| Index: nss/lib/freebl/chacha20poly1305.c
|
| ===================================================================
|
| --- nss/lib/freebl/chacha20poly1305.c (revision 0)
|
| +++ nss/lib/freebl/chacha20poly1305.c (revision 0)
|
| @@ -0,0 +1,169 @@
|
| +/* This Source Code Form is subject to the terms of the Mozilla Public
|
| + * License, v. 2.0. If a copy of the MPL was not distributed with this
|
| + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
| +
|
| +#ifdef FREEBL_NO_DEPEND
|
| +#include "stubs.h"
|
| +#endif
|
| +
|
| +#include <string.h>
|
| +#include <stdio.h>
|
| +
|
| +#include "seccomon.h"
|
| +#include "secerr.h"
|
| +#include "blapit.h"
|
| +#include "poly1305/poly1305.h"
|
| +#include "chacha20/chacha20.h"
|
| +#include "chacha20poly1305.h"
|
| +
|
| +/* Poly1305Do writes the Poly1305 authenticator of the given additional data
|
| + * and ciphertext to |out|. */
|
| +static void
|
| +Poly1305Do(unsigned char *out,
|
| + const unsigned char *ad, unsigned int adLen,
|
| + const unsigned char *ciphertext, unsigned int ciphertextLen,
|
| + const unsigned char key[32])
|
| +{
|
| + poly1305_state state;
|
| + unsigned int j;
|
| + unsigned char lengthBytes[8];
|
| + unsigned int i;
|
| +
|
| + Poly1305Init(&state, key);
|
| + j = adLen;
|
| + for (i = 0; i < sizeof(lengthBytes); i++) {
|
| + lengthBytes[i] = j;
|
| + j >>= 8;
|
| + }
|
| + Poly1305Update(&state, ad, adLen);
|
| + Poly1305Update(&state, lengthBytes, sizeof(lengthBytes));
|
| + j = ciphertextLen;
|
| + for (i = 0; i < sizeof(lengthBytes); i++) {
|
| + lengthBytes[i] = j;
|
| + j >>= 8;
|
| + }
|
| + Poly1305Update(&state, ciphertext, ciphertextLen);
|
| + Poly1305Update(&state, lengthBytes, sizeof(lengthBytes));
|
| + Poly1305Finish(&state, out);
|
| +}
|
| +
|
| +SECStatus
|
| +ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
|
| + const unsigned char *key, unsigned int keyLen,
|
| + unsigned int tagLen)
|
| +{
|
| + if (keyLen != 32) {
|
| + PORT_SetError(SEC_ERROR_BAD_KEY);
|
| + return SECFailure;
|
| + }
|
| + if (tagLen == 0 || tagLen > 16) {
|
| + PORT_SetError(SEC_ERROR_INPUT_LEN);
|
| + return SECFailure;
|
| + }
|
| +
|
| + memcpy(ctx->key, key, sizeof(ctx->key));
|
| + ctx->tagLen = tagLen;
|
| +
|
| + return SECSuccess;
|
| +}
|
| +
|
| +ChaCha20Poly1305Context *
|
| +ChaCha20Poly1305_CreateContext(const unsigned char *key, unsigned int keyLen,
|
| + unsigned int tagLen)
|
| +{
|
| + ChaCha20Poly1305Context *ctx;
|
| +
|
| + ctx = PORT_New(ChaCha20Poly1305Context);
|
| + if (ctx == NULL) {
|
| + return NULL;
|
| + }
|
| +
|
| + if (ChaCha20Poly1305_InitContext(ctx, key, keyLen, tagLen) != SECSuccess) {
|
| + PORT_Free(ctx);
|
| + ctx = NULL;
|
| + }
|
| +
|
| + return ctx;
|
| +}
|
| +
|
| +void
|
| +ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, PRBool freeit)
|
| +{
|
| + memset(ctx, 0, sizeof(*ctx));
|
| + if (freeit) {
|
| + PORT_Free(ctx);
|
| + }
|
| +}
|
| +
|
| +SECStatus
|
| +ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx,
|
| + unsigned char *output, unsigned int *outputLen,
|
| + unsigned int maxOutputLen,
|
| + const unsigned char *input, unsigned int inputLen,
|
| + const unsigned char *nonce, unsigned int nonceLen,
|
| + const unsigned char *ad, unsigned int adLen)
|
| +{
|
| + unsigned char block[64];
|
| + unsigned char tag[16];
|
| +
|
| + if (nonceLen != 8) {
|
| + PORT_SetError(SEC_ERROR_INPUT_LEN);
|
| + return SECFailure;
|
| + }
|
| + *outputLen = inputLen + ctx->tagLen;
|
| + if (maxOutputLen < *outputLen) {
|
| + PORT_SetError(SEC_ERROR_OUTPUT_LEN);
|
| + return SECFailure;
|
| + }
|
| +
|
| + memset(block, 0, sizeof(block));
|
| + // Generate a block of keystream. The first 32 bytes will be the poly1305
|
| + // key. The remainder of the block is discarded.
|
| + ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0);
|
| + ChaCha20XOR(output, input, inputLen, ctx->key, nonce, 1);
|
| +
|
| + Poly1305Do(tag, ad, adLen, output, inputLen, block);
|
| + memcpy(output + inputLen, tag, ctx->tagLen);
|
| +
|
| + return SECSuccess;
|
| +}
|
| +
|
| +SECStatus
|
| +ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx,
|
| + unsigned char *output, unsigned int *outputLen,
|
| + unsigned int maxOutputLen,
|
| + const unsigned char *input, unsigned int inputLen,
|
| + const unsigned char *nonce, unsigned int nonceLen,
|
| + const unsigned char *ad, unsigned int adLen)
|
| +{
|
| + unsigned char block[64];
|
| + unsigned char tag[16];
|
| +
|
| + if (nonceLen != 8) {
|
| + PORT_SetError(SEC_ERROR_INPUT_LEN);
|
| + return SECFailure;
|
| + }
|
| + if (inputLen < ctx->tagLen) {
|
| + PORT_SetError(SEC_ERROR_INPUT_LEN);
|
| + return SECFailure;
|
| + }
|
| + *outputLen = inputLen - ctx->tagLen;
|
| + if (maxOutputLen < *outputLen) {
|
| + PORT_SetError(SEC_ERROR_OUTPUT_LEN);
|
| + return SECFailure;
|
| + }
|
| +
|
| + memset(block, 0, sizeof(block));
|
| + // Generate a block of keystream. The first 32 bytes will be the poly1305
|
| + // key. The remainder of the block is discarded.
|
| + ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0);
|
| + Poly1305Do(tag, ad, adLen, input, inputLen - ctx->tagLen, block);
|
| + if (NSS_SecureMemcmp(tag, &input[inputLen - ctx->tagLen], ctx->tagLen) != 0) {
|
| + PORT_SetError(SEC_ERROR_BAD_DATA);
|
| + return SECFailure;
|
| + }
|
| +
|
| + ChaCha20XOR(output, input, inputLen - ctx->tagLen, ctx->key, nonce, 1);
|
| +
|
| + return SECSuccess;
|
| +}
|
|
|
| Property changes on: nss/lib/freebl/chacha20poly1305.c
|
| ___________________________________________________________________
|
| Added: svn:eol-style
|
| + LF
|
|
|
|
|
Chromium Code Reviews
Issue 27510015:
Support ChaCha20+Poly1305 cipher suites. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/