[thirdparty/openssl.git] / crypto / evp / e_chacha20_poly1305.c

/*
 * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"

#ifndef OPENSSL_NO_CHACHA

# include <openssl/evp.h>
# include <openssl/objects.h>
# include "internal/evp_int.h"
# include "evp_locl.h"
# include "internal/chacha.h"

typedef struct {
    union {
        double align;   /* this ensures even sizeof(EVP_CHACHA_KEY)%8==0 */
        unsigned int d[CHACHA_KEY_SIZE / 4];
    } key;
    unsigned int  counter[CHACHA_CTR_SIZE / 4];
    unsigned char buf[CHACHA_BLK_SIZE];
    unsigned int  partial_len;
} EVP_CHACHA_KEY;

#define data(ctx)   ((EVP_CHACHA_KEY *)(ctx)->cipher_data)

static int chacha_init_key(EVP_CIPHER_CTX *ctx,
                           const unsigned char user_key[CHACHA_KEY_SIZE],
                           const unsigned char iv[CHACHA_CTR_SIZE], int enc)
{
    EVP_CHACHA_KEY *key = data(ctx);
    unsigned int i;

    if (user_key)
        for (i = 0; i < CHACHA_KEY_SIZE; i+=4) {
            key->key.d[i/4] = CHACHA_U8TOU32(user_key+i);
        }

    if (iv)
        for (i = 0; i < CHACHA_CTR_SIZE; i+=4) {
            key->counter[i/4] = CHACHA_U8TOU32(iv+i);
        }

    key->partial_len = 0;

    return 1;
}

static int chacha_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
                         const unsigned char *inp, size_t len)
{
    EVP_CHACHA_KEY *key = data(ctx);
    unsigned int n, rem, ctr32;

    if ((n = key->partial_len)) {
        while (len && n < CHACHA_BLK_SIZE) {
            *out++ = *inp++ ^ key->buf[n++];
            len--;
        }
        key->partial_len = n;

        if (len == 0)
            return 1;

        if (n == CHACHA_BLK_SIZE) {
            key->partial_len = 0;
            key->counter[0]++;
            if (key->counter[0] == 0)
                key->counter[1]++;
        }
    }

    rem = (unsigned int)(len % CHACHA_BLK_SIZE);
    len -= rem;
    ctr32 = key->counter[0];
    while (len >= CHACHA_BLK_SIZE) {
        size_t blocks = len / CHACHA_BLK_SIZE;
        /*
         * 1<<28 is just a not-so-small yet not-so-large number...
         * Below condition is practically never met, but it has to
         * be checked for code correctness.
         */
        if (sizeof(size_t)>sizeof(unsigned int) && blocks>(1U<<28))
            blocks = (1U<<28);

        /*
         * As ChaCha20_ctr32 operates on 32-bit counter, caller
         * has to handle overflow. 'if' below detects the
         * overflow, which is then handled by limiting the
         * amount of blocks to the exact overflow point...
         */
        ctr32 += (unsigned int)blocks;
        if (ctr32 < blocks) {
            blocks -= ctr32;
            ctr32 = 0;
        }
        blocks *= CHACHA_BLK_SIZE;
        ChaCha20_ctr32(out, inp, blocks, key->key.d, key->counter);
        len -= blocks;
        inp += blocks;
        out += blocks;

        key->counter[0] = ctr32;
        if (ctr32 == 0) key->counter[1]++;
    }

    if (rem) {
        memset(key->buf, 0, sizeof(key->buf));
        ChaCha20_ctr32(key->buf, key->buf, CHACHA_BLK_SIZE,
                       key->key.d, key->counter);
        for (n = 0; n < rem; n++)
            out[n] = inp[n] ^ key->buf[n];
        key->partial_len = rem;
    }

    return 1;
}

static const EVP_CIPHER chacha20 = {
    NID_chacha20,
    1,                      /* block_size */
    CHACHA_KEY_SIZE,        /* key_len */
    CHACHA_CTR_SIZE,        /* iv_len, 128-bit counter in the context */
    EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT,
    chacha_init_key,
    chacha_cipher,
    NULL,
    sizeof(EVP_CHACHA_KEY),
    NULL,
    NULL,
    NULL,
    NULL
};

const EVP_CIPHER *EVP_chacha20(void)
{
    return &chacha20;
}

# ifndef OPENSSL_NO_POLY1305
#  include "internal/poly1305.h"

typedef struct {
    EVP_CHACHA_KEY key;
    unsigned int nonce[12/4];
    unsigned char tag[POLY1305_BLOCK_SIZE];
    unsigned char tls_aad[POLY1305_BLOCK_SIZE];
    struct { uint64_t aad, text; } len;
    int aad, mac_inited, tag_len, nonce_len;
    size_t tls_payload_length;
} EVP_CHACHA_AEAD_CTX;

#  define NO_TLS_PAYLOAD_LENGTH ((size_t)-1)
#  define aead_data(ctx)        ((EVP_CHACHA_AEAD_CTX *)(ctx)->cipher_data)
#  define POLY1305_ctx(actx)    ((POLY1305 *)(actx + 1))

static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
                                      const unsigned char *inkey,
                                      const unsigned char *iv, int enc)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);

    if (!inkey && !iv)
        return 1;

    actx->len.aad = 0;
    actx->len.text = 0;
    actx->aad = 0;
    actx->mac_inited = 0;
    actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;

    if (iv != NULL) {
        unsigned char temp[CHACHA_CTR_SIZE] = { 0 };

