Botan 3.3.0
Crypto and TLS for C&
cbc.cpp
Go to the documentation of this file.
1/*
2* CBC Mode
3* (C) 1999-2007,2013,2017 Jack Lloyd
4* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5* (C) 2018 Ribose Inc
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/internal/cbc.h>
11
12#include <botan/internal/fmt.h>
13#include <botan/internal/mode_pad.h>
14#include <botan/internal/rounding.h>
15
16namespace Botan {
17
18CBC_Mode::CBC_Mode(std::unique_ptr<BlockCipher> cipher, std::unique_ptr<BlockCipherModePaddingMethod> padding) :
19 m_cipher(std::move(cipher)), m_padding(std::move(padding)), m_block_size(m_cipher->block_size()) {
20 if(m_padding && !m_padding->valid_blocksize(m_block_size)) {
21 throw Invalid_Argument(fmt("Padding {} cannot be used with {} in CBC mode", m_padding->name(), m_cipher->name()));
22 }
23}
24
26 m_cipher->clear();
27 reset();
28}
29
31 m_state.clear();
32}
33
34std::string CBC_Mode::name() const {
35 if(m_padding) {
36 return fmt("{}/CBC/{}", cipher().name(), padding().name());
37 } else {
38 return fmt("{}/CBC/CTS", cipher().name());
39 }
40}
41
43 return cipher().block_size();
44}
45
47 return cipher().parallel_bytes();
48}
49
53
55 return block_size();
56}
57
58bool CBC_Mode::valid_nonce_length(size_t n) const {
59 return (n == 0 || n == block_size());
60}
61
63 return m_cipher->has_keying_material();
64}
65
66void CBC_Mode::key_schedule(std::span<const uint8_t> key) {
67 m_cipher->set_key(key);
68 m_state.clear();
69}
70
71void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
72 if(!valid_nonce_length(nonce_len)) {
73 throw Invalid_IV_Length(name(), nonce_len);
74 }
75
76 /*
77 * A nonce of zero length means carry the last ciphertext value over
78 * as the new IV, as unfortunately some protocols require this. If
79 * this is the first message then we use an IV of all zeros.
80 */
81 if(nonce_len) {
82 m_state.assign(nonce, nonce + nonce_len);
83 } else if(m_state.empty()) {
84 m_state.resize(m_cipher->block_size());
85 }
86 // else leave the state alone
87}
88
90 return 0;
91}
92
93size_t CBC_Encryption::output_length(size_t input_length) const {
94 if(input_length == 0) {
95 return block_size();
96 } else {
97 return round_up(input_length, block_size());
98 }
99}
100
101size_t CBC_Encryption::process_msg(uint8_t buf[], size_t sz) {
102 BOTAN_STATE_CHECK(state().empty() == false);
103 const size_t BS = block_size();
104
105 BOTAN_ARG_CHECK(sz % BS == 0, "CBC input is not full blocks");
106 const size_t blocks = sz / BS;
107
108 if(blocks > 0) {
109 xor_buf(&buf[0], state_ptr(), BS);
110 cipher().encrypt(&buf[0]);
111
112 for(size_t i = 1; i != blocks; ++i) {
113 xor_buf(&buf[BS * i], &buf[BS * (i - 1)], BS);
114 cipher().encrypt(&buf[BS * i]);
115 }
116
117 state().assign(&buf[BS * (blocks - 1)], &buf[BS * blocks]);
118 }
119
120 return sz;
121}
122
123void CBC_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
124 BOTAN_STATE_CHECK(state().empty() == false);
125 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
126
127 const size_t BS = block_size();
128
129 const size_t bytes_in_final_block = (buffer.size() - offset) % BS;
130
131 padding().add_padding(buffer, bytes_in_final_block, BS);
132
133 BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");
134
135 update(buffer, offset);
136}
137
139 return (n == block_size());
140}
141
143 return block_size() + 1;
144}
145
146size_t CTS_Encryption::output_length(size_t input_length) const {
147 return input_length; // no ciphertext expansion in CTS
148}
149
150void CTS_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
151 BOTAN_STATE_CHECK(state().empty() == false);
152 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
153 uint8_t* buf = buffer.data() + offset;
154 const size_t sz = buffer.size() - offset;
155
156 const size_t BS = block_size();
157
158 if(sz < BS + 1) {
159 throw Encoding_Error(name() + ": insufficient data to encrypt");
160 }
161
162 if(sz % BS == 0) {
163 update(buffer, offset);
164
165 // swap last two blocks
166 for(size_t i = 0; i != BS; ++i) {
167 std::swap(buffer[buffer.size() - BS + i], buffer[buffer.size() - 2 * BS + i]);
168 }
169 } else {
170 const size_t full_blocks = ((sz / BS) - 1) * BS;
171 const size_t final_bytes = sz - full_blocks;
172 BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");
173
174 secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
175 buffer.resize(full_blocks + offset);
176 update(buffer, offset);
177
178 xor_buf(last.data(), state_ptr(), BS);
179 cipher().encrypt(last.data());
180
181 for(size_t i = 0; i != final_bytes - BS; ++i) {
182 last[i] ^= last[i + BS];
183 last[i + BS] ^= last[i];
184 }
185
186 cipher().encrypt(last.data());
187
188 buffer += last;
189 }
190}
191
192size_t CBC_Decryption::output_length(size_t input_length) const {
193 return input_length; // precise for CTS, worst case otherwise
194}
195
197 return block_size();
198}
199
200size_t CBC_Decryption::process_msg(uint8_t buf[], size_t sz) {
201 BOTAN_STATE_CHECK(state().empty() == false);
202
203 const size_t BS = block_size();
204
205 BOTAN_ARG_CHECK(sz % BS == 0, "Input is not full blocks");
