Xuyi Wang / wolfSSL

Important changes to repositories hosted on mbed.com

Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.

To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.

It is also possible to export all your personal repositories from the account settings page.

Dependents:   OS

wolfcrypt/src/chacha20_poly1305.c@16:048e5e270a58, 2019-11-19 (annotated)

Committer:
sPymbed
Date:
Tue Nov 19 14:32:16 2019 +0000
Revision:
16:048e5e270a58
Parent:
15:117db924cf7c 
working ssl

Who changed what in which revision?

UserRevisionLine numberNew contents of line
wolfSSL 15:117db924cf7c 1 /* chacha.c
wolfSSL 15:117db924cf7c 2 *
wolfSSL 15:117db924cf7c 3 * Copyright (C) 2006-2017 wolfSSL Inc.
wolfSSL 15:117db924cf7c 4 *
wolfSSL 15:117db924cf7c 5 * This file is part of wolfSSL.
wolfSSL 15:117db924cf7c 6 *
wolfSSL 15:117db924cf7c 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 15:117db924cf7c 8 * it under the terms of the GNU General Public License as published by
wolfSSL 15:117db924cf7c 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 15:117db924cf7c 10 * (at your option) any later version.
wolfSSL 15:117db924cf7c 11 *
wolfSSL 15:117db924cf7c 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 15:117db924cf7c 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 15:117db924cf7c 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 15:117db924cf7c 15 * GNU General Public License for more details.
wolfSSL 15:117db924cf7c 16 *
wolfSSL 15:117db924cf7c 17 * You should have received a copy of the GNU General Public License
wolfSSL 15:117db924cf7c 18 * along with this program; if not, write to the Free Software
wolfSSL 15:117db924cf7c 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 15:117db924cf7c 20 */
wolfSSL 15:117db924cf7c 21
wolfSSL 15:117db924cf7c 22
wolfSSL 15:117db924cf7c 23
wolfSSL 15:117db924cf7c 24 #ifdef HAVE_CONFIG_H
wolfSSL 15:117db924cf7c 25 #include <config.h>
wolfSSL 15:117db924cf7c 26 #endif
wolfSSL 15:117db924cf7c 27
wolfSSL 15:117db924cf7c 28 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 15:117db924cf7c 29
wolfSSL 15:117db924cf7c 30 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
wolfSSL 15:117db924cf7c 31
wolfSSL 15:117db924cf7c 32 #include <wolfssl/wolfcrypt/chacha20_poly1305.h>
wolfSSL 15:117db924cf7c 33 #include <wolfssl/wolfcrypt/error-crypt.h>
wolfSSL 15:117db924cf7c 34 #include <wolfssl/wolfcrypt/logging.h>
wolfSSL 15:117db924cf7c 35 #include <wolfssl/wolfcrypt/chacha.h>
wolfSSL 15:117db924cf7c 36 #include <wolfssl/wolfcrypt/poly1305.h>
wolfSSL 15:117db924cf7c 37
wolfSSL 15:117db924cf7c 38 #ifdef NO_INLINE
wolfSSL 15:117db924cf7c 39 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 15:117db924cf7c 40 #else
wolfSSL 15:117db924cf7c 41 #define WOLFSSL_MISC_INCLUDED
wolfSSL 15:117db924cf7c 42 #include <wolfcrypt/src/misc.c>
wolfSSL 15:117db924cf7c 43 #endif
wolfSSL 15:117db924cf7c 44
wolfSSL 15:117db924cf7c 45 #ifdef CHACHA_AEAD_TEST
wolfSSL 15:117db924cf7c 46 #include <stdio.h>
wolfSSL 15:117db924cf7c 47 #endif
wolfSSL 15:117db924cf7c 48
wolfSSL 15:117db924cf7c 49 #define CHACHA20_POLY1305_AEAD_INITIAL_COUNTER 0
wolfSSL 15:117db924cf7c 50 #define CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT 16
wolfSSL 15:117db924cf7c 51
wolfSSL 15:117db924cf7c 52 static void word32ToLittle64(const word32 inLittle32, byte outLittle64[8]);
wolfSSL 15:117db924cf7c 53 static int calculateAuthTag(
wolfSSL 15:117db924cf7c 54 const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
wolfSSL 15:117db924cf7c 55 const byte* inAAD, const word32 inAADLen,
wolfSSL 15:117db924cf7c 56 const byte *inCiphertext, const word32 inCiphertextLen,
wolfSSL 15:117db924cf7c 57 byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]);
wolfSSL 15:117db924cf7c 58
wolfSSL 15:117db924cf7c 59 int wc_ChaCha20Poly1305_Encrypt(
wolfSSL 15:117db924cf7c 60 const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
wolfSSL 15:117db924cf7c 61 const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE],
wolfSSL 15:117db924cf7c 62 const byte* inAAD, const word32 inAADLen,
wolfSSL 15:117db924cf7c 63 const byte* inPlaintext, const word32 inPlaintextLen,
wolfSSL 15:117db924cf7c 64 byte* outCiphertext,
wolfSSL 15:117db924cf7c 65 byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE])
wolfSSL 15:117db924cf7c 66 {
wolfSSL 15:117db924cf7c 67 int err;
wolfSSL 15:117db924cf7c 68 byte poly1305Key[CHACHA20_POLY1305_AEAD_KEYSIZE];
wolfSSL 15:117db924cf7c 69 ChaCha chaChaCtx;
wolfSSL 15:117db924cf7c 70
wolfSSL 15:117db924cf7c 71 /* Validate function arguments */
wolfSSL 15:117db924cf7c 72
wolfSSL 15:117db924cf7c 73 if (!inKey || !inIV ||
wolfSSL 15:117db924cf7c 74 !inPlaintext || !inPlaintextLen ||
wolfSSL 15:117db924cf7c 75 !outCiphertext ||
wolfSSL 15:117db924cf7c 76 !outAuthTag)
wolfSSL 15:117db924cf7c 77 {
wolfSSL 15:117db924cf7c 78 return BAD_FUNC_ARG;
wolfSSL 15:117db924cf7c 79 }
wolfSSL 15:117db924cf7c 80
wolfSSL 15:117db924cf7c 81 XMEMSET(poly1305Key, 0, sizeof(poly1305Key));
wolfSSL 15:117db924cf7c 82
wolfSSL 15:117db924cf7c 83 /* Create the Poly1305 key */
wolfSSL 15:117db924cf7c 84 err = wc_Chacha_SetKey(&chaChaCtx, inKey, CHACHA20_POLY1305_AEAD_KEYSIZE);
wolfSSL 15:117db924cf7c 85 if (err != 0) return err;
wolfSSL 15:117db924cf7c 86
wolfSSL 15:117db924cf7c 87 err = wc_Chacha_SetIV(&chaChaCtx, inIV,
wolfSSL 15:117db924cf7c 88 CHACHA20_POLY1305_AEAD_INITIAL_COUNTER);
wolfSSL 15:117db924cf7c 89 if (err != 0) return err;
wolfSSL 15:117db924cf7c 90
wolfSSL 15:117db924cf7c 91 err = wc_Chacha_Process(&chaChaCtx, poly1305Key, poly1305Key,
wolfSSL 15:117db924cf7c 92 CHACHA20_POLY1305_AEAD_KEYSIZE);
wolfSSL 15:117db924cf7c 93 if (err != 0) return err;
wolfSSL 15:117db924cf7c 94
wolfSSL 15:117db924cf7c 95 /* Encrypt the plaintext using ChaCha20 */
wolfSSL 15:117db924cf7c 96 err = wc_Chacha_Process(&chaChaCtx, outCiphertext, inPlaintext,
wolfSSL 15:117db924cf7c 97 inPlaintextLen);
wolfSSL 15:117db924cf7c 98 /* Calculate the Poly1305 auth tag */
wolfSSL 15:117db924cf7c 99 if (err == 0)
wolfSSL 15:117db924cf7c 100 err = calculateAuthTag(poly1305Key,
wolfSSL 15:117db924cf7c 101 inAAD, inAADLen,
wolfSSL 15:117db924cf7c 102 outCiphertext, inPlaintextLen,
wolfSSL 15:117db924cf7c 103 outAuthTag);
wolfSSL 15:117db924cf7c 104 ForceZero(poly1305Key, sizeof(poly1305Key));
wolfSSL 15:117db924cf7c 105
wolfSSL 15:117db924cf7c 106 return err;
wolfSSL 15:117db924cf7c 107 }
wolfSSL 15:117db924cf7c 108
wolfSSL 15:117db924cf7c 109
wolfSSL 15:117db924cf7c 110 int wc_ChaCha20Poly1305_Decrypt(
wolfSSL 15:117db924cf7c 111 const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
wolfSSL 15:117db924cf7c 112 const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE],
wolfSSL 15:117db924cf7c 113 const byte* inAAD, const word32 inAADLen,
wolfSSL 15:117db924cf7c 114 const byte* inCiphertext, const word32 inCiphertextLen,
wolfSSL 15:117db924cf7c 115 const byte inAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE],
wolfSSL 15:117db924cf7c 116 byte* outPlaintext)
wolfSSL 15:117db924cf7c 117 {
wolfSSL 15:117db924cf7c 118 int err;
wolfSSL 15:117db924cf7c 119 byte poly1305Key[CHACHA20_POLY1305_AEAD_KEYSIZE];
wolfSSL 15:117db924cf7c 120 ChaCha chaChaCtx;
wolfSSL 15:117db924cf7c 121 byte calculatedAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE];
wolfSSL 15:117db924cf7c 122
wolfSSL 15:117db924cf7c 123 /* Validate function arguments */
wolfSSL 15:117db924cf7c 124
wolfSSL 15:117db924cf7c 125 if (!inKey || !inIV ||
wolfSSL 15:117db924cf7c 126 !inCiphertext || !inCiphertextLen ||
wolfSSL 15:117db924cf7c 127 !inAuthTag ||
wolfSSL 15:117db924cf7c 128 !outPlaintext)
wolfSSL 15:117db924cf7c 129 {
wolfSSL 15:117db924cf7c 130 return BAD_FUNC_ARG;
wolfSSL 15:117db924cf7c 131 }
wolfSSL 15:117db924cf7c 132
wolfSSL 15:117db924cf7c 133 XMEMSET(calculatedAuthTag, 0, sizeof(calculatedAuthTag));
wolfSSL 15:117db924cf7c 134 XMEMSET(poly1305Key, 0, sizeof(poly1305Key));
wolfSSL 15:117db924cf7c 135
wolfSSL 15:117db924cf7c 136 /* Create the Poly1305 key */
wolfSSL 15:117db924cf7c 137 err = wc_Chacha_SetKey(&chaChaCtx, inKey, CHACHA20_POLY1305_AEAD_KEYSIZE);
wolfSSL 15:117db924cf7c 138 if (err != 0) return err;
wolfSSL 15:117db924cf7c 139
wolfSSL 15:117db924cf7c 140 err = wc_Chacha_SetIV(&chaChaCtx, inIV,
wolfSSL 15:117db924cf7c 141 CHACHA20_POLY1305_AEAD_INITIAL_COUNTER);
wolfSSL 15:117db924cf7c 142 if (err != 0) return err;
wolfSSL 15:117db924cf7c 143
wolfSSL 15:117db924cf7c 144 err = wc_Chacha_Process(&chaChaCtx, poly1305Key, poly1305Key,
wolfSSL 15:117db924cf7c 145 CHACHA20_POLY1305_AEAD_KEYSIZE);
