xref: /freebsd/sys/opencrypto/xform_chacha20_poly1305.c (revision 13ec1e3155c7e9bf037b12af186351b7fa9b9450)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2020 Netflix Inc.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
16  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
19  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25  * SUCH DAMAGE.
26  */
27 
28 #include <opencrypto/xform_auth.h>
29 #include <opencrypto/xform_enc.h>
30 
31 #include <sodium/crypto_core_hchacha20.h>
32 #include <sodium/crypto_onetimeauth_poly1305.h>
33 #include <sodium/crypto_stream_chacha20.h>
34 
35 struct chacha20_poly1305_ctx {
36 	struct crypto_onetimeauth_poly1305_state auth;
37 	const void *key;
38 	uint32_t ic;
39 	bool ietf;
40 	char nonce[CHACHA20_POLY1305_IV_LEN];
41 };
42 
43 struct xchacha20_poly1305_ctx {
44 	struct chacha20_poly1305_ctx base_ctx;	/* must be first */
45 	const void *key;
46 	char derived_key[CHACHA20_POLY1305_KEY];
47 };
48 
49 static int
50 chacha20_poly1305_setkey(void *vctx, const uint8_t *key, int len)
51 {
52 	struct chacha20_poly1305_ctx *ctx = vctx;
53 
54 	if (len != CHACHA20_POLY1305_KEY)
55 		return (EINVAL);
56 
57 	ctx->key = key;
58 	return (0);
59 }
60 
61 static void
62 chacha20_poly1305_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
63 {
64 	struct chacha20_poly1305_ctx *ctx = vctx;
65 	char block[CHACHA20_NATIVE_BLOCK_LEN];
66 
67 	KASSERT(ivlen == 8 || ivlen == sizeof(ctx->nonce),
68 	    ("%s: invalid nonce length", __func__));
69 
70 	memcpy(ctx->nonce, iv, ivlen);
71 	ctx->ietf = (ivlen == CHACHA20_POLY1305_IV_LEN);
72 
73 	/* Block 0 is used for the poly1305 key. */
74 	if (ctx->ietf)
75 		crypto_stream_chacha20_ietf(block, sizeof(block), iv, ctx->key);
76 	else
77 		crypto_stream_chacha20(block, sizeof(block), iv, ctx->key);
78 	crypto_onetimeauth_poly1305_init(&ctx->auth, block);
79 	explicit_bzero(block, sizeof(block));
80 
81 	/* Start with block 1 for ciphertext. */
82 	ctx->ic = 1;
83 }
84 
85 static void
86 chacha20_poly1305_crypt(void *vctx, const uint8_t *in, uint8_t *out)
87 {
88 	struct chacha20_poly1305_ctx *ctx = vctx;
89 	int error __diagused;
90 
91 	if (ctx->ietf)
92 		error = crypto_stream_chacha20_ietf_xor_ic(out, in,
93 		    CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key);
94 	else
95 		error = crypto_stream_chacha20_xor_ic(out, in,
96 		    CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key);
97 	KASSERT(error == 0, ("%s failed: %d", __func__, error));
98 	ctx->ic++;
99 }
100 
101 static void
102 chacha20_poly1305_crypt_multi(void *vctx, const uint8_t *in, uint8_t *out, size_t len)
103 {
104 	struct chacha20_poly1305_ctx *ctx = vctx;
105 	int error __diagused;
106 
107 	KASSERT(len % CHACHA20_NATIVE_BLOCK_LEN == 0, ("%s: invalid length",
108 	    __func__));
109 	if (ctx->ietf)
110 		error = crypto_stream_chacha20_ietf_xor_ic(out, in, len,
111 		    ctx->nonce, ctx->ic, ctx->key);
112 	else
113 		error = crypto_stream_chacha20_xor_ic(out, in, len, ctx->nonce,
114 		    ctx->ic, ctx->key);
115 	KASSERT(error == 0, ("%s failed: %d", __func__, error));
116 	ctx->ic += len / CHACHA20_NATIVE_BLOCK_LEN;
117 }
118 
119 static void
120 chacha20_poly1305_crypt_last(void *vctx, const uint8_t *in, uint8_t *out,
121     size_t len)
122 {
123 	struct chacha20_poly1305_ctx *ctx = vctx;
124 
125 	int error __diagused;
126 
127 	if (ctx->ietf)
128 		error = crypto_stream_chacha20_ietf_xor_ic(out, in, len,
129 		    ctx->nonce, ctx->ic, ctx->key);
130 	else
131 		error = crypto_stream_chacha20_xor_ic(out, in, len, ctx->nonce,
132 		    ctx->ic, ctx->key);
133 	KASSERT(error == 0, ("%s failed: %d", __func__, error));
134 }
135 
136 static int
137 chacha20_poly1305_update(void *vctx, const void *data, u_int len)
138 {
139 	struct chacha20_poly1305_ctx *ctx = vctx;
140 
141 	crypto_onetimeauth_poly1305_update(&ctx->auth, data, len);
142 	return (0);
143 }
144 
145 static void
146 chacha20_poly1305_final(uint8_t *digest, void *vctx)
147 {
148 	struct chacha20_poly1305_ctx *ctx = vctx;
149 
150 	crypto_onetimeauth_poly1305_final(&ctx->auth, digest);
151 }
152 
153 const struct enc_xform enc_xform_chacha20_poly1305 = {
154 	.type = CRYPTO_CHACHA20_POLY1305,
155 	.name = "ChaCha20-Poly1305",
156 	.ctxsize = sizeof(struct chacha20_poly1305_ctx),
157 	.blocksize = 1,
158 	.native_blocksize = CHACHA20_NATIVE_BLOCK_LEN,
159 	.ivsize = CHACHA20_POLY1305_IV_LEN,
160 	.minkey = CHACHA20_POLY1305_KEY,
161 	.maxkey = CHACHA20_POLY1305_KEY,
162 	.macsize = POLY1305_HASH_LEN,
163 	.setkey = chacha20_poly1305_setkey,
164 	.reinit = chacha20_poly1305_reinit,
165 	.encrypt = chacha20_poly1305_crypt,
166 	.decrypt = chacha20_poly1305_crypt,
167 	.encrypt_multi = chacha20_poly1305_crypt_multi,
168 	.decrypt_multi = chacha20_poly1305_crypt_multi,
169 	.encrypt_last = chacha20_poly1305_crypt_last,
170 	.decrypt_last = chacha20_poly1305_crypt_last,
171 	.update = chacha20_poly1305_update,
172 	.final = chacha20_poly1305_final,
173 };
174 
175 static int
176 xchacha20_poly1305_setkey(void *vctx, const uint8_t *key, int len)
177 {
178 	struct xchacha20_poly1305_ctx *ctx = vctx;
179 
180 	if (len != XCHACHA20_POLY1305_KEY)
181 		return (EINVAL);
182 
183 	ctx->key = key;
184 	ctx->base_ctx.key = ctx->derived_key;
185 	return (0);
186 }
187 
188 static void
189 xchacha20_poly1305_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
190 {
191 	struct xchacha20_poly1305_ctx *ctx = vctx;
192 	char nonce[CHACHA20_POLY1305_IV_LEN];
193 
194 	KASSERT(ivlen == XCHACHA20_POLY1305_IV_LEN,
195 	    ("%s: invalid nonce length", __func__));
196 
197 	/*
198 	 * Use HChaCha20 to derive the internal key used for
199 	 * ChaCha20-Poly1305.
200 	 */
201 	crypto_core_hchacha20(ctx->derived_key, iv, ctx->key, NULL);
202 
203 	memset(nonce, 0, 4);
204 	memcpy(nonce + 4, iv + crypto_core_hchacha20_INPUTBYTES,
205 	    sizeof(nonce) - 4);
206 	chacha20_poly1305_reinit(&ctx->base_ctx, nonce, sizeof(nonce));
207 	explicit_bzero(nonce, sizeof(nonce));
208 }
209 
210 const struct enc_xform enc_xform_xchacha20_poly1305 = {
211 	.type = CRYPTO_XCHACHA20_POLY1305,
212 	.name = "XChaCha20-Poly1305",
213 	.ctxsize = sizeof(struct xchacha20_poly1305_ctx),
214 	.blocksize = 1,
215 	.native_blocksize = CHACHA20_NATIVE_BLOCK_LEN,
216 	.ivsize = XCHACHA20_POLY1305_IV_LEN,
217 	.minkey = XCHACHA20_POLY1305_KEY,
218 	.maxkey = XCHACHA20_POLY1305_KEY,
219 	.macsize = POLY1305_HASH_LEN,
220 	.setkey = xchacha20_poly1305_setkey,
221 	.reinit = xchacha20_poly1305_reinit,
222 	.encrypt = chacha20_poly1305_crypt,
223 	.decrypt = chacha20_poly1305_crypt,
224 	.encrypt_multi = chacha20_poly1305_crypt_multi,
225 	.decrypt_multi = chacha20_poly1305_crypt_multi,
226 	.encrypt_last = chacha20_poly1305_crypt_last,
227 	.decrypt_last = chacha20_poly1305_crypt_last,
228 	.update = chacha20_poly1305_update,
229 	.final = chacha20_poly1305_final,
230 };
231