5 * (c) 2015 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
34 #include <mLib/bits.h>
38 #include "chacha-core.h"
45 /*----- Global variables --------------------------------------------------*/
47 const octet chacha_keysz[] = { KSZ_SET, 32, 16, 10, 0 };
49 /*----- The ChaCha core function and utilities ----------------------------*/
53 * Arguments: @unsigned r@ = number of rounds
54 * @const chacha_matrix src@ = input matrix
55 * @chacha_matrix dest@ = where to put the output
60 * Use: Apply the ChaCha/r core function to @src@, writing the
61 * result to @dest@. This consists of @r@ rounds followed by
62 * the feedforward step.
65 CPU_DISPATCH(static, (void), void, core,
66 (unsigned r, const chacha_matrix src, chacha_matrix dest),
67 (r, src, dest), pick_core, simple_core);
69 static void simple_core(unsigned r, const chacha_matrix src,
71 { CHACHA_nR(dest, src, r); CHACHA_FFWD(dest, src); }
73 #if CPUFAM_X86 || CPUFAM_AMD64
74 extern core__functype chacha_core_x86ish_sse2;
78 extern core__functype chacha_core_arm_neon;
82 extern core__functype chacha_core_arm64;
85 static core__functype *pick_core(void)
87 #if CPUFAM_X86 || CPUFAM_AMD64
88 DISPATCH_PICK_COND(chacha_core, chacha_core_x86ish_sse2,
89 cpu_feature_p(CPUFEAT_X86_SSE2));
92 DISPATCH_PICK_COND(chacha_core, chacha_core_arm_neon,
93 cpu_feature_p(CPUFEAT_ARM_NEON));
96 DISPATCH_PICK_COND(chacha_core, chacha_core_arm64, 1);
98 DISPATCH_PICK_FALLBACK(chacha_core, simple_core);
101 /* --- @populate@ --- *
103 * Arguments: @chacha_matrix a@ = a matrix to fill in
104 * @const void *key@ = pointer to key material
105 * @size_t ksz@ = size of key
109 * Use: Fills in a ChaCha matrix from the key, setting the
110 * appropriate constants according to the key length. The nonce
111 * and position words are left uninitialized.
114 static void populate(chacha_matrix a, const void *key, size_t ksz)
116 const octet *k = key;
118 KSZ_ASSERT(chacha, ksz);
120 a[ 4] = LOAD32_L(k + 0);
121 a[ 5] = LOAD32_L(k + 4);
123 a[ 6] = LOAD16_L(k + 8);
126 a[ 6] = LOAD32_L(k + 8);
127 a[ 7] = LOAD32_L(k + 12);
136 a[ 2] = ksz == 10 ? CHACHA_C80 : CHACHA_C128;
139 a[ 8] = LOAD32_L(k + 16);
140 a[ 9] = LOAD32_L(k + 20);
141 a[10] = LOAD32_L(k + 24);
142 a[11] = LOAD32_L(k + 28);
150 /*----- ChaCha implementation ---------------------------------------------*/
152 /* --- @chacha_init@ --- *
154 * Arguments: @chacha_ctx *ctx@ = context to fill in
155 * @const void *key@ = pointer to key material
156 * @size_t ksz@ = size of key (either 32 or 16)
157 * @const void *nonce@ = initial nonce, or null
161 * Use: Initializes a ChaCha context ready for use.
164 void chacha_init(chacha_ctx *ctx, const void *key, size_t ksz,
167 static const octet zerononce[CHACHA_NONCESZ];
169 populate(ctx->a, key, ksz);
170 chacha_setnonce(ctx, nonce ? nonce : zerononce);
173 /* --- @chacha_setnonce{,_ietf}@ --- *
175 * Arguments: @chacha_ctx *ctx@ = pointer to context
176 * @const void *nonce@ = the nonce (@CHACHA_NONCESZ@ or
177 * @CHACHA_IETF_NONCESZ@ bytes)
181 * Use: Set a new nonce in the context @ctx@, e.g., for processing a
182 * different message. The stream position is reset to zero (see
183 * @chacha_seek@ etc.).
