aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/modes/aead/gcm/gcm.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/modes/aead/gcm/gcm.cpp')
-rw-r--r--src/lib/modes/aead/gcm/gcm.cpp63
1 files changed, 31 insertions, 32 deletions
diff --git a/src/lib/modes/aead/gcm/gcm.cpp b/src/lib/modes/aead/gcm/gcm.cpp
index e23551cb4..78792b79a 100644
--- a/src/lib/modes/aead/gcm/gcm.cpp
+++ b/src/lib/modes/aead/gcm/gcm.cpp
@@ -17,6 +17,8 @@
namespace Botan {
+static const size_t GCM_BS = 16;
+
void GHASH::gcm_multiply(secure_vector<byte>& x) const
{
#if defined(BOTAN_HAS_GCM_CLMUL)
@@ -66,15 +68,13 @@ void GHASH::gcm_multiply(secure_vector<byte>& x) const
void GHASH::ghash_update(secure_vector<byte>& ghash,
const byte input[], size_t length)
{
- const size_t BS = 16;
-
/*
This assumes if less than block size input then we're just on the
final block and should pad with zeros
*/
while(length)
{
- const size_t to_proc = std::min(length, BS);
+ const size_t to_proc = std::min(length, GCM_BS);
xor_buf(ghash.data(), input, to_proc);
@@ -88,7 +88,7 @@ void GHASH::ghash_update(secure_vector<byte>& ghash,
void GHASH::key_schedule(const byte key[], size_t length)
{
m_H.assign(key, key+length);
- m_H_ad.resize(16);
+ m_H_ad.resize(GCM_BS);
m_ad_len = 0;
m_text_len = 0;
}
@@ -109,7 +109,7 @@ void GHASH::set_associated_data(const byte input[], size_t length)
void GHASH::update(const byte input[], size_t length)
{
- BOTAN_ASSERT(m_ghash.size() == 16, "Key was set");
+ BOTAN_ASSERT(m_ghash.size() == GCM_BS, "Key was set");
m_text_len += length;
@@ -119,7 +119,7 @@ void GHASH::update(const byte input[], size_t length)
void GHASH::add_final_block(secure_vector<byte>& hash,
size_t ad_len, size_t text_len)
{
- secure_vector<byte> final_block(16);
+ secure_vector<byte> final_block(GCM_BS);
store_be<u64bit>(final_block.data(), 8*ad_len, 8*text_len);
ghash_update(hash, final_block.data(), final_block.size());
}
@@ -139,7 +139,7 @@ secure_vector<byte> GHASH::final()
secure_vector<byte> GHASH::nonce_hash(const byte nonce[], size_t nonce_len)
{
BOTAN_ASSERT(m_ghash.size() == 0, "nonce_hash called during wrong time");
- secure_vector<byte> y0(16);
+ secure_vector<byte> y0(GCM_BS);
ghash_update(y0, nonce, nonce_len);
add_final_block(y0, 0, nonce_len);
@@ -162,15 +162,14 @@ GCM_Mode::GCM_Mode(BlockCipher* cipher, size_t tag_size) :
m_tag_size(tag_size),
m_cipher_name(cipher->name())
{
- if(cipher->block_size() != m_BS)
- throw Invalid_Argument("GCM requires a 128 bit cipher so cannot be used with " +
- cipher->name());
+ if(cipher->block_size() != GCM_BS)
+ throw Invalid_Argument("Invalid block cipher for GCM");
m_ghash.reset(new GHASH);
m_ctr.reset(new CTR_BE(cipher, 4)); // CTR_BE takes ownership of cipher
- if(m_tag_size != 8 && m_tag_size != 16)
+ if(m_tag_size != 8 && m_tag_size != GCM_BS)
throw Invalid_Argument(name() + ": Bad tag size " + std::to_string(m_tag_size));
}
@@ -187,7 +186,7 @@ std::string GCM_Mode::name() const
size_t GCM_Mode::update_granularity() const
{
- return m_BS;
+ return GCM_BS;
}
Key_Length_Specification GCM_Mode::key_spec() const
@@ -199,10 +198,10 @@ void GCM_Mode::key_schedule(const byte key[], size_t keylen)
{
m_ctr->set_key(key, keylen);
- const std::vector<byte> zeros(m_BS);
+ const std::vector<byte> zeros(GCM_BS);
m_ctr->set_iv(zeros.data(), zeros.size());
- secure_vector<byte> H(m_BS);
+ secure_vector<byte> H(GCM_BS);
m_ctr->encipher(H);
m_ghash->set_key(H);
}
@@ -212,12 +211,12 @@ void GCM_Mode::set_associated_data(const byte ad[], size_t ad_len)
m_ghash->set_associated_data(ad, ad_len);
}
-secure_vector<byte> GCM_Mode::start_raw(const byte nonce[], size_t nonce_len)
+void GCM_Mode::start_msg(const byte nonce[], size_t nonce_len)
{
if(!valid_nonce_length(nonce_len))
throw Invalid_IV_Length(name(), nonce_len);
- secure_vector<byte> y0(m_BS);
+ secure_vector<byte> y0(GCM_BS);
if(nonce_len == 12)
{
@@ -231,48 +230,48 @@ secure_vector<byte> GCM_Mode::start_raw(const byte nonce[], size_t nonce_len)
m_ctr->set_iv(y0.data(), y0.size());
- secure_vector<byte> m_enc_y0(m_BS);
+ secure_vector<byte> m_enc_y0(GCM_BS);
m_ctr->encipher(m_enc_y0);
m_ghash->start(m_enc_y0.data(), m_enc_y0.size());
-
- return secure_vector<byte>();
}
-void GCM_Encryption::update(secure_vector<byte>& buffer, size_t offset)
+size_t GCM_Encryption::process(uint8_t buf[], size_t sz)
{
- BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
- const size_t sz = buffer.size() - offset;
- byte* buf = buffer.data() + offset;
-
+ BOTAN_ARG_CHECK(sz % update_granularity() == 0);
m_ctr->cipher(buf, buf, sz);
m_ghash->update(buf, sz);
+ return sz;
}
void GCM_Encryption::finish(secure_vector<byte>& buffer, size_t offset)
{
- update(buffer, offset);
+ BOTAN_ARG_CHECK(offset <= buffer.size());
+ const size_t sz = buffer.size() - offset;
+ byte* buf = buffer.data() + offset;
+
+ m_ctr->cipher(buf, buf, sz);
+ m_ghash->update(buf, sz);
auto mac = m_ghash->final();
buffer += std::make_pair(mac.data(), tag_size());
}
-void GCM_Decryption::update(secure_vector<byte>& buffer, size_t offset)
+size_t GCM_Decryption::process(uint8_t buf[], size_t sz)
{
- BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
- const size_t sz = buffer.size() - offset;
- byte* buf = buffer.data() + offset;
-
+ BOTAN_ARG_CHECK(sz % update_granularity() == 0);
m_ghash->update(buf, sz);
m_ctr->cipher(buf, buf, sz);
+ return sz;
}
void GCM_Decryption::finish(secure_vector<byte>& buffer, size_t offset)
{
- BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
+ BOTAN_ARG_CHECK(offset <= buffer.size());
const size_t sz = buffer.size() - offset;
byte* buf = buffer.data() + offset;
- BOTAN_ASSERT(sz >= tag_size(), "Have the tag as part of final input");
+ if(sz < tag_size())
+ throw Exception("Insufficient input for GCM decryption, tag missing");
const size_t remaining = sz - tag_size();