From: Loup Vaillant Date: Mon, 9 Jan 2023 18:10:03 +0000 (+0100) Subject: Simplified and unified Chacha20 API X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=8a38935c135547d2d6fbe3e40765537276d39ce3;p=Monocypher.git Simplified and unified Chacha20 API We had 6 functions. Now we only have 3. While the basic variants are a bit more convenient to use, I don't expect users will be using them frequently enough for it to matter. But having 6 functions to chose from instead of 3 is in my opinion a non-negligible cost. Then there's HChacha20, the odd one out. While we're here breaking the API left and right, I figured I needed a stable naming scheme for everything. And I think each function should be named crypto__(), with relatively few clusters. And HChacha20 quite clearly belong to the "chacha20" cluster, even though it's sometimes used as kind of a hash (for the extended nonce DJB only relies on its properties as a bastardised stream cipher). And while we're speaking clusters, I'm considering having one man page per cluster, with no regards towards whether a function is "advanced" or not. In practice this would mean: - Bundling HChacha20 and Chacha20 functions in the same man page. This would help highlight how they're related. - Bundling low-level EdDSA building blocks with the high-level construction. We can always push the advanced stuff down the man page, but the main point here is to make it easier to find. Oh and we'd perhaps add the conversion to X25519 as well. - Bundling dirty X25519 function together with the clean one. And perhaps the conversion to EdDSA too. - The Elligator functions are already documented together, but I think they deserve their dedicated prefix. Like, "crypto_elligator_". However we go about it, I'd like to strive towards a more systematic way of documenting things, to the point of enabling some automatic checks as hinted in #250. --- diff --git a/doc/man/man3/advanced/crypto_chacha20.3monocypher b/doc/man/man3/advanced/crypto_chacha20.3monocypher index 51c8b5f..9dc045b 100644 --- a/doc/man/man3/advanced/crypto_chacha20.3monocypher +++ b/doc/man/man3/advanced/crypto_chacha20.3monocypher @@ -8,7 +8,7 @@ .\" .\" ---------------------------------------------------------------------------- .\" -.\" Copyright (c) 2017-2019 Loup Vaillant +.\" Copyright (c) 2017-2019, 2023 Loup Vaillant .\" Copyright (c) 2018 Michael Savage .\" Copyright (c) 2017, 2019-2021 Fabio Scotoni .\" All rights reserved. @@ -40,7 +40,7 @@ .\" .\" ---------------------------------------------------------------------------- .\" -.\" Written in 2017-2021 by Loup Vaillant, Michael Savage and Fabio Scotoni +.\" Written in 2017-2023 by Loup Vaillant, Michael Savage and Fabio Scotoni .\" .\" To the extent possible under law, the author(s) have dedicated all copyright .\" and related neighboring rights to this software to the public domain @@ -50,44 +50,36 @@ .\" with this software. If not, see .\" .