chacha20 0.10.0

The ChaCha20 stream cipher (RFC 8439) implemented in pure Rust using traits from the RustCrypto `cipher` crate, with optional architecture-specific hardware acceleration (AVX2, SSE2). Additionally provides the ChaCha8, ChaCha12, XChaCha20, XChaCha12 and XChaCha8 stream ciphers, and also optional rand_core-compatible RNGs based on those ciphers.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344

#![allow(clippy::cast_possible_truncation, reason = "needs triage")]
#![allow(clippy::undocumented_unsafe_blocks, reason = "TODO")]

use core::fmt;

use rand_core::{
    Infallible, SeedableRng, TryCryptoRng, TryRng,
    block::{BlockRng, Generator},
};

#[cfg(feature = "zeroize")]
use zeroize::{Zeroize, ZeroizeOnDrop};

use crate::{
    ChaChaCore, R8, R12, R20, Rounds, backends,
    variants::{Legacy, Variant},
};

use cfg_if::cfg_if;

/// Seed value used to initialize ChaCha-based RNGs.
pub type Seed = [u8; 32];

/// Serialized RNG state.
pub type SerializedRngState = [u8; 49];

/// Number of 32-bit words per ChaCha block (fixed by algorithm definition).
pub(crate) const BLOCK_WORDS: u8 = 16;

/// Number of blocks generated by RNG core.
const BUF_BLOCKS: u8 = 4;
/// Buffer size in words used by buffered RNG.
const BUFFER_SIZE: usize = (BLOCK_WORDS * BUF_BLOCKS) as usize;

impl<R: Rounds, V: Variant> SeedableRng for ChaChaCore<R, V> {
    type Seed = Seed;

    #[inline]
    fn from_seed(seed: Self::Seed) -> Self {
        ChaChaCore::new_internal(&seed, &[0u8; 8])
    }
}

impl<R: Rounds, V: Variant> Generator for ChaChaCore<R, V> {
    type Output = [u32; BUFFER_SIZE];

    /// Generates 4 blocks in parallel with avx2 & neon, but merely fills
    /// 4 blocks with sse2 & soft
    fn generate(&mut self, buffer: &mut [u32; BUFFER_SIZE]) {
        cfg_if! {
            if #[cfg(chacha20_backend = "soft")] {
                backends::soft::Backend(self).gen_ks_blocks(buffer);
            } else if #[cfg(any(target_arch = "x86", target_arch = "x86_64"))] {
                cfg_if! {
                    // AVX-512 doesn't support RNG, so use AVX-2 instead
                    if #[cfg(any(chacha20_backend = "avx2", chacha20_backend = "avx512"))] {
                        unsafe {
                            backends::avx2::rng_inner::<R, V>(self, buffer);
                        }
                    } else if #[cfg(chacha20_backend = "sse2")] {
                        unsafe {
                            backends::sse2::rng_inner::<R, V>(self, buffer);
                        }
                    } else {
                        #[cfg(chacha20_avx512)]
                        let (_avx512_token, avx2_token, sse2_token) = self.tokens;
                        #[cfg(not(chacha20_avx512))]
                        let (avx2_token, sse2_token) = self.tokens;

                        if avx2_token.get() {
                            unsafe {
                                backends::avx2::rng_inner::<R, V>(self, buffer);
                            }
                        } else if sse2_token.get() {
                            unsafe {
                                backends::sse2::rng_inner::<R, V>(self, buffer);
                            }
                        } else {
                            backends::soft::Backend(self).gen_ks_blocks(buffer);
                        }
                    }
                }
            } else if #[cfg(all(target_arch = "aarch64", target_feature = "neon"))] {
                // SAFETY: we have used conditional compilation to ensure NEON is available
                unsafe {
                    backends::neon::rng_inner::<R, V>(self, buffer);
                }
            } else {
                backends::soft::Backend(self).gen_ks_blocks(buffer);
            }
        }
    }

