/src/botan/src/lib/modes/cbc/cbc.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * CBC Mode |
3 | | * (C) 1999-2007,2013,2017 Jack Lloyd |
4 | | * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity |
5 | | * (C) 2018 Ribose Inc |
6 | | * |
7 | | * Botan is released under the Simplified BSD License (see license.txt) |
8 | | */ |
9 | | |
10 | | #include <botan/internal/cbc.h> |
11 | | #include <botan/internal/mode_pad.h> |
12 | | #include <botan/internal/rounding.h> |
13 | | |
14 | | namespace Botan { |
15 | | |
16 | | CBC_Mode::CBC_Mode(std::unique_ptr<BlockCipher> cipher, |
17 | | std::unique_ptr<BlockCipherModePaddingMethod> padding) : |
18 | | m_cipher(std::move(cipher)), |
19 | | m_padding(std::move(padding)), |
20 | | m_block_size(m_cipher->block_size()) |
21 | 564 | { |
22 | 564 | if(m_padding && !m_padding->valid_blocksize(m_block_size)) |
23 | 0 | throw Invalid_Argument("Padding " + m_padding->name() + |
24 | 0 | " cannot be used with " + |
25 | 0 | cipher->name() + "/CBC"); |
26 | 564 | } |
27 | | |
28 | | void CBC_Mode::clear() |
29 | 0 | { |
30 | 0 | m_cipher->clear(); |
31 | 0 | reset(); |
32 | 0 | } |
33 | | |
34 | | void CBC_Mode::reset() |
35 | 0 | { |
36 | 0 | m_state.clear(); |
37 | 0 | } |
38 | | |
39 | | std::string CBC_Mode::name() const |
40 | 0 | { |
41 | 0 | if(m_padding) |
42 | 0 | return cipher().name() + "/CBC/" + padding().name(); |
43 | 0 | else |
44 | 0 | return cipher().name() + "/CBC/CTS"; |
45 | 0 | } |
46 | | |
47 | | size_t CBC_Mode::update_granularity() const |
48 | 325 | { |
49 | 325 | return cipher().parallel_bytes(); |
50 | 325 | } |
51 | | |
52 | | Key_Length_Specification CBC_Mode::key_spec() const |
53 | 564 | { |
54 | 564 | return cipher().key_spec(); |
55 | 564 | } |
56 | | |
57 | | size_t CBC_Mode::default_nonce_length() const |
58 | 0 | { |
59 | 0 | return block_size(); |
60 | 0 | } |
61 | | |
62 | | bool CBC_Mode::valid_nonce_length(size_t n) const |
63 | 427 | { |
64 | 427 | return (n == 0 || n == block_size()); |
65 | 427 | } |
66 | | |
67 | | void CBC_Mode::key_schedule(const uint8_t key[], size_t length) |
68 | 564 | { |
69 | 564 | m_cipher->set_key(key, length); |
70 | 564 | m_state.clear(); |
71 | 564 | } |
72 | | |
73 | | void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) |
74 | 427 | { |
75 | 427 | if(!valid_nonce_length(nonce_len)) |
76 | 0 | throw Invalid_IV_Length(name(), nonce_len); |
77 | | |
78 | | /* |
79 | | * A nonce of zero length means carry the last ciphertext value over |
80 | | * as the new IV, as unfortunately some protocols require this. If |
81 | | * this is the first message then we use an IV of all zeros. |
82 | | */ |
83 | 427 | if(nonce_len) |
84 | 427 | m_state.assign(nonce, nonce + nonce_len); |
85 | 0 | else if(m_state.empty()) |
86 | 0 | m_state.resize(m_cipher->block_size()); |
87 | | // else leave the state alone |
88 | 427 | } |
89 | | |
90 | | size_t CBC_Encryption::minimum_final_size() const |
91 | 0 | { |
92 | 0 | return 0; |
93 | 0 | } |
94 | | |
95 | | size_t CBC_Encryption::output_length(size_t input_length) const |
96 | 0 | { |
97 | 0 | if(input_length == 0) |
98 | 0 | return block_size(); |
99 | 0 | else |
100 | 0 | return round_up(input_length, block_size()); |
101 | 0 | } |
102 | | |
103 | | size_t CBC_Encryption::process(uint8_t buf[], size_t sz) |
104 | 362 | { |
105 | 362 | BOTAN_STATE_CHECK(state().empty() == false); |
106 | 362 | const size_t BS = block_size(); |
107 | | |
108 | 362 | BOTAN_ASSERT(sz % BS == 0, "CBC input is full blocks"); |
109 | 362 | const size_t blocks = sz / BS; |
110 | | |
111 | 362 | if(blocks > 0) |
112 | 362 | { |
113 | 362 | xor_buf(&buf[0], state_ptr(), BS); |
114 | 362 | cipher().encrypt(&buf[0]); |
115 | | |
116 | 1.20k | for(size_t i = 1; i != blocks; ++i) |
117 | 846 | { |
118 | 846 | xor_buf(&buf[BS*i], &buf[BS*(i-1)], BS); |
119 | 846 | cipher().encrypt(&buf[BS*i]); |
120 | 846 | } |
121 | | |
122 | 362 | state().assign(&buf[BS*(blocks-1)], &buf[BS*blocks]); |
123 | 362 | } |
124 | | |
125 | 362 | return sz; |
126 | 362 | } |
127 | | |
128 | | void CBC_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
129 | 0 | { |
130 | 0 | BOTAN_STATE_CHECK(state().empty() == false); |
131 | 0 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
132 | |
|
133 | 0 | const size_t BS = block_size(); |
134 | |
|
135 | 0 | const size_t bytes_in_final_block = (buffer.size()-offset) % BS; |
136 | |
|
137 | 0 | padding().add_padding(buffer, bytes_in_final_block, BS); |
138 | |
|
139 | 0 | BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary"); |
140 | |
|
141 | 0 | update(buffer, offset); |
142 | 0 | } |
143 | | |
144 | | bool CTS_Encryption::valid_nonce_length(size_t n) const |
145 | 0 | { |
146 | 0 | return (n == block_size()); |
147 | 0 | } |
148 | | |
149 | | size_t CTS_Encryption::minimum_final_size() const |
150 | 0 | { |
151 | 0 | return block_size() + 1; |
152 | 0 | } |
153 | | |
154 | | size_t CTS_Encryption::output_length(size_t input_length) const |
155 | 0 | { |
156 | 0 | return input_length; // no ciphertext expansion in CTS |
157 | 0 | } |
158 | | |
159 | | void CTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
160 | 0 | { |
161 | 0 | BOTAN_STATE_CHECK(state().empty() == false); |
162 | 0 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
163 | 0 | uint8_t* buf = buffer.data() + offset; |
164 | 0 | const size_t sz = buffer.size() - offset; |
165 | |
|
166 | 0 | const size_t BS = block_size(); |
167 | |
|
168 | 0 | if(sz < BS + 1) |
169 | 0 | throw Encoding_Error(name() + ": insufficient data to encrypt"); |
170 | | |
171 | 0 | if(sz % BS == 0) |
172 | 0 | { |
173 | 0 | update(buffer, offset); |
174 | | |
175 | | // swap last two blocks |
176 | 0 | for(size_t i = 0; i != BS; ++i) |
177 | 0 | std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]); |
178 | 0 | } |
179 | 0 | else |
180 | 0 | { |
181 | 0 | const size_t full_blocks = ((sz / BS) - 1) * BS; |
182 | 0 | const size_t final_bytes = sz - full_blocks; |
183 | 0 | BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range"); |
184 | |
|
185 | 0 | secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes); |
186 | 0 | buffer.resize(full_blocks + offset); |
187 | 0 | update(buffer, offset); |
188 | |
|
189 | 0 | xor_buf(last.data(), state_ptr(), BS); |
190 | 0 | cipher().encrypt(last.data()); |
191 | |
|
192 | 0 | for(size_t i = 0; i != final_bytes - BS; ++i) |
193 | 0 | { |
194 | 0 | last[i] ^= last[i + BS]; |
195 | 0 | last[i + BS] ^= last[i]; |
196 | 0 | } |
197 | |
|
198 | 0 | cipher().encrypt(last.data()); |
199 | |
|
200 | 0 | buffer += last; |
201 | 0 | } |
202 | 0 | } |
203 | | |
204 | | size_t CBC_Decryption::output_length(size_t input_length) const |
205 | 0 | { |
206 | 0 | return input_length; // precise for CTS, worst case otherwise |
207 | 0 | } |
208 | | |
209 | | size_t CBC_Decryption::minimum_final_size() const |
210 | 0 | { |
211 | 0 | return block_size(); |
212 | 0 | } |
213 | | |
214 | | size_t CBC_Decryption::process(uint8_t buf[], size_t sz) |
215 | 65 | { |
216 | 65 | BOTAN_STATE_CHECK(state().empty() == false); |
217 | | |
218 | 65 | const size_t BS = block_size(); |
219 | | |
