17517838244

Committed 06 Sep 2025 06:09PM UTC coverage: 90.671% (+0.004%) from 90.667%

Build # 17517838244

Build Type

Pull #5097

github

Committed by

web-flow

Commit Message

Merge 68a3e539f into ce0eeaec5

Pull Request Pull Request #5097: Refactor: Clarify Padding Specification in Keccak-based Functions

Run Details

100386 of 110714 relevant lines covered (90.67%)

12145542.39 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

98.18

/src/lib/stream/shake_cipher/shake_cipher.cpp

/*
 * SHAKE-128 and SHAKE-256
 * (C) 2016 Jack Lloyd
 *     2022 René Meusel, Michael Boric - Rohde & Schwarz Cybersecurity
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */

#include <botan/internal/shake_cipher.h>

#include <botan/exceptn.h>
#include <botan/mem_ops.h>

namespace Botan {

// NIST FIPS 202 Section 6.2
constexpr auto shake_padding = KeccakPaddingBits<1, 1, 1, 1>;

SHAKE_Cipher::SHAKE_Cipher(size_t keccak_capacity) :
      m_keccak({.capacity_bits = keccak_capacity, .padding = shake_padding}),
      m_has_keying_material(false),
      m_keystream_buffer(buffer_size()),
      m_bytes_generated(0) {}

void SHAKE_Cipher::set_iv_bytes(const uint8_t /*iv*/[], size_t length) {
   /*
   * This could be supported in some way (say, by treating iv as
   * a prefix or suffix of the key).
   */
   if(length != 0) {
      throw Invalid_IV_Length(name(), length);
   }
}

void SHAKE_Cipher::seek(uint64_t /*offset*/) {
   throw Not_Implemented("SHAKE_Cipher::seek");
}

void SHAKE_Cipher::clear() {
   m_keccak.clear();
   m_has_keying_material = false;
   zeroise(m_keystream_buffer);
   m_bytes_generated = 0;
}

void SHAKE_Cipher::cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) {
   assert_key_material_set();

   const auto block_size = m_keystream_buffer.size();

   auto cipher_some = [&](size_t bytes) {
      if(bytes > 0) {
         BOTAN_ASSERT_NOMSG(bytes <= block_size);
         BOTAN_ASSERT_NOMSG(bytes <= length);
         generate_keystream_internal(std::span(m_keystream_buffer).first(bytes));
         xor_buf(out, m_keystream_buffer.data(), in, bytes);
         out += bytes;
         in += bytes;
         length -= bytes;
      }
   };

   // Bring us back into alignment with the XOF's underlying blocks
   if(length > block_size) {
      const auto bytes_to_alignment = block_size - m_bytes_generated % block_size;
      cipher_some(bytes_to_alignment);
   }

   // Consume the XOF's output stream block-wise as long as we can
   while(length >= block_size) {
      cipher_some(block_size);
   }

   // Process remaining data, potentially causing misalignment
   cipher_some(length);
}

void SHAKE_Cipher::generate_keystream(uint8_t out[], size_t length) {
   assert_key_material_set();
   generate_keystream_internal({out, length});
}

void SHAKE_Cipher::generate_keystream_internal(std::span<uint8_t> out) {
   m_keccak.squeeze(out);
   m_bytes_generated += out.size();
}

void SHAKE_Cipher::key_schedule(std::span<const uint8_t> key) {
   clear();
   m_keccak.absorb(key);
   m_keccak.finish();
   m_has_keying_material = true;
}

Key_Length_Specification SHAKE_Cipher::key_spec() const {
   return Key_Length_Specification(1, 160);
}

SHAKE_128_Cipher::SHAKE_128_Cipher() : SHAKE_Cipher(256) {}

SHAKE_256_Cipher::SHAKE_256_Cipher() : SHAKE_Cipher(512) {}

}  // namespace Botan

1	/*
2	* SHAKE-128 and SHAKE-256
3	* (C) 2016 Jack Lloyd
4	* 2022 René Meusel, Michael Boric - Rohde & Schwarz Cybersecurity
5	*
6	* Botan is released under the Simplified BSD License (see license.txt)
7	*/
8
9	#include <botan/internal/shake_cipher.h>
10
11	#include <botan/exceptn.h>
12	#include <botan/mem_ops.h>
13
14	namespace Botan {
15
16	// NIST FIPS 202 Section 6.2
17	constexpr auto shake_padding = KeccakPaddingBits<1, 1, 1, 1>;
18
19	SHAKE_Cipher::SHAKE_Cipher(size_t keccak_capacity) :	6,870✔
20	m_keccak({.capacity_bits = keccak_capacity, .padding = shake_padding}),	6,870✔
21	m_has_keying_material(false),	6,870✔
22	m_keystream_buffer(buffer_size()),	6,870✔
23	m_bytes_generated(0) {}	13,740✔
24
25	void SHAKE_Cipher::set_iv_bytes(const uint8_t /iv/[], size_t length) {	6,870✔
26	/*
27	* This could be supported in some way (say, by treating iv as
28	* a prefix or suffix of the key).
29	*/
30	if(length != 0) {	6,870✔
31	throw Invalid_IV_Length(name(), length);	4,580✔
32	}
33	}	4,580✔
34
35	void SHAKE_Cipher::seek(uint64_t /offset/) {	2,290✔
36	throw Not_Implemented("SHAKE_Cipher::seek");	2,290✔
37	}
38
39	void SHAKE_Cipher::clear() {	11,450✔
40	m_keccak.clear();	11,450✔
41	m_has_keying_material = false;	11,450✔
42	zeroise(m_keystream_buffer);	11,450✔
43	m_bytes_generated = 0;	11,450✔
44	}	11,450✔
45
46	void SHAKE_Cipher::cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) {	9,160✔
47	assert_key_material_set();	9,160✔
48
49	const auto block_size = m_keystream_buffer.size();	4,580✔
50
51	auto cipher_some = [&](size_t bytes) {	9,252✔
52	if(bytes > 0) {	4,672✔
53	BOTAN_ASSERT_NOMSG(bytes <= block_size);	4,654✔
54	BOTAN_ASSERT_NOMSG(bytes <= length);	4,654✔
55	generate_keystream_internal(std::span(m_keystream_buffer).first(bytes));	4,654✔
56	xor_buf(out, m_keystream_buffer.data(), in, bytes);	4,654✔
57	out += bytes;	4,654✔
58	in += bytes;	4,654✔
59	length -= bytes;	4,654✔
60	}
61	};	9,252✔
62
63	// Bring us back into alignment with the XOF's underlying blocks
64	if(length > block_size) {	4,580✔
65	const auto bytes_to_alignment = block_size - m_bytes_generated % block_size;	74✔
66	cipher_some(bytes_to_alignment);	74✔
67	}
68
69	// Consume the XOF's output stream block-wise as long as we can
70	while(length >= block_size) {	4,598✔
71	cipher_some(block_size);	18✔
72	}
73
74	// Process remaining data, potentially causing misalignment
75	cipher_some(length);	4,580✔
76	}	4,580✔
77
78	void SHAKE_Cipher::generate_keystream(uint8_t out[], size_t length) {	3,042✔
79	assert_key_material_set();	3,042✔
80	generate_keystream_internal({out, length});	3,042✔
81	}	3,042✔
82
83	void SHAKE_Cipher::generate_keystream_internal(std::span<uint8_t> out) {	7,696✔
84	m_keccak.squeeze(out);	7,696✔
85	m_bytes_generated += out.size();	4,654✔
86	}	×
87
88	void SHAKE_Cipher::key_schedule(std::span<const uint8_t> key) {	9,160✔
89	clear();	9,160✔
90	m_keccak.absorb(key);	9,160✔
91	m_keccak.finish();	9,160✔
92	m_has_keying_material = true;	9,160✔
93	}	9,160✔
94
95	Key_Length_Specification SHAKE_Cipher::key_spec() const {	13,740✔
96	return Key_Length_Specification(1, 160);	13,740✔
97	}
98
99	SHAKE_128_Cipher::SHAKE_128_Cipher() : SHAKE_Cipher(256) {}	3,435✔
100
101	SHAKE_256_Cipher::SHAKE_256_Cipher() : SHAKE_Cipher(512) {}	3,435✔
102
103	} // namespace Botan

randombit / botan / 17517838244

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous