1 /* $OpenBSD: chacha.c,v 1.9 2022/08/20 18:44:58 jsing Exp $ */
2 /*
3  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include <stdint.h>
19 
20 #include <openssl/chacha.h>
21 
22 #include "chacha-merged.c"
23 
24 void
25 ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key, uint32_t keybits)
26 {
27 	chacha_keysetup((chacha_ctx *)ctx, key, keybits);
28 	ctx->unused = 0;
29 }
30 
31 void
32 ChaCha_set_iv(ChaCha_ctx *ctx, const unsigned char *iv,
33     const unsigned char *counter)
34 {
35 	chacha_ivsetup((chacha_ctx *)ctx, iv, counter);
36 	ctx->unused = 0;
37 }
38 
39 void
40 ChaCha(ChaCha_ctx *ctx, unsigned char *out, const unsigned char *in, size_t len)
41 {
42 	unsigned char *k;
43 	uint64_t n;
44 	int i, l;
45 
46 	/* Consume remaining keystream, if any exists. */
47 	if (ctx->unused > 0) {
48 		k = ctx->ks + 64 - ctx->unused;
49 		l = (len > ctx->unused) ? ctx->unused : len;
50 		for (i = 0; i < l; i++)
51 			*(out++) = *(in++) ^ *(k++);
52 		ctx->unused -= l;
53 		len -= l;
54 	}
55 
56 	while (len > 0) {
57 		if ((n = len) > UINT32_MAX)
58 			n = UINT32_MAX;
59 
60 		chacha_encrypt_bytes((chacha_ctx *)ctx, in, out, (uint32_t)n);
61 
62 		in += n;
63 		out += n;
64 		len -= n;
65 	}
66 }
67 
68 void
69 CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len,
70     const unsigned char key[32], const unsigned char iv[8], uint64_t counter)
71 {
72 	struct chacha_ctx ctx;
73 	uint64_t n;
74 
75 	/*
76 	 * chacha_ivsetup expects the counter to be in u8. Rather than
77 	 * converting size_t to u8 and then back again, pass a counter of
78 	 * NULL and manually assign it afterwards.
79 	 */
80 	chacha_keysetup(&ctx, key, 256);
81 	chacha_ivsetup(&ctx, iv, NULL);
82 	if (counter != 0) {
83 		ctx.input[12] = (uint32_t)counter;
84 		ctx.input[13] = (uint32_t)(counter >> 32);
85 	}
86 
87 	while (len > 0) {
88 		if ((n = len) > UINT32_MAX)
89 			n = UINT32_MAX;
90 
91 		chacha_encrypt_bytes(&ctx, in, out, (uint32_t)n);
92 
93 		in += n;
94 		out += n;
95 		len -= n;
96 	}
97 }
98 
99 void
100 CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len,
101     const unsigned char key[32], const unsigned char iv[24])
102 {
103 	uint8_t subkey[32];
104 
105 	CRYPTO_hchacha_20(subkey, key, iv);
106 	CRYPTO_chacha_20(out, in, len, subkey, iv + 16, 0);
107 }
108