Botan 3.9.0
Crypto and TLS for C&
salsa20.cpp
Go to the documentation of this file.
1/*
2* Salsa20 / XSalsa20
3* (C) 1999-2010,2014 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/salsa20.h>
9
10#include <botan/exceptn.h>
11#include <botan/internal/loadstor.h>
12#include <botan/internal/rotate.h>
13
14namespace Botan {
15
16namespace {
17
18inline void salsa20_quarter_round(uint32_t& x1, uint32_t& x2, uint32_t& x3, uint32_t& x4) {
19 x2 ^= rotl<7>(x1 + x4);
20 x3 ^= rotl<9>(x2 + x1);
21 x4 ^= rotl<13>(x3 + x2);
22 x1 ^= rotl<18>(x4 + x3);
23}
24
25} // namespace
26
27/*
28* Generate HSalsa20 cipher stream (for XSalsa20 IV setup)
29*/
30//static
31void Salsa20::hsalsa20(uint32_t output[8], const uint32_t input[16]) {
32 uint32_t x00 = input[0];
33 uint32_t x01 = input[1];
34 uint32_t x02 = input[2];
35 uint32_t x03 = input[3];
36 uint32_t x04 = input[4];
37 uint32_t x05 = input[5];
38 uint32_t x06 = input[6];
39 uint32_t x07 = input[7];
40 uint32_t x08 = input[8];
41 uint32_t x09 = input[9];
42 uint32_t x10 = input[10];
43 uint32_t x11 = input[11];
44 uint32_t x12 = input[12];
45 uint32_t x13 = input[13];
46 uint32_t x14 = input[14];
47 uint32_t x15 = input[15];
48
49 for(size_t i = 0; i != 10; ++i) {
50 salsa20_quarter_round(x00, x04, x08, x12);
51 salsa20_quarter_round(x05, x09, x13, x01);
52 salsa20_quarter_round(x10, x14, x02, x06);
53 salsa20_quarter_round(x15, x03, x07, x11);
54
55 salsa20_quarter_round(x00, x01, x02, x03);
56 salsa20_quarter_round(x05, x06, x07, x04);
57 salsa20_quarter_round(x10, x11, x08, x09);
58 salsa20_quarter_round(x15, x12, x13, x14);
59 }
60
61 output[0] = x00;
62 output[1] = x05;
63 output[2] = x10;
64 output[3] = x15;
65 output[4] = x06;
66 output[5] = x07;
67 output[6] = x08;
68 output[7] = x09;
69}
70
71/*
72* Generate Salsa20 cipher stream
73*/
74//static
75void Salsa20::salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds) {
76 BOTAN_ASSERT_NOMSG(rounds % 2 == 0);
77
78 uint32_t x00 = input[0];
79 uint32_t x01 = input[1];
80 uint32_t x02 = input[2];
81 uint32_t x03 = input[3];
82 uint32_t x04 = input[4];
83 uint32_t x05 = input[5];
84 uint32_t x06 = input[6];
85 uint32_t x07 = input[7];
86 uint32_t x08 = input[8];
87 uint32_t x09 = input[9];
88 uint32_t x10 = input[10];
89 uint32_t x11 = input[11];
90 uint32_t x12 = input[12];
91 uint32_t x13 = input[13];
92 uint32_t x14 = input[14];
93 uint32_t x15 = input[15];
94
95 for(size_t i = 0; i != rounds / 2; ++i) {
96 salsa20_quarter_round(x00, x04, x08, x12);
97 salsa20_quarter_round(x05, x09, x13, x01);
98 salsa20_quarter_round(x10, x14, x02, x06);
99 salsa20_quarter_round(x15, x03, x07, x11);
100
101 salsa20_quarter_round(x00, x01, x02, x03);
102 salsa20_quarter_round(x05, x06, x07, x04);
103 salsa20_quarter_round(x10, x11, x08, x09);
104 salsa20_quarter_round(x15, x12, x13, x14);
105 }
106
107 store_le(x00 + input[0], output + 4 * 0);
108 store_le(x01 + input[1], output + 4 * 1);
109 store_le(x02 + input[2], output + 4 * 2);
110 store_le(x03 + input[3], output + 4 * 3);
111 store_le(x04 + input[4], output + 4 * 4);
