1 /* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/aead.h>
16
17 #include <string.h>
18
19 #include <openssl/chacha.h>
20 #include <openssl/cipher.h>
21 #include <openssl/err.h>
22 #include <openssl/mem.h>
23 #include <openssl/poly1305.h>
24 #include <openssl/type_check.h>
25
26 #include "internal.h"
27 #include "../chacha/internal.h"
28 #include "../fipsmodule/cipher/internal.h"
29 #include "../internal.h"
30
31 struct aead_chacha20_poly1305_ctx {
32 uint8_t key[32];
33 };
34
35 OPENSSL_STATIC_ASSERT(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=
36 sizeof(struct aead_chacha20_poly1305_ctx),
37 "AEAD state is too small");
38 #if defined(__GNUC__) || defined(__clang__)
39 OPENSSL_STATIC_ASSERT(alignof(union evp_aead_ctx_st_state) >=
40 alignof(struct aead_chacha20_poly1305_ctx),
41 "AEAD state has insufficient alignment");
42 #endif
43
aead_chacha20_poly1305_init(EVP_AEAD_CTX * ctx,const uint8_t * key,size_t key_len,size_t tag_len)44 static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
45 size_t key_len, size_t tag_len) {
46 struct aead_chacha20_poly1305_ctx *c20_ctx =
47 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
48
49 if (tag_len == 0) {
50 tag_len = POLY1305_TAG_LEN;
51 }
52
53 if (tag_len > POLY1305_TAG_LEN) {
54 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
55 return 0;
56 }
57
58 if (key_len != sizeof(c20_ctx->key)) {
59 return 0; // internal error - EVP_AEAD_CTX_init should catch this.
60 }
61
62 OPENSSL_memcpy(c20_ctx->key, key, key_len);
63 ctx->tag_len = tag_len;
64
65 return 1;
66 }
67
aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX * ctx)68 static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {}
69
poly1305_update_length(poly1305_state * poly1305,size_t data_len)70 static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
71 uint8_t length_bytes[8];
72
73 for (unsigned i = 0; i < sizeof(length_bytes); i++) {
74 length_bytes[i] = data_len;
75 data_len >>= 8;
76 }
77
78 CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
79 }
80
81 // calc_tag fills |tag| with the authentication tag for the given inputs.
calc_tag(uint8_t tag[POLY1305_TAG_LEN],const uint8_t * key,const uint8_t nonce[12],const uint8_t * ad,size_t ad_len,const uint8_t * ciphertext,size_t ciphertext_len,const uint8_t * ciphertext_extra,size_t ciphertext_extra_len)82 static void calc_tag(uint8_t tag[POLY1305_TAG_LEN], const uint8_t *key,
83 const uint8_t nonce[12], const uint8_t *ad, size_t ad_len,
84 const uint8_t *ciphertext, size_t ciphertext_len,
85 const uint8_t *ciphertext_extra,
86 size_t ciphertext_extra_len) {
87 alignas(16) uint8_t poly1305_key[32];
88 OPENSSL_memset(poly1305_key, 0, sizeof(poly1305_key));
89 CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), key, nonce,
90 0);
91
92 static const uint8_t padding[16] = { 0 }; // Padding is all zeros.
93 poly1305_state ctx;
94 CRYPTO_poly1305_init(&ctx, poly1305_key);
95 CRYPTO_poly1305_update(&ctx, ad, ad_len);
96 if (ad_len % 16 != 0) {
97 CRYPTO_poly1305_update(&ctx, padding, sizeof(padding) - (ad_len % 16));
98 }
99 CRYPTO_poly1305_update(&ctx, ciphertext, ciphertext_len);
100 CRYPTO_poly1305_update(&ctx, ciphertext_extra, ciphertext_extra_len);
101 const size_t ciphertext_total = ciphertext_len + ciphertext_extra_len;
102 if (ciphertext_total % 16 != 0) {
103 CRYPTO_poly1305_update(&ctx, padding,
104 sizeof(padding) - (ciphertext_total % 16));
105 }
106 poly1305_update_length(&ctx, ad_len);
107 poly1305_update_length(&ctx, ciphertext_total);
108 CRYPTO_poly1305_finish(&ctx, tag);
109 }
110
chacha20_poly1305_seal_scatter(const uint8_t * key,uint8_t * out,uint8_t * out_tag,size_t * out_tag_len,size_t max_out_tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * extra_in,size_t extra_in_len,const uint8_t * ad,size_t ad_len,size_t tag_len)111 static int chacha20_poly1305_seal_scatter(
112 const uint8_t *key, uint8_t *out, uint8_t *out_tag,
113 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
114 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
115 size_t extra_in_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {
116 if (extra_in_len + tag_len < tag_len) {
117 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
118 return 0;
119 }
120 if (max_out_tag_len < tag_len + extra_in_len) {
121 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
122 return 0;
123 }
124 if (nonce_len != 12) {
125 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
126 return 0;
127 }
128
129 // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
130 // individual operations that work on more than 256GB at a time.
