xref: /xnu-10002.61.3/EXTERNAL_HEADERS/corecrypto/ccmode_siv_hmac.h (revision 0f4c859e951fba394238ab619495c4e1d54d0f34) 
1 /* Copyright (c) (2019-2021) Apple Inc. All rights reserved.
2  *
3  * corecrypto is licensed under Apple Inc.’s Internal Use License Agreement (which
4  * is contained in the License.txt file distributed with corecrypto) and only to
5  * people who accept that license. IMPORTANT:  Any license rights granted to you by
6  * Apple Inc. (if any) are limited to internal use within your organization only on
7  * devices and computers you own or control, for the sole purpose of verifying the
8  * security characteristics and correct functioning of the Apple Software.  You may
9  * not, directly or indirectly, redistribute the Apple Software or any portions thereof.
10  */
11 
12 #ifndef ccmode_siv_hmac_h
13 #define ccmode_siv_hmac_h
14 
15 #include <corecrypto/cc.h>
16 #include <corecrypto/ccmode.h>
17 #include <corecrypto/ccmode_impl.h>
18 #include <corecrypto/ccdigest.h>
19 #include <corecrypto/cchmac.h>
20 #include <corecrypto/ccsha2.h>
21 
22 /* This provides an implementation of SIV using AES CTR mode with HMAC as the MAC,
23  allowing for a tagging mechanism with collision resistant tags. This is a modification of the
24  standard specified in https://tools.ietf.org/html/rfc5297
25  also in http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/siv/siv.pdf
26  Counter Mode where IV is based on HMAC.
27  */
28 
29 cc_aligned_struct(16) ccsiv_hmac_ctx;
30 
31 struct ccmode_siv_hmac {
32     size_t size; /* first argument to ccsiv_hmac_ctx_decl(). */
33     size_t block_size;
34 
35     int (*CC_SPTR(ccmode_siv_hmac, init))(const struct ccmode_siv_hmac *sivhmac,
36                 ccsiv_hmac_ctx *ctx,
37                 size_t key_len,
38                 const uint8_t *key,
39                 const size_t tag_size);
40     int (*CC_SPTR(ccmode_siv_hmac, set_nonce))(ccsiv_hmac_ctx *ctx, size_t nbytes, const uint8_t *in);
41     int (*CC_SPTR(ccmode_siv_hmac, auth))(ccsiv_hmac_ctx *ctx, size_t nbytes, const uint8_t *in);
42     int (*CC_SPTR(ccmode_siv_hmac, crypt))(ccsiv_hmac_ctx *ctx, size_t nbytes, const uint8_t *in, uint8_t *out);
43     int (*CC_SPTR(ccmode_siv_hmac, reset))(ccsiv_hmac_ctx *ctx);
44     const struct ccdigest_info *hmac_digest; // Digest to be used in HMAC;
45     const struct ccmode_ctr *ctr;
46 };
47 
48 #define ccsiv_hmac_ctx_decl(_size_, _name_) cc_ctx_decl_vla(ccsiv_hmac_ctx, _size_, _name_)
49 #define ccsiv_hmac_ctx_clear(_size_, _name_) cc_clear(_size_, _name_)
50 
51 /*!
52  @function   ccsiv_hmac_context_size
53  @abstract   Return size of context
54 
55  @param      mode       Descriptor for the mode
56  */
ccsiv_hmac_context_size(const struct ccmode_siv_hmac * mode)57 CC_INLINE size_t ccsiv_hmac_context_size(const struct ccmode_siv_hmac *mode)
58 {
59     return mode->size;
60 }
61 
62 /*!
63  @function   ccsiv_hmac_block_size
64  @abstract   Return size of context
65 
66  @param      mode       Descriptor for the mode
67  */
ccsiv_hmac_block_size(const struct ccmode_siv_hmac * mode)68 CC_INLINE size_t ccsiv_hmac_block_size(const struct ccmode_siv_hmac *mode)
69 {
70     return mode->block_size;
71 }
72 
73 /*!
74  @function   ccsiv_hmac_ciphertext_size
75  @abstract   Return size of Ciphertext (which is the ciphertext and corresponding tag) given the mode and plaintext length
76 
77  @param      ctx               Current siv_hmac context that has been previously initialized
78  @param      plaintext_size    Size of the plaintext
79 
80  @discussion returns the length of the aead ciphertext that the context will generate which includes both the encrypted plaintext
81  and tag.
82  */
83 size_t ccsiv_hmac_ciphertext_size(ccsiv_hmac_ctx *ctx, size_t plaintext_size);
84 
85 /*!
86  @function   ccsiv_hmac_plaintext_size
87  @abstract   Return size of plaintext given a ciphertext length and mode.
88 
89  @param      ctx               Current siv_hmac context that has been previously initialized
90  @param      ciphertext_size    Size of the ciphertext (which includes the tag)
91 
92  @discussion returns the length of the plaintext which results from the decryption of a ciphertext of the corresponding size (here ciphertext size includes the tag).
93  */
94 size_t ccsiv_hmac_plaintext_size(ccsiv_hmac_ctx *ctx, size_t ciphertext_size);
95 
96 /*!
97  @function   ccsiv_hmac_init
98  @abstract   Initialize a context for siv_hmac with an associated mode, given key and specifying output tag size.
99 
100  @param      mode               Descriptor for the mode
101  @param      ctx                Alocated context to be intialized
102  @param      key_byte_len       Length of the key:  Supported key sizes are 32, 48, 64 bytes
103  @param      key                key for siv_hmac
104  @param      tag_size           The length of the output tag requested. Must be at least 20 bytes, and can be as large as the
105  associated digest's output
106 
107  @discussion In order to  compute HMAC_SIV_Enc_k(a1,...,am, n, x) where ai is the ith piece of associated data, n is a nonce and x
108  is a plaintext, we first initialize the context with this call, and then use it to call ccsiv_hmac_aad for each ai, followed by
109  ccsiv_hmac_set_nonce for nonce n, and finally a call to ccsiv_hmac_crypt for the plaintext x. Note the order of the calls to aad,
110  nonce and then crypt is critical. If a second encryption is needed then a call to ccsiv_hmac_reset can be used to reset state,
111  and begin again.
112  */
113 int ccsiv_hmac_init(const struct ccmode_siv_hmac *mode, ccsiv_hmac_ctx *ctx, size_t key_byte_len, const uint8_t *key, size_t tag_size);
114 
115 /*!
116  @function   ccsiv_hmac_aad
117  @abstract   Add the next piece of associated data to the hmac_siv's computation of the tag. Note this call is optional and no
118  associated data needs to be provided. Multiple pieces of associated data can be provided by multiple calls to this
119  function. Each input is regarded as a separate piece of associated data, and the mac is NOT simply computed on the
120  concatenation of all of the associated data inputs. Therefore on decryption the same inputs must be provided in
121  the same order.
122 
123  @param      mode               Descriptor for the mode
124  @param      ctx                Intialized ctx
125  @param      nbytes             Length of the current associated data being added
126  @param      in                 Associated data to be authenticated.
127 
128  @discussion Adds the associated data given by in to the computation of the tag in the associated data.
129  */
130 int ccsiv_hmac_aad(const struct ccmode_siv_hmac *mode, ccsiv_hmac_ctx *ctx, size_t nbytes, const uint8_t *in);
131 
132 /*!
133  @function   ccsiv_hmac_nonce
134  @abstract   Add the nonce to the hmac_siv's computation of the the tag. Changes the internal state of the context
135  so that after the call only a crypt or reset call is permitted.
136  @param      mode               Descriptor for the mode
137  @param      ctx                Intialized ctx
138  @param      nbytes             Length of the current nonce data being added
139  @param      in                 Nonce data to be authenticated.
140 
141  @discussion The nonce is a special form of authenticated data. If provided ( a call to hmac_nonce is optional) it allows
142  randomization of the ciphertext (preventing deterministic encryption). While the length of the nonce is not limited, the
143  amount of entropy that can be provided is limited by the number of bits in the block of the associated block-cipher in mode.
