authorJack Lloyd <[email protected]>2016-10-30 13:29:16 -0400
committerJack Lloyd <[email protected]>2016-10-30 13:29:16 -0400
commitb7637f3b74a6b0727c99a9855e5f6dc01e218952 (patch)
tree63486e1d8624a5995ff377bfc0843f67d5bdc34e /src/lib/stream/salsa20
parent2dd03461dd597ab4c6bbf488162ed636a31edbf1 (diff)
Salsa20 accepts empty IVs
Treats it as an all-zero 64-bit IV. GH #697
Diffstat (limited to 'src/lib/stream/salsa20')
-rw-r--r--src/lib/stream/salsa20/salsa20.cpp11
-rw-r--r--src/lib/stream/salsa20/salsa20.h2
2 files changed, 9 insertions, 4 deletions
diff --git a/src/lib/stream/salsa20/salsa20.cpp b/src/lib/stream/salsa20/salsa20.cpp
index 0d8942789..60bf19285 100644
--- a/src/lib/stream/salsa20/salsa20.cpp
+++ b/src/lib/stream/salsa20/salsa20.cpp
@@ -158,8 +158,7 @@ void Salsa20::key_schedule(const byte key[], size_t length)
m_position = 0;
- const byte ZERO[8] = { 0 };
- set_iv(ZERO, sizeof(ZERO));
+ set_iv(nullptr, 0); // all-zero IV
}
/*
@@ -170,7 +169,13 @@ void Salsa20::set_iv(const byte iv[], size_t length)
if(!valid_iv_length(length))
throw Invalid_IV_Length(name(), length);
- if(length == 8)
+ if(length == 0)
+ {
+ // Salsa20 null IV
+ m_state[6] = 0;
+ m_state[7] = 0;
+ }
+ else if(length == 8)
{
// Salsa20
m_state[6] = load_le<u32bit>(iv, 0);
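Review bot: The new `length == 0` branch turns an empty IV, which `set_iv` previously rejected with `Invalid_IV_Length`, into a silent selection of the all-zero nonce, and the comment `// Salsa20 null IV` does not state that consequence. A caller whose nonce buffer ends up empty (for example an empty vector after a failed parse) now encrypts under nonce 0 without any error, and two messages under the same key and nonce share a keystream. I would spell the contract out at the branch, e.g. `// Empty IV = all-zero 64-bit nonce (GH #697); only safe when the key encrypts a single message`. The rest of `set_iv` lies outside the hunk, so this assumes the code after the branches is unchanged.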
diff --git a/src/lib/stream/salsa20/salsa20.h b/src/lib/stream/salsa20/salsa20.h
index 8256ea4db..a128c5a98 100644
--- a/src/lib/stream/salsa20/salsa20.h
+++ b/src/lib/stream/salsa20/salsa20.h
@@ -23,7 +23,7 @@ class BOTAN_DLL Salsa20 final : public StreamCipher
void set_iv(const byte iv[], size_t iv_len) override;
bool valid_iv_length(size_t iv_len) const override
- { return (iv_len == 8 || iv_len == 24); }
+ { return (iv_len == 0 || iv_len == 8 || iv_len == 24); }
Key_Length_Specification key_spec() const override
{
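Review bot: `valid_iv_length` now returns true for 0, but nothing in the header says what a zero-length IV means for this cipher. Generic code that probes `valid_iv_length(0)` to decide whether a nonce has to be supplied would presumably conclude that Salsa20 needs none, and then reuse the zero nonce across messages. A comment above the override would make the meaning visible at the API surface, e.g. `// iv_len 0 is accepted and means an all-zero 64-bit IV; pass a fresh 8- or 24-byte IV whenever a key is used for more than one message`.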