Software APIs
aes.h
Go to the documentation of this file.
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_AES_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_AES_H_
7 
8 #include "datatypes.h"
9 
10 /**
11  * @file
12  * @brief AES operations for the OpenTitan cryptography library.
13  */
14 
15 #ifdef __cplusplus
16 extern "C" {
17 #endif // __cplusplus
18 
19 /**
20  * Enum to denote the AES-GCM tag length.
21  *
22  * Values are hardened.
23  */
24 typedef enum otcrypto_aes_gcm_tag_len {
25  // Tag length 128 bits.
26  kOtcryptoAesGcmTagLen128 = 0x167,
27  // Tag length 96 bits.
28  kOtcryptoAesGcmTagLen96 = 0x35a,
29  // Tag length 64 bits.
30  kOtcryptoAesGcmTagLen64 = 0x5d4,
31  // Tag length 32 bits.
32  kOtcryptoAesGcmTagLen32 = 0xf06,
33 } otcrypto_aes_gcm_tag_len_t;
34 
35 /**
36  * Enum to define AES mode of operation.
37  *
38  * Values are hardened.
39  */
40 typedef enum otcrypto_aes_mode {
41  // AES ECB mode (electronic codebook mode).
42  kOtcryptoAesModeEcb = 0x533,
43  // AES CBC mode (cipher block chaining mode).
44  kOtcryptoAesModeCbc = 0x45d,
45  // AES CFB mode (cipher feedback mode).
46  kOtcryptoAesModeCfb = 0xcd2,
47  // AES OFB mode (output feedback mode).
48  kOtcryptoAesModeOfb = 0x39a,
49  // AES CTR mode (counter mode).
50  kOtcryptoAesModeCtr = 0xd2c,
51 } otcrypto_aes_mode_t;
52 
53 /**
54  * Enum to define AES operation to be performed.
55  *
56  * Values are hardened.
57  */
58 typedef enum otcrypto_aes_operation {
59  // AES operation mode encrypt.
60  kOtcryptoAesOperationEncrypt = 0x2b6,
61  // AES operation mode decrypt.
62  kOtcryptoAesOperationDecrypt = 0x5f0,
63 } otcrypto_aes_operation_t;
64 
65 /**
66  * Enum to define padding scheme for AES data.
67  *
68  * Values are hardened.
69  */
70 typedef enum otcrypto_aes_padding {
71  // Pads with value same as the number of padding bytes.
72  kOtcryptoAesPaddingPkcs7 = 0xe7f,
73  // Pads with 0x80 (10000000), followed by zero bytes.
74  kOtcryptoAesPaddingIso9797M2 = 0xfac,
75  // Add no padding.
76  kOtcryptoAesPaddingNull = 0x8ce,
77 } otcrypto_aes_padding_t;
78 
79 /**
80  * Context for a streaming AES-GCM operation.
81  *
82  * Representation is internal to the AES-GCM implementation and subject to
83  * change.
84  */
85 typedef struct otcrypto_aes_gcm_context {
86  uint32_t data[98];
87 } otcrypto_aes_gcm_context_t;
88 
89 /**
90  * Get the number of blocks needed for the plaintext length and padding mode.
91  *
92  * This returns the size of the padded plaintext, which is the same as the
93  * ciphertext size. Returns `kOtcryptoStatusValueBadArgs` if the padding mode
94  * and length are incompatible (for instance, if the padding mode is "no
95  * padding" but the input length is not a multiple of the AES block size).
96  *
97  * @param plaintext_len Plaintext data length in bytes.
98  * @param aes_padding Padding scheme to be used for the data.
99  * @return Size of the padded input or ciphertext.
100  * @return Result of the operation.
101  */
102 otcrypto_status_t otcrypto_aes_padded_plaintext_length(
103  size_t plaintext_len, otcrypto_aes_padding_t aes_padding,
104  size_t *padded_len);
105 
106 /**
107  * Performs the AES operation.
