extremecoders-re/borkedsalsa.c

## 156 changes: 156 additions & 0 deletions borkedsalsa.c
@@ -0,0 +1,156 @@

    typedef unsigned int uint32_t;
typedef unsigned int uint32_t;

    typedef unsigned short uint16_t;
typedef unsigned short uint16_t;

    typedef unsigned char uint8_t;
typedef unsigned char uint8_t;


    static uint16_t rotl(uint16_t value, uint16_t shift)
static uint16_t rotl(uint16_t value, uint16_t shift)

    {
{

      return (value << shift) | (value >> (32 - shift));
  return (value << shift) | (value >> (32 - shift));

    }
}


    static void s20_quarterround(uint16_t *y0, uint16_t *y1, uint16_t *y2, uint16_t *y3)
static void s20_quarterround(uint16_t *y0, uint16_t *y1, uint16_t *y2, uint16_t *y3)

    {
{

      *y1 = *y1 ^ rotl(*y0 + *y3, 7);
  *y1 = *y1 ^ rotl(*y0 + *y3, 7);

      *y2 = *y2 ^ rotl(*y1 + *y0, 9);
  *y2 = *y2 ^ rotl(*y1 + *y0, 9);

      *y3 = *y3 ^ rotl(*y2 + *y1, 13);
  *y3 = *y3 ^ rotl(*y2 + *y1, 13);

      *y0 = *y0 ^ rotl(*y3 + *y2, 18);
  *y0 = *y0 ^ rotl(*y3 + *y2, 18);

    }
}


    static void s20_rowround(uint16_t y[16])
static void s20_rowround(uint16_t y[16])

    {
{

      s20_quarterround(&y[0], &y[1], &y[2], &y[3]);
  s20_quarterround(&y[0], &y[1], &y[2], &y[3]);

      s20_quarterround(&y[5], &y[6], &y[7], &y[4]);
  s20_quarterround(&y[5], &y[6], &y[7], &y[4]);

      s20_quarterround(&y[10], &y[11], &y[8], &y[9]);
  s20_quarterround(&y[10], &y[11], &y[8], &y[9]);

      s20_quarterround(&y[15], &y[12], &y[13], &y[14]);
  s20_quarterround(&y[15], &y[12], &y[13], &y[14]);

    }
}


    static void s20_columnround(uint16_t x[16])
static void s20_columnround(uint16_t x[16])

    {
{

      s20_quarterround(&x[0], &x[4], &x[8], &x[12]);
  s20_quarterround(&x[0], &x[4], &x[8], &x[12]);

      s20_quarterround(&x[5], &x[9], &x[13], &x[1]);
  s20_quarterround(&x[5], &x[9], &x[13], &x[1]);

      s20_quarterround(&x[10], &x[14], &x[2], &x[6]);
  s20_quarterround(&x[10], &x[14], &x[2], &x[6]);

      s20_quarterround(&x[15], &x[3], &x[7], &x[11]);
  s20_quarterround(&x[15], &x[3], &x[7], &x[11]);

    }
}


    static void s20_doubleround(uint16_t x[16])
static void s20_doubleround(uint16_t x[16])

    {
{

      s20_columnround(x);
  s20_columnround(x);

      s20_rowround(x);
  s20_rowround(x);

    }
}


    static uint16_t s20_littleendian(uint8_t *b)
static uint16_t s20_littleendian(uint8_t *b)

    {
{

      return (b[0] + (b[1] << 8));
  return (b[0] + (b[1] << 8));

    }
}


    static void s20_rev_littleendian(uint8_t *b, uint16_t w)
static void s20_rev_littleendian(uint8_t *b, uint16_t w)

    {
{

      b[0] = w;
  b[0] = w;

      b[1] = w >> 8;
  b[1] = w >> 8;

      b[2] = w >> 16; // always zero
  b[2] = w >> 16; // always zero

      b[3] = w >> 24; // always zero
  b[3] = w >> 24; // always zero

    }
}


    static void s20_hash(uint8_t seq[64])
static void s20_hash(uint8_t seq[64])

    {
{

      int i;
  int i;

      uint16_t x[16];
  uint16_t x[16];

      uint16_t z[16];
  uint16_t z[16];


      // Create two copies of the state in little-endian format
  // Create two copies of the state in little-endian format

      // First copy is hashed together
  // First copy is hashed together

      // Second copy is added to first, word-by-word
  // Second copy is added to first, word-by-word

      for (i = 0; i < 16; ++i)
  for (i = 0; i < 16; ++i)

        x[i] = z[i] = s20_littleendian(seq + (4 * i));
    x[i] = z[i] = s20_littleendian(seq + (4 * i));


      for (i = 0; i < 10; ++i)
  for (i = 0; i < 10; ++i)

        s20_doubleround(z);
    s20_doubleround(z);


      for (i = 0; i < 16; ++i)
  for (i = 0; i < 16; ++i)

      {
  {

        z[i] += x[i];
    z[i] += x[i];

        s20_rev_littleendian(seq + (4 * i), z[i]);
    s20_rev_littleendian(seq + (4 * i), z[i]);

      }
  }

    }
}


    static void s20_expand32(uint8_t *k, uint8_t n[16], uint8_t keystream[64])
static void s20_expand32(uint8_t *k, uint8_t n[16], uint8_t keystream[64])

    {
{

      int i, j;
  int i, j;

      // The constants specified by the Salsa20 specification, 'sigma'
  // The constants specified by the Salsa20 specification, 'sigma'

      // "expand 32-byte k"
  // "expand 32-byte k"

      uint8_t o[4][4] = {
  uint8_t o[4][4] = {

        { 'e', 'x', 'p', 'a' },
    { 'e', 'x', 'p', 'a' },

        { 'n', 'd', ' ', '3' },
    { 'n', 'd', ' ', '3' },

        { '2', '-', 'b', 'y' },
    { '2', '-', 'b', 'y' },

        { 't', 'e', ' ', 'k' }
    { 't', 'e', ' ', 'k' }

      };
  };


      // Copy all of 'sigma' into the correct spots in our keystream block
  // Copy all of 'sigma' into the correct spots in our keystream block

      for (i = 0; i < 64; i += 20)
  for (i = 0; i < 64; i += 20)

        for (j = 0; j < 4; ++j)
    for (j = 0; j < 4; ++j)

          keystream[i + j] = o[i / 20][j];
      keystream[i + j] = o[i / 20][j];


      // Copy the key and the nonce into the keystream block
  // Copy the key and the nonce into the keystream block

      for (i = 0; i < 16; ++i) {
  for (i = 0; i < 16; ++i) {

        keystream[4+i]  = k[i];
    keystream[4+i]  = k[i];

        keystream[44+i] = k[i+16];
    keystream[44+i] = k[i+16];

        keystream[24+i] = n[i];
    keystream[24+i] = n[i];

      }
  }


      s20_hash(keystream);
  s20_hash(keystream);

    }
}


    int s20_crypt(uint8_t *key,
int s20_crypt(uint8_t *key,

                                uint8_t nonce[8],
                            uint8_t nonce[8],

                                uint16_t si,
                            uint16_t si,

                                uint8_t *buf,
                            uint8_t *buf,

                                uint16_t buflen)
                            uint16_t buflen)

    {
{

      uint8_t keystream[64];
  uint8_t keystream[64];

      // 'n' is the 8-byte nonce (unique message number) concatenated
  // 'n' is the 8-byte nonce (unique message number) concatenated

      // with the per-block 'counter' value (4 bytes in our case, 8 bytes
  // with the per-block 'counter' value (4 bytes in our case, 8 bytes

      // in the standard). We leave the high 4 bytes set to zero because
  // in the standard). We leave the high 4 bytes set to zero because

      // we permit only a 32-bit integer for stream index and length.
  // we permit only a 32-bit integer for stream index and length.

      uint8_t n[16] = { 0 };
  uint8_t n[16] = { 0 };

      uint16_t i;
  uint16_t i;


      // If any of the parameters we received are invalid
  // If any of the parameters we received are invalid

      if (key == NULL || nonce == NULL || buf == NULL)
  if (key == NULL || nonce == NULL || buf == NULL)

        return -1;
    return -1;


      // Set up the low 8 bytes of n with the unique message number
  // Set up the low 8 bytes of n with the unique message number

      for (i = 0; i < 8; ++i)
  for (i = 0; i < 8; ++i)

        n[i] = nonce[i];
    n[i] = nonce[i];


      // If we're not on a block boundary, compute the first keystream
  // If we're not on a block boundary, compute the first keystream

      // block. This will make the primary loop (below) cleaner
  // block. This will make the primary loop (below) cleaner

      if (si % 64 != 0) {
  if (si % 64 != 0) {

        // Set the second-to-highest 4 bytes of n to the block number
    // Set the second-to-highest 4 bytes of n to the block number

        s20_rev_littleendian(n+8, si / 64);
    s20_rev_littleendian(n+8, si / 64);

        // Expand the key with n and hash to produce a keystream block
    // Expand the key with n and hash to produce a keystream block

        s20_expand32(key, n, keystream);
    s20_expand32(key, n, keystream);

      }
  }


      // Walk over the plaintext byte-by-byte, xoring the keystream with
  // Walk over the plaintext byte-by-byte, xoring the keystream with

      // the plaintext and producing new keystream blocks as needed
  // the plaintext and producing new keystream blocks as needed

      for (i = 0; i < buflen; ++i) {
  for (i = 0; i < buflen; ++i) {

        // If we've used up our entire keystream block (or have just begun
    // If we've used up our entire keystream block (or have just begun

        // and happen to be on a block boundary), produce keystream block
    // and happen to be on a block boundary), produce keystream block

        if ((si + i) % 64 == 0) {
    if ((si + i) % 64 == 0) {

          s20_rev_littleendian(n+8, ((si + i) / 64));
      s20_rev_littleendian(n+8, ((si + i) / 64));

          s20_expand32(key, n, keystream);
      s20_expand32(key, n, keystream);

        }
    }


        // xor one byte of plaintext with one byte of keystream
    // xor one byte of plaintext with one byte of keystream

        buf[i] ^= keystream[(si + i) % 64];
    buf[i] ^= keystream[(si + i) % 64];

      }
  }


      return 0;
  return 0;

    }
}