Commit | Line | Data |
---|---|---|
194e93f2 MW |
1 | /* -*-c-*- |
2 | * | |
3 | * Salsa20 stream cipher | |
4 | * | |
5 | * (c) 2015 Straylight/Edgeware | |
6 | */ | |
7 | ||
8 | /*----- Header files ------------------------------------------------------*/ | |
9 | ||
10 | #include <stdarg.h> | |
11 | ||
12 | #include <mLib/bits.h> | |
13 | ||
14 | #include "arena.h" | |
15 | #include "gcipher.h" | |
16 | #include "grand.h" | |
17 | #include "keysz.h" | |
18 | #include "paranoia.h" | |
19 | #include "salsa20.h" | |
20 | #include "salsa20-core.h" | |
21 | ||
22 | /*----- Global variables --------------------------------------------------*/ | |
23 | ||
24 | const octet salsa20_keysz[] = { KSZ_SET, 32, 16, 10, 0 }; | |
25 | ||
26 | /*----- The Salsa20 core function and utilities ---------------------------*/ | |
27 | ||
28 | /* --- @core@ --- * | |
29 | * | |
30 | * Arguments: @unsigned r@ = number of rounds | |
31 | * @const salsa20_matrix src@ = input matrix | |
32 | * @salsa20_matrix dest@ = where to put the output | |
33 | * | |
34 | * Returns: --- | |
35 | * | |
36 | * | |
37 | * Use: Apply the Salsa20/r core function to @src@, writing the | |
38 | * result to @dest@. This consists of @r@ rounds followed by | |
39 | * the feedforward step. | |
40 | */ | |
41 | ||
42 | static void core(unsigned r, const salsa20_matrix src, salsa20_matrix dest) | |
43 | { SALSA20_nR(dest, src, r); SALSA20_FFWD(dest, src); } | |
44 | ||
45 | /* --- @populate@ --- * | |
46 | * | |
47 | * Arguments: @salsa20_matrix a@ = a matrix to fill in | |
48 | * @const void *key@ = pointer to key material | |
49 | * @size_t ksz@ = size of key | |
50 | * | |
51 | * Returns: --- | |
52 | * | |
53 | * Use: Fills in a Salsa20 matrix from the key, setting the | |
54 | * appropriate constants according to the key length. The nonce | |
55 | * and position words are left uninitialized. | |
56 | */ | |
57 | ||
58 | static void populate(salsa20_matrix a, const void *key, size_t ksz) | |
59 | { | |
60 | const octet *k = key; | |
61 | ||
62 | KSZ_ASSERT(salsa20, ksz); | |
63 | ||
64 | a[ 1] = LOAD32_L(k + 0); | |
65 | a[ 2] = LOAD32_L(k + 4); | |
66 | if (ksz == 10) { | |
67 | a[ 3] = LOAD16_L(k + 8); | |
68 | a[ 4] = 0; | |
69 | } else { | |
70 | a[ 3] = LOAD32_L(k + 8); | |
71 | a[ 4] = LOAD32_L(k + 12); | |
72 | } | |
73 | if (ksz <= 16) { | |
74 | a[11] = a[ 1]; | |
75 | a[12] = a[ 2]; | |
76 | a[13] = a[ 3]; | |
77 | a[14] = a[ 4]; | |
78 | a[ 0] = SALSA20_A128; | |
79 | a[ 5] = SALSA20_B128; | |
80 | a[10] = ksz == 10 ? SALSA20_C80 : SALSA20_C128; | |
81 | a[15] = SALSA20_D128; | |
82 | } else { | |
83 | a[11] = LOAD32_L(k + 16); | |
84 | a[12] = LOAD32_L(k + 20); | |
85 | a[13] = LOAD32_L(k + 24); | |
86 | a[14] = LOAD32_L(k + 28); | |
87 | a[ 0] = SALSA20_A256; | |
88 | a[ 5] = SALSA20_B256; | |
89 | a[10] = SALSA20_C256; | |
90 | a[15] = SALSA20_D256; | |
91 | } | |
92 | } | |
93 | ||
94 | /*----- Salsa20 implementation --------------------------------------------*/ | |
95 | ||
96 | /* --- @salsa20_init@ --- * | |
97 | * | |
98 | * Arguments: @salsa20_ctx *ctx@ = context to fill in | |
99 | * @const void *key@ = pointer to key material | |
100 | * @size_t ksz@ = size of key (either 32 or 16) | |
101 | * @const void *nonce@ = initial nonce, or null | |
102 | * | |
103 | * Returns: --- | |
104 | * | |
105 | * Use: Initializes a Salsa20 context ready for use. | |
106 | */ | |
107 | ||
108 | void salsa20_init(salsa20_ctx *ctx, const void *key, size_t ksz, | |
109 | const void *nonce) | |
110 | { | |
111 | static const octet zerononce[SALSA20_NONCESZ]; | |
112 | ||
113 | populate(ctx->a, key, ksz); | |
114 | salsa20_setnonce(ctx, nonce ? nonce : zerononce); | |
115 | } | |
116 | ||
117 | /* --- @salsa20_setnonce@ --- * | |
118 | * | |
119 | * Arguments: @salsa20_ctx *ctx@ = pointer to context | |
120 | * @const void *nonce@ = the nonce (@SALSA20_NONCESZ@ bytes) | |
121 | * | |
122 | * Returns: --- | |
123 | * | |
124 | * Use: Set a new nonce in the context @ctx@, e.g., for processing a | |
125 | * different message. The stream position is reset to zero (see | |
126 | * @salsa20_seek@ etc.). | |
127 | */ | |
128 | ||
129 | void salsa20_setnonce(salsa20_ctx *ctx, const void *nonce) | |
130 | { | |
131 | const octet *n = nonce; | |
132 | ||
133 | ctx->a[6] = LOAD32_L(n + 0); | |
134 | ctx->a[7] = LOAD32_L(n + 4); | |
135 | salsa20_seek(ctx, 0); | |
136 | } | |
137 | ||
138 | /* --- @salsa20_seek@, @salsa20_seeku64@ --- * | |
139 | * | |
140 | * Arguments: @salsa20_ctx *ctx@ = pointer to context | |
141 | * @unsigned long i@, @kludge64 i@ = new position to set | |
142 | * | |
143 | * Returns: --- | |
144 | * | |
145 | * Use: Sets a new stream position, in units of Salsa20 output | |
146 | * blocks, which are @SALSA20_OUTSZ@ bytes each. Byte | |
147 | * granularity can be achieved by calling @salsa20R_encrypt@ | |
148 | * appropriately. | |
149 | */ | |
150 | ||
151 | void salsa20_seek(salsa20_ctx *ctx, unsigned long i) | |
152 | { kludge64 ii; ASSIGN64(ii, i); salsa20_seeku64(ctx, ii); } | |
153 | ||
154 | void salsa20_seeku64(salsa20_ctx *ctx, kludge64 i) | |
155 | { | |
156 | ctx->a[8] = LO64(i); ctx->a[9] = HI64(i); | |
157 | ctx->bufi = SALSA20_OUTSZ; | |
158 | } | |
159 | ||
160 | /* --- @salsa20_tell@, @salsa20_tellu64@ --- * | |
161 | * | |
162 | * Arguments: @salsa20_ctx *ctx@ = pointer to context | |
163 | * | |
164 | * Returns: The current position in the output stream, in blocks, | |
165 | * rounding upwards. | |
166 | */ | |
167 | ||
168 | unsigned long salsa20_tell(salsa20_ctx *ctx) | |
169 | { kludge64 i = salsa20_tellu64(ctx); return (GET64(unsigned long, i)); } | |
170 | ||
171 | kludge64 salsa20_tellu64(salsa20_ctx *ctx) | |
172 | { kludge64 i; SET64(i, ctx->a[9], ctx->a[8]); return (i); } | |
173 | ||
174 | /* --- @salsa20{,12,8}_encrypt@ --- * | |
175 | * | |
176 | * Arguments: @salsa20_ctx *ctx@ = pointer to context | |
177 | * @const void *src@ = source buffer (or null) | |
178 | * @void *dest@ = destination buffer (or null) | |
179 | * @size_t sz@ = size of the buffers | |
180 | * | |
181 | * Returns: --- | |
182 | * | |
183 | * Use: Encrypts or decrypts @sz@ bytes of data from @src@ to @dest@. | |
184 | * Salsa20 works by XORing plaintext with a keystream, so | |
185 | * encryption and decryption are the same operation. If @dest@ | |
186 | * is null then ignore @src@ and skip @sz@ bytes of the | |
187 | * keystream. If @src@ is null, then just write the keystream | |
188 | * to @dest@. | |
189 | */ | |
190 | ||
191 | #define SALSA20_ENCRYPT(r, ctx, src, dest, sz) \ | |
192 | SALSA20_DECOR(salsa20, r, _encrypt)(ctx, src, dest, sz) | |
193 | #define DEFENCRYPT(r) \ | |
194 | void SALSA20_ENCRYPT(r, salsa20_ctx *ctx, const void *src, \ | |
195 | void *dest, size_t sz) \ | |
196 | { \ | |
197 | salsa20_matrix b; \ | |
198 | const octet *s = src; \ | |
199 | octet *d = dest; \ | |
200 | size_t n; \ | |
201 | kludge64 pos, delta; \ | |
202 | \ | |
203 | SALSA20_OUTBUF(ctx, d, s, sz); \ | |
204 | if (!sz) return; \ | |
205 | \ | |
206 | if (!dest) { \ | |
207 | n = sz/SALSA20_OUTSZ; \ | |
208 | pos = salsa20_tellu64(ctx); \ | |
209 | ASSIGN64(delta, n); \ | |
210 | ADD64(pos, pos, delta); \ | |
211 | salsa20_seeku64(ctx, pos); \ | |
212 | sz = sz%SALSA20_OUTSZ; \ | |
213 | } else if (!src) { \ | |
214 | while (sz >= SALSA20_OUTSZ) { \ | |
215 | core(r, ctx->a, b); \ | |
216 | SALSA20_STEP(ctx->a); \ | |
217 | SALSA20_GENFULL(b, d); \ | |
218 | sz -= SALSA20_OUTSZ; \ | |
219 | } \ | |
220 | } else { \ | |
221 | while (sz >= SALSA20_OUTSZ) { \ | |
222 | core(r, ctx->a, b); \ | |
223 | SALSA20_STEP(ctx->a); \ | |
224 | SALSA20_MIXFULL(b, d, s); \ | |
225 | sz -= SALSA20_OUTSZ; \ | |
226 | } \ | |
227 | } \ | |
228 | \ | |
229 | if (sz) { \ | |
230 | core(r, ctx->a, b); \ | |
231 | SALSA20_STEP(ctx->a); \ | |
232 | SALSA20_PREPBUF(ctx, b); \ | |
233 | SALSA20_OUTBUF(ctx, d, s, sz); \ | |
234 | assert(!sz); \ | |
235 | } \ | |
236 | } | |
237 | SALSA20_VARS(DEFENCRYPT) | |
238 | ||
239 | /*----- HSalsa20 implementation -------------------------------------------*/ | |
240 | ||
241 | #define HSALSA20_RAW(r, ctx, src, dest) \ | |
242 | SALSA20_DECOR(hsalsa20, r, _raw)(ctx, src, dest) | |
243 | #define HSALSA20_PRF(r, ctx, src, dest) \ | |
244 | SALSA20_DECOR(hsalsa20, r, _prf)(ctx, src, dest) | |
245 | ||
246 | /* --- @hsalsa20{,12,8}_prf@ --- * | |
247 | * | |
248 | * Arguments: @salsa20_ctx *ctx@ = pointer to context | |
249 | * @const void *src@ = the input (@HSALSA20_INSZ@ bytes) | |
250 | * @void *dest@ = the output (@HSALSA20_OUTSZ@ bytes) | |
251 | * | |
252 | * Returns: --- | |
253 | * | |
254 | * Use: Apply the HSalsa20/r pseudorandom function to @src@, writing | |
255 | * the result to @out@. | |
256 | */ | |
257 | ||
258 | #define DEFHSALSA20(r) \ | |
259 | static void HSALSA20_RAW(r, salsa20_matrix k, \ | |
260 | const uint32 *src, uint32 *dest) \ | |
261 | { \ | |
262 | salsa20_matrix a; \ | |
263 | int i; \ | |
264 | \ | |
265 | /* --- HSalsa20, computed from full Salsa20 --- * \ | |
266 | * \ | |
267 | * The security proof makes use of the fact that HSalsa20 (i.e., \ | |
268 | * without the final feedforward step) can be computed from full \ | |
269 | * Salsa20 using only knowledge of the non-secret input. I don't \ | |
270 | * want to compromise the performance of the main function by \ | |
271 | * making the feedforward step separate, but this operation is less \ | |
272 | * speed critical, so we do it the harder way. \ | |
273 | */ \ | |
274 | \ | |
275 | for (i = 0; i < 4; i++) k[i + 6] = src[i]; \ | |
276 | core(r, k, a); \ | |
277 | for (i = 0; i < 4; i++) dest[i] = a[5*i] - k[5*i]; \ | |
278 | for (i = 4; i < 8; i++) dest[i] = a[i + 2] - k[i + 2]; \ | |
279 | } \ | |
280 | \ | |
281 | void HSALSA20_PRF(r, salsa20_ctx *ctx, const void *src, void *dest) \ | |
282 | { \ | |
283 | const octet *s = src; \ | |
284 | octet *d = dest; \ | |
285 | uint32 in[4], out[8]; \ | |
286 | int i; \ | |
287 | \ | |
288 | for (i = 0; i < 4; i++) in[i] = LOAD32_L(s + 4*i); \ | |
289 | HSALSA20_RAW(r, ctx->a, in, out); \ | |
290 | for (i = 0; i < 8; i++) STORE32_L(d + 4*i, out[i]); \ | |
291 | } | |
292 | SALSA20_VARS(DEFHSALSA20) | |
293 | ||
294 | /*----- XSalsa20 implementation -------------------------------------------*/ | |
295 | ||
296 | /* --- Some convenient macros for naming functions --- * | |
297 | * | |
298 | * Because the crypto core is involved in XSalsa20/r's per-nonce setup, we | |
299 | * need to take an interest in the number of rounds in most of the various | |
300 | * functions, and it will probably help if we distinguish the context | |
301 | * structures for the various versions. | |
302 | */ | |
303 | ||
304 | #define XSALSA20_CTX(r) SALSA20_DECOR(xsalsa20, r, _ctx) | |
305 | #define XSALSA20_INIT(r, ctx, k, ksz, n) \ | |
306 | SALSA20_DECOR(xsalsa20, r, _init)(ctx, k, ksz, n) | |
307 | #define XSALSA20_SETNONCE(r, ctx, n) \ | |
308 | SALSA20_DECOR(xsalsa20, r, _setnonce)(ctx, n) | |
309 | #define XSALSA20_SEEK(r, ctx, i) \ | |
310 | SALSA20_DECOR(xsalsa20, r, _seek)(ctx, i) | |
311 | #define XSALSA20_SEEKU64(r, ctx, i) \ | |
312 | SALSA20_DECOR(xsalsa20, r, _seeku64)(ctx, i) | |
313 | #define XSALSA20_TELL(r, ctx) \ | |
314 | SALSA20_DECOR(xsalsa20, r, _tell)(ctx) | |
315 | #define XSALSA20_TELLU64(r, ctx) \ | |
316 | SALSA20_DECOR(xsalsa20, r, _tellu64)(ctx) | |
317 | #define XSALSA20_ENCRYPT(r, ctx, src, dest, sz) \ | |
318 | SALSA20_DECOR(xsalsa20, r, _encrypt)(ctx, src, dest, sz) | |
319 | ||
320 | /* --- @xsalsa20{,12,8}_init@ --- * | |
321 | * | |
322 | * Arguments: @xsalsa20R_ctx *ctx@ = the context to fill in | |
323 | * @const void *key@ = pointer to key material | |
324 | * @size_t ksz@ = size of key (either 32 or 16) | |
325 | * @const void *nonce@ = initial nonce, or null | |
326 | * | |
327 | * Returns: --- | |
328 | * | |
329 | * Use: Initializes an XSalsa20/r context ready for use. | |
330 | * | |
331 | * There is a different function for each number of rounds, | |
332 | * unlike for plain Salsa20. | |
333 | */ | |
334 | ||
335 | #define DEFXINIT(r) \ | |
336 | void XSALSA20_INIT(r, XSALSA20_CTX(r) *ctx, \ | |
337 | const void *key, size_t ksz, const void *nonce) \ | |
338 | { \ | |
339 | static const octet zerononce[XSALSA20_NONCESZ]; \ | |
340 | \ | |
341 | populate(ctx->k, key, ksz); \ | |
342 | ctx->s.a[ 0] = SALSA20_A256; \ | |
343 | ctx->s.a[ 5] = SALSA20_B256; \ | |
344 | ctx->s.a[10] = SALSA20_C256; \ | |
345 | ctx->s.a[15] = SALSA20_D256; \ | |
346 | XSALSA20_SETNONCE(r, ctx, nonce ? nonce : zerononce); \ | |
347 | } | |
348 | SALSA20_VARS(DEFXINIT) | |
349 | ||
350 | /* --- @xsalsa20{,12,8}_setnonce@ --- * | |
351 | * | |
352 | * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context | |
353 | * @const void *nonce@ = the nonce (@XSALSA20_NONCESZ@ bytes) | |
354 | * | |
355 | * Returns: --- | |
356 | * | |
357 | * Use: Set a new nonce in the context @ctx@, e.g., for processing a | |
358 | * different message. The stream position is reset to zero (see | |
359 | * @salsa20_seek@ etc.). | |
360 | * | |
361 | * There is a different function for each number of rounds, | |
362 | * unlike for plain Salsa20. | |
363 | */ | |
364 | ||
365 | #define DEFXNONCE(r) \ | |
366 | void XSALSA20_SETNONCE(r, XSALSA20_CTX(r) *ctx, const void *nonce) \ | |
367 | { \ | |
368 | const octet *n = nonce; \ | |
369 | uint32 in[4], out[8]; \ | |
370 | int i; \ | |
371 | \ | |
372 | for (i = 0; i < 4; i++) in[i] = LOAD32_L(n + 4*i); \ | |
373 | HSALSA20_RAW(r, ctx->k, in, out); \ | |
374 | for (i = 0; i < 4; i++) ctx->s.a[i + 1] = out[i]; \ | |
375 | for (i = 4; i < 8; i++) ctx->s.a[i + 7] = out[i]; \ | |
376 | salsa20_setnonce(&ctx->s, n + 16); \ | |
377 | } | |
378 | SALSA20_VARS(DEFXNONCE) | |
379 | ||
380 | /* --- @xsalsa20{,12,8}_seek@, @xsalsa20{,12,8}_seeku64@ --- * | |
381 | * | |
382 | * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context | |
383 | * @unsigned long i@, @kludge64 i@ = new position to set | |
384 | * | |
385 | * Returns: --- | |
386 | * | |
387 | * Use: Sets a new stream position, in units of Salsa20 output | |
388 | * blocks, which are @XSALSA20_OUTSZ@ bytes each. Byte | |
389 | * granularity can be achieved by calling @xsalsa20R_encrypt@ | |
390 | * appropriately. | |
391 | * | |
392 | * There is a different function for each number of rounds, | |
393 | * unlike for plain Salsa20, because the context structures are | |
394 | * different. | |
395 | */ | |
396 | ||
397 | /* --- @xsalsa20{,12,8}_tell@, @xsalsa20{,12,8}_tellu64@ --- * | |
398 | * | |
399 | * Arguments: @salsa20_ctx *ctx@ = pointer to context | |
400 | * | |
401 | * Returns: The current position in the output stream, in blocks, | |
402 | * rounding upwards. | |
403 | * | |
404 | * There is a different function for each number of rounds, | |
405 | * unlike for plain Salsa20, because the context structures are | |
406 | * different. | |
407 | */ | |
408 | ||
409 | /* --- @xsalsa20{,12,8}_encrypt@ --- * | |
410 | * | |
411 | * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context | |
412 | * @const void *src@ = source buffer (or null) | |
413 | * @void *dest@ = destination buffer (or null) | |
414 | * @size_t sz@ = size of the buffers | |
415 | * | |
416 | * Returns: --- | |
417 | * | |
418 | * Use: Encrypts or decrypts @sz@ bytes of data from @src@ to @dest@. | |
419 | * XSalsa20 works by XORing plaintext with a keystream, so | |
420 | * encryption and decryption are the same operation. If @dest@ | |
421 | * is null then ignore @src@ and skip @sz@ bytes of the | |
422 | * keystream. If @src@ is null, then just write the keystream | |
423 | * to @dest@. | |
424 | */ | |
425 | ||
426 | #define DEFXPASSTHRU(r) \ | |
427 | void XSALSA20_SEEK(r, XSALSA20_CTX(r) *ctx, unsigned long i) \ | |
428 | { salsa20_seek(&ctx->s, i); } \ | |
429 | void XSALSA20_SEEKU64(r, XSALSA20_CTX(r) *ctx, kludge64 i) \ | |
430 | { salsa20_seeku64(&ctx->s, i); } \ | |
431 | unsigned long XSALSA20_TELL(r, XSALSA20_CTX(r) *ctx) \ | |
432 | { return salsa20_tell(&ctx->s); } \ | |
433 | kludge64 XSALSA20_TELLU64(r, XSALSA20_CTX(r) *ctx) \ | |
434 | { return salsa20_tellu64(&ctx->s); } \ | |
435 | void XSALSA20_ENCRYPT(r, XSALSA20_CTX(r) *ctx, \ | |
436 | const void *src, void *dest, size_t sz) \ | |
437 | { SALSA20_ENCRYPT(r, &ctx->s, src, dest, sz); } | |
438 | SALSA20_VARS(DEFXPASSTHRU) | |
439 | ||
440 | /*----- Generic cipher interface ------------------------------------------*/ | |
441 | ||
442 | typedef struct gctx { gcipher c; salsa20_ctx ctx; } gctx; | |
443 | ||
444 | static void gsetiv(gcipher *c, const void *iv) | |
445 | { gctx *g = (gctx *)c; salsa20_setnonce(&g->ctx, iv); } | |
446 | ||
447 | static void gdestroy(gcipher *c) | |
448 | { gctx *g = (gctx *)c; BURN(*g); S_DESTROY(g); } | |
449 | ||
450 | #define DEFGCIPHER(r) \ | |
451 | \ | |
452 | static const gcipher_ops gops_##r; \ | |
453 | \ | |
454 | static gcipher *ginit_##r(const void *k, size_t sz) \ | |
455 | { \ | |
456 | gctx *g = S_CREATE(gctx); \ | |
457 | g->c.ops = &gops_##r; \ | |
458 | salsa20_init(&g->ctx, k, sz, 0); \ | |
459 | return (&g->c); \ | |
460 | } \ | |
461 | \ | |
462 | static void gencrypt_##r(gcipher *c, const void *s, \ | |
463 | void *t, size_t sz) \ | |
464 | { gctx *g = (gctx *)c; SALSA20_ENCRYPT(r, &g->ctx, s, t, sz); } \ | |
465 | \ | |
466 | static const gcipher_ops gops_##r = { \ | |
467 | &SALSA20_DECOR(salsa20, r, ), \ | |
468 | gencrypt_##r, gencrypt_##r, gdestroy, gsetiv, 0 \ | |
469 | }; \ | |
470 | \ | |
471 | const gccipher SALSA20_DECOR(salsa20, r, ) = { \ | |
472 | SALSA20_NAME_##r, salsa20_keysz, \ | |
473 | SALSA20_NONCESZ, ginit_##r \ | |
474 | }; | |
475 | ||
476 | SALSA20_VARS(DEFGCIPHER) | |
477 | ||
478 | #define DEFGXCIPHER(r) \ | |
479 | \ | |
480 | typedef struct { gcipher c; XSALSA20_CTX(r) ctx; } gxctx_##r; \ | |
481 | \ | |
482 | static void gxsetiv_##r(gcipher *c, const void *iv) \ | |
483 | { gxctx_##r *g = (gxctx_##r *)c; XSALSA20_SETNONCE(r, &g->ctx, iv); } \ | |
484 | \ | |
485 | static void gxdestroy_##r(gcipher *c) \ | |
486 | { gxctx_##r *g = (gxctx_##r *)c; BURN(*g); S_DESTROY(g); } \ | |
487 | \ | |
488 | static const gcipher_ops gxops_##r; \ | |
489 | \ | |
490 | static gcipher *gxinit_##r(const void *k, size_t sz) \ | |
491 | { \ | |
492 | gxctx_##r *g = S_CREATE(gxctx_##r); \ | |
493 | g->c.ops = &gxops_##r; \ | |
494 | XSALSA20_INIT(r, &g->ctx, k, sz, 0); \ | |
495 | return (&g->c); \ | |
496 | } \ | |
497 | \ | |
498 | static void gxencrypt_##r(gcipher *c, const void *s, \ | |
499 | void *t, size_t sz) \ | |
500 | { \ | |
501 | gxctx_##r *g = (gxctx_##r *)c; \ | |
502 | XSALSA20_ENCRYPT(r, &g->ctx, s, t, sz); \ | |
503 | } \ | |
504 | \ | |
505 | static const gcipher_ops gxops_##r = { \ | |
506 | &SALSA20_DECOR(xsalsa20, r, ), \ | |
507 | gxencrypt_##r, gxencrypt_##r, gxdestroy_##r, gxsetiv_##r, 0 \ | |
508 | }; \ | |
509 | \ | |
510 | const gccipher SALSA20_DECOR(xsalsa20, r, ) = { \ | |
511 | "x" SALSA20_NAME_##r, salsa20_keysz, \ | |
512 | XSALSA20_NONCESZ, gxinit_##r \ | |
513 | }; | |
514 | ||
515 | SALSA20_VARS(DEFGXCIPHER) | |
516 | ||
517 | /*----- Generic random number generator interface -------------------------*/ | |
518 | ||
519 | typedef struct grops { | |
520 | size_t noncesz; | |
521 | void (*seek)(void *, kludge64); | |
522 | kludge64 (*tell)(void *); | |
523 | void (*setnonce)(void *, const void *); | |
524 | void (*generate)(void *, void *, size_t); | |
525 | } grops; | |
526 | ||
527 | typedef struct grbasectx { | |
528 | grand r; | |
529 | const grops *ops; | |
530 | } grbasectx; | |
531 | ||
532 | static int grmisc(grand *r, unsigned op, ...) | |
533 | { | |
534 | octet buf[XSALSA20_NONCESZ]; | |
535 | grbasectx *g = (grbasectx *)r; | |
536 | grand *rr; | |
537 | const octet *p; | |
538 | size_t sz; | |
539 | uint32 i; | |
540 | unsigned long ul; | |
541 | kludge64 pos; | |
542 | va_list ap; | |
543 | int rc = 0; | |
544 | ||
545 | va_start(ap, op); | |
546 | ||
547 | switch (op) { | |
548 | case GRAND_CHECK: | |
549 | switch (va_arg(ap, unsigned)) { | |
550 | case GRAND_CHECK: | |
551 | case GRAND_SEEDINT: | |
552 | case GRAND_SEEDUINT32: | |
553 | case GRAND_SEEDBLOCK: | |
554 | case GRAND_SEEDRAND: | |
555 | case SALSA20_SEEK: | |
556 | case SALSA20_SEEKU64: | |
557 | case SALSA20_TELL: | |
558 | case SALSA20_TELLU64: | |
559 | rc = 1; | |
560 | break; | |
561 | default: | |
562 | rc = 0; | |
563 | break; | |
564 | } | |
565 | break; | |
566 | ||
567 | case GRAND_SEEDINT: | |
568 | i = va_arg(ap, unsigned); STORE32_L(buf, i); | |
569 | memset(buf + 4, 0, g->ops->noncesz - 4); | |
570 | g->ops->setnonce(g, buf); | |
571 | break; | |
572 | case GRAND_SEEDUINT32: | |
573 | i = va_arg(ap, uint32); STORE32_L(buf, i); | |
574 | memset(buf + 4, 0, g->ops->noncesz - 4); | |
575 | g->ops->setnonce(g, buf); | |
576 | break; | |
577 | case GRAND_SEEDBLOCK: | |
578 | p = va_arg(ap, const void *); | |
579 | sz = va_arg(ap, size_t); | |
580 | if (sz < g->ops->noncesz) { | |
581 | memcpy(buf, p, sz); | |
582 | memset(buf + sz, 0, g->ops->noncesz - sz); | |
583 | p = buf; | |
584 | } | |
585 | g->ops->setnonce(g, p); | |
586 | break; | |
587 | case GRAND_SEEDRAND: | |
588 | rr = va_arg(ap, grand *); | |
589 | rr->ops->fill(rr, buf, g->ops->noncesz); | |
590 | g->ops->setnonce(g, buf); | |
591 | break; | |
592 | case SALSA20_SEEK: | |
593 | ul = va_arg(ap, unsigned long); ASSIGN64(pos, ul); | |
594 | g->ops->seek(g, pos); | |
595 | break; | |
596 | case SALSA20_SEEKU64: | |
597 | pos = va_arg(ap, kludge64); | |
598 | g->ops->seek(g, pos); | |
599 | break; | |
600 | case SALSA20_TELL: | |
601 | pos = g->ops->tell(g); | |
602 | *va_arg(ap, unsigned long *) = GET64(unsigned long, pos); | |
603 | break; | |
604 | case SALSA20_TELLU64: | |
605 | *va_arg(ap, kludge64 *) = g->ops->tell(g); | |
606 | break; | |
607 | default: | |
608 | GRAND_BADOP; | |
609 | break; | |
610 | } | |
611 | ||
612 | return (rc); | |
613 | } | |
614 | ||
615 | static octet grbyte(grand *r) | |
616 | { | |
617 | grbasectx *g = (grbasectx *)r; | |
618 | octet o; | |
619 | g->ops->generate(g, &o, 1); | |
620 | return (o); | |
621 | } | |
622 | ||
623 | static uint32 grword(grand *r) | |
624 | { | |
625 | grbasectx *g = (grbasectx *)r; | |
626 | octet b[4]; | |
627 | g->ops->generate(g, b, sizeof(b)); | |
628 | return (LOAD32_L(b)); | |
629 | } | |
630 | ||
631 | static void grfill(grand *r, void *p, size_t sz) | |
632 | { | |
633 | grbasectx *g = (grbasectx *)r; | |
634 | g->ops->generate(r, p, sz); | |
635 | } | |
636 | ||
637 | typedef struct grctx { | |
638 | grbasectx r; | |
639 | salsa20_ctx ctx; | |
640 | } grctx; | |
641 | ||
642 | static void gr_seek(void *r, kludge64 pos) | |
643 | { grctx *g = r; salsa20_seeku64(&g->ctx, pos); } | |
644 | ||
645 | static kludge64 gr_tell(void *r) | |
646 | { grctx *g = r; return (salsa20_tellu64(&g->ctx)); } | |
647 | ||
648 | static void gr_setnonce(void *r, const void *n) | |
649 | { grctx *g = r; salsa20_setnonce(&g->ctx, n); } | |
650 | ||
651 | static void grdestroy(grand *r) | |
652 | { grctx *g = (grctx *)r; BURN(*g); S_DESTROY(g); } | |
653 | ||
654 | #define DEFGRAND(rr) \ | |
655 | \ | |
656 | static void gr_generate_##rr(void *r, void *b, size_t sz) \ | |
657 | { grctx *g = r; SALSA20_ENCRYPT(rr, &g->ctx, 0, b, sz); } \ | |
658 | \ | |
659 | static const grops grops_##rr = \ | |
660 | { SALSA20_NONCESZ, gr_seek, gr_tell, \ | |
661 | gr_setnonce, gr_generate_##rr }; \ | |
662 | \ | |
663 | static const grand_ops grops_rand_##rr = { \ | |
664 | SALSA20_NAME_##rr, GRAND_CRYPTO, 0, \ | |
665 | grmisc, grdestroy, grword, \ | |
666 | grbyte, grword, grand_range, grfill \ | |
667 | }; \ | |
668 | \ | |
669 | grand *SALSA20_DECOR(salsa20, rr, _rand) \ | |
670 | (const void *k, size_t ksz, const void *n) \ | |
671 | { \ | |
672 | grctx *g = S_CREATE(g); \ | |
673 | g->r.r.ops = &grops_rand_##rr; \ | |
674 | g->r.ops = &grops_##rr; \ | |
675 | salsa20_init(&g->ctx, k, ksz, n); \ | |
676 | return (&g->r.r); \ | |
677 | } | |
678 | SALSA20_VARS(DEFGRAND) | |
679 | ||
680 | #define DEFXGRAND(rr) \ | |
681 | \ | |
682 | typedef struct grxctx_##rr { \ | |
683 | grbasectx r; \ | |
684 | XSALSA20_CTX(rr) ctx; \ | |
685 | } grxctx_##rr; \ | |
686 | \ | |
687 | static void grx_seek_##rr(void *r, kludge64 pos) \ | |
688 | { grxctx_##rr *g = r; XSALSA20_SEEKU64(rr, &g->ctx, pos); } \ | |
689 | \ | |
690 | static kludge64 grx_tell_##rr(void *r) \ | |
691 | { grxctx_##rr *g = r; return (XSALSA20_TELLU64(rr, &g->ctx)); } \ | |
692 | \ | |
693 | static void grx_setnonce_##rr(void *r, const void *n) \ | |
694 | { grxctx_##rr *g = r; XSALSA20_SETNONCE(rr, &g->ctx, n); } \ | |
695 | \ | |
696 | static void grxdestroy_##rr(grand *r) \ | |
697 | { grxctx_##rr *g = (grxctx_##rr *)r; BURN(*g); S_DESTROY(g); } \ | |
698 | \ | |
699 | static void grx_generate_##rr(void *r, void *b, size_t sz) \ | |
700 | { grxctx_##rr *g = r; XSALSA20_ENCRYPT(rr, &g->ctx, 0, b, sz); } \ | |
701 | \ | |
702 | static const grops grxops_##rr = \ | |
703 | { XSALSA20_NONCESZ, grx_seek_##rr, grx_tell_##rr, \ | |
704 | grx_setnonce_##rr, grx_generate_##rr }; \ | |
705 | \ | |
706 | static const grand_ops grxops_rand_##rr = { \ | |
707 | "x" SALSA20_NAME_##rr, GRAND_CRYPTO, 0, \ | |
708 | grmisc, grxdestroy_##rr, grword, \ | |
709 | grbyte, grword, grand_range, grfill \ | |
710 | }; \ | |
711 | \ | |
712 | grand *SALSA20_DECOR(xsalsa20, rr, _rand) \ | |
713 | (const void *k, size_t ksz, const void *n) \ | |
714 | { \ | |
715 | grxctx_##rr *g = S_CREATE(g); \ | |
716 | g->r.r.ops = &grxops_rand_##rr; \ | |
717 | g->r.ops = &grxops_##rr; \ | |
718 | XSALSA20_INIT(rr, &g->ctx, k, ksz, n); \ | |
719 | return (&g->r.r); \ | |
720 | } | |
721 | SALSA20_VARS(DEFXGRAND) | |
722 | ||
723 | /*----- Test rig ----------------------------------------------------------*/ | |
724 | ||
725 | #ifdef TEST_RIG | |
726 | ||
727 | #include <stdio.h> | |
728 | #include <string.h> | |
729 | ||
730 | #include <mLib/quis.h> | |
731 | #include <mLib/testrig.h> | |
732 | ||
733 | #define DEFVCORE(r) \ | |
734 | static int v_core_##r(dstr *v) \ | |
735 | { \ | |
736 | salsa20_matrix a, b; \ | |
737 | dstr d = DSTR_INIT; \ | |
738 | int i, n; \ | |
739 | int ok = 1; \ | |
740 | \ | |
741 | DENSURE(&d, SALSA20_OUTSZ); d.len = SALSA20_OUTSZ; \ | |
742 | n = *(int *)v[0].buf; \ | |
743 | for (i = 0; i < SALSA20_OUTSZ/4; i++) \ | |
744 | a[i] = LOAD32_L(v[1].buf + 4*i); \ | |
745 | for (i = 0; i < n; i++) { \ | |
746 | core(r, a, b); \ | |
747 | memcpy(a, b, sizeof(a)); \ | |
748 | } \ | |
749 | for (i = 0; i < SALSA20_OUTSZ/4; i++) STORE32_L(d.buf + 4*i, a[i]); \ | |
750 | \ | |
751 | if (d.len != v[2].len || memcmp(d.buf, v[2].buf, v[2].len) != 0) { \ | |
752 | ok = 0; \ | |
753 | printf("\nfail core:" \ | |
754 | "\n\titerations = %d" \ | |
755 | "\n\tin = ", n); \ | |
756 | type_hex.dump(&v[1], stdout); \ | |
757 | printf("\n\texpected = "); \ | |
758 | type_hex.dump(&v[2], stdout); \ | |
759 | printf("\n\tcalculated = "); \ | |
760 | type_hex.dump(&d, stdout); \ | |
761 | putchar('\n'); \ | |
762 | } \ | |
763 | \ | |
764 | dstr_destroy(&d); \ | |
765 | return (ok); \ | |
766 | } | |
767 | SALSA20_VARS(DEFVCORE) | |
768 | ||
769 | #define SALSA20_CTX(r) salsa20_ctx | |
770 | #define SALSA20_INIT(r, ctx, k, ksz, n) salsa20_init(ctx, k, ksz, n) | |
771 | #define SALSA20_SEEKU64(r, ctx, i) salsa20_seeku64(ctx, i) | |
772 | ||
773 | #define DEFxVENC(base, BASE, r) \ | |
774 | static int v_encrypt_##base##_##r(dstr *v) \ | |
775 | { \ | |
776 | BASE##_CTX(r) ctx; \ | |
777 | dstr d = DSTR_INIT; \ | |
778 | kludge64 pos; \ | |
779 | const octet *p, *p0; \ | |
780 | octet *q; \ | |
781 | size_t sz, sz0, step; \ | |
782 | unsigned long skip; \ | |
783 | int ok = 1; \ | |
784 | \ | |
785 | if (v[4].len) { p0 = (const octet *)v[4].buf; sz0 = v[4].len; } \ | |
786 | else { p0 = 0; sz0 = v[5].len; } \ | |
787 | DENSURE(&d, sz0); d.len = sz0; \ | |
788 | skip = *(unsigned long *)v[3].buf; \ | |
789 | \ | |
790 | step = 0; \ | |
791 | while (step < sz0 + skip) { \ | |
792 | step = step ? 3*step + 4 : 1; \ | |
793 | if (step > sz0 + skip) step = sz0 + skip; \ | |
794 | BASE##_INIT(r, &ctx, v[0].buf, v[0].len, v[1].buf); \ | |
795 | if (v[2].len) { \ | |
796 | LOAD64_(pos, v[2].buf); \ | |
797 | BASE##_SEEKU64(r, &ctx, pos); \ | |
798 | } \ | |
799 | \ | |
800 | for (sz = skip; sz >= step; sz -= step) \ | |
801 | BASE##_ENCRYPT(r, &ctx, 0, 0, step); \ | |
802 | if (sz) BASE##_ENCRYPT(r, &ctx, 0, 0, sz); \ | |
803 | for (p = p0, q = (octet *)d.buf, sz = sz0; \ | |
804 | sz >= step; \ | |
805 | sz -= step, q += step) { \ | |
806 | BASE##_ENCRYPT(r, &ctx, p, q, step); \ | |
807 | if (p) p += step; \ | |
808 | } \ | |
809 | if (sz) BASE##_ENCRYPT(r, &ctx, p, q, sz); \ | |
810 | \ | |
811 | if (d.len != v[5].len || memcmp(d.buf, v[5].buf, v[5].len) != 0) { \ | |
812 | ok = 0; \ | |
813 | printf("\nfail encrypt:" \ | |
814 | "\n\tstep = %lu" \ | |
815 | "\n\tkey = ", (unsigned long)step); \ | |
816 | type_hex.dump(&v[0], stdout); \ | |
817 | printf("\n\tnonce = "); \ | |
818 | type_hex.dump(&v[1], stdout); \ | |
819 | printf("\n\tposition = "); \ | |
820 | type_hex.dump(&v[2], stdout); \ | |
821 | printf("\n\tskip = %lu", skip); \ | |
822 | printf("\n\tmessage = "); \ | |
823 | type_hex.dump(&v[4], stdout); \ | |
824 | printf("\n\texpected = "); \ | |
825 | type_hex.dump(&v[5], stdout); \ | |
826 | printf("\n\tcalculated = "); \ | |
827 | type_hex.dump(&d, stdout); \ | |
828 | putchar('\n'); \ | |
829 | } \ | |
830 | } \ | |
831 | \ | |
832 | dstr_destroy(&d); \ | |
833 | return (ok); \ | |
834 | } | |
835 | #define DEFVENC(r) DEFxVENC(salsa20, SALSA20, r) | |
836 | #define DEFXVENC(r) DEFxVENC(xsalsa20, XSALSA20, r) | |
837 | SALSA20_VARS(DEFVENC) | |
838 | SALSA20_VARS(DEFXVENC) | |
839 | ||
840 | static test_chunk defs[] = { | |
841 | #define DEFxTAB(pre, base, r) \ | |
842 | { pre SALSA20_NAME_##r, v_encrypt_##base##_##r, \ | |
843 | { &type_hex, &type_hex, &type_hex, &type_ulong, \ | |
844 | &type_hex, &type_hex, 0 } }, | |
845 | #define DEFTAB(r) \ | |
846 | { SALSA20_NAME_##r "-core", v_core_##r, \ | |
847 | { &type_int, &type_hex, &type_hex, 0 } }, \ | |
848 | DEFxTAB("", salsa20, r) | |
849 | #define DEFXTAB(r) DEFxTAB("x", xsalsa20, r) | |
850 | SALSA20_VARS(DEFTAB) | |
851 | SALSA20_VARS(DEFXTAB) | |
852 | { 0, 0, { 0 } } | |
853 | }; | |
854 | ||
855 | int main(int argc, char *argv[]) | |
856 | { | |
857 | test_run(argc, argv, defs, SRCDIR"/t/salsa20"); | |
858 | return (0); | |
859 | } | |
860 | ||
861 | #endif | |
862 | ||
863 | /*----- That's all, folks -------------------------------------------------*/ |