salsa20 0.1.0

data/ext/salsa20_ext/ecrypt-sync.h

@@ -0,0 +1,279 @@
+/* ecrypt-sync.h */
+
+/* 
+ * Header file for synchronous stream ciphers without authentication
+ * mechanism.
+ * 
+ * *** Please only edit parts marked with "[edit]". ***
+ */
+
+#ifndef ECRYPT_SYNC
+#define ECRYPT_SYNC
+
+#include "ecrypt-portable.h"
+
+/* ------------------------------------------------------------------------- */
+
+/* Cipher parameters */
+
+/* 
+ * The name of your cipher.
+ */
+#define ECRYPT_NAME "Salsa20"    /* [edit] */ 
+#define ECRYPT_PROFILE "S!_H."
+
+/*
+ * Specify which key and IV sizes are supported by your cipher. A user
+ * should be able to enumerate the supported sizes by running the
+ * following code:
+ *
+ * for (i = 0; ECRYPT_KEYSIZE(i) <= ECRYPT_MAXKEYSIZE; ++i)
+ *   {
+ *     keysize = ECRYPT_KEYSIZE(i);
+ *
+ *     ...
+ *   }
+ *
+ * All sizes are in bits.
+ */
+
+#define ECRYPT_MAXKEYSIZE 256                 /* [edit] */
+#define ECRYPT_KEYSIZE(i) (128 + (i)*128)     /* [edit] */
+
+#define ECRYPT_MAXIVSIZE 64                   /* [edit] */
+#define ECRYPT_IVSIZE(i) (64 + (i)*64)        /* [edit] */
+
+/* ------------------------------------------------------------------------- */
+
+/* Data structures */
+
+/* 
+ * ECRYPT_ctx is the structure containing the representation of the
+ * internal state of your cipher. 
+ */
+
+typedef struct
+{
+  u32 input[16]; /* could be compressed */
+  /* 
+   * [edit]
+   *
+   * Put here all state variable needed during the encryption process.
+   */
+} ECRYPT_ctx;
+
+/* ------------------------------------------------------------------------- */
+
+/* Mandatory functions */
+
+/*
+ * Key and message independent initialization. This function will be
+ * called once when the program starts (e.g., to build expanded S-box
+ * tables).
+ */
+void ECRYPT_init();
+
+/*
+ * Key setup. It is the user's responsibility to select the values of
+ * keysize and ivsize from the set of supported values specified
+ * above.
+ */
+void ECRYPT_keysetup(
+  ECRYPT_ctx* ctx, 
+  const u8* key, 
+  u32 keysize,                /* Key size in bits. */ 
+  u32 ivsize);                /* IV size in bits. */ 
+
+/*
+ * IV setup. After having called ECRYPT_keysetup(), the user is
+ * allowed to call ECRYPT_ivsetup() different times in order to
+ * encrypt/decrypt different messages with the same key but different
+ * IV's.
+ */
+void ECRYPT_ivsetup(
+  ECRYPT_ctx* ctx, 
+  const u8* iv);
+
+/*
+ * Encryption/decryption of arbitrary length messages.
+ *
+ * For efficiency reasons, the API provides two types of
+ * encrypt/decrypt functions. The ECRYPT_encrypt_bytes() function
+ * (declared here) encrypts byte strings of arbitrary length, while
+ * the ECRYPT_encrypt_blocks() function (defined later) only accepts
+ * lengths which are multiples of ECRYPT_BLOCKLENGTH.
