Botan 3.9.0
Crypto and TLS for C&
mode_pad.cpp
Go to the documentation of this file.
1/*
2* CBC Padding Methods
3* (C) 1999-2007,2013,2018,2020 Jack Lloyd
4* (C) 2016 René Korthaus, Rohde & Schwarz Cybersecurity
5* (C) 2025 René Meusel, Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/internal/mode_pad.h>
11
12#include <botan/exceptn.h>
13#include <botan/internal/ct_utils.h>
14
15namespace Botan {
16
17/**
18* Get a block cipher padding method by name
19*/
20std::unique_ptr<BlockCipherModePaddingMethod> BlockCipherModePaddingMethod::create(std::string_view algo_spec) {
21 if(algo_spec == "NoPadding") {
22 return std::make_unique<Null_Padding>();
23 }
24
25 if(algo_spec == "PKCS7") {
26 return std::make_unique<PKCS7_Padding>();
27 }
28
29 if(algo_spec == "OneAndZeros") {
30 return std::make_unique<OneAndZeros_Padding>();
31 }
32
33 if(algo_spec == "X9.23") {
34 return std::make_unique<ANSI_X923_Padding>();
35 }
36
37 if(algo_spec == "ESP") {
38 return std::make_unique<ESP_Padding>();
39 }
40
41 return nullptr;
42}
43
44void BlockCipherModePaddingMethod::add_padding(std::span<uint8_t> buffer, size_t last_byte_pos, size_t BS) const {
45 BOTAN_ASSERT_NOMSG(valid_blocksize(BS));
46 BOTAN_ASSERT_NOMSG(last_byte_pos < BS);
47 BOTAN_ASSERT_NOMSG(buffer.size() % BS == 0);
48 BOTAN_ASSERT_NOMSG(buffer.size() >= BS);
49
50 auto poison = CT::scoped_poison(last_byte_pos, buffer);
51 apply_padding(buffer.last(BS), last_byte_pos);
52}
53
54size_t BlockCipherModePaddingMethod::unpad(std::span<const uint8_t> last_block) const {
55 if(!valid_blocksize(last_block.size())) {
56 return last_block.size();
57 }
58
59 auto poison = CT::scoped_poison(last_block);
60 return CT::driveby_unpoison(remove_padding(last_block));
61}
62
63/*
64* Pad with PKCS #7 Method
65*/
66void PKCS7_Padding::apply_padding(std::span<uint8_t> last_block, size_t padding_start_pos) const {
67 /*
68 Padding format is
69 01
70 0202
71 030303
72 ...
73 */
74 const uint8_t BS = static_cast<uint8_t>(last_block.size());
75 const uint8_t start_pos = static_cast<uint8_t>(padding_start_pos);
76 const uint8_t padding_len = BS - start_pos;
77 for(uint8_t i = 0; i < BS; ++i) {
78 auto needs_padding = CT::Mask<uint8_t>::is_gte(i, start_pos);
79 last_block[i] = needs_padding.select(padding_len, last_block[i]);
80 }
81}
82
83/*
84* Unpad with PKCS #7 Method
85*/
86size_t PKCS7_Padding::remove_padding(std::span<const uint8_t> input) const {
87 const size_t BS = input.size();
88 const uint8_t last_byte = input.back();
89
90 /*
91 The input should == the block size so if the last byte exceeds
92 that then the padding is certainly invalid
93 */
94 auto bad_input = CT::Mask<size_t>::is_gt(last_byte, BS);
95
96 const size_t pad_pos = BS - last_byte;
97
98 for(size_t i = 0; i != BS - 1; ++i) {
99 // Does this byte equal the expected pad byte?
100 const auto pad_eq = CT::Mask<size_t>::is_equal(input[i], last_byte);
101
102 // Ignore values that are not part of the padding
103 const auto in_range = CT::Mask<size_t>::is_gte(i, pad_pos);
104 bad_input |= in_range & (~pad_eq);
105 }
106
107 return bad_input.select(BS, pad_pos);
108}
109
110/*
111* Pad with ANSI X9.23 Method
112*/
113void ANSI_X923_Padding::apply_padding(std::span<uint8_t> last_block, size_t padding_start_pos) const {
114 /*
115 Padding format is
116 01
117 0002
118 000003
119 ...
120 */
121 const uint8_t BS = static_cast<uint8_t>(last_block.size());
122 const uint8_t start_pos = static_cast<uint8_t>(padding_start_pos);
123 const uint8_t padding_len = BS - start_pos;
124 for(uint8_t i = 0; i != BS - 1; ++i) {
125 auto needs_padding = CT::Mask<uint8_t>::is_gte(i, start_pos);
126 last_block[i] = needs_padding.select(0, last_block[i]);
127 }
128
129 last_block.back() = padding_len;
130}
131
132/*
133* Unpad with ANSI X9.23 Method
134*/
135size_t ANSI_X923_Padding::remove_padding(std::span<const uint8_t> input) const {
136 const size_t BS = input.size();
137 const size_t last_byte = input.back();
138
139 auto bad_input = CT::Mask<size_t>::is_gt(last_byte, BS);
140
141 const size_t pad_pos = BS - last_byte;
142
143 for(size_t i = 0; i != BS - 1; ++i) {
144 // Ignore values that are not part of the padding
145 const auto in_range = CT::Mask<size_t>::is_gte(i, pad_pos);
146 const auto pad_is_nonzero = CT::Mask<size_t>::expand(input[i]);
147 bad_input |= pad_is_nonzero & in_range;
148 }
149
150 return bad_input.select(BS, pad_pos);
151}
152
153/*
154* Pad with One and Zeros Method
155*/
156void OneAndZeros_Padding::apply_padding(std::span<uint8_t> last_block, size_t padding_start_pos) const {
157 /*
158 Padding format is
159 80
160 8000
161 800000
162 ...
163 */
164 for(size_t i = 0; i != last_block.size(); ++i) {
165 auto needs_80 = CT::Mask<uint8_t>(CT::Mask<size_t>::is_equal(i, padding_start_pos));
166 auto needs_00 = CT::Mask<uint8_t>(CT::Mask<size_t>::is_gt(i, padding_start_pos));
167 last_block[i] = needs_00.select(0x00, needs_80.select(0x80, last_block[i]));
168 }
169}
170
171/*
172* Unpad with One and Zeros Method
173*/
174size_t OneAndZeros_Padding::remove_padding(std::span<const uint8_t> input) const {
175 const size_t BS = input.size();
176 auto bad_input = CT::Mask<uint8_t>::cleared();
177 auto seen_0x80 = CT::Mask<uint8_t>::cleared();
178
179 size_t pad_pos = BS - 1;
180
181 for(size_t i = BS; i != 0; --i) {
182 const auto is_0x80 = CT::Mask<uint8_t>::is_equal(input[i - 1], 0x80);
183 const auto is_zero = CT::Mask<uint8_t>::is_zero(input[i - 1]);
184
185 seen_0x80 |= is_0x80;
186 pad_pos -= seen_0x80.if_not_set_return(1);
187 bad_input |= ~seen_0x80 & ~is_zero;
188 }
189 bad_input |= ~seen_0x80;
190
191 return CT::Mask<size_t>::expand(bad_input).select(BS, pad_pos);
192}
193
194/*
195* Pad with ESP Padding Method
196*/
197void ESP_Padding::apply_padding(std::span<uint8_t> last_block, size_t padding_start_pos) const {
198 /*
199 Padding format is
200 01
201 0102
202 010203
203 ...
