diff options
Diffstat (limited to 'stdlib')
| -rw-r--r-- | stdlib/Makefile | 2 | ||||
| -rw-r--r-- | stdlib/arc4random.c | 196 | ||||
| -rw-r--r-- | stdlib/arc4random.h | 48 | ||||
| -rw-r--r-- | stdlib/chacha20.c | 191 | ||||
| -rw-r--r-- | stdlib/tst-arc4random-chacha20.c | 167 |
5 files changed, 45 insertions, 559 deletions
diff --git a/stdlib/Makefile b/stdlib/Makefile index a900962..f7b25c1 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -246,7 +246,6 @@ tests := \ # tests tests-internal := \ - tst-arc4random-chacha20 \ tst-strtod1i \ tst-strtod3 \ tst-strtod4 \ @@ -256,7 +255,6 @@ tests-internal := \ # tests-internal tests-static := \ - tst-arc4random-chacha20 \ tst-secure-getenv \ # tests-static diff --git a/stdlib/arc4random.c b/stdlib/arc4random.c index 65547e7..e417ef6 100644 --- a/stdlib/arc4random.c +++ b/stdlib/arc4random.c @@ -1,4 +1,4 @@ -/* Pseudo Random Number Generator based on ChaCha20. +/* Pseudo Random Number Generator Copyright (C) 2022 Free Software Foundation, Inc. This file is part of the GNU C Library. @@ -16,7 +16,6 @@ License along with the GNU C Library; if not, see <https://www.gnu.org/licenses/>. */ -#include <arc4random.h> #include <errno.h> #include <not-cancel.h> #include <stdio.h> @@ -24,53 +23,6 @@ #include <sys/mman.h> #include <sys/param.h> #include <sys/random.h> -#include <tls-internal.h> - -/* arc4random keeps two counters: 'have' is the current valid bytes not yet - consumed in 'buf' while 'count' is the maximum number of bytes until a - reseed. - - Both the initial seed and reseed try to obtain entropy from the kernel - and abort the process if none could be obtained. - - The state 'buf' improves the usage of the cipher calls, allowing to call - optimized implementations (if the architecture provides it) and minimize - function call overhead. */ - -#include <chacha20.c> - -/* Called from the fork function to reset the state. */ -void -__arc4random_fork_subprocess (void) -{ - struct arc4random_state_t *state = __glibc_tls_internal ()->rand_state; - if (state != NULL) - { - explicit_bzero (state, sizeof (*state)); - /* Force key init. */ - state->count = -1; - } -} - -/* Return the current thread random state or try to create one if there is - none available. In the case malloc can not allocate a state, arc4random - will try to get entropy with arc4random_getentropy. */ -static struct arc4random_state_t * -arc4random_get_state (void) -{ - struct arc4random_state_t *state = __glibc_tls_internal ()->rand_state; - if (state == NULL) - { - state = malloc (sizeof (struct arc4random_state_t)); - if (state != NULL) - { - /* Force key initialization on first call. */ - state->count = -1; - __glibc_tls_internal ()->rand_state = state; - } - } - return state; -} static void arc4random_getrandom_failure (void) @@ -78,106 +30,63 @@ arc4random_getrandom_failure (void) __libc_fatal ("Fatal glibc