Botan  2.4.0
Crypto and TLS for C++11
salsa20.cpp
Go to the documentation of this file.
1 /*
2 * Salsa20 / XSalsa20
3 * (C) 1999-2010,2014 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/salsa20.h>
9 #include <botan/loadstor.h>
10 
11 namespace Botan {
12 
13 namespace {
14 
15 #define SALSA20_QUARTER_ROUND(x1, x2, x3, x4) \
16  do { \
17  x2 ^= rotl<7>(x1 + x4); \
18  x3 ^= rotl<9>(x2 + x1); \
19  x4 ^= rotl<13>(x3 + x2); \
20  x1 ^= rotl<18>(x4 + x3); \
21  } while(0)
22 
23 /*
24 * Generate HSalsa20 cipher stream (for XSalsa20 IV setup)
25 */
26 void hsalsa20(uint32_t output[8], const uint32_t input[16])
27  {
28  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
29  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
30  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
31  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
32 
33  for(size_t i = 0; i != 10; ++i)
34  {
35  SALSA20_QUARTER_ROUND(x00, x04, x08, x12);
36  SALSA20_QUARTER_ROUND(x05, x09, x13, x01);
37  SALSA20_QUARTER_ROUND(x10, x14, x02, x06);
38  SALSA20_QUARTER_ROUND(x15, x03, x07, x11);
39 
40  SALSA20_QUARTER_ROUND(x00, x01, x02, x03);
41  SALSA20_QUARTER_ROUND(x05, x06, x07, x04);
42  SALSA20_QUARTER_ROUND(x10, x11, x08, x09);
43  SALSA20_QUARTER_ROUND(x15, x12, x13, x14);
44  }
45 
46  output[0] = x00;
47  output[1] = x05;
48  output[2] = x10;
49  output[3] = x15;
50  output[4] = x06;
51  output[5] = x07;
52  output[6] = x08;
53  output[7] = x09;
54  }
55 
56 /*
57 * Generate Salsa20 cipher stream
58 */
59 void salsa20(uint8_t output[64], const uint32_t input[16])
60  {
61  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
62  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
63  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
64  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
65 
66  for(size_t i = 0; i != 10; ++i)
67  {
68  SALSA20_QUARTER_ROUND(x00, x04, x08, x12);
69  SALSA20_QUARTER_ROUND(x05, x09, x13, x01);
70  SALSA20_QUARTER_ROUND(x10, x14, x02, x06);
71  SALSA20_QUARTER_ROUND(x15, x03, x07, x11);
72 
73  SALSA20_QUARTER_ROUND(x00, x01, x02, x03);
74  SALSA20_QUARTER_ROUND(x05, x06, x07, x04);
75  SALSA20_QUARTER_ROUND(x10, x11, x08, x09);
76  SALSA20_QUARTER_ROUND(x15, x12, x13, x14);
77  }
78 
79  store_le(x00 + input[ 0], output + 4 * 0);
80  store_le(x01 + input[ 1], output + 4 * 1);
81  store_le(x02 + input[ 2], output + 4 * 2);
82  store_le(x03 + input[ 3], output + 4 * 3);
83  store_le(x04 + input[ 4], output + 4 * 4);
84  store_le(x05 + input[ 5], output + 4 * 5);
85  store_le(x06 + input[ 6], output + 4 * 6);
86  store_le(x07 + input[ 7], output + 4 * 7);
87  store_le(x08 + input[ 8], output + 4 * 8);
88  store_le(x09 + input[ 9], output + 4 * 9);
89  store_le(x10 + input[10], output + 4 * 10);
90  store_le(x11 + input[11], output + 4 * 11);
91  store_le(x12 + input[12], output + 4 * 12);
92  store_le(x13 + input[13], output + 4 * 13);
93  store_le(x14 + input[14], output + 4 * 14);
94  store_le(x15 + input[15], output + 4 * 15);
95  }
96 
97 }
98 
99 #undef SALSA20_QUARTER_ROUND
100 
101 /*
102 * Combine cipher stream with message
103 */
104 void Salsa20::cipher(const uint8_t in[], uint8_t out[], size_t length)
105  {
106  verify_key_set(m_state.empty() == false);
107 
108  while(length >= m_buffer.size() - m_position)
109  {
110  xor_buf(out, in, &m_buffer[m_position], m_buffer.size() - m_position);
111  length -= (m_buffer.size() - m_position);
112  in += (m_buffer.size() - m_position);
113  out += (m_buffer.size() - m_position);
114  salsa20(m_buffer.data(), m_state.data());
115 
116  ++m_state[8];
117  m_state[9] += (m_state[8] == 0);
118 
119  m_position = 0;
120  }
121 
122  xor_buf(out, in, &m_buffer[m_position], length);
123 
124  m_position += length;
125  }
126 
127 /*
128 * Salsa20 Key Schedule
129 */
130 void Salsa20::key_schedule(const uint8_t key[], size_t length)
131  {
132  static const uint32_t TAU[] =
133  { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
134 
135  static const uint32_t SIGMA[] =
136  { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
137 
138  const uint32_t* CONSTANTS = (length == 16) ? TAU : SIGMA;
139 
140  m_state.resize(16);
141  m_buffer.resize(64);
142 
143  m_state[0] = CONSTANTS[0];
144  m_state[5] = CONSTANTS[1];
145  m_state[10] = CONSTANTS[2];
146  m_state[15] = CONSTANTS[3];
147 
148  m_state[1] = load_le<uint32_t>(key, 0);
149  m_state[2] = load_le<uint32_t>(key, 1);
150  m_state[3] = load_le<uint32_t>(key, 2);
151  m_state[4] = load_le<uint32_t>(key, 3);
152 
153  if(length == 32)
154  key += 16;
155 
156  m_state[11] = load_le<uint32_t>(key, 0);
157  m_state[12] = load_le<uint32_t>(key, 1);
158  m_state[13] = load_le<uint32_t>(key, 2);
159  m_state[14] = load_le<uint32_t>(key, 3);
160 
161  m_position = 0;
162 
163  set_iv(nullptr, 0); // all-zero IV
164  }
165 
166 /*
167 * Set the Salsa IV
168 */
169 void Salsa20::set_iv(const uint8_t iv[], size_t length)
170  {
171  if(!valid_iv_length(length))
172  throw Invalid_IV_Length(name(), length);
173 
174  if(length == 0)
175  {
176  // Salsa20 null IV
177  m_state[6] = 0;
178  m_state[7] = 0;
179  }
180  else if(length == 8)
181  {
182  // Salsa20
183  m_state[6] = load_le<uint32_t>(iv, 0);
184  m_state[7] = load_le<uint32_t>(iv, 1);
185  }
186  else
187  {
188  // XSalsa20
189  m_state[6] = load_le<uint32_t>(iv, 0);
190  m_state[7] = load_le<uint32_t>(iv, 1);
191  m_state[8] = load_le<uint32_t>(iv, 2);
192  m_state[9] = load_le<uint32_t>(iv, 3);
193 
194  secure_vector<uint32_t> hsalsa(8);
195  hsalsa20(hsalsa.data(), m_state.data());
196 
197  m_state[ 1] = hsalsa[0];
198  m_state[ 2] = hsalsa[1];
199  m_state[ 3] = hsalsa[2];
200  m_state[ 4] = hsalsa[3];
201  m_state[ 6] = load_le<uint32_t>(iv, 4);
202  m_state[ 7] = load_le<uint32_t>(iv, 5);
203  m_state[11] = hsalsa[4];
204  m_state[12] = hsalsa[5];
205  m_state[13] = hsalsa[6];
206  m_state[14] = hsalsa[7];
207  }
208 
209  m_state[8] = 0;
210  m_state[9] = 0;
211 
212  salsa20(m_buffer.data(), m_state.data());
213  ++m_state[8];
214  m_state[9] += (m_state[8] == 0);
215 
216  m_position = 0;
217  }
218 
219 /*
220 * Return the name of this type
221 */
222 std::string Salsa20::name() const
223  {
224  return "Salsa20";
225  }
226 
227 /*
228 * Clear memory of sensitive data
229 */
231  {
232  zap(m_state);
233  zap(m_buffer);
234  m_position = 0;
235  }
236 
237 void Salsa20::seek(uint64_t offset)
238  {
239  verify_key_set(m_state.empty() == false);
240 
241  // Find the block offset
242  const uint64_t counter = offset / 64;
243  uint8_t counter8[8];
244  store_le(counter, counter8);
245 
246  m_state[8] = load_le<uint32_t>(counter8, 0);
247  m_state[9] += load_le<uint32_t>(counter8, 1);
248 
249  salsa20(m_buffer.data(), m_state.data());
250 
251  ++m_state[8];
252  m_state[9] += (m_state[8] == 0);
253 
254  m_position = offset % 64;
255  }
256 }
void verify_key_set(bool cond) const
Definition: sym_algo.h:95
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:191
std::string name() const override
Definition: salsa20.cpp:222
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:196
void seek(uint64_t offset) override
Definition: salsa20.cpp:237
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:163
#define SALSA20_QUARTER_ROUND(x1, x2, x3, x4)
Definition: salsa20.cpp:15
Definition: alg_id.cpp:13
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
bool valid_iv_length(size_t iv_len) const override
Definition: salsa20.h:25
void clear() override
Definition: salsa20.cpp:230
void set_iv(const uint8_t iv[], size_t iv_len) override
Definition: salsa20.cpp:169
void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:450
void cipher(const uint8_t in[], uint8_t out[], size_t length) override
Definition: salsa20.cpp:104