diff --git a/libraries/Crypto/AESCommon.cpp b/libraries/Crypto/AESCommon.cpp index cf52f0af..e583b3b9 100644 --- a/libraries/Crypto/AESCommon.cpp +++ b/libraries/Crypto/AESCommon.cpp @@ -31,9 +31,15 @@ * AES192, or AES256 to create an AES block cipher with a specific * key size. * + * \note This AES implementation does not have constant cache behaviour due + * to the use of table lookups. It may not be safe to use this implementation + * in an environment where the attacker can observe the timing of encryption + * and decryption operations. Unless AES compatibility is required, + * it is recommended that the ChaCha stream cipher be used instead. + * * Reference: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard * - * \sa AES128, AES192, AES256 + * \sa ChaCha, AES128, AES192, AES256 */ // AES S-box (http://en.wikipedia.org/wiki/Rijndael_S-box) diff --git a/libraries/Crypto/Arcfour.cpp b/libraries/Crypto/Arcfour.cpp index 61db4bbc..65159628 100644 --- a/libraries/Crypto/Arcfour.cpp +++ b/libraries/Crypto/Arcfour.cpp @@ -30,6 +30,7 @@ * \note While fast and small on 8-bit platforms, Arcfour is a very weak * algorithm when used incorrectly. Security can be improved slightly using * drop() and good key generation. Never reuse the same key with Arcfour. + * ChaCha will almost always be a better option than Arcfour. * * The default key size is 128 bits, but any key size between 40 and * 256 bits (5 to 32 bytes) can be used with setKey(). @@ -41,7 +42,7 @@ * * Reference: http://en.wikipedia.org/wiki/RC4 * - * \sa Cipher + * \sa ChaCha */ /** diff --git a/libraries/Crypto/ChaCha.cpp b/libraries/Crypto/ChaCha.cpp new file mode 100644 index 00000000..836fdc72 --- /dev/null +++ b/libraries/Crypto/ChaCha.cpp @@ -0,0 +1,269 @@ +/* + * Copyright (C) 2015 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#include "ChaCha.h" +#include "Crypto.h" +#include "RotateUtil.h" +#include "EndianUtil.h" +#include + +/** + * \class ChaCha ChaCha.h + * \brief ChaCha stream cipher. + * + * ChaCha is a stream cipher that takes a key, an 8-byte nonce/IV, and a + * counter and hashes them to generate a keystream to XOR with the plaintext. + * Variations on the ChaCha cipher use 8, 12, or 20 rounds of hashing + * operations with either 128-bit or 256-bit keys. + * + * Reference: http://cr.yp.to/chacha.html + */ + +/** + * \brief Constructs a new ChaCha stream cipher. + * + * \param numRounds Number of encryption rounds to use; usually 8, 12, or 20. + */ +ChaCha::ChaCha(uint8_t numRounds) + : rounds(numRounds) + , posn(64) +{ +} + +ChaCha::~ChaCha() +{ + clean(block); + clean(stream); +} + +size_t ChaCha::keySize() const +{ + // Default key size is 128-bit, but any key size is allowed. + return 16; +} + +size_t ChaCha::ivSize() const +{ + // We return 8 but we also support 12-byte nonces in setIV(). + return 8; +} + +/** + * \fn uint8_t ChaCha::numRounds() const + * \brief Returns the number of encryption rounds; usually 8, 12, or 20. + * + * \sa setNumRounds() + */ + +/** + * \fn void ChaCha::setNumRounds(uint8_t numRounds) + * \brief Sets the number of encryption rounds. + * + * \param numRounds The number of encryption rounds; usually 8, 12, or 20. + * + * \sa numRounds() + */ + +bool ChaCha::setKey(const uint8_t *key, size_t len) +{ + static const char tag128[] = "expand 16-byte k"; + static const char tag256[] = "expand 