+ * 
+ * The user is allowed to make multiple calls to
+ * ECRYPT_encrypt_blocks() to incrementally encrypt a long message,
+ * but he is NOT allowed to make additional encryption calls once he
+ * has called ECRYPT_encrypt_bytes() (unless he starts a new message
+ * of course). For example, this sequence of calls is acceptable:
+ *
+ * ECRYPT_keysetup();
+ *
+ * ECRYPT_ivsetup();
+ * ECRYPT_encrypt_blocks();
+ * ECRYPT_encrypt_blocks();
+ * ECRYPT_encrypt_bytes();
+ *
+ * ECRYPT_ivsetup();
+ * ECRYPT_encrypt_blocks();
+ * ECRYPT_encrypt_blocks();
+ *
+ * ECRYPT_ivsetup();
+ * ECRYPT_encrypt_bytes();
+ * 
+ * The following sequence is not:
+ *
+ * ECRYPT_keysetup();
+ * ECRYPT_ivsetup();
+ * ECRYPT_encrypt_blocks();
+ * ECRYPT_encrypt_bytes();
+ * ECRYPT_encrypt_blocks();
+ */
+
+void ECRYPT_encrypt_bytes(
+  ECRYPT_ctx* ctx, 
+  const u8* plaintext, 
+  u8* ciphertext, 
+  u32 msglen);                /* Message length in bytes. */ 
+
+void ECRYPT_decrypt_bytes(
+  ECRYPT_ctx* ctx, 
+  const u8* ciphertext, 
+  u8* plaintext, 
+  u32 msglen);                /* Message length in bytes. */ 
+
+/* ------------------------------------------------------------------------- */
+
+/* Optional features */
+
+/* 
+ * For testing purposes it can sometimes be useful to have a function
+ * which immediately generates keystream without having to provide it
+ * with a zero plaintext. If your cipher cannot provide this function
+ * (e.g., because it is not strictly a synchronous cipher), please
+ * reset the ECRYPT_GENERATES_KEYSTREAM flag.
+ */
+
+#define ECRYPT_GENERATES_KEYSTREAM
+#ifdef ECRYPT_GENERATES_KEYSTREAM
+
+void ECRYPT_keystream_bytes(
+  ECRYPT_ctx* ctx,
+  u8* keystream,
+  u32 length);                /* Length of keystream in bytes. */
+
+#endif
+
+/* ------------------------------------------------------------------------- */
+
+/* Optional optimizations */
+
+/* 
+ * By default, the functions in this section are implemented using
+ * calls to functions declared above. However, you might want to
+ * implement them differently for performance reasons.
+ */
+
+/*
+ * All-in-one encryption/decryption of (short) packets.
+ *
+ * The default definitions of these functions can be found in
+ * "ecrypt-sync.c". If you want to implement them differently, please
+ * undef the ECRYPT_USES_DEFAULT_ALL_IN_ONE flag.
+ */
+#define ECRYPT_USES_DEFAULT_ALL_IN_ONE        /* [edit] */
+
+void ECRYPT_encrypt_packet(
+  ECRYPT_ctx* ctx, 
+  const u8* iv,
+  const u8* plaintext, 
+  u8* ciphertext, 
+  u32 msglen);
+
+void ECRYPT_decrypt_packet(
+  ECRYPT_ctx* ctx, 
+  const u8* iv,
+  const u8* ciphertext, 
+  u8* plaintext, 
+  u32 msglen);
+
+/*
+ * Encryption/decryption of blocks.
+ * 
+ * By default, these functions are defined as macros. If you want to
+ * provide a different implementation, please undef the
+ * ECRYPT_USES_DEFAULT_BLOCK_MACROS flag and implement the functions
+ * declared below.
