doxygen/cbc_8cpp_source.html

/*

* CBC Mode

* (C) 1999-2007,2013,2017 Jack Lloyd

* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity

* (C) 2018 Ribose Inc

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/internal/cbc.h>


#include <botan/mem_ops.h>

#include <botan/internal/fmt.h>

#include <botan/internal/mode_pad.h>

#include <botan/internal/rounding.h>


namespace Botan {


CBC_Mode::CBC_Mode(std::unique_ptr<BlockCipher> cipher, std::unique_ptr<BlockCipherModePaddingMethod> padding) :

      m_cipher(std::move(cipher)), m_padding(std::move(padding)), m_block_size(m_cipher->block_size()) {

   if(m_padding && !m_padding->valid_blocksize(m_block_size)) {

      throw Invalid_Argument(fmt("Padding {} cannot be used with {} in CBC mode", m_padding->name(), m_cipher->name()));

   }

}


void CBC_Mode::clear() {

   m_cipher->clear();

   reset();

}


void CBC_Mode::reset() {

   m_state.clear();

}


std::string CBC_Mode::name() const {

   if(m_padding) {

      return fmt("{}/CBC/{}", cipher().name(), padding().name());

   } else {

      return fmt("{}/CBC/CTS", cipher().name());

   }

}


size_t CBC_Mode::update_granularity() const {

   return cipher().block_size();

}


size_t CBC_Mode::ideal_granularity() const {

   return cipher().parallel_bytes();

}


Key_Length_Specification CBC_Mode::key_spec() const {

   return cipher().key_spec();

}


size_t CBC_Mode::default_nonce_length() const {

   return block_size();

}


bool CBC_Mode::valid_nonce_length(size_t n) const {

   return (n == 0 || n == block_size());

}


bool CBC_Mode::has_keying_material() const {

   return m_cipher->has_keying_material();

}


void CBC_Mode::key_schedule(std::span<const uint8_t> key) {

   m_cipher->set_key(key);

   m_state.clear();

}


void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {

   if(!valid_nonce_length(nonce_len)) {

      throw Invalid_IV_Length(name(), nonce_len);

   }


   /*

   * A nonce of zero length means carry the last ciphertext value over

   * as the new IV, as unfortunately some protocols require this. If

   * this is the first message then we use an IV of all zeros.

   */

   if(nonce_len > 0) {

      m_state.assign(nonce, nonce + nonce_len);

   } else if(m_state.empty()) {

      m_state.resize(m_cipher->block_size());

   }

   // else leave the state alone

}


size_t CBC_Encryption::minimum_final_size() const {

   return 0;

}


size_t CBC_Encryption::output_length(size_t input_length) const {

   return padding().output_length(input_length, block_size());

}


size_t CBC_Encryption::process_msg(uint8_t buf[], size_t sz) {

   BOTAN_STATE_CHECK(state().empty() == false);

   const size_t BS = block_size();


   BOTAN_ARG_CHECK(sz % BS == 0, "CBC input is not full blocks");

   const size_t blocks = sz / BS;


   if(blocks > 0) {

      xor_buf(&buf[0], state_ptr(), BS);

      cipher().encrypt(&buf[0]);


      for(size_t i = 1; i != blocks; ++i) {

         xor_buf(&buf[BS * i], &buf[BS * (i - 1)], BS);

         cipher().encrypt(&buf[BS * i]);

      }


      state().assign(&buf[BS * (blocks - 1)], &buf[BS * blocks]);

   }


   return sz;

}


void CBC_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {

   BOTAN_STATE_CHECK(state().empty() == false);

   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");


   const size_t BS = block_size();


   const size_t output_bytes = padding().output_length(buffer.size(), BS);

   const size_t bytes_in_final_block = (buffer.size() - offset) % BS;

   buffer.resize(output_bytes);

   padding().add_padding(buffer, bytes_in_final_block, BS);


   BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");


   update(buffer, offset);

}


bool CTS_Encryption::valid_nonce_length(size_t n) const {

   return (n == block_size());

}


size_t CTS_Encryption::minimum_final_size() const {

   return block_size() + 1;

}


size_t CTS_Encryption::output_length(size_t input_length) const {

   return input_length;  // no ciphertext expansion in CTS

}


void CTS_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {

   BOTAN_STATE_CHECK(state().empty() == false);

