modes.h 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560
  1. /*
  2. * cifra - embedded cryptography library
  3. * Written in 2014 by Joseph Birr-Pixton <jpixton@gmail.com>
  4. *
  5. * To the extent possible under law, the author(s) have dedicated all
  6. * copyright and related and neighboring rights to this software to the
  7. * public domain worldwide. This software is distributed without any
  8. * warranty.
  9. *
  10. * You should have received a copy of the CC0 Public Domain Dedication
  11. * along with this software. If not, see
  12. * <http://creativecommons.org/publicdomain/zero/1.0/>.
  13. */
  14. #ifndef MODES_H
  15. #define MODES_H
  16. #include <stddef.h>
  17. #include <stdint.h>
  18. #include "prp.h"
  19. /**
  20. * Block cipher modes
  21. * ==================
  22. */
  23. /**
  24. * CBC mode
  25. * --------
  26. * This implementation allows encryption or decryption of whole
  27. * blocks in CBC mode. It does not offer a byte-wise incremental
  28. * interface, or do any padding.
  29. *
  30. * This mode provides no useful integrity and should not be used
  31. * directly.
  32. */
  33. /* .. c:type:: cf_cbc
  34. * This structure binds together the things needed to encrypt/decrypt whole
  35. * blocks in CBC mode.
  36. *
  37. * .. c:member:: cf_cbc.prp
  38. * How to encrypt or decrypt blocks. This could be, for example, :c:data:`cf_aes`.
  39. *
  40. * .. c:member:: cf_cbc.prpctx
  41. * Private data for prp functions. For a `prp` of `cf_aes`, this would be a
  42. * pointer to a :c:type:`cf_aes_context` instance.
  43. *
  44. * .. c:member:: cf_cbc.block
  45. * The IV or last ciphertext block.
  46. */
  47. typedef struct
  48. {
  49. const cf_prp *prp;
  50. void *prpctx;
  51. uint8_t block[CF_MAXBLOCK];
  52. } cf_cbc;
  53. /* .. c:function:: $DECL
  54. * Initialise CBC encryption/decryption context using selected prp, prp context and IV. */
  55. void cf_cbc_init(cf_cbc *ctx, const cf_prp *prp, void *prpctx, const uint8_t iv[CF_MAXBLOCK]);
  56. /* .. c:function:: $DECL
  57. * Encrypt blocks in CBC mode. input and output
  58. * must point to blocks * ctx->prp->blocksz bytes of storage (and may alias). */
  59. void cf_cbc_encrypt(cf_cbc *ctx, const uint8_t *input, uint8_t *output, size_t blocks);
  60. /* .. c:function:: $DECL
  61. * Decrypt blocks in CBC mode. input and output
  62. * must point to blocks * ctx->prp->blocksz bytes of storage (and may alias). */
  63. void cf_cbc_decrypt(cf_cbc *ctx, const uint8_t *input, uint8_t *output, size_t blocks);
  64. /**
  65. * Counter mode
  66. * ------------
  67. * This implementation allows incremental encryption/decryption of
  68. * messages. Encryption and decryption are the same operation.
  69. *
  70. * The counter is always big-endian, but has configurable location
  71. * and size within the nonce block. The counter wraps, so you
  72. * should make sure the length of a message with a given nonce
  73. * doesn't cause nonce reuse.
  74. *
  75. * This mode provides no integrity and should not be used directly.
  76. */
  77. /* .. c:type:: cf_ctr
  78. *
  79. * .. c:member:: cf_ctr.prp
  80. * How to encrypt or decrypt blocks. This could be, for example, :c:data:`cf_aes`.
  81. *
  82. * .. c:member:: cf_ctr.prpctx
  83. * Private data for prp functions. For a `prp` of `cf_aes`, this would be a
  84. * pointer to a :c:type:`cf_aes_context` instance.
  85. *
  86. * .. c:member:: cf_ctr.nonce
  87. * The next block to encrypt to get another block of key stream.
  88. *
  89. * .. c:member:: cf_ctr.keymat
  90. * The current block of key stream.
  91. *
  92. * .. c:member:: cf_ctr.nkeymat
  93. * The number of bytes at the end of :c:member:`keymat` that are so-far unused.
