1 /**
2  * \file chachapoly.h
3  *
4  * \brief   This file contains the AEAD-ChaCha20-Poly1305 definitions and
5  *          functions.
6  *
7  *          ChaCha20-Poly1305 is an algorithm for Authenticated Encryption
8  *          with Associated Data (AEAD) that can be used to encrypt and
9  *          authenticate data. It is based on ChaCha20 and Poly1305 by Daniel
10  *          Bernstein and was standardized in RFC 7539.
11  *
12  * \author Daniel King <damaki.gh@gmail.com>
13  */
14 
15 /*
16  *  Copyright The Mbed TLS Contributors
17  *  SPDX-License-Identifier: Apache-2.0
18  *
19  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
20  *  not use this file except in compliance with the License.
21  *  You may obtain a copy of the License at
22  *
23  *  http://www.apache.org/licenses/LICENSE-2.0
24  *
25  *  Unless required by applicable law or agreed to in writing, software
26  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
27  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
28  *  See the License for the specific language governing permissions and
29  *  limitations under the License.
30  */
31 
32 #ifndef MBEDTLS_CHACHAPOLY_H
33 #define MBEDTLS_CHACHAPOLY_H
34 #include "mbedtls/private_access.h"
35 
36 #include "mbedtls/build_info.h"
37 
38 /* for shared error codes */
39 #include "mbedtls/poly1305.h"
40 
41 /** The requested operation is not permitted in the current state. */
42 #define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE            -0x0054
43 /** Authenticated decryption failed: data was not authentic. */
44 #define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED          -0x0056
45 
46 #ifdef __cplusplus
47 extern "C" {
48 #endif
49 
50 typedef enum
51 {
52     MBEDTLS_CHACHAPOLY_ENCRYPT,     /**< The mode value for performing encryption. */
53     MBEDTLS_CHACHAPOLY_DECRYPT      /**< The mode value for performing decryption. */
54 }
55 mbedtls_chachapoly_mode_t;
56 
57 #if !defined(MBEDTLS_CHACHAPOLY_ALT)
58 
59 #include "mbedtls/chacha20.h"
60 
61 typedef struct mbedtls_chachapoly_context
62 {
63     mbedtls_chacha20_context MBEDTLS_PRIVATE(chacha20_ctx);  /**< The ChaCha20 context. */
64     mbedtls_poly1305_context MBEDTLS_PRIVATE(poly1305_ctx);  /**< The Poly1305 context. */
65     uint64_t MBEDTLS_PRIVATE(aad_len);                       /**< The length (bytes) of the Additional Authenticated Data. */
66     uint64_t MBEDTLS_PRIVATE(ciphertext_len);                /**< The length (bytes) of the ciphertext. */
67     int MBEDTLS_PRIVATE(state);                              /**< The current state of the context. */
68     mbedtls_chachapoly_mode_t MBEDTLS_PRIVATE(mode);         /**< Cipher mode (encrypt or decrypt). */
69 }
70 mbedtls_chachapoly_context;
71 
72 #else /* !MBEDTLS_CHACHAPOLY_ALT */
73 #include "chachapoly_alt.h"
74 #endif /* !MBEDTLS_CHACHAPOLY_ALT */
75 
76 /**
77  * \brief           This function initializes the specified ChaCha20-Poly1305 context.
78  *
79  *                  It must be the first API called before using
80  *                  the context. It must be followed by a call to
81  *                  \c mbedtls_chachapoly_setkey() before any operation can be
82  *                  done, and to \c mbedtls_chachapoly_free() once all
83  *                  operations with that context have been finished.
84  *
85  *                  In order to encrypt or decrypt full messages at once, for
86  *                  each message you should make a single call to
87  *                  \c mbedtls_chachapoly_crypt_and_tag() or
88  *                  \c mbedtls_chachapoly_auth_decrypt().
89  *
90  *                  In order to encrypt messages piecewise, for each
91  *                  message you should make a call to
92  *                  \c mbedtls_chachapoly_starts(), then 0 or more calls to
93  *                  \c mbedtls_chachapoly_update_aad(), then 0 or more calls to
94  *                  \c mbedtls_chachapoly_update(), then one call to
95  *                  \c mbedtls_chachapoly_finish().
96  *
97  * \warning         Decryption with the piecewise API is discouraged! Always
98  *                  use \c mbedtls_chachapoly_auth_decrypt() when possible!
99  *
100  *                  If however this is not possible because the data is too
101  *                  large to fit in memory, you need to:
102  *
103  *                  - call \c mbedtls_chachapoly_starts() and (if needed)
104  *                  \c mbedtls_chachapoly_update_aad() as above,
105  *                  - call \c mbedtls_chachapoly_update() multiple times and
106  *                  ensure its output (the plaintext) is NOT used in any other
107  *                  way than placing it in temporary storage at this point,
108  *                  - call \c mbedtls_chachapoly_finish() to compute the
109  *                  authentication tag and compared it in constant time to the
110  *                  tag received with the ciphertext.
