File cipher.h

This file contains an abstraction interface for use with the cipher primitives provided by the library. It provides a common interface to all of the available cipher operations.

Author

Adriaan de Jong dejong@fox-it.com

Defines

MBEDTLS_CIPHER_MODE_AEAD

MBEDTLS_CIPHER_MODE_WITH_PADDING

MBEDTLS_CIPHER_MODE_STREAM

MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE

The selected feature is not available.

MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA

Bad input parameters.

MBEDTLS_ERR_CIPHER_ALLOC_FAILED

Failed to allocate memory.

MBEDTLS_ERR_CIPHER_INVALID_PADDING

Input data contains invalid padding and is rejected.

MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED

Decryption of block requires a full block.

MBEDTLS_ERR_CIPHER_AUTH_FAILED

Authentication failed (for AEAD modes).

MBEDTLS_ERR_CIPHER_INVALID_CONTEXT

The context is invalid. For example, because it was freed.

MBEDTLS_CIPHER_VARIABLE_IV_LEN

Cipher accepts IVs of variable length.

MBEDTLS_CIPHER_VARIABLE_KEY_LEN

Cipher accepts keys of variable length.

MBEDTLS_MAX_IV_LENGTH

Maximum length of any IV, in Bytes.

MBEDTLS_MAX_BLOCK_LENGTH

Maximum block size of any cipher, in Bytes.

MBEDTLS_MAX_KEY_LENGTH

Maximum key length, in Bytes.

MBEDTLS_KEY_BITLEN_SHIFT

MBEDTLS_IV_SIZE_SHIFT

Typedefs

typedef struct mbedtls_cipher_base_t mbedtls_cipher_base_t

Base cipher information (opaque struct).

typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t

CMAC context (opaque struct).

typedef struct mbedtls_cipher_info_t mbedtls_cipher_info_t

Cipher information. Allows calling cipher functions in a generic way.

Note

The library does not support custom cipher info structures, only built-in structures returned by the functions mbedtls_cipher_info_from_string(), mbedtls_cipher_info_from_type(), mbedtls_cipher_info_from_values(), mbedtls_cipher_info_from_psa().

Note

Some fields store a value that has been right-shifted to save code-size, so should not be used directly. The accessor functions adjust for this and return the “natural” value.

typedef struct mbedtls_cipher_context_t mbedtls_cipher_context_t

Generic cipher context.

Enums

enum mbedtls_cipher_id_t

Supported cipher types.

Warning

DES/3DES are considered weak ciphers and their use constitutes a security risk. We recommend considering stronger ciphers instead.

Values:

enumerator MBEDTLS_CIPHER_ID_NONE

Placeholder to mark the end of cipher ID lists.

enumerator MBEDTLS_CIPHER_ID_NULL

The identity cipher, treated as a stream cipher.

enumerator MBEDTLS_CIPHER_ID_AES

The AES cipher.

enumerator MBEDTLS_CIPHER_ID_DES

The DES cipher.

Warning

DES is considered weak.

enumerator MBEDTLS_CIPHER_ID_3DES

The Triple DES cipher.

Warning

3DES is considered weak.

enumerator MBEDTLS_CIPHER_ID_CAMELLIA

The Camellia cipher.

enumerator MBEDTLS_CIPHER_ID_ARIA

The Aria cipher.

enumerator MBEDTLS_CIPHER_ID_CHACHA20

The ChaCha20 cipher.

enum mbedtls_cipher_type_t

Supported {cipher type, cipher mode} pairs.

Warning

DES/3DES are considered weak ciphers and their use constitutes a security risk. We recommend considering stronger ciphers instead.

Values:

enumerator MBEDTLS_CIPHER_NONE

Placeholder to mark the end of cipher-pair lists.

enumerator MBEDTLS_CIPHER_NULL

The identity stream cipher.

enumerator MBEDTLS_CIPHER_AES_128_ECB

AES cipher with 128-bit ECB mode.

enumerator MBEDTLS_CIPHER_AES_192_ECB

AES cipher with 192-bit ECB mode.

enumerator MBEDTLS_CIPHER_AES_256_ECB

AES cipher with 256-bit ECB mode.

enumerator MBEDTLS_CIPHER_AES_128_CBC

AES cipher with 128-bit CBC mode.

enumerator MBEDTLS_CIPHER_AES_192_CBC

AES cipher with 192-bit CBC mode.

enumerator MBEDTLS_CIPHER_AES_256_CBC

AES cipher with 256-bit CBC mode.

enumerator MBEDTLS_CIPHER_AES_128_CFB128

AES cipher with 128-bit CFB128 mode.

enumerator MBEDTLS_CIPHER_AES_192_CFB128

AES cipher with 192-bit CFB128 mode.

enumerator MBEDTLS_CIPHER_AES_256_CFB128

AES cipher with 256-bit CFB128 mode.

enumerator MBEDTLS_CIPHER_AES_128_CTR

AES cipher with 128-bit CTR mode.

enumerator MBEDTLS_CIPHER_AES_192_CTR

AES cipher with 192-bit CTR mode.

enumerator MBEDTLS_CIPHER_AES_256_CTR

AES cipher with 256-bit CTR mode.

enumerator MBEDTLS_CIPHER_AES_128_GCM

AES cipher with 128-bit GCM mode.

enumerator MBEDTLS_CIPHER_AES_192_GCM

AES cipher with 192-bit GCM mode.

enumerator MBEDTLS_CIPHER_AES_256_GCM

AES cipher with 256-bit GCM mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_128_ECB

Camellia cipher with 128-bit ECB mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_192_ECB

Camellia cipher with 192-bit ECB mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_256_ECB

Camellia cipher with 256-bit ECB mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_128_CBC

Camellia cipher with 128-bit CBC mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_192_CBC

Camellia cipher with 192-bit CBC mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_256_CBC

Camellia cipher with 256-bit CBC mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_128_CFB128

Camellia cipher with 128-bit CFB128 mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_192_CFB128

Camellia cipher with 192-bit CFB128 mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_256_CFB128

Camellia cipher with 256-bit CFB128 mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_128_CTR

Camellia cipher with 128-bit CTR mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_192_CTR

Camellia cipher with 192-bit CTR mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_256_CTR

Camellia cipher with 256-bit CTR mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_128_GCM

Camellia cipher with 128-bit GCM mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_192_GCM

Camellia cipher with 192-bit GCM mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_256_GCM

Camellia cipher with 256-bit GCM mode.

enumerator MBEDTLS_CIPHER_DES_ECB

DES cipher with ECB mode.

Warning

DES is considered weak.

enumerator MBEDTLS_CIPHER_DES_CBC

DES cipher with CBC mode.

Warning

DES is considered weak.

enumerator MBEDTLS_CIPHER_DES_EDE_ECB

DES cipher with EDE ECB mode.

Warning

3DES is considered weak.

enumerator MBEDTLS_CIPHER_DES_EDE_CBC

DES cipher with EDE CBC mode.

Warning

3DES is considered weak.

enumerator MBEDTLS_CIPHER_DES_EDE3_ECB

DES cipher with EDE3 ECB mode.

Warning

3DES is considered weak.

enumerator MBEDTLS_CIPHER_DES_EDE3_CBC

DES cipher with EDE3 CBC mode.

Warning

3DES is considered weak.

enumerator MBEDTLS_CIPHER_AES_128_CCM

AES cipher with 128-bit CCM mode.

enumerator MBEDTLS_CIPHER_AES_192_CCM

AES cipher with 192-bit CCM mode.

enumerator MBEDTLS_CIPHER_AES_256_CCM

AES cipher with 256-bit CCM mode.

enumerator MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG

AES cipher with 128-bit CCM_STAR_NO_TAG mode.

enumerator MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG

AES cipher with 192-bit CCM_STAR_NO_TAG mode.

enumerator MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG

AES cipher with 256-bit CCM_STAR_NO_TAG mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_128_CCM

Camellia cipher with 128-bit CCM mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_192_CCM

Camellia cipher with 192-bit CCM mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_256_CCM

Camellia cipher with 256-bit CCM mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG

Camellia cipher with 128-bit CCM_STAR_NO_TAG mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG

Camellia cipher with 192-bit CCM_STAR_NO_TAG mode.

enumerator MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG

Camellia cipher with 256-bit CCM_STAR_NO_TAG mode.

enumerator MBEDTLS_CIPHER_ARIA_128_ECB

Aria cipher with 128-bit key and ECB mode.

enumerator MBEDTLS_CIPHER_ARIA_192_ECB

Aria cipher with 192-bit key and ECB mode.

enumerator MBEDTLS_CIPHER_ARIA_256_ECB

Aria cipher with 256-bit key and ECB mode.

enumerator MBEDTLS_CIPHER_ARIA_128_CBC

Aria cipher with 128-bit key and CBC mode.

