/* Install the 8-byte IV (nonce) into a keyed Salsa20 context and rewind
   the keystream to block 0.

   context - a SALSA20_context_t.
   iv      - SALSA20_IV_SIZE bytes, or NULL to select the all-zero nonce.
   ivlen   - length of IV in bytes.  Any value other than SALSA20_IV_SIZE
             is logged as a warning and the nonce falls back to zero.

   NOTE(review): the bad-length path only warns; because the function
   returns void the caller cannot tell that its IV was ignored and that
   a zero nonce is now in use.  Two messages under the same key would
   then share keystream.  Callers must validate ivlen themselves.  */
static void
salsa20_setiv (void *context, const byte *iv, unsigned int ivlen)
{
  SALSA20_context_t *ctx = (SALSA20_context_t *)context;

  /* Start from the all-zero nonce (state words 6 and 7); a valid IV
     overwrites it below.  */
  ctx->input[6] = 0;
  ctx->input[7] = 0;

  if (iv && ivlen == SALSA20_IV_SIZE)
    {
      ctx->input[6] = LE_READ_UINT32(iv + 0);
      ctx->input[7] = LE_READ_UINT32(iv + 4);
    }
  else if (iv)
    log_info ("WARNING: salsa20_setiv: bad ivlen=%u\n", ivlen);

  /* Words 8 and 9 hold the 64-bit block counter; restart at block 0.  */
  ctx->input[8] = 0;
  ctx->input[9] = 0;
  /* Drop any keystream bytes buffered from the previous position so
     they are never reused under the new nonce.  */
  ctx->unused = 0;
}
/* Set the Salsa20 nonce and rewind the block counter.

   ctx   - keyed Salsa20 context.
   nonce - exactly 8 bytes; they are read as two little-endian 32-bit
           words into state words 6 and 7.  No length is passed, so the
           caller is responsible for supplying a full nonce.

   State words 8 and 9 (the 64-bit block counter) are reset to zero, so
   the keystream produced next starts at block 0 for this nonce.  */
void
salsa20_set_nonce(struct salsa20_ctx *ctx, const uint8_t *nonce)
{
  unsigned i;

  /* Nonce words.  */
  for (i = 0; i < 2; i++)
    ctx->input[6 + i] = LE_READ_UINT32(nonce + 4 * i);

  /* Counter words.  */
  for (i = 0; i < 2; i++)
    ctx->input[8 + i] = 0;
}
/* Load an 8-byte IV into the Salsa20 state and restart the keystream.

   ctx - keyed Salsa20 context.
   iv  - 8 bytes, read as two little-endian 32-bit words.  No length is
         checked here; the caller must pass a full IV.

   The nonce lives in state words 6-7, the 64-bit block counter in
   words 8-9; the counter is zeroed so encryption resumes at block 0.  */
static void salsa20_ivsetup(SALSA20_context_t *ctx, const byte *iv)
{
  ctx->input[6] = LE_READ_UINT32(iv);
  ctx->input[7] = LE_READ_UINT32(iv + 4);
  /* Rewind the block counter for the new IV.  */
  ctx->input[8] = ctx->input[9] = 0;
}
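/* NH, the inner universal hash used by UMAC.

   key    - NH key words; at least length/4 32-bit words must be readable.
   length - message length in bytes.  Must be a positive multiple of 32
            and at most 1024 (the UMAC L1 block limit).
   msg    - message bytes, interpreted as little-endian 32-bit words.

   Returns the NH value: the sum modulo 2^64 over all 32-byte chunks of
   (m[i] + k[i]) * (m[i+4] + k[i+4]) for i = 0..3, where each addition is
   done modulo 2^32 and each product is taken in 64 bits.  */
uint64_t
_umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg)
{
  uint64_t y;

  assert (length > 0);
  assert (length <= 1024);
  assert (length % 32 == 0);
  /* Loop while a whole 32-byte chunk remains.  Testing `length >= 32'
     instead of `length > 0' means a length that violates the contract
     above cannot wrap the unsigned counter when the asserts are compiled
     out (NDEBUG), which would otherwise read far past msg and key.  For
     valid inputs the two conditions are equivalent.  */
  for (y = 0; length >= 32; length -= 32, msg += 32, key += 8)
    {
      uint32_t a, b;
      /* Word i of the chunk is paired with word i+4 (16 bytes later).  */
      a = LE_READ_UINT32 (msg)      + key[0];
      b = LE_READ_UINT32 (msg + 16) + key[4];
      y += (uint64_t) a * b;
      a = LE_READ_UINT32 (msg +  4) + key[1];
      b = LE_READ_UINT32 (msg + 20) + key[5];
      y += (uint64_t) a * b;
      a = LE_READ_UINT32 (msg +  8) + key[2];
      b = LE_READ_UINT32 (msg + 24) + key[6];
      y += (uint64_t) a * b;
      a = LE_READ_UINT32 (msg + 12) + key[3];
      b = LE_READ_UINT32 (msg + 28) + key[7];
      y += (uint64_t) a * b;
    }

  return y;
}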
/* Expand a Salsa20 key into the 16-word state.

   ctx    - state to fill.  Words 0, 5, 10, 15 receive the constant,
            words 1-4 and 11-14 the key.  Nonce and counter words are
            left untouched.
   key    - raw key bytes, read as little-endian 32-bit words.
   keylen - SALSA20_MAX_KEY_SIZE selects the 256-bit variant; every other
            value is treated as the 128-bit variant, so only 16 bytes of
            key are read.

   NOTE(review): keylen is not validated here.  A length that is neither
   16 nor 32 is silently processed as a 128-bit key; the check is assumed
   to live in the caller.  */
static void
salsa20_keysetup(SALSA20_context_t *ctx, const byte *key, int keylen)
{
  int i;

  /* "expand 32-byte k" as little-endian words (sigma).  */
  ctx->input[0]  = 0x61707865; /* "expa" */
  ctx->input[5]  = 0x3320646e; /* "nd 3" */
  ctx->input[10] = 0x79622d32; /* "2-by" */
  ctx->input[15] = 0x6b206574; /* "te k" */

  /* The first 128 key bits always fill words 1-4.  */
  for (i = 0; i < 4; i++)
    ctx->input[1 + i] = LE_READ_UINT32(key + 4 * i);

  if (keylen == SALSA20_MAX_KEY_SIZE)
    {
      /* 256-bit key: the second half fills words 11-14.  */
      for (i = 0; i < 4; i++)
        ctx->input[11 + i] = LE_READ_UINT32(key + 16 + 4 * i);
    }
  else
    {
      /* 128-bit key: repeat the key in words 11-14 and turn the constant
         into tau, "expand 16-byte k", by patching '3'->'1' and '2'->'6'.  */
      for (i = 0; i < 4; i++)
        ctx->input[11 + i] = ctx->input[1 + i];

      ctx->input[5]  -= 0x02000000; /* "nd 3" -> "nd 1" */
      ctx->input[10] += 0x00000004; /* "2-by" -> "6-by" */
    }
}
/* DES CBC checksum from the legacy libdes-compatible API.

   Runs SRC through DES-CBC under CTX starting from the chaining value
   *IV and keeps only the last ciphertext block, which is written to
   *DST.  The return value is the second 32-bit word of that block, read
   little-endian.

   If LENGTH is not a whole number of blocks, the final partial block is
   implicitly zero-padded (the XOR just covers fewer bytes); there is no
   length field or anything like that.  That is pretty broken, since
   "$100" and "$100\0" always get the same checksum, but it appears to be
   how the function is supposed to work.

   FIXME: the exact contract is unclear -- what should be returned, and
   whether *IV may be modified.  This implementation never writes *IV.

   NOTE(review): single DES plus a 64-bit CBC-MAC style output is not a
   secure integrity check by current standards; keep this for protocol
   compatibility only.  */
uint32_t
des_cbc_cksum(const uint8_t *src, des_cblock *dst,
	      long length, des_key_schedule ctx,
	      const_des_cblock *iv)
{
  uint8_t chain[DES_BLOCK_SIZE];

  memcpy(chain, *iv, DES_BLOCK_SIZE);

  /* Full blocks.  */
  for (; length >= DES_BLOCK_SIZE; src += DES_BLOCK_SIZE, length -= DES_BLOCK_SIZE)
    {
      memxor(chain, src, DES_BLOCK_SIZE);
      nettle_des_encrypt(ctx, DES_BLOCK_SIZE, chain, chain);
    }

  /* Trailing partial block, zero-padded by XORing only LENGTH bytes.  */
  if (length > 0)
    {
      memxor(chain, src, length);
      nettle_des_encrypt(ctx, DES_BLOCK_SIZE, chain, chain);
    }

  memcpy(*dst, chain, DES_BLOCK_SIZE);

  return LE_READ_UINT32(chain + 4);
}
/* Key a Salsa20 context.

   ctx    - context to initialise.
   key    - raw key bytes, read as little-endian 32-bit words.
   keylen - must be SALSA20_MIN_KEY_SIZE (128-bit) or SALSA20_MAX_KEY_SIZE
            (256-bit); anything else yields GPG_ERR_INV_KEYLEN before any
            key byte is read.

   Returns 0 on success, GPG_ERR_SELFTEST_FAILED if the one-time
   algorithm selftest did not pass, or GPG_ERR_INV_KEYLEN.

   After the key is installed the nonce is reset to all zeros via
   salsa20_setiv; callers are expected to set a real IV afterwards,
   since encrypting two messages under the same key with the default
   zero nonce reuses keystream.

   NOTE(review): the selftest bookkeeping uses plain static variables
   without any locking; presumably the library serialises first use --
   confirm against the caller.  */
static gcry_err_code_t
salsa20_do_setkey (SALSA20_context_t *ctx,
                   const byte *key, unsigned int keylen)
{
  static int initialized;
  static const char *selftest_failed;
  int i;

  /* Run the selftest once per process and remember its verdict.  */
  if (!initialized)
    {
      initialized = 1;
      selftest_failed = selftest ();
      if (selftest_failed)
        log_error ("SALSA20 selftest failed (%s)\n", selftest_failed );
    }
  if (selftest_failed)
    return GPG_ERR_SELFTEST_FAILED;

  /* Reject unsupported lengths before touching the key material.  */
  if (keylen != SALSA20_MIN_KEY_SIZE && keylen != SALSA20_MAX_KEY_SIZE)
    return GPG_ERR_INV_KEYLEN;

  /* "expand 32-byte k" as little-endian words (sigma) in 0, 5, 10, 15.  */
  ctx->input[0]  = 0x61707865; /* "expa" */
  ctx->input[5]  = 0x3320646e; /* "nd 3" */
  ctx->input[10] = 0x79622d32; /* "2-by" */
  ctx->input[15] = 0x6b206574; /* "te k" */

  /* First 128 key bits -> words 1-4.  */
  for (i = 0; i < 4; i++)
    ctx->input[1 + i] = LE_READ_UINT32(key + 4 * i);

  if (keylen == SALSA20_MAX_KEY_SIZE)
    {
      /* 256-bit key: second half -> words 11-14.  */
      for (i = 0; i < 4; i++)
        ctx->input[11 + i] = LE_READ_UINT32(key + 16 + 4 * i);
    }
  else
    {
      /* 128-bit key: repeat the key in words 11-14 and patch the
         constant into tau, "expand 16-byte k".  */
      for (i = 0; i < 4; i++)
        ctx->input[11 + i] = ctx->input[1 + i];

      ctx->input[5]  -= 0x02000000; /* "nd 3" -> "nd 1" */
      ctx->input[10] += 0x00000004; /* "2-by" -> "6-by" */
    }

  /* Default nonce is all zeros; the block counter is reset as well.  */
  salsa20_setiv (ctx, NULL, 0);

  return 0;
}
  /* AES block-encryption loop, excerpted from an enclosing function that
     begins before and ends after this fragment.  `length', `dst', `src',
     `ctx' (round keys in ctx->keys, round count in ctx->nrounds) and the
     lookup table `T' are all defined there.  Each iteration encrypts one
     AES_BLOCK_SIZE-byte block from src into dst.

     NOTE(review): AES_ROUND / AES_FINAL_ROUND are macros defined
     elsewhere; if they index T with data-dependent bytes, as table-driven
     AES normally does, this loop is not constant-time and can leak key
     material through cache timing on shared hardware.  Verify which
     implementation is selected where that matters.  */
  FOR_BLOCKS(length, dst, src, AES_BLOCK_SIZE)
    {
      uint32_t w0, w1, w2, w3;		/* working ciphertext */
      uint32_t t0, t1, t2, t3;
      unsigned round;
      
      /* Get clear text, using little-endian byte order.
       * Also XOR with the first subkey. */

      w0 = LE_READ_UINT32(src)      ^ ctx->keys[0];
      w1 = LE_READ_UINT32(src + 4)  ^ ctx->keys[1];
      w2 = LE_READ_UINT32(src + 8)  ^ ctx->keys[2];
      w3 = LE_READ_UINT32(src + 12) ^ ctx->keys[3];

      /* Rounds 1 .. nrounds-1; each uses four consecutive round-key words
         starting at keys[4*round].  */
      for (round = 1; round < ctx->nrounds; round++)
	{
	  t0 = AES_ROUND(T, w0, w3, w2, w1, ctx->keys[4*round]);
	  t1 = AES_ROUND(T, w1, w0, w3, w2, ctx->keys[4*round + 1]);
	  t2 = AES_ROUND(T, w2, w1, w0, w3, ctx->keys[4*round + 2]);
	  t3 = AES_ROUND(T, w3, w2, w1, w0, ctx->keys[4*round + 3]);

	  /* We could unroll the loop twice, to avoid these
	     assignments. If all eight variables fit in registers,
	     that should give a slight speedup. */
	  w0 = t0;
	  w1 = t1;
	  w2 = t2;
	  w3 = t3;
	}

      /* Final round (round == nrounds here), which has no MixColumns.  */

      t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, ctx->keys[4*round]);
      t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, ctx->keys[4*round + 1]);
      t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, ctx->keys[4*round + 2]);
      t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, ctx->keys[4*round + 3]);

      /* Store all four words little-endian; the 0, 8, 4, 12 store order
         is immaterial, every word is written.  */
      LE_WRITE_UINT32(dst, t0);
      LE_WRITE_UINT32(dst + 8, t2);
      LE_WRITE_UINT32(dst + 4, t1);
      LE_WRITE_UINT32(dst + 12, t3);
    }
/* MD5 compression function: fold one 64-byte block into the state.

   digest - four 32-bit chaining words (A, B, C, D), updated in place.
   input  - 64 bytes of message, read as MD5_DATA_LENGTH little-endian
            32-bit words.

   The four groups of sixteen ROUND steps below are MD5's rounds with the
   auxiliary functions F1..F4; ROUND and F1..F4 are macros defined
   elsewhere in this file.  The additive constants and shift amounts are
   those of the MD5 specification.

   NOTE(review): MD5 is cryptographically broken -- collisions are cheap
   to produce -- so this must not be relied on for signatures, integrity
   of untrusted data, or any other collision-resistance property.  Keep
   it for legacy compatibility only.  */
void
_nettle_md5_compress(uint32_t *digest, const uint8_t *input)
{
  uint32_t data[MD5_DATA_LENGTH];
  uint32_t a, b, c, d;
  unsigned i;

  /* Message schedule: 16 little-endian words straight from the block.  */
  for (i = 0; i < MD5_DATA_LENGTH; i++, input += 4)
    data[i] = LE_READ_UINT32(input);

  a = digest[0];
  b = digest[1];
  c = digest[2];
  d = digest[3];

  /* Round 1: F1, words in order, shifts 7/12/17/22.  */
  ROUND(F1, a, b, c, d, data[ 0] + 0xd76aa478, 7);
  ROUND(F1, d, a, b, c, data[ 1] + 0xe8c7b756, 12);
  ROUND(F1, c, d, a, b, data[ 2] + 0x242070db, 17);
  ROUND(F1, b, c, d, a, data[ 3] + 0xc1bdceee, 22);
  ROUND(F1, a, b, c, d, data[ 4] + 0xf57c0faf, 7);
  ROUND(F1, d, a, b, c, data[ 5] + 0x4787c62a, 12);
  ROUND(F1, c, d, a, b, data[ 6] + 0xa8304613, 17);
  ROUND(F1, b, c, d, a, data[ 7] + 0xfd469501, 22);
  ROUND(F1, a, b, c, d, data[ 8] + 0x698098d8, 7);
  ROUND(F1, d, a, b, c, data[ 9] + 0x8b44f7af, 12);
  ROUND(F1, c, d, a, b, data[10] + 0xffff5bb1, 17);
  ROUND(F1, b, c, d, a, data[11] + 0x895cd7be, 22);
  ROUND(F1, a, b, c, d, data[12] + 0x6b901122, 7);
  ROUND(F1, d, a, b, c, data[13] + 0xfd987193, 12);
  ROUND(F1, c, d, a, b, data[14] + 0xa679438e, 17);
  ROUND(F1, b, c, d, a, data[15] + 0x49b40821, 22);

  /* Round 2: F2, word index (1 + 5k) mod 16, shifts 5/9/14/20.  */
  ROUND(F2, a, b, c, d, data[ 1] + 0xf61e2562, 5);
  ROUND(F2, d, a, b, c, data[ 6] + 0xc040b340, 9);
  ROUND(F2, c, d, a, b, data[11] + 0x265e5a51, 14);
  ROUND(F2, b, c, d, a, data[ 0] + 0xe9b6c7aa, 20);
  ROUND(F2, a, b, c, d, data[ 5] + 0xd62f105d, 5);
  ROUND(F2, d, a, b, c, data[10] + 0x02441453, 9);
  ROUND(F2, c, d, a, b, data[15] + 0xd8a1e681, 14);
  ROUND(F2, b, c, d, a, data[ 4] + 0xe7d3fbc8, 20);
  ROUND(F2, a, b, c, d, data[ 9] + 0x21e1cde6, 5);
  ROUND(F2, d, a, b, c, data[14] + 0xc33707d6, 9);
  ROUND(F2, c, d, a, b, data[ 3] + 0xf4d50d87, 14);
  ROUND(F2, b, c, d, a, data[ 8] + 0x455a14ed, 20);
  ROUND(F2, a, b, c, d, data[13] + 0xa9e3e905, 5);
  ROUND(F2, d, a, b, c, data[ 2] + 0xfcefa3f8, 9);
  ROUND(F2, c, d, a, b, data[ 7] + 0x676f02d9, 14);
  ROUND(F2, b, c, d, a, data[12] + 0x8d2a4c8a, 20);

  /* Round 3: F3, word index (5 + 3k) mod 16, shifts 4/11/16/23.  */
  ROUND(F3, a, b, c, d, data[ 5] + 0xfffa3942, 4);
  ROUND(F3, d, a, b, c, data[ 8] + 0x8771f681, 11);
  ROUND(F3, c, d, a, b, data[11] + 0x6d9d6122, 16);
  ROUND(F3, b, c, d, a, data[14] + 0xfde5380c, 23);
  ROUND(F3, a, b, c, d, data[ 1] + 0xa4beea44, 4);
  ROUND(F3, d, a, b, c, data[ 4] + 0x4bdecfa9, 11);
  ROUND(F3, c, d, a, b, data[ 7] + 0xf6bb4b60, 16);
  ROUND(F3, b, c, d, a, data[10] + 0xbebfbc70, 23);
  ROUND(F3, a, b, c, d, data[13] + 0x289b7ec6, 4);
  ROUND(F3, d, a, b, c, data[ 0] + 0xeaa127fa, 11);
  ROUND(F3, c, d, a, b, data[ 3] + 0xd4ef3085, 16);
  ROUND(F3, b, c, d, a, data[ 6] + 0x04881d05, 23);
  ROUND(F3, a, b, c, d, data[ 9] + 0xd9d4d039, 4);
  ROUND(F3, d, a, b, c, data[12] + 0xe6db99e5, 11);
  ROUND(F3, c, d, a, b, data[15] + 0x1fa27cf8, 16);
  ROUND(F3, b, c, d, a, data[ 2] + 0xc4ac5665, 23);

  /* Round 4: F4, word index 7k mod 16, shifts 6/10/15/21.  */
  ROUND(F4, a, b, c, d, data[ 0] + 0xf4292244, 6);
  ROUND(F4, d, a, b, c, data[ 7] + 0x432aff97, 10);
  ROUND(F4, c, d, a, b, data[14] + 0xab9423a7, 15);
  ROUND(F4, b, c, d, a, data[ 5] + 0xfc93a039, 21);
  ROUND(F4, a, b, c, d, data[12] + 0x655b59c3, 6);
  ROUND(F4, d, a, b, c, data[ 3] + 0x8f0ccc92, 10);
  ROUND(F4, c, d, a, b, data[10] + 0xffeff47d, 15);
  ROUND(F4, b, c, d, a, data[ 1] + 0x85845dd1, 21);
  ROUND(F4, a, b, c, d, data[ 8] + 0x6fa87e4f, 6);
  ROUND(F4, d, a, b, c, data[15] + 0xfe2ce6e0, 10);
  ROUND(F4, c, d, a, b, data[ 6] + 0xa3014314, 15);
  ROUND(F4, b, c, d, a, data[13] + 0x4e0811a1, 21);
  ROUND(F4, a, b, c, d, data[ 4] + 0xf7537e82, 6);
  ROUND(F4, d, a, b, c, data[11] + 0xbd3af235, 10);
  ROUND(F4, c, d, a, b, data[ 2] + 0x2ad7d2bb, 15);
  ROUND(F4, b, c, d, a, data[ 9] + 0xeb86d391, 21);

  /* Davies-Meyer style feed-forward: add the round output to the
     incoming chaining value (mod 2^32 per word).  */
  digest[0] += a;
  digest[1] += b;
  digest[2] += c;
  digest[3] += d;
}