Add the Labs projects provided in the V10.2.1_191129 zip file.

[freertos] / FreeRTOS-Labs / Source / mbedtls / include / mbedtls / chachapoly.h

/**\r
 * \file chachapoly.h\r
 *\r
 * \brief   This file contains the AEAD-ChaCha20-Poly1305 definitions and\r
 *          functions.\r
 *\r
 *          ChaCha20-Poly1305 is an algorithm for Authenticated Encryption\r
 *          with Associated Data (AEAD) that can be used to encrypt and\r
 *          authenticate data. It is based on ChaCha20 and Poly1305 by Daniel\r
 *          Bernstein and was standardized in RFC 7539.\r
 *\r
 * \author Daniel King <damaki.gh@gmail.com>\r
 */\r
\r
/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.\r
 *  SPDX-License-Identifier: Apache-2.0\r
 *\r
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may\r
 *  not use this file except in compliance with the License.\r
 *  You may obtain a copy of the License at\r
 *\r
 *  http://www.apache.org/licenses/LICENSE-2.0\r
 *\r
 *  Unless required by applicable law or agreed to in writing, software\r
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\r
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
 *  See the License for the specific language governing permissions and\r
 *  limitations under the License.\r
 *\r
 *  This file is part of Mbed TLS (https://tls.mbed.org)\r
 */\r
\r
#ifndef MBEDTLS_CHACHAPOLY_H\r
#define MBEDTLS_CHACHAPOLY_H\r
\r
#if !defined(MBEDTLS_CONFIG_FILE)\r
#include "config.h"\r
#else\r
#include MBEDTLS_CONFIG_FILE\r
#endif\r
\r
/* for shared error codes */\r
#include "poly1305.h"\r
\r
#define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE            -0x0054 /**< The requested operation is not permitted in the current state. */\r
#define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED          -0x0056 /**< Authenticated decryption failed: data was not authentic. */\r
\r
#ifdef __cplusplus\r
extern "C" {\r
#endif\r
\r
typedef enum\r
{\r
    MBEDTLS_CHACHAPOLY_ENCRYPT,     /**< The mode value for performing encryption. */\r
    MBEDTLS_CHACHAPOLY_DECRYPT      /**< The mode value for performing decryption. */\r
}\r
mbedtls_chachapoly_mode_t;\r
\r
#if !defined(MBEDTLS_CHACHAPOLY_ALT)\r
\r
#include "chacha20.h"\r
\r
typedef struct mbedtls_chachapoly_context\r
{\r
    mbedtls_chacha20_context chacha20_ctx;  /**< The ChaCha20 context. */\r
    mbedtls_poly1305_context poly1305_ctx;  /**< The Poly1305 context. */\r
    uint64_t aad_len;                       /**< The length (bytes) of the Additional Authenticated Data. */\r
    uint64_t ciphertext_len;                /**< The length (bytes) of the ciphertext. */\r
    int state;                              /**< The current state of the context. */\r
    mbedtls_chachapoly_mode_t mode;         /**< Cipher mode (encrypt or decrypt). */\r
}\r
mbedtls_chachapoly_context;\r
\r
#else /* !MBEDTLS_CHACHAPOLY_ALT */\r
#include "chachapoly_alt.h"\r
#endif /* !MBEDTLS_CHACHAPOLY_ALT */\r
\r
/**\r
 * \brief           This function initializes the specified ChaCha20-Poly1305 context.\r
 *\r
 *                  It must be the first API called before using\r
 *                  the context. It must be followed by a call to\r
 *                  \c mbedtls_chachapoly_setkey() before any operation can be\r
 *                  done, and to \c mbedtls_chachapoly_free() once all\r
 *                  operations with that context have been finished.\r
 *\r
 *                  In order to encrypt or decrypt full messages at once, for\r
 *                  each message you should make a single call to\r
 *                  \c mbedtls_chachapoly_crypt_and_tag() or\r
 *                  \c mbedtls_chachapoly_auth_decrypt().\r
 *\r
 *                  In order to encrypt messages piecewise, for each\r
 *                  message you should make a call to\r
 *                  \c mbedtls_chachapoly_starts(), then 0 or more calls to\r
 *                  \c mbedtls_chachapoly_update_aad(), then 0 or more calls to\r
 *                  \c mbedtls_chachapoly_update(), then one call to\r
 *                  \c mbedtls_chachapoly_finish().\r
 *\r
 * \warning         Decryption with the piecewise API is discouraged! Always\r
 *                  use \c mbedtls_chachapoly_auth_decrypt() when possible!\r
 *\r
 *                  If however this is not possible because the data is too\r
 *                  large to fit in memory, you need to:\r
 *\r
 *                  - call \c mbedtls_chachapoly_starts() and (if needed)\r
 *                  \c mbedtls_chachapoly_update_aad() as above,\r
 *                  - call \c mbedtls_chachapoly_update() multiple times and\r
 *                  ensure its output (the plaintext) is NOT used in any other\r
 *                  way than placing it in temporary storage at this point,\r
 *                  - call \c mbedtls_chachapoly_finish() to compute the\r
 *                  authentication tag and compared it in constant time to the\r
 *                  tag received with the ciphertext.\r
 *\r
 *                  If the tags are not equal, you must immediately discard\r
 *                  all previous outputs of \c mbedtls_chachapoly_update(),\r
 *                  otherwise you can now safely use the plaintext.\r
 *\r
 * \param ctx       The ChachaPoly context to initialize. Must not be \c NULL.\r
 */\r
void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx );\r
\r
/**\r
 * \brief           This function releases and clears the specified\r
 *                  ChaCha20-Poly1305 context.\r
