OLD | NEW |
(Empty) | |
| 1 #include <string.h> |
| 2 #include <stdio.h> |
| 3 |
| 4 #include "seccomon.h" |
| 5 #include "poly1305/poly1305.h" |
| 6 #include "chacha20/chacha20.h" |
| 7 |
| 8 /* Poly1305Do writes the Poly1305 authenticator of the given additional data |
| 9 * and ciphertext to |out|. */ |
| 10 static void Poly1305Do(unsigned char *out, |
| 11 const unsigned char *ad, size_t adLen, |
| 12 const unsigned char *ciphertext, size_t ciphertextLen, |
| 13 const unsigned char key[32]) |
| 14 { |
| 15 poly1305_state state; |
| 16 size_t j; |
| 17 unsigned char lengthBytes[8]; |
| 18 unsigned int i; |
| 19 |
| 20 Poly1305Init(&state, key); |
| 21 j = adLen; |
| 22 for (i = 0; i < sizeof(lengthBytes); i++) { |
| 23 lengthBytes[i] = j; |
| 24 j >>= 8; |
| 25 } |
| 26 Poly1305Update(&state, ad, adLen); |
| 27 Poly1305Update(&state, lengthBytes, sizeof(lengthBytes)); |
| 28 j = ciphertextLen; |
| 29 for (i = 0; i < sizeof(lengthBytes); i++) { |
| 30 lengthBytes[i] = j; |
| 31 j >>= 8; |
| 32 } |
| 33 Poly1305Update(&state, ciphertext, ciphertextLen); |
| 34 Poly1305Update(&state, lengthBytes, sizeof(lengthBytes)); |
| 35 Poly1305Finish(&state, out); |
| 36 } |
| 37 |
| 38 SECStatus ChaCha20Poly1305_Seal( |
| 39 unsigned char *out, |
| 40 const unsigned char *ad, size_t adLen, |
| 41 const unsigned char *plaintext, size_t plaintextLen, |
| 42 size_t tagLen, |
| 43 const unsigned char key[32], |
| 44 const unsigned char nonce[8]) |
| 45 { |
| 46 unsigned char block[64]; |
| 47 unsigned char tag[16]; |
| 48 |
| 49 if (tagLen == 0 || tagLen > 16) { |
| 50 return SECFailure; |
| 51 } |
| 52 |
| 53 memset(block, 0, 64); |
| 54 // Generate a block of keystream. The first 32 bytes will be the poly1305 |
| 55 // key. The remainder of the block is discarded. |
| 56 ChaCha20XOR(block, block, sizeof(block), key, nonce, 0); |
| 57 ChaCha20XOR(out, plaintext, plaintextLen, key, nonce, 1); |
| 58 |
| 59 Poly1305Do(tag, ad, adLen, out, plaintextLen, block); |
| 60 memcpy(out + plaintextLen, tag, tagLen); |
| 61 |
| 62 return SECSuccess; |
| 63 } |
| 64 |
| 65 SECStatus ChaCha20Poly1305_Open( |
| 66 unsigned char *out, |
| 67 const unsigned char *ad, size_t adLen, |
| 68 const unsigned char *ciphertext, size_t ciphertextLen, |
| 69 size_t tagLen, |
| 70 const unsigned char key[32], |
| 71 const unsigned char nonce[8]) |
| 72 { |
| 73 unsigned char block[64]; |
| 74 unsigned int i; |
| 75 unsigned char macBad; |
| 76 unsigned char mac[16]; |
| 77 |
| 78 if (tagLen == 0 || tagLen > 16) { |
| 79 return SECFailure; |
| 80 } |
| 81 |
| 82 if (ciphertextLen < tagLen) { |
| 83 return SECFailure; |
| 84 } |
| 85 |
| 86 memset(block, 0, 64); |
| 87 // Generate a block of keystream. The first 32 bytes will be the poly1305 |
| 88 // key. The remainder is used to decrypt the first 32 bytes of plaintext. |
| 89 ChaCha20XOR(block, block, sizeof(block), key, nonce, 0); |
| 90 Poly1305Do(mac, ad, adLen, ciphertext, ciphertextLen - tagLen, block); |
| 91 macBad = 0; |
| 92 for (i = 0; i < tagLen; i++) { |
| 93 macBad |= mac[i] ^ ciphertext[ciphertextLen - tagLen + i]; |
| 94 } |
| 95 if (macBad) { |
| 96 return SECFailure; |
| 97 } |
| 98 |
| 99 ChaCha20XOR(out, ciphertext, ciphertextLen, key, nonce, 1); |
| 100 |
| 101 return SECSuccess; |
| 102 } |
OLD | NEW |