Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / c9abfe422b3e387555f922dfcc280299b6e92975 / . / src / crypto / cipher_extra / e_chacha20poly1305.c
blob: 1c175e9aa096d8eb40af4f1b94a5cb34df68ded0 [file] [log] [blame]
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/aead.h>
16
17#include <string.h>
18
19#include <openssl/chacha.h>
20#include <openssl/cipher.h>
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]21#include <openssl/cpu.h>
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]22#include <openssl/err.h>
23#include <openssl/mem.h>
24#include <openssl/poly1305.h>
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]25#include <openssl/type_check.h>
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]26
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]27#include "../fipsmodule/cipher/internal.h"
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]28#include "../internal.h"
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]29#include "../chacha/internal.h"
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]30
31
32#define POLY1305_TAG_LEN 16
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]33
34struct aead_chacha20_poly1305_ctx {
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]35 uint8_t key[32];
36};
37
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame^]38OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
39 sizeof(struct aead_chacha20_poly1305_ctx),
40 "AEAD state is too small");
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]41#if defined(__GNUC__) || defined(__clang__)
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame^]42OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
43 alignof(struct aead_chacha20_poly1305_ctx),
44 "AEAD state has insufficient alignment");
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]45#endif
46
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]47// For convenience (the x86_64 calling convention allows only six parameters in
48// registers), the final parameter for the assembly functions is both an input
49// and output parameter.
50union open_data {
51 struct {
52 alignas(16) uint8_t key[32];
53 uint32_t counter;
54 uint8_t nonce[12];
55 } in;
56 struct {
57 uint8_t tag[POLY1305_TAG_LEN];
58 } out;
59};
60
61union seal_data {
62 struct {
63 alignas(16) uint8_t key[32];
64 uint32_t counter;
65 uint8_t nonce[12];
66 const uint8_t *extra_ciphertext;
67 size_t extra_ciphertext_len;
68 } in;
69 struct {
70 uint8_t tag[POLY1305_TAG_LEN];
71 } out;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]72};
73
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]74#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \
75 !defined(OPENSSL_WINDOWS)
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]76static int asm_capable(void) {
77 const int sse41_capable = (OPENSSL_ia32cap_P[1] & (1 << 19)) != 0;
78 return sse41_capable;
79}
80
Robert Sloanc9abfe42018-11-26 12:19:07 -0800[diff] [blame^]81OPENSSL_STATIC_ASSERT(sizeof(union open_data) == 48, "wrong open_data size");
82OPENSSL_STATIC_ASSERT(sizeof(union seal_data) == 48 + 8 + 8,
83 "wrong seal_data size");
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]84
85// chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It decrypts
86// |plaintext_len| bytes from |ciphertext| and writes them to |out_plaintext|.
87// Additional input parameters are passed in |aead_data->in|. On exit, it will
88// write calculated tag value to |aead_data->out.tag|, which the caller must
89// check.
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]90extern void chacha20_poly1305_open(uint8_t *out_plaintext,
91 const uint8_t *ciphertext,
92 size_t plaintext_len, const uint8_t *ad,
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]93 size_t ad_len, union open_data *aead_data);
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]94
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]95// chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It encrypts
96// |plaintext_len| bytes from |plaintext| and writes them to |out_ciphertext|.
97// Additional input parameters are passed in |aead_data->in|. The calculated tag
98// value is over the computed ciphertext concatenated with |extra_ciphertext|
99// and written to |aead_data->out.tag|.
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]100extern void chacha20_poly1305_seal(uint8_t *out_ciphertext,
101 const uint8_t *plaintext,
102 size_t plaintext_len, const uint8_t *ad,
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]103 size_t ad_len, union seal_data *aead_data);
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]104#else
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]105static int asm_capable(void) { return 0; }
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]106
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]107
108static void chacha20_poly1305_open(uint8_t *out_plaintext,
109 const uint8_t *ciphertext,
110 size_t plaintext_len, const uint8_t *ad,
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]111 size_t ad_len, union open_data *aead_data) {}
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]112
113static void chacha20_poly1305_seal(uint8_t *out_ciphertext,
114 const uint8_t *plaintext,
115 size_t plaintext_len, const uint8_t *ad,
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]116 size_t ad_len, union seal_data *aead_data) {}
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]117#endif
118
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]119static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
120 size_t key_len, size_t tag_len) {
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]121 struct aead_chacha20_poly1305_ctx *c20_ctx =
122 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]123
124 if (tag_len == 0) {
125 tag_len = POLY1305_TAG_LEN;
126 }
127
128 if (tag_len > POLY1305_TAG_LEN) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]129 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]130 return 0;
131 }
132
133 if (key_len != sizeof(c20_ctx->key)) {
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]134 return 0; // internal error - EVP_AEAD_CTX_init should catch this.
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]135 }
136
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]137 OPENSSL_memcpy(c20_ctx->key, key, key_len);
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]138 ctx->tag_len = tag_len;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]139
140 return 1;
141}
142
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]143static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {}
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]144
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]145static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]146 uint8_t length_bytes[8];
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]147
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]148 for (unsigned i = 0; i < sizeof(length_bytes); i++) {
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]149 length_bytes[i] = data_len;
150 data_len >>= 8;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]151 }
152
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]153 CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
154}
155
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]156// calc_tag fills |tag| with the authentication tag for the given inputs.
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]157static void calc_tag(uint8_t tag[POLY1305_TAG_LEN], const uint8_t *key,
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]158 const uint8_t nonce[12], const uint8_t *ad, size_t ad_len,
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]159 const uint8_t *ciphertext, size_t ciphertext_len,
160 const uint8_t *ciphertext_extra,
161 size_t ciphertext_extra_len) {
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]162 alignas(16) uint8_t poly1305_key[32];
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]163 OPENSSL_memset(poly1305_key, 0, sizeof(poly1305_key));
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]164 CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), key, nonce,
165 0);
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]166
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]167 static const uint8_t padding[16] = { 0 }; // Padding is all zeros.
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]168 poly1305_state ctx;
169 CRYPTO_poly1305_init(&ctx, poly1305_key);
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]170 CRYPTO_poly1305_update(&ctx, ad, ad_len);
171 if (ad_len % 16 != 0) {
172 CRYPTO_poly1305_update(&ctx, padding, sizeof(padding) - (ad_len % 16));
173 }
174 CRYPTO_poly1305_update(&ctx, ciphertext, ciphertext_len);
175 CRYPTO_poly1305_update(&ctx, ciphertext_extra, ciphertext_extra_len);
176 const size_t ciphertext_total = ciphertext_len + ciphertext_extra_len;
177 if (ciphertext_total % 16 != 0) {
178 CRYPTO_poly1305_update(&ctx, padding,
179 sizeof(padding) - (ciphertext_total % 16));
180 }
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]181 poly1305_update_length(&ctx, ad_len);
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]182 poly1305_update_length(&ctx, ciphertext_total);
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]183 CRYPTO_poly1305_finish(&ctx, tag);
184}
185
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]186static int chacha20_poly1305_seal_scatter(
187 const uint8_t *key, uint8_t *out, uint8_t *out_tag,
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]188 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
Robert Sloan927a4952017-07-03 11:25:09 -0700[diff] [blame]189 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]190 size_t extra_in_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {
191 if (extra_in_len + tag_len < tag_len) {
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]192 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
193 return 0;
194 }
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]195 if (max_out_tag_len < tag_len + extra_in_len) {
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]196 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
197 return 0;
198 }
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]199 if (nonce_len != 12) {
200 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
201 return 0;
202 }
203
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]204 // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
205 // individual operations that work on more than 256GB at a time.
206 // |in_len_64| is needed because, on 32-bit platforms, size_t is only
207 // 32-bits and this produces a warning because it's always false.
208 // Casting to uint64_t inside the conditional is not sufficient to stop
209 // the warning.
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]210 const uint64_t in_len_64 = in_len;
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]211 if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]212 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]213 return 0;
214 }
215
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]216 if (max_out_tag_len < tag_len) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]217 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]218 return 0;
219 }
220
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]221 // The the extra input is given, it is expected to be very short and so is
222 // encrypted byte-by-byte first.
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]223 if (extra_in_len) {
224 static const size_t kChaChaBlockSize = 64;
225 uint32_t block_counter = 1 + (in_len / kChaChaBlockSize);
226 size_t offset = in_len % kChaChaBlockSize;
227 uint8_t block[64 /* kChaChaBlockSize */];
228
229 for (size_t done = 0; done < extra_in_len; block_counter++) {
230 memset(block, 0, sizeof(block));
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]231 CRYPTO_chacha_20(block, block, sizeof(block), key, nonce,
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]232 block_counter);
233 for (size_t i = offset; i < sizeof(block) && done < extra_in_len;
234 i++, done++) {
235 out_tag[done] = extra_in[done] ^ block[i];
236 }
237 offset = 0;
238 }
239 }
240
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]241 union seal_data data;
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]242 if (asm_capable()) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]243 OPENSSL_memcpy(data.in.key, key, 32);
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]244 data.in.counter = 0;
245 OPENSSL_memcpy(data.in.nonce, nonce, 12);
246 data.in.extra_ciphertext = out_tag;
247 data.in.extra_ciphertext_len = extra_in_len;
248 chacha20_poly1305_seal(out, in, in_len, ad, ad_len, &data);
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]249 } else {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]250 CRYPTO_chacha_20(out, in, in_len, key, nonce, 1);
251 calc_tag(data.out.tag, key, nonce, ad, ad_len, out, in_len, out_tag,
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]252 extra_in_len);
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]253 }
Kenny Roote99801b2015-11-06 15:31:15 -0800[diff] [blame]254
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]255 OPENSSL_memcpy(out_tag + extra_in_len, data.out.tag, tag_len);
256 *out_tag_len = extra_in_len + tag_len;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]257 return 1;
258}
259
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]260static int aead_chacha20_poly1305_seal_scatter(
261 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
262 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
263 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
264 size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]265 const struct aead_chacha20_poly1305_ctx *c20_ctx =
266 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]267
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]268 return chacha20_poly1305_seal_scatter(
269 c20_ctx->key, out, out_tag, out_tag_len, max_out_tag_len, nonce,
270 nonce_len, in, in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len);
271}
272
273static int aead_xchacha20_poly1305_seal_scatter(
274 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
275 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
276 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
277 size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]278 const struct aead_chacha20_poly1305_ctx *c20_ctx =
279 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]280
281 if (nonce_len != 24) {
282 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
283 return 0;
284 }
285
286 alignas(4) uint8_t derived_key[32];
287 alignas(4) uint8_t derived_nonce[12];
288 CRYPTO_hchacha20(derived_key, c20_ctx->key, nonce);
289 OPENSSL_memset(derived_nonce, 0, 4);
290 OPENSSL_memcpy(&derived_nonce[4], &nonce[16], 8);
291
292 return chacha20_poly1305_seal_scatter(
293 derived_key, out, out_tag, out_tag_len, max_out_tag_len,
294 derived_nonce, sizeof(derived_nonce), in, in_len, extra_in, extra_in_len,
295 ad, ad_len, ctx->tag_len);
296}
297
298static int chacha20_poly1305_open_gather(
299 const uint8_t *key, uint8_t *out, const uint8_t *nonce,
300 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
301 size_t in_tag_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]302 if (nonce_len != 12) {
303 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
304 return 0;
305 }
306
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]307 if (in_tag_len != tag_len) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]308 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]309 return 0;
310 }
311
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]312 // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
313 // individual operations that work on more than 256GB at a time.
314 // |in_len_64| is needed because, on 32-bit platforms, size_t is only
315 // 32-bits and this produces a warning because it's always false.
316 // Casting to uint64_t inside the conditional is not sufficient to stop
317 // the warning.
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]318 const uint64_t in_len_64 = in_len;
David Benjamin4969cc92016-04-22 15:02:23 -0400[diff] [blame]319 if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]320 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]321 return 0;
322 }
323
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]324 union open_data data;
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]325 if (asm_capable()) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]326 OPENSSL_memcpy(data.in.key, key, 32);
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]327 data.in.counter = 0;
328 OPENSSL_memcpy(data.in.nonce, nonce, 12);
329 chacha20_poly1305_open(out, in, in_len, ad, ad_len, &data);
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]330 } else {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]331 calc_tag(data.out.tag, key, nonce, ad, ad_len, in, in_len, NULL, 0);
332 CRYPTO_chacha_20(out, in, in_len, key, nonce, 1);
David Benjaminf31229b2017-01-25 14:08:15 -0500[diff] [blame]333 }
334
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]335 if (CRYPTO_memcmp(data.out.tag, in_tag, tag_len) != 0) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]336 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]337 return 0;
338 }
339
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]340 return 1;
341}
342
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]343static int aead_chacha20_poly1305_open_gather(
344 const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
345 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
346 size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]347 const struct aead_chacha20_poly1305_ctx *c20_ctx =
348 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]349
350 return chacha20_poly1305_open_gather(c20_ctx->key, out, nonce, nonce_len, in,
351 in_len, in_tag, in_tag_len, ad, ad_len,
352 ctx->tag_len);
353}
354
355static int aead_xchacha20_poly1305_open_gather(
356 const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
357 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
358 size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
Robert Sloan5bdaadb2018-10-30 16:00:26 -0700[diff] [blame]359 const struct aead_chacha20_poly1305_ctx *c20_ctx =
360 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]361
362 if (nonce_len != 24) {
363 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
364 return 0;
365 }
366
367 alignas(4) uint8_t derived_key[32];
368 alignas(4) uint8_t derived_nonce[12];
369 CRYPTO_hchacha20(derived_key, c20_ctx->key, nonce);
370 OPENSSL_memset(derived_nonce, 0, 4);
371 OPENSSL_memcpy(&derived_nonce[4], &nonce[16], 8);
372
373 return chacha20_poly1305_open_gather(
374 derived_key, out, derived_nonce, sizeof(derived_nonce), in, in_len,
375 in_tag, in_tag_len, ad, ad_len, ctx->tag_len);
376}
377
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]378static const EVP_AEAD aead_chacha20_poly1305 = {
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]379 32, // key len
380 12, // nonce len
381 POLY1305_TAG_LEN, // overhead
382 POLY1305_TAG_LEN, // max tag length
383 1, // seal_scatter_supports_extra_in
Robert Sloan927a4952017-07-03 11:25:09 -0700[diff] [blame]384
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]385 aead_chacha20_poly1305_init,
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]386 NULL, // init_with_direction
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]387 aead_chacha20_poly1305_cleanup,
Robert Sloan8ff03552017-06-14 12:40:58 -0700[diff] [blame]388 NULL /* open */,
389 aead_chacha20_poly1305_seal_scatter,
390 aead_chacha20_poly1305_open_gather,
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]391 NULL, // get_iv
392 NULL, // tag_len
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]393};
394
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]395static const EVP_AEAD aead_xchacha20_poly1305 = {
396 32, // key len
397 24, // nonce len
398 POLY1305_TAG_LEN, // overhead
399 POLY1305_TAG_LEN, // max tag length
400 1, // seal_scatter_supports_extra_in
401
402 aead_chacha20_poly1305_init,
403 NULL, // init_with_direction
404 aead_chacha20_poly1305_cleanup,
405 NULL /* open */,
406 aead_xchacha20_poly1305_seal_scatter,
407 aead_xchacha20_poly1305_open_gather,
408 NULL, // get_iv
409 NULL, // tag_len
410};
411
Adam Langley4139edb2016-01-13 15:00:54 -0800[diff] [blame]412const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
Kenny Root03bcf612015-11-05 20:20:27 +0000[diff] [blame]413 return &aead_chacha20_poly1305;
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame]414}
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]415
416const EVP_AEAD *EVP_aead_xchacha20_poly1305(void) {
417 return &aead_xchacha20_poly1305;
418}