3 Galois counter mode, specified by NIST,
4 http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
6 Copyright (C) 2011 Katholieke Universiteit Leuven
7 Copyright (C) 2011, 2014 Niels Möller
9 Contributed by Nikos Mavrogiannopoulos
11 This file is part of GNU Nettle.
13 GNU Nettle is free software: you can redistribute it and/or
14 modify it under the terms of either:
16 * the GNU Lesser General Public License as published by the Free
17 Software Foundation; either version 3 of the License, or (at your
18 option) any later version.
22 * the GNU General Public License as published by the Free
23 Software Foundation; either version 2 of the License, or (at your
24 option) any later version.
26 or both in parallel, as here.
28 GNU Nettle is distributed in the hope that it will be useful,
29 but WITHOUT ANY WARRANTY; without even the implied warranty of
30 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
31 General Public License for more details.
33 You should have received copies of the GNU General Public License and
34 the GNU Lesser General Public License along with this program. If
35 not, see http://www.gnu.org/licenses/.
38 #ifndef NETTLE_GCM_H_INCLUDED
39 #define NETTLE_GCM_H_INCLUDED
49 #define gcm_set_key nettle_gcm_set_key
50 #define gcm_set_iv nettle_gcm_set_iv
51 #define gcm_update nettle_gcm_update
52 #define gcm_encrypt nettle_gcm_encrypt
53 #define gcm_decrypt nettle_gcm_decrypt
54 #define gcm_digest nettle_gcm_digest
56 #define gcm_aes128_set_key nettle_gcm_aes128_set_key
57 #define gcm_aes128_set_iv nettle_gcm_aes128_set_iv
58 #define gcm_aes128_update nettle_gcm_aes128_update
59 #define gcm_aes128_encrypt nettle_gcm_aes128_encrypt
60 #define gcm_aes128_decrypt nettle_gcm_aes128_decrypt
61 #define gcm_aes128_digest nettle_gcm_aes128_digest
63 #define gcm_aes192_set_key nettle_gcm_aes192_set_key
64 #define gcm_aes192_set_iv nettle_gcm_aes192_set_iv
65 #define gcm_aes192_update nettle_gcm_aes192_update
66 #define gcm_aes192_encrypt nettle_gcm_aes192_encrypt
67 #define gcm_aes192_decrypt nettle_gcm_aes192_decrypt
68 #define gcm_aes192_digest nettle_gcm_aes192_digest
70 #define gcm_aes256_set_key nettle_gcm_aes256_set_key
71 #define gcm_aes256_set_iv nettle_gcm_aes256_set_iv
72 #define gcm_aes256_update nettle_gcm_aes256_update
73 #define gcm_aes256_encrypt nettle_gcm_aes256_encrypt
74 #define gcm_aes256_decrypt nettle_gcm_aes256_decrypt
75 #define gcm_aes256_digest nettle_gcm_aes256_digest
77 #define gcm_aes_set_key nettle_gcm_aes_set_key
78 #define gcm_aes_set_iv nettle_gcm_aes_set_iv
79 #define gcm_aes_update nettle_gcm_aes_update
80 #define gcm_aes_encrypt nettle_gcm_aes_encrypt
81 #define gcm_aes_decrypt nettle_gcm_aes_decrypt
82 #define gcm_aes_digest nettle_gcm_aes_digest
84 #define gcm_camellia128_set_key nettle_gcm_camellia128_set_key
85 #define gcm_camellia128_set_iv nettle_gcm_camellia128_set_iv
86 #define gcm_camellia128_update nettle_gcm_camellia128_update
87 #define gcm_camellia128_encrypt nettle_gcm_camellia128_encrypt
88 #define gcm_camellia128_decrypt nettle_gcm_camellia128_decrypt
89 #define gcm_camellia128_digest nettle_gcm_camellia128_digest
91 #define gcm_camellia256_set_key nettle_gcm_camellia256_set_key
92 #define gcm_camellia256_set_iv nettle_gcm_camellia256_set_iv
93 #define gcm_camellia256_update nettle_gcm_camellia256_update
94 #define gcm_camellia256_encrypt nettle_gcm_camellia256_encrypt
95 #define gcm_camellia256_decrypt nettle_gcm_camellia256_decrypt
96 #define gcm_camellia256_digest nettle_gcm_camellia256_digest