186 void chacha_setnonce(chacha_ctx *ctx, const void *nonce)
188 const octet *n = nonce;
190 ctx->a[14] = LOAD32_L(n + 0);
191 ctx->a[15] = LOAD32_L(n + 4);
195 void chacha_setnonce_ietf(chacha_ctx *ctx, const void *nonce)
197 const octet *n = nonce;
199 ctx->a[13] = LOAD32_L(n + 0);
200 ctx->a[14] = LOAD32_L(n + 4);
201 ctx->a[15] = LOAD32_L(n + 8);
202 chacha_seek_ietf(ctx, 0);
205 /* --- @chacha_seek{,u64,_ietf}@ --- *
207 * Arguments: @chacha_ctx *ctx@ = pointer to context
208 * @unsigned long i@, @kludge64 i@, @uint32 i@ = new position
212 * Use: Sets a new stream position, in units of Chacha output
213 * blocks, which are @CHACHA_OUTSZ@ bytes each. Byte
214 * granularity can be achieved by calling @chachaR_encrypt@
218 void chacha_seek(chacha_ctx *ctx, unsigned long i)
219 { kludge64 ii; ASSIGN64(ii, i); chacha_seeku64(ctx, ii); }
221 void chacha_seeku64(chacha_ctx *ctx, kludge64 i)
223 ctx->a[12] = LO64(i); ctx->a[13] = HI64(i);
224 ctx->bufi = CHACHA_OUTSZ;
227 void chacha_seek_ietf(chacha_ctx *ctx, uint32 i)
230 /* --- @chacha_tell{,u64,_ietf}@ --- *
232 * Arguments: @chacha_ctx *ctx@ = pointer to context
234 * Returns: The current position in the output stream, in blocks,
238 unsigned long chacha_tell(chacha_ctx *ctx)
239 { kludge64 i = chacha_tellu64(ctx); return (GET64(unsigned long, i)); }
241 kludge64 chacha_tellu64(chacha_ctx *ctx)
242 { kludge64 i; SET64(i, ctx->a[13], ctx->a[12]); return (i); }
244 uint32 chacha_tell_ietf(chacha_ctx *ctx)
245 { return (ctx->a[12]); }
247 /* --- @chacha{20,12,8}_encrypt@ --- *
249 * Arguments: @chacha_ctx *ctx@ = pointer to context
250 * @const void *src@ = source buffer (or null)
251 * @void *dest@ = destination buffer (or null)
252 * @size_t sz@ = size of the buffers
256 * Use: Encrypts or decrypts @sz@ bytes of data from @src@ to @dest@.
257 * ChaCha works by XORing plaintext with a keystream, so
258 * encryption and decryption are the same operation. If @dest@
259 * is null then ignore @src@ and skip @sz@ bytes of the
260 * keystream. If @src@ is null, then just write the keystream
264 #define CHACHA_ENCRYPT(r, ctx, src, dest, sz) \
265 chacha##r##_encrypt(ctx, src, dest, sz)
266 #define DEFENCRYPT(r) \
267 void CHACHA_ENCRYPT(r, chacha_ctx *ctx, const void *src, \
268 void *dest, size_t sz) \
271 const octet *s = src; \
274 kludge64 pos, delta; \
276 SALSA20_OUTBUF(ctx, d, s, sz); \
280 n = sz/CHACHA_OUTSZ; \
281 pos = chacha_tellu64(ctx); \
282 ASSIGN64(delta, n); \
283 ADD64(pos, pos, delta); \
284 chacha_seeku64(ctx, pos); \
285 sz = sz%CHACHA_OUTSZ; \
287 while (sz >= CHACHA_OUTSZ) { \
288 core(r, ctx->a, b); \
289 CHACHA_STEP(ctx->a); \
290 SALSA20_GENFULL(b, d); \
291 sz -= CHACHA_OUTSZ; \
294 while (sz >= CHACHA_OUTSZ) { \
295 core(r, ctx->a, b); \
296 CHACHA_STEP(ctx->a); \
297 SALSA20_MIXFULL(b, d, s); \
298 sz -= CHACHA_OUTSZ; \
303 core(r, ctx->a, b); \
304 CHACHA_STEP(ctx->a); \
305 SALSA20_PREPBUF(ctx, b); \
306 SALSA20_OUTBUF(ctx, d, s, sz); \
310 CHACHA_VARS(DEFENCRYPT)
312 /*----- HChaCha implementation --------------------------------------------*/
314 #define HCHACHA_RAW(r, ctx, src, dest) hchacha##r##_raw(ctx, src, dest)
315 #define HCHACHA_PRF(r, ctx, src, dest) hchacha##r##_prf(ctx, src, dest)
317 /* --- @hchacha{20,12,8}_prf@ --- *
319 * Arguments: @chacha_ctx *ctx@ = pointer to context
320 * @const void *src@ = the input (@HCHACHA_INSZ@ bytes)
321 * @void *dest@ = the output (@HCHACHA_OUTSZ@ bytes)
325 * Use: Apply the HChacha/r pseudorandom function to @src@, writing
326 * the result to @out@.
329 #define DEFHCHACHA(r) \
330 static void HCHACHA_RAW(r, chacha_matrix k, \
331 const uint32 *src, uint32 *dest) \
336 /* --- HChaCha, computed from full ChaCha --- * \
338 * The security proof makes use of the fact that HChaCha (i.e., \
339 * without the final feedforward step) can be computed from full \
340 * ChaCha using only knowledge of the non-secret input. I don't \
341 * want to compromise the performance of the main function by \
342 * making the feedforward step separate, but this operation is less \
343 * speed critical, so we do it the harder way. \
346 for (i = 0; i < 4; i++) k[12 + i] = src[i]; \
348 for (i = 0; i < 8; i++) dest[i] = a[(i + 4)^4] - k[(i + 4)^4]; \
351 void HCHACHA_PRF(r, chacha_ctx *ctx, const void *src, void *dest) \
353 const octet *s = src; \
355 uint32 in[4], out[8]; \
358 for (i = 0; i < 4; i++) in[i] = LOAD32_L(s + 4*i); \
359 HCHACHA_RAW(r, ctx->a, in, out); \
360 for (i = 0; i < 8; i++) STORE32_L(d + 4*i, out[i]); \
362 CHACHA_VARS(DEFHCHACHA)
364 /*----- XChaCha implementation -------------------------------------------*/
366 /* --- Some convenient macros for naming functions --- *
368 * Because the crypto core is involved in XChaCha/r's per-nonce setup, we
369 * need to take an interest in the number of rounds in most of the various
370 * functions, and it will probably help if we distinguish the context
371 * structures for the various versions.
374 #define XCHACHA_CTX(r) xchacha##r##_ctx
375 #define XCHACHA_INIT(r, ctx, k, ksz, n) xchacha##r##_init(ctx, k, ksz, n)
376 #define XCHACHA_SETNONCE(r, ctx, n) xchacha##r##_setnonce(ctx, n)
377 #define XCHACHA_SEEK(r, ctx, i) xchacha##r##_seek(ctx, i)
378 #define XCHACHA_SEEKU64(r, ctx, i) xchacha##r##_seeku64(ctx, i)
379 #define XCHACHA_TELL(r, ctx) xchacha##r##_tell(ctx)
380 #define XCHACHA_TELLU64(r, ctx) xchacha##r##_tellu64(ctx)
381 #define XCHACHA_ENCRYPT(r, ctx, src, dest, sz) \
382 xchacha##r##_encrypt(ctx, src, dest, sz)
384 /* --- @xchacha{20,12,8}_init@ --- *
386 * Arguments: @xchachaR_ctx *ctx@ = the context to fill in
387 * @const void *key@ = pointer to key material
388 * @size_t ksz@ = size of key (either 32 or 16)
389 * @const void *nonce@ = initial nonce, or null
393 * Use: Initializes an XChaCha/r context ready for use.
395 * There is a different function for each number of rounds,
396 * unlike for plain ChaCha.
399 #define DEFXINIT(r) \
400 void XCHACHA_INIT(r, XCHACHA_CTX(r) *ctx, \
401 const void *key, size_t ksz, const void *nonce) \
403 static const octet zerononce[XCHACHA_NONCESZ]; \
405 populate(ctx->k, key, ksz); \
406 ctx->s.a[ 0] = CHACHA_A256; \
407 ctx->s.a[ 1] = CHACHA_B256; \
408 ctx->s.a[ 2] = CHACHA_C256; \
409 ctx->s.a[ 3] = CHACHA_D256; \
410 XCHACHA_SETNONCE(r, ctx, nonce ? nonce : zerononce); \
412 CHACHA_VARS(DEFXINIT)
414 /* --- @xchacha{20,12,8}_setnonce@ --- *
416 * Arguments: @xchachaR_ctx *ctx@ = pointer to context
417 * @const void *nonce@ = the nonce (@XCHACHA_NONCESZ@ bytes)
421 * Use: Set a new nonce in the context @ctx@, e.g., for processing a
422 * different message. The stream position is reset to zero (see
423 * @chacha_seek@ etc.).
425 * There is a different function for each number of rounds,
426 * unlike for plain ChaCha.
429 #define DEFXNONCE(r) \
430 void XCHACHA_SETNONCE(r, XCHACHA_CTX(r) *ctx, const void *nonce) \
432 const octet *n = nonce; \
436 for (i = 0; i < 4; i++) in[i] = LOAD32_L(n + 4*i); \
437 HCHACHA_RAW(r, ctx->k, in, ctx->s.a + 4); \
438 chacha_setnonce(&ctx->s, n + 16); \
440 CHACHA_VARS(DEFXNONCE)
442 /* --- @xchacha{20,12,8}_seek{,u64}@ --- *
444 * Arguments: @xchachaR_ctx *ctx@ = pointer to context
445 * @unsigned long i@, @kludge64 i@ = new position to set
449 * Use: Sets a new stream position, in units of ChaCha output
450 * blocks, which are @XCHACHA_OUTSZ@ bytes each. Byte
451 * granularity can be achieved by calling @xchachaR_encrypt@
454 * There is a different function for each number of rounds,
455 * unlike for plain ChaCha, because the context structures are
459 /* --- @xchacha{20,12,8}_tell{,u64}@ --- *
461 * Arguments: @chacha_ctx *ctx@ = pointer to context
463 * Returns: The current position in the output stream, in blocks,
466 * There is a different function for each number of rounds,
467 * unlike for plain ChaCha, because the context structures are
471 /* --- @xchacha{20,12,8}_encrypt@ --- *
473 * Arguments: @xchachaR_ctx *ctx@ = pointer to context
474 * @const void *src@ = source buffer (or null)
475 * @void *dest@ = destination buffer (or null)
476 * @size_t sz@ = size of the buffers
480 * Use: Encrypts or decrypts @sz@ bytes of data from @src@ to @dest@.
