Botan  2.15.0
Crypto and TLS for C++11
Public Member Functions | Static Public Member Functions | Protected Member Functions | List of all members
Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption Class Referencefinal

#include <tls_cbc.h>

Inheritance diagram for Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption:
Botan::TLS::TLS_CBC_HMAC_AEAD_Mode Botan::AEAD_Mode Botan::Cipher_Mode Botan::SymmetricAlgorithm

Public Member Functions

virtual bool associated_data_requires_key () const
 
bool authenticated () const override
 
void clear () override final
 
size_t default_nonce_length () const override final
 
void finish (secure_vector< uint8_t > &final_block, size_t offset=0) override
 
Key_Length_Specification key_spec () const override final
 
size_t maximum_keylength () const
 
size_t minimum_final_size () const override
 
size_t minimum_keylength () const
 
std::string name () const override final
 
size_t output_length (size_t input_length) const override
 
size_t process (uint8_t buf[], size_t sz) override final
 
virtual std::string provider () const
 
void reset () override final
 
template<typename Alloc >
void set_ad (const std::vector< uint8_t, Alloc > &ad)
 
void set_associated_data (const uint8_t ad[], size_t ad_len) override
 
template<typename Alloc >
void set_associated_data_vec (const std::vector< uint8_t, Alloc > &ad)
 
void set_key (const SymmetricKey &key)
 
template<typename Alloc >
void set_key (const std::vector< uint8_t, Alloc > &key)
 
void set_key (const uint8_t key[], size_t length)
 
template<typename Alloc >
void start (const std::vector< uint8_t, Alloc > &nonce)
 
void start (const uint8_t nonce[], size_t nonce_len)
 
void start ()
 
size_t tag_size () const override final
 
 TLS_CBC_HMAC_AEAD_Decryption (std::unique_ptr< BlockCipher > cipher, std::unique_ptr< MessageAuthenticationCode > mac, const size_t cipher_keylen, const size_t mac_keylen, const Protocol_Version version, bool use_encrypt_then_mac)
 
void update (secure_vector< uint8_t > &buffer, size_t offset=0)
 
size_t update_granularity () const override final
 
bool valid_keylength (size_t length) const
 
bool valid_nonce_length (size_t nl) const override final
 

Static Public Member Functions

static std::unique_ptr< AEAD_Modecreate (const std::string &algo, Cipher_Dir direction, const std::string &provider="")
 
static std::unique_ptr< AEAD_Modecreate_or_throw (const std::string &algo, Cipher_Dir direction, const std::string &provider="")
 
static std::vector< std::string > providers (const std::string &algo_spec)
 

Protected Member Functions

std::vector< uint8_t > & assoc_data ()
 
std::vector< uint8_t > assoc_data_with_len (uint16_t len)
 
size_t block_size () const
 
Cipher_Modecbc () const
 
secure_vector< uint8_t > & cbc_state ()
 
size_t cipher_keylen () const
 
bool is_datagram_protocol () const
 
size_t iv_size () const
 
MessageAuthenticationCodemac () const
 
size_t mac_keylen () const
 
secure_vector< uint8_t > & msg ()
 
bool use_encrypt_then_mac () const
 
void verify_key_set (bool cond) const
 

Detailed Description

TLS_CBC_HMAC_AEAD Decryption

Definition at line 142 of file tls_cbc.h.

Constructor & Destructor Documentation

◆ TLS_CBC_HMAC_AEAD_Decryption()

Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption::TLS_CBC_HMAC_AEAD_Decryption ( std::unique_ptr< BlockCipher cipher,
std::unique_ptr< MessageAuthenticationCode mac,
const size_t  cipher_keylen,
const size_t  mac_keylen,
const Protocol_Version  version,
bool  use_encrypt_then_mac 
)
inline

Definition at line 147 of file tls_cbc.h.

152  :
154  std::move(cipher),
155  std::move(mac),
157  mac_keylen,
158  version,
160  {}
TLS_CBC_HMAC_AEAD_Mode(Cipher_Dir direction, std::unique_ptr< BlockCipher > cipher, std::unique_ptr< MessageAuthenticationCode > mac, size_t cipher_keylen, size_t mac_keylen, Protocol_Version version, bool use_encrypt_then_mac)
Definition: tls_cbc.cpp:27
MessageAuthenticationCode & mac() const
Definition: tls_cbc.h:68

Member Function Documentation

◆ assoc_data()

std::vector<uint8_t>& Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::assoc_data ( )
inlineprotectedinherited

◆ assoc_data_with_len()

std::vector< uint8_t > Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::assoc_data_with_len ( uint16_t  len)
protectedinherited

Definition at line 123 of file tls_cbc.cpp.

References BOTAN_ASSERT, and Botan::get_byte().

Referenced by finish().