131 // |in_len_64| is needed because, on 32-bit platforms, size_t is only
132 // 32-bits and this produces a warning because it's always false.
133 // Casting to uint64_t inside the conditional is not sufficient to stop
134 // the warning.
135 const uint64_t in_len_64 = in_len;
136 if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
137 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
138 return 0;
139 }
140
141 if (max_out_tag_len < tag_len) {
142 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
143 return 0;
144 }
145
146 // The the extra input is given, it is expected to be very short and so is
147 // encrypted byte-by-byte first.
148 if (extra_in_len) {
149 static const size_t kChaChaBlockSize = 64;
150 uint32_t block_counter = 1 + (in_len / kChaChaBlockSize);
151 size_t offset = in_len % kChaChaBlockSize;
152 uint8_t block[64 /* kChaChaBlockSize */];
153
154 for (size_t done = 0; done < extra_in_len; block_counter++) {
155 memset(block, 0, sizeof(block));
156 CRYPTO_chacha_20(block, block, sizeof(block), key, nonce,
157 block_counter);
158 for (size_t i = offset; i < sizeof(block) && done < extra_in_len;
159 i++, done++) {
160 out_tag[done] = extra_in[done] ^ block[i];
161 }
162 offset = 0;
163 }
164 }
165
166 union chacha20_poly1305_seal_data data;
167 if (chacha20_poly1305_asm_capable()) {
168 OPENSSL_memcpy(data.in.key, key, 32);
169 data.in.counter = 0;
170 OPENSSL_memcpy(data.in.nonce, nonce, 12);
171 data.in.extra_ciphertext = out_tag;
172 data.in.extra_ciphertext_len = extra_in_len;
173 chacha20_poly1305_seal(out, in, in_len, ad, ad_len, &data);
174 } else {
175 CRYPTO_chacha_20(out, in, in_len, key, nonce, 1);
176 calc_tag(data.out.tag, key, nonce, ad, ad_len, out, in_len, out_tag,
177 extra_in_len);
178 }
179
180 OPENSSL_memcpy(out_tag + extra_in_len, data.out.tag, tag_len);
181 *out_tag_len = extra_in_len + tag_len;
182 return 1;
183 }
184
aead_chacha20_poly1305_seal_scatter(const EVP_AEAD_CTX * ctx,uint8_t * out,uint8_t * out_tag,size_t * out_tag_len,size_t max_out_tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * extra_in,size_t extra_in_len,const uint8_t * ad,size_t ad_len)185 static int aead_chacha20_poly1305_seal_scatter(
186 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
187 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
188 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
189 size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
190 const struct aead_chacha20_poly1305_ctx *c20_ctx =
191 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
192
193 return chacha20_poly1305_seal_scatter(
194 c20_ctx->key, out, out_tag, out_tag_len, max_out_tag_len, nonce,
195 nonce_len, in, in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len);
196 }
197
aead_xchacha20_poly1305_seal_scatter(const EVP_AEAD_CTX * ctx,uint8_t * out,uint8_t * out_tag,size_t * out_tag_len,size_t max_out_tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * extra_in,size_t extra_in_len,const uint8_t * ad,size_t ad_len)198 static int aead_xchacha20_poly1305_seal_scatter(
199 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
200 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
201 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
202 size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
203 const struct aead_chacha20_poly1305_ctx *c20_ctx =
204 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
205
206 if (nonce_len != 24) {
207 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
208 return 0;
209 }
210
211 alignas(4) uint8_t derived_key[32];
212 alignas(4) uint8_t derived_nonce[12];
213 CRYPTO_hchacha20(derived_key, c20_ctx->key, nonce);
214 OPENSSL_memset(derived_nonce, 0, 4);
215 OPENSSL_memcpy(&derived_nonce[4], &nonce[16], 8);
216
217 return chacha20_poly1305_seal_scatter(
218 derived_key, out, out_tag, out_tag_len, max_out_tag_len,
219 derived_nonce, sizeof(derived_nonce), in, in_len, extra_in, extra_in_len,
220 ad, ad_len, ctx->tag_len);
221 }
222
chacha20_poly1305_open_gather(const uint8_t * key,uint8_t * out,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * in_tag,size_t in_tag_len,const uint8_t * ad,size_t ad_len,size_t tag_len)223 static int chacha20_poly1305_open_gather(
224 const uint8_t *key, uint8_t *out, const uint8_t *nonce,
225 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
226 size_t in_tag_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {
227 if (nonce_len != 12) {
228 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
229 return 0;
230 }
231
232 if (in_tag_len != tag_len) {
233 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
234 return 0;
235 }
236
237 // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
238 // individual operations that work on more than 256GB at a time.
