TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / trusted-firmware-m / b9309b69b76b04fcdfe331fbd96d1fc5e040f85a / . / interface / include / mbedtls / gcm.h
blob: 390ed4c6d04fd18817efa207e98bf0e87b95082b [file] [log] [blame]
Antonio de Angelis8bb98512024-01-16 14:13:36 +0000[diff] [blame]1/**
2 * \file gcm.h
3 *
4 * \brief This file contains GCM definitions and functions.
5 *
6 * The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined
7 * in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
8 * (GCM), Natl. Inst. Stand. Technol.</em>
9 *
10 * For more information on GCM, see <em>NIST SP 800-38D: Recommendation for
11 * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</em>.
12 *
13 */
14/*
15 * Copyright The Mbed TLS Contributors
16 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
17 */
18
19#ifndef MBEDTLS_GCM_H
20#define MBEDTLS_GCM_H
21#include "mbedtls/private_access.h"
22
23#include "mbedtls/build_info.h"
24
25#include "mbedtls/cipher.h"
26
27#if defined(MBEDTLS_BLOCK_CIPHER_C)
28#include "mbedtls/block_cipher.h"
29#endif
30
31#include <stdint.h>
32
33#define MBEDTLS_GCM_ENCRYPT 1
34#define MBEDTLS_GCM_DECRYPT 0
35
36/** Authenticated decryption failed. */
37#define MBEDTLS_ERR_GCM_AUTH_FAILED -0x0012
38/** Bad input parameters to function. */
39#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014
40/** An output buffer is too small. */
41#define MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL -0x0016
42
43#ifdef __cplusplus
44extern "C" {
45#endif
46
47#if !defined(MBEDTLS_GCM_ALT)
48
49#if defined(MBEDTLS_GCM_LARGE_TABLE)
50#define MBEDTLS_GCM_HTABLE_SIZE 256
51#else
52#define MBEDTLS_GCM_HTABLE_SIZE 16
53#endif
54
55/**
56 * \brief The GCM context structure.
57 */
58typedef struct mbedtls_gcm_context {
59#if defined(MBEDTLS_BLOCK_CIPHER_C)
60 mbedtls_block_cipher_context_t MBEDTLS_PRIVATE(block_cipher_ctx); /*!< The cipher context used. */
61#else
62 mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
63#endif
64 uint64_t MBEDTLS_PRIVATE(H)[MBEDTLS_GCM_HTABLE_SIZE][2]; /*!< Precalculated HTable. */
65 uint64_t MBEDTLS_PRIVATE(len); /*!< The total length of the encrypted data. */
66 uint64_t MBEDTLS_PRIVATE(add_len); /*!< The total length of the additional data. */
67 unsigned char MBEDTLS_PRIVATE(base_ectr)[16]; /*!< The first ECTR for tag. */
68 unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working value. */
69 unsigned char MBEDTLS_PRIVATE(buf)[16]; /*!< The buf working value. */
70 unsigned char MBEDTLS_PRIVATE(mode); /*!< The operation to perform:
71 #MBEDTLS_GCM_ENCRYPT or
72 #MBEDTLS_GCM_DECRYPT. */
73 unsigned char MBEDTLS_PRIVATE(acceleration); /*!< The acceleration to use. */
74}
75mbedtls_gcm_context;
76
77#else /* !MBEDTLS_GCM_ALT */
78#include "gcm_alt.h"
79#endif /* !MBEDTLS_GCM_ALT */
80
81/**
82 * \brief This function initializes the specified GCM context,
83 * to make references valid, and prepares the context
84 * for mbedtls_gcm_setkey() or mbedtls_gcm_free().
85 *
86 * The function does not bind the GCM context to a particular
87 * cipher, nor set the key. For this purpose, use
88 * mbedtls_gcm_setkey().
89 *
90 * \param ctx The GCM context to initialize. This must not be \c NULL.
91 */
92void mbedtls_gcm_init(mbedtls_gcm_context *ctx);
93
94/**
95 * \brief This function associates a GCM context with a
96 * cipher algorithm and a key.
97 *
98 * \param ctx The GCM context. This must be initialized.
99 * \param cipher The 128-bit block cipher to use.
100 * \param key The encryption key. This must be a readable buffer of at
101 * least \p keybits bits.
102 * \param keybits The key size in bits. Valid options are:
103 * <ul><li>128 bits</li>
104 * <li>192 bits</li>
105 * <li>256 bits</li></ul>
106 *
107 * \return \c 0 on success.
108 * \return A cipher-specific error code on failure.
109 */
110int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx,
111 mbedtls_cipher_id_t cipher,
112 const unsigned char *key,
113 unsigned int keybits);
114
115/**
116 * \brief This function performs GCM encryption or decryption of a buffer.
117 *
David Vincze485c5ac2025-03-21 11:14:56 +0000[diff] [blame]118 * \note The output buffer \p output can be the same as the input
119 * buffer \p input. If \p output is greater than \p input, they
120 * cannot overlap.
