/*
chacha-merged.c version 20080118
D. J. Bernstein
Public domain.
*/

/* $OpenBSD: chacha.c,v 1.1 2013/11/21 00:45:44 djm Exp $ */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include <sys/param.h>
#include <sys/types.h>

#include <crypto/chacha20/chacha.h>
/* Local fixed-width aliases used throughout this file. */
typedef uint8_t u8;
typedef uint32_t u32;

typedef struct chacha_ctx chacha_ctx;

#define U8C(v) (v##U)
#define U32C(v) (v##U)

#define U8V(v) ((u8)(v) & U8C(0xFF))
#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))

/* Rotate 32-bit value v left by n bits (0 < n < 32). */
#define ROTL32(v, n) \
  (U32V((v) << (n)) | ((v) >> (32 - (n))))

/* Load a 32-bit word from byte pointer p, little-endian. */
#define U8TO32_LITTLE(p) \
  (((u32)((p)[0])      ) | \
   ((u32)((p)[1]) <<  8) | \
   ((u32)((p)[2]) << 16) | \
   ((u32)((p)[3]) << 24))

/* Store 32-bit value v at byte pointer p, little-endian. */
#define U32TO8_LITTLE(p, v) \
  do { \
    (p)[0] = U8V((v)      ); \
    (p)[1] = U8V((v) >>  8); \
    (p)[2] = U8V((v) >> 16); \
    (p)[3] = U8V((v) >> 24); \
  } while (0)

#define ROTATE(v,c) (ROTL32(v,c))
#define XOR(v,w) ((v) ^ (w))
#define PLUS(v,w) (U32V((v) + (w)))
#define PLUSONE(v) (PLUS((v),1))

/* ChaCha quarter round applied in place to four state words. */
#define QUARTERROUND(a,b,c,d) \
  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
57 static const char sigma[16] = "expand 32-byte k";
58 static const char tau[16] = "expand 16-byte k";
61 chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
63 const char *constants;
65 x->input[4] = U8TO32_LITTLE(k + 0);
66 x->input[5] = U8TO32_LITTLE(k + 4);
67 x->input[6] = U8TO32_LITTLE(k + 8);
68 x->input[7] = U8TO32_LITTLE(k + 12);
69 if (kbits == 256) { /* recommended */
72 } else { /* kbits == 128 */
75 x->input[8] = U8TO32_LITTLE(k + 0);
76 x->input[9] = U8TO32_LITTLE(k + 4);
77 x->input[10] = U8TO32_LITTLE(k + 8);
78 x->input[11] = U8TO32_LITTLE(k + 12);
79 x->input[0] = U8TO32_LITTLE(constants + 0);
80 x->input[1] = U8TO32_LITTLE(constants + 4);
81 x->input[2] = U8TO32_LITTLE(constants + 8);
82 x->input[3] = U8TO32_LITTLE(constants + 12);
86 chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
88 x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
89 x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
90 x->input[14] = U8TO32_LITTLE(iv + 0);
91 x->input[15] = U8TO32_LITTLE(iv + 4);
95 chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
97 u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
98 u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
124 for (i = 0;i < bytes;++i) tmp[i] = m[i];
145 for (i = 20;i > 0;i -= 2) {
146 QUARTERROUND( x0, x4, x8,x12)
147 QUARTERROUND( x1, x5, x9,x13)
148 QUARTERROUND( x2, x6,x10,x14)
149 QUARTERROUND( x3, x7,x11,x15)
150 QUARTERROUND( x0, x5,x10,x15)
151 QUARTERROUND( x1, x6,x11,x12)
152 QUARTERROUND( x2, x7, x8,x13)
153 QUARTERROUND( x3, x4, x9,x14)
172 x0 = XOR(x0,U8TO32_LITTLE(m + 0));
173 x1 = XOR(x1,U8TO32_LITTLE(m + 4));
174 x2 = XOR(x2,U8TO32_LITTLE(m + 8));
175 x3 = XOR(x3,U8TO32_LITTLE(m + 12));
176 x4 = XOR(x4,U8TO32_LITTLE(m + 16));
177 x5 = XOR(x5,U8TO32_LITTLE(m + 20));
178 x6 = XOR(x6,U8TO32_LITTLE(m + 24));
179 x7 = XOR(x7,U8TO32_LITTLE(m + 28));
180 x8 = XOR(x8,U8TO32_LITTLE(m + 32));
181 x9 = XOR(x9,U8TO32_LITTLE(m + 36));
182 x10 = XOR(x10,U8TO32_LITTLE(m + 40));
183 x11 = XOR(x11,U8TO32_LITTLE(m + 44));
184 x12 = XOR(x12,U8TO32_LITTLE(m + 48));
185 x13 = XOR(x13,U8TO32_LITTLE(m + 52));
186 x14 = XOR(x14,U8TO32_LITTLE(m + 56));
187 x15 = XOR(x15,U8TO32_LITTLE(m + 60));
192 /* stopping at 2^70 bytes per nonce is user's responsibility */
195 U32TO8_LITTLE(c + 0,x0);
196 U32TO8_LITTLE(c + 4,x1);
197 U32TO8_LITTLE(c + 8,x2);
198 U32TO8_LITTLE(c + 12,x3);
199 U32TO8_LITTLE(c + 16,x4);
200 U32TO8_LITTLE(c + 20,x5);
201 U32TO8_LITTLE(c + 24,x6);
202 U32TO8_LITTLE(c + 28,x7);
203 U32TO8_LITTLE(c + 32,x8);
204 U32TO8_LITTLE(c + 36,x9);
205 U32TO8_LITTLE(c + 40,x10);
206 U32TO8_LITTLE(c + 44,x11);
207 U32TO8_LITTLE(c + 48,x12);
208 U32TO8_LITTLE(c + 52,x13);
209 U32TO8_LITTLE(c + 56,x14);
210 U32TO8_LITTLE(c + 60,x15);
214 for (i = 0;i < bytes;++i) ctarget[i] = c[i];