2021-01-18 15:20:06 +03:00
|
|
|
// Copyright (c) 2019-2021 Alexander Medvednikov. All rights reserved.
|
2019-07-25 18:49:57 +03:00
|
|
|
// Use of this source code is governed by an MIT license
|
|
|
|
// that can be found in the LICENSE file.
|
|
|
|
// Cipher block chaining (CBC) mode.
|
|
|
|
// CBC provides confidentiality by xoring (chaining) each plaintext block
|
|
|
|
// with the previous ciphertext block before applying the block cipher.
|
|
|
|
// See NIST SP 800-38A, pp 10-11
|
|
|
|
// NOTE this will be moved to crypto.cipher interface (joe-c)
|
|
|
|
module aes
|
|
|
|
|
2020-04-26 14:49:31 +03:00
|
|
|
import crypto.cipher
|
|
|
|
import crypto.internal.subtle
|
2019-07-25 18:49:57 +03:00
|
|
|
|
|
|
|
struct AesCbc {
|
|
|
|
mut:
|
|
|
|
b AesCipher
|
|
|
|
block_size int
|
|
|
|
iv []byte
|
|
|
|
tmp []byte
|
|
|
|
}
|
|
|
|
|
2019-10-10 20:04:11 +03:00
|
|
|
// internal
|
|
|
|
fn new_aes_cbc(b AesCipher, iv []byte) AesCbc {
|
2019-07-25 18:49:57 +03:00
|
|
|
return AesCbc{
|
2020-10-15 00:39:09 +03:00
|
|
|
b: b
|
|
|
|
block_size: b.block_size()
|
|
|
|
iv: iv.clone()
|
|
|
|
tmp: []byte{len: (b.block_size())}
|
2019-07-25 18:49:57 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// new_cbc_encrypter returns a BlockMode which encrypts in cipher block chaining
|
|
|
|
// mode, using the given Block. The length of iv must be the same as the
|
|
|
|
// Block's block size.
|
|
|
|
pub fn new_cbc(b AesCipher, iv []byte) AesCbc {
|
|
|
|
if iv.len != b.block_size() {
|
|
|
|
panic('crypto.cipher.new_cbc_encrypter: IV length must equal block size')
|
|
|
|
}
|
2019-10-10 20:04:11 +03:00
|
|
|
return new_aes_cbc(b, iv)
|
2019-07-25 18:49:57 +03:00
|
|
|
}
|
|
|
|
|
2020-10-15 00:39:09 +03:00
|
|
|
pub fn (x &AesCbc) block_size() int {
|
|
|
|
return x.block_size
|
|
|
|
}
|
2019-07-25 18:49:57 +03:00
|
|
|
|
2020-07-10 19:04:51 +03:00
|
|
|
pub fn (x &AesCbc) encrypt_blocks(mut dst_ []byte, src_ []byte) {
|
2020-12-20 18:08:56 +03:00
|
|
|
unsafe {
|
|
|
|
mut dst := *dst_
|
|
|
|
mut src := src_
|
|
|
|
if src.len % x.block_size != 0 {
|
|
|
|
panic('crypto.cipher: input not full blocks')
|
|
|
|
}
|
|
|
|
if dst.len < src.len {
|
|
|
|
panic('crypto.cipher: output smaller than input')
|
|
|
|
}
|
|
|
|
if subtle.inexact_overlap(dst[..src.len], src_) {
|
|
|
|
panic('crypto.cipher: invalid buffer overlap')
|
|
|
|
}
|
|
|
|
mut iv := x.iv
|
|
|
|
for src.len > 0 {
|
|
|
|
// Write the xor to dst, then encrypt in place.
|
|
|
|
cipher.xor_bytes(mut dst[..x.block_size], src[..x.block_size], iv)
|
|
|
|
x.b.encrypt(mut dst[..x.block_size], mut dst[..x.block_size])
|
|
|
|
// Move to the next block with this block as the next iv.
|
|
|
|
iv = dst[..x.block_size]
|
|
|
|
if x.block_size >= src.len {
|
|
|
|
src = []
|
|
|
|
} else {
|
|
|
|
src = src[x.block_size..]
|
|
|
|
}
|
|
|
|
dst = dst[x.block_size..]
|
2019-07-25 18:49:57 +03:00
|
|
|
}
|
2020-12-20 18:08:56 +03:00
|
|
|
// Save the iv for the next crypt_blocks call.
|
|
|
|
copy(x.iv, iv)
|
2019-07-25 18:49:57 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-06-04 11:35:40 +03:00
|
|
|
pub fn (mut x AesCbc) decrypt_blocks(mut dst []byte, src []byte) {
|
2020-10-15 00:39:09 +03:00
|
|
|
if src.len % x.block_size != 0 {
|
2019-07-25 18:49:57 +03:00
|
|
|
panic('crypto.cipher: input not full blocks')
|
|
|
|
}
|
|
|
|
if dst.len < src.len {
|
|
|
|
panic('crypto.cipher: output smaller than input')
|
|
|
|
}
|
2020-04-23 16:45:25 +03:00
|
|
|
if subtle.inexact_overlap((*dst)[..src.len], src) {
|
2019-07-25 18:49:57 +03:00
|
|
|
panic('crypto.cipher: invalid buffer overlap')
|
|
|
|
}
|
|
|
|
if src.len == 0 {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
// For each block, we need to xor the decrypted data with the previous block's ciphertext (the iv).
|
|
|
|
// To avoid making a copy each time, we loop over the blocks BACKWARDS.
|
|
|
|
mut end := src.len
|
|
|
|
mut start := end - x.block_size
|
|
|
|
mut prev := start - x.block_size
|
|
|
|
// Copy the last block of ciphertext in preparation as the new iv.
|
2021-01-19 15:34:25 +03:00
|
|
|
copy(x.tmp, src[start..end])
|
2019-07-25 18:49:57 +03:00
|
|
|
// Loop over all but the first block.
|
|
|
|
for start > 0 {
|
2021-01-19 15:34:25 +03:00
|
|
|
mut src_chunk := src[start..end]
|
|
|
|
x.b.decrypt(mut (*dst)[start..end], mut src_chunk)
|
|
|
|
cipher.xor_bytes(mut (*dst)[start..end], (*dst)[start..end], src[prev..start])
|
2019-07-25 18:49:57 +03:00
|
|
|
end = start
|
|
|
|
start = prev
|
|
|
|
prev -= x.block_size
|
|
|
|
}
|
|
|
|
// The first block is special because it uses the saved iv.
|
2021-01-19 15:34:25 +03:00
|
|
|
mut src_chunk := src[start..end]
|
|
|
|
x.b.decrypt(mut (*dst)[start..end], mut src_chunk)
|
|
|
|
cipher.xor_bytes(mut (*dst)[start..end], (*dst)[start..end], x.iv)
|
2019-07-25 18:49:57 +03:00
|
|
|
// Set the new iv to the first block we copied earlier.
|
|
|
|
x.iv = x.tmp
|
|
|
|
x.tmp = x.iv
|
|
|
|
}
|
|
|
|
|
2019-12-06 15:24:53 +03:00
|
|
|
fn (x &AesCbc) set_iv(iv []byte) {
|
2019-07-25 18:49:57 +03:00
|
|
|
if iv.len != x.iv.len {
|
|
|
|
panic('cipher: incorrect length IV')
|
|
|
|
}
|
2019-07-29 17:33:35 +03:00
|
|
|
copy(x.iv, iv)
|
2019-07-25 18:49:57 +03:00
|
|
|
}
|