Software APIs
aes_gcm.h
Go to the documentation of this file.
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_AES_GCM_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_AES_GCM_H_
7 
8 #include "datatypes.h"
9 
10 /**
11  * @file
12  * @brief AES-GCM operations for the OpenTitan cryptography library.
13  */
14 
15 #ifdef __cplusplus
16 extern "C" {
17 #endif // __cplusplus
18 
19 /**
20  * Enum to denote the AES-GCM tag length.
21  *
22  * Values are hardened.
23  */
24 typedef enum otcrypto_aes_gcm_tag_len {
25  // Tag length 128 bits.
26  kOtcryptoAesGcmTagLen128 = 0x167,
27  // Tag length 96 bits.
28  kOtcryptoAesGcmTagLen96 = 0x35a,
29  // Tag length 64 bits.
30  kOtcryptoAesGcmTagLen64 = 0x5d4,
31  // Tag length 32 bits.
32  kOtcryptoAesGcmTagLen32 = 0xf06,
33 } otcrypto_aes_gcm_tag_len_t;
34 
35 /**
36  * Context for a streaming AES-GCM operation.
37  *
38  * Representation is internal to the AES-GCM implementation and subject to
39  * change.
40  */
41 typedef struct otcrypto_aes_gcm_context {
42  uint32_t data[98];
43 } otcrypto_aes_gcm_context_t;
44 
45 /**
46  * Performs the AES-GCM authenticated encryption operation.
47  *
48  * This function encrypts the input `plaintext` to produce an
49  * output `ciphertext`. Together it generates an authentication
50  * tag `auth_tag` on the ciphered data and any non-confidential
51  * additional authenticated data `aad`.
52  *
53  * The caller should allocate space for the `ciphertext` buffer,
54  * (same length as input), `auth_tag` buffer (same as tag_len), and
55  * set the length of expected outputs in the `len` field of
56  * `ciphertext` and `auth_tag`. If the user-set length and the output
57  * length does not match, an error message will be returned.
58  *
59  * @param key Pointer to the blinded gcm-key struct.
60  * @param plaintext Input data to be encrypted and authenticated.
61  * @param iv Initialization vector for the encryption function.
62  * @param aad Additional authenticated data.
63  * @param tag_len Length of authentication tag to be generated.
64  * @param[out] ciphertext Encrypted output data, same length as input data.
65  * @param[out] auth_tag Generated authentication tag.
66  * @return Result of the authenticated encryption.
67  * operation
68  */
69 otcrypto_status_t otcrypto_aes_gcm_encrypt(const otcrypto_blinded_key_t *key,
70  otcrypto_const_byte_buf_t plaintext,
71  otcrypto_const_word32_buf_t iv,
72  otcrypto_const_byte_buf_t aad,
73  otcrypto_aes_gcm_tag_len_t tag_len,
74  otcrypto_byte_buf_t ciphertext,
75  otcrypto_word32_buf_t auth_tag);
76 
77 /**
78  * Performs the AES-GCM authenticated decryption operation.
79  *
80  * This function first verifies if the authentication tag `auth_tag`
81  * matches the internally generated tag. Upon verification, the
82  * function decrypts the input `ciphertext` to get a `plaintext data.
83  *
84  * The caller should allocate space for the `plaintext` buffer,
85  * (same length as ciphertext), and set the length of expected output
86  * in the `len` field of `plaintext`. If the user-set length and the
87  * output length does not match, an error message will be returned.
88  *
89  * The caller must check the `success` argument before operating on
90  * `plaintext`. If the authentication check fails, then `plaintext` should not
91  * be used and there are no guarantees about its contents.
92  *
93  * @param key Pointer to the blinded gcm-key struct.
94  * @param ciphertext Input data to be decrypted.
95  * @param iv Initialization vector for the decryption function.
96  * @param aad Additional authenticated data.
97  * @param tag_len Length of authentication tag to be generated.
98  * @param auth_tag Authentication tag to be verified.
99  * @param[out] plaintext Decrypted plaintext data, same len as input data.
100  * @param[out] success True if the authentication check passed, otherwise false.
101  * @return Result of the authenticated decryption.
102  * operation
103  */
104 otcrypto_status_t otcrypto_aes_gcm_decrypt(
105  const otcrypto_blinded_key_t *key, otcrypto_const_byte_buf_t ciphertext,
106  otcrypto_const_word32_buf_t iv, otcrypto_const_byte_buf_t aad,
107  otcrypto_aes_gcm_tag_len_t tag_len, otcrypto_const_word32_buf_t auth_tag,
108  otcrypto_byte_buf_t plaintext, hardened_bool_t *success);
109 
110 /**
111  * Initializes the AES-GCM authenticated encryption operation.
112  *
113  * The order of operations for encryption is:
114  * - `otcrypto_aes_gcm_encrypt_init()` called once
115  * - `otcrypto_aes_gcm_update_aad()` called zero or more times
116  * - `otcrypto_aes_gcm_update_encrypted_data()` called zero or more times
117  * - `otcrypto_aes_gcm_encrypt_final()` called once
118  *
119  * Associated data must be added first, before encrypted data; the caller may
120  * not call `otcrypto_aes_gcm_udpate_aad()` after the first call to
121  * `otcrypto_aes_gcm_update_encrypted_data()`.
122  *
123  * The resulting AES-GCM context will include pointers into the keyblob of the
124  * blinded key. It is important that the blinded key (or at least the keyblob)
125  * remains live as long as `ctx` is. The IV is safe to free.
126  *
127  * @param key Pointer to the blinded key struct.
128  * @param iv Initialization vector for the encryption function.
129  * @param[out] ctx Context object for the operation.
130  * @return Result of the initialization operation.
131  */
132 otcrypto_status_t otcrypto_aes_gcm_encrypt_init(
133  const otcrypto_blinded_key_t *key, otcrypto_const_word32_buf_t iv,
134  otcrypto_aes_gcm_context_t *ctx);
135 
136 /**
137  * Initializes the AES-GCM authenticated decryption operation.
138  *
139  * The order of operations for decryption is:
140  * - `otcrypto_aes_gcm_decrypt_init()` called once
141  * - `otcrypto_aes_gcm_update_aad()` called zero or more times
142  * - `otcrypto_aes_gcm_update_encrypted_data()` called zero or more times
143  * - `otcrypto_aes_gcm_decrypt_final()` called once
144  *
145  * Associated data must be added first, before encrypted data; the caller may
146  * not call `otcrypto_aes_gcm_udpate_aad()` after the first call to
147  * `otcrypto_aes_gcm_update_encrypted_data()`.
148  *
149  * The resulting AES-GCM context will include pointers into the keyblob of the
150  * blinded key. It is important that the blinded key (or at least the keyblob)
151  * remains live as long as `ctx` is. The IV is safe to free.
152  *
153  * IMPORTANT: Although this routine produces decrypted data incrementally, it
154  * is the caller's responsibility to ensure that they do not trust the
155  * decrypted data until the tag check passes.
156  *
157  * @param key Pointer to the blinded key struct.
158  * @param iv Initialization vector for the decryption function.
159  * @param[out] ctx Context object for the operation.
160  * @return Result of the initialization operation.
161  */
162 otcrypto_status_t otcrypto_aes_gcm_decrypt_init(
163  const otcrypto_blinded_key_t *key, otcrypto_const_word32_buf_t iv,
164  otcrypto_aes_gcm_context_t *ctx);
165 /**
166  * Updates additional authenticated data for an AES-GCM operation.
167  *
168  * May be used for either encryption or decryption. Call
169  * `otcrypto_aes_gcm_encrypt_init` or `otcrypto_aes_gcm_decrypt_init` first.
170  *
171  * @param ctx Context object for the operation, updated in place.
172  * @param aad Additional authenticated data.
173  * @return Result of the update operation.
174  */
175 otcrypto_status_t otcrypto_aes_gcm_update_aad(otcrypto_aes_gcm_context_t *ctx,
176  otcrypto_const_byte_buf_t aad);
177 
178 /**
179  * Updates authenticated-and-encrypted data for an AES-GCM operation.
180  *
181  * May be used for either encryption or decryption. Call
182  * `otcrypto_aes_gcm_encrypt_init` or `otcrypto_aes_gcm_decrypt_init` first.
183  *
184  * The caller should allocate space for the output and set the `len` field
185  * accordingly.
186  *
187  * For encryption, `input` is the plaintext and `output` is the ciphertext; for
188  * decryption, they are reversed. The output must always be long enough to
189  * store all full 128-bit blocks of encrypted data received so far minus all
190  * output produced so far; rounding the input length to the next 128-bit
191  * boundary is always enough, but if the caller knows the exact byte-length of
192  * input so far they can calculate it exactly. Returns an error if `output` is
193  * not long enough; if `output` is overly long, only the first
194  * `output_bytes_written` bytes will be used.
195  *
196  * @param ctx Context object for the operation, updated in place.
197  * @param input Plaintext for encryption, ciphertext for decryption.
198  * @param[out] output Ciphertext for encryption, plaintext for decryption.
199  * @param[out] output_bytes_written Number of bytes written to `output`.
200  * @return Result of the update operation.
201  */
202 otcrypto_status_t otcrypto_aes_gcm_update_encrypted_data(
203  otcrypto_aes_gcm_context_t *ctx, otcrypto_const_byte_buf_t input,
204  otcrypto_byte_buf_t output, size_t *output_bytes_written);
205 
206 /**
207  * Finishes the AES-GCM authenticated encryption operation.
208  *
209  * Processes any remaining plaintext from the context and computes the
210  * authentication tag and up to 1 block of ciphertext.
211  *
212  * The caller should allocate space for the ciphertext and tag buffers and set
213  * the `len` fields accordingly. This function returns the
214  * `ciphertext_bytes_written` parameter with the number of bytes written to
215  * `ciphertext`, which is always either 16 or 0. This function returns an error
216  * if the ciphertext or tag buffer is not long enough.
217  *
218  * @param ctx Context object for the operation.
219  * @param tag_len Length of authentication tag to be generated.
220  * @param[out] ciphertext Encrypted output data.
221  * @param[out] ciphertext_bytes_written Number of bytes written to `ciphertext`.
222  * @param[out] auth_tag Generated authentication tag.
223  * @return Result of the final operation.
224  */
225 otcrypto_status_t otcrypto_aes_gcm_encrypt_final(
226  otcrypto_aes_gcm_context_t *ctx, otcrypto_aes_gcm_tag_len_t tag_len,
227  otcrypto_byte_buf_t ciphertext, size_t *ciphertext_bytes_written,
228  otcrypto_word32_buf_t auth_tag);
229 
230 /**
231  * Finishes the AES-GCM authenticated decryption operation.
232  *
233  * Processes any remaining ciphertext from the context and computes the
234  * authentication tag and up to 1 block of plaintext.
235  *
236  * The caller should allocate space for the plaintext buffer and set the `len`
237  * field accordingly. This function returns the `ciphertext_bytes_written`
238  * parameter with the number of bytes written to `ciphertext`. This function
239  * returns an error if the plaintext buffer is not long enough.
240  *
241  * IMPORTANT: the caller must check both the returned status and the `success`
242  * parameter to know if the tag is valid. The returned status may be OK even if
243  * the tag check did not succeed, if there were no errors during processing.
244  *
245  * @param ctx Context object for the operation.
246  * @param auth_tag Authentication tag to check.
247  * @param tag_len Length of authentication tag.
248  * @param[out] plaintext Decrypted output data.
249  * @param[out] plaintext_bytes_written Number of bytes written to `plaintext`.
250  * @param[out] success Whether the tag passed verification.
251  * @return Result of the final operation.
252  */
253 otcrypto_status_t otcrypto_aes_gcm_decrypt_final(
254  otcrypto_aes_gcm_context_t *ctx, otcrypto_const_word32_buf_t auth_tag,
255  otcrypto_aes_gcm_tag_len_t tag_len, otcrypto_byte_buf_t plaintext,
256  size_t *plaintext_bytes_written, hardened_bool_t *success);
257 
258 #ifdef __cplusplus
259 } // extern "C"
260 #endif // __cplusplus
261 
262 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_AES_GCM_H_
Return to OpenTitan Documentation