OLD | NEW |
(Empty) | |
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 |
| 5 #ifdef FREEBL_NO_DEPEND |
| 6 #include "stubs.h" |
| 7 #endif |
| 8 |
| 9 #include <string.h> |
| 10 #include <stdio.h> |
| 11 |
| 12 #include "seccomon.h" |
| 13 #include "secerr.h" |
| 14 #include "blapit.h" |
| 15 #include "poly1305/poly1305.h" |
| 16 #include "chacha20/chacha20.h" |
| 17 #include "chacha20poly1305.h" |
| 18 |
| 19 /* Poly1305Do writes the Poly1305 authenticator of the given additional data |
| 20 * and ciphertext to |out|. */ |
| 21 static void |
| 22 Poly1305Do(unsigned char *out, |
| 23 const unsigned char *ad, unsigned int adLen, |
| 24 const unsigned char *ciphertext, unsigned int ciphertextLen, |
| 25 const unsigned char key[32]) |
| 26 { |
| 27 poly1305_state state; |
| 28 unsigned int j; |
| 29 unsigned char lengthBytes[8]; |
| 30 unsigned int i; |
| 31 |
| 32 Poly1305Init(&state, key); |
| 33 j = adLen; |
| 34 for (i = 0; i < sizeof(lengthBytes); i++) { |
| 35 lengthBytes[i] = j; |
| 36 j >>= 8; |
| 37 } |
| 38 Poly1305Update(&state, ad, adLen); |
| 39 Poly1305Update(&state, lengthBytes, sizeof(lengthBytes)); |
| 40 j = ciphertextLen; |
| 41 for (i = 0; i < sizeof(lengthBytes); i++) { |
| 42 lengthBytes[i] = j; |
| 43 j >>= 8; |
| 44 } |
| 45 Poly1305Update(&state, ciphertext, ciphertextLen); |
| 46 Poly1305Update(&state, lengthBytes, sizeof(lengthBytes)); |
| 47 Poly1305Finish(&state, out); |
| 48 } |
| 49 |
| 50 SECStatus |
| 51 ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx, |
| 52 const unsigned char *key, unsigned int keyLen, |
| 53 unsigned int tagLen) |
| 54 { |
| 55 if (keyLen != 32) { |
| 56 PORT_SetError(SEC_ERROR_BAD_KEY); |
| 57 return SECFailure; |
| 58 } |
| 59 if (tagLen == 0 || tagLen > 16) { |
| 60 PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 61 return SECFailure; |
| 62 } |
| 63 |
| 64 memcpy(ctx->key, key, sizeof(ctx->key)); |
| 65 ctx->tagLen = tagLen; |
| 66 |
| 67 return SECSuccess; |
| 68 } |
| 69 |
| 70 ChaCha20Poly1305Context * |
| 71 ChaCha20Poly1305_CreateContext(const unsigned char *key, unsigned int keyLen, |
| 72 unsigned int tagLen) |
| 73 { |
| 74 ChaCha20Poly1305Context *ctx; |
| 75 |
| 76 ctx = PORT_New(ChaCha20Poly1305Context); |
| 77 if (ctx == NULL) { |
| 78 return NULL; |
| 79 } |
| 80 |
| 81 if (ChaCha20Poly1305_InitContext(ctx, key, keyLen, tagLen) != SECSuccess) { |
| 82 PORT_Free(ctx); |
| 83 ctx = NULL; |
| 84 } |
| 85 |
| 86 return ctx; |
| 87 } |
| 88 |
| 89 void |
| 90 ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, PRBool freeit) |
| 91 { |
| 92 memset(ctx, 0, sizeof(*ctx)); |
| 93 if (freeit) { |
| 94 PORT_Free(ctx); |
| 95 } |
| 96 } |
| 97 |
| 98 SECStatus |
| 99 ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx, |
| 100 unsigned char *output, unsigned int *outputLen, |
| 101 unsigned int maxOutputLen, |
| 102 const unsigned char *input, unsigned int inputLen, |
| 103 const unsigned char *nonce, unsigned int nonceLen, |
| 104 const unsigned char *ad, unsigned int adLen) |
| 105 { |
| 106 unsigned char block[64]; |
| 107 unsigned char tag[16]; |
| 108 |
| 109 if (nonceLen != 8) { |
| 110 PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 111 return SECFailure; |
| 112 } |
| 113 *outputLen = inputLen + ctx->tagLen; |
| 114 if (maxOutputLen < *outputLen) { |
| 115 PORT_SetError(SEC_ERROR_OUTPUT_LEN); |
| 116 return SECFailure; |
| 117 } |
| 118 |
| 119 memset(block, 0, sizeof(block)); |
| 120 // Generate a block of keystream. The first 32 bytes will be the poly1305 |
| 121 // key. The remainder of the block is discarded. |
| 122 ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0); |
| 123 ChaCha20XOR(output, input, inputLen, ctx->key, nonce, 1); |
| 124 |
| 125 Poly1305Do(tag, ad, adLen, output, inputLen, block); |
| 126 memcpy(output + inputLen, tag, ctx->tagLen); |
| 127 |
| 128 return SECSuccess; |
| 129 } |
| 130 |
| 131 SECStatus |
| 132 ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx, |
| 133 unsigned char *output, unsigned int *outputLen, |
| 134 unsigned int maxOutputLen, |
| 135 const unsigned char *input, unsigned int inputLen, |
| 136 const unsigned char *nonce, unsigned int nonceLen, |
| 137 const unsigned char *ad, unsigned int adLen) |
| 138 { |
| 139 unsigned char block[64]; |
| 140 unsigned char tag[16]; |
| 141 |
| 142 if (nonceLen != 8) { |
| 143 PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 144 return SECFailure; |
| 145 } |
| 146 if (inputLen < ctx->tagLen) { |
| 147 PORT_SetError(SEC_ERROR_INPUT_LEN); |
| 148 return SECFailure; |
| 149 } |
| 150 *outputLen = inputLen - ctx->tagLen; |
| 151 if (maxOutputLen < *outputLen) { |
| 152 PORT_SetError(SEC_ERROR_OUTPUT_LEN); |
| 153 return SECFailure; |
| 154 } |
| 155 |
| 156 memset(block, 0, sizeof(block)); |
| 157 // Generate a block of keystream. The first 32 bytes will be the poly1305 |
| 158 // key. The remainder of the block is discarded. |
| 159 ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0); |
| 160 Poly1305Do(tag, ad, adLen, input, inputLen - ctx->tagLen, block); |
| 161 if (NSS_SecureMemcmp(tag, &input[inputLen - ctx->tagLen], ctx->tagLen) != 0)
{ |
| 162 PORT_SetError(SEC_ERROR_BAD_DATA); |
| 163 return SECFailure; |
| 164 } |
| 165 |
| 166 ChaCha20XOR(output, input, inputLen - ctx->tagLen, ctx->key, nonce, 1); |
| 167 |
| 168 return SECSuccess; |
| 169 } |
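Review bot: In ChaCha20Poly1305_Seal, `*outputLen = inputLen + ctx->tagLen;` is unsigned arithmetic and wraps when inputLen is within tagLen of UINT_MAX, after which the `maxOutputLen < *outputLen` check passes on the small wrapped value while ChaCha20XOR still writes inputLen bytes to `output`. A guard ahead of the addition closes this, for example `if (inputLen + ctx->tagLen < inputLen) { PORT_SetError(SEC_ERROR_INPUT_LEN); return SECFailure; }`. Separately, Seal and Open both return with the one-time Poly1305 key in `block` and the computed `tag` still on the stack, and in Open that includes the SEC_ERROR_BAD_DATA path, where `tag` holds the authenticator the rejected message would have needed; clearing both buffers on every exit path would be a cheap hardening step. ChaCha20Poly1305_InitContext accepts any tagLen from 1 to 16, so a comment such as `/* tagLen < 16 truncates the authenticator; forgery resistance drops to 8*tagLen bits */` would make that trade-off visible to callers.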
OLD | NEW |