Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 1 | /* Copyright (c) 2014, Google Inc. |
| 2 | * |
| 3 | * Permission to use, copy, modify, and/or distribute this software for any |
| 4 | * purpose with or without fee is hereby granted, provided that the above |
| 5 | * copyright notice and this permission notice appear in all copies. |
| 6 | * |
| 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
| 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
| 14 | |
| 15 | #include <openssl/aead.h> |
| 16 | |
Adam Langley | 2b2d66d | 2015-01-30 17:08:37 -0800 | [diff] [blame] | 17 | #include <string.h> |
| 18 | |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 19 | #include <openssl/chacha.h> |
| 20 | #include <openssl/cipher.h> |
Adam Langley | 5fa2cdf | 2017-02-03 08:23:18 -0800 | [diff] [blame] | 21 | #include <openssl/cpu.h> |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 22 | #include <openssl/err.h> |
| 23 | #include <openssl/mem.h> |
| 24 | #include <openssl/poly1305.h> |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 25 | #include <openssl/type_check.h> |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 26 | |
Adam Langley | 2e2a226 | 2017-05-03 13:23:37 -0700 | [diff] [blame] | 27 | #include "../fipsmodule/cipher/internal.h" |
Brian Smith | 7cae9f5 | 2016-01-17 20:12:57 -1000 | [diff] [blame] | 28 | #include "../internal.h" |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 29 | |
| 30 | |
| 31 | #define POLY1305_TAG_LEN 16 |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 32 | |
| 33 | struct aead_chacha20_poly1305_ctx { |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 34 | uint8_t key[32]; |
| 35 | }; |
| 36 | |
| 37 | // For convenience (the x86_64 calling convention allows only six parameters in |
| 38 | // registers), the final parameter for the assembly functions is both an input |
| 39 | // and output parameter. |
| 40 | union open_data { |
| 41 | struct { |
| 42 | alignas(16) uint8_t key[32]; |
| 43 | uint32_t counter; |
| 44 | uint8_t nonce[12]; |
| 45 | } in; |
| 46 | struct { |
| 47 | uint8_t tag[POLY1305_TAG_LEN]; |
| 48 | } out; |
| 49 | }; |
| 50 | |
| 51 | union seal_data { |
| 52 | struct { |
| 53 | alignas(16) uint8_t key[32]; |
| 54 | uint32_t counter; |
| 55 | uint8_t nonce[12]; |
| 56 | const uint8_t *extra_ciphertext; |
| 57 | size_t extra_ciphertext_len; |
| 58 | } in; |
| 59 | struct { |
| 60 | uint8_t tag[POLY1305_TAG_LEN]; |
| 61 | } out; |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 62 | }; |
| 63 | |
vkrasnov | 8d56558 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 64 | #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \ |
| 65 | !defined(OPENSSL_WINDOWS) |
Adam Langley | 5fa2cdf | 2017-02-03 08:23:18 -0800 | [diff] [blame] | 66 | static int asm_capable(void) { |
| 67 | const int sse41_capable = (OPENSSL_ia32cap_P[1] & (1 << 19)) != 0; |
| 68 | return sse41_capable; |
| 69 | } |
| 70 | |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 71 | OPENSSL_COMPILE_ASSERT(sizeof(union open_data) == 48, wrong_open_data_size); |
| 72 | OPENSSL_COMPILE_ASSERT(sizeof(union seal_data) == 48 + 8 + 8, |
| 73 | wrong_seal_data_size); |
| 74 | |
| 75 | // chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It decrypts |
| 76 | // |plaintext_len| bytes from |ciphertext| and writes them to |out_plaintext|. |
| 77 | // Additional input parameters are passed in |aead_data->in|. On exit, it will |
| 78 | // write calculated tag value to |aead_data->out.tag|, which the caller must |
| 79 | // check. |
Adam Langley | 71e4aff | 2017-01-26 14:00:47 -0800 | [diff] [blame] | 80 | extern void chacha20_poly1305_open(uint8_t *out_plaintext, |
| 81 | const uint8_t *ciphertext, |
| 82 | size_t plaintext_len, const uint8_t *ad, |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 83 | size_t ad_len, union open_data *aead_data); |
vkrasnov | 8d56558 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 84 | |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 85 | // chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It encrypts |
| 86 | // |plaintext_len| bytes from |plaintext| and writes them to |out_ciphertext|. |
| 87 | // Additional input parameters are passed in |aead_data->in|. The calculated tag |
| 88 | // value is over the computed ciphertext concatenated with |extra_ciphertext| |
| 89 | // and written to |aead_data->out.tag|. |
Adam Langley | 71e4aff | 2017-01-26 14:00:47 -0800 | [diff] [blame] | 90 | extern void chacha20_poly1305_seal(uint8_t *out_ciphertext, |
| 91 | const uint8_t *plaintext, |
| 92 | size_t plaintext_len, const uint8_t *ad, |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 93 | size_t ad_len, union seal_data *aead_data); |
vkrasnov | 8d56558 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 94 | #else |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 95 | static int asm_capable(void) { return 0; } |
Adam Langley | 5fa2cdf | 2017-02-03 08:23:18 -0800 | [diff] [blame] | 96 | |
vkrasnov | 8d56558 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 97 | |
| 98 | static void chacha20_poly1305_open(uint8_t *out_plaintext, |
| 99 | const uint8_t *ciphertext, |
| 100 | size_t plaintext_len, const uint8_t *ad, |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 101 | size_t ad_len, union open_data *aead_data) {} |
vkrasnov | 8d56558 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 102 | |
| 103 | static void chacha20_poly1305_seal(uint8_t *out_ciphertext, |
| 104 | const uint8_t *plaintext, |
| 105 | size_t plaintext_len, const uint8_t *ad, |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 106 | size_t ad_len, union seal_data *aead_data) {} |
vkrasnov | 8d56558 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 107 | #endif |
| 108 | |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 109 | static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key, |
| 110 | size_t key_len, size_t tag_len) { |
| 111 | struct aead_chacha20_poly1305_ctx *c20_ctx; |
| 112 | |
| 113 | if (tag_len == 0) { |
| 114 | tag_len = POLY1305_TAG_LEN; |
| 115 | } |
| 116 | |
| 117 | if (tag_len > POLY1305_TAG_LEN) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 118 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 119 | return 0; |
| 120 | } |
| 121 | |
| 122 | if (key_len != sizeof(c20_ctx->key)) { |
David Benjamin | 808f832 | 2017-08-18 14:06:02 -0400 | [diff] [blame] | 123 | return 0; // internal error - EVP_AEAD_CTX_init should catch this. |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 124 | } |
| 125 | |
| 126 | c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx)); |
| 127 | if (c20_ctx == NULL) { |
| 128 | return 0; |
| 129 | } |
| 130 | |
David Benjamin | 17cf2cb | 2016-12-13 01:07:13 -0500 | [diff] [blame] | 131 | OPENSSL_memcpy(c20_ctx->key, key, key_len); |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 132 | ctx->aead_state = c20_ctx; |
Martin Kreichgauer | 18d9f28 | 2017-06-06 12:29:48 -0700 | [diff] [blame] | 133 | ctx->tag_len = tag_len; |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 134 | |
| 135 | return 1; |
| 136 | } |
| 137 | |
| 138 | static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) { |
| 139 | struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; |
| 140 | OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key)); |
| 141 | OPENSSL_free(c20_ctx); |
| 142 | } |
| 143 | |
Brian Smith | 3e23e4c | 2015-10-03 11:38:58 -1000 | [diff] [blame] | 144 | static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) { |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 145 | uint8_t length_bytes[8]; |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 146 | |
Adam Langley | 2e83924 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 147 | for (unsigned i = 0; i < sizeof(length_bytes); i++) { |
Brian Smith | 3e23e4c | 2015-10-03 11:38:58 -1000 | [diff] [blame] | 148 | length_bytes[i] = data_len; |
| 149 | data_len >>= 8; |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 150 | } |
| 151 | |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 152 | CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes)); |
| 153 | } |
| 154 | |
David Benjamin | 808f832 | 2017-08-18 14:06:02 -0400 | [diff] [blame] | 155 | // calc_tag fills |tag| with the authentication tag for the given inputs. |
Adam Langley | 2e83924 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 156 | static void calc_tag(uint8_t tag[POLY1305_TAG_LEN], |
| 157 | const struct aead_chacha20_poly1305_ctx *c20_ctx, |
| 158 | const uint8_t nonce[12], const uint8_t *ad, size_t ad_len, |
Adam Langley | c66e397 | 2017-06-28 13:33:08 -0700 | [diff] [blame] | 159 | const uint8_t *ciphertext, size_t ciphertext_len, |
| 160 | const uint8_t *ciphertext_extra, |
| 161 | size_t ciphertext_extra_len) { |
Brian Smith | 7cae9f5 | 2016-01-17 20:12:57 -1000 | [diff] [blame] | 162 | alignas(16) uint8_t poly1305_key[32]; |
David Benjamin | 17cf2cb | 2016-12-13 01:07:13 -0500 | [diff] [blame] | 163 | OPENSSL_memset(poly1305_key, 0, sizeof(poly1305_key)); |
Brian Smith | 3e23e4c | 2015-10-03 11:38:58 -1000 | [diff] [blame] | 164 | CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), |
| 165 | c20_ctx->key, nonce, 0); |
Adam Langley | 2e83924 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 166 | |
David Benjamin | 808f832 | 2017-08-18 14:06:02 -0400 | [diff] [blame] | 167 | static const uint8_t padding[16] = { 0 }; // Padding is all zeros. |
Brian Smith | 3e23e4c | 2015-10-03 11:38:58 -1000 | [diff] [blame] | 168 | poly1305_state ctx; |
| 169 | CRYPTO_poly1305_init(&ctx, poly1305_key); |
Adam Langley | c66e397 | 2017-06-28 13:33:08 -0700 | [diff] [blame] | 170 | CRYPTO_poly1305_update(&ctx, ad, ad_len); |
| 171 | if (ad_len % 16 != 0) { |
| 172 | CRYPTO_poly1305_update(&ctx, padding, sizeof(padding) - (ad_len % 16)); |
| 173 | } |
| 174 | CRYPTO_poly1305_update(&ctx, ciphertext, ciphertext_len); |
| 175 | CRYPTO_poly1305_update(&ctx, ciphertext_extra, ciphertext_extra_len); |
| 176 | const size_t ciphertext_total = ciphertext_len + ciphertext_extra_len; |
| 177 | if (ciphertext_total % 16 != 0) { |
| 178 | CRYPTO_poly1305_update(&ctx, padding, |
| 179 | sizeof(padding) - (ciphertext_total % 16)); |
| 180 | } |
Adam Langley | 2e83924 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 181 | poly1305_update_length(&ctx, ad_len); |
Adam Langley | c66e397 | 2017-06-28 13:33:08 -0700 | [diff] [blame] | 182 | poly1305_update_length(&ctx, ciphertext_total); |
Brian Smith | 3e23e4c | 2015-10-03 11:38:58 -1000 | [diff] [blame] | 183 | CRYPTO_poly1305_finish(&ctx, tag); |
| 184 | } |
| 185 | |
Martin Kreichgauer | 18d9f28 | 2017-06-06 12:29:48 -0700 | [diff] [blame] | 186 | static int aead_chacha20_poly1305_seal_scatter( |
| 187 | const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, |
| 188 | size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce, |
Martin Kreichgauer | 74bce29 | 2017-06-23 14:49:22 -0700 | [diff] [blame] | 189 | size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, |
| 190 | size_t extra_in_len, const uint8_t *ad, size_t ad_len) { |
Brian Smith | 3e23e4c | 2015-10-03 11:38:58 -1000 | [diff] [blame] | 191 | const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 192 | |
Adam Langley | c66e397 | 2017-06-28 13:33:08 -0700 | [diff] [blame] | 193 | if (extra_in_len + ctx->tag_len < ctx->tag_len) { |
| 194 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); |
| 195 | return 0; |
| 196 | } |
| 197 | if (max_out_tag_len < ctx->tag_len + extra_in_len) { |
| 198 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); |
| 199 | return 0; |
| 200 | } |
Adam Langley | 2e83924 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 201 | if (nonce_len != 12) { |
| 202 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); |
| 203 | return 0; |
| 204 | } |
| 205 | |
David Benjamin | 808f832 | 2017-08-18 14:06:02 -0400 | [diff] [blame] | 206 | // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow |
| 207 | // individual operations that work on more than 256GB at a time. |
| 208 | // |in_len_64| is needed because, on 32-bit platforms, size_t is only |
| 209 | // 32-bits and this produces a warning because it's always false. |
| 210 | // Casting to uint64_t inside the conditional is not sufficient to stop |
| 211 | // the warning. |
Martin Kreichgauer | 18d9f28 | 2017-06-06 12:29:48 -0700 | [diff] [blame] | 212 | const uint64_t in_len_64 = in_len; |
Piotr Sikora | 537cfc3 | 2016-03-18 15:53:29 -0700 | [diff] [blame] | 213 | if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 214 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 215 | return 0; |
| 216 | } |
| 217 | |
Martin Kreichgauer | 18d9f28 | 2017-06-06 12:29:48 -0700 | [diff] [blame] | 218 | if (max_out_tag_len < ctx->tag_len) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 219 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 220 | return 0; |
| 221 | } |
| 222 | |
David Benjamin | 808f832 | 2017-08-18 14:06:02 -0400 | [diff] [blame] | 223 | // The the extra input is given, it is expected to be very short and so is |
| 224 | // encrypted byte-by-byte first. |
Adam Langley | c66e397 | 2017-06-28 13:33:08 -0700 | [diff] [blame] | 225 | if (extra_in_len) { |
| 226 | static const size_t kChaChaBlockSize = 64; |
| 227 | uint32_t block_counter = 1 + (in_len / kChaChaBlockSize); |
| 228 | size_t offset = in_len % kChaChaBlockSize; |
| 229 | uint8_t block[64 /* kChaChaBlockSize */]; |
| 230 | |
| 231 | for (size_t done = 0; done < extra_in_len; block_counter++) { |
| 232 | memset(block, 0, sizeof(block)); |
| 233 | CRYPTO_chacha_20(block, block, sizeof(block), c20_ctx->key, nonce, |
| 234 | block_counter); |
| 235 | for (size_t i = offset; i < sizeof(block) && done < extra_in_len; |
| 236 | i++, done++) { |
| 237 | out_tag[done] = extra_in[done] ^ block[i]; |
| 238 | } |
| 239 | offset = 0; |
| 240 | } |
| 241 | } |
| 242 | |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 243 | union seal_data data; |
Adam Langley | 5fa2cdf | 2017-02-03 08:23:18 -0800 | [diff] [blame] | 244 | if (asm_capable()) { |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 245 | OPENSSL_memcpy(data.in.key, c20_ctx->key, 32); |
| 246 | data.in.counter = 0; |
| 247 | OPENSSL_memcpy(data.in.nonce, nonce, 12); |
| 248 | data.in.extra_ciphertext = out_tag; |
| 249 | data.in.extra_ciphertext_len = extra_in_len; |
| 250 | chacha20_poly1305_seal(out, in, in_len, ad, ad_len, &data); |
vkrasnov | 8d56558 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 251 | } else { |
| 252 | CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1); |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 253 | calc_tag(data.out.tag, c20_ctx, nonce, ad, ad_len, out, in_len, out_tag, |
| 254 | extra_in_len); |
vkrasnov | 8d56558 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 255 | } |
Brian Smith | 3e23e4c | 2015-10-03 11:38:58 -1000 | [diff] [blame] | 256 | |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 257 | OPENSSL_memcpy(out_tag + extra_in_len, data.out.tag, ctx->tag_len); |
Adam Langley | c66e397 | 2017-06-28 13:33:08 -0700 | [diff] [blame] | 258 | *out_tag_len = extra_in_len + ctx->tag_len; |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 259 | return 1; |
| 260 | } |
| 261 | |
Martin Kreichgauer | 18d9f28 | 2017-06-06 12:29:48 -0700 | [diff] [blame] | 262 | static int aead_chacha20_poly1305_open_gather( |
| 263 | const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce, |
| 264 | size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag, |
| 265 | size_t in_tag_len, const uint8_t *ad, size_t ad_len) { |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 266 | const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 267 | |
Adam Langley | 2e83924 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 268 | if (nonce_len != 12) { |
| 269 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE); |
| 270 | return 0; |
| 271 | } |
| 272 | |
Martin Kreichgauer | 18d9f28 | 2017-06-06 12:29:48 -0700 | [diff] [blame] | 273 | if (in_tag_len != ctx->tag_len) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 274 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 275 | return 0; |
| 276 | } |
| 277 | |
David Benjamin | 808f832 | 2017-08-18 14:06:02 -0400 | [diff] [blame] | 278 | // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow |
| 279 | // individual operations that work on more than 256GB at a time. |
| 280 | // |in_len_64| is needed because, on 32-bit platforms, size_t is only |
| 281 | // 32-bits and this produces a warning because it's always false. |
| 282 | // Casting to uint64_t inside the conditional is not sufficient to stop |
| 283 | // the warning. |
Martin Kreichgauer | 18d9f28 | 2017-06-06 12:29:48 -0700 | [diff] [blame] | 284 | const uint64_t in_len_64 = in_len; |
Piotr Sikora | 537cfc3 | 2016-03-18 15:53:29 -0700 | [diff] [blame] | 285 | if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 286 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 287 | return 0; |
| 288 | } |
| 289 | |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 290 | union open_data data; |
Adam Langley | 5fa2cdf | 2017-02-03 08:23:18 -0800 | [diff] [blame] | 291 | if (asm_capable()) { |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 292 | OPENSSL_memcpy(data.in.key, c20_ctx->key, 32); |
| 293 | data.in.counter = 0; |
| 294 | OPENSSL_memcpy(data.in.nonce, nonce, 12); |
| 295 | chacha20_poly1305_open(out, in, in_len, ad, ad_len, &data); |
vkrasnov | 8d56558 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 296 | } else { |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 297 | calc_tag(data.out.tag, c20_ctx, nonce, ad, ad_len, in, in_len, NULL, 0); |
Martin Kreichgauer | 18d9f28 | 2017-06-06 12:29:48 -0700 | [diff] [blame] | 298 | CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1); |
vkrasnov | 8d56558 | 2017-01-19 15:12:44 -0800 | [diff] [blame] | 299 | } |
| 300 | |
David Benjamin | 8d20074 | 2017-08-01 15:02:26 -0400 | [diff] [blame] | 301 | if (CRYPTO_memcmp(data.out.tag, in_tag, ctx->tag_len) != 0) { |
David Benjamin | 3570d73 | 2015-06-29 00:28:17 -0400 | [diff] [blame] | 302 | OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 303 | return 0; |
| 304 | } |
| 305 | |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 306 | return 1; |
| 307 | } |
| 308 | |
| 309 | static const EVP_AEAD aead_chacha20_poly1305 = { |
David Benjamin | 808f832 | 2017-08-18 14:06:02 -0400 | [diff] [blame] | 310 | 32, // key len |
| 311 | 12, // nonce len |
| 312 | POLY1305_TAG_LEN, // overhead |
| 313 | POLY1305_TAG_LEN, // max tag length |
| 314 | 1, // seal_scatter_supports_extra_in |
Martin Kreichgauer | 74bce29 | 2017-06-23 14:49:22 -0700 | [diff] [blame] | 315 | |
David Benjamin | b34f510 | 2015-02-28 03:59:33 -0500 | [diff] [blame] | 316 | aead_chacha20_poly1305_init, |
David Benjamin | 808f832 | 2017-08-18 14:06:02 -0400 | [diff] [blame] | 317 | NULL, // init_with_direction |
David Benjamin | b34f510 | 2015-02-28 03:59:33 -0500 | [diff] [blame] | 318 | aead_chacha20_poly1305_cleanup, |
Martin Kreichgauer | 18d9f28 | 2017-06-06 12:29:48 -0700 | [diff] [blame] | 319 | NULL /* open */, |
| 320 | aead_chacha20_poly1305_seal_scatter, |
| 321 | aead_chacha20_poly1305_open_gather, |
David Benjamin | 808f832 | 2017-08-18 14:06:02 -0400 | [diff] [blame] | 322 | NULL, // get_iv |
| 323 | NULL, // tag_len |
Adam Langley | de0b202 | 2014-06-20 12:00:00 -0700 | [diff] [blame] | 324 | }; |
| 325 | |
David Benjamin | 8ffab72 | 2015-11-30 18:48:18 -0500 | [diff] [blame] | 326 | const EVP_AEAD *EVP_aead_chacha20_poly1305(void) { |
David Benjamin | c44d2f4 | 2014-08-20 16:24:00 -0400 | [diff] [blame] | 327 | return &aead_chacha20_poly1305; |
| 328 | } |