1 /** 2 * \file nist_kw.h 3 * 4 * \brief This file provides an API for key wrapping (KW) and key wrapping with 5 * padding (KWP) as defined in NIST SP 800-38F. 6 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf 7 * 8 * Key wrapping specifies a deterministic authenticated-encryption mode 9 * of operation, according to <em>NIST SP 800-38F: Recommendation for 10 * Block Cipher Modes of Operation: Methods for Key Wrapping</em>. Its 11 * purpose is to protect cryptographic keys. 12 * 13 * Its equivalent is RFC 3394 for KW, and RFC 5649 for KWP. 14 * https://tools.ietf.org/html/rfc3394 15 * https://tools.ietf.org/html/rfc5649 16 * 17 */ 18 /* 19 * Copyright The Mbed TLS Contributors 20 * SPDX-License-Identifier: Apache-2.0 21 * 22 * Licensed under the Apache License, Version 2.0 (the "License"); you may 23 * not use this file except in compliance with the License. 24 * You may obtain a copy of the License at 25 * 26 * http://www.apache.org/licenses/LICENSE-2.0 27 * 28 * Unless required by applicable law or agreed to in writing, software 29 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 30 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 31 * See the License for the specific language governing permissions and 32 * limitations under the License. 33 */ 34 35 #ifndef MBEDTLS_NIST_KW_H 36 #define MBEDTLS_NIST_KW_H 37 #include "mbedtls/private_access.h" 38 39 #include "mbedtls/build_info.h" 40 41 #include "mbedtls/cipher.h" 42 43 #ifdef __cplusplus 44 extern "C" { 45 #endif 46 47 typedef enum { 48 MBEDTLS_KW_MODE_KW = 0, 49 MBEDTLS_KW_MODE_KWP = 1 50 } mbedtls_nist_kw_mode_t; 51 52 #if !defined(MBEDTLS_NIST_KW_ALT) 53 // Regular implementation 54 // 55 56 /** 57 * \brief The key wrapping context-type definition. The key wrapping context is passed 58 * to the APIs called. 59 * 60 * \note The definition of this type may change in future library versions. 61 * Don't make any assumptions on this context! 62 */ 63 typedef struct { 64 mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */ 65 } mbedtls_nist_kw_context; 66 67 #else /* MBEDTLS_NIST_key wrapping_ALT */ 68 #include "nist_kw_alt.h" 69 #endif /* MBEDTLS_NIST_KW_ALT */ 70 71 /** 72 * \brief This function initializes the specified key wrapping context 73 * to make references valid and prepare the context 74 * for mbedtls_nist_kw_setkey() or mbedtls_nist_kw_free(). 75 * 76 * \param ctx The key wrapping context to initialize. 77 * 78 */ 79 void mbedtls_nist_kw_init(mbedtls_nist_kw_context *ctx); 80 81 /** 82 * \brief This function initializes the key wrapping context set in the 83 * \p ctx parameter and sets the encryption key. 84 * 85 * \param ctx The key wrapping context. 86 * \param cipher The 128-bit block cipher to use. Only AES is supported. 87 * \param key The Key Encryption Key (KEK). 88 * \param keybits The KEK size in bits. This must be acceptable by the cipher. 89 * \param is_wrap Specify whether the operation within the context is wrapping or unwrapping 90 * 91 * \return \c 0 on success. 92 * \return \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for any invalid input. 93 * \return \c MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE for 128-bit block ciphers 94 * which are not supported. 95 * \return cipher-specific error code on failure of the underlying cipher. 96 */ 97 int mbedtls_nist_kw_setkey(mbedtls_nist_kw_context *ctx, 98 mbedtls_cipher_id_t cipher, 99 const unsigned char *key, 100 unsigned int keybits, 101 const int is_wrap); 102 103 /** 104 * \brief This function releases and clears the specified key wrapping context 105 * and underlying cipher sub-context. 106 * 107 * \param ctx The key wrapping context to clear. 108 */ 109 void mbedtls_nist_kw_free(mbedtls_nist_kw_context *ctx); 110 111 /** 112 * \brief This function encrypts a buffer using key wrapping. 113 * 114 * \param ctx The key wrapping context to use for encryption. 115 * \param mode The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP) 116 * \param input The buffer holding the input data. 117 * \param in_len The length of the input data in Bytes. 118 * The input uses units of 8 Bytes called semiblocks. 119 * <ul><li>For KW mode: a multiple of 8 bytes between 16 and 2^57-8 inclusive. </li> 120 * <li>For KWP mode: any length between 1 and 2^32-1 inclusive.</li></ul> 121 * \param[out] output The buffer holding the output data. 122 * <ul><li>For KW mode: Must be at least 8 bytes larger than \p in_len.</li> 123 * <li>For KWP mode: Must be at least 8 bytes larger rounded up to a multiple of 124 * 8 bytes for KWP (15 bytes at most).</li></ul> 125 * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure. 126 * \param[in] out_size The capacity of the output buffer. 127 * 128 * \return \c 0 on success. 129 * \return \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length. 130 * \return cipher-specific error code on failure of the underlying cipher. 131 */ 132 int mbedtls_nist_kw_wrap(mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode, 133 const unsigned char *input, size_t in_len, 134 unsigned char *output, size_t *out_len, size_t out_size); 135 136 /** 137 * \brief This function decrypts a buffer using key wrapping. 138 * 139 * \param ctx The key wrapping context to use for decryption. 140 * \param mode The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP) 141 * \param input The buffer holding the input data. 142 * \param in_len The length of the input data in Bytes. 143 * The input uses units of 8 Bytes called semiblocks. 144 * The input must be a multiple of semiblocks. 145 * <ul><li>For KW mode: a multiple of 8 bytes between 24 and 2^57 inclusive. </li> 146 * <li>For KWP mode: a multiple of 8 bytes between 16 and 2^32 inclusive.</li></ul> 147 * \param[out] output The buffer holding the output data. 148 * The output buffer's minimal length is 8 bytes shorter than \p in_len. 149 * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure. 150 * For KWP mode, the length could be up to 15 bytes shorter than \p in_len, 151 * depending on how much padding was added to the data. 152 * \param[in] out_size The capacity of the output buffer. 153 * 154 * \return \c 0 on success. 155 * \return \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length. 156 * \return \c MBEDTLS_ERR_CIPHER_AUTH_FAILED for verification failure of the ciphertext. 157 * \return cipher-specific error code on failure of the underlying cipher. 158 */ 159 int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode, 160 const unsigned char *input, size_t in_len, 161 unsigned char *output, size_t *out_len, size_t out_size); 162 163 164 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) 165 /** 166 * \brief The key wrapping checkup routine. 167 * 168 * \return \c 0 on success. 169 * \return \c 1 on failure. 170 */ 171 int mbedtls_nist_kw_self_test(int verbose); 172 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ 173 174 #ifdef __cplusplus 175 } 176 #endif 177 178 #endif /* MBEDTLS_NIST_KW_H */ 179