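/*	$NetBSD: chacha_ref.c,v 1.1 2020/07/25 22:46:34 riastradh Exp $	*/

/*-
 * Copyright (c) 2020 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * ChaCha pseudorandom function family and stream cipher portable C
 * implementation.  Derived from the specification,
 *
 *	Daniel J. Bernstein, `ChaCha, a variant of Salsa20', Workshop
 *	Record of the State of the Art in Stream Ciphers -- SASC 2008.
 *	https://cr.yp.to/papers.html#chacha
 *
 * which in turn builds on the specification of Salsa20 available at
 * <https://cr.yp.to/snuffle.html>.  The particular parametrization of
 * the stream cipher, with a 32-bit block counter and 96-bit nonce, is
 * described in
 *
 *	Y. Nir and A. Langley, `ChaCha20 and Poly1305 for IETF
 *	Protocols', IETF RFC 8439, June 2018.
 *	https://tools.ietf.org/html/rfc8439
 *
 * Conventions shared by every routine below:
 *
 *	- All multi-byte quantities are little-endian (le32dec/le32enc),
 *	  as ChaCha specifies, regardless of host byte order.
 *	- The round count nr is the total number of rounds (8, 12 or 20);
 *	  the loops consume two rounds (one column pass and one diagonal
 *	  pass) per iteration, so nr MUST be even.  The loops count an
 *	  unsigned value down by two, so an odd nr would wrap rather than
 *	  terminate -- callers are responsible for passing an even value.
 *	- The 32-bit block counter wraps modulo 2^32; as in RFC 8439,
 *	  the caller must not generate more than 2^32 blocks under one
 *	  (key, nonce) pair.
 *	- Stack buffers that hold keystream or derived key material are
 *	  wiped before return.  Key words held in local uint32_t
 *	  variables may still be spilled to the stack by the compiler;
 *	  nothing here attempts to scrub those.
 */

#include "chacha_ref.h"

/*
 * Rotate the 32-bit word u left by c bits.
 *
 * Requires 0 < c < 32; the quarter-round only ever passes 16, 12, 8
 * and 7.  A rotation by 0 or 32 would shift by the full width, which
 * is undefined in C.
 */
static uint32_t
rol32(uint32_t u, unsigned c)
{

	return (u << c) | (u >> (32 - c));
}

/*
 * One ChaCha quarter-round on the four state words a, b, c, d, updated
 * in place.  The arguments are evaluated more than once, so they must
 * be plain lvalues with no side effects (every use below passes local
 * uint32_t variables).
 */
#define	CHACHA_QUARTERROUND(a, b, c, d) do \
{ \
	(a) += (b); (d) ^= (a); (d) = rol32((d), 16); \
	(c) += (d); (b) ^= (c); (b) = rol32((b), 12); \
	(a) += (b); (d) ^= (a); (d) = rol32((d), 8); \
	(c) += (d); (b) ^= (c); (b) = rol32((b), 7); \
} while (/*CONSTCOND*/0)

/*
 * The sixteen constant bytes occupying state words 0..3 for 256-bit
 * keys.  The string literal is exactly 16 characters, so the array
 * holds it without a terminating NUL, which is what we want.
 */
const uint8_t chacha_const32[16] = "expand 32-byte k";

/*
 * Clear n bytes at p in a way the optimizer cannot elide as a dead
 * store.  Where the build provides explicit_memset(3) or
 * explicit_bzero(3), that is the preferred replacement.
 */
static void
chacha_clearmem(void *p, size_t n)
{
	volatile uint8_t *q = p;

	while (n--)
		*q++ = 0;
}

/*
 * ChaCha core: one 64-byte block of the ChaCha function.
 *
 *	out	64-byte output block, must not overlap the inputs
 *	in	16-byte input occupying state words 12..15 (counter
 *		and nonce for the stream cipher; arbitrary for the PRF)
 *	k	32-byte key, state words 4..11
 *	c	16-byte constant, state words 0..3
 *	nr	number of rounds (even; see the file comment)
 *
 * The output is the round-permuted state added word-wise to the
 * initial state, serialized little-endian.
 */
static void
chacha_core_ref(uint8_t out[restrict static 64], const uint8_t in[static 16],
    const uint8_t k[static 32], const uint8_t c[static 16], unsigned nr)
{
	uint32_t x0,x1,x2,x3,x4,x5,x6,x7,x8,x9,x10,x11,x12,x13,x14,x15;
	uint32_t y0,y1,y2,y3,y4,y5,y6,y7,y8,y9,y10,y11,y12,y13,y14,y15;

	/* x* keeps the initial state for the final feed-forward; y* is
	 * the working copy the rounds permute. */
	x0 = y0 = le32dec(c + 0);
	x1 = y1 = le32dec(c + 4);
	x2 = y2 = le32dec(c + 8);
	x3 = y3 = le32dec(c + 12);
	x4 = y4 = le32dec(k + 0);
	x5 = y5 = le32dec(k + 4);
	x6 = y6 = le32dec(k + 8);
	x7 = y7 = le32dec(k + 12);
	x8 = y8 = le32dec(k + 16);
	x9 = y9 = le32dec(k + 20);
	x10 = y10 = le32dec(k + 24);
	x11 = y11 = le32dec(k + 28);
	x12 = y12 = le32dec(in + 0);
	x13 = y13 = le32dec(in + 4);
	x14 = y14 = le32dec(in + 8);
	x15 = y15 = le32dec(in + 12);

	/* Each iteration is a column round followed by a diagonal round. */
	for (; nr > 0; nr -= 2) {
		CHACHA_QUARTERROUND( y0, y4, y8,y12);
		CHACHA_QUARTERROUND( y1, y5, y9,y13);
		CHACHA_QUARTERROUND( y2, y6,y10,y14);
		CHACHA_QUARTERROUND( y3, y7,y11,y15);
		CHACHA_QUARTERROUND( y0, y5,y10,y15);
		CHACHA_QUARTERROUND( y1, y6,y11,y12);
		CHACHA_QUARTERROUND( y2, y7, y8,y13);
		CHACHA_QUARTERROUND( y3, y4, y9,y14);
	}

	le32enc(out + 0, x0 + y0);
	le32enc(out + 4, x1 + y1);
	le32enc(out + 8, x2 + y2);
	le32enc(out + 12, x3 + y3);
	le32enc(out + 16, x4 + y4);
	le32enc(out + 20, x5 + y5);
	le32enc(out + 24, x6 + y6);
	le32enc(out + 28, x7 + y7);
	le32enc(out + 32, x8 + y8);
	le32enc(out + 36, x9 + y9);
	le32enc(out + 40, x10 + y10);
	le32enc(out + 44, x11 + y11);
	le32enc(out + 48, x12 + y12);
	le32enc(out + 52, x13 + y13);
	le32enc(out + 56, x14 + y14);
	le32enc(out + 60, x15 + y15);
}

/* ChaCha stream cipher (IETF style, 96-bit nonce and 32-bit block counter) */

/*
 * Generate nbytes bytes of ChaCha keystream into s.
 *
 *	s	output buffer of at least nbytes bytes
 *	nbytes	number of keystream bytes wanted (any value, including 0)
 *	blkno	initial 32-bit block counter (state word 12)
 *	nonce	12-byte nonce, state words 13..15
 *	k	32-byte key, state words 4..11
 *	nr	number of rounds (even)
 *
 * Whole 64-byte blocks are written straight to s; a trailing partial
 * block is produced into a stack buffer, copied out, and the buffer is
 * wiped so the unused keystream bytes do not survive on the stack.
 */
static void
chacha_stream_ref(uint8_t *restrict s, size_t nbytes,
    uint32_t blkno,
    const uint8_t nonce[static 12],
    const uint8_t k[static 32],
    unsigned nr)
{
	const uint8_t *c = chacha_const32;
	uint32_t x0,x1,x2,x3,x4,x5,x6,x7,x8,x9,x10,x11,x12,x13,x14,x15;
	uint32_t y0,y1,y2,y3,y4,y5,y6,y7,y8,y9,y10,y11,y12,y13,y14,y15;
	unsigned i;

	/* Decode the constant, key and nonce once; only the counter
	 * word changes from block to block. */
	x0 = le32dec(c + 0);
	x1 = le32dec(c + 4);
	x2 = le32dec(c + 8);
	x3 = le32dec(c + 12);
	x4 = le32dec(k + 0);
	x5 = le32dec(k + 4);
	x6 = le32dec(k + 8);
	x7 = le32dec(k + 12);
	x8 = le32dec(k + 16);
	x9 = le32dec(k + 20);
	x10 = le32dec(k + 24);
	x11 = le32dec(k + 28);
	/* x12 = blkno, set per block below */
	x13 = le32dec(nonce + 0);
	x14 = le32dec(nonce + 4);
	x15 = le32dec(nonce + 8);

	/* Full blocks: the counter is a uint32_t and wraps at 2^32. */
	for (; nbytes >= 64; nbytes -= 64, s += 64, blkno++) {
		y0 = x0;
		y1 = x1;
		y2 = x2;
		y3 = x3;
		y4 = x4;
		y5 = x5;
		y6 = x6;
		y7 = x7;
		y8 = x8;
		y9 = x9;
		y10 = x10;
		y11 = x11;
		y12 = x12 = blkno;
		y13 = x13;
		y14 = x14;
		y15 = x15;
		for (i = nr; i > 0; i -= 2) {
			CHACHA_QUARTERROUND( y0, y4, y8,y12);
			CHACHA_QUARTERROUND( y1, y5, y9,y13);
			CHACHA_QUARTERROUND( y2, y6,y10,y14);
			CHACHA_QUARTERROUND( y3, y7,y11,y15);
			CHACHA_QUARTERROUND( y0, y5,y10,y15);
			CHACHA_QUARTERROUND( y1, y6,y11,y12);
			CHACHA_QUARTERROUND( y2, y7, y8,y13);
			CHACHA_QUARTERROUND( y3, y4, y9,y14);
		}
		le32enc(s + 0, x0 + y0);
		le32enc(s + 4, x1 + y1);
		le32enc(s + 8, x2 + y2);
		le32enc(s + 12, x3 + y3);
		le32enc(s + 16, x4 + y4);
		le32enc(s + 20, x5 + y5);
		le32enc(s + 24, x6 + y6);
		le32enc(s + 28, x7 + y7);
		le32enc(s + 32, x8 + y8);
		le32enc(s + 36, x9 + y9);
		le32enc(s + 40, x10 + y10);
		le32enc(s + 44, x11 + y11);
		le32enc(s + 48, x12 + y12);
		le32enc(s + 52, x13 + y13);
		le32enc(s + 56, x14 + y14);
		le32enc(s + 60, x15 + y15);
	}

	/* Trailing partial block (1..63 bytes). */
	if (nbytes) {
		uint8_t buf[64];

		y0 = x0;
		y1 = x1;
		y2 = x2;
		y3 = x3;
		y4 = x4;
		y5 = x5;
		y6 = x6;
		y7 = x7;
		y8 = x8;
		y9 = x9;
		y10 = x10;
		y11 = x11;
		y12 = x12 = blkno;
		y13 = x13;
		y14 = x14;
		y15 = x15;
		for (i = nr; i > 0; i -= 2) {
			CHACHA_QUARTERROUND( y0, y4, y8,y12);
			CHACHA_QUARTERROUND( y1, y5, y9,y13);
			CHACHA_QUARTERROUND( y2, y6,y10,y14);
			CHACHA_QUARTERROUND( y3, y7,y11,y15);
			CHACHA_QUARTERROUND( y0, y5,y10,y15);
			CHACHA_QUARTERROUND( y1, y6,y11,y12);
			CHACHA_QUARTERROUND( y2, y7, y8,y13);
			CHACHA_QUARTERROUND( y3, y4, y9,y14);
		}
		le32enc(buf + 0, x0 + y0);
		le32enc(buf + 4, x1 + y1);
		le32enc(buf + 8, x2 + y2);
		le32enc(buf + 12, x3 + y3);
		le32enc(buf + 16, x4 + y4);
		le32enc(buf + 20, x5 + y5);
		le32enc(buf + 24, x6 + y6);
		le32enc(buf + 28, x7 + y7);
		le32enc(buf + 32, x8 + y8);
		le32enc(buf + 36, x9 + y9);
		le32enc(buf + 40, x10 + y10);
		le32enc(buf + 44, x11 + y11);
		le32enc(buf + 48, x12 + y12);
		le32enc(buf + 52, x13 + y13);
		le32enc(buf + 56, x14 + y14);
		le32enc(buf + 60, x15 + y15);
		memcpy(s, buf, nbytes);

		/* The 64 - nbytes unused keystream bytes are secret;
		 * do not leave them behind on the stack. */
		chacha_clearmem(buf, sizeof buf);
	}
}

/*
 * XOR nbytes bytes of plaintext p with ChaCha keystream into s
 * (encryption and decryption are the same operation).
 *
 *	s	output buffer of at least nbytes bytes; s is not
 *		restrict-qualified, so s == p (in-place) is permitted
 *	p	input buffer of at least nbytes bytes
 *	nbytes	number of bytes to process (any value, including 0)
 *	blkno	initial 32-bit block counter
 *	nonce	12-byte nonce
 *	k	32-byte key
 *	nr	number of rounds (even)
 *
 * Full blocks are XORed word-by-word without materializing the
 * keystream; the trailing partial block goes through a stack buffer
 * which is wiped afterwards.
 */
static void
chacha_stream_xor_ref(uint8_t *s, const uint8_t *p, size_t nbytes,
    uint32_t blkno,
    const uint8_t nonce[static 12],
    const uint8_t k[static 32],
    unsigned nr)
{
	const uint8_t *c = chacha_const32;
	uint32_t x0,x1,x2,x3,x4,x5,x6,x7,x8,x9,x10,x11,x12,x13,x14,x15;
	uint32_t y0,y1,y2,y3,y4,y5,y6,y7,y8,y9,y10,y11,y12,y13,y14,y15;
	unsigned i;

	x0 = le32dec(c + 0);
	x1 = le32dec(c + 4);
	x2 = le32dec(c + 8);
	x3 = le32dec(c + 12);
	x4 = le32dec(k + 0);
	x5 = le32dec(k + 4);
	x6 = le32dec(k + 8);
	x7 = le32dec(k + 12);
	x8 = le32dec(k + 16);
	x9 = le32dec(k + 20);
	x10 = le32dec(k + 24);
	x11 = le32dec(k + 28);
	/* x12 = blkno, set per block below */
	x13 = le32dec(nonce + 0);
	x14 = le32dec(nonce + 4);
	x15 = le32dec(nonce + 8);

	/* Full blocks: the counter is a uint32_t and wraps at 2^32. */
	for (; nbytes >= 64; nbytes -= 64, s += 64, p += 64, blkno++) {
		y0 = x0;
		y1 = x1;
		y2 = x2;
		y3 = x3;
		y4 = x4;
		y5 = x5;
		y6 = x6;
		y7 = x7;
		y8 = x8;
		y9 = x9;
		y10 = x10;
		y11 = x11;
		y12 = x12 = blkno;
		y13 = x13;
		y14 = x14;
		y15 = x15;
		for (i = nr; i > 0; i -= 2) {
			CHACHA_QUARTERROUND( y0, y4, y8,y12);
			CHACHA_QUARTERROUND( y1, y5, y9,y13);
			CHACHA_QUARTERROUND( y2, y6,y10,y14);
			CHACHA_QUARTERROUND( y3, y7,y11,y15);
			CHACHA_QUARTERROUND( y0, y5,y10,y15);
			CHACHA_QUARTERROUND( y1, y6,y11,y12);
			CHACHA_QUARTERROUND( y2, y7, y8,y13);
			CHACHA_QUARTERROUND( y3, y4, y9,y14);
		}
		/* Each word of p is read before the same word of s is
		 * written, so in-place operation is safe. */
		le32enc(s + 0, (x0 + y0) ^ le32dec(p + 0));
		le32enc(s + 4, (x1 + y1) ^ le32dec(p + 4));
		le32enc(s + 8, (x2 + y2) ^ le32dec(p + 8));
		le32enc(s + 12, (x3 + y3) ^ le32dec(p + 12));
		le32enc(s + 16, (x4 + y4) ^ le32dec(p + 16));
		le32enc(s + 20, (x5 + y5) ^ le32dec(p + 20));
		le32enc(s + 24, (x6 + y6) ^ le32dec(p + 24));
		le32enc(s + 28, (x7 + y7) ^ le32dec(p + 28));
		le32enc(s + 32, (x8 + y8) ^ le32dec(p + 32));
		le32enc(s + 36, (x9 + y9) ^ le32dec(p + 36));
		le32enc(s + 40, (x10 + y10) ^ le32dec(p + 40));
		le32enc(s + 44, (x11 + y11) ^ le32dec(p + 44));
		le32enc(s + 48, (x12 + y12) ^ le32dec(p + 48));
		le32enc(s + 52, (x13 + y13) ^ le32dec(p + 52));
		le32enc(s + 56, (x14 + y14) ^ le32dec(p + 56));
		le32enc(s + 60, (x15 + y15) ^ le32dec(p + 60));
	}

	/* Trailing partial block (1..63 bytes). */
	if (nbytes) {
		uint8_t buf[64];

		y0 = x0;
		y1 = x1;
		y2 = x2;
		y3 = x3;
		y4 = x4;
		y5 = x5;
		y6 = x6;
		y7 = x7;
		y8 = x8;
		y9 = x9;
		y10 = x10;
		y11 = x11;
		y12 = x12 = blkno;
		y13 = x13;
		y14 = x14;
		y15 = x15;
		for (i = nr; i > 0; i -= 2) {
			CHACHA_QUARTERROUND( y0, y4, y8,y12);
			CHACHA_QUARTERROUND( y1, y5, y9,y13);
			CHACHA_QUARTERROUND( y2, y6,y10,y14);
			CHACHA_QUARTERROUND( y3, y7,y11,y15);
			CHACHA_QUARTERROUND( y0, y5,y10,y15);
			CHACHA_QUARTERROUND( y1, y6,y11,y12);
			CHACHA_QUARTERROUND( y2, y7, y8,y13);
			CHACHA_QUARTERROUND( y3, y4, y9,y14);
		}
		le32enc(buf + 0, x0 + y0);
		le32enc(buf + 4, x1 + y1);
		le32enc(buf + 8, x2 + y2);
		le32enc(buf + 12, x3 + y3);
		le32enc(buf + 16, x4 + y4);
		le32enc(buf + 20, x5 + y5);
		le32enc(buf + 24, x6 + y6);
		le32enc(buf + 28, x7 + y7);
		le32enc(buf + 32, x8 + y8);
		le32enc(buf + 36, x9 + y9);
		le32enc(buf + 40, x10 + y10);
		le32enc(buf + 44, x11 + y11);
		le32enc(buf + 48, x12 + y12);
		le32enc(buf + 52, x13 + y13);
		le32enc(buf + 56, x14 + y14);
		le32enc(buf + 60, x15 + y15);
		/* Whole words first, then the remaining 0..3 bytes. */
		for (i = 0; i < nbytes - nbytes%4; i += 4)
			le32enc(s + i, le32dec(p + i) ^ le32dec(buf + i));
		for (; i < nbytes; i++)
			s[i] = p[i] ^ buf[i];

		/* Wipe the keystream block, including the unused tail. */
		chacha_clearmem(buf, sizeof buf);
	}
}

/* HChaCha */

/*
 * HChaCha: derive a 32-byte subkey from a 32-byte key and a 16-byte
 * input, as used by XChaCha.
 *
 *	out	32-byte output; must not overlap the inputs
 *	in	16-byte input, state words 12..15
 *	k	32-byte key, state words 4..11
 *	c	16-byte constant, state words 0..3
 *	nr	number of rounds (even)
 *
 * Unlike chacha_core_ref there is no feed-forward: the output is
 * state words 0..3 followed by words 12..15 of the permuted state.
 */
static void
hchacha_ref(uint8_t out[restrict static 32], const uint8_t in[static 16],
    const uint8_t k[static 32], const uint8_t c[static 16], unsigned nr)
{
	uint32_t y0,y1,y2,y3,y4,y5,y6,y7,y8,y9,y10,y11,y12,y13,y14,y15;

	y0 = le32dec(c + 0);
	y1 = le32dec(c + 4);
	y2 = le32dec(c + 8);
	y3 = le32dec(c + 12);
	y4 = le32dec(k + 0);
	y5 = le32dec(k + 4);
	y6 = le32dec(k + 8);
	y7 = le32dec(k + 12);
	y8 = le32dec(k + 16);
	y9 = le32dec(k + 20);
	y10 = le32dec(k + 24);
	y11 = le32dec(k + 28);
	y12 = le32dec(in + 0);
	y13 = le32dec(in + 4);
	y14 = le32dec(in + 8);
	y15 = le32dec(in + 12);

	for (; nr > 0; nr -= 2) {
		CHACHA_QUARTERROUND( y0, y4, y8,y12);
		CHACHA_QUARTERROUND( y1, y5, y9,y13);
		CHACHA_QUARTERROUND( y2, y6,y10,y14);
		CHACHA_QUARTERROUND( y3, y7,y11,y15);
		CHACHA_QUARTERROUND( y0, y5,y10,y15);
		CHACHA_QUARTERROUND( y1, y6,y11,y12);
		CHACHA_QUARTERROUND( y2, y7, y8,y13);
		CHACHA_QUARTERROUND( y3, y4, y9,y14);
	}

	le32enc(out + 0, y0);
	le32enc(out + 4, y1);
	le32enc(out + 8, y2);
	le32enc(out + 12, y3);
	le32enc(out + 16, y12);
	le32enc(out + 20, y13);
	le32enc(out + 24, y14);
	le32enc(out + 28, y15);
}

/* XChaCha stream cipher */

/* https://tools.ietf.org/html/draft-irtf-cfrg-xchacha-03 */

/*
 * Generate nbytes bytes of XChaCha keystream into s.
 *
 *	s	output buffer of at least nbytes bytes
 *	nbytes	number of keystream bytes wanted
 *	blkno	initial 32-bit block counter
 *	nonce	24-byte nonce
 *	k	32-byte key
 *	nr	number of rounds (even)
 *
 * The first 16 nonce bytes go through HChaCha to derive a subkey; the
 * remaining 8 nonce bytes, prefixed by four zero bytes, form the
 * 12-byte nonce for the underlying ChaCha stream.  The subkey is key
 * material and is wiped before return.
 */
static void
xchacha_stream_ref(uint8_t *restrict s, size_t nbytes, uint32_t blkno,
    const uint8_t nonce[static 24], const uint8_t k[static 32], unsigned nr)
{
	uint8_t subkey[32];
	uint8_t subnonce[12];

	hchacha_ref(subkey, nonce/*[0:16)*/, k, chacha_const32, nr);
	memset(subnonce, 0, 4);
	memcpy(subnonce + 4, nonce + 16, 8);
	chacha_stream_ref(s, nbytes, blkno, subnonce, subkey, nr);

	/* The derived subkey is as sensitive as k itself. */
	chacha_clearmem(subkey, sizeof subkey);
}

/*
 * XOR nbytes bytes of p with XChaCha keystream into c.
 *
 *	c	output buffer of at least nbytes bytes
 *	p	input buffer of at least nbytes bytes
 *	nbytes	number of bytes to process
 *	blkno	initial 32-bit block counter
 *	nonce	24-byte nonce
 *	k	32-byte key
 *	nr	number of rounds (even)
 *
 * Subkey and subnonce derivation are as in xchacha_stream_ref.
 *
 * NOTE(review): c is restrict-qualified here although the underlying
 * chacha_stream_xor_ref accepts s == p, so an in-place call through
 * this entry point (c == p) is formally undefined even though the
 * callee handles it -- confirm against the chacha_impl contract and
 * drop the qualifier if in-place use is intended.
 */
static void
xchacha_stream_xor_ref(uint8_t *restrict c, const uint8_t *p, size_t nbytes,
    uint32_t blkno,
    const uint8_t nonce[static 24],
    const uint8_t k[static 32],
    unsigned nr)
{
	uint8_t subkey[32];
	uint8_t subnonce[12];

	hchacha_ref(subkey, nonce/*[0:16)*/, k, chacha_const32, nr);
	memset(subnonce, 0, 4);
	memcpy(subnonce + 4, nonce + 16, 8);
	chacha_stream_xor_ref(c, p, nbytes, blkno, subnonce, subkey, nr);

	/* The derived subkey is as sensitive as k itself. */
	chacha_clearmem(subkey, sizeof subkey);
}

/*
 * Probe for this implementation.  Returns 0 (usable) unconditionally:
 * the portable C code has no CPU feature requirements.
 */
static int
chacha_probe_ref(void)
{

	/* The reference implementation is always available.  */
	return 0;
}

/* Dispatch table exported to the implementation selector. */
const struct chacha_impl chacha_ref_impl = {
	.ci_name = "Portable C ChaCha",
	.ci_probe = chacha_probe_ref,
	.ci_chacha_core = chacha_core_ref,
	.ci_hchacha = hchacha_ref,
	.ci_chacha_stream = chacha_stream_ref,
	.ci_chacha_stream_xor = chacha_stream_xor_ref,
	.ci_xchacha_stream = xchacha_stream_ref,
	.ci_xchacha_stream_xor = xchacha_stream_xor_ref,
};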