randombit/botan | Build 13535848071 | source/src/lib/stream/chacha/chacha.cpp | Coveralls

23

inline void chacha_quarter_round(uint32_t& a, uint32_t& b, uint32_t& c, uint32_t& d) {

2,216,096✔

24

   a += b;

2,216,096✔

25

   d ^= a;

2,216,096✔

26

   d = rotl<16>(d);

2,216,096✔

27

   c += d;

2,216,096✔

28

   b ^= c;

2,216,096✔

29

   b = rotl<12>(b);

2,216,096✔

30

   a += b;

2,216,096✔

31

   d ^= a;

2,216,096✔

32

   d = rotl<8>(d);

2,216,096✔

33

   c += d;

2,216,096✔

34

   b ^= c;

2,216,096✔

35

   b = rotl<7>(b);

2,216,096✔

36

2,216,096✔

41

void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds) {

23,410✔

42

   BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");

23,410✔

44

   uint32_t x00 = input[0], x01 = input[1], x02 = input[2], x03 = input[3], x04 = input[4], x05 = input[5],

23,410✔

45

            x06 = input[6], x07 = input[7], x08 = input[8], x09 = input[9], x10 = input[10], x11 = input[11],

23,410✔

46

            x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];

23,410✔

48

   for(size_t i = 0; i != rounds / 2; ++i) {

257,510✔

49

      chacha_quarter_round(x00, x04, x08, x12);

234,100✔

50

      chacha_quarter_round(x01, x05, x09, x13);

234,100✔

51

      chacha_quarter_round(x02, x06, x10, x14);

234,100✔

52

      chacha_quarter_round(x03, x07, x11, x15);

234,100✔

54

      chacha_quarter_round(x00, x05, x10, x15);

234,100✔

55

      chacha_quarter_round(x01, x06, x11, x12);

234,100✔

56

      chacha_quarter_round(x02, x07, x08, x13);

234,100✔

57

      chacha_quarter_round(x03, x04, x09, x14);

234,100✔

60

   output[0] = x00;

23,410✔

61

   output[1] = x01;

23,410✔

62

   output[2] = x02;

23,410✔

63

   output[3] = x03;

23,410✔

64

   output[4] = x12;

23,410✔

65

   output[5] = x13;

23,410✔

66

   output[6] = x14;

23,410✔

67

   output[7] = x15;

23,410✔

68

23,410✔

72

ChaCha::ChaCha(size_t rounds) : m_rounds(rounds) {

16,315✔

73

   BOTAN_ARG_CHECK(m_rounds == 8 || m_rounds == 12 || m_rounds == 20, "ChaCha only supports 8, 12 or 20 rounds");

16,315✔

74

16,315✔

76

size_t ChaCha::parallelism() {

86,674✔

78

   if(CPUID::has_avx512()) {

86,674✔

84

   if(CPUID::has_avx2()) {

86,674✔

85

      return 8;

86,024✔

92

std::string ChaCha::provider() const {

325✔

94

   if(CPUID::has_avx512()) {

325✔

100

   if(CPUID::has_avx2()) {

325✔

101

      return "avx2";

109✔

106

   if(CPUID::has_simd_32()) {

216✔

107

      return "simd32";

108✔

111

   return "base";

108✔

114

void ChaCha::chacha(uint8_t output[], size_t output_blocks, uint32_t state[16], size_t rounds) {

221,229✔

115

   BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");

221,229✔

118

   if(CPUID::has_avx512()) {

221,229✔

128

   if(CPUID::has_avx2()) {

221,229✔

129

      while(output_blocks >= 8) {

437,794✔

130

         ChaCha::chacha_avx2_x8(output, state, rounds);

218,897✔

131

         output += 8 * 64;

218,897✔

132

         output_blocks -= 8;

218,897✔

138

   if(CPUID::has_simd_32()) {

221,229✔

139

      while(output_blocks >= 4) {

221,229✔

140

         ChaCha::chacha_simd32_x4(output, state, rounds);

1,166✔

141

         output += 4 * 64;

