Support ChaCha20+Poly1305 cipher suites.

nss/lib/freebl/chacha20poly1305.c

Index: nss/lib/freebl/chacha20poly1305.c
===================================================================
--- nss/lib/freebl/chacha20poly1305.c	(revision 0)
+++ nss/lib/freebl/chacha20poly1305.c	(revision 0)
@@ -0,0 +1,111 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifdef FREEBL_NO_DEPEND
+#include "stubs.h"
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "seccomon.h"
+#include "secerr.h"
+#include "poly1305/poly1305.h"
+#include "chacha20/chacha20.h"
+
+/* Poly1305Do writes the Poly1305 authenticator of the given additional data
+ * and ciphertext to |out|. */
+static void
+Poly1305Do(unsigned char *out,
+	   const unsigned char *ad, unsigned int adLen,
+	   const unsigned char *ciphertext, unsigned int ciphertextLen,
+	   const unsigned char key[32])
+{
+    poly1305_state state;
+    unsigned int j;
+    unsigned char lengthBytes[8];
+    unsigned int i;
+
+    Poly1305Init(&state, key);
+    j = adLen;
+    for (i = 0; i < sizeof(lengthBytes); i++) {
+	lengthBytes[i] = j;
+	j >>= 8;
+    }
+    Poly1305Update(&state, ad, adLen);
+    Poly1305Update(&state, lengthBytes, sizeof(lengthBytes));
+    j = ciphertextLen;
+    for (i = 0; i < sizeof(lengthBytes); i++) {
+	lengthBytes[i] = j;
+	j >>= 8;
+    }
+    Poly1305Update(&state, ciphertext, ciphertextLen);
+    Poly1305Update(&state, lengthBytes, sizeof(lengthBytes));
+    Poly1305Finish(&state, out);
+}
+
+SECStatus
+ChaCha20Poly1305_Seal(unsigned char *out,
+		      const unsigned char *ad, unsigned int adLen,
+		      const unsigned char *plaintext, unsigned int plaintextLen,
+		      unsigned int tagLen,
+		      const unsigned char key[32],
+		      const unsigned char nonce[8])
+{
+    unsigned char block[64];
+    unsigned char tag[16];
+
+    if (tagLen == 0 || tagLen > sizeof(tag)) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return SECFailure;
+    }
+
+    memset(block, 0, sizeof(block));
+    // Generate a block of keystream. The first 32 bytes will be the poly1305
+    // key. The remainder of the block is discarded.
+    ChaCha20XOR(block, block, sizeof(block), key, nonce, 0);
+    ChaCha20XOR(out, plaintext, plaintextLen, key, nonce, 1);
+
+    Poly1305Do(tag, ad, adLen, out, plaintextLen, block);
+    memcpy(out + plaintextLen, tag, tagLen);
+
+    return SECSuccess;
+}
+
+SECStatus
+ChaCha20Poly1305_Open(unsigned char *out,
+		      const unsigned char *ad, unsigned int adLen,
+		      const unsigned char *ciphertext, unsigned int ciphertextLen,
+		      unsigned int tagLen,
+		      const unsigned char key[32],
+		      const unsigned char nonce[8])
+{
+    unsigned char block[64];
+    unsigned int i;
+    unsigned char tag[16];
+
+    if (tagLen == 0 || tagLen > sizeof(tag)) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return SECFailure;
+    }
+
+    if (ciphertextLen < tagLen) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return SECFailure;
+    }
+
+    memset(block, 0, sizeof(block));
+    // Generate a block of keystream. The first 32 bytes will be the poly1305
+    // key. The remainder of the block is discarded.
+    ChaCha20XOR(block, block, sizeof(block), key, nonce, 0);
+    Poly1305Do(tag, ad, adLen, ciphertext, ciphertextLen - tagLen, block);
+    if (NSS_SecureMemcmp(tag, &ciphertext[ciphertextLen - tagLen], tagLen) != 0) {
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+	return SECFailure;
+    }
+
+    ChaCha20XOR(out, ciphertext, ciphertextLen - tagLen, key, nonce, 1);
+
+    return SECSuccess;
+}
Property changes on: nss/lib/freebl/chacha20poly1305.c
___________________________________________________________________
Added: svn:eol-style
   + LF