error: cannot get entropy for arc4random\n"); } -static void -arc4random_rekey (struct arc4random_state_t *state, uint8_t *rnd, size_t rndlen) +void +__arc4random_buf (void *p, size_t n) { - chacha20_crypt (state->ctx, state->buf, state->buf, sizeof state->buf); - - /* Mix optional user provided data. */ - if (rnd != NULL) - { - size_t m = MIN (rndlen, CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE); - for (size_t i = 0; i < m; i++) - state->buf[i] ^= rnd[i]; - } - - /* Immediately reinit for backtracking resistance. */ - chacha20_init (state->ctx, state->buf, state->buf + CHACHA20_KEY_SIZE); - explicit_bzero (state->buf, CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE); - state->have = sizeof (state->buf) - (CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE); -} + static int seen_initialized; + size_t l; + int fd; -static void -arc4random_getentropy (void *rnd, size_t len) -{ - if (__getrandom_nocancel (rnd, len, GRND_NONBLOCK) == len) + if (n == 0) return; - int fd = TEMP_FAILURE_RETRY (__open64_nocancel ("/dev/urandom", - O_RDONLY | O_CLOEXEC)); - if (fd != -1) + for (;;) { - uint8_t *p = rnd; - uint8_t *end = p + len; - do + l = TEMP_FAILURE_RETRY (__getrandom_nocancel (p, n, 0)); + if (l > 0) { - ssize_t ret = TEMP_FAILURE_RETRY (__read_nocancel (fd, p, end - p)); - if (ret <= 0) - arc4random_getrandom_failure (); - p += ret; + if ((size_t) l == n) + return; /* Done reading, success. */ + p = (uint8_t *) p + l; + n -= l; + continue; /* Interrupted by a signal; keep going. */ } - while (p < end); - - if (__close_nocancel (fd) == 0) - return; + else if (l < 0 && errno == ENOSYS) + break; /* No syscall, so fallback to /dev/urandom. */ + arc4random_getrandom_failure (); } - arc4random_getrandom_failure (); -} -/* Check if the thread context STATE should be reseed with kernel entropy - depending of requested LEN bytes. If there is less than requested, - the state is either initialized or reseeded, otherwise the internal - counter subtract the requested length. */ -static void -arc4random_check_stir (struct arc4random_state_t *state, size_t len) -{ - if (state->count <= len || state->count == -1) + if (atomic_load_relaxed (&seen_initialized) == 0) { - uint8_t rnd[CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE]; - arc4random_getentropy (rnd, sizeof rnd); - - if (state->count == -1) - chacha20_init (state->ctx, rnd, rnd + CHACHA20_KEY_SIZE); - else - arc4random_rekey (state, rnd, sizeof rnd); - - explicit_bzero (rnd, sizeof rnd); - - /* Invalidate the buf. */ - state->have = 0; - memset (state->buf, 0, sizeof state->buf); - state->count = CHACHA20_RESEED_SIZE; + /* Poll /dev/random as an approximation of RNG initialization. */ + struct pollfd pfd = { .events = POLLIN }; + pfd.fd = TEMP_FAILURE_RETRY ( + __open64_nocancel ("/dev/random", O_RDONLY | O_CLOEXEC | O_NOCTTY)); + if (pfd.fd < 