Botan 3.6.1
Crypto and TLS for C&
Public Member Functions | Protected Member Functions | List of all members
Botan::GHASH Class Referencefinal

#include <ghash.h>

Inheritance diagram for Botan::GHASH:
Botan::SymmetricAlgorithm

Public Member Functions

void add_final_block (secure_vector< uint8_t > &x, size_t ad_len, size_t pt_len)
 
void clear () override
 
void final (std::span< uint8_t > out)
 
void ghash_update (secure_vector< uint8_t > &x, std::span< const uint8_t > input)
 
bool has_keying_material () const override
 
Key_Length_Specification key_spec () const override
 
size_t maximum_keylength () const
 
size_t minimum_keylength () const
 
std::string name () const override
 
void nonce_hash (secure_vector< uint8_t > &y0, std::span< const uint8_t > nonce)
 
std::string provider () const
 
void reset ()
 
void set_associated_data (std::span< const uint8_t > ad)
 
void set_key (const SymmetricKey &key)
 
void set_key (const uint8_t key[], size_t length)
 
void set_key (std::span< const uint8_t > key)
 
void start (std::span< const uint8_t > nonce)
 
void update (std::span< const uint8_t > in)
 
void update_associated_data (std::span< const uint8_t > ad)
 
bool valid_keylength (size_t length) const
 

Protected Member Functions

void assert_key_material_set () const
 
void assert_key_material_set (bool predicate) const
 

Detailed Description

GCM's GHASH

Definition at line 18 of file ghash.h.

Member Function Documentation

◆ add_final_block()

void Botan::GHASH::add_final_block ( secure_vector< uint8_t > & x,
size_t ad_len,
size_t pt_len )

Definition at line 176 of file ghash.cpp.

176 {
177 /*
178 * stack buffer is fine here since the text len is public
179 * and the length of the AD is probably not sensitive either.
180 */
181 std::array<uint8_t, GCM_BS> final_block;
182
183 const uint64_t ad_bits = 8 * ad_len;
184 const uint64_t text_bits = 8 * text_len;
185 store_be(final_block, ad_bits, text_bits);
186 ghash_update(hash, final_block);
187}
Botan::GHASH::ghash_update
void ghash_update(secure_vector< uint8_t > &x, std::span< const uint8_t > input)
Definition ghash.cpp:82
Botan::store_be
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:773

References ghash_update(), and Botan::store_be().

Referenced by final(), and nonce_hash().

◆ assert_key_material_set() [1/2]

void Botan::SymmetricAlgorithm::assert_key_material_set ( ) const
inlineprotectedinherited

Definition at line 139 of file sym_algo.h.

139{ assert_key_material_set(has_keying_material()); }
Botan::SymmetricAlgorithm::has_keying_material
virtual bool has_keying_material() const =0
Botan::SymmetricAlgorithm::assert_key_material_set
void assert_key_material_set() const
Definition sym_algo.h:139

References Botan::SymmetricAlgorithm::assert_key_material_set().

