13235046472

Committed 10 Feb 2025 06:40AM UTC coverage: 91.652% (-0.004%) from 91.656%

Build # 13235046472

Build Type

Pull #4647

github

Committed by

web-flow

Commit Message

Merge 1d27f28ee into 7deaa69bb

Pull Request Pull Request #4647: Avoid using mem_ops.h or assert.h in public headers

Run Details

94827 of 103464 relevant lines covered (91.65%)

11135060.49 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

85.57

/src/lib/pubkey/dlies/dlies.cpp

/*
* DLIES
* (C) 1999-2007 Jack Lloyd
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/dlies.h>
#include <botan/mem_ops.h>
#include <botan/internal/ct_utils.h>
#include <botan/internal/stl_util.h>
#include <limits>

namespace Botan {

DLIES_Encryptor::DLIES_Encryptor(const DH_PrivateKey& own_priv_key,
                                 RandomNumberGenerator& rng,
                                 std::unique_ptr<KDF> kdf,
                                 std::unique_ptr<MessageAuthenticationCode> mac,
                                 size_t mac_key_length) :
      DLIES_Encryptor(own_priv_key, rng, std::move(kdf), nullptr, 0, std::move(mac), mac_key_length) {}

DLIES_Encryptor::DLIES_Encryptor(const DH_PrivateKey& own_priv_key,
                                 RandomNumberGenerator& rng,
                                 std::unique_ptr<KDF> kdf,
                                 std::unique_ptr<Cipher_Mode> cipher,
                                 size_t cipher_key_len,
                                 std::unique_ptr<MessageAuthenticationCode> mac,
                                 size_t mac_key_length) :
      m_other_pub_key(),
      m_own_pub_key(own_priv_key.public_value()),
      m_ka(own_priv_key, rng, "Raw"),
      m_kdf(std::move(kdf)),
      m_cipher(std::move(cipher)),
      m_cipher_key_len(cipher_key_len),
      m_mac(std::move(mac)),
      m_mac_keylen(mac_key_length),
      m_iv() {
   BOTAN_ASSERT_NONNULL(m_kdf);
   BOTAN_ASSERT_NONNULL(m_mac);
}

std::vector<uint8_t> DLIES_Encryptor::enc(const uint8_t in[], size_t length, RandomNumberGenerator& /*unused*/) const {
   if(m_other_pub_key.empty()) {
      throw Invalid_State("DLIES: The other key was never set");
   }

   // calculate secret value
   const SymmetricKey secret_value = m_ka.derive_key(0, m_other_pub_key);

   // derive secret key from secret value
   const size_t required_key_length = m_cipher ? m_cipher_key_len + m_mac_keylen : length + m_mac_keylen;
   const secure_vector<uint8_t> secret_keys = m_kdf->derive_key(required_key_length, secret_value.bits_of());

   if(secret_keys.size() != required_key_length) {
      throw Encoding_Error("DLIES: KDF did not provide sufficient output");
   }

   secure_vector<uint8_t> ciphertext(in, in + length);
   const size_t cipher_key_len = m_cipher ? m_cipher_key_len : length;

   if(m_cipher) {
      SymmetricKey enc_key(secret_keys.data(), cipher_key_len);
      m_cipher->set_key(enc_key);

      if(m_iv.empty() && !m_cipher->valid_nonce_length(m_iv.size())) {
         throw Invalid_Argument("DLIES with " + m_cipher->name() + " requires an IV be set");
      }
      m_cipher->start(m_iv.bits_of());
      m_cipher->finish(ciphertext);
   } else {
      xor_buf(ciphertext, secret_keys, cipher_key_len);
   }

   // calculate MAC
   m_mac->set_key(secret_keys.data() + cipher_key_len, m_mac_keylen);
   const auto tag = m_mac->process(ciphertext);

   // out = (ephemeral) public key + ciphertext + tag
   return concat(m_own_pub_key, ciphertext, tag);
}

/**
* Return the max size, in bytes, of a message
* We assume DLIES is only used for key transport and limit the maximum size
* to 512 bits
*/
size_t DLIES_Encryptor::maximum_input_size() const {
   return 64;
}

size_t DLIES_Encryptor::ciphertext_length(size_t ptext_len) const {
   return m_own_pub_key.size() + m_mac->output_length() + m_cipher->output_length(ptext_len);
}

DLIES_Decryptor::DLIES_Decryptor(const DH_PrivateKey& own_priv_key,
                                 RandomNumberGenerator& rng,
                                 std::unique_ptr<KDF> kdf,
                                 std::unique_ptr<Cipher_Mode> cipher,
                                 size_t cipher_key_len,
                                 std::unique_ptr<MessageAuthenticationCode> mac,
                                 size_t mac_key_length) :
      m_pub_key_size(own_priv_key.public_value().size()),
      m_ka(own_priv_key, rng, "Raw"),
      m_kdf(std::move(kdf)),
      m_cipher(std::move(cipher)),
      m_cipher_key_len(cipher_key_len),
      m_mac(std::move(mac)),
      m_mac_keylen(mac_key_length),
      m_iv() {
   BOTAN_ASSERT_NONNULL(m_kdf);
   BOTAN_ASSERT_NONNULL(m_mac);
}

DLIES_Decryptor::DLIES_Decryptor(const DH_PrivateKey& own_priv_key,
                                 RandomNumberGenerator& rng,
                                 std::unique_ptr<KDF> kdf,
                                 std::unique_ptr<MessageAuthenticationCode> mac,
                                 size_t mac_key_length) :
      DLIES_Decryptor(own_priv_key, rng, std::move(kdf), nullptr, 0, std::move(mac), mac_key_length) {}

size_t DLIES_Decryptor::plaintext_length(size_t ctext_len) const {
   if(ctext_len < m_pub_key_size + m_mac->output_length()) {
      return 0;  // will throw if attempted
   }

   return ctext_len - (m_pub_key_size + m_mac->output_length());
}

secure_vector<uint8_t> DLIES_Decryptor::do_decrypt(uint8_t& valid_mask, const uint8_t msg[], size_t length) const {
   if(length < m_pub_key_size + m_mac->output_length()) {
      throw Decoding_Error("DLIES decryption: ciphertext is too short");
   }

   // calculate secret value
   std::vector<uint8_t> other_pub_key(msg, msg + m_pub_key_size);
   const SymmetricKey secret_value = m_ka.derive_key(0, other_pub_key);

   const size_t ciphertext_len = length - m_pub_key_size - m_mac->output_length();
   size_t cipher_key_len = m_cipher ? m_cipher_key_len : ciphertext_len;

   // derive secret key from secret value
   const size_t required_key_length = cipher_key_len + m_mac_keylen;
   secure_vector<uint8_t> secret_keys = m_kdf->derive_key(required_key_length, secret_value.bits_of());

   if(secret_keys.size() != required_key_length) {
      throw Encoding_Error("DLIES: KDF did not provide sufficient output");
   }

   secure_vector<uint8_t> ciphertext(msg + m_pub_key_size, msg + m_pub_key_size + ciphertext_len);

   // calculate MAC
   m_mac->set_key(secret_keys.data() + cipher_key_len, m_mac_keylen);
   secure_vector<uint8_t> calculated_tag = m_mac->process(ciphertext);

   // calculated tag == received tag ?
   secure_vector<uint8_t> tag(msg + m_pub_key_size + ciphertext_len,
                              msg + m_pub_key_size + ciphertext_len + m_mac->output_length());

   valid_mask = CT::is_equal(tag.data(), calculated_tag.data(), tag.size()).value();

   // decrypt
   if(m_cipher) {
      if(valid_mask) {
         SymmetricKey dec_key(secret_keys.data(), cipher_key_len);
         m_cipher->set_key(dec_key);

         try {
            // the decryption can fail:
            // e.g. Invalid_Authentication_Tag is thrown if GCM is used and the message does not have a valid tag

            if(m_iv.empty() && !m_cipher->valid_nonce_length(m_iv.size())) {
               throw Invalid_Argument("DLIES with " + m_cipher->name() + " requires an IV be set");
            }
            m_cipher->start(m_iv.bits_of());
            m_cipher->finish(ciphertext);
         } catch(...) {
            valid_mask = 0;
         }

      } else {
         return secure_vector<uint8_t>();
      }
   } else {
      xor_buf(ciphertext, secret_keys.data(), cipher_key_len);
   }