124  {
125  std::vector<uint8_t> ad = m_ad;
126  BOTAN_ASSERT(ad.size() == 13, "Expected AAD size");
127  ad[11] = get_byte(0, len);
128  ad[12] = get_byte(1, len);
129  return ad;
130  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55

◆ associated_data_requires_key()

virtual bool Botan::AEAD_Mode::associated_data_requires_key ( ) const
inlinevirtualinherited

Most AEADs require the key to be set prior to setting the AD A few allow the AD to be set even before the cipher is keyed. Such ciphers would return false from this function.

Reimplemented in Botan::ChaCha20Poly1305_Mode, and Botan::CCM_Mode.

Definition at line 68 of file aead.h.

68 { return true; }

◆ authenticated()

bool Botan::AEAD_Mode::authenticated ( ) const
inlineoverridevirtualinherited
Returns
true iff this mode provides authentication as well as confidentiality.

Reimplemented from Botan::Cipher_Mode.

Definition at line 47 of file aead.h.

47 { return true; }

◆ block_size()

size_t Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::block_size ( ) const
inlineprotectedinherited

◆ cbc()

Cipher_Mode& Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::cbc ( ) const
inlineprotectedinherited

Definition at line 66 of file tls_cbc.h.

Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::clear().

66 { return *m_cbc; }

◆ cbc_state()

secure_vector<uint8_t>& Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::cbc_state ( )
inlineprotectedinherited

Definition at line 74 of file tls_cbc.h.

Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::finish(), finish(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::reset().

74 { return m_cbc_state; }

◆ cipher_keylen()

size_t Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::cipher_keylen ( ) const
inlineprotectedinherited

Definition at line 57 of file tls_cbc.h.

57 { return m_cipher_keylen; }

◆ clear()

void Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::clear ( )
finaloverridevirtualinherited

Reset the state.

Implements Botan::SymmetricAlgorithm.

Definition at line 55 of file tls_cbc.cpp.

References Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::cbc(), Botan::SymmetricAlgorithm::clear(), Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::mac(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::reset().

56  {
57  cbc().clear();
58  mac().clear();
59  reset();
60  }
Cipher_Mode & cbc() const
Definition: tls_cbc.h:66
MessageAuthenticationCode & mac() const
Definition: tls_cbc.h:68
virtual void clear()=0
void reset() override final
Definition: tls_cbc.cpp:62

◆ create()

std::unique_ptr< AEAD_Mode > Botan::AEAD_Mode::create ( const std::string &  algo,
Cipher_Dir  direction,
const std::string &  provider = "" 
)
staticinherited

Create an AEAD mode

Parameters
algothe algorithm to create
directionspecify if this should be an encryption or decryption AEAD
provideroptional specification for provider to use
Returns
an AEAD mode or a null pointer if not available

Definition at line 52 of file aead.cpp.

References Botan::SCAN_Name::algo_name(), Botan::SCAN_Name::arg(), Botan::SCAN_Name::arg_as_integer(), Botan::SCAN_Name::arg_count(), BOTAN_UNUSED, Botan::BlockCipher::create(), Botan::ENCRYPTION, Botan::parse_algorithm_name(), Botan::Cipher_Mode::provider(), and Botan::split_on().

Referenced by Botan::Cipher_Mode::create(), Botan::AEAD_Mode::create_or_throw(), and Botan::get_aead().

55  {
57 #if defined(BOTAN_HAS_AEAD_CHACHA20_POLY1305)
58  if(algo == "ChaCha20Poly1305")
59  {
60  if(dir == ENCRYPTION)
61  return std::unique_ptr<AEAD_Mode>(new ChaCha20Poly1305_Encryption);
62  else
63  return std::unique_ptr<AEAD_Mode>(new ChaCha20Poly1305_Decryption);
64 
65  }
66 #endif
67 
68  if(algo.find('/') != std::string::npos)
69  {
70  const std::vector<std::string> algo_parts = split_on(algo, '/');
71  const std::string cipher_name = algo_parts[0];
72  const std::vector<std::string> mode_info = parse_algorithm_name(algo_parts[1]);
73 
74  if(mode_info.empty())
75  return std::unique_ptr<AEAD_Mode>();
76 
77  std::ostringstream alg_args;
78 
79  alg_args << '(' << cipher_name;
80  for(size_t i = 1; i < mode_info.size(); ++i)
81  alg_args << ',' << mode_info[i];
82  for(size_t i = 2; i < algo_parts.size(); ++i)
83  alg_args << ',' << algo_parts[i];
84  alg_args << ')';
85 
86  const std::string mode_name = mode_info[0] + alg_args.str();
87  return AEAD_Mode::create(mode_name, dir);
88  }
89 
90 #if defined(BOTAN_HAS_BLOCK_CIPHER)
91 
92  SCAN_Name req(algo);
93 
94  if(req.arg_count() == 0)
95  {
96  return std::unique_ptr<AEAD_Mode>();
97  }
98 
99  std::unique_ptr<BlockCipher> bc(BlockCipher::create(req.arg(0), provider));
100 
101  if(!bc)
102  {
103  return std::unique_ptr<AEAD_Mode>();
104  }
105 
106 #if defined(BOTAN_HAS_AEAD_CCM)
107  if(req.algo_name() == "CCM")
108  {
109  size_t tag_len = req.arg_as_integer(1, 16);
110  size_t L_len = req.arg_as_integer(2, 3);
111  if(dir == ENCRYPTION)
112  return std::unique_ptr<AEAD_Mode>(new CCM_Encryption(bc.release(), tag_len, L_len));
113  else
114  return std::unique_ptr<AEAD_Mode>(new CCM_Decryption(bc.release(), tag_len, L_len));
115  }
116 #endif
117 
118 #if defined(BOTAN_HAS_AEAD_GCM)
119  if(req.algo_name() == "GCM")
120  {
121  size_t tag_len = req.arg_as_integer(1, 16);
122  if(dir == ENCRYPTION)
123  return std::unique_ptr<AEAD_Mode>(new GCM_Encryption(bc.release(), tag_len));
124  else
125  return std::unique_ptr<AEAD_Mode>(new GCM_Decryption(bc.release(), tag_len));
126  }
127 #endif
128 
129 #if defined(BOTAN_HAS_AEAD_OCB)
130  if(req.algo_name() == "OCB")
131  {
132  size_t tag_len = req.arg_as_integer(1, 16);
133  if(dir == ENCRYPTION)
134  return std::unique_ptr<AEAD_Mode>(new OCB_Encryption(bc.release(), tag_len));
135  else
136  return std::unique_ptr<AEAD_Mode>(new OCB_Decryption(bc.release(), tag_len));
137  }
138 #endif
139 
140 #if defined(BOTAN_HAS_AEAD_EAX)
141  if(req.algo_name() == "EAX")
142  {
143  size_t tag_len = req.arg_as_integer(1, bc->block_size());
144  if(dir == ENCRYPTION)
145  return std::unique_ptr<AEAD_Mode>(new EAX_Encryption(bc.release(), tag_len));
146  else
147  return std::unique_ptr<AEAD_Mode>(new EAX_Decryption(bc.release(), tag_len));
148  }
149 #endif
150 
151 #if defined(BOTAN_HAS_AEAD_SIV)
152  if(req.algo_name() == "SIV")
153  {
154  if(dir == ENCRYPTION)
155  return std::unique_ptr<AEAD_Mode>(new SIV_Encryption(bc.release()));
156  else
157  return std::unique_ptr<AEAD_Mode>(new SIV_Decryption(bc.release()));
158  }
159 #endif
160 
161 #endif
162 
163  return std::unique_ptr<AEAD_Mode>();
164  }
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:148
static std::unique_ptr< AEAD_Mode > create(const std::string &algo, Cipher_Dir direction, const std::string &provider="")
Definition: aead.cpp:52
std::vector< std::string > parse_algorithm_name(const std::string &namex)
Definition: parsing.cpp:95
#define BOTAN_UNUSED(...)
Definition: assert.h:142
static std::unique_ptr< BlockCipher > create(const std::string &algo_spec, const std::string &provider="")
virtual std::string provider() const
Definition: cipher_mode.h:180

◆ create_or_throw()

std::unique_ptr< AEAD_Mode > Botan::AEAD_Mode::create_or_throw ( const std::string &  algo,
Cipher_Dir  direction,
const std::string &  provider = "" 
)
staticinherited

Create an AEAD mode, or throw

Parameters
algothe algorithm to create
directionspecify if this should be an encryption or decryption AEAD
provideroptional specification for provider to use
Returns
an AEAD mode, or throw an exception

Definition at line 42 of file aead.cpp.

References Botan::AEAD_Mode::create(), and Botan::Cipher_Mode::provider().

Referenced by Botan::TLS::Connection_Cipher_State::Connection_Cipher_State(), Botan::TLS::Session::decrypt(), Botan::TLS::Session::encrypt(), Botan::mceies_decrypt(), and Botan::mceies_encrypt().

45  {
46  if(auto aead = AEAD_Mode::create(algo, dir, provider))
47  return aead;
48 
49  throw Lookup_Error("AEAD", algo, provider);
50  }
static std::unique_ptr< AEAD_Mode > create(const std::string &algo, Cipher_Dir direction, const std::string &provider="")
Definition: aead.cpp:52
virtual std::string provider() const
Definition: cipher_mode.h:180

◆ default_nonce_length()

size_t Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::default_nonce_length ( ) const
inlinefinaloverridevirtualinherited
Returns
default AEAD nonce size (a commonly supported value among AEAD modes, and large enough that random collisions are unlikely)

Reimplemented from Botan::AEAD_Mode.

