blob: 7979670b7aec22bc91b38ec25dd61874fd65b7a7 [file] [log] [blame]
Paul Bakkera9379c02012-07-04 11:02:11 +00001/**
2 * \file blowfish.h
3 *
4 * \brief Blowfish block cipher
Darryl Greena40a1012018-01-05 15:33:17 +00005 */
6/*
Bence Szépkúti1e148272020-08-07 13:07:28 +02007 * Copyright The Mbed TLS Contributors
Dave Rodgman7ff79652023-11-03 12:04:52 +00008 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Paul Bakkera9379c02012-07-04 11:02:11 +00009 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020010#ifndef MBEDTLS_BLOWFISH_H
11#define MBEDTLS_BLOWFISH_H
Paul Bakkera9379c02012-07-04 11:02:11 +000012
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020013#if !defined(MBEDTLS_CONFIG_FILE)
Jaeden Ameroc49fbbf2019-07-04 20:01:14 +010014#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020015#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020016#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020017#endif
Paul Bakker90995b52013-06-24 19:20:35 +020018
Rich Evans00ab4702015-02-06 13:43:58 +000019#include <stddef.h>
Manuel Pégourié-Gonnardab229102015-04-15 11:53:16 +020020#include <stdint.h>
Paul Bakker5c2364c2012-10-01 14:41:15 +000021
Jaeden Ameroc49fbbf2019-07-04 20:01:14 +010022#include "mbedtls/platform_util.h"
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050023
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020024#define MBEDTLS_BLOWFISH_ENCRYPT 1
25#define MBEDTLS_BLOWFISH_DECRYPT 0
Manuel Pégourié-Gonnard097c7bb2015-06-18 16:43:38 +020026#define MBEDTLS_BLOWFISH_MAX_KEY_BITS 448
27#define MBEDTLS_BLOWFISH_MIN_KEY_BITS 32
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020028#define MBEDTLS_BLOWFISH_ROUNDS 16 /**< Rounds to use. When increasing this value, make sure to extend the initialisation vectors */
29#define MBEDTLS_BLOWFISH_BLOCKSIZE 8 /* Blowfish uses 64 bit blocks */
Paul Bakkera9379c02012-07-04 11:02:11 +000030
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050031#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010032#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(-0x0016)
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050033#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Gilles Peskinea3974432021-07-26 18:48:10 +020034/** Bad input data. */
35#define MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA -0x0016
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050036
Gilles Peskinea3974432021-07-26 18:48:10 +020037/** Invalid data input length. */
38#define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH -0x0018
Ron Eldor9924bdc2018-10-04 10:59:13 +030039
40/* MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED is deprecated and should not be used.
41 */
Gilles Peskinea3974432021-07-26 18:48:10 +020042/** Blowfish hardware accelerator failed. */
43#define MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED -0x0017
Ron Eldor9924bdc2018-10-04 10:59:13 +030044
Paul Bakker407a0da2013-06-27 14:29:21 +020045#ifdef __cplusplus
46extern "C" {
47#endif
48
Ron Eldorb2aacec2017-05-18 16:53:08 +030049#if !defined(MBEDTLS_BLOWFISH_ALT)
50// Regular implementation
51//
52
Paul Bakkera9379c02012-07-04 11:02:11 +000053/**
54 * \brief Blowfish context structure
55 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010056typedef struct mbedtls_blowfish_context {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020057 uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2]; /*!< Blowfish round keys */
Paul Bakker5c2364c2012-10-01 14:41:15 +000058 uint32_t S[4][256]; /*!< key dependent S-boxes */
Paul Bakkera9379c02012-07-04 11:02:11 +000059}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020060mbedtls_blowfish_context;
Paul Bakkera9379c02012-07-04 11:02:11 +000061
Ron Eldorb2aacec2017-05-18 16:53:08 +030062#else /* MBEDTLS_BLOWFISH_ALT */
63#include "blowfish_alt.h"
64#endif /* MBEDTLS_BLOWFISH_ALT */
65
Paul Bakkera9379c02012-07-04 11:02:11 +000066/**
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050067 * \brief Initialize a Blowfish context.
Paul Bakkerc7ea99a2014-06-18 11:12:03 +020068 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050069 * \param ctx The Blowfish context to be initialized.
70 * This must not be \c NULL.
Paul Bakkerc7ea99a2014-06-18 11:12:03 +020071 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010072void mbedtls_blowfish_init(mbedtls_blowfish_context *ctx);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +020073
74/**
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050075 * \brief Clear a Blowfish context.
Paul Bakkerc7ea99a2014-06-18 11:12:03 +020076 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050077 * \param ctx The Blowfish context to be cleared.
78 * This may be \c NULL, in which case this function
79 * returns immediately. If it is not \c NULL, it must
80 * point to an initialized Blowfish context.
Paul Bakkerc7ea99a2014-06-18 11:12:03 +020081 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010082void mbedtls_blowfish_free(mbedtls_blowfish_context *ctx);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +020083
84/**
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050085 * \brief Perform a Blowfish key schedule operation.
Paul Bakkera9379c02012-07-04 11:02:11 +000086 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050087 * \param ctx The Blowfish context to perform the key schedule on.
88 * \param key The encryption key. This must be a readable buffer of
89 * length \p keybits Bits.
90 * \param keybits The length of \p key in Bits. This must be between
91 * \c 32 and \c 448 and a multiple of \c 8.
Paul Bakkera9379c02012-07-04 11:02:11 +000092 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050093 * \return \c 0 if successful.
94 * \return A negative error code on failure.
Paul Bakkera9379c02012-07-04 11:02:11 +000095 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +010096int mbedtls_blowfish_setkey(mbedtls_blowfish_context *ctx, const unsigned char *key,
97 unsigned int keybits);
Paul Bakkera9379c02012-07-04 11:02:11 +000098
99/**
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500100 * \brief Perform a Blowfish-ECB block encryption/decryption operation.
Paul Bakkera9379c02012-07-04 11:02:11 +0000101 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500102 * \param ctx The Blowfish context to use. This must be initialized
103 * and bound to a key.
104 * \param mode The mode of operation. Possible values are
105 * #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
106 * #MBEDTLS_BLOWFISH_DECRYPT for decryption.
107 * \param input The input block. This must be a readable buffer
108 * of size \c 8 Bytes.
109 * \param output The output block. This must be a writable buffer
110 * of size \c 8 Bytes.
Paul Bakkera9379c02012-07-04 11:02:11 +0000111 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500112 * \return \c 0 if successful.
113 * \return A negative error code on failure.
Paul Bakkera9379c02012-07-04 11:02:11 +0000114 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100115int mbedtls_blowfish_crypt_ecb(mbedtls_blowfish_context *ctx,
116 int mode,
117 const unsigned char input[MBEDTLS_BLOWFISH_BLOCKSIZE],
118 unsigned char output[MBEDTLS_BLOWFISH_BLOCKSIZE]);
Paul Bakkera9379c02012-07-04 11:02:11 +0000119
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200120#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakkera9379c02012-07-04 11:02:11 +0000121/**
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500122 * \brief Perform a Blowfish-CBC buffer encryption/decryption operation.
Paul Bakkera9379c02012-07-04 11:02:11 +0000123 *
Manuel Pégourié-Gonnard2be147a2015-01-23 16:19:47 +0000124 * \note Upon exit, the content of the IV is updated so that you can
125 * call the function same function again on the following
126 * block(s) of data and get the same result as if it was
127 * encrypted in one call. This allows a "streaming" usage.
128 * If on the other hand you need to retain the contents of the
129 * IV, you should either save it manually or use the cipher
130 * module instead.
131 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500132 * \param ctx The Blowfish context to use. This must be initialized
133 * and bound to a key.
134 * \param mode The mode of operation. Possible values are
135 * #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
136 * #MBEDTLS_BLOWFISH_DECRYPT for decryption.
137 * \param length The length of the input data in Bytes. This must be
138 * multiple of \c 8.
139 * \param iv The initialization vector. This must be a read/write buffer
140 * of length \c 8 Bytes. It is updated by this function.
141 * \param input The input data. This must be a readable buffer of length
142 * \p length Bytes.
143 * \param output The output data. This must be a writable buffer of length
144 * \p length Bytes.
Paul Bakkera9379c02012-07-04 11:02:11 +0000145 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500146 * \return \c 0 if successful.
147 * \return A negative error code on failure.
Paul Bakkera9379c02012-07-04 11:02:11 +0000148 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100149int mbedtls_blowfish_crypt_cbc(mbedtls_blowfish_context *ctx,
150 int mode,
151 size_t length,
152 unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
153 const unsigned char *input,
154 unsigned char *output);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200155#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakkera9379c02012-07-04 11:02:11 +0000156
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200157#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakkera9379c02012-07-04 11:02:11 +0000158/**
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500159 * \brief Perform a Blowfish CFB buffer encryption/decryption operation.
Paul Bakkera9379c02012-07-04 11:02:11 +0000160 *
Manuel Pégourié-Gonnard2be147a2015-01-23 16:19:47 +0000161 * \note Upon exit, the content of the IV is updated so that you can
162 * call the function same function again on the following
163 * block(s) of data and get the same result as if it was
164 * encrypted in one call. This allows a "streaming" usage.
165 * If on the other hand you need to retain the contents of the
166 * IV, you should either save it manually or use the cipher
167 * module instead.
168 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500169 * \param ctx The Blowfish context to use. This must be initialized
170 * and bound to a key.
171 * \param mode The mode of operation. Possible values are
172 * #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
173 * #MBEDTLS_BLOWFISH_DECRYPT for decryption.
174 * \param length The length of the input data in Bytes.
bootstrap-prime7ef96ea2022-05-18 14:08:33 -0400175 * \param iv_off The offset in the initialization vector.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500176 * The value pointed to must be smaller than \c 8 Bytes.
177 * It is updated by this function to support the aforementioned
178 * streaming usage.
179 * \param iv The initialization vector. This must be a read/write buffer
180 * of size \c 8 Bytes. It is updated after use.
181 * \param input The input data. This must be a readable buffer of length
182 * \p length Bytes.
183 * \param output The output data. This must be a writable buffer of length
184 * \p length Bytes.
Paul Bakkera9379c02012-07-04 11:02:11 +0000185 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500186 * \return \c 0 if successful.
187 * \return A negative error code on failure.
Paul Bakkera9379c02012-07-04 11:02:11 +0000188 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100189int mbedtls_blowfish_crypt_cfb64(mbedtls_blowfish_context *ctx,
190 int mode,
191 size_t length,
192 size_t *iv_off,
193 unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
194 const unsigned char *input,
195 unsigned char *output);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200196#endif /*MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkera9379c02012-07-04 11:02:11 +0000197
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200198#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakker9a736322012-11-14 12:39:52 +0000199/**
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500200 * \brief Perform a Blowfish-CTR buffer encryption/decryption operation.
Paul Bakkera9379c02012-07-04 11:02:11 +0000201 *
Manuel Pégourié-Gonnard22997b72018-02-28 12:29:41 +0100202 * \warning You must never reuse a nonce value with the same key. Doing so
203 * would void the encryption for the two messages encrypted with
204 * the same nonce and key.
205 *
206 * There are two common strategies for managing nonces with CTR:
207 *
Manuel Pégourié-Gonnardd0f143b2018-05-24 12:01:58 +0200208 * 1. You can handle everything as a single message processed over
209 * successive calls to this function. In that case, you want to
210 * set \p nonce_counter and \p nc_off to 0 for the first call, and
211 * then preserve the values of \p nonce_counter, \p nc_off and \p
212 * stream_block across calls to this function as they will be
213 * updated by this function.
Manuel Pégourié-Gonnard22997b72018-02-28 12:29:41 +0100214 *
Manuel Pégourié-Gonnardd0f143b2018-05-24 12:01:58 +0200215 * With this strategy, you must not encrypt more than 2**64
216 * blocks of data with the same key.
217 *
218 * 2. You can encrypt separate messages by dividing the \p
219 * nonce_counter buffer in two areas: the first one used for a
220 * per-message nonce, handled by yourself, and the second one
221 * updated by this function internally.
222 *
223 * For example, you might reserve the first 4 bytes for the
224 * per-message nonce, and the last 4 bytes for internal use. In that
225 * case, before calling this function on a new message you need to
226 * set the first 4 bytes of \p nonce_counter to your chosen nonce
227 * value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
228 * stream_block to be ignored). That way, you can encrypt at most
229 * 2**32 messages of up to 2**32 blocks each with the same key.
230 *
231 * The per-message nonce (or information sufficient to reconstruct
232 * it) needs to be communicated with the ciphertext and must be unique.
233 * The recommended way to ensure uniqueness is to use a message
234 * counter.
235 *
Tom Cosgrove2b150752022-05-26 11:55:43 +0100236 * Note that for both strategies, sizes are measured in blocks and
Manuel Pégourié-Gonnardd0f143b2018-05-24 12:01:58 +0200237 * that a Blowfish block is 8 bytes.
Paul Bakkera9379c02012-07-04 11:02:11 +0000238 *
Manuel Pégourié-Gonnardfa0c47d2018-05-24 19:02:06 +0200239 * \warning Upon return, \p stream_block contains sensitive data. Its
240 * content must not be written to insecure storage and should be
241 * securely discarded as soon as it's no longer needed.
242 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500243 * \param ctx The Blowfish context to use. This must be initialized
244 * and bound to a key.
245 * \param length The length of the input data in Bytes.
Paul Bakkera9379c02012-07-04 11:02:11 +0000246 * \param nc_off The offset in the current stream_block (for resuming
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500247 * within current cipher stream). The offset pointer
248 * should be \c 0 at the start of a stream and must be
249 * smaller than \c 8. It is updated by this function.
250 * \param nonce_counter The 64-bit nonce and counter. This must point to a
251 * read/write buffer of length \c 8 Bytes.
252 * \param stream_block The saved stream-block for resuming. This must point to
253 * a read/write buffer of length \c 8 Bytes.
254 * \param input The input data. This must be a readable buffer of
255 * length \p length Bytes.
256 * \param output The output data. This must be a writable buffer of
257 * length \p length Bytes.
Paul Bakkera9379c02012-07-04 11:02:11 +0000258 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500259 * \return \c 0 if successful.
260 * \return A negative error code on failure.
Paul Bakkera9379c02012-07-04 11:02:11 +0000261 */
Gilles Peskine1b6c09a2023-01-11 14:52:35 +0100262int mbedtls_blowfish_crypt_ctr(mbedtls_blowfish_context *ctx,
263 size_t length,
264 size_t *nc_off,
265 unsigned char nonce_counter[MBEDTLS_BLOWFISH_BLOCKSIZE],
266 unsigned char stream_block[MBEDTLS_BLOWFISH_BLOCKSIZE],
267 const unsigned char *input,
268 unsigned char *output);
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200269#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakkera9379c02012-07-04 11:02:11 +0000270
271#ifdef __cplusplus
272}
273#endif
274
Paul Bakkera9379c02012-07-04 11:02:11 +0000275#endif /* blowfish.h */