108  *
109  * The input data in the `cipher_input` is first padded using the
110  * `aes_padding` scheme and the output is copied to `cipher_output`.
111  *
112  * The caller should allocate space for the `cipher_output` buffer, which is
113  * given in bytes by `otcrypto_aes_padded_plaintext_length`, and set the number
114  * of bytes allocated in the `len` field of the output. If the user-set length
115  * and the expected length do not match, an error message will be returned.
116  *
117  * Note that, during decryption, the padding mode is ignored. This function
118  * will NOT check the padding or return an error if the padding is invalid,
119  * since doing so could expose a padding oracle (especially in CBC mode).
120  *
121  * @param key Pointer to the blinded key struct with key shares.
122  * @param iv Initialization vector, used for CBC, CFB, OFB, CTR modes. May be
123  * NULL if mode is ECB.
124  * @param aes_mode Required AES mode of operation.
125  * @param aes_operation Required AES operation (encrypt or decrypt).
126  * @param cipher_input Input data to be ciphered.
127  * @param aes_padding Padding scheme to be used for the data.
128  * @param[out] cipher_output Output data after cipher operation.
129  * @return The result of the cipher operation.
130  */
131 otcrypto_status_t otcrypto_aes(const otcrypto_blinded_key_t *key,
132  otcrypto_word32_buf_t iv,
133  otcrypto_aes_mode_t aes_mode,
134  otcrypto_aes_operation_t aes_operation,
135  otcrypto_const_byte_buf_t cipher_input,
136  otcrypto_aes_padding_t aes_padding,
137  otcrypto_byte_buf_t cipher_output);
138 
139 /**
140  * Performs the AES-GCM authenticated encryption operation.
141  *
142  * This function encrypts the input `plaintext` to produce an
143  * output `ciphertext`. Together it generates an authentication
144  * tag `auth_tag` on the ciphered data and any non-confidential
145  * additional authenticated data `aad`.
146  *
147  * The caller should allocate space for the `ciphertext` buffer,
148  * (same length as input), `auth_tag` buffer (same as tag_len), and
149  * set the length of expected outputs in the `len` field of
150  * `ciphertext` and `auth_tag`. If the user-set length and the output
151  * length does not match, an error message will be returned.
152  *
153  * @param key Pointer to the blinded gcm-key struct.
154  * @param plaintext Input data to be encrypted and authenticated.
155  * @param iv Initialization vector for the encryption function.
156  * @param aad Additional authenticated data.
157  * @param tag_len Length of authentication tag to be generated.
158  * @param[out] ciphertext Encrypted output data, same length as input data.
159  * @param[out] auth_tag Generated authentication tag.
160  * @return Result of the authenticated encryption.
161  * operation
162  */
163 otcrypto_status_t otcrypto_aes_gcm_encrypt(const otcrypto_blinded_key_t *key,
164  otcrypto_const_byte_buf_t plaintext,
165  otcrypto_const_word32_buf_t iv,
166  otcrypto_const_byte_buf_t aad,
167  otcrypto_aes_gcm_tag_len_t tag_len,
168  otcrypto_byte_buf_t ciphertext,
169  otcrypto_word32_buf_t auth_tag);
170 
171 /**
172  * Performs the AES-GCM authenticated decryption operation.
173  *
174  * This function first verifies if the authentication tag `auth_tag`
175  * matches the internally generated tag. Upon verification, the
176  * function decrypts the input `ciphertext` to get a `plaintext data.
177  *
178  * The caller should allocate space for the `plaintext` buffer,
179  * (same length as ciphertext), and set the length of expected output
180  * in the `len` field of `plaintext`. If the user-set length and the
181  * output length does not match, an error message will be returned.
182  *
183  * The caller must check the `success` argument before operating on
184  * `plaintext`. If the authentication check fails, then `plaintext` should not
185  * be used and there are no guarantees about its contents.
186  *
187  * @param key Pointer to the blinded gcm-key struct.
188  * @param ciphertext Input data to be decrypted.
189  * @param iv Initialization vector for the decryption function.
