salsa20 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +8 -0
- data/CHANGELOG +3 -0
- data/LICENSE +25 -0
- data/README.rdoc +52 -0
- data/Rakefile +21 -0
- data/ext/salsa20_ext/ecrypt-config.h +272 -0
- data/ext/salsa20_ext/ecrypt-machine.h +46 -0
- data/ext/salsa20_ext/ecrypt-portable.h +303 -0
- data/ext/salsa20_ext/ecrypt-sync.h +279 -0
- data/ext/salsa20_ext/extconf.rb +7 -0
- data/ext/salsa20_ext/salsa20.c +221 -0
- data/ext/salsa20_ext/salsa20_ext.c +87 -0
- data/lib/salsa20.rb +105 -0
- data/salsa20.gemspec +28 -0
- data/test/salsa20_test.rb +140 -0
- metadata +94 -0
@@ -0,0 +1,279 @@
|
|
1
|
+
/* ecrypt-sync.h */
|
2
|
+
|
3
|
+
/*
|
4
|
+
* Header file for synchronous stream ciphers without authentication
|
5
|
+
* mechanism.
|
6
|
+
*
|
7
|
+
* *** Please only edit parts marked with "[edit]". ***
|
8
|
+
*/
|
9
|
+
|
10
|
+
#ifndef ECRYPT_SYNC
|
11
|
+
#define ECRYPT_SYNC
|
12
|
+
|
13
|
+
#include "ecrypt-portable.h"
|
14
|
+
|
15
|
+
/* ------------------------------------------------------------------------- */
|
16
|
+
|
17
|
+
/* Cipher parameters */
|
18
|
+
|
19
|
+
/*
|
20
|
+
* The name of your cipher.
|
21
|
+
*/
|
22
|
+
#define ECRYPT_NAME "Salsa20" /* [edit] */
|
23
|
+
#define ECRYPT_PROFILE "S!_H."
|
24
|
+
|
25
|
+
/*
|
26
|
+
* Specify which key and IV sizes are supported by your cipher. A user
|
27
|
+
* should be able to enumerate the supported sizes by running the
|
28
|
+
* following code:
|
29
|
+
*
|
30
|
+
* for (i = 0; ECRYPT_KEYSIZE(i) <= ECRYPT_MAXKEYSIZE; ++i)
|
31
|
+
* {
|
32
|
+
* keysize = ECRYPT_KEYSIZE(i);
|
33
|
+
*
|
34
|
+
* ...
|
35
|
+
* }
|
36
|
+
*
|
37
|
+
* All sizes are in bits.
|
38
|
+
*/
|
39
|
+
|
40
|
+
#define ECRYPT_MAXKEYSIZE 256 /* [edit] */
|
41
|
+
#define ECRYPT_KEYSIZE(i) (128 + (i)*128) /* [edit] */
|
42
|
+
|
43
|
+
#define ECRYPT_MAXIVSIZE 64 /* [edit] */
|
44
|
+
#define ECRYPT_IVSIZE(i) (64 + (i)*64) /* [edit] */
|
45
|
+
|
46
|
+
/* ------------------------------------------------------------------------- */
|
47
|
+
|
48
|
+
/* Data structures */
|
49
|
+
|
50
|
+
/*
|
51
|
+
* ECRYPT_ctx is the structure containing the representation of the
|
52
|
+
* internal state of your cipher.
|
53
|
+
*/
|
54
|
+
|
55
|
+
typedef struct
|
56
|
+
{
|
57
|
+
u32 input[16]; /* could be compressed */
|
58
|
+
/*
|
59
|
+
* [edit]
|
60
|
+
*
|
61
|
+
* Put here all state variable needed during the encryption process.
|
62
|
+
*/
|
63
|
+
} ECRYPT_ctx;
|
64
|
+
|
65
|
+
/* ------------------------------------------------------------------------- */
|
66
|
+
|
67
|
+
/* Mandatory functions */
|
68
|
+
|
69
|
+
/*
|
70
|
+
* Key and message independent initialization. This function will be
|
71
|
+
* called once when the program starts (e.g., to build expanded S-box
|
72
|
+
* tables).
|
73
|
+
*/
|
74
|
+
void ECRYPT_init();
|
75
|
+
|
76
|
+
/*
|
77
|
+
* Key setup. It is the user's responsibility to select the values of
|
78
|
+
* keysize and ivsize from the set of supported values specified
|
79
|
+
* above.
|
80
|
+
*/
|
81
|
+
void ECRYPT_keysetup(
|
82
|
+
ECRYPT_ctx* ctx,
|
83
|
+
const u8* key,
|
84
|
+
u32 keysize, /* Key size in bits. */
|
85
|
+
u32 ivsize); /* IV size in bits. */
|
86
|
+
|
87
|
+
/*
|
88
|
+
* IV setup. After having called ECRYPT_keysetup(), the user is
|
89
|
+
* allowed to call ECRYPT_ivsetup() different times in order to
|
90
|
+
* encrypt/decrypt different messages with the same key but different
|
91
|
+
* IV's.
|
92
|
+
*/
|
93
|
+
void ECRYPT_ivsetup(
|
94
|
+
ECRYPT_ctx* ctx,
|
95
|
+
const u8* iv);
|
96
|
+
|
97
|
+
/*
|
98
|
+
* Encryption/decryption of arbitrary length messages.
|
99
|
+
*
|
100
|
+
* For efficiency reasons, the API provides two types of
|
101
|
+
* encrypt/decrypt functions. The ECRYPT_encrypt_bytes() function
|
102
|
+
* (declared here) encrypts byte strings of arbitrary length, while
|
103
|
+
* the ECRYPT_encrypt_blocks() function (defined later) only accepts
|
104
|
+
* lengths which are multiples of ECRYPT_BLOCKLENGTH.
|
105
|
+
*
|
106
|
+
* The user is allowed to make multiple calls to
|
107
|
+
* ECRYPT_encrypt_blocks() to incrementally encrypt a long message,
|
108
|
+
* but he is NOT allowed to make additional encryption calls once he
|
109
|
+
* has called ECRYPT_encrypt_bytes() (unless he starts a new message
|
110
|
+
* of course). For example, this sequence of calls is acceptable:
|
111
|
+
*
|
112
|
+
* ECRYPT_keysetup();
|
113
|
+
*
|
114
|
+
* ECRYPT_ivsetup();
|
115
|
+
* ECRYPT_encrypt_blocks();
|
116
|
+
* ECRYPT_encrypt_blocks();
|
117
|
+
* ECRYPT_encrypt_bytes();
|
118
|
+
*
|
119
|
+
* ECRYPT_ivsetup();
|
120
|
+
* ECRYPT_encrypt_blocks();
|
121
|
+
* ECRYPT_encrypt_blocks();
|
122
|
+
*
|
123
|
+
* ECRYPT_ivsetup();
|
124
|
+
* ECRYPT_encrypt_bytes();
|
125
|
+
*
|
126
|
+
* The following sequence is not:
|
127
|
+
*
|
128
|
+
* ECRYPT_keysetup();
|
129
|
+
* ECRYPT_ivsetup();
|
130
|
+
* ECRYPT_encrypt_blocks();
|
131
|
+
* ECRYPT_encrypt_bytes();
|
132
|
+
* ECRYPT_encrypt_blocks();
|
133
|
+
*/
|
134
|
+
|
135
|
+
void ECRYPT_encrypt_bytes(
|
136
|
+
ECRYPT_ctx* ctx,
|
137
|
+
const u8* plaintext,
|
138
|
+
u8* ciphertext,
|
139
|
+
u32 msglen); /* Message length in bytes. */
|
140
|
+
|
141
|
+
void ECRYPT_decrypt_bytes(
|
142
|
+
ECRYPT_ctx* ctx,
|
143
|
+
const u8* ciphertext,
|
144
|
+
u8* plaintext,
|
145
|
+
u32 msglen); /* Message length in bytes. */
|
146
|
+
|
147
|
+
/* ------------------------------------------------------------------------- */
|
148
|
+
|
149
|
+
/* Optional features */
|
150
|
+
|
151
|
+
/*
|
152
|
+
* For testing purposes it can sometimes be useful to have a function
|
153
|
+
* which immediately generates keystream without having to provide it
|
154
|
+
* with a zero plaintext. If your cipher cannot provide this function
|
155
|
+
* (e.g., because it is not strictly a synchronous cipher), please
|
156
|
+
* reset the ECRYPT_GENERATES_KEYSTREAM flag.
|
157
|
+
*/
|
158
|
+
|
159
|
+
#define ECRYPT_GENERATES_KEYSTREAM
|
160
|
+
#ifdef ECRYPT_GENERATES_KEYSTREAM
|
161
|
+
|
162
|
+
void ECRYPT_keystream_bytes(
|
163
|
+
ECRYPT_ctx* ctx,
|
164
|
+
u8* keystream,
|
165
|
+
u32 length); /* Length of keystream in bytes. */
|
166
|
+
|
167
|
+
#endif
|
168
|
+
|
169
|
+
/* ------------------------------------------------------------------------- */
|
170
|
+
|
171
|
+
/* Optional optimizations */
|
172
|
+
|
173
|
+
/*
|
174
|
+
* By default, the functions in this section are implemented using
|
175
|
+
* calls to functions declared above. However, you might want to
|
176
|
+
* implement them differently for performance reasons.
|
177
|
+
*/
|
178
|
+
|
179
|
+
/*
|
180
|
+
* All-in-one encryption/decryption of (short) packets.
|
181
|
+
*
|
182
|
+
* The default definitions of these functions can be found in
|
183
|
+
* "ecrypt-sync.c". If you want to implement them differently, please
|
184
|
+
* undef the ECRYPT_USES_DEFAULT_ALL_IN_ONE flag.
|
185
|
+
*/
|
186
|
+
#define ECRYPT_USES_DEFAULT_ALL_IN_ONE /* [edit] */
|
187
|
+
|
188
|
+
void ECRYPT_encrypt_packet(
|
189
|
+
ECRYPT_ctx* ctx,
|
190
|
+
const u8* iv,
|
191
|
+
const u8* plaintext,
|
192
|
+
u8* ciphertext,
|
193
|
+
u32 msglen);
|
194
|
+
|
195
|
+
void ECRYPT_decrypt_packet(
|
196
|
+
ECRYPT_ctx* ctx,
|
197
|
+
const u8* iv,
|
198
|
+
const u8* ciphertext,
|
199
|
+
u8* plaintext,
|
200
|
+
u32 msglen);
|
201
|
+
|
202
|
+
/*
|
203
|
+
* Encryption/decryption of blocks.
|
204
|
+
*
|
205
|
+
* By default, these functions are defined as macros. If you want to
|
206
|
+
* provide a different implementation, please undef the
|
207
|
+
* ECRYPT_USES_DEFAULT_BLOCK_MACROS flag and implement the functions
|
208
|
+
* declared below.
|
209
|
+
*/
|
210
|
+
|
211
|
+
#define ECRYPT_BLOCKLENGTH 64 /* [edit] */
|
212
|
+
|
213
|
+
#define ECRYPT_USES_DEFAULT_BLOCK_MACROS /* [edit] */
|
214
|
+
#ifdef ECRYPT_USES_DEFAULT_BLOCK_MACROS
|
215
|
+
|
216
|
+
#define ECRYPT_encrypt_blocks(ctx, plaintext, ciphertext, blocks) \
|
217
|
+
ECRYPT_encrypt_bytes(ctx, plaintext, ciphertext, \
|
218
|
+
(blocks) * ECRYPT_BLOCKLENGTH)
|
219
|
+
|
220
|
+
#define ECRYPT_decrypt_blocks(ctx, ciphertext, plaintext, blocks) \
|
221
|
+
ECRYPT_decrypt_bytes(ctx, ciphertext, plaintext, \
|
222
|
+
(blocks) * ECRYPT_BLOCKLENGTH)
|
223
|
+
|
224
|
+
#ifdef ECRYPT_GENERATES_KEYSTREAM
|
225
|
+
|
226
|
+
#define ECRYPT_keystream_blocks(ctx, keystream, blocks) \
|
227
|
+
ECRYPT_keystream_bytes(ctx, keystream, \
|
228
|
+
(blocks) * ECRYPT_BLOCKLENGTH)
|
229
|
+
|
230
|
+
#endif
|
231
|
+
|
232
|
+
#else
|
233
|
+
|
234
|
+
void ECRYPT_encrypt_blocks(
|
235
|
+
ECRYPT_ctx* ctx,
|
236
|
+
const u8* plaintext,
|
237
|
+
u8* ciphertext,
|
238
|
+
u32 blocks); /* Message length in blocks. */
|
239
|
+
|
240
|
+
void ECRYPT_decrypt_blocks(
|
241
|
+
ECRYPT_ctx* ctx,
|
242
|
+
const u8* ciphertext,
|
243
|
+
u8* plaintext,
|
244
|
+
u32 blocks); /* Message length in blocks. */
|
245
|
+
|
246
|
+
#ifdef ECRYPT_GENERATES_KEYSTREAM
|
247
|
+
|
248
|
+
void ECRYPT_keystream_blocks(
|
249
|
+
ECRYPT_ctx* ctx,
|
250
|
+
const u8* keystream,
|
251
|
+
u32 blocks); /* Keystream length in blocks. */
|
252
|
+
|
253
|
+
#endif
|
254
|
+
|
255
|
+
#endif
|
256
|
+
|
257
|
+
/*
|
258
|
+
* If your cipher can be implemented in different ways, you can use
|
259
|
+
* the ECRYPT_VARIANT parameter to allow the user to choose between
|
260
|
+
* them at compile time (e.g., gcc -DECRYPT_VARIANT=3 ...). Please
|
261
|
+
* only use this possibility if you really think it could make a
|
262
|
+
* significant difference and keep the number of variants
|
263
|
+
* (ECRYPT_MAXVARIANT) as small as possible (definitely not more than
|
264
|
+
* 10). Note also that all variants should have exactly the same
|
265
|
+
* external interface (i.e., the same ECRYPT_BLOCKLENGTH, etc.).
|
266
|
+
*/
|
267
|
+
#define ECRYPT_MAXVARIANT 1 /* [edit] */
|
268
|
+
|
269
|
+
#ifndef ECRYPT_VARIANT
|
270
|
+
#define ECRYPT_VARIANT 1
|
271
|
+
#endif
|
272
|
+
|
273
|
+
#if (ECRYPT_VARIANT > ECRYPT_MAXVARIANT)
|
274
|
+
#error this variant does not exist
|
275
|
+
#endif
|
276
|
+
|
277
|
+
/* ------------------------------------------------------------------------- */
|
278
|
+
|
279
|
+
#endif
|
@@ -0,0 +1,221 @@
|
|
1
|
+
/*
|
2
|
+
salsa20-merged.c version 20051118
|
3
|
+
D. J. Bernstein
|
4
|
+
Public domain.
|
5
|
+
*/
|
6
|
+
|
7
|
+
#include "ecrypt-sync.h"
|
8
|
+
|
9
|
+
#define ROTATE(v,c) (ROTL32(v,c))
|
10
|
+
#define XOR(v,w) ((v) ^ (w))
|
11
|
+
#define PLUS(v,w) (U32V((v) + (w)))
|
12
|
+
#define PLUSONE(v) (PLUS((v),1))
|
13
|
+
|
14
|
+
void ECRYPT_init(void)
|
15
|
+
{
|
16
|
+
return;
|
17
|
+
}
|
18
|
+
|
19
|
+
static const char sigma[16] = "expand 32-byte k";
|
20
|
+
static const char tau[16] = "expand 16-byte k";
|
21
|
+
|
22
|
+
void ECRYPT_keysetup(ECRYPT_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
|
23
|
+
{
|
24
|
+
const char *constants;
|
25
|
+
|
26
|
+
(void) ivbits; /* avoid unused parameter compiler warning */
|
27
|
+
|
28
|
+
x->input[1] = U8TO32_LITTLE(k + 0);
|
29
|
+
x->input[2] = U8TO32_LITTLE(k + 4);
|
30
|
+
x->input[3] = U8TO32_LITTLE(k + 8);
|
31
|
+
x->input[4] = U8TO32_LITTLE(k + 12);
|
32
|
+
if (kbits == 256) { /* recommended */
|
33
|
+
k += 16;
|
34
|
+
constants = sigma;
|
35
|
+
} else { /* kbits == 128 */
|
36
|
+
constants = tau;
|
37
|
+
}
|
38
|
+
x->input[11] = U8TO32_LITTLE(k + 0);
|
39
|
+
x->input[12] = U8TO32_LITTLE(k + 4);
|
40
|
+
x->input[13] = U8TO32_LITTLE(k + 8);
|
41
|
+
x->input[14] = U8TO32_LITTLE(k + 12);
|
42
|
+
x->input[0] = U8TO32_LITTLE(constants + 0);
|
43
|
+
x->input[5] = U8TO32_LITTLE(constants + 4);
|
44
|
+
x->input[10] = U8TO32_LITTLE(constants + 8);
|
45
|
+
x->input[15] = U8TO32_LITTLE(constants + 12);
|
46
|
+
}
|
47
|
+
|
48
|
+
void ECRYPT_ivsetup(ECRYPT_ctx *x,const u8 *iv)
|
49
|
+
{
|
50
|
+
x->input[6] = U8TO32_LITTLE(iv + 0);
|
51
|
+
x->input[7] = U8TO32_LITTLE(iv + 4);
|
52
|
+
x->input[8] = 0;
|
53
|
+
x->input[9] = 0;
|
54
|
+
}
|
55
|
+
|
56
|
+
void ECRYPT_encrypt_bytes(ECRYPT_ctx *x,const u8 *m,u8 *c,u32 bytes)
|
57
|
+
{
|
58
|
+
u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
|
59
|
+
u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
|
60
|
+
u8 *ctarget = 0;
|
61
|
+
u8 tmp[64];
|
62
|
+
u32 i;
|
63
|
+
|
64
|
+
if (!bytes) return;
|
65
|
+
|
66
|
+
j0 = x->input[0];
|
67
|
+
j1 = x->input[1];
|
68
|
+
j2 = x->input[2];
|
69
|
+
j3 = x->input[3];
|
70
|
+
j4 = x->input[4];
|
71
|
+
j5 = x->input[5];
|
72
|
+
j6 = x->input[6];
|
73
|
+
j7 = x->input[7];
|
74
|
+
j8 = x->input[8];
|
75
|
+
j9 = x->input[9];
|
76
|
+
j10 = x->input[10];
|
77
|
+
j11 = x->input[11];
|
78
|
+
j12 = x->input[12];
|
79
|
+
j13 = x->input[13];
|
80
|
+
j14 = x->input[14];
|
81
|
+
j15 = x->input[15];
|
82
|
+
|
83
|
+
for (;;) {
|
84
|
+
if (bytes < 64) {
|
85
|
+
for (i = 0;i < bytes;++i) tmp[i] = m[i];
|
86
|
+
m = tmp;
|
87
|
+
ctarget = c;
|
88
|
+
c = tmp;
|
89
|
+
}
|
90
|
+
x0 = j0;
|
91
|
+
x1 = j1;
|
92
|
+
x2 = j2;
|
93
|
+
x3 = j3;
|
94
|
+
x4 = j4;
|
95
|
+
x5 = j5;
|
96
|
+
x6 = j6;
|
97
|
+
x7 = j7;
|
98
|
+
x8 = j8;
|
99
|
+
x9 = j9;
|
100
|
+
x10 = j10;
|
101
|
+
x11 = j11;
|
102
|
+
x12 = j12;
|
103
|
+
x13 = j13;
|
104
|
+
x14 = j14;
|
105
|
+
x15 = j15;
|
106
|
+
for (i = 20;i > 0;i -= 2) {
|
107
|
+
x4 = XOR( x4,ROTATE(PLUS( x0,x12), 7));
|
108
|
+
x8 = XOR( x8,ROTATE(PLUS( x4, x0), 9));
|
109
|
+
x12 = XOR(x12,ROTATE(PLUS( x8, x4),13));
|
110
|
+
x0 = XOR( x0,ROTATE(PLUS(x12, x8),18));
|
111
|
+
x9 = XOR( x9,ROTATE(PLUS( x5, x1), 7));
|
112
|
+
x13 = XOR(x13,ROTATE(PLUS( x9, x5), 9));
|
113
|
+
x1 = XOR( x1,ROTATE(PLUS(x13, x9),13));
|
114
|
+
x5 = XOR( x5,ROTATE(PLUS( x1,x13),18));
|
115
|
+
x14 = XOR(x14,ROTATE(PLUS(x10, x6), 7));
|
116
|
+
x2 = XOR( x2,ROTATE(PLUS(x14,x10), 9));
|
117
|
+
x6 = XOR( x6,ROTATE(PLUS( x2,x14),13));
|
118
|
+
x10 = XOR(x10,ROTATE(PLUS( x6, x2),18));
|
119
|
+
x3 = XOR( x3,ROTATE(PLUS(x15,x11), 7));
|
120
|
+
x7 = XOR( x7,ROTATE(PLUS( x3,x15), 9));
|
121
|
+
x11 = XOR(x11,ROTATE(PLUS( x7, x3),13));
|
122
|
+
x15 = XOR(x15,ROTATE(PLUS(x11, x7),18));
|
123
|
+
x1 = XOR( x1,ROTATE(PLUS( x0, x3), 7));
|
124
|
+
x2 = XOR( x2,ROTATE(PLUS( x1, x0), 9));
|
125
|
+
x3 = XOR( x3,ROTATE(PLUS( x2, x1),13));
|
126
|
+
x0 = XOR( x0,ROTATE(PLUS( x3, x2),18));
|
127
|
+
x6 = XOR( x6,ROTATE(PLUS( x5, x4), 7));
|
128
|
+
x7 = XOR( x7,ROTATE(PLUS( x6, x5), 9));
|
129
|
+
x4 = XOR( x4,ROTATE(PLUS( x7, x6),13));
|
130
|
+
x5 = XOR( x5,ROTATE(PLUS( x4, x7),18));
|
131
|
+
x11 = XOR(x11,ROTATE(PLUS(x10, x9), 7));
|
132
|
+
x8 = XOR( x8,ROTATE(PLUS(x11,x10), 9));
|
133
|
+
x9 = XOR( x9,ROTATE(PLUS( x8,x11),13));
|
134
|
+
x10 = XOR(x10,ROTATE(PLUS( x9, x8),18));
|
135
|
+
x12 = XOR(x12,ROTATE(PLUS(x15,x14), 7));
|
136
|
+
x13 = XOR(x13,ROTATE(PLUS(x12,x15), 9));
|
137
|
+
x14 = XOR(x14,ROTATE(PLUS(x13,x12),13));
|
138
|
+
x15 = XOR(x15,ROTATE(PLUS(x14,x13),18));
|
139
|
+
}
|
140
|
+
x0 = PLUS(x0,j0);
|
141
|
+
x1 = PLUS(x1,j1);
|
142
|
+
x2 = PLUS(x2,j2);
|
143
|
+
x3 = PLUS(x3,j3);
|
144
|
+
x4 = PLUS(x4,j4);
|
145
|
+
x5 = PLUS(x5,j5);
|
146
|
+
x6 = PLUS(x6,j6);
|
147
|
+
x7 = PLUS(x7,j7);
|
148
|
+
x8 = PLUS(x8,j8);
|
149
|
+
x9 = PLUS(x9,j9);
|
150
|
+
x10 = PLUS(x10,j10);
|
151
|
+
x11 = PLUS(x11,j11);
|
152
|
+
x12 = PLUS(x12,j12);
|
153
|
+
x13 = PLUS(x13,j13);
|
154
|
+
x14 = PLUS(x14,j14);
|
155
|
+
x15 = PLUS(x15,j15);
|
156
|
+
|
157
|
+
x0 = XOR(x0,U8TO32_LITTLE(m + 0));
|
158
|
+
x1 = XOR(x1,U8TO32_LITTLE(m + 4));
|
159
|
+
x2 = XOR(x2,U8TO32_LITTLE(m + 8));
|
160
|
+
x3 = XOR(x3,U8TO32_LITTLE(m + 12));
|
161
|
+
x4 = XOR(x4,U8TO32_LITTLE(m + 16));
|
162
|
+
x5 = XOR(x5,U8TO32_LITTLE(m + 20));
|
163
|
+
x6 = XOR(x6,U8TO32_LITTLE(m + 24));
|
164
|
+
x7 = XOR(x7,U8TO32_LITTLE(m + 28));
|
165
|
+
x8 = XOR(x8,U8TO32_LITTLE(m + 32));
|
166
|
+
x9 = XOR(x9,U8TO32_LITTLE(m + 36));
|
167
|
+
x10 = XOR(x10,U8TO32_LITTLE(m + 40));
|
168
|
+
x11 = XOR(x11,U8TO32_LITTLE(m + 44));
|
169
|
+
x12 = XOR(x12,U8TO32_LITTLE(m + 48));
|
170
|
+
x13 = XOR(x13,U8TO32_LITTLE(m + 52));
|
171
|
+
x14 = XOR(x14,U8TO32_LITTLE(m + 56));
|
172
|
+
x15 = XOR(x15,U8TO32_LITTLE(m + 60));
|
173
|
+
|
174
|
+
j8 = PLUSONE(j8);
|
175
|
+
if (!j8) {
|
176
|
+
j9 = PLUSONE(j9);
|
177
|
+
/* stopping at 2^70 bytes per nonce is user's responsibility */
|
178
|
+
}
|
179
|
+
|
180
|
+
U32TO8_LITTLE(c + 0,x0);
|
181
|
+
U32TO8_LITTLE(c + 4,x1);
|
182
|
+
U32TO8_LITTLE(c + 8,x2);
|
183
|
+
U32TO8_LITTLE(c + 12,x3);
|
184
|
+
U32TO8_LITTLE(c + 16,x4);
|
185
|
+
U32TO8_LITTLE(c + 20,x5);
|
186
|
+
U32TO8_LITTLE(c + 24,x6);
|
187
|
+
U32TO8_LITTLE(c + 28,x7);
|
188
|
+
U32TO8_LITTLE(c + 32,x8);
|
189
|
+
U32TO8_LITTLE(c + 36,x9);
|
190
|
+
U32TO8_LITTLE(c + 40,x10);
|
191
|
+
U32TO8_LITTLE(c + 44,x11);
|
192
|
+
U32TO8_LITTLE(c + 48,x12);
|
193
|
+
U32TO8_LITTLE(c + 52,x13);
|
194
|
+
U32TO8_LITTLE(c + 56,x14);
|
195
|
+
U32TO8_LITTLE(c + 60,x15);
|
196
|
+
|
197
|
+
if (bytes <= 64) {
|
198
|
+
if (bytes < 64) {
|
199
|
+
for (i = 0;i < bytes;++i) ctarget[i] = c[i];
|
200
|
+
}
|
201
|
+
x->input[8] = j8;
|
202
|
+
x->input[9] = j9;
|
203
|
+
return;
|
204
|
+
}
|
205
|
+
bytes -= 64;
|
206
|
+
c += 64;
|
207
|
+
m += 64;
|
208
|
+
}
|
209
|
+
}
|
210
|
+
|
211
|
+
void ECRYPT_decrypt_bytes(ECRYPT_ctx *x,const u8 *c,u8 *m,u32 bytes)
|
212
|
+
{
|
213
|
+
ECRYPT_encrypt_bytes(x,c,m,bytes);
|
214
|
+
}
|
215
|
+
|
216
|
+
void ECRYPT_keystream_bytes(ECRYPT_ctx *x,u8 *stream,u32 bytes)
|
217
|
+
{
|
218
|
+
u32 i;
|
219
|
+
for (i = 0;i < bytes;++i) stream[i] = 0;
|
220
|
+
ECRYPT_encrypt_bytes(x,stream,stream,bytes);
|
221
|
+
}
|