1 /* $OpenBSD: chachapoly.c,v 1.6 2020/07/22 13:54:30 tobhe Exp $ */
2 /*
3 * Copyright (c) 2015 Mike Belopuhov
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <sys/param.h>
19 #include <sys/systm.h>
20 #include <lib/libkern/libkern.h>
21
22 #include <crypto/chacha_private.h>
23 #include <crypto/poly1305.h>
24 #include <crypto/chachapoly.h>
25
26 int
chacha20_setkey(void * sched,u_int8_t * key,int len)27 chacha20_setkey(void *sched, u_int8_t *key, int len)
28 {
29 struct chacha20_ctx *ctx = (struct chacha20_ctx *)sched;
30
31 if (len != CHACHA20_KEYSIZE + CHACHA20_SALT)
32 return (-1);
33
34 /* initial counter is 1 */
35 ctx->nonce[0] = 1;
36 memcpy(ctx->nonce + CHACHA20_CTR, key + CHACHA20_KEYSIZE,
37 CHACHA20_SALT);
38 chacha_keysetup((chacha_ctx *)&ctx->block, key, CHACHA20_KEYSIZE * 8);
39 return (0);
40 }
41
42 void
chacha20_reinit(caddr_t key,u_int8_t * iv)43 chacha20_reinit(caddr_t key, u_int8_t *iv)
44 {
45 struct chacha20_ctx *ctx = (struct chacha20_ctx *)key;
46
47 chacha_ivsetup((chacha_ctx *)ctx->block, iv, ctx->nonce);
48 }
49
50 void
chacha20_crypt(caddr_t key,u_int8_t * data)51 chacha20_crypt(caddr_t key, u_int8_t *data)
52 {
53 struct chacha20_ctx *ctx = (struct chacha20_ctx *)key;
54
55 chacha_encrypt_bytes((chacha_ctx *)ctx->block, data, data,
56 CHACHA20_BLOCK_LEN);
57 }
58
59 void
Chacha20_Poly1305_Init(void * xctx)60 Chacha20_Poly1305_Init(void *xctx)
61 {
62 CHACHA20_POLY1305_CTX *ctx = xctx;
63
64 memset(ctx, 0, sizeof(*ctx));
65 }
66
67 void
Chacha20_Poly1305_Setkey(void * xctx,const uint8_t * key,uint16_t klen)68 Chacha20_Poly1305_Setkey(void *xctx, const uint8_t *key, uint16_t klen)
69 {
70 CHACHA20_POLY1305_CTX *ctx = xctx;
71
72 /* salt is provided with the key material */
73 memcpy(ctx->nonce + CHACHA20_CTR, key + CHACHA20_KEYSIZE,
74 CHACHA20_SALT);
75 chacha_keysetup((chacha_ctx *)&ctx->chacha, key, CHACHA20_KEYSIZE * 8);
76 }
77
78 void
Chacha20_Poly1305_Reinit(void * xctx,const uint8_t * iv,uint16_t ivlen)79 Chacha20_Poly1305_Reinit(void *xctx, const uint8_t *iv, uint16_t ivlen)
80 {
81 CHACHA20_POLY1305_CTX *ctx = xctx;
82
83 /* initial counter is 0 */
84 chacha_ivsetup((chacha_ctx *)&ctx->chacha, iv, ctx->nonce);
85 chacha_encrypt_bytes((chacha_ctx *)&ctx->chacha, ctx->key, ctx->key,
86 POLY1305_KEYLEN);
87 poly1305_init((poly1305_state *)&ctx->poly, ctx->key);
88 }
89
90 int
Chacha20_Poly1305_Update(void * xctx,const uint8_t * data,uint16_t len)91 Chacha20_Poly1305_Update(void *xctx, const uint8_t *data, uint16_t len)
92 {
93 static const char zeroes[POLY1305_BLOCK_LEN];
94 CHACHA20_POLY1305_CTX *ctx = xctx;
95 size_t rem;
96
97 poly1305_update((poly1305_state *)&ctx->poly, data, len);
98
99 /* number of bytes in the last 16 byte block */
100 rem = (len + POLY1305_BLOCK_LEN) & (POLY1305_BLOCK_LEN - 1);
101 if (rem > 0)
102 poly1305_update((poly1305_state *)&ctx->poly, zeroes,
