Botan  2.6.0
Crypto and TLS for C++11
chacha.cpp
Go to the documentation of this file.
1 /*
2 * ChaCha
3 * (C) 2014 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/chacha.h>
9 #include <botan/loadstor.h>
10 #include <botan/cpuid.h>
11 
12 namespace Botan {
13 
14 ChaCha::ChaCha(size_t rounds) : m_rounds(rounds)
15  {
16  if(m_rounds != 8 && m_rounds != 12 && m_rounds != 20)
17  throw Invalid_Argument("ChaCha only supports 8, 12 or 20 rounds");
18  }
19 
20 std::string ChaCha::provider() const
21  {
22 #if defined(BOTAN_HAS_CHACHA_SSE2)
23  if(CPUID::has_sse2())
24  {
25  return "sse2";
26  }
27 #endif
28 
29  return "base";
30  }
31 
32 //static
33 void ChaCha::chacha_x4(uint8_t output[64*4], uint32_t input[16], size_t rounds)
34  {
35  BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
36 
37 #if defined(BOTAN_HAS_CHACHA_SSE2)
38  if(CPUID::has_sse2())
39  {
40  return ChaCha::chacha_sse2_x4(output, input, rounds);
41  }
42 #endif
43 
44  // TODO interleave rounds
45  for(size_t i = 0; i != 4; ++i)
46  {
47  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
48  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
49  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
50  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
51 
52 #define CHACHA_QUARTER_ROUND(a, b, c, d) \
53  do { \
54  a += b; d ^= a; d = rotl<16>(d); \
55  c += d; b ^= c; b = rotl<12>(b); \
56  a += b; d ^= a; d = rotl<8>(d); \
57  c += d; b ^= c; b = rotl<7>(b); \
58  } while(0)
59 
60  for(size_t r = 0; r != rounds / 2; ++r)
61  {
62  CHACHA_QUARTER_ROUND(x00, x04, x08, x12);
63  CHACHA_QUARTER_ROUND(x01, x05, x09, x13);
64  CHACHA_QUARTER_ROUND(x02, x06, x10, x14);
65  CHACHA_QUARTER_ROUND(x03, x07, x11, x15);
66 
67  CHACHA_QUARTER_ROUND(x00, x05, x10, x15);
68  CHACHA_QUARTER_ROUND(x01, x06, x11, x12);
69  CHACHA_QUARTER_ROUND(x02, x07, x08, x13);
70  CHACHA_QUARTER_ROUND(x03, x04, x09, x14);
71  }
72 
73 #undef CHACHA_QUARTER_ROUND
74 
75  x00 += input[0];
76  x01 += input[1];
77  x02 += input[2];
78  x03 += input[3];
79  x04 += input[4];
80  x05 += input[5];
81  x06 += input[6];
82  x07 += input[7];
83  x08 += input[8];
84  x09 += input[9];
85  x10 += input[10];
86  x11 += input[11];
87  x12 += input[12];
88  x13 += input[13];
89  x14 += input[14];
90  x15 += input[15];
91 
92  store_le(x00, output + 64 * i + 4 * 0);
93  store_le(x01, output + 64 * i + 4 * 1);
94  store_le(x02, output + 64 * i + 4 * 2);
95  store_le(x03, output + 64 * i + 4 * 3);
96  store_le(x04, output + 64 * i + 4 * 4);
97  store_le(x05, output + 64 * i + 4 * 5);
98  store_le(x06, output + 64 * i + 4 * 6);
99  store_le(x07, output + 64 * i + 4 * 7);
100  store_le(x08, output + 64 * i + 4 * 8);
101  store_le(x09, output + 64 * i + 4 * 9);
102  store_le(x10, output + 64 * i + 4 * 10);
103  store_le(x11, output + 64 * i + 4 * 11);
104  store_le(x12, output + 64 * i + 4 * 12);
105  store_le(x13, output + 64 * i + 4 * 13);
106  store_le(x14, output + 64 * i + 4 * 14);
107  store_le(x15, output + 64 * i + 4 * 15);
108 
109  input[12]++;
110  input[13] += input[12] < i; // carry?
111  }
112  }
113 
114 /*
115 * Combine cipher stream with message
116 */
117 void ChaCha::cipher(const uint8_t in[], uint8_t out[], size_t length)
118  {
119  verify_key_set(m_state.empty() == false);
120 
121  while(length >= m_buffer.size() - m_position)
122  {
123  xor_buf(out, in, &m_buffer[m_position], m_buffer.size() - m_position);
124  length -= (m_buffer.size() - m_position);
125  in += (m_buffer.size() - m_position);
126  out += (m_buffer.size() - m_position);
127  chacha_x4(m_buffer.data(), m_state.data(), m_rounds);
128  m_position = 0;
129  }
130 
131  xor_buf(out, in, &m_buffer[m_position], length);
132 
133  m_position += length;
134  }
135 
136 /*
137 * ChaCha Key Schedule
138 */
139 void ChaCha::key_schedule(const uint8_t key[], size_t length)
140  {
141  static const uint32_t TAU[] =
142  { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
143 
144  static const uint32_t SIGMA[] =
145  { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
146 
147  const uint32_t* CONSTANTS = (length == 16) ? TAU : SIGMA;
148 
149  // Repeat the key if 128 bits
150  const uint8_t* key2 = (length == 32) ? key + 16 : key;
151 
152  m_position = 0;
153  m_state.resize(16);
154  m_buffer.resize(4*64);
155 
156  m_state[0] = CONSTANTS[0];
157  m_state[1] = CONSTANTS[1];
158  m_state[2] = CONSTANTS[2];
159  m_state[3] = CONSTANTS[3];
160 
161  m_state[4] = load_le<uint32_t>(key, 0);
162  m_state[5] = load_le<uint32_t>(key, 1);
163  m_state[6] = load_le<uint32_t>(key, 2);
164  m_state[7] = load_le<uint32_t>(key, 3);
165 
166  m_state[8] = load_le<uint32_t>(key2, 0);
167  m_state[9] = load_le<uint32_t>(key2, 1);
168  m_state[10] = load_le<uint32_t>(key2, 2);
169  m_state[11] = load_le<uint32_t>(key2, 3);
170 
171  // Default all-zero IV
172  const uint8_t ZERO[8] = { 0 };
173  set_iv(ZERO, sizeof(ZERO));
174  }
175 
176 bool ChaCha::valid_iv_length(size_t iv_len) const
177  {
178  return (iv_len == 0 || iv_len == 8 || iv_len == 12);
179  }
180 
181 void ChaCha::set_iv(const uint8_t iv[], size_t length)
182  {
183  if(!valid_iv_length(length))
184  throw Invalid_IV_Length(name(), length);
185 
186  m_state[12] = 0;
187  m_state[13] = 0;
188 
189  if(length == 0)
190  {
191  // Treat zero length IV same as an all-zero IV
192  m_state[14] = 0;
193  m_state[15] = 0;
194  }
195  else if(length == 8)
196  {
197  m_state[14] = load_le<uint32_t>(iv, 0);
198  m_state[15] = load_le<uint32_t>(iv, 1);
199  }
200  else if(length == 12)
201  {
202  m_state[13] = load_le<uint32_t>(iv, 0);
203  m_state[14] = load_le<uint32_t>(iv, 1);
204  m_state[15] = load_le<uint32_t>(iv, 2);
205  }
206 
207  chacha_x4(m_buffer.data(), m_state.data(), m_rounds);
208  m_position = 0;
209  }
210 
212  {
213  zap(m_state);
214  zap(m_buffer);
215  m_position = 0;
216  }
217 
218 std::string ChaCha::name() const
219  {
220  return "ChaCha(" + std::to_string(m_rounds) + ")";
221  }
222 
223 void ChaCha::seek(uint64_t offset)
224  {
225  verify_key_set(m_state.empty() == false);
226 
227  // Find the block offset
228  uint64_t counter = offset / 64;
229 
230  uint8_t out[8];
231 
232  store_le(counter, out);
233 
234  m_state[12] = load_le<uint32_t>(out, 0);
235  m_state[13] += load_le<uint32_t>(out, 1);
236 
237  chacha_x4(m_buffer.data(), m_state.data(), m_rounds);
238  m_position = offset % 64;
239  }
240 }
ChaCha(size_t rounds=20)
Definition: chacha.cpp:14
void verify_key_set(bool cond) const
Definition: sym_algo.h:95
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:193
void cipher(const uint8_t in[], uint8_t out[], size_t length) override
Definition: chacha.cpp:117
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:196
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:145
void set_iv(const uint8_t iv[], size_t iv_len) override
Definition: chacha.cpp:181
void clear() override
Definition: chacha.cpp:211
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:30
bool valid_iv_length(size_t iv_len) const override
Definition: chacha.cpp:176
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:174
Definition: alg_id.cpp:13
std::string name() const override
Definition: chacha.cpp:218
void seek(uint64_t offset) override
Definition: chacha.cpp:223
#define CHACHA_QUARTER_ROUND(a, b, c, d)
std::string provider() const override
Definition: chacha.cpp:20
void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:450