Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / 9e3a49ef53cb0abbb05e19ef4509ff1b692f0832 / . / src / crypto / cipher_extra / e_chacha20poly1305.c
blob: 165018895869e267b0763c1e94ca1881516f8e8f [file] [log] [blame]
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/aead.h>
16
17#include <string.h>
18
19#include <openssl/chacha.h>
20#include <openssl/cipher.h>
21#include <openssl/err.h>
22#include <openssl/mem.h>
23#include <openssl/poly1305.h>
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]24#include <openssl/type_check.h>
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]25
Pete Bentley17486112021-01-20 11:51:47 +0000[diff] [blame]26#include "internal.h"
27#include "../chacha/internal.h"
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]28#include "../fipsmodule/cipher/internal.h"
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]29#include "../internal.h"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]30
31struct aead_chacha20_poly1305_ctx {
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]32 uint8_t key[32];
33};
34
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]35OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
36 sizeof(struct aead_chacha20_poly1305_ctx),
37 "AEAD state is too small");
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]38#if defined(__GNUC__) || defined(__clang__)
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame]39OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
40 alignof(struct aead_chacha20_poly1305_ctx),
41 "AEAD state has insufficient alignment");
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]42#endif
43
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]44static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
45 size_t key_len, size_t tag_len) {
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]46 struct aead_chacha20_poly1305_ctx *c20_ctx =
47 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]48
49 if (tag_len == 0) {
50 tag_len = POLY1305_TAG_LEN;
51 }
52
53 if (tag_len > POLY1305_TAG_LEN) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]54 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]55 return 0;
56 }
57
58 if (key_len != sizeof(c20_ctx->key)) {
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]59 return 0; // internal error - EVP_AEAD_CTX_init should catch this.
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]60 }
61
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]62 OPENSSL_memcpy(c20_ctx->key, key, key_len);
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]63 ctx->tag_len = tag_len;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]64
65 return 1;
66}
67
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]68static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {}
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]69
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]70static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]71 uint8_t length_bytes[8];
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]72
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]73 for (unsigned i = 0; i < sizeof(length_bytes); i++) {
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]74 length_bytes[i] = data_len;
75 data_len >>= 8;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]76 }
77
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]78 CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
79}
80
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]81// calc_tag fills |tag| with the authentication tag for the given inputs.
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]82static void calc_tag(uint8_t tag[POLY1305_TAG_LEN], const uint8_t *key,
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]83 const uint8_t nonce[12], const uint8_t *ad, size_t ad_len,
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]84 const uint8_t *ciphertext, size_t ciphertext_len,
85 const uint8_t *ciphertext_extra,
86 size_t ciphertext_extra_len) {
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]87 alignas(16) uint8_t poly1305_key[32];
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]88 OPENSSL_memset(poly1305_key, 0, sizeof(poly1305_key));
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]89 CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), key, nonce,
90 0);
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]91
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]92 static const uint8_t padding[16] = { 0 }; // Padding is all zeros.
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]93 poly1305_state ctx;
94 CRYPTO_poly1305_init(&ctx, poly1305_key);
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]95 CRYPTO_poly1305_update(&ctx, ad, ad_len);
96 if (ad_len % 16 != 0) {
97 CRYPTO_poly1305_update(&ctx, padding, sizeof(padding) - (ad_len % 16));
98 }
99 CRYPTO_poly1305_update(&ctx, ciphertext, ciphertext_len);
100 CRYPTO_poly1305_update(&ctx, ciphertext_extra, ciphertext_extra_len);
101 const size_t ciphertext_total = ciphertext_len + ciphertext_extra_len;
102 if (ciphertext_total % 16 != 0) {
103 CRYPTO_poly1305_update(&ctx, padding,
104 sizeof(padding) - (ciphertext_total % 16));
105 }
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]106 poly1305_update_length(&ctx, ad_len);
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]107 poly1305_update_length(&ctx, ciphertext_total);
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]108 CRYPTO_poly1305_finish(&ctx, tag);
109}
110
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]111static int chacha20_poly1305_seal_scatter(
112 const uint8_t *key, uint8_t *out, uint8_t *out_tag,
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]113 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
Robert Sloan927a4952017-07-03 11:25:09 -0700[diff] [blame]114 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]115 size_t extra_in_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {
116 if (extra_in_len + tag_len < tag_len) {
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]117 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
118 return 0;
119 }
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]120 if (max_out_tag_len < tag_len + extra_in_len) {
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]121 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
122 return 0;
123 }
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]124 if (nonce_len != 12) {
125 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
126 return 0;
127 }
128
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]129 // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
130 // individual operations that work on more than 256GB at a time.
