From 1778ca95377e045bd56a0a99d4d27b476ed85345 Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Thu, 26 May 2016 09:26:09 +0100 Subject: [PATCH] symm/{chacha,salsa20}.[ch]: Support RFC7539-style 96-bit nonces. I think these are a bad idea, but they'll be popular (and are etched into the AEAD proposal). --- .gitignore | 6 ++++ symm/Makefile.am | 8 +++++ symm/chacha.c | 83 +++++++++++++++++++++++++++++++++++++++++++++++----- symm/chacha.h | 35 ++++++++++++++++------ symm/salsa20.c | 83 +++++++++++++++++++++++++++++++++++++++++++++++----- symm/salsa20.h | 33 ++++++++++++++++----- symm/t/chacha | 38 ++++++++++++++++++++++++ symm/t/salsa20.local | 8 +++++ 8 files changed, 263 insertions(+), 31 deletions(-) diff --git a/.gitignore b/.gitignore index d8ded004..184465d3 100644 --- a/.gitignore +++ b/.gitignore @@ -14,6 +14,9 @@ symm/stubs.am /symm/safersk.h /symm/salsa2012.h /symm/salsa208.h +/symm/salsa20-ietf.h +/symm/salsa2012-ietf.h +/symm/salsa208-ietf.h /symm/sha224.h /symm/sha384.h /symm/whirlpool256.h @@ -28,4 +31,7 @@ symm/stubs.am /symm/chacha12.h /symm/chacha20.h /symm/chacha8.h +/symm/chacha12-ietf.h +/symm/chacha20-ietf.h +/symm/chacha8-ietf.h /symm/xchacha.h diff --git a/symm/Makefile.am b/symm/Makefile.am index ee3d4172..c30fd7e5 100644 --- a/symm/Makefile.am +++ b/symm/Makefile.am @@ -410,9 +410,13 @@ libsymm_la_SOURCES += salsa20-arm-neon.S endif TESTS += salsa20.t$(EXEEXT) ALL_CIPHERS += salsa20 salsa2012 salsa208 +ALL_CIPHERS += salsa20-ietf salsa2012-ietf salsa208-ietf ALL_CIPHERS += xsalsa20 xsalsa2012 xsalsa208 STUBS_HDR += Salsa20/12,salsa2012,salsa20 STUBS_HDR += Salsa20/8,salsa208,salsa20 +STUBS_HDR += Salsa20-IETF,salsa20-ietf,salsa20 +STUBS_HDR += Salsa20/12-IETF,salsa2012-ietf,salsa20 +STUBS_HDR += Salsa20/8-IETF,salsa208-ietf,salsa20 STUBS_HDR += XSalsa20,xsalsa20,salsa20 STUBS_HDR += XSalsa20/12,xsalsa2012,salsa20 STUBS_HDR += XSalsa20/8,xsalsa208,salsa20 @@ -446,10 +450,14 @@ endif TESTS += chacha.t$(EXEEXT) EXTRA_DIST += t/chacha ALL_CIPHERS += chacha20 chacha12 chacha8 +ALL_CIPHERS += chacha20-ietf chacha12-ietf chacha8-ietf ALL_CIPHERS += xchacha20 xchacha12 xchacha8 STUBS_HDR += ChaCha20,chacha20,chacha STUBS_HDR += ChaCha12,chacha12,chacha STUBS_HDR += ChaCha8,chacha8,chacha +STUBS_HDR += ChaCha20-IETF,chacha20-ietf,chacha +STUBS_HDR += ChaCha12-IETF,chacha12-ietf,chacha +STUBS_HDR += ChaCha8-IETF,chacha8-ietf,chacha STUBS_HDR += XChaCha20,xchacha20,chacha STUBS_HDR += XChaCha12,xchacha12,chacha STUBS_HDR += XChaCha8,xchacha8,chacha diff --git a/symm/chacha.c b/symm/chacha.c index 5fc1c12c..655ecd02 100644 --- a/symm/chacha.c +++ b/symm/chacha.c @@ -163,10 +163,11 @@ void chacha_init(chacha_ctx *ctx, const void *key, size_t ksz, chacha_setnonce(ctx, nonce ? nonce : zerononce); } -/* --- @chacha_setnonce@ --- * +/* --- @chacha_setnonce{,_ietf}@ --- * * * Arguments: @chacha_ctx *ctx@ = pointer to context - * @const void *nonce@ = the nonce (@CHACHA_NONCESZ@ bytes) + * @const void *nonce@ = the nonce (@CHACHA_NONCESZ@ or + * @CHACHA_IETF_NONCESZ@ bytes) * * Returns: --- * @@ -184,10 +185,20 @@ void chacha_setnonce(chacha_ctx *ctx, const void *nonce) chacha_seek(ctx, 0); } -/* --- @chacha_seek{,u64}@ --- * +void chacha_setnonce_ietf(chacha_ctx *ctx, const void *nonce) +{ + const octet *n = nonce; + + ctx->a[13] = LOAD32_L(n + 0); + ctx->a[14] = LOAD32_L(n + 4); + ctx->a[15] = LOAD32_L(n + 8); + chacha_seek_ietf(ctx, 0); +} + +/* --- @chacha_seek{,u64,_ietf}@ --- * * * Arguments: @chacha_ctx *ctx@ = pointer to context - * @unsigned long i@, @kludge64 i@ = new position to set + * @unsigned long i@, @kludge64 i@, @uint32 i@ = new position * * Returns: --- * @@ -206,7 +217,10 @@ void chacha_seeku64(chacha_ctx *ctx, kludge64 i) ctx->bufi = CHACHA_OUTSZ; } -/* --- @chacha_tell{,u64}@ --- * +void chacha_seek_ietf(chacha_ctx *ctx, uint32 i) + { ctx->a[12] = i; } + +/* --- @chacha_tell{,u64,_ietf}@ --- * * * Arguments: @chacha_ctx *ctx@ = pointer to context * @@ -220,6 +234,9 @@ unsigned long chacha_tell(chacha_ctx *ctx) kludge64 chacha_tellu64(chacha_ctx *ctx) { kludge64 i; SET64(i, ctx->a[13], ctx->a[12]); return (i); } +uint32 chacha_tell_ietf(chacha_ctx *ctx) + { return (ctx->a[12]); } + /* --- @chacha{20,12,8}_encrypt@ --- * * * Arguments: @chacha_ctx *ctx@ = pointer to context @@ -482,6 +499,9 @@ typedef struct gctx { gcipher c; chacha_ctx ctx; } gctx; static void gsetiv(gcipher *c, const void *iv) { gctx *g = (gctx *)c; chacha_setnonce(&g->ctx, iv); } +static void gsetiv_ietf(gcipher *c, const void *iv) + { gctx *g = (gctx *)c; chacha_setnonce_ietf(&g->ctx, iv); } + static void gdestroy(gcipher *c) { gctx *g = (gctx *)c; BURN(*g); S_DESTROY(g); } @@ -495,11 +515,14 @@ static gcipher *ginit(const void *k, size_t sz, const gcipher_ops *ops) #define DEFGCIPHER(r) \ \ - static const gcipher_ops gops_##r; \ + static const gcipher_ops gops_##r, gops_##r##_ietf; \ \ static gcipher *ginit_##r(const void *k, size_t sz) \ { return (ginit(k, sz, &gops_##r)); } \ \ + static gcipher *ginit_##r##_ietf(const void *k, size_t sz) \ + { return (ginit(k, sz, &gops_##r##_ietf)); } \ + \ static void gencrypt_##r(gcipher *c, const void *s, \ void *t, size_t sz) \ { gctx *g = (gctx *)c; CHACHA_ENCRYPT(r, &g->ctx, s, t, sz); } \ @@ -509,9 +532,19 @@ static gcipher *ginit(const void *k, size_t sz, const gcipher_ops *ops) gencrypt_##r, gencrypt_##r, gdestroy, gsetiv, 0 \ }; \ \ + static const gcipher_ops gops_##r##_ietf = { \ + &chacha##r##_ietf, \ + gencrypt_##r, gencrypt_##r, gdestroy, gsetiv_ietf, 0 \ + }; \ + \ const gccipher chacha##r = { \ "chacha" #r, chacha_keysz, \ CHACHA_NONCESZ, ginit_##r \ + }; \ + \ + const gccipher chacha##r##_ietf = { \ + "chacha" #r "-ietf", chacha_keysz, \ + CHACHA_IETF_NONCESZ, ginit_##r##_ietf \ }; CHACHA_VARS(DEFGCIPHER) @@ -683,12 +716,27 @@ typedef struct grctx { static void gr_seek(void *r, kludge64 pos) { grctx *g = r; chacha_seeku64(&g->ctx, pos); } +static void gr_seek_ietf(void *r, kludge64 pos) + { grctx *g = r; chacha_seek_ietf(&g->ctx, LO64(pos)); } + static kludge64 gr_tell(void *r) { grctx *g = r; return (chacha_tellu64(&g->ctx)); } +static kludge64 gr_tell_ietf(void *r) +{ + grctx *g = r; + kludge64 pos; + + SET64(pos, 0, chacha_tell_ietf(&g->ctx)); + return (pos); +} + static void gr_setnonce(void *r, const void *n) { grctx *g = r; chacha_setnonce(&g->ctx, n); } +static void gr_setnonce_ietf(void *r, const void *n) + { grctx *g = r; chacha_setnonce_ietf(&g->ctx, n); } + static void grdestroy(grand *r) { grctx *g = (grctx *)r; BURN(*g); S_DESTROY(g); } @@ -712,14 +760,33 @@ static grand *grinit(const void *k, size_t ksz, const void *n, { CHACHA_NONCESZ, gr_seek, gr_tell, \ gr_setnonce, gr_generate_##rr }; \ \ + static const grops grops_##rr##_ietf = \ + { CHACHA_IETF_NONCESZ, gr_seek_ietf, gr_tell_ietf, \ + gr_setnonce_ietf, gr_generate_##rr }; \ + \ static const grand_ops grops_rand_##rr = { \ "chacha" #rr, GRAND_CRYPTO, 0, \ grmisc, grdestroy, grword, \ grbyte, grword, grand_defaultrange, grfill \ }; \ \ + static const grand_ops grops_rand_##rr##_ietf = { \ + "chacha" #rr "-ietf", GRAND_CRYPTO, 0, \ + grmisc, grdestroy, grword, \ + grbyte, grword, grand_defaultrange, grfill \ + }; \ + \ grand *chacha##rr##_rand(const void *k, size_t ksz, const void *n) \ - { return (grinit(k, ksz, n, &grops_rand_##rr, &grops_##rr)); } + { return (grinit(k, ksz, n, &grops_rand_##rr, &grops_##rr)); } \ + \ + grand *chacha##rr##_ietf_rand(const void *k, size_t ksz, \ + const void *n) \ + { \ + return (grinit(k, ksz, n, \ + &grops_rand_##rr##_ietf, \ + &grops_##rr##_ietf)); \ + } + CHACHA_VARS(DEFGRAND) #define DEFXGRAND(rr) \ @@ -816,7 +883,9 @@ CHACHA_VARS(DEFVCORE) kludge64 pos64; \ chacha_init(ctx, k, ksz, 0); \ if (nsz == 8) chacha_setnonce(ctx, n); \ + else if (nsz == 12) chacha_setnonce_ietf(ctx, n); \ if (psz == 8) { LOAD64_(pos64, p); chacha_seeku64(ctx, pos64); } \ + else if (psz == 4) chacha_seek_ietf(ctx, LOAD32(p)); \ } while (0) #define XCHACHA_TESTSETUP(r, ctx, k, ksz, n, nsz, p, psz) do { \ diff --git a/symm/chacha.h b/symm/chacha.h index 490b2059..4e5a765a 100644 --- a/symm/chacha.h +++ b/symm/chacha.h @@ -47,6 +47,7 @@ /*----- Constants ---------------------------------------------------------*/ #define CHACHA_NONCESZ 8u +#define CHACHA_IETF_NONCESZ 12u #define CHACHA_KEYSZ 32u #define CHACHA_OUTSZ 64u @@ -91,10 +92,11 @@ extern void chacha_init(chacha_ctx */*ctx*/, const void */*key*/, size_t /*ksz*/, const void */*nonce*/); -/* --- @chacha_setnonce@ --- * +/* --- @chacha_setnonce{,_ietf}@ --- * * * Arguments: @chacha_ctx *ctx@ = pointer to context - * @const void *nonce@ = the nonce (@CHACHA_NONCESZ@ bytes) + * @const void *nonce@ = the nonce (@CHACHA_NONCESZ@ or + * @CHACHA_IETF_NONCESZ@ bytes) * * Returns: --- * @@ -104,24 +106,26 @@ extern void chacha_init(chacha_ctx */*ctx*/, */ extern void chacha_setnonce(chacha_ctx */*ctx*/, const void */*nonce*/); +extern void chacha_setnonce_ietf(chacha_ctx */*ctx*/, const void */*nonce*/); -/* --- @chacha_seek{,u64}@ --- * +/* --- @chacha_seek{,u64,_ietf}@ --- * * * Arguments: @chacha_ctx *ctx@ = pointer to context - * @unsigned long i@, @kludge64 i@ = new position to set + * @unsigned long i@, @kludge64 i@, @uint32 i@ = new position * * Returns: --- * - * Use: Sets a new stream position, in units of ChaCha output + * Use: Sets a new stream position, in units of Chacha output * blocks, which are @CHACHA_OUTSZ@ bytes each. Byte - * granularity can be achieved by calling @chacha_encrypt@ + * granularity can be achieved by calling @chachaR_encrypt@ * appropriately. */ extern void chacha_seek(chacha_ctx */*ctx*/, unsigned long /*i*/); extern void chacha_seeku64(chacha_ctx */*ctx*/, kludge64 /*i*/); +extern void chacha_seek_ietf(chacha_ctx */*ctx*/, uint32 /*i*/); -/* --- @chacha_tell{,u64}@ --- * +/* --- @chacha_tell{,u64,_ietf}@ --- * * * Arguments: @chacha_ctx *ctx@ = pointer to context * @@ -131,6 +135,7 @@ extern void chacha_seeku64(chacha_ctx */*ctx*/, kludge64 /*i*/); extern unsigned long chacha_tell(chacha_ctx */*ctx*/); extern kludge64 chacha_tellu64(chacha_ctx */*ctx*/); +extern uint32 chacha_tell_ietf(chacha_ctx */*ctx*/); /* --- @chacha{20,12,8}_encrypt@ --- * * @@ -305,22 +310,28 @@ extern const octet chacha_keysz[]; #define chacha20_keysz chacha_keysz #define chacha12_keysz chacha_keysz #define chacha8_keysz chacha_keysz +#define chacha_ietf_keysz chacha_keysz +#define