        /* pad on the left */
        if (actx->nonce_len <= CHACHA_CTR_SIZE)
            memcpy(temp + CHACHA_CTR_SIZE - actx->nonce_len, iv,
                   actx->nonce_len);

        chacha_init_key(ctx, inkey, temp, enc);

        actx->nonce[0] = actx->key.counter[1];
        actx->nonce[1] = actx->key.counter[2];
        actx->nonce[2] = actx->key.counter[3];
    } else {
        chacha_init_key(ctx, inkey, NULL, enc);
    }

    return 1;
}

#  if !defined(OPENSSL_SMALL_FOOTPRINT)

#   if defined(POLY1305_ASM) && (defined(__x86_64) || defined(__x86_64__) || \
                                 defined(_M_AMD64) || defined(_M_X64))
#    define XOR128_HELPERS
void *xor128_encrypt_n_pad(void *out, const void *inp, void *otp, size_t len);
void *xor128_decrypt_n_pad(void *out, const void *inp, void *otp, size_t len);
static const unsigned char zero[4 * CHACHA_BLK_SIZE] = { 0 };
#   else
static const unsigned char zero[2 * CHACHA_BLK_SIZE] = { 0 };
#   endif

static int chacha20_poly1305_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                        const unsigned char *in, size_t len)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
    size_t tail, tohash_len, buf_len, plen = actx->tls_payload_length;
    unsigned char *buf, *tohash, *ctr, storage[sizeof(zero) + 32];

    if (len != plen + POLY1305_BLOCK_SIZE)
        return -1;

    buf = storage + ((0 - (size_t)storage) & 15);   /* align */
    ctr = buf + CHACHA_BLK_SIZE;
    tohash = buf + CHACHA_BLK_SIZE - POLY1305_BLOCK_SIZE;

#   ifdef XOR128_HELPERS
    if (plen <= 3 * CHACHA_BLK_SIZE) {
        actx->key.counter[0] = 0;
        buf_len = (plen + 2 * CHACHA_BLK_SIZE - 1) & (0 - CHACHA_BLK_SIZE);
        ChaCha20_ctr32(buf, zero, buf_len, actx->key.key.d,
                       actx->key.counter);
        Poly1305_Init(POLY1305_ctx(actx), buf);
        actx->key.partial_len = 0;
        memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);
        tohash_len = POLY1305_BLOCK_SIZE;
        actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
        actx->len.text = plen;

        if (plen) {
            if (ctx->encrypt)
                ctr = xor128_encrypt_n_pad(out, in, ctr, plen);
            else
                ctr = xor128_decrypt_n_pad(out, in, ctr, plen);

            in += plen;
            out += plen;
            tohash_len = (size_t)(ctr - tohash);
        }
    }
#   else
    if (plen <= CHACHA_BLK_SIZE) {
        size_t i;

        actx->key.counter[0] = 0;
        ChaCha20_ctr32(buf, zero, (buf_len = 2 * CHACHA_BLK_SIZE),
                       actx->key.key.d, actx->key.counter);
        Poly1305_Init(POLY1305_ctx(actx), buf);
        actx->key.partial_len = 0;
        memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);
        tohash_len = POLY1305_BLOCK_SIZE;
        actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
        actx->len.text = plen;

        if (ctx->encrypt) {
            for (i = 0; i < plen; i++) {
                out[i] = ctr[i] ^= in[i];
            }
        } else {
            for (i = 0; i < plen; i++) {
                unsigned char c = in[i];
                out[i] = ctr[i] ^ c;
                ctr[i] = c;
            }
        }

        in += i;
        out += i;

        tail = (0 - i) & (POLY1305_BLOCK_SIZE - 1);
        memset(ctr + i, 0, tail);
        ctr += i + tail;
        tohash_len += i + tail;
    }
#   endif
    else {
        actx->key.counter[0] = 0;
        ChaCha20_ctr32(buf, zero, (buf_len = CHACHA_BLK_SIZE),
                       actx->key.key.d, actx->key.counter);
        Poly1305_Init(POLY1305_ctx(actx), buf);
        actx->key.counter[0] = 1;
        actx->key.partial_len = 0;
        Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad, POLY1305_BLOCK_SIZE);
        tohash = ctr;
        tohash_len = 0;
        actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
        actx->len.text = plen;

        if (ctx->encrypt) {
            ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);
            Poly1305_Update(POLY1305_ctx(actx), out, plen);
        } else {
            Poly1305_Update(POLY1305_ctx(actx), in, plen);
            ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);
        }

        in += plen;
        out += plen;
        tail = (0 - plen) & (POLY1305_BLOCK_SIZE - 1);
        Poly1305_Update(POLY1305_ctx(actx), zero, tail);
    }

    {
        const union {
            long one;
            char little;
        } is_endian = { 1 };

        if (is_endian.little) {
            memcpy(ctr, (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
        } else {
            ctr[0]  = (unsigned char)(actx->len.aad);
            ctr[1]  = (unsigned char)(actx->len.aad>>8);
            ctr[2]  = (unsigned char)(actx->len.aad>>16);
            ctr[3]  = (unsigned char)(actx->len.aad>>24);
            ctr[4]  = (unsigned char)(actx->len.aad>>32);
            ctr[5]  = (unsigned char)(actx->len.aad>>40);
            ctr[6]  = (unsigned char)(actx->len.aad>>48);
            ctr[7]  = (unsigned char)(actx->len.aad>>56);

            ctr[8]  = (unsigned char)(actx->len.text);
            ctr[9]  = (unsigned char)(actx->len.text>>8);
            ctr[10] = (unsigned char)(actx->len.text>>16);
            ctr[11] = (unsigned char)(actx->len.text>>24);
            ctr[12] = (unsigned char)(actx->len.text>>32);
            ctr[13] = (unsigned char)(actx->len.text>>40);
            ctr[14] = (unsigned char)(actx->len.text>>48);
            ctr[15] = (unsigned char)(actx->len.text>>56);
        }
        tohash_len += POLY1305_BLOCK_SIZE;
    }

    Poly1305_Update(POLY1305_ctx(actx), tohash, tohash_len);
    OPENSSL_cleanse(buf, buf_len);
    Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
                                                    : tohash);

    actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;

    if (ctx->encrypt) {
        memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
    } else {
        if (CRYPTO_memcmp(tohash, in, POLY1305_BLOCK_SIZE)) {
            memset(out - (len - POLY1305_BLOCK_SIZE), 0,
                   len - POLY1305_BLOCK_SIZE);
            return -1;
        }
    }

    return len;
}
#  else
static const unsigned char zero[CHACHA_BLK_SIZE] = { 0 };
#  endif

static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                    const unsigned char *in, size_t len)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
    size_t rem, plen = actx->tls_payload_length;

    if (!actx->mac_inited) {
#  if !defined(OPENSSL_SMALL_FOOTPRINT)
        if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL)
            return chacha20_poly1305_tls_cipher(ctx, out, in, len);
#  endif
        actx->key.counter[0] = 0;
        ChaCha20_ctr32(actx->key.buf, zero, CHACHA_BLK_SIZE,
                       actx->key.key.d, actx->key.counter);
        Poly1305_Init(POLY1305_ctx(actx), actx->key.buf);
        actx->key.counter[0] = 1;
        actx->key.partial_len = 0;
        actx->len.aad = actx->len.text = 0;
        actx->mac_inited = 1;
        if (plen != NO_TLS_PAYLOAD_LENGTH) {
            Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad,
                            EVP_AEAD_TLS1_AAD_LEN);
            actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
            actx->aad = 1;
        }
    }

    if (in) {                                   /* aad or text */
        if (out == NULL) {                      /* aad */
            Poly1305_Update(POLY1305_ctx(actx), in, len);
            actx->len.aad += len;
            actx->aad = 1;
            return len;
        } else {                                /* plain- or ciphertext */
            if (actx->aad) {                    /* wrap up aad */
                if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
                    Poly1305_Update(POLY1305_ctx(actx), zero,
                                    POLY1305_BLOCK_SIZE - rem);
                actx->aad = 0;
            }

            actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
            if (plen == NO_TLS_PAYLOAD_LENGTH)
                plen = len;
            else if (len != plen + POLY1305_BLOCK_SIZE)
                return -1;

            if (ctx->encrypt) {                 /* plaintext */
                chacha_cipher(ctx, out, in, plen);
                Poly1305_Update(POLY1305_ctx(actx), out, plen);
                in += plen;
                out += plen;
                actx->len.text += plen;
            } else {                            /* ciphertext */
                Poly1305_Update(POLY1305_ctx(actx), in, plen);
                chacha_cipher(ctx, out, in, plen);
                in += plen;
                out += plen;
                actx->len.text += plen;
            }
        }
    }
    if (in == NULL                              /* explicit final */
        || plen != len) {                       /* or tls mode */
        const union {
            long one;
            char little;
        } is_endian = { 1 };
        unsigned char temp[POLY1305_BLOCK_SIZE];

        if (actx->aad) {                        /* wrap up aad */
            if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
                Poly1305_Update(POLY1305_ctx(actx), zero,
                                POLY1305_BLOCK_SIZE - rem);
            actx->aad = 0;
        }

        if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
            Poly1305_Update(POLY1305_ctx(actx), zero,
                            POLY1305_BLOCK_SIZE - rem);

        if (is_endian.little) {
            Poly1305_Update(POLY1305_ctx(actx),
                            (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
        } else {
            temp[0]  = (unsigned char)(actx->len.aad);
            temp[1]  = (unsigned char)(actx->len.aad>>8);
            temp[2]  = (unsigned char)(actx->len.aad>>16);
            temp[3]  = (unsigned char)(actx->len.aad>>24);
            temp[4]  = (unsigned char)(actx->len.aad>>32);
            temp[5]  = (unsigned char)(actx->len.aad>>40);
            temp[6]  = (unsigned char)(actx->len.aad>>48);
            temp[7]  = (unsigned char)(actx->len.aad>>56);

            temp[8]  = (unsigned char)(actx->len.text);
            temp[9]  = (unsigned char)(actx->len.text>>8);
            temp[10] = (unsigned char)(actx->len.text>>16);
            temp[11] = (unsigned char)(actx->len.text>>24);
            temp[12] = (unsigned char)(actx->len.text>>32);
            temp[13] = (unsigned char)(actx->len.text>>40);
            temp[14] = (unsigned char)(actx->len.text>>48);
            temp[15] = (unsigned char)(actx->len.text>>56);

            Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
        }
        Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
                                                        : temp);
        actx->mac_inited = 0;

        if (in != NULL && len != plen) {        /* tls mode */
            if (ctx->encrypt) {
                memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
            } else {
                if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
                    memset(out - plen, 0, plen);
                    return -1;
                }
            }
        }
        else if (!ctx->encrypt) {
            if (CRYPTO_memcmp(temp, actx->tag, actx->tag_len))
                return -1;
        }
    }
    return len;
}

static int chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
    if (actx)
        OPENSSL_cleanse(ctx->cipher_data, sizeof(*actx) + Poly1305_ctx_size());
    return 1;
}

static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
                                  void *ptr)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);

    switch(type) {
    case EVP_CTRL_INIT:
        if (actx == NULL)
            actx = ctx->cipher_data
                 = OPENSSL_zalloc(sizeof(*actx) + Poly1305_ctx_size());
        if (actx == NULL) {
            EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_INITIALIZATION_ERROR);
            return 0;
        }
        actx->len.aad = 0;
        actx->len.text = 0;
        actx->aad = 0;
        actx->mac_inited = 0;
        actx->tag_len = 0;
        actx->nonce_len = 12;
        actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
        memset(actx->tls_aad, 0, POLY1305_BLOCK_SIZE);
        return 1;

    case EVP_CTRL_COPY:
        if (actx) {
            EVP_CIPHER_CTX *dst = (EVP_CIPHER_CTX *)ptr;

            dst->cipher_data =
                   OPENSSL_memdup(actx, sizeof(*actx) + Poly1305_ctx_size());
            if (dst->cipher_data == NULL) {
                EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_COPY_ERROR);
                return 0;
            }
        }
        return 1;

    case EVP_CTRL_AEAD_SET_IVLEN:
        if (arg <= 0 || arg > CHACHA_CTR_SIZE)
            return 0;
        actx->nonce_len = arg;
        return 1;

    case EVP_CTRL_AEAD_SET_IV_FIXED:
        if (arg != 12)
            return 0;
        actx->nonce[0] = actx->key.counter[1]
                       = CHACHA_U8TOU32((unsigned char *)ptr);
        actx->nonce[1] = actx->key.counter[2]
                       = CHACHA_U8TOU32((unsigned char *)ptr+4);
        actx->nonce[2] = actx->key.counter[3]
                       = CHACHA_U8TOU32((unsigned char *)ptr+8);
        return 1;

    case EVP_CTRL_AEAD_SET_TAG:
        if (arg <= 0 || arg > POLY1305_BLOCK_SIZE)
            return 0;
        if (ptr != NULL) {
            memcpy(actx->tag, ptr, arg);
            actx->tag_len = arg;
        }
        return 1;

    case EVP_CTRL_AEAD_GET_TAG:
        if (arg <= 0 || arg > POLY1305_BLOCK_SIZE || !ctx->encrypt)
            return 0;
        memcpy(ptr, actx->tag, arg);
        return 1;

    case EVP_CTRL_AEAD_TLS1_AAD:
        if (arg != EVP_AEAD_TLS1_AAD_LEN)
            return 0;
        {
            unsigned int len;
            unsigned char *aad = ptr;

            memcpy(actx->tls_aad, ptr, EVP_AEAD_TLS1_AAD_LEN);
            len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 |
                  aad[EVP_AEAD_TLS1_AAD_LEN - 1];
            aad = actx->tls_aad;
            if (!ctx->encrypt) {
                if (len < POLY1305_BLOCK_SIZE)
                    return 0;
                len -= POLY1305_BLOCK_SIZE;     /* discount attached tag */
                aad[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8);
                aad[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len;
            }
            actx->tls_payload_length = len;

            /*
             * merge record sequence number as per RFC7905
             */
            actx->key.counter[1] = actx->nonce[0];
            actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);
            actx->key.counter[3] = actx->nonce[2] ^ CHACHA_U8TOU32(aad+4);
            actx->mac_inited = 0;

            return POLY1305_BLOCK_SIZE;         /* tag length */
        }

    case EVP_CTRL_AEAD_SET_MAC_KEY:
        /* no-op */
        return 1;

    default:
        return -1;
    }
}

static EVP_CIPHER chacha20_poly1305 = {
    NID_chacha20_poly1305,
    1,                  /* block_size */
    CHACHA_KEY_SIZE,    /* key_len */
    12,                 /* iv_len, 96-bit nonce in the context */
    EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV |
    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
    EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER,
    chacha20_poly1305_init_key,
    chacha20_poly1305_cipher,
    chacha20_poly1305_cleanup,
    0,          /* 0 moves context-specific structure allocation to ctrl */
    NULL,       /* set_asn1_parameters */
    NULL,       /* get_asn1_parameters */
    chacha20_poly1305_ctrl,
    NULL        /* app_data */
};

const EVP_CIPHER *EVP_chacha20_poly1305(void)
{
    return(&chacha20_poly1305);
}
# endif
#endif
Commit	Line	Data
62867571	1	/*
1212818e	2	* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
bd989745	3	*
4a8b0c55	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
62867571 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
bd989745 AP	8	*/
	9
	10	#include <stdio.h>
	11	#include "internal/cryptlib.h"
	12
	13	#ifndef OPENSSL_NO_CHACHA
	14
	15	# include <openssl/evp.h>
	16	# include <openssl/objects.h>
bd989745	17	# include "internal/evp_int.h"
5a285add	18	# include "evp_locl.h"
bd989745 AP	19	# include "internal/chacha.h"
	20
	21	typedef struct {
	22	union {
	23	double align; /* this ensures even sizeof(EVP_CHACHA_KEY)%8==0 */
	24	unsigned int d[CHACHA_KEY_SIZE / 4];
	25	} key;
	26	unsigned int counter[CHACHA_CTR_SIZE / 4];
	27	unsigned char buf[CHACHA_BLK_SIZE];
	28	unsigned int partial_len;
	29	} EVP_CHACHA_KEY;
	30
	31	#define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
	32
	33	static int chacha_init_key(EVP_CIPHER_CTX *ctx,
	34	const unsigned char user_key[CHACHA_KEY_SIZE],
	35	const unsigned char iv[CHACHA_CTR_SIZE], int enc)
	36	{
	37	EVP_CHACHA_KEY *key = data(ctx);
	38	unsigned int i;
	39
	40	if (user_key)
	41	for (i = 0; i < CHACHA_KEY_SIZE; i+=4) {
	42	key->key.d[i/4] = CHACHA_U8TOU32(user_key+i);
	43	}
	44
	45	if (iv)
	46	for (i = 0; i < CHACHA_CTR_SIZE; i+=4) {
	47	key->counter[i/4] = CHACHA_U8TOU32(iv+i);
	48	}
	49
	50	key->partial_len = 0;
	51
	52	return 1;
	53	}
	54
	55	static int chacha_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
	56	const unsigned char *inp, size_t len)
	57	{
	58	EVP_CHACHA_KEY *key = data(ctx);
	59	unsigned int n, rem, ctr32;
	60
	61	if ((n = key->partial_len)) {
	62	while (len && n < CHACHA_BLK_SIZE) {
	63	out++ = inp++ ^ key->buf[n++];
	64	len--;
	65	}
	66	key->partial_len = n;
	67
	68	if (len == 0)
	69	return 1;
	70
	71	if (n == CHACHA_BLK_SIZE) {
	72	key->partial_len = 0;
	73	key->counter[0]++;
	74	if (key->counter[0] == 0)
	75	key->counter[1]++;
	76	}
	77	}
	78
	79	rem = (unsigned int)(len % CHACHA_BLK_SIZE);
	80	len -= rem;
	81	ctr32 = key->counter[0];
	82	while (len >= CHACHA_BLK_SIZE) {
83	size_t blocks = len / CHACHA_BLK_SIZE;
84	/*
85	* 1<<28 is just a not-so-small yet not-so-large number...
86	* Below condition is practically never met, but it has to
87	* be checked for code correctness.
88	*/
89	if (sizeof(size_t)>sizeof(unsigned int) && blocks>(1U<<28))
90	blocks = (1U<<28);
91
92	/*
93	* As ChaCha20_ctr32 operates on 32-bit counter, caller
94	* has to handle overflow. 'if' below detects the
95	* overflow, which is then handled by limiting the
96	* amount of blocks to the exact overflow point...
97	*/
98	ctr32 += (unsigned int)blocks;
99	if (ctr32 < blocks) {
100	blocks -= ctr32;
101	ctr32 = 0;
102	}
103	blocks *= CHACHA_BLK_SIZE;
104	ChaCha20_ctr32(out, inp, blocks, key->key.d, key->counter);
105	len -= blocks;
106	inp += blocks;
107	out += blocks;
108
109	key->counter[0] = ctr32;
110	if (ctr32 == 0) key->counter[1]++;
111	}
112
113	if (rem) {
114	memset(key->buf, 0, sizeof(key->buf));
115	ChaCha20_ctr32(key->buf, key->buf, CHACHA_BLK_SIZE,
116	key->key.d, key->counter);
117	for (n = 0; n < rem; n++)
118	out[n] = inp[n] ^ key->buf[n];
119	key->partial_len = rem;
120	}
121
122	return 1;
123	}
124
125	static const EVP_CIPHER chacha20 = {
126	NID_chacha20,
127	1, /* block_size */
128	CHACHA_KEY_SIZE, /* key_len */
129	CHACHA_CTR_SIZE, /* iv_len, 128-bit counter in the context */
c83680a0	130	EVP_CIPH_CUSTOM_IV \| EVP_CIPH_ALWAYS_CALL_INIT,
bd989745 AP	131	chacha_init_key,
	132	chacha_cipher,
	133	NULL,
	134	sizeof(EVP_CHACHA_KEY),
	135	NULL,
	136	NULL,
	137	NULL,
	138	NULL
	139	};
	140
	141	const EVP_CIPHER *EVP_chacha20(void)
	142	{
26a7d938	143	return &chacha20;
bd989745 AP	144	}
	145
	146	# ifndef OPENSSL_NO_POLY1305
	147	# include "internal/poly1305.h"
	148
	149	typedef struct {
	150	EVP_CHACHA_KEY key;
	151	unsigned int nonce[12/4];
	152	unsigned char tag[POLY1305_BLOCK_SIZE];
a091e212	153	unsigned char tls_aad[POLY1305_BLOCK_SIZE];
bd989745 AP	154	struct { uint64_t aad, text; } len;
	155	int aad, mac_inited, tag_len, nonce_len;
	156	size_t tls_payload_length;
	157	} EVP_CHACHA_AEAD_CTX;
	158
	159	# define NO_TLS_PAYLOAD_LENGTH ((size_t)-1)
	160	# define aead_data(ctx) ((EVP_CHACHA_AEAD_CTX *)(ctx)->cipher_data)
	161	# define POLY1305_ctx(actx) ((POLY1305 *)(actx + 1))
	162
	163	static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
	164	const unsigned char *inkey,
	165	const unsigned char *iv, int enc)
	166	{
	167	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
bd989745 AP	168
	169	if (!inkey && !iv)
	170	return 1;
	171
	172	actx->len.aad = 0;
	173	actx->len.text = 0;
	174	actx->aad = 0;
	175	actx->mac_inited = 0;
	176	actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
	177
d2dfd482 KY	178	if (iv != NULL) {
d2dfd482 KY	179	unsigned char temp[CHACHA_CTR_SIZE] = { 0 };
