diff options
author | Damien Miller <djm@mindrot.org> | 2013-11-21 14:12:23 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2013-11-21 14:12:23 +1100 |
commit | 0fde8acdad78a4d20cadae974376cc0165f645ee (patch) | |
tree | 6e6aa82b73163bcb412920050d98f82ca9f4e86e /cipher-chachapoly.c | |
parent | fdb2306acdc3eb2bc46b6dfdaaf6005c650af22a (diff) |
- djm@cvs.openbsd.org 2013/11/21 00:45:44
[Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
[chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
[dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
[ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
cipher "chacha20-poly1305@openssh.com" that combines Daniel
Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode.
Inspired by and similar to Adam Langley's proposal for TLS:
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
but differs in layout used for the MAC calculation and the use of a
second ChaCha20 instance to separately encrypt packet lengths.
Details are in the PROTOCOL.chacha20poly1305 file.
Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
ok markus@ naddy@
Diffstat (limited to 'cipher-chachapoly.c')
-rw-r--r-- | cipher-chachapoly.c | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/cipher-chachapoly.c b/cipher-chachapoly.c new file mode 100644 index 000000000..20628ab5d --- /dev/null +++ b/cipher-chachapoly.c | |||
@@ -0,0 +1,114 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2013 Damien Miller <djm@mindrot.org> | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | /* $OpenBSD: cipher-chachapoly.c,v 1.2 2013/11/21 02:50:00 djm Exp $ */ | ||
18 | |||
19 | #include "includes.h" | ||
20 | |||
21 | #include <sys/types.h> | ||
22 | #include <stdarg.h> /* needed for log.h */ | ||
23 | #include <string.h> | ||
24 | #include <stdio.h> /* needed for misc.h */ | ||
25 | |||
26 | #include "log.h" | ||
27 | #include "misc.h" | ||
28 | #include "cipher-chachapoly.h" | ||
29 | |||
30 | void chachapoly_init(struct chachapoly_ctx *ctx, | ||
31 | const u_char *key, u_int keylen) | ||
32 | { | ||
33 | if (keylen != (32 + 32)) /* 2 x 256 bit keys */ | ||
34 | fatal("%s: invalid keylen %u", __func__, keylen); | ||
35 | chacha_keysetup(&ctx->main_ctx, key, 256); | ||
36 | chacha_keysetup(&ctx->header_ctx, key + 32, 256); | ||
37 | } | ||
38 | |||
39 | /* | ||
40 | * chachapoly_crypt() operates as following: | ||
41 | * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'. | ||
42 | * Theses bytes are treated as additional authenticated data. | ||
43 | * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. | ||
44 | * Use POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the | ||
45 | * authentication tag. | ||
46 | * This tag is written on encryption and verified on decryption. | ||
47 | * Both 'aadlen' and 'authlen' can be set to 0. | ||
48 | */ | ||
49 | int | ||
50 | chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, | ||
51 | const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt) | ||
52 | { | ||
53 | u_char seqbuf[8]; | ||
54 | u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB. little-endian */ | ||
55 | u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN]; | ||
56 | int r = -1; | ||
57 | |||
58 | /* | ||
59 | * Run ChaCha20 once to generate the Poly1305 key. The IV is the | ||
60 | * packet sequence number. | ||
61 | */ | ||
62 | bzero(poly_key, sizeof(poly_key)); | ||
63 | put_u64(seqbuf, seqnr); | ||
64 | chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL); | ||
65 | chacha_encrypt_bytes(&ctx->main_ctx, | ||
66 | poly_key, poly_key, sizeof(poly_key)); | ||
67 | /* Set Chacha's block counter to 1 */ | ||
68 | chacha_ivsetup(&ctx->main_ctx, seqbuf, one); | ||
69 | |||
70 | /* If decrypting, check tag before anything else */ | ||
71 | if (!do_encrypt) { | ||
72 | const u_char *tag = src + aadlen + len; | ||
73 | |||
74 | poly1305_auth(expected_tag, src, aadlen + len, poly_key); | ||
75 | if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) | ||
76 | goto out; | ||
77 | } | ||
78 | /* Crypt additional data */ | ||
79 | if (aadlen) { | ||
80 | chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); | ||
81 | chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen); | ||
82 | } | ||
83 | chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen, | ||
84 | dest + aadlen, len); | ||
85 | |||
86 | /* If encrypting, calculate and append tag */ | ||
87 | if (do_encrypt) { | ||
88 | poly1305_auth(dest + aadlen + len, dest, aadlen + len, | ||
89 | poly_key); | ||
90 | } | ||
91 | r = 0; | ||
92 | |||
93 | out: | ||
94 | bzero(expected_tag, sizeof(expected_tag)); | ||
95 | bzero(seqbuf, sizeof(seqbuf)); | ||
96 | bzero(poly_key, sizeof(poly_key)); | ||
97 | return r; | ||
98 | } | ||
99 | |||
100 | int | ||
101 | chachapoly_get_length(struct chachapoly_ctx *ctx, | ||
102 | u_int *plenp, u_int seqnr, const u_char *cp, u_int len) | ||
103 | { | ||
104 | u_char buf[4], seqbuf[8]; | ||
105 | |||
106 | if (len < 4) | ||
107 | return -1; /* Insufficient length */ | ||
108 | put_u64(seqbuf, seqnr); | ||
109 | chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); | ||
110 | chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4); | ||
111 | *plenp = get_u32(buf); | ||
112 | return 0; | ||
113 | } | ||
114 | |||