Botan 3.0.0
Crypto and TLS for C&
salsa20.cpp
Go to the documentation of this file.
1/*
2* Salsa20 / XSalsa20
3* (C) 1999-2010,2014 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/salsa20.h>
9#include <botan/exceptn.h>
10#include <botan/internal/loadstor.h>
11#include <botan/internal/rotate.h>
12
13namespace Botan {
14
15namespace {
16
17inline void salsa20_quarter_round(uint32_t& x1,
18 uint32_t& x2,
19 uint32_t& x3,
20 uint32_t& x4)
21 {
22 x2 ^= rotl<7>(x1 + x4);
23 x3 ^= rotl<9>(x2 + x1);
24 x4 ^= rotl<13>(x3 + x2);
25 x1 ^= rotl<18>(x4 + x3);
26 }
27
28}
29
30/*
31* Generate HSalsa20 cipher stream (for XSalsa20 IV setup)
32*/
33//static
34void Salsa20::hsalsa20(uint32_t output[8], const uint32_t input[16])
35 {
36 uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
37 x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
38 x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
39 x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
40
41 for(size_t i = 0; i != 10; ++i)
42 {
43 salsa20_quarter_round(x00, x04, x08, x12);
44 salsa20_quarter_round(x05, x09, x13, x01);
45 salsa20_quarter_round(x10, x14, x02, x06);
46 salsa20_quarter_round(x15, x03, x07, x11);
47
48 salsa20_quarter_round(x00, x01, x02, x03);
49 salsa20_quarter_round(x05, x06, x07, x04);
50 salsa20_quarter_round(x10, x11, x08, x09);
51 salsa20_quarter_round(x15, x12, x13, x14);
52 }
53
54 output[0] = x00;
55 output[1] = x05;
56 output[2] = x10;
57 output[3] = x15;
58 output[4] = x06;
59 output[5] = x07;
60 output[6] = x08;
61 output[7] = x09;
62 }
63
64/*
65* Generate Salsa20 cipher stream
66*/
67//static
68void Salsa20::salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
69 {
70 BOTAN_ASSERT_NOMSG(rounds % 2 == 0);
71
72 uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
73 x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
74 x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
75 x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
76
77 for(size_t i = 0; i != rounds / 2; ++i)
78 {
79 salsa20_quarter_round(x00, x04, x08, x12);
80 salsa20_quarter_round(x05, x09, x13, x01);
81 salsa20_quarter_round(x10, x14, x02, x06);
82 salsa20_quarter_round(x15, x03, x07, x11);
83
84 salsa20_quarter_round(x00, x01, x02, x03);
85 salsa20_quarter_round(x05, x06, x07, x04);
86 salsa20_quarter_round(x10, x11, x08, x09);
87 salsa20_quarter_round(x15, x12, x13, x14);
88 }
89
90 store_le(x00 + input[ 0], output + 4 * 0);
91 store_le(x01 + input[ 1], output + 4 * 1);
92 store_le(x02 + input[ 2], output + 4 * 2);
93 store_le(x03 + input[ 3], output + 4 * 3);
94 store_le(x04 + input[ 4], output + 4 * 4);
95 store_le(x05 + input[ 5], output + 4 * 5);
96 store_le(x06 + input[ 6], output + 4 * 6);
97 store_le(x07 + input[ 7], output + 4 * 7);
98 store_le(x08 + input[ 8], output + 4 * 8);
99 store_le(x09 + input[ 9], output + 4 * 9);
100 store_le(x10 + input[10], output + 4 * 10);
101 store_le(x11 + input[11], output + 4 * 11);
102 store_le(x12 + input[12], output + 4 * 12);
103 store_le(x13 + input[13], output + 4 * 13);
104 store_le(x14 + input[14], output + 4 * 14);
105 store_le(x15 + input[15], output + 4 * 15);
106 }
107
108/*
109* Combine cipher stream with message
110*/
111void Salsa20::cipher_bytes(const uint8_t in[], uint8_t out[], size_t length)
112 {
114
115 while(length >= m_buffer.size() - m_position)
116 {
117 const size_t available = m_buffer.size() - m_position;
118
119 xor_buf(out, in, &m_buffer[m_position], available);
120 salsa_core(m_buffer.data(), m_state.data(), 20);
121
122 ++m_state[8];
123 m_state[9] += (m_state[8] == 0);
124
125 length -= available;
126 in += available;
127 out += available;
128
129 m_position = 0;
130 }
131
132 xor_buf(out, in, &m_buffer[m_position], length);
133
134 m_position += length;
135 }
136
137void Salsa20::initialize_state()
138 {
139 static const uint32_t TAU[] =
140 { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
141
142 static const uint32_t SIGMA[] =
143 { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
144
145 m_state[1] = m_key[0];
146 m_state[2] = m_key[1];
147 m_state[3] = m_key[2];
148 m_state[4] = m_key[3];
149
150 if(m_key.size() == 4)
151 {
152 m_state[0] = TAU[0];
153 m_state[5] = TAU[1];
154 m_state[10] = TAU[2];
155 m_state[15] = TAU[3];
156 m_state[11] = m_key[0];
157 m_state[12] = m_key[1];
158 m_state[13] = m_key[2];
159 m_state[14] = m_key[3];
160 }
161 else
162 {
163 m_state[0] = SIGMA[0];
164 m_state[5] = SIGMA[1];
165 m_state[10] = SIGMA[2];
166 m_state[15] = SIGMA[3];
167 m_state[11] = m_key[4];
168 m_state[12] = m_key[5];
169 m_state[13] = m_key[6];
170 m_state[14] = m_key[7];
171 }
172
173 m_state[6] = 0;
174 m_state[7] = 0;
175 m_state[8] = 0;
176 m_state[9] = 0;
177
178 m_position = 0;
179 }
180
182 {
183 return !m_state.empty();
184 }
185
187 {
188 return 64;
189 }
190
191/*
192* Salsa20 Key Schedule
193*/
194void Salsa20::key_schedule(const uint8_t key[], size_t length)
195 {
196 m_key.resize(length / 4);
197 load_le<uint32_t>(m_key.data(), key, m_key.size());
198
199 m_state.resize(16);
200 m_buffer.resize(64);
201
202 set_iv(nullptr, 0);
203 }
204
205/*
206* Set the Salsa IV
207*/
208void Salsa20::set_iv_bytes(const uint8_t iv[], size_t length)
209 {
211
212 if(!valid_iv_length(length))
213 throw Invalid_IV_Length(name(), length);
214
215 initialize_state();
216
217 if(length == 0)
218 {
219 // Salsa20 null IV
220 m_state[6] = 0;
221 m_state[7] = 0;
222 }
223 else if(length == 8)
224 {
225 // Salsa20
226 m_state[6] = load_le<uint32_t>(iv, 0);
227 m_state[7] = load_le<uint32_t>(iv, 1);
228 }
229 else
230 {
231 // XSalsa20
232 m_state[6] = load_le<uint32_t>(iv, 0);
233 m_state[7] = load_le<uint32_t>(iv, 1);
234 m_state[8] = load_le<uint32_t>(iv, 2);
235 m_state[9] = load_le<uint32_t>(iv, 3);
236
237 secure_vector<uint32_t> hsalsa(8);
238 hsalsa20(hsalsa.data(), m_state.data());
239
240 m_state[ 1] = hsalsa[0];
241 m_state[ 2] = hsalsa[1];
242 m_state[ 3] = hsalsa[2];
243 m_state[ 4] = hsalsa[3];
244 m_state[ 6] = load_le<uint32_t>(iv, 4);
245 m_state[ 7] = load_le<uint32_t>(iv, 5);
246 m_state[11] = hsalsa[4];
247 m_state[12] = hsalsa[5];
248 m_state[13] = hsalsa[6];
249 m_state[14] = hsalsa[7];
250 }
251
252 m_state[8] = 0;
253 m_state[9] = 0;
254
255 salsa_core(m_buffer.data(), m_state.data(), 20);
256 ++m_state[8];
257 m_state[9] += (m_state[8] == 0);
258
259 m_position = 0;
260 }
261
262bool Salsa20::valid_iv_length(size_t iv_len) const
263 {
264 return (iv_len == 0 || iv_len == 8 || iv_len == 24);
265 }
266
268 {
269 return 24;
270 }
271
273 {
274 return Key_Length_Specification(16, 32, 16);
275 }
276
277std::unique_ptr<StreamCipher> Salsa20::new_object() const
278 {
279 return std::make_unique<Salsa20>();
280 }
281
282std::string Salsa20::name() const
283 {
284 return "Salsa20";
285 }
286
287/*
288* Clear memory of sensitive data
289*/
291 {
292 zap(m_key);
293 zap(m_state);
294 zap(m_buffer);
295 m_position = 0;
296 }
297
298void Salsa20::seek(uint64_t offset)
299 {
301
302 // Find the block offset
303 const uint64_t counter = offset / 64;
304 uint8_t counter8[8];
305 store_le(counter, counter8);
306
307 m_state[8] = load_le<uint32_t>(counter8, 0);
308 m_state[9] += load_le<uint32_t>(counter8, 1);
309
310 salsa_core(m_buffer.data(), m_state.data(), 20);
311
312 ++m_state[8];
313 m_state[9] += (m_state[8] == 0);
314
315 m_position = offset % 64;
316 }
317}
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:67
void seek(uint64_t offset) override
Definition: salsa20.cpp:298
bool has_keying_material() const override
Definition: salsa20.cpp:181
void clear() override
Definition: salsa20.cpp:290
size_t buffer_size() const override
Definition: salsa20.cpp:186
void set_iv_bytes(const uint8_t iv[], size_t iv_len) override
Definition: salsa20.cpp:208
void cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) override
Definition: salsa20.cpp:111
static void hsalsa20(uint32_t output[8], const uint32_t input[16])
Definition: salsa20.cpp:34
bool valid_iv_length(size_t iv_len) const override
Definition: salsa20.cpp:262
size_t default_iv_length() const override
Definition: salsa20.cpp:267
static void salsa_core(uint8_t output[64], const uint32_t input[16], size_t rounds)
Definition: salsa20.cpp:68
std::unique_ptr< StreamCipher > new_object() const override
Definition: salsa20.cpp:277
std::string name() const override
Definition: salsa20.cpp:282
Key_Length_Specification key_spec() const override
Definition: salsa20.cpp:272
void set_iv(const uint8_t iv[], size_t iv_len)
void assert_key_material_set() const
Definition: sym_algo.h:182
Definition: alg_id.cpp:12
constexpr uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:209
constexpr void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:465
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:129
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:255
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:64