103 POLY1305_BLOCK_LEN - rem);
104 return (0);
105 }
106
107 void
Chacha20_Poly1305_Final(uint8_t tag[POLY1305_TAGLEN],void * xctx)108 Chacha20_Poly1305_Final(uint8_t tag[POLY1305_TAGLEN], void *xctx)
109 {
110 CHACHA20_POLY1305_CTX *ctx = xctx;
111
112 poly1305_finish((poly1305_state *)&ctx->poly, tag);
113 explicit_bzero(ctx, sizeof(*ctx));
114 }
115
116 static const uint8_t pad0[16] = { 0 };
117
118 void
chacha20poly1305_encrypt(uint8_t * dst,const uint8_t * src,const size_t src_len,const uint8_t * ad,const size_t ad_len,const uint64_t nonce,const uint8_t key[CHACHA20POLY1305_KEY_SIZE])119 chacha20poly1305_encrypt(
120 uint8_t *dst,
121 const uint8_t *src,
122 const size_t src_len,
123 const uint8_t *ad,
124 const size_t ad_len,
125 const uint64_t nonce,
126 const uint8_t key[CHACHA20POLY1305_KEY_SIZE]
127 ) {
128 poly1305_state poly1305_ctx;
129 chacha_ctx chacha_ctx;
130 union {
131 uint8_t b0[CHACHA20POLY1305_KEY_SIZE];
132 uint64_t lens[2];
133 } b = { { 0 } };
134 uint64_t le_nonce = htole64(nonce);
135
136 chacha_keysetup(&chacha_ctx, key, CHACHA20POLY1305_KEY_SIZE * 8);
137 chacha_ivsetup(&chacha_ctx, (uint8_t *) &le_nonce, NULL);
138 chacha_encrypt_bytes(&chacha_ctx, b.b0, b.b0, sizeof(b.b0));
139 poly1305_init(&poly1305_ctx, b.b0);
140
141 poly1305_update(&poly1305_ctx, ad, ad_len);
142 poly1305_update(&poly1305_ctx, pad0, (0x10 - ad_len) & 0xf);
143
144 chacha_encrypt_bytes(&chacha_ctx, (uint8_t *) src, dst, src_len);
145
146 poly1305_update(&poly1305_ctx, dst, src_len);
147 poly1305_update(&poly1305_ctx, pad0, (0x10 - src_len) & 0xf);
148
149 b.lens[0] = htole64(ad_len);
150 b.lens[1] = htole64(src_len);
151 poly1305_update(&poly1305_ctx, (uint8_t *)b.lens, sizeof(b.lens));
152
153 poly1305_finish(&poly1305_ctx, dst + src_len);
154
155 explicit_bzero(&chacha_ctx, sizeof(chacha_ctx));
156 explicit_bzero(&b, sizeof(b));
157 }
158
159 int
chacha20poly1305_decrypt(uint8_t * dst,const uint8_t * src,const size_t src_len,const uint8_t * ad,const size_t ad_len,const uint64_t nonce,const uint8_t key[CHACHA20POLY1305_KEY_SIZE])160 chacha20poly1305_decrypt(
161 uint8_t *dst,
162 const uint8_t *src,
163 const size_t src_len,
164 const uint8_t *ad,
165 const size_t ad_len,
166 const uint64_t nonce,
167 const uint8_t key[CHACHA20POLY1305_KEY_SIZE]
168 ) {
169 poly1305_state poly1305_ctx;
170 chacha_ctx chacha_ctx;
171 int ret;
172 size_t dst_len;
173 union {
174 uint8_t b0[CHACHA20POLY1305_KEY_SIZE];
175 uint8_t mac[CHACHA20POLY1305_AUTHTAG_SIZE];
176 uint64_t lens[2];
177 } b = { { 0 } };
178 uint64_t le_nonce = htole64(nonce);
179
180 if (src_len < CHACHA20POLY1305_AUTHTAG_SIZE)
181 return 0;
182
183 chacha_keysetup(&chacha_ctx, key, CHACHA20POLY1305_KEY_SIZE * 8);
184 chacha_ivsetup(&chacha_ctx, (uint8_t *) &le_nonce, NULL);
185 chacha_encrypt_bytes(&chacha_ctx, b.b0, b.b0, sizeof(b.b0));
186 poly1305_init(&poly1305_ctx, b.b0);
187
188 poly1305_update(&poly1305_ctx, ad, ad_len);
189 poly1305_update(&poly1305_ctx, pad0, (0x10 - ad_len) & 0xf);
190
191 dst_len = src_len - CHACHA20POLY1305_AUTHTAG_SIZE;
192 poly1305_update(&poly1305_ctx, src, dst_len);
193 poly1305_update(&poly1305_ctx, pad0, (0x10 - dst_len) & 0xf);
194
195 b.lens[0] = htole64(ad_len);
196 b.lens[1] = htole64(dst_len);
197 poly1305_update(&poly1305_ctx, (uint8_t *)b.lens, sizeof(b.lens));
198
199 poly1305_finish(&poly1305_ctx, b.mac);
200
201 ret = timingsafe_bcmp(b.mac, src + dst_len, CHACHA20POLY1305_AUTHTAG_SIZE);
202 if (!ret)
203 chacha_encrypt_bytes(&chacha_ctx, (uint8_t *) src, dst, dst_len);
204
205 explicit_bzero(&chacha_ctx, sizeof(chacha_ctx));
206 explicit_bzero(&b, sizeof(b));
207
208 return !ret;
209 }
210
211 void
xchacha20poly1305_encrypt(uint8_t * dst,const uint8_t * src,const size_t src_len,const uint8_t * ad,const size_t ad_len,const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE],const uint8_t key[CHACHA20POLY1305_KEY_SIZE])212 xchacha20poly1305_encrypt(
213 uint8_t *dst,
214 const uint8_t *src,
215 const size_t src_len,
216 const uint8_t *ad,
217 const size_t ad_len,
218 const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE],
219 const uint8_t key[CHACHA20POLY1305_KEY_SIZE]
220 ) {
221 int i;
222 uint32_t derived_key[CHACHA20POLY1305_KEY_SIZE / sizeof(uint32_t)];
223 uint64_t h_nonce;
224
225 memcpy(&h_nonce, nonce + 16, sizeof(h_nonce));
226 h_nonce = le64toh(h_nonce);
227 hchacha20(derived_key, nonce, key);
228
229 for(i = 0; i < (sizeof(derived_key)/sizeof(derived_key[0])); i++)
230 (derived_key[i]) = htole32((derived_key[i]));
231
232 chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len,
233 h_nonce, (uint8_t *)derived_key);
234 explicit_bzero(derived_key, CHACHA20POLY1305_KEY_SIZE);
235 }
236
237 int
xchacha20poly1305_decrypt(uint8_t * dst,const uint8_t * src,const size_t src_len,const uint8_t * ad,const size_t ad_len,const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE],const uint8_t key[CHACHA20POLY1305_KEY_SIZE])238 xchacha20poly1305_decrypt(
239 uint8_t *dst,
240 const uint8_t *src,
241 const size_t src_len,
242 const uint8_t *ad,
243 const size_t ad_len,
244 const uint8_t nonce[XCHACHA20POLY1305_NONCE_SIZE],
245 const uint8_t key[CHACHA20POLY1305_KEY_SIZE]
246 ) {
247 int ret, i;
248 uint32_t derived_key[CHACHA20POLY1305_KEY_SIZE / sizeof(uint32_t)];
249 uint64_t h_nonce;
250
251 memcpy(&h_nonce, nonce + 16, sizeof(h_nonce));
252 h_nonce = le64toh(h_nonce);
253 hchacha20(derived_key, nonce, key);
254 for(i = 0; i < (sizeof(derived_key)/sizeof(derived_key[0])); i++)
255 (derived_key[i]) = htole32((derived_key[i]));
256
257 ret = chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len,
258 h_nonce, (uint8_t *)derived_key);
259 explicit_bzero(derived_key, CHACHA20POLY1305_KEY_SIZE);
260
261 return ret;
262 }
263