3 * Salsa20 stream cipher
5 * (c) 2015 Straylight/Edgeware
8 /*----- Header files ------------------------------------------------------*/
14 #include <mLib/bits.h>
23 #include "salsa20-core.h"
25 /*----- Global variables --------------------------------------------------*/
27 const octet salsa20_keysz
[] = { KSZ_SET
, 32, 16, 10, 0 };
29 /*----- The Salsa20 core function and utilities ---------------------------*/
33 * Arguments: @unsigned r@ = number of rounds
34 * @const salsa20_matrix src@ = input matrix
35 * @salsa20_matrix dest@ = where to put the output
40 * Use: Apply the Salsa20/r core function to @src@, writing the
41 * result to @dest@. This consists of @r@ rounds followed by
42 * the feedforward step.
45 CPU_DISPATCH(static, (void),
46 void, core
, (unsigned r
, const salsa20_matrix src
,
49 pick_core
, simple_core
);
51 static void simple_core(unsigned r
, const salsa20_matrix src
,
53 { SALSA20_nR(dest
, src
, r
); SALSA20_FFWD(dest
, src
); }
56 extern core__functype salsa20_core_x86_sse2
;
59 static core__functype
*pick_core(void)
62 DISPATCH_PICK_COND(salsa20_core
, salsa20_core_x86_sse2
,
63 cpu_feature_p(CPUFEAT_X86_SSE2
));
65 DISPATCH_PICK_FALLBACK(salsa20_core
, simple_core
);
68 /* --- @populate@ --- *
70 * Arguments: @salsa20_matrix a@ = a matrix to fill in
71 * @const void *key@ = pointer to key material
72 * @size_t ksz@ = size of key
76 * Use: Fills in a Salsa20 matrix from the key, setting the
77 * appropriate constants according to the key length. The nonce
78 * and position words are left uninitialized.
81 static void populate(salsa20_matrix a
, const void *key
, size_t ksz
)
85 KSZ_ASSERT(salsa20
, ksz
);
87 /* Here's the pattern of key, constant, nonce, and counter pieces in the
88 * matrix, before and after our permutation.
90 * [ C0 K0 K1 K2 ] [ C0 C1 C2 C3 ]
91 * [ K3 C1 N0 N1 ] --> [ K3 T1 K7 K2 ]
92 * [ T0 T1 C2 K4 ] [ T0 K6 K1 N1 ]
93 * [ K5 K6 K7 C3 ] [ K5 K0 N0 K4 ]
96 a
[13] = LOAD32_L(k
+ 0);
97 a
[10] = LOAD32_L(k
+ 4);
99 a
[ 7] = LOAD16_L(k
+ 8);
102 a
[ 7] = LOAD32_L(k
+ 8);
103 a
[ 4] = LOAD32_L(k
+ 12);
110 a
[ 0] = SALSA20_A128
;
111 a
[ 1] = SALSA20_B128
;
112 a
[ 2] = ksz
== 10 ? SALSA20_C80
: SALSA20_C128
;
113 a
[ 3] = SALSA20_D128
;
115 a
[15] = LOAD32_L(k
+ 16);
116 a
[12] = LOAD32_L(k
+ 20);
117 a
[ 9] = LOAD32_L(k
+ 24);
118 a
[ 6] = LOAD32_L(k
+ 28);
119 a
[ 0] = SALSA20_A256
;
120 a
[ 1] = SALSA20_B256
;
121 a
[ 2] = SALSA20_C256
;
122 a
[ 3] = SALSA20_D256
;
126 /*----- Salsa20 implementation --------------------------------------------*/
128 /* --- @salsa20_init@ --- *
130 * Arguments: @salsa20_ctx *ctx@ = context to fill in
131 * @const void *key@ = pointer to key material
132 * @size_t ksz@ = size of key (either 32 or 16)
133 * @const void *nonce@ = initial nonce, or null
137 * Use: Initializes a Salsa20 context ready for use.
140 void salsa20_init(salsa20_ctx
*ctx
, const void *key
, size_t ksz
,
143 static const octet zerononce
[SALSA20_NONCESZ
];
145 populate(ctx
->a
, key
, ksz
);
146 salsa20_setnonce(ctx
, nonce ? nonce
: zerononce
);
149 /* --- @salsa20_setnonce@ --- *
151 * Arguments: @salsa20_ctx *ctx@ = pointer to context
152 * @const void *nonce@ = the nonce (@SALSA20_NONCESZ@ bytes)
156 * Use: Set a new nonce in the context @ctx@, e.g., for processing a
157 * different message. The stream position is reset to zero (see
158 * @salsa20_seek@ etc.).
161 void salsa20_setnonce(salsa20_ctx
*ctx
, const void *nonce
)
163 const octet
*n
= nonce
;
165 ctx
->a
[14] = LOAD32_L(n
+ 0);
166 ctx
->a
[11] = LOAD32_L(n
+ 4);
167 salsa20_seek(ctx
, 0);
170 /* --- @salsa20_seek@, @salsa20_seeku64@ --- *
172 * Arguments: @salsa20_ctx *ctx@ = pointer to context
173 * @unsigned long i@, @kludge64 i@ = new position to set
177 * Use: Sets a new stream position, in units of Salsa20 output
178 * blocks, which are @SALSA20_OUTSZ@ bytes each. Byte
179 * granularity can be achieved by calling @salsa20R_encrypt@
183 void salsa20_seek(salsa20_ctx
*ctx
, unsigned long i
)
184 { kludge64 ii
; ASSIGN64(ii
, i
); salsa20_seeku64(ctx
, ii
); }
186 void salsa20_seeku64(salsa20_ctx
*ctx
, kludge64 i
)
188 ctx
->a
[8] = LO64(i
); ctx
->a
[5] = HI64(i
);
189 ctx
->bufi
= SALSA20_OUTSZ
;
192 /* --- @salsa20_tell@, @salsa20_tellu64@ --- *
194 * Arguments: @salsa20_ctx *ctx@ = pointer to context
196 * Returns: The current position in the output stream, in blocks,
200 unsigned long salsa20_tell(salsa20_ctx
*ctx
)
201 { kludge64 i
= salsa20_tellu64(ctx
); return (GET64(unsigned long, i
)); }
203 kludge64
salsa20_tellu64(salsa20_ctx
*ctx
)
204 { kludge64 i
; SET64(i
, ctx
->a
[5], ctx
->a
[8]); return (i
); }
206 /* --- @salsa20{,12,8}_encrypt@ --- *
208 * Arguments: @salsa20_ctx *ctx@ = pointer to context
209 * @const void *src@ = source buffer (or null)
210 * @void *dest@ = destination buffer (or null)
211 * @size_t sz@ = size of the buffers
215 * Use: Encrypts or decrypts @sz@ bytes of data from @src@ to @dest@.
216 * Salsa20 works by XORing plaintext with a keystream, so
217 * encryption and decryption are the same operation. If @dest@
218 * is null then ignore @src@ and skip @sz@ bytes of the
219 * keystream. If @src@ is null, then just write the keystream
223 #define SALSA20_ENCRYPT(r, ctx, src, dest, sz) \
224 SALSA20_DECOR(salsa20, r, _encrypt)(ctx, src, dest, sz)
225 #define DEFENCRYPT(r) \
226 void SALSA20_ENCRYPT(r, salsa20_ctx *ctx, const void *src, \
227 void *dest, size_t sz) \
230 const octet *s = src; \
233 kludge64 pos, delta; \
235 SALSA20_OUTBUF(ctx, d, s, sz); \
239 n = sz/SALSA20_OUTSZ; \
240 pos = salsa20_tellu64(ctx); \
241 ASSIGN64(delta, n); \
242 ADD64(pos, pos, delta); \
243 salsa20_seeku64(ctx, pos); \
244 sz = sz%SALSA20_OUTSZ; \
246 while (sz >= SALSA20_OUTSZ) { \
247 core(r, ctx->a, b); \
248 SALSA20_STEP(ctx->a); \
249 SALSA20_GENFULL(b, d); \
250 sz -= SALSA20_OUTSZ; \
253 while (sz >= SALSA20_OUTSZ) { \
254 core(r, ctx->a, b); \
255 SALSA20_STEP(ctx->a); \
256 SALSA20_MIXFULL(b, d, s); \
257 sz -= SALSA20_OUTSZ; \
262 core(r, ctx->a, b); \
263 SALSA20_STEP(ctx->a); \
264 SALSA20_PREPBUF(ctx, b); \
265 SALSA20_OUTBUF(ctx, d, s, sz); \
269 SALSA20_VARS(DEFENCRYPT
)
271 /*----- HSalsa20 implementation -------------------------------------------*/
273 #define HSALSA20_RAW(r, ctx, src, dest) \
274 SALSA20_DECOR(hsalsa20, r, _raw)(ctx, src, dest)
275 #define HSALSA20_PRF(r, ctx, src, dest) \
276 SALSA20_DECOR(hsalsa20, r, _prf)(ctx, src, dest)
278 /* --- @hsalsa20{,12,8}_prf@ --- *
280 * Arguments: @salsa20_ctx *ctx@ = pointer to context
281 * @const void *src@ = the input (@HSALSA20_INSZ@ bytes)
282 * @void *dest@ = the output (@HSALSA20_OUTSZ@ bytes)
286 * Use: Apply the HSalsa20/r pseudorandom function to @src@, writing
287 * the result to @out@.
290 #define DEFHSALSA20(r) \
291 static void HSALSA20_RAW(r, salsa20_matrix k, \
292 const uint32 *src, uint32 *dest) \
297 /* --- HSalsa20, computed from full Salsa20 --- * \
299 * The security proof makes use of the fact that HSalsa20 (i.e., \
300 * without the final feedforward step) can be computed from full \
301 * Salsa20 using only knowledge of the non-secret input. I don't \
302 * want to compromise the performance of the main function by \
303 * making the feedforward step separate, but this operation is less \
304 * speed critical, so we do it the harder way. \
307 for (i = 0; i < 4; i++) k[14 - 3*i] = src[i]; \
309 for (i = 0; i < 4; i++) dest[i] = a[5*i] - k[i]; \
310 for (i = 4; i < 8; i++) dest[i] = a[i + 2] - k[26 - 3*i]; \
313 void HSALSA20_PRF(r, salsa20_ctx *ctx, const void *src, void *dest) \
315 const octet *s = src; \
317 uint32 in[4], out[8]; \
320 for (i = 0; i < 4; i++) in[i] = LOAD32_L(s + 4*i); \
321 HSALSA20_RAW(r, ctx->a, in, out); \
322 for (i = 0; i < 8; i++) STORE32_L(d + 4*i, out[i]); \
324 SALSA20_VARS(DEFHSALSA20
)
326 /*----- XSalsa20 implementation -------------------------------------------*/
328 /* --- Some convenient macros for naming functions --- *
330 * Because the crypto core is involved in XSalsa20/r's per-nonce setup, we
331 * need to take an interest in the number of rounds in most of the various
332 * functions, and it will probably help if we distinguish the context
333 * structures for the various versions.
336 #define XSALSA20_CTX(r) SALSA20_DECOR(xsalsa20, r, _ctx)
337 #define XSALSA20_INIT(r, ctx, k, ksz, n) \
338 SALSA20_DECOR(xsalsa20, r, _init)(ctx, k, ksz, n)
339 #define XSALSA20_SETNONCE(r, ctx, n) \
340 SALSA20_DECOR(xsalsa20, r, _setnonce)(ctx, n)
341 #define XSALSA20_SEEK(r, ctx, i) \
342 SALSA20_DECOR(xsalsa20, r, _seek)(ctx, i)
343 #define XSALSA20_SEEKU64(r, ctx, i) \
344 SALSA20_DECOR(xsalsa20, r, _seeku64)(ctx, i)
345 #define XSALSA20_TELL(r, ctx) \
346 SALSA20_DECOR(xsalsa20, r, _tell)(ctx)
347 #define XSALSA20_TELLU64(r, ctx) \
348 SALSA20_DECOR(xsalsa20, r, _tellu64)(ctx)
349 #define XSALSA20_ENCRYPT(r, ctx, src, dest, sz) \
350 SALSA20_DECOR(xsalsa20, r, _encrypt)(ctx, src, dest, sz)
352 /* --- @xsalsa20{,12,8}_init@ --- *
354 * Arguments: @xsalsa20R_ctx *ctx@ = the context to fill in
355 * @const void *key@ = pointer to key material
356 * @size_t ksz@ = size of key (either 32 or 16)
357 * @const void *nonce@ = initial nonce, or null
361 * Use: Initializes an XSalsa20/r context ready for use.
363 * There is a different function for each number of rounds,
364 * unlike for plain Salsa20.
367 #define DEFXINIT(r) \
368 void XSALSA20_INIT(r, XSALSA20_CTX(r) *ctx, \
369 const void *key, size_t ksz, const void *nonce) \
371 static const octet zerononce[XSALSA20_NONCESZ]; \
373 populate(ctx->k, key, ksz); \
374 ctx->s.a[ 0] = SALSA20_A256; \
375 ctx->s.a[ 1] = SALSA20_B256; \
376 ctx->s.a[ 2] = SALSA20_C256; \
377 ctx->s.a[ 3] = SALSA20_D256; \
378 XSALSA20_SETNONCE(r, ctx, nonce ? nonce : zerononce); \
380 SALSA20_VARS(DEFXINIT
)
382 /* --- @xsalsa20{,12,8}_setnonce@ --- *
384 * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context
385 * @const void *nonce@ = the nonce (@XSALSA20_NONCESZ@ bytes)
389 * Use: Set a new nonce in the context @ctx@, e.g., for processing a
390 * different message. The stream position is reset to zero (see
391 * @salsa20_seek@ etc.).
393 * There is a different function for each number of rounds,
394 * unlike for plain Salsa20.
397 #define DEFXNONCE(r) \
398 void XSALSA20_SETNONCE(r, XSALSA20_CTX(r) *ctx, const void *nonce) \
400 const octet *n = nonce; \
401 uint32 in[4], out[8]; \
404 for (i = 0; i < 4; i++) in[i] = LOAD32_L(n + 4*i); \
405 HSALSA20_RAW(r, ctx->k, in, out); \
406 for (i = 0; i < 4; i++) ctx->s.a[13 - 3*i] = out[i]; \
407 for (i = 4; i < 8; i++) ctx->s.a[27 - 3*i] = out[i]; \
408 salsa20_setnonce(&ctx->s, n + 16); \
410 SALSA20_VARS(DEFXNONCE
)
412 /* --- @xsalsa20{,12,8}_seek@, @xsalsa20{,12,8}_seeku64@ --- *
414 * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context
415 * @unsigned long i@, @kludge64 i@ = new position to set
419 * Use: Sets a new stream position, in units of Salsa20 output
420 * blocks, which are @XSALSA20_OUTSZ@ bytes each. Byte
421 * granularity can be achieved by calling @xsalsa20R_encrypt@
424 * There is a different function for each number of rounds,
425 * unlike for plain Salsa20, because the context structures are
429 /* --- @xsalsa20{,12,8}_tell@, @xsalsa20{,12,8}_tellu64@ --- *
431 * Arguments: @salsa20_ctx *ctx@ = pointer to context
433 * Returns: The current position in the output stream, in blocks,
436 * There is a different function for each number of rounds,
437 * unlike for plain Salsa20, because the context structures are
441 /* --- @xsalsa20{,12,8}_encrypt@ --- *
443 * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context
444 * @const void *src@ = source buffer (or null)
445 * @void *dest@ = destination buffer (or null)
446 * @size_t sz@ = size of the buffers
450 * Use: Encrypts or decrypts @sz@ bytes of data from @src@ to @dest@.
451 * XSalsa20 works by XORing plaintext with a keystream, so
452 * encryption and decryption are the same operation. If @dest@
453 * is null then ignore @src@ and skip @sz@ bytes of the
454 * keystream. If @src@ is null, then just write the keystream
458 #define DEFXPASSTHRU(r) \
459 void XSALSA20_SEEK(r, XSALSA20_CTX(r) *ctx, unsigned long i) \
460 { salsa20_seek(&ctx->s, i); } \
461 void XSALSA20_SEEKU64(r, XSALSA20_CTX(r) *ctx, kludge64 i) \
462 { salsa20_seeku64(&ctx->s, i); } \
463 unsigned long XSALSA20_TELL(r, XSALSA20_CTX(r) *ctx) \
464 { return salsa20_tell(&ctx->s); } \
465 kludge64 XSALSA20_TELLU64(r, XSALSA20_CTX(r) *ctx) \
466 { return salsa20_tellu64(&ctx->s); } \
467 void XSALSA20_ENCRYPT(r, XSALSA20_CTX(r) *ctx, \
468 const void *src, void *dest, size_t sz) \
469 { SALSA20_ENCRYPT(r, &ctx->s, src, dest, sz); }
470 SALSA20_VARS(DEFXPASSTHRU
)
472 /*----- Generic cipher interface ------------------------------------------*/
474 typedef struct gctx
{ gcipher c
; salsa20_ctx ctx
; } gctx
;
476 static void gsetiv(gcipher
*c
, const void *iv
)
477 { gctx
*g
= (gctx
*)c
; salsa20_setnonce(&g
->ctx
, iv
); }
479 static void gdestroy(gcipher
*c
)
480 { gctx
*g
= (gctx
*)c
; BURN(*g
); S_DESTROY(g
); }
482 #define DEFGCIPHER(r) \
484 static const gcipher_ops gops_##r; \
486 static gcipher *ginit_##r(const void *k, size_t sz) \
488 gctx *g = S_CREATE(gctx); \
489 g->c.ops = &gops_##r; \
490 salsa20_init(&g->ctx, k, sz, 0); \
494 static void gencrypt_##r(gcipher *c, const void *s, \
495 void *t, size_t sz) \
496 { gctx *g = (gctx *)c; SALSA20_ENCRYPT(r, &g->ctx, s, t, sz); } \
498 static const gcipher_ops gops_##r = { \
499 &SALSA20_DECOR(salsa20, r, ), \
500 gencrypt_##r, gencrypt_##r, gdestroy, gsetiv, 0 \
503 const gccipher SALSA20_DECOR(salsa20, r, ) = { \
504 SALSA20_NAME_##r, salsa20_keysz, \
505 SALSA20_NONCESZ, ginit_##r \
508 SALSA20_VARS(DEFGCIPHER
)
510 #define DEFGXCIPHER(r) \
512 typedef struct { gcipher c; XSALSA20_CTX(r) ctx; } gxctx_##r; \
514 static void gxsetiv_##r(gcipher *c, const void *iv) \
515 { gxctx_##r *g = (gxctx_##r *)c; XSALSA20_SETNONCE(r, &g->ctx, iv); } \
517 static void gxdestroy_##r(gcipher *c) \
518 { gxctx_##r *g = (gxctx_##r *)c; BURN(*g); S_DESTROY(g); } \
520 static const gcipher_ops gxops_##r; \
522 static gcipher *gxinit_##r(const void *k, size_t sz) \
524 gxctx_##r *g = S_CREATE(gxctx_##r); \
525 g->c.ops = &gxops_##r; \
526 XSALSA20_INIT(r, &g->ctx, k, sz, 0); \
530 static void gxencrypt_##r(gcipher *c, const void *s, \
531 void *t, size_t sz) \
533 gxctx_##r *g = (gxctx_##r *)c; \
534 XSALSA20_ENCRYPT(r, &g->ctx, s, t, sz); \
537 static const gcipher_ops gxops_##r = { \
538 &SALSA20_DECOR(xsalsa20, r, ), \
539 gxencrypt_##r, gxencrypt_##r, gxdestroy_##r, gxsetiv_##r, 0 \
542 const gccipher SALSA20_DECOR(xsalsa20, r, ) = { \
543 "x" SALSA20_NAME_##r, salsa20_keysz, \
544 XSALSA20_NONCESZ, gxinit_##r \
547 SALSA20_VARS(DEFGXCIPHER
)
549 /*----- Generic random number generator interface -------------------------*/
551 typedef struct grops
{
553 void (*seek
)(void *, kludge64
);
554 kludge64 (*tell
)(void *);
555 void (*setnonce
)(void *, const void *);
556 void (*generate
)(void *, void *, size_t);
559 typedef struct grbasectx
{
564 static int grmisc(grand
*r
, unsigned op
, ...)
566 octet buf
[XSALSA20_NONCESZ
];
567 grbasectx
*g
= (grbasectx
*)r
;
581 switch (va_arg(ap
, unsigned)) {
584 case GRAND_SEEDUINT32
:
585 case GRAND_SEEDBLOCK
:
588 case SALSA20_SEEKU64
:
590 case SALSA20_TELLU64
:
600 i
= va_arg(ap
, unsigned); STORE32_L(buf
, i
);
601 memset(buf
+ 4, 0, g
->ops
->noncesz
- 4);
602 g
->ops
->setnonce(g
, buf
);
604 case GRAND_SEEDUINT32
:
605 i
= va_arg(ap
, uint32
); STORE32_L(buf
, i
);
606 memset(buf
+ 4, 0, g
->ops
->noncesz
- 4);
607 g
->ops
->setnonce(g
, buf
);
609 case GRAND_SEEDBLOCK
:
610 p
= va_arg(ap
, const void *);
611 sz
= va_arg(ap
, size_t);
612 if (sz
< g
->ops
->noncesz
) {
614 memset(buf
+ sz
, 0, g
->ops
->noncesz
- sz
);
617 g
->ops
->setnonce(g
, p
);
620 rr
= va_arg(ap
, grand
*);
621 rr
->ops
->fill(rr
, buf
, g
->ops
->noncesz
);
622 g
->ops
->setnonce(g
, buf
);
625 ul
= va_arg(ap
, unsigned long); ASSIGN64(pos
, ul
);
626 g
->ops
->seek(g
, pos
);
628 case SALSA20_SEEKU64
:
629 pos
= va_arg(ap
, kludge64
);
630 g
->ops
->seek(g
, pos
);
633 pos
= g
->ops
->tell(g
);
634 *va_arg(ap
, unsigned long *) = GET64(unsigned long, pos
);
636 case SALSA20_TELLU64
:
637 *va_arg(ap
, kludge64
*) = g
->ops
->tell(g
);
647 static octet
grbyte(grand
*r
)
649 grbasectx
*g
= (grbasectx
*)r
;
651 g
->ops
->generate(g
, &o
, 1);
655 static uint32
grword(grand
*r
)
657 grbasectx
*g
= (grbasectx
*)r
;
659 g
->ops
->generate(g
, b
, sizeof(b
));
660 return (LOAD32_L(b
));
663 static void grfill(grand
*r
, void *p
, size_t sz
)
665 grbasectx
*g
= (grbasectx
*)r
;
666 g
->ops
->generate(r
, p
, sz
);
669 typedef struct grctx
{
674 static void gr_seek(void *r
, kludge64 pos
)
675 { grctx
*g
= r
; salsa20_seeku64(&g
->ctx
, pos
); }
677 static kludge64
gr_tell(void *r
)
678 { grctx
*g
= r
; return (salsa20_tellu64(&g
->ctx
)); }
680 static void gr_setnonce(void *r
, const void *n
)
681 { grctx
*g
= r
; salsa20_setnonce(&g
->ctx
, n
); }
683 static void grdestroy(grand
*r
)
684 { grctx
*g
= (grctx
*)r
; BURN(*g
); S_DESTROY(g
); }
686 #define DEFGRAND(rr) \
688 static void gr_generate_##rr(void *r, void *b, size_t sz) \
689 { grctx *g = r; SALSA20_ENCRYPT(rr, &g->ctx, 0, b, sz); } \
691 static const grops grops_##rr = \
692 { SALSA20_NONCESZ, gr_seek, gr_tell, \
693 gr_setnonce, gr_generate_##rr }; \
695 static const grand_ops grops_rand_##rr = { \
696 SALSA20_NAME_##rr, GRAND_CRYPTO, 0, \
697 grmisc, grdestroy, grword, \
698 grbyte, grword, grand_range, grfill \
701 grand *SALSA20_DECOR(salsa20, rr, _rand) \
702 (const void *k, size_t ksz, const void *n) \
704 grctx *g = S_CREATE(g); \
705 g->r.r.ops = &grops_rand_##rr; \
706 g->r.ops = &grops_##rr; \
707 salsa20_init(&g->ctx, k, ksz, n); \
710 SALSA20_VARS(DEFGRAND
)
712 #define DEFXGRAND(rr) \
714 typedef struct grxctx_##rr { \
716 XSALSA20_CTX(rr) ctx; \
719 static void grx_seek_##rr(void *r, kludge64 pos) \
720 { grxctx_##rr *g = r; XSALSA20_SEEKU64(rr, &g->ctx, pos); } \
722 static kludge64 grx_tell_##rr(void *r) \
723 { grxctx_##rr *g = r; return (XSALSA20_TELLU64(rr, &g->ctx)); } \
725 static void grx_setnonce_##rr(void *r, const void *n) \
726 { grxctx_##rr *g = r; XSALSA20_SETNONCE(rr, &g->ctx, n); } \
728 static void grxdestroy_##rr(grand *r) \
729 { grxctx_##rr *g = (grxctx_##rr *)r; BURN(*g); S_DESTROY(g); } \
731 static void grx_generate_##rr(void *r, void *b, size_t sz) \
732 { grxctx_##rr *g = r; XSALSA20_ENCRYPT(rr, &g->ctx, 0, b, sz); } \
734 static const grops grxops_##rr = \
735 { XSALSA20_NONCESZ, grx_seek_##rr, grx_tell_##rr, \
736 grx_setnonce_##rr, grx_generate_##rr }; \
738 static const grand_ops grxops_rand_##rr = { \
739 "x" SALSA20_NAME_##rr, GRAND_CRYPTO, 0, \
740 grmisc, grxdestroy_##rr, grword, \
741 grbyte, grword, grand_range, grfill \
744 grand *SALSA20_DECOR(xsalsa20, rr, _rand) \
745 (const void *k, size_t ksz, const void *n) \
747 grxctx_##rr *g = S_CREATE(g); \
748 g->r.r.ops = &grxops_rand_##rr; \
749 g->r.ops = &grxops_##rr; \
750 XSALSA20_INIT(rr, &g->ctx, k, ksz, n); \
753 SALSA20_VARS(DEFXGRAND
)
755 /*----- Test rig ----------------------------------------------------------*/
762 #include <mLib/quis.h>
763 #include <mLib/testrig.h>
765 static const int perm
[] = {
772 #define DEFVCORE(r) \
773 static int v_core_##r(dstr *v) \
775 salsa20_matrix a, b; \
776 dstr d = DSTR_INIT; \
780 DENSURE(&d, SALSA20_OUTSZ); d.len = SALSA20_OUTSZ; \
781 n = *(int *)v[0].buf; \
782 for (i = 0; i < SALSA20_OUTSZ/4; i++) \
783 b[i] = LOAD32_L(v[1].buf + 4*i); \
784 for (i = 0; i < n; i++) { \
785 for (j = 0; j < 16; j++) a[perm[j]] = b[j]; \
787 memcpy(a, b, sizeof(a)); \
789 for (i = 0; i < SALSA20_OUTSZ/4; i++) STORE32_L(d.buf + 4*i, b[i]); \
791 if (d.len != v[2].len || memcmp(d.buf, v[2].buf, v[2].len) != 0) { \
793 printf("\nfail core:" \
794 "\n\titerations = %d" \
796 type_hex.dump(&v[1], stdout); \
797 printf("\n\texpected = "); \
798 type_hex.dump(&v[2], stdout); \
799 printf("\n\tcalculated = "); \
800 type_hex.dump(&d, stdout); \
807 SALSA20_VARS(DEFVCORE
)
809 #define SALSA20_CTX(r) salsa20_ctx
810 #define SALSA20_INIT(r, ctx, k, ksz, n) salsa20_init(ctx, k, ksz, n)
811 #define SALSA20_SEEKU64(r, ctx, i) salsa20_seeku64(ctx, i)
813 #define DEFxVENC(base, BASE, r) \
814 static int v_encrypt_##base##_##r(dstr *v) \
817 dstr d = DSTR_INIT; \
819 const octet *p, *p0; \
821 size_t sz, sz0, step; \
822 unsigned long skip; \
825 if (v[4].len) { p0 = (const octet *)v[4].buf; sz0 = v[4].len; } \
826 else { p0 = 0; sz0 = v[5].len; } \
827 DENSURE(&d, sz0); d.len = sz0; \
828 skip = *(unsigned long *)v[3].buf; \
831 while (step < sz0 + skip) { \
832 step = step ? 3*step + 4 : 1; \
833 if (step > sz0 + skip) step = sz0 + skip; \
834 BASE##_INIT(r, &ctx, v[0].buf, v[0].len, v[1].buf); \
836 LOAD64_(pos, v[2].buf); \
837 BASE##_SEEKU64(r, &ctx, pos); \
840 for (sz = skip; sz >= step; sz -= step) \
841 BASE##_ENCRYPT(r, &ctx, 0, 0, step); \
842 if (sz) BASE##_ENCRYPT(r, &ctx, 0, 0, sz); \
843 for (p = p0, q = (octet *)d.buf, sz = sz0; \
845 sz -= step, q += step) { \
846 BASE##_ENCRYPT(r, &ctx, p, q, step); \
849 if (sz) BASE##_ENCRYPT(r, &ctx, p, q, sz); \
851 if (d.len != v[5].len || memcmp(d.buf, v[5].buf, v[5].len) != 0) { \
853 printf("\nfail encrypt:" \
855 "\n\tkey = ", (unsigned long)step); \
856 type_hex.dump(&v[0], stdout); \
857 printf("\n\tnonce = "); \
858 type_hex.dump(&v[1], stdout); \
859 printf("\n\tposition = "); \
860 type_hex.dump(&v[2], stdout); \
861 printf("\n\tskip = %lu", skip); \
862 printf("\n\tmessage = "); \
863 type_hex.dump(&v[4], stdout); \
864 printf("\n\texpected = "); \
865 type_hex.dump(&v[5], stdout); \
866 printf("\n\tcalculated = "); \
867 type_hex.dump(&d, stdout); \
875 #define DEFVENC(r) DEFxVENC(salsa20, SALSA20, r)
876 #define DEFXVENC(r) DEFxVENC(xsalsa20, XSALSA20, r)
877 SALSA20_VARS(DEFVENC
)
878 SALSA20_VARS(DEFXVENC
)
880 static test_chunk defs
[] = {
881 #define DEFxTAB(pre, base, r) \
882 { pre SALSA20_NAME_##r, v_encrypt_##base##_##r, \
883 { &type_hex, &type_hex, &type_hex, &type_ulong, \
884 &type_hex, &type_hex, 0 } },
886 { SALSA20_NAME_##r "-core", v_core_##r, \
887 { &type_int, &type_hex, &type_hex, 0 } }, \
888 DEFxTAB("", salsa20, r)
889 #define DEFXTAB(r) DEFxTAB("x", xsalsa20, r)
891 SALSA20_VARS(DEFXTAB
)
895 int main(int argc
, char *argv
[])
897 test_run(argc
, argv
, defs
, SRCDIR
"/t/salsa20");
903 /*----- That's all, folks -------------------------------------------------*/