/src/botan/src/lib/modes/cbc/cbc.cpp

Source
/*
* CBC Mode
* (C) 1999-2007,2013,2017 Jack Lloyd
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
* (C) 2018 Ribose Inc
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/cbc.h>

#include <botan/exceptn.h>
#include <botan/mem_ops.h>
#include <botan/internal/fmt.h>
#include <botan/internal/mode_pad.h>

namespace Botan {

CBC_Mode::CBC_Mode(std::unique_ptr<BlockCipher> cipher, std::unique_ptr<BlockCipherModePaddingMethod> padding) :
      m_cipher(std::move(cipher)), m_padding(std::move(padding)), m_block_size(m_cipher->block_size()) {
   if(m_padding && !m_padding->valid_blocksize(m_block_size)) {
      throw Invalid_Argument(fmt("Padding {} cannot be used with {} in CBC mode", m_padding->name(), m_cipher->name()));
   }
}

void CBC_Mode::clear() {
   m_cipher->clear();
   reset();
}

void CBC_Mode::reset() {
   m_state.clear();
}

std::string CBC_Mode::name() const {
   if(m_padding) {
      return fmt("{}/CBC/{}", cipher().name(), padding().name());
   } else {
      return fmt("{}/CBC/CTS", cipher().name());
   }
}

size_t CBC_Mode::update_granularity() const {
   return cipher().block_size();
}

size_t CBC_Mode::ideal_granularity() const {
   return cipher().parallel_bytes();
}

Key_Length_Specification CBC_Mode::key_spec() const {
   return cipher().key_spec();
}

size_t CBC_Mode::default_nonce_length() const {
   return block_size();
}

bool CBC_Mode::valid_nonce_length(size_t n) const {
   return (n == 0 || n == block_size());
}

bool CBC_Mode::has_keying_material() const {
   return m_cipher->has_keying_material();
}

void CBC_Mode::key_schedule(std::span<const uint8_t> key) {
   m_cipher->set_key(key);
   m_state.clear();
}

void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
   if(!valid_nonce_length(nonce_len)) {
      throw Invalid_IV_Length(name(), nonce_len);
   }

   /*
   * A nonce of zero length means carry the last ciphertext value over
   * as the new IV, as unfortunately some protocols require this. If
   * this is the first message then we use an IV of all zeros.
   */
   if(nonce_len > 0) {
      m_state.assign(nonce, nonce + nonce_len);
   } else if(m_state.empty()) {
      m_state.resize(m_cipher->block_size());
   }
   // else leave the state alone
}

size_t CBC_Encryption::minimum_final_size() const {
   return 0;
}

size_t CBC_Encryption::output_length(size_t input_length) const {
   return padding().output_length(input_length, block_size());
}

size_t CBC_Encryption::process_msg(uint8_t buf[], size_t sz) {
   BOTAN_STATE_CHECK(state().empty() == false);
   const size_t BS = block_size();

   BOTAN_ARG_CHECK(sz % BS == 0, "CBC input is not full blocks");
   const size_t blocks = sz / BS;

   if(blocks > 0) {
      xor_buf(&buf[0], state_ptr(), BS);
      cipher().encrypt(&buf[0]);

      for(size_t i = 1; i != blocks; ++i) {
         xor_buf(&buf[BS * i], &buf[BS * (i - 1)], BS);
         cipher().encrypt(&buf[BS * i]);
      }

      state().assign(&buf[BS * (blocks - 1)], &buf[BS * blocks]);
   }

   return sz;
}

void CBC_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
   BOTAN_STATE_CHECK(state().empty() == false);
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

   const size_t BS = block_size();

   const size_t output_bytes = offset + padding().output_length(buffer.size() - offset, BS);
   const size_t bytes_in_final_block = (buffer.size() - offset) % BS;
   buffer.resize(output_bytes);
   padding().add_padding(std::span(buffer).subspan(offset), bytes_in_final_block, BS);

   BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");

   update(buffer, offset);
}

bool CTS_Encryption::valid_nonce_length(size_t n) const {
   return (n == block_size());
}

size_t CTS_Encryption::minimum_final_size() const {
   return block_size() + 1;
}

size_t CTS_Encryption::output_length(size_t input_length) const {
   return input_length;  // no ciphertext expansion in CTS
}

void CTS_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
   BOTAN_STATE_CHECK(state().empty() == false);
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
   uint8_t* buf = buffer.data() + offset;
   const size_t sz = buffer.size() - offset;

   const size_t BS = block_size();

   if(sz < BS + 1) {
      throw Encoding_Error(name() + ": insufficient data to encrypt");
   }

   if(sz % BS == 0) {
      update(buffer, offset);

