1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2020 Netflix Inc.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27
28 #include <opencrypto/xform_auth.h>
29 #include <opencrypto/xform_enc.h>
30
31 #include <sodium/crypto_core_hchacha20.h>
32 #include <sodium/crypto_onetimeauth_poly1305.h>
33 #include <sodium/crypto_stream_chacha20.h>
34
35 struct chacha20_poly1305_ctx {
36 struct crypto_onetimeauth_poly1305_state auth;
37 const void *key;
38 uint32_t ic;
39 bool ietf;
40 char nonce[CHACHA20_POLY1305_IV_LEN];
41 };
42
43 struct xchacha20_poly1305_ctx {
44 struct chacha20_poly1305_ctx base_ctx; /* must be first */
45 const void *key;
46 char derived_key[CHACHA20_POLY1305_KEY];
47 };
48
49 static int
chacha20_poly1305_setkey(void * vctx,const uint8_t * key,int len)50 chacha20_poly1305_setkey(void *vctx, const uint8_t *key, int len)
51 {
52 struct chacha20_poly1305_ctx *ctx = vctx;
53
54 if (len != CHACHA20_POLY1305_KEY)
55 return (EINVAL);
56
57 ctx->key = key;
58 return (0);
59 }
60
61 static void
chacha20_poly1305_reinit(void * vctx,const uint8_t * iv,size_t ivlen)62 chacha20_poly1305_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
63 {
64 struct chacha20_poly1305_ctx *ctx = vctx;
65 char block[CHACHA20_NATIVE_BLOCK_LEN];
66
67 KASSERT(ivlen == 8 || ivlen == sizeof(ctx->nonce),
68 ("%s: invalid nonce length", __func__));
69
70 memcpy(ctx->nonce, iv, ivlen);
71 ctx->ietf = (ivlen == CHACHA20_POLY1305_IV_LEN);
72
73 /* Block 0 is used for the poly1305 key. */
74 if (ctx->ietf)
75 crypto_stream_chacha20_ietf(block, sizeof(block), iv, ctx->key);
76 else
77 crypto_stream_chacha20(block, sizeof(block), iv, ctx->key);
78 crypto_onetimeauth_poly1305_init(&ctx->auth, block);
79 explicit_bzero(block, sizeof(block));
80
81 /* Start with block 1 for ciphertext. */
82 ctx->ic = 1;
83 }
84
85 static void
chacha20_poly1305_crypt(void * vctx,const uint8_t * in,uint8_t * out)86 chacha20_poly1305_crypt(void *vctx, const uint8_t *in, uint8_t *out)
87 {
88 struct chacha20_poly1305_ctx *ctx = vctx;
89 int error __diagused;
90
91 if (ctx->ietf)
92 error = crypto_stream_chacha20_ietf_xor_ic(out, in,
93 CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key);
94 else
95 error = crypto_stream_chacha20_xor_ic(out, in,
96 CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key);
97 KASSERT(error == 0, ("%s failed: %d", __func__, error));
98 ctx->ic++;
99 }
100
101 static void
chacha20_poly1305_crypt_multi(void * vctx,const uint8_t * in,uint8_t * out,size_t len)102 chacha20_poly1305_crypt_multi(void *vctx, const uint8_t *in, uint8_t *out, size_t len)
103 {
104 struct chacha20_poly1305_ctx *ctx = vctx;
105 int error __diagused;
106
107 KASSERT(len % CHACHA20_NATIVE_BLOCK_LEN == 0, ("%s: invalid length",
108 __func__));
109 if (ctx->ietf)
110 error = crypto_stream_chacha20_ietf_xor_ic(out, in, len,
111 ctx->nonce, ctx->ic, ctx->key);
112 else
113 error = crypto_stream_chacha20_xor_ic(out, in, len, ctx->nonce,
114 ctx->ic, ctx->key);
115 KASSERT(error == 0, ("%s failed: %d", __func__, error));
116 ctx->ic += len / CHACHA20_NATIVE_BLOCK_LEN;
117 }
118
119 static void
chacha20_poly1305_crypt_last(void * vctx,const uint8_t * in,uint8_t * out,size_t len)120 chacha20_poly1305_crypt_last(void *vctx, const uint8_t *in, uint8_t *out,
121 size_t len)
122 {
123 struct chacha20_poly1305_ctx *ctx = vctx;
124
125 int error __diagused;
126
127 if (ctx->ietf)
128 error = crypto_stream_chacha20_ietf_xor_ic(out, in, len,
129 ctx->nonce, ctx->ic, ctx->key);
130 else
131 error = crypto_stream_chacha20_xor_ic(out, in, len, ctx->nonce,
132 ctx->ic, ctx->key);
133 KASSERT(error == 0, ("%s failed: %d", __func__, error));
134 }
135
136 static int
chacha20_poly1305_update(void * vctx,const void * data,u_int len)137 chacha20_poly1305_update(void *vctx, const void *data, u_int len)
138 {
139 struct chacha20_poly1305_ctx *ctx = vctx;
140
141 crypto_onetimeauth_poly1305_update(&ctx->auth, data, len);
142 return (0);
143 }
144
145 static void
chacha20_poly1305_final(uint8_t * digest,void * vctx)146 chacha20_poly1305_final(uint8_t *digest, void *vctx)
147 {
148 struct chacha20_poly1305_ctx *ctx = vctx;
149
150 crypto_onetimeauth_poly1305_final(&ctx->auth, digest);
151 }
152
153 const struct enc_xform enc_xform_chacha20_poly1305 = {
154 .type = CRYPTO_CHACHA20_POLY1305,
155 .name = "ChaCha20-Poly1305",
156 .ctxsize = sizeof(struct chacha20_poly1305_ctx),
157 .blocksize = 1,
158 .native_blocksize = CHACHA20_NATIVE_BLOCK_LEN,
159 .ivsize = CHACHA20_POLY1305_IV_LEN,
160 .minkey = CHACHA20_POLY1305_KEY,
161 .maxkey = CHACHA20_POLY1305_KEY,
162 .macsize = POLY1305_HASH_LEN,
163 .setkey = chacha20_poly1305_setkey,
164 .reinit = chacha20_poly1305_reinit,
165 .encrypt = chacha20_poly1305_crypt,
166 .decrypt = chacha20_poly1305_crypt,
167 .encrypt_multi = chacha20_poly1305_crypt_multi,
168 .decrypt_multi = chacha20_poly1305_crypt_multi,
169 .encrypt_last = chacha20_poly1305_crypt_last,
170 .decrypt_last = chacha20_poly1305_crypt_last,
171 .update = chacha20_poly1305_update,
172 .final = chacha20_poly1305_final,
173 };
174
175 static int
xchacha20_poly1305_setkey(void * vctx,const uint8_t * key,int len)176 xchacha20_poly1305_setkey(void *vctx, const uint8_t *key, int len)
177 {
178 struct xchacha20_poly1305_ctx *ctx = vctx;
179
180 if (len != XCHACHA20_POLY1305_KEY)
181 return (EINVAL);
182
183 ctx->key = key;
184 ctx->base_ctx.key = ctx->derived_key;
185 return (0);
186 }
187
188 static void
xchacha20_poly1305_reinit(void * vctx,const uint8_t * iv,size_t ivlen)189 xchacha20_poly1305_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
190 {
191 struct xchacha20_poly1305_ctx *ctx = vctx;
192 char nonce[CHACHA20_POLY1305_IV_LEN];
193
194 KASSERT(ivlen == XCHACHA20_POLY1305_IV_LEN,
195 ("%s: invalid nonce length", __func__));
196
197 /*
198 * Use HChaCha20 to derive the internal key used for
199 * ChaCha20-Poly1305.
200 */
201 crypto_core_hchacha20(ctx->derived_key, iv, ctx->key, NULL);
202
203 memset(nonce, 0, 4);
204 memcpy(nonce + 4, iv + crypto_core_hchacha20_INPUTBYTES,
205 sizeof(nonce) - 4);
206 chacha20_poly1305_reinit(&ctx->base_ctx, nonce, sizeof(nonce));
207 explicit_bzero(nonce, sizeof(nonce));
208 }
209
210 const struct enc_xform enc_xform_xchacha20_poly1305 = {
211 .type = CRYPTO_XCHACHA20_POLY1305,
212 .name = "XChaCha20-Poly1305",
213 .ctxsize = sizeof(struct xchacha20_poly1305_ctx),
214 .blocksize = 1,
215 .native_blocksize = CHACHA20_NATIVE_BLOCK_LEN,
216 .ivsize = XCHACHA20_POLY1305_IV_LEN,
217 .minkey = XCHACHA20_POLY1305_KEY,
218 .maxkey = XCHACHA20_POLY1305_KEY,
219 .macsize = POLY1305_HASH_LEN,
220 .setkey = xchacha20_poly1305_setkey,
221 .reinit = xchacha20_poly1305_reinit,
222 .encrypt = chacha20_poly1305_crypt,
223 .decrypt = chacha20_poly1305_crypt,
224 .encrypt_multi = chacha20_poly1305_crypt_multi,
225 .decrypt_multi = chacha20_poly1305_crypt_multi,
226 .encrypt_last = chacha20_poly1305_crypt_last,
227 .decrypt_last = chacha20_poly1305_crypt_last,
228 .update = chacha20_poly1305_update,
229 .final = chacha20_poly1305_final,
230 };
231