6513134972

Committed 13 Oct 2023 09:12PM UTC coverage: 91.709% (+0.001%) from 91.708%

Build # 6513134972

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #3756 from randombit/jack/bufferstuffer-in-ecies-dlies

Use concat in DLIES and ECIES

Run Details

80027 of 87262 relevant lines covered (91.71%)

8505971.38 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

85.57

/src/lib/pubkey/dlies/dlies.cpp

/*
* DLIES
* (C) 1999-2007 Jack Lloyd
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/dlies.h>
#include <botan/internal/stl_util.h>
#include <limits>

namespace Botan {

DLIES_Encryptor::DLIES_Encryptor(const DH_PrivateKey& own_priv_key,
                                 RandomNumberGenerator& rng,
                                 std::unique_ptr<KDF> kdf,
                                 std::unique_ptr<MessageAuthenticationCode> mac,
                                 size_t mac_key_length) :
      DLIES_Encryptor(own_priv_key, rng, std::move(kdf), nullptr, 0, std::move(mac), mac_key_length) {}

DLIES_Encryptor::DLIES_Encryptor(const DH_PrivateKey& own_priv_key,
                                 RandomNumberGenerator& rng,
                                 std::unique_ptr<KDF> kdf,
                                 std::unique_ptr<Cipher_Mode> cipher,
                                 size_t cipher_key_len,
                                 std::unique_ptr<MessageAuthenticationCode> mac,
                                 size_t mac_key_length) :
      m_other_pub_key(),
      m_own_pub_key(own_priv_key.public_value()),
      m_ka(own_priv_key, rng, "Raw"),
      m_kdf(std::move(kdf)),
      m_cipher(std::move(cipher)),
      m_cipher_key_len(cipher_key_len),
      m_mac(std::move(mac)),
      m_mac_keylen(mac_key_length),
      m_iv() {
   BOTAN_ASSERT_NONNULL(m_kdf);
   BOTAN_ASSERT_NONNULL(m_mac);
}

std::vector<uint8_t> DLIES_Encryptor::enc(const uint8_t in[], size_t length, RandomNumberGenerator& /*unused*/) const {
   if(m_other_pub_key.empty()) {
      throw Invalid_State("DLIES: The other key was never set");
   }

   // calculate secret value
   const SymmetricKey secret_value = m_ka.derive_key(0, m_other_pub_key);

   // derive secret key from secret value
   const size_t required_key_length = m_cipher ? m_cipher_key_len + m_mac_keylen : length + m_mac_keylen;
   const secure_vector<uint8_t> secret_keys = m_kdf->derive_key(required_key_length, secret_value.bits_of());

   if(secret_keys.size() != required_key_length) {
      throw Encoding_Error("DLIES: KDF did not provide sufficient output");
   }

   secure_vector<uint8_t> ciphertext(in, in + length);
   const size_t cipher_key_len = m_cipher ? m_cipher_key_len : length;

   if(m_cipher) {
      SymmetricKey enc_key(secret_keys.data(), cipher_key_len);
      m_cipher->set_key(enc_key);

      if(m_iv.empty() && !m_cipher->valid_nonce_length(m_iv.size())) {
         throw Invalid_Argument("DLIES with " + m_cipher->name() + " requires an IV be set");
      }
      m_cipher->start(m_iv.bits_of());
      m_cipher->finish(ciphertext);
   } else {
      xor_buf(ciphertext, secret_keys, cipher_key_len);
   }

   // calculate MAC
   m_mac->set_key(secret_keys.data() + cipher_key_len, m_mac_keylen);
   const auto tag = m_mac->process(ciphertext);

   // out = (ephemeral) public key + ciphertext + tag
   return concat(m_own_pub_key, ciphertext, tag);
}

/**
* Return the max size, in bytes, of a message
* We assume DLIES is only used for key transport and limit the maximum size
* to 512 bits
*/
size_t DLIES_Encryptor::maximum_input_size() const {
   return 64;
}

size_t DLIES_Encryptor::ciphertext_length(size_t ptext_len) const {
   return m_own_pub_key.size() + m_mac->output_length() + m_cipher->output_length(ptext_len);
}

