Botan 2.19.2
Crypto and TLS for C&
salsa20.cpp
Go to the documentation of this file.
1/*
2* Salsa20 / XSalsa20
3* (C) 1999-2010,2014 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/salsa20.h>
9#include <botan/exceptn.h>
10#include <botan/loadstor.h>
11#include <botan/rotate.h>
12
13namespace Botan {
14
15#define SALSA20_QUARTER_ROUND(x1, x2, x3, x4) \
16 do { \
17 x2 ^= rotl<7>(x1 + x4); \
18 x3 ^= rotl<9>(x2 + x1); \
19 x4 ^= rotl<13>(x3 + x2); \
20 x1 ^= rotl<18>(x4 + x3); \
21 } while(0)
22
23/*
24* Generate HSalsa20 cipher stream (for XSalsa20 IV setup)
25*/
26//static
27void Salsa20::hsalsa20(uint32_t output[8], const uint32_t input[16])
28 {
29 uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
30 x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
31 x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
32 x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
33
34 for(size_t i = 0; i != 10; ++i)
35 {
36 SALSA20_QUARTER_ROUND(x00, x04, x08, x12);
37 SALSA20_QUARTER_ROUND(x05, x09, x13, x01);
38 SALSA20_QUARTER_ROUND(x10, x14, x02, x06);
39 SALSA20_QUARTER_ROUND(x15, x03, x07, x11);
40
41 SALSA20_QUARTER_ROUND(x00, x01, x02, x03);
42 SALSA20_QUARTER_ROUND(x05, x06, x07, x04);
43 SALSA20_QUARTER_ROUND(x10, x11, x08, x09);
44 SALSA20_QUARTER_ROUND(x15, x12, x13, x14);
45 }
46
47 output[0] = x00;
48 output[1] = x05;
49 output[2] = x10;
50 output[3] = x15;
51 output[4] = x06;
52 output[5] = x07;
53 output[6] = x08;
54 output[7] = x09;
55 }
56
57/*
58* Generate Salsa20 cipher stream
59*/
60//static
61void Salsa20::salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
62 {
63 BOTAN_ASSERT_NOMSG(rounds % 2 == 0);
64
65 uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
66 x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
67 x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
68 x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
69
70 for(size_t i = 0; i != rounds / 2; ++i)
71 {
72 SALSA20_QUARTER_ROUND(x00, x04, x08, x12);
73 SALSA20_QUARTER_ROUND(x05, x09, x13, x01);
74 SALSA20_QUARTER_ROUND(x10, x14, x02, x06);
75 SALSA20_QUARTER_ROUND(x15, x03, x07, x11);
76
77 SALSA20_QUARTER_ROUND(x00, x01, x02, x03);
78 SALSA20_QUARTER_ROUND(x05, x06, x07, x04);
79 SALSA20_QUARTER_ROUND(x10, x11, x08, x09);
80 SALSA20_QUARTER_ROUND(x15, x12, x13, x14);
81 }
82
83 store_le(x00 + input[ 0], output + 4 * 0);
84 store_le(x01 + input[ 1], output + 4 * 1);
85 store_le(x02 + input[ 2], output + 4 * 2);
86 store_le(x03 + input[ 3], output + 4 * 3);
87 store_le(x04 + input[ 4], output + 4 * 4);
88 store_le(x05 + input[ 5], output + 4 * 5);
89 store_le(x06 + input[ 6], output + 4 * 6);
90 store_le(x07 + input[ 7], output + 4 * 7);
91 store_le(x08 + input[ 8], output + 4 * 8);
92 store_le(x09 + input[ 9], output + 4 * 9);
93 store_le(x10 + input[10], output + 4 * 10);
94 store_le(x11 + input[11], output + 4 * 11);
95 store_le(x12 + input[12], output + 4 * 12);
96 store_le(x13 + input[13], output + 4 * 13);
97 store_le(x14 + input[14], output + 4 * 14);
98 store_le(x15 + input[15], output + 4 * 15);
99 }
100
101#undef SALSA20_QUARTER_ROUND
102
103/*
104* Combine cipher stream with message
105*/
106void Salsa20::cipher(const uint8_t in[], uint8_t out[], size_t length)
107 {
108 verify_key_set(m_state.empty() == false);
109
110 while(length >= m_buffer.size() - m_position)
111 {
112 const size_t available = m_buffer.size() - m_position;
113
114 xor_buf(out, in, &m_buffer[m_position], available);
115 salsa_core(m_buffer.data(), m_state.data(), 20);
116
117 ++m_state[8];
118 m_state[9] += (m_state[8] == 0);
119
120 length -= available;
121 in += available;
122 out += available;
123
124 m_position = 0;
125 }
126
127 xor_buf(out, in, &m_buffer[m_position], length);
128
129 m_position += length;
130 }
131
132void Salsa20::initialize_state()
133 {
134 static const uint32_t TAU[] =
135 { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
136
137 static const uint32_t SIGMA[] =
138 { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
139
140 m_state[1] = m_key[0];
141 m_state[2] = m_key[1];
142 m_state[3] = m_key[2];
143 m_state[4] = m_key[3];
144
145 if(m_key.size() == 4)
146 {
147 m_state[0] = TAU[0];
148 m_state[5] = TAU[1];
149 m_state[10] = TAU[2];
150 m_state[15] = TAU[3];
151 m_state[11] = m_key[0];
152 m_state[12] = m_key[1];
