kris
/
boringssl
1
0
Derivar 0
Código Questões 0 Pedidos de integração 0 Lançamentos 0 Wiki Trabalho
Não pode escolher mais do que 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
2080 Cometimentos
12 Ramos
38 MiB
 
 
 
 
 
 
Árvore: a0ef7b0a56
Ramos Etiquetas
${ item.name }
Criar ramo ${ searchTerm }
de 'a0ef7b0a56'
${ noResults }
boringssl/crypto/cipher/e_chacha20poly1305.c

312 linhas
11 KiB
Em bruto Responsabilidade Histórico 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/aead.h>

  16. 

  17. #include <string.h>

  18. 

  19. #include <openssl/chacha.h>

  20. #include <openssl/cipher.h>

  21. #include <openssl/err.h>

  22. #include <openssl/mem.h>

  23. #include <openssl/poly1305.h>

  24. 

  25. #include "internal.h"

  26. 

  27. 

  28. #define POLY1305_TAG_LEN 16

  29. 

  30. struct aead_chacha20_poly1305_ctx {

  31.   unsigned char key[32];

  32.   unsigned char tag_len;

  33. };

  34. 

  35. static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,

  36.                                        size_t key_len, size_t tag_len) {

  37.   struct aead_chacha20_poly1305_ctx *c20_ctx;

  38. 

  39.   if (tag_len == 0) {

  40.     tag_len = POLY1305_TAG_LEN;

  41.   }

  42. 

  43.   if (tag_len > POLY1305_TAG_LEN) {

  44.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);

  45.     return 0;

  46.   }

  47. 

  48.   if (key_len != sizeof(c20_ctx->key)) {

  49.     return 0; /* internal error - EVP_AEAD_CTX_init should catch this. */

  50.   }

  51. 

  52.   c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx));

  53.   if (c20_ctx == NULL) {

  54.     return 0;

  55.   }

  56. 

  57.   memcpy(c20_ctx->key, key, key_len);

  58.   c20_ctx->tag_len = tag_len;

  59.   ctx->aead_state = c20_ctx;

  60. 

  61.   return 1;

  62. }

  63. 

  64. static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {

  65.   struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;

  66.   OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key));

  67.   OPENSSL_free(c20_ctx);

  68. }

  69. 

  70. static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {

  71.   uint8_t length_bytes[8];

  72.   unsigned i;

  73. 

  74.   for (i = 0; i < sizeof(length_bytes); i++) {

  75.     length_bytes[i] = data_len;

  76.     data_len >>= 8;

  77.   }

  78. 

  79.   CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));

  80. }

  81. 

  82. #if defined(__arm__)

  83. #define ALIGNED __attribute__((aligned(16)))

  84. #else

  85. #define ALIGNED

  86. #endif

  87. 

  88. typedef void (*aead_poly1305_update)(poly1305_state *ctx, const uint8_t *ad,

  89.                                      size_t ad_len, const uint8_t *ciphertext,

  90.                                      size_t ciphertext_len);

  91. 

  92. /* aead_poly1305 fills |tag| with the authentication tag for the given

  93.  * inputs, using |update| to control the order and format that the inputs are

  94.  * signed/authenticated. */

  95. static void aead_poly1305(aead_poly1305_update update,

  96.                           uint8_t tag[POLY1305_TAG_LEN],

  97.                           const struct aead_chacha20_poly1305_ctx *c20_ctx,

  98.                           const uint8_t nonce[12], const uint8_t *ad,

  99.                           size_t ad_len, const uint8_t *ciphertext,

  100.                           size_t ciphertext_len) {

  101.   uint8_t poly1305_key[32] ALIGNED;

  102.   memset(poly1305_key, 0, sizeof(poly1305_key));

  103.   CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),

  104.                    c20_ctx->key, nonce, 0);

  105.   poly1305_state ctx;

  106.   CRYPTO_poly1305_init(&ctx, poly1305_key);

  107.   update(&ctx, ad, ad_len, ciphertext, ciphertext_len);

  108.   CRYPTO_poly1305_finish(&ctx, tag);

  109. }

  110. 

  111. static int seal_impl(aead_poly1305_update poly1305_update,

  112.                      const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,

  113.                      size_t max_out_len, const uint8_t nonce[12],

  114.                      const uint8_t *in, size_t in_len, const uint8_t *ad,

  115.                      size_t ad_len) {

  116.   const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;

  117.   const uint64_t in_len_64 = in_len;

  118. 