bd989745	180
d2dfd482 KY	181	/* pad on the left */
d2dfd482 KY	182	if (actx->nonce_len <= CHACHA_CTR_SIZE)
a091e212 AP	183	memcpy(temp + CHACHA_CTR_SIZE - actx->nonce_len, iv,
a091e212 AP	184	actx->nonce_len);
bd989745	185
d2dfd482 KY	186	chacha_init_key(ctx, inkey, temp, enc);
	187
	188	actx->nonce[0] = actx->key.counter[1];
	189	actx->nonce[1] = actx->key.counter[2];
	190	actx->nonce[2] = actx->key.counter[3];
	191	} else {
	192	chacha_init_key(ctx, inkey, NULL, enc);
	193	}
bd989745 AP	194
	195	return 1;
	196	}
	197
a091e212	198	# if !defined(OPENSSL_SMALL_FOOTPRINT)
0edb109f AP	199
	200	# if defined(POLY1305_ASM) && (defined(__x86_64) \|\| defined(__x86_64__) \|\| \
	201	defined(_M_AMD64) \|\| defined(_M_X64))
	202	# define XOR128_HELPERS
	203	void xor128_encrypt_n_pad(void out, const void inp, void otp, size_t len);
	204	void xor128_decrypt_n_pad(void out, const void inp, void otp, size_t len);
	205	static const unsigned char zero[4 * CHACHA_BLK_SIZE] = { 0 };
	206	# else
a091e212	207	static const unsigned char zero[2 * CHACHA_BLK_SIZE] = { 0 };
0edb109f	208	# endif
a091e212 AP	209
	210	static int chacha20_poly1305_tls_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
	211	const unsigned char *in, size_t len)
	212	{
	213	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
0edb109f AP	214	size_t tail, tohash_len, buf_len, plen = actx->tls_payload_length;
0edb109f AP	215	unsigned char buf, tohash, *ctr, storage[sizeof(zero) + 32];
a091e212 AP	216
	217	if (len != plen + POLY1305_BLOCK_SIZE)
	218	return -1;
	219
	220	buf = storage + ((0 - (size_t)storage) & 15); /* align */
	221	ctr = buf + CHACHA_BLK_SIZE;
	222	tohash = buf + CHACHA_BLK_SIZE - POLY1305_BLOCK_SIZE;
	223
0edb109f AP	224	# ifdef XOR128_HELPERS
0edb109f AP	225	if (plen <= 3 * CHACHA_BLK_SIZE) {
a091e212	226	actx->key.counter[0] = 0;
0edb109f AP	227	buf_len = (plen + 2 * CHACHA_BLK_SIZE - 1) & (0 - CHACHA_BLK_SIZE);
0edb109f AP	228	ChaCha20_ctr32(buf, zero, buf_len, actx->key.key.d,
a091e212 AP	229	actx->key.counter);
	230	Poly1305_Init(POLY1305_ctx(actx), buf);
	231	actx->key.partial_len = 0;
	232	memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);
	233	tohash_len = POLY1305_BLOCK_SIZE;
	234	actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
	235	actx->len.text = plen;
	236
0edb109f AP	237	if (plen) {
	238	if (ctx->encrypt)
	239	ctr = xor128_encrypt_n_pad(out, in, ctr, plen);
	240	else
	241	ctr = xor128_decrypt_n_pad(out, in, ctr, plen);
	242
	243	in += plen;
	244	out += plen;
	245	tohash_len = (size_t)(ctr - tohash);
	246	}
	247	}
	248	# else
	249	if (plen <= CHACHA_BLK_SIZE) {
	250	size_t i;
	251
	252	actx->key.counter[0] = 0;
	253	ChaCha20_ctr32(buf, zero, (buf_len = 2 * CHACHA_BLK_SIZE),
	254	actx->key.key.d, actx->key.counter);
	255	Poly1305_Init(POLY1305_ctx(actx), buf);
	256	actx->key.partial_len = 0;
	257	memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);
	258	tohash_len = POLY1305_BLOCK_SIZE;
	259	actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
	260	actx->len.text = plen;
	261
a091e212 AP	262	if (ctx->encrypt) {
	263	for (i = 0; i < plen; i++) {
	264	out[i] = ctr[i] ^= in[i];
	265	}
	266	} else {
	267	for (i = 0; i < plen; i++) {
	268	unsigned char c = in[i];
	269	out[i] = ctr[i] ^ c;
	270	ctr[i] = c;
	271	}
	272	}
	273
	274	in += i;
	275	out += i;
	276
	277	tail = (0 - i) & (POLY1305_BLOCK_SIZE - 1);
	278	memset(ctr + i, 0, tail);
	279	ctr += i + tail;
	280	tohash_len += i + tail;
0edb109f AP	281	}
	282	# endif
	283	else {
a091e212	284	actx->key.counter[0] = 0;
0edb109f AP	285	ChaCha20_ctr32(buf, zero, (buf_len = CHACHA_BLK_SIZE),
0edb109f AP	286	actx->key.key.d, actx->key.counter);
a091e212 AP	287	Poly1305_Init(POLY1305_ctx(actx), buf);
	288	actx->key.counter[0] = 1;
	289	actx->key.partial_len = 0;
	290	Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad, POLY1305_BLOCK_SIZE);
	291	tohash = ctr;
	292	tohash_len = 0;
	293	actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
	294	actx->len.text = plen;
	295
	296	if (ctx->encrypt) {
	297	ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);
	298	Poly1305_Update(POLY1305_ctx(actx), out, plen);
	299	} else {
	300	Poly1305_Update(POLY1305_ctx(actx), in, plen);
	301	ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);
	302	}
	303
	304	in += plen;
	305	out += plen;
	306	tail = (0 - plen) & (POLY1305_BLOCK_SIZE - 1);
	307	Poly1305_Update(POLY1305_ctx(actx), zero, tail);
	308	}
	309
	310	{
	311	const union {
	312	long one;
	313	char little;
	314	} is_endian = { 1 };
	315
	316	if (is_endian.little) {
	317	memcpy(ctr, (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
	318	} else {
	319	ctr[0] = (unsigned char)(actx->len.aad);
	320	ctr[1] = (unsigned char)(actx->len.aad>>8);
	321	ctr[2] = (unsigned char)(actx->len.aad>>16);
	322	ctr[3] = (unsigned char)(actx->len.aad>>24);
	323	ctr[4] = (unsigned char)(actx->len.aad>>32);
	324	ctr[5] = (unsigned char)(actx->len.aad>>40);