131 // |in_len_64| is needed because, on 32-bit platforms, size_t is only
132 // 32-bits and this produces a warning because it's always false.
133 // Casting to uint64_t inside the conditional is not sufficient to stop
134 // the warning.
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]135 const uint64_t in_len_64 = in_len;
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]136 if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]137 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]138 return 0;
139 }
140
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]141 if (max_out_tag_len < tag_len) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]142 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]143 return 0;
144 }
145
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]146 // The the extra input is given, it is expected to be very short and so is
147 // encrypted byte-by-byte first.
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]148 if (extra_in_len) {
149 static const size_t kChaChaBlockSize = 64;
150 uint32_t block_counter = 1 + (in_len / kChaChaBlockSize);
151 size_t offset = in_len % kChaChaBlockSize;
152 uint8_t block[64 /* kChaChaBlockSize */];
153
154 for (size_t done = 0; done < extra_in_len; block_counter++) {
155 memset(block, 0, sizeof(block));
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]156 CRYPTO_chacha_20(block, block, sizeof(block), key, nonce,
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]157 block_counter);
158 for (size_t i = offset; i < sizeof(block) && done < extra_in_len;
159 i++, done++) {
160 out_tag[done] = extra_in[done] ^ block[i];
161 }
162 offset = 0;
163 }
164 }
165
Pete Bentley17486112021-01-20 11:51:47 +0000[diff] [blame]166 union chacha20_poly1305_seal_data data;
167 if (chacha20_poly1305_asm_capable()) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]168 OPENSSL_memcpy(data.in.key, key, 32);
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]169 data.in.counter = 0;
170 OPENSSL_memcpy(data.in.nonce, nonce, 12);
171 data.in.extra_ciphertext = out_tag;
172 data.in.extra_ciphertext_len = extra_in_len;
173 chacha20_poly1305_seal(out, in, in_len, ad, ad_len, &data);
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]174 } else {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]175 CRYPTO_chacha_20(out, in, in_len, key, nonce, 1);
176 calc_tag(data.out.tag, key, nonce, ad, ad_len, out, in_len, out_tag,
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]177 extra_in_len);
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]178 }
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]179
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]180 OPENSSL_memcpy(out_tag + extra_in_len, data.out.tag, tag_len);
181 *out_tag_len = extra_in_len + tag_len;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]182 return 1;
183}
184
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]185static int aead_chacha20_poly1305_seal_scatter(
186 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
187 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
188 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
189 size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]190 const struct aead_chacha20_poly1305_ctx *c20_ctx =
191 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]192
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]193 return chacha20_poly1305_seal_scatter(
194 c20_ctx->key, out, out_tag, out_tag_len, max_out_tag_len, nonce,
195 nonce_len, in, in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len);
196}
197
198static int aead_xchacha20_poly1305_seal_scatter(
199 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
200 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
201 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
202 size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]203 const struct aead_chacha20_poly1305_ctx *c20_ctx =
204 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]205
206 if (nonce_len != 24) {
207 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
208 return 0;
209 }
210
211 alignas(4) uint8_t derived_key[32];
212 alignas(4) uint8_t derived_nonce[12];
213 CRYPTO_hchacha20(derived_key, c20_ctx->key, nonce);
214 OPENSSL_memset(derived_nonce, 0, 4);
215 OPENSSL_memcpy(&derived_nonce[4], &nonce[16], 8);
216
217 return chacha20_poly1305_seal_scatter(
218 derived_key, out, out_tag, out_tag_len, max_out_tag_len,
219 derived_nonce, sizeof(derived_nonce), in, in_len, extra_in, extra_in_len,
220 ad, ad_len, ctx->tag_len);
221}
222
223static int chacha20_poly1305_open_gather(
224 const uint8_t *key, uint8_t *out, const uint8_t *nonce,
225 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
226 size_t in_tag_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]227 if (nonce_len != 12) {
228 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
229 return 0;
230 }
231
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]232 if (in_tag_len != tag_len) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]233 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]234 return 0;
235 }
236
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]237 // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
238 // individual operations that work on more than 256GB at a time.