1,166✔

142

         output_blocks -= 4;

1,166✔

148

   for(size_t i = 0; i != output_blocks; ++i) {

225,893✔

149

      uint32_t x00 = state[0], x01 = state[1], x02 = state[2], x03 = state[3], x04 = state[4], x05 = state[5],

4,664✔

150

               x06 = state[6], x07 = state[7], x08 = state[8], x09 = state[9], x10 = state[10], x11 = state[11],

4,664✔

151

               x12 = state[12], x13 = state[13], x14 = state[14], x15 = state[15];

4,664✔

153

      for(size_t r = 0; r != rounds / 2; ++r) {

47,576✔

154

         chacha_quarter_round(x00, x04, x08, x12);

42,912✔

155

         chacha_quarter_round(x01, x05, x09, x13);

42,912✔

156

         chacha_quarter_round(x02, x06, x10, x14);

42,912✔

157

         chacha_quarter_round(x03, x07, x11, x15);

42,912✔

159

         chacha_quarter_round(x00, x05, x10, x15);

42,912✔

160

         chacha_quarter_round(x01, x06, x11, x12);

42,912✔

161

         chacha_quarter_round(x02, x07, x08, x13);

42,912✔

162

         chacha_quarter_round(x03, x04, x09, x14);

42,912✔

165

      x00 += state[0];

4,664✔

166

      x01 += state[1];

4,664✔

167

      x02 += state[2];

4,664✔

168

      x03 += state[3];

4,664✔

169

      x04 += state[4];

4,664✔

170

      x05 += state[5];

4,664✔

171

      x06 += state[6];

4,664✔

172

      x07 += state[7];

4,664✔

173

      x08 += state[8];

4,664✔

174

      x09 += state[9];

4,664✔

175

      x10 += state[10];

4,664✔

176

      x11 += state[11];

4,664✔

177

      x12 += state[12];

4,664✔

178

      x13 += state[13];

4,664✔

179

      x14 += state[14];

4,664✔

180

      x15 += state[15];

4,664✔

182

      store_le(x00, output + 64 * i + 4 * 0);

4,664✔

183

      store_le(x01, output + 64 * i + 4 * 1);

4,664✔

184

      store_le(x02, output + 64 * i + 4 * 2);

4,664✔

185

      store_le(x03, output + 64 * i + 4 * 3);

4,664✔

186

      store_le(x04, output + 64 * i + 4 * 4);

4,664✔

187

      store_le(x05, output + 64 * i + 4 * 5);

4,664✔

188

      store_le(x06, output + 64 * i + 4 * 6);

4,664✔

189

      store_le(x07, output + 64 * i + 4 * 7);

4,664✔

190

      store_le(x08, output + 64 * i + 4 * 8);

4,664✔

191

      store_le(x09, output + 64 * i + 4 * 9);

4,664✔

192

      store_le(x10, output + 64 * i + 4 * 10);

4,664✔

193

      store_le(x11, output + 64 * i + 4 * 11);

4,664✔

194

      store_le(x12, output + 64 * i + 4 * 12);

4,664✔

195

      store_le(x13, output + 64 * i + 4 * 13);

4,664✔

196

      store_le(x14, output + 64 * i + 4 * 14);

4,664✔

197

      store_le(x15, output + 64 * i + 4 * 15);

4,664✔

199

      state[12]++;

4,664✔

200

      state[13] += (state[12] == 0);

4,664✔

202

221,229✔

207

void ChaCha::cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) {

285,362✔

208

   assert_key_material_set();

285,362✔

210

   while(length >= m_buffer.size() - m_position) {

570,955✔

211

      const size_t available = m_buffer.size() - m_position;

5,604✔

213

      xor_buf(out, in, &m_buffer[m_position], available);

5,604✔

214

      chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);

5,604✔

216

      length -= available;

5,604✔

217

      in += available;

5,604✔

218

      out += available;

5,604✔

219

      m_position = 0;

5,604✔

222

   xor_buf(out, in, &m_buffer[m_position], length);

279,989✔

224

   m_position += length;

279,989✔

225

279,989✔

227

void ChaCha::generate_keystream(uint8_t out[], size_t length) {

152,342✔

228

   assert_key_material_set();

152,342✔

230

   while(length >= m_buffer.size() - m_position) {

326,136✔

231

      const size_t available = m_buffer.size() - m_position;

21,452✔

235

      copy_mem(out, &m_buffer[m_position], available);

21,452✔

236

      chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);

21,452✔

238

      length -= available;

21,452✔

239

      out += available;

21,452✔

240

      m_position = 0;

21,452✔

243

   copy_mem(out, &m_buffer[m_position], length);

152,342✔

245

   m_position += length;

152,342✔

246

152,342✔

248

void ChaCha::initialize_state() {

193,282✔

249

   static const uint32_t TAU[] = {0x61707865, 0x3120646e, 0x79622d36, 0x6b206574};

193,282✔

251

   static const uint32_t SIGMA[] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};

193,282✔

253

   m_state[4] = m_key[0];

193,282✔

254

   m_state[5] = m_key[1];

193,282✔

255

   m_state[6] = m_key[2];

193,282✔

256

   m_state[7] = m_key[3];

193,282✔

258

   if(m_key.size() == 4) {

193,282✔

259

      m_state[0] = TAU[0];

210✔

260

      m_state[1] = TAU[1];

210✔

261

      m_state[2] = TAU[2];

210✔

262

      m_state[3] = TAU[3];

210✔

264

      m_state[8] = m_key[0];

210✔

265

      m_state[9] = m_key[1];

210✔

266

      m_state[10] = m_key[2];

210✔

267

      m_state[11] = m_key[3];

210✔

269

      m_state[0] = SIGMA[0];

193,072✔

270

      m_state[1] = SIGMA[1];

193,072✔

271

      m_state[2] = SIGMA[2];

193,072✔

272

      m_state[3] = SIGMA[3];

193,072✔

274

      m_state[8] = m_key[4];

193,072✔

275

      m_state[9] = m_key[5];

193,072✔

276

      m_state[10] = m_key[6];

193,072✔

277

      m_state[11] = m_key[7];

193,072✔

280

   m_state[12] = 0;

193,282✔

281

   m_state[13] = 0;

193,282✔

282

   m_state[14] = 0;

193,282✔

283

   m_state[15] = 0;

193,282✔

285

   m_position = 0;

193,282✔

286

193,282✔

288

bool ChaCha::has_keying_material() const {

645,167✔

289

   return !m_state.empty();

645,167✔

292

size_t ChaCha::buffer_size() const {

324✔

293

   return 64;

324✔

299

void ChaCha::key_schedule(std::span<const uint8_t> key) {

86,674✔

300

   m_key.resize(key.size() / 4);

86,674✔

301

   load_le<uint32_t>(m_key.data(), key.data(), m_key.size());

86,674✔

303

   m_state.resize(16);

86,674✔

305

   const size_t chacha_block = 64;

86,674✔

306

   m_buffer.resize(parallelism() * chacha_block);

86,674✔

308

   set_iv(nullptr, 0);

86,674✔

309

86,674✔

311

size_t ChaCha::default_iv_length() const {

648✔

312

   return 24;

648✔

315

Key_Length_Specification ChaCha::key_spec() const {

87,323✔

316

   return Key_Length_Specification(16, 32, 16);

87,323✔

319

std::unique_ptr<StreamCipher> ChaCha::new_object() const {

324✔

320

   return std::make_unique<ChaCha>(m_rounds);

324✔

323

bool ChaCha::valid_iv_length(size_t iv_len) const {

194,579✔

324

   return (iv_len == 0 || iv_len == 8 || iv_len == 12 || iv_len == 24);

973✔

327

void ChaCha::set_iv_bytes(const uint8_t iv[], size_t length) {

193,927✔

328

   assert_key_material_set();

193,927✔

330

   if(!valid_iv_length(length)) {

193,606✔

331

      throw Invalid_IV_Length(name(), length);

648✔

334

   initialize_state();

