Botan 3.3.0
Crypto and TLS for C&
gmac.cpp
Go to the documentation of this file.
1/*
2 * GMAC
3 * (C) 2016 Matthias Gierlings, René Korthaus
4 * (C) 2017 Jack Lloyd
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8
9#include <botan/internal/gmac.h>
10
11#include <botan/block_cipher.h>
12#include <botan/exceptn.h>
13#include <botan/internal/fmt.h>
14#include <botan/internal/ghash.h>
15#include <botan/internal/stl_util.h>
16
17namespace Botan {
18
19GMAC::GMAC(std::unique_ptr<BlockCipher> cipher) :
20 m_cipher(std::move(cipher)), m_ghash(std::make_unique<GHASH>()), m_H(GCM_BS), m_initialized(false) {}
21
23 m_cipher->clear();
24 m_ghash->clear();
25 m_aad_buf.clear();
26 zeroise(m_H);
27 m_initialized = false;
28}
29
30GMAC::~GMAC() = default;
31
33 return m_cipher->key_spec();
34}
35
36std::string GMAC::name() const {
37 return fmt("GMAC({})", m_cipher->name());
38}
39
40size_t GMAC::output_length() const {
41 return GCM_BS;
42}
43
44void GMAC::add_data(std::span<const uint8_t> input) {
45 BufferSlicer in(input);
46
47 while(!in.empty()) {
48 if(const auto one_block = m_aad_buf.handle_unaligned_data(in)) {
49 m_ghash->update_associated_data(one_block.value());
50 }
51
52 if(m_aad_buf.in_alignment()) {
53 const auto [aligned_data, full_blocks] = m_aad_buf.aligned_data_to_process(in);
54 if(full_blocks > 0) {
55 m_ghash->update_associated_data(aligned_data);
56 }
57 }
58 }
59}
60
62 return m_cipher->has_keying_material();
63}
64
65void GMAC::key_schedule(std::span<const uint8_t> key) {
66 clear();
67 m_cipher->set_key(key);
68
69 m_cipher->encrypt(m_H);
70 m_ghash->set_key(m_H);
71}
72
73void GMAC::start_msg(std::span<const uint8_t> nonce) {
74 secure_vector<uint8_t> y0(GCM_BS);
75
76 if(nonce.size() == 12) {
77 copy_mem(y0.data(), nonce.data(), nonce.size());
78 y0[GCM_BS - 1] = 1;
79 } else {
80 m_ghash->ghash_update(y0, nonce);
81 m_ghash->add_final_block(y0, 0, nonce.size());
82 }
83
84 secure_vector<uint8_t> m_enc_y0(GCM_BS);
85 m_cipher->encrypt(y0.data(), m_enc_y0.data());
86 m_ghash->start(m_enc_y0);
87 m_initialized = true;
88}
89
90void GMAC::final_result(std::span<uint8_t> mac) {
91 // This ensures the GMAC computation has been initialized with a fresh
92 // nonce. The aim of this check is to prevent developers from re-using
93 // nonces (and potential nonce-reuse attacks).
94 if(m_initialized == false) {
95 throw Invalid_State("GMAC was not used with a fresh nonce");
96 }
97
98 // Process the rest of the aad buffer.
99 if(!m_aad_buf.in_alignment()) {
100 m_ghash->update_associated_data(m_aad_buf.consume_partial());
101 }
102
103 m_ghash->final(mac.first(output_length()));
104 m_ghash->set_key(m_H);
105 m_aad_buf.clear();
106}
107
108std::unique_ptr<MessageAuthenticationCode> GMAC::new_object() const {
109 return std::make_unique<GMAC>(m_cipher->new_object());
110}
111} // namespace Botan
std::tuple< std::span< const uint8_t >, size_t > aligned_data_to_process(BufferSlicer &slicer) const
std::optional< std::span< const T > > handle_unaligned_data(BufferSlicer &slicer)
std::span< const T > consume_partial()
std::string name() const override
Definition gmac.cpp:36
GMAC(std::unique_ptr< BlockCipher > cipher)
Definition gmac.cpp:19
~GMAC() override
std::unique_ptr< MessageAuthenticationCode > new_object() const override
Definition gmac.cpp:108
Key_Length_Specification key_spec() const override
Definition gmac.cpp:32
bool has_keying_material() const override
Definition gmac.cpp:61
void clear() override
Definition gmac.cpp:22
size_t output_length() const override
Definition gmac.cpp:40
void zeroise(std::vector< T, Alloc > &vec)
Definition secmem.h:108
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:146