Botan 3.4.0
Crypto and TLS for C&
Public Member Functions | Protected Member Functions | List of all members
Botan::GHASH Class Referencefinal

#include <ghash.h>

Inheritance diagram for Botan::GHASH:
Botan::SymmetricAlgorithm

Public Member Functions

void add_final_block (secure_vector< uint8_t > &x, size_t ad_len, size_t pt_len)
 
void clear () override
 
void final (std::span< uint8_t > out)
 
void ghash_update (secure_vector< uint8_t > &x, std::span< const uint8_t > input)
 
bool has_keying_material () const override
 
Key_Length_Specification key_spec () const override
 
size_t maximum_keylength () const
 
size_t minimum_keylength () const
 
std::string name () const override
 
void nonce_hash (secure_vector< uint8_t > &y0, std::span< const uint8_t > nonce)
 
std::string provider () const
 
void reset ()
 
void set_associated_data (std::span< const uint8_t > ad)
 
void set_key (const SymmetricKey &key)
 
void set_key (const uint8_t key[], size_t length)
 
void set_key (std::span< const uint8_t > key)
 
void start (std::span< const uint8_t > nonce)
 
void update (std::span< const uint8_t > in)
 
void update_associated_data (std::span< const uint8_t > ad)
 
bool valid_keylength (size_t length) const
 

Protected Member Functions

void assert_key_material_set () const
 
void assert_key_material_set (bool predicate) const
 

Detailed Description

GCM's GHASH

Definition at line 18 of file ghash.h.

Member Function Documentation

◆ add_final_block()

void Botan::GHASH::add_final_block ( secure_vector< uint8_t > & x,
size_t ad_len,
size_t pt_len )

Definition at line 177 of file ghash.cpp.

177 {
178 /*
179 * stack buffer is fine here since the text len is public
180 * and the length of the AD is probably not sensitive either.
181 */
182 std::array<uint8_t, GCM_BS> final_block;
183
184 const uint64_t ad_bits = 8 * ad_len;
185 const uint64_t text_bits = 8 * text_len;
186 store_be(final_block, ad_bits, text_bits);
187 ghash_update(hash, final_block);
188}
Botan::GHASH::ghash_update
void ghash_update(secure_vector< uint8_t > &x, std::span< const uint8_t > input)
Definition ghash.cpp:83
Botan::store_be
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:711

References ghash_update(), and Botan::store_be().

Referenced by final(), and nonce_hash().

◆ assert_key_material_set() [1/2]

void Botan::SymmetricAlgorithm::assert_key_material_set ( ) const
inlineprotectedinherited

Definition at line 139 of file sym_algo.h.

139{ assert_key_material_set(has_keying_material()); }
Botan::SymmetricAlgorithm::has_keying_material
virtual bool has_keying_material() const =0
Botan::SymmetricAlgorithm::assert_key_material_set
void assert_key_material_set() const
Definition sym_algo.h:139

References Botan::SymmetricAlgorithm::assert_key_material_set().

Referenced by Botan::SymmetricAlgorithm::assert_key_material_set(), Botan::Salsa20::cipher_bytes(), Botan::AES_128::decrypt_n(), Botan::AES_192::decrypt_n(), Botan::AES_256::decrypt_n(), Botan::ARIA_128::decrypt_n(), Botan::ARIA_192::decrypt_n(), Botan::ARIA_256::decrypt_n(), Botan::Blowfish::decrypt_n(), Botan::Camellia_128::decrypt_n(), Botan::Camellia_192::decrypt_n(), Botan::Camellia_256::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::DES::decrypt_n(), Botan::TripleDES::decrypt_n(), Botan::GOST_28147_89::decrypt_n(), Botan::IDEA::decrypt_n(), Botan::Kuznyechik::decrypt_n(), Botan::Lion::decrypt_n(), Botan::Noekeon::decrypt_n(), Botan::SEED::decrypt_n(), Botan::Serpent::decrypt_n(), Botan::SHACAL2::decrypt_n(), Botan::SM4::decrypt_n(), Botan::Threefish_512::decrypt_n(), Botan::Twofish::decrypt_n(), Botan::AES_128::encrypt_n(), Botan::AES_192::encrypt_n(), Botan::AES_256::encrypt_n(), Botan::ARIA_128::encrypt_n(), Botan::ARIA_192::encrypt_n(), Botan::ARIA_256::encrypt_n(), Botan::Blowfish::encrypt_n(), Botan::Camellia_128::encrypt_n(), Botan::Camellia_192::encrypt_n(), Botan::Camellia_256::encrypt_n(), Botan::CAST_128::encrypt_n(), Botan::DES::encrypt_n(), Botan::TripleDES::encrypt_n(), Botan::GOST_28147_89::encrypt_n(), Botan::IDEA::encrypt_n(), Botan::Kuznyechik::encrypt_n(), Botan::Lion::encrypt_n(), Botan::Noekeon::encrypt_n(), Botan::SEED::encrypt_n(), Botan::Serpent::encrypt_n(), Botan::SHACAL2::encrypt_n(), Botan::SM4::encrypt_n(), Botan::Threefish_512::encrypt_n(), Botan::Twofish::encrypt_n(), final(), ghash_update(), Botan::ChaCha::seek(), Botan::CTR_BE::seek(), Botan::Salsa20::seek(), Botan::OCB_Mode::set_associated_data_n(), Botan::Salsa20::set_iv_bytes(), update(), and update_associated_data().

◆ assert_key_material_set() [2/2]

void Botan::SymmetricAlgorithm::assert_key_material_set ( bool predicate) const
inlineprotectedinherited

Definition at line 141 of file sym_algo.h.

141 {
142 if(!predicate) {
143 throw_key_not_set_error();
144 }
145 }

◆ clear()

void Botan::GHASH::clear ( )
overridevirtual

Reset the internal state. This includes not just the key, but any partial message that may have been in process.

Implements Botan::SymmetricAlgorithm.

Definition at line 211 of file ghash.cpp.

211 {
212 zap(m_H);
213 zap(m_HM);
214 reset();
215}
Botan::GHASH::reset
void reset()
Definition ghash.cpp:217
Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:117

References reset(), and Botan::zap().

◆ final()

void Botan::GHASH::final ( std::span< uint8_t > out)

Definition at line 190 of file ghash.cpp.

190 {
191 BOTAN_ARG_CHECK(!mac.empty() && mac.size() <= 16, "GHASH output length");
192
193 assert_key_material_set();
194 add_final_block(m_ghash, m_ad_len, m_text_len);
195
196 for(size_t i = 0; i != mac.size(); ++i) {
197 mac[i] = m_ghash[i] ^ m_nonce[i];
198 }
199
200 m_ghash.clear();
201 m_text_len = 0;
202}
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
Botan::GHASH::add_final_block
void add_final_block(secure_vector< uint8_t > &x, size_t ad_len, size_t pt_len)
Definition ghash.cpp:177

References add_final_block(), Botan::SymmetricAlgorithm::assert_key_material_set(), and BOTAN_ARG_CHECK.

◆ ghash_update()

void Botan::GHASH::ghash_update ( secure_vector< uint8_t > & x,
std::span< const uint8_t > input )

Definition at line 83 of file ghash.cpp.

83 {
84 assert_key_material_set(!m_H.empty());
85
86 /*
87 This assumes if less than block size input then we're just on the
88 final block and should pad with zeros
89 */
90
91 const size_t full_blocks = input.size() / GCM_BS;
92 const size_t final_bytes = input.size() - (full_blocks * GCM_BS);
93
94 if(full_blocks > 0) {
95 ghash_multiply(ghash, input.first(full_blocks * GCM_BS), full_blocks);
96 }
97
98 if(final_bytes) {
99 uint8_t last_block[GCM_BS] = {0};
100 copy_mem(last_block, input.subspan(full_blocks * GCM_BS).data(), final_bytes);
101 ghash_multiply(ghash, last_block, 1);
102 secure_scrub_memory(last_block, final_bytes);
103 }
104}
Botan::secure_scrub_memory
void secure_scrub_memory(void *ptr, size_t n)
Definition os_utils.cpp:87
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:146

References Botan::SymmetricAlgorithm::assert_key_material_set(), Botan::copy_mem(), and Botan::secure_scrub_memory().

