1 /* Copyright (c) 2014, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/aead.h>
16
17 #include <string.h>
18
19 #include <openssl/chacha.h>
20 #include <openssl/cipher.h>
21 #include <openssl/cpu.h>
22 #include <openssl/err.h>
23 #include <openssl/mem.h>
24 #include <openssl/poly1305.h>
25
26 #include "../fipsmodule/cipher/internal.h"
27 #include "../internal.h"
28
29
30 #define POLY1305_TAG_LEN 16
31
32 struct aead_chacha20_poly1305_ctx {
33 unsigned char key[32];
34 };
35
36 #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \
37 !defined(OPENSSL_WINDOWS)
asm_capable(void)38 static int asm_capable(void) {
39 const int sse41_capable = (OPENSSL_ia32cap_P[1] & (1 << 19)) != 0;
40 return sse41_capable;
41 }
42
43 // chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It
44 // decrypts |plaintext_len| bytes from |ciphertext| and writes them to
45 // |out_plaintext|. On entry, |aead_data| must contain the final 48 bytes of
46 // the initial ChaCha20 block, i.e. the key, followed by four zeros, followed
47 // by the nonce. On exit, it will contain the calculated tag value, which the
48 // caller must check.
49 extern void chacha20_poly1305_open(uint8_t *out_plaintext,
50 const uint8_t *ciphertext,
51 size_t plaintext_len, const uint8_t *ad,
52 size_t ad_len, uint8_t *aead_data);
53
54 // chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It
55 // encrypts |plaintext_len| bytes from |plaintext| and writes them to
56 // |out_ciphertext|. On entry, |aead_data| must contain the final 48 bytes of
57 // the initial ChaCha20 block, i.e. the key, followed by four zeros, followed
58 // by the nonce. On exit, it will contain the calculated tag value, which the
59 // caller must append to the ciphertext.
60 extern void chacha20_poly1305_seal(uint8_t *out_ciphertext,
61 const uint8_t *plaintext,
62 size_t plaintext_len, const uint8_t *ad,
63 size_t ad_len, uint8_t *aead_data);
64 #else
asm_capable(void)65 static int asm_capable(void) {
66 return 0;
67 }
68
69
chacha20_poly1305_open(uint8_t * out_plaintext,const uint8_t * ciphertext,size_t plaintext_len,const uint8_t * ad,size_t ad_len,uint8_t * aead_data)70 static void chacha20_poly1305_open(uint8_t *out_plaintext,
71 const uint8_t *ciphertext,
72 size_t plaintext_len, const uint8_t *ad,
73 size_t ad_len, uint8_t *aead_data) {}
74
chacha20_poly1305_seal(uint8_t * out_ciphertext,const uint8_t * plaintext,size_t plaintext_len,const uint8_t * ad,size_t ad_len,uint8_t * aead_data)75 static void chacha20_poly1305_seal(uint8_t *out_ciphertext,
76 const uint8_t *plaintext,
77 size_t plaintext_len, const uint8_t *ad,
78 size_t ad_len, uint8_t *aead_data) {}
79 #endif
80
aead_chacha20_poly1305_init(EVP_AEAD_CTX * ctx,const uint8_t * key,size_t key_len,size_t tag_len)81 static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
82 size_t key_len, size_t tag_len) {
83 struct aead_chacha20_poly1305_ctx *c20_ctx;
84
85 if (tag_len == 0) {
86 tag_len = POLY1305_TAG_LEN;
87 }
88
89 if (tag_len > POLY1305_TAG_LEN) {
90 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
91 return 0;
92 }
93
94 if (key_len != sizeof(c20_ctx->key)) {
95 return 0; /* internal error - EVP_AEAD_CTX_init should catch this. */
96 }
97
98 c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx));
99 if (c20_ctx == NULL) {
100 return 0;
101 }
102
103 OPENSSL_memcpy(c20_ctx->key, key, key_len);
104 ctx->aead_state = c20_ctx;
105 ctx->tag_len = tag_len;
106
107 return 1;
108 }
109
aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX * ctx)110 static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {
111 struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
112 OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key));
113 OPENSSL_free(c20_ctx);
114 }
115
poly1305_update_length(poly1305_state * poly1305,size_t data_len)116 static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
117 uint8_t length_bytes[8];
118
119 for (unsigned i = 0; i < sizeof(length_bytes); i++) {
120 length_bytes[i] = data_len;
121 data_len >>= 8;
122 }
123
124 CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
125 }
126
127 /* calc_tag fills |tag| with the authentication tag for the given inputs. */
calc_tag(uint8_t tag[POLY1305_TAG_LEN],const struct aead_chacha20_poly1305_ctx * c20_ctx,const uint8_t nonce[12],const uint8_t * ad,size_t ad_len,const uint8_t * ciphertext,size_t ciphertext_len,const uint8_t * ciphertext_extra,size_t ciphertext_extra_len)128 static void calc_tag(uint8_t tag[POLY1305_TAG_LEN],
129 const struct aead_chacha20_poly1305_ctx *c20_ctx,
130 const uint8_t nonce[12], const uint8_t *ad, size_t ad_len,
131 const uint8_t *ciphertext, size_t ciphertext_len,
132 const uint8_t *ciphertext_extra,
133 size_t ciphertext_extra_len) {
134 alignas(16) uint8_t poly1305_key[32];
135 OPENSSL_memset(poly1305_key, 0, sizeof(poly1305_key));
136 CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
137 c20_ctx->key, nonce, 0);
138
139 static const uint8_t padding[16] = { 0 }; /* Padding is all zeros. */
140 poly1305_state ctx;
141 CRYPTO_poly1305_init(&ctx, poly1305_key);
142 CRYPTO_poly1305_update(&ctx, ad, ad_len);
143 if (ad_len % 16 != 0) {
144 CRYPTO_poly1305_update(&ctx, padding, sizeof(padding) - (ad_len % 16));
145 }
146 CRYPTO_poly1305_update(&ctx, ciphertext, ciphertext_len);
147 CRYPTO_poly1305_update(&ctx, ciphertext_extra, ciphertext_extra_len);
148 const size_t ciphertext_total = ciphertext_len + ciphertext_extra_len;
149 if (ciphertext_total % 16 != 0) {
150 CRYPTO_poly1305_update(&ctx, padding,
151 sizeof(padding) - (ciphertext_total % 16));
152 }
153 poly1305_update_length(&ctx, ad_len);
154 poly1305_update_length(&ctx, ciphertext_total);
155 CRYPTO_poly1305_finish(&ctx, tag);
156 }
157
aead_chacha20_poly1305_seal_scatter(const EVP_AEAD_CTX * ctx,uint8_t * out,uint8_t * out_tag,size_t * out_tag_len,size_t max_out_tag_len,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * extra_in,size_t extra_in_len,const uint8_t * ad,size_t ad_len)158 static int aead_chacha20_poly1305_seal_scatter(
159 const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,
160 size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,
161 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,
162 size_t extra_in_len, const uint8_t *ad, size_t ad_len) {
163 const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
164
165 if (extra_in_len + ctx->tag_len < ctx->tag_len) {
166 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
167 return 0;
168 }
169 if (max_out_tag_len < ctx->tag_len + extra_in_len) {
170 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
171 return 0;
172 }
173 if (nonce_len != 12) {
174 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
175 return 0;
176 }
177
178 /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
179 * individual operations that work on more than 256GB at a time.
180 * |in_len_64| is needed because, on 32-bit platforms, size_t is only
181 * 32-bits and this produces a warning because it's always false.
182 * Casting to uint64_t inside the conditional is not sufficient to stop
183 * the warning. */
184 const uint64_t in_len_64 = in_len;
185 if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
186 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
187 return 0;
188 }
189
190 if (max_out_tag_len < ctx->tag_len) {
191 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
192 return 0;
193 }
194
195 /* The the extra input is given, it is expected to be very short and so is
196 * encrypted byte-by-byte first. */
197 if (extra_in_len) {
198 static const size_t kChaChaBlockSize = 64;
199 uint32_t block_counter = 1 + (in_len / kChaChaBlockSize);
200 size_t offset = in_len % kChaChaBlockSize;
201 uint8_t block[64 /* kChaChaBlockSize */];
202
203 for (size_t done = 0; done < extra_in_len; block_counter++) {
204 memset(block, 0, sizeof(block));
205 CRYPTO_chacha_20(block, block, sizeof(block), c20_ctx->key, nonce,
206 block_counter);
207 for (size_t i = offset; i < sizeof(block) && done < extra_in_len;
208 i++, done++) {
209 out_tag[done] = extra_in[done] ^ block[i];
210 }
211 offset = 0;
212 }
213 }
214
215 alignas(16) uint8_t tag[48 + 8 + 8];
216
217 if (asm_capable()) {
218 OPENSSL_memcpy(tag, c20_ctx->key, 32);
219 OPENSSL_memset(tag + 32, 0, 4);
220 OPENSSL_memcpy(tag + 32 + 4, nonce, 12);
221 OPENSSL_memcpy(tag + 48, &out_tag, sizeof(out_tag));
222 OPENSSL_memcpy(tag + 56, &extra_in_len, sizeof(extra_in_len));
223 chacha20_poly1305_seal(out, in, in_len, ad, ad_len, tag);
224 } else {
225 CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
226 calc_tag(tag, c20_ctx, nonce, ad, ad_len, out, in_len,
227 out_tag, extra_in_len);
228 }
229
230 OPENSSL_memcpy(out_tag + extra_in_len, tag, ctx->tag_len);
231 *out_tag_len = extra_in_len + ctx->tag_len;
232 return 1;
233 }
234
aead_chacha20_poly1305_open_gather(const EVP_AEAD_CTX * ctx,uint8_t * out,const uint8_t * nonce,size_t nonce_len,const uint8_t * in,size_t in_len,const uint8_t * in_tag,size_t in_tag_len,const uint8_t * ad,size_t ad_len)235 static int aead_chacha20_poly1305_open_gather(
236 const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
237 size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
238 size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
239 const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
240
241 if (nonce_len != 12) {
242 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
243 return 0;
244 }
245
246 if (in_tag_len != ctx->tag_len) {
247 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
248 return 0;
249 }
250
251 /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
252 * individual operations that work on more than 256GB at a time.
253 * |in_len_64| is needed because, on 32-bit platforms, size_t is only
254 * 32-bits and this produces a warning because it's always false.
255 * Casting to uint64_t inside the conditional is not sufficient to stop
256 * the warning. */
257 const uint64_t in_len_64 = in_len;
258 if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
259 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
260 return 0;
261 }
262
263 alignas(16) uint8_t tag[48];
264
265 if (asm_capable()) {
266 OPENSSL_memcpy(tag, c20_ctx->key, 32);
267 OPENSSL_memset(tag + 32, 0, 4);
268 OPENSSL_memcpy(tag + 32 + 4, nonce, 12);
269 chacha20_poly1305_open(out, in, in_len, ad, ad_len, tag);
270 } else {
271 calc_tag(tag, c20_ctx, nonce, ad, ad_len, in, in_len, NULL, 0);
272 CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
273 }
274
275 if (CRYPTO_memcmp(tag, in_tag, ctx->tag_len) != 0) {
276 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
277 return 0;
278 }
279
280 return 1;
281 }
282
283 static const EVP_AEAD aead_chacha20_poly1305 = {
284 32, /* key len */
285 12, /* nonce len */
286 POLY1305_TAG_LEN, /* overhead */
287 POLY1305_TAG_LEN, /* max tag length */
288 1, /* seal_scatter_supports_extra_in */
289
290 aead_chacha20_poly1305_init,
291 NULL, /* init_with_direction */
292 aead_chacha20_poly1305_cleanup,
293 NULL /* open */,
294 aead_chacha20_poly1305_seal_scatter,
295 aead_chacha20_poly1305_open_gather,
296 NULL, /* get_iv */
297 };
298
EVP_aead_chacha20_poly1305(void)299 const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
300 return &aead_chacha20_poly1305;
301 }
302