Refactor: Cipher_Mode::finish_msg() using std::span

Previously, the internal customization point finish_msg() did take a
std::vector and re-allocated it to accomodate or discard encryption
overhead such as paddings and/or AEAD tags. This forces downstream users
into using a std::vector and potentially copy data, even when they could
pre-allocate enough memory out-of-band in their application.

Additionally, an offset was provided to deal with prefix bytes within
the vector that should not be processed. The handling of this offset was
duplicated in each concrete Cipher_Mode implementation. This is now
factored out into the base class.

The changes in this commit are not public-facing as they just affect the
internal customization point.

Author: reneme

src/fuzzer/mode_padding.cpp

@@ -161,7 +161,7 @@ void fuzz(std::span<const uint8_t> in) {
       FUZZER_ASSERT_EQUAL(ct_esp, ref_esp);
    }
 
-   const uint16_t ct_cbc = Botan::TLS::check_tls_cbc_padding(in.data(), len);
+   const uint16_t ct_cbc = Botan::TLS::check_tls_cbc_padding(in);
    const uint16_t ref_cbc = ref_tls_cbc_unpad(in);
    FUZZER_ASSERT_EQUAL(ct_cbc, ref_cbc);
 }

src/lib/modes/aead/ccm/ccm.cpp

@@ -11,6 +11,7 @@
 #include <botan/internal/ct_utils.h>
 #include <botan/internal/fmt.h>
 #include <botan/internal/loadstor.h>
+#include <botan/internal/stl_util.h>
 
 namespace Botan {
 
@@ -168,24 +169,28 @@ secure_vector<uint8_t> CCM_Mode::format_c0() {
    return C;
 }
 
-void CCM_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
-   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
+size_t CCM_Encryption::finish_msg(std::span<uint8_t> buffer, size_t input_bytes) {
+   const auto tag_length = tag_size();
+   const auto& buffered = msg_buf();
 
-   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
+   BOTAN_ASSERT_NOMSG(buffered.size() + input_bytes + tag_length == buffer.size());
 
-   const size_t sz = buffer.size() - offset;
-   uint8_t* buf = buffer.data() + offset;
+   const auto entire_payload = buffer.first(buffered.size() + input_bytes);
+   const auto tag = buffer.last(tag_length);
 
    const secure_vector<uint8_t>& ad = ad_buf();
    BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
 
    const BlockCipher& E = cipher();
 
+   // TODO: consider using std::array<> for all those block-size'ed buffers
+   //       (this requires adapting more helper functions like `format_b0`, ...)
    secure_vector<uint8_t> T(CCM_BS);
-   E.encrypt(format_b0(sz), T);
+   E.encrypt(format_b0(entire_payload.size()), T);
 
-   for(size_t i = 0; i != ad.size(); i += CCM_BS) {
-      xor_buf(T.data(), &ad[i], CCM_BS);
+   BufferSlicer ad_bs(ad);
+   while(!ad_bs.empty()) {
+      xor_buf(T, ad_bs.take(CCM_BS));
       E.encrypt(T);
    }
 
@@ -196,48 +201,61 @@ void CCM_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
 
    secure_vector<uint8_t> X(CCM_BS);
 
-   const uint8_t* buf_end = &buf[sz];
+   // copy all buffered input into the in/out buffer if needed
+   if(!buffered.empty()) {
+      copy_mem(entire_payload.last(input_bytes), entire_payload.first(input_bytes));
+      copy_mem(entire_payload.first(buffered.size()), buffered);
+   }
+
+   // TODO: Use BufferTransformer, once it is available
+   //       See https://github.com/randombit/botan/pull/4151
+   BufferSlicer payload_slicer(entire_payload);
+   BufferStuffer payload_stuffer(entire_payload);
 
-   while(buf != buf_end) {
-      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
+   while(!payload_slicer.empty()) {
+      const size_t to_proc = std::min<size_t>(CCM_BS, payload_slicer.remaining());
+      const auto in_chunk = payload_slicer.take(to_proc);
+      const auto out_chunk = payload_stuffer.next(to_proc);
 
-      xor_buf(T.data(), buf, to_proc);
+      xor_buf(std::span{T}.first(in_chunk.size()), in_chunk);
       E.encrypt(T);
 
       E.encrypt(C, X);
-      xor_buf(buf, X.data(), to_proc);
+      xor_buf(out_chunk, std::span{X}.first(out_chunk.size()));
       inc(C);
-
-      buf += to_proc;
    }
 
    T ^= S0;
 
-   buffer += std::make_pair(T.data(), tag_size());
+   BOTAN_DEBUG_ASSERT(tag.size() <= T.size());
+   copy_mem(tag, std::span{T}.first(tag.size()));
 
    reset();
-}
 
-void CCM_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
-   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
+   return buffer.size();
+}
 
-   buffer.insert(buffer.begin() + offset, msg_buf().begin(), msg_buf().end());
+size_t CCM_Decryption::finish_msg(std::span<uint8_t> buffer, size_t input_bytes) {
+   const auto tag_length = tag_size();
+   const auto& buffered = msg_buf();
 
