1 /** 2 * \file gcm.h 3 * 4 * \brief This file contains GCM definitions and functions. 5 * 6 * The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined 7 * in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation 8 * (GCM), Natl. Inst. Stand. Technol.</em> 9 * 10 * For more information on GCM, see <em>NIST SP 800-38D: Recommendation for 11 * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</em>. 12 * 13 */ 14 /* 15 * Copyright The Mbed TLS Contributors 16 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 17 */ 18 19 #ifndef MBEDTLS_GCM_H 20 #define MBEDTLS_GCM_H 21 #include "mbedtls/private_access.h" 22 23 #include "mbedtls/build_info.h" 24 25 #include "mbedtls/cipher.h" 26 27 #if defined(MBEDTLS_BLOCK_CIPHER_C) 28 #include "mbedtls/block_cipher.h" 29 #endif 30 31 #include <stdint.h> 32 33 #define MBEDTLS_GCM_ENCRYPT 1 34 #define MBEDTLS_GCM_DECRYPT 0 35 36 /** Authenticated decryption failed. */ 37 #define MBEDTLS_ERR_GCM_AUTH_FAILED -0x0012 38 /** Bad input parameters to function. */ 39 #define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 40 /** An output buffer is too small. */ 41 #define MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL -0x0016 42 43 #ifdef __cplusplus 44 extern "C" { 45 #endif 46 47 #if !defined(MBEDTLS_GCM_ALT) 48 49 #if defined(MBEDTLS_GCM_LARGE_TABLE) 50 #define MBEDTLS_GCM_HTABLE_SIZE 256 51 #else 52 #define MBEDTLS_GCM_HTABLE_SIZE 16 53 #endif 54 55 /** 56 * \brief The GCM context structure. 57 */ 58 typedef struct mbedtls_gcm_context { 59 #if defined(MBEDTLS_BLOCK_CIPHER_C) 60 mbedtls_block_cipher_context_t MBEDTLS_PRIVATE(block_cipher_ctx); /*!< The cipher context used. */ 61 #else 62 mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */ 63 #endif 64 uint64_t MBEDTLS_PRIVATE(H)[MBEDTLS_GCM_HTABLE_SIZE][2]; /*!< Precalculated HTable. */ 65 uint64_t MBEDTLS_PRIVATE(len); /*!< The total length of the encrypted data. */ 66 uint64_t MBEDTLS_PRIVATE(add_len); /*!< The total length of the additional data. */ 67 unsigned char MBEDTLS_PRIVATE(base_ectr)[16]; /*!< The first ECTR for tag. */ 68 unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working value. */ 69 unsigned char MBEDTLS_PRIVATE(buf)[16]; /*!< The buf working value. */ 70 unsigned char MBEDTLS_PRIVATE(mode); /*!< The operation to perform: 71 #MBEDTLS_GCM_ENCRYPT or 72 #MBEDTLS_GCM_DECRYPT. */ 73 unsigned char MBEDTLS_PRIVATE(acceleration); /*!< The acceleration to use. */ 74 } 75 mbedtls_gcm_context; 76 77 #else /* !MBEDTLS_GCM_ALT */ 78 #include "gcm_alt.h" 79 #endif /* !MBEDTLS_GCM_ALT */ 80 81 /** 82 * \brief This function initializes the specified GCM context, 83 * to make references valid, and prepares the context 84 * for mbedtls_gcm_setkey() or mbedtls_gcm_free(). 85 * 86 * The function does not bind the GCM context to a particular 87 * cipher, nor set the key. For this purpose, use 88 * mbedtls_gcm_setkey(). 89 * 90 * \param ctx The GCM context to initialize. This must not be \c NULL. 91 */ 92 void mbedtls_gcm_init(mbedtls_gcm_context *ctx); 93 94 /** 95 * \brief This function associates a GCM context with a 96 * cipher algorithm and a key. 97 * 98 * \param ctx The GCM context. This must be initialized. 99 * \param cipher The 128-bit block cipher to use. 100 * \param key The encryption key. This must be a readable buffer of at 101 * least \p keybits bits. 102 * \param keybits The key size in bits. Valid options are: 103 * <ul><li>128 bits</li> 104 * <li>192 bits</li> 105 * <li>256 bits</li></ul> 106 * 107 * \return \c 0 on success. 108 * \return A cipher-specific error code on failure. 109 */ 110 int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx, 111 mbedtls_cipher_id_t cipher, 112 const unsigned char *key, 113 unsigned int keybits); 114 115 /** 116 * \brief This function performs GCM encryption or decryption of a buffer. 117 * 118 * \note The output buffer \p output can be the same as the input 119 * buffer \p input. If \p output is greater than \p input, they 120 * cannot overlap. 121 * 122 * \warning When this function performs a decryption, it outputs the 123 * authentication tag and does not verify that the data is 124 * authentic. You should use this function to perform encryption 125 * only. For decryption, use mbedtls_gcm_auth_decrypt() instead. 126 * 127 * \param ctx The GCM context to use for encryption or decryption. This 128 * must be initialized. 129 * \param mode The operation to perform: 130 * - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption. 131 * The ciphertext is written to \p output and the 132 * authentication tag is written to \p tag. 133 * - #MBEDTLS_GCM_DECRYPT to perform decryption. 134 * The plaintext is written to \p output and the 135 * authentication tag is written to \p tag. 136 * Note that this mode is not recommended, because it does 137 * not verify the authenticity of the data. For this reason, 138 * you should use mbedtls_gcm_auth_decrypt() instead of 139 * calling this function in decryption mode. 140 * \param length The length of the input data, which is equal to the length 141 * of the output data. 142 * \param iv The initialization vector. This must be a readable buffer of 143 * at least \p iv_len Bytes. 144 * \param iv_len The length of the IV. 145 * \param add The buffer holding the additional data. This must be of at 146 * least that size in Bytes. 147 * \param add_len The length of the additional data. 148 * \param input The buffer holding the input data. If \p length is greater 149 * than zero, this must be a readable buffer of at least that 150 * size in Bytes. 151 * \param output The buffer for holding the output data. If \p length is greater 152 * than zero, this must be a writable buffer of at least that 153 * size in Bytes. 154 * \param tag_len The length of the tag to generate. 155 * \param tag The buffer for holding the tag. This must be a writable 156 * buffer of at least \p tag_len Bytes. 157 * 158 * \return \c 0 if the encryption or decryption was performed 159 * successfully. Note that in #MBEDTLS_GCM_DECRYPT mode, 160 * this does not indicate that the data is authentic. 161 * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are 162 * not valid or a cipher-specific error code if the encryption 163 * or decryption failed. 164 */ 165 int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx, 166 int mode, 167 size_t length, 168 const unsigned char *iv, 169 size_t iv_len, 170 const unsigned char *add, 171 size_t add_len, 172 const unsigned char *input, 173 unsigned char *output, 174 size_t tag_len, 175 unsigned char *tag); 176 177 /** 178 * \brief This function performs a GCM authenticated decryption of a 179 * buffer. 180 * 181 * \note The output buffer \p output can be the same as the input 182 * buffer \p input. If \p output is greater than \p input, they 183 * cannot overlap. Implementations which require 184 * MBEDTLS_GCM_ALT to be enabled may not provide support for 185 * overlapping buffers. 186 * 187 * \param ctx The GCM context. This must be initialized. 188 * \param length The length of the ciphertext to decrypt, which is also 189 * the length of the decrypted plaintext. 190 * \param iv The initialization vector. This must be a readable buffer 191 * of at least \p iv_len Bytes. 192 * \param iv_len The length of the IV. 193 * \param add The buffer holding the additional data. This must be of at 194 * least that size in Bytes. 195 * \param add_len The length of the additional data. 196 * \param tag The buffer holding the tag to verify. This must be a 197 * readable buffer of at least \p tag_len Bytes. 198 * \param tag_len The length of the tag to verify. 199 * \param input The buffer holding the ciphertext. If \p length is greater 200 * than zero, this must be a readable buffer of at least that 201 * size. 202 * \param output The buffer for holding the decrypted plaintext. If \p length 203 * is greater than zero, this must be a writable buffer of at 204 * least that size. 205 * 206 * \return \c 0 if successful and authenticated. 207 * \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match. 208 * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are 209 * not valid or a cipher-specific error code if the decryption 210 * failed. 211 */ 212 int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx, 213 size_t length, 214 const unsigned char *iv, 215 size_t iv_len, 216 const unsigned char *add, 217 size_t add_len, 218 const unsigned char *tag, 219 size_t tag_len, 220 const unsigned char *input, 221 unsigned char *output); 222 223 /** 224 * \brief This function starts a GCM encryption or decryption 225 * operation. 226 * 227 * \param ctx The GCM context. This must be initialized. 228 * \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or 229 * #MBEDTLS_GCM_DECRYPT. 230 * \param iv The initialization vector. This must be a readable buffer of 231 * at least \p iv_len Bytes. 232 * \param iv_len The length of the IV. 233 * 234 * \return \c 0 on success. 235 */ 236 int mbedtls_gcm_starts(mbedtls_gcm_context *ctx, 237 int mode, 238 const unsigned char *iv, 239 size_t iv_len); 240 241 /** 242 * \brief This function feeds an input buffer as associated data 243 * (authenticated but not encrypted data) in a GCM 244 * encryption or decryption operation. 245 * 246 * Call this function after mbedtls_gcm_starts() to pass 247 * the associated data. If the associated data is empty, 248 * you do not need to call this function. You may not 249 * call this function after calling mbedtls_cipher_update(). 250 * 251 * \param ctx The GCM context. This must have been started with 252 * mbedtls_gcm_starts() and must not have yet received 253 * any input with mbedtls_gcm_update(). 254 * \param add The buffer holding the additional data, or \c NULL 255 * if \p add_len is \c 0. 256 * \param add_len The length of the additional data. If \c 0, 257 * \p add may be \c NULL. 258 * 259 * \return \c 0 on success. 260 */ 261 int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx, 262 const unsigned char *add, 263 size_t add_len); 264 265 /** 266 * \brief This function feeds an input buffer into an ongoing GCM 267 * encryption or decryption operation. 268 * 269 * You may call this function zero, one or more times 270 * to pass successive parts of the input: the plaintext to 271 * encrypt, or the ciphertext (not including the tag) to 272 * decrypt. After the last part of the input, call 273 * mbedtls_gcm_finish(). 274 * 275 * This function may produce output in one of the following 276 * ways: 277 * - Immediate output: the output length is always equal 278 * to the input length. 279 * - Buffered output: the output consists of a whole number 280 * of 16-byte blocks. If the total input length so far 281 * (not including associated data) is 16 \* *B* + *A* 282 * with *A* < 16 then the total output length is 16 \* *B*. 283 * 284 * In particular: 285 * - It is always correct to call this function with 286 * \p output_size >= \p input_length + 15. 287 * - If \p input_length is a multiple of 16 for all the calls 288 * to this function during an operation, then it is 289 * correct to use \p output_size = \p input_length. 290 * 291 * \note The output buffer \p output can be the same as the input 292 * buffer \p input. If \p output is greater than \p input, they 293 * cannot overlap. Implementations which require 294 * MBEDTLS_GCM_ALT to be enabled may not provide support for 295 * overlapping buffers. 296 * 297 * \param ctx The GCM context. This must be initialized. 298 * \param input The buffer holding the input data. If \p input_length 299 * is greater than zero, this must be a readable buffer 300 * of at least \p input_length bytes. 301 * \param input_length The length of the input data in bytes. 302 * \param output The buffer for the output data. If \p output_size 303 * is greater than zero, this must be a writable buffer of 304 * of at least \p output_size bytes. 305 * \param output_size The size of the output buffer in bytes. 306 * See the function description regarding the output size. 307 * \param output_length On success, \p *output_length contains the actual 308 * length of the output written in \p output. 309 * On failure, the content of \p *output_length is 310 * unspecified. 311 * 312 * \return \c 0 on success. 313 * \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: 314 * total input length too long, 315 * unsupported input/output buffer overlap detected, 316 * or \p output_size too small. 317 */ 318 int mbedtls_gcm_update(mbedtls_gcm_context *ctx, 319 const unsigned char *input, size_t input_length, 320 unsigned char *output, size_t output_size, 321 size_t *output_length); 322 323 /** 324 * \brief This function finishes the GCM operation and generates 325 * the authentication tag. 326 * 327 * It wraps up the GCM stream, and generates the 328 * tag. The tag can have a maximum length of 16 Bytes. 329 * 330 * \param ctx The GCM context. This must be initialized. 331 * \param tag The buffer for holding the tag. This must be a writable 332 * buffer of at least \p tag_len Bytes. 333 * \param tag_len The length of the tag to generate. This must be at least 334 * four. 335 * \param output The buffer for the final output. 336 * If \p output_size is nonzero, this must be a writable 337 * buffer of at least \p output_size bytes. 338 * \param output_size The size of the \p output buffer in bytes. 339 * This must be large enough for the output that 340 * mbedtls_gcm_update() has not produced. In particular: 341 * - If mbedtls_gcm_update() produces immediate output, 342 * or if the total input size is a multiple of \c 16, 343 * then mbedtls_gcm_finish() never produces any output, 344 * so \p output_size can be \c 0. 345 * - \p output_size never needs to be more than \c 15. 346 * \param output_length On success, \p *output_length contains the actual 347 * length of the output written in \p output. 348 * On failure, the content of \p *output_length is 349 * unspecified. 350 * 351 * \return \c 0 on success. 352 * \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure: 353 * invalid value of \p tag_len, 354 * or \p output_size too small. 355 */ 356 int mbedtls_gcm_finish(mbedtls_gcm_context *ctx, 357 unsigned char *output, size_t output_size, 358 size_t *output_length, 359 unsigned char *tag, size_t tag_len); 360 361 /** 362 * \brief This function clears a GCM context and the underlying 363 * cipher sub-context. 364 * 365 * \param ctx The GCM context to clear. If this is \c NULL, the call has 366 * no effect. Otherwise, this must be initialized. 367 */ 368 void mbedtls_gcm_free(mbedtls_gcm_context *ctx); 369 370 #if defined(MBEDTLS_SELF_TEST) 371 372 /** 373 * \brief The GCM checkup routine. 374 * 375 * \return \c 0 on success. 376 * \return \c 1 on failure. 377 */ 378 int mbedtls_gcm_self_test(int verbose); 379 380 #endif /* MBEDTLS_SELF_TEST */ 381 382 #ifdef __cplusplus 383 } 384 #endif 385 386 387 #endif /* gcm.h */ 388