 265 * data. When decrypting, the tag value must be recomputed and 266 * compared with the received tag: if the two tag values differ, 267 * then either the tag or the encrypted data was altered in 268 * transit. As an alternative to this function, the 269 * `check_tag()` function may be used to compute and check the 270 * tag value. 271 * 272 * Tag length depends on the AEAD algorithm. 273 * 274 * \param cc AEAD context structure. 275 * \param tag destination buffer for the tag. 276 */ 277 void (*get_tag)(const br_aead_class **cc, void *tag); 278 279 /** 280 * \brief Compute and check authentication tag. 281 * 282 * This function is an alternative to `get_tag()`, and is 283 * normally used on the receiving end (i.e. when decrypting 284 * messages). The tag value is recomputed and compared with the 285 * provided tag value. If they match, 1 is returned; on 286 * mismatch, 0 is returned. A returned value of 0 means that the 287 * data or the tag was altered in transit, normally leading to 288 * wholesale rejection of the complete message. 289 * 290 * Tag length depends on the AEAD algorithm. 291 * 292 * \param cc AEAD context structure. 293 * \param tag tag value to compare with. 294 * \return 1 on success (exact match of tag value), 0 otherwise. 295 */ 296 uint32_t (*check_tag)(const br_aead_class **cc, const void *tag); 297 298 /** 299 * \brief Compute authentication tag (with truncation). 300 * 301 * This function is similar to `get_tag()`, except that the tag 302 * length is provided. Some AEAD algorithms allow several tag 303 * lengths, usually by truncating the normal tag. Shorter tags 304 * mechanically increase success probability of forgeries. 305 * The range of allowed tag lengths depends on the algorithm. 306 * 307 * \param cc AEAD context structure. 308 * \param tag destination buffer for the tag. 309 * \param len tag length (in bytes). 310 */ 311 void (*get_tag_trunc)(const br_aead_class **cc, void *tag, size_t len); 312 313 /** 314 * \brief Compute and check authentication tag (with truncation). 315 * 316 * This function is similar to `check_tag()` except that it 317 * works over an explicit tag length. See `get_tag()` for a 318 * discussion of explicit tag lengths; the range of allowed tag 319 * lengths depends on the algorithm. 320 * 321 * \param cc AEAD context structure. 322 * \param tag tag value to compare with. 323 * \param len tag length (in bytes). 324 * \return 1 on success (exact match of tag value), 0 otherwise. 325 */ 326 uint32_t (*check_tag_trunc)(const br_aead_class **cc, 327 const void *tag, size_t len); 328 }; 329 330 /** 331 * \brief Context structure for GCM. 332 * 333 * GCM is an AEAD mode that combines a block cipher in CTR mode with a 334 * MAC based on GHASH, to provide authenticated encryption: 335 * 336 * - Any block cipher with 16-byte blocks can be used with GCM. 337 * 338 * - The nonce can have any length, from 0 up to 2^64-1 bits; however, 339 * 96-bit nonces (12 bytes) are recommended (nonces with a length 340 * distinct from 12 bytes are internally hashed, which risks reusing 341 * nonce value with a small but not always negligible probability). 342 * 343 * - Additional authenticated data may have length up to 2^64-1 bits. 344 * 345 * - Message length may range up to 2^39-256 bits at most. 346 * 347 * - The authentication tag has length 16 bytes. 348 * 349 * The GCM initialisation function receives as parameter an 350 * _initialised_ block cipher implementation context, with the secret 351 * key already set. A pointer to that context will be kept within the 352 * GCM context structure. It is up to the caller to allocate and 353 * initialise that block cipher context. 354 */ 355 typedef struct { 356 /** \brief Pointer to vtable for this context. */ 357 const br_aead_class *vtable; 358 359 #ifndef BR_DOXYGEN_IGNORE 360 const br_block_ctr_class **bctx; 361 br_ghash gh; 362 unsigned char h[16]; 363 unsigned char j0_1[12]; 364 unsigned char buf[16]; 365 unsigned char y[16]; 366 uint32_t j0_2, jc; 367 uint64_t count_aad, count_ctr; 368 #endif 369 } br_gcm_context; 370 371 /** 372 * \brief Initialize a GCM context. 