/src/botan/src/lib/stream/ctr/ctr.cpp

Source (jump to first uncovered line)
/*
* Counter mode
* (C) 1999-2011,2014 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/ctr.h>
#include <botan/exceptn.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/bit_ops.h>

namespace Botan {

CTR_BE::CTR_BE(std::unique_ptr<BlockCipher> cipher) :
   m_cipher(std::move(cipher)),
   m_block_size(m_cipher->block_size()),
   m_ctr_size(m_block_size),
   m_ctr_blocks(m_cipher->parallel_bytes() / m_block_size),
   m_counter(m_cipher->parallel_bytes()),
   m_pad(m_counter.size()),
   m_pad_pos(0)
   {
   }

CTR_BE::CTR_BE(std::unique_ptr<BlockCipher> cipher, size_t ctr_size) :
   m_cipher(std::move(cipher)),
   m_block_size(m_cipher->block_size()),
   m_ctr_size(ctr_size),
   m_ctr_blocks(m_cipher->parallel_bytes() / m_block_size),
   m_counter(m_cipher->parallel_bytes()),
   m_pad(m_counter.size()),
   m_pad_pos(0)
   {
   BOTAN_ARG_CHECK(m_ctr_size >= 4 && m_ctr_size <= m_block_size,
                   "Invalid CTR-BE counter size");
   }

void CTR_BE::clear()
   {
   m_cipher->clear();
   zeroise(m_pad);
   zeroise(m_counter);
   zap(m_iv);
   m_pad_pos = 0;
   }

size_t CTR_BE::default_iv_length() const
   {
   return m_block_size;
   }

bool CTR_BE::valid_iv_length(size_t iv_len) const
   {
   return (iv_len <= m_block_size);
   }

Key_Length_Specification CTR_BE::key_spec() const
   {
   return m_cipher->key_spec();
   }

std::unique_ptr<StreamCipher> CTR_BE::new_object() const
   {
   return std::make_unique<CTR_BE>(m_cipher->new_object(), m_ctr_size);
   }

void CTR_BE::key_schedule(const uint8_t key[], size_t key_len)
   {
   m_cipher->set_key(key, key_len);

   // Set a default all-zeros IV
   set_iv(nullptr, 0);
   }

std::string CTR_BE::name() const
   {
   if(m_ctr_size == m_block_size)
      return ("CTR-BE(" + m_cipher->name() + ")");
   else
      return ("CTR-BE(" + m_cipher->name() + "," + std::to_string(m_ctr_size) + ")");

   }

void CTR_BE::cipher(const uint8_t in[], uint8_t out[], size_t length)
   {
   verify_key_set(m_iv.empty() == false);

   const uint8_t* pad_bits = &m_pad[0];
   const size_t pad_size = m_pad.size();

   if(m_pad_pos > 0)
      {
      const size_t avail = pad_size - m_pad_pos;
      const size_t take = std::min(length, avail);
      xor_buf(out, in, pad_bits + m_pad_pos, take);
      length -= take;
      in += take;
      out += take;
      m_pad_pos += take;

      if(take == avail)
         {
         add_counter(m_ctr_blocks);
         m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
         m_pad_pos = 0;
         }
      }

   while(length >= pad_size)
      {
      xor_buf(out, in, pad_bits, pad_size);
      length -= pad_size;
      in += pad_size;
      out += pad_size;

      add_counter(m_ctr_blocks);
      m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
      }

   xor_buf(out, in, pad_bits, length);
   m_pad_pos += length;
   }

void CTR_BE::write_keystream(uint8_t out[], size_t length)
   {
   verify_key_set(m_iv.empty() == false);

   const size_t avail = m_pad.size() - m_pad_pos;
   const size_t take = std::min(length, avail);
   copy_mem(out, &m_pad[m_pad_pos], take);
   length -= take;
   out += take;
   m_pad_pos += take;

   while(length >= m_pad.size())
      {
      add_counter(m_ctr_blocks);
      m_cipher->encrypt_n(m_counter.data(), out, m_ctr_blocks);

      length -= m_pad.size();
      out += m_pad.size();
      }

   if(m_pad_pos == m_pad.size())
      {
      add_counter(m_ctr_blocks);
      m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
      m_pad_pos = 0;
      }

   copy_mem(out, &m_pad[0], length);
   m_pad_pos += length;
   BOTAN_ASSERT_NOMSG(m_pad_pos < m_pad.size());
   }

void CTR_BE::set_iv(const uint8_t iv[], size_t iv_len)
   {
   if(!valid_iv_length(iv_len))
      throw Invalid_IV_Length(name(), iv_len);

   m_iv.resize(m_block_size);
   zeroise(m_iv);
   buffer_insert(m_iv, 0, iv, iv_len);

   seek(0);
   }

void CTR_BE::add_counter(const uint64_t counter)
   {
   const size_t ctr_size = m_ctr_size;
   const size_t ctr_blocks = m_ctr_blocks;
   const size_t BS = m_block_size;

   if(ctr_size == 4)
      {
      const size_t off = (BS - 4);
      const uint32_t low32 = static_cast<uint32_t>(counter + load_be<uint32_t>(&m_counter[off], 0));

      for(size_t i = 0; i != ctr_blocks; ++i)
         {
         store_be(uint32_t(low32 + i), &m_counter[i*BS+off]);
         }
      }
   else if(ctr_size == 8)
      {
      const size_t off = (BS - 8);
      const uint64_t low64 = counter + load_be<uint64_t>(&m_counter[off], 0);

      for(size_t i = 0; i != ctr_blocks; ++i)
         {
         store_be(uint64_t(low64 + i), &m_counter[i*BS+off]);
         }
      }
   else if(ctr_size == 16)
      {
      const size_t off = (BS - 16);
      uint64_t b0 = load_be<uint64_t>(&m_counter[off], 0);
      uint64_t b1 = load_be<uint64_t>(&m_counter[off], 1);
      b1 += counter;
      b0 += (b1 < counter) ? 1 : 0; // carry

      for(size_t i = 0; i != ctr_blocks; ++i)
         {
         store_be(b0, &m_counter[i*BS+off]);
         store_be(b1, &m_counter[i*BS+off+8]);
         b1 += 1;
         b0 += (b1 == 0); // carry
         }
      }
   else
      {
      for(size_t i = 0; i != ctr_blocks; ++i)
         {
         uint64_t local_counter = counter;
         uint16_t carry = static_cast<uint8_t>(local_counter);
         for(size_t j = 0; (carry || local_counter) && j != ctr_size; ++j)
            {
            const size_t off = i*BS + (BS-1-j);
            const uint16_t cnt = static_cast<uint16_t>(m_counter[off]) + carry;
            m_counter[off] = static_cast<uint8_t>(cnt);
            local_counter = (local_counter >> 8);
            carry = (cnt >> 8) + static_cast<uint8_t>(local_counter);
            }
         }
      }
   }

void CTR_BE::seek(uint64_t offset)
   {
   verify_key_set(m_iv.empty() == false);

   const uint64_t base_counter = m_ctr_blocks * (offset / m_counter.size());

   zeroise(m_counter);
   buffer_insert(m_counter, 0, m_iv);

   const size_t BS = m_block_size;

   // Set m_counter blocks to IV, IV + 1, ... IV + n

   if(m_ctr_size == 4 && BS >= 8)
      {
      const uint32_t low32 = load_be<uint32_t>(&m_counter[BS-4], 0);

      if(m_ctr_blocks >= 4 && is_power_of_2(m_ctr_blocks))
         {
         size_t written = 1;
         while(written < m_ctr_blocks)
            {
            copy_mem(&m_counter[written*BS], &m_counter[0], BS*written);
            written *= 2;
            }
         }
      else
         {
         for(size_t i = 1; i != m_ctr_blocks; ++i)
            {
            copy_mem(&m_counter[i*BS], &m_counter[0], BS - 4);
            }
         }

      for(size_t i = 1; i != m_ctr_blocks; ++i)
         {
         const uint32_t c = static_cast<uint32_t>(low32 + i);
         store_be(c, &m_counter[(BS-4)+i*BS]);
         }
      }
   else
      {
      // do everything sequentially:
      for(size_t i = 1; i != m_ctr_blocks; ++i)
         {
         buffer_insert(m_counter, i*BS, &m_counter[(i-1)*BS], BS);

         for(size_t j = 0; j != m_ctr_size; ++j)
            if(++m_counter[i*BS + (BS - 1 - j)])
               break;
         }
      }

   if(base_counter > 0)
      add_counter(base_counter);

   m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
   m_pad_pos = offset % m_counter.size();
   }
}

Coverage Report

Created: 2023-01-25 06:35

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Counter mode
3		* (C) 1999-2011,2014 Jack Lloyd
4		*
5		* Botan is released under the Simplified BSD License (see license.txt)
6		*/
7
8		#include <botan/internal/ctr.h>
9		#include <botan/exceptn.h>
10		#include <botan/internal/loadstor.h>
11		#include <botan/internal/bit_ops.h>
12
13		namespace Botan {
14
15		CTR_BE::CTR_BE(std::unique_ptr<BlockCipher> cipher) :
16		m_cipher(std::move(cipher)),
17		m_block_size(m_cipher->block_size()),
18		m_ctr_size(m_block_size),
19		m_ctr_blocks(m_cipher->parallel_bytes() / m_block_size),
20		m_counter(m_cipher->parallel_bytes()),
21		m_pad(m_counter.size()),
22		m_pad_pos(0)
23	0	{
24	0	}
25
26		CTR_BE::CTR_BE(std::unique_ptr<BlockCipher> cipher, size_t ctr_size) :
27		m_cipher(std::move(cipher)),
28		m_block_size(m_cipher->block_size()),
29		m_ctr_size(ctr_size),
30		m_ctr_blocks(m_cipher->parallel_bytes() / m_block_size),
31		m_counter(m_cipher->parallel_bytes()),
32		m_pad(m_counter.size()),
33		m_pad_pos(0)
34	398	{
35	398	BOTAN_ARG_CHECK(m_ctr_size >= 4 && m_ctr_size <= m_block_size,
36	398	"Invalid CTR-BE counter size");
37	398	}
38
39		void CTR_BE::clear()
40	0	{
41	0	m_cipher->clear();
42	0	zeroise(m_pad);
43	0	zeroise(m_counter);
44	0	zap(m_iv);
45	0	m_pad_pos = 0;
46	0	}
47
48		size_t CTR_BE::default_iv_length() const
49	0	{
50	0	return m_block_size;
51	0	}
52
53		bool CTR_BE::valid_iv_length(size_t iv_len) const
54	1.22k	{
55	1.22k	return (iv_len <= m_block_size);
56	1.22k	}
57
58		Key_Length_Specification CTR_BE::key_spec() const
59	796	{
60	796	return m_cipher->key_spec();
61	796	}
62
63		std::unique_ptr<StreamCipher> CTR_BE::new_object() const
64	0	{
65	0	return std::make_unique<CTR_BE>(m_cipher->new_object(), m_ctr_size);
66	0	}
67
68		void CTR_BE::key_schedule(const uint8_t key[], size_t key_len)
69	398	{
70	398	m_cipher->set_key(key, key_len);
71
72		// Set a default all-zeros IV
73	398	set_iv(nullptr, 0);
74	398	}
75
76		std::string CTR_BE::name() const
77	0	{
78	0	if(m_ctr_size == m_block_size)
79	0	return ("CTR-BE(" + m_cipher->name() + ")");
80	0	else
81	0	return ("CTR-BE(" + m_cipher->name() + "," + std::to_string(m_ctr_size) + ")");
82
83	0	}
84
85		void CTR_BE::cipher(const uint8_t in[], uint8_t out[], size_t length)
86	1.25k	{
87	1.25k	verify_key_set(m_iv.empty() == false);
88
89	1.25k	const uint8_t* pad_bits = &m_pad[0];
90	1.25k	const size_t pad_size = m_pad.size();
91
92	1.25k	if(m_pad_pos > 0)
93	427	{
94	427	const size_t avail = pad_size - m_pad_pos;
95	427	const size_t take = std::min(length, avail);
96	427	xor_buf(out, in, pad_bits + m_pad_pos, take);
97	427	length -= take;
98	427	in += take;
99	427	out += take;
100	427	m_pad_pos += take;
101
102	427	if(take == avail)
103	74	{
104	74	add_counter(m_ctr_blocks);
105	74	m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
106	74	m_pad_pos = 0;
107	74	}
108	427	}
109
110	2.04k	while(length >= pad_size)
111	789	{
112	789	xor_buf(out, in, pad_bits, pad_size);
113	789	length -= pad_size;
114	789	in += pad_size;
115	789	out += pad_size;
116
117	789	add_counter(m_ctr_blocks);
118	789	m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
119	789	}
120
121	1.25k	xor_buf(out, in, pad_bits, length);
122	1.25k	m_pad_pos += length;
123	1.25k	}
124
125		void CTR_BE::write_keystream(uint8_t out[], size_t length)
126	0	{
127	0	verify_key_set(m_iv.empty() == false);
128
129	0	const size_t avail = m_pad.size() - m_pad_pos;
130	0	const size_t take = std::min(length, avail);
131	0	copy_mem(out, &m_pad[m_pad_pos], take);
132	0	length -= take;
133	0	out += take;
134	0	m_pad_pos += take;
135
136	0	while(length >= m_pad.size())
137	0	{
138	0	add_counter(m_ctr_blocks);
139	0	m_cipher->encrypt_n(m_counter.data(), out, m_ctr_blocks);
140
141	0	length -= m_pad.size();
142	0	out += m_pad.size();
143	0	}
144
145	0	if(m_pad_pos == m_pad.size())
146	0	{
147	0	add_counter(m_ctr_blocks);
148	0	m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
149	0	m_pad_pos = 0;
150	0	}
151
152	0	copy_mem(out, &m_pad[0], length);
153	0	m_pad_pos += length;
154	0	BOTAN_ASSERT_NOMSG(m_pad_pos < m_pad.size());
155	0	}
156
157		void CTR_BE::set_iv(const uint8_t iv[], size_t iv_len)
158	1.22k	{
159	1.22k	if(!valid_iv_length(iv_len))
160	0	throw Invalid_IV_Length(name(), iv_len);
161
162	1.22k	m_iv.resize(m_block_size);
163	1.22k	zeroise(m_iv);
164	1.22k	buffer_insert(m_iv, 0, iv, iv_len);
165
166	1.22k	seek(0);
167	1.22k	}
168
169		void CTR_BE::add_counter(const uint64_t counter)
170	863	{
171	863	const size_t ctr_size = m_ctr_size;
172	863	const size_t ctr_blocks = m_ctr_blocks;
173	863	const size_t BS = m_block_size;
174
175	863	if(ctr_size == 4)
176	863	{
177	863	const size_t off = (BS - 4);
178	863	const uint32_t low32 = static_cast<uint32_t>(counter + load_be<uint32_t>(&m_counter[off], 0));
179
180	6.06k	for(size_t i = 0; i != ctr_blocks; ++i)
181	5.20k	{
182	5.20k	store_be(uint32_t(low32 + i), &m_counter[i*BS+off]);
183	5.20k	}
184	863	}
185	0	else if(ctr_size == 8)
186	0	{
187	0	const size_t off = (BS - 8);
188	0	const uint64_t low64 = counter + load_be<uint64_t>(&m_counter[off], 0);
189
190	0	for(size_t i = 0; i != ctr_blocks; ++i)
191	0	{
192	0	store_be(uint64_t(low64 + i), &m_counter[i*BS+off]);
193	0	}
194	0	}
195	0	else if(ctr_size == 16)
196	0	{
197	0	const size_t off = (BS - 16);
198	0	uint64_t b0 = load_be<uint64_t>(&m_counter[off], 0);
199	0	uint64_t b1 = load_be<uint64_t>(&m_counter[off], 1);
200	0	b1 += counter;
201	0	b0 += (b1 < counter) ? 1 : 0; // carry
202
203	0	for(size_t i = 0; i != ctr_blocks; ++i)
204	0	{
205	0	store_be(b0, &m_counter[i*BS+off]);
206	0	store_be(b1, &m_counter[i*BS+off+8]);
207	0	b1 += 1;
208	0	b0 += (b1 == 0); // carry
209	0	}
210	0	}
211	0	else
212	0	{
213	0	for(size_t i = 0; i != ctr_blocks; ++i)
214	0	{
215	0	uint64_t local_counter = counter;
216	0	uint16_t carry = static_cast<uint8_t>(local_counter);
217	0	for(size_t j = 0; (carry \|\| local_counter) && j != ctr_size; ++j)
218	0	{
219	0	const size_t off = i*BS + (BS-1-j);
220	0	const uint16_t cnt = static_cast<uint16_t>(m_counter[off]) + carry;
221	0	m_counter[off] = static_cast<uint8_t>(cnt);
222	0	local_counter = (local_counter >> 8);
223	0	carry = (cnt >> 8) + static_cast<uint8_t>(local_counter);
224	0	}
225	0	}
226	0	}
227	863	}
228
229		void CTR_BE::seek(uint64_t offset)
230	1.22k	{
231	1.22k	verify_key_set(m_iv.empty() == false);
232
233	1.22k	const uint64_t base_counter = m_ctr_blocks * (offset / m_counter.size());
234
235	1.22k	zeroise(m_counter);
236	1.22k	buffer_insert(m_counter, 0, m_iv);
237
238	1.22k	const size_t BS = m_block_size;
239
240		// Set m_counter blocks to IV, IV + 1, ... IV + n
241
242	1.22k	if(m_ctr_size == 4 && BS >= 8)
243	1.22k	{
244	1.22k	const uint32_t low32 = load_be<uint32_t>(&m_counter[BS-4], 0);
245
246	1.22k	if(m_ctr_blocks >= 4 && is_power_of_2(m_ctr_blocks))
247	1.22k	{
248	1.22k	size_t written = 1;
249	5.41k	while(written < m_ctr_blocks)
250	4.19k	{
251	4.19k	copy_mem(&m_counter[writtenBS], &m_counter[0], BSwritten);
252	4.19k	written *= 2;
253	4.19k	}
254	1.22k	}
255	0	else
256	0	{
257	0	for(size_t i = 1; i != m_ctr_blocks; ++i)
258	0	{
259	0	copy_mem(&m_counter[i*BS], &m_counter[0], BS - 4);
260	0	}
261	0	}
262
263	15.3k	for(size_t i = 1; i != m_ctr_blocks; ++i)
264	14.1k	{
265	14.1k	const uint32_t c = static_cast<uint32_t>(low32 + i);
266	14.1k	store_be(c, &m_counter[(BS-4)+i*BS]);
267	14.1k	}
268	1.22k	}
269	0	else
270	0	{
271		// do everything sequentially:
272	0	for(size_t i = 1; i != m_ctr_blocks; ++i)
273	0	{
274	0	buffer_insert(m_counter, iBS, &m_counter[(i-1)BS], BS);
275
276	0	for(size_t j = 0; j != m_ctr_size; ++j)
277	0	if(++m_counter[i*BS + (BS - 1 - j)])
278	0	break;
279	0	}
280	0	}
281
282	1.22k	if(base_counter > 0)
283	0	add_counter(base_counter);
284
285	1.22k	m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
286	1.22k	m_pad_pos = offset % m_counter.size();
287	1.22k	}
288		}