Botan 3.10.0
Crypto and TLS for C&
mode_pad.cpp
Go to the documentation of this file.
1/*
2* CBC Padding Methods
3* (C) 1999-2007,2013,2018,2020 Jack Lloyd
4* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5* (C) 2025 René Meusel, Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/internal/mode_pad.h>
11
12#include <botan/internal/ct_utils.h>
13
14namespace Botan {
15
16/**
17* Get a block cipher padding method by name
18*/
19std::unique_ptr<BlockCipherModePaddingMethod> BlockCipherModePaddingMethod::create(std::string_view algo_spec) {
20 if(algo_spec == "NoPadding") {
21 return std::make_unique<Null_Padding>();
22 }
23
24 if(algo_spec == "PKCS7") {
25 return std::make_unique<PKCS7_Padding>();
26 }
27
28 if(algo_spec == "OneAndZeros") {
29 return std::make_unique<OneAndZeros_Padding>();
30 }
31
32 if(algo_spec == "X9.23") {
33 return std::make_unique<ANSI_X923_Padding>();
34 }
35
36 if(algo_spec == "ESP") {
37 return std::make_unique<ESP_Padding>();
38 }
39
40 return nullptr;
41}
42
43void BlockCipherModePaddingMethod::add_padding(std::span<uint8_t> buffer, size_t last_byte_pos, size_t BS) const {
44 BOTAN_ASSERT_NOMSG(valid_blocksize(BS));
45 BOTAN_ASSERT_NOMSG(last_byte_pos < BS);
46 BOTAN_ASSERT_NOMSG(buffer.size() % BS == 0);
47 BOTAN_ASSERT_NOMSG(buffer.size() >= BS);
48
49 auto poison = CT::scoped_poison(last_byte_pos, buffer);
50 apply_padding(buffer.last(BS), last_byte_pos);
51}
52
53size_t BlockCipherModePaddingMethod::unpad(std::span<const uint8_t> last_block) const {
54 if(!valid_blocksize(last_block.size())) {
55 return last_block.size();
56 }
57
58 auto poison = CT::scoped_poison(last_block);
59 return CT::driveby_unpoison(remove_padding(last_block));
60}
61
62/*
63* Pad with PKCS #7 Method
64*/
65void PKCS7_Padding::apply_padding(std::span<uint8_t> last_block, size_t padding_start_pos) const {
66 /*
67 Padding format is
68 01
69 0202
70 030303
71 ...
72 */
73 const uint8_t BS = static_cast<uint8_t>(last_block.size());
74 const uint8_t start_pos = static_cast<uint8_t>(padding_start_pos);
75 const uint8_t padding_len = BS - start_pos;
76 for(uint8_t i = 0; i < BS; ++i) {
77 auto needs_padding = CT::Mask<uint8_t>::is_gte(i, start_pos);
78 last_block[i] = needs_padding.select(padding_len, last_block[i]);
79 }
80}
81
82/*
83* Unpad with PKCS #7 Method
84*/
85size_t PKCS7_Padding::remove_padding(std::span<const uint8_t> input) const {
86 const size_t BS = input.size();
87 const uint8_t last_byte = input.back();
88
89 /*
90 The input should == the block size so if the last byte exceeds
91 that then the padding is certainly invalid
92 */
93 auto bad_input = CT::Mask<size_t>::is_gt(last_byte, BS);
94
95 const size_t pad_pos = BS - last_byte;
96
97 for(size_t i = 0; i != BS - 1; ++i) {
98 // Does this byte equal the expected pad byte?
99 const auto pad_eq = CT::Mask<size_t>::is_equal(input[i], last_byte);
100
101 // Ignore values that are not part of the padding
102 const auto in_range = CT::Mask<size_t>::is_gte(i, pad_pos);
103 bad_input |= in_range & (~pad_eq);
104 }
105
106 return bad_input.select(BS, pad_pos);
107}
108
109/*
110* Pad with ANSI X9.23 Method
111*/
112void ANSI_X923_Padding::apply_padding(std::span<uint8_t> last_block, size_t padding_start_pos) const {
113 /*
114 Padding format is
115 01
116 0002
117 000003
118 ...
119 */
120 const uint8_t BS = static_cast<uint8_t>(last_block.size());
121 const uint8_t start_pos = static_cast<uint8_t>(padding_start_pos);
122 const uint8_t padding_len = BS - start_pos;
123 for(uint8_t i = 0; i != BS - 1; ++i) {
124 auto needs_padding = CT::Mask<uint8_t>::is_gte(i, start_pos);
125 last_block[i] = needs_padding.select(0, last_block[i]);
126 }
127
128 last_block.back() = padding_len;
129}
130
131/*
132* Unpad with ANSI X9.23 Method
133*/
134size_t ANSI_X923_Padding::remove_padding(std::span<const uint8_t> input) const {
135 const size_t BS = input.size();
136 const size_t last_byte = input.back();
137
138 auto bad_input = CT::Mask<size_t>::is_gt(last_byte, BS);
139
140 const size_t pad_pos = BS - last_byte;
141
142 for(size_t i = 0; i != BS - 1; ++i) {
143 // Ignore values that are not part of the padding
144 const auto in_range = CT::Mask<size_t>::is_gte(i, pad_pos);
145 const auto pad_is_nonzero = CT::Mask<size_t>::expand(input[i]);
146 bad_input |= pad_is_nonzero & in_range;
147 }
148
149 return bad_input.select(BS, pad_pos);
150}
151
152/*
153* Pad with One and Zeros Method
154*/
155void OneAndZeros_Padding::apply_padding(std::span<uint8_t> last_block, size_t padding_start_pos) const {
156 /*
157 Padding format is
158 80
159 8000
160 800000
161 ...
162 */
163 for(size_t i = 0; i != last_block.size(); ++i) {
164 auto needs_80 = CT::Mask<uint8_t>(CT::Mask<size_t>::is_equal(i, padding_start_pos));
165 auto needs_00 = CT::Mask<uint8_t>(CT::Mask<size_t>::is_gt(i, padding_start_pos));
166 last_block[i] = needs_00.select(0x00, needs_80.select(0x80, last_block[i]));
167 }
168}
169
170/*
171* Unpad with One and Zeros Method
172*/
173size_t OneAndZeros_Padding::remove_padding(std::span<const uint8_t> input) const {
174 const size_t BS = input.size();
175 auto bad_input = CT::Mask<uint8_t>::cleared();
176 auto seen_0x80 = CT::Mask<uint8_t>::cleared();
177
178 size_t pad_pos = BS - 1;
179
180 for(size_t i = BS; i != 0; --i) {
181 const auto is_0x80 = CT::Mask<uint8_t>::is_equal(input[i - 1], 0x80);
182 const auto is_zero = CT::Mask<uint8_t>::is_zero(input[i - 1]);
183
184 seen_0x80 |= is_0x80;
185 pad_pos -= seen_0x80.if_not_set_return(1);
186 bad_input |= ~seen_0x80 & ~is_zero;
187 }
188 bad_input |= ~seen_0x80;
189
190 return CT::Mask<size_t>::expand(bad_input).select(BS, pad_pos);
191}
192
193/*
194* Pad with ESP Padding Method
195*/
196void ESP_Padding::apply_padding(std::span<uint8_t> last_block, size_t padding_start_pos) const {
197 /*
198 Padding format is
199 01
200 0102
201 010203
202 ...
203 */
204 const uint8_t BS = static_cast<uint8_t>(last_block.size());
205 const uint8_t start_pos = static_cast<uint8_t>(padding_start_pos);
206
207 uint8_t pad_ctr = 0x01;
208 for(uint8_t i = 0; i != BS; ++i) {
209 auto needs_padding = CT::Mask<uint8_t>::is_gte(i, start_pos);
210 last_block[i] = needs_padding.select(pad_ctr, last_block[i]);
211 pad_ctr = needs_padding.select(pad_ctr + 1, pad_ctr);
212 }
213}
214
215/*
216* Unpad with ESP Padding Method
217*/
218size_t ESP_Padding::remove_padding(std::span<const uint8_t> input) const {
219 const size_t BS = input.size();
220 const uint8_t last_byte = input.back();
221
222 auto bad_input = CT::Mask<size_t>::is_zero(last_byte) | CT::Mask<size_t>::is_gt(last_byte, BS);
223
224 const size_t pad_pos = BS - last_byte;
225 for(size_t i = BS - 1; i != 0; --i) {
226 const auto in_range = CT::Mask<size_t>::is_gt(i, pad_pos);
227 const auto incrementing = CT::Mask<size_t>::is_equal(input[i - 1], input[i] - 1);
228
229 bad_input |= CT::Mask<size_t>(in_range) & ~incrementing;
230 }
231
232 return bad_input.select(BS, pad_pos);
233}
234
235} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
Botan::ANSI_X923_Padding::remove_padding
size_t remove_padding(std::span< const uint8_t > last_block) const override
Definition mode_pad.cpp:134
Botan::ANSI_X923_Padding::apply_padding
void apply_padding(std::span< uint8_t > last_block, size_t final_block_bytes) const override
Definition mode_pad.cpp:112
Botan::BlockCipherModePaddingMethod::create
static std::unique_ptr< BlockCipherModePaddingMethod > create(std::string_view algo_spec)
Definition mode_pad.cpp:19
Botan::BlockCipherModePaddingMethod::remove_padding
virtual size_t remove_padding(std::span< const uint8_t > last_block) const =0
Botan::BlockCipherModePaddingMethod::valid_blocksize
virtual bool valid_blocksize(size_t block_size) const =0
Botan::BlockCipherModePaddingMethod::unpad
size_t unpad(std::span< const uint8_t > last_block) const
Definition mode_pad.cpp:53
Botan::BlockCipherModePaddingMethod::apply_padding
virtual void apply_padding(std::span< uint8_t > last_block, size_t padding_start_pos) const =0
Botan::BlockCipherModePaddingMethod::add_padding
virtual void add_padding(std::span< uint8_t > buffer, size_t final_block_bytes, size_t block_size) const
Definition mode_pad.cpp:43
Botan::CT::Mask::is_gte
static constexpr Mask< T > is_gte(T x, T y)
Definition ct_utils.h:496
Botan::CT::Mask::expand
static constexpr Mask< T > expand(T v)
Definition ct_utils.h:420
Botan::CT::Mask::is_equal
static constexpr Mask< T > is_equal(T x, T y)
Definition ct_utils.h:470
Botan::CT::Mask::is_gt
static constexpr Mask< T > is_gt(T x, T y)
Definition ct_utils.h:486
Botan::CT::Mask::is_zero
static constexpr Mask< T > is_zero(T x)
Definition ct_utils.h:465
Botan::CT::Mask::cleared
static constexpr Mask< T > cleared()
Definition ct_utils.h:415
Botan::ESP_Padding::remove_padding
size_t remove_padding(std::span< const uint8_t > last_block) const override
Definition mode_pad.cpp:218
Botan::ESP_Padding::apply_padding
void apply_padding(std::span< uint8_t > last_block, size_t final_block_bytes) const override
Definition mode_pad.cpp:196
Botan::OneAndZeros_Padding::remove_padding
size_t remove_padding(std::span< const uint8_t > last_block) const override
Definition mode_pad.cpp:173
Botan::OneAndZeros_Padding::apply_padding
void apply_padding(std::span< uint8_t > last_block, size_t final_block_bytes) const override
Definition mode_pad.cpp:155
Botan::PKCS7_Padding::remove_padding
size_t remove_padding(std::span< const uint8_t > last_block) const override
Definition mode_pad.cpp:85
Botan::PKCS7_Padding::apply_padding
void apply_padding(std::span< uint8_t > last_block, size_t final_block_bytes) const override
Definition mode_pad.cpp:65
Botan::CT::driveby_unpoison
decltype(auto) driveby_unpoison(T &&v)
Definition ct_utils.h:241
Botan::CT::scoped_poison
constexpr auto scoped_poison(const Ts &... xs)
Definition ct_utils.h:220
Generated by doxygen 1.15.0