   return ciphertext;
}

}  // namespace Botan

1	/*
2	* DLIES
3	* (C) 1999-2007 Jack Lloyd
4	* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5	*
6	* Botan is released under the Simplified BSD License (see license.txt)
7	*/
8
9	#include <botan/dlies.h>
10	#include <botan/mem_ops.h>
11	#include <botan/internal/ct_utils.h>
12	#include <botan/internal/stl_util.h>
13	#include <limits>
14
15	namespace Botan {
16
17	DLIES_Encryptor::DLIES_Encryptor(const DH_PrivateKey& own_priv_key,	4✔
18	RandomNumberGenerator& rng,
19	std::unique_ptr<KDF> kdf,
20	std::unique_ptr<MessageAuthenticationCode> mac,
21	size_t mac_key_length) :	4✔
22	DLIES_Encryptor(own_priv_key, rng, std::move(kdf), nullptr, 0, std::move(mac), mac_key_length) {}	8✔
23
24	DLIES_Encryptor::DLIES_Encryptor(const DH_PrivateKey& own_priv_key,	76✔
25	RandomNumberGenerator& rng,
26	std::unique_ptr<KDF> kdf,
27	std::unique_ptr<Cipher_Mode> cipher,
28	size_t cipher_key_len,
29	std::unique_ptr<MessageAuthenticationCode> mac,
30	size_t mac_key_length) :	76✔
31	m_other_pub_key(),	76✔
32	m_own_pub_key(own_priv_key.public_value()),	76✔
33	m_ka(own_priv_key, rng, "Raw"),	76✔
34	m_kdf(std::move(kdf)),	76✔
35	m_cipher(std::move(cipher)),	76✔
36	m_cipher_key_len(cipher_key_len),	76✔
37	m_mac(std::move(mac)),	76✔
38	m_mac_keylen(mac_key_length),	76✔
39	m_iv() {	152✔
40	BOTAN_ASSERT_NONNULL(m_kdf);	76✔
41	BOTAN_ASSERT_NONNULL(m_mac);	76✔
42	}	76✔
43
44	std::vector<uint8_t> DLIES_Encryptor::enc(const uint8_t in[], size_t length, RandomNumberGenerator& /unused/) const {	80✔
45	if(m_other_pub_key.empty()) {	80✔
46	throw Invalid_State("DLIES: The other key was never set");	4✔
47	}
48
49	// calculate secret value
50	const SymmetricKey secret_value = m_ka.derive_key(0, m_other_pub_key);	76✔
51
52	// derive secret key from secret value
53	const size_t required_key_length = m_cipher ? m_cipher_key_len + m_mac_keylen : length + m_mac_keylen;	76✔
54	const secure_vector<uint8_t> secret_keys = m_kdf->derive_key(required_key_length, secret_value.bits_of());	76✔
55
56	if(secret_keys.size() != required_key_length) {	76✔
57	throw Encoding_Error("DLIES: KDF did not provide sufficient output");	×
58	}
59
60	secure_vector<uint8_t> ciphertext(in, in + length);	76✔
61	const size_t cipher_key_len = m_cipher ? m_cipher_key_len : length;	76✔
62
63	if(m_cipher) {	76✔
64	SymmetricKey enc_key(secret_keys.data(), cipher_key_len);	50✔
65	m_cipher->set_key(enc_key);	50✔
66
67	if(m_iv.empty() && !m_cipher->valid_nonce_length(m_iv.size())) {	50✔
68	throw Invalid_Argument("DLIES with " + m_cipher->name() + " requires an IV be set");	×
69	}
70	m_cipher->start(m_iv.bits_of());	50✔
71	m_cipher->finish(ciphertext);	50✔
72	} else {	50✔
73	xor_buf(ciphertext, secret_keys, cipher_key_len);	26✔
74	}
75
76	// calculate MAC
77	m_mac->set_key(secret_keys.data() + cipher_key_len, m_mac_keylen);	76✔
78	const auto tag = m_mac->process(ciphertext);	76✔
79
80	// out = (ephemeral) public key + ciphertext + tag
81	return concat(m_own_pub_key, ciphertext, tag);	76✔
82	}	304✔
83
84	/**
85	* Return the max size, in bytes, of a message
86	* We assume DLIES is only used for key transport and limit the maximum size
87	* to 512 bits
88	*/
89	size_t DLIES_Encryptor::maximum_input_size() const {	×
90	return 64;	×
91	}
92
93	size_t DLIES_Encryptor::ciphertext_length(size_t ptext_len) const {	×
94	return m_own_pub_key.size() + m_mac->output_length() + m_cipher->output_length(ptext_len);	×
95	}
96
97	DLIES_Decryptor::DLIES_Decryptor(const DH_PrivateKey& own_priv_key,	76✔
98	RandomNumberGenerator& rng,
99	std::unique_ptr<KDF> kdf,
100	std::unique_ptr<Cipher_Mode> cipher,
101	size_t cipher_key_len,