239 // |in_len_64| is needed because, on 32-bit platforms, size_t is only
240 // 32-bits and this produces a warning because it's always false.
241 // Casting to uint64_t inside the conditional is not sufficient to stop
242 // the warning.
243 const uint64_t in_len_64 = in_len;
244 if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
245 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
246 return 0;
247 }
248
249 union chacha20_poly1305_open_data data;
250 if (chacha20_poly1305_asm_capable()) {
251 OPENSSL_memcpy(data.in.key, key, 32);
252 data.in.counter = 0;
253 OPENSSL_memcpy(data.in.nonce, nonce, 12);
254 chacha20_poly1305_open(out, in, in_len, ad, ad_len, &data);
255 } else {
256 calc_tag(data.out.tag, key, nonce, ad, ad_len, in, in_len, NULL, 0);
257 CRYPTO_chacha_20(out, in, in_len, key, nonce, 1);
258 }
259
260 if (CRYPTO_memcmp(data.out.tag, in_tag, tag_len) != 0) {
261 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
262 return 0;
263 }
264
265 return 1;
266 }
267
aead_chacha20_poly1305_open_gather(const EVP_AEAD_CTX * ctx,uint8_t * out,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * in_tag,size_t in_tag_len,const uint8_t * ad,size_t ad_len)268 static int aead_chacha20_poly1305_open_gather(
269 const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
270 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
271 size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
272 const struct aead_chacha20_poly1305_ctx *c20_ctx =
273 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
274
275 return chacha20_poly1305_open_gather(c20_ctx->key, out, nonce, nonce_len, in,
276 in_len, in_tag, in_tag_len, ad, ad_len,
277 ctx->tag_len);
278 }
279
aead_xchacha20_poly1305_open_gather(const EVP_AEAD_CTX * ctx,uint8_t * out,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * in_tag,size_t in_tag_len,const uint8_t * ad,size_t ad_len)280 static int aead_xchacha20_poly1305_open_gather(
281 const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
282 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
283 size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
284 const struct aead_chacha20_poly1305_ctx *c20_ctx =
285 (struct aead_chacha20_poly1305_ctx *)&ctx->state;
286
287 if (nonce_len != 24) {
288 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
289 return 0;
290 }
291
292 alignas(4) uint8_t derived_key[32];
293 alignas(4) uint8_t derived_nonce[12];
294 CRYPTO_hchacha20(derived_key, c20_ctx->key, nonce);
295 OPENSSL_memset(derived_nonce, 0, 4);
296 OPENSSL_memcpy(&derived_nonce[4], &nonce[16], 8);
297
298 return chacha20_poly1305_open_gather(
299 derived_key, out, derived_nonce, sizeof(derived_nonce), in, in_len,
300 in_tag, in_tag_len, ad, ad_len, ctx->tag_len);
301 }
302
303 static const EVP_AEAD aead_chacha20_poly1305 = {
304 32, // key len
305 12, // nonce len
306 POLY1305_TAG_LEN, // overhead
307 POLY1305_TAG_LEN, // max tag length
308 1, // seal_scatter_supports_extra_in
309
310 aead_chacha20_poly1305_init,
311 NULL, // init_with_direction
312 aead_chacha20_poly1305_cleanup,
313 NULL /* open */,
314 aead_chacha20_poly1305_seal_scatter,
315 aead_chacha20_poly1305_open_gather,
316 NULL, // get_iv
317 NULL, // tag_len
318 };
319
320 static const EVP_AEAD aead_xchacha20_poly1305 = {
321 32, // key len
322 24, // nonce len
323 POLY1305_TAG_LEN, // overhead
324 POLY1305_TAG_LEN, // max tag length
325 1, // seal_scatter_supports_extra_in
326
327 aead_chacha20_poly1305_init,
328 NULL, // init_with_direction
329 aead_chacha20_poly1305_cleanup,
330 NULL /* open */,
331 aead_xchacha20_poly1305_seal_scatter,
332 aead_xchacha20_poly1305_open_gather,
333 NULL, // get_iv
334 NULL, // tag_len
335 };
336
EVP_aead_chacha20_poly1305(void)337 const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
338 return &aead_chacha20_poly1305;
339 }
340
EVP_aead_xchacha20_poly1305(void)341 const EVP_AEAD *EVP_aead_xchacha20_poly1305(void) {
342 return &aead_xchacha20_poly1305;
343 }
344