1 /**
2  * \file gcm.h
3  *
4  * \brief This file contains GCM definitions and functions.
5  *
6  * The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined
7  * in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
8  * (GCM), Natl. Inst. Stand. Technol.</em>
9  *
10  * For more information on GCM, see <em>NIST SP 800-38D: Recommendation for
11  * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</em>.
12  *
13  */
14 /*
15  *  Copyright The Mbed TLS Contributors
16  *  SPDX-License-Identifier: Apache-2.0
17  *
18  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
19  *  not use this file except in compliance with the License.
20  *  You may obtain a copy of the License at
21  *
22  *  http://www.apache.org/licenses/LICENSE-2.0
23  *
24  *  Unless required by applicable law or agreed to in writing, software
25  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
26  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
27  *  See the License for the specific language governing permissions and
28  *  limitations under the License.
29  */
30 
31 #ifndef MBEDTLS_GCM_H
32 #define MBEDTLS_GCM_H
33 
34 #if !defined(MBEDTLS_CONFIG_FILE)
35 #include "mbedtls/config.h"
36 #else
37 #include MBEDTLS_CONFIG_FILE
38 #endif
39 
40 #include "mbedtls/cipher.h"
41 
42 #include <stdint.h>
43 
44 #define MBEDTLS_GCM_ENCRYPT     1
45 #define MBEDTLS_GCM_DECRYPT     0
46 
47 /** Authenticated decryption failed. */
48 #define MBEDTLS_ERR_GCM_AUTH_FAILED                       -0x0012
49 
50 /* MBEDTLS_ERR_GCM_HW_ACCEL_FAILED is deprecated and should not be used. */
51 /** GCM hardware accelerator failed. */
52 #define MBEDTLS_ERR_GCM_HW_ACCEL_FAILED                   -0x0013
53 
54 /** Bad input parameters to function. */
55 #define MBEDTLS_ERR_GCM_BAD_INPUT                         -0x0014
56 
57 #ifdef __cplusplus
58 extern "C" {
59 #endif
60 
61 #if !defined(MBEDTLS_GCM_ALT)
62 
63 /**
64  * \brief          The GCM context structure.
65  */
66 typedef struct mbedtls_gcm_context
67 {
68     mbedtls_cipher_context_t cipher_ctx;  /*!< The cipher context used. */
69     uint64_t HL[16];                      /*!< Precalculated HTable low. */
70     uint64_t HH[16];                      /*!< Precalculated HTable high. */
71     uint64_t len;                         /*!< The total length of the encrypted data. */
72     uint64_t add_len;                     /*!< The total length of the additional data. */
73     unsigned char base_ectr[16];          /*!< The first ECTR for tag. */
74     unsigned char y[16];                  /*!< The Y working value. */
75     unsigned char buf[16];                /*!< The buf working value. */
76     int mode;                             /*!< The operation to perform:
77                                                #MBEDTLS_GCM_ENCRYPT or
78                                                #MBEDTLS_GCM_DECRYPT. */
79 }
80 mbedtls_gcm_context;
81 
82 #else  /* !MBEDTLS_GCM_ALT */
83 #include "gcm_alt.h"
84 #endif /* !MBEDTLS_GCM_ALT */
85 
86 /**
87  * \brief           This function initializes the specified GCM context,
88  *                  to make references valid, and prepares the context
89  *                  for mbedtls_gcm_setkey() or mbedtls_gcm_free().
90  *
91  *                  The function does not bind the GCM context to a particular
92  *                  cipher, nor set the key. For this purpose, use
93  *                  mbedtls_gcm_setkey().
94  *
95  * \param ctx       The GCM context to initialize. This must not be \c NULL.
96  */
97 void mbedtls_gcm_init( mbedtls_gcm_context *ctx );
98 
99 /**
100  * \brief           This function associates a GCM context with a
101  *                  cipher algorithm and a key.
102  *
103  * \param ctx       The GCM context. This must be initialized.
104  * \param cipher    The 128-bit block cipher to use.
105  * \param key       The encryption key. This must be a readable buffer of at
106  *                  least \p keybits bits.
107  * \param keybits   The key size in bits. Valid options are:
108  *                  <ul><li>128 bits</li>
109  *                  <li>192 bits</li>
110  *                  <li>256 bits</li></ul>
111  *
112  * \return          \c 0 on success.
113  * \return          A cipher-specific error code on failure.
114  */
115 int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
116                         mbedtls_cipher_id_t cipher,
117                         const unsigned char *key,
118                         unsigned int keybits );
119 
120 /**
121  * \brief           This function performs GCM encryption or decryption of a buffer.
122  *
123  * \note            For encryption, the output buffer can be the same as the
124  *                  input buffer. For decryption, the output buffer cannot be
125  *                  the same as input buffer. If the buffers overlap, the output
126  *                  buffer must trail at least 8 Bytes behind the input buffer.
127  *
128  * \warning         When this function performs a decryption, it outputs the
129  *                  authentication tag and does not verify that the data is
130  *                  authentic. You should use this function to perform encryption
131  *                  only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
132  *
133  * \param ctx       The GCM context to use for encryption or decryption. This
134  *                  must be initialized.
135  * \param mode      The operation to perform:
136  *                  - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
137  *                    The ciphertext is written to \p output and the
138  *                    authentication tag is written to \p tag.
139  *                  - #MBEDTLS_GCM_DECRYPT to perform decryption.
140  *                    The plaintext is written to \p output and the
141  *                    authentication tag is written to \p tag.
142  *                    Note that this mode is not recommended, because it does
143  *                    not verify the authenticity of the data. For this reason,
144  *                    you should use mbedtls_gcm_auth_decrypt() instead of
145  *                    calling this function in decryption mode.
146  * \param length    The length of the input data, which is equal to the length
147  *                  of the output data.
148  * \param iv        The initialization vector. This must be a readable buffer of
149  *                  at least \p iv_len Bytes.
150  * \param iv_len    The length of the IV.
151  * \param add       The buffer holding the additional data. This must be of at
152  *                  least that size in Bytes.
153  * \param add_len   The length of the additional data.
154  * \param input     The buffer holding the input data. If \p length is greater
155  *                  than zero, this must be a readable buffer of at least that
156  *                  size in Bytes.
157  * \param output    The buffer for holding the output data. If \p length is greater
158  *                  than zero, this must be a writable buffer of at least that
159  *                  size in Bytes.
160  * \param tag_len   The length of the tag to generate.
161  * \param tag       The buffer for holding the tag. This must be a writable
162  *                  buffer of at least \p tag_len Bytes.
163  *
164  * \return          \c 0 if the encryption or decryption was performed
165  *                  successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
166  *                  this does not indicate that the data is authentic.
167  * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
168  *                  not valid or a cipher-specific error code if the encryption
169  *                  or decryption failed.
170  */
171 int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
172                        int mode,
173                        size_t length,
174                        const unsigned char *iv,
175                        size_t iv_len,
176                        const unsigned char *add,
177                        size_t add_len,
178                        const unsigned char *input,
179                        unsigned char *output,
180                        size_t tag_len,
181                        unsigned char *tag );
182 
183 /**
184  * \brief           This function performs a GCM authenticated decryption of a
185  *                  buffer.
186  *
187  * \note            For decryption, the output buffer cannot be the same as
188  *                  input buffer. If the buffers overlap, the output buffer
189  *                  must trail at least 8 Bytes behind the input buffer.
190  *
191  * \param ctx       The GCM context. This must be initialized.
192  * \param length    The length of the ciphertext to decrypt, which is also
193  *                  the length of the decrypted plaintext.
194  * \param iv        The initialization vector. This must be a readable buffer
195  *                  of at least \p iv_len Bytes.
196  * \param iv_len    The length of the IV.
197  * \param add       The buffer holding the additional data. This must be of at
198  *                  least that size in Bytes.
199  * \param add_len   The length of the additional data.
200  * \param tag       The buffer holding the tag to verify. This must be a
201  *                  readable buffer of at least \p tag_len Bytes.
202  * \param tag_len   The length of the tag to verify.
203  * \param input     The buffer holding the ciphertext. If \p length is greater
204  *                  than zero, this must be a readable buffer of at least that
205  *                  size.
206  * \param output    The buffer for holding the decrypted plaintext. If \p length
207  *                  is greater than zero, this must be a writable buffer of at
208  *                  least that size.
209  *
210  * \return          \c 0 if successful and authenticated.
211  * \return          #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
212  * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
213  *                  not valid or a cipher-specific error code if the decryption
214  *                  failed.
215  */
216 int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
217                       size_t length,
218                       const unsigned char *iv,
219                       size_t iv_len,
220                       const unsigned char *add,
221                       size_t add_len,
222                       const unsigned char *tag,
223                       size_t tag_len,
224                       const unsigned char *input,
225                       unsigned char *output );
226 
227 /**
228  * \brief           This function starts a GCM encryption or decryption
229  *                  operation.
230  *
231  * \param ctx       The GCM context. This must be initialized.
232  * \param mode      The operation to perform: #MBEDTLS_GCM_ENCRYPT or
233  *                  #MBEDTLS_GCM_DECRYPT.
234  * \param iv        The initialization vector. This must be a readable buffer of
235  *                  at least \p iv_len Bytes.
236  * \param iv_len    The length of the IV.
237  * \param add       The buffer holding the additional data, or \c NULL
238  *                  if \p add_len is \c 0.
239  * \param add_len   The length of the additional data. If \c 0,
240  *                  \p add may be \c NULL.
241  *
242  * \return          \c 0 on success.
243  */
244 int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
245                 int mode,
246                 const unsigned char *iv,
247                 size_t iv_len,
248                 const unsigned char *add,
249                 size_t add_len );
250 
251 /**
252  * \brief           This function feeds an input buffer into an ongoing GCM
253  *                  encryption or decryption operation.
254  *
255  *    `             The function expects input to be a multiple of 16
256  *                  Bytes. Only the last call before calling
257  *                  mbedtls_gcm_finish() can be less than 16 Bytes.
258  *
259  * \note            For decryption, the output buffer cannot be the same as
260  *                  input buffer. If the buffers overlap, the output buffer
261  *                  must trail at least 8 Bytes behind the input buffer.
262  *
263  * \param ctx       The GCM context. This must be initialized.
264  * \param length    The length of the input data. This must be a multiple of
265  *                  16 except in the last call before mbedtls_gcm_finish().
266  * \param input     The buffer holding the input data. If \p length is greater
267  *                  than zero, this must be a readable buffer of at least that
268  *                  size in Bytes.
269  * \param output    The buffer for holding the output data. If \p length is
270  *                  greater than zero, this must be a writable buffer of at
271  *                  least that size in Bytes.
272  *
273  * \return         \c 0 on success.
274  * \return         #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
275  */
276 int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
277                 size_t length,
278                 const unsigned char *input,
279                 unsigned char *output );
280 
281 /**
282  * \brief           This function finishes the GCM operation and generates
283  *                  the authentication tag.
284  *
285  *                  It wraps up the GCM stream, and generates the
286  *                  tag. The tag can have a maximum length of 16 Bytes.
287  *
288  * \param ctx       The GCM context. This must be initialized.
289  * \param tag       The buffer for holding the tag. This must be a writable
290  *                  buffer of at least \p tag_len Bytes.
291  * \param tag_len   The length of the tag to generate. This must be at least
292  *                  four.
293  *
294  * \return          \c 0 on success.
295  * \return          #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
296  */
297 int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
298                 unsigned char *tag,
299                 size_t tag_len );
300 
301 /**
302  * \brief           This function clears a GCM context and the underlying
303  *                  cipher sub-context.
304  *
305  * \param ctx       The GCM context to clear. If this is \c NULL, the call has
306  *                  no effect. Otherwise, this must be initialized.
307  */
308 void mbedtls_gcm_free( mbedtls_gcm_context *ctx );
309 
310 #if defined(MBEDTLS_SELF_TEST)
311 
312 /**
313  * \brief          The GCM checkup routine.
314  *
315  * \return         \c 0 on success.
316  * \return         \c 1 on failure.
317  */
318 int mbedtls_gcm_self_test( int verbose );
319 
320 #endif /* MBEDTLS_SELF_TEST */
321 
322 #ifdef __cplusplus
323 }
324 #endif
325 
326 
327 #endif /* gcm.h */
328