  119.   /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow

  120.    * individual operations that work on more than 256GB at a time.

  121.    * |in_len_64| is needed because, on 32-bit platforms, size_t is only

  122.    * 32-bits and this produces a warning because it's always false.

  123.    * Casting to uint64_t inside the conditional is not sufficient to stop

  124.    * the warning. */

  125.   if (in_len_64 >= (1ull << 32) * 64 - 64) {

  126.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);

  127.     return 0;

  128.   }

  129. 

  130.   if (in_len + c20_ctx->tag_len < in_len) {

  131.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);

  132.     return 0;

  133.   }

  134. 

  135.   if (max_out_len < in_len + c20_ctx->tag_len) {

  136.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);

  137.     return 0;

  138.   }

  139. 

  140.   CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);

  141. 

  142.   uint8_t tag[POLY1305_TAG_LEN] ALIGNED;

  143.   aead_poly1305(poly1305_update, tag, c20_ctx, nonce, ad, ad_len, out, in_len);

  144. 

  145.   memcpy(out + in_len, tag, c20_ctx->tag_len);

  146.   *out_len = in_len + c20_ctx->tag_len;

  147.   return 1;

  148. }

  149. 

  150. static int open_impl(aead_poly1305_update poly1305_update,

  151.                      const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,

  152.                      size_t max_out_len, const uint8_t nonce[12],

  153.                      const uint8_t *in, size_t in_len, const uint8_t *ad,

  154.                      size_t ad_len) {

  155.   const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;

  156.   size_t plaintext_len;

  157.   const uint64_t in_len_64 = in_len;

  158. 

  159.   if (in_len < c20_ctx->tag_len) {

  160.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);

  161.     return 0;

  162.   }

  163. 

  164.   /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow

  165.    * individual operations that work on more than 256GB at a time.

  166.    * |in_len_64| is needed because, on 32-bit platforms, size_t is only

  167.    * 32-bits and this produces a warning because it's always false.

  168.    * Casting to uint64_t inside the conditional is not sufficient to stop

  169.    * the warning. */

  170.   if (in_len_64 >= (1ull << 32) * 64 - 64) {

  171.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);

  172.     return 0;

  173.   }

  174. 

  175.   plaintext_len = in_len - c20_ctx->tag_len;

  176.   uint8_t tag[POLY1305_TAG_LEN] ALIGNED;

  177.   aead_poly1305(poly1305_update, tag, c20_ctx, nonce, ad, ad_len, in,

  178.                 plaintext_len);

  179.   if (CRYPTO_memcmp(tag, in + plaintext_len, c20_ctx->tag_len) != 0) {

  180.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);

  181.     return 0;

  182.   }

  183. 

  184.   CRYPTO_chacha_20(out, in, plaintext_len, c20_ctx->key, nonce, 1);

  185.   *out_len = plaintext_len;

  186.   return 1;

  187. }

  188. 

  189. static void poly1305_update_padded_16(poly1305_state *poly1305,

  190.                                       const uint8_t *data, size_t data_len) {

  191.   static const uint8_t padding[16] = { 0 }; /* Padding is all zeros. */

  192. 

  193.   CRYPTO_poly1305_update(poly1305, data, data_len);

  194.   if (data_len % 16 != 0) {

  195.     CRYPTO_poly1305_update(poly1305, padding, sizeof(padding) - (data_len % 16));

  196.   }

  197. }

  198. 

  199. static void poly1305_update(poly1305_state *ctx, const uint8_t *ad,

  200.                             size_t ad_len, const uint8_t *ciphertext,

  201.                             size_t ciphertext_len) {

  202.   poly1305_update_padded_16(ctx, ad, ad_len);

  203.   poly1305_update_padded_16(ctx, ciphertext, ciphertext_len);

  204.   poly1305_update_length(ctx, ad_len);

  205.   poly1305_update_length(ctx, ciphertext_len);

  206. }

  207. 

