Botan 3.10.0
Crypto and TLS for C&
ghash.cpp
Go to the documentation of this file.
1/*
2* GCM GHASH
3* (C) 2013,2015,2017 Jack Lloyd
4* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5* (C) 2024 René Meusel, Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/internal/ghash.h>
11
12#include <botan/internal/ct_utils.h>
13#include <botan/internal/loadstor.h>
14#include <botan/internal/stl_util.h>
15
16#if defined(BOTAN_HAS_CPUID)
17 #include <botan/internal/cpuid.h>
18#endif
19
20namespace Botan {
21
22std::string GHASH::provider() const {
23#if defined(BOTAN_HAS_GHASH_CLMUL_CPU)
24 if(auto feat = CPUID::check(CPUID::Feature::HW_CLMUL)) {
25 return *feat;
26 }
27#endif
28
29#if defined(BOTAN_HAS_GHASH_CLMUL_VPERM)
30 if(auto feat = CPUID::check(CPUID::Feature::SIMD_4X32)) {
31 return *feat;
32 }
33#endif
34
35 return "base";
36}
37
38void GHASH::ghash_multiply(std::span<uint8_t, GCM_BS> x, std::span<const uint8_t> input, size_t blocks) {
39 BOTAN_ASSERT_NOMSG(input.size() % GCM_BS == 0);
40
41#if defined(BOTAN_HAS_GHASH_CLMUL_CPU)
42 if(CPUID::has(CPUID::Feature::HW_CLMUL)) {
43 BOTAN_ASSERT_NOMSG(!m_H_pow.empty());
44 return ghash_multiply_cpu(x.data(), m_H_pow.data(), input.data(), blocks);
45 }
46#endif
47
48#if defined(BOTAN_HAS_GHASH_CLMUL_VPERM)
49 if(CPUID::has(CPUID::Feature::SIMD_4X32)) {
50 return ghash_multiply_vperm(x.data(), m_HM.data(), input.data(), blocks);
51 }
52#endif
53
54 auto scope = CT::scoped_poison(x);
55
56 auto X = load_be<std::array<uint64_t, 2>>(x);
57
58 BufferSlicer in(input);
59 for(size_t b = 0; b != blocks; ++b) {
60 const auto I = load_be<std::array<uint64_t, 2>>(in.take<GCM_BS>());
61 X[0] ^= I[0];
62 X[1] ^= I[1];
63
64 std::array<uint64_t, 2> Z{};
65
66 for(size_t i = 0; i != 64; ++i) {
67 const auto X0MASK = CT::Mask<uint64_t>::expand_top_bit(X[0]);
68 const auto X1MASK = CT::Mask<uint64_t>::expand_top_bit(X[1]);
69
70 X[0] <<= 1;
71 X[1] <<= 1;
72
73 Z[0] = X0MASK.select(Z[0] ^ m_HM[4 * i], Z[0]);
74 Z[1] = X0MASK.select(Z[1] ^ m_HM[4 * i + 1], Z[1]);
75
76 Z[0] = X1MASK.select(Z[0] ^ m_HM[4 * i + 2], Z[0]);
77 Z[1] = X1MASK.select(Z[1] ^ m_HM[4 * i + 3], Z[1]);
78 }
79
80 X[0] = Z[0];
81 X[1] = Z[1];
82 }
83
84 store_be(x, X);
85}
86
87bool GHASH::has_keying_material() const {
88 return !m_HM.empty() || !m_H_pow.empty();
89}
90
91void GHASH::key_schedule(std::span<const uint8_t> key) {
92 m_H_ad = {0};
93 m_ad_len = 0;
94 m_text_len = 0;
95
96 BOTAN_ASSERT_NOMSG(key.size() == GCM_BS);
97 auto H = load_be<std::array<uint64_t, 2>>(key.first<GCM_BS>());
98
99#if defined(BOTAN_HAS_GHASH_CLMUL_CPU)
100 if(CPUID::has(CPUID::Feature::HW_CLMUL)) {
101 zap(m_HM);
102 if(m_H_pow.size() != 8) {
103 m_H_pow.resize(8);
104 }
105 ghash_precompute_cpu(key.data(), m_H_pow.data());
106 // m_HM left empty
107 return;
108 }
109#endif
110
111 const uint64_t R = 0xE100000000000000;
112
113 if(m_HM.size() != 256) {
114 m_HM.resize(256);
115 }
116
117 // precompute the multiples of H
118 for(size_t i = 0; i != 2; ++i) {
119 for(size_t j = 0; j != 64; ++j) {
120 /*
121 we interleave H^1, H^65, H^2, H^66, H3, H67, H4, H68
122 to make indexing nicer in the multiplication code
123 */
124 m_HM[4 * j + 2 * i] = H[0];
125 m_HM[4 * j + 2 * i + 1] = H[1];
126
127 // GCM's bit ops are reversed so we carry out of the bottom
128 const uint64_t carry = CT::Mask<uint64_t>::expand(H[1] & 1).if_set_return(R);
129 H[1] = (H[1] >> 1) | (H[0] << 63);
130 H[0] = (H[0] >> 1) ^ carry;
131 }
132 }
133}
134
135void GHASH::start(std::span<const uint8_t> nonce) {
136 BOTAN_ARG_CHECK(nonce.size() == 16, "GHASH requires a 128-bit nonce");
137 auto& n = m_nonce.emplace();
138 copy_mem(n, nonce);
139 copy_mem(m_ghash, m_H_ad);
140}
141
142void GHASH::set_associated_data(std::span<const uint8_t> input) {
143 BOTAN_STATE_CHECK(!m_nonce);
144
145 assert_key_material_set();
146 m_H_ad = {0};
147 ghash_update(m_H_ad, input);
148 ghash_zeropad(m_H_ad);
149 m_ad_len = input.size();
150}
151
152void GHASH::update_associated_data(std::span<const uint8_t> ad) {
153 assert_key_material_set();
154 ghash_update(m_ghash, ad);
155 m_ad_len += ad.size();
156}
157
158void GHASH::update(std::span<const uint8_t> input) {
159 assert_key_material_set();
160 BOTAN_STATE_CHECK(m_nonce);
161 ghash_update(m_ghash, input);
162 m_text_len += input.size();
163}
164
165void GHASH::final(std::span<uint8_t> mac) {
166 BOTAN_ARG_CHECK(!mac.empty() && mac.size() <= GCM_BS, "GHASH output length");
167 BOTAN_STATE_CHECK(m_nonce);
168 assert_key_material_set();
169
170 ghash_zeropad(m_ghash);
171 ghash_final_block(m_ghash, m_ad_len, m_text_len);
172
173 xor_buf(mac, std::span{m_ghash}.first(mac.size()), std::span{*m_nonce}.first(mac.size()));
174
175 secure_scrub_memory(m_ghash);
176 m_text_len = 0;
177 m_nonce.reset();
178}
179
180void GHASH::nonce_hash(std::span<uint8_t, GCM_BS> y0, std::span<const uint8_t> nonce) {
181 assert_key_material_set();
182 BOTAN_STATE_CHECK(!m_nonce);
183
184 ghash_update(y0, nonce);
185 ghash_zeropad(y0);
186 ghash_final_block(y0, 0, nonce.size());
187}
188
189void GHASH::clear() {
190 zap(m_HM);
191 zap(m_H_pow);
192 this->reset_state();
193}
194
195void GHASH::reset_state() {
196 m_H_ad = {0};
197 secure_scrub_memory(m_ghash);
198 if(m_nonce) {
199 secure_scrub_memory(m_nonce.value());
200 m_nonce.reset();
201 }
202 m_buffer.clear();
203 m_text_len = m_ad_len = 0;
204}
205
206void GHASH::ghash_update(std::span<uint8_t, GCM_BS> x, std::span<const uint8_t> input) {
207 BufferSlicer in(input);
208 while(!in.empty()) {
209 if(const auto one_block = m_buffer.handle_unaligned_data(in)) {
210 ghash_multiply(x, one_block.value(), 1);
211 }
212
213 if(m_buffer.in_alignment()) {
214 const auto [aligned_data, full_blocks] = m_buffer.aligned_data_to_process(in);
215 if(full_blocks > 0) {
216 ghash_multiply(x, aligned_data, full_blocks);
217 }
218 }
219 }
220 BOTAN_ASSERT_NOMSG(in.empty());
221}
222
223void GHASH::ghash_zeropad(std::span<uint8_t, GCM_BS> x) {
224 if(!m_buffer.in_alignment()) {
225 m_buffer.fill_up_with_zeros();
226 ghash_multiply(x, m_buffer.consume(), 1);
227 }
228}
229
230void GHASH::ghash_final_block(std::span<uint8_t, GCM_BS> x, uint64_t ad_len, uint64_t text_len) {
231 BOTAN_STATE_CHECK(m_buffer.in_alignment());
232 const auto final_block = store_be(8 * ad_len, 8 * text_len);
233 ghash_multiply(x, final_block, 1);
234}
235
236} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
Botan::AlignmentBuffer::aligned_data_to_process
std::tuple< std::span< const uint8_t >, size_t > aligned_data_to_process(BufferSlicer &slicer) const
Definition alignment_buffer.h:127
Botan::AlignmentBuffer::handle_unaligned_data
std::optional< std::span< const T > > handle_unaligned_data(BufferSlicer &slicer)
Definition alignment_buffer.h:167
Botan::CPUID::check
static std::optional< std::string > check(CPUID::Feature feat)
Definition cpuid.h:67
Botan::CPUID::has
static bool has(CPUID::Feature feat)
Definition cpuid.h:94
Botan::CT::Mask::expand
static constexpr Mask< T > expand(T v)
Definition ct_utils.h:420
Botan::CT::Mask::expand_top_bit
static constexpr Mask< T > expand_top_bit(T v)
Definition ct_utils.h:443
Botan::GHASH::update_associated_data
void update_associated_data(std::span< const uint8_t > ad)
Incremental update of associated data used in the GMAC use-case.
Definition ghash.cpp:152
Botan::GHASH::provider
std::string provider() const
Definition ghash.cpp:22
Botan::GHASH::final
void final(std::span< uint8_t > out)
Definition ghash.cpp:165
Botan::GHASH::nonce_hash
void nonce_hash(std::span< uint8_t, GCM_BS > y0, std::span< const uint8_t > nonce)
Hashing of non-default length nonce values for both GCM and GMAC use-cases.
Definition ghash.cpp:180
Botan::GHASH::reset_state
void reset_state()
Definition ghash.cpp:195
Botan::GHASH::clear
void clear() override
Definition ghash.cpp:189
Botan::GHASH::update
void update(std::span< const uint8_t > in)
Definition ghash.cpp:158
Botan::GHASH::start
void start(std::span< const uint8_t > nonce)
Definition ghash.cpp:135
Botan::GHASH::has_keying_material
bool has_keying_material() const override
Definition ghash.cpp:87
Botan::GHASH::set_associated_data
void set_associated_data(std::span< const uint8_t > ad)
Monolithic setting of associated data usid in the GCM use-case.
Definition ghash.cpp:142
Botan::SymmetricAlgorithm::assert_key_material_set
void assert_key_material_set() const
Definition sym_algo.h:146
Botan::CT::scoped_poison
constexpr auto scoped_poison(const Ts &... xs)
Definition ct_utils.h:220
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145
Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:134
Botan::secure_scrub_memory
void secure_scrub_memory(void *ptr, size_t n)
Definition mem_utils.cpp:24
Botan::carry
void carry(int64_t &h0, int64_t &h1)
Definition ed25519_internal.h:27
Botan::xor_buf
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:342
Botan::store_be
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:745
Botan::load_be
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:504
Generated by doxygen 1.15.0