wolf SSL / wolfSSL-TLS13-Beta

wolfSSL 3.11.1 for TLS1.3 beta

Fork of wolfSSL by wolf SSL

wolfcrypt/src/chacha20_poly1305.c@0:d92f9d21154c, 2015-06-26 (annotated)

Committer:
wolfSSL
Date:
Fri Jun 26 00:39:20 2015 +0000
Revision:
0:d92f9d21154c
wolfSSL 3.6.0

Who changed what in which revision?

UserRevisionLine numberNew contents of line
wolfSSL 0:d92f9d21154c 1 /* chacha.c
wolfSSL 0:d92f9d21154c 2 *
wolfSSL 0:d92f9d21154c 3 * Copyright (C) 2006-2015 wolfSSL Inc.
wolfSSL 0:d92f9d21154c 4 *
wolfSSL 0:d92f9d21154c 5 * This file is part of wolfSSL. (formerly known as CyaSSL)
wolfSSL 0:d92f9d21154c 6 *
wolfSSL 0:d92f9d21154c 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 0:d92f9d21154c 8 * it under the terms of the GNU General Public License as published by
wolfSSL 0:d92f9d21154c 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 0:d92f9d21154c 10 * (at your option) any later version.
wolfSSL 0:d92f9d21154c 11 *
wolfSSL 0:d92f9d21154c 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 0:d92f9d21154c 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 0:d92f9d21154c 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 0:d92f9d21154c 15 * GNU General Public License for more details.
wolfSSL 0:d92f9d21154c 16 *
wolfSSL 0:d92f9d21154c 17 * You should have received a copy of the GNU General Public License
wolfSSL 0:d92f9d21154c 18 * along with this program; if not, write to the Free Software
wolfSSL 0:d92f9d21154c 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
wolfSSL 0:d92f9d21154c 20 */
wolfSSL 0:d92f9d21154c 21
wolfSSL 0:d92f9d21154c 22
wolfSSL 0:d92f9d21154c 23 #ifdef HAVE_CONFIG_H
wolfSSL 0:d92f9d21154c 24 #include <config.h>
wolfSSL 0:d92f9d21154c 25 #endif
wolfSSL 0:d92f9d21154c 26
wolfSSL 0:d92f9d21154c 27 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 0:d92f9d21154c 28
wolfSSL 0:d92f9d21154c 29 #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
wolfSSL 0:d92f9d21154c 30
wolfSSL 0:d92f9d21154c 31 #include <wolfssl/wolfcrypt/chacha20_poly1305.h>
wolfSSL 0:d92f9d21154c 32 #include <wolfssl/wolfcrypt/error-crypt.h>
wolfSSL 0:d92f9d21154c 33 #include <wolfssl/wolfcrypt/logging.h>
wolfSSL 0:d92f9d21154c 34 #include <wolfssl/wolfcrypt/chacha.h>
wolfSSL 0:d92f9d21154c 35 #include <wolfssl/wolfcrypt/poly1305.h>
wolfSSL 0:d92f9d21154c 36
wolfSSL 0:d92f9d21154c 37 #ifdef NO_INLINE
wolfSSL 0:d92f9d21154c 38 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 0:d92f9d21154c 39 #else
wolfSSL 0:d92f9d21154c 40 #include <wolfcrypt/src/misc.c>
wolfSSL 0:d92f9d21154c 41 #endif
wolfSSL 0:d92f9d21154c 42
wolfSSL 0:d92f9d21154c 43 #ifdef CHACHA_AEAD_TEST
wolfSSL 0:d92f9d21154c 44 #include <stdio.h>
wolfSSL 0:d92f9d21154c 45 #endif
wolfSSL 0:d92f9d21154c 46
wolfSSL 0:d92f9d21154c 47 #define CHACHA20_POLY1305_AEAD_INITIAL_COUNTER 0
wolfSSL 0:d92f9d21154c 48 #define CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT 16
wolfSSL 0:d92f9d21154c 49
wolfSSL 0:d92f9d21154c 50 static void word32ToLittle64(const word32 inLittle32, byte outLittle64[8]);
wolfSSL 0:d92f9d21154c 51 static int calculateAuthTag(
wolfSSL 0:d92f9d21154c 52 const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
wolfSSL 0:d92f9d21154c 53 const byte* inAAD, const word32 inAADLen,
wolfSSL 0:d92f9d21154c 54 const byte *inCiphertext, const word32 inCiphertextLen,
wolfSSL 0:d92f9d21154c 55 byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]);
wolfSSL 0:d92f9d21154c 56
wolfSSL 0:d92f9d21154c 57 int wc_ChaCha20Poly1305_Encrypt(
wolfSSL 0:d92f9d21154c 58 const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
wolfSSL 0:d92f9d21154c 59 const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE],
wolfSSL 0:d92f9d21154c 60 const byte* inAAD, const word32 inAADLen,
wolfSSL 0:d92f9d21154c 61 const byte* inPlaintext, const word32 inPlaintextLen,
wolfSSL 0:d92f9d21154c 62 byte* outCiphertext,
wolfSSL 0:d92f9d21154c 63 byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE])
wolfSSL 0:d92f9d21154c 64 {
wolfSSL 0:d92f9d21154c 65 int err;
wolfSSL 0:d92f9d21154c 66 byte poly1305Key[CHACHA20_POLY1305_AEAD_KEYSIZE];
wolfSSL 0:d92f9d21154c 67 ChaCha chaChaCtx;
wolfSSL 0:d92f9d21154c 68
wolfSSL 0:d92f9d21154c 69 /* Validate function arguments */
wolfSSL 0:d92f9d21154c 70
wolfSSL 0:d92f9d21154c 71 if (!inKey || !inIV ||
wolfSSL 0:d92f9d21154c 72 !inPlaintext || !inPlaintextLen ||
wolfSSL 0:d92f9d21154c 73 !outCiphertext ||
wolfSSL 0:d92f9d21154c 74 !outAuthTag)
wolfSSL 0:d92f9d21154c 75 {
wolfSSL 0:d92f9d21154c 76 return BAD_FUNC_ARG;
wolfSSL 0:d92f9d21154c 77 }
wolfSSL 0:d92f9d21154c 78
wolfSSL 0:d92f9d21154c 79 XMEMSET(poly1305Key, 0, sizeof(poly1305Key));
wolfSSL 0:d92f9d21154c 80
wolfSSL 0:d92f9d21154c 81 /* Create the Poly1305 key */
wolfSSL 0:d92f9d21154c 82 err = wc_Chacha_SetKey(&chaChaCtx, inKey, CHACHA20_POLY1305_AEAD_KEYSIZE);
wolfSSL 0:d92f9d21154c 83 if (err != 0) return err;
wolfSSL 0:d92f9d21154c 84
wolfSSL 0:d92f9d21154c 85 err = wc_Chacha_SetIV(&chaChaCtx, inIV,
wolfSSL 0:d92f9d21154c 86 CHACHA20_POLY1305_AEAD_INITIAL_COUNTER);
wolfSSL 0:d92f9d21154c 87 if (err != 0) return err;
wolfSSL 0:d92f9d21154c 88
wolfSSL 0:d92f9d21154c 89 err = wc_Chacha_Process(&chaChaCtx, poly1305Key, poly1305Key,
wolfSSL 0:d92f9d21154c 90 CHACHA20_POLY1305_AEAD_KEYSIZE);
wolfSSL 0:d92f9d21154c 91 if (err != 0) return err;
wolfSSL 0:d92f9d21154c 92
wolfSSL 0:d92f9d21154c 93 /* Encrypt the plaintext using ChaCha20 */
wolfSSL 0:d92f9d21154c 94 err = wc_Chacha_Process(&chaChaCtx, outCiphertext, inPlaintext,
wolfSSL 0:d92f9d21154c 95 inPlaintextLen);
wolfSSL 0:d92f9d21154c 96 /* Calculate the Poly1305 auth tag */
wolfSSL 0:d92f9d21154c 97 if (err == 0)
wolfSSL 0:d92f9d21154c 98 err = calculateAuthTag(poly1305Key,
wolfSSL 0:d92f9d21154c 99 inAAD, inAADLen,
wolfSSL 0:d92f9d21154c 100 outCiphertext, inPlaintextLen,
wolfSSL 0:d92f9d21154c 101 outAuthTag);
wolfSSL 0:d92f9d21154c 102 ForceZero(poly1305Key, sizeof(poly1305Key));
wolfSSL 0:d92f9d21154c 103
wolfSSL 0:d92f9d21154c 104 return err;
wolfSSL 0:d92f9d21154c 105 }
wolfSSL 0:d92f9d21154c 106
wolfSSL 0:d92f9d21154c 107
wolfSSL 0:d92f9d21154c 108 int wc_ChaCha20Poly1305_Decrypt(
wolfSSL 0:d92f9d21154c 109 const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
wolfSSL 0:d92f9d21154c 110 const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE],
wolfSSL 0:d92f9d21154c 111 const byte* inAAD, const word32 inAADLen,
wolfSSL 0:d92f9d21154c 112 const byte* inCiphertext, const word32 inCiphertextLen,
wolfSSL 0:d92f9d21154c 113 const byte inAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE],
wolfSSL 0:d92f9d21154c 114 byte* outPlaintext)
wolfSSL 0:d92f9d21154c 115 {
wolfSSL 0:d92f9d21154c 116 int err;
wolfSSL 0:d92f9d21154c 117 byte poly1305Key[CHACHA20_POLY1305_AEAD_KEYSIZE];
wolfSSL 0:d92f9d21154c 118 ChaCha chaChaCtx;
wolfSSL 0:d92f9d21154c 119 byte calculatedAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE];
wolfSSL 0:d92f9d21154c 120
wolfSSL 0:d92f9d21154c 121 /* Validate function arguments */
wolfSSL 0:d92f9d21154c 122
wolfSSL 0:d92f9d21154c 123 if (!inKey || !inIV ||
wolfSSL 0:d92f9d21154c 124 !inCiphertext || !inCiphertextLen ||
wolfSSL 0:d92f9d21154c 125 !inAuthTag ||
wolfSSL 0:d92f9d21154c 126 !outPlaintext)
wolfSSL 0:d92f9d21154c 127 {
wolfSSL 0:d92f9d21154c 128 return BAD_FUNC_ARG;
wolfSSL 0:d92f9d21154c 129 }
wolfSSL 0:d92f9d21154c 130
wolfSSL 0:d92f9d21154c 131 XMEMSET(calculatedAuthTag, 0, sizeof(calculatedAuthTag));
wolfSSL 0:d92f9d21154c 132 XMEMSET(poly1305Key, 0, sizeof(poly1305Key));
wolfSSL 0:d92f9d21154c 133
wolfSSL 0:d92f9d21154c 134 /* Create the Poly1305 key */
wolfSSL 0:d92f9d21154c 135 err = wc_Chacha_SetKey(&chaChaCtx, inKey, CHACHA20_POLY1305_AEAD_KEYSIZE);
wolfSSL 0:d92f9d21154c 136 if (err != 0) return err;
wolfSSL 0:d92f9d21154c 137
wolfSSL 0:d92f9d21154c 138 err = wc_Chacha_SetIV(&chaChaCtx, inIV,
wolfSSL 0:d92f9d21154c 139 CHACHA20_POLY1305_AEAD_INITIAL_COUNTER);
wolfSSL 0:d92f9d21154c 140 if (err != 0) return err;
wolfSSL 0:d92f9d21154c 141
wolfSSL 0:d92f9d21154c 142 err = wc_Chacha_Process(&chaChaCtx, poly1305Key, poly1305Key,
wolfSSL 0:d92f9d21154c 143 CHACHA20_POLY1305_AEAD_KEYSIZE);
wolfSSL 0:d92f9d21154c 144 if (err != 0) return err;
wolfSSL 0:d92f9d21154c 145
wolfSSL 0:d92f9d21154c 146 /* Calculate the Poly1305 auth tag */
wolfSSL 0:d92f9d21154c 147 err = calculateAuthTag(poly1305Key,
wolfSSL 0:d92f9d21154c 148 inAAD, inAADLen,
wolfSSL 0:d92f9d21154c 149 inCiphertext, inCiphertextLen,
wolfSSL 0:d92f9d21154c 150 calculatedAuthTag);
wolfSSL 0:d92f9d21154c 151
wolfSSL 0:d92f9d21154c 152 /* Compare the calculated auth tag with the received one */
wolfSSL 0:d92f9d21154c 153 if (err == 0 && ConstantCompare(inAuthTag, calculatedAuthTag,
wolfSSL 0:d92f9d21154c 154 CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE) != 0)
wolfSSL 0:d92f9d21154c 155 {
wolfSSL 0:d92f9d21154c 156 err = MAC_CMP_FAILED_E;
wolfSSL 0:d92f9d21154c 157 }
wolfSSL 0:d92f9d21154c 158
wolfSSL 0:d92f9d21154c 159 /* Decrypt the received ciphertext */
wolfSSL 0:d92f9d21154c 160 if (err == 0)
wolfSSL 0:d92f9d21154c 161 err = wc_Chacha_Process(&chaChaCtx, outPlaintext, inCiphertext,
wolfSSL 0:d92f9d21154c 162 inCiphertextLen);
wolfSSL 0:d92f9d21154c 163 ForceZero(poly1305Key, sizeof(poly1305Key));
wolfSSL 0:d92f9d21154c 164
wolfSSL 0:d92f9d21154c 165 return err;
wolfSSL 0:d92f9d21154c 166 }
wolfSSL 0:d92f9d21154c 167
wolfSSL 0:d92f9d21154c 168
wolfSSL 0:d92f9d21154c 169 static int calculateAuthTag(
wolfSSL 0:d92f9d21154c 170 const byte inAuthKey[CHACHA20_POLY1305_AEAD_KEYSIZE],
wolfSSL 0:d92f9d21154c 171 const byte *inAAD, const word32 inAADLen,
wolfSSL 0:d92f9d21154c 172 const byte *inCiphertext, const word32 inCiphertextLen,
wolfSSL 0:d92f9d21154c 173 byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE])
wolfSSL 0:d92f9d21154c 174 {
wolfSSL 0:d92f9d21154c 175 int err;
wolfSSL 0:d92f9d21154c 176 Poly1305 poly1305Ctx;
wolfSSL 0:d92f9d21154c 177 byte padding[CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1];
wolfSSL 0:d92f9d21154c 178 word32 paddingLen;
wolfSSL 0:d92f9d21154c 179 byte little64[8];
wolfSSL 0:d92f9d21154c 180
wolfSSL 0:d92f9d21154c 181 XMEMSET(padding, 0, sizeof(padding));
wolfSSL 0:d92f9d21154c 182
wolfSSL 0:d92f9d21154c 183 /* Initialize Poly1305 */
wolfSSL 0:d92f9d21154c 184
wolfSSL 0:d92f9d21154c 185 err = wc_Poly1305SetKey(&poly1305Ctx, inAuthKey,
wolfSSL 0:d92f9d21154c 186 CHACHA20_POLY1305_AEAD_KEYSIZE);
wolfSSL 0:d92f9d21154c 187 if (err)
wolfSSL 0:d92f9d21154c 188 {
wolfSSL 0:d92f9d21154c 189 return err;
wolfSSL 0:d92f9d21154c 190 }
wolfSSL 0:d92f9d21154c 191
wolfSSL 0:d92f9d21154c 192 /* Create the authTag by MAC'ing the following items: */
wolfSSL 0:d92f9d21154c 193
wolfSSL 0:d92f9d21154c 194 /* -- AAD */
wolfSSL 0:d92f9d21154c 195
wolfSSL 0:d92f9d21154c 196 if (inAAD && inAADLen)
wolfSSL 0:d92f9d21154c 197 {
wolfSSL 0:d92f9d21154c 198 err = wc_Poly1305Update(&poly1305Ctx, inAAD, inAADLen);
wolfSSL 0:d92f9d21154c 199
wolfSSL 0:d92f9d21154c 200 /* -- padding1: pad the AAD to 16 bytes */
wolfSSL 0:d92f9d21154c 201
wolfSSL 0:d92f9d21154c 202 paddingLen = -inAADLen & (CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1);
wolfSSL 0:d92f9d21154c 203 if (paddingLen)
wolfSSL 0:d92f9d21154c 204 {
wolfSSL 0:d92f9d21154c 205 err += wc_Poly1305Update(&poly1305Ctx, padding, paddingLen);
wolfSSL 0:d92f9d21154c 206 }
wolfSSL 0:d92f9d21154c 207
wolfSSL 0:d92f9d21154c 208 if (err)
wolfSSL 0:d92f9d21154c 209 {
wolfSSL 0:d92f9d21154c 210 return err;
wolfSSL 0:d92f9d21154c 211 }
wolfSSL 0:d92f9d21154c 212 }
wolfSSL 0:d92f9d21154c 213
wolfSSL 0:d92f9d21154c 214 /* -- Ciphertext */
wolfSSL 0:d92f9d21154c 215
wolfSSL 0:d92f9d21154c 216 err = wc_Poly1305Update(&poly1305Ctx, inCiphertext, inCiphertextLen);
wolfSSL 0:d92f9d21154c 217 if (err)
wolfSSL 0:d92f9d21154c 218 {
wolfSSL 0:d92f9d21154c 219 return err;
wolfSSL 0:d92f9d21154c 220 }
wolfSSL 0:d92f9d21154c 221
wolfSSL 0:d92f9d21154c 222 /* -- padding2: pad the ciphertext to 16 bytes */
wolfSSL 0:d92f9d21154c 223
wolfSSL 0:d92f9d21154c 224 paddingLen = -inCiphertextLen &
wolfSSL 0:d92f9d21154c 225 (CHACHA20_POLY1305_MAC_PADDING_ALIGNMENT - 1);
wolfSSL 0:d92f9d21154c 226 if (paddingLen)
wolfSSL 0:d92f9d21154c 227 {
wolfSSL 0:d92f9d21154c 228 err = wc_Poly1305Update(&poly1305Ctx, padding, paddingLen);
wolfSSL 0:d92f9d21154c 229 if (err)
wolfSSL 0:d92f9d21154c 230 {
wolfSSL 0:d92f9d21154c 231 return err;
wolfSSL 0:d92f9d21154c 232 }
wolfSSL 0:d92f9d21154c 233 }
wolfSSL 0:d92f9d21154c 234
wolfSSL 0:d92f9d21154c 235 /* -- AAD length as a 64-bit little endian integer */
wolfSSL 0:d92f9d21154c 236
wolfSSL 0:d92f9d21154c 237 word32ToLittle64(inAADLen, little64);
wolfSSL 0:d92f9d21154c 238
wolfSSL 0:d92f9d21154c 239 err = wc_Poly1305Update(&poly1305Ctx, little64, sizeof(little64));
wolfSSL 0:d92f9d21154c 240 if (err)
wolfSSL 0:d92f9d21154c 241 {
wolfSSL 0:d92f9d21154c 242 return err;
wolfSSL 0:d92f9d21154c 243 }
wolfSSL 0:d92f9d21154c 244
wolfSSL 0:d92f9d21154c 245 /* -- Ciphertext length as a 64-bit little endian integer */
wolfSSL 0:d92f9d21154c 246
wolfSSL 0:d92f9d21154c 247 word32ToLittle64(inCiphertextLen, little64);
wolfSSL 0:d92f9d21154c 248
wolfSSL 0:d92f9d21154c 249 err = wc_Poly1305Update(&poly1305Ctx, little64, sizeof(little64));
wolfSSL 0:d92f9d21154c 250 if (err)
wolfSSL 0:d92f9d21154c 251 {
wolfSSL 0:d92f9d21154c 252 return err;
wolfSSL 0:d92f9d21154c 253 }
wolfSSL 0:d92f9d21154c 254
wolfSSL 0:d92f9d21154c 255 /* Finalize the auth tag */
wolfSSL 0:d92f9d21154c 256
wolfSSL 0:d92f9d21154c 257 err = wc_Poly1305Final(&poly1305Ctx, outAuthTag);
wolfSSL 0:d92f9d21154c 258
wolfSSL 0:d92f9d21154c 259 return err;
wolfSSL 0:d92f9d21154c 260 }
wolfSSL 0:d92f9d21154c 261
wolfSSL 0:d92f9d21154c 262
wolfSSL 0:d92f9d21154c 263 static void word32ToLittle64(const word32 inLittle32, byte outLittle64[8])
wolfSSL 0:d92f9d21154c 264 {
wolfSSL 0:d92f9d21154c 265 XMEMSET(outLittle64, 0, 8);
wolfSSL 0:d92f9d21154c 266
wolfSSL 0:d92f9d21154c 267 outLittle64[0] = (inLittle32 & 0x000000FF);
wolfSSL 0:d92f9d21154c 268 outLittle64[1] = (inLittle32 & 0x0000FF00) >> 8;
wolfSSL 0:d92f9d21154c 269 outLittle64[2] = (inLittle32 & 0x00FF0000) >> 16;
wolfSSL 0:d92f9d21154c 270 outLittle64[3] = (inLittle32 & 0xFF000000) >> 24;
wolfSSL 0:d92f9d21154c 271 }
wolfSSL 0:d92f9d21154c 272
wolfSSL 0:d92f9d21154c 273
wolfSSL 0:d92f9d21154c 274 #endif /* HAVE_CHACHA && HAVE_POLY1305 */
wolfSSL 0:d92f9d21154c 275