diff options
| author | Jack Lloyd <[email protected]> | 2018-08-07 18:30:27 -0400 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2018-08-07 18:30:27 -0400 |
| commit | 2aa4ea30aa5f3a5da07dd2d3e460cde1237b45ff (patch) | |
| tree | 37ae0f493e91f14bb4ce400173387224b81bfac6 | |
| parent | a57b21d0b949ddcd88583c79bc689b90f34c563f (diff) | |
| parent | d578fcd46138a94bfa0627d88437d624b5dba04a (diff) | |
Merge GH #1640 Add XChaCha and XChaCha20Poly1305
| -rw-r--r-- | src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp | 6 | ||||
| -rw-r--r-- | src/lib/modes/aead/chacha20poly1305/chacha20poly1305.h | 3 | ||||
| -rw-r--r-- | src/lib/modes/aead/chacha20poly1305/info.txt | 2 | ||||
| -rw-r--r-- | src/lib/stream/chacha/chacha.cpp | 162 | ||||
| -rw-r--r-- | src/lib/stream/chacha/chacha.h | 3 | ||||
| -rw-r--r-- | src/lib/stream/chacha/info.txt | 2 | ||||
| -rw-r--r-- | src/lib/stream/salsa20/salsa20.cpp | 59 | ||||
| -rw-r--r-- | src/lib/stream/salsa20/salsa20.h | 3 | ||||
| -rw-r--r-- | src/tests/data/aead/chacha20poly1305.vec | 47 | ||||
| -rw-r--r-- | src/tests/data/stream/chacha.vec | 19 | ||||
| -rw-r--r-- | src/tests/data/stream/salsa20.vec | 1 | ||||
| -rw-r--r-- | src/tests/test_stream.cpp | 23 |
12 files changed, 259 insertions, 71 deletions
diff --git a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp index e1fd4978c..786e21def 100644 --- a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp +++ b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp @@ -1,6 +1,6 @@ /* * ChaCha20Poly1305 AEAD -* (C) 2014,2016 Jack Lloyd +* (C) 2014,2016,2018 Jack Lloyd * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity * * Botan is released under the Simplified BSD License (see license.txt) @@ -20,13 +20,14 @@ ChaCha20Poly1305_Mode::ChaCha20Poly1305_Mode() : bool ChaCha20Poly1305_Mode::valid_nonce_length(size_t n) const { - return (n == 8 || n == 12); + return (n == 8 || n == 12 || n == 24); } void ChaCha20Poly1305_Mode::clear() { m_chacha->clear(); m_poly1305->clear(); + m_nonce_len = 0; reset(); } @@ -34,7 +35,6 @@ void ChaCha20Poly1305_Mode::reset() { m_ad.clear(); m_ctext_len = 0; - m_nonce_len = 0; } void ChaCha20Poly1305_Mode::key_schedule(const uint8_t key[], size_t length) diff --git a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.h b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.h index 5f6417333..c7ed615d6 100644 --- a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.h +++ b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.h @@ -20,6 +20,7 @@ namespace Botan { * See draft-irtf-cfrg-chacha20-poly1305-03 for specification * If a nonce of 64 bits is used the older version described in * draft-agl-tls-chacha20poly1305-04 is used instead. +* If a nonce of 192 bits is used, XChaCha20Poly1305 is selected. */ class BOTAN_PUBLIC_API(2,0) ChaCha20Poly1305_Mode : public AEAD_Mode { @@ -53,7 +54,7 @@ class BOTAN_PUBLIC_API(2,0) ChaCha20Poly1305_Mode : public AEAD_Mode size_t m_nonce_len = 0; size_t m_ctext_len = 0; - bool cfrg_version() const { return m_nonce_len == 12; } + bool cfrg_version() const { return m_nonce_len == 12 || m_nonce_len == 24; } void update_len(size_t len); private: void start_msg(const uint8_t nonce[], size_t nonce_len) override; diff --git a/src/lib/modes/aead/chacha20poly1305/info.txt b/src/lib/modes/aead/chacha20poly1305/info.txt index 7452f65c3..c3ea53db0 100644 --- a/src/lib/modes/aead/chacha20poly1305/info.txt +++ b/src/lib/modes/aead/chacha20poly1305/info.txt @@ -1,5 +1,5 @@ <defines> -AEAD_CHACHA20_POLY1305 -> 20141228 +AEAD_CHACHA20_POLY1305 -> 20180807 </defines> <requires> diff --git a/src/lib/stream/chacha/chacha.cpp b/src/lib/stream/chacha/chacha.cpp index f34959377..7ccc4293b 100644 --- a/src/lib/stream/chacha/chacha.cpp +++ b/src/lib/stream/chacha/chacha.cpp @@ -1,6 +1,6 @@ /* * ChaCha -* (C) 2014 Jack Lloyd +* (C) 2014,2018 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) */ @@ -12,6 +12,53 @@ namespace Botan { +namespace { + +#define CHACHA_QUARTER_ROUND(a, b, c, d) \ + do { \ + a += b; d ^= a; d = rotl<16>(d); \ + c += d; b ^= c; b = rotl<12>(b); \ + a += b; d ^= a; d = rotl<8>(d); \ + c += d; b ^= c; b = rotl<7>(b); \ + } while(0) + +/* +* Generate HChaCha cipher stream (for XChaCha IV setup) +*/ +void hchacha(uint32_t output[8], const uint32_t input[16], size_t rounds) + { + BOTAN_ASSERT(rounds % 2 == 0, "Valid rounds"); + + uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3], + x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7], + x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11], + x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15]; + + for(size_t i = 0; i != rounds / 2; ++i) + { + CHACHA_QUARTER_ROUND(x00, x04, x08, x12); + CHACHA_QUARTER_ROUND(x01, x05, x09, x13); + CHACHA_QUARTER_ROUND(x02, x06, x10, x14); + CHACHA_QUARTER_ROUND(x03, x07, x11, x15); + + CHACHA_QUARTER_ROUND(x00, x05, x10, x15); + CHACHA_QUARTER_ROUND(x01, x06, x11, x12); + CHACHA_QUARTER_ROUND(x02, x07, x08, x13); + CHACHA_QUARTER_ROUND(x03, x04, x09, x14); + } + + output[0] = x00; + output[1] = x01; + output[2] = x02; + output[3] = x03; + output[4] = x12; + output[5] = x13; + output[6] = x14; + output[7] = x15; + } + +} + ChaCha::ChaCha(size_t rounds) : m_rounds(rounds) { BOTAN_ARG_CHECK(m_rounds == 8 || m_rounds == 12 || m_rounds == 20, @@ -46,17 +93,9 @@ void ChaCha::chacha_x4(uint8_t output[64*4], uint32_t input[16], size_t rounds) for(size_t i = 0; i != 4; ++i) { uint32_t x00 = input[ 0], x01 = input[ 1], x02 = input[ 2], x03 = input[ 3], - x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7], - x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11], - x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15]; - -#define CHACHA_QUARTER_ROUND(a, b, c, d) \ - do { \ - a += b; d ^= a; d = rotl<16>(d); \ - c += d; b ^= c; b = rotl<12>(b); \ - a += b; d ^= a; d = rotl<8>(d); \ - c += d; b ^= c; b = rotl<7>(b); \ - } while(0) + x04 = input[ 4], x05 = input[ 5], x06 = input[ 6], x07 = input[ 7], + x08 = input[ 8], x09 = input[ 9], x10 = input[10], x11 = input[11], + x12 = input[12], x13 = input[13], x14 = input[14], x15 = input[15]; for(size_t r = 0; r != rounds / 2; ++r) { @@ -134,10 +173,7 @@ void ChaCha::cipher(const uint8_t in[], uint8_t out[], size_t length) m_position += length; } -/* -* ChaCha Key Schedule -*/ -void ChaCha::key_schedule(const uint8_t key[], size_t length) +void ChaCha::initialize_state() { static const uint32_t TAU[] = { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 }; @@ -145,38 +181,61 @@ void ChaCha::key_schedule(const uint8_t key[], size_t length) static const uint32_t SIGMA[] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 }; - const uint32_t* CONSTANTS = (length == 16) ? TAU : SIGMA; + m_state[4] = m_key[0]; + m_state[5] = m_key[1]; + m_state[6] = m_key[2]; + m_state[7] = m_key[3]; - // Repeat the key if 128 bits - const uint8_t* key2 = (length == 32) ? key + 16 : key; + if(m_key.size() == 4) + { + m_state[0] = TAU[0]; + m_state[1] = TAU[1]; + m_state[2] = TAU[2]; + m_state[3] = TAU[3]; + + m_state[8] = m_key[0]; + m_state[9] = m_key[1]; + m_state[10] = m_key[2]; + m_state[11] = m_key[3]; + } + else + { + m_state[0] = SIGMA[0]; + m_state[1] = SIGMA[1]; + m_state[2] = SIGMA[2]; + m_state[3] = SIGMA[3]; + + m_state[8] = m_key[4]; + m_state[9] = m_key[5]; + m_state[10] = m_key[6]; + m_state[11] = m_key[7]; + } - m_position = 0; - m_state.resize(16); - m_buffer.resize(4*64); + m_state[12] = 0; + m_state[13] = 0; + m_state[14] = 0; + m_state[15] = 0; - m_state[0] = CONSTANTS[0]; - m_state[1] = CONSTANTS[1]; - m_state[2] = CONSTANTS[2]; - m_state[3] = CONSTANTS[3]; + m_position = 0; + } - m_state[4] = load_le<uint32_t>(key, 0); - m_state[5] = load_le<uint32_t>(key, 1); - m_state[6] = load_le<uint32_t>(key, 2); - m_state[7] = load_le<uint32_t>(key, 3); +/* +* ChaCha Key Schedule +*/ +void ChaCha::key_schedule(const uint8_t key[], size_t length) + { + m_key.resize(length / 4); + load_le<uint32_t>(m_key.data(), key, m_key.size()); - m_state[8] = load_le<uint32_t>(key2, 0); - m_state[9] = load_le<uint32_t>(key2, 1); - m_state[10] = load_le<uint32_t>(key2, 2); - m_state[11] = load_le<uint32_t>(key2, 3); + m_state.resize(16); + m_buffer.resize(4*64); - // Default all-zero IV - const uint8_t ZERO[8] = { 0 }; - set_iv(ZERO, sizeof(ZERO)); + set_iv(nullptr, 0); } bool ChaCha::valid_iv_length(size_t iv_len) const { - return (iv_len == 0 || iv_len == 8 || iv_len == 12); + return (iv_len == 0 || iv_len == 8 || iv_len == 12 || iv_len == 24); } void ChaCha::set_iv(const uint8_t iv[], size_t length) @@ -186,8 +245,7 @@ void ChaCha::set_iv(const uint8_t iv[], size_t length) if(!valid_iv_length(length)) throw Invalid_IV_Length(name(), length); - m_state[12] = 0; - m_state[13] = 0; + initialize_state(); if(length == 0) { @@ -206,6 +264,29 @@ void ChaCha::set_iv(const uint8_t iv[], size_t length) m_state[14] = load_le<uint32_t>(iv, 1); m_state[15] = load_le<uint32_t>(iv, 2); } + else if(length == 24) + { + m_state[12] = load_le<uint32_t>(iv, 0); + m_state[13] = load_le<uint32_t>(iv, 1); + m_state[14] = load_le<uint32_t>(iv, 2); + m_state[15] = load_le<uint32_t>(iv, 3); + + secure_vector<uint32_t> hc(8); + hchacha(hc.data(), m_state.data(), m_rounds); + + m_state[ 4] = hc[0]; + m_state[ 