190  * @param aad Additional authenticated data.
191  * @param tag_len Length of authentication tag to be generated.
192  * @param auth_tag Authentication tag to be verified.
193  * @param[out] plaintext Decrypted plaintext data, same len as input data.
194  * @param[out] success True if the authentication check passed, otherwise false.
195  * @return Result of the authenticated decryption.
196  * operation
197  */
198 otcrypto_status_t otcrypto_aes_gcm_decrypt(
199  const otcrypto_blinded_key_t *key, otcrypto_const_byte_buf_t ciphertext,
200  otcrypto_const_word32_buf_t iv, otcrypto_const_byte_buf_t aad,
201  otcrypto_aes_gcm_tag_len_t tag_len, otcrypto_const_word32_buf_t auth_tag,
202  otcrypto_byte_buf_t plaintext, hardened_bool_t *success);
203 
204 /**
205  * Initializes the AES-GCM authenticated encryption operation.
206  *
207  * The order of operations for encryption is:
208  * - `otcrypto_aes_gcm_encrypt_init()` called once
209  * - `otcrypto_aes_gcm_update_aad()` called zero or more times
210  * - `otcrypto_aes_gcm_update_encrypted_data()` called zero or more times
211  * - `otcrypto_aes_gcm_encrypt_final()` called once
212  *
213  * Associated data must be added first, before encrypted data; the caller may
214  * not call `otcrypto_aes_gcm_udpate_aad()` after the first call to
215  * `otcrypto_aes_gcm_update_encrypted_data()`.
216  *
217  * The resulting AES-GCM context will include pointers into the keyblob of the
218  * blinded key. It is important that the blinded key (or at least the keyblob)
219  * remains live as long as `ctx` is. The IV is safe to free.
220  *
221  * @param key Pointer to the blinded key struct.
222  * @param iv Initialization vector for the encryption function.
223  * @param[out] ctx Context object for the operation.
224  * @return Result of the initialization operation.
225  */
226 otcrypto_status_t otcrypto_aes_gcm_encrypt_init(
227  const otcrypto_blinded_key_t *key, otcrypto_const_word32_buf_t iv,
228  otcrypto_aes_gcm_context_t *ctx);
229 
230 /**
231  * Initializes the AES-GCM authenticated decryption operation.
232  *
233  * The order of operations for decryption is:
234  * - `otcrypto_aes_gcm_decrypt_init()` called once
235  * - `otcrypto_aes_gcm_update_aad()` called zero or more times
236  * - `otcrypto_aes_gcm_update_encrypted_data()` called zero or more times
237  * - `otcrypto_aes_gcm_decrypt_final()` called once
238  *
239  * Associated data must be added first, before encrypted data; the caller may
240  * not call `otcrypto_aes_gcm_udpate_aad()` after the first call to
241  * `otcrypto_aes_gcm_update_encrypted_data()`.
242  *
243  * The resulting AES-GCM context will include pointers into the keyblob of the
244  * blinded key. It is important that the blinded key (or at least the keyblob)
245  * remains live as long as `ctx` is. The IV is safe to free.
246  *
247  * IMPORTANT: Although this routine produces decrypted data incrementally, it
248  * is the caller's responsibility to ensure that they do not trust the
249  * decrypted data until the tag check passes.
250  *
251  * @param key Pointer to the blinded key struct.
252  * @param iv Initialization vector for the decryption function.
253  * @param[out] ctx Context object for the operation.
254  * @return Result of the initialization operation.
255  */
256 otcrypto_status_t otcrypto_aes_gcm_decrypt_init(
257  const otcrypto_blinded_key_t *key, otcrypto_const_word32_buf_t iv,
258  otcrypto_aes_gcm_context_t *ctx);
259 /**
260  * Updates additional authenticated data for an AES-GCM operation.
261  *
262  * May be used for either encryption or decryption. Call
263  * `otcrypto_aes_gcm_encrypt_init` or `otcrypto_aes_gcm_decrypt_init` first.
