1
//
2
// SymCrypt.h
3
//
4
// Copyright (c) Microsoft Corporation. Licensed under the MIT license.
5
//
6

7
#pragma once
8

9

10
#ifdef __cplusplus
11
extern "C" {
12
#endif
13

14
#include "symcrypt_internal_shared.inc"
15

16
#define SYMCRYPT_API_VERSION ((SYMCRYPT_CODE_VERSION_API << 16) | SYMCRYPT_CODE_VERSION_MINOR)
17

18
//
19
// This is the header file for the SymCrypt library which contains
20
// implementations of cryptographic algorithms.
21
//
22
// All API information is in this file. Information in the
23
// other include files (symcrypt_internal.h) is subject
24
// to change at any time. Please use only the information in this file.
25
// The header file symcrypt_low_level contains low-level API functions that
26
// are sometimes needed. That API surface is not stable across releases.
27
//
28

29
;   // <-- non-functional semicolon that makes the editor's indent work properly.
30

31
//
32
// General information about SymCrypt:
33
//
34
//
35
// CPU
36
// This library is built and tested for: X86, AMD64, ARM, and ARM64.
37
//
38
// ENVIRONMENT
39
// SymCrypt can run in different environments, such as kernel mode, user mode,
40
// etc.
41
// In earlier versions of the library, the caller specified the environment by passing a
42
// pointer to the SymCryptInit function.
43
// It turns out that that model no longer scales with the use of new extended register sets
44
// or it introduces too much overhead.
45
// The current library uses a different model. The user of the library invokes one of the
46
// environment macros inside a C file in the calling process.
47
// SymCrypt defines macros for each environment.
48
// The same mechanism will also be used to select between different implementations of a single
49
// algorithm. For example, a caller might use
50
//      SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE
51
//      SYMCRYPT_SELECT_SHA256_COMPACT
52
// to indicate that the environment is kernel mode and the compact SHA-256 implementation is to
53
// be used.
54
// There are optimized environments for various Windows use cases.
55
//
56
//
57
// CHECKED BUILDS
58
// For each CPU, SymCrypt is available in both a checked build and a fre build. The
59
// checked build includes additional error checking which catches the most common
60
// errors. Please make sure you build a checked version of your binary and test with
61
// that regularly.
62
//
63
//
64
// MEMORY STRUCTURES
65
// Most SymCrypt functions do not allocate any memory; all memory is provided by the caller.
66
// However, callers may not copy, move, or otherwise manipulate the SymCrypt
67
// data structures. In particular, a memcpy of a SymCrypt data structure is not allowed.
68
// When necessary SymCrypt provides functions to perform the necessary manipulations.
69
// If you are missing one, please ask us.
70
//
71
//
72
// MULTI_THREADING
73
// The routines in this library are multi-thread safe, taking into account the usual
74
// rules of multiple threads accessing the same data structures.
75
// Any function that accepts a pointer-to-const argument must be assumed to read the
76
// corresponding data. If the function accepts a pointer-to-non-const it must be
77
// assumed to both read and write the data.
78
// It is safe for two threads to use the same data element as long as both of them
79
// are only reading from it. For example, an expanded key is typically passed as
80
// a pointer-to-const to the encryption and decryption routines. Thus, multiple
81
// threads can perform multiple encryptions/decryptions in parallel using the
82
// same expanded key.
83
//
84
// The normal memory re-order issues apply as well. If one thread initializes a
85
// data structure and the initialization function returns, it is NOT safe for
86
// another thread to read the data structure without a suitable memory barrier or
87
// synchronization primitive.
88
//
89
//
90
// SIDE CHANNELS
91
// Side channels are ways in which an attacker can receive information about what
92
// a target process is doing using other aspects than just the input/output behaviour
93
// of the target. For example, the memory subsystem, CPU load modulation, disk usage,
94
// and many other aspects can provide side-channels to an attacker.
95
//
96
// Wherever possible the implementations in SymCrypt have been hardened against side channels.
97
// The most important rules are that the instruction sequence and the memory addresses
98
// accessed do not depend on any of the data being processed.
99
// As a general rule, the actual data being processed is protected, but the
100
// length of the data (i.e. the number of bytes) is not protected in this way and
101
// is treated as public information.
102
//
103
// The implementation of the following algorithms are NOT side-channel safe:
104
//  - non-AES-NI based AES
105
//      used on CPUs that don't have AES-NI, or in kernel mode on x86 Win8 and below.
106
//  - DES, 3DES, DESX
107
//  - RC4
108
// Making these algorithms side-channel safe would incur an overhead that is too large.
109
//
110
//
111
// FATAL ERRORS
112
// This is a high-performance library with a minimum of error checking.
113
// Many functions do not return an error code; this avoids the cost of
114
// having any error checking on the caller's side for error situations that
115
// can never occur. However, this does assume that the caller is calling
116
// SymCrypt using a valid calling sequence with proper parameters.
117
// In some situations this library will detect improper parameters or
118
// calling sequences. In those situations the library will generate a fatal
119
// error, which leads to an abrupt termination of the process (bugcheck in
120
// kernel mode). Exceptional circumstances may also induce fatal errors within
121
// the library (i.e. a caller provided buffer causes an access violation when
122
// it is read, or the library is called without sufficient stack space for the
123
// requested operation).
124
// If a fatal error is generated within the library, the internal state of the
125
// library may be inconsistent (i.e. there may be outstanding memory allocations
126
// that will never be freed, or a lock may have been taken which will never be
127
// released). Callers should not catch fatal errors and continue executing, as
128
// there is no guarantee of stability.
129
// The checked version of the library has additional error checking which detects
130
// the most common errors. We strongly recommend that callers build and test a
131
// checked version of their binary to catch these common errors.
132
//
133
//
134
// ALGORITHM SELF TEST
135
// SymCrypt includes functions that perform simple self-tests on the algorithm
136
// implementations. These functions are designed to be used for FIPS certification
137
// of crypto binaries. They should never fail, and they generate a fatal error
138
// if they do fail.
139
// If you are not FIPS-certifying your binaries, you can ignore the self test functions.
140
//
141
//
142
// CHANGES FROM RSA32.LIB
143
// This library replaces the venerable rsa32(k).lib. The major changes are:
144
//
145
// - SymCrypt requires the caller to call a library initialization function
146
//   before calling the various algorithm implementations.
147
// - SymCrypt requires the caller to specify the environment in which the library
148
//   is running.
149
// - SymCrypt has a CHKed and FRE version for use in CHKed and FRE builds.
150
// - The API has been updated. The API is more consistent and has better support
151
//   for 64-bit platforms (use of SIZE_T rather than UINT32 for lengths).
152
// - All algorithm implementations have been updated to reflect the
153
//   latest cryptographic coding guidelines. Several security weaknesses
154
//   in the RSA32.lib code have been fixed.
155
// - Code has been optimized for the newer CPUs.
156
//   This includes support for AES-NI, PCLMULQDQ, AVX2, etc.
157
//   Most algorithms are faster, especially the recommended algorithms.
158
//   Some legacy algorithms are somewhat slower due to removal of assembler support.
159
//   Note: performance on older CPUs, like the Pentium 4, is reduced in some places.
160
// - Code and data now go into their default segments.
161
//   RSA32 has a kernel-mode version where the code and data go into
162
//   special segments. This allows the crypto code to be made pageable or
163
//   nonpageable separate from the rest of the executable. This feature is
164
//   error-prone, and not widely used. Furthermore, it switches on a per-lib
165
//   basis, rather than a per-functionality basis, which is the wrong granularity.
166
// - Added native support for HMAC-SHA256 and HMAC-SHA512.
167
// - Support for parallel hashing, improves throughput up to 500%.
168
// - SymCrypt does not support binary copying of internal state information, because
169
//   it imposes restrictions on what the library can do.
170
//   Thus, you may NOT do a memcpy or remote copy on any SymCrypt data structure.
171
//   SymCrypt provides copy functions where necessary, if you need others please ask.
172
//
173

174
//
175
// Error codes
176
//
177
// This is a high-performance library with a minimum of error checking. Most
178
// routines do not perform any error checking at all.
179
// Some routines perform internal consistency checks and will cause a fatal
180
// error if the library is used incorrectly.
181
//
182
// In a few cases routines return an error code when they are called incorrectly.
183
// Mostly this is for key expansion routines which return an error code when the key
184
// size is wrong. This allows a higher-level library to be agnostic as to the proper
185
// key sizes for an algorithm and use the SymCrypt library to detect key size errors.
186
//
187
// For performance reasons this library avoids per-message error codes wherever possible.
188
//
189
// As this library can be used in many different contexts---kernel mode, user mode,
190
// WinCE, Xbox, etc.---we don't use one of the standard error types but use our own.
191
// Callers should not depend on the integer value of any of these enums.
192
//
193
// Error codes will signal the cause of the error, but callers should not rely on the
194
// exact symbolic error code returned. Especially in situations where multiple errors
195
// occur at once (e.g. multiple invalid parameters) the exact error symbol returned
196
// could change between versions of the library.
197
//
198

199
#ifndef _Return_type_success_
200
#define _Return_type_success_(expr)
201
#endif
202

203
typedef _Return_type_success_( return == SYMCRYPT_NO_ERROR ) enum {
204
    SYMCRYPT_NO_ERROR = 0,
205
    SYMCRYPT_UNUSED = 0x8000, // Start our error codes here so they're easier to distinguish
206
    SYMCRYPT_WRONG_KEY_SIZE,
207
    SYMCRYPT_WRONG_BLOCK_SIZE,
208
    SYMCRYPT_WRONG_DATA_SIZE,
209
    SYMCRYPT_WRONG_NONCE_SIZE,
210
    SYMCRYPT_WRONG_TAG_SIZE,
211
    SYMCRYPT_WRONG_ITERATION_COUNT,
212
    SYMCRYPT_AUTHENTICATION_FAILURE,
213
    SYMCRYPT_EXTERNAL_FAILURE,
214
    SYMCRYPT_FIPS_FAILURE,
215
    SYMCRYPT_HARDWARE_FAILURE,
216
    SYMCRYPT_NOT_IMPLEMENTED,
217
    SYMCRYPT_INVALID_BLOB,
218
    SYMCRYPT_BUFFER_TOO_SMALL,
219
    SYMCRYPT_INVALID_ARGUMENT,
220
    SYMCRYPT_MEMORY_ALLOCATION_FAILURE,
221
    SYMCRYPT_SIGNATURE_VERIFICATION_FAILURE,
222
    SYMCRYPT_INCOMPATIBLE_FORMAT,
223
    SYMCRYPT_VALUE_TOO_LARGE,
224
    SYMCRYPT_SESSION_REPLAY_FAILURE,
225
    SYMCRYPT_HBS_NO_OTS_KEYS_LEFT,
226
    SYMCRYPT_HBS_PUBLIC_ROOT_MISMATCH,
227
} SYMCRYPT_ERROR;
228

229
// SYMCRYPT_ECURVE_TYPE needs to be completely defined before including
230
// symcrypt_internal.h because it's a member of another type in there.
231
typedef enum _SYMCRYPT_ECURVE_TYPE {
232
    SYMCRYPT_ECURVE_TYPE_NULL               = 0,
233
    SYMCRYPT_ECURVE_TYPE_SHORT_WEIERSTRASS  = 1,
234
    SYMCRYPT_ECURVE_TYPE_TWISTED_EDWARDS    = 2,
235
    SYMCRYPT_ECURVE_TYPE_MONTGOMERY         = 3,
236
} SYMCRYPT_ECURVE_TYPE;
237
//
238
// SYMCRYPT_ECURVE_TYPE is used to specify the type of the curve.
239
//
240

241
// SYMCRYPT_DLGROUP_FIPS needs to be completely defined before including
242
// symcrypt_internal.h because it's a member of another type in there.
243

244
//=====================================================
245
// DL group operations
246

247
typedef enum _SYMCRYPT_DLGROUP_FIPS {
248
    SYMCRYPT_DLGROUP_FIPS_NONE  = 0,
249
    SYMCRYPT_DLGROUP_FIPS_186_2 = 1,
250
    SYMCRYPT_DLGROUP_FIPS_186_3 = 2,
251
} SYMCRYPT_DLGROUP_FIPS;
252
//
253
// Dlgroup enums for the generation and verification of the group parameters.
254
// These are used in:
255
//  - SymCryptDlgroupGenerate function to specify the appropriate standard to
256
//    be used.
257
//  - SymCryptDlgroupSetValue function to verify that the input parameters were
258
//    properly generated.
259
//
260

261
typedef enum _SYMCRYPT_DLGROUP_DH_SAFEPRIMETYPE {
262
    SYMCRYPT_DLGROUP_DH_SAFEPRIMETYPE_NONE = 0,
263
    SYMCRYPT_DLGROUP_DH_SAFEPRIMETYPE_IKE_3526 = 1,
264
    SYMCRYPT_DLGROUP_DH_SAFEPRIMETYPE_TLS_7919 = 2,
265
} SYMCRYPT_DLGROUP_DH_SAFEPRIMETYPE;
266
#define SYMCRYPT_DLGROUP_DH_SAFEPRIMETYPE_DEFAULT   SYMCRYPT_DLGROUP_DH_SAFEPRIMETYPE_TLS_7919
267
//
268
// Dlgroup enums for the specification and verification of the named safe prime group parameters.
269
// These are used in:
270
//  - SymCryptDlgroupGenerateSafePrime function to specify the appropriate group to
271
//    be used.
272
//
273

274
//
275
// The symcrypt_internal.h file contains information only relevant to the internals
276
// of the library, but they have to be exposed to the compiler of the caller.
277
// We put those in a separate file to make this file easier to read
278
// for users of the library.
279
// The details in the symcrypt_internal.h file can change at any time;
280
// users should only rely on the information in this header file.
281
//
282
#include "symcrypt_internal.h"
283

284
//
285
// Useful macros
286
//
287
// A variety of useful macros.
288
//
289
// The load/store macros convert from integer types to an array of bytes and vice versa.
290
// LOAD<n>_* (p) loads a value of <n> bits from the byte pointer p.
291
// STORE<n>_* (p,v) stores the n-bit value v to byte pointer p.
292
// The macros can either do Most Significant Byte first (big-endian) or
293
// Least Significant Byte first.
294
// The actual definitions are in the symcrypt_internal.h file because they contain
295
// items that are not part of the stable public API of SymCrypt.
296
//
297

298
#define SYMCRYPT_LOAD_LSBFIRST16( p )   SYMCRYPT_INTERNAL_LOAD_LSBFIRST16( p )
299
#define SYMCRYPT_LOAD_LSBFIRST32( p )   SYMCRYPT_INTERNAL_LOAD_LSBFIRST32( p )
300
#define SYMCRYPT_LOAD_LSBFIRST64( p )   SYMCRYPT_INTERNAL_LOAD_LSBFIRST64( p )
301

302
#define SYMCRYPT_LOAD_MSBFIRST16( p )   SYMCRYPT_INTERNAL_LOAD_MSBFIRST16( p )
303
#define SYMCRYPT_LOAD_MSBFIRST32( p )   SYMCRYPT_INTERNAL_LOAD_MSBFIRST32( p )
304
#define SYMCRYPT_LOAD_MSBFIRST64( p )   SYMCRYPT_INTERNAL_LOAD_MSBFIRST64( p )
305

306
#define SYMCRYPT_STORE_LSBFIRST16( p, v )   SYMCRYPT_INTERNAL_STORE_LSBFIRST16( p, v )
307
#define SYMCRYPT_STORE_LSBFIRST32( p, v )   SYMCRYPT_INTERNAL_STORE_LSBFIRST32( p, v )
308
#define SYMCRYPT_STORE_LSBFIRST64( p, v )   SYMCRYPT_INTERNAL_STORE_LSBFIRST64( p, v )
309

310
#define SYMCRYPT_STORE_MSBFIRST16( p, v )   SYMCRYPT_INTERNAL_STORE_MSBFIRST16( p, v )
311
#define SYMCRYPT_STORE_MSBFIRST32( p, v )   SYMCRYPT_INTERNAL_STORE_MSBFIRST32( p, v )
312
#define SYMCRYPT_STORE_MSBFIRST64( p, v )   SYMCRYPT_INTERNAL_STORE_MSBFIRST64( p, v )
313

314
//
315
// Convert between UINT32/UINT64 and variable-sized byte buffers
316
//
317
// The load functions take any size input array, and will return an error if the value
318
// encoded in the array exceeds the range of the target type (UINT32 or UINT64).
319
// The store functions will return an error if the destination buffer is too small
320
// to encode the actual value passed.
321
// An empty buffer (length = 0) encodes the value 0, and the value 0 can be encoded
322
// in the empty buffer.
323
// These functions are not side-channel safe.
324
//
325

326
SYMCRYPT_ERROR
327
SYMCRYPT_CALL
328
SymCryptLoadLsbFirstUint32(
329
    _In_reads_( cbSrc ) PCBYTE  pbSrc,
330
                        SIZE_T  cbSrc,
331
    _Out_               PUINT32 pDst );
332

333
SYMCRYPT_ERROR
334
SYMCRYPT_CALL
335
SymCryptLoadLsbFirstUint64(
336
    _In_reads_( cbSrc ) PCBYTE  pbSrc,
337
                        SIZE_T  cbSrc,
338
    _Out_               PUINT64 pDst );
339

340
SYMCRYPT_ERROR
341
SYMCRYPT_CALL
342
SymCryptLoadMsbFirstUint32(
343
    _In_reads_( cbSrc ) PCBYTE  pbSrc,
344
                        SIZE_T  cbSrc,
345
    _Out_               PUINT32 pDst );
346

347
SYMCRYPT_ERROR
348
SYMCRYPT_CALL
349
SymCryptLoadMsbFirstUint64(
350
    _In_reads_( cbSrc ) PCBYTE  pbSrc,
351
                        SIZE_T  cbSrc,
352
    _Out_               PUINT64 pDst );
353

354
SYMCRYPT_ERROR
355
SYMCRYPT_CALL
356
SymCryptStoreLsbFirstUint32(
357
                            UINT32  src,
358
    _Out_writes_( cbDst )   PBYTE   pbDst,
359
                            SIZE_T  cbDst );
360

361
SYMCRYPT_ERROR
362
SYMCRYPT_CALL
363
SymCryptStoreLsbFirstUint64(
364
                            UINT64  src,
365
    _Out_writes_( cbDst )   PBYTE   pbDst,
366
                            SIZE_T  cbDst );
367

368
SYMCRYPT_ERROR
369
SYMCRYPT_CALL
370
SymCryptStoreMsbFirstUint32(
371
                            UINT32  src,
372
    _Out_writes_( cbDst )   PBYTE   pbDst,
373
                            SIZE_T  cbDst );
374

375
SYMCRYPT_ERROR
376
SYMCRYPT_CALL
377
SymCryptStoreMsbFirstUint64(
378
                            UINT64  src,
379
    _Out_writes_( cbDst )   PBYTE   pbDst,
380
                            SIZE_T  cbDst );
381

382
//
383
// Functions to retrieve the bitsize/bytesize of UINT32/UINT64 values
384
// Note: the bitsize/bytesize of the value 0 is defined as 0.
385
// Some data formats don't allow empty encodings, so the caller
386
// should ensure they handle the 0-case properly.
387
// These functions are NOT side-channel safe.
388
//
389
UINT32
390
SymCryptUint32Bitsize( UINT32 value );
391

392
UINT32
393
SymCryptUint64Bitsize( UINT64 value );
394

395
UINT32
396
SymCryptUint32Bytesize( UINT32 value );
397

398
UINT32
399
SymCryptUint64Bytesize( UINT64 value );
400

401

402
//
403
// FORCED MEMORY ACCESS
404
//
405
// These macros force a memory access. That is, they require that the memory
406
// read or write takes place, and do not allow the compiler to optimize the access
407
// away. This is useful for wiping memory even if the compiler knows the memory will not be used in future.
408
//
409
// The READ<n> macros read an n-bit value from a PBYTE and return a BYTE if n=8 and an UINT<n> otherwise.
410
// The WRITE<n> macros write a value to a PBYTE using the same types as the corresponding READ<n>
411
//
412
// These macros provide no other memory ordering requirements, so there are no acquire/release
413
// semantics, memory barriers, etc.
414
//
415

416
#define SYMCRYPT_FORCE_READ8(  _p )     SYMCRYPT_INTERNAL_FORCE_READ8(  _p )
417
#define SYMCRYPT_FORCE_READ16( _p )     SYMCRYPT_INTERNAL_FORCE_READ16( _p )
418
#define SYMCRYPT_FORCE_READ32( _p )     SYMCRYPT_INTERNAL_FORCE_READ32( _p )
419
#define SYMCRYPT_FORCE_READ64( _p )     SYMCRYPT_INTERNAL_FORCE_READ64( _p )
420

421
#define SYMCRYPT_FORCE_WRITE8(  _p, _v )    SYMCRYPT_INTERNAL_FORCE_WRITE8(  _p, _v )
422
#define SYMCRYPT_FORCE_WRITE16( _p, _v )    SYMCRYPT_INTERNAL_FORCE_WRITE16( _p, _v )
423
#define SYMCRYPT_FORCE_WRITE32( _p, _v )    SYMCRYPT_INTERNAL_FORCE_WRITE32( _p, _v )
424
#define SYMCRYPT_FORCE_WRITE64( _p, _v )    SYMCRYPT_INTERNAL_FORCE_WRITE64( _p, _v )
425

426
//==========================================================================
427
//   TYPE MODIFIERS
428
//==========================================================================
429
//
430
// The SymCrypt library uses the following type modifiers
431
//
432
// SYMCRYPT_CALL
433
//
434
//      The calling-convention used by SymCrypt functions.
435
//      Some platforms have multiple calling conventions which differ in the
436
//      way arguments are passed and the stack is handled
437
//      The SYMCRYPT_CALL type modifier selects the correct calling convention.
438
//      The current implementation uses __fastcall on the x86 platform, which
439
//      passes arguments in registers and is generally faster than the __stdcall
440
//      calling convention.
441
//
442
//
443
// SYMCRYPT_ALIGN
444
//
445
//      On platforms that support alignment declaration this macro expands to
446
//      __declspec(align(<n>)) where <n> is platform-dependent.
447
//      Many data types that SymCrypt defines are SYMCRYPT_ALIGNed.
448
//      When allocating memory for any SymCrypt data type the caller
449
//      has to ensure that the memory is aligned to the natural alignment for
450
//      that platform. (e.g. 4 for x86, 16 for x64)
451
//      Memory allocation functions typically return properly aligned memory blocks.
452
//      The macro SYMCRYPT_ALIGN_VALUE contains the actual value of <n>.
453
//
454

455
//==========================================================================
456
// LIBRARY MANAGEMENT
457
//==========================================================================
458
//
459
// SymCrypt runs in many different environments. Boot library, kernel, user mode,
460
// (for each of x86, amd64, arm), and possibly WinCE, Mobile, Zune, Xbox, etc.
461
// These different environments can have different requirements.
462
//
463
// Creating different libraries for each environment has huge testing and maintenance
464
// costs. Instead, the user of the library invokes a pre-defined macro in their own code
465
// that contains the necessary adoptions to that environment.
466
// Using a macro makes the selection static, which allows the compiler to optimize
467
// away a lot of the overhead.
468
// (e.g. if XMM register saving is not needed, the stub function declared by the macro
469
// will always succeed, and the compiler will inline it and optimize it away.)
470
//
471
// Warning: due to recent changes in the Visual Studio C runtime, we cannot test saving
472
// of the YMM registers in Windows user mode. Because we do not have a kernel mode test
473
// for saving/restoring the YMM registers, this functionality is currently not tested.
474
// Before using SymCrypt in Windows 7 kernel mode, additional kernel mode tests should be
475
// added to verify this functionality.
476
//
477

478
//
479
// The following environment macros are available. Callers should invoke one of these
480
// in their own code.
481
//
482
// SYMCRYPT_ENVIRONMENT_WINDOWS_BOOTLIBRARY                 // only for the current OS release
483
//
484
// SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_LEGACY           // Use for any version of Windows.
485
// SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_WIN7_N_LATER     // Only for Win7 and later
486
// SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_WIN8_1_N_LATER   // Only for WinBlue and later
487
// SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_LATEST           // use for latest OS
488
//
489
// SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_LEGACY             // use for any version of Windows
490
// SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_WIN7_N_LATER       // Only for Win7 and later (cannot use AVX2 instructions)
491
// SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_WIN8_1_N_LATER     // Only for Win8.1 and later
492
// SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_LATEST             // use for latest OS
493
//
494
// SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELDEBUGGER
495
//
496
// SYMCRYPT_ENVIRONMENT_LINUX_USERMODE                      // use for Linux
497
//
498
// SYMCRYPT_ENVIRONMENT_OPTEE_TA                            // use for OPTEE
499
//
500
// SYMCRYPT_ENVIRONMENT_GENERIC                             // use for all other situations
501
//
502

503
VOID
504
SYMCRYPT_CALL
505
SymCryptInit(void);
506
//
507
// Initialize the static library.
508
// This function MUST be called before any other function in the library.
509
// It is not necessary to call this function when using the shared object library.
510
//
511
// This function does not perform the self tests in the library.
512
// Doing so would force the linking of all the algorithm in the library,
513
// which is obviously not desirable for applications that want to link in
514
// only one or two algorithms.
515
// If self test are required (e.g. for FIPS certification) they have to be
516
// called separately for each algorithm.
517
//
518
// It is safe to call this function multiple times.
519
// The library initialization is done in the first call; subsequent calls are no-ops.
520
//
521
// If you get an 'undefined symbol' error on this function name, then you forgot
522
// to invoke one of the environment macros documented above.
523
//
524

525
VOID
526
SYMCRYPT_CALL
527
SymCryptModuleInit(
528
    _In_ UINT32 api,
529
    _In_ UINT32 minor);
530

531
#define SYMCRYPT_MODULE_INIT() SymCryptModuleInit( SYMCRYPT_CODE_VERSION_API, SYMCRYPT_CODE_VERSION_MINOR );
532
//
533
// Initialize the SymCrypt shared object module/dynamic-link library. This function verifies
534
// that the module version supports the version requested by the application. If the version
535
// is unsupported, a fatal error will occur. Rather than explicitly calling SymCryptModuleInit,
536
// the macro SYMCRYPT_MODULE_INIT should be used to call it with the correct arguments.
537
//
538

539
//==========================================================================
540
//   DATA MANIPULATION
541
//==========================================================================
542
//
543
// This library provides some data manipulation functions that commonly occur
544
// in cryptographic code.
545
//
546

547
VOID
548
SYMCRYPT_CALL
549
SymCryptWipe(
550
    _Out_writes_bytes_( cbData )    PVOID   pbData,
551
                                    SIZE_T  cbData );
552

553
FORCEINLINE
554
VOID
555
SYMCRYPT_CALL
556
SymCryptWipeKnownSize(
557
    _Out_writes_bytes_( cbData )    PVOID   pbData,
558
                                    SIZE_T  cbData );
559

560
//
561
// The SymCryptWipe and SymCryptWipeKnownSize functions wipe memory.
562
// They work for any size and any alignment.
563
// Wiping is faster on x86 and x64 if the data buffer is 16-aligned,
564
// and the size is a multiple of 16.
565
//
566
// The SymCryptWipe function is optimized for the case where the size of the buffer
567
// is not known at compile time.
568
//
569
// The SymCryptWipeKnownSize function is optimized for the case where the
570
// cbData parameter is a compile-time known value.
571
//
572
// The two functions are functionally equivalent, but there can be a significant performance
573
// differences:
574
//  - calling SymCryptWipeKnownSize when the size is not known at compile time incurs a
575
//      code size penalty.
576
//  - calling SymCryptWipeKnownSize when the size is not known at compile time and is sometimes <= 64
577
//      incurs a performance penalty.
578
//      (The code assumes that the compiler can optimize all the conditional jumps away.
579
//      Conditional jumps can be very expensive if they are not predicted correctly.)
580
//  - calling SymCryptWipe when the buffer is small and has a compile-time known size incurs
581
//      a performance penalty.
582
// When in doubt, use SymCryptWipe.
583
//
584

585
VOID
586
SYMCRYPT_CALL
587
SymCryptXorBytes(
588
    _In_reads_( cbBytes )   PCBYTE  pbSrc1,
589
    _In_reads_( cbBytes )   PCBYTE  pbSrc2,
590
    _Out_writes_( cbBytes ) PBYTE   pbResult,
591
                            SIZE_T  cbBytes );
592
//
593
// Xor two strings of bytes together.
594
//
595
// The result buffer can be the same as Src1 or Src2, or can be non-overlapping
596
// with the inputs. However, the result buffer may not partially overlap with
597
// one of the inputs.
598
//
599

600
BOOLEAN
601
SYMCRYPT_CALL
602
SymCryptEqual(
603
    _In_reads_( cbBytes )   PCBYTE pbSrc1,
604
    _In_reads_( cbBytes )   PCBYTE pbSrc2,
605
                            SIZE_T cbBytes );
606
//
607
// Compare two regions of memory and return TRUE if they are equal, FALSE otherwise.
608
//
609
// This function compares all the bytes without an early-out mechanism.
610
// An early-out implementation, such as memcmp, reveals through side channels
611
// the position of the first byte where the inputs differ, which leaks information.
612
//
613

614

615
//==========================================================================
616
//   HASH FUNCTIONS
617
//==========================================================================
618
//
619
// All hash functions have a similar interface. For consistency we describe
620
// the generic parts of the interface once.
621
// Algorithm-specific comments are given with the API functions of each algorithm separately.
622
//
623
// For an algorithm called XXX the following functions, types, and constants are defined:
624
//
625
//
626
// SYMCRYPT_XXX_RESULT_SIZE
627
//
628
//      A constant giving the size, in bytes, of the result of the hash function.
629
//
630
//
631
// SYMCRYPT_XXX_INPUT_BLOCK_SIZE
632
//
633
//      A constant giving the natural input block size for the hash function.
634
//      Most callers don't need to know this, but some uses, like the HMAC construction
635
//      adapt to this size to improve efficiency.
636
//
637
//
638
// VOID
639
// SYMCRYPT_CALL
640
// SymCryptXxx( _In_reads_( cbData )                        PCBYTE pbData,
641
//                                                          SIZE_T cbData,
642
//              _Out_writes_( SYMCRYPT_XXX_RESULT_SIZE )    PBYTE pbResult );
643
//
644
//      Computes the hash value of the data buffer.
645
//      If you have all the data to be hashed in a single buffer this is the simplest function to use.
646
//
647
//
648
// SYMCRYPT_XXX_STATE
649
//
650
//      Type to store the intermediate state of a hash computation.
651
//      This is an opaque type whose structure can change at will.
652
//      It should only be used for transient computations in a single executable
653
//      and not be stored  or transferred to a different process.
654
//      The pointer version is also defined (PSYMCRYPT_XXX_STATE)
655
//
656
//      The SYMCRYPT_XXX_STATE structure contains the entire state of an ongoing
657
//      hash computation. If you want to compute the hash on several strings that
658
//      have the same prefix, the caller may hash the prefix first, then create
659
//      multiple copies using the supplied state copy function,
660
//      and continue hashing the different states with different postfix strings.
661
//
662
// VOID
663
// SYMCRYPT_CALL
664
// SymCryptXxxInit( _Out_ PSYMCRYPT_XXX_STATE pState );
665
//
666
//      Initialize a SYMCRYPT_XXX_STATE for subsequent use.
667
//
668
//      The state encodes an ongoing hash computation and allows incremental
669
//      computation of a hash function.
670
//      At any point in time the state object encodes a state that is equivalent to
671
//      the hash computation of a data string.
672
//      This function can be called at any time and resets the state to correspond
673
//      to the empty data string.
674
//      The SymCryptXxxAppend function appends data to the data string
675
//      encoded by the state.
676
//      The SymCryptXxxResult function finalizes the computation and
677
//      returns the actual hash result.
678
//
679
//
680
// VOID
681
// SYMCRYPT_CALL
682
// SymCryptXxxAppend( _Inout_               PSYMCRYPT_XXX_STATE pState,
683
//                    _In_reads_( cbData )  PCBYTE              pbData,
684
//                                          SIZE_T              cbData );
685
//
686
//      Provide more data to the ongoing hash computation specified by the state.
687
//      The state must have been initialized by SymCryptXxxInit.
688
//      This function can be called multiple times on the same state
689
//      to append more data to the encoded data string.
690
//
691
//
692
// VOID
693
// SYMCRYPT_CALL
694
// SymCryptXxxResult(
695
//      _Inout_                                PSYMCRYPT_XXX_STATE pState,
696
//     _Out_writes_( SYMCRYPT_XXX_RESULT_SIZE )PBYTE               pbResult );
697
//
698
//      Returns the hash of the data string encoded by the state.
699
//      If the state was newly initialized this returns the hash of the empty string.
700
//      If one or more SymCryptXxxAppend function calls were made on this state
701
//      it returns the hash of the concatenation of all the data strings
702
//      passed to SymCryptXxxAppend.
703
//
704
//      The state is re-initialized and ready for re-use; you do not have to call
705
//      SymCryptXxxInit on the state to start another fresh hash computation.
706
//      The state is also wiped of any traces of old data to prevent accidental data leakage.
707
//
708
//
709
// VOID
710
// SYMCRYPT_CALL
711
// SymCryptXxxStateCopy( _In_ PCSYMCRYPT_XXX_STATE pSrc, _Out_ PSYMCRYPT_XXX_STATE pDst );
712
//
713
//      Create a new copy of the state object.
714
//
715
//
716
// VOID
717
// SYMCRYPT_CALL
718
// SymCryptXxxStateExport(
719
//      _In_                                                    PCSYMCRYPT_XXX_STATE    pState,
720
//      _Out_writes_bytes_( SYMCRYPT_XXX_STATE_EXPORT_SIZE )    PBYTE                   pbBlob );
721
//
722
//      Converts a hash state to an exported format that can be persisted and re-imported.
723
//      The exported blob is compatible across CPU architectures, and across different
724
//      versions of SymCrypt.
725
//
726
//      pState must point to a valid initialized hash state.
727
//
728
//
729
// SYMCRYPT_ERROR
730
// SYMCRYPT_CALL
731
// SymCryptXxxStateImport(
732
//      _Out_                                               PSYMCRYPT_XXX_STATE pState,
733
//      _In_reads_bytes_( SYMCRYPT_XXX_STATE_EXPORT_SIZE)   PCBYTE              pbBlob );
734
//
735
//      Imports a hash state that was previously exported with SymCryptXxxStateExport.
736
//      After this call, the effective state of *pState is identical to the effective
737
//      state of *pState that was passed to the SymCryptXxxStateExport function which
738
//      created this blob.
739
//
740
//      This function returns an error if the blob is incorrectly formatted.
741
//
742
//
743
// VOID
744
// SYMCRYPT_CALL
745
// SymCryptXxxSelftest(void);
746
//
747
//      Perform a minimal self-test on the XXX algorithm.
748
//      This function is designed to be used for achieving FIPS 140-2 compliance or
749
//      to provide a simple self-test when an application starts.
750
//
751
//      If an error is detected, a platform-specific fatal error action is taken.
752
//      Callers do not need to handle any error conditions.
753
//
754
//
755
//
756
//
757
// There are also generic Hash functions that use a virtual table and work
758
// for any hash algorithm.
759
// Virtual table addresses that callers can use are supplied through a const-ptr-const definition.
760
// This supports an application switching the underlying implementation of one algorithm
761
// without the need to re-compile all the intermediate libraries in between.
762
// For example, you could use the same signature verification library with the fast hash implementation in one binary,
763
// and with a compact hash implementation in a second binary, without needing a different
764
// signature verification library.
765
//
766

767
typedef enum _SYMCRYPT_HASH_ID
768
{
769
    SYMCRYPT_HASH_ID_NULL                = 0,
770
    SYMCRYPT_HASH_ID_MD2                 = 1,
771
    SYMCRYPT_HASH_ID_MD4                 = 2,
772
    SYMCRYPT_HASH_ID_MD5                 = 3,
773
    SYMCRYPT_HASH_ID_SHA1                = 4,
774
    SYMCRYPT_HASH_ID_SHA224              = 5,
775
    SYMCRYPT_HASH_ID_SHA256              = 6,
776
    SYMCRYPT_HASH_ID_SHA384              = 7,
777
    SYMCRYPT_HASH_ID_SHA512              = 8,
778
    SYMCRYPT_HASH_ID_SHA512_224          = 9,
779
    SYMCRYPT_HASH_ID_SHA512_256          = 10,
780
    SYMCRYPT_HASH_ID_SHA3_224            = 11,
781
    SYMCRYPT_HASH_ID_SHA3_256            = 12,
782
    SYMCRYPT_HASH_ID_SHA3_384            = 13,
783
    SYMCRYPT_HASH_ID_SHA3_512            = 14,
784
    SYMCRYPT_HASH_ID_SHAKE128            = 15,
785
    SYMCRYPT_HASH_ID_SHAKE256            = 16
786
} SYMCRYPT_HASH_ID;
787

788
PCSYMCRYPT_HASH
789
SYMCRYPT_CALL
790
SymCryptGetHashAlgorithm( SYMCRYPT_HASH_ID hashId );
791
//
792
// Returns a pointer to the hash algorithm structure for the specified hash ID.
793
// Returns NULL if the hash ID is invalid.
794
//
795

796
SIZE_T
797
SYMCRYPT_CALL
798
SymCryptHashResultSize( _In_ PCSYMCRYPT_HASH pHash );
799

800
SIZE_T
801
SYMCRYPT_CALL
802
SymCryptHashInputBlockSize( _In_ PCSYMCRYPT_HASH pHash );
803

804
SIZE_T
805
SYMCRYPT_CALL
806
SymCryptHashStateSize( _In_ PCSYMCRYPT_HASH pHash );
807
//
808
// SymCryptHashStateSize
809
//
810
// Returns the size, in bytes, of the hash state for this hash algorithm.
811
// Note that the state must be SYMCRYPT_ALIGNed.
812
// Alternatively, the SYMCRYPT_HASH_STATE structure is large enough to contain
813
// any Symcrypt-implemented hash state, so sizeof( SYMCRYPT_HASH_STATE ) is always
814
// large enough to contain a hash state.
815
//
816

817
VOID
818
SYMCRYPT_CALL
819
SymCryptHash(
820
    _In_                                                         PCSYMCRYPT_HASH pHash,
821
    _In_reads_( cbData )                                         PCBYTE          pbData,
822
                                                                 SIZE_T          cbData,
823
    _Out_writes_( SYMCRYPT_MIN( cbResult, pHash->resultSize ) )  PBYTE           pbResult,
824
                                                                 SIZE_T          cbResult );
825
//
826
// SymCryptHash
827
//
828
// Compute a hash value using any hash function.
829
// The number of bytes written to the pbResult buffer is
830
//      min( cbResult, SymCryptHashResultSize( pHash ) )
831
//
832

833
VOID
834
SYMCRYPT_CALL
835
SymCryptHashInit(
836
    _In_                                        PCSYMCRYPT_HASH pHash,
837
    _Out_writes_bytes_( pHash->stateSize )      PVOID           pState );
838

839
VOID
840
SYMCRYPT_CALL
841
SymCryptHashAppend(
842
    _In_                                        PCSYMCRYPT_HASH pHash,
843
    _Inout_updates_bytes_( pHash->stateSize )   PVOID           pState,
844
    _In_reads_( cbData )                        PCBYTE          pbData,
845
                                                SIZE_T          cbData );
846

847
VOID
848
SYMCRYPT_CALL
849
SymCryptHashResult(
850
    _In_                                                         PCSYMCRYPT_HASH pHash,
851
    _Inout_updates_bytes_( pHash->stateSize )                    PVOID           pState,
852
    _Out_writes_( SYMCRYPT_MIN( cbResult, pHash->resultSize ) )  PBYTE           pbResult,
853
                                                                 SIZE_T          cbResult );
854
//
855
// SymCryptHashResult
856
//
857
// Finalizes the hash computation by calling the resultFunc member
858
// of pHash.
859
// The hash result is produced to an internal buffer and
860
// the number of bytes written to the pbResult buffer is
861
//      min( cbResult, SymCryptHashResultSize( pHash ) )
862

863
VOID
864
SYMCRYPT_CALL
865
SymCryptHashStateCopy(
866
    _In_                            PCSYMCRYPT_HASH pHash,
867
    _In_reads_(pHash->stateSize)    PCVOID          pSrc,
868
    _Out_writes_(pHash->stateSize)  PVOID           pDst);
869
//
870
// SymCryptHashStateCopy
871
//
872
// Copies the hash state from pSrc to pDst.
873

874
////////////////////////////////////////////////////////////////////////////
875
//   MD2
876
//
877
// Tha MD2 hash algorithm per RFC1319.
878
//
879
// The MD2 hash function has not received widespread analysis and is very slow
880
// compared to contemporary algorithms.
881
//
882
// The SymCrypt implementation of MD2 uses table lookups which leads to a side-channel
883
// vulnerability.
884
//
885
// Per the Crypto SDL, any use of this algorithm in Microsoft code requires
886
// a Crypto board exemption. Whenever possible, please use SHA-256 or SHA-512.
887
//
888
// For details on this API see the description above about the generic hash function API.
889
//
890

891
#define SYMCRYPT_MD2_RESULT_SIZE         (16)
892
#define SYMCRYPT_MD2_INPUT_BLOCK_SIZE    (16)
893

894
VOID
895
SYMCRYPT_CALL
896
SymCryptMd2(
897
    _In_reads_( cbData )                        PCBYTE  pbData,
898
                                                SIZE_T  cbData,
899
    _Out_writes_( SYMCRYPT_MD2_RESULT_SIZE )    PBYTE   pbResult );
900

901
VOID
902
SYMCRYPT_CALL
903
SymCryptMd2Init( _Out_ PSYMCRYPT_MD2_STATE pState );
904

905
VOID
906
SYMCRYPT_CALL
907
SymCryptMd2Append(
908
    _Inout_                 PSYMCRYPT_MD2_STATE pState,
909
    _In_reads_( cbData )    PCBYTE              pbData,
910
                            SIZE_T              cbData );
911

912
VOID
913
SYMCRYPT_CALL
914
SymCryptMd2Result(
915
    _Inout_                                  PSYMCRYPT_MD2_STATE pState,
916
    _Out_writes_( SYMCRYPT_MD2_RESULT_SIZE ) PBYTE               pbResult );
917

918
VOID
919
SYMCRYPT_CALL
920
SymCryptMd2StateCopy( _In_ PCSYMCRYPT_MD2_STATE pSrc, _Out_ PSYMCRYPT_MD2_STATE pDst );
921

922
VOID
923
SYMCRYPT_CALL
924
SymCryptMd2StateExport(
925
    _In_                                                    PCSYMCRYPT_MD2_STATE    pState,
926
    _Out_writes_bytes_( SYMCRYPT_MD2_STATE_EXPORT_SIZE )    PBYTE                   pbBlob );
927

928
SYMCRYPT_ERROR
929
SYMCRYPT_CALL
930
SymCryptMd2StateImport(
931
    _Out_                                               PSYMCRYPT_MD2_STATE     pState,
932
    _In_reads_bytes_( SYMCRYPT_MD2_STATE_EXPORT_SIZE)   PCBYTE                  pbBlob );
933

934
VOID
935
SYMCRYPT_CALL
936
SymCryptMd2Selftest(void);
937

938
extern const PCSYMCRYPT_HASH SymCryptMd2Algorithm;
939

940
////////////////////////////////////////////////////////////////////////////
941
//   MD4
942
//
943
// Tha MD4 hash algorithm per RFC1320.
944
// This implementation is limited to data strings that are in whole bytes.
945
// Odd bit length are not supported.
946
//
947
// The MD4 hash function has been badly broken and is not considered secure.
948
// Per the Crypto SDL, any use of this algorithm in Microsoft code requires
949
// a Crypto board exemption. Whenever possible, please use SHA-256 or SHA-512.
950
//
951
// For details on this API see the description above about the generic hash function API.
952
//
953

954
#define SYMCRYPT_MD4_RESULT_SIZE         (16)
955
#define SYMCRYPT_MD4_INPUT_BLOCK_SIZE    (64)
956

957
VOID
958
SYMCRYPT_CALL
959
SymCryptMd4(
960
    _In_reads_( cbData )                        PCBYTE  pbData,
961
                                                SIZE_T  cbData,
962
    _Out_writes_( SYMCRYPT_MD4_RESULT_SIZE )    PBYTE   pbResult );
963

964
VOID
965
SYMCRYPT_CALL
966
SymCryptMd4Init( _Out_ PSYMCRYPT_MD4_STATE pState );
967

968
VOID
969
SYMCRYPT_CALL
970
SymCryptMd4Append(
971
    _Inout_                 PSYMCRYPT_MD4_STATE  pState,
972
    _In_reads_( cbData )    PCBYTE               pbData,
973
                            SIZE_T               cbData );
974

975
VOID
976
SYMCRYPT_CALL
977
SymCryptMd4Result(
978
    _Inout_                                  PSYMCRYPT_MD4_STATE  pState,
979
    _Out_writes_( SYMCRYPT_MD4_RESULT_SIZE ) PBYTE                pbResult );
980

981
VOID
982
SYMCRYPT_CALL
983
SymCryptMd4StateCopy( _In_ PCSYMCRYPT_MD4_STATE pSrc, _Out_ PSYMCRYPT_MD4_STATE pDst );
984

985
VOID
986
SYMCRYPT_CALL
987
SymCryptMd4StateExport(
988
    _In_                                                    PCSYMCRYPT_MD4_STATE    pState,
989
    _Out_writes_bytes_( SYMCRYPT_MD4_STATE_EXPORT_SIZE )    PBYTE                   pbBlob );
990

991
SYMCRYPT_ERROR
992
SYMCRYPT_CALL
993
SymCryptMd4StateImport(
994
    _Out_                                               PSYMCRYPT_MD4_STATE     pState,
995
    _In_reads_bytes_( SYMCRYPT_MD4_STATE_EXPORT_SIZE)   PCBYTE                  pbBlob );
996

997
VOID
998
SYMCRYPT_CALL
999
SymCryptMd4Selftest(void);
1000

1001
extern const PCSYMCRYPT_HASH SymCryptMd4Algorithm;
1002

1003
////////////////////////////////////////////////////////////////////////////
1004
//   MD5
1005
//
1006
// Tha MD5 hash algorithm per RFC1321.
1007
// This implementation is limited to data strings that are in whole bytes.
1008
// Odd bit length are not supported.
1009
//
1010
// The MD5 hash function has been badly broken and is not considered secure.
1011
// Per the Crypto SDL, any use of this algorithm in Microsoft code requires
1012
// a Crypto board exemption. Whenever possible, please use SHA-256 or SHA-512.
1013
//
1014
// For details on this API see the description above about the generic hash function API.
1015
//
1016

1017
#define SYMCRYPT_MD5_RESULT_SIZE        (16)
1018
#define SYMCRYPT_MD5_INPUT_BLOCK_SIZE   (64)
1019

1020
VOID
1021
SYMCRYPT_CALL
1022
SymCryptMd5(
1023
    _In_reads_( cbData )                        PCBYTE  pbData,
1024
                                                SIZE_T  cbData,
1025
    _Out_writes_( SYMCRYPT_MD5_RESULT_SIZE )    PBYTE   pbResult );
1026

1027
VOID
1028
SYMCRYPT_CALL
1029
SymCryptMd5Init( _Out_ PSYMCRYPT_MD5_STATE pState );
1030

1031
VOID
1032
SYMCRYPT_CALL
1033
SymCryptMd5Append(
1034
    _Inout_                 PSYMCRYPT_MD5_STATE   pState,
1035
    _In_reads_( cbData )    PCBYTE                pbData,
1036
                            SIZE_T                cbData );
1037

1038
VOID
1039
SYMCRYPT_CALL
1040
SymCryptMd5Result(
1041
    _Inout_                                  PSYMCRYPT_MD5_STATE  pState,
1042
    _Out_writes_( SYMCRYPT_MD5_RESULT_SIZE ) PBYTE                pbResult );
1043

1044
VOID
1045
SYMCRYPT_CALL
1046
SymCryptMd5StateCopy( _In_ PCSYMCRYPT_MD5_STATE pSrc, _Out_ PSYMCRYPT_MD5_STATE pDst );
1047

1048
VOID
1049
SYMCRYPT_CALL
1050
SymCryptMd5StateExport(
1051
    _In_                                                    PCSYMCRYPT_MD5_STATE    pState,
1052
    _Out_writes_bytes_( SYMCRYPT_MD5_STATE_EXPORT_SIZE )    PBYTE                   pbBlob );
1053

1054
SYMCRYPT_ERROR
1055
SYMCRYPT_CALL
1056
SymCryptMd5StateImport(
1057
    _Out_                                               PSYMCRYPT_MD5_STATE     pState,
1058
    _In_reads_bytes_( SYMCRYPT_MD5_STATE_EXPORT_SIZE)   PCBYTE                  pbBlob );
1059

1060
VOID
1061
SYMCRYPT_CALL
1062
SymCryptMd5Selftest(void);
1063

1064
extern const PCSYMCRYPT_HASH SymCryptMd5Algorithm;
1065

1066

1067
///////////////////////////////////////////////////////////////////////////////
1068
//      SHA-1
1069
//
1070
// The SHA-1 hash algorithm per FIPS 180-4.
1071
//
1072
// This implementation is limited to data strings that are in whole bytes.
1073
// Odd bit length are not supported.
1074
//
1075
// The SHA-1 standard limits data inputs to a maximum of 2^61-1 bytes.
1076
// This implementation supports larger inputs, and simply wraps the internal message
1077
// length counter. Note that the security properties are unknown for
1078
// such long messages, and their use is not recommended.
1079
//
1080
// The SHA-1 hash algorithm has been broken in a technical sense, and future
1081
// attacks can only get better.
1082
// This algorithm is not recommended for new applications and should only be used
1083
// for backward compatibility.
1084
// Per the Crypto SDL, new uses of this algorithm in Microsoft code require
1085
// a Crypto board exemption. Whenever possible, please use SHA-256 or SHA-512.
1086
//
1087
// For details on this API see the description above about the generic hash function API.
1088
//
1089

1090
#define SYMCRYPT_SHA1_RESULT_SIZE       (20)
1091
#define SYMCRYPT_SHA1_INPUT_BLOCK_SIZE  (64)
1092

1093
VOID
1094
SYMCRYPT_CALL
1095
SymCryptSha1(
1096
    _In_reads_( cbData )                        PCBYTE  pbData,
1097
                                                SIZE_T  cbData,
1098
    _Out_writes_( SYMCRYPT_SHA1_RESULT_SIZE )   PBYTE   pbResult );
1099

1100
VOID
1101
SYMCRYPT_CALL
1102
SymCryptSha1Init( _Out_ PSYMCRYPT_SHA1_STATE pState );
1103

1104
VOID
1105
SYMCRYPT_CALL
1106
SymCryptSha1Append(
1107
    _Inout_                 PSYMCRYPT_SHA1_STATE    pState,
1108
    _In_reads_( cbData )    PCBYTE                  pbData,
1109
                            SIZE_T                  cbData );
1110

1111
VOID
1112
SYMCRYPT_CALL
1113
SymCryptSha1Result(
1114
    _Inout_                                  PSYMCRYPT_SHA1_STATE pState,
1115
    _Out_writes_( SYMCRYPT_SHA1_RESULT_SIZE )PBYTE                pbResult );
1116

1117
VOID
1118
SYMCRYPT_CALL
1119
SymCryptSha1StateCopy( _In_ PCSYMCRYPT_SHA1_STATE pSrc, _Out_ PSYMCRYPT_SHA1_STATE pDst );
1120

1121
VOID
1122
SYMCRYPT_CALL
1123
SymCryptSha1StateExport(
1124
    _In_                                                    PCSYMCRYPT_SHA1_STATE   pState,
1125
    _Out_writes_bytes_( SYMCRYPT_SHA1_STATE_EXPORT_SIZE )   PBYTE                   pbBlob );
1126

1127
SYMCRYPT_ERROR
1128
SYMCRYPT_CALL
1129
SymCryptSha1StateImport(
1130
    _Out_                                               PSYMCRYPT_SHA1_STATE    pState,
1131
    _In_reads_bytes_( SYMCRYPT_SHA1_STATE_EXPORT_SIZE)  PCBYTE                  pbBlob );
1132

1133
VOID
1134
SYMCRYPT_CALL
1135
SymCryptSha1Selftest(void);
1136

1137
extern const PCSYMCRYPT_HASH SymCryptSha1Algorithm;
1138

1139
////////////////////////////////////////////////////////////////////////////
1140
//   SHA-224
1141
//
1142
//
1143
// The SHA-224 hash algorithm per FIPS 180-4.
1144
// This implementation is limited to data strings that are in whole bytes.
1145
// Odd bit length are not supported.
1146
//
1147
// The SHA-224 standard limits data inputs to a maximum of 2^61-1 bytes.
1148
// This implementation supports larger inputs, and simply wraps the internal message
1149
// length counter. Note that the security properties are unknown for
1150
// such long messages, and their use is not recommended.
1151
//
1152
// This implementation is meant for interoperability and is not recommended for use.
1153
//
1154
// For details on this API see the description above about the generic hash function API.
1155
//
1156

1157
#define SYMCRYPT_SHA224_RESULT_SIZE         (28)
1158
#define SYMCRYPT_SHA224_INPUT_BLOCK_SIZE    (64)
1159

1160
VOID
1161
SYMCRYPT_CALL
1162
SymCryptSha224(
1163
    _In_reads_( cbData )                        PCBYTE  pbData,
1164
                                                SIZE_T  cbData,
1165
    _Out_writes_( SYMCRYPT_SHA224_RESULT_SIZE ) PBYTE   pbResult );
1166

1167
VOID
1168
SYMCRYPT_CALL
1169
SymCryptSha224Init( _Out_ PSYMCRYPT_SHA224_STATE pState );
1170

1171
VOID
1172
SYMCRYPT_CALL
1173
SymCryptSha224Append(
1174
    _Inout_                 PSYMCRYPT_SHA224_STATE  pState,
1175
    _In_reads_( cbData )    PCBYTE                  pbData,
1176
                            SIZE_T                  cbData );
1177

1178
VOID
1179
SYMCRYPT_CALL
1180
SymCryptSha224Result(
1181
    _Inout_                                       PSYMCRYPT_SHA224_STATE pState,
1182
    _Out_writes_( SYMCRYPT_SHA224_RESULT_SIZE )   PBYTE                  pbResult );
1183

1184
VOID
1185
SYMCRYPT_CALL
1186
SymCryptSha224StateCopy( _In_ PCSYMCRYPT_SHA224_STATE pSrc, _Out_ PSYMCRYPT_SHA224_STATE pDst );
1187

1188
VOID
1189
SYMCRYPT_CALL
1190
SymCryptSha224StateExport(
1191
    _In_                                                    PCSYMCRYPT_SHA224_STATE pState,
1192
    _Out_writes_bytes_( SYMCRYPT_SHA224_STATE_EXPORT_SIZE ) PBYTE                   pbBlob );
1193

1194
SYMCRYPT_ERROR
1195
SYMCRYPT_CALL
1196
SymCryptSha224StateImport(
1197
    _Out_                                                   PSYMCRYPT_SHA224_STATE  pState,
1198
    _In_reads_bytes_( SYMCRYPT_SHA224_STATE_EXPORT_SIZE)    PCBYTE                  pbBlob );
1199

1200
VOID
1201
SYMCRYPT_CALL
1202
SymCryptSha224Selftest(void);
1203

1204
extern const PCSYMCRYPT_HASH SymCryptSha224Algorithm;
1205

1206
////////////////////////////////////////////////////////////////////////////
1207
//   SHA-256
1208
//
1209
//
1210
// The SHA-256 hash algorithm per FIPS 180-4.
1211
// This implementation is limited to data strings that are in whole bytes.
1212
// Odd bit length are not supported.
1213
//
1214
// The SHA-256 standard limits data inputs to a maximum of 2^61-1 bytes.
1215
// This implementation supports larger inputs, and simply wraps the internal message
1216
// length counter. Note that the security properties are unknown for
1217
// such long messages, and their use is not recommended.
1218
//
1219
// For details on this API see the description above about the generic hash function API.
1220
//
1221

1222
#define SYMCRYPT_SHA256_RESULT_SIZE         (32)
1223
#define SYMCRYPT_SHA256_INPUT_BLOCK_SIZE    (64)
1224

1225
VOID
1226
SYMCRYPT_CALL
1227
SymCryptSha256(
1228
    _In_reads_( cbData )                        PCBYTE  pbData,
1229
                                                SIZE_T  cbData,
1230
    _Out_writes_( SYMCRYPT_SHA256_RESULT_SIZE ) PBYTE   pbResult );
1231

1232
VOID
1233
SYMCRYPT_CALL
1234
SymCryptSha256Init( _Out_ PSYMCRYPT_SHA256_STATE pState );
1235

1236
VOID
1237
SYMCRYPT_CALL
1238
SymCryptSha256Append(
1239
    _Inout_                 PSYMCRYPT_SHA256_STATE  pState,
1240
    _In_reads_( cbData )    PCBYTE                  pbData,
1241
                            SIZE_T                  cbData );
1242

1243
VOID
1244
SYMCRYPT_CALL
1245
SymCryptSha256Result(
1246
    _Inout_                                       PSYMCRYPT_SHA256_STATE pState,
1247
    _Out_writes_( SYMCRYPT_SHA256_RESULT_SIZE )   PBYTE                  pbResult );
1248

1249
VOID
1250
SYMCRYPT_CALL
1251
SymCryptSha256StateCopy( _In_ PCSYMCRYPT_SHA256_STATE pSrc, _Out_ PSYMCRYPT_SHA256_STATE pDst );
1252

1253
VOID
1254
SYMCRYPT_CALL
1255
SymCryptSha256StateExport(
1256
    _In_                                                    PCSYMCRYPT_SHA256_STATE pState,
1257
    _Out_writes_bytes_( SYMCRYPT_SHA256_STATE_EXPORT_SIZE ) PBYTE                   pbBlob );
1258

1259
SYMCRYPT_ERROR
1260
SYMCRYPT_CALL
1261
SymCryptSha256StateImport(
1262
    _Out_                                                   PSYMCRYPT_SHA256_STATE  pState,
1263
    _In_reads_bytes_( SYMCRYPT_SHA256_STATE_EXPORT_SIZE)    PCBYTE                  pbBlob );
1264

1265
VOID
1266
SYMCRYPT_CALL
1267
SymCryptSha256Selftest(void);
1268

1269
extern const PCSYMCRYPT_HASH SymCryptSha256Algorithm;
1270

1271
////////////////////////////////////////////////////////////////////////////
1272
//   SHA-384
1273
//
1274
//
1275
// The SHA-384 hash algorithm per FIPS 180-4.
1276
// This implementation is limited to data strings that are in whole bytes.
1277
// Odd bit length are not supported.
1278
//
1279
// The SHA-384 standard limits data inputs to a maximum of 2^125-1 bytes.
1280
// This implementation supports larger inputs, and simply wraps the internal message
1281
// length counter. Note that the security properties are unknown for
1282
// such long messages, and their use is not recommended.
1283
//
1284
// For details on this API see the description above about the generic hash function API.
1285
//
1286

1287
#define SYMCRYPT_SHA384_RESULT_SIZE         (48)
1288
#define SYMCRYPT_SHA384_INPUT_BLOCK_SIZE    (128)
1289

1290
VOID
1291
SYMCRYPT_CALL
1292
SymCryptSha384(
1293
    _In_reads_( cbData )                        PCBYTE  pbData,
1294
                                                SIZE_T  cbData,
1295
    _Out_writes_( SYMCRYPT_SHA384_RESULT_SIZE ) PBYTE   pbResult );
1296

1297
VOID
1298
SYMCRYPT_CALL
1299
SymCryptSha384Init( _Out_ PSYMCRYPT_SHA384_STATE pState );
1300

1301
VOID
1302
SYMCRYPT_CALL
1303
SymCryptSha384Append(
1304
    _Inout_                 PSYMCRYPT_SHA384_STATE  pState,
1305
    _In_reads_( cbData )    PCBYTE                  pbData,
1306
                            SIZE_T                  cbData );
1307

1308
VOID
1309
SYMCRYPT_CALL
1310
SymCryptSha384Result(
1311
    _Inout_                                     PSYMCRYPT_SHA384_STATE  pState,
1312
    _Out_writes_( SYMCRYPT_SHA384_RESULT_SIZE ) PBYTE                  pbResult );
1313

1314
VOID
1315
SYMCRYPT_CALL
1316
SymCryptSha384StateCopy( _In_ PCSYMCRYPT_SHA384_STATE pSrc, _Out_ PSYMCRYPT_SHA384_STATE pDst );
1317

1318
VOID
1319
SYMCRYPT_CALL
1320
SymCryptSha384StateExport(
1321
    _In_                                                    PCSYMCRYPT_SHA384_STATE pState,
1322
    _Out_writes_bytes_( SYMCRYPT_SHA384_STATE_EXPORT_SIZE ) PBYTE                   pbBlob );
1323

1324
SYMCRYPT_ERROR
1325
SYMCRYPT_CALL
1326
SymCryptSha384StateImport(
1327
    _Out_                                                   PSYMCRYPT_SHA384_STATE  pState,
1328
    _In_reads_bytes_( SYMCRYPT_SHA384_STATE_EXPORT_SIZE)    PCBYTE                  pbBlob );
1329

1330
VOID
1331
SYMCRYPT_CALL
1332
SymCryptSha384Selftest(void);
1333

1334
extern const PCSYMCRYPT_HASH SymCryptSha384Algorithm;
1335

1336
////////////////////////////////////////////////////////////////////////////
1337
//   SHA-512
1338
//
1339
//
1340
// The SHA-512 hash algorithm per FIPS 180-4.
1341
// This implementation is limited to data strings that are in whole bytes.
1342
// Odd bit length are not supported.
1343
//
1344
// The SHA-512 standard limits data inputs to a maximum of 2^125-1 bytes.
1345
// This implementation supports larger inputs, and simply wraps the internal message
1346
// length counter. Note that the security properties are unknown for
1347
// such long messages, and their use is not recommended.
1348
//
1349
// For details on this API see the description above about the generic hash function API.
1350
//
1351

1352
#define SYMCRYPT_SHA512_RESULT_SIZE         (64)
1353
#define SYMCRYPT_SHA512_INPUT_BLOCK_SIZE    (128)
1354

1355
VOID
1356
SYMCRYPT_CALL
1357
SymCryptSha512(
1358
    _In_reads_( cbData )                        PCBYTE  pbData,
1359
                                                SIZE_T  cbData,
1360
    _Out_writes_( SYMCRYPT_SHA512_RESULT_SIZE ) PBYTE   pbResult );
1361

1362
VOID
1363
SYMCRYPT_CALL
1364
SymCryptSha512Init( _Out_ PSYMCRYPT_SHA512_STATE pState );
1365

1366
VOID
1367
SYMCRYPT_CALL
1368
SymCryptSha512Append(
1369
    _Inout_                 PSYMCRYPT_SHA512_STATE  pState,
1370
    _In_reads_( cbData )    PCBYTE                  pbData,
1371
                            SIZE_T                  cbData );
1372

1373
VOID
1374
SYMCRYPT_CALL
1375
SymCryptSha512Result(
1376
    _Inout_                                     PSYMCRYPT_SHA512_STATE pState,
1377
    _Out_writes_( SYMCRYPT_SHA512_RESULT_SIZE ) PBYTE                  pbResult );
1378

1379
VOID
1380
SYMCRYPT_CALL
1381
SymCryptSha512StateCopy( _In_ PCSYMCRYPT_SHA512_STATE pSrc, _Out_ PSYMCRYPT_SHA512_STATE pDst );
1382

1383
VOID
1384
SYMCRYPT_CALL
1385
SymCryptSha512StateExport(
1386
    _In_                                                    PCSYMCRYPT_SHA512_STATE pState,
1387
    _Out_writes_bytes_( SYMCRYPT_SHA512_STATE_EXPORT_SIZE ) PBYTE                   pbBlob );
1388

1389
SYMCRYPT_ERROR
1390
SYMCRYPT_CALL
1391
SymCryptSha512StateImport(
1392
    _Out_                                                   PSYMCRYPT_SHA512_STATE  pState,
1393
    _In_reads_bytes_( SYMCRYPT_SHA512_STATE_EXPORT_SIZE)    PCBYTE                  pbBlob );
1394

1395
VOID
1396
SYMCRYPT_CALL
1397
SymCryptSha512Selftest(void);
1398

1399
extern const PCSYMCRYPT_HASH SymCryptSha512Algorithm;
1400

1401

1402
////////////////////////////////////////////////////////////////////////////
1403
//   SHA-512/224
1404
//
1405
//
1406
// The SHA-512/224 hash algorithm per FIPS 180-4.
1407
// This implementation is limited to data strings that are in whole bytes.
1408
// Odd bit length are not supported.
1409
//
1410
// The SHA-512/224 standard limits data inputs to a maximum of 2^125-1 bytes.
1411
// This implementation supports larger inputs, and simply wraps the internal message
1412
// length counter. Note that the security properties are unknown for
1413
// such long messages, and their use is not recommended.
1414
//
1415
// This implementation is meant for interoperability and is not recommended for use.
1416
//
1417
// For details on this API see the description above about the generic hash function API.
1418
//
1419

1420
#define SYMCRYPT_SHA512_224_RESULT_SIZE         (28)
1421
#define SYMCRYPT_SHA512_224_INPUT_BLOCK_SIZE    (128)
1422

1423
VOID
1424
SYMCRYPT_CALL
1425
SymCryptSha512_224(
1426
    _In_reads_( cbData )                            PCBYTE  pbData,
1427
                                                    SIZE_T  cbData,
1428
    _Out_writes_( SYMCRYPT_SHA512_224_RESULT_SIZE ) PBYTE   pbResult );
1429

1430
VOID
1431
SYMCRYPT_CALL
1432
SymCryptSha512_224Init( _Out_ PSYMCRYPT_SHA512_224_STATE pState );
1433

1434
VOID
1435
SYMCRYPT_CALL
1436
SymCryptSha512_224Append(
1437
    _Inout_                 PSYMCRYPT_SHA512_224_STATE  pState,
1438
    _In_reads_( cbData )    PCBYTE                      pbData,
1439
                            SIZE_T                      cbData );
1440

1441
VOID
1442
SYMCRYPT_CALL
1443
SymCryptSha512_224Result(
1444
    _Inout_                                         PSYMCRYPT_SHA512_224_STATE  pState,
1445
    _Out_writes_( SYMCRYPT_SHA512_224_RESULT_SIZE ) PBYTE                       pbResult );
1446

1447
VOID
1448
SYMCRYPT_CALL
1449
SymCryptSha512_224StateCopy( _In_ PCSYMCRYPT_SHA512_224_STATE pSrc, _Out_ PSYMCRYPT_SHA512_224_STATE pDst );
1450

1451
VOID
1452
SYMCRYPT_CALL
1453
SymCryptSha512_224StateExport(
1454
    _In_                                                        PCSYMCRYPT_SHA512_224_STATE pState,
1455
    _Out_writes_bytes_( SYMCRYPT_SHA512_224_STATE_EXPORT_SIZE ) PBYTE                       pbBlob );
1456

1457
SYMCRYPT_ERROR
1458
SYMCRYPT_CALL
1459
SymCryptSha512_224StateImport(
1460
    _Out_                                                       PSYMCRYPT_SHA512_224_STATE  pState,
1461
    _In_reads_bytes_( SYMCRYPT_SHA512_224_STATE_EXPORT_SIZE)    PCBYTE                      pbBlob );
1462

1463
VOID
1464
SYMCRYPT_CALL
1465
SymCryptSha512_224Selftest(void);
1466

1467
extern const PCSYMCRYPT_HASH SymCryptSha512_224Algorithm;
1468

1469

1470
////////////////////////////////////////////////////////////////////////////
1471
//   SHA-512/256
1472
//
1473
//
1474
// The SHA-512/256 hash algorithm per FIPS 180-4.
1475
// This implementation is limited to data strings that are in whole bytes.
1476
// Odd bit length are not supported.
1477
//
1478
// The SHA-512/256 standard limits data inputs to a maximum of 2^125-1 bytes.
1479
// This implementation supports larger inputs, and simply wraps the internal message
1480
// length counter. Note that the security properties are unknown for
1481
// such long messages, and their use is not recommended.
1482
//
1483
// This implementation is meant for interoperability and is not recommended for use.
1484
//
1485
// For details on this API see the description above about the generic hash function API.
1486
//
1487

1488
#define SYMCRYPT_SHA512_256_RESULT_SIZE         (32)
1489
#define SYMCRYPT_SHA512_256_INPUT_BLOCK_SIZE    (128)
1490

1491
VOID
1492
SYMCRYPT_CALL
1493
SymCryptSha512_256(
1494
    _In_reads_( cbData )                            PCBYTE  pbData,
1495
                                                    SIZE_T  cbData,
1496
    _Out_writes_( SYMCRYPT_SHA512_256_RESULT_SIZE ) PBYTE   pbResult );
1497

1498
VOID
1499
SYMCRYPT_CALL
1500
SymCryptSha512_256Init( _Out_ PSYMCRYPT_SHA512_256_STATE pState );
1501

1502
VOID
1503
SYMCRYPT_CALL
1504
SymCryptSha512_256Append(
1505
    _Inout_                 PSYMCRYPT_SHA512_256_STATE  pState,
1506
    _In_reads_( cbData )    PCBYTE                      pbData,
1507
                            SIZE_T                      cbData );
1508

1509
VOID
1510
SYMCRYPT_CALL
1511
SymCryptSha512_256Result(
1512
    _Inout_                                         PSYMCRYPT_SHA512_256_STATE  pState,
1513
    _Out_writes_( SYMCRYPT_SHA512_256_RESULT_SIZE ) PBYTE                       pbResult );
1514

1515
VOID
1516
SYMCRYPT_CALL
1517
SymCryptSha512_256StateCopy( _In_ PCSYMCRYPT_SHA512_256_STATE pSrc, _Out_ PSYMCRYPT_SHA512_256_STATE pDst );
1518

1519
VOID
1520
SYMCRYPT_CALL
1521
SymCryptSha512_256StateExport(
1522
    _In_                                                        PCSYMCRYPT_SHA512_256_STATE pState,
1523
    _Out_writes_bytes_( SYMCRYPT_SHA512_256_STATE_EXPORT_SIZE ) PBYTE                       pbBlob );
1524

1525
SYMCRYPT_ERROR
1526
SYMCRYPT_CALL
1527
SymCryptSha512_256StateImport(
1528
    _Out_                                                       PSYMCRYPT_SHA512_256_STATE  pState,
1529
    _In_reads_bytes_( SYMCRYPT_SHA512_256_STATE_EXPORT_SIZE)    PCBYTE                      pbBlob );
1530

1531
VOID
1532
SYMCRYPT_CALL
1533
SymCryptSha512_256Selftest(void);
1534

1535
extern const PCSYMCRYPT_HASH SymCryptSha512_256Algorithm;
1536

1537

1538
////////////////////////////////////////////////////////////////////////////
1539
//   SHA-3
1540
//
1541
// The SHA-3 family of hash algorithms per FIPS 202.
1542
// This implementation is limited to data strings that are in whole bytes.
1543
// Odd bit length are not supported.
1544
//
1545
// SHA3-224 is meant for interoperability and is not recommended for use.
1546
//
1547
// SHA3-224(M) = KECCAK[448](M || 01, 224)
1548
// SHA3-256(M) = KECCAK[512](M || 01, 256)
1549
// SHA3-384(M) = KECCAK[768](M || 01, 384)
1550
// SHA3-512(M) = KECCAK[1024](M || 01, 512)
1551
//
1552
// For details on this API see the description above about the generic hash function API.
1553
//
1554

1555

1556
//
1557
// SHA-3-224
1558
//
1559

1560
#define SYMCRYPT_SHA3_224_RESULT_SIZE         (28)
1561
#define SYMCRYPT_SHA3_224_INPUT_BLOCK_SIZE    (144)
1562

1563
VOID
1564
SYMCRYPT_CALL
1565
SymCryptSha3_224(
1566
    _In_reads_(cbData)                          PCBYTE  pbData,
1567
                                                SIZE_T  cbData,
1568
    _Out_writes_(SYMCRYPT_SHA3_224_RESULT_SIZE) PBYTE   pbResult);
1569

1570
VOID
1571
SYMCRYPT_CALL
1572
SymCryptSha3_224Init(_Out_ PSYMCRYPT_SHA3_224_STATE pState);
1573

1574
VOID
1575
SYMCRYPT_CALL
1576
SymCryptSha3_224Append(
1577
    _Inout_                 PSYMCRYPT_SHA3_224_STATE    pState,
1578
    _In_reads_(cbData)      PCBYTE                      pbData,
1579
                            SIZE_T                      cbData);
1580

1581
VOID
1582
SYMCRYPT_CALL
1583
SymCryptSha3_224Result(
1584
    _Inout_                                     PSYMCRYPT_SHA3_224_STATE    pState,
1585
    _Out_writes_(SYMCRYPT_SHA3_224_RESULT_SIZE) PBYTE                       pbResult);
1586

1587
VOID
1588
SYMCRYPT_CALL
1589
SymCryptSha3_224StateCopy(_In_ PCSYMCRYPT_SHA3_224_STATE pSrc, _Out_ PSYMCRYPT_SHA3_224_STATE pDst);
1590

1591
VOID
1592
SYMCRYPT_CALL
1593
SymCryptSha3_224StateExport(
1594
    _In_                                                    PCSYMCRYPT_SHA3_224_STATE   pState,
1595
    _Out_writes_bytes_(SYMCRYPT_SHA3_224_STATE_EXPORT_SIZE) PBYTE                       pbBlob);
1596

1597
SYMCRYPT_ERROR
1598
SYMCRYPT_CALL
1599
SymCryptSha3_224StateImport(
1600
    _Out_                                                   PSYMCRYPT_SHA3_224_STATE    pState,
1601
    _In_reads_bytes_(SYMCRYPT_SHA3_224_STATE_EXPORT_SIZE)   PCBYTE                      pbBlob);
1602

1603
VOID
1604
SYMCRYPT_CALL
1605
SymCryptSha3_224Selftest(void);
1606

1607
extern const PCSYMCRYPT_HASH SymCryptSha3_224Algorithm;
1608

1609

1610
//
1611
// SHA-3-256
1612
//
1613

1614
#define SYMCRYPT_SHA3_256_RESULT_SIZE         (32)
1615
#define SYMCRYPT_SHA3_256_INPUT_BLOCK_SIZE    (136)
1616

1617
VOID
1618
SYMCRYPT_CALL
1619
SymCryptSha3_256(
1620
    _In_reads_(cbData)                          PCBYTE  pbData,
1621
                                                SIZE_T  cbData,
1622
    _Out_writes_(SYMCRYPT_SHA3_256_RESULT_SIZE) PBYTE   pbResult);
1623

1624
VOID
1625
SYMCRYPT_CALL
1626
SymCryptSha3_256Init(_Out_ PSYMCRYPT_SHA3_256_STATE pState);
1627

1628
VOID
1629
SYMCRYPT_CALL
1630
SymCryptSha3_256Append(
1631
    _Inout_                 PSYMCRYPT_SHA3_256_STATE    pState,
1632
    _In_reads_(cbData)      PCBYTE                      pbData,
1633
                            SIZE_T                      cbData);
1634

1635
VOID
1636
SYMCRYPT_CALL
1637
SymCryptSha3_256Result(
1638
    _Inout_                                     PSYMCRYPT_SHA3_256_STATE    pState,
1639
    _Out_writes_(SYMCRYPT_SHA3_256_RESULT_SIZE) PBYTE                       pbResult);
1640

1641
VOID
1642
SYMCRYPT_CALL
1643
SymCryptSha3_256StateCopy(_In_ PCSYMCRYPT_SHA3_256_STATE pSrc, _Out_ PSYMCRYPT_SHA3_256_STATE pDst);
1644

1645
VOID
1646
SYMCRYPT_CALL
1647
SymCryptSha3_256StateExport(
1648
    _In_                                                    PCSYMCRYPT_SHA3_256_STATE   pState,
1649
    _Out_writes_bytes_(SYMCRYPT_SHA3_256_STATE_EXPORT_SIZE) PBYTE                       pbBlob);
1650

1651
SYMCRYPT_ERROR
1652
SYMCRYPT_CALL
1653
SymCryptSha3_256StateImport(
1654
    _Out_                                                   PSYMCRYPT_SHA3_256_STATE    pState,
1655
    _In_reads_bytes_(SYMCRYPT_SHA3_256_STATE_EXPORT_SIZE)   PCBYTE                      pbBlob);
1656

1657
VOID
1658
SYMCRYPT_CALL
1659
SymCryptSha3_256Selftest(void);
1660

1661
extern const PCSYMCRYPT_HASH SymCryptSha3_256Algorithm;
1662

1663

1664
//
1665
// SHA-3-384
1666
//
1667

1668
#define SYMCRYPT_SHA3_384_RESULT_SIZE         (48)
1669
#define SYMCRYPT_SHA3_384_INPUT_BLOCK_SIZE    (104)
1670

1671
VOID
1672
SYMCRYPT_CALL
1673
SymCryptSha3_384(
1674
    _In_reads_(cbData)                          PCBYTE  pbData,
1675
                                                SIZE_T  cbData,
1676
    _Out_writes_(SYMCRYPT_SHA3_384_RESULT_SIZE) PBYTE   pbResult);
1677

1678
VOID
1679
SYMCRYPT_CALL
1680
SymCryptSha3_384Init(_Out_ PSYMCRYPT_SHA3_384_STATE pState);
1681

1682
VOID
1683
SYMCRYPT_CALL
1684
SymCryptSha3_384Append(
1685
    _Inout_                 PSYMCRYPT_SHA3_384_STATE    pState,
1686
    _In_reads_(cbData)      PCBYTE                      pbData,
1687
                            SIZE_T                      cbData);
1688

1689
VOID
1690
SYMCRYPT_CALL
1691
SymCryptSha3_384Result(
1692
    _Inout_                                     PSYMCRYPT_SHA3_384_STATE    pState,
1693
    _Out_writes_(SYMCRYPT_SHA3_384_RESULT_SIZE) PBYTE                       pbResult);
1694

1695
VOID
1696
SYMCRYPT_CALL
1697
SymCryptSha3_384StateCopy(_In_ PCSYMCRYPT_SHA3_384_STATE pSrc, _Out_ PSYMCRYPT_SHA3_384_STATE pDst);
1698

1699
VOID
1700
SYMCRYPT_CALL
1701
SymCryptSha3_384StateExport(
1702
    _In_                                                    PCSYMCRYPT_SHA3_384_STATE   pState,
1703
    _Out_writes_bytes_(SYMCRYPT_SHA3_384_STATE_EXPORT_SIZE) PBYTE                       pbBlob);
1704

1705
SYMCRYPT_ERROR
1706
SYMCRYPT_CALL
1707
SymCryptSha3_384StateImport(
1708
    _Out_                                                   PSYMCRYPT_SHA3_384_STATE    pState,
1709
    _In_reads_bytes_(SYMCRYPT_SHA3_384_STATE_EXPORT_SIZE)   PCBYTE                      pbBlob);
1710

1711
VOID
1712
SYMCRYPT_CALL
1713
SymCryptSha3_384Selftest(void);
1714

1715
extern const PCSYMCRYPT_HASH SymCryptSha3_384Algorithm;
1716

1717

1718
//
1719
// SHA-3-512
1720
//
1721

1722
#define SYMCRYPT_SHA3_512_RESULT_SIZE         (64)
1723
#define SYMCRYPT_SHA3_512_INPUT_BLOCK_SIZE    (72)
1724

1725
VOID
1726
SYMCRYPT_CALL
1727
SymCryptSha3_512(
1728
    _In_reads_( cbData )                            PCBYTE  pbData,
1729
                                                    SIZE_T  cbData,
1730
    _Out_writes_( SYMCRYPT_SHA3_512_RESULT_SIZE )   PBYTE   pbResult );
1731

1732
VOID
1733
SYMCRYPT_CALL
1734
SymCryptSha3_512Init( _Out_ PSYMCRYPT_SHA3_512_STATE pState );
1735

1736
VOID
1737
SYMCRYPT_CALL
1738
SymCryptSha3_512Append(
1739
    _Inout_                 PSYMCRYPT_SHA3_512_STATE    pState,
1740
    _In_reads_( cbData )    PCBYTE                      pbData,
1741
                            SIZE_T                      cbData );
1742

1743
VOID
1744
SYMCRYPT_CALL
1745
SymCryptSha3_512Result(
1746
    _Inout_                                         PSYMCRYPT_SHA3_512_STATE    pState,
1747
    _Out_writes_( SYMCRYPT_SHA3_512_RESULT_SIZE )   PBYTE                       pbResult );
1748

1749
VOID
1750
SYMCRYPT_CALL
1751
SymCryptSha3_512StateCopy( _In_ PCSYMCRYPT_SHA3_512_STATE pSrc, _Out_ PSYMCRYPT_SHA3_512_STATE pDst );
1752

1753
VOID
1754
SYMCRYPT_CALL
1755
SymCryptSha3_512StateExport(
1756
    _In_                                                        PCSYMCRYPT_SHA3_512_STATE   pState,
1757
    _Out_writes_bytes_( SYMCRYPT_SHA3_512_STATE_EXPORT_SIZE )   PBYTE                       pbBlob );
1758

1759
SYMCRYPT_ERROR
1760
SYMCRYPT_CALL
1761
SymCryptSha3_512StateImport(
1762
    _Out_                                                   PSYMCRYPT_SHA3_512_STATE    pState,
1763
    _In_reads_bytes_( SYMCRYPT_SHA3_512_STATE_EXPORT_SIZE)  PCBYTE                      pbBlob );
1764

1765
VOID
1766
SYMCRYPT_CALL
1767
SymCryptSha3_512Selftest(void);
1768

1769
extern const PCSYMCRYPT_HASH SymCryptSha3_512Algorithm;
1770

1771

1772
//==========================================================================
1773
//   Extendable-Output Functions (XOFs)
1774
//==========================================================================
1775
//
1776
//  XOFs are similar to hash functions except that the output can be arbitrary length.
1777
//  SHAKE128 and SHAKE256 are XOFs specified in FIPS 202.
1778
//
1779
//  SHAKE128(M, d) = KECCAK[256] (M || 1111, d)
1780
//  SHAKE256(M, d) = KECCAK[512] (M || 1111, d)
1781
//
1782
//  SHAKEs share the same Keccak state as the other Keccak based algorithms under
1783
//  the name SYMCRYPT_SHAKEXxx_STATE.
1784
//
1785
//  Both SHAKE128 and SHAKE256 have default result sizes (32- and 64-bytes resp.)
1786
//  that allows them to be used as substitutes for hash functions with the Init-Append-Result
1787
//  pattern.
1788
//
1789
//  Extract is a new type of function that does not exist in hash functions, which can
1790
//  be called multiple times to successively generate output from the state. Extract
1791
//  function also provides the caller with a flag to wipe the state when no further Extract
1792
//  calls will be made. If the caller does not know in advance whether an Extract call is
1793
//  the final one, wiping can be performed later with an Init call or an Extract call with
1794
//  zero bytes output.
1795
//
1796
//  If Append is called after an Extract call which did not wipe the state (i.e., the state
1797
//  is still in 'extract' mode), Append will notice this and switch from 'extract' mode to
1798
//  'append' mode by wiping and initializing the state. This Append call effectively appends
1799
//  data for a fresh computation, saving an additional call to wipe/initialize the state.
1800
//
1801
//
1802
//  SYMCRYPT_SHAKEXXX_RESULT_SIZE
1803
//
1804
//      Default output size, used by the SymCryptShakeXxxResult function.
1805
//
1806
//  SYMCRYPT_SHAKEXXX_INPUT_BLOCK_SIZE
1807
//
1808
//      Rate for the Keccak permutation.
1809
//
1810
//  VOID
1811
//  SYMCRYPT_CALL
1812
//  SymCryptShakeXxxDefault(
1813
//      _In_reads_( cbData )                            PCBYTE  pbData,
1814
//                                                      SIZE_T  cbData,
1815
//      _Out_writes_( SYMCRYPT_SHAKEXXX_RESULT_SIZE )   PBYTE   pbResult);
1816
//
1817
//      SHAKE single-call function that produces default output size defined by
1818
//      SYMCRYPT_SHAKEXXX_RESULT_SIZE.
1819
//
1820
//  VOID
1821
//  SYMCRYPT_CALL
1822
//  SymCryptShakeXxx(
1823
//      _In_reads_( cbData )        PCBYTE  pbData,
1824
//                                  SIZE_T  cbData,
1825
//      _Out_writes_( cbResult )    PBYTE   pbResult,
1826
//                                  SIZE_T  cbResult);
1827
//
1828
//      SHAKE single-call function that produces variable-length output specified
1829
//      by the cbResult parameter.
1830
//
1831
//  VOID
1832
//  SYMCRYPT_CALL
1833
//  SymCryptShakeXxxInit( _Out_ PSYMCRYPT_XXX_STATE pState );
1834
//
1835
//      Initializes the SHAKE state.
1836
//
1837
//  VOID
1838
//  SYMCRYPT_CALL
1839
//  SymCryptShakeXxxAppend(
1840
//      _Inout_                 PSYMCRYPT_XXX_STATE pState,
1841
//      _In_reads_( cbData )    PCBYTE              pbData,
1842
//                              SIZE_T              cbData );
1843
//
1844
//      Appends data to the SHAKE state.
1845
//
1846
//      Append cannot be the first call to an uninitialized SHAKE state. All
1847
//      other uses independent of whether the state is in 'append' mode or 'extract'
1848
//      mode are well defined. If the state was previously in 'extract' mode, (i.e., after
1849
//      an Extract call with bWipe=FALSE) it wipes/resets the state and the data is
1850
//      appended to a fresh state.
1851
//
1852
//  VOID
1853
//  SYMCRYPT_CALL
1854
//  SymCryptShakeXxxExtract(
1855
//      _Inout_                 PSYMCRYPT_XXX_STATE pState,
1856
//      _Out_writes_(cbResult)  PBYTE               pbResult,
1857
//                              SIZE_T              cbResult,
1858
//                              BOOLEAN             bWipe);
1859
//
1860
//      Generates output from the SHAKE state.
1861
//
1862
//      Extract cannot be the first call to an uninitialized SHAKE state. All
1863
//      other uses independent of whether the state is in 'append' mode or 'extract' mode
1864
//      are well defined.
1865
//
1866
//      If the state was in 'append' mode before the Extract call, Extract switches
1867
//      the state to 'extract' mode and generates the requested number of bytes from
1868
//      the state. Extract wipes/resets the state and transitions the state to 'append'
1869
//      mode if bWipe=TRUE, otherwise leaving the state in 'extract' mode, available for
1870
//      further extractions.
1871
//
1872
//  VOID
1873
//  SYMCRYPT_CALL
1874
//  SymCryptShakeXxxResult(
1875
//      _Inout_                                     PSYMCRYPT_XXX_STATE pState,
1876
//      _Out_writes_(SYMCRYPT_SHAKEXXX_RESULT_SIZE) PBYTE               pbResult );
1877
//
1878
//      Extracts SYMCRYPT_SHAKEXXX_RESULT_SIZE bytes from the state and wipes/resets
1879
//      it for a new computation.
1880
//
1881
//      Result cannot be called with an uninitialized state. All other uses are well
1882
//      defined. If it is called after an Extract call with bWipe=FALSE, it does the
1883
//      final extraction from the state for SYMCRYPT_SHAKEXXX_RESULT_SIZE bytes,
1884
//      effectively calling Extract with cbResult=SYMCRYPT_SHAKEXXX_RESULT_SIZE and
1885
//      bWipe=TRUE.
1886
//
1887
//  VOID
1888
//  SYMCRYPT_CALL
1889
//  SymCryptShakeXxxStateCopy(_In_ PCSYMCRYPT_SHAKEXXX_STATE pSrc, _Out_ PSYMCRYPT_SHAKEXXX_STATE pDst);
1890
//
1891
//      Create a new copy of the state object.
1892
//
1893
// VOID
1894
// SYMCRYPT_CALL
1895
// SymCryptShakeXxxSelftest(void);
1896
//
1897
//      Perform a minimal self-test on the ShakeXxx algorithm.
1898
//      This function is designed to be used for achieving FIPS 140-2 compliance or
1899
//      to provide a simple self-test when an application starts.
1900
//
1901
//      If an error is detected, a platform-specific fatal error action is taken.
1902
//      Callers do not need to handle any error conditions.
1903

1904

1905
//
1906
// SHAKE128
1907
//
1908
#define SYMCRYPT_SHAKE128_RESULT_SIZE           (32)
1909
#define SYMCRYPT_SHAKE128_INPUT_BLOCK_SIZE      (168)
1910

1911
VOID
1912
SYMCRYPT_CALL
1913
SymCryptShake128Default(
1914
    _In_reads_( cbData )                            PCBYTE  pbData,
1915
                                                    SIZE_T  cbData,
1916
    _Out_writes_( SYMCRYPT_SHAKE128_RESULT_SIZE )   PBYTE   pbResult);
1917

1918
VOID
1919
SYMCRYPT_CALL
1920
SymCryptShake128(
1921
    _In_reads_( cbData )        PCBYTE  pbData,
1922
                                SIZE_T  cbData,
1923
    _Out_writes_( cbResult )    PBYTE   pbResult,
1924
                                SIZE_T  cbResult);
1925

1926
VOID
1927
SYMCRYPT_CALL
1928
SymCryptShake128Init( _Out_ PSYMCRYPT_SHAKE128_STATE pState );
1929

1930
VOID
1931
SYMCRYPT_CALL
1932
SymCryptShake128Append(
1933
    _Inout_                 PSYMCRYPT_SHAKE128_STATE    pState,
1934
    _In_reads_( cbData )    PCBYTE                      pbData,
1935
                            SIZE_T                      cbData );
1936

1937
VOID
1938
SYMCRYPT_CALL
1939
SymCryptShake128Extract(
1940
    _Inout_                 PSYMCRYPT_SHAKE128_STATE    pState,
1941
    _Out_writes_(cbResult)  PBYTE                       pbResult,
1942
                            SIZE_T                      cbResult,
1943
                            BOOLEAN                     bWipe);
1944

1945
VOID
1946
SYMCRYPT_CALL
1947
SymCryptShake128Result(
1948
    _Inout_                                     PSYMCRYPT_SHAKE128_STATE    pState,
1949
    _Out_writes_(SYMCRYPT_SHAKE128_RESULT_SIZE) PBYTE                       pbResult );
1950

1951
VOID
1952
SYMCRYPT_CALL
1953
SymCryptShake128StateCopy(_In_ PCSYMCRYPT_SHAKE128_STATE pSrc, _Out_ PSYMCRYPT_SHAKE128_STATE pDst);
1954

1955
VOID
1956
SYMCRYPT_CALL
1957
SymCryptShake128Selftest(void);
1958

1959
extern const PCSYMCRYPT_HASH SymCryptShake128HashAlgorithm;
1960

1961
//
1962
// SHAKE256
1963
//
1964
#define SYMCRYPT_SHAKE256_RESULT_SIZE           (64)
1965
#define SYMCRYPT_SHAKE256_INPUT_BLOCK_SIZE      (136)
1966

1967
VOID
1968
SYMCRYPT_CALL
1969
SymCryptShake256Default(
1970
    _In_reads_( cbData )                            PCBYTE  pbData,
1971
                                                    SIZE_T  cbData,
1972
    _Out_writes_( SYMCRYPT_SHAKE256_RESULT_SIZE )   PBYTE   pbResult);
1973

1974
VOID
1975
SYMCRYPT_CALL
1976
SymCryptShake256(
1977
    _In_reads_( cbData )        PCBYTE  pbData,
1978
                                SIZE_T  cbData,
1979
    _Out_writes_( cbResult )    PBYTE   pbResult,
1980
                                SIZE_T  cbResult);
1981

1982
VOID
1983
SYMCRYPT_CALL
1984
SymCryptShake256Init( _Out_ PSYMCRYPT_SHAKE256_STATE pState );
1985

1986
VOID
1987
SYMCRYPT_CALL
1988
SymCryptShake256Append(
1989
    _Inout_                 PSYMCRYPT_SHAKE256_STATE    pState,
1990
    _In_reads_( cbData )    PCBYTE                      pbData,
1991
                            SIZE_T                      cbData );
1992

1993
VOID
1994
SYMCRYPT_CALL
1995
SymCryptShake256Extract(
1996
    _Inout_                 PSYMCRYPT_SHAKE256_STATE    pState,
1997
    _Out_writes_(cbResult)  PBYTE                       pbResult,
1998
                            SIZE_T                      cbResult,
1999
                            BOOLEAN                     bWipe);
2000

2001
VOID
2002
SYMCRYPT_CALL
2003
SymCryptShake256Result(
2004
    _Inout_                                     PSYMCRYPT_SHAKE256_STATE    pState,
2005
    _Out_writes_(SYMCRYPT_SHAKE256_RESULT_SIZE) PBYTE                       pbResult );
2006

2007

2008
VOID
2009
SYMCRYPT_CALL
2010
SymCryptShake256StateCopy(_In_ PCSYMCRYPT_SHAKE256_STATE pSrc, _Out_ PSYMCRYPT_SHAKE256_STATE pDst);
2011

2012
VOID
2013
SYMCRYPT_CALL
2014
SymCryptShake256Selftest(void);
2015

2016
extern const PCSYMCRYPT_HASH SymCryptShake256HashAlgorithm;
2017

2018
//==========================================================================
2019
//   Customizable Extendable-Output Functions (XOFs)
2020
//==========================================================================
2021
//
2022
//  cSHAKE128 and cSHAKE256 are customizable SHAKE functions specified in NIST SP 800-185.
2023
//
2024
//  When cSHAKE input strings N (function name string) and S (customization string) are
2025
//  both empty, cSHAKE is equivalent to SHAKE:
2026
//
2027
//  cSHAKE128(X, L, "", "") = SHAKE128(X, L)
2028
//  cSHAKE256(X, L, "", "") = SHAKE256(X, L)
2029
//
2030
//  If at least one of N and S is non-empty, cSHAKE is defined as follows:
2031
//
2032
//  cSHAKE128(X, L, N, S) = KECCAK[256](bytepad(encode_string(N) || encode_string(S), 168) || X || 00, L)
2033
//  cSHAKE256(X, L, N, S) = KECCAK[512](bytepad(encode_string(N) || encode_string(S), 136) || X || 00, L)
2034
//
2035
//  The following functions are equivalent to their SHAKE counterparts.
2036
//  SymCryptCShakeXxxExtract with bWipe=TRUE and SymCryptCShakeXxxResult functions reset
2037
//  the cSHAKE state to an empty SHAKE state after generating output. This behavior is
2038
//  equivalent to calling SymCryptCShakeXxxInit with empty input strings.
2039
//
2040
//      SymCryptCShakeXxxAppend
2041
//      SymCryptCShakeXxxExtract
2042
//      SymCryptCShakeXxxResult
2043
//
2044
//  Calling SymCryptCShakeXxxAppend when cSHAKE state is in 'extract' mode results
2045
//  in the same behavior described above: the state is wiped and initialized with
2046
//  empty input strings, after which the data is appended to the empty state. This
2047
//  converts the state to a SHAKE state since cSHAKE with empty input strings is
2048
//  equivalent to SHAKE. This is a consequence of not being able to store the input
2049
//  strings to cSHAKE and re-initialize it with them. Thus, if multiple cSHAKE
2050
//  computations with the same input strings are to be carried out, cSHAKE state must
2051
//  be initialized with the input strings each time.
2052
//
2053
//  The following functions differ from the SHAKE by the introduction of customization
2054
//  strings:
2055
//
2056
//  VOID
2057
//  SYMCRYPT_CALL
2058
//  SymCryptCShakeXxx(
2059
//      _In_reads_( cbFunctionNameString )  PCBYTE  pbFunctionNameString,
2060
//                                          SIZE_T  cbFunctionNameString,
2061
//      _In_reads_( cbCustomizationString ) PCBYTE  pbCustomizationString,
2062
//                                          SIZE_T  cbCustomizationString,
2063
//      _In_reads_( cbData )                PCBYTE  pbData,
2064
//                                          SIZE_T  cbData,
2065
//      _Out_writes_( cbResult )            PBYTE   pbResult,
2066
//                                          SIZE_T  cbResult);
2067
//
2068
//      Single-call cSHAKE computation.
2069
//
2070
//  VOID
2071
//  SYMCRYPT_CALL
2072
//  SymCryptCShakeXxxInit(
2073
//      _Out_                               PSYMCRYPT_CSHAKEXXX_STATE   pState,
2074
//      _In_reads_( cbFunctionNameString )  PCBYTE                      pbFunctionNameString,
2075
//                                          SIZE_T                      cbFunctionNameString,
2076
//      _In_reads_( cbCustomizationString ) PCBYTE                      pbCustomizationString,
2077
//                                          SIZE_T                      cbCustomizationString);
2078
//
2079
//      Initializes the cSHAKE state with the provided input strings. If both of
2080
//      the input strings are empty, the call is equivalent to SymCryptShakeXxxInit,
2081
//      otherwise the input strings will be encoded and appended to the state.
2082

2083

2084
//
2085
// cSHAKE128
2086
//
2087
#define SYMCRYPT_CSHAKE128_RESULT_SIZE           SYMCRYPT_SHAKE128_RESULT_SIZE
2088
#define SYMCRYPT_CSHAKE128_INPUT_BLOCK_SIZE      SYMCRYPT_SHAKE128_INPUT_BLOCK_SIZE
2089

2090
VOID
2091
SYMCRYPT_CALL
2092
SymCryptCShake128(
2093
    _In_reads_( cbFunctionNameString )  PCBYTE  pbFunctionNameString,
2094
                                        SIZE_T  cbFunctionNameString,
2095
    _In_reads_( cbCustomizationString ) PCBYTE  pbCustomizationString,
2096
                                        SIZE_T  cbCustomizationString,
2097
    _In_reads_( cbData )                PCBYTE  pbData,
2098
                                        SIZE_T  cbData,
2099
    _Out_writes_( cbResult )            PBYTE   pbResult,
2100
                                        SIZE_T  cbResult);
2101

2102
VOID
2103
SYMCRYPT_CALL
2104
SymCryptCShake128Init(
2105
    _Out_                               PSYMCRYPT_CSHAKE128_STATE   pState,
2106
    _In_reads_( cbFunctionNameString )  PCBYTE                      pbFunctionNameString,
2107
                                        SIZE_T                      cbFunctionNameString,
2108
    _In_reads_( cbCustomizationString ) PCBYTE                      pbCustomizationString,
2109
                                        SIZE_T                      cbCustomizationString);
2110

2111
VOID
2112
SYMCRYPT_CALL
2113
SymCryptCShake128Append(
2114
    _Inout_                 PSYMCRYPT_CSHAKE128_STATE   pState,
2115
    _In_reads_( cbData )    PCBYTE                      pbData,
2116
                            SIZE_T                      cbData );
2117

2118
VOID
2119
SYMCRYPT_CALL
2120
SymCryptCShake128Extract(
2121
    _Inout_                 PSYMCRYPT_CSHAKE128_STATE   pState,
2122
    _Out_writes_(cbResult)  PBYTE                       pbResult,
2123
                            SIZE_T                      cbResult,
2124
                            BOOLEAN                     bWipe);
2125

2126
VOID
2127
SYMCRYPT_CALL
2128
SymCryptCShake128Result(
2129
    _Inout_                                         PSYMCRYPT_CSHAKE128_STATE   pState,
2130
    _Out_writes_( SYMCRYPT_CSHAKE128_RESULT_SIZE )  PBYTE                       pbResult);
2131

2132
VOID
2133
SYMCRYPT_CALL
2134
SymCryptCShake128StateCopy(_In_ PCSYMCRYPT_CSHAKE128_STATE pSrc, _Out_ PSYMCRYPT_CSHAKE128_STATE pDst);
2135

2136
VOID
2137
SYMCRYPT_CALL
2138
SymCryptCShake128Selftest(void);
2139

2140

2141
//
2142
// cSHAKE256
2143
//
2144
#define SYMCRYPT_CSHAKE256_RESULT_SIZE           SYMCRYPT_SHAKE256_RESULT_SIZE
2145
#define SYMCRYPT_CSHAKE256_INPUT_BLOCK_SIZE      SYMCRYPT_SHAKE256_INPUT_BLOCK_SIZE
2146

2147
VOID
2148
SYMCRYPT_CALL
2149
SymCryptCShake256(
2150
    _In_reads_( cbFunctionNameString )  PCBYTE  pbFunctionNameString,
2151
                                        SIZE_T  cbFunctionNameString,
2152
    _In_reads_( cbCustomizationString ) PCBYTE  pbCustomizationString,
2153
                                        SIZE_T  cbCustomizationString,
2154
    _In_reads_( cbData )                PCBYTE  pbData,
2155
                                        SIZE_T  cbData,
2156
    _Out_writes_( cbResult )            PBYTE   pbResult,
2157
                                        SIZE_T  cbResult);
2158

2159
VOID
2160
SYMCRYPT_CALL
2161
SymCryptCShake256Init(
2162
    _Out_                               PSYMCRYPT_CSHAKE256_STATE   pState,
2163
    _In_reads_( cbFunctionNameString )  PCBYTE                      pbFunctionNameString,
2164
                                        SIZE_T                      cbFunctionNameString,
2165
    _In_reads_( cbCustomizationString ) PCBYTE                      pbCustomizationString,
2166
                                        SIZE_T                      cbCustomizationString);
2167

2168
VOID
2169
SYMCRYPT_CALL
2170
SymCryptCShake256Append(
2171
    _Inout_                 PSYMCRYPT_CSHAKE256_STATE   pState,
2172
    _In_reads_( cbData )    PCBYTE                      pbData,
2173
                            SIZE_T                      cbData );
2174

2175
VOID
2176
SYMCRYPT_CALL
2177
SymCryptCShake256Extract(
2178
    _Inout_                 PSYMCRYPT_CSHAKE256_STATE   pState,
2179
    _Out_writes_(cbResult)  PBYTE                       pbResult,
2180
                            SIZE_T                      cbResult,
2181
                            BOOLEAN                     bWipe);
2182

2183
VOID
2184
SYMCRYPT_CALL
2185
SymCryptCShake256Result(
2186
    _Inout_                                         PSYMCRYPT_CSHAKE256_STATE   pState,
2187
    _Out_writes_( SYMCRYPT_CSHAKE256_RESULT_SIZE )  PBYTE                      pbResult);
2188

2189
VOID
2190
SYMCRYPT_CALL
2191
SymCryptCShake256StateCopy(_In_ PCSYMCRYPT_CSHAKE256_STATE pSrc, _Out_ PSYMCRYPT_CSHAKE256_STATE pDst);
2192

2193
VOID
2194
SYMCRYPT_CALL
2195
SymCryptCShake256Selftest(void);
2196

2197

2198

2199
//==========================================================================
2200
//   PARALLELISED HASH FUNCTIONS
2201
//==========================================================================
2202
//
2203
// On some platforms it is possible to parallelize the hash function
2204
// computation to achieve a higher throughput.
2205
// The parallel hash APIs support this.
2206
// The parallel implementation tries to perform the computations as efficiently
2207
// as possible. Applications that have many hashes to compute can always call these
2208
// functions; the library will optimize the computation to the current situation.
2209
// For example, if only a single hash is computed using these APIs, the
2210
// single-hash version is used to achieve full single-hash speed.
2211
// On platforms that do not support parallel hash implementations, these functions
2212
// are still available, and will implement the parallel hashing by computing the
2213
// hashes one at a time.
2214
//
2215
//
2216
// SYMCRYPT_PARALLEL_XXX_MIN_PARALLELISM
2217
//
2218
//      Compile-time constant, but can vary per platform.
2219
//      Minimum number of parallel computations at which
2220
//      the parallel implementation is faster on at least some CPU versions.
2221
//      Applications can safely ask for parallel computations with fewer hashes,
2222
//      but there will be no speed gain.
2223
//
2224
// SYMCRYPT_PARALLEL_XXX_MAX_PARALLELISM
2225
//
2226
//      Maximum internal parallelism that the library uses internally on at least one
2227
//      CPU version of this architecture.
2228
//      If all hash computations are the same length, then there is no significant
2229
//      benefit to providing more than this number of hash requests in parallel.
2230
//      However, if the hash computations are of different lengths then the library
2231
//      overlaps various hash computations and still gains efficiency when the
2232
//      number of parallel hash computations increases past this bound.
2233
//      Note that the internal parallelism that can be used might depend
2234
//      on the CPU features available, so this value is only an upper bound.
2235
//      We recommend that callers provide as much parallelism as practical,
2236
//      and let the library perform the optimal sequence of computations.
2237
//
2238
// SYMCRYPT_HASH_OPERATION_TYPE
2239
//
2240
//      An enum that specifies which operation is to be performed in a command
2241
//      structure passed to a parallel hash operations function.
2242
//      Defined values:
2243
//          SYMCRYPT_HASH_OPERATION_APPEND;
2244
//          SYMCRYPT_HASH_OPERATION_RESULT;
2245
//
2246
// SYMCRYPT_PARALLEL_HASH_OPERATION
2247
//
2248
//      Structure that contains a command to be performed on a single item in a
2249
//      parallel hash state array. Visible fields are:
2250
//
2251
//      SIZE_T                          iHash;          // index of hash object into the state array
2252
//      SYMCRYPT_HASH_OPERATION_TYPE    hashOperation;  // operation to be performed
2253
//      PBYTE                           pbBuffer;       // data to be hashed, or result buffer
2254
//      SIZE_T                          cbBuffer;
2255
//
2256
//      There might be other fields in this structure that the caller should not use or assume anything about.
2257
//
2258
// SymCryptParallelXxxInit(
2259
//          _Out_writes_( nStates ) PSYMCRYPT_XXX_STATE pStates,
2260
//                                  SIZE_T              nStates );
2261
//      Initialize an array of hash states.
2262
//      The elements of the array are normal hash states, and they can be
2263
//      manipulated individually using the standard functions for the hash
2264
//      algorithm.
2265
//
2266
//      Functionally equivalent to:
2267
//          for( i=0; i<nStates; i++ ) {
2268
//              SymCryptXxxInit( &pStates[i] );
2269
//          }
2270
//
2271
//      It is not necessary to use this function to initialize a state array;
2272
//      the normal initialization function can also be used, but this function might
2273
//      be faster.
2274
//
2275
// SymCryptParallelXxxProcess(
2276
//          _Inout_updates_( nStates )      PSYMCRYPT_XXX_STATE                 pStates,
2277
//                                          SIZE_T                              nStates,
2278
//          _Inout_updates_( nOperations )  PSYMCRYPT_PARALLEL_HASH_OPERATION   pOperation,
2279
//                                          SIZE_T                              nOperations,
2280
//          _Out_writes_( cbScratch )       PBYTE                               pbScratch,
2281
//                                          SIZE_T                              cbScratch );
2282
//
2283
//      Perform optionally parallel processing of hashes.
2284
//      This is functionally equivalent to iterating over the pOperations array in order,
2285
//      and executing the command in each PARALLEL_HASH_OPERATION one at a time.
2286
//      For each command:
2287
//          iHash           Which hash state this operation applies to; must be < nStates.
2288
//          hashOperation   Specifies whether this is an append or result operation.
2289
//          pbBuffer        The buffer that contains the data to be hashed, or that will receive the result.
2290
//          cbBuffer        The size of pbBuffer. (Must be equal to the hash algorithm result size for RESULT operations.)
2291
//      As the SAL annotations document, the pOperations array is updated by this function, and therefore
2292
//      it cannot be in read-only memory.
2293
//      The updates modify only to the internal scratch space that is reserved
2294
//      in the SYMCRYPT_PARALLEL_HASH_OPERATION structure; none of the documented fields
2295
//      (iHash, hashOperation, pbBuffer, cbBuffer) are modified.
2296
//      The scratch fields are used purely within one call to this function, their value does not have to be
2297
//      maintained between function calls. The scratch fields do not have to be initialized by the caller
2298
//      of this function,
2299
//      THREAD SAFETY: as the pOperations array is updated, it CANNOT be shared between different threads.
2300
//      Obviously, the same is true of pStates and pbScratch.
2301
//
2302
//      The pbScratch pointer provides a scratch buffer for the parallel processing function.
2303
//      This is used to organize the request and perform the functions in an optimal order for
2304
//      maximum parallelism, and for storing intermediate results that are too large
2305
//      to fit on the stack. The scratch buffer must be at least
2306
//      SYMCRYPT_PARALLEL_XXX_FIXED_SCRATCH + nStates * SYMCRYPT_PARALLEL_HASH_PER_STATE_SCRATCH
2307
//      bytes in size.
2308
//
2309
//      For incremental hashing, we recommend that callers process data sizes that are
2310
//      a multiple of the SYMCRYPT_XXX_INPUT_BLOCK_LEN.
2311
//
2312

2313

2314
VOID
2315
SYMCRYPT_CALL
2316
SymCryptParallelSha256Init(
2317
    _Out_writes_( nStates ) PSYMCRYPT_SHA256_STATE pStates,
2318
                            SIZE_T                 nStates );
2319

2320
SYMCRYPT_ERROR
2321
SYMCRYPT_CALL
2322
SymCryptParallelSha256Process(
2323
    _Inout_updates_( nStates )      PSYMCRYPT_SHA256_STATE              pStates,
2324
                                    SIZE_T                              nStates,
2325
    _Inout_updates_( nOperations )  PSYMCRYPT_PARALLEL_HASH_OPERATION   pOperations,
2326
                                    SIZE_T                              nOperations,
2327
    _Out_writes_( cbScratch )       PBYTE                               pbScratch,
2328
                                    SIZE_T                              cbScratch );
2329

2330

2331
VOID
2332
SYMCRYPT_CALL
2333
SymCryptParallelSha384Init(
2334
    _Out_writes_( nStates ) PSYMCRYPT_SHA384_STATE pStates,
2335
                            SIZE_T                 nStates );
2336

2337
SYMCRYPT_ERROR
2338
SYMCRYPT_CALL
2339
SymCryptParallelSha384Process(
2340
    _Inout_updates_( nStates )      PSYMCRYPT_SHA384_STATE              pStates,
2341
                                    SIZE_T                              nStates,
2342
    _Inout_updates_( nOperations )  PSYMCRYPT_PARALLEL_HASH_OPERATION   pOperations,
2343
                                    SIZE_T                              nOperations,
2344
    _Out_writes_( cbScratch )       PBYTE                               pbScratch,
2345
                                    SIZE_T                              cbScratch );
2346

2347

2348
VOID
2349
SYMCRYPT_CALL
2350
SymCryptParallelSha512Init(
2351
    _Out_writes_( nStates ) PSYMCRYPT_SHA512_STATE pStates,
2352
                            SIZE_T                 nStates );
2353

2354
SYMCRYPT_ERROR
2355
SYMCRYPT_CALL
2356
SymCryptParallelSha512Process(
2357
    _Inout_updates_( nStates )      PSYMCRYPT_SHA512_STATE              pStates,
2358
                                    SIZE_T                              nStates,
2359
    _Inout_updates_( nOperations )  PSYMCRYPT_PARALLEL_HASH_OPERATION   pOperations,
2360
                                    SIZE_T                              nOperations,
2361
    _Out_writes_( cbScratch )       PBYTE                               pbScratch,
2362
                                    SIZE_T                              cbScratch );
2363

2364

2365
VOID
2366
SYMCRYPT_CALL
2367
SymCryptParallelSha256Selftest(void);
2368

2369
VOID
2370
SYMCRYPT_CALL
2371
SymCryptParallelSha384Selftest(void);
2372

2373
VOID
2374
SYMCRYPT_CALL
2375
SymCryptParallelSha512Selftest(void);
2376

2377

2378

2379
//==========================================================================
2380
//   MESSAGE AUTHENTICATION CODE (MAC)
2381
//==========================================================================
2382
//
2383
// All MAC functions have a similar interface. For consistency we describe
2384
// the generic parts of the interface once.
2385
// Algorithm-specific comments are given with the API functions of each algorithm separately.
2386
//
2387
// For a MAC algorithm called XXX the following functions, types, and constants are defined:
2388
//
2389
//
2390
// SYMCRYPT_XXX_RESULT_SIZE
2391
//
2392
//      A constant giving is the size, in bytes, of the result of the MAC function.
2393
//      Some applications use truncated MAC functions. These are not directly supported
2394
//      by this library. Applications will have to perform the truncation themselves.
2395
//
2396
//
2397
// SYMCRYPT_XXX_INPUT_BLOCK_SIZE
2398
//
2399
//      A constant giving the natural input block size for the MAC function.
2400
//      Most callers don't need to know this, but in some cases it can be useful
2401
//      for optimizations.
2402
//
2403
//
2404
// SYMCRYPT_XXX_EXPANDED_KEY
2405
//
2406
//      Type which contains a key with all the pre-computations performed.
2407
//      This is an opaque type whose structure can change at will.
2408
//      It should only be used for transient computations in a single executable
2409
//      and not be stored or transferred to a different environment.
2410
//      The pointer and const-pointer versions are also declared
2411
//      (PSYMCRYPOT_XXX_EXPANDED_KEY and PCSYMCRYPT_XXX_EXPANDED_KEY).
2412
//
2413
//      The EXPANDED_KEY structure contains keying material and should be wiped
2414
//      once it is no longer used. (See SymCryptWipe & SymCryptWipeKnownSize)
2415
//
2416
//      Once a key has been expanded, multiple threads can simultaneously use the same expanded key
2417
//      object for different MAC computations that use the same key as the expanded key
2418
//      object does not change value.
2419
//
2420
//
2421
// SYMCRYPT_ERROR
2422
// SYMCRYPT_CALL
2423
// SymCryptXxxExpandKey(   _Out_                PSYMCRYPT_XXX_EXPANDED_KEY  pExpandedKey,
2424
//                         _In_reads_(cbKey)    PCBYTE                      pbKey,
2425
//                                              SIZE_T                      cbKey );
2426
//
2427
//      Prepare a key for future use by the Xxx algorithm.
2428
//      This function performs pre-computations on the key
2429
//      to speed up the actual MAC computations later, and stores the result as an expanded key.
2430
//      The expanded key must be kept unchanged until all MAC computations that use the key are finished.
2431
//      When the key is no longer needed the expanded key structure should be wiped.
2432
//
2433
//      Different algorithms pose different requirements on the length of the key.
2434
//      If the key that is provided is of an unsupported length the SYMCRYPT_WRONG_KEY_SIZE error is returned.
2435
//      In this case the expanded key structure will not contain any keying material and does not have to be wiped.
2436
//
2437
//
2438
// VOID
2439
// SYMCRYPT_CALL
2440
// SymCryptXxxKeyCopy( _In_ PCSYMCRYPT_XXX_EXPANDED_KEY pSrc,
2441
//                     _Out_ PSYMCRYPT_XXX_EXPANDED_KEY pDst );
2442
//
2443
//      Create a copy of an expanded key.
2444
//
2445
// VOID
2446
// SYMCRYPT_CALL
2447
// SymCryptXxx( _In_                                        PCSYMCRYPT_XXX_EXPANDED_KEY pExpandedKey,
2448
//              _In_reads_( cbData )                        PCBYTE                      pbData,
2449
//                                                          SIZE_T                      cbData,
2450
//              _Out_writes_( SYMCRYPT_XXX_RESULT_SIZE )    PBYTE                       pbResult );
2451
//
2452
//      Computes the MAC value of the data buffer with a given key.
2453
//      If you have all the data to be MACed in a single buffer this is the simplest function to use.
2454
//
2455
//
2456
// SYMCRYPT_XXX_STATE
2457
//
2458
//      The state encodes an ongoing MAC computation and allows incremental
2459
//      computation of a MAC function.
2460
//      At any point in time the state encodes a state that is equivalent to
2461
//      the MAC computation of a data string X with the key specified during initialization of the state.
2462
//      The SymCryptXxxInit() function initializes a state.
2463
//      The SymCryptXxxAppend() function appends data to the data string X.
2464
//      The SymCryptXxxResult() function returns the final MAC result.
2465
//
2466
//      The state is an opaque type whose structure can change at will.
2467
//      It should only be used for transient computations in a single executable
2468
//      and not be stored or transferred to a different environment.
2469
//
2470
//      Once initialized using SymCryptXxxInit, the state contains sensitive keying information.
2471
//      The SymCryptXxxResult function wipes the sensitive information from the state.
2472
//      Callers can also wipe the structure themselves if it is no longer needed.
2473
//
2474
//      The state can be duplicated using the SymCryptXxxStateCopy function. This supports
2475
//      applications that compute the MAC over a prefix and then duplicate the state to
2476
//      compute the MAC using multiple different continuations.
2477
//
2478
//
2479
// VOID
2480
// SYMCRYPT_CALL
2481
// SymCryptXxxStateCopy(
2482
//      _In_        PCSYMCRYPT_XXX_STATE        pSrc,
2483
//      _In_opt_    PCSYMCRYPT_XXX_EXPANDED_KEY pExpandedKey,
2484
//      _Out_       PSYMCRYPT_XXX_STATE         pDst );
2485
//
2486
//      Create a copy of the pSrc state in pDst. If pExpandedKey is NULL, the pDst state
2487
//      uses the same expanded key as the pSrc state did. If pExpandedKey is not NULL,
2488
//      it must point to an expanded key that contains the same key material as the key
2489
//      used by pSrc. (For example, a copy of the expanded key that pSrc uses.)
2490
//
2491
// VOID
2492
// SYMCRYPT_CALL
2493
// SymCryptXxxInit( _Out_   PSYMCRYPT_XXX_STATE         pState,
2494
//                  _In_    PCSYMCRYPT_XXX_EXPANDED_KEY pExpandedKey);
2495
//
2496
//      Initialize a SYMCRYPT_XXX_STATE for subsequent use with the provided key.
2497
//
2498
//      This function can be called at any time and resets the state to correspond
2499
//      to the empty data string with the newly specified key.
2500
//      The SymCryptXxxAppend function appends data to the data string
2501
//      encoded by the state.
2502
//      The SymCryptXxxResult function finalizes the computation and
2503
//      returns the actual MAC result.
2504
//
2505
//      This function typically stores a pointer to the expanded key in the state.
2506
//      The expanded key must remain unchanged in
2507
//      memory until the SYMCRYPT_XXX_STATE structure is no longer used.
2508
//
2509
//      After initialization the state contains sensitive keying materials, and should
2510
//      be wiped when the state is no longer used. The SymCryptXxxResult() function
2511
//      also wipes the state, so this is only a concern for aborted MAC computations.
2512
//      Note that SymCryptXxxResult() does not wipe the expanded key; callers are always
2513
//      responsible for wiping the expanded key.
2514
//
2515
//
2516
// VOID
2517
// SYMCRYPT_CALL
2518
// SymCryptXxxAppend( _Inout_               PSYMCRYPT_XXX_STATE   pState,
2519
//                    _In_reads_( cbData )  PCBYTE                pbData,
2520
//                                          SIZE_T                cbData );
2521
//
2522
//      Provide more data to the ongoing MAC computation specified by the state.
2523
//      The state must have been initialized by SymCryptXxxInit.
2524
//      This function can be called multiple times on the same state
2525
//      to append more data to the encoded data string.
2526
//
2527
//      The SYMCRYPT_XXX_STATE structure contains the entire state of an ongoing
2528
//      MAC computation. If you want to MAC some data and then continue with
2529
//      multiple other strings you may create one or more copies of the state.
2530
//      (The expanded key must remain unchanged in memory until all copies of the state
2531
//      are no longer used.)
2532
//
2533
//
2534
// VOID
2535
// SYMCRYPT_CALL
2536
// SymCryptXxxResult(
2537
//      _Inout_                                     PSYMCRYPT_XXX_STATE  pState,
2538
//      _Out_writes_( SYMCRYPT_XXX_RESULT_SIZE )    PBYTE                pbResult );
2539
//
2540
//      Returns the MAC result of the state.
2541
//      If the state was newly initialized this returns the MAC of the empty string
2542
//      using the key specified in the SymCryptXxxInit call.
2543
//      If one or more SymCryptXxxAppend function calls were made on this state
2544
//      it returns the MAC of the concatenation of all the data strings
2545
//      passed to SymCryptXxxAppend using the specified key.
2546
//
2547
//      The state is wiped to remove any traces of sensitive data.
2548
//      To use the same state for another MAC computation you must call
2549
//      SymCryptXxxInit again to re-initialize the state.
2550
//      This behaviour is different from hash function states that are re-initialized for
2551
//      use by the Result routine. This difference is by design; re-initializing a hash
2552
//      state is a safe operation. Re-initializing a MAC state puts keying information
2553
//      in the state, and callers would have to wipe the MAC state explicitly.
2554
//
2555
//
2556
// VOID
2557
// SYMCRYPT_CALL
2558
// SymCryptXxxSelftest(void);
2559
//
2560
//      Perform a minimal self-test on the XXX algorithm.
2561
//      This function is designed to be used for achieving FIPS 140-2 compliance or
2562
//      to provide a simple self-test when an application starts.
2563
//
2564
//      If an error is detected, a platform-specific fatal error action is taken.
2565
//      Callers do not need to handle any error conditions.
2566
//
2567
//
2568
// We also have the Generic HMAC API where the hash function to be used in the HMAC
2569
// computation can be selected at runtime.
2570
//
2571

2572
typedef enum _SYMCRYPT_MAC_ID
2573
{
2574
    SYMCRYPT_MAC_ID_NULL                = 0,
2575
    SYMCRYPT_MAC_ID_HMAC_MD5            = 1,
2576
    SYMCRYPT_MAC_ID_HMAC_SHA1           = 2,
2577
    SYMCRYPT_MAC_ID_HMAC_SHA224         = 3,
2578
    SYMCRYPT_MAC_ID_HMAC_SHA256         = 4,
2579
    SYMCRYPT_MAC_ID_HMAC_SHA384         = 5,
2580
    SYMCRYPT_MAC_ID_HMAC_SHA512         = 6,
2581
    SYMCRYPT_MAC_ID_HMAC_SHA512_224     = 7,
2582
    SYMCRYPT_MAC_ID_HMAC_SHA512_256     = 8,
2583
    SYMCRYPT_MAC_ID_HMAC_SHA3_224       = 9,
2584
    SYMCRYPT_MAC_ID_HMAC_SHA3_256       = 10,
2585
    SYMCRYPT_MAC_ID_HMAC_SHA3_384       = 11,
2586
    SYMCRYPT_MAC_ID_HMAC_SHA3_512       = 12,
2587
    SYMCRYPT_MAC_ID_AES_CMAC            = 13,
2588
    SYMCRYPT_MAC_ID_KMAC_128            = 14,
2589
    SYMCRYPT_MAC_ID_KMAC_256            = 15
2590
} SYMCRYPT_MAC_ID;
2591

2592
PCSYMCRYPT_MAC
2593
SYMCRYPT_CALL
2594
SymCryptGetMacAlgorithm( SYMCRYPT_MAC_ID macId );
2595
//
2596
// Returns a pointer to the MAC algorithm structure for the specified MAC ID.
2597
// Returns NULL if the MAC ID is invalid.
2598
//
2599

2600
//
2601
// Generic HMAC API with parametrized hash function
2602
//
2603
VOID
2604
SYMCRYPT_CALL
2605
SymCryptHmacStateCopy(
2606
    _In_        PCSYMCRYPT_HMAC_STATE           pSrc,
2607
    _In_opt_    PCSYMCRYPT_HMAC_EXPANDED_KEY    pExpandedKey,
2608
    _Out_       PSYMCRYPT_HMAC_STATE            pDst );
2609

2610
VOID
2611
SYMCRYPT_CALL
2612
SymCryptHmacKeyCopy(
2613
    _In_    PCSYMCRYPT_HMAC_EXPANDED_KEY    pSrc,
2614
    _Out_   PSYMCRYPT_HMAC_EXPANDED_KEY     pDst );
2615

2616
SYMCRYPT_ERROR
2617
SYMCRYPT_CALL
2618
SymCryptHmacExpandKey(
2619
    _In_                    PCSYMCRYPT_HASH             pHash,
2620
    _Out_                   PSYMCRYPT_HMAC_EXPANDED_KEY pExpandedKey,
2621
    _In_reads_opt_(cbKey)   PCBYTE                      pbKey,
2622
                            SIZE_T                      cbKey );
2623

2624
SYMCRYPT_NOINLINE
2625
VOID
2626
SYMCRYPT_CALL
2627
SymCryptHmacInit(
2628
    _Out_   PSYMCRYPT_HMAC_STATE            pState,
2629
    _In_    PCSYMCRYPT_HMAC_EXPANDED_KEY    pExpandedKey );
2630

2631
VOID
2632
SYMCRYPT_CALL
2633
SymCryptHmacAppend(
2634
    _Inout_                 PSYMCRYPT_HMAC_STATE    pState,
2635
    _In_reads_( cbData )    PCBYTE                  pbData,
2636
                            SIZE_T                  cbData );
2637

2638
SYMCRYPT_NOINLINE
2639
VOID
2640
SYMCRYPT_CALL
2641
SymCryptHmacResult(
2642
    _Inout_                                         PSYMCRYPT_HMAC_STATE    pState,
2643
    _Out_writes_( pState->pKey->pHash->resultSize ) PBYTE                   pbResult );
2644

2645
SYMCRYPT_NOINLINE
2646
VOID
2647
SYMCRYPT_CALL
2648
SymCryptHmac(
2649
    _In_                                            PCSYMCRYPT_HMAC_EXPANDED_KEY    pExpandedKey,
2650
    _In_reads_( cbData )                            PCBYTE                          pbData,
2651
                                                    SIZE_T                          cbData,
2652
    _Out_writes_( pExpandedKey->pHash->resultSize ) PBYTE                           pbResult );
2653

2654

2655
////////////////////////////////////////////////////////////////////////////
2656
//   HMAC-MD5
2657
//
2658
//
2659

2660
#define SYMCRYPT_HMAC_MD5_RESULT_SIZE       SYMCRYPT_MD5_RESULT_SIZE
2661
#define SYMCRYPT_HMAC_MD5_INPUT_BLOCK_SIZE  SYMCRYPT_MD5_INPUT_BLOCK_SIZE
2662

2663
SYMCRYPT_ERROR
2664
SYMCRYPT_CALL
2665
SymCryptHmacMd5ExpandKey(
2666
    _Out_                   PSYMCRYPT_HMAC_MD5_EXPANDED_KEY pExpandedKey,
2667
    _In_reads_opt_(cbKey)   PCBYTE                          pbKey,
2668
                            SIZE_T                          cbKey );
2669
//
2670
// Supports all key lengths; never returns an error.
2671
//
2672

2673
VOID
2674
SYMCRYPT_CALL
2675
SymCryptHmacMd5KeyCopy(
2676
    _In_    PCSYMCRYPT_HMAC_MD5_EXPANDED_KEY pSrc,
2677
    _Out_   PSYMCRYPT_HMAC_MD5_EXPANDED_KEY  pDst );
2678

2679

2680
VOID
2681
SYMCRYPT_CALL
2682
SymCryptHmacMd5(
2683
    _In_                                            PCSYMCRYPT_HMAC_MD5_EXPANDED_KEY pExpandedKey,
2684
    _In_reads_( cbData )                            PCBYTE                           pbData,
2685
                                                    SIZE_T                           cbData,
2686
    _Out_writes_( SYMCRYPT_HMAC_MD5_RESULT_SIZE )   PBYTE                            pbResult );
2687

2688
VOID
2689
SYMCRYPT_CALL
2690
SymCryptHmacMd5StateCopy(
2691
    _In_        PCSYMCRYPT_HMAC_MD5_STATE           pSrc,
2692
    _In_opt_    PCSYMCRYPT_HMAC_MD5_EXPANDED_KEY    pExpandedKey,
2693
    _Out_       PSYMCRYPT_HMAC_MD5_STATE            pDst );
2694

2695
VOID
2696
SYMCRYPT_CALL
2697
SymCryptHmacMd5Init(
2698
    _Out_   PSYMCRYPT_HMAC_MD5_STATE         pState,
2699
    _In_    PCSYMCRYPT_HMAC_MD5_EXPANDED_KEY pExpandedKey);
2700

2701
VOID
2702
SYMCRYPT_CALL
2703
SymCryptHmacMd5Append(
2704
    _Inout_                 PSYMCRYPT_HMAC_MD5_STATE    pState,
2705
    _In_reads_( cbData )    PCBYTE                      pbData,
2706
                            SIZE_T                      cbData );
2707

2708
VOID
2709
SYMCRYPT_CALL
2710
SymCryptHmacMd5Result(
2711
    _Inout_                                      PSYMCRYPT_HMAC_MD5_STATE   pState,
2712
    _Out_writes_( SYMCRYPT_HMAC_MD5_RESULT_SIZE )PBYTE                      pbResult );
2713

2714
VOID
2715
SYMCRYPT_CALL
2716
SymCryptHmacMd5Selftest(void);
2717

2718
extern const PCSYMCRYPT_MAC SymCryptHmacMd5Algorithm;
2719

2720
////////////////////////////////////////////////////////////////////////////
2721
//   HMAC-SHA-1
2722
//
2723
//
2724

2725
#define SYMCRYPT_HMAC_SHA1_RESULT_SIZE       SYMCRYPT_SHA1_RESULT_SIZE
2726
#define SYMCRYPT_HMAC_SHA1_INPUT_BLOCK_SIZE  SYMCRYPT_SHA1_INPUT_BLOCK_SIZE
2727

2728
SYMCRYPT_ERROR
2729
SYMCRYPT_CALL
2730
SymCryptHmacSha1ExpandKey(
2731
    _Out_                   PSYMCRYPT_HMAC_SHA1_EXPANDED_KEY    pExpandedKey,
2732
    _In_reads_opt_(cbKey)   PCBYTE                              pbKey,
2733
                            SIZE_T                              cbKey );
2734
//
2735
// Supports all key lengths; never returns an error.
2736
//
2737

2738
VOID
2739
SYMCRYPT_CALL
2740
SymCryptHmacSha1KeyCopy(
2741
    _In_    PCSYMCRYPT_HMAC_SHA1_EXPANDED_KEY  pSrc,
2742
    _Out_   PSYMCRYPT_HMAC_SHA1_EXPANDED_KEY   pDst );
2743

2744

2745
VOID
2746
SYMCRYPT_CALL
2747
SymCryptHmacSha1(
2748
    _In_                                            PCSYMCRYPT_HMAC_SHA1_EXPANDED_KEY   pExpandedKey,
2749
    _In_reads_( cbData )                            PCBYTE                              pbData,
2750
                                                    SIZE_T                              cbData,
2751
    _Out_writes_( SYMCRYPT_HMAC_SHA1_RESULT_SIZE )  PBYTE                               pbResult );
2752

2753
VOID
2754
SYMCRYPT_CALL
2755
SymCryptHmacSha1StateCopy(
2756
    _In_        PCSYMCRYPT_HMAC_SHA1_STATE          pSrc,
2757
    _In_opt_    PCSYMCRYPT_HMAC_SHA1_EXPANDED_KEY   pExpandedKey,
2758
    _Out_       PSYMCRYPT_HMAC_SHA1_STATE           pDst );
2759

2760
VOID
2761
SYMCRYPT_CALL
2762
SymCryptHmacSha1Init(
2763
    _Out_   PSYMCRYPT_HMAC_SHA1_STATE           pState,
2764
    _In_    PCSYMCRYPT_HMAC_SHA1_EXPANDED_KEY   pExpandedKey);
2765

2766
VOID
2767
SYMCRYPT_CALL
2768
SymCryptHmacSha1Append(
2769
    _Inout_                 PSYMCRYPT_HMAC_SHA1_STATE   pState,
2770
    _In_reads_( cbData )    PCBYTE                      pbData,
2771
                            SIZE_T                      cbData );
2772

2773
VOID
2774
SYMCRYPT_CALL
2775
SymCryptHmacSha1Result(
2776
    _Inout_                                         PSYMCRYPT_HMAC_SHA1_STATE   pState,
2777
    _Out_writes_( SYMCRYPT_HMAC_SHA1_RESULT_SIZE )  PBYTE                       pbResult );
2778

2779
VOID
2780
SYMCRYPT_CALL
2781
SymCryptHmacSha1Selftest(void);
2782

2783
extern const PCSYMCRYPT_MAC SymCryptHmacSha1Algorithm;
2784

2785
////////////////////////////////////////////////////////////////////////////
2786
//   HMAC-SHA-224
2787
//
2788
// This implementation is meant for interoperability and is not recommended for use.
2789
//
2790
//
2791

2792
#define SYMCRYPT_HMAC_SHA224_RESULT_SIZE       SYMCRYPT_SHA224_RESULT_SIZE
2793
#define SYMCRYPT_HMAC_SHA224_INPUT_BLOCK_SIZE  SYMCRYPT_SHA224_INPUT_BLOCK_SIZE
2794

2795
SYMCRYPT_ERROR
2796
SYMCRYPT_CALL
2797
SymCryptHmacSha224ExpandKey(
2798
    _Out_                   PSYMCRYPT_HMAC_SHA224_EXPANDED_KEY  pExpandedKey,
2799
    _In_reads_opt_(cbKey)   PCBYTE                              pbKey,
2800
                            SIZE_T                              cbKey );
2801
//
2802
// Supports all key lengths; never returns an error.
2803
//
2804

2805
VOID
2806
SYMCRYPT_CALL
2807
SymCryptHmacSha224KeyCopy(
2808
    _In_    PCSYMCRYPT_HMAC_SHA224_EXPANDED_KEY pSrc,
2809
    _Out_   PSYMCRYPT_HMAC_SHA224_EXPANDED_KEY  pDst );
2810

2811
VOID
2812
SYMCRYPT_CALL
2813
SymCryptHmacSha224(
2814
    _In_                                            PCSYMCRYPT_HMAC_SHA224_EXPANDED_KEY pExpandedKey,
2815
    _In_reads_( cbData )                            PCBYTE                              pbData,
2816
                                                    SIZE_T                              cbData,
2817
    _Out_writes_( SYMCRYPT_HMAC_SHA224_RESULT_SIZE )PBYTE                               pbResult );
2818

2819
VOID
2820
SYMCRYPT_CALL
2821
SymCryptHmacSha224StateCopy(
2822
    _In_        PCSYMCRYPT_HMAC_SHA224_STATE        pSrc,
2823
    _In_opt_    PCSYMCRYPT_HMAC_SHA224_EXPANDED_KEY pExpandedKey,
2824
    _Out_       PSYMCRYPT_HMAC_SHA224_STATE         pDst );
2825

2826
VOID
2827
SYMCRYPT_CALL
2828
SymCryptHmacSha224Init(
2829
    _Out_   PSYMCRYPT_HMAC_SHA224_STATE         pState,
2830
    _In_    PCSYMCRYPT_HMAC_SHA224_EXPANDED_KEY pExpandedKey);
2831

2832
VOID
2833
SYMCRYPT_CALL
2834
SymCryptHmacSha224Append(
2835
    _Inout_                 PSYMCRYPT_HMAC_SHA224_STATE pState,
2836
    _In_reads_( cbData )    PCBYTE                      pbData,
2837
                            SIZE_T                      cbData );
2838

2839
VOID
2840
SYMCRYPT_CALL
2841
SymCryptHmacSha224Result(
2842
    _Inout_                                         PSYMCRYPT_HMAC_SHA224_STATE pState,
2843
    _Out_writes_( SYMCRYPT_HMAC_SHA224_RESULT_SIZE )PBYTE                       pbResult );
2844

2845
VOID
2846
SYMCRYPT_CALL
2847
SymCryptHmacSha224Selftest(void);
2848

2849
extern const PCSYMCRYPT_MAC  SymCryptHmacSha224Algorithm;
2850

2851
////////////////////////////////////////////////////////////////////////////
2852
//   HMAC-SHA-256
2853
//
2854
//
2855

2856
#define SYMCRYPT_HMAC_SHA256_RESULT_SIZE       SYMCRYPT_SHA256_RESULT_SIZE
2857
#define SYMCRYPT_HMAC_SHA256_INPUT_BLOCK_SIZE  SYMCRYPT_SHA256_INPUT_BLOCK_SIZE
2858

2859
SYMCRYPT_ERROR
2860
SYMCRYPT_CALL
2861
SymCryptHmacSha256ExpandKey(
2862
    _Out_                   PSYMCRYPT_HMAC_SHA256_EXPANDED_KEY  pExpandedKey,
2863
    _In_reads_opt_(cbKey)   PCBYTE                              pbKey,
2864
                            SIZE_T                              cbKey );
2865
//
2866
// Supports all key lengths; never returns an error.
2867
//
2868

2869
VOID
2870
SYMCRYPT_CALL
2871
SymCryptHmacSha256KeyCopy(
2872
    _In_    PCSYMCRYPT_HMAC_SHA256_EXPANDED_KEY pSrc,
2873
    _Out_   PSYMCRYPT_HMAC_SHA256_EXPANDED_KEY  pDst );
2874

2875
VOID
2876
SYMCRYPT_CALL
2877
SymCryptHmacSha256(
2878
    _In_                                            PCSYMCRYPT_HMAC_SHA256_EXPANDED_KEY pExpandedKey,
2879
    _In_reads_( cbData )                            PCBYTE                              pbData,
2880
                                                    SIZE_T                              cbData,
2881
    _Out_writes_( SYMCRYPT_HMAC_SHA256_RESULT_SIZE )PBYTE                               pbResult );
2882

2883
VOID
2884
SYMCRYPT_CALL
2885
SymCryptHmacSha256StateCopy(
2886
    _In_        PCSYMCRYPT_HMAC_SHA256_STATE        pSrc,
2887
    _In_opt_    PCSYMCRYPT_HMAC_SHA256_EXPANDED_KEY pExpandedKey,
2888
    _Out_       PSYMCRYPT_HMAC_SHA256_STATE         pDst );
2889

2890
VOID
2891
SYMCRYPT_CALL
2892
SymCryptHmacSha256Init(
2893
    _Out_   PSYMCRYPT_HMAC_SHA256_STATE         pState,
2894
    _In_    PCSYMCRYPT_HMAC_SHA256_EXPANDED_KEY pExpandedKey);
2895

2896
VOID
2897
SYMCRYPT_CALL
2898
SymCryptHmacSha256Append(
2899
    _Inout_                 PSYMCRYPT_HMAC_SHA256_STATE pState,
2900
    _In_reads_( cbData )    PCBYTE                      pbData,
2901
                            SIZE_T                      cbData );
2902

2903
VOID
2904
SYMCRYPT_CALL
2905
SymCryptHmacSha256Result(
2906
    _Inout_                                         PSYMCRYPT_HMAC_SHA256_STATE pState,
2907
    _Out_writes_( SYMCRYPT_HMAC_SHA256_RESULT_SIZE )PBYTE                       pbResult );
2908

2909
VOID
2910
SYMCRYPT_CALL
2911
SymCryptHmacSha256Selftest(void);
2912

2913
extern const PCSYMCRYPT_MAC  SymCryptHmacSha256Algorithm;
2914

2915
////////////////////////////////////////////////////////////////////////////
2916
//   HMAC-SHA-384
2917
//
2918
//
2919

2920
#define SYMCRYPT_HMAC_SHA384_RESULT_SIZE       SYMCRYPT_SHA384_RESULT_SIZE
2921
#define SYMCRYPT_HMAC_SHA384_INPUT_BLOCK_SIZE  SYMCRYPT_SHA384_INPUT_BLOCK_SIZE
2922

2923
SYMCRYPT_ERROR
2924
SYMCRYPT_CALL
2925
SymCryptHmacSha384ExpandKey(
2926
    _Out_                   PSYMCRYPT_HMAC_SHA384_EXPANDED_KEY  pExpandedKey,
2927
    _In_reads_opt_(cbKey)   PCBYTE                              pbKey,
2928
                            SIZE_T                              cbKey );
2929
//
2930
// Supports all key lengths; never returns an error.
2931
//
2932

2933
VOID
2934
SYMCRYPT_CALL
2935
SymCryptHmacSha384KeyCopy(
2936
    _In_    PCSYMCRYPT_HMAC_SHA384_EXPANDED_KEY pSrc,
2937
    _Out_   PSYMCRYPT_HMAC_SHA384_EXPANDED_KEY  pDst );
2938

2939
VOID
2940
SYMCRYPT_CALL
2941
SymCryptHmacSha384(
2942
    _In_                                            PCSYMCRYPT_HMAC_SHA384_EXPANDED_KEY pExpandedKey,
2943
    _In_reads_( cbData )                            PCBYTE                              pbData,
2944
                                                    SIZE_T                              cbData,
2945
    _Out_writes_( SYMCRYPT_HMAC_SHA384_RESULT_SIZE )PBYTE                               pbResult );
2946

2947
VOID
2948
SYMCRYPT_CALL
2949
SymCryptHmacSha384StateCopy(
2950
    _In_        PCSYMCRYPT_HMAC_SHA384_STATE        pSrc,
2951
    _In_opt_    PCSYMCRYPT_HMAC_SHA384_EXPANDED_KEY pExpandedKey,
2952
    _Out_       PSYMCRYPT_HMAC_SHA384_STATE         pDst );
2953

2954
VOID
2955
SYMCRYPT_CALL
2956
SymCryptHmacSha384Init(
2957
    _Out_   PSYMCRYPT_HMAC_SHA384_STATE         pState,
2958
    _In_    PCSYMCRYPT_HMAC_SHA384_EXPANDED_KEY pExpandedKey);
2959

2960
VOID
2961
SYMCRYPT_CALL
2962
SymCryptHmacSha384Append(
2963
    _Inout_                 PSYMCRYPT_HMAC_SHA384_STATE pState,
2964
    _In_reads_( cbData )    PCBYTE                      pbData,
2965
                            SIZE_T                      cbData );
2966

2967
VOID
2968
SYMCRYPT_CALL
2969
SymCryptHmacSha384Result(
2970
    _Inout_                                         PSYMCRYPT_HMAC_SHA384_STATE pState,
2971
    _Out_writes_( SYMCRYPT_HMAC_SHA384_RESULT_SIZE )PBYTE                       pbResult );
2972

2973
VOID
2974
SYMCRYPT_CALL
2975
SymCryptHmacSha384Selftest(void);
2976

2977
extern const PCSYMCRYPT_MAC  SymCryptHmacSha384Algorithm;
2978

2979
////////////////////////////////////////////////////////////////////////////
2980
//   HMAC-SHA-512
2981
//
2982
//
2983

2984
#define SYMCRYPT_HMAC_SHA512_RESULT_SIZE       SYMCRYPT_SHA512_RESULT_SIZE
2985
#define SYMCRYPT_HMAC_SHA512_INPUT_BLOCK_SIZE  SYMCRYPT_SHA512_INPUT_BLOCK_SIZE
2986

2987
SYMCRYPT_ERROR
2988
SYMCRYPT_CALL
2989
SymCryptHmacSha512ExpandKey(
2990
    _Out_                   PSYMCRYPT_HMAC_SHA512_EXPANDED_KEY  pExpandedKey,
2991
    _In_reads_opt_(cbKey)   PCBYTE                              pbKey,
2992
                            SIZE_T                              cbKey );
2993
//
2994
// Supports all key lengths; never returns an error.
2995
//
2996

2997
VOID
2998
SYMCRYPT_CALL
2999
SymCryptHmacSha512KeyCopy(
3000
    _In_    PCSYMCRYPT_HMAC_SHA512_EXPANDED_KEY pSrc,
3001
    _Out_   PSYMCRYPT_HMAC_SHA512_EXPANDED_KEY  pDst );
3002

3003
VOID
3004
SYMCRYPT_CALL
3005
SymCryptHmacSha512(
3006
    _In_                                            PCSYMCRYPT_HMAC_SHA512_EXPANDED_KEY pExpandedKey,
3007
    _In_reads_( cbData )                            PCBYTE                              pbData,
3008
                                                    SIZE_T                              cbData,
3009
    _Out_writes_( SYMCRYPT_HMAC_SHA512_RESULT_SIZE )PBYTE                               pbResult );
3010

3011
VOID
3012
SYMCRYPT_CALL
3013
SymCryptHmacSha512StateCopy(
3014
    _In_        PCSYMCRYPT_HMAC_SHA512_STATE        pSrc,
3015
    _In_opt_    PCSYMCRYPT_HMAC_SHA512_EXPANDED_KEY pExpandedKey,
3016
    _Out_       PSYMCRYPT_HMAC_SHA512_STATE         pDst );
3017

3018
VOID
3019
SYMCRYPT_CALL
3020
SymCryptHmacSha512Init(
3021
    _Out_   PSYMCRYPT_HMAC_SHA512_STATE         pState,
3022
    _In_    PCSYMCRYPT_HMAC_SHA512_EXPANDED_KEY pExpandedKey);
3023

3024
VOID
3025
SYMCRYPT_CALL
3026
SymCryptHmacSha512Append(
3027
    _Inout_                 PSYMCRYPT_HMAC_SHA512_STATE pState,
3028
    _In_reads_( cbData )    PCBYTE                      pbData,
3029
                            SIZE_T                      cbData );
3030

3031
VOID
3032
SYMCRYPT_CALL
3033
SymCryptHmacSha512Result(
3034
    _Inout_                                         PSYMCRYPT_HMAC_SHA512_STATE pState,
3035
    _Out_writes_( SYMCRYPT_HMAC_SHA512_RESULT_SIZE )PBYTE                       pbResult );
3036

3037
VOID
3038
SYMCRYPT_CALL
3039
SymCryptHmacSha512Selftest(void);
3040

3041
extern const PCSYMCRYPT_MAC  SymCryptHmacSha512Algorithm;
3042

3043
////////////////////////////////////////////////////////////////////////////
3044
//   HMAC-SHA-512_224
3045
//
3046
// This implementation is meant for interoperability and is not recommended for use.
3047
//
3048
//
3049

3050
#define SYMCRYPT_HMAC_SHA512_224_RESULT_SIZE       SYMCRYPT_SHA512_224_RESULT_SIZE
3051
#define SYMCRYPT_HMAC_SHA512_224_INPUT_BLOCK_SIZE  SYMCRYPT_SHA512_224_INPUT_BLOCK_SIZE
3052

3053
SYMCRYPT_ERROR
3054
SYMCRYPT_CALL
3055
SymCryptHmacSha512_224ExpandKey(
3056
    _Out_                   PSYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY  pExpandedKey,
3057
    _In_reads_opt_(cbKey)   PCBYTE                                  pbKey,
3058
                            SIZE_T                                  cbKey );
3059
//
3060
// Supports all key lengths; never returns an error.
3061
//
3062

3063
VOID
3064
SYMCRYPT_CALL
3065
SymCryptHmacSha512_224KeyCopy(
3066
    _In_    PCSYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY pSrc,
3067
    _Out_   PSYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY  pDst );
3068

3069
VOID
3070
SYMCRYPT_CALL
3071
SymCryptHmacSha512_224(
3072
    _In_                                                    PCSYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY pExpandedKey,
3073
    _In_reads_( cbData )                                    PCBYTE                                  pbData,
3074
                                                            SIZE_T                                  cbData,
3075
    _Out_writes_( SYMCRYPT_HMAC_SHA512_224_RESULT_SIZE )    PBYTE                                   pbResult );
3076

3077
VOID
3078
SYMCRYPT_CALL
3079
SymCryptHmacSha512_224StateCopy(
3080
    _In_        PCSYMCRYPT_HMAC_SHA512_224_STATE        pSrc,
3081
    _In_opt_    PCSYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY pExpandedKey,
3082
    _Out_       PSYMCRYPT_HMAC_SHA512_224_STATE         pDst );
3083

3084
VOID
3085
SYMCRYPT_CALL
3086
SymCryptHmacSha512_224Init(
3087
    _Out_   PSYMCRYPT_HMAC_SHA512_224_STATE         pState,
3088
    _In_    PCSYMCRYPT_HMAC_SHA512_224_EXPANDED_KEY pExpandedKey);
3089

3090
VOID
3091
SYMCRYPT_CALL
3092
SymCryptHmacSha512_224Append(
3093
    _Inout_                 PSYMCRYPT_HMAC_SHA512_224_STATE pState,
3094
    _In_reads_( cbData )    PCBYTE                          pbData,
3095
                            SIZE_T                          cbData );
3096

3097
VOID
3098
SYMCRYPT_CALL
3099
SymCryptHmacSha512_224Result(
3100
    _Inout_                                                 PSYMCRYPT_HMAC_SHA512_224_STATE pState,
3101
    _Out_writes_( SYMCRYPT_HMAC_SHA512_224_RESULT_SIZE )    PBYTE                           pbResult );
3102

3103
VOID
3104
SYMCRYPT_CALL
3105
SymCryptHmacSha512_224Selftest(void);
3106

3107
extern const PCSYMCRYPT_MAC  SymCryptHmacSha512_224Algorithm;
3108

3109
////////////////////////////////////////////////////////////////////////////
3110
//   HMAC-SHA-512_256
3111
//
3112
// This implementation is meant for interoperability and is not recommended for use.
3113
//
3114
//
3115

3116
#define SYMCRYPT_HMAC_SHA512_256_RESULT_SIZE       SYMCRYPT_SHA512_256_RESULT_SIZE
3117
#define SYMCRYPT_HMAC_SHA512_256_INPUT_BLOCK_SIZE  SYMCRYPT_SHA512_256_INPUT_BLOCK_SIZE
3118

3119
SYMCRYPT_ERROR
3120
SYMCRYPT_CALL
3121
SymCryptHmacSha512_256ExpandKey(
3122
    _Out_                   PSYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY  pExpandedKey,
3123
    _In_reads_opt_(cbKey)   PCBYTE                                  pbKey,
3124
                            SIZE_T                                  cbKey );
3125
//
3126
// Supports all key lengths; never returns an error.
3127
//
3128

3129
VOID
3130
SYMCRYPT_CALL
3131
SymCryptHmacSha512_256KeyCopy(
3132
    _In_    PCSYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY pSrc,
3133
    _Out_   PSYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY  pDst );
3134

3135
VOID
3136
SYMCRYPT_CALL
3137
SymCryptHmacSha512_256(
3138
    _In_                                                    PCSYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY pExpandedKey,
3139
    _In_reads_( cbData )                                    PCBYTE                                  pbData,
3140
                                                            SIZE_T                                  cbData,
3141
    _Out_writes_( SYMCRYPT_HMAC_SHA512_256_RESULT_SIZE )    PBYTE                                   pbResult );
3142

3143
VOID
3144
SYMCRYPT_CALL
3145
SymCryptHmacSha512_256StateCopy(
3146
    _In_        PCSYMCRYPT_HMAC_SHA512_256_STATE        pSrc,
3147
    _In_opt_    PCSYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY pExpandedKey,
3148
    _Out_       PSYMCRYPT_HMAC_SHA512_256_STATE         pDst );
3149

3150
VOID
3151
SYMCRYPT_CALL
3152
SymCryptHmacSha512_256Init(
3153
    _Out_   PSYMCRYPT_HMAC_SHA512_256_STATE         pState,
3154
    _In_    PCSYMCRYPT_HMAC_SHA512_256_EXPANDED_KEY pExpandedKey);
3155

3156
VOID
3157
SYMCRYPT_CALL
3158
SymCryptHmacSha512_256Append(
3159
    _Inout_                 PSYMCRYPT_HMAC_SHA512_256_STATE pState,
3160
    _In_reads_( cbData )    PCBYTE                          pbData,
3161
                            SIZE_T                          cbData );
3162

3163
VOID
3164
SYMCRYPT_CALL
3165
SymCryptHmacSha512_256Result(
3166
    _Inout_                                                 PSYMCRYPT_HMAC_SHA512_256_STATE pState,
3167
    _Out_writes_( SYMCRYPT_HMAC_SHA512_256_RESULT_SIZE )    PBYTE                           pbResult );
3168

3169
VOID
3170
SYMCRYPT_CALL
3171
SymCryptHmacSha512_256Selftest(void);
3172

3173
extern const PCSYMCRYPT_MAC  SymCryptHmacSha512_256Algorithm;
3174

3175
////////////////////////////////////////////////////////////////////////////
3176
//   HMAC-SHA3-224
3177
//
3178
// This implementation is meant for interoperability and is not recommended for use.
3179
//
3180
//
3181

3182
#define SYMCRYPT_HMAC_SHA3_224_RESULT_SIZE       SYMCRYPT_SHA3_224_RESULT_SIZE
3183
#define SYMCRYPT_HMAC_SHA3_224_INPUT_BLOCK_SIZE  SYMCRYPT_SHA3_224_INPUT_BLOCK_SIZE
3184

3185
SYMCRYPT_ERROR
3186
SYMCRYPT_CALL
3187
SymCryptHmacSha3_224ExpandKey(
3188
    _Out_                   PSYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY    pExpandedKey,
3189
    _In_reads_opt_(cbKey)   PCBYTE                                  pbKey,
3190
                            SIZE_T                                  cbKey );
3191
//
3192
// Supports all key lengths; never returns an error.
3193
//
3194

3195
VOID
3196
SYMCRYPT_CALL
3197
SymCryptHmacSha3_224KeyCopy(
3198
    _In_    PCSYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY pSrc,
3199
    _Out_   PSYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY  pDst );
3200

3201
VOID
3202
SYMCRYPT_CALL
3203
SymCryptHmacSha3_224(
3204
    _In_                                                PCSYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY   pExpandedKey,
3205
    _In_reads_( cbData )                                PCBYTE                                  pbData,
3206
                                                        SIZE_T                                  cbData,
3207
    _Out_writes_( SYMCRYPT_HMAC_SHA3_224_RESULT_SIZE )  PBYTE                                   pbResult );
3208

3209
VOID
3210
SYMCRYPT_CALL
3211
SymCryptHmacSha3_224StateCopy(
3212
    _In_        PCSYMCRYPT_HMAC_SHA3_224_STATE        pSrc,
3213
    _In_opt_    PCSYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY pExpandedKey,
3214
    _Out_       PSYMCRYPT_HMAC_SHA3_224_STATE         pDst );
3215

3216
VOID
3217
SYMCRYPT_CALL
3218
SymCryptHmacSha3_224Init(
3219
    _Out_   PSYMCRYPT_HMAC_SHA3_224_STATE         pState,
3220
    _In_    PCSYMCRYPT_HMAC_SHA3_224_EXPANDED_KEY pExpandedKey);
3221

3222
VOID
3223
SYMCRYPT_CALL
3224
SymCryptHmacSha3_224Append(
3225
    _Inout_                 PSYMCRYPT_HMAC_SHA3_224_STATE   pState,
3226
    _In_reads_( cbData )    PCBYTE                          pbData,
3227
                            SIZE_T                          cbData );
3228

3229
VOID
3230
SYMCRYPT_CALL
3231
SymCryptHmacSha3_224Result(
3232
    _Inout_                                             PSYMCRYPT_HMAC_SHA3_224_STATE   pState,
3233
    _Out_writes_( SYMCRYPT_HMAC_SHA3_224_RESULT_SIZE )  PBYTE                           pbResult );
3234

3235
VOID
3236
SYMCRYPT_CALL
3237
SymCryptHmacSha3_224Selftest(void);
3238

3239
extern const PCSYMCRYPT_MAC  SymCryptHmacSha3_224Algorithm;
3240

3241
////////////////////////////////////////////////////////////////////////////
3242
//   HMAC-SHA3-256
3243
//
3244
//
3245

3246
#define SYMCRYPT_HMAC_SHA3_256_RESULT_SIZE       SYMCRYPT_SHA3_256_RESULT_SIZE
3247
#define SYMCRYPT_HMAC_SHA3_256_INPUT_BLOCK_SIZE  SYMCRYPT_SHA3_256_INPUT_BLOCK_SIZE
3248

3249
SYMCRYPT_ERROR
3250
SYMCRYPT_CALL
3251
SymCryptHmacSha3_256ExpandKey(
3252
    _Out_                   PSYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY    pExpandedKey,
3253
    _In_reads_opt_(cbKey)   PCBYTE                                  pbKey,
3254
                            SIZE_T                                  cbKey );
3255
//
3256
// Supports all key lengths; never returns an error.
3257
//
3258

3259
VOID
3260
SYMCRYPT_CALL
3261
SymCryptHmacSha3_256KeyCopy(
3262
    _In_    PCSYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY pSrc,
3263
    _Out_   PSYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY  pDst );
3264

3265
VOID
3266
SYMCRYPT_CALL
3267
SymCryptHmacSha3_256(
3268
    _In_                                                PCSYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY   pExpandedKey,
3269
    _In_reads_( cbData )                                PCBYTE                                  pbData,
3270
                                                        SIZE_T                                  cbData,
3271
    _Out_writes_( SYMCRYPT_HMAC_SHA3_256_RESULT_SIZE )  PBYTE                                   pbResult );
3272

3273
VOID
3274
SYMCRYPT_CALL
3275
SymCryptHmacSha3_256StateCopy(
3276
    _In_        PCSYMCRYPT_HMAC_SHA3_256_STATE        pSrc,
3277
    _In_opt_    PCSYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY pExpandedKey,
3278
    _Out_       PSYMCRYPT_HMAC_SHA3_256_STATE         pDst );
3279

3280
VOID
3281
SYMCRYPT_CALL
3282
SymCryptHmacSha3_256Init(
3283
    _Out_   PSYMCRYPT_HMAC_SHA3_256_STATE         pState,
3284
    _In_    PCSYMCRYPT_HMAC_SHA3_256_EXPANDED_KEY pExpandedKey);
3285

3286
VOID
3287
SYMCRYPT_CALL
3288
SymCryptHmacSha3_256Append(
3289
    _Inout_                 PSYMCRYPT_HMAC_SHA3_256_STATE   pState,
3290
    _In_reads_( cbData )    PCBYTE                          pbData,
3291
                            SIZE_T                          cbData );
3292

3293
VOID
3294
SYMCRYPT_CALL
3295
SymCryptHmacSha3_256Result(
3296
    _Inout_                                             PSYMCRYPT_HMAC_SHA3_256_STATE   pState,
3297
    _Out_writes_( SYMCRYPT_HMAC_SHA3_256_RESULT_SIZE )  PBYTE                           pbResult );
3298

3299
VOID
3300
SYMCRYPT_CALL
3301
SymCryptHmacSha3_256Selftest(void);
3302

3303
extern const PCSYMCRYPT_MAC  SymCryptHmacSha3_256Algorithm;
3304

3305
////////////////////////////////////////////////////////////////////////////
3306
//   HMAC-SHA3-384
3307
//
3308
//
3309

3310
#define SYMCRYPT_HMAC_SHA3_384_RESULT_SIZE       SYMCRYPT_SHA3_384_RESULT_SIZE
3311
#define SYMCRYPT_HMAC_SHA3_384_INPUT_BLOCK_SIZE  SYMCRYPT_SHA3_384_INPUT_BLOCK_SIZE
3312

3313
SYMCRYPT_ERROR
3314
SYMCRYPT_CALL
3315
SymCryptHmacSha3_384ExpandKey(
3316
    _Out_                   PSYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY    pExpandedKey,
3317
    _In_reads_opt_(cbKey)   PCBYTE                                  pbKey,
3318
                            SIZE_T                                  cbKey );
3319
//
3320
// Supports all key lengths; never returns an error.
3321
//
3322

3323
VOID
3324
SYMCRYPT_CALL
3325
SymCryptHmacSha3_384KeyCopy(
3326
    _In_    PCSYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY pSrc,
3327
    _Out_   PSYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY  pDst );
3328

3329
VOID
3330
SYMCRYPT_CALL
3331
SymCryptHmacSha3_384(
3332
    _In_                                                PCSYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY   pExpandedKey,
3333
    _In_reads_( cbData )                                PCBYTE                                  pbData,
3334
                                                        SIZE_T                                  cbData,
3335
    _Out_writes_( SYMCRYPT_HMAC_SHA3_384_RESULT_SIZE )  PBYTE                                   pbResult );
3336

3337
VOID
3338
SYMCRYPT_CALL
3339
SymCryptHmacSha3_384StateCopy(
3340
    _In_        PCSYMCRYPT_HMAC_SHA3_384_STATE        pSrc,
3341
    _In_opt_    PCSYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY pExpandedKey,
3342
    _Out_       PSYMCRYPT_HMAC_SHA3_384_STATE         pDst );
3343

3344
VOID
3345
SYMCRYPT_CALL
3346
SymCryptHmacSha3_384Init(
3347
    _Out_   PSYMCRYPT_HMAC_SHA3_384_STATE         pState,
3348
    _In_    PCSYMCRYPT_HMAC_SHA3_384_EXPANDED_KEY pExpandedKey);
3349

3350
VOID
3351
SYMCRYPT_CALL
3352
SymCryptHmacSha3_384Append(
3353
    _Inout_                 PSYMCRYPT_HMAC_SHA3_384_STATE   pState,
3354
    _In_reads_( cbData )    PCBYTE                          pbData,
3355
                            SIZE_T                          cbData );
3356

3357
VOID
3358
SYMCRYPT_CALL
3359
SymCryptHmacSha3_384Result(
3360
    _Inout_                                             PSYMCRYPT_HMAC_SHA3_384_STATE   pState,
3361
    _Out_writes_( SYMCRYPT_HMAC_SHA3_384_RESULT_SIZE )  PBYTE                           pbResult );
3362

3363
VOID
3364
SYMCRYPT_CALL
3365
SymCryptHmacSha3_384Selftest(void);
3366

3367
extern const PCSYMCRYPT_MAC  SymCryptHmacSha3_384Algorithm;
3368

3369
////////////////////////////////////////////////////////////////////////////
3370
//   HMAC-SHA3-512
3371
//
3372
//
3373

3374
#define SYMCRYPT_HMAC_SHA3_512_RESULT_SIZE       SYMCRYPT_SHA3_512_RESULT_SIZE
3375
#define SYMCRYPT_HMAC_SHA3_512_INPUT_BLOCK_SIZE  SYMCRYPT_SHA3_512_INPUT_BLOCK_SIZE
3376

3377
SYMCRYPT_ERROR
3378
SYMCRYPT_CALL
3379
SymCryptHmacSha3_512ExpandKey(
3380
    _Out_                   PSYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY    pExpandedKey,
3381
    _In_reads_opt_(cbKey)   PCBYTE                                  pbKey,
3382
                            SIZE_T                                  cbKey );
3383
//
3384
// Supports all key lengths; never returns an error.
3385
//
3386

3387
VOID
3388
SYMCRYPT_CALL
3389
SymCryptHmacSha3_512KeyCopy(
3390
    _In_    PCSYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY pSrc,
3391
    _Out_   PSYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY  pDst );
3392

3393
VOID
3394
SYMCRYPT_CALL
3395
SymCryptHmacSha3_512(
3396
    _In_                                                PCSYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY   pExpandedKey,
3397
    _In_reads_( cbData )                                PCBYTE                                  pbData,
3398
                                                        SIZE_T                                  cbData,
3399
    _Out_writes_( SYMCRYPT_HMAC_SHA3_512_RESULT_SIZE )  PBYTE                                   pbResult );
3400

3401
VOID
3402
SYMCRYPT_CALL
3403
SymCryptHmacSha3_512StateCopy(
3404
    _In_        PCSYMCRYPT_HMAC_SHA3_512_STATE        pSrc,
3405
    _In_opt_    PCSYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY pExpandedKey,
3406
    _Out_       PSYMCRYPT_HMAC_SHA3_512_STATE         pDst );
3407

3408
VOID
3409
SYMCRYPT_CALL
3410
SymCryptHmacSha3_512Init(
3411
    _Out_   PSYMCRYPT_HMAC_SHA3_512_STATE         pState,
3412
    _In_    PCSYMCRYPT_HMAC_SHA3_512_EXPANDED_KEY pExpandedKey);
3413

3414
VOID
3415
SYMCRYPT_CALL
3416
SymCryptHmacSha3_512Append(
3417
    _Inout_                 PSYMCRYPT_HMAC_SHA3_512_STATE   pState,
3418
    _In_reads_( cbData )    PCBYTE                          pbData,
3419
                            SIZE_T                          cbData );
3420

3421
VOID
3422
SYMCRYPT_CALL
3423
SymCryptHmacSha3_512Result(
3424
    _Inout_                                             PSYMCRYPT_HMAC_SHA3_512_STATE   pState,
3425
    _Out_writes_( SYMCRYPT_HMAC_SHA3_512_RESULT_SIZE )  PBYTE                           pbResult );
3426

3427
VOID
3428
SYMCRYPT_CALL
3429
SymCryptHmacSha3_512Selftest(void);
3430

3431
extern const PCSYMCRYPT_MAC  SymCryptHmacSha3_512Algorithm;
3432

3433

3434
////////////////////////////////////////////////////////////////////////////
3435
//   AES-CMAC
3436
//
3437
// This is the AES-CMAC algorithm per SP 800-38B & RFC 4493.
3438
// It is also known as AES-OMAC1.
3439
//
3440

3441
#define SYMCRYPT_AES_CMAC_RESULT_SIZE        (16)
3442
#define SYMCRYPT_AES_CMAC_INPUT_BLOCK_SIZE   (16)
3443

3444
SYMCRYPT_ERROR
3445
SYMCRYPT_CALL
3446
SymCryptAesCmacExpandKey(
3447
    _Out_               PSYMCRYPT_AES_CMAC_EXPANDED_KEY pExpandedKey,
3448
    _In_reads_(cbKey)   PCBYTE                          pbKey,
3449
                        SIZE_T                          cbKey );
3450
//
3451
// Key size must be a valid AES key (16, 24, or 32 bytes)
3452
//
3453

3454
VOID
3455
SYMCRYPT_CALL
3456
SymCryptAesCmacKeyCopy(
3457
    _In_    PCSYMCRYPT_AES_CMAC_EXPANDED_KEY pSrc,
3458
    _Out_   PSYMCRYPT_AES_CMAC_EXPANDED_KEY  pDst );
3459

3460
VOID
3461
SYMCRYPT_CALL
3462
SymCryptAesCmac(
3463
    _In_                                            PSYMCRYPT_AES_CMAC_EXPANDED_KEY pExpandedKey,
3464
    _In_reads_( cbData )                            PCBYTE                          pbData,
3465
                                                    SIZE_T                          cbData,
3466
    _Out_writes_( SYMCRYPT_AES_CMAC_RESULT_SIZE )   PBYTE                           pbResult );
3467

3468
VOID
3469
SYMCRYPT_CALL
3470
SymCryptAesCmacStateCopy(
3471
    _In_        PCSYMCRYPT_AES_CMAC_STATE        pSrc,
3472
    _In_opt_    PCSYMCRYPT_AES_CMAC_EXPANDED_KEY pExpandedKey,
3473
    _Out_       PSYMCRYPT_AES_CMAC_STATE         pDst );
3474

3475
VOID
3476
SYMCRYPT_CALL
3477
SymCryptAesCmacInit(
3478
    _Out_   PSYMCRYPT_AES_CMAC_STATE        pState,
3479
    _In_    PCSYMCRYPT_AES_CMAC_EXPANDED_KEY pExpandedKey);
3480

3481
VOID
3482
SYMCRYPT_CALL
3483
SymCryptAesCmacAppend(
3484
    _Inout_                 PSYMCRYPT_AES_CMAC_STATE    pState,
3485
    _In_reads_( cbData )    PCBYTE                      pbData,
3486
                            SIZE_T                      cbData );
3487

3488
VOID
3489
SYMCRYPT_CALL
3490
SymCryptAesCmacResult(
3491
    _Inout_                                         PSYMCRYPT_AES_CMAC_STATE    pState,
3492
    _Out_writes_( SYMCRYPT_AES_CMAC_RESULT_SIZE )   PBYTE                       pbResult );
3493

3494
VOID
3495
SYMCRYPT_CALL
3496
SymCryptAesCmacSelftest(void);
3497

3498
extern const PCSYMCRYPT_MAC SymCryptAesCmacAlgorithm;
3499

3500
////////////////////////////////////////////////////////////////////////////
3501
// KMAC
3502
//
3503
// Keccak Message Authentication Code (KMAC) is specified in NIST SP 800-185
3504
// and has two variants; KMAC128 and KMAC256, using cSHAKE128 and cSHAKE256
3505
// as the underlying functions, respectively.
3506
//
3507
// KMAC128(K, X, L, S) = cSHAKE128(bytepad(encode_string(K), 168) || X || right_encode(L), L, "KMAC", S)
3508
// KMAC256(K, X, L, S) = cSHAKE256(bytepad(encode_string(K), 136) || X || right_encode(L), L, "KMAC", S)
3509
//
3510
// KMAC accepts a variable-size key. There's no restriction on the size of the key.
3511
//
3512
// KMAC differs from other MAC algorithms in SymCrypt by having two additional input
3513
// parameters; a customization string and the length of the output. Output generated
3514
// by KMAC also depends on the specified output length, i.e., outputs generated from
3515
// two KMAC calls with the same key, message, customization string, but different output
3516
// lengths will be unrelated/uncorrelated. This differs from SHAKE and cSHAKE where an
3517
// output of size N bytes from the algorithm is a prefix of the output of size M bytes
3518
// where N < M, when the inputs are the same.
3519
//
3520
// KMAC works in two modes; fixed-length mode and XOF mode. XOF variants are named KMACXOF128
3521
// and  KMACXOF256. SymCrypt does not provide a separate KMACXOF API but supports them via
3522
// the KMAC interface.
3523
//
3524
// KMACXOF128(K, X, L, S) = cSHAKE128(bytepad(encode_string(K), 168) || X || right_encode(0), L, "KMAC", S)
3525
// KMACXOF256(K, X, L, S) = cSHAKE256(bytepad(encode_string(K), 136) || X || right_encode(0), L, "KMAC", S)
3526
//
3527
// KMAC output generation mode is determined by the output length parameter
3528
// L in SP 800-185; if it is non-zero then KMAC works in fixed-length mode, otherwise (i.e., L=0)
3529
// it works in XOF mode.
3530
//  - Fixed-length mode generates result with SymCryptKmacXxxResult or SymCryptKmacXxxResultEx.
3531
//    These functions wipe the state after generating output, thus can only be used
3532
//    once per initialized state. The result size is SYMCRYPT_KMAC_XXX_RESULT
3533
//    for SymCryptKmacXxxResult and specified by the caller for SymCryptKmacXxxResultEx.
3534
//  - XOF mode can produce arbitrary length output. SymCryptKmacXxxExtract function puts KMAC
3535
//    state into XOF mode and all the successive calls that generate output from the KMAC state will be
3536
//    from the XOF mode. SymCryptKmacXxxResult and SymCryptKmacXxxResultEx functions
3537
//    will also generate output in XOF mode IF they are called after a SymCryptKmacXxxExtract
3538
//    function with bWipe=FALSE (so that the state remains in XOF mode). Note that
3539
//    SymCryptKmacXxxResult and SymCryptKmacXxxResultEx functions wipe the state afterwards,
3540
//    thus KMAC state can only be used to generate output in XOF mode once with these two functions.
3541
//
3542
//  SYMCRYPT_KMACXXX_RESULT_SIZE
3543
//
3544
//      Default result size when KMAC is used with the existing MAC interface.
3545
//      Equals to twice the SYMCRYPT_KMACXXX_KEY_SIZE.
3546
//
3547
//  SYMCRYPT_ERROR
3548
//  SYMCRYPT_CALL
3549
//  SymCryptKmacXxxExpandKey(
3550
//          _Out_                                       PSYMCRYPT_KMACXXX_EXPANDED_KEY pExpandedKey,
3551
//          _In_reads_bytes_( cbKey )                   PCBYTE  pbKey,
3552
//                                                      SIZE_T  cbKey);
3553
//
3554
//      Performs key expansion with empty customization string.
3555
//      There's no restriction on the size of the key.
3556
//
3557
//  SYMCRYPT_ERROR
3558
//  SYMCRYPT_CALL
3559
//  SymCryptKmacXxxExpandKeyEx(
3560
//          _Out_                                       PSYMCRYPT_KMAXXX_EXPANDED_KEY pExpandedKey,
3561
//          _In_reads_bytes_( cbKey )                   PCBYTE  pbKey,
3562
//                                                      SIZE_T  cbKey,
3563
//          _In_reads_bytes_( cbCustomizationString )   PCBYTE  pbCustomizationString,
3564
//                                                      SIZE_T  cbCustomizationString);
3565
//
3566
//      Performs key expansion for the provided key and customization string.
3567
//      There's no restriction on the size of the key.
3568
//
3569
//  VOID
3570
//  SYMCRYPT_CALL
3571
//  SymCryptKmacXxx(
3572
//          _In_                                                PCSYMCRYPT_KMACXXX_EXPANDED_KEY pExpandedKey,
3573
//          _In_reads_bytes_( cbInput )                         PCBYTE  pbInput,
3574
//                                                              SIZE_T  cbInput,
3575
//          _Out_writes_bytes_( SYMCRYPT_KMACXXX_RESULT_SIZE )  PBYTE   pbResult);
3576
//
3577
//      Single-call KMAC computation for the given input producing default result
3578
//      size SYMCRYPT_KMACXXX_RESULT_SIZE.
3579
//
3580
//      pExpandedKey must be initialized before the call. This function is equivalent
3581
//      to SymCryptKmacXxxEx with output size set to SYMCRYPT_KMACXXX_RESULT_SIZE.
3582
//      If a result size different than the default value is desired, SymCryptKmacXxxEx
3583
//      must be called.
3584
//
3585
//  VOID
3586
//  SYMCRYPT_CALL
3587
//  SymCryptKmacXxxEx(
3588
//          _In_                            PCSYMCRYPT_KMACXXX_EXPANDED_KEY pExpandedKey,
3589
//          _In_reads_bytes_( cbInput )     PCBYTE  pbInput,
3590
//                                          SIZE_T  cbInput,
3591
//          _Out_writes_bytes_( cbResult )  PBYTE   pbResult,
3592
//                                          SIZE_T  cbResult);
3593
//
3594
//      Single-call KMAC computation for the given input producing cbResult bytes result.
3595
//      pExpandedKey must be initialized before the call.
3596
//
3597
//  VOID
3598
//  SYMCRYPT_CALL
3599
//  SymCryptKmacXxxInit(
3600
//      _Out_   PSYMCRYPT_KMACXXX_STATE         pState,
3601
//      _In_    PCSYMCRYPT_KMACXXX_EXPANDED_KEY pExpandedKey);
3602
//
3603
//      Initializes KMAC state for appending data for the provided key. Expanded
3604
//      key must be generated prior to this call.
3605
//
3606
//  VOID
3607
//  SYMCRYPT_CALL
3608
//  SymCryptKmacXxxAppend(
3609
//      _Inout_                 PSYMCRYPT_KMACXXX_STATE pState,
3610
//      _In_reads_( cbData )    PCBYTE                  pbData,
3611
//                              SIZE_T                  cbData );
3612
//
3613
//      Appends data to the KMAC state.
3614
//
3615
//      This function must only be called after SymCryptKmacXxxInit or SymCryptKmacXxxAppend.
3616
//      Calling SymCryptKmacXxxAppend after SymCryptKmacXxxExtract with bWipe=FALSE
3617
//      is not well-defined. KMAC state must be initialized with SymCryptKmacXxxInit before
3618
//      the first call to SymCryptKmacXxxAppend.
3619
//
3620
//  VOID
3621
//  SYMCRYPT_CALL
3622
//  SymCryptKmacXxxExtract(
3623
//      _Inout_                     PSYMCRYPT_KMACXXX_STATE pState,
3624
//      _Out_writes_( cbOutput )    PBYTE                   pbOutput,
3625
//                                  SIZE_T                  cbOutput,
3626
//                                  BOOLEAN                 bWipe);
3627
//
3628
//      Generates KMAC output in XOF mode.
3629
//
3630
//      Extract can only be called after an Init, Append or Extract call.
3631
//      The state is cleared if bWipe=TRUE, otherwise further Extract calls
3632
//      can be made to generate more output.
3633
//
3634
//  VOID
3635
//  SYMCRYPT_CALL
3636
//  SymCryptKmacXxxResult(
3637
//      _Inout_                                         PSYMCRYPT_KMACXXX_STATE pState,
3638
//      _Out_writes_( SYMCRYPT_KMACXXX_RESULT_SIZE )    PBYTE   pbResult);
3639
//
3640
//      Produces SYMCRYPT_KMACXXX_RESULT_SIZE bytes of output from the KMAC state.
3641
//      The state is wiped on return.
3642
//
3643
//      This function internally calls SymCryptKmacXxxResultEx with result size
3644
//      SYMCRYPT_KMACXXX_RESULT_SIZE.
3645
//      If Result is called in XOF mode (i.e., after an Extract with bWipe=FALSE), it
3646
//      performs a final extraction of SYMCRYPT_KMACXXX_RESULT_SIZE bytes in XOF mode
3647
//      and clears the state afterwards.
3648
//      Result function does not re-initialize the state for a new computation like
3649
//      the Result for hash functions do. Computing a new MAC with the same key
3650
//      requires calling the SymCryptKmacXxxInit function first.
3651
//
3652
//  VOID
3653
//  SYMCRYPT_CALL
3654
//  SymCryptKmacXxxResultEx(
3655
//      _Inout_                     PSYMCRYPT_KMACXXX_STATE pState,
3656
//      _Out_writes_( cbResult )    PBYTE   pbResult,
3657
//                                  SIZE_T  cbResult);
3658
//
3659
//      Produces cbResult bytes of output from the KMAC state. The state is
3660
//      wiped on return.
3661
//
3662
//      If ResultEx is called in XOF mode (i.e., after an Extract with bWipe=FALSE), it
3663
//      performs a final extraction of cbResult bytes in XOF mode and clears the state
3664
//      afterwards.
3665
//      ResultEx function does not re-initialize the state for a new computation like
3666
//      the Result for hash functions do. Computing a new MAC with the same key
3667
//      requires calling the SymCryptKmacXxxInit function first.
3668
//
3669

3670

3671
//
3672
//  KMAC128
3673
//
3674
#define SYMCRYPT_KMAC128_RESULT_SIZE        SYMCRYPT_CSHAKE128_RESULT_SIZE
3675
#define SYMCRYPT_KMAC128_INPUT_BLOCK_SIZE   SYMCRYPT_CSHAKE128_INPUT_BLOCK_SIZE
3676

3677
VOID
3678
SYMCRYPT_CALL
3679
SymCryptKmac128(
3680
        _In_                                                PCSYMCRYPT_KMAC128_EXPANDED_KEY pExpandedKey,
3681
        _In_reads_bytes_( cbInput )                         PCBYTE  pbInput,
3682
                                                            SIZE_T  cbInput,
3683
        _Out_writes_bytes_( SYMCRYPT_KMAC128_RESULT_SIZE )  PBYTE   pbResult);
3684

3685
VOID
3686
SYMCRYPT_CALL
3687
SymCryptKmac128Ex(
3688
        _In_                            PCSYMCRYPT_KMAC128_EXPANDED_KEY pExpandedKey,
3689
        _In_reads_bytes_( cbInput )     PCBYTE  pbInput,
3690
                                        SIZE_T  cbInput,
3691
        _Out_writes_bytes_( cbResult )  PBYTE   pbResult,
3692
                                        SIZE_T  cbResult);
3693

3694

3695
SYMCRYPT_ERROR
3696
SYMCRYPT_CALL
3697
SymCryptKmac128ExpandKey(
3698
        _Out_                                       PSYMCRYPT_KMAC128_EXPANDED_KEY pExpandedKey,
3699
        _In_reads_bytes_( cbKey )                   PCBYTE  pbKey,
3700
                                                    SIZE_T  cbKey);
3701

3702
SYMCRYPT_ERROR
3703
SYMCRYPT_CALL
3704
SymCryptKmac128ExpandKeyEx(
3705
        _Out_                                       PSYMCRYPT_KMAC128_EXPANDED_KEY pExpandedKey,
3706
        _In_reads_bytes_( cbKey )                   PCBYTE  pbKey,
3707
                                                    SIZE_T  cbKey,
3708
        _In_reads_bytes_( cbCustomizationString )   PCBYTE  pbCustomizationString,
3709
                                                    SIZE_T  cbCustomizationString);
3710

3711
VOID
3712
SYMCRYPT_CALL
3713
SymCryptKmac128Init(
3714
    _Out_   PSYMCRYPT_KMAC128_STATE         pState,
3715
    _In_    PCSYMCRYPT_KMAC128_EXPANDED_KEY pExpandedKey);
3716

3717
VOID
3718
SYMCRYPT_CALL
3719
SymCryptKmac128Append(
3720
    _Inout_                 PSYMCRYPT_KMAC128_STATE pState,
3721
    _In_reads_( cbData )    PCBYTE                  pbData,
3722
                            SIZE_T                  cbData );
3723

3724
VOID
3725
SYMCRYPT_CALL
3726
SymCryptKmac128Extract(
3727
    _Inout_                     PSYMCRYPT_KMAC128_STATE pState,
3728
    _Out_writes_( cbOutput )    PBYTE                   pbOutput,
3729
                                SIZE_T                  cbOutput,
3730
                                BOOLEAN                 bWipe);
3731

3732
VOID
3733
SYMCRYPT_CALL
3734
SymCryptKmac128Result(
3735
    _Inout_                                         PSYMCRYPT_KMAC128_STATE pState,
3736
    _Out_writes_( SYMCRYPT_KMAC128_RESULT_SIZE )    PBYTE   pbResult);
3737

3738
VOID
3739
SYMCRYPT_CALL
3740
SymCryptKmac128ResultEx(
3741
    _Inout_                     PSYMCRYPT_KMAC128_STATE pState,
3742
    _Out_writes_( cbResult )    PBYTE   pbResult,
3743
                                SIZE_T  cbResult);
3744

3745
VOID
3746
SYMCRYPT_CALL
3747
SymCryptKmac128KeyCopy(_In_ PCSYMCRYPT_KMAC128_EXPANDED_KEY pSrc, _Out_ PSYMCRYPT_KMAC128_EXPANDED_KEY pDst);
3748

3749
VOID
3750
SYMCRYPT_CALL
3751
SymCryptKmac128StateCopy(_In_ const SYMCRYPT_KMAC128_STATE* pSrc, _Out_ SYMCRYPT_KMAC128_STATE* pDst);
3752

3753
VOID
3754
SYMCRYPT_CALL
3755
SymCryptKmac128Selftest(void);
3756

3757
extern const PCSYMCRYPT_MAC SymCryptKmac128Algorithm;
3758

3759
//
3760
//  KMAC256
3761
//
3762
#define SYMCRYPT_KMAC256_RESULT_SIZE        SYMCRYPT_CSHAKE256_RESULT_SIZE
3763
#define SYMCRYPT_KMAC256_INPUT_BLOCK_SIZE   SYMCRYPT_CSHAKE256_INPUT_BLOCK_SIZE
3764

3765
VOID
3766
SYMCRYPT_CALL
3767
SymCryptKmac256(
3768
        _In_                                                PCSYMCRYPT_KMAC256_EXPANDED_KEY pExpandedKey,
3769
        _In_reads_bytes_( cbInput )                         PCBYTE  pbInput,
3770
                                                            SIZE_T  cbInput,
3771
        _Out_writes_bytes_( SYMCRYPT_KMAC256_RESULT_SIZE )  PBYTE   pbResult);
3772

3773
VOID
3774
SYMCRYPT_CALL
3775
SymCryptKmac256Ex(
3776
        _In_                            PCSYMCRYPT_KMAC256_EXPANDED_KEY pExpandedKey,
3777
        _In_reads_bytes_( cbInput )     PCBYTE  pbInput,
3778
                                        SIZE_T  cbInput,
3779
        _Out_writes_bytes_( cbResult )  PBYTE   pbResult,
3780
                                        SIZE_T  cbResult);
3781

3782
SYMCRYPT_ERROR
3783
SYMCRYPT_CALL
3784
SymCryptKmac256ExpandKey(
3785
        _Out_                                       PSYMCRYPT_KMAC256_EXPANDED_KEY pExpandedKey,
3786
        _In_reads_bytes_( cbKey )                   PCBYTE  pbKey,
3787
                                                    SIZE_T  cbKey);
3788

3789
SYMCRYPT_ERROR
3790
SYMCRYPT_CALL
3791
SymCryptKmac256ExpandKeyEx(
3792
        _Out_                                       PSYMCRYPT_KMAC256_EXPANDED_KEY pExpandedKey,
3793
        _In_reads_bytes_( cbKey )                   PCBYTE  pbKey,
3794
                                                    SIZE_T  cbKey,
3795
        _In_reads_bytes_( cbCustomizationString )   PCBYTE  pbCustomizationString,
3796
                                                    SIZE_T  cbCustomizationString);
3797

3798
VOID
3799
SYMCRYPT_CALL
3800
SymCryptKmac256Init(
3801
    _Out_   PSYMCRYPT_KMAC256_STATE         pState,
3802
    _In_    PCSYMCRYPT_KMAC256_EXPANDED_KEY pExpandedKey);
3803

3804
VOID
3805
SYMCRYPT_CALL
3806
SymCryptKmac256Append(
3807
    _Inout_                 PSYMCRYPT_KMAC256_STATE pState,
3808
    _In_reads_( cbData )    PCBYTE                  pbData,
3809
                            SIZE_T                  cbData );
3810

3811
VOID
3812
SYMCRYPT_CALL
3813
SymCryptKmac256Extract(
3814
    _Inout_                     PSYMCRYPT_KMAC256_STATE pState,
3815
    _Out_writes_( cbOutput )    PBYTE                   pbOutput,
3816
                                SIZE_T                  cbOutput,
3817
                                BOOLEAN                 bWipe);
3818

3819
VOID
3820
SYMCRYPT_CALL
3821
SymCryptKmac256Result(
3822
    _Inout_                                         PSYMCRYPT_KMAC256_STATE pState,
3823
    _Out_writes_( SYMCRYPT_KMAC256_RESULT_SIZE )    PBYTE   pbResult);
3824

3825
VOID
3826
SYMCRYPT_CALL
3827
SymCryptKmac256ResultEx(
3828
    _Inout_                     PSYMCRYPT_KMAC256_STATE pState,
3829
    _Out_writes_( cbResult )    PBYTE                   pbResult,
3830
                                SIZE_T                  cbResult);
3831

3832
VOID
3833
SYMCRYPT_CALL
3834
SymCryptKmac256KeyCopy(_In_ PCSYMCRYPT_KMAC256_EXPANDED_KEY pSrc, _Out_ PSYMCRYPT_KMAC256_EXPANDED_KEY pDst);
3835

3836
VOID
3837
SYMCRYPT_CALL
3838
SymCryptKmac256StateCopy(_In_ const SYMCRYPT_KMAC256_STATE* pSrc, _Out_ SYMCRYPT_KMAC256_STATE* pDst);
3839

3840
VOID
3841
SYMCRYPT_CALL
3842
SymCryptKmac256Selftest(void);
3843

3844
extern const PCSYMCRYPT_MAC SymCryptKmac256Algorithm;
3845

3846

3847
////////////////////////////////////////////////////////////////////////////
3848
// POLY1305
3849
//
3850
// Poly1305 is different from other MAC functions because a key can only
3851
// be used safely for a single message.
3852
// We do not follow the default API pattern for MAC functions as that invites
3853
// callers to compute multiple MACs per key.
3854
//
3855

3856
#define SYMCRYPT_POLY1305_RESULT_SIZE   (16)
3857
#define SYMCRYPT_POLY1305_BLOCK_SIZE    (16)
3858
#define SYMCRYPT_POLY1305_KEY_SIZE      (32)
3859

3860
VOID
3861
SYMCRYPT_CALL
3862
SymCryptPoly1305(
3863
    _In_reads_( SYMCRYPT_POLY1305_KEY_SIZE )        PCBYTE  pbKey,
3864
    _In_reads_( cbData )                            PCBYTE  pbData,
3865
                                                    SIZE_T  cbData,
3866
    _Out_writes_( SYMCRYPT_POLY1305_RESULT_SIZE )   PBYTE   pbResult );
3867
// Compute a Poly1305 authentication with the provided key on the data buffer.
3868
// Note: A Poly1305 key may only be used for a single message.
3869

3870
VOID
3871
SYMCRYPT_CALL
3872
SymCryptPoly1305Init(
3873
    _Out_                                       PSYMCRYPT_POLY1305_STATE    pState,
3874
    _In_reads_( SYMCRYPT_POLY1305_KEY_SIZE )    PCBYTE                      pbKey );
3875
// Starts an incremental Poly1305 computation.
3876
// Note: A Poly1305 key may only be used for a single message.
3877

3878
VOID
3879
SYMCRYPT_CALL
3880
SymCryptPoly1305Append(
3881
    _Inout_                 PSYMCRYPT_POLY1305_STATE    pState,
3882
    _In_reads_( cbData )    PCBYTE                      pbData,
3883
                            SIZE_T                      cbData );
3884

3885
VOID
3886
SYMCRYPT_CALL
3887
SymCryptPoly1305Result(
3888
    _Inout_                                         PSYMCRYPT_POLY1305_STATE    pState,
3889
    _Out_writes_( SYMCRYPT_POLY1305_RESULT_SIZE )   PBYTE                       pbResult );
3890
// The state is wiped and not suitable for re-use.
3891

3892
VOID
3893
SYMCRYPT_CALL
3894
SymCryptPoly1305Selftest(void);
3895

3896
//
3897
// We do NOT define a SYMCRYPT_MAC structure SymCryptPoly1305Algorithm
3898
// for Poly1305 as it is a 1-time MAC function and cannot safely be used
3899
// by any KDF we have
3900
//
3901
// NOT DEFINED: extern const PCSYMCRYPT_MAC SymCryptPoly1305Algorithm;
3902
//
3903

3904
////////////////////////////////////////////////////////////////////////////
3905
// CHACHA20_POLY1305
3906
//
3907
// This algorithm combines the CHACHA20 symmetric key stream cipher with
3908
// the POLY1305 MAC function as per RFC 8439.
3909
// The POLY1305 authenticator key is generated from the first 32 bytes
3910
// of the CHACHA20 keystream and is only valid for a single message.
3911
// For this reason each key and nonce combination passed to
3912
// SymCryptChaCha20Poly1305Encrypt MUST only be used once.
3913
//
3914
// The Src and Dst buffers can be identical or non-overlapping; partial overlaps
3915
// are not supported.
3916
//
3917

3918
SYMCRYPT_ERROR
3919
SYMCRYPT_CALL
3920
SymCryptChaCha20Poly1305Encrypt(
3921
    _In_reads_( cbKey )             PCBYTE    pbKey,
3922
                                    SIZE_T    cbKey,      // Required. Key size MUST be 32 bytes.
3923
    _In_reads_( cbNonce )           PCBYTE    pbNonce,
3924
                                    SIZE_T    cbNonce,    // Required. Nonce size MUST be 12 bytes.
3925
    _In_reads_opt_( cbAuthData )    PCBYTE    pbAuthData,
3926
                                    SIZE_T    cbAuthData, // Optional. Can be any size.
3927
    _In_reads_( cbData )            PCBYTE    pbSrc,
3928
    _Out_writes_( cbData )          PBYTE     pbDst,
3929
                                    SIZE_T    cbData,     // Required. Max size is 274,877,906,880 bytes.
3930
    _Out_writes_( cbTag )           PBYTE     pbTag,
3931
                                    SIZE_T    cbTag );    // Required. Tag size MUST be 16 bytes.
3932

3933
SYMCRYPT_ERROR
3934
SYMCRYPT_CALL
3935
SymCryptChaCha20Poly1305Decrypt(
3936
    _In_reads_( cbKey )             PCBYTE    pbKey,
3937
                                    SIZE_T    cbKey,      // Required. Key size MUST be 32 bytes.
3938
    _In_reads_( cbNonce )           PCBYTE    pbNonce,
3939
                                    SIZE_T    cbNonce,    // Required. Nonce size MUST be 12 bytes.
3940
    _In_reads_opt_( cbAuthData )    PCBYTE    pbAuthData,
3941
                                    SIZE_T    cbAuthData, // Optional. Can be any size.
3942
    _In_reads_( cbData )            PCBYTE    pbSrc,
3943
    _Out_writes_( cbData )          PBYTE     pbDst,
3944
                                    SIZE_T    cbData,     // Required. Max size is 274,877,906,880 bytes.
3945
    _In_reads_( cbTag )             PCBYTE    pbTag,
3946
                                    SIZE_T    cbTag );    // Required. Tag size MUST be 16 bytes.
3947

3948
VOID
3949
SYMCRYPT_CALL
3950
SymCryptChaCha20Poly1305Selftest(void);
3951

3952
////////////////////////////////////////////////////////////////////////////
3953
//   MARVIN32
3954
//
3955
// Marvin is a checksum function optimized for speed on small inputs.
3956
// IT IS NOT A CRYPTOGRAPHIC HASH FUNCTION.
3957
// Marvin lacks the security properties of a cryptographic hash function.
3958
// DO NOT USE FOR ANY SECURITY USE.
3959
//
3960
// A randomizable checksum function has essentially the same API as a MAC
3961
// function. We use the SymCrypt MAC API here, with the difference
3962
// that we use the word 'seed' rather than 'key'.
3963
//
3964
// See the description above of the generic MAC API for details on how
3965
// these functions are used. Wherever the MAC API talks about keys, this
3966
// applies to the seed for Marvin32.
3967
//
3968
// The randomization is useful for hash tables.
3969
// There are DOS attacks where an attacker generates many inputs that
3970
// hash to the same location in the hash table. Some hash table implementations
3971
// then use O(n^2) CPU time, allowing a DOS attack.
3972
// The randomization provided by the seed avoids this attack if:
3973
// - The seed is unpredictable and unknown to the attacker.
3974
// - The attacker cannot learn information about the output of the checksum function.
3975
// In particular, if an attacker can measure how long it takes to add each
3976
// element in a hash table, they might be able to determine enough information about
3977
// the output of the checksum function to recover the seed. Of course,
3978
// once that is done the DOS attack is once again possible.
3979
//
3980
// SymCrypt provides a default seed for applications that don't need a seed.
3981
//
3982
// FUTURE IMPROVEMENTS:
3983
// At the moment it is relatively expensive to change the seed.
3984
// If needed, we can add a facility to modify the seed faster than
3985
// re-running the ExpandSeed function.
3986
//
3987

3988
#define SYMCRYPT_MARVIN32_RESULT_SIZE       (8)
3989
#define SYMCRYPT_MARVIN32_SEED_SIZE         (8)
3990
#define SYMCRYPT_MARVIN32_INPUT_BLOCK_SIZE  (4)
3991

3992
SYMCRYPT_ERROR
3993
SYMCRYPT_CALL
3994
SymCryptMarvin32ExpandSeed(
3995
    _Out_               PSYMCRYPT_MARVIN32_EXPANDED_SEED    pExpandedSeed,
3996
    _In_reads_(cbSeed)  PCBYTE                              pbSeed,
3997
                        SIZE_T                              cbSeed );
3998
//
3999
// The seed must be 8 bytes (= SYMCRYPT_MARVIN32_SEED_SIZE).
4000
// Use of the all-zero seed is not recommended as it has some undesirable properties.
4001
// Note that a pre-expanded default seed is provided for applications that do not wish to control
4002
// their seed. Such applications do not need to call SymCryptMarvin32ExpandSeed
4003
//
4004

4005
extern PCSYMCRYPT_MARVIN32_EXPANDED_SEED const SymCryptMarvin32DefaultSeed;
4006

4007
PCSYMCRYPT_MARVIN32_EXPANDED_SEED
4008
SYMCRYPT_CALL
4009
SymCryptGetMarvin32DefaultSeed( void );
4010
//
4011
// Returns a pointer to the default Marvin32 seed.
4012
//
4013

4014
VOID
4015
SYMCRYPT_CALL
4016
SymCryptMarvin32SeedCopy(   _In_    PCSYMCRYPT_MARVIN32_EXPANDED_SEED   pSrc,
4017
                            _Out_   PSYMCRYPT_MARVIN32_EXPANDED_SEED    pDst );
4018

4019
VOID
4020
SYMCRYPT_CALL
4021
SymCryptMarvin32(
4022
    _In_                                            PCSYMCRYPT_MARVIN32_EXPANDED_SEED   pExpandedSeed,
4023
    _In_reads_( cbData )                            PCBYTE                              pbData,
4024
                                                    SIZE_T                              cbData,
4025
    _Out_writes_( SYMCRYPT_MARVIN32_RESULT_SIZE )   PBYTE                               pbResult );
4026
//
4027
// If the application does not wish to use a seed, a default expanded seed is provided.
4028
// Callers can pass SymCryptMarvin32DefaultSeed as the first argument.
4029
//
4030

4031
VOID
4032
SYMCRYPT_CALL
4033
SymCryptMarvin32StateCopy(
4034
    _In_        PCSYMCRYPT_MARVIN32_STATE           pSrc,
4035
    _In_opt_    PCSYMCRYPT_MARVIN32_EXPANDED_SEED   pExpandedSeed,
4036
    _Out_       PSYMCRYPT_MARVIN32_STATE            pDst );
4037

4038

4039
VOID
4040
SYMCRYPT_CALL
4041
SymCryptMarvin32Init(   _Out_   PSYMCRYPT_MARVIN32_STATE            pState,
4042
                        _In_    PCSYMCRYPT_MARVIN32_EXPANDED_SEED   pExpandedSeed);
4043

4044
VOID
4045
SYMCRYPT_CALL
4046
SymCryptMarvin32Append(     _Inout_                 PSYMCRYPT_MARVIN32_STATE    pState,
4047
                            _In_reads_( cbData )    PCBYTE                      pbData,
4048
                                                    SIZE_T                      cbData );
4049

4050
VOID
4051
SYMCRYPT_CALL
4052
SymCryptMarvin32Result(
4053
     _Inout_                                        PSYMCRYPT_MARVIN32_STATE    pState,
4054
     _Out_writes_( SYMCRYPT_MARVIN32_RESULT_SIZE )  PBYTE                       pbResult );
4055

4056

4057
VOID
4058
SYMCRYPT_CALL
4059
SymCryptMarvin32Selftest(void);
4060

4061

4062
//==========================================================================
4063
//   BLOCK CIPHERS
4064
//==========================================================================
4065
//
4066
// For a block cipher XXX the following minimal functions, types, and constants are defined:
4067
//
4068
// SYMCRYPT_XXX_BLOCK_SIZE
4069
//
4070
//      A constant giving is the block size, in bytes, of the algorithm.
4071
//
4072
//
4073
// SYMCRYPT_XXX_EXPANDED_KEY
4074
//      Type which contains a key with all the pre-computations performed.
4075
//      This is an opaque type whose structure can change at will.
4076
//      It should only be used for transient computations in a single executable
4077
//      and not be stored or transferred to a different environment.
4078
//      The pointer and const-pointer versions are also declared
4079
//      (PSYMCRYPOT_XXX_EXPANDED_KEY and PCSYMCRYPT_XXX_EXPANDED_KEY).
4080
//
4081
//      The EXPANDED_KEY structure contains keying material and should be wiped
4082
//      once it is no longer used. (See SymCryptWipe & SymCryptWipeKnownSize)
4083
//
4084
//      Once initialized, multiple threads can use the same expanded key object simultaneously
4085
//      for different block cipher computations as the expanded key is not modified once initialized.
4086
//
4087
// SymCryptXxxBlockCipher
4088
//      A SYMCRYPT_BLOCKCIPHER structure that provides a description
4089
//      of the block cipher and its primary functions. This is used by cipher modes to pass
4090
//      all the block-cipher specific information in a single structure.
4091
//
4092
//
4093
// SYMCRYPT_ERROR
4094
// SYMCRYPT_CALL
4095
// SymCryptXxxExpandKey(    _Out_               PSYMCRYPT_XXX_EXPANDED_KEY pExpandedKey,
4096
//                          _In_reads_(cbKey)   PCBYTE                     pbKey,
4097
//                                              SIZE_T                     cbKey );
4098
//
4099
//      Prepare a key for future use by the Xxx algorithm.
4100
//      This function performs pre-computations on the key
4101
//      to speed up the actual block cipher computations later, and stores the result as an expanded key.
4102
//      The expanded key must be kept unchanged until all computations that use the key are finished.
4103
//      When the key is no longer needed the expanded key structure should be wiped.
4104
//
4105
//      Different algorithms pose different requirements on the length of the key.
4106
//      If the key that is provided is of an unsupported length the SYMCRYPT_WRONG_KEY_SIZE error is returned.
4107
//      In this case the expanded key structure will not contain any keying material and does not have to be wiped.
4108
//
4109
//
4110
// VOID
4111
// SYMCRYPT_CALL
4112
// SymCryptXxxEncrypt(  _In_                                    PCSYMCRYPT_XXX_EXPANDED_KEY pExpandedKey,
4113
//                      _In_reads_( SYMCRYPT_XXX_BLOCK_SIZE )   PCBYTE                      pbSrc,
4114
//                      _Out_writes_( SYMCRYPT_XXX_BLOCK_SIZE ) PBYTE                       pbDst );
4115
//
4116
//      Encrypt a single block.
4117
//
4118
//
4119
// VOID
4120
// SYMCRYPT_CALL
4121
// SymCryptXxxDecrypt(  _In_                                    PCSYMCRYPT_XXX_EXPANDED_KEY pExpandedKey,
4122
//                      _In_reads_( SYMCRYPT_XXX_BLOCK_SIZE )   PCBYTE                      pbSrc,
4123
//                      _Out_writes_( SYMCRYPT_XXX_BLOCK_SIZE ) PBYTE                       pbDst );
4124
//
4125
//      Decrypt a single block.
4126
//
4127
//
4128
// --------------------------------------------------------------------------------------------------------------
4129
//      In addition to these elementary encrypt block/decrypt block functions a block cipher may also implement
4130
//      optimized versions of CBC encryption, CBC decryption, CBC-MAC, and CTR encryption. Not all block ciphers
4131
//      do implement these.
4132
//      All block cipher modes are always available through the generic block cipher mode functions.
4133
//
4134
// VOID
4135
// SYMCRYPT_CALL
4136
// SymCryptXxxCbcEncrypt(
4137
//      _In_                                        PCSYMCRYPT_XXX_EXPANDED_KEY pExpandedKey,
4138
//      _Inout_updates_( SYMCRYPT_XXX_BLOCK_SIZE )  PBYTE                       pbChainingValue,
4139
//      _In_reads_( cbData )                        PCBYTE                      pbSrc,
4140
//      _Out_writes_( cbData )                      PBYTE                       pbDst,
4141
//                                                  SIZE_T                      cbData );
4142
//
4143
//      Encrypt data using the CBC chaining mode.
4144
//      On entry the pbChainingValue is the IV which is xorred into the first plaintext block of the CBC encryption.
4145
//      On exit the pbChainingValue is updated to the last ciphertext block of the result.
4146
//      This allows a longer CBC encryption to be done incrementally.
4147
//
4148
//      cbData must be a multiple of the block size. For efficiency reasons this routine does not return an error
4149
//      if cbData is not a proper multiple; instead the result is undefined. The routine might hang,
4150
//      round cbData down to a multiple of the block size, or return random data that cannot be decrypted.
4151
//
4152
//      The pbSrc and pbDst buffers may be the same, or they may be non-overlapping. However, they may
4153
//      not be partially overlapping.
4154
//
4155
//
4156
// VOID
4157
// SYMCRYPT_CALL
4158
// SymCryptXxxCbcDecrypt(
4159
//      _In_                                        PCSYMCRYPT_XXX_EXPANDED_KEY pExpandedKey,
4160
//      _Inout_updates_( SYMCRYPT_XXX_BLOCK_SIZE )  PBYTE                       pbChainingValue,
4161
//      _In_reads_( cbData )                        PCBYTE                      pbSrc,
4162
//      _Out_writes_( cbData )                      PBYTE                       pbDst,
4163
//                                                  SIZE_T                      cbData );
4164
//
4165
//      Decrypt data using the CBC chaining mode.
4166
//      On entry the pbChainingValue is the IV to be xorred into the first plaintext block of the CBC decryption.
4167
//      On exit the pbChainingValue is updated to the last ciphertext block of the input.
4168
//      This allows a longer CBC decryption to be done incrementally.
4169
//
4170
//      cbData must be a multiple of the block size. For efficiency reasons this routine does not return an error
4171
//      if cbData is not a proper multiple; instead the result is undefined. The routine might hang,
4172
//      round cbData down to a multiple of the block size, or return random data.
4173
//
4174
//      The pbSrc and pbDst buffers may be the same, or they may be non-overlapping. However, they may
4175
//      not be partially overlapping.
4176
//
4177
//
4178
// VOID
4179
// SYMCRYPT_CALL
4180
// SymCryptXxxCbcMac(
4181
//      _In_                                        PCSYMCRYPT_XXX_EXPANDED_KEY pExpandedKey,
4182
//      _Inout_updates_( SYMCRYPT_XXX_BLOCK_SIZE )  PBYTE                       pbChainingValue,
4183
//      _In_reads_( cbData )                        PCBYTE                      pbData,
4184
//                                                  SIZE_T                      cbData );
4185
//
4186
//      Compute a CBC-MAC on the input data.
4187
//      On entry the pbChainingValue is the current chaining state of the CBC-MAC computation; this routine
4188
//      updates the state to reflect the chaining state after MACing the data.
4189
//      cbData must be a multiple of the block size.
4190
//      This function is NOT intended for general use; rather it is a high-performance primitive to support
4191
//      implementations of other cipher modes like CCM and CMAC.
4192
//      Note: If a key is used for CBC-MAC computations it should NOT be used for any encryptions.
4193
//
4194
//
4195
// VOID
4196
// SYMCRYPT_CALL
4197
// SymCryptXxxCtrMsb64(
4198
//      _In_                                        PCSYMCRYPT_XXX_EXPANDED_KEY pExpandedKey,
4199
//      _Inout_updates_( SYMCRYPT_XXX_BLOCK_SIZE )  PBYTE                       pbChainingValue,
4200
//      _In_reads_( cbData )                        PCBYTE                      pbSrc,
4201
//      _Out_writes_( cbData )                      PBYTE                       pbDst,
4202
//                                                  SIZE_T                      cbData );
4203
//
4204
//      Perform a CTR encryption on the data. (Note: CTR encryption and decryption are the same operation.)
4205
//      On entry pbChainingValue contains the first counter value to be used. On exit it contains
4206
//      the next counter value to be used.
4207
//      The increment function treats the last 8 bytes of the pbChainingValue string as an integer
4208
//      in most-significant-byte-first format, and increments this integer.
4209
//      Thus, the last byte is incremented the fastest.
4210
//      The pbSrc and pbDst buffers may be identical or non-overlapping, but they may not partially overlap.
4211
//      cbData must be a multiple of the block size.
4212
//
4213
//
4214
// VOID
4215
// SYMCRYPT_CALL
4216
// SymCryptXxxSelftest(void);
4217
//
4218
//      Perform a minimal self-test on the XXX algorithm.
4219
//      This function is designed to be used for achieving FIPS 140-2 compliance or
4220
//      to provide a simple self-test when an application starts.
4221
//
4222
//      If an error is detected the fatal callback routine is called.
4223
//
4224
//      We do not provide self-tests for the various cipher modes. There are too many
4225
//      (block cipher, key size, cipher mode) combinations and CNG performs the self tests
4226
//      on the outside APIs, not on the internal APIs.
4227
//      We retain a self test on the basic algorithm to help internal library testing.
4228

4229

4230

4231
////////////////////////////////////////////////////////////////////////////
4232
//   AES
4233
//
4234
// The AES block cipher per FIPS 197
4235
//
4236
// WARNING:
4237
// Unless this code is running on a CPU with AES-NI instructions,
4238
// the AES implementation makes extensive use of table lookups to implement the S-boxes of the algorithm.
4239
// This violates our current crypto implementation guidelines and opens up a possible side-channel attack
4240
// through information leakage via the memory caching system of the CPU.
4241
//
4242
// Unfortunately there is no known software fix for this that does not lead to an order of magnitude performance loss.
4243
// An implementation that is 10x slower will not be used by anybody and is useless, so we implement a fast
4244
// version that uses table lookups. (Just like all other systems we know of.)
4245
//
4246
// The risk of this type of side-channel attack is limited as it requires malicious code to run on the same
4247
// machine as the code being attacked.
4248
//
4249
// At the time of writing (Apr 2007) there are no approved alternative encryption algorithms that do not
4250
// use table lookups. NIST and NSA are aware of this problem, but so far we have not seen any indication
4251
// that they consider this important enough to create an alternative encryption algorithm that does not
4252
// rely on table lookups as much.
4253
//
4254

4255
#define SYMCRYPT_AES_BLOCK_SIZE  (16)
4256

4257
SYMCRYPT_ERROR
4258
SYMCRYPT_CALL
4259
SymCryptAesExpandKey(
4260
    _Out_               PSYMCRYPT_AES_EXPANDED_KEY  pExpandedKey,
4261
    _In_reads_(cbKey)   PCBYTE                      pbKey,
4262
                        SIZE_T                      cbKey );
4263

4264
//
4265
// The SymCryptAesExpandKeyEncryptOnly creates an AES-expanded key that can ONLY be used
4266
// for AES encryption operations. There are no safeguards when you use it for decryption; you get the wrong
4267
// result if you try.
4268
//
4269
SYMCRYPT_ERROR
4270
SYMCRYPT_CALL
4271
SymCryptAesExpandKeyEncryptOnly(
4272
    _Out_               PSYMCRYPT_AES_EXPANDED_KEY  pExpandedKey,
4273
    _In_reads_(cbKey)   PCBYTE                      pbKey,
4274
                        SIZE_T                      cbKey );
4275

4276
VOID
4277
SYMCRYPT_CALL
4278
SymCryptAesKeyCopy( _In_ PCSYMCRYPT_AES_EXPANDED_KEY pSrc,
4279
                    _Out_ PSYMCRYPT_AES_EXPANDED_KEY pDst );
4280

4281
VOID
4282
SYMCRYPT_CALL
4283
SymCryptAesEncrypt(
4284
    _In_                                    PCSYMCRYPT_AES_EXPANDED_KEY pExpandedKey,
4285
    _In_reads_( SYMCRYPT_AES_BLOCK_SIZE )   PCBYTE                      pbSrc,
4286
    _Out_writes_( SYMCRYPT_AES_BLOCK_SIZE ) PBYTE                       pbDst );
4287

4288
VOID
4289
SYMCRYPT_CALL
4290
SymCryptAesDecrypt(
4291
    _In_                                    PCSYMCRYPT_AES_EXPANDED_KEY pExpandedKey,
4292
    _In_reads_( SYMCRYPT_AES_BLOCK_SIZE )   PCBYTE                      pbSrc,
4293
    _Out_writes_( SYMCRYPT_AES_BLOCK_SIZE ) PBYTE                       pbDst );
4294

4295
VOID
4296
SYMCRYPT_CALL
4297
SymCryptAesEcbEncrypt(
4298
    _In_                                        PCSYMCRYPT_AES_EXPANDED_KEY pExpandedKey,
4299
    _In_reads_( cbData )                        PCBYTE                      pbSrc,
4300
    _Out_writes_( cbData )                      PBYTE                       pbDst,
4301
                                                SIZE_T                      cbData );
4302

4303
VOID
4304
SYMCRYPT_CALL
4305
SymCryptAesEcbDecrypt(
4306
    _In_                                        PCSYMCRYPT_AES_EXPANDED_KEY pExpandedKey,
4307
    _In_reads_( cbData )                        PCBYTE                      pbSrc,
4308
    _Out_writes_( cbData )                      PBYTE                       pbDst,
4309
                                                SIZE_T                      cbData );
4310

4311
VOID
4312
SYMCRYPT_CALL
4313
SymCryptAesCbcEncrypt(
4314
    _In_                                        PCSYMCRYPT_AES_EXPANDED_KEY pExpandedKey,
4315
    _Inout_updates_( SYMCRYPT_AES_BLOCK_SIZE )  PBYTE                       pbChainingValue,
4316
    _In_reads_( cbData )                        PCBYTE                      pbSrc,
4317
    _Out_writes_( cbData )                      PBYTE                       pbDst,
4318
                                                SIZE_T                      cbData );
4319

4320
VOID
4321
SYMCRYPT_CALL
4322
SymCryptAesCbcDecrypt(
4323
    _In_                                        PCSYMCRYPT_AES_EXPANDED_KEY pExpandedKey,
4324
    _Inout_updates_( SYMCRYPT_AES_BLOCK_SIZE )  PBYTE                       pbChainingValue,
4325
    _In_reads_( cbData )                        PCBYTE                      pbSrc,
4326
    _Out_writes_( cbData )                      PBYTE                       pbDst,
4327
                                                SIZE_T                      cbData );
4328

4329
VOID
4330
SYMCRYPT_CALL
4331
SymCryptAesCbcMac(
4332
    _In_                                        PCSYMCRYPT_AES_EXPANDED_KEY pExpandedKey,
4333
    _Inout_updates_( SYMCRYPT_AES_BLOCK_SIZE )  PBYTE                       pbChainingValue,
4334
    _In_reads_( cbData )                        PCBYTE                      pbData,
4335
                                                SIZE_T                      cbData );
4336

4337
VOID
4338
SYMCRYPT_CALL
4339
SymCryptAesCtrMsb64(
4340
    _In_                                        PCSYMCRYPT_AES_EXPANDED_KEY pExpandedKey,
4341
    _Inout_updates_( SYMCRYPT_AES_BLOCK_SIZE )  PBYTE                       pbChainingValue,
4342
    _In_reads_( cbData )                        PCBYTE                      pbSrc,
4343
    _Out_writes_( cbData )                      PBYTE                       pbDst,
4344
                                                SIZE_T                      cbData );
4345

4346
//
4347
// There are many optimized implementations for various AES modes.
4348
// To test them all would pull in all the code for these modes.
4349
// We solve this by letting the caller specify a bitmask of modes to be tested.
4350
// Under the following circumstances this will avoid pulling in unnecessary code:
4351
// - The argument is a compile-time constant.
4352
// - The compiler implements the usual constant propagation optimizations.
4353
//
4354
// Note: GCM, CCM, and XTS are NOT tested by this function.
4355

4356
#define SYMCRYPT_AES_SELFTEST_BASE      0x01        // tests AesEncrypt & AesDecrypt
4357
#define SYMCRYPT_AES_SELFTEST_ECB       0x02        // ECB mode
4358
#define SYMCRYPT_AES_SELFTEST_CBC       0x04        // CBC mode
4359
#define SYMCRYPT_AES_SELFTEST_CBCMAC    0x08        // CBC-mac
4360
#define SYMCRYPT_AES_SELFTEST_CTR       0x10        // all CTR modes
4361

4362
#define SYMCRYPT_AES_SELFTEST_ALL       0x1f
4363

4364
VOID
4365
SYMCRYPT_CALL
4366
SymCryptAesSelftest( UINT32 maskTestsToRun );
4367

4368
extern const PCSYMCRYPT_BLOCKCIPHER SymCryptAesBlockCipher;
4369

4370

4371
////////////////////////////////////////////////////////////////////////////
4372
//   DES
4373
//
4374
// The DES block cipher per FIPS-46-3
4375
//
4376
// WARNING:
4377
// DES is no longer considered secure and should not be used.
4378
// Per the Crypto SDL, any use of DES in Microsoft code requires a Crypto board exemption
4379
//
4380
// The DES implementation makes extensive use of table lookups to implement the S-boxes of the algorithm.
4381
// This violates our current crypto implementation guidelines and opens up a possible side-channel attack
4382
// through information leakage via the memory caching system of the CPU.
4383
//
4384

4385
#define SYMCRYPT_DES_BLOCK_SIZE  (8)
4386

4387
SYMCRYPT_ERROR
4388
SYMCRYPT_CALL
4389
SymCryptDesExpandKey(
4390
    _Out_               PSYMCRYPT_DES_EXPANDED_KEY  pExpandedKey,
4391
    _In_reads_(cbKey)   PCBYTE                      pbKey,
4392
                        SIZE_T                      cbKey );
4393
//
4394
// The key must be 8 bytes long. The parity bits in the key are ignored and can be any value.
4395
//
4396

4397
VOID
4398
SYMCRYPT_CALL
4399
SymCryptDesEncrypt(
4400
    _In_                                    PCSYMCRYPT_DES_EXPANDED_KEY pExpandedKey,
4401
    _In_reads_( SYMCRYPT_DES_BLOCK_SIZE )   PCBYTE                      pbSrc,
4402
    _Out_writes_( SYMCRYPT_DES_BLOCK_SIZE ) PBYTE                       pbDst );
4403

4404
VOID
4405
SYMCRYPT_CALL
4406
SymCryptDesDecrypt(
4407
    _In_                                    PCSYMCRYPT_DES_EXPANDED_KEY pExpandedKey,
4408
    _In_reads_( SYMCRYPT_DES_BLOCK_SIZE )   PCBYTE                      pbSrc,
4409
    _Out_writes_( SYMCRYPT_DES_BLOCK_SIZE ) PBYTE                       pbDst );
4410

4411

4412
VOID
4413
SYMCRYPT_CALL
4414
SymCryptDesSetOddParity(
4415
    _Inout_updates_( cbData ) PBYTE   pbData,
4416
    _In_                            SIZE_T  cbData );
4417
//
4418
// Set each byte to have odd parity by possibly flipping bit 0.
4419
// This is the parity used by DES, and is needed for compatibility.
4420
// The parity bit is ignored by the DES key expansion.
4421
//
4422

4423
VOID
4424
SYMCRYPT_CALL
4425
SymCryptDesSelftest(void);
4426

4427
extern const PCSYMCRYPT_BLOCKCIPHER SymCryptDesBlockCipher;
4428

4429
////////////////////////////////////////////////////////////////////////////
4430
//   3DES
4431
//
4432
// The triple-DES block cipher
4433
//
4434
// WARNING:
4435
// The DES implementation makes extensive use of table lookups to implement the S-boxes of the algorithm.
4436
// This violates our current crypto implementation guidelines and opens up a possible side-channel attack
4437
// through information leakage via the memory caching system of the CPU.
4438
//
4439

4440
#define SYMCRYPT_3DES_BLOCK_SIZE  (8)
4441

4442
SYMCRYPT_ERROR
4443
SYMCRYPT_CALL
4444
SymCrypt3DesExpandKey(
4445
    _Out_               PSYMCRYPT_3DES_EXPANDED_KEY pExpandedKey,
4446
    _In_reads_(cbKey)   PCBYTE                      pbKey,
4447
                        SIZE_T                      cbKey );
4448
//
4449
// If the provided key is 24 bytes long this expands a 3-key 3DES key. If 16 bytes are provided it
4450
// expands a 2-key 3DES. If 8 bytes are provided it creates the 3-key equivalent of the single
4451
// key des encryption. The parity bits in the key are ignored.
4452
//
4453

4454
VOID
4455
SYMCRYPT_CALL
4456
SymCrypt3DesEncrypt(
4457
    _In_                                    PCSYMCRYPT_3DES_EXPANDED_KEY    pExpandedKey,
4458
    _In_reads_( SYMCRYPT_3DES_BLOCK_SIZE )  PCBYTE                          pbSrc,
4459
    _Out_writes_( SYMCRYPT_3DES_BLOCK_SIZE )PBYTE                           pbDst );
4460

4461
VOID
4462
SYMCRYPT_CALL
4463
SymCrypt3DesDecrypt(
4464
    _In_                                    PCSYMCRYPT_3DES_EXPANDED_KEY    pExpandedKey,
4465
    _In_reads_( SYMCRYPT_3DES_BLOCK_SIZE )  PCBYTE                          pbSrc,
4466
    _Out_writes_( SYMCRYPT_3DES_BLOCK_SIZE )PBYTE                           pbDst );
4467

4468
VOID
4469
SYMCRYPT_CALL
4470
SymCrypt3DesCbcEncrypt(
4471
    _In_                                        PCSYMCRYPT_3DES_EXPANDED_KEY    pExpandedKey,
4472
    _Inout_updates_( SYMCRYPT_3DES_BLOCK_SIZE ) PBYTE                           pbChainingValue,
4473
    _In_reads_( cbData )                        PCBYTE                          pbSrc,
4474
    _Out_writes_( cbData )                      PBYTE                           pbDst,
4475
                                                SIZE_T                          cbData );
4476

4477
VOID
4478
SYMCRYPT_CALL
4479
SymCrypt3DesCbcDecrypt(
4480
    _In_                                        PCSYMCRYPT_3DES_EXPANDED_KEY    pExpandedKey,
4481
    _Inout_updates_( SYMCRYPT_3DES_BLOCK_SIZE ) PBYTE                           pbChainingValue,
4482
    _In_reads_( cbData )                        PCBYTE                          pbSrc,
4483
    _Out_writes_( cbData )                      PBYTE                           pbDst,
4484
                                                SIZE_T                          cbData );
4485

4486
VOID
4487
SYMCRYPT_CALL
4488
SymCrypt3DesSelftest(void);
4489

4490
extern const PCSYMCRYPT_BLOCKCIPHER SymCrypt3DesBlockCipher;
4491

4492
////////////////////////////////////////////////////////////////////////////
4493
//   DESX
4494
//
4495
// The DESX block cipher.
4496
//
4497
// Use of DESX is not recommended.
4498
//
4499

4500
#define SYMCRYPT_DESX_BLOCK_SIZE  (8)
4501

4502
SYMCRYPT_ERROR
4503
SYMCRYPT_CALL
4504
SymCryptDesxExpandKey(
4505
    _Out_               PSYMCRYPT_DESX_EXPANDED_KEY pExpandedKey,
4506
    _In_reads_(cbKey)   PCBYTE                      pbKey,
4507
                        SIZE_T                      cbKey );
4508

4509
VOID
4510
SYMCRYPT_CALL
4511
SymCryptDesxEncrypt(
4512
    _In_                                    PCSYMCRYPT_DESX_EXPANDED_KEY    pExpandedKey,
4513
    _In_reads_( SYMCRYPT_DESX_BLOCK_SIZE )  PCBYTE                          pbSrc,
4514
    _Out_writes_( SYMCRYPT_DESX_BLOCK_SIZE )PBYTE                           pbDst );
4515

4516
VOID
4517
SYMCRYPT_CALL
4518
SymCryptDesxDecrypt(
4519
    _In_                                    PCSYMCRYPT_DESX_EXPANDED_KEY    pExpandedKey,
4520
    _In_reads_( SYMCRYPT_DESX_BLOCK_SIZE )  PCBYTE                          pbSrc,
4521
    _Out_writes_( SYMCRYPT_DESX_BLOCK_SIZE )PBYTE                           pbDst );
4522

4523

4524
VOID
4525
SYMCRYPT_CALL
4526
SymCryptDesxSelftest(void);
4527

4528
extern const PCSYMCRYPT_BLOCKCIPHER SymCryptDesxBlockCipher;
4529

4530
////////////////////////////////////////////////////////////////////////////
4531
//   RC2
4532
//
4533
// The RC2 block cipher
4534
//
4535
// WARNING:
4536
// Use of RC2 is not recommended for many reasons.
4537
//
4538
// The RC2 implementation makes extensive use of table lookups to implement the S-boxes of the algorithm.
4539
// This violates our current crypto implementation guidelines and opens up a possible side-channel attack
4540
// through information leakage via the memory caching system of the CPU.
4541
//
4542

4543
#define SYMCRYPT_RC2_BLOCK_SIZE  (8)
4544

4545
SYMCRYPT_ERROR
4546
SYMCRYPT_CALL
4547
SymCryptRc2ExpandKey(
4548
    _Out_               PSYMCRYPT_RC2_EXPANDED_KEY  pExpandedKey,
4549
    _In_reads_(cbKey)   PCBYTE                      pbKey,
4550
                        SIZE_T                      cbKey );
4551
//
4552
// The default effective key size is 8*cbKey. Note that this is NOT the default used in
4553
// the old RSA32 library which used a default effective key size of 40 bits.
4554
// That is too dangerous a default to implement. We chose 8*cbKey rather than 1024 as
4555
// our choice provides slightly better mixing of the key bytes into the expanded key.
4556
//
4557

4558
SYMCRYPT_ERROR
4559
SYMCRYPT_CALL
4560
SymCryptRc2ExpandKeyEx(
4561
    _Out_               PSYMCRYPT_RC2_EXPANDED_KEY  pExpandedKey,
4562
    _In_reads_(cbKey)   PCBYTE                      pbKey,
4563
                        SIZE_T                      cbKey,
4564
                        UINT32                      effectiveKeySizeInBits );
4565
//
4566
// Rc2 has an option to limit the effective key size, which means the key expansion function has an extra
4567
// parameter.
4568
//
4569
// The effective key size in bits may be any value from 9..1024. If it is larger than 8*cbKey it does
4570
// not significantly affect the key strength. However, the expanded key will always depend on the
4571
// effective key size; expanding the same string of key bytes with differ effective key sizes leads
4572
// to different expanded keys and different encryption functions.
4573
//
4574
// The original default was an effective key size of 40 bits.
4575
//
4576
// Do not allow your attacker to choose the effective key size. RC2 seems vulnerable to
4577
// related-effective-key-size attacks.
4578
//
4579

4580
VOID
4581
SYMCRYPT_CALL
4582
SymCryptRc2Encrypt(
4583
    _In_                                    PCSYMCRYPT_RC2_EXPANDED_KEY pExpandedKey,
4584
    _In_reads_( SYMCRYPT_RC2_BLOCK_SIZE )   PCBYTE                      pbSrc,
4585
    _Out_writes_( SYMCRYPT_RC2_BLOCK_SIZE ) PBYTE                       pbDst );
4586

4587
VOID
4588
SYMCRYPT_CALL
4589
SymCryptRc2Decrypt(
4590
    _In_                                    PCSYMCRYPT_RC2_EXPANDED_KEY pExpandedKey,
4591
    _In_reads_( SYMCRYPT_RC2_BLOCK_SIZE )   PCBYTE                      pbSrc,
4592
    _Out_writes_( SYMCRYPT_RC2_BLOCK_SIZE ) PBYTE                       pbDst );
4593

4594

4595
VOID
4596
SYMCRYPT_CALL
4597
SymCryptRc2Selftest(void);
4598

4599
extern const PCSYMCRYPT_BLOCKCIPHER SymCryptRc2BlockCipher;
4600

4601

4602
//==========================================================================
4603
//   BLOCK CIPHER MODES
4604
//==========================================================================
4605
//
4606
// Block cipher modes use the block cipher description tables to implement
4607
// the various modes in a block-cipher independent way.
4608
//
4609
// Some block ciphers implement optimized versions of the block cipher modes.
4610
// These functions call that optimized version, but calling the block-cipher specific
4611
// function has less overhead.
4612
//
4613
// Note that these functions will only work with SymCrypt-provided block ciphers.
4614
// They are not designed to be used with externally provided block ciphers.
4615
// (The SYMCRYPT_BLOCKCIPHER structure is a private one not available to callers.)
4616
//
4617

4618
typedef enum _SYMCRYPT_BLOCKCIPHER_ID
4619
{
4620
    SYMCRYPT_BLOCKCIPHER_ID_NULL        = 0,
4621
    SYMCRYPT_BLOCKCIPHER_ID_AES         = 1,
4622
    SYMCRYPT_BLOCKCIPHER_ID_DES         = 2,
4623
    SYMCRYPT_BLOCKCIPHER_ID_3DES        = 3,
4624
    SYMCRYPT_BLOCKCIPHER_ID_DESX        = 4,
4625
    SYMCRYPT_BLOCKCIPHER_ID_RC2         = 5
4626
} SYMCRYPT_BLOCKCIPHER_ID;
4627

4628
PCSYMCRYPT_BLOCKCIPHER
4629
SYMCRYPT_CALL
4630
SymCryptGetBlockCipher( SYMCRYPT_BLOCKCIPHER_ID blockCipherId );
4631
//
4632
// Returns a pointer to the block cipher structure for the specified block cipher ID.
4633
// Returns NULL if the block cipher ID is invalid.
4634
//
4635

4636
VOID
4637
SYMCRYPT_CALL
4638
SymCryptEcbEncrypt(
4639
    _In_                        PCSYMCRYPT_BLOCKCIPHER  pBlockCipher,
4640
    _In_                        PCVOID                  pExpandedKey,
4641
    _In_reads_( cbData )        PCBYTE                  pbSrc,
4642
    _Out_writes_( cbData )      PBYTE                   pbDst,
4643
                                SIZE_T                  cbData );
4644
//
4645
// Generic ECB encryption routine for block ciphers.
4646
//
4647
// - pBlockCipher is a pointer to the block cipher description table.
4648
//      Suitable description tables for all ciphers in this library have been pre-defined.
4649
// - pExpandedKey points to the expanded key to use. This generic function uses PVOID so there
4650
//      is no type safety to ensure that the expanded key and the encryption function match.
4651
// - pbSrc is the plaintext input buffer. The plaintext and ciphertext buffers may be
4652
//      identical (in-place encryption) or non-overlapping, but they may not partially overlap.
4653
// - cbData. Number of bytes to encrypt. This must be a multiple of the block size.
4654
// - pbDst is the result buffer. It may be identical to pbPlaintext or non-overlapping,
4655
//      but it may not partially overlap with the pbPlaintext buffer.
4656
//
4657

4658
VOID
4659
SYMCRYPT_CALL
4660
SymCryptEcbDecrypt(
4661
    _In_                        PCSYMCRYPT_BLOCKCIPHER  pBlockCipher,
4662
    _In_                        PCVOID                  pExpandedKey,
4663
    _In_reads_( cbData )        PCBYTE                  pbSrc,
4664
    _Out_writes_( cbData )      PBYTE                   pbDst,
4665
                                SIZE_T                  cbData );
4666
//
4667
// Generic ECB decryption routine for block ciphers.
4668
//
4669
// - pBlockCipher is a pointer to the block cipher description table.
4670
//      Suitable description tables for all ciphers in this library have been pre-defined.
4671
// - pExpandedKey points to the expanded key to use. This generic function uses PVOID so there
4672
//      is no type safety to ensure that the expanded key and the encryption function match.
4673
// - pbSrc is the plaintext input buffer. The plaintext and ciphertext buffers may be
4674
//      identical (in-place encryption) or non-overlapping, but they may not partially overlap.
4675
// - cbData. Number of bytes to encrypt. This must be a multiple of the block size.
4676
// - pbDst is the result buffer. It may be identical to pbPlaintext or non-overlapping,
4677
//      but it may not partially overlap with the pbPlaintext buffer.
4678
//
4679

4680

4681
VOID
4682
SYMCRYPT_CALL
4683
SymCryptCbcEncrypt(
4684
    _In_                        PCSYMCRYPT_BLOCKCIPHER  pBlockCipher,
4685
    _In_                        PCVOID                  pExpandedKey,
4686
    _Inout_updates_( pBlockCipher->blockSize )
4687
                                PBYTE                   pbChainingValue,
4688
    _In_reads_( cbData )        PCBYTE                  pbSrc,
4689
    _Out_writes_( cbData )      PBYTE                   pbDst,
4690
                                SIZE_T                  cbData );
4691

4692
//
4693
// Generic CBC encryption routine for block ciphers.
4694
//
4695
// - pBlockCipher is a pointer to the block cipher description table.
4696
//      Suitable description tables for all ciphers in this library have been pre-defined.
4697
// - pExpandedKey points to the expanded key to use. This generic function uses PVOID so there
4698
//      is no type safety to ensure that the expanded key and the encryption function match.
4699
// - pbChainingValue points to the chaining value. On entry it is the IV value for the CBC
4700
//      encryption, on return it is the last ciphertext block. A long message can be encrypted
4701
//      piecewise in multiple calls; at the end of one call the pbChainingValue buffer will contain
4702
//      the correct chaining value for encrypting the next piece of the message.
4703
//      Once the encryption is finished the value in the chaining buffer is no longer needed.
4704
// - pbSrc is the plaintext input buffer. The plaintext and ciphertext buffers may be
4705
//      identical (in-place encryption) or non-overlapping, but they may not partially overlap.
4706
// - cbData. Number of bytes to encrypt. This must be a multiple of the block size.
4707
// - pbDst is the result buffer. It may be identical to pbPlaintext or non-overlapping,
4708
//      but it may not partially overlap with the pbPlaintext buffer.
4709
//
4710

4711

4712
VOID
4713
SYMCRYPT_CALL
4714
SymCryptCbcDecrypt(
4715
    _In_                        PCSYMCRYPT_BLOCKCIPHER  pBlockCipher,
4716
    _In_                        PCVOID                  pExpandedKey,
4717
    _Inout_updates_( pBlockCipher->blockSize )
4718
                                PBYTE                   pbChainingValue,
4719
    _In_reads_( cbData )        PCBYTE                  pbSrc,
4720
    _Out_writes_( cbData )      PBYTE                   pbDst,
4721
                                SIZE_T                  cbData );
4722

4723
//
4724
// This is the decryption version of SymCryptCbcEncrypt.
4725
// All parameters have the same explanation and restrictions.:
4726
//
4727

4728

4729
VOID
4730
SYMCRYPT_CALL
4731
SymCryptCbcMac(
4732
    _In_                        PCSYMCRYPT_BLOCKCIPHER  pBlockCipher,
4733
    _In_                        PCVOID                  pExpandedKey,
4734
    _Inout_updates_( pBlockCipher->blockSize )
4735
                                PBYTE                   pbChainingValue,
4736
    _In_reads_( cbData )        PCBYTE                  pbSrc,
4737
                                SIZE_T                  cbData );
4738
//
4739
// This function implements the same function as SymCryptCbcEncrypt except that
4740
// it does not produce a ciphertext output.
4741
// All other restrictions apply.
4742
// The pbChainingValue is the only output provided.
4743
//
4744
// This is the primitive operation used by other modes of operation,
4745
// and some platforms have special optimizations for this primitive.
4746
// As we expose special APIs for some algorithms, we provide the generic function so that it
4747
// can be used for all algorithms.
4748
//
4749

4750

4751
VOID
4752
SYMCRYPT_CALL
4753
SymCryptCtrMsb64(
4754
    _In_                        PCSYMCRYPT_BLOCKCIPHER  pBlockCipher,
4755
    _In_                        PCVOID                  pExpandedKey,
4756
    _Inout_updates_( pBlockCipher->blockSize )
4757
                                PBYTE                   pbChainingValue,
4758
    _In_reads_( cbData )        PCBYTE                  pbSrc,
4759
    _Out_writes_( cbData )      PBYTE                   pbDst,
4760
                                SIZE_T                  cbData );
4761
//
4762
// This function implements the CTR cipher mode.
4763
// It is not intended to be used as-is, rather it is a building block for modes like CCM.
4764
// On some platforms we have optimized code for AES-CTR, on other platforms
4765
// we use this generic construction to achieve the same effect.
4766
//
4767
// Note that in CTR mode encryption and decryption are the same operation.
4768
//
4769
// - pBlockCipher is a pointer to the block cipher description table.
4770
//      Suitable description tables for all ciphers in this library have been pre-defined.
4771
// - pExpandedKey points to the expanded key to use. This generic function uses PVOID so there
4772
//      is no type safety to ensure that the expanded key and the encryption function match.
4773
// - pbChainingValue points to the chaining value. On entry it is the first counter value to be
4774
//      used. On exit is the next counter value to be used.
4775
//      The pbChainingValue is incremented by cbData/blockSize.
4776
//      The increment function treats the last 8 bytes of pbChaining a MSBfirst integer
4777
//      and increments the integer representation by one for each block.
4778
// - pbSrc is the input data buffer that will be encrypted/decrypted.
4779
// - cbData. Number of bytes to encrypt/decrypt. This must be a multiple of the block size.
4780
// - pbDst is the output buffer that receives the encrypted/decrypted data. The input and output
4781
//      buffers may be the same or non-overlapping, but may not partially overlap.
4782
//
4783

4784
VOID
4785
SYMCRYPT_CALL
4786
SymCryptCfbEncrypt(
4787
    _In_                        PCSYMCRYPT_BLOCKCIPHER  pBlockCipher,
4788
                                SIZE_T                  cbShift,
4789
    _In_                        PCVOID                  pExpandedKey,
4790
    _Inout_updates_( pBlockCipher->blockSize )
4791
                                PBYTE                   pbChainingValue,
4792
    _In_reads_( cbData )        PCBYTE                  pbSrc,
4793
    _Out_writes_( cbData )      PBYTE                   pbDst,
4794
                                SIZE_T                  cbData );
4795
//
4796
// Encrypt a buffer using the CFB cipher mode.
4797
//
4798
// This implements the CFB mode, with selected shift amount (in bytes).
4799
// In general, one block cipher encryption is used for each cbShift bytes
4800
// of plaintext, which can be slow.
4801
// Use of this cipher mode is not recommended.
4802
//
4803
// - pBlockCipher is a pointer to the block cipher description table.
4804
//      Suitable description tables for all ciphers in this library have been pre-defined.
4805
// - cbShift is the shift value (in bytes) of the CFB mode.
4806
//      The only supported values are 1 and the block size.
4807
// - pExpandedKey points to the expanded key to use. This generic function uses PVOID so there
4808
//      is no type safety to ensure that the expanded key and the encryption function match.
4809
// - pbChainingValue points to the chaining value. On entry and exit it
4810
//      contains the last blockSize ciphertext bytes.
4811
// - pbSrc is the input data buffer that will be encrypted/decrypted.
4812
// - cbData. Number of bytes to encrypt/decrypt.
4813
//      Must be a multiple of cbShift, or a multiple of the block size if cbShift = 0.
4814
// - pbDst is the output buffer that receives the encrypted/decrypted data. The input and output
4815
//      buffers may be the same or non-overlapping, but may not partially overlap.
4816
//
4817

4818
VOID
4819
SYMCRYPT_CALL
4820
SymCryptCfbDecrypt(
4821
    _In_                        PCSYMCRYPT_BLOCKCIPHER  pBlockCipher,
4822
                                SIZE_T                  cbShift,
4823
    _In_                        PCVOID                  pExpandedKey,
4824
    _Inout_updates_( pBlockCipher->blockSize )
4825
                                PBYTE                   pbChainingValue,
4826
    _In_reads_( cbData )        PCBYTE                  pbSrc,
4827
    _Out_writes_( cbData )      PBYTE                   pbDst,
4828
                                SIZE_T                  cbData );
4829
//
4830
// The corresponding decryption routine.
4831
//
4832

4833
VOID
4834
SYMCRYPT_CALL
4835
SymCryptPaddingPkcs7Add(
4836
                                            SIZE_T  cbBlockSize,
4837
    _In_reads_(cbSrc)                       PCBYTE  pbSrc,
4838
                                            SIZE_T  cbSrc,
4839
    _Out_writes_to_(cbDst, *pcbResult)      PBYTE   pbDst,
4840
                                            SIZE_T  cbDst,
4841
                                            SIZE_T* pcbResult);
4842
//
4843
// Prerequisites:
4844
//  cbBlockSize is a power of 2 and < 256
4845
//  cbDst >= cbSrc - cbSrc % cbBlockSize + cbBlockSize
4846
//
4847
// Add PKCS7 block padding to a message
4848
// The input data (pbSrc,cbSrc) is padded with between 1 and cbBlockSize bytes so that
4849
// the length of the result is a multiple of cbBlockSize.
4850
// The padded message is written to the pbDst buffer.
4851
// The length of the padded message is returned in *pcbResult.
4852
//
4853
// If pbSrc == pbDst this function avoids copying all the data.
4854
// Note that cbSrc == cbDst is not valid as it violates the prerequisites.
4855
// Padding a message with cbSrc == 0 is valid.
4856
//
4857
// Note:
4858
// Any whole blocks in Src are merely copied to Dst.
4859
// Callers can either process the whole message in this call,
4860
// or handle the whole blocks themselves and only pass the last few bytes of the message to this function.
4861
//
4862
// Note: the prerequisites are not checked by this function; if they are not satisfied
4863
// the behaviour of the function is undefined.
4864
//
4865

4866

4867
SYMCRYPT_ERROR
4868
SYMCRYPT_CALL
4869
SymCryptPaddingPkcs7Remove(
4870
                                            SIZE_T  cbBlockSize,
4871
    _In_reads_(cbSrc)                       PCBYTE  pbSrc,
4872
                                            SIZE_T  cbSrc,
4873
    _Out_writes_to_(cbDst, *pcbResult)      PBYTE   pbDst,
4874
                                            SIZE_T  cbDst,
4875
                                            SIZE_T* pcbResult);
4876
//
4877
// Prerequisites:
4878
//  - cbBlockSize is a power of 2 and < 256
4879
//  - cbSrc is a multiple of cbBlockSize
4880
//  - cbSrc is greater than zero (at least equals to cbBlockSize)
4881
//
4882
// Remove PKCS7 block padding from a message in a side-channel safe way.
4883
//  *** see below for important rules the caller should follow w.r.t. side-channel safety ***
4884
// The input data (pbSrc, cbSrc) is a valid PKCS7 padded message for the given blocksize.
4885
// This function removes the padding, copies the result to the (pbDst, cbDst) buffer,
4886
// and returns the size of the result in *pcbResult.
4887
//
4888
// This function only supports padding with a size up to the block size.
4889
//
4890
// If pbSrc == pbDst this function avoids copying data.
4891
//
4892
// The following errors are returned:
4893
//  - SYMCRYPT_INVALID_ARGUMENT if cbSrc or the padding is invalid
4894
//  - SYMCRYPT_BUFFER_TOO_SMALL if cbDst < size of the unpadded message
4895
// If cbDst >= cbSrc the SYMCRYPT_BUFFER_TOO_SMALL error will not be returned.
4896
// Even if an error is returned, the pbDst buffer may or may not contain data from the message.
4897
// Callers should wipe the buffer even if an error is returned.
4898
//
4899
// Note: Removal of PKCS7 padding is extremely sensitive to side channels.
4900
// For example, if a message is encrypted with AES-CBC and the attacker can modify
4901
// the ciphertext and then determine whether a padding error occurs during decryption,
4902
// then the attacker can use the presence or absence of the error to decrypt the message itself.
4903
// This function takes great care not to reveal whether an error occurred, and hides
4904
// the size of the unpadded message. This is even true when writing to pbDst. If cbDst is large
4905
// enough, the code will write cbSrc-1 bytes to pbDst, using masking to only update the bytes of the
4906
// message and leaving the other bytes in pbDst unchanged.
4907
// Callers should take great care not to reveal the returned error or success,
4908
// or the size of the returned message, until they have authenticated
4909
// the source of the data.
4910
//
4911
// In particular, any mapping of the error code should be done in a side-channel safe way.
4912
// See the SymCryptMapUint32() function for a side-channel safe way to map error codes.
4913
//
4914
// The error caused by an invalid cbSrc value is not hidden from side channels as this does not reveal any
4915
// secret information.
4916
//
4917
// Note: callers can either process the whole message in this call,
4918
// or process the whole blocks themselves and only pass the last block to this function.
4919

4920
////////////////////////////
4921
// CCM
4922
////////////////////////////
4923

4924
SYMCRYPT_ERROR
4925
SYMCRYPT_CALL
4926
SymCryptCcmValidateParameters(
4927
    _In_    PCSYMCRYPT_BLOCKCIPHER  pBlockCipher,
4928
    _In_    SIZE_T                  cbNonce,
4929
    _In_    SIZE_T                  cbAssociatedData,
4930
    _In_    UINT64                  cbData,
4931
    _In_    SIZE_T                  cbTag
4932
   );
4933
//
4934
// To achieve maximum performance, CCM functions do not check for valid parameters.
4935
// Passing invalid parameters can lead to buffer overflows.
4936
// Callers who want to validate their CCM parameters can call this function.
4937
// Note: In Checked builds some CCM functions might fatal out when invalid parameters are
4938
// passed.
4939
//
4940

4941

4942
VOID
4943
SYMCRYPT_CALL
4944
SymCryptCcmEncrypt(
4945
     _In_                           PCSYMCRYPT_BLOCKCIPHER     pBlockCipher,
4946
     _In_                           PCVOID                     pExpandedKey,
4947
     _In_reads_( cbNonce )          PCBYTE                     pbNonce,
4948
                                    SIZE_T                     cbNonce,
4949
     _In_reads_opt_( cbAuthData )   PCBYTE                     pbAuthData,
4950
                                    SIZE_T                     cbAuthData,
4951
     _In_reads_( cbData )           PCBYTE                     pbSrc,
4952
     _Out_writes_( cbData )         PBYTE                      pbDst,
4953
                                    SIZE_T                     cbData,
4954
     _Out_writes_( cbTag )          PBYTE                      pbTag,
4955
                                    SIZE_T                     cbTag );
4956

4957
//
4958
//  Encrypt a buffer using the block cipher in CCM mode.
4959
//      - pBlockCipher points to the block cipher description table.
4960
//      - pExpandedKey points to the expanded key for the block cipher.
4961
//      - pbNonce: Pointer to the nonce for this encryption. For a single key, each nonce
4962
//          value may be used at most once to encrypt data. Re-using nonce values leads
4963
//          to catastrophic loss of security.
4964
//      - cbNonce: number of bytes in the nonce: 7 <= cbNonce <= 13.
4965
//      - pbAuthData: pointer to the associated authentication data. This data is not encrypted
4966
//          but it is included in the authentication. Use NULL if not used.
4967
//      - cbAuthData: # bytes of associated authentication data. (0 if not used)
4968
//      - pbSrc: plaintext input
4969
//      - pbDst: ciphertext output. The ciphertext buffer may be identical to the plaintext
4970
//          buffer, or non-overlapping. The ciphertext is also cbData bytes long.
4971
//      - cbData: # bytes of plaintext input. The maximum length is 2^{8(15-cbNonce)} - 1 bytes.
4972
//      - pbTag: buffer that will receive the authentication tag.
4973
//      - cbTag: size of tag. cbTag must be one of {4, 6, 8, 10, 12, 14, 16}.
4974
//
4975

4976

4977
SYMCRYPT_ERROR
4978
SYMCRYPT_CALL
4979
SymCryptCcmDecrypt(
4980
     _In_                           PCSYMCRYPT_BLOCKCIPHER  pBlockCipher,
4981
     _In_                           PCVOID                  pExpandedKey,
4982
     _In_reads_( cbNonce )          PCBYTE                  pbNonce,
4983
                                    SIZE_T                  cbNonce,
4984
     _In_reads_opt_( cbAuthData )   PCBYTE                  pbAuthData,
4985
                                    SIZE_T                  cbAuthData,
4986
     _In_reads_( cbData )           PCBYTE                  pbSrc,
4987
     _Out_writes_( cbData )         PBYTE                   pbDst,
4988
                                    SIZE_T                  cbData,
4989
     _In_reads_( cbTag )            PCBYTE                  pbTag,
4990
                                    SIZE_T                  cbTag );
4991
//
4992
// Decrypt a buffer using the block cipher in CCM mode.
4993
// See SymCryptCcmEncrypt for a description of the parameters. This function decrypts rather than
4994
// encrypts, and as a result the pbTag parameter is read rather than filled.
4995
//
4996
// If the tag value is not correct the SYMCRYPT_AUTHENTICATION_FAILURE error is returned and the pbDst buffer
4997
// is wiped of any plaintext.
4998
// Note: While checking the authentication the purported plaintext is stored in pbDst. It is not safe to reveal
4999
// purported plaintext when the authentication has not been checked. (Doing so would reveal key stream information
5000
// that can be used to decrypt any message encrypted with the same nonce value.) Thus, users should be careful
5001
// to not reveal the pbDst buffer until this function returns (e.g. through other threads or sharing memory).
5002
//
5003

5004
//
5005
// We also provide functions for incremental computation of CCM encryption and decryption. See the functions
5006
// above for a description of the parameters and restrictions.
5007
// In particular, note that the restriction on revealing the plaintext for unauthenticated decryptions holds
5008
// for all the decrypted data, even when the decryption is done incrementally.
5009
//
5010
// SYMCRYPT_CCM_STATE
5011
//      Ongoing state of an incremental CCM encryption or decryption operation.
5012
//
5013

5014
VOID
5015
SYMCRYPT_CALL
5016
SymCryptCcmInit(
5017
    _Out_                           PSYMCRYPT_CCM_STATE     pState,
5018
    _In_                            PCSYMCRYPT_BLOCKCIPHER  pBlockCipher,
5019
    _In_                            PCVOID                  pExpandedKey,
5020
    _In_reads_( cbNonce )           PCBYTE                  pbNonce,
5021
                                    SIZE_T                  cbNonce,
5022
    _In_reads_opt_( cbAuthData )    PCBYTE                  pbAuthData,
5023
                                    SIZE_T                  cbAuthData,
5024
                                    UINT64                  cbData,
5025
                                    SIZE_T                  cbTag );
5026
//
5027
// Initialize a CCM computation. Note that the ultimate data length has to be provided.
5028
// The pBlockCipher and pExpandedKey structures must remain unchanged until the CCM computation is finished.
5029
//
5030

5031
VOID
5032
SYMCRYPT_CALL
5033
SymCryptCcmEncryptPart(
5034
    _Inout_                 PSYMCRYPT_CCM_STATE pState,
5035
    _In_reads_( cbData )    PCBYTE              pbSrc,
5036
    _Out_writes_( cbData )  PBYTE               pbDst,
5037
                            SIZE_T              cbData );
5038

5039
VOID
5040
SYMCRYPT_CALL
5041
SymCryptCcmEncryptFinal(
5042
    _Inout_                 PSYMCRYPT_CCM_STATE pState,
5043
    _Out_writes_( cbTag )   PBYTE               pbTag,
5044
                            SIZE_T              cbTag );
5045
//
5046
// Note: passing cbTag is redundant but necessary for SAL purposes.
5047
//
5048

5049
VOID
5050
SYMCRYPT_CALL
5051
SymCryptCcmDecryptPart(
5052
    _Inout_                 PSYMCRYPT_CCM_STATE pState,
5053
    _In_reads_( cbData )    PCBYTE              pbSrc,
5054
    _Out_writes_( cbData )  PBYTE               pbDst,
5055
                            SIZE_T              cbData );
5056

5057
SYMCRYPT_ERROR
5058
SYMCRYPT_CALL
5059
SymCryptCcmDecryptFinal(
5060
    _Inout_                 PSYMCRYPT_CCM_STATE pState,
5061
    _In_reads_( cbTag )     PCBYTE              pbTag,
5062
                            SIZE_T              cbTag );
5063
//
5064
// WARNING: When the authentication fails the data already decrypted may not be revealed.
5065
// This function cannot wipe the plaintext buffers; the caller is responsible for ensuring
5066
// the plaintext is not revealed.
5067
//
5068

5069
VOID
5070
SYMCRYPT_CALL
5071
SymCryptCcmSelftest(void);
5072
//
5073
// Self test for CCM cipher mode
5074
//
5075

5076
///////////////////////////////////////
5077
// GCM
5078
///////////////////////////////////////
5079
//
5080
// The GCM algorithm per SP 800-38D.
5081
// GMAC is just GCM with an empty data string; all the data is put in the pbAuthData buffer.
5082
//
5083

5084
SYMCRYPT_ERROR
5085
SYMCRYPT_CALL
5086
SymCryptGcmValidateParameters(
5087
    _In_    PCSYMCRYPT_BLOCKCIPHER  pBlockCipher,
5088
    _In_    SIZE_T                  cbNonce,
5089
    _In_    UINT64                  cbAssociatedData,
5090
    _In_    UINT64                  cbData,
5091
    _In_    SIZE_T                  cbTag
5092
   );
5093
//
5094
// To achieve maximum performance, GCM functions do not check for valid parameters.
5095
// Passing invalid parameters can lead to buffer overflows.
5096
// Callers who want to validate their GCM parameters can call this function.
5097
// Note: In Checked builds some GCM functions might fatal out when invalid parameters are
5098
// passed.
5099
//
5100

5101

5102
SYMCRYPT_ERROR
5103
SYMCRYPT_CALL
5104
SymCryptGcmExpandKey(
5105
    _Out_                   PSYMCRYPT_GCM_EXPANDED_KEY  pExpandedKey,
5106
    _In_                    PCSYMCRYPT_BLOCKCIPHER      pBlockCipher,
5107
    _In_reads_( cbKey )     PCBYTE                      pbKey,
5108
                            SIZE_T                      cbKey );
5109
//
5110
// Create an expanded key suitable for GCM
5111
//
5112

5113
VOID
5114
SYMCRYPT_CALL
5115
SymCryptGcmKeyCopy( _In_ PCSYMCRYPT_GCM_EXPANDED_KEY pSrc, _Out_ PSYMCRYPT_GCM_EXPANDED_KEY pDst );
5116

5117
//
5118
// Create a copy of an expanded key
5119
//
5120

5121
VOID
5122
SYMCRYPT_CALL
5123
SymCryptGcmEncrypt(
5124
     _In_                           PCSYMCRYPT_GCM_EXPANDED_KEY pExpandedKey,
5125
     _In_reads_( cbNonce )          PCBYTE                      pbNonce,
5126
                                    SIZE_T                      cbNonce,
5127
     _In_reads_opt_( cbAuthData )   PCBYTE                      pbAuthData,
5128
                                    SIZE_T                      cbAuthData,
5129
     _In_reads_( cbData )           PCBYTE                      pbSrc,
5130
     _Out_writes_( cbData )         PBYTE                       pbDst,
5131
                                    SIZE_T                      cbData,
5132
     _Out_writes_( cbTag )          PBYTE                       pbTag,
5133
                                    SIZE_T                      cbTag );
5134

5135
//
5136
//  Encrypt a buffer using the block cipher in GCM mode.
5137
//      - pExpandedKey points to the expanded key for GCM.
5138
//      - pbNonce: Pointer to the nonce for this encryption. For a single key, each nonce
5139
//          value may be used at most once to encrypt data. Re-using nonce values leads
5140
//          to catastrophic loss of security. Only 12-byte nonces are supported,
5141
//          per the SP800-38D section 5.2.1.1 recommendation.
5142
//      - cbNonce: number of bytes in the nonce, must be 12.
5143
//      - pbAuthData: pointer to the associated authentication data. This data is not encrypted
5144
//          but it is included in the authentication. Use NULL if not used.
5145
//      - cbAuthData: # bytes of associated authentication data. (0 if not used)
5146
//      - pbSrc: plaintext input
5147
//      - pbDst: ciphertext output. The ciphertext buffer may be identical to the plaintext
5148
//          buffer, or non-overlapping. The ciphertext is also cbData bytes long.
5149
//      - cbData: # bytes of plaintext input. The maximum length is 2^{36} - 32 bytes.
5150
//      - pbTag: buffer that will receive the authentication tag.
5151
//      - cbTag: size of tag. cbTag must be one of {12, 13, 14, 15, 16} per SP800-38D
5152
//          section 5.2.1.2. The optional shorter tag sizes (4 and 8) are not supported.
5153
//
5154

5155

5156
SYMCRYPT_ERROR
5157
SYMCRYPT_CALL
5158
SymCryptGcmDecrypt(
5159
    _In_                            PCSYMCRYPT_GCM_EXPANDED_KEY pExpandedKey,
5160
    _In_reads_( cbNonce )           PCBYTE                      pbNonce,
5161
                                    SIZE_T                      cbNonce,
5162
    _In_reads_opt_( cbAuthData )    PCBYTE                      pbAuthData,
5163
                                    SIZE_T                      cbAuthData,
5164
    _In_reads_( cbData )            PCBYTE                      pbSrc,
5165
    _Out_writes_( cbData )          PBYTE                       pbDst,
5166
                                    SIZE_T                      cbData,
5167
    _In_reads_( cbTag )             PCBYTE                      pbTag,
5168
                                    SIZE_T                      cbTag );
5169
//
5170
// Decrypt a buffer using the block cipher in GCM mode.
5171
// See SymCryptGcmEncrypt for a description of the parameters. This function decrypts rather than
5172
// encrypts, and as a result the pbTag parameter is read rather than filled.
5173
// If the tag value is not correct the SYMCRYPT_AUTHENTICATION_FAILURE error is returned and the pbDst buffer
5174
// is wiped of any plaintext.
5175
// Note: While checking the authentication the purported plaintext is stored in pbDst. It is not safe to reveal
5176
// purported plaintext when the authentication has not been checked. (Doing so would reveal key stream information
5177
// that can be used to decrypt any message encrypted with the same nonce value.) Thus, users should be careful
5178
// to not reveal the pbDst buffer until this function returns (e.g. through other threads or sharing memory).
5179
//
5180

5181
//
5182
// We also provide functions for incremental computation of GCM encryption and decryption. See the functions
5183
// above for a description of the parameters and restrictions.
5184
// In particular, note that the restriction on revealing the plaintext for unauthenticated decryptions holds
5185
// for all the decrypted data, even when the decryption is done incrementally.
5186
//
5187
//
5188
// SYMCRYPT_GCM_STATE
5189
//      Ongoing state of an incremental GCM encryption or decryption operation.
5190
//
5191

5192
VOID
5193
SYMCRYPT_CALL
5194
SymCryptGcmInit(
5195
    _Out_                       PSYMCRYPT_GCM_STATE         pState,
5196
    _In_                        PCSYMCRYPT_GCM_EXPANDED_KEY pExpandedKey,
5197
    _In_reads_( cbNonce )       PCBYTE                      pbNonce,
5198
                                SIZE_T                      cbNonce );
5199
//
5200
// Initialize a GCM computation.
5201
// The pBlockCipher and pExpandedKey structures must remain unchanged until the GCM computation is finished.
5202
//
5203

5204
VOID
5205
SYMCRYPT_CALL
5206
SymCryptGcmStateCopy(
5207
    _In_        PCSYMCRYPT_GCM_STATE            pSrc,
5208
    _In_opt_    PCSYMCRYPT_GCM_EXPANDED_KEY     pExpandedKeyCopy,
5209
    _Out_       PSYMCRYPT_GCM_STATE             pDst );
5210
//
5211
// Copy a GCM state.
5212
// If pExpandedKeyCopy is NULL, then the new pDst state uses the same expanded key as pSrc.
5213
// If pExpandedKeyCopy is not NULL, it must point to a copy of the expanded key of the pSrc state.
5214
// This new expanded key will be used as the expanded key for pDst.
5215
//
5216

5217
VOID
5218
SYMCRYPT_CALL
5219
SymCryptGcmAuthPart(
5220
    _Inout_                     PSYMCRYPT_GCM_STATE pState,
5221
    _In_reads_opt_( cbData )    PCBYTE              pbAuthData,
5222
                                SIZE_T              cbData );
5223
//
5224
// Incrementally process the authentication data. This function can be called multiple times
5225
// after the SymCryptGcmInit function. It may not be called after any encrypt or decrypt
5226
// function has been called on the GCM state.
5227
//
5228

5229
VOID
5230
SYMCRYPT_CALL
5231
SymCryptGcmEncryptPart(
5232
    _Inout_                 PSYMCRYPT_GCM_STATE pState,
5233
    _In_reads_( cbData )    PCBYTE              pbSrc,
5234
    _Out_writes_( cbData )  PBYTE               pbDst,
5235
                            SIZE_T              cbData );
5236

5237
VOID
5238
SYMCRYPT_CALL
5239
SymCryptGcmEncryptFinal(
5240
    _Inout_                 PSYMCRYPT_GCM_STATE pState,
5241
    _Out_writes_( cbTag )   PBYTE               pbTag,
5242
                            SIZE_T              cbTag );
5243

5244
VOID
5245
SYMCRYPT_CALL
5246
SymCryptGcmDecryptPart(
5247
    _Inout_                 PSYMCRYPT_GCM_STATE pState,
5248
    _In_reads_( cbData )    PCBYTE              pbSrc,
5249
    _Out_writes_( cbData )  PBYTE               pbDst,
5250
                            SIZE_T              cbData );
5251

5252
SYMCRYPT_ERROR
5253
SYMCRYPT_CALL
5254
SymCryptGcmDecryptFinal(
5255
    _Inout_                 PSYMCRYPT_GCM_STATE pState,
5256
    _In_reads_( cbTag )     PCBYTE              pbTag,
5257
                            SIZE_T              cbTag );
5258
//
5259
// Returns SYMCRYPT_AUTHENTICATION_FAILURE if the tag value does not match.
5260
//
5261

5262

5263
VOID
5264
SYMCRYPT_CALL
5265
SymCryptGcmSelftest(void);
5266
//
5267
// Self test for GCM cipher mode
5268
//
5269

5270

5271
//==========================================================================
5272
//   SESSION BASED APIs
5273
//==========================================================================
5274

5275

5276
SYMCRYPT_ERROR
5277
SYMCRYPT_CALL
5278
SymCryptSessionSenderInit(
5279
    _Inout_ PSYMCRYPT_SESSION   pSession,
5280
            UINT32              senderId,
5281
            UINT32              flags );
5282
//
5283
//  Initialize an encryption session object. The default nonce size of 12B is used - 8B are provided
5284
//  by message number, 4B by senderId.
5285
//      - pSession: Pointer to an uninitialized session object.
5286
//      - senderId: The id of the sender (must be unique for each user of a given key).
5287
//        Callers should either choose a senderId which is specific to the sender, or
5288
//        at least to the software and role in a system in which a key is being used.
5289
//        Two encryption sessions using the same key and senderId leads to catastrophic loss of security.
5290
//      - No flags are specified for this function
5291
//
5292
//  Remarks:
5293
//  On some platforms use of a session object requires use of a mutex. On those platforms this
5294
//  function will call SymCryptCallbackAllocateMutexFastInproc and may indicate failure by returning
5295
//  SYMCRYPT_MEMORY_ALLOCATION_FAILURE if a mutex object cannot be created.
5296
//  Callers must call SymCryptSessionDestroy to ensure any associated allocated mutex object is freed
5297
//  either before calling another Init function on the SYMCRYPT_SESSION object, and instead of directly
5298
//  calling SymCryptWipeKnownSize on the object.
5299
//
5300

5301
SYMCRYPT_ERROR
5302
SYMCRYPT_CALL
5303
SymCryptSessionReceiverInit(
5304
    _Inout_ PSYMCRYPT_SESSION   pSession,
5305
            UINT32              senderId,
5306
            UINT32              flags );
5307
//
5308
//  Initialize an decryption session object. The default nonce size of 12B is used - 8B are provided
5309
//  by message number, 4B by senderId.
5310
//      - pSession: Pointer to an uninitialized session object.
5311
//      - senderId: The id of the sender (must be unique for each user of a given key).
5312
//        Callers should either choose a senderId which is specific to the sender, or
5313
//        at least to the software and role in a system in which a key is being used.
5314
//        The id used in a decryption session must be the same as the id used in the corresponding
5315
//        encryption session (i.e. sender and receiver must agree upon a senderId for their
5316
//        communication session)
5317
//      - No flags are specified for this function
5318
//
5319
//  Remarks:
5320
//  On some platforms use of a session object requires use of a mutex. On those platforms this
5321
//  function will call SymCryptCallbackAllocateMutexFastInproc and may indicate failure by returning
5322
//  SYMCRYPT_MEMORY_ALLOCATION_FAILURE if a mutex object cannot be created.
5323
//  Callers must call SymCryptSessionDestroy to ensure any associated allocated mutex object is freed
5324
//  either before calling another Init function on the SYMCRYPT_SESSION object, and instead of directly
5325
//  calling SymCryptWipeKnownSize on the object.
5326
//
5327

5328
VOID
5329
SYMCRYPT_CALL
5330
SymCryptSessionDestroy(
5331
    _Inout_ PSYMCRYPT_SESSION   pSession );
5332
//
5333
//  Clear session object and free any data associated with the object (i.e. allocated locks)
5334
//  After this call the memory used for pSession is uninitialized and can be used for other purposes.
5335
//  Note that it is not safe to just wipe the memory of the session object as the session
5336
//  object contains pointers to other allocations.
5337
//  The only way to safely destroy a session is to use this function.
5338
//
5339

5340
SYMCRYPT_ERROR
5341
SYMCRYPT_CALL
5342
SymCryptSessionGcmEncrypt(
5343
    _Inout_                         PSYMCRYPT_SESSION           pSession,
5344
    _In_                            PCSYMCRYPT_GCM_EXPANDED_KEY pExpandedKey,
5345
    _In_reads_opt_( cbAuthData )    PCBYTE                      pbAuthData,
5346
                                    SIZE_T                      cbAuthData,
5347
    _In_reads_( cbData )            PCBYTE                      pbSrc,
5348
    _Out_writes_( cbData )          PBYTE                       pbDst,
5349
                                    SIZE_T                      cbData,
5350
    _Out_writes_( cbTag )           PBYTE                       pbTag,
5351
                                    SIZE_T                      cbTag,
5352
    _Out_opt_                       PUINT64                     pu64MessageNumber );
5353
//
5354
//  Encrypt a buffer, in a series, using the block cipher in GCM mode.
5355
//      - pSession points to the session object for this series of GCM encryptions. It handles
5356
//        ensuring Nonce uniqueness across several encryption calls using the same key. The message
5357
//        number in the pSession object is atomically incremented by this call.
5358
//        If too many messages (2^64 - 2^32) have been encrypted with the same session object,
5359
//        SYMCRYPT_INVALID_ARGUMENT is returned and no encryption takes place. This should never
5360
//        occur in real use!
5361
//      - pExpandedKey points to the expanded key for GCM.
5362
//      - pbAuthData: pointer to the associated authentication data. This data is not encrypted
5363
//          but it is included in the authentication. Use NULL if not used.
5364
//      - cbAuthData: # bytes of associated authentication data. (0 if not used)
5365
//      - pbSrc: plaintext input
5366
//      - pbDst: ciphertext output. The ciphertext buffer may be identical to the plaintext
5367
//          buffer, or non-overlapping. The ciphertext is also cbData bytes long.
5368
//      - cbData: # bytes of plaintext input. The maximum length is 2^{36} - 32 bytes.
5369
//      - pbTag: buffer that will receive the authentication tag.
5370
//      - cbTag: size of tag. cbTag must be one of {12, 13, 14, 15, 16} per SP800-38D
5371
//          section 5.2.1.2. The optional shorter tag sizes (4 and 8) are not supported.
5372
//      - pu64MessageNumber: Optional message number output for this encryption. A unique message
5373
//          number is extracted from the pSession object, this output is set to the value used in
5374
//          the encryption. The first message number generated in a session will have the value 1,
5375
//          and subsequent message numbers will be taken by atomically incrementing the counter.
5376
//
5377

5378
SYMCRYPT_ERROR
5379
SYMCRYPT_CALL
5380
SymCryptSessionGcmDecrypt(
5381
    _Inout_                         PSYMCRYPT_SESSION           pSession,
5382
                                    UINT64                      messageNumber,
5383
    _In_                            PCSYMCRYPT_GCM_EXPANDED_KEY pExpandedKey,
5384
    _In_reads_opt_( cbAuthData )    PCBYTE                      pbAuthData,
5385
                                    SIZE_T                      cbAuthData,
5386
    _In_reads_( cbData )            PCBYTE                      pbSrc,
5387
    _Out_writes_( cbData )          PBYTE                       pbDst,
5388
                                    SIZE_T                      cbData,
5389
    _In_reads_( cbTag )             PCBYTE                      pbTag,
5390
                                    SIZE_T                      cbTag );
5391
//
5392
// Decrypt a buffer, in a series, using the block cipher in GCM mode.
5393
//      - pSession points to the session object for this series of GCM decryptions. It handles
5394
//          ensuring Nonce uniqueness across several decryption calls using the same key, particularly
5395
//          ensuring there are no replays.
5396
//      - messageNumber: The message number to be used for this decryption, forming part of the Nonce.
5397
//          When performing decryption in a session, it is guaranteed that no 2 decryptions using the
5398
//          same session and same message number can succeed. This is to provide protection against
5399
//          replay attacks.
5400
//          In order to provide this guarantee, pSession tracks a window of used message numbers
5401
//          preceding the largest messageNumber successfully used so far in the decryption session.
5402
//          A SYMCRYPT_SESSION_REPLAY_FAILURE error will be returned if either:
5403
//          a) messageNumber is less than the smallest message number that can be tracked for replays
5404
//          b) messageNumber is within the window that can be tracked for replays, and the message
5405
//             number is marked as already having been used in a successful decryption in this session
5406
//          In either case, the destination buffer is wiped.
5407
// See SymCryptSessionGcmEncrypt for a description of the other parameters. This function decrypts
5408
// rather than encrypts, and as a result the pbTag parameter is read rather than filled.
5409
// If the tag value is not correct the SYMCRYPT_AUTHENTICATION_FAILURE error is returned and the
5410
// pbDst buffer is wiped of any plaintext.
5411
// Note: While checking the authentication the purported plaintext is stored in pbDst. It is not safe to reveal
5412
// purported plaintext when the authentication has not been checked. (Doing so would reveal key stream information
5413
// that can be used to decrypt any message encrypted with the same nonce value.) Thus, users should be careful
5414
// to not reveal the pbDst buffer until this function returns (e.g. through other threads or sharing memory).
5415
//
5416

5417

5418
//==========================================================================
5419
//   STREAM CIPHERS
5420
//==========================================================================
5421

5422
////////////////////////////////////////////////////////////////////////////
5423
//   RC4
5424
//
5425
// The RC4 stream cipher
5426
//
5427
// Use of RC4 is not recommended.
5428
//
5429
// The RC4 implementation makes extensive use of table lookups to implement the S-boxes of the algorithm.
5430
// This violates our current crypto implementation guidelines and opens up a possible side-channel attack
5431
// through information leakage via the memory caching system of the CPU.
5432
//
5433

5434
SYMCRYPT_ERROR
5435
SYMCRYPT_CALL
5436
SymCryptRc4Init(
5437
    _Out_                   PSYMCRYPT_RC4_STATE pState,
5438
    _In_reads_( cbKey )     PCBYTE              pbKey,
5439
    _In_                    SIZE_T              cbKey );
5440
//
5441
// Initialize an RC4 encryption/decryption state.
5442
// WARNING: the most common error in using RC4 is to use the same key to encrypt two different pieces of data.
5443
// This is insecure and should never be done; you need a unique key for each data element that is encrypted.
5444
//
5445

5446
VOID
5447
SYMCRYPT_CALL
5448
SymCryptRc4Crypt(
5449
    _Inout_                 PSYMCRYPT_RC4_STATE pState,
5450
    _In_reads_( cbData )    PCBYTE              pbSrc,
5451
    _Out_writes_( cbData )  PBYTE               pbDst,
5452
    _In_                    SIZE_T              cbData );
5453
//
5454
// Encrypt or Decrypt data using the RC4 state. Note that the RC4 state is updated and therefore this
5455
// function cannot be used by two threads simultaneously using the same state object.
5456
//
5457

5458
VOID
5459
SYMCRYPT_CALL
5460
SymCryptRc4Selftest(void);
5461

5462

5463
//
5464
// ChaCha20
5465
//
5466
// The ChaCha20 stream cipher is specified in RFC 7539 and referenced by RFC 7905
5467
// which specifies the ChaCha20-Poly1305 TLS cipher suite.
5468
//
5469
// ChaCha is a random-access stream cipher. It is possible to jump to any part of
5470
// the key stream and start en/decrypting there.
5471
// We support this by allowing the caller to select the position in the key stream
5472
// to use.
5473
//
5474

5475
SYMCRYPT_ERROR
5476
SYMCRYPT_CALL
5477
SymCryptChaCha20Init(
5478
    _Out_                   PSYMCRYPT_CHACHA20_STATE    pState,
5479
    _In_reads_( cbKey )     PCBYTE                      pbKey,
5480
    _In_                    SIZE_T                      cbKey,
5481
    _In_reads_( cbNonce )   PCBYTE                      pbNonce,
5482
                            SIZE_T                      cbNonce,
5483
                            UINT64                      offset );
5484
//
5485
// Initialize a ChaCha20 en/decryption state.
5486
// Key must be 32 bytes
5487
// Nonce must be 12 bytes
5488
// offset is the position into the key stream that the next encrypt/decrypt
5489
// operation will use. Requirement: 0 <= offset < 2^38
5490
// The ChaCha documentation is formulated in terms of a 'counter' or 'initial counter'.
5491
// Callers can set offset = 64 * <counter> to achieve the same results.
5492
//
5493
// An error is returned only for invalid key or nonce sizes.
5494
//
5495
// A single (key,nonce) pair defines a key stream of 256 GB.
5496
// Any part of that key stream can be used to encrypt a message, or part of a
5497
// message.
5498
// Note that it is critical that each key stream byte is used only once; thus
5499
// callers have to ensure that for any key, each nonce is used at most once for
5500
// a message, and messages cannot use any part of the 256 GB key stream more than
5501
// once.
5502
//
5503

5504
VOID
5505
SYMCRYPT_CALL
5506
SymCryptChaCha20SetOffset(
5507
    _Inout_                 PSYMCRYPT_CHACHA20_STATE    pState,
5508
                            UINT64                      offset );
5509
//
5510
// Specify the offset into the key stream where the next encrypt/decrypt operation
5511
// will start.
5512
// Requirement: 0 <= offset < 2^38
5513
//
5514

5515
VOID
5516
SYMCRYPT_CALL
5517
SymCryptChaCha20Crypt(
5518
    _Inout_                 PSYMCRYPT_CHACHA20_STATE    pState,
5519
    _In_reads_( cbData )    PCBYTE                      pbSrc,
5520
    _Out_writes_( cbData )  PBYTE                       pbDst,
5521
                            SIZE_T                      cbData );
5522
//
5523
// Encrypt or Decrypt data using the CHACHA20 state.
5524
// The Src data is xorred with the key stream generated from the state, and the result stored
5525
// in the Dst buffer. The Src and Dst buffer can be identical or non-overlapping; partial overlaps
5526
// are not supported.
5527
// As the state is updated two threads cannot en/decrypt with the same state at the same time.
5528
// The key stream used is the one generated from the key and nonce, starting at the specified
5529
// offset into the key stream. This function updates the offset of the state by adding cbData to
5530
// it so that the next call will use the next part of the key stream.
5531
// Any attempt to use the key stream at offset >= 2^38 will result in catastrophic loss of security.
5532
//
5533

5534
VOID
5535
SYMCRYPT_CALL
5536
SymCryptChaCha20Selftest(void);
5537

5538

5539

5540

5541
//==========================================================================
5542
//   KEY DERIVATION ALGORITHMS
5543
//==========================================================================
5544

5545
////////////////////////////////////////////////////////////////////////////
5546
// PBKDF2
5547
//
5548
// Generic KDF parameter handling:
5549
//  - Generic parameter is passed in the Salt input;
5550
//  - iterationCnt is set to 1.
5551
//
5552

5553
SYMCRYPT_ERROR
5554
SYMCRYPT_CALL
5555
SymCryptPbkdf2ExpandKey(
5556
    _Out_               PSYMCRYPT_PBKDF2_EXPANDED_KEY   pExpandedKey,
5557
    _In_                PCSYMCRYPT_MAC                  macAlgorithm,
5558
    _In_reads_(cbKey)   PCBYTE                          pbKey,
5559
                        SIZE_T                          cbKey );
5560

5561
SYMCRYPT_ERROR
5562
SYMCRYPT_CALL
5563
SymCryptPbkdf2Derive(
5564
    _In_                    PCSYMCRYPT_PBKDF2_EXPANDED_KEY  pExpandedKey,
5565
    _In_reads_opt_(cbSalt)  PCBYTE                          pbSalt,
5566
                            SIZE_T                          cbSalt,
5567
                            UINT64                          iterationCnt,
5568
    _Out_writes_(cbResult)  PBYTE                           pbResult,
5569
                            SIZE_T                          cbResult);
5570

5571
SYMCRYPT_ERROR
5572
SYMCRYPT_CALL
5573
SymCryptPbkdf2(
5574
                            PCSYMCRYPT_MAC  macAlgorithm,
5575
    _In_reads_(cbKey)       PCBYTE          pbKey,
5576
                            SIZE_T          cbKey,
5577
    _In_reads_opt_(cbSalt)  PCBYTE          pbSalt,
5578
                            SIZE_T          cbSalt,
5579
                            UINT64          iterationCnt,
5580
    _Out_writes_(cbResult)  PBYTE           pbResult,
5581
                            SIZE_T          cbResult);
5582

5583
//
5584
// Because the self-test pulls in the associated MAC function,
5585
// we have several self-tests; each of which tests the PBKDF2 implementation
5586
// using the specified MAC function.
5587
// This allows a FIPS module to run the self-test with the MAC function it already
5588
// uses internally.
5589
//
5590
// More can be added when needed.
5591
//
5592

5593
VOID
5594
SYMCRYPT_CALL
5595
SymCryptPbkdf2_HmacSha1SelfTest(void);
5596

5597
VOID
5598
SYMCRYPT_CALL
5599
SymCryptPbkdf2_HmacSha256SelfTest(void);
5600

5601
////////////////////////////////////////////////////////////////////////////
5602
// SP800-108 Counter mode
5603
//
5604
// Generic KDF parameter handling:
5605
// Generic parameter contains the concatenation of the Label, a zero byte, and the Context.
5606
// To pass a generic parameter do the following:
5607
//  - pbLabel = NULL
5608
//  - cbLabel = (SIZE_T) -1;
5609
//  - pbContext/cbContext = generic parameter
5610
//
5611

5612
SYMCRYPT_ERROR
5613
SYMCRYPT_CALL
5614
SymCryptSp800_108ExpandKey(
5615
    _Out_               PSYMCRYPT_SP800_108_EXPANDED_KEY    pExpandedKey,
5616
    _In_                PCSYMCRYPT_MAC                      macAlgorithm,
5617
    _In_reads_(cbKey)   PCBYTE                              pbKey,
5618
                        SIZE_T                              cbKey );
5619

5620
SYMCRYPT_ERROR
5621
SYMCRYPT_CALL
5622
SymCryptSp800_108Derive(
5623
    _In_                        PCSYMCRYPT_SP800_108_EXPANDED_KEY   pExpandedKey,
5624
    _In_reads_opt_(cbLabel)     PCBYTE                              pbLabel,
5625
                                SIZE_T                              cbLabel,
5626
    _In_reads_opt_(cbContext)   PCBYTE                              pbContext,
5627
                                SIZE_T                              cbContext,
5628
    _Out_writes_(cbResult)      PBYTE                               pbResult,
5629
                                SIZE_T                              cbResult);
5630

5631
SYMCRYPT_ERROR
5632
SYMCRYPT_CALL
5633
SymCryptSp800_108(
5634
                                PCSYMCRYPT_MAC  macAlgorithm,
5635
    _In_reads_(cbKey)           PCBYTE          pbKey,
5636
                                SIZE_T          cbKey,
5637
    _In_reads_opt_(cbLabel)     PCBYTE          pbLabel,
5638
                                SIZE_T          cbLabel,
5639
    _In_reads_opt_(cbContext)   PCBYTE          pbContext,
5640
                                SIZE_T          cbContext,
5641
    _Out_writes_(cbResult)      PBYTE           pbResult,
5642
                                SIZE_T          cbResult);
5643

5644
VOID
5645
SYMCRYPT_CALL
5646
SymCryptSp800_108_HmacSha1SelfTest(void);
5647

5648
VOID
5649
SYMCRYPT_CALL
5650
SymCryptSp800_108_HmacSha256SelfTest(void);
5651

5652
VOID
5653
SYMCRYPT_CALL
5654
SymCryptSp800_108_HmacSha384SelfTest(void);
5655

5656
VOID
5657
SYMCRYPT_CALL
5658
SymCryptSp800_108_HmacSha512SelfTest(void);
5659

5660
////////////////////////////////////////////////////////////////////////////
5661
// TLS Key Derivation PRFs
5662
//
5663
// PRFs used in the key derivation functions of the TLS protocol, versions
5664
// 1.0, 1.1, and 1.2. These are defined in RFC 2246, 4346, and 5246,
5665
// respectively.
5666
// Note: The PRFs for versions 1.0 and 1.1 are identical.
5667
//
5668

5669
// Maximum sizes (in bytes) for the label and the seed inputs. See the
5670
// above RFCs 2246, 4346, and 5246 for more details.
5671
#define SYMCRYPT_TLS_MAX_LABEL_SIZE 256
5672
#define SYMCRYPT_TLS_MAX_SEED_SIZE  256
5673

5674
//
5675
//  Version 1.0/1.1
5676
//
5677
SYMCRYPT_ERROR
5678
SYMCRYPT_CALL
5679
SymCryptTlsPrf1_1ExpandKey(
5680
    _Out_               PSYMCRYPT_TLSPRF1_1_EXPANDED_KEY    pExpandedKey,
5681
    _In_reads_(cbKey)   PCBYTE                              pbKey,
5682
                        SIZE_T                              cbKey);
5683

5684
SYMCRYPT_ERROR
5685
SYMCRYPT_CALL
5686
SymCryptTlsPrf1_1Derive(
5687
    _In_                    PCSYMCRYPT_TLSPRF1_1_EXPANDED_KEY   pExpandedKey,
5688
    _In_reads_opt_(cbLabel) PCBYTE                              pbLabel,
5689
    _In_                    SIZE_T                              cbLabel,        // Up to SYMCRYPT_TLS_MAX_LABEL_SIZE
5690
    _In_reads_(cbSeed)      PCBYTE                              pbSeed,
5691
    _In_                    SIZE_T                              cbSeed,         // Up to SYMCRYPT_TLS_MAX_SEED_SIZE
5692
    _Out_writes_(cbResult)  PBYTE                               pbResult,
5693
                            SIZE_T                              cbResult);
5694

5695
SYMCRYPT_ERROR
5696
SYMCRYPT_CALL
5697
SymCryptTlsPrf1_1(
5698
    _In_reads_(cbKey)       PCBYTE   pbKey,
5699
    _In_                    SIZE_T   cbKey,
5700
    _In_reads_opt_(cbLabel) PCBYTE   pbLabel,
5701
    _In_                    SIZE_T   cbLabel,
5702
    _In_reads_(cbSeed)      PCBYTE   pbSeed,
5703
    _In_                    SIZE_T   cbSeed,
5704
    _Out_writes_(cbResult)  PBYTE    pbResult,
5705
                            SIZE_T   cbResult);
5706

5707
VOID
5708
SYMCRYPT_CALL
5709
SymCryptTlsPrf1_1SelfTest(void);
5710

5711
//
5712
//  Version 1.2
5713
//
5714
SYMCRYPT_ERROR
5715
SYMCRYPT_CALL
5716
SymCryptTlsPrf1_2ExpandKey(
5717
    _Out_               PSYMCRYPT_TLSPRF1_2_EXPANDED_KEY    pExpandedKey,
5718
    _In_                PCSYMCRYPT_MAC                      macAlgorithm,
5719
    _In_reads_(cbKey)   PCBYTE                              pbKey,
5720
                        SIZE_T                              cbKey);
5721

5722
SYMCRYPT_ERROR
5723
SYMCRYPT_CALL
5724
SymCryptTlsPrf1_2Derive(
5725
    _In_                    PCSYMCRYPT_TLSPRF1_2_EXPANDED_KEY   pExpandedKey,
5726
    _In_reads_opt_(cbLabel) PCBYTE                              pbLabel,
5727
    _In_                    SIZE_T                              cbLabel,    // Up to SYMCRYPT_TLS_MAX_LABEL_SIZE
5728
    _In_reads_(cbSeed)      PCBYTE                              pbSeed,
5729
    _In_                    SIZE_T                              cbSeed,     // Up to SYMCRYPT_TLS_MAX_SEED_SIZE
5730
    _Out_writes_(cbResult)  PBYTE                               pbResult,
5731
                            SIZE_T                              cbResult);
5732

5733
SYMCRYPT_ERROR
5734
SYMCRYPT_CALL
5735
SymCryptTlsPrf1_2(
5736
    _In_                    PCSYMCRYPT_MAC  macAlgorithm,
5737
    _In_reads_(cbKey)       PCBYTE          pbKey,
5738
    _In_                    SIZE_T          cbKey,
5739
    _In_reads_opt_(cbLabel) PCBYTE          pbLabel,
5740
    _In_                    SIZE_T          cbLabel,
5741
    _In_reads_(cbSeed)      PCBYTE          pbSeed,
5742
    _In_                    SIZE_T          cbSeed,
5743
    _Out_writes_(cbResult)  PBYTE           pbResult,
5744
                            SIZE_T          cbResult);
5745

5746
VOID
5747
SYMCRYPT_CALL
5748
SymCryptTlsPrf1_2SelfTest(void);
5749

5750

5751
////////////////////////////////////////////////////////////////////////////
5752
// SSH-KDF as specified in RFC 4253 Section 7.2.
5753
//
5754

5755

5756
// Labels defined in RFC 4253
5757
#define SYMCRYPT_SSHKDF_IV_CLIENT_TO_SERVER                0x41        // 'A'
5758
#define SYMCRYPT_SSHKDF_IV_SERVER_TO_CLIENT                0x42        // 'B'
5759
#define SYMCRYPT_SSHKDF_ENCRYPTION_KEY_CLIENT_TO_SERVER    0x43        // 'C'
5760
#define SYMCRYPT_SSHKDF_ENCRYPTION_KEY_SERVER_TO_CLIENT    0x44        // 'D'
5761
#define SYMCRYPT_SSHKDF_INTEGRITY_KEY_CLIENT_TO_SERVER     0x45        // 'E'
5762
#define SYMCRYPT_SSHKDF_INTEGRITY_KEY_SERVER_TO_CLIENT     0x46        // 'F'
5763

5764

5765
SYMCRYPT_ERROR
5766
SYMCRYPT_CALL
5767
SymCryptSshKdfExpandKey(
5768
    _Out_               PSYMCRYPT_SSHKDF_EXPANDED_KEY   pExpandedKey,
5769
    _In_                PCSYMCRYPT_HASH                 pHashFunc,
5770
    _In_reads_(cbKey)   PCBYTE                          pbKey,
5771
                        SIZE_T                          cbKey);
5772
//
5773
// Process the key using the specified hash function and store the result in
5774
// SYMCRYPT_SSHKDF_EXPANDED_KEY structure. Once the key is expanded,
5775
// SymCryptSshKdfDerive can be called multiple times to generate keys for
5776
// different uses/labels.
5777
//
5778
// After all the keys are derived from a particular "shared secret" key,
5779
// SYMCRYPT_SSHKDF_EXPANDED_KEY structure must be wiped.
5780
//
5781
// Parameters:
5782
//      - pExpandedKey  :   Pointer to a SYMCRYPT_SSHKDF_EXPANDED_KEY structure that
5783
//                          will contain the expanded key after the function returns.
5784
//      - pHashFunc     :   Hash function that will be used in the key derivation.
5785
//                          This function is saved in SYMCRYPT_SSHKDF_EXPANDED_KEY
5786
//                          so that it is also used by the SymCryptSshKdfDerive function.
5787
//      - pbKey, cbKey  :   Buffer containing the secret key for the KDF.
5788
//
5789
// Returns SYMCRYPT_NO_ERROR
5790
//
5791

5792

5793
SYMCRYPT_ERROR
5794
SYMCRYPT_CALL
5795
SymCryptSshKdfDerive(
5796
    _In_                        PCSYMCRYPT_SSHKDF_EXPANDED_KEY  pExpandedKey,
5797
    _In_reads_(cbHashValue)     PCBYTE                          pbHashValue,
5798
                                SIZE_T                          cbHashValue,
5799
                                BYTE                            label,
5800
    _In_reads_(cbSessionId)     PCBYTE                          pbSessionId,
5801
                                SIZE_T                          cbSessionId,
5802
    _Inout_updates_(cbOutput)   PBYTE                           pbOutput,
5803
                                SIZE_T                          cbOutput);
5804
//
5805
// Derive keys using the expanded key that was initialized with SymCryptSshKdfExpandKey
5806
// along with other inputs. This function can be called consecutively with varying label
5807
// values to generate keys for different purposes as defined in the RFC.
5808
//
5809
// Parameters:
5810
//      - pExpandedKey              :   Pointer to a SYMCRYPT_SSHKDF_EXPANDED_KEY structure that is
5811
//                                      initialized by a prior call to SymCryptSshKdfExpandKey.
5812
//                                      Must be wiped when SymCryptSshKdfDerive is not going to be called
5813
//                                      again with the same expanded key.
5814
//      - pbHashValue, cbHashValue  :   Buffer pointing to "exchange hash" value. cbHashValue must be equal
5815
//                                      to the output size of the hash function passed to SymCryptSshKdfExpandKey.
5816
//      - label                     :   Label value used to indicate the type of the derived key.
5817
//      - pbSessionId, cbSessionId  :   Buffer pointing to the session identifier. cbSessionId must be equal
5818
//                                      to the output size of the hash function passed to SymCryptSshKdfExpandKey.
5819
//      - pbOutput, cbOutput        :   Buffer to store the derived key. Exactly cbOutput bytes of output will be generated.
5820
//
5821
// Returns SYMCRYPT_NO_ERROR
5822
//
5823

5824

5825
SYMCRYPT_ERROR
5826
SYMCRYPT_CALL
5827
SymCryptSshKdf(
5828
    _In_                    PCSYMCRYPT_HASH     pHashFunc,
5829
    _In_reads_(cbKey)       PCBYTE              pbKey,
5830
                            SIZE_T              cbKey,
5831
    _In_reads_(cbHashValue) PCBYTE              pbHashValue,
5832
                            SIZE_T              cbHashValue,
5833
                            BYTE                label,
5834
    _In_reads_(cbSessionId) PCBYTE              pbSessionId,
5835
                            SIZE_T              cbSessionId,
5836
    _Out_writes_(cbOutput)  PBYTE               pbOutput,
5837
                            SIZE_T              cbOutput);
5838
//
5839
// This function is a wrapper for using SymCryptSshKdfExpandKey followed by SymCryptSshKdfDerive
5840
// in order to produce SSH-KDF output.
5841
//
5842
// All of the function arguments are forwarded to SymCryptSshKdfExpandKey and SymCryptSshKdfDerive
5843
// functions, hence the documentation on those functions apply here as well.
5844
//
5845

5846

5847
VOID
5848
SYMCRYPT_CALL
5849
SymCryptSshKdfSha256SelfTest(void);
5850

5851
VOID
5852
SYMCRYPT_CALL
5853
SymCryptSshKdfSha512SelfTest(void);
5854

5855

5856
////////////////////////////////////////////////////////////////////////////
5857
// SRTP-KDF as specified in RFC 3711 Section 4.3.1.
5858
//
5859

5860

5861
// Labels defined in RFC 3711
5862
#define SYMCRYPT_SRTP_ENCRYPTION_KEY        0x00
5863
#define SYMCRYPT_SRTP_AUTHENTICATION_KEY    0x01
5864
#define SYMCRYPT_SRTP_SALTING_KEY           0x02
5865
#define SYMCRYPT_SRTCP_ENCRYPTION_KEY       0x03
5866
#define SYMCRYPT_SRTCP_AUTHENTICATION_KEY   0x04
5867
#define SYMCRYPT_SRTCP_SALTING_KEY          0x05
5868

5869

5870
SYMCRYPT_ERROR
5871
SYMCRYPT_CALL
5872
SymCryptSrtpKdfExpandKey(
5873
    _Out_                PSYMCRYPT_SRTPKDF_EXPANDED_KEY  pExpandedKey,
5874
    _In_reads_(cbKey)    PCBYTE                          pbKey,
5875
                         SIZE_T                          cbKey);
5876
//
5877
// Process the key and store the result in SYMCRYPT_SRTPKDF_EXPANDED_KEY structure.
5878
// Once the key is expanded, SymCryptSrtpKdfDerive can be called multiple times to
5879
// generate keys for different uses/labels.
5880
//
5881
// After all the keys are derived from a particular "shared secret" key,
5882
// SYMCRYPT_SRTPKDF_EXPANDED_KEY structure must be wiped.
5883
//
5884
// Parameters:
5885
//      - pExpandedKey  :   Pointer to a SYMCRYPT_SRTPKDF_EXPANDED_KEY structure that
5886
//                          will contain the expanded key after the function returns.
5887
//      - pbKey, cbKey  :   Buffer containing the secret key for the KDF. cbKey must be
5888
//                          a valid AES key size (16-, 24-, or 32-bytes).
5889
//
5890
// Returns:
5891
//      SYMCRYPT_WRONG_KEY_SIZE : If cbKey is not a valid AES key size
5892
//      SYMCRYPT_NO_ERROR       : On success
5893
//
5894

5895
SYMCRYPT_ERROR
5896
SYMCRYPT_CALL
5897
SymCryptSrtpKdfDerive(
5898
    _In_                    PCSYMCRYPT_SRTPKDF_EXPANDED_KEY pExpandedKey,
5899
    _In_reads_(cbSalt)      PCBYTE                          pbSalt,
5900
                            SIZE_T                          cbSalt,
5901
                            UINT32                          uKeyDerivationRate,
5902
                            UINT64                          uIndex,
5903
                            UINT32                          uIndexWidth,
5904
                            BYTE                            label,
5905
    _Out_writes_(cbOutput)  PBYTE                           pbOutput,
5906
                            SIZE_T                          cbOutput);
5907
//
5908
// Derive keys using the expanded key that was initialized with SymCryptSrtpKdfExpandKey
5909
// along with other inputs. This function can be called consecutively with varying label
5910
// values to generate keys for different purposes as defined in the RFC.
5911
//
5912
// Parameters:
5913
//      - pExpandedKey              :   Pointer to a SYMCRYPT_SRTPKDF_EXPANDED_KEY structure that is
5914
//                                      initialized by a prior call to SymCryptSrtpKdfExpandKey.
5915
//                                      Must be wiped when SymCryptSrtpKdfDerive is not going to be called
5916
//                                      again with the same expanded key.
5917
//      - pbSalt, cbSalt            :   Buffer pointing to the salt value. cbSalt must always be 14 (112-bits).
5918
//      - uKeyDerivationRate        :   Key derivation rate; must be zero or 2^i for 0 <= i <= 24.
5919
//      - uIndex                    :   Denotes an SRTP index value when label is 0x00, 0x01, or 0x02, otherwise
5920
//                                      denotes an SRTCP index value.
5921
//      - uIndexWidth               :   Denotes how wide uIndex value is. Must be one of 0, 32, or 48. By default,
5922
//                                      (when uIndexWidth = 0) uIndex is treated as 48-bits.
5923
//                                      RFC 3711 initially defined SRTCP indices to be 32-bit values. It was updated
5924
//                                      to be 48-bits by Errata ID 3712. SRTP index values are defined to be 48-bits.
5925
//      - label                     :   Label value used to indicate the type of the derived key.
5926
//      - pbOutput, cbOutput        :   Buffer to store the derived key. Exactly cbOutput bytes of output will be generated.
5927
//
5928
// Returns:
5929
//      SYMCRYPT_INVALID_ARGUMENT   :   If cbSalt is not 14-bytes, or uKeyDerivationRate in invalid.
5930
//      SYMCRYPT_NO_ERROR           :   On success.
5931
//
5932

5933

5934
SYMCRYPT_ERROR
5935
SYMCRYPT_CALL
5936
SymCryptSrtpKdf(
5937
    _In_reads_(cbKey)           PCBYTE  pbKey,
5938
                                SIZE_T  cbKey,
5939
    _In_reads_(cbSalt)          PCBYTE  pbSalt,
5940
                                SIZE_T  cbSalt,
5941
                                UINT32  uKeyDerivationRate,
5942
                                UINT64  uIndex,
5943
                                UINT32  uIndexWidth,
5944
                                BYTE    label,
5945
    _Out_writes_(cbOutput)      PBYTE   pbOutput,
5946
                                SIZE_T  cbOutput);
5947
//
5948
// This function is a wrapper for using SymCryptSrtpKdfExpandKey followed by SymCryptSrtpKdfDerive
5949
// in order to produce SRTP-KDF output.
5950
//
5951
// All of the function arguments are forwarded to SymCryptSrtpKdfExpandKey and SymCryptSrtpKdfDerive
5952
// functions, hence the documentation on those functions apply here as well.
5953
//
5954

5955

5956
VOID
5957
SYMCRYPT_CALL
5958
SymCryptSrtpKdfSelfTest(void);
5959

5960

5961
////////////////////////////////////////////////////////////////////////////
5962
// HKDF
5963
//
5964
// PRF used in the key derivation functions of the TLS protocol, version
5965
// 1.3. It is defined in RFC 5869.
5966
//
5967
// The SymCrypt ExtractPrk function corresponds to the "HKDF-Extract" function
5968
// of the RFC 5869, while the SymCrypt PrkExpandKey and Derive functions
5969
// correspond to the "HKDF-Expand" function of the RFC.
5970
//
5971
// SymCryptHkdfExtractPrk takes as inputs the MAC algorithm, the IKM (input
5972
// keying material), and the optional salt. It executes the full "HKDF-Extract"
5973
// function to produce the PRK (pseudorandom key).
5974
//
5975
// SymCryptHkdfPrkExpandKey takes as inputs just the MAC algorithm and the PRK.
5976
// It produces the final (MAC) key to be used by the "HKDF-Expand" function.
5977
//
5978
// SymCryptHkdfExpandKey performs SymCryptHkdfExtractPrk followed by
5979
// SymCryptHkdfPrkExpandKey to produce the final (MAC) key to be used by the
5980
// "HKDF-Expand" function, without exposing the PRK to the caller.
5981
//
5982
// SymCryptHkdfDerive takes as input the final MAC key and the optional info. It
5983
// performs the rest of the "HKDF-Expand" function to produce the HKDF result.
5984
//
5985

5986
SYMCRYPT_ERROR
5987
SYMCRYPT_CALL
5988
SymCryptHkdfExpandKey(
5989
    _Out_                   PSYMCRYPT_HKDF_EXPANDED_KEY     pExpandedKey,
5990
    _In_                    PCSYMCRYPT_MAC                  macAlgorithm,
5991
    _In_reads_(cbIkm)       PCBYTE                          pbIkm,
5992
                            SIZE_T                          cbIkm,
5993
    _In_reads_opt_(cbSalt)  PCBYTE                          pbSalt,
5994
                            SIZE_T                          cbSalt );
5995

5996
SYMCRYPT_ERROR
5997
SYMCRYPT_CALL
5998
SymCryptHkdfExtractPrk(
5999
    _In_                    PCSYMCRYPT_MAC                  macAlgorithm,
6000
    _In_reads_(cbIkm)       PCBYTE                          pbIkm,
6001
                            SIZE_T                          cbIkm,
6002
    _In_reads_opt_(cbSalt)  PCBYTE                          pbSalt,
6003
                            SIZE_T                          cbSalt,
6004
    _Out_writes_(cbPrk)     PBYTE                           pbPrk,
6005
                            SIZE_T                          cbPrk );
6006

6007
SYMCRYPT_ERROR
6008
SYMCRYPT_CALL
6009
SymCryptHkdfPrkExpandKey(
6010
    _Out_                   PSYMCRYPT_HKDF_EXPANDED_KEY     pExpandedKey,
6011
    _In_                    PCSYMCRYPT_MAC                  macAlgorithm,
6012
    _In_reads_(cbPrk)       PCBYTE                          pbPrk,
6013
                            SIZE_T                          cbPrk );
6014

6015
SYMCRYPT_ERROR
6016
SYMCRYPT_CALL
6017
SymCryptHkdfDerive(
6018
    _In_                    PCSYMCRYPT_HKDF_EXPANDED_KEY    pExpandedKey,
6019
    _In_reads_opt_(cbInfo)  PCBYTE                          pbInfo,
6020
                            SIZE_T                          cbInfo,
6021
    _Out_writes_(cbResult)  PBYTE                           pbResult,
6022
                            SIZE_T                          cbResult);
6023

6024
SYMCRYPT_ERROR
6025
SYMCRYPT_CALL
6026
SymCryptHkdf(
6027
                            PCSYMCRYPT_MAC  macAlgorithm,
6028
    _In_reads_(cbIkm)       PCBYTE          pbIkm,
6029
                            SIZE_T          cbIkm,
6030
    _In_reads_opt_(cbSalt)  PCBYTE          pbSalt,
6031
                            SIZE_T          cbSalt,
6032
    _In_reads_opt_(cbInfo)  PCBYTE          pbInfo,
6033
                            SIZE_T          cbInfo,
6034
    _Out_writes_(cbResult)  PBYTE           pbResult,
6035
                            SIZE_T          cbResult);
6036

6037
VOID
6038
SYMCRYPT_CALL
6039
SymCryptHkdfSelfTest(void);
6040

6041
////////////////////////////////////////////////////////////////////////////
6042
// SSKDF
6043
//
6044
// Single-Step KDF as specified in SP800-56C section 4.
6045
//
6046
// SSKDF requires an auxiliary function H. This can be approved hash function,
6047
// HMAC with an approved hash function, or KMAC. The approved hash functions
6048
// are listed in SP800-56C section 7.
6049
//
6050
// A salt value may be optionally provided if either HMAC or KMAC is used for H.
6051
// When no salt is provided, an all-zero default salt is used instead. For HMAC,
6052
// the default salt is the length of an input block of the HMAC's hash function.
6053
// For KMAC128, the default salt is 164 bytes. For KMAC256, the default salt is 132 bytes.
6054
//
6055

6056
SYMCRYPT_ERROR
6057
SYMCRYPT_CALL
6058
SymCryptSskdfMacExpandSalt(
6059
    _Out_                   PSYMCRYPT_SSKDF_MAC_EXPANDED_SALT   pExpandedSalt,
6060
    _In_                    PCSYMCRYPT_MAC                      macAlgorithm,
6061
    _In_reads_opt_(cbSalt)  PCBYTE                              pbSalt,
6062
                            SIZE_T                              cbSalt);
6063
//
6064
// Initializes *pExpandedSalt with the macAlgorithm, and optionally the salt. Used
6065
// for SSKDF when H is a MAC function. After calling SymCryptSskdfMacExpandSalt,
6066
// SymCryptSskdfMacDerive can be called multiple times to generate keys for different
6067
// uses, fixed infos, and shared secrets. For multiple KDFs using the same MAC and salt,
6068
// calling SymCryptSskdfMacExpandSalt once and SymCryptSskdfMacDerive multiple times
6069
// is more efficient than calling SymCryptSskdfMac multiple times.
6070
//
6071
// The expanded salt contains no secrets and does not need to be wiped.
6072
//
6073
// Parameters:
6074
//    - pExpandedSalt   :   Pointer to a SYMCRYPT_SSKDF_MAC_EXPANDED_SALT structure that
6075
//                          will contain the expanded salt after the function returns.
6076
//    - macAlgorithm    :   MAC algorithm that will be used in the key derivation.
6077
//                          This function is saved in SYMCRYPT_SSKDF_MAC_EXPANDED_SALT.
6078
//    - pbSalt, cbSalt  :   Buffer containing the salt for the KDF. cbSalt must be a valid
6079
//                          key size for the MAC algorithm. If pbSalt is NULL, the default
6080
//                          all zero-byte salt is used.
6081
//
6082

6083
SYMCRYPT_ERROR
6084
SYMCRYPT_CALL
6085
SymCryptSskdfMacDerive(
6086
    _In_                    PCSYMCRYPT_SSKDF_MAC_EXPANDED_SALT  pExpandedSalt,
6087
                            SIZE_T                              cbMacOutputSize,
6088
    _In_reads_(cbSecret)    PCBYTE                              pbSecret,
6089
                            SIZE_T                              cbSecret,
6090
    _In_reads_opt_(cbInfo)  PCBYTE                              pbInfo,
6091
                            SIZE_T                              cbInfo,
6092
    _Out_writes_(cbResult)  PBYTE                               pbResult,
6093
                            SIZE_T                              cbResult);
6094
//
6095
// Derive keys using the expanded salt that was initialized with SymCryptSskdfMacExpandSalt
6096
// along with other inputs. This function can be called consecutively with varying fixed infos
6097
// and shared secrets to generate keys for different purposes as defined in the SP800-56C.
6098
// The same pbExpandedKey can be used simultaneously by multiple threads.
6099
//
6100
// Parameters:
6101
//    - pExpandedSalt       :   Pointer to a SYMCRYPT_SSKDF_MAC_EXPANDED_SALT structure that is
6102
//                              initialized by a prior call to SymCryptSskdfMacExpandSalt.
6103
//    - cbMacOutputSize     :   Output size used by the MAC algorithm for intermediate computations. Must not be
6104
//                              greater than 64 bytes. Set to 0 for MACs that don't support variable output sizes,
6105
//                              or to use the default output size. The default output size when KMAC is used is cbResult.
6106
//    - pbSecret, cbSecret  :   Buffer containing the shared secret.
6107
//    - pbInfo, cbInfo      :   Buffer containing the fixed info.
6108
//    - pbResult, cbResult  :   Buffer to store the derived key. Exactly cbResult bytes of output will be generated.
6109
//                              Must not exceed 2^{32} - 1 times the result size of the MAC algorithm.
6110
//
6111

6112
SYMCRYPT_ERROR
6113
SYMCRYPT_CALL
6114
SymCryptSskdfMac(
6115
    _In_                    PCSYMCRYPT_MAC  macAlgorithm,
6116
                            SIZE_T          cbMacOutputSize,
6117
    _In_reads_(cbSecret)    PCBYTE          pbSecret,
6118
                            SIZE_T          cbSecret,
6119
    _In_reads_opt_(cbSalt)  PCBYTE          pbSalt,
6120
                            SIZE_T          cbSalt,
6121
    _In_reads_opt_(cbInfo)  PCBYTE          pbInfo,
6122
                            SIZE_T          cbInfo,
6123
    _Out_writes_(cbResult)  PBYTE           pbResult,
6124
                            SIZE_T          cbResult);
6125
//
6126
// This function is a wrapper for using SymCryptSskdfMacExpandSalt followed by SymCryptSskdfMacDerive
6127
// in order to produce SSKDF output.
6128
//
6129
// All of the function arguments are forwarded to SymCryptSskdfMacExpandSalt and SymCryptSskdfMacDerive
6130
// functions, hence the documentation on those functions apply here as well.
6131
//
6132

6133
SYMCRYPT_ERROR
6134
SYMCRYPT_CALL
6135
SymCryptSskdfHash(
6136
    _In_                    PCSYMCRYPT_HASH hashAlgorithm,
6137
                            SIZE_T          cbHashOutputSize,
6138
    _In_reads_(cbSecret)    PCBYTE          pbSecret,
6139
                            SIZE_T          cbSecret,
6140
    _In_reads_opt_(cbInfo)  PCBYTE          pbInfo,
6141
                            SIZE_T          cbInfo,
6142
    _Out_writes_(cbResult)  PBYTE           pbResult,
6143
                            SIZE_T          cbResult);
6144
//
6145
// Derive keys using the specified hash algorithm as H.
6146
//
6147
// Parameters:
6148
//    - hashAlgorithm       :   Hash algorithm that will be used in the key derivation.
6149
//    - cbHashOutputSize    :   Output size used by the hash algorithm for intermediate computations.
6150
//                              Set to 0 for hashes that don't support variable output sizes, or to use
6151
//                              the default output size. Currently, no allowed hash algorithms support
6152
//                              variable output sizes, so this should always be set to 0.
6153
//    - pbSecret, cbSecret  :   Buffer containing the shared secret.
6154
//    - pbInfo, cbInfo      :   Buffer containing the fixed info.
6155
//    - pbResult, cbResult  :   Buffer to store the derived key. Exactly cbResult bytes of output will be generated.
6156
//                              Must not exceed 2^{32} - 1 times the result size of hashAlgorithm.
6157
//
6158

6159
VOID
6160
SYMCRYPT_CALL
6161
SymCryptSskdfSelfTest(void);
6162

6163
//==========================================================================
6164
//   RNG ALGORITHMS
6165
//==========================================================================
6166

6167
////////////////////////////////////////////////////////////////////////////
6168
// AES-CTR-DRBG
6169
//
6170
// This is an implementation of AES-CTR_DRBG as specified in SP 800-90.
6171
// It always uses a 256-bit security strength.
6172
//
6173
// Note: This RNG is NOT compliant with FIPS 140-2 as it lacks the continuous
6174
//   self test required by FIPS 140-2. See the AES-FIPS RNG algorithm below.
6175
//
6176
// SYMCRYPT_RNG_AES_STATE
6177
//      State of an AES-CTR_DRBG instance.
6178
//
6179

6180
#define SYMCRYPT_RNG_AES_MIN_INSTANTIATE_SIZE   (32 + 16)
6181
#define SYMCRYPT_RNG_AES_MIN_RESEED_SIZE   (32)
6182
#define SYMCRYPT_RNG_AES_MAX_SEED_SIZE   (256)
6183

6184
SYMCRYPT_ERROR
6185
SYMCRYPT_CALL
6186
SymCryptRngAesInstantiate(
6187
    _Out_                       PSYMCRYPT_RNG_AES_STATE pRngState,
6188
    _In_reads_(cbSeedMaterial)  PCBYTE                  pcbSeedMaterial,
6189

6190
    _In_range_(SYMCRYPT_RNG_AES_MIN_INSTANTIATE_SIZE, SYMCRYPT_RNG_AES_MAX_SEED_SIZE)
6191
                                SIZE_T                  cbSeedMaterial );
6192
//
6193
// Initialize a new SYMCRYPT_RNG_AES_STATE, and seed it with the seed material.
6194
//
6195
// 'Instantiate' is the SP800-90 terminology.
6196
// The seed material must be at least SYMCRYPT_RNG_AES_MIN_INSTANTIATE_SIZE bytes,
6197
// and at most SYMCRYPT_RNG_AES_MAX_SEED_SIZE bytes.
6198
//
6199
// This implementation always uses 256-bit security strength, and
6200
// does not support 'prediction resistance' as defined in SP 800-90.
6201
//
6202
// SP 800-90 specifies three inputs to the instantiation:
6203
// - entropy
6204
// - nonce
6205
// - personalization string
6206
// This function takes only a single input, which is the concatenation of these three:
6207
//   seed material := entropy | nonce | personalization string
6208
//
6209
// The following are the requirements on the three inputs:
6210
//  Entropy: must have at least 256 bits of entropy
6211
//  Nonce: must either be a random value with 128-bits of entropy, or a value that does not
6212
//      repeat with a probability of more than 2^{-128}.
6213
// Together these requirements imply that cbSeedMaterial should be at least
6214
//  SYMCRYPT_RNG_AES_MIN_INSTANTIATE_SIZE
6215
//
6216
// This function only returns an error if the cbSeedMaterial value is out of range.
6217
//
6218

6219
VOID
6220
SYMCRYPT_CALL
6221
SymCryptRngAesGenerate(
6222
    _Inout_                 PSYMCRYPT_RNG_AES_STATE pRngState,
6223
    _Out_writes_(cbRandom)  PBYTE                   pbRandom,
6224
                            SIZE_T                  cbRandom );
6225
//
6226
// Generate random output from the state.
6227
//
6228
// Callers do not need to limit themselves to requests of 64 kB or less;
6229
// large requests are split internally to follow the request size limitations of SP 800-90.
6230
//
6231
// SP 800-90 also requires a limit on the # generate calls that can be done between reseeds.
6232
// For AES-CTR_DRBG this limit is 2^48, which means it is all but impossible to hit this limit.
6233
// If the caller were to succeed, the 2^48'th call will result in a fatal error.
6234
//
6235

6236
SYMCRYPT_ERROR
6237
SYMCRYPT_CALL
6238
SymCryptRngAesReseed(
6239
    _Inout_                     PSYMCRYPT_RNG_AES_STATE pRngState,
6240
    _In_reads_(cbSeedMaterial)  PCBYTE                  pcbSeedMaterial,
6241

6242
    _In_range_(SYMCRYPT_RNG_AES_MIN_RESEED_SIZE, SYMCRYPT_RNG_AES_MAX_SEED_SIZE)
6243
                                SIZE_T                  cbSeedMaterial );
6244
//
6245
// Reseed the PRNG state.
6246
//
6247
// The seed material consists of the concatenation of the following SP800-90 fields:
6248
// - entropy
6249
// - additional input
6250
//
6251
// The entropy input should have at least 256 bits of entropy.
6252
// This function only returns an error if the cbSeedMaterial value is out of range.
6253
//
6254

6255
VOID
6256
SYMCRYPT_CALL
6257
SymCryptRngAesUninstantiate(
6258
    _Inout_                 PSYMCRYPT_RNG_AES_STATE pRngState );
6259
//
6260
// Uninstantiate (clean up) the PRNG state
6261
//
6262

6263
VOID
6264
SYMCRYPT_CALL
6265
SymCryptRngAesInstantiateSelftest(void);
6266
//
6267
// For FIPS-certified modules, this function should be called before every instantiation.
6268
// If multiple DRBGs are instantiated 'in quick succession', a single self-test is sufficient
6269
//  (see SP 800-90 11.3.2).
6270
//
6271

6272

6273
VOID
6274
SYMCRYPT_CALL
6275
SymCryptRngAesReseedSelftest(void);
6276
//
6277
// FIPS-certified modules should call this function before every call to the reseed function.
6278
//
6279

6280
VOID
6281
SYMCRYPT_CALL
6282
SymCryptRngAesGenerateSelftest(void);
6283
//
6284
// FIPS-certified modules should call this function at least once on startup, and whenever
6285
// they want to re-test the generate function.
6286
//
6287

6288
////////////////////////////////////////////////////////////////////////////
6289
// AES-CTR-DRBG with FIPS 140-2 continuous self-test
6290
//
6291
// This is a straightforward wrapper around the AES-CTR-DRBG implementation
6292
// that adds the FIPS 140-2 continuous self-test.
6293
// At the moment, it looks like this test will not be present in FIPS 140-3 so
6294
// this RNG will be dropped when FIPS 140-3 comes out.
6295
// The self-test requirements are met by calling the selftest functions of the
6296
// AES-CTR_DRBG implementation directly.
6297
//
6298
// These functions are functionally equivalent to the ones for AES-CTR_DRBG.
6299
//
6300

6301
SYMCRYPT_ERROR
6302
SYMCRYPT_CALL
6303
SymCryptRngAesFips140_2Instantiate(
6304
    _Out_                       PSYMCRYPT_RNG_AES_FIPS140_2_STATE   pRngState,
6305
    _In_reads_(cbSeedMaterial)  PCBYTE                              pcbSeedMaterial,
6306

6307
    _In_range_(SYMCRYPT_RNG_AES_MIN_INSTANTIATE_SIZE, SYMCRYPT_RNG_AES_MAX_SEED_SIZE)
6308
                                SIZE_T                              cbSeedMaterial );
6309

6310
VOID
6311
SYMCRYPT_CALL
6312
SymCryptRngAesFips140_2Generate(
6313
    _Inout_                 PSYMCRYPT_RNG_AES_FIPS140_2_STATE       pRngState,
6314
    _Out_writes_(cbRandom)  PBYTE                                   pbRandom,
6315
                            SIZE_T                                  cbRandom );
6316

6317
SYMCRYPT_ERROR
6318
SYMCRYPT_CALL
6319
SymCryptRngAesFips140_2Reseed(
6320
    _Inout_                     PSYMCRYPT_RNG_AES_FIPS140_2_STATE   pRngState,
6321
    _In_reads_(cbSeedMaterial)  PCBYTE                              pcbSeedMaterial,
6322

6323
    _In_range_(SYMCRYPT_RNG_AES_MIN_RESEED_SIZE, SYMCRYPT_RNG_AES_MAX_SEED_SIZE)
6324
                                SIZE_T                              cbSeedMaterial );
6325

6326
VOID
6327
SYMCRYPT_CALL
6328
SymCryptRngAesFips140_2Uninstantiate(
6329
    _Inout_                 PSYMCRYPT_RNG_AES_FIPS140_2_STATE pRngState );
6330

6331
////////////////////////////////////////////////////////////////////////////////////////////
6332
//
6333
// Internal RNG functions
6334
//
6335
// To satisfy FIPS 140-3 and SP 800-90B, certain modules of SymCrypt may set up internal
6336
// RNG state(s) to keep random bit generation behind the module's FIPS boundary.
6337
// These functions allow the caller to get random bits and provide entropy, respectively,
6338
// to SymCrypt's internal RNG state(s).
6339
// Implementation is module dependent, and these functions may not be defined
6340
// for certain modules. Check before using.
6341
//
6342

6343
VOID
6344
SYMCRYPT_CALL
6345
SymCryptRandom(
6346
    _Out_writes_(cbRandom)  PBYTE   pbRandom,
6347
                            SIZE_T  cbRandom );
6348
// Fills pbRandom with cbRandom random bytes
6349

6350
VOID
6351
SYMCRYPT_CALL
6352
SymCryptProvideEntropy(
6353
    _In_reads_(cbEntropy)   PCBYTE  pbEntropy,
6354
                            SIZE_T  cbEntropy );
6355
// Mixes pbEntropy into the internal RNG state. There may be module-specific limits on
6356
// cbEntropy - check module before use
6357

6358

6359
////////////////////////////////////////////////////////////////////////////////////////////
6360
//
6361
// RdRand support
6362
// These functions provide access to the RdRand random number generator in
6363
// the latest Intel CPUs.
6364
// The DRBG that underlies the RdRand instruction is limited to 128-bit security.
6365
// The seed for each consecutive 8 kB of data can be recovered in 2^128 work.
6366
// Therefore, we allow for multiple blocks of 8 kB to be gathered in an attempt to
6367
// extract 256-bit security from the hardware.
6368
// In general, to achieve N*128 bits of security, you should use a buffer of
6369
// (N+1)*SYMCRYPT_RDRAND_RESEED_SIZE bytes.
6370
//
6371

6372
#if SYMCRYPT_CPU_X86 | SYMCRYPT_CPU_AMD64
6373

6374
// The RdRand instruction reseeds its internal DRBG every 8 kB (or faster)
6375
#define SYMCRYPT_RDRAND_RESEED_SIZE (1<<13)
6376

6377
SYMCRYPT_ERROR
6378
SYMCRYPT_CALL
6379
SymCryptRdrandStatus(void);
6380
//
6381
// Returns SYMCRYPT_NO_ERROR if RdRand is available.
6382
// returns SYMCRYPT_NOT_IMPLEMENTED if RdRand is not available.
6383
// Note: the library must be initialized before you call this function.
6384
//
6385

6386

6387
SYMCRYPT_ERROR
6388
SYMCRYPT_CALL
6389
SymCryptRdrandGetBytes(
6390
    _Out_writes_( cbBuffer )                    PBYTE   pbBuffer,
6391
                                                SIZE_T  cbBuffer,
6392
    _Out_writes_( SYMCRYPT_SHA512_RESULT_SIZE ) PBYTE   pbResult );
6393
//
6394
// Gets cbBuffer bytes from the RdRand instruction and hashes them to the pbResult buffer.
6395
// pbBuffer points to a scratch buffer that is used internally, but wiped upon exit.
6396
// cbBuffer must be a multiple of 16.
6397
// Fatal error if SymCryptRdrandStatus indicates that Rdrand is not available.
6398
// Returns an error if the RdRand instruction failed consistently.
6399
// Note: SymCrypt only checks whether RdRand self-reports as failing. SymCrypt does NOT attempt
6400
// to validate that the values returned in successful RdRand calls are in fact random.
6401
// See SymCryptRdrandGet for a version that does not return an error but fatals instead.
6402
//
6403

6404
VOID
6405
SYMCRYPT_CALL
6406
SymCryptRdrandGet(
6407
    _Out_writes_( cbBuffer )                    PBYTE   pbBuffer,
6408
                                                SIZE_T  cbBuffer,
6409
    _Out_writes_( SYMCRYPT_SHA512_RESULT_SIZE ) PBYTE   pbResult );
6410
//
6411
// Gets cbBuffer bytes from the RdRand instruction and hashes them to the pbResult buffer.
6412
// pbBuffer points to a scratch buffer that is used internally, but wiped upon exit.
6413
// cbBuffer must be a multiple of 16.
6414
// Fatal error if the RdRand instruction fails.
6415
// Note: SymCrypt only checks whether RdRand self-reports as failing. SymCrypt does NOT attempt
6416
// to validate that the values returned in successful RdRand calls are in fact random.
6417
//
6418

6419
#endif
6420

6421

6422
////////////////////////////////////////////////////////////////////////////////////////////
6423
//
6424
// RdSeed support
6425
// These functions provide access to the RdSeed random number generator in
6426
// recent Intel CPUs.
6427
//
6428

6429
#if SYMCRYPT_CPU_X86 | SYMCRYPT_CPU_AMD64
6430

6431
SYMCRYPT_ERROR
6432
SYMCRYPT_CALL
6433
SymCryptRdseedStatus(void);
6434
//
6435
// Returns SYMCRYPT_NO_ERROR if RdSeed is available.
6436
// returns SYMCRYPT_NOT_IMPLEMENTED if RdSeed is not available.
6437
// Note: the library must be initialized before you call this function.
6438
//
6439

6440

6441
SYMCRYPT_ERROR
6442
SYMCRYPT_CALL
6443
SymCryptRdseedGetBytes(
6444
    _Out_writes_( cbResult )                    PBYTE   pbResult,
6445
                                                SIZE_T  cbResult );
6446
//
6447
// Queries cbResult bytes from the Rdseed instruction and puts them in the buffer.
6448
// The number of bytes (cbResult) must be a multiple of 16.
6449
// Fatal error if the Rdseed instruction is not present.
6450
// Returns an error if the Rdseed instruction fails consistently.
6451
// Note: SymCrypt only checks whether Rdseed self-reports as failing. SymCrypt does NOT attempt
6452
// to validate that the values returned in successful Rdseed calls are in fact random.
6453
// See SymCryptRdseedGet for a version that does not return an error but fatals instead.
6454
//
6455

6456
VOID
6457
SYMCRYPT_CALL
6458
SymCryptRdseedGet(
6459
    _Out_writes_( cbResult )                    PBYTE   pbResult,
6460
                                                SIZE_T  cbResult );
6461
//
6462
// Queries cbResult bytes from the Rdseed instruction and puts them in the buffer.
6463
// The number of bytes (cbResult) must be a multiple of 16.
6464
// Fatal error if the Rdseed instruction is not present, or the instruction fails consistently.
6465
// Note: SymCrypt only checks whether Rdseed self-reports as failing. SymCrypt does NOT attempt
6466
// to validate that the values returned in successful Rdseed calls are in fact random.
6467
//
6468

6469
#endif
6470

6471
////////////////////////////////////////////////////////////////////////////////////////////
6472
//
6473
// AES-XTS
6474
//
6475

6476
SYMCRYPT_ERROR
6477
SYMCRYPT_CALL
6478
SymCryptXtsAesExpandKey(
6479
    _Out_               PSYMCRYPT_XTS_AES_EXPANDED_KEY  pExpandedKey,
6480
    _In_reads_( cbKey ) PCBYTE                          pbKey,
6481
                        SIZE_T                          cbKey );
6482
// Note that this key expansion function does not perform FIPS checks for backwards compatibility.
6483
// Use SymCryptXtsAesExpandKeyEx for FIPS-approved XTS key expansion.
6484

6485
SYMCRYPT_ERROR
6486
SYMCRYPT_CALL
6487
SymCryptXtsAesExpandKeyEx(
6488
    _Out_               PSYMCRYPT_XTS_AES_EXPANDED_KEY  pExpandedKey,
6489
    _In_reads_( cbKey ) PCBYTE                          pbKey,
6490
                        SIZE_T                          cbKey,
6491
                        UINT32                          flags );
6492
// Allowed flags:
6493
//
6494
// - SYMCRYPT_FLAG_KEY_NO_FIPS
6495
//   Opt-out of performing validation required for FIPS.
6496
//   Currently this is just checking that 2 AES keys used in XTS are non-equal.
6497

6498
VOID
6499
SYMCRYPT_CALL
6500
SymCryptXtsAesKeyCopy(
6501
    _In_    PCSYMCRYPT_XTS_AES_EXPANDED_KEY pSrc,
6502
    _Out_   PSYMCRYPT_XTS_AES_EXPANDED_KEY  pDst );
6503
//
6504
// Create a copy of an expanded key
6505
//
6506

6507
VOID
6508
SYMCRYPT_CALL
6509
SymCryptXtsAesEncrypt(
6510
    _In_                    PCSYMCRYPT_XTS_AES_EXPANDED_KEY pExpandedKey,
6511
                            SIZE_T                          cbDataUnit,
6512
                            UINT64                          tweak,
6513
    _In_reads_( cbData )    PCBYTE                          pbSrc,
6514
    _Out_writes_( cbData )  PBYTE                           pbDst,
6515
                            SIZE_T                          cbData );
6516
//
6517
// Encrypt a buffer using XTS-AES and 64 bit tweak.
6518
//      - pExpandedKey points to the expanded key for XTS.
6519
//      - cbDataUnit: size of each data unit, must be at least 16 and cannot exceed 2^{24} bytes. Typically 512.
6520
//      - tweak: 64 bit tweak value used for the first data unit in the buffer, incremented for subsequent data units.
6521
//      - pbSrc: plaintext input
6522
//      - pbDst: ciphertext output. The ciphertext buffer may be identical to the plaintext
6523
//          buffer, or non-overlapping. The ciphertext is also cbData bytes long.
6524
//      - cbData: # bytes of plaintext input. Must be a multiple of cbDataUnit.
6525
//
6526
// XTS-AES works on equal-sized data units, with each data unit being uniquely encrypted using a combination of
6527
// an integer "tweak" value and the XTS key (a pair of AES keys). A data unit typically corresponds to a sector
6528
// size on a disk.
6529
//
6530
// This API encrypts a buffer consisting of several consecutive data units, which use consecutive tweak values.
6531
// As the tweak is 64 bits, if there is an overflow of 64 bits, the value of the tweak will wrap to 0.
6532
//
6533
// i.e. encryption with tweak 0xffffffffffffffff for a buffer consisting of 2 data units will correspond to:
6534
// encryption using tweak 0xffffffffffffffff for the first data unit,
6535
// encryption using tweak 0x0000000000000000 for the second data unit
6536
//
6537
// Note, using cbDataUnit which is a power of 2 >= 256, will likely be more performant.
6538
//
6539

6540
VOID
6541
SYMCRYPT_CALL
6542
SymCryptXtsAesDecrypt(
6543
    _In_                    PCSYMCRYPT_XTS_AES_EXPANDED_KEY pExpandedKey,
6544
                            SIZE_T                          cbDataUnit,
6545
                            UINT64                          tweak,
6546
    _In_reads_( cbData )    PCBYTE                          pbSrc,
6547
    _Out_writes_( cbData )  PBYTE                           pbDst,
6548
                            SIZE_T                          cbData );
6549
//
6550
// Decrypt a buffer using XTS-AES and 64 bit tweak.
6551
// See SymCryptXtsAesEncrypt for a more in depth description, everything is the same, only this decrypts rather than encrypts.
6552
//
6553

6554
VOID
6555
SYMCRYPT_CALL
6556
SymCryptXtsAesEncryptWith128bTweak(
6557
    _In_                                    PCSYMCRYPT_XTS_AES_EXPANDED_KEY pExpandedKey,
6558
                                            SIZE_T                          cbDataUnit,
6559
    _In_reads_( SYMCRYPT_AES_BLOCK_SIZE )   PCBYTE                          pbTweak,
6560
    _In_reads_( cbData )                    PCBYTE                          pbSrc,
6561
    _Out_writes_( cbData )                  PBYTE                           pbDst,
6562
                                            SIZE_T                          cbData );
6563
//
6564
// Encrypt a buffer using XTS-AES and 128 bit tweak.
6565
//      - pExpandedKey points to the expanded key for XTS.
6566
//      - cbDataUnit: size of each data unit, must be at least 16 and cannot exceed 2^{24} bytes. Typically 512.
6567
//      - pbTweak: 128 bit tweak value used for the first data unit in the buffer, incremented for subsequent data units.
6568
//      - pbSrc: plaintext input
6569
//      - pbDst: ciphertext output. The ciphertext buffer may be identical to the plaintext
6570
//          buffer, or non-overlapping. The ciphertext is also cbData bytes long.
6571
//      - cbData: # bytes of plaintext input. Must be a multiple of cbDataUnit.
6572
//
6573
// XTS-AES works on equal-sized data units, with each data unit being uniquely encrypted using a combination of
6574
// an integer "tweak" value and the XTS key (a pair of AES keys). A data unit typically corresponds to a sector
6575
// size on a disk.
6576
//
6577
// This API encrypts a buffer consisting of several consecutive data units, which use consecutive tweak values.
6578
// As the tweak is 128 bits, if there is an overflow of 128 bits, the value of the tweak will wrap to 0.
6579
//
6580
// i.e. encryption with tweak 0x0000000000000000ffffffffffffffff for a buffer consisting of 2 data units will correspond to:
6581
// encryption using tweak 0x0000000000000000ffffffffffffffff for the first data unit,
6582
// encryption using tweak 0x00000000000000010000000000000000 for the second data unit
6583
//  but encryption with tweak 0xffffffffffffffffffffffffffffffff for a buffer consisting of 2 data units will correspond to:
6584
// encryption using tweak 0xffffffffffffffffffffffffffffffff for the first data unit,
6585
// encryption using tweak 0x00000000000000000000000000000000 for the second data unit
6586
//
6587
// Note, using cbDataUnit which is a power of 2 >= 256, will likely be more performant.
6588
//
6589

6590
VOID
6591
SYMCRYPT_CALL
6592
SymCryptXtsAesDecryptWith128bTweak(
6593
    _In_                                    PCSYMCRYPT_XTS_AES_EXPANDED_KEY pExpandedKey,
6594
                                            SIZE_T                          cbDataUnit,
6595
    _In_reads_( SYMCRYPT_AES_BLOCK_SIZE )   PCBYTE                          pbTweak,
6596
    _In_reads_( cbData )                    PCBYTE                          pbSrc,
6597
    _Out_writes_( cbData )                  PBYTE                           pbDst,
6598
                                            SIZE_T                          cbData );
6599
//
6600
// Decrypt a buffer using XTS-AES and 128 bit tweak.
6601
// See SymCryptXtsAesEncryptWith128bTweak for a more in depth description, everything is the same, only this decrypts rather than encrypts.
6602
//
6603

6604
VOID
6605
SYMCRYPT_CALL
6606
SymCryptXtsAesSelftest(void);
6607

6608
////////////////////////////////////////////////////////////////////////////////////////////
6609
//
6610
// AES-KW and AES-KWP
6611
//
6612
// These are the AES-KW and AES-KWP algorithms per SP 800-38F.
6613
//
6614
// These are very slow compared to most AES modes, requiring a long serial chain of AES
6615
// block encryption/decryptions, with a best case cost comparable to ~12x AES-CBC encryption
6616
// for a given buffer size. In practice the cost is often higher.
6617
// These cipher modes are not recommended.
6618
//
6619

6620
SYMCRYPT_ERROR
6621
SYMCRYPT_CALL
6622
SymCryptAesKwEncrypt(
6623
    _In_                                PCSYMCRYPT_AES_EXPANDED_KEY pExpandedKey,
6624
    _In_reads_(cbSrc)                   PCBYTE                      pbSrc,
6625
                                        SIZE_T                      cbSrc,
6626
    _Out_writes_to_(cbDst, *pcbResult)  PBYTE                       pbDst,
6627
                                        SIZE_T                      cbDst,
6628
    _Out_                               SIZE_T*                     pcbResult );
6629
//
6630
// Encrypt a buffer using AES-KW mode.
6631
//
6632
// - pExpandedKey points to the expanded key to use.
6633
// - pbSrc is the plaintext source buffer. The source and destination buffers may be
6634
//      identical (in-place encryption) or non-overlapping, but they may not partially overlap.
6635
// - cbSrc. # bytes of plaintext. This must be a multiple of 8, >=16, and <2^31.
6636
// - pbDst is the ciphertext destination buffer. The source and destination buffers may be
6637
//      identical (in-place encryption) or non-overlapping, but they may not partially overlap.
6638
// - cbDst. # bytes in the destination buffer. This must be >= cbSrc+8.
6639
// - pcbResult pointer to a variable which receives the length of the ciphertext written to pbDst.
6640
//
6641
// Returns:
6642
//      SYMCRYPT_INVALID_ARGUMENT           :   If cbSrc is an invalid size
6643
//      SYMCRYPT_BUFFER_TOO_SMALL           :   If cbDst is not large enough
6644
//                                              (this can always be avoided if cbDst >= cbSrc+8)
6645
//      SYMCRYPT_MEMORY_ALLOCATION_FAILURE  :   If there is insufficient memory for the operation
6646
//      SYMCRYPT_NO_ERROR                   :   On success
6647
//
6648
// Remarks:
6649
//  The standard allows larger plaintexts but there is no requirement to support them, we only support
6650
//  plaintext up to 2^31 bytes because it avoids complexity in handling overflow of 32b buffer sizes, and
6651
//  is larger than practically necessary.
6652
//  The output parameters (pbDst and pcbResult) are only set on success.
6653
//
6654

6655
SYMCRYPT_ERROR
6656
SYMCRYPT_CALL
6657
SymCryptAesKwDecrypt(
6658
    _In_                                PCSYMCRYPT_AES_EXPANDED_KEY pExpandedKey,
6659
    _In_reads_(cbSrc)                   PCBYTE                      pbSrc,
6660
                                        SIZE_T                      cbSrc,
6661
    _Out_writes_to_(cbDst, *pcbResult)  PBYTE                       pbDst,
6662
                                        SIZE_T                      cbDst,
6663
    _Out_                               SIZE_T*                     pcbResult );
6664
//
6665
// Decrypt a buffer using AES-KW mode.
6666
//
6667
// - pExpandedKey points to the expanded key to use.
6668
// - pbSrc is the ciphertext source buffer. The source and destination buffers may be
6669
//      identical (in-place decryption) or non-overlapping, but they may not partially overlap.
6670
// - cbSrc. # bytes of ciphertext. This must be a multiple of 8, >=24, and <=2^31.
6671
// - pbDst is the plaintext destination buffer. The source and destination buffers may be
6672
//      identical (in-place decryption) or non-overlapping, but they may not partially overlap.
6673
// - cbDst. # bytes in the destination buffer. This must be >= cbSrc-8.
6674
// - pcbResult pointer to a variable which receives the length of the plaintext written to pbDst.
6675
//
6676
// Returns:
6677
//      SYMCRYPT_INVALID_ARGUMENT           :   If cbSrc is an invalid size
6678
//      SYMCRYPT_BUFFER_TOO_SMALL           :   If cbDst is not large enough
6679
//                                              (this can always be avoided if cbDst >= cbSrc-8)
6680
//      SYMCRYPT_AUTHENTICATION_FAILURE     :   If pbSrc does not decrypt successfully
6681
//      SYMCRYPT_MEMORY_ALLOCATION_FAILURE  :   If there is insufficient memory for the operation
6682
//      SYMCRYPT_NO_ERROR                   :   On success
6683
//
6684
// Remarks:
6685
//  The standard allows larger plaintexts but there is no requirement to support them, we only support
6686
//  plaintext up to 2^31 bytes because it avoids complexity in handling overflow of 32b buffer sizes, and
6687
//  is larger than practically necessary.
6688
//  The output parameters (pbDst and pcbResult) are only set on success.
6689
//
6690

6691
SYMCRYPT_ERROR
6692
SYMCRYPT_CALL
6693
SymCryptAesKwpEncrypt(
6694
    _In_                                PCSYMCRYPT_AES_EXPANDED_KEY pExpandedKey,
6695
    _In_reads_(cbSrc)                   PCBYTE                      pbSrc,
6696
                                        SIZE_T                      cbSrc,
6697
    _Out_writes_to_(cbDst, *pcbResult)  PBYTE                       pbDst,
6698
                                        SIZE_T                      cbDst,
6699
    _Out_                               SIZE_T*                     pcbResult );
6700
//
6701
// Encrypt a buffer using AES-KWP mode.
6702
//
6703
// - pExpandedKey points to the expanded key to use.
6704
// - pbSrc is the plaintext source buffer. The source and destination buffers may be
6705
//      identical (in-place encryption) or non-overlapping, but they may not partially overlap.
6706
// - cbSrc. # bytes of plaintext. This must be >0 and <=2^31-8.
6707
// - pbDst is the ciphertext destination buffer. The source and destination buffers may be
6708
//      identical (in-place encryption) or non-overlapping, but they may not partially overlap.
6709
// - cbDst. # bytes in the destination buffer. This must be >= cbSrc + 16 - (cbSrc%8) - ((cbSrc%8)==0 ? 8 : 0)
6710
// - pcbResult pointer to a variable which receives the length of the ciphertext written to pbDst.
6711
//
6712
// Returns:
6713
//      SYMCRYPT_INVALID_ARGUMENT           :   If cbSrc is an invalid size
6714
//      SYMCRYPT_BUFFER_TOO_SMALL           :   If cbDst is not large enough
6715
//                                              (this can always be avoided if cbDst >= cbSrc+15)
6716
//      SYMCRYPT_MEMORY_ALLOCATION_FAILURE  :   If there is insufficient memory for the operation
6717
//      SYMCRYPT_NO_ERROR                   :   On success
6718
//
6719
// Remarks:
6720
//  The standard allows larger plaintexts but there is no requirement to support them, we only support
6721
//  plaintext up to 2^31 bytes because it avoids complexity in handling overflow of 32b buffer sizes, and
6722
//  is larger than practically necessary.
6723
//  The output parameters (pbDst and pcbResult) are only set on success.
6724
//
6725

6726
SYMCRYPT_ERROR
6727
SYMCRYPT_CALL
6728
SymCryptAesKwpDecrypt(
6729
    _In_                                PCSYMCRYPT_AES_EXPANDED_KEY pExpandedKey,
6730
    _In_reads_(cbSrc)                   PCBYTE                      pbSrc,
6731
                                        SIZE_T                      cbSrc,
6732
    _Out_writes_to_(cbDst, *pcbResult)  PBYTE                       pbDst,
6733
                                        SIZE_T                      cbDst,
6734
    _Out_                               SIZE_T*                     pcbResult );
6735
//
6736
// Decrypt a buffer using AES-KWP mode.
6737
//
6738
// - pExpandedKey points to the expanded key to use.
6739
// - pbSrc is the ciphertext source buffer. The source and destination buffers may be
6740
//      identical (in-place decryption) or non-overlapping, but they may not partially overlap.
6741
// - cbSrc. # bytes of ciphertext. This must be a multiple of 8, >=16, and <=2^31.
6742
// - pbDst is the plaintext destination buffer. The source and destination buffers may be
6743
//      identical (in-place decryption) or non-overlapping, but they may not partially overlap.
6744
// - cbDst. # bytes in the destination buffer. This must be large enough to fit the plaintext,
6745
//      a valid plaintext length is in the range [cbSrc-15, cbSrc-8]. If cbDst >= cbSrc-8 then the
6746
//      destination buffer is guaranteed to be large enough.
6747
// - pcbResult pointer to a variable which receives the length of the plaintext written to pbDst.
6748
//
6749
// Returns:
6750
//      SYMCRYPT_INVALID_ARGUMENT           :   If cbSrc is an invalid size
6751
//      SYMCRYPT_BUFFER_TOO_SMALL           :   If cbDst is not large enough
6752
//                                              (this can always be avoided if cbDst >= cbSrc-8)
6753
//      SYMCRYPT_AUTHENTICATION_FAILURE     :   If pbSrc does not decrypt successfully
6754
//      SYMCRYPT_MEMORY_ALLOCATION_FAILURE  :   If there is insufficient memory for the operation
6755
//      SYMCRYPT_NO_ERROR                   :   On success
6756
//
6757
// Remarks:
6758
//  The standard allows larger plaintexts but there is no requirement to support them, we only support
6759
//  plaintext up to 2^31 bytes because it avoids complexity in handling overflow of 32b buffer sizes, and
6760
//  is larger than practically necessary.
6761
//  The output parameters (pbDst and pcbResult) are only set on success.
6762
//
6763
//  If we fail to decrypt due to bad data, we return SYMCRYPT_AUTHENTICATION_FAILURE in constant time with
6764
//  respect to how the decrypted data is corrupted. While there is no known attack on AES-KWP abusing
6765
//  differential timing of different failure cases, being constant time for this is cheap, so is a reasonable
6766
//  hardening measure.
6767
//
6768
//  On success we do not attempt to hide the plaintext length from sidechannels, as this could make it hard
6769
//  for callers with known plaintext length to use precisely sized buffers to decrypt into (i.e. caller
6770
//  knows the valid plaintext is 15 bytes but the API would require caller to provide a 16 byte pbDst). It
6771
//  is expected that in any real use case the length of the plaintext would immediately be used to import the
6772
//  unwrapped key into some other piece of code - so attempting to obscure the plaintext length would not be
6773
//  of any benefit.
6774
//
6775

6776

6777
////////////////////////////////////////////////////////////////////////////////////////////
6778
//
6779
// TLS CBC cipher suites HMAC verification
6780
//
6781
// The TLS cipher suites for block cipher modes (typically CBC) are designed in an unfortunate way.
6782
// The format is:
6783
//      Plaintext | MAC | <padding> | <padding_length>
6784
// Which is then encrypted by the block cipher.
6785
// Plaintext is the data being transferred. MAC is the HMAC value over some header data and the plaintext.
6786
// The padding_length is a byte (range 0-255) that specifies the length of the padding.
6787
// The padding consists of padding_length bytes (up to 255) Each byte is equal to padding_length.
6788
// The padding_length is chosen so that length of the whole structure is a multiple of the block cipher block
6789
// size, so that it can be encrypted with CBC.
6790
//
6791
// The problem is that when decrypting this, the natural code will take actions that depend on the padding_length
6792
// byte before it has been authenticated, and those actions might reveal information about padding_byte. This
6793
// in turn can be used in an attack that lets the attacker decrypt data.
6794
// We are particularly concerned with software side channels, where another thread infers information about what the
6795
// active thread is doing through cache state and other shared CPU state.
6796
//
6797
// To address this issue once and for all, we created an implementation of the HMAC verification with the following
6798
// properties:
6799
// - It verifies the HMAC in the data structure above.
6800
// - This is done in a side-channel safe manner, not revealing anything except whether the structure is valid or not.
6801
// This means that the HMAC computation over the plaintext is constant-time and constant-memory-access pattern
6802
// irrespective of the padding_length; thus this is a fixed-time implementation for variable-sized inputs.
6803
// Similarly, the MAC value has to be extracted from a variable location in the input using a fixed memory access
6804
// pattern.
6805
//
6806

6807
SYMCRYPT_ERROR
6808
SYMCRYPT_CALL
6809
SymCryptTlsCbcHmacVerify(
6810
    _In_                PCSYMCRYPT_MAC  pMacAlgorithm,
6811
    _In_                PVOID           pExpandedKey,
6812
    _Inout_             PVOID           pState,
6813
    _In_reads_(cbData)  PCBYTE          pbData,
6814
                        SIZE_T          cbData);
6815
// Verify a TLS CBC cipher suite MAC value
6816
//  - macAlgorithm: one of SymCryptHmacSha1Algorithm, SymCryptHmacSha256Algorithm, or SymCryptHmacSha384Algorithm.
6817
//      Other MAC algorithms are not supported.
6818
//  - pState points to an SYMCRYPT_HMAC_SHAXXX_STATE. It is allowed to process data into the state before this call,
6819
//      but the total # bytes processed must be < 2^16.
6820
//  - pbData points to a buffer containing the concatenation of plaintext, MAC, padding, and padding_length.
6821
//  - cbData is the size of the buffer.
6822
// Note: callers should pass the entire (plaintext | MAC | padding | padding_length) in a single call to get
6823
// the full side-channel protection.
6824
// This function returns success if the HMAC verification is successful.
6825
// It returns an error if the padding or HMAC verification fails.
6826
// After the call pState is wiped of any sensitive data, just like the SymCryptHmacXxxResult function.
6827
// Callers have to check the padding_length byte pbData[cbData-1] to determine the size of the plaintext.
6828
//
6829

6830

6831

6832
/*
6833

6834
Yes, despite its name, SymCrypt supports asymmetric cryptographic algorithms.
6835
The asymmetric implementations have the following primary design goals:
6836
    - Implement asymmetric cryptographic algorithms like RSA, DSA, DH, ECDSA, ECDH, etc.
6837
    - Protect against all software-based side-channel attacks
6838
    - Protect against those hardware-based side-channel attacks that can be practically protected against in software.
6839
    - High performance, dynamically using CPU features that are available on the current CPU stepping.
6840
    - Support small code and small memory environments.
6841
    - Support environments that need to control memory allocations.
6842

6843
The primary use-case is for SymCrypt to be the crypto library for MS products. This includes high-performance
6844
scenarios such as TLS server termination, and low-footprint uses such as Bootmgr.
6845
SymCrypt supports applications such as firmware updates for embedded CPUs where code and memory
6846
footprint are of overriding importance.
6847

6848
Side channel attacks:
6849
Defence against side channel attacks play an important part in the design and implementation of
6850
SymCrypt. Side channel attacks are a class of attacks on cryptographic systems where the attacker
6851
gets some information about a cryptographic computation in addition to the inputs and outputs.
6852
For example, any of the following information could be retrieved by the attacker:
6853
- The time it takes to perform a computation (either exactly or approximately)
6854
- The power usage over time of the CPU.
6855
- The noise made by the computer's power supply (a function of the CPU power consumption)
6856
- Which cache lines are evicted from the attacker's thread A by a computation in thread B.
6857
These may sound like esoteric attacks, but all of them have been used in practical demonstrations
6858
to attack cryptographic systems.
6859

6860
SymCrypt uses the following API rules to protect against side-channel attacks:
6861
- Information is divided into two classes: public information and private information.
6862
- Public information is allowed to leak through side channels, and the library makes no attempt to hide
6863
    public information.
6864
- Private information is protected against side-channel attacks to the best ability of the library.
6865
Unless otherwise documented, all information is treated as private.
6866
Functions may document that a particular value is "published". This means that the function may use
6867
the value in a way that is not side-channel safe, so any security analysis that considers
6868
side-channel attacks must assume that the published value is public and known by the attacker.
6869

6870
The following information is always assumed to be public, and thus known to any side-channel attacker:
6871
- Which SymCrypt function is being called.
6872
- The location of any of the buffers passed as arguments.
6873
- The size parameter of any buffer passed as an argument.
6874
- Any details that cause a function to return an error.
6875
Thus, it is important that callers who wish to be side-channel safe ensure that their buffer locations and sizes
6876
do not reveal any information, and that they do not make any calls that result in an error, unless there is no
6877
need for secrecy when an error occurs.
6878

6879
Because pointer values are all public (the memory address cannot be hidden on modern CPUs if the buffer is accessed)
6880
side-channel safe code ends up using masked operations, such as masked-copy where the copy is done or not done
6881
depending on a mask parameter to the function.
6882
SymCrypt exposes a set of masked functions that applications can use for their own side-channel safe operations.
6883

6884
The following coding rules are used to protect private information:
6885
- The sequence of instructions executed is independent of private information.
6886
- The sequence of memory operations (read/write) and memory addresses accessed is independent of private information.
6887
- Private information is not used in instructions whose timing may depend on the data being processed.
6888
As far as we know these rules stop all software-based side-channel attacks, and many hardware-based ones.
6889

6890
One remaining line of attack is to feed the algorithm with values that are special. For example, an RSA
6891
decryption may receive a value that contains many zeroes modulo one prime. If the power consumption of the
6892
multiply instruction reveals whether one of the multiplicands is zero, then the attacker might learn
6893
useful information. Note that this is a pure hardware attack, it is not applicable to software attackers.
6894
Protecting against this style of attack is an area that still needs more research. Where applicable we
6895
document the additional protections that SymCrypt provides.
6896

6897

6898
Running with CHKed code:
6899
All binaries that use SymCrypt must build CHKed versions of the binary (linking the CHKed version of SymCrypt)
6900
and perform full test runs on the CHKed version.
6901
Due to the performance and operational requirements, the production-optimized SymCrypt library API cannot
6902
check all buffer sizes or even be fully SAL-annotated.
6903
The necessary size information is simply not available at every call point, and passing
6904
the size information around would add too much overhead.
6905
The CHKed version of the library adds additional code & per-object storage to be able to implement check that
6906
are broadly equivalent to what SAL would normally check.
6907
SAL checks are part of the SDL requirements and need to be done on all Microsoft products.
6908
Though this requirement cannot strictly speaking be satisfied with the SymCrypt library, running the CHKed
6909
version through full validation is the best equivalent, and therefore should be considered mandatory.
6910

6911
Please ensure that the validation runs exercise all the border-cases of largest and smallest sizes, as well as
6912
intermediate sizes for the parameters.
6913

6914
*/
6915

6916

6917
//
6918
// Caller-provided functions
6919
//
6920
// Some of the large-integer and asymmetric algorithm functions use callbacks.
6921
// The callback functions do not have to be functional for binaries that only use the symmetric algorithm
6922
// implementations.
6923
// Use of callbacks is documented in each function that uses them.
6924
//
6925

6926
PVOID
6927
SYMCRYPT_CALL
6928
SymCryptCallbackAlloc( SIZE_T nBytes );
6929
//
6930
// Allocate a buffer of nBytes; returns NULL on failure.
6931
// Returned pointer must be aligned to a multiple of SYMCRYPT_ASYM_ALIGN_VALUE.
6932
//
6933

6934
VOID
6935
SYMCRYPT_CALL
6936
SymCryptCallbackFree( PVOID pMem );
6937
//
6938
// Called by SymCrypt to free a buffer previously allocated by SymCryptCallbackAlloc().
6939
// Note that callers should never call these functions directly. Buffers that were returned
6940
// from the SymCrypt API are freed with SymCryptFree* functions, not this function.
6941
//
6942

6943
SYMCRYPT_ERROR
6944
SYMCRYPT_CALL
6945
SYMCRYPT_WEAK_SYMBOL
6946
SymCryptCallbackRandom(
6947
    _Out_writes_bytes_( cbBuffer )  PBYTE   pbBuffer,
6948
                                    SIZE_T  cbBuffer );
6949
//
6950
// Fill the buffer with uniformly distributed random bytes from a cryptographically strong RNG source.
6951
//
6952

6953
PVOID
6954
SYMCRYPT_CALL
6955
SymCryptCallbackAllocateMutexFastInproc(void);
6956
//
6957
// Allocate and initialize a mutex object; returns NULL on failure.
6958
//
6959
// Fast indicates that users of the mutex will only hold it for a short period of time, so it
6960
// is not expected that threads should need to sleep before acquiring the mutex. (i.e. can be
6961
// implemented by a spinlock in kernel mode).
6962
// Inproc indicates the mutex is only used for synchronization between threads in a single process.
6963
//
6964
// Users of the library in contexts where mutexes are not available can set this callback to always
6965
// return NULL, and attempts to use APIs requiring it will fail at runtime.
6966
//
6967

6968
VOID
6969
SYMCRYPT_CALL
6970
SymCryptCallbackFreeMutexFastInproc( _Inout_ PVOID pMutex );
6971
//
6972
// Free a mutex object previously created by SymCryptCallbackAllocateMutexFastInproc
6973
//
6974

6975
VOID
6976
SYMCRYPT_CALL
6977
SymCryptCallbackAcquireMutexFastInproc( _Inout_ PVOID pMutex );
6978
//
6979
// Take exclusive ownership of a mutex object allocated by SymCryptCallbackAllocateMutexFastInproc.
6980
//
6981
// This call must also ensure memory ordering such that stores before the previous call to
6982
// SymCryptCallbackReleaseMutexFastInproc with this mutex are observable by loads after this call.
6983
//
6984

6985
VOID
6986
SYMCRYPT_CALL
6987
SymCryptCallbackReleaseMutexFastInproc( _Inout_ PVOID pMutex );
6988
//
6989
// Relinquish ownership of a mutex object allocated by SymCryptCallbackAllocateMutexFastInproc and
6990
// acquired by SymCryptCallbackAcquireMutexFastInproc.
6991
//
6992

6993
//==============================================================================================
6994
// Object types for high-level API
6995
//
6996
// SYMCRYPT_RSAKEY       A key that stores the information for the RSA algorithms (encryption and signing).
6997
//                       It always contains the RSA parameters / public key, and may or may not contain
6998
//                       the associated private key.
6999
// SYMCRYPT_DLGROUP      A discrete log group to be used for the DSA and DH algorithms. It contains the
7000
//                       group parameters (P,[Q],G) (The prime Q is optional).
7001
// SYMCRYPT_DLKEY        A "discrete log" key that stores the information for the DSA and DH algorithms. It
7002
//                       always contains a public key, and may or may not contain the associated private key.
7003
// SYMCRYPT_ECURVE       An elliptic curve over a prime field. Contains field prime, curve parameters,
7004
//                       and distinguished point (generator).
7005
// SYMCRYPT_ECKEY        An elliptic curve key for the ECDH and ECDSA algorithms. It always contains a
7006
//                       public key, and may or may not contain the associated private key.
7007
//
7008
// See symcrypt_internal.h for structure definitions.
7009
//
7010

7011
//==============================================================================================
7012
// Supported formats and parameters
7013
//
7014

7015
typedef enum _SYMCRYPT_NUMBER_FORMAT {
7016
    SYMCRYPT_NUMBER_FORMAT_LSB_FIRST = 1,
7017
    SYMCRYPT_NUMBER_FORMAT_MSB_FIRST = 2,
7018
} SYMCRYPT_NUMBER_FORMAT;
7019
//
7020
// SYMCRYPT_NUMBER_FORMAT is used to specify the number format for import and export
7021
// of BYTE arrays. We support the following two number formats:
7022
// Let p[0], ..., p[n-1] be an array containing n bytes:
7023
// LSB_FIRST:
7024
//      Value   = \sum_{i=0}^{n-1} p[i] * 2^{8*i}
7025
//              = p[0] + 2^8 * p[1] + 2^{16} * p[2] + ...
7026
//
7027
// MSB_FIRST:
7028
//      Value   = \sum_{i=0}^{n-1} p[n-1-i] * 2^{8*i}
7029
//              = p[n-1] + 2^8 * p[n-2] + 2^{16} * p[n-3] + ...
7030
//
7031

7032
typedef struct _SYMCRYPT_RSA_PARAMS {
7033
    UINT32              version;            // Version of the parameters structure
7034
    UINT32              nBitsOfModulus;     // Number of bits in the modulus
7035
    UINT32              nPrimes;            // Number of primes, 0 if object is only for public key
7036
    UINT32              nPubExp;            // Number of public exponents (typically 1)
7037
} SYMCRYPT_RSA_PARAMS, *PSYMCRYPT_RSA_PARAMS;
7038
typedef const SYMCRYPT_RSA_PARAMS * PCSYMCRYPT_RSA_PARAMS;
7039
//
7040
// SYMCRYPT_RSA_PARAMS is used to specify all the parameters needed for creation of an
7041
// RSA key object. The above is version 1 of the parameters.
7042
// Currently, we only support nPubExp = 1 and nPrimes = 0 or 2.
7043
// Note: nPrimes > 2 and nPubExp > 1 allow faster and more flexible
7044
// RSA functionality. Though currently not supported, these parameters make it easy to add
7045
// support in the future.
7046
//
7047

7048
// Notation for elliptic curve parameters and functions
7049
// ====================================================
7050

7051
//  E       The elliptic curve group. This is typically represented as the set of 2D points (with
7052
//          coordinates from a finite field) that satisfy a specific curve equation.
7053
//          An example equation is y^2 = x^3 + Ax + B for A,B. The set E also
7054
//          contains a special "zero" point denoted by O.
7055
//  |E|     The total number of points on the elliptic curve group E.
7056
//  G       A special point in E which generates a (prime) order subgroup.
7057
//  GOrd    The (prime) order of the generator point G. Therefore, GOrd * G = O.
7058
//  h       The cofactor of the curve. It is defined as h = |E| / GOrd. Typical
7059
//          cofactors are 4 (NUMS curves), and 8 (curve 25519).
7060

7061
// Definitions
7062
// ===========
7063

7064
// A "proper public key" (PPK) on the curve E is defined to be an arbitrary nonzero point of the
7065
// subgroup generated by the point G.
7066

7067
// A "proper secret key" (PSK) is the logarithm of a "proper public key" with
7068
// respect to G. Therefore, if Q is the PPK, then the corresponding PSK is the unique
7069
// integer s with 0 < s < GOrd such that s*G = Q.
7070

7071
// If the cofactor of the curve is equal to 1, then the entire group E is generated by
7072
// the point G and all nonzero points in E are "proper public keys".
7073

7074
// Otherwise, an arbitrary point on the curve might or might not belong to the subgroup
7075
// generated by G. Furthermore, in this case, an arbitrary point P may have order equal
7076
// to the cofactor (or smaller), i.e. h*P=O, or an order larger than GOrd.
7077

7078
// To securely handle the cases where "non-proper" public keys are imported from possibly malicious
7079
// sources, the creators of curve parameters impose several restrictions on the secret keys
7080
// and the algorithms used. For example, the scalar multiplication algorithm for NUMS curves
7081
// always pre-multiplies a point by the cofactor; in order to zero-out any possible
7082
// components of lower order ("low-order clearing"). Curve 25519 imposes this by asserting
7083
// that all secret keys have the 3 lowest bits set to 0, which is equivalent to multiplying
7084
// by h=8.
7085

7086
typedef enum _SYMCRYPT_ECURVE_GEN_ALG_ID {
7087
    SYMCRYPT_ECURVE_GEN_ALG_ID_NULL = 0,
7088
} SYMCRYPT_ECURVE_GEN_ALG_ID;
7089
//
7090
// SYMCRYPT_ECURVE_GEN_ALG_ID is used to specify (if available) the algorithm that
7091
// generates the curve parameters from the provided seed.
7092
//
7093

7094

7095
typedef struct _SYMCRYPT_ECURVE_PARAMS_V2_EXTENSION {
7096
    UINT32  PrivateKeyDefaultFormat;
7097
    UINT32  HighBitRestrictionNumOfBits;
7098
    UINT32  HighBitRestrictionPosition;
7099
    UINT32  HighBitRestrictionValue;
7100
} SYMCRYPT_ECURVE_PARAMS_V2_EXTENSION, *PSYMCRYPT_ECURVE_PARAMS_V2_EXTENSION;
7101
typedef const SYMCRYPT_ECURVE_PARAMS_V2_EXTENSION * PCSYMCRYPT_ECURVE_PARAMS_V2_EXTENSION;
7102
//
7103
// SYMCRYPT_ECURVE_PARAMS_V2_EXTENSION is used to specify restrictions and default formats
7104
// for known curves. The possible formats and restriction are explained below.
7105
//
7106

7107
// Secret key formats
7108
// ==================
7109
// The possible secret key formats in SymCrypt are shown below. For all formats, s denotes
7110
// a "proper secret key" defined as above. I.e. 0 < s < GOrd.
7111
//
7112
//  1. "Canonical":         s
7113
//  2. "DivH":              s/h mod GOrd
7114
//  3. "DivHTimesH":        h*(s/h mod GOrd)
7115
//  4. "TimesH":            h*s                 <-- This format is currently unsupported
7116
//
7117
// Remarks:
7118
//  -   The above formats apply **only to external formats**: When somebody is
7119
//      importing a secret key (from test vectors, for example) or exporting a key.
7120
//      The internal format of the secret keys might be one of them or something totally
7121
//      different; the internal format is not visible to the caller.
7122
//  -   Formats 3 and 4 have bigger storage requirements compared to 1 and 2, as
7123
//      the key can be up to |E|.
7124
//  -   When h=1 all formats are identical. This is the case for NIST curves.
7125
//  -   The NUMS curves use the "DivH" secret key format in the test vectors and the
7126
//      multiplication algorithm implicitly multiplies by h.
7127
//  -   Curve 25519 uses the "DivHTimesH" secret key format in the test vectors.
7128
typedef enum _SYMCRYPT_ECKEY_PRIVATE_FORMAT {
7129
    SYMCRYPT_ECKEY_PRIVATE_FORMAT_NULL           = 0,
7130
    SYMCRYPT_ECKEY_PRIVATE_FORMAT_CANONICAL      = 1,
7131
    SYMCRYPT_ECKEY_PRIVATE_FORMAT_DIVH           = 2,
7132
    SYMCRYPT_ECKEY_PRIVATE_FORMAT_DIVH_TIMESH    = 3,
7133
} SYMCRYPT_ECKEY_PRIVATE_FORMAT;
7134

7135
// High bit restrictions
7136
// =====================
7137
// A high bit restriction is a requirement for some of the high bits of the secret keys
7138
// (usually the most significant bits of the curve).
7139
// Currently only curve 25519 imposes such a restriction: That the bits 255 and 254 of the
7140
// secret key in the "DivHTimesH" format are 0 and 1, respectively.
7141
//
7142
// The high bit restrictions specification takes the following form:
7143
//     - Number of bits that are specified
7144
//     - Bit position of the lowest bit to be specified (starting from 0 for the LSB)
7145
//     - The bit values
7146
// The bits that are specified refer to the relevant secret key format.
7147
// For Canonical and DivH formats the total number of bits is the # bits of GOrd-1.
7148
// For DivHTimesH and TimesH formats the total number of bits is the # bits of |E|-1.
7149
//
7150
// Note: as GOrd must be prime, #bits(Gord) == #bits(Gord-1). The same is true
7151
// for |E|=h*GOrd as it cannot be a power of 2.
7152
//
7153
// The HighBitRestrictionNumOfBits field is a value between 0 and 32 (inclusive)
7154
// and specifies how many bits of the HighBitRestrictionValue are used (starting
7155
// from the least significant bit of the value). The bits that are restricted are
7156
// the bits [HighBitRestrictionPosition+HighBitRestrictionNumOfBits-1, ..., HighBitRestrictionPosition]
7157
//
7158
//      For example, let's assume it is required that the bits [104, 103, ..., 100]
7159
//      of all private keys of a curve are always 11011.
7160
//      Then the parameters should be set to
7161
//              HighBitRestrictionNumOfBits = 5
7162
//              HighBitRestrictionPosition = 100
7163
//              HighBitRestrictionValue = 0x1B
7164
//
7165

7166

7167
typedef struct _SYMCRYPT_ECURVE_PARAMS {
7168
    UINT32                      version;            // Version of the parameters structure (see comment below)
7169
    SYMCRYPT_ECURVE_TYPE        type;               // Type of the curve
7170
    SYMCRYPT_ECURVE_GEN_ALG_ID  algId;              // Algorithm ID for generation of parameters from seed
7171
    UINT32                      cbFieldLength;      // Length of the field elements in bytes
7172
    UINT32                      cbSubgroupOrder;    // Length of the subgroup in bytes
7173
    UINT32                      cbCofactor;         // Length of the cofactor in bytes
7174
    UINT32                      cbSeed;             // Length of the seed
7175
    // This struct is followed in memory by:
7176
    //P[cbFieldLength]      Prime of the base field
7177
    //A[cbFieldLength]      Coefficient A of all three types of curves
7178
    //B[cbFieldLength]      Coefficient B of Weierstrass and Montgomery curves and D for Twisted Edwards curves
7179
    //Gx[cbFieldLength]     X-coordinate of the distinguished point (assuming SYMCRYPT_ECPOINT_FORMAT_XY)
7180
    //Gy[cbFieldLength]     Y-coordinate of the distinguished point (assuming SYMCRYPT_ECPOINT_FORMAT_XY)
7181
    //n[cbSubGroupOrder]    Order of the subgroup generated by the distinguished point
7182
    //h[cbCofactor]         Cofactor of the distinguished point
7183
    //S[cbSeed]             Seed of the curve
7184

7185
    //ParamsV2Extension[sizeof(SYMCRYPT_ECURVE_PARAMS_V2_EXTENSION)];  // Only on version 2 of the parameters
7186
} SYMCRYPT_ECURVE_PARAMS, *PSYMCRYPT_ECURVE_PARAMS;
7187
typedef const SYMCRYPT_ECURVE_PARAMS * PCSYMCRYPT_ECURVE_PARAMS;
7188
//
7189
// SYMCRYPT_ECURVE_PARAMS is used to specify all the parameters needed for the curve generation. The above
7190
// are versions 1 and 2 of the curve parameters.
7191
//
7192

7193
typedef enum _SYMCRYPT_ECPOINT_FORMAT {
7194
    SYMCRYPT_ECPOINT_FORMAT_X   = 1,   // One value, encoding the X coordinate only of a point
7195
    SYMCRYPT_ECPOINT_FORMAT_XY  = 2,   // Two equally-sized values, the first one encoding X and the second one encoding Y
7196
} SYMCRYPT_ECPOINT_FORMAT;
7197
//
7198
// SYMCRYPT_ECPOINT_FORMAT is used to support different elliptic curve point formats, including possible point compression.
7199
//
7200

7201
//========================================================================
7202
//========================================================================
7203
// Main schema for object creation, deletion, and management.
7204
//
7205
// Object management is the same for most object types. For an object type XXX we have
7206
// the following functions:
7207
//
7208
// PSYMCRYPT_XXX
7209
// SYMCRYPT_CALL
7210
// SymCryptXxxAllocate( <size parameters> )
7211
//  Allocates an object of type XXX according to the specified size parameters.
7212
//  If the allocation fails, NULL is returned.
7213
//  If the allocation succeeds, an XXX pointer is returned, and the caller is responsible
7214
//  for freeing the result using SymCryptXxxFree().
7215
//  The value of the new object is undefined.
7216
//  All the parameters to this function are published. (Object sizes cannot be private information.)
7217
//
7218
// VOID
7219
// SYMCRYPT_CALL
7220
// SymCryptXxxFree( _Inout_ PSYMCRYPT_XXX p )
7221
//  Free an XXX object allocated with SymCryptAllocateXxx().
7222
//  Any storage location in the object that might have contained private information is wiped.
7223
//
7224
// UINT32
7225
// SYMCRYPT_CALL
7226
// SymCryptSizeofXxxFromYyy( <size parameters> );
7227
//  Memory size that is sufficient to store an XXX object with size defined by the <size parameters>.
7228
//  The Yyy specifies the form of the size parameters, for example Ecurve.
7229
//  This is a runtime function as the size of an object is a run-time decision dependent on the CPU stepping.
7230
//  The result is always a multiple of the alignment requirements of this object type, so arrays can be built
7231
//  using this element size.
7232
//
7233
// SYMCRYPT_SIZEOF_XXX_FROM_YYY( <size parameters> )
7234
//  This is a compile-time macro that computes a value not less than the SymCryptSizeofXxxFromYyy function, and
7235
//  is suitable to statically compute the size of a memory buffer for an object.
7236
//  (Not defined for all types.)
7237
//
7238
// PSYMCRYPT_XXX
7239
// SYMCRYPT_CALL
7240
// SymCryptXxxCreate(
7241
//      _Out_writes_bytes_( cbBuffer )  PBYTE   pbBuffer,
7242
//                                      SIZE_T  cbBuffer,
7243
//                                      <size parameters> );
7244
//  Create an XXX object from the provided (pbBuffer, cbBuffer) space.
7245
//  This function performs the necessary initializations of the object, but does not assign or set a value.
7246
//  The object will be able to store values up to size determined by the <size parameters>.
7247
//  Requirement:
7248
//      - pbBuffer is aligned to SYMCRYPT_ASYM_ALIGN_VALUE. Note that this can be a stricter requirement than
7249
//          SYMCRYPT_ALIGNED, and memory allocation functions might not return pointers that are suitably
7250
//          aligned. For some object types and some CPUs, the alignment requirements might be less strict.
7251
//          The main purpose of this relaxation is to always allow objects that are spaced
7252
//          SymCryptSizeofXxxFromYyy apart. The common usage is to create an array of objects. The array
7253
//          starts at a SYMCRYPT_ASYM_ALIGNed location, with each element SymCryptSizeofXxxFromYyy(..) bytes long.
7254
//      - cbBuffer >= SymCryptSizeofXxxFromYyy( <size parameters> )
7255
//      - (pbBuffer,cbBuffer) memory must be exclusively used by this object.
7256
//  The last requirement ensures that all objects are non-overlapping (except for API functions
7257
//  that explicitly create overlapping objects).
7258
//  All parameters are published.
7259
//  It is always safe to choose
7260
//      cbBuffer = SymCryptSizeofXxxFromYyy( <size parameters> )
7261
//  The returned object pointer is simply a cast of the pbBuffer pointer.
7262
//  Callers that manage arrays of objects can reconstruct the PSYMCRYPT_XXX by casting the buffer pointer
7263
//  to the right type.
7264
//  An object that is created with this function should be wiped, even if it doesn't contain private data.
7265
//  The SymCryptXxxWipe() function also frees any associated data that the library may maintain.
7266
//
7267
// VOID
7268
// SYMCRYPT_CALL
7269
// SymCryptXxxWipe( _Out_ PSYMCRYPT_XXX  Dst )
7270
//  All private information in the Dst object is wiped, and any associated data is freed.
7271
//  Unless otherwise specified, the Dst object is left in an undefined state.
7272
//  An SymCryptXxxAllocate-d object does not have to be wiped before it is freed
7273
//  because the SymCryptXxxFree function will perform the wipe.
7274
//  However, SymCryptXxxCreate-d objects should always be wiped even if they don't contain
7275
//  secret data, as the wipe also frees any associated data the library may maintain.
7276
//
7277
// VOID
7278
// SYMCRYPT_CALL
7279
// SymCryptXxxCopy(
7280
//      _In_ PCSYMCRYPT_XXX    pxSrc,
7281
//      _Out_PSYMCRYPT_XXX     pxDst );
7282
// Dst = Src.
7283
//  Requirement: The <size parameters> of both objects should the same.
7284
//  Src must be in a defined state, it is not valid to copy an undefined object.
7285
//  Src and Dst may be the same object (though that is a no-op).
7286
//
7287

7288
//========================================================================
7289
// RSAKEY objects' API
7290
//
7291

7292
#define SYMCRYPT_SIZEOF_RSAKEY_FROM_PARAMS( modBits, nPrimes, nPubExps ) \
7293
    SYMCRYPT_INTERNAL_SIZEOF_RSAKEY_FROM_PARAMS( modBits, nPrimes, nPubExps )
7294
// Return a buffer size large enough to create an RSA key in which the specified
7295
// modulus size, # primes, # public exponents, and upper bound for the bitsize of each public exponent.
7296
// If the object will only contain a public key, nPrimes can be set to 0
7297

7298
PSYMCRYPT_RSAKEY
7299
SYMCRYPT_CALL
7300
SymCryptRsakeyAllocate(
7301
    _In_    PCSYMCRYPT_RSA_PARAMS   pParams,
7302
    _In_    UINT32                  flags );
7303
//
7304
// Allocate and create a new RSAKEY object sized according to the parameters.
7305
// If the SYMCRYPT_RSAKEY object will only be used for a public key, the
7306
// SYMCRYPT_RSA_PARAMS structure may set nPrimes = 0. Use of
7307
// SymCryptRsakeySetValueFromPrivateExponent requires nPrimes = 2.
7308
//
7309
// This call does not initialize the key. It should be
7310
// followed by a call to SymCryptRsakeyGenerate or
7311
// SymCryptRsakeySetValue*.
7312
//
7313
// No flags are specified for this function.
7314
//
7315

7316
VOID
7317
SYMCRYPT_CALL
7318
SymCryptRsakeyFree( _Out_ PSYMCRYPT_RSAKEY pkObj );
7319

7320
UINT32
7321
SYMCRYPT_CALL
7322
SymCryptSizeofRsakeyFromParams( _In_ PCSYMCRYPT_RSA_PARAMS pParams );
7323
// If the to-be-allocated SYMCRYPT_RSAKEY object will only be used for a public key, the
7324
// SYMCRYPT_RSA_PARAMS structure may set nPrimes = 0.
7325

7326
PSYMCRYPT_RSAKEY
7327
SYMCRYPT_CALL
7328
SymCryptRsakeyCreate(
7329
    _Out_writes_bytes_( cbBuffer )  PBYTE                   pbBuffer,
7330
                                    SIZE_T                  cbBuffer,
7331
    _In_                            PCSYMCRYPT_RSA_PARAMS   pParams );
7332
//
7333
// Create an RSAKEY object from a buffer, but does not initialize it.
7334
// If the SYMCRYPT_RSAKEY object will only be used for a public key, the
7335
// SYMCRYPT_RSA_PARAMS structure may set nPrimes = 0. Use of
7336
// SymCryptRsakeySetValueFromPrivateExponent requires nPrimes = 2.
7337
//
7338
// This call does not initialize the key. It should be
7339
// followed by a call to SymCryptRsakeyGenerate or
7340
// SymCryptRsakeySetValue*.
7341
//
7342

7343
VOID
7344
SYMCRYPT_CALL
7345
SymCryptRsakeyWipe( _Out_ PSYMCRYPT_RSAKEY pkDst );
7346

7347
//
7348
//VOID
7349
//SYMCRYPT_CALL
7350
//SymCryptRsakeyCopy(
7351
//    _In_    PCSYMCRYPT_RSAKEY  pkSrc,
7352
//    _Out_   PSYMCRYPT_RSAKEY   pkDst );
7353
//
7354
// This function is currently not available.
7355
//
7356

7357
//========================================================================
7358
// DLGROUP objects' API
7359
//
7360

7361
PSYMCRYPT_DLGROUP
7362
SYMCRYPT_CALL
7363
SymCryptDlgroupAllocate( UINT32  nBitsOfP, UINT32  nBitsOfQ );
7364
//
7365
// Allocate a Discrete Logarithm group object suitable for the given sizes.
7366
//
7367
// nBitsOfP: Maximum number of bits of the field prime P. Specifying a value larger
7368
//  than the actual size is allowed, but inefficient.
7369
// nBitsOfQ: Maximum number of bits of the group order Q. Specify the size of Q,
7370
//  or 0 if the size of Q is not (yet) known.
7371
//
7372
// This call does not initialize the DLGROUP. It should be followed
7373
// by a call to SymCryptDlgroupGenerate or SymCryptDlgroupSetValue.
7374
//
7375
// nBitsOfQ is allowed to be equal to 0 and signifies that the size of Q
7376
// is unknown or Q does not exist. This may be used when creating a DLGROUP
7377
// for the DH algorithm which does not use a prime Q.
7378
//
7379
// Setting nBitsOfQ to something bigger than 0 signifies that the size of
7380
// the prime Q is known and if a future caller tries to import a bigger Q then
7381
// the SymCryptDlgroupSetValue call will fail.
7382
//
7383
// Technically nBitsOfQ should always be strictly less than nBitsOfP, as Q divides
7384
// P-1. For simplicity, it is allowed that callers specify nBitsOfQ equal to nBitsOfP
7385
// in this call, but SymCrypt will treat this as setting nBitsOfQ to (nBitsOfP-1).
7386
//
7387
// Setting nBitsOfQ to 0 might result in a bigger size of the DLGROUP object
7388
// compared to setting it to a specific size (see SymCryptSizeofDlgroupFromBitsizes).
7389
//
7390
// Requirements:
7391
//  - nBitsOfP >= nBitsOfQ
7392
//
7393

7394
VOID
7395
SYMCRYPT_CALL
7396
SymCryptDlgroupFree( _Out_ PSYMCRYPT_DLGROUP pgObj );
7397

7398
UINT32
7399
SYMCRYPT_CALL
7400
SymCryptSizeofDlgroupFromBitsizes( UINT32 nBitsOfP, UINT32 nBitsOfQ );
7401
//
7402
// This call returns the memory size that is sufficient to store a
7403
// DLGROUP object with primes P,Q of size nBitsOfP and nBitsOfQ,
7404
// respectively (L,N parameters in FIPS 186-3 specs).
7405
//
7406
// Requirements:
7407
//  - nBitsOfP >= nBitsOfQ
7408
//
7409
// Remarks:
7410
//  - The value in nBitsOfQ is allowed to be equal to 0
7411
//  (see SymCryptDlgroupAllocate).
7412
//
7413
//  - When nBitsOfQ!=0 this is a monotonic function w.r.t. a partial order on N^2.
7414
//    I.e. for all fixed (nBitsOfP_0,nBitsOfQ_0) and (nBitsOfP_1,nBitsOfQ_1) with
7415
//       nBitsOfQ_0>0 and nBitsOfQ_1>0,
7416
//
7417
//      (nBitsOfP_0<=nBitsOfP_1 AND nBitsOfQ_0<=nBitsOfQ_1) implies that
7418
//          F(nBitsOfP_0,nBitsOfQ_0) <= F(nBitsOfP_1,nBitsOfQ_1)
7419
//      where F is the function SymCryptSizeofDlgroupFromBitsizes.
7420
//
7421
//  - F(nBitsOfP, 0)=F(nBitsOfP, nBitsOfP-1). Thus when nBitsOfQ==0 the
7422
//    function takes the maximum value for a fixed nBitsOfP.
7423
//
7424

7425
PSYMCRYPT_DLGROUP
7426
SYMCRYPT_CALL
7427
SymCryptDlgroupCreate(
7428
    _Out_writes_bytes_( cbBuffer )  PBYTE               pbBuffer,
7429
                                    SIZE_T              cbBuffer,
7430
                                    UINT32              nBitsOfP,
7431
                                    UINT32              nBitsOfQ );
7432
//
7433
// Creates a DL group object, but does not initialize it. It must be followed
7434
// by a call to SymCryptDlgroupGenerate or SymCryptDlgroupSetValue.
7435
//
7436
// - pbBuffer,cbBuffer: memory buffer to create the object out of. The required size
7437
//  can be computed with SymCryptSizeofDlgroupFromBitsizes().
7438
// - nBitsOfP: number of bits of the field prime P.
7439
// - nBitsOfQ: number of bits of the group order Q, or 0 if the size of Q is not (yet) known.
7440
//
7441

7442
VOID
7443
SYMCRYPT_CALL
7444
SymCryptDlgroupWipe( _Out_ PSYMCRYPT_DLGROUP pgDst );
7445

7446
VOID
7447
SYMCRYPT_CALL
7448
SymCryptDlgroupCopy(
7449
    _In_    PCSYMCRYPT_DLGROUP   pgSrc,
7450
    _Out_   PSYMCRYPT_DLGROUP    pgDst );
7451

7452
//========================================================================
7453
// DLKEY objects' API
7454
//
7455

7456
PSYMCRYPT_DLKEY
7457
SYMCRYPT_CALL
7458
SymCryptDlkeyAllocate( _In_ PCSYMCRYPT_DLGROUP pDlgroup );
7459
//
7460
// This call does not initialize the key. It should be
7461
// followed by a call to SymCryptDlkeyGenerate or
7462
// SymCryptDlkeySetValue.
7463
//
7464

7465
VOID
7466
SYMCRYPT_CALL
7467
SymCryptDlkeyFree( _Out_ PSYMCRYPT_DLKEY pkObj );
7468

7469
UINT32
7470
SYMCRYPT_CALL
7471
SymCryptSizeofDlkeyFromDlgroup( _In_ PCSYMCRYPT_DLGROUP pDlgroup );
7472

7473
PSYMCRYPT_DLKEY
7474
SYMCRYPT_CALL
7475
SymCryptDlkeyCreate(
7476
    _Out_writes_bytes_( cbBuffer )  PBYTE               pbBuffer,
7477
                                    SIZE_T              cbBuffer,
7478
    _In_                            PCSYMCRYPT_DLGROUP  pDlgroup );
7479

7480
VOID
7481
SYMCRYPT_CALL
7482
SymCryptDlkeyWipe( _Out_ PSYMCRYPT_DLKEY pkDst );
7483

7484
VOID
7485
SYMCRYPT_CALL
7486
SymCryptDlkeyCopy(
7487
    _In_    PCSYMCRYPT_DLKEY   pkSrc,
7488
    _Out_   PSYMCRYPT_DLKEY    pkDst );
7489

7490
//========================================================================
7491
// ECURVE objects' API is slightly different than the above API schema because of the close
7492
// relation to multiple parameters, the fact that they contain public information,
7493
// and that they are persisted by the callers.
7494
// Thus, the Allocate function takes in all the curve parameters and there are no Create,
7495
// Wipe, or Copy functions.
7496
//
7497

7498
PSYMCRYPT_ECURVE
7499
SYMCRYPT_CALL
7500
SymCryptEcurveAllocate(
7501
    _In_    PCSYMCRYPT_ECURVE_PARAMS    pParams,
7502
    _In_    UINT32                      flags );
7503
//
7504
// Allocate memory and create an ECURVE object which is defined
7505
// by the parameters in pParams.
7506
//
7507
// - pParams: parameters that define the curve
7508
// - flags: Not used, must be zero.
7509
//
7510
// Future versions might use the flags to enable different features/tradeoffs.
7511
// There are a number of interesting memory/speed/pre-computation cost trades that can be made.
7512
// For example, pre-computing multiples of the distinguished point, or (parallel?) pre-computation
7513
// of (r, rG) pairs for random r values.
7514
//
7515
// This function applies limited validation of the pParams. The validation is intended to eliminate
7516
// the threat of denial-of-service when hostile parameters are presented. It does not ensure that
7517
// the parameters make sense, define a proper curve, or that any elliptic-curve operations made on
7518
// the curve built from these parameters will fail, succeed or provide any security.
7519
// The only guarantee provided for invalid parameters is that all operations on this curve will
7520
// not crash and will return in some reasonable amount of time.
7521
//
7522
// Returns NULL if out of memory or the parameters are deemed invalid.
7523
// If the return value is not NULL, the object must later be freed with SymCryptEcurveFree().
7524
//
7525

7526
VOID
7527
SYMCRYPT_CALL
7528
SymCryptEcurveFree( _Out_ PSYMCRYPT_ECURVE pCurve );
7529

7530
//========================================================================
7531
// ECKEY objects' API is slightly different than the above API schema in the sense that they
7532
// take as input an ECURVE object pointer instead of the number of digits.
7533
//
7534

7535
PSYMCRYPT_ECKEY
7536
SYMCRYPT_CALL
7537
SymCryptEckeyAllocate( _In_  PCSYMCRYPT_ECURVE pCurve );
7538

7539
VOID
7540
SYMCRYPT_CALL
7541
SymCryptEckeyFree( _Out_ PSYMCRYPT_ECKEY pkObj );
7542

7543
UINT32
7544
SYMCRYPT_CALL
7545
SymCryptSizeofEckeyFromCurve( _In_ PCSYMCRYPT_ECURVE pCurve );
7546

7547
PSYMCRYPT_ECKEY
7548
SYMCRYPT_CALL
7549
SymCryptEckeyCreate(
7550
    _Out_writes_bytes_( cbBuffer )  PBYTE               pbBuffer,
7551
                                    SIZE_T              cbBuffer,
7552
                                    PCSYMCRYPT_ECURVE   pCurve );
7553

7554
VOID
7555
SYMCRYPT_CALL
7556
SymCryptEckeyWipe( _Out_ PSYMCRYPT_ECKEY pkDst );
7557

7558
VOID
7559
SymCryptEckeyCopy(
7560
    _In_    PCSYMCRYPT_ECKEY  pkSrc,
7561
    _Out_   PSYMCRYPT_ECKEY   pkDst );
7562

7563

7564
//=====================================================
7565
// Flags for asymmetric key generation and import
7566

7567
// These flags are introduced primarily for FIPS purposes. For FIPS 140-3 rather than expose to the
7568
// caller the specifics of what tests will be run with various algorithms, we are sanitizing flags
7569
// provided on asymmetric key generation and import to enable the caller to indicate their intent,
7570
// and for SymCrypt to perform the required testing.
7571
// Below we define the flags that can be passed and when a caller should set them.
7572
// The specifics of what tests will be run are likely to change over time, as FIPS requirements and
7573
// our understanding of how best to implement them, change over time. Callers should not rely on
7574
// specific behavior.
7575

7576

7577
// Validation required by FIPS is enabled by default. This flag enables a caller to opt out of this
7578
// validation.
7579
#define SYMCRYPT_FLAG_KEY_NO_FIPS               (0x100)
7580

7581
// When opting out of FIPS, SymCrypt may still perform some sanity checks on key import
7582
// In very performance sensitive situations where a caller strongly trusts the values it is passing
7583
// to SymCrypt and does not care about FIPS (or can statically prove properties about the imported
7584
// keys), a caller may specify SYMCRYPT_FLAG_KEY_MINIMAL_VALIDATION in addition to
7585
// SYMCRYPT_FLAG_KEY_NO_FIPS to skip costly checks
7586
#define SYMCRYPT_FLAG_KEY_MINIMAL_VALIDATION    (0x200)
7587

7588
// Callers must specify what algorithm(s) a given asymmetric key will be used for.
7589
// This information will be tracked by SymCrypt, and attempting to use the key in an algorithm it
7590
// was not generated or imported for will result in failure.
7591
// If no algorithm is specified then the key generation or import function will fail.
7592
#define SYMCRYPT_FLAG_DLKEY_DSA         (0x1000)
7593
#define SYMCRYPT_FLAG_DLKEY_DH          (0x2000)
7594

7595
#define SYMCRYPT_FLAG_ECKEY_ECDSA       (0x1000)
7596
#define SYMCRYPT_FLAG_ECKEY_ECDH        (0x2000)
7597

7598
#define SYMCRYPT_FLAG_RSAKEY_SIGN       (0x1000)
7599
#define SYMCRYPT_FLAG_RSAKEY_ENCRYPT    (0x2000)
7600

7601
//=====================================================
7602
// RSA key operations
7603

7604
BOOLEAN
7605
SYMCRYPT_CALL
7606
SymCryptRsakeyHasPrivateKey( _In_ PCSYMCRYPT_RSAKEY pkRsakey );
7607
//
7608
// Returns TRUE if the pkRsakey object has private key information.
7609
//
7610

7611
UINT32
7612
SYMCRYPT_CALL
7613
SymCryptRsakeySizeofModulus( _In_ PCSYMCRYPT_RSAKEY pkRsakey );
7614
//
7615
//  Returns the (tight) size in bytes of a byte array big enough to store
7616
//  the modulus of the key.
7617
//
7618

7619
UINT32
7620
SYMCRYPT_CALL
7621
SymCryptRsakeyModulusBits( _In_ PCSYMCRYPT_RSAKEY pkRsakey );
7622
//
7623
// Return the number of bits in the RSA modulus
7624
//
7625

7626
UINT32
7627
SYMCRYPT_CALL
7628
SymCryptRsakeySizeofPublicExponent(
7629
    _In_    PCSYMCRYPT_RSAKEY pRsakey,
7630
            UINT32            index );
7631
//
7632
// Returns the (tight) size in bytes of a byte array big enough to store
7633
// the public exponent. The index specifies the index
7634
// of the public exponent, starting with 0.
7635
//
7636
// Remarks:
7637
// - Currently, only one public exponent is supported, i.e. the only
7638
//  valid index is 0.
7639
//
7640

7641
UINT32
7642
SYMCRYPT_CALL
7643
SymCryptRsakeySizeofPrime(
7644
    _In_    PCSYMCRYPT_RSAKEY pkRsakey,
7645
            UINT32            index );
7646
//
7647
//  Returns the (tight) size in bytes of a byte array big enough to store
7648
//  the selected prime of the key. The index specifies the index of the
7649
//  prime, starting at 0.
7650
//
7651
//  Remarks:
7652
//  - Currently, only two prime RSA is supported, i.e. the only
7653
//  valid indexes are 0 and 1.
7654
//
7655

7656
UINT32
7657
SYMCRYPT_CALL
7658
SymCryptRsakeyGetNumberOfPublicExponents( _In_ PCSYMCRYPT_RSAKEY pkRsakey );
7659
//
7660
//  Returns the number of public exponents stored in the key.
7661
//
7662

7663
UINT32
7664
SYMCRYPT_CALL
7665
SymCryptRsakeyGetNumberOfPrimes( _In_ PCSYMCRYPT_RSAKEY pkRsakey );
7666
//
7667
//  Returns the number of primes stored in the key.
7668
//
7669

7670
SYMCRYPT_ERROR
7671
SYMCRYPT_CALL
7672
SymCryptRsakeyGenerate(
7673
    _Inout_                     PSYMCRYPT_RSAKEY    pkRsakey,
7674
    _In_reads_opt_( nPubExp )   PCUINT64            pu64PubExp,
7675
                                UINT32              nPubExp,
7676
    _In_                        UINT32              flags );
7677
//
7678
// Generate a new random RSA key using the information from the
7679
// parameters passed to SymCryptRsaKeyAllocate/SymCryptRsaKeyCreate.
7680
// PubExp is the array of nPubExp public exponent values, specifying
7681
// the public exponents for the key.
7682
// nPubExp must match the # public exponents in the parameters.
7683
// If pu64PubExp == NULL, nPubExp == 0, and the key requires only one
7684
// public exponent, then the default exponent 2^16 + 1 is used.
7685
//
7686
// Allowed flags:
7687
//
7688
// - SYMCRYPT_FLAG_KEY_NO_FIPS
7689
//   Opt-out of performing validation required for FIPS
7690
//
7691
// - At least one of the flags indicating what the Rsakey is to be used for must be specified:
7692
//      SYMCRYPT_FLAG_RSAKEY_SIGN
7693
//      SYMCRYPT_FLAG_RSAKEY_ENCRYPT
7694

7695
// Described in more detail in the "Flags for asymmetric key generation and import" section above
7696
//
7697

7698
SYMCRYPT_ERROR
7699
SYMCRYPT_CALL
7700
SymCryptRsakeySetValue(
7701
    _In_reads_bytes_( cbModulus )   PCBYTE                  pbModulus,
7702
                                    SIZE_T                  cbModulus,
7703
    _In_reads_( nPubExp )           PCUINT64                pu64PubExp,
7704
                                    UINT32                  nPubExp,
7705
    _In_reads_opt_( nPrimes )       PCBYTE *                ppPrimes,
7706
    _In_reads_opt_( nPrimes )       SIZE_T *                pcbPrimes,
7707
                                    UINT32                  nPrimes,
7708
                                    SYMCRYPT_NUMBER_FORMAT  numFormat,
7709
                                    UINT32                  flags,
7710
    _Inout_                         PSYMCRYPT_RSAKEY        pkRsakey );
7711
//
7712
// Import key material to an RSAKEY object. The arguments are the following:
7713
//  - pbModulus is a pointer to a byte buffer of cbModulus bytes. It cannot be NULL.
7714
//  - pu64PubExp is a pointer to an array of nPubExp UINT64 exponent values.
7715
//    nPubExp must match the RSA parameters used to create the key object.
7716
//  - ppPrimes is an array of nPrimes pointers that point to byte buffers storing
7717
//    the primes. pcbPrimes is an array of nPrimes sizes such that
7718
//    the size of ppPrimes[i] is equal to pcbPrimes[i] for each i in [0, nPrimes-1].
7719
//  - numFormat specifies the number format for all inputs
7720
//
7721
// Allowed flags:
7722
//
7723
// - SYMCRYPT_FLAG_KEY_NO_FIPS
7724
//   Opt-out of performing validation required for FIPS
7725
//
7726
// - SYMCRYPT_FLAG_KEY_MINIMAL_VALIDATION
7727
//   Opt-out of performing almost all validation - must be specified with SYMCRYPT_FLAG_KEY_NO_FIPS
7728
//
7729
// - At least one of the flags indicating what the Rsakey is to be used for must be specified:
7730
//      SYMCRYPT_FLAG_RSAKEY_SIGN
7731
//      SYMCRYPT_FLAG_RSAKEY_ENCRYPT
7732
//
7733
// Described in more detail in the "Flags for asymmetric key generation and import" section above
7734
//
7735
//  Remarks:
7736
//  - Modulus and all primes are stored in the same format specified by numFormat.
7737
//  - ppPrimes, pcbPrimes, and nPrimes can be NULL, NULL, and 0 respectively, when
7738
//    importing a public key.
7739
//  - Currently, the only acceptable value of nPubExps is 1.
7740
//  - Currently, the only acceptable value of nPrimes is 2 or 0.
7741
//  - Elements of ppPrimes must represent prime numbers.
7742
// We allow separate sizes for each prime. This seems redundant because all primes
7743
// are approximately the same size. However, some storage/encoding formats, such as ASN.1,
7744
// strip leading zeroes, or add an additional leading zero depending on the situation.
7745
// Allowing separate sizes avoids the need for the caller to make a copy of the data
7746
// into a possibly slightly larger buffer.
7747
//
7748

7749
SYMCRYPT_ERROR
7750
SYMCRYPT_CALL
7751
SymCryptRsakeySetValueFromPrivateExponent(
7752
    _In_reads_bytes_( cbModulus )           PCBYTE                  pbModulus,
7753
                                            SIZE_T                  cbModulus,
7754
                                            UINT64                  u64PubExp,
7755
    _In_reads_bytes_( cbPrivateExponent )   PCBYTE                  pbPrivateExponent,
7756
                                            SIZE_T                  cbPrivateExponent,
7757
                                            SYMCRYPT_NUMBER_FORMAT  numFormat,
7758
                                            UINT32                  flags,
7759
    _Inout_                                 PSYMCRYPT_RSAKEY        pkRsakey );
7760
//
7761
// Import private key to an RSAKEY object using a private exponent. This is not generally
7762
// recommended - where possible it is more efficient to import a private key using primes
7763
// with SymCryptRsakeySetValue.
7764
//
7765
// The arguments are the following:
7766
//  - pbModulus is a pointer to a byte buffer of cbModulus bytes. It cannot be NULL.
7767
//  - u64PubExp is a UINT64 public exponent value.
7768
//  - pbPrivateExponent is a pointer to a byte buffer of cbPrivateExponent bytes. It
7769
//    cannot be NULL.
7770
//  - numFormat specifies the number format for all inputs
7771
//
7772
// Allowed flags:
7773
//
7774
// - SYMCRYPT_FLAG_KEY_NO_FIPS
7775
//   Opt-out of performing validation required for FIPS
7776
//
7777
// - SYMCRYPT_FLAG_KEY_MINIMAL_VALIDATION
7778
//   Opt-out of performing almost all validation - must be specified with SYMCRYPT_FLAG_KEY_NO_FIPS
7779
//
7780
// - At least one of the flags indicating what the Rsakey is to be used for must be specified:
7781
//      SYMCRYPT_FLAG_RSAKEY_SIGN
7782
//      SYMCRYPT_FLAG_RSAKEY_ENCRYPT
7783
//
7784
// Described in more detail in the "Flags for asymmetric key generation and import" section above
7785
//
7786
// Remarks:
7787
//
7788
// Modulus and Private exponent are stored in the same format specified by numFormat.
7789
//
7790
// Internally this attempts to recover a pair of primes (p1, p2) that factorize Modulus.
7791
// This procedure has following assumptions:
7792
//      Modulus (n) is the product of two prime factors, p1 and p2
7793
//      e*d == 1 modulo LCM(p1-1, p2-1)
7794
//      e*d != 1 modulo 2^64
7795
// If any of these assumptions are not met, then the method may fail.
7796
//
7797

7798
SYMCRYPT_ERROR
7799
SYMCRYPT_CALL
7800
SymCryptRsakeyGetValue(
7801
    _In_                            PCSYMCRYPT_RSAKEY       pkRsakey,
7802
    _Out_writes_bytes_( cbModulus ) PBYTE                   pbModulus,
7803
                                    SIZE_T                  cbModulus,
7804
    _Out_writes_opt_( nPubExp )     PUINT64                 pu64PubExp,
7805
                                    UINT32                  nPubExp,
7806
    _Out_writes_opt_( nPrimes )     PBYTE *                 ppPrimes,
7807
    _In_reads_opt_( nPrimes )       SIZE_T *                pcbPrimes,
7808
                                    UINT32                  nPrimes,
7809
                                    SYMCRYPT_NUMBER_FORMAT  numFormat,
7810
                                    UINT32                  flags );
7811
//
7812
// Export key material from an RSAKEY object. The arguments are the following:
7813
//  - pbModulus is a pointer to a byte buffer of cbModulus bytes.
7814
//  - pu64PubExp is an pointer to an array of nPubExp elements that receives the public exponent values.
7815
//    nPubExp must match the # public exponents in pkRsaKey.
7816
//  - ppPrimes is an array of nPrimes pointers that point to byte buffers storing
7817
//    the primes. pcbPrimes is an array of nPrimes sizes such that
7818
//    the size of ppPrimes[i] is equal to pcbPrimes[i] for each i in [0, nPrimes-1].
7819
//  Remarks:
7820
//  - All parameters are stored in the same format specified by numFormat.
7821
//  - ppPrimes, pcbPrimes, and nPrimes can be NULL, NULL, and 0 respectively, when
7822
//    exporting a public key.
7823
//  - Currently, the only acceptable value of nPubExp is 1 or 0.
7824
//  - Currently, the only acceptable value of nPrimes is 2 or 0.
7825
// We use separate sizes for each prime. This supports the tight encoding
7826
// used by CNG export blobs, and uses the same format as RsakeySetValue
7827
//
7828

7829
SYMCRYPT_ERROR
7830
SYMCRYPT_CALL
7831
SymCryptRsakeyGetCrtValue(
7832
    _In_                                        PCSYMCRYPT_RSAKEY       pkRsakey,
7833
    _Out_writes_opt_(nCrtExponents)             PBYTE *                 ppCrtExponents,
7834
    _In_reads_(nCrtExponents)                   SIZE_T *                pcbCrtExponents,
7835
                                                UINT32                  nCrtExponents,
7836
    _Out_writes_bytes_opt_(cbCrtCoefficient)    PBYTE                   pbCrtCoefficient,
7837
                                                SIZE_T                  cbCrtCoefficient,
7838
    _Out_writes_bytes_opt_(cbPrivateExponent)   PBYTE                   pbPrivateExponent,
7839
                                                SIZE_T                  cbPrivateExponent,
7840
                                                SYMCRYPT_NUMBER_FORMAT  numFormat,
7841
                                                UINT32                  flags);
7842
//
7843
// Export Crt key material from an RSAKEY object. The arguments are the following:
7844
//    ppCrtExponents is an array of nCrtExponent pointers that point to byte buffers
7845
//    storing the Crt exponents. That is,  d mod p-1, d mod q-1.
7846
//    pcbCrtExponents is an array of nCrtExponent sizes such that
7847
//    the size of ppCrtExponents[i] is equal to pcbCrtExponents[i] for each i in [0, nCrtExponent-1]
7848
//    pbCrtCoefficient is a pointer to a byte buffer of cbCrtCoefficient bytes, that is q^{-1} mod p
7849
//    pbPrivateExponent is a pointer to a byte buffer of cbPrivateExponent bytes, that is, d.
7850

7851
//  Remarks:
7852
//  - All parameters are stored in the same format specified by numFormat.
7853
//  - ppCrtExponents, pcbCrtExponents, and nCrtExponent can be NULL, NULL, and 0 respectively
7854
//  - Currently, the only acceptable value of nCrtExponent is 2 or 0.
7855
//    pbCrtCoefficient, pbPrivateExponent can be NULL;
7856

7857
SYMCRYPT_ERROR
7858
SYMCRYPT_CALL
7859
SymCryptRsakeyExtendKeyUsage(
7860
    _Inout_ PSYMCRYPT_RSAKEY    pkRsakey,
7861
            UINT32              flags );
7862
//
7863
// Enable an existing key which has been generated or imported to be used in specified algorithms.
7864
// Some callers may not know at key generation or import time what algorithms a key will be used for
7865
// and this API allows the key to be extended for use in additional algorithms. Use of this API may
7866
// not be compliant with FIPS 140-3
7867
//
7868
// - flags must be some bitwise OR of the following flags:
7869
//      SYMCRYPT_FLAG_RSAKEY_SIGN
7870
//      SYMCRYPT_FLAG_RSAKEY_ENCRYPT
7871

7872
#define SYMCRYPT_DLGROUP_FIPS_LATEST    (SYMCRYPT_DLGROUP_FIPS_186_3)
7873

7874
SYMCRYPT_ERROR
7875
SYMCRYPT_CALL
7876
SymCryptDlgroupGenerate(
7877
    _In_    PCSYMCRYPT_HASH         hashAlgorithm,
7878
    _In_    SYMCRYPT_DLGROUP_FIPS   fipsStandard,
7879
    _Inout_ PSYMCRYPT_DLGROUP       pDlgroup );
7880
//
7881
// Generate a Discrete Logarithm Group for use in Diffie-Hellman and DSA.
7882
//
7883
// - hashAlgorithm: Hash algorithm to be used for generating the group (if required by the algorithm)
7884
// - fipsStandard: Which FIPS standard algorithm to use for generating the group.
7885
// - pDlgroup: group object that will be initialized with a newly generated group.
7886
//
7887
// pDlGroup must have been created with SymCryptDlgroupAllocate() or SymCryptDlgroupCreate().
7888
//
7889
// If nBitsOfQ was equal to 0 when the DLGROUP was Allocate-d/Create-d
7890
// (and only in this case), then this function picks a default size
7891
// for the prime Q according to the following table:
7892
//      - If        nBitsOfP <=  160 then the function fails with SYMCRYPT_FIPS_FAILURE
7893
//      - If  160 < nBitsOfP <= 1024 then nBitsOfQ = 160
7894
//      - If 1024 < nBitsOfP <= 2048 then nBitsOfQ = 256
7895
//      - If 2048 < nBitsOfP         then nBitsOfQ = 256
7896
//
7897
// If fipsStandard == SYMCRYPT_DLGROUP_FIPS_NONE then no FIPS compliance is requested.
7898
// The code defaults to SYMCRYPT_DLGROUP_FIPS_LATEST.
7899
//
7900
// The requirements below address the parameter values after the defaults have been substituted
7901
// for nBitsOfQ and fipsStandard.
7902
//
7903
// Requirements:
7904
//  - pDlgroup!=NULL. Otherwise it returns SYMCRYPT_INVALID_ARGUMENT.
7905
//
7906
//  - If fipsStandard == SYMCRYPT_DLGROUP_FIPS_186_2, hashAlgorithm MUST be equal to
7907
//    NULL, and nBitsOfQ <= 160 or nBitsOfQ = 0 && nBitsOfP <= 1024.
7908
//
7909
//  - If fipsStandard == SYMCRYPT_DLGROUP_FIPS_186_3, then hashAlgorithm MUST NOT be equal
7910
//    to NULL.
7911
//
7912
//  - If nBitsOfHash is the number of bits of the output block of hashAlgorithm,
7913
//    it is required that:
7914
//              nBitsOfQ <= nBitsOfHash <= nBitsOfP
7915
//    (where nBitsOfQ>0 was either provided by the caller of Allocate/Create
7916
//    or it was picked from the above table).
7917
//
7918
//  - For FIPS 186-2, we have that nBitsOfHash == 160 (SHA1 output size). Therefore
7919
//    this flag can only work with nBitsOfQ up to 160 bits. Anything else will
7920
//    return SYMCRYPT_INVALID_ARGUMENT.
7921
//
7922

7923
SYMCRYPT_ERROR
7924
SYMCRYPT_CALL
7925
SymCryptDlgroupSetValueSafePrime(
7926
            SYMCRYPT_DLGROUP_DH_SAFEPRIMETYPE   dhSafePrimeType,
7927
    _Inout_ PSYMCRYPT_DLGROUP                   pDlgroup );
7928
//
7929
// Sets a Discrete Logarithm Group for use in Diffie-Hellman using a named safe-prime group.
7930
//
7931
// - dhSafePrimeType: The type of named safe-prime group to use
7932
//
7933
// pDlGroup must have been created with SymCryptDlgroupAllocate() or SymCryptDlgroupCreate().
7934
//
7935
// Selects the largest named safe-prime group that will fit in the allocated Dlgroup (based on the
7936
// values of nBitsOfP and nBitsOfQ used in allocation). It is recommended that callers set nBitsOfQ
7937
// to 0 in allocation (equivalent to nBitsOfQ = (nBitsOfP-1)) when creating a safe-prime group.
7938
//
7939
// Requirements:
7940
//  - pDlgroup was allocated with sufficient bits for the selected P (and Q) to fit. If there is no
7941
//    named safe-prime group with bit size <= the allocated size, it returns SYMCRYPT_INVALID_ARGUMENT.
7942
//    The minimum currently supported bitsize of named safe-prime groups is nBitsOfP = 2048.
7943
//
7944
//  - dhSafePrimeType!=SYMCRYPT_DLGROUP_DH_SAFEPRIMETYPE_NONE. Otherwise it returns SYMCRYPT_INVALID_ARGUMENT.
7945
//
7946

7947
BOOLEAN
7948
SYMCRYPT_CALL
7949
SymCryptDlgroupIsSame(
7950
    _In_    PCSYMCRYPT_DLGROUP  pDlgroup1,
7951
    _In_    PCSYMCRYPT_DLGROUP  pDlgroup2 );
7952
//
7953
// Returns true if pDlgroup1 and pDlgroup2 have same set of P and G, false otherwise.
7954
//
7955

7956
VOID
7957
SYMCRYPT_CALL
7958
SymCryptDlgroupGetSizes(
7959
    _In_    PCSYMCRYPT_DLGROUP  pDlgroup,
7960
    _Out_   SIZE_T*             pcbPrimeP,
7961
    _Out_   SIZE_T*             pcbPrimeQ,
7962
    _Out_   SIZE_T*             pcbGenG,
7963
    _Out_   SIZE_T*             pcbSeed );
7964
//
7965
// It returns the tight byte-sizes of each parameter of the group: prime P,
7966
// prime Q, generator G, and the FIPS domain_parameter_seed.
7967
//
7968
// If one of the pointers is NULL then the corresponding size is ignored.
7969
//
7970
// Remarks:
7971
//  - If the group has no prime Q, then the returned sizes in *pcbPrimeQ and
7972
//    *pcbSeed will be 0.
7973
//
7974

7975
SYMCRYPT_ERROR
7976
SYMCRYPT_CALL
7977
SymCryptDlgroupSetValue(
7978
    _In_reads_bytes_( cbPrimeP )    PCBYTE                  pbPrimeP,
7979
                                    SIZE_T                  cbPrimeP,
7980
    _In_reads_bytes_( cbPrimeQ )    PCBYTE                  pbPrimeQ,
7981
                                    SIZE_T                  cbPrimeQ,
7982
    _In_reads_bytes_( cbGenG )      PCBYTE                  pbGenG,
7983
                                    SIZE_T                  cbGenG,
7984
                                    SYMCRYPT_NUMBER_FORMAT  numFormat,
7985
    _In_opt_                        PCSYMCRYPT_HASH         pHashAlgorithm,
7986
    _In_reads_bytes_( cbSeed )      PCBYTE                  pbSeed,
7987
                                    SIZE_T                  cbSeed,
7988
                                    UINT32                  genCounter,
7989
                                    SYMCRYPT_DLGROUP_FIPS   fipsStandard,
7990
    _Inout_                         PSYMCRYPT_DLGROUP       pDlgroup );
7991
//
7992
// Import key material to a DLGROUP object.
7993
//  - Prime P is NOT optional and should always be imported.
7994
//  - Prime Q is an optional parameter that may or may not be imported. If not
7995
//    the group will not have a prime Q.
7996
//  - Generator G is an optional parameter. However, if not present, the
7997
//    algorithm will generate a random G of order Q. If both Q and G are missing
7998
//    the calls fails with SYMCRYPT_INVALID_ARGUMENT.
7999
//  - The parameters pHashAlgorithm, pbSeed, cbSeed and genCounter are the generation
8000
//    parameters of the FIPS standards. If fipsStandard is not equal to
8001
//    SYMCRYPT_DLGROUP_FIPS_NONE, the algorithm verifies that the input P,Q,G parameters are properly
8002
//    generated by the corresponding standard.
8003
//    If there is any discrepancy the function returns SYMCRYPT_AUTHENTICATION_FAILURE.
8004
//    Notice that these parameters are imported even if they aren't verified.
8005
//
8006
// Requirements:
8007
//  - The number stored in pbPrimeP and pbGenG must have at most nBitsOfP significant bits.
8008
//    Otherwise the function returns SYMCRYPT_INVALID_ARGUMENT.
8009
//  - The number stored in pbPrimeQ must have at most nBitsOfQ where nBitsOfQ is either
8010
//    the **non-zero** value input in the call of Allocate/Create or equal to nBitsOfP if
8011
//    0 was input.
8012
//    Otherwise the function returns SYMCRYPT_INVALID_ARGUMENT.
8013
//  - The size of the seed cbSeed must be **exactly** equal to the byte-size of the imported
8014
//    modulus Q. Otherwise the function returns SYMCRYPT_INVALID_ARGUMENT.
8015
//
8016
// Remarks:
8017
//  - The buffers pbPrimeP, pbPrimeQ, pbGenG must all have the same number
8018
//    format defined by numFormat.
8019
//  - Primes P and (when provided) Q must represent prime numbers.
8020
//
8021

8022
SYMCRYPT_ERROR
8023
SYMCRYPT_CALL
8024
SymCryptDlgroupGetValue(
8025
    _In_                            PCSYMCRYPT_DLGROUP      pDlgroup,
8026
    _Out_writes_bytes_( cbPrimeP )  PBYTE                   pbPrimeP,
8027
                                    SIZE_T                  cbPrimeP,
8028
    _Out_writes_bytes_( cbPrimeQ )  PBYTE                   pbPrimeQ,
8029
                                    SIZE_T                  cbPrimeQ,
8030
    _Out_writes_bytes_( cbGenG )    PBYTE                   pbGenG,
8031
                                    SIZE_T                  cbGenG,
8032
                                    SYMCRYPT_NUMBER_FORMAT  numFormat,
8033
    _Out_                           PCSYMCRYPT_HASH *       ppHashAlgorithm,
8034
    _Out_writes_bytes_( cbSeed )    PBYTE                   pbSeed,
8035
                                    SIZE_T                  cbSeed,
8036
    _Out_                           PUINT32                 pGenCounter );
8037

8038
//
8039
// Retrieve the group parameters from a DLGROUP. The buffers should be
8040
// allocated by the caller. If a pbXXX parameter is NULL (and the cbXXX==0)
8041
// then this parameter is not returned.
8042
//
8043
// Requirements:
8044
//  - All the buffers must have size at least equal to the corresponding
8045
//    size returned by SymCryptDlgroupGetSizes. For the pbSeed buffer the
8046
//    size must be **exactly** equal to the size returned from SymCryptDlgroupGetSizes.
8047
//
8048
// Remarks:
8049
//  - If the caller requests a Q but the group does not have one, this function
8050
//    will fail with SYMCRYPT_INVALID_BLOB.
8051
//  - The return value of *ppHashAlgorithm can be NULL if the group was generated
8052
//    by FIPS 186-2.
8053
//
8054

8055
//=====================================================
8056
// DL flags
8057
//
8058
// Also see Generic key validation flags above
8059

8060
// SYMCRYPT_FLAG_DLKEY_GEN_MODP:
8061
// When set on SymCryptDlkeyGenerate call, generate a private key between 1 and P-2.
8062
// When Q is known, this overrides the default behavior of generating a private key between 1 and Q-1,
8063
// or 1 and min(2^nBitsPriv-1, Q-1) for named safe-prime groups
8064
// When Q is not known, this does not affect the behavior
8065
#define SYMCRYPT_FLAG_DLKEY_GEN_MODP  (0x01)
8066

8067
//=====================================================
8068
// DL key operations
8069

8070
SYMCRYPT_ERROR
8071
SYMCRYPT_CALL
8072
SymCryptDlkeySetPrivateKeyLength( _Inout_ PSYMCRYPT_DLKEY pkDlkey, UINT32 nBitsPriv, UINT32 flags );
8073
//
8074
// Sets the number of bits that this dlkey can have in its private key
8075
// The set value is only used for when the dlkey is a named safe-prime dlgroup, otherwise the value
8076
// is ignored.
8077
//
8078
// Requirements:
8079
//  - pkDlkey->pDlgroup->nBitsOfQ >= nBitsPriv >= pkDlkey->pDlgroup->nMinBitsPriv
8080
//    Otherwise SYMCRYPT_INVALID_ARGUMENT is returned
8081
//
8082
// Allowed flags:
8083
//  - None.
8084

8085
PCSYMCRYPT_DLGROUP
8086
SYMCRYPT_CALL
8087
SymCryptDlkeyGetGroup( _In_ PCSYMCRYPT_DLKEY pkDlkey );
8088
//
8089
// Returns a pointer to the dlgroup object associated with the key.
8090
//
8091

8092
UINT32
8093
SYMCRYPT_CALL
8094
SymCryptDlkeySizeofPublicKey( _In_ PCSYMCRYPT_DLKEY pkDlkey );
8095
//
8096
// Returns the size in bytes of a blob big enough to retrieve the public key.
8097
//
8098

8099
UINT32
8100
SYMCRYPT_CALL
8101
SymCryptDlkeySizeofPrivateKey( _In_ PCSYMCRYPT_DLKEY pkDlkey );
8102
//
8103
// Returns the size in bytes of a blob big enough to retrieve the private key.
8104
//
8105

8106
BOOLEAN
8107
SYMCRYPT_CALL
8108
SymCryptDlkeyHasPrivateKey( _In_ PCSYMCRYPT_DLKEY pkDlkey );
8109
//
8110
// Returns TRUE if the pkDlkey object has a private key set.
8111
//
8112

8113
SYMCRYPT_ERROR
8114
SYMCRYPT_CALL
8115
SymCryptDlkeyGenerate(
8116
    _In_    UINT32                      flags,
8117
    _Inout_ PSYMCRYPT_DLKEY             pkDlkey );
8118
//
8119
// Allowed flags:
8120
//  - SYMCRYPT_FLAG_DLKEY_GEN_MODP
8121
//  When set, generate a private key between 1 and P-2.
8122
//  When Q is known, this overrides the default behavior of generating a private key between 1 and Q-1,
8123
//  or 1 and min(2^nBitsPriv-1, Q-1) for named safe-prime groups
8124
//  When Q is not known, this does not affect the behavior
8125
//
8126
// - SYMCRYPT_FLAG_KEY_NO_FIPS
8127
//   Opt-out of performing validation required for FIPS
8128
//
8129
// - At least one of the flags indicating what the Dlkey is to be used for must be specified:
8130
//      SYMCRYPT_FLAG_DLKEY_DSA
8131
//      SYMCRYPT_FLAG_DLKEY_DH
8132
//
8133
// Note:
8134
// If SYMCRYPT_FLAG_DLKEY_GEN_MODP is specified then SYMCRYPT_FLAG_KEY_NO_FIPS must also be
8135
// specified to avoid SYMCRYPT_INVALID_ARGUMENT, as FIPS requires the default generation behavior
8136
//
8137

8138
SYMCRYPT_ERROR
8139
SYMCRYPT_CALL
8140
SymCryptDlkeySetValue(
8141
    _In_reads_bytes_( cbPrivateKey )    PCBYTE                  pbPrivateKey,
8142
                                        SIZE_T                  cbPrivateKey,
8143
    _In_reads_bytes_( cbPublicKey )     PCBYTE                  pbPublicKey,
8144
                                        SIZE_T                  cbPublicKey,
8145
                                        SYMCRYPT_NUMBER_FORMAT  numFormat,
8146
                                        UINT32                  flags,
8147
    _Inout_                             PSYMCRYPT_DLKEY         pkDlkey );
8148
//
8149
// Import key material to a DLKEY object.
8150
//
8151
// Allowed flags:
8152
//
8153
// - SYMCRYPT_FLAG_KEY_NO_FIPS
8154
//   Opt-out of performing validation required for FIPS
8155
//
8156
// - SYMCRYPT_FLAG_KEY_MINIMAL_VALIDATION
8157
//   Opt-out of performing almost all validation - must be specified with SYMCRYPT_FLAG_KEY_NO_FIPS
8158
//
8159
// - At least one of the flags indicating what the Dlkey is to be used for must be specified:
8160
//      SYMCRYPT_FLAG_DLKEY_DSA
8161
//      SYMCRYPT_FLAG_DLKEY_DH
8162
//
8163
// Described in more detail in the "Flags for asymmetric key generation and import" section above
8164
//
8165

8166
SYMCRYPT_ERROR
8167
SYMCRYPT_CALL
8168
SymCryptDlkeyGetValue(
8169
    _In_    PCSYMCRYPT_DLKEY        pkDlkey,
8170
    _Out_writes_bytes_( cbPrivateKey )
8171
            PBYTE                   pbPrivateKey,
8172
            SIZE_T                  cbPrivateKey,
8173
    _Out_writes_bytes_( cbPublicKey )
8174
            PBYTE                   pbPublicKey,
8175
            SIZE_T                  cbPublicKey,
8176
            SYMCRYPT_NUMBER_FORMAT  numFormat,
8177
            UINT32                  flags );
8178
//
8179
// Retrieve the public or the private key (or both) from a DLKEY. The buffers should be
8180
// allocated by the caller.
8181
//
8182

8183
SYMCRYPT_ERROR
8184
SYMCRYPT_CALL
8185
SymCryptDlkeyExtendKeyUsage(
8186
    _Inout_ PSYMCRYPT_DLKEY pkDlkey,
8187
            UINT32          flags );
8188
//
8189
// Enable an existing key which has been generated or imported to be used in specified algorithms.
8190
// Some callers may not know at key generation or import time what algorithms a key will be used for
8191
// and this API allows the key to be extended for use in additional algorithms. Use of this API may
8192
// not be compliant with FIPS 140-3.
8193
//
8194
// - flags must be some bitwise OR of the following flags:
8195
//      SYMCRYPT_FLAG_DLKEY_DSA
8196
//      SYMCRYPT_FLAG_DLKEY_DH
8197

8198
//=====================================================
8199
// Elliptic curve operations and supported curves
8200
//
8201

8202
UINT32
8203
SYMCRYPT_CALL
8204
SymCryptEcurvePrivateKeyDefaultFormat( _In_ PCSYMCRYPT_ECURVE pCurve );
8205
//
8206
// This function returns the private key default format of the input curve.
8207
//
8208

8209
UINT32
8210
SYMCRYPT_CALL
8211
SymCryptEcurveHighBitRestrictionNumOfBits( _In_ PCSYMCRYPT_ECURVE pCurve );
8212
//
8213
// This function returns the number of bits specified by the high bit restriction
8214
// value of the input curve.
8215
//
8216

8217
UINT32
8218
SYMCRYPT_CALL
8219
SymCryptEcurveHighBitRestrictionPosition( _In_ PCSYMCRYPT_ECURVE pCurve );
8220
//
8221
// This function returns the position of the high bit restriction
8222
// value of the input curve.
8223
//
8224

8225
UINT32
8226
SYMCRYPT_CALL
8227
SymCryptEcurveHighBitRestrictionValue( _In_ PCSYMCRYPT_ECURVE pCurve );
8228
//
8229
// This function returns the high bit restriction value of the input curve.
8230
//
8231

8232
UINT32
8233
SYMCRYPT_CALL
8234
SymCryptEcurveBitsizeofFieldModulus( _In_ PCSYMCRYPT_ECURVE pCurve );
8235
//
8236
// This function returns the number of bits of a field element on which
8237
// the curve is defined.
8238
//
8239

8240
UINT32
8241
SYMCRYPT_CALL
8242
SymCryptEcurveBitsizeofGroupOrder( _In_ PCSYMCRYPT_ECURVE pCurve );
8243
//
8244
// This function returns the number of bits of the order of the subgroup generated by
8245
// the distinguished point of the curve.
8246
//
8247

8248
UINT32
8249
SYMCRYPT_CALL
8250
SymCryptEcurveSizeofFieldElement( _In_    PCSYMCRYPT_ECURVE   pCurve );
8251
//
8252
// This function returns the number of bytes of a field element. It is used to
8253
// construct buffers for setting and getting the value of elliptic curve points (most
8254
// notably the public key of an ECKEY object).
8255
//
8256
// The result is equal to the cbFieldLength field of the parameters that created the curve.
8257
//
8258

8259
UINT32
8260
SYMCRYPT_CALL
8261
SymCryptEcurveSizeofScalarMultiplier( _In_    PCSYMCRYPT_ECURVE   pCurve );
8262
//
8263
// This function returns the number of bytes of a scalar integer that is big enough to
8264
// store a private key (or a multiplier of an elliptic curve point). It is used to
8265
// construct buffers for setting and getting the value of a scalar multiplier (most
8266
// notably the private key of an ECKEY object - see SymCryptEckeySetValue and
8267
// SymCryptEckeyGetValue).
8268
//
8269
// The result is equal to sizeof( subgroupOrder * co-factor ).
8270
//
8271

8272
BOOLEAN
8273
SYMCRYPT_CALL
8274
SymCryptEcurveIsSame(
8275
    _In_    PCSYMCRYPT_ECURVE  pCurve1,
8276
    _In_    PCSYMCRYPT_ECURVE  pCurve2);
8277
//
8278
// Returns true if pCurve1 and pCurve2 have same type, P, A, and B - false otherwise.
8279
//
8280
// Note: This does not check that the curves have the same G set, callers may additionally
8281
// consider calling SymCryptEcpointIsEqual to compare the curves' distinguished points.
8282
//
8283

8284
// Internally supported curves
8285
extern const PCSYMCRYPT_ECURVE_PARAMS    SymCryptEcurveParamsNistP192;
8286
extern const PCSYMCRYPT_ECURVE_PARAMS    SymCryptEcurveParamsNistP224;
8287
extern const PCSYMCRYPT_ECURVE_PARAMS    SymCryptEcurveParamsNistP256;
8288
extern const PCSYMCRYPT_ECURVE_PARAMS    SymCryptEcurveParamsNistP384;
8289
extern const PCSYMCRYPT_ECURVE_PARAMS    SymCryptEcurveParamsNistP521;
8290

8291
extern const PCSYMCRYPT_ECURVE_PARAMS    SymCryptEcurveParamsNumsP256t1;
8292
extern const PCSYMCRYPT_ECURVE_PARAMS    SymCryptEcurveParamsNumsP384t1;
8293
extern const PCSYMCRYPT_ECURVE_PARAMS    SymCryptEcurveParamsNumsP512t1;
8294

8295
extern const PCSYMCRYPT_ECURVE_PARAMS    SymCryptEcurveParamsCurve25519;
8296

8297
typedef enum _SYMCRYPT_ECURVE_ID
8298
{
8299
    SYMCRYPT_ECURVE_ID_NULL             = 0,
8300
    SYMCRYPT_ECURVE_ID_NIST_P192        = 1,
8301
    SYMCRYPT_ECURVE_ID_NIST_P224        = 2,
8302
    SYMCRYPT_ECURVE_ID_NIST_P256        = 3,
8303
    SYMCRYPT_ECURVE_ID_NIST_P384        = 4,
8304
    SYMCRYPT_ECURVE_ID_NIST_P521        = 5,
8305
    SYMCRYPT_ECURVE_ID_NUMS_P256T1      = 6,
8306
    SYMCRYPT_ECURVE_ID_NUMS_P384T1      = 7,
8307
    SYMCRYPT_ECURVE_ID_NUMS_P512T1      = 8,
8308
    SYMCRYPT_ECURVE_ID_CURVE25519       = 9
8309
} SYMCRYPT_ECURVE_ID;
8310

8311
PCSYMCRYPT_ECURVE_PARAMS
8312
SYMCRYPT_CALL
8313
SymCryptGetEcurveParams( SYMCRYPT_ECURVE_ID ecurveId );
8314
//
8315
// Returns a pointer to the elliptic curve parameters structure for the specified curve ID.
8316
// Returns NULL if the curve ID is invalid.
8317
//
8318

8319
//=====================================================
8320
// ECC flags
8321
//
8322
// Also see Generic key validation flags above
8323

8324
// SYMCRYPT_FLAG_ECDSA_NO_TRUNCATION: This flag applies only to the ECDSA algorithm. When set, the sign
8325
//      and verify algorithms will not do hash truncation. The caller can use their own truncation method in such case.
8326
//      (default: according to the ECDSA standard)
8327
#define SYMCRYPT_FLAG_ECDSA_NO_TRUNCATION        (0x08)
8328

8329
//=====================================================
8330
// EC key operations
8331

8332
UINT32
8333
SYMCRYPT_CALL
8334
SymCryptEckeySizeofPublicKey(
8335
    _In_ PCSYMCRYPT_ECKEY           pkEckey,
8336
    _In_ SYMCRYPT_ECPOINT_FORMAT    ecPointFormat );
8337
//
8338
// Returns the size in bytes of a blob big enough to retrieve the public key in
8339
// the specified ECPOINT format.
8340
//
8341

8342
UINT32
8343
SYMCRYPT_CALL
8344
SymCryptEckeySizeofPrivateKey( _In_ PCSYMCRYPT_ECKEY pkEckey );
8345
//
8346
// Returns the size in bytes of a blob big enough to retrieve the private key.
8347
// It is equal to SymCryptEcurveSizeofScalarMultiplier( pCurve ) where pCurve is the
8348
// curve that created the key.
8349
//
8350

8351
BOOLEAN
8352
SYMCRYPT_CALL
8353
SymCryptEckeyHasPrivateKey( _In_ PCSYMCRYPT_ECKEY pkEckey );
8354
//
8355
// Returns TRUE if the pkEckey object has a private key set.
8356
//
8357

8358
SYMCRYPT_ERROR
8359
SYMCRYPT_CALL
8360
SymCryptEckeySetValue(
8361
    _In_reads_bytes_( cbPrivateKey )    PCBYTE                  pbPrivateKey,
8362
                                        SIZE_T                  cbPrivateKey,
8363
    _In_reads_bytes_( cbPublicKey )     PCBYTE                  pbPublicKey,
8364
                                        SIZE_T                  cbPublicKey,
8365
                                        SYMCRYPT_NUMBER_FORMAT  numFormat,
8366
                                        SYMCRYPT_ECPOINT_FORMAT ecPointFormat,
8367
                                        UINT32                  flags,
8368
    _Inout_                             PSYMCRYPT_ECKEY         pEckey );
8369
//
8370
// Import key material to an ECKEY object.
8371
//
8372
// Requirements:
8373
//      (pbPrivateKey, cbPrivateKey): a buffer that contains the private key, encoded
8374
//      in the format specified by the numFormat parameter.
8375
//      Note that the integer encoded in (pbPrivateKey, cbPrivateKey) is taken modulo the order of the
8376
//      subgroup generated by the curve generator. Callers that want a uniform private key value
8377
//      should ensure that the input is uniform in the range [1..GOrd-1].
8378
//
8379
//      Requirements: cbPrivateKey == SymCryptEckeySizeofPrivateKey( pEckey )
8380
//
8381
//      If pbPrivateKey == NULL && cbPrivateKey == 0, then no private key is imported, and the
8382
//      resulting ECKEY object will not have a private key.
8383
//
8384
//      (pbPublicKey, cbPublicKey): buffer that contains the public key, encoded in the format
8385
//      specified by the format parameter, the buffer length, and the curve properties.
8386
//
8387
//      Requirements: cbPublicKey == SymCryptEckeySizeofPublicKey( pEckey, ecPointFormat )
8388
//
8389
//      If no public key is presented (pbPublicKey == NULL && cbPublicKey == 0) then the public
8390
//      key is computed from the provided private key.
8391
//
8392
//      At least one of the public and private keys must be provided.
8393
//
8394
//      If both are provided, then they must match.
8395
//
8396
//      The algorithm always sets the corresponding public key
8397
//
8398
// Allowed flags:
8399
//
8400
// - SYMCRYPT_FLAG_KEY_NO_FIPS
8401
//   Opt-out of performing validation required for FIPS
8402
//
8403
// - SYMCRYPT_FLAG_KEY_MINIMAL_VALIDATION
8404
//   Opt-out of performing almost all validation - must be specified with SYMCRYPT_FLAG_KEY_NO_FIPS
8405
//
8406
// - At least one of the flags indicating what the Eckey is to be used for must be specified:
8407
//      SYMCRYPT_FLAG_ECKEY_ECDSA
8408
//      SYMCRYPT_FLAG_ECKEY_ECDH
8409
//
8410
// Described in more detail in the "Flags for asymmetric key generation and import" section above
8411
//
8412

8413
SYMCRYPT_ERROR
8414
SYMCRYPT_CALL
8415
SymCryptEckeySetRandom(
8416
    _In_    UINT32                  flags,
8417
    _Inout_ PSYMCRYPT_ECKEY         pEckey );
8418
//
8419
// Generates a new Eckey public/private key pair using the specified curve. The public key
8420
// is a uniformly random non-zero point of the subgroup generated by the distinguished point
8421
// of the curve. This complies with the FIPS 186-4 standard.
8422
//
8423
// Remarks:
8424
//  - In the case that the highbit restrictions on the curve are unsatisfiable, i.e.
8425
//    there is no private key smaller than the group order it returns
8426
//    SYMCRYPT_INVALID_ARGUMENT.
8427
//
8428
// Allowed flags:
8429
//
8430
// - SYMCRYPT_FLAG_KEY_NO_FIPS
8431
//   Opt-out of performing validation required for FIPS
8432
//
8433
// - At least one of the flags indicating what the Eckey is to be used for must be specified:
8434
//      SYMCRYPT_FLAG_ECKEY_ECDSA
8435
//      SYMCRYPT_FLAG_ECKEY_ECDH
8436

8437
// Described in more detail in the "Flags for asymmetric key generation and import" section above
8438
//
8439

8440
SYMCRYPT_ERROR
8441
SYMCRYPT_CALL
8442
SymCryptEckeyGetValue(
8443
    _In_    PCSYMCRYPT_ECKEY        pEckey,
8444
    _Out_writes_bytes_( cbPrivateKey )
8445
            PBYTE                   pbPrivateKey,
8446
            SIZE_T                  cbPrivateKey,
8447
    _Out_writes_bytes_( cbPublicKey )
8448
            PBYTE                   pbPublicKey,
8449
            SIZE_T                  cbPublicKey,
8450
            SYMCRYPT_NUMBER_FORMAT  numFormat,
8451
            SYMCRYPT_ECPOINT_FORMAT ecPointFormat,
8452
            UINT32                  flags );
8453
//
8454
// Retrieve the public or the private key (or both) from an ECKEY. The buffers should be
8455
// allocated by the caller.
8456
//
8457
// If (pbPrivateKey != NULL), then the function will return the private key in pbPrivateKey
8458
// in the format specified by the numFormat parameter **as long as** the following three
8459
// requirements are satisfied:
8460
//      1. cbPrivateKey >= SymCryptEckeySizeofPrivateKey( pEckey )
8461
//      2. pEckey contains a private key part (If this fails the function returns SYMCRYPT_INVALID_BLOB)
8462
// If (pbPrivateKey == NULL) and (cbPrivateKey == 0), then these parameters are ignored
8463
// and no private key is returned.
8464
//
8465
// If (pbPublicKey != NULL), then the function will return the public key in pbPublicKey
8466
// in the format specified by the numFormat and the ecPointFormat parameters
8467
// **as long as** the following requirement is satisfied:
8468
//      1. cbPublicKey >= SymCryptEckeySizeofPublicKey( pEckey, ecPointFormat )
8469
// If (pbPublicKey == NULL) and (cbPublicKey == 0), then these parameters are ignored
8470
// and no public key is returned.
8471
//
8472
// Allowed flags:
8473
//      - None.
8474
//
8475

8476
SYMCRYPT_ERROR
8477
SYMCRYPT_CALL
8478
SymCryptEckeyExtendKeyUsage(
8479
    _Inout_ PSYMCRYPT_ECKEY pEckey,
8480
            UINT32          flags );
8481
//
8482
// Enable an existing key which has been generated or imported to be used in specified algorithms.
8483
// Some callers may not know at key generation or import time what algorithms a key will be used for
8484
// and this API allows the key to be extended for use in additional algorithms. Use of this API may
8485
// not be compliant with FIPS 140-3
8486
//
8487
// - flags must be some bitwise OR of the following flags:
8488
//      SYMCRYPT_FLAG_ECKEY_ECDSA
8489
//      SYMCRYPT_FLAG_ECKEY_ECDH
8490

8491
/************************
8492
 * Crypto algorithm API *
8493
 ************************/
8494

8495
//
8496
// The Crypto algorithm API implements various cryptographic algorithms that use large-integer arithmetic.
8497
//
8498

8499
//
8500
// RSA Encryption Algorithms
8501
//
8502

8503
SYMCRYPT_ERROR
8504
SYMCRYPT_CALL
8505
SymCryptRsaRawEncrypt(
8506
    _In_                        PCSYMCRYPT_RSAKEY           pkRsakey,
8507
    _In_reads_bytes_( cbSrc )   PCBYTE                      pbSrc,
8508
                                SIZE_T                      cbSrc,
8509
                                SYMCRYPT_NUMBER_FORMAT      numFormat,
8510
                                UINT32                      flags,
8511
    _Out_writes_( cbDst )       PBYTE                       pbDst,
8512
                                SIZE_T                      cbDst );
8513
//
8514
// This function encrypts the buffer pbSrc (of size cbSrc bytes) under the pkRsakey key using textbook RSA.
8515
// The output is stored in the pbDst buffer (of size cbDst bytes).
8516
// For in place encryption pbSrc = pbDst.
8517
//
8518
// Both input and output buffers store a number in the number format numFormat.
8519
//
8520
// Requirements:
8521
//  - If cbDst is too small for the result then SYMCRYPT_BUFFER_TOO_SMALL is returned.
8522
//    Safe size is cbDst = SymCryptRsakeySizeofModulus(pkRsakey).
8523
//  - The number stored in the pbSrc buffer must be strictly smaller than the value
8524
//    of the public modulus in pkRsakey.
8525
//
8526
// Allowed flags:
8527
//      None
8528
//
8529

8530
SYMCRYPT_ERROR
8531
SYMCRYPT_CALL
8532
SymCryptRsaRawDecrypt(
8533
    _In_                        PCSYMCRYPT_RSAKEY           pkRsakey,
8534
    _In_reads_bytes_( cbSrc )   PCBYTE                      pbSrc,
8535
                                SIZE_T                      cbSrc,
8536
                                SYMCRYPT_NUMBER_FORMAT      numFormat,
8537
                                UINT32                      flags,
8538
    _Out_writes_( cbDst )       PBYTE                       pbDst,
8539
                                SIZE_T                      cbDst );
8540
//
8541
// This function decrypts the buffer pbSrc (of size cbSrc bytes) with the pkRsakey key using textbook RSA.
8542
// The output is stored in the pbDst buffer (of size cbDst bytes).
8543
// For in place decryption pbSrc = pbDst.
8544
//
8545
// Both input and output buffers store a number in the number format numFormat.
8546
//
8547
// Requirements:
8548
//  - If cbDst is too small for the result then SYMCRYPT_BUFFER_TOO_SMALL is returned.
8549
//    Safe size is cbDst = SymCryptRsakeySizeofModulus(pkRsakey).
8550
//  - The number stored in the pbSrc buffer must be strictly smaller than the value
8551
//    of the public modulus in pkRsakey.
8552
//  - The RSAKEY pkRsakey must have a private key part. Otherwise SYMCRYPT_INVALID_ARGUMENT is returned.
8553
//
8554
// Allowed flags:
8555
//      None
8556
//
8557

8558
SYMCRYPT_ERROR
8559
SYMCRYPT_CALL
8560
SymCryptRsaPkcs1Encrypt(
8561
    _In_                        PCSYMCRYPT_RSAKEY           pkRsakey,
8562
    _In_reads_bytes_( cbSrc )   PCBYTE                      pbSrc,
8563
                                SIZE_T                      cbSrc,
8564
                                UINT32                      flags,
8565
                                SYMCRYPT_NUMBER_FORMAT      nfDst,
8566
    _Out_writes_opt_( cbDst )   PBYTE                       pbDst,
8567
                                SIZE_T                      cbDst,
8568
    _Out_                       SIZE_T                      *pcbDst );
8569
//
8570
// This function encrypts the buffer pbSrc under the pkRsakey key using RSA PKCS1 v1.5.
8571
// The output is stored in the pbDst buffer and the number of bytes written in *pcbDst.
8572
//
8573
// If pbDst == NULL then only the *pcbDst is output.
8574
//
8575
// nfDst is the number format of the ciphertext (i.e. the pbDst buffer).
8576
//
8577
// Allowed flags:
8578
//      None
8579
//
8580

8581
SYMCRYPT_ERROR
8582
SYMCRYPT_CALL
8583
SymCryptRsaPkcs1Decrypt(
8584
    _In_                        PCSYMCRYPT_RSAKEY           pkRsakey,
8585
    _In_reads_bytes_( cbSrc )   PCBYTE                      pbSrc,
8586
                                SIZE_T                      cbSrc,
8587
                                SYMCRYPT_NUMBER_FORMAT      nfSrc,
8588
                                UINT32                      flags,
8589
    _Out_writes_opt_( cbDst )   PBYTE                       pbDst,
8590
                                SIZE_T                      cbDst,
8591
    _Out_                       SIZE_T                      *pcbDst );
8592
//
8593
// Perform an RSA-PKCS1 decryption.
8594
//  - pbSrc/cbSrc: source buffer
8595
//  - nfSrc: format of source buffer
8596
//  - flags: must be 0
8597
//  - pbDst/cbDst: destination buffer
8598
//  - pcbDst: receives the size of the decrypted data.
8599
//
8600
// If the data in improperly formatted, an error is returned.
8601
// If pbDst == NULL, then *pcbDst is set to the decrypted data length, and the functions succeeds.
8602
//      This is not recommended as retrieving the actual data requires a second RSA decryption,
8603
//      which is expensive. We recommend that callers provide a large enough buffer the first time.
8604
// If pbDst != NULL and cbDst is too small, then *pcbDst is set to the required size of pbDst
8605
//      and SYMCRYPT_BUFFER_TOO_SMALL is returned.
8606
//
8607
// Allowed flags:
8608
//      None
8609
//
8610

8611
SYMCRYPT_ERROR
8612
SYMCRYPT_CALL
8613
SymCryptRsaOaepEncrypt(
8614
    _In_                        PCSYMCRYPT_RSAKEY           pkRsakey,
8615
    _In_reads_bytes_( cbSrc )   PCBYTE                      pbSrc,
8616
                                SIZE_T                      cbSrc,
8617
    _In_                        PCSYMCRYPT_HASH             hashAlgorithm,
8618
    _In_reads_bytes_( cbLabel ) PCBYTE                      pbLabel,
8619
                                SIZE_T                      cbLabel,
8620
                                UINT32                      flags,
8621
                                SYMCRYPT_NUMBER_FORMAT      nfDst,
8622
    _Out_writes_opt_( cbDst )   PBYTE                       pbDst,
8623
                                SIZE_T                      cbDst,
8624
    _Out_                       SIZE_T                      *pcbDst );
8625
//
8626
// This function encrypts the buffer pbSrc under the pkRsakey key using RSA OAEP.
8627
// The output is stored in the pbDst buffer and the number of bytes written in *pcbDst.
8628
//
8629
// If pbDst == NULL then only the *pcbDst is output.
8630
//
8631
// nfDst is the number format of the ciphertext (i.e. the pbDst buffer).
8632
//
8633
// Allowed flags:
8634
//      None
8635
//
8636

8637
SYMCRYPT_ERROR
8638
SYMCRYPT_CALL
8639
SymCryptRsaOaepDecrypt(
8640
    _In_                        PCSYMCRYPT_RSAKEY           pkRsakey,
8641
    _In_reads_bytes_( cbSrc )   PCBYTE                      pbSrc,
8642
                                SIZE_T                      cbSrc,
8643
                                SYMCRYPT_NUMBER_FORMAT      nfSrc,
8644
    _In_                        PCSYMCRYPT_HASH             hashAlgorithm,
8645
    _In_reads_bytes_( cbLabel ) PCBYTE                      pbLabel,
8646
                                SIZE_T                      cbLabel,
8647
                                UINT32                      flags,
8648
    _Out_writes_opt_( cbDst )   PBYTE                       pbDst,
8649
                                SIZE_T                      cbDst,
8650
    _Out_                       SIZE_T                      *pcbDst );
8651
//
8652
// This function decrypts the buffer pbSrc with the pkRsakey key using RSA OAEP.
8653
// The output is stored in the pbDst buffer and the number of bytes written in *pcbDst.
8654
//
8655
// If pbDst == NULL then only the *pcbDst is output.
8656
//
8657
// nfSrc is the number format of the ciphertext (i.e. the pbSrc buffer).
8658
//
8659
// Requirement:
8660
//  - cbSrc <= SymCryptRsakeySizeofModulus( pkRsakey ). Otherwise the function
8661
//    returns SYMCRYPT_INVALID_ARGUMENT.
8662
//
8663
// Allowed flags:
8664
//      None
8665
//
8666

8667
//
8668
// RSA Signing Algorithms
8669
//
8670

8671
#define SYMCRYPT_FLAG_RSA_PKCS1_NO_ASN1                 (0x01)
8672
#define SYMCRYPT_FLAG_RSA_PKCS1_OPTIONAL_HASH_OID       (0x02)
8673

8674
#define SYMCRYPT_FLAG_RSA_PSS_VERIFY_WITH_MINIMUM_SALT  (0x04)
8675

8676
//
8677
// SYMCRYPT_FLAG_RSA_PKCS1_NO_ASN1: For RSA PKCS1 to not use the OID on signing or verifying.
8678
//
8679

8680
SYMCRYPT_ERROR
8681
SYMCRYPT_CALL
8682
SymCryptRsaPkcs1Sign(
8683
    _In_                                PCSYMCRYPT_RSAKEY           pkRsakey,
8684
    _In_reads_bytes_( cbHashValue )     PCBYTE                      pbHashValue,
8685
                                        SIZE_T                      cbHashValue,
8686
    _In_                                PCSYMCRYPT_OID              pHashOIDs,
8687
    _In_                                SIZE_T                      nOIDCount,
8688
                                        UINT32                      flags,
8689
                                        SYMCRYPT_NUMBER_FORMAT      nfSignature,
8690
    _Out_writes_opt_( cbSignature )     PBYTE                       pbSignature,
8691
                                        SIZE_T                      cbSignature,
8692
    _Out_                               SIZE_T                      *pcbSignature );
8693
//
8694
// This function signs a message (its hash value is stored in pbHashValue) with
8695
// the pkRsakey key using RSA PKCS1 v1.5. The signature is stored in the pbSignature
8696
// buffer and the number of bytes written in *pcbSignature.
8697
//
8698
// pHashOIDs points to an array of SYMCRYPT_OID and the array size is nOIDCount
8699
//
8700
// If pbSignature == NULL then only the *pcbSignature is output.
8701
//
8702
// nfSignature is the number format of the signature (i.e. the pbSignature buffer). Currently
8703
// only SYMCRYPT_NUMBER_FORMAT_MSB_FIRST is supported.
8704
//
8705
// Allowed flags:
8706
//      SYMCRYPT_FLAG_RSA_PKCS1_NO_ASN1
8707
//
8708

8709
SYMCRYPT_ERROR
8710
SYMCRYPT_CALL
8711
SymCryptRsaPkcs1Verify(
8712
    _In_                                PCSYMCRYPT_RSAKEY           pkRsakey,
8713
    _In_reads_bytes_( cbHashValue )     PCBYTE                      pbHashValue,
8714
                                        SIZE_T                      cbHashValue,
8715
    _In_reads_bytes_( cbSignature )     PCBYTE                      pbSignature,
8716
                                        SIZE_T                      cbSignature,
8717
                                        SYMCRYPT_NUMBER_FORMAT      nfSignature,
8718
    _In_reads_opt_( nOIDCount )         PCSYMCRYPT_OID              pHashOID,
8719
    _In_                                SIZE_T                      nOIDCount,
8720
                                        UINT32                      flags );
8721
//
8722
// This function verifies the signature of a message (its hash value is input in
8723
// pbHashValue) with the pkRsakey key using RSA PKCS1 v1.5. The signature is input
8724
// in the pbSignature buffer.
8725
//
8726
// pHashOIDs points to an array of SYMCRYPT_OID and the array size is nOIDCount
8727
//
8728
// It returns SYMCRYPT_NO_ERROR if the verification succeeded or SYMCRYPT_SIGNATURE_VERIFICATION_FAILURE
8729
// if it failed.
8730
//
8731
// nfSignature is the number format of the signature (i.e. the pbSignature buffer). Currently
8732
// only SYMCRYPT_NUMBER_FORMAT_MSB_FIRST is supported.
8733
//
8734
// Allowed flags:
8735
//      SYMCRYPT_FLAG_RSA_PKCS1_OPTIONAL_HASH_OID
8736
//
8737
//      When the flag is set, this function will do signature verification by not using hash OID when needed
8738
//
8739

8740

8741
SYMCRYPT_ERROR
8742
SYMCRYPT_CALL
8743
SymCryptRsaPssSign(
8744
    _In_                                PCSYMCRYPT_RSAKEY           pkRsakey,
8745
    _In_reads_bytes_( cbHashValue )     PCBYTE                      pbHashValue,
8746
                                        SIZE_T                      cbHashValue,
8747
    _In_                                PCSYMCRYPT_HASH             hashAlgorithm,
8748
                                        SIZE_T                      cbSalt,
8749
                                        UINT32                      flags,
8750
                                        SYMCRYPT_NUMBER_FORMAT      nfSignature,
8751
    _Out_writes_opt_( cbSignature )     PBYTE                       pbSignature,
8752
                                        SIZE_T                      cbSignature,
8753
    _Out_                               SIZE_T                      *pcbSignature );
8754
//
8755
// Sign a message using RSA-PSS
8756
// - pkRsaKey: Key to sign with; must contain a private key
8757
// - pbHashValue/cbHashValue: Value to sign
8758
// - hashAlgorithm: Hash algorithm to use in the MGF of PSS
8759
// - cbSalt: # bytes of salt to use (typically equal to size of hash value)
8760
// - flags: must be 0
8761
// - nfSignature: Number format of signature. Typically SYMCRYPT_NUMBER_FORMAT_MSB_FIRST
8762
// - pbSignature/cbSignature: buffer that receives the signature.
8763
//              If pbSignature == NULL< only *pcbSignature is returned.
8764
//              Note: pbSignature receives an integer, so if the buffer is larger than the modulus size
8765
//              it will be padded with zeroes. For MSB-first format the zeroes are at the start of the buffer.
8766
//              Typically this buffer is the same size as the RSA modulus.
8767
// - pcbSignature: receives the size of the signature.
8768
//
8769
// Return value:
8770
//  If cbHashValue + cbSalt is too large (above modulus size minus 2 or 3 depending on details) then
8771
//  signature generation fails.
8772
//
8773
// Allowed flags:
8774
//      None
8775
//
8776

8777
SYMCRYPT_ERROR
8778
SYMCRYPT_CALL
8779
SymCryptRsaPssVerify(
8780
    _In_                                PCSYMCRYPT_RSAKEY           pkRsakey,
8781
    _In_reads_bytes_( cbHashValue )     PCBYTE                      pbHashValue,
8782
                                        SIZE_T                      cbHashValue,
8783
    _In_reads_bytes_( cbSignature )     PCBYTE                      pbSignature,
8784
                                        SIZE_T                      cbSignature,
8785
                                        SYMCRYPT_NUMBER_FORMAT      nfSignature,
8786
    _In_                                PCSYMCRYPT_HASH             hashAlgorithm,
8787
                                        SIZE_T                      cbSalt,
8788
                                        UINT32                      flags );
8789
//
8790
// This function verifies the signature of a message (its hash value is input in
8791
// pbHashValue) with the pkRsakey key using RSA PSS. The signature is input
8792
// in the pbSignature buffer.
8793
//
8794
// It returns SYMCRYPT_NO_ERROR if the verification succeeded or SYMCRYPT_SIGNATURE_VERIFICATION_FAILURE
8795
// if it failed.
8796
//
8797
// nfSignature is the number format of the signature (i.e. the pbSignature buffer). Currently
8798
// only SYMCRYPT_NUMBER_FORMAT_MSB_FIRST is supported.
8799
//
8800
// Requirements:
8801
//  - cbHashValue <= SymCryptRsakeySizeofModulus( pkRsakey )
8802
//  - cbSalt <= SymCryptRsakeySizeofModulus( pkRsakey )
8803
//  - cbSignature <= SymCryptRsakeySizeofModulus( pkRsakey )
8804
//
8805
// Allowed flags:
8806
//      SYMCRYPT_FLAG_RSA_PSS_VERIFY_WITH_MINIMUM_SALT
8807
//
8808
//      When the flag is set, this function will do signature verification using the cbSalt parameter as
8809
//      a minimum value for the salt length, rather than using it as an exact value. Specifying this and
8810
//      setting cbSalt = 0 allows callers to verify a signature which has a valid encoding with any salt
8811
//      length using a single call.
8812
//
8813

8814
VOID
8815
SYMCRYPT_CALL
8816
SymCryptRsaSelftest(void);
8817
//
8818
// FIPS self-test for RSA sign/verify. This function uses a hardcoded key to perform the self-test
8819
// without having to generate a key. If the self-test fails, SymCryptFatal will be called to
8820
// fastfail.
8821
// The self-test will automatically be performed before first operational use of RSA if using a key
8822
// with FIPS validation, so most callers should never use this function.
8823
//
8824

8825

8826
//
8827
// DSA
8828
//
8829

8830
SYMCRYPT_ERROR
8831
SYMCRYPT_CALL
8832
SymCryptDsaSign(
8833
    _In_                                PCSYMCRYPT_DLKEY        pKey,
8834
    _In_reads_bytes_( cbHashValue )     PCBYTE                  pbHashValue,
8835
                                        SIZE_T                  cbHashValue,
8836
                                        SYMCRYPT_NUMBER_FORMAT  format,
8837
                                        UINT32                  flags,
8838
    _Out_writes_bytes_( cbSignature )   PBYTE                   pbSignature,
8839
                                        SIZE_T                  cbSignature );
8840
//
8841
// Sign a message using the DSA signature algorithm.
8842
// (pbHashValue,cbHashValue) is the output of the hash function that hashed the message to be signed.
8843
// (pbSignature,cbSignature) is the output buffer that receives the signature.
8844
// The signature is encoded as two integers (R,S) mod Q in the format specified by the 'format' parameter.
8845
//
8846
// Allowed flags:
8847
//      None
8848
//
8849

8850

8851
SYMCRYPT_ERROR
8852
SYMCRYPT_CALL
8853
SymCryptDsaVerify(
8854
    _In_                                PCSYMCRYPT_DLKEY        pKey,
8855
    _In_reads_bytes_( cbHashValue )     PCBYTE                  pbHashValue,
8856
                                        SIZE_T                  cbHashValue,
8857
    _In_reads_bytes_( cbSignature )     PCBYTE                  pbSignature,
8858
                                        SIZE_T                  cbSignature,
8859
                                        SYMCRYPT_NUMBER_FORMAT  format,
8860
                                        UINT32                  flags );
8861
//
8862
// Verifies a DSA signature using the public part of Key.
8863
//
8864
// It returns SYMCRYPT_NO_ERROR if the verification succeeded or SYMCRYPT_SIGNATURE_VERIFICATION_FAILURE
8865
// if it failed.
8866
//
8867
// Allowed flags:
8868
//      None
8869
//
8870

8871
VOID
8872
SYMCRYPT_CALL
8873
SymCryptDsaSelftest(void);
8874
//
8875
// FIPS self-test for DSA sign/verify. This function uses a hardcoded key to perform the self-test
8876
// without having to generate a key. If the self-test fails, SymCryptFatal will be called to
8877
// fastfail.
8878
// The self-test will automatically be performed before first operational use of DSA if using a key
8879
// with FIPS validation, so most callers should never use this function.
8880
//
8881

8882
//
8883
// DH
8884
//
8885

8886
SYMCRYPT_ERROR
8887
SYMCRYPT_CALL
8888
SymCryptDhSecretAgreement(
8889
    _In_                            PCSYMCRYPT_DLKEY        pkPrivate,
8890
    _In_                            PCSYMCRYPT_DLKEY        pkPublic,
8891
                                    SYMCRYPT_NUMBER_FORMAT  format,
8892
                                    UINT32                  flags,
8893
    _Out_writes_( cbAgreedSecret )  PBYTE                   pbAgreedSecret,
8894
                                    SIZE_T                  cbAgreedSecret );
8895
//
8896
// Calculates the agreed secret of a DH key exchange and stores it
8897
// in the pbAgreedSecret buffer under the specified number format.
8898
//
8899
// format is the number format of the agreed secret (pbAgreedSecret buffer).
8900
//
8901
// Allowed flags:
8902
//      - None
8903
//
8904

8905
VOID
8906
SYMCRYPT_CALL
8907
SymCryptDhSecretAgreementSelftest(void);
8908
//
8909
// FIPS self-test for DH secret agreement. This function uses two hardcoded keys and a precalculated
8910
// known answer to perform the self-test without having to generate a key. If the self-test fails,
8911
// SymCryptFatal will be called to fastfail.
8912
// The self-test will automatically be performed before first operational use of DH if using keys
8913
// with FIPS validation, so most callers should never use this function.
8914
//
8915

8916
//
8917
// For both ECDSA and ECDH algorithms the key generation and management is the same. The main algorithms are:
8918
//      - SymCryptEckeyAllocate or SymCryptEckeyCreate for creation of the ECKEY object.
8919
//      - SymCryptEckeySetValue or SymCryptEckeySetRandom for filling the key with the preferred key material.
8920
//      - SymCryptEckeyFree or SymCryptEckeyWipe for freeing or wiping the key.
8921
//
8922

8923
//
8924
// ECDSA
8925
//
8926

8927
SYMCRYPT_ERROR
8928
SYMCRYPT_CALL
8929
SymCryptEcDsaSign(
8930
    _In_                                PCSYMCRYPT_ECKEY        pKey,
8931
    _In_reads_bytes_( cbHashValue )     PCBYTE                  pbHashValue,
8932
                                        SIZE_T                  cbHashValue,
8933
                                        SYMCRYPT_NUMBER_FORMAT  format,
8934
                                        UINT32                  flags,
8935
    _Out_writes_bytes_( cbSignature )   PBYTE                   pbSignature,
8936
                                        SIZE_T                  cbSignature );
8937
//
8938
// Sign a message using the ECDSA signature algorithm.
8939
// (pbHashValue,cbHashValue) is the output of the hash function that hashed the message to be signed.
8940
// (pbSignature,cbSignature) is the output buffer that receives the signature.
8941
// The signature is encoded as two integers in the format specified by the 'format' parameter.
8942
//
8943
// Allowed flags:
8944
//      SYMCRYPT_FLAG_ECDSA_NO_TRUNCATION: If set then the hash value will
8945
//      not be truncated.
8946
//
8947

8948
SYMCRYPT_ERROR
8949
SYMCRYPT_CALL
8950
SymCryptEcDsaVerify(
8951
    _In_                                PCSYMCRYPT_ECKEY        pKey,
8952
    _In_reads_bytes_( cbHashValue )     PCBYTE                  pbHashValue,
8953
                                        SIZE_T                  cbHashValue,
8954
    _In_reads_bytes_( cbSignature )     PCBYTE                  pbSignature,
8955
                                        SIZE_T                  cbSignature,
8956
                                        SYMCRYPT_NUMBER_FORMAT  format,
8957
                                        UINT32                  flags );
8958

8959
//
8960
// Verifies an ECDSA signature using the public part of Key.
8961
//
8962
// It returns SYMCRYPT_NO_ERROR if the verification succeeded or SYMCRYPT_SIGNATURE_VERIFICATION_FAILURE
8963
// if it failed.
8964
//
8965
// Allowed flags:
8966
//      SYMCRYPT_FLAG_ECDSA_NO_TRUNCATION: If set then the hash value will
8967
//      not be truncated.
8968

8969
VOID
8970
SYMCRYPT_CALL
8971
SymCryptEcDsaSelftest(void);
8972
//
8973
// FIPS self-test for ECDSA sign/verify. This function uses a hardcoded key to perform the self-test
8974
// without having to generate a key. If the self-test fails, SymCryptFatal will be called to
8975
// fastfail.
8976
// The self-test will automatically be performed before first operational use of ECDSA if using a
8977
// key with FIPS validation, so most callers should never use this function.
8978
//
8979

8980
//
8981
// ECDH
8982
//
8983

8984
SYMCRYPT_ERROR
8985
SYMCRYPT_CALL
8986
SymCryptEcDhSecretAgreement(
8987
    _In_                            PCSYMCRYPT_ECKEY        pkPrivate,
8988
    _In_                            PCSYMCRYPT_ECKEY        pkPublic,
8989
                                    SYMCRYPT_NUMBER_FORMAT  format,
8990
                                    UINT32                  flags,
8991
    _Out_writes_( cbAgreedSecret )  PBYTE                   pbAgreedSecret,
8992
                                    SIZE_T                  cbAgreedSecret );
8993

8994
//
8995
// Calculates the agreed secret of a DH key exchange and stores it
8996
// in the pbAgreedSecret buffer under the specified number format.
8997
//
8998
// Allowed flags:
8999
//      - None
9000
//
9001

9002
VOID
9003
SYMCRYPT_CALL
9004
SymCryptEcDhSecretAgreementSelftest(void);
9005
//
9006
// FIPS self-test for ECDH secret agreement. This function uses two hardcoded keys and a
9007
// precalculated known answer to perform the self-test without having to generate a key. If the
9008
// self-test fails, SymCryptFatal will be called to fastfail.
9009
// The self-test will automatically be performed before first operational use of ECDH if using keys
9010
// with FIPS validation, so most callers should never use this function.
9011
//
9012

9013
//========================================================================
9014
//
9015
// Stateful Hash-based Signatures
9016
//
9017
// Hash-based signature schemes are digital signature schemes built out of hash
9018
// functions. Stateful hash-based signatures are many-time signature schemes
9019
// composed of a one-time-signature (OTS) scheme and a Merkle-tree representing
9020
// multiple OTS with a public root value. At each signing operation, one of the
9021
// (unused) OTS keys is used to sign the message, and the private key is updated
9022
// so that the same OTS is not used again. Because there is a limited number of
9023
// OTS keys determined at key generation time, signing cannot be performed after
9024
// all OTSs are used. This is an important distinction from other digital signature
9025
// schemes such as RSA or ECDSA.
9026
//
9027
// It is crucial for the security of the *stateful* hash-based signatures that the
9028
// same private key state NOT be used more than once to sign messages, otherwise all
9029
// security is lost.
9030
//
9031

9032

9033
//========================================================================
9034
// XMSS API
9035
//
9036
//  XMSS is a stateful hash-based signature scheme specified in RFC 8391. The
9037
//  multi-tree variant is named XMSS^MT.
9038
//
9039
//  XMSS uses WOTS+ as the one-time-signature (OTS) scheme. Public key consists
9040
//  of two parts; Merkle-tree hash of OTS public keys called the Root, and a Seed value
9041
//  used in in hash computations. The private key consists of SK_XMSS which is
9042
//  used to deterministically create OTS keys, SK_PRF which is used to generate
9043
//  the randomizer for hashing, and an integer Idx is used to select the next OTS key
9044
//  for signing.
9045
//
9046

9047
typedef enum _SYMCRYPT_XMSS_ALGID
9048
{
9049
    //                                              Hash Fn.    RFC-8391    SP800-208
9050
    SYMCRYPT_XMSS_SHA2_10_256       = 0x00000001,   // SHA-256      X           X
9051
    SYMCRYPT_XMSS_SHA2_16_256       = 0x00000002,   // SHA-256      X           X
9052
    SYMCRYPT_XMSS_SHA2_20_256       = 0x00000003,   // SHA-256      X           X
9053
    SYMCRYPT_XMSS_SHA2_10_512       = 0x00000004,   // SHA-512      X
9054
    SYMCRYPT_XMSS_SHA2_16_512       = 0x00000005,   // SHA-512      X
9055
    SYMCRYPT_XMSS_SHA2_20_512       = 0x00000006,   // SHA-512      X
9056
    SYMCRYPT_XMSS_SHAKE_10_256      = 0x00000007,   // SHAKE128     X
9057
    SYMCRYPT_XMSS_SHAKE_16_256      = 0x00000008,   // SHAKE128     X
9058
    SYMCRYPT_XMSS_SHAKE_20_256      = 0x00000009,   // SHAKE128     X
9059
    SYMCRYPT_XMSS_SHAKE_10_512      = 0x0000000A,   // SHAKE256     X
9060
    SYMCRYPT_XMSS_SHAKE_16_512      = 0x0000000B,   // SHAKE256     X
9061
    SYMCRYPT_XMSS_SHAKE_20_512      = 0x0000000C,   // SHAKE256     X
9062
    SYMCRYPT_XMSS_SHA2_10_192       = 0x0000000D,   // SHA-256                  X
9063
    SYMCRYPT_XMSS_SHA2_16_192       = 0x0000000E,   // SHA-256                  X
9064
    SYMCRYPT_XMSS_SHA2_20_192       = 0x0000000F,   // SHA-256                  X
9065
    SYMCRYPT_XMSS_SHAKE256_10_256   = 0x00000010,   // SHAKE256                 X
9066
    SYMCRYPT_XMSS_SHAKE256_16_256   = 0x00000011,   // SHAKE256                 X
9067
    SYMCRYPT_XMSS_SHAKE256_20_256   = 0x00000012,   // SHAKE256                 X
9068
    SYMCRYPT_XMSS_SHAKE256_10_192   = 0x00000013,   // SHAKE256                 X
9069
    SYMCRYPT_XMSS_SHAKE256_16_192   = 0x00000014,   // SHAKE256                 X
9070
    SYMCRYPT_XMSS_SHAKE256_20_192   = 0x00000015,   // SHAKE256                 X
9071

9072
} SYMCRYPT_XMSS_ALGID;
9073

9074
typedef enum _SYMCRYPT_XMSSMT_ALGID
9075
{
9076
    //                                                  Hash Fn.    RFC-8391    SP800-208
9077
    //                                                  SHA-256         X           X
9078
    SYMCRYPT_XMSSMT_SHA2_20_2_256       = 0x00000001,
9079
    SYMCRYPT_XMSSMT_SHA2_20_4_256       = 0x00000002,
9080
    SYMCRYPT_XMSSMT_SHA2_40_2_256       = 0x00000003,
9081
    SYMCRYPT_XMSSMT_SHA2_40_4_256       = 0x00000004,
9082
    SYMCRYPT_XMSSMT_SHA2_40_8_256       = 0x00000005,
9083
    SYMCRYPT_XMSSMT_SHA2_60_3_256       = 0x00000006,
9084
    SYMCRYPT_XMSSMT_SHA2_60_6_256       = 0x00000007,
9085
    SYMCRYPT_XMSSMT_SHA2_60_12_256      = 0x00000008,
9086

9087
    //                                                  SHA-512         X
9088
    SYMCRYPT_XMSSMT_SHA2_20_2_512       = 0x00000009,
9089
    SYMCRYPT_XMSSMT_SHA2_20_4_512       = 0x0000000A,
9090
    SYMCRYPT_XMSSMT_SHA2_40_2_512       = 0x0000000B,
9091
    SYMCRYPT_XMSSMT_SHA2_40_4_512       = 0x0000000C,
9092
    SYMCRYPT_XMSSMT_SHA2_40_8_512       = 0x0000000D,
9093
    SYMCRYPT_XMSSMT_SHA2_60_3_512       = 0x0000000E,
9094
    SYMCRYPT_XMSSMT_SHA2_60_6_512       = 0x0000000F,
9095
    SYMCRYPT_XMSSMT_SHA2_60_12_512      = 0x00000010,
9096

9097
    //                                                  SHAKE128        X
9098
    SYMCRYPT_XMSSMT_SHAKE_20_2_256      = 0x00000011,
9099
    SYMCRYPT_XMSSMT_SHAKE_20_4_256      = 0x00000012,
9100
    SYMCRYPT_XMSSMT_SHAKE_40_2_256      = 0x00000013,
9101
    SYMCRYPT_XMSSMT_SHAKE_40_4_256      = 0x00000014,
9102
    SYMCRYPT_XMSSMT_SHAKE_40_8_256      = 0x00000015,
9103
    SYMCRYPT_XMSSMT_SHAKE_60_3_256      = 0x00000016,
9104
    SYMCRYPT_XMSSMT_SHAKE_60_6_256      = 0x00000017,
9105
    SYMCRYPT_XMSSMT_SHAKE_60_12_256     = 0x00000018,
9106

9107
    //                                                  SHAKE256        X
9108
    SYMCRYPT_XMSSMT_SHAKE_20_2_512      = 0x00000019,
9109
    SYMCRYPT_XMSSMT_SHAKE_20_4_512      = 0x0000001A,
9110
    SYMCRYPT_XMSSMT_SHAKE_40_2_512      = 0x0000001B,
9111
    SYMCRYPT_XMSSMT_SHAKE_40_4_512      = 0x0000001C,
9112
    SYMCRYPT_XMSSMT_SHAKE_40_8_512      = 0x0000001D,
9113
    SYMCRYPT_XMSSMT_SHAKE_60_3_512      = 0x0000001E,
9114
    SYMCRYPT_XMSSMT_SHAKE_60_6_512      = 0x0000001F,
9115
    SYMCRYPT_XMSSMT_SHAKE_60_12_512     = 0x00000020,
9116

9117
    //                                                  SHA-256                     X
9118
    SYMCRYPT_XMSSMT_SHA2_20_2_192       = 0x00000021,
9119
    SYMCRYPT_XMSSMT_SHA2_20_4_192       = 0x00000022,
9120
    SYMCRYPT_XMSSMT_SHA2_40_2_192       = 0x00000023,
9121
    SYMCRYPT_XMSSMT_SHA2_40_4_192       = 0x00000024,
9122
    SYMCRYPT_XMSSMT_SHA2_40_8_192       = 0x00000025,
9123
    SYMCRYPT_XMSSMT_SHA2_60_3_192       = 0x00000026,
9124
    SYMCRYPT_XMSSMT_SHA2_60_6_192       = 0x00000027,
9125
    SYMCRYPT_XMSSMT_SHA2_60_12_192      = 0x00000028,
9126

9127
    //                                                  SHAKE256                    X
9128
    SYMCRYPT_XMSSMT_SHAKE256_20_2_256   = 0x00000029,
9129
    SYMCRYPT_XMSSMT_SHAKE256_20_4_256   = 0x0000002A,
9130
    SYMCRYPT_XMSSMT_SHAKE256_40_2_256   = 0x0000002B,
9131
    SYMCRYPT_XMSSMT_SHAKE256_40_4_256   = 0x0000002C,
9132
    SYMCRYPT_XMSSMT_SHAKE256_40_8_256   = 0x0000002D,
9133
    SYMCRYPT_XMSSMT_SHAKE256_60_3_256   = 0x0000002E,
9134
    SYMCRYPT_XMSSMT_SHAKE256_60_6_256   = 0x0000002F,
9135
    SYMCRYPT_XMSSMT_SHAKE256_60_12_256  = 0x00000030,
9136

9137
    //                                                  SHAKE256                    X
9138
    SYMCRYPT_XMSSMT_SHAKE256_20_2_192   = 0x00000031,
9139
    SYMCRYPT_XMSSMT_SHAKE256_20_4_192   = 0x00000032,
9140
    SYMCRYPT_XMSSMT_SHAKE256_40_2_192   = 0x00000033,
9141
    SYMCRYPT_XMSSMT_SHAKE256_40_4_192   = 0x00000034,
9142
    SYMCRYPT_XMSSMT_SHAKE256_40_8_192   = 0x00000035,
9143
    SYMCRYPT_XMSSMT_SHAKE256_60_3_192   = 0x00000036,
9144
    SYMCRYPT_XMSSMT_SHAKE256_60_6_192   = 0x00000037,
9145
    SYMCRYPT_XMSSMT_SHAKE256_60_12_192  = 0x00000038,
9146

9147
} SYMCRYPT_XMSSMT_ALGID;
9148

9149

9150
typedef enum _SYMCRYPT_XMSSKEY_TYPE
9151
{
9152
    SYMCRYPT_XMSSKEY_TYPE_NONE      = 0,
9153
    SYMCRYPT_XMSSKEY_TYPE_PUBLIC    = 1,    // Key object contains only public key
9154
    SYMCRYPT_XMSSKEY_TYPE_PRIVATE   = 2,    // Key object contains both public key and private key
9155
} SYMCRYPT_XMSSKEY_TYPE;
9156

9157

9158
SYMCRYPT_ERROR
9159
SYMCRYPT_CALL
9160
SymCryptXmssParamsFromAlgId(
9161
            SYMCRYPT_XMSS_ALGID     id,
9162
    _Out_   PSYMCRYPT_XMSS_PARAMS   pParams);
9163
//
9164
// Populate SYMCRYPT_XMSS_PARAMS structure for the specified XMSS algorithm identifier
9165
// using the predefined parameter sets from RFC 8391 and NIST SP800-208
9166
//
9167

9168
SYMCRYPT_ERROR
9169
SYMCRYPT_CALL
9170
SymCryptXmssMtParamsFromAlgId(
9171
            SYMCRYPT_XMSSMT_ALGID   id,
9172
    _Out_   PSYMCRYPT_XMSS_PARAMS   pParams);
9173
//
9174
// Populate SYMCRYPT_XMSS_PARAMS structure for the specified XMSS^MT algorithm identifier
9175
// using the predefined parameter sets from RFC 8391 and NIST SP800-208
9176
//
9177

9178
SYMCRYPT_ERROR
9179
SYMCRYPT_CALL
9180
SymCryptXmssSetParams(
9181
    _Out_   PSYMCRYPT_XMSS_PARAMS   pParams,
9182
            UINT32                  id,                 // algorithm identifier
9183
    _In_    PCSYMCRYPT_HASH         pHash,              // hash algorithm
9184
            UINT32                  cbHashOutput,       // hash output size
9185
            UINT32                  nWinternitzWidth,   // Winternitz parameter (width of digits)
9186
            UINT32                  nTotalTreeHeight,   // total tree height
9187
            UINT32                  nLayers,            // number of levels
9188
            UINT32                  cbPrefix            // domain separator prefix length
9189
    );
9190
//
9191
// Populates SYMCRYPT_XMSS_PARAMS structure by user defined parameters
9192
//
9193
//
9194
// Parameters:
9195
//
9196
//		pParams. Pointer to the structure that will be populated with the
9197
//		supplied parameters.
9198
//
9199
//		id. Algorithm identifier, will be embedded in key and signature objects.
9200
//
9201
//		pHash. Pointer to a hash object that implements a hash function which
9202
//		will be used in XMSS/XMSS^MT operations.
9203
//
9204
//		cbHashOutput. Output size of the hash function in bytes. Leading cbHashOutput
9205
//      bytes are taken as hash output if the hash algorithm's actual output size is larger.
9206
//
9207
//		nWinternitzWidth. Winternitz parameter, width of digits in byte sequences.
9208
//      See remark below for more explanation.
9209
//
9210
//		nTotalTreeHeight. Height of the XMSS/XMSS^MT tree. In a multi-tree setting,
9211
//      it is the sum of the tree heights of each layer.
9212
//
9213
//		nLayers. Number of layers. For XMSS nLayers=1, otherwise nLayers > 1. When nLayers > 1,
9214
//      it must divide nTotalTreeHeight without remainder, so that each layer has height
9215
//      nTotalTreeHeight/nLayers.
9216
//
9217
//		cbPrefix. Number of bytes in the prefix to the hash inputs used to domain separate
9218
//		PRF functions.
9219
//
9220
// Requirements:
9221
//
9222
//      cbHashOutput must be nonzero, must be less than or equal to pHash->resultSize,
9223
//      and must be less than or equal to SYMCRYPT_HASH_MAX_RESULT_SIZE
9224
//
9225
//      nWinternitzWidth must be one of 1, 2, 4, or 8
9226
//
9227
//      nTotalTreeHeight must be non-zero, it must be less than or equal to 32 for
9228
//      single-tree (nLayers = 1), and must be less than 64 for multi-tree (nLayers > 1)
9229
//
9230
//      nLayers must be non-zero and must divide nTotalTreeHeight without remainder
9231
//
9232
//      cbPrefix must be non-zero
9233
//
9234
// Remarks:
9235
//
9236
//      RFC 8391 specifies w as the length of the Winternitz chains. Here,
9237
//      it is used as the width of the digits in an octet string, i.e.,
9238
//		base2 logarithm of the chain length, which is similar to its use
9239
//		in LMS/HSS in RFC 8554.
9240
//
9241

9242

9243
#define SYMCRYPT_FLAG_XMSSKEY_VERIFY_ROOT           (0x00000001)
9244
// Verifies the public root value when importing a private key
9245

9246
SYMCRYPT_ERROR
9247
SYMCRYPT_CALL
9248
SymCryptXmssSizeofKeyBlobFromParams(
9249
    _In_    PCSYMCRYPT_XMSS_PARAMS  pParams,
9250
            SYMCRYPT_XMSSKEY_TYPE   keyType,
9251
    _Out_   SIZE_T*                 pcbKey );
9252
//
9253
// Return the size of an XMSS/XMSS^MT key blob associated with the provided XMSS parameters
9254
//
9255
//
9256
// Parameters:
9257
//
9258
//		pParams. Pointer to an XMSS parameters structure that has been properly
9259
//      initialized before this call.
9260
//
9261
//      keyType. SYMCRYPT_XMSSKEY_TYPE_PUBLIC (resp. SYMCRYPT_XMSSKEY_TYPE_PRIVATE) to
9262
//      retrieve the size of the public key (resp. private key) blob.
9263
//
9264
//      pcbKey. Pointer to the variable to store the size of a public/private
9265
//      key blob associated with the XMSS parameters.
9266
//
9267

9268
PSYMCRYPT_XMSS_KEY
9269
SYMCRYPT_CALL
9270
SymCryptXmsskeyAllocate(
9271
    _In_    PCSYMCRYPT_XMSS_PARAMS  pParams,
9272
            UINT32                  flags );
9273
//
9274
// Allocate an XMSS/XMSS^MT key object and initialize it
9275
//
9276
// After this call, the key object does not contain a key yet. It must be
9277
// followed by a call to SymCryptXmsskeyGenerate or SymCryptXmsskeySetValue.
9278
//
9279
// Allowed flags:
9280
//
9281
//      No flags defined for this function
9282
//
9283

9284
SYMCRYPT_ERROR
9285
SYMCRYPT_CALL
9286
SymCryptXmsskeyGenerate(
9287
    _Inout_ PSYMCRYPT_XMSS_KEY pKey,
9288
            UINT32             flags );
9289
//
9290
// Generate a public/private XMSS/XMSS^MT key-pair
9291
//
9292
// Parameters:
9293
//
9294
//      pKey. Key object to store the public/private key-pair
9295
//
9296
//      flags. No flags defined for this function
9297
//
9298
// Return values:
9299
//
9300
//      - SYMCRYPT_NO_ERROR
9301
//      On successful key generation
9302
//
9303
//      - SYMCRYPT_MEMORY_ALLOCATION_FAILURE
9304
//      If there is not enough memory to perform key generation
9305
//
9306
// Remarks:
9307
//
9308
//      - Generates a random private key (SK_XMSS, SK_PRF) and a random
9309
//      public seed SEED, and computes the public value Root from it.
9310
//      - If the function fails, the key object will be in an invalid state.
9311
//
9312

9313
SYMCRYPT_ERROR
9314
SYMCRYPT_CALL
9315
SymCryptXmsskeySetValue(
9316
    _In_reads_bytes_( cbInput ) PCBYTE                  pbInput,
9317
                                SIZE_T                  cbInput,
9318
                                SYMCRYPT_XMSSKEY_TYPE   keyType,
9319
                                UINT32                  flags,
9320
    _Inout_                     PSYMCRYPT_XMSS_KEY      pKey );
9321
//
9322
//  Set an XMSS/XMSS^MT public/private key from key blob
9323
//
9324
//  Key formats:
9325
//
9326
//      PubKey: algId | Root | Seed
9327
//      PrvKey: algId | Root | Seed | Idx | SK_XMSS | SK_PRF
9328
//
9329
//  algId and Idx are 32-bit and 64-bit integers respectively, stored in big-endian format.
9330
//  Other values are n-bytes where n is the output size (in bytes) of the hash
9331
//  algorithm (or the truncated size if the hash output is truncated).
9332
//
9333
//  Public-key format is specified in RFC 8391, whereas private-key format is not.
9334
//  We define the private-key as an extension of the public-key with the private key
9335
//  material.
9336
//
9337
//  Parameters:
9338
//
9339
//      (pbInput, cbInput). Input key blob to import the key from
9340
//
9341
//      keyType. Indicates whether (pbInput, cbInput) contains a public or a private key.
9342
//      Must be one of SYMCRYPT_XMSSKEY_TYPE_PUBLIC, or SYMCRYPT_XMSSKEY_TYPE_PRIVATE.
9343
//
9344
//      flags. See below
9345
//
9346
//      pKey. Pointer to the XMSS key object to be initialized from the key blob
9347
//
9348
//  Allowed flags:
9349
//
9350
//      - SYMCRYPT_FLAG_XMSSKEY_VERIFY_ROOT
9351
//      Can only be specified when importing a private key. Recomputes the
9352
//      public root value and compares it to the one that is imported from the
9353
//      key blob.
9354
//
9355
//  Return values:
9356
//
9357
//      - SYMCRYPT_NO_ERROR
9358
//       On successfully updating the key object from the provided key blob
9359
//
9360
//      - SYMCRYPT_INVALID_ARGUMENT
9361
//       If cbInput does not match a public/private key size indicated by keyType parameter
9362
//       If an invalid flag is specified, or SYMCRYPT_FLAG_XMSSKEY_VERIFY_ROOT is
9363
//      specified when setting a public key
9364
//
9365
//      - SYMCRYPT_INVALID_BLOB
9366
//       If the XMSS algorithm ID in the key blob does not match the algorithm ID
9367
//      used in creating the key object pointed to by pKey
9368
//
9369
//      - SYMCRYPT_MEMORY_ALLOCATION_FAILURE
9370
//       If there is not sufficient memory for public root verification (only if
9371
//      SYMCRYPT_FLAG_XMSSKEY_VERIFY_ROOT is set in flags)
9372
//
9373
//      - SYMCRYPT_HBS_PUBLIC_ROOT_MISMATCH
9374
//       If public root value in the key blob does not match the recomputed root value
9375
//      (only if key blob is for a private key and SYMCRYPT_FLAG_XMSSKEY_VERIFY_ROOT is
9376
//      specified)
9377
//
9378
//  Remarks:
9379
//
9380
//      - The key blob size pbInput must match the size returned by SymCryptXmssSizeofKeyBlobFromParams
9381
//      for the same keyType and XMSS parameters the key object is created with.
9382
//      - If the function fails, the key object will be in an invalid state.
9383
//
9384

9385
SYMCRYPT_ERROR
9386
SYMCRYPT_CALL
9387
SymCryptXmsskeyGetValue(
9388
    _In_                            PCSYMCRYPT_XMSS_KEY     pKey,
9389
                                    SYMCRYPT_XMSSKEY_TYPE   keyType,
9390
                                    UINT32                  flags,
9391
    _Out_writes_bytes_( cbOutput )  PBYTE                   pbOutput,
9392
                                    SIZE_T                  cbOutput );
9393
//
9394
//  Get public/private key value from an XMSS/XMSS^MT key object
9395
//
9396
//  Key formats:
9397
//
9398
//      PubKey: algId | Root | Seed
9399
//      PrvKey: algId | Root | Seed | Idx | SK_XMSS | SK_PRF
9400
//
9401
//  algId and Idx are 32-bit and 64-bit integers respectively, stored in big-endian format.
9402
//  Other values are n-bytes where n is the output size (in bytes) of the hash
9403
//  algorithm (or the truncated size if the hash output is truncated).
9404
//
9405
//  Public-key format is specified in RFC 8391, whereas private-key format is not.
9406
//  We define the private-key as an extension of the public-key with the private key
9407
//  material.
9408
//
9409
// Parameters:
9410
//
9411
//      pKey. The key object to export the key material from
9412
//
9413
//      keyType. Type of the key (public or private) to get. If the key object
9414
//      contains a public key, keyType must be SYMCRYPT_XMSSKEY_TYPE_PUBLIC. If
9415
//      the key object contains a private key, keyType can be one of
9416
//      SYMCRYPT_XMSSKEY_TYPE_PUBLIC or SYMCRYPT_XMSSKEY_TYPE_PRIVATE
9417
//
9418
//      flags. No flags defined for this function
9419
//
9420
//      (pbOutput, cbOutput). Buffer to store the exported key blob. cbOutput must match
9421
//      the size of the key to be exported, which can be queried by calling
9422
//      SymCryptXmssSizeofKeyBlobFromParams.
9423
//
9424
// Return values:
9425
//
9426
//      - SYMCRYPT_NO_ERROR
9427
//       On successful exporting of the key
9428
//
9429
//      - SYMCRYPT_INVALID_ARGUMENT
9430
//       If cbOutput does not match the exact size of the key blob for the specified
9431
//      keyType
9432
//       If the key object does not contain private key material when keyType
9433
//      equals SYMCRYPT_XMSSKEY_TYPE_PRIVATE
9434
//       If unsupported flags are specified in flags parameter
9435
//
9436

9437
VOID
9438
SYMCRYPT_CALL
9439
SymCryptXmsskeyFree(
9440
    _Inout_ PSYMCRYPT_XMSS_KEY pKey);
9441
//
9442
// Free an allocated XMSS/XMSS^MT key object
9443
//
9444

9445
SIZE_T
9446
SYMCRYPT_CALL
9447
SymCryptXmssSizeofSignatureFromParams(
9448
    _In_ PCSYMCRYPT_XMSS_PARAMS pParams );
9449
//
9450
// Return the size of the signature for given XMSS parameters
9451
//
9452

9453
SYMCRYPT_ERROR
9454
SYMCRYPT_CALL
9455
SymCryptXmssSign(
9456
    _Inout_                             PSYMCRYPT_XMSS_KEY  pKey,
9457
    _In_reads_bytes_( cbMessage )       PCBYTE              pbMessage,
9458
                                        SIZE_T              cbMessage,
9459
                                        UINT32              flags,
9460
    _Out_writes_bytes_( cbSignature )   PBYTE               pbSignature,
9461
                                        SIZE_T              cbSignature );
9462
//
9463
// Sign a message using XMSS/XMSS^MT
9464
//
9465
//  Parameters:
9466
//
9467
//      pKey. Private XMSS/XMSS^MT key used in signing
9468
//
9469
//      (pbMessage, cbMessage). Message to be signed
9470
//
9471
//      flags. No flags defined for this function
9472
//
9473
//      (pbSignature, cbSignature). Buffer to store the generated signature
9474
//
9475
//  Requirements:
9476
//
9477
//      pKey must contain the private key
9478
//
9479
//      cbSignature must be equal to the generated signature size
9480
//
9481
//  Return values:
9482
//
9483
//      - SYMCRYPT_NO_ERROR on successful signature generation
9484
//
9485
//      - SYMCRYPT_INVALID_ARGUMENT
9486
//      If flags parameter is invalid,
9487
//      or if the key object does not contain private key,
9488
//      or cbSignature is not of correct size
9489
//
9490
//      - SYMCRYPT_HBS_NO_OTS_KEYS_LEFT
9491
//      If the key doesn't have any one-time-signatures left for signing
9492
//
9493
//  Remarks:
9494
//
9495
//      The input pbMessage can be of arbitrary length and its randomized hash will be the actual
9496
//      value that is going to be signed with a WOTSP signature. Applications wanting to pass the hash
9497
//      value of a message to be signed as opposed to the message itself must make sure to have
9498
//      domain separation between the space of messages and the hashes of the messages.
9499
//
9500
//      The signature size can be queried with SymCryptSizeofXmssSignatureFromParams function.
9501
//
9502

9503

9504
SYMCRYPT_ERROR
9505
SYMCRYPT_CALL
9506
SymCryptXmssVerify(
9507
    _Inout_                         PSYMCRYPT_XMSS_KEY  pKey,
9508
    _In_reads_bytes_( cbMessage )   PCBYTE              pbMessage,
9509
                                    SIZE_T              cbMessage,
9510
                                    UINT32              flags,
9511
    _In_reads_bytes_( cbSignature ) PCBYTE              pbSignature,
9512
                                    SIZE_T              cbSignature );
9513
//
9514
//  Verify an XMSS/XMSS^MT signature on a message
9515
//
9516
//  Parameters:
9517
//
9518
//      pKey. XMSS key used to verify the signature
9519
//
9520
//      (pbMessage, cbMessage) Message for which the signature was created
9521
//
9522
//      flags. No flags defined for this function
9523
//
9524
//      (pbSignature, cbSignature) XMSS or XMSS^MT signature
9525
//
9526
//  Return values:
9527
//
9528
//      - SYMCRYPT_NO_ERROR
9529
//      If signature verification succeeds
9530
//
9531
//		- SYMCRYPT_INVALID_ARGUMENT
9532
//		If flags is invalid or cbSignature is of incorrect size
9533
//
9534
//      - SYMCRYPT_SIGNATURE_VERIFICATION_ERROR
9535
//      If the signature is not valid
9536
//
9537
//  Requirements:
9538
//
9539
//      cbSignature must be equal to the exact signature size associated with
9540
//      the XMSS parameters.
9541
//
9542
//  Remarks:
9543
//
9544
//      In XMSS, the message can be arbitrarily long and a randomized hash of the message
9545
//      will be computed first to be signed by the WOTSP internally.
9546
//
9547

9548
VOID
9549
SYMCRYPT_CALL
9550
SymCryptXmssSelftest(void);
9551
//
9552
//  FIPS self-test for signature verification
9553
//
9554

9555
//========================================================================
9556
// Leighton-Micali Hash-Based Signatures (LMS) - LMS external struct definitions - implementing
9557
// RFC8554/NIST Special Publication 800-208
9558
//
9559
typedef enum _SYMCRYPT_LMS_ALGID
9560
{
9561
    //
9562
    // Algorithm IDs for Leighton-Micali Hash-Based Signatures (LMS)
9563
    // M equals the output length of the hash function, where H is the tree height.
9564
    // The M parameter primarily affects the security and size of the signatures, while the H parameter
9565
    // impacts the number of possible signatures and the computational cost for signing and verification.
9566
    // Larger M increases security and signature size, but increases the computational cost
9567
    // Higher H means more signatures but higher computational cost for signing and verification
9568
    //
9569
    SYMCRYPT_LMS_SHA256_M32_H5      = 0x00000005,
9570
    SYMCRYPT_LMS_SHA256_M32_H10     = 0x00000006,
9571
    SYMCRYPT_LMS_SHA256_M32_H15     = 0x00000007,
9572
    SYMCRYPT_LMS_SHA256_M32_H20     = 0x00000008,
9573
    SYMCRYPT_LMS_SHA256_M32_H25     = 0x00000009,
9574
    SYMCRYPT_LMS_SHA256_M24_H5      = 0x0000000A,
9575
    SYMCRYPT_LMS_SHA256_M24_H10     = 0x0000000B,
9576
    SYMCRYPT_LMS_SHA256_M24_H15     = 0x0000000C,
9577
    SYMCRYPT_LMS_SHA256_M24_H20     = 0x0000000D,
9578
    SYMCRYPT_LMS_SHA256_M24_H25     = 0x0000000E,
9579
    SYMCRYPT_LMS_SHAKE_M32_H5       = 0x0000000F,
9580
    SYMCRYPT_LMS_SHAKE_M32_H10      = 0x00000010,
9581
    SYMCRYPT_LMS_SHAKE_M32_H15      = 0x00000011,
9582
    SYMCRYPT_LMS_SHAKE_M32_H20      = 0x00000012,
9583
    SYMCRYPT_LMS_SHAKE_M32_H25      = 0x00000013,
9584
    SYMCRYPT_LMS_SHAKE_M24_H5       = 0x00000014,
9585
    SYMCRYPT_LMS_SHAKE_M24_H10      = 0x00000015,
9586
    SYMCRYPT_LMS_SHAKE_M24_H15      = 0x00000016,
9587
    SYMCRYPT_LMS_SHAKE_M24_H20      = 0x00000017,
9588
    SYMCRYPT_LMS_SHAKE_M24_H25      = 0x00000018,
9589
} SYMCRYPT_LMS_ALGID;
9590

