Roll shell-encryption 1c3aa8007597...ccada6d8fd

This CL is doing the following:
- Rolling to the recent version
- Update the README with the exact version

Bug: chromium:1076079
Change-Id: Ie16aeaf8e2325762e6928a991c1aefe21dbfb24b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2170868Reviewed-by: Nico Weber <thakis@chromium.org>
Commit-Queue: Nico Weber <thakis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#763480}

third_party/shell-encryption/README.chromium

 Name: Simple Homomorphic Encryption Library with Lattices
 URL: https://github.com/google/shell-encryption
-Version: 388d4d1ac027c41840564bf99dd88f0f6d05672c
+Version: 1c3aa80075974a241f2e0f9e7b3c7eccada6d8fd
 License: Apache Version 2.0
 License File: src/LICENSE
 Security Critical: no

third_party/shell-encryption/src/prng/chacha_prng_util.cc

@@ -31,16 +31,27 @@ absl::Status ChaChaPrngResalt(absl::string_view key, int buffer_size,
                               int* salt_counter, int* position_in_buffer,
                               std::vector<Uint8>* buffer) {
   buffer->assign(buffer_size, 0);
-  std::string salt = "salt";
-  if (salt.size() > kChaChaNonceSize) {
-    return absl::InternalError("The salt length is too large.");
+
+  // Following https://tools.ietf.org/html/rfc7539, Sec 2.3, we create the
+  // nonce as a kChaChaNonceSize (=12) bytes string, where the 4 first
+  // bytes are fixed, and the next 8 bytes correspond to the counter.
+  std::string nonce = "salt00000000";
+  if (nonce.size() != kChaChaNonceSize) {
+    return absl::InternalError("The salt length is incorrect.");
+  }
+  Uint64 counter = static_cast<Uint64>(*salt_counter);
+  for (int i = 0; i < 8; i++) {
+    nonce[4 + i] = counter & 0xFF;
+    counter >>= 8;
   }
-  salt.resize(kChaChaNonceSize, 0);
 
+  // We call the CRYPTO_chacha_20() function from OpenSSL. Note that the last
+  // parameter is a *block* counter. The salt counter needs instead to be
+  // included in the nonce.
   CRYPTO_chacha_20(buffer->data(), buffer->data(), buffer->size(),
                    reinterpret_cast<const Uint8*>(key.data()),
-                   reinterpret_cast<const Uint8*>(salt.data()),
-                   static_cast<uint32_t>(*salt_counter));
+                   reinterpret_cast<const Uint8*>(nonce.data()),
+                   /* counter = */ 0);
 
   ++(*salt_counter);
   *position_in_buffer = 0;

third_party/shell-encryption/src/prng/prng_test.cc

@@ -142,5 +142,29 @@ TYPED_TEST(PrngTest, ReplayDifferentInKeyTest) {
   EXPECT_NE(r64, other_r64);
 }
 
+TYPED_TEST(PrngTest, GeneratesUniqueRandomStrings) {
+  const int kKeySize = 20;
+  const int kIterations = 10000;
+  const char charset[] = "abcdefghijklmnopqrstuvwxyz0123456789";
+
+  std::vector<std::string> keys;
+  for (int i = 0; i < kIterations; i++) {
+    // Create a random key
+    std::string key(kKeySize, 0);
+    for (int j = 0; j < kKeySize; j++) {
+      ASSERT_OK_AND_ASSIGN(auto v, this->prng_->Rand8());
+      key[j] = charset[static_cast<int>(v) % sizeof(charset)];
+    }
+
+    // With very high probability (~(1/36)^20), a key will only appear once.
+    int count = 0;
+    for (auto k : keys) {
+      if (k == key) count++;
+    }
+    ASSERT_EQ(count, 0);
+    keys.push_back(key);
+  }
+}
+
 }  // namespace
 }  // namespace rlwe