Botan 2.19.2
Crypto and TLS for C&
cbc.cpp
Go to the documentation of this file.
1/*
2* CBC Mode
3* (C) 1999-2007,2013,2017 Jack Lloyd
4* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5* (C) 2018 Ribose Inc
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/cbc.h>
11#include <botan/mode_pad.h>
12#include <botan/internal/rounding.h>
13
14namespace Botan {
15
17 m_cipher(cipher),
18 m_padding(padding),
19 m_block_size(cipher->block_size())
20 {
21 if(m_padding && !m_padding->valid_blocksize(m_block_size))
22 throw Invalid_Argument("Padding " + m_padding->name() +
23 " cannot be used with " +
24 cipher->name() + "/CBC");
25 }
26
28 {
29 m_cipher->clear();
30 reset();
31 }
32
34 {
35 m_state.clear();
36 }
37
38std::string CBC_Mode::name() const
39 {
40 if(m_padding)
41 return cipher().name() + "/CBC/" + padding().name();
42 else
43 return cipher().name() + "/CBC/CTS";
44 }
45
47 {
48 return cipher().parallel_bytes();
49 }
50
52 {
53 return cipher().key_spec();
54 }
55
57 {
58 return block_size();
59 }
60
61bool CBC_Mode::valid_nonce_length(size_t n) const
62 {
63 return (n == 0 || n == block_size());
64 }
65
66void CBC_Mode::key_schedule(const uint8_t key[], size_t length)
67 {
68 m_cipher->set_key(key, length);
69 m_state.clear();
70 }
71
72void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
73 {
74 if(!valid_nonce_length(nonce_len))
75 throw Invalid_IV_Length(name(), nonce_len);
76
77 /*
78 * A nonce of zero length means carry the last ciphertext value over
79 * as the new IV, as unfortunately some protocols require this. If
80 * this is the first message then we use an IV of all zeros.
81 */
82 if(nonce_len)
83 m_state.assign(nonce, nonce + nonce_len);
84 else if(m_state.empty())
85 m_state.resize(m_cipher->block_size());
86 // else leave the state alone
87 }
88
90 {
91 return 0;
92 }
93
94size_t CBC_Encryption::output_length(size_t input_length) const
95 {
96 if(input_length == 0)
97 return block_size();
98 else
99 return round_up(input_length, block_size());
100 }
101
102size_t CBC_Encryption::process(uint8_t buf[], size_t sz)
103 {
104 BOTAN_STATE_CHECK(state().empty() == false);
105 const size_t BS = block_size();
106
107 BOTAN_ASSERT(sz % BS == 0, "CBC input is full blocks");
108 const size_t blocks = sz / BS;
109
110 if(blocks > 0)
111 {
112 xor_buf(&buf[0], state_ptr(), BS);
113 cipher().encrypt(&buf[0]);
114
115 for(size_t i = 1; i != blocks; ++i)
116 {
117 xor_buf(&buf[BS*i], &buf[BS*(i-1)], BS);
118 cipher().encrypt(&buf[BS*i]);
119 }
120
121 state().assign(&buf[BS*(blocks-1)], &buf[BS*blocks]);
122 }
123
124 return sz;
125 }
126
128 {
129 BOTAN_STATE_CHECK(state().empty() == false);
130 BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
131
132 const size_t BS = block_size();
133
134 const size_t bytes_in_final_block = (buffer.size()-offset) % BS;
135
136 padding().add_padding(buffer, bytes_in_final_block, BS);
137
138 BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");
139
140 update(buffer, offset);
141 }
142
144 {
145 return (n == block_size());
146 }
147
149 {
150 return block_size() + 1;
151 }
152
153size_t CTS_Encryption::output_length(size_t input_length) const
154 {
155 return input_length; // no ciphertext expansion in CTS
156 }
157
159 {
160 BOTAN_STATE_CHECK(state().empty() == false);
161 BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
162 uint8_t* buf = buffer.data() + offset;
163 const size_t sz = buffer.size() - offset;
164
165 const size_t BS = block_size();
166
167 if(sz < BS + 1)
168 throw Encoding_Error(name() + ": insufficient data to encrypt");
169
170 if(sz % BS == 0)
171 {
172 update(buffer, offset);
173
174 // swap last two blocks
175 for(size_t i = 0; i != BS; ++i)
176 std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
177 }
178 else
179 {
180 const size_t full_blocks = ((sz / BS) - 1) * BS;
181 const size_t final_bytes = sz - full_blocks;
182 BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
183
184 secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
185 buffer.resize(full_blocks + offset);
186 update(buffer, offset);
187
188 xor_buf(last.data(), state_ptr(), BS);
189 cipher().encrypt(last.data());
190
191 for(size_t i = 0; i != final_bytes - BS; ++i)
192 {
193 last[i] ^= last[i + BS];
194 last[i + BS] ^= last[i];
195 }
196
197 cipher().encrypt(last.data());
198
199 buffer += last;
200 }
201 }
202
203size_t CBC_Decryption::output_length(size_t input_length) const
204 {
205 return input_length; // precise for CTS, worst case otherwise
206 }
207
209 {
210 return block_size();
211 }
212
213size_t CBC_Decryption::process(uint8_t buf[], size_t sz)
214 {
215 BOTAN_STATE_CHECK(state().empty() == false);
216
217 const size_t BS = block_size();
218
219 BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
220 size_t blocks = sz / BS;
221
222 while(blocks)
223 {
224 const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());
225
226 cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);
227
228 xor_buf(m_tempbuf.data(), state_ptr(), BS);
229 xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
