Date:      Sat, 22 Apr 2017 01:06:23 +0000 (UTC)
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r317277 - head/sys/crypto/chacha20
Message-ID:  <201704220106.v3M16NLH097822@repo.freebsd.org>

Author: des
Date: Sat Apr 22 01:06:23 2017
New Revision: 317277
URL: https://svnweb.freebsd.org/changeset/base/317277

Log:
  Fix counter increment in Salsa and ChaCha.
  
  In my eagerness to eliminate a branch which is taken once per 2^38
  bytes of keystream, I forgot that the state words are in host order.
  Thus, the counter increment code worked fine on little-endian
  machines, but not on big-endian ones.  Switch to a simpler (branchful)
  solution.
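
The endianness problem the log describes, as an added example (not FreeBSD's code and not part of this commit): the pre-r317277 increment read the two host-order counter words at `state + 12` as if they were eight little-endian bytes, which is only an identity on little-endian hosts. The `put32`/`get32` helpers are a constructed model of how a host of a given byte order lays out a 32-bit word in memory, so the big-endian case can be exercised on any machine; `le64dec`/`le64enc` are local stand-ins with the little-endian semantics of the `sys/endian.h` functions of the same name (an assumption about that interface, not the kernel's implementation). `counter_after` returns the 64-bit counter formed by words 13 (high) and 12 (low) after one increment.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Byte-order model (constructed for this example): store or load a 32-bit
 * word the way a host of the given endianness holds it in memory.
 */
static void
put32(uint8_t *p, uint32_t v, int big_endian)
{
	for (int i = 0; i < 4; i++) {
		int shift = big_endian ? 8 * (3 - i) : 8 * i;
		p[i] = (uint8_t)(v >> shift);
	}
}

static uint32_t
get32(const uint8_t *p, int big_endian)
{
	uint32_t v = 0;

	for (int i = 0; i < 4; i++) {
		int shift = big_endian ? 8 * (3 - i) : 8 * i;
		v |= (uint32_t)p[i] << shift;
	}
	return (v);
}

/* Local stand-ins for sys/endian.h le64dec/le64enc: bytes are always LE. */
static uint64_t
le64dec(const uint8_t *p)
{
	uint64_t v = 0;

	for (int i = 0; i < 8; i++)
		v |= (uint64_t)p[i] << (8 * i);
	return (v);
}

static void
le64enc(uint8_t *p, uint64_t v)
{
	for (int i = 0; i < 8; i++)
		p[i] = (uint8_t)(v >> (8 * i));
}

/*
 * Pre-r317277 increment: treat the 8 bytes at state+12 as one little-endian
 * 64-bit integer, modelled on a host of the given byte order.
 */
void
increment_via_le64(uint32_t state[16], int big_endian)
{
	uint8_t buf[8];
	uint64_t ctr;

	put32(buf, state[12], big_endian);	/* memory image of word 12 */
	put32(buf + 4, state[13], big_endian);	/* memory image of word 13 */
	ctr = le64dec(buf);
	le64enc(buf, ++ctr);
	state[12] = get32(buf, big_endian);
	state[13] = get32(buf + 4, big_endian);
}

/* r317277 increment: host-order words, explicit carry; uint32_t wrap is defined. */
void
increment_branchful(uint32_t state[16])
{
	if (++state[12] == 0)
		++state[13];
}

/* Increment counter (hi:lo) once and return the resulting 64-bit value. */
uint64_t
counter_after(uint32_t lo, uint32_t hi, int big_endian, int branchful)
{
	uint32_t state[16] = { 0 };

	state[12] = lo;
	state[13] = hi;
	if (branchful)
		increment_branchful(state);
	else
		increment_via_le64(state, big_endian);
	return (((uint64_t)state[13] << 32) | state[12]);
}

int
main(void)
{
	printf("old, LE host:       %#llx\n", (unsigned long long)counter_after(0, 0, 0, 0));
	printf("old, BE host:       %#llx\n", (unsigned long long)counter_after(0, 0, 1, 0));
	printf("new, BE host:       %#llx\n", (unsigned long long)counter_after(0, 0, 1, 1));
	printf("old, BE host, wrap: %#llx\n", (unsigned long long)counter_after(0xFFFFFFFFu, 5, 1, 0));
	printf("new, BE host, wrap: %#llx\n", (unsigned long long)counter_after(0xFFFFFFFFu, 5, 1, 1));
	return (0);
}
```

On the simulated big-endian host the old code turns counter 0 into 0x01000000 rather than 1, and at the 2^32-block wrap it carries into the wrong byte of word 13; the branchful form gives the same answer in either byte order because it never reinterprets the words as bytes.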

Modified:
  head/sys/crypto/chacha20/chacha20.c

Modified: head/sys/crypto/chacha20/chacha20.c
==============================================================================
--- head/sys/crypto/chacha20/chacha20.c	Fri Apr 21 23:01:32 2017	(r317276)
+++ head/sys/crypto/chacha20/chacha20.c	Sat Apr 22 01:06:23 2017	(r317277)
@@ -130,7 +130,6 @@ size_t
 chacha20_encrypt(chacha20_ctx *ctx, const void *vpt, uint8_t *ct, size_t len)
 {
 	const uint8_t *pt = vpt;
-	uint64_t ctr;
 	uint32_t mix[16];
 	uint8_t ks[64];
 	unsigned int b, i;
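Review bot: dropping `uint64_t ctr;` is consistent with the second hunk, which no longer calls le64dec/le64enc and so has no use for a 64-bit temporary; leaving it would have produced an unused-variable warning. Nothing else to raise here.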
@@ -157,8 +156,8 @@ chacha20_encrypt(chacha20_ctx *ctx, cons
 			for (i = 0; i < 64 && i < len; ++i)
 				*ct++ = *pt++ ^ ks[i];
 		}
-		ctr = le64dec(ctx->state + 12);
-		le64enc(ctx->state + 12, ++ctr);
+		if (++ctx->state[12] == 0)
+			++ctx->state[13];
 	}
 	return (len);
 }
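Review bot: the replacement is correct in any byte order, but the carry into `ctx->state[13]` deserves a one-line comment. The old `le64dec(ctx->state + 12)` reinterpreted two host-order uint32_t words as eight little-endian bytes, an identity only on little-endian hosts; `if (++ctx->state[12] == 0)` works on the word itself, and uint32_t wrap-around is well defined, so the test is a valid overflow check. Since the carry touches word 13, add something like `/* words 12-13 form a 64-bit block counter, low word first */` above the `if`, so a reader does not mistake the increment of state[13] for a write into a nonce word; the old 8-byte le64 access made that layout assumption implicitly, and the new code should state it.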