lilcrypto/aead_chacha20_poly1305.c

439 lines
12 KiB
C

/*
* Copyright (c) 2024 Lucas Gabriel Vuotto <lucas@lgv5.net>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "internal.h"
#include "util.h"
/*
* Implements ChaCha20-Poly1305 according to RFC 8439, XChaCha20-Poly1305
* according to draft-irtf-cfrg-xchacha-03.
*/
static int
chacha20_xchacha20_keysetup(struct lc_cipher_ctx *cctx,
uint8_t akey[LC_POLY1305_KEYLEN], void *initparams)
{
size_t i, olen, akeylen;
for (i = 0; i < LC_POLY1305_KEYLEN; i++)
akey[i] = 0;
if (!lc_cipher_encrypt_init(cctx, initparams) ||
!lc_cipher_encrypt_update(cctx, akey, &olen, akey,
LC_POLY1305_KEYLEN))
return 0;
akeylen = olen;
if (!lc_cipher_encrypt_final(cctx, akey + olen, &olen))
return 0;
akeylen += olen;
return akeylen == LC_POLY1305_KEYLEN;
}
static int
chacha20_poly1305_seal(uint8_t *out, size_t *outlen, void *initparams,
const uint8_t *aad, size_t aadlen, const uint8_t *in, size_t inlen)
{
struct lc_chacha20_poly1305_params *params = initparams;
struct lc_cipher_ctx *cctx = NULL;
struct lc_auth_ctx *actx = NULL;
struct lc_chacha20_params cparams;
struct lc_poly1305_params aparams;
uint8_t buf[sizeof(uint64_t) * 2];
size_t i, olen;
int ret = 0;
*outlen = 0;
/* inlen and aadlen are capped by design; enough space of tag. */
if (inlen > UINT64_MAX || aadlen > UINT64_MAX ||
inlen > SIZE_MAX - LC_POLY1305_TAGLEN)
return 0;
/* Counter 0 is used for deriving Poly1305 key. */
if (inlen > SIZE_MAX - (LC_CHACHA20_BLOCKLEN - 1) ||
(inlen + LC_CHACHA20_BLOCKLEN - 1) / LC_CHACHA20_BLOCKLEN >
CHACHA20_CTRMAX - 1)
return 0;
if (out == NULL) {
*outlen = inlen + LC_POLY1305_TAGLEN;
return 1;
}
cctx = lc_cipher_ctx_new(lc_cipher_impl_chacha20());
if (cctx == NULL)
goto cleanup;
actx = lc_auth_ctx_new(lc_auth_impl_poly1305());
if (actx == NULL)
goto cleanup;
for (i = 0; i < sizeof(params->key); i++)
cparams.key[i] = params->key[i];
for (i = 0; i < sizeof(params->nonce); i++)
cparams.nonce[i] = params->nonce[i];
cparams.counter = 0;
if (!chacha20_xchacha20_keysetup(cctx, aparams.key, &cparams))
goto cleanup;
if (!lc_auth_init(actx, &aparams) ||
!lc_auth_update(actx, aad, aadlen))
goto cleanup;
if (aadlen % 16 != 0)
if (!lc_auth_update(actx, zerobuf, 16 - (aadlen % 16)))
goto cleanup;
cparams.counter = 1;
if (!lc_cipher_encrypt_init(cctx, &cparams) ||
!lc_cipher_encrypt_update(cctx, out, &olen, in, inlen))
goto cleanup;
*outlen = olen;
if (!lc_cipher_encrypt_final(cctx, out + olen, &olen))
goto cleanup;
*outlen += olen;
if (*outlen != inlen)
goto cleanup;
if (!lc_auth_update(actx, out, inlen))
goto cleanup;
if (inlen % 16 != 0)
if (!lc_auth_update(actx, zerobuf, 16 - (inlen % 16)))
goto cleanup;
store64le(&buf[0], aadlen);
