Implement the Salsa family of stream ciphers.

Note that we only have unit tests for Salsa20.

include/cryb/Makefile.am

@@ -7,6 +7,7 @@ cryb_HEADERS += \
 	aes.h \
 	chacha.h \
 	rc4.h \
+	salsa.h \
 	\
 	cipher.h
 endif CRYB_CIPHER

include/cryb/salsa.h

@@ -0,0 +1,66 @@
+/*-
+ * Copyright (c) 2017 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef CRYB_SALSA_H_INCLUDED
+#define CRYB_SALSA_H_INCLUDED
+
+#ifndef CRYB_TO
+#include <cryb/to.h>
+#endif
+
+#include <cryb/cipher.h>
+
+CRYB_BEGIN
+
+#define salsa_cipher			cryb_salsa_cipher
+#define salsa_ctx			cryb_salsa_ctx
+#define salsa_init			cryb_salsa_init
+#define salsa_reset			cryb_salsa_reset
+#define salsa_keystream			cryb_salsa_keystream
+#define salsa_encrypt			cryb_salsa_encrypt
+#define salsa_decrypt			cryb_salsa_decrypt
+#define salsa_finish			cryb_salsa_finish
+
+extern cipher_algorithm salsa_cipher;
+
+typedef struct {
+	uint32_t state[16];
+	unsigned int rounds;
+} salsa_ctx;
+
+void salsa_init(salsa_ctx *, cipher_mode, const uint8_t *, size_t);
+void salsa_reset(salsa_ctx *, const uint8_t *, unsigned int);
+size_t salsa_keystream(salsa_ctx *, uint8_t *, size_t);
+size_t salsa_encrypt(salsa_ctx *, const void *, uint8_t *, size_t);
+size_t salsa_decrypt(salsa_ctx *, const uint8_t *, void *, size_t);
+void salsa_finish(salsa_ctx *);
+
+CRYB_END
+
+#endif

lib/cipher/Makefile.am

@@ -6,6 +6,7 @@ libcryb_cipher_la_SOURCES = \
 	cryb_aes.c \
 	cryb_chacha.c \
 	cryb_rc4.c \
+	cryb_salsa.c \
 	\
 	cryb_cipher.c
 

