Botan  2.10.0
Crypto and TLS for C++11
chacha.cpp
Go to the documentation of this file.
1 /*
2 * ChaCha
3 * (C) 2014,2018 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/chacha.h>
9 #include <botan/exceptn.h>
10 #include <botan/loadstor.h>
11 #include <botan/rotate.h>
12 #include <botan/cpuid.h>
13 
14 namespace Botan {
15 
16 namespace {
17 
18 #define CHACHA_QUARTER_ROUND(a, b, c, d) \
19  do { \
20  a += b; d ^= a; d = rotl<16>(d); \
21  c += d; b ^= c; b = rotl<12>(b); \
22  a += b; d ^= a; d = rotl<8>(d); \
23  c += d; b ^= c; b = rotl<7>(b); \
24  } while(0)
25 
26 /*
27 * Generate HChaCha cipher stream (for XChaCha IV setup)
28 */
29 void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds)
30  {
31  BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
32 
33  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
34  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
35  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
36  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
37 
38  for(size_t i = 0; i != rounds / 2; ++i)
39  {
40  CHACHA_QUARTER_ROUND(x00, x04, x08, x12);
41  CHACHA_QUARTER_ROUND(x01, x05, x09, x13);
42  CHACHA_QUARTER_ROUND(x02, x06, x10, x14);
43  CHACHA_QUARTER_ROUND(x03, x07, x11, x15);
44 
45  CHACHA_QUARTER_ROUND(x00, x05, x10, x15);
46  CHACHA_QUARTER_ROUND(x01, x06, x11, x12);
47  CHACHA_QUARTER_ROUND(x02, x07, x08, x13);
48  CHACHA_QUARTER_ROUND(x03, x04, x09, x14);
49  }
50 
51  output[0] = x00;
52  output[1] = x01;
53  output[2] = x02;
54  output[3] = x03;
55  output[4] = x12;
56  output[5] = x13;
57  output[6] = x14;
58  output[7] = x15;
59  }
60 
61 }
62 
63 ChaCha::ChaCha(size_t rounds) : m_rounds(rounds)
64  {
65  BOTAN_ARG_CHECK(m_rounds == 8 || m_rounds == 12 || m_rounds == 20,
66  "ChaCha only supports 8, 12 or 20 rounds");
67  }
68 
69 std::string ChaCha::provider() const
70  {
71 #if defined(BOTAN_HAS_CHACHA_AVX2)
72  if(CPUID::has_avx2())
73  {
74  return "avx2";
75  }
76 #endif
77 
78 #if defined(BOTAN_HAS_CHACHA_SIMD32)
79  if(CPUID::has_simd_32())
80  {
81  return "simd32";
82  }
83 #endif
84 
85  return "base";
86  }
87 
88 //static
89 void ChaCha::chacha_x8(uint8_t output[64*8], uint32_t input[16], size_t rounds)
90  {
91  BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
92 
93 #if defined(BOTAN_HAS_CHACHA_AVX2)
94  if(CPUID::has_avx2())
95  {
96  return ChaCha::chacha_avx2_x8(output, input, rounds);
97  }
98 #endif
99 
100 #if defined(BOTAN_HAS_CHACHA_SIMD32)
101  if(CPUID::has_simd_32())
102  {
103  ChaCha::chacha_simd32_x4(output, input, rounds);
104  ChaCha::chacha_simd32_x4(output + 4*64, input, rounds);
105  return;
106  }
107 #endif
108 
109  // TODO interleave rounds
110  for(size_t i = 0; i != 8; ++i)
111  {
112  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
113  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
114  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
115  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
116 
117  for(size_t r = 0; r != rounds / 2; ++r)
118  {
119  CHACHA_QUARTER_ROUND(x00, x04, x08, x12);
120  CHACHA_QUARTER_ROUND(x01, x05, x09, x13);
121  CHACHA_QUARTER_ROUND(x02, x06, x10, x14);
122  CHACHA_QUARTER_ROUND(x03, x07, x11, x15);
123 
124  CHACHA_QUARTER_ROUND(x00, x05, x10, x15);
125  CHACHA_QUARTER_ROUND(x01, x06, x11, x12);
126  CHACHA_QUARTER_ROUND(x02, x07, x08, x13);
127  CHACHA_QUARTER_ROUND(x03, x04, x09, x14);
128  }
129 
130  x00 += input[0];
131  x01 += input[1];
132  x02 += input[2];
133  x03 += input[3];
134  x04 += input[4];
135  x05 += input[5];
136  x06 += input[6];
137  x07 += input[7];
138  x08 += input[8];
139  x09 += input[9];
