/src/botan/src/lib/modes/cbc/cbc.cpp

Source (jump to first uncovered line)
/*
* CBC Mode
* (C) 1999-2007,2013,2017 Jack Lloyd
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
* (C) 2018 Ribose Inc
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/cbc.h>
#include <botan/internal/mode_pad.h>
#include <botan/internal/rounding.h>

namespace Botan {

CBC_Mode::CBC_Mode(BlockCipher* cipher, BlockCipherModePaddingMethod* padding) :
   m_cipher(cipher),
   m_padding(padding),
   m_block_size(cipher->block_size())
   {
   if(m_padding && !m_padding->valid_blocksize(m_block_size))
      throw Invalid_Argument("Padding " + m_padding->name() +
                             " cannot be used with " +
                             cipher->name() + "/CBC");
   }

void CBC_Mode::clear()
   {
   m_cipher->clear();
   reset();
   }

void CBC_Mode::reset()
   {
   m_state.clear();
   }

std::string CBC_Mode::name() const
   {
   if(m_padding)
      return cipher().name() + "/CBC/" + padding().name();
   else
      return cipher().name() + "/CBC/CTS";
   }

size_t CBC_Mode::update_granularity() const
   {
   return cipher().parallel_bytes();
   }

Key_Length_Specification CBC_Mode::key_spec() const
   {
   return cipher().key_spec();
   }

size_t CBC_Mode::default_nonce_length() const
   {
   return block_size();
   }

bool CBC_Mode::valid_nonce_length(size_t n) const
   {
   return (n == 0 || n == block_size());
   }

void CBC_Mode::key_schedule(const uint8_t key[], size_t length)
   {
   m_cipher->set_key(key, length);
   m_state.clear();
   }

void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
   {
   if(!valid_nonce_length(nonce_len))
      throw Invalid_IV_Length(name(), nonce_len);

   /*
   * A nonce of zero length means carry the last ciphertext value over
   * as the new IV, as unfortunately some protocols require this. If
   * this is the first message then we use an IV of all zeros.
   */
   if(nonce_len)
      m_state.assign(nonce, nonce + nonce_len);
   else if(m_state.empty())
      m_state.resize(m_cipher->block_size());
   // else leave the state alone
   }

size_t CBC_Encryption::minimum_final_size() const
   {
   return 0;
   }

size_t CBC_Encryption::output_length(size_t input_length) const
   {
   if(input_length == 0)
      return block_size();
   else
      return round_up(input_length, block_size());
   }

size_t CBC_Encryption::process(uint8_t buf[], size_t sz)
   {
   BOTAN_STATE_CHECK(state().empty() == false);
   const size_t BS = block_size();

   BOTAN_ASSERT(sz % BS == 0, "CBC input is full blocks");
   const size_t blocks = sz / BS;

   if(blocks > 0)
      {
      xor_buf(&buf[0], state_ptr(), BS);
      cipher().encrypt(&buf[0]);

      for(size_t i = 1; i != blocks; ++i)
         {
         xor_buf(&buf[BS*i], &buf[BS*(i-1)], BS);
         cipher().encrypt(&buf[BS*i]);
         }

      state().assign(&buf[BS*(blocks-1)], &buf[BS*blocks]);
      }

   return sz;
   }

void CBC_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
   {
   BOTAN_STATE_CHECK(state().empty() == false);
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");

   const size_t BS = block_size();

   const size_t bytes_in_final_block = (buffer.size()-offset) % BS;

   padding().add_padding(buffer, bytes_in_final_block, BS);

   BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");

   update(buffer, offset);
   }

bool CTS_Encryption::valid_nonce_length(size_t n) const
   {
   return (n == block_size());
   }

size_t CTS_Encryption::minimum_final_size() const
   {
   return block_size() + 1;
   }

size_t CTS_Encryption::output_length(size_t input_length) const
   {
   return input_length; // no ciphertext expansion in CTS
   }

void CTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
   {
   BOTAN_STATE_CHECK(state().empty() == false);
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
   uint8_t* buf = buffer.data() + offset;
   const size_t sz = buffer.size() - offset;

   const size_t BS = block_size();

   if(sz < BS + 1)
      throw Encoding_Error(name() + ": insufficient data to encrypt");

   if(sz % BS == 0)
      {
      update(buffer, offset);

      // swap last two blocks
      for(size_t i = 0; i != BS; ++i)
         std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
      }
   else
      {
      const size_t full_blocks = ((sz / BS) - 1) * BS;
      const size_t final_bytes = sz - full_blocks;
      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");