enumerator MBEDTLS_CIPHER_ARIA_192_CBC

Aria cipher with 192-bit key and CBC mode.

enumerator MBEDTLS_CIPHER_ARIA_256_CBC

Aria cipher with 256-bit key and CBC mode.

enumerator MBEDTLS_CIPHER_ARIA_128_CFB128

Aria cipher with 128-bit key and CFB-128 mode.

enumerator MBEDTLS_CIPHER_ARIA_192_CFB128

Aria cipher with 192-bit key and CFB-128 mode.

enumerator MBEDTLS_CIPHER_ARIA_256_CFB128

Aria cipher with 256-bit key and CFB-128 mode.

enumerator MBEDTLS_CIPHER_ARIA_128_CTR

Aria cipher with 128-bit key and CTR mode.

enumerator MBEDTLS_CIPHER_ARIA_192_CTR

Aria cipher with 192-bit key and CTR mode.

enumerator MBEDTLS_CIPHER_ARIA_256_CTR

Aria cipher with 256-bit key and CTR mode.

enumerator MBEDTLS_CIPHER_ARIA_128_GCM

Aria cipher with 128-bit key and GCM mode.

enumerator MBEDTLS_CIPHER_ARIA_192_GCM

Aria cipher with 192-bit key and GCM mode.

enumerator MBEDTLS_CIPHER_ARIA_256_GCM

Aria cipher with 256-bit key and GCM mode.

enumerator MBEDTLS_CIPHER_ARIA_128_CCM

Aria cipher with 128-bit key and CCM mode.

enumerator MBEDTLS_CIPHER_ARIA_192_CCM

Aria cipher with 192-bit key and CCM mode.

enumerator MBEDTLS_CIPHER_ARIA_256_CCM

Aria cipher with 256-bit key and CCM mode.

enumerator MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG

Aria cipher with 128-bit key and CCM_STAR_NO_TAG mode.

enumerator MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG

Aria cipher with 192-bit key and CCM_STAR_NO_TAG mode.

enumerator MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG

Aria cipher with 256-bit key and CCM_STAR_NO_TAG mode.

enumerator MBEDTLS_CIPHER_AES_128_OFB

AES 128-bit cipher in OFB mode.

enumerator MBEDTLS_CIPHER_AES_192_OFB

AES 192-bit cipher in OFB mode.

enumerator MBEDTLS_CIPHER_AES_256_OFB

AES 256-bit cipher in OFB mode.

enumerator MBEDTLS_CIPHER_AES_128_XTS

AES 128-bit cipher in XTS block mode.

enumerator MBEDTLS_CIPHER_AES_256_XTS

AES 256-bit cipher in XTS block mode.

enumerator MBEDTLS_CIPHER_CHACHA20

ChaCha20 stream cipher.

enumerator MBEDTLS_CIPHER_CHACHA20_POLY1305

ChaCha20-Poly1305 AEAD cipher.

enumerator MBEDTLS_CIPHER_AES_128_KW

AES cipher with 128-bit NIST KW mode.

enumerator MBEDTLS_CIPHER_AES_192_KW

AES cipher with 192-bit NIST KW mode.

enumerator MBEDTLS_CIPHER_AES_256_KW

AES cipher with 256-bit NIST KW mode.

enumerator MBEDTLS_CIPHER_AES_128_KWP

AES cipher with 128-bit NIST KWP mode.

enumerator MBEDTLS_CIPHER_AES_192_KWP

AES cipher with 192-bit NIST KWP mode.

enumerator MBEDTLS_CIPHER_AES_256_KWP

AES cipher with 256-bit NIST KWP mode.

enum mbedtls_cipher_mode_t

Supported cipher modes.

Values:

enumerator MBEDTLS_MODE_NONE

None.

enumerator MBEDTLS_MODE_ECB

The ECB cipher mode.

enumerator MBEDTLS_MODE_CBC

The CBC cipher mode.

enumerator MBEDTLS_MODE_CFB

The CFB cipher mode.

enumerator MBEDTLS_MODE_OFB

The OFB cipher mode.

enumerator MBEDTLS_MODE_CTR

The CTR cipher mode.

enumerator MBEDTLS_MODE_GCM

The GCM cipher mode.

enumerator MBEDTLS_MODE_STREAM

The stream cipher mode.

enumerator MBEDTLS_MODE_CCM

The CCM cipher mode.

enumerator MBEDTLS_MODE_CCM_STAR_NO_TAG

The CCM*-no-tag cipher mode.

enumerator MBEDTLS_MODE_XTS

The XTS cipher mode.

enumerator MBEDTLS_MODE_CHACHAPOLY

The ChaCha-Poly cipher mode.

enumerator MBEDTLS_MODE_KW

The SP800-38F KW mode

enumerator MBEDTLS_MODE_KWP

The SP800-38F KWP mode

enum mbedtls_cipher_padding_t

Supported cipher padding types.

