3 * Salsa20 stream cipher
5 * (c) 2015 Straylight/Edgeware
8 /*----- Header files ------------------------------------------------------*/
14 #include <mLib/bits.h>
23 #include "salsa20-core.h"
25 /*----- Global variables --------------------------------------------------*/
27 const octet salsa20_keysz[] = { KSZ_SET, 32, 16, 10, 0 };
29 /*----- The Salsa20 core function and utilities ---------------------------*/
33 * Arguments: @unsigned r@ = number of rounds
34 * @const salsa20_matrix src@ = input matrix
35 * @salsa20_matrix dest@ = where to put the output
40 * Use: Apply the Salsa20/r core function to @src@, writing the
41 * result to @dest@. This consists of @r@ rounds followed by
42 * the feedforward step.
45 CPU_DISPATCH(static, (void),
46 void, core, (unsigned r, const salsa20_matrix src,
49 pick_core, simple_core);
51 static void simple_core(unsigned r, const salsa20_matrix src,
53 { SALSA20_nR(dest, src, r); SALSA20_FFWD(dest, src); }
55 #if CPUFAM_X86 || CPUFAM_AMD64
56 extern core__functype salsa20_core_x86ish_sse2;
60 extern core__functype salsa20_core_arm_neon;
63 static core__functype *pick_core(void)
65 #if CPUFAM_X86 || CPUFAM_AMD64
66 DISPATCH_PICK_COND(salsa20_core, salsa20_core_x86ish_sse2,
67 cpu_feature_p(CPUFEAT_X86_SSE2));
70 DISPATCH_PICK_COND(salsa20_core, salsa20_core_arm_neon,
71 cpu_feature_p(CPUFEAT_ARM_NEON));
73 DISPATCH_PICK_FALLBACK(salsa20_core, simple_core);
76 /* --- @populate@ --- *
78 * Arguments: @salsa20_matrix a@ = a matrix to fill in
79 * @const void *key@ = pointer to key material
80 * @size_t ksz@ = size of key
84 * Use: Fills in a Salsa20 matrix from the key, setting the
85 * appropriate constants according to the key length. The nonce
86 * and position words are left uninitialized.
89 static void populate(salsa20_matrix a, const void *key, size_t ksz)
93 KSZ_ASSERT(salsa20, ksz);
95 /* Here's the pattern of key, constant, nonce, and counter pieces in the
96 * matrix, before and after our permutation.
98 * [ C0 K0 K1 K2 ] [ C0 C1 C2 C3 ]
99 * [ K3 C1 N0 N1 ] --> [ K3 T1 K7 K2 ]
100 * [ T0 T1 C2 K4 ] [ T0 K6 K1 N1 ]
101 * [ K5 K6 K7 C3 ] [ K5 K0 N0 K4 ]
104 a[13] = LOAD32_L(k + 0);
105 a[10] = LOAD32_L(k + 4);
107 a[ 7] = LOAD16_L(k + 8);
110 a[ 7] = LOAD32_L(k + 8);
111 a[ 4] = LOAD32_L(k + 12);
118 a[ 0] = SALSA20_A128;
119 a[ 1] = SALSA20_B128;
120 a[ 2] = ksz == 10 ? SALSA20_C80 : SALSA20_C128;
121 a[ 3] = SALSA20_D128;
123 a[15] = LOAD32_L(k + 16);
124 a[12] = LOAD32_L(k + 20);
125 a[ 9] = LOAD32_L(k + 24);
126 a[ 6] = LOAD32_L(k + 28);
127 a[ 0] = SALSA20_A256;
128 a[ 1] = SALSA20_B256;
129 a[ 2] = SALSA20_C256;
130 a[ 3] = SALSA20_D256;
134 /*----- Salsa20 implementation --------------------------------------------*/
136 /* --- @salsa20_init@ --- *
138 * Arguments: @salsa20_ctx *ctx@ = context to fill in
139 * @const void *key@ = pointer to key material
140 * @size_t ksz@ = size of key (either 32 or 16)
141 * @const void *nonce@ = initial nonce, or null
145 * Use: Initializes a Salsa20 context ready for use.
148 void salsa20_init(salsa20_ctx *ctx, const void *key, size_t ksz,
151 static const octet zerononce[SALSA20_NONCESZ];
153 populate(ctx->a, key, ksz);
154 salsa20_setnonce(ctx, nonce ? nonce : zerononce);
157 /* --- @salsa20_setnonce@ --- *
159 * Arguments: @salsa20_ctx *ctx@ = pointer to context
160 * @const void *nonce@ = the nonce (@SALSA20_NONCESZ@ bytes)
164 * Use: Set a new nonce in the context @ctx@, e.g., for processing a
165 * different message. The stream position is reset to zero (see
166 * @salsa20_seek@ etc.).
169 void salsa20_setnonce(salsa20_ctx *ctx, const void *nonce)
171 const octet *n = nonce;
173 ctx->a[14] = LOAD32_L(n + 0);
174 ctx->a[11] = LOAD32_L(n + 4);
175 salsa20_seek(ctx, 0);
178 /* --- @salsa20_seek@, @salsa20_seeku64@ --- *
180 * Arguments: @salsa20_ctx *ctx@ = pointer to context
181 * @unsigned long i@, @kludge64 i@ = new position to set
185 * Use: Sets a new stream position, in units of Salsa20 output
186 * blocks, which are @SALSA20_OUTSZ@ bytes each. Byte
187 * granularity can be achieved by calling @salsa20R_encrypt@
191 void salsa20_seek(salsa20_ctx *ctx, unsigned long i)
192 { kludge64 ii; ASSIGN64(ii, i); salsa20_seeku64(ctx, ii); }
194 void salsa20_seeku64(salsa20_ctx *ctx, kludge64 i)
196 ctx->a[8] = LO64(i); ctx->a[5] = HI64(i);
197 ctx->bufi = SALSA20_OUTSZ;
200 /* --- @salsa20_tell@, @salsa20_tellu64@ --- *
202 * Arguments: @salsa20_ctx *ctx@ = pointer to context
204 * Returns: The current position in the output stream, in blocks,
208 unsigned long salsa20_tell(salsa20_ctx *ctx)
209 { kludge64 i = salsa20_tellu64(ctx); return (GET64(unsigned long, i)); }
211 kludge64 salsa20_tellu64(salsa20_ctx *ctx)
212 { kludge64 i; SET64(i, ctx->a[5], ctx->a[8]); return (i); }
214 /* --- @salsa20{,12,8}_encrypt@ --- *
216 * Arguments: @salsa20_ctx *ctx@ = pointer to context
217 * @const void *src@ = source buffer (or null)
218 * @void *dest@ = destination buffer (or null)
219 * @size_t sz@ = size of the buffers
223 * Use: Encrypts or decrypts @sz@ bytes of data from @src@ to @dest@.
224 * Salsa20 works by XORing plaintext with a keystream, so
225 * encryption and decryption are the same operation. If @dest@
226 * is null then ignore @src@ and skip @sz@ bytes of the
227 * keystream. If @src@ is null, then just write the keystream
231 #define SALSA20_ENCRYPT(r, ctx, src, dest, sz) \
232 SALSA20_DECOR(salsa20, r, _encrypt)(ctx, src, dest, sz)
233 #define DEFENCRYPT(r) \
234 void SALSA20_ENCRYPT(r, salsa20_ctx *ctx, const void *src, \
235 void *dest, size_t sz) \
238 const octet *s = src; \
241 kludge64 pos, delta; \
243 SALSA20_OUTBUF(ctx, d, s, sz); \
247 n = sz/SALSA20_OUTSZ; \
248 pos = salsa20_tellu64(ctx); \
249 ASSIGN64(delta, n); \
250 ADD64(pos, pos, delta); \
251 salsa20_seeku64(ctx, pos); \
252 sz = sz%SALSA20_OUTSZ; \
254 while (sz >= SALSA20_OUTSZ) { \
255 core(r, ctx->a, b); \
256 SALSA20_STEP(ctx->a); \
257 SALSA20_GENFULL(b, d); \
258 sz -= SALSA20_OUTSZ; \
261 while (sz >= SALSA20_OUTSZ) { \
262 core(r, ctx->a, b); \
263 SALSA20_STEP(ctx->a); \
264 SALSA20_MIXFULL(b, d, s); \
265 sz -= SALSA20_OUTSZ; \
270 core(r, ctx->a, b); \
271 SALSA20_STEP(ctx->a); \
272 SALSA20_PREPBUF(ctx, b); \
273 SALSA20_OUTBUF(ctx, d, s, sz); \
277 SALSA20_VARS(DEFENCRYPT)
279 /*----- HSalsa20 implementation -------------------------------------------*/
281 #define HSALSA20_RAW(r, ctx, src, dest) \
282 SALSA20_DECOR(hsalsa20, r, _raw)(ctx, src, dest)
283 #define HSALSA20_PRF(r, ctx, src, dest) \
284 SALSA20_DECOR(hsalsa20, r, _prf)(ctx, src, dest)
286 /* --- @hsalsa20{,12,8}_prf@ --- *
288 * Arguments: @salsa20_ctx *ctx@ = pointer to context
289 * @const void *src@ = the input (@HSALSA20_INSZ@ bytes)
290 * @void *dest@ = the output (@HSALSA20_OUTSZ@ bytes)
294 * Use: Apply the HSalsa20/r pseudorandom function to @src@, writing
295 * the result to @out@.
298 #define DEFHSALSA20(r) \
299 static void HSALSA20_RAW(r, salsa20_matrix k, \
300 const uint32 *src, uint32 *dest) \
305 /* --- HSalsa20, computed from full Salsa20 --- * \
307 * The security proof makes use of the fact that HSalsa20 (i.e., \
308 * without the final feedforward step) can be computed from full \
309 * Salsa20 using only knowledge of the non-secret input. I don't \
310 * want to compromise the performance of the main function by \
311 * making the feedforward step separate, but this operation is less \
312 * speed critical, so we do it the harder way. \
315 for (i = 0; i < 4; i++) k[14 - 3*i] = src[i]; \
317 for (i = 0; i < 4; i++) dest[i] = a[5*i] - k[i]; \
318 for (i = 4; i < 8; i++) dest[i] = a[i + 2] - k[26 - 3*i]; \
321 void HSALSA20_PRF(r, salsa20_ctx *ctx, const void *src, void *dest) \
323 const octet *s = src; \
325 uint32 in[4], out[8]; \
328 for (i = 0; i < 4; i++) in[i] = LOAD32_L(s + 4*i); \
329 HSALSA20_RAW(r, ctx->a, in, out); \
330 for (i = 0; i < 8; i++) STORE32_L(d + 4*i, out[i]); \
332 SALSA20_VARS(DEFHSALSA20)
334 /*----- XSalsa20 implementation -------------------------------------------*/
336 /* --- Some convenient macros for naming functions --- *
338 * Because the crypto core is involved in XSalsa20/r's per-nonce setup, we
339 * need to take an interest in the number of rounds in most of the various
340 * functions, and it will probably help if we distinguish the context
341 * structures for the various versions.
