/src/botan/src/lib/modes/cbc/cbc.cpp

Source (jump to first uncovered line)
/*
* CBC Mode
* (C) 1999-2007,2013,2017 Jack Lloyd
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
* (C) 2018 Ribose Inc
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/cbc.h>
#include <botan/internal/mode_pad.h>
#include <botan/internal/rounding.h>

namespace Botan {

CBC_Mode::CBC_Mode(std::unique_ptr<BlockCipher> cipher,
                   std::unique_ptr<BlockCipherModePaddingMethod> padding) :
   m_cipher(std::move(cipher)),
   m_padding(std::move(padding)),
   m_block_size(m_cipher->block_size())
   {
   if(m_padding && !m_padding->valid_blocksize(m_block_size))
      throw Invalid_Argument("Padding " + m_padding->name() +
                             " cannot be used with " +
                             m_cipher->name() + "/CBC");
   }

void CBC_Mode::clear()
   {
   m_cipher->clear();
   reset();
   }

void CBC_Mode::reset()
   {
   m_state.clear();
   }

std::string CBC_Mode::name() const
   {
   if(m_padding)
      return cipher().name() + "/CBC/" + padding().name();
   else
      return cipher().name() + "/CBC/CTS";
   }

size_t CBC_Mode::update_granularity() const
   {
   return cipher().block_size();
   }

size_t CBC_Mode::ideal_granularity() const
   {
   return cipher().parallel_bytes();
   }

Key_Length_Specification CBC_Mode::key_spec() const
   {
   return cipher().key_spec();
   }

size_t CBC_Mode::default_nonce_length() const
   {
   return block_size();
   }

bool CBC_Mode::valid_nonce_length(size_t n) const
   {
   return (n == 0 || n == block_size());
   }

bool CBC_Mode::has_keying_material() const
   {
   return m_cipher->has_keying_material();
   }

void CBC_Mode::key_schedule(const uint8_t key[], size_t length)
   {
   m_cipher->set_key(key, length);
   m_state.clear();
   }

void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
   {
   if(!valid_nonce_length(nonce_len))
      throw Invalid_IV_Length(name(), nonce_len);

   /*
   * A nonce of zero length means carry the last ciphertext value over
   * as the new IV, as unfortunately some protocols require this. If
   * this is the first message then we use an IV of all zeros.
   */
   if(nonce_len)
      m_state.assign(nonce, nonce + nonce_len);
   else if(m_state.empty())
      m_state.resize(m_cipher->block_size());
   // else leave the state alone
   }

size_t CBC_Encryption::minimum_final_size() const
   {
   return 0;
   }

size_t CBC_Encryption::output_length(size_t input_length) const
   {
   if(input_length == 0)
      return block_size();
   else
      return round_up(input_length, block_size());
   }

size_t CBC_Encryption::process(uint8_t buf[], size_t sz)
   {
   BOTAN_STATE_CHECK(state().empty() == false);
   const size_t BS = block_size();

   BOTAN_ARG_CHECK(sz % BS == 0, "CBC input is not full blocks");
   const size_t blocks = sz / BS;

   if(blocks > 0)
      {
      xor_buf(&buf[0], state_ptr(), BS);
      cipher().encrypt(&buf[0]);

      for(size_t i = 1; i != blocks; ++i)
         {
         xor_buf(&buf[BS*i], &buf[BS*(i-1)], BS);
         cipher().encrypt(&buf[BS*i]);
         }

      state().assign(&buf[BS*(blocks-1)], &buf[BS*blocks]);
      }

   return sz;
   }

void CBC_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
   {
   BOTAN_STATE_CHECK(state().empty() == false);
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

   const size_t BS = block_size();

   const size_t bytes_in_final_block = (buffer.size()-offset) % BS;

   padding().add_padding(buffer, bytes_in_final_block, BS);

   BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");

   update(buffer, offset);
   }

bool CTS_Encryption::valid_nonce_length(size_t n) const
   {
   return (n == block_size());
   }

size_t CTS_Encryption::minimum_final_size() const
   {
   return block_size() + 1;
   }

size_t CTS_Encryption::output_length(size_t input_length) const
   {
   return input_length; // no ciphertext expansion in CTS
   }

void CTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
   {
   BOTAN_STATE_CHECK(state().empty() == false);
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
   uint8_t* buf = buffer.data() + offset;
   const size_t sz = buffer.size() - offset;

   const size_t BS = block_size();

   if(sz < BS + 1)
      throw Encoding_Error(name() + ": insufficient data to encrypt");

   if(sz % BS == 0)
      {
      update(buffer, offset);

      // swap last two blocks
      for(size_t i = 0; i != BS; ++i)
         std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
      }
   else
      {
      const size_t full_blocks = ((sz / BS) - 1) * BS;
      const size_t final_bytes = sz - full_blocks;
      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");

      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
      buffer.resize(full_blocks + offset);
      update(buffer, offset);

      xor_buf(last.data(), state_ptr(), BS);
      cipher().encrypt(last.data());

      for(size_t i = 0; i != final_bytes - BS; ++i)
         {
         last[i] ^= last[i + BS];
         last[i + BS] ^= last[i];
         }

      cipher().encrypt(last.data());

      buffer += last;
      }
   }

size_t CBC_Decryption::output_length(size_t input_length) const
   {
   return input_length; // precise for CTS, worst case otherwise
   }

size_t CBC_Decryption::minimum_final_size() const
   {
   return block_size();
   }

size_t CBC_Decryption::process(uint8_t buf[], size_t sz)
   {
   BOTAN_STATE_CHECK(state().empty() == false);

   const size_t BS = block_size();

   BOTAN_ARG_CHECK(sz % BS == 0, "Input is not full blocks");
   size_t blocks = sz / BS;

   while(blocks)
      {
      const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());

      cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);

      xor_buf(m_tempbuf.data(), state_ptr(), BS);
      xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
      copy_mem(state_ptr(), buf + (to_proc - BS), BS);

      copy_mem(buf, m_tempbuf.data(), to_proc);

      buf += to_proc;
      blocks -= to_proc / BS;
      }

   return sz;
   }

void CBC_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
   {
   BOTAN_STATE_CHECK(state().empty() == false);
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
   const size_t sz = buffer.size() - offset;

   const size_t BS = block_size();

   if(sz == 0 || sz % BS)
      throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");

   update(buffer, offset);

   const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS);
   buffer.resize(buffer.size() - pad_bytes); // remove padding
   if(pad_bytes == 0 && padding().name() != "NoPadding")
      {
      throw Decoding_Error("Invalid CBC padding");
      }
   }

void CBC_Decryption::reset()
   {
   CBC_Mode::reset();
   zeroise(m_tempbuf);
   }

bool CTS_Decryption::valid_nonce_length(size_t n) const
   {
   return (n == block_size());
   }

size_t CTS_Decryption::minimum_final_size() const
   {
   return block_size() + 1;
   }

void CTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
   {
   BOTAN_STATE_CHECK(state().empty() == false);
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
   const size_t sz = buffer.size() - offset;
   uint8_t* buf = buffer.data() + offset;

   const size_t BS = block_size();

   if(sz < BS + 1)
      throw Encoding_Error(name() + ": insufficient data to decrypt");

   if(sz % BS == 0)
      {
      // swap last two blocks

      for(size_t i = 0; i != BS; ++i)
         std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);

      update(buffer, offset);
      }
   else
      {
      const size_t full_blocks = ((sz / BS) - 1) * BS;
      const size_t final_bytes = sz - full_blocks;
      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");

      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
      buffer.resize(full_blocks + offset);
      update(buffer, offset);

      cipher().decrypt(last.data());

      xor_buf(last.data(), &last[BS], final_bytes - BS);

      for(size_t i = 0; i != final_bytes - BS; ++i)
         std::swap(last[i], last[i + BS]);

      cipher().decrypt(last.data());
      xor_buf(last.data(), state_ptr(), BS);

      buffer += last;
      }
   }

}

Coverage Report

Created: 2023-02-22 06:14

Line	Count	Source (jump to first uncovered line)
1		/*
2		* CBC Mode
3		* (C) 1999-2007,2013,2017 Jack Lloyd
4		* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5		* (C) 2018 Ribose Inc
6		*
7		* Botan is released under the Simplified BSD License (see license.txt)
8		*/
9
10		#include <botan/internal/cbc.h>
11		#include <botan/internal/mode_pad.h>
12		#include <botan/internal/rounding.h>
13
14		namespace Botan {
15
16		CBC_Mode::CBC_Mode(std::unique_ptr<BlockCipher> cipher,
17		std::unique_ptr<BlockCipherModePaddingMethod> padding) :
18		m_cipher(std::move(cipher)),
19		m_padding(std::move(padding)),
20		m_block_size(m_cipher->block_size())
21	0	{
22	0	if(m_padding && !m_padding->valid_blocksize(m_block_size))
23	0	throw Invalid_Argument("Padding " + m_padding->name() +
24	0	" cannot be used with " +
25	0	m_cipher->name() + "/CBC");
26	0	}
27
28		void CBC_Mode::clear()
29	0	{
30	0	m_cipher->clear();
31	0	reset();
32	0	}
33
34		void CBC_Mode::reset()
35	0	{
36	0	m_state.clear();
37	0	}
38
39		std::string CBC_Mode::name() const
40	0	{
41	0	if(m_padding)
42	0	return cipher().name() + "/CBC/" + padding().name();
43	0	else
44	0	return cipher().name() + "/CBC/CTS";
45	0	}
46
47		size_t CBC_Mode::update_granularity() const
48	0	{
49	0	return cipher().block_size();
50	0	}
51
52		size_t CBC_Mode::ideal_granularity() const
53	0	{
54	0	return cipher().parallel_bytes();
55	0	}
56
57		Key_Length_Specification CBC_Mode::key_spec() const
58	0	{
59	0	return cipher().key_spec();
60	0	}
61
62		size_t CBC_Mode::default_nonce_length() const
63	0	{
64	0	return block_size();
65	0	}
66
67		bool CBC_Mode::valid_nonce_length(size_t n) const
68	0	{
69	0	return (n == 0 \|\| n == block_size());
70	0	}
71
72		bool CBC_Mode::has_keying_material() const
73	0	{
74	0	return m_cipher->has_keying_material();
75	0	}
76
77		void CBC_Mode::key_schedule(const uint8_t key[], size_t length)
78	0	{
79	0	m_cipher->set_key(key, length);
80	0	m_state.clear();
81	0	}
82
83		void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
84	0	{
85	0	if(!valid_nonce_length(nonce_len))
86	0	throw Invalid_IV_Length(name(), nonce_len);
87
88		/*
89		* A nonce of zero length means carry the last ciphertext value over
90		* as the new IV, as unfortunately some protocols require this. If
91		* this is the first message then we use an IV of all zeros.
92		*/
93	0	if(nonce_len)
94	0	m_state.assign(nonce, nonce + nonce_len);
95	0	else if(m_state.empty())
96	0	m_state.resize(m_cipher->block_size());
97		// else leave the state alone
98	0	}
99
100		size_t CBC_Encryption::minimum_final_size() const
101	0	{
102	0	return 0;
103	0	}
104
105		size_t CBC_Encryption::output_length(size_t input_length) const
106	0	{
107	0	if(input_length == 0)
108	0	return block_size();
109	0	else
110	0	return round_up(input_length, block_size());
111	0	}
112
113		size_t CBC_Encryption::process(uint8_t buf[], size_t sz)
114	0	{
115	0	BOTAN_STATE_CHECK(state().empty() == false);
116	0	const size_t BS = block_size();
117
118	0	BOTAN_ARG_CHECK(sz % BS == 0, "CBC input is not full blocks");
119	0	const size_t blocks = sz / BS;
120
121	0	if(blocks > 0)
122	0	{
123	0	xor_buf(&buf[0], state_ptr(), BS);
124	0	cipher().encrypt(&buf[0]);
125
126	0	for(size_t i = 1; i != blocks; ++i)
127	0	{
128	0	xor_buf(&buf[BSi], &buf[BS(i-1)], BS);
129	0	cipher().encrypt(&buf[BS*i]);
130	0	}
131
132	0	state().assign(&buf[BS(blocks-1)], &buf[BSblocks]);
133	0	}
134
135	0	return sz;
136	0	}
137
138		void CBC_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
139	0	{
140	0	BOTAN_STATE_CHECK(state().empty() == false);
141	0	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
142
143	0	const size_t BS = block_size();
144
145	0	const size_t bytes_in_final_block = (buffer.size()-offset) % BS;
146
147	0	padding().add_padding(buffer, bytes_in_final_block, BS);
148
149	0	BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");
150
151	0	update(buffer, offset);
152	0	}
153
154		bool CTS_Encryption::valid_nonce_length(size_t n) const
155	0	{
156	0	return (n == block_size());
157	0	}
158
159		size_t CTS_Encryption::minimum_final_size() const
160	0	{
161	0	return block_size() + 1;
162	0	}
163
164		size_t CTS_Encryption::output_length(size_t input_length) const
165	0	{
166	0	return input_length; // no ciphertext expansion in CTS
167	0	}
168
169		void CTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
170	0	{
171	0	BOTAN_STATE_CHECK(state().empty() == false);
172	0	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
173	0	uint8_t* buf = buffer.data() + offset;
174	0	const size_t sz = buffer.size() - offset;
175
176	0	const size_t BS = block_size();
177
178	0	if(sz < BS + 1)
179	0	throw Encoding_Error(name() + ": insufficient data to encrypt");
180
181	0	if(sz % BS == 0)
182	0	{
183	0	update(buffer, offset);
184
185		// swap last two blocks
186	0	for(size_t i = 0; i != BS; ++i)
187	0	std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
188	0	}
189	0	else
190	0	{
191	0	const size_t full_blocks = ((sz / BS) - 1) * BS;
192	0	const size_t final_bytes = sz - full_blocks;
193	0	BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
194
195	0	secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
196	0	buffer.resize(full_blocks + offset);
197	0	update(buffer, offset);
198
199	0	xor_buf(last.data(), state_ptr(), BS);
200	0	cipher().encrypt(last.data());
201
202	0	for(size_t i = 0; i != final_bytes - BS; ++i)
203	0	{
204	0	last[i] ^= last[i + BS];
205	0	last[i + BS] ^= last[i];
206	0	}
207
208	0	cipher().encrypt(last.data());
209
210	0	buffer += last;
211	0	}
212	0	}
213
214		size_t CBC_Decryption::output_length(size_t input_length) const
215	0	{
216	0	return input_length; // precise for CTS, worst case otherwise
217	0	}
218
219		size_t CBC_Decryption::minimum_final_size() const
220	0	{
221	0	return block_size();
222	0	}
223
224		size_t CBC_Decryption::process(uint8_t buf[], size_t sz)
225	0	{
226	0	BOTAN_STATE_CHECK(state().empty() == false);
227
228	0	const size_t BS = block_size();
229
230	0	BOTAN_ARG_CHECK(sz % BS == 0, "Input is not full blocks");
231	0	size_t blocks = sz / BS;
232
233	0	while(blocks)
234	0	{
235	0	const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());
236
237	0	cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);
238
239	0	xor_buf(m_tempbuf.data(), state_ptr(), BS);
240	0	xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
241	0	copy_mem(state_ptr(), buf + (to_proc - BS), BS);
242
243	0	copy_mem(buf, m_tempbuf.data(), to_proc);
244
245	0	buf += to_proc;
246	0	blocks -= to_proc / BS;
247	0	}
248
249	0	return sz;
250	0	}
251
252		void CBC_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
253	0	{
254	0	BOTAN_STATE_CHECK(state().empty() == false);
255	0	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
256	0	const size_t sz = buffer.size() - offset;
257
258	0	const size_t BS = block_size();
259
260	0	if(sz == 0 \|\| sz % BS)
261	0	throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");
262
263	0	update(buffer, offset);
264
265	0	const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS);
266	0	buffer.resize(buffer.size() - pad_bytes); // remove padding
267	0	if(pad_bytes == 0 && padding().name() != "NoPadding")
268	0	{
269	0	throw Decoding_Error("Invalid CBC padding");
270	0	}
271	0	}
272
273		void CBC_Decryption::reset()
274	0	{
275	0	CBC_Mode::reset();
276	0	zeroise(m_tempbuf);
277	0	}
278
279		bool CTS_Decryption::valid_nonce_length(size_t n) const
280	0	{
281	0	return (n == block_size());
282	0	}
283
284		size_t CTS_Decryption::minimum_final_size() const
285	0	{
286	0	return block_size() + 1;
287	0	}
288
289		void CTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
290	0	{
291	0	BOTAN_STATE_CHECK(state().empty() == false);
292	0	BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
293	0	const size_t sz = buffer.size() - offset;
294	0	uint8_t* buf = buffer.data() + offset;
295
296	0	const size_t BS = block_size();
297
298	0	if(sz < BS + 1)
299	0	throw Encoding_Error(name() + ": insufficient data to decrypt");
300
301	0	if(sz % BS == 0)
302	0	{
303		// swap last two blocks
304
305	0	for(size_t i = 0; i != BS; ++i)
306	0	std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
307
308	0	update(buffer, offset);
309	0	}
310	0	else
311	0	{
312	0	const size_t full_blocks = ((sz / BS) - 1) * BS;
313	0	const size_t final_bytes = sz - full_blocks;
314	0	BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
315
316	0	secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
317	0	buffer.resize(full_blocks + offset);
318	0	update(buffer, offset);
319
320	0	cipher().decrypt(last.data());
321
322	0	xor_buf(last.data(), &last[BS], final_bytes - BS);
323
324	0	for(size_t i = 0; i != final_bytes - BS; ++i)
325	0	std::swap(last[i], last[i + BS]);
326
327	0	cipher().decrypt(last.data());
328	0	xor_buf(last.data(), state_ptr(), BS);
329
330	0	buffer += last;
331	0	}
332	0	}
333
334		}