| OLD | NEW |
|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 | 4 |
| 5 #ifdef FREEBL_NO_DEPEND | 5 #ifdef FREEBL_NO_DEPEND |
| 6 #include "stubs.h" | 6 #include "stubs.h" |
| 7 #endif | 7 #endif |
| 8 | 8 |
| 9 #include <string.h> | 9 #include <string.h> |
| 10 #include <stdio.h> | 10 #include <stdio.h> |
| 11 | 11 |
| 12 #include "seccomon.h" | 12 #include "seccomon.h" |
| 13 #include "secerr.h" | 13 #include "secerr.h" |
| 14 #include "blapit.h" | 14 #include "blapit.h" |
| 15 #include "poly1305/poly1305.h" | 15 |
| 16 #include "chacha20/chacha20.h" | 16 #ifndef NSS_DISABLE_CHACHAPOLY |
| 17 #include "poly1305.h" |
| 18 #include "chacha20.h" |
| 17 #include "chacha20poly1305.h" | 19 #include "chacha20poly1305.h" |
| 20 #endif |
| 18 | 21 |
| 19 /* Poly1305Do writes the Poly1305 authenticator of the given additional data | 22 /* Poly1305Do writes the Poly1305 authenticator of the given additional data |
| 20 * and ciphertext to |out|. */ | 23 * and ciphertext to |out|. */ |
| 24 #ifndef NSS_DISABLE_CHACHAPOLY |
| 21 static void | 25 static void |
| 22 Poly1305Do(unsigned char *out, | 26 Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen, |
| 23 » const unsigned char *ad, unsigned int adLen, | 27 const unsigned char *ciphertext, unsigned int ciphertextLen, |
| 24 » const unsigned char *ciphertext, unsigned int ciphertextLen, | 28 const unsigned char key[32]) |
| 25 » const unsigned char key[32]) | |
| 26 { | 29 { |
| 27 poly1305_state state; | 30 poly1305_state state; |
| 28 unsigned int j; | 31 unsigned int j; |
| 29 unsigned char lengthBytes[8]; | 32 unsigned char lengthBytes[8]; |
| 33 static const unsigned char zeros[15]; |
| 30 unsigned int i; | 34 unsigned int i; |
| 31 | 35 |
| 32 Poly1305Init(&state, key); | 36 Poly1305Init(&state, key); |
| 37 Poly1305Update(&state, ad, adLen); |
| 38 if (adLen % 16 > 0) { |
| 39 Poly1305Update(&state, zeros, 16 - adLen % 16); |
| 40 } |
| 41 Poly1305Update(&state, ciphertext, ciphertextLen); |
| 42 if (ciphertextLen % 16 > 0) { |
| 43 Poly1305Update(&state, zeros, 16 - ciphertextLen % 16); |
| 44 } |
| 33 j = adLen; | 45 j = adLen; |
| 34 for (i = 0; i < sizeof(lengthBytes); i++) { | 46 for (i = 0; i < sizeof(lengthBytes); i++) { |
| 35 » lengthBytes[i] = j; | 47 lengthBytes[i] = j; |
| 36 » j >>= 8; | 48 j >>= 8; |
| 37 } | 49 } |
| 38 Poly1305Update(&state, ad, adLen); | |
| 39 Poly1305Update(&state, lengthBytes, sizeof(lengthBytes)); | 50 Poly1305Update(&state, lengthBytes, sizeof(lengthBytes)); |
| 40 j = ciphertextLen; | 51 j = ciphertextLen; |
| 41 for (i = 0; i < sizeof(lengthBytes); i++) { | 52 for (i = 0; i < sizeof(lengthBytes); i++) { |
| 42 » lengthBytes[i] = j; | 53 lengthBytes[i] = j; |
| 43 » j >>= 8; | 54 j >>= 8; |
| 44 } | 55 } |
| 45 Poly1305Update(&state, ciphertext, ciphertextLen); | |
| 46 Poly1305Update(&state, lengthBytes, sizeof(lengthBytes)); | 56 Poly1305Update(&state, lengthBytes, sizeof(lengthBytes)); |
| 47 Poly1305Finish(&state, out); | 57 Poly1305Finish(&state, out); |
| 48 } | 58 } |
| 59 #endif |
| 49 | 60 |
| 50 SECStatus | 61 SECStatus |
| 51 ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx, | 62 ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx, |
| 52 » » » const unsigned char *key, unsigned int keyLen, | 63 const unsigned char *key, unsigned int keyLen, |
| 53 » » » unsigned int tagLen) | 64 unsigned int tagLen) |
| 54 { | 65 { |
| 66 #ifdef NSS_DISABLE_CHACHAPOLY |
| 67 return SECFailure; |
| 68 #else |
| 55 if (keyLen != 32) { | 69 if (keyLen != 32) { |
| 56 » PORT_SetError(SEC_ERROR_BAD_KEY); | 70 PORT_SetError(SEC_ERROR_BAD_KEY); |
| 57 » return SECFailure; | 71 return SECFailure; |
| 58 } | 72 } |
| 59 if (tagLen == 0 || tagLen > 16) { | 73 if (tagLen == 0 || tagLen > 16) { |
| 60 » PORT_SetError(SEC_ERROR_INPUT_LEN); | 74 PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 61 » return SECFailure; | 75 return SECFailure; |
| 62 } | 76 } |
| 63 | 77 |
| 64 memcpy(ctx->key, key, sizeof(ctx->key)); | 78 PORT_Memcpy(ctx->key, key, sizeof(ctx->key)); |
| 65 ctx->tagLen = tagLen; | 79 ctx->tagLen = tagLen; |
| 66 | 80 |
| 67 return SECSuccess; | 81 return SECSuccess; |
| 82 #endif |
| 68 } | 83 } |
| 69 | 84 |
| 70 ChaCha20Poly1305Context * | 85 ChaCha20Poly1305Context * |
| 71 ChaCha20Poly1305_CreateContext(const unsigned char *key, unsigned int keyLen, | 86 ChaCha20Poly1305_CreateContext(const unsigned char *key, unsigned int keyLen, |
| 72 » » » unsigned int tagLen) | 87 unsigned int tagLen) |
| 73 { | 88 { |
| 89 #ifdef NSS_DISABLE_CHACHAPOLY |
| 90 return NULL; |
| 91 #else |
| 74 ChaCha20Poly1305Context *ctx; | 92 ChaCha20Poly1305Context *ctx; |
| 75 | 93 |
| 76 ctx = PORT_New(ChaCha20Poly1305Context); | 94 ctx = PORT_New(ChaCha20Poly1305Context); |
| 77 if (ctx == NULL) { | 95 if (ctx == NULL) { |
| 78 » return NULL; | 96 return NULL; |
| 79 } | 97 } |
| 80 | 98 |
| 81 if (ChaCha20Poly1305_InitContext(ctx, key, keyLen, tagLen) != SECSuccess) { | 99 if (ChaCha20Poly1305_InitContext(ctx, key, keyLen, tagLen) != SECSuccess) { |
| 82 » PORT_Free(ctx); | 100 PORT_Free(ctx); |
| 83 » ctx = NULL; | 101 ctx = NULL; |
| 84 } | 102 } |
| 85 | 103 |
| 86 return ctx; | 104 return ctx; |
| 105 #endif |
| 87 } | 106 } |
| 88 | 107 |
| 89 void | 108 void |
| 90 ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, PRBool freeit) | 109 ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, PRBool freeit) |
| 91 { | 110 { |
| 92 memset(ctx, 0, sizeof(*ctx)); | 111 #ifndef NSS_DISABLE_CHACHAPOLY |
| 112 PORT_Memset(ctx, 0, sizeof(*ctx)); |
| 93 if (freeit) { | 113 if (freeit) { |
| 94 » PORT_Free(ctx); | 114 PORT_Free(ctx); |
| 95 } | 115 } |
| 116 #endif |
| 96 } | 117 } |
| 97 | 118 |
| 98 SECStatus | 119 SECStatus |
| 99 ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx, | 120 ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx, unsigned char *output, |
| 100 » » unsigned char *output, unsigned int *outputLen, | 121 unsigned int *outputLen, unsigned int maxOutputLen, |
| 101 » » unsigned int maxOutputLen, | 122 const unsigned char *input, unsigned int inputLen, |
| 102 » » const unsigned char *input, unsigned int inputLen, | 123 const unsigned char *nonce, unsigned int nonceLen, |
| 103 » » const unsigned char *nonce, unsigned int nonceLen, | 124 const unsigned char *ad, unsigned int adLen) |
| 104 » » const unsigned char *ad, unsigned int adLen) | |
| 105 { | 125 { |
| 126 #ifdef NSS_DISABLE_CHACHAPOLY |
| 127 return SECFailure; |
| 128 #else |
| 106 unsigned char block[64]; | 129 unsigned char block[64]; |
| 107 unsigned char tag[16]; | 130 unsigned char tag[16]; |
| 108 | 131 |
| 109 if (nonceLen != 8) { | 132 if (nonceLen != 12) { |
| 110 » PORT_SetError(SEC_ERROR_INPUT_LEN); | 133 PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 111 » return SECFailure; | 134 return SECFailure; |
| 112 } | 135 } |
| 113 *outputLen = inputLen + ctx->tagLen; | 136 *outputLen = inputLen + ctx->tagLen; |
| 114 if (maxOutputLen < *outputLen) { | 137 if (maxOutputLen < *outputLen) { |
| 115 » PORT_SetError(SEC_ERROR_OUTPUT_LEN); | 138 PORT_SetError(SEC_ERROR_OUTPUT_LEN); |
| 116 » return SECFailure; | 139 return SECFailure; |
| 117 } | 140 } |
| 118 | 141 |
| 119 memset(block, 0, sizeof(block)); | 142 PORT_Memset(block, 0, sizeof(block)); |
| 120 // Generate a block of keystream. The first 32 bytes will be the poly1305 | 143 // Generate a block of keystream. The first 32 bytes will be the poly1305 |
| 121 // key. The remainder of the block is discarded. | 144 // key. The remainder of the block is discarded. |
