Botan  2.7.0
Crypto and TLS for C++11
salsa20.cpp
Go to the documentation of this file.
1 /*
2 * Salsa20 / XSalsa20
3 * (C) 1999-2010,2014 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/salsa20.h>
9 #include <botan/exceptn.h>
10 #include <botan/loadstor.h>
11 
12 namespace Botan {
13 
14 namespace {
15 
16 #define SALSA20_QUARTER_ROUND(x1, x2, x3, x4) \
17  do { \
18  x2 ^= rotl<7>(x1 + x4); \
19  x3 ^= rotl<9>(x2 + x1); \
20  x4 ^= rotl<13>(x3 + x2); \
21  x1 ^= rotl<18>(x4 + x3); \
22  } while(0)
23 
24 /*
25 * Generate HSalsa20 cipher stream (for XSalsa20 IV setup)
26 */
27 void hsalsa20(uint32_t output[8], const uint32_t input[16])
28  {
29  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
30  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
31  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
32  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
33 
34  for(size_t i = 0; i != 10; ++i)
35  {
36  SALSA20_QUARTER_ROUND(x00, x04, x08, x12);
37  SALSA20_QUARTER_ROUND(x05, x09, x13, x01);
38  SALSA20_QUARTER_ROUND(x10, x14, x02, x06);
39  SALSA20_QUARTER_ROUND(x15, x03, x07, x11);
40 
41  SALSA20_QUARTER_ROUND(x00, x01, x02, x03);
42  SALSA20_QUARTER_ROUND(x05, x06, x07, x04);
43  SALSA20_QUARTER_ROUND(x10, x11, x08, x09);
44  SALSA20_QUARTER_ROUND(x15, x12, x13, x14);
45  }
46 
47  output[0] = x00;
48  output[1] = x05;
49  output[2] = x10;
50  output[3] = x15;
51  output[4] = x06;
52  output[5] = x07;
53  output[6] = x08;
54  output[7] = x09;
55  }
56 
57 }
58 
59 /*
60 * Generate Salsa20 cipher stream
61 */
62 //static
63 void Salsa20::salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
64  {
65  BOTAN_ASSERT_NOMSG(rounds % 2 == 0);
66 
67  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
68  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
69  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
70  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
71 
72  for(size_t i = 0; i != rounds / 2; ++i)
73  {
74  SALSA20_QUARTER_ROUND(x00, x04, x08, x12);
75  SALSA20_QUARTER_ROUND(x05, x09, x13, x01);
76  SALSA20_QUARTER_ROUND(x10, x14, x02, x06);
77  SALSA20_QUARTER_ROUND(x15, x03, x07, x11);
78 
79  SALSA20_QUARTER_ROUND(x00, x01, x02, x03);
80  SALSA20_QUARTER_ROUND(x05, x06, x07, x04);
81  SALSA20_QUARTER_ROUND(x10, x11, x08, x09);
82  SALSA20_QUARTER_ROUND(x15, x12, x13, x14);
83  }
84 
85  store_le(x00 + input[ 0], output + 4 * 0);
86  store_le(x01 + input[ 1], output + 4 * 1);
87  store_le(x02 + input[ 2], output + 4 * 2);
88  store_le(x03 + input[ 3], output + 4 * 3);
89  store_le(x04 + input[ 4], output + 4 * 4);
90  store_le(x05 + input[ 5], output + 4 * 5);
91  store_le(x06 + input[ 6], output + 4 * 6);
92  store_le(x07 + input[ 7], output + 4 * 7);
93  store_le(x08 + input[ 8], output + 4 * 8);
94  store_le(x09 + input[ 9], output + 4 * 9);
95  store_le(x10 + input[10], output + 4 * 10);
96  store_le(x11 + input[11], output + 4 * 11);
97  store_le(x12 + input[12], output + 4 * 12);
98  store_le(x13 + input[13], output + 4 * 13);
99  store_le(x14 + input[14], output + 4 * 14);
100  store_le(x15 + input[15], output + 4 * 15);
101  }
102 
103 #undef SALSA20_QUARTER_ROUND
104 
105 /*
106 * Combine cipher stream with message
107 */
108 void Salsa20::cipher(const uint8_t in[], uint8_t out[], size_t length)
109  {
110  verify_key_set(m_state.empty() == false);
111 
112  while(length >= m_buffer.size() - m_position)
113  {
114  xor_buf(out, in, &m_buffer[m_position], m_buffer.size() - m_position);
115  length -= (m_buffer.size() - m_position);
116  in += (m_buffer.size() - m_position);
117  out += (m_buffer.size() - m_position);
118  salsa_core(m_buffer.data(), m_state.data(), 20);
119 
120  ++m_state[8];
121  m_state[9] += (m_state[8] == 0);
122 
123  m_position = 0;
124  }
125 
126  xor_buf(out, in, &m_buffer[m_position], length);
127 
128  m_position += length;
129  }
130 
131 /*
132 * Salsa20 Key Schedule
133 */
134 void Salsa20::key_schedule(const uint8_t key[], size_t length)
135  {
136  static const uint32_t TAU[] =
137  { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
138 
139  static const uint32_t SIGMA[] =
140  { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
141 
142  const uint32_t* CONSTANTS = (length == 16) ? TAU : SIGMA;
143 
144  m_state.resize(16);
145  m_buffer.resize(64);
146 
147  m_state[0] = CONSTANTS[0];
148  m_state[5] = CONSTANTS[1];
149  m_state[10] = CONSTANTS[2];
150  m_state[15] = CONSTANTS[3];
151 
152  m_state[1] = load_le<uint32_t>(key, 0);
153  m_state[2] = load_le<uint32_t>(key, 1);
154  m_state[3] = load_le<uint32_t>(key, 2);
155  m_state[4] = load_le<uint32_t>(key, 3);
156 
157  if(length == 32)
158  key += 16;
159 
160  m_state[11] = load_le<uint32_t>(key, 0);
161  m_state[12] = load_le<uint32_t>(key, 1);
162  m_state[13] = load_le<uint32_t>(key, 2);
163  m_state[14] = load_le<uint32_t>(key, 3);
164 
165  m_position = 0;
166 
167  set_iv(nullptr, 0); // all-zero IV
168  }
169 
170 /*
171 * Set the Salsa IV
172 */
173 void Salsa20::set_iv(const uint8_t iv[], size_t length)
174  {
175  if(!valid_iv_length(length))
176  throw Invalid_IV_Length(name(), length);
177 
178  if(length == 0)
179  {
180  // Salsa20 null IV
181  m_state[6] = 0;
182  m_state[7] = 0;
183  }
184  else if(length == 8)
185  {
186  // Salsa20
187  m_state[6] = load_le<uint32_t>(iv, 0);
188  m_state[7] = load_le<uint32_t>(iv, 1);
189  }
190  else
191  {
192  // XSalsa20
193  m_state[6] = load_le<uint32_t>(iv, 0);
194  m_state[7] = load_le<uint32_t>(iv, 1);
195  m_state[8] = load_le<uint32_t>(iv, 2);
196  m_state[9] = load_le<uint32_t>(iv, 3);
197 
198  secure_vector<uint32_t> hsalsa(8);
199  hsalsa20(hsalsa.data(), m_state.data());
200 
201  m_state[ 1] = hsalsa[0];
202  m_state[ 2] = hsalsa[1];
203  m_state[ 3] = hsalsa[2];
204  m_state[ 4] = hsalsa[3];
205  m_state[ 6] = load_le<uint32_t>(iv, 4);
206  m_state[ 7] = load_le<uint32_t>(iv, 5);
207  m_state[11] = hsalsa[4];
208  m_state[12] = hsalsa[5];
209  m_state[13] = hsalsa[6];
210  m_state[14] = hsalsa[7];
211  }
212 
213  m_state[8] = 0;
214  m_state[9] = 0;
215 
216  salsa_core(m_buffer.data(), m_state.data(), 20);
217  ++m_state[8];
218  m_state[9] += (m_state[8] == 0);
219 
220  m_position = 0;
221  }
222 
223 /*
224 * Return the name of this type
225 */
226 std::string Salsa20::name() const
227  {
228  return "Salsa20";
229  }
230 
231 /*
232 * Clear memory of sensitive data
233 */
235  {
236  zap(m_state);
237  zap(m_buffer);
238  m_position = 0;
239  }
240 
241 void Salsa20::seek(uint64_t offset)
242  {
243  verify_key_set(m_state.empty() == false);
244 
245  // Find the block offset
246  const uint64_t counter = offset / 64;
247  uint8_t counter8[8];
248  store_le(counter, counter8);
249 
250  m_state[8] = load_le<uint32_t>(counter8, 0);
251  m_state[9] += load_le<uint32_t>(counter8, 1);
252 
253  salsa_core(m_buffer.data(), m_state.data(), 20);
254 
255  ++m_state[8];
256  m_state[9] += (m_state[8] == 0);
257 
258  m_position = offset % 64;
259  }
260 }
void verify_key_set(bool cond) const
Definition: sym_algo.h:89
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:193
std::string name() const override
Definition: salsa20.cpp:226
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:196
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:56
void seek(uint64_t offset) override
Definition: salsa20.cpp:241
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:174
#define SALSA20_QUARTER_ROUND(x1, x2, x3, x4)
Definition: salsa20.cpp:16
Definition: alg_id.cpp:13
static void salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
Definition: salsa20.cpp:63
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
bool valid_iv_length(size_t iv_len) const override
Definition: salsa20.h:25
void clear() override
Definition: salsa20.cpp:234
void set_iv(const uint8_t iv[], size_t iv_len) override
Definition: salsa20.cpp:173
void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:450
void cipher(const uint8_t in[], uint8_t out[], size_t length) override
Definition: salsa20.cpp:108