373 * 374 * A block cipher implementation, with its initialised context structure, 375 * is provided. The block cipher MUST use 16-byte blocks in CTR mode, 376 * and its secret key MUST have been already set in the provided context. 377 * A GHASH implementation must also be provided. The parameters are linked 378 * in the GCM context. 379 * 380 * After this function has been called, the `br_gcm_reset()` function must 381 * be called, to provide the IV for GCM computation. 382 * 383 * \param ctx GCM context structure. 384 * \param bctx block cipher context (already initialised with secret key). 385 * \param gh GHASH implementation. 386 */ 387 void br_gcm_init(br_gcm_context *ctx, 388 const br_block_ctr_class **bctx, br_ghash gh); 389 390 /** 391 * \brief Reset a GCM context. 392 * 393 * This function resets an already initialised GCM context for a new 394 * computation run. Implementations and keys are conserved. This function 395 * can be called at any time; it cancels any ongoing GCM computation that 396 * uses the provided context structure. 397 * 398 * The provided IV is a _nonce_. It is critical to GCM security that IV 399 * values are not repeated for the same encryption key. IV can have 400 * arbitrary length (up to 2^64-1 bits), but the "normal" length is 401 * 96 bits (12 bytes). 402 * 403 * \param ctx GCM context structure. 404 * \param iv GCM nonce to use. 405 * \param len GCM nonce length (in bytes). 406 */ 407 void br_gcm_reset(br_gcm_context *ctx, const void *iv, size_t len); 408 409 /** 410 * \brief Inject additional authenticated data into GCM. 411 * 412 * The provided data is injected into a running GCM computation. Additional 413 * data must be injected _before_ the call to `br_gcm_flip()`. 414 * Additional data can be injected in several chunks of arbitrary length; 415 * the maximum total size of additional authenticated data is 2^64-1 416 * bits. 417 * 418 * \param ctx GCM context structure. 419 * \param data pointer to additional authenticated data. 420 * \param len length of additional authenticated data (in bytes). 421 */ 422 void br_gcm_aad_inject(br_gcm_context *ctx, const void *data, size_t len); 423 424 /** 425 * \brief Finish injection of additional authenticated data into GCM. 426 * 427 * This function MUST be called before beginning the actual encryption 428 * or decryption (with `br_gcm_run()`), even if no additional authenticated 429 * data was injected. No additional authenticated data may be injected 430 * after this function call. 431 * 432 * \param ctx GCM context structure. 433 */ 434 void br_gcm_flip(br_gcm_context *ctx); 435 436 /** 437 * \brief Encrypt or decrypt some data with GCM. 438 * 439 * Data encryption or decryption can be done after `br_gcm_flip()` 440 * has been called on the context. If `encrypt` is non-zero, then the 441 * provided data shall be plaintext, and it is encrypted in place. 442 * Otherwise, the data shall be ciphertext, and it is decrypted in place. 443 * 444 * Data may be provided in several chunks of arbitrary length. The maximum 445 * total length for data is 2^39-256 bits, i.e. about 65 gigabytes. 446 * 447 * \param ctx GCM context structure. 448 * \param encrypt non-zero for encryption, zero for decryption. 449 * \param data data to encrypt or decrypt. 450 * \param len data length (in bytes). 451 */ 452 void br_gcm_run(br_gcm_context *ctx, int encrypt, void *data, size_t len); 453 454 /** 455 * \brief Compute GCM authentication tag. 456 * 457 * Compute the GCM authentication tag. The tag is a 16-byte value which 458 * is written in the provided `tag` buffer. This call terminates the 459 * GCM run: no data may be processed with that GCM context afterwards, 460 * until `br_gcm_reset()` is called to initiate a new GCM run. 461 * 462 * The tag value must normally be sent along with the encrypted data. 463 * When decrypting, the tag value must be recomputed and compared with 464 * the received tag: if the two tag values differ, then either the tag 465 * or the encrypted data was altered in transit. As an alternative to 466 * this function, the `br_gcm_check_tag()` function can be used to 467 * compute and check the tag value. 468 * 469 * \param ctx GCM context structure. 470 * \param tag destination buffer for the tag (16 bytes). 