    // `Drop` impl of `BlockRng` calls this method and passes reference to
    // its internal buffer in `output`. So we zeroize its contents here.
    #[cfg(feature = "zeroize")]
    fn drop(&mut self, output: &mut Self::Output) {
        output.zeroize();
    }
}

macro_rules! impl_chacha_rng {
    ($Rng:ident, $rounds:ident) => {
        /// A cryptographically secure random number generator that uses the ChaCha stream cipher.
        ///
        /// See the [crate docs][crate] for more information about the underlying stream cipher.
        ///
        /// This RNG implementation uses a 64-bit counter and 64-bit stream identifier (a.k.a nonce).
        /// A 64-bit counter over 64-byte (16 word) blocks allows 1 ZiB of output before cycling,
        /// and the stream identifier allows 2<sup>64</sup> unique streams of output per seed.
        /// Both counter and stream are initialized to zero but may be set via the [`set_word_pos`]
        /// and [`set_stream`] methods.
        ///
        /// [`set_word_pos`]: Self::set_word_pos
        /// [`set_stream`]: Self::set_stream
        ///
        /// # Example
        ///
        /// ```rust
        #[doc = concat!("use chacha20::", stringify!($Rng), ";")]
        /// use rand_core::{SeedableRng, Rng};
        ///
        /// let seed = [42u8; 32];
        #[doc = concat!("let mut rng = ", stringify!($Rng), "::from_seed(seed);")]
        ///
        /// let random_u32 = rng.next_u32();
        /// let random_u64 = rng.next_u64();
        ///
        /// let mut random_bytes = [0u8; 3];
        /// rng.fill_bytes(&mut random_bytes);
        /// ```
        ///
        /// See the [`rand`](https://docs.rs/rand/) crate for more advanced RNG functionality.
        pub struct $Rng {
            core: BlockRng<ChaChaCore<$rounds, Legacy>>,
        }

        impl SeedableRng for $Rng {
            type Seed = Seed;

            #[inline]
            fn from_seed(seed: Self::Seed) -> Self {
                let core = ChaChaCore::new_internal(&seed, &[0u8; 8]);
                Self {
                    core: BlockRng::new(core),
                }
            }
        }

        impl TryRng for $Rng {
            type Error = Infallible;

            #[inline]
            fn try_next_u32(&mut self) -> Result<u32, Self::Error> {
                Ok(self.core.next_word())
            }
            #[inline]
            fn try_next_u64(&mut self) -> Result<u64, Self::Error> {
                Ok(self.core.next_u64_from_u32())
            }
            #[inline]
            fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Self::Error> {
                self.core.fill_bytes(dest);
                Ok(())
            }
        }

        impl TryCryptoRng for $Rng {}

        #[cfg(feature = "zeroize")]
        impl ZeroizeOnDrop for $Rng {}

        // We use custom implementation of `PartialEq` because RNG states
        // may buffer different parts of the same keystream, while keeping
        // buffer cursor pointing towards the same keystream point.
        impl PartialEq<$Rng> for $Rng {
            fn eq(&self, rhs: &$Rng) -> bool {
                (self.get_seed() == rhs.get_seed())
                    && (self.get_stream() == rhs.get_stream())
                    && (self.get_word_pos() == rhs.get_word_pos())
            }
        }

        impl Eq for $Rng {}

        // Custom Debug implementation that does not expose the internal state
        impl fmt::Debug for $Rng {
            fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
                write!(f, concat!(stringify!($Rng), " {{ ... }}"))
            }
        }

        impl $Rng {
            /// Get the offset from the start of the stream, in 32-bit words.
            ///
            /// Since the generated blocks are 64 words (2<sup>6</sup>) long and the
            /// counter is 64-bits, the offset is a 68-bit number. Sub-word offsets are
            /// not supported, hence the result can simply be multiplied by 4 to get a
            /// byte-offset.
            #[inline]
            #[must_use]
            pub fn get_word_pos(&self) -> u128 {
                let mut block_counter = (u64::from(self.core.core.state[13]) << 32)
                    | u64::from(self.core.core.state[12]);
                if self.core.word_offset() != 0 {
                    block_counter = block_counter.wrapping_sub(u64::from(BUF_BLOCKS));
                }
                let word_pos = u128::from(block_counter) * u128::from(BLOCK_WORDS)
                    + self.core.word_offset() as u128;
                // eliminate bits above the 68th bit
                word_pos & ((1 << 68) - 1)
            }

            /// Set the offset from the start of the stream, in 32-bit words.
            ///
            /// **This value will be erased when calling `set_stream()`,
            /// so call `set_stream()` before calling `set_word_pos()`**
            /// if you intend on using both of them together.
            ///
            /// As with `get_word_pos`, we use a 68-bit number. Since the generator
            /// simply cycles at the end of its period (1 ZiB), we ignore the upper
            /// 60 bits.
            #[inline]
            pub fn set_word_pos(&mut self, word_offset: u128) {
                let index = (word_offset % u128::from(BLOCK_WORDS)) as usize;
                let counter = word_offset / u128::from(BLOCK_WORDS);
                //self.set_block_pos(counter as u64);
                self.core.core.state[12] = counter as u32;
                self.core.core.state[13] = (counter >> 32) as u32;
                self.core.reset_and_skip(index);
            }

            /// Sets the block pos and resets the RNG's index.
            ///
            /// **This value will be erased when calling `set_stream()`,
            /// so call `set_stream()` before calling `set_block_pos()`**
            /// if you intend on using both of them together.
            ///
            /// The word pos will be equal to `block_pos * 16 words per block`.
            #[inline]
            #[allow(unused)]
            pub fn set_block_pos(&mut self, block_pos: u64) {
                self.core.reset_and_skip(0);
                self.core.core.set_block_pos(block_pos);
            }

            /// Get the block pos.
            #[inline]
            #[allow(unused)]
            #[must_use]
            pub fn get_block_pos(&self) -> u64 {
                let counter = self.core.core.get_block_pos();
                let offset = self.core.word_offset();
                if offset != 0 {
                    counter - u64::from(BUF_BLOCKS) + offset as u64 / 16
                } else {
                    counter
                }
            }

            /// Set the stream ID and reset the `word_pos` to 0.
            #[inline]
            pub fn set_stream(&mut self, stream: u64) {
                self.core.core.state[14] = stream as u32;
                self.core.core.state[15] = (stream >> 32) as u32;
                self.set_block_pos(0);
            }

            /// Get the stream number (nonce).
            #[inline]
            #[must_use]
            pub fn get_stream(&self) -> u64 {
                let mut result = [0u8; 8];
                result[..4].copy_from_slice(&self.core.core.state[14].to_le_bytes());
                result[4..].copy_from_slice(&self.core.core.state[15].to_le_bytes());
                u64::from_le_bytes(result)
            }

            /// Get the RNG seed.
            #[inline]
            #[must_use]
            pub fn get_seed(&self) -> [u8; 32] {
                let seed = &self.core.core.state[4..12];
                let mut result = [0u8; 32];
                for (src, dst) in seed.iter().zip(result.chunks_exact_mut(4)) {
                    dst.copy_from_slice(&src.to_le_bytes())
                }
                result
            }

            /// Serialize RNG state.
            ///
            /// # Warning
            /// Leaking serialized RNG state to an attacker defeats security properties
            /// provided by the RNG.
            #[inline]
            pub fn serialize_state(&self) -> SerializedRngState {
                let seed = self.get_seed();
                let stream = self.get_stream().to_le_bytes();
                let word_pos = self.get_word_pos().to_le_bytes();

                let mut res = [0u8; 49];
                let (seed_dst, res_rem) = res.split_at_mut(32);
                let (stream_dst, word_pos_dst) = res_rem.split_at_mut(8);

                seed_dst.copy_from_slice(&seed);
                stream_dst.copy_from_slice(&stream);
                word_pos_dst.copy_from_slice(&word_pos[..9]);

                debug_assert_eq!(&word_pos[9..], &[0u8; 7]);

                res
            }

            /// Deserialize RNG state.
            #[inline]
            pub fn deserialize_state(state: &SerializedRngState) -> Self {
                let (seed, state_rem) = state.split_at(32);
                let (stream, word_pos_raw) = state_rem.split_at(8);

                let seed: &[u8; 32] = seed.try_into().expect("seed.len() is equal to 32");
                let stream: &[u8; 8] = stream.try_into().expect("stream.len() is equal to 8");

                // Note that we use only 68 bits from `word_pos_raw`, i.e. 4 remaining bits
                // get ignored and should be equal to zero in practice.
                let mut word_pos_buf = [0u8; 16];
                word_pos_buf[..9].copy_from_slice(word_pos_raw);
                let word_pos = u128::from_le_bytes(word_pos_buf);

                let core = ChaChaCore::new_internal(seed, stream);
                let mut res = Self {
                    core: BlockRng::new(core),
                };

                res.set_word_pos(word_pos);
                res
            }
        }
    };
}

impl_chacha_rng!(ChaCha8Rng, R8);
impl_chacha_rng!(ChaCha12Rng, R12);
impl_chacha_rng!(ChaCha20Rng, R20);