store64le(&buf[sizeof(uint64_t)], inlen);
if (!lc_auth_update(actx, buf, sizeof(buf)) ||
!lc_auth_final(actx, out + inlen, &olen))
goto cleanup;
*outlen += olen;
if (*outlen != inlen + LC_POLY1305_TAGLEN)
goto cleanup;
ret = 1;
cleanup:
lc_scrub(buf, sizeof(buf));
lc_scrub(&aparams, sizeof(aparams));
lc_scrub(&cparams, sizeof(cparams));
lc_auth_ctx_free(actx);
lc_cipher_ctx_free(cctx);
return ret;
}
static int
xchacha20_poly1305_seal(uint8_t *out, size_t *outlen, void *initparams,
const uint8_t *aad, size_t aadlen, const uint8_t *in, size_t inlen)
{
struct lc_xchacha20_poly1305_params *params = initparams;
struct lc_cipher_ctx *cctx = NULL;
struct lc_auth_ctx *actx = NULL;
struct lc_xchacha20_params cparams;
struct lc_poly1305_params aparams;
uint8_t buf[sizeof(uint64_t) * 2];
size_t i, olen;
int ret = 0;
*outlen = 0;
/* inlen and aadlen are capped by design; enough space of tag. */
if (inlen > UINT64_MAX || aadlen > UINT64_MAX ||
inlen > SIZE_MAX - LC_POLY1305_TAGLEN)
return 0;
/* Counter 0 is used for deriving Poly1305 key. */
if (inlen > SIZE_MAX - (LC_CHACHA20_BLOCKLEN - 1) ||
(inlen + LC_CHACHA20_BLOCKLEN - 1) / LC_CHACHA20_BLOCKLEN >
CHACHA20_CTRMAX - 1)
return 0;
if (out == NULL) {
*outlen = inlen + LC_POLY1305_TAGLEN;
return 1;
}
cctx = lc_cipher_ctx_new(lc_cipher_impl_xchacha20());
if (cctx == NULL)
goto cleanup;
actx = lc_auth_ctx_new(lc_auth_impl_poly1305());
if (actx == NULL)
goto cleanup;
for (i = 0; i < sizeof(params->key); i++)
cparams.key[i] = params->key[i];
for (i = 0; i < sizeof(params->nonce); i++)
cparams.nonce[i] = params->nonce[i];
cparams.counter = 0;
if (!chacha20_xchacha20_keysetup(cctx, aparams.key, &cparams))
goto cleanup;
if (!lc_auth_init(actx, &aparams) ||
!lc_auth_update(actx, aad, aadlen))
goto cleanup;
if (aadlen % 16 != 0)
if (!lc_auth_update(actx, zerobuf, 16 - (aadlen % 16)))
goto cleanup;
cparams.counter = 1;
if (!lc_cipher_encrypt_init(cctx, &cparams) ||
!lc_cipher_encrypt_update(cctx, out, &olen, in, inlen))
goto cleanup;
*outlen = olen;
if (!lc_cipher_encrypt_final(cctx, out + olen, &olen))
goto cleanup;
*outlen += olen;
if (*outlen != inlen)
goto cleanup;
if (!lc_auth_update(actx, out, inlen))
goto cleanup;
if (inlen % 16 != 0)
if (!lc_auth_update(actx, zerobuf, 16 - (inlen % 16)))
goto cleanup;
store64le(&buf[0], aadlen);
store64le(&buf[sizeof(uint64_t)], inlen);
if (!lc_auth_update(actx, buf, sizeof(buf)) ||
!lc_auth_final(actx, out + inlen, &olen))
goto cleanup;
*outlen += olen;
if (*outlen != inlen + LC_POLY1305_TAGLEN)
goto cleanup;
ret = 1;
cleanup:
lc_scrub(buf, sizeof(buf));
lc_scrub(&aparams, sizeof(aparams));
lc_scrub(&cparams, sizeof(cparams));
lc_auth_ctx_free(actx);
lc_cipher_ctx_free(cctx);
return ret;
}
static int
chacha20_poly1305_open(uint8_t *out, size_t *outlen, void *initparams,
const uint8_t *aad, size_t aadlen, const uint8_t *in, size_t inlen)
{
struct lc_chacha20_poly1305_params *params = initparams;
struct lc_cipher_ctx *cctx = NULL;
struct lc_auth_ctx *actx = NULL;
struct lc_chacha20_params cparams;
struct lc_poly1305_params aparams;
uint8_t tag[LC_POLY1305_TAGLEN];
uint8_t buf[sizeof(uint64_t) * 2];
size_t i, olen, ctlen;
int ret = 0;
*outlen = 0;
/* inlen includes the tag; inlen and aadlen are capped by design. */
if (inlen < LC_POLY1305_TAGLEN ||
inlen > UINT64_MAX || aadlen > UINT64_MAX)
return 0;
/* Counter 0 is used for deriving Poly1305 key. */
if (inlen > SIZE_MAX - (LC_CHACHA20_BLOCKLEN - 1) ||
(inlen + LC_CHACHA20_BLOCKLEN - 1) / LC_CHACHA20_BLOCKLEN >
CHACHA20_CTRMAX - 1) {
return 0;
}
if (out == NULL) {
*outlen = inlen - LC_POLY1305_TAGLEN;
return 1;
}
cctx = lc_cipher_ctx_new(lc_cipher_impl_chacha20());
if (cctx == NULL)
goto cleanup;
actx = lc_auth_ctx_new(lc_auth_impl_poly1305());
if (actx == NULL)
goto cleanup;
for (i = 0; i < sizeof(params->key); i++)
cparams.key[i] = params->key[i];
for (i = 0; i < sizeof(params->nonce); i++)
cparams.nonce[i] = params->nonce[i];
cparams.counter = 0;
if (!chacha20_xchacha20_keysetup(cctx, aparams.key, &cparams))
goto cleanup;
if (!lc_auth_init(actx, &aparams) ||
!lc_auth_update(actx, aad, aadlen))
goto cleanup;
if (aadlen % 16 != 0)
if (!lc_auth_update(actx, zerobuf, 16 - (aadlen % 16)))
goto cleanup;
ctlen = inlen - LC_POLY1305_TAGLEN;
if (!lc_auth_update(actx, in, ctlen))
goto cleanup;
if (ctlen % 16 != 0)
if (!lc_auth_update(actx, zerobuf, 16 - (ctlen % 16)))
goto cleanup;
store64le(&buf[0], aadlen);
store64le(&buf[sizeof(uint64_t)], ctlen);
if (!lc_auth_update(actx, buf, sizeof(buf)) ||
!lc_auth_final(actx, tag, &olen))
goto cleanup;
if (olen != LC_POLY1305_TAGLEN)
goto cleanup;
if (!lc_ct_cmp(tag, in + ctlen, LC_POLY1305_TAGLEN))
goto cleanup;
cparams.counter = 1;
if (!lc_cipher_decrypt_init(cctx, &cparams) ||
!lc_cipher_decrypt_update(cctx, out, &olen, in, ctlen))
goto cleanup;
*outlen = olen;
if (!lc_cipher_decrypt_final(cctx, out + olen, &olen))
goto cleanup;
*outlen += olen;
if (*outlen != ctlen)
goto cleanup;
ret = 1;
cleanup:
lc_scrub(buf, sizeof(buf));
lc_scrub(&aparams, sizeof(aparams));
lc_scrub(&cparams, sizeof(cparams));
lc_scrub(tag, sizeof(tag));
lc_auth_ctx_free(actx);
lc_cipher_ctx_free(cctx);
return ret;
}
static int
xchacha20_poly1305_open(uint8_t *out, size_t *outlen, void *initparams,
const uint8_t *aad, size_t aadlen, const uint8_t *in, size_t inlen)
{
struct lc_xchacha20_poly1305_params *params = initparams;
struct lc_cipher_ctx *cctx = NULL;
struct lc_auth_ctx *actx = NULL;
struct lc_xchacha20_params cparams;
struct lc_poly1305_params aparams;
uint8_t tag[LC_POLY1305_TAGLEN];
uint8_t buf[sizeof(uint64_t) * 2];
size_t i, olen, ctlen;
int ret = 0;
*outlen = 0;
/* inlen includes the tag; inlen and aadlen are capped by design. */
if (inlen < LC_POLY1305_TAGLEN ||
inlen > UINT64_MAX || aadlen > UINT64_MAX)
return 0;
/* Counter 0 is used for deriving Poly1305 key. */
if (inlen > SIZE_MAX - (LC_CHACHA20_BLOCKLEN - 1) ||
(inlen + LC_CHACHA20_BLOCKLEN - 1) / LC_CHACHA20_BLOCKLEN >
CHACHA20_CTRMAX - 1) {
return 0;
}
if (out == NULL) {
*outlen = inlen - LC_POLY1305_TAGLEN;
return 1;
}
cctx = lc_cipher_ctx_new(lc_cipher_impl_xchacha20());
if (cctx == NULL)
goto cleanup;
actx = lc_auth_ctx_new(lc_auth_impl_poly1305());
if (actx == NULL)
goto cleanup;
for (i = 0; i < sizeof(params->key); i++)
cparams.key[i] = params->key[i];
for (i = 0; i < sizeof(params->nonce); i++)
cparams.nonce[i] = params->nonce[i];
cparams.counter = 0;
if (!chacha20_xchacha20_keysetup(cctx, aparams.key, &cparams))
goto cleanup;
if (!lc_auth_init(actx, &aparams) ||
!lc_auth_update(actx, aad, aadlen))
goto cleanup;
if (aadlen % 16 != 0)
if (!lc_auth_update(actx, zerobuf, 16 - (aadlen % 16)))
goto cleanup;
ctlen = inlen - LC_POLY1305_TAGLEN;
if (!lc_auth_update(actx, in, ctlen))
goto cleanup;
if (ctlen % 16 != 0)
if (!lc_auth_update(actx, zerobuf, 16 - (ctlen % 16)))
goto cleanup;
store64le(&buf[0], aadlen);
store64le(&buf[sizeof(uint64_t)], ctlen);
if (!lc_auth_update(actx, buf, sizeof(buf)) ||
!lc_auth_final(actx, tag, &olen))
goto cleanup;
if (olen != LC_POLY1305_TAGLEN)
goto cleanup;
if (!lc_ct_cmp(tag, in + ctlen, LC_POLY1305_TAGLEN))
goto cleanup;
cparams.counter = 1;
if (!lc_cipher_decrypt_init(cctx, &cparams) ||
!lc_cipher_decrypt_update(cctx, out, &olen, in, ctlen))
goto cleanup;
*outlen = olen;
if (!lc_cipher_decrypt_final(cctx, out + olen, &olen))
goto cleanup;
*outlen += olen;
if (*outlen != ctlen)
goto cleanup;
ret = 1;
cleanup:
lc_scrub(buf, sizeof(buf));
lc_scrub(&aparams, sizeof(aparams));
lc_scrub(&cparams, sizeof(cparams));
lc_scrub(tag, sizeof(tag));
lc_auth_ctx_free(actx);
lc_cipher_ctx_free(cctx);
return ret;
}
const struct lc_aead_impl *
lc_aead_impl_chacha20_poly1305(void)
{
static struct lc_aead_impl chacha20_poly1305_impl = {
.seal = &chacha20_poly1305_seal,
.open = &chacha20_poly1305_open,
.blocklen = LC_CHACHA20_BLOCKLEN,
};
return &chacha20_poly1305_impl;
}
const struct lc_aead_impl *
lc_aead_impl_xchacha20_poly1305(void)
{
static struct lc_aead_impl xchacha20_poly1305_impl = {
.seal = &xchacha20_poly1305_seal,
.open = &xchacha20_poly1305_open,
.blocklen = LC_XCHACHA20_BLOCKLEN,
};
return &xchacha20_poly1305_impl;
}