Referenced by add_final_block(), nonce_hash(), set_associated_data(), update(), and update_associated_data().

◆ has_keying_material()

bool Botan::GHASH::has_keying_material ( ) const
overridevirtual
Returns
true if a key has been set on this object

Implements Botan::SymmetricAlgorithm.

Definition at line 106 of file ghash.cpp.

106 {
107 return !m_ghash.empty();
108}

◆ key_spec()

Key_Length_Specification Botan::GHASH::key_spec ( ) const
inlineoverridevirtual
Returns
object describing limits on key size

Implements Botan::SymmetricAlgorithm.

Definition at line 38 of file ghash.h.

38{ return Key_Length_Specification(16); }

◆ maximum_keylength()

size_t Botan::SymmetricAlgorithm::maximum_keylength ( ) const
inlineinherited
Returns
maximum allowed key length

Definition at line 95 of file sym_algo.h.

95{ return key_spec().maximum_keylength(); }
Botan::Key_Length_Specification::maximum_keylength
size_t maximum_keylength() const
Definition sym_algo.h:54
Botan::SymmetricAlgorithm::key_spec
virtual Key_Length_Specification key_spec() const =0

◆ minimum_keylength()

size_t Botan::SymmetricAlgorithm::minimum_keylength ( ) const
inlineinherited
Returns
minimum allowed key length

Definition at line 100 of file sym_algo.h.

100{ return key_spec().minimum_keylength(); }
Botan::Key_Length_Specification::minimum_keylength
size_t minimum_keylength() const
Definition sym_algo.h:49

◆ name()

std::string Botan::GHASH::name ( ) const
inlineoverridevirtual
Returns
the algorithm name

Implements Botan::SymmetricAlgorithm.

Definition at line 46 of file ghash.h.

46{ return "GHASH"; }

◆ nonce_hash()

void Botan::GHASH::nonce_hash ( secure_vector< uint8_t > & y0,
std::span< const uint8_t > nonce )

Definition at line 204 of file ghash.cpp.

204 {
205 BOTAN_ASSERT(m_ghash.empty(), "nonce_hash called during wrong time");
206
207 ghash_update(y0, nonce);
208 add_final_block(y0, 0, nonce.size());
209}
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50

References add_final_block(), BOTAN_ASSERT, and ghash_update().

◆ provider()

std::string Botan::GHASH::provider ( ) const

Definition at line 20 of file ghash.cpp.

20 {
21#if defined(BOTAN_HAS_GHASH_CLMUL_CPU)
22 if(CPUID::has_carryless_multiply()) {
23 return "clmul";
24 }
25#endif
26
27#if defined(BOTAN_HAS_GHASH_CLMUL_VPERM)
28 if(CPUID::has_vperm()) {
29 return "vperm";
30 }
31#endif
32
33 return "base";
34}
Botan::CPUID::has_vperm
static bool has_vperm()
Definition cpuid.h:277
Botan::CPUID::has_carryless_multiply
static bool has_carryless_multiply()
Definition cpuid.h:308

References Botan::CPUID::has_carryless_multiply(), and Botan::CPUID::has_vperm().

◆ reset()

void Botan::GHASH::reset ( )

Definition at line 217 of file ghash.cpp.

217 {
218 zeroise(m_H_ad);
219 m_ghash.clear();
220 m_nonce.clear();
221 m_text_len = m_ad_len = 0;
222}
Botan::zeroise
void zeroise(std::vector< T, Alloc > &vec)
Definition secmem.h:108

References Botan::zeroise().

Referenced by clear().

◆ set_associated_data()

void Botan::GHASH::set_associated_data ( std::span< const uint8_t > ad)

Definition at line 154 of file ghash.cpp.

154 {
155 if(m_ghash.empty() == false) {
156 throw Invalid_State("Too late to set AD in GHASH");
157 }
158
159 zeroise(m_H_ad);
160
161 ghash_update(m_H_ad, input);
162 m_ad_len = input.size();
163}

References ghash_update(), and Botan::zeroise().

◆ set_key() [1/3]

void Botan::SymmetricAlgorithm::set_key ( const SymmetricKey & key)
inlineinherited

Set the symmetric key of this object.

Parameters
keythe SymmetricKey to be set.

Definition at line 113 of file sym_algo.h.

113{ set_key(std::span{key.begin(), key.length()}); }
Botan::SymmetricAlgorithm::set_key
void set_key(const SymmetricKey &key)
Definition sym_algo.h:113

References Botan::OctetString::begin(), Botan::OctetString::length(), and Botan::SymmetricAlgorithm::set_key().

Referenced by Botan::create_aes_row_generator(), Botan::Sodium::crypto_stream_salsa20(), Botan::Sodium::crypto_stream_salsa20_xor_ic(), Botan::Sodium::crypto_stream_xsalsa20(), Botan::Sodium::crypto_stream_xsalsa20_xor_ic(), Botan::FPE::fe1_decrypt(), Botan::FPE::fe1_encrypt(), Botan::Sphincs_Hash_Functions_Sha2::PRF_msg(), Botan::Sodium::randombytes_buf_deterministic(), and Botan::SymmetricAlgorithm::set_key().

◆ set_key() [2/3]

void Botan::SymmetricAlgorithm::set_key ( const uint8_t key[],
size_t length )
inlineinherited

Set the symmetric key of this object.

Parameters
keythe to be set as a byte array.
lengthin bytes of key param

Definition at line 126 of file sym_algo.h.

126{ set_key(std::span{key, length}); }

References Botan::SymmetricAlgorithm::set_key().

Referenced by Botan::SymmetricAlgorithm::set_key().

◆ set_key() [3/3]

void Botan::SymmetricAlgorithm::set_key ( std::span< const uint8_t > key)
inherited

Set the symmetric key of this object.

Parameters
keythe contiguous byte range to be set.

Definition at line 17 of file sym_algo.cpp.

17 {
18 if(!valid_keylength(key.size())) {
19 throw Invalid_Key_Length(name(), key.size());
20 }
21 key_schedule(key);
22}
Botan::SymmetricAlgorithm::valid_keylength
bool valid_keylength(size_t length) const
Definition sym_algo.h:107
Botan::SymmetricAlgorithm::name
virtual std::string name() const =0

References Botan::SymmetricAlgorithm::name(), and Botan::SymmetricAlgorithm::valid_keylength().

◆ start()

void Botan::GHASH::start ( std::span< const uint8_t > nonce)

Definition at line 148 of file ghash.cpp.

148 {
149 BOTAN_ARG_CHECK(nonce.size() == 16, "GHASH requires a 128-bit nonce");
150 m_nonce.assign(nonce.begin(), nonce.end()); // TODO: C++23: assign_range
151 m_ghash = m_H_ad;
152}

References BOTAN_ARG_CHECK.

◆ update()

void Botan::GHASH::update ( std::span< const uint8_t > in)

Definition at line 171 of file ghash.cpp.

171 {
172 assert_key_material_set();
173 m_text_len += input.size();
174 ghash_update(m_ghash, input);
175}

References Botan::SymmetricAlgorithm::assert_key_material_set(), and ghash_update().

◆ update_associated_data()

void Botan::GHASH::update_associated_data ( std::span< const uint8_t > ad)

Definition at line 165 of file ghash.cpp.

165 {
166 assert_key_material_set();
167 m_ad_len += ad.size();
168 ghash_update(m_ghash, ad);
169}

References Botan::SymmetricAlgorithm::assert_key_material_set(), and ghash_update().

◆ valid_keylength()

bool Botan::SymmetricAlgorithm::valid_keylength ( size_t length) const
inlineinherited

Check whether a given key length is valid for this algorithm.

Parameters
lengththe key length to be checked.
Returns
true if the key length is valid.

Definition at line 107 of file sym_algo.h.

107{ return key_spec().valid_keylength(length); }
Botan::Key_Length_Specification::valid_keylength
bool valid_keylength(size_t length) const
Definition sym_algo.h:42

Referenced by Botan::SymmetricAlgorithm::set_key().

The documentation for this class was generated from the following files:
Generated by doxygen 1.10.0