1*3d3b0591SJens Wiklander /* SPDX-License-Identifier: Apache-2.0 */ 2*3d3b0591SJens Wiklander /** 3*3d3b0591SJens Wiklander * \file chacha20.h 4*3d3b0591SJens Wiklander * 5*3d3b0591SJens Wiklander * \brief This file contains ChaCha20 definitions and functions. 6*3d3b0591SJens Wiklander * 7*3d3b0591SJens Wiklander * ChaCha20 is a stream cipher that can encrypt and decrypt 8*3d3b0591SJens Wiklander * information. ChaCha was created by Daniel Bernstein as a variant of 9*3d3b0591SJens Wiklander * its Salsa cipher https://cr.yp.to/chacha/chacha-20080128.pdf 10*3d3b0591SJens Wiklander * ChaCha20 is the variant with 20 rounds, that was also standardized 11*3d3b0591SJens Wiklander * in RFC 7539. 12*3d3b0591SJens Wiklander * 13*3d3b0591SJens Wiklander * \author Daniel King <damaki.gh@gmail.com> 14*3d3b0591SJens Wiklander */ 15*3d3b0591SJens Wiklander 16*3d3b0591SJens Wiklander /* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved. 17*3d3b0591SJens Wiklander * 18*3d3b0591SJens Wiklander * Licensed under the Apache License, Version 2.0 (the "License"); you may 19*3d3b0591SJens Wiklander * not use this file except in compliance with the License. 20*3d3b0591SJens Wiklander * You may obtain a copy of the License at 21*3d3b0591SJens Wiklander * 22*3d3b0591SJens Wiklander * http://www.apache.org/licenses/LICENSE-2.0 23*3d3b0591SJens Wiklander * 24*3d3b0591SJens Wiklander * Unless required by applicable law or agreed to in writing, software 25*3d3b0591SJens Wiklander * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 26*3d3b0591SJens Wiklander * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 27*3d3b0591SJens Wiklander * See the License for the specific language governing permissions and 28*3d3b0591SJens Wiklander * limitations under the License. 29*3d3b0591SJens Wiklander * 30*3d3b0591SJens Wiklander * This file is part of Mbed TLS (https://tls.mbed.org) 31*3d3b0591SJens Wiklander */ 32*3d3b0591SJens Wiklander 33*3d3b0591SJens Wiklander #ifndef MBEDTLS_CHACHA20_H 34*3d3b0591SJens Wiklander #define MBEDTLS_CHACHA20_H 35*3d3b0591SJens Wiklander 36*3d3b0591SJens Wiklander #if !defined(MBEDTLS_CONFIG_FILE) 37*3d3b0591SJens Wiklander #include "config.h" 38*3d3b0591SJens Wiklander #else 39*3d3b0591SJens Wiklander #include MBEDTLS_CONFIG_FILE 40*3d3b0591SJens Wiklander #endif 41*3d3b0591SJens Wiklander 42*3d3b0591SJens Wiklander #include <stdint.h> 43*3d3b0591SJens Wiklander #include <stddef.h> 44*3d3b0591SJens Wiklander 45*3d3b0591SJens Wiklander #define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA -0x0051 /**< Invalid input parameter(s). */ 46*3d3b0591SJens Wiklander 47*3d3b0591SJens Wiklander /* MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE is deprecated and should not be 48*3d3b0591SJens Wiklander * used. */ 49*3d3b0591SJens Wiklander #define MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE -0x0053 /**< Feature not available. For example, s part of the API is not implemented. */ 50*3d3b0591SJens Wiklander 51*3d3b0591SJens Wiklander /* MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED is deprecated and should not be used. 52*3d3b0591SJens Wiklander */ 53*3d3b0591SJens Wiklander #define MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED -0x0055 /**< Chacha20 hardware accelerator failed. */ 54*3d3b0591SJens Wiklander 55*3d3b0591SJens Wiklander #ifdef __cplusplus 56*3d3b0591SJens