Botan  2.7.0
Crypto and TLS for C++11
cbc.cpp
Go to the documentation of this file.
1 /*
2 * CBC Mode
3 * (C) 1999-2007,2013,2017 Jack Lloyd
4 * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/cbc.h>
10 #include <botan/mode_pad.h>
11 #include <botan/internal/rounding.h>
12 
13 namespace Botan {
14 
16  m_cipher(cipher),
17  m_padding(padding),
18  m_state(m_cipher->block_size())
19  {
20  if(m_padding && !m_padding->valid_blocksize(cipher->block_size()))
21  throw Invalid_Argument("Padding " + m_padding->name() +
22  " cannot be used with " +
23  cipher->name() + "/CBC");
24  }
25 
27  {
28  m_cipher->clear();
29  reset();
30  }
31 
33  {
34  zeroise(m_state);
35  }
36 
37 std::string CBC_Mode::name() const
38  {
39  if(m_padding)
40  return cipher().name() + "/CBC/" + padding().name();
41  else
42  return cipher().name() + "/CBC/CTS";
43  }
44 
46  {
47  return cipher().parallel_bytes();
48  }
49 
51  {
52  return cipher().key_spec();
53  }
54 
56  {
57  return block_size();
58  }
59 
60 bool CBC_Mode::valid_nonce_length(size_t n) const
61  {
62  return (n == 0 || n == block_size());
63  }
64 
65 void CBC_Mode::key_schedule(const uint8_t key[], size_t length)
66  {
67  m_cipher->set_key(key, length);
68  }
69 
70 void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
71  {
72  if(!valid_nonce_length(nonce_len))
73  throw Invalid_IV_Length(name(), nonce_len);
74 
75  /*
76  * A nonce of zero length means carry the last ciphertext value over
77  * as the new IV, as unfortunately some protocols require this. If
78  * this is the first message then we use an IV of all zeros.
79  */
80  if(nonce_len)
81  m_state.assign(nonce, nonce + nonce_len);
82  }
83 
85  {
86  return 0;
87  }
88 
89 size_t CBC_Encryption::output_length(size_t input_length) const
90  {
91  if(input_length == 0)
92  return block_size();
93  else
94  return round_up(input_length, block_size());
95  }
96 
97 size_t CBC_Encryption::process(uint8_t buf[], size_t sz)
98  {
99  const size_t BS = block_size();
100 
101  BOTAN_ASSERT(sz % BS == 0, "CBC input is full blocks");
102  const size_t blocks = sz / BS;
103 
104  if(blocks > 0)
105  {
106  xor_buf(&buf[0], state_ptr(), BS);
107  cipher().encrypt(&buf[0]);
108 
109  for(size_t i = 1; i != blocks; ++i)
110  {
111  xor_buf(&buf[BS*i], &buf[BS*(i-1)], BS);
112  cipher().encrypt(&buf[BS*i]);
113  }
114 
115  state().assign(&buf[BS*(blocks-1)], &buf[BS*blocks]);
116  }
117 
118  return sz;
119  }
120 
121 void CBC_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
122  {
123  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
124 
125  const size_t BS = block_size();
126 
127  const size_t bytes_in_final_block = (buffer.size()-offset) % BS;
128 
129  padding().add_padding(buffer, bytes_in_final_block, BS);
130 
131  if((buffer.size()-offset) % BS)
132  throw Exception("Did not pad to full block size in " + name());
133 
134  update(buffer, offset);
135  }
136 
138  {
139  return (n == block_size());
140  }
141 
143  {
144  return block_size() + 1;
145  }
146 
147 size_t CTS_Encryption::output_length(size_t input_length) const
148  {
149  return input_length; // no ciphertext expansion in CTS
150  }
151 
152 void CTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
153  {
154  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
155  uint8_t* buf = buffer.data() + offset;
156  const size_t sz = buffer.size() - offset;
157 
158  const size_t BS = block_size();
159 
160  if(sz < BS + 1)
161  throw Encoding_Error(name() + ": insufficient data to encrypt");
162 
163  if(sz % BS == 0)
164  {
165  update(buffer, offset);
166 
167  // swap last two blocks
168  for(size_t i = 0; i != BS; ++i)
169  std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
170  }
171  else
172  {
173  const size_t full_blocks = ((sz / BS) - 1) * BS;
174  const size_t final_bytes = sz - full_blocks;
175  BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
176 
177  secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
178  buffer.resize(full_blocks + offset);
179  update(buffer, offset);
180 
181  xor_buf(last.data(), state_ptr(), BS);
182  cipher().encrypt(last.data());
183 
184  for(size_t i = 0; i != final_bytes - BS; ++i)
185  {
186  last[i] ^= last[i + BS];
187  last[i + BS] ^= last[i];
188  }
189 
190  cipher().encrypt(last.data());
191 
192  buffer += last;
193  }
194  }
195 
196 size_t CBC_Decryption::output_length(size_t input_length) const
197  {
198  return input_length; // precise for CTS, worst case otherwise
199  }
200 
202  {
203  return block_size();
204  }
205 
206 size_t CBC_Decryption::process(uint8_t buf[], size_t sz)
207  {
208  const size_t BS = block_size();
209 
210  BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
211  size_t blocks = sz / BS;
212 
213  while(blocks)
214  {
215  const size_t to_proc = std::min(BS * blocks, m_tempbuf.size());
216 
217  cipher().decrypt_n(buf, m_tempbuf.data(), to_proc / BS);
218 
219  xor_buf(m_tempbuf.data(), state_ptr(), BS);
220  xor_buf(&m_tempbuf[BS], buf, to_proc - BS);
221  copy_mem(state_ptr(), buf + (to_proc - BS), BS);
222 
223  copy_mem(buf, m_tempbuf.data(), to_proc);
224 
225  buf += to_proc;
226  blocks -= to_proc / BS;
227  }
228 
229  return sz;
230  }
231 
232 void CBC_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
233  {
234  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
235  const size_t sz = buffer.size() - offset;
236 
237  const size_t BS = block_size();
238 
239  if(sz == 0 || sz % BS)
240  throw Decoding_Error(name() + ": Ciphertext not a multiple of block size");
241 
242  update(buffer, offset);
243 
244  const size_t pad_bytes = BS - padding().unpad(&buffer[buffer.size()-BS], BS);
245  buffer.resize(buffer.size() - pad_bytes); // remove padding
246  if(pad_bytes == 0 && padding().name() != "NoPadding")
247  {
248  throw Decoding_Error(name());
249  }
250  }
251 
253  {
254  zeroise(state());
255  zeroise(m_tempbuf);
256  }
257 
259  {
260  return (n == block_size());
261  }
262 
264  {
265  return block_size() + 1;
266  }
267 
268 void CTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
269  {
270  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
271  const size_t sz = buffer.size() - offset;
272  uint8_t* buf = buffer.data() + offset;
273 
274  const size_t BS = block_size();
275 
276  if(sz < BS + 1)
277  throw Encoding_Error(name() + ": insufficient data to decrypt");
278 
279  if(sz % BS == 0)
280  {
281  // swap last two blocks
282 
283  for(size_t i = 0; i != BS; ++i)
284  std::swap(buffer[buffer.size()-BS+i], buffer[buffer.size()-2*BS+i]);
285 
286  update(buffer, offset);
287  }
288  else
289  {
290  const size_t full_blocks = ((sz / BS) - 1) * BS;
291  const size_t final_bytes = sz - full_blocks;
292  BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
293 
294  secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
295  buffer.resize(full_blocks + offset);
296  update(buffer, offset);
297 
298  cipher().decrypt(last.data());
299 
300  xor_buf(last.data(), &last[BS], final_bytes - BS);
301 
302  for(size_t i = 0; i != final_bytes - BS; ++i)
303  std::swap(last[i], last[i + BS]);
304 
305  cipher().decrypt(last.data());
306  xor_buf(last.data(), state_ptr(), BS);
307 
308  buffer += last;
309  }
310  }
311 
312 }
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: cbc.cpp:152
secure_vector< uint8_t > & state()
Definition: cbc.h:49
Key_Length_Specification key_spec() const override
Definition: cbc.cpp:50
size_t parallel_bytes() const
Definition: block_cipher.h:63
void clear() override
Definition: cbc.cpp:26
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: cbc.cpp:232
std::string name() const override
Definition: cbc.cpp:37
const BlockCipherModePaddingMethod & padding() const
Definition: cbc.h:43
bool valid_nonce_length(size_t n) const override
Definition: cbc.cpp:60
virtual void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const =0
size_t update_granularity() const override
Definition: cbc.cpp:45
CBC_Mode(BlockCipher *cipher, BlockCipherModePaddingMethod *padding)
Definition: cbc.cpp:15
void update(secure_vector< uint8_t > &buffer, size_t offset=0)
Definition: cipher_mode.h:115
void decrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:91
size_t default_nonce_length() const override
Definition: cbc.cpp:55
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:43
size_t minimum_final_size() const override
Definition: cbc.cpp:201
bool valid_nonce_length(size_t n) const override
Definition: cbc.cpp:137
void reset() override
Definition: cbc.cpp:252
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:174
virtual std::string name() const =0
void reset() override
Definition: cbc.cpp:32
size_t output_length(size_t input_length) const override
Definition: cbc.cpp:196
uint8_t * state_ptr()
Definition: cbc.h:53
size_t process(uint8_t buf[], size_t size) override
Definition: cbc.cpp:97
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:108
Definition: alg_id.cpp:13
size_t block_size() const
Definition: cbc.h:51
void encrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:81
virtual Key_Length_Specification key_spec() const =0
virtual void add_padding(secure_vector< uint8_t > &buffer, size_t final_block_bytes, size_t block_size) const =0
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: cbc.cpp:121
size_t minimum_final_size() const override
Definition: cbc.cpp:84
virtual size_t unpad(const uint8_t block[], size_t size) const =0
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: cbc.cpp:268
const BlockCipher & cipher() const
Definition: cbc.h:41
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
size_t minimum_final_size() const override
Definition: cbc.cpp:142
size_t output_length(size_t input_length) const override
Definition: cbc.cpp:147
size_t round_up(size_t n, size_t align_to)
Definition: rounding.h:21
virtual std::string name() const =0
virtual size_t block_size() const =0
size_t output_length(size_t input_length) const override
Definition: cbc.cpp:89
size_t process(uint8_t buf[], size_t size) override
Definition: cbc.cpp:206
bool valid_nonce_length(size_t n) const override
Definition: cbc.cpp:258
size_t minimum_final_size() const override
Definition: cbc.cpp:263
void zeroise(std::vector< T, Alloc > &vec)
Definition: secmem.h:183