  94. * If this is zero, all the bytes are used up and/or of undefined value.
  95. *
  96. * .. c:member:: cf_ctr.counter_offset
  97. * The offset (in bytes) of the counter block within the nonce.
  98. *
  99. * .. c:member:: cf_ctr.counter_width
  100. * The width (in bytes) of the counter block in the nonce.
  101. */
  102. typedef struct
  103. {
  104. const cf_prp *prp;
  105. void *prpctx;
  106. uint8_t nonce[CF_MAXBLOCK];
  107. uint8_t keymat[CF_MAXBLOCK];
  108. size_t nkeymat;
  109. size_t counter_offset;
  110. size_t counter_width;
  111. } cf_ctr;
  112. /* .. c:function:: $DECL
  113. * Initialise CTR encryption/decryption context using selected prp and nonce.
  114. * (nb, this only increments the whole nonce as a big endian block) */
  115. void cf_ctr_init(cf_ctr *ctx, const cf_prp *prp, void *prpctx, const uint8_t nonce[CF_MAXBLOCK]);
  116. /* .. c:function:: $DECL
  117. * Set the location and width of the nonce counter.
  118. *
  119. * eg. offset = 12, width = 4 means the counter is mod 2^32 and placed
  120. * at the end of the nonce. */
  121. void cf_ctr_custom_counter(cf_ctr *ctx, size_t offset, size_t width);
  122. /* .. c:function:: $DECL
  123. * Encrypt or decrypt bytes in CTR mode.
  124. * input and output may alias and must point to specified number of bytes. */
  125. void cf_ctr_cipher(cf_ctr *ctx, const uint8_t *input, uint8_t *output, size_t bytes);
  126. /* .. c:function:: $DECL
  127. * Discards the rest of this block of key stream. */
  128. void cf_ctr_discard_block(cf_ctr *ctx);
  129. /**
  130. * CBC-MAC
  131. * -------
  132. * This is a incremental interface to computing a CBC-MAC tag over a message.
  133. *
  134. * It optionally pads the message with PKCS#5/PKCS#7 padding -- if you don't
  135. * do this, messages must be an exact number of blocks long.
  136. *
  137. * You shouldn't use this directly because it isn't secure for variable-length
  138. * messages. Use CMAC instead.
  139. */
  140. /* .. c:type:: cf_cbcmac_stream
  141. * Stream interface to CBC-MAC signing.
  142. *
  143. * .. c:member:: cf_cbcmac.prp
  144. * How to encrypt or decrypt blocks. This could be, for example, :c:data:`cf_aes`.
  145. *
  146. * .. c:member:: cf_cbcmac.prpctx
  147. * Private data for prp functions. For a `prp` of `cf_aes`, this would be a
  148. * pointer to a :c:type:`cf_aes_context` instance.
  149. *
  150. * .. c:member:: cf_cbcmac.cbc
  151. * CBC data.
  152. *
  153. * .. c:member:: cf_cbcmac.buffer
  154. * Buffer for data which can't be processed until we have a full block.
  155. *
  156. * .. c:member:: cf_cbcmac.used
  157. * How many bytes at the front of :c:member:`buffer` are valid.
  158. */
  159. typedef struct
  160. {
  161. const cf_prp *prp;
  162. void *prpctx;
  163. cf_cbc cbc;
  164. uint8_t buffer[CF_MAXBLOCK];
  165. size_t used;
  166. } cf_cbcmac_stream;
  167. /* .. c:function:: $DECL
  168. * Initialise CBC-MAC signing context using selected prp. */
  169. void cf_cbcmac_stream_init(cf_cbcmac_stream *ctx, const cf_prp *prp, void *prpctx);
  170. /* .. c:function:: $DECL
  171. * Reset the streaming signing context, to sign a new message. */
  172. void cf_cbcmac_stream_reset(cf_cbcmac_stream *ctx);
  173. /* .. c:function:: $DECL
  174. * Process ndata bytes at data. */
  175. void cf_cbcmac_stream_update(cf_cbcmac_stream *ctx, const uint8_t *data, size_t ndata);
  176. /* .. c:function:: $DECL
  177. * Finish the current block of data by adding zeroes. Does nothing if there
  178. * are no bytes awaiting processing. */
  179. void cf_cbcmac_stream_finish_block_zero(cf_cbcmac_stream *ctx);
  180. /* .. c:function:: $DECL
  181. * Output the MAC to ctx->prp->blocksz bytes at out.
