Botan 3.9.0
Crypto and TLS for C&
cbc.cpp
Go to the documentation of this file.
1/*
2* CBC Mode
3* (C) 1999-2007,2013,2017 Jack Lloyd
4* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5* (C) 2018 Ribose Inc
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/internal/cbc.h>
11
12#include <botan/mem_ops.h>
13#include <botan/internal/fmt.h>
14#include <botan/internal/mode_pad.h>
15#include <botan/internal/rounding.h>
16
17namespace Botan {
18
19CBC_Mode::CBC_Mode(std::unique_ptr<BlockCipher> cipher, std::unique_ptr<BlockCipherModePaddingMethod> padding) :
20 m_cipher(std::move(cipher)), m_padding(std::move(padding)), m_block_size(m_cipher->block_size()) {
21 if(m_padding && !m_padding->valid_blocksize(m_block_size)) {
22 throw Invalid_Argument(fmt("Padding {} cannot be used with {} in CBC mode", m_padding->name(), m_cipher->name()));
23 }
24}
25
27 m_cipher->clear();
28 reset();
29}
30
32 m_state.clear();
33}
34
35std::string CBC_Mode::name() const {
36 if(m_padding) {
37 return fmt("{}/CBC/{}", cipher().name(), padding().name());
38 } else {
39 return fmt("{}/CBC/CTS", cipher().name());
40 }
41}
42
44 return cipher().block_size();
45}
46
48 return cipher().parallel_bytes();
49}
50
54
56 return block_size();
57}
58
59bool CBC_Mode::valid_nonce_length(size_t n) const {
60 return (n == 0 || n == block_size());
61}
62
64 return m_cipher->has_keying_material();
65}
66
67void CBC_Mode::key_schedule(std::span<const uint8_t> key) {
68 m_cipher->set_key(key);
69 m_state.clear();
70}
71
72void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
73 if(!valid_nonce_length(nonce_len)) {
74 throw Invalid_IV_Length(name(), nonce_len);
75 }
76
77 /*
78 * A nonce of zero length means carry the last ciphertext value over
79 * as the new IV, as unfortunately some protocols require this. If
80 * this is the first message then we use an IV of all zeros.
81 */
82 if(nonce_len > 0) {
83 m_state.assign(nonce, nonce + nonce_len);
84 } else if(m_state.empty()) {
85 m_state.resize(m_cipher->block_size());
86 }
87 // else leave the state alone
88}
89
91 return 0;
92}
93
94size_t CBC_Encryption::output_length(size_t input_length) const {
95 return padding().output_length(input_length, block_size());
96}
97
98size_t CBC_Encryption::process_msg(uint8_t buf[], size_t sz) {
99 BOTAN_STATE_CHECK(state().empty() == false);
100 const size_t BS = block_size();
101
102 BOTAN_ARG_CHECK(sz % BS == 0, "CBC input is not full blocks");
103 const size_t blocks = sz / BS;
104
105 if(blocks > 0) {
106 xor_buf(&buf[0], state_ptr(), BS);
107 cipher().encrypt(&buf[0]);
108
109 for(size_t i = 1; i != blocks; ++i) {
110 xor_buf(&buf[BS * i], &buf[BS * (i - 1)], BS);
111 cipher().encrypt(&buf[BS * i]);
112 }
113
114 state().assign(&buf[BS * (blocks - 1)], &buf[BS * blocks]);
115 }
116
117 return sz;
118}
119
120void CBC_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
121 BOTAN_STATE_CHECK(state().empty() == false);
122 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
123
124 const size_t BS = block_size();
125
126 const size_t output_bytes = padding().output_length(buffer.size(), BS);
127 const size_t bytes_in_final_block = (buffer.size() - offset) % BS;
128 buffer.resize(output_bytes);
129 padding().add_padding(buffer, bytes_in_final_block, BS);
130
131 BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");
132
133 update(buffer, offset);
134}
135
137 return (n == block_size());
138}
139
141 return block_size() + 1;
142}
143
144size_t CTS_Encryption::output_length(size_t input_length) const {
145 return input_length; // no ciphertext expansion in CTS
146}
147
148void CTS_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
149 BOTAN_STATE_CHECK(state().empty() == false);
150 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
151 uint8_t* buf = buffer.data() + offset;
152 const size_t sz = buffer.size() - offset;
153
154 const size_t BS = block_size();
155
156 if(sz < BS + 1) {
157 throw Encoding_Error(name() + ": insufficient data to encrypt");
158 }
159
160 if(sz % BS == 0) {
161 update(buffer, offset);
162
163 // swap last two blocks
164 for(size_t i = 0; i != BS; ++i) {
165 std::swap(buffer[buffer.size() - BS + i], buffer[buffer.size() - 2 * BS + i]);
166 }
167 } else {
168 const size_t full_blocks = ((sz / BS) - 1) * BS;
169 const size_t final_bytes = sz - full_blocks;
170 BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");
171
172 secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
173 buffer.resize(full_blocks + offset);
174 update(buffer, offset);
175
176 xor_buf(last.data(), state_ptr(), BS);
177 cipher().encrypt(last.data());
178
179 for(size_t i = 0; i != final_bytes - BS; ++i) {
180 last[i] ^= last[i + BS];
181 last[i + BS] ^= last[i];
182 }
183
184 cipher().encrypt(last.data());
185
186 buffer += last;
187 }
188}
189
190size_t CBC_Decryption::output_length(size_t input_length) const {
191 return input_length; // precise for CTS, worst case otherwise
192}
193
195 return block_size();
196}
197
198size_t CBC_Decryption::process_msg(uint8_t buf[], size_t sz) {
199 BOTAN_STATE_CHECK(state().empty() == false);
200
201 const size_t BS = block_size();
202
203 BOTAN_ARG_CHECK(sz % BS == 0, "Input is not full blocks");
204 size_t blocks = sz / BS;
205
206 while(blocks > 0) {
207 const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());
208
209 cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);
210
211 xor_buf(m_tempbuf.data(), state_ptr(), BS);
212 xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
213 copy_mem(state_ptr(), buf + (to_proc - BS), BS);
214
215 copy_mem(buf, m_tempbuf.data(), to_proc);
216
217 buf += to_proc;
218 blocks -= to_proc / BS;
219 }
220
221 return sz;
222}
223
224void CBC_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
225 BOTAN_STATE_CHECK(state().empty() == false);
226 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
227 const size_t sz = buffer.size() - offset;
228
229 const size_t BS = block_size();
230
231 if(sz == 0 || sz % BS != 0) {
232 throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");
233 }
234
235 update(buffer, offset);
236
237 const size_t pad_bytes = BS - padding().unpad(std::span{buffer}.last(BS));
238 buffer.resize(buffer.size() - pad_bytes); // remove padding
239 if(pad_bytes == 0 && padding().name() != "NoPadding") {
240 throw Decoding_Error("Invalid CBC padding");
241 }
242}
243
246 zeroise(m_tempbuf);
247}
248
250 return (n == block_size());
251}
252
254 return block_size() + 1;
255}
256
257void CTS_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
258 BOTAN_STATE_CHECK(state().empty() == false);
259 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
260 const size_t sz = buffer.size() - offset;
261 uint8_t* buf = buffer.data() + offset;
262
263 const size_t BS = block_size();
264
265 if(sz < BS + 1) {
266 throw Encoding_Error(name() + ": insufficient data to decrypt");
267 }
268
269 if(sz % BS == 0) {
270 // swap last two blocks
271
272 for(size_t i = 0; i != BS; ++i) {
273 std::swap(buffer[buffer.size() - BS + i], buffer[buffer.size() - 2 * BS + i]);
274 }
275
276 update(buffer, offset);
277 } else {
278 const size_t full_blocks = ((sz / BS) - 1) * BS;
279 const size_t final_bytes = sz - full_blocks;
280 BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");
281
282 secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
283 buffer.resize(full_blocks + offset);
284 update(buffer, offset);
285
286 cipher().decrypt(last.data());
287
288 xor_buf(last.data(), &last[BS], final_bytes - BS);
289
290 for(size_t i = 0; i != final_bytes - BS; ++i) {
291 std::swap(last[i], last[i + BS]);
292 }
293
294 cipher().decrypt(last.data());
295 xor_buf(last.data(), state_ptr(), BS);
296
297 buffer += last;
298 }
299}
300
301} // namespace Botan
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition assert.h:88
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
size_t unpad(std::span< const uint8_t > last_block) const
Definition mode_pad.cpp:54
virtual size_t output_length(size_t input_length, size_t block_size) const
Definition mode_pad.h:66
virtual void add_padding(std::span< uint8_t > buffer, size_t final_block_bytes, size_t block_size) const
Definition mode_pad.cpp:44
void encrypt(const uint8_t in[], uint8_t out[]) const
void decrypt(const uint8_t in[], uint8_t out[]) const
virtual void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const =0
virtual size_t block_size() const =0
size_t parallel_bytes() const
size_t minimum_final_size() const override
Definition cbc.cpp:194
size_t output_length(size_t input_length) const override
Definition cbc.cpp:190
void reset() override
Definition cbc.cpp:244
size_t minimum_final_size() const override
Definition cbc.cpp:90
size_t output_length(size_t input_length) const override
Definition cbc.cpp:94
std::string name() const final
Definition cbc.cpp:35
size_t update_granularity() const final
Definition cbc.cpp:43
size_t ideal_granularity() const final
Definition cbc.cpp:47
const BlockCipherModePaddingMethod & padding() const
Definition cbc.h:47
size_t block_size() const
Definition cbc.h:52
bool valid_nonce_length(size_t n) const override
Definition cbc.cpp:59
CBC_Mode(std::unique_ptr< BlockCipher > cipher, std::unique_ptr< BlockCipherModePaddingMethod > padding)
Definition cbc.cpp:19
void reset() override
Definition cbc.cpp:31
size_t default_nonce_length() const final
Definition cbc.cpp:55
const BlockCipher & cipher() const
Definition cbc.h:45
void clear() final
Definition cbc.cpp:26
secure_vector< uint8_t > & state()
Definition cbc.h:54
uint8_t * state_ptr()
Definition cbc.h:56
Key_Length_Specification key_spec() const final
Definition cbc.cpp:51
bool has_keying_material() const final
Definition cbc.cpp:63
bool valid_nonce_length(size_t n) const override
Definition cbc.cpp:249
size_t minimum_final_size() const override
Definition cbc.cpp:253
size_t output_length(size_t input_length) const override
Definition cbc.cpp:144
size_t minimum_final_size() const override
Definition cbc.cpp:140
bool valid_nonce_length(size_t n) const override
Definition cbc.cpp:136
void update(T &buffer, size_t offset=0)
virtual Key_Length_Specification key_spec() const =0
void zeroise(std::vector< T, Alloc > &vec)
Definition secmem.h:125
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:342
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69