1 /**
2  * \file aes.h
3  *
4  * \brief   This file contains AES definitions and functions.
5  *
6  *          The Advanced Encryption Standard (AES) specifies a FIPS-approved
7  *          cryptographic algorithm that can be used to protect electronic
8  *          data.
9  *
10  *          The AES algorithm is a symmetric block cipher that can
11  *          encrypt and decrypt information. For more information, see
12  *          <em>FIPS Publication 197: Advanced Encryption Standard</em> and
13  *          <em>ISO/IEC 18033-2:2006: Information technology -- Security
14  *          techniques -- Encryption algorithms -- Part 2: Asymmetric
15  *          ciphers</em>.
16  *
17  *          The AES-XTS block mode is standardized by NIST SP 800-38E
18  *          <https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38e.pdf>
19  *          and described in detail by IEEE P1619
20  *          <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
21  */
22 
23 /*
24  *  Copyright The Mbed TLS Contributors
25  *  SPDX-License-Identifier: Apache-2.0
26  *
27  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
28  *  not use this file except in compliance with the License.
29  *  You may obtain a copy of the License at
30  *
31  *  http://www.apache.org/licenses/LICENSE-2.0
32  *
33  *  Unless required by applicable law or agreed to in writing, software
34  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
35  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
36  *  See the License for the specific language governing permissions and
37  *  limitations under the License.
38  */
39 
40 #ifndef MBEDTLS_AES_H
41 #define MBEDTLS_AES_H
42 
43 #if !defined(MBEDTLS_CONFIG_FILE)
44 #include "mbedtls/config.h"
45 #else
46 #include MBEDTLS_CONFIG_FILE
47 #endif
48 #include "mbedtls/platform_util.h"
49 
50 #include <stddef.h>
51 #include <stdint.h>
52 
53 /* padlock.c and aesni.c rely on these values! */
54 #define MBEDTLS_AES_ENCRYPT     1 /**< AES encryption. */
55 #define MBEDTLS_AES_DECRYPT     0 /**< AES decryption. */
56 
57 /* Error codes in range 0x0020-0x0022 */
58 /** Invalid key length. */
59 #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH                -0x0020
60 /** Invalid data input length. */
61 #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH              -0x0022
62 
63 /* Error codes in range 0x0021-0x0025 */
64 /** Invalid input data. */
65 #define MBEDTLS_ERR_AES_BAD_INPUT_DATA                    -0x0021
66 
67 /* MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE is deprecated and should not be used. */
68 /** Feature not available. For example, an unsupported AES key size. */
69 #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE               -0x0023
70 
71 /* MBEDTLS_ERR_AES_HW_ACCEL_FAILED is deprecated and should not be used. */
72 /** AES hardware accelerator failed. */
73 #define MBEDTLS_ERR_AES_HW_ACCEL_FAILED                   -0x0025
74 
75 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
76     !defined(inline) && !defined(__cplusplus)
77 #define inline __inline
78 #endif
79 
80 #ifdef __cplusplus
81 extern "C" {
82 #endif
83 
84 #if !defined(MBEDTLS_AES_ALT)
85 // Regular implementation
86 //
87 
88 /**
89  * \brief The AES context-type definition.
90  */
91 typedef struct mbedtls_aes_context
92 {
93     int nr;                     /*!< The number of rounds. */
94     uint32_t *rk;               /*!< AES round keys. */
95     uint32_t buf[68];           /*!< Unaligned data buffer. This buffer can
96                                      hold 32 extra Bytes, which can be used for
97                                      one of the following purposes:
98                                      <ul><li>Alignment if VIA padlock is
99                                              used.</li>
100                                      <li>Simplifying key expansion in the 256-bit
101                                          case by generating an extra round key.
102                                          </li></ul> */
103 }
104 mbedtls_aes_context;
105 
106 #if defined(MBEDTLS_CIPHER_MODE_XTS)
107 /**
108  * \brief The AES XTS context-type definition.
109  */
110 typedef struct mbedtls_aes_xts_context
111 {
112     mbedtls_aes_context crypt; /*!< The AES context to use for AES block
113                                         encryption or decryption. */
114     mbedtls_aes_context tweak; /*!< The AES context used for tweak
115                                         computation. */
116 } mbedtls_aes_xts_context;
117 #endif /* MBEDTLS_CIPHER_MODE_XTS */
118 
119 #else  /* MBEDTLS_AES_ALT */
120 #include "aes_alt.h"
121 #endif /* MBEDTLS_AES_ALT */
122 
123 /**
124  * \brief          This function initializes the specified AES context.
125  *
126  *                 It must be the first API called before using
127  *                 the context.
128  *
129  * \param ctx      The AES context to initialize. This must not be \c NULL.
130  */
131 void mbedtls_aes_init( mbedtls_aes_context *ctx );
132 
133 /**
134  * \brief          This function releases and clears the specified AES context.
135  *
136  * \param ctx      The AES context to clear.
137  *                 If this is \c NULL, this function does nothing.
138  *                 Otherwise, the context must have been at least initialized.
139  */
140 void mbedtls_aes_free( mbedtls_aes_context *ctx );
141 
142 #if defined(MBEDTLS_CIPHER_MODE_XTS)
143 /**
144  * \brief          This function initializes the specified AES XTS context.
145  *
146  *                 It must be the first API called before using
147  *                 the context.
148  *
149  * \param ctx      The AES XTS context to initialize. This must not be \c NULL.
150  */
151 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx );
152 
153 /**
154  * \brief          This function releases and clears the specified AES XTS context.
155  *
156  * \param ctx      The AES XTS context to clear.
157  *                 If this is \c NULL, this function does nothing.
158  *                 Otherwise, the context must have been at least initialized.
159  */
160 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx );
161 #endif /* MBEDTLS_CIPHER_MODE_XTS */
162 
163 /**
164  * \brief          This function sets the encryption key.
165  *
166  * \param ctx      The AES context to which the key should be bound.
167  *                 It must be initialized.
168  * \param key      The encryption key.
169  *                 This must be a readable buffer of size \p keybits bits.
170  * \param keybits  The size of data passed in bits. Valid options are:
171  *                 <ul><li>128 bits</li>
172  *                 <li>192 bits</li>
173  *                 <li>256 bits</li></ul>
174  *
175  * \return         \c 0 on success.
176  * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
177  */
178 MBEDTLS_CHECK_RETURN_TYPICAL
179 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
180                     unsigned int keybits );
181 
182 /**
183  * \brief          This function sets the decryption key.
184  *
185  * \param ctx      The AES context to which the key should be bound.
186  *                 It must be initialized.
187  * \param key      The decryption key.
188  *                 This must be a readable buffer of size \p keybits bits.
189  * \param keybits  The size of data passed. Valid options are:
190  *                 <ul><li>128 bits</li>
191  *                 <li>192 bits</li>
192  *                 <li>256 bits</li></ul>
193  *
194  * \return         \c 0 on success.
195  * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
196  */
197 MBEDTLS_CHECK_RETURN_TYPICAL
198 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
199                     unsigned int keybits );
200 
201 #if defined(MBEDTLS_CIPHER_MODE_XTS)
202 /**
203  * \brief          This function prepares an XTS context for encryption and
204  *                 sets the encryption key.
205  *
206  * \param ctx      The AES XTS context to which the key should be bound.
207  *                 It must be initialized.
208  * \param key      The encryption key. This is comprised of the XTS key1
209  *                 concatenated with the XTS key2.
210  *                 This must be a readable buffer of size \p keybits bits.
211  * \param keybits  The size of \p key passed in bits. Valid options are:
212  *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
213  *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
214  *
215  * \return         \c 0 on success.
216  * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
217  */
218 MBEDTLS_CHECK_RETURN_TYPICAL
219 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
220                                 const unsigned char *key,
221                                 unsigned int keybits );
222 
223 /**
224  * \brief          This function prepares an XTS context for decryption and
225  *                 sets the decryption key.
226  *
227  * \param ctx      The AES XTS context to which the key should be bound.
228  *                 It must be initialized.
229  * \param key      The decryption key. This is comprised of the XTS key1
230  *                 concatenated with the XTS key2.
231  *                 This must be a readable buffer of size \p keybits bits.
232  * \param keybits  The size of \p key passed in bits. Valid options are:
233  *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
234  *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
235  *
236  * \return         \c 0 on success.
237  * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
238  */
239 MBEDTLS_CHECK_RETURN_TYPICAL
240 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
241                                 const unsigned char *key,
242                                 unsigned int keybits );
243 #endif /* MBEDTLS_CIPHER_MODE_XTS */
244 
245 /**
246  * \brief          This function performs an AES single-block encryption or
247  *                 decryption operation.
248  *
249  *                 It performs the operation defined in the \p mode parameter
250  *                 (encrypt or decrypt), on the input data buffer defined in
251  *                 the \p input parameter.
252  *
253  *                 mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or
254  *                 mbedtls_aes_setkey_dec() must be called before the first
255  *                 call to this API with the same context.
256  *
257  * \param ctx      The AES context to use for encryption or decryption.
258  *                 It must be initialized and bound to a key.
259  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
260  *                 #MBEDTLS_AES_DECRYPT.
261  * \param input    The buffer holding the input data.
262  *                 It must be readable and at least \c 16 Bytes long.
263  * \param output   The buffer where the output data will be written.
264  *                 It must be writeable and at least \c 16 Bytes long.
265 
266  * \return         \c 0 on success.
267  */
268 MBEDTLS_CHECK_RETURN_TYPICAL
269 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
270                     int mode,
271                     const unsigned char input[16],
272                     unsigned char output[16] );
273 
274 #if defined(MBEDTLS_CIPHER_MODE_CBC)
275 /**
276  * \brief  This function performs an AES-CBC encryption or decryption operation
277  *         on full blocks.
278  *
279  *         It performs the operation defined in the \p mode
280  *         parameter (encrypt/decrypt), on the input data buffer defined in
281  *         the \p input parameter.
282  *
283  *         It can be called as many times as needed, until all the input
284  *         data is processed. mbedtls_aes_init(), and either
285  *         mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called
286  *         before the first call to this API with the same context.
287  *
288  * \note   This function operates on full blocks, that is, the input size
289  *         must be a multiple of the AES block size of \c 16 Bytes.
290  *
291  * \note   Upon exit, the content of the IV is updated so that you can
292  *         call the same function again on the next
293  *         block(s) of data and get the same result as if it was
294  *         encrypted in one call. This allows a "streaming" usage.
295  *         If you need to retain the contents of the IV, you should
296  *         either save it manually or use the cipher module instead.
297  *
298  *
299  * \param ctx      The AES context to use for encryption or decryption.
300  *                 It must be initialized and bound to a key.
301  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
302  *                 #MBEDTLS_AES_DECRYPT.
303  * \param length   The length of the input data in Bytes. This must be a
304  *                 multiple of the block size (\c 16 Bytes).
305  * \param iv       Initialization vector (updated after use).
306  *                 It must be a readable and writeable buffer of \c 16 Bytes.
307  * \param input    The buffer holding the input data.
308  *                 It must be readable and of size \p length Bytes.
309  * \param output   The buffer holding the output data.
310  *                 It must be writeable and of size \p length Bytes.
311  *
312  * \return         \c 0 on success.
313  * \return         #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
314  *                 on failure.
315  */
316 MBEDTLS_CHECK_RETURN_TYPICAL
317 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
318                     int mode,
319                     size_t length,
320                     unsigned char iv[16],
321                     const unsigned char *input,
322                     unsigned char *output );
323 #endif /* MBEDTLS_CIPHER_MODE_CBC */
324 
325 #if defined(MBEDTLS_CIPHER_MODE_XTS)
326 /**
327  * \brief      This function performs an AES-XTS encryption or decryption
328  *             operation for an entire XTS data unit.
329  *
330  *             AES-XTS encrypts or decrypts blocks based on their location as
331  *             defined by a data unit number. The data unit number must be
332  *             provided by \p data_unit.
333  *
334  *             NIST SP 800-38E limits the maximum size of a data unit to 2^20
335  *             AES blocks. If the data unit is larger than this, this function
336  *             returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
337  *
338  * \param ctx          The AES XTS context to use for AES XTS operations.
339  *                     It must be initialized and bound to a key.
340  * \param mode         The AES operation: #MBEDTLS_AES_ENCRYPT or
341  *                     #MBEDTLS_AES_DECRYPT.
342  * \param length       The length of a data unit in Bytes. This can be any
343  *                     length between 16 bytes and 2^24 bytes inclusive
344  *                     (between 1 and 2^20 block cipher blocks).
345  * \param data_unit    The address of the data unit encoded as an array of 16
346  *                     bytes in little-endian format. For disk encryption, this
347  *                     is typically the index of the block device sector that
348  *                     contains the data.
349  * \param input        The buffer holding the input data (which is an entire
350  *                     data unit). This function reads \p length Bytes from \p
351  *                     input.
352  * \param output       The buffer holding the output data (which is an entire
353  *                     data unit). This function writes \p length Bytes to \p
354  *                     output.
355  *
356  * \return             \c 0 on success.
357  * \return             #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
358  *                     smaller than an AES block in size (16 Bytes) or if \p
359  *                     length is larger than 2^20 blocks (16 MiB).
360  */
361 MBEDTLS_CHECK_RETURN_TYPICAL
362 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
363                            int mode,
364                            size_t length,
365                            const unsigned char data_unit[16],
366                            const unsigned char *input,
367                            unsigned char *output );
368 #endif /* MBEDTLS_CIPHER_MODE_XTS */
369 
370 #if defined(MBEDTLS_CIPHER_MODE_CFB)
371 /**
372  * \brief This function performs an AES-CFB128 encryption or decryption
373  *        operation.
374  *
375  *        It performs the operation defined in the \p mode
376  *        parameter (encrypt or decrypt), on the input data buffer
377  *        defined in the \p input parameter.
378  *
379  *        For CFB, you must set up the context with mbedtls_aes_setkey_enc(),
380  *        regardless of whether you are performing an encryption or decryption
381  *        operation, that is, regardless of the \p mode parameter. This is
382  *        because CFB mode uses the same key schedule for encryption and
383  *        decryption.
384  *
385  * \note  Upon exit, the content of the IV is updated so that you can
386  *        call the same function again on the next
387  *        block(s) of data and get the same result as if it was
388  *        encrypted in one call. This allows a "streaming" usage.
389  *        If you need to retain the contents of the
390  *        IV, you must either save it manually or use the cipher
391  *        module instead.
392  *
393  *
394  * \param ctx      The AES context to use for encryption or decryption.
395  *                 It must be initialized and bound to a key.
396  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
397  *                 #MBEDTLS_AES_DECRYPT.
398  * \param length   The length of the input data in Bytes.
399  * \param iv_off   The offset in IV (updated after use).
400  *                 It must point to a valid \c size_t.
401  * \param iv       The initialization vector (updated after use).
402  *                 It must be a readable and writeable buffer of \c 16 Bytes.
403  * \param input    The buffer holding the input data.
404  *                 It must be readable and of size \p length Bytes.
405  * \param output   The buffer holding the output data.
406  *                 It must be writeable and of size \p length Bytes.
407  *
408  * \return         \c 0 on success.
409  */
410 MBEDTLS_CHECK_RETURN_TYPICAL
411 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
412                        int mode,
413                        size_t length,
414                        size_t *iv_off,
415                        unsigned char iv[16],
416                        const unsigned char *input,
417                        unsigned char *output );
418 
419 /**
420  * \brief This function performs an AES-CFB8 encryption or decryption
421  *        operation.
422  *
423  *        It performs the operation defined in the \p mode
424  *        parameter (encrypt/decrypt), on the input data buffer defined
425  *        in the \p input parameter.
426  *
427  *        Due to the nature of CFB, you must use the same key schedule for
428  *        both encryption and decryption operations. Therefore, you must
429  *        use the context initialized with mbedtls_aes_setkey_enc() for
430  *        both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
431  *
432  * \note  Upon exit, the content of the IV is updated so that you can
433  *        call the same function again on the next
434  *        block(s) of data and get the same result as if it was
435  *        encrypted in one call. This allows a "streaming" usage.
436  *        If you need to retain the contents of the
437  *        IV, you should either save it manually or use the cipher
438  *        module instead.
439  *
440  *
441  * \param ctx      The AES context to use for encryption or decryption.
442  *                 It must be initialized and bound to a key.
443  * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
444  *                 #MBEDTLS_AES_DECRYPT
445  * \param length   The length of the input data.
446  * \param iv       The initialization vector (updated after use).
447  *                 It must be a readable and writeable buffer of \c 16 Bytes.
448  * \param input    The buffer holding the input data.
449  *                 It must be readable and of size \p length Bytes.
450  * \param output   The buffer holding the output data.
451  *                 It must be writeable and of size \p length Bytes.
452  *
453  * \return         \c 0 on success.
454  */
455 MBEDTLS_CHECK_RETURN_TYPICAL
456 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
457                     int mode,
458                     size_t length,
459                     unsigned char iv[16],
460                     const unsigned char *input,
461                     unsigned char *output );
462 #endif /*MBEDTLS_CIPHER_MODE_CFB */
463 
464 #if defined(MBEDTLS_CIPHER_MODE_OFB)
465 /**
466  * \brief       This function performs an AES-OFB (Output Feedback Mode)
467  *              encryption or decryption operation.
468  *
469  *              For OFB, you must set up the context with
470  *              mbedtls_aes_setkey_enc(), regardless of whether you are
471  *              performing an encryption or decryption operation. This is
472  *              because OFB mode uses the same key schedule for encryption and
473  *              decryption.
474  *
475  *              The OFB operation is identical for encryption or decryption,
476  *              therefore no operation mode needs to be specified.
477  *
478  * \note        Upon exit, the content of iv, the Initialisation Vector, is
479  *              updated so that you can call the same function again on the next
480  *              block(s) of data and get the same result as if it was encrypted
481  *              in one call. This allows a "streaming" usage, by initialising
482  *              iv_off to 0 before the first call, and preserving its value
483  *              between calls.
484  *
485  *              For non-streaming use, the iv should be initialised on each call
486  *              to a unique value, and iv_off set to 0 on each call.
487  *
488  *              If you need to retain the contents of the initialisation vector,
489  *              you must either save it manually or use the cipher module
490  *              instead.
491  *
492  * \warning     For the OFB mode, the initialisation vector must be unique
493  *              every encryption operation. Reuse of an initialisation vector
494  *              will compromise security.
495  *
496  * \param ctx      The AES context to use for encryption or decryption.
497  *                 It must be initialized and bound to a key.
498  * \param length   The length of the input data.
499  * \param iv_off   The offset in IV (updated after use).
500  *                 It must point to a valid \c size_t.
501  * \param iv       The initialization vector (updated after use).
502  *                 It must be a readable and writeable buffer of \c 16 Bytes.
503  * \param input    The buffer holding the input data.
504  *                 It must be readable and of size \p length Bytes.
505  * \param output   The buffer holding the output data.
506  *                 It must be writeable and of size \p length Bytes.
507  *
508  * \return         \c 0 on success.
509  */
510 MBEDTLS_CHECK_RETURN_TYPICAL
511 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
512                        size_t length,
513                        size_t *iv_off,
514                        unsigned char iv[16],
515                        const unsigned char *input,
516                        unsigned char *output );
517 
518 #endif /* MBEDTLS_CIPHER_MODE_OFB */
519 
520 #if defined(MBEDTLS_CIPHER_MODE_CTR)
521 /**
522  * \brief      This function performs an AES-CTR encryption or decryption
523  *             operation.
524  *
525  *             Due to the nature of CTR, you must use the same key schedule
526  *             for both encryption and decryption operations. Therefore, you
527  *             must use the context initialized with mbedtls_aes_setkey_enc()
528  *             for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
529  *
530  * \warning    You must never reuse a nonce value with the same key. Doing so
531  *             would void the encryption for the two messages encrypted with
532  *             the same nonce and key.
533  *
534  *             There are two common strategies for managing nonces with CTR:
535  *
536  *             1. You can handle everything as a single message processed over
537  *             successive calls to this function. In that case, you want to
538  *             set \p nonce_counter and \p nc_off to 0 for the first call, and
539  *             then preserve the values of \p nonce_counter, \p nc_off and \p
540  *             stream_block across calls to this function as they will be
541  *             updated by this function.
542  *
543  *             With this strategy, you must not encrypt more than 2**128
544  *             blocks of data with the same key.
545  *
546  *             2. You can encrypt separate messages by dividing the \p
547  *             nonce_counter buffer in two areas: the first one used for a
548  *             per-message nonce, handled by yourself, and the second one
549  *             updated by this function internally.
550  *
551  *             For example, you might reserve the first 12 bytes for the
552  *             per-message nonce, and the last 4 bytes for internal use. In that
553  *             case, before calling this function on a new message you need to
554  *             set the first 12 bytes of \p nonce_counter to your chosen nonce
555  *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
556  *             stream_block to be ignored). That way, you can encrypt at most
557  *             2**96 messages of up to 2**32 blocks each with the same key.
558  *
559  *             The per-message nonce (or information sufficient to reconstruct
560  *             it) needs to be communicated with the ciphertext and must be unique.
561  *             The recommended way to ensure uniqueness is to use a message
562  *             counter. An alternative is to generate random nonces, but this
563  *             limits the number of messages that can be securely encrypted:
564  *             for example, with 96-bit random nonces, you should not encrypt
565  *             more than 2**32 messages with the same key.
566  *
567  *             Note that for both stategies, sizes are measured in blocks and
568  *             that an AES block is 16 bytes.
569  *
570  * \warning    Upon return, \p stream_block contains sensitive data. Its
571  *             content must not be written to insecure storage and should be
572  *             securely discarded as soon as it's no longer needed.
573  *
574  * \param ctx              The AES context to use for encryption or decryption.
575  *                         It must be initialized and bound to a key.
576  * \param length           The length of the input data.
577  * \param nc_off           The offset in the current \p stream_block, for
578  *                         resuming within the current cipher stream. The
579  *                         offset pointer should be 0 at the start of a stream.
580  *                         It must point to a valid \c size_t.
581  * \param nonce_counter    The 128-bit nonce and counter.
582  *                         It must be a readable-writeable buffer of \c 16 Bytes.
583  * \param stream_block     The saved stream block for resuming. This is
584  *                         overwritten by the function.
585  *                         It must be a readable-writeable buffer of \c 16 Bytes.
586  * \param input            The buffer holding the input data.
587  *                         It must be readable and of size \p length Bytes.
588  * \param output           The buffer holding the output data.
589  *                         It must be writeable and of size \p length Bytes.
590  *
591  * \return                 \c 0 on success.
592  */
593 MBEDTLS_CHECK_RETURN_TYPICAL
594 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
595                        size_t length,
596                        size_t *nc_off,
597                        unsigned char nonce_counter[16],
598                        unsigned char stream_block[16],
599                        const unsigned char *input,
600                        unsigned char *output );
601 #endif /* MBEDTLS_CIPHER_MODE_CTR */
602 
603 /**
604  * \brief           Internal AES block encryption function. This is only
605  *                  exposed to allow overriding it using
606  *                  \c MBEDTLS_AES_ENCRYPT_ALT.
607  *
608  * \param ctx       The AES context to use for encryption.
609  * \param input     The plaintext block.
610  * \param output    The output (ciphertext) block.
611  *
612  * \return          \c 0 on success.
613  */
614 MBEDTLS_CHECK_RETURN_TYPICAL
615 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
616                                   const unsigned char input[16],
617                                   unsigned char output[16] );
618 
619 /**
620  * \brief           Internal AES block decryption function. This is only
621  *                  exposed to allow overriding it using see
622  *                  \c MBEDTLS_AES_DECRYPT_ALT.
623  *
624  * \param ctx       The AES context to use for decryption.
625  * \param input     The ciphertext block.
626  * \param output    The output (plaintext) block.
627  *
628  * \return          \c 0 on success.
629  */
630 MBEDTLS_CHECK_RETURN_TYPICAL
631 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
632                                   const unsigned char input[16],
633                                   unsigned char output[16] );
634 
635 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
636 #if defined(MBEDTLS_DEPRECATED_WARNING)
637 #define MBEDTLS_DEPRECATED      __attribute__((deprecated))
638 #else
639 #define MBEDTLS_DEPRECATED
640 #endif
641 /**
642  * \brief           Deprecated internal AES block encryption function
643  *                  without return value.
644  *
645  * \deprecated      Superseded by mbedtls_internal_aes_encrypt()
646  *
647  * \param ctx       The AES context to use for encryption.
648  * \param input     Plaintext block.
649  * \param output    Output (ciphertext) block.
650  */
651 MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
652                                              const unsigned char input[16],
653                                              unsigned char output[16] );
654 
655 /**
656  * \brief           Deprecated internal AES block decryption function
657  *                  without return value.
658  *
659  * \deprecated      Superseded by mbedtls_internal_aes_decrypt()
660  *
661  * \param ctx       The AES context to use for decryption.
662  * \param input     Ciphertext block.
663  * \param output    Output (plaintext) block.
664  */
665 MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
666                                              const unsigned char input[16],
667                                              unsigned char output[16] );
668 
669 #undef MBEDTLS_DEPRECATED
670 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
671 
672 
673 #if defined(MBEDTLS_SELF_TEST)
674 /**
675  * \brief          Checkup routine.
676  *
677  * \return         \c 0 on success.
678  * \return         \c 1 on failure.
679  */
680 MBEDTLS_CHECK_RETURN_CRITICAL
681 int mbedtls_aes_self_test( int verbose );
682 
683 #endif /* MBEDTLS_SELF_TEST */
684 
685 #ifdef __cplusplus
686 }
687 #endif
688 
689 #endif /* aes.h */
690