+ */
+
+#define ECRYPT_BLOCKLENGTH 64                  /* [edit] */
+
+#define ECRYPT_USES_DEFAULT_BLOCK_MACROS      /* [edit] */
+#ifdef ECRYPT_USES_DEFAULT_BLOCK_MACROS
+
+#define ECRYPT_encrypt_blocks(ctx, plaintext, ciphertext, blocks)  \
+  ECRYPT_encrypt_bytes(ctx, plaintext, ciphertext,                 \
+    (blocks) * ECRYPT_BLOCKLENGTH)
+
+#define ECRYPT_decrypt_blocks(ctx, ciphertext, plaintext, blocks)  \
+  ECRYPT_decrypt_bytes(ctx, ciphertext, plaintext,                 \
+    (blocks) * ECRYPT_BLOCKLENGTH)
+
+#ifdef ECRYPT_GENERATES_KEYSTREAM
+
+#define ECRYPT_keystream_blocks(ctx, keystream, blocks)            \
+  ECRYPT_keystream_bytes(ctx, keystream,                        \
+    (blocks) * ECRYPT_BLOCKLENGTH)
+
+#endif
+
+#else
+
+void ECRYPT_encrypt_blocks(
+  ECRYPT_ctx* ctx, 
+  const u8* plaintext, 
+  u8* ciphertext, 
+  u32 blocks);                /* Message length in blocks. */ 
+
+void ECRYPT_decrypt_blocks(
+  ECRYPT_ctx* ctx, 
+  const u8* ciphertext, 
+  u8* plaintext, 
+  u32 blocks);                /* Message length in blocks. */ 
+
+#ifdef ECRYPT_GENERATES_KEYSTREAM
+
+void ECRYPT_keystream_blocks(
+  ECRYPT_ctx* ctx,
+  const u8* keystream,
+  u32 blocks);                /* Keystream length in blocks. */ 
+
+#endif
+
+#endif
+
+/*
+ * If your cipher can be implemented in different ways, you can use
+ * the ECRYPT_VARIANT parameter to allow the user to choose between
+ * them at compile time (e.g., gcc -DECRYPT_VARIANT=3 ...). Please
+ * only use this possibility if you really think it could make a
+ * significant difference and keep the number of variants
+ * (ECRYPT_MAXVARIANT) as small as possible (definitely not more than
+ * 10). Note also that all variants should have exactly the same
+ * external interface (i.e., the same ECRYPT_BLOCKLENGTH, etc.). 
+ */
+#define ECRYPT_MAXVARIANT 1                   /* [edit] */
+
+#ifndef ECRYPT_VARIANT
+#define ECRYPT_VARIANT 1
+#endif
+
+#if (ECRYPT_VARIANT > ECRYPT_MAXVARIANT)
+#error this variant does not exist
+#endif
+
+/* ------------------------------------------------------------------------- */
+
+#endif

data/ext/salsa20_ext/extconf.rb

@@ -0,0 +1,7 @@
+require 'mkmf'
+require 'rbconfig'
+
+$CFLAGS << ' -Wall -funroll-loops'
+$CFLAGS << ' -Wextra -O0 -ggdb3' if ENV['DEBUG']
+
+create_makefile("salsa20_ext")

data/ext/salsa20_ext/salsa20.c

@@ -0,0 +1,221 @@
+/*
+salsa20-merged.c version 20051118
+D. J. Bernstein
+Public domain.
+*/
+
+#include "ecrypt-sync.h"
+
+#define ROTATE(v,c) (ROTL32(v,c))
+#define XOR(v,w) ((v) ^ (w))
+#define PLUS(v,w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v),1))
+
+void ECRYPT_init(void)
+{
+  return;
+}
+
+static const char sigma[16] = "expand 32-byte k";
+static const char tau[16] = "expand 16-byte k";
+
+void ECRYPT_keysetup(ECRYPT_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
+{
+  const char *constants;
+
+  (void) ivbits; /* avoid unused parameter compiler warning */
+
+  x->input[1] = U8TO32_LITTLE(k + 0);
+  x->input[2] = U8TO32_LITTLE(k + 4);
+  x->input[3] = U8TO32_LITTLE(k + 8);
+  x->input[4] = U8TO32_LITTLE(k + 12);
+  if (kbits == 256) { /* recommended */
+    k += 16;
+    constants = sigma;
+  } else { /* kbits == 128 */
+    constants = tau;
+  }
+  x->input[11] = U8TO32_LITTLE(k + 0);
+  x->input[12] = U8TO32_LITTLE(k + 4);
+  x->input[13] = U8TO32_LITTLE(k + 8);
+  x->input[14] = U8TO32_LITTLE(k + 12);
+  x->input[0] = U8TO32_LITTLE(constants + 0);
+  x->input[5] = U8TO32_LITTLE(constants + 4);
+  x->input[10] = U8TO32_LITTLE(constants + 8);
+  x->input[15] = U8TO32_LITTLE(constants + 12);
+}
+
+void ECRYPT_ivsetup(ECRYPT_ctx *x,const u8 *iv)
+{
+  x->input[6] = U8TO32_LITTLE(iv + 0);
+  x->input[7] = U8TO32_LITTLE(iv + 4);
+  x->input[8] = 0;
+  x->input[9] = 0;
+}
+
+void ECRYPT_encrypt_bytes(ECRYPT_ctx *x,const u8 *m,u8 *c,u32 bytes)
+{
+  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+  u8 *ctarget = 0;
+  u8 tmp[64];
+  u32 i;
+
+  if (!bytes) return;
+
+  j0 = x->input[0];
+  j1 = x->input[1];
+  j2 = x->input[2];
+  j3 = x->input[3];
+  j4 = x->input[4];
+  j5 = x->input[5];
+  j6 = x->input[6];
+  j7 = x->input[7];
+  j8 = x->input[8];
+  j9 = x->input[9];
+  j10 = x->input[10];
+  j11 = x->input[11];
+  j12 = x->input[12];
+  j13 = x->input[13];
+  j14 = x->input[14];
+  j15 = x->input[15];
+
+  for (;;) {
+    if (bytes < 64) {
+      for (i = 0;i < bytes;++i) tmp[i] = m[i];
+      m = tmp;
+      ctarget = c;
+      c = tmp;
+    }
+    x0 = j0;
+    x1 = j1;
+    x2 = j2;
+    x3 = j3;
+    x4 = j4;
+    x5 = j5;
+    x6 = j6;
+    x7 = j7;
+    x8 = j8;
+    x9 = j9;
+    x10 = j10;
+    x11 = j11;
+    x12 = j12;
+    x13 = j13;
+    x14 = j14;
+    x15 = j15;
+    for (i = 20;i > 0;i -= 2) {
+       x4 = XOR( x4,ROTATE(PLUS( x0,x12), 7));
+       x8 = XOR( x8,ROTATE(PLUS( x4, x0), 9));
+      x12 = XOR(x12,ROTATE(PLUS( x8, x4),13));
+       x0 = XOR( x0,ROTATE(PLUS(x12, x8),18));
+       x9 = XOR( x9,ROTATE(PLUS( x5, x1), 7));
+      x13 = XOR(x13,ROTATE(PLUS( x9, x5), 9));
+       x1 = XOR( x1,ROTATE(PLUS(x13, x9),13));
+       x5 = XOR( x5,ROTATE(PLUS( x1,x13),18));
+      x14 = XOR(x14,ROTATE(PLUS(x10, x6), 7));
+       x2 = XOR( x2,ROTATE(PLUS(x14,x10), 9));
+       x6 = XOR( x6,ROTATE(PLUS( x2,x14),13));
+      x10 = XOR(x10,ROTATE(PLUS( x6, x2),18));
+       x3 = XOR( x3,ROTATE(PLUS(x15,x11), 7));
+       x7 = XOR( x7,ROTATE(PLUS( x3,x15), 9));
+      x11 = XOR(x11,ROTATE(PLUS( x7, x3),13));
+      x15 = XOR(x15,ROTATE(PLUS(x11, x7),18));
+       x1 = XOR( x1,ROTATE(PLUS( x0, x3), 7));
+       x2 = XOR( x2,ROTATE(PLUS( x1, x0), 9));
+       x3 = XOR( x3,ROTATE(PLUS( x2, x1),13));
+       x0 = XOR( x0,ROTATE(PLUS( x3, x2),18));
+       x6 = XOR( x6,ROTATE(PLUS( x5, x4), 7));
+       x7 = XOR( x7,ROTATE(PLUS( x6, x5), 9));
+       x4 = XOR( x4,ROTATE(PLUS( x7, x6),13));
+       x5 = XOR( x5,ROTATE(PLUS( x4, x7),18));
+      x11 = XOR(x11,ROTATE(PLUS(x10, x9), 7));
+       x8 = XOR( x8,ROTATE(PLUS(x11,x10), 9));
+       x9 = XOR( x9,ROTATE(PLUS( x8,x11),13));
+      x10 = XOR(x10,ROTATE(PLUS( x9, x8),18));
+      x12 = XOR(x12,ROTATE(PLUS(x15,x14), 7));
+      x13 = XOR(x13,ROTATE(PLUS(x12,x15), 9));
+      x14 = XOR(x14,ROTATE(PLUS(x13,x12),13));
+      x15 = XOR(x15,ROTATE(PLUS(x14,x13),18));
+    }
+    x0 = PLUS(x0,j0);
+    x1 = PLUS(x1,j1);
+    x2 = PLUS(x2,j2);
+    x3 = PLUS(x3,j3);
+    x4 = PLUS(x4,j4);
+    x5 = PLUS(x5,j5);
+    x6 = PLUS(x6,j6);
+    x7 = PLUS(x7,j7);
+    x8 = PLUS(x8,j8);
+    x9 = PLUS(x9,j9);
+    x10 = PLUS(x10,j10);
+    x11 = PLUS(x11,j11);
+    x12 = PLUS(x12,j12);
+    x13 = PLUS(x13,j13);
+    x14 = PLUS(x14,j14);
+    x15 = PLUS(x15,j15);
+
+    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
+    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
+    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
+    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
+    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
+    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
+    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
+    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
+    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
+    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
+    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
+    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
+    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
+    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
+    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
+    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
+
+    j8 = PLUSONE(j8);
+    if (!j8) {
+      j9 = PLUSONE(j9);
+      /* stopping at 2^70 bytes per nonce is user's responsibility */
+    }
+
+    U32TO8_LITTLE(c + 0,x0);
+    U32TO8_LITTLE(c + 4,x1);
+    U32TO8_LITTLE(c + 8,x2);
+    U32TO8_LITTLE(c + 12,x3);
+    U32TO8_LITTLE(c + 16,x4);
+    U32TO8_LITTLE(c + 20,x5);
+    U32TO8_LITTLE(c + 24,x6);
+    U32TO8_LITTLE(c + 28,x7);
+    U32TO8_LITTLE(c + 32,x8);
+    U32TO8_LITTLE(c + 36,x9);
+    U32TO8_LITTLE(c + 40,x10);
+    U32TO8_LITTLE(c + 44,x11);
+    U32TO8_LITTLE(c + 48,x12);
+    U32TO8_LITTLE(c + 52,x13);
+    U32TO8_LITTLE(c + 56,x14);
+    U32TO8_LITTLE(c + 60,x15);
+
+    if (bytes <= 64) {
+      if (bytes < 64) {
+        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
+      }
+      x->input[8] = j8;
+      x->input[9] = j9;
+      return;
+    }
+    bytes -= 64;
+    c += 64;
+    m += 64;
+  }
+}
+
+void ECRYPT_decrypt_bytes(ECRYPT_ctx *x,const u8 *c,u8 *m,u32 bytes)
+{
+  ECRYPT_encrypt_bytes(x,c,m,bytes);
+}
+
+void ECRYPT_keystream_bytes(ECRYPT_ctx *x,u8 *stream,u32 bytes)
+{
+  u32 i;
+  for (i = 0;i < bytes;++i) stream[i] = 0;
+  ECRYPT_encrypt_bytes(x,stream,stream,bytes);
+}