Botan  2.9.0
Crypto and TLS for C++11
salsa20.cpp
Go to the documentation of this file.
1 /*
2 * Salsa20 / XSalsa20
3 * (C) 1999-2010,2014 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/salsa20.h>
9 #include <botan/exceptn.h>
10 #include <botan/loadstor.h>
11 #include <botan/rotate.h>
12 
13 namespace Botan {
14 
15 namespace {
16 
17 #define SALSA20_QUARTER_ROUND(x1, x2, x3, x4) \
18  do { \
19  x2 ^= rotl<7>(x1 + x4); \
20  x3 ^= rotl<9>(x2 + x1); \
21  x4 ^= rotl<13>(x3 + x2); \
22  x1 ^= rotl<18>(x4 + x3); \
23  } while(0)
24 
25 /*
26 * Generate HSalsa20 cipher stream (for XSalsa20 IV setup)
27 */
28 void hsalsa20(uint32_t output[8], const uint32_t input[16])
29  {
30  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
31  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
32  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
33  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
34 
35  for(size_t i = 0; i != 10; ++i)
36  {
37  SALSA20_QUARTER_ROUND(x00, x04, x08, x12);
38  SALSA20_QUARTER_ROUND(x05, x09, x13, x01);
39  SALSA20_QUARTER_ROUND(x10, x14, x02, x06);
40  SALSA20_QUARTER_ROUND(x15, x03, x07, x11);
41 
42  SALSA20_QUARTER_ROUND(x00, x01, x02, x03);
43  SALSA20_QUARTER_ROUND(x05, x06, x07, x04);
44  SALSA20_QUARTER_ROUND(x10, x11, x08, x09);
45  SALSA20_QUARTER_ROUND(x15, x12, x13, x14);
46  }
47 
48  output[0] = x00;
49  output[1] = x05;
50  output[2] = x10;
51  output[3] = x15;
52  output[4] = x06;
53  output[5] = x07;
54  output[6] = x08;
55  output[7] = x09;
56  }
57 
58 }
59 
60 /*
61 * Generate Salsa20 cipher stream
62 */
63 //static
64 void Salsa20::salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
65  {
66  BOTAN_ASSERT_NOMSG(rounds % 2 == 0);
67 
68  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
69  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
70  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
71  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
72 
73  for(size_t i = 0; i != rounds / 2; ++i)
74  {
75  SALSA20_QUARTER_ROUND(x00, x04, x08, x12);
76  SALSA20_QUARTER_ROUND(x05, x09, x13, x01);
77  SALSA20_QUARTER_ROUND(x10, x14, x02, x06);
78  SALSA20_QUARTER_ROUND(x15, x03, x07, x11);
79 
80  SALSA20_QUARTER_ROUND(x00, x01, x02, x03);
81  SALSA20_QUARTER_ROUND(x05, x06, x07, x04);
82  SALSA20_QUARTER_ROUND(x10, x11, x08, x09);
83  SALSA20_QUARTER_ROUND(x15, x12, x13, x14);
84  }
85 
86  store_le(x00 + input[ 0], output + 4 * 0);
87  store_le(x01 + input[ 1], output + 4 * 1);
88  store_le(x02 + input[ 2], output + 4 * 2);
89  store_le(x03 + input[ 3], output + 4 * 3);
90  store_le(x04 + input[ 4], output + 4 * 4);
91  store_le(x05 + input[ 5], output + 4 * 5);
92  store_le(x06 + input[ 6], output + 4 * 6);
93  store_le(x07 + input[ 7], output + 4 * 7);
94  store_le(x08 + input[ 8], output + 4 * 8);
95  store_le(x09 + input[ 9], output + 4 * 9);
96  store_le(x10 + input[10], output + 4 * 10);
97  store_le(x11 + input[11], output + 4 * 11);
98  store_le(x12 + input[12], output + 4 * 12);
99  store_le(x13 + input[13], output + 4 * 13);
100  store_le(x14 + input[14], output + 4 * 14);
101  store_le(x15 + input[15], output + 4 * 15);
102  }
103 
104 #undef SALSA20_QUARTER_ROUND
105 
106 /*
107 * Combine cipher stream with message
108 */
109 void Salsa20::cipher(const uint8_t in[], uint8_t out[], size_t length)
110  {
111  verify_key_set(m_state.empty() == false);
112 
113  while(length >= m_buffer.size() - m_position)
114  {
115  const size_t available = m_buffer.size() - m_position;
116 
117  xor_buf(out, in, &m_buffer[m_position], available);
118  salsa_core(m_buffer.data(), m_state.data(), 20);
119 
120  ++m_state[8];
121  m_state[9] += (m_state[8] == 0);
122 
123  length -= available;
124  in += available;
125  out += available;
126 
127  m_position = 0;
128  }
129 
130  xor_buf(out, in, &m_buffer[m_position], length);
131 
132  m_position += length;
133  }
134 
135 void Salsa20::initialize_state()
136  {
137  static const uint32_t TAU[] =
138  { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
139 
140  static const uint32_t SIGMA[] =
141  { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
142 
143  m_state[1] = m_key[0];
144  m_state[2] = m_key[1];
145  m_state[3] = m_key[2];
146  m_state[4] = m_key[3];
147 
148  if(m_key.size() == 4)
149  {
150  m_state[0] = TAU[0];
151  m_state[5] = TAU[1];
152  m_state[10] = TAU[2];
153  m_state[15] = TAU[3];
154  m_state[11] = m_key[0];
155  m_state[12] = m_key[1];
156  m_state[13] = m_key[2];
157  m_state[14] = m_key[3];
158  }
159  else
160  {
161  m_state[0] = SIGMA[0];
162  m_state[5] = SIGMA[1];
163  m_state[10] = SIGMA[2];
164  m_state[15] = SIGMA[3];
165  m_state[11] = m_key[4];
166  m_state[12] = m_key[5];
167  m_state[13] = m_key[6];
168  m_state[14] = m_key[7];
169  }
170 
171  m_state[6] = 0;
172  m_state[7] = 0;
173  m_state[8] = 0;
174  m_state[9] = 0;
175 
176  m_position = 0;
177  }
178 
179 /*
180 * Salsa20 Key Schedule
181 */
182 void Salsa20::key_schedule(const uint8_t key[], size_t length)
183  {
184  m_key.resize(length / 4);
185  load_le<uint32_t>(m_key.data(), key, m_key.size());
186 
187  m_state.resize(16);
188  m_buffer.resize(64);
189 
190  set_iv(nullptr, 0);
191  }
192 
193 /*
194 * Set the Salsa IV
195 */
196 void Salsa20::set_iv(const uint8_t iv[], size_t length)
197  {
198  verify_key_set(m_state.empty() == false);
199 
200  if(!valid_iv_length(length))
201  throw Invalid_IV_Length(name(), length);
202 
203  initialize_state();
204 
205  if(length == 0)
206  {
207  // Salsa20 null IV
208  m_state[6] = 0;
209  m_state[7] = 0;
210  }
211  else if(length == 8)
212  {
213  // Salsa20
214  m_state[6] = load_le<uint32_t>(iv, 0);
215  m_state[7] = load_le<uint32_t>(iv, 1);
216  }
217  else
218  {
219  // XSalsa20
220  m_state[6] = load_le<uint32_t>(iv, 0);
221  m_state[7] = load_le<uint32_t>(iv, 1);
222  m_state[8] = load_le<uint32_t>(iv, 2);
223  m_state[9] = load_le<uint32_t>(iv, 3);
224 
225  secure_vector<uint32_t> hsalsa(8);
226  hsalsa20(hsalsa.data(), m_state.data());
227 
228  m_state[ 1] = hsalsa[0];
229  m_state[ 2] = hsalsa[1];
230  m_state[ 3] = hsalsa[2];
231  m_state[ 4] = hsalsa[3];
232  m_state[ 6] = load_le<uint32_t>(iv, 4);
233  m_state[ 7] = load_le<uint32_t>(iv, 5);
234  m_state[11] = hsalsa[4];
235  m_state[12] = hsalsa[5];
236  m_state[13] = hsalsa[6];
237  m_state[14] = hsalsa[7];
238  }
239 
240  m_state[8] = 0;
241  m_state[9] = 0;
242 
243  salsa_core(m_buffer.data(), m_state.data(), 20);
244  ++m_state[8];
245  m_state[9] += (m_state[8] == 0);
246 
247  m_position = 0;
248  }
249 
250 bool Salsa20::valid_iv_length(size_t iv_len) const
251  {
252  return (iv_len == 0 || iv_len == 8 || iv_len == 24);
253  }
254 
256  {
257  return 24;
258  }
259 
261  {
262  return Key_Length_Specification(16, 32, 16);
263  }
264 
266  {
267  return new Salsa20;
268  }
269 
270 std::string Salsa20::name() const
271  {
272  return "Salsa20";
273  }
274 
275 /*
276 * Clear memory of sensitive data
277 */
279  {
280  zap(m_key);
281  zap(m_state);
282  zap(m_buffer);
283  m_position = 0;
284  }
285 
286 void Salsa20::seek(uint64_t offset)
287  {
288  verify_key_set(m_state.empty() == false);
289 
290  // Find the block offset
291  const uint64_t counter = offset / 64;
292  uint8_t counter8[8];
293  store_le(counter, counter8);
294 
295  m_state[8] = load_le<uint32_t>(counter8, 0);
296  m_state[9] += load_le<uint32_t>(counter8, 1);
297 
298  salsa_core(m_buffer.data(), m_state.data(), 20);
299 
300  ++m_state[8];
301  m_state[9] += (m_state[8] == 0);
302 
303  m_position = offset % 64;
304  }
305 }
void verify_key_set(bool cond) const
Definition: sym_algo.h:89
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:170
std::string name() const override
Definition: salsa20.cpp:270
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:196
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
void seek(uint64_t offset) override
Definition: salsa20.cpp:286
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:203
#define SALSA20_QUARTER_ROUND(x1, x2, x3, x4)
Definition: salsa20.cpp:17
Definition: alg_id.cpp:13
size_t default_iv_length() const override
Definition: salsa20.cpp:255
StreamCipher * clone() const override
Definition: salsa20.cpp:265
static void salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
Definition: salsa20.cpp:64
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
bool valid_iv_length(size_t iv_len) const override
Definition: salsa20.cpp:250
void clear() override
Definition: salsa20.cpp:278
Key_Length_Specification key_spec() const override
Definition: salsa20.cpp:260
void set_iv(const uint8_t iv[], size_t iv_len) override
Definition: salsa20.cpp:196
void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:452
void cipher(const uint8_t in[], uint8_t out[], size_t length) override
Definition: salsa20.cpp:109