5] = hc[1]; + m_state[ 6] = hc[2]; + m_state[ 7] = hc[3]; + m_state[ 8] = hc[4]; + m_state[ 9] = hc[5]; + m_state[10] = hc[6]; + m_state[11] = hc[7]; + m_state[12] = 0; + m_state[13] = 0; + m_state[14] = load_le<uint32_t>(iv, 4); + m_state[15] = load_le<uint32_t>(iv, 5); + } chacha_x4(m_buffer.data(), m_state.data(), m_rounds); m_position = 0; @@ -213,6 +294,7 @@ void ChaCha::set_iv(const uint8_t iv[], size_t length) void ChaCha::clear() { + zap(m_key); zap(m_state); zap(m_buffer); m_position = 0; diff --git a/src/lib/stream/chacha/chacha.h b/src/lib/stream/chacha/chacha.h index 8016a73f6..a4f3e3b75 100644 --- a/src/lib/stream/chacha/chacha.h +++ b/src/lib/stream/chacha/chacha.h @@ -53,6 +53,8 @@ class BOTAN_PUBLIC_API(2,0) ChaCha final : public StreamCipher private: void key_schedule(const uint8_t key[], size_t key_len) override; + void initialize_state(); + void chacha_x4(uint8_t output[64*4], uint32_t state[16], size_t rounds); #if defined(BOTAN_HAS_CHACHA_SSE2) @@ -60,6 +62,7 @@ class BOTAN_PUBLIC_API(2,0) ChaCha final : public StreamCipher #endif size_t m_rounds; + secure_vector<uint32_t> m_key; secure_vector<uint32_t> m_state; secure_vector<uint8_t> m_buffer; size_t m_position = 0; diff --git a/src/lib/stream/chacha/info.txt b/src/lib/stream/chacha/info.txt index 0bcd013ad..ba9c3da34 100644 --- a/src/lib/stream/chacha/info.txt +++ b/src/lib/stream/chacha/info.txt @@ -1,3 +1,3 @@ <defines> -CHACHA -> 20140103 +CHACHA -> 20180807 </defines> diff --git a/src/lib/stream/salsa20/salsa20.cpp b/src/lib/stream/salsa20/salsa20.cpp index 47123c970..3ee6cf37e 100644 --- a/src/lib/stream/salsa20/salsa20.cpp +++ b/src/lib/stream/salsa20/salsa20.cpp @@ -128,10 +128,7 @@ void Salsa20::cipher(const uint8_t in[], uint8_t out[], size_t length) m_position += length; } -/* -* Salsa20 Key Schedule -*/ -void Salsa20::key_schedule(const uint8_t key[], size_t length) +void Salsa20::initialize_state() { static const uint32_t TAU[] = { 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574 }; @@ -139,32 +136,53 @@ void Salsa20::key_schedule(const uint8_t key[], size_t length) static const uint32_t SIGMA[] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 }; - const uint32_t* CONSTANTS = (length == 16) ? TAU : SIGMA; - - m_state.resize(16); - m_buffer.resize(64); + const uint32_t* CONSTANTS = (m_key.size() == 4) ? TAU : SIGMA; m_state[0] = CONSTANTS[0]; m_state[5] = CONSTANTS[1]; m_state[10] = CONSTANTS[2]; m_state[15] = CONSTANTS[3]; - m_state[1] = load_le<uint32_t>(key, 0); - m_state[2] = load_le<uint32_t>(key, 1); - m_state[3] = load_le<uint32_t>(key, 2); - m_state[4] = load_le<uint32_t>(key, 3); + m_state[1] = m_key[0]; + m_state[2] = m_key[1]; + m_state[3] = m_key[2]; + m_state[4] = m_key[3]; - if(length == 32) - key += 16; + if(m_key.size() == 4) + { + m_state[11] = m_key[0]; + m_state[12] = m_key[1]; + m_state[13] = m_key[2]; + m_state[14] = m_key[3]; + } + else + { + m_state[11] = m_key[4]; + m_state[12] = m_key[5]; + m_state[13] = m_key[6]; + m_state[14] = m_key[7]; + } - m_state[11] = load_le<uint32_t>(key, 0); - m_state[12] = load_le<uint32_t>(key, 1); - m_state[13] = load_le<uint32_t>(key, 2); - m_state[14] = load_le<uint32_t>(key, 3); + m_state[6] = 0; + m_state[7] = 0; + m_state[8] = 0; + m_state[9] = 0; m_position = 0; + } + +/* +* Salsa20 Key Schedule +*/ +void Salsa20::key_schedule(const uint8_t key[], size_t length) + { + m_key.resize(length / 4); + load_le<uint32_t>(m_key.data(), key, m_key.size()); + + m_state.resize(16); + m_buffer.resize(64); - set_iv(nullptr, 0); // all-zero IV + set_iv(nullptr, 0); } /* @@ -177,6 +195,8 @@ void Salsa20::set_iv(const uint8_t iv[], size_t length) if(!valid_iv_length(length)) throw Invalid_IV_Length(name(), length); + initialize_state(); + if(length == 0) { // Salsa20 null IV @@ -235,6 +255,7 @@ std::string Salsa20::name() const */ void Salsa20::clear() { + zap(m_key); zap(m_state); zap(m_buffer); m_position = 0; diff --git a/src/lib/stream/salsa20/salsa20.h b/src/lib/stream/salsa20/salsa20.h index d21ee318e..090f9b18d 100644 --- a/src/lib/stream/salsa20/salsa20.h +++ b/src/lib/stream/salsa20/salsa20.h @@ -40,6 +40,9 @@ class BOTAN_PUBLIC_API(2,0) Salsa20 final : public StreamCipher private: void key_schedule(const uint8_t key[], size_t key_len) override; + void initialize_state(); + + secure_vector<uint32_t> m_key; secure_vector<uint32_t> m_state; secure_vector<uint8_t> m_buffer; size_t m_position = 0; diff --git a/src/tests/data/aead/chacha20poly1305.vec b/src/tests/data/aead/chacha20poly1305.vec index e258bb3af..9dc47ebb0 100644 --- a/src/tests/data/aead/chacha20poly1305.vec +++ b/src/tests/data/aead/chacha20poly1305.vec @@ -50,3 +50,50 @@ Nonce = BBBBBBBBBBBBBBBBBBBBBBBB AD = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC In = DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Out = A0C9391216A037370BDFF40626C5DD13D45447FBEBA3C985BF65FBCBE51663F9214F9C6757F9FC0CFF3135E68DC7251F + +# XChaCha20Poly1305 from golang/crypto and wireguard-go tests + +Key = 0000000000000000000000000000000000000000000000000000000000000000 +AD = +Nonce = 000000000000000000000000000000000000000000000000 +In = 000000000000000000000000000000 +Out = 789e9689e5208d7fd9e1f3c5b5341fb2f7033812ac9ebd3745e2c99c7bbfeb + +Key = 0000000000000000000000000000000000000000000000000000000000000000 +AD = +Nonce = 000000000000000000000000000000000000000000000000 +In = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +Out = 789e9689e5208d7fd9e1f3c5b5341f48ef18a13e418998addadd97a3693a987f8e82ecd5c1433bfed1af49750c0f1ff29c4174a05b119aa3a9e8333812e0c0feb1299c5949d895ee01dbf50f8395dd84 + +Key = b7bbfe61b8041658ddc95d5cbdc01bbe7626d24f3a043b70ddee87541234cff7 +AD = +Nonce = e293239d4c0a07840c5f83cb515be7fd59c333933027e99c +In = 02dc819b71875e49f5e1e5a768141cfd3f14307ae61a34d81decd9a3367c00c7 +Out = 7a51f271bd2e547943c7be3316c05519a5d16803712289aa2369950b1504dd8267222e47b13280077ecada7b8795d535 + +Key = 4ea8fab44a07f7ffc0329b2c2f8f994efdb6d505aec32113ae324def5d929ba1 +AD = d499bb9758debe59a93783c61974b7 +Nonce = 404d5086271c58bf27b0352a205d21ce4367d7b6a7628961 +In = 7afc5f3f24155002e17dc176a8f1f3a097ff5a991b02ff4640f70b90db0c15c328b696d6998ea7988edfe3b960e47824e4ae002fbe589be57896a9b7bf5578599c6ba0153c7c +Out = 26d2b46ad58b6988e2dcf1d09ba8ab6f532dc7e0847cdbc0ed00284225c02bbdb278ee8381ebd127a06926107d1b731cfb1521b267168926492e8f77219ad922257a5be2c5e52e6183ca4dfd0ad3912d7bd1ec968065 + +Key = 0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f +Nonce = 0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f +In = 0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f +Out = e1a046aa7f71e2af8b80b6408b2fd8d3a350278cde79c94d9efaa475e1339b3dd490127b + +Key = 979196dbd78526f2f584f7534db3f5824d8ccfa858ca7e09bdd3656ecd36033c +Nonce = d9a8213e8a697508805c2c171ad54487ead9e3e02d82d5bc +In = 43cc6d624e451bbed952c3e071dc6c03392ce11eb14316a94b2fdc98b22fedea +Out = 53c1e8bef2dbb8f2505ec010a7afe21d5a8e6dd8f987e4ea1a2ed5dfbc844ea400db34496fd2153526c6e87c36694200 + +Key = 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f +Nonce = 07000000404142434445464748494a4b0000000000000000 +In = 4C616469657320616E642047656E746C656D656E206F662074686520636C617373206F66202739393A204966204920636F756C64206F6666657220796F75206F6E6C79206F6E652074697020666F7220746865206675747572652C2073756E73637265656E20776F756C642062652069742E +Out = 453c0693a7407f04ff4c56aedb17a3c0a1afff01174930fc22287c33dbcf0ac8b89ad929530a1bb3ab5e69f24c7f6070c8f840c9abb4f69fbfc8a7ff5126faeebbb55805ee9c1cf2ce5a57263287aec5780f04ec324c3514122cfc3231fc1a8b718a62863730a2702bb76366116bed09e0fdd4c860b7074be894fac9697399be5cc1 + +Key = 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f +Nonce = 07000000404142434445464748494a4b0000000000000000 +AD = 50515253c0c1c2c3c4c5c6c7 +In = 4C616469657320616E642047656E746C656D656E206F662074686520636C617373206F66202739393A204966204920636F756C64206F6666657220796F75206F6E6C79206F6E652074697020666F7220746865206675747572652C2073756E73637265656E20776F756C642062652069742E +Out = 453c0693a7407f04ff4c56aedb17a3c0a1afff01174930fc22287c33dbcf0ac8b89ad929530a1bb3ab5e69f24c7f6070c8f840c9abb4f69fbfc8a7ff5126faeebbb55805ee9c1cf2ce5a57263287aec5780f04ec324c3514122cfc3231fc1a8b718a62863730a2702bb76366116bed09e0fd5c6d84b6b0c1abaf249d5dd0f7f5a7ea diff --git a/src/tests/data/stream/chacha.vec b/src/tests/data/stream/chacha.vec index 7b382082f..50b8dc4bf 100644 --- a/src/tests/data/stream/chacha.vec +++ b/src/tests/data/stream/chacha.vec @@ -473,3 +473,22 @@ Seek = 4294967232 Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F Nonce = 000102030405060708090A0B Out = DBF81BB406517BE1A54F4740E5DDDF2B7965747B757FA9D5B7EDD6B27FEDDB89D5D47F9B24E57DF393017A5079F61852CD8B86859884120AF867D25D3B259E2B + +# XChaCha tests from https://github.com/aead/chacha20 + +Key = 0000000000000000000000000000000000000000000000000000000000000000 +Nonce = 000000000000000000000000000000000000000000000000 +Out = bcd02a18bf3f01d19292de30a7a8fdaca4b65e50a6002cc72cd6d2f7c91ac3d5728f83e0aad2bfcf9abd2d2db58faedd65015dd83fc09b131e271043019e8e0f789e9689e5208d7fd9e1f3c5b5341f48ef18a13e418998addadd97a3693a987f8e82ecd5c1433bfed1af49750c0f1ff29c4174a05b119aa3a9e8333812e0c0fea49e1ee0134a70a9d49c24e0cbd8fc3ba27e97c3322ad487f778f8dc6a122fa59cbe33e7 + +Key = 8000000000000000000000000000000000000000000000000000000000000000 +Nonce = 000000000000000000000000000000000000000000000000 +Out = ccfe8a9e93431bd582f07b3eb0f4a7afc22ef39337ddd84f0d3545b318a315a32b3abb96de0fc6acde48b248fe8a80e6fa72bfcdf9d8d2656b991676476f052d9373080e30d8c0e217126a3c64402e1d9404ba9d6b8ce4ad5ac9693f3660638c26ea2cd1b4a8d3348c1e179ead353ee72fee558e9994c51a27195e287d00ec2f8cfef8866d1f98714f40cbe4e18cebabf3cd1fd3bb65506e5dce1ad09f438bffe2c96d7f2f0827c8c3f2ca59dbaa393785c6b8da7c69c8a4a63ffd113dcc93de8f52dbcfaed5e4cbcc1dc310b1352868fab7b14d930a9f7a7d47bed0eaf5b151f6dac8bd45510698bdc205d70b944ea5450888dd3ec753da9708bf06c0714822dda74f285c361abd0cd1071324c253dc421905edca36e8808bffef091e7dbdecebdad98cf70b7cede72e9c3c4108e5b32ffae0f42151a8196939d8e3b8384be1 + +Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f +Nonce = 000102030405060708090a0b0c0d0e0f1011121314151617 +Out = e53a61cef151e81401067de33adfc02e90ab205361b49b539fda7f0e63b1bc7d68fbee56c9c20c39960e595f3ea76c979804d08cfa728e66cb5f766b840ec61f9ec20f7f90d28dae334426cecb52a8e84b4728a5fdd61deb7f1a3fb63dadf5595e06b6e441670964d595ae59cf21536271bae2594774fb19079b933d8fe744f4 + +Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f +Nonce = 000102030405060708090a0b0c0d0e0f1011121314151617 +Seek = 66 +Out = 0f7f90d28dae334426cecb52a8e84b4728a5fdd61deb7f1a3fb63dadf5595e06b6e441670964d595ae59cf21536271bae2594774fb19079b933d8fe744f4 diff --git a/src/tests/data/stream/salsa20.vec b/src/tests/data/stream/salsa20.vec index e8276bf32..5523ebd20 100644 --- a/src/tests/data/stream/salsa20.vec +++ b/src/tests/data/stream/salsa20.vec @@ -1,6 +1,5 @@ [Salsa20] Key = 000102030405060708090A0B0C0D0E0F -Nonce = 0000000000000000 Out = 2DD5C3F7BA2B20F76802410C688688895AD8C1BD4EA6C9B140FB9B90E21049BF583F527970EBC1 Key = 1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A diff --git a/src/tests/test_stream.cpp b/src/tests/test_stream.cpp index 63ea9a9bf..5b61518f5 100644 --- a/src/tests/test_stream.cpp +++ b/src/tests/test_stream.cpp @@ -88,12 +88,15 @@ class Stream_Cipher_Tests final : public Text_Based_Test } bool accepted_nonce_early = false; - try + if(nonce.size() > 0) { - cipher->set_iv(nonce.data(), nonce.size()); - accepted_nonce_early = true; + try + { + cipher->set_iv(nonce.data(), nonce.size()); + accepted_nonce_early = true; + } + catch(Botan::Invalid_State&) {} } - catch(Botan::Invalid_State&) {} cipher->set_key(key); @@ -112,7 +115,7 @@ class Stream_Cipher_Tests final : public Text_Based_Test not set. So, don't set the nonce now, to ensure the previous call had an effect. */ - if(accepted_nonce_early == false) + if(nonce.size() > 0 && accepted_nonce_early == false) { cipher->set_iv(nonce.data(), nonce.size()); } @@ -134,6 +137,16 @@ class Stream_Cipher_Tests final : public Text_Based_Test result.test_eq(provider, "encrypt", buf, expected); } + if(nonce.size() > 0) + { + std::vector<uint8_t> buf = input; + cipher->set_iv(nonce.data(), nonce.size()); + if(seek != 0) + cipher->seek(seek); + cipher->encrypt(buf); + result.test_eq(provider, "second encrypt", buf, expected); + } + cipher->clear(); try |