Index: lib/libcrypto/Symbols.list =================================================================== RCS file: /cvs/src/lib/libcrypto/Symbols.list,v retrieving revision 1.76 diff -u -p -r1.76 Symbols.list --- lib/libcrypto/Symbols.list 12 Sep 2018 06:35:38 -0000 1.76 +++ lib/libcrypto/Symbols.list 15 Oct 2018 21:06:51 -0000 @@ -671,6 +679,7 @@ CRYPTO_get_mem_ex_functions CRYPTO_get_mem_functions CRYPTO_get_new_dynlockid CRYPTO_get_new_lockid +CRYPTO_hchacha_20 CRYPTO_is_mem_check_on CRYPTO_lock CRYPTO_malloc @@ -712,6 +721,7 @@ CRYPTO_set_mem_ex_functions CRYPTO_set_mem_functions CRYPTO_strdup CRYPTO_thread_id +CRYPTO_xchacha_20 CRYPTO_xts128_encrypt Camellia_cbc_encrypt Camellia_cfb128_encrypt @@ -1476,6 +1486,7 @@ EVP_add_digest EVP_aead_aes_128_gcm EVP_aead_aes_256_gcm EVP_aead_chacha20_poly1305 +EVP_aead_xchacha20_poly1305 EVP_aes_128_cbc EVP_aes_128_cbc_hmac_sha1 EVP_aes_128_ccm Index: lib/libcrypto/chacha/chacha-merged.c =================================================================== RCS file: /cvs/src/lib/libcrypto/chacha/chacha-merged.c,v retrieving revision 1.8 diff -u -p -r1.8 chacha-merged.c --- lib/libcrypto/chacha/chacha-merged.c 13 Aug 2017 16:55:31 -0000 1.8 +++ lib/libcrypto/chacha/chacha-merged.c 15 Oct 2018 21:06:52 -0000 @@ -277,3 +277,49 @@ chacha_encrypt_bytes(chacha_ctx *x, cons m += 64; } } + +void +CRYPTO_hchacha_20(unsigned char subkey[32], const unsigned char key[32], + const unsigned char nonce[16]) +{ + uint32_t x[16]; + int i; + + x[0] = U8TO32_LITTLE(sigma + 0); + x[1] = U8TO32_LITTLE(sigma + 4); + x[2] = U8TO32_LITTLE(sigma + 8); + x[3] = U8TO32_LITTLE(sigma + 12); + x[4] = U8TO32_LITTLE(key + 0); + x[5] = U8TO32_LITTLE(key + 4); + x[6] = U8TO32_LITTLE(key + 8); + x[7] = U8TO32_LITTLE(key + 12); + x[8] = U8TO32_LITTLE(key + 16); + x[9] = U8TO32_LITTLE(key + 20); + x[10] = U8TO32_LITTLE(key + 24); + x[11] = U8TO32_LITTLE(key + 28); + x[12] = U8TO32_LITTLE(nonce + 0); + x[13] = U8TO32_LITTLE(nonce + 4); + x[14] = U8TO32_LITTLE(nonce + 8); + x[15] = U8TO32_LITTLE(nonce + 12); + + for (i = 20; i > 0; i -= 2) { + QUARTERROUND(x[0], x[4], x[8], x[12]) + QUARTERROUND(x[1], x[5], x[9], x[13]) + QUARTERROUND(x[2], x[6], x[10], x[14]) + QUARTERROUND(x[3], x[7], x[11], x[15]) + QUARTERROUND(x[0], x[5], x[10], x[15]) + QUARTERROUND(x[1], x[6], x[11], x[12]) + QUARTERROUND(x[2], x[7], x[8], x[13]) + QUARTERROUND(x[3], x[4], x[9], x[14]) + } + + U32TO8_LITTLE(subkey + 0, x[0]); + U32TO8_LITTLE(subkey + 4, x[1]); + U32TO8_LITTLE(subkey + 8, x[2]); + U32TO8_LITTLE(subkey + 12, x[3]); + + U32TO8_LITTLE(subkey + 16, x[12]); + U32TO8_LITTLE(subkey + 20, x[13]); + U32TO8_LITTLE(subkey + 24, x[14]); + U32TO8_LITTLE(subkey + 28, x[15]); +} Index: lib/libcrypto/chacha/chacha.c =================================================================== RCS