471 */ 472 void br_gcm_get_tag(br_gcm_context *ctx, void *tag); 473 474 /** 475 * \brief Compute and check GCM authentication tag. 476 * 477 * This function is an alternative to `br_gcm_get_tag()`, normally used 478 * on the receiving end (i.e. when decrypting value). The tag value is 479 * recomputed and compared with the provided tag value. If they match, 1 480 * is returned; on mismatch, 0 is returned. A returned value of 0 means 481 * that the data or the tag was altered in transit, normally leading to 482 * wholesale rejection of the complete message. 483 * 484 * \param ctx GCM context structure. 485 * \param tag tag value to compare with (16 bytes). 486 * \return 1 on success (exact match of tag value), 0 otherwise. 487 */ 488 uint32_t br_gcm_check_tag(br_gcm_context *ctx, const void *tag); 489 490 /** 491 * \brief Compute GCM authentication tag (with truncation). 492 * 493 * This function is similar to `br_gcm_get_tag()`, except that it allows 494 * the tag to be truncated to a smaller length. The intended tag length 495 * is provided as `len` (in bytes); it MUST be no more than 16, but 496 * it may be smaller. Note that decreasing tag length mechanically makes 497 * forgeries easier; NIST SP 800-38D specifies that the tag length shall 498 * lie between 12 and 16 bytes (inclusive), but may be truncated down to 499 * 4 or 8 bytes, for specific applications that can tolerate it. It must 500 * also be noted that successful forgeries leak information on the 501 * authentication key, making subsequent forgeries easier. Therefore, 502 * tag truncation, and in particular truncation to sizes lower than 12 503 * bytes, shall be envisioned only with great care. 504 * 505 * The tag is written in the provided `tag` buffer. This call terminates 506 * the GCM run: no data may be processed with that GCM context 507 * afterwards, until `br_gcm_reset()` is called to initiate a new GCM 508 * run. 509 * 510 * The tag value must normally be sent along with the encrypted data. 511 * When decrypting, the tag value must be recomputed and compared with 512 * the received tag: if the two tag values differ, then either the tag 513 * or the encrypted data was altered in transit. As an alternative to 514 * this function, the `br_gcm_check_tag_trunc()` function can be used to 515 * compute and check the tag value. 516 * 517 * \param ctx GCM context structure. 518 * \param tag destination buffer for the tag. 519 * \param len tag length (16 bytes or less). 520 */ 521 void br_gcm_get_tag_trunc(br_gcm_context *ctx, void *tag, size_t len); 522 523 /** 524 * \brief Compute and check GCM authentication tag (with truncation). 525 * 526 * This function is an alternative to `br_gcm_get_tag_trunc()`, normally used 527 * on the receiving end (i.e. when decrypting value). The tag value is 528 * recomputed and compared with the provided tag value. If they match, 1 529 * is returned; on mismatch, 0 is returned. A returned value of 0 means 530 * that the data or the tag was altered in transit, normally leading to 531 * wholesale rejection of the complete message. 532 * 533 * Tag length MUST be 16 bytes or less. The normal GCM tag length is 16 534 * bytes. See `br_check_tag_trunc()` for some discussion on the potential 535 * perils of truncating authentication tags. 536 * 537 * \param ctx GCM context structure. 538 * \param tag tag value to compare with. 539 * \param len tag length (in bytes). 540 * \return 1 on success (exact match of tag value), 0 otherwise. 541 */ 542 uint32_t br_gcm_check_tag_trunc(br_gcm_context *ctx, 543 const void *tag, size_t len); 544 545 /** 546 * \brief Class instance for GCM. 547 */ 548 extern const br_aead_class br_gcm_vtable; 549 550 /** 551 * \brief Context structure for EAX. 552 * 553 * EAX is an AEAD mode that combines a block cipher in CTR mode with 554 * CBC-MAC using the same block cipher and the same key, to provide 555 * authenticated encryption: 556 * 557 * - Any block cipher with 16-byte blocks can be used with EAX 558 * (technically, other block sizes are defined as well, but this 559 * is not implemented by these functions; shorter blocks also 560 * imply numerous security issues). 