/src/botan/src/lib/stream/ctr/ctr.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Counter mode |
3 | | * (C) 1999-2011,2014 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #include <botan/internal/ctr.h> |
9 | | #include <botan/exceptn.h> |
10 | | #include <botan/internal/loadstor.h> |
11 | | #include <botan/internal/bit_ops.h> |
12 | | |
13 | | namespace Botan { |
14 | | |
15 | | CTR_BE::CTR_BE(std::unique_ptr<BlockCipher> cipher) : |
16 | | m_cipher(std::move(cipher)), |
17 | | m_block_size(m_cipher->block_size()), |
18 | | m_ctr_size(m_block_size), |
19 | | m_ctr_blocks(m_cipher->parallel_bytes() / m_block_size), |
20 | | m_counter(m_cipher->parallel_bytes()), |
21 | | m_pad(m_counter.size()), |
22 | | m_pad_pos(0) |
23 | 0 | { |
24 | 0 | } |
25 | | |
26 | | CTR_BE::CTR_BE(std::unique_ptr<BlockCipher> cipher, size_t ctr_size) : |
27 | | m_cipher(std::move(cipher)), |
28 | | m_block_size(m_cipher->block_size()), |
29 | | m_ctr_size(ctr_size), |
30 | | m_ctr_blocks(m_cipher->parallel_bytes() / m_block_size), |
31 | | m_counter(m_cipher->parallel_bytes()), |
32 | | m_pad(m_counter.size()), |
33 | | m_pad_pos(0) |
34 | 398 | { |
35 | 398 | BOTAN_ARG_CHECK(m_ctr_size >= 4 && m_ctr_size <= m_block_size, |
36 | 398 | "Invalid CTR-BE counter size"); |
37 | 398 | } |
38 | | |
39 | | void CTR_BE::clear() |
40 | 0 | { |
41 | 0 | m_cipher->clear(); |
42 | 0 | zeroise(m_pad); |
43 | 0 | zeroise(m_counter); |
44 | 0 | zap(m_iv); |
45 | 0 | m_pad_pos = 0; |
46 | 0 | } |
47 | | |
48 | | size_t CTR_BE::default_iv_length() const |
49 | 0 | { |
50 | 0 | return m_block_size; |
51 | 0 | } |
52 | | |
53 | | bool CTR_BE::valid_iv_length(size_t iv_len) const |
54 | 1.22k | { |
55 | 1.22k | return (iv_len <= m_block_size); |
56 | 1.22k | } |
57 | | |
58 | | Key_Length_Specification CTR_BE::key_spec() const |
59 | 796 | { |
60 | 796 | return m_cipher->key_spec(); |
61 | 796 | } |
62 | | |
63 | | std::unique_ptr<StreamCipher> CTR_BE::new_object() const |
64 | 0 | { |
65 | 0 | return std::make_unique<CTR_BE>(m_cipher->new_object(), m_ctr_size); |
66 | 0 | } |
67 | | |
68 | | void CTR_BE::key_schedule(const uint8_t key[], size_t key_len) |
69 | 398 | { |
70 | 398 | m_cipher->set_key(key, key_len); |
71 | | |
72 | | // Set a default all-zeros IV |
73 | 398 | set_iv(nullptr, 0); |
74 | 398 | } |
75 | | |
76 | | std::string CTR_BE::name() const |
77 | 0 | { |
78 | 0 | if(m_ctr_size == m_block_size) |
79 | 0 | return ("CTR-BE(" + m_cipher->name() + ")"); |
80 | 0 | else |
81 | 0 | return ("CTR-BE(" + m_cipher->name() + "," + std::to_string(m_ctr_size) + ")"); |
82 | |
|
83 | 0 | } |
84 | | |
85 | | void CTR_BE::cipher(const uint8_t in[], uint8_t out[], size_t length) |
86 | 1.25k | { |
87 | 1.25k | verify_key_set(m_iv.empty() == false); |
88 | | |
89 | 1.25k | const uint8_t* pad_bits = &m_pad[0]; |
90 | 1.25k | const size_t pad_size = m_pad.size(); |
91 | | |
92 | 1.25k | if(m_pad_pos > 0) |
93 | 427 | { |
94 | 427 | const size_t avail = pad_size - m_pad_pos; |
95 | 427 | const size_t take = std::min(length, avail); |
96 | 427 | xor_buf(out, in, pad_bits + m_pad_pos, take); |
97 | 427 | length -= take; |
98 | 427 | in += take; |
99 | 427 | out += take; |
100 | 427 | m_pad_pos += take; |
101 | | |
102 | 427 | if(take == avail) |
103 | 74 | { |
104 | 74 | add_counter(m_ctr_blocks); |
105 | 74 | m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks); |
106 | 74 | m_pad_pos = 0; |
107 | 74 | } |
108 | 427 | } |
109 | | |
110 | 2.04k | while(length >= pad_size) |
111 | 789 | { |
112 | 789 | xor_buf(out, in, pad_bits, pad_size); |
113 | 789 | length -= pad_size; |
114 | 789 | in += pad_size; |
115 | 789 | out += pad_size; |
116 | | |
117 | 789 | add_counter(m_ctr_blocks); |
118 | 789 | m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks); |
119 | 789 | } |
120 | | |
121 | 1.25k | xor_buf(out, in, pad_bits, length); |
122 | 1.25k | m_pad_pos += length; |
123 | 1.25k | } |
124 | | |
125 | | void CTR_BE::write_keystream(uint8_t out[], size_t length) |
126 | 0 | { |
127 | 0 | verify_key_set(m_iv.empty() == false); |
128 | |
|
129 | 0 | const size_t avail = m_pad.size() - m_pad_pos; |
130 | 0 | const size_t take = std::min(length, avail); |
131 | 0 | copy_mem(out, &m_pad[m_pad_pos], take); |
132 | 0 | length -= take; |
133 | 0 | out += take; |
134 | 0 | m_pad_pos += take; |
135 | |
|
136 | 0 | while(length >= m_pad.size()) |
137 | 0 | { |
138 | 0 | add_counter(m_ctr_blocks); |
139 | 0 | m_cipher->encrypt_n(m_counter.data(), out, m_ctr_blocks); |
140 | |
|
141 | 0 | length -= m_pad.size(); |
142 | 0 | out += m_pad.size(); |
143 | 0 | } |
144 | |
|
145 | 0 | if(m_pad_pos == m_pad.size()) |
146 | 0 | { |
147 | 0 | add_counter(m_ctr_blocks); |
148 | 0 | m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks); |
149 | 0 | m_pad_pos = 0; |
150 | 0 | } |
151 | |
|
152 | 0 | copy_mem(out, &m_pad[0], length); |
153 | 0 | m_pad_pos += length; |
154 | 0 | BOTAN_ASSERT_NOMSG(m_pad_pos < m_pad.size()); |
155 | 0 | } |
156 | | |
157 | | void CTR_BE::set_iv(const uint8_t iv[], size_t iv_len) |
158 | 1.22k | { |
159 | 1.22k | if(!valid_iv_length(iv_len)) |
160 | 0 | throw Invalid_IV_Length(name(), iv_len); |
161 | | |
162 | 1.22k | m_iv.resize(m_block_size); |
163 | 1.22k | zeroise(m_iv); |
164 | 1.22k | buffer_insert(m_iv, 0, iv, iv_len); |
165 | | |
166 | 1.22k | seek(0); |
167 | 1.22k | } |
168 | | |
169 | | void CTR_BE::add_counter(const uint64_t counter) |
170 | 863 | { |
171 | 863 | const size_t ctr_size = m_ctr_size; |
172 | 863 | const size_t ctr_blocks = m_ctr_blocks; |
173 | 863 | const size_t BS = m_block_size; |
174 | | |
175 | 863 | if(ctr_size == 4) |
176 | 863 | { |
177 | 863 | const size_t off = (BS - 4); |
178 | 863 | const uint32_t low32 = static_cast<uint32_t>(counter + load_be<uint32_t>(&m_counter[off], 0)); |
179 | | |
180 | 6.06k | for(size_t i = 0; i != ctr_blocks; ++i) |
181 | 5.20k | { |
182 | 5.20k | store_be(uint32_t(low32 + i), &m_counter[i*BS+off]); |
183 | 5.20k | } |
184 | 863 | } |
185 | 0 | else if(ctr_size == 8) |
186 | 0 | { |
187 | 0 | const size_t off = (BS - 8); |
188 | 0 | const uint64_t low64 = counter + load_be<uint64_t>(&m_counter[off], 0); |
189 | |
|
190 | 0 | for(size_t i = 0; i != ctr_blocks; ++i) |
191 | 0 | { |
192 | 0 | store_be(uint64_t(low64 + i), &m_counter[i*BS+off]); |
193 | 0 | } |
194 | 0 | } |
195 | 0 | else if(ctr_size == 16) |