Values:

enumerator MBEDTLS_PADDING_PKCS7

PKCS7 padding (default).

enumerator MBEDTLS_PADDING_ONE_AND_ZEROS

ISO/IEC 7816-4 padding.

enumerator MBEDTLS_PADDING_ZEROS_AND_LEN

ANSI X.923 padding.

enumerator MBEDTLS_PADDING_ZEROS

Zero padding (not reversible).

enumerator MBEDTLS_PADDING_NONE

Never pad (full blocks only).

enum mbedtls_operation_t

Type of operation.

Values:

enumerator MBEDTLS_OPERATION_NONE

enumerator MBEDTLS_DECRYPT

enumerator MBEDTLS_ENCRYPT

enum [anonymous]

Values:

enumerator MBEDTLS_KEY_LENGTH_NONE

Undefined key length.

enumerator MBEDTLS_KEY_LENGTH_DES

Key length, in bits (including parity), for DES keys.

Warning

DES is considered weak.

enumerator MBEDTLS_KEY_LENGTH_DES_EDE

Key length in bits, including parity, for DES in two-key EDE.

Warning

3DES is considered weak.

enumerator MBEDTLS_KEY_LENGTH_DES_EDE3

Key length in bits, including parity, for DES in three-key EDE.

Warning

3DES is considered weak.

Functions

const int *mbedtls_cipher_list(void)

This function retrieves the list of ciphers supported by the generic cipher module.

For any cipher identifier in the returned list, you can obtain the corresponding generic cipher information structure via mbedtls_cipher_info_from_type(), which can then be used to prepare a cipher context via mbedtls_cipher_setup().

Returns:

A statically-allocated array of cipher identifiers of type cipher_type_t. The last entry is zero.

const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string(const char *cipher_name)

This function retrieves the cipher-information structure associated with the given cipher name.

Parameters:

cipher_name – Name of the cipher to search for. This must not be NULL.

Returns:

The cipher information structure associated with the given cipher_name.

Returns:

NULL if the associated cipher information is not found.

const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type(const mbedtls_cipher_type_t cipher_type)

This function retrieves the cipher-information structure associated with the given cipher type.

Parameters:

cipher_type – Type of the cipher to search for.

Returns:

The cipher information structure associated with the given cipher_type.

Returns:

NULL if the associated cipher information is not found.

const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(const mbedtls_cipher_id_t cipher_id, int key_bitlen, const mbedtls_cipher_mode_t mode)

This function retrieves the cipher-information structure associated with the given cipher ID, key size and mode.

Parameters:

• cipher_id – The ID of the cipher to search for. For example, MBEDTLS_CIPHER_ID_AES.

• key_bitlen – The length of the key in bits.

• mode – The cipher mode. For example, MBEDTLS_MODE_CBC.

Returns:

The cipher information structure associated with the given cipher_id.

Returns:

NULL if the associated cipher information is not found.

static inline mbedtls_cipher_type_t mbedtls_cipher_info_get_type(const mbedtls_cipher_info_t *info)

Retrieve the identifier for a cipher info structure.

Parameters:

info – [in] The cipher info structure to query. This may be NULL.

Returns:

The full cipher identifier (MBEDTLS_CIPHER_xxx).

Returns:

MBEDTLS_CIPHER_NONE if info is NULL.

static inline mbedtls_cipher_mode_t mbedtls_cipher_info_get_mode(const mbedtls_cipher_info_t *info)

Retrieve the operation mode for a cipher info structure.

Parameters:

info – [in] The cipher info structure to query. This may be NULL.

Returns:

The cipher mode (MBEDTLS_MODE_xxx).

Returns:

MBEDTLS_MODE_NONE if info is NULL.

static inline size_t mbedtls_cipher_info_get_key_bitlen(const mbedtls_cipher_info_t *info)

Retrieve the key size for a cipher info structure.

Parameters:

info – [in] The cipher info structure to query. This may be NULL.

Returns:

The key length in bits. For variable-sized ciphers, this is the default length. For DES, this includes the parity bits.