9591
typedef enum _SYMCRYPT_LMS_OTS_ALGID
9592
{
9593
    // Algorithm IDs for Leighton-Micali Hash-Based Signatures (LMS) One-Time-Signature (OTS)
9594
    // N parameter represents the number of bytes in the hash function output. It determines the size of the hash values used in
9595
    // the LMS OTS scheme.
9596
    // W parameter represents the width of the Winternitz parameter used in LMS OTS. A larger value of w results in shorter
9597
    // signatures but requires more computation during key generation, signature generation, and signature verification.
9598
    //
9599
    SYMCRYPT_LMS_OTS_SHA256_N32_W1      = 0x00000001,
9600
    SYMCRYPT_LMS_OTS_SHA256_N32_W2      = 0x00000002,
9601
    SYMCRYPT_LMS_OTS_SHA256_N32_W4      = 0x00000003,
9602
    SYMCRYPT_LMS_OTS_SHA256_N32_W8      = 0x00000004,
9603
    SYMCRYPT_LMS_OTS_SHA256_N24_W1      = 0x00000005,
9604
    SYMCRYPT_LMS_OTS_SHA256_N24_W2      = 0x00000006,
9605
    SYMCRYPT_LMS_OTS_SHA256_N24_W4      = 0x00000007,
9606
    SYMCRYPT_LMS_OTS_SHA256_N24_W8      = 0x00000008,
9607
    SYMCRYPT_LMS_OTS_SHAKE_N32_W1       = 0x00000009,
9608
    SYMCRYPT_LMS_OTS_SHAKE_N32_W2       = 0x0000000A,
9609
    SYMCRYPT_LMS_OTS_SHAKE_N32_W4       = 0x0000000B,
9610
    SYMCRYPT_LMS_OTS_SHAKE_N32_W8       = 0x0000000C,
9611
    SYMCRYPT_LMS_OTS_SHAKE_N24_W1       = 0x0000000D,
9612
    SYMCRYPT_LMS_OTS_SHAKE_N24_W2       = 0x0000000E,
9613
    SYMCRYPT_LMS_OTS_SHAKE_N24_W4       = 0x0000000F,
9614
    SYMCRYPT_LMS_OTS_SHAKE_N24_W8       = 0x00000010,
9615
} SYMCRYPT_LMS_OTS_ALGID;
9616

9617
// Verifies the public key root value when importing a private key
9618
#define SYMCRYPT_FLAG_LMSKEY_VERIFY_ROOT           (0x00000001)
9619

9620
typedef enum _SYMCRYPT_LMSKEY_TYPE
9621
{
9622
    SYMCRYPT_LMSKEY_TYPE_NONE       = 0,   // Key object does not contain any key material
9623
    SYMCRYPT_LMSKEY_TYPE_PUBLIC     = 1,   // Key object contains only public key
9624
    SYMCRYPT_LMSKEY_TYPE_PRIVATE    = 2,   // Key object contains both public key and private key
9625
} SYMCRYPT_LMSKEY_TYPE;
9626
//      The format of the private key blob is as follows:
9627
//                                        [         Public key parts                   ||      Private key parts       ]
9628
//                                        [    4     ||      4      ||  16 ||    m     ||      4         ||      m     ]
9629
//                                        [ LmsAlgId || LmsOtsAlgId ||  I  || RootNode || NextUnusedLeaf || Seed ]
9630
//
9631
//      The format of the public key blob is as follows:
9632
//                                        [     4    ||      4      ||  16 ||    m     ]
9633
//                                        [ LmsAlgId || LmsOtsAlgId ||  I  || RootNode ]
9634

9635
//=====================================================
9636
// LMS operations
9637

9638
SYMCRYPT_ERROR
9639
SYMCRYPT_CALL
9640
SymCryptLmsParamsFromAlgId(
9641
            SYMCRYPT_LMS_ALGID      lmsAlgID,
9642
            SYMCRYPT_LMS_OTS_ALGID  lmsOtsAlgID,
9643
    _Out_   PSYMCRYPT_LMS_PARAMS    pParams);
9644
//
9645
// This function populates a SYMCRYPT_LMS_PARAMS structure with the predefined parameter sets for a given LMS
9646
// algorithm identifier and LMS OTS algorithm identifier. The resulting structure can be used to create LMS key objects.
9647
// The values defined by SYMCRYPT_LMS_OTS_ALGID and SYMCRYPT_LMS_ALGID are all of the NIST SP 800-208 parameter
9648
// sets supported by SymCrypt.
9649
//
9650
// Parameters:
9651
//      lmsAlgID: The LMS algorithm identifier to use
9652
//
9653
//      lmsOtsAlgID: The LMS OTS algorithm identifier to use
9654
//
9655
//      pParams: A pointer to a SYMCRYPT_LMS_PARAMS structure that will be populated with the predefined parameter sets
9656
//
9657
// Return value:
9658
//      If the function succeeds, it returns SYMCRYPT_NO_ERROR
9659
//      If the function fails, it returns SYMCRYPT_INVALID_ARGUMENT
9660
//
9661

9662
SYMCRYPT_ERROR
9663
SYMCRYPT_CALL
9664
SymCryptLmsSetParams(
9665
    _Out_   PSYMCRYPT_LMS_PARAMS    pParams,
9666
            UINT32                  lmsAlgID,
9667
            UINT32                  lmsOtsAlgID,
9668
    _In_    PCSYMCRYPT_HASH         pLmsHashFunction,
9669
            UINT32                  cbHashOutput,
9670
            UINT32                  nTreeHeight,
9671
            UINT32                  nWinternitzChainWidth);
9672
//
9673
// This function allows for the customization of non-standard parameter sets, which cannot be set using LmsParamsFromAlgId.
9674
//
9675
// Parameters:
9676
//      pParams: A pointer to a SYMCRYPT_LMS_PARAMS structure to be initialized.
9677
//
9678
//      lmsAlgID: LMS algorithm identifier, will be embedded in key and signature objects.
9679
//
9680
//      lmsOtsAlgID: LMS OTS algorithm identifier, will be embedded in key and signature objects.
9681
//
9682
//      pLmsHashFunction: A pointer to the hash function to be used for the LMS system.
9683
//
9684
//      cbHashOutput: The number of bytes for each tree node, equal to the output length of the hash function.
9685
//      Must be less than or equal to 32.
9686
//
9687
//      nTreeHeight: The height of the LMS tree. Must be < 32, there are (2^nTreeHeight) leaves in the tree.
9688
//
9689
//      nWinternitzChainWidth: An integer that specifies the base2 logarithm of Winternitz chain lengths.
9690
//      Must be one of 1, 2, 4, or 8
9691
//
9692
// Return value:
9693
//      If the function succeeds, it fills PSYMCRYPT_LMS_PARAMS structure by user defined values and return SYMCRYPT_NO_ERROR.
9694
//      Otherwise, it sets the values of PSYMCRYPT_LMS_PARAMS to 0 and returns SYMCRYPT_INVALID_ARGUMENT.
9695
//
9696

9697
SYMCRYPT_ERROR
9698
SYMCRYPT_CALL
9699
SymCryptLmsSizeofKeyBlobFromParams(
9700
    _In_    PCSYMCRYPT_LMS_PARAMS   pParams,
9701
            SYMCRYPT_LMSKEY_TYPE    keyType,
9702
    _Out_   SIZE_T*                 pcbKey);
9703
//
9704
// Returns the size of an LMS key blob based on the provided LMS parameters and keyType.
9705
//
9706
// Parameters:
9707
//      pParams: A pointer to a SYMCRYPT_LMS_PARAMS structure that specifies the parameters of the LMS key.
9708
//
9709
//      keyType: Specifies the type of blob for which to retrieve the size.
9710
//      Must be one of SYMCRYPT_LMSKEY_TYPE_PUBLIC or SYMCRYPT_LMSKEY_TYPE_PRIVATE.
9711
//
9712
//      pcbKey: Pointer to the variable to store the size of a public/private
9713
//      key blob associated with the LMS parameters.
9714
//
9715
// Return value:
9716
//      If the function succeeds, it returns SYMCRYPT_NO_ERROR. In case keyType is not recognized
9717
//      it returns SYMCRYPT_INVALID_ARGUMENT.
9718
//
9719

9720
PSYMCRYPT_LMS_KEY
9721
SYMCRYPT_CALL
9722
SymCryptLmskeyAllocate(
9723
    _In_    PCSYMCRYPT_LMS_PARAMS   pParams,
9724
            UINT32                  flags);
9725
//
9726
// This function allocates a new SYMCRYPT_LMS_KEY object, which represents a key for the Leighton-Micali Signature (LMS)
9727
// scheme, based on the given PCSYMCRYPT_LMS_PARAMS. The function allocates memory for the key object, and returns a pointer to it.
9728
// The caller is responsible for freeing the memory when the key is no longer needed, using the SymCryptLmskeyFree function.
9729
//
9730
// Parameters:
9731
//      pParams: A pointer to a constant SYMCRYPT_LMS_PARAMS structure that describes
9732
//          the LMS parameters to be used for the key.
9733
//          The structure must be non-null, and must be initialized by one of the initialization functions:
9734
//          SymCryptLmsParamsFromAlgId or SymCryptLmsSetParams.
9735
//
9736
//      flags: Currently not used. Must be set to 0.
9737
//
9738
// Return value:
9739
//      If the function succeeds, it returns a pointer to the newly created SYMCRYPT_LMS_KEY object.
9740
//      Otherwise, it returns NULL, indicating an error that should be handled by the caller.
9741
//
9742

9743
SYMCRYPT_ERROR
9744
SYMCRYPT_CALL
9745
SymCryptLmskeyGenerate(
9746
    _Inout_ PSYMCRYPT_LMS_KEY   pKey,
9747
            UINT32              flags);
9748
//
9749
// This function generates an LMS public/private key pair in the pKey object.
9750
//
9751
// Parameters:
9752
//      pKey: A pointer to a SYMCRYPT_LMS_KEY structure that represents the LMS key object to be initialized. The structure
9753
//      must be valid and non-null, and must have been previously created using the SymCryptLmskeyAllocate
9754
//      function. If the key object already contains key values, they will be overwritten by the generated values.
9755
//
9756
//      flags: Currently not used. Must be set to 0.
9757
//
9758
// Return value:
9759
//      If the function succeeds, it returns SYMCRYPT_NO_ERROR. Otherwise, it returns an error code that describes the nature of the
9760
//      failure, such as SYMCRYPT_INVALID_ARGUMENT.
9761
//
9762

9763
SYMCRYPT_ERROR
9764
SYMCRYPT_CALL
9765
SymCryptLmskeySetValue(
9766
    _In_reads_bytes_(cbInput)   PCBYTE                  pbInput,
9767
                                SIZE_T                  cbInput,
9768
                                SYMCRYPT_LMSKEY_TYPE    keyType,
9769
                                UINT32                  flags,
9770
    _Inout_                     PSYMCRYPT_LMS_KEY       pKey);
9771
//
9772
// This function imports an LMS key from a buffer, setting the key object with the provided data.
9773
//
9774
// Parameters:
9775
//      pbInput: A pointer to a byte buffer containing the key data to be imported into the LMS key object
9776
//      The format of the input buffer is specified by the SYMCRYPT_LMSKEY_TYPE enumeration.
9777
//
9778
//      cbInput: The size, in bytes, of the key data buffer pointed to by pbInput
9779
//
9780
//      keyType: Indicates whether (pbInput, cbInput) contains a public or a private key.
9781
//      Must be one of SYMCRYPT_LMSKEY_TYPE_PUBLIC, or SYMCRYPT_LMSKEY_TYPE_PRIVATE.
9782
//
9783
//      flags: See allowed flags below.
9784
//
9785
//      pKey: A pointer to a SYMCRYPT_LMS_KEY structure that will receive the imported key from the buffer pbInput
9786
//
9787
// Allowed flags:
9788
//      SYMCRYPT_FLAG_LMSKEY_VERIFY_ROOT: Can only be specified when importing a private key. Recomputes the
9789
//      public root value and compares it to the one that is imported from the key blob.
9790
//
9791
// Return value:
9792
//      If the function succeeds, it returns SYMCRYPT_NO_ERROR and the SYMCRYPT_LMS_KEY structure is set with the imported key data.
9793
//      If the function fails, it returns an error code that describes the nature of the failure, such as SYMCRYPT_INVALID_ARGUMENT.
9794
//
9795

9796
SYMCRYPT_ERROR
9797
SYMCRYPT_CALL
9798
SymCryptLmskeyGetValue(
9799
    _In_                                PCSYMCRYPT_LMS_KEY      pKey,
9800
                                        SYMCRYPT_LMSKEY_TYPE    keyType,
9801
                                        UINT32                  flags,
9802
    _Out_writes_bytes_(cbOutput)        PBYTE                   pbOutput,
9803
                                        SIZE_T                  cbOutput);
9804
//
9805
// This function retrieves the public or private key value from an LMS key object, depending on the keyType parameter
9806
//
9807
// Parameters:
9808
//      pKey: A pointer to a SYMCRYPT_LMS_KEY structure that represents the LMS key object to retrieve the key value from.
9809
//      The structure must be valid and non-null, and must contain the key values to retrieve
9810
//
9811
//      keyType: Type of the key (public or private) to get. If the key object only
9812
//      contains a public key, keyType must be SYMCRYPT_LMSKEY_TYPE_PUBLIC. If
9813
//      the key object contains a private key, keyType can be one of
9814
//      SYMCRYPT_LMSKEY_TYPE_PUBLIC or SYMCRYPT_LMSKEY_TYPE_PRIVATE
9815
//
9816
//      flags: Currently not used. Must be set to 0.
9817
//
9818
//      pbOutput: A buffer to hold the key value. The buffer must be large enough to hold the key value.
9819
//      The format of the output buffer is specified by the SYMCRYPT_LMSKEY_TYPE enumeration.
9820
//
9821
//      cbOutput: The size of the pbOutput buffer in bytes
9822
//
9823
// Return value:
9824
//      If the function succeeds, it returns SYMCRYPT_NO_ERROR. Otherwise, it returns SYMCRYPT_INVALID_ARGUMENT.
9825
//
9826

9827
VOID
9828
SYMCRYPT_CALL
9829
SymCryptLmskeyFree(
9830
    _Inout_ PSYMCRYPT_LMS_KEY   pKey);
9831
//
9832
// This function frees the memory that was allocated for the given LMS key object, which was previously created using the
9833
// SymCryptLmskeyAllocate function. The function wipes and deallocates the memory.
9834
//
9835
// Parameters:
9836
//      pKey: A pointer to a SYMCRYPT_LMS_KEY structure that represents the LMS key object to be freed. The structure
9837
//      must be valid and non-null, and must have been previously created using the SymCryptLmskeyAllocate function.
9838
//
9839
// Return value:
9840
//      The function does not return a value.
9841
//
9842

9843
SIZE_T
9844
SYMCRYPT_CALL
9845
SymCryptLmsSizeofSignatureFromParams(
9846
    _In_ PCSYMCRYPT_LMS_PARAMS pParams);
9847
//
9848
// This function returns the size, in bytes, of the signature that will be generated by the LMS signature scheme, based on the
9849
// specified LMS parameters.
9850
//
9851
// Parameters:
9852
//      pParams: A pointer to a SYMCRYPT_LMS_PARAMS structure that represents the parameters associated with the LMS key to
9853
//      use for computing the signature size. The structure must be valid and non-null.
9854
//
9855
// Return value:
9856
//      Signature size in bytes.
9857
//
9858

9859
SYMCRYPT_ERROR
9860
SYMCRYPT_CALL
9861
SymCryptLmsSign(
9862
    _Inout_                             PSYMCRYPT_LMS_KEY   pKey,
9863
    _In_reads_bytes_(cbMessage)         PCBYTE              pbMessage,
9864
                                        SIZE_T              cbMessage,
9865
                                        UINT32              flags,
9866
    _Out_writes_bytes_(cbSignature)     PBYTE               pbSignature,
9867
                                        SIZE_T              cbSignature);
9868
//
9869
// This function generates an LMS signature for the given message, using the private key in the given LMS key object.
9870
// The function fills the buffer pointed to by pbSignature with the LMS signature. It uses the LMS parameters
9871
// and key values that were specified when the key object was created to generate the signature.
9872
// Stateful hash-based signatures are not approved by FIPS for key generation and signature generation in software
9873
// modules. Special care must be taken to ensure that the same private key state is not used more than once to
9874
// sign messages. This can be done, for instance, by releasing a signature only after verifying that the private
9875
// key has been updated and serialized to a physical storage.
9876
//
9877
// Parameters:
9878
//      pKey: A pointer to a SYMCRYPT_LMS_KEY structure that represents the LMS key object to be used for signing the message.
9879
//      The structure must be valid and non-null, and must contain the private key values for the LMS scheme. The private key
9880
//      must have been initialized previously using the SymCryptLmsKeyGenerate or SymCryptLmskeySetValue function.
9881
//
9882
//      pbMessage: A pointer to a buffer that contains the message to be signed.
9883
//
9884
//      cbMessage: The length in bytes of the message to be signed.
9885
//
9886
//      flags: Currently not used. Must be set to 0.
9887
//
9888
//      pbSignature: A pointer to the buffer that receives the computed signature. It must be large enough to hold the
9889
//      generated signature. The required size can be retrieved using: SymCryptLmsSizeofSignatureFromParams.
9890
//
9891
//      cbSignature: The size of the signature buffer pbSignature. If the passed size is different than the
9892
//      required signature size an error will be returned.
9893
//
9894
// Return value:
9895
//      SYMCRYPT_NO_ERROR - If the function succeeds
9896
//
9897
//      SYMCRYPT_HBS_NO_OTS_KEYS_LEFT - If the key has run out of available OTS keys
9898
//
9899
//      SYMCRYPT_INVALID_ARGUMENT - If one of the input parameters is invalid
9900
//
9901
// Remarks:
9902
//      The LMS signing process inherits its signature from the LMS OTS, which means that it will always compute a digest of the
9903
//      given message before signing, even if a hash value is provided as the message.
9904
//      Developers should always be consistent with the input to the LMS sign and verify functions and ensure that the input message
9905
//      is in the correct format before passing it to these functions
9906
//
9907

9908
SYMCRYPT_ERROR
9909
SYMCRYPT_CALL
9910
SymCryptLmsVerify(
9911
    _In_                            PCSYMCRYPT_LMS_KEY  pKey,
9912
    _In_reads_bytes_(cbMessage)     PCBYTE              pbMessage,
9913
                                    SIZE_T              cbMessage,
9914
                                    UINT32              flags,
9915
    _In_reads_bytes_(cbSignature)   PCBYTE              pbSignature,
9916
                                    SIZE_T              cbSignature);
9917
//
9918
// This function verifies the given LMS signature (pbSignature) for the given message (pbMessage), using the public key
9919
// in the given LMS key object. The function returns SYMCRYPT_NO_ERROR if the signature is valid, and an error code otherwise.
9920
//
9921
// Parameters:
9922
//      pKey: A pointer to a SYMCRYPT_LMS_KEY structure that represents the LMS key object to be used for verifying
9923
//      the signature. The structure must be valid and non-null, and must contain the public or private key values for the LMS scheme.
9924
//      The public key must have been generated previously using the SymCryptLmsKeyGenerate or SymCryptLmskeySetValue functions, and must match the
9925
//      private key that was used to generate the signature.
9926
//
9927
//      pbMessage: A pointer to a buffer that contains the message that was signed.The buffer must be valid and non-null, and
9928
//      must contain at least cbMessage bytes of data.
9929
//
9930
//      cbMessage: The length in bytes of the message that was signed. The length should be set to the actual size of the message.
9931
//      If the message is larger than the maximum size allowed by the LMS parameters, the function will return an error.
9932
//
9933
//      flags: Currently not used. Must be set to 0.
9934
//
9935
//      pbSignature: A pointer to a buffer that contains the signature that was generated for the message. The buffer must
9936
//      be valid and non-null, and must contain at least cbSignature bytes.
9937
//
9938
//      cbSignature: The length in bytes of the signature buffer that contains the signature. The length must be
9939
//      equal to the exact signature size associated with the given LMS parameters and key values.
9940
//
9941
// Return value:
9942
//      SYMCRYPT_NO_ERROR - If the function succeeds
9943
//
9944
//      SYMCRYPT_INVALID_ARGUMENT - If the signature structure is not correct or if there is a mismatch between the
9945
//          input parameters.
9946
//
9947
//      SYMCRYPT_SIGNATURE_VERIFICATION_FAILURE - If the signature verification fails
9948
//
9949

9950
VOID
9951
SYMCRYPT_CALL
9952
SymCryptLmsSelftest(void);
9953

9954

9955
// MLKEMKEY objects' API
9956
//
9957

9958
// MLKEM key formats
9959
// ==================
9960
// The below formats apply **only to external formats**: When somebody is importing or exporting
9961
// a key. The internal format of the keys is not visible to the caller.
9962
typedef enum _SYMCRYPT_MLKEMKEY_FORMAT {
9963
    SYMCRYPT_MLKEMKEY_FORMAT_NULL               = 0,
9964
    SYMCRYPT_MLKEMKEY_FORMAT_PRIVATE_SEED       = 1,
9965
        // 64-byte concatenation of d || z from FIPS 203. Smallest representation of a full
9966
        // ML-KEM key.
9967
        // On its own it is ambiguous which ML-KEM parameter set this represents; callers wanting to
9968
        // store this format must track the parameter set alongside the key.
9969
    SYMCRYPT_MLKEMKEY_FORMAT_DECAPSULATION_KEY  = 2,
9970
        // Standard byte encoding of an ML-KEM Decapsulation key, per FIPS 203.
9971
        // Size is 1632, 2400, or 3168 bytes for ML-KEM 512, 768, and 1024 respectively.
9972
    SYMCRYPT_MLKEMKEY_FORMAT_ENCAPSULATION_KEY  = 3,
9973
        // Standard byte encoding of an ML-KEM Encapsulation key, per FIPS 203.
9974
        // Size is 800, 1184, or 1568 bytes for ML-KEM 512, 768, and 1024 respectively.
9975
} SYMCRYPT_MLKEMKEY_FORMAT;
9976

9977

9978
typedef enum _SYMCRYPT_MLKEM_PARAMS {
9979
    SYMCRYPT_MLKEM_PARAMS_NULL          = 0,
9980
    SYMCRYPT_MLKEM_PARAMS_MLKEM512      = 1,
9981
    SYMCRYPT_MLKEM_PARAMS_MLKEM768      = 2,
9982
    SYMCRYPT_MLKEM_PARAMS_MLKEM1024     = 3,
9983
} SYMCRYPT_MLKEM_PARAMS;
9984
//
9985
// Currently supported ML-KEM parameter sets are represented externally only by the enum
9986
//
9987

9988
PSYMCRYPT_MLKEMKEY
9989
SYMCRYPT_CALL
9990
SymCryptMlKemkeyAllocate(
9991
    SYMCRYPT_MLKEM_PARAMS   params );
9992
//
9993
// Allocate and create a new MLKEMKEY object sized according to the specified parameters.
9994
//
9995
// This call does not initialize the key. It should be
9996
// followed by a call to SymCryptMlKemkeyGenerate or
9997
// SymCryptMlKemkeySetValue.
9998
//
9999

10000
VOID
10001
SYMCRYPT_CALL
10002
SymCryptMlKemkeyFree(
10003
    _Inout_ PSYMCRYPT_MLKEMKEY  pkMlKemkey );
10004

10005

10006
// d and z are each 32 bytes
10007
#define SYMCRYPT_MLKEM_PRIVATE_SEED_SIZE    (2*32)
10008

10009
#define SYMCRYPT_MLKEM_ENCAPSULATION_KEY_SIZE_MLKEM512   (800)
10010
#define SYMCRYPT_MLKEM_ENCAPSULATION_KEY_SIZE_MLKEM768   (1184)
10011
#define SYMCRYPT_MLKEM_ENCAPSULATION_KEY_SIZE_MLKEM1024  (1568)
10012

10013
#define SYMCRYPT_MLKEM_DECAPSULATION_KEY_SIZE_MLKEM512   (1632)
10014
#define SYMCRYPT_MLKEM_DECAPSULATION_KEY_SIZE_MLKEM768   (2400)
10015
#define SYMCRYPT_MLKEM_DECAPSULATION_KEY_SIZE_MLKEM1024  (3168)
10016

10017
SYMCRYPT_ERROR
10018
SYMCRYPT_CALL
10019
SymCryptMlKemSizeofKeyFormatFromParams(
10020
            SYMCRYPT_MLKEM_PARAMS       params,
10021
            SYMCRYPT_MLKEMKEY_FORMAT    mlKemkeyformat,
10022
    _Out_   SIZE_T*                     pcbKeyFormat );
10023
//
10024
// Gives the size in bytes of the blob of the given format for the given ML-KEM
10025
// parameters via pcbKeyFormat output.
10026
// Returns SYMCRYPT_INCOMPATIBLE_FORMAT if mlKemkeyFormat is an unsupported value,
10027
// or SYMCRYPT_INVALID_ARGUMENT if other parameters are invalid.
10028
//
10029

10030
#define SYMCRYPT_MLKEM_CIPHERTEXT_SIZE_MLKEM512    (768)
10031
#define SYMCRYPT_MLKEM_CIPHERTEXT_SIZE_MLKEM768    (1088)
10032
#define SYMCRYPT_MLKEM_CIPHERTEXT_SIZE_MLKEM1024   (1568)
10033

10034
SYMCRYPT_ERROR
10035
SYMCRYPT_CALL
10036
SymCryptMlKemSizeofCiphertextFromParams(
10037
            SYMCRYPT_MLKEM_PARAMS       params,
10038
    _Out_   SIZE_T*                     pcbCiphertext );
10039
//
10040
// Gives the size in bytes of the ciphertext for the given ML-KEM parameters.
10041
// Returns SYMCRYPT_INVALID_ARGUMENT if parameters are invalid.
10042
//
10043

10044
SYMCRYPT_ERROR
10045
SYMCRYPT_CALL
10046
SymCryptMlKemkeyGenerate(
10047
    _Inout_                     PSYMCRYPT_MLKEMKEY  pkMlKemkey,
10048
                                UINT32              flags );
10049
//
10050
// Generate a new random ML-KEM key using the information from the
10051
// parameters passed to SymCryptMlKemkeyAllocate.
10052
//
10053
// Allowed flags:
10054
//
10055
// - SYMCRYPT_FLAG_KEY_NO_FIPS
10056
//   Opt-out of performing validation required for FIPS
10057
//
10058
// Described in more detail in the "Flags for asymmetric key generation and import" section above
10059
//
10060

10061
SYMCRYPT_ERROR
10062
SYMCRYPT_CALL
10063
SymCryptMlKemkeySetValue(
10064
    _In_reads_bytes_( cbSrc )   PCBYTE                      pbSrc,
10065
                                SIZE_T                      cbSrc,
10066
                                SYMCRYPT_MLKEMKEY_FORMAT    mlKemkeyFormat,
10067
                                UINT32                      flags,
10068
    _Inout_                     PSYMCRYPT_MLKEMKEY          pkMlKemkey );
10069
//
10070
// Import key material to an ML-KEM key object. The arguments are the following:
10071
//  - (pbSrc, cbSrc): a buffer containing a representation of an ML-KEM key,
10072
//    in format specified by mlKemkeyFormat.
10073
//  - mlKemkeyFormat format of the input
10074
//
10075
// Allowed flags:
10076
//
10077
// - SYMCRYPT_FLAG_KEY_NO_FIPS
10078
//   Opt-out of performing validation required for FIPS
10079
//
10080
// - SYMCRYPT_FLAG_KEY_MINIMAL_VALIDATION
10081
//   Opt-out of performing almost all validation - must be specified with SYMCRYPT_FLAG_KEY_NO_FIPS
10082
//
10083
// Remarks:
10084
// - cbSrc must be equal to the cbKeyFormat returned from
10085
//   SymCryptMlKemSizeofKeyFormatFromParams(params, mlKemkeyFormat, &cbKeyFormat), though typically this
10086
//   value can be known statically (see definition of SYMCRYPT_MLKEMKEY_FORMAT)
10087
//
10088

10089
SYMCRYPT_ERROR
10090
SYMCRYPT_CALL
10091
SymCryptMlKemkeyGetValue(
10092
    _In_                        PCSYMCRYPT_MLKEMKEY         pkMlKemkey,
10093
    _Out_writes_bytes_( cbDst ) PBYTE                       pbDst,
10094
                                SIZE_T                      cbDst,
10095
                                SYMCRYPT_MLKEMKEY_FORMAT    mlKemkeyFormat,
10096
                                UINT32                      flags );
10097
//
10098
// Export key material from an ML-KEM key object. The arguments are the following:
10099
//  - (pbDst, cbDst): a buffer into which a representation of an ML-KEM key is
10100
//    written, in the format specified by mlKemkeyFormat.
10101
//  - mlKemkeyFormat format of the output
10102
//
10103
// Allowed flags:
10104
//      - None.
10105
//
10106
//  Remarks:
10107
//  - If the key object does not have the information required to export to the format
10108
//    specified by mlKemkeyFormat this function will return SYMCRYPT_INCOMPATIBLE_FORMAT.
10109
//  - cbDst must be equal to the cbKeyFormat returned from
10110
//    SymCryptMlKemSizeofKeyFormatFromParams(params, mlKemkeyFormat, &cbKeyFormat), though typically this
10111
//    value can be known statically (see definition of SYMCRYPT_MLKEMKEY_FORMAT)
10112
//
10113

10114
SYMCRYPT_ERROR
10115
SYMCRYPT_CALL
10116
SymCryptMlKemEncapsulate(
10117
    _In_                                    PCSYMCRYPT_MLKEMKEY pkMlKemkey,
10118
    _Out_writes_bytes_( cbAgreedSecret )    PBYTE               pbAgreedSecret,
10119
                                            SIZE_T              cbAgreedSecret,
10120
    _Out_writes_bytes_( cbCiphertext )      PBYTE               pbCiphertext,
10121
                                            SIZE_T              cbCiphertext );
10122
//
10123
// Performs the Encapsulate operation of ML-KEM.
10124
// This uses the public information of an ML-KEM keypair to generate an agreed secret
10125
// and a ciphertext. Only a peer with the private information of an ML-KEM keypair can
10126
// decapsulate the ciphertext to compute the agreed secret.
10127
//
10128
// The arguments are the following:
10129
// - pkMlKemkey: a key which contains public information required for encapsulation.
10130
// - (pbAgreedSecret, cbAgreedSecret): a buffer into which the generated secret is written.
10131
//   Currently cbAgreedSecret must be 32 for all parameterizations of ML-KEM.
10132
// - (pbCiphertext, cbCiphertext): a buffer into which the encapsulated secret is written.
10133
//   cbCiphertext must equal cbCiphertext given by SymCryptMlKemSizeofCiphertextFromParams,
10134
//   though typically this value can be known statically (see definition of
10135
//   SYMCRYPT_MLKEM_CIPHERTEXT_SIZE_*).
10136
//
10137

10138
SYMCRYPT_ERROR
10139
SYMCRYPT_CALL
10140
SymCryptMlKemDecapsulate(
10141
    _In_                                    PCSYMCRYPT_MLKEMKEY pkMlKemkey,
10142
    _In_reads_bytes_( cbCiphertext )        PCBYTE              pbCiphertext,
10143
                                            SIZE_T              cbCiphertext,
10144
    _Out_writes_bytes_( cbAgreedSecret )    PBYTE               pbAgreedSecret,
10145
                                            SIZE_T              cbAgreedSecret );
10146
//
10147
// Performs the Decapsulate operation of ML-KEM.
10148
// This uses the private information of an ML-KEM keypair to generate an agreed
10149
// secret from a ciphertext.
10150
//
10151
// The arguments are the following:
10152
// - pkMlKemkey: a key which contains private information required for decapsulation.
10153
// - (pbCiphertext, cbCiphertext): a buffer containing an encapsulated secret.
10154
//   cbCiphertext must equal cbCiphertext given by SymCryptMlKemSizeofCiphertextFromParams,
10155
//   though typically this value can be known statically (see definition of
10156
//   SYMCRYPT_MLKEM_CIPHERTEXT_SIZE_*).
10157
// - (pbAgreedSecret, cbAgreedSecret): a buffer into which the generated secret is written.
10158
//   Currently cbAgreedSecret must be 32 for all parameterizations of ML-KEM.
10159
//
10160
// Note: Given an invalid, but correctly-sized, ciphertext, the ML-KEM Decapsulation operation
10161
// will "implicitly reject" the ciphertext, by returning success in equal time to a valid
10162
// decapsulation operation, with pseudo-random agreed secret output. This forces higher
10163
// level protocols to fail later when symmetric keys of peers do not match.
10164
// So decapsulate will only ever return an error if there are programming errors (e.g. incorrect size),
10165
// or something fundamentally goes wrong with the environment (e.g. internal memory allocation fails).
10166
//
10167

10168
VOID
10169
SYMCRYPT_CALL
10170
SymCryptMlKemSelftest(void);
10171
//
10172
// FIPS self-test for ML-KEM. If the self-test fails, SymCryptFatal will be called to fastfail.
10173
// The self-test will automatically be performed before first operational use of ML-KEM if using
10174
// keys with FIPS validation, so most callers should never use this function.
10175
//
10176

10177
//
10178
// COMPOSITE MLKEMKEY objects' API
10179
//
10180
// The below formats apply **only to external formats**: When somebody is importing or exporting
10181
// a key. The internal format of the keys is not visible to the caller.
10182
typedef enum _SYMCRYPT_COMPOSITE_MLKEMKEY_FORMAT {
10183
    SYMCRYPT_COMPOSITE_MLKEMKEY_FORMAT_NULL              = 0,
10184
    SYMCRYPT_COMPOSITE_MLKEMKEY_FORMAT_IRTF_PRIVATE_SEED = 1,
10185
        // 32-byte seed for deriving Composite ML-KEM key, per irtf-cfrg-hybrid-kems CG framework
10186
    SYMCRYPT_COMPOSITE_MLKEMKEY_FORMAT_LAMPS_PRIVATE_KEY = 2,
10187
        // Standard byte encoding of a Composite ML-KEM private key, per LAMPS composite ML-KEM draft 12.
10188
        // Concatenation of ML-KEM private seed and private key of the traditional component:
10189
        //   mlkemSeed || tradSK
10190
        // Size in bytes are MLKEM768_P256: 115, MLKEM768_X25519: 96, MLKEM1024_P384: 128
10191
    SYMCRYPT_COMPOSITE_MLKEMKEY_FORMAT_PUBLIC_KEY        = 3,
10192
        // Standard byte encoding of a Composite ML-KEM public key, per irtf-cfrg-hybrid-kems CG framework
10193
        // and LAMPS composite ML-KEM draft 12.
10194
        // Concatenation of ML-KEM encapsulation key and public key of the traditional component:
10195
        //   mlkemPK || tradPK
10196
        // Size in bytes are MLKEM768_P256: 1249, MLKEM768_X25519: 1216, MLKEM1024_P384: 1665
10197
} SYMCRYPT_COMPOSITE_MLKEMKEY_FORMAT;
10198

10199

10200
typedef enum _SYMCRYPT_COMPOSITE_MLKEM_PARAMS {
10201
    SYMCRYPT_COMPOSITE_MLKEM_PARAMS_NULL            = 0,
10202
    SYMCRYPT_COMPOSITE_MLKEM_PARAMS_MLKEM768_P256   = 1,
10203
    SYMCRYPT_COMPOSITE_MLKEM_PARAMS_MLKEM768_X25519 = 2,
10204
    SYMCRYPT_COMPOSITE_MLKEM_PARAMS_MLKEM1024_P384  = 3,
10205
} SYMCRYPT_COMPOSITE_MLKEM_PARAMS;
10206
//
10207
// Currently supported Composite ML-KEM parameter sets are represented externally only by the enum
10208
//
10209

10210
PSYMCRYPT_COMPOSITE_MLKEMKEY
10211
SYMCRYPT_CALL
10212
SymCryptCompositeMlKemkeyAllocate(
10213
    SYMCRYPT_COMPOSITE_MLKEM_PARAMS   params );
10214
//
10215
// Allocate and create a new COMPOSITE_MLKEMKEY object sized according to the specified parameters.
10216
//
10217
// This call does not initialize the key. It should be
10218
// followed by a call to SymCryptCompositeMlKemkeyGenerate or
10219
// SymCryptCompositeMlKemkeySetValue.
10220
//
10221

10222
VOID
10223
SYMCRYPT_CALL
10224
SymCryptCompositeMlKemkeyFree(
10225
    _Inout_ PSYMCRYPT_COMPOSITE_MLKEMKEY    pkCompositeMlKemkey );
10226

10227

10228
#define SYMCRYPT_COMPOSITE_MLKEM_IRTF_PRIVATE_SEED_SIZE (32)
10229

10230
#define SYMCRYPT_COMPOSITE_MLKEM_LAMPS_PRIVATE_KEY_SIZE_MLKEM768_P256   (115)
10231
#define SYMCRYPT_COMPOSITE_MLKEM_LAMPS_PRIVATE_KEY_SIZE_MLKEM768_X25519 (96)
10232
#define SYMCRYPT_COMPOSITE_MLKEM_LAMPS_PRIVATE_KEY_SIZE_MLKEM1024_P384  (128)
10233

10234
#define SYMCRYPT_COMPOSITE_MLKEM_PUBLIC_KEY_SIZE_MLKEM768_P256      (1249)
10235
#define SYMCRYPT_COMPOSITE_MLKEM_PUBLIC_KEY_SIZE_MLKEM768_X25519    (1216)
10236
#define SYMCRYPT_COMPOSITE_MLKEM_PUBLIC_KEY_SIZE_MLKEM1024_P384     (1665)
10237

10238

10239
SYMCRYPT_ERROR
10240
SYMCRYPT_CALL
10241
SymCryptCompositeMlKemSizeofKeyFormatFromParams(
10242
            SYMCRYPT_COMPOSITE_MLKEM_PARAMS     params,
10243
            SYMCRYPT_COMPOSITE_MLKEMKEY_FORMAT  compositeMlKemkeyformat,
10244
    _Out_   SIZE_T*                             pcbKeyFormat );
10245
//
10246
// Gives the size in bytes of the blob of the given format for the given Composite ML-KEM
10247
// parameters via pcbKeyFormat output.
10248
// Returns SYMCRYPT_INCOMPATIBLE_FORMAT if compositeMlKemkeyformat is an unsupported value,
10249
// or SYMCRYPT_INVALID_ARGUMENT if other parameters are invalid.
10250
//
10251

10252
#define SYMCRYPT_COMPOSITE_MLKEM_CIPHERTEXT_SIZE_MLKEM768_P256    (1153)
10253
#define SYMCRYPT_COMPOSITE_MLKEM_CIPHERTEXT_SIZE_MLKEM768_X25519  (1120)
10254
#define SYMCRYPT_COMPOSITE_MLKEM_CIPHERTEXT_SIZE_MLKEM1024_P384   (1665)
10255

10256
SYMCRYPT_ERROR
10257
SYMCRYPT_CALL
10258
SymCryptCompositeMlKemSizeofCiphertextFromParams(
10259
            SYMCRYPT_COMPOSITE_MLKEM_PARAMS params,
10260
    _Out_   SIZE_T*                         pcbCiphertext );
10261
//
10262
// Gives the size in bytes of the ciphertext for the given Composite ML-KEM parameters.
10263
// Returns SYMCRYPT_INVALID_ARGUMENT if parameters are invalid.
10264
//
10265

10266
SYMCRYPT_ERROR
10267
SYMCRYPT_CALL
10268
SymCryptCompositeMlKemkeyGenerate(
10269
    _Inout_ PSYMCRYPT_COMPOSITE_MLKEMKEY    pkCompositeMlKemkey,
10270
            UINT32                          flags );
10271
//
10272
// Generate a new random Composite ML-KEM key using the information from the
10273
// parameters passed to SymCryptCompositeMlKemkeyAllocate.
10274
//
10275
// Allowed flags:
10276
//
10277
// - SYMCRYPT_FLAG_KEY_NO_FIPS
10278
//   Opt-out of performing validation required for FIPS
10279
//
10280
// Described in more detail in the "Flags for asymmetric key generation and import" section above
10281
//
10282

10283
SYMCRYPT_ERROR
10284
SYMCRYPT_CALL
10285
SymCryptCompositeMlKemkeySetValue(
10286
    _In_reads_bytes_( cbSrc )   PCBYTE                              pbSrc,
10287
                                SIZE_T                              cbSrc,
10288
                                SYMCRYPT_COMPOSITE_MLKEMKEY_FORMAT  compositeMlKemkeyFormat,
10289
                                UINT32                              flags,
10290
    _Inout_                     PSYMCRYPT_COMPOSITE_MLKEMKEY        pkCompositeMlKemkey );
10291
//
10292
// Import key material to a Composite ML-KEM key object. The arguments are the following:
10293
//  - (pbSrc, cbSrc): a buffer containing a representation of a Composite ML-KEM key,
10294
//    in format specified by compositeMlKemkeyFormat.
10295
//  - compositeMlKemkeyFormat format of the input
10296
//
10297
// Allowed flags:
10298
//
10299
// - SYMCRYPT_FLAG_KEY_NO_FIPS
10300
//   Opt-out of performing validation required for FIPS
10301
//
10302
// - SYMCRYPT_FLAG_KEY_MINIMAL_VALIDATION
10303
//   Opt-out of performing almost all validation - must be specified with SYMCRYPT_FLAG_KEY_NO_FIPS
10304
//
10305
// Remarks:
10306
// - cbSrc must be equal to the cbKeyFormat returned from
10307
//   SymCryptCompositeMlKemSizeofKeyFormatFromParams(params, compositeMlKemkeyFormat, &cbKeyFormat), though
10308
//   typically this value can be known statically (see definition of SYMCRYPT_COMPOSITE_MLKEMKEY_FORMAT)
10309
//
10310

10311
SYMCRYPT_ERROR
10312
SYMCRYPT_CALL
10313
SymCryptCompositeMlKemkeyGetValue(
10314
    _In_                        PCSYMCRYPT_COMPOSITE_MLKEMKEY       pkCompositeMlKemkey,
10315
    _Out_writes_bytes_( cbDst ) PBYTE                               pbDst,
10316
                                SIZE_T                              cbDst,
10317
                                SYMCRYPT_COMPOSITE_MLKEMKEY_FORMAT  compositeMlKemkeyFormat,
10318
                                UINT32                              flags );
10319
//
10320
// Export key material from a Composite ML-KEM key object. The arguments are the following:
10321
//  - (pbDst, cbDst): a buffer into which a representation of a Composite ML-KEM key is
10322
//    written, in the format specified by compositeMlKemkeyFormat.
10323
//  - compositeMlKemkeyFormat format of the output
10324
//
10325
// Allowed flags:
10326
//      - None.
10327
//
10328
//  Remarks:
10329
//  - If the key object does not have the information required to export to the format
10330
//    specified by compositeMlKemkeyFormat this function will return SYMCRYPT_INCOMPATIBLE_FORMAT.
10331
//  - cbDst must be equal to the cbKeyFormat returned from
10332
//    SymCryptCompositeMlKemSizeofKeyFormatFromParams(params, compositeMlKemkeyFormat, &cbKeyFormat), though typically this
10333
//    value can be known statically (see definition of SYMCRYPT_COMPOSITE_MLKEMKEY_FORMAT)
10334
//
10335

10336
SYMCRYPT_ERROR
10337
SYMCRYPT_CALL
10338
SymCryptCompositeMlKemEncapsulate(
10339
    _In_                                    PCSYMCRYPT_COMPOSITE_MLKEMKEY   pkCompositeMlKemkey,
10340
    _Out_writes_bytes_( cbAgreedSecret )    PBYTE                           pbAgreedSecret,
10341
                                            SIZE_T                          cbAgreedSecret,
10342
    _Out_writes_bytes_( cbCiphertext )      PBYTE                           pbCiphertext,
10343
                                            SIZE_T                          cbCiphertext );
10344
//
10345
// Performs the Encapsulate operation of Composite ML-KEM.
10346
// This uses the public information of a Composite ML-KEM keypair to generate an agreed secret
10347
// and a ciphertext. Only a peer with the private information of a Composite ML-KEM keypair can
10348
// decapsulate the ciphertext to compute the agreed secret.
10349
//
10350
// The arguments are the following:
10351
// - pkCompositeMlKemkey: a key which contains public information required for encapsulation.
10352
// - (pbAgreedSecret, cbAgreedSecret): a buffer into which the generated secret is written.
10353
//   Currently cbAgreedSecret must be 32 for all parameterizations of Composite ML-KEM.
10354
// - (pbCiphertext, cbCiphertext): a buffer into which the encapsulated secret is written.
10355
//   cbCiphertext must equal cbCiphertext given by SymCryptCompositeMlKemSizeofCiphertextFromParams,
10356
//   though typically this value can be known statically (see definition of
10357
//   SYMCRYPT_COMPOSITE_MLKEM_CIPHERTEXT_SIZE_*).
10358
//
10359

10360
SYMCRYPT_ERROR
10361
SYMCRYPT_CALL
10362
SymCryptCompositeMlKemDecapsulate(
10363
    _In_                                    PCSYMCRYPT_COMPOSITE_MLKEMKEY   pkCompositeMlKemkey,
10364
    _In_reads_bytes_( cbCiphertext )        PCBYTE                          pbCiphertext,
10365
                                            SIZE_T                          cbCiphertext,
10366
    _Out_writes_bytes_( cbAgreedSecret )    PBYTE                           pbAgreedSecret,
10367
                                            SIZE_T                          cbAgreedSecret );
10368
//
10369
// Performs the Decapsulate operation of Composite ML-KEM.
10370
// This uses the private information of a Composite ML-KEM keypair to generate an agreed
10371
// secret from a ciphertext.
10372
//
10373
// The arguments are the following:
10374
// - pkCompositeMlKemkey: a key which contains private information required for decapsulation.
10375
// - (pbCiphertext, cbCiphertext): a buffer containing an encapsulated secret.
10376
//   cbCiphertext must equal cbCiphertext given by SymCryptCompositeMlKemSizeofCiphertextFromParams,
10377
//   though typically this value can be known statically (see definition of
10378
//   SYMCRYPT_COMPOSITE_MLKEM_CIPHERTEXT_SIZE_*).
10379
// - (pbAgreedSecret, cbAgreedSecret): a buffer into which the generated secret is written.
10380
//   Currently cbAgreedSecret must be 32 for all parameterizations of Composite ML-KEM.
10381
//
10382
// Note: Given an invalid, but correctly-sized, ciphertext, the Composite ML-KEM Decapsulation operation
10383
// will "implicitly reject" the ciphertext, by returning success in equal time to a valid
10384
// decapsulation operation, with pseudo-random agreed secret output. This forces higher
10385
// level protocols to fail later when symmetric keys of peers do not match.
10386
// So decapsulate will only ever return an error if there are programming errors (e.g. incorrect size),
10387
// or something fundamentally goes wrong with the environment (e.g. internal memory allocation fails).
10388
//
10389

10390
////////////////////////////////////////////////////////////
10391
// Module-Lattice-Based Digital Signature Algorithm (ML-DSA)
10392
////////////////////////////////////////////////////////////
10393

10394
// Maximum length of the context string used in signing and verification
10395
#define SYMCRYPT_MLDSA_CONTEXT_MAX_LENGTH   (255)
10396

10397
// ML-DSA key formats
10398
// ==================
10399
// The below formats apply **only to external formats**: When somebody is importing or exporting
10400
// a key. The internal format of the keys is not visible to the caller.
10401
typedef enum _SYMCRYPT_MLDSAKEY_FORMAT {
10402
    SYMCRYPT_MLDSAKEY_FORMAT_NULL               = 0,
10403
    SYMCRYPT_MLDSAKEY_FORMAT_PRIVATE_SEED       = 1,
10404
        // 32-byte private root seed xi from which all other parameters can be derived.
10405
        // On its own it is ambiguous which ML-DSA parameter set this represents; callers wanting to
10406
        // store this format must track the parameter set alongside the key.
10407
    SYMCRYPT_MLDSAKEY_FORMAT_PRIVATE_KEY        = 2,
10408
        // Standard byte encoding of an ML-DSA private key, per FIPS 204.
10409
        // Size is 2560, 4032, or 4896 bytes for ML-DSA 44, 65, and 87 respectively.
10410
    SYMCRYPT_MLDSAKEY_FORMAT_PUBLIC_KEY         = 3,
10411
        // Standard byte encoding of an ML-DSA public key, per FIPS 204.
10412
        // Size is 1312, 1952, or 2592 bytes for ML-DSA 44, 65, and 87 respectively.
10413
} SYMCRYPT_MLDSAKEY_FORMAT;
10414

10415
typedef enum _SYMCRYPT_MLDSA_PARAMS {
10416
    SYMCRYPT_MLDSA_PARAMS_NULL                  = 0,
10417
    SYMCRYPT_MLDSA_PARAMS_MLDSA44               = 1,
10418
    SYMCRYPT_MLDSA_PARAMS_MLDSA65               = 2,
10419
    SYMCRYPT_MLDSA_PARAMS_MLDSA87               = 3,
10420
} SYMCRYPT_MLDSA_PARAMS;
10421
// Currently supported ML-DSA parameter sets are represented externally only by the enum
10422

10423
typedef enum _SYMCRYPT_PQDSA_HASH_ID {
10424
    SYMCRYPT_PQDSA_HASH_ID_NULL                = 0,
10425
    SYMCRYPT_PQDSA_HASH_ID_SHA256              = 1,
10426
    SYMCRYPT_PQDSA_HASH_ID_SHA384              = 2,
10427
    SYMCRYPT_PQDSA_HASH_ID_SHA512              = 3,
10428
    SYMCRYPT_PQDSA_HASH_ID_SHA512_256          = 4,
10429
    SYMCRYPT_PQDSA_HASH_ID_SHA3_256            = 5,
10430
    SYMCRYPT_PQDSA_HASH_ID_SHA3_384            = 6,
10431
    SYMCRYPT_PQDSA_HASH_ID_SHA3_512            = 7,
10432
    SYMCRYPT_PQDSA_HASH_ID_SHAKE128            = 8,
10433
    SYMCRYPT_PQDSA_HASH_ID_SHAKE256            = 9,
10434
} SYMCRYPT_PQDSA_HASH_ID;
10435
// Supported hash algorithms for use with Hash-ML-DSA
10436

10437
//========================================================================
10438
// MLDSAKEY objects' API
10439
//
10440

10441
SYMCRYPT_ERROR
10442
SYMCRYPT_CALL
10443
SymCryptMlDsaSizeofKeyFormatFromParams(
10444
            SYMCRYPT_MLDSA_PARAMS       params,
10445
            SYMCRYPT_MLDSAKEY_FORMAT    mlDsakeyFormat,
10446
    _Out_   SIZE_T*                     pcbKeyFormat );
10447
//
10448
// Gives the size in bytes of the blob of the given format for the given ML-DSA
10449
// parameters and the specified format via pcbKeyFormat output.
10450
//
10451
// Return values:
10452
// - SYMCRYPT_NO_ERROR on success.
10453
// - SYMCRYPT_INCOMPATIBLE_FORMAT if mlDsakeyFormat is an unsupported value.
10454
// - SYMCRYPT_INVALID_ARGUMENT if other parameters are invalid.
10455
//
10456

10457
#define SYMCRYPT_MLDSA_SIGNATURE_SIZE_MLDSA44    (2420)
10458
#define SYMCRYPT_MLDSA_SIGNATURE_SIZE_MLDSA65    (3309)
10459
#define SYMCRYPT_MLDSA_SIGNATURE_SIZE_MLDSA87    (4627)
10460

10461
SYMCRYPT_ERROR
10462
SYMCRYPT_CALL
10463
SymCryptMlDsaSizeofSignatureFromParams(
10464
            SYMCRYPT_MLDSA_PARAMS       params,
10465
    _Out_   SIZE_T*                     pcbSignature );
10466
//
10467
// Gives the size in bytes of the signature for the given ML-DSA parameters.
10468
//
10469
// Return values:
10470
// - SYMCRYPT_NO_ERROR on success.
10471
// - SYMCRYPT_INVALID_ARGUMENT if parameters are invalid.
10472
//
10473

10474
_Success_( return != NULL )
10475
PSYMCRYPT_MLDSAKEY
10476
SYMCRYPT_CALL
10477
SymCryptMlDsakeyAllocate(
10478
            SYMCRYPT_MLDSA_PARAMS       params );
10479
//
10480
// Allocate a new ML-DSA key object sized according to the parameters.
10481
//
10482
// This call does not generate key material. It should be followed by a call to
10483
// SymCryptMlDsakeyGenerate or SymCryptMlDsakeySetValue.
10484
//
10485
// May return NULL if memory allocation fails.
10486
//
10487

10488
VOID
10489
SYMCRYPT_CALL
10490
SymCryptMlDsakeyFree(
10491
    _Post_invalid_  PSYMCRYPT_MLDSAKEY  pkMlDsakey );
10492
//
10493
// Free an ML-DSA key object that was allocated with SymCryptMlDsakeyAllocate.
10494
//
10495

10496
SYMCRYPT_ERROR
10497
SYMCRYPT_CALL
10498
SymCryptMlDsakeyGenerate(
10499
    _Inout_     PSYMCRYPT_MLDSAKEY      pkMlDsakey,
10500
                UINT32                  flags );
10501
//
10502
// Generate a new random ML-DSA key using the information from the
10503
// parameters passed to SymCryptMlDsakeyAllocate.
10504
//
10505
// Parameters:
10506
// - pkMlDsakey: a pointer to an ML-DSA key object allocated with SymCryptMlDsakeyAllocate
10507
//
10508
// Allowed flags:
10509
//
10510
// - SYMCRYPT_FLAG_KEY_NO_FIPS
10511
//   Opt-out of performing validation required for FIPS
10512
//
10513
// Return values:
10514
// - SYMCRYPT_NO_ERROR on success.
10515
// - SYMCRYPT_MEMORY_ALLOCATION_FAILURE if memory allocation fails.
10516
//
10517

10518
SYMCRYPT_ERROR
10519
SYMCRYPT_CALL
10520
SymCryptMlDsakeySetValue(
10521
    _In_reads_bytes_( cbSrc )   PCBYTE                      pbSrc,
10522
                                SIZE_T                      cbSrc,
10523
                                SYMCRYPT_MLDSAKEY_FORMAT    mlDsakeyFormat,
10524
                                UINT32                      flags,
10525
    _Inout_                     PSYMCRYPT_MLDSAKEY          pkMlDsakey );
10526
//
10527
// Import key material to an ML-DSA key object from a byte blob.
10528
//
10529
// Parameters:
10530
// - (pbSrc, cbSrc): a buffer containing a representation of an ML-DSA key, in the format specified
10531
//   by the format parameter.
10532
// - mlDsakeyFormat: format of the input
10533
// - pkMlDsakey: a pointer to an ML-DSA key object allocated with SymCryptMlDsakeyAllocate.
10534
//
10535
// Allowed flags:
10536
//
10537
// - SYMCRYPT_FLAG_KEY_NO_FIPS
10538
//   Opt-out of performing validation required for FIPS
10539
//
10540
// Remarks:
10541
// - cbSrc must be equal to the cbKeyFormat returned from
10542
//   SymCryptMlDsaSizeofKeyFormatFromParams(params, format, &cbKeyFormat), though typically this
10543
//   value can be known statically (see definition of SYMCRYPT_MLDSAKEY_FORMAT)
10544
//
10545
// Return values:
10546
// - SYMCRYPT_NO_ERROR on success.
10547
// - SYMCRYPT_INCOMPATIBLE_FORMAT if the key format is invalid.
10548
// - SYMCRYPT_INVALID_ARGUMENT if other arguments are invalid.
10549
// - SYMCRYPT_WRONG_KEY_SIZE if cbSrc does not match the expected size for the key format.
10550
// - SYMCRYPT_INVALID_BLOB if the encoded key is invalid.
10551
// - SYMCRYPT_MEMORY_ALLOCATION_FAILURE if memory allocation fails.
10552
//
10553

10554
SYMCRYPT_ERROR
10555
SYMCRYPT_CALL
10556
SymCryptMlDsakeyGetValue(
10557
    _In_                        PCSYMCRYPT_MLDSAKEY         pkMlDsakey,
10558
    _Out_writes_bytes_( cbDst ) PBYTE                       pbDst,
10559
                                SIZE_T                      cbDst,
10560
                                SYMCRYPT_MLDSAKEY_FORMAT    mlDsakeyFormat,
10561
                                UINT32                      flags );
10562
//
10563
// Export key material from an ML-DSA key object to a byte blob.
10564
//
10565
// Parameters:
10566
// - pkMlDsakey: pointer to a valid ML-DSA key object.
10567
// - (pbDst, cbDst): buffer for the exported ML-DSA key, in the format specified by the format
10568
//   parameter.
10569
// - mlDsakeyFormat: format of the output
10570
// - flags: no flags are currently defined; must be set to 0
10571
//
10572
// Return values:
10573
// - SYMCRYPT_NO_ERROR on success.
10574
// - SYMCRYPT_INCOMPATIBLE_FORMAT if the key object does not have the information required to export
10575
//   the format specified by mlDsakeyFormat.
10576
// - SYMCRYPT_INVALID_ARGUMENT if the output buffer size or other arguments are incorrect.
10577
//
10578
// Remarks:
10579
// - cbDst must be equal to the cbKeyFormat returned from
10580
//   SymCryptMlDsaSizeofKeyFormatFromParams(params, format, &cbKeyFormat), though typically this
10581
//   value can be known statically (see definition of SYMCRYPT_MLDSAKEY_FORMAT)
10582
//
10583

10584
SYMCRYPT_ERROR
10585
SYMCRYPT_CALL
10586
SymCryptMlDsaSign(
10587
    _In_                                                PCSYMCRYPT_MLDSAKEY pkMlDsakey,
10588
    _In_reads_bytes_( cbMessage )                       PCBYTE              pbMessage,
10589
                                                        SIZE_T              cbMessage,
10590
    _In_reads_bytes_opt_( cbContext )                   PCBYTE              pbContext,
10591
    _In_range_( 0, SYMCRYPT_MLDSA_CONTEXT_MAX_LENGTH )  SIZE_T              cbContext,
10592
                                                        UINT32              flags,
10593
    _Out_writes_bytes_( cbSignature )                   PBYTE               pbSignature,
10594
                                                        SIZE_T              cbSignature );
10595
//
10596
// Sign a message using "pure" ML-DSA. The message can be of arbitrary length.
10597
//
10598
// Parameters:
10599
// - pkMlDsakey: an ML-DSA key object. Must contain the private key material.
10600
// - (pbMessage, cbMessage): the message to sign. May be of arbitrary length.
10601
// - (pbContext, cbContext): an optional context string which will be included in the message
10602
//   representative to be signed. Length must be <= SYMCRYPT_MLDSA_CONTEXT_MAX_LENGTH.
10603
// - flags: no flags are currently defined; must be set to 0
10604
// - (pbSignature, cbSignature): the buffer into which the signature is written.
10605
//
10606
// Return values:
10607
// - SYMCRYPT_NO_ERROR on success.
10608
// - SYMCRYPT_INVALID_ARGUMENT if the key object does not contain a private key, or if other
10609
//   parameters are invalid.
10610
// - SYMCRYPT_MEMORY_ALLOCATION_FAILURE if memory allocation fails.
10611
//
10612
// Remarks:
10613
//   cbSignature must be equal to the cbKeyFormat returned from
10614
//   SymCryptMlDsaSizeofSignatureFromParams( params, &cbSignature ), though typically this
10615
//   value can be known statically (see definition of SYMCRYPT_MLDSA_SIGNATURE_SIZE_*).
10616
//
10617

10618
SYMCRYPT_ERROR
10619
SYMCRYPT_CALL
10620
SymCryptExternalMuMlDsaSign(
10621
    _In_                                                PCSYMCRYPT_MLDSAKEY pkMlDsakey,
10622
    _In_reads_bytes_( cbMu )                            PCBYTE              pbMu,
10623
                                                        SIZE_T              cbMu,
10624
                                                        UINT32              flags,
10625
    _Out_writes_bytes_( cbSignature )                   PBYTE               pbSignature,
10626
                                                        SIZE_T              cbSignature );
10627
//
10628
// Sign a precomputed message representative Mu.
10629
//
10630
// Parameters:
10631
// - (pbMu, cbMu): the message representative to sign,
10632
//   which must be of size 64 (SYMCRYPT_SHAKE256_RESULT_SIZE).
10633
// - All other parameters are the same as for SymCryptMlDsaSign.
10634
//
10635

10636
SYMCRYPT_ERROR
10637
SYMCRYPT_CALL
10638
SymCryptHashMlDsaSign(
10639
    _In_                                                PCSYMCRYPT_MLDSAKEY     pkMlDsakey,
10640
                                                        SYMCRYPT_PQDSA_HASH_ID  hashAlg,
10641
    _In_reads_bytes_( cbHash )                          PCBYTE                  pbHash,
10642
                                                        SIZE_T                  cbHash,
10643
    _In_reads_bytes_opt_( cbContext )                   PCBYTE                  pbContext,
10644
    _In_range_( 0, SYMCRYPT_MLDSA_CONTEXT_MAX_LENGTH )  SIZE_T                  cbContext,
10645
                                                        UINT32                  flags,
10646
    _Out_writes_bytes_( cbSignature )                   PBYTE                   pbSignature,
10647
                                                        SIZE_T                  cbSignature );
10648
//
10649
// Sign a message using "pre-hash" ML-DSA. The caller precomputes the hash of the message.
10650
//
10651
// Parameters:
10652
// - hashAlg: the ID of the hash algorithm used to compute pbHash.
10653
// - (pbHash, cbHash): the hash of the message to sign.
10654
// - All other parameters are the same as for SymCryptMlDsaSign.
10655
//
10656
// Return values:
10657
// - SYMCRYPT_NO_ERROR on success.
10658
// - SYMCRYPT_INVALID_ARGUMENT if the key object does not contain a private key, or if other
10659
//   parameters are invalid.
10660
// - SYMCRYPT_MEMORY_ALLOCATION_FAILURE if memory allocation fails.
10661
//
10662
// Remarks:
10663
//   The hash algorithm provided must meet the minimum required collision strength defined for the
10664
//   chosen ML-DSA parameter set. This is the lambda parameter in FIPS 204. This means that the
10665
//   following hash algorithms are supported:
10666
//
10667
//   ML-DSA-44 (lambda = 128): SHA-256, SHA-384, SHA-512, SHA-512/256, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256
10668
//   ML-DSA-65 (lambda = 192): SHA-384, SHA-512, SHA3-384, SHA3-512, SHAKE256
10669
//   ML-DSA-87 (lambda = 256): SHA-512, SHA3-512, SHAKE256
10670
//
10671
//   Additionally, cbHash must match the output length of the hash algorithm.
10672
//   For XOFs, the any output length >= the minimum collision strength is acceptable. If this
10673
//   requirement is not met, the function returns SYMCRYPT_INVALID_ARGUMENT.
10674
//
10675
//   As with SymCryptMlDsaSign, cbSignature must be equal to the cbKeyFormat returned from
10676
//   SymCryptMlDsaSizeofSignatureFromParams( params, &cbSignature ), though typically this
10677
//   value can be known statically (see definition of SYMCRYPT_MLDSA_SIGNATURE_SIZE_*).
10678
//
10679

10680
SYMCRYPT_ERROR
10681
SYMCRYPT_CALL
10682
SymCryptMlDsaVerify(
10683
    _In_                                                PCSYMCRYPT_MLDSAKEY pkMlDsakey,
10684
    _In_reads_bytes_( cbMessage )                       PCBYTE              pbMessage,
10685
                                                        SIZE_T              cbMessage,
10686
    _In_reads_bytes_opt_( cbContext )                   PCBYTE              pbContext,
10687
    _In_range_( 0, SYMCRYPT_MLDSA_CONTEXT_MAX_LENGTH )  SIZE_T              cbContext,
10688
    _In_reads_bytes_( cbSignature )                     PCBYTE              pbSignature,
10689
                                                        SIZE_T              cbSignature,
10690
                                                        UINT32              flags );
10691
//
10692
// Verify a signature using "pure" ML-DSA. The message can be of arbitrary length.
10693
//
10694
// Parameters:
10695
// - pkMlDsakey: the ML-DSA key object used to verify the signature.
10696
// - (pbMessage, cbMessage): the message that the signature was generated from.
10697
// - (pbContext, cbContext): an optional context string which will be included in the message
10698
//   representative to be signed. Length must be <= SYMCRYPT_MLDSA_CONTEXT_MAX_LENGTH.
10699
// - (pbSignature, cbSignature): the signature to verify.
10700
// - flags: no flags are currently defined; must be set to 0
10701
//
10702
// Return values:
10703
// - SYMCRYPT_NO_ERROR if the signature was verified successfully.
10704
// - SYMCRYPT_SIGNATURE_VERIFICATION_FAILURE if the signature is invalid.
10705
// - SYMCRYPT_INVALID_ARGUMENT if the parameters are invalid.
10706

10707
SYMCRYPT_ERROR
10708
SYMCRYPT_CALL
10709
SymCryptExternalMuMlDsaVerify(
10710
    _In_                                                PCSYMCRYPT_MLDSAKEY pkMlDsakey,
10711
    _In_reads_bytes_( cbMu )                            PCBYTE              pbMu,
10712
                                                        SIZE_T              cbMu,
10713
    _In_reads_bytes_( cbSignature )                     PCBYTE              pbSignature,
10714
                                                        SIZE_T              cbSignature,
10715
                                                        UINT32              flags );
10716
//
10717
// Verify a signature of a precomputed message representative Mu.
10718
//
10719
// Parameters:
10720
// - (pbMu, cbMu): the message representative that was signed,
10721
//   which must be of size 64 (SYMCRYPT_SHAKE256_RESULT_SIZE).
10722
// - All other parameters are the same as for SymCryptMlDsaVerify.
10723
//
10724

10725
SYMCRYPT_ERROR
10726
SYMCRYPT_CALL
10727
SymCryptHashMlDsaVerify(
10728
    _In_                                                PCSYMCRYPT_MLDSAKEY     pkMlDsakey,
10729
                                                        SYMCRYPT_PQDSA_HASH_ID  hashAlg,
10730
    _In_reads_bytes_( cbHash )                          PCBYTE                  pbHash,
10731
                                                        SIZE_T                  cbHash,
10732
    _In_reads_bytes_opt_( cbContext )                   PCBYTE                  pbContext,
10733
    _In_range_( 0, SYMCRYPT_MLDSA_CONTEXT_MAX_LENGTH )  SIZE_T                  cbContext,
10734
    _In_reads_bytes_( cbSignature )                     PCBYTE                  pbSignature,
10735
                                                        SIZE_T                  cbSignature,
10736
                                                        UINT32                  flags );
10737
//
10738
// Verify a signature using "pre-hash" ML-DSA. The caller precomputes the hash of the message.
10739
//
10740
// Parameters:
10741
// - hashAlg: the ID of the hash algorithm used to compute pbHash.
10742
// - (pbHash, cbHash): the hash of the message that the signature was generated from.
10743
// - All other parameters are the same as for SymCryptMlDsaVerify.
10744
//
10745
// Return values:
10746
// - SYMCRYPT_NO_ERROR if the signature was validated successfully.
10747
// - SYMCRYPT_SIGNATURE_VERIFICATION_FAILURE if the signature is invalid.
10748
// - SYMCRYPT_INVALID_ARGUMENT if the parameters are invalid.
10749
//
10750
// Remarks:
10751
//   See the remarks for SymCryptHashMlDsaSign regarding the required security strength of the hash
10752
//   algorithm. For unsupported hash algorithms, the function will return SYMCRYPT_INVALID_ARGUMENT.
10753

10754
VOID
10755
SYMCRYPT_CALL
10756
SymCryptMlDsaSelftest( void );
10757
//
10758
// FIPS selftest for ML-DSA
10759
//
10760

10761
_Analysis_noreturn_
10762
VOID
10763
SYMCRYPT_CALL
10764
SymCryptFatal( UINT32 fatalCode );
10765
//
10766
// Call the Fatal routine passed to the library upon initialization
10767
// We use the SYMCRYPT_ASSERT macro to catch problems in Debug builds
10768
//
10769

10770

10771
typedef struct _SYMCRYPT_UINT32_MAP {
10772
    UINT32              from;       // map this value...
10773
    UINT32              to;         // ...into this value
10774
} SYMCRYPT_UINT32_MAP, *PSYMCRYPT_UINT32_MAP;
10775
typedef const SYMCRYPT_UINT32_MAP * PCSYMCRYPT_UINT32_MAP;
10776

10777

10778
UINT32
10779
SYMCRYPT_CALL
10780
SymCryptMapUint32(
10781
                        UINT32                  u32Input,
10782
                        UINT32                  u32Default,
10783
    _In_reads_( nMap )  PCSYMCRYPT_UINT32_MAP   pcMap,
10784
                        SIZE_T                  nMap );
10785
//
10786
// Map values in a side-channel safe way, typically used for mapping error codes.
10787
//
10788
// (pcMap, nMap) point to an array of nMap entries of type SYMCRYPT_UINT32_MAP;
10789
// each entry specifies a single mapping. If u32Input matches the
10790
// 'from' field, the return value will be the 'to' field value.
10791
// If u32Input is not equal to any 'from' field values, the return value is u32Default.
10792
// Both u32Input and the return value are treated as secrets w.r.t. side channels.
10793
//
10794
// If multiple map entries have the same 'from' field value, then the return value
10795
// is one of the several 'to' field values; which one is not defined.
10796
//
10797
// This function is particularly useful when mapping error codes in situations where
10798
// the actual error cannot be revealed through side channels.
10799

10800
#if SYMCRYPT_DEBUG
10801
#define SYMCRYPT_ASSERT( _x ) \
10802
    {\
10803
        if( !(_x) ){ SymCryptFatal( 'asrt' ); }\
10804
    }\
10805
    _Analysis_assume_( _x )
10806
#else
10807
#define SYMCRYPT_ASSERT( _x ) \
10808
    _Analysis_assume_( _x )
10809
#endif
10810

10811

10812
#ifdef __cplusplus
10813
}
10814
#endif
10815

10816