Definition at line 42 of file tls_cbc.h.

42 { return m_iv_size; }

◆ finish()

void Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption::finish ( secure_vector< uint8_t > &  final_block,
size_t  offset = 0 
)
overridevirtual

Complete processing of a message.

Parameters
final_blockin/out parameter which must be at least minimum_final_size() bytes, and will be set to any final output
offsetan offset into final_block to begin processing

Implements Botan::Cipher_Mode.

Definition at line 371 of file tls_cbc.cpp.

References Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::assoc_data_with_len(), Botan::TLS::Alert::BAD_RECORD_MAC, Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::block_size(), BOTAN_ASSERT_NOMSG, Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::cbc_state(), Botan::TLS::check_tls_cbc_padding(), Botan::constant_time_compare(), Botan::CT::Mask< T >::expand(), Botan::Buffered_Computation::final(), Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::is_datagram_protocol(), Botan::CT::Mask< T >::is_lte(), Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::iv_size(), Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::mac(), Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::msg(), Botan::CT::poison(), Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::tag_size(), Botan::CT::unpoison(), Botan::Buffered_Computation::update(), Botan::Cipher_Mode::update(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::use_encrypt_then_mac().

372  {
373  update(buffer, offset);
374  buffer.resize(offset);
375 
376  const size_t record_len = msg().size();
377  uint8_t* record_contents = msg().data();
378 
379  // This early exit does not leak info because all the values compared are public
380  if(record_len < tag_size() ||
381  (record_len - (use_encrypt_then_mac() ? tag_size() : 0)) % block_size() != 0)
382  {
383  throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
384  }
385 
387  {
388  const size_t enc_size = record_len - tag_size();
389  const size_t enc_iv_size = enc_size + iv_size();
390 
391  BOTAN_ASSERT_NOMSG(enc_iv_size <= 0xFFFF);
392 
393  mac().update(assoc_data_with_len(static_cast<uint16_t>(enc_iv_size)));
394  if(iv_size() > 0)
395  {
396  mac().update(cbc_state());
397  }
398  mac().update(record_contents, enc_size);
399 
400  std::vector<uint8_t> mac_buf(tag_size());
401  mac().final(mac_buf.data());
402 
403  const size_t mac_offset = enc_size;
404 
405  const bool mac_ok = constant_time_compare(&record_contents[mac_offset], mac_buf.data(), tag_size());
406 
407  if(!mac_ok)
408  {
409  throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
410  }
411 
412  cbc_decrypt_record(record_contents, enc_size);
413 
414  // 0 if padding was invalid, otherwise 1 + padding_bytes
415  const uint16_t pad_size = check_tls_cbc_padding(record_contents, enc_size);
416 
417  // No oracle here, whoever sent us this had the key since MAC check passed
418  if(pad_size == 0)
419  {
420  throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
421  }
422 
423  const uint8_t* plaintext_block = &record_contents[0];
424  const size_t plaintext_length = enc_size - pad_size;
425 
426  buffer.insert(buffer.end(), plaintext_block, plaintext_block + plaintext_length);
427  }
428  else
429  {
430  cbc_decrypt_record(record_contents, record_len);
431 
432  CT::poison(record_contents, record_len);
433 
434  // 0 if padding was invalid, otherwise 1 + padding_bytes
435  uint16_t pad_size = check_tls_cbc_padding(record_contents, record_len);
436 
437  /*
438  This mask is zero if there is not enough room in the packet to get a valid MAC.
439 
440  We have to accept empty packets, since otherwise we are not compatible
441  with how OpenSSL's countermeasure for fixing BEAST in TLS 1.0 CBC works
442  (sending empty records, instead of 1/(n-1) splitting)
443  */
444 
445  // We know the cast cannot overflow as pad_size <= 256 && tag_size <= 32
446  const auto size_ok_mask = CT::Mask<uint16_t>::is_lte(
447  static_cast<uint16_t>(tag_size() + pad_size),
448  static_cast<uint16_t>(record_len));
449 
450  pad_size = size_ok_mask.if_set_return(pad_size);
451 
452  CT::unpoison(record_contents, record_len);
453 
454  /*
455  This is unpoisoned sooner than it should. The pad_size leaks to plaintext_length and
456  then to the timing channel in the MAC computation described in the Lucky 13 paper.
457  */
458  CT::unpoison(pad_size);
459 
460  const uint8_t* plaintext_block = &record_contents[0];
461  const uint16_t plaintext_length = static_cast<uint16_t>(record_len - tag_size() - pad_size);
462 
463  mac().update(assoc_data_with_len(plaintext_length));
464  mac().update(plaintext_block, plaintext_length);
465 
466  std::vector<uint8_t> mac_buf(tag_size());
467  mac().final(mac_buf.data());
468 
469  const size_t mac_offset = record_len - (tag_size() + pad_size);
470 
471  const bool mac_ok = constant_time_compare(&record_contents[mac_offset], mac_buf.data(), tag_size());
472 
473  const auto ok_mask = size_ok_mask & CT::Mask<uint16_t>::expand(mac_ok) & CT::Mask<uint16_t>::expand(pad_size);
474 
475  CT::unpoison(ok_mask);
476 
477  if(ok_mask.is_set())
478  {
479  buffer.insert(buffer.end(), plaintext_block, plaintext_block + plaintext_length);
480  }
481  else
482  {
483  perform_additional_compressions(record_len, pad_size);
484 
485  /*
486  * In DTLS case we have to finish computing the MAC since we require the
487  * MAC state be reset for future packets. This extra timing channel may
488  * be exploitable in a Lucky13 variant.
489  */
491  mac().final(mac_buf);
492  throw TLS_Exception(Alert::BAD_RECORD_MAC, "Message authentication failure");
493  }
494  }
495  }
void update(secure_vector< uint8_t > &buffer, size_t offset=0)
Definition: cipher_mode.h:112
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
Definition: mem_ops.h:82
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
void poison(const T *p, size_t n)
Definition: ct_utils.h:48
MessageAuthenticationCode & mac() const
Definition: tls_cbc.h:68
secure_vector< uint8_t > & cbc_state()
Definition: tls_cbc.h:74
void final(uint8_t out[])
Definition: buf_comp.h:83
static Mask< T > is_lte(T x, T y)
Definition: ct_utils.h:173
static Mask< T > expand(T v)
Definition: ct_utils.h:123
size_t tag_size() const override final
Definition: tls_cbc.h:40
std::vector< uint8_t > assoc_data_with_len(uint16_t len)
Definition: tls_cbc.cpp:123
void update(const uint8_t in[], size_t length)
Definition: buf_comp.h:33
uint16_t check_tls_cbc_padding(const uint8_t record[], size_t record_len)
Definition: tls_cbc.cpp:243
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:59
secure_vector< uint8_t > & msg()
Definition: tls_cbc.h:76

