Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / fdeb488e6332a17729db5a04236e48a46a019272 / . / src / crypto / cipher / e_chacha20poly1305.c
blob: 3bf78340197b3654c69e394acfbc0e3be063ab2e [file] [log] [blame]
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]1/* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/aead.h>
16
17#include <string.h>
18
19#include <openssl/chacha.h>
20#include <openssl/cipher.h>
21#include <openssl/err.h>
22#include <openssl/mem.h>
23#include <openssl/poly1305.h>
24
25#include "internal.h"
26
27
28#define POLY1305_TAG_LEN 16
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]29
30struct aead_chacha20_poly1305_ctx {
31 unsigned char key[32];
32 unsigned char tag_len;
33};
34
35static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
36 size_t key_len, size_t tag_len) {
37 struct aead_chacha20_poly1305_ctx *c20_ctx;
38
39 if (tag_len == 0) {
40 tag_len = POLY1305_TAG_LEN;
41 }
42
43 if (tag_len > POLY1305_TAG_LEN) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]44 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]45 return 0;
46 }
47
48 if (key_len != sizeof(c20_ctx->key)) {
49 return 0; /* internal error - EVP_AEAD_CTX_init should catch this. */
50 }
51
52 c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx));
53 if (c20_ctx == NULL) {
54 return 0;
55 }
56
57 memcpy(c20_ctx->key, key, key_len);
58 c20_ctx->tag_len = tag_len;
59 ctx->aead_state = c20_ctx;
60
61 return 1;
62}
63
64static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {
65 struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
66 OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key));
67 OPENSSL_free(c20_ctx);
68}
69
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]70static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]71 uint8_t length_bytes[8];
72 unsigned i;
73
74 for (i = 0; i < sizeof(length_bytes); i++) {
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]75 length_bytes[i] = data_len;
76 data_len >>= 8;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]77 }
78
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]79 CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
80}
81
82#if defined(__arm__)
83#define ALIGNED __attribute__((aligned(16)))
84#else
85#define ALIGNED
86#endif
87
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]88typedef void (*aead_poly1305_update)(poly1305_state *ctx, const uint8_t *ad,
89 size_t ad_len, const uint8_t *ciphertext,
90 size_t ciphertext_len);
91
92/* aead_poly1305 fills |tag| with the authentication tag for the given
93 * inputs, using |update| to control the order and format that the inputs are
94 * signed/authenticated. */
95static void aead_poly1305(aead_poly1305_update update,
96 uint8_t tag[POLY1305_TAG_LEN],
97 const struct aead_chacha20_poly1305_ctx *c20_ctx,
98 const uint8_t nonce[12], const uint8_t *ad,
99 size_t ad_len, const uint8_t *ciphertext,
100 size_t ciphertext_len) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]101 uint8_t poly1305_key[32] ALIGNED;
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]102 memset(poly1305_key, 0, sizeof(poly1305_key));
103 CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
104 c20_ctx->key, nonce, 0);
105 poly1305_state ctx;
106 CRYPTO_poly1305_init(&ctx, poly1305_key);
107 update(&ctx, ad, ad_len, ciphertext, ciphertext_len);
108 CRYPTO_poly1305_finish(&ctx, tag);
109}
110
111static int seal(aead_poly1305_update poly1305_update, const EVP_AEAD_CTX *ctx,
112 uint8_t *out, size_t *out_len, size_t max_out_len,
113 const uint8_t nonce[12], const uint8_t *in, size_t in_len,
114 const uint8_t *ad, size_t ad_len) {
115 const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]116 const uint64_t in_len_64 = in_len;
117
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]118 /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]119 * individual operations that work on more than 256GB at a time.
120 * |in_len_64| is needed because, on 32-bit platforms, size_t is only
121 * 32-bits and this produces a warning because it's always false.
122 * Casting to uint64_t inside the conditional is not sufficient to stop
123 * the warning. */
124 if (in_len_64 >= (1ull << 32) * 64 - 64) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]125 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]126 return 0;
127 }
128
129 if (in_len + c20_ctx->tag_len < in_len) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]130 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]131 return 0;
132 }
133
134 if (max_out_len < in_len + c20_ctx->tag_len) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]135 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]136 return 0;
137 }
138
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]139 CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]140
141 uint8_t tag[POLY1305_TAG_LEN] ALIGNED;
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]142 aead_poly1305(poly1305_update, tag, c20_ctx, nonce, ad, ad_len, out, in_len);
143
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]144 memcpy(out + in_len, tag, c20_ctx->tag_len);
145 *out_len = in_len + c20_ctx->tag_len;
146 return 1;
147}
148
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]149static int open(aead_poly1305_update poly1305_update, const EVP_AEAD_CTX *ctx,
150 uint8_t *out, size_t *out_len, size_t max_out_len,
151 const uint8_t nonce[12], const uint8_t *in, size_t in_len,
152 const uint8_t *ad, size_t ad_len) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]153 const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]154 size_t plaintext_len;
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]155 const uint64_t in_len_64 = in_len;
156
157 if (in_len < c20_ctx->tag_len) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]158 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]159 return 0;
160 }
161
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]162 /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]163 * individual operations that work on more than 256GB at a time.
164 * |in_len_64| is needed because, on 32-bit platforms, size_t is only
165 * 32-bits and this produces a warning because it's always false.
166 * Casting to uint64_t inside the conditional is not sufficient to stop
167 * the warning. */
168 if (in_len_64 >= (1ull << 32) * 64 - 64) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]169 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]170 return 0;
171 }
172
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]173 plaintext_len = in_len - c20_ctx->tag_len;
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]174 uint8_t tag[POLY1305_TAG_LEN] ALIGNED;
175 aead_poly1305(poly1305_update, tag, c20_ctx, nonce, ad, ad_len, in,
176 plaintext_len);
177 if (CRYPTO_memcmp(tag, in + plaintext_len, c20_ctx->tag_len) != 0) {
Kenny Rootb8494592015-09-25 02:29:14 +0000[diff] [blame]178 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]179 return 0;
180 }
181
182 CRYPTO_chacha_20(out, in, plaintext_len, c20_ctx->key, nonce, 1);
183 *out_len = plaintext_len;
184 return 1;
185}
186
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]187static void poly1305_update_padded_16(poly1305_state *poly1305,
188 const uint8_t *data, size_t data_len) {
189 static const uint8_t padding[16] = { 0 }; /* Padding is all zeros. */
190
191 CRYPTO_poly1305_update(poly1305, data, data_len);
192 if (data_len % 16 != 0) {
193 CRYPTO_poly1305_update(poly1305, padding, sizeof(padding) - (data_len % 16));
194 }
195}
196
197static void poly1305_update(poly1305_state *ctx, const uint8_t *ad,
198 size_t ad_len, const uint8_t *ciphertext,
199 size_t ciphertext_len) {
200 poly1305_update_padded_16(ctx, ad, ad_len);
201 poly1305_update_padded_16(ctx, ciphertext, ciphertext_len);
202 poly1305_update_length(ctx, ad_len);
203 poly1305_update_length(ctx, ciphertext_len);
204}
205
206static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
207 size_t *out_len, size_t max_out_len,
208 const uint8_t *nonce, size_t nonce_len,
209 const uint8_t *in, size_t in_len,
210 const uint8_t *ad, size_t ad_len) {
211 if (nonce_len != 12) {
212 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
213 return 0;
214 }
215 return seal(poly1305_update, ctx, out, out_len, max_out_len, nonce, in,
216 in_len, ad, ad_len);
217}
218
219static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
220 size_t *out_len, size_t max_out_len,
221 const uint8_t *nonce, size_t nonce_len,
222 const uint8_t *in, size_t in_len,
223 const uint8_t *ad, size_t ad_len) {
224 if (nonce_len != 12) {
225 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
226 return 0;
227 }
228 return open(poly1305_update, ctx, out, out_len, max_out_len, nonce, in,
229 in_len, ad, ad_len);
230}
231
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]232static const EVP_AEAD aead_chacha20_poly1305 = {
233 32, /* key len */
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]234 12, /* nonce len */
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]235 POLY1305_TAG_LEN, /* overhead */
236 POLY1305_TAG_LEN, /* max tag length */
Adam Langleye9ada862015-05-11 17:20:37 -0700[diff] [blame]237 aead_chacha20_poly1305_init,
238 NULL, /* init_with_direction */
239 aead_chacha20_poly1305_cleanup,
240 aead_chacha20_poly1305_seal,
241 aead_chacha20_poly1305_open,
242 NULL, /* get_rc4_state */
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]243};
244
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]245const EVP_AEAD *EVP_aead_chacha20_poly1305_rfc7539(void) {
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame]246 return &aead_chacha20_poly1305;
247}
Adam Langleyfdeb4882015-10-30 13:15:30 -0700[diff] [blame^]248
249static void poly1305_update_old(poly1305_state *ctx, const uint8_t *ad,
250 size_t ad_len, const uint8_t *ciphertext,
251 size_t ciphertext_len) {
252 CRYPTO_poly1305_update(ctx, ad, ad_len);
253 poly1305_update_length(ctx, ad_len);
254 CRYPTO_poly1305_update(ctx, ciphertext, ciphertext_len);
255 poly1305_update_length(ctx, ciphertext_len);
256}
257
258static int aead_chacha20_poly1305_old_seal(
259 const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len,
260 const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len,
261 const uint8_t *ad, size_t ad_len) {
262 if (nonce_len != 8) {
263 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
264 return 0;
265 }
266 uint8_t nonce_96[12];
267 memset(nonce_96, 0, 4);
268 memcpy(nonce_96 + 4, nonce, 8);
269 return seal(poly1305_update_old, ctx, out, out_len, max_out_len, nonce_96, in,
270 in_len, ad, ad_len);
271}
272
273static int aead_chacha20_poly1305_old_open(
274 const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len,
275 const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len,
276 const uint8_t *ad, size_t ad_len) {
277 if (nonce_len != 8) {
278 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
279 return 0;
280 }
281 uint8_t nonce_96[12];
282 memset(nonce_96, 0, 4);
283 memcpy(nonce_96 + 4, nonce, 8);
284 return open(poly1305_update_old, ctx, out, out_len, max_out_len, nonce_96, in,
285 in_len, ad, ad_len);
286}
287
288static const EVP_AEAD aead_chacha20_poly1305_old = {
289 32, /* key len */
290 8, /* nonce len */
291 POLY1305_TAG_LEN, /* overhead */
292 POLY1305_TAG_LEN, /* max tag length */
293 aead_chacha20_poly1305_init,
294 NULL, /* init_with_direction */
295 aead_chacha20_poly1305_cleanup,
296 aead_chacha20_poly1305_old_seal,
297 aead_chacha20_poly1305_old_open,
298 NULL, /* get_rc4_state */
299};
300
301const EVP_AEAD *EVP_aead_chacha20_poly1305_old(void) {
302 return &aead_chacha20_poly1305_old;
303}
304
305const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
306 return &aead_chacha20_poly1305_old;
307}