kris
/
boringssl
1
0
Derivar 0
Código Questões 0 Pedidos de integração 0 Lançamentos 0 Wiki Trabalho
Não pode escolher mais do que 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
1644 Cometimentos
12 Ramos
38 MiB
Árvore: fc05994e24
Ramos Etiquetas
${ item.name }
Criar ramo ${ searchTerm }
de 'fc05994e24'
${ noResults }
boringssl/crypto/cipher/e_chacha20poly1305.c

e_chacha20poly1305.c 7.1 KiB
Em bruto Vista normal Histórico

ChaCha20-Poly1305 support.
há 10 anos
Remove string.h from base.h. Including string.h in base.h causes any file that includes a BoringSSL header to include string.h. Generally this wouldn't be a problem, although string.h might slow down the compile if it wasn't otherwise needed. However, it also causes problems for ipsec-tools in Android because OpenSSL didn't have this behaviour. This change removes string.h from base.h and, instead, adds it to each .c file that requires it. Change-Id: I5968e50b0e230fd3adf9b72dd2836e6f52d6fb37 Reviewed-on: https://boringssl-review.googlesource.com/3200 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Enable more warnings & treat warnings as errors on Windows. Change-Id: I2bf0144aaa8b670ff00b8e8dfe36bd4d237b9a8a Reviewed-on: https://boringssl-review.googlesource.com/3140 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Always write the Poly1305 tag to an aligned buffer. With GCC 4.9 and -O2 (and only -O2, -O1 and -O3 didn't trigger it), the Poly1305 code can end up writing to an unaligned address otherwise and that triggers a bus error on ARM. Change-Id: Ifbeb7e2066a893d91d6f63c6565bac7d5542ef81 Reviewed-on: https://boringssl-review.googlesource.com/2850 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Remove the func parameter to OPENSSL_PUT_ERROR. Much of this was done automatically with find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' find . -name '*.c' | xargs sed -E -i '' -e 's/(OPENSSL_PUT_ERROR\([a-zA-Z_0-9]+, )[a-zA-Z_0-9]+, ([a-zA-Z_0-9]+\);)/\1\2/' BUG=468039 Change-Id: I4c75fd95dff85ab1d4a546b05e6aed1aeeb499d8 Reviewed-on: https://boringssl-review.googlesource.com/5276 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Don't delay-initialize legacy AEADs. Instead, add a separate init_with_direction hook. Normal AEADs ignore the direction, while legacy AEADs must be initialized with it. This avoids maintaining extra state to support the delayed initialization. Change-Id: I25271f0e56ee2783a2fd4d4026434154d58dc0a8 Reviewed-on: https://boringssl-review.googlesource.com/3731 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
Add SSL_get_rc4_state. This allows the current RC4 state of an SSL* to be extracted. We have internal uses for this functionality. Change-Id: Ic124c4b253c8325751f49e7a4c021768620ea4b7 Reviewed-on: https://boringssl-review.googlesource.com/3722 Reviewed-by: Adam Langley <agl@google.com>
há 9 anos
ChaCha20-Poly1305 support.
há 10 anos
Convert all zero-argument functions to '(void)' Otherwise, in C, it becomes a K&R function declaration which doesn't actually type-check the number of arguments. Change-Id: I0731a9fefca46fb1c266bfb1c33d464cf451a22e Reviewed-on: https://boringssl-review.googlesource.com/1582 Reviewed-by: Adam Langley <agl@google.com>
há 10 anos
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220 
  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/aead.h>

  16. 

  17. #include <string.h>

  18. 

  19. #include <openssl/chacha.h>

  20. #include <openssl/cipher.h>

  21. #include <openssl/err.h>

  22. #include <openssl/mem.h>

  23. #include <openssl/poly1305.h>

  24. 

  25. #include "internal.h"

  26. 

  27. 

  28. #define POLY1305_TAG_LEN 16

  29. #define CHACHA20_NONCE_LEN 8

  30. 

  31. struct aead_chacha20_poly1305_ctx {

  32.   unsigned char key[32];

  33.   unsigned char tag_len;

  34. };

  35. 

  36. static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  37.                                        size_t key_len, size_t tag_len) {

  38.   struct aead_chacha20_poly1305_ctx *c20_ctx;

  39. 

  40.   if (tag_len == 0) {

  41.     tag_len = POLY1305_TAG_LEN;

  42.   }

  43. 

  44.   if (tag_len > POLY1305_TAG_LEN) {

  45.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);

  46.     return 0;

  47.   }

  48. 

  49.   if (key_len != sizeof(c20_ctx->key)) {

  50.     return 0; /* internal error - EVP_AEAD_CTX_init should catch this. */

  51.   }

  52. 

  53.   c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx));

  54.   if (c20_ctx == NULL) {

  55.     return 0;

  56.   }

  57. 

  58.   memcpy(c20_ctx->key, key, key_len);

  59.   c20_ctx->tag_len = tag_len;

  60.   ctx->aead_state = c20_ctx;

  61. 

  62.   return 1;

  63. }

  64. 

  65. static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {

  66.   struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;

  67.   OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key));

  68.   OPENSSL_free(c20_ctx);

  69. }

  70. 

  71. static void poly1305_update_with_length(poly1305_state *poly1305,

  72.                                         const uint8_t *data, size_t data_len) {

  73.   size_t j = data_len;

  74.   uint8_t length_bytes[8];

  75.   unsigned i;

  76. 

  77.   for (i = 0; i < sizeof(length_bytes); i++) {

  78.     length_bytes[i] = j;

  79.     j >>= 8;

  80.   }

  81. 

