/src/hpn-ssh/openbsd-compat/chacha_private.h

Source (jump to first uncovered line)
/* OPENBSD ORIGINAL: lib/libc/crypt/chacha_private.h */

/*
chacha-merged.c version 20080118
D. J. Bernstein
Public domain.
*/

/* $OpenBSD: chacha_private.h,v 1.3 2022/02/28 21:56:29 dtucker Exp $ */

typedef unsigned char u8;
typedef unsigned int u32;

typedef struct
{
  u32 input[16]; /* could be compressed */
} chacha_ctx;

#define U8C(v) (v##U)
#define U32C(v) (v##U)

#define U8V(v) ((u8)(v) & U8C(0xFF))
#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))

#define ROTL32(v, n) \
  (U32V((v) << (n)) | ((v) >> (32 - (n))))

#define U8TO32_LITTLE(p) \
  (((u32)((p)[0])      ) | \
   ((u32)((p)[1]) <<  8) | \
   ((u32)((p)[2]) << 16) | \
   ((u32)((p)[3]) << 24))

#define U32TO8_LITTLE(p, v) \
  do { \
    (p)[0] = U8V((v)      ); \
    (p)[1] = U8V((v) >>  8); \
    (p)[2] = U8V((v) >> 16); \
    (p)[3] = U8V((v) >> 24); \
  } while (0)

#define ROTATE(v,c) (ROTL32(v,c))
#define XOR(v,w) ((v) ^ (w))
#define PLUS(v,w) (U32V((v) + (w)))
#define PLUSONE(v) (PLUS((v),1))

#define QUARTERROUND(a,b,c,d) \
  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);

static const char sigma[16] = "expand 32-byte k";
static const char tau[16] = "expand 16-byte k";

static void
chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
{
  const char *constants;

  x->input[4] = U8TO32_LITTLE(k + 0);
  x->input[5] = U8TO32_LITTLE(k + 4);
  x->input[6] = U8TO32_LITTLE(k + 8);
  x->input[7] = U8TO32_LITTLE(k + 12);
  if (kbits == 256) { /* recommended */
    k += 16;
    constants = sigma;
  } else { /* kbits == 128 */
    constants = tau;
  }
  x->input[8] = U8TO32_LITTLE(k + 0);
  x->input[9] = U8TO32_LITTLE(k + 4);
  x->input[10] = U8TO32_LITTLE(k + 8);
  x->input[11] = U8TO32_LITTLE(k + 12);
  x->input[0] = U8TO32_LITTLE(constants + 0);
  x->input[1] = U8TO32_LITTLE(constants + 4);
  x->input[2] = U8TO32_LITTLE(constants + 8);
  x->input[3] = U8TO32_LITTLE(constants + 12);
}

static void
chacha_ivsetup(chacha_ctx *x,const u8 *iv)
{
  x->input[12] = 0;
  x->input[13] = 0;
  x->input[14] = U8TO32_LITTLE(iv + 0);
  x->input[15] = U8TO32_LITTLE(iv + 4);
}

static void
chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
{
  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
  u8 *ctarget = NULL;
  u8 tmp[64];
  u_int i;

  if (!bytes) return;

  j0 = x->input[0];
  j1 = x->input[1];
  j2 = x->input[2];
  j3 = x->input[3];
  j4 = x->input[4];
  j5 = x->input[5];
  j6 = x->input[6];
  j7 = x->input[7];
  j8 = x->input[8];
  j9 = x->input[9];
  j10 = x->input[10];
  j11 = x->input[11];
  j12 = x->input[12];
  j13 = x->input[13];
  j14 = x->input[14];
  j15 = x->input[15];

