Botan  2.7.0
Crypto and TLS for C++11
chacha.cpp
Go to the documentation of this file.
1 /*
2 * ChaCha
3 * (C) 2014 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/chacha.h>
9 #include <botan/exceptn.h>
10 #include <botan/loadstor.h>
11 #include <botan/cpuid.h>
12 
13 namespace Botan {
14 
15 ChaCha::ChaCha(size_t rounds) : m_rounds(rounds)
16  {
17  BOTAN_ARG_CHECK(m_rounds == 8 || m_rounds == 12 || m_rounds == 20,
18  "ChaCha only supports 8, 12 or 20 rounds");
19  }
20 
21 std::string ChaCha::provider() const
22  {
23 #if defined(BOTAN_HAS_CHACHA_SSE2)
24  if(CPUID::has_sse2())
25  {
26  return "sse2";
27  }
28 #endif
29 
30  return "base";
31  }
32 
33 //static
34 void ChaCha::chacha_x4(uint8_t output[64*4], uint32_t input[16], size_t rounds)
35  {
36  BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
37 
38 #if defined(BOTAN_HAS_CHACHA_SSE2)
39  if(CPUID::has_sse2())
40  {
41  return ChaCha::chacha_sse2_x4(output, input, rounds);
42  }
43 #endif
44 
45  // TODO interleave rounds
46  for(size_t i = 0; i != 4; ++i)
47  {
48  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
49  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
50  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
51  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
52 
53 #define CHACHA_QUARTER_ROUND(a, b, c, d) \
54  do { \
55  a += b; d ^= a; d = rotl<16>(d); \
56  c += d; b ^= c; b = rotl<12>(b); \
57  a += b; d ^= a; d = rotl<8>(d); \
58  c += d; b ^= c; b = rotl<7>(b); \
59  } while(0)
60 
61  for(size_t r = 0; r != rounds / 2; ++r)
62  {
63  CHACHA_QUARTER_ROUND(x00, x04, x08, x12);
64  CHACHA_QUARTER_ROUND(x01, x05, x09, x13);
65  CHACHA_QUARTER_ROUND(x02, x06, x10, x14);
66  CHACHA_QUARTER_ROUND(x03, x07, x11, x15);
67 
68  CHACHA_QUARTER_ROUND(x00, x05, x10, x15);
69  CHACHA_QUARTER_ROUND(x01, x06, x11, x12);
70  CHACHA_QUARTER_ROUND(x02, x07, x08, x13);
71  CHACHA_QUARTER_ROUND(x03, x04, x09, x14);
72  }
73 
74 #undef CHACHA_QUARTER_ROUND
75 
76  x00 += input[0];
77  x01 += input[1];
78  x02 += input[2];
79  x03 += input[3];
80  x04 += input[4];
81  x05 += input[5];
82  x06 += input[6];
83  x07 += input[7];
84  x08 += input[8];
85  x09 += input[9];
86  x10 += input[10];
87  x11 += input[11];
88  x12 += input[12];
89  x13 += input[13];
90  x14 += input[14];
91  x15 += input[15];
92 
93  store_le(x00, output + 64 * i + 4 * 0);
94  store_le(x01, output + 64 * i + 4 * 1);
95  store_le(x02, output + 64 * i + 4 * 2);
96  store_le(x03, output + 64 * i + 4 * 3);
97  store_le(x04, output + 64 * i + 4 * 4);
98  store_le(x05, output + 64 * i + 4 * 5);
99  store_le(x06, output + 64 * i + 4 * 6);
100  store_le(x07, output + 64 * i + 4 * 7);
101  store_le(x08, output + 64 * i + 4 * 8);
102  store_le(x09, output + 64 * i + 4 * 9);
103  store_le(x10, output + 64 * i + 4 * 10);
104  store_le(x11, output + 64 * i + 4 * 11);
105  store_le(x12, output + 64 * i + 4 * 12);
106  store_le(x13, output + 64 * i + 4 * 13);
107  store_le(x14, output + 64 * i + 4 * 14);
108  store_le(x15, output + 64 * i + 4 * 15);
109 
110  input[12]++;
111  input[13] += input[12] < i; // carry?
112  }
113  }
114 
115 /*
116 * Combine cipher stream with message
117 */
118 void ChaCha::cipher(const uint8_t in[], uint8_t out[], size_t length)
119  {
120  verify_key_set(m_state.empty() == false);
121 
122  while(length >= m_buffer.size() - m_position)
123  {
124  xor_buf(out, in, &m_buffer[m_position], m_buffer.size() - m_position);
125  length -= (m_buffer.size() - m_position);
126  in += (m_buffer.size() - m_position);
127  out += (m_buffer.size() - m_position);
128  chacha_x4(m_buffer.data(), m_state.data(), m_rounds);
129  m_position = 0;
130  }
131 
132  xor_buf(out, in, &m_buffer[m_position], length);
133 
134  m_position += length;
135  }
136 
137 /*
138 * ChaCha Key Schedule
139 */
140 void ChaCha::key_schedule(const uint8_t key[], size_t length)
141  {
142  static const uint32_t TAU[] =
143  { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
144 
145  static const uint32_t SIGMA[] =
146  { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
147 
148  const uint32_t* CONSTANTS = (length == 16) ? TAU : SIGMA;
149 
150  // Repeat the key if 128 bits
151  const uint8_t* key2 = (length == 32) ? key + 16 : key;
152 
153  m_position = 0;
154  m_state.resize(16);
155  m_buffer.resize(4*64);
156 
157  m_state[0] = CONSTANTS[0];
158  m_state[1] = CONSTANTS[1];
159  m_state[2] = CONSTANTS[2];
160  m_state[3] = CONSTANTS[3];
161 
162  m_state[4] = load_le<uint32_t>(key, 0);
163  m_state[5] = load_le<uint32_t>(key, 1);
164  m_state[6] = load_le<uint32_t>(key, 2);
165  m_state[7] = load_le<uint32_t>(key, 3);
166 
167  m_state[8] = load_le<uint32_t>(key2, 0);
168  m_state[9] = load_le<uint32_t>(key2, 1);
169  m_state[10] = load_le<uint32_t>(key2, 2);
170  m_state[11] = load_le<uint32_t>(key2, 3);
171 
172  // Default all-zero IV
173  const uint8_t ZERO[8] = { 0 };
174  set_iv(ZERO, sizeof(ZERO));
175  }
176 
177 bool ChaCha::valid_iv_length(size_t iv_len) const
178  {
179  return (iv_len == 0 || iv_len == 8 || iv_len == 12);
180  }
181 
182 void ChaCha::set_iv(const uint8_t iv[], size_t length)
183  {
184  if(!valid_iv_length(length))
185  throw Invalid_IV_Length(name(), length);
186 
187  m_state[12] = 0;
188  m_state[13] = 0;
189 
190  if(length == 0)
191  {
192  // Treat zero length IV same as an all-zero IV
193  m_state[14] = 0;
194  m_state[15] = 0;
195  }
196  else if(length == 8)
197  {
198  m_state[14] = load_le<uint32_t>(iv, 0);
199  m_state[15] = load_le<uint32_t>(iv, 1);
200  }
201  else if(length == 12)
202  {
203  m_state[13] = load_le<uint32_t>(iv, 0);
204  m_state[14] = load_le<uint32_t>(iv, 1);
205  m_state[15] = load_le<uint32_t>(iv, 2);
206  }
207 
208  chacha_x4(m_buffer.data(), m_state.data(), m_rounds);
209  m_position = 0;
210  }
211 
213  {
214  zap(m_state);
215  zap(m_buffer);
216  m_position = 0;
217  }
218 
219 std::string ChaCha::name() const
220  {
221  return "ChaCha(" + std::to_string(m_rounds) + ")";
222  }
223 
224 void ChaCha::seek(uint64_t offset)
225  {
226  verify_key_set(m_state.empty() == false);
227 
228  // Find the block offset
229  uint64_t counter = offset / 64;
230 
231  uint8_t out[8];
232 
233  store_le(counter, out);
234 
235  m_state[12] = load_le<uint32_t>(out, 0);
236  m_state[13] += load_le<uint32_t>(out, 1);
237 
238  chacha_x4(m_buffer.data(), m_state.data(), m_rounds);
239  m_position = offset % 64;
240  }
241 }
ChaCha(size_t rounds=20)
Definition: chacha.cpp:15
void verify_key_set(bool cond) const
Definition: sym_algo.h:89
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:193
void cipher(const uint8_t in[], uint8_t out[], size_t length) override
Definition: chacha.cpp:118
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:196
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:210
void set_iv(const uint8_t iv[], size_t iv_len) override
Definition: chacha.cpp:182
void clear() override
Definition: chacha.cpp:212
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:43
bool valid_iv_length(size_t iv_len) const override
Definition: chacha.cpp:177
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:174
Definition: alg_id.cpp:13
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
std::string name() const override
Definition: chacha.cpp:219
void seek(uint64_t offset) override
Definition: chacha.cpp:224
#define CHACHA_QUARTER_ROUND(a, b, c, d)
std::string provider() const override
Definition: chacha.cpp:21
void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:450