/src/botan/src/lib/stream/chacha/chacha.cpp

Source
/*
* ChaCha
* (C) 2014,2018,2023 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/internal/chacha.h>

#include <botan/exceptn.h>
#include <botan/internal/fmt.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/rotate.h>

#if defined(BOTAN_HAS_CPUID)
   #include <botan/internal/cpuid.h>
#endif

namespace Botan {

namespace {

inline void chacha_quarter_round(uint32_t& a, uint32_t& b, uint32_t& c, uint32_t& d) {
   a += b;
   d ^= a;
   d = rotl<16>(d);
   c += d;
   b ^= c;
   b = rotl<12>(b);
   a += b;
   d ^= a;
   d = rotl<8>(d);
   c += d;
   b ^= c;
   b = rotl<7>(b);
}

/*
* Generate HChaCha cipher stream (for XChaCha IV setup)
*/
void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds) {
   BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");

   uint32_t x00 = input[0];
   uint32_t x01 = input[1];
   uint32_t x02 = input[2];
   uint32_t x03 = input[3];
   uint32_t x04 = input[4];
   uint32_t x05 = input[5];
   uint32_t x06 = input[6];
   uint32_t x07 = input[7];
   uint32_t x08 = input[8];
   uint32_t x09 = input[9];
   uint32_t x10 = input[10];
   uint32_t x11 = input[11];
   uint32_t x12 = input[12];
   uint32_t x13 = input[13];
   uint32_t x14 = input[14];
   uint32_t x15 = input[15];

   for(size_t i = 0; i != rounds / 2; ++i) {
      chacha_quarter_round(x00, x04, x08, x12);
      chacha_quarter_round(x01, x05, x09, x13);
      chacha_quarter_round(x02, x06, x10, x14);
      chacha_quarter_round(x03, x07, x11, x15);

      chacha_quarter_round(x00, x05, x10, x15);
      chacha_quarter_round(x01, x06, x11, x12);
      chacha_quarter_round(x02, x07, x08, x13);
      chacha_quarter_round(x03, x04, x09, x14);
   }

   output[0] = x00;
   output[1] = x01;
   output[2] = x02;
   output[3] = x03;
   output[4] = x12;
   output[5] = x13;
   output[6] = x14;
   output[7] = x15;
}

}  // namespace

ChaCha::ChaCha(size_t rounds) : m_rounds(rounds) {
   BOTAN_ARG_CHECK(m_rounds == 8 || m_rounds == 12 || m_rounds == 20, "ChaCha only supports 8, 12 or 20 rounds");
}

size_t ChaCha::parallelism() {
#if defined(BOTAN_HAS_CHACHA_AVX512)
   if(CPUID::has(CPUID::Feature::AVX512)) {
      return 16;
   }
#endif

#if defined(BOTAN_HAS_CHACHA_AVX2)
   if(CPUID::has(CPUID::Feature::AVX2)) {
      return 8;
   }
#endif

   return 4;
}

std::string ChaCha::provider() const {
#if defined(BOTAN_HAS_CHACHA_AVX512)
   if(auto feat = CPUID::check(CPUID::Feature::AVX512)) {
      return *feat;
   }
#endif

#if defined(BOTAN_HAS_CHACHA_AVX2)
   if(auto feat = CPUID::check(CPUID::Feature::AVX2)) {
      return *feat;
   }
#endif

#if defined(BOTAN_HAS_CHACHA_SIMD32)
   if(auto feat = CPUID::check(CPUID::Feature::SIMD_4X32)) {
      return *feat;
   }
#endif

   return "base";
}

void ChaCha::chacha(uint8_t output[], size_t output_blocks, uint32_t state[16], size_t rounds) {
   BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");

#if defined(BOTAN_HAS_CHACHA_AVX512)
   if(CPUID::has(CPUID::Feature::AVX512)) {
      while(output_blocks >= 16) {
         ChaCha::chacha_avx512_x16(output, state, rounds);
         output += 16 * 64;
         output_blocks -= 16;
      }
   }
#endif

