1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis */
2 /* SPDX-License-Identifier: Unlicense */
3
4 /* The implementation is based on:
5 * "Extending the Salsa20 nonce", https://cr.yp.to/snuffle/xsalsa-20081128.pdf
6 * "Salsa20 specification", http://cr.yp.to/snuffle/spec.pdf
7 * and salsa20-ref.c version 20051118
8 * Public domain from D. J. Bernstein
9 */
10
11 #include "tomcrypt.h"
12
13 #ifdef LTC_XSALSA20
14
15 #if defined(LTC_SHA256) && defined(LTC_TEST)
s_sha256(unsigned char * hash,const unsigned char * data,const int datalen)16 static int s_sha256(unsigned char *hash, const unsigned char *data, const int datalen) {
17 hash_state md;
18 sha256_init(&md);
19 sha256_process(&md, data, datalen);
20 sha256_done(&md, hash);
21 return CRYPT_OK;
22 }
23 #endif
24
xsalsa20_test(void)25 int xsalsa20_test(void)
26 {
27 #ifndef LTC_TEST
28 return CRYPT_NOP;
29 #else
30
31 /***************************************************************************
32 * verify a round trip:
33 */
34 {
35 const unsigned char key[] = {0x1b,0x27,0x55,0x64,0x73,0xe9,0x85,0xd4,0x62,0xcd,0x51,0x19,0x7a,0x9a,0x46,0xc7,0x60,0x09,0x54,0x9e,0xac,0x64,0x74,0xf2,0x06,0xc4,0xee,0x08,0x44,0xf6,0x83,0x89};
36 const unsigned char nonce[] = {0x69,0x69,0x6e,0xe9,0x55,0xb6,0x2b,0x73,0xcd,0x62,0xbd,0xa8,0x75,0xfc,0x73,0xd6,0x82,0x19,0xe0,0x03,0x6b,0x7a,0x0b,0x37};
37 const void *msg = "Kilroy was here!";
38 unsigned char msglen = 17; /* includes trailing NULL */
39 int rounds = 20;
40 unsigned char ciphertext[17];
41 unsigned char msg2[17];
42 salsa20_state st;
43 int err;
44
45 if ((err = xsalsa20_setup(&st, key, 32, nonce, 24, rounds)) != CRYPT_OK) return err;
46 if ((err = salsa20_crypt(&st, msg, msglen, ciphertext)) != CRYPT_OK) return err;
47 if ((err = salsa20_done(&st)) != CRYPT_OK) return err;
48
49 if ((err = xsalsa20_setup(&st, key, 32, nonce, 24, rounds)) != CRYPT_OK) return err;
50 if ((err = salsa20_crypt(&st, ciphertext, msglen, msg2)) != CRYPT_OK) return err;
51 if ((err = salsa20_done(&st)) != CRYPT_OK) return err;
52
53 if (compare_testvector(msg, msglen, msg2, msglen, "XSALSA20-TV1", 1)) return CRYPT_FAIL_TESTVECTOR;
54
55
56 /* round trip with two single function calls */
57 if ((err = xsalsa20_memory(key, sizeof(key), 20, nonce, sizeof(nonce), msg, msglen, ciphertext)) != CRYPT_OK) return err;
58 if ((err = xsalsa20_memory(key, sizeof(key), 20, nonce, sizeof(nonce), ciphertext, msglen, msg2)) != CRYPT_OK) return err;
59 if (compare_testvector(msg, msglen, msg2, msglen, "XSALSA20-TV2", 1)) return CRYPT_FAIL_TESTVECTOR;
60 }
61
62 #ifdef LTC_SHA256
63 /***************************************************************************
64 * verify correct generation of a keystream
65 */
66 {
67 const unsigned char key[] = {0x1b,0x27,0x55,0x64,0x73,0xe9,0x85,0xd4,0x62,0xcd,0x51,0x19,0x7a,0x9a,0x46,0xc7,0x60,0x09,0x54,0x9e,0xac,0x64,0x74,0xf2,0x06,0xc4,0xee,0x08,0x44,0xf6,0x83,0x89};
68 const unsigned char nonce[] = {0x69,0x69,0x6e,0xe9,0x55,0xb6,0x2b,0x73,0xcd,0x62,0xbd,0xa8,0x75,0xfc,0x73,0xd6,0x82,0x19,0xe0,0x03,0x6b,0x7a,0x0b,0x37};
69 const unsigned char expecthash[] = {0x6a,0x60,0x57,0x65,0x27,0xe0,0x00,0x51,0x6d,0xb0,0xda,0x60,0x46,0x20,0xf6,0xd0,0x95,0x65,0x45,0x39,0xf4,0x86,0x83,0x43,0x64,0xdf,0xd9,0x5a,0x6f,0x3f,0xbe,0xb7};
70 int rounds = 20;
71 unsigned char keystream[91101];
72 unsigned long keystreamlen = 91101;
73 unsigned char hash[32];
74 salsa20_state st;
75 int err;
76
77 if ((err = xsalsa20_setup(&st, key, 32, nonce, 24, rounds)) != CRYPT_OK) return err;
78 if ((err = salsa20_keystream(&st, keystream, keystreamlen)) != CRYPT_OK) return err;
79 if ((err = salsa20_done(&st)) != CRYPT_OK) return err;
80 if ((err = s_sha256(hash, keystream, keystreamlen)) != CRYPT_OK) return err;
81 if (compare_testvector(hash, sizeof(hash), expecthash, sizeof(expecthash), "XSALSA20-TV3", 1)) return CRYPT_FAIL_TESTVECTOR;
82 }
83 #endif
84
85 return CRYPT_OK;
86
87 #endif
88 }
89
90 #endif
91