Botan  2.11.0
Crypto and TLS for C++11
salsa20.cpp
Go to the documentation of this file.
1 /*
2 * Salsa20 / XSalsa20
3 * (C) 1999-2010,2014 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/salsa20.h>
9 #include <botan/exceptn.h>
10 #include <botan/loadstor.h>
11 #include <botan/rotate.h>
12 
13 namespace Botan {
14 
15 #define SALSA20_QUARTER_ROUND(x1, x2, x3, x4) \
16  do { \
17  x2 ^= rotl<7>(x1 + x4); \
18  x3 ^= rotl<9>(x2 + x1); \
19  x4 ^= rotl<13>(x3 + x2); \
20  x1 ^= rotl<18>(x4 + x3); \
21  } while(0)
22 
23 /*
24 * Generate HSalsa20 cipher stream (for XSalsa20 IV setup)
25 */
26 //static
27 void Salsa20::hsalsa20(uint32_t output[8], const uint32_t input[16])
28  {
29  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
30  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
31  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
32  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
33 
34  for(size_t i = 0; i != 10; ++i)
35  {
36  SALSA20_QUARTER_ROUND(x00, x04, x08, x12);
37  SALSA20_QUARTER_ROUND(x05, x09, x13, x01);
38  SALSA20_QUARTER_ROUND(x10, x14, x02, x06);
39  SALSA20_QUARTER_ROUND(x15, x03, x07, x11);
40 
41  SALSA20_QUARTER_ROUND(x00, x01, x02, x03);
42  SALSA20_QUARTER_ROUND(x05, x06, x07, x04);
43  SALSA20_QUARTER_ROUND(x10, x11, x08, x09);
44  SALSA20_QUARTER_ROUND(x15, x12, x13, x14);
45  }
46 
47  output[0] = x00;
48  output[1] = x05;
49  output[2] = x10;
50  output[3] = x15;
51  output[4] = x06;
52  output[5] = x07;
53  output[6] = x08;
54  output[7] = x09;
55  }
56 
57 /*
58 * Generate Salsa20 cipher stream
59 */
60 //static
61 void Salsa20::salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
62  {
63  BOTAN_ASSERT_NOMSG(rounds % 2 == 0);
64 
65  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
66  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
67  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
68  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
69 
70  for(size_t i = 0; i != rounds / 2; ++i)
71  {
72  SALSA20_QUARTER_ROUND(x00, x04, x08, x12);
73  SALSA20_QUARTER_ROUND(x05, x09, x13, x01);
74  SALSA20_QUARTER_ROUND(x10, x14, x02, x06);
75  SALSA20_QUARTER_ROUND(x15, x03, x07, x11);
76 
77  SALSA20_QUARTER_ROUND(x00, x01, x02, x03);
78  SALSA20_QUARTER_ROUND(x05, x06, x07, x04);
79  SALSA20_QUARTER_ROUND(x10, x11, x08, x09);
80  SALSA20_QUARTER_ROUND(x15, x12, x13, x14);
81  }
82 
83  store_le(x00 + input[ 0], output + 4 * 0);
84  store_le(x01 + input[ 1], output + 4 * 1);
85  store_le(x02 + input[ 2], output + 4 * 2);
86  store_le(x03 + input[ 3], output + 4 * 3);
87  store_le(x04 + input[ 4], output + 4 * 4);
88  store_le(x05 + input[ 5], output + 4 * 5);
89  store_le(x06 + input[ 6], output + 4 * 6);
90  store_le(x07 + input[ 7], output + 4 * 7);
91  store_le(x08 + input[ 8], output + 4 * 8);
92  store_le(x09 + input[ 9], output + 4 * 9);
93  store_le(x10 + input[10], output + 4 * 10);
94  store_le(x11 + input[11], output + 4 * 11);
95  store_le(x12 + input[12], output + 4 * 12);
96  store_le(x13 + input[13], output + 4 * 13);
97  store_le(x14 + input[14], output + 4 * 14);
98  store_le(x15 + input[15], output + 4 * 15);
99  }
100 
101 #undef SALSA20_QUARTER_ROUND
102 
103 /*
104 * Combine cipher stream with message
105 */
106 void Salsa20::cipher(const uint8_t in[], uint8_t out[], size_t length)
107  {
108  verify_key_set(m_state.empty() == false);
109 
110  while(length >= m_buffer.size() - m_position)
111  {
112  const size_t available = m_buffer.size() - m_position;
113 
114  xor_buf(out, in, &m_buffer[m_position], available);
115  salsa_core(m_buffer.data(), m_state.data(), 20);
116 
117  ++m_state[8];
118  m_state[9] += (m_state[8] == 0);
119 
120  length -= available;
121  in += available;
122  out += available;
123 
124  m_position = 0;
125  }
126 
127  xor_buf(out, in, &m_buffer[m_position], length);
128 
129  m_position += length;
130  }
131 
132 void Salsa20::initialize_state()
133  {
134  static const uint32_t TAU[] =
135  { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
136 
137  static const uint32_t SIGMA[] =
138  { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
139 
140  m_state[1] = m_key[0];
141  m_state[2] = m_key[1];
142  m_state[3] = m_key[2];
143  m_state[4] = m_key[3];
144 
145  if(m_key.size() == 4)
146  {
147  m_state[0] = TAU[0];
148  m_state[5] = TAU[1];
149  m_state[10] = TAU[2];
150  m_state[15] = TAU[3];
151  m_state[11] = m_key[0];
152  m_state[12] = m_key[1];
