Botan 2.19.3
Crypto and TLS for C&
chacha.cpp
Go to the documentation of this file.
1/*
2* ChaCha
3* (C) 2014,2018 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/chacha.h>
9#include <botan/exceptn.h>
10#include <botan/loadstor.h>
11#include <botan/rotate.h>
12#include <botan/cpuid.h>
13
14namespace Botan {
15
16namespace {
17
18#define CHACHA_QUARTER_ROUND(a, b, c, d) \
19 do { \
20 a += b; d ^= a; d = rotl<16>(d); \
21 c += d; b ^= c; b = rotl<12>(b); \
22 a += b; d ^= a; d = rotl<8>(d); \
23 c += d; b ^= c; b = rotl<7>(b); \
24 } while(0)
25
26/*
27* Generate HChaCha cipher stream (for XChaCha IV setup)
28*/
29void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds)
30 {
31 BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
32
33 uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
34 x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
35 x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
36 x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
37
38 for(size_t i = 0; i != rounds / 2; ++i)
39 {
40 CHACHA_QUARTER_ROUND(x00, x04, x08, x12);
41 CHACHA_QUARTER_ROUND(x01, x05, x09, x13);
42 CHACHA_QUARTER_ROUND(x02, x06, x10, x14);
43 CHACHA_QUARTER_ROUND(x03, x07, x11, x15);
44
45 CHACHA_QUARTER_ROUND(x00, x05, x10, x15);
46 CHACHA_QUARTER_ROUND(x01, x06, x11, x12);
47 CHACHA_QUARTER_ROUND(x02, x07, x08, x13);
48 CHACHA_QUARTER_ROUND(x03, x04, x09, x14);
49 }
50
51 output[0] = x00;
52 output[1] = x01;
53 output[2] = x02;
54 output[3] = x03;
55 output[4] = x12;
56 output[5] = x13;
57 output[6] = x14;
58 output[7] = x15;
59 }
60
61}
62
63ChaCha::ChaCha(size_t rounds) : m_rounds(rounds)
64 {
65 BOTAN_ARG_CHECK(m_rounds == 8 || m_rounds == 12 || m_rounds == 20,
66 "ChaCha only supports 8, 12 or 20 rounds");
67 }
68
69std::string ChaCha::provider() const
70 {
71#if defined(BOTAN_HAS_CHACHA_AVX2)
72 if(CPUID::has_avx2())
73 {
74 return "avx2";
75 }
76#endif
77
78#if defined(BOTAN_HAS_CHACHA_SIMD32)
80 {
81 return "simd32";
82 }
83#endif
84
85 return "base";
86 }
87
88//static
89void ChaCha::chacha_x8(uint8_t output[64*8], uint32_t input[16], size_t rounds)
90 {
91 BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
92
93#if defined(BOTAN_HAS_CHACHA_AVX2)
94 if(CPUID::has_avx2())
95 {
96 return ChaCha::chacha_avx2_x8(output, input, rounds);
97 }
98#endif
99
100#if defined(BOTAN_HAS_CHACHA_SIMD32)
102 {
103 ChaCha::chacha_simd32_x4(output, input, rounds);
104 ChaCha::chacha_simd32_x4(output + 4*64, input, rounds);
105 return;
106 }
107#endif
108
109 // TODO interleave rounds
110 for(size_t i = 0; i != 8; ++i)
111 {
112 uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
113 x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
114 x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
115 x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
116
117 for(size_t r = 0; r != rounds / 2; ++r)
118 {
119 CHACHA_QUARTER_ROUND(x00, x04, x08, x12);
120 CHACHA_QUARTER_ROUND(x01, x05, x09, x13);
121 CHACHA_QUARTER_ROUND(x02, x06, x10, x14);
122 CHACHA_QUARTER_ROUND(x03, x07, x11, x15);
123
124 CHACHA_QUARTER_ROUND(x00, x05, x10, x15);
125 CHACHA_QUARTER_ROUND(x01, x06, x11, x12);
126 CHACHA_QUARTER_ROUND(x02, x07, x08, x13);
127 CHACHA_QUARTER_ROUND(x03, x04, x09, x14);
128 }
129
130 x00 += input[0];
131 x01 += input[1];
132 x02 += input[2];
133 x03 += input[3];
134 x04 += input[4];
135 x05 += input[5];
136 x06 += input[6];
137 x07 += input[7];
138 x08 += input[8];
139 x09 += input[9];
140 x10 += input[10];
141 x11 += input[11];
142 x12 += input[12];
143 x13 += input[13];
144 x14 += input[14];
145 x15 += input[15];
146
147 store_le(x00, output + 64 * i + 4 * 0);
148 store_le(x01, output + 64 * i + 4 * 1);
149 store_le(x02, output + 64 * i + 4 * 2);
150 store_le(x03, output + 64 * i + 4 * 3);
151 store_le(x04, output + 64 * i + 4 * 4);
152 store_le(x05, output + 64 * i + 4 * 5);
153 store_le(x06, output + 64 * i + 4 * 6);
154 store_le(x07, output + 64 * i + 4 * 7);
155 store_le(x08, output + 64 * i + 4 * 8);
156 store_le(x09, output + 64 * i + 4 * 9);
157 store_le(x10, output + 64 * i + 4 * 10);
158 store_le(x11, output + 64 * i + 4 * 11);
159 store_le(x12, output + 64 * i + 4 * 12);
160 store_le(x13, output + 64 * i + 4 * 13);
161 store_le(x14, output + 64 * i + 4 * 14);
162 store_le(x15, output + 64 * i + 4 * 15);
163
164 input[12]++;
165 input[13] += (input[12] == 0);
166 }
167 }
168
169#undef CHACHA_QUARTER_ROUND
170
171/*
172* Combine cipher stream with message
173*/
174void ChaCha::cipher(const uint8_t in[], uint8_t out[], size_t length)
175 {
176 verify_key_set(m_state.empty() == false);
177
178 while(length >= m_buffer.size() - m_position)
179 {
180 const size_t available = m_buffer.size() - m_position;
181
182 xor_buf(out, in, &m_buffer[m_position], available);
183 chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
184
185 length -= available;
186 in += available;
187 out += available;
188 m_position = 0;
189 }
190
191 xor_buf(out, in, &m_buffer[m_position], length);
192
193 m_position += length;
194 }
195
196void ChaCha::write_keystream(uint8_t out[], size_t length)
197 {
198 verify_key_set(m_state.empty() == false);
199
200 while(length >= m_buffer.size() - m_position)
201 {
202 const size_t available = m_buffer.size() - m_position;
203
204 copy_mem(out, &m_buffer[m_position], available);
205 chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
206
207 length -= available;
208 out += available;
209 m_position = 0;
210 }
211
212 copy_mem(out, &m_buffer[m_position], length);
213
214 m_position += length;
215 }
216
217void ChaCha::initialize_state()
218 {
219 static const uint32_t TAU[] =
220 { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
221
222 static const uint32_t SIGMA[] =
223 { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
224
225 m_state[4] = m_key[0];
226 m_state[5] = m_key[1];
227 m_state[6] = m_key[2];
228 m_state[7] = m_key[3];
229
230 if(m_key.size() == 4)
231 {
232 m_state[0] = TAU[0];
233 m_state[1] = TAU[1];
234 m_state[2] = TAU[2];
235 m_state[3] = TAU[3];
236
237 m_state[8] = m_key[0];
238 m_state[9] = m_key[1];
239 m_state[10] = m_key[2];
240 m_state[11] = m_key[3];
241 }
242 else
243 {
244 m_state[0] = SIGMA[0];
245 m_state[1] = SIGMA[1];
246 m_state[2] = SIGMA[2];
247 m_state[3] = SIGMA[3];
248
249 m_state[8] = m_key[4];
250 m_state[9] = m_key[5];
251 m_state[10] = m_key[6];
252 m_state[11] = m_key[7];
253 }
254
255 m_state[12] = 0;
256 m_state[13] = 0;
257 m_state[14] = 0;
258 m_state[15] = 0;
259
260 m_position = 0;
261 }
262
263/*
264* ChaCha Key Schedule
265*/
266void ChaCha::key_schedule(const uint8_t key[], size_t length)
267 {
268 m_key.resize(length / 4);
269 load_le<uint32_t>(m_key.data(), key, m_key.size());
270
271 m_state.resize(16);
272
273 const size_t chacha_parallelism = 8; // chacha_x8
274 const size_t chacha_block = 64;
275 m_buffer.resize(chacha_parallelism * chacha_block);
276
277 set_iv(nullptr, 0);
278 }
279
281 {
282 return 24;
283 }
284
286 {
287 return Key_Length_Specification(16, 32, 16);
288 }
289
291 {
292 return new ChaCha(m_rounds);
293 }
294
295bool ChaCha::valid_iv_length(size_t iv_len) const
296 {
297 return (iv_len == 0 || iv_len == 8 || iv_len == 12 || iv_len == 24);
298 }
299
300void ChaCha::set_iv(const uint8_t iv[], size_t length)
301 {
302 verify_key_set(m_state.empty() == false);
303
304 if(!valid_iv_length(length))
305 throw Invalid_IV_Length(name(), length);
306
307 initialize_state();
308
309 if(length == 0)
310 {
311 // Treat zero length IV same as an all-zero IV
312 m_state[14] = 0;
313 m_state[15] = 0;
314 }
315 else if(length == 8)
316 {
317 m_state[14] = load_le<uint32_t>(iv, 0);
318 m_state[15] = load_le<uint32_t>(iv, 1);
319 }
320 else if(length == 12)
321 {
322 m_state[13] = load_le<uint32_t>(iv, 0);
323 m_state[14] = load_le<uint32_t>(iv, 1);
324 m_state[15] = load_le<uint32_t>(iv, 2);
325 }
326 else if(length == 24)
327 {
328 m_state[12] = load_le<uint32_t>(iv, 0);
329 m_state[13] = load_le<uint32_t>(iv, 1);
330 m_state[14] = load_le<uint32_t>(iv, 2);
331 m_state[15] = load_le<uint32_t>(iv, 3);
332
334 hchacha(hc.data(), m_state.data(), m_rounds);
335
336 m_state[ 4] = hc[0];
337 m_state[ 5] = hc[1];
338 m_state[ 6] = hc[2];
339 m_state[ 7] = hc[3];
340 m_state[ 8] = hc[4];
341 m_state[ 9] = hc[5];
342 m_state[10] = hc[6];
343 m_state[11] = hc[7];
344 m_state[12] = 0;
345 m_state[13] = 0;
346 m_state[14] = load_le<uint32_t>(iv, 4);
347 m_state[15] = load_le<uint32_t>(iv, 5);
348 }
349
350 chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
351 m_position = 0;
352 }
353
355 {
356 zap(m_key);
357 zap(m_state);
358 zap(m_buffer);
359 m_position = 0;
360 }
361
362std::string ChaCha::name() const
363 {
364 return "ChaCha(" + std::to_string(m_rounds) + ")";
365 }
366
367void ChaCha::seek(uint64_t offset)
368 {
369 verify_key_set(m_state.empty() == false);
370
371 // Find the block offset
372 const uint64_t counter = offset / 64;
373
374 uint8_t out[8];
375
376 store_le(counter, out);
377
378 m_state[12] = load_le<uint32_t>(out, 0);
379 m_state[13] += load_le<uint32_t>(out, 1);
380
381 chacha_x8(m_buffer.data(), m_state.data(), m_rounds);
382 m_position = offset % 64;
383 }
384}
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:37
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:55
#define CHACHA_QUARTER_ROUND(a, b, c, d)
Definition chacha.cpp:18
static bool has_simd_32()
Definition cpuid.cpp:16
StreamCipher * clone() const override
Definition chacha.cpp:290
void clear() override
Definition chacha.cpp:354
std::string name() const override
Definition chacha.cpp:362
void cipher(const uint8_t in[], uint8_t out[], size_t length) override
Definition chacha.cpp:174
void set_iv(const uint8_t iv[], size_t iv_len) override
Definition chacha.cpp:300
Key_Length_Specification key_spec() const override
Definition chacha.cpp:285
bool valid_iv_length(size_t iv_len) const override
Definition chacha.cpp:295
size_t default_iv_length() const override
Definition chacha.cpp:280
std::string provider() const override
Definition chacha.cpp:69
ChaCha(size_t rounds=20)
Definition chacha.cpp:63
void seek(uint64_t offset) override
Definition chacha.cpp:367
void write_keystream(uint8_t out[], size_t len) override
Definition chacha.cpp:196
void verify_key_set(bool cond) const
Definition sym_algo.h:171
void zap(std::vector< T, Alloc > &vec)
Definition secmem.h:124
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition loadstor.h:198
void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:133
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition mem_ops.h:262
void store_le(uint16_t in, uint8_t out[2])
Definition loadstor.h:454
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:65