Use base CBC modes to implement TLS CBC ciphersuites

This reduces code and also lets TLS make use of parallel decryption
which it was not doing before.

3 files changed, 36 insertions, 49 deletions

diff --git a/src/lib/tls/tls_cbc/info.txt b/src/lib/tls/tls_cbc/info.txt
index 321236696..a1d2b18cc 100644
--- a/src/lib/tls/tls_cbc/info.txt
+++ b/src/lib/tls/tls_cbc/info.txt
@@ -5,3 +5,8 @@ TLS_CBC -> 20161008
 <header:internal>
 tls_cbc.h
 </header:internal>
+
+<requires>
+cbc
+hmac
+</requires>
diff --git a/src/lib/tls/tls_cbc/tls_cbc.cpp b/src/lib/tls/tls_cbc/tls_cbc.cpp
index a0b238498..f38419ba7 100644
--- a/src/lib/tls/tls_cbc/tls_cbc.cpp
+++ b/src/lib/tls/tls_cbc/tls_cbc.cpp
@@ -9,6 +9,8 @@
 */
 
 #include <botan/internal/tls_cbc.h>
+#include <botan/cbc.h>
+
 #include <botan/internal/rounding.h>
 #include <botan/internal/ct_utils.h>
 #include <botan/tls_alert.h>
@@ -21,7 +23,8 @@ namespace TLS {
 /*
 * TLS_CBC_HMAC_AEAD_Mode Constructor
 */
-TLS_CBC_HMAC_AEAD_Mode::TLS_CBC_HMAC_AEAD_Mode(const std::string& cipher_name,
+TLS_CBC_HMAC_AEAD_Mode::TLS_CBC_HMAC_AEAD_Mode(Cipher_Dir dir,
+                                               const std::string& cipher_name,
                                                size_t cipher_keylen,
                                                const std::string& mac_name,
                                                size_t mac_keylen,
@@ -33,18 +36,23 @@ TLS_CBC_HMAC_AEAD_Mode::TLS_CBC_HMAC_AEAD_Mode(const std::string& cipher_name,
    m_mac_keylen(mac_keylen),
    m_use_encrypt_then_mac(use_encrypt_then_mac)
    {
-   m_cipher = BlockCipher::create_or_throw(m_cipher_name);
    m_mac = MessageAuthenticationCode::create_or_throw("HMAC(" + m_mac_name + ")");
+   std::unique_ptr<BlockCipher> cipher = BlockCipher::create_or_throw(m_cipher_name);
 
    m_tag_size = m_mac->output_length();
-   m_block_size = m_cipher->block_size();
+   m_block_size = cipher->block_size();
 
    m_iv_size = use_explicit_iv ? m_block_size : 0;
+
+   if(dir == ENCRYPTION)
+      m_cbc.reset(new CBC_Encryption(cipher.release(), new Null_Padding));
+   else
+      m_cbc.reset(new CBC_Decryption(cipher.release(), new Null_Padding));
    }
 
 void TLS_CBC_HMAC_AEAD_Mode::clear()
    {
-   cipher().clear();
+   cbc().clear();
    mac().clear();
    reset();
    }
@@ -85,7 +93,7 @@ void TLS_CBC_HMAC_AEAD_Mode::key_schedule(const uint8_t key[], size_t keylen)
    if(keylen != m_cipher_keylen + m_mac_keylen)
       throw Invalid_Key_Length(name(), keylen);
 
-   cipher().set_key(&key[0], m_cipher_keylen);
+   cbc().set_key(&key[0], m_cipher_keylen);
    mac().set_key(&key[m_cipher_keylen], m_mac_keylen);
    }
 
@@ -145,17 +153,10 @@ void TLS_CBC_HMAC_AEAD_Encryption::cbc_encrypt_record(uint8_t buf[], size_t buf_
    const size_t blocks = buf_size / block_size();
    BOTAN_ASSERT(buf_size % block_size() == 0, "Valid CBC input");
 
-   xor_buf(buf, cbc_state().data(), block_size());
-   cipher().encrypt(buf);
+   cbc().start(cbc_state());
+   cbc().process(buf, buf_size);
 
-   for(size_t i = 1; i < blocks; ++i)
-      {
-      xor_buf(&buf[block_size()*i], &buf[block_size()*(i-1)], block_size());
-      cipher().encrypt(&buf[block_size()*i]);
-      }
-
-   cbc_state().assign(&buf[block_size()*(blocks-1)],
-                      &buf[block_size()*blocks]);
+   cbc_state().assign(buf + buf_size - block_size(), buf + buf_size);
    }
 
 size_t TLS_CBC_HMAC_AEAD_Encryption::output_length(size_t input_length) const
@@ -253,32 +254,14 @@ uint16_t check_tls_cbc_padding(const uint8_t record[], size_t record_len)
 
 void TLS_CBC_HMAC_AEAD_Decryption::cbc_decrypt_record(uint8_t record_contents[], size_t record_len)
    {
-   if(record_len % block_size() != 0)
-      throw Decoding_Error("Input CBC ciphertext is not a multiple of block size");
-
-   const size_t blocks = record_len / block_size();
+   if(record_len == 0 || record_len % block_size() != 0)
+      throw Decoding_Error("Received TLS CBC ciphertext with invalid length");
 
-   BOTAN_ASSERT(blocks >= 1, "At least one ciphertext block");
-
-   uint8_t* buf = record_contents;
-
-   secure_vector<uint8_t> last_ciphertext(block_size());
-   copy_mem(last_ciphertext.data(), buf, block_size());
-
-   cipher().decrypt(buf);
-   xor_buf(buf, cbc_state().data(), block_size());
-
-   secure_vector<uint8_t> last_ciphertext2;
-
-   for(size_t i = 1; i < blocks; ++i)
-      {
-      last_ciphertext2.assign(&buf[block_size()*i], &buf[block_size()*(i+1)]);
-      cipher().decrypt(&buf[block_size()*i]);
-      xor_buf(&buf[block_size()*i], last_ciphertext.data(), block_size());
-      std::swap(last_ciphertext, last_ciphertext2);
-      }
+   cbc().start(cbc_state());
+   cbc_state().assign(record_contents + record_len - block_size(),
+                      record_contents + record_len);
 
-   cbc_state().assign(last_ciphertext.begin(), last_ciphertext.end());
+   cbc().process(record_contents, record_len);
    }
 
 size_t TLS_CBC_HMAC_AEAD_Decryption::output_length(size_t) const
diff --git a/src/lib/tls/tls_cbc/tls_cbc.h b/src/lib/tls/tls_cbc/tls_cbc.h
index f09e0ad39..012b9e51f 100644
--- a/src/lib/tls/tls_cbc/tls_cbc.h
+++ b/src/lib/tls/tls_cbc/tls_cbc.h
@@ -45,7 +45,8 @@ class BOTAN_TEST_API TLS_CBC_HMAC_AEAD_Mode : public AEAD_Mode
       void reset() override final;
 
  protected:
-      TLS_CBC_HMAC_AEAD_Mode(const std::string& cipher_name,
+      TLS_CBC_HMAC_AEAD_Mode(Cipher_Dir direction,
+                             const std::string& cipher_name,
                              size_t cipher_keylen,
                              const std::string& mac_name,
                              size_t mac_keylen,
@@ -59,11 +60,7 @@ class BOTAN_TEST_API TLS_CBC_HMAC_AEAD_Mode : public AEAD_Mode
 
       bool use_encrypt_then_mac() const { return m_use_encrypt_then_mac; }
 
-      BlockCipher& cipher() const
-         {
-         BOTAN_ASSERT_NONNULL(m_cipher);
-         return *m_cipher;
-         }
+      Cipher_Mode& cbc() const { return *m_cbc; }
 
       MessageAuthenticationCode& mac() const
          {
@@ -91,7 +88,7 @@ class BOTAN_TEST_API TLS_CBC_HMAC_AEAD_Mode : public AEAD_Mode
       size_t m_block_size;
       bool m_use_encrypt_then_mac;
 
-      std::unique_ptr<BlockCipher> m_cipher;
+      std::unique_ptr<Cipher_Mode> m_cbc;
       std::unique_ptr<MessageAuthenticationCode> m_mac;
 
       secure_vector<uint8_t> m_cbc_state;
@@ -113,7 +110,8 @@ class BOTAN_TEST_API TLS_CBC_HMAC_AEAD_Encryption final : public TLS_CBC_HMAC_AE
                                    const size_t mac_keylen,
                                    bool use_explicit_iv,
                                    bool use_encrypt_then_mac) :
-         TLS_CBC_HMAC_AEAD_Mode(cipher_algo,
+         TLS_CBC_HMAC_AEAD_Mode(ENCRYPTION,
+                                cipher_algo,
                                 cipher_keylen,
                                 mac_algo,
                                 mac_keylen,
@@ -146,7 +144,8 @@ class BOTAN_TEST_API TLS_CBC_HMAC_AEAD_Decryption final : public TLS_CBC_HMAC_AE
                                    const size_t mac_keylen,
                                    bool use_explicit_iv,
                                    bool use_encrypt_then_mac) :
-         TLS_CBC_HMAC_AEAD_Mode(cipher_algo,
+         TLS_CBC_HMAC_AEAD_Mode(DECRYPTION,
+                                cipher_algo,
                                 cipher_keylen,
                                 mac_algo,
                                 mac_keylen,
@@ -162,7 +161,7 @@ class BOTAN_TEST_API TLS_CBC_HMAC_AEAD_Decryption final : public TLS_CBC_HMAC_AE
 
    private:
       void cbc_decrypt_record(uint8_t record_contents[], size_t record_len);
-      
+
       void perform_additional_compressions(size_t plen, size_t padlen);
    };