153  m_state[13] = m_key[2];
154  m_state[14] = m_key[3];
155  }
156  else
157  {
158  m_state[0] = SIGMA[0];
159  m_state[5] = SIGMA[1];
160  m_state[10] = SIGMA[2];
161  m_state[15] = SIGMA[3];
162  m_state[11] = m_key[4];
163  m_state[12] = m_key[5];
164  m_state[13] = m_key[6];
165  m_state[14] = m_key[7];
166  }
167 
168  m_state[6] = 0;
169  m_state[7] = 0;
170  m_state[8] = 0;
171  m_state[9] = 0;
172 
173  m_position = 0;
174  }
175 
176 /*
177 * Salsa20 Key Schedule
178 */
179 void Salsa20::key_schedule(const uint8_t key[], size_t length)
180  {
181  m_key.resize(length / 4);
182  load_le<uint32_t>(m_key.data(), key, m_key.size());
183 
184  m_state.resize(16);
185  m_buffer.resize(64);
186 
187  set_iv(nullptr, 0);
188  }
189 
190 /*
191 * Set the Salsa IV
192 */
193 void Salsa20::set_iv(const uint8_t iv[], size_t length)
194  {
195  verify_key_set(m_state.empty() == false);
196 
197  if(!valid_iv_length(length))
198  throw Invalid_IV_Length(name(), length);
199 
200  initialize_state();
201 
202  if(length == 0)
203  {
204  // Salsa20 null IV
205  m_state[6] = 0;
206  m_state[7] = 0;
207  }
208  else if(length == 8)
209  {
210  // Salsa20
211  m_state[6] = load_le<uint32_t>(iv, 0);
212  m_state[7] = load_le<uint32_t>(iv, 1);
213  }
214  else
215  {
216  // XSalsa20
217  m_state[6] = load_le<uint32_t>(iv, 0);
218  m_state[7] = load_le<uint32_t>(iv, 1);
219  m_state[8] = load_le<uint32_t>(iv, 2);
220  m_state[9] = load_le<uint32_t>(iv, 3);
221 
222  secure_vector<uint32_t> hsalsa(8);
223  hsalsa20(hsalsa.data(), m_state.data());
224 
225  m_state[ 1] = hsalsa[0];
226  m_state[ 2] = hsalsa[1];
227  m_state[ 3] = hsalsa[2];
228  m_state[ 4] = hsalsa[3];
229  m_state[ 6] = load_le<uint32_t>(iv, 4);
230  m_state[ 7] = load_le<uint32_t>(iv, 5);
231  m_state[11] = hsalsa[4];
232  m_state[12] = hsalsa[5];
233  m_state[13] = hsalsa[6];
234  m_state[14] = hsalsa[7];
235  }
236 
237  m_state[8] = 0;
238  m_state[9] = 0;
239 
240  salsa_core(m_buffer.data(), m_state.data(), 20);
241  ++m_state[8];
242  m_state[9] += (m_state[8] == 0);
243 
244  m_position = 0;
245  }
246 
247 bool Salsa20::valid_iv_length(size_t iv_len) const
248  {
249  return (iv_len == 0 || iv_len == 8 || iv_len == 24);
250  }
251 
253  {
254  return 24;
255  }
256 
258  {
259  return Key_Length_Specification(16, 32, 16);
260  }
261 
263  {
264  return new Salsa20;
265  }
266 
267 std::string Salsa20::name() const
268  {
269  return "Salsa20";
270  }
271 
272 /*
273 * Clear memory of sensitive data
274 */
276  {
277  zap(m_key);
278  zap(m_state);
279  zap(m_buffer);
280  m_position = 0;
281  }
282 
283 void Salsa20::seek(uint64_t offset)
284  {
285  verify_key_set(m_state.empty() == false);
286 
287  // Find the block offset
288  const uint64_t counter = offset / 64;
289  uint8_t counter8[8];
290  store_le(counter, counter8);
291 
292  m_state[8] = load_le<uint32_t>(counter8, 0);
293  m_state[9] += load_le<uint32_t>(counter8, 1);
294 
295  salsa_core(m_buffer.data(), m_state.data(), 20);
296 
297  ++m_state[8];
298  m_state[9] += (m_state[8] == 0);
299 
300  m_position = offset % 64;
301  }
302 }
void verify_key_set(bool cond) const
Definition: sym_algo.h:89
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:170
std::string name() const override
Definition: salsa20.cpp:267
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:196
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
void seek(uint64_t offset) override
Definition: salsa20.cpp:283
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:202
#define SALSA20_QUARTER_ROUND(x1, x2, x3, x4)
Definition: salsa20.cpp:15
static void hsalsa20(uint32_t output[8], const uint32_t input[16])
Definition: salsa20.cpp:27
Definition: alg_id.cpp:13
size_t default_iv_length() const override
Definition: salsa20.cpp:252
StreamCipher * clone() const override
Definition: salsa20.cpp:262
static void salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
Definition: salsa20.cpp:61
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
bool valid_iv_length(size_t iv_len) const override
Definition: salsa20.cpp:247
void clear() override
Definition: salsa20.cpp:275
Key_Length_Specification key_spec() const override
Definition: salsa20.cpp:257
void set_iv(const uint8_t iv[], size_t iv_len) override
Definition: salsa20.cpp:193
void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:452
void cipher(const uint8_t in[], uint8_t out[], size_t length) override
Definition: salsa20.cpp:106