4 * \brief This file contains the AEAD-ChaCha20-Poly1305 definitions and
7 * ChaCha20-Poly1305 is an algorithm for Authenticated Encryption
8 * with Associated Data (AEAD) that can be used to encrypt and
9 * authenticate data. It is based on ChaCha20 and Poly1305 by Daniel
10 * Bernstein and was standardized in RFC 7539.
12 * \author Daniel King <damaki.gh@gmail.com>
15 /* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
16 * SPDX-License-Identifier: Apache-2.0
18 * Licensed under the Apache License, Version 2.0 (the "License"); you may
19 * not use this file except in compliance with the License.
20 * You may obtain a copy of the License at
22 * http://www.apache.org/licenses/LICENSE-2.0
24 * Unless required by applicable law or agreed to in writing, software
25 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
26 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
27 * See the License for the specific language governing permissions and
28 * limitations under the License.
30 * This file is part of Mbed TLS (https://tls.mbed.org)
33 #ifndef MBEDTLS_CHACHAPOLY_H
34 #define MBEDTLS_CHACHAPOLY_H
36 #if !defined(MBEDTLS_CONFIG_FILE)
39 #include MBEDTLS_CONFIG_FILE
42 /* for shared error codes */
45 #define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE -0x0054 /**< The requested operation is not permitted in the current state. */
46 #define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED -0x0056 /**< Authenticated decryption failed: data was not authentic. */
54 MBEDTLS_CHACHAPOLY_ENCRYPT, /**< The mode value for performing encryption. */
55 MBEDTLS_CHACHAPOLY_DECRYPT /**< The mode value for performing decryption. */
57 mbedtls_chachapoly_mode_t;
59 #if !defined(MBEDTLS_CHACHAPOLY_ALT)
63 typedef struct mbedtls_chachapoly_context
65 mbedtls_chacha20_context chacha20_ctx; /**< The ChaCha20 context. */
66 mbedtls_poly1305_context poly1305_ctx; /**< The Poly1305 context. */
67 uint64_t aad_len; /**< The length (bytes) of the Additional Authenticated Data. */
68 uint64_t ciphertext_len; /**< The length (bytes) of the ciphertext. */
69 int state; /**< The current state of the context. */
70 mbedtls_chachapoly_mode_t mode; /**< Cipher mode (encrypt or decrypt). */
72 mbedtls_chachapoly_context;
74 #else /* !MBEDTLS_CHACHAPOLY_ALT */
75 #include "chachapoly_alt.h"
76 #endif /* !MBEDTLS_CHACHAPOLY_ALT */
79 * \brief This function initializes the specified ChaCha20-Poly1305 context.
81 * It must be the first API called before using
82 * the context. It must be followed by a call to
83 * \c mbedtls_chachapoly_setkey() before any operation can be
84 * done, and to \c mbedtls_chachapoly_free() once all
85 * operations with that context have been finished.
87 * In order to encrypt or decrypt full messages at once, for
88 * each message you should make a single call to
89 * \c mbedtls_chachapoly_crypt_and_tag() or
90 * \c mbedtls_chachapoly_auth_decrypt().
92 * In order to encrypt messages piecewise, for each
93 * message you should make a call to
94 * \c mbedtls_chachapoly_starts(), then 0 or more calls to
95 * \c mbedtls_chachapoly_update_aad(), then 0 or more calls to
96 * \c mbedtls_chachapoly_update(), then one call to
97 * \c mbedtls_chachapoly_finish().
99 * \warning Decryption with the piecewise API is discouraged! Always
100 * use \c mbedtls_chachapoly_auth_decrypt() when possible!
102 * If however this is not possible because the data is too
103 * large to fit in memory, you need to:
105 * - call \c mbedtls_chachapoly_starts() and (if needed)
106 * \c mbedtls_chachapoly_update_aad() as above,
107 * - call \c mbedtls_chachapoly_update() multiple times and
108 * ensure its output (the plaintext) is NOT used in any other
109 * way than placing it in temporary storage at this point,
110 * - call \c mbedtls_chachapoly_finish() to compute the
111 * authentication tag and compared it in constant time to the
112 * tag received with the ciphertext.
114 * If the tags are not equal, you must immediately discard
115 * all previous outputs of \c mbedtls_chachapoly_update(),
116 * otherwise you can now safely use the plaintext.
118 * \param ctx The ChachaPoly context to initialize. Must not be \c NULL.
120 void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx );
123 * \brief This function releases and clears the specified
124 * ChaCha20-Poly1305 context.
126 * \param ctx The ChachaPoly context to clear. This may be \c NULL, in which
127 * case this function is a no-op.
129 void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx );
132 * \brief This function sets the ChaCha20-Poly1305
133 * symmetric encryption key.
135 * \param ctx The ChaCha20-Poly1305 context to which the key should be
136 * bound. This must be initialized.
137 * \param key The \c 256 Bit (\c 32 Bytes) key.
139 * \return \c 0 on success.
140 * \return A negative error code on failure.
142 int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
143 const unsigned char key[32] );
146 * \brief This function starts a ChaCha20-Poly1305 encryption or
147 * decryption operation.
149 * \warning You must never use the same nonce twice with the same key.
150 * This would void any confidentiality and authenticity
151 * guarantees for the messages encrypted with the same nonce
154 * \note If the context is being used for AAD only (no data to
155 * encrypt or decrypt) then \p mode can be set to any value.
157 * \warning Decryption with the piecewise API is discouraged, see the
158 * warning on \c mbedtls_chachapoly_init().
160 * \param ctx The ChaCha20-Poly1305 context. This must be initialized
161 * and bound to a key.
162 * \param nonce The nonce/IV to use for the message.
163 * This must be a redable buffer of length \c 12 Bytes.
164 * \param mode The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
165 * #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
167 * \return \c 0 on success.
168 * \return A negative error code on failure.
170 int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
171 const unsigned char nonce[12],
172 mbedtls_chachapoly_mode_t mode );
175 * \brief This function feeds additional data to be authenticated
176 * into an ongoing ChaCha20-Poly1305 operation.
178 * The Additional Authenticated Data (AAD), also called
179 * Associated Data (AD) is only authenticated but not
180 * encrypted nor included in the encrypted output. It is
181 * usually transmitted separately from the ciphertext or
182 * computed locally by each party.
184 * \note This function is called before data is encrypted/decrypted.
185 * I.e. call this function to process the AAD before calling
186 * \c mbedtls_chachapoly_update().
188 * You may call this function multiple times to process
189 * an arbitrary amount of AAD. It is permitted to call
190 * this function 0 times, if no AAD is used.
192 * This function cannot be called any more if data has
193 * been processed by \c mbedtls_chachapoly_update(),
194 * or if the context has been finished.
196 * \warning Decryption with the piecewise API is discouraged, see the
197 * warning on \c mbedtls_chachapoly_init().
199 * \param ctx The ChaCha20-Poly1305 context. This must be initialized
200 * and bound to a key.
201 * \param aad_len The length in Bytes of the AAD. The length has no
203 * \param aad Buffer containing the AAD.
204 * This pointer can be \c NULL if `aad_len == 0`.
206 * \return \c 0 on success.
207 * \return #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
208 * if \p ctx or \p aad are NULL.
209 * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
210 * if the operations has not been started or has been
211 * finished, or if the AAD has been finished.
213 int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
214 const unsigned char *aad,
218 * \brief Thus function feeds data to be encrypted or decrypted
219 * into an on-going ChaCha20-Poly1305
222 * The direction (encryption or decryption) depends on the
223 * mode that was given when calling
224 * \c mbedtls_chachapoly_starts().
226 * You may call this function multiple times to process
227 * an arbitrary amount of data. It is permitted to call
228 * this function 0 times, if no data is to be encrypted
231 * \warning Decryption with the piecewise API is discouraged, see the
232 * warning on \c mbedtls_chachapoly_init().
234 * \param ctx The ChaCha20-Poly1305 context to use. This must be initialized.
235 * \param len The length (in bytes) of the data to encrypt or decrypt.
236 * \param input The buffer containing the data to encrypt or decrypt.
237 * This pointer can be \c NULL if `len == 0`.
238 * \param output The buffer to where the encrypted or decrypted data is
239 * written. This must be able to hold \p len bytes.
240 * This pointer can be \c NULL if `len == 0`.
242 * \return \c 0 on success.
243 * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
244 * if the operation has not been started or has been
246 * \return Another negative error code on other kinds of failure.
248 int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
250 const unsigned char *input,
251 unsigned char *output );
254 * \brief This function finished the ChaCha20-Poly1305 operation and
255 * generates the MAC (authentication tag).
257 * \param ctx The ChaCha20-Poly1305 context to use. This must be initialized.
258 * \param mac The buffer to where the 128-bit (16 bytes) MAC is written.
260 * \warning Decryption with the piecewise API is discouraged, see the
261 * warning on \c mbedtls_chachapoly_init().
263 * \return \c 0 on success.
264 * \return #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
265 * if the operation has not been started or has been
267 * \return Another negative error code on other kinds of failure.
269 int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
270 unsigned char mac[16] );
273 * \brief This function performs a complete ChaCha20-Poly1305
274 * authenticated encryption with the previously-set key.
276 * \note Before using this function, you must set the key with
277 * \c mbedtls_chachapoly_setkey().
279 * \warning You must never use the same nonce twice with the same key.
280 * This would void any confidentiality and authenticity
281 * guarantees for the messages encrypted with the same nonce
284 * \param ctx The ChaCha20-Poly1305 context to use (holds the key).
285 * This must be initialized.
286 * \param length The length (in bytes) of the data to encrypt or decrypt.
287 * \param nonce The 96-bit (12 bytes) nonce/IV to use.
288 * \param aad The buffer containing the additional authenticated
289 * data (AAD). This pointer can be \c NULL if `aad_len == 0`.
290 * \param aad_len The length (in bytes) of the AAD data to process.
291 * \param input The buffer containing the data to encrypt or decrypt.
292 * This pointer can be \c NULL if `ilen == 0`.
293 * \param output The buffer to where the encrypted or decrypted data
294 * is written. This pointer can be \c NULL if `ilen == 0`.
295 * \param tag The buffer to where the computed 128-bit (16 bytes) MAC
296 * is written. This must not be \c NULL.
298 * \return \c 0 on success.
299 * \return A negative error code on failure.
301 int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
303 const unsigned char nonce[12],
304 const unsigned char *aad,
306 const unsigned char *input,
307 unsigned char *output,
308 unsigned char tag[16] );
311 * \brief This function performs a complete ChaCha20-Poly1305
312 * authenticated decryption with the previously-set key.
314 * \note Before using this function, you must set the key with
315 * \c mbedtls_chachapoly_setkey().
317 * \param ctx The ChaCha20-Poly1305 context to use (holds the key).
318 * \param length The length (in Bytes) of the data to decrypt.
319 * \param nonce The \c 96 Bit (\c 12 bytes) nonce/IV to use.
320 * \param aad The buffer containing the additional authenticated data (AAD).
321 * This pointer can be \c NULL if `aad_len == 0`.
322 * \param aad_len The length (in bytes) of the AAD data to process.
323 * \param tag The buffer holding the authentication tag.
324 * This must be a readable buffer of length \c 16 Bytes.
325 * \param input The buffer containing the data to decrypt.
326 * This pointer can be \c NULL if `ilen == 0`.
327 * \param output The buffer to where the decrypted data is written.
328 * This pointer can be \c NULL if `ilen == 0`.
330 * \return \c 0 on success.
331 * \return #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
332 * if the data was not authentic.
333 * \return Another negative error code on other kinds of failure.
335 int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
337 const unsigned char nonce[12],
338 const unsigned char *aad,
340 const unsigned char tag[16],
341 const unsigned char *input,
342 unsigned char *output );
344 #if defined(MBEDTLS_SELF_TEST)
346 * \brief The ChaCha20-Poly1305 checkup routine.
348 * \return \c 0 on success.
349 * \return \c 1 on failure.
351 int mbedtls_chachapoly_self_test( int verbose );
352 #endif /* MBEDTLS_SELF_TEST */
358 #endif /* MBEDTLS_CHACHAPOLY_H */