561 * 562 * - The nonce can have any length, as long as nonce values are 563 * not reused (thus, if nonces are randomly selected, the nonce 564 * size should be such that reuse probability is negligible). 565 * 566 * - Additional authenticated data length is unlimited. 567 * 568 * - Message length is unlimited. 569 * 570 * - The authentication tag has length 16 bytes. 571 * 572 * The EAX initialisation function receives as parameter an 573 * _initialised_ block cipher implementation context, with the secret 574 * key already set. A pointer to that context will be kept within the 575 * EAX context structure. It is up to the caller to allocate and 576 * initialise that block cipher context. 577 */ 578 typedef struct { 579 /** \brief Pointer to vtable for this context. */ 580 const br_aead_class *vtable; 581 582 #ifndef BR_DOXYGEN_IGNORE 583 const br_block_ctrcbc_class **bctx; 584 unsigned char L2[16]; 585 unsigned char L4[16]; 586 unsigned char nonce[16]; 587 unsigned char head[16]; 588 unsigned char ctr[16]; 589 unsigned char cbcmac[16]; 590 unsigned char buf[16]; 591 size_t ptr; 592 #endif 593 } br_eax_context; 594 595 /** 596 * \brief EAX captured state. 597 * 598 * Some internal values computed by EAX may be captured at various 599 * points, and reused for another EAX run with the same secret key, 600 * for lower per-message overhead. Captured values do not depend on 601 * the nonce. 602 */ 603 typedef struct { 604 #ifndef BR_DOXYGEN_IGNORE 605 unsigned char st[3][16]; 606 #endif 607 } br_eax_state; 608 609 /** 610 * \brief Initialize an EAX context. 611 * 612 * A block cipher implementation, with its initialised context 613 * structure, is provided. The block cipher MUST use 16-byte blocks in 614 * CTR + CBC-MAC mode, and its secret key MUST have been already set in 615 * the provided context. The parameters are linked in the EAX context. 616 * 617 * After this function has been called, the `br_eax_reset()` function must 618 * be called, to provide the nonce for EAX computation. 619 * 620 * \param ctx EAX context structure. 621 * \param bctx block cipher context (already initialised with secret key). 622 */ 623 void br_eax_init(br_eax_context *ctx, const br_block_ctrcbc_class **bctx); 624 625 /** 626 * \brief Capture pre-AAD state. 627 * 628 * This function precomputes key-dependent data, and stores it in the 629 * provided `st` structure. This structure should then be used with 630 * `br_eax_reset_pre_aad()`, or updated with `br_eax_get_aad_mac()` 631 * and then used with `br_eax_reset_post_aad()`. 632 * 633 * The EAX context structure is unmodified by this call. 634 * 635 * \param ctx EAX context structure. 636 * \param st recipient for captured state. 637 */ 638 void br_eax_capture(const br_eax_context *ctx, br_eax_state *st); 639 640 /** 641 * \brief Reset an EAX context. 642 * 643 * This function resets an already initialised EAX context for a new 644 * computation run. Implementations and keys are conserved. This function 645 * can be called at any time; it cancels any ongoing EAX computation that 646 * uses the provided context structure. 647 * 648 * It is critical to EAX security that nonce values are not repeated for 649 * the same encryption key. Nonces can have arbitrary length. If nonces 650 * are randomly generated, then a nonce length of at least 128 bits (16 651 * bytes) is recommended, to make nonce reuse probability sufficiently 652 * low. 653 * 654 * \param ctx EAX context structure. 655 * \param nonce EAX nonce to use. 656 * \param len EAX nonce length (in bytes). 657 */ 658 void br_eax_reset(br_eax_context *ctx, const void *nonce, size_t len); 659 660 /** 661 * \brief Reset an EAX context with a pre-AAD captured state. 662 * 663 * This function is an alternative to `br_eax_reset()`, that reuses a 664 * previously captured state structure for lower per-message overhead. 665 * The state should have been populated with `br_eax_capture_state()` 666 * but not updated with `br_eax_get_aad_mac()`. 667 * 668 * After this function is called, additional authenticated data MUST 669 * be injected. At least one byte of additional authenticated data 670 * MUST be provided with `br_eax_aad_inject()`; computation result will 671 * be incorrect if `br_eax_flip()` is called right away. 672 * 673 * After injection of the AAD and call to `br_eax_flip()`, at least 674 * one message byte must be provided. Empty messages are not supported 675 * with this reset mode. 676 * 677 * \param ctx EAX context structure. 