2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
28 gen_chapol_init(br_sslrec_chapol_context *cc,
29 br_chacha20_run ichacha, br_poly1305_run ipoly,
30 const void *key, const void *iv)
33 cc->ichacha = ichacha;
35 memcpy(cc->key, key, sizeof cc->key);
36 memcpy(cc->iv, iv, sizeof cc->iv);
40 gen_chapol_process(br_sslrec_chapol_context *cc,
41 int record_type, unsigned version, void *data, size_t len,
42 void *tag, int encrypt)
44 unsigned char header[13];
45 unsigned char nonce[12];
50 br_enc64be(header, seq);
51 header[8] = (unsigned char)record_type;
52 br_enc16be(header + 9, version);
53 br_enc16be(header + 11, len);
54 memcpy(nonce, cc->iv, 12);
55 for (u = 0; u < 8; u ++) {
56 nonce[11 - u] ^= (unsigned char)seq;
59 cc->ipoly(cc->key, nonce, data, len, header, sizeof header,
60 tag, cc->ichacha, encrypt);
64 in_chapol_init(br_sslrec_chapol_context *cc,
65 br_chacha20_run ichacha, br_poly1305_run ipoly,
66 const void *key, const void *iv)
68 cc->vtable.in = &br_sslrec_in_chapol_vtable;
69 gen_chapol_init(cc, ichacha, ipoly, key, iv);
73 chapol_check_length(const br_sslrec_chapol_context *cc, size_t rlen)
76 * Overhead is just the authentication tag (16 bytes).
79 return rlen >= 16 && rlen <= (16384 + 16);
82 static unsigned char *
83 chapol_decrypt(br_sslrec_chapol_context *cc,
84 int record_type, unsigned version, void *data, size_t *data_len)
88 unsigned char tag[16];
93 gen_chapol_process(cc, record_type, version, buf, len, tag, 0);
95 for (u = 0; u < 16; u ++) {
96 bad |= tag[u] ^ buf[len + u];
105 /* see bearssl_ssl.h */
106 const br_sslrec_in_chapol_class br_sslrec_in_chapol_vtable = {
108 sizeof(br_sslrec_chapol_context),
109 (int (*)(const br_sslrec_in_class *const *, size_t))
110 &chapol_check_length,
111 (unsigned char *(*)(const br_sslrec_in_class **,
112 int, unsigned, void *, size_t *))
115 (void (*)(const br_sslrec_in_chapol_class **,
116 br_chacha20_run, br_poly1305_run,
117 const void *, const void *))
122 out_chapol_init(br_sslrec_chapol_context *cc,
123 br_chacha20_run ichacha, br_poly1305_run ipoly,
124 const void *key, const void *iv)
126 cc->vtable.out = &br_sslrec_out_chapol_vtable;
127 gen_chapol_init(cc, ichacha, ipoly, key, iv);
131 chapol_max_plaintext(const br_sslrec_chapol_context *cc,
132 size_t *start, size_t *end)
137 len = *end - *start - 16;
144 static unsigned char *
145 chapol_encrypt(br_sslrec_chapol_context *cc,
146 int record_type, unsigned version, void *data, size_t *data_len)
153 gen_chapol_process(cc, record_type, version, buf, len, buf + len, 1);
155 buf[0] = (unsigned char)record_type;
156 br_enc16be(buf + 1, version);
157 br_enc16be(buf + 3, len + 16);
158 *data_len = len + 21;
162 /* see bearssl_ssl.h */
163 const br_sslrec_out_chapol_class br_sslrec_out_chapol_vtable = {
165 sizeof(br_sslrec_chapol_context),
166 (void (*)(const br_sslrec_out_class *const *,
168 &chapol_max_plaintext,
169 (unsigned char *(*)(const br_sslrec_out_class **,
170 int, unsigned, void *, size_t *))
173 (void (*)(const br_sslrec_out_chapol_class **,
174 br_chacha20_run, br_poly1305_run,
175 const void *, const void *))