   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

   uint8_t* buf = buffer.data() + offset;

   const size_t sz = buffer.size() - offset;


   const size_t BS = block_size();


   if(sz < BS + 1) {

      throw Encoding_Error(name() + ": insufficient data to encrypt");

   }


   if(sz % BS == 0) {

      update(buffer, offset);


      // swap last two blocks

      for(size_t i = 0; i != BS; ++i) {

         std::swap(buffer[buffer.size() - BS + i], buffer[buffer.size() - 2 * BS + i]);

      }

   } else {

      const size_t full_blocks = ((sz / BS) - 1) * BS;

      const size_t final_bytes = sz - full_blocks;

      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");


      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);

      buffer.resize(full_blocks + offset);

      update(buffer, offset);


      xor_buf(last.data(), state_ptr(), BS);

      cipher().encrypt(last.data());


      for(size_t i = 0; i != final_bytes - BS; ++i) {

         last[i] ^= last[i + BS];

         last[i + BS] ^= last[i];

      }


      cipher().encrypt(last.data());


      buffer += last;

   }

}


size_t CBC_Decryption::output_length(size_t input_length) const {

   return input_length;  // precise for CTS, worst case otherwise

}


size_t CBC_Decryption::minimum_final_size() const {

   return block_size();

}


size_t CBC_Decryption::process_msg(uint8_t buf[], size_t sz) {

   BOTAN_STATE_CHECK(state().empty() == false);


   const size_t BS = block_size();


   BOTAN_ARG_CHECK(sz % BS == 0, "Input is not full blocks");

   size_t blocks = sz / BS;


   while(blocks > 0) {

      const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());


      cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);


      xor_buf(m_tempbuf.data(), state_ptr(), BS);

      xor_buf(&m_tempbuf[BS], buf, to_proc - BS);

      copy_mem(state_ptr(), buf + (to_proc - BS), BS);


      copy_mem(buf, m_tempbuf.data(), to_proc);


      buf += to_proc;

      blocks -= to_proc / BS;

   }


   return sz;

}


void CBC_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {

   BOTAN_STATE_CHECK(state().empty() == false);

   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

   const size_t sz = buffer.size() - offset;


   const size_t BS = block_size();


   if(sz == 0 || sz % BS != 0) {

      throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");

   }


   update(buffer, offset);


   const size_t pad_bytes = BS - padding().unpad(std::span{buffer}.last(BS));

   buffer.resize(buffer.size() - pad_bytes);  // remove padding

   if(pad_bytes == 0 && padding().name() != "NoPadding") {

      throw Decoding_Error("Invalid CBC padding");

   }

}


void CBC_Decryption::reset() {

   CBC_Mode::reset();

   zeroise(m_tempbuf);

}


bool CTS_Decryption::valid_nonce_length(size_t n) const {

   return (n == block_size());

}


size_t CTS_Decryption::minimum_final_size() const {

   return block_size() + 1;

}


void CTS_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {

   BOTAN_STATE_CHECK(state().empty() == false);

   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

   const size_t sz = buffer.size() - offset;

   uint8_t* buf = buffer.data() + offset;


   const size_t BS = block_size();


   if(sz < BS + 1) {

      throw Encoding_Error(name() + ": insufficient data to decrypt");

   }


   if(sz % BS == 0) {

      // swap last two blocks


      for(size_t i = 0; i != BS; ++i) {

         std::swap(buffer[buffer.size() - BS + i], buffer[buffer.size() - 2 * BS + i]);

      }


      update(buffer, offset);

   } else {

      const size_t full_blocks = ((sz / BS) - 1) * BS;

      const size_t final_bytes = sz - full_blocks;

      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");


      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);

      buffer.resize(full_blocks + offset);

      update(buffer, offset);


      cipher().decrypt(last.data());


      xor_buf(last.data(), &last[BS], final_bytes - BS);


      for(size_t i = 0; i != final_bytes - BS; ++i) {

         std::swap(last[i], last[i + BS]);

      }


      cipher().decrypt(last.data());

      xor_buf(last.data(), state_ptr(), BS);


      buffer += last;

   }

}


}  // namespace Botan

BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49

BOTAN_ASSERT_EQUAL
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition assert.h:88

BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33

BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62

Botan::BlockCipherModePaddingMethod::unpad
size_t unpad(std::span< const uint8_t > last_block) const
Definition mode_pad.cpp:54

Botan::BlockCipherModePaddingMethod::output_length
virtual size_t output_length(size_t input_length, size_t block_size) const
Definition mode_pad.h:66

Botan::BlockCipherModePaddingMethod::add_padding
virtual void add_padding(std::span< uint8_t > buffer, size_t final_block_bytes, size_t block_size) const
Definition mode_pad.cpp:44

Botan::BlockCipher::encrypt
void encrypt(const uint8_t in[], uint8_t out[]) const
Definition block_cipher.h:82

Botan::BlockCipher::decrypt
void decrypt(const uint8_t in[], uint8_t out[]) const
Definition block_cipher.h:91

Botan::BlockCipher::decrypt_n
virtual void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const =0

Botan::BlockCipher::block_size
virtual size_t block_size() const =0

Botan::BlockCipher::parallel_bytes
size_t parallel_bytes() const
Definition block_cipher.h:67

Botan::CBC_Decryption::minimum_final_size
size_t minimum_final_size() const override
Definition cbc.cpp:194

Botan::CBC_Decryption::output_length
size_t output_length(size_t input_length) const override
Definition cbc.cpp:190

Botan::CBC_Decryption::reset
void reset() override
Definition cbc.cpp:244

Botan::CBC_Encryption::minimum_final_size
size_t minimum_final_size() const override
Definition cbc.cpp:90

Botan::CBC_Encryption::output_length
size_t output_length(size_t input_length) const override
Definition cbc.cpp:94

Botan::CBC_Mode::name
std::string name() const final
Definition cbc.cpp:35

Botan::CBC_Mode::update_granularity
size_t update_granularity() const final
Definition cbc.cpp:43

Botan::CBC_Mode::ideal_granularity
size_t ideal_granularity() const final
Definition cbc.cpp:47

Botan::CBC_Mode::padding
const BlockCipherModePaddingMethod & padding() const
Definition cbc.h:47

Botan::CBC_Mode::block_size
size_t block_size() const
Definition cbc.h:52

Botan::CBC_Mode::valid_nonce_length
bool valid_nonce_length(size_t n) const override
Definition cbc.cpp:59

Botan::CBC_Mode::CBC_Mode
CBC_Mode(std::unique_ptr< BlockCipher > cipher, std::unique_ptr< BlockCipherModePaddingMethod > padding)
Definition cbc.cpp:19

Botan::CBC_Mode::reset
void reset() override
Definition cbc.cpp:31

Botan::CBC_Mode::default_nonce_length
size_t default_nonce_length() const final
Definition cbc.cpp:55

Botan::CBC_Mode::cipher
const BlockCipher & cipher() const
Definition cbc.h:45

Botan::CBC_Mode::clear
void clear() final
Definition cbc.cpp:26

Botan::CBC_Mode::state
secure_vector< uint8_t > & state()
Definition cbc.h:54

Botan::CBC_Mode::state_ptr
uint8_t * state_ptr()
Definition cbc.h:56

Botan::CBC_Mode::key_spec
Key_Length_Specification key_spec() const final
Definition cbc.cpp:51

Botan::CBC_Mode::has_keying_material
bool has_keying_material() const final
Definition cbc.cpp:63

Botan::CTS_Decryption::valid_nonce_length
bool valid_nonce_length(size_t n) const override
Definition cbc.cpp:249

Botan::CTS_Decryption::minimum_final_size
size_t minimum_final_size() const override
Definition cbc.cpp:253

Botan::CTS_Encryption::output_length
size_t output_length(size_t input_length) const override
Definition cbc.cpp:144

Botan::CTS_Encryption::minimum_final_size
size_t minimum_final_size() const override
Definition cbc.cpp:140

Botan::CTS_Encryption::valid_nonce_length
bool valid_nonce_length(size_t n) const override
Definition cbc.cpp:136

Botan::Cipher_Mode::update
void update(T &buffer, size_t offset=0)
Definition cipher_mode.h:149

Botan::Encoding_Error
Definition exceptn.h:181

Botan::Key_Length_Specification
Definition sym_algo.h:23

Botan::SymmetricAlgorithm::key_spec
virtual Key_Length_Specification key_spec() const =0

Botan
Definition alg_id.cpp:13

Botan::zeroise
void zeroise(std::vector< T, Alloc > &vec)
Definition secmem.h:125

Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145

Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

Botan::xor_buf
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:342

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69