 *\r
 * \param ctx       The ChachaPoly context to clear. This may be \c NULL, in which\r
 *                  case this function is a no-op.\r
 */\r
void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx );\r
\r
/**\r
 * \brief           This function sets the ChaCha20-Poly1305\r
 *                  symmetric encryption key.\r
 *\r
 * \param ctx       The ChaCha20-Poly1305 context to which the key should be\r
 *                  bound. This must be initialized.\r
 * \param key       The \c 256 Bit (\c 32 Bytes) key.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          A negative error code on failure.\r
 */\r
int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,\r
                               const unsigned char key[32] );\r
\r
/**\r
 * \brief           This function starts a ChaCha20-Poly1305 encryption or\r
 *                  decryption operation.\r
 *\r
 * \warning         You must never use the same nonce twice with the same key.\r
 *                  This would void any confidentiality and authenticity\r
 *                  guarantees for the messages encrypted with the same nonce\r
 *                  and key.\r
 *\r
 * \note            If the context is being used for AAD only (no data to\r
 *                  encrypt or decrypt) then \p mode can be set to any value.\r
 *\r
 * \warning         Decryption with the piecewise API is discouraged, see the\r
 *                  warning on \c mbedtls_chachapoly_init().\r
 *\r
 * \param ctx       The ChaCha20-Poly1305 context. This must be initialized\r
 *                  and bound to a key.\r
 * \param nonce     The nonce/IV to use for the message.\r
 *                  This must be a redable buffer of length \c 12 Bytes.\r
 * \param mode      The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or\r
 *                  #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).\r
 *\r
 * \return          \c 0 on success.\r
 * \return          A negative error code on failure.\r
 */\r
int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,\r
                               const unsigned char nonce[12],\r
                               mbedtls_chachapoly_mode_t mode );\r
\r
/**\r
 * \brief           This function feeds additional data to be authenticated\r
 *                  into an ongoing ChaCha20-Poly1305 operation.\r
 *\r
 *                  The Additional Authenticated Data (AAD), also called\r
 *                  Associated Data (AD) is only authenticated but not\r
 *                  encrypted nor included in the encrypted output. It is\r
 *                  usually transmitted separately from the ciphertext or\r
 *                  computed locally by each party.\r
 *\r
 * \note            This function is called before data is encrypted/decrypted.\r
 *                  I.e. call this function to process the AAD before calling\r
 *                  \c mbedtls_chachapoly_update().\r
 *\r
 *                  You may call this function multiple times to process\r
 *                  an arbitrary amount of AAD. It is permitted to call\r
 *                  this function 0 times, if no AAD is used.\r
 *\r
 *                  This function cannot be called any more if data has\r
 *                  been processed by \c mbedtls_chachapoly_update(),\r
 *                  or if the context has been finished.\r
 *\r
 * \warning         Decryption with the piecewise API is discouraged, see the\r
 *                  warning on \c mbedtls_chachapoly_init().\r
 *\r
 * \param ctx       The ChaCha20-Poly1305 context. This must be initialized\r
 *                  and bound to a key.\r
 * \param aad_len   The length in Bytes of the AAD. The length has no\r
 *                  restrictions.\r
 * \param aad       Buffer containing the AAD.\r
 *                  This pointer can be \c NULL if `aad_len == 0`.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA\r
 *                  if \p ctx or \p aad are NULL.\r
 * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE\r
 *                  if the operations has not been started or has been\r
 *                  finished, or if the AAD has been finished.\r
 */\r
int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,\r
                                   const unsigned char *aad,\r
                                   size_t aad_len );\r
\r
/**\r
 * \brief           Thus function feeds data to be encrypted or decrypted\r
 *                  into an on-going ChaCha20-Poly1305\r
 *                  operation.\r
 *\r
 *                  The direction (encryption or decryption) depends on the\r
 *                  mode that was given when calling\r
 *                  \c mbedtls_chachapoly_starts().\r
 *\r
 *                  You may call this function multiple times to process\r
 *                  an arbitrary amount of data. It is permitted to call\r
 *                  this function 0 times, if no data is to be encrypted\r
 *                  or decrypted.\r
 *\r
 * \warning         Decryption with the piecewise API is discouraged, see the\r
 *                  warning on \c mbedtls_chachapoly_init().\r
 *\r
 * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.\r
 * \param len       The length (in bytes) of the data to encrypt or decrypt.\r
 * \param input     The buffer containing the data to encrypt or decrypt.\r
 *                  This pointer can be \c NULL if `len == 0`.\r
 * \param output    The buffer to where the encrypted or decrypted data is\r
 *                  written. This must be able to hold \p len bytes.\r
 *                  This pointer can be \c NULL if `len == 0`.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE\r
 *                  if the operation has not been started or has been\r
 *                  finished.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,\r
                               size_t len,\r
                               const unsigned char *input,\r
                               unsigned char *output );\r
\r
/**\r
 * \brief           This function finished the ChaCha20-Poly1305 operation and\r
 *                  generates the MAC (authentication tag).\r
 *\r
 * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.\r
 * \param mac       The buffer to where the 128-bit (16 bytes) MAC is written.\r
 *\r
 * \warning         Decryption with the piecewise API is discouraged, see the\r
 *                  warning on \c mbedtls_chachapoly_init().\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE\r
 *                  if the operation has not been started or has been\r
 *                  finished.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,\r
                               unsigned char mac[16] );\r
\r
/**\r
 * \brief           This function performs a complete ChaCha20-Poly1305\r
 *                  authenticated encryption with the previously-set key.\r
 *\r
 * \note            Before using this function, you must set the key with\r
 *                  \c mbedtls_chachapoly_setkey().\r
 *\r
 * \warning         You must never use the same nonce twice with the same key.\r
 *                  This would void any confidentiality and authenticity\r
 *                  guarantees for the messages encrypted with the same nonce\r
 *                  and key.\r
 *\r
 * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).\r
 *                  This must be initialized.\r
 * \param length    The length (in bytes) of the data to encrypt or decrypt.\r
 * \param nonce     The 96-bit (12 bytes) nonce/IV to use.\r
 * \param aad       The buffer containing the additional authenticated\r
 *                  data (AAD). This pointer can be \c NULL if `aad_len == 0`.\r
 * \param aad_len   The length (in bytes) of the AAD data to process.\r
 * \param input     The buffer containing the data to encrypt or decrypt.\r
 *                  This pointer can be \c NULL if `ilen == 0`.\r
 * \param output    The buffer to where the encrypted or decrypted data\r
 *                  is written. This pointer can be \c NULL if `ilen == 0`.\r
 * \param tag       The buffer to where the computed 128-bit (16 bytes) MAC\r
 *                  is written. This must not be \c NULL.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          A negative error code on failure.\r
 */\r
int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,\r
                                        size_t length,\r
                                        const unsigned char nonce[12],\r
                                        const unsigned char *aad,\r
                                        size_t aad_len,\r
                                        const unsigned char *input,\r
                                        unsigned char *output,\r
                                        unsigned char tag[16] );\r
\r
/**\r
 * \brief           This function performs a complete ChaCha20-Poly1305\r
 *                  authenticated decryption with the previously-set key.\r
 *\r
 * \note            Before using this function, you must set the key with\r
 *                  \c mbedtls_chachapoly_setkey().\r
 *\r
 * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).\r
 * \param length    The length (in Bytes) of the data to decrypt.\r
 * \param nonce     The \c 96 Bit (\c 12 bytes) nonce/IV to use.\r
 * \param aad       The buffer containing the additional authenticated data (AAD).\r
 *                  This pointer can be \c NULL if `aad_len == 0`.\r
 * \param aad_len   The length (in bytes) of the AAD data to process.\r
 * \param tag       The buffer holding the authentication tag.\r
 *                  This must be a readable buffer of length \c 16 Bytes.\r
 * \param input     The buffer containing the data to decrypt.\r
 *                  This pointer can be \c NULL if `ilen == 0`.\r
 * \param output    The buffer to where the decrypted data is written.\r
 *                  This pointer can be \c NULL if `ilen == 0`.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED\r
 *                  if the data was not authentic.\r
 * \return          Another negative error code on other kinds of failure.\r
 */\r
int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,\r
                                     size_t length,\r
                                     const unsigned char nonce[12],\r
                                     const unsigned char *aad,\r
                                     size_t aad_len,\r
                                     const unsigned char tag[16],\r
                                     const unsigned char *input,\r
                                     unsigned char *output );\r
\r
#if defined(MBEDTLS_SELF_TEST)\r
/**\r
 * \brief           The ChaCha20-Poly1305 checkup routine.\r
 *\r
 * \return          \c 0 on success.\r
 * \return          \c 1 on failure.\r
 */\r
int mbedtls_chachapoly_self_test( int verbose );\r
#endif /* MBEDTLS_SELF_TEST */\r
\r
#ifdef __cplusplus\r
}\r
#endif\r
\r
#endif /* MBEDTLS_CHACHAPOLY_H */\r