112 store_le(x05 + input[5], output + 4 * 5);
113 store_le(x06 + input[6], output + 4 * 6);
114 store_le(x07 + input[7], output + 4 * 7);
115 store_le(x08 + input[8], output + 4 * 8);
116 store_le(x09 + input[9], output + 4 * 9);
117 store_le(x10 + input[10], output + 4 * 10);
118 store_le(x11 + input[11], output + 4 * 11);
119 store_le(x12 + input[12], output + 4 * 12);
120 store_le(x13 + input[13], output + 4 * 13);
121 store_le(x14 + input[14], output + 4 * 14);
122 store_le(x15 + input[15], output + 4 * 15);
123}
124
125/*
126* Combine cipher stream with message
127*/
128void Salsa20::cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) {
130
131 while(length >= m_buffer.size() - m_position) {
132 const size_t available = m_buffer.size() - m_position;
133
134 xor_buf(out, in, &m_buffer[m_position], available);
135 salsa_core(m_buffer.data(), m_state.data(), 20);
136
137 ++m_state[8];
138 if(m_state[8] == 0) {
139 m_state[9] += 1;
140 }
141
142 length -= available;
143 in += available;
144 out += available;
145
146 m_position = 0;
147 }
148
149 xor_buf(out, in, &m_buffer[m_position], length);
150
151 m_position += length;
152}
153
154void Salsa20::initialize_state() {
155 static const uint32_t TAU[] = {0x61707865, 0x3120646e, 0x79622d36, 0x6b206574};
156
157 static const uint32_t SIGMA[] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};
158
159 m_state[1] = m_key[0];
160 m_state[2] = m_key[1];
161 m_state[3] = m_key[2];
162 m_state[4] = m_key[3];
163
164 if(m_key.size() == 4) {
165 m_state[0] = TAU[0];
166 m_state[5] = TAU[1];
167 m_state[10] = TAU[2];
168 m_state[15] = TAU[3];
169 m_state[11] = m_key[0];
170 m_state[12] = m_key[1];
171 m_state[13] = m_key[2];
172 m_state[14] = m_key[3];
173 } else {
174 m_state[0] = SIGMA[0];
175 m_state[5] = SIGMA[1];
176 m_state[10] = SIGMA[2];
177 m_state[15] = SIGMA[3];
178 m_state[11] = m_key[4];
179 m_state[12] = m_key[5];
180 m_state[13] = m_key[6];
181 m_state[14] = m_key[7];
182 }
183
184 m_state[6] = 0;
185 m_state[7] = 0;
186 m_state[8] = 0;
187 m_state[9] = 0;
188
189 m_position = 0;
190}
191
193 return !m_state.empty();
194}
195
196size_t Salsa20::buffer_size() const {
197 return 64;
198}
199
200/*
201* Salsa20 Key Schedule
202*/
203void Salsa20::key_schedule(std::span<const uint8_t> key) {
204 m_key.resize(key.size() / 4);
205 load_le<uint32_t>(m_key.data(), key.data(), m_key.size());
206
207 m_state.resize(16);
208 m_buffer.resize(64);
209
210 set_iv(nullptr, 0);
211}
212
213/*
214* Set the Salsa IV
215*/
216void Salsa20::set_iv_bytes(const uint8_t iv[], size_t length) {
218
219 if(!valid_iv_length(length)) {
220 throw Invalid_IV_Length(name(), length);
221 }
222
223 initialize_state();
224
225 if(length == 0) {
226 // Salsa20 null IV
227 m_state[6] = 0;
228 m_state[7] = 0;
229 } else if(length == 8) {
230 // Salsa20
231 m_state[6] = load_le<uint32_t>(iv, 0);
232 m_state[7] = load_le<uint32_t>(iv, 1);
233 } else {
234 // XSalsa20
235 m_state[6] = load_le<uint32_t>(iv, 0);
236 m_state[7] = load_le<uint32_t>(iv, 1);
237 m_state[8] = load_le<uint32_t>(iv, 2);
238 m_state[9] = load_le<uint32_t>(iv, 3);
239
240 secure_vector<uint32_t> hsalsa(8);
241 hsalsa20(hsalsa.data(), m_state.data());
242
243 m_state[1] = hsalsa[0];
244 m_state[2] = hsalsa[1];
245 m_state[3] = hsalsa[2];
246 m_state[4] = hsalsa[3];
247 m_state[6] = load_le<uint32_t>(iv, 4);
248 m_state[7] = load_le<uint32_t>(iv, 5);
249 m_state[11] = hsalsa[4];
250 m_state[12] = hsalsa[5];
251 m_state[13] = hsalsa[6];
252 m_state[14] = hsalsa[7];
253 }
254
255 m_state[8] = 0;
256 m_state[9] = 0;
257
258 salsa_core(m_buffer.data(), m_state.data(), 20);
259 ++m_state[8];
260 if(m_state[8] == 0) {
261 m_state[9] += 1;
262 }
263
264 m_position = 0;
265}
266
267bool Salsa20::valid_iv_length(size_t iv_len) const {
268 return (iv_len == 0 || iv_len == 8 || iv_len == 24);
269}
270
272 return 24;
273}
274
278
279std::unique_ptr<StreamCipher> Salsa20::new_object() const {
280 return std::make_unique<Salsa20>();
281}
282
283std::string Salsa20::name() const {
284 return "Salsa20";
285}
286
287/*
288* Clear memory of sensitive data
289*/
291 zap(m_key);
292 zap(m_state);
293 zap(m_buffer);
294 m_position = 0;
295}
296
297void Salsa20::seek(uint64_t offset) {
299
300 // Find the block offset
301 const uint64_t counter = offset / 64;
302 uint8_t counter8[8];
303 store_le(counter, counter8);
304
305 m_state[8] = load_le<uint32_t>(counter8, 0);
306 m_state[9] += load_le<uint32_t>(counter8, 1);
307
308 salsa_core(m_buffer.data(), m_state.data(), 20);
309
310 ++m_state[8];
311 if(m_state[8] == 0) {
312 m_state[9] += 1;
313 }
314
315 m_position = offset % 64;
316}
317} // namespace Botan
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
void seek(uint64_t offset) override
Definition salsa20.cpp:297
bool has_keying_material() const override
Definition salsa20.cpp:192
void clear() override
Definition salsa20.cpp:290
size_t buffer_size() const override
Definition salsa20.cpp:196
void set_iv_bytes(const uint8_t iv[], size_t iv_len) override
Definition salsa20.cpp:216
void cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) override
Definition salsa20.cpp:128
static void hsalsa20(uint32_t output[8], const uint32_t input[16])
Definition salsa20.cpp:31
bool valid_iv_length(size_t iv_len) const override
Definition salsa20.cpp:267
size_t default_iv_length() const override
Definition salsa20.cpp:271
static void salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
Definition salsa20.cpp:75
std::unique_ptr< StreamCipher > new_object() const override
Definition salsa20.cpp:279
std::string name() const override
Definition salsa20.cpp:283
Key_Length_Specification key_spec() const override
Definition salsa20.cpp:275
void set_iv(const uint8_t iv[], size_t iv_len)
void assert_key_material_set() const
Definition sym_algo.h:146
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:134
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:736
BOTAN_FORCE_INLINE constexpr T rotl(T input)
Definition rotate.h:23
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:495
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:342
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69