  208. static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,

  209.                                        size_t *out_len, size_t max_out_len,

  210.                                        const uint8_t *nonce, size_t nonce_len,

  211.                                        const uint8_t *in, size_t in_len,

  212.                                        const uint8_t *ad, size_t ad_len) {

  213.   if (nonce_len != 12) {

  214.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);

  215.     return 0;

  216.   }

  217.   return seal_impl(poly1305_update, ctx, out, out_len, max_out_len, nonce, in,

  218.                    in_len, ad, ad_len);

  219. }

  220. 

  221. static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out,

  222.                                        size_t *out_len, size_t max_out_len,

  223.                                        const uint8_t *nonce, size_t nonce_len,

  224.                                        const uint8_t *in, size_t in_len,

  225.                                        const uint8_t *ad, size_t ad_len) {

  226.   if (nonce_len != 12) {

  227.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);

  228.     return 0;

  229.   }

  230.   return open_impl(poly1305_update, ctx, out, out_len, max_out_len, nonce, in,

  231.                    in_len, ad, ad_len);

  232. }

  233. 

  234. static const EVP_AEAD aead_chacha20_poly1305 = {

  235.     32,                 /* key len */

  236.     12,                 /* nonce len */

  237.     POLY1305_TAG_LEN,   /* overhead */

  238.     POLY1305_TAG_LEN,   /* max tag length */

  239.     aead_chacha20_poly1305_init,

  240.     NULL, /* init_with_direction */

  241.     aead_chacha20_poly1305_cleanup,

  242.     aead_chacha20_poly1305_seal,

  243.     aead_chacha20_poly1305_open,

  244.     NULL,               /* get_rc4_state */

  245.     NULL,               /* get_iv */

  246. };

  247. 

  248. const EVP_AEAD *EVP_aead_chacha20_poly1305_rfc7539(void) {

  249.   return &aead_chacha20_poly1305;

  250. }

  251. 

  252. static void poly1305_update_old(poly1305_state *ctx, const uint8_t *ad,

  253.                                 size_t ad_len, const uint8_t *ciphertext,

  254.                                 size_t ciphertext_len) {

  255.   CRYPTO_poly1305_update(ctx, ad, ad_len);

  256.   poly1305_update_length(ctx, ad_len);

  257.   CRYPTO_poly1305_update(ctx, ciphertext, ciphertext_len);

  258.   poly1305_update_length(ctx, ciphertext_len);

  259. }

  260. 

  261. static int aead_chacha20_poly1305_old_seal(

  262.     const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len,

  263.     const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len,

  264.     const uint8_t *ad, size_t ad_len) {

  265.   if (nonce_len != 8) {

  266.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);

  267.     return 0;

  268.   }

  269.   uint8_t nonce_96[12];

  270.   memset(nonce_96, 0, 4);

  271.   memcpy(nonce_96 + 4, nonce, 8);

  272.   return seal_impl(poly1305_update_old, ctx, out, out_len, max_out_len,

  273.                    nonce_96, in, in_len, ad, ad_len);

  274. }

  275. 

  276. static int aead_chacha20_poly1305_old_open(

  277.     const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len,

  278.     const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len,

  279.     const uint8_t *ad, size_t ad_len) {

  280.   if (nonce_len != 8) {

  281.     OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);

  282.     return 0;

  283.   }

  284.   uint8_t nonce_96[12];

  285.   memset(nonce_96, 0, 4);

  286.   memcpy(nonce_96 + 4, nonce, 8);

  287.   return open_impl(poly1305_update_old, ctx, out, out_len, max_out_len,

  288.                    nonce_96, in, in_len, ad, ad_len);

  289. }

  290. 

  291. static const EVP_AEAD aead_chacha20_poly1305_old = {

  292.     32,                 /* key len */

  293.     8,                  /* nonce len */

  294.     POLY1305_TAG_LEN,   /* overhead */

  295.     POLY1305_TAG_LEN,   /* max tag length */

  296.     aead_chacha20_poly1305_init,

  297.     NULL, /* init_with_direction */

  298.     aead_chacha20_poly1305_cleanup,

  299.     aead_chacha20_poly1305_old_seal,

  300.     aead_chacha20_poly1305_old_open,

  301.     NULL,               /* get_rc4_state */

  302.     NULL,               /* get_iv */

  303. };

  304. 

  305. const EVP_AEAD *EVP_aead_chacha20_poly1305_old(void) {

  306.   return &aead_chacha20_poly1305_old;

  307. }

  308. 

  309. const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {

  310.   return &aead_chacha20_poly1305_old;

  311. }