Annotation of src/usr.bin/ssh/cipher-chachapoly.c, Revision 1.1
1.1 ! djm 1: /*
! 2: * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
! 3: *
! 4: * Permission to use, copy, modify, and distribute this software for any
! 5: * purpose with or without fee is hereby granted, provided that the above
! 6: * copyright notice and this permission notice appear in all copies.
! 7: *
! 8: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
! 9: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
! 10: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
! 11: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
! 12: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
! 13: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
! 14: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
! 15: */
! 16:
! 17: #include <sys/types.h>
! 18: #include <stdarg.h> /* needed for log.h */
! 19: #include <string.h>
! 20: #include <stdio.h> /* needed for misc.h */
! 21:
! 22: #include "log.h"
! 23: #include "misc.h"
! 24: #include "cipher-chachapoly.h"
! 25:
/*
 * Load the two ChaCha20 keys held in 'key' into 'ctx'.
 *
 * 'key' must be exactly 64 bytes: bytes 0..31 key the main (payload)
 * context and bytes 32..63 key the header context. Any other 'keylen'
 * is reported through fatal().
 */
void
chachapoly_init(struct chachapoly_ctx *ctx,
    const u_char *key, u_int keylen)
{
	/* Exactly two 256-bit keys are expected */
	if (keylen != 64)
		fatal("%s: invalid keylen %u", __func__, keylen);

	/* Form the second key pointer only once the length is known good */
	const u_char *header_key = key + 32;

	chacha_keysetup(&ctx->main_ctx, key, 256);
	chacha_keysetup(&ctx->header_ctx, header_key, 256);
}
! 34:
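/*
 * chachapoly_crypt() operates as follows:
 * En/decrypt 'aadlen' bytes from 'src' to 'dest' with the header key.
 * The ciphertext of these bytes is treated as additional authenticated
 * data for the MAC calculation.
 * En/decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest' with
 * the main key.
 * Use POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the
 * authentication tag. The tag is computed over the ciphertext; it is
 * written to 'dest' on encryption and read from 'src' and verified on
 * decryption.
 *
 * 'aadlen' can be set to 0. 'authlen' is accepted but not consulted:
 * the tag is always POLY1305_TAGLEN bytes, so the caller must provide
 * 'aadlen' + 'len' + POLY1305_TAGLEN bytes in 'src' when decrypting and
 * in 'dest' when encrypting. The sum 'aadlen' + 'len' is computed in
 * u_int with no overflow check here; callers are expected to bound both
 * values beforehand.
 *
 * Returns 0 on success and -1 if the tag does not verify. On a tag
 * mismatch nothing is written to 'dest'.
 */
int
chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
    const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt)
{
	u_char seqbuf[8];
	u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB. little-endian */
	u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
	int r = -1;

	/*
	 * Run ChaCha20 once to generate the Poly1305 key. The IV is the
	 * packet sequence number. Encrypting an all-zero buffer yields the
	 * raw keystream, hence the bzero() before use.
	 */
	bzero(poly_key, sizeof(poly_key));
	put_u64(seqbuf, seqnr);
	chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
	chacha_encrypt_bytes(&ctx->main_ctx,
	    poly_key, poly_key, sizeof(poly_key));
	/* Set Chacha's block counter to 1 */
	chacha_ivsetup(&ctx->main_ctx, seqbuf, one);

	/*
	 * If decrypting, check tag before anything else. The MAC covers the
	 * received ciphertext, so a forged packet is rejected before any of
	 * it is decrypted into 'dest'.
	 */
	if (!do_encrypt) {
		const u_char *tag = src + aadlen + len;

		poly1305_auth(expected_tag, src, aadlen + len, poly_key);
		if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0)
			goto out;
	}
	/* Crypt additional data with the separate header key */
	if (aadlen) {
		chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
		chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen);
	}
	chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen,
	    dest + aadlen, len);

	/* If encrypting, calculate and append tag over the ciphertext */
	if (do_encrypt) {
		poly1305_auth(dest + aadlen + len, dest, aadlen + len,
		    poly_key);
	}
	r = 0;

 out:
	/*
	 * Wipe the per-packet Poly1305 key and the computed tag. These
	 * locals are never read again, so a plain bzero() is a dead store
	 * the compiler may remove; explicit_bzero() is not elided.
	 */
	explicit_bzero(expected_tag, sizeof(expected_tag));
	explicit_bzero(seqbuf, sizeof(seqbuf));
	explicit_bzero(poly_key, sizeof(poly_key));
	return r;
}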
! 95:
/*
 * Recover the 4-byte length field at the start of the packet at 'cp'.
 *
 * The field is decrypted with the header key, using 'seqnr' as the IV,
 * and the value decoded by get_u32() is stored in '*plenp'.
 *
 * Returns -1 if fewer than 4 bytes are available in 'len', 0 otherwise.
 *
 * NOTE: no tag is checked here, so the value stored in '*plenp' is not
 * yet authenticated. The caller should range-check it before using it
 * to size a read or an allocation.
 */
int
chachapoly_get_length(struct chachapoly_ctx *ctx,
    u_int *plenp, u_int seqnr, const u_char *cp, u_int len)
{
	u_char seqbuf[8];
	u_char lenbuf[4];

	/* Need the whole length field before it can be decrypted */
	if (len < sizeof(lenbuf))
		return -1;

	put_u64(seqbuf, seqnr);
	chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
	chacha_encrypt_bytes(&ctx->header_ctx, cp, lenbuf, sizeof(lenbuf));

	*plenp = get_u32(lenbuf);
	return 0;
}
! 110: