3 * Salsa20 stream cipher
5 * (c) 2015 Straylight/Edgeware
8 /*----- Header files ------------------------------------------------------*/
12 #include <mLib/bits.h>
20 #include "salsa20-core.h"
22 /*----- Global variables --------------------------------------------------*/
24 const octet salsa20_keysz[] = { KSZ_SET, 32, 16, 10, 0 };
26 /*----- The Salsa20 core function and utilities ---------------------------*/
30 * Arguments: @unsigned r@ = number of rounds
31 * @const salsa20_matrix src@ = input matrix
32 * @salsa20_matrix dest@ = where to put the output
37 * Use: Apply the Salsa20/r core function to @src@, writing the
38 * result to @dest@. This consists of @r@ rounds followed by
39 * the feedforward step.
42 static void core(unsigned r, const salsa20_matrix src, salsa20_matrix dest)
43 { SALSA20_nR(dest, src, r); SALSA20_FFWD(dest, src); }
45 /* --- @populate@ --- *
47 * Arguments: @salsa20_matrix a@ = a matrix to fill in
48 * @const void *key@ = pointer to key material
49 * @size_t ksz@ = size of key
53 * Use: Fills in a Salsa20 matrix from the key, setting the
54 * appropriate constants according to the key length. The nonce
55 * and position words are left uninitialized.
58 static void populate(salsa20_matrix a, const void *key, size_t ksz)
62 KSZ_ASSERT(salsa20, ksz);
64 a[ 1] = LOAD32_L(k + 0);
65 a[ 2] = LOAD32_L(k + 4);
67 a[ 3] = LOAD16_L(k + 8);
70 a[ 3] = LOAD32_L(k + 8);
71 a[ 4] = LOAD32_L(k + 12);
80 a[10] = ksz == 10 ? SALSA20_C80 : SALSA20_C128;
83 a[11] = LOAD32_L(k + 16);
84 a[12] = LOAD32_L(k + 20);
85 a[13] = LOAD32_L(k + 24);
86 a[14] = LOAD32_L(k + 28);
94 /*----- Salsa20 implementation --------------------------------------------*/
96 /* --- @salsa20_init@ --- *
98 * Arguments: @salsa20_ctx *ctx@ = context to fill in
99 * @const void *key@ = pointer to key material
100 * @size_t ksz@ = size of key (either 32 or 16)
101 * @const void *nonce@ = initial nonce, or null
105 * Use: Initializes a Salsa20 context ready for use.
108 void salsa20_init(salsa20_ctx *ctx, const void *key, size_t ksz,
111 static const octet zerononce[SALSA20_NONCESZ];
113 populate(ctx->a, key, ksz);
114 salsa20_setnonce(ctx, nonce ? nonce : zerononce);
117 /* --- @salsa20_setnonce@ --- *
119 * Arguments: @salsa20_ctx *ctx@ = pointer to context
120 * @const void *nonce@ = the nonce (@SALSA20_NONCESZ@ bytes)
124 * Use: Set a new nonce in the context @ctx@, e.g., for processing a
125 * different message. The stream position is reset to zero (see
126 * @salsa20_seek@ etc.).
129 void salsa20_setnonce(salsa20_ctx *ctx, const void *nonce)
131 const octet *n = nonce;
133 ctx->a[6] = LOAD32_L(n + 0);
134 ctx->a[7] = LOAD32_L(n + 4);
135 salsa20_seek(ctx, 0);
138 /* --- @salsa20_seek@, @salsa20_seeku64@ --- *
140 * Arguments: @salsa20_ctx *ctx@ = pointer to context
141 * @unsigned long i@, @kludge64 i@ = new position to set
145 * Use: Sets a new stream position, in units of Salsa20 output
146 * blocks, which are @SALSA20_OUTSZ@ bytes each. Byte
147 * granularity can be achieved by calling @salsa20R_encrypt@
151 void salsa20_seek(salsa20_ctx *ctx, unsigned long i)
152 { kludge64 ii; ASSIGN64(ii, i); salsa20_seeku64(ctx, ii); }
154 void salsa20_seeku64(salsa20_ctx *ctx, kludge64 i)
156 ctx->a[8] = LO64(i); ctx->a[9] = HI64(i);
157 ctx->bufi = SALSA20_OUTSZ;
160 /* --- @salsa20_tell@, @salsa20_tellu64@ --- *
162 * Arguments: @salsa20_ctx *ctx@ = pointer to context
164 * Returns: The current position in the output stream, in blocks,
168 unsigned long salsa20_tell(salsa20_ctx *ctx)
169 { kludge64 i = salsa20_tellu64(ctx); return (GET64(unsigned long, i)); }
171 kludge64 salsa20_tellu64(salsa20_ctx *ctx)
172 { kludge64 i; SET64(i, ctx->a[9], ctx->a[8]); return (i); }
174 /* --- @salsa20{,12,8}_encrypt@ --- *
176 * Arguments: @salsa20_ctx *ctx@ = pointer to context
177 * @const void *src@ = source buffer (or null)
178 * @void *dest@ = destination buffer (or null)
179 * @size_t sz@ = size of the buffers
183 * Use: Encrypts or decrypts @sz@ bytes of data from @src@ to @dest@.
184 * Salsa20 works by XORing plaintext with a keystream, so
185 * encryption and decryption are the same operation. If @dest@
186 * is null then ignore @src@ and skip @sz@ bytes of the
187 * keystream. If @src@ is null, then just write the keystream
191 #define SALSA20_ENCRYPT(r, ctx, src, dest, sz) \
192 SALSA20_DECOR(salsa20, r, _encrypt)(ctx, src, dest, sz)
193 #define DEFENCRYPT(r) \
194 void SALSA20_ENCRYPT(r, salsa20_ctx *ctx, const void *src, \
195 void *dest, size_t sz) \
198 const octet *s = src; \
201 kludge64 pos, delta; \
203 SALSA20_OUTBUF(ctx, d, s, sz); \
207 n = sz/SALSA20_OUTSZ; \
208 pos = salsa20_tellu64(ctx); \
209 ASSIGN64(delta, n); \
210 ADD64(pos, pos, delta); \
211 salsa20_seeku64(ctx, pos); \
212 sz = sz%SALSA20_OUTSZ; \
214 while (sz >= SALSA20_OUTSZ) { \
215 core(r, ctx->a, b); \
216 SALSA20_STEP(ctx->a); \
217 SALSA20_GENFULL(b, d); \
218 sz -= SALSA20_OUTSZ; \
221 while (sz >= SALSA20_OUTSZ) { \
222 core(r, ctx->a, b); \
223 SALSA20_STEP(ctx->a); \
224 SALSA20_MIXFULL(b, d, s); \
225 sz -= SALSA20_OUTSZ; \
230 core(r, ctx->a, b); \
231 SALSA20_STEP(ctx->a); \
232 SALSA20_PREPBUF(ctx, b); \
233 SALSA20_OUTBUF(ctx, d, s, sz); \
237 SALSA20_VARS(DEFENCRYPT)
239 /*----- HSalsa20 implementation -------------------------------------------*/
241 #define HSALSA20_RAW(r, ctx, src, dest) \
242 SALSA20_DECOR(hsalsa20, r, _raw)(ctx, src, dest)
243 #define HSALSA20_PRF(r, ctx, src, dest) \
244 SALSA20_DECOR(hsalsa20, r, _prf)(ctx, src, dest)
246 /* --- @hsalsa20{,12,8}_prf@ --- *
248 * Arguments: @salsa20_ctx *ctx@ = pointer to context
249 * @const void *src@ = the input (@HSALSA20_INSZ@ bytes)
250 * @void *dest@ = the output (@HSALSA20_OUTSZ@ bytes)
254 * Use: Apply the HSalsa20/r pseudorandom function to @src@, writing
255 * the result to @out@.
258 #define DEFHSALSA20(r) \
259 static void HSALSA20_RAW(r, salsa20_matrix k, \
260 const uint32 *src, uint32 *dest) \
265 /* --- HSalsa20, computed from full Salsa20 --- * \
267 * The security proof makes use of the fact that HSalsa20 (i.e., \
268 * without the final feedforward step) can be computed from full \
269 * Salsa20 using only knowledge of the non-secret input. I don't \
270 * want to compromise the performance of the main function by \
271 * making the feedforward step separate, but this operation is less \
272 * speed critical, so we do it the harder way. \
275 for (i = 0; i < 4; i++) k[i + 6] = src[i]; \
277 for (i = 0; i < 4; i++) dest[i] = a[5*i] - k[5*i]; \
278 for (i = 4; i < 8; i++) dest[i] = a[i + 2] - k[i + 2]; \
281 void HSALSA20_PRF(r, salsa20_ctx *ctx, const void *src, void *dest) \
283 const octet *s = src; \
285 uint32 in[4], out[8]; \
288 for (i = 0; i < 4; i++) in[i] = LOAD32_L(s + 4*i); \
289 HSALSA20_RAW(r, ctx->a, in, out); \
290 for (i = 0; i < 8; i++) STORE32_L(d + 4*i, out[i]); \
292 SALSA20_VARS(DEFHSALSA20)
294 /*----- XSalsa20 implementation -------------------------------------------*/
296 /* --- Some convenient macros for naming functions --- *
298 * Because the crypto core is involved in XSalsa20/r's per-nonce setup, we
299 * need to take an interest in the number of rounds in most of the various
300 * functions, and it will probably help if we distinguish the context
301 * structures for the various versions.
304 #define XSALSA20_CTX(r) SALSA20_DECOR(xsalsa20, r, _ctx)
305 #define XSALSA20_INIT(r, ctx, k, ksz, n) \
306 SALSA20_DECOR(xsalsa20, r, _init)(ctx, k, ksz, n)
307 #define XSALSA20_SETNONCE(r, ctx, n) \
308 SALSA20_DECOR(xsalsa20, r, _setnonce)(ctx, n)
309 #define XSALSA20_SEEK(r, ctx, i) \
310 SALSA20_DECOR(xsalsa20, r, _seek)(ctx, i)
311 #define XSALSA20_SEEKU64(r, ctx, i) \
312 SALSA20_DECOR(xsalsa20, r, _seeku64)(ctx, i)
313 #define XSALSA20_TELL(r, ctx) \
314 SALSA20_DECOR(xsalsa20, r, _tell)(ctx)
315 #define XSALSA20_TELLU64(r, ctx) \
316 SALSA20_DECOR(xsalsa20, r, _tellu64)(ctx)
317 #define XSALSA20_ENCRYPT(r, ctx, src, dest, sz) \
318 SALSA20_DECOR(xsalsa20, r, _encrypt)(ctx, src, dest, sz)
320 /* --- @xsalsa20{,12,8}_init@ --- *
322 * Arguments: @xsalsa20R_ctx *ctx@ = the context to fill in
323 * @const void *key@ = pointer to key material
324 * @size_t ksz@ = size of key (either 32 or 16)
325 * @const void *nonce@ = initial nonce, or null
329 * Use: Initializes an XSalsa20/r context ready for use.
331 * There is a different function for each number of rounds,
332 * unlike for plain Salsa20.
335 #define DEFXINIT(r) \
336 void XSALSA20_INIT(r, XSALSA20_CTX(r) *ctx, \
337 const void *key, size_t ksz, const void *nonce) \
339 static const octet zerononce[XSALSA20_NONCESZ]; \
341 populate(ctx->k, key, ksz); \
342 ctx->s.a[ 0] = SALSA20_A256; \
343 ctx->s.a[ 5] = SALSA20_B256; \
344 ctx->s.a[10] = SALSA20_C256; \
345 ctx->s.a[15] = SALSA20_D256; \
346 XSALSA20_SETNONCE(r, ctx, nonce ? nonce : zerononce); \
348 SALSA20_VARS(DEFXINIT)
350 /* --- @xsalsa20{,12,8}_setnonce@ --- *
352 * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context
353 * @const void *nonce@ = the nonce (@XSALSA20_NONCESZ@ bytes)
357 * Use: Set a new nonce in the context @ctx@, e.g., for processing a
358 * different message. The stream position is reset to zero (see
359 * @salsa20_seek@ etc.).
361 * There is a different function for each number of rounds,
362 * unlike for plain Salsa20.
365 #define DEFXNONCE(r) \
366 void XSALSA20_SETNONCE(r, XSALSA20_CTX(r) *ctx, const void *nonce) \
368 const octet *n = nonce; \
369 uint32 in[4], out[8]; \
372 for (i = 0; i < 4; i++) in[i] = LOAD32_L(n + 4*i); \
373 HSALSA20_RAW(r, ctx->k, in, out); \
374 for (i = 0; i < 4; i++) ctx->s.a[i + 1] = out[i]; \
375 for (i = 4; i < 8; i++) ctx->s.a[i + 7] = out[i]; \
376 salsa20_setnonce(&ctx->s, n + 16); \
378 SALSA20_VARS(DEFXNONCE)
380 /* --- @xsalsa20{,12,8}_seek@, @xsalsa20{,12,8}_seeku64@ --- *
382 * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context
383 * @unsigned long i@, @kludge64 i@ = new position to set
387 * Use: Sets a new stream position, in units of Salsa20 output
388 * blocks, which are @XSALSA20_OUTSZ@ bytes each. Byte
389 * granularity can be achieved by calling @xsalsa20R_encrypt@
392 * There is a different function for each number of rounds,
393 * unlike for plain Salsa20, because the context structures are
397 /* --- @xsalsa20{,12,8}_tell@, @xsalsa20{,12,8}_tellu64@ --- *
399 * Arguments: @salsa20_ctx *ctx@ = pointer to context
401 * Returns: The current position in the output stream, in blocks,
404 * There is a different function for each number of rounds,
405 * unlike for plain Salsa20, because the context structures are
409 /* --- @xsalsa20{,12,8}_encrypt@ --- *
411 * Arguments: @xsalsa20R_ctx *ctx@ = pointer to context
412 * @const void *src@ = source buffer (or null)
413 * @void *dest@ = destination buffer (or null)
414 * @size_t sz@ = size of the buffers
418 * Use: Encrypts or decrypts @sz@ bytes of data from @src@ to @dest@.
419 * XSalsa20 works by XORing plaintext with a keystream, so
420 * encryption and decryption are the same operation. If @dest@
421 * is null then ignore @src@ and skip @sz@ bytes of the
422 * keystream. If @src@ is null, then just write the keystream
426 #define DEFXPASSTHRU(r) \
427 void XSALSA20_SEEK(r, XSALSA20_CTX(r) *ctx, unsigned long i) \
428 { salsa20_seek(&ctx->s, i); } \
429 void XSALSA20_SEEKU64(r, XSALSA20_CTX(r) *ctx, kludge64 i) \
430 { salsa20_seeku64(&ctx->s, i); } \
431 unsigned long XSALSA20_TELL(r, XSALSA20_CTX(r) *ctx) \
432 { return salsa20_tell(&ctx->s); } \
433 kludge64 XSALSA20_TELLU64(r, XSALSA20_CTX(r) *ctx) \
434 { return salsa20_tellu64(&ctx->s); } \
435 void XSALSA20_ENCRYPT(r, XSALSA20_CTX(r) *ctx, \
436 const void *src, void *dest, size_t sz) \
437 { SALSA20_ENCRYPT(r, &ctx->s, src, dest, sz); }
438 SALSA20_VARS(DEFXPASSTHRU)
440 /*----- Generic cipher interface ------------------------------------------*/
442 typedef struct gctx { gcipher c; salsa20_ctx ctx; } gctx;
444 static void gsetiv(gcipher *c, const void *iv)
445 { gctx *g = (gctx *)c; salsa20_setnonce(&g->ctx, iv); }
447 static void gdestroy(gcipher *c)
448 { gctx *g = (gctx *)c; BURN(*g); S_DESTROY(g); }
450 #define DEFGCIPHER(r) \
452 static const gcipher_ops gops_##r; \
454 static gcipher *ginit_##r(const void *k, size_t sz) \
456 gctx *g = S_CREATE(gctx); \
457 g->c.ops = &gops_##r; \
458 salsa20_init(&g->ctx, k, sz, 0); \
462 static void gencrypt_##r(gcipher *c, const void *s, \
463 void *t, size_t sz) \
464 { gctx *g = (gctx *)c; SALSA20_ENCRYPT(r, &g->ctx, s, t, sz); } \
466 static const gcipher_ops gops_##r = { \
467 &SALSA20_DECOR(salsa20, r, ), \
468 gencrypt_##r, gencrypt_##r, gdestroy, gsetiv, 0 \
471 const gccipher SALSA20_DECOR(salsa20, r, ) = { \
472 SALSA20_NAME_##r, salsa20_keysz, \
473 SALSA20_NONCESZ, ginit_##r \
476 SALSA20_VARS(DEFGCIPHER)
478 #define DEFGXCIPHER(r) \
480 typedef struct { gcipher c; XSALSA20_CTX(r) ctx; } gxctx_##r; \
482 static void gxsetiv_##r(gcipher *c, const void *iv) \
483 { gxctx_##r *g = (gxctx_##r *)c; XSALSA20_SETNONCE(r, &g->ctx, iv); } \
485 static void gxdestroy_##r(gcipher *c) \
486 { gxctx_##r *g = (gxctx_##r *)c; BURN(*g); S_DESTROY(g); } \
488 static const gcipher_ops gxops_##r; \
490 static gcipher *gxinit_##r(const void *k, size_t sz) \
492 gxctx_##r *g = S_CREATE(gxctx_##r); \
493 g->c.ops = &gxops_##r; \
494 XSALSA20_INIT(r, &g->ctx, k, sz, 0); \
498 static void gxencrypt_##r(gcipher *c, const void *s, \
499 void *t, size_t sz) \
501 gxctx_##r *g = (gxctx_##r *)c; \
502 XSALSA20_ENCRYPT(r, &g->ctx, s, t, sz); \
505 static const gcipher_ops gxops_##r = { \
506 &SALSA20_DECOR(xsalsa20, r, ), \
507 gxencrypt_##r, gxencrypt_##r, gxdestroy_##r, gxsetiv_##r, 0 \
510 const gccipher SALSA20_DECOR(xsalsa20, r, ) = { \
511 "x" SALSA20_NAME_##r, salsa20_keysz, \
512 XSALSA20_NONCESZ, gxinit_##r \
515 SALSA20_VARS(DEFGXCIPHER)
517 /*----- Generic random number generator interface -------------------------*/
519 typedef struct grops {
521 void (*seek)(void *, kludge64);
522 kludge64 (*tell)(void *);
523 void (*setnonce)(void *, const void *);
524 void (*generate)(void *, void *, size_t);
527 typedef struct grbasectx {
532 static int grmisc(grand *r, unsigned op, ...)
534 octet buf[XSALSA20_NONCESZ];
535 grbasectx *g = (grbasectx *)r;
549 switch (va_arg(ap, unsigned)) {
552 case GRAND_SEEDUINT32:
553 case GRAND_SEEDBLOCK:
556 case SALSA20_SEEKU64:
558 case SALSA20_TELLU64:
568 i = va_arg(ap, unsigned); STORE32_L(buf, i);
569 memset(buf + 4, 0, g->ops->noncesz - 4);
570 g->ops->setnonce(g, buf);
572 case GRAND_SEEDUINT32:
573 i = va_arg(ap, uint32); STORE32_L(buf, i);
574 memset(buf + 4, 0, g->ops->noncesz - 4);
575 g->ops->setnonce(g, buf);
577 case GRAND_SEEDBLOCK:
578 p = va_arg(ap, const void *);
579 sz = va_arg(ap, size_t);
580 if (sz < g->ops->noncesz) {
582 memset(buf + sz, 0, g->ops->noncesz - sz);
585 g->ops->setnonce(g, p);
588 rr = va_arg(ap, grand *);
589 rr->ops->fill(rr, buf, g->ops->noncesz);
590 g->ops->setnonce(g, buf);
593 ul = va_arg(ap, unsigned long); ASSIGN64(pos, ul);
594 g->ops->seek(g, pos);
596 case SALSA20_SEEKU64:
597 pos = va_arg(ap, kludge64);
598 g->ops->seek(g, pos);
601 pos = g->ops->tell(g);
602 *va_arg(ap, unsigned long *) = GET64(unsigned long, pos);
604 case SALSA20_TELLU64:
605 *va_arg(ap, kludge64 *) = g->ops->tell(g);
615 static octet grbyte(grand *r)
617 grbasectx *g = (grbasectx *)r;
619 g->ops->generate(g, &o, 1);
623 static uint32 grword(grand *r)
625 grbasectx *g = (grbasectx *)r;
627 g->ops->generate(g, b, sizeof(b));
628 return (LOAD32_L(b));
631 static void grfill(grand *r, void *p, size_t sz)
633 grbasectx *g = (grbasectx *)r;
634 g->ops->generate(r, p, sz);
637 typedef struct grctx {
642 static void gr_seek(void *r, kludge64 pos)
643 { grctx *g = r; salsa20_seeku64(&g->ctx, pos); }
645 static kludge64 gr_tell(void *r)
646 { grctx *g = r; return (salsa20_tellu64(&g->ctx)); }
648 static void gr_setnonce(void *r, const void *n)
649 { grctx *g = r; salsa20_setnonce(&g->ctx, n); }
651 static void grdestroy(grand *r)
652 { grctx *g = (grctx *)r; BURN(*g); S_DESTROY(g); }
654 #define DEFGRAND(rr) \
656 static void gr_generate_##rr(void *r, void *b, size_t sz) \
657 { grctx *g = r; SALSA20_ENCRYPT(rr, &g->ctx, 0, b, sz); } \
659 static const grops grops_##rr = \
660 { SALSA20_NONCESZ, gr_seek, gr_tell, \
661 gr_setnonce, gr_generate_##rr }; \
663 static const grand_ops grops_rand_##rr = { \
664 SALSA20_NAME_##rr, GRAND_CRYPTO, 0, \
665 grmisc, grdestroy, grword, \
666 grbyte, grword, grand_defaultrange, grfill \
669 grand *SALSA20_DECOR(salsa20, rr, _rand) \
670 (const void *k, size_t ksz, const void *n) \
672 grctx *g = S_CREATE(g); \
673 g->r.r.ops = &grops_rand_##rr; \
674 g->r.ops = &grops_##rr; \
675 salsa20_init(&g->ctx, k, ksz, n); \
678 SALSA20_VARS(DEFGRAND)
680 #define DEFXGRAND(rr) \
682 typedef struct grxctx_##rr { \
684 XSALSA20_CTX(rr) ctx; \
687 static void grx_seek_##rr(void *r, kludge64 pos) \
688 { grxctx_##rr *g = r; XSALSA20_SEEKU64(rr, &g->ctx, pos); } \
690 static kludge64 grx_tell_##rr(void *r) \
691 { grxctx_##rr *g = r; return (XSALSA20_TELLU64(rr, &g->ctx)); } \
693 static void grx_setnonce_##rr(void *r, const void *n) \
694 { grxctx_##rr *g = r; XSALSA20_SETNONCE(rr, &g->ctx, n); } \
696 static void grxdestroy_##rr(grand *r) \
697 { grxctx_##rr *g = (grxctx_##rr *)r; BURN(*g); S_DESTROY(g); } \
699 static void grx_generate_##rr(void *r, void *b, size_t sz) \
700 { grxctx_##rr *g = r; XSALSA20_ENCRYPT(rr, &g->ctx, 0, b, sz); } \
702 static const grops grxops_##rr = \
703 { XSALSA20_NONCESZ, grx_seek_##rr, grx_tell_##rr, \
704 grx_setnonce_##rr, grx_generate_##rr }; \
706 static const grand_ops grxops_rand_##rr = { \
707 "x" SALSA20_NAME_##rr, GRAND_CRYPTO, 0, \
708 grmisc, grxdestroy_##rr, grword, \
709 grbyte, grword, grand_defaultrange, grfill \
712 grand *SALSA20_DECOR(xsalsa20, rr, _rand) \
713 (const void *k, size_t ksz, const void *n) \
715 grxctx_##rr *g = S_CREATE(g); \
716 g->r.r.ops = &grxops_rand_##rr; \
717 g->r.ops = &grxops_##rr; \
718 XSALSA20_INIT(rr, &g->ctx, k, ksz, n); \
721 SALSA20_VARS(DEFXGRAND)
723 /*----- Test rig ----------------------------------------------------------*/
730 #include <mLib/quis.h>
731 #include <mLib/testrig.h>
733 #define DEFVCORE(r) \
734 static int v_core_##r(dstr *v) \
736 salsa20_matrix a, b; \
737 dstr d = DSTR_INIT; \
741 DENSURE(&d, SALSA20_OUTSZ); d.len = SALSA20_OUTSZ; \
742 n = *(int *)v[0].buf; \
743 for (i = 0; i < SALSA20_OUTSZ/4; i++) \
744 a[i] = LOAD32_L(v[1].buf + 4*i); \
745 for (i = 0; i < n; i++) { \
747 memcpy(a, b, sizeof(a)); \
749 for (i = 0; i < SALSA20_OUTSZ/4; i++) STORE32_L(d.buf + 4*i, a[i]); \
751 if (d.len != v[2].len || memcmp(d.buf, v[2].buf, v[2].len) != 0) { \
753 printf("\nfail core:" \
754 "\n\titerations = %d" \
756 type_hex.dump(&v[1], stdout); \
757 printf("\n\texpected = "); \
758 type_hex.dump(&v[2], stdout); \
759 printf("\n\tcalculated = "); \
760 type_hex.dump(&d, stdout); \
767 SALSA20_VARS(DEFVCORE)
769 #define SALSA20_CTX(r) salsa20_ctx
770 #define SALSA20_INIT(r, ctx, k, ksz, n) salsa20_init(ctx, k, ksz, n)
771 #define SALSA20_SEEKU64(r, ctx, i) salsa20_seeku64(ctx, i)
773 #define DEFxVENC(base, BASE, r) \
774 static int v_encrypt_##base##_##r(dstr *v) \
777 dstr d = DSTR_INIT; \
779 const octet *p, *p0; \
781 size_t sz, sz0, step; \
782 unsigned long skip; \
785 if (v[4].len) { p0 = (const octet *)v[4].buf; sz0 = v[4].len; } \
786 else { p0 = 0; sz0 = v[5].len; } \
787 DENSURE(&d, sz0); d.len = sz0; \
788 skip = *(unsigned long *)v[3].buf; \
791 while (step < sz0 + skip) { \
792 step = step ? 3*step + 4 : 1; \
793 if (step > sz0 + skip) step = sz0 + skip; \
794 BASE##_INIT(r, &ctx, v[0].buf, v[0].len, v[1].buf); \
796 LOAD64_(pos, v[2].buf); \
797 BASE##_SEEKU64(r, &ctx, pos); \
800 for (sz = skip; sz >= step; sz -= step) \
801 BASE##_ENCRYPT(r, &ctx, 0, 0, step); \
802 if (sz) BASE##_ENCRYPT(r, &ctx, 0, 0, sz); \
803 for (p = p0, q = (octet *)d.buf, sz = sz0; \
805 sz -= step, q += step) { \
806 BASE##_ENCRYPT(r, &ctx, p, q, step); \
809 if (sz) BASE##_ENCRYPT(r, &ctx, p, q, sz); \
811 if (d.len != v[5].len || memcmp(d.buf, v[5].buf, v[5].len) != 0) { \
813 printf("\nfail encrypt:" \
815 "\n\tkey = ", (unsigned long)step); \
816 type_hex.dump(&v[0], stdout); \
817 printf("\n\tnonce = "); \
818 type_hex.dump(&v[1], stdout); \
819 printf("\n\tposition = "); \
820 type_hex.dump(&v[2], stdout); \
821 printf("\n\tskip = %lu", skip); \
822 printf("\n\tmessage = "); \
823 type_hex.dump(&v[4], stdout); \
824 printf("\n\texpected = "); \
825 type_hex.dump(&v[5], stdout); \
826 printf("\n\tcalculated = "); \
827 type_hex.dump(&d, stdout); \
835 #define DEFVENC(r) DEFxVENC(salsa20, SALSA20, r)
836 #define DEFXVENC(r) DEFxVENC(xsalsa20, XSALSA20, r)
837 SALSA20_VARS(DEFVENC)
838 SALSA20_VARS(DEFXVENC)
840 static test_chunk defs[] = {
841 #define DEFxTAB(pre, base, r) \
842 { pre SALSA20_NAME_##r, v_encrypt_##base##_##r, \
843 { &type_hex, &type_hex, &type_hex, &type_ulong, \
844 &type_hex, &type_hex, 0 } },
846 { SALSA20_NAME_##r "-core", v_core_##r, \
847 { &type_int, &type_hex, &type_hex, 0 } }, \
848 DEFxTAB("", salsa20, r)
849 #define DEFXTAB(r) DEFxTAB("x", xsalsa20, r)
851 SALSA20_VARS(DEFXTAB)
855 int main(int argc, char *argv[])
857 test_run(argc, argv, defs, SRCDIR"/t/salsa20");
863 /*----- That's all, folks -------------------------------------------------*/
~mdw / catacomb / blob