diff options
Diffstat (limited to 'security/nss/lib/freebl/chacha20poly1305.c')
| -rw-r--r-- | security/nss/lib/freebl/chacha20poly1305.c | 198 |
1 files changed, 198 insertions, 0 deletions
diff --git a/security/nss/lib/freebl/chacha20poly1305.c b/security/nss/lib/freebl/chacha20poly1305.c new file mode 100644 index 000000000..cd265e1ff --- /dev/null +++ b/security/nss/lib/freebl/chacha20poly1305.c @@ -0,0 +1,198 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifdef FREEBL_NO_DEPEND +#include "stubs.h" +#endif + +#include <string.h> +#include <stdio.h> + +#include "seccomon.h" +#include "secerr.h" +#include "blapit.h" + +#ifndef NSS_DISABLE_CHACHAPOLY +#include "poly1305.h" +#include "chacha20.h" +#include "chacha20poly1305.h" +#endif + +/* Poly1305Do writes the Poly1305 authenticator of the given additional data + * and ciphertext to |out|. */ +#ifndef NSS_DISABLE_CHACHAPOLY +static void +Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen, + const unsigned char *ciphertext, unsigned int ciphertextLen, + const unsigned char key[32]) +{ + poly1305_state state; + unsigned int j; + unsigned char lengthBytes[8]; + static const unsigned char zeros[15]; + unsigned int i; + + Poly1305Init(&state, key); + Poly1305Update(&state, ad, adLen); + if (adLen % 16 > 0) { + Poly1305Update(&state, zeros, 16 - adLen % 16); + } + Poly1305Update(&state, ciphertext, ciphertextLen); + if (ciphertextLen % 16 > 0) { + Poly1305Update(&state, zeros, 16 - ciphertextLen % 16); + } + j = adLen; + for (i = 0; i < sizeof(lengthBytes); i++) { + lengthBytes[i] = j; + j >>= 8; + } + Poly1305Update(&state, lengthBytes, sizeof(lengthBytes)); + j = ciphertextLen; + for (i = 0; i < sizeof(lengthBytes); i++) { + lengthBytes[i] = j; + j >>= 8; + } + Poly1305Update(&state, lengthBytes, sizeof(lengthBytes)); + Poly1305Finish(&state, out); +} +#endif + +SECStatus +ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx, + const unsigned char *key, unsigned int keyLen, + unsigned int tagLen) +{ +#ifdef NSS_DISABLE_CHACHAPOLY + return SECFailure; +#else + if (keyLen != 32) { + PORT_SetError(SEC_ERROR_BAD_KEY); + return SECFailure; + } + if (tagLen == 0 || tagLen > 16) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; + } + + PORT_Memcpy(ctx->key, key, sizeof(ctx->key)); + ctx->tagLen = tagLen; + + return SECSuccess; +#endif +} + +ChaCha20Poly1305Context * +ChaCha20Poly1305_CreateContext(const unsigned char *key, unsigned int keyLen, + unsigned int tagLen) +{ +#ifdef NSS_DISABLE_CHACHAPOLY + return NULL; +#else + ChaCha20Poly1305Context *ctx; + + ctx = PORT_New(ChaCha20Poly1305Context); + if (ctx == NULL) { + return NULL; + } + + if (ChaCha20Poly1305_InitContext(ctx, key, keyLen, tagLen) != SECSuccess) { + PORT_Free(ctx); + ctx = NULL; + } + + return ctx; +#endif +} + +void +ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, PRBool freeit) +{ +#ifndef NSS_DISABLE_CHACHAPOLY + PORT_Memset(ctx, 0, sizeof(*ctx)); + if (freeit) { + PORT_Free(ctx); + } +#endif +} + +SECStatus +ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx, unsigned char *output, + unsigned int *outputLen, unsigned int maxOutputLen, + const unsigned char *input, unsigned int inputLen, + const unsigned char *nonce, unsigned int nonceLen, + const unsigned char *ad, unsigned int adLen) +{ +#ifdef NSS_DISABLE_CHACHAPOLY + return SECFailure; +#else + unsigned char block[64]; + unsigned char tag[16]; + + if (nonceLen != 12) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; + } + *outputLen = inputLen + ctx->tagLen; + if (maxOutputLen < *outputLen) { + PORT_SetError(SEC_ERROR_OUTPUT_LEN); + return SECFailure; + } + + PORT_Memset(block, 0, sizeof(block)); + // Generate a block of keystream. The first 32 bytes will be the poly1305 + // key. The remainder of the block is discarded. + ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0); + ChaCha20XOR(output, input, inputLen, ctx->key, nonce, 1); + + Poly1305Do(tag, ad, adLen, output, inputLen, block); + PORT_Memcpy(output + inputLen, tag, ctx->tagLen); + + return SECSuccess; +#endif +} + +SECStatus +ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx, unsigned char *output, + unsigned int *outputLen, unsigned int maxOutputLen, + const unsigned char *input, unsigned int inputLen, + const unsigned char *nonce, unsigned int nonceLen, + const unsigned char *ad, unsigned int adLen) +{ +#ifdef NSS_DISABLE_CHACHAPOLY + return SECFailure; +#else + unsigned char block[64]; + unsigned char tag[16]; + unsigned int ciphertextLen; + + if (nonceLen != 12) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; + } + if (inputLen < ctx->tagLen) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; + } + ciphertextLen = inputLen - ctx->tagLen; + *outputLen = ciphertextLen; + if (maxOutputLen < *outputLen) { + PORT_SetError(SEC_ERROR_OUTPUT_LEN); + return SECFailure; + } + + PORT_Memset(block, 0, sizeof(block)); + // Generate a block of keystream. The first 32 bytes will be the poly1305 + // key. The remainder of the block is discarded. + ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0); + Poly1305Do(tag, ad, adLen, input, ciphertextLen, block); + if (NSS_SecureMemcmp(tag, &input[ciphertextLen], ctx->tagLen) != 0) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + + ChaCha20XOR(output, input, ciphertextLen, ctx->key, nonce, 1); + + return SECSuccess; +#endif +} |