Update documentation

2019-02-06 00:52:41 -05:00 · 2019-02-06 00:52:41 -05:00 · 483bb4a8e7
parent df8abd5f00
commit 483bb4a8e7
2 changed files with 28 additions and 19 deletions
--- a/chacha.cpp
+++ b/chacha.cpp
@ -39,6 +39,7 @@ void ChaCha_TestInstantiations()
 {
    ChaCha::Encryption x;
    ChaChaTLS::Encryption y;
+    XChaCha20::Encryption z;
 }
 #endif

@ -424,19 +425,14 @@ void ChaChaTLS_Policy::CipherSetKey(const NameValuePairs &params, const byte *ke
    // the function, so we have to use the heavier-weight SetKey to change it.
    word64 block;
    if (params.GetValue("InitialBlock", block))
-        m_state[16] = static_cast<word32>(block);
+        m_state[CTR] = static_cast<word32>(block);
    else
-        m_state[16] = 0;
-
-    // State words are defined in RFC 8439, Section 2.3.
-    m_state[0] = 0x61707865;
-    m_state[1] = 0x3320646e;
-    m_state[2] = 0x79622d32;
-    m_state[3] = 0x6b206574;
+        m_state[CTR] = 0;

    // State words are defined in RFC 8439, Section 2.3. Key is 32-bytes.
    GetBlock<word32, LittleEndian> get(key);
-    get(m_state[4])(m_state[5])(m_state[6])(m_state[7])(m_state[8])(m_state[9])(m_state[10])(m_state[11]);
+    get(m_state[KEY+0])(m_state[KEY+1])(m_state[KEY+2])(m_state[KEY+3])
+        (m_state[KEY+4])(m_state[KEY+5])(m_state[KEY+6])(m_state[KEY+7]);
 }

 void ChaChaTLS_Policy::CipherResynchronize(byte *keystreamBuffer, const byte *IV, size_t length)
@ -444,9 +440,16 @@ void ChaChaTLS_Policy::CipherResynchronize(byte *keystreamBuffer, const byte *IV
    CRYPTOPP_UNUSED(keystreamBuffer), CRYPTOPP_UNUSED(length);
    CRYPTOPP_ASSERT(length==12);

+    // State words are defined in RFC 8439, Section 2.3.
+    m_state[0] = 0x61707865; m_state[1] = 0x3320646e;
+    m_state[2] = 0x79622d32; m_state[3] = 0x6b206574;
+
+    // Copy saved key into state
+    std::memcpy(m_state+4, m_state+KEY, 8*sizeof(word32));
+
    // State words are defined in RFC 8439, Section 2.3
    GetBlock<word32, LittleEndian> get(IV);
-    m_state[12] = m_state[16];
+    m_state[12] = m_state[CTR];
    get(m_state[13])(m_state[14])(m_state[15]);
 }

@ -510,9 +513,9 @@ void XChaCha20_Policy::CipherSetKey(const NameValuePairs &params, const byte *ke

    word64 block;
    if (params.GetValue("InitialBlock", block))
-        m_state[24] = static_cast<word32>(block);
+        m_state[CTR] = static_cast<word32>(block);
    else
-        m_state[24] = 1;
+        m_state[CTR] = 1;

    // Stash key away for use in CipherResynchronize
    GetBlock<word32, LittleEndian> get(key);
@ -545,7 +548,7 @@ void XChaCha20_Policy::CipherResynchronize(byte *keystreamBuffer, const byte *iv
    m_state[2] = 0x79622d32; m_state[3] = 0x6b206574;

    // Setup new IV
-    m_state[12] = m_state[24];
+    m_state[12] = m_state[CTR];
    m_state[13] = 0;
    m_state[14] = GetWord<word32>(false, LITTLE_ENDIAN_ORDER, iv+16);
    m_state[15] = GetWord<word32>(false, LITTLE_ENDIAN_ORDER, iv+20);
--- a/chacha.h
+++ b/chacha.h
@ -5,10 +5,10 @@

 // The library added Bernstein's ChaCha classses at Crypto++ 5.6.4. The IETF
 // uses a slightly different implementation than Bernstein, and the IETF
-// classes were added at Crypto++ 8.1. We wanted to maintain ABI compatibility
-// at the 8.1 release so the original ChaCha classes were not disturbed.
-// Instead new classes were added for IETF ChaCha. The back-end implementation
-// shares code as expected, however.
+// ChaCha and XChaCha classes were added at Crypto++ 8.1. We wanted to maintain
+// ABI compatibility at the 8.1 release so the original ChaCha classes were not
+// disturbed. Instead new classes were added for IETF ChaCha. The back-end
+// implementation shares code as expected, however.

 /// \file chacha.h
 /// \brief Classes for ChaCha8, ChaCha12 and ChaCha20 stream ciphers
@ -20,7 +20,10 @@
 ///   implementation for cipher suites
 ///   <tt>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</tt>,
 ///   <tt>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256</tt>,
-///   and <tt>TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256</tt>.
+///   and <tt>TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256</tt>. Finally,
+///   the library provides <a
+///   href="https://tools.ietf.org/html/draft-arciszewski-xchacha">XChaCha:
+///   eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305 (rev. 03)</a>.
 /// \since ChaCha since Crypto++ 5.6.4, ChaChaTLS and XChaCha20 since Crypto++ 8.1

 #ifndef CRYPTOPP_CHACHA_H
@ -125,8 +128,10 @@ protected:
    std::string AlgorithmName() const;
    std::string AlgorithmProvider() const;

-    FixedSizeAlignedSecBlock<word32, 16+1> m_state;
+    FixedSizeAlignedSecBlock<word32, 16+8+1> m_state;
    CRYPTOPP_CONSTANT(ROUNDS = ChaChaTLS_Info::ROUNDS)
+    CRYPTOPP_CONSTANT(KEY = 16)  // Index into m_state
+    CRYPTOPP_CONSTANT(CTR = 24)  // Index into m_state
 };

 /// \brief ChaCha-TLS stream cipher
@ -191,6 +196,7 @@ protected:
    FixedSizeAlignedSecBlock<word32, 16+8+1> m_state;
    CRYPTOPP_CONSTANT(ROUNDS = XChaCha20_Info::ROUNDS)
    CRYPTOPP_CONSTANT(KEY = 16)  // Index into m_state
+    CRYPTOPP_CONSTANT(CTR = 24)  // Index into m_state
 };

 /// \brief XChaCha stream cipher