duckstation/src/common/thirdparty/aes.h

/*********************************************************************
 * Filename:   aes.h
 * Author:     Brad Conte (brad AT bradconte.com)
 * Copyright:
 * Disclaimer: This code is presented "as is" without any guarantees.
 * Details:    Defines the API for the corresponding AES implementation.
 *********************************************************************/

#pragma once

/*************************** HEADER FILES ***************************/
#include <cstddef>
#include <cstdint>

/****************************** MACROS ******************************/
static constexpr uint32_t AES_BLOCK_SIZE = 16; // AES operates on 16 bytes at a time
static constexpr uint32_t AES_KEY_SCHEDULE_SIZE = 60;

/*********************** FUNCTION DECLARATIONS **********************/
///////////////////
// AES
///////////////////
// Key setup must be done before any AES en/de-cryption functions can be used.
void aes_key_setup(const uint8_t key[], // The key, must be 128, 192, or 256 bits
                   uint32_t w[],        // Output key schedule to be used later
                   int keysize);        // Bit length of the key, 128, 192, or 256

void aes_encrypt(const uint8_t in[],   // 16 bytes of plaintext
                 uint8_t out[],        // 16 bytes of ciphertext
                 const uint32_t key[], // From the key setup
                 int keysize);         // Bit length of the key, 128, 192, or 256

void aes_decrypt(const uint8_t in[],   // 16 bytes of ciphertext
                 uint8_t out[],        // 16 bytes of plaintext
                 const uint32_t key[], // From the key setup
                 int keysize);         // Bit length of the key, 128, 192, or 256

///////////////////
// AES - CBC
///////////////////
bool aes_encrypt_cbc(const uint8_t in[],   // Plaintext
                     size_t in_len,        // Must be a multiple of AES_BLOCK_SIZE
                     uint8_t out[],        // Ciphertext, same length as plaintext
                     const uint32_t key[], // From the key setup
                     int keysize,          // Bit length of the key, 128, 192, or 256
                     const uint8_t iv[]);  // IV, must be AES_BLOCK_SIZE bytes long
bool aes_decrypt_cbc(const uint8_t in[],   // Ciphertext
                     size_t in_len,        // Must be a multiple of AES_BLOCK_SIZE
                     uint8_t out[],        // Plaintext, same length as ciphertext
                     const uint32_t key[], // From the key setup
                     int keysize,          // Bit length of the key, 128, 192, or 256
                     const uint8_t iv[]);  // IV, must be AES_BLOCK_SIZE bytes long

#if 0
// Disabled since it's not being used.
// Only output the CBC-MAC of the input.
bool aes_encrypt_cbc_mac(const uint8_t in[],   // plaintext
                         size_t in_len,        // Must be a multiple of AES_BLOCK_SIZE
                         uint8_t out[],        // Output MAC
                         const uint32_t key[], // From the key setup
                         int keysize,          // Bit length of the key, 128, 192, or 256
                         const uint8_t iv[]);  // IV, must be AES_BLOCK_SIZE bytes long

///////////////////
// AES - CTR
///////////////////
void aes_increment_iv(uint8_t iv[],      // Must be a multiple of AES_BLOCK_SIZE
                  int counter_size); // Bytes of the IV used for counting (low end)

void aes_encrypt_ctr(const uint8_t in[],   // Plaintext
                     size_t in_len,        // Any byte length
                     uint8_t out[],        // Ciphertext, same length as plaintext
                     const uint32_t key[], // From the key setup
                     int keysize,          // Bit length of the key, 128, 192, or 256
                     const uint8_t iv[]);  // IV, must be AES_BLOCK_SIZE bytes long

void aes_decrypt_ctr(const uint8_t in[],   // Ciphertext
                     size_t in_len,        // Any byte length
                     uint8_t out[],        // Plaintext, same length as ciphertext
                     const uint32_t key[], // From the key setup
                     int keysize,          // Bit length of the key, 128, 192, or 256
                     const uint8_t iv[]);  // IV, must be AES_BLOCK_SIZE bytes long

///////////////////
// AES - CCM
///////////////////
// Returns True if the input parameters do not violate any constraint.
bool aes_encrypt_ccm(
  const uint8_t plaintext[],          // IN  - Plaintext.
  uint32_t plaintext_len,             // IN  - Plaintext length.
  const uint8_t associated_data[],    // IN  - Associated Data included in authentication, but not encryption.
  unsigned short associated_data_len, // IN  - Associated Data length in bytes.
  const uint8_t nonce[],              // IN  - The Nonce to be used for encryption.
  unsigned short nonce_len,           // IN  - Nonce length in bytes.
  uint8_t ciphertext[],               // OUT - Ciphertext, a concatination of the plaintext and the MAC.
  uint32_t* ciphertext_len,           // OUT - The length of the ciphertext, always plaintext_len + mac_len.
  uint32_t mac_len,                   // IN  - The desired length of the MAC, must be 4, 6, 8, 10, 12, 14, or 16.
  const uint8_t key[],                // IN  - The AES key for encryption.
  int keysize);                       // IN  - The length of the key in bits. Valid values are 128, 192, 256.

// Returns True if the input parameters do not violate any constraint.
// Use mac_auth to ensure decryption/validation was preformed correctly.
// If authentication does not succeed, the plaintext is zeroed out. To overwride
// this, call with mac_auth = NULL. The proper proceedure is to decrypt with
// authentication enabled (mac_auth != NULL) and make a second call to that
// ignores authentication explicitly if the first call failes.
bool aes_decrypt_ccm(
  const uint8_t ciphertext[], // IN  - Ciphertext, the concatination of encrypted plaintext and MAC.
  uint32_t ciphertext_len,    // IN  - Ciphertext length in bytes.
  const uint8_t assoc[],      // IN  - The Associated Data, required for authentication.
  unsigned short assoc_len,   // IN  - Associated Data length in bytes.
  const uint8_t nonce[],      // IN  - The Nonce to use for decryption, same one as for encryption.
  unsigned short nonce_len,   // IN  - Nonce length in bytes.
  uint8_t plaintext[], // OUT - The plaintext that was decrypted. Will need to be large enough to hold ciphertext_len -
                       // mac_len.
  uint32_t* plaintext_len, // OUT - Length in bytes of the output plaintext, always ciphertext_len - mac_len .
  uint32_t mac_len,        // IN  - The length of the MAC that was calculated.
  int* mac_auth,           // OUT - TRUE if authentication succeeded, FALSE if it did not. NULL pointer will ignore the
                           // authentication.
  const uint8_t key[],     // IN  - The AES key for decryption.
  int keysize);            // IN  - The length of the key in BITS. Valid values are 128, 192, 256.
#endif