193,282✔

336

   if(length == 0) {

193,282✔

338

      m_state[14] = 0;

86,677✔

339

      m_state[15] = 0;

86,677✔

340

   } else if(length == 8) {

106,605✔

341

      m_state[14] = load_le<uint32_t>(iv, 0);

310✔

342

      m_state[15] = load_le<uint32_t>(iv, 1);

310✔

343

   } else if(length == 12) {

106,295✔

344

      m_state[13] = load_le<uint32_t>(iv, 0);

82,885✔

345

      m_state[14] = load_le<uint32_t>(iv, 1);

82,885✔

346

      m_state[15] = load_le<uint32_t>(iv, 2);

82,885✔

347

   } else if(length == 24) {

23,410✔

348

      m_state[12] = load_le<uint32_t>(iv, 0);

23,410✔

349

      m_state[13] = load_le<uint32_t>(iv, 1);

23,410✔

350

      m_state[14] = load_le<uint32_t>(iv, 2);

23,410✔

351

      m_state[15] = load_le<uint32_t>(iv, 3);

23,410✔

353

      secure_vector<uint32_t> hc(8);

23,410✔

354

      hchacha(hc.data(), m_state.data(), m_rounds);

23,410✔

356

      m_state[4] = hc[0];

23,410✔

357

      m_state[5] = hc[1];

23,410✔

358

      m_state[6] = hc[2];

23,410✔

359

      m_state[7] = hc[3];

23,410✔

360

      m_state[8] = hc[4];

23,410✔

361

      m_state[9] = hc[5];

23,410✔

362

      m_state[10] = hc[6];

23,410✔

363

      m_state[11] = hc[7];

23,410✔

364

      m_state[12] = 0;

23,410✔

365

      m_state[13] = 0;

23,410✔

366

      m_state[14] = load_le<uint32_t>(iv, 4);

23,410✔

367

      m_state[15] = load_le<uint32_t>(iv, 5);

23,410✔

368

23,410✔

370

   chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);

193,282✔

371

   m_position = 0;

193,282✔

372

193,282✔

374

void ChaCha::clear() {

3,476✔

375

   zap(m_key);

3,476✔

376

   zap(m_state);

3,476✔

377

   zap(m_buffer);

3,476✔

378

   m_position = 0;

3,476✔

379

3,476✔

381

std::string ChaCha::name() const {

7,316✔

382

   return fmt("ChaCha({})", m_rounds);

7,316✔

385

void ChaCha::seek(uint64_t offset) {

1,215✔

386

   assert_key_material_set();

1,215✔

389

   const uint64_t counter = offset / 64;

891✔

391

   uint8_t out[8];

891✔

393

   store_le(counter, out);

891✔

395

   m_state[12] = load_le<uint32_t>(out, 0);

891✔

396

   m_state[13] += load_le<uint32_t>(out, 1);

891✔

398

   chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);

891✔

399

   m_position = offset % 64;

891✔

400

891✔

randombit / botan / 13535848071

Source File
Press 'n' to go to next uncovered line, 'b' for previous

1	/*
2	* ChaCha
3	* (C) 2014,2018,2023 Jack Lloyd
4	*
5	* Botan is released under the Simplified BSD License (see license.txt)
6	*/
7
8	#include <botan/internal/chacha.h>
9
10	#include <botan/exceptn.h>
11	#include <botan/internal/fmt.h>
12	#include <botan/internal/loadstor.h>
13	#include <botan/internal/rotate.h>
14
15	#if defined(BOTAN_HAS_CPUID)
16	#include <botan/internal/cpuid.h>
17	#endif
18
19	namespace Botan {
20
21	namespace {
22
23	inline void chacha_quarter_round(uint32_t& a, uint32_t& b, uint32_t& c, uint32_t& d) {	2,216,096✔
24	a += b;	2,216,096✔
25	d ^= a;	2,216,096✔
26	d = rotl<16>(d);	2,216,096✔
27	c += d;	2,216,096✔
28	b ^= c;	2,216,096✔
29	b = rotl<12>(b);	2,216,096✔
30	a += b;	2,216,096✔
31	d ^= a;	2,216,096✔
32	d = rotl<8>(d);	2,216,096✔
33	c += d;	2,216,096✔
34	b ^= c;	2,216,096✔
35	b = rotl<7>(b);	2,216,096✔
36	}	2,216,096✔
37
38	/*
39	* Generate HChaCha cipher stream (for XChaCha IV setup)
40	*/
41	void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds) {	23,410✔
42	BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");	23,410✔
43
44	uint32_t x00 = input[0], x01 = input[1], x02 = input[2], x03 = input[3], x04 = input[4], x05 = input[5],	23,410✔
45	x06 = input[6], x07 = input[7], x08 = input[8], x09 = input[9], x10 = input[10], x11 = input[11],	23,410✔
46	x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15];	23,410✔
47
48	for(size_t i = 0; i != rounds / 2; ++i) {	257,510✔
49	chacha_quarter_round(x00, x04, x08, x12);	234,100✔
50	chacha_quarter_round(x01, x05, x09, x13);	234,100✔
51	chacha_quarter_round(x02, x06, x10, x14);	234,100✔
52	chacha_quarter_round(x03, x07, x11, x15);	234,100✔
53
54	chacha_quarter_round(x00, x05, x10, x15);	234,100✔
55	chacha_quarter_round(x01, x06, x11, x12);	234,100✔
56	chacha_quarter_round(x02, x07, x08, x13);	234,100✔
57	chacha_quarter_round(x03, x04, x09, x14);	234,100✔
58	}
59
60	output[0] = x00;	23,410✔
61	output[1] = x01;	23,410✔
62	output[2] = x02;	23,410✔
63	output[3] = x03;	23,410✔
64	output[4] = x12;	23,410✔
65	output[5] = x13;	23,410✔
66	output[6] = x14;	23,410✔
67	output[7] = x15;	23,410✔
68	}	23,410✔
69
70	} // namespace
71
72	ChaCha::ChaCha(size_t rounds) : m_rounds(rounds) {	16,315✔
73	BOTAN_ARG_CHECK(m_rounds == 8 \|\| m_rounds == 12 \|\| m_rounds == 20, "ChaCha only supports 8, 12 or 20 rounds");	16,315✔
74	}	16,315✔
75
76	size_t ChaCha::parallelism() {	86,674✔
77	#if defined(BOTAN_HAS_CHACHA_AVX512)
78	if(CPUID::has_avx512()) {	86,674✔
79	return 16;
80	}
81	#endif
82
83	#if defined(BOTAN_HAS_CHACHA_AVX2)
84	if(CPUID::has_avx2()) {	86,674✔
85	return 8;	86,024✔
86	}
87	#endif
88
89	return 4;
90	}
91
92	std::string ChaCha::provider() const {	325✔
93	#if defined(BOTAN_HAS_CHACHA_AVX512)
94	if(CPUID::has_avx512()) {	325✔
95	return "avx512";	×
96	}
97	#endif
98
99	#if defined(BOTAN_HAS_CHACHA_AVX2)
100	if(CPUID::has_avx2()) {	325✔
101	return "avx2";	109✔
102	}
103	#endif
104
105	#if defined(BOTAN_HAS_CHACHA_SIMD32)
106	if(CPUID::has_simd_32()) {	216✔
107	return "simd32";	108✔
108	}
109	#endif
110
111	return "base";	108✔
112	}
113
114	void ChaCha::chacha(uint8_t output[], size_t output_blocks, uint32_t state[16], size_t rounds) {	221,229✔
115	BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");	221,229✔
116
117	#if defined(BOTAN_HAS_CHACHA_AVX512)
118	if(CPUID::has_avx512()) {	221,229✔
119	while(output_blocks >= 16) {	×
120	ChaCha::chacha_avx512_x16(output, state, rounds);	×
121	output += 16 * 64;	×
122	output_blocks -= 16;	×
123	}
124	}
125	#endif
126
127	#if defined(BOTAN_HAS_CHACHA_AVX2)
128	if(CPUID::has_avx2()) {	221,229✔
129	while(output_blocks >= 8) {	437,794✔
130	ChaCha::chacha_avx2_x8(output, state, rounds);	218,897✔
131	output += 8 * 64;	218,897✔
132	output_blocks -= 8;	218,897✔
133	}
134	}
135	#endif
136
137	#if defined(BOTAN_HAS_CHACHA_SIMD32)
138	if(CPUID::has_simd_32()) {	221,229✔
139	while(output_blocks >= 4) {	221,229✔
140	ChaCha::chacha_simd32_x4(output, state, rounds);	1,166✔
141	output += 4 * 64;	1,166✔
142	output_blocks -= 4;	1,166✔
143	}
144	}
145	#endif
146
147	// TODO interleave rounds
148	for(size_t i = 0; i != output_blocks; ++i) {	225,893✔
149	uint32_t x00 = state[0], x01 = state[1], x02 = state[2], x03 = state[3], x04 = state[4], x05 = state[5],	4,664✔
150	x06 = state[6], x07 = state[7], x08 = state[8], x09 = state[9], x10 = state[10], x11 = state[11],	4,664✔
151	x12 = state[12], x13 = state[13], x14 = state[14], x15 = state[15];	4,664✔
152
153	for(size_t r = 0; r != rounds / 2; ++r) {	47,576✔
154	chacha_quarter_round(x00, x04, x08, x12);	42,912✔
155	chacha_quarter_round(x01, x05, x09, x13);	42,912✔
156	chacha_quarter_round(x02, x06, x10, x14);	42,912✔
157	chacha_quarter_round(x03, x07, x11, x15);	42,912✔
158
159	chacha_quarter_round(x00, x05, x10, x15);	42,912✔
160	chacha_quarter_round(x01, x06, x11, x12);	42,912✔
161	chacha_quarter_round(x02, x07, x08, x13);	42,912✔
162	chacha_quarter_round(x03, x04, x09, x14);	42,912✔
163	}
164
165	x00 += state[0];	4,664✔
166	x01 += state[1];	4,664✔
167	x02 += state[2];	4,664✔
168	x03 += state[3];	4,664✔
169	x04 += state[4];	4,664✔
170	x05 += state[5];	4,664✔
171	x06 += state[6];	4,664✔
172	x07 += state[7];	4,664✔
173	x08 += state[8];	4,664✔
174	x09 += state[9];	4,664✔
175	x10 += state[10];	4,664✔
176	x11 += state[11];	4,664✔
177	x12 += state[12];	4,664✔
178	x13 += state[13];	4,664✔
179	x14 += state[14];	4,664✔
180	x15 += state[15];	4,664✔
181
182	store_le(x00, output + 64 * i + 4 * 0);	4,664✔
183	store_le(x01, output + 64 * i + 4 * 1);	4,664✔
184	store_le(x02, output + 64 * i + 4 * 2);	4,664✔
185	store_le(x03, output + 64 * i + 4 * 3);	4,664✔
186	store_le(x04, output + 64 * i + 4 * 4);	4,664✔
187	store_le(x05, output + 64 * i + 4 * 5);	4,664✔
188	store_le(x06, output + 64 * i + 4 * 6);	4,664✔
189	store_le(x07, output + 64 * i + 4 * 7);	4,664✔
190	store_le(x08, output + 64 * i + 4 * 8);	4,664✔
191	store_le(x09, output + 64 * i + 4 * 9);	4,664✔
192	store_le(x10, output + 64 * i + 4 * 10);	4,664✔
193	store_le(x11, output + 64 * i + 4 * 11);	4,664✔
194	store_le(x12, output + 64 * i + 4 * 12);	4,664✔
195	store_le(x13, output + 64 * i + 4 * 13);	4,664✔
196	store_le(x14, output + 64 * i + 4 * 14);	4,664✔
197	store_le(x15, output + 64 * i + 4 * 15);	4,664✔
198
199	state[12]++;	4,664✔
200	state[13] += (state[12] == 0);	4,664✔
201	}
202	}	221,229✔
203
204	/*
205	* Combine cipher stream with message
206	*/
207	void ChaCha::cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) {	285,362✔
208	assert_key_material_set();	285,362✔
209
210	while(length >= m_buffer.size() - m_position) {	570,955✔
211	const size_t available = m_buffer.size() - m_position;	5,604✔
212
213	xor_buf(out, in, &m_buffer[m_position], available);	5,604✔
214	chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);	5,604✔
215
216	length -= available;	5,604✔
217	in += available;	5,604✔
218	out += available;	5,604✔
219	m_position = 0;	5,604✔
220	}
221
222	xor_buf(out, in, &m_buffer[m_position], length);	279,989✔
223
224	m_position += length;	279,989✔
225	}	279,989✔
226
227	void ChaCha::generate_keystream(uint8_t out[], size_t length) {	152,342✔
228	assert_key_material_set();	152,342✔
229
230	while(length >= m_buffer.size() - m_position) {	326,136✔
231	const size_t available = m_buffer.size() - m_position;	21,452✔
232
233	// TODO: this could write directly to the output buffer
234	// instead of bouncing it through m_buffer first
235	copy_mem(out, &m_buffer[m_position], available);	21,452✔
236	chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);	21,452✔
237
238	length -= available;	21,452✔
239	out += available;	21,452✔
240	m_position = 0;	21,452✔
241	}
242
243	copy_mem(out, &m_buffer[m_position], length);	152,342✔
244
245	m_position += length;	152,342✔
246	}	152,342✔
247
248	void ChaCha::initialize_state() {	193,282✔
249	static const uint32_t TAU[] = {0x61707865, 0x3120646e, 0x79622d36, 0x6b206574};	193,282✔
250
251	static const uint32_t SIGMA[] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};	193,282✔
252
253	m_state[4] = m_key[0];	193,282✔
254	m_state[5] = m_key[1];	193,282✔
255	m_state[6] = m_key[2];	193,282✔
256	m_state[7] = m_key[3];	193,282✔
257
258	if(m_key.size() == 4) {	193,282✔
259	m_state[0] = TAU[0];	210✔
260	m_state[1] = TAU[1];	210✔
261	m_state[2] = TAU[2];	210✔
262	m_state[3] = TAU[3];	210✔
263
264	m_state[8] = m_key[0];	210✔
265	m_state[9] = m_key[1];	210✔
266	m_state[10] = m_key[2];	210✔
267	m_state[11] = m_key[3];	210✔
268	} else {
269	m_state[0] = SIGMA[0];	193,072✔
270	m_state[1] = SIGMA[1];	193,072✔
271	m_state[2] = SIGMA[2];	193,072✔
272	m_state[3] = SIGMA[3];	193,072✔
273
274	m_state[8] = m_key[4];	193,072✔
275	m_state[9] = m_key[5];	193,072✔
276	m_state[10] = m_key[6];	193,072✔
277	m_state[11] = m_key[7];	193,072✔
278	}
279
280	m_state[12] = 0;	193,282✔
281	m_state[13] = 0;	193,282✔
282	m_state[14] = 0;	193,282✔
283	m_state[15] = 0;	193,282✔
284
285	m_position = 0;	193,282✔
286	}	193,282✔
287
288	bool ChaCha::has_keying_material() const {	645,167✔
289	return !m_state.empty();	645,167✔
290	}
291
292	size_t ChaCha::buffer_size() const {	324✔
293	return 64;	324✔
294	}
295
296	/*
297	* ChaCha Key Schedule
298	*/
299	void ChaCha::key_schedule(std::span<const uint8_t> key) {	86,674✔
300	m_key.resize(key.size() / 4);	86,674✔
301	load_le<uint32_t>(m_key.data(), key.data(), m_key.size());	86,674✔
302
303	m_state.resize(16);	86,674✔
304
305	const size_t chacha_block = 64;	86,674✔
306	m_buffer.resize(parallelism() * chacha_block);	86,674✔
307
308	set_iv(nullptr, 0);	86,674✔
309	}	86,674✔
310
311	size_t ChaCha::default_iv_length() const {	648✔
312	return 24;	648✔
313	}
314
315	Key_Length_Specification ChaCha::key_spec() const {	87,323✔
316	return Key_Length_Specification(16, 32, 16);	87,323✔
317	}
318
319	std::unique_ptr<StreamCipher> ChaCha::new_object() const {	324✔
320	return std::make_unique<ChaCha>(m_rounds);	324✔
321	}
322
323	bool ChaCha::valid_iv_length(size_t iv_len) const {	194,579✔
324	return (iv_len == 0 \|\| iv_len == 8 \|\| iv_len == 12 \|\| iv_len == 24);	973✔
325	}
326
327	void ChaCha::set_iv_bytes(const uint8_t iv[], size_t length) {	193,927✔
328	assert_key_material_set();	193,927✔
329
330	if(!valid_iv_length(length)) {	193,606✔
331	throw Invalid_IV_Length(name(), length);	648✔
332	}
333
334	initialize_state();	193,282✔
335
336	if(length == 0) {	193,282✔
337	// Treat zero length IV same as an all-zero IV
338	m_state[14] = 0;	86,677✔
339	m_state[15] = 0;	86,677✔
340	} else if(length == 8) {	106,605✔
341	m_state[14] = load_le<uint32_t>(iv, 0);	310✔
342	m_state[15] = load_le<uint32_t>(iv, 1);	310✔
343	} else if(length == 12) {	106,295✔
344	m_state[13] = load_le<uint32_t>(iv, 0);	82,885✔
345	m_state[14] = load_le<uint32_t>(iv, 1);	82,885✔
346	m_state[15] = load_le<uint32_t>(iv, 2);	82,885✔
347	} else if(length == 24) {	23,410✔
348	m_state[12] = load_le<uint32_t>(iv, 0);	23,410✔
349	m_state[13] = load_le<uint32_t>(iv, 1);	23,410✔
350	m_state[14] = load_le<uint32_t>(iv, 2);	23,410✔
351	m_state[15] = load_le<uint32_t>(iv, 3);	23,410✔
352
353	secure_vector<uint32_t> hc(8);	23,410✔
354	hchacha(hc.data(), m_state.data(), m_rounds);	23,410✔
355
356	m_state[4] = hc[0];	23,410✔
357	m_state[5] = hc[1];	23,410✔
358	m_state[6] = hc[2];	23,410✔
359	m_state[7] = hc[3];	23,410✔
360	m_state[8] = hc[4];	23,410✔
361	m_state[9] = hc[5];	23,410✔
362	m_state[10] = hc[6];	23,410✔
363	m_state[11] = hc[7];	23,410✔
364	m_state[12] = 0;	23,410✔
365	m_state[13] = 0;	23,410✔
366	m_state[14] = load_le<uint32_t>(iv, 4);	23,410✔
367	m_state[15] = load_le<uint32_t>(iv, 5);	23,410✔
368	}	23,410✔
369
370	chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);	193,282✔
371	m_position = 0;	193,282✔
372	}	193,282✔
373
374	void ChaCha::clear() {	3,476✔
375	zap(m_key);	3,476✔
376	zap(m_state);	3,476✔
377	zap(m_buffer);	3,476✔
378	m_position = 0;	3,476✔
379	}	3,476✔
380
381	std::string ChaCha::name() const {	7,316✔
382	return fmt("ChaCha({})", m_rounds);	7,316✔
383	}
384
385	void ChaCha::seek(uint64_t offset) {	1,215✔
386	assert_key_material_set();	1,215✔
387
388	// Find the block offset
389	const uint64_t counter = offset / 64;	891✔
390
391	uint8_t out[8];	891✔
392
393	store_le(counter, out);	891✔
394
395	m_state[12] = load_le<uint32_t>(out, 0);	891✔
396	m_state[13] += load_le<uint32_t>(out, 1);	891✔
397
398	chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);	891✔
399	m_position = offset % 64;	891✔
400	}	891✔
401	} // namespace Botan

randombit / botan / 13535848071

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous