From: Daiki Ueno dueno@redhat.com
The ChaCha20 based header protection algorithm in QUIC requires a way to set the initial value of counter: https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#name-chacha20-based-...
This will add a new function chacha_set_nonce128, which takes the counter value embedded in the nonce.
Signed-off-by: Daiki Ueno dueno@redhat.com --- chacha-set-nonce.c | 9 +++++++++ chacha.h | 5 +++++ testsuite/chacha-test.c | 15 +++++++++++++++ 3 files changed, 29 insertions(+)
diff --git a/chacha-set-nonce.c b/chacha-set-nonce.c index 607f176b..7098de58 100644 --- a/chacha-set-nonce.c +++ b/chacha-set-nonce.c @@ -68,3 +68,12 @@ chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce) ctx->state[14] = LE_READ_UINT32(nonce + 4); ctx->state[15] = LE_READ_UINT32(nonce + 8); } + +void +chacha_set_nonce128(struct chacha_ctx *ctx, const uint8_t *nonce) +{ + ctx->state[12] = LE_READ_UINT32(nonce + 0); + ctx->state[13] = LE_READ_UINT32(nonce + 4); + ctx->state[14] = LE_READ_UINT32(nonce + 8); + ctx->state[15] = LE_READ_UINT32(nonce + 12); +} diff --git a/chacha.h b/chacha.h index 429a55b6..ff33f03d 100644 --- a/chacha.h +++ b/chacha.h @@ -46,6 +46,7 @@ extern "C" { #define chacha_set_key nettle_chacha_set_key #define chacha_set_nonce nettle_chacha_set_nonce #define chacha_set_nonce96 nettle_chacha_set_nonce96 +#define chacha_set_nonce128 nettle_chacha_set_nonce128 #define chacha_crypt nettle_chacha_crypt
/* Currently, only 256-bit keys are supported. */ @@ -53,6 +54,7 @@ extern "C" { #define CHACHA_BLOCK_SIZE 64 #define CHACHA_NONCE_SIZE 8 #define CHACHA_NONCE96_SIZE 12 +#define CHACHA_NONCE128_SIZE 16
#define _CHACHA_STATE_LENGTH 16
@@ -81,6 +83,9 @@ chacha_set_nonce(struct chacha_ctx *ctx, const uint8_t *nonce); void chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce);
+void +chacha_set_nonce128(struct chacha_ctx *ctx, const uint8_t *nonce); + void chacha_crypt(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); diff --git a/testsuite/chacha-test.c b/testsuite/chacha-test.c index d6489e9c..4731598b 100644 --- a/testsuite/chacha-test.c +++ b/testsuite/chacha-test.c @@ -66,6 +66,10 @@ test_chacha(const struct tstring *key, const struct tstring *nonce, draft-irtf-cfrg-chacha20-poly1305-08 test cases. */ ctx.state[12]++; } + else if (nonce->length == CHACHA_NONCE128_SIZE) + { + chacha_set_nonce128(&ctx, nonce->data); + } else die ("Bad nonce size %u.\n", (unsigned) nonce->length);
@@ -644,4 +648,15 @@ test_main(void) "d2826446079faa09 14c2d705d98b02a2" "b5129cd1de164eb9 cbd083e8a2503c4e"), 20); + + /* This is identical to the 96-bit nonce test, but it manually sets + the counter value */ + test_chacha(SHEX("0001020304050607 08090a0b0c0d0e0f" + "1011121314151617 18191a1b1c1d1e1f"), + SHEX("0100000000000009 0000004a00000000"), + SHEX("10f1e7e4d13b5915 500fdd1fa32071c4" + "c7d1f4c733c06803 0422aa9ac3d46c4e" + "d2826446079faa09 14c2d705d98b02a2" + "b5129cd1de164eb9 cbd083e8a2503c4e"), + 20); }