  for (;;) {
    if (bytes < 64) {
      for (i = 0;i < bytes;++i) tmp[i] = m[i];
      m = tmp;
      ctarget = c;
      c = tmp;
    }
    x0 = j0;
    x1 = j1;
    x2 = j2;
    x3 = j3;
    x4 = j4;
    x5 = j5;
    x6 = j6;
    x7 = j7;
    x8 = j8;
    x9 = j9;
    x10 = j10;
    x11 = j11;
    x12 = j12;
    x13 = j13;
    x14 = j14;
    x15 = j15;
    for (i = 20;i > 0;i -= 2) {
      QUARTERROUND( x0, x4, x8,x12)
      QUARTERROUND( x1, x5, x9,x13)
      QUARTERROUND( x2, x6,x10,x14)
      QUARTERROUND( x3, x7,x11,x15)
      QUARTERROUND( x0, x5,x10,x15)
      QUARTERROUND( x1, x6,x11,x12)
      QUARTERROUND( x2, x7, x8,x13)
      QUARTERROUND( x3, x4, x9,x14)
    }
    x0 = PLUS(x0,j0);
    x1 = PLUS(x1,j1);
    x2 = PLUS(x2,j2);
    x3 = PLUS(x3,j3);
    x4 = PLUS(x4,j4);
    x5 = PLUS(x5,j5);
    x6 = PLUS(x6,j6);
    x7 = PLUS(x7,j7);
    x8 = PLUS(x8,j8);
    x9 = PLUS(x9,j9);
    x10 = PLUS(x10,j10);
    x11 = PLUS(x11,j11);
    x12 = PLUS(x12,j12);
    x13 = PLUS(x13,j13);
    x14 = PLUS(x14,j14);
    x15 = PLUS(x15,j15);

#ifndef KEYSTREAM_ONLY
    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
#endif

    j12 = PLUSONE(j12);
    if (!j12) {
      j13 = PLUSONE(j13);
      /* stopping at 2^70 bytes per nonce is user's responsibility */
    }

    U32TO8_LITTLE(c + 0,x0);
    U32TO8_LITTLE(c + 4,x1);
    U32TO8_LITTLE(c + 8,x2);
    U32TO8_LITTLE(c + 12,x3);
    U32TO8_LITTLE(c + 16,x4);
    U32TO8_LITTLE(c + 20,x5);
    U32TO8_LITTLE(c + 24,x6);
    U32TO8_LITTLE(c + 28,x7);
    U32TO8_LITTLE(c + 32,x8);
    U32TO8_LITTLE(c + 36,x9);
    U32TO8_LITTLE(c + 40,x10);
    U32TO8_LITTLE(c + 44,x11);
    U32TO8_LITTLE(c + 48,x12);
    U32TO8_LITTLE(c + 52,x13);
    U32TO8_LITTLE(c + 56,x14);
    U32TO8_LITTLE(c + 60,x15);

    if (bytes <= 64) {
      if (bytes < 64) {
        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
      }
      x->input[12] = j12;
      x->input[13] = j13;
      return;
    }
    bytes -= 64;
    c += 64;
#ifndef KEYSTREAM_ONLY
    m += 64;
#endif
  }
}

Coverage Report

Created: 2024-07-27 06:07

Line	Count	Source (jump to first uncovered line)
1		/* OPENBSD ORIGINAL: lib/libc/crypt/chacha_private.h */
2
3		/*
4		chacha-merged.c version 20080118
5		D. J. Bernstein
6		Public domain.
7		*/
8
9		/* $OpenBSD: chacha_private.h,v 1.3 2022/02/28 21:56:29 dtucker Exp $ */
10
11		typedef unsigned char u8;
12		typedef unsigned int u32;
13
14		typedef struct
15		{
16		u32 input[16]; /* could be compressed */
17		} chacha_ctx;
18
19	806k	#define U8C(v) (v##U)
20	8.27M	#define U32C(v) (v##U)
21
22	806k	#define U8V(v) ((u8)(v) & U8C(0xFF))
23	8.27M	#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
24
25		#define ROTL32(v, n) \
26	4.03M	(U32V((v) << (n)) \| ((v) >> (32 - (n))))
27
28		#define U8TO32_LITTLE(p) \
29	11.0k	(((u32)((p)[0]) ) \| \
30	11.0k	((u32)((p)[1]) << 8) \| \
31	11.0k	((u32)((p)[2]) << 16) \| \
32	11.0k	((u32)((p)[3]) << 24))
33
34		#define U32TO8_LITTLE(p, v) \
35	201k	do { \
36	201k	(p)[0] = U8V((v) ); \
37	201k	(p)[1] = U8V((v) >> 8); \
38	201k	(p)[2] = U8V((v) >> 16); \
39	201k	(p)[3] = U8V((v) >> 24); \
40	201k	} while (0)
41
42	4.03M	#define ROTATE(v,c) (ROTL32(v,c))
43		#define XOR(v,w) ((v) ^ (w))
44	4.24M	#define PLUS(v,w) (U32V((v) + (w)))
45	12.5k	#define PLUSONE(v) (PLUS((v),1))
46
47		#define QUARTERROUND(a,b,c,d) \
48	1.00M	a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
49	1.00M	c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
50	1.00M	a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
51	1.00M	c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
52
53		static const char sigma[16] = "expand 32-byte k";
54		static const char tau[16] = "expand 16-byte k";
55
56		static void
57		chacha_keysetup(chacha_ctx x,const u8 k,u32 kbits)
58	790	{
59	790	const char *constants;
60
61	790	x->input[4] = U8TO32_LITTLE(k + 0);
62	790	x->input[5] = U8TO32_LITTLE(k + 4);
63	790	x->input[6] = U8TO32_LITTLE(k + 8);
64	790	x->input[7] = U8TO32_LITTLE(k + 12);
65	790	if (kbits == 256) { /* recommended */
66	790	k += 16;
67	790	constants = sigma;
68	790	} else { /* kbits == 128 */
69	0	constants = tau;
70	0	}
71	790	x->input[8] = U8TO32_LITTLE(k + 0);
72	790	x->input[9] = U8TO32_LITTLE(k + 4);
73	790	x->input[10] = U8TO32_LITTLE(k + 8);
74	790	x->input[11] = U8TO32_LITTLE(k + 12);
75	790	x->input[0] = U8TO32_LITTLE(constants + 0);
76	790	x->input[1] = U8TO32_LITTLE(constants + 4);
77	790	x->input[2] = U8TO32_LITTLE(constants + 8);
78	790	x->input[3] = U8TO32_LITTLE(constants + 12);
79	790	}
80
81		static void
82		chacha_ivsetup(chacha_ctx x,const u8 iv)
83	790	{
84	790	x->input[12] = 0;
85	790	x->input[13] = 0;
86	790	x->input[14] = U8TO32_LITTLE(iv + 0);
87	790	x->input[15] = U8TO32_LITTLE(iv + 4);
88	790	}
89
90		static void
91		chacha_encrypt_bytes(chacha_ctx x,const u8 m,u8 *c,u32 bytes)
92	790	{
93	790	u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
94	790	u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
95	790	u8 *ctarget = NULL;
96	790	u8 tmp[64];
97	790	u_int i;
98
99	790	if (!bytes) return;
100
101	790	j0 = x->input[0];
102	790	j1 = x->input[1];
103	790	j2 = x->input[2];
104	790	j3 = x->input[3];
105	790	j4 = x->input[4];
106	790	j5 = x->input[5];
107	790	j6 = x->input[6];
108	790	j7 = x->input[7];
109	790	j8 = x->input[8];