	325	ctr[6] = (unsigned char)(actx->len.aad>>48);
	326	ctr[7] = (unsigned char)(actx->len.aad>>56);
	327
	328	ctr[8] = (unsigned char)(actx->len.text);
	329	ctr[9] = (unsigned char)(actx->len.text>>8);
	330	ctr[10] = (unsigned char)(actx->len.text>>16);
	331	ctr[11] = (unsigned char)(actx->len.text>>24);
	332	ctr[12] = (unsigned char)(actx->len.text>>32);
	333	ctr[13] = (unsigned char)(actx->len.text>>40);
	334	ctr[14] = (unsigned char)(actx->len.text>>48);
	335	ctr[15] = (unsigned char)(actx->len.text>>56);
	336	}
	337	tohash_len += POLY1305_BLOCK_SIZE;
	338	}
	339
	340	Poly1305_Update(POLY1305_ctx(actx), tohash, tohash_len);
0edb109f	341	OPENSSL_cleanse(buf, buf_len);
a091e212 AP	342	Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
	343	: tohash);
	344
	345	actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
	346
	347	if (ctx->encrypt) {
	348	memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
	349	} else {
	350	if (CRYPTO_memcmp(tohash, in, POLY1305_BLOCK_SIZE)) {
	351	memset(out - (len - POLY1305_BLOCK_SIZE), 0,
	352	len - POLY1305_BLOCK_SIZE);
	353	return -1;
	354	}
	355	}
	356
	357	return len;
	358	}
	359	# else
	360	static const unsigned char zero[CHACHA_BLK_SIZE] = { 0 };
	361	# endif
	362
bd989745 AP	363	static int chacha20_poly1305_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
	364	const unsigned char *in, size_t len)
	365	{
	366	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
	367	size_t rem, plen = actx->tls_payload_length;
bd989745 AP	368
bd989745 AP	369	if (!actx->mac_inited) {
a091e212 AP	370	# if !defined(OPENSSL_SMALL_FOOTPRINT)
	371	if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL)
	372	return chacha20_poly1305_tls_cipher(ctx, out, in, len);
	373	# endif
bd989745	374	actx->key.counter[0] = 0;
a091e212	375	ChaCha20_ctr32(actx->key.buf, zero, CHACHA_BLK_SIZE,
bd989745 AP	376	actx->key.key.d, actx->key.counter);
	377	Poly1305_Init(POLY1305_ctx(actx), actx->key.buf);
	378	actx->key.counter[0] = 1;
30a5f322 AP	379	actx->key.partial_len = 0;
30a5f322 AP	380	actx->len.aad = actx->len.text = 0;
bd989745	381	actx->mac_inited = 1;
a091e212 AP	382	if (plen != NO_TLS_PAYLOAD_LENGTH) {
	383	Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad,
	384	EVP_AEAD_TLS1_AAD_LEN);
	385	actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
	386	actx->aad = 1;
	387	}
bd989745 AP	388	}
	389
	390	if (in) { /* aad or text */
	391	if (out == NULL) { /* aad */
	392	Poly1305_Update(POLY1305_ctx(actx), in, len);
	393	actx->len.aad += len;
	394	actx->aad = 1;
	395	return len;
	396	} else { /* plain- or ciphertext */
	397	if (actx->aad) { /* wrap up aad */
	398	if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
	399	Poly1305_Update(POLY1305_ctx(actx), zero,
	400	POLY1305_BLOCK_SIZE - rem);
	401	actx->aad = 0;
	402	}
	403
	404	actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
	405	if (plen == NO_TLS_PAYLOAD_LENGTH)
	406	plen = len;
	407	else if (len != plen + POLY1305_BLOCK_SIZE)
	408	return -1;
	409
	410	if (ctx->encrypt) { /* plaintext */
	411	chacha_cipher(ctx, out, in, plen);
	412	Poly1305_Update(POLY1305_ctx(actx), out, plen);
	413	in += plen;
	414	out += plen;
	415	actx->len.text += plen;
	416	} else { /* ciphertext */
	417	Poly1305_Update(POLY1305_ctx(actx), in, plen);
	418	chacha_cipher(ctx, out, in, plen);
	419	in += plen;
	420	out += plen;
	421	actx->len.text += plen;
	422	}
	423	}
	424	}
	425	if (in == NULL /* explicit final */
	426	\|\| plen != len) { /* or tls mode */
	427	const union {
	428	long one;
	429	char little;
	430	} is_endian = { 1 };
	431	unsigned char temp[POLY1305_BLOCK_SIZE];
	432
	433	if (actx->aad) { /* wrap up aad */
	434	if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
	435	Poly1305_Update(POLY1305_ctx(actx), zero,
	436	POLY1305_BLOCK_SIZE - rem);
	437	actx->aad = 0;
	438	}
	439
	440	if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
	441	Poly1305_Update(POLY1305_ctx(actx), zero,
	442	POLY1305_BLOCK_SIZE - rem);
	443
	444	if (is_endian.little) {
	445	Poly1305_Update(POLY1305_ctx(actx),
	446	(unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
	447	} else {
	448	temp[0] = (unsigned char)(actx->len.aad);
	449	temp[1] = (unsigned char)(actx->len.aad>>8);
	450	temp[2] = (unsigned char)(actx->len.aad>>16);
	451	temp[3] = (unsigned char)(actx->len.aad>>24);
452	temp[4] = (unsigned char)(actx->len.aad>>32);
453	temp[5] = (unsigned char)(actx->len.aad>>40);
454	temp[6] = (unsigned char)(actx->len.aad>>48);
455	temp[7] = (unsigned char)(actx->len.aad>>56);
456
457	temp[8] = (unsigned char)(actx->len.text);
458	temp[9] = (unsigned char)(actx->len.text>>8);
459	temp[10] = (unsigned char)(actx->len.text>>16);
460	temp[11] = (unsigned char)(actx->len.text>>24);
461	temp[12] = (unsigned char)(actx->len.text>>32);
462	temp[13] = (unsigned char)(actx->len.text>>40);
463	temp[14] = (unsigned char)(actx->len.text>>48);
464	temp[15] = (unsigned char)(actx->len.text>>56);
465
466	Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
