#include <tls_cbc.h>
Public Member Functions | |
| virtual bool | associated_data_requires_key () const |
| bool | authenticated () const |
| void | clear () final |
| size_t | default_nonce_length () const final |
| void | finish (secure_vector< uint8_t > &final_block, size_t offset=0) |
| template<concepts::resizable_byte_buffer T> | |
| void | finish (T &final_block, size_t offset=0) |
| bool | has_keying_material () const final |
| size_t | ideal_granularity () const final |
| Key_Length_Specification | key_spec () const final |
| virtual size_t | maximum_associated_data_inputs () const |
| size_t | maximum_keylength () const |
| virtual size_t | minimum_final_size () const =0 |
| size_t | minimum_keylength () const |
| std::string | name () const final |
| virtual size_t | output_length (size_t input_length) const =0 |
| size_t | process (std::span< uint8_t > msg) |
| size_t | process (uint8_t msg[], size_t msg_len) |
| virtual std::string | provider () const |
| virtual bool | requires_entire_message () const |
| void | reset () final |
| void | set_ad (std::span< const uint8_t > ad) |
| void | set_associated_data (const uint8_t ad[], size_t ad_len) |
| void | set_associated_data (std::span< const uint8_t > ad) |
| void | set_associated_data_n (size_t idx, std::span< const uint8_t > ad) override |
| template<typename Alloc > | |
| void | set_associated_data_vec (const std::vector< uint8_t, Alloc > &ad) |
| void | set_key (const SymmetricKey &key) |
| void | set_key (const uint8_t key[], size_t length) |
| void | set_key (std::span< const uint8_t > key) |
| void | start () |
| void | start (const uint8_t nonce[], size_t nonce_len) |
| void | start (std::span< const uint8_t > nonce) |
| size_t | tag_size () const final |
| template<concepts::resizable_byte_buffer T> | |
| void | update (T &buffer, size_t offset=0) |
| size_t | update_granularity () const final |
| bool | valid_keylength (size_t length) const |
| bool | valid_nonce_length (size_t nl) const final |
Static Public Member Functions | |
| static std::unique_ptr< AEAD_Mode > | create (std::string_view algo, Cipher_Dir direction, std::string_view provider="") |
| static std::unique_ptr< AEAD_Mode > | create_or_throw (std::string_view algo, Cipher_Dir direction, std::string_view provider="") |
| static std::vector< std::string > | providers (std::string_view algo_spec) |
Protected Member Functions | |
| void | assert_key_material_set () const |
| void | assert_key_material_set (bool predicate) const |
| std::vector< uint8_t > & | assoc_data () |
| std::vector< uint8_t > | assoc_data_with_len (uint16_t len) |
| size_t | block_size () const |
| Cipher_Mode & | cbc () const |
| secure_vector< uint8_t > & | cbc_state () |
| size_t | cipher_keylen () const |
| virtual void | finish_msg (secure_vector< uint8_t > &final_block, size_t offset=0)=0 |
| bool | is_datagram_protocol () const |
| size_t | iv_size () const |
| MessageAuthenticationCode & | mac () const |
| size_t | mac_keylen () const |
| secure_vector< uint8_t > & | msg () |
| TLS_CBC_HMAC_AEAD_Mode (Cipher_Dir direction, std::unique_ptr< BlockCipher > cipher, std::unique_ptr< MessageAuthenticationCode > mac, size_t cipher_keylen, size_t mac_keylen, Protocol_Version version, bool use_encrypt_then_mac) | |
| bool | use_encrypt_then_mac () const |
Detailed Description
TLS CBC+HMAC AEAD base class (GenericBlockCipher in TLS spec) This is the weird TLS-specific mode, not for general consumption.
Constructor & Destructor Documentation
◆ TLS_CBC_HMAC_AEAD_Mode()
|
protected |
Definition at line 26 of file tls_cbc.cpp.
References Botan::Encryption, Botan::TLS::Protocol_Version::is_datagram_protocol(), mac(), and Botan::Buffered_Computation::output_length().
Member Function Documentation
◆ assert_key_material_set() [1/2]
|
inlineprotectedinherited |
Definition at line 139 of file sym_algo.h.
References Botan::SymmetricAlgorithm::assert_key_material_set().
Referenced by Botan::SymmetricAlgorithm::assert_key_material_set(), Botan::Salsa20::cipher_bytes(), Botan::AES_128::decrypt_n(), Botan::AES_192::decrypt_n(), Botan::AES_256::decrypt_n(), Botan::ARIA_128::decrypt_n(), Botan::ARIA_192::decrypt_n(), Botan::ARIA_256::decrypt_n(), Botan::Blowfish::decrypt_n(), Botan::Camellia_128::decrypt_n(), Botan::Camellia_192::decrypt_n(), Botan::Camellia_256::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::DES::decrypt_n(), Botan::GOST_28147_89::decrypt_n(), Botan::IDEA::decrypt_n(), Botan::Kuznyechik::decrypt_n(), Botan::Lion::decrypt_n(), Botan::Noekeon::decrypt_n(), Botan::SEED::decrypt_n(), Botan::Serpent::decrypt_n(), Botan::SHACAL2::decrypt_n(), Botan::SM4::decrypt_n(), Botan::Threefish_512::decrypt_n(), Botan::TripleDES::decrypt_n(), Botan::Twofish::decrypt_n(), Botan::AES_128::encrypt_n(), Botan::AES_192::encrypt_n(), Botan::AES_256::encrypt_n(), Botan::ARIA_128::encrypt_n(), Botan::ARIA_192::encrypt_n(), Botan::ARIA_256::encrypt_n(), Botan::Blowfish::encrypt_n(), Botan::Camellia_128::encrypt_n(), Botan::Camellia_192::encrypt_n(), Botan::Camellia_256::encrypt_n(), Botan::CAST_128::encrypt_n(), Botan::DES::encrypt_n(), Botan::GOST_28147_89::encrypt_n(), Botan::IDEA::encrypt_n(), Botan::Kuznyechik::encrypt_n(), Botan::Lion::encrypt_n(), Botan::Noekeon::encrypt_n(), Botan::SEED::encrypt_n(), Botan::Serpent::encrypt_n(), Botan::SHACAL2::encrypt_n(), Botan::SM4::encrypt_n(), Botan::Threefish_512::encrypt_n(), Botan::TripleDES::encrypt_n(), Botan::Twofish::encrypt_n(), Botan::GHASH::final(), Botan::GHASH::ghash_update(), Botan::ChaCha::seek(), Botan::CTR_BE::seek(), Botan::Salsa20::seek(), Botan::OCB_Mode::set_associated_data_n(), Botan::Salsa20::set_iv_bytes(), Botan::GHASH::update(), and Botan::GHASH::update_associated_data().
◆ assert_key_material_set() [2/2]
|
inlineprotectedinherited |
Definition at line 141 of file sym_algo.h.
◆ assoc_data()
|
inlineprotected |
Definition at line 77 of file tls_cbc.h.
Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data_n().
◆ assoc_data_with_len()
|
protected |
Definition at line 122 of file tls_cbc.cpp.
References BOTAN_ASSERT, and Botan::get_byte().
◆ associated_data_requires_key()
|
inlinevirtualinherited |
Most AEADs require the key to be set prior to setting the AD A few allow the AD to be set even before the cipher is keyed. Such ciphers would return false from this function.
Reimplemented in Botan::CCM_Mode, and Botan::ChaCha20Poly1305_Mode.
Definition at line 98 of file aead.h.
◆ authenticated()
|
inlineinherited |
Return the length in bytes of the authentication tag this algorithm generates. If the mode is not authenticated, this will return 0.
- Returns
- true iff this mode provides authentication as well as confidentiality.
Definition at line 264 of file cipher_mode.h.
◆ block_size()
|
inlineprotected |
Definition at line 62 of file tls_cbc.h.
Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::output_length(), Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data_n(), and valid_nonce_length().
◆ cbc()
|
inlineprotected |
Definition at line 68 of file tls_cbc.h.
Referenced by clear(), and has_keying_material().
◆ cbc_state()
|
inlineprotected |
◆ cipher_keylen()
|
inlineprotected |
◆ clear()
|
finalvirtual |
Reset the internal state. This includes not just the key, but any partial message that may have been in process.
Implements Botan::SymmetricAlgorithm.
Definition at line 55 of file tls_cbc.cpp.
References cbc(), Botan::SymmetricAlgorithm::clear(), mac(), and reset().
◆ create()
|
staticinherited |
Create an AEAD mode
- Parameters
-
algo the algorithm to create direction specify if this should be an encryption or decryption AEAD provider optional specification for provider to use
- Returns
- an AEAD mode or a null pointer if not available
Definition at line 53 of file aead.cpp.
References Botan::SCAN_Name::algo_name(), Botan::SCAN_Name::arg(), Botan::SCAN_Name::arg_as_integer(), Botan::SCAN_Name::arg_count(), BOTAN_UNUSED, Botan::AEAD_Mode::create(), Botan::BlockCipher::create(), Botan::Encryption, Botan::parse_algorithm_name(), Botan::Cipher_Mode::provider(), and Botan::split_on().
Referenced by Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), Botan::AEAD_Mode::create_or_throw(), and Botan::get_aead().
◆ create_or_throw()
|
staticinherited |
Create an AEAD mode, or throw
- Parameters
-
algo the algorithm to create direction specify if this should be an encryption or decryption AEAD provider optional specification for provider to use
- Returns
- an AEAD mode, or throw an exception
Definition at line 43 of file aead.cpp.
References Botan::AEAD_Mode::create(), and Botan::Cipher_Mode::provider().
Referenced by Botan::TLS::Cipher_State::advance_with_server_hello(), Botan::TLS::Connection_Cipher_State::Connection_Cipher_State(), Botan::TLS::Session::decrypt(), and Botan::TLS::Session::encrypt().
◆ default_nonce_length()
|
inlinefinalvirtual |
- Returns
- default AEAD nonce size (a commonly supported value among AEAD modes, and large enough that random collisions are unlikely)
Reimplemented from Botan::AEAD_Mode.
Definition at line 39 of file tls_cbc.h.
◆ finish() [1/2]
|
inlineinherited |
Complete procession of a message with a final input of buffer, which is treated the same as with update(). If you have the entire message in hand, calling finish() without ever calling update() is both efficient and convenient.
When using an AEAD_Mode, if the supplied authentication tag does not validate, this will throw an instance of Invalid_Authentication_Tag.
If this occurs, all plaintext previously output via calls to update must be destroyed and not used in any way that an attacker could observe the effects of. This could be anything from echoing the plaintext back (perhaps in an error message), or by making an external RPC whose destination or contents depend on the plaintext. The only thing you can do is buffer it, and in the event of an invalid tag, erase the previously decrypted content from memory.
One simple way to assure this could never happen is to never call update, and instead always marshal the entire message into a single buffer and call finish on it when decrypting.
- Parameters
-
final_block in/out parameter which must be at least minimum_final_size() bytes, and will be set to any final output offset an offset into final_block to begin processing
Definition at line 180 of file cipher_mode.h.
Referenced by botan_cipher_update(), and Botan::TLS::write_record().
◆ finish() [2/2]
|
inlineinherited |
Complete procession of a message.
Note: Using this overload with anything but a Botan::secure_vector<> is copying the bytes in the in/out buffer.
- Parameters
-
final_block in/out parameter which must be at least minimum_final_size() bytes, and will be set to any final output offset an offset into final_block to begin processing
Definition at line 193 of file cipher_mode.h.
◆ finish_msg()
|
protectedpure virtualinherited |
◆ has_keying_material()
|
finalvirtual |
- Returns
- true if a key has been set on this object
Implements Botan::SymmetricAlgorithm.
Definition at line 90 of file tls_cbc.cpp.
References cbc(), Botan::SymmetricAlgorithm::has_keying_material(), and mac().
◆ ideal_granularity()
|
finalvirtual |
Return an ideal granularity. This will be a multiple of the result of update_granularity but may be larger. If so it indicates that better performance may be achieved by providing buffers that are at least that size (due to SIMD execution, etc).
Implements Botan::Cipher_Mode.
Definition at line 75 of file tls_cbc.cpp.
◆ is_datagram_protocol()
|
inlineprotected |
◆ iv_size()
|
inlineprotected |
Definition at line 60 of file tls_cbc.h.
Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data_n(), and valid_nonce_length().
◆ key_spec()
|
finalvirtual |
- Returns
- object describing limits on key size
Implements Botan::SymmetricAlgorithm.
Definition at line 86 of file tls_cbc.cpp.
◆ mac()
|
inlineprotected |
Definition at line 70 of file tls_cbc.h.
References BOTAN_ASSERT_NONNULL.
Referenced by clear(), has_keying_material(), and TLS_CBC_HMAC_AEAD_Mode().
◆ mac_keylen()
|
inlineprotected |
◆ maximum_associated_data_inputs()
|
inlinevirtualinherited |
Returns the maximum supported number of associated data inputs which can be provided to set_associated_data_n
If returns 0, then no associated data is supported.
Reimplemented in Botan::SIV_Mode.
Definition at line 91 of file aead.h.
◆ maximum_keylength()
|
inlineinherited |
- Returns
- maximum allowed key length
Definition at line 95 of file sym_algo.h.
◆ minimum_final_size()
|
pure virtualinherited |
- Returns
- required minimium size to finalize() - may be any length larger than this.
Implemented in Botan::CBC_Decryption, Botan::CBC_Encryption, Botan::CCM_Decryption, Botan::CCM_Encryption, Botan::CFB_Mode, Botan::ChaCha20Poly1305_Decryption, Botan::ChaCha20Poly1305_Encryption, Botan::CTS_Decryption, Botan::CTS_Encryption, Botan::EAX_Decryption, Botan::EAX_Encryption, Botan::GCM_Decryption, Botan::GCM_Encryption, Botan::OCB_Decryption, Botan::OCB_Encryption, Botan::SIV_Decryption, Botan::SIV_Encryption, Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption, Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption, and Botan::XTS_Mode.
◆ minimum_keylength()
|
inlineinherited |
- Returns
- minimum allowed key length
Definition at line 100 of file sym_algo.h.
◆ msg()
|
inlineprotected |
◆ name()
|
finalvirtual |
- Returns
- the algorithm name
Implements Botan::SymmetricAlgorithm.
Definition at line 67 of file tls_cbc.cpp.
◆ output_length()
|
pure virtualinherited |
Returns the size of the output if this transform is used to process a message with input_length bytes. In most cases the answer is precise. If it is not possible to precise (namely for CBC decryption) instead an upper bound is returned.
Implemented in Botan::CBC_Decryption, Botan::CBC_Encryption, Botan::CCM_Decryption, Botan::CCM_Encryption, Botan::CFB_Mode, Botan::ChaCha20Poly1305_Decryption, Botan::ChaCha20Poly1305_Encryption, Botan::CTS_Encryption, Botan::EAX_Decryption, Botan::EAX_Encryption, Botan::GCM_Decryption, Botan::GCM_Encryption, Botan::OCB_Decryption, Botan::OCB_Encryption, Botan::SIV_Decryption, Botan::SIV_Encryption, Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption, Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption, Botan::XTS_Decryption, and Botan::XTS_Encryption.
Referenced by Botan::TLS::write_record().
◆ process() [1/2]
|
inlineinherited |
Process message blocks
Input must be a multiple of update_granularity
Processes msg in place and returns bytes written. Normally this will be either msg_len (indicating the entire message was processed) or for certain AEAD modes zero (indicating that the mode requires the entire message be processed in one pass).
- Parameters
-
msg the message to be processed
- Returns
- bytes written in-place
Definition at line 132 of file cipher_mode.h.
Referenced by botan_cipher_update().
◆ process() [2/2]
|
inlineinherited |
Definition at line 134 of file cipher_mode.h.
◆ provider()
|
inlinevirtualinherited |
- Returns
- provider information about this implementation. Default is "base", might also return "sse2", "avx2", "openssl", or some other arbitrary string.
Reimplemented in Botan::GCM_Mode.
Definition at line 275 of file cipher_mode.h.
Referenced by Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), Botan::AEAD_Mode::create_or_throw(), and Botan::Cipher_Mode::create_or_throw().
◆ providers()
|
staticinherited |
- Returns
- list of available providers for this algorithm, empty if not available
- Parameters
-
algo_spec algorithm name
Definition at line 168 of file cipher_mode.cpp.
References Botan::Cipher_Mode::create(), Botan::Encryption, and Botan::Cipher_Mode::providers().
Referenced by Botan::Cipher_Mode::providers().
◆ requires_entire_message()
|
inlinevirtualinherited |
Certain modes require the entire message be available before any processing can occur. For such modes, input will be consumed but not returned, until finish is called, which returns the entire message.
This function returns true if this mode has this style of operation.
Reimplemented in Botan::CCM_Mode, and Botan::SIV_Mode.
Definition at line 234 of file cipher_mode.h.
Referenced by botan_cipher_update().
◆ reset()
|
finalvirtual |
Resets just the message specific state and allows encrypting again under the existing key
Implements Botan::Cipher_Mode.
Definition at line 61 of file tls_cbc.cpp.
References cbc_state().
Referenced by clear().
◆ set_ad()
|
inlineinherited |
Set associated data that is not included in the ciphertext but that should be authenticated. Must be called after set_key() and before start().
- Parameters
-
ad the associated data
Definition at line 124 of file aead.h.
◆ set_associated_data() [1/2]
|
inlineinherited |
Definition at line 61 of file aead.h.
References Botan::AEAD_Mode::set_associated_data().
Referenced by Botan::AEAD_Mode::set_associated_data().
◆ set_associated_data() [2/2]
|
inlineinherited |
Set associated data that is not included in the ciphertext but that should be authenticated. Must be called after set_key() and before start().
Unless reset by another call, the associated data is kept between messages. Thus, if the AD does not change, calling once (after set_key()) is the optimum.
- Parameters
-
ad the associated data
Definition at line 59 of file aead.h.
Referenced by Botan::TLS::write_record().
◆ set_associated_data_n()
|
overridevirtual |
Set associated data that is not included in the ciphertext but that should be authenticated. Must be called after set_key() and before start().
Unless reset by another call, the associated data is kept between messages. Thus, if the AD does not change, calling once (after set_key()) is the optimum.
Some AEADs (namely SIV) support multiple AD inputs. For all other modes only nominal AD input 0 is supported; all other values of idx will cause an exception.
Derived AEADs must implement this. For AEADs where maximum_associated_data_inputs() returns 1 (the default), the idx must simply be ignored.
- Parameters
-
idx which associated data to set ad the associated data
Implements Botan::AEAD_Mode.
Definition at line 130 of file tls_cbc.cpp.
References BOTAN_ARG_CHECK.
Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data_n().
◆ set_associated_data_vec()
|
inlineinherited |
◆ set_key() [1/3]
|
inlineinherited |
Set the symmetric key of this object.
- Parameters
-
key the SymmetricKey to be set.
Definition at line 113 of file sym_algo.h.
References Botan::OctetString::begin(), Botan::OctetString::length(), and Botan::SymmetricAlgorithm::set_key().
Referenced by Botan::create_aes_row_generator(), Botan::Sodium::crypto_stream_salsa20(), Botan::Sodium::crypto_stream_salsa20_xor_ic(), Botan::Sodium::crypto_stream_xsalsa20(), Botan::Sodium::crypto_stream_xsalsa20_xor_ic(), Botan::FPE::fe1_decrypt(), Botan::FPE::fe1_encrypt(), Botan::Sphincs_Hash_Functions_Sha2::PRF_msg(), Botan::Sodium::randombytes_buf_deterministic(), and Botan::SymmetricAlgorithm::set_key().
◆ set_key() [2/3]
|
inlineinherited |
Set the symmetric key of this object.
- Parameters
-
key the to be set as a byte array. length in bytes of key param
Definition at line 126 of file sym_algo.h.
References Botan::SymmetricAlgorithm::set_key().
Referenced by Botan::SymmetricAlgorithm::set_key().
◆ set_key() [3/3]
|
inherited |
Set the symmetric key of this object.
- Parameters
-
key the contiguous byte range to be set.
Definition at line 17 of file sym_algo.cpp.
References Botan::SymmetricAlgorithm::name(), and Botan::SymmetricAlgorithm::valid_keylength().
◆ start() [1/3]
|
inlineinherited |
Begin processing a message.
The exact semantics of this depend on the mode. For many modes, the call will fail since a nonce must be provided.
For certain modes such as CBC this will instead cause the last ciphertext block to be used as the nonce of the new message; doing this isn't a good idea, but some (mostly older) protocols do this.
Definition at line 117 of file cipher_mode.h.
◆ start() [2/3]
|
inlineinherited |
Begin processing a message with a fresh nonce.
- Parameters
-
nonce the per message nonce nonce_len length of nonce
Definition at line 105 of file cipher_mode.h.
◆ start() [3/3]
|
inlineinherited |
Begin processing a message with a fresh nonce.
- Warning
- Typically one must not reuse the same nonce for more than one message under the same key. For most cipher modes this would mean total loss of security and/or authenticity guarantees.
- Note
- If reliably generating unique nonces is difficult in your environment, use SIV which retains security even if nonces are repeated.
- Parameters
-
nonce the per message nonce
Definition at line 98 of file cipher_mode.h.
Referenced by botan_cipher_start(), and Botan::TLS::write_record().
◆ tag_size()
|
inlinefinalvirtual |
- Returns
- the size of the authentication tag used (in bytes)
Reimplemented from Botan::Cipher_Mode.
Definition at line 37 of file tls_cbc.h.
Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::output_length().
◆ update()
|
inlineinherited |
Process some data. Input must be in size update_granularity() uint8_t blocks. The buffer is an in/out parameter and may be resized. In particular, some modes require that all input be consumed before any output is produced; with these modes, buffer will be returned empty.
The first offset bytes of buffer will be ignored (this allows in place processing of a buffer that contains an initial plaintext header).
- Parameters
-
buffer in/out parameter which will possibly be resized offset an offset into blocks to begin processing
Definition at line 149 of file cipher_mode.h.
References BOTAN_ASSERT.
◆ update_granularity()
|
finalvirtual |
The :cpp:class:Cipher_Mode interface requires message processing in multiples of the block size. This returns size of required blocks to update. If the mode implementation does not require buffering it will return 1.
- Returns
- size of required blocks to update
Implements Botan::Cipher_Mode.
Definition at line 71 of file tls_cbc.cpp.
◆ use_encrypt_then_mac()
|
inlineprotected |
Definition at line 64 of file tls_cbc.h.
Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::output_length(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data_n().
◆ valid_keylength()
|
inlineinherited |
Check whether a given key length is valid for this algorithm.
- Parameters
-
length the key length to be checked.
- Returns
- true if the key length is valid.
Definition at line 107 of file sym_algo.h.
Referenced by Botan::SymmetricAlgorithm::set_key().
◆ valid_nonce_length()
|
finalvirtual |
- Returns
- true iff nonce_len is a valid length for the nonce
Implements Botan::Cipher_Mode.
Definition at line 79 of file tls_cbc.cpp.
References block_size(), and iv_size().
The documentation for this class was generated from the following files:
- src/lib/tls/tls12/tls_cbc/tls_cbc.h
- src/lib/tls/tls12/tls_cbc/tls_cbc.cpp
Generated by
1.12.0