220 | 65 | BOTAN_ASSERT(sz % BS == 0, "Input is full blocks"); |
221 | 65 | size_t blocks = sz / BS; |
222 | | |
223 | 1.15k | while(blocks) |
224 | 1.09k | { |
225 | 1.09k | const size_t to_proc = std::min(BS * blocks, m_tempbuf.size()); |
226 | | |
227 | 1.09k | cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS); |
228 | | |
229 | 1.09k | xor_buf(m_tempbuf.data(), state_ptr(), BS); |
230 | 1.09k | xor_buf(&m_tempbuf[BS], buf, to_proc - BS); |
231 | 1.09k | copy_mem(state_ptr(), buf + (to_proc - BS), BS); |
232 | | |
233 | 1.09k | copy_mem(buf, m_tempbuf.data(), to_proc); |
234 | | |
235 | 1.09k | buf += to_proc; |
236 | 1.09k | blocks -= to_proc / BS; |
237 | 1.09k | } |
238 | | |
239 | 65 | return sz; |
240 | 65 | } |
241 | | |
242 | | void CBC_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
243 | 0 | { |
244 | 0 | BOTAN_STATE_CHECK(state().empty() == false); |
245 | 0 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
246 | 0 | const size_t sz = buffer.size() - offset; |
247 | |
|
248 | 0 | const size_t BS = block_size(); |
249 | |
|
250 | 0 | if(sz == 0 || sz % BS) |
251 | 0 | throw Decoding_Error(name() + ": Ciphertext not a multiple of block size"); |
252 | | |
253 | 0 | update(buffer, offset); |
254 | |
|
255 | 0 | const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS); |
256 | 0 | buffer.resize(buffer.size() - pad_bytes); // remove padding |
257 | 0 | if(pad_bytes == 0 && padding().name() != "NoPadding") |
258 | 0 | { |
259 | 0 | throw Decoding_Error("Invalid CBC padding"); |
260 | 0 | } |
261 | 0 | } |
262 | | |
263 | | void CBC_Decryption::reset() |
264 | 0 | { |
265 | 0 | CBC_Mode::reset(); |
266 | 0 | zeroise(m_tempbuf); |
267 | 0 | } |
268 | | |
269 | | bool CTS_Decryption::valid_nonce_length(size_t n) const |
270 | 0 | { |
271 | 0 | return (n == block_size()); |
272 | 0 | } |
273 | | |
274 | | size_t CTS_Decryption::minimum_final_size() const |
275 | 0 | { |
276 | 0 | return block_size() + 1; |
277 | 0 | } |
278 | | |
279 | | void CTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset) |
280 | 0 | { |
281 | 0 | BOTAN_STATE_CHECK(state().empty() == false); |
282 | 0 | BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane"); |
283 | 0 | const size_t sz = buffer.size() - offset; |
284 | 0 | uint8_t* buf = buffer.data() + offset; |
285 | |
|
286 | 0 | const size_t BS = block_size(); |
287 | |
|
288 | 0 | if(sz < BS + 1) |
289 | 0 | throw Encoding_Error(name() + ": insufficient data to decrypt"); |
290 | | |
291 | 0 | if(sz % BS == 0) |
292 | 0 | { |
293 | | // swap last two blocks |
294 | |
|
295 | 0 | for(size_t i = 0; i != BS; ++i) |
296 | 0 | std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]); |
297 | |
|
298 | 0 | update(buffer, offset); |
299 | 0 | } |
300 | 0 | else |
301 | 0 | { |
302 | 0 | const size_t full_blocks = ((sz / BS) - 1) * BS; |
303 | 0 | const size_t final_bytes = sz - full_blocks; |
304 | 0 | BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range"); |
305 | |
|
306 | 0 | secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes); |
307 | 0 | buffer.resize(full_blocks + offset); |
308 | 0 | update(buffer, offset); |
309 | |
|
310 | 0 | cipher().decrypt(last.data()); |
311 | |
|
312 | 0 | xor_buf(last.data(), &last[BS], final_bytes - BS); |
313 | |
|
314 | 0 | for(size_t i = 0; i != final_bytes - BS; ++i) |
315 | 0 | std::swap(last[i], last[i + BS]); |
316 | |
|
317 | 0 | cipher().decrypt(last.data()); |
318 | 0 | xor_buf(last.data(), state_ptr(), BS); |
319 | |
|
320 | 0 | buffer += last; |
321 | 0 | } |
322 | 0 | } |
323 | | |
324 | | } |