678 * \param st pre-AAD captured state. 679 * \param nonce EAX nonce to use. 680 * \param len EAX nonce length (in bytes). 681 */ 682 void br_eax_reset_pre_aad(br_eax_context *ctx, const br_eax_state *st, 683 const void *nonce, size_t len); 684 685 /** 686 * \brief Reset an EAX context with a post-AAD captured state. 687 * 688 * This function is an alternative to `br_eax_reset()`, that reuses a 689 * previously captured state structure for lower per-message overhead. 690 * The state should have been populated with `br_eax_capture_state()` 691 * and then updated with `br_eax_get_aad_mac()`. 692 * 693 * After this function is called, message data MUST be injected. The 694 * `br_eax_flip()` function MUST NOT be called. At least one byte of 695 * message data MUST be provided with `br_eax_run()`; empty messages 696 * are not supported with this reset mode. 697 * 698 * \param ctx EAX context structure. 699 * \param st post-AAD captured state. 700 * \param nonce EAX nonce to use. 701 * \param len EAX nonce length (in bytes). 702 */ 703 void br_eax_reset_post_aad(br_eax_context *ctx, const br_eax_state *st, 704 const void *nonce, size_t len); 705 706 /** 707 * \brief Inject additional authenticated data into EAX. 708 * 709 * The provided data is injected into a running EAX computation. Additional 710 * data must be injected _before_ the call to `br_eax_flip()`. 711 * Additional data can be injected in several chunks of arbitrary length; 712 * the total amount of additional authenticated data is unlimited. 713 * 714 * \param ctx EAX context structure. 715 * \param data pointer to additional authenticated data. 716 * \param len length of additional authenticated data (in bytes). 717 */ 718 void br_eax_aad_inject(br_eax_context *ctx, const void *data, size_t len); 719 720 /** 721 * \brief Finish injection of additional authenticated data into EAX. 722 * 723 * This function MUST be called before beginning the actual encryption 724 * or decryption (with `br_eax_run()`), even if no additional authenticated 725 * data was injected. No additional authenticated data may be injected 726 * after this function call. 727 * 728 * \param ctx EAX context structure. 729 */ 730 void br_eax_flip(br_eax_context *ctx); 731 732 /** 733 * \brief Obtain a copy of the MAC on additional authenticated data. 734 * 735 * This function may be called only after `br_eax_flip()`; it copies the 736 * AAD-specific MAC value into the provided state. The MAC value depends 737 * on the secret key and the additional data itself, but not on the 738 * nonce. The updated state `st` is meant to be used as parameter for a 739 * further `br_eax_reset_post_aad()` call. 740 * 741 * \param ctx EAX context structure. 742 * \param st captured state to update. 743 */ 744 static inline void 745 br_eax_get_aad_mac(const br_eax_context *ctx, br_eax_state *st) 746 { 747 memcpy(st->st[1], ctx->head, sizeof ctx->head); 748 } 749 750 /** 751 * \brief Encrypt or decrypt some data with EAX. 752 * 753 * Data encryption or decryption can be done after `br_eax_flip()` 754 * has been called on the context. If `encrypt` is non-zero, then the 755 * provided data shall be plaintext, and it is encrypted in place. 756 * Otherwise, the data shall be ciphertext, and it is decrypted in place. 757 * 758 * Data may be provided in several chunks of arbitrary length. 759 * 760 * \param ctx EAX context structure. 761 * \param encrypt non-zero for encryption, zero for decryption. 762 * \param data data to encrypt or decrypt. 763 * \param len data length (in bytes). 764 */ 765 void br_eax_run(br_eax_context *ctx, int encrypt, void *data, size_t len); 766 767 /** 768 * \brief Compute EAX authentication tag. 769 * 770 * Compute the EAX authentication tag. The tag is a 16-byte value which 771 * is written in the provided `tag` buffer. This call terminates the 772 * EAX run: no data may be processed with that EAX context afterwards, 773 * until `br_eax_reset()` is called to initiate a new EAX run. 774 * 775 * The tag value must normally be sent along with the encrypted data. 776 * When decrypting, the tag value must be recomputed and compared with 777 * the received tag: if the two tag values differ, then either the tag 778 * or the encrypted data was altered in transit. As an alternative to 779 * this function, the `br_eax_check_tag()` function can be used to 780 * compute and check the tag value. 