ccm.h

   1 /* ccm.h
   2
   3    Counter with CBC-MAC mode, specified by NIST,
   4    http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
   5
   6    Copyright (C) 2014 Exegin Technologies Limited
   7    Copyright (C) 2014 Owen Kirby
   8
   9    Contributed to GNU Nettle by Owen Kirby
  10
  11    This file is part of GNU Nettle.
  12
  13    GNU Nettle is free software: you can redistribute it and/or
  14    modify it under the terms of either:
  15
  16      * the GNU Lesser General Public License as published by the Free
  17        Software Foundation; either version 3 of the License, or (at your
  18        option) any later version.
  19
  20    or
  21
  22      * the GNU General Public License as published by the Free
  23        Software Foundation; either version 2 of the License, or (at your
  24        option) any later version.
  25
  26    or both in parallel, as here.
  27
  28    GNU Nettle is distributed in the hope that it will be useful,
  29    but WITHOUT ANY WARRANTY; without even the implied warranty of
  30    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  31    General Public License for more details.
  32
  33    You should have received copies of the GNU General Public License and
  34    the GNU Lesser General Public License along with this program.  If
  35    not, see http://www.gnu.org/licenses/.
  36 */
  37
  38 /* NIST SP800-38C doesn't specify the particular formatting and
  39  * counter generation algorithm for CCM, but it does include an
  40  * example algorithm. This example has become the de-factor standard,
  41  * and has been adopted by both the IETF and IEEE across a wide
  42  * variety of protocols.
  43  */
  44
  45 #ifndef NETTLE_CCM_H_INCLUDED
  46 #define NETTLE_CCM_H_INCLUDED
  47
  48 #include "aes.h"
  49
  50 #ifdef __cplusplus
  51 extern "C" {
  52 #endif
  53
  54 /* Name mangling */
  55 #define ccm_set_nonce nettle_ccm_set_nonce
  56 #define ccm_update nettle_ccm_update
  57 #define ccm_encrypt nettle_ccm_encrypt
  58 #define ccm_decrypt nettle_ccm_decrypt
  59 #define ccm_digest nettle_ccm_digest
  60 #define ccm_encrypt_message nettle_ccm_encrypt_message
  61 #define ccm_decrypt_message nettle_ccm_decrypt_message
  62
  63 #define ccm_aes128_set_key nettle_ccm_aes128_set_key
  64 #define ccm_aes128_set_nonce nettle_ccm_aes128_set_nonce
  65 #define ccm_aes128_update nettle_ccm_aes128_update
  66 #define ccm_aes128_encrypt nettle_ccm_aes128_encrypt
  67 #define ccm_aes128_decrypt nettle_ccm_aes128_decrypt
  68 #define ccm_aes128_digest nettle_ccm_aes128_digest
  69 #define ccm_aes128_encrypt_message nettle_ccm_aes128_encrypt_message
  70 #define ccm_aes128_decrypt_message nettle_ccm_aes128_decrypt_message
  71
  72 #define ccm_aes192_set_key nettle_ccm_aes192_set_key
  73 #define ccm_aes192_set_nonce nettle_ccm_aes192_set_nonce
  74 #define ccm_aes192_update nettle_ccm_aes192_update
  75 #define ccm_aes192_encrypt nettle_ccm_aes192_encrypt
  76 #define ccm_aes192_decrypt nettle_ccm_aes192_decrypt
  77 #define ccm_aes192_digest nettle_ccm_aes192_digest
  78 #define ccm_aes192_encrypt_message nettle_ccm_aes192_encrypt_message
  79 #define ccm_aes192_decrypt_message nettle_ccm_aes192_decrypt_message
  80
  81 #define ccm_aes256_set_key nettle_ccm_aes256_set_key
  82 #define ccm_aes256_set_nonce nettle_ccm_aes256_set_nonce
  83 #define ccm_aes256_update nettle_ccm_aes256_update
  84 #define ccm_aes256_encrypt nettle_ccm_aes256_encrypt
  85 #define ccm_aes256_decrypt nettle_ccm_aes256_decrypt
  86 #define ccm_aes256_digest nettle_ccm_aes256_digest
  87 #define ccm_aes256_encrypt_message nettle_ccm_aes256_encrypt_message
  88 #define ccm_aes256_decrypt_message nettle_ccm_aes256_decrypt_message
  89
  90 /* For CCM, the block size of the block cipher shall be 128 bits. */
  91 #define CCM_BLOCK_SIZE  16
  92 #define CCM_DIGEST_SIZE 16
  93 #define CCM_MIN_NONCE_SIZE 7
  94 #define CCM_MAX_NONCE_SIZE 14
  95
  96 /* Maximum cleartext message size, as a function of the nonce size N.
