/src/botan/src/lib/stream/ctr/ctr.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Counter mode |
3 | | * (C) 1999-2011,2014 Jack Lloyd |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #include <botan/internal/ctr.h> |
9 | | |
10 | | #include <botan/exceptn.h> |
11 | | #include <botan/internal/bit_ops.h> |
12 | | #include <botan/internal/fmt.h> |
13 | | #include <botan/internal/loadstor.h> |
14 | | |
15 | | namespace Botan { |
16 | | |
17 | | CTR_BE::CTR_BE(std::unique_ptr<BlockCipher> cipher) : |
18 | 0 | m_cipher(std::move(cipher)), |
19 | 0 | m_block_size(m_cipher->block_size()), |
20 | 0 | m_ctr_size(m_block_size), |
21 | 0 | m_ctr_blocks(m_cipher->parallel_bytes() / m_block_size), |
22 | 0 | m_counter(m_cipher->parallel_bytes()), |
23 | 0 | m_pad(m_counter.size()), |
24 | 0 | m_pad_pos(0) {} |
25 | | |
26 | | CTR_BE::CTR_BE(std::unique_ptr<BlockCipher> cipher, size_t ctr_size) : |
27 | 196 | m_cipher(std::move(cipher)), |
28 | 196 | m_block_size(m_cipher->block_size()), |
29 | 196 | m_ctr_size(ctr_size), |
30 | 196 | m_ctr_blocks(m_cipher->parallel_bytes() / m_block_size), |
31 | 196 | m_counter(m_cipher->parallel_bytes()), |
32 | 196 | m_pad(m_counter.size()), |
33 | 196 | m_pad_pos(0) { |
34 | 196 | BOTAN_ARG_CHECK(m_ctr_size >= 4 && m_ctr_size <= m_block_size, "Invalid CTR-BE counter size"); |
35 | 196 | } |
36 | | |
37 | 0 | void CTR_BE::clear() { |
38 | 0 | m_cipher->clear(); |
39 | 0 | zeroise(m_pad); |
40 | 0 | zeroise(m_counter); |
41 | 0 | zap(m_iv); |
42 | 0 | m_pad_pos = 0; |
43 | 0 | } |
44 | | |
45 | 0 | size_t CTR_BE::default_iv_length() const { |
46 | 0 | return m_block_size; |
47 | 0 | } |
48 | | |
49 | 586 | bool CTR_BE::valid_iv_length(size_t iv_len) const { |
50 | 586 | return (iv_len <= m_block_size); |
51 | 586 | } |
52 | | |
53 | 0 | size_t CTR_BE::buffer_size() const { |
54 | 0 | return m_pad.size(); |
55 | 0 | } |
56 | | |
57 | 392 | Key_Length_Specification CTR_BE::key_spec() const { |
58 | 392 | return m_cipher->key_spec(); |
59 | 392 | } |
60 | | |
61 | 0 | std::unique_ptr<StreamCipher> CTR_BE::new_object() const { |
62 | 0 | return std::make_unique<CTR_BE>(m_cipher->new_object(), m_ctr_size); |
63 | 0 | } |
64 | | |
65 | 1.16k | bool CTR_BE::has_keying_material() const { |
66 | 1.16k | return m_cipher->has_keying_material(); |
67 | 1.16k | } |
68 | | |
69 | 196 | void CTR_BE::key_schedule(std::span<const uint8_t> key) { |
70 | 196 | m_cipher->set_key(key); |
71 | | |
72 | | // Set a default all-zeros IV |
73 | 196 | set_iv(nullptr, 0); |
74 | 196 | } |
75 | | |
76 | 0 | std::string CTR_BE::name() const { |
77 | 0 | if(m_ctr_size == m_block_size) { |
78 | 0 | return fmt("CTR-BE({})", m_cipher->name()); |
79 | 0 | } else { |
80 | 0 | return fmt("CTR-BE({},{})", m_cipher->name(), m_ctr_size); |
81 | 0 | } |
82 | 0 | } |
83 | | |
84 | 581 | void CTR_BE::cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) { |
85 | 581 | assert_key_material_set(); |
86 | | |
87 | 581 | const uint8_t* pad_bits = &m_pad[0]; |
88 | 581 | const size_t pad_size = m_pad.size(); |
89 | | |
90 | 581 | if(m_pad_pos > 0) { |
91 | 191 | const size_t avail = pad_size - m_pad_pos; |
92 | 191 | const size_t take = std::min(length, avail); |
93 | 191 | xor_buf(out, in, pad_bits + m_pad_pos, take); |
94 | 191 | length -= take; |
95 | 191 | in += take; |
96 | 191 | out += take; |
97 | 191 | m_pad_pos += take; |
98 | | |
99 | 191 | if(take == avail) { |
100 | 80 | add_counter(m_ctr_blocks); |
101 | 80 | m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks); |
102 | 80 | m_pad_pos = 0; |
103 | 80 | } |
104 | 191 | } |
105 | | |
106 | 1.97k | while(length >= pad_size) { |
107 | 1.39k | xor_buf(out, in, pad_bits, pad_size); |
108 | 1.39k | length -= pad_size; |
109 | 1.39k | in += pad_size; |
110 | 1.39k | out += pad_size; |
111 | | |
112 | 1.39k | add_counter(m_ctr_blocks); |
113 | 1.39k | m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks); |
114 | 1.39k | } |
115 | | |
116 | 581 | xor_buf(out, in, pad_bits, length); |
117 | 581 | m_pad_pos += length; |
118 | 581 | } |
119 | | |
120 | 0 | void CTR_BE::generate_keystream(uint8_t out[], size_t length) { |
121 | 0 | assert_key_material_set(); |
122 | |
|
123 | 0 | const size_t avail = m_pad.size() - m_pad_pos; |
124 | 0 | const size_t take = std::min(length, avail); |
125 | 0 | copy_mem(out, &m_pad[m_pad_pos], take); |
126 | 0 | length -= take; |
127 | 0 | out += take; |
128 | 0 | m_pad_pos += take; |
129 | |
|
130 | 0 | while(length >= m_pad.size()) { |
131 | 0 | add_counter(m_ctr_blocks); |
132 | 0 | m_cipher->encrypt_n(m_counter.data(), out, m_ctr_blocks); |
133 | |
|
134 | 0 | length -= m_pad.size(); |
135 | 0 | out += m_pad.size(); |
136 | 0 | } |
137 | |
|
138 | 0 | if(m_pad_pos == m_pad.size()) { |
139 | 0 | add_counter(m_ctr_blocks); |
140 | 0 | m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks); |
141 | 0 | m_pad_pos = 0; |
142 | 0 | } |
143 | |
|
144 | 0 | copy_mem(out, &m_pad[0], length); |
145 | 0 | m_pad_pos += length; |
146 | 0 | BOTAN_ASSERT_NOMSG(m_pad_pos < m_pad.size()); |
147 | 0 | } |
148 | | |
149 | 586 | void CTR_BE::set_iv_bytes(const uint8_t iv[], size_t iv_len) { |
150 | 586 | if(!valid_iv_length(iv_len)) { |
151 | 0 | throw Invalid_IV_Length(name(), iv_len); |
152 | 0 | } |
153 | | |
154 | 586 | m_iv.resize(m_block_size); |
155 | 586 | zeroise(m_iv); |
156 | 586 | copy_mem(&m_iv[0], iv, iv_len); |
157 | | |
158 | 586 | seek(0); |
159 | 586 | } |
160 | | |
161 | 1.47k | void CTR_BE::add_counter(const uint64_t counter) { |
162 | 1.47k | const size_t ctr_size = m_ctr_size; |
163 | 1.47k | const size_t ctr_blocks = m_ctr_blocks; |
164 | 1.47k | const size_t BS = m_block_size; |
165 | | |
166 | 1.47k | if(ctr_size == 4) { |
167 | 1.47k | const size_t off = (BS - 4); |
168 | 1.47k | const uint32_t low32 = static_cast<uint32_t>(counter + load_be<uint32_t>(&m_counter[off], 0)); |
169 | | |
170 | 8.43k | for(size_t i = 0; i != ctr_blocks; ++i) { |
171 | 6.96k | store_be(uint32_t(low32 + i), &m_counter[i * BS + off]); |
172 | 6.96k | } |
173 | 1.47k | } else if(ctr_size == 8) { |
174 | 0 | const size_t off = (BS - 8); |
175 | 0 | const uint64_t low64 = counter + load_be<uint64_t>(&m_counter[off], 0); |
176 | |
|
177 | 0 | for(size_t i = 0; i != ctr_blocks; ++i) { |
178 | 0 | store_be(uint64_t(low64 + i), &m_counter[i * BS + off]); |
179 | 0 | } |
180 | 0 | } else if(ctr_size == 16) { |
181 | 0 | const size_t off = (BS - 16); |
182 | 0 | uint64_t b0 = load_be<uint64_t>(&m_counter[off], 0); |
183 | 0 | uint64_t b1 = load_be<uint64_t>(&m_counter[off], 1); |
184 | 0 | b1 += counter; |
185 | 0 | b0 += (b1 < counter) ? 1 : 0; // carry |
186 | |
|
187 | 0 | for(size_t i = 0; i != ctr_blocks; ++i) { |
188 | 0 | store_be(b0, &m_counter[i * BS + off]); |
189 | 0 | store_be(b1, &m_counter[i * BS + off + 8]); |
190 | 0 | b1 += 1; |
191 | 0 | b0 += (b1 == 0); // carry |
192 | 0 | } |
193 | 0 | } else { |
194 | 0 | for(size_t i = 0; i != ctr_blocks; ++i) { |
195 | 0 | uint64_t local_counter = counter; |
196 | 0 | uint16_t carry = static_cast<uint8_t>(local_counter); |
197 | 0 | for(size_t j = 0; (carry || local_counter) && j != ctr_size; ++j) { |
198 | 0 | const size_t off = i * BS + (BS - 1 - j); |
199 | 0 | const uint16_t cnt = static_cast<uint16_t>(m_counter[off]) + carry; |
200 | 0 | m_counter[off] = static_cast<uint8_t>(cnt); |
201 | 0 | local_counter = (local_counter >> 8); |
202 | 0 | carry = (cnt >> 8) + static_cast<uint8_t>(local_counter); |
203 | 0 | } |
204 | 0 | } |
205 | 0 | } |
206 | 1.47k | } |
207 | | |
208 | 586 | void CTR_BE::seek(uint64_t offset) { |
209 | 586 | assert_key_material_set(); |
210 | | |
211 | 586 | const uint64_t base_counter = m_ctr_blocks * (offset / m_counter.size()); |
212 | | |
213 | 586 | zeroise(m_counter); |
214 | 586 | BOTAN_ASSERT_NOMSG(m_counter.size() >= m_iv.size()); |
215 | 586 | copy_mem(&m_counter[0], &m_iv[0], m_iv.size()); |
216 | | |
217 | 586 | const size_t BS = m_block_size; |
218 | | |
219 | | // Set m_counter blocks to IV, IV + 1, ... IV + n |
220 | | |
221 | 586 | if(m_ctr_size == 4 && BS >= 8) { |
222 | 586 | const uint32_t low32 = load_be<uint32_t>(&m_counter[BS - 4], 0); |
223 | | |
224 | 586 | if(m_ctr_blocks >= 4 && is_power_of_2(m_ctr_blocks)) { |
225 | 586 | size_t written = 1; |
226 | 2.11k | while(written < m_ctr_blocks) { |
227 | 1.53k | copy_mem(&m_counter[written * BS], &m_counter[0], BS * written); |
228 | 1.53k | written *= 2; |
229 | 1.53k | } |
230 | 586 | } else { |
231 | 0 | for(size_t i = 1; i != m_ctr_blocks; ++i) { |
232 | 0 | copy_mem(&m_counter[i * BS], &m_counter[0], BS - 4); |
233 | 0 | } |
234 | 0 | } |
235 | | |
236 | 4.49k | for(size_t i = 1; i != m_ctr_blocks; ++i) { |
237 | 3.90k | const uint32_t c = static_cast<uint32_t>(low32 + i); |
238 | 3.90k | store_be(c, &m_counter[(BS - 4) + i * BS]); |
239 | 3.90k | } |
240 | 586 | } else { |
241 | | // do everything sequentially: |
242 | 0 | for(size_t i = 1; i != m_ctr_blocks; ++i) { |
243 | 0 | copy_mem(&m_counter[i * BS], &m_counter[(i - 1) * BS], BS); |
244 | |
|
245 | 0 | for(size_t j = 0; j != m_ctr_size; ++j) { |
246 | 0 | if(++m_counter[i * BS + (BS - 1 - j)]) { |
247 | 0 | break; |
248 | 0 | } |
249 | 0 | } |
250 | 0 | } |
251 | 0 | } |
252 | | |
253 | 586 | if(base_counter > 0) { |
254 | 0 | add_counter(base_counter); |
255 | 0 | } |
256 | | |
257 | 586 | m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks); |
258 | 586 | m_pad_pos = offset % m_counter.size(); |
259 | 586 | } |
260 | | } // namespace Botan |