/* This initializes in SIMD format */
void ECRYPT_ivsetup(ECRYPT_ctx *x,const u8 *iv)
{
x->input[tr[6]] = U8TO32_LITTLE(iv + 0);
x->input[tr[7]] = U8TO32_LITTLE(iv + 4);
x->input[tr[8]] = 0;
x->input[tr[9]] = 0;
}
void chacha_ivsetup(u32 *x,const byte *iv)
{
x[12] = 0;
x[13] = 0;
x[14] = U8TO32_LITTLE(iv + 0);
x[15] = U8TO32_LITTLE(iv + 4);
}
static void salsa20_ivsetup(struct salsa20_ctx *ctx, const u8 *iv)
{
ctx->input[6] = U8TO32_LITTLE(iv + 0);
ctx->input[7] = U8TO32_LITTLE(iv + 4);
ctx->input[8] = 0;
ctx->input[9] = 0;
}
void ECRYPT_ivsetup(ECRYPT_ctx *x,const u8 *iv)
{
x->input[12] = 0;
x->input[13] = 0;
x->input[14] = U8TO32_LITTLE(iv + 0);
x->input[15] = U8TO32_LITTLE(iv + 4);
}
void ECRYPT_ivsetup(ECRYPT_ctx *x,const u8 *iv)
{
x->input[6] = U8TO32_LITTLE(iv + 0);
x->input[7] = U8TO32_LITTLE(iv + 4);
x->input[8] = 0;
x->input[9] = 0;
}
void ECRYPT_Salsa::ECRYPT_ivsetup(void *xa,const u8 *iv)
{
SALSA_ctx* x = (SALSA_ctx*)xa;
x->input[6] = U8TO32_LITTLE(iv + 0);
x->input[7] = U8TO32_LITTLE(iv + 4);
x->input[8] = 0;
x->input[9] = 0;
}
/*
* Salsa20/8 Core function (combined with XOR)
*
* This function accepts two 64-byte Python byte strings (x and y).
* It creates a new 64-byte Python byte string with the result
* of the expression salsa20_8(xor(x,y)).
*/
EXPORT_SYM int Salsa20_8_core(const uint8_t *x, const uint8_t *y, uint8_t *out)
{
uint32_t input_32[16];
int i;
if (NULL==x || NULL==y || NULL==out)
return ERR_NULL;
for (i=0; i<16; i++) {
uint32_t tmp;
U8TO32_LITTLE(tmp, &x[i*4]);
U8TO32_LITTLE(input_32[i], &y[i*4]);
input_32[i] ^= tmp;
}
_salsa20_block(8, input_32, out);
return 0;
}
/*
* This is intended for RNG application: add more system randomnes into state.
*/
void dfsch_salsa20_addkey(dfsch_salsa20_state_t* st, uint8_t k[32]){
st->input[1] += U8TO32_LITTLE(k + 0);
st->input[2] += U8TO32_LITTLE(k + 4);
st->input[3] += U8TO32_LITTLE(k + 8);
st->input[4] += U8TO32_LITTLE(k + 12);
k += 16;
st->input[11] += U8TO32_LITTLE(k + 0);
st->input[12] += U8TO32_LITTLE(k + 4);
st->input[13] += U8TO32_LITTLE(k + 8);
st->input[14] += U8TO32_LITTLE(k + 12);
st->input[0] += 1;
st->input[5] += 3;
st->input[10] += 5;
st->input[15] += 7;
}
/*
* Fetch a pointer to the relevant key material and its size.
*
* This API is expected to only be used only for reseeding, where the
* endianness does not matter; the goal is to simply incorporate the key
* material into the hash iterator that will produce key'.
*
* Do not expect the buffer pointed to by this API to match the exact
* endianness, etc, as the key material that was supplied to
* randomdev_encrypt_init().
*/
void
randomdev_getkey(union randomdev_key *context, const void **keyp, size_t *szp)
{
if (!random_chachamode) {
*keyp = &context->key.keyMaterial;
*szp = context->key.keyLen / 8;
return;
}
/* Chacha20 mode */
*keyp = (const void *)&context->chacha.input[4];
/* Sanity check keysize */
if (context->chacha.input[0] == U8TO32_LITTLE(sigma) &&
context->chacha.input[1] == U8TO32_LITTLE(&sigma[4]) &&
context->chacha.input[2] == U8TO32_LITTLE(&sigma[8]) &&
context->chacha.input[3] == U8TO32_LITTLE(&sigma[12])) {
*szp = 32;
return;
}
#if 0
/*
* Included for the sake of completeness; as-implemented, Fortuna
* doesn't need or use 128-bit Chacha20.
*/
if (context->chacha->input[0] == U8TO32_LITTLE(tau) &&
context->chacha->input[1] == U8TO32_LITTLE(&tau[4]) &&
context->chacha->input[2] == U8TO32_LITTLE(&tau[8]) &&
context->chacha->input[3] == U8TO32_LITTLE(&tau[12])) {
*szp = 16;
return;
}
#endif
#ifdef _KERNEL
panic("%s: Invalid chacha20 keysize: %16D\n", __func__,
(void *)context->chacha.input, " ");
#else
raise(SIGKILL);
#endif
}
/* This initializes in SIMD format */
void ECRYPT_keysetup(ECRYPT_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
{
const char *constants;
x->input[tr[1]] = U8TO32_LITTLE(k + 0);
x->input[tr[2]] = U8TO32_LITTLE(k + 4);
x->input[tr[3]] = U8TO32_LITTLE(k + 8);
x->input[tr[4]] = U8TO32_LITTLE(k + 12);
if (kbits == 256) { /* recommended */
k += 16;
constants = sigma;
} else { /* kbits == 128 */
constants = tau;
}
x->input[tr[11]] = U8TO32_LITTLE(k + 0);
x->input[tr[12]] = U8TO32_LITTLE(k + 4);
x->input[tr[13]] = U8TO32_LITTLE(k + 8);
x->input[tr[14]] = U8TO32_LITTLE(k + 12);
x->input[tr[0]] = U8TO32_LITTLE(constants + 0);
x->input[tr[5]] = U8TO32_LITTLE(constants + 4);
x->input[tr[10]] = U8TO32_LITTLE(constants + 8);
x->input[tr[15]] = U8TO32_LITTLE(constants + 12);
}
void ECRYPT_keysetup(ECRYPT_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
{
unsigned int i;
static const char *constants;
x->input[1] = U8TO32_LITTLE(k + 0);
x->input[2] = U8TO32_LITTLE(k + 4);
x->input[3] = U8TO32_LITTLE(k + 8);
x->input[4] = U8TO32_LITTLE(k + 12);
if (kbits == 256) { /* recommended */
k += 16;
constants = sigma;
} else { /* kbits == 128 */
constants = tau;
}
x->input[11] = U8TO32_LITTLE(k + 0);
x->input[12] = U8TO32_LITTLE(k + 4);
x->input[13] = U8TO32_LITTLE(k + 8);
x->input[14] = U8TO32_LITTLE(k + 12);
x->input[0] = U8TO32_LITTLE(constants + 0);
x->input[5] = U8TO32_LITTLE(constants + 4);
x->input[10] = U8TO32_LITTLE(constants + 8);
x->input[15] = U8TO32_LITTLE(constants + 12);
}
void dfsch_salsa20_setkey(dfsch_salsa20_state_t* st, uint8_t k[32]){
const char *constants;
st->input[1] = U8TO32_LITTLE(k + 0);
st->input[2] = U8TO32_LITTLE(k + 4);
st->input[3] = U8TO32_LITTLE(k + 8);
st->input[4] = U8TO32_LITTLE(k + 12);
k += 16;
constants = sigma;
st->input[11] = U8TO32_LITTLE(k + 0);
st->input[12] = U8TO32_LITTLE(k + 4);
st->input[13] = U8TO32_LITTLE(k + 8);
st->input[14] = U8TO32_LITTLE(k + 12);
st->input[0] = U8TO32_LITTLE(constants + 0);
st->input[5] = U8TO32_LITTLE(constants + 4);
st->input[10] = U8TO32_LITTLE(constants + 8);
st->input[15] = U8TO32_LITTLE(constants + 12);
}
void ECRYPT_keysetup(ECRYPT_ctx *x, const u8 *k, u32 kbits, u32 ivbits )
{
const u8 *constants;
x->input[4] = U8TO32_LITTLE(k + 0);
x->input[5] = U8TO32_LITTLE(k + 4);
x->input[6] = U8TO32_LITTLE(k + 8);
x->input[7] = U8TO32_LITTLE(k + 12);
if (kbits == 256) { /* recommended */
k += 16;
constants = sigma;
} else { /* kbits == 128 */
constants = tau;
}
x->input[8] = U8TO32_LITTLE(k + 0);
x->input[9] = U8TO32_LITTLE(k + 4);
x->input[10] = U8TO32_LITTLE(k + 8);
x->input[11] = U8TO32_LITTLE(k + 12);
x->input[0] = U8TO32_LITTLE(constants + 0);
x->input[1] = U8TO32_LITTLE(constants + 4);
x->input[2] = U8TO32_LITTLE(constants + 8);
x->input[3] = U8TO32_LITTLE(constants + 12);
}
static void salsa20_keysetup(struct salsa20_ctx *ctx, const u8 *k, u32 kbytes)
{
const char *constants;
ctx->input[1] = U8TO32_LITTLE(k + 0);
ctx->input[2] = U8TO32_LITTLE(k + 4);
ctx->input[3] = U8TO32_LITTLE(k + 8);
ctx->input[4] = U8TO32_LITTLE(k + 12);
if (kbytes == 32) { /* recommended */
k += 16;
constants = sigma;
} else { /* kbytes == 16 */
constants = tau;
}
ctx->input[11] = U8TO32_LITTLE(k + 0);
ctx->input[12] = U8TO32_LITTLE(k + 4);
ctx->input[13] = U8TO32_LITTLE(k + 8);
ctx->input[14] = U8TO32_LITTLE(k + 12);
ctx->input[0] = U8TO32_LITTLE(constants + 0);
ctx->input[5] = U8TO32_LITTLE(constants + 4);
ctx->input[10] = U8TO32_LITTLE(constants + 8);
ctx->input[15] = U8TO32_LITTLE(constants + 12);
}
void chacha_keysetup(u32 *x,const byte *k,u32 kbits,u32 ivbits)
{
const char *constants;
x[4] = U8TO32_LITTLE(k + 0);
x[5] = U8TO32_LITTLE(k + 4);
x[6] = U8TO32_LITTLE(k + 8);
x[7] = U8TO32_LITTLE(k + 12);
if (kbits == 256) { /* recommended */
k += 16;
constants = sigma;
} else { /* kbits == 128 */
constants = tau;
}
x[8] = U8TO32_LITTLE(k + 0);
x[9] = U8TO32_LITTLE(k + 4);
x[10] = U8TO32_LITTLE(k + 8);
x[11] = U8TO32_LITTLE(k + 12);
x[0] = U8TO32_LITTLE(constants + 0);
x[1] = U8TO32_LITTLE(constants + 4);
x[2] = U8TO32_LITTLE(constants + 8);
x[3] = U8TO32_LITTLE(constants + 12);
}
EXPORT_SYM int Salsa20_stream_init(uint8_t *key, size_t keylen,
uint8_t *nonce, size_t nonce_len,
stream_state **pSalsaState)
{
const char *constants;
uint32_t *input;
stream_state *salsaState;
if (NULL == pSalsaState || NULL == key || NULL == nonce)
return ERR_NULL;
if (keylen != 16 && keylen != 32)
return ERR_KEY_SIZE;
if (nonce_len != 8)
return ERR_NONCE_SIZE;
*pSalsaState = salsaState = calloc(1, sizeof(stream_state));
if (NULL == salsaState)
return ERR_MEMORY;
input = salsaState->input;
U8TO32_LITTLE (input[1], key);
U8TO32_LITTLE (input[2], key + 4);
U8TO32_LITTLE (input[3], key + 8);
U8TO32_LITTLE (input[4], key + 12);
if (keylen == 32) {
key += 16;
constants = sigma;
} else {
constants = tau;
}
U8TO32_LITTLE (input[11], key + 0);
U8TO32_LITTLE (input[12], key + 4);
U8TO32_LITTLE (input[13], key + 8);
U8TO32_LITTLE (input[14], key + 12);
U8TO32_LITTLE (input[0], constants);
U8TO32_LITTLE (input[5], constants + 4);
U8TO32_LITTLE (input[10], constants + 8);
U8TO32_LITTLE (input[15], constants + 12);
/* nonce setup */
U8TO32_LITTLE (input[6], nonce);
U8TO32_LITTLE (input[7], nonce + 4);
/* Block counter setup*/
input[8] = 0;
input[9] = 0;
salsaState->blockindex = 64;
return 0;
}
void ECRYPT_encrypt_bytes(ECRYPT_ctx *x,const u8 *m,u8 *c,u32 bytes)
{
u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
u8 *ctarget;
u8 tmp[64];
int i;
if (!bytes) return;
j0 = x->input[0];
j1 = x->input[1];
j2 = x->input[2];
j3 = x->input[3];
j4 = x->input[4];
j5 = x->input[5];
j6 = x->input[6];
j7 = x->input[7];
j8 = x->input[8];
j9 = x->input[9];
j10 = x->input[10];
j11 = x->input[11];
j12 = x->input[12];
j13 = x->input[13];
j14 = x->input[14];
j15 = x->input[15];
for (;;) {
if (bytes < 64) {
for (i = 0;i < bytes;++i) tmp[i] = m[i];
m = tmp;
ctarget = c;
c = tmp;
}
x0 = j0;
x1 = j1;
x2 = j2;
x3 = j3;
x4 = j4;
x5 = j5;
x6 = j6;
x7 = j7;
x8 = j8;
x9 = j9;
x10 = j10;
x11 = j11;
x12 = j12;
x13 = j13;
x14 = j14;
x15 = j15;
for (i = 8;i > 0;i -= 2) {
x4 = XOR( x4,ROTATE(PLUS( x0,x12), 7));
x8 = XOR( x8,ROTATE(PLUS( x4, x0), 9));
x12 = XOR(x12,ROTATE(PLUS( x8, x4),13));
x0 = XOR( x0,ROTATE(PLUS(x12, x8),18));
x9 = XOR( x9,ROTATE(PLUS( x5, x1), 7));
x13 = XOR(x13,ROTATE(PLUS( x9, x5), 9));
x1 = XOR( x1,ROTATE(PLUS(x13, x9),13));
x5 = XOR( x5,ROTATE(PLUS( x1,x13),18));
x14 = XOR(x14,ROTATE(PLUS(x10, x6), 7));
x2 = XOR( x2,ROTATE(PLUS(x14,x10), 9));
x6 = XOR( x6,ROTATE(PLUS( x2,x14),13));
x10 = XOR(x10,ROTATE(PLUS( x6, x2),18));
x3 = XOR( x3,ROTATE(PLUS(x15,x11), 7));
x7 = XOR( x7,ROTATE(PLUS( x3,x15), 9));
x11 = XOR(x11,ROTATE(PLUS( x7, x3),13));
x15 = XOR(x15,ROTATE(PLUS(x11, x7),18));
x1 = XOR( x1,ROTATE(PLUS( x0, x3), 7));
x2 = XOR( x2,ROTATE(PLUS( x1, x0), 9));
x3 = XOR( x3,ROTATE(PLUS( x2, x1),13));
x0 = XOR( x0,ROTATE(PLUS( x3, x2),18));
x6 = XOR( x6,ROTATE(PLUS( x5, x4), 7));
x7 = XOR( x7,ROTATE(PLUS( x6, x5), 9));
x4 = XOR( x4,ROTATE(PLUS( x7, x6),13));
x5 = XOR( x5,ROTATE(PLUS( x4, x7),18));
x11 = XOR(x11,ROTATE(PLUS(x10, x9), 7));
x8 = XOR( x8,ROTATE(PLUS(x11,x10), 9));
x9 = XOR( x9,ROTATE(PLUS( x8,x11),13));
x10 = XOR(x10,ROTATE(PLUS( x9, x8),18));
x12 = XOR(x12,ROTATE(PLUS(x15,x14), 7));
x13 = XOR(x13,ROTATE(PLUS(x12,x15), 9));
x14 = XOR(x14,ROTATE(PLUS(x13,x12),13));
x15 = XOR(x15,ROTATE(PLUS(x14,x13),18));
}
x0 = PLUS(x0,j0);
x1 = PLUS(x1,j1);
x2 = PLUS(x2,j2);
x3 = PLUS(x3,j3);
x4 = PLUS(x4,j4);
x5 = PLUS(x5,j5);
x6 = PLUS(x6,j6);
x7 = PLUS(x7,j7);
x8 = PLUS(x8,j8);
x9 = PLUS(x9,j9);
x10 = PLUS(x10,j10);
x11 = PLUS(x11,j11);
x12 = PLUS(x12,j12);
x13 = PLUS(x13,j13);
x14 = PLUS(x14,j14);
x15 = PLUS(x15,j15);
x0 = XOR(x0,U8TO32_LITTLE(m + 0));
x1 = XOR(x1,U8TO32_LITTLE(m + 4));
x2 = XOR(x2,U8TO32_LITTLE(m + 8));
x3 = XOR(x3,U8TO32_LITTLE(m + 12));
x4 = XOR(x4,U8TO32_LITTLE(m + 16));
x5 = XOR(x5,U8TO32_LITTLE(m + 20));
x6 = XOR(x6,U8TO32_LITTLE(m + 24));
x7 = XOR(x7,U8TO32_LITTLE(m + 28));
x8 = XOR(x8,U8TO32_LITTLE(m + 32));
x9 = XOR(x9,U8TO32_LITTLE(m + 36));
x10 = XOR(x10,U8TO32_LITTLE(m + 40));
x11 = XOR(x11,U8TO32_LITTLE(m + 44));
x12 = XOR(x12,U8TO32_LITTLE(m + 48));
x13 = XOR(x13,U8TO32_LITTLE(m + 52));
x14 = XOR(x14,U8TO32_LITTLE(m + 56));
x15 = XOR(x15,U8TO32_LITTLE(m + 60));
j8 = PLUSONE(j8);
if (!j8) {
j9 = PLUSONE(j9);
/* stopping at 2^70 bytes per nonce is user's responsibility */
}
U32TO8_LITTLE(c + 0,x0);
U32TO8_LITTLE(c + 4,x1);
U32TO8_LITTLE(c + 8,x2);
U32TO8_LITTLE(c + 12,x3);
U32TO8_LITTLE(c + 16,x4);
U32TO8_LITTLE(c + 20,x5);
U32TO8_LITTLE(c + 24,x6);
U32TO8_LITTLE(c + 28,x7);
U32TO8_LITTLE(c + 32,x8);
U32TO8_LITTLE(c + 36,x9);
U32TO8_LITTLE(c + 40,x10);
U32TO8_LITTLE(c + 44,x11);
U32TO8_LITTLE(c + 48,x12);
U32TO8_LITTLE(c + 52,x13);
U32TO8_LITTLE(c + 56,x14);
U32TO8_LITTLE(c + 60,x15);
if (bytes <= 64) {
if (bytes < 64) {
for (i = 0;i < bytes;++i) ctarget[i] = c[i];
}
x->input[8] = j8;
x->input[9] = j9;
return;
}
bytes -= 64;
c += 64;
m += 64;
}
}
void ECRYPT_Salsa::ECRYPT_keysetup(void *xa,const u8 *k,u32 kbits,u32 ivbits)
{
const char *constants;
SALSA_ctx* x = (SALSA_ctx*)xa;
x->input[1] = U8TO32_LITTLE(k + 0);
x->input[2] = U8TO32_LITTLE(k + 4);
x->input[3] = U8TO32_LITTLE(k + 8);
x->input[4] = U8TO32_LITTLE(k + 12);
if (kbits == 256) { /* recommended */
k += 16;
constants = sigma;
} else { /* kbits == 128 */
constants = tau;
}
x->input[11] = U8TO32_LITTLE(k + 0);
x->input[12] = U8TO32_LITTLE(k + 4);
x->input[13] = U8TO32_LITTLE(k + 8);
x->input[14] = U8TO32_LITTLE(k + 12);
x->input[0] = U8TO32_LITTLE(constants + 0);
x->input[5] = U8TO32_LITTLE(constants + 4);
x->input[10] = U8TO32_LITTLE(constants + 8);
x->input[15] = U8TO32_LITTLE(constants + 12);
}