153 m_state[13] = m_key[2];
154 m_state[14] = m_key[3];
155 }
156 else
157 {
158 m_state[0] = SIGMA[0];
159 m_state[5] = SIGMA[1];
160 m_state[10] = SIGMA[2];
161 m_state[15] = SIGMA[3];
162 m_state[11] = m_key[4];
163 m_state[12] = m_key[5];
164 m_state[13] = m_key[6];
165 m_state[14] = m_key[7];
166 }
167
168 m_state[6] = 0;
169 m_state[7] = 0;
170 m_state[8] = 0;
171 m_state[9] = 0;
172
173 m_position = 0;
174 }
175
176/*
177* Salsa20 Key Schedule
178*/
179void Salsa20::key_schedule(const uint8_t key[], size_t length)
180 {
181 m_key.resize(length / 4);
182 load_le<uint32_t>(m_key.data(), key, m_key.size());
183
184 m_state.resize(16);
185 m_buffer.resize(64);
186
187 set_iv(nullptr, 0);
188 }
189
190/*
191* Set the Salsa IV
192*/
193void Salsa20::set_iv(const uint8_t iv[], size_t length)
194 {
195 verify_key_set(m_state.empty() == false);
196
197 if(!valid_iv_length(length))
198 throw Invalid_IV_Length(name(), length);
199
200 initialize_state();
201
202 if(length == 0)
203 {
204 // Salsa20 null IV
205 m_state[6] = 0;
206 m_state[7] = 0;
207 }
208 else if(length == 8)
209 {
210 // Salsa20
211 m_state[6] = load_le<uint32_t>(iv, 0);
212 m_state[7] = load_le<uint32_t>(iv, 1);
213 }
214 else
215 {
216 // XSalsa20
217 m_state[6] = load_le<uint32_t>(iv, 0);
218 m_state[7] = load_le<uint32_t>(iv, 1);
219 m_state[8] = load_le<uint32_t>(iv, 2);
220 m_state[9] = load_le<uint32_t>(iv, 3);
221
222 secure_vector<uint32_t> hsalsa(8);
223 hsalsa20(hsalsa.data(), m_state.data());
224
225 m_state[ 1] = hsalsa[0];
226 m_state[ 2] = hsalsa[1];
227 m_state[ 3] = hsalsa[2];
228 m_state[ 4] = hsalsa[3];
229 m_state[ 6] = load_le<uint32_t>(iv, 4);
230 m_state[ 7] = load_le<uint32_t>(iv, 5);
231 m_state[11] = hsalsa[4];
232 m_state[12] = hsalsa[5];
233 m_state[13] = hsalsa[6];
234 m_state[14] = hsalsa[7];
235 }
236
237 m_state[8] = 0;
238 m_state[9] = 0;
239
240 salsa_core(m_buffer.data(), m_state.data(), 20);
241 ++m_state[8];
242 m_state[9] += (m_state[8] == 0);
243
244 m_position = 0;
245 }
246
247bool Salsa20::valid_iv_length(size_t iv_len) const
248 {
249 return (iv_len == 0 || iv_len == 8 || iv_len == 24);
250 }
251
253 {
254 return 24;
255 }
256
258 {
259 return Key_Length_Specification(16, 32, 16);
260 }
261
263 {
264 return new Salsa20;
265 }
266
267std::string Salsa20::name() const
268 {
269 return "Salsa20";
270 }
271
272/*
273* Clear memory of sensitive data
274*/
276 {
277 zap(m_key);
278 zap(m_state);
279 zap(m_buffer);
280 m_position = 0;
281 }
282
283void Salsa20::seek(uint64_t offset)
284 {
285 verify_key_set(m_state.empty() == false);
286
287 // Find the block offset
288 const uint64_t counter = offset / 64;
289 uint8_t counter8[8];
290 store_le(counter, counter8);
291
292 m_state[8] = load_le<uint32_t>(counter8, 0);
293 m_state[9] += load_le<uint32_t>(counter8, 1);
294
295 salsa_core(m_buffer.data(), m_state.data(), 20);
296
297 ++m_state[8];
298 m_state[9] += (m_state[8] == 0);
299
300 m_position = offset % 64;
301 }
302}
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
void seek(uint64_t offset) override
Definition: salsa20.cpp:283
void clear() override
Definition: salsa20.cpp:275
static void hsalsa20(uint32_t output[8], const uint32_t input[16])
Definition: salsa20.cpp:27
StreamCipher * clone() const override
Definition: salsa20.cpp:262
bool valid_iv_length(size_t iv_len) const override
Definition: salsa20.cpp:247
size_t default_iv_length() const override
Definition: salsa20.cpp:252
static void salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
Definition: salsa20.cpp:61
void cipher(const uint8_t in[], uint8_t out[], size_t length) override
Definition: salsa20.cpp:106
std::string name() const override
Definition: salsa20.cpp:267
Key_Length_Specification key_spec() const override
Definition: salsa20.cpp:257
void set_iv(const uint8_t iv[], size_t iv_len) override
Definition: salsa20.cpp:193
void verify_key_set(bool cond) const
Definition: sym_algo.h:171
Definition: alg_id.cpp:13
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:124
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:198
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:262
void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:454
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
#define SALSA20_QUARTER_ROUND(x1, x2, x3, x4)
Definition: salsa20.cpp:15