Botan  2.18.1
Crypto and TLS for C++11
cbc.cpp
Go to the documentation of this file.
1 /*
2 * CBC Mode
3 * (C) 1999-2007,2013,2017 Jack Lloyd
4 * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5 * (C) 2018 Ribose Inc
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/cbc.h>
11 #include <botan/mode_pad.h>
12 #include <botan/internal/rounding.h>
13 
14 namespace Botan {
15 
17  m_cipher(cipher),
18  m_padding(padding),
19  m_block_size(cipher->block_size())
20  {
21  if(m_padding && !m_padding->valid_blocksize(m_block_size))
22  throw Invalid_Argument("Padding " + m_padding->name() +
23  " cannot be used with " +
24  cipher->name() + "/CBC");
25  }
26 
28  {
29  m_cipher->clear();
30  reset();
31  }
32 
34  {
35  m_state.clear();
36  }
37 
38 std::string CBC_Mode::name() const
39  {
40  if(m_padding)
41  return cipher().name() + "/CBC/" + padding().name();
42  else
43  return cipher().name() + "/CBC/CTS";
44  }
45 
47  {
48  return cipher().parallel_bytes();
49  }
50 
52  {
53  return cipher().key_spec();
54  }
55 
57  {
58  return block_size();
59  }
60 
61 bool CBC_Mode::valid_nonce_length(size_t n) const
62  {
63  return (n == 0 || n == block_size());
64  }
65 
66 void CBC_Mode::key_schedule(const uint8_t key[], size_t length)
67  {
68  m_cipher->set_key(key, length);
69  m_state.clear();
70  }
71 
72 void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
73  {
74  if(!valid_nonce_length(nonce_len))
75  throw Invalid_IV_Length(name(), nonce_len);
76 
77  /*
78  * A nonce of zero length means carry the last ciphertext value over
79  * as the new IV, as unfortunately some protocols require this. If
80  * this is the first message then we use an IV of all zeros.
81  */
82  if(nonce_len)
83  m_state.assign(nonce, nonce + nonce_len);
84  else if(m_state.empty())
85  m_state.resize(m_cipher->block_size());
86  // else leave the state alone
87  }
88 
90  {
91  return 0;
92  }
93 
94 size_t CBC_Encryption::output_length(size_t input_length) const
95  {
96  if(input_length == 0)
97  return block_size();
98  else
99  return round_up(input_length, block_size());
100  }
101 
102 size_t CBC_Encryption::process(uint8_t buf[], size_t sz)
103  {
104  BOTAN_STATE_CHECK(state().empty() == false);
105  const size_t BS = block_size();
106 
107  BOTAN_ASSERT(sz % BS == 0, "CBC input is full blocks");
108  const size_t blocks = sz / BS;
109 
110  if(blocks > 0)
111  {
112  xor_buf(&buf[0], state_ptr(), BS);
113  cipher().encrypt(&buf[0]);
114 
115  for(size_t i = 1; i != blocks; ++i)
116  {
117  xor_buf(&buf[BS*i], &buf[BS*(i-1)], BS);
118  cipher().encrypt(&buf[BS*i]);
119  }
120 
121  state().assign(&buf[BS*(blocks-1)], &buf[BS*blocks]);
122  }
123 
124  return sz;
125  }
126 
127 void CBC_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
128  {
129  BOTAN_STATE_CHECK(state().empty() == false);
130  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
131 
132  const size_t BS = block_size();
133 
134  const size_t bytes_in_final_block = (buffer.size()-offset) % BS;
135 
136  padding().add_padding(buffer, bytes_in_final_block, BS);
137 
138  BOTAN_ASSERT_EQUAL(buffer.size() % BS, offset % BS, "Padded to block boundary");
139 
140  update(buffer, offset);
141  }
142 
144  {
145  return (n == block_size());
146  }
147 
149  {
150  return block_size() + 1;
151  }
152 
153 size_t CTS_Encryption::output_length(size_t input_length) const
154  {
155  return input_length; // no ciphertext expansion in CTS
156  }
157 
158 void CTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
159  {
160  BOTAN_STATE_CHECK(state().empty() == false);
161  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
162  uint8_t* buf = buffer.data() + offset;
163  const size_t sz = buffer.size() - offset;
164 
165  const size_t BS = block_size();
166 
167  if(sz < BS + 1)
168  throw Encoding_Error(name() + ": insufficient data to encrypt");
169 
170  if(sz % BS == 0)
171  {
172  update(buffer, offset);
173 
174  // swap last two blocks
175  for(size_t i = 0; i != BS; ++i)
176  std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
177  }
178  else
179  {
180  const size_t full_blocks = ((sz / BS) - 1) * BS;
181  const size_t final_bytes = sz - full_blocks;
182  BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
183 
184  secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
185  buffer.resize(full_blocks + offset);
186  update(buffer, offset);
187 
188  xor_buf(last.data(), state_ptr(), BS);
189  cipher().encrypt(last.data());
190 
191  for(size_t i = 0; i != final_bytes - BS; ++i)
192  {
193  last[i] ^= last[i + BS];
194  last[i + BS] ^= last[i];
195  }
196 
197  cipher().encrypt(last.data());
198 
199  buffer += last;
200  }
201  }
202 
203 size_t CBC_Decryption::output_length(size_t input_length) const
204  {
205  return input_length; // precise for CTS, worst case otherwise
206  }
207 
209  {
210  return block_size();
211  }
212 
213 size_t CBC_Decryption::process(uint8_t buf[], size_t sz)
214  {
215  BOTAN_STATE_CHECK(state().empty() == false);
216 
217  const size_t BS = block_size();
218 
219  BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
220  size_t blocks = sz / BS;
221 
222  while(blocks)
223  {
224  const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());
225 
226  cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);
227 
228  xor_buf(m_tempbuf.data(), state_ptr(), BS);
229  xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
230  copy_mem(state_ptr(), buf + (to_proc - BS), BS);
231 
232  copy_mem(buf, m_tempbuf.data(), to_proc);
233 
234  buf += to_proc;
235  blocks -= to_proc / BS;
236  }
237 
238  return sz;
239  }
240 
241 void CBC_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
242  {
243  BOTAN_STATE_CHECK(state().empty() == false);
244  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
245  const size_t sz = buffer.size() - offset;
246 
247  const size_t BS = block_size();
248 
249  if(sz == 0 || sz % BS)
250  throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");
251 
252  update(buffer, offset);
253 
254  const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS);
255  buffer.resize(buffer.size() - pad_bytes); // remove padding
256  if(pad_bytes == 0 && padding().name() != "NoPadding")
257  {
258  throw Decoding_Error("Invalid CBC padding");
259  }
260  }
261 
263  {
264  CBC_Mode::reset();
265  zeroise(m_tempbuf);
266  }
267 
269  {
270  return (n == block_size());
271  }
272 
274  {
275  return block_size() + 1;
276  }
277 
278 void CTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
279  {
280  BOTAN_STATE_CHECK(state().empty() == false);
281  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
282  const size_t sz = buffer.size() - offset;
283  uint8_t* buf = buffer.data() + offset;
284 
285  const size_t BS = block_size();
286 
287  if(sz < BS + 1)
288  throw Encoding_Error(name() + ": insufficient data to decrypt");
289 
290  if(sz % BS == 0)
291  {
292  // swap last two blocks
293 
294  for(size_t i = 0; i != BS; ++i)
295  std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
296 
297  update(buffer, offset);
298  }
299  else
300  {
301  const size_t full_blocks = ((sz / BS) - 1) * BS;
302  const size_t final_bytes = sz - full_blocks;
303  BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
304 
305  secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
306  buffer.resize(full_blocks + offset);
307  update(buffer, offset);
308 
309  cipher().decrypt(last.data());
310 
311  xor_buf(last.data(), &last[BS], final_bytes - BS);
312 
313  for(size_t i = 0; i != final_bytes - BS; ++i)
314  std::swap(last[i], last[i + BS]);
315 
316  cipher().decrypt(last.data());
317  xor_buf(last.data(), state_ptr(), BS);
318 
319  buffer += last;
320  }
321  }
322 
323 }
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: cbc.cpp:158
secure_vector< uint8_t > & state()
Definition: cbc.h:53
Key_Length_Specification key_spec() const override
Definition: cbc.cpp:51
size_t parallel_bytes() const
Definition: block_cipher.h:64
void clear() override
Definition: cbc.cpp:27
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: cbc.cpp:241
std::string name() const override
Definition: cbc.cpp:38
virtual size_t unpad(const uint8_t block[], size_t len) const =0
const BlockCipherModePaddingMethod & padding() const
Definition: cbc.h:45
bool valid_nonce_length(size_t n) const override
Definition: cbc.cpp:61
virtual void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const =0
size_t update_granularity() const override
Definition: cbc.cpp:46
CBC_Mode(BlockCipher *cipher, BlockCipherModePaddingMethod *padding)
Definition: cbc.cpp:16
void update(secure_vector< uint8_t > &buffer, size_t offset=0)
Definition: cipher_mode.h:112
#define BOTAN_STATE_CHECK(expr)
Definition: assert.h:49
void decrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:92
size_t default_nonce_length() const override
Definition: cbc.cpp:56
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
size_t minimum_final_size() const override
Definition: cbc.cpp:208
bool valid_nonce_length(size_t n) const override
Definition: cbc.cpp:143
void reset() override
Definition: cbc.cpp:262
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:262
virtual std::string name() const =0
void reset() override
Definition: cbc.cpp:33
size_t output_length(size_t input_length) const override
Definition: cbc.cpp:203
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition: assert.h:81
uint8_t * state_ptr()
Definition: cbc.h:55
size_t process(uint8_t buf[], size_t size) override
Definition: cbc.cpp:102
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
Definition: alg_id.cpp:13
size_t block_size() const
Definition: cbc.h:51
void encrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:82
virtual Key_Length_Specification key_spec() const =0
virtual void add_padding(secure_vector< uint8_t > &buffer, size_t final_block_bytes, size_t block_size) const =0
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: cbc.cpp:127
size_t minimum_final_size() const override
Definition: cbc.cpp:89
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: cbc.cpp:278
const BlockCipher & cipher() const
Definition: cbc.h:43
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
size_t minimum_final_size() const override
Definition: cbc.cpp:148
size_t output_length(size_t input_length) const override
Definition: cbc.cpp:153
size_t round_up(size_t n, size_t align_to)
Definition: rounding.h:21
virtual std::string name() const =0
size_t output_length(size_t input_length) const override
Definition: cbc.cpp:94
size_t process(uint8_t buf[], size_t size) override
Definition: cbc.cpp:213
bool valid_nonce_length(size_t n) const override
Definition: cbc.cpp:268
size_t minimum_final_size() const override
Definition: cbc.cpp:273
void zeroise(std::vector< T, Alloc > &vec)
Definition: secmem.h:117