Botan  2.1.0
Crypto and TLS for C++11
salsa20.cpp
Go to the documentation of this file.
1 /*
2 * Salsa20 / XSalsa20
3 * (C) 1999-2010,2014 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/salsa20.h>
9 #include <botan/loadstor.h>
10 
11 namespace Botan {
12 
13 namespace {
14 
15 #define SALSA20_QUARTER_ROUND(x1, x2, x3, x4) \
16  do { \
17  x2 ^= rotate_left(x1 + x4, 7); \
18  x3 ^= rotate_left(x2 + x1, 9); \
19  x4 ^= rotate_left(x3 + x2, 13); \
20  x1 ^= rotate_left(x4 + x3, 18); \
21  } while(0)
22 
23 /*
24 * Generate HSalsa20 cipher stream (for XSalsa20 IV setup)
25 */
26 void hsalsa20(uint32_t output[8], const uint32_t input[16])
27  {
28  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
29  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
30  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
31  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
32 
33  for(size_t i = 0; i != 10; ++i)
34  {
35  SALSA20_QUARTER_ROUND(x00, x04, x08, x12);
36  SALSA20_QUARTER_ROUND(x05, x09, x13, x01);
37  SALSA20_QUARTER_ROUND(x10, x14, x02, x06);
38  SALSA20_QUARTER_ROUND(x15, x03, x07, x11);
39 
40  SALSA20_QUARTER_ROUND(x00, x01, x02, x03);
41  SALSA20_QUARTER_ROUND(x05, x06, x07, x04);
42  SALSA20_QUARTER_ROUND(x10, x11, x08, x09);
43  SALSA20_QUARTER_ROUND(x15, x12, x13, x14);
44  }
45 
46  output[0] = x00;
47  output[1] = x05;
48  output[2] = x10;
49  output[3] = x15;
50  output[4] = x06;
51  output[5] = x07;
52  output[6] = x08;
53  output[7] = x09;
54  }
55 
56 /*
57 * Generate Salsa20 cipher stream
58 */
59 void salsa20(uint8_t output[64], const uint32_t input[16])
60  {
61  uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3],
62  x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7],
63  x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11],
64  x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];
65 
66  for(size_t i = 0; i != 10; ++i)
67  {
68  SALSA20_QUARTER_ROUND(x00, x04, x08, x12);
69  SALSA20_QUARTER_ROUND(x05, x09, x13, x01);
70  SALSA20_QUARTER_ROUND(x10, x14, x02, x06);
71  SALSA20_QUARTER_ROUND(x15, x03, x07, x11);
72 
73  SALSA20_QUARTER_ROUND(x00, x01, x02, x03);
74  SALSA20_QUARTER_ROUND(x05, x06, x07, x04);
75  SALSA20_QUARTER_ROUND(x10, x11, x08, x09);
76  SALSA20_QUARTER_ROUND(x15, x12, x13, x14);
77  }
78 
79  store_le(x00 + input[ 0], output + 4 * 0);
80  store_le(x01 + input[ 1], output + 4 * 1);
81  store_le(x02 + input[ 2], output + 4 * 2);
82  store_le(x03 + input[ 3], output + 4 * 3);
83  store_le(x04 + input[ 4], output + 4 * 4);
84  store_le(x05 + input[ 5], output + 4 * 5);
85  store_le(x06 + input[ 6], output + 4 * 6);
86  store_le(x07 + input[ 7], output + 4 * 7);
87  store_le(x08 + input[ 8], output + 4 * 8);
88  store_le(x09 + input[ 9], output + 4 * 9);
89  store_le(x10 + input[10], output + 4 * 10);
90  store_le(x11 + input[11], output + 4 * 11);
91  store_le(x12 + input[12], output + 4 * 12);
92  store_le(x13 + input[13], output + 4 * 13);
93  store_le(x14 + input[14], output + 4 * 14);
94  store_le(x15 + input[15], output + 4 * 15);
95  }
96 
97 }
98 
99 #undef SALSA20_QUARTER_ROUND
100 
101 /*
102 * Combine cipher stream with message
103 */
104 void Salsa20::cipher(const uint8_t in[], uint8_t out[], size_t length)
105  {
106  while(length >= m_buffer.size() - m_position)
107  {
108  xor_buf(out, in, &m_buffer[m_position], m_buffer.size() - m_position);
109  length -= (m_buffer.size() - m_position);
110  in += (m_buffer.size() - m_position);
111  out += (m_buffer.size() - m_position);
112  salsa20(m_buffer.data(), m_state.data());
113 
114  ++m_state[8];
115  m_state[9] += (m_state[8] == 0);
116 
117  m_position = 0;
118  }
119 
120  xor_buf(out, in, &m_buffer[m_position], length);
121 
122  m_position += length;
123  }
124 
125 /*
126 * Salsa20 Key Schedule
127 */
128 void Salsa20::key_schedule(const uint8_t key[], size_t length)
129  {
130  static const uint32_t TAU[] =
131  { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 };
132 
133  static const uint32_t SIGMA[] =
134  { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
135 
136  const uint32_t* CONSTANTS = (length == 16) ? TAU : SIGMA;
137 
138  m_state.resize(16);
139  m_buffer.resize(64);
140 
141  m_state[0] = CONSTANTS[0];
142  m_state[5] = CONSTANTS[1];
143  m_state[10] = CONSTANTS[2];
144  m_state[15] = CONSTANTS[3];
145 
146  m_state[1] = load_le<uint32_t>(key, 0);
147  m_state[2] = load_le<uint32_t>(key, 1);
148  m_state[3] = load_le<uint32_t>(key, 2);
149  m_state[4] = load_le<uint32_t>(key, 3);
150 
151  if(length == 32)
152  key += 16;
153 
154  m_state[11] = load_le<uint32_t>(key, 0);
155  m_state[12] = load_le<uint32_t>(key, 1);
156  m_state[13] = load_le<uint32_t>(key, 2);
157  m_state[14] = load_le<uint32_t>(key, 3);
158 
159  m_position = 0;
160 
161  set_iv(nullptr, 0); // all-zero IV
162  }
163 
164 /*
165 * Set the Salsa IV
166 */
167 void Salsa20::set_iv(const uint8_t iv[], size_t length)
168  {
169  if(!valid_iv_length(length))
170  throw Invalid_IV_Length(name(), length);
171 
172  if(length == 0)
173  {
174  // Salsa20 null IV
175  m_state[6] = 0;
176  m_state[7] = 0;
177  }
178  else if(length == 8)
179  {
180  // Salsa20
181  m_state[6] = load_le<uint32_t>(iv, 0);
182  m_state[7] = load_le<uint32_t>(iv, 1);
183  }
184  else
185  {
186  // XSalsa20
187  m_state[6] = load_le<uint32_t>(iv, 0);
188  m_state[7] = load_le<uint32_t>(iv, 1);
189  m_state[8] = load_le<uint32_t>(iv, 2);
190  m_state[9] = load_le<uint32_t>(iv, 3);
191 
192  secure_vector<uint32_t> hsalsa(8);
193  hsalsa20(hsalsa.data(), m_state.data());
194 
195  m_state[ 1] = hsalsa[0];
196  m_state[ 2] = hsalsa[1];
197  m_state[ 3] = hsalsa[2];
198  m_state[ 4] = hsalsa[3];
199  m_state[ 6] = load_le<uint32_t>(iv, 4);
200  m_state[ 7] = load_le<uint32_t>(iv, 5);
201  m_state[11] = hsalsa[4];
202  m_state[12] = hsalsa[5];
203  m_state[13] = hsalsa[6];
204  m_state[14] = hsalsa[7];
205  }
206 
207  m_state[8] = 0;
208  m_state[9] = 0;
209 
210  salsa20(m_buffer.data(), m_state.data());
211  ++m_state[8];
212  m_state[9] += (m_state[8] == 0);
213 
214  m_position = 0;
215  }
216 
217 /*
218 * Return the name of this type
219 */
220 std::string Salsa20::name() const
221  {
222  return "Salsa20";
223  }
224 
225 /*
226 * Clear memory of sensitive data
227 */
229  {
230  zap(m_state);
231  zap(m_buffer);
232  m_position = 0;
233  }
234 
235 void Salsa20::seek(uint64_t)
236  {
237  throw Not_Implemented("Salsa20::seek");
238  }
239 }
void xor_buf(T out[], const T in[], size_t length)
Definition: mem_ops.h:115
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:221
std::string name() const override
Definition: salsa20.cpp:220
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:204
void seek(uint64_t offset) override
Definition: salsa20.cpp:235
std::vector< T, secure_allocator< T >> secure_vector
Definition: secmem.h:121
#define SALSA20_QUARTER_ROUND(x1, x2, x3, x4)
Definition: salsa20.cpp:15
Definition: alg_id.cpp:13
bool valid_iv_length(size_t iv_len) const override
Definition: salsa20.h:25
void clear() override
Definition: salsa20.cpp:228
void set_iv(const uint8_t iv[], size_t iv_len) override
Definition: salsa20.cpp:167
void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:457
void cipher(const uint8_t in[], uint8_t out[], size_t length) override
Definition: salsa20.cpp:104