Wiklander extern "C" { 57*3d3b0591SJens Wiklander #endif 58*3d3b0591SJens Wiklander 59*3d3b0591SJens Wiklander #if !defined(MBEDTLS_CHACHA20_ALT) 60*3d3b0591SJens Wiklander 61*3d3b0591SJens Wiklander typedef struct mbedtls_chacha20_context 62*3d3b0591SJens Wiklander { 63*3d3b0591SJens Wiklander uint32_t state[16]; /*! The state (before round operations). */ 64*3d3b0591SJens Wiklander uint8_t keystream8[64]; /*! Leftover keystream bytes. */ 65*3d3b0591SJens Wiklander size_t keystream_bytes_used; /*! Number of keystream bytes already used. */ 66*3d3b0591SJens Wiklander } 67*3d3b0591SJens Wiklander mbedtls_chacha20_context; 68*3d3b0591SJens Wiklander 69*3d3b0591SJens Wiklander #else /* MBEDTLS_CHACHA20_ALT */ 70*3d3b0591SJens Wiklander #include "chacha20_alt.h" 71*3d3b0591SJens Wiklander #endif /* MBEDTLS_CHACHA20_ALT */ 72*3d3b0591SJens Wiklander 73*3d3b0591SJens Wiklander /** 74*3d3b0591SJens Wiklander * \brief This function initializes the specified ChaCha20 context. 75*3d3b0591SJens Wiklander * 76*3d3b0591SJens Wiklander * It must be the first API called before using 77*3d3b0591SJens Wiklander * the context. 78*3d3b0591SJens Wiklander * 79*3d3b0591SJens Wiklander * It is usually followed by calls to 80*3d3b0591SJens Wiklander * \c mbedtls_chacha20_setkey() and 81*3d3b0591SJens Wiklander * \c mbedtls_chacha20_starts(), then one or more calls to 82*3d3b0591SJens Wiklander * to \c mbedtls_chacha20_update(), and finally to 83*3d3b0591SJens Wiklander * \c mbedtls_chacha20_free(). 84*3d3b0591SJens Wiklander * 85*3d3b0591SJens Wiklander * \param ctx The ChaCha20 context to initialize. 86*3d3b0591SJens Wiklander * This must not be \c NULL. 87*3d3b0591SJens Wiklander */ 88*3d3b0591SJens Wiklander void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx ); 89*3d3b0591SJens Wiklander 90*3d3b0591SJens Wiklander /** 91*3d3b0591SJens Wiklander * \brief This function releases and clears the specified 92*3d3b0591SJens Wiklander * ChaCha20 context. 93*3d3b0591SJens Wiklander * 94*3d3b0591SJens Wiklander * \param ctx The ChaCha20 context to clear. This may be \c NULL, 95*3d3b0591SJens Wiklander * in which case this function is a no-op. If it is not 96*3d3b0591SJens Wiklander * \c NULL, it must point to an initialized context. 97*3d3b0591SJens Wiklander * 98*3d3b0591SJens Wiklander */ 99*3d3b0591SJens Wiklander void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx ); 100*3d3b0591SJens Wiklander 101*3d3b0591SJens Wiklander /** 102*3d3b0591SJens Wiklander * \brief This function sets the encryption/decryption key. 103*3d3b0591SJens Wiklander * 104*3d3b0591SJens Wiklander * \note After using this function, you must also call 105*3d3b0591SJens Wiklander * \c mbedtls_chacha20_starts() to set a nonce before you 106*3d3b0591SJens Wiklander * start encrypting/decrypting data with 107*3d3b0591SJens Wiklander * \c mbedtls_chacha_update(). 108*3d3b0591SJens Wiklander * 109*3d3b0591SJens Wiklander * \param ctx The ChaCha20 context to which the key should be bound. 110*3d3b0591SJens Wiklander * It must be initialized. 111*3d3b0591SJens Wiklander * \param key The encryption/decryption key. This must be \c 32 Bytes 112*3d3b0591SJens Wiklander * in length. 113*3d3b0591SJens Wiklander * 114*3d3b0591SJens Wiklander * \return \c 0 on success. 115*3d3b0591SJens Wiklander * \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or key is NULL. 116*3d3b0591SJens Wiklander */ 117*3d3b0591SJens Wiklander int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx, 118*3d3b0591SJens Wiklander const unsigned char key[32] ); 119*3d3b0591SJens Wiklander 120*3d3b0591SJens Wiklander /** 121*3d3b0591SJens Wiklander * \brief This function sets the nonce and initial counter value. 122*3d3b0591SJens Wiklander * 123*3d3b0591SJens Wiklander * \note A ChaCha20 context can be re-used with the same key by 124*3d3b0591SJens Wiklander * calling this function to change the nonce. 125*3d3b0591SJens Wiklander * 126*3d3b0591SJens Wiklander * \warning You must never use the same nonce twice with the same key. 127*3d3b0591SJens Wiklander * This would void any confidentiality guarantees for the 128*3d3b0591SJens Wiklander * messages encrypted with the same nonce and key. 129*3d3b0591SJens Wiklander * 130*3d3b0591SJens Wiklander * \param ctx The ChaCha20 context to which the nonce should be bound. 131*3d3b0591SJens Wiklander * It must be initialized and bound to a key. 132*3d3b0591SJens Wiklander * \param nonce The nonce. This must be \c 12 Bytes in size. 133*3d3b0591SJens Wiklander * \param counter The initial counter value. This is usually \c 0. 134*3d3b0591SJens Wiklander * 135*3d3b0591SJens Wiklander * \return \c 0 on success. 136*3d3b0591SJens Wiklander * \return #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or nonce is 137*3d3b0591SJens Wiklander * NULL. 138*3d3b0591SJens Wiklander */ 139*3d3b0591SJens Wiklander int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx, 140*3d3b0591SJens Wiklander const unsigned char nonce[12], 141*3d3b0591SJens Wiklander uint32_t counter ); 142*3d3b0591SJens Wiklander 143*3d3b0591SJens Wiklander /** 144*3d3b0591SJens Wiklander * \brief This function encrypts or decrypts data. 145*3d3b0591SJens Wiklander * 146*3d3b0591SJens Wiklander * Since ChaCha20 is a stream cipher, the same operation is 147*3d3b0591SJens Wiklander * used for encrypting and decrypting data. 148*3d3b0591SJens Wiklander * 149*3d3b0591SJens Wiklander * \note The \p input and \p output pointers must either be equal or 150*3d3b0591SJens Wiklander * point to non-overlapping buffers. 151*3d3b0591SJens Wiklander * 152*3d3b0591SJens Wiklander * \note \c mbedtls_chacha20_setkey() and 153*3d3b0591SJens Wiklander * \c mbedtls_chacha20_starts() must be called at least once 154*3d3b0591SJens Wiklander * to setup the context before this function can be called. 155*3d3b0591SJens Wiklander * 156*3d3b0591SJens Wiklander * \note This function can be called multiple times in a row in 157*3d3b0591SJens Wiklander * order to encrypt of decrypt data piecewise with the same 158*3d3b0591SJens Wiklander * key and nonce. 159*3d3b0591SJens Wiklander * 160*3d3b0591SJens Wiklander * \param ctx The ChaCha20 context to use for encryption or decryption. 161*3d3b0591SJens Wiklander * It must be initialized and bound to a key and nonce. 162*3d3b0591SJens Wiklander * \param size The length of the input data in Bytes. 163*3d3b0591SJens Wiklander * \param input The buffer holding the input data. 164*3d3b0591SJens Wiklander * This pointer can be \c NULL if `size == 0`. 165*3d3b0591SJens Wiklander * \param output The buffer holding the output data. 166*3d3b0591SJens Wiklander * This must be able to hold \p size Bytes. 167*3d3b0591SJens Wiklander * This pointer can be \c NULL if `size == 0`. 168*3d3b0591SJens Wiklander * 169*3d3b0591SJens Wiklander * \return \c 0 on success. 170*3d3b0591SJens Wiklander * \return A negative error code on failure. 171*3d3b0591SJens Wiklander */ 172*3d3b0591SJens Wiklander int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx, 173*3d3b0591SJens Wiklander size_t size, 174*3d3b0591SJens Wiklander const unsigned char *input, 175*3d3b0591SJens Wiklander unsigned char *output ); 176*3d3b0591SJens Wiklander 177*3d3b0591SJens Wiklander /** 178*3d3b0591SJens Wiklander * \brief This function encrypts or decrypts data with ChaCha20 and 179*3d3b0591SJens Wiklander * the given key and nonce. 180*3d3b0591SJens Wiklander * 181*3d3b0591SJens Wiklander * Since ChaCha20 is a stream cipher, the same operation is 182*3d3b0591SJens Wiklander * used for encrypting and decrypting data. 183*3d3b0591SJens Wiklander * 184*3d3b0591SJens Wiklander * \warning You must never use the same (key, nonce) pair more than 185*3d3b0591SJens Wiklander * once. This would void any confidentiality guarantees for 186*3d3b0591SJens Wiklander * the messages encrypted with the same nonce and key. 187*3d3b0591SJens Wiklander * 188*3d3b0591SJens Wiklander * \note The \p input and \p output pointers must either be equal or 189*3d3b0591SJens Wiklander * point to non-overlapping buffers. 190*3d3b0591SJens Wiklander * 191*3d3b0591SJens Wiklander * \param key The encryption/decryption key. 192*3d3b0591SJens Wiklander * This must be \c 32 Bytes in length. 193*3d3b0591SJens Wiklander * \param nonce The nonce. This must be \c 12 Bytes in size. 194*3d3b0591SJens Wiklander * \param counter The initial counter value. This is usually \c 0. 195*3d3b0591SJens Wiklander * \param size The length of the input data in Bytes. 196*3d3b0591SJens Wiklander * \param input The buffer holding the input data. 197*3d3b0591SJens Wiklander * This pointer can be \c NULL if `size == 0`. 198*3d3b0591SJens Wiklander * \param output The buffer holding the output data. 199*3d3b0591SJens Wiklander * This must be able to hold \p size Bytes. 200*3d3b0591SJens Wiklander * This pointer can be \c NULL if `size == 0`. 201*3d3b0591SJens Wiklander * 202*3d3b0591SJens Wiklander * \return \c 0 on success. 203*3d3b0591SJens Wiklander * \return A negative error code on failure. 204*3d3b0591SJens Wiklander */ 205*3d3b0591SJens Wiklander int mbedtls_chacha20_crypt( const unsigned char key[32], 206*3d3b0591SJens Wiklander const unsigned char nonce[12], 207*3d3b0591SJens Wiklander uint32_t counter, 208*3d3b0591SJens Wiklander size_t size, 209*3d3b0591SJens Wiklander const unsigned char* input, 210*3d3b0591SJens Wiklander unsigned char* output ); 211*3d3b0591SJens Wiklander 212*3d3b0591SJens Wiklander #if defined(MBEDTLS_SELF_TEST) 213*3d3b0591SJens Wiklander /** 214*3d3b0591SJens Wiklander * \brief The ChaCha20 checkup routine. 215*3d3b0591SJens Wiklander * 216*3d3b0591SJens Wiklander * \return \c 0 on success. 217*3d3b0591SJens Wiklander * \return \c 1 on failure. 218*3d3b0591SJens Wiklander */ 219*3d3b0591SJens Wiklander int mbedtls_chacha20_self_test( int verbose ); 220*3d3b0591SJens Wiklander #endif /* MBEDTLS_SELF_TEST */ 221*3d3b0591SJens Wiklander 222*3d3b0591SJens Wiklander #ifdef __cplusplus 223*3d3b0591SJens Wiklander } 224*3d3b0591SJens Wiklander #endif 225*3d3b0591SJens Wiklander 226*3d3b0591SJens Wiklander #endif /* MBEDTLS_CHACHA20_H */ 227