]> git.ipfire.org Git - thirdparty/openssl.git/blob - providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c
projects / thirdparty / openssl.git / blob
? search:


55a57de7264f1bde1e00099a69385eb2215308c4
[thirdparty/openssl.git] / providers / implementations / ciphers / cipher_chacha20_poly1305_hw.c
1 /*
2 * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /* chacha20_poly1305 cipher implementation */
11
12 #include "internal/endian.h"
13 #include "cipher_chacha20_poly1305.h"
14
15 static int chacha_poly1305_tls_init(PROV_CIPHER_CTX *bctx,
16 unsigned char *aad, size_t alen)
17 {
18 unsigned int len;
19 PROV_CHACHA20_POLY1305_CTX *ctx = (PROV_CHACHA20_POLY1305_CTX *)bctx;
20
21 if (alen != EVP_AEAD_TLS1_AAD_LEN)
22 return 0;
23
24 memcpy(ctx->tls_aad, aad, EVP_AEAD_TLS1_AAD_LEN);
25 len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 | aad[EVP_AEAD_TLS1_AAD_LEN - 1];
26 aad = ctx->tls_aad;
27 if (!bctx->enc) {
28 if (len < POLY1305_BLOCK_SIZE)
29 return 0;
30 len -= POLY1305_BLOCK_SIZE; /* discount attached tag */
31 aad[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8);
32 aad[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len;
33 }
34 ctx->tls_payload_length = len;
35
36 /* merge record sequence number as per RFC7905 */
37 ctx->chacha.counter[1] = ctx->nonce[0];
38 ctx->chacha.counter[2] = ctx->nonce[1] ^ CHACHA_U8TOU32(aad);
39 ctx->chacha.counter[3] = ctx->nonce[2] ^ CHACHA_U8TOU32(aad+4);
40 ctx->mac_inited = 0;
41
42 return POLY1305_BLOCK_SIZE; /* tag length */
43 }
44
45 static int chacha_poly1305_tls_iv_set_fixed(PROV_CIPHER_CTX *bctx,
46 unsigned char *fixed, size_t flen)
47 {
48 PROV_CHACHA20_POLY1305_CTX *ctx = (PROV_CHACHA20_POLY1305_CTX *)bctx;
49
50 if (flen != CHACHA20_POLY1305_IVLEN)
51 return 0;
52 ctx->nonce[0] = ctx->chacha.counter[1] = CHACHA_U8TOU32(fixed);
53 ctx->nonce[1] = ctx->chacha.counter[2] = CHACHA_U8TOU32(fixed + 4);
54 ctx->nonce[2] = ctx->chacha.counter[3] = CHACHA_U8TOU32(fixed + 8);
55 return 1;
56 }
57
58
59 static int chacha20_poly1305_initkey(PROV_CIPHER_CTX *bctx,
60 const unsigned char *key, size_t keylen)
61 {
62 PROV_CHACHA20_POLY1305_CTX *ctx = (PROV_CHACHA20_POLY1305_CTX *)bctx;
63
64 ctx->len.aad = 0;
65 ctx->len.text = 0;
66 ctx->aad = 0;
67 ctx->mac_inited = 0;
68 ctx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
69
70 if (bctx->enc)
71 return chacha20_einit(&ctx->chacha, key, keylen, NULL, 0);
72 else
73 return chacha20_dinit(&ctx->chacha, key, keylen, NULL, 0);
74 }
75
76 static int chacha20_poly1305_initiv(PROV_CIPHER_CTX *bctx)
77 {
78 PROV_CHACHA20_POLY1305_CTX *ctx = (PROV_CHACHA20_POLY1305_CTX *)bctx;
79 unsigned char tempiv[CHACHA_CTR_SIZE] = { 0 };
80 int ret = 1;
81
82 ctx->len.aad = 0;
83 ctx->len.text = 0;
84 ctx->aad = 0;
85 ctx->mac_inited = 0;
86 ctx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
87
88 /* pad on the left */
89 if (ctx->nonce_len <= CHACHA_CTR_SIZE) {
90 memcpy(tempiv + CHACHA_CTR_SIZE - ctx->nonce_len, bctx->oiv,
91 ctx->nonce_len);
92
93 if (bctx->enc)
94 ret = chacha20_einit(&ctx->chacha, NULL, 0, tempiv, sizeof(tempiv));
95 else
96 ret = chacha20_dinit(&ctx->chacha, NULL, 0, tempiv, sizeof(tempiv));
97 ctx->nonce[0] = ctx->chacha.counter[1];
98 ctx->nonce[1] = ctx->chacha.counter[2];