781 * 782 * \param ctx EAX context structure. 783 * \param tag destination buffer for the tag (16 bytes). 784 */ 785 void br_eax_get_tag(br_eax_context *ctx, void *tag); 786 787 /** 788 * \brief Compute and check EAX authentication tag. 789 * 790 * This function is an alternative to `br_eax_get_tag()`, normally used 791 * on the receiving end (i.e. when decrypting value). The tag value is 792 * recomputed and compared with the provided tag value. If they match, 1 793 * is returned; on mismatch, 0 is returned. A returned value of 0 means 794 * that the data or the tag was altered in transit, normally leading to 795 * wholesale rejection of the complete message. 796 * 797 * \param ctx EAX context structure. 798 * \param tag tag value to compare with (16 bytes). 799 * \return 1 on success (exact match of tag value), 0 otherwise. 800 */ 801 uint32_t br_eax_check_tag(br_eax_context *ctx, const void *tag); 802 803 /** 804 * \brief Compute EAX authentication tag (with truncation). 805 * 806 * This function is similar to `br_eax_get_tag()`, except that it allows 807 * the tag to be truncated to a smaller length. The intended tag length 808 * is provided as `len` (in bytes); it MUST be no more than 16, but 809 * it may be smaller. Note that decreasing tag length mechanically makes 810 * forgeries easier; NIST SP 800-38D specifies that the tag length shall 811 * lie between 12 and 16 bytes (inclusive), but may be truncated down to 812 * 4 or 8 bytes, for specific applications that can tolerate it. It must 813 * also be noted that successful forgeries leak information on the 814 * authentication key, making subsequent forgeries easier. Therefore, 815 * tag truncation, and in particular truncation to sizes lower than 12 816 * bytes, shall be envisioned only with great care. 817 * 818 * The tag is written in the provided `tag` buffer. This call terminates 819 * the EAX run: no data may be processed with that EAX context 820 * afterwards, until `br_eax_reset()` is called to initiate a new EAX 821 * run. 822 * 823 * The tag value must normally be sent along with the encrypted data. 824 * When decrypting, the tag value must be recomputed and compared with 825 * the received tag: if the two tag values differ, then either the tag 826 * or the encrypted data was altered in transit. As an alternative to 827 * this function, the `br_eax_check_tag_trunc()` function can be used to 828 * compute and check the tag value. 829 * 830 * \param ctx EAX context structure. 831 * \param tag destination buffer for the tag. 832 * \param len tag length (16 bytes or less). 833 */ 834 void br_eax_get_tag_trunc(br_eax_context *ctx, void *tag, size_t len); 835 836 /** 837 * \brief Compute and check EAX authentication tag (with truncation). 838 * 839 * This function is an alternative to `br_eax_get_tag_trunc()`, normally used 840 * on the receiving end (i.e. when decrypting value). The tag value is 841 * recomputed and compared with the provided tag value. If they match, 1 842 * is returned; on mismatch, 0 is returned. A returned value of 0 means 843 * that the data or the tag was altered in transit, normally leading to 844 * wholesale rejection of the complete message. 845 * 846 * Tag length MUST be 16 bytes or less. The normal EAX tag length is 16 847 * bytes. See `br_check_tag_trunc()` for some discussion on the potential 848 * perils of truncating authentication tags. 849 * 850 * \param ctx EAX context structure. 851 * \param tag tag value to compare with. 852 * \param len tag length (in bytes). 853 * \return 1 on success (exact match of tag value), 0 otherwise. 854 */ 855 uint32_t br_eax_check_tag_trunc(br_eax_context *ctx, 856 const void *tag, size_t len); 857 858 /** 859 * \brief Class instance for EAX. 860 */ 861 extern const br_aead_class br_eax_vtable; 862 863 /** 864 * \brief Context structure for CCM. 865 * 866 * CCM is an AEAD mode that combines a block cipher in CTR mode with 867 * CBC-MAC using the same block cipher and the same key, to provide 868 * authenticated encryption: 869 * 870 * - Any block cipher with 16-byte blocks can be used with CCM 871 * (technically, other block sizes are defined as well, but this 872 * is not implemented by these functions; shorter blocks also 873 * imply numerous security issues). 874 * 875 * - The authentication tag length, and plaintext length, MUST be 876 * known when starting processing data. Plaintext and ciphertext 877 * can still be provided by chunks, but the total size must match 878 * the value provided upon initialisation. 879 * 880 * - The nonce length is constrained between 7 and 13 bytes (inclusive). 881 * Furthermore, the plaintext length, when encoded, must fit over 882 * 15-nonceLen bytes; thus, if the nonce has length 13 bytes, then 883 * the plaintext length cannot exceed 65535 bytes. 884 * 885 * - Additional authenticated data length is practically unlimited 886 * (formal limit is at 2^64 bytes). 887 * 888 * - The authentication tag has length 4 to 16 bytes (even values only). 889 * 890 * The CCM initialisation function receives as parameter an 891 * _initialised_ block cipher implementation context, with the secret 892 * key already set. A pointer to that context will be kept within the 893 * CCM context structure. It is up to the caller to allocate and 894 * initialise that block cipher context. 895 */ 896 typedef struct { 897 #ifndef BR_DOXYGEN_IGNORE 898 const br_block_ctrcbc_class **bctx; 899 unsigned char ctr[16]; 900 unsigned char cbcmac[16]; 901 unsigned char tagmask[16]; 902 unsigned char buf[16]; 903 size_t ptr; 904 size_t tag_len; 905 #endif 906 } br_ccm_context; 907 908 /** 909 * \brief Initialize a CCM context. 910 * 911 * A block cipher implementation, with its initialised context 912 * structure, is provided. The block cipher MUST use 16-byte blocks in 913 * CTR + CBC-MAC mode, and its secret key MUST have been already set in 914 * the provided context. The parameters are linked in the CCM context. 915 * 916 * After this function has been called, the `br_ccm_reset()` function must 917 * be called, to provide the nonce for CCM computation. 918 * 919 * \param ctx CCM context structure. 920 * \param bctx block cipher context (already initialised with secret key). 921 */ 922 void br_ccm_init(br_ccm_context *ctx, const br_block_ctrcbc_class **bctx); 923 924 /** 925 * \brief Reset a CCM context. 926 * 927 * This function resets an already initialised CCM context for a new 928 * computation run. Implementations and keys are conserved. This function 929 * can be called at any time; it cancels any ongoing CCM computation that 930 * uses the provided context structure. 931 * 932 * The `aad_len` parameter contains the total length, in bytes, of the 933 * additional authenticated data. It may be zero. That length MUST be 934 * exact. 935 * 936 * The `data_len` parameter contains the total length, in bytes, of the 937 * data that will be injected (plaintext or ciphertext). That length MUST 938 * be exact. Moreover, that length MUST be less than 2^(8*(15-nonce_len)). 939 * 940 * The nonce length (`nonce_len`), in bytes, must be in the 7..13 range 941 * (inclusive). 942 * 943 * The tag length (`tag_len`), in bytes, must be in the 4..16 range, and 944 * be an even integer. Short tags mechanically allow for higher forgery 945 * probabilities; hence, tag sizes smaller than 12 bytes shall be used only 946 * with care. 947 * 948 * It is critical to CCM security that nonce values are not repeated for 949 * the same encryption key. Random generation of nonces is not generally 950 * recommended, due to the relatively small maximum nonce value. 951 * 952 * Returned value is 1 on success, 0 on error. An error is reported if 953 * the tag or nonce length is out of range, or if the 954 * plaintext/ciphertext length cannot be encoded with the specified 955 * nonce length. 956 * 957 * \param ctx CCM context structure. 958 * \param nonce CCM nonce to use. 959 * \param nonce_len CCM nonce length (in bytes, 7 to 13). 960 * \param aad_len additional authenticated data length (in bytes). 961 * \param data_len plaintext/ciphertext length (in bytes). 