  182. * ctx->used must be zero: the inputed message must be an exact number of
  183. * blocks. */
  184. void cf_cbcmac_stream_nopad_final(cf_cbcmac_stream *ctx, uint8_t out[CF_MAXBLOCK]);
  185. /* .. c:function:: $DECL
  186. * Output the MAC to ctx->prp->blocksz bytes at out.
  187. *
  188. * The message is padded with PKCS#5 padding. */
  189. void cf_cbcmac_stream_pad_final(cf_cbcmac_stream *ctx, uint8_t out[CF_MAXBLOCK]);
  190. /**
  191. * CMAC
  192. * ----
  193. * This is both a one-shot and incremental interface to
  194. * computing a CMAC tag over a message.
  195. *
  196. * The one-shot interface separates out the per-key computation,
  197. * so if you need to compute lots of MACs with one key you don't
  198. * pay that cost more than once.
  199. *
  200. * CMAC is a good choice for a symmetric MAC.
  201. */
  202. /* .. c:type:: cf_cmac
  203. * One-shot interface to CMAC signing.
  204. *
  205. * .. c:member:: cf_cmac.prp
  206. * How to encrypt or decrypt blocks. This could be, for example, :c:data:`cf_aes`.
  207. *
  208. * .. c:member:: cf_cmac.prpctx
  209. * Private data for prp functions. For a `prp` of `cf_aes`, this would be a
  210. * pointer to a :c:type:`cf_aes_context` instance.
  211. *
  212. * .. c:member:: cf_cmac.B
  213. * The XOR offset for the last message block if it is a complete block
  214. * (also known as K\ :sub:`1`).
  215. *
  216. * .. c:member:: cf_cmac.P
  217. * The XOR offset for the last message block if it is a partial block
  218. * (also known as K\ :sub:`2`).
  219. */
  220. typedef struct
  221. {
  222. const cf_prp *prp;
  223. void *prpctx;
  224. uint8_t B[CF_MAXBLOCK];
  225. uint8_t P[CF_MAXBLOCK];
  226. } cf_cmac;
  227. /* .. c:function:: $DECL
  228. * Initialise CMAC signing context using selected prp. */
  229. void cf_cmac_init(cf_cmac *ctx, const cf_prp *prp, void *prpctx);
  230. /* .. c:function:: $DECL
  231. * CMAC sign the given data. The MAC is written to ctx->prp->blocksz
  232. * bytes at out. This is a one-shot function. */
  233. void cf_cmac_sign(cf_cmac *ctx, const uint8_t *data, size_t bytes,
  234. uint8_t out[CF_MAXBLOCK]);
  235. /* .. c:type:: cf_cmac_stream
  236. * Stream interface to CMAC signing.
  237. *
  238. * Input data in arbitrary chunks using :c:func:`cf_cmac_stream_update`.
  239. * The last bit of data must be signalled with the `isfinal` flag to
  240. * that function, and the data cannot be zero length unless the whole
  241. * message is empty.
  242. *
  243. * .. c:member:: cf_cmac_stream.cmac
  244. * CMAC one-shot data.
  245. *
  246. * .. c:member:: cf_cmac_stream.cbc
  247. * CBC block encryption data.
  248. *
  249. * .. c:member:: cf_cmac_stream.buffer
  250. * Buffer for data which can't be processed until we have a full block.
  251. *
  252. * .. c:member:: cf_cmac_stream.used
  253. * How many bytes at the front of :c:member:`buffer` are valid.
  254. *
  255. * .. c:member:: cf_cmac_stream.processed
  256. * How many bytes in total we've processed. This is used to correctly
  257. * process empty messages.
  258. *
  259. * .. c:member:: cf_cmac_stream.finalised
  260. * A flag set when the final chunk of the message has been processed.