\" -.Dd June 11, 2021 +.Dd January 8, 2023 .Dt CRYPTO_CHACHA20 3MONOCYPHER .Os .Sh NAME .Nm crypto_chacha20 , -.Nm crypto_chacha20_ctr , .Nm crypto_xchacha20 , -.Nm crypto_xchacha20_ctr +.Nm crypto_ietf_chacha20 .Nd ChaCha20 and XChaCha20 encryption functions .Sh SYNOPSIS .In monocypher.h -.Ft void +.Ft uint64_t .Fo crypto_chacha20 .Fa "uint8_t *cipher_text" .Fa "const uint8_t *plain_text" .Fa "size_t text_size" .Fa "const uint8_t key[32]" .Fa "const uint8_t nonce[8]" +.Fa "uint64_t ctr" .Fc -.Ft void -.Fo crypto_xchacha20 -.Fa "uint8_t *cipher_text" -.Fa "const uint8_t *plain_text" -.Fa "size_t text_size" -.Fa "const uint8_t key[32]" -.Fa "const uint8_t nonce[24]" -.Fc -.Ft uint64_t -.Fo crypto_chacha20_ctr +.Ft uint32_t +.Fo crypto_ietf_chacha20 .Fa "uint8_t *cipher_text" .Fa "const uint8_t *plain_text" .Fa "size_t text_size" .Fa "const uint8_t key[32]" -.Fa "const uint8_t nonce[8]" -.Fa "uint64_t ctr" +.Fa "const uint8_t nonce[12]" +.Fa "uint32_t ctr" .Fc .Ft uint64_t -.Fo crypto_xchacha20_ctr +.Fo crypto_xchacha20 .Fa "uint8_t *cipher_text" .Fa "const uint8_t *plain_text" .Fa "size_t text_size" @@ -108,12 +100,12 @@ The arguments are: .It Fa key A 32-byte secret key. .It Fa nonce -An 8-byte or 24-byte number, used only once with any given key. +An 8-byte, 12-byte, or 24-byte number used only once with any given key. It does not need to be secret or random, but it does have to be unique. Repeating a nonce with the same key reveals the XOR of two different messages, which allows decryption. 24-byte nonces can be selected at random. -8-byte nonces +8-byte and 12-byte nonces .Em cannot because they are too small and the same nonce may be selected twice by accident. @@ -137,7 +129,14 @@ and .Fa cipher_text , in bytes. .It Fa ctr -The number of 64-byte blocks since the beginning of the stream. +The number of 64-byte blocks we skip from the beginning of the stream. +This can be used to encrypt (or decrypt) part of a long message or to +implement some AEAD constructions such as the one described in RFC +8439. +Should be zero by default. +When using this, be careful not to accidentally reuse parts of the +random stream as that would destroy confidentiality. +The return value can help here. .El .Pp The @@ -151,23 +150,31 @@ and must either be the same buffer (for in-place encryption) or non-overlapping. .Pp -.Fn crypto_chacha20 -performs a ChaCha20 operation. -It uses an 8-byte nonce, which is too small to be selected at random. -Use a message counter as a nonce instead. -.Pp +.Fn crypto_chacha20 , +.Fn crypto_ietf_chacha20 , +and .Fn crypto_xchacha20 -performs an XChaCha20 operation. -It uses a 24-byte nonce, which is large enough to be selected at random. +perform a ChaCha20 operation. +Their main difference is the size of their nonce and counter. +.Fn crypto_ietf_chacha20 +in particular implements RFC 8439, +and is provided strictly for compatibility with existing systems or +standards compliance. .Pp .Fn crypto_xchacha20 -is recommended over -.Fn crypto_chacha20 . -The ability to use random nonces makes it easier to use securely, and -the performance hit is often negligible in practice. +Is the only function that uses a nonce long enough to be random. +This makes it easier to use securely, +and the performance hit of the extended nonce is often negligible in +practice. +Use it instead of +.Fn crypto_chacha20 +and +.Fn crypto_ietf_chacha20 +if possible. .Pp The -.Fn crypto_chacha20 +.Fn crypto_chacha20 , +.Fn crypto_ietf_chacha20 , and .Fn crypto_xchacha20 encrypt @@ -207,35 +214,19 @@ Additionally, it be used to generate large amounts of random-looking data quickly \(en for example to generate padding. .Pp -The -.Fn crypto_chacha20_ctr -and -.Fn crypto_xchacha20_ctr -perform ChaCha20 or XChaCha20 encryption, -starting the stream at the block -.Fa ctr -(which is the byte -.Ql ctr \(mu 64 ) . -This can be used to encrypt (or decrypt) part of a long message or to -implement some AEAD constructions such as the one described in RFC -8439. -When using this, be careful not to accidentally reuse parts of the -random stream as that would destroy confidentiality. .Sh RETURN VALUES -.Fn crypto_chacha20 +.Fn crypto_chacha20 , +.Fn crypto_ietf_chacha20 , and .Fn crypto_xchacha20 -return nothing. -.Fn crypto_chacha20_ctr -and -.Fn crypto_xchacha20_ctr -functions return the next +return the next .Fa ctr to use with the same key and nonce values; -this is always +this is the previous +.Fa ctr , +plus .Fa text_size -divided by 64, -plus one if there was a remainder. +divided by 64 (rounded up). .Sh EXAMPLES The following examples assume the existence of .Fn arc4random_buf , @@ -254,7 +245,7 @@ uint8_t plain_text [500] = {1}; /* Secret message */ uint8_t cipher_text[500]; /* Encrypted message */ arc4random_buf(key, 32); arc4random_buf(nonce, 24); -crypto_xchacha20(cipher_text, plain_text, 500, key, nonce); +crypto_xchacha20(cipher_text, plain_text, 500, key, nonce, 0); /* Wipe secrets if they are no longer needed */ crypto_wipe(key, 32); crypto_wipe(plain_text, 500); @@ -266,7 +257,7 @@ uint8_t key [ 32]; /* Same key as above */ const uint8_t nonce [ 24]; /* Same nonce as above */ uint8_t plain_text [500]; /* Message to decrypt */ uint8_t cipher_text[500]; /* Secret message */ -crypto_xchacha20(cipher_text, plain_text, 500, key, nonce); +crypto_xchacha20(cipher_text, plain_text, 500, key, nonce, 0); /* Wipe secrets if they are no longer needed */ crypto_wipe(key, 32); /* The plaintext likely needs to be processed before you wipe it */ @@ -284,23 +275,21 @@ unsigned int i; arc4random_buf(key, 32); arc4random_buf(nonce, 24); for(i = 0; i < 500; i += 64) { - ctr = crypto_xchacha20_ctr(cipher_text+i, plain_text+i, 64, - key, nonce, ctr); + ctr = crypto_xchacha20(cipher_text+i, plain_text+i, 64, + key, nonce, ctr); } /* Process data that didn't fit into 64-byte pieces */ -crypto_xchacha20_ctr(cipher_text+500-(i-64), - plain_text+500-(i-64), - 500-(i-64), - key, nonce, ctr); +crypto_xchacha20(cipher_text+500-(i-64), + plain_text+500-(i-64), + 500-(i-64), + key, nonce, ctr); /* Wipe secrets if they are no longer needed */ crypto_wipe(key, 32); crypto_wipe(plain_text, 500); .Ed .Pp Encryption by jumping around (do not do this, this is only meant to show -how -.Fn crypto_xchacha20_ctr -works): +how the counter works): .Bd -literal -offset indent uint8_t key [ 32]; /* Secret random key */ uint8_t nonce [ 24]; /* Unique nonce (possibly random) */ @@ -309,12 +298,12 @@ uint8_t cipher_text[500]; /* Will be the encrypted message */ arc4random_buf(key, 32); arc4random_buf(nonce, 24); /* Encrypt the second part of the message first... */ -crypto_xchacha20_ctr(cipher_text + (3 * 64), - plain_text + (3 * 64), - 500 - (3 * 64), - key, nonce, 3); +crypto_xchacha20(cipher_text + (3 * 64), + plain_text + (3 * 64), + 500 - (3 * 64), + key, nonce, 3); /* ...then encrypt the first part */ -crypto_xchacha20_ctr(cipher_text, plain_text, 3 * 64, key, nonce, 0); +crypto_xchacha20(cipher_text, plain_text, 3 * 64, key, nonce, 0); /* Wipe secrets if they are no longer needed */ crypto_wipe(key, 32); crypto_wipe(plain_text, 500); @@ -340,6 +329,8 @@ as long as ChaCha20 itself is secure). .Sh HISTORY .Fn crypto_chacha20 , .Fn crypto_chacha20_ctr , +.Fn crypto_ietf_chacha20 , +.Fn crypto_ietf_chacha20_ctr , .Fn crypto_xchacha20 , and .Fn crypto_xchacha20_ctr @@ -352,8 +343,15 @@ They replace and .Fn crypto_chacha20_set_ctr that were deprecated in Monocypher 3.0.0. +In Monocypher 4.0.0, only the ctr variants have been kept, +and were renamed +.Fn crypto_chacha20 , +.Fn crypto_ietf_chacha20 , +and +.Fn crypto_xchacha20 +respectively. .Sh SECURITY CONSIDERATIONS -.Ss Encrypted does not mean secure +.Ss Encrypted does not mean secure . ChaCha20 only protects against eavesdropping, not forgeries. Most applications need protection against forgeries to be properly secure. diff --git a/doc/man/man3/advanced/crypto_chacha20_H.3monocypher b/doc/man/man3/advanced/crypto_chacha20_H.3monocypher deleted file mode 120000 index 9e603a2..0000000 --- a/doc/man/man3/advanced/crypto_chacha20_H.3monocypher +++ /dev/null @@ -1 +0,0 @@ -crypto_hchacha20.3monocypher \ No newline at end of file diff --git a/doc/man/man3/advanced/crypto_chacha20_ctr.3monocypher b/doc/man/man3/advanced/crypto_chacha20_ctr.3monocypher deleted file mode 120000 index 2dfb4d4..0000000 --- a/doc/man/man3/advanced/crypto_chacha20_ctr.3monocypher +++ /dev/null @@ -1 +0,0 @@ -crypto_chacha20.3monocypher \ No newline at end of file diff --git a/doc/man/man3/advanced/crypto_hchacha20.3monocypher b/doc/man/man3/advanced/crypto_chacha20_h.3monocypher similarity index 92% rename from doc/man/man3/advanced/crypto_hchacha20.3monocypher rename to doc/man/man3/advanced/crypto_chacha20_h.3monocypher index e3270ba..b4a3543 100644 --- a/doc/man/man3/advanced/crypto_hchacha20.3monocypher +++ b/doc/man/man3/advanced/crypto_chacha20_h.3monocypher @@ -8,7 +8,7 @@ .\" .\" ---------------------------------------------------------------------------- .\" -.\" Copyright (c) 2017-2019 Loup Vaillant +.\" Copyright (c) 2017-2019, 2023 Loup Vaillant .\" Copyright (c) 2017-2018 Michael Savage .\" Copyright (c) 2019-2022 Fabio Scotoni .\" All rights reserved. @@ -40,7 +40,7 @@ .\" .\" ---------------------------------------------------------------------------- .\" -.\" Written in 2017-2022 by Loup Vaillant, Michael Savage and Fabio Scotoni +.\" Written in 2017-2023 by Loup Vaillant, Michael Savage and Fabio Scotoni .\" .\" To the extent possible under law, the author(s) have dedicated all copyright .\" and related neighboring rights to this software to the public domain @@ -50,22 +50,22 @@ .\" with this software. If not, see .\" .\" -.Dd February 13, 2022 -.Dt CRYPTO_HCHACHA20 3MONOCYPHER +.Dd January 9, 2023 +.Dt CRYPTO_CHACHA20_H 3MONOCYPHER .Os .Sh NAME -.Nm crypto_hchacha20 +.Nm crypto_chacha20_h .Nd HChaCha20 special-purpose hashing .Sh SYNOPSIS .In monocypher.h .Ft void -.Fo crypto_hchacha20 +.Fo crypto_chacha20_h .Fa "uint8_t out[32]" .Fa "const uint8_t key[32]" .Fa "const uint8_t in[16]" .Fc .Sh DESCRIPTION -.Fn crypto_hchacha20 +.Fn crypto_chacha20_h provides a not-so-cryptographic hash. It may be used for some specific purposes such as X25519 key derivation or XChaCha20 initialisation. @@ -107,7 +107,7 @@ uint8_t key[32]; /* Must have enough entropy */ uint8_t in [16]; /* Does not have to be random */ uint8_t out[32]; /* Will be random iff the above holds */ arc4random_buf(key, 32); -crypto_hchacha20(out, key, in); +crypto_chacha20_h(out, key, in); /* Wipe secrets if they are no longer needed */ crypto_wipe(key, 32); crypto_wipe(in , 16); @@ -120,11 +120,13 @@ HChaCha20 derives from ChaCha20 the same way HSalsa20 derives from Salsa20. .Sh HISTORY The -.Fn crypto_hchacha20 +.Fn crypto_chacha20_h function first appeared in Monocypher 0.1 as .Fn crypto_chacha20_H . It was renamed to .Fn crypto_hchacha20 -in Monocypher 3.0.0. +in Monocypher 3.0.0, then +.Fn crypto_chacha20_h +in Monocypher 4.0.0. .Sh CAVEATS .Sy This is not a general-purpose cryptographic hash function . diff --git a/doc/man/man3/advanced/crypto_xchacha20_ctr.3monocypher b/doc/man/man3/advanced/crypto_xchacha20_ctr.3monocypher deleted file mode 120000 index 2dfb4d4..0000000 --- a/doc/man/man3/advanced/crypto_xchacha20_ctr.3monocypher +++ /dev/null @@ -1 +0,0 @@ -crypto_chacha20.3monocypher \ No newline at end of file diff --git a/src/monocypher.c b/src/monocypher.c index cf307c6..7fa90c5 100644 --- a/src/monocypher.c +++ b/src/monocypher.c @@ -201,7 +201,7 @@ static void chacha20_rounds(u32 out[16], const u32 in[16]) static const u8 *chacha20_constant = (const u8*)"expand 32-byte k"; // 16 bytes -void crypto_hchacha20(u8 out[32], const u8 key[32], const u8 in [16]) +void crypto_chacha20_h(u8 out[32], const u8 key[32], const u8 in [16]) { u32 block[16]; load32_le_buf(block , chacha20_constant, 4); @@ -216,7 +216,7 @@ void crypto_hchacha20(u8 out[32], const u8 key[32], const u8 in [16]) WIPE_BUFFER(block); } -u64 crypto_chacha20_ctr(u8 *cipher_text, const u8 *plain_text, +u64 crypto_chacha20_djb(u8 *cipher_text, const u8 *plain_text, size_t text_size, const u8 key[32], const u8 nonce[8], u64 ctr) { @@ -275,46 +275,27 @@ u64 crypto_chacha20_ctr(u8 *cipher_text, const u8 *plain_text, return ctr; } -u32 crypto_ietf_chacha20_ctr(u8 *cipher_text, const u8 *plain_text, - size_t text_size, - const u8 key[32], const u8 nonce[12], u32 ctr) +u32 crypto_chacha20_ietf(u8 *cipher_text, const u8 *plain_text, + size_t text_size, + const u8 key[32], const u8 nonce[12], u32 ctr) { u64 big_ctr = ctr + ((u64)load32_le(nonce) << 32); - return (u32)crypto_chacha20_ctr(cipher_text, plain_text, text_size, + return (u32)crypto_chacha20_djb(cipher_text, plain_text, text_size, key, nonce + 4, big_ctr); } -u64 crypto_xchacha20_ctr(u8 *cipher_text, const u8 *plain_text, - size_t text_size, - const u8 key[32], const u8 nonce[24], u64 ctr) +u64 crypto_chacha20_x(u8 *cipher_text, const u8 *plain_text, + size_t text_size, + const u8 key[32], const u8 nonce[24], u64 ctr) { u8 sub_key[32]; - crypto_hchacha20(sub_key, key, nonce); - ctr = crypto_chacha20_ctr(cipher_text, plain_text, text_size, - sub_key, nonce+16, ctr); + crypto_chacha20_h(sub_key, key, nonce); + ctr = crypto_chacha20_djb(cipher_text, plain_text, text_size, + sub_key, nonce + 16, ctr); WIPE_BUFFER(sub_key); return ctr; } -void crypto_chacha20(u8 *cipher_text, const u8 *plain_text, size_t text_size, - const u8 key[32], const u8 nonce[8]) -{ - crypto_chacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0); - -} -void crypto_ietf_chacha20(u8 *cipher_text, const u8 *plain_text, - size_t text_size, - const u8 key[32], const u8 nonce[12]) -{ - crypto_ietf_chacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0); -} - -void crypto_xchacha20(u8 *cipher_text, const u8 *plain_text, size_t text_size, - const u8 key[32], const u8 nonce[24]) -{ - crypto_xchacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0); -} - ///////////////// /// Poly 1305 /// ///////////////// @@ -2693,7 +2674,7 @@ void