962 * \param tag_len tag length (in bytes). 963 * \return 1 on success, 0 on error. 964 */ 965 int br_ccm_reset(br_ccm_context *ctx, const void *nonce, size_t nonce_len, 966 uint64_t aad_len, uint64_t data_len, size_t tag_len); 967 968 /** 969 * \brief Inject additional authenticated data into CCM. 970 * 971 * The provided data is injected into a running CCM computation. Additional 972 * data must be injected _before_ the call to `br_ccm_flip()`. 973 * Additional data can be injected in several chunks of arbitrary length, 974 * but the total amount MUST exactly match the value which was provided 975 * to `br_ccm_reset()`. 976 * 977 * \param ctx CCM context structure. 978 * \param data pointer to additional authenticated data. 979 * \param len length of additional authenticated data (in bytes). 980 */ 981 void br_ccm_aad_inject(br_ccm_context *ctx, const void *data, size_t len); 982 983 /** 984 * \brief Finish injection of additional authenticated data into CCM. 985 * 986 * This function MUST be called before beginning the actual encryption 987 * or decryption (with `br_ccm_run()`), even if no additional authenticated 988 * data was injected. No additional authenticated data may be injected 989 * after this function call. 990 * 991 * \param ctx CCM context structure. 992 */ 993 void br_ccm_flip(br_ccm_context *ctx); 994 995 /** 996 * \brief Encrypt or decrypt some data with CCM. 997 * 998 * Data encryption or decryption can be done after `br_ccm_flip()` 999 * has been called on the context. If `encrypt` is non-zero, then the 1000 * provided data shall be plaintext, and it is encrypted in place. 1001 * Otherwise, the data shall be ciphertext, and it is decrypted in place. 1002 * 1003 * Data may be provided in several chunks of arbitrary length, provided 1004 * that the total length exactly matches the length provided to the 1005 * `br_ccm_reset()` call. 1006 * 1007 * \param ctx CCM context structure. 1008 * \param encrypt non-zero for encryption, zero for decryption. 1009 * \param data data to encrypt or decrypt. 1010 * \param len data length (in bytes). 1011 */ 1012 void br_ccm_run(br_ccm_context *ctx, int encrypt, void *data, size_t len); 1013 1014 /** 1015 * \brief Compute CCM authentication tag. 1016 * 1017 * Compute the CCM authentication tag. This call terminates the CCM 1018 * run: all data must have been injected with `br_ccm_run()` (in zero, 1019 * one or more successive calls). After this function has been called, 1020 * no more data can br processed; a `br_ccm_reset()` call is required 1021 * to start a new message. 1022 * 1023 * The tag length was provided upon context initialisation (last call 1024 * to `br_ccm_reset()`); it is returned by this function. 1025 * 1026 * The tag value must normally be sent along with the encrypted data. 1027 * When decrypting, the tag value must be recomputed and compared with 1028 * the received tag: if the two tag values differ, then either the tag 1029 * or the encrypted data was altered in transit. As an alternative to 1030 * this function, the `br_ccm_check_tag()` function can be used to 1031 * compute and check the tag value. 1032 * 1033 * \param ctx CCM context structure. 1034 * \param tag destination buffer for the tag (up to 16 bytes). 1035 * \return the tag length (in bytes). 1036 */ 1037 size_t br_ccm_get_tag(br_ccm_context *ctx, void *tag); 1038 1039 /** 1040 * \brief Compute and check CCM authentication tag. 1041 * 1042 * This function is an alternative to `br_ccm_get_tag()`, normally used 1043 * on the receiving end (i.e. when decrypting value). The tag value is 1044 * recomputed and compared with the provided tag value. If they match, 1 1045 * is returned; on mismatch, 0 is returned. A returned value of 0 means 1046 * that the data or the tag was altered in transit, normally leading to 1047 * wholesale rejection of the complete message. 1048 * 1049 * \param ctx CCM context structure. 1050 * \param tag tag value to compare with (up to 16 bytes). 1051 * \return 1 on success (exact match of tag value), 0 otherwise. 1052 */ 1053 uint32_t br_ccm_check_tag(br_ccm_context *ctx, const void *tag); 1054 1055 #ifdef __cplusplus 1056 } 1057 #endif 1058 1059 #endif 1060