author | Daiki Ueno <dueno@redhat.com> | 2020-03-09 13:01:18 +0100 |
---|---|---|
committer | Niels Möller <nisse@lysator.liu.se> | 2020-03-09 19:09:18 +0100 |
commit | 2176ccc158d220f2884a10980266899c495b77be (patch) | |
tree | b911b0287da426c48957d6c47c125c8c697e1126 /chacha-crypt.c | |
parent | a9894036fc5e3c972d751ea28e64e23ddc77fc37 (diff) | |
download | nettle-2176ccc158d220f2884a10980266899c495b77be.tar.gz |
chacha: add variant that treats counter value as 32-bit
The ChaCha-Poly1305 implementation previously used the chacha_crypt
function that assumes the block counter is 64-bit long, while RFC 8439
defines that the counter is 32-bit long. Although this should be fine
as long as up to 256 gigabytes of data is encrypted with the same key,
it would be nice to use separate functions (chacha_set_counter32 and
chacha_crypt32) that assume the counter is 32-bit long.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'chacha-crypt.c')
-rw-r--r-- | chacha-crypt.c | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/chacha-crypt.c b/chacha-crypt.c index 63d799ce..0bb44ed9 100644 --- a/chacha-crypt.c +++ b/chacha-crypt.c @@ -85,3 +85,35 @@ chacha_crypt(struct chacha_ctx *ctx, m += CHACHA_BLOCK_SIZE; } } + +void +chacha_crypt32(struct chacha_ctx *ctx, + size_t length, + uint8_t *c, + const uint8_t *m) +{ + if (!length) + return; + + for (;;) + { + uint32_t x[_CHACHA_STATE_LENGTH]; + + _chacha_core (x, ctx->state, CHACHA_ROUNDS); + + ++ctx->state[12]; + + /* stopping at 2^70 length per nonce is user's responsibility */ + + if (length <= CHACHA_BLOCK_SIZE) + { + memxor3 (c, m, x, length); + return; + } + memxor3 (c, m, x, CHACHA_BLOCK_SIZE); + + length -= CHACHA_BLOCK_SIZE; + c += CHACHA_BLOCK_SIZE; + m += CHACHA_BLOCK_SIZE; + } +} |
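Review bot: The comment "stopping at 2^70 length per nonce is user's responsibility" just above the `length <= CHACHA_BLOCK_SIZE` check does not match this variant. Only `ctx->state[12]` is incremented, so the block counter wraps after 2^32 blocks, which is the 256 gigabytes the commit message cites, and once it wraps the same key and nonce produce the same keystream again. Suggest rewording the comment to state the 32-bit bound (for example "stopping at 2^32 blocks per nonce is user's responsibility") so that callers of chacha_crypt32 see the limit that actually applies, and saying in the same comment that the function itself does not detect the wrap.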