authorDaiki Ueno <dueno@redhat.com>2020-03-09 13:01:18 +0100
committerNiels Möller <nisse@lysator.liu.se>2020-03-09 19:09:18 +0100
commit2176ccc158d220f2884a10980266899c495b77be (patch)
treeb911b0287da426c48957d6c47c125c8c697e1126 /chacha-crypt.c
parenta9894036fc5e3c972d751ea28e64e23ddc77fc37 (diff)
downloadnettle-2176ccc158d220f2884a10980266899c495b77be.tar.gz
chacha: add variant that treats counter value as 32-bit
The ChaCha-Poly1305 implementation previously used the chacha_crypt function that assumes the block counter is 64-bit long, while RFC 8439 defines that the counter is 32-bit long. Although this should be fine as long as up to 256 gigabytes of data is encrypted with the same key, it would be nice to use separate functions (chacha_set_counter32 and chacha_crypt32) that assume the counter is 32-bit long. Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'chacha-crypt.c')
-rw-r--r--chacha-crypt.c32
1 files changed, 32 insertions, 0 deletions
diff --git a/chacha-crypt.c b/chacha-crypt.c
index 63d799ce..0bb44ed9 100644
--- a/chacha-crypt.c
+++ b/chacha-crypt.c
@@ -85,3 +85,35 @@ chacha_crypt(struct chacha_ctx *ctx,
m += CHACHA_BLOCK_SIZE;
}
}
+
+void
+chacha_crypt32(struct chacha_ctx *ctx,
+ size_t length,
+ uint8_t *c,
+ const uint8_t *m)
+{
+ if (!length)
+ return;
+
+ for (;;)
+ {
+ uint32_t x[_CHACHA_STATE_LENGTH];
+
+ _chacha_core (x, ctx->state, CHACHA_ROUNDS);
+
+ ++ctx->state[12];
+
+ /* stopping at 2^70 length per nonce is user's responsibility */
+
+ if (length <= CHACHA_BLOCK_SIZE)
+ {
+ memxor3 (c, m, x, length);
+ return;
+ }
+ memxor3 (c, m, x, CHACHA_BLOCK_SIZE);
+
+ length -= CHACHA_BLOCK_SIZE;
+ c += CHACHA_BLOCK_SIZE;
+ m += CHACHA_BLOCK_SIZE;
+ }
+}
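Review bot: The comment inside the loop of chacha_crypt32, `/* stopping at 2^70 length per nonce is user's responsibility */`, looks carried over from the 64-bit chacha_crypt and overstates the limit for this variant. Only `ctx->state[12]` is incremented here, so the counter wraps silently after 2^32 blocks, which is 2^38 bytes (the 256 gigabytes the commit message mentions) assuming CHACHA_BLOCK_SIZE is 64. Past that point the keystream for the same key and nonce would repeat, so a caller who trusts the comment could end up reusing keystream. I would change it to `/* stopping at 2^38 bytes (2^32 blocks) per nonce is the caller's responsibility; state[12] wraps without carry */` and state the same limit wherever chacha_crypt32 is documented.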