98 #define GCM_BLOCK_SIZE 16
99 #define GCM_IV_SIZE (GCM_BLOCK_SIZE - 4)
100 #define GCM_DIGEST_SIZE 16
101 #define GCM_TABLE_BITS 8
106 union nettle_block16 h[1 << GCM_TABLE_BITS];
109 /* Per-message state, depending on the iv */
111 /* Original counter block */
112 union nettle_block16 iv;
113 /* Updated for each block. */
114 union nettle_block16 ctr;
116 union nettle_block16 x;
122 gcm_set_key(struct gcm_key *key,
123 const void *cipher, nettle_cipher_func *f);
126 gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key,
127 size_t length, const uint8_t *iv);
130 gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key,
131 size_t length, const uint8_t *data);
134 gcm_encrypt(struct gcm_ctx *ctx, const struct gcm_key *key,
135 const void *cipher, nettle_cipher_func *f,
136 size_t length, uint8_t *dst, const uint8_t *src);
139 gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key,
140 const void *cipher, nettle_cipher_func *f,
141 size_t length, uint8_t *dst, const uint8_t *src);
144 gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key,
145 const void *cipher, nettle_cipher_func *f,
146 size_t length, uint8_t *digest);
148 /* Convenience macrology (not sure how useful it is) */
149 /* All-in-one context, with hash subkey, message state, and cipher. */
150 #define GCM_CTX(type) \
151 { struct gcm_key key; struct gcm_ctx gcm; type cipher; }
153 /* NOTE: Avoid using NULL, as we don't include anything defining it. */
154 #define GCM_SET_KEY(ctx, set_key, encrypt, gcm_key) \
156 (set_key)(&(ctx)->cipher, (gcm_key)); \
157 if (0) (encrypt)(&(ctx)->cipher, ~(size_t) 0, \
158 (uint8_t *) 0, (const uint8_t *) 0); \
159 gcm_set_key(&(ctx)->key, &(ctx)->cipher, \
160 (nettle_cipher_func *) (encrypt)); \
163 #define GCM_SET_IV(ctx, length, data) \
164 gcm_set_iv(&(ctx)->gcm, &(ctx)->key, (length), (data))
166 #define GCM_UPDATE(ctx, length, data) \
167 gcm_update(&(ctx)->gcm, &(ctx)->key, (length), (data))
169 #define GCM_ENCRYPT(ctx, encrypt, length, dst, src) \
170 (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \
171 (uint8_t *) 0, (const uint8_t *) 0) \
172 : gcm_encrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \
173 (nettle_cipher_func *) (encrypt), \
174 (length), (dst), (src)))
176 #define GCM_DECRYPT(ctx, encrypt, length, dst, src) \
177 (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \
178 (uint8_t *) 0, (const uint8_t *) 0) \
179 : gcm_decrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \
180 (nettle_cipher_func *) (encrypt), \
181 (length), (dst), (src)))
183 #define GCM_DIGEST(ctx, encrypt, length, digest) \
184 (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \
185 (uint8_t *) 0, (const uint8_t *) 0) \
186 : gcm_digest(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \
187 (nettle_cipher_func *) (encrypt), \
190 struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx);
193 gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key);
195 /* FIXME: Define _update and _set_iv as some kind of aliaes,
196 there's nothing aes-specific. */
198 gcm_aes128_update (struct gcm_aes128_ctx *ctx,
199 size_t length, const uint8_t *data);
201 gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx,
202 size_t length, const uint8_t *iv);
205 gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx,
206 size_t length, uint8_t *dst, const uint8_t *src);
209 gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx,
210 size_t length, uint8_t *dst, const uint8_t *src);
213 gcm_aes128_digest(struct gcm_aes128_ctx *ctx,
214 size_t length, uint8_t *digest);
216 struct gcm_aes192_ctx GCM_CTX(struct aes192_ctx);
219 gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key);
222 gcm_aes192_update (struct gcm_aes192_ctx *ctx,
223 size_t length, const uint8_t *data);
225 gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx,
226 size_t length, const uint8_t *iv);
229 gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx,
230 size_t length, uint8_t *dst, const uint8_t *src);
233 gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx,
234 size_t length, uint8_t *dst, const uint8_t *src);
237 gcm_aes192_digest(struct gcm_aes192_ctx *ctx,
238 size_t length, uint8_t *digest);
240 struct gcm_aes256_ctx GCM_CTX(struct aes256_ctx);
243 gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key);
246 gcm_aes256_update (struct gcm_aes256_ctx *ctx,
247 size_t length, const uint8_t *data);
249 gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx,
250 size_t length, const uint8_t *iv);
253 gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx,
254 size_t length, uint8_t *dst, const uint8_t *src);
257 gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx,
258 size_t length, uint8_t *dst, const uint8_t *src);
261 gcm_aes256_digest(struct gcm_aes256_ctx *ctx,
262 size_t length, uint8_t *digest);
264 /* Old deprecated aes interface, for backwards compatibility */
265 struct gcm_aes_ctx GCM_CTX(struct aes_ctx);
268 gcm_aes_set_key(struct gcm_aes_ctx *ctx,
269 size_t length, const uint8_t *key) _NETTLE_ATTRIBUTE_DEPRECATED;
272 gcm_aes_set_iv(struct gcm_aes_ctx *ctx,
273 size_t length, const uint8_t *iv) _NETTLE_ATTRIBUTE_DEPRECATED;
276 gcm_aes_update(struct gcm_aes_ctx *ctx,
277 size_t length, const uint8_t *data) _NETTLE_ATTRIBUTE_DEPRECATED;
280 gcm_aes_encrypt(struct gcm_aes_ctx *ctx,
281 size_t length, uint8_t *dst, const uint8_t *src)
282 _NETTLE_ATTRIBUTE_DEPRECATED;
285 gcm_aes_decrypt(struct gcm_aes_ctx *ctx,
286 size_t length, uint8_t *dst, const uint8_t *src)
287 _NETTLE_ATTRIBUTE_DEPRECATED;
290 gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest)
291 _NETTLE_ATTRIBUTE_DEPRECATED;
294 struct gcm_camellia128_ctx GCM_CTX(struct camellia128_ctx);
296 void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx,
298 void gcm_camellia128_set_iv(struct gcm_camellia128_ctx *ctx,
299 size_t length, const uint8_t *iv);
300 void gcm_camellia128_update(struct gcm_camellia128_ctx *ctx,
301 size_t length, const uint8_t *data);
302 void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx,
303 size_t length, uint8_t *dst, const uint8_t *src);
304 void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx,
305 size_t length, uint8_t *dst, const uint8_t *src);
306 void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx,
307 size_t length, uint8_t *digest);
310 struct gcm_camellia256_ctx GCM_CTX(struct camellia256_ctx);
312 void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx,
314 void gcm_camellia256_set_iv(struct gcm_camellia256_ctx *ctx,
315 size_t length, const uint8_t *iv);
316 void gcm_camellia256_update(struct gcm_camellia256_ctx *ctx,
317 size_t length, const uint8_t *data);
318 void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx,
319 size_t length, uint8_t *dst, const uint8_t *src);
320 void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx,
321 size_t length, uint8_t *dst, const uint8_t *src);
322 void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx,
323 size_t length, uint8_t *digest);
330 #endif /* NETTLE_GCM_H_INCLUDED */