DLIES_Decryptor::DLIES_Decryptor(const DH_PrivateKey& own_priv_key,
                                 RandomNumberGenerator& rng,
                                 std::unique_ptr<KDF> kdf,
                                 std::unique_ptr<Cipher_Mode> cipher,
                                 size_t cipher_key_len,
                                 std::unique_ptr<MessageAuthenticationCode> mac,
                                 size_t mac_key_length) :
      m_pub_key_size(own_priv_key.public_value().size()),
      m_ka(own_priv_key, rng, "Raw"),
      m_kdf(std::move(kdf)),
      m_cipher(std::move(cipher)),
      m_cipher_key_len(cipher_key_len),
      m_mac(std::move(mac)),
      m_mac_keylen(mac_key_length),
      m_iv() {
   BOTAN_ASSERT_NONNULL(m_kdf);
   BOTAN_ASSERT_NONNULL(m_mac);
}

DLIES_Decryptor::DLIES_Decryptor(const DH_PrivateKey& own_priv_key,
                                 RandomNumberGenerator& rng,
                                 std::unique_ptr<KDF> kdf,
                                 std::unique_ptr<MessageAuthenticationCode> mac,
                                 size_t mac_key_length) :
      DLIES_Decryptor(own_priv_key, rng, std::move(kdf), nullptr, 0, std::move(mac), mac_key_length) {}

size_t DLIES_Decryptor::plaintext_length(size_t ctext_len) const {
   if(ctext_len < m_pub_key_size + m_mac->output_length()) {
      return 0;  // will throw if attempted
   }

   return ctext_len - (m_pub_key_size + m_mac->output_length());
}

secure_vector<uint8_t> DLIES_Decryptor::do_decrypt(uint8_t& valid_mask, const uint8_t msg[], size_t length) const {
   if(length < m_pub_key_size + m_mac->output_length()) {
      throw Decoding_Error("DLIES decryption: ciphertext is too short");
   }

   // calculate secret value
   std::vector<uint8_t> other_pub_key(msg, msg + m_pub_key_size);
   const SymmetricKey secret_value = m_ka.derive_key(0, other_pub_key);

   const size_t ciphertext_len = length - m_pub_key_size - m_mac->output_length();
   size_t cipher_key_len = m_cipher ? m_cipher_key_len : ciphertext_len;

   // derive secret key from secret value
   const size_t required_key_length = cipher_key_len + m_mac_keylen;
   secure_vector<uint8_t> secret_keys = m_kdf->derive_key(required_key_length, secret_value.bits_of());

   if(secret_keys.size() != required_key_length) {
      throw Encoding_Error("DLIES: KDF did not provide sufficient output");
   }

   secure_vector<uint8_t> ciphertext(msg + m_pub_key_size, msg + m_pub_key_size + ciphertext_len);

   // calculate MAC
   m_mac->set_key(secret_keys.data() + cipher_key_len, m_mac_keylen);
   secure_vector<uint8_t> calculated_tag = m_mac->process(ciphertext);

   // calculated tag == received tag ?
   secure_vector<uint8_t> tag(msg + m_pub_key_size + ciphertext_len,
                              msg + m_pub_key_size + ciphertext_len + m_mac->output_length());

   valid_mask = ct_compare_u8(tag.data(), calculated_tag.data(), tag.size());

   // decrypt
   if(m_cipher) {
      if(valid_mask) {
         SymmetricKey dec_key(secret_keys.data(), cipher_key_len);
         m_cipher->set_key(dec_key);

         try {
            // the decryption can fail:
            // e.g. Invalid_Authentication_Tag is thrown if GCM is used and the message does not have a valid tag

            if(m_iv.empty() && !m_cipher->valid_nonce_length(m_iv.size())) {
               throw Invalid_Argument("DLIES with " + m_cipher->name() + " requires an IV be set");
            }
            m_cipher->start(m_iv.bits_of());
            m_cipher->finish(ciphertext);
         } catch(...) {
            valid_mask = 0;
         }

      } else {
         return secure_vector<uint8_t>();
      }
   } else {
      xor_buf(ciphertext, secret_keys.data(), cipher_key_len);
   }

