1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2020 Netflix Inc. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <opencrypto/xform_auth.h> 29 #include <opencrypto/xform_enc.h> 30 31 #include <sodium/crypto_core_hchacha20.h> 32 #include <sodium/crypto_onetimeauth_poly1305.h> 33 #include <sodium/crypto_stream_chacha20.h> 34 35 struct chacha20_poly1305_ctx { 36 struct crypto_onetimeauth_poly1305_state auth; 37 const void *key; 38 uint32_t ic; 39 bool ietf; 40 char nonce[CHACHA20_POLY1305_IV_LEN]; 41 }; 42 43 struct xchacha20_poly1305_ctx { 44 struct chacha20_poly1305_ctx base_ctx; /* must be first */ 45 const void *key; 46 char derived_key[CHACHA20_POLY1305_KEY]; 47 }; 48 49 static int 50 chacha20_poly1305_setkey(void *vctx, const uint8_t *key, int len) 51 { 52 struct chacha20_poly1305_ctx *ctx = vctx; 53 54 if (len != CHACHA20_POLY1305_KEY) 55 return (EINVAL); 56 57 ctx->key = key; 58 return (0); 59 } 60 61 static void 62 chacha20_poly1305_reinit(void *vctx, const uint8_t *iv, size_t ivlen) 63 { 64 struct chacha20_poly1305_ctx *ctx = vctx; 65 char block[CHACHA20_NATIVE_BLOCK_LEN]; 66 67 KASSERT(ivlen == 8 || ivlen == sizeof(ctx->nonce), 68 ("%s: invalid nonce length", __func__)); 69 70 memcpy(ctx->nonce, iv, ivlen); 71 ctx->ietf = (ivlen == CHACHA20_POLY1305_IV_LEN); 72 73 /* Block 0 is used for the poly1305 key. */ 74 if (ctx->ietf) 75 crypto_stream_chacha20_ietf(block, sizeof(block), iv, ctx->key); 76 else 77 crypto_stream_chacha20(block, sizeof(block), iv, ctx->key); 78 crypto_onetimeauth_poly1305_init(&ctx->auth, block); 79 explicit_bzero(block, sizeof(block)); 80 81 /* Start with block 1 for ciphertext. */ 82 ctx->ic = 1; 83 } 84 85 static void 86 chacha20_poly1305_crypt(void *vctx, const uint8_t *in, uint8_t *out) 87 { 88 struct chacha20_poly1305_ctx *ctx = vctx; 89 int error __diagused; 90 91 if (ctx->ietf) 92 error = crypto_stream_chacha20_ietf_xor_ic(out, in, 93 CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key); 94 else 95 error = crypto_stream_chacha20_xor_ic(out, in, 96 CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key); 97 KASSERT(error == 0, ("%s failed: %d", __func__, error)); 98 ctx->ic++; 99 } 100 101 static void 102 chacha20_poly1305_crypt_multi(void *vctx, const uint8_t *in, uint8_t *out, size_t len) 103 { 104 struct chacha20_poly1305_ctx *ctx = vctx; 105 int error __diagused; 106 107 KASSERT(len % CHACHA20_NATIVE_BLOCK_LEN == 0, ("%s: invalid length", 108 __func__)); 109 if (ctx->ietf) 110 error = crypto_stream_chacha20_ietf_xor_ic(out, in, len, 111 ctx->nonce, ctx->ic, ctx->key); 112 else 113 error = crypto_stream_chacha20_xor_ic(out, in, len, ctx->nonce, 114 ctx->ic, ctx->key); 115 KASSERT(error == 0, ("%s failed: %d", __func__, error)); 116 ctx->ic += len / CHACHA20_NATIVE_BLOCK_LEN; 117 } 118 119 static void 120 chacha20_poly1305_crypt_last(void *vctx, const uint8_t *in, uint8_t *out, 121 size_t len) 122 { 123 struct chacha20_poly1305_ctx *ctx = vctx; 124 125 int error __diagused; 126 127 if (ctx->ietf) 128 error = crypto_stream_chacha20_ietf_xor_ic(out, in, len, 129 ctx->nonce, ctx->ic, ctx->key); 130 else 131 error = crypto_stream_chacha20_xor_ic(out, in, len, ctx->nonce, 132 ctx->ic, ctx->key); 133 KASSERT(error == 0, ("%s failed: %d", __func__, error)); 134 } 135 136 static int 137 chacha20_poly1305_update(void *vctx, const void *data, u_int len) 138 { 139 struct chacha20_poly1305_ctx *ctx = vctx; 140 141 crypto_onetimeauth_poly1305_update(&ctx->auth, data, len); 142 return (0); 143 } 144 145 static void 146 chacha20_poly1305_final(uint8_t *digest, void *vctx) 147 { 148 struct chacha20_poly1305_ctx *ctx = vctx; 149 150 crypto_onetimeauth_poly1305_final(&ctx->auth, digest); 151 } 152 153 const struct enc_xform enc_xform_chacha20_poly1305 = { 154 .type = CRYPTO_CHACHA20_POLY1305, 155 .name = "ChaCha20-Poly1305", 156 .ctxsize = sizeof(struct chacha20_poly1305_ctx), 157 .blocksize = 1, 158 .native_blocksize = CHACHA20_NATIVE_BLOCK_LEN, 159 .ivsize = CHACHA20_POLY1305_IV_LEN, 160 .minkey = CHACHA20_POLY1305_KEY, 161 .maxkey = CHACHA20_POLY1305_KEY, 162 .macsize = POLY1305_HASH_LEN, 163 .setkey = chacha20_poly1305_setkey, 164 .reinit = chacha20_poly1305_reinit, 165 .encrypt = chacha20_poly1305_crypt, 166 .decrypt = chacha20_poly1305_crypt, 167 .encrypt_multi = chacha20_poly1305_crypt_multi, 168 .decrypt_multi = chacha20_poly1305_crypt_multi, 169 .encrypt_last = chacha20_poly1305_crypt_last, 170 .decrypt_last = chacha20_poly1305_crypt_last, 171 .update = chacha20_poly1305_update, 172 .final = chacha20_poly1305_final, 173 }; 174 175 static int 176 xchacha20_poly1305_setkey(void *vctx, const uint8_t *key, int len) 177 { 178 struct xchacha20_poly1305_ctx *ctx = vctx; 179 180 if (len != XCHACHA20_POLY1305_KEY) 181 return (EINVAL); 182 183 ctx->key = key; 184 ctx->base_ctx.key = ctx->derived_key; 185 return (0); 186 } 187 188 static void 189 xchacha20_poly1305_reinit(void *vctx, const uint8_t *iv, size_t ivlen) 190 { 191 struct xchacha20_poly1305_ctx *ctx = vctx; 192 char nonce[CHACHA20_POLY1305_IV_LEN]; 193 194 KASSERT(ivlen == XCHACHA20_POLY1305_IV_LEN, 195 ("%s: invalid nonce length", __func__)); 196 197 /* 198 * Use HChaCha20 to derive the internal key used for 199 * ChaCha20-Poly1305. 200 */ 201 crypto_core_hchacha20(ctx->derived_key, iv, ctx->key, NULL); 202 203 memset(nonce, 0, 4); 204 memcpy(nonce + 4, iv + crypto_core_hchacha20_INPUTBYTES, 205 sizeof(nonce) - 4); 206 chacha20_poly1305_reinit(&ctx->base_ctx, nonce, sizeof(nonce)); 207 explicit_bzero(nonce, sizeof(nonce)); 208 } 209 210 const struct enc_xform enc_xform_xchacha20_poly1305 = { 211 .type = CRYPTO_XCHACHA20_POLY1305, 212 .name = "XChaCha20-Poly1305", 213 .ctxsize = sizeof(struct xchacha20_poly1305_ctx), 214 .blocksize = 1, 215 .native_blocksize = CHACHA20_NATIVE_BLOCK_LEN, 216 .ivsize = XCHACHA20_POLY1305_IV_LEN, 217 .minkey = XCHACHA20_POLY1305_KEY, 218 .maxkey = XCHACHA20_POLY1305_KEY, 219 .macsize = POLY1305_HASH_LEN, 220 .setkey = xchacha20_poly1305_setkey, 221 .reinit = xchacha20_poly1305_reinit, 222 .encrypt = chacha20_poly1305_crypt, 223 .decrypt = chacha20_poly1305_crypt, 224 .encrypt_multi = chacha20_poly1305_crypt_multi, 225 .decrypt_multi = chacha20_poly1305_crypt_multi, 226 .encrypt_last = chacha20_poly1305_crypt_last, 227 .decrypt_last = chacha20_poly1305_crypt_last, 228 .update = chacha20_poly1305_update, 229 .final = chacha20_poly1305_final, 230 }; 231