3 Counter with CBC-MAC mode, specified by NIST,
4 http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
6 Copyright (C) 2014 Exegin Technologies Limited
7 Copyright (C) 2014 Owen Kirby
9 Contributed to GNU Nettle by Owen Kirby
11 This file is part of GNU Nettle.
13 GNU Nettle is free software: you can redistribute it and/or
14 modify it under the terms of either:
16 * the GNU Lesser General Public License as published by the Free
17 Software Foundation; either version 3 of the License, or (at your
18 option) any later version.
22 * the GNU General Public License as published by the Free
23 Software Foundation; either version 2 of the License, or (at your
24 option) any later version.
26 or both in parallel, as here.
28 GNU Nettle is distributed in the hope that it will be useful,
29 but WITHOUT ANY WARRANTY; without even the implied warranty of
30 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
31 General Public License for more details.
33 You should have received copies of the GNU General Public License and
34 the GNU Lesser General Public License along with this program. If
35 not, see http://www.gnu.org/licenses/.
38 /* NIST SP800-38C doesn't specify the particular formatting and
39 * counter generation algorithm for CCM, but it does include an
40 * example algorithm. This example has become the de-factor standard,
41 * and has been adopted by both the IETF and IEEE across a wide
42 * variety of protocols.
45 #ifndef NETTLE_CCM_H_INCLUDED
46 #define NETTLE_CCM_H_INCLUDED
55 #define ccm_set_nonce nettle_ccm_set_nonce
56 #define ccm_update nettle_ccm_update
57 #define ccm_encrypt nettle_ccm_encrypt
58 #define ccm_decrypt nettle_ccm_decrypt
59 #define ccm_digest nettle_ccm_digest
60 #define ccm_encrypt_message nettle_ccm_encrypt_message
61 #define ccm_decrypt_message nettle_ccm_decrypt_message
63 #define ccm_aes128_set_key nettle_ccm_aes128_set_key
64 #define ccm_aes128_set_nonce nettle_ccm_aes128_set_nonce
65 #define ccm_aes128_update nettle_ccm_aes128_update
66 #define ccm_aes128_encrypt nettle_ccm_aes128_encrypt
67 #define ccm_aes128_decrypt nettle_ccm_aes128_decrypt
68 #define ccm_aes128_digest nettle_ccm_aes128_digest
69 #define ccm_aes128_encrypt_message nettle_ccm_aes128_encrypt_message
70 #define ccm_aes128_decrypt_message nettle_ccm_aes128_decrypt_message
72 #define ccm_aes192_set_key nettle_ccm_aes192_set_key
73 #define ccm_aes192_set_nonce nettle_ccm_aes192_set_nonce
74 #define ccm_aes192_update nettle_ccm_aes192_update
75 #define ccm_aes192_encrypt nettle_ccm_aes192_encrypt
76 #define ccm_aes192_decrypt nettle_ccm_aes192_decrypt
77 #define ccm_aes192_digest nettle_ccm_aes192_digest
78 #define ccm_aes192_encrypt_message nettle_ccm_aes192_encrypt_message
79 #define ccm_aes192_decrypt_message nettle_ccm_aes192_decrypt_message
81 #define ccm_aes256_set_key nettle_ccm_aes256_set_key
82 #define ccm_aes256_set_nonce nettle_ccm_aes256_set_nonce
83 #define ccm_aes256_update nettle_ccm_aes256_update
84 #define ccm_aes256_encrypt nettle_ccm_aes256_encrypt
85 #define ccm_aes256_decrypt nettle_ccm_aes256_decrypt
86 #define ccm_aes256_digest nettle_ccm_aes256_digest
87 #define ccm_aes256_encrypt_message nettle_ccm_aes256_encrypt_message
88 #define ccm_aes256_decrypt_message nettle_ccm_aes256_decrypt_message
90 /* For CCM, the block size of the block cipher shall be 128 bits. */
91 #define CCM_BLOCK_SIZE 16
92 #define CCM_DIGEST_SIZE 16
93 #define CCM_MIN_NONCE_SIZE 7
94 #define CCM_MAX_NONCE_SIZE 14
96 /* Maximum cleartext message size, as a function of the nonce size N.
97 The length field is L octets, with L = 15 - N, and then the maximum
98 size M = 2^{8L} - 1. */
99 #define CCM_MAX_MSG_SIZE(N) \
100 ((sizeof(size_t) + (N) <= 15) \
102 : ((size_t) 1 << (8*(15 - N))) - 1)
104 /* Per-message state */
106 union nettle_block16 ctr; /* Counter for CTR encryption. */
107 union nettle_block16 tag; /* CBC-MAC message tag. */
108 /* Length of data processed by the CBC-MAC modulus the block size */
109 unsigned int blength;
113 * CCM mode requires the adata and message lengths when building the IV, which
114 * prevents streaming processing and it incompatible with the AEAD API.
117 ccm_set_nonce(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
118 size_t noncelen, const uint8_t *nonce,
119 size_t authlen, size_t msglen, size_t taglen);
122 ccm_update(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
123 size_t length, const uint8_t *data);
126 ccm_encrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
127 size_t length, uint8_t *dst, const uint8_t *src);
130 ccm_decrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
131 size_t length, uint8_t *dst, const uint8_t *src);
134 ccm_digest(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
135 size_t length, uint8_t *digest);
138 * All-in-one encryption and decryption API:
139 * tlength = sizeof(digest)
140 * mlength = sizeof(cleartext)
141 * clength = sizeof(ciphertext) = mlength + tlength
143 * The ciphertext will contain the encrypted payload with the message digest
144 * appended to the end.
147 ccm_encrypt_message(const void *cipher, nettle_cipher_func *f,
148 size_t nlength, const uint8_t *nonce,
149 size_t alength, const uint8_t *adata,
151 size_t clength, uint8_t *dst, const uint8_t *src);
154 * The decryption function will write the plaintext to dst and parse the digest
155 * from the final tlength bytes of the ciphertext. If the digest matched the
156 * value computed during decryption then this will return 1, or it will return
157 * 0 if the digest was invalid.
160 ccm_decrypt_message(const void *cipher, nettle_cipher_func *f,
161 size_t nlength, const uint8_t *nonce,
162 size_t alength, const uint8_t *adata,
164 size_t mlength, uint8_t *dst, const uint8_t *src);
166 /* CCM Mode with AES-128 */
167 struct ccm_aes128_ctx {
169 struct aes128_ctx cipher;
173 ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key);
176 ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx,
177 size_t length, const uint8_t *nonce,
178 size_t authlen, size_t msglen, size_t taglen);
181 ccm_aes128_update (struct ccm_aes128_ctx *ctx,
182 size_t length, const uint8_t *data);
185 ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx,
186 size_t length, uint8_t *dst, const uint8_t *src);
189 ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx,
190 size_t length, uint8_t *dst, const uint8_t *src);
193 ccm_aes128_digest(struct ccm_aes128_ctx *ctx,
194 size_t length, uint8_t *digest);
197 ccm_aes128_encrypt_message(struct ccm_aes128_ctx *ctx,
198 size_t nlength, const uint8_t *nonce,
199 size_t alength, const uint8_t *adata,
201 size_t clength, uint8_t *dst, const uint8_t *src);
204 ccm_aes128_decrypt_message(struct ccm_aes128_ctx *ctx,
205 size_t nlength, const uint8_t *nonce,
206 size_t alength, const uint8_t *adata,
208 size_t mlength, uint8_t *dst, const uint8_t *src);
210 struct ccm_aes192_ctx {
212 struct aes192_ctx cipher;
215 /* CCM Mode with AES-192 */
217 ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key);
220 ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx,
221 size_t length, const uint8_t *nonce,
222 size_t authlen, size_t msglen, size_t taglen);
225 ccm_aes192_update(struct ccm_aes192_ctx *ctx,
226 size_t length, const uint8_t *data);
229 ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx,
230 size_t length, uint8_t *dst, const uint8_t *src);
233 ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx,
234 size_t length, uint8_t *dst, const uint8_t *src);
237 ccm_aes192_digest(struct ccm_aes192_ctx *ctx,
238 size_t length, uint8_t *digest);
241 ccm_aes192_encrypt_message(struct ccm_aes192_ctx *ctx,
242 size_t nlength, const uint8_t *nonce,
243 size_t alength, const uint8_t *adata,
245 size_t clength, uint8_t *dst, const uint8_t *src);
248 ccm_aes192_decrypt_message(struct ccm_aes192_ctx *ctx,
249 size_t nlength, const uint8_t *nonce,
250 size_t alength, const uint8_t *adata,
252 size_t mlength, uint8_t *dst, const uint8_t *src);
254 /* CCM Mode with AES-256 */
255 struct ccm_aes256_ctx {
257 struct aes256_ctx cipher;
261 ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key);
264 ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx,
265 size_t length, const uint8_t *nonce,
266 size_t authlen, size_t msglen, size_t taglen);
269 ccm_aes256_update(struct ccm_aes256_ctx *ctx,
270 size_t length, const uint8_t *data);
273 ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx,
274 size_t length, uint8_t *dst, const uint8_t *src);
277 ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx,
278 size_t length, uint8_t *dst, const uint8_t *src);
281 ccm_aes256_digest(struct ccm_aes256_ctx *ctx,
282 size_t length, uint8_t *digest);
285 ccm_aes256_encrypt_message(struct ccm_aes256_ctx *ctx,
286 size_t nlength, const uint8_t *nonce,
287 size_t alength, const uint8_t *adata,
289 size_t clength, uint8_t *dst, const uint8_t *src);
292 ccm_aes256_decrypt_message(struct ccm_aes256_ctx *ctx,
293 size_t nlength, const uint8_t *nonce,
294 size_t alength, const uint8_t *adata,
296 size_t mlength, uint8_t *dst, const uint8_t *src);
302 #endif /* NETTLE_CCM_H_INCLUDED */