1/*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2020 Netflix Inc.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28#include <opencrypto/xform_auth.h>
29#include <opencrypto/xform_enc.h>
30
31#include <sodium/crypto_core_hchacha20.h>
32#include <sodium/crypto_onetimeauth_poly1305.h>
33#include <sodium/crypto_stream_chacha20.h>
34
35struct chacha20_poly1305_ctx {
36	struct crypto_onetimeauth_poly1305_state auth;
37	const void *key;
38	uint32_t ic;
39	bool ietf;
40	char nonce[CHACHA20_POLY1305_IV_LEN];
41};
42
43struct xchacha20_poly1305_ctx {
44	struct chacha20_poly1305_ctx base_ctx;	/* must be first */
45	const void *key;
46	char derived_key[CHACHA20_POLY1305_KEY];
47};
48
49static int
50chacha20_poly1305_setkey(void *vctx, const uint8_t *key, int len)
51{
52	struct chacha20_poly1305_ctx *ctx = vctx;
53
54	if (len != CHACHA20_POLY1305_KEY)
55		return (EINVAL);
56
57	ctx->key = key;
58	return (0);
59}
60
61static void
62chacha20_poly1305_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
63{
64	struct chacha20_poly1305_ctx *ctx = vctx;
65	char block[CHACHA20_NATIVE_BLOCK_LEN];
66
67	KASSERT(ivlen == 8 || ivlen == sizeof(ctx->nonce),
68	    ("%s: invalid nonce length", __func__));
69
70	memcpy(ctx->nonce, iv, ivlen);
71	ctx->ietf = (ivlen == CHACHA20_POLY1305_IV_LEN);
72
73	/* Block 0 is used for the poly1305 key. */
74	if (ctx->ietf)
75		crypto_stream_chacha20_ietf(block, sizeof(block), iv, ctx->key);
76	else
77		crypto_stream_chacha20(block, sizeof(block), iv, ctx->key);
78	crypto_onetimeauth_poly1305_init(&ctx->auth, block);
79	explicit_bzero(block, sizeof(block));
80
81	/* Start with block 1 for ciphertext. */
82	ctx->ic = 1;
83}
84
85static void
86chacha20_poly1305_crypt(void *vctx, const uint8_t *in, uint8_t *out)
87{
88	struct chacha20_poly1305_ctx *ctx = vctx;
89	int error __diagused;
90
91	if (ctx->ietf)
92		error = crypto_stream_chacha20_ietf_xor_ic(out, in,
93		    CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key);
94	else
95		error = crypto_stream_chacha20_xor_ic(out, in,
96		    CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key);
97	KASSERT(error == 0, ("%s failed: %d", __func__, error));
98	ctx->ic++;
99}
100
101static void
102chacha20_poly1305_crypt_multi(void *vctx, const uint8_t *in, uint8_t *out, size_t len)
103{
104	struct chacha20_poly1305_ctx *ctx = vctx;
105	int error __diagused;
106
107	KASSERT(len % CHACHA20_NATIVE_BLOCK_LEN == 0, ("%s: invalid length",
108	    __func__));
109	if (ctx->ietf)
110		error = crypto_stream_chacha20_ietf_xor_ic(out, in, len,
111		    ctx->nonce, ctx->ic, ctx->key);
112	else
113		error = crypto_stream_chacha20_xor_ic(out, in, len, ctx->nonce,
114		    ctx->ic, ctx->key);
115	KASSERT(error == 0, ("%s failed: %d", __func__, error));
116	ctx->ic += len / CHACHA20_NATIVE_BLOCK_LEN;
117}
118
119static void
120chacha20_poly1305_crypt_last(void *vctx, const uint8_t *in, uint8_t *out,
121    size_t len)
122{
123	struct chacha20_poly1305_ctx *ctx = vctx;
124
125	int error __diagused;
126
127	if (ctx->ietf)
128		error = crypto_stream_chacha20_ietf_xor_ic(out, in, len,
129		    ctx->nonce, ctx->ic, ctx->key);
130	else
131		error = crypto_stream_chacha20_xor_ic(out, in, len, ctx->nonce,
132		    ctx->ic, ctx->key);
133	KASSERT(error == 0, ("%s failed: %d", __func__, error));
134}
135
136static int
137chacha20_poly1305_update(void *vctx, const void *data, u_int len)
138{
139	struct chacha20_poly1305_ctx *ctx = vctx;
140
141	crypto_onetimeauth_poly1305_update(&ctx->auth, data, len);
142	return (0);
143}
144
145static void
146chacha20_poly1305_final(uint8_t *digest, void *vctx)
147{
148	struct chacha20_poly1305_ctx *ctx = vctx;
149
150	crypto_onetimeauth_poly1305_final(&ctx->auth, digest);
151}
152
153const struct enc_xform enc_xform_chacha20_poly1305 = {
154	.type = CRYPTO_CHACHA20_POLY1305,
155	.name = "ChaCha20-Poly1305",
156	.ctxsize = sizeof(struct chacha20_poly1305_ctx),
157	.blocksize = 1,
158	.native_blocksize = CHACHA20_NATIVE_BLOCK_LEN,
159	.ivsize = CHACHA20_POLY1305_IV_LEN,
160	.minkey = CHACHA20_POLY1305_KEY,
161	.maxkey = CHACHA20_POLY1305_KEY,
162	.macsize = POLY1305_HASH_LEN,
163	.setkey = chacha20_poly1305_setkey,
164	.reinit = chacha20_poly1305_reinit,
165	.encrypt = chacha20_poly1305_crypt,
166	.decrypt = chacha20_poly1305_crypt,
167	.encrypt_multi = chacha20_poly1305_crypt_multi,
168	.decrypt_multi = chacha20_poly1305_crypt_multi,
169	.encrypt_last = chacha20_poly1305_crypt_last,
170	.decrypt_last = chacha20_poly1305_crypt_last,
171	.update = chacha20_poly1305_update,
172	.final = chacha20_poly1305_final,
173};
174
175static int
176xchacha20_poly1305_setkey(void *vctx, const uint8_t *key, int len)
177{
178	struct xchacha20_poly1305_ctx *ctx = vctx;
179
180	if (len != XCHACHA20_POLY1305_KEY)
181		return (EINVAL);
182
183	ctx->key = key;
184	ctx->base_ctx.key = ctx->derived_key;
185	return (0);
186}
187
188static void
189xchacha20_poly1305_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
190{
191	struct xchacha20_poly1305_ctx *ctx = vctx;
192	char nonce[CHACHA20_POLY1305_IV_LEN];
193
194	KASSERT(ivlen == XCHACHA20_POLY1305_IV_LEN,
195	    ("%s: invalid nonce length", __func__));
196
197	/*
198	 * Use HChaCha20 to derive the internal key used for
199	 * ChaCha20-Poly1305.
200	 */
201	crypto_core_hchacha20(ctx->derived_key, iv, ctx->key, NULL);
202
203	memset(nonce, 0, 4);
204	memcpy(nonce + 4, iv + crypto_core_hchacha20_INPUTBYTES,
205	    sizeof(nonce) - 4);
206	chacha20_poly1305_reinit(&ctx->base_ctx, nonce, sizeof(nonce));
207	explicit_bzero(nonce, sizeof(nonce));
208}
209
210const struct enc_xform enc_xform_xchacha20_poly1305 = {
211	.type = CRYPTO_XCHACHA20_POLY1305,
212	.name = "XChaCha20-Poly1305",
213	.ctxsize = sizeof(struct xchacha20_poly1305_ctx),
214	.blocksize = 1,
215	.native_blocksize = CHACHA20_NATIVE_BLOCK_LEN,
216	.ivsize = XCHACHA20_POLY1305_IV_LEN,
217	.minkey = XCHACHA20_POLY1305_KEY,
218	.maxkey = XCHACHA20_POLY1305_KEY,
219	.macsize = POLY1305_HASH_LEN,
220	.setkey = xchacha20_poly1305_setkey,
221	.reinit = xchacha20_poly1305_reinit,
222	.encrypt = chacha20_poly1305_crypt,
223	.decrypt = chacha20_poly1305_crypt,
224	.encrypt_multi = chacha20_poly1305_crypt_multi,
225	.decrypt_multi = chacha20_poly1305_crypt_multi,
226	.encrypt_last = chacha20_poly1305_crypt_last,
227	.decrypt_last = chacha20_poly1305_crypt_last,
228	.update = chacha20_poly1305_update,
229	.final = chacha20_poly1305_final,
230};
231