230 copy_mem(state_ptr(), buf + (to_proc - BS), BS);
231
232 copy_mem(buf, m_tempbuf.data(), to_proc);
233
234 buf += to_proc;
235 blocks -= to_proc / BS;
236 }
237
238 return sz;
239 }
240
242 {
243 BOTAN_STATE_CHECK(state().empty() == false);
244 BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
245 const size_t sz = buffer.size() - offset;
246
247 const size_t BS = block_size();
248
249 if(sz == 0 || sz % BS)
250 throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");
251
252 update(buffer, offset);
253
254 const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS);
255 buffer.resize(buffer.size() - pad_bytes); // remove padding
256 if(pad_bytes == 0 && padding().name() != "NoPadding")
257 {
258 throw Decoding_Error("Invalid CBC padding");
259 }
260 }
261
263 {
265 zeroise(m_tempbuf);
266 }
267
269 {
270 return (n == block_size());
271 }
272
274 {
275 return block_size() + 1;
276 }
277
279 {
280 BOTAN_STATE_CHECK(state().empty() == false);
281 BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
282 const size_t sz = buffer.size() - offset;
283 uint8_t* buf = buffer.data() + offset;
284
285 const size_t BS = block_size();
286
287 if(sz < BS + 1)
288 throw Encoding_Error(name() + ": insufficient data to decrypt");
289
290 if(sz % BS == 0)
291 {
292 // swap last two blocks
293
294 for(size_t i = 0; i != BS; ++i)
295 std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
296
297 update(buffer, offset);
298 }
299 else
300 {
301 const size_t full_blocks = ((sz / BS) - 1) * BS;
302 const size_t final_bytes = sz - full_blocks;
303 BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
304
305 secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
306 buffer.resize(full_blocks + offset);
307 update(buffer, offset);
308
309 cipher().decrypt(last.data());
310
311 xor_buf(last.data(), &last[BS], final_bytes - BS);
312
313 for(size_t i = 0; i != final_bytes - BS; ++i)
314 std::swap(last[i], last[i + BS]);
315
316 cipher().decrypt(last.data());
317 xor_buf(last.data(), state_ptr(), BS);
318
319 buffer += last;
320 }
321 }
322
323}
#define BOTAN_STATE_CHECK(expr)
Definition: assert.h:49
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition: assert.h:81
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
virtual std::string name() const =0
virtual size_t unpad(const uint8_t block[], size_t len) const =0
virtual void add_padding(secure_vector< uint8_t > &buffer, size_t final_block_bytes, size_t block_size) const =0
void encrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:82
void decrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:92
virtual void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const =0
size_t parallel_bytes() const
Definition: block_cipher.h:64
size_t minimum_final_size() const override
Definition: cbc.cpp:208
size_t process(uint8_t buf[], size_t size) override
Definition: cbc.cpp:213
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: cbc.cpp:241
size_t output_length(size_t input_length) const override
Definition: cbc.cpp:203
void reset() override
Definition: cbc.cpp:262
size_t minimum_final_size() const override
Definition: cbc.cpp:89
size_t output_length(size_t input_length) const override
Definition: cbc.cpp:94
size_t process(uint8_t buf[], size_t size) override
Definition: cbc.cpp:102
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: cbc.cpp:127
size_t default_nonce_length() const override
Definition: cbc.cpp:56
const BlockCipherModePaddingMethod & padding() const
Definition: cbc.h:45
size_t block_size() const
Definition: cbc.h:51
bool valid_nonce_length(size_t n) const override
Definition: cbc.cpp:61
CBC_Mode(BlockCipher *cipher, BlockCipherModePaddingMethod *padding)
Definition: cbc.cpp:16
void reset() override
Definition: cbc.cpp:33
const BlockCipher & cipher() const
Definition: cbc.h:43
size_t update_granularity() const override
Definition: cbc.cpp:46
void clear() override
Definition: cbc.cpp:27
secure_vector< uint8_t > & state()
Definition: cbc.h:53
std::string name() const override
Definition: cbc.cpp:38
uint8_t * state_ptr()
Definition: cbc.h:55
Key_Length_Specification key_spec() const override
Definition: cbc.cpp:51
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: cbc.cpp:278
bool valid_nonce_length(size_t n) const override
Definition: cbc.cpp:268
size_t minimum_final_size() const override
Definition: cbc.cpp:273
size_t output_length(size_t input_length) const override
Definition: cbc.cpp:153
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: cbc.cpp:158
size_t minimum_final_size() const override
Definition: cbc.cpp:148
bool valid_nonce_length(size_t n) const override
Definition: cbc.cpp:143
void update(secure_vector< uint8_t > &buffer, size_t offset=0)
Definition: cipher_mode.h:112
virtual std::string name() const =0
virtual Key_Length_Specification key_spec() const =0
Definition: alg_id.cpp:13
void zeroise(std::vector< T, Alloc > &vec)
Definition: secmem.h:114
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:262
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
size_t round_up(size_t n, size_t align_to)
Definition: rounding.h:21