Coverage Report

Created: 2021-05-04 09:02

/src/botan/src/lib/modes/cbc/cbc.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* CBC Mode
3
* (C) 1999-2007,2013,2017 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
* (C) 2018 Ribose Inc
6
*
7
* Botan is released under the Simplified BSD License (see license.txt)
8
*/
9
10
#include <botan/internal/cbc.h>
11
#include <botan/internal/mode_pad.h>
12
#include <botan/internal/rounding.h>
13
14
namespace Botan {
15
16
CBC_Mode::CBC_Mode(std::unique_ptr<BlockCipher> cipher,
17
                   std::unique_ptr<BlockCipherModePaddingMethod> padding) :
18
   m_cipher(std::move(cipher)),
19
   m_padding(std::move(padding)),
20
   m_block_size(m_cipher->block_size())
21
564
   {
22
564
   if(m_padding && !m_padding->valid_blocksize(m_block_size))
23
0
      throw Invalid_Argument("Padding " + m_padding->name() +
24
0
                             " cannot be used with " +
25
0
                             cipher->name() + "/CBC");
26
564
   }
27
28
void CBC_Mode::clear()
29
0
   {
30
0
   m_cipher->clear();
31
0
   reset();
32
0
   }
33
34
void CBC_Mode::reset()
35
0
   {
36
0
   m_state.clear();
37
0
   }
38
39
std::string CBC_Mode::name() const
40
0
   {
41
0
   if(m_padding)
42
0
      return cipher().name() + "/CBC/" + padding().name();
43
0
   else
44
0
      return cipher().name() + "/CBC/CTS";
45
0
   }
46
47
size_t CBC_Mode::update_granularity() const
48
325
   {
49
325
   return cipher().parallel_bytes();
50
325
   }
51
52
Key_Length_Specification CBC_Mode::key_spec() const
53
564
   {
54
564
   return cipher().key_spec();
55
564
   }
56
57
size_t CBC_Mode::default_nonce_length() const
58
0
   {
59
0
   return block_size();
60
0
   }
61
62
bool CBC_Mode::valid_nonce_length(size_t n) const
63
427
   {
64
427
   return (n == 0 || n == block_size());
65
427
   }
66
67
void CBC_Mode::key_schedule(const uint8_t key[], size_t length)
68
564
   {
69
564
   m_cipher->set_key(key, length);
70
564
   m_state.clear();
71
564
   }
72
73
void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
74
427
   {
75
427
   if(!valid_nonce_length(nonce_len))
76
0
      throw Invalid_IV_Length(name(), nonce_len);
77
78
   /*
79
   * A nonce of zero length means carry the last ciphertext value over
80
   * as the new IV, as unfortunately some protocols require this. If
81
   * this is the first message then we use an IV of all zeros.
82
   */
83
427
   if(nonce_len)
84
427
      m_state.assign(nonce, nonce + nonce_len);
85
0
   else if(m_state.empty())
86
0
      m_state.resize(m_cipher->block_size());
87
   // else leave the state alone
88
427
   }
89
90
size_t CBC_Encryption::minimum_final_size() const
91
0
   {
92
0
   return 0;
93
0
   }
94
95
size_t CBC_Encryption::output_length(size_t input_length) const
96
0
   {
97
0
   if(input_length == 0)
98
0
      return block_size();
99
0
   else
100
0
      return round_up(input_length, block_size());
101
0
   }
102
103
size_t CBC_Encryption::process(uint8_t buf[], size_t sz)
104
362
   {
105
362
   BOTAN_STATE_CHECK(state().empty() == false);
106
362
   const size_t BS = block_size();
107
108
362
   BOTAN_ASSERT(sz % BS == 0, "CBC input is full blocks");
109
362
   const size_t blocks = sz / BS;
110
111
362
   if(blocks > 0)
112
362
      {
113
362
      xor_buf(&buf[0], state_ptr(), BS);
114
362
      cipher().encrypt(&buf[0]);
115
116
1.20k
      for(size_t i = 1; i != blocks; ++i)
117
846
         {
118
846
         xor_buf(&buf[BS*i], &buf[BS*(i-1)], BS);
119
846
         cipher().encrypt(&buf[BS*i]);
120
846
         }
121
122
362
      state().assign(&buf[BS*(blocks-1)], &buf[BS*blocks]);
123
362
      }
124
125
362
   return sz;
126
362
   }
127
128
void CBC_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
129
0
   {
130
0
   BOTAN_STATE_CHECK(state().empty() == false);
131
0
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
132
133
0
   const size_t BS = block_size();
134
135
0
   const size_t bytes_in_final_block = (buffer.size()-offset) % BS;
136
137
0
   padding().add_padding(buffer, bytes_in_final_block, BS);
138
139
0
   BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");
140
141
0
   update(buffer, offset);
142
0
   }
143
144
bool CTS_Encryption::valid_nonce_length(size_t n) const
145
0
   {
146
0
   return (n == block_size());
147
0
   }
148
149
size_t CTS_Encryption::minimum_final_size() const
150
0
   {
151
0
   return block_size() + 1;
152
0
   }
153
154
size_t CTS_Encryption::output_length(size_t input_length) const
155
0
   {
156
0
   return input_length; // no ciphertext expansion in CTS
157
0
   }
158
159
void CTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
160
0
   {
161
0
   BOTAN_STATE_CHECK(state().empty() == false);
162
0
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
163
0
   uint8_t* buf = buffer.data() + offset;
164
0
   const size_t sz = buffer.size() - offset;
165
166
0
   const size_t BS = block_size();
167
168
0
   if(sz < BS + 1)
169
0
      throw Encoding_Error(name() + ": insufficient data to encrypt");
170
171
0
   if(sz % BS == 0)
172
0
      {
173
0
      update(buffer, offset);
174
175
      // swap last two blocks
176
0
      for(size_t i = 0; i != BS; ++i)
177
0
         std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
178
0
      }
179
0
   else
180
0
      {
181
0
      const size_t full_blocks = ((sz / BS) - 1) * BS;
182
0
      const size_t final_bytes = sz - full_blocks;
183
0
      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
184
185
0
      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
186
0
      buffer.resize(full_blocks + offset);
187
0
      update(buffer, offset);
188
189
0
      xor_buf(last.data(), state_ptr(), BS);
190
0
      cipher().encrypt(last.data());
191
192
0
      for(size_t i = 0; i != final_bytes - BS; ++i)
193
0
         {
194
0
         last[i] ^= last[i + BS];
195
0
         last[i + BS] ^= last[i];
196
0
         }
197
198
0
      cipher().encrypt(last.data());
199
200
0
      buffer += last;
201
0
      }
202
0
   }
203
204
size_t CBC_Decryption::output_length(size_t input_length) const
205
0
   {
206
0
   return input_length; // precise for CTS, worst case otherwise
207
0
   }
208
209
size_t CBC_Decryption::minimum_final_size() const
210
0
   {
211
0
   return block_size();
212
0
   }
213
214
size_t CBC_Decryption::process(uint8_t buf[], size_t sz)
215
65
   {
216
65
   BOTAN_STATE_CHECK(state().empty() == false);
217
218
65
   const size_t BS = block_size();
219
220
65
   BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
221
65
   size_t blocks = sz / BS;
222
223
1.15k
   while(blocks)
224
1.09k
      {
225
1.09k
      const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());
226
227
1.09k
      cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);
228
229
1.09k
      xor_buf(m_tempbuf.data(), state_ptr(), BS);
230
1.09k
      xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
231
1.09k
      copy_mem(state_ptr(), buf + (to_proc - BS), BS);
232
233
1.09k
      copy_mem(buf, m_tempbuf.data(), to_proc);
234
235
1.09k
      buf += to_proc;
236
1.09k
      blocks -= to_proc / BS;
237
1.09k
      }
238
239
65
   return sz;
240
65
   }
241
242
void CBC_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
243
0
   {
244
0
   BOTAN_STATE_CHECK(state().empty() == false);
245
0
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
246
0
   const size_t sz = buffer.size() - offset;
247
248
0
   const size_t BS = block_size();
249
250
0
   if(sz == 0 || sz % BS)
251
0
      throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");
252
253
0
   update(buffer, offset);
254
255
0
   const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS);
256
0
   buffer.resize(buffer.size() - pad_bytes); // remove padding
257
0
   if(pad_bytes == 0 && padding().name() != "NoPadding")
258
0
      {
259
0
      throw Decoding_Error("Invalid CBC padding");
260
0
      }
261
0
   }
262
263
void CBC_Decryption::reset()
264
0
   {
265
0
   CBC_Mode::reset();
266
0
   zeroise(m_tempbuf);
267
0
   }
268
269
bool CTS_Decryption::valid_nonce_length(size_t n) const
270
0
   {
271
0
   return (n == block_size());
272
0
   }
273
274
size_t CTS_Decryption::minimum_final_size() const
275
0
   {
276
0
   return block_size() + 1;
277
0
   }
278
279
void CTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
280
0
   {
281
0
   BOTAN_STATE_CHECK(state().empty() == false);
282
0
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
283
0
   const size_t sz = buffer.size() - offset;
284
0
   uint8_t* buf = buffer.data() + offset;
285
286
0
   const size_t BS = block_size();
287
288
0
   if(sz < BS + 1)
289
0
      throw Encoding_Error(name() + ": insufficient data to decrypt");
290
291
0
   if(sz % BS == 0)
292
0
      {
293
      // swap last two blocks
294
295
0
      for(size_t i = 0; i != BS; ++i)
296
0
         std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
297
298
0
      update(buffer, offset);
299
0
      }
300
0
   else
301
0
      {
302
0
      const size_t full_blocks = ((sz / BS) - 1) * BS;
303
0
      const size_t final_bytes = sz - full_blocks;
304
0
      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
305
306
0
      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
307
0
      buffer.resize(full_blocks + offset);
308
0
      update(buffer, offset);
309
310
0
      cipher().decrypt(last.data());
311
312
0
      xor_buf(last.data(), &last[BS], final_bytes - BS);
313
314
0
      for(size_t i = 0; i != final_bytes - BS; ++i)
315
0
         std::swap(last[i], last[i + BS]);
316
317
0
      cipher().decrypt(last.data());
318
0
      xor_buf(last.data(), state_ptr(), BS);
319
320
0
      buffer += last;
321
0
      }
322
0
   }
323
324
}