file: /cvs/src/lib/libcrypto/chacha/chacha.c,v retrieving revision 1.7 diff -u -p -r1.7 chacha.c --- lib/libcrypto/chacha/chacha.c 9 Dec 2015 14:07:55 -0000 1.7 +++ lib/libcrypto/chacha/chacha.c 15 Oct 2018 21:06:52 -0000 @@ -75,3 +75,13 @@ CRYPTO_chacha_20(unsigned char *out, con chacha_encrypt_bytes(&ctx, in, out, (uint32_t)len); } + +void +CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len, + const unsigned char key[32], const unsigned char iv[24]) +{ + uint8_t subkey[32]; + + CRYPTO_hchacha_20(subkey, key, iv); + CRYPTO_chacha_20(out, in, len, subkey, iv + 16, 0); +} Index: lib/libcrypto/chacha/chacha.h =================================================================== RCS file: /cvs/src/lib/libcrypto/chacha/chacha.h,v retrieving revision 1.7 diff -u -p -r1.7 chacha.h --- lib/libcrypto/chacha/chacha.h 9 Dec 2015 14:07:55 -0000 1.7 +++ lib/libcrypto/chacha/chacha.h 15 Oct 2018 21:06:52 -0000 @@ -46,6 +46,10 @@ void ChaCha(ChaCha_ctx *ctx, unsigned ch void CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len, const unsigned char key[32], const unsigned char iv[8], uint64_t counter); +void CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len, + const unsigned char key[32], const unsigned char iv[24]); +void CRYPTO_hchacha_20(unsigned char out[32], + const unsigned char key[32], const unsigned char iv[16]); #ifdef __cplusplus } Index: lib/libcrypto/evp/e_chacha20poly1305.c =================================================================== RCS file: /cvs/src/lib/libcrypto/evp/e_chacha20poly1305.c,v retrieving revision 1.18 diff -u -p -r1.18 e_chacha20poly1305.c --- lib/libcrypto/evp/e_chacha20poly1305.c 28 Aug 2017 17:48:02 -0000 1.18 +++ lib/libcrypto/evp/e_chacha20poly1305.c 15 Oct 2018 21:06:52 -0000 @@ -36,6 +36,7 @@ #define CHACHA20_CONSTANT_LEN 4 #define CHACHA20_IV_LEN 8 #define CHACHA20_NONCE_LEN (CHACHA20_CONSTANT_LEN + CHACHA20_IV_LEN) +#define XCHACHA20_NONCE_LEN 24 struct aead_chacha20_poly1305_ctx { unsigned char key[32]; @@ -246,6 +247,108 @@ aead_chacha20_poly1305_open(const EVP_AE return 1; } +static int +aead_xchacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, + size_t *out_len, size_t max_out_len, const unsigned char *nonce, + size_t nonce_len, const unsigned char *in, size_t in_len, + const unsigned char *ad, size_t ad_len) +{ + const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; + unsigned char poly1305_key[32]; + unsigned char subkey[32]; + poly1305_state poly1305; + + if (max_out_len < in_len + c20_ctx->tag_len) { + EVPerror(EVP_R_BUFFER_TOO_SMALL); + return 0; + } + + if (nonce_len != ctx->aead->nonce_len) { + EVPerror(EVP_R_IV_TOO_LARGE); + return 0; + } + + CRYPTO_hchacha_20(subkey, c20_ctx->key, nonce); + + CRYPTO_chacha_20(out, in, in_len, subkey, nonce + 16, 1); + + memset(poly1305_key, 0, sizeof(poly1305_key)); + CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), + subkey, nonce + 16, 0); + + CRYPTO_poly1305_init(&poly1305, poly1305_key); + poly1305_update_with_pad16(&poly1305, ad, ad_len); + poly1305_update_with_pad16(&poly1305, out, in_len); + poly1305_update_with_length(&poly1305, NULL, ad_len); + poly1305_update_with_length(&poly1305, NULL, in_len); + + if (c20_ctx->tag_len != POLY1305_TAG_LEN) { + unsigned char tag[POLY1305_TAG_LEN]; + CRYPTO_poly1305_finish(&poly1305, tag); + memcpy(out + in_len, tag, c20_ctx->tag_len); + *out_len = in_len + c20_ctx->tag_len; + return 1; + } + + CRYPTO_poly1305_finish(&poly1305, out + in_len); + *out_len = in_len + POLY1305_TAG_LEN; + return 1; +} + +static int +aead_xchacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out, + size_t *out_len, size_t max_out_len, const unsigned char *nonce, + size_t nonce_len, const unsigned char *in, size_t in_len, + const unsigned char *ad, size_t ad_len) +{ + const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; + unsigned char mac[POLY1305_TAG_LEN]; + unsigned char poly1305_key[32]; + unsigned char subkey[32]; + poly1305_state poly1305; + size_t plaintext_len; + + if (in_len < c20_ctx->tag_len) { + EVPerror(EVP_R_BAD_DECRYPT); + return 0; + } + + if (nonce_len != ctx->aead->nonce_len) { + EVPerror(EVP_R_IV_TOO_LARGE); + return 0; + } + + plaintext_len = in_len - c20_ctx->tag_len; + + if (max_out_len < plaintext_len) { + EVPerror(EVP_R_BUFFER_TOO_SMALL); + return 0; + } + + CRYPTO_hchacha_20(subkey, c20_ctx->key, nonce); + + memset(poly1305_key, 0, sizeof(poly1305_key)); + CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), + subkey, nonce + 16, 0); + + CRYPTO_poly1305_init(&poly1305, poly1305_key); + poly1305_update_with_pad16(&poly1305, ad, ad_len); + poly1305_update_with_pad16(&poly1305, in, plaintext_len); + poly1305_update_with_length(&poly1305, NULL, ad_len); + poly1305_update_with_length(&poly1305, NULL, plaintext_len); + + CRYPTO_poly1305_finish(&poly1305, mac); + if (timingsafe_memcmp(mac, in + plaintext_len, c20_ctx->tag_len) != 0) { + EVPerror(EVP_R_BAD_DECRYPT); + return 0; + } + + CRYPTO_chacha_20(out, in, plaintext_len, subkey, nonce + 16, 1); + + *out_len = plaintext_len; + return 1; +} + /* RFC 7539 */ static const EVP_AEAD aead_chacha20_poly1305 = { .key_len = 32, @@ -263,6 +366,24 @@ const EVP_AEAD * EVP_aead_chacha20_poly1305() { return &aead_chacha20_poly1305; +} + +static const EVP_AEAD aead_xchacha20_poly1305 = { + .key_len = 32, + .nonce_len = XCHACHA20_NONCE_LEN, + .overhead = POLY1305_TAG_LEN, + .max_tag_len = POLY1305_TAG_LEN, + + .init = aead_chacha20_poly1305_init, + .cleanup = aead_chacha20_poly1305_cleanup, + .seal = aead_xchacha20_poly1305_seal, + .open = aead_xchacha20_poly1305_open, +}; + +const EVP_AEAD * +EVP_aead_xchacha20_poly1305() +{ + return &aead_xchacha20_poly1305; } #endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */ Index: lib/libcrypto/evp/evp.h =================================================================== RCS file: /cvs/src/lib/libcrypto/evp/evp.h,v retrieving revision 1.69 diff -u -p -r1.69 evp.h --- lib/libcrypto/evp/evp.h 12 Sep 2018 06:35:38 -0000 1.69 +++ lib/libcrypto/evp/evp.h 15 Oct 2018 21:06:53 -0000 @@ -1238,6 +1242,8 @@ const EVP_AEAD *EVP_aead_aes_256_gcm(voi #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) /* EVP_aead_chacha20_poly1305 is ChaCha20 with a Poly1305 authenticator. */ const EVP_AEAD *EVP_aead_chacha20_poly1305(void); +/* EVP_aead_xchacha20_poly1305 is XChaCha20 with a Poly1305 authenticator. */ +const EVP_AEAD *EVP_aead_xchacha20_poly1305(void); #endif /* EVP_AEAD_key_length returns the length of the keys used. */ Index: lib/libcrypto/man/EVP_AEAD_CTX_init.3 =================================================================== RCS file: /cvs/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3,v retrieving revision 1.6 diff -u -p -r1.6 EVP_AEAD_CTX_init.3 --- lib/libcrypto/man/EVP_AEAD_CTX_init.3 28 Aug 2017 17:43:43 -0000 1.6 +++ lib/libcrypto/man/EVP_AEAD_CTX_init.3 15 Oct 2018 21:06:53 -0000 @@ -30,7 +30,8 @@ .Nm EVP_AEAD_nonce_length , .Nm EVP_aead_aes_128_gcm , .Nm EVP_aead_aes_256_gcm , -.Nm EVP_aead_chacha20_poly1305 +.Nm EVP_aead_chacha20_poly1305, +.Nm EVP_aead_xchacha20_poly1305 .Nd authenticated encryption with additional data .Sh SYNOPSIS .In openssl/evp.h @@ -101,6 +102,10 @@ .Fo EVP_aead_chacha20_poly1305 .Fa void .Fc +.Ft const EVP_AEAD * +.Fo EVP_aead_xchacha20_poly1305 +.Fa void +.Fc .Sh DESCRIPTION AEAD (Authenticated Encryption with Additional Data) couples confidentiality and integrity in a single primitive. @@ -219,6 +224,8 @@ AES-128 in Galois Counter Mode. AES-256 in Galois Counter Mode. .It Fn EVP_aead_chacha20_poly1305 ChaCha20 with a Poly1305 authenticator. +.It Fn EVP_aead_xchacha20_poly1305 +XChaCha20 with a Poly1305 authenticator. .El .Pp Where possible the @@ -284,6 +291,13 @@ EVP_AEAD_CTX_cleanup(&ctx); .%D May 2015 .%R RFC 7539 .%T ChaCha20 and Poly1305 for IETF Protocols +.Re +.Pp +.Rs +.%A S. Arciszewski +.%D October 2018 +.%R draft-arciszewski-xchacha-02 +.%T XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305 .Re .Sh HISTORY AEAD is based on the implementation by Index: regress/lib/libcrypto/aead/aeadtest.c =================================================================== RCS file: /cvs/src/regress/lib/libcrypto/aead/aeadtest.c,v retrieving revision 1.10 diff -u -p -r1.10 aeadtest.c --- regress/lib/libcrypto/aead/aeadtest.c 28 Aug 2017 17:52:58 -0000 1.10 +++ regress/lib/libcrypto/aead/aeadtest.c 15 Oct 2018 21:06:53 -0000 @@ -51,8 +51,11 @@ #include #include #include +#include +#include #include +#include /* This program tests an AEAD against a series of test vectors from a file. The * test vector file consists of key-value lines where the key and value are @@ -133,6 +136,12 @@ aead_from_name(const EVP_AEAD **aead, co *aead = EVP_aead_chacha20_poly1305(); #else fprintf(stderr, "No chacha20-poly1305 support.\n"); +#endif + } else if (strcmp(name, "xchacha20-poly1305") == 0) { +#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) + *aead = EVP_aead_xchacha20_poly1305(); +#else + fprintf(stderr, "No xchacha20-poly1305 support.\n"); #endif } else { fprintf(stderr, "Unknown AEAD: %s\n", name); Index: regress/lib/libcrypto/aead/aeadtests.txt =================================================================== RCS file: /cvs/src/regress/lib/libcrypto/aead/aeadtests.txt,v retrieving revision 1.6 diff -u -p -r1.6 aeadtests.txt --- regress/lib/libcrypto/aead/aeadtests.txt 28 Aug 2017 17:52:58 -0000 1.6 +++ regress/lib/libcrypto/aead/aeadtests.txt 15 Oct 2018 21:06:53 -0000 @@ -74,3 +74,12 @@ AD: c0c1c2c3c4c5c6c7d0d1d2d3d4d5d6d72e20 CT: 610394701f8d017f7c12924889 TAG: 6b71bfe25236efd7cdc67066906315b2 +# Test vector from draft-arciszewski-xchacha-02 +AEAD: xchacha20-poly1305 +KEY: 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f +NONCE: 404142434445464748494a4b4c4d4e4f5051525354555657 +IN: 4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e +AD: 50515253c0c1c2c3c4c5c6c7 +CT: bd6d179d3e83d43b9576579493c0e939572a1700252bfaccbed2902c21396cbb731c7f1b0b4aa6440bf3a82f4eda7e39ae64c6708c54c216cb96b72e1213b4522f8c9ba40db5d945b11b69b982c1bb9e3f3fac2bc369488f76b2383565d3fff921f9664c97637da9768812f615c68b13b52e +TAG: c0875924c1c7987947deafd8780acf49 + Index: regress/lib/libcrypto/chacha/chachatest.c =================================================================== RCS file: /cvs/src/regress/lib/libcrypto/chacha/chachatest.c,v retrieving revision 1.4 diff -u -p -r1.4 chachatest.c --- regress/lib/libcrypto/chacha/chachatest.c 26 May 2017 16:48:22 -0000 1.4 +++ regress/lib/libcrypto/chacha/chachatest.c 15 Oct 2018 21:06:54 -0000 @@ -291,6 +291,170 @@ struct chacha_test_function chacha_test_ #define N_FUNCS (sizeof(chacha_test_functions) / sizeof(*chacha_test_functions)) +/* draft-arciszewski-xchacha-02 test vectors */ +static int +crypto_hchacha_20_test(void) +{ + static const unsigned char key[32] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f + }; + static const unsigned char nonce[16] = { + 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x4a, + 0x00, 0x00, 0x00, 0x00, 0x31, 0x41, 0x59, 0x27, + }; + static const unsigned char result[32] = { + 0x82, 0x41, 0x3b, 0x42, 0x27, 0xb2, 0x7b, 0xfe, + 0xd3, 0x0e, 0x42, 0x50, 0x8a, 0x87, 0x7d, 0x73, + 0xa0, 0xf9, 0xe4, 0xd5, 0x8a, 0x74, 0xa8, 0x53, + 0xc1, 0x2e, 0xc4, 0x13, 0x26, 0xd3, 0xec, 0xdc, + }; + unsigned char out[32]; + int failed = 0; + size_t k; + + CRYPTO_hchacha_20(out, key, nonce); + + if (memcmp(out, result, sizeof(out)) != 0) { + printf("HChaCha20 failed!\n"); + + printf("Got:\t"); + for (k = 0; k < sizeof(out); k++) + printf("%2.2x", out[k]); + printf("\n"); + + printf("Want:\t"); + for (k = 0; k < sizeof(result); k++) + printf("%2.2x", result[k]); + printf("\n"); + + failed = 1; + } + + return (failed); +} + +static int +crypto_xchacha_20_test(void) +{ + static const unsigned char key[32] = { + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, + 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, + 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, + 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, + }; + static const unsigned char iv[24] = { + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, + 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x58 + }; + static const unsigned char plain[] = { + 0x54, 0x68, 0x65, 0x20, 0x64, 0x68, 0x6f, 0x6c, + 0x65, 0x20, 0x28, 0x70, 0x72, 0x6f, 0x6e, 0x6f, + 0x75, 0x6e, 0x63, 0x65, 0x64, 0x20, 0x22, 0x64, + 0x6f, 0x6c, 0x65, 0x22, 0x29, 0x20, 0x69, 0x73, + 0x20, 0x61, 0x6c, 0x73, 0x6f, 0x20, 0x6b, 0x6e, + 0x6f, 0x77, 0x6e, 0x20, 0x61, 0x73, 0x20, 0x74, + 0x68, 0x65, 0x20, 0x41, 0x73, 0x69, 0x61, 0x74, + 0x69, 0x63, 0x20, 0x77, 0x69, 0x6c, 0x64, 0x20, + 0x64, 0x6f, 0x67, 0x2c, 0x20, 0x72, 0x65, 0x64, + 0x20, 0x64, 0x6f, 0x67, 0x2c, 0x20, 0x61, 0x6e, + 0x64, 0x20, 0x77, 0x68, 0x69, 0x73, 0x74, 0x6c, + 0x69, 0x6e, 0x67, 0x20, 0x64, 0x6f, 0x67, 0x2e, + 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x61, + 0x62, 0x6f, 0x75, 0x74, 0x20, 0x74, 0x68, 0x65, + 0x20, 0x73, 0x69, 0x7a, 0x65, 0x20, 0x6f, 0x66, + 0x20, 0x61, 0x20, 0x47, 0x65, 0x72, 0x6d, 0x61, + 0x6e, 0x20, 0x73, 0x68, 0x65, 0x70, 0x68, 0x65, + 0x72, 0x64, 0x20, 0x62, 0x75, 0x74, 0x20, 0x6c, + 0x6f, 0x6f, 0x6b, 0x73, 0x20, 0x6d, 0x6f, 0x72, + 0x65, 0x20, 0x6c, 0x69, 0x6b, 0x65, 0x20, 0x61, + 0x20, 0x6c, 0x6f, 0x6e, 0x67, 0x2d, 0x6c, 0x65, + 0x67, 0x67, 0x65, 0x64, 0x20, 0x66, 0x6f, 0x78, + 0x2e, 0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x68, + 0x69, 0x67, 0x68, 0x6c, 0x79, 0x20, 0x65, 0x6c, + 0x75, 0x73, 0x69, 0x76, 0x65, 0x20, 0x61, 0x6e, + 0x64, 0x20, 0x73, 0x6b, 0x69, 0x6c, 0x6c, 0x65, + 0x64, 0x20, 0x6a, 0x75, 0x6d, 0x70, 0x65, 0x72, + 0x20, 0x69, 0x73, 0x20, 0x63, 0x6c, 0x61, 0x73, + 0x73, 0x69, 0x66, 0x69, 0x65, 0x64, 0x20, 0x77, + 0x69, 0x74, 0x68, 0x20, 0x77, 0x6f, 0x6c, 0x76, + 0x65, 0x73, 0x2c, 0x20, 0x63, 0x6f, 0x79, 0x6f, + 0x74, 0x65, 0x73, 0x2c, 0x20, 0x6a, 0x61, 0x63, + 0x6b, 0x61, 0x6c, 0x73, 0x2c, 0x20, 0x61, 0x6e, + 0x64, 0x20, 0x66, 0x6f, 0x78, 0x65, 0x73, 0x20, + 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x74, + 0x61, 0x78, 0x6f, 0x6e, 0x6f, 0x6d, 0x69, 0x63, + 0x20, 0x66, 0x61, 0x6d, 0x69, 0x6c, 0x79, 0x20, + 0x43, 0x61, 0x6e, 0x69, 0x64, 0x61, 0x65, 0x2e, + }; + static const unsigned char cipher[] = { + 0x45, 0x59, 0xab, 0xba, 0x4e, 0x48, 0xc1, 0x61, + 0x02, 0xe8, 0xbb, 0x2c, 0x05, 0xe6, 0x94, 0x7f, + 0x50, 0xa7, 0x86, 0xde, 0x16, 0x2f, 0x9b, 0x0b, + 0x7e, 0x59, 0x2a, 0x9b, 0x53, 0xd0, 0xd4, 0xe9, + 0x8d, 0x8d, 0x64, 0x10, 0xd5, 0x40, 0xa1, 0xa6, + 0x37, 0x5b, 0x26, 0xd8, 0x0d, 0xac, 0xe4, 0xfa, + 0xb5, 0x23, 0x84, 0xc7, 0x31, 0xac, 0xbf, 0x16, + 0xa5, 0x92, 0x3c, 0x0c, 0x48, 0xd3, 0x57, 0x5d, + 0x4d, 0x0d, 0x2c, 0x67, 0x3b, 0x66, 0x6f, 0xaa, + 0x73, 0x10, 0x61, 0x27, 0x77, 0x01, 0x09, 0x3a, + 0x6b, 0xf7, 0xa1, 0x58, 0xa8, 0x86, 0x42, 0x92, + 0xa4, 0x1c, 0x48, 0xe3, 0xa9, 0xb4, 0xc0, 0xda, + 0xec, 0xe0, 0xf8, 0xd9, 0x8d, 0x0d, 0x7e, 0x05, + 0xb3, 0x7a, 0x30, 0x7b, 0xbb, 0x66, 0x33, 0x31, + 0x64, 0xec, 0x9e, 0x1b, 0x24, 0xea, 0x0d, 0x6c, + 0x3f, 0xfd, 0xdc, 0xec, 0x4f, 0x68, 0xe7, 0x44, + 0x30, 0x56, 0x19, 0x3a, 0x03, 0xc8, 0x10, 0xe1, + 0x13, 0x44, 0xca, 0x06, 0xd8, 0xed, 0x8a, 0x2b, + 0xfb, 0x1e, 0x8d, 0x48, 0xcf, 0xa6, 0xbc, 0x0e, + 0xb4, 0xe2, 0x46, 0x4b, 0x74, 0x81, 0x42, 0x40, + 0x7c, 0x9f, 0x43, 0x1a, 0xee, 0x76, 0x99, 0x60, + 0xe1, 0x5b, 0xa8, 0xb9, 0x68, 0x90, 0x46, 0x6e, + 0xf2, 0x45, 0x75, 0x99, 0x85, 0x23, 0x85, 0xc6, + 0x61, 0xf7, 0x52, 0xce, 0x20, 0xf9, 0xda, 0x0c, + 0x09, 0xab, 0x6b, 0x19, 0xdf, 0x74, 0xe7, 0x6a, + 0x95, 0x96, 0x74, 0x46, 0xf8, 0xd0, 0xfd, 0x41, + 0x5e, 0x7b, 0xee, 0x2a, 0x12, 0xa1, 0x14, 0xc2, + 0x0e, 0xb5, 0x29, 0x2a, 0xe7, 0xa3, 0x49, 0xae, + 0x57, 0x78, 0x20, 0xd5, 0x52, 0x0a, 0x1f, 0x3f, + 0xb6, 0x2a, 0x17, 0xce, 0x6a, 0x7e, 0x68, 0xfa, + 0x7c, 0x79, 0x11, 0x1d, 0x88, 0x60, 0x92, 0x0b, + 0xc0, 0x48, 0xef, 0x43, 0xfe, 0x84, 0x48, 0x6c, + 0xcb, 0x87, 0xc2, 0x5f, 0x0a, 0xe0, 0x45, 0xf0, + 0xcc, 0xe1, 0xe7, 0x98, 0x9a, 0x9a, 0xa2, 0x20, + 0xa2, 0x8b, 0xdd, 0x48, 0x27, 0xe7, 0x51, 0xa2, + 0x4a, 0x6d, 0x5c, 0x62, 0xd7, 0x90, 0xa6, 0x63, + 0x93, 0xb9, 0x31, 0x11, 0xc1, 0xa5, 0x5d, 0xd7, + 0x42, 0x1a, 0x10, 0x18, 0x49, 0x74, 0xc7, 0xc5, + }; + unsigned char out[sizeof(cipher)]; + int failed = 0; + size_t k; + + CRYPTO_xchacha_20(out, plain, sizeof(out), key, iv); + + if (memcmp(out, cipher, sizeof(out)) != 0) { + printf("XChaCha20 failed!\n"); + + printf("Got:\t"); + for (k = 0; k < sizeof(out); k++) + printf("%2.2x", out[k]); + printf("\n"); + + printf("Want:\t"); + for (k = 0; k < sizeof(cipher); k++) + printf("%2.2x", cipher[k]); + printf("\n"); + + failed = 1; + } + + return (failed); +} + int main(int argc, char **argv) { @@ -333,6 +497,12 @@ main(int argc, char **argv) free(out); } } + + if (crypto_hchacha_20_test() != 0) + failed = 1; + + if (crypto_xchacha_20_test() != 0) + failed = 1; return failed; }