204 */
205 const uint8_t BS = static_cast<uint8_t>(last_block.size());
206 const uint8_t start_pos = static_cast<uint8_t>(padding_start_pos);
207
208 uint8_t pad_ctr = 0x01;
209 for(uint8_t i = 0; i != BS; ++i) {
210 auto needs_padding = CT::Mask<uint8_t>::is_gte(i, start_pos);
211 last_block[i] = needs_padding.select(pad_ctr, last_block[i]);
212 pad_ctr = needs_padding.select(pad_ctr + 1, pad_ctr);
213 }
214}
215
216/*
217* Unpad with ESP Padding Method
218*/
219size_t ESP_Padding::remove_padding(std::span<const uint8_t> input) const {
220 const size_t BS = input.size();
221 const uint8_t last_byte = input.back();
222
223 auto bad_input = CT::Mask<size_t>::is_zero(last_byte) | CT::Mask<size_t>::is_gt(last_byte, BS);
224
225 const size_t pad_pos = BS - last_byte;
226 for(size_t i = BS - 1; i != 0; --i) {
227 const auto in_range = CT::Mask<size_t>::is_gt(i, pad_pos);
228 const auto incrementing = CT::Mask<size_t>::is_equal(input[i - 1], input[i] - 1);
229
230 bad_input |= CT::Mask<size_t>(in_range) & ~incrementing;
231 }
232
233 return bad_input.select(BS, pad_pos);
234}
235
236} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
Botan::ANSI_X923_Padding::remove_padding
size_t remove_padding(std::span< const uint8_t > last_block) const override
Definition mode_pad.cpp:135
Botan::ANSI_X923_Padding::apply_padding
void apply_padding(std::span< uint8_t > last_block, size_t final_block_bytes) const override
Definition mode_pad.cpp:113
Botan::BlockCipherModePaddingMethod::create
static std::unique_ptr< BlockCipherModePaddingMethod > create(std::string_view algo_spec)
Definition mode_pad.cpp:20
Botan::BlockCipherModePaddingMethod::remove_padding
virtual size_t remove_padding(std::span< const uint8_t > last_block) const =0
Botan::BlockCipherModePaddingMethod::valid_blocksize
virtual bool valid_blocksize(size_t block_size) const =0
Botan::BlockCipherModePaddingMethod::unpad
size_t unpad(std::span< const uint8_t > last_block) const
Definition mode_pad.cpp:54
Botan::BlockCipherModePaddingMethod::apply_padding
virtual void apply_padding(std::span< uint8_t > last_block, size_t padding_start_pos) const =0
Botan::BlockCipherModePaddingMethod::add_padding
virtual void add_padding(std::span< uint8_t > buffer, size_t final_block_bytes, size_t block_size) const
Definition mode_pad.cpp:44
Botan::CT::Mask::is_gte
static constexpr Mask< T > is_gte(T x, T y)
Definition ct_utils.h:496
Botan::CT::Mask::expand
static constexpr Mask< T > expand(T v)
Definition ct_utils.h:420
Botan::CT::Mask::is_equal
static constexpr Mask< T > is_equal(T x, T y)
Definition ct_utils.h:470
Botan::CT::Mask::is_gt
static constexpr Mask< T > is_gt(T x, T y)
Definition ct_utils.h:486
Botan::CT::Mask::is_zero
static constexpr Mask< T > is_zero(T x)
Definition ct_utils.h:465
Botan::CT::Mask::cleared
static constexpr Mask< T > cleared()
Definition ct_utils.h:415
Botan::ESP_Padding::remove_padding
size_t remove_padding(std::span< const uint8_t > last_block) const override
Definition mode_pad.cpp:219
Botan::ESP_Padding::apply_padding
void apply_padding(std::span< uint8_t > last_block, size_t final_block_bytes) const override
Definition mode_pad.cpp:197
Botan::OneAndZeros_Padding::remove_padding
size_t remove_padding(std::span< const uint8_t > last_block) const override
Definition mode_pad.cpp:174
Botan::OneAndZeros_Padding::apply_padding
void apply_padding(std::span< uint8_t > last_block, size_t final_block_bytes) const override
Definition mode_pad.cpp:156
Botan::PKCS7_Padding::remove_padding
size_t remove_padding(std::span< const uint8_t > last_block) const override
Definition mode_pad.cpp:86
Botan::PKCS7_Padding::apply_padding
void apply_padding(std::span< uint8_t > last_block, size_t final_block_bytes) const override
Definition mode_pad.cpp:66
Botan::CT::driveby_unpoison
decltype(auto) driveby_unpoison(T &&v)
Definition ct_utils.h:241
Botan::CT::scoped_poison
constexpr auto scoped_poison(const Ts &... xs)
Definition ct_utils.h:220
Generated by doxygen 1.14.0