      // swap last two blocks
      for(size_t i = 0; i != BS; ++i) {
         std::swap(buffer[buffer.size() - BS + i], buffer[buffer.size() - 2 * BS + i]);
      }
   } else {
      const size_t full_blocks = ((sz / BS) - 1) * BS;
      const size_t final_bytes = sz - full_blocks;
      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");

      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
      buffer.resize(full_blocks + offset);
      update(buffer, offset);

      xor_buf(last.data(), state_ptr(), BS);
      cipher().encrypt(last.data());

      for(size_t i = 0; i != final_bytes - BS; ++i) {
         last[i] ^= last[i + BS];
         last[i + BS] ^= last[i];
      }

      cipher().encrypt(last.data());

      buffer += last;
   }
}

size_t CBC_Decryption::output_length(size_t input_length) const {
   return input_length;  // precise for CTS, worst case otherwise
}

size_t CBC_Decryption::minimum_final_size() const {
   return block_size();
}

size_t CBC_Decryption::process_msg(uint8_t buf[], size_t sz) {
   BOTAN_STATE_CHECK(state().empty() == false);

   const size_t BS = block_size();

   BOTAN_ARG_CHECK(sz % BS == 0, "Input is not full blocks");
   size_t blocks = sz / BS;

   while(blocks > 0) {
      const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());

      cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);

      xor_buf(m_tempbuf.data(), state_ptr(), BS);
      xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
      copy_mem(state_ptr(), buf + (to_proc - BS), BS);

      copy_mem(buf, m_tempbuf.data(), to_proc);

      buf += to_proc;
      blocks -= to_proc / BS;
   }

   return sz;
}

void CBC_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
   BOTAN_STATE_CHECK(state().empty() == false);
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
   const size_t sz = buffer.size() - offset;

   const size_t BS = block_size();

   if(sz == 0 || sz % BS != 0) {
      throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");
   }

   update(buffer, offset);

   const size_t pad_bytes = BS - padding().unpad(std::span{buffer}.last(BS));
   buffer.resize(buffer.size() - pad_bytes);  // remove padding
   if(pad_bytes == 0 && padding().name() != "NoPadding") {
      throw Decoding_Error("Invalid CBC padding");
   }
}

void CBC_Decryption::reset() {
   CBC_Mode::reset();
   zeroise(m_tempbuf);
}

bool CTS_Decryption::valid_nonce_length(size_t n) const {
   return (n == block_size());
}

size_t CTS_Decryption::minimum_final_size() const {
   return block_size() + 1;
}

void CTS_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
   BOTAN_STATE_CHECK(state().empty() == false);
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
   const size_t sz = buffer.size() - offset;
   uint8_t* buf = buffer.data() + offset;

   const size_t BS = block_size();

   if(sz < BS + 1) {
      throw Encoding_Error(name() + ": insufficient data to decrypt");
   }

   if(sz % BS == 0) {
      // swap last two blocks

      for(size_t i = 0; i != BS; ++i) {
         std::swap(buffer[buffer.size() - BS + i], buffer[buffer.size() - 2 * BS + i]);
      }

      update(buffer, offset);
   } else {
      const size_t full_blocks = ((sz / BS) - 1) * BS;
      const size_t final_bytes = sz - full_blocks;
      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");

      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
      buffer.resize(full_blocks + offset);
      update(buffer, offset);

      cipher().decrypt(last.data());

      xor_buf(last.data(), &last[BS], final_bytes - BS);

      for(size_t i = 0; i != final_bytes - BS; ++i) {
         std::swap(last[i], last[i + BS]);
      }

      cipher().decrypt(last.data());
      xor_buf(last.data(), state_ptr(), BS);

