/**
* \brief Reseeds the random number generator from operating system entropy.
*
* \param state The RandState object.
*
* \return NOISE_ERROR_NONE on success.
* \return NOISE_ERROR_INVALID_PARAM if \a state is NULL.
*
* This function forces the random number generator to fetch fresh entropy
* from the operating system. Normally this isn't necessary because
* noise_randstate_generate() will reseed automatically when necessary.
*
* If the application needs to generate a highly critical value such as a
* new keypair then it may want to force a reseed. Even this isn't necessary
* for \ref dhstate "DHState" and \ref signstate "SignState" which already
* seek fresh operating system entropy when generating keypairs.
*
* \sa noise_randstate_generate()
*/
int noise_randstate_reseed(NoiseRandState *state)
{
uint8_t data[40];
/* Validate the parameter */
if (!state)
return NOISE_ERROR_INVALID_PARAM;
/* Get new random data from the operating system, encrypt it
with the previous key/IV, and then replace the key/IV */
noise_rand_bytes(data, sizeof(data));
chacha_encrypt_bytes(&(state->chacha), data, data, sizeof(data));
chacha_keysetup(&(state->chacha), data, 256);
chacha_ivsetup(&(state->chacha), data + 32, 0);
state->left = NOISE_RAND_RESEED_COUNT;
/* And force a rekey as well for good measure */
memset(data, 0, sizeof(data));
chacha_encrypt_bytes(&(state->chacha), data, data, sizeof(data));
chacha_keysetup(&(state->chacha), data, 256);
chacha_ivsetup(&(state->chacha), data + 32, 0);
noise_clean(data, sizeof(data));
/* Ready to go */
return NOISE_ERROR_NONE;
}
void chachapoly_init(struct chachapoly_ctx *ctx,
const u_char *key, u_int keylen)
{
// if (keylen != (32 + 32)) /* 2 x 256 bit keys */
// fatal("%s: invalid keylen %u", __func__, keylen);
chacha_keysetup(&ctx->main_ctx, key, 256);
chacha_keysetup(&ctx->header_ctx, key + 32, 256);
}
int chachapoly_init(struct chachapoly_ctx *ctx,
const u_char *key, u_int keylen)
{
if (keylen != (32 + 32)) /* 2 x 256 bit keys */
return SSH_ERR_INVALID_ARGUMENT;
chacha_keysetup(&ctx->main_ctx, key, 256);
chacha_keysetup(&ctx->header_ctx, key + 32, 256);
return 0;
}
/*
setup needed for both encrypt & decrypt
*/
static void setup(u64 mlen, u64 adlen, const byte *npub, const byte *k)
{
assert( k != NULL) ;
assert( npub != NULL) ;
/*
run ChaCha key schedule
and then ChaCha
*/
chacha_keysetup(chacha_ctx, (byte *) k, 256, 64) ;
chacha_ivsetup(chacha_ctx, npub) ;
chacha_round() ;
/*
set up H, I & finalblock for authentication
*/
chacha_copy( H, 1 ) ;
memcpy( I, H, AUTH_BYTES ) ;
store64((byte *) finalblock,8 * adlen);
store64(((byte *) finalblock) + 8,8 * mlen);
/*
random init for counter
*/
chacha_copy( counter, 1 ) ;
iter_count = 0 ;
/*
use ChaCha to generate aes round keys
*/
chacha_copy( aes_rk, AES_RKEYS ) ;
#ifdef TESTING
printf( "setup: called for %lld text and %lld ad\n", mlen, adlen ) ;
printf( "setup: round keys start with %08x %08x\n", aes_rk[0], aes_rk[1] ) ;
#endif
}
/**
* \brief Creates a new random number generator.
*
* \param state Points to the variable where to store the pointer to
* the new RandState object.
*
* \return NOISE_ERROR_NONE on success.
* \return NOISE_ERROR_INVALID_PARAM if \a state is NULL.
* \return NOISE_ERROR_NO_MEMORY if there is insufficient memory to
* allocate the new RandState object.
*
* \sa noise_randstate_free(), noise_randstate_generate()
*/
int noise_randstate_new(NoiseRandState **state)
{
/* Starting key for the random state before the first reseed.
This is the SHA256 initialization vector, to introduce a
little chaos into the starting state. */
static uint8_t const starting_key[32] = {
0x6A, 0x09, 0xE6, 0x67, 0xBB, 0x67, 0xAE, 0x85,
0x3C, 0x6E, 0xF3, 0x72, 0xA5, 0x4F, 0xF5, 0x3A,
0x51, 0x0E, 0x52, 0x7F, 0x9B, 0x05, 0x68, 0x8C,
0x1F, 0x83, 0xD9, 0xAB, 0x5B, 0xE0, 0xCD, 0x19
};
/* Validate the parameter */
if (!state)
return NOISE_ERROR_INVALID_PARAM;
/* Create the random number generator state */
*state = noise_new(NoiseRandState);
if (!(*state))
return NOISE_ERROR_NO_MEMORY;
/* Initialize the random number generator */
chacha_keysetup(&((*state)->chacha), starting_key, 256);
noise_randstate_reseed((*state));
return NOISE_ERROR_NONE;
}
static inline void
_rs_init(unsigned char *buf, size_t n)
{
if (n < KEYSZ + IVSZ)
return;
chacha_keysetup(&rs, buf, KEYSZ * 8, 0);
chacha_ivsetup(&rs, buf + KEYSZ);
}
/**
* \brief Forces a rekey on the random number generator.
*
* \param state The state of the random number generator.
*/
static void noise_randstate_rekey(NoiseRandState *state)
{
uint8_t data[40];
memset(data, 0, sizeof(data));
chacha_encrypt_bytes(&(state->chacha), data, data, sizeof(data));
chacha_keysetup(&(state->chacha), data, 256);
chacha_ivsetup(&(state->chacha), data + 32, 0);
noise_clean(data, sizeof(data));
}
/* Initialise the encryption routine by setting up the key schedule
* from the supplied <*data> which must be RANDOM_KEYSIZE bytes of binary
* data.
*/
void
randomdev_encrypt_init(union randomdev_key *context, const void *data)
{
if (random_chachamode) {
chacha_keysetup(&context->chacha, data, RANDOM_KEYSIZE * 8);
} else {
rijndael_cipherInit(&context->cipher, MODE_ECB, NULL);
rijndael_makeKey(&context->key, DIR_ENCRYPT, RANDOM_KEYSIZE*8, data);
}
}
kcl_err_t
kcl_chacha_init(void **ctxp, const void *key, size_t keysize, const void *iv, size_t ivsize, uint64_t counter)
{
chacha_ctx *chacha;
if ((chacha = kcl_malloc(sizeof(chacha_ctx))) == NULL)
return KCL_ERR_NOMEM;
chacha_keysetup(chacha, key, keysize);
chacha_ivsetup(chacha, iv, ivsize, counter);
*ctxp = chacha;
return KCL_ERR_NONE;
}
void hs1siv_chacha256(void *out, unsigned outbytes, unsigned char *iv, void *user_key)
{
chacha_ctx_t ctx;
// CHANGE typecasting added
chacha_keysetup(&ctx, (unsigned char*)user_key, 256);
chacha_ivsetup(&ctx,iv);
#if ( ! HS1_SIV_XOR )
memset(out, 0, outbytes);
#endif
// CHANGE typecasting added
chacha_xor(&ctx,(unsigned char*)out,(unsigned char*)out,outbytes);
}
static inline void
_rs_init(u_char *buf, size_t n)
{
if (n < KEYSZ + IVSZ)
return;
if (rs == NULL) {
if (_rs_allocate(&rs, &rsx) == -1)
abort();
}
chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8, 0);
chacha_ivsetup(&rsx->rs_chacha, buf + KEYSZ);
}
void
CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len,
const unsigned char key[32], const unsigned char iv[8], size_t counter)
{
struct chacha_ctx ctx;
/*
* chacha_ivsetup expects the counter to be in u8. Rather than
* converting size_t to u8 and then back again, pass a counter of
* NULL and manually assign it afterwards.
*/
chacha_keysetup(&ctx, key, 256);
chacha_ivsetup(&ctx, iv, NULL);
if (counter != 0) {
ctx.input[12] = (uint32_t)counter;
ctx.input[13] = (uint32_t)(((uint64_t)counter) >> 32);
}
static inline void
_rs_init(u_char *buf, size_t n)
{
if (n < KEYSZ + IVSZ)
return;
if (rs == NULL) {
#ifndef GETDNS_ON_WINDOWS
if ((rs = mmap(NULL, sizeof(*rs), PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
abort();
#ifdef MAP_INHERIT_ZERO
if (minherit(rs, sizeof(*rs), MAP_INHERIT_ZERO) == -1)
abort();
#endif
#else /* WINDOWS */
rs = malloc(sizeof(*rs));
if(!rs)
abort();
#endif
}
if (rsx == NULL) {
#ifndef GETDNS_ON_WINDOWS
if ((rsx = mmap(NULL, sizeof(*rsx), PROT_READ|PROT_WRITE,
MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
abort();
#else /* WINDOWS */
rsx = malloc(sizeof(*rsx));
if(!rsx)
abort();
#endif
}
chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8, 0);
chacha_ivsetup(&rsx->rs_chacha, buf + KEYSZ);
}
void
ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key, uint32_t keybits)
{
chacha_keysetup((chacha_ctx *)ctx, key, keybits);
}
