/src/botan/src/lib/modes/cbc/cbc.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * CBC Mode |
3 | | * (C) 1999-2007,2013,2017 Jack Lloyd |
4 | | * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity |
5 | | * (C) 2018 Ribose Inc |
6 | | * |
7 | | * Botan is released under the Simplified BSD License (see license.txt) |
8 | | */ |
9 | | |
10 | | #include <botan/cbc.h> |
11 | | #include <botan/mode_pad.h> |
12 | | #include <botan/internal/rounding.h> |
13 | | |
14 | | namespace Botan { |
15 | | |
16 | | CBC_Mode::CBC_Mode(BlockCipher* cipher, BlockCipherModePaddingMethod* padding) : |
17 | | m_cipher(cipher), |
18 | | m_padding(padding), |
19 | | m_block_size(cipher->block_size()) |
20 | 1.19k | { |
21 | 1.19k | if(m_padding && !m_padding->valid_blocksize(m_block_size)) |
22 | 0 | throw Invalid_Argument("Padding " + m_padding->name() + |
23 | 0 | " cannot be used with " + |
24 | 0 | cipher->name() + "/CBC"); |
25 | 1.19k | } |
26 | | |
27 | | void CBC_Mode::clear() |
28 | 0 | { |
29 | 0 | m_cipher->clear(); |
30 | 0 | reset(); |
31 | 0 | } |
32 | | |
33 | | void CBC_Mode::reset() |
34 | 0 | { |
35 | 0 | m_state.clear(); |
36 | 0 | } |
37 | | |
38 | | std::string CBC_Mode::name() const |
39 | 0 | { |
40 | 0 | if(m_padding) |
41 | 0 | return cipher().name() + "/CBC/" + padding().name(); |
42 | 0 | else |
43 | 0 | return cipher().name() + "/CBC/CTS"; |
44 | 0 | } |
45 | | |
46 | | size_t CBC_Mode::update_granularity() const |
47 | 638 | { |
48 | 638 | return cipher().parallel_bytes(); |
49 | 638 | } |
50 | | |
51 | | Key_Length_Specification CBC_Mode::key_spec() const |
52 | 1.19k | { |
53 | 1.19k | return cipher().key_spec(); |
54 | 1.19k | } |
55 | | |
56 | | size_t CBC_Mode::default_nonce_length() const |
57 | 0 | { |
58 | 0 | return block_size(); |
59 | 0 | } |
60 | | |
61 | | bool CBC_Mode::valid_nonce_length(size_t n) const |
62 | 1.19k | { |
63 | 1.19k | return (n == 0 || n == block_size()); |
64 | 1.19k | } |
65 | | |
66 | | void CBC_Mode::key_schedule(const uint8_t key[], size_t length) |
67 | 1.19k | { |
68 | 1.19k | m_cipher->set_key(key, length); |
69 | 1.19k | m_state.clear(); |
70 | 1.19k | } |
71 | | |
72 | | void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) |
73 | 1.19k | { |
74 | 1.19k | if(!valid_nonce_length(nonce_len)) |
75 | 0 | throw Invalid_IV_Length(name(), nonce_len); |
76 | 1.19k | |
77 | 1.19k | /* |
78 | 1.19k | * A nonce of zero length means carry the last ciphertext value over |
79 | 1.19k | * as the new IV, as unfortunately some protocols require this. If |
80 | 1.19k | * this is the first message then we use an IV of all zeros. |
81 | 1.19k | */ |
82 | 1.19k | if(nonce_len) |
83 | 1.19k | m_state.assign(nonce, nonce + nonce_len); |
84 | 0 | else if(m_state.empty()) |
85 | 0 | m_state.resize(m_cipher->block_size()); |
86 | 1.19k | // else leave the state alone |
87 | 1.19k | } |
88 | | |
89 | | size_t CBC_Encryption::minimum_final_size() const |
90 | 0 | { |
91 | 0 | return 0; |
92 | 0 | } |
93 | | |
94 | | size_t CBC_Encryption::output_length(size_t input_length) const |
95 | 0 | { |
96 | 0 | if(input_length == 0) |
97 | 0 | return block_size(); |
98 | 0 | else |
99 | 0 | return round_up(input_length, block_size()); |
100 | 0 | } |
101 | | |
102 | | size_t CBC_Encryption::process(uint8_t buf[], size_t sz) |
103 | 900 | { |
104 | 900 | BOTAN_STATE_CHECK(state().empty() == false); |
105 | 900 | const size_t BS = block_size(); |
106 | 900 | |
107 | 900 | BOTAN_ASSERT(sz % BS == 0, "CBC input is full blocks"); |
108 | 900 | const size_t blocks = sz / BS; |
109 | 900 | |
110 | 900 | if(blocks > 0) |
111 | 900 | { |
112 | 900 | xor_buf(&buf[0], state_ptr(), BS); |
113 | 900 | cipher().encrypt(&buf[0]); |
114 | 900 | |
115 | 3.25k | for(size_t i = 1; i != blocks; ++i) |
116 | 2.35k | { |
117 | 2.35k | xor_buf(&buf[BS*i], &buf[BS*(i-1)], BS); |
118 | 2.35k | cipher().encrypt(&buf[BS*i]); |
119 | 2.35k | } |
120 | 900 | |
121 | 900 | state().assign(&buf[BS*(blocks-1)], &buf[BS*blocks]); |
122 | 900 | } |
123 | 900 | |
124 | 900 | return sz; |
125 | 900 | } |
126 | | |
127 | | void CBC_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
128 | 0 | { |
129 | 0 | BOTAN_STATE_CHECK(state().empty() == false); |
130 | 0 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
131 | 0 |
|
132 | 0 | const size_t BS = block_size(); |
133 | 0 |
|
134 | 0 | const size_t bytes_in_final_block = (buffer.size()-offset) % BS; |
135 | 0 |
|
136 | 0 | padding().add_padding(buffer, bytes_in_final_block, BS); |
137 | 0 |
|
138 | 0 | if((buffer.size()-offset) % BS) |
139 | 0 | throw Internal_Error("Did not pad to full block size in " + name()); |
140 | 0 | |
141 | 0 | update(buffer, offset); |
142 | 0 | } |
143 | | |
144 | | bool CTS_Encryption::valid_nonce_length(size_t n) const |
145 | 0 | { |
146 | 0 | return (n == block_size()); |
147 | 0 | } |
148 | | |
149 | | size_t CTS_Encryption::minimum_final_size() const |
150 | 0 | { |
151 | 0 | return block_size() + 1; |
152 | 0 | } |
153 | | |
154 | | size_t CTS_Encryption::output_length(size_t input_length) const |
155 | 0 | { |
156 | 0 | return input_length; // no ciphertext expansion in CTS |
157 | 0 | } |
158 | | |
159 | | void CTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
160 | 0 | { |
161 | 0 | BOTAN_STATE_CHECK(state().empty() == false); |
162 | 0 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
163 | 0 | uint8_t* buf = buffer.data() + offset; |
164 | 0 | const size_t sz = buffer.size() - offset; |
165 | 0 |
|
166 | 0 | const size_t BS = block_size(); |
167 | 0 |
|
168 | 0 | if(sz < BS + 1) |
169 | 0 | throw Encoding_Error(name() + ": insufficient data to encrypt"); |
170 | 0 | |
171 | 0 | if(sz % BS == 0) |
172 | 0 | { |
173 | 0 | update(buffer, offset); |
174 | 0 |
|
175 | 0 | // swap last two blocks |
176 | 0 | for(size_t i = 0; i != BS; ++i) |
177 | 0 | std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]); |
178 | 0 | } |
179 | 0 | else |
180 | 0 | { |
181 | 0 | const size_t full_blocks = ((sz / BS) - 1) * BS; |
182 | 0 | const size_t final_bytes = sz - full_blocks; |
183 | 0 | BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range"); |
184 | 0 |
|
185 | 0 | secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes); |
186 | 0 | buffer.resize(full_blocks + offset); |
187 | 0 | update(buffer, offset); |
188 | 0 |
|
189 | 0 | xor_buf(last.data(), state_ptr(), BS); |
190 | 0 | cipher().encrypt(last.data()); |
191 | 0 |
|
192 | 0 | for(size_t i = 0; i != final_bytes - BS; ++i) |
193 | 0 | { |
194 | 0 | last[i] ^= last[i + BS]; |
195 | 0 | last[i + BS] ^= last[i]; |
196 | 0 | } |
197 | 0 |
|
198 | 0 | cipher().encrypt(last.data()); |
199 | 0 |
|
200 | 0 | buffer += last; |
201 | 0 | } |
202 | 0 | } |
203 | | |
204 | | size_t CBC_Decryption::output_length(size_t input_length) const |
205 | 0 | { |
206 | 0 | return input_length; // precise for CTS, worst case otherwise |
207 | 0 | } |
208 | | |
209 | | size_t CBC_Decryption::minimum_final_size() const |
210 | 0 | { |
211 | 0 | return block_size(); |
212 | 0 | } |
213 | | |
214 | | size_t CBC_Decryption::process(uint8_t buf[], size_t sz) |
215 | 291 | { |
216 | 291 | BOTAN_STATE_CHECK(state().empty() == false); |
217 | 291 | |
218 | 291 | const size_t BS = block_size(); |
219 | 291 | |
220 | 291 | BOTAN_ASSERT(sz % BS == 0, "Input is full blocks"); |
221 | 291 | size_t blocks = sz / BS; |
222 | 291 | |
223 | 6.79k | while(blocks) |
224 | 6.50k | { |
225 | 6.50k | const size_t to_proc = std::min(BS * blocks, m_tempbuf.size()); |
226 | 6.50k | |
227 | 6.50k | cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS); |
228 | 6.50k | |
229 | 6.50k | xor_buf(m_tempbuf.data(), state_ptr(), BS); |
230 | 6.50k | xor_buf(&m_tempbuf[BS], buf, to_proc - BS); |
231 | 6.50k | copy_mem(state_ptr(), buf + (to_proc - BS), BS); |
232 | 6.50k | |
233 | 6.50k | copy_mem(buf, m_tempbuf.data(), to_proc); |
234 | 6.50k | |
235 | 6.50k | buf += to_proc; |
236 | 6.50k | blocks -= to_proc / BS; |
237 | 6.50k | } |
238 | 291 | |
239 | 291 | return sz; |
240 | 291 | } |
241 | | |
242 | | void CBC_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
243 | 0 | { |
244 | 0 | BOTAN_STATE_CHECK(state().empty() == false); |
245 | 0 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
246 | 0 | const size_t sz = buffer.size() - offset; |
247 | 0 |
|
248 | 0 | const size_t BS = block_size(); |
249 | 0 |
|
250 | 0 | if(sz == 0 || sz % BS) |
251 | 0 | throw Decoding_Error(name() + ": Ciphertext not a multiple of block size"); |
252 | 0 | |
253 | 0 | update(buffer, offset); |
254 | 0 |
|
255 | 0 | const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS); |
256 | 0 | buffer.resize(buffer.size() - pad_bytes); // remove padding |
257 | 0 | if(pad_bytes == 0 && padding().name() != "NoPadding") |
258 | 0 | { |
259 | 0 | throw Decoding_Error("Invalid CBC padding"); |
260 | 0 | } |
261 | 0 | } |
262 | | |
263 | | void CBC_Decryption::reset() |
264 | 0 | { |
265 | 0 | CBC_Mode::reset(); |
266 | 0 | zeroise(m_tempbuf); |
267 | 0 | } |
268 | | |
269 | | bool CTS_Decryption::valid_nonce_length(size_t n) const |
270 | 0 | { |
271 | 0 | return (n == block_size()); |
272 | 0 | } |
273 | | |
274 | | size_t CTS_Decryption::minimum_final_size() const |
275 | 0 | { |
276 | 0 | return block_size() + 1; |
277 | 0 | } |
278 | | |
279 | | void CTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
280 | 0 | { |
281 | 0 | BOTAN_STATE_CHECK(state().empty() == false); |
282 | 0 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
283 | 0 | const size_t sz = buffer.size() - offset; |
284 | 0 | uint8_t* buf = buffer.data() + offset; |
285 | 0 |
|
286 | 0 | const size_t BS = block_size(); |
287 | 0 |
|
288 | 0 | if(sz < BS + 1) |
289 | 0 | throw Encoding_Error(name() + ": insufficient data to decrypt"); |
290 | 0 | |
291 | 0 | if(sz % BS == 0) |
292 | 0 | { |
293 | 0 | // swap last two blocks |
294 | 0 |
|
295 | 0 | for(size_t i = 0; i != BS; ++i) |
296 | 0 | std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]); |
297 | 0 |
|
298 | 0 | update(buffer, offset); |
299 | 0 | } |
300 | 0 | else |
301 | 0 | { |
302 | 0 | const size_t full_blocks = ((sz / BS) - 1) * BS; |
303 | 0 | const size_t final_bytes = sz - full_blocks; |
304 | 0 | BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range"); |
305 | 0 |
|
306 | 0 | secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes); |
307 | 0 | buffer.resize(full_blocks + offset); |
308 | 0 | update(buffer, offset); |
309 | 0 |
|
310 | 0 | cipher().decrypt(last.data()); |
311 | 0 |
|
312 | 0 | xor_buf(last.data(), &last[BS], final_bytes - BS); |
313 | 0 |
|
314 | 0 | for(size_t i = 0; i != final_bytes - BS; ++i) |
315 | 0 | std::swap(last[i], last[i + BS]); |
316 | 0 |
|
317 | 0 | cipher().decrypt(last.data()); |
318 | 0 | xor_buf(last.data(), state_ptr(), BS); |
319 | 0 |
|
320 | 0 | buffer += last; |
321 | 0 | } |
322 | 0 | } |
323 | | |
324 | | } |