  261. * Only when this flag is set can you get the MAC out.
  262. */
  263. typedef struct
  264. {
  265. cf_cmac cmac;
  266. cf_cbc cbc;
  267. uint8_t buffer[CF_MAXBLOCK];
  268. size_t used;
  269. size_t processed;
  270. int finalised;
  271. } cf_cmac_stream;
  272. /* .. c:function:: $DECL
  273. * Initialise CMAC streaming signing context using selected prp. */
  274. void cf_cmac_stream_init(cf_cmac_stream *ctx, const cf_prp *prp, void *prpctx);
  275. /* .. c:function:: $DECL
  276. * Reset the streaming signing context, to sign a new message. */
  277. void cf_cmac_stream_reset(cf_cmac_stream *ctx);
  278. /* .. c:function:: $DECL
  279. * Process ndata bytes at data. isfinal is non-zero if this is the last piece
  280. * of data. */
  281. void cf_cmac_stream_update(cf_cmac_stream *ctx, const uint8_t *data, size_t ndata,
  282. int isfinal);
  283. /* .. c:function:: $DECL
  284. * Output the MAC to ctx->cmac->prp->blocksz bytes at out.
  285. * cf_cmac_stream_update with isfinal non-zero must have been called
  286. * since the last _init/_reset. */
  287. void cf_cmac_stream_final(cf_cmac_stream *ctx, uint8_t out[CF_MAXBLOCK]);
  288. /**
  289. * EAX
  290. * ---
  291. *
  292. * The EAX authenticated encryption mode. This is a one-shot
  293. * interface.
  294. *
  295. * EAX is a pretty respectable and fast AEAD mode.
  296. */
  297. /* .. c:function:: $DECL
  298. * EAX authenticated encryption.
  299. *
  300. * This function does not fail.
  301. *
  302. * :param prp/prpctx: describe the block cipher to use.
  303. * :param plain: message plaintext.
  304. * :param nplain: length of message. May be zero.
  305. * :param header: additionally authenticated data (AAD).
  306. * :param nheader: length of AAD. May be zero.
  307. * :param nonce: nonce. This must not repeat for a given key.
  308. * :param nnonce: length of nonce. The nonce can be any length.
  309. * :param cipher: ciphertext output. `nplain` bytes are written here.
  310. * :param tag: authentication tag. `ntag` bytes are written here.
  311. * :param ntag: authentication tag length. This must be non-zero and no greater than `prp->blocksz`.
  312. */
  313. void cf_eax_encrypt(const cf_prp *prp, void *prpctx,
  314. const uint8_t *plain, size_t nplain,
  315. const uint8_t *header, size_t nheader,
  316. const uint8_t *nonce, size_t nnonce,
  317. uint8_t *cipher,
  318. uint8_t *tag, size_t ntag);
  319. /* .. c:function:: $DECL
  320. * EAX authenticated decryption.
  321. *
  322. * :return: 0 on success, non-zero on error. Nothing is written to plain on error.
  323. *
  324. * :param prp/prpctx: describe the block cipher to use.
  325. * :param cipher: message ciphertext.
  326. * :param ncipher: message length.
  327. * :param header: additionally authenticated data (AAD).
  328. * :param nheader: length of AAD.
  329. * :param nonce: nonce.
  330. * :param nnonce: length of nonce.
  331. * :param tag: authentication tag. `ntag` bytes are read from here.
  332. * :param ntag: authentication tag length.
  333. * :param plain: plaintext output. `ncipher` bytes are written here.
  334. */
  335. int cf_eax_decrypt(const cf_prp *prp, void *prpctx,
  336. const uint8_t *cipher, size_t ncipher,
  337. const uint8_t *header, size_t nheader,
  338. const uint8_t *nonce, size_t nnonce,
  339. const uint8_t *tag, size_t ntag,
  340. uint8_t *plain);
  341. /**
  342. * GCM
  343. * ---
  344. * The GCM ('Galois counter mode') authenticated encryption mode.
  345. * This is a one-shot interface.
  346. *
  347. * GCM is a reasonably respectable AEAD mode. It's somewhat more
  348. * complex than EAX, and side channel-free implementations can
  349. * be quite slow.
  350. */
  351. /* .. c:function:: $DECL
  352. * GCM authenticated encryption.
  353. *
  354. * This function does not fail.
  355. *
  356. * :param prp/prpctx: describe the block cipher to use.
  357. * :param plain: message plaintext.
  358. * :param nplain: length of message. May be zero.
  359. * :param header: additionally authenticated data (AAD).
  360. * :param nheader: length of AAD. May be zero.
  361. * :param nonce: nonce. This must not repeat for a given key.
  362. * :param nnonce: length of nonce. The nonce can be any length, but 12 bytes is strongly recommended.
  363. * :param cipher: ciphertext output. `nplain` bytes are written here.
  364. * :param tag: authentication tag. `ntag` bytes are written here.
  365. * :param ntag: authentication tag length. This must be non-zero and no greater than `prp->blocksz`.
  366. *
  367. * This function does not fail.
  368. */
  369. void cf_gcm_encrypt(const cf_prp *prp, void *prpctx,
  370. const uint8_t *plain, size_t nplain,
  371. const uint8_t *header, size_t nheader,
  372. const uint8_t *nonce, size_t nnonce,
  373. uint8_t *cipher,
  374. uint8_t *tag, size_t ntag);
  375. /* .. c:function:: $DECL
  376. * GCM authenticated decryption.
  377. *
  378. * :return: 0 on success, non-zero on error. Nothing is written to plain on error.
  379. *
  380. * :param prp: describe the block cipher to use.
  381. * :param prpctx: describe the block cipher to use.
  382. * :param cipher: message ciphertext.
  383. * :param ncipher: message length.
  384. * :param header: additionally authenticated data (AAD).
  385. * :param nheader: length of AAD.
  386. * :param nonce: nonce.
  387. * :param nnonce: length of nonce.
  388. * :param tag: authentication tag. `ntag` bytes are read from here.
  389. * :param ntag: authentication tag length.
  390. * :param plain: plaintext output. `ncipher` bytes are written here.
  391. */
  392. int cf_gcm_decrypt(const cf_prp *prp, void *prpctx,
  393. const uint8_t *cipher, size_t ncipher,
  394. const uint8_t *header, size_t nheader,
  395. const uint8_t *nonce, size_t nnonce,
  396. const uint8_t *tag, size_t ntag,
  397. uint8_t *plain);
  398. /**
  399. * CCM
  400. * ---
  401. *
  402. * The CCM ('Counter with CBC-MAC') authenticated encryption mode.
  403. * CCM is a widely used AEAD mode (in IPSec, WPA2, Bluetooth, etc.)
  404. *
  405. * It works (at a high level) by just gluing together CTR and CBC-MAC
  406. * modes (in MAC-then-encrypt mode) and then fixing the problems inherent
  407. * with CBC-MAC in over-complicated ways.
  408. *
  409. * This is a one-shot interface, which is good because the underlying
  410. * mechanism isn't actually online: you need to know the message length
  411. * before you start, or do everything in two passes.
  412. */
  413. /* .. c:function:: $DECL
  414. * CCM authenticated encryption.
  415. *
  416. * This function does not fail.
  417. *
  418. * :param prp/prpctx: describe the block cipher to use.
  419. * :param plain: message plaintext.
  420. * :param nplain: length of message. May be zero. Must meet the constraints placed on it by `L`.
  421. * :param L: length of the message length encoding. This must be in the interval `[2,8]` and gives a maximum message size of 2\ :sup:`8L` bytes.
  422. * :param header: additionally authenticated data (AAD).
  423. * :param nheader: length of AAD. May be zero.
  424. * :param nonce: nonce. This must not repeat for a given key.
  425. * :param nnonce: length of nonce. Must be exactly `15 - L` bytes for a 128-bit block cipher.
  426. * :param cipher: ciphertext output. `nplain` bytes are written here.
  427. * :param tag: authentication tag. `ntag` bytes are written here.
  428. * :param ntag: authentication tag length. This must be 4, 6, 8, 10, 12, 14 or 16.