Referenced by Botan::SymmetricAlgorithm::assert_key_material_set(), Botan::Salsa20::cipher_bytes(), Botan::AES_128::decrypt_n(), Botan::AES_192::decrypt_n(), Botan::AES_256::decrypt_n(), Botan::ARIA_128::decrypt_n(), Botan::ARIA_192::decrypt_n(), Botan::ARIA_256::decrypt_n(), Botan::Blowfish::decrypt_n(), Botan::Camellia_128::decrypt_n(), Botan::Camellia_192::decrypt_n(), Botan::Camellia_256::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::DES::decrypt_n(), Botan::GOST_28147_89::decrypt_n(), Botan::IDEA::decrypt_n(), Botan::Kuznyechik::decrypt_n(), Botan::Lion::decrypt_n(), Botan::Noekeon::decrypt_n(), Botan::SEED::decrypt_n(), Botan::Serpent::decrypt_n(), Botan::SHACAL2::decrypt_n(), Botan::SM4::decrypt_n(), Botan::Threefish_512::decrypt_n(), Botan::TripleDES::decrypt_n(), Botan::Twofish::decrypt_n(), Botan::AES_128::encrypt_n(), Botan::AES_192::encrypt_n(), Botan::AES_256::encrypt_n(), Botan::ARIA_128::encrypt_n(), Botan::ARIA_192::encrypt_n(), Botan::ARIA_256::encrypt_n(), Botan::Blowfish::encrypt_n(), Botan::Camellia_128::encrypt_n(), Botan::Camellia_192::encrypt_n(), Botan::Camellia_256::encrypt_n(), Botan::CAST_128::encrypt_n(), Botan::DES::encrypt_n(), Botan::GOST_28147_89::encrypt_n(), Botan::IDEA::encrypt_n(), Botan::Kuznyechik::encrypt_n(), Botan::Lion::encrypt_n(), Botan::Noekeon::encrypt_n(), Botan::SEED::encrypt_n(), Botan::Serpent::encrypt_n(), Botan::SHACAL2::encrypt_n(), Botan::SM4::encrypt_n(), Botan::Threefish_512::encrypt_n(), Botan::TripleDES::encrypt_n(), Botan::Twofish::encrypt_n(), final(), ghash_update(), Botan::ChaCha::seek(), Botan::CTR_BE::seek(), Botan::Salsa20::seek(), Botan::OCB_Mode::set_associated_data_n(), Botan::Salsa20::set_iv_bytes(), update(), and update_associated_data().

◆ assert_key_material_set() [2/2]

void Botan::SymmetricAlgorithm::assert_key_material_set ( bool predicate) const
inlineprotectedinherited

Definition at line 141 of file sym_algo.h.

141 {
142 if(!predicate) {
143 throw_key_not_set_error();
144 }
145 }

◆ clear()

void Botan::GHASH::clear ( )
overridevirtual

Reset the internal state. This includes not just the key, but any partial message that may have been in process.

Implements Botan::SymmetricAlgorithm.

Definition at line 210 of file ghash.cpp.

210 {
211 zap(m_H);
212 zap(m_HM);
213 reset();
214}
Botan::GHASH::reset
void reset()
Definition ghash.cpp:216
Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:117

References reset(), and Botan::zap().

◆ final()

void Botan::GHASH::final ( std::span< uint8_t > out)

Definition at line 189 of file ghash.cpp.

189 {
190 BOTAN_ARG_CHECK(!mac.empty() && mac.size() <= 16, "GHASH output length");
191
192 assert_key_material_set();
193 add_final_block(m_ghash, m_ad_len, m_text_len);
194
195 for(size_t i = 0; i != mac.size(); ++i) {
196 mac[i] = m_ghash[i] ^ m_nonce[i];
197 }
198
199 m_ghash.clear();
200 m_text_len = 0;
201}
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
Botan::GHASH::add_final_block
void add_final_block(secure_vector< uint8_t > &x, size_t ad_len, size_t pt_len)
Definition ghash.cpp:176

References add_final_block(), Botan::SymmetricAlgorithm::assert_key_material_set(), and BOTAN_ARG_CHECK.

◆ ghash_update()

void Botan::GHASH::ghash_update ( secure_vector< uint8_t > & x,
std::span< const uint8_t > input )

Definition at line 82 of file ghash.cpp.

82 {
83 assert_key_material_set(!m_H.empty());
84
85 /*
86 This assumes if less than block size input then we're just on the
87 final block and should pad with zeros
88 */
89
90 const size_t full_blocks = input.size() / GCM_BS;
91 const size_t final_bytes = input.size() - (full_blocks * GCM_BS);
92
93 if(full_blocks > 0) {
94 ghash_multiply(ghash, input.first(full_blocks * GCM_BS), full_blocks);
95 }
96
97 if(final_bytes) {
98 uint8_t last_block[GCM_BS] = {0};
99 copy_mem(last_block, input.subspan(full_blocks * GCM_BS).data(), final_bytes);
100 ghash_multiply(ghash, last_block, 1);
101 secure_scrub_memory(last_block, final_bytes);
102 }
103}
Botan::secure_scrub_memory
void secure_scrub_memory(void *ptr, size_t n)
Definition os_utils.cpp:83
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:146

References Botan::SymmetricAlgorithm::assert_key_material_set(), Botan::copy_mem(), and Botan::secure_scrub_memory().

Referenced by add_final_block(), nonce_hash(), set_associated_data(), update(), and update_associated_data().

◆ has_keying_material()

bool Botan::GHASH::has_keying_material ( ) const
overridevirtual
Returns
true if a key has been set on this object

Implements Botan::SymmetricAlgorithm.

Definition at line 105 of file ghash.cpp.

105 {
106 return !m_ghash.empty();
107}

◆ key_spec()

Key_Length_Specification Botan::GHASH::key_spec ( ) const
inlineoverridevirtual
Returns
object describing limits on key size

Implements Botan::SymmetricAlgorithm.

Definition at line 38 of file ghash.h.

38{ return Key_Length_Specification(16); }

◆ maximum_keylength()

size_t Botan::SymmetricAlgorithm::maximum_keylength ( ) const
inlineinherited
Returns
maximum allowed key length

Definition at line 95 of file sym_algo.h.

95{ return key_spec().maximum_keylength(); }
Botan::Key_Length_Specification::maximum_keylength
size_t maximum_keylength() const
Definition sym_algo.h:54
Botan::SymmetricAlgorithm::key_spec
virtual Key_Length_Specification key_spec() const =0

◆ minimum_keylength()

size_t Botan::SymmetricAlgorithm::minimum_keylength ( ) const
inlineinherited
Returns
minimum allowed key length

Definition at line 100 of file sym_algo.h.

100{ return key_spec().minimum_keylength(); }
Botan::Key_Length_Specification::minimum_keylength
size_t minimum_keylength() const
Definition sym_algo.h:49

◆ name()

std::string Botan::GHASH::name ( ) const
inlineoverridevirtual
Returns
the algorithm name

Implements Botan::SymmetricAlgorithm.

Definition at line 46 of file ghash.h.

46{ return "GHASH"; }

◆ nonce_hash()

void Botan::GHASH::nonce_hash ( secure_vector< uint8_t > & y0,
std::span< const uint8_t > nonce )

Definition at line 203 of file ghash.cpp.

203 {
204 BOTAN_ASSERT(m_ghash.empty(), "nonce_hash called during wrong time");
205
206 ghash_update(y0, nonce);
207 add_final_block(y0, 0, nonce.size());
208}
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50

References add_final_block(), BOTAN_ASSERT, and ghash_update().

◆ provider()

std::string Botan::GHASH::provider ( ) const

Definition at line 20 of file ghash.cpp.

20 {
21#if defined(BOTAN_HAS_GHASH_CLMUL_CPU)
22 if(CPUID::has_carryless_multiply()) {
23 return "clmul";
24 }
25#endif
26
27#if defined(BOTAN_HAS_GHASH_CLMUL_VPERM)
28 if(CPUID::has_vperm()) {
29 return "vperm";
30 }
31#endif
32
33 return "base";
34}
Botan::CPUID::has_vperm
static bool has_vperm()
Definition cpuid.h:335
Botan::CPUID::has_carryless_multiply
static bool has_carryless_multiply()
Definition cpuid.h:366

References Botan::CPUID::has_carryless_multiply(), and Botan::CPUID::has_vperm().

◆ reset()

void Botan::GHASH::reset ( )

Definition at line 216 of file ghash.cpp.

216 {
217 zeroise(m_H_ad);
218 m_ghash.clear();
219 m_nonce.clear();
220 m_text_len = m_ad_len = 0;
221}
Botan::zeroise
void zeroise(std::vector< T, Alloc > &vec)
Definition secmem.h:108

References Botan::zeroise().

Referenced by clear().

◆ set_associated_data()

void Botan::GHASH::set_associated_data ( std::span< const uint8_t > ad)

Definition at line 153 of file ghash.cpp.

153 {
154 if(m_ghash.empty() == false) {
155 throw Invalid_State("Too late to set AD in GHASH");
156 }
157
158 zeroise(m_H_ad);
159
160 ghash_update(m_H_ad, input);
161 m_ad_len = input.size();
162}

References ghash_update(), and Botan::zeroise().