0) + arc4random_getrandom_failure (); + if (TEMP_FAILURE_RETRY (__poll_infinity_nocancel (&pfd, 1)) < 0) + arc4random_getrandom_failure (); + if (__close_nocancel (pfd.fd) < 0) + arc4random_getrandom_failure (); + atomic_store_relaxed (&seen_initialized, 1); } - else - state->count -= len; -} -void -__arc4random_buf (void *buffer, size_t len) -{ - struct arc4random_state_t *state = arc4random_get_state (); - if (__glibc_unlikely (state == NULL)) - { - arc4random_getentropy (buffer, len); - return; - } - - arc4random_check_stir (state, len); - while (len > 0) + fd = TEMP_FAILURE_RETRY ( + __open64_nocancel ("/dev/urandom", O_RDONLY | O_CLOEXEC | O_NOCTTY)); + if (fd < 0) + arc4random_getrandom_failure (); + for (;;) { - if (state->have > 0) - { - size_t m = MIN (len, state->have); - uint8_t *ks = state->buf + sizeof (state->buf) - state->have; - memcpy (buffer, ks, m); - explicit_bzero (ks, m); - buffer += m; - len -= m; - state->have -= m; - } - if (state->have == 0) - arc4random_rekey (state, NULL, 0); + l = TEMP_FAILURE_RETRY (__read_nocancel (fd, p, n)); + if (l <= 0) + arc4random_getrandom_failure (); + if ((size_t) l == n) + break; /* Done reading, success. */ + p = (uint8_t *) p + l; + n -= l; } + if (__close_nocancel (fd) < 0) + arc4random_getrandom_failure (); } libc_hidden_def (__arc4random_buf) weak_alias (__arc4random_buf, arc4random_buf) @@ -186,22 +95,7 @@ uint32_t __arc4random (void) { uint32_t r; - - struct arc4random_state_t *state = arc4random_get_state (); - if (__glibc_unlikely (state == NULL)) - { - arc4random_getentropy (&r, sizeof (uint32_t)); - return r; - } - - arc4random_check_stir (state, sizeof (uint32_t)); - if (state->have < sizeof (uint32_t)) - arc4random_rekey (state, NULL, 0); - uint8_t *ks = state->buf + sizeof (state->buf) - state->have; - memcpy (&r, ks, sizeof (uint32_t)); - memset (ks, 0, sizeof (uint32_t)); - state->have -= sizeof (uint32_t); - + __arc4random_buf (&r, sizeof (r)); return r; } libc_hidden_def (__arc4random) diff --git a/stdlib/arc4random.h b/stdlib/arc4random.h deleted file mode 100644 index cd39389..0000000 --- a/stdlib/arc4random.h +++ /dev/null @@ -1,48 +0,0 @@ -/* Arc4random definition used on TLS. - Copyright (C) 2022 Free Software Foundation, Inc. - This file is part of the GNU C Library. - - The GNU C Library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - - The GNU C Library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with the GNU C Library; if not, see - <https://www.gnu.org/licenses/>. */ - -#ifndef _CHACHA20_H -#define _CHACHA20_H - -#include <stddef.h> -#include <stdint.h> - -/* Internal ChaCha20 state. */ -#define CHACHA20_STATE_LEN 16 -#define CHACHA20_BLOCK_SIZE 64 - -/* Maximum number bytes until reseed (16 MB). */ -#define CHACHA20_RESEED_SIZE (16 * 1024 * 1024) - -/* Internal arc4random buffer, used on each feedback step so offer some - backtracking protection and to allow better used of vectorized - chacha20 implementations. */ -#define CHACHA20_BUFSIZE (8 * CHACHA20_BLOCK_SIZE) - -_Static_assert (CHACHA20_BUFSIZE >= CHACHA20_BLOCK_SIZE + CHACHA20_BLOCK_SIZE, - "CHACHA20_BUFSIZE < CHACHA20_BLOCK_SIZE + CHACHA20_BLOCK_SIZE"); - -struct arc4random_state_t -{ - uint32_t ctx[CHACHA20_STATE_LEN]; - size_t have; - size_t count; - uint8_t buf[CHACHA20_BUFSIZE]; -}; - -#endif diff --git a/stdlib/chacha20.c b/stdlib/chacha20.c deleted file mode 100644 index 2745a81..0000000 --- a/stdlib/chacha20.c +++ /dev/null @@ -1,191 +0,0 @@ -/* Generic ChaCha20 implementation (used on arc4random). - Copyright (C) 2022 Free Software Foundation, Inc. - This file is part of the GNU C Library. - - The GNU C Library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - - The GNU C Library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with the GNU C Library; if not, see - <https://www.gnu.org/licenses/>. */ - -#include <array_length.h> -#include <endian.h> -#include <stddef.h> -#include <stdint.h> -#include <string.h> - -/* 32-bit stream position, then 96-bit nonce. */ -#define CHACHA20_IV_SIZE 16 -#define CHACHA20_KEY_SIZE 32 - -#define CHACHA20_STATE_LEN 16 - -/* The ChaCha20 implementation is based on RFC8439 [1], omitting the final - XOR of the keystream with the plaintext because the plaintext is a - stream of zeros. */ - -enum chacha20_constants -{ - CHACHA20_CONSTANT_EXPA = 0x61707865U, - CHACHA20_CONSTANT_ND_3 = 0x3320646eU, - CHACHA20_CONSTANT_2_BY = 0x79622d32U, - CHACHA20_CONSTANT_TE_K = 0x6b206574U -}; - -static inline uint32_t -read_unaligned_32 (const uint8_t *p) -{ - uint32_t r; - memcpy (&r, p, sizeof (r)); - return r; -} - -static inline void -write_unaligned_32 (uint8_t *p, uint32_t v) -{ - memcpy (p, &v, sizeof (v)); -} - -#if __BYTE_ORDER == __BIG_ENDIAN -# define read_unaligned_le32(p) __builtin_bswap32 (read_unaligned_32 (p)) -# define set_state(v) __builtin_bswap32 ((v)) -#else -# define read_unaligned_le32(p) read_unaligned_32 ((p)) -# define set_state(v) (v) -#endif - -static inline void -chacha20_init (uint32_t *state, const uint8_t *key, const uint8_t *iv) -{ - state[0] = CHACHA20_CONSTANT_EXPA; - state[1] = CHACHA20_CONSTANT_ND_3; - state[2] = CHACHA20_CONSTANT_2_BY; - state[3] = CHACHA20_CONSTANT_TE_K; - - state[4] = read_unaligned_le32 (key + 0 * sizeof (uint32_t)); - state[5] = read_unaligned_le32 (key + 1 * sizeof (uint32_t)); - state[6] = read_unaligned_le32 (key + 2 * sizeof (uint32_t)); - state[7] = read_unaligned_le32 (key + 3 * sizeof (uint32_t)); - state[8] = read_unaligned_le32 (key + 4 * sizeof (uint32_t)); - state[9] = read_unaligned_le32 (key + 5 * sizeof (uint32_t)); - state[10] = read_unaligned_le32 (key + 6 * sizeof (uint32_t)); - state[11] = read_unaligned_le32 (key + 7 * sizeof (uint32_t)); - - state[12] = read_unaligned_le32 (iv + 0 * sizeof (uint32_t)); - state[13] = read_unaligned_le32 (iv + 1 * sizeof (uint32_t)); - state[14] = read_unaligned_le32 (iv + 2 * sizeof (uint32_t)); - state[15] = read_unaligned_le32 (iv + 3 * sizeof (uint32_t)); -} - -static inline uint32_t -rotl32 (unsigned int shift, uint32_t word) -{ - return (word << (shift & 31)) | (word >> ((-shift) & 31)); -} - -static void -state_final (const uint8_t *src, uint8_t *dst, uint32_t v) -{ -#ifdef CHACHA20_XOR_FINAL - v ^= read_unaligned_32 (src); -#endif - write_unaligned_32 (dst, v); -} - -static inline void -chacha20_block (uint32_t *state, uint8_t *dst, const uint8_t *src) -{ - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t x8, x9, x10, x11, x12, x13, x14, x15; - - x0 = state[0]; - x1 = state[1]; - x2 = state[2]; - x3 = state[3]; - x4 = state[4]; - x5 = state[5]; - x6 = state[6]; - x7 = state[7]; - x8 = state[8]; - x9 = state[9]; - x10 = state[10]; - x11 = state[11]; - x12 = state[12]; - x13 = state[13]; - x14 = state[14]; - x15 = state[15]; - - for (int i = 0; i < 20; i += 2) - { -#define QROUND(_x0, _x1, _x2, _x3) \ - do { \ - _x0 = _x0 + _x1; _x3 = rotl32 (16, (_x0 ^ _x3)); \ - _x2 = _x2 + _x3; _x1 = rotl32 (12, (_x1 ^ _x2)); \ - _x0 = _x0 + _x1; _x3 = rotl32 (8, (_x0 ^ _x3)); \ - _x2 = _x2 + _x3; _x1 = rotl32 (7, (_x1 ^ _x2)); \ - } while(0) - - QROUND (x0, x4, x8, x12); - QROUND (x1, x5, x9, x13); - QROUND (x2, x6, x10, x14); - QROUND (x3, x7, x11, x15); - - QROUND (x0, x5, x10, x15); - QROUND (x1, x6, x11, x12); - QROUND (x2, x7, x8, x13); - QROUND (x3, x4, x9, x14); - } - - state_final (&src[0], &dst[0], set_state (x0 + state[0])); - state_final (&src[4], &dst[4], set_state (x1 + state[1])); - state_final (&src[8], &dst[8], set_state (x2 + state[2])); - state_final (&src[12], &dst[12], set_state (x3 + state[3])); - state_final (&src[16], &dst[16], set_state (x4 + state[4])); - state_final (&src[20], &dst[20], set_state (x5 + state[5])); - state_final (&src[24], &dst[24], set_state (x6 + state[6])); - state_final (&src[28], &dst[28], set_state (x7 + state[7])); - state_final (&src[32], &dst[32], set_state (x8 + state[8])); - state_final (&src[36], &dst[36], set_state (x9 + state[9])); - state_final (&src[40], &dst[40], set_state (x10 + state[10])); - state_final (&src[44], &dst[44], set_state (x11 + state[11])); - state_final (&src[48], &dst[48], set_state (x12 + state[12])); - state_final (&src[52], &dst[52], set_state (x13 + state[13])); - state_final (&src[56], &dst[56], set_state (x14 + state[14])); - state_final (&src[60], &dst[60], set_state (x15 + state[15])); - - state[12]++; -} - -static void -__attribute_maybe_unused__ -chacha20_crypt_generic (uint32_t *state, uint8_t *dst, const uint8_t *src, - size_t bytes) -{ - while (bytes >= CHACHA20_BLOCK_SIZE) - { - chacha20_block (state, dst, src); - - bytes -= CHACHA20_BLOCK_SIZE; - dst += CHACHA20_BLOCK_SIZE; - src += CHACHA20_BLOCK_SIZE; - } - - if (__glibc_unlikely (bytes != 0)) - { - uint8_t stream[CHACHA20_BLOCK_SIZE]; - chacha20_block (state, stream, src); - memcpy (dst, stream, bytes); - explicit_bzero (stream, sizeof stream); - } -} - -/* Get the architecture optimized version. */ -#include <chacha20_arch.h> diff --git a/stdlib/tst-arc4random-chacha20.c b/stdlib/tst-arc4random-chacha20.c deleted file mode 100644 index 45ba549..0000000 --- a/stdlib/tst-arc4random-chacha20.c +++ /dev/null @@ -1,167 +0,0 @@ -/* Basic tests for chacha20 cypher used in arc4random. - Copyright (C) 2022 Free Software Foundation, Inc. - This file is part of the GNU C Library. - - The GNU C Library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - - The GNU C Library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with the GNU C Library; if not, see - <https://www.gnu.org/licenses/>. */ - -#include <arc4random.h> -#include <support/check.h> -#include <sys/cdefs.h> - -/* The test does not define CHACHA20_XOR_FINAL to mimic what arc4random - actual does. */ -#include <chacha20.c> - -static int -do_test (void) -{ - const uint8_t key[CHACHA20_KEY_SIZE] = - { - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - }; - const uint8_t iv[CHACHA20_IV_SIZE] = - { - 0x0, 0x0, 0x0, 0x0, - 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, - }; - const uint8_t expected1[CHACHA20_BUFSIZE] = - { - 0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90, 0x40, 0x5d, 0x6a, - 0xe5, 0x53, 0x86, 0xbd, 0x28, 0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d, - 0xed, 0x1a, 0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7, 0xda, - 0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d, 0x77, 0x24, 0xe0, 0x3f, - 0xb8, 0xd8, 0x4a, 0x37, 0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1, - 0x1c, 0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86, 0x9f, 0x07, - 0xe7, 0xbe, 0x55, 0x51, 0x38, 0x7a, 0x98, 0xba, 0x97, 0x7c, 0x73, - 0x2d, 0x08, 0x0d, 0xcb, 0x0f, 0x29, 0xa0, 0x48, 0xe3, 0x65, 0x69, - 0x12, 0xc6, 0x53, 0x3e, 0x32, 0xee, 0x7a, 0xed, 0x29, 0xb7, 0x21, - 0x76, 0x9c, 0xe6, 0x4e, 0x43, 0xd5, 0x71, 0x33, 0xb0, 0x74, 0xd8, - 0x39, 0xd5, 0x31, 0xed, 0x1f, 0x28, 0x51, 0x0a, 0xfb, 0x45, 0xac, - 0xe1, 0x0a, 0x1f, 0x4b, 0x79, 0x4d, 0x6f, 0x2d, 0x09, 0xa0, 0xe6, - 0x63, 0x26, 0x6c, 0xe1, 0xae, 0x7e, 0xd1, 0x08, 0x19, 0x68, 0xa0, - 0x75, 0x8e, 0x71, 0x8e, 0x99, 0x7b, 0xd3, 0x62, 0xc6, 0xb0, 0xc3, - 0x46, 0x34, 0xa9, 0xa0, 0xb3, 0x5d, 0x01, 0x27, 0x37, 0x68, 0x1f, - 0x7b, 0x5d, 0x0f, 0x28, 0x1e, 0x3a, 0xfd, 0xe4, 0x58, 0xbc, 0x1e, - 0x73, 0xd2, 0xd3, 0x13, 0xc9, 0xcf, 0x94, 0xc0, 0x5f, 0xf3, 0x71, - 0x62, 0x40, 0xa2, 0x48, 0xf2, 0x13, 0x20, 0xa0, 0x58, 0xd7, 0xb3, - 0x56, 0x6b, 0xd5, 0x20, 0xda, 0xaa, 0x3e, 0xd2, 0xbf, 0x0a, 0xc5, - 0xb8, 0xb1, 0x20, 0xfb, 0x85, 0x27, 0x73, 0xc3, 0x63, 0x97, 0x34, - 0xb4, 0x5c, 0x91, 0xa4, 0x2d, 0xd4, 0xcb, 0x83, 0xf8, 0x84, 0x0d, - 0x2e, 0xed, 0xb1, 0x58, 0x13, 0x10, 0x62, 0xac, 0x3f, 0x1f, 0x2c, - 0xf8, 0xff, 0x6d, 0xcd, 0x18, 0x56, 0xe8, 0x6a, 0x1e, 0x6c, 0x31, - 0x67, 0x16, 0x7e, 0xe5, 0xa6, 0x88, 0x74, 0x2b, 0x47, 0xc5, 0xad, - 0xfb, 0x59, 0xd4, 0xdf, 0x76, 0xfd, 0x1d, 0xb1, 0xe5, 0x1e, 0xe0, - 0x3b, 0x1c, 0xa9, 0xf8, 0x2a, 0xca, 0x17, 0x3e, 0xdb, 0x8b, 0x72, - 0x93, 0x47, 0x4e, 0xbe, 0x98, 0x0f, 0x90, 0x4d, 0x10, 0xc9, 0x16, - 0x44, 0x2b, 0x47, 0x83, 0xa0, 0xe9, 0x84, 0x86, 0x0c, 0xb6, 0xc9, - 0x57, 0xb3, 0x9c, 0x38, 0xed, 0x8f, 0x51, 0xcf, 0xfa, 0xa6, 0x8a, - 0x4d, 0xe0, 0x10, 0x25, 0xa3, 0x9c, 0x50, 0x45, 0x46, 0xb9, 0xdc, - 0x14, 0x06, 0xa7, 0xeb, 0x28, 0x15, 0x1e, 0x51, 0x50, 0xd7, 0xb2, - 0x04, 0xba, 0xa7, 0x19, 0xd4, 0xf0, 0x91, 0x02, 0x12, 0x17, 0xdb, - 0x5c, 0xf1, 0xb5, 0xc8, 0x4c, 0x4f, 0xa7, 0x1a, 0x87, 0x96, 0x10, - 0xa1, 0xa6, 0x95, 0xac, 0x52, 0x7c, 0x5b, 0x56, 0x77, 0x4a, 0x6b, - 0x8a, 0x21, 0xaa, 0xe8, 0x86, 0x85, 0x86, 0x8e, 0x09, 0x4c, 0xf2, - 0x9e, 0xf4, 0x09, 0x0a, 0xf7, 0xa9, 0x0c, 0xc0, 0x7e, 0x88, 0x17, - 0xaa, 0x52, 0x87, 0x63, 0x79, 0x7d, 0x3c, 0x33, 0x2b, 0x67, 0xca, - 0x4b, 0xc1, 0x10, 0x64, 0x2c, 0x21, 0x51, 0xec, 0x47, 0xee, 0x84, - 0xcb, 0x8c, 0x42, 0xd8, 0x5f, 0x10, 0xe2, 0xa8, 0xcb, 0x18, 0xc3, - 0xb7, 0x33, 0x5f, 0x26, 0xe8, 0xc3, 0x9a, 0x12, 0xb1, 0xbc, 0xc1, - 0x70, 0x71, 0x77, 0xb7, 0x61, 0x38, 0x73, 0x2e, 0xed, 0xaa, 0xb7, - 0x4d, 0xa1, 0x41, 0x0f, 0xc0, 0x55, 0xea, 0x06, 0x8c, 0x99, 0xe9, - 0x26, 0x0a, 0xcb, 0xe3, 0x37, 0xcf, 0x5d, 0x3e, 0x00, 0xe5, 0xb3, - 0x23, 0x0f, 0xfe, 0xdb, 0x0b, 0x99, 0x07, 0x87, 0xd0, 0xc7, 0x0e, - 0x0b, 0xfe, 0x41, 0x98, 0xea, 0x67, 0x58, 0xdd, 0x5a, 0x61, 0xfb, - 0x5f, 0xec, 0x2d, 0xf9, 0x81, 0xf3, 0x1b, 0xef, 0xe1, 0x53, 0xf8, - 0x1d, 0x17, 0x16, 0x17, 0x84, 0xdb - }; - - const uint8_t expected2[CHACHA20_BUFSIZE] = - { - 0x1c, 0x88, 0x22, 0xd5, 0x3c, 0xd1, 0xee, 0x7d, 0xb5, 0x32, 0x36, - 0x48, 0x28, 0xbd, 0xf4, 0x04, 0xb0, 0x40, 0xa8, 0xdc, 0xc5, 0x22, - 0xf3, 0xd3, 0xd9, 0x9a, 0xec, 0x4b, 0x80, 0x57, 0xed, 0xb8, 0x50, - 0x09, 0x31, 0xa2, 0xc4, 0x2d, 0x2f, 0x0c, 0x57, 0x08, 0x47, 0x10, - 0x0b, 0x57, 0x54, 0xda, 0xfc, 0x5f, 0xbd, 0xb8, 0x94, 0xbb, 0xef, - 0x1a, 0x2d, 0xe1, 0xa0, 0x7f, 0x8b, 0xa0, 0xc4, 0xb9, 0x19, 0x30, - 0x10, 0x66, 0xed, 0xbc, 0x05, 0x6b, 0x7b, 0x48, 0x1e, 0x7a, 0x0c, - 0x46, 0x29, 0x7b, 0xbb, 0x58, 0x9d, 0x9d, 0xa5, 0xb6, 0x75, 0xa6, - 0x72, 0x3e, 0x15, 0x2e, 0x5e, 0x63, 0xa4, 0xce, 0x03, 0x4e, 0x9e, - 0x83, 0xe5, 0x8a, 0x01, 0x3a, 0xf0, 0xe7, 0x35, 0x2f, 0xb7, 0x90, - 0x85, 0x14, 0xe3, 0xb3, 0xd1, 0x04, 0x0d, 0x0b, 0xb9, 0x63, 0xb3, - 0x95, 0x4b, 0x63, 0x6b, 0x5f, 0xd4, 0xbf, 0x6d, 0x0a, 0xad, 0xba, - 0xf8, 0x15, 0x7d, 0x06, 0x2a, 0xcb, 0x24, 0x18, 0xc1, 0x76, 0xa4, - 0x75, 0x51, 0x1b, 0x35, 0xc3, 0xf6, 0x21, 0x8a, 0x56, 0x68, 0xea, - 0x5b, 0xc6, 0xf5, 0x4b, 0x87, 0x82, 0xf8, 0xb3, 0x40, 0xf0, 0x0a, - 0xc1, 0xbe, 0xba, 0x5e, 0x62, 0xcd, 0x63, 0x2a, 0x7c, 0xe7, 0x80, - 0x9c, 0x72, 0x56, 0x08, 0xac, 0xa5, 0xef, 0xbf, 0x7c, 0x41, 0xf2, - 0x37, 0x64, 0x3f, 0x06, 0xc0, 0x99, 0x72, 0x07, 0x17, 0x1d, 0xe8, - 0x67, 0xf9, 0xd6, 0x97, 0xbf, 0x5e, 0xa6, 0x01, 0x1a, 0xbc, 0xce, - 0x6c, 0x8c, 0xdb, 0x21, 0x13, 0x94, 0xd2, 0xc0, 0x2d, 0xd0, 0xfb, - 0x60, 0xdb, 0x5a, 0x2c, 0x17, 0xac, 0x3d, 0xc8, 0x58, 0x78, 0xa9, - 0x0b, 0xed, 0x38, 0x09, 0xdb, 0xb9, 0x6e, 0xaa, 0x54, 0x26, 0xfc, - 0x8e, 0xae, 0x0d, 0x2d, 0x65, 0xc4, 0x2a, 0x47, 0x9f, 0x08, 0x86, - 0x48, 0xbe, 0x2d, 0xc8, 0x01, 0xd8, 0x2a, 0x36, 0x6f, 0xdd, 0xc0, - 0xef, 0x23, 0x42, 0x63, 0xc0, 0xb6, 0x41, 0x7d, 0x5f, 0x9d, 0xa4, - 0x18, 0x17, 0xb8, 0x8d, 0x68, 0xe5, 0xe6, 0x71, 0x95, 0xc5, 0xc1, - 0xee, 0x30, 0x95, 0xe8, 0x21, 0xf2, 0x25, 0x24, 0xb2, 0x0b, 0xe4, - 0x1c, 0xeb, 0x59, 0x04, 0x12, 0xe4, 0x1d, 0xc6, 0x48, 0x84, 0x3f, - 0xa9, 0xbf, 0xec, 0x7a, 0x3d, 0xcf, 0x61, 0xab, 0x05, 0x41, 0x57, - 0x33, 0x16, 0xd3, 0xfa, 0x81, 0x51, 0x62, 0x93, 0x03, 0xfe, 0x97, - 0x41, 0x56, 0x2e, 0xd0, 0x65, 0xdb, 0x4e, 0xbc, 0x00, 0x50, 0xef, - 0x55, 0x83, 0x64, 0xae, 0x81, 0x12, 0x4a, 0x28, 0xf5, 0xc0, 0x13, - 0x13, 0x23, 0x2f, 0xbc, 0x49, 0x6d, 0xfd, 0x8a, 0x25, 0x68, 0x65, - 0x7b, 0x68, 0x6d, 0x72, 0x14, 0x38, 0x2a, 0x1a, 0x00, 0x90, 0x30, - 0x17, 0xdd, 0xa9, 0x69, 0x87, 0x84, 0x42, 0xba, 0x5a, 0xff, 0xf6, - 0x61, 0x3f, 0x55, 0x3c, 0xbb, 0x23, 0x3c, 0xe4, 0x6d, 0x9a, 0xee, - 0x93, 0xa7, 0x87, 0x6c, 0xf5, 0xe9, 0xe8, 0x29, 0x12, 0xb1, 0x8c, - 0xad, 0xf0, 0xb3, 0x43, 0x27, 0xb2, 0xe0, 0x42, 0x7e, 0xcf, 0x66, - 0xb7, 0xce, 0xb7, 0xc0, 0x91, 0x8d, 0xc4, 0x7b, 0xdf, 0xf1, 0x2a, - 0x06, 0x2a, 0xdf, 0x07, 0x13, 0x30, 0x09, 0xce, 0x7a, 0x5e, 0x5c, - 0x91, 0x7e, 0x01, 0x68, 0x30, 0x61, 0x09, 0xb7, 0xcb, 0x49, 0x65, - 0x3a, 0x6d, 0x2c, 0xae, 0xf0, 0x05, 0xde, 0x78, 0x3a, 0x9a, 0x9b, - 0xfe, 0x05, 0x38, 0x1e, 0xd1, 0x34, 0x8d, 0x94, 0xec, 0x65, 0x88, - 0x6f, 0x9c, 0x0b, 0x61, 0x9c, 0x52, 0xc5, 0x53, 0x38, 0x00, 0xb1, - 0x6c, 0x83, 0x61, 0x72, 0xb9, 0x51, 0x82, 0xdb, 0xc5, 0xee, 0xc0, - 0x42, 0xb8, 0x9e, 0x22, 0xf1, 0x1a, 0x08, 0x5b, 0x73, 0x9a, 0x36, - 0x11, 0xcd, 0x8d, 0x83, 0x60, 0x18 - }; - - /* Check with the expected internal arc4random keystream buffer. Some - architecture optimizations expects a buffer with a minimum size which - is a multiple of then ChaCha20 blocksize, so they might not be prepared - to handle smaller buffers. */ - - uint8_t output[CHACHA20_BUFSIZE]; - - uint32_t state[CHACHA20_STATE_LEN]; - chacha20_init (state, key, iv); - - /* Check with the initial state. */ - uint8_t input[CHACHA20_BUFSIZE] = { 0 }; - - chacha20_crypt (state, output, input, CHACHA20_BUFSIZE); - TEST_COMPARE_BLOB (output, sizeof output, expected1, CHACHA20_BUFSIZE); - - /* And on the next round. */ - chacha20_crypt (state, output, input, CHACHA20_BUFSIZE); - TEST_COMPARE_BLOB (output, sizeof output, expected2, CHACHA20_BUFSIZE); - - return 0; -} - -#include <support/test-driver.c> |