authorJack Lloyd <[email protected]>2018-08-17 17:51:14 -0400
committerJack Lloyd <[email protected]>2018-08-17 17:51:14 -0400
commitd1dfc93595098f75d6dc0c461f833627252fbf4e (patch)
treebf921df789e7d0066308a75016f6aeb569865380 /src/lib/modes
parent2c1f5b5fb8288fd8d48fcb9d0a7586609169a96f (diff)
Have cipher modes also verify that the nonce is set prior to use
Diffstat (limited to 'src/lib/modes')
-rw-r--r--src/lib/modes/cbc/cbc.cpp12
-rw-r--r--src/lib/modes/cbc/cbc.h5
-rw-r--r--src/lib/modes/cfb/cfb.cpp2
-rw-r--r--src/lib/modes/xts/xts.cpp6
-rw-r--r--src/lib/modes/xts/xts.h2
5 files changed, 20 insertions, 7 deletions
diff --git a/src/lib/modes/cbc/cbc.cpp b/src/lib/modes/cbc/cbc.cpp
index c67664a6e..76b78e4f6 100644
--- a/src/lib/modes/cbc/cbc.cpp
+++ b/src/lib/modes/cbc/cbc.cpp
@@ -15,9 +15,9 @@ namespace Botan {
CBC_Mode::CBC_Mode(BlockCipher* cipher, BlockCipherModePaddingMethod* padding) :
m_cipher(cipher),
m_padding(padding),
- m_state(m_cipher->block_size())
+ m_block_size(cipher->block_size())
{
- if(m_padding && !m_padding->valid_blocksize(cipher->block_size()))
+ if(m_padding && !m_padding->valid_blocksize(m_block_size))
throw Invalid_Argument("Padding " + m_padding->name() +
" cannot be used with " +
cipher->name() + "/CBC");
@@ -31,7 +31,7 @@ void CBC_Mode::clear()
void CBC_Mode::reset()
{
- zeroise(m_state);
+ m_state.clear();
}
std::string CBC_Mode::name() const
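Review bot: `m_state.clear()` on the new line no longer scrubs the bytes that the old `zeroise(m_state)` did: `vector::clear()` keeps the storage, so the previous IV or last ciphertext block stays in memory until the vector reallocates or is destroyed. For CBC that data is not secret, and secure_vector's allocator presumably wipes on deallocation, so the exposure is small. If reset() is meant to keep its scrubbing guarantee, write `zeroise(m_state); m_state.clear();` so the emptiness check in process() and the wipe both hold.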
@@ -79,6 +79,9 @@ void CBC_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
*/
if(nonce_len)
m_state.assign(nonce, nonce + nonce_len);
+ else if(m_state.empty())
+ m_state.resize(m_cipher->block_size());
+ // else leave the state alone
}
size_t CBC_Encryption::minimum_final_size() const
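Review bot: The new `else if` branch calls `m_cipher->block_size()` although this same commit caches that value as `m_block_size` in the constructor, so `m_state.resize(block_size());` keeps the two in step and avoids the virtual call. The trailing `// else leave the state alone` would be more useful if it said why: `// else: zero-length nonce means continue chaining from the previous message's state` (that reading is inferred from the branch, worth confirming against the comment block above the hunk). Note that a zero-length nonce on a fresh object yields an all-zero IV, which satisfies the new process() check; if that is intended, a sentence saying so belongs in that comment block.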
@@ -96,6 +99,7 @@ size_t CBC_Encryption::output_length(size_t input_length) const
size_t CBC_Encryption::process(uint8_t buf[], size_t sz)
{
+ BOTAN_STATE_CHECK(state().empty() == false);
const size_t BS = block_size();
BOTAN_ASSERT(sz % BS == 0, "CBC input is full blocks");
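Review bot: The condition `state().empty() == false` added here is duplicated verbatim in CBC_Decryption::process, while XTS gets a named `tweak_set()` helper in the same commit; give CBC_Mode the same treatment with `bool nonce_set() const { return !m_state.empty(); }` in cbc.h and write the check as `BOTAN_STATE_CHECK(nonce_set());`. That keeps the precondition in one place if it later needs to also compare the size against block_size(). The body of process() continues past the end of the hunk.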
@@ -205,6 +209,8 @@ size_t CBC_Decryption::minimum_final_size() const
size_t CBC_Decryption::process(uint8_t buf[], size_t sz)
{
+ BOTAN_STATE_CHECK(state().empty() == false);
+
const size_t BS = block_size();
BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
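Review bot: The new check guards process() only; CBC_Decryption::finish() is not in this diff, and if it can reach the cipher without passing through process() (for instance a message consisting of a single padded block), a call without start_msg() would still operate on the unset state. Worth confirming against the finish() body, and if so adding the same `BOTAN_STATE_CHECK(state().empty() == false);` at its top. The rest of process() lies outside the hunk.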
diff --git a/src/lib/modes/cbc/cbc.h b/src/lib/modes/cbc/cbc.h
index 65b639511..aaa425712 100644
--- a/src/lib/modes/cbc/cbc.h
+++ b/src/lib/modes/cbc/cbc.h
@@ -46,9 +46,9 @@ class BOTAN_PUBLIC_API(2,0) CBC_Mode : public Cipher_Mode
return *m_padding;
}
- secure_vector<uint8_t>& state() { return m_state; }
+ size_t block_size() const { return m_block_size; }
- size_t block_size() const { return m_state.size(); }
+ secure_vector<uint8_t>& state() { return m_state; }
uint8_t* state_ptr() { return m_state.data(); }
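Review bot: block_size() now returns the cached `m_block_size`, so it stays valid while `m_state` is empty, but `state_ptr()` on the line below still returns `m_state.data()`, which may be a null pointer before start_msg() has run. Since the emptiness of the state is now a deliberate "no nonce yet" marker, document that on the accessor: `/// Only meaningful after start_msg(); the state is empty (and this may be nullptr) until a nonce is set.`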
@@ -60,6 +60,7 @@ class BOTAN_PUBLIC_API(2,0) CBC_Mode : public Cipher_Mode
std::unique_ptr<BlockCipher> m_cipher;
std::unique_ptr<BlockCipherModePaddingMethod> m_padding;
secure_vector<uint8_t> m_state;
+ size_t m_block_size;
};
/**
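Review bot: `size_t m_block_size;` has no default member initializer; the one constructor in this diff sets it, but `size_t m_block_size = 0;` would keep it determinate if another constructor is added later and costs nothing. A short comment saying it caches `cipher->block_size()` so that block_size() no longer depends on `m_state` being sized would also explain why the member exists.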
diff --git a/src/lib/modes/cfb/cfb.cpp b/src/lib/modes/cfb/cfb.cpp
index 1010cf450..e1bee0427 100644
--- a/src/lib/modes/cfb/cfb.cpp
+++ b/src/lib/modes/cfb/cfb.cpp
@@ -117,6 +117,7 @@ void CFB_Mode::shift_register()
size_t CFB_Encryption::process(uint8_t buf[], size_t sz)
{
verify_key_set(m_keystream.size());
+ BOTAN_STATE_CHECK(m_state.empty() == false);
const size_t shift = feedback();
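Review bot: `m_state.empty() == false` reads better as `!m_state.empty()`, and since the identical line is added to CFB_Decryption::process in this commit, a `bool nonce_set() const { return !m_state.empty(); }` on CFB_Mode would mirror the `tweak_set()` helper introduced for XTS. Placing the check after verify_key_set() is the right order, since an unkeyed object cannot have a meaningful keystream state. The body of process() continues beyond the hunk.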
@@ -181,6 +182,7 @@ inline void xor_copy(uint8_t buf[], uint8_t key_buf[], size_t len)
size_t CFB_Decryption::process(uint8_t buf[], size_t sz)
{
verify_key_set(m_keystream.size());
+ BOTAN_STATE_CHECK(m_state.empty() == false);
const size_t shift = feedback();
diff --git a/src/lib/modes/xts/xts.cpp b/src/lib/modes/xts/xts.cpp
index 0b10faa92..e562c2cff 100644
--- a/src/lib/modes/xts/xts.cpp
+++ b/src/lib/modes/xts/xts.cpp
@@ -19,7 +19,6 @@ XTS_Mode::XTS_Mode(BlockCipher* cipher) : m_cipher(cipher)
}
m_tweak_cipher.reset(m_cipher->clone());
- m_tweak.resize(update_granularity());
}
void XTS_Mode::clear()
@@ -31,7 +30,7 @@ void XTS_Mode::clear()
void XTS_Mode::reset()
{
- zeroise(m_tweak);
+ m_tweak.clear();
}
std::string XTS_Mode::name() const
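Review bot: `m_tweak.clear()` no longer wipes the tweak the way `zeroise(m_tweak)` did; `vector::clear()` keeps the storage, so the encrypted tweak remains in memory until the vector is reallocated or destroyed. Unlike a CBC IV this value is key-derived (start_msg() encrypts the nonce into it with the tweak cipher), so the scrub is worth keeping: `zeroise(m_tweak); m_tweak.clear();`. If secure_vector's allocator wipes on deallocation the window only lasts until the object dies, but reset() is where callers expect the material to be gone.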
@@ -80,6 +79,7 @@ void XTS_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
if(!valid_nonce_length(nonce_len))
throw Invalid_IV_Length(name(), nonce_len);
+ m_tweak.resize(update_granularity());
copy_mem(m_tweak.data(), nonce, nonce_len);
m_tweak_cipher->encrypt(m_tweak.data());
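Review bot: `m_tweak.resize(update_granularity())` only zero-fills when the vector grows; on the second message it is already that size, so any bytes past `nonce_len` keep the previous tweak before copy_mem runs. Whether that matters depends on valid_nonce_length(), which is outside the hunk: if it only accepts exactly update_granularity() bytes, copy_mem overwrites everything and this is moot; otherwise `m_tweak.assign(nonce, nonce + nonce_len); m_tweak.resize(update_granularity());` makes the tail deterministically zero. The behaviour is unchanged from before the commit (the resize used to happen once in the constructor), so at minimum a comment noting the assumption would help.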
@@ -106,6 +106,7 @@ size_t XTS_Encryption::output_length(size_t input_length) const
size_t XTS_Encryption::process(uint8_t buf[], size_t sz)
{
+ BOTAN_STATE_CHECK(tweak_set());
const size_t BS = cipher().block_size();
BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
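Review bot: The check covers process() but not XTS_Encryption::finish(), which is outside this diff; if finish() reads tweak() for the final block(s) without first going through process() — plausible for a message shorter than two blocks — it needs the same `BOTAN_STATE_CHECK(tweak_set());` at its top. Worth confirming against the finish() body. The rest of process() continues beyond the hunk.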
@@ -179,6 +180,7 @@ size_t XTS_Decryption::output_length(size_t input_length) const
size_t XTS_Decryption::process(uint8_t buf[], size_t sz)
{
+ BOTAN_STATE_CHECK(tweak_set());
const size_t BS = cipher().block_size();
BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
diff --git a/src/lib/modes/xts/xts.h b/src/lib/modes/xts/xts.h
index 4b25a8294..1fd86b2f4 100644
--- a/src/lib/modes/xts/xts.h
+++ b/src/lib/modes/xts/xts.h
@@ -41,6 +41,8 @@ class BOTAN_PUBLIC_API(2,0) XTS_Mode : public Cipher_Mode
const uint8_t* tweak() const { return m_tweak.data(); }
+ bool tweak_set() const { return m_tweak.empty() == false; }
+
const BlockCipher& cipher() const { return *m_cipher; }
void update_tweak(size_t last_used);
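Review bot: `m_tweak.empty() == false` is clearer as `!m_tweak.empty()`, and since this helper is now the precondition that process() enforces it deserves a one-line comment: `/// True once start_msg() has derived the tweak from the nonce; false after reset()`. The `tweak()` accessor above returns `m_tweak.data()`, which is only meaningful while tweak_set() holds — saying so there too would spare callers a null or stale pointer.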