      buffer += last;
   }
}

}  // namespace Botan

Coverage Report

Created: 2026-04-08 06:11

Line	Count	Source
1		/*
2		* CBC Mode
3		* (C) 1999-2007,2013,2017 Jack Lloyd
4		* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5		* (C) 2018 Ribose Inc
6		*
7		* Botan is released under the Simplified BSD License (see license.txt)
8		*/
9
10		#include <botan/internal/cbc.h>
11
12		#include <botan/exceptn.h>
13		#include <botan/mem_ops.h>
14		#include <botan/internal/fmt.h>
15		#include <botan/internal/mode_pad.h>
16
17		namespace Botan {
18
19		CBC_Mode::CBC_Mode(std::unique_ptr<BlockCipher> cipher, std::unique_ptr<BlockCipherModePaddingMethod> padding) :
20	740	m_cipher(std::move(cipher)), m_padding(std::move(padding)), m_block_size(m_cipher->block_size()) {
21	740	if(m_padding && !m_padding->valid_blocksize(m_block_size)) {
22	0	throw Invalid_Argument(fmt("Padding {} cannot be used with {} in CBC mode", m_padding->name(), m_cipher->name()));
23	0	}
24	740	}
25
26	0	void CBC_Mode::clear() {
27	0	m_cipher->clear();
28	0	reset();
29	0	}
30
31	0	void CBC_Mode::reset() {
32	0	m_state.clear();
33	0	}
34
35	0	std::string CBC_Mode::name() const {
36	0	if(m_padding) {
37	0	return fmt("{}/CBC/{}", cipher().name(), padding().name());
38	0	} else {
39	0	return fmt("{}/CBC/CTS", cipher().name());
40	0	}
41	0	}
42
43	0	size_t CBC_Mode::update_granularity() const {
44	0	return cipher().block_size();
45	0	}
46
47	193	size_t CBC_Mode::ideal_granularity() const {
48	193	return cipher().parallel_bytes();
49	193	}
50
51	740	Key_Length_Specification CBC_Mode::key_spec() const {
52	740	return cipher().key_spec();
53	740	}
54
55	0	size_t CBC_Mode::default_nonce_length() const {
56	0	return block_size();
57	0	}
58
59	831	bool CBC_Mode::valid_nonce_length(size_t n) const {
60	831	return (n == 0 \|\| n == block_size());
61	831	}
62
63	0	bool CBC_Mode::has_keying_material() const {
64	0	return m_cipher->has_keying_material();
65	0	}
66
67	740	void CBC_Mode::key_schedule(std::span<const uint8_t> key) {
68	740	m_cipher->set_key(key);
69	740	m_state.clear();
70	740	}
71
72	831	void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
73	831	if(!valid_nonce_length(nonce_len)) {
74	0	throw Invalid_IV_Length(name(), nonce_len);
75	0	}
76
77		/*
78		* A nonce of zero length means carry the last ciphertext value over
79		* as the new IV, as unfortunately some protocols require this. If
80		* this is the first message then we use an IV of all zeros.
81		*/
82	831	if(nonce_len > 0) {
83	831	m_state.assign(nonce, nonce + nonce_len);
84	831	} else if(m_state.empty()) {
85	0	m_state.resize(m_cipher->block_size());
86	0	}
87		// else leave the state alone
88	831	}
89
90	0	size_t CBC_Encryption::minimum_final_size() const {
91	0	return 0;
92	0	}
93
94	0	size_t CBC_Encryption::output_length(size_t input_length) const {
95	0	return padding().output_length(input_length, block_size());
96	0	}
97
98	711	size_t CBC_Encryption::process_msg(uint8_t buf[], size_t sz) {
99	711	BOTAN_STATE_CHECK(state().empty() == false);
100	711	const size_t BS = block_size();
101
102	711	BOTAN_ARG_CHECK(sz % BS == 0, "CBC input is not full blocks");
103	711	const size_t blocks = sz / BS;
104
105	711	if(blocks > 0) {
106	711	xor_buf(&buf[0], state_ptr(), BS);
107	711	cipher().encrypt(&buf[0]);
108
109	2.74k	for(size_t i = 1; i != blocks; ++i) {
110	2.02k	xor_buf(&buf[BS * i], &buf[BS * (i - 1)], BS);
111	2.02k	cipher().encrypt(&buf[BS * i]);
112	2.02k	}
113
114	711	state().assign(&buf[BS * (blocks - 1)], &buf[BS * blocks]);
115	711	}
116
117	711	return sz;
118	711	}
119
120	0	void CBC_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
121	0	BOTAN_STATE_CHECK(state().empty() == false);
122	0	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
123
124	0	const size_t BS = block_size();
125
126	0	const size_t output_bytes = offset + padding().output_length(buffer.size() - offset, BS);
127	0	const size_t bytes_in_final_block = (buffer.size() - offset) % BS;
128	0	buffer.resize(output_bytes);
129	0	padding().add_padding(std::span(buffer).subspan(offset), bytes_in_final_block, BS);
130
131	0	BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");
132
133	0	update(buffer, offset);
134	0	}
135
136	0	bool CTS_Encryption::valid_nonce_length(size_t n) const {
137	0	return (n == block_size());
138	0	}
139
140	0	size_t CTS_Encryption::minimum_final_size() const {
141	0	return block_size() + 1;
142	0	}
143
144	0	size_t CTS_Encryption::output_length(size_t input_length) const {
145	0	return input_length; // no ciphertext expansion in CTS
146	0	}
147
148	0	void CTS_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
