1 /* gcm.h 2 3 Galois counter mode, specified by NIST, 4 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf 5 6 Copyright (C) 2011 Katholieke Universiteit Leuven 7 Copyright (C) 2011, 2014 Niels Möller 8 9 Contributed by Nikos Mavrogiannopoulos 10 11 This file is part of GNU Nettle. 12 13 GNU Nettle is free software: you can redistribute it and/or 14 modify it under the terms of either: 15 16 * the GNU Lesser General Public License as published by the Free 17 Software Foundation; either version 3 of the License, or (at your 18 option) any later version. 19 20 or 21 22 * the GNU General Public License as published by the Free 23 Software Foundation; either version 2 of the License, or (at your 24 option) any later version. 25 26 or both in parallel, as here. 27 28 GNU Nettle is distributed in the hope that it will be useful, 29 but WITHOUT ANY WARRANTY; without even the implied warranty of 30 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 31 General Public License for more details. 32 33 You should have received copies of the GNU General Public License and 34 the GNU Lesser General Public License along with this program. If 35 not, see http://www.gnu.org/licenses/. 36 */ 37 38 #ifndef NETTLE_GCM_H_INCLUDED 39 #define NETTLE_GCM_H_INCLUDED 40 41 #include "aes.h" 42 #include "camellia.h" 43 44 #ifdef __cplusplus 45 extern "C" { 46 #endif 47 48 /* Name mangling */ 49 #define gcm_set_key nettle_gcm_set_key 50 #define gcm_set_iv nettle_gcm_set_iv 51 #define gcm_update nettle_gcm_update 52 #define gcm_encrypt nettle_gcm_encrypt 53 #define gcm_decrypt nettle_gcm_decrypt 54 #define gcm_digest nettle_gcm_digest 55 56 #define gcm_aes128_set_key nettle_gcm_aes128_set_key 57 #define gcm_aes128_set_iv nettle_gcm_aes128_set_iv 58 #define gcm_aes128_update nettle_gcm_aes128_update 59 #define gcm_aes128_encrypt nettle_gcm_aes128_encrypt 60 #define gcm_aes128_decrypt nettle_gcm_aes128_decrypt 61 #define gcm_aes128_digest nettle_gcm_aes128_digest 62 63 #define gcm_aes192_set_key nettle_gcm_aes192_set_key 64 #define gcm_aes192_set_iv nettle_gcm_aes192_set_iv 65 #define gcm_aes192_update nettle_gcm_aes192_update 66 #define gcm_aes192_encrypt nettle_gcm_aes192_encrypt 67 #define gcm_aes192_decrypt nettle_gcm_aes192_decrypt 68 #define gcm_aes192_digest nettle_gcm_aes192_digest 69 70 #define gcm_aes256_set_key nettle_gcm_aes256_set_key 71 #define gcm_aes256_set_iv nettle_gcm_aes256_set_iv 72 #define gcm_aes256_update nettle_gcm_aes256_update 73 #define gcm_aes256_encrypt nettle_gcm_aes256_encrypt 74 #define gcm_aes256_decrypt nettle_gcm_aes256_decrypt 75 #define gcm_aes256_digest nettle_gcm_aes256_digest 76 77 #define gcm_aes_set_key nettle_gcm_aes_set_key 78 #define gcm_aes_set_iv nettle_gcm_aes_set_iv 79 #define gcm_aes_update nettle_gcm_aes_update 80 #define gcm_aes_encrypt nettle_gcm_aes_encrypt 81 #define gcm_aes_decrypt nettle_gcm_aes_decrypt 82 #define gcm_aes_digest nettle_gcm_aes_digest 83 84 #define gcm_camellia128_set_key nettle_gcm_camellia128_set_key 85 #define gcm_camellia128_set_iv nettle_gcm_camellia128_set_iv 86 #define gcm_camellia128_update nettle_gcm_camellia128_update 87 #define gcm_camellia128_encrypt nettle_gcm_camellia128_encrypt 88 #define gcm_camellia128_decrypt nettle_gcm_camellia128_decrypt 89 #define gcm_camellia128_digest nettle_gcm_camellia128_digest 90 91 #define gcm_camellia256_set_key nettle_gcm_camellia256_set_key 92 #define gcm_camellia256_set_iv nettle_gcm_camellia256_set_iv 93 #define gcm_camellia256_update nettle_gcm_camellia256_update 94 #define gcm_camellia256_encrypt nettle_gcm_camellia256_encrypt 95 #define gcm_camellia256_decrypt nettle_gcm_camellia256_decrypt 96 #define gcm_camellia256_digest nettle_gcm_camellia256_digest 97 98 #define GCM_BLOCK_SIZE 16 99 #define GCM_IV_SIZE (GCM_BLOCK_SIZE - 4) 100 #define GCM_DIGEST_SIZE 16 101 #define GCM_TABLE_BITS 8 102 103 /* Hashing subkey */ 104 struct gcm_key 105 { 106 union nettle_block16 h[1 << GCM_TABLE_BITS]; 107 }; 108 109 /* Per-message state, depending on the iv */ 110 struct gcm_ctx { 111 /* Original counter block */ 112 union nettle_block16 iv; 113 /* Updated for each block. */ 114 union nettle_block16 ctr; 115 /* Hashing state */ 116 union nettle_block16 x; 117 uint64_t auth_size; 118 uint64_t data_size; 119 }; 120 121 void 122 gcm_set_key(struct gcm_key *key, 123 const void *cipher, nettle_cipher_func *f); 124 125 void 126 gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key, 127 size_t length, const uint8_t *iv); 128 129 void 130 gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key, 131 size_t length, const uint8_t *data); 132 133 void 134 gcm_encrypt(struct gcm_ctx *ctx, const struct gcm_key *key, 135 const void *cipher, nettle_cipher_func *f, 136 size_t length, uint8_t *dst, const uint8_t *src); 137 138 void 139 gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key, 140 const void *cipher, nettle_cipher_func *f, 141 size_t length, uint8_t *dst, const uint8_t *src); 142 143 void 144 gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key, 145 const void *cipher, nettle_cipher_func *f, 146 size_t length, uint8_t *digest); 147 148 /* Convenience macrology (not sure how useful it is) */ 149 /* All-in-one context, with hash subkey, message state, and cipher. */ 150 #define GCM_CTX(type) \ 151 { struct gcm_key key; struct gcm_ctx gcm; type cipher; } 152 153 /* NOTE: Avoid using NULL, as we don't include anything defining it. */ 154 #define GCM_SET_KEY(ctx, set_key, encrypt, gcm_key) \ 155 do { \ 156 (set_key)(&(ctx)->cipher, (gcm_key)); \ 157 if (0) (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ 158 (uint8_t *) 0, (const uint8_t *) 0); \ 159 gcm_set_key(&(ctx)->key, &(ctx)->cipher, \ 160 (nettle_cipher_func *) (encrypt)); \ 161 } while (0) 162 163 #define GCM_SET_IV(ctx, length, data) \ 164 gcm_set_iv(&(ctx)->gcm, &(ctx)->key, (length), (data)) 165 166 #define GCM_UPDATE(ctx, length, data) \ 167 gcm_update(&(ctx)->gcm, &(ctx)->key, (length), (data)) 168 169 #define GCM_ENCRYPT(ctx, encrypt, length, dst, src) \ 170 (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ 171 (uint8_t *) 0, (const uint8_t *) 0) \ 172 : gcm_encrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ 173 (nettle_cipher_func *) (encrypt), \ 174 (length), (dst), (src))) 175 176 #define GCM_DECRYPT(ctx, encrypt, length, dst, src) \ 177 (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ 178 (uint8_t *) 0, (const uint8_t *) 0) \ 179 : gcm_decrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ 180 (nettle_cipher_func *) (encrypt), \ 181 (length), (dst), (src))) 182 183 #define GCM_DIGEST(ctx, encrypt, length, digest) \ 184 (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ 185 (uint8_t *) 0, (const uint8_t *) 0) \ 186 : gcm_digest(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ 187 (nettle_cipher_func *) (encrypt), \ 188 (length), (digest))) 189 190 struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); 191 192 void 193 gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key); 194 195 /* FIXME: Define _update and _set_iv as some kind of aliaes, 196 there's nothing aes-specific. */ 197 void 198 gcm_aes128_update (struct gcm_aes128_ctx *ctx, 199 size_t length, const uint8_t *data); 200 void 201 gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, 202 size_t length, const uint8_t *iv); 203 204 void 205 gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx, 206 size_t length, uint8_t *dst, const uint8_t *src); 207 208 void 209 gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx, 210 size_t length, uint8_t *dst, const uint8_t *src); 211 212 void 213 gcm_aes128_digest(struct gcm_aes128_ctx *ctx, 214 size_t length, uint8_t *digest); 215 216 struct gcm_aes192_ctx GCM_CTX(struct aes192_ctx); 217 218 void 219 gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key); 220 221 void 222 gcm_aes192_update (struct gcm_aes192_ctx *ctx, 223 size_t length, const uint8_t *data); 224 void 225 gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, 226 size_t length, const uint8_t *iv); 227 228 void 229 gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx, 230 size_t length, uint8_t *dst, const uint8_t *src); 231 232 void 233 gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx, 234 size_t length, uint8_t *dst, const uint8_t *src); 235 236 void 237 gcm_aes192_digest(struct gcm_aes192_ctx *ctx, 238 size_t length, uint8_t *digest); 239 240 struct gcm_aes256_ctx GCM_CTX(struct aes256_ctx); 241 242 void 243 gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key); 244 245 void 246 gcm_aes256_update (struct gcm_aes256_ctx *ctx, 247 size_t length, const uint8_t *data); 248 void 249 gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, 250 size_t length, const uint8_t *iv); 251 252 void 253 gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx, 254 size_t length, uint8_t *dst, const uint8_t *src); 255 256 void 257 gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx, 258 size_t length, uint8_t *dst, const uint8_t *src); 259 260 void 261 gcm_aes256_digest(struct gcm_aes256_ctx *ctx, 262 size_t length, uint8_t *digest); 263 264 /* Old deprecated aes interface, for backwards compatibility */ 265 struct gcm_aes_ctx GCM_CTX(struct aes_ctx); 266 267 void 268 gcm_aes_set_key(struct gcm_aes_ctx *ctx, 269 size_t length, const uint8_t *key) _NETTLE_ATTRIBUTE_DEPRECATED; 270 271 void 272 gcm_aes_set_iv(struct gcm_aes_ctx *ctx, 273 size_t length, const uint8_t *iv) _NETTLE_ATTRIBUTE_DEPRECATED; 274 275 void 276 gcm_aes_update(struct gcm_aes_ctx *ctx, 277 size_t length, const uint8_t *data) _NETTLE_ATTRIBUTE_DEPRECATED; 278 279 void 280 gcm_aes_encrypt(struct gcm_aes_ctx *ctx, 281 size_t length, uint8_t *dst, const uint8_t *src) 282 _NETTLE_ATTRIBUTE_DEPRECATED; 283 284 void 285 gcm_aes_decrypt(struct gcm_aes_ctx *ctx, 286 size_t length, uint8_t *dst, const uint8_t *src) 287 _NETTLE_ATTRIBUTE_DEPRECATED; 288 289 void 290 gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest) 291 _NETTLE_ATTRIBUTE_DEPRECATED; 292 293 294 struct gcm_camellia128_ctx GCM_CTX(struct camellia128_ctx); 295 296 void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx, 297 const uint8_t *key); 298 void gcm_camellia128_set_iv(struct gcm_camellia128_ctx *ctx, 299 size_t length, const uint8_t *iv); 300 void gcm_camellia128_update(struct gcm_camellia128_ctx *ctx, 301 size_t length, const uint8_t *data); 302 void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx, 303 size_t length, uint8_t *dst, const uint8_t *src); 304 void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx, 305 size_t length, uint8_t *dst, const uint8_t *src); 306 void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx, 307 size_t length, uint8_t *digest); 308 309 310 struct gcm_camellia256_ctx GCM_CTX(struct camellia256_ctx); 311 312 void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx, 313 const uint8_t *key); 314 void gcm_camellia256_set_iv(struct gcm_camellia256_ctx *ctx, 315 size_t length, const uint8_t *iv); 316 void gcm_camellia256_update(struct gcm_camellia256_ctx *ctx, 317 size_t length, const uint8_t *data); 318 void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx, 319 size_t length, uint8_t *dst, const uint8_t *src); 320 void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx, 321 size_t length, uint8_t *dst, const uint8_t *src); 322 void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx, 323 size_t length, uint8_t *digest); 324 325 326 #ifdef __cplusplus 327 } 328 #endif 329 330 #endif /* NETTLE_GCM_H_INCLUDED */ 331