gcm.h 10.5 KB
Newer Older
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
1
/* gcm.h
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36

   Galois counter mode, specified by NIST,
   http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

   Copyright (C) 2011 Katholieke Universiteit Leuven
   Copyright (C) 2011, 2014 Niels Möller

   Contributed by Nikos Mavrogiannopoulos

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
37 38 39 40

#ifndef NETTLE_GCM_H_INCLUDED
#define NETTLE_GCM_H_INCLUDED

41
#include "aes.h"
Niels Möller's avatar
Niels Möller committed
42
#include "camellia.h"
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
43 44 45 46 47 48 49 50

#ifdef __cplusplus
extern "C" {
#endif

/* Name mangling */
#define gcm_set_key nettle_gcm_set_key
#define gcm_set_iv nettle_gcm_set_iv
51
#define gcm_update nettle_gcm_update
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
52 53 54 55
#define gcm_encrypt nettle_gcm_encrypt
#define gcm_decrypt nettle_gcm_decrypt
#define gcm_digest nettle_gcm_digest

Niels Möller's avatar
Niels Möller committed
56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76
#define gcm_aes128_set_key nettle_gcm_aes128_set_key
#define gcm_aes128_set_iv nettle_gcm_aes128_set_iv
#define gcm_aes128_update nettle_gcm_aes128_update
#define gcm_aes128_encrypt nettle_gcm_aes128_encrypt
#define gcm_aes128_decrypt nettle_gcm_aes128_decrypt
#define gcm_aes128_digest nettle_gcm_aes128_digest

#define gcm_aes192_set_key nettle_gcm_aes192_set_key
#define gcm_aes192_set_iv nettle_gcm_aes192_set_iv
#define gcm_aes192_update nettle_gcm_aes192_update
#define gcm_aes192_encrypt nettle_gcm_aes192_encrypt
#define gcm_aes192_decrypt nettle_gcm_aes192_decrypt
#define gcm_aes192_digest nettle_gcm_aes192_digest

#define gcm_aes256_set_key nettle_gcm_aes256_set_key
#define gcm_aes256_set_iv nettle_gcm_aes256_set_iv
#define gcm_aes256_update nettle_gcm_aes256_update
#define gcm_aes256_encrypt nettle_gcm_aes256_encrypt
#define gcm_aes256_decrypt nettle_gcm_aes256_decrypt
#define gcm_aes256_digest nettle_gcm_aes256_digest

77 78
#define gcm_aes_set_key nettle_gcm_aes_set_key
#define gcm_aes_set_iv nettle_gcm_aes_set_iv
79
#define gcm_aes_update nettle_gcm_aes_update
80 81 82 83
#define gcm_aes_encrypt nettle_gcm_aes_encrypt
#define gcm_aes_decrypt nettle_gcm_aes_decrypt
#define gcm_aes_digest nettle_gcm_aes_digest

Niels Möller's avatar
Niels Möller committed
84 85 86 87 88 89 90
#define gcm_camellia128_set_key nettle_gcm_camellia128_set_key
#define gcm_camellia128_set_iv nettle_gcm_camellia128_set_iv
#define gcm_camellia128_update nettle_gcm_camellia128_update
#define gcm_camellia128_encrypt nettle_gcm_camellia128_encrypt
#define gcm_camellia128_decrypt nettle_gcm_camellia128_decrypt
#define gcm_camellia128_digest nettle_gcm_camellia128_digest

Niels Möller's avatar
Niels Möller committed
91 92 93 94 95 96 97
#define gcm_camellia256_set_key nettle_gcm_camellia256_set_key
#define gcm_camellia256_set_iv nettle_gcm_camellia256_set_iv
#define gcm_camellia256_update nettle_gcm_camellia256_update
#define gcm_camellia256_encrypt nettle_gcm_camellia256_encrypt
#define gcm_camellia256_decrypt nettle_gcm_camellia256_decrypt
#define gcm_camellia256_digest nettle_gcm_camellia256_digest

Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
98 99
#define GCM_BLOCK_SIZE 16
#define GCM_IV_SIZE (GCM_BLOCK_SIZE - 4)
100
#define GCM_DIGEST_SIZE 16
101
#define GCM_TABLE_BITS 8
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
102

103 104 105
/* Hashing subkey */
struct gcm_key
{
Niels Möller's avatar
Niels Möller committed
106
  union nettle_block16 h[1 << GCM_TABLE_BITS];
107
};
Niels Möller's avatar
Niels Möller committed
108

109 110
/* Per-message state, depending on the iv */
struct gcm_ctx {
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
111
  /* Original counter block */
Niels Möller's avatar
Niels Möller committed
112
  union nettle_block16 iv;
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
113
  /* Updated for each block. */
Niels Möller's avatar
Niels Möller committed
114
  union nettle_block16 ctr;
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
115
  /* Hashing state */
Niels Möller's avatar
Niels Möller committed
116
  union nettle_block16 x;
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
117 118 119 120 121
  uint64_t auth_size;
  uint64_t data_size;
};

void
122
gcm_set_key(struct gcm_key *key,
123
	    const void *cipher, nettle_cipher_func *f);
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
124 125

void
126
gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key,
127
	   size_t length, const uint8_t *iv);
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
128 129

void
130
gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key,
131
	   size_t length, const uint8_t *data);
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
132 133

void
134
gcm_encrypt(struct gcm_ctx *ctx, const struct gcm_key *key,
135
	    const void *cipher, nettle_cipher_func *f,
136
	    size_t length, uint8_t *dst, const uint8_t *src);
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
137 138

void
139
gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key,
140
	    const void *cipher, nettle_cipher_func *f,
141
	    size_t length, uint8_t *dst, const uint8_t *src);
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
142 143

void
144
gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key,
145
	   const void *cipher, nettle_cipher_func *f,
146
	   size_t length, uint8_t *digest);
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
147

148
/* Convenience macrology (not sure how useful it is) */
Niels Möller's avatar
Niels Möller committed
149
/* All-in-one context, with hash subkey, message state, and cipher. */
150
#define GCM_CTX(type) \
Niels Möller's avatar
Niels Möller committed
151
  { struct gcm_key key; struct gcm_ctx gcm; type cipher; }
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
152

153
/* NOTE: Avoid using NULL, as we don't include anything defining it. */
154
#define GCM_SET_KEY(ctx, set_key, encrypt, gcm_key)		\
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
155
  do {								\
156 157 158
    (set_key)(&(ctx)->cipher, (gcm_key));			\
    if (0) (encrypt)(&(ctx)->cipher, ~(size_t) 0,		\
		     (uint8_t *) 0, (const uint8_t *) 0);	\
159
    gcm_set_key(&(ctx)->key, &(ctx)->cipher,			\
160
		(nettle_cipher_func *) (encrypt));		\
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
161 162
  } while (0)

163 164
#define GCM_SET_IV(ctx, length, data)				\
  gcm_set_iv(&(ctx)->gcm, &(ctx)->key, (length), (data))
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
165

166 167
#define GCM_UPDATE(ctx, length, data)			\
  gcm_update(&(ctx)->gcm, &(ctx)->key, (length), (data))
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
168

169
#define GCM_ENCRYPT(ctx, encrypt, length, dst, src)			\
170 171
  (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0,				\
		 (uint8_t *) 0, (const uint8_t *) 0)			\
172
     : gcm_encrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher,		\
173
		   (nettle_cipher_func *) (encrypt),			\
174 175 176
		   (length), (dst), (src)))

#define GCM_DECRYPT(ctx, encrypt, length, dst, src)			\
177 178
  (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0,				\
		 (uint8_t *) 0, (const uint8_t *) 0)			\
179
     : gcm_decrypt(&(ctx)->gcm,  &(ctx)->key, &(ctx)->cipher,		\
180
		   (nettle_cipher_func *) (encrypt),			\
181 182 183
		   (length), (dst), (src)))

#define GCM_DIGEST(ctx, encrypt, length, digest)			\
184 185
  (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0,				\
		 (uint8_t *) 0, (const uint8_t *) 0)			\
186
     : gcm_digest(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher,		\
187
		  (nettle_cipher_func *) (encrypt),			\
188
		  (length), (digest)))
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
189

Niels Möller's avatar
Niels Möller committed
190 191 192
struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx);

void
193
gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key);
Niels Möller's avatar
Niels Möller committed
194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218

/* FIXME: Define _update and _set_iv as some kind of aliaes,
   there's nothing aes-specific. */
void
gcm_aes128_update (struct gcm_aes128_ctx *ctx,
		   size_t length, const uint8_t *data);
void
gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx,
		   size_t length, const uint8_t *iv);

void
gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx,
		   size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx,
		   size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes128_digest(struct gcm_aes128_ctx *ctx,
		  size_t length, uint8_t *digest);

struct gcm_aes192_ctx GCM_CTX(struct aes192_ctx);

void
219
gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key);
Niels Möller's avatar
Niels Möller committed
220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242

void
gcm_aes192_update (struct gcm_aes192_ctx *ctx,
		   size_t length, const uint8_t *data);
void
gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx,
		   size_t length, const uint8_t *iv);

void
gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx,
		   size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx,
		   size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes192_digest(struct gcm_aes192_ctx *ctx,
		  size_t length, uint8_t *digest);

struct gcm_aes256_ctx GCM_CTX(struct aes256_ctx);

void
243
gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key);
Niels Möller's avatar
Niels Möller committed
244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263

void
gcm_aes256_update (struct gcm_aes256_ctx *ctx,
		   size_t length, const uint8_t *data);
void
gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx,
		   size_t length, const uint8_t *iv);

void
gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx,
		   size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx,
		   size_t length, uint8_t *dst, const uint8_t *src);

void
gcm_aes256_digest(struct gcm_aes256_ctx *ctx,
		  size_t length, uint8_t *digest);

Niels Möller's avatar
Niels Möller committed
264
/* Old deprecated aes interface, for backwards compatibility */
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
265 266 267 268
struct gcm_aes_ctx GCM_CTX(struct aes_ctx);

void
gcm_aes_set_key(struct gcm_aes_ctx *ctx,
Niels Möller's avatar
Niels Möller committed
269
		size_t length, const uint8_t *key) _NETTLE_ATTRIBUTE_DEPRECATED;
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
270 271 272

void
gcm_aes_set_iv(struct gcm_aes_ctx *ctx,
Niels Möller's avatar
Niels Möller committed
273
	       size_t length, const uint8_t *iv) _NETTLE_ATTRIBUTE_DEPRECATED;
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
274 275

void
276
gcm_aes_update(struct gcm_aes_ctx *ctx,
Niels Möller's avatar
Niels Möller committed
277
	       size_t length, const uint8_t *data) _NETTLE_ATTRIBUTE_DEPRECATED;
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
278 279 280

void
gcm_aes_encrypt(struct gcm_aes_ctx *ctx,
Niels Möller's avatar
Niels Möller committed
281 282
		size_t length, uint8_t *dst, const uint8_t *src)
  _NETTLE_ATTRIBUTE_DEPRECATED;
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
283 284 285

void
gcm_aes_decrypt(struct gcm_aes_ctx *ctx,
Niels Möller's avatar
Niels Möller committed
286 287
		size_t length, uint8_t *dst, const uint8_t *src)
  _NETTLE_ATTRIBUTE_DEPRECATED;
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
288 289

void
Niels Möller's avatar
Niels Möller committed
290 291
gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest)
  _NETTLE_ATTRIBUTE_DEPRECATED;
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
292

Niels Möller's avatar
Niels Möller committed
293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308

struct gcm_camellia128_ctx GCM_CTX(struct camellia128_ctx);

void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx,
			     const uint8_t *key);
void gcm_camellia128_set_iv(struct gcm_camellia128_ctx *ctx,
			    size_t length, const uint8_t *iv);
void gcm_camellia128_update(struct gcm_camellia128_ctx *ctx,
			    size_t length, const uint8_t *data);
void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx,
			     size_t length, uint8_t *dst, const uint8_t *src);
void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx,
			     size_t length, uint8_t *dst, const uint8_t *src);
void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx,
			    size_t length, uint8_t *digest);

Niels Möller's avatar
Niels Möller committed
309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324

struct gcm_camellia256_ctx GCM_CTX(struct camellia256_ctx);

void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx,
			     const uint8_t *key);
void gcm_camellia256_set_iv(struct gcm_camellia256_ctx *ctx,
			    size_t length, const uint8_t *iv);
void gcm_camellia256_update(struct gcm_camellia256_ctx *ctx,
			    size_t length, const uint8_t *data);
void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx,
			     size_t length, uint8_t *dst, const uint8_t *src);
void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx,
			     size_t length, uint8_t *dst, const uint8_t *src);
void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx,
			    size_t length, uint8_t *digest);

Niels Möller's avatar
Niels Möller committed
325
  
Nikos Mavrogiannopoulos's avatar
Nikos Mavrogiannopoulos committed
326 327 328 329 330
#ifdef __cplusplus
}
#endif

#endif /* NETTLE_GCM_H_INCLUDED */