239 // |in_len_64| is needed because, on 32-bit platforms, size_t is only
240 // 32-bits and this produces a warning because it's always false.
241 // Casting to uint64_t inside the conditional is not sufficient to stop
242 // the warning.
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]243 const uint64_t in_len_64 = in_len;
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]244 if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]245 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]246 return 0;
247 }
248
Pete Bentley17486112021-01-20 11:51:47 +0000[diff] [blame]249 union chacha20_poly1305_open_data data;
250 if (chacha20_poly1305_asm_capable()) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]251 OPENSSL_memcpy(data.in.key, key, 32);
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]252 data.in.counter = 0;
253 OPENSSL_memcpy(data.in.nonce, nonce, 12);
254 chacha20_poly1305_open(out, in, in_len, ad, ad_len, &data);
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]255 } else {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]256 calc_tag(data.out.tag, key, nonce, ad, ad_len, in, in_len, NULL, 0);
257 CRYPTO_chacha_20(out, in, in_len, key, nonce, 1);
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]258 }
259
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]260 if (CRYPTO_memcmp(data.out.tag, in_tag, tag_len) != 0) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]261 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]262 return 0;
263 }
264
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]265 return 1;
266}
267
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]268static int aead_chacha20_poly1305_open_gather(
269 const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
270 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
271 size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]272 const struct aead_chacha20_poly1305_ctx *c20_ctx =
273 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]274
275 return chacha20_poly1305_open_gather(c20_ctx->key, out, nonce, nonce_len, in,
276 in_len, in_tag, in_tag_len, ad, ad_len,
277 ctx->tag_len);
278}
279
280static int aead_xchacha20_poly1305_open_gather(
281 const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
282 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
283 size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]284 const struct aead_chacha20_poly1305_ctx *c20_ctx =
285 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]286
287 if (nonce_len != 24) {
288 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
289 return 0;
290 }
291
292 alignas(4) uint8_t derived_key[32];
293 alignas(4) uint8_t derived_nonce[12];
294 CRYPTO_hchacha20(derived_key, c20_ctx->key, nonce);
295 OPENSSL_memset(derived_nonce, 0, 4);
296 OPENSSL_memcpy(&derived_nonce[4], &nonce[16], 8);
297
298 return chacha20_poly1305_open_gather(
299 derived_key, out, derived_nonce, sizeof(derived_nonce), in, in_len,
300 in_tag, in_tag_len, ad, ad_len, ctx->tag_len);
301}
302
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]303static const EVP_AEAD aead_chacha20_poly1305 = {
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]304 32, // key len
305 12, // nonce len
306 POLY1305_TAG_LEN, // overhead
307 POLY1305_TAG_LEN, // max tag length
308 1, // seal_scatter_supports_extra_in
Robert Sloan927a4952017-07-03 11:25:09 -0700[diff] [blame]309
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]310 aead_chacha20_poly1305_init,
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]311 NULL, // init_with_direction
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]312 aead_chacha20_poly1305_cleanup,
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]313 NULL /* open */,
314 aead_chacha20_poly1305_seal_scatter,
315 aead_chacha20_poly1305_open_gather,
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]316 NULL, // get_iv
317 NULL, // tag_len
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]318};
319
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]320static const EVP_AEAD aead_xchacha20_poly1305 = {
321 32, // key len
322 24, // nonce len
323 POLY1305_TAG_LEN, // overhead
324 POLY1305_TAG_LEN, // max tag length
325 1, // seal_scatter_supports_extra_in
326
327 aead_chacha20_poly1305_init,
328 NULL, // init_with_direction
329 aead_chacha20_poly1305_cleanup,
330 NULL /* open */,
331 aead_xchacha20_poly1305_seal_scatter,
332 aead_xchacha20_poly1305_open_gather,
333 NULL, // get_iv
334 NULL, // tag_len
335};
336
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]337const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
Kenny Root03bcf612015-11-05 20:20:27 +0000[diff] [blame]338 return &aead_chacha20_poly1305;
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame]339}
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]340
341const EVP_AEAD *EVP_aead_xchacha20_poly1305(void) {
342 return &aead_xchacha20_poly1305;
343}