crypto_hidden_key_pair(u8 hidden[32], u8 secret_key[32], u8 seed[32]) u8 buf[64]; // seed + representative COPY(buf + 32, seed, 32); do { - crypto_chacha20(buf, 0, 64, buf+32, zero); + crypto_chacha20_djb(buf, 0, 64, buf+32, zero, 0); crypto_x25519_dirty_fast(pk, buf); // or the "small" version } while(crypto_curve_to_hidden(buf+32, pk, buf[32])); // Note that the return value of crypto_curve_to_hidden() is @@ -2852,9 +2833,9 @@ void crypto_lock_aead(u8 mac[16], u8 *cipher_text, { u8 sub_key[32]; u8 auth_key[64]; // "Wasting" the whole Chacha block is faster - crypto_hchacha20(sub_key, key, nonce); - crypto_chacha20(auth_key, 0, 64, sub_key, nonce + 16); - crypto_chacha20_ctr(cipher_text, plain_text, text_size, + crypto_chacha20_h(sub_key, key, nonce); + crypto_chacha20_djb(auth_key, 0, 64, sub_key, nonce + 16, 0); + crypto_chacha20_djb(cipher_text, plain_text, text_size, sub_key, nonce + 16, 1); lock_auth(mac, auth_key, ad, ad_size, cipher_text, text_size); WIPE_BUFFER(sub_key); @@ -2868,14 +2849,14 @@ int crypto_unlock_aead(u8 *plain_text, const u8 key[32], const u8 nonce[24], { u8 sub_key[32]; u8 auth_key[64]; // "Wasting" the whole Chacha block is faster - crypto_hchacha20(sub_key, key, nonce); - crypto_chacha20(auth_key, 0, 64, sub_key, nonce + 16); + crypto_chacha20_h(sub_key, key, nonce); + crypto_chacha20_djb(auth_key, 0, 64, sub_key, nonce + 16, 0); u8 real_mac[16]; lock_auth(real_mac, auth_key, ad, ad_size, cipher_text, text_size); WIPE_BUFFER(auth_key); int mismatch = crypto_verify16(mac, real_mac); if (!mismatch) { - crypto_chacha20_ctr(plain_text, cipher_text, text_size, + crypto_chacha20_djb(plain_text, cipher_text, text_size, sub_key, nonce + 16, 1); } WIPE_BUFFER(sub_key); diff --git a/src/monocypher.h b/src/monocypher.h index d4078da..e98ac36 100644 --- a/src/monocypher.h +++ b/src/monocypher.h @@ -210,45 +210,30 @@ int crypto_eddsa_check(const uint8_t signature [64], // Specialised hash. // Used to hash X25519 shared secrets. -void crypto_hchacha20(uint8_t out[32], - const uint8_t key[32], - const uint8_t in [16]); +void crypto_chacha20_h(uint8_t out[32], + const uint8_t key[32], + const uint8_t in [16]); // Unauthenticated stream cipher. // Don't forget to add authentication. -void crypto_chacha20(uint8_t *cipher_text, - const uint8_t *plain_text, - size_t text_size, - const uint8_t key[32], - const uint8_t nonce[8]); -void crypto_xchacha20(uint8_t *cipher_text, - const uint8_t *plain_text, - size_t text_size, - const uint8_t key[32], - const uint8_t nonce[24]); -void crypto_ietf_chacha20(uint8_t *cipher_text, - const uint8_t *plain_text, - size_t text_size, - const uint8_t key[32], - const uint8_t nonce[12]); -uint64_t crypto_chacha20_ctr(uint8_t *cipher_text, +uint64_t crypto_chacha20_djb(uint8_t *cipher_text, const uint8_t *plain_text, size_t text_size, const uint8_t key[32], const uint8_t nonce[8], uint64_t ctr); -uint64_t crypto_xchacha20_ctr(uint8_t *cipher_text, +uint32_t crypto_chacha20_ietf(uint8_t *cipher_text, const uint8_t *plain_text, size_t text_size, const uint8_t key[32], - const uint8_t nonce[24], - uint64_t ctr); -uint32_t crypto_ietf_chacha20_ctr(uint8_t *cipher_text, - const uint8_t *plain_text, - size_t text_size, - const uint8_t key[32], - const uint8_t nonce[12], - uint32_t ctr); + const uint8_t nonce[12], + uint32_t ctr); +uint64_t crypto_chacha20_x(uint8_t *cipher_text, + const uint8_t *plain_text, + size_t text_size, + const uint8_t key[32], + const uint8_t nonce[24], + uint64_t ctr); // Poly 1305 diff --git a/tests/speed/speed.c b/tests/speed/speed.c index 3d4b625..359bba8 100644 --- a/tests/speed/speed.c +++ b/tests/speed/speed.c @@ -62,7 +62,7 @@ static u64 chacha20(void) RANDOM_INPUT(nonce, 8); TIMING_START { - crypto_chacha20(out, in, SIZE, key, nonce); + crypto_chacha20_djb(out, in, SIZE, key, nonce, 0); } TIMING_END; } diff --git a/tests/test.c b/tests/test.c index 6236b23..7c1de6f 100644 --- a/tests/test.c +++ b/tests/test.c @@ -113,7 +113,7 @@ static void chacha20(vector_reader *reader) u64 ctr = load64_le(next_input(reader).buf); vector out = next_output(reader); u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0); - u64 new_ctr = crypto_chacha20_ctr(out.buf, plain.buf, plain.size, + u64 new_ctr = crypto_chacha20_djb(out.buf, plain.buf, plain.size, key.buf, nonce.buf, ctr); ASSERT(new_ctr - ctr == nb_blocks); } @@ -126,8 +126,8 @@ static void ietf_chacha20(vector_reader *reader) u32 ctr = load32_le(next_input(reader).buf); vector out = next_output(reader); u32 nb_blocks = (u32)(plain.size / 64 + (plain.size % 64 != 0)); - u32 new_ctr = crypto_ietf_chacha20_ctr(out.buf, plain.buf, plain.size, - key.buf, nonce.buf, ctr); + u32 new_ctr = crypto_chacha20_ietf(out.buf, plain.buf, plain.size, + key.buf, nonce.buf, ctr); ASSERT(new_ctr - ctr == nb_blocks); } @@ -139,8 +139,8 @@ static void xchacha20(vector_reader *reader) u64 ctr = load64_le(next_input(reader).buf); vector out = next_output(reader); u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0); - u64 new_ctr = crypto_xchacha20_ctr(out.buf, plain.buf, plain.size, - key.buf, nonce.buf, ctr); + u64 new_ctr = crypto_chacha20_x(out.buf, plain.buf, plain.size, + key.buf, nonce.buf, ctr); ASSERT(new_ctr - ctr == nb_blocks); } @@ -149,7 +149,7 @@ static void hchacha20(vector_reader *reader) vector key = next_input(reader); vector nonce = next_input(reader); vector out = next_output(reader); - crypto_hchacha20(out.buf, key.buf, nonce.buf); + crypto_chacha20_h(out.buf, key.buf, nonce.buf); } static void test_chacha20() @@ -163,9 +163,9 @@ static void test_chacha20() u8 out_full[128]; u8 out1 [64]; u8 out2 [64]; - crypto_chacha20 (out_full, plain , 128, key, nonce); - crypto_chacha20_ctr(out1 , plain + 0, 64, key, nonce, 0); - crypto_chacha20_ctr(out2 , plain + 64, 64, key, nonce, 1); + crypto_chacha20_djb(out_full, plain , 128, key, nonce, 0); + crypto_chacha20_djb(out1 , plain + 0, 64, key, nonce, 0); + crypto_chacha20_djb(out2 , plain + 64, 64, key, nonce, 1); ASSERT_EQUAL(out_full , out1, 64); ASSERT_EQUAL(out_full + 64, out2, 64); } @@ -178,8 +178,8 @@ static void test_chacha20() u8 zeroes [INPUT_SIZE] = {0}; RANDOM_INPUT(key , 32); RANDOM_INPUT(nonce, 8); - crypto_chacha20(output_normal, zeroes, i, key, nonce); - crypto_chacha20(output_stream, 0 , i, key, nonce); + crypto_chacha20_djb(output_normal, zeroes, i, key, nonce, 0); + crypto_chacha20_djb(output_stream, 0 , i, key, nonce, 0); ASSERT_EQUAL(output_normal, output_stream, i); } @@ -191,8 +191,8 @@ static void test_chacha20() RANDOM_INPUT(input, INPUT_SIZE); RANDOM_INPUT(key , 32); RANDOM_INPUT(nonce, 8); - crypto_chacha20(output, input, INPUT_SIZE, key, nonce); - crypto_chacha20(input , input, INPUT_SIZE, key, nonce); + crypto_chacha20_djb(output, input, INPUT_SIZE, key, nonce, 0); + crypto_chacha20_djb(input , input, INPUT_SIZE, key, nonce, 0); ASSERT_EQUAL(output, input, INPUT_SIZE); } @@ -205,9 +205,9 @@ static void test_chacha20() u8 out_full[128]; u8 out1 [64]; u8 out2 [64]; - crypto_ietf_chacha20 (out_full, plain , 128, key, nonce); - crypto_ietf_chacha20_ctr(out1 , plain + 0, 64, key, nonce, 0); - crypto_ietf_chacha20_ctr(out2 , plain + 64, 64, key, nonce, 1); + crypto_chacha20_ietf(out_full, plain , 128, key, nonce, 0); + crypto_chacha20_ietf(out1 , plain + 0, 64, key, nonce, 0); + crypto_chacha20_ietf(out2 , plain + 64, 64, key, nonce, 1); ASSERT_EQUAL(out_full , out1, 64); ASSERT_EQUAL(out_full + 64, out2, 64); } @@ -221,9 +221,9 @@ static void test_chacha20() u8 out_full[128]; u8 out1 [64]; u8 out2 [64]; - crypto_xchacha20 (out_full, plain , 128, key, nonce); - crypto_xchacha20_ctr(out1 , plain + 0, 64, key, nonce, 0); - crypto_xchacha20_ctr(out2 , plain + 64, 64, key, nonce, 1); + crypto_chacha20_x(out_full, plain , 128, key, nonce, 0); + crypto_chacha20_x(out1 , plain + 0, 64, key, nonce, 0); + crypto_chacha20_x(out2 , plain + 64, 64, key, nonce, 1); ASSERT_EQUAL(out_full , out1, 64); ASSERT_EQUAL(out_full + 64, out2, 64); } @@ -240,8 +240,8 @@ static void test_chacha20() // Run with and without overlap, then compare u8 out[32]; - crypto_hchacha20(out, key, in); - crypto_hchacha20(buffer + out_idx, buffer + key_idx, buffer + in_idx); + crypto_chacha20_h(out, key, in); + crypto_chacha20_h(buffer + out_idx, buffer + key_idx, buffer + in_idx); ASSERT_EQUAL(out, buffer + out_idx, 32); } } diff --git a/tests/tis-ci.c b/tests/tis-ci.c index 31fe93f..435d904 100644 --- a/tests/tis-ci.c +++ b/tests/tis-ci.c @@ -69,7 +69,7 @@ static void chacha20(vector_reader *reader) u64 ctr = load64_le(next_input(reader).buf); vector out = next_output(reader); u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0); - u64 new_ctr = crypto_chacha20_ctr(out.buf, plain.buf, plain.size, + u64 new_ctr = crypto_chacha20_djb(out.buf, plain.buf, plain.size, key.buf, nonce.buf, ctr); if (new_ctr - ctr != nb_blocks) { printf("FAILURE: Chacha20 returned counter not correct: "); @@ -84,8 +84,8 @@ static void ietf_chacha20(vector_reader *reader) u64 ctr = load64_le(next_input(reader).buf); vector out = next_output(reader); u32 nb_blocks = (u32)(plain.size / 64 + (plain.size % 64 != 0)); - u32 new_ctr = crypto_ietf_chacha20_ctr(out.buf, plain.buf, plain.size, - key.buf, nonce.buf, ctr); + u32 new_ctr = crypto_chacha20_ietf(out.buf, plain.buf, plain.size, + key.buf, nonce.buf, ctr); if (new_ctr - ctr != nb_blocks) { printf("FAILURE: IETF Chacha20 returned counter not correct: "); } @@ -96,7 +96,7 @@ static void hchacha20(vector_reader *reader) vector key = next_input(reader); vector nonce = next_input(reader); vector out = next_output(reader); - crypto_hchacha20(out.buf, key.buf, nonce.buf); + crypto_chacha20_h(out.buf, key.buf, nonce.buf); } static void xchacha20(vector_reader *reader) @@ -107,8 +107,8 @@ static void xchacha20(vector_reader *reader) u64 ctr = load64_le(next_input(reader).buf); vector out = next_output(reader); u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0); - u64 new_ctr = crypto_xchacha20_ctr(out.buf, plain.buf, plain.size, - key.buf, nonce.buf, ctr); + u64 new_ctr = crypto_chacha20_x(out.buf, plain.buf, plain.size, + key.buf, nonce.buf, ctr); if (new_ctr - ctr != nb_blocks) { printf("FAILURE: XChacha20 returned counter not correct: "); }