FelipeMdeO opened a new pull request, #19403:
URL: https://github.com/apache/nuttx/pull/19403

   ## Summary
   
   This PR adds a new OCF algorithm ID, `CRYPTO_CHACHA20_DJB`, implementing the
   original ChaCha20 construction as designed by Daniel J. Bernstein (DJB),
   alongside the already-supported IETF variant.
   
   ChaCha20 exists in two standard parameterizations that differ only in how the
   last four words of the cipher state (words 12..15) are split:
   
   - **Original DJB construction (2008)**: 64-bit little-endian block counter
     (state words 12–13) + 64-bit nonce (state words 14–15). This is the layout
     used by OpenSSH's `[email protected]` and by libtomcrypt's
     `chacha_ivctr64()`.
   - **IETF variant (RFC 8439)**: 32-bit block counter (word 12) + 96-bit nonce
     (words 13–15). This is what the existing `CRYPTO_CHACHA20` implements, and
     what TLS uses.
   
   ## Impact
   
   - **Users**: no impact on existing code paths. `CRYPTO_CHACHA20` (IETF) is
     unchanged; `CRYPTO_CHACHA20_DJB` is a new, separate algorithm ID in
     `include/crypto/cryptodev.h` (`CRYPTO_ALGORITHM_MAX` bumped accordingly).
   - **Security**: implements a well-established construction (original ChaCha20
     by D. J. Bernstein); no changes to existing algorithms.
   
   ## Testing
   
   Host: Ubuntu 24.04 (aarch64), GCC 13.3.0
   Target: `sim:nsh` + `CONFIG_CRYPTO_CRYPTODEV=y` +
   `CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO=y`
   
   The new transform was verified on the simulator with a small `/dev/crypto`
   test program (session with `cipher = CRYPTO_CHACHA20_DJB`, `CIOCCRYPT` over
   64 zero bytes) against ChaCha20 keystreams computed independently with
   OpenSSL on the host. The DJB 16-byte IV (64-bit LE counter || 64-bit nonce)
   is byte-for-byte the same layout OpenSSL's `enc -chacha20` takes as `-iv`
   (32-bit LE counter || 96-bit nonce), so the same 16 bytes must produce the
   same keystream — while NuttX's IETF `CRYPTO_CHACHA20`, which parses the IV
   differently, must diverge:
   
   ```console
   $ K=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
   $ head -c 64 /dev/zero | openssl enc -chacha20 -K $K -iv 
00000000000000000001020304050607 | xxd -p -c 32
   f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c1
   34a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a
   $ head -c 64 /dev/zero | openssl enc -chacha20 -K $K -iv 
01000000000000000001020304050607 | xxd -p -c 32
   38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd
   9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c7
   ```
   
   (The first keystream matches the well-known ChaCha20 test vector for
   key `00 01 02 .. 1f` / nonce `00 01 02 03 04 05 06 07`.)
   
   On the simulator (test program run as the `hello` built-in):
   
   ```console
   $ ./tools/configure.sh sim:nsh
   $ kconfig-tweak --enable CONFIG_ALLOW_BSD_COMPONENTS
   $ kconfig-tweak --enable CONFIG_CRYPTO
   $ kconfig-tweak --enable CONFIG_CRYPTO_SW_AES
   $ kconfig-tweak --enable CONFIG_CRYPTO_CRYPTODEV
   $ kconfig-tweak --enable CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO
   $ make olddefconfig && make -j4
   $ ./nuttx
   NuttShell (NSH) NuttX-12.6.0-RC1
   nsh> hello
   CRYPTO_CHACHA20_DJB /dev/crypto test
   PASS: DJB ctr=0 keystream matches OpenSSL
   PASS: DJB ctr=1 keystream matches OpenSSL
   PASS: IETF CRYPTO_CHACHA20 diverges from DJB layout
   chacha20-djb: 3 passed, 0 failed
   ```
   
   The second vector exercises the DJB IV layout with block counter = 1,
   confirming the counter is taken from IV bytes 0..7 (words 12..13). The third
   check creates a `CRYPTO_CHACHA20` (IETF) session with the same key and IV
   bytes and confirms its keystream differs, demonstrating the two
   parameterizations are distinct and the new ID is required for OpenSSH
   interoperability.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to