
`salsa20`: support 16 byte keys

Open micolous opened this issue 5 months ago • 2 comments

16 and 10 byte keys use different constants, as described in the Salsa20 paper:

> The diagonal constants are the same for every block, every nonce, and every 32-byte key. As an extra (non-recommended) option, Salsa20 can use a 16-byte key, repeated to form a 32-byte key; in this case the diagonal constants change to 0x61707865, 0x3120646e, 0x79622d36, 0x6b206574. Salsa20 can also use a 10-byte key, zero-padded to form a 16-byte key; in this case the diagonal constants change to 0x61707865, 0x3120646e, 0x79622d30, 0x6b206574.

RustCrypto only supports the 32-byte key:

https://github.com/RustCrypto/stream-ciphers/blob/07ee501ac9067abe0679a596aa771a575baec68e/salsa20/src/lib.rs#L120-L121

So it's not possible to "extend" the key without changing the constant.

micolous, Aug 08 '25 11:08
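The constant change described in the issue above, as an added example that is not part of the thread or of RustCrypto's code: the diagonal words are the ASCII label `expand NN-byte k`, so a 16-byte key repeated by the caller for a 32-byte-key API gives a different initial state and keystream block. The function names are illustrative, the 10-byte variant is left out of the key setup, and the sample key is constructed.

```rust
// Added illustration, not RustCrypto code; function names are hypothetical.
fn le32(b: &[u8]) -> u32 { u32::from_le_bytes([b[0], b[1], b[2], b[3]]) }
/// The diagonal constants are the ASCII label "expand NN-byte k" as four LE words.
fn constants(l: &[u8; 16]) -> [u32; 4] { [le32(&l[0..]), le32(&l[4..]), le32(&l[8..]), le32(&l[12..])] }

/// Initial 4x4 state; `None` for key lengths other than 32 or 16 bytes.
fn initial_state(key: &[u8], nonce: &[u8; 8], counter: u64) -> Option<[u32; 16]> {
    let (label, k): (&[u8; 16], Vec<u8>) = match key.len() {
        32 => (b"expand 32-byte k", key.to_vec()),
        16 => (b"expand 16-byte k", [key, key].concat()), // key repeated, label changes
        _ => return None,
    };
    let c = constants(label);
    let n = [le32(&nonce[0..]), le32(&nonce[4..]), counter as u32, (counter >> 32) as u32];
    let mut s = [0u32; 16];
    for i in 0..4 {
        s[5 * i] = c[i];                    // diagonal words 0, 5, 10, 15
        s[1 + i] = le32(&k[4 * i..]);       // first key half, words 1..=4
        s[6 + i] = n[i];                    // nonce, then block counter, words 6..=9
        s[11 + i] = le32(&k[16 + 4 * i..]); // second key half, words 11..=14
    }
    Some(s)
}

/// Salsa20/20 block function: 10 double rounds, then add the input state.
fn block(input: &[u32; 16]) -> [u8; 64] {
    const QR: [[usize; 4]; 8] = [
        [0, 4, 8, 12], [5, 9, 13, 1], [10, 14, 2, 6], [15, 3, 7, 11], // column round
        [0, 1, 2, 3], [5, 6, 7, 4], [10, 11, 8, 9], [15, 12, 13, 14], // row round
    ];
    let mut x = *input;
    for _ in 0..10 {
        for &[a, b, c, d] in QR.iter() {
            x[b] ^= x[a].wrapping_add(x[d]).rotate_left(7);
            x[c] ^= x[b].wrapping_add(x[a]).rotate_left(9);
            x[d] ^= x[c].wrapping_add(x[b]).rotate_left(13);
            x[a] ^= x[d].wrapping_add(x[c]).rotate_left(18);
        }
    }
    let mut out = [0u8; 64];
    for i in 0..16 {
        out[4 * i..4 * i + 4].copy_from_slice(&x[i].wrapping_add(input[i]).to_le_bytes());
    }
    out
}

fn main() {
    let s16 = initial_state(&[0x11; 16], &[0; 8], 0).unwrap(); // constructed 16-byte key
    let s32 = initial_state(&[0x11; 32], &[0; 8], 0).unwrap(); // same bytes, repeated by the caller
    println!("keystreams match: {}", block(&s16)[..] == block(&s32)[..]);
}
```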

Is there a specific interoperability reason you want to support these? Or do you want them supported specifically for the sake of supporting them?

Salsa20-80 and Salsa20-128 exist due to the requirements of eSTREAM and are not recommended. Salsa20 is designed for 256-bit keys:

https://cr.yp.to/snuffle/keysizes.pdf

An 80-bit key size in particular is quite small and potentially vulnerable to brute force attacks.

tarcieri, Aug 08 '25 12:08

> Is there a specific interoperability reason you want to support these?

Yes, I'm decrypting BLTE archives, which are encrypted with 16-byte keys[^1]. I can't control the contents of these files, or which key length or encryption algorithm they use.

I'm aware it sucks... but the other algorithm this file format encrypts with is RC4, and it also uses MD5 checksums. 🙃

[^1]: `key_name` in that file is 8 bytes, but that's a reference to a mapping table to 16-byte keys.

micolous, Aug 08 '25 12:08