◆ set_key() [1/3]

void Botan::SymmetricAlgorithm::set_key ( const SymmetricKey & key)
inlineinherited

Set the symmetric key of this object.

Parameters
keythe SymmetricKey to be set.

Definition at line 113 of file sym_algo.h.

113{ set_key(std::span{key.begin(), key.length()}); }
Botan::SymmetricAlgorithm::set_key
void set_key(const SymmetricKey &key)
Definition sym_algo.h:113

References Botan::OctetString::begin(), Botan::OctetString::length(), and Botan::SymmetricAlgorithm::set_key().

Referenced by Botan::create_aes_row_generator(), Botan::Sodium::crypto_stream_salsa20(), Botan::Sodium::crypto_stream_salsa20_xor_ic(), Botan::Sodium::crypto_stream_xsalsa20(), Botan::Sodium::crypto_stream_xsalsa20_xor_ic(), Botan::FPE::fe1_decrypt(), Botan::FPE::fe1_encrypt(), Botan::Sphincs_Hash_Functions_Sha2::PRF_msg(), Botan::Sodium::randombytes_buf_deterministic(), and Botan::SymmetricAlgorithm::set_key().

◆ set_key() [2/3]

void Botan::SymmetricAlgorithm::set_key ( const uint8_t key[],
size_t length )
inlineinherited

Set the symmetric key of this object.

Parameters
keythe to be set as a byte array.
lengthin bytes of key param

Definition at line 126 of file sym_algo.h.

126{ set_key(std::span{key, length}); }

References Botan::SymmetricAlgorithm::set_key().

Referenced by Botan::SymmetricAlgorithm::set_key().

◆ set_key() [3/3]

void Botan::SymmetricAlgorithm::set_key ( std::span< const uint8_t > key)
inherited

Set the symmetric key of this object.

Parameters
keythe contiguous byte range to be set.

Definition at line 17 of file sym_algo.cpp.

17 {
18 if(!valid_keylength(key.size())) {
19 throw Invalid_Key_Length(name(), key.size());
20 }
21 key_schedule(key);
22}
Botan::SymmetricAlgorithm::valid_keylength
bool valid_keylength(size_t length) const
Definition sym_algo.h:107
Botan::SymmetricAlgorithm::name
virtual std::string name() const =0

References Botan::SymmetricAlgorithm::name(), and Botan::SymmetricAlgorithm::valid_keylength().

◆ start()

void Botan::GHASH::start ( std::span< const uint8_t > nonce)

Definition at line 147 of file ghash.cpp.

147 {
148 BOTAN_ARG_CHECK(nonce.size() == 16, "GHASH requires a 128-bit nonce");
149 m_nonce.assign(nonce.begin(), nonce.end()); // TODO: C++23: assign_range
150 m_ghash = m_H_ad;
151}

References BOTAN_ARG_CHECK.

◆ update()

void Botan::GHASH::update ( std::span< const uint8_t > in)

Definition at line 170 of file ghash.cpp.

170 {
171 assert_key_material_set();
172 m_text_len += input.size();
173 ghash_update(m_ghash, input);
174}

References Botan::SymmetricAlgorithm::assert_key_material_set(), and ghash_update().

◆ update_associated_data()

void Botan::GHASH::update_associated_data ( std::span< const uint8_t > ad)

Definition at line 164 of file ghash.cpp.

164 {
165 assert_key_material_set();
166 m_ad_len += ad.size();
167 ghash_update(m_ghash, ad);
168}

References Botan::SymmetricAlgorithm::assert_key_material_set(), and ghash_update().

◆ valid_keylength()

bool Botan::SymmetricAlgorithm::valid_keylength ( size_t length) const
inlineinherited

Check whether a given key length is valid for this algorithm.

Parameters
lengththe key length to be checked.
Returns
true if the key length is valid.

Definition at line 107 of file sym_algo.h.

107{ return key_spec().valid_keylength(length); }
Botan::Key_Length_Specification::valid_keylength
bool valid_keylength(size_t length) const
Definition sym_algo.h:42

Referenced by Botan::SymmetricAlgorithm::set_key().

The documentation for this class was generated from the following files:
Generated by doxygen 1.12.0