xref: /freebsd/sys/opencrypto/xform_chacha20_poly1305.c (revision 681ce946f33e75c590e97c53076e86dff1fe8f4a)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2020 Netflix Inc.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
16  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
19  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25  * SUCH DAMAGE.
26  */
27 
28 #include <opencrypto/xform_auth.h>
29 #include <opencrypto/xform_enc.h>
30 
31 #include <sodium/crypto_onetimeauth_poly1305.h>
32 #include <sodium/crypto_stream_chacha20.h>
33 
34 struct chacha20_poly1305_ctx {
35 	struct crypto_onetimeauth_poly1305_state auth;
36 	const void *key;
37 	uint32_t ic;
38 	bool ietf;
39 	char nonce[CHACHA20_POLY1305_IV_LEN];
40 };
41 
42 static int
43 chacha20_poly1305_setkey(void *vctx, const uint8_t *key, int len)
44 {
45 	struct chacha20_poly1305_ctx *ctx = vctx;
46 
47 	if (len != CHACHA20_POLY1305_KEY)
48 		return (EINVAL);
49 
50 	ctx->key = key;
51 	return (0);
52 }
53 
54 static void
55 chacha20_poly1305_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
56 {
57 	struct chacha20_poly1305_ctx *ctx = vctx;
58 	char block[CHACHA20_NATIVE_BLOCK_LEN];
59 
60 	KASSERT(ivlen == 8 || ivlen == sizeof(ctx->nonce),
61 	    ("%s: invalid nonce length", __func__));
62 
63 	memcpy(ctx->nonce, iv, ivlen);
64 	ctx->ietf = (ivlen == CHACHA20_POLY1305_IV_LEN);
65 
66 	/* Block 0 is used for the poly1305 key. */
67 	if (ctx->ietf)
68 		crypto_stream_chacha20_ietf(block, sizeof(block), iv, ctx->key);
69 	else
70 		crypto_stream_chacha20(block, sizeof(block), iv, ctx->key);
71 	crypto_onetimeauth_poly1305_init(&ctx->auth, block);
72 	explicit_bzero(block, sizeof(block));
73 
74 	/* Start with block 1 for ciphertext. */
75 	ctx->ic = 1;
76 }
77 
78 static void
79 chacha20_poly1305_crypt(void *vctx, const uint8_t *in, uint8_t *out)
80 {
81 	struct chacha20_poly1305_ctx *ctx = vctx;
82 	int error __diagused;
83 
84 	if (ctx->ietf)
85 		error = crypto_stream_chacha20_ietf_xor_ic(out, in,
86 		    CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key);
87 	else
88 		error = crypto_stream_chacha20_xor_ic(out, in,
89 		    CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key);
90 	KASSERT(error == 0, ("%s failed: %d", __func__, error));
91 	ctx->ic++;
92 }
93 
94 static void
95 chacha20_poly1305_crypt_last(void *vctx, const uint8_t *in, uint8_t *out,
96     size_t len)
97 {
98 	struct chacha20_poly1305_ctx *ctx = vctx;
99 
100 	int error __diagused;
101 
102 	if (ctx->ietf)
103 		error = crypto_stream_chacha20_ietf_xor_ic(out, in, len,
104 		    ctx->nonce, ctx->ic, ctx->key);
105 	else
106 		error = crypto_stream_chacha20_xor_ic(out, in, len, ctx->nonce,
107 		    ctx->ic, ctx->key);
108 	KASSERT(error == 0, ("%s failed: %d", __func__, error));
109 }
110 
111 static int
112 chacha20_poly1305_update(void *vctx, const void *data, u_int len)
113 {
114 	struct chacha20_poly1305_ctx *ctx = vctx;
115 
116 	crypto_onetimeauth_poly1305_update(&ctx->auth, data, len);
117 	return (0);
118 }
119 
120 static void
121 chacha20_poly1305_final(uint8_t *digest, void *vctx)
122 {
123 	struct chacha20_poly1305_ctx *ctx = vctx;
124 
125 	crypto_onetimeauth_poly1305_final(&ctx->auth, digest);
126 }
127 
128 const struct enc_xform enc_xform_chacha20_poly1305 = {
129 	.type = CRYPTO_CHACHA20_POLY1305,
130 	.name = "ChaCha20-Poly1305",
131 	.ctxsize = sizeof(struct chacha20_poly1305_ctx),
132 	.blocksize = 1,
133 	.native_blocksize = CHACHA20_NATIVE_BLOCK_LEN,
134 	.ivsize = CHACHA20_POLY1305_IV_LEN,
135 	.minkey = CHACHA20_POLY1305_KEY,
136 	.maxkey = CHACHA20_POLY1305_KEY,
137 	.macsize = POLY1305_HASH_LEN,
138 	.encrypt = chacha20_poly1305_crypt,
139 	.decrypt = chacha20_poly1305_crypt,
140 	.setkey = chacha20_poly1305_setkey,
141 	.reinit = chacha20_poly1305_reinit,
142 	.encrypt_last = chacha20_poly1305_crypt_last,
143 	.decrypt_last = chacha20_poly1305_crypt_last,
144 	.update = chacha20_poly1305_update,
145 	.final = chacha20_poly1305_final,
146 };
147