| 122 ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0); | 145 ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0); |
| 123 ChaCha20XOR(output, input, inputLen, ctx->key, nonce, 1); | 146 ChaCha20XOR(output, input, inputLen, ctx->key, nonce, 1); |
| 124 | 147 |
| 125 Poly1305Do(tag, ad, adLen, output, inputLen, block); | 148 Poly1305Do(tag, ad, adLen, output, inputLen, block); |
| 126 memcpy(output + inputLen, tag, ctx->tagLen); | 149 PORT_Memcpy(output + inputLen, tag, ctx->tagLen); |
| 127 | 150 |
| 128 return SECSuccess; | 151 return SECSuccess; |
| 152 #endif |
| 129 } | 153 } |
| 130 | 154 |
| 131 SECStatus | 155 SECStatus |
| 132 ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx, | 156 ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx, unsigned char *output, |
| 133 » » unsigned char *output, unsigned int *outputLen, | 157 unsigned int *outputLen, unsigned int maxOutputLen, |
| 134 » » unsigned int maxOutputLen, | 158 const unsigned char *input, unsigned int inputLen, |
| 135 » » const unsigned char *input, unsigned int inputLen, | 159 const unsigned char *nonce, unsigned int nonceLen, |
| 136 » » const unsigned char *nonce, unsigned int nonceLen, | 160 const unsigned char *ad, unsigned int adLen) |
| 137 » » const unsigned char *ad, unsigned int adLen) | |
| 138 { | 161 { |
| 162 #ifdef NSS_DISABLE_CHACHAPOLY |
| 163 return SECFailure; |
| 164 #else |
| 139 unsigned char block[64]; | 165 unsigned char block[64]; |
| 140 unsigned char tag[16]; | 166 unsigned char tag[16]; |
| 167 unsigned int ciphertextLen; |
| 141 | 168 |
| 142 if (nonceLen != 8) { | 169 if (nonceLen != 12) { |
| 143 » PORT_SetError(SEC_ERROR_INPUT_LEN); | 170 PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 144 » return SECFailure; | 171 return SECFailure; |
| 145 } | 172 } |
| 146 if (inputLen < ctx->tagLen) { | 173 if (inputLen < ctx->tagLen) { |
| 147 » PORT_SetError(SEC_ERROR_INPUT_LEN); | 174 PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 148 » return SECFailure; | 175 return SECFailure; |
| 149 } | 176 } |
| 150 *outputLen = inputLen - ctx->tagLen; | 177 ciphertextLen = inputLen - ctx->tagLen; |
| 178 *outputLen = ciphertextLen; |
| 151 if (maxOutputLen < *outputLen) { | 179 if (maxOutputLen < *outputLen) { |
| 152 » PORT_SetError(SEC_ERROR_OUTPUT_LEN); | 180 PORT_SetError(SEC_ERROR_OUTPUT_LEN); |
| 153 » return SECFailure; | 181 return SECFailure; |
| 154 } | 182 } |
| 155 | 183 |
| 156 memset(block, 0, sizeof(block)); | 184 PORT_Memset(block, 0, sizeof(block)); |
| 157 // Generate a block of keystream. The first 32 bytes will be the poly1305 | 185 // Generate a block of keystream. The first 32 bytes will be the poly1305 |
| 158 // key. The remainder of the block is discarded. | 186 // key. The remainder of the block is discarded. |
| 159 ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0); | 187 ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0); |
| 160 Poly1305Do(tag, ad, adLen, input, inputLen - ctx->tagLen, block); | 188 Poly1305Do(tag, ad, adLen, input, ciphertextLen, block); |
| 161 if (NSS_SecureMemcmp(tag, &input[inputLen - ctx->tagLen], ctx->tagLen) != 0)
{ | 189 if (NSS_SecureMemcmp(tag, &input[ciphertextLen], ctx->tagLen) != 0) { |
| 162 » PORT_SetError(SEC_ERROR_BAD_DATA); | 190 PORT_SetError(SEC_ERROR_BAD_DATA); |
| 163 » return SECFailure; | 191 return SECFailure; |
| 164 } | 192 } |
| 165 | 193 |
| 166 ChaCha20XOR(output, input, inputLen - ctx->tagLen, ctx->key, nonce, 1); | 194 ChaCha20XOR(output, input, ciphertextLen, ctx->key, nonce, 1); |
| 167 | 195 |
| 168 return SECSuccess; | 196 return SECSuccess; |
| 197 #endif |
| 169 } | 198 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1843333003:
Update NSPR to 4.12 and NSS to 3.23 on iOS (Closed)
Base URL: https://chromium.googlesource.com/chromium/deps/nss.git@master