140  x10 += input[10];
141  x11 += input[11];
142  x12 += input[12];
143  x13 += input[13];
144  x14 += input[14];
145  x15 += input[15];
146 
147  store_le(x00, output + 64 * i + 4 * 0);
148  store_le(x01, output + 64 * i + 4 * 1);
149  store_le(x02, output + 64 * i + 4 * 2);
150  store_le(x03, output + 64 * i + 4 * 3);
151  store_le(x04, output + 64 * i + 4 * 4);
152  store_le(x05, output + 64 * i + 4 * 5);
153  store_le(x06, output + 64 * i + 4 * 6);
154  store_le(x07, output + 64 * i + 4 * 7);
155  store_le(x08, output + 64 * i + 4 * 8);
156  store_le(x09, output + 64 * i + 4 * 9);
157  store_le(x10, output + 64 * i + 4 * 10);
158  store_le(x11, output + 64 * i + 4 * 11);
159  store_le(x12, output + 64 * i + 4 * 12);
160  store_le(x13, output + 64 * i + 4 * 13);
161  store_le(x14, output + 64 * i + 4 * 14);
162  store_le(x15, output + 64 * i + 4 * 15);
163 
164  input[12]++;
165  input[13] += (input[12] == 0);
166  }
167  }
168 
169 #undef CHACHA_QUARTER_ROUND
170 
171 /*
172 * Combine cipher stream with message
173 */
174 void ChaCha::cipher(const uint8_t in[], uint8_t out[], size_t length)
175  {
176  verify_key_set(m_state.empty() == false);
177 
178  while(length >= m_buffer.size() - m_position)
179  {
180  const size_t available = m_buffer.size() - m_position;
181 
182  xor_buf(out, in, &m_buffer[m_position], available);
183  chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
184 
185  length -= available;
186  in += available;
187  out += available;
188  m_position = 0;
189  }
190 
191  xor_buf(out, in, &m_buffer[m_position], length);
192 
193  m_position += length;
194  }
195 
196 void ChaCha::write_keystream(uint8_t out[], size_t length)
197  {
198  verify_key_set(m_state.empty() == false);
199 
200  while(length >= m_buffer.size() - m_position)
201  {
202  const size_t available = m_buffer.size() - m_position;
203 
204  copy_mem(out, &m_buffer[m_position], available);
205  chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
206 
207  length -= available;
208  out += available;
209  m_position = 0;
210  }
211 
212  copy_mem(out, &m_buffer[m_position], length);
213 
214  m_position += length;
215  }
216 
217 void ChaCha::initialize_state()
218  {
219  static const uint32_t TAU[] =
220  { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
221 
222  static const uint32_t SIGMA[] =
223  { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
224 
225  m_state[4] = m_key[0];
226  m_state[5] = m_key[1];
227  m_state[6] = m_key[2];
228  m_state[7] = m_key[3];
229 
230  if(m_key.size() == 4)
231  {
232  m_state[0] = TAU[0];
233  m_state[1] = TAU[1];
234  m_state[2] = TAU[2];
235  m_state[3] = TAU[3];
236 
237  m_state[8] = m_key[0];
238  m_state[9] = m_key[1];
239  m_state[10] = m_key[2];
240  m_state[11] = m_key[3];
241  }
242  else
243  {
244  m_state[0] = SIGMA[0];
245  m_state[1] = SIGMA[1];
246  m_state[2] = SIGMA[2];
247  m_state[3] = SIGMA[3];
248 
249  m_state[8] = m_key[4];
250  m_state[9] = m_key[5];
251  m_state[10] = m_key[6];
252  m_state[11] = m_key[7];
253  }
254 
255  m_state[12] = 0;
256  m_state[13] = 0;
257  m_state[14] = 0;
258  m_state[15] = 0;
259 
260  m_position = 0;
261  }
262 
263 /*
264 * ChaCha Key Schedule
265 */
266 void ChaCha::key_schedule(const uint8_t key[], size_t length)
267  {
268  m_key.resize(length / 4);
269  load_le<uint32_t>(m_key.data(), key, m_key.size());
270 
271  m_state.resize(16);
272 
273  const size_t chacha_parallelism = 8; // chacha_x8
274  const size_t chacha_block = 64;
275  m_buffer.resize(chacha_parallelism * chacha_block);
276 
277  set_iv(nullptr, 0);
278  }
279 
280 size_t ChaCha::default_iv_length() const
281  {
282  return 24;
283  }
284 
285 Key_Length_Specification ChaCha::key_spec() const
286  {
287  return Key_Length_Specification(16, 32, 16);
288  }
289 
290 StreamCipher* ChaCha::clone() const
291  {
292  return new ChaCha(m_rounds);
293  }
294 
295 bool ChaCha::valid_iv_length(size_t iv_len) const
296  {
297  return (iv_len == 0 || iv_len == 8 || iv_len == 12 || iv_len == 24);
298  }
299 
300 void ChaCha::set_iv(const uint8_t iv[], size_t length)
301  {
302  verify_key_set(m_state.empty() == false);
303 
304  if(!valid_iv_length(length))
305  throw Invalid_IV_Length(name(), length);
306 
307  initialize_state();
308 
309  if(length == 0)
310  {
311  // Treat zero length IV same as an all-zero IV
312  m_state[14] = 0;
313  m_state[15] = 0;
314  }
315  else if(length == 8)
316  {
317  m_state[14] = load_le<uint32_t>(iv, 0);
318  m_state[15] = load_le<uint32_t>(iv, 1);
319  }
320  else if(length == 12)
321  {
322  m_state[13] = load_le<uint32_t>(iv, 0);
323  m_state[14] = load_le<uint32_t>(iv, 1);
324  m_state[15] = load_le<uint32_t>(iv, 2);
325  }
326  else if(length == 24)
327  {
328  m_state[12] = load_le<uint32_t>(iv, 0);
329  m_state[13] = load_le<uint32_t>(iv, 1);
330  m_state[14] = load_le<uint32_t>(iv, 2);
331  m_state[15] = load_le<uint32_t>(iv, 3);
332 
333  secure_vector<uint32_t> hc(8);
334  hchacha(hc.data(), m_state.data(), m_rounds);
335 
336  m_state[ 4] = hc[0];
337  m_state[ 5] = hc[1];
338  m_state[ 6] = hc[2];
339  m_state[ 7] = hc[3];
340  m_state[ 8] = hc[4];
341  m_state[ 9] = hc[5];
342  m_state[10] = hc[6];
343  m_state[11] = hc[7];
344  m_state[12] = 0;
345  m_state[13] = 0;
346  m_state[14] = load_le<uint32_t>(iv, 4);
347  m_state[15] = load_le<uint32_t>(iv, 5);
348  }
349 
350  chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
351  m_position = 0;
352  }
353 
354 void ChaCha::clear()
355  {
356  zap(m_key);
357  zap(m_state);
358  zap(m_buffer);
359  m_position = 0;
360  }
361 
362 std::string ChaCha::name() const
363  {
364  return "ChaCha(" + std::to_string(m_rounds) + ")";
365  }
366 
367 void ChaCha::seek(uint64_t offset)
368  {
369  verify_key_set(m_state.empty() == false);
370 
371  // Find the block offset
372  const uint64_t counter = offset / 64;
373 
374  uint8_t out[8];
375 
376  store_le(counter, out);
377 
378  m_state[12] = load_le<uint32_t>(out, 0);
379  m_state[13] += load_le<uint32_t>(out, 1);
380 
381  chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
382  m_position = offset % 64;
383  }
384 }
uint32_t uint8_t output[]
Definition: ffi.h:509
bool BigInt BigInt size_t size_t const std::vector< uint8_t > size_t offset
Definition: numthry.h:271
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:170
size_t const char const uint8_t size_t size_t size_t r
Definition: ffi.h:624
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:196
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
char * name
Definition: ffi.h:327
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
const uint8_t * in
Definition: ffi.h:294
size_t char * out
Definition: ffi.h:162
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:202
void BlockCipher * cipher
Definition: package.h:29
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:122
Definition: alg_id.cpp:13
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
const uint8_t * key
Definition: ffi.h:359
#define CHACHA_QUARTER_ROUND(a, b, c, d)
Definition: chacha.cpp:18
size_t const uint8_t input[]
Definition: base32.h:30
void BlockCipher const uint8_t size_t uint8_t output[]
Definition: package.h:29
const RSA_PrivateKey & m_key
Definition: rsa.cpp:296
void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:452