344 #define XSALSA20_CTX(r) SALSA20_DECOR(xsalsa20, r, _ctx)
345 #define XSALSA20_INIT(r, ctx, k, ksz, n) \
346 SALSA20_DECOR(xsalsa20, r, _init)(ctx, k, ksz, n)
347 #define XSALSA20_SETNONCE(r, ctx, n) \
348 SALSA20_DECOR(xsalsa20, r, _setnonce)(ctx, n)
349 #define XSALSA20_SEEK(r, ctx, i) \
350 SALSA20_DECOR(xsalsa20, r, _seek)(ctx, i)
351 #define XSALSA20_SEEKU64(r, ctx, i) \
352 SALSA20_DECOR(xsalsa20, r, _seeku64)(ctx, i)
353 #define XSALSA20_TELL(r, ctx) \
354 SALSA20_DECOR(xsalsa20, r, _tell)(ctx)
355 #define XSALSA20_TELLU64(r, ctx) \
356 SALSA20_DECOR(xsalsa20, r, _tellu64)(ctx)
357 #define XSALSA20_ENCRYPT(r, ctx, src, dest, sz) \
358 SALSA20_DECOR(xsalsa20, r, _encrypt)(ctx, src, dest, sz)
360 /* --- @xsalsa20{,12,8}_init@ --- *
362 * Arguments: @xsalsa20R_ctx *ctx@ = the context to fill in
363 * @const void *key@ = pointer to key material
364 * @size_t ksz@ = size of key (either 32 or 16)
365 * @const void *nonce@ = initial nonce, or null
369 * Use: Initializes an XSalsa20/r context ready for use.
371 * There is a different function for each number of rounds,
372 * unlike for plain Salsa20.
375 #define DEFXINIT(r) \
376 void XSALSA20_INIT(r, XSALSA20_CTX(r) *ctx, \
377 const void *key, size_t ksz, const void *nonce) \
379 static const octet zerononce[XSALSA20_NONCESZ]; \
381 populate(ctx->k, key, ksz); \
382 ctx->s.a[ 0] = SALSA20_A256; \
383 ctx->s.a[ 1] = SALSA20_B256; \
384 ctx->s.a[ 2] = SALSA20_C256; \
385 ctx->s.a[ 3] = SALSA20_D256; \
386 XSALSA20_SETNONCE(r, ctx, nonce ? nonce : zerononce); \
388 SALSA20_VARS(DEFXINIT)
390 /* --- @xsalsa20{,12,8}_setnonce@ --- *
392 * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context
393 * @const void *nonce@ = the nonce (@XSALSA20_NONCESZ@ bytes)
397 * Use: Set a new nonce in the context @ctx@, e.g., for processing a
398 * different message. The stream position is reset to zero (see
399 * @salsa20_seek@ etc.).
401 * There is a different function for each number of rounds,
402 * unlike for plain Salsa20.
405 #define DEFXNONCE(r) \
406 void XSALSA20_SETNONCE(r, XSALSA20_CTX(r) *ctx, const void *nonce) \
408 const octet *n = nonce; \
409 uint32 in[4], out[8]; \
412 for (i = 0; i < 4; i++) in[i] = LOAD32_L(n + 4*i); \
413 HSALSA20_RAW(r, ctx->k, in, out); \
414 for (i = 0; i < 4; i++) ctx->s.a[13 - 3*i] = out[i]; \
415 for (i = 4; i < 8; i++) ctx->s.a[27 - 3*i] = out[i]; \
416 salsa20_setnonce(&ctx->s, n + 16); \
418 SALSA20_VARS(DEFXNONCE)
420 /* --- @xsalsa20{,12,8}_seek@, @xsalsa20{,12,8}_seeku64@ --- *
422 * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context
423 * @unsigned long i@, @kludge64 i@ = new position to set
427 * Use: Sets a new stream position, in units of Salsa20 output
428 * blocks, which are @XSALSA20_OUTSZ@ bytes each. Byte
429 * granularity can be achieved by calling @xsalsa20R_encrypt@
432 * There is a different function for each number of rounds,
433 * unlike for plain Salsa20, because the context structures are
437 /* --- @xsalsa20{,12,8}_tell@, @xsalsa20{,12,8}_tellu64@ --- *
439 * Arguments: @salsa20_ctx *ctx@ = pointer to context
441 * Returns: The current position in the output stream, in blocks,
444 * There is a different function for each number of rounds,
445 * unlike for plain Salsa20, because the context structures are
449 /* --- @xsalsa20{,12,8}_encrypt@ --- *
451 * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context
452 * @const void *src@ = source buffer (or null)
453 * @void *dest@ = destination buffer (or null)
454 * @size_t sz@ = size of the buffers
458 * Use: Encrypts or decrypts @sz@ bytes of data from @src@ to @dest@.
