API documentation
nRF CC310 bootloader crypto library
- group nrf_cc310_bl
Common declarations for nrf_cc310_bl ECDSA verify APIs.
Function for initializing the CC310 hardware and runtime library.
Type definitions and public APIs for nrf_cc310_bl HASH using SHA-256.
Shared declarations used by nrf_cc310_bl for hash APIs.
Type definitions and APIs for nrf_cc310_bl ECDSA verify using curve secp256r1.
Note
Running this initialization is intended for cases where there is no direct requirement for the RNG subsystem (all operations are deterministic).
- retval CRYS_OK
Initialization was successful.
Defines
-
NRF_CC310_BL_ECDSA_CONTEXT_INITIALIZED
-
NRF_CC310_BL_ECDSA_VERIFY_CONTEXT_SIZE_SECP224R1
Macro for the size of the ECDSA Verify context.
-
NRF_CC310_BL_ECDSA_VERIFY_CONTEXT_SIZE_SECP256R1
Macro for the size of the ECDSA Verify context.
-
NRF_CC310_BL_HASH_CONTEXT_INITIALIZED
Value indicating that the hash context is initialized.
-
NRF_CC310_BL_HASH_CONTEXT_BUFFER_SIZE_SHA256
Size of internal representation of SHA-256 hash context.
-
NRF_CC310_BL_SHA256_DIGEST_SIZE_IN_WORDS
Size of SHA-256 hash digest in words.
-
NRF_CC310_BL_SHA256_DIGEST_SIZE_IN_BYTES
Size of SHA-256 hash digest in bytes.
Typedefs
-
typedef uint8_t nrf_cc310_bl_hash_digest_sha256_t[(32)]
Array to hold SHA-256 hash digest.
Functions
-
CRYSError_t nrf_cc310_bl_ecdsa_verify_init_secp256r1(nrf_cc310_bl_ecdsa_verify_context_secp256r1_t *const p_context, nrf_cc310_bl_ecc_public_key_secp256r1_t const *const p_public_key)
Function for initializing the context information for an ECDSA verify operation.
Note
The memory that holds the context object must be allocated prior to this call.
- Parameters
p_context – [inout] Pointer to the structure holding context information for the ECDSA verify operation.
p_public_key – [in] Pointer to the structure holding the public key for the ECDSA verify operation.
- Return values
CRYS_ECDSA_VERIFY_INVALID_USER_CONTEXT_PTR_ERROR – p_context was NULL.
CRYS_ECDSA_VERIFY_SIGNER_PUBL_KEY_VALIDATION_TAG_ERROR – p_public_key was NULL.
-
CRYSError_t nrf_cc310_bl_ecdsa_verify_hash_secp256r1(nrf_cc310_bl_ecdsa_verify_context_secp256r1_t *const p_context, nrf_cc310_bl_ecc_signature_secp256r1_t const *const p_signature, uint8_t const *const p_hash, uint32_t hash_len)
Function for executing an ECDSA verify operation using secp256r1 with hash input.
Note
The ECDSA verify context structure must be initialized prior to this call using nrf_cc310_bl_ecdsa_verify_init_secp256r1.
- Parameters
p_context – [inout] Pointer to the structure holding context information for the ECDSA verify operation.
p_signature – [in] Pointer to the structure holding the signature to use for the ECDSA verify operation.
p_hash – [in] Pointer to the hash to use in the ECDSA verify operation.
hash_len – [in] Length of the hash to verify.
- Return values
CRYS_OK – Signature was successfully verified.
CRYS_ECDSA_VERIFY_INVALID_USER_CONTEXT_PTR_ERROR – p_context was NULL.
CRYS_ECDSA_VERIFY_USER_CONTEXT_VALIDATION_TAG_ERROR – p_context was not initialized.
CRYS_ECDSA_VERIFY_INVALID_SIGNATURE_IN_PTR_ERROR – p_signature was NULL.
CRYS_ECDSA_VERIFY_INVALID_MESSAGE_DATA_IN_PTR_ERROR – p_hash was NULL.
CRYS_ECDSA_VERIFY_INVALID_MESSAGE_DATA_IN_SIZE_ERROR – hash_len was invalid.
CRYS_ECDSA_VERIFY_INCONSISTENT_VERIFY_ERROR – Signature verification failed.
-
CRYSError_t nrf_cc310_bl_ecdsa_verify_secp256r1(nrf_cc310_bl_ecdsa_verify_context_secp256r1_t *const p_context, nrf_cc310_bl_ecc_public_key_secp256r1_t const *const p_public_key, nrf_cc310_bl_ecc_signature_secp256r1_t const *const p_signature, uint8_t const *const p_hash, uint32_t hash_len)
Function for executing an ECDSA verify operation using secp256r1 with hash input in integrated form.
Note
This will run initialization of ECDSA context and run ECDSA verify in a single step.
- Parameters
p_context – [inout] Pointer to the structure holding context information for the ECDSA verify operation.
p_public_key – [in] Pointer to the structure holding the public key for the ECDSA verify operation.
p_signature – [in] Pointer to the structure holding the signature to use for the ECDSA verify operation.
p_hash – [in] Pointer to the hash to use in the ECDSA verify operation.
hash_len – [in] Length of the hash to verify.
- Return values
CRYS_OK – Signature was successfully verified.
CRYS_ECDSA_VERIFY_INVALID_USER_CONTEXT_PTR_ERROR – p_context was NULL.
CRYS_ECDSA_VERIFY_USER_CONTEXT_VALIDATION_TAG_ERROR – p_context was not initialized.
CRYS_ECDSA_VERIFY_SIGNER_PUBL_KEY_VALIDATION_TAG_ERROR – p_public_key was NULL.
CRYS_ECDSA_VERIFY_INVALID_SIGNATURE_IN_PTR_ERROR – p_signature was NULL.
CRYS_ECDSA_VERIFY_INVALID_MESSAGE_DATA_IN_PTR_ERROR – p_hash was NULL.
CRYS_ECDSA_VERIFY_INVALID_MESSAGE_DATA_IN_SIZE_ERROR – hash_len was invalid.
CRYS_ECDSA_VERIFY_INCONSISTENT_VERIFY_ERROR – Signature verification failed.
-
CRYSError_t nrf_cc310_bl_hash_sha256_init(nrf_cc310_bl_hash_context_sha256_t *const p_hash_context)
Function for initializing the SHA-256 context.
Note
Memory pointed to in hash context must be allocated prior to this call.
- Parameters
p_hash_context – [inout] Structure holding context information for the SHA-256 operation.
- Return values
CRYS_OK – If call was successful.
CRYS_HASH_INVALID_USER_CONTEXT_POINTER_ERROR – p_hash_context was NULL.
-
CRYSError_t nrf_cc310_bl_hash_sha256_update(nrf_cc310_bl_hash_context_sha256_t *const p_hash_context, uint8_t const *p_src, uint32_t len)
Function for running an update to the SHA-256 hash calculation.
- Parameters
p_hash_context – [inout] Structure holding context information for the SHA-256 operation.
p_src – [in] Input data to be added to the digest.
len – [in] Amount of data passed in p_src.
- Return values
CRYS_OK – If call was successful.
CRYS_HASH_INVALID_USER_CONTEXT_POINTER_ERROR – p_hash_context was NULL.
CRYS_HASH_USER_CONTEXT_CORRUPTED_ERROR – p_hash_context not initialized.
CRYS_HASH_LAST_BLOCK_ALREADY_PROCESSED_ERROR – p_hash_context already finalized.
-
CRYSError_t nrf_cc310_bl_hash_sha256_finalize(nrf_cc310_bl_hash_context_sha256_t *const p_hash_context, nrf_cc310_bl_hash_digest_sha256_t *const p_digest)
Function for finalizing the hash calculation.
Note
Memory pointed to in hash digest must be allocated prior to this call.
- Parameters
p_hash_context – [inout] Structure holding context information for the SHA-256 operation.
p_digest – [inout] Pointer to the structure holding SHA-256 hash digest. Data pointed to must be 32 bytes long.
- Return values
CRYS_HASH_INVALID_USER_CONTEXT_POINTER_ERROR – p_hash_context was NULL.
CRYS_HASH_USER_CONTEXT_CORRUPTED_ERROR – p_hash_context was corrupted.
CRYS_HASH_INVALID_RESULT_BUFFER_POINTER_ERROR – p_digest was NULL.
-
CRYSError_t nrf_cc310_bl_init(void)
-
struct nrf_cc310_bl_ecc_public_key_secp256r1_t
- #include <nrf_cc310_bl_ecdsa_verify_secp256r1.h>
Structure holding the secp256r1 public key represented by X,Y coordinates.
-
struct nrf_cc310_bl_ecc_signature_secp256r1_t
- #include <nrf_cc310_bl_ecdsa_verify_secp256r1.h>
Structure holding the secp256r1 signature represented by R,S values.
-
struct nrf_cc310_bl_ecdsa_verify_context_secp256r1_t
- #include <nrf_cc310_bl_ecdsa_verify_secp256r1.h>
Structure holding memory required for allocation of CC310 ECDSA verify context using curve secp256r1.
-
struct nrf_cc310_bl_hash_context_sha256_t
- #include <nrf_cc310_bl_hash_sha256.h>
Structure to hold SHA-256 context information.
nRF CC3XX platform library
- group nrf_cc3xx_platform
nrf_cc3xx_platform library containing cc3xx hardware initialization and entropy gathering APIs. The library also contains APIs and companion source-files to setus RTOS dependent mutex and abort functionality for the nrf_cc3xx_mbedcrypto library in Zephyr RTOS and FreeRTOS.
CC3XX Platform - Defines
- group nrf_cc3xx_platform_defines
nrf_cc3xx_platform shared defines and return codes.
Defines
-
NRF_CC3XX_PLATFORM_ENTROPY_MAX_GATHER
Definition of max number of entropy bits to gather for CTR_DRBG.
-
NRF_CC3XX_PLATFORM_USE_COUNT_MAX
Definition of max count of concurrent usage.
Note
The max value will never be reached.
-
NRF_CC3XX_PLATFORM_SUCCESS
-
NRF_CC3XX_PLATFORM_ERROR_PARAM_NULL
-
NRF_CC3XX_PLATFORM_ERROR_INTERNAL
-
NRF_CC3XX_PLATFORM_ERROR_RNG_TEST_FAILED
-
NRF_CC3XX_PLATFORM_ERROR_HW_VERSION_FAILED
-
NRF_CC3XX_PLATFORM_ERROR_PARAM_WRITE_FAILED
-
NRF_CC3XX_PLATFORM_ERROR_MUTEX_NOT_INITIALIZED
-
NRF_CC3XX_PLATFORM_ERROR_MUTEX_FAILED
-
NRF_CC3XX_PLATFORM_ERROR_ENTROPY_NOT_INITIALIZED
-
NRF_CC3XX_PLATFORM_ERROR_ENTROPY_TRNG_TOO_LONG
-
NRF_CC3XX_PLATFORM_ERROR_KMU_INVALID_SLOT
-
NRF_CC3XX_PLATFORM_ERROR_KMU_ALREADY_FILLED
-
NRF_CC3XX_PLATFORM_ERROR_KMU_WRONG_ADDRESS
-
NRF_CC3XX_PLATFORM_ERROR_KMU_WRITE_KEY_FAILED
-
NRF_CC3XX_PLATFORM_ERROR_KMU_WRITE_INVALID_PERM
-
NRF_CC3XX_PLATFORM_ERROR_KDR_INVALID_WRITE
-
NRF_CC3XX_PLATFORM_ERROR_KDR_INVALID_PUSH
-
NRF_CC3XX_PLATFORM_ERROR_KMU_INVALID_KEY_TYPE
-
NRF_CC3XX_PLATFORM_ERROR_INVALID_PARAM
-
NRF_CC3XX_PLATFORM_ERROR_DERIVED_KEY_CTX_INVALID_STATE
-
NRF_CC3XX_PLATFORM_DERIVED_KEY_CTX_INITIALIZED
-
NRF_CC3XX_PLATFORM_DERIVED_KEY_DERIV_INFO_SET
-
NRF_CC3XX_PLATFORM_DERIVED_KEY_CIPH_INFO_SET
-
NRF_CC3XX_PLATFORM_DERIVED_KEY_AUTH_INFO_SET
-
NRF_CC3XX_PLATFORM_ENTROPY_MAX_GATHER
CC3XX Platform - Initialization APIs
- group nrf_cc3xx_platform_init
The nrf_cc3xx_platform APIs provides functions related to initialization of the Arm CryptoCell cc3xx hardware accelerator for usage in nrf_cc3xx_platform and dependent libraries.
Functions
-
int nrf_cc3xx_platform_init(void)
Function to initialize the nrf_cc3xx_platform with rng support. The function is using CTR_DRBG to generate a random seed.
- Returns
Zero on success, otherwise a non-zero error code.
-
int nrf_cc3xx_platform_init_hmac_drbg(void)
Function to initialize the nrf_cc3xx_platform with rng. The function is using HMAC_DRBG to generate a random seed.
Note
If this is called after nrf_cc3xx_platform_init it will create a new random seed using HMAC_DRBG.
- Returns
Zero on success, otherwise a non-zero error code.
-
int nrf_cc3xx_platform_init_no_rng(void)
Function to initialize the nrf_cc3xx_platform without rng support.
- Returns
Zero on success, otherwise a non-zero error code.
-
int nrf_cc3xx_platform_deinit(void)
Function to deintialize the nrf_cc3xx_platform.
- Returns
Zero on success, otherwise a non-zero error code.
-
bool nrf_cc3xx_platform_is_initialized(void)
Function to check if the nrf_cc3xx_platform is initialized.
- Return values
True – if initialized, otherwise false.
-
bool nrf_cc3xx_platform_rng_is_initialized(void)
Function to check if the nrf_cc3xx_platform is initialized with RNG support.
- Return values
True – if RNG is initialized, otherwise false.
-
void CRYPTOCELL_IRQHandler(void)
ISR Function for processing of cc3xx Interrupts. This cc3xx interrupt service routine function should be called for interrupt processing. Either by placing this functions directly in the vector table or by calling it from the ISR in the OS.
-
int nrf_cc3xx_platform_init(void)
CC3XX Platform - Entropy APIs
- group nrf_cc3xx_platform_entropy
The nrf_cc3xx_platform_entropy APIs provides TRNG using Arm CC3xx hardware acceleration.
Functions
-
int nrf_cc3xx_platform_entropy_get(uint8_t *buffer, size_t length, size_t *olen)
Function to generate entropy using Arm CryptoCell cc3xx.
This API corresponds to mbedtls_hardware_poll. It provides TRNG using the Arm CryptoCell cc3xx hardware accelerator.
Note
This API is only usable if nrf_cc3xx_platform initialization APIs was run prior to calling it.
- Parameters
buffer – [out] Pointer to buffer to hold the entropy data.
length – [in] Length of the buffer to fill with entropy data.
olen – [out] Pointer to variable that will hold the length of generated entropy.
- Return values
0 – on success
- Returns
Any other error code returned from mbedtls_hardware_poll
-
int nrf_cc3xx_platform_entropy_get(uint8_t *buffer, size_t length, size_t *olen)
CC3XX Platform - Mutex APIs
- group nrf_cc3xx_platform_mutex
The nrf_cc3xx_platform_mutex APIs provides RTOS integration for mutex usage in nrf_cc3xx_platform and dependent libraries.
Defines
-
NRF_CC3XX_PLATFORM_MUTEX_MASK_INVALID
Mask indicating that the mutex is invalid (not initialized or allocated).
-
NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID
Mask value indicating that the mutex is valid for use.
-
NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_ALLOCATED
Mask value indicating that the mutex is allocated and requires deallocation once freed.
-
NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_ATOMIC
Mask value indicating that the mutex is atomic type.
-
NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_HW_MUTEX
Mask value indicating that the mutex is hardware mutex type.
-
NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_INTERNAL_MUTEX
Mask value indicating that the mutex is an internal CryptoCell mutex.
Typedefs
-
typedef void (*nrf_cc3xx_platform_mutex_init_fn_t)(nrf_cc3xx_platform_mutex_t *mutex)
Type definition of function pointer to initialize a mutex.
Calling this function pointer should initialize a previously uninitialized mutex or do nothing if the mutex is already initialized.
Note
Initialization may not imply memory allocation, as this can be done using static allocation through other APIs in the RTOS.
- Param mutex
[in] Pointer to a mutex to initialize.
-
typedef void (*nrf_cc3xx_platform_mutex_free_fn_t)(nrf_cc3xx_platform_mutex_t *mutex)
Type definition of function pointer to free a mutex.
Calling this function pointer should free a mutex.
Note
If the RTOS does not provide an API to free the mutex it is advised to reset the mutex to an initialized state with no owner.
- Param mutex
[in] Pointer to a mutex to free.
-
typedef int (*nrf_cc3xx_platform_mutex_lock_fn_t)(nrf_cc3xx_platform_mutex_t *mutex)
Type definition of function pointer to lock a mutex.
Calling this function pointer should lock a mutex.
- Param mutex
[in] Pointer to a mutex to lock.
-
typedef int (*nrf_cc3xx_platform_mutex_unlock_fn_t)(nrf_cc3xx_platform_mutex_t *mutex)
Type definition of function pointer to unlock a mutex.
Calling this function pointer should unlock a mutex.
- Param mutex
[in] Pointer to a mutex to unlock.
