Coverage Report

Created: 2020-06-30 13:58

/src/botan/src/lib/modes/cbc/cbc.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* CBC Mode
3
* (C) 1999-2007,2013,2017 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
* (C) 2018 Ribose Inc
6
*
7
* Botan is released under the Simplified BSD License (see license.txt)
8
*/
9
10
#include <botan/cbc.h>
11
#include <botan/mode_pad.h>
12
#include <botan/internal/rounding.h>
13
14
namespace Botan {
15
16
CBC_Mode::CBC_Mode(BlockCipher* cipher, BlockCipherModePaddingMethod* padding) :
17
   m_cipher(cipher),
18
   m_padding(padding),
19
   m_block_size(cipher->block_size())
20
1.03k
   {
21
1.03k
   if(m_padding && !m_padding->valid_blocksize(m_block_size))
22
0
      throw Invalid_Argument("Padding " + m_padding->name() +
23
0
                             " cannot be used with " +
24
0
                             cipher->name() + "/CBC");
25
1.03k
   }
26
27
void CBC_Mode::clear()
28
0
   {
29
0
   m_cipher->clear();
30
0
   reset();
31
0
   }
32
33
void CBC_Mode::reset()
34
0
   {
35
0
   m_state.clear();
36
0
   }
37
38
std::string CBC_Mode::name() const
39
0
   {
40
0
   if(m_padding)
41
0
      return cipher().name() + "/CBC/" + padding().name();
42
0
   else
43
0
      return cipher().name() + "/CBC/CTS";
44
0
   }
45
46
size_t CBC_Mode::update_granularity() const
47
543
   {
48
543
   return cipher().parallel_bytes();
49
543
   }
50
51
Key_Length_Specification CBC_Mode::key_spec() const
52
1.03k
   {
53
1.03k
   return cipher().key_spec();
54
1.03k
   }
55
56
size_t CBC_Mode::default_nonce_length() const
57
0
   {
58
0
   return block_size();
59
0
   }
60
61
bool CBC_Mode::valid_nonce_length(size_t n) const
62
1.03k
   {
63
1.03k
   return (n == 0 || n == block_size());
64
1.03k
   }
65
66
void CBC_Mode::key_schedule(const uint8_t key[], size_t length)
67
1.03k
   {
68
1.03k
   m_cipher->set_key(key, length);
69
1.03k
   m_state.clear();
70
1.03k
   }
71
72
void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
73
1.03k
   {
74
1.03k
   if(!valid_nonce_length(nonce_len))
75
0
      throw Invalid_IV_Length(name(), nonce_len);
76
1.03k
77
1.03k
   /*
78
1.03k
   * A nonce of zero length means carry the last ciphertext value over
79
1.03k
   * as the new IV, as unfortunately some protocols require this. If
80
1.03k
   * this is the first message then we use an IV of all zeros.
81
1.03k
   */
82
1.03k
   if(nonce_len)
83
1.03k
      m_state.assign(nonce, nonce + nonce_len);
84
0
   else if(m_state.empty())
85
0
      m_state.resize(m_cipher->block_size());
86
1.03k
   // else leave the state alone
87
1.03k
   }
88
89
size_t CBC_Encryption::minimum_final_size() const
90
0
   {
91
0
   return 0;
92
0
   }
93
94
size_t CBC_Encryption::output_length(size_t input_length) const
95
0
   {
96
0
   if(input_length == 0)
97
0
      return block_size();
98
0
   else
99
0
      return round_up(input_length, block_size());
100
0
   }
101
102
size_t CBC_Encryption::process(uint8_t buf[], size_t sz)
103
768
   {
104
768
   BOTAN_STATE_CHECK(state().empty() == false);
105
768
   const size_t BS = block_size();
106
768
107
768
   BOTAN_ASSERT(sz % BS == 0, "CBC input is full blocks");
108
768
   const size_t blocks = sz / BS;
109
768
110
768
   if(blocks > 0)
111
768
      {
112
768
      xor_buf(&buf[0], state_ptr(), BS);
113
768
      cipher().encrypt(&buf[0]);
114
768
115
2.85k
      for(size_t i = 1; i != blocks; ++i)
116
2.08k
         {
117
2.08k
         xor_buf(&buf[BS*i], &buf[BS*(i-1)], BS);
118
2.08k
         cipher().encrypt(&buf[BS*i]);
119
2.08k
         }
120
768
121
768
      state().assign(&buf[BS*(blocks-1)], &buf[BS*blocks]);
122
768
      }
123
768
124
768
   return sz;
125
768
   }
126
127
void CBC_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
128
0
   {
129
0
   BOTAN_STATE_CHECK(state().empty() == false);
130
0
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
131
0
132
0
   const size_t BS = block_size();
133
0
134
0
   const size_t bytes_in_final_block = (buffer.size()-offset) % BS;
135
0
136
0
   padding().add_padding(buffer, bytes_in_final_block, BS);
137
0
138
0
   BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");
139
0
140
0
   update(buffer, offset);
141
0
   }
142
143
bool CTS_Encryption::valid_nonce_length(size_t n) const
144
0
   {
145
0
   return (n == block_size());
146
0
   }
147
148
size_t CTS_Encryption::minimum_final_size() const
149
0
   {
150
0
   return block_size() + 1;
151
0
   }
152
153
size_t CTS_Encryption::output_length(size_t input_length) const
154
0
   {
155
0
   return input_length; // no ciphertext expansion in CTS
156
0
   }
157
158
void CTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
159
0
   {
160
0
   BOTAN_STATE_CHECK(state().empty() == false);
161
0
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
162
0
   uint8_t* buf = buffer.data() + offset;
163
0
   const size_t sz = buffer.size() - offset;
164
0
165
0
   const size_t BS = block_size();
166
0
167
0
   if(sz < BS + 1)
168
0
      throw Encoding_Error(name() + ": insufficient data to encrypt");
169
0
170
0
   if(sz % BS == 0)
171
0
      {
172
0
      update(buffer, offset);
173
0
174
0
      // swap last two blocks
175
0
      for(size_t i = 0; i != BS; ++i)
176
0
         std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
177
0
      }
178
0
   else
179
0
      {
180
0
      const size_t full_blocks = ((sz / BS) - 1) * BS;
181
0
      const size_t final_bytes = sz - full_blocks;
182
0
      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
183
0
184
0
      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
185
0
      buffer.resize(full_blocks + offset);
186
0
      update(buffer, offset);
187
0
188
0
      xor_buf(last.data(), state_ptr(), BS);
189
0
      cipher().encrypt(last.data());
190
0
191
0
      for(size_t i = 0; i != final_bytes - BS; ++i)
192
0
         {
193
0
         last[i] ^= last[i + BS];
194
0
         last[i + BS] ^= last[i];
195
0
         }
196
0
197
0
      cipher().encrypt(last.data());
198
0
199
0
      buffer += last;
200
0
      }
201
0
   }
202
203
size_t CBC_Decryption::output_length(size_t input_length) const
204
0
   {
205
0
   return input_length; // precise for CTS, worst case otherwise
206
0
   }
207
208
size_t CBC_Decryption::minimum_final_size() const
209
0
   {
210
0
   return block_size();
211
0
   }
212
213
size_t CBC_Decryption::process(uint8_t buf[], size_t sz)
214
269
   {
215
269
   BOTAN_STATE_CHECK(state().empty() == false);
216
269
217
269
   const size_t BS = block_size();
218
269
219
269
   BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
220
269
   size_t blocks = sz / BS;
221
269
222
7.12k
   while(blocks)
223
6.86k
      {
224
6.86k
      const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());
225
6.86k
226
6.86k
      cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);
227
6.86k
228
6.86k
      xor_buf(m_tempbuf.data(), state_ptr(), BS);
229
6.86k
      xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
230
6.86k
      copy_mem(state_ptr(), buf + (to_proc - BS), BS);
231
6.86k
232
6.86k
      copy_mem(buf, m_tempbuf.data(), to_proc);
233
6.86k
234
6.86k
      buf += to_proc;
235
6.86k
      blocks -= to_proc / BS;
236
6.86k
      }
237
269
238
269
   return sz;
239
269
   }
240
241
void CBC_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
242
0
   {
243
0
   BOTAN_STATE_CHECK(state().empty() == false);
244
0
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
245
0
   const size_t sz = buffer.size() - offset;
246
0
247
0
   const size_t BS = block_size();
248
0
249
0
   if(sz == 0 || sz % BS)
250
0
      throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");
251
0
252
0
   update(buffer, offset);
253
0
254
0
   const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS);
255
0
   buffer.resize(buffer.size() - pad_bytes); // remove padding
256
0
   if(pad_bytes == 0 && padding().name() != "NoPadding")
257
0
      {
258
0
      throw Decoding_Error("Invalid CBC padding");
259
0
      }
260
0
   }
261
262
void CBC_Decryption::reset()
263
0
   {
264
0
   CBC_Mode::reset();
265
0
   zeroise(m_tempbuf);
266
0
   }
267
268
bool CTS_Decryption::valid_nonce_length(size_t n) const
269
0
   {
270
0
   return (n == block_size());
271
0
   }
272
273
size_t CTS_Decryption::minimum_final_size() const
274
0
   {
275
0
   return block_size() + 1;
276
0
   }
277
278
void CTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
279
0
   {
280
0
   BOTAN_STATE_CHECK(state().empty() == false);
281
0
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
282
0
   const size_t sz = buffer.size() - offset;
283
0
   uint8_t* buf = buffer.data() + offset;
284
0
285
0
   const size_t BS = block_size();
286
0
287
0
   if(sz < BS + 1)
288
0
      throw Encoding_Error(name() + ": insufficient data to decrypt");
289
0
290
0
   if(sz % BS == 0)
291
0
      {
292
0
      // swap last two blocks
293
0
294
0
      for(size_t i = 0; i != BS; ++i)
295
0
         std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
296
0
297
0
      update(buffer, offset);
298
0
      }
299
0
   else
300
0
      {
301
0
      const size_t full_blocks = ((sz / BS) - 1) * BS;
302
0
      const size_t final_bytes = sz - full_blocks;
303
0
      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
304
0
305
0
      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
306
0
      buffer.resize(full_blocks + offset);
307
0
      update(buffer, offset);
308
0
309
0
      cipher().decrypt(last.data());
310
0
311
0
      xor_buf(last.data(), &last[BS], final_bytes - BS);
312
0
313
0
      for(size_t i = 0; i != final_bytes - BS; ++i)
314
0
         std::swap(last[i], last[i + BS]);
315
0
316
0
      cipher().decrypt(last.data());
317
0
      xor_buf(last.data(), state_ptr(), BS);
318
0
319
0
      buffer += last;
320
0
      }
321
0
   }
322
323
}