lib/cipher/cryb_salsa.c

@@ -0,0 +1,188 @@
+/*-
+ * Copyright (c) 2017 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "cryb/impl.h"
+
+#include <stdint.h>
+#include <string.h>
+
+#include <cryb/bitwise.h>
+#include <cryb/endian.h>
+#include <cryb/memset_s.h>
+
+#include <cryb/salsa.h>
+
+#define SALSA_QR(x, a, b, c, d)						\
+	do {								\
+		x[a] ^= rol32(x[d] + x[c],  7);				\
+		x[b] ^= rol32(x[a] + x[d],  9);				\
+		x[c] ^= rol32(x[b] + x[a], 13);				\
+		x[d] ^= rol32(x[c] + x[b], 18);				\
+	} while (0)
+
+static const char magic128[] = "expand 16-byte k";
+static const char magic256[] = "expand 32-byte k";
+
+/*
+ * Fill the state array with 16 bytes of magic and 32 bytes of key,
+ * repeating the key if necessary.  The 8-byte stream position and the
+ * 8-byte nonce are initialized to all-zeroes.  The number of rounds is
+ * set to 20, the most commonly used value.
+ */
+void
+salsa_init(salsa_ctx *ctx, cipher_mode mode, const uint8_t *key, size_t keylen)
+{
+
+	(void)mode;
+	memset(ctx, 0, sizeof *ctx);
+	if (keylen == 32) {
+		/* magic */
+		ctx->state[ 0] = le32dec(magic256 + 0);
+		ctx->state[ 5] = le32dec(magic256 + 4);
+		ctx->state[10] = le32dec(magic256 + 8);
+		ctx->state[15] = le32dec(magic256 + 12);
+		/* first half of key */
+		ctx->state[ 1] = le32dec(key + 0);
+		ctx->state[ 2] = le32dec(key + 4);
+		ctx->state[ 3] = le32dec(key + 8);
+		ctx->state[ 4] = le32dec(key + 12);
+		/* second half of key */
+		ctx->state[11] = le32dec(key + 16);
+		ctx->state[12] = le32dec(key + 20);
+		ctx->state[13] = le32dec(key + 24);
+		ctx->state[14] = le32dec(key + 28);
+	} else {
+		/* magic */
+		ctx->state[ 0] = le32dec(magic128 + 0);
+		ctx->state[ 5] = le32dec(magic128 + 4);
+		ctx->state[10] = le32dec(magic128 + 8);
+		ctx->state[15] = le32dec(magic128 + 12);
+		/* first half of key */
+		ctx->state[ 1] = le32dec(key + 0);
+		ctx->state[ 2] = le32dec(key + 4);
+		ctx->state[ 3] = le32dec(key + 8);
+		ctx->state[ 4] = le32dec(key + 12);
+		/* repeat first half of key */
+		ctx->state[11] = le32dec(key + 0);
+		ctx->state[12] = le32dec(key + 4);
+		ctx->state[13] = le32dec(key + 8);
+		ctx->state[14] = le32dec(key + 12);
+	}
+	ctx->rounds = 20;
+}
+
+/*
+ * Reset the stream position, load a new nonce, and change the number of
+ * rounds if requested.
+ */
+void
+salsa_reset(salsa_ctx *ctx, const uint8_t *nonce, unsigned int rounds)
+{
+
+	/* reset stream counter */
+	ctx->state[8] = 0;
+	ctx->state[9] = 0;
+	/* copy nonce */
+	ctx->state[6] = le32dec(nonce + 0);
+	ctx->state[7] = le32dec(nonce + 4);
+	/* set rounds if specified */
+	if (rounds != 0)
+		ctx->rounds = rounds;
+}
+
+/*
+ * Generate a block of keystream.
+ */
+size_t
+salsa_keystream(salsa_ctx *ctx, uint8_t *ks, size_t len)
+{
+
+	return (salsa_encrypt(ctx, NULL, ks, len));
+}
+
+/*
+ * Encryption: generate a block of keystream, xor it with the plaintext to
+ * produce the ciphertext, and increment the stream position.
+ */
+size_t
+salsa_encrypt(salsa_ctx *ctx, const void *vpt, uint8_t *ct, size_t len)
+{
+	const uint8_t *pt = vpt;
+	uint64_t ctr;
+	uint32_t mix[16];
+	uint8_t ks[64];
+	unsigned int b, i;
+
+	len -= len % sizeof ks;
+	for (b = 0; b < len; b += sizeof ks) {
+		memcpy(mix, ctx->state, sizeof mix);
+		for (i = 0; i < ctx->rounds; i += 2) {
+			SALSA_QR(mix,  4,  8, 12,  0);
+			SALSA_QR(mix,  9, 13,  1,  5);
+			SALSA_QR(mix, 14,  2,  6, 10);
+			SALSA_QR(mix,  3,  7, 11, 15);
+			SALSA_QR(mix,  1,  2,  3,  0);
+			SALSA_QR(mix,  6,  7,  4,  5);
+			SALSA_QR(mix, 11,  8,  9, 10);
+			SALSA_QR(mix, 12, 13, 14, 15);
+		}
+		for (i = 0; i < 16; ++i)
+			le32enc(ks + i * 4, ctx->state[i] + mix[i]);
+		if (pt == NULL) {
+			memcpy(ct, ks, sizeof ks);
+			ct += sizeof ks;
+		} else {
+			for (i = 0; i < 64 && i < len; ++i)
+				*ct++ = *pt++ ^ ks[i];
+		}
+		ctr = le64dec(ctx->state + 12);
+		le64enc(ctx->state + 12, ++ctr);
+	}
+	return (len);
+}
+
+/*
+ * Decryption: identical to encryption.
+ */
+size_t
+salsa_decrypt(salsa_ctx *ctx, const uint8_t *ct, void *vpt, size_t len)
+{
+
+	return (salsa_encrypt(ctx, ct, vpt, len));
+}
+
+/*
+ * Wipe our state.
+ */
+void
+salsa_finish(salsa_ctx *ctx)
+{
+
+	(void)memset_s(ctx, 0, sizeof *ctx, sizeof *ctx);
+}

t/.gitignore

@@ -36,6 +36,7 @@
 /t_rc4
 /t_rfc3986
 /t_rfc4648
+/t_salsa
 /t_sha1
 /t_sha1_openssl
 /t_sha224

t/Makefile.am

@@ -79,10 +79,11 @@ endif CRYB_RAND
 if CRYB_CIPHER
 TESTS += t_cipher
 t_cipher_LDADD = $(libt) $(libcipher)
-TESTS += t_aes t_chacha t_rc4
+TESTS += t_aes t_chacha t_rc4 t_salsa
 t_aes_LDADD = $(libt) $(libcipher)
 t_chacha_LDADD = $(libt) $(libcipher)
 t_rc4_LDADD = $(libt) $(libcipher)
+t_salsa_LDADD = $(libt) $(libcipher)
 endif CRYB_CIPHER
 
 # libcryb-core