salsa20: add support for 16-byte keys, and first test vector (#432)

micolous · micolous · commit cdd8f9db3dba · 2025-09-08T14:34:57.000+10:00
diff --git a/salsa20/src/lib.rs b/salsa20/src/lib.rs
@@ -79,7 +79,7 @@ use cipher::{
     Block, BlockSizeUser, IvSizeUser, KeyIvInit, KeySizeUser, StreamCipherClosure,
     StreamCipherCore, StreamCipherCoreWrapper, StreamCipherSeekCore,
     array::{Array, ArraySize, typenum::Unsigned},
-    consts::{U4, U6, U8, U10, U24, U32, U64},
+    consts::{U4, U6, U8, U10, U16, U24, U32, U64},
 };
 use core::marker::PhantomData;
 
@@ -103,8 +103,19 @@ pub type Salsa12 = StreamCipherCoreWrapper<SalsaCore<U6, U32>>;
 /// (20 rounds; **recommended**)
 pub type Salsa20 = StreamCipherCoreWrapper<SalsaCore<U10, U32>>;
 
+/// Salsa20/20 stream cipher, using 16-byte keys (*not recommended*)
+///
+/// # ⚠️ Security warning
+///
+/// Using Salsa20 with keys shorter than 32 bytes is
+/// [**explicitly discouraged** by its creator][0]. It is included for
+/// compatibility with systems that use these weaker keys.
+///
+/// [0]: https://cr.yp.to/snuffle/keysizes.pdf
+pub type Salsa20_16 = StreamCipherCoreWrapper<SalsaCore<U10, U16>>;
+
 /// Key type used by all Salsa variants and [`XSalsa20`].
-pub type Key<KeySize> = Array<u8, KeySize>;
+pub type Key<KeySize = U32> = Array<u8, KeySize>;
 
 /// Nonce type used by all Salsa variants.
 pub type Nonce = Array<u8, U8>;
@@ -115,8 +126,11 @@ pub type XNonce = Array<u8, U24>;
 /// Number of 32-bit words in the Salsa20 state
 const STATE_WORDS: usize = 16;
 
-/// State initialization constant ("expand 32-byte k")
-const CONSTANTS: [u32; 4] = [0x6170_7865, 0x3320_646e, 0x7962_2d32, 0x6b20_6574];
+/// State initialization constant for 32-byte keys ("expand 32-byte k")
+const CONSTANTS_32: [u32; 4] = [0x6170_7865, 0x3320_646e, 0x7962_2d32, 0x6b20_6574];
+
+/// State initialization constant for 16-byte keys ("expand 16-byte k")
+const CONSTANTS_16: [u32; 4] = [0x6170_7865, 0x3120_646e, 0x7962_2d36, 0x6b20_6574];
 
 /// The Salsa20 core function.
 pub struct SalsaCore<R: Unsigned, KeySize = U32> {
@@ -157,31 +171,84 @@ impl<R: Unsigned, KeySize> BlockSizeUser for SalsaCore<R, KeySize> {
     type BlockSize = U64;
 }
 
-impl<R: Unsigned> KeyIvInit for SalsaCore<R, U32>
-{
+impl<R: Unsigned> KeyIvInit for SalsaCore<R, U16> {
+    /// Create a new Salsa core using a _weaker_ 16-byte key.
+    ///
+    /// # ⚠️ Security warning
+    ///
+    /// Using Salsa20 with keys shorter than 32 bytes is
+    /// [**explicitly discouraged** by its creator][0]. It is included for
+    /// compatibility with systems that use these weaker keys.
+    ///
+    /// [0]: https://cr.yp.to/snuffle/keysizes.pdf
+    fn new(key: &Key<U16>, iv: &Nonce) -> Self {
+        let mut state = [0u32; STATE_WORDS];
+        state[0] = CONSTANTS_16[0];
+
+        for (i, chunk) in key.chunks(4).enumerate() {
+            state[1 + i] = u32::from_le_bytes(chunk.try_into().unwrap());
+        }
+
+        state[5] = CONSTANTS_16[1];
+
+        for (i, chunk) in iv.chunks(4).enumerate() {
+            state[6 + i] = u32::from_le_bytes(chunk.try_into().unwrap());
+        }
+
+        state[8] = 0;
+        state[9] = 0;
+        state[10] = CONSTANTS_16[2];
+
+        for (i, chunk) in key.chunks(4).enumerate() {
+            state[11 + i] = u32::from_le_bytes(chunk.try_into().unwrap());
+        }
+
+        state[15] = CONSTANTS_16[3];
+
+        cfg_if! {
+            if #[cfg(any(target_arch = "x86", target_arch = "x86_64"))] {
+                state = [
+                    state[0], state[5], state[10], state[15],
+                    state[4], state[9], state[14], state[3],
+                    state[8], state[13], state[2], state[7],
+                    state[12], state[1], state[6], state[11],
+                ];
+            }
+        }
+
+        Self {
+            state,
+            rounds: PhantomData,
+            key_size: PhantomData,
+        }
+    }
+}
+
+impl<R: Unsigned> KeyIvInit for SalsaCore<R, U32> {
+    /// Create a new Salsa core using a 32-byte key.
     fn new(key: &Key<U32>, iv: &Nonce) -> Self {
         let mut state = [0u32; STATE_WORDS];
-        state[0] = CONSTANTS[0];
+        state[0] = CONSTANTS_32[0];
 
         for (i, chunk) in key[..16].chunks(4).enumerate() {
             state[1 + i] = u32::from_le_bytes(chunk.try_into().unwrap());
         }
 
-        state[5] = CONSTANTS[1];
+        state[5] = CONSTANTS_32[1];
 
         for (i, chunk) in iv.chunks(4).enumerate() {
             state[6 + i] = u32::from_le_bytes(chunk.try_into().unwrap());
         }
 
         state[8] = 0;
         state[9] = 0;
-        state[10] = CONSTANTS[2];
+        state[10] = CONSTANTS_32[2];
 
         for (i, chunk) in key[16..].chunks(4).enumerate() {
             state[11 + i] = u32::from_le_bytes(chunk.try_into().unwrap());
         }
 
-        state[15] = CONSTANTS[3];
+        state[15] = CONSTANTS_32[3];
 
         Self {
             state,
diff --git a/salsa20/src/xsalsa.rs b/salsa20/src/xsalsa.rs
@@ -1,6 +1,6 @@
 //! XSalsa20 is an extended nonce variant of Salsa20
 
-use super::{CONSTANTS, Key, Nonce, SalsaCore, Unsigned, XNonce};
+use super::{CONSTANTS_32, Key, Nonce, SalsaCore, Unsigned, XNonce};
 use cipher::{
     BlockSizeUser, IvSizeUser, KeyIvInit, KeySizeUser, StreamCipherClosure, StreamCipherCore,
     StreamCipherCoreWrapper, StreamCipherSeekCore,
@@ -96,22 +96,22 @@ pub fn hsalsa<R: Unsigned>(key: &Key<U32>, input: &Array<u8, U16>) -> Array<u8,
     }
 
     let mut state = [0u32; 16];
-    state[0] = CONSTANTS[0];
+    state[0] = CONSTANTS_32[0];
     state[1..5]
         .iter_mut()
         .zip(key[0..16].chunks_exact(4))
         .for_each(|(v, chunk)| *v = to_u32(chunk));
-    state[5] = CONSTANTS[1];
+    state[5] = CONSTANTS_32[1];
     state[6..10]
         .iter_mut()
         .zip(input.chunks_exact(4))
         .for_each(|(v, chunk)| *v = to_u32(chunk));
-    state[10] = CONSTANTS[2];
+    state[10] = CONSTANTS_32[2];
     state[11..15]
         .iter_mut()
         .zip(key[16..].chunks_exact(4))
         .for_each(|(v, chunk)| *v = to_u32(chunk));
-    state[15] = CONSTANTS[3];
+    state[15] = CONSTANTS_32[3];
 
     // 20 rounds consisting of 10 column rounds and 10 diagonal rounds
     for _ in 0..R::USIZE {
diff --git a/salsa20/tests/data/ecrypt16.blb b/salsa20/tests/data/ecrypt16.blb
diff --git a/salsa20/tests/ecrypt.rs b/salsa20/tests/ecrypt.rs
@@ -1,5 +1,5 @@
 use cipher::{KeyIvInit, StreamCipher, StreamCipherSeek, blobby};
-use salsa20::Salsa20;
+use salsa20::{Salsa20, Salsa20_16};
 
 /// ECRYPT test vectors:
 /// https://github.com/das-labor/legacy/blob/master/microcontroller-2/arm-crypto-lib/testvectors/salsa20-256.64-verified.test-vectors
@@ -27,3 +27,30 @@ fn salsa20_ecrypt() {
         assert_eq!(buf, tv.expected);
     }
 }
+
+/// ECRYPT test vectors:
+/// https://github.com/das-labor/legacy/blob/master/microcontroller-2/arm-crypto-lib/testvectors/salsa20-128.64-verified.test-vectors
+#[test]
+fn salsa20_ecrypt16() {
+    blobby::parse_into_structs!(
+        include_bytes!("data/ecrypt16.blb");
+        #[define_struct]
+        static TEST_VECTORS: &[
+            TestVector { key, iv, pos, expected }
+        ];
+    );
+
+    for tv in TEST_VECTORS {
+        let key = tv.key.try_into().unwrap();
+        let iv = tv.iv.try_into().unwrap();
+        let pos = u32::from_be_bytes(tv.pos.try_into().unwrap());
+
+        let mut c = Salsa20_16::new(key, iv);
+        c.seek(pos);
+
+        let mut buf = [0u8; 64];
+        c.apply_keystream(&mut buf);
+
+        assert_eq!(buf, expected);
+    }
+}
