1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2020 Netflix Inc. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <opencrypto/xform_auth.h> 29 #include <opencrypto/xform_enc.h> 30 31 #include <sodium/crypto_onetimeauth_poly1305.h> 32 #include <sodium/crypto_stream_chacha20.h> 33 34 struct chacha20_poly1305_ctx { 35 struct crypto_onetimeauth_poly1305_state auth; 36 const void *key; 37 uint32_t ic; 38 bool ietf; 39 char nonce[CHACHA20_POLY1305_IV_LEN]; 40 }; 41 42 static int 43 chacha20_poly1305_setkey(void *vctx, const uint8_t *key, int len) 44 { 45 struct chacha20_poly1305_ctx *ctx = vctx; 46 47 if (len != CHACHA20_POLY1305_KEY) 48 return (EINVAL); 49 50 ctx->key = key; 51 return (0); 52 } 53 54 static void 55 chacha20_poly1305_reinit(void *vctx, const uint8_t *iv, size_t ivlen) 56 { 57 struct chacha20_poly1305_ctx *ctx = vctx; 58 char block[CHACHA20_NATIVE_BLOCK_LEN]; 59 60 KASSERT(ivlen == 8 || ivlen == sizeof(ctx->nonce), 61 ("%s: invalid nonce length", __func__)); 62 63 memcpy(ctx->nonce, iv, ivlen); 64 ctx->ietf = (ivlen == CHACHA20_POLY1305_IV_LEN); 65 66 /* Block 0 is used for the poly1305 key. */ 67 if (ctx->ietf) 68 crypto_stream_chacha20_ietf(block, sizeof(block), iv, ctx->key); 69 else 70 crypto_stream_chacha20(block, sizeof(block), iv, ctx->key); 71 crypto_onetimeauth_poly1305_init(&ctx->auth, block); 72 explicit_bzero(block, sizeof(block)); 73 74 /* Start with block 1 for ciphertext. */ 75 ctx->ic = 1; 76 } 77 78 static void 79 chacha20_poly1305_crypt(void *vctx, const uint8_t *in, uint8_t *out) 80 { 81 struct chacha20_poly1305_ctx *ctx = vctx; 82 int error __diagused; 83 84 if (ctx->ietf) 85 error = crypto_stream_chacha20_ietf_xor_ic(out, in, 86 CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key); 87 else 88 error = crypto_stream_chacha20_xor_ic(out, in, 89 CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key); 90 KASSERT(error == 0, ("%s failed: %d", __func__, error)); 91 ctx->ic++; 92 } 93 94 static void 95 chacha20_poly1305_crypt_last(void *vctx, const uint8_t *in, uint8_t *out, 96 size_t len) 97 { 98 struct chacha20_poly1305_ctx *ctx = vctx; 99 100 int error __diagused; 101 102 if (ctx->ietf) 103 error = crypto_stream_chacha20_ietf_xor_ic(out, in, len, 104 ctx->nonce, ctx->ic, ctx->key); 105 else 106 error = crypto_stream_chacha20_xor_ic(out, in, len, ctx->nonce, 107 ctx->ic, ctx->key); 108 KASSERT(error == 0, ("%s failed: %d", __func__, error)); 109 } 110 111 static int 112 chacha20_poly1305_update(void *vctx, const void *data, u_int len) 113 { 114 struct chacha20_poly1305_ctx *ctx = vctx; 115 116 crypto_onetimeauth_poly1305_update(&ctx->auth, data, len); 117 return (0); 118 } 119 120 static void 121 chacha20_poly1305_final(uint8_t *digest, void *vctx) 122 { 123 struct chacha20_poly1305_ctx *ctx = vctx; 124 125 crypto_onetimeauth_poly1305_final(&ctx->auth, digest); 126 } 127 128 const struct enc_xform enc_xform_chacha20_poly1305 = { 129 .type = CRYPTO_CHACHA20_POLY1305, 130 .name = "ChaCha20-Poly1305", 131 .ctxsize = sizeof(struct chacha20_poly1305_ctx), 132 .blocksize = 1, 133 .native_blocksize = CHACHA20_NATIVE_BLOCK_LEN, 134 .ivsize = CHACHA20_POLY1305_IV_LEN, 135 .minkey = CHACHA20_POLY1305_KEY, 136 .maxkey = CHACHA20_POLY1305_KEY, 137 .macsize = POLY1305_HASH_LEN, 138 .encrypt = chacha20_poly1305_crypt, 139 .decrypt = chacha20_poly1305_crypt, 140 .setkey = chacha20_poly1305_setkey, 141 .reinit = chacha20_poly1305_reinit, 142 .encrypt_last = chacha20_poly1305_crypt_last, 143 .decrypt_last = chacha20_poly1305_crypt_last, 144 .update = chacha20_poly1305_update, 145 .final = chacha20_poly1305_final, 146 }; 147