264  *
265  * @param ctx Context object for the operation, updated in place.
266  * @param aad Additional authenticated data.
267  * @return Result of the update operation.
268  */
269 otcrypto_status_t otcrypto_aes_gcm_update_aad(otcrypto_aes_gcm_context_t *ctx,
270  otcrypto_const_byte_buf_t aad);
271 
272 /**
273  * Updates authenticated-and-encrypted data for an AES-GCM operation.
274  *
275  * May be used for either encryption or decryption. Call
276  * `otcrypto_aes_gcm_encrypt_init` or `otcrypto_aes_gcm_decrypt_init` first.
277  *
278  * The caller should allocate space for the output and set the `len` field
279  * accordingly.
280  *
281  * For encryption, `input` is the plaintext and `output` is the ciphertext; for
282  * decryption, they are reversed. The output must always be long enough to
283  * store all full 128-bit blocks of encrypted data received so far minus all
284  * output produced so far; rounding the input length to the next 128-bit
285  * boundary is always enough, but if the caller knows the exact byte-length of
286  * input so far they can calculate it exactly. Returns an error if `output` is
287  * not long enough; if `output` is overly long, only the first
288  * `output_bytes_written` bytes will be used.
289  *
290  * @param ctx Context object for the operation, updated in place.
291  * @param input Plaintext for encryption, ciphertext for decryption.
292  * @param[out] output Ciphertext for encryption, plaintext for decryption.
293  * @param[out] output_bytes_written Number of bytes written to `output`.
294  * @return Result of the update operation.
295  */
296 otcrypto_status_t otcrypto_aes_gcm_update_encrypted_data(
297  otcrypto_aes_gcm_context_t *ctx, otcrypto_const_byte_buf_t input,
298  otcrypto_byte_buf_t output, size_t *output_bytes_written);
299 
300 /**
301  * Finishes the AES-GCM authenticated encryption operation.
302  *
303  * Processes any remaining plaintext from the context and computes the
304  * authentication tag and up to 1 block of ciphertext.
305  *
306  * The caller should allocate space for the ciphertext and tag buffers and set
307  * the `len` fields accordingly. This function returns the
308  * `ciphertext_bytes_written` parameter with the number of bytes written to
309  * `ciphertext`, which is always either 16 or 0. This function returns an error
310  * if the ciphertext or tag buffer is not long enough.
311  *
312  * @param ctx Context object for the operation.
313  * @param tag_len Length of authentication tag to be generated.
314  * @param[out] ciphertext Encrypted output data.
315  * @param[out] ciphertext_bytes_written Number of bytes written to `ciphertext`.
316  * @param[out] auth_tag Generated authentication tag.
317  * @return Result of the final operation.
318  */
319 otcrypto_status_t otcrypto_aes_gcm_encrypt_final(
320  otcrypto_aes_gcm_context_t *ctx, otcrypto_aes_gcm_tag_len_t tag_len,
321  otcrypto_byte_buf_t ciphertext, size_t *ciphertext_bytes_written,
322  otcrypto_word32_buf_t auth_tag);
323 
324 /**
325  * Finishes the AES-GCM authenticated decryption operation.
326  *
327  * Processes any remaining ciphertext from the context and computes the
328  * authentication tag and up to 1 block of plaintext.
329  *
330  * The caller should allocate space for the plaintext buffer and set the `len`
331  * field accordingly. This function returns the `ciphertext_bytes_written`
332  * parameter with the number of bytes written to `ciphertext`. This function
333  * returns an error if the plaintext buffer is not long enough.
334  *
335  * IMPORTANT: the caller must check both the returned status and the `success`
336  * parameter to know if the tag is valid. The returned status may be OK even if
337  * the tag check did not succeed, if there were no errors during processing.
338  *
339  * @param ctx Context object for the operation.
340  * @param auth_tag Authentication tag to check.
341  * @param tag_len Length of authentication tag.
342  * @param[out] plaintext Decrypted output data.
343  * @param[out] plaintext_bytes_written Number of bytes written to `plaintext`.
344  * @param[out] success Whether the tag passed verification.
345  * @return Result of the final operation.
346  */
347 otcrypto_status_t otcrypto_aes_gcm_decrypt_final(
348  otcrypto_aes_gcm_context_t *ctx, otcrypto_const_word32_buf_t auth_tag,
349  otcrypto_aes_gcm_tag_len_t tag_len, otcrypto_byte_buf_t plaintext,
350  size_t *plaintext_bytes_written, hardened_bool_t *success);
351 
352 /**
353  * Returns the length that the blinded key will have once wrapped.
354  *
355  * @param config Key configuration.
356  * @param[out] wrapped_num_words Number of 32b words for the wrapped key.
357  * @return Result of the operation.
358  */
359 otcrypto_status_t otcrypto_aes_kwp_wrapped_len(
360  const otcrypto_key_config_t config, size_t *wrapped_num_words);
361 
362 /**
363  * Performs the cryptographic key wrapping operation.
364  *
365  * This key wrap function takes an input key `key_to_wrap` and using
366  * the encryption key `key_kek` outputs a wrapped key `wrapped_key`.
367  *
368  * The caller should allocate space for the `wrapped_key` buffer according to
369  * `otcrypto_aes_kwp_wrapped_len`., and set the length of expected output
370  * in the `len` field of `wrapped_key`. If the user-set length and the
371  * output length do not match, an error message will be returned.
372  *
373  * The blinded key struct to wrap must be 32-bit aligned.
374  *
375  * @param key_to_wrap Pointer to the blinded key to be wrapped.
376  * @param key_kek Input Pointer to the blinded encryption key.
377  * @param[out] wrapped_key Pointer to the output wrapped key.
378  * @return Result of the aes-kwp wrap operation.
379  */
380 otcrypto_status_t otcrypto_aes_kwp_wrap(
381  const otcrypto_blinded_key_t *key_to_wrap,
382  const otcrypto_blinded_key_t *key_kek, otcrypto_word32_buf_t wrapped_key);
383 
384 /**
385  * Performs the cryptographic key unwrapping operation.
386  *
387  * This key unwrap function takes a wrapped key `wrapped_key` and using
388  * encryption key `key_kek` outputs an unwrapped key `unwrapped_key`.
389  *
390  * The caller must allocate space for the keyblob and set the keyblob-length
391  * and keyblob fields in `unwrapped_key` accordingly. If there is not enough
392  * space in the keyblob, this function will return an error. Too much space in
393  * the keyblob is okay; this function will write to the first part of the
394  * keyblob buffer and set the keyblob length field to the correct exact value
395  * for the unwrapped key, at which point it is safe to check the new length and
396  * free the remaining keyblob memory. It is always safe to allocate a keyblob
397  * the same size as the wrapped key; this will always be enough space by
398  * definition.
399  *
400  * The caller does not need to populate the blinded key configuration, since
401  * this information is encrypted along with the key. However, the caller may
402  * want to check that the configuration matches expectations.
403  *
404  * An OK status from this function does NOT necessarily mean that unwrapping
405  * succeeded; the caller must check both the returned status and the `success`
406  * parameter before reading the unwrapped key.
407  *
408  * @param wrapped_key Pointer to the input wrapped key.
409  * @param key_kek Input Pointer to the blinded encryption key.
410  * @param[out] success Whether the wrapped key was valid.
411  * @param[out] unwrapped_key Pointer to the output unwrapped key struct.
412  * @return Result of the aes-kwp unwrap operation.
413  */
414 otcrypto_status_t otcrypto_aes_kwp_unwrap(
415  otcrypto_const_word32_buf_t wrapped_key,
416  const otcrypto_blinded_key_t *key_kek, hardened_bool_t *success,
417  otcrypto_blinded_key_t *unwrapped_key);
418 
419 #ifdef __cplusplus
420 } // extern "C"
421 #endif // __cplusplus
422 
423 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_INCLUDE_AES_H_
Return to OpenTitan Documentation