  97    The length field is L octets, with L = 15 - N, and then the maximum
  98    size M = 2^{8L} - 1. */
  99 #define CCM_MAX_MSG_SIZE(N)                     \
 100   ((sizeof(size_t) + (N) <= 15)                 \
 101    ? ~(size_t) 0                                \
 102    : ((size_t) 1 << (8*(15 - N))) - 1)
 103
 104 /* Per-message state */
 105 struct ccm_ctx {
 106   union nettle_block16 ctr;     /* Counter for CTR encryption. */
 107   union nettle_block16 tag;     /* CBC-MAC message tag. */
 108   /* Length of data processed by the CBC-MAC modulus the block size */
 109   unsigned int blength;
 110 };
 111
 112 /*
 113  * CCM mode requires the adata and message lengths when building the IV, which
 114  * prevents streaming processing and it incompatible with the AEAD API.
 115  */
 116 void
 117 ccm_set_nonce(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
 118               size_t noncelen, const uint8_t *nonce,
 119               size_t authlen, size_t msglen, size_t taglen);
 120
 121 void
 122 ccm_update(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
 123             size_t length, const uint8_t *data);
 124
 125 void
 126 ccm_encrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
 127             size_t length, uint8_t *dst, const uint8_t *src);
 128
 129 void
 130 ccm_decrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
 131             size_t length, uint8_t *dst, const uint8_t *src);
 132
 133 void
 134 ccm_digest(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f,
 135            size_t length, uint8_t *digest);
 136
 137 /*
 138  * All-in-one encryption and decryption API:
 139  *  tlength = sizeof(digest)
 140  *  mlength = sizeof(cleartext)
 141  *  clength = sizeof(ciphertext) = mlength + tlength
 142  *
 143  * The ciphertext will contain the encrypted payload with the message digest
 144  * appended to the end.
 145  */
 146 void
 147 ccm_encrypt_message(const void *cipher, nettle_cipher_func *f,
 148                     size_t nlength, const uint8_t *nonce,
 149                     size_t alength, const uint8_t *adata,
 150                     size_t tlength,
 151                     size_t clength, uint8_t *dst, const uint8_t *src);
 152
 153 /*
 154  * The decryption function will write the plaintext to dst and parse the digest
 155  * from the final tlength bytes of the ciphertext. If the digest matched the
 156  * value computed during decryption then this will return 1, or it will return
 157  * 0 if the digest was invalid.
 158  */
 159 int
 160 ccm_decrypt_message(const void *cipher, nettle_cipher_func *f,
 161                     size_t nlength, const uint8_t *nonce,
 162                     size_t alength, const uint8_t *adata,
 163                     size_t tlength,
 164                     size_t mlength, uint8_t *dst, const uint8_t *src);
 165
 166 /* CCM Mode with AES-128 */
 167 struct ccm_aes128_ctx {
 168     struct ccm_ctx      ccm;
 169     struct aes128_ctx   cipher;
 170 };
 171
 172 void
 173 ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key);
 174
 175 void
 176 ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx,
 177                      size_t length, const uint8_t *nonce,
 178                      size_t authlen, size_t msglen, size_t taglen);
 179
 180 void
 181 ccm_aes128_update (struct ccm_aes128_ctx *ctx,
 182                    size_t length, const uint8_t *data);
 183
 184 void
 185 ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx,
 186                    size_t length, uint8_t *dst, const uint8_t *src);
 187
 188 void
 189 ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx,
 190                    size_t length, uint8_t *dst, const uint8_t *src);
 191
 192 void
 193 ccm_aes128_digest(struct ccm_aes128_ctx *ctx,
 194                   size_t length, uint8_t *digest);
 195
 196 /* FIXME: For next API/ABI break: first argument should be const
 197    struct aes128_ctx *, and similarly for other ccm_*_message
 198    functions below. */
 199 void
 200 ccm_aes128_encrypt_message(struct ccm_aes128_ctx *ctx,
 201                            size_t nlength, const uint8_t *nonce,
 202                            size_t alength, const uint8_t *adata,
 203                            size_t tlength,
 204                            size_t clength, uint8_t *dst, const uint8_t *src);
 205
 206 int
 207 ccm_aes128_decrypt_message(struct ccm_aes128_ctx *ctx,
 208                            size_t nlength, const uint8_t *nonce,
 209                            size_t alength, const uint8_t *adata,
 210                            size_t tlength,
 211                            size_t mlength, uint8_t *dst, const uint8_t *src);
 212
 213 struct ccm_aes192_ctx {
 214     struct ccm_ctx      ccm;
 215     struct aes192_ctx   cipher;
 216 };
 217
 218 /* CCM Mode with AES-192 */
 219 void
 220 ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key);
 221
 222 void
 223 ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx,
 224                      size_t length, const uint8_t *nonce,
 225                      size_t authlen, size_t msglen, size_t taglen);
 226
 227 void
 228 ccm_aes192_update(struct ccm_aes192_ctx *ctx,
 229                   size_t length, const uint8_t *data);
 230
 231 void
 232 ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx,
 233                    size_t length, uint8_t *dst, const uint8_t *src);
 234
 235 void
 236 ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx,
 237                    size_t length, uint8_t *dst, const uint8_t *src);
 238
 239 void
 240 ccm_aes192_digest(struct ccm_aes192_ctx *ctx,
 241                   size_t length, uint8_t *digest);
 242
 243 void
 244 ccm_aes192_encrypt_message(struct ccm_aes192_ctx *ctx,
 245                            size_t nlength, const uint8_t *nonce,
 246                            size_t alength, const uint8_t *adata,
 247                            size_t tlength,
 248                            size_t clength, uint8_t *dst, const uint8_t *src);
 249
 250 int
 251 ccm_aes192_decrypt_message(struct ccm_aes192_ctx *ctx,
 252                            size_t nlength, const uint8_t *nonce,
 253                            size_t alength, const uint8_t *adata,
 254                            size_t tlength,
 255                            size_t mlength, uint8_t *dst, const uint8_t *src);
 256
 257 /* CCM Mode with AES-256 */
 258 struct ccm_aes256_ctx {
 259     struct ccm_ctx      ccm;
 260     struct aes256_ctx   cipher;
 261 };
 262
 263 void
 264 ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key);
 265
 266 void
 267 ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx,
 268                      size_t length, const uint8_t *nonce,
 269                      size_t authlen, size_t msglen, size_t taglen);
 270
 271 void
 272 ccm_aes256_update(struct ccm_aes256_ctx *ctx,
 273                   size_t length, const uint8_t *data);
 274
 275 void
 276 ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx,
 277                    size_t length, uint8_t *dst, const uint8_t *src);
 278
 279 void
 280 ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx,
 281                    size_t length, uint8_t *dst, const uint8_t *src);
 282
 283 void
 284 ccm_aes256_digest(struct ccm_aes256_ctx *ctx,
 285                   size_t length, uint8_t *digest);
 286
 287 void
 288 ccm_aes256_encrypt_message(struct ccm_aes256_ctx *ctx,
 289                            size_t nlength, const uint8_t *nonce,
 290                            size_t alength, const uint8_t *adata,
 291                            size_t tlength,
 292                            size_t clength, uint8_t *dst, const uint8_t *src);
 293
 294 int
 295 ccm_aes256_decrypt_message(struct ccm_aes256_ctx *ctx,
 296                            size_t nlength, const uint8_t *nonce,
 297                            size_t alength, const uint8_t *adata,
 298                            size_t tlength,
 299                            size_t mlength, uint8_t *dst, const uint8_t *src);
 300
 301 #ifdef __cplusplus
 302 }
 303 #endif
 304
 305 #endif /* NETTLE_CCM_H_INCLUDED */