110	790	j9 = x->input[9];
111	790	j10 = x->input[10];
112	790	j11 = x->input[11];
113	790	j12 = x->input[12];
114	790	j13 = x->input[13];
115	790	j14 = x->input[14];
116	790	j15 = x->input[15];
117
118	12.5k	for (;;) {
119	12.5k	if (bytes < 64) {
120	15	for (i = 0;i < bytes;++i) tmp[i] = m[i];
121	3	m = tmp;
122	3	ctarget = c;
123	3	c = tmp;
124	3	}
125	12.5k	x0 = j0;
126	12.5k	x1 = j1;
127	12.5k	x2 = j2;
128	12.5k	x3 = j3;
129	12.5k	x4 = j4;
130	12.5k	x5 = j5;
131	12.5k	x6 = j6;
132	12.5k	x7 = j7;
133	12.5k	x8 = j8;
134	12.5k	x9 = j9;
135	12.5k	x10 = j10;
136	12.5k	x11 = j11;
137	12.5k	x12 = j12;
138	12.5k	x13 = j13;
139	12.5k	x14 = j14;
140	12.5k	x15 = j15;
141	138k	for (i = 20;i > 0;i -= 2) {
142	125k	QUARTERROUND( x0, x4, x8,x12)
143	125k	QUARTERROUND( x1, x5, x9,x13)
144	125k	QUARTERROUND( x2, x6,x10,x14)
145	125k	QUARTERROUND( x3, x7,x11,x15)
146	125k	QUARTERROUND( x0, x5,x10,x15)
147	125k	QUARTERROUND( x1, x6,x11,x12)
148	125k	QUARTERROUND( x2, x7, x8,x13)
149	125k	QUARTERROUND( x3, x4, x9,x14)
150	125k	}
151	12.5k	x0 = PLUS(x0,j0);
152	12.5k	x1 = PLUS(x1,j1);
153	12.5k	x2 = PLUS(x2,j2);
154	12.5k	x3 = PLUS(x3,j3);
155	12.5k	x4 = PLUS(x4,j4);
156	12.5k	x5 = PLUS(x5,j5);
157	12.5k	x6 = PLUS(x6,j6);
158	12.5k	x7 = PLUS(x7,j7);
159	12.5k	x8 = PLUS(x8,j8);
160	12.5k	x9 = PLUS(x9,j9);
161	12.5k	x10 = PLUS(x10,j10);
162	12.5k	x11 = PLUS(x11,j11);
163	12.5k	x12 = PLUS(x12,j12);
164	12.5k	x13 = PLUS(x13,j13);
165	12.5k	x14 = PLUS(x14,j14);
166	12.5k	x15 = PLUS(x15,j15);
167
168		#ifndef KEYSTREAM_ONLY
169		x0 = XOR(x0,U8TO32_LITTLE(m + 0));
170		x1 = XOR(x1,U8TO32_LITTLE(m + 4));
171		x2 = XOR(x2,U8TO32_LITTLE(m + 8));
172		x3 = XOR(x3,U8TO32_LITTLE(m + 12));
173		x4 = XOR(x4,U8TO32_LITTLE(m + 16));
174		x5 = XOR(x5,U8TO32_LITTLE(m + 20));
175		x6 = XOR(x6,U8TO32_LITTLE(m + 24));
176		x7 = XOR(x7,U8TO32_LITTLE(m + 28));
177		x8 = XOR(x8,U8TO32_LITTLE(m + 32));
178		x9 = XOR(x9,U8TO32_LITTLE(m + 36));
179		x10 = XOR(x10,U8TO32_LITTLE(m + 40));
180		x11 = XOR(x11,U8TO32_LITTLE(m + 44));
181		x12 = XOR(x12,U8TO32_LITTLE(m + 48));
182		x13 = XOR(x13,U8TO32_LITTLE(m + 52));
183		x14 = XOR(x14,U8TO32_LITTLE(m + 56));
184		x15 = XOR(x15,U8TO32_LITTLE(m + 60));
185		#endif
186
187	12.5k	j12 = PLUSONE(j12);
188	12.5k	if (!j12) {
189	0	j13 = PLUSONE(j13);
190		/* stopping at 2^70 bytes per nonce is user's responsibility */
191	0	}
192
193	12.5k	U32TO8_LITTLE(c + 0,x0);
194	12.5k	U32TO8_LITTLE(c + 4,x1);
195	12.5k	U32TO8_LITTLE(c + 8,x2);
196	12.5k	U32TO8_LITTLE(c + 12,x3);
197	12.5k	U32TO8_LITTLE(c + 16,x4);
198	12.5k	U32TO8_LITTLE(c + 20,x5);
199	12.5k	U32TO8_LITTLE(c + 24,x6);
200	12.5k	U32TO8_LITTLE(c + 28,x7);
201	12.5k	U32TO8_LITTLE(c + 32,x8);
202	12.5k	U32TO8_LITTLE(c + 36,x9);
203	12.5k	U32TO8_LITTLE(c + 40,x10);
204	12.5k	U32TO8_LITTLE(c + 44,x11);
205	12.5k	U32TO8_LITTLE(c + 48,x12);
206	12.5k	U32TO8_LITTLE(c + 52,x13);
207	12.5k	U32TO8_LITTLE(c + 56,x14);
208	12.5k	U32TO8_LITTLE(c + 60,x15);
209
210	12.5k	if (bytes <= 64) {
211	790	if (bytes < 64) {
212	15	for (i = 0;i < bytes;++i) ctarget[i] = c[i];
213	3	}
214	790	x->input[12] = j12;
215	790	x->input[13] = j13;
216	790	return;
217	790	}
218	11.8k	bytes -= 64;
219	11.8k	c += 64;
220		#ifndef KEYSTREAM_ONLY
221		m += 64;
222		#endif
223	11.8k	}
224	790	}