Returns:

0 if info is NULL.

static inline const char *mbedtls_cipher_info_get_name(const mbedtls_cipher_info_t *info)

Retrieve the human-readable name for a cipher info structure.

Parameters:

info – [in] The cipher info structure to query. This may be NULL.

Returns:

The cipher name, which is a human readable string, with static storage duration.

Returns:

NULL if info is NULL.

static inline size_t mbedtls_cipher_info_get_iv_size(const mbedtls_cipher_info_t *info)

This function returns the size of the IV or nonce for the cipher info structure, in bytes.

Parameters:

info – The cipher info structure. This may be NULL.

Returns:

The recommended IV size.

Returns:

0 for ciphers not using an IV or a nonce.

Returns:

0 if info is NULL.

static inline size_t mbedtls_cipher_info_get_block_size(const mbedtls_cipher_info_t *info)

This function returns the block size of the given cipher info structure in bytes.

Parameters:

info – The cipher info structure. This may be NULL.

Returns:

The block size of the cipher.

Returns:

1 if the cipher is a stream cipher.

Returns:

0 if info is NULL.

static inline int mbedtls_cipher_info_has_variable_key_bitlen(const mbedtls_cipher_info_t *info)

This function returns a non-zero value if the key length for the given cipher is variable.

Parameters:

info – The cipher info structure. This may be NULL.

Returns:

Non-zero if the key length is variable, 0 otherwise.

Returns:

0 if the given pointer is NULL.

static inline int mbedtls_cipher_info_has_variable_iv_size(const mbedtls_cipher_info_t *info)

This function returns a non-zero value if the IV size for the given cipher is variable.

Parameters:

info – The cipher info structure. This may be NULL.

Returns:

Non-zero if the IV size is variable, 0 otherwise.

Returns:

0 if the given pointer is NULL.

void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)

This function initializes a ctx as NONE.

Parameters:

ctx – The context to be initialized. This must not be NULL.

void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)

This function frees and clears the cipher-specific context of ctx. Freeing ctx itself remains the responsibility of the caller.

Parameters:

ctx – The context to be freed. If this is NULL, the function has no effect, otherwise this must point to an initialized context.

int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info)

This function prepares a cipher context for use with the given cipher primitive.

Note

After calling this function, you should call mbedtls_cipher_setkey() and, if the mode uses padding, mbedtls_cipher_set_padding_mode(), then for each message to encrypt or decrypt with this key, either:

• mbedtls_cipher_crypt() for one-shot processing with non-AEAD modes;

• mbedtls_cipher_auth_encrypt_ext() or mbedtls_cipher_auth_decrypt_ext() for one-shot processing with AEAD modes or NIST_KW;

• for multi-part processing, see the documentation of mbedtls_cipher_reset().

Parameters:

• ctx – The context to prepare. This must be initialized by a call to mbedtls_cipher_init() first.

• cipher_info – The cipher to use.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter-verification failure.

Returns:

MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the cipher-specific context fails.

static inline unsigned int mbedtls_cipher_get_block_size(const mbedtls_cipher_context_t *ctx)

This function returns the block size of the given cipher in bytes.

Parameters:

ctx – The context of the cipher.

Returns:

The block size of the underlying cipher.

Returns:

1 if the cipher is a stream cipher.

Returns:

0 if ctx has not been initialized.

static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(const mbedtls_cipher_context_t *ctx)

This function returns the mode of operation for the cipher. For example, MBEDTLS_MODE_CBC.

Parameters:

ctx – The context of the cipher. This must be initialized.

Returns:

The mode of operation.

Returns:

MBEDTLS_MODE_NONE if ctx has not been initialized.

static inline int mbedtls_cipher_get_iv_size(const mbedtls_cipher_context_t *ctx)

This function returns the size of the IV or nonce of the cipher, in Bytes.

Parameters:

ctx – The context of the cipher. This must be initialized.

Returns:

The recommended IV size if no IV has been set.

Returns:

0 for ciphers not using an IV or a nonce.

Returns:

The actual size if an IV has been set.

static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(const mbedtls_cipher_context_t *ctx)

This function returns the type of the given cipher.

Parameters:

ctx – The context of the cipher. This must be initialized.

Returns:

The type of the cipher.

Returns:

MBEDTLS_CIPHER_NONE if ctx has not been initialized.

static inline const char *mbedtls_cipher_get_name(const mbedtls_cipher_context_t *ctx)

This function returns the name of the given cipher as a string.

Parameters:

ctx – The context of the cipher. This must be initialized.