◆ is_datagram_protocol()

bool Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::is_datagram_protocol ( ) const
inlineprotectedinherited

Definition at line 64 of file tls_cbc.h.

Referenced by finish().

64 { return m_is_datagram; }

◆ iv_size()

size_t Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::iv_size ( ) const
inlineprotectedinherited

◆ key_spec()

Key_Length_Specification Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::key_spec ( ) const
finaloverridevirtualinherited
Returns
object describing limits on key size

Implements Botan::SymmetricAlgorithm.

Definition at line 86 of file tls_cbc.cpp.

87  {
88  return Key_Length_Specification(m_cipher_keylen + m_mac_keylen);
89  }

◆ mac()

MessageAuthenticationCode& Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::mac ( ) const
inlineprotectedinherited

Definition at line 68 of file tls_cbc.h.

References BOTAN_ASSERT_NONNULL.

Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::clear(), Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::finish(), finish(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::TLS_CBC_HMAC_AEAD_Mode().

69  {
70  BOTAN_ASSERT_NONNULL(m_mac);
71  return *m_mac;
72  }
#define BOTAN_ASSERT_NONNULL(ptr)
Definition: assert.h:107

◆ mac_keylen()

size_t Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::mac_keylen ( ) const
inlineprotectedinherited

Definition at line 58 of file tls_cbc.h.

58 { return m_mac_keylen; }

◆ maximum_keylength()

size_t Botan::SymmetricAlgorithm::maximum_keylength ( ) const
inlineinherited
Returns
minimum allowed key length

Definition at line 38 of file sym_algo.h.

39  {
40  return key_spec().maximum_keylength();
41  }
size_t maximum_keylength() const
Definition: key_spec.h:69
virtual Key_Length_Specification key_spec() const =0

◆ minimum_final_size()

size_t Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption::minimum_final_size ( ) const
inlineoverridevirtual
Returns
required minimium size to finalize() - may be any length larger than this.

Implements Botan::Cipher_Mode.

Definition at line 164 of file tls_cbc.h.

164 { return tag_size(); }
size_t tag_size() const override final
Definition: tls_cbc.h:40

◆ minimum_keylength()

size_t Botan::SymmetricAlgorithm::minimum_keylength ( ) const
inlineinherited
Returns
maximum allowed key length

Definition at line 46 of file sym_algo.h.

Referenced by botan_block_cipher_get_keyspec(), and botan_mac_get_keyspec().

47  {
48  return key_spec().minimum_keylength();
49  }
virtual Key_Length_Specification key_spec() const =0
size_t minimum_keylength() const
Definition: key_spec.h:61

◆ msg()

secure_vector<uint8_t>& Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::msg ( )
inlineprotectedinherited

Definition at line 76 of file tls_cbc.h.

Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::finish(), and finish().

76 { return m_msg; }

◆ name()

std::string Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::name ( ) const
finaloverridevirtualinherited
Returns
the algorithm name

Implements Botan::SymmetricAlgorithm.

Definition at line 69 of file tls_cbc.cpp.

70  {
71  return "TLS_CBC(" + m_cipher_name + "," + m_mac_name + ")";
72  }

◆ output_length()

size_t Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption::output_length ( size_t  input_length) const
overridevirtual

Returns the size of the output if this transform is used to process a message with input_length bytes. In most cases the answer is precise. If it is not possible to precise (namely for CBC decryption) instead a lower bound is returned.

Implements Botan::Cipher_Mode.

Definition at line 284 of file tls_cbc.cpp.

285  {
286  /*
287  * We don't know this because the padding is arbitrary
288  */
289  return 0;
290  }

◆ process()

size_t Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::process ( uint8_t  msg[],
size_t  msg_len 
)
finaloverridevirtualinherited

Process message blocks

Input must be a multiple of update_granularity

Processes msg in place and returns bytes written. Normally this will be either msg_len (indicating the entire message was processed) or for certain AEAD modes zero (indicating that the mode requires the entire message be processed in one pass).

Parameters
msgthe message to be processed
msg_lenlength of the message in bytes

Implements Botan::Cipher_Mode.

Definition at line 117 of file tls_cbc.cpp.

118  {
119  m_msg.insert(m_msg.end(), buf, buf + sz);
120  return 0;
121  }

◆ provider()

virtual std::string Botan::Cipher_Mode::provider ( ) const
inlinevirtualinherited
Returns
provider information about this implementation. Default is "base", might also return "sse2", "avx2", "openssl", or some other arbitrary string.

Reimplemented in Botan::GCM_Mode.

Definition at line 180 of file cipher_mode.h.

Referenced by Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), Botan::AEAD_Mode::create_or_throw(), and Botan::Cipher_Mode::create_or_throw().

180 { return "base"; }

◆ providers()

std::vector< std::string > Botan::Cipher_Mode::providers ( const std::string &  algo_spec)
staticinherited
Returns
list of available providers for this algorithm, empty if not available
Parameters
algo_specalgorithm name

Definition at line 190 of file cipher_mode.cpp.

References Botan::Cipher_Mode::create(), and Botan::ENCRYPTION.

191  {
192  const std::vector<std::string>& possible = { "base", "openssl", "commoncrypto" };
193  std::vector<std::string> providers;
194  for(auto&& prov : possible)
195  {
196  std::unique_ptr<Cipher_Mode> mode = Cipher_Mode::create(algo_spec, ENCRYPTION, prov);
197  if(mode)
198  {
199  providers.push_back(prov); // available
200  }
201  }
202  return providers;
203  }
static std::unique_ptr< Cipher_Mode > create(const std::string &algo, Cipher_Dir direction, const std::string &provider="")
Definition: cipher_mode.cpp:54
static std::vector< std::string > providers(const std::string &algo_spec)

◆ reset()

void Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::reset ( )
finaloverridevirtualinherited

Resets just the message specific state and allows encrypting again under the existing key

Implements Botan::Cipher_Mode.

Definition at line 62 of file tls_cbc.cpp.

References Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::cbc_state().

Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::clear().

63  {
64  cbc_state().clear();
65  m_ad.clear();
66  m_msg.clear();
67  }
secure_vector< uint8_t > & cbc_state()
Definition: tls_cbc.h:74

◆ set_ad()

template<typename Alloc >
void Botan::AEAD_Mode::set_ad ( const std::vector< uint8_t, Alloc > &  ad)
inlineinherited

Set associated data that is not included in the ciphertext but that should be authenticated. Must be called after set_key and before start.

See set_associated_data().

Parameters
adthe associated data

Definition at line 95 of file aead.h.

Referenced by Botan::TLS::write_record().

96  {
97  set_associated_data(ad.data(), ad.size());
98  }
virtual void set_associated_data(const uint8_t ad[], size_t ad_len)=0

◆ set_associated_data()

void Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::set_associated_data ( const uint8_t  ad[],
size_t  ad_len 
)
overridevirtualinherited

Set associated data that is not included in the ciphertext but that should be authenticated. Must be called after set_key and before start.

Unless reset by another call, the associated data is kept between messages. Thus, if the AD does not change, calling once (after set_key) is the optimum.

Parameters
adthe associated data
ad_lenlength of add in bytes

Implements Botan::AEAD_Mode.

Reimplemented in Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption.

Definition at line 132 of file tls_cbc.cpp.

Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data().

133  {
134  if(ad_len != 13)
135  throw Invalid_Argument("Invalid TLS AEAD associated data length");
136  m_ad.assign(ad, ad + ad_len);
137  }

◆ set_associated_data_vec()

template<typename Alloc >
void Botan::AEAD_Mode::set_associated_data_vec ( const std::vector< uint8_t, Alloc > &  ad)
inlineinherited

Set associated data that is not included in the ciphertext but that should be authenticated. Must be called after set_key and before start.

See set_associated_data().

Parameters
adthe associated data

Definition at line 80 of file aead.h.

81  {
82  set_associated_data(ad.data(), ad.size());
83  }
virtual void set_associated_data(const uint8_t ad[], size_t ad_len)=0

◆ set_key() [1/3]

void Botan::SymmetricAlgorithm::set_key ( const SymmetricKey key)
inlineinherited

◆ set_key() [2/3]

template<typename Alloc >
void Botan::SymmetricAlgorithm::set_key ( const std::vector< uint8_t, Alloc > &  key)
inlineinherited

Definition at line 71 of file sym_algo.h.

72  {
73  set_key(key.data(), key.size());
74  }
void set_key(const SymmetricKey &key)
Definition: sym_algo.h:65

◆ set_key() [3/3]

void Botan::SymmetricAlgorithm::set_key ( const uint8_t  key[],
size_t  length 
)
inherited

Set the symmetric key of this object.

Parameters
keythe to be set as a byte array.
lengthin bytes of key param

Definition at line 17 of file sym_algo.cpp.

References Botan::SymmetricAlgorithm::name(), and Botan::SymmetricAlgorithm::valid_keylength().

18  {
19  if(!valid_keylength(length))
20  throw Invalid_Key_Length(name(), length);
21  key_schedule(key, length);
22  }
bool valid_keylength(size_t length) const
Definition: sym_algo.h:56
virtual std::string name() const =0

◆ start() [1/3]

template<typename Alloc >
void Botan::Cipher_Mode::start ( const std::vector< uint8_t, Alloc > &  nonce)
inlineinherited

Begin processing a message.

Parameters
noncethe per message nonce

Definition at line 69 of file cipher_mode.h.

Referenced by botan_cipher_start(), and Botan::TLS::write_record().

70  {
71  start_msg(nonce.data(), nonce.size());
72  }
virtual void start_msg(const uint8_t nonce[], size_t nonce_len)=0

◆ start() [2/3]

void Botan::Cipher_Mode::start ( const uint8_t  nonce[],
size_t  nonce_len 
)
inlineinherited

Begin processing a message.

Parameters
noncethe per message nonce
nonce_lenlength of nonce

Definition at line 79 of file cipher_mode.h.

80  {
81  start_msg(nonce, nonce_len);
82  }
virtual void start_msg(const uint8_t nonce[], size_t nonce_len)=0

◆ start() [3/3]

void Botan::Cipher_Mode::start ( )
inlineinherited

Begin processing a message.

Definition at line 87 of file cipher_mode.h.

88  {
89  return start_msg(nullptr, 0);
90  }
virtual void start_msg(const uint8_t nonce[], size_t nonce_len)=0

◆ tag_size()

size_t Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::tag_size ( ) const
inlinefinaloverridevirtualinherited
Returns
the size of the authentication tag used (in bytes)

Reimplemented from Botan::Cipher_Mode.

Definition at line 40 of file tls_cbc.h.

Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::finish(), finish(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::output_length().

40 { return m_tag_size; }

◆ update()

void Botan::Cipher_Mode::update ( secure_vector< uint8_t > &  buffer,
size_t  offset = 0 
)
inlineinherited

Process some data. Input must be in size update_granularity() uint8_t blocks.

Parameters
bufferin/out parameter which will possibly be resized
offsetan offset into blocks to begin processing

Definition at line 112 of file cipher_mode.h.

References BOTAN_ASSERT.

Referenced by botan_cipher_update(), Botan::XTS_Encryption::finish(), Botan::ChaCha20Poly1305_Encryption::finish(), Botan::CFB_Encryption::finish(), Botan::CBC_Encryption::finish(), Botan::EAX_Encryption::finish(), Botan::XTS_Decryption::finish(), Botan::CFB_Decryption::finish(), Botan::CTS_Encryption::finish(), Botan::CBC_Decryption::finish(), Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::finish(), Botan::CTS_Decryption::finish(), and finish().

113  {
114  BOTAN_ASSERT(buffer.size() >= offset, "Offset ok");
115  uint8_t* buf = buffer.data() + offset;
116  const size_t buf_size = buffer.size() - offset;
117 
118  const size_t written = process(buf, buf_size);
119  buffer.resize(offset + written);
120  }
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
virtual size_t process(uint8_t msg[], size_t msg_len)=0

◆ update_granularity()

size_t Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::update_granularity ( ) const
finaloverridevirtualinherited
Returns
size of required blocks to update

Implements Botan::Cipher_Mode.