      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
      buffer.resize(full_blocks + offset);
      update(buffer, offset);

      xor_buf(last.data(), state_ptr(), BS);
      cipher().encrypt(last.data());

      for(size_t i = 0; i != final_bytes - BS; ++i)
         {
         last[i] ^= last[i + BS];
         last[i + BS] ^= last[i];
         }

      cipher().encrypt(last.data());

      buffer += last;
      }
   }

size_t CBC_Decryption::output_length(size_t input_length) const
   {
   return input_length; // precise for CTS, worst case otherwise
   }

size_t CBC_Decryption::minimum_final_size() const
   {
   return block_size();
   }

size_t CBC_Decryption::process(uint8_t buf[], size_t sz)
   {
   BOTAN_STATE_CHECK(state().empty() == false);

   const size_t BS = block_size();

   BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
   size_t blocks = sz / BS;

   while(blocks)
      {
      const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());

      cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);

      xor_buf(m_tempbuf.data(), state_ptr(), BS);
      xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
      copy_mem(state_ptr(), buf + (to_proc - BS), BS);

      copy_mem(buf, m_tempbuf.data(), to_proc);

      buf += to_proc;
      blocks -= to_proc / BS;
      }

   return sz;
   }

void CBC_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
   {
   BOTAN_STATE_CHECK(state().empty() == false);
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
   const size_t sz = buffer.size() - offset;

   const size_t BS = block_size();

   if(sz == 0 || sz % BS)
      throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");

   update(buffer, offset);

   const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS);
   buffer.resize(buffer.size() - pad_bytes); // remove padding
   if(pad_bytes == 0 && padding().name() != "NoPadding")
      {
      throw Decoding_Error("Invalid CBC padding");
      }
   }

void CBC_Decryption::reset()
   {
   CBC_Mode::reset();
   zeroise(m_tempbuf);
   }

bool CTS_Decryption::valid_nonce_length(size_t n) const
   {
   return (n == block_size());
   }

size_t CTS_Decryption::minimum_final_size() const
   {
   return block_size() + 1;
   }

void CTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
   {
   BOTAN_STATE_CHECK(state().empty() == false);
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
   const size_t sz = buffer.size() - offset;
   uint8_t* buf = buffer.data() + offset;

   const size_t BS = block_size();

   if(sz < BS + 1)
      throw Encoding_Error(name() + ": insufficient data to decrypt");

   if(sz % BS == 0)
      {
      // swap last two blocks

      for(size_t i = 0; i != BS; ++i)
         std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);

      update(buffer, offset);
      }
   else
      {
      const size_t full_blocks = ((sz / BS) - 1) * BS;
      const size_t final_bytes = sz - full_blocks;
      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");

      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
      buffer.resize(full_blocks + offset);
      update(buffer, offset);

      cipher().decrypt(last.data());

      xor_buf(last.data(), &last[BS], final_bytes - BS);

      for(size_t i = 0; i != final_bytes - BS; ++i)
         std::swap(last[i], last[i + BS]);

      cipher().decrypt(last.data());
      xor_buf(last.data(), state_ptr(), BS);

      buffer += last;
      }
   }

}

Coverage Report

Created: 2020-11-21 08:34

Line	Count	Source (jump to first uncovered line)
1		/*
2		* CBC Mode
3		* (C) 1999-2007,2013,2017 Jack Lloyd
4		* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5		* (C) 2018 Ribose Inc
6		*
7		* Botan is released under the Simplified BSD License (see license.txt)
8		*/
9
10		#include <botan/internal/cbc.h>
11		#include <botan/internal/mode_pad.h>
12		#include <botan/internal/rounding.h>
13
14		namespace Botan {
15
16		CBC_Mode::CBC_Mode(BlockCipher* cipher, BlockCipherModePaddingMethod* padding) :
17		m_cipher(cipher),
18		m_padding(padding),
19		m_block_size(cipher->block_size())
20	1.40k	{
21	1.40k	if(m_padding && !m_padding->valid_blocksize(m_block_size))
22	0	throw Invalid_Argument("Padding " + m_padding->name() +
23	0	" cannot be used with " +
24	0	cipher->name() + "/CBC");
25	1.40k	}
26
27		void CBC_Mode::clear()
28	0	{
29	0	m_cipher->clear();
30	0	reset();
31	0	}
32
33		void CBC_Mode::reset()
34	0	{
35	0	m_state.clear();
36	0	}
37
38		std::string CBC_Mode::name() const
39	0	{
40	0	if(m_padding)
41	0	return cipher().name() + "/CBC/" + padding().name();
42	0	else
43	0	return cipher().name() + "/CBC/CTS";
44	0	}
45
46		size_t CBC_Mode::update_granularity() const
47	544	{
48	544	return cipher().parallel_bytes();
49	544	}
50
51		Key_Length_Specification CBC_Mode::key_spec() const
52	1.40k	{
53	1.40k	return cipher().key_spec();
54	1.40k	}
55
56		size_t CBC_Mode::default_nonce_length() const
57	0	{
58	0	return block_size();
59	0	}
60
61		bool CBC_Mode::valid_nonce_length(size_t n) const
62	1.42k	{
63	1.42k	return (n == 0 \|\| n == block_size());
64	1.42k	}
65
66		void CBC_Mode::key_schedule(const uint8_t key[], size_t length)
67	1.40k	{
68	1.40k	m_cipher->set_key(key, length);
69	1.40k	m_state.clear();
70	1.40k	}
71
72		void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
73	1.42k	{
74	1.42k	if(!valid_nonce_length(nonce_len))
75	0	throw Invalid_IV_Length(name(), nonce_len);
76
77		/*
78		* A nonce of zero length means carry the last ciphertext value over
79		* as the new IV, as unfortunately some protocols require this. If
80		* this is the first message then we use an IV of all zeros.
81		*/
82	1.42k	if(nonce_len)
83	1.42k	m_state.assign(nonce, nonce + nonce_len);
84	0	else if(m_state.empty())
85	0	m_state.resize(m_cipher->block_size());
86		// else leave the state alone
87	1.42k	}
88
89		size_t CBC_Encryption::minimum_final_size() const
90	0	{
91	0	return 0;
92	0	}
93
94		size_t CBC_Encryption::output_length(size_t input_length) const
95	0	{
96	0	if(input_length == 0)
97	0	return block_size();
98	0	else
99	0	return round_up(input_length, block_size());
100	0	}
101
102		size_t CBC_Encryption::process(uint8_t buf[], size_t sz)
103	1.15k	{
104	1.15k	BOTAN_STATE_CHECK(state().empty() == false);
105	1.15k	const size_t BS = block_size();
106
107	1.15k	BOTAN_ASSERT(sz % BS == 0, "CBC input is full blocks");
108	1.15k	const size_t blocks = sz / BS;
109
110	1.15k	if(blocks > 0)
111	1.15k	{
112	1.15k	xor_buf(&buf[0], state_ptr(), BS);
113	1.15k	cipher().encrypt(&buf[0]);
114
115	4.39k	for(size_t i = 1; i != blocks; ++i)
116	3.24k	{
117	3.24k	xor_buf(&buf[BSi], &buf[BS(i-1)], BS);
118	3.24k	cipher().encrypt(&buf[BS*i]);
119	3.24k	}
120
121	1.15k	state().assign(&buf[BS(blocks-1)], &buf[BSblocks]);
122	1.15k	}
123
124	1.15k	return sz;
125	1.15k	}
126
127		void CBC_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
128	0	{
129	0	BOTAN_STATE_CHECK(state().empty() == false);
130	0	BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
131
132	0	const size_t BS = block_size();
133
134	0	const size_t bytes_in_final_block = (buffer.size()-offset) % BS;
135
136	0	padding().add_padding(buffer, bytes_in_final_block, BS);
137
138	0	BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");
139
140	0	update(buffer, offset);
141	0	}
142
143		bool CTS_Encryption::valid_nonce_length(size_t n) const
144	0	{
145	0	return (n == block_size());
146	0	}
147
148		size_t CTS_Encryption::minimum_final_size() const
149	0	{
150	0	return block_size() + 1;
151	0	}
152
153		size_t CTS_Encryption::output_length(size_t input_length) const
154	0	{
155	0	return input_length; // no ciphertext expansion in CTS
156	0	}
157
158		void CTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
159	0	{
160	0	BOTAN_STATE_CHECK(state().empty() == false);
161	0	BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
162	0	uint8_t* buf = buffer.data() + offset;
163	0	const size_t sz = buffer.size() - offset;
164
165	0	const size_t BS = block_size();
166
167	0	if(sz < BS + 1)
168	0	throw Encoding_Error(name() + ": insufficient data to encrypt");
169
170	0	if(sz % BS == 0)
171	0	{
172	0	update(buffer, offset);
173
174		// swap last two blocks
175	0	for(size_t i = 0; i != BS; ++i)
176	0	std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
177	0	}
178	0	else
179	0	{
180	0	const size_t full_blocks = ((sz / BS) - 1) * BS;
181	0	const size_t final_bytes = sz - full_blocks;
182	0	BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
183
184	0	secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
185	0	buffer.resize(full_blocks + offset);
186	0	update(buffer, offset);
187
188	0	xor_buf(last.data(), state_ptr(), BS);
189	0	cipher().encrypt(last.data());
190
191	0	for(size_t i = 0; i != final_bytes - BS; ++i)
192	0	{
193	0	last[i] ^= last[i + BS];
194	0	last[i + BS] ^= last[i];
195	0	}
196
197	0	cipher().encrypt(last.data());
198
199	0	buffer += last;
200	0	}
201	0	}
202
203		size_t CBC_Decryption::output_length(size_t input_length) const
204	0	{
205	0	return input_length; // precise for CTS, worst case otherwise
206	0	}
207
208		size_t CBC_Decryption::minimum_final_size() const
209	0	{
210	0	return block_size();
211	0	}
212
213		size_t CBC_Decryption::process(uint8_t buf[], size_t sz)
214	264	{
215	264	BOTAN_STATE_CHECK(state().empty() == false);
216
217	264	const size_t BS = block_size();
218
219	264	BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
220	264	size_t blocks = sz / BS;
221
222	5.30k	while(blocks)
223	5.04k	{
224	5.04k	const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());
225
226	5.04k	cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);
227
228	5.04k	xor_buf(m_tempbuf.data(), state_ptr(), BS);
229	5.04k	xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
230	5.04k	copy_mem(state_ptr(), buf + (to_proc - BS), BS);
231
232	5.04k	copy_mem(buf, m_tempbuf.data(), to_proc);
233
234	5.04k	buf += to_proc;
235	5.04k	blocks -= to_proc / BS;
236	5.04k	}
237
238	264	return sz;
239	264	}
240
241		void CBC_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
242	0	{
243	0	BOTAN_STATE_CHECK(state().empty() == false);
244	0	BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
245	0	const size_t sz = buffer.size() - offset;
246
247	0	const size_t BS = block_size();
248
249	0	if(sz == 0 \|\| sz % BS)
250	0	throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");
251
252	0	update(buffer, offset);
253
254	0	const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS);
255	0	buffer.resize(buffer.size() - pad_bytes); // remove padding
256	0	if(pad_bytes == 0 && padding().name() != "NoPadding")
257	0	{
258	0	throw Decoding_Error("Invalid CBC padding");
259	0	}
260	0	}
261
262		void CBC_Decryption::reset()
263	0	{
264	0	CBC_Mode::reset();
265	0	zeroise(m_tempbuf);
266	0	}
267
268		bool CTS_Decryption::valid_nonce_length(size_t n) const
269	0	{
270	0	return (n == block_size());
271	0	}
272
273		size_t CTS_Decryption::minimum_final_size() const
274	0	{
275	0	return block_size() + 1;
276	0	}
277
278		void CTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
279	0	{
280	0	BOTAN_STATE_CHECK(state().empty() == false);
281	0	BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
282	0	const size_t sz = buffer.size() - offset;
283	0	uint8_t* buf = buffer.data() + offset;
284
285	0	const size_t BS = block_size();
286
287	0	if(sz < BS + 1)
288	0	throw Encoding_Error(name() + ": insufficient data to decrypt");
289
290	0	if(sz % BS == 0)
291	0	{
292		// swap last two blocks
293
294	0	for(size_t i = 0; i != BS; ++i)
295	0	std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
296
297	0	update(buffer, offset);
298	0	}
299	0	else
300	0	{
301	0	const size_t full_blocks = ((sz / BS) - 1) * BS;
302	0	const size_t final_bytes = sz - full_blocks;
303	0	BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
304
305	0	secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
306	0	buffer.resize(full_blocks + offset);
307	0	update(buffer, offset);
308
309	0	cipher().decrypt(last.data());
310
311	0	xor_buf(last.data(), &last[BS], final_bytes - BS);
312
313	0	for(size_t i = 0; i != final_bytes - BS; ++i)
314	0	std::swap(last[i], last[i + BS]);
315
316	0	cipher().decrypt(last.data());
317	0	xor_buf(last.data(), state_ptr(), BS);
318
319	0	buffer += last;
320	0	}
321	0	}
322
323		}