1 /*
2 * Counter mode
3 * (C) 1999-2011,2014 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/ctr.h>
9 #include <botan/exceptn.h>
10 #include <botan/loadstor.h>
11 #include <botan/internal/bit_ops.h>
12 
13 namespace Botan {
14 
CTR_BE(BlockCipher * ciph)15 CTR_BE::CTR_BE(BlockCipher* ciph) :
16    m_cipher(ciph),
17    m_block_size(m_cipher->block_size()),
18    m_ctr_size(m_block_size),
19    m_ctr_blocks(m_cipher->parallel_bytes() / m_block_size),
20    m_counter(m_cipher->parallel_bytes()),
21    m_pad(m_counter.size()),
22    m_pad_pos(0)
23    {
24    }
25 
CTR_BE(BlockCipher * cipher,size_t ctr_size)26 CTR_BE::CTR_BE(BlockCipher* cipher, size_t ctr_size) :
27    m_cipher(cipher),
28    m_block_size(m_cipher->block_size()),
29    m_ctr_size(ctr_size),
30    m_ctr_blocks(m_cipher->parallel_bytes() / m_block_size),
31    m_counter(m_cipher->parallel_bytes()),
32    m_pad(m_counter.size()),
33    m_pad_pos(0)
34    {
35    BOTAN_ARG_CHECK(m_ctr_size >= 4 && m_ctr_size <= m_block_size,
36                    "Invalid CTR-BE counter size");
37    }
38 
clear()39 void CTR_BE::clear()
40    {
41    m_cipher->clear();
42    zeroise(m_pad);
43    zeroise(m_counter);
44    zap(m_iv);
45    m_pad_pos = 0;
46    }
47 
default_iv_length() const48 size_t CTR_BE::default_iv_length() const
49    {
50    return m_block_size;
51    }
52 
valid_iv_length(size_t iv_len) const53 bool CTR_BE::valid_iv_length(size_t iv_len) const
54    {
55    return (iv_len <= m_block_size);
56    }
57 
key_spec() const58 Key_Length_Specification CTR_BE::key_spec() const
59    {
60    return m_cipher->key_spec();
61    }
62 
clone() const63 CTR_BE* CTR_BE::clone() const
64    {
65    return new CTR_BE(m_cipher->clone(), m_ctr_size);
66    }
67 
key_schedule(const uint8_t key[],size_t key_len)68 void CTR_BE::key_schedule(const uint8_t key[], size_t key_len)
69    {
70    m_cipher->set_key(key, key_len);
71 
72    // Set a default all-zeros IV
73    set_iv(nullptr, 0);
74    }
75 
name() const76 std::string CTR_BE::name() const
77    {
78    if(m_ctr_size == m_block_size)
79       return ("CTR-BE(" + m_cipher->name() + ")");
80    else
81       return ("CTR-BE(" + m_cipher->name() + "," + std::to_string(m_ctr_size) + ")");
82 
83    }
84 
cipher(const uint8_t in[],uint8_t out[],size_t length)85 void CTR_BE::cipher(const uint8_t in[], uint8_t out[], size_t length)
86    {
87    verify_key_set(m_iv.empty() == false);
88 
89    const uint8_t* pad_bits = &m_pad[0];
90    const size_t pad_size = m_pad.size();
91 
92    if(m_pad_pos > 0)
93       {
94       const size_t avail = pad_size - m_pad_pos;
95       const size_t take = std::min(length, avail);
96       xor_buf(out, in, pad_bits + m_pad_pos, take);
97       length -= take;
98       in += take;
99       out += take;
100       m_pad_pos += take;
101 
102       if(take == avail)
103          {
104          add_counter(m_ctr_blocks);
105          m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
106          m_pad_pos = 0;
107          }
108       }
109 
110    while(length >= pad_size)
111       {
112       xor_buf(out, in, pad_bits, pad_size);
113       length -= pad_size;
114       in += pad_size;
115       out += pad_size;
116 
117       add_counter(m_ctr_blocks);
118       m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
119       }
120 
121    xor_buf(out, in, pad_bits, length);
122    m_pad_pos += length;
123    }
124 
set_iv(const uint8_t iv[],size_t iv_len)125 void CTR_BE::set_iv(const uint8_t iv[], size_t iv_len)
126    {
127    if(!valid_iv_length(iv_len))
128       throw Invalid_IV_Length(name(), iv_len);
129 
130    m_iv.resize(m_block_size);
131    zeroise(m_iv);
132    buffer_insert(m_iv, 0, iv, iv_len);
133 
134    seek(0);
135    }
136 
add_counter(const uint64_t counter)137 void CTR_BE::add_counter(const uint64_t counter)
138    {
139    const size_t ctr_size = m_ctr_size;
140    const size_t ctr_blocks = m_ctr_blocks;
141    const size_t BS = m_block_size;
142 
143    if(ctr_size == 4)
144       {
145       const size_t off = (BS - 4);
146       const uint32_t low32 = static_cast<uint32_t>(counter + load_be<uint32_t>(&m_counter[off], 0));
147 
148       for(size_t i = 0; i != ctr_blocks; ++i)
149          {
150          store_be(uint32_t(low32 + i), &m_counter[i*BS+off]);
151          }
152       }
153    else if(ctr_size == 8)
154       {
155       const size_t off = (BS - 8);
156       const uint64_t low64 = counter + load_be<uint64_t>(&m_counter[off], 0);
157 
158       for(size_t i = 0; i != ctr_blocks; ++i)
159          {
160          store_be(uint64_t(low64 + i), &m_counter[i*BS+off]);
161          }
162       }
163    else if(ctr_size == 16)
164       {
165       const size_t off = (BS - 16);
166       uint64_t b0 = load_be<uint64_t>(&m_counter[off], 0);
167       uint64_t b1 = load_be<uint64_t>(&m_counter[off], 1);
168       b1 += counter;
169       b0 += (b1 < counter) ? 1 : 0; // carry
170 
171       for(size_t i = 0; i != ctr_blocks; ++i)
172          {
173          store_be(b0, &m_counter[i*BS+off]);
174          store_be(b1, &m_counter[i*BS+off+8]);
175          b1 += 1;
176          b0 += (b1 == 0); // carry
177          }
178       }
179    else
180       {
181       for(size_t i = 0; i != ctr_blocks; ++i)
182          {
183          uint64_t local_counter = counter;
184          uint16_t carry = static_cast<uint8_t>(local_counter);
185          for(size_t j = 0; (carry || local_counter) && j != ctr_size; ++j)
186             {
187             const size_t off = i*BS + (BS-1-j);
188             const uint16_t cnt = static_cast<uint16_t>(m_counter[off]) + carry;
189             m_counter[off] = static_cast<uint8_t>(cnt);
190             local_counter = (local_counter >> 8);
191             carry = (cnt >> 8) + static_cast<uint8_t>(local_counter);
192             }
193          }
194       }
195    }
196 
seek(uint64_t offset)197 void CTR_BE::seek(uint64_t offset)
198    {
199    verify_key_set(m_iv.empty() == false);
200 
201    const uint64_t base_counter = m_ctr_blocks * (offset / m_counter.size());
202 
203    zeroise(m_counter);
204    buffer_insert(m_counter, 0, m_iv);
205 
206    const size_t BS = m_block_size;
207 
208    // Set m_counter blocks to IV, IV + 1, ... IV + n
209 
210    if(m_ctr_size == 4 && BS >= 8)
211       {
212       const uint32_t low32 = load_be<uint32_t>(&m_counter[BS-4], 0);
213 
214       if(m_ctr_blocks >= 4 && is_power_of_2(m_ctr_blocks))
215          {
216          size_t written = 1;
217          while(written < m_ctr_blocks)
218             {
219             copy_mem(&m_counter[written*BS], &m_counter[0], BS*written);
220             written *= 2;
221             }
222          }
223       else
224          {
225          for(size_t i = 1; i != m_ctr_blocks; ++i)
226             {
227             copy_mem(&m_counter[i*BS], &m_counter[0], BS - 4);
228             }
229          }
230 
231       for(size_t i = 1; i != m_ctr_blocks; ++i)
232          {
233          const uint32_t c = static_cast<uint32_t>(low32 + i);
234          store_be(c, &m_counter[(BS-4)+i*BS]);
235          }
236       }
237    else
238       {
239       // do everything sequentially:
240       for(size_t i = 1; i != m_ctr_blocks; ++i)
241          {
242          buffer_insert(m_counter, i*BS, &m_counter[(i-1)*BS], BS);
243 
244          for(size_t j = 0; j != m_ctr_size; ++j)
245             if(++m_counter[i*BS + (BS - 1 - j)])
246                break;
247          }
248       }
249 
250    if(base_counter > 0)
251       add_counter(base_counter);
252 
253    m_cipher->encrypt_n(m_counter.data(), m_pad.data(), m_ctr_blocks);
254    m_pad_pos = offset % m_counter.size();
255    }
256 }
257