99 ctx->nonce[2] = ctx->chacha.counter[3];
100 bctx->iv_set = 1;
101 }
102 return ret;
103 }
104
105 #if !defined(OPENSSL_SMALL_FOOTPRINT)
106
107 # if defined(POLY1305_ASM) && (defined(__x86_64) || defined(__x86_64__) \
108 || defined(_M_AMD64) || defined(_M_X64))
109 # define XOR128_HELPERS
110 void *xor128_encrypt_n_pad(void *out, const void *inp, void *otp, size_t len);
111 void *xor128_decrypt_n_pad(void *out, const void *inp, void *otp, size_t len);
112 static const unsigned char zero[4 * CHACHA_BLK_SIZE] = { 0 };
113 # else
114 static const unsigned char zero[2 * CHACHA_BLK_SIZE] = { 0 };
115 # endif
116
117 static int chacha20_poly1305_tls_cipher(PROV_CIPHER_CTX *bctx,
118 unsigned char *out,
119 size_t *out_padlen,
120 const unsigned char *in, size_t len)
121 {
122 PROV_CHACHA20_POLY1305_CTX *ctx = (PROV_CHACHA20_POLY1305_CTX *)bctx;
123 POLY1305 *poly = &ctx->poly1305;
124 size_t tail, tohash_len, buf_len, plen = ctx->tls_payload_length;
125 unsigned char *buf, *tohash, *ctr, storage[sizeof(zero) + 32];
126
127 DECLARE_IS_ENDIAN;
128
129 buf = storage + ((0 - (size_t)storage) & 15); /* align */
130 ctr = buf + CHACHA_BLK_SIZE;
131 tohash = buf + CHACHA_BLK_SIZE - POLY1305_BLOCK_SIZE;
132
133 # ifdef XOR128_HELPERS
134 if (plen <= 3 * CHACHA_BLK_SIZE) {
135 ctx->chacha.counter[0] = 0;
136 buf_len = (plen + 2 * CHACHA_BLK_SIZE - 1) & (0 - CHACHA_BLK_SIZE);
137 ChaCha20_ctr32(buf, zero, buf_len, ctx->chacha.key.d, ctx->chacha.counter);
138 Poly1305_Init(poly, buf);
139 ctx->chacha.partial_len = 0;
140 memcpy(tohash, ctx->tls_aad, POLY1305_BLOCK_SIZE);
141 tohash_len = POLY1305_BLOCK_SIZE;
142 ctx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
143 ctx->len.text = plen;
144
145 if (plen) {
146 if (bctx->enc)
147 ctr = xor128_encrypt_n_pad(out, in, ctr, plen);
148 else
149 ctr = xor128_decrypt_n_pad(out, in, ctr, plen);
150
151 in += plen;
152 out += plen;
153 tohash_len = (size_t)(ctr - tohash);
154 }
155 }
156 # else
157 if (plen <= CHACHA_BLK_SIZE) {
158 size_t i;
159
160 ctx->chacha.counter[0] = 0;
161 ChaCha20_ctr32(buf, zero, (buf_len = 2 * CHACHA_BLK_SIZE),
162 ctx->chacha.key.d, ctx->chacha.counter);
163 Poly1305_Init(poly, buf);
164 ctx->chacha.partial_len = 0;
165 memcpy(tohash, ctx->tls_aad, POLY1305_BLOCK_SIZE);
166 tohash_len = POLY1305_BLOCK_SIZE;
167 ctx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
168 ctx->len.text = plen;
169
170 if (bctx->enc) {
171 for (i = 0; i < plen; i++)
172 out[i] = ctr[i] ^= in[i];
173 } else {
174 for (i = 0; i < plen; i++) {
175 unsigned char c = in[i];
176
177 out[i] = ctr[i] ^ c;
178 ctr[i] = c;
179 }
180 }
181
182 in += i;
183 out += i;
184
185 tail = (0 - i) & (POLY1305_BLOCK_SIZE - 1);
186 memset(ctr + i, 0, tail);
187 ctr += i + tail;
188 tohash_len += i + tail;
189 }
190 # endif
191 else {
192 ctx->chacha.counter[0] = 0;
193 ChaCha20_ctr32(buf, zero, (buf_len = CHACHA_BLK_SIZE),
194 ctx->chacha.key.d, ctx->chacha.counter);
195 Poly1305_Init(poly, buf);
196 ctx->chacha.counter[0] = 1;
197 ctx->chacha.partial_len = 0;
198 Poly1305_Update(poly, ctx->tls_aad, POLY1305_BLOCK_SIZE);
199 tohash = ctr;
200 tohash_len = 0;
201 ctx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
202 ctx->len.text = plen;
203
204 if (bctx->enc) {
205 ChaCha20_ctr32(out, in, plen, ctx->chacha.key.d, ctx->chacha.counter);