459 * XSalsa20 works by XORing plaintext with a keystream, so
460 * encryption and decryption are the same operation. If @dest@
461 * is null then ignore @src@ and skip @sz@ bytes of the
462 * keystream. If @src@ is null, then just write the keystream
466 #define DEFXPASSTHRU(r) \
467 void XSALSA20_SEEK(r, XSALSA20_CTX(r) *ctx, unsigned long i) \
468 { salsa20_seek(&ctx->s, i); } \
469 void XSALSA20_SEEKU64(r, XSALSA20_CTX(r) *ctx, kludge64 i) \
470 { salsa20_seeku64(&ctx->s, i); } \
471 unsigned long XSALSA20_TELL(r, XSALSA20_CTX(r) *ctx) \
472 { return salsa20_tell(&ctx->s); } \
473 kludge64 XSALSA20_TELLU64(r, XSALSA20_CTX(r) *ctx) \
474 { return salsa20_tellu64(&ctx->s); } \
475 void XSALSA20_ENCRYPT(r, XSALSA20_CTX(r) *ctx, \
476 const void *src, void *dest, size_t sz) \
477 { SALSA20_ENCRYPT(r, &ctx->s, src, dest, sz); }
478 SALSA20_VARS(DEFXPASSTHRU)
480 /*----- Generic cipher interface ------------------------------------------*/
482 typedef struct gctx { gcipher c; salsa20_ctx ctx; } gctx;
484 static void gsetiv(gcipher *c, const void *iv)
485 { gctx *g = (gctx *)c; salsa20_setnonce(&g->ctx, iv); }
487 static void gdestroy(gcipher *c)
488 { gctx *g = (gctx *)c; BURN(*g); S_DESTROY(g); }
490 #define DEFGCIPHER(r) \
492 static const gcipher_ops gops_##r; \
494 static gcipher *ginit_##r(const void *k, size_t sz) \
496 gctx *g = S_CREATE(gctx); \
497 g->c.ops = &gops_##r; \
498 salsa20_init(&g->ctx, k, sz, 0); \
502 static void gencrypt_##r(gcipher *c, const void *s, \
503 void *t, size_t sz) \
504 { gctx *g = (gctx *)c; SALSA20_ENCRYPT(r, &g->ctx, s, t, sz); } \
506 static const gcipher_ops gops_##r = { \
507 &SALSA20_DECOR(salsa20, r, ), \
508 gencrypt_##r, gencrypt_##r, gdestroy, gsetiv, 0 \
511 const gccipher SALSA20_DECOR(salsa20, r, ) = { \
512 SALSA20_NAME_##r, salsa20_keysz, \
513 SALSA20_NONCESZ, ginit_##r \
516 SALSA20_VARS(DEFGCIPHER)
518 #define DEFGXCIPHER(r) \
520 typedef struct { gcipher c; XSALSA20_CTX(r) ctx; } gxctx_##r; \
522 static void gxsetiv_##r(gcipher *c, const void *iv) \
523 { gxctx_##r *g = (gxctx_##r *)c; XSALSA20_SETNONCE(r, &g->ctx, iv); } \
525 static void gxdestroy_##r(gcipher *c) \
526 { gxctx_##r *g = (gxctx_##r *)c; BURN(*g); S_DESTROY(g); } \
528 static const gcipher_ops gxops_##r; \
530 static gcipher *gxinit_##r(const void *k, size_t sz) \
532 gxctx_##r *g = S_CREATE(gxctx_##r); \
533 g->c.ops = &gxops_##r; \
534 XSALSA20_INIT(r, &g->ctx, k, sz, 0); \
538 static void gxencrypt_##r(gcipher *c, const void *s, \
539 void *t, size_t sz) \
541 gxctx_##r *g = (gxctx_##r *)c; \
542 XSALSA20_ENCRYPT(r, &g->ctx, s, t, sz); \
545 static const gcipher_ops gxops_##r = { \
546 &SALSA20_DECOR(xsalsa20, r, ), \
547 gxencrypt_##r, gxencrypt_##r, gxdestroy_##r, gxsetiv_##r, 0 \
550 const gccipher SALSA20_DECOR(xsalsa20, r, ) = { \
551 "x" SALSA20_NAME_##r, salsa20_keysz, \
552 XSALSA20_NONCESZ, gxinit_##r \
555 SALSA20_VARS(DEFGXCIPHER)
557 /*----- Generic random number generator interface -------------------------*/
559 typedef struct grops {
561 void (*seek)(void *, kludge64);
562 kludge64 (*tell)(void *);
563 void (*setnonce)(void *, const void *);
564 void (*generate)(void *, void *, size_t);
567 typedef struct grbasectx {
572 static int grmisc(grand *r, unsigned op, ...)
574 octet buf[XSALSA20_NONCESZ];
575 grbasectx *g = (grbasectx *)r;
589 switch (va_arg(ap, unsigned)) {
592 case GRAND_SEEDUINT32:
593 case GRAND_SEEDBLOCK:
596 case SALSA20_SEEKU64:
598 case SALSA20_TELLU64:
608 i = va_arg(ap, unsigned); STORE32_L(buf, i);
609 memset(buf + 4, 0, g->ops->noncesz - 4);
610 g->ops->setnonce(g, buf);
612 case GRAND_SEEDUINT32:
613 i = va_arg(ap, uint32); STORE32_L(buf, i);
614 memset(buf + 4, 0, g->ops->noncesz - 4);
615 g->ops->setnonce(g, buf);
617 case GRAND_SEEDBLOCK:
618 p = va_arg(ap, const void *);
619 sz = va_arg(ap, size_t);
620 if (sz < g->ops->noncesz) {
622 memset(buf + sz, 0, g->ops->noncesz - sz);
625 g->ops->setnonce(g, p);
628 rr = va_arg(ap, grand *);
629 rr->ops->fill(rr, buf, g->ops->noncesz);
630 g->ops->setnonce(g, buf);
633 ul = va_arg(ap, unsigned long); ASSIGN64(pos, ul);
634 g->ops->seek(g, pos);
636 case SALSA20_SEEKU64:
637 pos = va_arg(ap, kludge64);
638 g->ops->seek(g, pos);
641 pos = g->ops->tell(g);
642 *va_arg(ap, unsigned long *) = GET64(unsigned long, pos);
644 case SALSA20_TELLU64:
645 *va_arg(ap, kludge64 *) = g->ops->tell(g);
655 static octet grbyte(grand *r)
657 grbasectx *g = (grbasectx *)r;
659 g->ops->generate(g, &o, 1);
663 static uint32 grword(grand *r)
665 grbasectx *g = (grbasectx *)r;
667 g->ops->generate(g, b, sizeof(b));
668 return (LOAD32_L(b));
671 static void grfill(grand *r, void *p, size_t sz)
673 grbasectx *g = (grbasectx *)r;
674 g->ops->generate(r, p, sz);
677 typedef struct grctx {
682 static void gr_seek(void *r, kludge64 pos)
683 { grctx *g = r; salsa20_seeku64(&g->ctx, pos); }
685 static kludge64 gr_tell(void *r)
686 { grctx *g = r; return (salsa20_tellu64(&g->ctx)); }
688 static void gr_setnonce(void *r, const void *n)
689 { grctx *g = r; salsa20_setnonce(&g->ctx, n); }
691 static void grdestroy(grand *r)
692 { grctx *g = (grctx *)r; BURN(*g); S_DESTROY(g); }
694 #define DEFGRAND(rr) \
696 static void gr_generate_##rr(void *r, void *b, size_t sz) \
697 { grctx *g = r; SALSA20_ENCRYPT(rr, &g->ctx, 0, b, sz); } \
699 static const grops grops_##rr = \
700 { SALSA20_NONCESZ, gr_seek, gr_tell, \
701 gr_setnonce, gr_generate_##rr }; \
703 static const grand_ops grops_rand_##rr = { \
704 SALSA20_NAME_##rr, GRAND_CRYPTO, 0, \
705 grmisc, grdestroy, grword, \
706 grbyte, grword, grand_defaultrange, grfill \
709 grand *SALSA20_DECOR(salsa20, rr, _rand) \
710 (const void *k, size_t ksz, const void *n) \
712 grctx *g = S_CREATE(g); \
713 g->r.r.ops = &grops_rand_##rr; \
714 g->r.ops = &grops_##rr; \
715 salsa20_init(&g->ctx, k, ksz, n); \
718 SALSA20_VARS(DEFGRAND)
720 #define DEFXGRAND(rr) \
722 typedef struct grxctx_##rr { \
724 XSALSA20_CTX(rr) ctx; \
727 static void grx_seek_##rr(void *r, kludge64 pos) \
728 { grxctx_##rr *g = r; XSALSA20_SEEKU64(rr, &g->ctx, pos); } \
730 static kludge64 grx_tell_##rr(void *r) \
731 { grxctx_##rr *g = r; return (XSALSA20_TELLU64(rr, &g->ctx)); } \
733 static void grx_setnonce_##rr(void *r, const void *n) \
734 { grxctx_##rr *g = r; XSALSA20_SETNONCE(rr, &g->ctx, n); } \
736 static void grxdestroy_##rr(grand *r) \
737 { grxctx_##rr *g = (grxctx_##rr *)r; BURN(*g); S_DESTROY(g); } \
739 static void grx_generate_##rr(void *r, void *b, size_t sz) \
740 { grxctx_##rr *g = r; XSALSA20_ENCRYPT(rr, &g->ctx, 0, b, sz); } \
742 static const grops grxops_##rr = \
743 { XSALSA20_NONCESZ, grx_seek_##rr, grx_tell_##rr, \
744 grx_setnonce_##rr, grx_generate_##rr }; \
746 static const grand_ops grxops_rand_##rr = { \
747 "x" SALSA20_NAME_##rr, GRAND_CRYPTO, 0, \
748 grmisc, grxdestroy_##rr, grword, \
749 grbyte, grword, grand_defaultrange, grfill \
752 grand *SALSA20_DECOR(xsalsa20, rr, _rand) \
753 (const void *k, size_t ksz, const void *n) \
755 grxctx_##rr *g = S_CREATE(g); \
756 g->r.r.ops = &grxops_rand_##rr; \
757 g->r.ops = &grxops_##rr; \
758 XSALSA20_INIT(rr, &g->ctx, k, ksz, n); \
761 SALSA20_VARS(DEFXGRAND)
763 /*----- Test rig ----------------------------------------------------------*/
770 #include <mLib/quis.h>
771 #include <mLib/testrig.h>
773 static const int perm[] = {
780 #define DEFVCORE(r) \
781 static int v_core_##r(dstr *v) \
783 salsa20_matrix a, b; \
784 dstr d = DSTR_INIT; \
788 DENSURE(&d, SALSA20_OUTSZ); d.len = SALSA20_OUTSZ; \
789 n = *(int *)v[0].buf; \
790 for (i = 0; i < SALSA20_OUTSZ/4; i++) \
791 b[i] = LOAD32_L(v[1].buf + 4*i); \
792 for (i = 0; i < n; i++) { \
793 for (j = 0; j < 16; j++) a[perm[j]] = b[j]; \
795 memcpy(a, b, sizeof(a)); \
797 for (i = 0; i < SALSA20_OUTSZ/4; i++) STORE32_L(d.buf + 4*i, b[i]); \
799 if (d.len != v[2].len || memcmp(d.buf, v[2].buf, v[2].len) != 0) { \
801 printf("\nfail core:" \
802 "\n\titerations = %d" \
804 type_hex.dump(&v[1], stdout); \
805 printf("\n\texpected = "); \
806 type_hex.dump(&v[2], stdout); \
807 printf("\n\tcalculated = "); \
808 type_hex.dump(&d, stdout); \
815 SALSA20_VARS(DEFVCORE)
817 #define SALSA20_CTX(r) salsa20_ctx
818 #define SALSA20_INIT(r, ctx, k, ksz, n) salsa20_init(ctx, k, ksz, n)
819 #define SALSA20_SEEKU64(r, ctx, i) salsa20_seeku64(ctx, i)
821 #define DEFxVENC(base, BASE, r) \
822 static int v_encrypt_##base##_##r(dstr *v) \
825 dstr d = DSTR_INIT; \
827 const octet *p, *p0; \
829 size_t sz, sz0, step; \
830 unsigned long skip; \
833 if (v[4].len) { p0 = (const octet *)v[4].buf; sz0 = v[4].len; } \
834 else { p0 = 0; sz0 = v[5].len; } \
835 DENSURE(&d, sz0); d.len = sz0; \
836 skip = *(unsigned long *)v[3].buf; \
839 while (step < sz0 + skip) { \
840 step = step ? 3*step + 4 : 1; \
841 if (step > sz0 + skip) step = sz0 + skip; \
842 BASE##_INIT(r, &ctx, v[0].buf, v[0].len, v[1].buf); \
844 LOAD64_(pos, v[2].buf); \
845 BASE##_SEEKU64(r, &ctx, pos); \
848 for (sz = skip; sz >= step; sz -= step) \
849 BASE##_ENCRYPT(r, &ctx, 0, 0, step); \
850 if (sz) BASE##_ENCRYPT(r, &ctx, 0, 0, sz); \
851 for (p = p0, q = (octet *)d.buf, sz = sz0; \
853 sz -= step, q += step) { \
854 BASE##_ENCRYPT(r, &ctx, p, q, step); \
857 if (sz) BASE##_ENCRYPT(r, &ctx, p, q, sz); \
859 if (d.len != v[5].len || memcmp(d.buf, v[5].buf, v[5].len) != 0) { \
861 printf("\nfail encrypt:" \
863 "\n\tkey = ", (unsigned long)step); \
864 type_hex.dump(&v[0], stdout); \
865 printf("\n\tnonce = "); \
866 type_hex.dump(&v[1], stdout); \
867 printf("\n\tposition = "); \
868 type_hex.dump(&v[2], stdout); \
869 printf("\n\tskip = %lu", skip); \
870 printf("\n\tmessage = "); \
871 type_hex.dump(&v[4], stdout); \
872 printf("\n\texpected = "); \
873 type_hex.dump(&v[5], stdout); \
874 printf("\n\tcalculated = "); \
875 type_hex.dump(&d, stdout); \
883 #define DEFVENC(r) DEFxVENC(salsa20, SALSA20, r)
884 #define DEFXVENC(r) DEFxVENC(xsalsa20, XSALSA20, r)
885 SALSA20_VARS(DEFVENC)
886 SALSA20_VARS(DEFXVENC)
888 static test_chunk defs[] = {
889 #define DEFxTAB(pre, base, r) \
890 { pre SALSA20_NAME_##r, v_encrypt_##base##_##r, \
891 { &type_hex, &type_hex, &type_hex, &type_ulong, \
892 &type_hex, &type_hex, 0 } },
894 { SALSA20_NAME_##r "-core", v_core_##r, \
895 { &type_int, &type_hex, &type_hex, 0 } }, \
896 DEFxTAB("", salsa20, r)
897 #define DEFXTAB(r) DEFxTAB("x", xsalsa20, r)
899 SALSA20_VARS(DEFXTAB)
903 int main(int argc, char *argv[])
905 test_run(argc, argv, defs, SRCDIR"/t/salsa20");
911 /*----- That's all, folks -------------------------------------------------*/