/* gcm.h
 *
 * Galois counter mode, specified by NIST,
 * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
 *
 */

/* nettle, low-level cryptographics library
 *
 * Copyright (C) 2011 Katholieke Universiteit Leuven
 * Copyright (C) 2011, 2014 Niels Möller
 * 
 * Contributed by Nikos Mavrogiannopoulos
 *
 * The nettle library is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or (at your
 * option) any later version.
 * 
 * The nettle library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
 * License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with the nettle library; see the file COPYING.LIB.  If not, write to
 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02111-1301, USA.
 */

#ifndef NETTLE_GCM_H_INCLUDED
#define NETTLE_GCM_H_INCLUDED

#include "aes.h"
#include "camellia.h"

#ifdef __cplusplus
extern "C" {
#endif

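/* Name mangling: each public gcm_* name used in this header is rewritten by
   the preprocessor to the matching nettle_-prefixed symbol. */
#define gcm_set_key nettle_gcm_set_key
#define gcm_set_iv nettle_gcm_set_iv
#define gcm_update nettle_gcm_update
#define gcm_encrypt nettle_gcm_encrypt
#define gcm_decrypt nettle_gcm_decrypt
#define gcm_digest nettle_gcm_digest

#define gcm_aes128_set_key nettle_gcm_aes128_set_key
#define gcm_aes128_set_iv nettle_gcm_aes128_set_iv
#define gcm_aes128_update nettle_gcm_aes128_update
#define gcm_aes128_encrypt nettle_gcm_aes128_encrypt
#define gcm_aes128_decrypt nettle_gcm_aes128_decrypt
#define gcm_aes128_digest nettle_gcm_aes128_digest

#define gcm_aes192_set_key nettle_gcm_aes192_set_key
#define gcm_aes192_set_iv nettle_gcm_aes192_set_iv
#define gcm_aes192_update nettle_gcm_aes192_update
#define gcm_aes192_encrypt nettle_gcm_aes192_encrypt
#define gcm_aes192_decrypt nettle_gcm_aes192_decrypt
#define gcm_aes192_digest nettle_gcm_aes192_digest

#define gcm_aes256_set_key nettle_gcm_aes256_set_key
#define gcm_aes256_set_iv nettle_gcm_aes256_set_iv
#define gcm_aes256_update nettle_gcm_aes256_update
#define gcm_aes256_encrypt nettle_gcm_aes256_encrypt
#define gcm_aes256_decrypt nettle_gcm_aes256_decrypt
#define gcm_aes256_digest nettle_gcm_aes256_digest

#define gcm_aes_set_key nettle_gcm_aes_set_key
#define gcm_aes_set_iv nettle_gcm_aes_set_iv
#define gcm_aes_update nettle_gcm_aes_update
#define gcm_aes_encrypt nettle_gcm_aes_encrypt
#define gcm_aes_decrypt nettle_gcm_aes_decrypt
#define gcm_aes_digest nettle_gcm_aes_digest

#define gcm_camellia128_set_key nettle_gcm_camellia128_set_key
#define gcm_camellia128_set_iv nettle_gcm_camellia128_set_iv
#define gcm_camellia128_update nettle_gcm_camellia128_update
#define gcm_camellia128_encrypt nettle_gcm_camellia128_encrypt
#define gcm_camellia128_decrypt nettle_gcm_camellia128_decrypt
#define gcm_camellia128_digest nettle_gcm_camellia128_digest

#define gcm_camellia256_set_key nettle_gcm_camellia256_set_key
#define gcm_camellia256_set_iv nettle_gcm_camellia256_set_iv
#define gcm_camellia256_update nettle_gcm_camellia256_update
#define gcm_camellia256_encrypt nettle_gcm_camellia256_encrypt
#define gcm_camellia256_decrypt nettle_gcm_camellia256_decrypt
#define gcm_camellia256_digest nettle_gcm_camellia256_digest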

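/* GCM works on 16-byte (128-bit) blocks. */
#define GCM_BLOCK_SIZE 16
/* 12 bytes (96 bits): the block size minus 4 bytes. In SP 800-38D a 96-bit
   IV is the recommended size, with the remaining 32 bits of the counter
   block used as the block counter. */
#define GCM_IV_SIZE (GCM_BLOCK_SIZE - 4)
/* Size in bytes of a full-length authentication tag. */
#define GCM_DIGEST_SIZE 16
/* log2 of the number of entries in the struct gcm_key table. */
#define GCM_TABLE_BITS 8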

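/* Hashing subkey: a table of 1 << GCM_TABLE_BITS 16-byte blocks, written by
   gcm_set_key. In GCM the hash subkey is derived from the cipher key, so
   this structure should be handled as secret key material.
   NOTE(review): a table indexed by data-dependent values can leak through
   cache timing; check how gcm.c indexes h[] before relying on this where
   the cache is shared with untrusted code. */
struct gcm_key
{
  union nettle_block16 h[1 << GCM_TABLE_BITS];
};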

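/* Per-message state, depending on the iv. It is passed non-const to
   gcm_set_iv, gcm_update, gcm_encrypt, gcm_decrypt and gcm_digest. */
struct gcm_ctx {
  /* Original counter block */
  union nettle_block16 iv;
  /* Updated for each block. */
  union nettle_block16 ctr;
  /* Hashing state */
  union nettle_block16 x;
  /* Running totals; presumably the byte counts of associated data and of
     message data that enter the final length block -- confirm in gcm.c. */
  uint64_t auth_size;
  uint64_t data_size;
};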

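/* Fills in the hash subkey table KEY, using block cipher function F with
   the cipher context CIPHER. As GCM_SET_KEY shows, CIPHER must already be
   keyed and F is the cipher's encryption function. */
void
gcm_set_key(struct gcm_key *key,
	    const void *cipher, nettle_cipher_func *f);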

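/* Starts a new message: sets up CTX from the LENGTH-byte IV.
   GCM_IV_SIZE (12 bytes) is the size recommended by SP 800-38D.
   The IV must be unique for every message processed under one key;
   repeating an IV with the same key breaks both the confidentiality and
   the authentication that GCM provides.
   NOTE(review): LENGTH is a parameter, so other IV sizes appear to be
   accepted -- confirm the handling in gcm.c. */
void
gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key,
	   size_t length, const uint8_t *iv);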

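/* Feeds LENGTH bytes of DATA into the hashing state of CTX. No cipher
   argument is taken, so the data is authenticated but not encrypted.
   NOTE(review): presumably this is the associated-data input and must be
   called before gcm_encrypt/gcm_decrypt, with block-aligned lengths on
   all but the last call -- confirm in gcm.c. */
void
gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key,
	   size_t length, const uint8_t *data);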

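/* Encrypts LENGTH bytes from SRC into DST with cipher function F and its
   context CIPHER, updating the per-message state in CTX. The tag for the
   message is produced afterwards by gcm_digest. */
void
gcm_encrypt(struct gcm_ctx *ctx, const struct gcm_key *key,
	    const void *cipher, nettle_cipher_func *f,
	    size_t length, uint8_t *dst, const uint8_t *src);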

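/* Decrypts LENGTH bytes from SRC into DST. F is still the cipher's
   encryption function (GCM_DECRYPT passes its "encrypt" argument here).
   The function returns void, so it cannot report an authentication
   failure. The caller must compute the tag with gcm_digest, compare it
   with the received tag using a constant-time comparison, and discard DST
   if the two differ. */
void
gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key,
	    const void *cipher, nettle_cipher_func *f,
	    size_t length, uint8_t *dst, const uint8_t *src);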

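/* Writes LENGTH bytes of authentication tag for the current message to
   DIGEST. GCM_DIGEST_SIZE (16) is the full tag.
   NOTE(review): a smaller LENGTH presumably truncates the tag, which
   lowers forgery resistance, and a LENGTH above GCM_BLOCK_SIZE is
   presumably invalid -- confirm both in gcm.c. */
void
gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key,
	   const void *cipher, nettle_cipher_func *f,
	   size_t length, uint8_t *digest);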

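/* Convenience macrology (not sure how useful it is) */
/* All-in-one context, with hash subkey, message state, and cipher.
   Expands to a struct body, used as "struct NAME GCM_CTX(cipher_type);".
   The member names key, gcm and cipher are what the other GCM_* macros
   in this file dereference. */
#define GCM_CTX(type) \
  { struct gcm_key key; struct gcm_ctx gcm; type cipher; }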

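/* NOTE: Avoid using NULL, as we don't include anything defining it. */
/* Keys the cipher inside CTX with SET_KEY, then derives the hash subkey
   from it. The "if (0)" call is never executed. It makes the compiler
   type-check ENCRYPT against the cipher context, which the cast to
   nettle_cipher_func * on the real call would otherwise bypass. */
#define GCM_SET_KEY(ctx, set_key, encrypt, key)			\
  do {								\
    (set_key)(&(ctx)->cipher, (key));				\
    if (0) (encrypt)(&(ctx)->cipher, 0, (void *)0, (void *)0);	\
    gcm_set_key(&(ctx)->key, &(ctx)->cipher,			\
		(nettle_cipher_func *) (encrypt));		\
  } while (0)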

/* Starts a new message on the all-in-one context CTX by forwarding to
   gcm_set_iv. The IV must not repeat for two messages under one key. */
#define GCM_SET_IV(ctx, length, data)				\
  gcm_set_iv(&(ctx)->gcm, &(ctx)->key, (length), (data))

/* Forwards to gcm_update with the hash subkey and message state held in
   the all-in-one context CTX. */
#define GCM_UPDATE(ctx, length, data)			\
  gcm_update(&(ctx)->gcm, &(ctx)->key, (length), (data))

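/* Encrypts through the all-in-one context CTX. The "0 ? ... :" arm is dead
   code kept only so the compiler type-checks ENCRYPT against the cipher
   context; the live arm casts ENCRYPT to nettle_cipher_func *. */
#define GCM_ENCRYPT(ctx, encrypt, length, dst, src)			\
  (0 ? (encrypt)(&(ctx)->cipher, 0, (void *)0, (void *)0)		\
     : gcm_encrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher,		\
		   (nettle_cipher_func *) (encrypt),			\
		   (length), (dst), (src)))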

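/* Decrypts through the all-in-one context CTX. The function argument is
   the cipher's encryption function, as the parameter name ENCRYPT says.
   The "0 ? ... :" arm is dead code kept only for type checking.
   Decryption does not verify the tag: compare the GCM_DIGEST output with
   the received tag before using the data written to DST. */
#define GCM_DECRYPT(ctx, encrypt, length, dst, src)			\
  (0 ? (encrypt)(&(ctx)->cipher, 0, (void *)0, (void *)0)		\
     : gcm_decrypt(&(ctx)->gcm,  &(ctx)->key, &(ctx)->cipher,		\
		   (nettle_cipher_func *) (encrypt),			\
		   (length), (dst), (src)))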

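/* Writes LENGTH bytes of authentication tag to DIGEST through the
   all-in-one context CTX. The "0 ? ... :" arm is dead code kept only so
   the compiler type-checks ENCRYPT against the cipher context. */
#define GCM_DIGEST(ctx, encrypt, length, digest)			\
  (0 ? (encrypt)(&(ctx)->cipher, 0, (void *)0, (void *)0)		\
     : gcm_digest(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher,		\
		  (nettle_cipher_func *) (encrypt),			\
		  (length), (digest)))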

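/* AES-128 in GCM mode. One struct holds the hash subkey, the per-message
   state and the AES context (see GCM_CTX).

   The prototypes suggest this call order -- NOTE(review): confirm against
   gcm.c: set_key once per key; then for each message set_iv, update for
   any associated data, encrypt or decrypt, and digest for the tag.
   The IV must be unique for every message under one key. decrypt returns
   void and so cannot reject a forged message: compare the digest output
   with the received tag, in constant time, before using the plaintext. */
struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx);

/* KEY has no length argument; the key size is fixed by the cipher. */
void
gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key);

/* FIXME: Define _update and _set_iv as some kind of aliases,
   there's nothing aes-specific. */
void
gcm_aes128_update (struct gcm_aes128_ctx *ctx,
		   size_t length, const uint8_t *data);
void
gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx,
		   size_t length, const uint8_t *iv);

void
gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx,
		   size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx,
		   size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes128_digest(struct gcm_aes128_ctx *ctx,
		  size_t length, uint8_t *digest);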

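/* AES-192 in GCM mode: hash subkey, per-message state and AES context in
   one struct (see GCM_CTX). Use a fresh IV for every message under one
   key. gcm_aes192_decrypt returns void and does not verify the tag;
   compare the gcm_aes192_digest output with the received tag, in constant
   time, before trusting the plaintext. */
struct gcm_aes192_ctx GCM_CTX(struct aes192_ctx);

/* KEY has no length argument; the key size is fixed by the cipher. */
void
gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key);

void
gcm_aes192_update (struct gcm_aes192_ctx *ctx,
		   size_t length, const uint8_t *data);
void
gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx,
		   size_t length, const uint8_t *iv);

void
gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx,
		   size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx,
		   size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes192_digest(struct gcm_aes192_ctx *ctx,
		  size_t length, uint8_t *digest);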

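/* AES-256 in GCM mode: hash subkey, per-message state and AES context in
   one struct (see GCM_CTX). Use a fresh IV for every message under one
   key. gcm_aes256_decrypt returns void and does not verify the tag;
   compare the gcm_aes256_digest output with the received tag, in constant
   time, before trusting the plaintext. */
struct gcm_aes256_ctx GCM_CTX(struct aes256_ctx);

/* KEY has no length argument; the key size is fixed by the cipher. */
void
gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key);

void
gcm_aes256_update (struct gcm_aes256_ctx *ctx,
		   size_t length, const uint8_t *data);
void
gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx,
		   size_t length, const uint8_t *iv);

void
gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx,
		   size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx,
		   size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes256_digest(struct gcm_aes256_ctx *ctx,
		  size_t length, uint8_t *digest);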

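/* Old aes interface, for backwards compatibility.
   The same GCM rules apply as for the fixed-key-size variants: use a fresh
   IV for every message under one key, and treat gcm_aes_decrypt output as
   unauthenticated until the gcm_aes_digest result has been compared with
   the received tag (the decrypt function returns void). */
struct gcm_aes_ctx GCM_CTX(struct aes_ctx);

/* Unlike the gcm_aes128/192/256 set_key functions, this one takes the key
   LENGTH as an argument. */
void
gcm_aes_set_key(struct gcm_aes_ctx *ctx,
		size_t length, const uint8_t *key);

void
gcm_aes_set_iv(struct gcm_aes_ctx *ctx,
	       size_t length, const uint8_t *iv);

void
gcm_aes_update(struct gcm_aes_ctx *ctx,
	       size_t length, const uint8_t *data);

void
gcm_aes_encrypt(struct gcm_aes_ctx *ctx,
		size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes_decrypt(struct gcm_aes_ctx *ctx,
		size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest);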


/* Camellia-128 in GCM mode: hash subkey, per-message state and Camellia
   context in one struct (see GCM_CTX). Use a fresh IV for every message
   under one key. gcm_camellia128_decrypt returns void and does not verify
   the tag; compare the gcm_camellia128_digest output with the received
   tag, in constant time, before trusting the plaintext. */
struct gcm_camellia128_ctx GCM_CTX(struct camellia128_ctx);

void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx,
			     const uint8_t *key);
void gcm_camellia128_set_iv(struct gcm_camellia128_ctx *ctx,
			    size_t length, const uint8_t *iv);
void gcm_camellia128_update(struct gcm_camellia128_ctx *ctx,
			    size_t length, const uint8_t *data);
void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx,
			     size_t length, uint8_t *dst, const uint8_t *src);
void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx,
			     size_t length, uint8_t *dst, const uint8_t *src);
void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx,
			    size_t length, uint8_t *digest);


/* Camellia-256 in GCM mode: hash subkey, per-message state and Camellia
   context in one struct (see GCM_CTX). Use a fresh IV for every message
   under one key. gcm_camellia256_decrypt returns void and does not verify
   the tag; compare the gcm_camellia256_digest output with the received
   tag, in constant time, before trusting the plaintext. */
struct gcm_camellia256_ctx GCM_CTX(struct camellia256_ctx);

void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx,
			     const uint8_t *key);
void gcm_camellia256_set_iv(struct gcm_camellia256_ctx *ctx,
			    size_t length, const uint8_t *iv);
void gcm_camellia256_update(struct gcm_camellia256_ctx *ctx,
			    size_t length, const uint8_t *data);
void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx,
			     size_t length, uint8_t *dst, const uint8_t *src);
void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx,
			     size_t length, uint8_t *dst, const uint8_t *src);
void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx,
			    size_t length, uint8_t *digest);

  
#ifdef __cplusplus
}
#endif

#endif /* NETTLE_GCM_H_INCLUDED */