  429. */
  430. void cf_ccm_encrypt(const cf_prp *prp, void *prpctx,
  431. const uint8_t *plain, size_t nplain, size_t L,
  432. const uint8_t *header, size_t nheader,
  433. const uint8_t *nonce, size_t nnonce,
  434. uint8_t *cipher,
  435. uint8_t *tag, size_t ntag);
  436. /* .. c:function:: $DECL
  437. * CCM authenticated decryption.
  438. *
  439. * :return: 0 on success, non-zero on error. Plain is cleared on error.
  440. *
  441. * :param prp: describe the block cipher to use.
  442. * :param prpctx: describe the block cipher to use.
  443. * :param cipher: message ciphertext.
  444. * :param ncipher: length of message.
  445. * :param L: length of the message length encoding. See :c:func:`cf_ccm_encrypt`.
  446. * :param header: additionally authenticated data (AAD).
  447. * :param nheader: length of AAD.
  448. * :param nonce: nonce.
  449. * :param nnonce: length of nonce.
  450. * :param tag: authentication tag. `ntag` bytes are read from here.
  451. * :param ntag: authentication tag length. This must be 4, 6, 8, 10, 12, 14 or 16.
  452. * :param plain: plaintext output. `ncipher` bytes are written here.
  453. */
  454. int cf_ccm_decrypt(const cf_prp *prp, void *prpctx,
  455. const uint8_t *cipher, size_t ncipher, size_t L,
  456. const uint8_t *header, size_t nheader,
  457. const uint8_t *nonce, size_t nnonce,
  458. const uint8_t *tag, size_t ntag,
  459. uint8_t *plain);
  460. /**
  461. * OCB
  462. * ---
  463. *
  464. * OCB is an authenticated encryption mode by Phil Rogaway.
  465. *
  466. * This is version 3, as standardised in RFC7253. It's defined
  467. * only for block ciphers with a 128-bit block size.
  468. *
  469. * This is a one-shot interface.
  470. */
  471. /* .. c:function:: $DECL
  472. * OCB authenticated encryption.
  473. *
  474. * This function does not fail.
  475. *
  476. * :param prp/prpctx: describe the block cipher to use.
  477. * :param plain: message plaintext.
  478. * :param nplain: length of message. May be zero.
  479. * :param header: additionally authenticated data (AAD).
  480. * :param nheader: length of AAD. May be zero.
  481. * :param nonce: nonce. This must not repeat for a given key.
  482. * :param nnonce: length of nonce. Must be 15 or fewer bytes.
  483. * :param cipher: ciphertext output. `nplain` bytes are written here.
  484. * :param tag: authentication tag. `ntag` bytes are written here.
  485. * :param ntag: authentication tag length. Must be 16 or fewer bytes.
  486. */
  487. void cf_ocb_encrypt(const cf_prp *prp, void *prpctx,
  488. const uint8_t *plain, size_t nplain,
  489. const uint8_t *header, size_t nheader,
  490. const uint8_t *nonce, size_t nnonce,
  491. uint8_t *cipher,
  492. uint8_t *tag, size_t ntag);
  493. /* .. c:function:: $DECL
  494. * OCB authenticated decryption.
  495. *
  496. * :return: 0 on success, non-zero on error. `plain` is cleared on error.
  497. *
  498. * :param prp: describe the block cipher to use.
  499. * :param prpctx: describe the block cipher to use.
  500. * :param cipher: message ciphertext.
  501. * :param ncipher: length of message.
  502. * :param header: additionally authenticated data (AAD).
  503. * :param nheader: length of AAD.
  504. * :param nonce: nonce.
  505. * :param nnonce: length of nonce.
  506. * :param tag: authentication tag. `ntag` bytes are read from here.
  507. * :param ntag: authentication tag length.
  508. * :param plain: plaintext output. `ncipher` bytes are written here.
  509. */
  510. int cf_ocb_decrypt(const cf_prp *prp, void *prpctx,
  511. const uint8_t *cipher, size_t ncipher,
  512. const uint8_t *header, size_t nheader,
  513. const uint8_t *nonce, size_t nnonce,
  514. const uint8_t *tag, size_t ntag,
  515. uint8_t *plain);
  516. #endif