/src/botan/src/lib/modes/cbc/cbc.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * CBC Mode |
3 | | * (C) 1999-2007,2013,2017 Jack Lloyd |
4 | | * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity |
5 | | * (C) 2018 Ribose Inc |
6 | | * |
7 | | * Botan is released under the Simplified BSD License (see license.txt) |
8 | | */ |
9 | | |
10 | | #include <botan/internal/cbc.h> |
11 | | #include <botan/internal/mode_pad.h> |
12 | | #include <botan/internal/rounding.h> |
13 | | |
14 | | namespace Botan { |
15 | | |
16 | | CBC_Mode::CBC_Mode(BlockCipher* cipher, BlockCipherModePaddingMethod* padding) : |
17 | | m_cipher(cipher), |
18 | | m_padding(padding), |
19 | | m_block_size(cipher->block_size()) |
20 | 1.40k | { |
21 | 1.40k | if(m_padding && !m_padding->valid_blocksize(m_block_size)) |
22 | 0 | throw Invalid_Argument("Padding " + m_padding->name() + |
23 | 0 | " cannot be used with " + |
24 | 0 | cipher->name() + "/CBC"); |
25 | 1.40k | } |
26 | | |
27 | | void CBC_Mode::clear() |
28 | 0 | { |
29 | 0 | m_cipher->clear(); |
30 | 0 | reset(); |
31 | 0 | } |
32 | | |
33 | | void CBC_Mode::reset() |
34 | 0 | { |
35 | 0 | m_state.clear(); |
36 | 0 | } |
37 | | |
38 | | std::string CBC_Mode::name() const |
39 | 0 | { |
40 | 0 | if(m_padding) |
41 | 0 | return cipher().name() + "/CBC/" + padding().name(); |
42 | 0 | else |
43 | 0 | return cipher().name() + "/CBC/CTS"; |
44 | 0 | } |
45 | | |
46 | | size_t CBC_Mode::update_granularity() const |
47 | 544 | { |
48 | 544 | return cipher().parallel_bytes(); |
49 | 544 | } |
50 | | |
51 | | Key_Length_Specification CBC_Mode::key_spec() const |
52 | 1.40k | { |
53 | 1.40k | return cipher().key_spec(); |
54 | 1.40k | } |
55 | | |
56 | | size_t CBC_Mode::default_nonce_length() const |
57 | 0 | { |
58 | 0 | return block_size(); |
59 | 0 | } |
60 | | |
61 | | bool CBC_Mode::valid_nonce_length(size_t n) const |
62 | 1.42k | { |
63 | 1.42k | return (n == 0 || n == block_size()); |
64 | 1.42k | } |
65 | | |
66 | | void CBC_Mode::key_schedule(const uint8_t key[], size_t length) |
67 | 1.40k | { |
68 | 1.40k | m_cipher->set_key(key, length); |
69 | 1.40k | m_state.clear(); |
70 | 1.40k | } |
71 | | |
72 | | void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) |
73 | 1.42k | { |
74 | 1.42k | if(!valid_nonce_length(nonce_len)) |
75 | 0 | throw Invalid_IV_Length(name(), nonce_len); |
76 | | |
77 | | /* |
78 | | * A nonce of zero length means carry the last ciphertext value over |
79 | | * as the new IV, as unfortunately some protocols require this. If |
80 | | * this is the first message then we use an IV of all zeros. |
81 | | */ |
82 | 1.42k | if(nonce_len) |
83 | 1.42k | m_state.assign(nonce, nonce + nonce_len); |
84 | 0 | else if(m_state.empty()) |
85 | 0 | m_state.resize(m_cipher->block_size()); |
86 | | // else leave the state alone |
87 | 1.42k | } |
88 | | |
89 | | size_t CBC_Encryption::minimum_final_size() const |
90 | 0 | { |
91 | 0 | return 0; |
92 | 0 | } |
93 | | |
94 | | size_t CBC_Encryption::output_length(size_t input_length) const |
95 | 0 | { |
96 | 0 | if(input_length == 0) |
97 | 0 | return block_size(); |
98 | 0 | else |
99 | 0 | return round_up(input_length, block_size()); |
100 | 0 | } |
101 | | |
102 | | size_t CBC_Encryption::process(uint8_t buf[], size_t sz) |
103 | 1.15k | { |
104 | 1.15k | BOTAN_STATE_CHECK(state().empty() == false); |
105 | 1.15k | const size_t BS = block_size(); |
106 | | |
107 | 1.15k | BOTAN_ASSERT(sz % BS == 0, "CBC input is full blocks"); |
108 | 1.15k | const size_t blocks = sz / BS; |
109 | | |
110 | 1.15k | if(blocks > 0) |
111 | 1.15k | { |
112 | 1.15k | xor_buf(&buf[0], state_ptr(), BS); |
113 | 1.15k | cipher().encrypt(&buf[0]); |
114 | | |
115 | 4.39k | for(size_t i = 1; i != blocks; ++i) |
116 | 3.24k | { |
117 | 3.24k | xor_buf(&buf[BS*i], &buf[BS*(i-1)], BS); |
118 | 3.24k | cipher().encrypt(&buf[BS*i]); |
119 | 3.24k | } |
120 | | |
121 | 1.15k | state().assign(&buf[BS*(blocks-1)], &buf[BS*blocks]); |
122 | 1.15k | } |
123 | | |
124 | 1.15k | return sz; |
125 | 1.15k | } |
126 | | |
127 | | void CBC_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
128 | 0 | { |
129 | 0 | BOTAN_STATE_CHECK(state().empty() == false); |
130 | 0 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
131 | |
|
132 | 0 | const size_t BS = block_size(); |
133 | |
|
134 | 0 | const size_t bytes_in_final_block = (buffer.size()-offset) % BS; |
135 | |
|
136 | 0 | padding().add_padding(buffer, bytes_in_final_block, BS); |
137 | |
|
138 | 0 | BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary"); |
139 | |
|
140 | 0 | update(buffer, offset); |
141 | 0 | } |
142 | | |
143 | | bool CTS_Encryption::valid_nonce_length(size_t n) const |
144 | 0 | { |
145 | 0 | return (n == block_size()); |
146 | 0 | } |
147 | | |
148 | | size_t CTS_Encryption::minimum_final_size() const |
149 | 0 | { |
150 | 0 | return block_size() + 1; |
151 | 0 | } |
152 | | |
153 | | size_t CTS_Encryption::output_length(size_t input_length) const |
154 | 0 | { |
155 | 0 | return input_length; // no ciphertext expansion in CTS |
156 | 0 | } |
157 | | |
158 | | void CTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
159 | 0 | { |
160 | 0 | BOTAN_STATE_CHECK(state().empty() == false); |
161 | 0 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
162 | 0 | uint8_t* buf = buffer.data() + offset; |
163 | 0 | const size_t sz = buffer.size() - offset; |
164 | |
|
165 | 0 | const size_t BS = block_size(); |
166 | |
|
167 | 0 | if(sz < BS + 1) |
168 | 0 | throw Encoding_Error(name() + ": insufficient data to encrypt"); |
169 | | |
170 | 0 | if(sz % BS == 0) |
171 | 0 | { |
172 | 0 | update(buffer, offset); |
173 | | |
174 | | // swap last two blocks |
175 | 0 | for(size_t i = 0; i != BS; ++i) |
176 | 0 | std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]); |
177 | 0 | } |
178 | 0 | else |
179 | 0 | { |
180 | 0 | const size_t full_blocks = ((sz / BS) - 1) * BS; |
181 | 0 | const size_t final_bytes = sz - full_blocks; |
182 | 0 | BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range"); |
183 | |
|
184 | 0 | secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes); |
185 | 0 | buffer.resize(full_blocks + offset); |
186 | 0 | update(buffer, offset); |
187 | |
|
188 | 0 | xor_buf(last.data(), state_ptr(), BS); |
189 | 0 | cipher().encrypt(last.data()); |
190 | |
|
191 | 0 | for(size_t i = 0; i != final_bytes - BS; ++i) |
192 | 0 | { |
193 | 0 | last[i] ^= last[i + BS]; |
194 | 0 | last[i + BS] ^= last[i]; |
195 | 0 | } |
196 | |
|
197 | 0 | cipher().encrypt(last.data()); |
198 | |
|
199 | 0 | buffer += last; |
200 | 0 | } |
201 | 0 | } |
202 | | |
203 | | size_t CBC_Decryption::output_length(size_t input_length) const |
204 | 0 | { |
205 | 0 | return input_length; // precise for CTS, worst case otherwise |
206 | 0 | } |
207 | | |
208 | | size_t CBC_Decryption::minimum_final_size() const |
209 | 0 | { |
210 | 0 | return block_size(); |
211 | 0 | } |
212 | | |
213 | | size_t CBC_Decryption::process(uint8_t buf[], size_t sz) |
214 | 264 | { |
215 | 264 | BOTAN_STATE_CHECK(state().empty() == false); |
216 | | |
217 | 264 | const size_t BS = block_size(); |
218 | | |
219 | 264 | BOTAN_ASSERT(sz % BS == 0, "Input is full blocks"); |
220 | 264 | size_t blocks = sz / BS; |
221 | | |
222 | 5.30k | while(blocks) |
223 | 5.04k | { |
224 | 5.04k | const size_t to_proc = std::min(BS * blocks, m_tempbuf.size()); |
225 | | |
226 | 5.04k | cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS); |
227 | | |
228 | 5.04k | xor_buf(m_tempbuf.data(), state_ptr(), BS); |
229 | 5.04k | xor_buf(&m_tempbuf[BS], buf, to_proc - BS); |
230 | 5.04k | copy_mem(state_ptr(), buf + (to_proc - BS), BS); |
231 | | |
232 | 5.04k | copy_mem(buf, m_tempbuf.data(), to_proc); |
233 | | |
234 | 5.04k | buf += to_proc; |
235 | 5.04k | blocks -= to_proc / BS; |
236 | 5.04k | } |
237 | | |
238 | 264 | return sz; |
239 | 264 | } |
240 | | |
241 | | void CBC_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
242 | 0 | { |
243 | 0 | BOTAN_STATE_CHECK(state().empty() == false); |
244 | 0 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
245 | 0 | const size_t sz = buffer.size() - offset; |
246 | |
|
247 | 0 | const size_t BS = block_size(); |
248 | |
|
249 | 0 | if(sz == 0 || sz % BS) |
250 | 0 | throw Decoding_Error(name() + ": Ciphertext not a multiple of block size"); |
251 | | |
252 | 0 | update(buffer, offset); |
253 | |
|
254 | 0 | const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS); |
255 | 0 | buffer.resize(buffer.size() - pad_bytes); // remove padding |
256 | 0 | if(pad_bytes == 0 && padding().name() != "NoPadding") |
257 | 0 | { |
258 | 0 | throw Decoding_Error("Invalid CBC padding"); |
259 | 0 | } |
260 | 0 | } |
261 | | |
262 | | void CBC_Decryption::reset() |
263 | 0 | { |
264 | 0 | CBC_Mode::reset(); |
265 | 0 | zeroise(m_tempbuf); |
266 | 0 | } |
267 | | |
268 | | bool CTS_Decryption::valid_nonce_length(size_t n) const |
269 | 0 | { |
270 | 0 | return (n == block_size()); |
271 | 0 | } |
272 | | |
273 | | size_t CTS_Decryption::minimum_final_size() const |
274 | 0 | { |
275 | 0 | return block_size() + 1; |
276 | 0 | } |
277 | | |
278 | | void CTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
279 | 0 | { |
280 | 0 | BOTAN_STATE_CHECK(state().empty() == false); |
281 | 0 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
282 | 0 | const size_t sz = buffer.size() - offset; |
283 | 0 | uint8_t* buf = buffer.data() + offset; |
284 | |
|
285 | 0 | const size_t BS = block_size(); |
286 | |
|
287 | 0 | if(sz < BS + 1) |
288 | 0 | throw Encoding_Error(name() + ": insufficient data to decrypt"); |
289 | | |
290 | 0 | if(sz % BS == 0) |
291 | 0 | { |
292 | | // swap last two blocks |
293 | |
|
294 | 0 | for(size_t i = 0; i != BS; ++i) |
295 | 0 | std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]); |
296 | |
|
297 | 0 | update(buffer, offset); |
298 | 0 | } |
299 | 0 | else |
300 | 0 | { |
301 | 0 | const size_t full_blocks = ((sz / BS) - 1) * BS; |
302 | 0 | const size_t final_bytes = sz - full_blocks; |
303 | 0 | BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range"); |
304 | |
|
305 | 0 | secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes); |
306 | 0 | buffer.resize(full_blocks + offset); |
307 | 0 | update(buffer, offset); |
308 | |
|
309 | 0 | cipher().decrypt(last.data()); |
310 | |
|
311 | 0 | xor_buf(last.data(), &last[BS], final_bytes - BS); |
312 | |
|
313 | 0 | for(size_t i = 0; i != final_bytes - BS; ++i) |
314 | 0 | std::swap(last[i], last[i + BS]); |
315 | |
|
316 | 0 | cipher().decrypt(last.data()); |
317 | 0 | xor_buf(last.data(), state_ptr(), BS); |
318 | |
|
319 | 0 | buffer += last; |
320 | 0 | } |
321 | 0 | } |
322 | | |
323 | | } |