32-byte k"; + if (len <= 16) { + memcpy(block, tag128, 16); + memcpy(block + 16, key, len); + memcpy(block + 32, key, len); + if (len < 16) { + memset(block + 16 + len, 0, 16 - len); + memset(block + 32 + len, 0, 16 - len); + } + } else { + if (len > 32) + len = 32; + memcpy(block, tag256, 16); + memcpy(block + 16, key, len); + if (len < 32) + memset(block + 16 + len, 0, 32 - len); + } + posn = 64; + return true; +} + +bool ChaCha::setIV(const uint8_t *iv, size_t len) +{ + // From draft-nir-cfrg-chacha20-poly1305-04.txt, we can use either + // 64-bit or 96-bit nonces. The 96-bit nonce consists of the high + // word of the counter prepended to a regular 64-bit nonce for ChaCha. + if (len == 8) { + memset(block + 48, 0, 8); + memcpy(block + 56, iv, len); + posn = 64; + return true; + } else if (len == 12) { + memset(block + 48, 0, 4); + memcpy(block + 52, iv, len); + posn = 64; + return true; + } else { + return false; + } +} + +/** + * \brief Sets the starting counter for encryption. + * + * \param counter A 4-byte or 8-byte value to use for the starting counter + * instead of the default value of zero. + * \param len The length of the counter, which must be 4 or 8. + * \return Returns false if \a len is not 4 or 8. + * + * This function must be called after setIV() and before the first call + * to encrypt(). It is used to specify a different starting value than + * zero for the counter portion of the hash input. + * + * \sa setIV() + */ +bool ChaCha::setCounter(const uint8_t *counter, size_t len) +{ + // Normally both the IV and the counter are 8 bytes in length. + // However, if the IV was 12 bytes, then a 4 byte counter can be used. + if (len == 4 || len == 8) { + memcpy(block + 48, counter, len); + posn = 64; + return true; + } else { + return false; + } +} + +void ChaCha::encrypt(uint8_t *output, const uint8_t *input, size_t len) +{ + while (len > 0) { + if (posn >= 64) { + // Generate a new encrypted counter block. + hashCore((uint32_t *)stream, (const uint32_t *)block, rounds); + posn = 0; + + // Increment the counter, taking care not to reveal + // any timing information about the starting value. + // We iterate through the entire counter region even + // if we could stop earlier because a byte is non-zero. + uint16_t temp = 1; + uint8_t index = 48; + while (index < 56) { + temp += block[index]; + block[index] = (uint8_t)temp; + temp >>= 8; + ++index; + } + } + uint8_t templen = 64 - posn; + if (templen > len) + templen = len; + len -= templen; + while (templen > 0) { + *output++ = *input++ ^ stream[posn++]; + --templen; + } + } +} + +void ChaCha::decrypt(uint8_t *output, const uint8_t *input, size_t len) +{ + encrypt(output, input, len); +} + +void ChaCha::clear() +{ + clean(block); + clean(stream); + posn = 64; +} + +// On AVR it is faster to rotate left by 16 bits and then right by 4 bits +// one at a time than to rotate left by 12 bits in a single step. +#define leftRotate12(a) \ + (__extension__ ({ \ + uint32_t temp = (a); \ + temp = (temp << 16) | (temp >> 16); \ + temp = rightRotate(temp, 1); \ + temp = rightRotate(temp, 1); \ + temp = rightRotate(temp, 1); \ + rightRotate(temp, 1); \ + })) + +// Perform a ChaCha quarter round operation. +#define quarterRound(a, b, c, d) \ + do { \ + uint32_t _b = (b); \ + uint32_t _a = (a) + _b; \ + uint32_t _d = leftRotate((d) ^ _a, 16); \ + uint32_t _c = (c) + _d; \ + _b = leftRotate12(_b ^ _c); \ + _a += _b; \ + (d) = _d = leftRotate(_d ^ _a, 8); \ + _c += _d; \ + (a) = _a; \ + (b) = leftRotate7(_b ^ _c); \ + (c) = _c; \ + } while (0) + +/** + * \brief Executes the ChaCha hash core on an input memory block. + * + * \param output Output memory block, must be at least 16 words in length + * and must not overlap with \a input. + * \param input Input memory block, must be at least 16 words in length. + * \param rounds Number of ChaCha rounds to perform; usually 8, 12, or 20. + * + * This function is provided for the convenience of applications that need + * access to the ChaCha hash core without the higher-level processing that + * turns the core into a stream cipher. + */ +void ChaCha::hashCore(uint32_t *output, const uint32_t *input, uint8_t rounds) +{ + uint8_t posn; + + // Copy the input buffer to the output prior to the first round + // and convert from little-endian to host byte order. + for (posn = 0; posn < 16; ++posn) + output[posn] = le32toh(input[posn]); + + // Perform the ChaCha rounds in sets of two. + for (; rounds >= 2; rounds -= 2) { + // Column round. + quarterRound(output[0], output[4], output[8], output[12]); + quarterRound(output[1], output[5], output[9], output[13]); + quarterRound(output[2], output[6], output[10], output[14]); + quarterRound(output[3], output[7], output[11], output[15]); + + // Diagonal round. + quarterRound(output[0], output[5], output[10], output[15]); + quarterRound(output[1], output[6], output[11], output[12]); + quarterRound(output[2], output[7], output[8], output[13]); + quarterRound(output[3], output[4], output[9], output[14]); + } + + // Add the original input to the final output, convert back to + // little-endian, and return the result. + for (posn = 0; posn < 16; ++posn) + output[posn] = htole32(output[posn] + le32toh(input[posn])); +} diff --git a/libraries/Crypto/ChaCha.h b/libraries/Crypto/ChaCha.h new file mode 100644 index 00000000..21a140f1 --- /dev/null +++ b/libraries/Crypto/ChaCha.h @@ -0,0 +1,58 @@ +/* + * Copyright (C) 2015 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef CRYPTO_CHACHA_h +#define CRYPTO_CHACHA_h + +#include "Cipher.h" + +class ChaCha : public Cipher +{ +public: + explicit ChaCha(uint8_t numRounds = 20); + virtual ~ChaCha(); + + size_t keySize() const; + size_t ivSize() const; + + uint8_t numRounds() const { return rounds; } + void setNumRounds(uint8_t numRounds) { rounds = numRounds; } + + bool setKey(const uint8_t *key, size_t len); + bool setIV(const uint8_t *iv, size_t len); + bool setCounter(const uint8_t *counter, size_t len); + + void encrypt(uint8_t *output, const uint8_t *input, size_t len); + void decrypt(uint8_t *output, const uint8_t *input, size_t len); + + void clear(); + + static void hashCore(uint32_t *output, const uint32_t *input, uint8_t rounds); + +private: + uint8_t block[64]; + uint8_t stream[64]; + uint8_t rounds; + uint8_t posn; +}; + +#endif diff --git a/libraries/Crypto/EndianUtil.h b/libraries/Crypto/EndianUtil.h new file mode 100644 index 00000000..58ba1804 --- /dev/null +++ b/libraries/Crypto/EndianUtil.h @@ -0,0 +1,43 @@ +/* + * Copyright (C) 2015 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef CRYPTO_ENDIANUTIL_H +#define CRYPTO_ENDIANUTIL_H + +#include + +// CPU is assumed to be little endian. Edit this file if you +// need to port this library to a big endian CPU. + +#define htole32(x) (x) +#define le32toh(x) (x) +#define htobe32(x) \ + (__extension__ ({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | \ + ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | \ + ((_temp << 24) & 0xFF000000); \ + })) +#define be32toh(x) (htobe32((x))) + +#endif diff --git a/libraries/Crypto/RotateUtil.h b/libraries/Crypto/RotateUtil.h new file mode 100644 index 00000000..c0b2cdc4 --- /dev/null +++ b/libraries/Crypto/RotateUtil.h @@ -0,0 +1,174 @@ +/* + * Copyright (C) 2015 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifndef CRYPTO_ROTATEUTIL_H +#define CRYPTO_ROTATEUTIL_H + +#include + +// Rotation functions that are optimised for best performance on AVR. +// The most efficient rotations are where the number of bits is 1 or a +// multiple of 8, so we compose the efficient rotations to produce all +// other rotation counts of interest. All macros below assume arguments +// of 32 bits in size. + +// Generic left rotate - best performance when "bits" is 1 or a multiple of 8. +#define leftRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp << (bits)) | (_temp >> (32 - (bits))); \ + })) + +// Generic right rotate - best performance when "bits" is 1 or a multiple of 8. +#define rightRotate(a, bits) \ + (__extension__ ({ \ + uint32_t _temp = (a); \ + (_temp >> (bits)) | (_temp << (32 - (bits))); \ + })) + +// Left rotate by 1. +#define leftRotate1(a) (leftRotate((a), 1)) + +// Left rotate by 2. +#define leftRotate2(a) (leftRotate(leftRotate((a), 1), 1)) + +// Left rotate by 3. +#define leftRotate3(a) (leftRotate(leftRotate(leftRotate((a), 1), 1), 1)) + +// Left rotate by 4. +#define leftRotate4(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 1), 1), 1), 1)) + +// Left rotate by 5: Rotate left by 8, then right by 3. +#define leftRotate5(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 8), 1), 1), 1)) + +// Left rotate by 6: Rotate left by 8, then right by 2. +#define leftRotate6(a) (rightRotate(rightRotate(leftRotate((a), 8), 1), 1)) + +// Left rotate by 7: Rotate left by 8, then right by 1. +#define leftRotate7(a) (rightRotate(leftRotate((a), 8), 1)) + +// Left rotate by 8. +#define leftRotate8(a) (leftRotate((a), 8)) + +// Left rotate by 9: Rotate left by 8, then left by 1. +#define leftRotate9(a) (leftRotate(leftRotate((a), 8), 1)) + +// Left rotate by 10: Rotate left by 8, then left by 2. +#define leftRotate10(a) (leftRotate(leftRotate(leftRotate((a), 8), 1), 1)) + +// Left rotate by 11: Rotate left by 8, then left by 3. +#define leftRotate11(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1)) + +// Left rotate by 12: Rotate left by 8, then left by 4. +#define leftRotate12(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 8), 1), 1), 1), 1)) + +// Left rotate by 13: Rotate left by 16, then right by 3. +#define leftRotate13(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 16), 1), 1), 1)) + +// Left rotate by 14: Rotate left by 16, then right by 2. +#define leftRotate14(a) (rightRotate(rightRotate(leftRotate((a), 16), 1), 1)) + +// Left rotate by 15: Rotate left by 16, then right by 1. +#define leftRotate15(a) (rightRotate(leftRotate((a), 16), 1)) + +// Left rotate by 16. +#define leftRotate16(a) (leftRotate((a), 16)) + +// Left rotate by 17: Rotate left by 16, then left by 1. +#define leftRotate17(a) (leftRotate(leftRotate((a), 16), 1)) + +// Left rotate by 18: Rotate left by 16, then left by 2. +#define leftRotate18(a) (leftRotate(leftRotate(leftRotate((a), 16), 1), 1)) + +// Left rotate by 19: Rotate left by 16, then left by 3. +#define leftRotate19(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1)) + +// Left rotate by 20: Rotate left by 16, then left by 4. +#define leftRotate20(a) (leftRotate(leftRotate(leftRotate(leftRotate(leftRotate((a), 16), 1), 1), 1), 1)) + +// Left rotate by 21: Rotate left by 24, then right by 3. +#define leftRotate21(a) (rightRotate(rightRotate(rightRotate(leftRotate((a), 24), 1), 1), 1)) + +// Left rotate by 22: Rotate left by 24, then right by 2. +#define leftRotate22(a) (rightRotate(rightRotate(leftRotate((a), 24), 1), 1)) + +// Left rotate by 23: Rotate left by 24, then right by 1. +#define leftRotate23(a) (rightRotate(leftRotate((a), 24), 1)) + +// Left rotate by 24. +#define leftRotate24(a) (leftRotate((a), 24)) + +// Left rotate by 25: Rotate left by 24, then left by 1. +#define leftRotate25(a) (leftRotate(leftRotate((a), 24), 1)) + +// Left rotate by 26: Rotate left by 24, then left by 2. +#define leftRotate26(a) (leftRotate(leftRotate(leftRotate((a), 24), 1), 1)) + +// Left rotate by 27: Rotate left by 24, then left by 3. +#define leftRotate27(a) (leftRotate(leftRotate(leftRotate(leftRotate((a), 24), 1), 1), 1)) + +// Left rotate by 28: Rotate right by 4. +#define leftRotate28(a) (rightRotate(rightRotate(rightRotate(rightRotate((a), 1), 1), 1), 1)) + +// Left rotate by 29: Rotate right by 3. +#define leftRotate29(a) (rightRotate(rightRotate(rightRotate((a), 1), 1), 1)) + +// Left rotate by 30: Rotate right by 2. +#define leftRotate30(a) (rightRotate(rightRotate((a), 1), 1)) + +// Left rotate by 31: Rotate right by 1. +#define leftRotate31(a) (rightRotate((a), 1)) + +// Define the right rotations in terms of left rotations. +#define rightRotate1(a) (leftRotate31((a))) +#define rightRotate2(a) (leftRotate30((a))) +#define rightRotate3(a) (leftRotate29((a))) +#define rightRotate4(a) (leftRotate28((a))) +#define rightRotate5(a) (leftRotate27((a))) +#define rightRotate6(a) (leftRotate26((a))) +#define rightRotate7(a) (leftRotate25((a))) +#define rightRotate8(a) (leftRotate24((a))) +#define rightRotate9(a) (leftRotate23((a))) +#define rightRotate10(a) (leftRotate22((a))) +#define rightRotate11(a) (leftRotate21((a))) +#define rightRotate12(a) (leftRotate20((a))) +#define rightRotate13(a) (leftRotate19((a))) +#define rightRotate14(a) (leftRotate18((a))) +#define rightRotate15(a) (leftRotate17((a))) +#define rightRotate16(a) (leftRotate16((a))) +#define rightRotate17(a) (leftRotate15((a))) +#define rightRotate18(a) (leftRotate14((a))) +#define rightRotate19(a) (leftRotate13((a))) +#define rightRotate20(a) (leftRotate12((a))) +#define rightRotate21(a) (leftRotate11((a))) +#define rightRotate22(a) (leftRotate10((a))) +#define rightRotate23(a) (leftRotate9((a))) +#define rightRotate24(a) (leftRotate8((a))) +#define rightRotate25(a) (leftRotate7((a))) +#define rightRotate26(a) (leftRotate6((a))) +#define rightRotate27(a) (leftRotate5((a))) +#define rightRotate28(a) (leftRotate4((a))) +#define rightRotate29(a) (leftRotate3((a))) +#define rightRotate30(a) (leftRotate2((a))) +#define rightRotate31(a) (leftRotate1((a))) + +#endif diff --git a/libraries/Crypto/examples/TestChaCha/TestChaCha.ino b/libraries/Crypto/examples/TestChaCha/TestChaCha.ino new file mode 100644 index 00000000..ba0ccd8e --- /dev/null +++ b/libraries/Crypto/examples/TestChaCha/TestChaCha.ino @@ -0,0 +1,375 @@ +/* + * Copyright (C) 2015 Southern Storm Software, Pty Ltd. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +/* +This example runs tests on the ChaCha implementation to verify correct behaviour. +*/ + +#include +#include +#include + +#define MAX_PLAINTEXT_SIZE 64 +#define MAX_CIPHERTEXT_SIZE 64 + +struct TestVector +{ + const char *name; + byte key[32]; + size_t keySize; + uint8_t rounds; + byte plaintext[MAX_PLAINTEXT_SIZE]; + byte ciphertext[MAX_CIPHERTEXT_SIZE]; + byte iv[8]; + byte counter[8]; + size_t size; +}; + +// Use the test vectors from section 9 of the Salsa20 specification, +// http://cr.yp.to/snuffle/spec.pdf, but modify the ciphertext to +// the expected output from ChaCha20/12/8. Unfortunately the ChaCha +// specification doesn't contain test vectors - these were generated +// using the reference implementation from http://cr.yp.to/chacha.html. + +static TestVector const testVectorChaCha20_128 = { + .name = "ChaCha20 128-bit", + .key = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}, + .keySize = 16, + .rounds = 20, + .plaintext = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .ciphertext = {0x1C, 0x91, 0xE7, 0x99, 0x71, 0xC0, 0x1C, 0x2A, + 0xEC, 0xE9, 0x24, 0x35, 0xB1, 0x6E, 0xBF, 0xFD, + 0x33, 0x05, 0xCC, 0x17, 0x24, 0x9D, 0x66, 0xA7, + 0xA0, 0xCA, 0xB8, 0x36, 0x03, 0xA6, 0x9D, 0x93, + 0x9A, 0x4C, 0x10, 0x40, 0xD9, 0x2A, 0x86, 0x78, + 0x3A, 0xAD, 0x71, 0x87, 0x55, 0x9F, 0x5B, 0x9A, + 0x68, 0x52, 0xA0, 0xAD, 0x59, 0xAE, 0x04, 0x10, + 0x25, 0x74, 0x5C, 0x05, 0x62, 0x78, 0xF4, 0x8A}, + .iv = {101,102,103,104,105,106,107,108}, + .counter = {109, 110, 111, 112, 113, 114, 115, 116}, + .size = 64 +}; + +static TestVector const testVectorChaCha20_256 = { + .name = "ChaCha20 256-bit", + .key = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, + 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, + 211, 212, 213, 214, 215, 216}, + .keySize = 32, + .rounds = 20, + .plaintext = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .ciphertext = {0x2A, 0x7E, 0x73, 0xC2, 0x2A, 0xE5, 0xCF, 0x4E, + 0x21, 0x75, 0xB1, 0x26, 0x38, 0x3F, 0x60, 0x84, + 0x11, 0x25, 0xFC, 0xAD, 0xFD, 0x16, 0x54, 0xF2, + 0xD7, 0x8C, 0x5D, 0x49, 0x8D, 0x96, 0xBE, 0x15, + 0xC9, 0x00, 0x12, 0x09, 0x14, 0x43, 0x2D, 0x6D, + 0x64, 0x33, 0x88, 0xA6, 0x16, 0x39, 0x86, 0xFD, + 0xD8, 0x85, 0x4D, 0x76, 0x42, 0xEC, 0x0A, 0x0C, + 0x8A, 0xF2, 0x99, 0x2E, 0x54, 0xAE, 0xB4, 0xD9}, + .iv = {101,102,103,104,105,106,107,108}, + .counter = {109, 110, 111, 112, 113, 114, 115, 116}, + .size = 64 +}; + +static TestVector const testVectorChaCha12_128 = { + .name = "ChaCha12 128-bit", + .key = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}, + .keySize = 16, + .rounds = 12, + .plaintext = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .ciphertext = {0xCB, 0xC1, 0xCF, 0x63, 0xE8, 0xD0, 0x62, 0x83, + 0xFC, 0x12, 0x87, 0x8C, 0x62, 0x09, 0x5B, 0xF8, + 0x84, 0x93, 0x30, 0xC6, 0xE6, 0x26, 0x87, 0x99, + 0xB0, 0xD9, 0xC1, 0xE1, 0xD7, 0x58, 0xCA, 0x05, + 0xFE, 0x46, 0x40, 0xD1, 0xDC, 0x14, 0x68, 0x3C, + 0xFF, 0x25, 0xF7, 0x70, 0x5F, 0xBF, 0x37, 0xC5, + 0x29, 0x8F, 0x3C, 0x55, 0x74, 0xDF, 0xF7, 0x49, + 0x8D, 0xD8, 0xE9, 0xBA, 0x5D, 0xF1, 0x9F, 0xA5}, + .iv = {101,102,103,104,105,106,107,108}, + .counter = {109, 110, 111, 112, 113, 114, 115, 116}, + .size = 64 +}; + +static TestVector const testVectorChaCha12_256 = { + .name = "ChaCha12 256-bit", + .key = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, + 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, + 211, 212, 213, 214, 215, 216}, + .keySize = 32, + .rounds = 12, + .plaintext = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .ciphertext = {0xB8, 0x49, 0xD4, 0x70, 0xE0, 0xFF, 0x57, 0x12, + 0x95, 0xBF, 0xD9, 0xCD, 0x26, 0xFD, 0x4D, 0x6E, + 0x70, 0xA2, 0xBC, 0x58, 0x63, 0xF6, 0x2C, 0xC3, + 0xC7, 0x1C, 0x9B, 0x1A, 0x54, 0xDC, 0xF9, 0xF8, + 0xFD, 0x59, 0xEA, 0xC9, 0xC3, 0x10, 0xA1, 0xDE, + 0xD1, 0x53, 0x84, 0xD6, 0x8D, 0xC6, 0x61, 0x09, + 0x2E, 0x62, 0x14, 0xC5, 0x77, 0x4B, 0x6B, 0x5B, + 0x0D, 0x35, 0xE6, 0x17, 0x41, 0x51, 0xA6, 0xA4}, + .iv = {101,102,103,104,105,106,107,108}, + .counter = {109, 110, 111, 112, 113, 114, 115, 116}, + .size = 64 +}; + +static TestVector const testVectorChaCha8_128 = { + .name = "ChaCha8 128-bit", + .key = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}, + .keySize = 16, + .rounds = 8, + .plaintext = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .ciphertext = {0x76, 0x42, 0x84, 0xB4, 0x87, 0x1F, 0x54, 0xAE, + 0x33, 0xBF, 0x79, 0x3C, 0xE2, 0x78, 0x5B, 0x4D, + 0xE7, 0x90, 0xF3, 0x8C, 0xB8, 0xF4, 0xA1, 0x56, + 0x87, 0x8B, 0x54, 0x06, 0xBE, 0x5A, 0x1B, 0x1C, + 0x30, 0x31, 0xD3, 0xCD, 0x90, 0x34, 0xC8, 0x93, + 0x2C, 0x0A, 0x5E, 0xC9, 0x4A, 0x1A, 0x66, 0x4C, + 0x28, 0x94, 0xA9, 0x61, 0xBB, 0xB4, 0xF0, 0x2D, + 0x59, 0x73, 0x9F, 0xC9, 0xF1, 0xF0, 0x66, 0x05}, + .iv = {101,102,103,104,105,106,107,108}, + .counter = {109, 110, 111, 112, 113, 114, 115, 116}, + .size = 64 +}; + +static TestVector const testVectorChaCha8_256 = { + .name = "ChaCha8 256-bit", + .key = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, + 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, + 211, 212, 213, 214, 215, 216}, + .keySize = 32, + .rounds = 8, + .plaintext = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + .ciphertext = {0x38, 0x0F, 0x75, 0xD6, 0x32, 0xF8, 0xBB, 0x2C, + 0x44, 0x81, 0xF4, 0x27, 0x90, 0xB8, 0xAA, 0xE3, + 0x09, 0xD1, 0xB9, 0x55, 0xC2, 0xF5, 0x85, 0x27, + 0xBB, 0x8F, 0x43, 0x00, 0x68, 0x2B, 0x2A, 0x1B, + 0x7A, 0xC1, 0x5B, 0xC3, 0xA3, 0xFF, 0x29, 0xC9, + 0xD2, 0x95, 0x98, 0xF6, 0x3C, 0xAC, 0x9B, 0x2C, + 0xA3, 0xF1, 0x40, 0x1E, 0xFA, 0x7C, 0xAC, 0xA3, + 0xB1, 0x61, 0x27, 0x50, 0xBB, 0x03, 0x24, 0x36}, + .iv = {101,102,103,104,105,106,107,108}, + .counter = {109, 110, 111, 112, 113, 114, 115, 116}, + .size = 64 +}; + +ChaCha chacha; + +byte buffer[128]; + +bool testCipher_N(ChaCha *cipher, const struct TestVector *test, size_t inc) +{ + byte output[MAX_CIPHERTEXT_SIZE]; + size_t posn, len; + + cipher->clear(); + if (!cipher->setKey(test->key, test->keySize)) { + Serial.print("setKey "); + return false; + } + if (!cipher->setIV(test->iv, cipher->ivSize())) { + Serial.print("setIV "); + return false; + } + if (!cipher->setCounter(test->counter, 8)) { + Serial.print("setCounter "); + return false; + } + + memset(output, 0xBA, sizeof(output)); + + for (posn = 0; posn < test->size; posn += inc) { + len = test->size - posn; + if (len > inc) + len = inc; + cipher->encrypt(output + posn, test->plaintext + posn, len); + } + + if (memcmp(output, test->ciphertext, test->size) != 0) { + Serial.print(output[0], HEX); + Serial.print("->"); + Serial.print(test->ciphertext[0], HEX); + return false; + } + + cipher->setKey(test->key, test->keySize); + cipher->setIV(test->iv, cipher->ivSize()); + cipher->setCounter(test->counter, 8); + + for (posn = 0; posn < test->size; posn += inc) { + len = test->size - posn; + if (len > inc) + len = inc; + cipher->decrypt(output + posn, test->ciphertext + posn, len); + } + + if (memcmp(output, test->plaintext, test->size) != 0) + return false; + + return true; +} + +void testCipher(ChaCha *cipher, const struct TestVector *test) +{ + bool ok; + + Serial.print(test->name); + Serial.print(" ... "); + + cipher->setNumRounds(test->rounds); + + ok = testCipher_N(cipher, test, test->size); + ok &= testCipher_N(cipher, test, 1); + ok &= testCipher_N(cipher, test, 2); + ok &= testCipher_N(cipher, test, 5); + ok &= testCipher_N(cipher, test, 8); + ok &= testCipher_N(cipher, test, 13); + ok &= testCipher_N(cipher, test, 16); + + if (ok) + Serial.println("Passed"); + else + Serial.println("Failed"); +} + +void perfCipherEncrypt(ChaCha *cipher, const struct TestVector *test) +{ + unsigned long start; + unsigned long elapsed; + int count; + + Serial.print(test->name); + Serial.print(" Encrypt ... "); + + cipher->setNumRounds(test->rounds); + cipher->setKey(test->key, test->keySize); + cipher->setIV(test->iv, cipher->ivSize()); + start = micros(); + for (count = 0; count < 500; ++count) { + cipher->encrypt(buffer, buffer, sizeof(buffer)); + } + elapsed = micros() - start; + + Serial.print(elapsed / (sizeof(buffer) * 500.0)); + Serial.print("us per byte, "); + Serial.print((sizeof(buffer) * 500.0 * 1000000.0) / elapsed); + Serial.println(" bytes per second"); +} + +void perfCipherDecrypt(ChaCha *cipher, const struct TestVector *test) +{ + unsigned long start; + unsigned long elapsed; + int count; + + Serial.print(test->name); + Serial.print(" Decrypt ... "); + + cipher->setNumRounds(test->rounds); + cipher->setKey(test->key, test->keySize); + cipher->setIV(test->iv, cipher->ivSize()); + start = micros(); + for (count = 0; count < 500; ++count) { + cipher->decrypt(buffer, buffer, sizeof(buffer)); + } + elapsed = micros() - start; + + Serial.print(elapsed / (sizeof(buffer) * 500.0)); + Serial.print("us per byte, "); + Serial.print((sizeof(buffer) * 500.0 * 1000000.0) / elapsed); + Serial.println(" bytes per second"); +} + +void perfCipher(ChaCha *cipher, const struct TestVector *test) +{ + perfCipherEncrypt(cipher, test); + perfCipherDecrypt(cipher, test); +} + +void setup() +{ + Serial.begin(9600); + + Serial.println(); + + Serial.println("Test Vectors:"); + testCipher(&chacha, &testVectorChaCha20_128); + testCipher(&chacha, &testVectorChaCha20_256); + testCipher(&chacha, &testVectorChaCha12_128); + testCipher(&chacha, &testVectorChaCha12_256); + testCipher(&chacha, &testVectorChaCha8_128); + testCipher(&chacha, &testVectorChaCha8_256); + + Serial.println(); + + Serial.println("Performance Tests:"); + perfCipher(&chacha, &testVectorChaCha20_128); + perfCipher(&chacha, &testVectorChaCha20_256); + perfCipher(&chacha, &testVectorChaCha12_128); + perfCipher(&chacha, &testVectorChaCha12_256); + perfCipher(&chacha, &testVectorChaCha8_128); + perfCipher(&chacha, &testVectorChaCha8_256); +} + +void loop() +{ +}