  82.   CRYPTO_poly1305_update(poly1305, data, data_len);

  83.   CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));

  84. }

  85. 

  86. #if defined(__arm__)

  87. #define ALIGNED __attribute__((aligned(16)))

  88. #else

  89. #define ALIGNED

  90. #endif

  91. 

  92. static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,

  93.                                        size_t *out_len, size_t max_out_len,

  94.                                        const uint8_t *nonce, size_t nonce_len,

  95.                                        const uint8_t *in, size_t in_len,

  96.                                        const uint8_t *ad, size_t ad_len) {

  97.   const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;

  98.   uint8_t poly1305_key[32] ALIGNED;

  99.   poly1305_state poly1305;

  100.   const uint64_t in_len_64 = in_len;

  101. 

  102.   /* The underlying ChaCha implementation may not overflow the block

  103.    * counter into the second counter word. Therefore we disallow

  104.    * individual operations that work on more than 256GB at a time.

  105.    * |in_len_64| is needed because, on 32-bit platforms, size_t is only

  106.    * 32-bits and this produces a warning because it's always false.

  107.    * Casting to uint64_t inside the conditional is not sufficient to stop

  108.    * the warning. */

  109.   if (in_len_64 >= (1ull << 32) * 64 - 64) {

  110.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);

  111.     return 0;

  112.   }

  113. 

  114.   if (in_len + c20_ctx->tag_len < in_len) {

  115.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);

  116.     return 0;

  117.   }

  118. 

  119.   if (max_out_len < in_len + c20_ctx->tag_len) {

  120.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);

  121.     return 0;

  122.   }

  123. 

  124.   if (nonce_len != CHACHA20_NONCE_LEN) {

  125.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE);

  126.     return 0;

  127.   }

  128. 

  129.   memset(poly1305_key, 0, sizeof(poly1305_key));

  130.   CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),

  131.                    c20_ctx->key, nonce, 0);

  132. 

  133.   CRYPTO_poly1305_init(&poly1305, poly1305_key);

  134.   poly1305_update_with_length(&poly1305, ad, ad_len);

  135.   CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);

  136.   poly1305_update_with_length(&poly1305, out, in_len);

  137. 

  138.   uint8_t tag[POLY1305_TAG_LEN] ALIGNED;

  139.   CRYPTO_poly1305_finish(&poly1305, tag);

  140.   memcpy(out + in_len, tag, c20_ctx->tag_len);

  141.   *out_len = in_len + c20_ctx->tag_len;

  142.   return 1;

  143. }

  144. 

  145. static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out,

  146.                                        size_t *out_len, size_t max_out_len,

  147.                                        const uint8_t *nonce, size_t nonce_len,

  148.                                        const uint8_t *in, size_t in_len,

  149.                                        const uint8_t *ad, size_t ad_len) {

  150.   const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;

  151.   uint8_t mac[POLY1305_TAG_LEN];

  152.   uint8_t poly1305_key[32] ALIGNED;

  153.   size_t plaintext_len;

  154.   poly1305_state poly1305;

  155.   const uint64_t in_len_64 = in_len;

  156. 

  157.   if (in_len < c20_ctx->tag_len) {

  158.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);

  159.     return 0;

  160.   }

  161. 

  162.   /* The underlying ChaCha implementation may not overflow the block

  163.    * counter into the second counter word. Therefore we disallow

  164.    * individual operations that work on more than 256GB at a time.

  165.    * |in_len_64| is needed because, on 32-bit platforms, size_t is only

  166.    * 32-bits and this produces a warning because it's always false.

  167.    * Casting to uint64_t inside the conditional is not sufficient to stop

  168.    * the warning. */

  169.   if (in_len_64 >= (1ull << 32) * 64 - 64) {

  170.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);

  171.     return 0;

  172.   }

  173. 

  174.   if (nonce_len != CHACHA20_NONCE_LEN) {

  175.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE);

  176.     return 0;

  177.   }

  178. 

  179.   plaintext_len = in_len - c20_ctx->tag_len;

  180. 

  181.   if (max_out_len < plaintext_len) {

  182.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);

  183.     return 0;

  184.   }

  185. 

  186.   memset(poly1305_key, 0, sizeof(poly1305_key));

  187.   CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),

  188.                    c20_ctx->key, nonce, 0);

  189. 

  190.   CRYPTO_poly1305_init(&poly1305, poly1305_key);

  191.   poly1305_update_with_length(&poly1305, ad, ad_len);

  192.   poly1305_update_with_length(&poly1305, in, plaintext_len);

  193.   CRYPTO_poly1305_finish(&poly1305, mac);

  194. 

  195.   if (CRYPTO_memcmp(mac, in + plaintext_len, c20_ctx->tag_len) != 0) {

  196.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);

  197.     return 0;

  198.   }

  199. 

  200.   CRYPTO_chacha_20(out, in, plaintext_len, c20_ctx->key, nonce, 1);

  201.   *out_len = plaintext_len;

  202.   return 1;

  203. }

  204. 

  205. static const EVP_AEAD aead_chacha20_poly1305 = {

  206.     32,                 /* key len */

  207.     CHACHA20_NONCE_LEN, /* nonce len */

  208.     POLY1305_TAG_LEN,   /* overhead */

  209.     POLY1305_TAG_LEN,   /* max tag length */

  210.     aead_chacha20_poly1305_init,

  211.     NULL, /* init_with_direction */

  212.     aead_chacha20_poly1305_cleanup,

  213.     aead_chacha20_poly1305_seal,

  214.     aead_chacha20_poly1305_open,

  215.     NULL,               /* get_rc4_state */

  216. };

  217. 

  218. const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {

  219.   return &aead_chacha20_poly1305;

  220. }