Functions
-
void nrf_cc3xx_platform_set_mutexes(nrf_cc3xx_platform_mutex_apis_t const *const apis, nrf_cc3xx_platform_mutexes_t const *const mutexes)
Function to set platform mutex APIs and mutexes.
- Parameters
apis – [in] Structure holding the mutex APIs.
mutexes – [in] Structure holding the mutexes.
-
void nrf_cc3xx_platform_mutex_init(void)
Function to initialize RTOS thread-safe mutexes.
This function must be implemented to set the platform mutex APIS, and platform mutexes.
Note
This function must be called once before calling nrf_cc3xx_platform initialization APIs or nrf_cc3xx_platform_init_no_rng.
Note
This function is not expected to be thread-safe.
Variables
-
nrf_cc3xx_platform_mutex_apis_t platform_mutex_apis
External reference to structure holding the currently set platform mutexe APIs.
-
nrf_cc3xx_platform_mutexes_t platform_mutexes
External reference to currently set platform hw mutexes.
-
struct nrf_cc3xx_platform_mutex_t
- #include <nrf_cc3xx_platform_mutex.h>
Type definition of architecture neutral mutex type.
-
struct nrf_cc3xx_platform_mutex_apis_t
- #include <nrf_cc3xx_platform_mutex.h>
Type definition of structure holding platform mutex APIs.
-
struct nrf_cc3xx_platform_mutexes_t
- #include <nrf_cc3xx_platform_mutex.h>
Type definition of structure to platform hw mutexes.
-
NRF_CC3XX_PLATFORM_MUTEX_MASK_INVALID
CC3XX Platform - Abort APIs
- group nrf_cc3xx_platform_abort
The nrf_cc3xx_platform_entropy APIs provides callbacks to abort from nrf_cc3xx_platform and/or dependent libraries.
Typedefs
-
typedef void *nrf_cc3xx_platform_abort_handle_t
Type definition of handle used for abort.
This handle could point to the thread or task to abort or any other static memory required for aborting the on-going cryptographic routine(s).
-
typedef void (*nrf_cc3xx_platform_abort_fn_t)(char const *const reason)
Type definition of platform abort function.
Note
This function pointer will be used when the nrf_cc3xx_platform and/or dependent libraries raises an error that can’t be recovered.
Functions
-
void nrf_cc3xx_platform_set_abort(nrf_cc3xx_platform_abort_apis_t const *const apis)
Function to set platform abort APIs.
- Parameters
apis – [in] Pointer to platform APIs.
-
void nrf_cc3xx_platform_abort_init(void)
Function to initialize platform abort APIs.
Note
This function must be called once before calling nrf_cc3xx_platform initialization APIs or nrf_cc3xx_platform_init_no_rng.
Note
This function is not expected to be thread-safe.
Variables
-
nrf_cc3xx_platform_abort_apis_t platform_abort_apis
External reference to the platform abort APIs.
-
struct nrf_cc3xx_platform_abort_apis_t
- #include <nrf_cc3xx_platform_abort.h>
Type definition of structure holding platform abort APIs.
Public Members
-
nrf_cc3xx_platform_abort_handle_t abort_handle
Handle to use when crypto operations are aborted.
-
nrf_cc3xx_platform_abort_fn_t abort_fn
Function to use when crypto operations are aborted.
-
nrf_cc3xx_platform_abort_handle_t abort_handle
-
typedef void *nrf_cc3xx_platform_abort_handle_t
CC3XX Platform - KMU APIs
- group nrf_cc3xx_platform_kmu
The nrf_cc3xx_platform_kmu APIs provides RTOS integration for storing keys in KMU hardware peripherals.
Defines
-
NRF_CC3XX_PLATFORM_KMU_DEFAULT_PERMISSIONS
Constant value representing the default permission to use when writing a key to KMU.
This sets up the written key to be non-writable, non-readable and pushable.
Warning
Deviating from this mask when setting up permissions may allow reading the key from CPU, which has security implications.
-
NRF_CC3XX_PLATFORM_KMU_AES_ADDR
Address of the AES key register in CryptoCell.
-
NRF_CC3XX_PLATFORM_KMU_CHACHAPOLY_ADDR
Address of the ChaChaPoly key register in CryptoCell for 128 bit keys.
-
NRF_CC3XX_PLATFORM_KMU_CHACHAPOLY_ADDR1
Address of the first 128 bits of ChaChaPoly key in CryptoCell
-
NRF_CC3XX_PLATFORM_KMU_CHACHAPOLY_ADDR2
Address of the last 128 bits bits of ChaChaPoly key register in CryptoCell HW
Note
Used only when ChaChaPoly key is larger than 128 bits, in which case the ChaChaPoly key is split between two slots in KMU
-
NRF_CC3XX_PLATFORM_NRF9160_KDR_ADDR
Enums
-
enum nrf_cc3xx_platform_key_type_t
Enumeration type listing the key types which support the CryptoCell push operation.
Values:
-
enumerator NRF_CC3XX_PLATFORM_KEY_TYPE_KDR_AES_128_BIT
AES 128 bit key to be used in KDR.
-
enumerator NRF_CC3XX_PLATFORM_KEY_TYPE_CHACHAPOLY_256_BIT
ChaChaPoly 256 bit key to be used in a KMU slot.
-
enumerator NRF_CC3XX_PLATFORM_KEY_TYPE_AES_128_BIT
AES 128 bit key to be used in a KMU slot.
-
enumerator NRF_CC3XX_PLATFORM_KEY_TYPE_AES_256_BIT
AES 256 bit key to be used in a KMU slot.
-
enumerator NRF_CC3XX_PLATFORM_KEY_TYPE_KDR_AES_128_BIT
Functions
-
int nrf_cc3xx_platform_kmu_write_key(uint32_t slot_id, nrf_cc3xx_platform_key_type_t key_type, nrf_cc3xx_platform_key_buff_t key_buff)
Write a key into the KMU.
This writes a key into the KMU slot defined by slot_id. If the key is larger than 128 bit it will occupy two consecutive KMU slots.
Note
This function uses the default KMU key permissions, see NRF_CC3XX_PLATFORM_KMU_DEFAULT_PERMISSIONS.
- Parameters
slot_id – [in] KMU slot ID for the new key (2 - 127).
key_type – [in] The type of the key to store in the KMU.
key_buff – [in] Buffer containing the key material.
- Returns
NRF_CC3XX_PLATFORM_SUCCESS on success, otherwise a negative value.
-
int nrf_cc3xx_platform_kmu_write_key_slot(uint32_t slot_id, uint32_t key_addr, uint32_t key_perm, const uint8_t key[16])
Write a 128 bit key into a KMU slot.
This writes a key to KMU with the destination of the subsequent push operation set to the address of the AES or ChaChaPoly key registers in Arm CryptoCell.
Note
The default mask for permissions is recommended to use. Please see NRF_CC3XX_PLATFORM_KMU_DEFAULT_PERMISSIONS.
Note
AES keys of 128 bits can use NRF_CC3XX_PLATFORM_KMU_AES_ADDR as the key_addr. ChaChaPoly keys of 128 bits can use NRF_CC3XX_PLATFORM_KMU_CHACHAPOLY_ADDR as the key addr. Keys larger than 128 bits must be split up to use two KMU slots. For AES (only applicable to nRF5340): Use NRF_CC3XX_PLATFORM_KMU_AES_ADDR_1 for the first 128 bits of the key. Use NRF_CC3XX_PLATFORM_KMU_AES_ADDR_2 for the subsequent bits of the key. For ChaChaPoly: Use NRF_CC3XX_PLATFORM_KMU_CHACHAPOLY_ADDR_1 for the first 128 bits of the key. Use NRF_CC3XX_PLATFORM_KMU_CHACHAPOLY_ADDR_2 for the subsequent bits of the key.
- Parameters
slot_id – [in] KMU slot ID for the new key (2 - 127).
key_addr – [in] Destination address in CryptoCell used for key push.
key_perm – [in] Permissions to set for the KMU slot.
key – [in] Array with the 128 bit key to put in the KMU slot.
- Returns
NRF_CC3XX_PLATFORM_SUCCESS on success, otherwise a negative value.
-
int nrf_cc3xx_platform_kmu_write_kdr_slot(uint32_t slot_id, const uint8_t key[16])
Write a 128 bit AES key into a KMU slot for KDR use.
This writes a key to KMU with the destination of the subsequent push operation set to the address of the KDR registers in Arm CryptoCell.
Note
The permission set by this function is “non-writable, non-readable
and pushable”. Please see
NRF_CC3XX_PLATFORM_KMU_DEFAULT_PERMISSIONS.- Parameters
key – [in] Array with the 128 bit key to put in the KMU slot.
- Returns
NRF_CC3XX_PLATFORM_SUCCESS on success, otherwise a negative value.
-
int nrf_cc3xx_platform_kmu_push_kdr_slot_and_lock(uint32_t slot_id)
Push the 128 bit AES key from a KMU slot into CryptoCell KDR registers and set LCS state to secure.
Note
This function must be run once on every boot to load the KDR key and to set the LCS state to secure.
Note
The KDR key will be stored in the Always on Domain (AO) untill the next reset. It is not possible to set the KDR value once the LCS state is set to secure.
- Returns
NRF_CC3XX_PLATFORM_SUCCESS on success, otherwise a negative value.
-
int nrf_cc3xx_platform_kdr_load_key(uint8_t key[16])
Load a unique 128 bit root key into CryptoCell KDR registers and set CryptoCell LCS state to secure.
Note
This function must be run once on every boot do load an AES key into KDR. It is recommended that this is done in an immutable bootloader stage and the page holding the key is ACL read+write protected after it has been loaded into KDR with this API.
Note
The KDR key should be a randomly generated unique key.
Note
The KDR key will be stored in the Always on Domain (AO) until the next reset. It is not possible to set the KDR value once the LCS state is set to secure.
- Parameters
key – [in] Array with the AES 128 bit key.
- Returns
NRF_CC3XX_PLATFORM_SUCCESS on success, otherwise a negative value.
-
int nrf_cc3xx_platform_kmu_shadow_key_derive(uint32_t slot_id, unsigned int keybits, uint8_t const *label, size_t label_size, uint8_t const *context, size_t context_size, uint8_t *output, size_t output_size)
Function to use CMAC to derive a key stored in KMU/KDR.
The KDF is using a PRF function described in the Special publication 800-108: Recommendation for Key Derivation Using Pseudorandom Functions https://csrc.nist.gov/publications/detail/sp/800-108/final.
This algorithm is described in chapter 5.1 - KDF in Counter Mode
The format of the PRF (the input) is as follows: PRF (KI, i || Label || 0x00 || Context || L)
KI: The Key derivation key i : The counter value for each iteration of the PRF represented as one byte. label: A string identifying the purpose of the derived key that is up to 64 bytes long. 0x00: A single byte delimiter. Context: Fixed information about the derived keying material that is up to 64 bytes long. L : The length of derived key material in bits represented as two bytes.
Note
On nRF52840 only slot_id == 0 is valid, pointing to the Kdr key (also known as a HUK key) loaded into the CryptoCell.
- Parameters
slot_id – Identifier of the key slot.
keybits – Key size in bits.
label – Label to use for KDF.
label_size – Size of the label in bytes to use for KDF.
context – Context info to use for KDF.
context_size – Context info size in bytes to use for KDF.
output – Output buffer.
output_size – Size of the output buffer in bytes.
- Returns
0 on success, otherwise a negative number.
-
union nrf_cc3xx_platform_key_buff_t
- #include <nrf_cc3xx_platform_kmu.h>
Union type holding the key material to be loaded in the CryptoCell.
-
NRF_CC3XX_PLATFORM_KMU_DEFAULT_PERMISSIONS
CC3XX Platform - CTR_DRBG APIs
- group nrf_cc3xx_platform_ctr_drbg
The nrf_cc3xx_platform_ctr_drbg APIs provide PRNG seeded by TRNG in accordance with NIST SP 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators The generation of TRNG/PRNG data is using Arm CryptoCell cc3xx hardware acceleration.
The pre-built APIs are based on mbedtls_entropy and mbedtls_ctr_drbg but doesn’t require setting up memory allocation before use.
Defines
-
NRF_CC3XX_PLATFORM_ENTROPY_SIZE_WORDS
Macro holding size of the opaque ctr_drbg context type.
This corresponds to a structure with the combined size of mbedtls_entropy_context and mbedtls_ctr_drbg_context in Arm CryptoCell code base which is sized differently than in vanilla mbed TLS software.
Functions
-
int nrf_cc3xx_platform_ctr_drbg_init(nrf_cc3xx_platform_ctr_drbg_context_t *const context, const uint8_t *pers_string, size_t pers_string_len)
Function that initializes an ctr_drbg context.
Note
If the context is NULL the function uses an internal context.
- Parameters
context – [inout] Pointer to structure holding the ctr_drbg context which must be used for subsequent calls to generate random data.
pers_string – [in] Personalization string used for the CTR_DRBG_Instantiate_algorithm.
pers_string_len – [in] Length of the personalization string, which may be zero.
- Returns
0 on success, otherwise a non-zero failure from mbedtls_ctrl_drbg_seed.
-
int nrf_cc3xx_platform_ctr_drbg_free(nrf_cc3xx_platform_ctr_drbg_context_t *const context)
Function that deintializes an ctr_drbg context.
Param[in,out] context Pointer to structure holding ctr_drbg context which is to be deinitialized.
-
int nrf_cc3xx_platform_ctr_drbg_set_pr(nrf_cc3xx_platform_ctr_drbg_context_t *const context, bool pr_enabled)
Function to enable prediction resistance.
If prediction resistance is enabled, TRNG is gathered at the beginning of every call to nrf_cc3xx_platform_ctr_drbg_get and nrf_cc3xx_platform_ctr_drbg_get_with_add. This leads to a higher power draw and longer execution time.
Note
If the context is NULL the function uses an internal context.
Note
Before calling this api the context to must be initialized by calling nrf_cc3xx_platform_ctr_drbg_init
Note
The default configuration is to have prediction resistance turned off.
- Parameters
context – [inout] Pointer to a structure holding the ctr_drbg context.
pr_enabled – [in] Enables prediction resistance if true, otherwise false (default).
- Returns
0 on success, otherwise a non-zero failure.
-
int nrf_cc3xx_platform_ctr_drbg_set_reseed_interval(nrf_cc3xx_platform_ctr_drbg_context_t *const context, int interval)
Function to change the reseed interval.
This API controls when the ctr_drbg is automatically reseeded
Note
If the context is NULL the function uses an internal context.
Note
Before calling this api the context to must be initialized by calling nrf_cc3xx_platform_ctr_drbg_init.
Note
Changing the reseed interval is optional.
- Parameters
context – [inout] Pointer to a structure holding the ctr_drbg context.
interval – [in] New reeseed interval value.
- Returns
0 on success, otherwise a non-zero failure according to the API mbedtls_ctrl_drbg_reseed.
-
int nrf_cc3xx_platform_ctr_drbg_reseed(nrf_cc3xx_platform_ctr_drbg_context_t *const context, const uint8_t *additional, size_t add_len)
Function to do a manual reseed of ctr_drbg (using TRNG)
Note
If the context is NULL the function uses an internal context.
Note
Calling this API is optional as the APIs nrf_cc3xx_platform_ctr_drbg_get and nrf_cc3xx_platform_ctr_drbg_get_with_add functions will reseed automatically according to the reseed interval in the built-in mbedtls_ctr_drbg context.
Note
Before calling this api the context to must be initialized by calling nrf_cc3xx_platform_ctr_drbg_init.
Note
This API is only usable if nrf_cc3xx_platform initialization APIs was run prior to calling it.
Note
This API is unneccesary if ctr_drbg is executed with prediction resistance turned on.
- Parameters
context – [inout] Pointer to a structure holding the ctr_drbg context.
additional – [in] Optional additional input to use for CTR_DRBG_Reseed_function.
add_len – [in] Length of the additional input, may be zero.
- Returns
0 on success, otherwise a non-zero failure according to the API mbedtls_ctrl_drbg_seed.
-
int nrf_cc3xx_platform_ctr_drbg_get_with_add(nrf_cc3xx_platform_ctr_drbg_context_t *const context, uint8_t *buffer, size_t len, size_t *olen, const uint8_t *additional, size_t add_len)
Function to get PRNG using ctr_drbg and an additional string of data.
This function will calculate PRNG using HW accelarated AES CTR_DRBG with a 16-byte key and reseed with TRNG using ARM CryptoCEll cc3xx HW according to a reseed interval.
This function calculates random numbers using PRNG seeded by TRNG as defined in NIST SP 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. The random numbers are generated using Arm CryptoCell cc3xx hardware acceleration.
Note
If the context is NULL the function uses an internal context.
Note
Before calling this api the context to must be initialized by calling nrf_cc3xx_platform_ctr_drbg_init.
Note
This API is only usable if nrf_cc3xx_platform initialization APIs was run prior to calling it.
- Parameters
context – [inout] Pointer to structure holding the ctr_drbg context.
buffer – [in] Pointer to buffer to hold PRNG data.
len – [in] Length of PRNG to get.
olen – [out] Length reported out.
additional – [in] Additional input to use with CTR_DRBG_Generate_algorithm.
add_len – [in] Length of CTR_DRBG additional input.
- Returns
0 on success, otherwise a non-zero failure according to the API mbedtls_ctrl_drbg_get_with_add.
-
int nrf_cc3xx_platform_ctr_drbg_get(nrf_cc3xx_platform_ctr_drbg_context_t *const context, uint8_t *buffer, size_t length, size_t *olen)
Function to get PRNG data using ctr_drbg.
This function calculates random numbers using PRNG seeded by TRNG as defined in NIST SP 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. The random numbers are generated using Arm CryptoCell cc3xx hardware acceleration.
Note
If the context is NULL the function uses an internal context.
Note
Before calling this api the context to must be initialized by calling nrf_cc3xx_platform_ctr_drbg_init.
Note
This API is only usable if nrf_cc3xx_platform initialization APIs was run prior to calling it.
- Parameters
context – [inout] Pointer to structure holding the ctr_drbg context.
buffer – [in] Pointer to buffer to hold PRNG data.
length – [in] Length of PRNG to get.
olen – [out] Length reported out.
- Returns
0 on success, otherwise a non-zero failure according to the API mbedtls_ctr_drbg_random.
-
struct nrf_cc3xx_platform_ctr_drbg_context_t
- #include <nrf_cc3xx_platform_ctr_drbg.h>
Opaque type for the context required for ctr_drbg generation.
Note: This opaque type contains contexts for mbed TLS entropy generation (TRNG) and ctr_drbg (PRNG).
-
NRF_CC3XX_PLATFORM_ENTROPY_SIZE_WORDS
nRF CC3XX mbedcrypto library
- group nrf_cc3xx_mbedcrypto
nrf_cc3xx_mbedcrypto nrf_cc3xx_mbedcrypto library containing cc3xx APIs for the KMU or KDR peripherals. Further documentation can be found on : https://tls.mbed.org
KMU/KDR APIs
- group nrf_cc3xx_mbedcrypto_kmu
The nrf_cc3xx_mbedcrypto_kmu APIs can be utilized to directly use or derive keys from KMU or KDR in ARM CryptoCell devices.
Defines
-
NRF_KMU_FIRST_SLOT
First addressable key slot in KMU.
-
NRF_KMU_SECOND_SLOT
Second addressable key slot in KMU.
-
NRF_KMU_LAST_SLOT
Last addressable key slot in KMU.
-
NRF_KMU_SLOT_KDR
Key slot reserved for Kdr (Also known as HUK or Root derivation key).
-
NRF_KMU_SLOT_KDR_RESERVED
Key slot reserved for Kdr (CC312: Used for last 128 bits of key material).
-
NRF_KMU_SLOT_MKEK
Key slot reserved for MKEK (Master Key Encryption Key).
-
NRF_KMU_SLOT_MKEK_RESERVED
Key slot reserved for MKEK (CC312: Used for last 128 bits of key material).
-
NRF_KMU_SLOT_MEXT
Key slot reserved for MEXT (Master Key Encryption Key).
-
NRF_KMU_SLOT_MEXT_RESERVED
Key slot reserved for MEXT (CC312: Used for last 128 bits of key material).
-
MBEDTLS_SHADOW_KEY_KDF_MAX_LABEL_SIZE_IN_BYTES
KDF input “label” can be 0 to 64 bytes.
-
MBEDTLS_SHADOW_KEY_KDF_MAX_CONTEXT_SIZE_IN_BYTES
KDF input “context” can be 0 to 64 bytes.
-
MBEDTLS_SHADOW_KEY_KDF_MAX_DERIVED_SIZE_IN_BYTES
KDF max length for derived material.
-
MBEDTLS_ERR_SHADOW_KEY_KEY_OK
The shadow key operation was succesful.
-
MBEDTLS_ERR_SHADOW_KEY_INVALID_SLOT
The shadow key operation used an invalid slot.
-
MBEDTLS_ERR_SHADOW_KEY_INVALID_SIZE
The shadow key was of invalid size.
-
MBEDTLS_ERR_SHADOW_KEY_KDF_INVALID_LABEL
The KDF input label is invalid.
-
MBEDTLS_ERR_SHADOW_KEY_KDF_INVALID_CONTEXT
The KDF input context is invalid.
-
MBEDTLS_ERR_SHADOW_KEY_KDF_INVALID_INPUT
The KDF input is invalid.
-
MBEDTLS_ERR_SHADOW_KEY_INTERNAL_ERROR
KMU/KDF internal error.
Functions
-
int mbedtls_aes_setkey_enc_shadow_key(mbedtls_aes_context *const ctx, uint32_t slot_id, unsigned int keybits)
Function to configure AES to use one or more KMU key slot for encryption.
Note
A shadow key is not directly accessible, only reference information is stored in the context type
Note
Replaces the API mbedtls_aes_setkey_enc.
Note
Using this API enforces raw key usage of keys in the KMU slots. If derived key usage is intended, please use the API nrf_cc3xx_platform_kmu_aes_setkey_enc_shadow_key_derived.
- Parameters
ctx – AES context to set the key by KMU slot
slot_id – Identifier of the key slot (0 - 127)
keybits – Key size in bits
- Returns
0 on success, otherwise a negative number.
-
int mbedtls_aes_setkey_dec_shadow_key(mbedtls_aes_context *const ctx, uint32_t slot_id, unsigned int keybits)
Function to configure AES to use one or more KMU key slot for decryption.
Note
A shadow key is not directly accessible, only reference information is stored in the context type
Note
Replaces the API mbedtls_aes_setkey_dec.
Note
Using this API enforces raw key usage of keys in the KMU slots. If derived key usage is intended, please use the API nrf_cc3xx_platform_kmu_aes_setkey_dec_shadow_key_derived.
- Parameters
ctx – AES context to set the key by KMU slot.
slot_id – Identifier of the key slot (0 - 127).
keybits – Key size in bits.
- Returns
0 on success, otherwise a negative number.
-
int mbedtls_aes_setkey_enc_shadow_key_derived(mbedtls_aes_context *const ctx, uint32_t slot_id, unsigned int keybits, uint8_t const *label, size_t label_size, uint8_t const *context, size_t context_size)
Function to configure AES to use a key derived from one or more slots in KMU for encryption.
See mbedtls_derive_kmu_key for details on the KDF function.
Note
Replaces the API mbedtls_aes_setkey_dec.
Note
The key derivation is executed before each requests to encrypt. this function only configures the context to use a derived key.
Note
When deriving the key from KMU registers, the derived keys exist in SRAM for a brief period of time, before being loaded into the write-only CryptoCell HW registers for AES keys before encryption.
- Parameters
ctx – AES context to set the decryption key by KMU slot.
slot_id – Identifier of the key slot (0 - 127).
keybits – Key size in bits.
label – Label to use for KDF.
label_size – Size of the label to use for KDF.
context – Context info to use for KDF.
context_size – Context info size to use for KDF.
- Returns
0 on success, otherwise a negative number.
-
int mbedtls_aes_setkey_dec_shadow_key_derived(mbedtls_aes_context *const ctx, uint32_t slot_id, unsigned int keybits, uint8_t const *label, size_t label_size, uint8_t const *context, size_t context_size)
Function to configure AES to use a key derived from one or more slots in KMU for decryption.
See mbedtls_derive_kmu_key for details on the KDF function.
Note
A shadow key is not directly accessible, only reference information is stored in the context type
Note
Replaces the API mbedtls_aes_setkey_enc.
Note
The key derivation is executed before each requests to decrypt. This function only configures the context to use a derived key.
Note
When deriving the key from KMU registers, the derived keys exist in SRAM for a brief period of time, before being loaded into the write-only CryptoCell HW registers for AES keys before decryption.
- Parameters
ctx – AES context to set the decryption key by KMU slot.
slot_id – Identifier of the key slot (0 - 127).
keybits – Key size in bits.
label – Label to use for KDF.
label_size – Size of the label to use for KDF.
context – Context info to use for KDF.
context_size – Context info size to use for KDF.
- Returns
0 on success, otherwise a negative number.
-
int mbedtls_ccm_setkey_shadow_key(mbedtls_ccm_context *const ctx, mbedtls_cipher_id_t cipher, uint32_t slot_id, unsigned int keybits)
Function to configure AES CCM to use one or more KMU key slot as encryption key.
Note
A shadow key is not directly accessible, only reference information is stored in the context type
Note
Replaces the API mbedtls_ccm_setkey.
Note
Using this API enforces raw key usage of keys in the KMU slots. If derived key usage is intended, please use the API nrf_cc3xx_platform_kmu_aes_setkey_enc_shadow_key_derived.
- Parameters
ctx – AES context to set the key by KMU slot.
cipher – Cipher id to use.
slot_id – Identifier of the key slot (0 - 127).
keybits – Key size in bits.
- Returns
0 on success, otherwise a negative number.
-
int mbedtls_ccm_setkey_shadow_key_derived(mbedtls_ccm_context *const ctx, mbedtls_cipher_id_t cipher, uint32_t slot_id, unsigned int keybits, uint8_t const *label, size_t label_size, uint8_t const *context, size_t context_size)
Function to configure AES CCM to use a key derived from one or more slots in KMU for encryption.
See mbedtls_derive_kmu_key for details on the KDF function.
Note
A shadow key is not directly accessible, only reference information is stored in the context type
Note
Replaces the API mbedtls_ccm_setkey.
Note
The key derivation is executed before each requests to decrypt. This function only configures the context to use a derived key.
Note
When deriving the key from KMU registers, the derived keys exist in SRAM for a brief period of time, before being loaded into the write-only CryptoCell HW registers for AES keys before decryption.
- Parameters
ctx – AES context to set the decryption key by KMU slot.
cipher – Cipher id to use.
slot_id – Identifier of the key slot (0 - 127).
keybits – Key size in bits.
label – Label to use for KDF.
label_size – Size of the label to use for KDF.
context – Context info to use for KDF.
context_size – Context info size to use for KDF.
- Returns
0 on success, otherwise a negative number.
-
int mbedtls_gcm_setkey_shadow_key(mbedtls_gcm_context *const ctx, mbedtls_cipher_id_t cipher, uint32_t slot_id, unsigned int keybits)
Function to configure AES GCM to use one or more KMU key slot as encryption key.
Note
A shadow key is not directly accessible, only reference information is stored in the context type
Note
Replaces the API mbedtls_gcm_setkey.
Note
Using this API enforces raw key usage of keys in the KMU slots. If derived key usage is intended, please use the API nrf_cc3xx_platform_kmu_aes_setkey_enc_shadow_key_derived.
- Parameters
ctx – AES context to set the key by KMU slot.
cipher – Cipher id to use.
slot_id – Identifier of the key slot (0 - 127).
keybits – Key size in bits.
- Returns
0 on success, otherwise a negative number.
-
int mbedtls_gcm_setkey_shadow_key_derived(mbedtls_gcm_context *const ctx, mbedtls_cipher_id_t cipher, uint32_t slot_id, unsigned int keybits, uint8_t const *label, size_t label_size, uint8_t const *context, size_t context_size)
Function to configure AES GCM to use a key derived from one or more slots in KMU for encryption.
See mbedtls_derive_kmu_key for details on the KDF function.
Note
A shadow key is not directly accessible, only reference information is stored in the context type
Note
Replaces the API mbedtls_gcm_setkey.
Note
The key derivation is executed before each requests to decrypt. this function only configures the context to use a derived key.
Note
When deriving the key from KMU registers, the derived keys exist in SRAM for a brief period of time, before being loaded into the write-only CryptoCell HW registers for AES keys before decryption.
- Parameters
ctx – AES context to set the decryption key by KMU slot.
cipher – Cipher id to use.
slot_id – Identifier of the key slot (0 - 127).
keybits – Key size in bits.
label – Label to use for KDF.
label_size – Size of the label to use for KDF.
context – Context info to use for KDF.
context_size – Context info size to use for KDF.
- Returns
0 on success, otherwise a negative number.
-
int mbedtls_shadow_key_derive(uint32_t slot_id, unsigned int keybits, uint8_t const *label, size_t label_size, uint8_t const *context, size_t context_size, uint8_t *output, size_t output_size)
Function to use CMAC to derive a key stored in KMU/Kdr.
The KDF is using a PRF function described in the Special publication 800-108: Recommendation for Key Derivation Using Pseudorandom Functions https://csrc.nist.gov/publications/detail/sp/800-108/final.
This algorithm is described in chapter 5.1 - KDF in Counter Mode
The format of the PRF (the input) is as follows: PRF (KI, i || Label || 0x00 || Context || L)
KI: The Key derivation key i : The counter value for each iteration of the PRF represented as one byte. label: A string identifying the purpose of the derived key that is up to 64 bytes long. 0x00: a single byte delimiter. Context: Fixed information about the derived keying material that is up to 64 bytes long. L : The length of derived key material in bits represented as two bytes.
Note
On nRF52840 only slot_id == 0 is valid, pointing to the Kdr key (also known as a HUK key) loaded into the CryptoCell.
- Parameters
slot_id – Identifier of the key slot.
keybits – Key size in bits.
label – Label to use for KDF.
label_size – Size of the label to use for KDF.
context – Context info to use for KDF.
context_size – Context info size to use for KDF.
output – Output buffer.
output_size – Size of output buffer in bytes.
- Returns
0 on success, otherwise a negative number.
-
NRF_KMU_FIRST_SLOT
nrf_oberon crypto library
- group ocrypto
Highly optimized cryptographic algorithm implementation for Cortex-M0, Cortex-M4, and Cortex-M33. Created by Oberon, under distribution license with Nordic Semiconductor ASA.
AES - Advanced Encryption Standard APIs
- group ocrypto_aes
AES (advanced encryption standard) is a symmetric encryption algorithm standardized by NIST. AES transfers a 128-bit block of data into an encrypted block of the same size.
AES-CTR - AES Counter Mode
- group ocrypto_aes_ctr
Type definitions and APIs for AES-CTR (AES counter mode).
AES-CTR (AES counter mode) is an AES mode which effectively turns the block cipher into a stream cipher. The AES block encryption is used on a value which is incremented for each new block. The resulting cipher stream is then xor combined with the plaintext to get the ciphertext. In contrast to AES itself, encryption and decryption operations are identical for AES-CTR.
Incremental AES-CTR encryption/decryption.
This group of functions can be used to incrementally compute the AES-CTR encryption/decryption for a given message.
-
void ocrypto_aes_ctr_init(ocrypto_aes_ctr_ctx *ctx, const uint8_t *key, size_t size, const uint8_t iv[16])
AES-CTR initialization.
The context
ctx
is initialized using the given keykey
and initial vectoriv
.- Parameters
ctx – [out] Context.
key – AES key.
size – Key size (16, 24, or 32 bytes).
iv – Initial vector.
-
void ocrypto_aes_ctr_update(ocrypto_aes_ctr_ctx *ctx, uint8_t *ct, const uint8_t *pt, size_t pt_len)
AES-CTR incremental encryption/decryption.
The plaintext
pt
is encrypted to the ciphertextct
using the contextctx
.This function can be called repeatedly until the whole message is processed.
Remark
ct
andpt
can point to the same address.Remark
Initialization of the context
ctx
throughocrypto_aes_ctr_init
is required before this function can be called.- Parameters
ctx – Context.
ct – [out] Ciphertext.
pt – Plaintext.
pt_len – Length of
pt
andct
.
Functions
-
void ocrypto_aes_ctr_encrypt(uint8_t *ct, const uint8_t *pt, size_t pt_len, const uint8_t *key, size_t size, const uint8_t iv[16])
AES-CTR encryption.
Remark
ct
may be same aspt
.- Parameters
ct – [out] Ciphertext.
pt – Plaintext.
pt_len – Length of
pt
andct
.key – AES key.
size – Key size (16, 24, or 32).
iv – Initial vector.
-
void ocrypto_aes_ctr_decrypt(uint8_t *pt, const uint8_t *ct, size_t ct_len, const uint8_t *key, size_t size, const uint8_t iv[16])
AES-CTR decryption.
Remark
ct
may be same aspt
.- Parameters
pt – [out] Plaintext.
ct – Ciphertext.
ct_len – Length of
pt
andct
.key – AES key.
size – Key size (16, 24, or 32).
iv – Initial vector.
-
void ocrypto_aes_ctr_init(ocrypto_aes_ctr_ctx *ctx, const uint8_t *key, size_t size, const uint8_t iv[16])
AES EAX APIs
- group ocrypto_aes_eax
Type definitions and APIS for AES-EAX (Encrypt-then-authenticate-then-translate)
AES-EAX (encrypt-then-authenticate-then-translate) is an AES mode which effectively turns the block cipher into a stream cipher. The AES block cipher primitive is used in CTR mode for encryption and as OMAC for authentication over each block.
Functions
-
void ocrypto_aes_eax_encrypt(uint8_t *ct, uint8_t tag[16], const uint8_t *pt, size_t pt_len, const uint8_t *key, size_t size, const uint8_t *iv, size_t iv_len, const uint8_t *aa, size_t aa_len)
AES-EAX encryption.
Remark
ct
may be same aspt
.- Parameters
ct – [out] Ciphertext.
tag – [out] Authentication tag.
pt – Plaintext.
pt_len – Length of
pt
andct
.key – AES key.
size – Key size (16, 24, or 32 bytes).
iv – Initial vector.
iv_len – Initial vector length.
aa – Additional authentication data.
aa_len – Additional authentication data length.
-
int ocrypto_aes_eax_decrypt(uint8_t *pt, const uint8_t tag[16], const uint8_t *ct, size_t ct_len, const uint8_t *key, size_t size, const uint8_t *iv, size_t iv_len, const uint8_t *aa, size_t aa_len)
AES-EAX decryption.
Remark
ct
may be same aspt
.- Parameters
pt – [out] Plaintext.
tag – Authentication tag.
ct – Ciphertext.
ct_len – Length of
pt
andct
.key – AES key.
size – Key size (16, 24, or 32 bytes).
iv – Initial vector.
iv_len – Initial vector length.
aa – Additional authentication data.
aa_len – Additional authentication data length.
- Return values
0 – If
tag
is valid.-1 – Otherwise.
-
void ocrypto_aes_eax_encrypt(uint8_t *ct, uint8_t tag[16], const uint8_t *pt, size_t pt_len, const uint8_t *key, size_t size, const uint8_t *iv, size_t iv_len, const uint8_t *aa, size_t aa_len)
AES GCM - AES Galois/Counter Mode APIs
- group ocrypto_aes_gcm
Type definitions and APIs for AES-GCM (AES Galois/Counter Mode).
AES-GCM (AES Galois/Counter Mode) is an AES mode which effectively turns the block cipher into a stream cipher. The AES block cipher primitive is used in CTR mode for encryption and decryption. In addition, 128-bit Galois Field multiplication is used for authentication.
Incremental AES-GCM encryption/decryption.
This group of functions can be used to incrementally compute the AES-GCM encryption/decryption for a given message.
-
void ocrypto_aes_gcm_init(ocrypto_aes_gcm_ctx *ctx, const uint8_t *key, size_t size, const uint8_t iv[12])
AES-GCM initialization.
The context
ctx
is initialized using the given keykey
and initial vectoriv
.- Parameters
ctx – [out] Context.
key – AES key.
size – Key size (16, 24, or 32 bytes).
iv – Initial vector.
-
void ocrypto_aes_gcm_update_aad(ocrypto_aes_gcm_ctx *ctx, const uint8_t *aa, size_t aa_len)
AES-GCM incremental aad input.
The generator state
ctx
is updated to include a data chunkaa
.This function can be called repeatedly until the whole data is processed.
Remark
Initialization of the context
ctx
throughocrypto_aes_gcm_init
is required before this function can be called.Remark
ocrypto_aes_gcm_update_aad
must be called before any call toocrypto_aes_gcm_update_enc
orocrypto_aes_gcm_update_dec
.- Parameters
ctx – Generator state.
aa – Additional authenticated data.
aa_len – Length of
aa
.
-
void ocrypto_aes_gcm_update_enc(ocrypto_aes_gcm_ctx *ctx, uint8_t *ct, const uint8_t *pt, size_t pt_len)
AES-GCM incremental encryption.
The plaintext
pt
is encrypted to the ciphertextct
using the contextctx
.This function can be called repeatedly until the whole message is processed.
Remark
ct
andpt
can point to the same address.Remark
Initialization of the context
ctx
throughocrypto_aes_gcm_init
is required before this function can be called.- Parameters
ctx – Context.
ct – [out] Ciphertext.
pt – Plaintext.
pt_len – Length of
pt
andct
.
-
void ocrypto_aes_gcm_update_dec(ocrypto_aes_gcm_ctx *ctx, uint8_t *pt, const uint8_t *ct, size_t ct_len)
AES-GCM incremental decryption.
The ciphertext
ct
is decrypted to the plaintextpt
using the contextctx
.This function can be called repeatedly until the whole message is processed.
Remark
ct
andpt
can point to the same address.Remark
Initialization of the context
ctx
throughocrypto_aes_gcm_init
is required before this function can be called.- Parameters
ctx – Context.
pt – [out] Plaintext.
ct – Ciphertext.
ct_len – Length of
ct
andpt
.
-
void ocrypto_aes_gcm_final_enc(ocrypto_aes_gcm_ctx *ctx, uint8_t *tag, size_t tag_len)
AES-GCM final encoder step.
The generator state
ctx
is used to finalize the encryption and generate the tag.- Parameters
ctx – Generator state.
tag – [out] Generated authentication tag.
tag_len – Authentication tag length, 0 <
tag_len
<= 16.
-
int ocrypto_aes_gcm_final_dec(ocrypto_aes_gcm_ctx *ctx, const uint8_t *tag, size_t tag_len)
AES-GCM final decoder step.
The generator state
ctx
is used to finalize the decryption and check the tag.- Parameters
ctx – Generator state.
tag – Received authentication tag.
tag_len – Authentication tag length.
- Return values
0 – If
tag
is valid.-1 – Otherwise.
Functions
-
void ocrypto_aes_gcm_encrypt(uint8_t *ct, uint8_t *tag, size_t tag_len, const uint8_t *pt, size_t pt_len, const uint8_t *key, size_t size, const uint8_t iv[12], const uint8_t *aa, size_t aa_len)
AES-GCM encryption.
Remark
ct
may be same aspt
.- Parameters
ct – [out] Ciphertext.
tag – [out] Authentication tag.
tag_len – Authentication tag length, 0 <
tag_len
<= 16.pt – Plaintext.
pt_len – Plaintext length, 0 <
ct_len
< 2^36-32 bytes.key – AES key.
size – Key size (16, 24, or 32 bytes).
iv – Initial vector.
aa – Additional authentication data.
aa_len – Additional authentication data length, 0 <
aa_len
< 2^61 bytes.
-
int ocrypto_aes_gcm_decrypt(uint8_t *pt, const uint8_t *tag, size_t tag_len, const uint8_t *ct, size_t ct_len, const uint8_t *key, size_t size, const uint8_t iv[12], const uint8_t *aa, size_t aa_len)
AES-GCM decryption.
Remark
ct
may be same aspt
.- Parameters
pt – [out] Plaintext.
tag – Authentication tag.
tag_len – Authentication tag length, 0 <
tag_len
<= 16.ct – Ciphertext.
ct_len – Ciphertext length, 0 <
ct_len
< 2^36-32 bytes.key – AES key.
size – Key size (16, 24, or 32 bytes).
iv – Initial vector.
aa – Additional authentication data.
aa_len – Additional authentication data length, 0 <
aa_len
< 2^61 bytes.
- Return values
0 – If
tag
is valid.-1 – Otherwise.
-
void ocrypto_aes_gcm_init(ocrypto_aes_gcm_ctx *ctx, const uint8_t *key, size_t size, const uint8_t iv[12])
AES key sizes
- group ocrypto_aes_key
Type definition of AES key sizes.
AES key sizes in bytes.
ChaCha20-Poly1305
- group ocrypto_chacha_poly
ChaCha20-Poly1305 is an authenticated encryption algorithm with optional additional authenticated data developed by Daniel J.Bernstein.
ChaCha20-Poly1305 APIs
- group ocrypto_chacha_poly_apis
Type declaration and APIs for authenticated encryption and additional data using the ChaCha20-Poly1305 algorithm in incremental steps.
ChaCha20-Poly1305 is an authenticated encryption algorithm with optional additional authenticated data developed by Daniel J.Bernstein.
The ChaCha20 stream cipher is combined with the Poly1305 authenticator.
Incremental ChaCha20-Poly1305 generator.
This group of functions can be used to incrementally encode and decode a message using the ChaCha20-Poly1305 stream cipher.
Use pattern:
Encoding:
Decoding:ocrypto_chacha20_poly1305_init(ctx, nonce, nonce_len, key); ocrypto_chacha20_poly1305_update_aad(ctx, aad, aad_len); ... ocrypto_chacha20_poly1305_update_aad(ctx, aad, aad_len); ocrypto_chacha20_poly1305_update_enc(ctx, ct, pt, pt_len); ... ocrypto_chacha20_poly1305_update_enc(ctx, ct, pt, pt_len); ocrypto_chacha20_poly1305_final_enc(ctx, tag);
ocrypto_chacha20_poly1305_init(ctx, nonce, nonce_len, key); ocrypto_chacha20_poly1305_update_aad(ctx, aad, aad_len); ... ocrypto_chacha20_poly1305_update_aad(ctx, aad, aad_len); ocrypto_chacha20_poly1305_update_dec(ctx, pt, ct, ct_len); ... ocrypto_chacha20_poly1305_update_dec(ctx, pt, ct, ct_len); res = ocrypto_chacha20_poly1305_final_dec(ctx, tag);
-
void ocrypto_chacha20_poly1305_init(ocrypto_chacha20_poly1305_ctx *ctx, const uint8_t *n, size_t n_len, const uint8_t k[(32)])
ChaCha20-Poly1305 initialization.
The generator state
ctx
is initialized by this function.- Parameters
ctx – [out] Generator state.
n – Nonce.
n_len – Length of
n
. 0 <=n_len
<=ocrypto_chacha20_poly1305_NONCE_BYTES_MAX
.k – Encryption key.
-
void ocrypto_chacha20_poly1305_update_aad(ocrypto_chacha20_poly1305_ctx *ctx, const uint8_t *a, size_t a_len)
ChaCha20-Poly1305 incremental aad input.
The generator state
ctx
is updated to include an additional authenticated data chunka
.This function can be called repeatedly until the whole data is processed.
Remark
Initialization of the generator state
ctx
throughocrypto_chacha20_poly1305_init
is required before this function can be called.Remark
ocrypto_chacha20_poly1305_update_aad
must be called before any call toocrypto_chacha20_poly1305_update_enc
orocrypto_chacha20_poly1305_update_dec
.- Parameters
ctx – Generator state.
a – Additional authenticated data.
a_len – Length of
a
.
-
void ocrypto_chacha20_poly1305_update_enc(ocrypto_chacha20_poly1305_ctx *ctx, uint8_t *c, const uint8_t *m, size_t m_len)
ChaCha20-Poly1305 incremental encoder input.
The generator state
ctx
is updated to include a message chunkm
.This function can be called repeatedly on arbitrarily small chunks of the message until the whole message has been processed.
Remark
Initialization of the generator state
ctx
throughocrypto_chacha20_poly1305_init
is required before this function can be called.Remark
ocrypto_chacha20_poly1305_update_enc
must be called after any call toocrypto_chacha20_poly1305_update_aad
.Remark
c
may be same asm
.- Parameters
ctx – Generator state.
c – [out] Generated ciphertext. Same length as input message.
m – Message chunk.
m_len – Length of
m
.
-
void ocrypto_chacha20_poly1305_update_dec(ocrypto_chacha20_poly1305_ctx *ctx, uint8_t *m, const uint8_t *c, size_t c_len)
ChaCha20-Poly1305 incremental decoder input.
The generator state
ctx
is updated to include a ciphertext chunkc
.This function can be called repeatedly on arbitrarily small chunks of the ciphertext until the whole ciphertext has been processed.
Remark
Initialization of the generator state
ctx
throughocrypto_chacha20_poly1305_init
is required before this function can be called.Remark
ocrypto_chacha20_poly1305_update_dec
must be called after any call toocrypto_chacha20_poly1305_update_aad
.Remark
m
may be same asc
.- Parameters
ctx – Generator state.
m – [out] Decoded message. Same length as received ciphertext.
c – Ciphertext chunk.
c_len – Length of
c
.
-
void ocrypto_chacha20_poly1305_final_enc(ocrypto_chacha20_poly1305_ctx *ctx, uint8_t tag[(16)])
ChaCha20-Poly1305 final encoder step.
The generator state
ctx
is used to finalize the encryption and generate the tag.- Parameters
ctx – Generator state.
tag – [out] Generated authentication tag.
-
int ocrypto_chacha20_poly1305_final_dec(ocrypto_chacha20_poly1305_ctx *ctx, const uint8_t tag[(16)])
ChaCha20-Poly1305 final decoder step.
The generator state
ctx
is used to finalize the decryption and check the tag.- Parameters
ctx – Generator state.
tag – Received authentication tag.
- Return values
0 – If
tag
is valid.-1 – Otherwise.
Defines
-
ocrypto_chacha20_poly1305_KEY_BYTES
Length of the encryption key.
-
ocrypto_chacha20_poly1305_NONCE_BYTES_MAX
Maximum length of the nonce.
-
ocrypto_chacha20_poly1305_TAG_BYTES
Length of the authentication tag.
Functions
-
void ocrypto_chacha20_poly1305_encrypt(uint8_t tag[(16)], uint8_t *c, const uint8_t *m, size_t m_len, const uint8_t *a, size_t a_len, const uint8_t *n, size_t n_len, const uint8_t k[(32)])
AEAD ChaCha20-Poly1305 encrypt.
The message
m
is encrypted using a ChaCha20 cipher stream derived from the encryption keyk
and the noncen
. The resulting ciphertext has the same lengthm_len
as the input messagem
and is put intoc
.Additionally, the ciphertext
c
, as well as the additional authenticated dataa
, is authenticated with a tag that is generated with Poly1305 using a unique subkey derived fromk
andn
, and then put intotag
.Remark
c
may be same asm
.Remark
When reusing an encryption key
k
for a different messagem
or different additional authenticated dataa
, a different noncen
must be used.- Parameters
tag – [out] Generated authentication tag.
c – [out] Generated ciphertext. Same length as input message.
m – Input message.
m_len – Length of
m
andc
.a – Additional authenticated data.
a_len – Length of
a
. May be 0.n – Nonce.
n_len – Length of
n
. 0 <=n_len
<=ocrypto_chacha20_poly1305_NONCE_BYTES_MAX
.k – Encryption key.
-
int ocrypto_chacha20_poly1305_decrypt(const uint8_t tag[(16)], uint8_t *m, const uint8_t *c, size_t c_len, const uint8_t *a, size_t a_len, const uint8_t *n, size_t n_len, const uint8_t k[(32)])
AEAD ChaCha20-Poly1305 decrypt.
If the authentication tag
tag
is valid for the ciphertextc
, the additional authenticated dataa
, the encryption keyk
and the noncen
, the ciphertext is decrypted and put intom
. The decrypted messagem
has the same lengthc_len
as the original ciphertext.Remark
m
may be same asc
.- Parameters
tag – Received authentication tag.
m – [out] Decoded message. Same length as received ciphertext.
c – Received ciphertext.
c_len – Length of
c
andm
.a – Received additional authenticated data.
a_len – Length of
a
. May be 0.n – Nonce.
n_len – Length of
n
. 0 <=n_len
<=ocrypto_chacha20_poly1305_NONCE_BYTES_MAX
.k – Encryption key.
- Return values
0 – If
tag
is valid.-1 – Otherwise.
-
void ocrypto_chacha20_poly1305_init(ocrypto_chacha20_poly1305_ctx *ctx, const uint8_t *n, size_t n_len, const uint8_t k[(32)])
ChaCha20 APIs
- group ocrypto_chacha
Type declaration and APIs for the Chacha20 stream cipher algorithm.
ChaCha20 is a stream cipher developed by Daniel J. Bernstein based on the 20-round cipher Salsa20/20.
A 256-bit key is expanded into 2^64 randomly accessible streams, each containing 2^64 randomly accessible 64-byte (512-bit) blocks.
The changes from Salsa20/20 to ChaCha20 are designed to improve diffusion per round, conjecturally increasing resistance to cryptanalysis, while preserving - and often improving - time per round.
See also
Incremental ChaCha20 Encoder.
This group of functions can be used to incrementally compute the ChaCha20 encryption for a given message and key, by segmenting a message into smaller chunks.
Use pattern:
Encoding/Decoding:
ocrypto_chacha20_init(ctx, n, n_len, key, count); ocrypto_chacha20_update(ctx, c, m, m_len); ... ocrypto_chacha20_update(ctx, c, m, m_len);
-
void ocrypto_chacha20_init(ocrypto_chacha20_ctx *ctx, const uint8_t *n, size_t n_len, const uint8_t key[(32)], uint32_t count)
ChaCha20 encoder initialization.
The generator state
ctx
is initialized by this function.Remark
When reusing an encryption key
key
for a different message, a different noncen
or initial block countercount
must be used.- Parameters
ctx – [out] Encoder state.
n – Nonce.
n_len – Nonce length. 0 <=
n_len
<=ocrypto_chacha20_NONCE_BYTES_MAX
.key – Authentication key.
count – Initial block counter, usually 0 or 1.
-
void ocrypto_chacha20_update(ocrypto_chacha20_ctx *ctx, uint8_t *c, const uint8_t *m, size_t m_len)
ChaCha20 encoder.
The message
m
is ChaCha20 encrypted and the resulting cipher stream is writen toc
.This function can be called repeatedly on arbitrarily small chunks of a larger message until the whole message has been processed.
Remark
Initialization of the encoder state
ctx
throughocrypto_chacha20_init
is required before this function can be called.- Parameters
ctx – Encoder state.
c – [out] Generated ciphertext. Same length as input message.
m – Input message.
m_len – Length of
c
andm
;m_len
< 2^38 bytes.
Defines
-
ocrypto_chacha20_KEY_BYTES
Length of the encryption key.
-
ocrypto_chacha20_NONCE_BYTES_MAX
Maximum length of the nonce.
Functions
-
void ocrypto_chacha20_encode(uint8_t *c, const uint8_t *m, size_t m_len, const uint8_t *n, size_t n_len, const uint8_t key[(32)], uint32_t count)
ChaCha20 cipher stream encoder.
The message
m
is encrypted by applying the XOR operation with a pseudo random cipher stream derived from the encryption keykey
, the noncen
, and the initial block countercount
.Calling the function a second time with the generated ciphertext as input message
m
decrypts it back to the original message.Remark
c
may be same asm
.Remark
When reusing an encryption key
key
for a different messagem
, a different noncen
or initial block countercount
must be used.- Parameters
c – [out] Generated ciphertext. Same length as input message.
m – Input message.
m_len – Length of
c
andm
.n – Nonce.
n_len – Nonce length. 0 <=
n_len
<=ocrypto_chacha20_NONCE_BYTES_MAX
.key – Encryption key.
count – Initial block counter.
-
void ocrypto_chacha20_init(ocrypto_chacha20_ctx *ctx, const uint8_t *n, size_t n_len, const uint8_t key[(32)], uint32_t count)
Constant time APIs
- group ocrypto_constant_time
Timing-invariant functions to use with cryptography.
Defines
-
ocrypto_constant_time_copy(x, y, length)
Variable length copy.
- Parameters
x – Memory region to copy
y
to.y – Memory region to copy to
x
.length – Number of bytes to copy,
length
> 0.
-
ocrypto_constant_time_fill_zero(x, length)
Variable length fill with zero.
- Parameters
x – Memory region to be filled with zero.
length – Number of bytes to fill,
length
> 0.
Functions
-
int ocrypto_constant_time_equal(const void *x, const void *y, size_t length)
Variable length comparison.
- Parameters
x – Memory region to compare with
y
.y – Memory region to compare with
x
.length – Number of bytes to compare,
length
> 0.
- Return values
1 – If
x
andy
point to equal memory regions.0 – Otherwise.
-
int ocrypto_constant_time_is_zero(const void *x, size_t length)
Variable length compare to zero.
- Parameters
x – Memory region that will be compared.
length – Number of bytes to compare,
length
> 0.
- Return values
1 – If
x
is equal to a zero memory region.0 – Otherwise.
-
void ocrypto_constant_time_xor(void *r, const void *x, const void *y, size_t length)
Variable length bitwise xor.
Remark
r
may be same asx
ory
.- Parameters
r – Memory region to store the result.
x – Memory region containing the first argument.
y – Memory region containing the second argument.
length – Number of bytes in both arguments,
length
> 0.
-
ocrypto_constant_time_copy(x, y, length)
ECC secp256r1 low-level APIs
- group ocrypto_p256
Type declarations and APIs for low-level elliptic curve point operations based on the NIST secp256r1 curve.
Functions
-
int ocrypto_curve_p256_from32bytes(ocrypto_cp_p256 *r, const uint8_t p[32])
Load r.x from bytes, keep r.y.
- Parameters
r – [out] Point with r.x loaded, r.y kept.
p – x as as array of bytes.
- Return values
0 – If
r
is a valid curve point.-1 – Otherwise.
-
int ocrypto_curve_p256_from64bytes(ocrypto_cp_p256 *r, const uint8_t p[64])
Load point from bytes.
- Parameters
r – [out] Loaded point.
p – Point as array of bytes.
- Return values
0 – If
r
is a valid curve point.-1 – Otherwise.
-
void ocrypto_curve_p256_to32bytes(uint8_t r[32], ocrypto_cp_p256 *p)
Store p.x to bytes.
- Parameters
r – [out] x stored as array.
p – Point with x to be stored.
-
void ocrypto_curve_p256_to64bytes(uint8_t r[64], ocrypto_cp_p256 *p)
Store p.x to bytes.
- Parameters
r – [out] Point stored as array.
p – Point to be stored.
-
int ocrypto_curve_p256_scalarmult(ocrypto_cp_p256 *r, const ocrypto_cp_p256 *p, const ocrypto_sc_p256 *s)
P256 scalar multiplication.
r = p * s r = [0,0] if p = [0,0] or s mod q = 0
- Parameters
r – [out] Output point.
p – Input point.
s – Scalar.
- Return values
-1 – If r = [0,0].
0 – If 0 < s < q.
1 – If s > q.
-
int ocrypto_curve_p256_scalarmult_base(ocrypto_cp_p256 *r, const ocrypto_sc_p256 *s)
P256 scalar base multiplication.
r = basePoint * s r = [0,0] if s mod q = 0
- Parameters
r – [out] Output point.
s – Scalar.
- Return values
-1 – If r = [0,0].
0 – If 0 < s < q.
1 – If s > q.
-
int ocrypto_curve_p256_from32bytes(ocrypto_cp_p256 *r, const uint8_t p[32])
ECC Curve25519 low-level APIs
- group ocrypto_curve25519
Type declarations and APIs for low-level elliptic curve point operations based on Curve25519.
Curve25519 is an elliptic curve offering 128 bits of security. It is designed for use in the Elliptic Curve Diffie-Hellman (ECDH) key agreement scheme.
Defines
-
ocrypto_curve25519_SCALAR_BYTES
Length of a scalar.
-
ocrypto_curve25519_BYTES
Length of a curve point.
Functions
-
void ocrypto_curve25519_scalarmult_base(uint8_t r[(32)], const uint8_t n[(32)])
Curve25519 scalar multiplication
r = n * basePoint
.Given a secret key
n
, the corresponding Curve25519 public key is computed and put intor
.Remark
r
may be same asn
.- Parameters
r – [out] Resulting curve point.
n – [in] Scalar factor.
-
void ocrypto_curve25519_scalarmult(uint8_t r[(32)], const uint8_t n[(32)], const uint8_t p[(32)])
Curve25519 scalar multiplication
r = n * p
.A shared secret is computed from the local secret key
n
and another party’s public keyp
and put intor
. The same shared secret is generated when the other party combines its private key with the local public key.Remark
r
may be same asn
.- Parameters
r – [out] Resulting curve point.
n – [in] Scalar factor.
p – [in] Point factor.
-
void ocrypto_curve25519_scalarmult_base_ctx(ocrypto_curve25519_ctx *ctx, uint8_t r[(32)], const uint8_t n[(32)])
Curve25519 scalar multiplication
r = n * basePoint
with context.Given a secret key
n
, the corresponding Curve25519 public key is computed and put intor
.Remark
r
may be same asn
.- Parameters
ctx – Context.
r – [out] Resulting curve point.
n – [in] Scalar factor.
-
void ocrypto_curve25519_scalarmult_ctx(ocrypto_curve25519_ctx *ctx, uint8_t r[(32)], const uint8_t n[(32)], const uint8_t p[(32)])
Curve25519 scalar multiplication
r = n * p
with context.A shared secret is computed from the local secret key
n
and another party’s public keyp
and put intor
. The same shared secret is generated when the other party combines its private key with the local public key.Remark
r
may be same asn
.- Parameters
ctx – Context.
r – [out] Resulting curve point.
n – [in] Scalar factor.
p – [in] Point factor.
-
ocrypto_curve25519_SCALAR_BYTES
ECDH APIs
- group ocrypto_ecdh_p256
Type declarations and APIs for low-level elliptic curve point operations to do Elliptic Curve Diffie-Hellman based on the NIST secp256r1 curve.
Incremental ECDH P-256 calculation.
This group of functions can be used to incrementally calculate the ECDH P-256 public key and common secret. Each call completes in less than 25ms on a 16MHz Cortex-M0.
Use pattern:
Public Key:
Common Secret:ocrypto_ecdh_p256_public_key_init(ctx, sKey); while (ocrypto_ecdh_p256_public_key_iterate(ctx)); res = ocrypto_ecdh_p256_public_key_final(ctx, pKey);
ocrypto_ecdh_p256_common_secret_init(ctx, sKey, pKey); while (ocrypto_ecdh_p256_common_secret_iterate(ctx)); res = ocrypto_ecdh_p256_common_secret_final(ctx, secret);
-
void ocrypto_ecdh_p256_public_key_init(ocrypto_ecdh_p256_context *ctx, const uint8_t sk[32])
Incremental ECDH P-256 public key generation start.
Key generation is started and the context
ctx
is initialized by this function.- Parameters
ctx – [out] Context.
sk – Secret key. Must be pre-filled with random data.
-
int ocrypto_ecdh_p256_public_key_iterate(ocrypto_ecdh_p256_context *ctx)
Incremental ECDH P-256 public key generation step.
The key calculation is advanced and the context
ctx
is updated by this function.- Parameters
ctx – Context.
- Return values
1 – If another call to
ocrypto_ecdh_p256_public_key_init
is needed.0 – If key generation should be completed by a call to
ocrypto_ecdh_p256_public_key_final
.
-
int ocrypto_ecdh_p256_public_key_final(ocrypto_ecdh_p256_context *ctx, uint8_t r[64])
Incremental ECDH P-256 public key generation final step.
Key generation is finalized and the context
ctx
is used to generate the key.- Parameters
ctx – Context.
r – [out] Generated public key.
- Return values
0 – If
sk
is a valid secret key.-1 – Otherwise.
-
void ocrypto_ecdh_p256_common_secret_init(ocrypto_ecdh_p256_context *ctx, const uint8_t sk[32], const uint8_t pk[64])
Incremental ECDH P-256 common secret generation start.
Common secret calculation is started and the context
ctx
is initialized by this function.- Parameters
ctx – [out] Context.
sk – Server private key.
pk – Client public key.
-
int ocrypto_ecdh_p256_common_secret_iterate(ocrypto_ecdh_p256_context *ctx)
Incremental ECDH P-256 common secret generation step.
Common secret calculation is advanced and the context
ctx
is updated by this function.- Parameters
ctx – Context.
- Return values
1 – If another call to
ocrypto_ecdh_p256_common_secret_iterate
is needed.0 – If key generation should be completed by a call to
ocrypto_ecdh_p256_common_secret_final
.
-
int ocrypto_ecdh_p256_common_secret_final(ocrypto_ecdh_p256_context *ctx, uint8_t r[32])
Incremental ECDH P-256 common secret generation final step.
Common secret calculation is finalized and the context
ctx
is used to generate the secret.- Parameters
ctx – Context.
r – [out] Generated common secret.
- Return values
0 – If
sk
is a valid secret key andpk
is a valid public key.-1 – Otherwise.
Functions
-
int ocrypto_ecdh_p256_public_key(uint8_t r[64], const uint8_t sk[32])
ECDH P-256 public key generation
r = n * p
.Given a secret key
sk
the corresponding public key is computed and put intor
.Remark
r
may be same assk
.- Parameters
r – [out] Generated public key.
sk – Secret key. Must be pre-filled with random data.
- Return values
0 – If
sk
is a valid secret key.-1 – Otherwise.
-
int ocrypto_ecdh_p256_common_secret(uint8_t r[32], const uint8_t sk[32], const uint8_t pk[64])
ECDH P-256 common secret.
The common secret is computed from both the client’s public key
pk
and the server’s secret keysk
and put intor
.Remark
r
may be same assk
orpk
.- Parameters
r – [out] Generated common secret.
sk – Server private key.
pk – Client public key.
- Return values
0 – If
sk
is a valid secret key andpk
is a valid public key.-1 – Otherwise.
-
void ocrypto_ecdh_p256_public_key_init(ocrypto_ecdh_p256_context *ctx, const uint8_t sk[32])
- group ocrypto_ecdh_p224
Type declarations and APIs for low-level elliptic curve point operations to do Elliptic Curve Diffie-Hellman based on the NIST secp224r1 curve.
Functions
-
int ocrypto_ecdh_p224_public_key(uint8_t r[56], const uint8_t sk[28])
ECDH P-224 public key generation
r = n * p
.Given a secret key
sk
the corresponding public key is computed and put intor
.Remark
r
may be same assk
.- Parameters
r – [out] Generated public key.
sk – Secret key. Must be pre-filled with random data.
- Return values
0 – If
sk
is a valid secret key.-1 – Otherwise.
-
int ocrypto_ecdh_p224_common_secret(uint8_t r[28], const uint8_t sk[28], const uint8_t pk[56])
ECDH P-224 common secret.
The common secret is computed from both the client’s public key
pk
and the server’s secret keysk
and put intor
.Remark
r
may be same assk
orpk
.- Parameters
r – [out] Generated common secret.
sk – Server private key.
pk – Client public key.
- Return values
0 – If
sk
is a valid secret key andpk
is a valid public key.-1 – Otherwise.
-
int ocrypto_ecdh_p224_public_key(uint8_t r[56], const uint8_t sk[28])
ECDSA APIs
- group ocrypto_ecdsa_p256
Type declarations and APIs to do Elliptic Curve Digital Signature Algorith using the NIST secp256r1 curve.
ECDSA P-256 is a specific implementation of a digital signature scheme.
Functions
-
int ocrypto_ecdsa_p256_public_key(uint8_t pk[64], const uint8_t sk[32])
ECDSA P-256 public key generation.
Given a secret key
sk
the corresponding public key is computed and put intopk
.- Parameters
pk – [out] Generated public key.
sk – Secret key. Must be pre-filled with random data.
- Return values
0 – If
sk
is a valid secret key.-1 – Otherwise.
-
int ocrypto_ecdsa_p256_sign(uint8_t sig[64], const uint8_t *m, size_t mlen, const uint8_t sk[32], const uint8_t ek[32])
ECDSA P-256 signature generation.
The message
m
is signed using the secret keysk
and the ephemeral session keyek
. The signature is put intosig
.- Parameters
sig – [out] Generated signature.
m – Input message.
mlen – Length of
m
.sk – Secret key.
ek – Session key.
- Return values
0 – If
ek
is a valid session key.-1 – Otherwise.
-
int ocrypto_ecdsa_p256_sign_hash(uint8_t sig[64], const uint8_t hash[32], const uint8_t sk[32], const uint8_t ek[32])
ECDSA P-256 signature generation from SHA256 hash.
The message hash
hash
is signed using the secret keysk
and the ephemeral session keyek
. The signature is put intosig
.- Parameters
sig – [out] Generated signature.
hash – Input hash.
sk – Secret key.
ek – Session key.
- Return values
0 – If
ek
is a valid session key.-1 – Otherwise.
-
void ocrypto_ecdsa_p256_det_sign(uint8_t sig[64], const uint8_t *m, size_t mlen, const uint8_t sk[32])
ECDSA P-256 deterministic signature generation.
The message
m
is signed using the secret keysk
and a session key calculated from message hash and key. The signature is put intosig
.- Parameters
sig – [out] Generated signature.
m – Input message.
mlen – Length of
m
.sk – Secret key.
-
void ocrypto_ecdsa_p256_det_sign_hash(uint8_t sig[64], const uint8_t hash[32], const uint8_t sk[32])
ECDSA P-256 deterministic signature generation from SHA256 hash.
The message hash
hash
is signed using the secret keysk
and a session key calculated from hash and key. The signature is put intosig
.- Parameters
sig – [out] Generated signature.
hash – Input hash.
sk – Secret key.
-
int ocrypto_ecdsa_p256_verify(const uint8_t sig[64], const uint8_t *m, size_t mlen, const uint8_t pk[64])
ECDSA P-256 signature verification.
The signature
sig
of the input messagem
is verified using the signer’s public keypk
.- Parameters
sig – Input signature.
m – Input message.
mlen – Length of
m
.pk – Signer’s public key.
- Return values
0 – If the signature is valid.
-1 – Otherwise.
-
int ocrypto_ecdsa_p256_verify_hash(const uint8_t sig[64], const uint8_t hash[32], const uint8_t pk[64])
ECDSA P-256 signature verification from SHA256 hash.
The signature
sig
of the message hashhash
is verified using the signer’s public keypk
.- Parameters
sig – Input signature.
hash – Input hash.
pk – Signer’s public key.
- Return values
0 – If the signature is valid.
-1 – Otherwise.
-
int ocrypto_ecdsa_p256_public_key(uint8_t pk[64], const uint8_t sk[32])
- group ocrypto_ecdsa_p224
Type declarations and APIs to do Elliptic Curve Digital Signature Algorithm using the NIST secp224r1 curve.
ECDSA P-224 is a specific implementation of a digital signature scheme.
Functions
-
int ocrypto_ecdsa_p224_public_key(uint8_t pk[56], const uint8_t sk[28])
ECDSA P-224 public key generation.
Given a secret key
sk
the corresponding public key is computed and put intopk
.- Parameters
pk – [out] Generated public key.
sk – Secret key. Must be pre-filled with random data.
- Return values
0 – If
sk
is a valid secret key.-1 – Otherwise.
-
int ocrypto_ecdsa_p224_sign(uint8_t sig[56], const uint8_t *m, size_t mlen, const uint8_t sk[28], const uint8_t ek[28])
ECDSA P-224 signature generation.
The message
m
is signed using the secret keysk
and the ephemeral session keyek
. The signature is put intosig
.- Parameters
sig – [out] Generated signature.
m – Input message.
mlen – Length of
m
.sk – Secret key.
ek – Session key.
- Return values
0 – If
ek
is a valid session key.-1 – Otherwise.
-
int ocrypto_ecdsa_p224_sign_hash(uint8_t sig[56], const uint8_t hash[28], const uint8_t sk[28], const uint8_t ek[28])
ECDSA P-224 signature generation from SHA224 hash.
The message hash
hash
is signed using the secret keysk
and the ephemeral session keyek
. The signature is put intosig
.- Parameters
sig – [out] Generated signature.
hash – Input hash.
sk – Secret key.
ek – Session key.
- Return values
0 – If
ek
is a valid session key.-1 – Otherwise.
-
int ocrypto_ecdsa_p224_verify(const uint8_t sig[56], const uint8_t *m, size_t mlen, const uint8_t pk[56])
ECDSA P-224 signature verification.
The signature
sig
of the input messagem
is verified using the signer’s public keypk
.- Parameters
sig – Input signature.
m – Input message.
mlen – Length of
m
.pk – Signer’s public key.
- Return values
0 – If the signature is valid.
-1 – Otherwise.
-
int ocrypto_ecdsa_p224_verify_hash(const uint8_t sig[56], const uint8_t hash[28], const uint8_t pk[56])
ECDSA P-224 signature verification from SHA224 hash.
The signature
sig
of the message hashhash
is verified using the signer’s public keypk
.- Parameters
sig – Input signature.
hash – Input hash.
pk – Signer’s public key.
- Return values
0 – If the signature is valid.
-1 – Otherwise.
-
int ocrypto_ecdsa_p224_public_key(uint8_t pk[56], const uint8_t sk[28])
Ed25519 APIs
- group ocrypto_ed25519
Type declarations and APIs for the Ed25519 algorithm.
Ed25519 is a specific implementation of EdDSA, a digital signature scheme. EdDSA is based on Twisted Edwards curves and is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by Daniel J. Bernstein, et al. Ed25519 is intended to provide attack resistance comparable to quality 128-bit symmetric ciphers.
Defines
-
ocrypto_ed25519_PUBLIC_KEY_BYTES
Length of a public key.
-
ocrypto_ed25519_SECRET_KEY_BYTES
Length of a secret key.
-
ocrypto_ed25519_BYTES
Length of a signature.
Functions
-
void ocrypto_ed25519_public_key(uint8_t pk[(32)], const uint8_t sk[(32)])
Ed25519 signature key pair generation.
Given a secret key
sk
, the corresponding public key is computed and put intopk
. The key pair can then be used to sign and verify message signatures.- Parameters
pk – [out] Generated public key.
sk – Secret key. Must be pre-filled with random data.
-
void ocrypto_ed25519_sign(uint8_t sig[(64)], const uint8_t *m, size_t m_len, const uint8_t sk[(32)], const uint8_t pk[(32)])
Ed25519 signature generate.
The message
m
is signed using the secret keysk
and the corresponding public keypk
. The signature is put intosig
.- Parameters
sig – [out] Generated signature.
m – Input message.
m_len – Length of
m
.sk – Secret key.
pk – Public key.
-
int ocrypto_ed25519_verify(const uint8_t sig[(64)], const uint8_t *m, size_t m_len, const uint8_t pk[(32)])
Ed25519 signature verification.
The signature
sig
of the input messagem
is verified using the signer’s public keypk
.- Parameters
sig – Input signature.
m – Input message.
m_len – Length of
m
.pk – Signer’s public key.
- Return values
0 – If the signature is valid.
-1 – Otherwise.
-
void ocrypto_ed25519_public_key_ctx(ocrypto_ed25519_ctx *ctx, uint8_t pk[(32)], const uint8_t sk[(32)])
Ed25519 signature key pair generation with context.
Given a secret key
sk
, the corresponding public key is computed and put intopk
. The key pair can then be used to sign and verify message signatures.- Parameters
ctx – Context.
pk – [out] Generated public key.
sk – Secret key. Must be pre-filled with random data.
-
void ocrypto_ed25519_sign_ctx(ocrypto_ed25519_ctx *ctx, uint8_t sig[(64)], const uint8_t *m, size_t m_len, const uint8_t sk[(32)], const uint8_t pk[(32)])
Ed25519 signature generate with context.
The message
m
is signed using the secret keysk
and the corresponding public keypk
. The signature is put intosig
.- Parameters
ctx – Context.
sig – [out] Generated signature.
m – Input message.
m_len – Length of
m
.sk – Secret key.
pk – Public key.
-
int ocrypto_ed25519_verify_ctx(ocrypto_ed25519_ctx *ctx, const uint8_t sig[(64)], const uint8_t *m, size_t m_len, const uint8_t pk[(32)])
Ed25519 signature verification with context.
The signature
sig
of the input messagem
is verified using the signer’s public keypk
.- Parameters
ctx – Context.
sig – Input signature.
m – Input message.
m_len – Length of
m
.pk – Signer’s public key.
- Return values
0 – If the signature is valid.
-1 – Otherwise.
-
ocrypto_ed25519_PUBLIC_KEY_BYTES
HKDF - HMAC based Key Derivation Function
- group ocrypto_hkdf
HKDF is a key derivation function based on HMAC Extract-and-Expand.
HKDF APIs using SHA-256
- group ocrypto_hkdf_sha256
Type declarations and APIs for the HKDF-SHA256 algorithm.
HKDF-SHA256 is a key derivation function based on HMAC-SHA256.
Functions
-
void ocrypto_hkdf_sha256(uint8_t *r, size_t r_len, const uint8_t *key, size_t key_len, const uint8_t *salt, size_t salt_len, const uint8_t *info, size_t info_len)
HKDF-SHA256 algorithm.
A new pseudo-random key of length
r_len
is derived from an input keykey
, a saltsalt
and additional informationinfo
. The new key is put intor
.- Parameters
r – [out] Output key.
r_len – Length of
r
.key – Input key.
key_len – Length of
key
.salt – Salt.
salt_len – Length of salt
salt
.info – Additional information.
info_len – Length of
info
.
-
void ocrypto_hkdf_sha256(uint8_t *r, size_t r_len, const uint8_t *key, size_t key_len, const uint8_t *salt, size_t salt_len, const uint8_t *info, size_t info_len)
HKDF APIs using SHA-512
- group ocrypto_hkdf_sha512
Type declaration and APIs for the HKDF-SHA512 algorithm.
HKDF-SHA512 is a key derivation function based on HMAC-SHA512.
Functions
-
void ocrypto_hkdf_sha512(uint8_t *r, size_t r_len, const uint8_t *key, size_t key_len, const uint8_t *salt, size_t salt_len, const uint8_t *info, size_t info_len)
HKDF-SHA512 algorithm.
A new pseudo-random key of length
r_len
is derived from an input keykey
, a saltsalt
and additional informationinfo
. The new key is put intor
.- Parameters
r – [out] Output key.
r_len – Length of
r
.key – Input key.
key_len – Length of
key
.salt – Salt.
salt_len – Length of salt
salt
.info – Additional information.
info_len – Length of
info
.
-
void ocrypto_hkdf_sha512(uint8_t *r, size_t r_len, const uint8_t *key, size_t key_len, const uint8_t *salt, size_t salt_len, const uint8_t *info, size_t info_len)
HMAC - Hash-based Aessage Authentication Code
- group ocrypto_hmac
HMAC is a hash-based Message Authentication Code utilizing a secure hash function.
HMAC APIs using SHA-256
- group ocrypto_hmac_sha256
Type declarations and APIs for the HMAC-SHA256 algorithm.
HMAC-SHA256 is an algorithm for message authentication using the cryptographic hash function SHA256 and a reusable secret key. Users in possession of the key can verify the integrity and authenticity of the message.
Defines
-
ocrypto_hmac_sha256_BYTES
Length of the authenticator.
Functions
-
void ocrypto_hmac_sha256(uint8_t r[(32)], const uint8_t *key, size_t key_len, const uint8_t *in, size_t in_len)
HMAC-SHA256 algorithm.
The input message
in
is authenticated using the keykey
. The computed authenticator is put intor
. To verify the authenticator, the recipient needs to recompute the HMAC authenticator and can then compare it with the received authenticator.- Parameters
r – [out] HMAC output.
key – HMAC key.
key_len – Length of
key
.in – Input data.
in_len – Length of
in
.
-
void ocrypto_hmac_sha256_aad(uint8_t r[(32)], const uint8_t *key, size_t key_len, const uint8_t *in, size_t in_len, const uint8_t *aad, size_t aad_len)
HMAC-SHA256 algorithm with AAD.
- Parameters
r – [out] HMAC output
key – HMAC key.
key_len – Length of
key
.in – Input data.
in_len – Length of
in
.aad – Additional authentication data. May be NULL.
aad_len – Length of
aad
.
-
ocrypto_hmac_sha256_BYTES
HMAC APIs using SHA-512
- group ocrypto_hmac_sha512
Type declarations and APIs for the HMAC-SHA512 algorithm.
HMAC-SHA512 is an algorithm for message authentication using the cryptographic hash function SHA512 and a reusable secret key. Users in possession of the key can verify the integrity and authenticity of the message.
Defines
-
ocrypto_hmac_sha512_BYTES
Length of the authenticator.
Functions
-
void ocrypto_hmac_sha512(uint8_t r[(64)], const uint8_t *key, size_t key_len, const uint8_t *in, size_t in_len)
HMAC-SHA512 algorithm.
The input message
in
is authenticated using the keykey
. The computed authenticator is put intor
. To verify the authenticator, the recipient needs to recompute the HMAC authenticator and can then compare it with the received authenticator.- Parameters
r – [out] HMAC output.
key – HMAC key.
key_len – Length of
key
.in – Input data.
in_len – Length of
in
.
-
void ocrypto_hmac_sha512_aad(uint8_t r[(64)], const uint8_t *key, size_t key_len, const uint8_t *in, size_t in_len, const uint8_t *aad, size_t aad_len)
HMAC-SHA512 algorithm with AAD.
- Parameters
r – [out] HMAC output
key – HMAC key.
key_len – Length of
key
.in – Input data.
in_len – Length of
in
.aad – Additional authentication data. May be NULL.
aad_len – Length of
aad
.
-
ocrypto_hmac_sha512_BYTES
RSA - Rivest-Shamir-Adleman algorithm
- group ocrypto_rsa
RSA is a number theoretic public-key encryption and signature algorithm.
RSA APIs
- group ocrypto_rsa_api
APIs to for RSA encryption/decryption and sign/verify using PKCS1 v1.5, OEAP and PSS.
These functions support RSA encryption and signatures with 1024 and 2048 bit modulo, PKCS1 V1.5, OEAP and PSS padding.
1024-bit RSA Functions.
This group of functions is used for 1024-bit RSA.
-
int ocrypto_rsa1024_pkcs1_v15_encrypt(uint8_t c[128], const uint8_t *m, size_t m_len, const uint8_t *seed, size_t s_len, const ocrypto_rsa1024_pub_key *pk)
1024 bit RSA PKCS1 V1.5 encryption.
The message
m
is encrypted to a ciphertext returned inc
.Remark
The key
pk
should be initialized withocrypto_rsa1024_init_pub_key
.Remark
The
seed
should consist of non-zero random bytes.Remark
c
may be same asm
.- Parameters
c – [out] The generated 128-byte ciphertext.
m – The message to be encrypted.
m_len – Length of
m
. 0 <= m_len <= 117.seed – The random seed to be used for the padding.
s_len – Length of
seed
.s_len
>= 125 -m_len
pk – A valid 1024-bit RSA public key.
- Return values
-1 – If the message is too long (m_len > 117).
-2 – If the seed is too short (s_len < 125 - m_len).
0 – Otherwise.
-
int ocrypto_rsa1024_pkcs1_v15_decrypt(uint8_t *m, size_t m_len, const uint8_t c[128], const ocrypto_rsa1024_key *sk)
1024-bit RSA PKCS1 V1.5 decryption.
The ciphertext
c
is decrypted to the message returned inm
.Remark
The key
sk
should be initialized withocrypto_rsa1024_init_key
.Remark
m
may be same asc
.- Parameters
m – [out] The decrypted message. The buffer must be long enough to hold the message.
m_len – Length of
m
.c – The 128-byte ciphertext to decrypt.
sk – A valid 1024-bit RSA secret key.
- Return values
-1 – If decryption failed.
-2 – If the output buffer is too short (m_len < length of message).
n – If a message of length n was successfully decrypted.
-
int ocrypto_rsa1024_pkcs1_v15_crt_decrypt(uint8_t *m, size_t m_len, const uint8_t c[128], const ocrypto_rsa1024_crt_key *sk)
1024-bit RSA PKCS1 V1.5 decryption with CRT acceleration.
The ciphertext
c
is decrypted to the message returned inm
.Remark
The key
sk
should be initialized withocrypto_rsa1024_init_crt_key
.Remark
m
may be same asc
.- Parameters
m – [out] The decrypted message. The buffer must be long enough to hold the message.
m_len – Length of
m
.c – The 128-byte ciphertext to decrypt.
sk – A valid 1024-bit RSA secret key with CRT coefficients.
- Return values
-1 – If decryption failed.
-2 – If the output buffer is too short (m_len < length of message).
n – If a message of length n was successfully decrypted.
-
int ocrypto_rsa1024_oaep_sha256_encrypt(uint8_t c[128], const uint8_t *m, size_t m_len, const uint8_t *label, size_t l_len, const uint8_t seed[32], const ocrypto_rsa1024_pub_key *pk)
1024-bit RSA OAEP SHA256 encryption.
The message
m
is encrypted to a ciphertext returned inc
.Remark
The key
pk
should be initialized withocrypto_rsa1024_init_pub_key
.Remark
c
may be same asm
.- Parameters
c – [out] The generated 128-byte ciphertext.
m – The message to be encrypted.
m_len – Length of
m
. 0 <= m_len <= 62.label – The label associated with the message.
l_len – Length of
label
. May be 0.seed – 32-byte random seed.
pk – A valid 1024-bit RSA public key.
- Return values
-1 – If the message is too long (m_len > 62).
0 – Otherwise.
-
int ocrypto_rsa1024_oaep_sha256_decrypt(uint8_t *m, size_t m_len, const uint8_t c[128], const uint8_t *label, size_t l_len, const ocrypto_rsa1024_key *sk)
1024 bit RSA OAEP SHA256 decryption.
The ciphertext
c
is decrypted to the message returned inm
.Remark
The key
sk
should be initialized withocrypto_rsa1024_init_key
.Remark
m
may be same asc
.- Parameters
m – [out] The decrypted message. The buffer must be long enough to hold the message.
m_len – Length of
m
.c – The 128 byte ciphertext to decrypt.
label – The label associated with the message.
l_len – Length of
label
. May be 0.sk – A valid 1024 bit RSA secret key.
- Return values
-1 – If decryption failed.
-2 – If the output buffer is too short (m_len < length of message).
n – If a message of length n was successfully decrypted.
-
int ocrypto_rsa1024_oaep_sha256_crt_decrypt(uint8_t *m, size_t m_len, const uint8_t c[128], const uint8_t *label, size_t l_len, const ocrypto_rsa1024_crt_key *sk)
1024-bit RSA OAEP SHA256 decryption with CRT acceleration.
The ciphertext
c
is decrypted to the message returned inm
.Remark
The key
sk
should be initialized withocrypto_rsa1024_init_crt_key
.Remark
m
may be same asc
.- Parameters
m – [out] The decrypted message. The buffer must be long enough to hold the message.
m_len – Length of
m
.c – The 128-byte ciphertext to decrypt.
label – The label associated with the message.
l_len – Length of
label
. May be 0.sk – A valid 1024-bit RSA secret key with CRT coefficients.
- Return values
-1 – If decryption failed.
-2 – If the output buffer is too short (m_len < length of message).
n – If a message of length n was successfully decrypted.
-
int ocrypto_rsa1024_pkcs1_v15_sha256_sign(uint8_t s[128], const uint8_t *m, size_t m_len, const ocrypto_rsa1024_key *sk)
1024-bit RSA PKCS1 V1.5 SHA-256 sign.
The message
m
is signed and the signature returned ins
.Remark
The key
sk
should be initialized withocrypto_rsa1024_init_key
.Remark
s
may be same asm
.- Parameters
s – [out] The generated 128-byte signature.
m – The message to be signed.
m_len – Length of
m
.sk – A valid 1024-bit RSA secret key.
- Return values
0 – on success.
-
int ocrypto_rsa1024_pkcs1_v15_sha256_crt_sign(uint8_t s[128], const uint8_t *m, size_t m_len, const ocrypto_rsa1024_crt_key *sk)
1024-bit RSA PKCS1 V1.5 SHA-256 sign with CRT acceleration.
The message
m
is signed and the signature returned ins
.Remark
The key
sk
should be initialized withocrypto_rsa1024_init_crt_key
.Remark
s
may be same asm
.- Parameters
s – [out] The generated 128-byte signature.
m – The message to be signed.
m_len – Length of
m
.sk – A valid 1024-bit RSA secret key with CRT coefficients.
- Return values
0 –
-
int ocrypto_rsa1024_pkcs1_v15_sha256_verify(const uint8_t s[128], const uint8_t *m, size_t m_len, const ocrypto_rsa1024_pub_key *pk)
1024-bit RSA PKCS1 V1.5 SHA-256 signature verify.
The signature
s
is verified for a valid signature of messagem
.Remark
The key
pk
should be initialized withocrypto_rsa1024_init_pub_key
.- Parameters
s – The 128-byte signature.
m – The signed message.
m_len – Length of
m
.pk – A valid 1024-bit RSA public key.
- Return values
0 – If the signature is valid.
-1 – If verification failed.
-
int ocrypto_rsa1024_pss_sha256_sign(uint8_t s[128], const uint8_t *m, size_t m_len, const uint8_t *salt, size_t s_len, const ocrypto_rsa1024_key *sk)
1024-bit RSA PSS SHA-256 sign.
The message
m
is signed and the signature returned ins
.Remark
The key
sk
should be initialized withocrypto_rsa1024_init_key
.Remark
s
may be same asm
.- Parameters
s – [out] The generated 128-byte signature.
m – The message to be signed.
m_len – Length of
m
.salt – The salt to be used.
s_len – Length of
salt
.sk – A valid 1024-bit RSA secret key.
- Return values
-2 – If the salt is too long.
0 – Otherwise.
-
int ocrypto_rsa1024_pss_sha256_crt_sign(uint8_t s[128], const uint8_t *m, size_t m_len, const uint8_t *salt, size_t s_len, const ocrypto_rsa1024_crt_key *sk)
1024-bit RSA PSS SHA-256 sign with CRT acceleration.
The message
m
is signed and the signature returned ins
.Remark
The key
sk
should be initialized withocrypto_rsa1024_init_crt_key
.Remark
s
may be same asm
.- Parameters
s – [out] The generated 128-byte signature.
m – The message to be signed.
m_len – Length of
m
.salt – The salt to be used.
s_len – Length of
salt
.sk – A valid 1024-bit RSA secret key with CRT coefficients.
- Return values
-2 – If the salt is too long.
0 – Otherwise.
-
int ocrypto_rsa1024_pss_sha256_verify(const uint8_t s[128], const uint8_t *m, size_t m_len, size_t s_len, const ocrypto_rsa1024_pub_key *pk)
1024-bit RSA PSS SHA-256 signature verify.
The signature
s
is verified for a valid signature of messagem
.Remark
The key
pk
should be initialized withocrypto_rsa1024_init_pub_key
.- Parameters
s – The 128-byte signature.
m – The signed message.
m_len – Length of
m
.s_len – The length of the salt.
pk – A valid 1024-bit RSA public key.
- Return values
0 – If the signature is valid.
-1 – If verification failed.
-2 – If the salt is too long.
2048-bit RSA Functions.
This group of functions is used for 2048-bit RSA.
-
int ocrypto_rsa2048_pkcs1_v15_encrypt(uint8_t c[256], const uint8_t *m, size_t mlen, const uint8_t *seed, size_t slen, const ocrypto_rsa2048_pub_key *pk)
2048-bit RSA PKCS1 V1.5 encryption.
The message
m
is encrypted to a ciphertext returned inc
.Remark
The key
pk
should be initialized withocrypto_rsa2048_init_pub_key
.Remark
The
seed
should consist of non-zero random bytes.Remark
c
may be same asm
.- Parameters
c – [out] The generated 256-byte ciphertext.
m – The message to be encrypted.
mlen – Length of
m
. 0 <=mlen
<= 245.seed – The random seed to be used for the padding.
slen – Length of
seed
.slen
>= 253 -mlen
.pk – A valid 2048-bit RSA public key.
- Return values
-1 – If the message is too long (mlen > 245).
-2 – If the seed is too short (slen < 253 - mlen).
0 – Otherwise.
-
int ocrypto_rsa2048_pkcs1_v15_decrypt(uint8_t *m, size_t mlen, const uint8_t c[256], const ocrypto_rsa2048_key *sk)
2048-bit RSA PKCS1 V1.5 decryption.
The ciphertext
c
is decrypted to the message returned inm
.Remark
The key
sk
should be initialized withocrypto_rsa2048_init_key
.Remark
m
may be same asc
.- Parameters
m – [out] The decrypted message. The buffer must be long enough to hold the message.
mlen – Length of
m
.c – The 256-byte ciphertext to decrypt.
sk – A valid 2048-bit RSA secret key.
- Return values
-1 – If decryption failed.
-2 – If the output buffer is too short (mlen < length of message).
n – If a message of length n was successfully decrypted.
-
int ocrypto_rsa2048_pkcs1_v15_crt_decrypt(uint8_t *m, size_t mlen, const uint8_t c[256], const ocrypto_rsa2048_crt_key *sk)
2048-bit RSA PKCS1 V1.5 decryption with CRT acceleration.
The ciphertext
c
is decrypted to the message returned inm
.Remark
The key
sk
should be initialized withocrypto_rsa2048_init_crt_key
.Remark
m
may be same asc
.- Parameters
m – [out] The decrypted message. The buffer must be long enough to hold the message.
mlen – Length of
m
.c – The 256-byte ciphertext to decrypt.
sk – A valid 2048-bit RSA secret key with CRT coefficients.
- Return values
-1 – If decryption failed.
-2 – If the output buffer is too short (mlen < length of message).
n – If a message of length n was successfully decrypted.
-
int ocrypto_rsa2048_oaep_sha256_encrypt(uint8_t c[256], const uint8_t *m, size_t mlen, const uint8_t *label, size_t llen, const uint8_t seed[32], const ocrypto_rsa2048_pub_key *pk)
2048-bit RSA OAEP SHA256 encryption.
The message
m
is encrypted to a ciphertext returned inc
.Remark
The key
pk
should be initialized withocrypto_rsa2048_init_pub_key
.Remark
c
may be same asm
.- Parameters
c – [out] The generated 256-byte ciphertext.
m – The message to be encrypted.
mlen – Length of
m
. 0 <= mlen <= 190.label – The label associated with the message.
llen – Length of
label
. May be 0.seed – 32-byte random seed.
pk – A valid 2048-bit RSA public key.
- Return values
-1 – If the message is too long (mlen > 190).
0 – Otherwise.
-
int ocrypto_rsa2048_oaep_sha256_decrypt(uint8_t *m, size_t mlen, const uint8_t c[256], const uint8_t *label, size_t llen, const ocrypto_rsa2048_key *sk)
2048-bit RSA OAEP SHA256 decryption.
The ciphertext
c
is decrypted to the message returned inm
.Remark
The key
sk
should be initialized withocrypto_rsa2048_init_key
.Remark
m
may be same asc
.- Parameters
m – [out] The decrypted message. The buffer must be long enough to hold the message.
mlen – Length of
m
.c – The 256-byte ciphertext to decrypt.
label – The label associated with the message.
llen – Length of
label
. May be 0.sk – A valid 2048-bit RSA secret key.
- Return values
-1 – If decryption failed.
-2 – If the output buffer is too short (mlen < length of message).
n – If a message of length n was successfully decrypted.
-
int ocrypto_rsa2048_oaep_sha256_crt_decrypt(uint8_t *m, size_t mlen, const uint8_t c[256], const uint8_t *label, size_t llen, const ocrypto_rsa2048_crt_key *sk)
2048-bit RSA OAEP SHA256 decryption with CRT acceleration.
The ciphertext
c
is decrypted to the message returned inm
.Remark
The key
sk
should be initialized withocrypto_rsa2048_init_crt_key
.Remark
m
may be same asc
.- Parameters
m – [out] The decrypted message. The buffer must be long enough to hold the message.
mlen – Length of
m
.c – The 256-byte ciphertext to decrypt.
label – The label associated with the message.
llen – Length of
label
. May be 0.sk – A valid 2048-bit RSA secret key with CRT coefficients.
- Return values
-1 – If decryption failed.
-2 – If the output buffer is too short (mlen < length of message).
n – If a message of length n was successfully decrypted.
-
int ocrypto_rsa2048_pkcs1_v15_sha256_sign(uint8_t s[256], const uint8_t *m, size_t mlen, const ocrypto_rsa2048_key *sk)
2048-bit RSA PKCS1 V1.5 SHA-256 sign.
The message
m
is signed and the signature returned ins
.Remark
The key
sk
should be initialized withocrypto_rsa2048_init_key
.Remark
s
may be same asm
.- Parameters
s – [out] The generated 256-byte signature.
m – The message to be signed.
mlen – Length of
m
.sk – A valid 2048-bit RSA secret key.
- Return values
0 –
-
int ocrypto_rsa2048_pkcs1_v15_sha256_crt_sign(uint8_t s[256], const uint8_t *m, size_t mlen, const ocrypto_rsa2048_crt_key *sk)
2048-bit RSA PKCS1 V1.5 SHA-256 sign with CRT acceleration.
The message
m
is signed and the signature returned ins
.Remark
The key
sk
should be initialized withocrypto_rsa2048_init_crt_key
.Remark
s
may be same asm
.- Parameters
s – [out] The generated 256-byte signature.
m – The message to be signed.
mlen – Length of
m
.sk – A valid 2048-bit RSA secret key with CRT coefficients.
- Return values
0 –
-
int ocrypto_rsa2048_pkcs1_v15_sha256_verify(const uint8_t s[256], const uint8_t *m, size_t mlen, const ocrypto_rsa2048_pub_key *pk)
2048-bit RSA PKCS1 V1.5 SHA-256 signature verify.
The signature
s
is verified for a valid signature of messagem
.Remark
The key
pk
should be initialized withocrypto_rsa2048_init_pub_key
.- Parameters
s – The 256-byte signature.
m – The signed message.
mlen – Length of
m
.pk – A valid 2048-bit RSA public key.
- Return values
0 – If the signature is valid.
-1 – If verification failed.
-
int ocrypto_rsa2048_pss_sha256_sign(uint8_t s[256], const uint8_t *m, size_t mlen, const uint8_t *salt, size_t slen, const ocrypto_rsa2048_key *sk)
2048-bit RSA PSS SHA-256 sign.
The message
m
is signed and the signature returned ins
.Remark
The key
sk
should be initialized withocrypto_rsa2048_init_key
.Remark
s
may be same asm
.- Parameters
s – [out] The generated 256-byte signature.
m – The message to be signed.
mlen – Length of
m
.salt – The salt to be used.
slen – Length of
salt
.sk – A valid 2048-bit RSA secret key.
- Return values
-2 – If the salt is too long.
0 – Otherwise.
-
int ocrypto_rsa2048_pss_sha256_crt_sign(uint8_t s[256], const uint8_t *m, size_t mlen, const uint8_t *salt, size_t slen, const ocrypto_rsa2048_crt_key *sk)
2048-bit RSA PSS SHA-256 sign with CRT acceleration.
The message
m
is signed and the signature returned ins
.Remark
The key
sk
should be initialized withocrypto_rsa2048_init_crt_key
.Remark
s
may be same asm
.- Parameters
s – [out] The generated 256-byte signature.
m – The message to be signed.
mlen – Length of
m
.salt – The salt to be used.
slen – Length of
salt
.sk – A valid 2048-bit RSA secret key with CRT coefficients.
- Return values
-2 – If the salt is too long.
0 – Otherwise.
-
int ocrypto_rsa2048_pss_sha256_verify(const uint8_t s[256], const uint8_t *m, size_t mlen, size_t slen, const ocrypto_rsa2048_pub_key *pk)
2048-bit RSA PSS SHA-256 signature verify.
The signature
s
is verified for a valid signature of messagem
.Remark
The key
pk
should be initialized withocrypto_rsa2048_init_pub_key
.- Parameters
s – The 256-byte signature.
m – The signed message.
mlen – Length of
m
.slen – The length of the salt.
pk – A valid 2048-bit RSA public key.
- Return values
0 – If the signature is valid.
-1 – If verification failed.
-2 – If the salt is too long.
-
int ocrypto_rsa1024_pkcs1_v15_encrypt(uint8_t c[128], const uint8_t *m, size_t m_len, const uint8_t *seed, size_t s_len, const ocrypto_rsa1024_pub_key *pk)
RSA key APIs
- group ocrypto_rsa_key
Type declarations for RSA APIs.
RSA is a number theoretic public-key encryption and signature algorithm.
These functions support the setup of 1024 and 2048 RSA secret and public keys.
1024-bit RSA key setup.
This group of functions is used for 1024-bit RSA key setup.
-
int ocrypto_rsa1024_init_pub_key(ocrypto_rsa1024_pub_key *pk, const uint8_t *n, size_t n_len)
1024-bit RSA public key setup.
Remark
The public exponent is fixed at 65537.
- Parameters
pk – [out] The initialized public key.
n – The RSA modulus. Must be exactly 1024 bits.
n_len – Length of
n
.
- Return values
-1 – If the input length is invalid.
0 – Otherwise.
-
int ocrypto_rsa1024_init_key(ocrypto_rsa1024_key *pk, const uint8_t *n, size_t n_len, const uint8_t *d, size_t d_len)
1024-bit RSA secret key setup.
- Parameters
pk – [out] The initialized public key.
n – The RSA modulus. Must be exactly 1024 bits.
n_len – Length of
n
.d – The secret exponent. Must be <= 1024 bits.
d_len – Length of
d
.
- Return values
-1 – If the input length is invalid.
0 – Otherwise.
-
int ocrypto_rsa1024_init_crt_key(ocrypto_rsa1024_crt_key *sk, const uint8_t *p, size_t p_len, const uint8_t *q, size_t q_len, const uint8_t *dp, size_t dp_len, const uint8_t *dq, size_t dq_len, const uint8_t *qinv, size_t qi_len)
1024-bit RSA secret key setup with CRT coefficients.
- Parameters
sk – [out] The initialized secret key.
p – The 1. RSA prime. Must be exactly 512 bits.
p_len – Length of
p
.q – The 2. RSA prime. Must be exactly 512 bits.
q_len – Length of
q
.dp – The 1. CRT exponent. dp = d mod (p-1).
dp_len – Length of
dp
.dq – The 2. CRT exponent. dq = d mod (q-1).
dq_len – Length of
dq
.qinv – The CRT coefficient. qinv = 1/q mod p.
qi_len – Length of
qinv
.
- Return values
-1 – If the input length is invalid.
0 – Otherwise.
2048-bit RSA key setup.
This group of functions is used for 2048-bit RSA key setup.
-
int ocrypto_rsa2048_init_pub_key(ocrypto_rsa2048_pub_key *pk, const uint8_t *n, size_t n_len)
2048-bit RSA public key setup.
Remark
The public exponent is fixed at 65537.
- Parameters
pk – [out] The initialized public key.
n – The RSA modulus. Must be exactly 2048 bits.
n_len – Length of
n
.
- Return values
-1 – If the input length is invalid.
0 – Otherwise.
-
int ocrypto_rsa2048_init_key(ocrypto_rsa2048_key *sk, const uint8_t *n, size_t n_len, const uint8_t *d, size_t d_len)
2048-bit RSA secret key setup.
- Parameters
sk – [out] The initialized public key.
n – The RSA modulus. Must be exactly 2048 bits.
n_len – Length of
n
.d – The secret exponent. Must be <= 2048 bits.
d_len – Length of
d
.
- Return values
-1 – If the input length is invalid.
0 – Otherwise.
-
int ocrypto_rsa2048_init_crt_key(ocrypto_rsa2048_crt_key *sk, const uint8_t *p, size_t p_len, const uint8_t *q, size_t q_len, const uint8_t *dp, size_t dp_len, const uint8_t *dq, size_t dq_len, const uint8_t *qinv, size_t qi_len)
2048-bit RSA secret key setup with CRT coefficients.
- Parameters
sk – [out] The initialized secret key.
p – The 1. RSA prime. Must be exactly 1024 bits.
p_len – Length of
p
.q – The 2. RSA prime. Must be exactly 1024 bits.
q_len – Length of
q
.dp – The 1. CRT exponent. dp = d mod (p-1).
dp_len – Length of
dp
.dq – The 2. CRT exponent. dq = d mod (q-1).
dq_len – Length of
dq
.qinv – The CRT coefficient. qinv = 1/q mod p.
qi_len – Length of
qinv
.
- Return values
-1 – If the input length is invalid.
0 – Otherwise.
Defines
-
ocrypto_rsa_PUBLIC_EXPONENT
The Public RSA Exponent.
-
struct ocrypto_rsa1024_pub_key
- #include <ocrypto_rsa_key.h>
1024-bit RSA public key.
-
struct ocrypto_rsa1024_key
- #include <ocrypto_rsa_key.h>
1024 bit RSA secret key.
-
struct ocrypto_rsa1024_crt_key
- #include <ocrypto_rsa_key.h>
1024-bit RSA secret key with CRT coefficients.
-
struct ocrypto_rsa2048_pub_key
- #include <ocrypto_rsa_key.h>
2048-bit RSA public key.
-
struct ocrypto_rsa2048_key
- #include <ocrypto_rsa_key.h>
2048-bit RSA secret key.
-
struct ocrypto_rsa2048_crt_key
- #include <ocrypto_rsa_key.h>
2048-bit RSA secret key with CRT coefficients.
-
int ocrypto_rsa1024_init_pub_key(ocrypto_rsa1024_pub_key *pk, const uint8_t *n, size_t n_len)
SHA-256 APIs
- group ocrypto_sha_256
Type declarations and APIs for the SHA-256 algorithm.
SHA-256 is part of the SHA-2 family that is a set of cryptographic hash functions designed by the NSA. It is the successor of the SHA-1 algorithm.
A fixed-sized message digest is computed from variable length input data. The function is practically impossible to revert, and small changes in the input message lead to major changes in the message digest.
Incremental SHA-256 generator.
This group of functions can be used to incrementally compute the SHA-256 hash for a given message.
-
void ocrypto_sha256_init(ocrypto_sha256_ctx *ctx)
SHA-256 initialization.
The generator state
ctx
is initialized by this function.- Parameters
ctx – [out] Generator state.
-
void ocrypto_sha256_update(ocrypto_sha256_ctx *ctx, const uint8_t *in, size_t in_len)
SHA-256 incremental data input.
The generator state
ctx
is updated to hash a message chunkin
.This function can be called repeatedly until the whole message is processed.
Remark
Initialization of the generator state
ctx
throughocrypto_sha256_init
is required before this function can be called.- Parameters
ctx – Generator state.
in – Input data.
in_len – Length of
in
.
-
void ocrypto_sha256_final(ocrypto_sha256_ctx *ctx, uint8_t r[(32)])
SHA-256 output.
The generator state
ctx
is updated to finalize the hash for the previously processed message chunks. The hash is put intor
.Remark
Initialization of the generator state
ctx
throughocrypto_sha256_init
is required before this function can be called.Remark
After return, the generator state
ctx
must no longer be used withocrypto_sha256_update
andocrypto_sha256_final
unless it is reinitialized usingocrypto_sha256_init
.- Parameters
ctx – Generator state.
r – [out] Generated hash value.
Defines
-
ocrypto_sha256_BYTES
Length of SHA-256 hash.
Functions
-
void ocrypto_sha256(uint8_t r[(32)], const uint8_t *in, size_t in_len)
SHA-256 hash.
The SHA-256 hash of a given input message
in
is computed and put intor
.- Parameters
r – [out] Generated hash.
in – Input data.
in_len – Length of
in
.
-
void ocrypto_sha256_init(ocrypto_sha256_ctx *ctx)
SHA-512 APIs
- group ocrypto_sha_512
Type declarations and APIs for the SHA-512 algorithm.
SHA-512 is part of the SHA-2 family that is a set of cryptographic hash functions designed by the NSA. It is the successor of the SHA-1 algorithm.
A fixed-sized message digest is computed from variable length input data. The function is practically impossible to revert, and small changes in the input message lead to major changes in the message digest.
Incremental SHA-512 generator.
This group of functions can be used to incrementally compute the SHA-512 hash for a given message.
-
void ocrypto_sha512_init(ocrypto_sha512_ctx *ctx)
SHA-512 initialization.
The generator state
ctx
is initialized by this function.- Parameters
ctx – [out] Generator state.
-
void ocrypto_sha512_update(ocrypto_sha512_ctx *ctx, const uint8_t *in, size_t in_len)
SHA-512 incremental data input.
The generator state
ctx
is updated to hash a message chunkin
.This function can be called repeatedly until the whole message is processed.
Remark
Initialization of the generator state
ctx
throughocrypto_sha512_init
is required before this function can be called.- Parameters
ctx – Generator state.
in – Input data.
in_len – Length of
in
.
-
void ocrypto_sha512_final(ocrypto_sha512_ctx *ctx, uint8_t r[(64)])
SHA-512 output.
The generator state
ctx
is updated to finalize the hash for the previously processed message chunks. The hash is put intor
.Remark
Initialization of the generator state
ctx
throughocrypto_sha512_init
is required before this function can be called.Remark
After return, the generator state
ctx
must no longer be used withocrypto_sha512_update
andocrypto_sha512_final
unless it is reinitialized usingocrypto_sha512_init
.- Parameters
ctx – Generator state.
r – [out] Generated hash value.
Defines
-
ocrypto_sha512_BYTES
Length of SHA-512 hash.
Functions
-
void ocrypto_sha512(uint8_t r[(64)], const uint8_t *in, size_t in_len)
SHA-512 hash.
The SHA-512 hash of a given input message
in
is computed and put intor
.- Parameters
r – [out] Generated hash.
in – Input data.
in_len – Length of
in
.
-
void ocrypto_sha512_init(ocrypto_sha512_ctx *ctx)
SRP - Secure Remote Password APIs
- group ocrypto_srp
Type declarations and APIs for the SRP key agreement protocol.
SRP is an augmented password-authenticated key agreement protocol, specifically designed to work around existing patents. SRP allows the use of user names and passwords over unencrypted channels and supplies a shared secret at the end of the authentication sequence that can be used to generate encryption keys.
An eavesdropper or man in the middle cannot obtain enough information to be able to brute force guess a password without further interactions with the parties for each guess.
The server does not store password-equivalent data. This means that an attacker who steals the server data cannot masquerade as the client unless they first perform a brute force search for the password.
The specific variant implemented here is SRP-6 3072 bit SHA-512.
Basic protocol overview
See also
Setup
Server generates a username / password combination together with a salt.
Server derives a password verifier (see ocrypto_srp_verifier).
The username, salt and verifier are stored and required to open sessions. The original password is no longer needed.
Session opening
Client sends a username and the public key of an ephemeral key pair to the server.
Server sends the salt and the public key of another ephemeral key pair to the client (see ocrypto_srp_public_key).
Client and Server both compute the session key from this information (see ocrypto_srp_scrambling_parameter, ocrypto_srp_premaster_secret, ocrypto_srp_session_key).
Client sends proof of the session key to the server.
Server validates proof (see ocrypto_srp_proof_m1), then sends proof of the session key to the client (see ocrypto_srp_proof_m2).
Client validates proof. Both parties know that they share the same private session key.
SRP-6 password verifier generation.
A password verifier is generated from a user name and a password. The password
pass
may be discarded, as only the verifier is used during later computations.-
void ocrypto_srp_verifier(uint8_t v[(384)], const uint8_t salt[(16)], const uint8_t *user, size_t user_len, const uint8_t *pass, size_t pass_len)
SRP-6 password verifier.
The verifier is generated for a given user name
user
, a passwordpass
and saltsalt
.- Parameters
v – [out] Generated password verifier, must be 32-bit aligned.
salt – Salt.
user – User name.
user_len – Length of
user
.pass – Password.
pass_len – Length of
pass
.
SRP-6 public key generation.
An ephemeral keypair can be generated based on the password verifier to be used when opening a new session.
-
void ocrypto_srp_public_key(uint8_t pub_b[(384)], const uint8_t priv_b[(32)], const uint8_t v[(384)])
SRP-6 public Key.
The public key for a given private key
priv_b
is generated using the password verifierv
and put intopub_b
.- Parameters
pub_b – [out] Generated public key, must be 32-bit aligned.
priv_b – Private key.
v – Password verifier.
SRP-6 session key generation.
A premaster secret can be derived from both the client’s and server’s public keys, the server’s private key and the password verifier. A shared session key can be generated from this premaster secret.
-
void ocrypto_srp_scrambling_parameter(uint8_t u[(64)], const uint8_t pub_a[(384)], const uint8_t pub_b[(384)])
SRP-6 scrambling parameter.
The scrambling parameter is computed from both the client’s public key
pub_a
and the server’s public keypub_b
. The scrambling parameter is required to compute the premaster secret.- Parameters
u – [out] Generated scrambling parameter.
pub_a – Client public key.
pub_b – Server public key.
-
int ocrypto_srp_premaster_secret(uint8_t s[(384)], const uint8_t pub_a[(384)], const uint8_t priv_b[(32)], const uint8_t u[(64)], const uint8_t v[(384)])
SRP-6 premaster secret.
The premaster secret between the client and the server is computed using the client public key
pub_a
, the server private keypriv_b
, the scrambling parameteru
and the password verifierv
. If the client public keypub_a
is valid, the premaster secret is then put intos
. The premaster secret can be used to generate encryption keys.- Parameters
s – [out] Generated premaster secret, must be 32-bit aligned.
pub_a – Client public key.
priv_b – Server private key.
u – Scrambling parameter; generated with
ocrypto_srp_scrambling_parameter
.v – Password verifier.
- Return values
0 – If
pub_a
is a valid public key.1 – Otherwise.
-
void ocrypto_srp_session_key(uint8_t k[(64)], const uint8_t s[(384)])
SRP-6 SRP session key.
Generates the shared SRP session key from the premaster secret
s
and puts it intok
.- Parameters
k – [out] Generated SRP session key.
s – Premaster secret.
SRP-6 proof exchange.
Proofs are exchanged from client to server and vice versa to ensure that both parties computed the same shared session key. The proofs only match if the correct password is used by the client.
-
void ocrypto_srp_proof_m1(uint8_t m1[(64)], const uint8_t *user, size_t user_len, const uint8_t salt[(16)], const uint8_t pub_a[(384)], const uint8_t pub_b[(384)], const uint8_t k[(64)])
SRP-6 proof M1 (client to server).
A proof is generated by the client and sent to the server to assert that the client is in possession of the shared session key
k
. The server also generates the proof. Only if the proofs match, the process can continue. The proof is based on the saltsalt
, the client public keypub_a
, the server public keypub_b
and the shared session keyk
.- Parameters
m1 – [out] Generated proof.
user – User name.
user_len – Length of
user
.salt – Salt.
pub_a – Client public key.
pub_b – Server public key.
k – Session key.
-
void ocrypto_srp_proof_m2(uint8_t m2[(64)], const uint8_t pub_a[(384)], const uint8_t m1[(64)], const uint8_t k[(64)])
SRP-6 proof M2 (server to client).
A second proof is generated by the server and sent back to the client to assert that the server is in possession of the shared session key
k
. The client also generates the proof. If the proofs match, both parties can assume that they share the same session keyk
. The second proof is based on the client public keypub_a
, the first proofm1
and the session keyk
.- Parameters
m2 – [out] Generated proof.
pub_a – Client public key.
m1 – First proof; generated with
ocrypto_srp_proof_m1
.k – Session key.
SRP-6 password verifier generation with context.
A password verifier is generated from a user name and a password. The password
pass
may be discarded, as only the verifier is used in subsequent computations.-
void ocrypto_srp_verifier_ctx(ocrypto_srp_ctx *ctx, uint8_t v[(384)], const uint8_t salt[(16)], const uint8_t *user, size_t user_len, const uint8_t *pass, size_t pass_len)
SRP-6 password verifier.
The verifier is generated for a given user name
user
, a passwordpass
and saltsalt
.- Parameters
ctx – Context.
v – [out] Generated password verifier, must be 32-bit aligned.
salt – Salt.
user – User name.
user_len – Length of
user
.pass – Password.
pass_len – Length of
pass
.
SRP-6 public key generation with context.
An ephemeral keypair can be generated based on the password verifier to be used when opening a new session.
-
void ocrypto_srp_public_key_ctx(ocrypto_srp_ctx *ctx, uint8_t pub_b[(384)], const uint8_t priv_b[(32)], const uint8_t v[(384)])
SRP-6 public Key.
The public key for a given private key
priv_b
is generated using the password verifierv
and put intopub_b
.- Parameters
ctx – Context.
pub_b – [out] Generated public key, must be 32-bit aligned.
priv_b – Private key.
v – Password verifier.
SRP-6 session key generation with context.
A premaster secret can be derived from both the client’s and server’s public keys, the server’s private key and the password verifier. A shared session key can be generated from this premaster secret.
-
void ocrypto_srp_scrambling_parameter_ctx(ocrypto_srp_ctx *ctx, uint8_t u[(64)], const uint8_t pub_a[(384)], const uint8_t pub_b[(384)])
SRP-6 scrambling parameter.
The scrambling parameter is computed from both the client’s public key
pub_a
and the server’s public keypub_b
. The scrambling parameter is required to compute the premaster secret.- Parameters
ctx – Context.
u – [out] Generated scrambling parameter.
pub_a – Client public key.
pub_b – Server public key.
-
int ocrypto_srp_premaster_secret_ctx(ocrypto_srp_ctx *ctx, uint8_t s[(384)], const uint8_t pub_a[(384)], const uint8_t priv_b[(32)], const uint8_t u[(64)], const uint8_t v[(384)])
SRP-6 premaster secret with context.
The premaster secret between the client and the server is computed using the client public key
pub_a
, the server private keypriv_b
, the scrambling parameteru
and the password verifierv
. If the client public keypub_a
is valid, the premaster secret is then put intos
. The premaster secret can be used to generate encryption keys.- Parameters
ctx – Context.
s – [out] Generated premaster secret, must be 32-bit aligned.
pub_a – Client public key.
priv_b – Server private key.
u – Scrambling parameter; generated with
ocrypto_srp_scrambling_parameter
.v – Password verifier.
- Return values
0 – If
pub_a
is a valid public key.1 – Otherwise.
-
void ocrypto_srp_session_key_ctx(ocrypto_srp_ctx *ctx, uint8_t k[(64)], const uint8_t s[(384)])
SRP-6 SRP session Key with context.
Generates the shared SRP session key from the premaster secret
s
and puts it intok
.- Parameters
ctx – Context.
k – [out] Generated SRP session key.
s – Premaster secret.
SRP-6 proof exchange with context.
Proofs are exchanged from client to server and vice versa to ensure that both parties computed the same shared session key. The proofs only match if the correct password is used by the client.
-
void ocrypto_srp_proof_m1_ctx(ocrypto_srp_ctx *ctx, uint8_t m1[(64)], const uint8_t *user, size_t user_len, const uint8_t salt[(16)], const uint8_t pub_a[(384)], const uint8_t pub_b[(384)], const uint8_t k[(64)])
SRP-6 proof M1 (client to server) with context.
A proof is generated by the client and sent to the server to assert that the client is in possession of the shared session key
k
. The server also generates the proof. Only if the proofs match, the process can continue. The proof is based on the saltsalt
, the client public keypub_a
, the server public keypub_b
and the shared session keyk
.- Parameters
ctx – Context.
m1 – [out] Generated proof.
user – User name.
user_len – Length of
user
.salt – Salt.
pub_a – Client public key.
pub_b – Server public key.
k – Session key.
-
void ocrypto_srp_proof_m2_ctx(ocrypto_srp_ctx *ctx, uint8_t m2[(64)], const uint8_t pub_a[(384)], const uint8_t m1[(64)], const uint8_t k[(64)])
SRP-6 proof M2 (server to client) with context.
A second proof is generated by the server and sent back to the client to assert that the server is in possession of the shared session key
k
. The client also generates the proof. If the proofs match, both parties can assume that they share the same session keyk
. The second proof is based on the client public keypub_a
, the first proofm1
and the session keyk
.- Parameters
ctx – Context.
m2 – [out] Generated proof.
pub_a – Client public key.
m1 – First proof; generated with
ocrypto_srp_proof_m1
.k – Session key.
Defines
-
ocrypto_srp_SALT_BYTES
Salt length.
-
ocrypto_srp_VERIFIER_BYTES
Password verifier length.
-
ocrypto_srp_SECRET_KEY_BYTES
Secret key length.
-
ocrypto_srp_PUBLIC_KEY_BYTES
Public key length.
-
ocrypto_srp_SCRAMBLING_PARAMETER_BYTES
Scrambling parameter length.
-
ocrypto_srp_PREMASTER_SECRET_BYTES
Premaster secret length.
-
ocrypto_srp_SESSION_KEY_BYTES
Session key length.
-
ocrypto_srp_PROOF_BYTES
Proof length.
SRPT - Secure Real-Time Transport Protocol APIs
- group ocrypto_srtp
Type declarations and APIs for SRTP - Secure Real-time Transport Protocol.
SRTP is an extension of the RTP protocol with an enhanced security mechanism.
Defines
-
ocrypto_srtp_AUTH_KEY_SIZE
SRTP Authentication Key Size.
-
ocrypto_srtp_SALT_SIZE
SRTP Salt Size.
-
ocrypto_srtp_MAX_KEY_SIZE
SRTP Maximum Key Size.
Functions
-
void ocrypto_srtp_setup_context(ocrypto_srtp_context *srtp_context, ocrypto_srtp_context *srtcp_context, const uint8_t *key, uint32_t key_size, const uint8_t *salt, uint32_t tag_size, uint32_t ssrc)
Setup SRTP contexts.
- Parameters
srtp_context – [out] SRTP context to be setup.
srtcp_context – [out] SRTCP context to be setup.
key – Master key.
key_size – Size of the master key (16, 24, or 32 bytes).
salt – Master salt (
ocrypto_srtp_SALT_SIZE
bytes).tag_size – Size of the authentication tag.
ssrc – Synchronization source.
-
void ocrypto_srtp_encrypt(const ocrypto_srtp_context *srtp_context, uint8_t *packet, const uint8_t *data_bytes, size_t num_header_bytes, size_t num_data_bytes, uint32_t index)
Encrypt SRTP packet.
The final packet consists of
num_header_bytes
encrypted in place, followed bynum_data_bytes
copied fromdata_bytes
during encryption.- Parameters
srtp_context – SRTP context.
packet – [inout] Encrypted packet.
data_bytes – Data bytes to be encrypted.
num_header_bytes – Number of header bytes.
num_data_bytes – Number of data bytes.
index – Packet index.
-
void ocrypto_srtp_decrypt(const ocrypto_srtp_context *srtp_context, uint8_t *data, const uint8_t *packet_bytes, size_t num_packet_bytes, uint32_t index)
Decrypt SRTP packet.
- Parameters
srtp_context – SRTP context.
data – [out] Decrypted data.
packet_bytes – Packet bytes.
num_packet_bytes – Number of packet bytes.
index – Packet index.
-
void ocrypto_srtp_authenticate(const ocrypto_srtp_context *context, uint8_t *tag, const uint8_t *bytes, size_t num_bytes, uint32_t index)
Generate SRTP authentication tag from bytes and index.
- Parameters
context – SRTP context.
tag – [out] Authentication tag generated.
bytes – Byte buffer.
num_bytes – Number of bytes in buffer.
index – Index.
-
int ocrypto_srtp_verify_authentication(const ocrypto_srtp_context *context, const uint8_t *tag, const uint8_t *bytes, size_t num_bytes, uint32_t index)
Check SRTP authentication tag against bytes and index.
- Parameters
context – SRTP context.
tag – Tag.
bytes – Byte buffer.
num_bytes – Number of bytes in buffer.
index – Index.
- Return values
1 – If the tag is valid.
0 – Otherwise.
-
struct ocrypto_srtp_context
- #include <ocrypto_srtp.h>
SRTP Context.
-
ocrypto_srtp_AUTH_KEY_SIZE