diff options
Diffstat (limited to 'cipher-chachapoly-libcrypto.c')
-rw-r--r-- | cipher-chachapoly-libcrypto.c | 166 |
1 files changed, 166 insertions, 0 deletions
diff --git a/cipher-chachapoly-libcrypto.c b/cipher-chachapoly-libcrypto.c new file mode 100644 index 000000000..719f9c843 --- /dev/null +++ b/cipher-chachapoly-libcrypto.c | |||
@@ -0,0 +1,166 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2013 Damien Miller <djm@mindrot.org> | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | /* $OpenBSD: cipher-chachapoly-libcrypto.c,v 1.1 2020/04/03 04:32:21 djm Exp $ */ | ||
18 | |||
19 | #include "includes.h" | ||
20 | #ifdef WITH_OPENSSL | ||
21 | #include "openbsd-compat/openssl-compat.h" | ||
22 | #endif | ||
23 | |||
24 | #if defined(HAVE_EVP_CHACHA20) && !defined(HAVE_BROKEN_CHACHA20) | ||
25 | |||
26 | #include <sys/types.h> | ||
27 | #include <stdarg.h> /* needed for log.h */ | ||
28 | #include <string.h> | ||
29 | #include <stdio.h> /* needed for misc.h */ | ||
30 | |||
31 | #include <openssl/evp.h> | ||
32 | |||
33 | #include "log.h" | ||
34 | #include "sshbuf.h" | ||
35 | #include "ssherr.h" | ||
36 | #include "cipher-chachapoly.h" | ||
37 | |||
38 | struct chachapoly_ctx { | ||
39 | EVP_CIPHER_CTX *main_evp, *header_evp; | ||
40 | }; | ||
41 | |||
42 | struct chachapoly_ctx * | ||
43 | chachapoly_new(const u_char *key, u_int keylen) | ||
44 | { | ||
45 | struct chachapoly_ctx *ctx; | ||
46 | |||
47 | if (keylen != (32 + 32)) /* 2 x 256 bit keys */ | ||
48 | return NULL; | ||
49 | if ((ctx = calloc(1, sizeof(*ctx))) == NULL) | ||
50 | return NULL; | ||
51 | if ((ctx->main_evp = EVP_CIPHER_CTX_new()) == NULL || | ||
52 | (ctx->header_evp = EVP_CIPHER_CTX_new()) == NULL) | ||
53 | goto fail; | ||
54 | if (!EVP_CipherInit(ctx->main_evp, EVP_chacha20(), key, NULL, 1)) | ||
55 | goto fail; | ||
56 | if (!EVP_CipherInit(ctx->header_evp, EVP_chacha20(), key + 32, NULL, 1)) | ||
57 | goto fail; | ||
58 | if (EVP_CIPHER_CTX_iv_length(ctx->header_evp) != 16) | ||
59 | goto fail; | ||
60 | return ctx; | ||
61 | fail: | ||
62 | chachapoly_free(ctx); | ||
63 | return NULL; | ||
64 | } | ||
65 | |||
66 | void | ||
67 | chachapoly_free(struct chachapoly_ctx *cpctx) | ||
68 | { | ||
69 | if (cpctx == NULL) | ||
70 | return; | ||
71 | EVP_CIPHER_CTX_free(cpctx->main_evp); | ||
72 | EVP_CIPHER_CTX_free(cpctx->header_evp); | ||
73 | freezero(cpctx, sizeof(*cpctx)); | ||
74 | } | ||
75 | |||
76 | /* | ||
77 | * chachapoly_crypt() operates as following: | ||
78 | * En/decrypt with header key 'aadlen' bytes from 'src', storing result | ||
79 | * to 'dest'. The ciphertext here is treated as additional authenticated | ||
80 | * data for MAC calculation. | ||
81 | * En/decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. Use | ||
82 | * POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the authentication | ||
83 | * tag. This tag is written on encryption and verified on decryption. | ||
84 | */ | ||
85 | int | ||
86 | chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, | ||
87 | const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt) | ||
88 | { | ||
89 | u_char seqbuf[16]; /* layout: u64 counter || u64 seqno */ | ||
90 | int r = SSH_ERR_INTERNAL_ERROR; | ||
91 | u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN]; | ||
92 | |||
93 | /* | ||
94 | * Run ChaCha20 once to generate the Poly1305 key. The IV is the | ||
95 | * packet sequence number. | ||
96 | */ | ||
97 | memset(seqbuf, 0, sizeof(seqbuf)); | ||
98 | POKE_U64(seqbuf + 8, seqnr); | ||
99 | memset(poly_key, 0, sizeof(poly_key)); | ||
100 | if (!EVP_CipherInit(ctx->main_evp, NULL, NULL, seqbuf, 1) || | ||
101 | EVP_Cipher(ctx->main_evp, poly_key, | ||
102 | poly_key, sizeof(poly_key)) < 0) { | ||
103 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
104 | goto out; | ||
105 | } | ||
106 | |||
107 | /* If decrypting, check tag before anything else */ | ||
108 | if (!do_encrypt) { | ||
109 | const u_char *tag = src + aadlen + len; | ||
110 | |||
111 | poly1305_auth(expected_tag, src, aadlen + len, poly_key); | ||
112 | if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) { | ||
113 | r = SSH_ERR_MAC_INVALID; | ||
114 | goto out; | ||
115 | } | ||
116 | } | ||
117 | |||
118 | /* Crypt additional data */ | ||
119 | if (aadlen) { | ||
120 | if (!EVP_CipherInit(ctx->header_evp, NULL, NULL, seqbuf, 1) || | ||
121 | EVP_Cipher(ctx->header_evp, dest, src, aadlen) < 0) { | ||
122 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
123 | goto out; | ||
124 | } | ||
125 | } | ||
126 | |||
127 | /* Set Chacha's block counter to 1 */ | ||
128 | seqbuf[0] = 1; | ||
129 | if (!EVP_CipherInit(ctx->main_evp, NULL, NULL, seqbuf, 1) || | ||
130 | EVP_Cipher(ctx->main_evp, dest + aadlen, src + aadlen, len) < 0) { | ||
131 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
132 | goto out; | ||
133 | } | ||
134 | |||
135 | /* If encrypting, calculate and append tag */ | ||
136 | if (do_encrypt) { | ||
137 | poly1305_auth(dest + aadlen + len, dest, aadlen + len, | ||
138 | poly_key); | ||
139 | } | ||
140 | r = 0; | ||
141 | out: | ||
142 | explicit_bzero(expected_tag, sizeof(expected_tag)); | ||
143 | explicit_bzero(seqbuf, sizeof(seqbuf)); | ||
144 | explicit_bzero(poly_key, sizeof(poly_key)); | ||
145 | return r; | ||
146 | } | ||
147 | |||
148 | /* Decrypt and extract the encrypted packet length */ | ||
149 | int | ||
150 | chachapoly_get_length(struct chachapoly_ctx *ctx, | ||
151 | u_int *plenp, u_int seqnr, const u_char *cp, u_int len) | ||
152 | { | ||
153 | u_char buf[4], seqbuf[16]; | ||
154 | |||
155 | if (len < 4) | ||
156 | return SSH_ERR_MESSAGE_INCOMPLETE; | ||
157 | memset(seqbuf, 0, sizeof(seqbuf)); | ||
158 | POKE_U64(seqbuf + 8, seqnr); | ||
159 | if (!EVP_CipherInit(ctx->header_evp, NULL, NULL, seqbuf, 0)) | ||
160 | return SSH_ERR_LIBCRYPTO_ERROR; | ||
161 | if (EVP_Cipher(ctx->header_evp, buf, (u_char *)cp, sizeof(buf)) < 0) | ||
162 | return SSH_ERR_LIBCRYPTO_ERROR; | ||
163 | *plenp = PEEK_U32(buf); | ||
164 | return 0; | ||
165 | } | ||
166 | #endif /* defined(HAVE_EVP_CHACHA20) && !defined(HAVE_BROKEN_CHACHA20) */ | ||