Coverage Report

Created: 2020-05-23 13:54

/src/botan/src/lib/modes/aead/gcm/gcm.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* GCM Mode Encryption
3
* (C) 2013,2015 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/gcm.h>
10
#include <botan/ghash.h>
11
#include <botan/block_cipher.h>
12
#include <botan/ctr.h>
13
14
namespace Botan {
15
16
/*
17
* GCM_Mode Constructor
18
*/
19
GCM_Mode::GCM_Mode(BlockCipher* cipher, size_t tag_size) :
20
   m_tag_size(tag_size),
21
   m_cipher_name(cipher->name())
22
899
   {
23
899
   if(cipher->block_size() != GCM_BS)
24
0
      throw Invalid_Argument("Invalid block cipher for GCM");
25
899
26
899
   m_ghash.reset(new GHASH);
27
899
28
899
   m_ctr.reset(new CTR_BE(cipher, 4)); // CTR_BE takes ownership of cipher
29
899
30
899
   /* We allow any of the values 128, 120, 112, 104, or 96 bits as a tag size */
31
899
   /* 64 bit tag is still supported but deprecated and will be removed in the future */
32
899
   if(m_tag_size != 8 && (m_tag_size < 12 || m_tag_size > 16))
33
0
      throw Invalid_Argument(name() + ": Bad tag size " + std::to_string(m_tag_size));
34
899
   }
35
36
899
GCM_Mode::~GCM_Mode() { /* for unique_ptr */ }
37
38
void GCM_Mode::clear()
39
0
   {
40
0
   m_ctr->clear();
41
0
   m_ghash->clear();
42
0
   reset();
43
0
   }
44
45
void GCM_Mode::reset()
46
0
   {
47
0
   m_ghash->reset();
48
0
   }
49
50
std::string GCM_Mode::name() const
51
0
   {
52
0
   return (m_cipher_name + "/GCM(" + std::to_string(tag_size()) + ")");
53
0
   }
54
55
std::string GCM_Mode::provider() const
56
0
   {
57
0
   return m_ghash->provider();
58
0
   }
59
60
size_t GCM_Mode::update_granularity() const
61
0
   {
62
0
   return GCM_BS * std::max<size_t>(2, BOTAN_BLOCK_CIPHER_PAR_MULT);
63
0
   }
64
65
bool GCM_Mode::valid_nonce_length(size_t len) const
66
1.34k
   {
67
1.34k
   // GCM does not support empty nonces
68
1.34k
   return (len > 0);
69
1.34k
   }
70
71
Key_Length_Specification GCM_Mode::key_spec() const
72
899
   {
73
899
   return m_ctr->key_spec();
74
899
   }
75
76
void GCM_Mode::key_schedule(const uint8_t key[], size_t keylen)
77
899
   {
78
899
   m_ctr->set_key(key, keylen);
79
899
80
899
   const std::vector<uint8_t> zeros(GCM_BS);
81
899
   m_ctr->set_iv(zeros.data(), zeros.size());
82
899
83
899
   secure_vector<uint8_t> H(GCM_BS);
84
899
   m_ctr->encipher(H);
85
899
   m_ghash->set_key(H);
86
899
   }
87
88
void GCM_Mode::set_associated_data(const uint8_t ad[], size_t ad_len)
89
1.08k
   {
90
1.08k
   m_ghash->set_associated_data(ad, ad_len);
91
1.08k
   }
92
93
void GCM_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
94
1.08k
   {
95
1.08k
   if(!valid_nonce_length(nonce_len))
96
0
      throw Invalid_IV_Length(name(), nonce_len);
97
1.08k
98
1.08k
   if(m_y0.size() != GCM_BS)
99
830
      m_y0.resize(GCM_BS);
100
1.08k
101
1.08k
   clear_mem(m_y0.data(), m_y0.size());
102
1.08k
103
1.08k
   if(nonce_len == 12)
104
1.08k
      {
105
1.08k
      copy_mem(m_y0.data(), nonce, nonce_len);
106
1.08k
      m_y0[15] = 1;
107
1.08k
      }
108
0
   else
109
0
      {
110
0
      m_ghash->nonce_hash(m_y0, nonce, nonce_len);
111
0
      }
112
1.08k
113
1.08k
   m_ctr->set_iv(m_y0.data(), m_y0.size());
114
1.08k
115
1.08k
   clear_mem(m_y0.data(), m_y0.size());
116
1.08k
   m_ctr->encipher(m_y0);
117
1.08k
118
1.08k
   m_ghash->start(m_y0.data(), m_y0.size());
119
1.08k
   clear_mem(m_y0.data(), m_y0.size());
120
1.08k
   }
121
122
size_t GCM_Encryption::process(uint8_t buf[], size_t sz)
123
0
   {
124
0
   BOTAN_ARG_CHECK(sz % update_granularity() == 0, "Invalid buffer size");
125
0
   m_ctr->cipher(buf, buf, sz);
126
0
   m_ghash->update(buf, sz);
127
0
   return sz;
128
0
   }
129
130
void GCM_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
131
842
   {
132
842
   BOTAN_ARG_CHECK(offset <= buffer.size(), "Invalid offset");
133
842
   const size_t sz = buffer.size() - offset;
134
842
   uint8_t* buf = buffer.data() + offset;
135
842
136
842
   m_ctr->cipher(buf, buf, sz);
137
842
   m_ghash->update(buf, sz);
138
842
139
842
   uint8_t mac[16] = { 0 };
140
842
   m_ghash->final(mac, tag_size());
141
842
   buffer += std::make_pair(mac, tag_size());
142
842
   }
143
144
size_t GCM_Decryption::process(uint8_t buf[], size_t sz)
145
0
   {
146
0
   BOTAN_ARG_CHECK(sz % update_granularity() == 0, "Invalid buffer size");
147
0
   m_ghash->update(buf, sz);
148
0
   m_ctr->cipher(buf, buf, sz);
149
0
   return sz;
150
0
   }
151
152
void GCM_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
153
243
   {
154
243
   BOTAN_ARG_CHECK(offset <= buffer.size(), "Invalid offset");
155
243
   const size_t sz = buffer.size() - offset;
156
243
   uint8_t* buf = buffer.data() + offset;
157
243
158
243
   if(sz < tag_size())
159
0
      throw Decoding_Error("Insufficient input for GCM decryption, tag missing");
160
243
161
243
   const size_t remaining = sz - tag_size();
162
243
163
243
   // handle any final input before the tag
164
243
   if(remaining)
165
240
      {
166
240
      m_ghash->update(buf, remaining);
167
240
      m_ctr->cipher(buf, buf, remaining);
168
240
      }
169
243
170
243
   uint8_t mac[16] = { 0 };
171
243
   m_ghash->final(mac, tag_size());
172
243
173
243
   const uint8_t* included_tag = &buffer[remaining+offset];
174
243
175
243
   if(!constant_time_compare(mac, included_tag, tag_size()))
176
243
      throw Invalid_Authentication_Tag("GCM tag check failed");
177
0
178
0
   buffer.resize(offset + remaining);
179
0
   }
180
181
}