206 Poly1305_Update(poly, out, plen);
207 } else {
208 Poly1305_Update(poly, in, plen);
209 ChaCha20_ctr32(out, in, plen, ctx->chacha.key.d, ctx->chacha.counter);
210 }
211
212 in += plen;
213 out += plen;
214 tail = (0 - plen) & (POLY1305_BLOCK_SIZE - 1);
215 Poly1305_Update(poly, zero, tail);
216 }
217
218 if (IS_LITTLE_ENDIAN) {
219 memcpy(ctr, (unsigned char *)&ctx->len, POLY1305_BLOCK_SIZE);
220 } else {
221 ctr[0] = (unsigned char)(ctx->len.aad);
222 ctr[1] = (unsigned char)(ctx->len.aad>>8);
223 ctr[2] = (unsigned char)(ctx->len.aad>>16);
224 ctr[3] = (unsigned char)(ctx->len.aad>>24);
225 ctr[4] = (unsigned char)(ctx->len.aad>>32);
226 ctr[5] = (unsigned char)(ctx->len.aad>>40);
227 ctr[6] = (unsigned char)(ctx->len.aad>>48);
228 ctr[7] = (unsigned char)(ctx->len.aad>>56);
229
230 ctr[8] = (unsigned char)(ctx->len.text);
231 ctr[9] = (unsigned char)(ctx->len.text>>8);
232 ctr[10] = (unsigned char)(ctx->len.text>>16);
233 ctr[11] = (unsigned char)(ctx->len.text>>24);
234 ctr[12] = (unsigned char)(ctx->len.text>>32);
235 ctr[13] = (unsigned char)(ctx->len.text>>40);
236 ctr[14] = (unsigned char)(ctx->len.text>>48);
237 ctr[15] = (unsigned char)(ctx->len.text>>56);
238 }
239 tohash_len += POLY1305_BLOCK_SIZE;
240
241 Poly1305_Update(poly, tohash, tohash_len);
242 OPENSSL_cleanse(buf, buf_len);
243 Poly1305_Final(poly, bctx->enc ? ctx->tag : tohash);
244
245 ctx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
246
247 if (bctx->enc) {
248 memcpy(out, ctx->tag, POLY1305_BLOCK_SIZE);
249 } else {
250 if (CRYPTO_memcmp(tohash, in, POLY1305_BLOCK_SIZE)) {
251 if (len > POLY1305_BLOCK_SIZE)
252 memset(out - (len - POLY1305_BLOCK_SIZE), 0,
253 len - POLY1305_BLOCK_SIZE);
254 return 0;
255 }
256 /* Strip the tag */
257 len -= POLY1305_BLOCK_SIZE;
258 }
259
260 *out_padlen = len;
261 return 1;
262 }
263 #else
264 static const unsigned char zero[CHACHA_BLK_SIZE] = { 0 };
265 #endif /* OPENSSL_SMALL_FOOTPRINT */
266
267 static int chacha20_poly1305_aead_cipher(PROV_CIPHER_CTX *bctx,
268 unsigned char *out, size_t *outl,
269 const unsigned char *in, size_t inl)
270 {
271 PROV_CHACHA20_POLY1305_CTX *ctx = (PROV_CHACHA20_POLY1305_CTX *)bctx;
272 POLY1305 *poly = &ctx->poly1305;
273 size_t rem, plen = ctx->tls_payload_length;
274 size_t olen = 0;
275 int rv = 0;
276
277 DECLARE_IS_ENDIAN;
278
279 if (!ctx->mac_inited) {
280 if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL) {
281 if (inl != plen + POLY1305_BLOCK_SIZE)
282 return 0;
283 #if !defined(OPENSSL_SMALL_FOOTPRINT)
284 return chacha20_poly1305_tls_cipher(bctx, out, outl, in, inl);
285 #endif
286 }
287
288 ctx->chacha.counter[0] = 0;
289 ChaCha20_ctr32(ctx->chacha.buf, zero, CHACHA_BLK_SIZE,
290 ctx->chacha.key.d, ctx->chacha.counter);
291 Poly1305_Init(poly, ctx->chacha.buf);
292 ctx->chacha.counter[0] = 1;
293 ctx->chacha.partial_len = 0;
294 ctx->len.aad = ctx->len.text = 0;
295 ctx->mac_inited = 1;
296 if (plen != NO_TLS_PAYLOAD_LENGTH) {
297 Poly1305_Update(poly, ctx->tls_aad, EVP_AEAD_TLS1_AAD_LEN);
298 ctx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
299 ctx->aad = 1;
300 }
301 }
302
303 if (in != NULL) { /* aad or text */
304 if (out == NULL) { /* aad */
305 Poly1305_Update(poly, in, inl);
306 ctx->len.aad += inl;
307 ctx->aad = 1;
308 goto finish;
309 } else { /* plain- or ciphertext */
310 if (ctx->aad) { /* wrap up aad */
311 if ((rem = (size_t)ctx->len.aad % POLY1305_BLOCK_SIZE))
312 Poly1305_Update(poly, zero, POLY1305_BLOCK_SIZE - rem);
313 ctx->aad = 0;
314 }
315
316 ctx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
317 if (plen == NO_TLS_PAYLOAD_LENGTH)
318 plen = inl;
319 else if (inl != plen + POLY1305_BLOCK_SIZE)
320 goto err;
321
322 if (bctx->enc) { /* plaintext */
323 ctx->chacha.base.hw->cipher(&ctx->chacha.base, out, in, plen);
324 Poly1305_Update(poly, out, plen);
325 in += plen;
326 out += plen;
327 ctx->len.text += plen;
328 } else { /* ciphertext */
329 Poly1305_Update(poly, in, plen);
330 ctx->chacha.base.hw->cipher(&ctx->chacha.base, out, in, plen);
331 in += plen;
332 out += plen;
333 ctx->len.text += plen;
334 }
335 }
336 }
337 /* explicit final, or tls mode */
338 if (in == NULL || inl != plen) {
339
340 unsigned char temp[POLY1305_BLOCK_SIZE];
341
342 if (ctx->aad) { /* wrap up aad */
343 if ((rem = (size_t)ctx->len.aad % POLY1305_BLOCK_SIZE))
344 Poly1305_Update(poly, zero, POLY1305_BLOCK_SIZE - rem);
345 ctx->aad = 0;
346 }
347
348 if ((rem = (size_t)ctx->len.text % POLY1305_BLOCK_SIZE))
349 Poly1305_Update(poly, zero, POLY1305_BLOCK_SIZE - rem);
350
351 if (IS_LITTLE_ENDIAN) {
352 Poly1305_Update(poly, (unsigned char *)&ctx->len,
353 POLY1305_BLOCK_SIZE);
354 } else {
355 temp[0] = (unsigned char)(ctx->len.aad);
356 temp[1] = (unsigned char)(ctx->len.aad>>8);
357 temp[2] = (unsigned char)(ctx->len.aad>>16);
358 temp[3] = (unsigned char)(ctx->len.aad>>24);
359 temp[4] = (unsigned char)(ctx->len.aad>>32);
360 temp[5] = (unsigned char)(ctx->len.aad>>40);
361 temp[6] = (unsigned char)(ctx->len.aad>>48);
362 temp[7] = (unsigned char)(ctx->len.aad>>56);
363 temp[8] = (unsigned char)(ctx->len.text);
364 temp[9] = (unsigned char)(ctx->len.text>>8);
365 temp[10] = (unsigned char)(ctx->len.text>>16);
366 temp[11] = (unsigned char)(ctx->len.text>>24);
367 temp[12] = (unsigned char)(ctx->len.text>>32);
368 temp[13] = (unsigned char)(ctx->len.text>>40);
369 temp[14] = (unsigned char)(ctx->len.text>>48);
370 temp[15] = (unsigned char)(ctx->len.text>>56);
371 Poly1305_Update(poly, temp, POLY1305_BLOCK_SIZE);
372 }
373 Poly1305_Final(poly, bctx->enc ? ctx->tag : temp);
374 ctx->mac_inited = 0;
375
376 if (in != NULL && inl != plen) {
377 if (bctx->enc) {
378 memcpy(out, ctx->tag, POLY1305_BLOCK_SIZE);
379 } else {
380 if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
381 memset(out - plen, 0, plen);
382 goto err;
383 }
384 /* Strip the tag */
385 inl -= POLY1305_BLOCK_SIZE;
386 }
387 }
388 else if (!bctx->enc) {
389 if (CRYPTO_memcmp(temp, ctx->tag, ctx->tag_len))
390 goto err;
391 }
392 }
393 finish:
394 olen = inl;
395 rv = 1;
396 err:
397 *outl = olen;
398 return rv;
399 }
400
401 static const PROV_CIPHER_HW_CHACHA20_POLY1305 chacha20poly1305_hw =
402 {
403 { chacha20_poly1305_initkey, NULL },
404 chacha20_poly1305_aead_cipher,
405 chacha20_poly1305_initiv,
406 chacha_poly1305_tls_init,
407 chacha_poly1305_tls_iv_set_fixed
408 };
409
410 const PROV_CIPHER_HW *ossl_prov_cipher_hw_chacha20_poly1305(size_t keybits)
411 {
412 return (PROV_CIPHER_HW *)&chacha20poly1305_hw;
413 }
A mirror of the official openssl repository