111  *
112  *                  If the tags are not equal, you must immediately discard
113  *                  all previous outputs of \c mbedtls_chachapoly_update(),
114  *                  otherwise you can now safely use the plaintext.
115  *
116  * \param ctx       The ChachaPoly context to initialize. Must not be \c NULL.
117  */
118 void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx );
119 
120 /**
121  * \brief           This function releases and clears the specified
122  *                  ChaCha20-Poly1305 context.
123  *
124  * \param ctx       The ChachaPoly context to clear. This may be \c NULL, in which
125  *                  case this function is a no-op.
126  */
127 void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx );
128 
129 /**
130  * \brief           This function sets the ChaCha20-Poly1305
131  *                  symmetric encryption key.
132  *
133  * \param ctx       The ChaCha20-Poly1305 context to which the key should be
134  *                  bound. This must be initialized.
135  * \param key       The \c 256 Bit (\c 32 Bytes) key.
136  *
137  * \return          \c 0 on success.
138  * \return          A negative error code on failure.
139  */
140 int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
141                                const unsigned char key[32] );
142 
143 /**
144  * \brief           This function starts a ChaCha20-Poly1305 encryption or
145  *                  decryption operation.
146  *
147  * \warning         You must never use the same nonce twice with the same key.
148  *                  This would void any confidentiality and authenticity
149  *                  guarantees for the messages encrypted with the same nonce
150  *                  and key.
151  *
152  * \note            If the context is being used for AAD only (no data to
153  *                  encrypt or decrypt) then \p mode can be set to any value.
154  *
155  * \warning         Decryption with the piecewise API is discouraged, see the
156  *                  warning on \c mbedtls_chachapoly_init().
157  *
158  * \param ctx       The ChaCha20-Poly1305 context. This must be initialized
159  *                  and bound to a key.
160  * \param nonce     The nonce/IV to use for the message.
161  *                  This must be a readable buffer of length \c 12 Bytes.
162  * \param mode      The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
163  *                  #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
164  *
165  * \return          \c 0 on success.
166  * \return          A negative error code on failure.
167  */
168 int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
169                                const unsigned char nonce[12],
170                                mbedtls_chachapoly_mode_t mode );
171 
172 /**
173  * \brief           This function feeds additional data to be authenticated
174  *                  into an ongoing ChaCha20-Poly1305 operation.
175  *
176  *                  The Additional Authenticated Data (AAD), also called
177  *                  Associated Data (AD) is only authenticated but not
178  *                  encrypted nor included in the encrypted output. It is
179  *                  usually transmitted separately from the ciphertext or
180  *                  computed locally by each party.
181  *
182  * \note            This function is called before data is encrypted/decrypted.
183  *                  I.e. call this function to process the AAD before calling
184  *                  \c mbedtls_chachapoly_update().
185  *
186  *                  You may call this function multiple times to process
187  *                  an arbitrary amount of AAD. It is permitted to call
188  *                  this function 0 times, if no AAD is used.
189  *
190  *                  This function cannot be called any more if data has
191  *                  been processed by \c mbedtls_chachapoly_update(),
192  *                  or if the context has been finished.
193  *
194  * \warning         Decryption with the piecewise API is discouraged, see the
195  *                  warning on \c mbedtls_chachapoly_init().
196  *
197  * \param ctx       The ChaCha20-Poly1305 context. This must be initialized
198  *                  and bound to a key.
199  * \param aad_len   The length in Bytes of the AAD. The length has no
200  *                  restrictions.
201  * \param aad       Buffer containing the AAD.
202  *                  This pointer can be \c NULL if `aad_len == 0`.
203  *
204  * \return          \c 0 on success.
205  * \return          #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
206  *                  if \p ctx or \p aad are NULL.
207  * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
208  *                  if the operations has not been started or has been
209  *                  finished, or if the AAD has been finished.
210  */
211 int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
212                                    const unsigned char *aad,
213                                    size_t aad_len );
214 
215 /**
216  * \brief           Thus function feeds data to be encrypted or decrypted
217  *                  into an on-going ChaCha20-Poly1305
218  *                  operation.
219  *
220  *                  The direction (encryption or decryption) depends on the
221  *                  mode that was given when calling
222  *                  \c mbedtls_chachapoly_starts().
223  *
224  *                  You may call this function multiple times to process
225  *                  an arbitrary amount of data. It is permitted to call
226  *                  this function 0 times, if no data is to be encrypted
227  *                  or decrypted.
228  *
229  * \warning         Decryption with the piecewise API is discouraged, see the
230  *                  warning on \c mbedtls_chachapoly_init().
231  *
232  * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.
233  * \param len       The length (in bytes) of the data to encrypt or decrypt.
234  * \param input     The buffer containing the data to encrypt or decrypt.
235  *                  This pointer can be \c NULL if `len == 0`.
236  * \param output    The buffer to where the encrypted or decrypted data is
237  *                  written. This must be able to hold \p len bytes.
238  *                  This pointer can be \c NULL if `len == 0`.
239  *
240  * \return          \c 0 on success.
241  * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
242  *                  if the operation has not been started or has been
243  *                  finished.
244  * \return          Another negative error code on other kinds of failure.
245  */
246 int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
247                                size_t len,
248                                const unsigned char *input,
249                                unsigned char *output );
250 
251 /**
252  * \brief           This function finished the ChaCha20-Poly1305 operation and
253  *                  generates the MAC (authentication tag).
254  *
255  * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.
256  * \param mac       The buffer to where the 128-bit (16 bytes) MAC is written.
257  *
258  * \warning         Decryption with the piecewise API is discouraged, see the
259  *                  warning on \c mbedtls_chachapoly_init().
260  *
261  * \return          \c 0 on success.
262  * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
263  *                  if the operation has not been started or has been
264  *                  finished.
265  * \return          Another negative error code on other kinds of failure.
266  */
267 int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
268                                unsigned char mac[16] );
269 
270 /**
271  * \brief           This function performs a complete ChaCha20-Poly1305
272  *                  authenticated encryption with the previously-set key.
273  *
274  * \note            Before using this function, you must set the key with
275  *                  \c mbedtls_chachapoly_setkey().
276  *
277  * \warning         You must never use the same nonce twice with the same key.
278  *                  This would void any confidentiality and authenticity
279  *                  guarantees for the messages encrypted with the same nonce
280  *                  and key.
281  *
282  * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).
283  *                  This must be initialized.
284  * \param length    The length (in bytes) of the data to encrypt or decrypt.
285  * \param nonce     The 96-bit (12 bytes) nonce/IV to use.
286  * \param aad       The buffer containing the additional authenticated
287  *                  data (AAD). This pointer can be \c NULL if `aad_len == 0`.
288  * \param aad_len   The length (in bytes) of the AAD data to process.
289  * \param input     The buffer containing the data to encrypt or decrypt.
290  *                  This pointer can be \c NULL if `ilen == 0`.
291  * \param output    The buffer to where the encrypted or decrypted data
292  *                  is written. This pointer can be \c NULL if `ilen == 0`.
293  * \param tag       The buffer to where the computed 128-bit (16 bytes) MAC
294  *                  is written. This must not be \c NULL.
295  *
296  * \return          \c 0 on success.
297  * \return          A negative error code on failure.
298  */
299 int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
300                                         size_t length,
301                                         const unsigned char nonce[12],
302                                         const unsigned char *aad,
303                                         size_t aad_len,
304                                         const unsigned char *input,
305                                         unsigned char *output,
306                                         unsigned char tag[16] );
307 
308 /**
309  * \brief           This function performs a complete ChaCha20-Poly1305
310  *                  authenticated decryption with the previously-set key.
311  *
312  * \note            Before using this function, you must set the key with
313  *                  \c mbedtls_chachapoly_setkey().
314  *
315  * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).
316  * \param length    The length (in Bytes) of the data to decrypt.
317  * \param nonce     The \c 96 Bit (\c 12 bytes) nonce/IV to use.
318  * \param aad       The buffer containing the additional authenticated data (AAD).
319  *                  This pointer can be \c NULL if `aad_len == 0`.
320  * \param aad_len   The length (in bytes) of the AAD data to process.
321  * \param tag       The buffer holding the authentication tag.
322  *                  This must be a readable buffer of length \c 16 Bytes.
323  * \param input     The buffer containing the data to decrypt.
324  *                  This pointer can be \c NULL if `ilen == 0`.
325  * \param output    The buffer to where the decrypted data is written.
326  *                  This pointer can be \c NULL if `ilen == 0`.
327  *
328  * \return          \c 0 on success.
329  * \return          #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
330  *                  if the data was not authentic.
331  * \return          Another negative error code on other kinds of failure.
332  */
333 int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
334                                      size_t length,
335                                      const unsigned char nonce[12],
336                                      const unsigned char *aad,
337                                      size_t aad_len,
338                                      const unsigned char tag[16],
339                                      const unsigned char *input,
340                                      unsigned char *output );
341 
342 #if defined(MBEDTLS_SELF_TEST)
343 /**
344  * \brief           The ChaCha20-Poly1305 checkup routine.
345  *
346  * \return          \c 0 on success.
347  * \return          \c 1 on failure.
348  */
349 int mbedtls_chachapoly_self_test( int verbose );
350 #endif /* MBEDTLS_SELF_TEST */
351 
352 #ifdef __cplusplus
353 }
354 #endif
355 
356 #endif /* MBEDTLS_CHACHAPOLY_H */
357