chachapoly.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525
  1. /**
  2. * \file chachapoly.c
  3. *
  4. * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
  5. *
  6. * Copyright The Mbed TLS Contributors
  7. * SPDX-License-Identifier: Apache-2.0
  8. *
  9. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  10. * not use this file except in compliance with the License.
  11. * You may obtain a copy of the License at
  12. *
  13. * http://www.apache.org/licenses/LICENSE-2.0
  14. *
  15. * Unless required by applicable law or agreed to in writing, software
  16. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  17. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  18. * See the License for the specific language governing permissions and
  19. * limitations under the License.
  20. */
  21. #include "common.h"
  22. #if defined(MBEDTLS_CHACHAPOLY_C)
  23. #include "mbedtls/chachapoly.h"
  24. #include "mbedtls/platform_util.h"
  25. #include "mbedtls/error.h"
  26. #include <string.h>
  27. #if defined(MBEDTLS_SELF_TEST)
  28. #if defined(MBEDTLS_PLATFORM_C)
  29. #include "mbedtls/platform.h"
  30. #else
  31. #include <stdio.h>
  32. #define mbedtls_printf printf
  33. #endif /* MBEDTLS_PLATFORM_C */
  34. #endif /* MBEDTLS_SELF_TEST */
  35. #if !defined(MBEDTLS_CHACHAPOLY_ALT)
  36. /* Parameter validation macros */
  37. #define CHACHAPOLY_VALIDATE_RET( cond ) \
  38. MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
  39. #define CHACHAPOLY_VALIDATE( cond ) \
  40. MBEDTLS_INTERNAL_VALIDATE( cond )
  41. #define CHACHAPOLY_STATE_INIT ( 0 )
  42. #define CHACHAPOLY_STATE_AAD ( 1 )
  43. #define CHACHAPOLY_STATE_CIPHERTEXT ( 2 ) /* Encrypting or decrypting */
  44. #define CHACHAPOLY_STATE_FINISHED ( 3 )
  45. /**
  46. * \brief Adds nul bytes to pad the AAD for Poly1305.
  47. *
  48. * \param ctx The ChaCha20-Poly1305 context.
  49. */
  50. static int chachapoly_pad_aad( mbedtls_chachapoly_context *ctx )
  51. {
  52. uint32_t partial_block_len = (uint32_t) ( ctx->aad_len % 16U );
  53. unsigned char zeroes[15];
  54. if( partial_block_len == 0U )
  55. return( 0 );
  56. memset( zeroes, 0, sizeof( zeroes ) );
  57. return( mbedtls_poly1305_update( &ctx->poly1305_ctx,
  58. zeroes,
  59. 16U - partial_block_len ) );
  60. }
  61. /**
  62. * \brief Adds nul bytes to pad the ciphertext for Poly1305.
  63. *
  64. * \param ctx The ChaCha20-Poly1305 context.
  65. */
  66. static int chachapoly_pad_ciphertext( mbedtls_chachapoly_context *ctx )
  67. {
  68. uint32_t partial_block_len = (uint32_t) ( ctx->ciphertext_len % 16U );
  69. unsigned char zeroes[15];
  70. if( partial_block_len == 0U )
  71. return( 0 );
  72. memset( zeroes, 0, sizeof( zeroes ) );
  73. return( mbedtls_poly1305_update( &ctx->poly1305_ctx,
  74. zeroes,
  75. 16U - partial_block_len ) );
  76. }
  77. void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx )
  78. {
  79. CHACHAPOLY_VALIDATE( ctx != NULL );
  80. mbedtls_chacha20_init( &ctx->chacha20_ctx );
  81. mbedtls_poly1305_init( &ctx->poly1305_ctx );
  82. ctx->aad_len = 0U;
  83. ctx->ciphertext_len = 0U;
  84. ctx->state = CHACHAPOLY_STATE_INIT;
  85. ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
  86. }
  87. void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx )
  88. {
  89. if( ctx == NULL )
  90. return;
  91. mbedtls_chacha20_free( &ctx->chacha20_ctx );
  92. mbedtls_poly1305_free( &ctx->poly1305_ctx );
  93. ctx->aad_len = 0U;
  94. ctx->ciphertext_len = 0U;
  95. ctx->state = CHACHAPOLY_STATE_INIT;
  96. ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
  97. }
  98. int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
  99. const unsigned char key[32] )
  100. {
  101. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  102. CHACHAPOLY_VALIDATE_RET( ctx != NULL );
  103. CHACHAPOLY_VALIDATE_RET( key != NULL );
  104. ret = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key );
  105. return( ret );
  106. }
  107. int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
  108. const unsigned char nonce[12],
  109. mbedtls_chachapoly_mode_t mode )
  110. {
  111. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  112. unsigned char poly1305_key[64];
  113. CHACHAPOLY_VALIDATE_RET( ctx != NULL );
  114. CHACHAPOLY_VALIDATE_RET( nonce != NULL );
  115. /* Set counter = 0, will be update to 1 when generating Poly1305 key */
  116. ret = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 0U );
  117. if( ret != 0 )
  118. goto cleanup;
  119. /* Generate the Poly1305 key by getting the ChaCha20 keystream output with
  120. * counter = 0. This is the same as encrypting a buffer of zeroes.
  121. * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
  122. * The other 256 bits are discarded.
  123. */
  124. memset( poly1305_key, 0, sizeof( poly1305_key ) );
  125. ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, sizeof( poly1305_key ),
  126. poly1305_key, poly1305_key );
  127. if( ret != 0 )
  128. goto cleanup;
  129. ret = mbedtls_poly1305_starts( &ctx->poly1305_ctx, poly1305_key );
  130. if( ret == 0 )
  131. {
  132. ctx->aad_len = 0U;
  133. ctx->ciphertext_len = 0U;
  134. ctx->state = CHACHAPOLY_STATE_AAD;
  135. ctx->mode = mode;
  136. }
  137. cleanup:
  138. mbedtls_platform_zeroize( poly1305_key, 64U );
  139. return( ret );
  140. }
  141. int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
  142. const unsigned char *aad,
  143. size_t aad_len )
  144. {
  145. CHACHAPOLY_VALIDATE_RET( ctx != NULL );
  146. CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad != NULL );
  147. if( ctx->state != CHACHAPOLY_STATE_AAD )
  148. return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
  149. ctx->aad_len += aad_len;
  150. return( mbedtls_poly1305_update( &ctx->poly1305_ctx, aad, aad_len ) );
  151. }
  152. int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
  153. size_t len,
  154. const unsigned char *input,
  155. unsigned char *output )
  156. {
  157. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  158. CHACHAPOLY_VALIDATE_RET( ctx != NULL );
  159. CHACHAPOLY_VALIDATE_RET( len == 0 || input != NULL );
  160. CHACHAPOLY_VALIDATE_RET( len == 0 || output != NULL );
  161. if( ( ctx->state != CHACHAPOLY_STATE_AAD ) &&
  162. ( ctx->state != CHACHAPOLY_STATE_CIPHERTEXT ) )
  163. {
  164. return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
  165. }
  166. if( ctx->state == CHACHAPOLY_STATE_AAD )
  167. {
  168. ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
  169. ret = chachapoly_pad_aad( ctx );
  170. if( ret != 0 )
  171. return( ret );
  172. }
  173. ctx->ciphertext_len += len;
  174. if( ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT )
  175. {
  176. ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
  177. if( ret != 0 )
  178. return( ret );
  179. ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, output, len );
  180. if( ret != 0 )
  181. return( ret );
  182. }
  183. else /* DECRYPT */
  184. {
  185. ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, input, len );
  186. if( ret != 0 )
  187. return( ret );
  188. ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
  189. if( ret != 0 )
  190. return( ret );
  191. }
  192. return( 0 );
  193. }
  194. int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
  195. unsigned char mac[16] )
  196. {
  197. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  198. unsigned char len_block[16];
  199. CHACHAPOLY_VALIDATE_RET( ctx != NULL );
  200. CHACHAPOLY_VALIDATE_RET( mac != NULL );
  201. if( ctx->state == CHACHAPOLY_STATE_INIT )
  202. {
  203. return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
  204. }
  205. if( ctx->state == CHACHAPOLY_STATE_AAD )
  206. {
  207. ret = chachapoly_pad_aad( ctx );
  208. if( ret != 0 )
  209. return( ret );
  210. }
  211. else if( ctx->state == CHACHAPOLY_STATE_CIPHERTEXT )
  212. {
  213. ret = chachapoly_pad_ciphertext( ctx );
  214. if( ret != 0 )
  215. return( ret );
  216. }
  217. ctx->state = CHACHAPOLY_STATE_FINISHED;
  218. /* The lengths of the AAD and ciphertext are processed by
  219. * Poly1305 as the final 128-bit block, encoded as little-endian integers.
  220. */
  221. MBEDTLS_PUT_UINT64_LE(ctx->aad_len, len_block, 0);
  222. MBEDTLS_PUT_UINT64_LE(ctx->ciphertext_len, len_block, 8);
  223. ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, len_block, 16U );
  224. if( ret != 0 )
  225. return( ret );
  226. ret = mbedtls_poly1305_finish( &ctx->poly1305_ctx, mac );
  227. return( ret );
  228. }
  229. static int chachapoly_crypt_and_tag( mbedtls_chachapoly_context *ctx,
  230. mbedtls_chachapoly_mode_t mode,
  231. size_t length,
  232. const unsigned char nonce[12],
  233. const unsigned char *aad,
  234. size_t aad_len,
  235. const unsigned char *input,
  236. unsigned char *output,
  237. unsigned char tag[16] )
  238. {
  239. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  240. ret = mbedtls_chachapoly_starts( ctx, nonce, mode );
  241. if( ret != 0 )
  242. goto cleanup;
  243. ret = mbedtls_chachapoly_update_aad( ctx, aad, aad_len );
  244. if( ret != 0 )
  245. goto cleanup;
  246. ret = mbedtls_chachapoly_update( ctx, length, input, output );
  247. if( ret != 0 )
  248. goto cleanup;
  249. ret = mbedtls_chachapoly_finish( ctx, tag );
  250. cleanup:
  251. return( ret );
  252. }
  253. int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
  254. size_t length,
  255. const unsigned char nonce[12],
  256. const unsigned char *aad,
  257. size_t aad_len,
  258. const unsigned char *input,
  259. unsigned char *output,
  260. unsigned char tag[16] )
  261. {
  262. CHACHAPOLY_VALIDATE_RET( ctx != NULL );
  263. CHACHAPOLY_VALIDATE_RET( nonce != NULL );
  264. CHACHAPOLY_VALIDATE_RET( tag != NULL );
  265. CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad != NULL );
  266. CHACHAPOLY_VALIDATE_RET( length == 0 || input != NULL );
  267. CHACHAPOLY_VALIDATE_RET( length == 0 || output != NULL );
  268. return( chachapoly_crypt_and_tag( ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
  269. length, nonce, aad, aad_len,
  270. input, output, tag ) );
  271. }
  272. int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
  273. size_t length,
  274. const unsigned char nonce[12],
  275. const unsigned char *aad,
  276. size_t aad_len,
  277. const unsigned char tag[16],
  278. const unsigned char *input,
  279. unsigned char *output )
  280. {
  281. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  282. unsigned char check_tag[16];
  283. size_t i;
  284. int diff;
  285. CHACHAPOLY_VALIDATE_RET( ctx != NULL );
  286. CHACHAPOLY_VALIDATE_RET( nonce != NULL );
  287. CHACHAPOLY_VALIDATE_RET( tag != NULL );
  288. CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad != NULL );
  289. CHACHAPOLY_VALIDATE_RET( length == 0 || input != NULL );
  290. CHACHAPOLY_VALIDATE_RET( length == 0 || output != NULL );
  291. if( ( ret = chachapoly_crypt_and_tag( ctx,
  292. MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
  293. aad, aad_len, input, output, check_tag ) ) != 0 )
  294. {
  295. return( ret );
  296. }
  297. /* Check tag in "constant-time" */
  298. for( diff = 0, i = 0; i < sizeof( check_tag ); i++ )
  299. diff |= tag[i] ^ check_tag[i];
  300. if( diff != 0 )
  301. {
  302. mbedtls_platform_zeroize( output, length );
  303. return( MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED );
  304. }
  305. return( 0 );
  306. }
  307. #endif /* MBEDTLS_CHACHAPOLY_ALT */
  308. #if defined(MBEDTLS_SELF_TEST)
  309. static const unsigned char test_key[1][32] =
  310. {
  311. {
  312. 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
  313. 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
  314. 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
  315. 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
  316. }
  317. };
  318. static const unsigned char test_nonce[1][12] =
  319. {
  320. {
  321. 0x07, 0x00, 0x00, 0x00, /* 32-bit common part */
  322. 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 /* 64-bit IV */
  323. }
  324. };
  325. static const unsigned char test_aad[1][12] =
  326. {
  327. {
  328. 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
  329. 0xc4, 0xc5, 0xc6, 0xc7
  330. }
  331. };
  332. static const size_t test_aad_len[1] =
  333. {
  334. 12U
  335. };
  336. static const unsigned char test_input[1][114] =
  337. {
  338. {
  339. 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
  340. 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
  341. 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
  342. 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
  343. 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
  344. 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
  345. 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
  346. 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
  347. 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
  348. 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
  349. 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
  350. 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
  351. 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
  352. 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
  353. 0x74, 0x2e
  354. }
  355. };
  356. static const unsigned char test_output[1][114] =
  357. {
  358. {
  359. 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
  360. 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
  361. 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
  362. 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
  363. 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
  364. 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
  365. 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
  366. 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
  367. 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
  368. 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
  369. 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
  370. 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
  371. 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
  372. 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
  373. 0x61, 0x16
  374. }
  375. };
  376. static const size_t test_input_len[1] =
  377. {
  378. 114U
  379. };
  380. static const unsigned char test_mac[1][16] =
  381. {
  382. {
  383. 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
  384. 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
  385. }
  386. };
  387. /* Make sure no other definition is already present. */
  388. #undef ASSERT
  389. #define ASSERT( cond, args ) \
  390. do \
  391. { \
  392. if( ! ( cond ) ) \
  393. { \
  394. if( verbose != 0 ) \
  395. mbedtls_printf args; \
  396. \
  397. return( -1 ); \
  398. } \
  399. } \
  400. while( 0 )
  401. int mbedtls_chachapoly_self_test( int verbose )
  402. {
  403. mbedtls_chachapoly_context ctx;
  404. unsigned i;
  405. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  406. unsigned char output[200];
  407. unsigned char mac[16];
  408. for( i = 0U; i < 1U; i++ )
  409. {
  410. if( verbose != 0 )
  411. mbedtls_printf( " ChaCha20-Poly1305 test %u ", i );
  412. mbedtls_chachapoly_init( &ctx );
  413. ret = mbedtls_chachapoly_setkey( &ctx, test_key[i] );
  414. ASSERT( 0 == ret, ( "setkey() error code: %i\n", ret ) );
  415. ret = mbedtls_chachapoly_encrypt_and_tag( &ctx,
  416. test_input_len[i],
  417. test_nonce[i],
  418. test_aad[i],
  419. test_aad_len[i],
  420. test_input[i],
  421. output,
  422. mac );
  423. ASSERT( 0 == ret, ( "crypt_and_tag() error code: %i\n", ret ) );
  424. ASSERT( 0 == memcmp( output, test_output[i], test_input_len[i] ),
  425. ( "failure (wrong output)\n" ) );
  426. ASSERT( 0 == memcmp( mac, test_mac[i], 16U ),
  427. ( "failure (wrong MAC)\n" ) );
  428. mbedtls_chachapoly_free( &ctx );
  429. if( verbose != 0 )
  430. mbedtls_printf( "passed\n" );
  431. }
  432. if( verbose != 0 )
  433. mbedtls_printf( "\n" );
  434. return( 0 );
  435. }
  436. #endif /* MBEDTLS_SELF_TEST */
  437. #endif /* MBEDTLS_CHACHAPOLY_C */