144  */
145 int ccsiv_hmac_set_nonce(const struct ccmode_siv_hmac *mode, ccsiv_hmac_ctx *ctx, size_t nbytes, const uint8_t *in);
146 
147 /*!
148  @function   ccsiv_hmac_crypt
149  @abstract   Depending on whether mode has been setup to encrypt or decrypt, this function
150  1) Encrypts the plaintext given as input in, and provides the ciphertext (which is a concatenation of the tag
151  followed by the encrypted plaintext) as output out. 2) Decrypts plaintext using the input ciphertext at in (which again is the
152  tag, followed by encrypted plaintext), and then verifies that the computer tag and provided tags match.
153  @param      mode               Descriptor for the mode
154  @param      ctx                Intialized ctx
155  @param      nbytes             Case 1) Length of the current plaintext
156  Case 2) Length of the current ciphertext (tag length + plaintext length)
157  @param      in                 Case 1) Plaintext
158  Case 2) Ciphertext
159  @discussion This function is only called once. If one wishes to compute another (en)/(de)cryption, one resets the state with
160  ccsiv_hmac_reset, and then begins the process again. There is no way to stream large plaintext/ciphertext inputs into the
161  function.
162  @param     out           Case1)  Tag+ Ciphertext (buffer should be already allocated and of length tag + plaintext length)
163                     Case 2) Plaintext (buffer should be already allocated and of length ciphertext - tag length
164 
165  In the case of a decryption, if there is a failure in verifying the computed tag against the provided tag (embedded int he ciphertext), then a decryption/verification
166  failure is returned, and any internally computed plaintexts and tags are zeroed out.
167  Lastly the contexts internal state is reset, so that a new decryption/encryption can be commenced.
168  */
169 int ccsiv_hmac_crypt(const struct ccmode_siv_hmac *mode, ccsiv_hmac_ctx *ctx, size_t nbytes, const uint8_t *in, uint8_t *out);
170 
171 /*!
172  @function   ccsiv_hmac_reset
173  @abstract   Resets the state of the siv_hamc ctx, maintaining the key, but preparing  the
174  ctx to preform a new Associated Data Authenticated (En)/(De)cryption.
175  @param      mode               Descriptor for the mode
176  @param      ctx                Intialized ctx
177  */
178 int ccsiv_hmac_reset(const struct ccmode_siv_hmac *mode, ccsiv_hmac_ctx *ctx);
179 
180 /*!
181  @function   ccsiv_hmac_one_shot
182  @abstract   A simplified but more constrained way of performing an AEAD SIV HMAC (en)/(de)cryption. It is limited because only
183  one piece of associated data may be provided.
184  @param      mode               Descriptor for the mode
185  @param      key_len            Length of the key:  Supported key sizes are 32, 48, 64 bytes
186  @param      key                key for siv_hmac
187  @param      tag_length         The length of the tag to produce or accept as input. Must be at least 20
188  bytes, and can be as large as the hmac's digest's output
189  @param      nonce_nbytes       Length of the current nonce data being added
190  @param      nonce              Nonce data to be authenticated.
191  @param      adata_nbytes       Length of the associated data.
192  @param      adata              Associated data to be authenticated.
193  @param      in_nbytes          Length of either the plaintext (for encryption) or ciphertext (for decryption)
194  @param      in                 plaintext or ciphertext. Note that the ciphertext includes a tag of length tag_length prepended to it.
195  @param      out                Buffer to hold ciphertext/plaintext. (Note Ciphertext is of size plaintext length + tag_length and plaintext is of length ciphertext - tag_length.)
196  */
197 
198 // One shot AEAD with only one input for adata, and a nonce.
199 int ccsiv_hmac_one_shot(const struct ccmode_siv_hmac *mode,
200                                   size_t key_len,
201                                   const uint8_t *key,
202                                   size_t tag_length,
203                                   unsigned nonce_nbytes,
204                                   const uint8_t *nonce,
205                                   unsigned adata_nbytes,
206                                   const uint8_t *adata,
207                                   size_t in_nbytes,
208                                   const uint8_t *in,
209                         uint8_t *out);
210 
211 #endif /* ccmode_siv_hmac_h */
212