chacha20_ietf_keysz chacha_keysz +#define chacha12_ietf_keysz chacha_keysz +#define chacha8_ietf_keysz chacha_keysz #define xchacha_keysz chacha_keysz #define xchacha20_keysz chacha_keysz #define xchacha12_keysz chacha_keysz #define xchacha8_keysz chacha_keysz const gccipher chacha20, chacha12, chacha8; +const gccipher chacha20_ietf, chacha12_ietf, chacha8_ietf; const gccipher xchacha20, xchacha12, xchacha8; /*----- Generic random number generator interface -------------------------*/ -/* --- @chacha{20,12,8}_rand@, @xchacha{20,12,8}_rand@ --- * +/* --- @chacha{20,12,8}{,_ietf}_rand@, @xchacha{20,12,8}_rand@ --- * * * Arguments: @const void *k@ = pointer to key material * @size_t ksz@ = size of key material * @const void *n@ = pointer to nonce or null - * (@CHACHA_NONCESZ@ or @XCHACHA_NONCESZ@) + * (@CHACHA_NONCESZ@, @CHACHA_IETF_NONCESZ@, or + * @XCHACHA_NONCESZ@) * * Returns: Pointer to generic random number generator instance. * @@ -334,6 +345,12 @@ extern grand *chacha12_rand(const void */*k*/, size_t /*ksz*/, const void */*n*/); extern grand *chacha8_rand(const void */*k*/, size_t /*ksz*/, const void */*n*/); +extern grand *chacha20_ietf_rand(const void */*k*/, size_t /*ksz*/, + const void */*n*/); +extern grand *chacha12_ietf_rand(const void */*k*/, size_t /*ksz*/, + const void */*n*/); +extern grand *chacha8_ietf_rand(const void */*k*/, size_t /*ksz*/, + const void */*n*/); extern grand *xchacha20_rand(const void */*k*/, size_t /*ksz*/, const void */*n*/); extern grand *xchacha12_rand(const void */*k*/, size_t /*ksz*/, diff --git a/symm/salsa20.c b/symm/salsa20.c index b8c630dd..15285985 100644 --- a/symm/salsa20.c +++ b/symm/salsa20.c @@ -172,10 +172,11 @@ void salsa20_init(salsa20_ctx *ctx, const void *key, size_t ksz, salsa20_setnonce(ctx, nonce ? nonce : zerononce); } -/* --- @salsa20_setnonce@ --- * +/* --- @salsa20_setnonce{,_ietf}@ --- * * * Arguments: @salsa20_ctx *ctx@ = pointer to context - * @const void *nonce@ = the nonce (@SALSA20_NONCESZ@ bytes) + * @const void *nonce@ = the nonce (@SALSA20_NONCESZ@ or + * @SALSA20_IETF_NONCESZ@ bytes) * * Returns: --- * @@ -193,10 +194,20 @@ void salsa20_setnonce(salsa20_ctx *ctx, const void *nonce) salsa20_seek(ctx, 0); } -/* --- @salsa20_seek{,u64}@ --- * +void salsa20_setnonce_ietf(salsa20_ctx *ctx, const void *nonce) +{ + const octet *n = nonce; + + ctx->a[ 5] = LOAD32_L(n + 0); + ctx->a[14] = LOAD32_L(n + 4); + ctx->a[11] = LOAD32_L(n + 8); + salsa20_seek_ietf(ctx, 0); +} + +/* --- @salsa20_seek{,u64,_ietf}@ --- * * * Arguments: @salsa20_ctx *ctx@ = pointer to context - * @unsigned long i@, @kludge64 i@ = new position to set + * @unsigned long i@, @kludge64 i@, @uint32@ = new position * * Returns: --- * @@ -215,7 +226,10 @@ void salsa20_seeku64(salsa20_ctx *ctx, kludge64 i) ctx->bufi = SALSA20_OUTSZ; } -/* --- @salsa20_tell{,u64}@ --- * +void salsa20_seek_ietf(salsa20_ctx *ctx, uint32 i) + { ctx->a[8] = i; } + +/* --- @salsa20_tell{,u64,_ietf}@ --- * * * Arguments: @salsa20_ctx *ctx@ = pointer to context * @@ -229,6 +243,9 @@ unsigned long salsa20_tell(salsa20_ctx *ctx) kludge64 salsa20_tellu64(salsa20_ctx *ctx) { kludge64 i; SET64(i, ctx->a[5], ctx->a[8]); return (i); } +uint32 salsa20_tell_ietf(salsa20_ctx *ctx) + { return (ctx->a[5]); } + /* --- @salsa20{,12,8}_encrypt@ --- * * * Arguments: @salsa20_ctx *ctx@ = pointer to context @@ -502,6 +519,9 @@ typedef struct gctx { gcipher c; salsa20_ctx ctx; } gctx; static void gsetiv(gcipher *c, const void *iv) { gctx *g = (gctx *)c; salsa20_setnonce(&g->ctx, iv); } +static void gsetiv_ietf(gcipher *c, const void *iv) + { gctx *g = (gctx *)c; salsa20_setnonce_ietf(&g->ctx, iv); } + static void gdestroy(gcipher *c) { gctx *g = (gctx *)c; BURN(*g); S_DESTROY(g); } @@ -515,11 +535,14 @@ static gcipher *ginit(const void *k, size_t sz, const gcipher_ops *ops) #define DEFGCIPHER(r) \ \ - static const gcipher_ops gops_##r; \ + static const gcipher_ops gops_##r, gops_##r##_ietf; \ \ static gcipher *ginit_##r(const void *k, size_t sz) \ { return (ginit(k, sz, &gops_##r)); } \ \ + static gcipher *ginit_##r##_ietf(const void *k, size_t sz) \ + { return (ginit(k, sz, &gops_##r##_ietf)); } \ + \ static void gencrypt_##r(gcipher *c, const void *s, \ void *t, size_t sz) \ { gctx *g = (gctx *)c; SALSA20_ENCRYPT(r, &g->ctx, s, t, sz); } \ @@ -529,9 +552,19 @@ static gcipher *ginit(const void *k, size_t sz, const gcipher_ops *ops) gencrypt_##r, gencrypt_##r, gdestroy, gsetiv, 0 \ }; \ \ + static const gcipher_ops gops_##r##_ietf = { \ + &SALSA20_DECOR(salsa20, r, _ietf), \ + gencrypt_##r, gencrypt_##r, gdestroy, gsetiv_ietf, 0 \ + }; \ + \ const gccipher SALSA20_DECOR(salsa20, r, ) = { \ SALSA20_NAME_##r, salsa20_keysz, \ SALSA20_NONCESZ, ginit_##r \ + }; \ + \ + const gccipher SALSA20_DECOR(salsa20, r, _ietf) = { \ + SALSA20_NAME_##r "-ietf", salsa20_keysz, \ + SALSA20_IETF_NONCESZ, ginit_##r##_ietf \ }; SALSA20_VARS(DEFGCIPHER) @@ -703,12 +736,27 @@ typedef struct grctx { static void gr_seek(void *r, kludge64 pos) { grctx *g = r; salsa20_seeku64(&g->ctx, pos); } +static void gr_seek_ietf(void *r, kludge64 pos) + { grctx *g = r; salsa20_seek_ietf(&g->ctx, LO64(pos)); } + static kludge64 gr_tell(void *r) { grctx *g = r; return (salsa20_tellu64(&g->ctx)); } +static kludge64 gr_tell_ietf(void *r) +{ + grctx *g = r; + kludge64 pos; + + SET64(pos, 0, salsa20_tell_ietf(&g->ctx)); + return (pos); +} + static void gr_setnonce(void *r, const void *n) { grctx *g = r; salsa20_setnonce(&g->ctx, n); } +static void gr_setnonce_ietf(void *r, const void *n) + { grctx *g = r; salsa20_setnonce(&g->ctx, n); } + static void grdestroy(grand *r) { grctx *g = (grctx *)r; BURN(*g); S_DESTROY(g); } @@ -732,15 +780,34 @@ static grand *grinit(const void *k, size_t ksz, const void *n, { SALSA20_NONCESZ, gr_seek, gr_tell, \ gr_setnonce, gr_generate_##rr }; \ \ + static const grops grops_##rr##_ietf = \ + { SALSA20_IETF_NONCESZ, gr_seek_ietf, gr_tell_ietf, \ + gr_setnonce_ietf, gr_generate_##rr }; \ + \ static const grand_ops grops_rand_##rr = { \ SALSA20_NAME_##rr, GRAND_CRYPTO, 0, \ grmisc, grdestroy, grword, \ grbyte, grword, grand_defaultrange, grfill \ }; \ \ + static const grand_ops grops_rand_##rr##_ietf = { \ + SALSA20_NAME_##rr "-ietf", GRAND_CRYPTO, 0, \ + grmisc, grdestroy, grword, \ + grbyte, grword, grand_defaultrange, grfill \ + }; \ + \ grand *SALSA20_DECOR(salsa20, rr, _rand) \ (const void *k, size_t ksz, const void *n) \ - { return (grinit(k, ksz, n, &grops_rand_##rr, &grops_##rr)); } + { return (grinit(k, ksz, n, &grops_rand_##rr, &grops_##rr)); } \ + \ + grand *SALSA20_DECOR(salsa20, rr, _ietf_rand) \ + (const void *k, size_t ksz, const void *n) \ + { \ + return (grinit(k, ksz, n, \ + &grops_rand_##rr##_ietf, \ + &grops_##rr##_ietf)); \ + } + SALSA20_VARS(DEFGRAND) #define DEFXGRAND(rr) \ @@ -846,7 +913,9 @@ SALSA20_VARS(DEFVCORE) kludge64 pos64; \ salsa20_init(ctx, k, ksz, 0); \ if (nsz == 8) salsa20_setnonce(ctx, n); \ + else if (nsz == 12) salsa20_setnonce_ietf(ctx, n); \ if (psz == 8) { LOAD64_(pos64, p); salsa20_seeku64(ctx, pos64); } \ + else if (psz == 4) salsa20_seek_ietf(ctx, LOAD32(p)); \ } while (0) #define XSALSA20_TESTSETUP(r, ctx, k, ksz, n, nsz, p, psz) do { \ diff --git a/symm/salsa20.h b/symm/salsa20.h index 7b2d00b2..043b22d1 100644 --- a/symm/salsa20.h +++ b/symm/salsa20.h @@ -47,6 +47,7 @@ /*----- Constants ---------------------------------------------------------*/ #define SALSA20_NONCESZ 8u +#define SALSA20_IETF_NONCESZ 12u #define SALSA20_KEYSZ 32u #define SALSA20_OUTSZ 64u @@ -91,10 +92,11 @@ extern void salsa20_init(salsa20_ctx */*ctx*/, const void */*key*/, size_t /*ksz*/, const void */*nonce*/); -/* --- @salsa20_setnonce@ --- * +/* --- @salsa20_setnonce{,_ietf}@ --- * * * Arguments: @salsa20_ctx *ctx@ = pointer to context - * @const void *nonce@ = the nonce (@SALSA20_NONCESZ@ bytes) + * @const void *nonce@ = the nonce (@SALSA20_NONCESZ@ or + * @SALSA20_IETF_NONCESZ@ bytes) * * Returns: --- * @@ -104,8 +106,10 @@ extern void salsa20_init(salsa20_ctx */*ctx*/, */ extern void salsa20_setnonce(salsa20_ctx */*ctx*/, const void */*nonce*/); +extern void salsa20_setnonce_ietf(salsa20_ctx */*ctx*/, + const void */*nonce*/); -/* --- @salsa20_seek{,u64}@ --- * +/* --- @salsa20_seek{,u64,_ietf}@ --- * * * Arguments: @salsa20_ctx *ctx@ = pointer to context * @unsigned long i@, @kludge64 i@ = new position to set @@ -120,8 +124,9 @@ extern void salsa20_setnonce(salsa20_ctx */*ctx*/, const void */*nonce*/); extern void salsa20_seek(salsa20_ctx */*ctx*/, unsigned long /*i*/); extern void salsa20_seeku64(salsa20_ctx */*ctx*/, kludge64 /*i*/); +extern void salsa20_seek_ietf(salsa20_ctx */*ctx*/, uint32 /*i*/); -/* --- @salsa20_tell{,u64}@ --- * +/* --- @salsa20_tell{,u64,_ietf}@ --- * * * Arguments: @salsa20_ctx *ctx@ = pointer to context * @@ -131,6 +136,7 @@ extern void salsa20_seeku64(salsa20_ctx */*ctx*/, kludge64 /*i*/); extern unsigned long salsa20_tell(salsa20_ctx */*ctx*/); extern kludge64 salsa20_tellu64(salsa20_ctx */*ctx*/); +extern uint32 salsa20_tell_ietf(salsa20_ctx */*ctx*/); /* --- @salsa20{,12,8}_encrypt@ --- * * @@ -229,7 +235,7 @@ extern void xsalsa2012_setnonce(xsalsa2012_ctx */*ctx*/, extern void xsalsa208_setnonce(xsalsa208_ctx */*ctx*/, const void */*nonce*/); -/* --- @xsalsa20{,12,8}_seek{,u64}@ --- * +/* --- @xsalsa20{,12,8}_seek@, @xsalsa20{,12,8}_seeku64@ --- * * * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context * @unsigned long i@, @kludge64 i@ = new position to set @@ -253,7 +259,7 @@ extern void xsalsa20_seeku64(xsalsa20_ctx */*ctx*/, kludge64 /*i*/); extern void xsalsa2012_seeku64(xsalsa2012_ctx */*ctx*/, kludge64 /*i*/); extern void xsalsa208_seeku64(xsalsa208_ctx */*ctx*/, kludge64 /*i*/); -/* --- @xsalsa20{,12,8}_tell{,u64}@ --- * +/* --- @xsalsa20{,12,8}_tell@, @xsalsa20{,12,8}_tellu64@ --- * * * Arguments: @salsa20_ctx *ctx@ = pointer to context * @@ -304,21 +310,26 @@ extern void xsalsa208_encrypt(xsalsa208_ctx */*ctx*/, extern const octet salsa20_keysz[]; #define salsa2012_keysz salsa20_keysz #define salsa208_keysz salsa20_keysz +#define salsa20_ietf_keysz salsa20_keysz +#define salsa2012_ietf_keysz salsa20_keysz +#define salsa208_ietf_keysz salsa20_keysz #define xsalsa20_keysz salsa20_keysz #define xsalsa2012_keysz salsa20_keysz #define xsalsa208_keysz salsa20_keysz const gccipher salsa20, salsa2012, salsa208; +const gccipher salsa20_ietf, salsa2012_ietf, salsa208_ietf; const gccipher xsalsa20, xsalsa2012, xsalsa208; /*----- Generic random number generator interface -------------------------*/ -/* --- @salsa20{,12,8}_rand@, @xsalsa20{,12,8}_rand@ --- * +/* --- @salsa20{,12,8}{,_ietf}_rand@, @xsalsa20{,12,8}{,_ietf}_rand@ --- * * * Arguments: @const void *k@ = pointer to key material * @size_t ksz@ = size of key material * @const void *n@ = pointer to nonce or null - * (@SALSA20_NONCESZ@ or @XSALSA20_NONCESZ@) + * (@SALSA20_NONCESZ@, @SALSA20_IETF_NONCESZ@, + * or @XSALSA20_NONCESZ@) * * Returns: Pointer to generic random number generator instance. * @@ -332,6 +343,12 @@ extern grand *salsa2012_rand(const void */*k*/, size_t /*ksz*/, const void */*n*/); extern grand *salsa208_rand(const void */*k*/, size_t /*ksz*/, const void */*n*/); +extern grand *salsa20_ietf_rand(const void */*k*/, size_t /*ksz*/, + const void */*n*/); +extern grand *salsa2012_ietf_rand(const void */*k*/, size_t /*ksz*/, + const void */*n*/); +extern grand *salsa208_ietf_rand(const void */*k*/, size_t /*ksz*/, + const void */*n*/); extern grand *xsalsa20_rand(const void */*k*/, size_t /*ksz*/, const void */*n*/); extern grand *xsalsa2012_rand(const void */*k*/, size_t /*ksz*/, diff --git a/symm/t/chacha b/symm/t/chacha index 84d92de6..4777803a 100644 --- a/symm/t/chacha +++ b/symm/t/chacha @@ -187,4 +187,42 @@ chacha20 { c46ec1b18ce8a878725a37e780dfb735 1ada31d5cf688221 "" 0 "" 826abdd84460e2e9349f0ef4af5b179b426e4b2d109a9c5bb44000ae51bea90a496beeef62a76850ff3f0402c4ddc99f6db07f151c1c0dfac2e56565d62896255b23132e7b469c7bfb88fa95d44ca5ae3e45e848a4108e98bad7a9eb15512784a6a9e6e591dce674120acaf9040ff50ff3ac30ccfb5e14204f5e4268b90a8804; + + ## Tests from RFC7539. + 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f + 000000090000004a00000000 00000001 0 "" + 10f1e7e4d13b5915500fdd1fa32071c4c7d1f4c733c068030422aa9ac3d46c4ed2826446079faa0914c2d705d98b02a2b5129cd1de164eb9cbd083e8a2503c4e; + 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f + 000000000000004a00000000 00000001 0 + 4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e + 6e2e359a2568f98041ba0728dd0d6981e97e7aec1d4360c20a27afccfd9fae0bf91b65c5524733ab8f593dabcd62b3571639d624e65152ab8f530c359f0861d807ca0dbf500d6a6156a38e088a22b65e52bc514d16ccf806818ce91ab77937365af90bbf74a35be6b40b8eedf2785e42874d; + 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f + 000000000001020304050607 "" 0 "" + 8ad5a08b905f81cc815040274ab29471a833b637e3fd0da508dbb8e2fdd1a646; + 0000000000000000000000000000000000000000000000000000000000000000 + 000000000000000000000000 "" 0 "" + 76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee65869f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed29b721769ce64e43d57133b074d839d531ed1f28510afb45ace10a1f4b794d6f; + 0000000000000000000000000000000000000000000000000000000000000001 + 000000000000000000000000 00000001 0 "" + 3aeb5224ecf849929b9d828db1ced4dd832025e8018b8160b82284f3c949aa5a8eca00bbb4a73bdad192b5c42f73f2fd4e273644c8b36125a64addeb006c13a0; + 00ff000000000000000000000000000000000000000000000000000000000000 + 000000000000000000000000 00000002 0 "" + 72d54dfbf12ec44b362692df94137f328fea8da73990265ec1bbbea1ae9af0ca13b25aa26cb4a648cb9b9d1be65b2c0924a66c54d545ec1b7374f4872e99f096; + 0000000000000000000000000000000000000000000000000000000000000000 + 000000000000000000000002 "" 0 "" + c2c64d378cd536374ae204b9ef933fcd1a8b2288b3dfa49672ab765b54ee27c78a970e0e955c14f3a88e741b97c286f75f8fc299e8148362fa198a39531bed6d; + 0000000000000000000000000000000000000000000000000000000000000001 + 000000000000000000000002 00000001 0 + 416e79207375626d697373696f6e20746f20746865204945544620696e74656e6465642062792074686520436f6e7472696275746f7220666f72207075626c69636174696f6e20617320616c6c206f722070617274206f6620616e204945544620496e7465726e65742d4472616674206f722052464320616e6420616e792073746174656d656e74206d6164652077697468696e2074686520636f6e74657874206f6620616e204945544620616374697669747920697320636f6e7369646572656420616e20224945544620436f6e747269627574696f6e222e20537563682073746174656d656e747320696e636c756465206f72616c2073746174656d656e747320696e20494554462073657373696f6e732c2061732077656c6c206173207772697474656e20616e6420656c656374726f6e696320636f6d6d756e69636174696f6e73206d61646520617420616e792074696d65206f7220706c6163652c207768696368206172652061646472657373656420746f + a3fbf07df3fa2fde4f376ca23e82737041605d9f4f4f57bd8cff2c1d4b7955ec2a97948bd3722915c8f3d337f7d370050e9e96d647b7c39f56e031ca5eb6250d4042e02785ececfa4b4bb5e8ead0440e20b6e8db09d881a7c6132f420e52795042bdfa7773d8a9051447b3291ce1411c680465552aa6c405b7764d5e87bea85ad00f8449ed8f72d0d662ab052691ca66424bc86d2df80ea41f43abf937d3259dc4b2d0dfb48a6c9139ddd7f76966e928e635553ba76c5c879d7b35d49eb2e62b0871cdac638939e25e8a1e0ef9d5280fa8ca328b351c3c765989cbcf3daa8b6ccc3aaf9f3979c92b3720fc88dc95ed84a1be059c6499b9fda236e7e818b04b0bc39c1e876b193bfe5569753f88128cc08aaa9b63d1a16f80ef2554d7189c411f5869ca52c5b83fa36ff216b9c1d30062bebcfd2dc5bce0911934fda79a86f6e698ced759c3ff9b6477338f3da4f9cd8514ea9982ccafb341b2384dd902f3d1ab7ac61dd29c6f21ba5b862f3730e37cfdc4fd806c22f221; + 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0 + 000000000000000000000002 0000002a 0 + 2754776173206272696c6c69672c20616e642074686520736c6974687920746f7665730a446964206779726520616e642067696d626c6520696e2074686520776162653a0a416c6c206d696d737920776572652074686520626f726f676f7665732c0a416e6420746865206d6f6d65207261746873206f757467726162652e + 62e6347f95ed87a45ffae7426f27a1df5fb69110044c0d73118effa95b01e5cf166d3df2d721caf9b21e5fb14c616871fd84c54f9d65b283196c7fe4f60553ebf39c6402c42234e32a356b3e764312a61a5532055716ead6962568f87d3f3f7704c6a8d1bcd1bf4d50d6154b6da731b187b58dfd728afa36757a797ac188d1; + 0000000000000000000000000000000000000000000000000000000000000001 + 000000000000000000000002 "" 0 "" + ecfa254f845f647473d3cb140da9e87606cb33066c447b87bc2666dde3fbb739; + 1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0 + 000000000000000000000002 "" 0 "" + 965e3bc6f9ec7ed9560808f4d229f94b137ff275ca9b3fcbdd59deaad23310ae; } diff --git a/symm/t/salsa20.local b/symm/t/salsa20.local index 167430f5..91887492 100644 --- a/symm/t/salsa20.local +++ b/symm/t/salsa20.local @@ -59,6 +59,14 @@ salsa20 { ## Homemade tests for skipping. 0f62b5085bae0154a7fa4da0f34699ec3f92e5388bde3184d72a7dd02376c91c 288ff65dc42b92f9 "" 131025 "" 36de843cccab0390b8b5862f1e4596ae; + + ## Homemade test of IETF-style 12-byte nonces. + 0102030405060708090a0b0c0d0e0f10c9cacbcccdcecfd0d1d2d3d4d5d6d7d8 + 7172737465666768696a6b6c 706f6e6d 0 "" + 45254427290f6bc1ff8b7a06aae9d9625990b66a1533c841ef31de22d772287e68c507e1c5991f02664e4cb054f5f6b8b1a0858206489577c0c384ecea67f64a; + 0102030405060708090a0b0c0d0e0f10 + 7172737465666768696a6b6c 706f6e6d 0 "" + 27ad2ef81ec852113043feef25120df7f1c83d900a3732b9062ff6fd8f56bbe186556ef6a1a32bebe75eab3391d6701d0ee80510978cb78dab097ab568b6b1c1; } xsalsa20 { -- 2.11.0