Botan 3.9.0
Crypto and TLS for C&
chacha.cpp
Go to the documentation of this file.
1/*
2* ChaCha
3* (C) 2014,2018,2023 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/chacha.h>
9
10#include <botan/exceptn.h>
11#include <botan/internal/fmt.h>
12#include <botan/internal/loadstor.h>
13#include <botan/internal/rotate.h>
14
15#if defined(BOTAN_HAS_CPUID)
16 #include <botan/internal/cpuid.h>
17#endif
18
19namespace Botan {
20
21namespace {
22
23inline void chacha_quarter_round(uint32_t& a, uint32_t& b, uint32_t& c, uint32_t& d) {
24 a += b;
25 d ^= a;
26 d = rotl<16>(d);
27 c += d;
28 b ^= c;
29 b = rotl<12>(b);
30 a += b;
31 d ^= a;
32 d = rotl<8>(d);
33 c += d;
34 b ^= c;
35 b = rotl<7>(b);
36}
37
38/*
39* Generate HChaCha cipher stream (for XChaCha IV setup)
40*/
41void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds) {
42 BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
43
44 uint32_t x00 = input[0];
45 uint32_t x01 = input[1];
46 uint32_t x02 = input[2];
47 uint32_t x03 = input[3];
48 uint32_t x04 = input[4];
49 uint32_t x05 = input[5];
50 uint32_t x06 = input[6];
51 uint32_t x07 = input[7];
52 uint32_t x08 = input[8];
53 uint32_t x09 = input[9];
54 uint32_t x10 = input[10];
55 uint32_t x11 = input[11];
56 uint32_t x12 = input[12];
57 uint32_t x13 = input[13];
58 uint32_t x14 = input[14];
59 uint32_t x15 = input[15];
60
61 for(size_t i = 0; i != rounds / 2; ++i) {
62 chacha_quarter_round(x00, x04, x08, x12);
63 chacha_quarter_round(x01, x05, x09, x13);
64 chacha_quarter_round(x02, x06, x10, x14);
65 chacha_quarter_round(x03, x07, x11, x15);
66
67 chacha_quarter_round(x00, x05, x10, x15);
68 chacha_quarter_round(x01, x06, x11, x12);
69 chacha_quarter_round(x02, x07, x08, x13);
70 chacha_quarter_round(x03, x04, x09, x14);
71 }
72
73 output[0] = x00;
74 output[1] = x01;
75 output[2] = x02;
76 output[3] = x03;
77 output[4] = x12;
78 output[5] = x13;
79 output[6] = x14;
80 output[7] = x15;
81}
82
83} // namespace
84
85ChaCha::ChaCha(size_t rounds) : m_rounds(rounds) {
86 BOTAN_ARG_CHECK(m_rounds == 8 || m_rounds == 12 || m_rounds == 20, "ChaCha only supports 8, 12 or 20 rounds");
87}
88
89size_t ChaCha::parallelism() {
90#if defined(BOTAN_HAS_CHACHA_AVX512)
92 return 16;
93 }
94#endif
95
96#if defined(BOTAN_HAS_CHACHA_AVX2)
98 return 8;
99 }
100#endif
101
102 return 4;
103}
104
105std::string ChaCha::provider() const {
106#if defined(BOTAN_HAS_CHACHA_AVX512)
107 if(auto feat = CPUID::check(CPUID::Feature::AVX512)) {
108 return *feat;
109 }
110#endif
111
112#if defined(BOTAN_HAS_CHACHA_AVX2)
113 if(auto feat = CPUID::check(CPUID::Feature::AVX2)) {
114 return *feat;
115 }
116#endif
117
118#if defined(BOTAN_HAS_CHACHA_SIMD32)
119 if(auto feat = CPUID::check(CPUID::Feature::SIMD_4X32)) {
120 return *feat;
121 }
122#endif
123
124 return "base";
125}
126
127void ChaCha::chacha(uint8_t output[], size_t output_blocks, uint32_t state[16], size_t rounds) {
128 BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
129
130#if defined(BOTAN_HAS_CHACHA_AVX512)
132 while(output_blocks >= 16) {
133 ChaCha::chacha_avx512_x16(output, state, rounds);
134 output += 16 * 64;
135 output_blocks -= 16;
136 }
137 }
138#endif
139
140#if defined(BOTAN_HAS_CHACHA_AVX2)
142 while(output_blocks >= 8) {
143 ChaCha::chacha_avx2_x8(output, state, rounds);
144 output += 8 * 64;
145 output_blocks -= 8;
146 }
147 }
148#endif
149
150#if defined(BOTAN_HAS_CHACHA_SIMD32)
152 while(output_blocks >= 4) {
153 ChaCha::chacha_simd32_x4(output, state, rounds);
154 output += 4 * 64;
155 output_blocks -= 4;
156 }
157 }
158#endif
159
160 // TODO interleave rounds
161 for(size_t i = 0; i != output_blocks; ++i) {
162 uint32_t x00 = state[0];
163 uint32_t x01 = state[1];
164 uint32_t x02 = state[2];
165 uint32_t x03 = state[3];
166 uint32_t x04 = state[4];
167 uint32_t x05 = state[5];
168 uint32_t x06 = state[6];
169 uint32_t x07 = state[7];
170 uint32_t x08 = state[8];
171 uint32_t x09 = state[9];
172 uint32_t x10 = state[10];
173 uint32_t x11 = state[11];
174 uint32_t x12 = state[12];
175 uint32_t x13 = state[13];
176 uint32_t x14 = state[14];
177 uint32_t x15 = state[15];
178
179 for(size_t r = 0; r != rounds / 2; ++r) {
180 chacha_quarter_round(x00, x04, x08, x12);
181 chacha_quarter_round(x01, x05, x09, x13);
182 chacha_quarter_round(x02, x06, x10, x14);
183 chacha_quarter_round(x03, x07, x11, x15);
184
185 chacha_quarter_round(x00, x05, x10, x15);
186 chacha_quarter_round(x01, x06, x11, x12);
187 chacha_quarter_round(x02, x07, x08, x13);
188 chacha_quarter_round(x03, x04, x09, x14);
189 }
190
191 x00 += state[0];
192 x01 += state[1];
193 x02 += state[2];
194 x03 += state[3];
195 x04 += state[4];
196 x05 += state[5];
197 x06 += state[6];
198 x07 += state[7];
199 x08 += state[8];
200 x09 += state[9];
201 x10 += state[10];
202 x11 += state[11];
203 x12 += state[12];
204 x13 += state[13];
205 x14 += state[14];
206 x15 += state[15];
207
208 store_le(x00, output + 64 * i + 4 * 0);
209 store_le(x01, output + 64 * i + 4 * 1);
210 store_le(x02, output + 64 * i + 4 * 2);
211 store_le(x03, output + 64 * i + 4 * 3);
212 store_le(x04, output + 64 * i + 4 * 4);
213 store_le(x05, output + 64 * i + 4 * 5);
214 store_le(x06, output + 64 * i + 4 * 6);
215 store_le(x07, output + 64 * i + 4 * 7);
216 store_le(x08, output + 64 * i + 4 * 8);
217 store_le(x09, output + 64 * i + 4 * 9);
218 store_le(x10, output + 64 * i + 4 * 10);
219 store_le(x11, output + 64 * i + 4 * 11);
220 store_le(x12, output + 64 * i + 4 * 12);
221 store_le(x13, output + 64 * i + 4 * 13);
222 store_le(x14, output + 64 * i + 4 * 14);
223 store_le(x15, output + 64 * i + 4 * 15);
224
225 state[12]++;
226 if(state[12] == 0) {
227 state[13] += 1;
228 }
229 }
230}
231
232/*
233* Combine cipher stream with message
234*/
235void ChaCha::cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) {
237
238 while(length >= m_buffer.size() - m_position) {
239 const size_t available = m_buffer.size() - m_position;
240
241 xor_buf(out, in, &m_buffer[m_position], available);
242 chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
243
244 length -= available;
245 in += available;
246 out += available;
247 m_position = 0;
248 }
249
250 xor_buf(out, in, &m_buffer[m_position], length);
251
252 m_position += length;
253}
254
255void ChaCha::generate_keystream(uint8_t out[], size_t length) {
257
258 while(length >= m_buffer.size() - m_position) {
259 const size_t available = m_buffer.size() - m_position;
260
261 // TODO: this could write directly to the output buffer
262 // instead of bouncing it through m_buffer first
263 copy_mem(out, &m_buffer[m_position], available);
264 chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
265
266 length -= available;
267 out += available;
268 m_position = 0;
269 }
270
271 copy_mem(out, &m_buffer[m_position], length);
272
273 m_position += length;
274}
275
276void ChaCha::initialize_state() {
277 static const uint32_t TAU[] = {0x61707865, 0x3120646e, 0x79622d36, 0x6b206574};
278
279 static const uint32_t SIGMA[] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};
280
281 m_state[4] = m_key[0];
282 m_state[5] = m_key[1];
283 m_state[6] = m_key[2];
284 m_state[7] = m_key[3];
285
286 if(m_key.size() == 4) {
287 m_state[0] = TAU[0];
288 m_state[1] = TAU[1];
289 m_state[2] = TAU[2];
290 m_state[3] = TAU[3];
291
292 m_state[8] = m_key[0];
293 m_state[9] = m_key[1];
294 m_state[10] = m_key[2];
295 m_state[11] = m_key[3];
296 } else {
297 m_state[0] = SIGMA[0];
298 m_state[1] = SIGMA[1];
299 m_state[2] = SIGMA[2];
300 m_state[3] = SIGMA[3];
301
302 m_state[8] = m_key[4];
303 m_state[9] = m_key[5];
304 m_state[10] = m_key[6];
305 m_state[11] = m_key[7];
306 }
307
308 m_state[12] = 0;
309 m_state[13] = 0;
310 m_state[14] = 0;
311 m_state[15] = 0;
312
313 m_position = 0;
314}
315
317 return !m_state.empty();
318}
319
320size_t ChaCha::buffer_size() const {
321 return 64;
322}
323
324/*
325* ChaCha Key Schedule
326*/
327void ChaCha::key_schedule(std::span<const uint8_t> key) {
328 m_key.resize(key.size() / 4);
329 load_le<uint32_t>(m_key.data(), key.data(), m_key.size());
330
331 m_state.resize(16);
332
333 const size_t chacha_block = 64;
334 m_buffer.resize(parallelism() * chacha_block);
335
336 set_iv(nullptr, 0);
337}
338
340 return 24;
341}
342
346
347std::unique_ptr<StreamCipher> ChaCha::new_object() const {
348 return std::make_unique<ChaCha>(m_rounds);
349}
350
351bool ChaCha::valid_iv_length(size_t iv_len) const {
352 return (iv_len == 0 || iv_len == 8 || iv_len == 12 || iv_len == 24);
353}
354
355void ChaCha::set_iv_bytes(const uint8_t iv[], size_t length) {
357
358 if(!valid_iv_length(length)) {
359 throw Invalid_IV_Length(name(), length);
360 }
361
362 initialize_state();
363
364 if(length == 0) {
365 // Treat zero length IV same as an all-zero IV
366 m_state[14] = 0;
367 m_state[15] = 0;
368 } else if(length == 8) {
369 m_state[14] = load_le<uint32_t>(iv, 0);
370 m_state[15] = load_le<uint32_t>(iv, 1);
371 } else if(length == 12) {
372 m_state[13] = load_le<uint32_t>(iv, 0);
373 m_state[14] = load_le<uint32_t>(iv, 1);
374 m_state[15] = load_le<uint32_t>(iv, 2);
375 } else if(length == 24) {
376 m_state[12] = load_le<uint32_t>(iv, 0);
377 m_state[13] = load_le<uint32_t>(iv, 1);
378 m_state[14] = load_le<uint32_t>(iv, 2);
379 m_state[15] = load_le<uint32_t>(iv, 3);
380
382 hchacha(hc.data(), m_state.data(), m_rounds);
383
384 m_state[4] = hc[0];
385 m_state[5] = hc[1];
386 m_state[6] = hc[2];
387 m_state[7] = hc[3];
388 m_state[8] = hc[4];
389 m_state[9] = hc[5];
390 m_state[10] = hc[6];
391 m_state[11] = hc[7];
392 m_state[12] = 0;
393 m_state[13] = 0;
394 m_state[14] = load_le<uint32_t>(iv, 4);
395 m_state[15] = load_le<uint32_t>(iv, 5);
396 }
397
398 chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
399 m_position = 0;
400}
401
403 zap(m_key);
404 zap(m_state);
405 zap(m_buffer);
406 m_position = 0;
407}
408
409std::string ChaCha::name() const {
410 return fmt("ChaCha({})", m_rounds);
411}
412
413void ChaCha::seek(uint64_t offset) {
415
416 // Find the block offset
417 const uint64_t counter = offset / 64;
418
419 uint8_t out[8];
420
421 store_le(counter, out);
422
423 m_state[12] = load_le<uint32_t>(out, 0);
424 m_state[13] += load_le<uint32_t>(out, 1);
425
426 chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
427 m_position = offset % 64;
428}
429} // namespace Botan
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
static std::optional< std::string > check(CPUID::Feature feat)
Definition cpuid.h:67
static bool has(CPUID::Feature feat)
Definition cpuid.h:94
void clear() override
Definition chacha.cpp:402
std::string name() const override
Definition chacha.cpp:409
size_t buffer_size() const override
Definition chacha.cpp:320
std::unique_ptr< StreamCipher > new_object() const override
Definition chacha.cpp:347
Key_Length_Specification key_spec() const override
Definition chacha.cpp:343
bool valid_iv_length(size_t iv_len) const override
Definition chacha.cpp:351
size_t default_iv_length() const override
Definition chacha.cpp:339
std::string provider() const override
Definition chacha.cpp:105
ChaCha(size_t rounds=20)
Definition chacha.cpp:85
bool has_keying_material() const override
Definition chacha.cpp:316
void seek(uint64_t offset) override
Definition chacha.cpp:413
void set_iv(const uint8_t iv[], size_t iv_len)
void assert_key_material_set() const
Definition sym_algo.h:146
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:134
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:736
BOTAN_FORCE_INLINE constexpr T rotl(T input)
Definition rotate.h:23
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:495
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:342
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69