467	}
468	Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
469	: temp);
470	actx->mac_inited = 0;
471
472	if (in != NULL && len != plen) { /* tls mode */
473	if (ctx->encrypt) {
474	memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
475	} else {
476	if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
bf52165b	477	memset(out - plen, 0, plen);
bd989745 AP	478	return -1;
	479	}
	480	}
	481	}
	482	else if (!ctx->encrypt) {
	483	if (CRYPTO_memcmp(temp, actx->tag, actx->tag_len))
	484	return -1;
	485	}
	486	}
	487	return len;
	488	}
	489
	490	static int chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx)
	491	{
	492	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
	493	if (actx)
a8f95768	494	OPENSSL_cleanse(ctx->cipher_data, sizeof(*actx) + Poly1305_ctx_size());
bd989745 AP	495	return 1;
	496	}
	497
	498	static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
	499	void *ptr)
	500	{
	501	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
	502
	503	switch(type) {
	504	case EVP_CTRL_INIT:
	505	if (actx == NULL)
	506	actx = ctx->cipher_data
	507	= OPENSSL_zalloc(sizeof(*actx) + Poly1305_ctx_size());
	508	if (actx == NULL) {
	509	EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_INITIALIZATION_ERROR);
	510	return 0;
	511	}
	512	actx->len.aad = 0;
	513	actx->len.text = 0;
	514	actx->aad = 0;
	515	actx->mac_inited = 0;
	516	actx->tag_len = 0;
	517	actx->nonce_len = 12;
	518	actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
a091e212	519	memset(actx->tls_aad, 0, POLY1305_BLOCK_SIZE);
bd989745 AP	520	return 1;
	521
	522	case EVP_CTRL_COPY:
	523	if (actx) {
700b8145 F	524	EVP_CIPHER_CTX dst = (EVP_CIPHER_CTX )ptr;
	525
	526	dst->cipher_data =
	527	OPENSSL_memdup(actx, sizeof(*actx) + Poly1305_ctx_size());
	528	if (dst->cipher_data == NULL) {
bd989745 AP	529	EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_COPY_ERROR);
	530	return 0;
	531	}
	532	}
	533	return 1;
	534
	535	case EVP_CTRL_AEAD_SET_IVLEN:
	536	if (arg <= 0 \|\| arg > CHACHA_CTR_SIZE)
	537	return 0;
	538	actx->nonce_len = arg;
	539	return 1;
	540
	541	case EVP_CTRL_AEAD_SET_IV_FIXED:
	542	if (arg != 12)
	543	return 0;
	544	actx->nonce[0] = actx->key.counter[1]
	545	= CHACHA_U8TOU32((unsigned char *)ptr);
	546	actx->nonce[1] = actx->key.counter[2]
	547	= CHACHA_U8TOU32((unsigned char *)ptr+4);
	548	actx->nonce[2] = actx->key.counter[3]
	549	= CHACHA_U8TOU32((unsigned char *)ptr+8);
	550	return 1;
	551
	552	case EVP_CTRL_AEAD_SET_TAG:
	553	if (arg <= 0 \|\| arg > POLY1305_BLOCK_SIZE)
	554	return 0;
	555	if (ptr != NULL) {
	556	memcpy(actx->tag, ptr, arg);
	557	actx->tag_len = arg;
	558	}
	559	return 1;
	560
	561	case EVP_CTRL_AEAD_GET_TAG:
	562	if (arg <= 0 \|\| arg > POLY1305_BLOCK_SIZE \|\| !ctx->encrypt)
	563	return 0;
	564	memcpy(ptr, actx->tag, arg);
	565	return 1;
	566
	567	case EVP_CTRL_AEAD_TLS1_AAD:
	568	if (arg != EVP_AEAD_TLS1_AAD_LEN)
	569	return 0;
	570	{
	571	unsigned int len;
a091e212	572	unsigned char *aad = ptr;
bd989745	573
a091e212	574	memcpy(actx->tls_aad, ptr, EVP_AEAD_TLS1_AAD_LEN);
30a5f322 AP	575	len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 \|
30a5f322 AP	576	aad[EVP_AEAD_TLS1_AAD_LEN - 1];
a091e212	577	aad = actx->tls_aad;
bd989745	578	if (!ctx->encrypt) {
2198b3a5 AP	579	if (len < POLY1305_BLOCK_SIZE)
2198b3a5 AP	580	return 0;
bd989745	581	len -= POLY1305_BLOCK_SIZE; /* discount attached tag */
a091e212 AP	582	aad[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8);
a091e212 AP	583	aad[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len;
bd989745 AP	584	}
	585	actx->tls_payload_length = len;
	586
	587	/*
2198b3a5	588	* merge record sequence number as per RFC7905
bd989745 AP	589	*/
bd989745 AP	590	actx->key.counter[1] = actx->nonce[0];
30a5f322 AP	591	actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);
30a5f322 AP	592	actx->key.counter[3] = actx->nonce[2] ^ CHACHA_U8TOU32(aad+4);
bd989745	593	actx->mac_inited = 0;
a091e212	594
bd989745 AP	595	return POLY1305_BLOCK_SIZE; /* tag length */
	596	}
	597
	598	case EVP_CTRL_AEAD_SET_MAC_KEY:
	599	/* no-op */
	600	return 1;
	601
	602	default:
	603	return -1;
	604	}
	605	}
	606
	607	static EVP_CIPHER chacha20_poly1305 = {
	608	NID_chacha20_poly1305,
	609	1, /* block_size */
	610	CHACHA_KEY_SIZE, /* key_len */
	611	12, /* iv_len, 96-bit nonce in the context */
	612	EVP_CIPH_FLAG_AEAD_CIPHER \| EVP_CIPH_CUSTOM_IV \|
	613	EVP_CIPH_ALWAYS_CALL_INIT \| EVP_CIPH_CTRL_INIT \|
	614	EVP_CIPH_CUSTOM_COPY \| EVP_CIPH_FLAG_CUSTOM_CIPHER,
	615	chacha20_poly1305_init_key,
	616	chacha20_poly1305_cipher,
	617	chacha20_poly1305_cleanup,
	618	0, /* 0 moves context-specific structure allocation to ctrl */
	619	NULL, /* set_asn1_parameters */
	620	NULL, /* get_asn1_parameters */
	621	chacha20_poly1305_ctrl,
	622	NULL /* app_data */
	623	};
	624
	625	const EVP_CIPHER *EVP_chacha20_poly1305(void)
	626	{
	627	return(&chacha20_poly1305);
	628	}
	629	# endif
	630	#endif