setupChachastate, chacha_setblock, chacha_setiv, chacha_encrypt, chacha_encrypt2, hchacha, ccpoly_encrypt, ccpoly_decrypt – chacha encryption

#include <u.h>
#include <libc.h>
#include <libsec.h>

void setupChachastate(Chachastate *s, uchar key[], ulong keylen, uchar *iv, ulong ivlen, int rounds)

void chacha_encrypt(uchar *data, ulong len, Chachastate *s)

void chacha_encrypt2(uchar *src, uchar *dst, ulong len, Chachastate *s)

void chacha_setblock(Chachastate *s, u64int blockno)

void chacha_setiv(Chachastate *s, uchar *iv);

void hchacha(uchar h[32], uchar *key, ulong keylen, uchar nonce[16], int rounds);

void ccpoly_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs);

int ccpoly_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs);


Chacha is D J Berstein's symmetric stream cipher, as modified by RFC7539. It supports keys of 256 bits (128 bits is supported here for special purposes). It has an underlying block size of 64 bytes (named as constant ChachaBsize).

SetupChachastate takes a reference to a Chachastate structure, a key of keylen bytes, which should normally be ChachaKeylen, a iv or nonce of ivlen bytes (can be ChachaIVlen=12, 8 or XChachaIVlen=24; set to all zeros if the iv argument is nil), and the number of rounds (set to the default of 20 if the argument is zero). With a key length of 256 bits (32 bytes), a nonce of 96 bits (12 bytes) and 20 rounds, the function implements the Chacha20 encryption function of RFC7539.

Chacha_encrypt encrypts len bytes of buf in place using the Chachastate in s. Len can be any byte length. Encryption and decryption are the same operation given the same starting state s.

Chacha_encrypt2 is similar, but encrypts len bytes of src into dst without modifying src.

Chacha_setblock sets the Chacha block counter for the next encryption to blockno, allowing seeking in an encrypted stream.

Chacha_setiv sets the the initialization vector (nonce) to iv.

Hchacha is a key expansion function that takes a 128 or 256–bit key and a 128–bit nonce and produces a new 256–bit key.

Ccpoly_encrypt and ccpoly_decrypt implement authenticated encryption with associated data (AEAD) using Chacha cipher and Poly1305 message authentication code as specified in RFC7539. These routines require a Chachastate that has been setup with a new (per key unique) initialization vector (nonce) on each invocation. The referenced data dat[ndat] is in–place encrypted or decrypted. Ccpoly_encrypt produces a 16 byte authentication tag, while ccpoly_decrypt verifies the tag, returning zero on success or negative on a mismatch. The aad[naad] arguments refer to the additional authenticated data that is included in the tag calculation, but not encrypted.


mp(2), aes(2), blowfish(2), des(2), dsa(2), elgamal(2), rc4(2), rsa(2), salsa(2), sechash(2), prime(2), rand(2)