Botan  2.12.1
Crypto and TLS for C++11
ctr.cpp
Go to the documentation of this file.
1 /*
2 * Counter mode
3 * (C) 1999-2011,2014 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/ctr.h>
9 #include <botan/exceptn.h>
10 #include <botan/loadstor.h>
11 #include <botan/internal/bit_ops.h>
12 
13 namespace Botan {
14 
16  m_cipher(ciph),
17  m_block_size(m_cipher->block_size()),
18  m_ctr_size(m_block_size),
19  m_ctr_blocks(m_cipher->parallel_bytes() / m_block_size),
20  m_counter(m_cipher->parallel_bytes()),
21  m_pad(m_counter.size()),
22  m_pad_pos(0)
23  {
24  }
25 
26 CTR_BE::CTR_BE(BlockCipher* cipher, size_t ctr_size) :
27  m_cipher(cipher),
28  m_block_size(m_cipher->block_size()),
29  m_ctr_size(ctr_size),
30  m_ctr_blocks(m_cipher->parallel_bytes() / m_block_size),
31  m_counter(m_cipher->parallel_bytes()),
32  m_pad(m_counter.size()),
33  m_pad_pos(0)
34  {
35  BOTAN_ARG_CHECK(m_ctr_size >= 4 && m_ctr_size <= m_block_size,
36  "Invalid CTR-BE counter size");
37  }
38 
40  {
41  m_cipher->clear();
42  zeroise(m_pad);
43  zeroise(m_counter);
44  zap(m_iv);
45  m_pad_pos = 0;
46  }
47 
49  {
50  return m_block_size;
51  }
52 
53 bool CTR_BE::valid_iv_length(size_t iv_len) const
54  {
55  return (iv_len <= m_block_size);
56  }
57 
59  {
60  return m_cipher->key_spec();
61  }
62 
64  {
65  return new CTR_BE(m_cipher->clone(), m_ctr_size);
66  }
67 
68 void CTR_BE::key_schedule(const uint8_t key[], size_t key_len)
69  {
70  m_cipher->set_key(key, key_len);
71 
72  // Set a default all-zeros IV
73  set_iv(nullptr, 0);
74  }
75 
76 std::string CTR_BE::name() const
77  {
78  if(m_ctr_size == m_block_size)
79  return ("CTR-BE(" + m_cipher->name() + ")");
80  else
81  return ("CTR-BE(" + m_cipher->name() + "," + std::to_string(m_ctr_size) + ")");
82 
83  }
84 
85 void CTR_BE::cipher(const uint8_t in[], uint8_t out[], size_t length)
86  {
87  verify_key_set(m_iv.empty() == false);
88 
89  const uint8_t* pad_bits = &m_pad[0];
90  const size_t pad_size = m_pad.size();
91 
92  if(m_pad_pos > 0)
93  {
94  const size_t avail = pad_size - m_pad_pos;
95  const size_t take = std::min(length, avail);
96  xor_buf(out, in, pad_bits + m_pad_pos, take);
97  length -= take;
98  in += take;
99  out += take;
100  m_pad_pos += take;
101 
102  if(take == avail)
103  {
104  add_counter(m_ctr_blocks);
105  m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
106  m_pad_pos = 0;
107  }
108  }
109 
110  while(length >= pad_size)
111  {
112  xor_buf(out, in, pad_bits, pad_size);
113  length -= pad_size;
114  in += pad_size;
115  out += pad_size;
116 
117  add_counter(m_ctr_blocks);
118  m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
119  }
120 
121  xor_buf(out, in, pad_bits, length);
122  m_pad_pos += length;
123  }
124 
125 void CTR_BE::set_iv(const uint8_t iv[], size_t iv_len)
126  {
127  if(!valid_iv_length(iv_len))
128  throw Invalid_IV_Length(name(), iv_len);
129 
130  m_iv.resize(m_block_size);
131  zeroise(m_iv);
132  buffer_insert(m_iv, 0, iv, iv_len);
133 
134  seek(0);
135  }
136 
137 void CTR_BE::add_counter(const uint64_t counter)
138  {
139  const size_t ctr_size = m_ctr_size;
140  const size_t ctr_blocks = m_ctr_blocks;
141  const size_t BS = m_block_size;
142 
143  if(ctr_size == 4)
144  {
145  const size_t off = (BS - 4);
146  const uint32_t low32 = static_cast<uint32_t>(counter + load_be<uint32_t>(&m_counter[off], 0));
147 
148  for(size_t i = 0; i != ctr_blocks; ++i)
149  {
150  store_be(uint32_t(low32 + i), &m_counter[i*BS+off]);
151  }
152  }
153  else if(ctr_size == 8)
154  {
155  const size_t off = (BS - 8);
156  const uint64_t low64 = counter + load_be<uint64_t>(&m_counter[off], 0);
157 
158  for(size_t i = 0; i != ctr_blocks; ++i)
159  {
160  store_be(uint64_t(low64 + i), &m_counter[i*BS+off]);
161  }
162  }
163  else if(ctr_size == 16)
164  {
165  const size_t off = (BS - 16);
166  uint64_t b0 = load_be<uint64_t>(&m_counter[off], 0);
167  uint64_t b1 = load_be<uint64_t>(&m_counter[off], 1);
168  b1 += counter;
169  b0 += (b1 < counter) ? 1 : 0; // carry
170 
171  for(size_t i = 0; i != ctr_blocks; ++i)
172  {
173  store_be(b0, &m_counter[i*BS+off]);
174  store_be(b1, &m_counter[i*BS+off+8]);
175  b1 += 1;
176  b0 += (b1 == 0); // carry
177  }
178  }
179  else
180  {
181  for(size_t i = 0; i != ctr_blocks; ++i)
182  {
183  uint64_t local_counter = counter;
184  uint16_t carry = static_cast<uint8_t>(local_counter);
185  for(size_t j = 0; (carry || local_counter) && j != ctr_size; ++j)
186  {
187  const size_t off = i*BS + (BS-1-j);
188  const uint16_t cnt = static_cast<uint16_t>(m_counter[off]) + carry;
189  m_counter[off] = static_cast<uint8_t>(cnt);
190  local_counter = (local_counter >> 8);
191  carry = (cnt >> 8) + static_cast<uint8_t>(local_counter);
192  }
193  }
194  }
195  }
196 
197 void CTR_BE::seek(uint64_t offset)
198  {
199  verify_key_set(m_iv.empty() == false);
200 
201  const uint64_t base_counter = m_ctr_blocks * (offset / m_counter.size());
202 
203  zeroise(m_counter);
204  buffer_insert(m_counter, 0, m_iv);
205 
206  const size_t BS = m_block_size;
207 
208  // Set m_counter blocks to IV, IV + 1, ... IV + n
209 
210  if(m_ctr_size == 4 && BS >= 8)
211  {
212  const uint32_t low32 = load_be<uint32_t>(&m_counter[BS-4], 0);
213 
214  if(m_ctr_blocks >= 4 && is_power_of_2(m_ctr_blocks))
215  {
216  size_t written = 1;
217  while(written < m_ctr_blocks)
218  {
219  copy_mem(&m_counter[written*BS], &m_counter[0], BS*written);
220  written *= 2;
221  }
222  }
223  else
224  {
225  for(size_t i = 1; i != m_ctr_blocks; ++i)
226  {
227  copy_mem(&m_counter[i*BS], &m_counter[0], BS - 4);
228  }
229  }
230 
231  for(size_t i = 1; i != m_ctr_blocks; ++i)
232  {
233  const uint32_t c = static_cast<uint32_t>(low32 + i);
234  store_be(c, &m_counter[(BS-4)+i*BS]);
235  }
236  }
237  else
238  {
239  // do everything sequentially:
240  for(size_t i = 1; i != m_ctr_blocks; ++i)
241  {
242  buffer_insert(m_counter, i*BS, &m_counter[(i-1)*BS], BS);
243 
244  for(size_t j = 0; j != m_ctr_size; ++j)
245  if(++m_counter[i*BS + (BS - 1 - j)])
246  break;
247  }
248  }
249 
250  if(base_counter > 0)
251  add_counter(base_counter);
252 
253  m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
254  m_pad_pos = offset % m_counter.size();
255  }
256 }
void verify_key_set(bool cond) const
Definition: sym_algo.h:89
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:170
void carry(int64_t &h0, int64_t &h1)
void store_be(uint16_t in, uint8_t out[2])
Definition: loadstor.h:438
uint32_t load_be< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:179
size_t default_iv_length() const override
Definition: ctr.cpp:48
std::string name() const override
Definition: ctr.cpp:76
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
uint64_t load_be< uint64_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:217
void seek(uint64_t offset) override
Definition: ctr.cpp:197
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:207
CTR_BE * clone() const override
Definition: ctr.cpp:63
void clear() override
Definition: ctr.cpp:39
constexpr bool is_power_of_2(T arg)
Definition: bit_ops.h:43
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:122
Definition: alg_id.cpp:13
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
Key_Length_Specification key_spec() const override
Definition: ctr.cpp:58
CTR_BE(BlockCipher *cipher)
Definition: ctr.cpp:15
void set_iv(const uint8_t iv[], size_t iv_len) override
Definition: ctr.cpp:125
void cipher(const uint8_t in[], uint8_t out[], size_t length) override
Definition: ctr.cpp:85
size_t buffer_insert(std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length)
Definition: secmem.h:80
bool valid_iv_length(size_t iv_len) const override
Definition: ctr.cpp:53
void zeroise(std::vector< T, Alloc > &vec)
Definition: secmem.h:160