   return ciphertext;
}

}  // namespace Botan

1	/*
2	* DLIES
3	* (C) 1999-2007 Jack Lloyd
4	* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5	*
6	* Botan is released under the Simplified BSD License (see license.txt)
7	*/
8
9	#include <botan/dlies.h>
10	#include <botan/internal/stl_util.h>
11	#include <limits>
12
13	namespace Botan {
14
15	DLIES_Encryptor::DLIES_Encryptor(const DH_PrivateKey& own_priv_key,	4✔
16	RandomNumberGenerator& rng,
17	std::unique_ptr<KDF> kdf,
18	std::unique_ptr<MessageAuthenticationCode> mac,
19	size_t mac_key_length) :	4✔
20	DLIES_Encryptor(own_priv_key, rng, std::move(kdf), nullptr, 0, std::move(mac), mac_key_length) {}	8✔
21
22	DLIES_Encryptor::DLIES_Encryptor(const DH_PrivateKey& own_priv_key,	76✔
23	RandomNumberGenerator& rng,
24	std::unique_ptr<KDF> kdf,
25	std::unique_ptr<Cipher_Mode> cipher,
26	size_t cipher_key_len,
27	std::unique_ptr<MessageAuthenticationCode> mac,
28	size_t mac_key_length) :	76✔
29	m_other_pub_key(),	76✔
30	m_own_pub_key(own_priv_key.public_value()),	76✔
31	m_ka(own_priv_key, rng, "Raw"),	76✔
32	m_kdf(std::move(kdf)),	76✔
33	m_cipher(std::move(cipher)),	76✔
34	m_cipher_key_len(cipher_key_len),	76✔
35	m_mac(std::move(mac)),	76✔
36	m_mac_keylen(mac_key_length),	76✔
37	m_iv() {	152✔
38	BOTAN_ASSERT_NONNULL(m_kdf);	76✔
39	BOTAN_ASSERT_NONNULL(m_mac);	76✔
40	}	76✔
41
42	std::vector<uint8_t> DLIES_Encryptor::enc(const uint8_t in[], size_t length, RandomNumberGenerator& /unused/) const {	80✔
43	if(m_other_pub_key.empty()) {	80✔
44	throw Invalid_State("DLIES: The other key was never set");	4✔
45	}
46
47	// calculate secret value
48	const SymmetricKey secret_value = m_ka.derive_key(0, m_other_pub_key);	76✔
49
50	// derive secret key from secret value
51	const size_t required_key_length = m_cipher ? m_cipher_key_len + m_mac_keylen : length + m_mac_keylen;	76✔
52	const secure_vector<uint8_t> secret_keys = m_kdf->derive_key(required_key_length, secret_value.bits_of());	76✔
53
54	if(secret_keys.size() != required_key_length) {	76✔
55	throw Encoding_Error("DLIES: KDF did not provide sufficient output");	×
56	}
57
58	secure_vector<uint8_t> ciphertext(in, in + length);	76✔
59	const size_t cipher_key_len = m_cipher ? m_cipher_key_len : length;	76✔
60
61	if(m_cipher) {	76✔
62	SymmetricKey enc_key(secret_keys.data(), cipher_key_len);	50✔
63	m_cipher->set_key(enc_key);	50✔
64
65	if(m_iv.empty() && !m_cipher->valid_nonce_length(m_iv.size())) {	50✔
66	throw Invalid_Argument("DLIES with " + m_cipher->name() + " requires an IV be set");	×
67	}
68	m_cipher->start(m_iv.bits_of());	50✔
69	m_cipher->finish(ciphertext);	50✔
70	} else {	50✔
71	xor_buf(ciphertext, secret_keys, cipher_key_len);	26✔
72	}
73
74	// calculate MAC
75	m_mac->set_key(secret_keys.data() + cipher_key_len, m_mac_keylen);	76✔
76	const auto tag = m_mac->process(ciphertext);	76✔
77
78	// out = (ephemeral) public key + ciphertext + tag
79	return concat(m_own_pub_key, ciphertext, tag);	76✔
80	}	304✔
81
82	/**
83	* Return the max size, in bytes, of a message
84	* We assume DLIES is only used for key transport and limit the maximum size
85	* to 512 bits
86	*/
87	size_t DLIES_Encryptor::maximum_input_size() const {	×
88	return 64;	×
89	}
90
91	size_t DLIES_Encryptor::ciphertext_length(size_t ptext_len) const {	×
92	return m_own_pub_key.size() + m_mac->output_length() + m_cipher->output_length(ptext_len);	×
93	}
94
95	DLIES_Decryptor::DLIES_Decryptor(const DH_PrivateKey& own_priv_key,	76✔
96	RandomNumberGenerator& rng,
97	std::unique_ptr<KDF> kdf,
98	std::unique_ptr<Cipher_Mode> cipher,
99	size_t cipher_key_len,
100	std::unique_ptr<MessageAuthenticationCode> mac,
101	size_t mac_key_length) :	76✔
102	m_pub_key_size(own_priv_key.public_value().size()),	76✔
103	m_ka(own_priv_key, rng, "Raw"),	76✔
104	m_kdf(std::move(kdf)),	152✔
105	m_cipher(std::move(cipher)),	76✔
106	m_cipher_key_len(cipher_key_len),	76✔
107	m_mac(std::move(mac)),	76✔
108	m_mac_keylen(mac_key_length),	76✔
109	m_iv() {	152✔
110	BOTAN_ASSERT_NONNULL(m_kdf);	76✔
111	BOTAN_ASSERT_NONNULL(m_mac);	76✔
112	}	76✔
113
114	DLIES_Decryptor::DLIES_Decryptor(const DH_PrivateKey& own_priv_key,	4✔
115	RandomNumberGenerator& rng,
116	std::unique_ptr<KDF> kdf,
117	std::unique_ptr<MessageAuthenticationCode> mac,
118	size_t mac_key_length) :	4✔
119	DLIES_Decryptor(own_priv_key, rng, std::move(kdf), nullptr, 0, std::move(mac), mac_key_length) {}	8✔
120
121	size_t DLIES_Decryptor::plaintext_length(size_t ctext_len) const {	×
122	if(ctext_len < m_pub_key_size + m_mac->output_length()) {	×
123	return 0; // will throw if attempted
124	}
125
126	return ctext_len - (m_pub_key_size + m_mac->output_length());	×
127	}
128
129	secure_vector<uint8_t> DLIES_Decryptor::do_decrypt(uint8_t& valid_mask, const uint8_t msg[], size_t length) const {	1,600✔
130	if(length < m_pub_key_size + m_mac->output_length()) {	1,600✔
131	throw Decoding_Error("DLIES decryption: ciphertext is too short");	4✔
132	}
133
134	// calculate secret value
135	std::vector<uint8_t> other_pub_key(msg, msg + m_pub_key_size);	1,596✔
136	const SymmetricKey secret_value = m_ka.derive_key(0, other_pub_key);	1,596✔
137
138	const size_t ciphertext_len = length - m_pub_key_size - m_mac->output_length();	1,596✔
139	size_t cipher_key_len = m_cipher ? m_cipher_key_len : ciphertext_len;	1,596✔
140
141	// derive secret key from secret value
142	const size_t required_key_length = cipher_key_len + m_mac_keylen;	1,596✔
143	secure_vector<uint8_t> secret_keys = m_kdf->derive_key(required_key_length, secret_value.bits_of());	1,596✔
144
145	if(secret_keys.size() != required_key_length) {	1,596✔
146	throw Encoding_Error("DLIES: KDF did not provide sufficient output");	×
147	}
148
149	secure_vector<uint8_t> ciphertext(msg + m_pub_key_size, msg + m_pub_key_size + ciphertext_len);	1,596✔
150
151	// calculate MAC
152	m_mac->set_key(secret_keys.data() + cipher_key_len, m_mac_keylen);	1,596✔
153	secure_vector<uint8_t> calculated_tag = m_mac->process(ciphertext);	1,596✔
154
155	// calculated tag == received tag ?
156	secure_vector<uint8_t> tag(msg + m_pub_key_size + ciphertext_len,	3,192✔
157	msg + m_pub_key_size + ciphertext_len + m_mac->output_length());	1,596✔
158
159	valid_mask = ct_compare_u8(tag.data(), calculated_tag.data(), tag.size());	1,596✔
160
161	// decrypt
162	if(m_cipher) {	1,596✔
163	if(valid_mask) {	1,050✔
164	SymmetricKey dec_key(secret_keys.data(), cipher_key_len);	50✔
165	m_cipher->set_key(dec_key);	50✔
166
167	try {	50✔
168	// the decryption can fail:
169	// e.g. Invalid_Authentication_Tag is thrown if GCM is used and the message does not have a valid tag
170
171	if(m_iv.empty() && !m_cipher->valid_nonce_length(m_iv.size())) {	50✔
172	throw Invalid_Argument("DLIES with " + m_cipher->name() + " requires an IV be set");	×
173	}
174	m_cipher->start(m_iv.bits_of());	50✔
175	m_cipher->finish(ciphertext);	50✔
176	} catch(...) {	×
177	valid_mask = 0;	×
178	}	×
179
180	} else {	50✔
181	return secure_vector<uint8_t>();	1,000✔
182	}
183	} else {
184	xor_buf(ciphertext, secret_keys.data(), cipher_key_len);	546✔
185	}
186
187	return ciphertext;	1,596✔
188	}	8,980✔
189
190	} // namespace Botan

randombit / botan / 6513134972

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous