~mdw / catacomb / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
symm/{chacha,salsa20}.c: Abstract out cipher and rand initialization.
[catacomb] / symm / chacha.c
1 /* -*-c-*-
2 *
3 * ChaCha stream cipher
4 *
5 * (c) 2015 Straylight/Edgeware
6 */
7
8 /*----- Licensing notice --------------------------------------------------*
9 *
10 * This file is part of Catacomb.
11 *
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
16 *
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
21 *
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
25 * MA 02111-1307, USA.
26 */
27
28 /*----- Header files ------------------------------------------------------*/
29
30 #include "config.h"
31
32 #include <stdarg.h>
33
34 #include <mLib/bits.h>
35
36 #include "arena.h"
37 #include "chacha.h"
38 #include "chacha-core.h"
39 #include "dispatch.h"
40 #include "gcipher.h"
41 #include "grand.h"
42 #include "keysz.h"
43 #include "paranoia.h"
44
45 /*----- Global variables --------------------------------------------------*/
46
47 const octet chacha_keysz[] = { KSZ_SET, 32, 16, 10, 0 };
48
49 /*----- The ChaCha core function and utilities ----------------------------*/
50
51 /* --- @core@ --- *
52 *
53 * Arguments: @unsigned r@ = number of rounds
54 * @const chacha_matrix src@ = input matrix
55 * @chacha_matrix dest@ = where to put the output
56 *
57 * Returns: ---
58 *
59 *
60 * Use: Apply the ChaCha/r core function to @src@, writing the
61 * result to @dest@. This consists of @r@ rounds followed by
62 * the feedforward step.
63 */
64
65 CPU_DISPATCH(static, (void), void, core,
66 (unsigned r, const chacha_matrix src, chacha_matrix dest),
67 (r, src, dest), pick_core, simple_core);
68
69 static void simple_core(unsigned r, const chacha_matrix src,
70 chacha_matrix dest)
71 { CHACHA_nR(dest, src, r); CHACHA_FFWD(dest, src); }
72
73 #if CPUFAM_X86 || CPUFAM_AMD64
74 extern core__functype chacha_core_x86ish_sse2;
75 #endif
76
77 #if CPUFAM_ARMEL
78 extern core__functype chacha_core_arm_neon;
79 #endif
80
81 static core__functype *pick_core(void)
82 {
83 #if CPUFAM_X86 || CPUFAM_AMD64
84 DISPATCH_PICK_COND(chacha_core, chacha_core_x86ish_sse2,
85 cpu_feature_p(CPUFEAT_X86_SSE2));
86 #endif
87 #if CPUFAM_ARMEL
88 DISPATCH_PICK_COND(chacha_core, chacha_core_arm_neon,
89 cpu_feature_p(CPUFEAT_ARM_NEON));
90 #endif
91 DISPATCH_PICK_FALLBACK(chacha_core, simple_core);
92 }
93
94 /* --- @populate@ --- *
95 *
96 * Arguments: @chacha_matrix a@ = a matrix to fill in
97 * @const void *key@ = pointer to key material
98 * @size_t ksz@ = size of key
99 *
100 * Returns: ---
101 *
102 * Use: Fills in a ChaCha matrix from the key, setting the
103 * appropriate constants according to the key length. The nonce
104 * and position words are left uninitialized.
105 */
106
107 static void populate(chacha_matrix a, const void *key, size_t ksz)
108 {
109 const octet *k = key;
110
111 KSZ_ASSERT(chacha, ksz);
112
113 a[ 4] = LOAD32_L(k + 0);
114 a[ 5] = LOAD32_L(k + 4);
115 if (ksz == 10) {
116 a[ 6] = LOAD16_L(k + 8);
117 a[ 7] = 0;
118 } else {
119 a[ 6] = LOAD32_L(k + 8);
120 a[ 7] = LOAD32_L(k + 12);
121 }
122 if (ksz <= 16) {
123 a[ 8] = a[ 4];
124 a[ 9] = a[ 5];
125 a[10] = a[ 6];
126 a[11] = a[ 7];
127 a[ 0] = CHACHA_A128;
128 a[ 1] = CHACHA_B128;
129 a[ 2] = ksz == 10 ? CHACHA_C80 : CHACHA_C128;
130 a[ 3] = CHACHA_D128;
131 } else {
132 a[ 8] = LOAD32_L(k + 16);
133 a[ 9] = LOAD32_L(k + 20);
134 a[10] = LOAD32_L(k + 24);
135 a[11] = LOAD32_L(k + 28);
136 a[ 0] = CHACHA_A256;
137 a[ 1] = CHACHA_B256;
138 a[ 2] = CHACHA_C256;
139 a[ 3] = CHACHA_D256;
140 }
141 }
142
143 /*----- ChaCha implementation ---------------------------------------------*/
144
145 /* --- @chacha_init@ --- *
146 *
147 * Arguments: @chacha_ctx *ctx@ = context to fill in
148 * @const void *key@ = pointer to key material
149 * @size_t ksz@ = size of key (either 32 or 16)
150 * @const void *nonce@ = initial nonce, or null
151 *
152 * Returns: ---
153 *
154 * Use: Initializes a ChaCha context ready for use.
155 */
156
157 void chacha_init(chacha_ctx *ctx, const void *key, size_t ksz,
158 const void *nonce)
159 {
160 static const octet zerononce[CHACHA_NONCESZ];
161
162 populate(ctx->a, key, ksz);
163 chacha_setnonce(ctx, nonce ? nonce : zerononce);
164 }
165
166 /* --- @chacha_setnonce@ --- *
167 *
168 * Arguments: @chacha_ctx *ctx@ = pointer to context
169 * @const void *nonce@ = the nonce (@CHACHA_NONCESZ@ bytes)
170 *
171 * Returns: ---
172 *
173 * Use: Set a new nonce in the context @ctx@, e.g., for processing a
174 * different message. The stream position is reset to zero (see
175 * @chacha_seek@ etc.).
176 */
177
178 void chacha_setnonce(chacha_ctx *ctx, const void *nonce)
179 {
180 const octet *n = nonce;
181
182 ctx->a[14] = LOAD32_L(n + 0);
183 ctx->a[15] = LOAD32_L(n + 4);
184 chacha_seek(ctx, 0);
185 }
186
187 /* --- @chacha_seek{,u64}@ --- *
188 *
189 * Arguments: @chacha_ctx *ctx@ = pointer to context
190 * @unsigned long i@, @kludge64 i@ = new position to set
191 *
192 * Returns: ---
193 *
194 * Use: Sets a new stream position, in units of Chacha output
195 * blocks, which are @CHACHA_OUTSZ@ bytes each. Byte
196 * granularity can be achieved by calling @chachaR_encrypt@
197 * appropriately.
198 */
199
200 void chacha_seek(chacha_ctx *ctx, unsigned long i)
201 { kludge64 ii; ASSIGN64(ii, i); chacha_seeku64(ctx, ii); }
202
203 void chacha_seeku64(chacha_ctx *ctx, kludge64 i)
204 {
205 ctx->a[12] = LO64(i); ctx->a[13] = HI64(i);
206 ctx->bufi = CHACHA_OUTSZ;
207 }
208
209 /* --- @chacha_tell{,u64}@ --- *
210 *
211 * Arguments: @chacha_ctx *ctx@ = pointer to context
212 *
213 * Returns: The current position in the output stream, in blocks,
214 * rounding upwards.
215 */
216
217 unsigned long chacha_tell(chacha_ctx *ctx)
218 { kludge64 i = chacha_tellu64(ctx); return (GET64(unsigned long, i)); }
219
220 kludge64 chacha_tellu64(chacha_ctx *ctx)
221 { kludge64 i; SET64(i, ctx->a[13], ctx->a[12]); return (i); }
222
223 /* --- @chacha{20,12,8}_encrypt@ --- *
224 *
225 * Arguments: @chacha_ctx *ctx@ = pointer to context
226 * @const void *src@ = source buffer (or null)
227 * @void *dest@ = destination buffer (or null)
228 * @size_t sz@ = size of the buffers
229 *
230 * Returns: ---
231 *
232 * Use: Encrypts or decrypts @sz@ bytes of data from @src@ to @dest@.
233 * ChaCha works by XORing plaintext with a keystream, so
234 * encryption and decryption are the same operation. If @dest@
235 * is null then ignore @src@ and skip @sz@ bytes of the
236 * keystream. If @src@ is null, then just write the keystream
237 * to @dest@.
238 */
239
240 #define CHACHA_ENCRYPT(r, ctx, src, dest, sz) \
241 chacha##r##_encrypt(ctx, src, dest, sz)
242 #define DEFENCRYPT(r) \
243 void CHACHA_ENCRYPT(r, chacha_ctx *ctx, const void *src, \
244 void *dest, size_t sz) \
245 { \
246 chacha_matrix b; \
247 const octet *s = src; \
248 octet *d = dest; \
249 size_t n; \
250 kludge64 pos, delta; \
251 \
252 SALSA20_OUTBUF(ctx, d, s, sz); \
253 if (!sz) return; \
254 \
255 if (!dest) { \
256 n = sz/CHACHA_OUTSZ; \
257 pos = chacha_tellu64(ctx); \
258 ASSIGN64(delta, n); \
259 ADD64(pos, pos, delta); \
260 chacha_seeku64(ctx, pos); \
261 sz = sz%CHACHA_OUTSZ; \
262 } else if (!src) { \
263 while (sz >= CHACHA_OUTSZ) { \
264 core(r, ctx->a, b); \
265 CHACHA_STEP(ctx->a); \
266 SALSA20_GENFULL(b, d); \
267 sz -= CHACHA_OUTSZ; \
268 } \
269 } else { \
270 while (sz >= CHACHA_OUTSZ) { \
271 core(r, ctx->a, b); \
272 CHACHA_STEP(ctx->a); \
273 SALSA20_MIXFULL(b, d, s); \
274 sz -= CHACHA_OUTSZ; \
275 } \
276 } \
277 \
278 if (sz) { \
279 core(r, ctx->a, b); \
280 CHACHA_STEP(ctx->a); \
281 SALSA20_PREPBUF(ctx, b); \
282 SALSA20_OUTBUF(ctx, d, s, sz); \
283 assert(!sz); \
284 } \
285 }
286 CHACHA_VARS(DEFENCRYPT)
287
288 /*----- HChaCha implementation --------------------------------------------*/
289
290 #define HCHACHA_RAW(r, ctx, src, dest) hchacha##r##_raw(ctx, src, dest)
291 #define HCHACHA_PRF(r, ctx, src, dest) hchacha##r##_prf(ctx, src, dest)
292
293 /* --- @hchacha{20,12,8}_prf@ --- *
294 *
295 * Arguments: @chacha_ctx *ctx@ = pointer to context
296 * @const void *src@ = the input (@HCHACHA_INSZ@ bytes)
297 * @void *dest@ = the output (@HCHACHA_OUTSZ@ bytes)
298 *
299 * Returns: ---
300 *
301 * Use: Apply the HChacha/r pseudorandom function to @src@, writing
302 * the result to @out@.
303 */
304
305 #define DEFHCHACHA(r) \
306 static void HCHACHA_RAW(r, chacha_matrix k, \
307 const uint32 *src, uint32 *dest) \
308 { \
309 chacha_matrix a; \
310 int i; \
311 \
312 /* --- HChaCha, computed from full ChaCha --- * \
313 * \
314 * The security proof makes use of the fact that HChaCha (i.e., \
315 * without the final feedforward step) can be computed from full \
316 * ChaCha using only knowledge of the non-secret input. I don't \
317 * want to compromise the performance of the main function by \
318 * making the feedforward step separate, but this operation is less \
319 * speed critical, so we do it the harder way. \
320 */ \
321 \
322 for (i = 0; i < 4; i++) k[12 + i] = src[i]; \
323 core(r, k, a); \
324 for (i = 0; i < 8; i++) dest[i] = a[(i + 4)^4] - k[(i + 4)^4]; \
325 } \
326 \
327 void HCHACHA_PRF(r, chacha_ctx *ctx, const void *src, void *dest) \
328 { \
329 const octet *s = src; \
330 octet *d = dest; \
331 uint32 in[4], out[8]; \
332 int i; \
333 \
334 for (i = 0; i < 4; i++) in[i] = LOAD32_L(s + 4*i); \
335 HCHACHA_RAW(r, ctx->a, in, out); \
336 for (i = 0; i < 8; i++) STORE32_L(d + 4*i, out[i]); \
337 }
338 CHACHA_VARS(DEFHCHACHA)
339
340 /*----- XChaCha implementation -------------------------------------------*/
341
342 /* --- Some convenient macros for naming functions --- *
343 *
344 * Because the crypto core is involved in XChaCha/r's per-nonce setup, we
345 * need to take an interest in the number of rounds in most of the various
346 * functions, and it will probably help if we distinguish the context
347 * structures for the various versions.
348 */
349
350 #define XCHACHA_CTX(r) xchacha##r##_ctx
351 #define XCHACHA_INIT(r, ctx, k, ksz, n) xchacha##r##_init(ctx, k, ksz, n)
352 #define XCHACHA_SETNONCE(r, ctx, n) xchacha##r##_setnonce(ctx, n)
353 #define XCHACHA_SEEK(r, ctx, i) xchacha##r##_seek(ctx, i)
354 #define XCHACHA_SEEKU64(r, ctx, i) xchacha##r##_seeku64(ctx, i)
355 #define XCHACHA_TELL(r, ctx) xchacha##r##_tell(ctx)
356 #define XCHACHA_TELLU64(r, ctx) xchacha##r##_tellu64(ctx)
357 #define XCHACHA_ENCRYPT(r, ctx, src, dest, sz) \
358 xchacha##r##_encrypt(ctx, src, dest, sz)
359
360 /* --- @xchacha{20,12,8}_init@ --- *
361 *
362 * Arguments: @xchachaR_ctx *ctx@ = the context to fill in
363 * @const void *key@ = pointer to key material
364 * @size_t ksz@ = size of key (either 32 or 16)
365 * @const void *nonce@ = initial nonce, or null
366 *
367 * Returns: ---
368 *
369 * Use: Initializes an XChaCha/r context ready for use.
