xref: /freebsd/crypto/openssh/cipher-chachapoly.c (revision 39ee7a7a6bdd1557b1c3532abf60d139798ac88b)
1 /*
2  * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 /* $OpenBSD: cipher-chachapoly.c,v 1.4 2014/01/31 16:39:19 tedu Exp $ */
18 
19 #include "includes.h"
20 
21 #include <sys/types.h>
22 #include <stdarg.h> /* needed for log.h */
23 #include <string.h>
24 #include <stdio.h>  /* needed for misc.h */
25 
26 #include "log.h"
27 #include "misc.h"
28 #include "cipher-chachapoly.h"
29 
30 void chachapoly_init(struct chachapoly_ctx *ctx,
31     const u_char *key, u_int keylen)
32 {
33 	if (keylen != (32 + 32)) /* 2 x 256 bit keys */
34 		fatal("%s: invalid keylen %u", __func__, keylen);
35 	chacha_keysetup(&ctx->main_ctx, key, 256);
36 	chacha_keysetup(&ctx->header_ctx, key + 32, 256);
37 }
38 
39 /*
40  * chachapoly_crypt() operates as following:
41  * En/decrypt with header key 'aadlen' bytes from 'src', storing result
42  * to 'dest'. The ciphertext here is treated as additional authenticated
43  * data for MAC calculation.
44  * En/decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. Use
45  * POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the authentication
46  * tag. This tag is written on encryption and verified on decryption.
47  */
48 int
49 chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
50     const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt)
51 {
52 	u_char seqbuf[8];
53 	const u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB little-endian */
54 	u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
55 	int r = -1;
56 
57 	/*
58 	 * Run ChaCha20 once to generate the Poly1305 key. The IV is the
59 	 * packet sequence number.
60 	 */
61 	memset(poly_key, 0, sizeof(poly_key));
62 	put_u64(seqbuf, seqnr);
63 	chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
64 	chacha_encrypt_bytes(&ctx->main_ctx,
65 	    poly_key, poly_key, sizeof(poly_key));
66 	/* Set Chacha's block counter to 1 */
67 	chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
68 
69 	/* If decrypting, check tag before anything else */
70 	if (!do_encrypt) {
71 		const u_char *tag = src + aadlen + len;
72 
73 		poly1305_auth(expected_tag, src, aadlen + len, poly_key);
74 		if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0)
75 			goto out;
76 	}
77 	/* Crypt additional data */
78 	if (aadlen) {
79 		chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
80 		chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen);
81 	}
82 	chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen,
83 	    dest + aadlen, len);
84 
85 	/* If encrypting, calculate and append tag */
86 	if (do_encrypt) {
87 		poly1305_auth(dest + aadlen + len, dest, aadlen + len,
88 		    poly_key);
89 	}
90 	r = 0;
91 
92  out:
93 	explicit_bzero(expected_tag, sizeof(expected_tag));
94 	explicit_bzero(seqbuf, sizeof(seqbuf));
95 	explicit_bzero(poly_key, sizeof(poly_key));
96 	return r;
97 }
98 
99 /* Decrypt and extract the encrypted packet length */
100 int
101 chachapoly_get_length(struct chachapoly_ctx *ctx,
102     u_int *plenp, u_int seqnr, const u_char *cp, u_int len)
103 {
104 	u_char buf[4], seqbuf[8];
105 
106 	if (len < 4)
107 		return -1; /* Insufficient length */
108 	put_u64(seqbuf, seqnr);
109 	chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
110 	chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4);
111 	*plenp = get_u32(buf);
112 	return 0;
113 }
114 
115