196 | 0 | { |
197 | 0 | const size_t off = (BS - 16); |
198 | 0 | uint64_t b0 = load_be<uint64_t>(&m_counter[off], 0); |
199 | 0 | uint64_t b1 = load_be<uint64_t>(&m_counter[off], 1); |
200 | 0 | b1 += counter; |
201 | 0 | b0 += (b1 < counter) ? 1 : 0; // carry |
202 | |
|
203 | 0 | for(size_t i = 0; i != ctr_blocks; ++i) |
204 | 0 | { |
205 | 0 | store_be(b0, &m_counter[i*BS+off]); |
206 | 0 | store_be(b1, &m_counter[i*BS+off+8]); |
207 | 0 | b1 += 1; |
208 | 0 | b0 += (b1 == 0); // carry |
209 | 0 | } |
210 | 0 | } |
211 | 0 | else |
212 | 0 | { |
213 | 0 | for(size_t i = 0; i != ctr_blocks; ++i) |
214 | 0 | { |
215 | 0 | uint64_t local_counter = counter; |
216 | 0 | uint16_t carry = static_cast<uint8_t>(local_counter); |
217 | 0 | for(size_t j = 0; (carry || local_counter) && j != ctr_size; ++j) |
218 | 0 | { |
219 | 0 | const size_t off = i*BS + (BS-1-j); |
220 | 0 | const uint16_t cnt = static_cast<uint16_t>(m_counter[off]) + carry; |
221 | 0 | m_counter[off] = static_cast<uint8_t>(cnt); |
222 | 0 | local_counter = (local_counter >> 8); |
223 | 0 | carry = (cnt >> 8) + static_cast<uint8_t>(local_counter); |
224 | 0 | } |
225 | 0 | } |
226 | 0 | } |
227 | 863 | } |
228 | | |
229 | | void CTR_BE::seek(uint64_t offset) |
230 | 1.22k | { |
231 | 1.22k | verify_key_set(m_iv.empty() == false); |
232 | | |
233 | 1.22k | const uint64_t base_counter = m_ctr_blocks * (offset / m_counter.size()); |
234 | | |
235 | 1.22k | zeroise(m_counter); |
236 | 1.22k | buffer_insert(m_counter, 0, m_iv); |
237 | | |
238 | 1.22k | const size_t BS = m_block_size; |
239 | | |
240 | | // Set m_counter blocks to IV, IV + 1, ... IV + n |
241 | | |
242 | 1.22k | if(m_ctr_size == 4 && BS >= 8) |
243 | 1.22k | { |
244 | 1.22k | const uint32_t low32 = load_be<uint32_t>(&m_counter[BS-4], 0); |
245 | | |
246 | 1.22k | if(m_ctr_blocks >= 4 && is_power_of_2(m_ctr_blocks)) |
247 | 1.22k | { |
248 | 1.22k | size_t written = 1; |
249 | 5.41k | while(written < m_ctr_blocks) |
250 | 4.19k | { |
251 | 4.19k | copy_mem(&m_counter[written*BS], &m_counter[0], BS*written); |
252 | 4.19k | written *= 2; |
253 | 4.19k | } |
254 | 1.22k | } |
255 | 0 | else |
256 | 0 | { |
257 | 0 | for(size_t i = 1; i != m_ctr_blocks; ++i) |
258 | 0 | { |
259 | 0 | copy_mem(&m_counter[i*BS], &m_counter[0], BS - 4); |
260 | 0 | } |
261 | 0 | } |
262 | | |
263 | 15.3k | for(size_t i = 1; i != m_ctr_blocks; ++i) |
264 | 14.1k | { |
265 | 14.1k | const uint32_t c = static_cast<uint32_t>(low32 + i); |
266 | 14.1k | store_be(c, &m_counter[(BS-4)+i*BS]); |
267 | 14.1k | } |
268 | 1.22k | } |
269 | 0 | else |
270 | 0 | { |
271 | | // do everything sequentially: |
272 | 0 | for(size_t i = 1; i != m_ctr_blocks; ++i) |
273 | 0 | { |
274 | 0 | buffer_insert(m_counter, i*BS, &m_counter[(i-1)*BS], BS); |
275 | |
|
276 | 0 | for(size_t j = 0; j != m_ctr_size; ++j) |
277 | 0 | if(++m_counter[i*BS + (BS - 1 - j)]) |
278 | 0 | break; |
279 | 0 | } |
280 | 0 | } |
281 | | |
282 | 1.22k | if(base_counter > 0) |
283 | 0 | add_counter(base_counter); |
284 | | |
285 | 1.22k | m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks); |
286 | 1.22k | m_pad_pos = offset % m_counter.size(); |
287 | 1.22k | } |
288 | | } |