#if defined(BOTAN_HAS_CHACHA_AVX2)
   if(CPUID::has(CPUID::Feature::AVX2)) {
      while(output_blocks >= 8) {
         ChaCha::chacha_avx2_x8(output, state, rounds);
         output += 8 * 64;
         output_blocks -= 8;
      }
   }
#endif

#if defined(BOTAN_HAS_CHACHA_SIMD32)
   if(CPUID::has(CPUID::Feature::SIMD_4X32)) {
      while(output_blocks >= 4) {
         ChaCha::chacha_simd32_x4(output, state, rounds);
         output += 4 * 64;
         output_blocks -= 4;
      }
   }
#endif

   // TODO interleave rounds
   for(size_t i = 0; i != output_blocks; ++i) {
      uint32_t x00 = state[0];
      uint32_t x01 = state[1];
      uint32_t x02 = state[2];
      uint32_t x03 = state[3];
      uint32_t x04 = state[4];
      uint32_t x05 = state[5];
      uint32_t x06 = state[6];
      uint32_t x07 = state[7];
      uint32_t x08 = state[8];
      uint32_t x09 = state[9];
      uint32_t x10 = state[10];
      uint32_t x11 = state[11];
      uint32_t x12 = state[12];
      uint32_t x13 = state[13];
      uint32_t x14 = state[14];
      uint32_t x15 = state[15];

      for(size_t r = 0; r != rounds / 2; ++r) {
         chacha_quarter_round(x00, x04, x08, x12);
         chacha_quarter_round(x01, x05, x09, x13);
         chacha_quarter_round(x02, x06, x10, x14);
         chacha_quarter_round(x03, x07, x11, x15);

         chacha_quarter_round(x00, x05, x10, x15);
         chacha_quarter_round(x01, x06, x11, x12);
         chacha_quarter_round(x02, x07, x08, x13);
         chacha_quarter_round(x03, x04, x09, x14);
      }

      x00 += state[0];
      x01 += state[1];
      x02 += state[2];
      x03 += state[3];
      x04 += state[4];
      x05 += state[5];
      x06 += state[6];
      x07 += state[7];
      x08 += state[8];
      x09 += state[9];
      x10 += state[10];
      x11 += state[11];
      x12 += state[12];
      x13 += state[13];
      x14 += state[14];
      x15 += state[15];

      store_le(x00, output + 64 * i + 4 * 0);
      store_le(x01, output + 64 * i + 4 * 1);
      store_le(x02, output + 64 * i + 4 * 2);
      store_le(x03, output + 64 * i + 4 * 3);
      store_le(x04, output + 64 * i + 4 * 4);
      store_le(x05, output + 64 * i + 4 * 5);
      store_le(x06, output + 64 * i + 4 * 6);
      store_le(x07, output + 64 * i + 4 * 7);
      store_le(x08, output + 64 * i + 4 * 8);
      store_le(x09, output + 64 * i + 4 * 9);
      store_le(x10, output + 64 * i + 4 * 10);
      store_le(x11, output + 64 * i + 4 * 11);
      store_le(x12, output + 64 * i + 4 * 12);
      store_le(x13, output + 64 * i + 4 * 13);
      store_le(x14, output + 64 * i + 4 * 14);
      store_le(x15, output + 64 * i + 4 * 15);

      state[12]++;
      if(state[12] == 0) {
         state[13] += 1;
      }
   }
}

/*
* Combine cipher stream with message
*/
void ChaCha::cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) {
   assert_key_material_set();

   while(length >= m_buffer.size() - m_position) {
      const size_t available = m_buffer.size() - m_position;

      xor_buf(out, in, &m_buffer[m_position], available);
      chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);

      length -= available;
      in += available;
      out += available;
      m_position = 0;
   }

   xor_buf(out, in, &m_buffer[m_position], length);

   m_position += length;
}

void ChaCha::generate_keystream(uint8_t out[], size_t length) {
   assert_key_material_set();

   while(length >= m_buffer.size() - m_position) {
      const size_t available = m_buffer.size() - m_position;

      // TODO: this could write directly to the output buffer
      // instead of bouncing it through m_buffer first
      copy_mem(out, &m_buffer[m_position], available);
      chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);

      length -= available;
      out += available;
      m_position = 0;
   }

   copy_mem(out, &m_buffer[m_position], length);

   m_position += length;
}

void ChaCha::initialize_state() {
   static const uint32_t TAU[] = {0x61707865, 0x3120646e, 0x79622d36, 0x6b206574};

   static const uint32_t SIGMA[] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};

   m_state[4] = m_key[0];
   m_state[5] = m_key[1];
   m_state[6] = m_key[2];
   m_state[7] = m_key[3];

   if(m_key.size() == 4) {
      m_state[0] = TAU[0];
      m_state[1] = TAU[1];
      m_state[2] = TAU[2];
      m_state[3] = TAU[3];

      m_state[8] = m_key[0];
      m_state[9] = m_key[1];
      m_state[10] = m_key[2];
      m_state[11] = m_key[3];
   } else {
      m_state[0] = SIGMA[0];
      m_state[1] = SIGMA[1];
      m_state[2] = SIGMA[2];
      m_state[3] = SIGMA[3];

      m_state[8] = m_key[4];
      m_state[9] = m_key[5];
      m_state[10] = m_key[6];
      m_state[11] = m_key[7];
   }

   m_state[12] = 0;
   m_state[13] = 0;
   m_state[14] = 0;
   m_state[15] = 0;

   m_position = 0;
}

bool ChaCha::has_keying_material() const {
   return !m_state.empty();
}

size_t ChaCha::buffer_size() const {
   return 64;
}

/*
* ChaCha Key Schedule
*/
void ChaCha::key_schedule(std::span<const uint8_t> key) {
   m_key.resize(key.size() / 4);
   load_le<uint32_t>(m_key.data(), key.data(), m_key.size());

   m_state.resize(16);

   const size_t chacha_block = 64;
   m_buffer.resize(parallelism() * chacha_block);

   set_iv(nullptr, 0);
}

size_t ChaCha::default_iv_length() const {
   return 24;
}

Key_Length_Specification ChaCha::key_spec() const {
   return Key_Length_Specification(16, 32, 16);
}

std::unique_ptr<StreamCipher> ChaCha::new_object() const {
   return std::make_unique<ChaCha>(m_rounds);
}

bool ChaCha::valid_iv_length(size_t iv_len) const {
   return (iv_len == 0 || iv_len == 8 || iv_len == 12 || iv_len == 24);
}

void ChaCha::set_iv_bytes(const uint8_t iv[], size_t length) {
   assert_key_material_set();

   if(!valid_iv_length(length)) {
      throw Invalid_IV_Length(name(), length);
   }

   initialize_state();

   if(length == 0) {
      // Treat zero length IV same as an all-zero IV
      m_state[14] = 0;
      m_state[15] = 0;
   } else if(length == 8) {
      m_state[14] = load_le<uint32_t>(iv, 0);
      m_state[15] = load_le<uint32_t>(iv, 1);
   } else if(length == 12) {
      m_state[13] = load_le<uint32_t>(iv, 0);
      m_state[14] = load_le<uint32_t>(iv, 1);
      m_state[15] = load_le<uint32_t>(iv, 2);
   } else if(length == 24) {
      m_state[12] = load_le<uint32_t>(iv, 0);
      m_state[13] = load_le<uint32_t>(iv, 1);
      m_state[14] = load_le<uint32_t>(iv, 2);
      m_state[15] = load_le<uint32_t>(iv, 3);

      secure_vector<uint32_t> hc(8);
      hchacha(hc.data(), m_state.data(), m_rounds);

      m_state[4] = hc[0];
      m_state[5] = hc[1];
      m_state[6] = hc[2];
      m_state[7] = hc[3];
      m_state[8] = hc[4];
      m_state[9] = hc[5];
      m_state[10] = hc[6];
      m_state[11] = hc[7];
      m_state[12] = 0;
      m_state[13] = 0;
      m_state[14] = load_le<uint32_t>(iv, 4);
      m_state[15] = load_le<uint32_t>(iv, 5);
   }

   chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
   m_position = 0;
}

void ChaCha::clear() {
   zap(m_key);
   zap(m_state);
   zap(m_buffer);
   m_position = 0;
}

std::string ChaCha::name() const {
   return fmt("ChaCha({})", m_rounds);
}

void ChaCha::seek(uint64_t offset) {
   assert_key_material_set();

   // Find the block offset
   const uint64_t counter = offset / 64;

   uint8_t out[8];

   store_le(counter, out);

   m_state[12] = load_le<uint32_t>(out, 0);
   m_state[13] += load_le<uint32_t>(out, 1);

   chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
   m_position = offset % 64;
}
}  // namespace Botan

Coverage Report

Created: 2025-12-31 06:16

Line	Count	Source
1		/*
2		* ChaCha
3		* (C) 2014,2018,2023 Jack Lloyd
4		*
5		* Botan is released under the Simplified BSD License (see license.txt)
6		*/
7
8		#include <botan/internal/chacha.h>
9
10		#include <botan/exceptn.h>
11		#include <botan/internal/fmt.h>
12		#include <botan/internal/loadstor.h>
13		#include <botan/internal/rotate.h>
14
15		#if defined(BOTAN_HAS_CPUID)
16		#include <botan/internal/cpuid.h>
17		#endif
18
19		namespace Botan {
20
21		namespace {
22
23	0	inline void chacha_quarter_round(uint32_t& a, uint32_t& b, uint32_t& c, uint32_t& d) {
24	0	a += b;
25	0	d ^= a;
26	0	d = rotl<16>(d);
27	0	c += d;
28	0	b ^= c;
29	0	b = rotl<12>(b);
30	0	a += b;
31	0	d ^= a;
32	0	d = rotl<8>(d);
33	0	c += d;
34	0	b ^= c;
35	0	b = rotl<7>(b);
36	0	}
37
38		/*
39		* Generate HChaCha cipher stream (for XChaCha IV setup)
40		*/
41	0	void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds) {
42	0	BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
43
44	0	uint32_t x00 = input[0];
45	0	uint32_t x01 = input[1];
46	0	uint32_t x02 = input[2];
47	0	uint32_t x03 = input[3];
48	0	uint32_t x04 = input[4];
49	0	uint32_t x05 = input[5];
50	0	uint32_t x06 = input[6];
51	0	uint32_t x07 = input[7];
52	0	uint32_t x08 = input[8];
53	0	uint32_t x09 = input[9];
54	0	uint32_t x10 = input[10];
55	0	uint32_t x11 = input[11];
56	0	uint32_t x12 = input[12];
57	0	uint32_t x13 = input[13];
58	0	uint32_t x14 = input[14];
59	0	uint32_t x15 = input[15];
60
61	0	for(size_t i = 0; i != rounds / 2; ++i) {
62	0	chacha_quarter_round(x00, x04, x08, x12);
63	0	chacha_quarter_round(x01, x05, x09, x13);
64	0	chacha_quarter_round(x02, x06, x10, x14);
65	0	chacha_quarter_round(x03, x07, x11, x15);
66
67	0	chacha_quarter_round(x00, x05, x10, x15);
68	0	chacha_quarter_round(x01, x06, x11, x12);
69	0	chacha_quarter_round(x02, x07, x08, x13);
70	0	chacha_quarter_round(x03, x04, x09, x14);
71	0	}
72
73	0	output[0] = x00;
74	0	output[1] = x01;
75	0	output[2] = x02;
76	0	output[3] = x03;
77	0	output[4] = x12;
78	0	output[5] = x13;
79	0	output[6] = x14;
80	0	output[7] = x15;
81	0	}
82
83		} // namespace
84
85	0	ChaCha::ChaCha(size_t rounds) : m_rounds(rounds) {
86	0	BOTAN_ARG_CHECK(m_rounds == 8 \|\| m_rounds == 12 \|\| m_rounds == 20, "ChaCha only supports 8, 12 or 20 rounds");
87	0	}
88
89	0	size_t ChaCha::parallelism() {
90	0	#if defined(BOTAN_HAS_CHACHA_AVX512)
91	0	if(CPUID::has(CPUID::Feature::AVX512)) {
92	0	return 16;
93	0	}
94	0	#endif
95
96	0	#if defined(BOTAN_HAS_CHACHA_AVX2)
97	0	if(CPUID::has(CPUID::Feature::AVX2)) {
98	0	return 8;
99	0	}
100	0	#endif
101
102	0	return 4;
103	0	}
104
105	0	std::string ChaCha::provider() const {
106	0	#if defined(BOTAN_HAS_CHACHA_AVX512)
107	0	if(auto feat = CPUID::check(CPUID::Feature::AVX512)) {
108	0	return *feat;
109	0	}
110	0	#endif
111
112	0	#if defined(BOTAN_HAS_CHACHA_AVX2)
113	0	if(auto feat = CPUID::check(CPUID::Feature::AVX2)) {
114	0	return *feat;
115	0	}
116	0	#endif
117
118	0	#if defined(BOTAN_HAS_CHACHA_SIMD32)
119	0	if(auto feat = CPUID::check(CPUID::Feature::SIMD_4X32)) {
120	0	return *feat;
121	0	}
122	0	#endif
123
124	0	return "base";
125	0	}
126
127	0	void ChaCha::chacha(uint8_t output[], size_t output_blocks, uint32_t state[16], size_t rounds) {
128	0	BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds");
129
130	0	#if defined(BOTAN_HAS_CHACHA_AVX512)
131	0	if(CPUID::has(CPUID::Feature::AVX512)) {
132	0	while(output_blocks >= 16) {
133	0	ChaCha::chacha_avx512_x16(output, state, rounds);
134	0	output += 16 * 64;
135	0	output_blocks -= 16;
136	0	}
137	0	}
138	0	#endif
139
140	0	#if defined(BOTAN_HAS_CHACHA_AVX2)
141	0	if(CPUID::has(CPUID::Feature::AVX2)) {
142	0	while(output_blocks >= 8) {
143	0	ChaCha::chacha_avx2_x8(output, state, rounds);
144	0	output += 8 * 64;
145	0	output_blocks -= 8;
146	0	}
147	0	}
148	0	#endif
149
150	0	#if defined(BOTAN_HAS_CHACHA_SIMD32)
151	0	if(CPUID::has(CPUID::Feature::SIMD_4X32)) {
152	0	while(output_blocks >= 4) {
153	0	ChaCha::chacha_simd32_x4(output, state, rounds);
154	0	output += 4 * 64;
155	0	output_blocks -= 4;
156	0	}
157	0	}
158	0	#endif
159
160		// TODO interleave rounds
161	0	for(size_t i = 0; i != output_blocks; ++i) {
162	0	uint32_t x00 = state[0];
163	0	uint32_t x01 = state[1];
164	0	uint32_t x02 = state[2];
165	0	uint32_t x03 = state[3];
166	0	uint32_t x04 = state[4];
167	0	uint32_t x05 = state[5];
168	0	uint32_t x06 = state[6];
169	0	uint32_t x07 = state[7];
170	0	uint32_t x08 = state[8];
171	0	uint32_t x09 = state[9];
172	0	uint32_t x10 = state[10];
173	0	uint32_t x11 = state[11];
174	0	uint32_t x12 = state[12];
175	0	uint32_t x13 = state[13];
176	0	uint32_t x14 = state[14];
177	0	uint32_t x15 = state[15];
178
179	0	for(size_t r = 0; r != rounds / 2; ++r) {
180	0	chacha_quarter_round(x00, x04, x08, x12);
181	0	chacha_quarter_round(x01, x05, x09, x13);
182	0	chacha_quarter_round(x02, x06, x10, x14);
183	0	chacha_quarter_round(x03, x07, x11, x15);
184
185	0	chacha_quarter_round(x00, x05, x10, x15);
186	0	chacha_quarter_round(x01, x06, x11, x12);
187	0	chacha_quarter_round(x02, x07, x08, x13);
188	0	chacha_quarter_round(x03, x04, x09, x14);
189	0	}
190
191	0	x00 += state[0];
192	0	x01 += state[1];
193	0	x02 += state[2];
194	0	x03 += state[3];
195	0	x04 += state[4];
196	0	x05 += state[5];
197	0	x06 += state[6];
198	0	x07 += state[7];
199	0	x08 += state[8];
200	0	x09 += state[9];
201	0	x10 += state[10];
202	0	x11 += state[11];
203	0	x12 += state[12];
204	0	x13 += state[13];
205	0	x14 += state[14];
206	0	x15 += state[15];
207
208	0	store_le(x00, output + 64 * i + 4 * 0);
209	0	store_le(x01, output + 64 * i + 4 * 1);
210	0	store_le(x02, output + 64 * i + 4 * 2);
211	0	store_le(x03, output + 64 * i + 4 * 3);
212	0	store_le(x04, output + 64 * i + 4 * 4);
213	0	store_le(x05, output + 64 * i + 4 * 5);
214	0	store_le(x06, output + 64 * i + 4 * 6);
215	0	store_le(x07, output + 64 * i + 4 * 7);
216	0	store_le(x08, output + 64 * i + 4 * 8);
217	0	store_le(x09, output + 64 * i + 4 * 9);
218	0	store_le(x10, output + 64 * i + 4 * 10);
219	0	store_le(x11, output + 64 * i + 4 * 11);
220	0	store_le(x12, output + 64 * i + 4 * 12);
221	0	store_le(x13, output + 64 * i + 4 * 13);
222	0	store_le(x14, output + 64 * i + 4 * 14);
223	0	store_le(x15, output + 64 * i + 4 * 15);
224
225	0	state[12]++;
226	0	if(state[12] == 0) {
227	0	state[13] += 1;
228	0	}
229	0	}
230	0	}
231
232		/*
233		* Combine cipher stream with message
234		*/
235	0	void ChaCha::cipher_bytes(const uint8_t in[], uint8_t out[], size_t length) {
236	0	assert_key_material_set();
237
238	0	while(length >= m_buffer.size() - m_position) {
239	0	const size_t available = m_buffer.size() - m_position;
240
241	0	xor_buf(out, in, &m_buffer[m_position], available);
242	0	chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
243
244	0	length -= available;
245	0	in += available;
246	0	out += available;
247	0	m_position = 0;
248	0	}
249
250	0	xor_buf(out, in, &m_buffer[m_position], length);
251
252	0	m_position += length;
253	0	}
254
255	0	void ChaCha::generate_keystream(uint8_t out[], size_t length) {
256	0	assert_key_material_set();
257
258	0	while(length >= m_buffer.size() - m_position) {
259	0	const size_t available = m_buffer.size() - m_position;
260
261		// TODO: this could write directly to the output buffer
262		// instead of bouncing it through m_buffer first
263	0	copy_mem(out, &m_buffer[m_position], available);
264	0	chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
265
266	0	length -= available;
267	0	out += available;
268	0	m_position = 0;
269	0	}
270
271	0	copy_mem(out, &m_buffer[m_position], length);
272
273	0	m_position += length;
274	0	}
275
276	0	void ChaCha::initialize_state() {
277	0	static const uint32_t TAU[] = {0x61707865, 0x3120646e, 0x79622d36, 0x6b206574};
278
279	0	static const uint32_t SIGMA[] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};
280
281	0	m_state[4] = m_key[0];
282	0	m_state[5] = m_key[1];
283	0	m_state[6] = m_key[2];
284	0	m_state[7] = m_key[3];
285
286	0	if(m_key.size() == 4) {
287	0	m_state[0] = TAU[0];
288	0	m_state[1] = TAU[1];
289	0	m_state[2] = TAU[2];
290	0	m_state[3] = TAU[3];
291
292	0	m_state[8] = m_key[0];
293	0	m_state[9] = m_key[1];
294	0	m_state[10] = m_key[2];
295	0	m_state[11] = m_key[3];
296	0	} else {
297	0	m_state[0] = SIGMA[0];
298	0	m_state[1] = SIGMA[1];
299	0	m_state[2] = SIGMA[2];
300	0	m_state[3] = SIGMA[3];
301
302	0	m_state[8] = m_key[4];
303	0	m_state[9] = m_key[5];
304	0	m_state[10] = m_key[6];
305	0	m_state[11] = m_key[7];
306	0	}
307
308	0	m_state[12] = 0;
309	0	m_state[13] = 0;
310	0	m_state[14] = 0;
311	0	m_state[15] = 0;
312
313	0	m_position = 0;
314	0	}
315
316	0	bool ChaCha::has_keying_material() const {
317	0	return !m_state.empty();
318	0	}
319
320	0	size_t ChaCha::buffer_size() const {
321	0	return 64;
322	0	}
323
324		/*
325		* ChaCha Key Schedule
326		*/
327	0	void ChaCha::key_schedule(std::span<const uint8_t> key) {
328	0	m_key.resize(key.size() / 4);
329	0	load_le<uint32_t>(m_key.data(), key.data(), m_key.size());
330
331	0	m_state.resize(16);
332
333	0	const size_t chacha_block = 64;
334	0	m_buffer.resize(parallelism() * chacha_block);
335
336	0	set_iv(nullptr, 0);
337	0	}
338
339	0	size_t ChaCha::default_iv_length() const {
340	0	return 24;
341	0	}
342
343	0	Key_Length_Specification ChaCha::key_spec() const {
344	0	return Key_Length_Specification(16, 32, 16);
345	0	}
346
347	0	std::unique_ptr<StreamCipher> ChaCha::new_object() const {
348	0	return std::make_unique<ChaCha>(m_rounds);
349	0	}
350
351	0	bool ChaCha::valid_iv_length(size_t iv_len) const {
352	0	return (iv_len == 0 \|\| iv_len == 8 \|\| iv_len == 12 \|\| iv_len == 24);
353	0	}
354
355	0	void ChaCha::set_iv_bytes(const uint8_t iv[], size_t length) {
356	0	assert_key_material_set();
357
358	0	if(!valid_iv_length(length)) {
359	0	throw Invalid_IV_Length(name(), length);
360	0	}
361
362	0	initialize_state();
363
364	0	if(length == 0) {
365		// Treat zero length IV same as an all-zero IV
366	0	m_state[14] = 0;
367	0	m_state[15] = 0;
368	0	} else if(length == 8) {
369	0	m_state[14] = load_le<uint32_t>(iv, 0);
370	0	m_state[15] = load_le<uint32_t>(iv, 1);
371	0	} else if(length == 12) {
372	0	m_state[13] = load_le<uint32_t>(iv, 0);
373	0	m_state[14] = load_le<uint32_t>(iv, 1);
374	0	m_state[15] = load_le<uint32_t>(iv, 2);
375	0	} else if(length == 24) {
376	0	m_state[12] = load_le<uint32_t>(iv, 0);
377	0	m_state[13] = load_le<uint32_t>(iv, 1);
378	0	m_state[14] = load_le<uint32_t>(iv, 2);
379	0	m_state[15] = load_le<uint32_t>(iv, 3);
380
381	0	secure_vector<uint32_t> hc(8);
382	0	hchacha(hc.data(), m_state.data(), m_rounds);
383
384	0	m_state[4] = hc[0];
385	0	m_state[5] = hc[1];
386	0	m_state[6] = hc[2];
387	0	m_state[7] = hc[3];
388	0	m_state[8] = hc[4];
389	0	m_state[9] = hc[5];
390	0	m_state[10] = hc[6];
391	0	m_state[11] = hc[7];
392	0	m_state[12] = 0;
393	0	m_state[13] = 0;
394	0	m_state[14] = load_le<uint32_t>(iv, 4);
395	0	m_state[15] = load_le<uint32_t>(iv, 5);
396	0	}
397
398	0	chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
399	0	m_position = 0;
400	0	}
401
402	0	void ChaCha::clear() {
403	0	zap(m_key);
404	0	zap(m_state);
405	0	zap(m_buffer);
406	0	m_position = 0;
407	0	}
408
409	0	std::string ChaCha::name() const {
410	0	return fmt("ChaCha({})", m_rounds);
411	0	}
412
413	0	void ChaCha::seek(uint64_t offset) {
414	0	assert_key_material_set();
415
416		// Find the block offset
417	0	const uint64_t counter = offset / 64;
418
419	0	uint8_t out[8];
420
421	0	store_le(counter, out);
422
423	0	m_state[12] = load_le<uint32_t>(out, 0);
424	0	m_state[13] += load_le<uint32_t>(out, 1);
425
426	0	chacha(m_buffer.data(), m_buffer.size() / 64, m_state.data(), m_rounds);
427	0	m_position = offset % 64;
428	0	}
429		} // namespace Botan