Botan 3.6.1
Crypto and TLS for C&
salsa20.cpp
Go to the documentation of this file.
1/*
2* Salsa20 / XSalsa20
3* (C) 1999-2010,2014 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/salsa20.h>
9
10#include <botan/exceptn.h>
11#include <botan/internal/loadstor.h>
12#include <botan/internal/rotate.h>
13
14namespace Botan {
15
16namespace {
17
18inline void salsa20_quarter_round(uint32_t& x1, uint32_t& x2, uint32_t& x3, uint32_t& x4) {
19 x2 ^= rotl<7>(x1 + x4);
20 x3 ^= rotl<9>(x2 + x1);
21 x4 ^= rotl<13>(x3 + x2);
22 x1 ^= rotl<18>(x4 + x3);
23}
24
25} // namespace
26
27/*
28* Generate HSalsa20 cipher stream (for XSalsa20 IV setup)
29*/
30//static
31void Salsa20::hsalsa20(uint32_t output[8], const uint32_t input[16]) {
32 uint32_t x00 = input[0], x01 = input[1], x02 = input[2], x03 = input[3], x04 = input[4], x05 = input[5],
33 x06 = input[6], x07 = input[7], x08 = input[8], x09 = input[9], x10 = input[10], x11 = input[11],
34 x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
35
36 for(size_t i = 0; i != 10; ++i) {
37 salsa20_quarter_round(x00, x04, x08, x12);
38 salsa20_quarter_round(x05, x09, x13, x01);
39 salsa20_quarter_round(x10, x14, x02, x06);
40 salsa20_quarter_round(x15, x03, x07, x11);
41
42 salsa20_quarter_round(x00, x01, x02, x03);
43 salsa20_quarter_round(x05, x06, x07, x04);
44 salsa20_quarter_round(x10, x11, x08, x09);
45 salsa20_quarter_round(x15, x12, x13, x14);
46 }
47
48 output[0] = x00;
49 output[1] = x05;
50 output[2] = x10;
51 output[3] = x15;
52 output[4] = x06;
53 output[5] = x07;
54 output[6] = x08;
55 output[7] = x09;
56}
57
58/*
59* Generate Salsa20 cipher stream
60*/
61//static
62void Salsa20::salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds) {
63 BOTAN_ASSERT_NOMSG(rounds % 2 == 0);
64
65 uint32_t x00 = input[0], x01 = input[1], x02 = input[2], x03 = input[3], x04 = input[4], x05 = input[5],
66 x06 = input[6], x07 = input[7], x08 = input[8], x09 = input[9], x10 = input[10], x11 = input[11],
67 x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
68
69 for(size_t i = 0; i != rounds / 2; ++i) {
70 salsa20_quarter_round(x00, x04, x08, x12);
71 salsa20_quarter_round(x05, x09, x13, x01);
72 salsa20_quarter_round(x10, x14, x02, x06);
73 salsa20_quarter_round(x15, x03, x07, x11);
74
75 salsa20_quarter_round(x00, x01, x02, x03);
76 salsa20_quarter_round(x05, x06, x07, x04);
77 salsa20_quarter_round(x10, x11, x08, x09);
78 salsa20_quarter_round(x15, x12, x13, x14);
79 }
80
81 store_le(x00 + input[0], output + 4 * 0);
82 store_le(x01 + input[1], output + 4 * 1);
83 store_le(x02 + input[2], output + 4 * 2);
84 store_le(x03 + input[3], output + 4 * 3);
85 store_le(x04 + input[4], output + 4 * 4);
86 store_le(x05 + input[5], output + 4 * 5);
87 store_le(x06 + input[6], output + 4 * 6);
88 store_le(x07 + input[7], output + 4 * 7);
89 store_le(x08 + input[8], output + 4 * 8);
90 store_le(x09 + input[9], output + 4 * 9);
91 store_le(x10 + input[10], output + 4 * 10);
92 store_le(x11 + input[11], output + 4 * 11);
93 store_le(x12 + input[12], output + 4 * 12);
94 store_le(x13 + input[13], output + 4 * 13);
95 store_le(x14 + input[14], output + 4 * 14);
96 store_le(x15 + input[15], output + 4 * 15);
97}
98
99/*
100* Combine cipher stream with message
101*/
102void Salsa20::cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) {
103 assert_key_material_set();
104
105 while(length >= m_buffer.size() - m_position) {
106 const size_t available = m_buffer.size() - m_position;
107
108 xor_buf(out, in, &m_buffer[m_position], available);
109 salsa_core(m_buffer.data(), m_state.data(), 20);
110
111 ++m_state[8];
112 m_state[9] += (m_state[8] == 0);
113
114 length -= available;
115 in += available;
116 out += available;
117
118 m_position = 0;
119 }
120
121 xor_buf(out, in, &m_buffer[m_position], length);
122
123 m_position += length;
124}
125
126void Salsa20::initialize_state() {
127 static const uint32_t TAU[] = {0x61707865, 0x3120646e, 0x79622d36, 0x6b206574};
128
129 static const uint32_t SIGMA[] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};
130
131 m_state[1] = m_key[0];
132 m_state[2] = m_key[1];
133 m_state[3] = m_key[2];
134 m_state[4] = m_key[3];
135
136 if(m_key.size() == 4) {
137 m_state[0] = TAU[0];
138 m_state[5] = TAU[1];
139 m_state[10] = TAU[2];
140 m_state[15] = TAU[3];
141 m_state[11] = m_key[0];
142 m_state[12] = m_key[1];
143 m_state[13] = m_key[2];
144 m_state[14] = m_key[3];
145 } else {
146 m_state[0] = SIGMA[0];
147 m_state[5] = SIGMA[1];
148 m_state[10] = SIGMA[2];
149 m_state[15] = SIGMA[3];
150 m_state[11] = m_key[4];
151 m_state[12] = m_key[5];
152 m_state[13] = m_key[6];
153 m_state[14] = m_key[7];
154 }
155
156 m_state[6] = 0;
157 m_state[7] = 0;
158 m_state[8] = 0;
159 m_state[9] = 0;
160
161 m_position = 0;
162}
163
164bool Salsa20::has_keying_material() const {
165 return !m_state.empty();
166}
167
168size_t Salsa20::buffer_size() const {
169 return 64;
170}
171
172/*
173* Salsa20 Key Schedule
174*/
175void Salsa20::key_schedule(std::span<const uint8_t> key) {
176 m_key.resize(key.size() / 4);
177 load_le<uint32_t>(m_key.data(), key.data(), m_key.size());
178
179 m_state.resize(16);
180 m_buffer.resize(64);
181
182 set_iv(nullptr, 0);
183}
184
185/*
186* Set the Salsa IV
187*/
188void Salsa20::set_iv_bytes(const uint8_t iv[], size_t length) {
189 assert_key_material_set();
190
191 if(!valid_iv_length(length)) {
192 throw Invalid_IV_Length(name(), length);
193 }
194
195 initialize_state();
196
197 if(length == 0) {
198 // Salsa20 null IV
199 m_state[6] = 0;
200 m_state[7] = 0;
201 } else if(length == 8) {
202 // Salsa20
203 m_state[6] = load_le<uint32_t>(iv, 0);
204 m_state[7] = load_le<uint32_t>(iv, 1);
205 } else {
206 // XSalsa20
207 m_state[6] = load_le<uint32_t>(iv, 0);
208 m_state[7] = load_le<uint32_t>(iv, 1);
209 m_state[8] = load_le<uint32_t>(iv, 2);
210 m_state[9] = load_le<uint32_t>(iv, 3);
211
212 secure_vector<uint32_t> hsalsa(8);
213 hsalsa20(hsalsa.data(), m_state.data());
214
215 m_state[1] = hsalsa[0];
216 m_state[2] = hsalsa[1];
217 m_state[3] = hsalsa[2];
218 m_state[4] = hsalsa[3];
219 m_state[6] = load_le<uint32_t>(iv, 4);
220 m_state[7] = load_le<uint32_t>(iv, 5);
221 m_state[11] = hsalsa[4];
222 m_state[12] = hsalsa[5];
223 m_state[13] = hsalsa[6];
224 m_state[14] = hsalsa[7];
225 }
226
227 m_state[8] = 0;
228 m_state[9] = 0;
229
230 salsa_core(m_buffer.data(), m_state.data(), 20);
231 ++m_state[8];
232 m_state[9] += (m_state[8] == 0);
233
234 m_position = 0;
235}
236
237bool Salsa20::valid_iv_length(size_t iv_len) const {
238 return (iv_len == 0 || iv_len == 8 || iv_len == 24);
239}
240
241size_t Salsa20::default_iv_length() const {
242 return 24;
243}
244
248
249std::unique_ptr<StreamCipher> Salsa20::new_object() const {
250 return std::make_unique<Salsa20>();
251}
252
253std::string Salsa20::name() const {
254 return "Salsa20";
255}
256
257/*
258* Clear memory of sensitive data
259*/
260void Salsa20::clear() {
261 zap(m_key);
262 zap(m_state);
263 zap(m_buffer);
264 m_position = 0;
265}
266
267void Salsa20::seek(uint64_t offset) {
268 assert_key_material_set();
269
270 // Find the block offset
271 const uint64_t counter = offset / 64;
272 uint8_t counter8[8];
273 store_le(counter, counter8);
274
275 m_state[8] = load_le<uint32_t>(counter8, 0);
276 m_state[9] += load_le<uint32_t>(counter8, 1);
277
278 salsa_core(m_buffer.data(), m_state.data(), 20);
279
280 ++m_state[8];
281 m_state[9] += (m_state[8] == 0);
282
283 m_position = offset % 64;
284}
285} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
Botan::Invalid_IV_Length
Definition exceptn.h:163
Botan::Key_Length_Specification
Definition sym_algo.h:21
Botan::Salsa20::seek
void seek(uint64_t offset) override
Definition salsa20.cpp:267
Botan::Salsa20::has_keying_material
bool has_keying_material() const override
Definition salsa20.cpp:164
Botan::Salsa20::clear
void clear() override
Definition salsa20.cpp:260
Botan::Salsa20::buffer_size
size_t buffer_size() const override
Definition salsa20.cpp:168
Botan::Salsa20::set_iv_bytes
void set_iv_bytes(const uint8_t iv[], size_t iv_len) override
Definition salsa20.cpp:188
Botan::Salsa20::cipher_bytes
void cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) override
Definition salsa20.cpp:102
Botan::Salsa20::hsalsa20
static void hsalsa20(uint32_t output[8], const uint32_t input[16])
Definition salsa20.cpp:31
Botan::Salsa20::valid_iv_length
bool valid_iv_length(size_t iv_len) const override
Definition salsa20.cpp:237
Botan::Salsa20::default_iv_length
size_t default_iv_length() const override
Definition salsa20.cpp:241
Botan::Salsa20::salsa_core
static void salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
Definition salsa20.cpp:62
Botan::Salsa20::new_object
std::unique_ptr< StreamCipher > new_object() const override
Definition salsa20.cpp:249
Botan::Salsa20::name
std::string name() const override
Definition salsa20.cpp:253
Botan::Salsa20::key_spec
Key_Length_Specification key_spec() const override
Definition salsa20.cpp:245
Botan::StreamCipher::set_iv
void set_iv(const uint8_t iv[], size_t iv_len)
Definition stream_cipher.h:171
Botan::SymmetricAlgorithm::assert_key_material_set
void assert_key_material_set() const
Definition sym_algo.h:139
Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:117
Botan::rotl
constexpr T rotl(T input)
Definition rotate.h:21
Botan::store_le
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:764
Botan::load_le
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:521
Botan::xor_buf
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:341
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Generated by doxygen 1.12.0