1 /* gcm.h
2 
3    Galois counter mode, specified by NIST,
4    http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
5 
6    Copyright (C) 2011 Katholieke Universiteit Leuven
7    Copyright (C) 2011, 2014 Niels Möller
8 
9    Contributed by Nikos Mavrogiannopoulos
10 
11    This file is part of GNU Nettle.
12 
13    GNU Nettle is free software: you can redistribute it and/or
14    modify it under the terms of either:
15 
16      * the GNU Lesser General Public License as published by the Free
17        Software Foundation; either version 3 of the License, or (at your
18        option) any later version.
19 
20    or
21 
22      * the GNU General Public License as published by the Free
23        Software Foundation; either version 2 of the License, or (at your
24        option) any later version.
25 
26    or both in parallel, as here.
27 
28    GNU Nettle is distributed in the hope that it will be useful,
29    but WITHOUT ANY WARRANTY; without even the implied warranty of
30    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
31    General Public License for more details.
32 
33    You should have received copies of the GNU General Public License and
34    the GNU Lesser General Public License along with this program.  If
35    not, see http://www.gnu.org/licenses/.
36 */
37 
38 #ifndef NETTLE_GCM_H_INCLUDED
39 #define NETTLE_GCM_H_INCLUDED
40 
41 #include "aes.h"
42 #include "camellia.h"
43 
44 #ifdef __cplusplus
45 extern "C" {
46 #endif
47 
48 /* Name mangling */
49 #define gcm_set_key nettle_gcm_set_key
50 #define gcm_set_iv nettle_gcm_set_iv
51 #define gcm_update nettle_gcm_update
52 #define gcm_encrypt nettle_gcm_encrypt
53 #define gcm_decrypt nettle_gcm_decrypt
54 #define gcm_digest nettle_gcm_digest
55 
56 #define gcm_aes128_set_key nettle_gcm_aes128_set_key
57 #define gcm_aes128_set_iv nettle_gcm_aes128_set_iv
58 #define gcm_aes128_update nettle_gcm_aes128_update
59 #define gcm_aes128_encrypt nettle_gcm_aes128_encrypt
60 #define gcm_aes128_decrypt nettle_gcm_aes128_decrypt
61 #define gcm_aes128_digest nettle_gcm_aes128_digest
62 
63 #define gcm_aes192_set_key nettle_gcm_aes192_set_key
64 #define gcm_aes192_set_iv nettle_gcm_aes192_set_iv
65 #define gcm_aes192_update nettle_gcm_aes192_update
66 #define gcm_aes192_encrypt nettle_gcm_aes192_encrypt
67 #define gcm_aes192_decrypt nettle_gcm_aes192_decrypt
68 #define gcm_aes192_digest nettle_gcm_aes192_digest
69 
70 #define gcm_aes256_set_key nettle_gcm_aes256_set_key
71 #define gcm_aes256_set_iv nettle_gcm_aes256_set_iv
72 #define gcm_aes256_update nettle_gcm_aes256_update
73 #define gcm_aes256_encrypt nettle_gcm_aes256_encrypt
74 #define gcm_aes256_decrypt nettle_gcm_aes256_decrypt
75 #define gcm_aes256_digest nettle_gcm_aes256_digest
76 
77 #define gcm_aes_set_key nettle_gcm_aes_set_key
78 #define gcm_aes_set_iv nettle_gcm_aes_set_iv
79 #define gcm_aes_update nettle_gcm_aes_update
80 #define gcm_aes_encrypt nettle_gcm_aes_encrypt
81 #define gcm_aes_decrypt nettle_gcm_aes_decrypt
82 #define gcm_aes_digest nettle_gcm_aes_digest
83 
84 #define gcm_camellia128_set_key nettle_gcm_camellia128_set_key
85 #define gcm_camellia128_set_iv nettle_gcm_camellia128_set_iv
86 #define gcm_camellia128_update nettle_gcm_camellia128_update
87 #define gcm_camellia128_encrypt nettle_gcm_camellia128_encrypt
88 #define gcm_camellia128_decrypt nettle_gcm_camellia128_decrypt
89 #define gcm_camellia128_digest nettle_gcm_camellia128_digest
90 
91 #define gcm_camellia256_set_key nettle_gcm_camellia256_set_key
92 #define gcm_camellia256_set_iv nettle_gcm_camellia256_set_iv
93 #define gcm_camellia256_update nettle_gcm_camellia256_update
94 #define gcm_camellia256_encrypt nettle_gcm_camellia256_encrypt
95 #define gcm_camellia256_decrypt nettle_gcm_camellia256_decrypt
96 #define gcm_camellia256_digest nettle_gcm_camellia256_digest
97 
98 #define GCM_BLOCK_SIZE 16
99 #define GCM_IV_SIZE (GCM_BLOCK_SIZE - 4)
100 #define GCM_DIGEST_SIZE 16
101 #define GCM_TABLE_BITS 8
102 
103 /* Hashing subkey */
104 struct gcm_key
105 {
106   union nettle_block16 h[1 << GCM_TABLE_BITS];
107 };
108 
109 /* Per-message state, depending on the iv */
110 struct gcm_ctx {
111   /* Original counter block */
112   union nettle_block16 iv;
113   /* Updated for each block. */
114   union nettle_block16 ctr;
115   /* Hashing state */
116   union nettle_block16 x;
117   uint64_t auth_size;
118   uint64_t data_size;
119 };
120 
121 void
122 gcm_set_key(struct gcm_key *key,
123 	    const void *cipher, nettle_cipher_func *f);
124 
125 void
126 gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key,
127 	   size_t length, const uint8_t *iv);
128 
129 void
130 gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key,
131 	   size_t length, const uint8_t *data);
132 
133 void
134 gcm_encrypt(struct gcm_ctx *ctx, const struct gcm_key *key,
135 	    const void *cipher, nettle_cipher_func *f,
136 	    size_t length, uint8_t *dst, const uint8_t *src);
137 
138 void
139 gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key,
140 	    const void *cipher, nettle_cipher_func *f,
141 	    size_t length, uint8_t *dst, const uint8_t *src);
142 
143 void
144 gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key,
145 	   const void *cipher, nettle_cipher_func *f,
146 	   size_t length, uint8_t *digest);
147 
148 /* Convenience macrology (not sure how useful it is) */
149 /* All-in-one context, with hash subkey, message state, and cipher. */
150 #define GCM_CTX(type) \
151   { struct gcm_key key; struct gcm_ctx gcm; type cipher; }
152 
153 /* NOTE: Avoid using NULL, as we don't include anything defining it. */
154 #define GCM_SET_KEY(ctx, set_key, encrypt, gcm_key)		\
155   do {								\
156     (set_key)(&(ctx)->cipher, (gcm_key));			\
157     if (0) (encrypt)(&(ctx)->cipher, ~(size_t) 0,		\
158 		     (uint8_t *) 0, (const uint8_t *) 0);	\
159     gcm_set_key(&(ctx)->key, &(ctx)->cipher,			\
160 		(nettle_cipher_func *) (encrypt));		\
161   } while (0)
162 
163 #define GCM_SET_IV(ctx, length, data)				\
164   gcm_set_iv(&(ctx)->gcm, &(ctx)->key, (length), (data))
165 
166 #define GCM_UPDATE(ctx, length, data)			\
167   gcm_update(&(ctx)->gcm, &(ctx)->key, (length), (data))
168 
169 #define GCM_ENCRYPT(ctx, encrypt, length, dst, src)			\
170   (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0,				\
171 		 (uint8_t *) 0, (const uint8_t *) 0)			\
172      : gcm_encrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher,		\
173 		   (nettle_cipher_func *) (encrypt),			\
174 		   (length), (dst), (src)))
175 
176 #define GCM_DECRYPT(ctx, encrypt, length, dst, src)			\
177   (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0,				\
178 		 (uint8_t *) 0, (const uint8_t *) 0)			\
179      : gcm_decrypt(&(ctx)->gcm,  &(ctx)->key, &(ctx)->cipher,		\
180 		   (nettle_cipher_func *) (encrypt),			\
181 		   (length), (dst), (src)))
182 
183 #define GCM_DIGEST(ctx, encrypt, length, digest)			\
184   (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0,				\
185 		 (uint8_t *) 0, (const uint8_t *) 0)			\
186      : gcm_digest(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher,		\
187 		  (nettle_cipher_func *) (encrypt),			\
188 		  (length), (digest)))
189 
190 struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx);
191 
192 void
193 gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key);
194 
195 /* FIXME: Define _update and _set_iv as some kind of aliaes,
196    there's nothing aes-specific. */
197 void
198 gcm_aes128_update (struct gcm_aes128_ctx *ctx,
199 		   size_t length, const uint8_t *data);
200 void
201 gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx,
202 		   size_t length, const uint8_t *iv);
203 
204 void
205 gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx,
206 		   size_t length, uint8_t *dst, const uint8_t *src);
207 
208 void
209 gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx,
210 		   size_t length, uint8_t *dst, const uint8_t *src);
211 
212 void
213 gcm_aes128_digest(struct gcm_aes128_ctx *ctx,
214 		  size_t length, uint8_t *digest);
215 
216 struct gcm_aes192_ctx GCM_CTX(struct aes192_ctx);
217 
218 void
219 gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key);
220 
221 void
222 gcm_aes192_update (struct gcm_aes192_ctx *ctx,
223 		   size_t length, const uint8_t *data);
224 void
225 gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx,
226 		   size_t length, const uint8_t *iv);
227 
228 void
229 gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx,
230 		   size_t length, uint8_t *dst, const uint8_t *src);
231 
232 void
233 gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx,
234 		   size_t length, uint8_t *dst, const uint8_t *src);
235 
236 void
237 gcm_aes192_digest(struct gcm_aes192_ctx *ctx,
238 		  size_t length, uint8_t *digest);
239 
240 struct gcm_aes256_ctx GCM_CTX(struct aes256_ctx);
241 
242 void
243 gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key);
244 
245 void
246 gcm_aes256_update (struct gcm_aes256_ctx *ctx,
247 		   size_t length, const uint8_t *data);
248 void
249 gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx,
250 		   size_t length, const uint8_t *iv);
251 
252 void
253 gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx,
254 		   size_t length, uint8_t *dst, const uint8_t *src);
255 
256 void
257 gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx,
258 		   size_t length, uint8_t *dst, const uint8_t *src);
259 
260 void
261 gcm_aes256_digest(struct gcm_aes256_ctx *ctx,
262 		  size_t length, uint8_t *digest);
263 
264 /* Old deprecated aes interface, for backwards compatibility */
265 struct gcm_aes_ctx GCM_CTX(struct aes_ctx);
266 
267 void
268 gcm_aes_set_key(struct gcm_aes_ctx *ctx,
269 		size_t length, const uint8_t *key) _NETTLE_ATTRIBUTE_DEPRECATED;
270 
271 void
272 gcm_aes_set_iv(struct gcm_aes_ctx *ctx,
273 	       size_t length, const uint8_t *iv) _NETTLE_ATTRIBUTE_DEPRECATED;
274 
275 void
276 gcm_aes_update(struct gcm_aes_ctx *ctx,
277 	       size_t length, const uint8_t *data) _NETTLE_ATTRIBUTE_DEPRECATED;
278 
279 void
280 gcm_aes_encrypt(struct gcm_aes_ctx *ctx,
281 		size_t length, uint8_t *dst, const uint8_t *src)
282   _NETTLE_ATTRIBUTE_DEPRECATED;
283 
284 void
285 gcm_aes_decrypt(struct gcm_aes_ctx *ctx,
286 		size_t length, uint8_t *dst, const uint8_t *src)
287   _NETTLE_ATTRIBUTE_DEPRECATED;
288 
289 void
290 gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest)
291   _NETTLE_ATTRIBUTE_DEPRECATED;
292 
293 
294 struct gcm_camellia128_ctx GCM_CTX(struct camellia128_ctx);
295 
296 void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx,
297 			     const uint8_t *key);
298 void gcm_camellia128_set_iv(struct gcm_camellia128_ctx *ctx,
299 			    size_t length, const uint8_t *iv);
300 void gcm_camellia128_update(struct gcm_camellia128_ctx *ctx,
301 			    size_t length, const uint8_t *data);
302 void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx,
303 			     size_t length, uint8_t *dst, const uint8_t *src);
304 void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx,
305 			     size_t length, uint8_t *dst, const uint8_t *src);
306 void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx,
307 			    size_t length, uint8_t *digest);
308 
309 
310 struct gcm_camellia256_ctx GCM_CTX(struct camellia256_ctx);
311 
312 void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx,
313 			     const uint8_t *key);
314 void gcm_camellia256_set_iv(struct gcm_camellia256_ctx *ctx,
315 			    size_t length, const uint8_t *iv);
316 void gcm_camellia256_update(struct gcm_camellia256_ctx *ctx,
317 			    size_t length, const uint8_t *data);
318 void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx,
319 			     size_t length, uint8_t *dst, const uint8_t *src);
320 void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx,
321 			     size_t length, uint8_t *dst, const uint8_t *src);
322 void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx,
323 			    size_t length, uint8_t *digest);
324 
325 
326 #ifdef __cplusplus
327 }
328 #endif
329 
330 #endif /* NETTLE_GCM_H_INCLUDED */
331