-   const size_t sz = buffer.size() - offset;
-   uint8_t* buf = buffer.data() + offset;
+   BOTAN_ASSERT_NOMSG(buffer.size() >= tag_length);
+   BOTAN_ASSERT_NOMSG(buffered.size() + input_bytes == buffer.size());
 
-   BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");
+   const auto entire_payload = buffer.first(buffer.size() - tag_length);
+   const auto tag = buffer.last(tag_length);
 
    const secure_vector<uint8_t>& ad = ad_buf();
    BOTAN_ARG_CHECK(ad.size() % CCM_BS == 0, "AD is block size multiple");
 
    const BlockCipher& E = cipher();
 
    secure_vector<uint8_t> T(CCM_BS);
-   E.encrypt(format_b0(sz - tag_size()), T);
+   E.encrypt(format_b0(entire_payload.size()), T);
 
-   for(size_t i = 0; i != ad.size(); i += CCM_BS) {
-      xor_buf(T.data(), &ad[i], CCM_BS);
+   BufferSlicer ad_bs(ad);
+   while(!ad_bs.empty()) {
+      xor_buf(T, ad_bs.take<CCM_BS>());
       E.encrypt(T);
    }
 
@@ -249,30 +267,39 @@ void CCM_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
 
    secure_vector<uint8_t> X(CCM_BS);
 
-   const uint8_t* buf_end = &buf[sz - tag_size()];
+   // copy all buffered input into the in/out buffer if needed
+   if(!buffered.empty()) {
+      copy_mem(buffer.last(input_bytes), buffer.first(input_bytes));
+      copy_mem(buffer.first(buffered.size()), buffered);
+   }
+
+   // TODO: Use BufferTransformer, once it is available
+   //       See https://github.com/randombit/botan/pull/4151
+   BufferSlicer payload_slicer(entire_payload);
+   BufferStuffer payload_stuffer(entire_payload);
 
-   while(buf != buf_end) {
-      const size_t to_proc = std::min<size_t>(CCM_BS, buf_end - buf);
+   while(!payload_slicer.empty()) {
+      const size_t to_proc = std::min<size_t>(CCM_BS, payload_slicer.remaining());
+      const auto in_chunk = payload_slicer.take(to_proc);
+      const auto out_chunk = payload_stuffer.next(to_proc);
 
       E.encrypt(C, X);
-      xor_buf(buf, X.data(), to_proc);
+      xor_buf(out_chunk, std::span{X}.first(out_chunk.size()));
       inc(C);
 
-      xor_buf(T.data(), buf, to_proc);
+      xor_buf(std::span{T}.first(in_chunk.size()), in_chunk);
       E.encrypt(T);
-
-      buf += to_proc;
    }
 
    T ^= S0;
 
-   if(!CT::is_equal(T.data(), buf_end, tag_size()).as_bool()) {
+   if(!CT::is_equal(T.data(), tag.data(), tag.size()).as_bool()) {
       throw Invalid_Authentication_Tag("CCM tag check failed");
    }
 
-   buffer.resize(buffer.size() - tag_size());
-
    reset();
+
+   return entire_payload.size();
 }
 
 }  // namespace Botan

src/lib/modes/aead/ccm/ccm.h

@@ -63,6 +63,8 @@ class CCM_Mode : public AEAD_Mode {
 
       secure_vector<uint8_t>& msg_buf() { return m_msg_buf; }
 
+      const secure_vector<uint8_t>& msg_buf() const { return m_msg_buf; }
+
       secure_vector<uint8_t> format_b0(size_t msg_size);
       secure_vector<uint8_t> format_c0();
 
@@ -96,10 +98,14 @@ class CCM_Encryption final : public CCM_Mode {
 
       size_t output_length(size_t input_length) const override { return input_length + tag_size(); }
 
+      size_t bytes_needed_for_finalization(size_t final_input_length) const override {
+         return output_length(msg_buf().size() + final_input_length);
+      }
+
       size_t minimum_final_size() const override { return 0; }
 
    private:
-      void finish_msg(secure_vector<uint8_t>& final_block, size_t offset = 0) override;
+      size_t finish_msg(std::span<uint8_t> final_block, size_t input_bytes) override;
 };
 
 /**
@@ -122,10 +128,15 @@ class CCM_Decryption final : public CCM_Mode {
          return input_length - tag_size();
       }
 
+      size_t bytes_needed_for_finalization(size_t final_input_length) const override {
+         BOTAN_ARG_CHECK(final_input_length >= tag_size(), "Sufficient input");
+         return msg_buf().size() + final_input_length;
+      }
+
       size_t minimum_final_size() const override { return tag_size(); }
 
    private:
-      void finish_msg(secure_vector<uint8_t>& final_block, size_t offset = 0) override;
+      size_t finish_msg(std::span<uint8_t> final_block, size_t input_bytes) override;
 };
 
 }  // namespace Botan

src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp

@@ -102,21 +102,29 @@ size_t ChaCha20Poly1305_Encryption::process_msg(uint8_t buf[], size_t sz) {
    return sz;
 }
 
-void ChaCha20Poly1305_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
-   update(buffer, offset);
+size_t ChaCha20Poly1305_Encryption::finish_msg(std::span<uint8_t> buffer, size_t input_bytes) {
+   const auto tag_length = tag_size();
+
+   BOTAN_ASSERT_NOMSG(input_bytes + tag_length == buffer.size());
+
+   const auto payload = buffer.first(input_bytes);
+   const auto tag = buffer.last(tag_length);
+
+   process(payload);
    if(cfrg_version()) {
       if(m_ctext_len % 16) {
-         const uint8_t zeros[16] = {0};
-         m_poly1305->update(zeros, 16 - m_ctext_len % 16);
+         std::array<uint8_t, 16> zeros{};
+         m_poly1305->update(std::span{zeros}.first(16 - m_ctext_len % 16));
       }
       update_len(m_ad.size());
    }
    update_len(m_ctext_len);
 
-   buffer.resize(buffer.size() + tag_size());
-   m_poly1305->final(&buffer[buffer.size() - tag_size()]);
+   m_poly1305->final(tag);
    m_ctext_len = 0;
    m_nonce_len = 0;
+
+   return buffer.size();
 }
 
 size_t ChaCha20Poly1305_Decryption::process_msg(uint8_t buf[], size_t sz) {
@@ -126,43 +134,40 @@ size_t ChaCha20Poly1305_Decryption::process_msg(uint8_t buf[], size_t sz) {
    return sz;
 }
 
-void ChaCha20Poly1305_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
-   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
-   const size_t sz = buffer.size() - offset;
-   uint8_t* buf = buffer.data() + offset;
+size_t ChaCha20Poly1305_Decryption::finish_msg(std::span<uint8_t> buffer, size_t input_bytes) {
+   const auto tag_length = tag_size();
 
-   BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");
+   BOTAN_ASSERT_NOMSG(buffer.size() == input_bytes);
+   BOTAN_ASSERT_NOMSG(buffer.size() >= tag_length);
 
-   const size_t remaining = sz - tag_size();
+   const auto remaining = buffer.first(buffer.size() - tag_length);
+   const auto tag = buffer.last(tag_length);
 
-   if(remaining) {
-      m_poly1305->update(buf, remaining);  // poly1305 of ciphertext
-      m_chacha->cipher1(buf, remaining);
-      m_ctext_len += remaining;
+   if(!remaining.empty()) {
+      process(remaining);
    }
 
    if(cfrg_version()) {
       if(m_ctext_len % 16) {
-         const uint8_t zeros[16] = {0};
-         m_poly1305->update(zeros, 16 - m_ctext_len % 16);
+         std::array<uint8_t, 16> zeros{};
+         m_poly1305->update(std::span{zeros}.first(16 - m_ctext_len % 16));
       }
       update_len(m_ad.size());
    }
 
    update_len(m_ctext_len);
 
-   uint8_t mac[16];
+   std::array<uint8_t, 16> mac;
    m_poly1305->final(mac);
 
-   const uint8_t* included_tag = &buf[remaining];
-
    m_ctext_len = 0;
    m_nonce_len = 0;
 
-   if(!CT::is_equal(mac, included_tag, tag_size()).as_bool()) {
+   if(!CT::is_equal(mac.data(), tag.data(), tag.size()).as_bool()) {
       throw Invalid_Authentication_Tag("ChaCha20Poly1305 tag check failed");
    }
-   buffer.resize(offset + remaining);
+
+   return remaining.size();
 }
 
 }  // namespace Botan

src/lib/modes/aead/chacha20poly1305/chacha20poly1305.h

@@ -77,9 +77,13 @@ class ChaCha20Poly1305_Encryption final : public ChaCha20Poly1305_Mode {
 
       size_t minimum_final_size() const override { return 0; }
 
+      size_t bytes_needed_for_finalization(size_t final_input_length) const override {
+         return output_length(final_input_length);
+      }
+
    private:
       size_t process_msg(uint8_t buf[], size_t size) override;
-      void finish_msg(secure_vector<uint8_t>& final_block, size_t offset = 0) override;
+      size_t finish_msg(std::span<uint8_t> final_block, size_t input_bytes) override;
 };
 
 /**
@@ -94,9 +98,14 @@ class ChaCha20Poly1305_Decryption final : public ChaCha20Poly1305_Mode {
 
       size_t minimum_final_size() const override { return tag_size(); }
 
+      size_t bytes_needed_for_finalization(size_t final_input_length) const override {
+         BOTAN_ARG_CHECK(final_input_length >= tag_size(), "Sufficient input");
+         return final_input_length;
+      }
+
    private:
       size_t process_msg(uint8_t buf[], size_t size) override;
-      void finish_msg(secure_vector<uint8_t>& final_block, size_t offset = 0) override;
+      size_t finish_msg(std::span<uint8_t> final_block, size_t input_bytes) override;
 };
 
 }  // namespace Botan