Antonio de Angelis8bb98512024-01-16 14:13:36 +0000[diff] [blame]121 *
122 * \warning When this function performs a decryption, it outputs the
123 * authentication tag and does not verify that the data is
124 * authentic. You should use this function to perform encryption
125 * only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
126 *
127 * \param ctx The GCM context to use for encryption or decryption. This
128 * must be initialized.
129 * \param mode The operation to perform:
130 * - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
131 * The ciphertext is written to \p output and the
132 * authentication tag is written to \p tag.
133 * - #MBEDTLS_GCM_DECRYPT to perform decryption.
134 * The plaintext is written to \p output and the
135 * authentication tag is written to \p tag.
136 * Note that this mode is not recommended, because it does
137 * not verify the authenticity of the data. For this reason,
138 * you should use mbedtls_gcm_auth_decrypt() instead of
139 * calling this function in decryption mode.
140 * \param length The length of the input data, which is equal to the length
141 * of the output data.
142 * \param iv The initialization vector. This must be a readable buffer of
143 * at least \p iv_len Bytes.
144 * \param iv_len The length of the IV.
145 * \param add The buffer holding the additional data. This must be of at
146 * least that size in Bytes.
147 * \param add_len The length of the additional data.
148 * \param input The buffer holding the input data. If \p length is greater
149 * than zero, this must be a readable buffer of at least that
150 * size in Bytes.
151 * \param output The buffer for holding the output data. If \p length is greater
152 * than zero, this must be a writable buffer of at least that
153 * size in Bytes.
154 * \param tag_len The length of the tag to generate.
155 * \param tag The buffer for holding the tag. This must be a writable
156 * buffer of at least \p tag_len Bytes.
157 *
158 * \return \c 0 if the encryption or decryption was performed
159 * successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
160 * this does not indicate that the data is authentic.
161 * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
162 * not valid or a cipher-specific error code if the encryption
163 * or decryption failed.
164 */
165int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx,
166 int mode,
167 size_t length,
168 const unsigned char *iv,
169 size_t iv_len,
170 const unsigned char *add,
171 size_t add_len,
172 const unsigned char *input,
173 unsigned char *output,
174 size_t tag_len,
175 unsigned char *tag);
176
177/**
178 * \brief This function performs a GCM authenticated decryption of a
179 * buffer.
180 *
David Vincze485c5ac2025-03-21 11:14:56 +0000[diff] [blame]181 * \note The output buffer \p output can be the same as the input
182 * buffer \p input. If \p output is greater than \p input, they
183 * cannot overlap. Implementations which require
184 * MBEDTLS_GCM_ALT to be enabled may not provide support for
185 * overlapping buffers.
Antonio de Angelis8bb98512024-01-16 14:13:36 +0000[diff] [blame]186 *
187 * \param ctx The GCM context. This must be initialized.
188 * \param length The length of the ciphertext to decrypt, which is also
189 * the length of the decrypted plaintext.
190 * \param iv The initialization vector. This must be a readable buffer
191 * of at least \p iv_len Bytes.
192 * \param iv_len The length of the IV.
193 * \param add The buffer holding the additional data. This must be of at
194 * least that size in Bytes.
195 * \param add_len The length of the additional data.
196 * \param tag The buffer holding the tag to verify. This must be a
197 * readable buffer of at least \p tag_len Bytes.
198 * \param tag_len The length of the tag to verify.
199 * \param input The buffer holding the ciphertext. If \p length is greater
200 * than zero, this must be a readable buffer of at least that
201 * size.
202 * \param output The buffer for holding the decrypted plaintext. If \p length
203 * is greater than zero, this must be a writable buffer of at
204 * least that size.
205 *
206 * \return \c 0 if successful and authenticated.
207 * \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
208 * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
209 * not valid or a cipher-specific error code if the decryption
210 * failed.
211 */
212int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
213 size_t length,
214 const unsigned char *iv,
215 size_t iv_len,
216 const unsigned char *add,
217 size_t add_len,
218 const unsigned char *tag,
219 size_t tag_len,
220 const unsigned char *input,
221 unsigned char *output);
222
223/**
224 * \brief This function starts a GCM encryption or decryption
225 * operation.
226 *
227 * \param ctx The GCM context. This must be initialized.
228 * \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or
229 * #MBEDTLS_GCM_DECRYPT.
230 * \param iv The initialization vector. This must be a readable buffer of
231 * at least \p iv_len Bytes.
232 * \param iv_len The length of the IV.
233 *
234 * \return \c 0 on success.
235 */
236int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
237 int mode,
238 const unsigned char *iv,
239 size_t iv_len);
240
241/**
242 * \brief This function feeds an input buffer as associated data
243 * (authenticated but not encrypted data) in a GCM
244 * encryption or decryption operation.
245 *
246 * Call this function after mbedtls_gcm_starts() to pass
247 * the associated data. If the associated data is empty,
248 * you do not need to call this function. You may not
249 * call this function after calling mbedtls_cipher_update().
250 *
251 * \param ctx The GCM context. This must have been started with
252 * mbedtls_gcm_starts() and must not have yet received
253 * any input with mbedtls_gcm_update().
254 * \param add The buffer holding the additional data, or \c NULL
255 * if \p add_len is \c 0.
256 * \param add_len The length of the additional data. If \c 0,
257 * \p add may be \c NULL.
258 *
259 * \return \c 0 on success.
260 */
261int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx,
262 const unsigned char *add,
263 size_t add_len);
264
265/**
266 * \brief This function feeds an input buffer into an ongoing GCM
267 * encryption or decryption operation.
268 *
269 * You may call this function zero, one or more times
270 * to pass successive parts of the input: the plaintext to
271 * encrypt, or the ciphertext (not including the tag) to
272 * decrypt. After the last part of the input, call
273 * mbedtls_gcm_finish().
274 *
275 * This function may produce output in one of the following
276 * ways:
277 * - Immediate output: the output length is always equal
278 * to the input length.
279 * - Buffered output: the output consists of a whole number
280 * of 16-byte blocks. If the total input length so far
281 * (not including associated data) is 16 \* *B* + *A*
282 * with *A* < 16 then the total output length is 16 \* *B*.
283 *
284 * In particular:
285 * - It is always correct to call this function with
286 * \p output_size >= \p input_length + 15.
287 * - If \p input_length is a multiple of 16 for all the calls
288 * to this function during an operation, then it is
289 * correct to use \p output_size = \p input_length.
290 *
David Vincze485c5ac2025-03-21 11:14:56 +0000[diff] [blame]291 * \note The output buffer \p output can be the same as the input
292 * buffer \p input. If \p output is greater than \p input, they
293 * cannot overlap. Implementations which require
294 * MBEDTLS_GCM_ALT to be enabled may not provide support for
295 * overlapping buffers.
Antonio de Angelis8bb98512024-01-16 14:13:36 +0000[diff] [blame]296 *
297 * \param ctx The GCM context. This must be initialized.
298 * \param input The buffer holding the input data. If \p input_length
299 * is greater than zero, this must be a readable buffer
300 * of at least \p input_length bytes.
301 * \param input_length The length of the input data in bytes.
302 * \param output The buffer for the output data. If \p output_size
303 * is greater than zero, this must be a writable buffer of
304 * of at least \p output_size bytes.
305 * \param output_size The size of the output buffer in bytes.
306 * See the function description regarding the output size.
307 * \param output_length On success, \p *output_length contains the actual
308 * length of the output written in \p output.
309 * On failure, the content of \p *output_length is
310 * unspecified.
311 *
312 * \return \c 0 on success.
313 * \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure:
314 * total input length too long,
315 * unsupported input/output buffer overlap detected,
316 * or \p output_size too small.
317 */
318int mbedtls_gcm_update(mbedtls_gcm_context *ctx,
319 const unsigned char *input, size_t input_length,
320 unsigned char *output, size_t output_size,
321 size_t *output_length);
322
323/**
324 * \brief This function finishes the GCM operation and generates
325 * the authentication tag.
326 *
327 * It wraps up the GCM stream, and generates the
328 * tag. The tag can have a maximum length of 16 Bytes.
329 *
330 * \param ctx The GCM context. This must be initialized.
331 * \param tag The buffer for holding the tag. This must be a writable
332 * buffer of at least \p tag_len Bytes.
333 * \param tag_len The length of the tag to generate. This must be at least
334 * four.
335 * \param output The buffer for the final output.
336 * If \p output_size is nonzero, this must be a writable
337 * buffer of at least \p output_size bytes.
338 * \param output_size The size of the \p output buffer in bytes.
339 * This must be large enough for the output that
340 * mbedtls_gcm_update() has not produced. In particular:
341 * - If mbedtls_gcm_update() produces immediate output,
342 * or if the total input size is a multiple of \c 16,
343 * then mbedtls_gcm_finish() never produces any output,
344 * so \p output_size can be \c 0.
345 * - \p output_size never needs to be more than \c 15.
346 * \param output_length On success, \p *output_length contains the actual
347 * length of the output written in \p output.
348 * On failure, the content of \p *output_length is
349 * unspecified.
350 *
351 * \return \c 0 on success.
352 * \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure:
353 * invalid value of \p tag_len,
354 * or \p output_size too small.
355 */
356int mbedtls_gcm_finish(mbedtls_gcm_context *ctx,
357 unsigned char *output, size_t output_size,
358 size_t *output_length,
359 unsigned char *tag, size_t tag_len);
360
361/**
362 * \brief This function clears a GCM context and the underlying
363 * cipher sub-context.
364 *
365 * \param ctx The GCM context to clear. If this is \c NULL, the call has
366 * no effect. Otherwise, this must be initialized.
367 */
368void mbedtls_gcm_free(mbedtls_gcm_context *ctx);
369
370#if defined(MBEDTLS_SELF_TEST)
371
372/**
373 * \brief The GCM checkup routine.
374 *
375 * \return \c 0 on success.
376 * \return \c 1 on failure.
377 */
378int mbedtls_gcm_self_test(int verbose);
379
380#endif /* MBEDTLS_SELF_TEST */
381
382#ifdef __cplusplus
383}
384#endif
385
386
387#endif /* gcm.h */