206 size_t blocks = sz / BS;
207
208 while(blocks) {
209 const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());
210
211 cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);
212
213 xor_buf(m_tempbuf.data(), state_ptr(), BS);
214 xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
215 copy_mem(state_ptr(), buf + (to_proc - BS), BS);
216
217 copy_mem(buf, m_tempbuf.data(), to_proc);
218
219 buf += to_proc;
220 blocks -= to_proc / BS;
221 }
222
223 return sz;
224}
225
226void CBC_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
227 BOTAN_STATE_CHECK(state().empty() == false);
228 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
229 const size_t sz = buffer.size() - offset;
230
231 const size_t BS = block_size();
232
233 if(sz == 0 || sz % BS) {
234 throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");
235 }
236
237 update(buffer, offset);
238
239 const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size() - BS], BS);
240 buffer.resize(buffer.size() - pad_bytes); // remove padding
241 if(pad_bytes == 0 && padding().name() != "NoPadding") {
242 throw Decoding_Error("Invalid CBC padding");
243 }
244}
245
248 zeroise(m_tempbuf);
249}
250
252 return (n == block_size());
253}
254
256 return block_size() + 1;
257}
258
259void CTS_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
260 BOTAN_STATE_CHECK(state().empty() == false);
261 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
262 const size_t sz = buffer.size() - offset;
263 uint8_t* buf = buffer.data() + offset;
264
265 const size_t BS = block_size();
266
267 if(sz < BS + 1) {
268 throw Encoding_Error(name() + ": insufficient data to decrypt");
269 }
270
271 if(sz % BS == 0) {
272 // swap last two blocks
273
274 for(size_t i = 0; i != BS; ++i) {
275 std::swap(buffer[buffer.size() - BS + i], buffer[buffer.size() - 2 * BS + i]);
276 }
277
278 update(buffer, offset);
279 } else {
280 const size_t full_blocks = ((sz / BS) - 1) * BS;
281 const size_t final_bytes = sz - full_blocks;
282 BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");
283
284 secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
285 buffer.resize(full_blocks + offset);
286 update(buffer, offset);
287
288 cipher().decrypt(last.data());
289
290 xor_buf(last.data(), &last[BS], final_bytes - BS);
291
292 for(size_t i = 0; i != final_bytes - BS; ++i) {
293 std::swap(last[i], last[i + BS]);
294 }
295
296 cipher().decrypt(last.data());
297 xor_buf(last.data(), state_ptr(), BS);
298
299 buffer += last;
300 }
301}
302
303} // namespace Botan
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:41
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition assert.h:68
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
virtual size_t unpad(const uint8_t block[], size_t len) const =0
virtual void add_padding(secure_vector< uint8_t > &buffer, size_t final_block_bytes, size_t block_size) const =0
void encrypt(const uint8_t in[], uint8_t out[]) const
void decrypt(const uint8_t in[], uint8_t out[]) const
virtual void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const =0
virtual size_t block_size() const =0
size_t parallel_bytes() const
size_t minimum_final_size() const override
Definition cbc.cpp:196
size_t output_length(size_t input_length) const override
Definition cbc.cpp:192
void reset() override
Definition cbc.cpp:246
size_t minimum_final_size() const override
Definition cbc.cpp:89
size_t output_length(size_t input_length) const override
Definition cbc.cpp:93
std::string name() const final
Definition cbc.cpp:34
size_t update_granularity() const final
Definition cbc.cpp:42
size_t ideal_granularity() const final
Definition cbc.cpp:46
const BlockCipherModePaddingMethod & padding() const
Definition cbc.h:46
size_t block_size() const
Definition cbc.h:51
bool valid_nonce_length(size_t n) const override
Definition cbc.cpp:58
CBC_Mode(std::unique_ptr< BlockCipher > cipher, std::unique_ptr< BlockCipherModePaddingMethod > padding)
Definition cbc.cpp:18
void reset() override
Definition cbc.cpp:30
size_t default_nonce_length() const final
Definition cbc.cpp:54
const BlockCipher & cipher() const
Definition cbc.h:44
void clear() final
Definition cbc.cpp:25
secure_vector< uint8_t > & state()
Definition cbc.h:53
uint8_t * state_ptr()
Definition cbc.h:55
Key_Length_Specification key_spec() const final
Definition cbc.cpp:50
bool has_keying_material() const final
Definition cbc.cpp:62
bool valid_nonce_length(size_t n) const override
Definition cbc.cpp:251
size_t minimum_final_size() const override
Definition cbc.cpp:255
size_t output_length(size_t input_length) const override
Definition cbc.cpp:146
size_t minimum_final_size() const override
Definition cbc.cpp:142
bool valid_nonce_length(size_t n) const override
Definition cbc.cpp:138
virtual Key_Length_Specification key_spec() const =0
int(* update)(CTX *, const void *, CC_LONG len)
void zeroise(std::vector< T, Alloc > &vec)
Definition secmem.h:108
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:340
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:146
size_t round_up(size_t n, size_t align_to)
Definition rounding.h:21