Definition at line 74 of file tls_cbc.cpp.

75  {
76  return 1; // just buffers anyway
77  }

◆ use_encrypt_then_mac()

bool Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::use_encrypt_then_mac ( ) const
inlineprotectedinherited

◆ valid_keylength()

bool Botan::SymmetricAlgorithm::valid_keylength ( size_t  length) const
inlineinherited

Check whether a given key length is valid for this algorithm.

Parameters
lengththe key length to be checked.
Returns
true if the key length is valid.

Definition at line 56 of file sym_algo.h.

Referenced by Botan::aont_package(), Botan::aont_unpackage(), and Botan::SymmetricAlgorithm::set_key().

57  {
58  return key_spec().valid_keylength(length);
59  }
bool valid_keylength(size_t length) const
Definition: key_spec.h:51
virtual Key_Length_Specification key_spec() const =0

◆ valid_nonce_length()

bool Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::valid_nonce_length ( size_t  nonce_len) const
finaloverridevirtualinherited
Returns
true iff nonce_len is a valid length for the nonce

Implements Botan::Cipher_Mode.

Definition at line 79 of file tls_cbc.cpp.

References Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::block_size(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::iv_size().

80  {
81  if(m_cbc_state.empty())
82  return nl == block_size();
83  return nl == iv_size();
84  }

◆ verify_key_set()

void Botan::SymmetricAlgorithm::verify_key_set ( bool  cond) const
inlineprotectedinherited

Definition at line 89 of file sym_algo.h.

Referenced by Botan::Salsa20::cipher(), Botan::CTR_BE::cipher(), Botan::RC4::cipher(), Botan::SHAKE_128_Cipher::cipher(), Botan::ChaCha::cipher(), Botan::DES::decrypt_n(), Botan::Noekeon::decrypt_n(), Botan::SEED::decrypt_n(), Botan::KASUMI::decrypt_n(), Botan::XTEA::decrypt_n(), Botan::IDEA::decrypt_n(), Botan::Blowfish::decrypt_n(), Botan::MISTY1::decrypt_n(), Botan::Camellia_128::decrypt_n(), Botan::AES_128::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::DESX::decrypt_n(), Botan::CAST_256::decrypt_n(), Botan::SM4::decrypt_n(), Botan::Twofish::decrypt_n(), Botan::SHACAL2::decrypt_n(), Botan::Serpent::decrypt_n(), Botan::Threefish_512::decrypt_n(), Botan::Lion::decrypt_n(), Botan::ARIA_128::decrypt_n(), Botan::Camellia_192::decrypt_n(), Botan::TripleDES::decrypt_n(), Botan::ARIA_192::decrypt_n(), Botan::Camellia_256::decrypt_n(), Botan::AES_192::decrypt_n(), Botan::GOST_28147_89::decrypt_n(), Botan::ARIA_256::decrypt_n(), Botan::AES_256::decrypt_n(), Botan::IDEA::encrypt_n(), Botan::KASUMI::encrypt_n(), Botan::AES_128::encrypt_n(), Botan::MISTY1::encrypt_n(), Botan::Noekeon::encrypt_n(), Botan::CAST_128::encrypt_n(), Botan::SEED::encrypt_n(), Botan::CAST_256::encrypt_n(), Botan::SHACAL2::encrypt_n(), Botan::SM4::encrypt_n(), Botan::DES::encrypt_n(), Botan::Blowfish::encrypt_n(), Botan::Twofish::encrypt_n(), Botan::Camellia_128::encrypt_n(), Botan::XTEA::encrypt_n(), Botan::DESX::encrypt_n(), Botan::Threefish_512::encrypt_n(), Botan::Serpent::encrypt_n(), Botan::Lion::encrypt_n(), Botan::ARIA_128::encrypt_n(), Botan::Camellia_192::encrypt_n(), Botan::TripleDES::encrypt_n(), Botan::ARIA_192::encrypt_n(), Botan::Camellia_256::encrypt_n(), Botan::AES_192::encrypt_n(), Botan::GOST_28147_89::encrypt_n(), Botan::ARIA_256::encrypt_n(), Botan::AES_256::encrypt_n(), Botan::OCB_Encryption::finish(), Botan::OCB_Decryption::finish(), Botan::GHASH::ghash_update(), Botan::CFB_Encryption::process(), Botan::CFB_Decryption::process(), Botan::Salsa20::seek(), Botan::CTR_BE::seek(), Botan::ChaCha::seek(), Botan::OCB_Mode::set_associated_data(), Botan::Salsa20::set_iv(), Botan::ChaCha::set_iv(), Botan::GHASH::update(), Botan::GHASH::update_associated_data(), and Botan::ChaCha::write_keystream().

90  {
91  if(cond == false)
92  throw_key_not_set_error();
93  }

The documentation for this class was generated from the following files: