1 /* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/aead.h>
16
17 #include <string.h>
18
19 #include <openssl/chacha.h>
20 #include <openssl/cipher.h>
21 #include <openssl/cpu.h>
22 #include <openssl/err.h>
23 #include <openssl/mem.h>
24 #include <openssl/poly1305.h>
25 #include <openssl/type_check.h>
26
27 #include "../fipsmodule/cipher/internal.h"
28 #include "../internal.h"
29 #include "../chacha/internal.h"
30
31
32 #define POLY1305_TAG_LEN 16
33
34 struct aead_chacha20_poly1305_ctx {
35 uint8_t key[32];
36 };
37
38 OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
39 sizeof(struct aead_chacha20_poly1305_ctx),
40 "AEAD state is too small");
41 #if defined(__GNUC__) || defined(__clang__)
42 OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
43 alignof(struct aead_chacha20_poly1305_ctx),
44 "AEAD state has insufficient alignment");
45 #endif
46
47 // For convenience (the x86_64 calling convention allows only six parameters in
48 // registers), the final parameter for the assembly functions is both an input
49 // and output parameter.
50 union open_data {
51 struct {
52 alignas(16) uint8_t key[32];
53 uint32_t counter;
54 uint8_t nonce[12];
55 } in;
56 struct {
57 uint8_t tag[POLY1305_TAG_LEN];
58 } out;
59 };
60
61 union seal_data {
62 struct {
63 alignas(16) uint8_t key[32];
64 uint32_t counter;
65 uint8_t nonce[12];
66 const uint8_t *extra_ciphertext;
67 size_t extra_ciphertext_len;
68 } in;
69 struct {
70 uint8_t tag[POLY1305_TAG_LEN];
71 } out;
72 };
73
74 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \
75 !defined(OPENSSL_WINDOWS)
asm_capable(void)76 static int asm_capable(void) {
77 const int sse41_capable = (OPENSSL_ia32cap_P[1] & (1 << 19)) != 0;
78 return sse41_capable;
79 }
80
81 OPENSSL_STATIC_ASSERT(sizeof(union open_data) == 48, "wrong open_data size");
82 OPENSSL_STATIC_ASSERT(sizeof(union seal_data) == 48 + 8 + 8,
83 "wrong seal_data size");
84
85 // chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It decrypts
86 // |plaintext_len| bytes from |ciphertext| and writes them to |out_plaintext|.
87 // Additional input parameters are passed in |aead_data->in|. On exit, it will
88 // write calculated tag value to |aead_data->out.tag|, which the caller must
89 // check.
90 extern void chacha20_poly1305_open(uint8_t *out_plaintext,
91 const uint8_t *ciphertext,
92 size_t plaintext_len, const uint8_t *ad,
93 size_t ad_len, union open_data *aead_data);
94
95 // chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It encrypts
96 // |plaintext_len| bytes from |plaintext| and writes them to |out_ciphertext|.
97 // Additional input parameters are passed in |aead_data->in|. The calculated tag
98 // value is over the computed ciphertext concatenated with |extra_ciphertext|
99 // and written to |aead_data->out.tag|.
100 extern void chacha20_poly1305_seal(uint8_t *out_ciphertext,
101 const uint8_t *plaintext,
102 size_t plaintext_len, const uint8_t *ad,
103 size_t ad_len, union seal_data *aead_data);
104 #else
asm_capable(void)105 static int asm_capable(void) { return 0; }
106
107
chacha20_poly1305_open(uint8_t * out_plaintext,const uint8_t * ciphertext,size_t plaintext_len,const uint8_t * ad,size_t ad_len,union open_data * aead_data)108 static void chacha20_poly1305_open(uint8_t *out_plaintext,
109 const uint8_t *ciphertext,
110 size_t plaintext_len, const uint8_t *ad,
111 size_t ad_len, union open_data *aead_data) {}
112
chacha20_poly1305_seal(uint8_t * out_ciphertext,const uint8_t * plaintext,size_t plaintext_len,const uint8_t * ad,size_t ad_len,union seal_data * aead_data)113 static void chacha20_poly1305_seal(uint8_t *out_ciphertext,
114 const uint8_t *plaintext,
115 size_t plaintext_len, const uint8_t *ad,
116 size_t ad_len, union seal_data *aead_data) {}
117 #endif
118
aead_chacha20_poly1305_init(EVP_AEAD_CTX * ctx,const uint8_t * key,size_t key_len,size_t tag_len)119 static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
120 size_t key_len, size_t tag_len) {
121 struct aead_chacha20_poly1305_ctx *c20_ctx =
122 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
123
124 if (tag_len == 0) {
125 tag_len = POLY1305_TAG_LEN;
126 }
127
128 if (tag_len > POLY1305_TAG_LEN) {
129 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
130 return 0;
131 }
132
133 if (key_len != sizeof(c20_ctx->key)) {
134 return 0; // internal error - EVP_AEAD_CTX_init should catch this.
135 }
136
137 OPENSSL_memcpy(c20_ctx->key, key, key_len);
138 ctx->tag_len = tag_len;
139
140 return 1;
141 }
142
aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX * ctx)143 static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {}
144
poly1305_update_length(poly1305_state * poly1305,size_t data_len)145 static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
146 uint8_t length_bytes[8];
147
148 for (unsigned i = 0; i < sizeof(length_bytes); i++) {
149 length_bytes[i] = data_len;
150 data_len >>= 8;
151 }
152
153 CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
154 }
155
156 // calc_tag fills |tag| with the authentication tag for the given inputs.
calc_tag(uint8_t tag[POLY1305_TAG_LEN],const uint8_t * key,const uint8_t nonce[12],const uint8_t * ad,size_t ad_len,const uint8_t * ciphertext,size_t ciphertext_len,const uint8_t * ciphertext_extra,size_t ciphertext_extra_len)157 static void calc_tag(uint8_t tag[POLY1305_TAG_LEN], const uint8_t *key,
158 const uint8_t nonce[12], const uint8_t *ad, size_t ad_len,
159 const uint8_t *ciphertext, size_t ciphertext_len,
160 const uint8_t *ciphertext_extra,
161 size_t ciphertext_extra_len) {
162 alignas(16) uint8_t poly1305_key[32];
163 OPENSSL_memset(poly1305_key, 0, sizeof(poly1305_key));
164 CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), key, nonce,
165 0);
166
167 static const uint8_t padding[16] = { 0 }; // Padding is all zeros.
168 poly1305_state ctx;
169 CRYPTO_poly1305_init(&ctx, poly1305_key);
170 CRYPTO_poly1305_update(&ctx, ad, ad_len);
171 if (ad_len % 16 != 0) {
172 CRYPTO_poly1305_update(&ctx, padding, sizeof(padding) - (ad_len % 16));
173 }
174 CRYPTO_poly1305_update(&ctx, ciphertext, ciphertext_len);
175 CRYPTO_poly1305_update(&ctx, ciphertext_extra, ciphertext_extra_len);
176 const size_t ciphertext_total = ciphertext_len + ciphertext_extra_len;
177 if (ciphertext_total % 16 != 0) {
178 CRYPTO_poly1305_update(&ctx, padding,
179 sizeof(padding) - (ciphertext_total % 16));
180 }
181 poly1305_update_length(&ctx, ad_len);
182 poly1305_update_length(&ctx, ciphertext_total);
183 CRYPTO_poly1305_finish(&ctx, tag);
184 }
185
chacha20_poly1305_seal_scatter(const uint8_t * key,uint8_t * out,uint8_t * out_tag,size_t * out_tag_len,size_t max_out_tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * extra_in,size_t extra_in_len,const uint8_t * ad,size_t ad_len,size_t tag_len)186 static int chacha20_poly1305_seal_scatter(
187 const uint8_t *key, uint8_t *out, uint8_t *out_tag,
188 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
189 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
190 size_t extra_in_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {
191 if (extra_in_len + tag_len < tag_len) {
192 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
193 return 0;
194 }
195 if (max_out_tag_len < tag_len + extra_in_len) {
196 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
197 return 0;
198 }
199 if (nonce_len != 12) {
200 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
201 return 0;
202 }
203
204 // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
205 // individual operations that work on more than 256GB at a time.
206 // |in_len_64| is needed because, on 32-bit platforms, size_t is only
207 // 32-bits and this produces a warning because it's always false.
208 // Casting to uint64_t inside the conditional is not sufficient to stop
209 // the warning.
210 const uint64_t in_len_64 = in_len;
211 if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
212 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
213 return 0;
214 }
215
216 if (max_out_tag_len < tag_len) {
217 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
218 return 0;
219 }
220
221 // The the extra input is given, it is expected to be very short and so is
222 // encrypted byte-by-byte first.
223 if (extra_in_len) {
224 static const size_t kChaChaBlockSize = 64;
225 uint32_t block_counter = 1 + (in_len / kChaChaBlockSize);
226 size_t offset = in_len % kChaChaBlockSize;
227 uint8_t block[64 /* kChaChaBlockSize */];
228
229 for (size_t done = 0; done < extra_in_len; block_counter++) {
230 memset(block, 0, sizeof(block));
231 CRYPTO_chacha_20(block, block, sizeof(block), key, nonce,
232 block_counter);
233 for (size_t i = offset; i < sizeof(block) && done < extra_in_len;
234 i++, done++) {
235 out_tag[done] = extra_in[done] ^ block[i];
236 }
237 offset = 0;
238 }
239 }
240
241 union seal_data data;
242 if (asm_capable()) {
243 OPENSSL_memcpy(data.in.key, key, 32);
244 data.in.counter = 0;
245 OPENSSL_memcpy(data.in.nonce, nonce, 12);
246 data.in.extra_ciphertext = out_tag;
247 data.in.extra_ciphertext_len = extra_in_len;
248 chacha20_poly1305_seal(out, in, in_len, ad, ad_len, &data);
249 } else {
250 CRYPTO_chacha_20(out, in, in_len, key, nonce, 1);
251 calc_tag(data.out.tag, key, nonce, ad, ad_len, out, in_len, out_tag,
252 extra_in_len);
253 }
254
255 OPENSSL_memcpy(out_tag + extra_in_len, data.out.tag, tag_len);
256 *out_tag_len = extra_in_len + tag_len;
257 return 1;
258 }
259
aead_chacha20_poly1305_seal_scatter(const EVP_AEAD_CTX * ctx,uint8_t * out,uint8_t * out_tag,size_t * out_tag_len,size_t max_out_tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * extra_in,size_t extra_in_len,const uint8_t * ad,size_t ad_len)260 static int aead_chacha20_poly1305_seal_scatter(
261 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
262 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
263 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
264 size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
265 const struct aead_chacha20_poly1305_ctx *c20_ctx =
266 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
267
268 return chacha20_poly1305_seal_scatter(
269 c20_ctx->key, out, out_tag, out_tag_len, max_out_tag_len, nonce,
270 nonce_len, in, in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len);
271 }
272
aead_xchacha20_poly1305_seal_scatter(const EVP_AEAD_CTX * ctx,uint8_t * out,uint8_t * out_tag,size_t * out_tag_len,size_t max_out_tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * extra_in,size_t extra_in_len,const uint8_t * ad,size_t ad_len)273 static int aead_xchacha20_poly1305_seal_scatter(
274 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
275 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
276 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
277 size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
278 const struct aead_chacha20_poly1305_ctx *c20_ctx =
279 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
280
281 if (nonce_len != 24) {
282 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
283 return 0;
284 }
285
286 alignas(4) uint8_t derived_key[32];
287 alignas(4) uint8_t derived_nonce[12];
288 CRYPTO_hchacha20(derived_key, c20_ctx->key, nonce);
289 OPENSSL_memset(derived_nonce, 0, 4);
290 OPENSSL_memcpy(&derived_nonce[4], &nonce[16], 8);
291
292 return chacha20_poly1305_seal_scatter(
293 derived_key, out, out_tag, out_tag_len, max_out_tag_len,
294 derived_nonce, sizeof(derived_nonce), in, in_len, extra_in, extra_in_len,
295 ad, ad_len, ctx->tag_len);
296 }
297
chacha20_poly1305_open_gather(const uint8_t * key,uint8_t * out,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * in_tag,size_t in_tag_len,const uint8_t * ad,size_t ad_len,size_t tag_len)298 static int chacha20_poly1305_open_gather(
299 const uint8_t *key, uint8_t *out, const uint8_t *nonce,
300 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
301 size_t in_tag_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {
302 if (nonce_len != 12) {
303 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
304 return 0;
305 }
306
307 if (in_tag_len != tag_len) {
308 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
309 return 0;
310 }
311
312 // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
313 // individual operations that work on more than 256GB at a time.