149	0	BOTAN_STATE_CHECK(state().empty() == false);
150	0	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
151	0	uint8_t* buf = buffer.data() + offset;
152	0	const size_t sz = buffer.size() - offset;
153
154	0	const size_t BS = block_size();
155
156	0	if(sz < BS + 1) {
157	0	throw Encoding_Error(name() + ": insufficient data to encrypt");
158	0	}
159
160	0	if(sz % BS == 0) {
161	0	update(buffer, offset);
162
163		// swap last two blocks
164	0	for(size_t i = 0; i != BS; ++i) {
165	0	std::swap(buffer[buffer.size() - BS + i], buffer[buffer.size() - 2 * BS + i]);
166	0	}
167	0	} else {
168	0	const size_t full_blocks = ((sz / BS) - 1) * BS;
169	0	const size_t final_bytes = sz - full_blocks;
170	0	BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");
171
172	0	secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
173	0	buffer.resize(full_blocks + offset);
174	0	update(buffer, offset);
175
176	0	xor_buf(last.data(), state_ptr(), BS);
177	0	cipher().encrypt(last.data());
178
179	0	for(size_t i = 0; i != final_bytes - BS; ++i) {
180	0	last[i] ^= last[i + BS];
181	0	last[i + BS] ^= last[i];
182	0	}
183
184	0	cipher().encrypt(last.data());
185
186	0	buffer += last;
187	0	}
188	0	}
189
190	0	size_t CBC_Decryption::output_length(size_t input_length) const {
191	0	return input_length; // precise for CTS, worst case otherwise
192	0	}
193
194	0	size_t CBC_Decryption::minimum_final_size() const {
195	0	return block_size();
196	0	}
197
198	120	size_t CBC_Decryption::process_msg(uint8_t buf[], size_t sz) {
199	120	BOTAN_STATE_CHECK(state().empty() == false);
200
201	120	const size_t BS = block_size();
202
203	120	BOTAN_ARG_CHECK(sz % BS == 0, "Input is not full blocks");
204	120	size_t blocks = sz / BS;
205
206	575	while(blocks > 0) {
207	455	const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());
208
209	455	cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);
210
211	455	xor_buf(m_tempbuf.data(), state_ptr(), BS);
212	455	xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
213	455	copy_mem(state_ptr(), buf + (to_proc - BS), BS);
214
215	455	copy_mem(buf, m_tempbuf.data(), to_proc);
216
217	455	buf += to_proc;
218	455	blocks -= to_proc / BS;
219	455	}
220
221	120	return sz;
222	120	}
223
224	0	void CBC_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
225	0	BOTAN_STATE_CHECK(state().empty() == false);
226	0	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
227	0	const size_t sz = buffer.size() - offset;
228
229	0	const size_t BS = block_size();
230
231	0	if(sz == 0 \|\| sz % BS != 0) {
232	0	throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");
233	0	}
234
235	0	update(buffer, offset);
236
237	0	const size_t pad_bytes = BS - padding().unpad(std::span{buffer}.last(BS));
238	0	buffer.resize(buffer.size() - pad_bytes); // remove padding
239	0	if(pad_bytes == 0 && padding().name() != "NoPadding") {
240	0	throw Decoding_Error("Invalid CBC padding");
241	0	}
242	0	}
243
244	0	void CBC_Decryption::reset() {
245	0	CBC_Mode::reset();
246	0	zeroise(m_tempbuf);
247	0	}
248
249	0	bool CTS_Decryption::valid_nonce_length(size_t n) const {
250	0	return (n == block_size());
251	0	}
252
253	0	size_t CTS_Decryption::minimum_final_size() const {
254	0	return block_size() + 1;
255	0	}
256
257	0	void CTS_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
258	0	BOTAN_STATE_CHECK(state().empty() == false);
259	0	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
260	0	const size_t sz = buffer.size() - offset;
261	0	uint8_t* buf = buffer.data() + offset;
262
263	0	const size_t BS = block_size();
264
265	0	if(sz < BS + 1) {
266	0	throw Encoding_Error(name() + ": insufficient data to decrypt");
267	0	}
268
269	0	if(sz % BS == 0) {
270		// swap last two blocks
271
272	0	for(size_t i = 0; i != BS; ++i) {
273	0	std::swap(buffer[buffer.size() - BS + i], buffer[buffer.size() - 2 * BS + i]);
274	0	}
275
276	0	update(buffer, offset);
277	0	} else {
278	0	const size_t full_blocks = ((sz / BS) - 1) * BS;
279	0	const size_t final_bytes = sz - full_blocks;
280	0	BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");
281
282	0	secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
283	0	buffer.resize(full_blocks + offset);
284	0	update(buffer, offset);
285
286	0	cipher().decrypt(last.data());
287
288	0	xor_buf(last.data(), &last[BS], final_bytes - BS);
289
290	0	for(size_t i = 0; i != final_bytes - BS; ++i) {
291	0	std::swap(last[i], last[i + BS]);
292	0	}
293
294	0	cipher().decrypt(last.data());
295	0	xor_buf(last.data(), state_ptr(), BS);
296
297	0	buffer += last;
298	0	}
299	0	}
300
301		} // namespace Botan