Botan 3.7.1
Crypto and TLS for C&
gmac.cpp
Go to the documentation of this file.
1/*
2 * GMAC
3 * (C) 2016 Matthias Gierlings, René Korthaus
4 * (C) 2017 Jack Lloyd
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8
9#include <botan/internal/gmac.h>
10
11#include <botan/block_cipher.h>
12#include <botan/exceptn.h>
13#include <botan/internal/fmt.h>
14#include <botan/internal/ghash.h>
15
16namespace Botan {
17
18GMAC::GMAC(std::unique_ptr<BlockCipher> cipher) :
19 m_cipher(std::move(cipher)), m_ghash(std::make_unique<GHASH>()), m_H(GCM_BS), m_initialized(false) {}
20
22 m_cipher->clear();
23 m_ghash->clear();
24 zeroise(m_H);
25 m_initialized = false;
26}
27
28GMAC::~GMAC() = default;
29
31 return m_cipher->key_spec();
32}
33
34std::string GMAC::name() const {
35 return fmt("GMAC({})", m_cipher->name());
36}
37
38size_t GMAC::output_length() const {
39 return GCM_BS;
40}
41
42void GMAC::add_data(std::span<const uint8_t> input) {
43 m_ghash->update_associated_data(input);
44}
45
47 return m_cipher->has_keying_material();
48}
49
50void GMAC::key_schedule(std::span<const uint8_t> key) {
51 clear();
52 m_cipher->set_key(key);
53
54 m_cipher->encrypt(m_H);
55 m_ghash->set_key(m_H);
56}
57
58void GMAC::start_msg(std::span<const uint8_t> nonce) {
59 secure_vector<uint8_t> y0(GCM_BS);
60
61 if(nonce.size() == 12) {
62 copy_mem(y0.data(), nonce.data(), nonce.size());
63 y0[GCM_BS - 1] = 1;
64 } else {
65 m_ghash->nonce_hash(y0, nonce);
66 }
67
68 secure_vector<uint8_t> m_enc_y0(GCM_BS);
69 m_cipher->encrypt(y0.data(), m_enc_y0.data());
70 m_ghash->start(m_enc_y0);
71 m_initialized = true;
72}
73
74void GMAC::final_result(std::span<uint8_t> mac) {
75 // This ensures the GMAC computation has been initialized with a fresh
76 // nonce. The aim of this check is to prevent developers from re-using
77 // nonces (and potential nonce-reuse attacks).
78 if(m_initialized == false) {
79 throw Invalid_State("GMAC was not used with a fresh nonce");
80 }
81
82 m_ghash->final(mac.first(output_length()));
83 m_ghash->set_key(m_H);
84}
85
86std::unique_ptr<MessageAuthenticationCode> GMAC::new_object() const {
87 return std::make_unique<GMAC>(m_cipher->new_object());
88}
89} // namespace Botan
std::string name() const override
Definition gmac.cpp:34
GMAC(std::unique_ptr< BlockCipher > cipher)
Definition gmac.cpp:18
~GMAC() override
std::unique_ptr< MessageAuthenticationCode > new_object() const override
Definition gmac.cpp:86
Key_Length_Specification key_spec() const override
Definition gmac.cpp:30
bool has_keying_material() const override
Definition gmac.cpp:46
void clear() override
Definition gmac.cpp:21
size_t output_length() const override
Definition gmac.cpp:38
void zeroise(std::vector< T, Alloc > &vec)
Definition secmem.h:108
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:147