wolfSSL 15:117db924cf7c 146 if (err != 0) return err;
wolfSSL 15:117db924cf7c 147
wolfSSL 15:117db924cf7c 148 /* Calculate the Poly1305 auth tag */
wolfSSL 15:117db924cf7c 149 err = calculateAuthTag(poly1305Key,
wolfSSL 15:117db924cf7c 150 inAAD, inAADLen,
wolfSSL 15:117db924cf7c 151 inCiphertext, inCiphertextLen,
wolfSSL 15:117db924cf7c 152 calculatedAuthTag);
wolfSSL 15:117db924cf7c 153
wolfSSL 15:117db924cf7c 154 /* Compare the calculated auth tag with the received one */
wolfSSL 15:117db924cf7c 155 if (err == 0 && ConstantCompare(inAuthTag, calculatedAuthTag,
wolfSSL 15:117db924cf7c 156 CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE) != 0)
wolfSSL 15:117db924cf7c 157 {
wolfSSL 15:117db924cf7c 158 err = MAC_CMP_FAILED_E;
wolfSSL 15:117db924cf7c 159 }
wolfSSL 15:117db924cf7c 160
wolfSSL 15:117db924cf7c 161 /* Decrypt the received ciphertext */
wolfSSL 15:117db924cf7c 162 if (err == 0)
wolfSSL 15:117db924cf7c 163 err = wc_Chacha_Process(&chaChaCtx, outPlaintext, inCiphertext,
wolfSSL 15:117db924cf7c 164 inCiphertextLen);
wolfSSL 15:117db924cf7c 165 ForceZero(poly1305Key, sizeof(poly1305Key));
wolfSSL 15:117db924cf7c 166
wolfSSL 15:117db924cf7c 167 return err;
wolfSSL 15:117db924cf7c 168 }
wolfSSL 15:117db924cf7c 169
wolfSSL 15:117db924cf7c 170
wolfSSL 15:117db924cf7c 171 static int calculateAuthTag(
wolfSSL 15:117db924cf7c 172 const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
wolfSSL 15:117db924cf7c 173 const byte *inAAD, const word32 inAADLen,
wolfSSL 15:117db924cf7c 174 const byte *inCiphertext, const word32 inCiphertextLen,
wolfSSL 15:117db924cf7c 175 byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE])
wolfSSL 15:117db924cf7c 176 {
wolfSSL 15:117db924cf7c 177 int err;
wolfSSL 15:117db924cf7c 178 Poly1305 poly1305Ctx;
wolfSSL 15:117db924cf7c 179 byte padding[CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1];
wolfSSL 15:117db924cf7c 180 word32 paddingLen;
wolfSSL 15:117db924cf7c 181 byte little64[16];
wolfSSL 15:117db924cf7c 182
wolfSSL 15:117db924cf7c 183 XMEMSET(padding, 0, sizeof(padding));
wolfSSL 15:117db924cf7c 184
wolfSSL 15:117db924cf7c 185 /* Initialize Poly1305 */
wolfSSL 15:117db924cf7c 186 err = wc_Poly1305SetKey(&poly1305Ctx, inAuthKey,
wolfSSL 15:117db924cf7c 187 CHACHA20_POLY1305_AEAD_KEYSIZE);
wolfSSL 15:117db924cf7c 188 if (err)
wolfSSL 15:117db924cf7c 189 return err;
wolfSSL 15:117db924cf7c 190
wolfSSL 15:117db924cf7c 191 /* Create the authTag by MAC'ing the following items: */
wolfSSL 15:117db924cf7c 192 /* -- AAD */
wolfSSL 15:117db924cf7c 193 if (inAAD && inAADLen)
wolfSSL 15:117db924cf7c 194 {
wolfSSL 15:117db924cf7c 195 err = wc_Poly1305Update(&poly1305Ctx, inAAD, inAADLen);
wolfSSL 15:117db924cf7c 196 /* -- padding1: pad the AAD to 16 bytes */
wolfSSL 15:117db924cf7c 197 paddingLen = -(int)inAADLen &
wolfSSL 15:117db924cf7c 198 (CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1);
wolfSSL 15:117db924cf7c 199 if (paddingLen)
wolfSSL 15:117db924cf7c 200 err += wc_Poly1305Update(&poly1305Ctx, padding, paddingLen);
wolfSSL 15:117db924cf7c 201
wolfSSL 15:117db924cf7c 202 if (err)
wolfSSL 15:117db924cf7c 203 return err;
wolfSSL 15:117db924cf7c 204 }
wolfSSL 15:117db924cf7c 205
wolfSSL 15:117db924cf7c 206 /* -- Ciphertext */
wolfSSL 15:117db924cf7c 207 err = wc_Poly1305Update(&poly1305Ctx, inCiphertext, inCiphertextLen);
wolfSSL 15:117db924cf7c 208 if (err)
wolfSSL 15:117db924cf7c 209 return err;
wolfSSL 15:117db924cf7c 210
wolfSSL 15:117db924cf7c 211 /* -- padding2: pad the ciphertext to 16 bytes */
wolfSSL 15:117db924cf7c 212 paddingLen = -(int)inCiphertextLen &
wolfSSL 15:117db924cf7c 213 (CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1);
wolfSSL 15:117db924cf7c 214 if (paddingLen)
wolfSSL 15:117db924cf7c 215 {
wolfSSL 15:117db924cf7c 216 err = wc_Poly1305Update(&poly1305Ctx, padding, paddingLen);
wolfSSL 15:117db924cf7c 217 if (err)
wolfSSL 15:117db924cf7c 218 return err;
wolfSSL 15:117db924cf7c 219 }
wolfSSL 15:117db924cf7c 220
wolfSSL 15:117db924cf7c 221 /* -- AAD length as a 64-bit little endian integer */
wolfSSL 15:117db924cf7c 222 word32ToLittle64(inAADLen, little64);
wolfSSL 15:117db924cf7c 223 /* -- Ciphertext length as a 64-bit little endian integer */
wolfSSL 15:117db924cf7c 224 word32ToLittle64(inCiphertextLen, little64 + 8);
wolfSSL 15:117db924cf7c 225 err = wc_Poly1305Update(&poly1305Ctx, little64, sizeof(little64));
wolfSSL 15:117db924cf7c 226 if (err)
wolfSSL 15:117db924cf7c 227 return err;
wolfSSL 15:117db924cf7c 228
wolfSSL 15:117db924cf7c 229 /* Finalize the auth tag */
wolfSSL 15:117db924cf7c 230 err = wc_Poly1305Final(&poly1305Ctx, outAuthTag);
wolfSSL 15:117db924cf7c 231
wolfSSL 15:117db924cf7c 232 return err;
wolfSSL 15:117db924cf7c 233 }
wolfSSL 15:117db924cf7c 234
wolfSSL 15:117db924cf7c 235
wolfSSL 15:117db924cf7c 236 static void word32ToLittle64(const word32 inLittle32, byte outLittle64[8])
wolfSSL 15:117db924cf7c 237 {
wolfSSL 15:117db924cf7c 238 #ifndef WOLFSSL_X86_64_BUILD
wolfSSL 15:117db924cf7c 239 XMEMSET(outLittle64 + 4, 0, 4);
wolfSSL 15:117db924cf7c 240
wolfSSL 15:117db924cf7c 241 outLittle64[0] = (byte)(inLittle32 & 0x000000FF);
wolfSSL 15:117db924cf7c 242 outLittle64[1] = (byte)((inLittle32 & 0x0000FF00) >> 8);
wolfSSL 15:117db924cf7c 243 outLittle64[2] = (byte)((inLittle32 & 0x00FF0000) >> 16);
wolfSSL 15:117db924cf7c 244 outLittle64[3] = (byte)((inLittle32 & 0xFF000000) >> 24);
wolfSSL 15:117db924cf7c 245 #else
wolfSSL 15:117db924cf7c 246 *(word64*)outLittle64 = inLittle32;
wolfSSL 15:117db924cf7c 247 #endif
wolfSSL 15:117db924cf7c 248 }
wolfSSL 15:117db924cf7c 249
wolfSSL 15:117db924cf7c 250
wolfSSL 15:117db924cf7c 251 #endif /* HAVE_CHACHA && HAVE_POLY1305 */
wolfSSL 15:117db924cf7c 252