diff options
Diffstat (limited to 'cipher-chachapoly.c')
-rw-r--r-- | cipher-chachapoly.c | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/cipher-chachapoly.c b/cipher-chachapoly.c new file mode 100644 index 000000000..91b0830fd --- /dev/null +++ b/cipher-chachapoly.c | |||
@@ -0,0 +1,114 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2013 Damien Miller <djm@mindrot.org> | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | /* $OpenBSD: cipher-chachapoly.c,v 1.3 2013/12/15 21:42:35 djm Exp $ */ | ||
18 | |||
19 | #include "includes.h" | ||
20 | |||
21 | #include <sys/types.h> | ||
22 | #include <stdarg.h> /* needed for log.h */ | ||
23 | #include <string.h> | ||
24 | #include <stdio.h> /* needed for misc.h */ | ||
25 | |||
26 | #include "log.h" | ||
27 | #include "misc.h" | ||
28 | #include "cipher-chachapoly.h" | ||
29 | |||
30 | void chachapoly_init(struct chachapoly_ctx *ctx, | ||
31 | const u_char *key, u_int keylen) | ||
32 | { | ||
33 | if (keylen != (32 + 32)) /* 2 x 256 bit keys */ | ||
34 | fatal("%s: invalid keylen %u", __func__, keylen); | ||
35 | chacha_keysetup(&ctx->main_ctx, key, 256); | ||
36 | chacha_keysetup(&ctx->header_ctx, key + 32, 256); | ||
37 | } | ||
38 | |||
39 | /* | ||
40 | * chachapoly_crypt() operates as following: | ||
41 | * En/decrypt with header key 'aadlen' bytes from 'src', storing result | ||
42 | * to 'dest'. The ciphertext here is treated as additional authenticated | ||
43 | * data for MAC calculation. | ||
44 | * En/decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. Use | ||
45 | * POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the authentication | ||
46 | * tag. This tag is written on encryption and verified on decryption. | ||
47 | */ | ||
48 | int | ||
49 | chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest, | ||
50 | const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt) | ||
51 | { | ||
52 | u_char seqbuf[8]; | ||
53 | const u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB little-endian */ | ||
54 | u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN]; | ||
55 | int r = -1; | ||
56 | |||
57 | /* | ||
58 | * Run ChaCha20 once to generate the Poly1305 key. The IV is the | ||
59 | * packet sequence number. | ||
60 | */ | ||
61 | bzero(poly_key, sizeof(poly_key)); | ||
62 | put_u64(seqbuf, seqnr); | ||
63 | chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL); | ||
64 | chacha_encrypt_bytes(&ctx->main_ctx, | ||
65 | poly_key, poly_key, sizeof(poly_key)); | ||
66 | /* Set Chacha's block counter to 1 */ | ||
67 | chacha_ivsetup(&ctx->main_ctx, seqbuf, one); | ||
68 | |||
69 | /* If decrypting, check tag before anything else */ | ||
70 | if (!do_encrypt) { | ||
71 | const u_char *tag = src + aadlen + len; | ||
72 | |||
73 | poly1305_auth(expected_tag, src, aadlen + len, poly_key); | ||
74 | if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) | ||
75 | goto out; | ||
76 | } | ||
77 | /* Crypt additional data */ | ||
78 | if (aadlen) { | ||
79 | chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); | ||
80 | chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen); | ||
81 | } | ||
82 | chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen, | ||
83 | dest + aadlen, len); | ||
84 | |||
85 | /* If encrypting, calculate and append tag */ | ||
86 | if (do_encrypt) { | ||
87 | poly1305_auth(dest + aadlen + len, dest, aadlen + len, | ||
88 | poly_key); | ||
89 | } | ||
90 | r = 0; | ||
91 | |||
92 | out: | ||
93 | bzero(expected_tag, sizeof(expected_tag)); | ||
94 | bzero(seqbuf, sizeof(seqbuf)); | ||
95 | bzero(poly_key, sizeof(poly_key)); | ||
96 | return r; | ||
97 | } | ||
98 | |||
99 | /* Decrypt and extract the encrypted packet length */ | ||
100 | int | ||
101 | chachapoly_get_length(struct chachapoly_ctx *ctx, | ||
102 | u_int *plenp, u_int seqnr, const u_char *cp, u_int len) | ||
103 | { | ||
104 | u_char buf[4], seqbuf[8]; | ||
105 | |||
106 | if (len < 4) | ||
107 | return -1; /* Insufficient length */ | ||
108 | put_u64(seqbuf, seqnr); | ||
109 | chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); | ||
110 | chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4); | ||
111 | *plenp = get_u32(buf); | ||
112 | return 0; | ||
113 | } | ||
114 | |||