Returns:

The name of the cipher.

Returns:

NULL if ctx has not been not initialized.

static inline int mbedtls_cipher_get_key_bitlen(const mbedtls_cipher_context_t *ctx)

This function returns the key length of the cipher.

Parameters:

ctx – The context of the cipher. This must be initialized.

Returns:

The key length of the cipher in bits.

Returns:

MBEDTLS_KEY_LENGTH_NONE if ctx has not been initialized.

static inline mbedtls_operation_t mbedtls_cipher_get_operation(const mbedtls_cipher_context_t *ctx)

This function returns the operation of the given cipher.

Parameters:

ctx – The context of the cipher. This must be initialized.

Returns:

The type of operation: MBEDTLS_ENCRYPT or MBEDTLS_DECRYPT.

Returns:

MBEDTLS_OPERATION_NONE if ctx has not been initialized.

int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, const unsigned char *key, int key_bitlen, const mbedtls_operation_t operation)

This function sets the key to use with the given context.

Parameters:

• ctx – The generic cipher context. This must be initialized and bound to a cipher information structure.

• key – The key to use. This must be a readable buffer of at least key_bitlen Bits.

• key_bitlen – The key length to use, in Bits.

• operation – The operation that the key will be used for: MBEDTLS_ENCRYPT or MBEDTLS_DECRYPT.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter-verification failure.

Returns:

A cipher-specific error code on failure.

int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode)

This function sets the padding mode, for cipher modes that use padding.

Parameters:

• ctx – The generic cipher context. This must be initialized and bound to a cipher information structure.

• mode – The padding mode.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE if the selected padding mode is not supported.

Returns:

MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode does not support padding.

int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len)

This function sets the initialization vector (IV) or nonce.

Note

Some ciphers do not use IVs nor nonce. For these ciphers, this function has no effect.

Note

For MBEDTLS_CIPHER_CHACHA20, the nonce length must be 12, and the initial counter value is 0.

Note

For MBEDTLS_CIPHER_CHACHA20_POLY1305, the nonce length must be 12.

Parameters:

• ctx – The generic cipher context. This must be initialized and bound to a cipher information structure.

• iv – The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This must be a readable buffer of at least iv_len Bytes.

• iv_len – The IV length for ciphers with variable-size IV. This parameter is discarded by ciphers with fixed-size IV.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter-verification failure.

int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)

This function resets the cipher state.

Note

With non-AEAD ciphers, the order of calls for each message is as follows:

1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.

2. mbedtls_cipher_reset()

3. mbedtls_cipher_update() one or more times

4. mbedtls_cipher_finish()

This sequence can be repeated to encrypt or decrypt multiple messages with the same key.

Note

With AEAD ciphers, the order of calls for each message is as follows:

1. mbedtls_cipher_set_iv() if the mode uses an IV/nonce.

2. mbedtls_cipher_reset()

3. mbedtls_cipher_update_ad()

4. mbedtls_cipher_update() one or more times

5. mbedtls_cipher_finish()

6. mbedtls_cipher_check_tag() (for decryption) or mbedtls_cipher_write_tag() (for encryption).

This sequence can be repeated to encrypt or decrypt multiple messages with the same key.

Parameters:

ctx – The generic cipher context. This must be bound to a key.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter-verification failure.

int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx, const unsigned char *ad, size_t ad_len)

This function adds additional data for AEAD ciphers. Currently supported with GCM and ChaCha20+Poly1305.

Parameters:

• ctx – The generic cipher context. This must be initialized.

• ad – The additional data to use. This must be a readable buffer of at least ad_len Bytes.

• ad_len – The length of ad in Bytes.

Returns:

0 on success.

Returns:

A specific error code on failure.

int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)

The generic cipher update function. It encrypts or decrypts using the given cipher context. Writes as many block-sized blocks of data as possible to output. Any data that cannot be written immediately is either added to the next block, or flushed when mbedtls_cipher_finish() is called. Exception: For MBEDTLS_MODE_ECB, expects a single block in size. For example, 16 Bytes for AES.

Parameters:

• ctx – The generic cipher context. This must be initialized and bound to a key.

• input – The buffer holding the input data. This must be a readable buffer of at least ilen Bytes.

• ilen – The length of the input data.

• output – The buffer for the output data. This must be able to hold at least ilen + block_size. This must not be the same buffer as input.

• olen – The length of the output data, to be updated with the actual number of Bytes written. This must not be NULL.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter-verification failure.

Returns:

MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an unsupported mode for a cipher.

Returns:

A cipher-specific error code on failure.

int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx, unsigned char *output, size_t *olen)

The generic cipher finalization function. If data still needs to be flushed from an incomplete block, the data contained in it is padded to the size of the last block, and written to the output buffer.

Parameters:

• ctx – The generic cipher context. This must be initialized and bound to a key.

• output – The buffer to write data to. This needs to be a writable buffer of at least block_size Bytes.

• olen – The length of the data written to the output buffer. This may not be NULL.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter-verification failure.

Returns:

MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption expecting a full block but not receiving one.

Returns:

MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding while decrypting.

Returns:

A cipher-specific error code on failure.

int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx, unsigned char *tag, size_t tag_len)

This function writes a tag for AEAD ciphers. Currently supported with GCM and ChaCha20+Poly1305. This must be called after mbedtls_cipher_finish().

Parameters:

• ctx – The generic cipher context. This must be initialized, bound to a key, and have just completed a cipher operation through mbedtls_cipher_finish() the tag for which should be written.

• tag – The buffer to write the tag to. This must be a writable buffer of at least tag_len Bytes.

• tag_len – The length of the tag to write.

Returns:

0 on success.

Returns:

A specific error code on failure.

int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx, const unsigned char *tag, size_t tag_len)

This function checks the tag for AEAD ciphers. Currently supported with GCM and ChaCha20+Poly1305. This must be called after mbedtls_cipher_finish().

Parameters:

• ctx – The generic cipher context. This must be initialized.

• tag – The buffer holding the tag. This must be a readable buffer of at least tag_len Bytes.

• tag_len – The length of the tag to check.

Returns:

0 on success.

Returns:

A specific error code on failure.

int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)

The generic all-in-one encryption/decryption function, for all ciphers except AEAD constructs.

Note

Some ciphers do not use IVs nor nonce. For these ciphers, use iv = NULL and iv_len = 0.

Parameters:

• ctx – The generic cipher context. This must be initialized.

• iv – The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This must be a readable buffer of at least iv_len Bytes.

• iv_len – The IV length for ciphers with variable-size IV. This parameter is discarded by ciphers with fixed-size IV.

• input – The buffer holding the input data. This must be a readable buffer of at least ilen Bytes.

• ilen – The length of the input data in Bytes.

• output – The buffer for the output data. This must be able to hold at least ilen + block_size. This must not be the same buffer as input.

• olen – The length of the output data, to be updated with the actual number of Bytes written. This must not be NULL.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter-verification failure.

Returns:

MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption expecting a full block but not receiving one.

Returns:

MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding while decrypting.

Returns:

A cipher-specific error code on failure.

int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t output_len, size_t *olen, size_t tag_len)

The authenticated encryption (AEAD/NIST_KW) function.

Note

For AEAD modes, the tag will be appended to the ciphertext, as recommended by RFC 5116. (NIST_KW doesn’t have a separate tag.)

Parameters:

• ctx – The generic cipher context. This must be initialized and bound to a key, with an AEAD algorithm or NIST_KW.

• iv – The nonce to use. This must be a readable buffer of at least iv_len Bytes and may be NULL if iv_len is 0.

• iv_len – The length of the nonce. For AEAD ciphers, this must satisfy the constraints imposed by the cipher used. For NIST_KW, this must be 0.

• ad – The additional data to authenticate. This must be a readable buffer of at least ad_len Bytes, and may be NULL is ad_len is 0.

• ad_len – The length of ad. For NIST_KW, this must be 0.

• input – The buffer holding the input data. This must be a readable buffer of at least ilen Bytes, and may be NULL if ilen is 0.

• ilen – The length of the input data.

• output – The buffer for the output data. This must be a writable buffer of at least output_len Bytes, and must not be NULL.

• output_len – The length of the output buffer in Bytes. For AEAD ciphers, this must be at least ilen + tag_len. For NIST_KW, this must be at least ilen + 8 (rounded up to a multiple of 8 if KWP is used); ilen + 15 is always a safe value.

• olen – This will be filled with the actual number of Bytes written to the output buffer. This must point to a writable object of type size_t.

• tag_len – The desired length of the authentication tag. For AEAD ciphers, this must match the constraints imposed by the cipher used, and in particular must not be 0. For NIST_KW, this must be 0.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter-verification failure.

Returns:

A cipher-specific error code on failure.

int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t output_len, size_t *olen, size_t tag_len)

The authenticated encryption (AEAD/NIST_KW) function.

Note

If the data is not authentic, then the output buffer is zeroed out to prevent the unauthentic plaintext being used, making this interface safer.

Note

For AEAD modes, the tag must be appended to the ciphertext, as recommended by RFC 5116. (NIST_KW doesn’t have a separate tag.)

Parameters:

• ctx – The generic cipher context. This must be initialized and bound to a key, with an AEAD algorithm or NIST_KW.

• iv – The nonce to use. This must be a readable buffer of at least iv_len Bytes and may be NULL if iv_len is 0.

• iv_len – The length of the nonce. For AEAD ciphers, this must satisfy the constraints imposed by the cipher used. For NIST_KW, this must be 0.

• ad – The additional data to authenticate. This must be a readable buffer of at least ad_len Bytes, and may be NULL is ad_len is 0.

• ad_len – The length of ad. For NIST_KW, this must be 0.

• input – The buffer holding the input data. This must be a readable buffer of at least ilen Bytes, and may be NULL if ilen is 0.

• ilen – The length of the input data. For AEAD ciphers this must be at least tag_len. For NIST_KW this must be at least 8.

• output – The buffer for the output data. This must be a writable buffer of at least output_len Bytes, and may be NULL if output_len is 0.

• output_len – The length of the output buffer in Bytes. For AEAD ciphers, this must be at least ilen - tag_len. For NIST_KW, this must be at least ilen - 8.

• olen – This will be filled with the actual number of Bytes written to the output buffer. This must point to a writable object of type size_t.

• tag_len – The actual length of the authentication tag. For AEAD ciphers, this must match the constraints imposed by the cipher used, and in particular must not be 0. For NIST_KW, this must be 0.

Returns:

0 on success.

Returns:

MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter-verification failure.

Returns:

MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.

Returns:

A cipher-specific error code on failure.

struct mbedtls_cipher_info_t

#include <cipher.h>

Cipher information. Allows calling cipher functions in a generic way.

Note

The library does not support custom cipher info structures, only built-in structures returned by the functions mbedtls_cipher_info_from_string(), mbedtls_cipher_info_from_type(), mbedtls_cipher_info_from_values(), mbedtls_cipher_info_from_psa().

Note

Some fields store a value that has been right-shifted to save code-size, so should not be used directly. The accessor functions adjust for this and return the “natural” value.

Public Members

const char *private_name

Name of the cipher.

unsigned int private_block_size

The block size, in bytes.

unsigned int private_iv_size

IV or nonce size, in bytes (right shifted by MBEDTLS_IV_SIZE_SHIFT). For ciphers that accept variable IV sizes, this is the recommended size.

unsigned int private_key_bitlen

The cipher key length, in bits (right shifted by MBEDTLS_KEY_BITLEN_SHIFT). This is the default length for variable sized ciphers. Includes parity bits for ciphers like DES.

unsigned int private_mode

The cipher mode (as per mbedtls_cipher_mode_t). For example, MBEDTLS_MODE_CBC.

unsigned int private_type

Full cipher identifier (as per mbedtls_cipher_type_t). For example, MBEDTLS_CIPHER_AES_256_CBC.

This could be 7 bits, but 8 bits retains byte alignment for the next field, which reduces code size to access that field.

unsigned int private_flags

Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the cipher supports variable IV or variable key sizes, respectively.

unsigned int private_base_idx

Index to LUT for base cipher information and functions.

struct mbedtls_cipher_context_t

#include <cipher.h>

Generic cipher context.

Public Members

const mbedtls_cipher_info_t *private_cipher_info

Information about the associated cipher.

int private_key_bitlen

Key length to use.

mbedtls_operation_t private_operation

Operation that the key of the context has been initialized for.

void (*private_add_padding)(unsigned char *output, size_t olen, size_t data_len)

Padding functions to use, if relevant for the specific cipher mode.

int (*private_get_padding)(unsigned char *input, size_t ilen, size_t *data_len)

unsigned char private_unprocessed_data[MBEDTLS_MAX_BLOCK_LENGTH]

Buffer for input that has not been processed yet.

size_t private_unprocessed_len

Number of Bytes that have not been processed yet.

unsigned char private_iv[MBEDTLS_MAX_IV_LENGTH]

Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number for XTS-mode.

size_t private_iv_size

IV size in Bytes, for ciphers with variable-length IVs.

void *private_cipher_ctx

The cipher-specific context.

mbedtls_cmac_context_t *private_cmac_ctx

CMAC-specific context.