370 *
371 * There is a different function for each number of rounds,
372 * unlike for plain ChaCha.
373 */
374
375 #define DEFXINIT(r) \
376 void XCHACHA_INIT(r, XCHACHA_CTX(r) *ctx, \
377 const void *key, size_t ksz, const void *nonce) \
378 { \
379 static const octet zerononce[XCHACHA_NONCESZ]; \
380 \
381 populate(ctx->k, key, ksz); \
382 ctx->s.a[ 0] = CHACHA_A256; \
383 ctx->s.a[ 1] = CHACHA_B256; \
384 ctx->s.a[ 2] = CHACHA_C256; \
385 ctx->s.a[ 3] = CHACHA_D256; \
386 XCHACHA_SETNONCE(r, ctx, nonce ? nonce : zerononce); \
387 }
388 CHACHA_VARS(DEFXINIT)
389
390 /* --- @xchacha{20,12,8}_setnonce@ --- *
391 *
392 * Arguments: @xchachaR_ctx *ctx@ = pointer to context
393 * @const void *nonce@ = the nonce (@XCHACHA_NONCESZ@ bytes)
394 *
395 * Returns: ---
396 *
397 * Use: Set a new nonce in the context @ctx@, e.g., for processing a
398 * different message. The stream position is reset to zero (see
399 * @chacha_seek@ etc.).
400 *
401 * There is a different function for each number of rounds,
402 * unlike for plain ChaCha.
403 */
404
405 #define DEFXNONCE(r) \
406 void XCHACHA_SETNONCE(r, XCHACHA_CTX(r) *ctx, const void *nonce) \
407 { \
408 const octet *n = nonce; \
409 uint32 in[4]; \
410 int i; \
411 \
412 for (i = 0; i < 4; i++) in[i] = LOAD32_L(n + 4*i); \
413 HCHACHA_RAW(r, ctx->k, in, ctx->s.a + 4); \
414 chacha_setnonce(&ctx->s, n + 16); \
415 }
416 CHACHA_VARS(DEFXNONCE)
417
418 /* --- @xchacha{20,12,8}_seek{,u64}@ --- *
419 *
420 * Arguments: @xchachaR_ctx *ctx@ = pointer to context
421 * @unsigned long i@, @kludge64 i@ = new position to set
422 *
423 * Returns: ---
424 *
425 * Use: Sets a new stream position, in units of ChaCha output
426 * blocks, which are @XCHACHA_OUTSZ@ bytes each. Byte
427 * granularity can be achieved by calling @xchachaR_encrypt@
428 * appropriately.
429 *
430 * There is a different function for each number of rounds,
431 * unlike for plain ChaCha, because the context structures are
432 * different.
433 */
434
435 /* --- @xchacha{20,12,8}_tell{,u64}@ --- *
436 *
437 * Arguments: @chacha_ctx *ctx@ = pointer to context
438 *
439 * Returns: The current position in the output stream, in blocks,
440 * rounding upwards.
441 *
442 * There is a different function for each number of rounds,
443 * unlike for plain ChaCha, because the context structures are
444 * different.
445 */
446
447 /* --- @xchacha{20,12,8}_encrypt@ --- *
448 *
449 * Arguments: @xchachaR_ctx *ctx@ = pointer to context
450 * @const void *src@ = source buffer (or null)
451 * @void *dest@ = destination buffer (or null)
452 * @size_t sz@ = size of the buffers
453 *
454 * Returns: ---
455 *
456 * Use: Encrypts or decrypts @sz@ bytes of data from @src@ to @dest@.
457 * XChaCha works by XORing plaintext with a keystream, so
458 * encryption and decryption are the same operation. If @dest@
459 * is null then ignore @src@ and skip @sz@ bytes of the
460 * keystream. If @src@ is null, then just write the keystream
461 * to @dest@.
462 */
463
464 #define DEFXPASSTHRU(r) \
465 void XCHACHA_SEEK(r, XCHACHA_CTX(r) *ctx, unsigned long i) \
466 { chacha_seek(&ctx->s, i); } \
467 void XCHACHA_SEEKU64(r, XCHACHA_CTX(r) *ctx, kludge64 i) \
468 { chacha_seeku64(&ctx->s, i); } \
469 unsigned long XCHACHA_TELL(r, XCHACHA_CTX(r) *ctx) \
470 { return chacha_tell(&ctx->s); } \
471 kludge64 XCHACHA_TELLU64(r, XCHACHA_CTX(r) *ctx) \
472 { return chacha_tellu64(&ctx->s); } \
473 void XCHACHA_ENCRYPT(r, XCHACHA_CTX(r) *ctx, \
474 const void *src, void *dest, size_t sz) \
475 { CHACHA_ENCRYPT(r, &ctx->s, src, dest, sz); }
476 CHACHA_VARS(DEFXPASSTHRU)
477
478 /*----- Generic cipher interface ------------------------------------------*/
479
480 typedef struct gctx { gcipher c; chacha_ctx ctx; } gctx;
481
482 static void gsetiv(gcipher *c, const void *iv)
483 { gctx *g = (gctx *)c; chacha_setnonce(&g->ctx, iv); }
484
485 static void gdestroy(gcipher *c)
486 { gctx *g = (gctx *)c; BURN(*g); S_DESTROY(g); }
487
488 static gcipher *ginit(const void *k, size_t sz, const gcipher_ops *ops)
489 {
490 gctx *g = S_CREATE(gctx);
491 g->c.ops = ops;
492 chacha_init(&g->ctx, k, sz, 0);
493 return (&g->c);
494 }
495
496 #define DEFGCIPHER(r) \
497 \
498 static const gcipher_ops gops_##r; \
499 \
500 static gcipher *ginit_##r(const void *k, size_t sz) \
501 { return (ginit(k, sz, &gops_##r)); } \
502 \
503 static void gencrypt_##r(gcipher *c, const void *s, \
504 void *t, size_t sz) \
505 { gctx *g = (gctx *)c; CHACHA_ENCRYPT(r, &g->ctx, s, t, sz); } \
506 \
507 static const gcipher_ops gops_##r = { \
508 &chacha##r, \
509 gencrypt_##r, gencrypt_##r, gdestroy, gsetiv, 0 \
510 }; \
511 \
512 const gccipher chacha##r = { \
513 "chacha" #r, chacha_keysz, \
514 CHACHA_NONCESZ, ginit_##r \
515 };
516
517 CHACHA_VARS(DEFGCIPHER)
518
519 #define DEFGXCIPHER(r) \
520 \
521 typedef struct { gcipher c; XCHACHA_CTX(r) ctx; } gxctx_##r; \
522 \
523 static void gxsetiv_##r(gcipher *c, const void *iv) \
524 { gxctx_##r *g = (gxctx_##r *)c; XCHACHA_SETNONCE(r, &g->ctx, iv); } \
525 \
526 static void gxdestroy_##r(gcipher *c) \
527 { gxctx_##r *g = (gxctx_##r *)c; BURN(*g); S_DESTROY(g); } \
528 \
529 static const gcipher_ops gxops_##r; \
530 \
531 static gcipher *gxinit_##r(const void *k, size_t sz) \
532 { \
533 gxctx_##r *g = S_CREATE(gxctx_##r); \
534 g->c.ops = &gxops_##r; \
535 XCHACHA_INIT(r, &g->ctx, k, sz, 0); \
536 return (&g->c); \
537 } \
538 \
539 static void gxencrypt_##r(gcipher *c, const void *s, \
540 void *t, size_t sz) \
541 { \
542 gxctx_##r *g = (gxctx_##r *)c; \
543 XCHACHA_ENCRYPT(r, &g->ctx, s, t, sz); \
544 } \
545 \
546 static const gcipher_ops gxops_##r = { \
547 &xchacha##r, \
548 gxencrypt_##r, gxencrypt_##r, gxdestroy_##r, gxsetiv_##r, 0 \
549 }; \
550 \
551 const gccipher xchacha##r = { \
552 "xchacha" #r, chacha_keysz, \
553 CHACHA_NONCESZ, gxinit_##r \
554 };
555
556 CHACHA_VARS(DEFGXCIPHER)
557
558 /*----- Generic random number generator interface -------------------------*/
559
560 typedef struct grops {
561 size_t noncesz;
562 void (*seek)(void *, kludge64);
563 kludge64 (*tell)(void *);
564 void (*setnonce)(void *, const void *);
565 void (*generate)(void *, void *, size_t);
566 } grops;
567
568 typedef struct grbasectx {
569 grand r;
570 const grops *ops;
571 } grbasectx;
572
573 static int grmisc(grand *r, unsigned op, ...)
574 {
575 octet buf[XCHACHA_NONCESZ];
576 grbasectx *g = (grbasectx *)r;
577 grand *rr;
578 const octet *p;
579 size_t sz;
580 uint32 i;
581 unsigned long ul;
582 kludge64 pos;
583 va_list ap;
584 int rc = 0;
585
586 va_start(ap, op);
587
588 switch (op) {
589 case GRAND_CHECK:
590 switch (va_arg(ap, unsigned)) {
591 case GRAND_CHECK:
592 case GRAND_SEEDINT:
593 case GRAND_SEEDUINT32:
594 case GRAND_SEEDBLOCK:
595 case GRAND_SEEDRAND:
596 case CHACHA_SEEK:
597 case CHACHA_SEEKU64:
598 case CHACHA_TELL:
599 case CHACHA_TELLU64:
600 rc = 1;
601 break;
602 default:
603 rc = 0;
604 break;
605 }
606 break;
607
608 case GRAND_SEEDINT:
609 i = va_arg(ap, unsigned); STORE32_L(buf, i);
610 memset(buf + 4, 0, g->ops->noncesz - 4);
611 g->ops->setnonce(g, buf);
612 break;
613 case GRAND_SEEDUINT32:
614 i = va_arg(ap, uint32); STORE32_L(buf, i);
615 memset(buf + 4, 0, g->ops->noncesz - 4);
616 g->ops->setnonce(g, buf);
617 break;
618 case GRAND_SEEDBLOCK:
619 p = va_arg(ap, const void *);
620 sz = va_arg(ap, size_t);
621 if (sz < g->ops->noncesz) {
622 memcpy(buf, p, sz);
623 memset(buf + sz, 0, g->ops->noncesz - sz);
624 p = buf;
625 }
626 g->ops->setnonce(g, p);
627 break;
628 case GRAND_SEEDRAND:
629 rr = va_arg(ap, grand *);
630 rr->ops->fill(rr, buf, g->ops->noncesz);
631 g->ops->setnonce(g, buf);
632 break;
633 case CHACHA_SEEK:
634 ul = va_arg(ap, unsigned long); ASSIGN64(pos, ul);
635 g->ops->seek(g, pos);
636 break;
637 case CHACHA_SEEKU64:
638 pos = va_arg(ap, kludge64);
639 g->ops->seek(g, pos);
640 break;
641 case CHACHA_TELL:
642 pos = g->ops->tell(g);
643 *va_arg(ap, unsigned long *) = GET64(unsigned long, pos);
644 break;
645 case CHACHA_TELLU64:
646 *va_arg(ap, kludge64 *) = g->ops->tell(g);
647 break;
648 default:
649 GRAND_BADOP;
650 break;
651 }
652
653 return (rc);
654 }
655
656 static octet grbyte(grand *r)
657 {
658 grbasectx *g = (grbasectx *)r;
659 octet o;
660 g->ops->generate(g, &o, 1);
661 return (o);
662 }
663
664 static uint32 grword(grand *r)
665 {
666 grbasectx *g = (grbasectx *)r;
667 octet b[4];
668 g->ops->generate(g, b, sizeof(b));
669 return (LOAD32_L(b));
670 }
671
672 static void grfill(grand *r, void *p, size_t sz)
673 {
674 grbasectx *g = (grbasectx *)r;
675 g->ops->generate(r, p, sz);
676 }
677
678 typedef struct grctx {
679 grbasectx r;
680 chacha_ctx ctx;
681 } grctx;
682
683 static void gr_seek(void *r, kludge64 pos)
684 { grctx *g = r; chacha_seeku64(&g->ctx, pos); }
685
686 static kludge64 gr_tell(void *r)
687 { grctx *g = r; return (chacha_tellu64(&g->ctx)); }
688
689 static void gr_setnonce(void *r, const void *n)
690 { grctx *g = r; chacha_setnonce(&g->ctx, n); }
691
692 static void grdestroy(grand *r)
693 { grctx *g = (grctx *)r; BURN(*g); S_DESTROY(g); }
694
695 static grand *grinit(const void *k, size_t ksz, const void *n,
696 const grand_ops *ops, const grops *myops)
697 {
698 grctx *g = S_CREATE(grctx);
699 g->r.r.ops = ops;
700 g->r.ops = myops;
701 chacha_init(&g->ctx, k, ksz, 0);
702 myops->setnonce(g, n);
703 return (&g->r.r);
704 }
705
706 #define DEFGRAND(rr) \
707 \
708 static void gr_generate_##rr(void *r, void *b, size_t sz) \
709 { grctx *g = r; CHACHA_ENCRYPT(rr, &g->ctx, 0, b, sz); } \
710 \
711 static const grops grops_##rr = \
712 { CHACHA_NONCESZ, gr_seek, gr_tell, \
713 gr_setnonce, gr_generate_##rr }; \
714 \
715 static const grand_ops grops_rand_##rr = { \
716 "chacha" #rr, GRAND_CRYPTO, 0, \
717 grmisc, grdestroy, grword, \
718 grbyte, grword, grand_defaultrange, grfill \
719 }; \
720 \
721 grand *chacha##rr##_rand(const void *k, size_t ksz, const void *n) \
722 { return (grinit(k, ksz, n, &grops_rand_##rr, &grops_##rr)); }
723 CHACHA_VARS(DEFGRAND)
724
725 #define DEFXGRAND(rr) \
726 \
727 typedef struct grxctx_##rr { \
728 grbasectx r; \
729 XCHACHA_CTX(rr) ctx; \
730 } grxctx_##rr; \
731 \
732 static void grx_seek_##rr(void *r, kludge64 pos) \
733 { grxctx_##rr *g = r; XCHACHA_SEEKU64(rr, &g->ctx, pos); } \
734 \
735 static kludge64 grx_tell_##rr(void *r) \
736 { grxctx_##rr *g = r; return (XCHACHA_TELLU64(rr, &g->ctx)); } \
737 \
738 static void grx_setnonce_##rr(void *r, const void *n) \
739 { grxctx_##rr *g = r; XCHACHA_SETNONCE(rr, &g->ctx, n); } \
740 \
741 static void grxdestroy_##rr(grand *r) \
742 { grxctx_##rr *g = (grxctx_##rr *)r; BURN(*g); S_DESTROY(g); } \
743 \
744 static void grx_generate_##rr(void *r, void *b, size_t sz) \
745 { grxctx_##rr *g = r; XCHACHA_ENCRYPT(rr, &g->ctx, 0, b, sz); } \
746 \
747 static const grops grxops_##rr = \
748 { XCHACHA_NONCESZ, grx_seek_##rr, grx_tell_##rr, \
749 grx_setnonce_##rr, grx_generate_##rr }; \
750 \
751 static const grand_ops grxops_rand_##rr = { \
752 "xchacha" #rr, GRAND_CRYPTO, 0, \
753 grmisc, grxdestroy_##rr, grword, \
754 grbyte, grword, grand_defaultrange, grfill \
755 }; \
756 \
757 grand *xchacha##rr##_rand(const void *k, size_t ksz, const void *n) \
758 { \
759 grxctx_##rr *g = S_CREATE(grxctx_##rr); \
760 g->r.r.ops = &grxops_rand_##rr; \
761 g->r.ops = &grxops_##rr; \
762 XCHACHA_INIT(rr, &g->ctx, k, ksz, n); \
763 return (&g->r.r); \
764 }
765 CHACHA_VARS(DEFXGRAND)
766
767 /*----- Test rig ----------------------------------------------------------*/
768
769 #ifdef TEST_RIG
770
771 #include <stdio.h>
772 #include <string.h>
773
774 #include <mLib/quis.h>
775 #include <mLib/testrig.h>
776
777 #define DEFVCORE(r) \
778 static int v_core_##r(dstr *v) \
779 { \
780 chacha_matrix a, b; \
781 dstr d = DSTR_INIT; \
782 int i, n; \
783 int ok = 1; \
784 \
785 DENSURE(&d, CHACHA_OUTSZ); d.len = CHACHA_OUTSZ; \
786 n = *(int *)v[0].buf; \
787 for (i = 0; i < CHACHA_OUTSZ/4; i++) \
788 a[i] = LOAD32_L(v[1].buf + 4*i); \
789 for (i = 0; i < n; i++) { \
790 core(r, a, b); \
791 memcpy(a, b, sizeof(a)); \
792 } \
793 for (i = 0; i < CHACHA_OUTSZ/4; i++) STORE32_L(d.buf + 4*i, a[i]); \
794 \
795 if (d.len != v[2].len || memcmp(d.buf, v[2].buf, v[2].len) != 0) { \
796 ok = 0; \
797 printf("\nfail core:" \
798 "\n\titerations = %d" \
799 "\n\tin = ", n); \
800 type_hex.dump(&v[1], stdout); \
801 printf("\n\texpected = "); \
802 type_hex.dump(&v[2], stdout); \
803 printf("\n\tcalculated = "); \
804 type_hex.dump(&d, stdout); \
805 putchar('\n'); \
806 } \
807 \
808 dstr_destroy(&d); \
809 return (ok); \
810 }
811 CHACHA_VARS(DEFVCORE)
812
813 #define CHACHA_CTX(r) chacha_ctx
814 #define CHACHA_INIT(r, ctx, k, ksz, n) chacha_init(ctx, k, ksz, n)
815 #define CHACHA_SEEKU64(r, ctx, i) chacha_seeku64(ctx, i)
816 #define XCHACHA_SEEKU64(r, ctx, i) xchacha##r##_seeku64(ctx, i)
817
818 #define DEFxVENC(base, BASE, r) \
819 static int v_encrypt_##base##_##r(dstr *v) \
820 { \
821 BASE##_CTX(r) ctx; \
822 dstr d = DSTR_INIT; \
823 kludge64 pos; \
824 const octet *p, *p0; \
825 octet *q; \
826 size_t sz, sz0, step; \
827 unsigned long skip; \
828 int ok = 1; \
829 \
830 if (v[4].len) { p0 = (const octet *)v[4].buf; sz0 = v[4].len; } \
831 else { p0 = 0; sz0 = v[5].len; } \
832 DENSURE(&d, sz0); d.len = sz0; \
833 skip = *(unsigned long *)v[3].buf; \
834 \
835 step = 0; \
836 while (step < sz0 + skip) { \
837 step = step ? 3*step + 4 : 1; \
838 if (step > sz0 + skip) step = sz0 + skip; \
839 BASE##_INIT(r, &ctx, v[0].buf, v[0].len, v[1].buf); \
840 if (v[2].len) { \
841 LOAD64_(pos, v[2].buf); \
842 BASE##_SEEKU64(r, &ctx, pos); \
843 } \
844 \
845 for (sz = skip; sz >= step; sz -= step) \
846 BASE##_ENCRYPT(r, &ctx, 0, 0, step); \
847 if (sz) BASE##_ENCRYPT(r, &ctx, 0, 0, sz); \
848 for (p = p0, q = (octet *)d.buf, sz = sz0; \
849 sz >= step; \
850 sz -= step, q += step) { \
851 BASE##_ENCRYPT(r, &ctx, p, q, step); \
852 if (p) p += step; \
853 } \
854 if (sz) BASE##_ENCRYPT(r, &ctx, p, q, sz); \
855 \
856 if (d.len != v[5].len || memcmp(d.buf, v[5].buf, v[5].len) != 0) { \
857 ok = 0; \
858 printf("\nfail encrypt:" \
859 "\n\tstep = %lu" \
860 "\n\tkey = ", (unsigned long)step); \
861 type_hex.dump(&v[0], stdout); \
862 printf("\n\tnonce = "); \
863 type_hex.dump(&v[1], stdout); \
864 printf("\n\tposition = "); \
865 type_hex.dump(&v[2], stdout); \
866 printf("\n\tskip = %lu", skip); \
867 printf("\n\tmessage = "); \
868 type_hex.dump(&v[4], stdout); \
869 printf("\n\texpected = "); \
870 type_hex.dump(&v[5], stdout); \
871 printf("\n\tcalculated = "); \
872 type_hex.dump(&d, stdout); \
873 putchar('\n'); \
874 } \
875 } \
876 \
877 dstr_destroy(&d); \
878 return (ok); \
879 }
880 #define DEFVENC(r) DEFxVENC(chacha, CHACHA, r)
881 #define DEFXVENC(r) DEFxVENC(xchacha, XCHACHA, r)
882 CHACHA_VARS(DEFVENC)
883 CHACHA_VARS(DEFXVENC)
884
885 static test_chunk defs[] = {
886 #define DEFxTAB(base, r) \
887 { #base #r, v_encrypt_##base##_##r, \
888 { &type_hex, &type_hex, &type_hex, &type_ulong, \
889 &type_hex, &type_hex, 0 } },
890 #define DEFTAB(r) \
891 { "chacha" #r "-core", v_core_##r, \
892 { &type_int, &type_hex, &type_hex, 0 } }, \
893 DEFxTAB(chacha, r)
894 #define DEFXTAB(r) DEFxTAB(xchacha, r)
895 CHACHA_VARS(DEFTAB)
896 CHACHA_VARS(DEFXTAB)
897 { 0, 0, { 0 } }
898 };
899
900 int main(int argc, char *argv[])
901 {
902 test_run(argc, argv, defs, SRCDIR"/t/chacha");
903 return (0);
904 }
905
906 #endif
907
908 /*----- That's all, folks -------------------------------------------------*/
Catacomb cryptographic library