1/*	$OpenBSD: chachapoly.c,v 1.6 2020/07/22 13:54:30 tobhe Exp $	*/
2/*
3 * Copyright (c) 2015 Mike Belopuhov
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/param.h>
19#include <sys/systm.h>
20#include <lib/libkern/libkern.h>
21
22#include <crypto/chacha_private.h>
23#include <crypto/poly1305.h>
24#include <crypto/chachapoly.h>
25
/*
 * Load key material into a chacha20_ctx key schedule.
 *
 * `key' must hold exactly CHACHA20_KEYSIZE key bytes followed by
 * CHACHA20_SALT salt bytes; any other `len' is rejected before the
 * buffer is read.  Returns 0 on success and -1 on a length mismatch.
 */
int
chacha20_setkey(void *sched, u_int8_t *key, int len)
{
	struct chacha20_ctx *ctx = sched;

	/* Only the exact key || salt layout is accepted. */
	if (len == CHACHA20_KEYSIZE + CHACHA20_SALT) {
		/*
		 * initial counter is 1
		 *
		 * NOTE(review): only byte 0 of the counter is written here;
		 * the bytes between it and CHACHA20_CTR keep whatever the
		 * caller left in `sched' -- presumably zero, confirm.
		 */
		ctx->nonce[0] = 1;

		/* The salt trails the key and is stored after the counter. */
		memcpy(ctx->nonce + CHACHA20_CTR, key + CHACHA20_KEYSIZE,
		    CHACHA20_SALT);

		/* chacha_keysetup() takes the key size in bits. */
		chacha_keysetup((chacha_ctx *)&ctx->block, key,
		    CHACHA20_KEYSIZE * 8);
		return (0);
	}

	return (-1);
}
41
/*
 * Install a per-message IV on an already keyed chacha20_ctx.
 *
 * The counter/salt block is taken from ctx->nonce as prepared by
 * chacha20_setkey().  Reusing an IV under the same key repeats the
 * keystream, so IV uniqueness is the caller's responsibility.
 */
void
chacha20_reinit(caddr_t key, u_int8_t *iv)
{
	struct chacha20_ctx *ctx = (struct chacha20_ctx *)key;
	chacha_ctx *state = (chacha_ctx *)ctx->block;

	chacha_ivsetup(state, iv, ctx->nonce);
}
49
/*
 * Transform one block in place with the keystream of the given context.
 *
 * Exactly CHACHA20_BLOCK_LEN bytes of `data' are read and overwritten,
 * so the caller must supply a buffer of at least that size.
 */
void
chacha20_crypt(caddr_t key, u_int8_t *data)
{
	struct chacha20_ctx *ctx = (struct chacha20_ctx *)key;
	chacha_ctx *state = (chacha_ctx *)ctx->block;

	/* Source and destination are the same buffer. */
	chacha_encrypt_bytes(state, data, data, CHACHA20_BLOCK_LEN);
}
58
/*
 * Reset a CHACHA20_POLY1305_CTX to all zeroes.
 *
 * This clears the stored key, nonce and MAC state, so the context has to
 * be keyed again before further use.
 */
void
Chacha20_Poly1305_Init(void *xctx)
{
	memset(xctx, 0, sizeof(CHACHA20_POLY1305_CTX));
}
66
/*
 * Key the ChaCha20 half of the AEAD context.
 *
 * `key' is read as CHACHA20_KEYSIZE key bytes followed by CHACHA20_SALT
 * salt bytes.
 *
 * NOTE(review): `klen' is never checked, and the function cannot report
 * an error.  A caller passing fewer than CHACHA20_KEYSIZE + CHACHA20_SALT
 * bytes causes a read past the end of `key'; the length must be validated
 * before this call.
 */
void
Chacha20_Poly1305_Setkey(void *xctx, const uint8_t *key, uint16_t klen)
{
	CHACHA20_POLY1305_CTX *ctx = xctx;
	const uint8_t *salt = key + CHACHA20_KEYSIZE;
	chacha_ctx *cipher = (chacha_ctx *)&ctx->chacha;

	/* salt is provided with the key material */
	memcpy(ctx->nonce + CHACHA20_CTR, salt, CHACHA20_SALT);

	/* chacha_keysetup() takes the key size in bits. */
	chacha_keysetup(cipher, key, CHACHA20_KEYSIZE * 8);
}
77
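/*
 * Begin authenticating a new message: install the IV, derive the
 * one-time Poly1305 key from the ChaCha20 keystream and start the MAC.
 *
 * The context must already have been keyed with
 * Chacha20_Poly1305_Setkey().  The IV must be unique per message under a
 * given key; a repeated IV yields the same one-time Poly1305 key.
 *
 * NOTE(review): `ivlen' is not checked; how many bytes chacha_ivsetup()
 * reads from `iv' is not visible here -- confirm callers always pass a
 * full-size IV.
 */
void
Chacha20_Poly1305_Reinit(void *xctx, const uint8_t *iv, uint16_t ivlen)
{
	CHACHA20_POLY1305_CTX *ctx = xctx;

	/*
	 * initial counter is 0
	 *
	 * The counter bytes at the start of ctx->nonce are not written by
	 * Setkey, so they are zero only when Init ran on this context.
	 */
	chacha_ivsetup((chacha_ctx *)&ctx->chacha, iv, ctx->nonce);

	/*
	 * The Poly1305 key is the raw keystream, i.e. the encryption of
	 * zeroes.  Clear ctx->key first so that a second Reinit on the same
	 * context does not XOR the new keystream into the previous
	 * message's key.
	 */
	memset(ctx->key, 0, POLY1305_KEYLEN);
	chacha_encrypt_bytes((chacha_ctx *)&ctx->chacha, ctx->key, ctx->key,
	    POLY1305_KEYLEN);
	poly1305_init((poly1305_state *)&ctx->poly, ctx->key);
}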
89
/*
 * Feed one segment into the running Poly1305 MAC and zero-pad it to a
 * 16 byte boundary.
 *
 * Padding is appended after every call, so each logical segment must be
 * passed in a single call; splitting a segment over several calls puts
 * padding in the middle of it and produces a different tag.
 *
 * Always returns 0.
 */
int
Chacha20_Poly1305_Update(void *xctx, const uint8_t *data, uint16_t len)
{
	static const char zeroes[POLY1305_BLOCK_LEN];
	CHACHA20_POLY1305_CTX *ctx = xctx;
	poly1305_state *mac = (poly1305_state *)&ctx->poly;
	size_t tail;

	poly1305_update(mac, data, len);

	/* number of bytes in the last 16 byte block */
	tail = (len + POLY1305_BLOCK_LEN) & (POLY1305_BLOCK_LEN - 1);
	if (tail == 0)
		return (0);	/* already block aligned, nothing to pad */

	poly1305_update(mac, zeroes, POLY1305_BLOCK_LEN - tail);
	return (0);
}
106
/*
 * Write the Poly1305 tag to `tag' and wipe the whole context.
 *
 * The wipe also removes the ChaCha20 key and the nonce, so the context
 * must be keyed again before it is used for another message.  Callers
 * verifying a received tag should compare it in constant time.
 */
void
Chacha20_Poly1305_Final(uint8_t tag[POLY1305_TAGLEN], void *xctx)
{
	CHACHA20_POLY1305_CTX *ctx = xctx;
	poly1305_state *mac = (poly1305_state *)&ctx->poly;

	poly1305_finish(mac, tag);

	/* explicit_bzero() so that the wipe is not optimised away. */
	explicit_bzero(ctx, sizeof(*ctx));
}
115
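/* Zero bytes used to pad MAC input up to a 16 byte boundary. */
static const uint8_t pad0[16] = { 0 };

/*
 * One-shot ChaCha20-Poly1305 AEAD encryption with a 64-bit nonce.
 *
 * Writes src_len bytes of ciphertext to `dst', followed directly by the
 * Poly1305 tag, so `dst' must have room for src_len bytes plus the tag.
 * `ad' is authenticated but not encrypted.
 *
 * The (key, nonce) pair must never be used for more than one message:
 * a repeat reuses both the keystream and the one-time Poly1305 key.
 *
 * NOTE(review): src_len is a size_t, but the width of the length
 * parameter of chacha_encrypt_bytes() is not visible here; confirm that
 * very large inputs cannot be truncated on the cipher side while the MAC
 * still covers the full length.
 */
void
chacha20poly1305_encrypt(
    uint8_t *dst,
    const uint8_t *src,
    const size_t src_len,
    const uint8_t *ad,
    const size_t ad_len,
    const uint64_t nonce,
    const uint8_t key[CHACHA20POLY1305_KEY_SIZE]
) {
	poly1305_state poly1305_ctx;
	chacha_ctx chacha_ctx;
	union {
		uint8_t b0[CHACHA20POLY1305_KEY_SIZE];
		uint64_t lens[2];
	} b = { { 0 } };
	uint64_t le_nonce = htole64(nonce);

	chacha_keysetup(&chacha_ctx, key, CHACHA20POLY1305_KEY_SIZE * 8);
	chacha_ivsetup(&chacha_ctx, (uint8_t *) &le_nonce, NULL);

	/* Encrypting the zeroed b0 yields the one-time Poly1305 key. */
	chacha_encrypt_bytes(&chacha_ctx, b.b0, b.b0, sizeof(b.b0));
	poly1305_init(&poly1305_ctx, b.b0);

	/* MAC input: AD, zero padded to a multiple of 16 bytes. */
	poly1305_update(&poly1305_ctx, ad, ad_len);
	poly1305_update(&poly1305_ctx, pad0, (0x10 - ad_len) & 0xf);

	chacha_encrypt_bytes(&chacha_ctx, (uint8_t *) src, dst, src_len);

	/* The MAC covers the ciphertext, not the plaintext. */
	poly1305_update(&poly1305_ctx, dst, src_len);
	poly1305_update(&poly1305_ctx, pad0, (0x10 - src_len) & 0xf);

	/* Both lengths are appended as little-endian 64-bit values. */
	b.lens[0] = htole64(ad_len);
	b.lens[1] = htole64(src_len);
	poly1305_update(&poly1305_ctx, (uint8_t *)b.lens, sizeof(b.lens));

	/* The tag is written directly after the ciphertext. */
	poly1305_finish(&poly1305_ctx, dst + src_len);

	/*
	 * Wipe everything that held key material.  The Poly1305 state was
	 * initialised from the one-time key; whether poly1305_finish()
	 * already clears it is not visible here, so wipe it as well.
	 */
	explicit_bzero(&poly1305_ctx, sizeof(poly1305_ctx));
	explicit_bzero(&chacha_ctx, sizeof(chacha_ctx));
	explicit_bzero(&b, sizeof(b));
}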
158
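/*
 * One-shot ChaCha20-Poly1305 AEAD decryption with a 64-bit nonce.
 *
 * `src' holds the ciphertext followed by the tag, src_len bytes in
 * total.  The tag is recomputed over `ad' and the ciphertext and compared
 * in constant time; `dst' is written only when the tag matches, and then
 * receives src_len - CHACHA20POLY1305_AUTHTAG_SIZE bytes of plaintext.
 *
 * Returns 1 when the message authenticated and was decrypted, and 0 when
 * the input is shorter than a tag or the tag does not match.  This is the
 * opposite polarity of the 0-on-success convention used by
 * chacha20_setkey() in this file, so callers must test for a non-zero
 * result before using `dst'.
 */
int
chacha20poly1305_decrypt(
    uint8_t *dst,
    const uint8_t *src,
    const size_t src_len,
    const uint8_t *ad,
    const size_t ad_len,
    const uint64_t nonce,
    const uint8_t key[CHACHA20POLY1305_KEY_SIZE]
) {
	poly1305_state poly1305_ctx;
	chacha_ctx chacha_ctx;
	int ret;
	size_t dst_len;
	union {
		uint8_t b0[CHACHA20POLY1305_KEY_SIZE];
		uint8_t mac[CHACHA20POLY1305_AUTHTAG_SIZE];
		uint64_t lens[2];
	} b = { { 0 } };
	uint64_t le_nonce = htole64(nonce);

	/* Too short to contain a tag; also keeps dst_len from wrapping. */
	if (src_len < CHACHA20POLY1305_AUTHTAG_SIZE)
		return 0;

	chacha_keysetup(&chacha_ctx, key, CHACHA20POLY1305_KEY_SIZE * 8);
	chacha_ivsetup(&chacha_ctx, (uint8_t *) &le_nonce, NULL);

	/* Encrypting the zeroed b0 yields the one-time Poly1305 key. */
	chacha_encrypt_bytes(&chacha_ctx, b.b0, b.b0, sizeof(b.b0));
	poly1305_init(&poly1305_ctx, b.b0);

	/* MAC input: AD, zero padded to a multiple of 16 bytes. */
	poly1305_update(&poly1305_ctx, ad, ad_len);
	poly1305_update(&poly1305_ctx, pad0, (0x10 - ad_len) & 0xf);

	/* The MAC is computed over the received ciphertext. */
	dst_len = src_len - CHACHA20POLY1305_AUTHTAG_SIZE;
	poly1305_update(&poly1305_ctx, src, dst_len);
	poly1305_update(&poly1305_ctx, pad0, (0x10 - dst_len) & 0xf);

	/* Both lengths are appended as little-endian 64-bit values. */
	b.lens[0] = htole64(ad_len);
	b.lens[1] = htole64(dst_len);
	poly1305_update(&poly1305_ctx, (uint8_t *)b.lens, sizeof(b.lens));

	/* b.mac shares storage with b.lens, which is no longer needed. */
	poly1305_finish(&poly1305_ctx, b.mac);

	/* Constant-time compare; decrypt only after the tag has matched. */
	ret = timingsafe_bcmp(b.mac, src + dst_len, CHACHA20POLY1305_AUTHTAG_SIZE);
	if (!ret)
		chacha_encrypt_bytes(&chacha_ctx, (uint8_t *) src, dst, dst_len);

	/*
	 * Wipe everything that held key material.  The Poly1305 state was
	 * initialised from the one-time key; whether poly1305_finish()
	 * already clears it is not visible here, so wipe it as well.
	 */
	explicit_bzero(&poly1305_ctx, sizeof(poly1305_ctx));
	explicit_bzero(&chacha_ctx, sizeof(chacha_ctx));
	explicit_bzero(&b, sizeof(b));

	return !ret;
}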
210
/*
 * XChaCha20-Poly1305 AEAD encryption with an extended nonce.
 *
 * A subkey is derived with hchacha20() from `key' and `nonce'; the eight
 * nonce bytes starting at offset 16 become the 64-bit nonce handed to
 * chacha20poly1305_encrypt().  `nonce' must therefore be at least 24
 * bytes long.  `dst' receives the ciphertext followed by the tag, as
 * written by chacha20poly1305_encrypt().
 */
void
xchacha20poly1305_encrypt(
    uint8_t *dst,
    const uint8_t *src,
    const size_t src_len,
    const uint8_t *ad,
    const size_t ad_len,
    const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE],
    const uint8_t key[CHACHA20POLY1305_KEY_SIZE]
) {
	uint32_t derived_key[CHACHA20POLY1305_KEY_SIZE / sizeof(uint32_t)];
	const size_t nwords = sizeof(derived_key) / sizeof(derived_key[0]);
	uint64_t h_nonce;
	size_t w;

	/* Tail of the nonce, read as a little-endian 64-bit value. */
	memcpy(&h_nonce, nonce + 16, sizeof(h_nonce));
	h_nonce = le64toh(h_nonce);

	/* presumably hchacha20() consumes the first 16 nonce bytes; confirm */
	hchacha20(derived_key, nonce, key);

	/* Store the subkey words in little-endian byte order. */
	for (w = 0; w < nwords; w++)
		derived_key[w] = htole32(derived_key[w]);

	chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len,
	    h_nonce, (uint8_t *)derived_key);

	/* The subkey is secret key material; wipe it before returning. */
	explicit_bzero(derived_key, CHACHA20POLY1305_KEY_SIZE);
}
236
/*
 * XChaCha20-Poly1305 AEAD decryption with an extended nonce.
 *
 * A subkey is derived with hchacha20() from `key' and `nonce'; the eight
 * nonce bytes starting at offset 16 become the 64-bit nonce handed to
 * chacha20poly1305_decrypt().  `nonce' must therefore be at least 24
 * bytes long.
 *
 * Returns the result of chacha20poly1305_decrypt() unchanged: non-zero
 * when the message authenticated, 0 otherwise.  `dst' must not be used
 * unless the result is non-zero.
 */
int
xchacha20poly1305_decrypt(
    uint8_t *dst,
    const uint8_t *src,
    const size_t src_len,
    const uint8_t *ad,
    const size_t ad_len,
    const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE],
    const uint8_t key[CHACHA20POLY1305_KEY_SIZE]
) {
	uint32_t derived_key[CHACHA20POLY1305_KEY_SIZE / sizeof(uint32_t)];
	const size_t nwords = sizeof(derived_key) / sizeof(derived_key[0]);
	uint64_t h_nonce;
	size_t w;
	int ok;

	/* Tail of the nonce, read as a little-endian 64-bit value. */
	memcpy(&h_nonce, nonce + 16, sizeof(h_nonce));
	h_nonce = le64toh(h_nonce);

	/* presumably hchacha20() consumes the first 16 nonce bytes; confirm */
	hchacha20(derived_key, nonce, key);

	/* Store the subkey words in little-endian byte order. */
	for (w = 0; w < nwords; w++)
		derived_key[w] = htole32(derived_key[w]);

	ok = chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len,
	    h_nonce, (uint8_t *)derived_key);

	/* The subkey is secret key material; wipe it on every path. */
	explicit_bzero(derived_key, CHACHA20POLY1305_KEY_SIZE);

	return ok;
}
263