1 /*
2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 #include "inner.h"
26
27 static void
gen_chapol_init(br_sslrec_chapol_context * cc,br_chacha20_run ichacha,br_poly1305_run ipoly,const void * key,const void * iv)28 gen_chapol_init(br_sslrec_chapol_context *cc,
29 br_chacha20_run ichacha, br_poly1305_run ipoly,
30 const void *key, const void *iv)
31 {
32 cc->seq = 0;
33 cc->ichacha = ichacha;
34 cc->ipoly = ipoly;
35 memcpy(cc->key, key, sizeof cc->key);
36 memcpy(cc->iv, iv, sizeof cc->iv);
37 }
38
39 static void
gen_chapol_process(br_sslrec_chapol_context * cc,int record_type,unsigned version,void * data,size_t len,void * tag,int encrypt)40 gen_chapol_process(br_sslrec_chapol_context *cc,
41 int record_type, unsigned version, void *data, size_t len,
42 void *tag, int encrypt)
43 {
44 unsigned char header[13];
45 unsigned char nonce[12];
46 uint64_t seq;
47 size_t u;
48
49 seq = cc->seq ++;
50 br_enc64be(header, seq);
51 header[8] = (unsigned char)record_type;
52 br_enc16be(header + 9, version);
53 br_enc16be(header + 11, len);
54 memcpy(nonce, cc->iv, 12);
55 for (u = 0; u < 8; u ++) {
56 nonce[11 - u] ^= (unsigned char)seq;
57 seq >>= 8;
58 }
59 cc->ipoly(cc->key, nonce, data, len, header, sizeof header,
60 tag, cc->ichacha, encrypt);
61 }
62
63 static void
in_chapol_init(br_sslrec_chapol_context * cc,br_chacha20_run ichacha,br_poly1305_run ipoly,const void * key,const void * iv)64 in_chapol_init(br_sslrec_chapol_context *cc,
65 br_chacha20_run ichacha, br_poly1305_run ipoly,
66 const void *key, const void *iv)
67 {
68 cc->vtable.in = &br_sslrec_in_chapol_vtable;
69 gen_chapol_init(cc, ichacha, ipoly, key, iv);
70 }
71
72 static int
chapol_check_length(const br_sslrec_chapol_context * cc,size_t rlen)73 chapol_check_length(const br_sslrec_chapol_context *cc, size_t rlen)
74 {
75 /*
76 * Overhead is just the authentication tag (16 bytes).
77 */
78 (void)cc;
79 return rlen >= 16 && rlen <= (16384 + 16);
80 }
81
82 static unsigned char *
chapol_decrypt(br_sslrec_chapol_context * cc,int record_type,unsigned version,void * data,size_t * data_len)83 chapol_decrypt(br_sslrec_chapol_context *cc,
84 int record_type, unsigned version, void *data, size_t *data_len)
85 {
86 unsigned char *buf;
87 size_t u, len;
88 unsigned char tag[16];
89 unsigned bad;
90
91 buf = data;
92 len = *data_len - 16;
93 gen_chapol_process(cc, record_type, version, buf, len, tag, 0);
94 bad = 0;
95 for (u = 0; u < 16; u ++) {
96 bad |= tag[u] ^ buf[len + u];
97 }
98 if (bad) {
99 return NULL;
100 }
101 *data_len = len;
102 return buf;
103 }
104
105 /* see bearssl_ssl.h */
106 const br_sslrec_in_chapol_class br_sslrec_in_chapol_vtable = {
107 {
108 sizeof(br_sslrec_chapol_context),
109 (int (*)(const br_sslrec_in_class *const *, size_t))
110 &chapol_check_length,
111 (unsigned char *(*)(const br_sslrec_in_class **,
112 int, unsigned, void *, size_t *))
113 &chapol_decrypt
114 },
115 (void (*)(const br_sslrec_in_chapol_class **,
116 br_chacha20_run, br_poly1305_run,
117 const void *, const void *))
118 &in_chapol_init
119 };
120
121 static void
out_chapol_init(br_sslrec_chapol_context * cc,br_chacha20_run ichacha,br_poly1305_run ipoly,const void * key,const void * iv)122 out_chapol_init(br_sslrec_chapol_context *cc,
123 br_chacha20_run ichacha, br_poly1305_run ipoly,
124 const void *key, const void *iv)
125 {
126 cc->vtable.out = &br_sslrec_out_chapol_vtable;
127 gen_chapol_init(cc, ichacha, ipoly, key, iv);
128 }
129
130 static void
chapol_max_plaintext(const br_sslrec_chapol_context * cc,size_t * start,size_t * end)131 chapol_max_plaintext(const br_sslrec_chapol_context *cc,
132 size_t *start, size_t *end)
133 {
134 size_t len;
135
136 (void)cc;
137 len = *end - *start - 16;
138 if (len > 16384) {
139 len = 16384;
140 }
141 *end = *start + len;
142 }
143
144 static unsigned char *
chapol_encrypt(br_sslrec_chapol_context * cc,int record_type,unsigned version,void * data,size_t * data_len)145 chapol_encrypt(br_sslrec_chapol_context *cc,
146 int record_type, unsigned version, void *data, size_t *data_len)
147 {
148 unsigned char *buf;
149 size_t len;
150
151 buf = data;
152 len = *data_len;
153 gen_chapol_process(cc, record_type, version, buf, len, buf + len, 1);
154 buf -= 5;
155 buf[0] = (unsigned char)record_type;
156 br_enc16be(buf + 1, version);
157 br_enc16be(buf + 3, len + 16);
158 *data_len = len + 21;
159 return buf;
160 }
161
162 /* see bearssl_ssl.h */
163 const br_sslrec_out_chapol_class br_sslrec_out_chapol_vtable = {
164 {
165 sizeof(br_sslrec_chapol_context),
166 (void (*)(const br_sslrec_out_class *const *,
167 size_t *, size_t *))
168 &chapol_max_plaintext,
169 (unsigned char *(*)(const br_sslrec_out_class **,
170 int, unsigned, void *, size_t *))
171 &chapol_encrypt
172 },
173 (void (*)(const br_sslrec_out_chapol_class **,
174 br_chacha20_run, br_poly1305_run,
175 const void *, const void *))
176 &out_chapol_init
177 };
178