314 // |in_len_64| is needed because, on 32-bit platforms, size_t is only
315 // 32-bits and this produces a warning because it's always false.
316 // Casting to uint64_t inside the conditional is not sufficient to stop
317 // the warning.
318 const uint64_t in_len_64 = in_len;
319 if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
320 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
321 return 0;
322 }
323
324 union open_data data;
325 if (asm_capable()) {
326 OPENSSL_memcpy(data.in.key, key, 32);
327 data.in.counter = 0;
328 OPENSSL_memcpy(data.in.nonce, nonce, 12);
329 chacha20_poly1305_open(out, in, in_len, ad, ad_len, &data);
330 } else {
331 calc_tag(data.out.tag, key, nonce, ad, ad_len, in, in_len, NULL, 0);
332 CRYPTO_chacha_20(out, in, in_len, key, nonce, 1);
333 }
334
335 if (CRYPTO_memcmp(data.out.tag, in_tag, tag_len) != 0) {
336 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
337 return 0;
338 }
339
340 return 1;
341 }
342
aead_chacha20_poly1305_open_gather(const EVP_AEAD_CTX * ctx,uint8_t * out,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * in_tag,size_t in_tag_len,const uint8_t * ad,size_t ad_len)343 static int aead_chacha20_poly1305_open_gather(
344 const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
345 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
346 size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
347 const struct aead_chacha20_poly1305_ctx *c20_ctx =
348 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
349
350 return chacha20_poly1305_open_gather(c20_ctx->key, out, nonce, nonce_len, in,
351 in_len, in_tag, in_tag_len, ad, ad_len,
352 ctx->tag_len);
353 }
354
aead_xchacha20_poly1305_open_gather(const EVP_AEAD_CTX * ctx,uint8_t * out,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * in_tag,size_t in_tag_len,const uint8_t * ad,size_t ad_len)355 static int aead_xchacha20_poly1305_open_gather(
356 const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
357 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
358 size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
359 const struct aead_chacha20_poly1305_ctx *c20_ctx =
360 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
361
362 if (nonce_len != 24) {
363 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
364 return 0;
365 }
366
367 alignas(4) uint8_t derived_key[32];
368 alignas(4) uint8_t derived_nonce[12];
369 CRYPTO_hchacha20(derived_key, c20_ctx->key, nonce);
370 OPENSSL_memset(derived_nonce, 0, 4);
371 OPENSSL_memcpy(&derived_nonce[4], &nonce[16], 8);
372
373 return chacha20_poly1305_open_gather(
374 derived_key, out, derived_nonce, sizeof(derived_nonce), in, in_len,
375 in_tag, in_tag_len, ad, ad_len, ctx->tag_len);
376 }
377
378 static const EVP_AEAD aead_chacha20_poly1305 = {
379 32, // key len
380 12, // nonce len
381 POLY1305_TAG_LEN, // overhead
382 POLY1305_TAG_LEN, // max tag length
383 1, // seal_scatter_supports_extra_in
384
385 aead_chacha20_poly1305_init,
386 NULL, // init_with_direction
387 aead_chacha20_poly1305_cleanup,
388 NULL /* open */,
389 aead_chacha20_poly1305_seal_scatter,
390 aead_chacha20_poly1305_open_gather,
391 NULL, // get_iv
392 NULL, // tag_len
393 };
394
395 static const EVP_AEAD aead_xchacha20_poly1305 = {
396 32, // key len
397 24, // nonce len
398 POLY1305_TAG_LEN, // overhead
399 POLY1305_TAG_LEN, // max tag length
400 1, // seal_scatter_supports_extra_in
401
402 aead_chacha20_poly1305_init,
403 NULL, // init_with_direction
404 aead_chacha20_poly1305_cleanup,
405 NULL /* open */,
406 aead_xchacha20_poly1305_seal_scatter,
407 aead_xchacha20_poly1305_open_gather,
408 NULL, // get_iv
409 NULL, // tag_len
410 };
411
EVP_aead_chacha20_poly1305(void)412 const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
413 return &aead_chacha20_poly1305;
414 }
415
EVP_aead_xchacha20_poly1305(void)416 const EVP_AEAD *EVP_aead_xchacha20_poly1305(void) {
417 return &aead_xchacha20_poly1305;
418 }
419