1/*
2 * ccmode_siv.h
3 * corecrypto
4 *
5 * Created on 11/13/2015
6 *
7 * Copyright (c) 2015 Apple Inc. All rights reserved.
8 *
9 */
10
11#ifndef _CORECRYPTO_CCMODE_SIV_H_
12#define _CORECRYPTO_CCMODE_SIV_H_
13
14#include <corecrypto/cc.h>
15#include <corecrypto/ccmode.h>
16#include <corecrypto/ccmode_impl.h>
17
18#include <corecrypto/cccmac.h>
19
20/* This provide an implementation of SIV
21 as specified in https://tools.ietf.org/html/rfc5297
22 also in http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/siv/siv.pdf
23 Counter Mode where IV is based on CMAC
24 */
25
26cc_aligned_struct(16) ccsiv_ctx;
27
28struct ccmode_siv {
29 size_t size; /* first argument to ccsiv_ctx_decl(). */
30 size_t block_size;
31 int (*init)(const struct ccmode_siv *siv, ccsiv_ctx *ctx,
32 size_t key_len, const uint8_t *key);
33 int (*set_nonce)(ccsiv_ctx *ctx, size_t nbytes, const uint8_t *in); // could just be ccm with NULL out
34 int (*auth)(ccsiv_ctx *ctx, size_t nbytes, const uint8_t *in); // could just be ccm with NULL out
35 int (*crypt)(ccsiv_ctx *ctx, size_t nbytes, const uint8_t *in, uint8_t *out);
36 int (*reset)(ccsiv_ctx *ctx);
37 const struct ccmode_cbc *cbc;
38 const struct ccmode_ctr *ctr;
39};
40
41#define ccsiv_ctx_decl(_size_, _name_) cc_ctx_decl(ccsiv_ctx, _size_, _name_)
42#define ccsiv_ctx_clear(_size_, _name_) cc_clear(_size_, _name_)
43
44// Functions
45
46CC_INLINE size_t ccsiv_context_size(const struct ccmode_siv *mode)
47{
48 return mode->size;
49}
50
51CC_INLINE size_t ccsiv_block_size(const struct ccmode_siv *mode)
52{
53 return mode->block_size;
54}
55
56CC_INLINE size_t ccsiv_ciphertext_size(const struct ccmode_siv *mode,
57 size_t plaintext_size)
58{
59 return plaintext_size+mode->cbc->block_size;
60}
61
62CC_INLINE size_t ccsiv_plaintext_size(const struct ccmode_siv *mode,
63 size_t ciphertext_size)
64{
65 if (ciphertext_size<mode->cbc->block_size) {
66 return 0; // error
67 }
68 return ciphertext_size-mode->cbc->block_size;
69}
70
71// Supported key sizes are 32, 48, 64 bytes
72CC_INLINE int ccsiv_init(const struct ccmode_siv *mode, ccsiv_ctx *ctx,
73 size_t key_byte_len, const uint8_t *key)
74{
75 return mode->init(mode, ctx, key_byte_len, key);
76}
77
78// Process nonce. it is actually just an authenticated data
79CC_INLINE int ccsiv_set_nonce(const struct ccmode_siv *mode, ccsiv_ctx *ctx,
80 size_t nbytes, const uint8_t *in)
81{
82 return mode->set_nonce(ctx, nbytes, in);
83}
84
85// Process authenticated data. Taken into account for authentication but not
86// encrypted
87CC_INLINE int ccsiv_aad(const struct ccmode_siv *mode, ccsiv_ctx *ctx,
88 size_t nbytes, const uint8_t *in)
89{
90 return mode->auth(ctx, nbytes, in);
91}
92
93// Encryption data. Authenticated and encrypted.
94// Encrypt/Decrypt can only be called once
95CC_INLINE int ccsiv_crypt(const struct ccmode_siv *mode, ccsiv_ctx *ctx,
96 size_t nbytes, const uint8_t *in, uint8_t *out)
97{
98 return mode->crypt(ctx, nbytes, in, out);
99}
100
101// Clear all context for reuse.
102// Key is clear to avoid leaking it
103CC_INLINE int ccsiv_reset(const struct ccmode_siv *mode, ccsiv_ctx *ctx)
104{
105 return mode->reset(ctx);
106}
107
108// One shot with only one vector of adata
109CC_INLINE int ccsiv_one_shot(const struct ccmode_siv *mode,
110 size_t key_len, const uint8_t *key,
111 unsigned nonce_nbytes, const uint8_t* nonce,
112 unsigned adata_nbytes, const uint8_t* adata,
113 size_t in_nbytes, const uint8_t *in, uint8_t *out)
114{
115 int rc;
116 ccsiv_ctx_decl(mode->size, ctx);
117 rc=mode->init(mode, ctx, key_len, key);
118 if (rc) {return rc;}
119 rc=mode->set_nonce(ctx, nonce_nbytes, nonce);
120 if (rc) {return rc;}
121 rc=mode->auth(ctx, adata_nbytes, adata);
122 if (rc) {return rc;}
123 rc=mode->crypt(ctx, in_nbytes, in, out);
124 if (rc) {return rc;}
125 ccsiv_ctx_clear(mode->size, ctx);
126 return rc;
127}
128
129#endif /* _CORECRYPTO_CCMODE_H_ */
130