102	std::unique_ptr<MessageAuthenticationCode> mac,
103	size_t mac_key_length) :	76✔
104	m_pub_key_size(own_priv_key.public_value().size()),	76✔
105	m_ka(own_priv_key, rng, "Raw"),	76✔
106	m_kdf(std::move(kdf)),	76✔
107	m_cipher(std::move(cipher)),	76✔
108	m_cipher_key_len(cipher_key_len),	76✔
109	m_mac(std::move(mac)),	76✔
110	m_mac_keylen(mac_key_length),	76✔
111	m_iv() {	152✔
112	BOTAN_ASSERT_NONNULL(m_kdf);	76✔
113	BOTAN_ASSERT_NONNULL(m_mac);	76✔
114	}	76✔
115
116	DLIES_Decryptor::DLIES_Decryptor(const DH_PrivateKey& own_priv_key,	4✔
117	RandomNumberGenerator& rng,
118	std::unique_ptr<KDF> kdf,
119	std::unique_ptr<MessageAuthenticationCode> mac,
120	size_t mac_key_length) :	4✔
121	DLIES_Decryptor(own_priv_key, rng, std::move(kdf), nullptr, 0, std::move(mac), mac_key_length) {}	8✔
122
123	size_t DLIES_Decryptor::plaintext_length(size_t ctext_len) const {	×
124	if(ctext_len < m_pub_key_size + m_mac->output_length()) {	×
125	return 0; // will throw if attempted
126	}
127
128	return ctext_len - (m_pub_key_size + m_mac->output_length());	×
129	}
130
131	secure_vector<uint8_t> DLIES_Decryptor::do_decrypt(uint8_t& valid_mask, const uint8_t msg[], size_t length) const {	1,600✔
132	if(length < m_pub_key_size + m_mac->output_length()) {	1,600✔
133	throw Decoding_Error("DLIES decryption: ciphertext is too short");	4✔
134	}
135
136	// calculate secret value
137	std::vector<uint8_t> other_pub_key(msg, msg + m_pub_key_size);	1,596✔
138	const SymmetricKey secret_value = m_ka.derive_key(0, other_pub_key);	1,596✔
139
140	const size_t ciphertext_len = length - m_pub_key_size - m_mac->output_length();	1,596✔
141	size_t cipher_key_len = m_cipher ? m_cipher_key_len : ciphertext_len;	1,596✔
142
143	// derive secret key from secret value
144	const size_t required_key_length = cipher_key_len + m_mac_keylen;	1,596✔
145	secure_vector<uint8_t> secret_keys = m_kdf->derive_key(required_key_length, secret_value.bits_of());	1,596✔
146
147	if(secret_keys.size() != required_key_length) {	1,596✔
148	throw Encoding_Error("DLIES: KDF did not provide sufficient output");	×
149	}
150
151	secure_vector<uint8_t> ciphertext(msg + m_pub_key_size, msg + m_pub_key_size + ciphertext_len);	1,596✔
152
153	// calculate MAC
154	m_mac->set_key(secret_keys.data() + cipher_key_len, m_mac_keylen);	1,596✔
155	secure_vector<uint8_t> calculated_tag = m_mac->process(ciphertext);	1,596✔
156
157	// calculated tag == received tag ?
158	secure_vector<uint8_t> tag(msg + m_pub_key_size + ciphertext_len,	3,192✔
159	msg + m_pub_key_size + ciphertext_len + m_mac->output_length());	1,596✔
160
161	valid_mask = CT::is_equal(tag.data(), calculated_tag.data(), tag.size()).value();	3,192✔
162
163	// decrypt
164	if(m_cipher) {	1,596✔
165	if(valid_mask) {	1,050✔
166	SymmetricKey dec_key(secret_keys.data(), cipher_key_len);	50✔
167	m_cipher->set_key(dec_key);	50✔
168
169	try {	50✔
170	// the decryption can fail:
171	// e.g. Invalid_Authentication_Tag is thrown if GCM is used and the message does not have a valid tag
172
173	if(m_iv.empty() && !m_cipher->valid_nonce_length(m_iv.size())) {	50✔
174	throw Invalid_Argument("DLIES with " + m_cipher->name() + " requires an IV be set");	×
175	}
176	m_cipher->start(m_iv.bits_of());	50✔
177	m_cipher->finish(ciphertext);	50✔
178	} catch(...) {	×
179	valid_mask = 0;	×
180	}	×
181
182	} else {	50✔
183	return secure_vector<uint8_t>();	1,000✔
184	}
185	} else {
186	xor_buf(ciphertext, secret_keys.data(), cipher_key_len);	546✔
187	}
188
189	return ciphertext;	596✔
190	}	8,980✔
191
192	} // namespace Botan

randombit / botan / 13235046472

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous