Botan 3.3.0
Crypto and TLS for C&
chacha.cpp
Go to the documentation of this file.
1/*
2* ChaCha
3* (C) 2014,2018,2023 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/chacha.h>
9
10#include <botan/exceptn.h>
11#include <botan/internal/cpuid.h>
12#include <botan/internal/fmt.h>
13#include <botan/internal/loadstor.h>
14#include <botan/internal/rotate.h>
15
16namespace Botan {
17
18namespace {
19
20inline void chacha_quarter_round(uint32_t& a, uint32_t& b, uint32_t& c, uint32_t& d) {
21 a += b;
22 d ^= a;
23 d = rotl<16>(d);
24 c += d;
25 b ^= c;
26 b = rotl<12>(b);
27 a += b;
28 d ^= a;
29 d = rotl<8>(d);
30 c += d;
31 b ^= c;
32 b = rotl<7>(b);
33}
34
35/*
36* Generate HChaCha cipher stream (for XChaCha IV setup)
37*/
38void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds) {
39 BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
40
41 uint32_t x00 = input[0], x01 = input[1], x02 = input[2], x03 = input[3], x04 = input[4], x05 = input[5],
42 x06 = input[6], x07 = input[7], x08 = input[8], x09 = input[9], x10 = input[10], x11 = input[11],
43 x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
44
45 for(size_t i = 0; i != rounds / 2; ++i) {
46 chacha_quarter_round(x00, x04, x08, x12);
47 chacha_quarter_round(x01, x05, x09, x13);
48 chacha_quarter_round(x02, x06, x10, x14);
49 chacha_quarter_round(x03, x07, x11, x15);
50
51 chacha_quarter_round(x00, x05, x10, x15);
52 chacha_quarter_round(x01, x06, x11, x12);
53 chacha_quarter_round(x02, x07, x08, x13);
54 chacha_quarter_round(x03, x04, x09, x14);
55 }
56
57 output[0] = x00;
58 output[1] = x01;
59 output[2] = x02;
60 output[3] = x03;
61 output[4] = x12;
62 output[5] = x13;
63 output[6] = x14;
64 output[7] = x15;
65}
66
67} // namespace
68
69ChaCha::ChaCha(size_t rounds) : m_rounds(rounds) {
70 BOTAN_ARG_CHECK(m_rounds == 8 || m_rounds == 12 || m_rounds == 20, "ChaCha only supports 8, 12 or 20 rounds");
71}
72
73size_t ChaCha::parallelism() {
74#if defined(BOTAN_HAS_CHACHA_AVX512)
75 if(CPUID::has_avx512()) {
76 return 16;
77 }
78#endif
79
80#if defined(BOTAN_HAS_CHACHA_AVX2)
81 if(CPUID::has_avx2()) {
82 return 8;
83 }
84#endif
85
86 return 4;
87}
88
89std::string ChaCha::provider() const {
90#if defined(BOTAN_HAS_CHACHA_AVX512)
91 if(CPUID::has_avx512()) {
92 return "avx512";
93 }
94#endif
95
96#if defined(BOTAN_HAS_CHACHA_AVX2)
97 if(CPUID::has_avx2()) {
98 return "avx2";
99 }
100#endif
101
102#if defined(BOTAN_HAS_CHACHA_SIMD32)
103 if(CPUID::has_simd_32()) {
104 return "simd32";
105 }
106#endif
107
108 return "base";
109}
110
111void ChaCha::chacha(uint8_t output[], size_t output_blocks, uint32_t state[16], size_t rounds) {
112 BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
113
114#if defined(BOTAN_HAS_CHACHA_AVX512)
115 if(CPUID::has_avx512()) {
116 while(output_blocks >= 16) {
117 ChaCha::chacha_avx512_x16(output, state, rounds);
118 output += 16 * 64;
119 output_blocks -= 16;
120 }
121 }
122#endif
123
124#if defined(BOTAN_HAS_CHACHA_AVX2)
125 if(CPUID::has_avx2()) {
126 while(output_blocks >= 8) {
127 ChaCha::chacha_avx2_x8(output, state, rounds);
128 output += 8 * 64;
129 output_blocks -= 8;
130 }
131 }
132#endif
133
134#if defined(BOTAN_HAS_CHACHA_SIMD32)
135 if(CPUID::has_simd_32()) {
136 while(output_blocks >= 4) {
137 ChaCha::chacha_simd32_x4(output, state, rounds);
138 output += 4 * 64;
139 output_blocks -= 4;
140 }
141 }
142#endif
143
144 // TODO interleave rounds
145 for(size_t i = 0; i != output_blocks; ++i) {
146 uint32_t x00 = state[0], x01 = state[1], x02 = state[2], x03 = state[3], x04 = state[4], x05 = state[5],
147 x06 = state[6], x07 = state[7], x08 = state[8], x09 = state[9], x10 = state[10], x11 = state[11],
148 x12 = state[12], x13 = state[13], x14 = state[14], x15 = state[15];
149
150 for(size_t r = 0; r != rounds / 2; ++r) {
151 chacha_quarter_round(x00, x04, x08, x12);
152 chacha_quarter_round(x01, x05, x09, x13);
153 chacha_quarter_round(x02, x06, x10, x14);
154 chacha_quarter_round(x03, x07, x11, x15);
155
156 chacha_quarter_round(x00, x05, x10, x15);
157 chacha_quarter_round(x01, x06, x11, x12);
158 chacha_quarter_round(x02, x07, x08, x13);
159 chacha_quarter_round(x03, x04, x09, x14);
160 }
161
162 x00 += state[0];
163 x01 += state[1];
164 x02 += state[2];
165 x03 += state[3];
166 x04 += state[4];
167 x05 += state[5];
168 x06 += state[6];
169 x07 += state[7];
170 x08 += state[8];
171 x09 += state[9];
172 x10 += state[10];
173 x11 += state[11];
174 x12 += state[12];
175 x13 += state[13];
176 x14 += state[14];
177 x15 += state[15];
178
179 store_le(x00, output + 64 * i + 4 * 0);
180 store_le(x01, output + 64 * i + 4 * 1);
181 store_le(x02, output + 64 * i + 4 * 2);
182 store_le(x03, output + 64 * i + 4 * 3);
183 store_le(x04, output + 64 * i + 4 * 4);
184 store_le(x05, output + 64 * i + 4 * 5);
185 store_le(x06, output + 64 * i + 4 * 6);
186 store_le(x07, output + 64 * i + 4 * 7);
187 store_le(x08, output + 64 * i + 4 * 8);
188 store_le(x09, output + 64 * i + 4 * 9);
189 store_le(x10, output + 64 * i + 4 * 10);
190 store_le(x11, output + 64 * i + 4 * 11);
191 store_le(x12, output + 64 * i + 4 * 12);
192 store_le(x13, output + 64 * i + 4 * 13);
193 store_le(x14, output + 64 * i + 4 * 14);
194 store_le(x15, output + 64 * i + 4 * 15);
195
196 state[12]++;
197 state[13] += (state[12] == 0);
198 }
199}
200
201/*
202* Combine cipher stream with message
203*/
204void ChaCha::cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) {
206
207 while(length >= m_buffer.size() - m_position) {
208 const size_t available = m_buffer.size() - m_position;
209
210 xor_buf(out, in, &m_buffer[m_position], available);
211 chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
212
213 length -= available;
214 in += available;
215 out += available;
216 m_position = 0;
217 }
218
219 xor_buf(out, in, &m_buffer[m_position], length);
220
221 m_position += length;
222}
223
224void ChaCha::generate_keystream(uint8_t out[], size_t length) {
226
227 while(length >= m_buffer.size() - m_position) {
228 const size_t available = m_buffer.size() - m_position;
229
230 // TODO: this could write directly to the output buffer
231 // instead of bouncing it through m_buffer first
232 copy_mem(out, &m_buffer[m_position], available);
233 chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
234
235 length -= available;
236 out += available;
237 m_position = 0;
238 }
239
240 copy_mem(out, &m_buffer[m_position], length);
241
242 m_position += length;
243}
244
245void ChaCha::initialize_state() {
246 static const uint32_t TAU[] = {0x61707865, 0x3120646e, 0x79622d36, 0x6b206574};
247
248 static const uint32_t SIGMA[] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};
249
250 m_state[4] = m_key[0];
251 m_state[5] = m_key[1];
252 m_state[6] = m_key[2];
253 m_state[7] = m_key[3];
254
255 if(m_key.size() == 4) {
256 m_state[0] = TAU[0];
257 m_state[1] = TAU[1];
258 m_state[2] = TAU[2];
259 m_state[3] = TAU[3];
260
261 m_state[8] = m_key[0];
262 m_state[9] = m_key[1];
263 m_state[10] = m_key[2];
264 m_state[11] = m_key[3];
265 } else {
266 m_state[0] = SIGMA[0];
267 m_state[1] = SIGMA[1];
268 m_state[2] = SIGMA[2];
269 m_state[3] = SIGMA[3];
270
271 m_state[8] = m_key[4];
272 m_state[9] = m_key[5];
273 m_state[10] = m_key[6];
274 m_state[11] = m_key[7];
275 }
276
277 m_state[12] = 0;
278 m_state[13] = 0;
279 m_state[14] = 0;
280 m_state[15] = 0;
281
282 m_position = 0;
283}
284
286 return !m_state.empty();
287}
288
289size_t ChaCha::buffer_size() const {
290 return 64;
291}
292
293/*
294* ChaCha Key Schedule
295*/
296void ChaCha::key_schedule(std::span<const uint8_t> key) {
297 m_key.resize(key.size() / 4);
298 load_le<uint32_t>(m_key.data(), key.data(), m_key.size());
299
300 m_state.resize(16);
301
302 const size_t chacha_block = 64;
303 m_buffer.resize(parallelism() * chacha_block);
304
305 set_iv(nullptr, 0);
306}
307
309 return 24;
310}
311
315
316std::unique_ptr<StreamCipher> ChaCha::new_object() const {
317 return std::make_unique<ChaCha>(m_rounds);
318}
319
320bool ChaCha::valid_iv_length(size_t iv_len) const {
321 return (iv_len == 0 || iv_len == 8 || iv_len == 12 || iv_len == 24);
322}
323
324void ChaCha::set_iv_bytes(const uint8_t iv[], size_t length) {
326
327 if(!valid_iv_length(length)) {
328 throw Invalid_IV_Length(name(), length);
329 }
330
331 initialize_state();
332
333 if(length == 0) {
334 // Treat zero length IV same as an all-zero IV
335 m_state[14] = 0;
336 m_state[15] = 0;
337 } else if(length == 8) {
338 m_state[14] = load_le<uint32_t>(iv, 0);
339 m_state[15] = load_le<uint32_t>(iv, 1);
340 } else if(length == 12) {
341 m_state[13] = load_le<uint32_t>(iv, 0);
342 m_state[14] = load_le<uint32_t>(iv, 1);
343 m_state[15] = load_le<uint32_t>(iv, 2);
344 } else if(length == 24) {
345 m_state[12] = load_le<uint32_t>(iv, 0);
346 m_state[13] = load_le<uint32_t>(iv, 1);
347 m_state[14] = load_le<uint32_t>(iv, 2);
348 m_state[15] = load_le<uint32_t>(iv, 3);
349
350 secure_vector<uint32_t> hc(8);
351 hchacha(hc.data(), m_state.data(), m_rounds);
352
353 m_state[4] = hc[0];
354 m_state[5] = hc[1];
355 m_state[6] = hc[2];
356 m_state[7] = hc[3];
357 m_state[8] = hc[4];
358 m_state[9] = hc[5];
359 m_state[10] = hc[6];
360 m_state[11] = hc[7];
361 m_state[12] = 0;
362 m_state[13] = 0;
363 m_state[14] = load_le<uint32_t>(iv, 4);
364 m_state[15] = load_le<uint32_t>(iv, 5);
365 }
366
367 chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
368 m_position = 0;
369}
370
372 zap(m_key);
373 zap(m_state);
374 zap(m_buffer);
375 m_position = 0;
376}
377
378std::string ChaCha::name() const {
379 return fmt("ChaCha({})", m_rounds);
380}
381
382void ChaCha::seek(uint64_t offset) {
384
385 // Find the block offset
386 const uint64_t counter = offset / 64;
387
388 uint8_t out[8];
389
390 store_le(counter, out);
391
392 m_state[12] = load_le<uint32_t>(out, 0);
393 m_state[13] += load_le<uint32_t>(out, 1);
394
395 chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
396 m_position = offset % 64;
397}
398} // namespace Botan
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
static bool has_simd_32()
Definition cpuid.cpp:18
void clear() override
Definition chacha.cpp:371
std::string name() const override
Definition chacha.cpp:378
size_t buffer_size() const override
Definition chacha.cpp:289
std::unique_ptr< StreamCipher > new_object() const override
Definition chacha.cpp:316
Key_Length_Specification key_spec() const override
Definition chacha.cpp:312
bool valid_iv_length(size_t iv_len) const override
Definition chacha.cpp:320
size_t default_iv_length() const override
Definition chacha.cpp:308
std::string provider() const override
Definition chacha.cpp:89
ChaCha(size_t rounds=20)
Definition chacha.cpp:69
bool has_keying_material() const override
Definition chacha.cpp:285
void seek(uint64_t offset) override
Definition chacha.cpp:382
void set_iv(const uint8_t iv[], size_t iv_len)
void assert_key_material_set() const
Definition sym_algo.h:139
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:117
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
constexpr void store_le(T in, OutR &&out_range)
Definition loadstor.h:383
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:340
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:146