481 * XChaCha works by XORing plaintext with a keystream, so
482 * encryption and decryption are the same operation. If @dest@
483 * is null then ignore @src@ and skip @sz@ bytes of the
484 * keystream. If @src@ is null, then just write the keystream
488 #define DEFXPASSTHRU(r) \
489 void XCHACHA_SEEK(r, XCHACHA_CTX(r) *ctx, unsigned long i) \
490 { chacha_seek(&ctx->s, i); } \
491 void XCHACHA_SEEKU64(r, XCHACHA_CTX(r) *ctx, kludge64 i) \
492 { chacha_seeku64(&ctx->s, i); } \
493 unsigned long XCHACHA_TELL(r, XCHACHA_CTX(r) *ctx) \
494 { return chacha_tell(&ctx->s); } \
495 kludge64 XCHACHA_TELLU64(r, XCHACHA_CTX(r) *ctx) \
496 { return chacha_tellu64(&ctx->s); } \
497 void XCHACHA_ENCRYPT(r, XCHACHA_CTX(r) *ctx, \
498 const void *src, void *dest, size_t sz) \
499 { CHACHA_ENCRYPT(r, &ctx->s, src, dest, sz); }
500 CHACHA_VARS(DEFXPASSTHRU)
502 /*----- Generic cipher interface ------------------------------------------*/
504 typedef struct gctx { gcipher c; chacha_ctx ctx; } gctx;
506 static void gsetiv(gcipher *c, const void *iv)
507 { gctx *g = (gctx *)c; chacha_setnonce(&g->ctx, iv); }
509 static void gsetiv_ietf(gcipher *c, const void *iv)
510 { gctx *g = (gctx *)c; chacha_setnonce_ietf(&g->ctx, iv); }
512 static void gdestroy(gcipher *c)
513 { gctx *g = (gctx *)c; BURN(*g); S_DESTROY(g); }
515 static gcipher *ginit(const void *k, size_t sz, const gcipher_ops *ops)
517 gctx *g = S_CREATE(gctx);
519 chacha_init(&g->ctx, k, sz, 0);
523 #define DEFGCIPHER(r) \
525 static const gcipher_ops gops_##r, gops_##r##_ietf; \
527 static gcipher *ginit_##r(const void *k, size_t sz) \
528 { return (ginit(k, sz, &gops_##r)); } \
530 static gcipher *ginit_##r##_ietf(const void *k, size_t sz) \
531 { return (ginit(k, sz, &gops_##r##_ietf)); } \
533 static void gencrypt_##r(gcipher *c, const void *s, \
534 void *t, size_t sz) \
535 { gctx *g = (gctx *)c; CHACHA_ENCRYPT(r, &g->ctx, s, t, sz); } \
537 static const gcipher_ops gops_##r = { \
539 gencrypt_##r, gencrypt_##r, gdestroy, gsetiv, 0 \
542 static const gcipher_ops gops_##r##_ietf = { \
544 gencrypt_##r, gencrypt_##r, gdestroy, gsetiv_ietf, 0 \
547 const gccipher chacha##r = { \
548 "chacha" #r, chacha_keysz, \
549 CHACHA_NONCESZ, ginit_##r \
552 const gccipher chacha##r##_ietf = { \
553 "chacha" #r "-ietf", chacha_keysz, \
554 CHACHA_IETF_NONCESZ, ginit_##r##_ietf \
557 CHACHA_VARS(DEFGCIPHER)
559 #define DEFGXCIPHER(r) \
561 typedef struct { gcipher c; XCHACHA_CTX(r) ctx; } gxctx_##r; \
563 static void gxsetiv_##r(gcipher *c, const void *iv) \
564 { gxctx_##r *g = (gxctx_##r *)c; XCHACHA_SETNONCE(r, &g->ctx, iv); } \
566 static void gxdestroy_##r(gcipher *c) \
567 { gxctx_##r *g = (gxctx_##r *)c; BURN(*g); S_DESTROY(g); } \
569 static const gcipher_ops gxops_##r; \
571 static gcipher *gxinit_##r(const void *k, size_t sz) \
573 gxctx_##r *g = S_CREATE(gxctx_##r); \
574 g->c.ops = &gxops_##r; \
575 XCHACHA_INIT(r, &g->ctx, k, sz, 0); \
579 static void gxencrypt_##r(gcipher *c, const void *s, \
580 void *t, size_t sz) \
582 gxctx_##r *g = (gxctx_##r *)c; \
583 XCHACHA_ENCRYPT(r, &g->ctx, s, t, sz); \
586 static const gcipher_ops gxops_##r = { \
588 gxencrypt_##r, gxencrypt_##r, gxdestroy_##r, gxsetiv_##r, 0 \
591 const gccipher xchacha##r = { \
592 "xchacha" #r, chacha_keysz, \
593 CHACHA_NONCESZ, gxinit_##r \
596 CHACHA_VARS(DEFGXCIPHER)
598 /*----- Generic random number generator interface -------------------------*/
600 typedef struct grops {
602 void (*seek)(void *, kludge64);
603 kludge64 (*tell)(void *);
604 void (*setnonce)(void *, const void *);
605 void (*generate)(void *, void *, size_t);
608 typedef struct grbasectx {
613 static int grmisc(grand *r, unsigned op, ...)
615 octet buf[XCHACHA_NONCESZ];
616 grbasectx *g = (grbasectx *)r;
630 switch (va_arg(ap, unsigned)) {
633 case GRAND_SEEDUINT32:
634 case GRAND_SEEDBLOCK:
649 i = va_arg(ap, unsigned); STORE32_L(buf, i);
650 memset(buf + 4, 0, g->ops->noncesz - 4);
651 g->ops->setnonce(g, buf);
653 case GRAND_SEEDUINT32:
654 i = va_arg(ap, uint32); STORE32_L(buf, i);
655 memset(buf + 4, 0, g->ops->noncesz - 4);
656 g->ops->setnonce(g, buf);
658 case GRAND_SEEDBLOCK:
659 p = va_arg(ap, const void *);
660 sz = va_arg(ap, size_t);
661 if (sz < g->ops->noncesz) {
663 memset(buf + sz, 0, g->ops->noncesz - sz);
666 g->ops->setnonce(g, p);
669 rr = va_arg(ap, grand *);
670 rr->ops->fill(rr, buf, g->ops->noncesz);
671 g->ops->setnonce(g, buf);
674 ul = va_arg(ap, unsigned long); ASSIGN64(pos, ul);
675 g->ops->seek(g, pos);
678 pos = va_arg(ap, kludge64);
679 g->ops->seek(g, pos);
682 pos = g->ops->tell(g);
683 *va_arg(ap, unsigned long *) = GET64(unsigned long, pos);
686 *va_arg(ap, kludge64 *) = g->ops->tell(g);
696 static octet grbyte(grand *r)
698 grbasectx *g = (grbasectx *)r;
700 g->ops->generate(g, &o, 1);
704 static uint32 grword(grand *r)
706 grbasectx *g = (grbasectx *)r;
708 g->ops->generate(g, b, sizeof(b));
709 return (LOAD32_L(b));
712 static void grfill(grand *r, void *p, size_t sz)
714 grbasectx *g = (grbasectx *)r;
715 g->ops->generate(r, p, sz);
718 typedef struct grctx {
723 static void gr_seek(void *r, kludge64 pos)
724 { grctx *g = r; chacha_seeku64(&g->ctx, pos); }
726 static void gr_seek_ietf(void *r, kludge64 pos)
727 { grctx *g = r; chacha_seek_ietf(&g->ctx, LO64(pos)); }
729 static kludge64 gr_tell(void *r)
730 { grctx *g = r; return (chacha_tellu64(&g->ctx)); }
732 static kludge64 gr_tell_ietf(void *r)
737 SET64(pos, 0, chacha_tell_ietf(&g->ctx));
741 static void gr_setnonce(void *r, const void *n)
742 { grctx *g = r; chacha_setnonce(&g->ctx, n); }
744 static void gr_setnonce_ietf(void *r, const void *n)
745 { grctx *g = r; chacha_setnonce_ietf(&g->ctx, n); }
747 static void grdestroy(grand *r)
748 { grctx *g = (grctx *)r; BURN(*g); S_DESTROY(g); }
750 static grand *grinit(const void *k, size_t ksz, const void *n,
751 const grand_ops *ops, const grops *myops)
753 grctx *g = S_CREATE(grctx);
756 chacha_init(&g->ctx, k, ksz, 0);
757 if (n) myops->setnonce(g, n);
761 #define DEFGRAND(rr) \
763 static void gr_generate_##rr(void *r, void *b, size_t sz) \
764 { grctx *g = r; CHACHA_ENCRYPT(rr, &g->ctx, 0, b, sz); } \
766 static const grops grops_##rr = \
767 { CHACHA_NONCESZ, gr_seek, gr_tell, \
768 gr_setnonce, gr_generate_##rr }; \
770 static const grops grops_##rr##_ietf = \
771 { CHACHA_IETF_NONCESZ, gr_seek_ietf, gr_tell_ietf, \
772 gr_setnonce_ietf, gr_generate_##rr }; \
774 static const grand_ops grops_rand_##rr = { \
775 "chacha" #rr, GRAND_CRYPTO, 0, \
776 grmisc, grdestroy, grword, \
777 grbyte, grword, grand_defaultrange, grfill \
780 static const grand_ops grops_rand_##rr##_ietf = { \
781 "chacha" #rr "-ietf", GRAND_CRYPTO, 0, \
782 grmisc, grdestroy, grword, \
783 grbyte, grword, grand_defaultrange, grfill \
786 grand *chacha##rr##_rand(const void *k, size_t ksz, const void *n) \
787 { return (grinit(k, ksz, n, &grops_rand_##rr, &grops_##rr)); } \
789 grand *chacha##rr##_ietf_rand(const void *k, size_t ksz, \
792 return (grinit(k, ksz, n, \
793 &grops_rand_##rr##_ietf, \
794 &grops_##rr##_ietf)); \
797 CHACHA_VARS(DEFGRAND)
799 #define DEFXGRAND(rr) \
801 typedef struct grxctx_##rr { \
803 XCHACHA_CTX(rr) ctx; \
806 static void grx_seek_##rr(void *r, kludge64 pos) \
807 { grxctx_##rr *g = r; XCHACHA_SEEKU64(rr, &g->ctx, pos); } \
809 static kludge64 grx_tell_##rr(void *r) \
810 { grxctx_##rr *g = r; return (XCHACHA_TELLU64(rr, &g->ctx)); } \
812 static void grx_setnonce_##rr(void *r, const void *n) \
813 { grxctx_##rr *g = r; XCHACHA_SETNONCE(rr, &g->ctx, n); } \
815 static void grxdestroy_##rr(grand *r) \
816 { grxctx_##rr *g = (grxctx_##rr *)r; BURN(*g); S_DESTROY(g); } \
818 static void grx_generate_##rr(void *r, void *b, size_t sz) \
819 { grxctx_##rr *g = r; XCHACHA_ENCRYPT(rr, &g->ctx, 0, b, sz); } \
821 static const grops grxops_##rr = \
822 { XCHACHA_NONCESZ, grx_seek_##rr, grx_tell_##rr, \
823 grx_setnonce_##rr, grx_generate_##rr }; \
825 static const grand_ops grxops_rand_##rr = { \
826 "xchacha" #rr, GRAND_CRYPTO, 0, \
827 grmisc, grxdestroy_##rr, grword, \
828 grbyte, grword, grand_defaultrange, grfill \
831 grand *xchacha##rr##_rand(const void *k, size_t ksz, const void *n) \
833 grxctx_##rr *g = S_CREATE(grxctx_##rr); \
834 g->r.r.ops = &grxops_rand_##rr; \
835 g->r.ops = &grxops_##rr; \
836 XCHACHA_INIT(rr, &g->ctx, k, ksz, n); \
839 CHACHA_VARS(DEFXGRAND)
841 /*----- Test rig ----------------------------------------------------------*/
848 #include <mLib/quis.h>
849 #include <mLib/testrig.h>
851 #define DEFVCORE(r) \
852 static int v_core_##r(dstr *v) \
854 chacha_matrix a, b; \
855 dstr d = DSTR_INIT; \
859 DENSURE(&d, CHACHA_OUTSZ); d.len = CHACHA_OUTSZ; \
860 n = *(int *)v[0].buf; \
861 for (i = 0; i < CHACHA_OUTSZ/4; i++) \
862 a[i] = LOAD32_L(v[1].buf + 4*i); \
863 for (i = 0; i < n; i++) { \
865 memcpy(a, b, sizeof(a)); \
867 for (i = 0; i < CHACHA_OUTSZ/4; i++) STORE32_L(d.buf + 4*i, a[i]); \
869 if (d.len != v[2].len || memcmp(d.buf, v[2].buf, v[2].len) != 0) { \
871 printf("\nfail core:" \
872 "\n\titerations = %d" \
874 type_hex.dump(&v[1], stdout); \
875 printf("\n\texpected = "); \
876 type_hex.dump(&v[2], stdout); \
877 printf("\n\tcalculated = "); \
878 type_hex.dump(&d, stdout); \
885 CHACHA_VARS(DEFVCORE)
887 #define CHACHA_CTX(r) chacha_ctx
889 #define CHACHA_TESTSETUP(r, ctx, k, ksz, n, nsz, p, psz) do { \
891 chacha_init(ctx, k, ksz, 0); \
892 if (nsz == 8) chacha_setnonce(ctx, n); \
893 else if (nsz == 12) chacha_setnonce_ietf(ctx, n); \
894 if (psz == 8) { LOAD64_(pos64, p); chacha_seeku64(ctx, pos64); } \
895 else if (psz == 4) chacha_seek_ietf(ctx, LOAD32(p)); \
898 #define XCHACHA_TESTSETUP(r, ctx, k, ksz, n, nsz, p, psz) do { \
900 XCHACHA_INIT(r, ctx, k, ksz, 0); \
901 if (nsz == 24) XCHACHA_SETNONCE(r, ctx, n); \
902 if (psz == 8) { LOAD64_(pos64, p); xchacha##r##_seeku64(ctx, pos64); } \
905 #define DEFxVENC(base, BASE, r) \
906 static int v_encrypt_##base##_##r(dstr *v) \
909 dstr d = DSTR_INIT; \
910 const octet *p, *p0; \
912 size_t sz, sz0, step; \
913 unsigned long skip; \
916 if (v[4].len) { p0 = (const octet *)v[4].buf; sz0 = v[4].len; } \
917 else { p0 = 0; sz0 = v[5].len; } \
918 DENSURE(&d, sz0); d.len = sz0; \
919 skip = *(unsigned long *)v[3].buf; \
922 while (step < sz0 + skip) { \
923 step = step ? 3*step + 4 : 1; \
924 if (step > sz0 + skip) step = sz0 + skip; \
925 BASE##_TESTSETUP(r, &ctx, v[0].buf, v[0].len, \
926 v[1].buf, v[1].len, v[2].buf, v[2].len); \
928 for (sz = skip; sz >= step; sz -= step) \
929 BASE##_ENCRYPT(r, &ctx, 0, 0, step); \
930 if (sz) BASE##_ENCRYPT(r, &ctx, 0, 0, sz); \
931 for (p = p0, q = (octet *)d.buf, sz = sz0; \
933 sz -= step, q += step) { \
934 BASE##_ENCRYPT(r, &ctx, p, q, step); \
937 if (sz) BASE##_ENCRYPT(r, &ctx, p, q, sz); \
939 if (d.len != v[5].len || memcmp(d.buf, v[5].buf, v[5].len) != 0) { \
941 printf("\nfail encrypt:" \
943 "\n\tkey = ", (unsigned long)step); \
944 type_hex.dump(&v[0], stdout); \
945 printf("\n\tnonce = "); \
946 type_hex.dump(&v[1], stdout); \
947 printf("\n\tposition = "); \
948 type_hex.dump(&v[2], stdout); \
949 printf("\n\tskip = %lu", skip); \
950 printf("\n\tmessage = "); \
951 type_hex.dump(&v[4], stdout); \
952 printf("\n\texpected = "); \
953 type_hex.dump(&v[5], stdout); \
954 printf("\n\tcalculated = "); \
955 type_hex.dump(&d, stdout); \
963 #define DEFVENC(r) DEFxVENC(chacha, CHACHA, r)
964 #define DEFXVENC(r) DEFxVENC(xchacha, XCHACHA, r)
966 CHACHA_VARS(DEFXVENC)
968 static test_chunk defs[] = {
969 #define DEFxTAB(base, r) \
970 { #base #r, v_encrypt_##base##_##r, \
971 { &type_hex, &type_hex, &type_hex, &type_ulong, \
972 &type_hex, &type_hex, 0 } },
974 { "chacha" #r "-core", v_core_##r, \
975 { &type_int, &type_hex, &type_hex, 0 } }, \
977 #define DEFXTAB(r) DEFxTAB(xchacha, r)
983 int main(int argc, char *argv[])
985 test_run(argc, argv, defs, SRCDIR"/t/chacha");
991 /*----- That's all, folks -------------------------------------------------*/