2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2020 Netflix Inc.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <opencrypto/xform_auth.h>
29 #include <opencrypto/xform_enc.h>
31 #include <sodium/crypto_onetimeauth_poly1305.h>
32 #include <sodium/crypto_stream_chacha20.h>
34 struct chacha20_poly1305_cipher_ctx {
38 char nonce[CHACHA20_POLY1305_IV_LEN];
42 chacha20_poly1305_setkey(void *vctx, const uint8_t *key, int len)
44 struct chacha20_poly1305_cipher_ctx *ctx = vctx;
46 if (len != CHACHA20_POLY1305_KEY)
54 chacha20_poly1305_reinit(void *vctx, const uint8_t *iv, size_t ivlen)
56 struct chacha20_poly1305_cipher_ctx *ctx = vctx;
58 KASSERT(ivlen == 8 || ivlen == sizeof(ctx->nonce),
59 ("%s: invalid nonce length", __func__));
61 /* Block 0 is used for the poly1305 key. */
62 memcpy(ctx->nonce, iv, ivlen);
63 ctx->ietf = (ivlen == CHACHA20_POLY1305_IV_LEN);
68 chacha20_poly1305_crypt(void *vctx, const uint8_t *in, uint8_t *out)
70 struct chacha20_poly1305_cipher_ctx *ctx = vctx;
74 error = crypto_stream_chacha20_ietf_xor_ic(out, in,
75 CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key);
77 error = crypto_stream_chacha20_xor_ic(out, in,
78 CHACHA20_NATIVE_BLOCK_LEN, ctx->nonce, ctx->ic, ctx->key);
79 KASSERT(error == 0, ("%s failed: %d", __func__, error));
84 chacha20_poly1305_crypt_last(void *vctx, const uint8_t *in, uint8_t *out,
87 struct chacha20_poly1305_cipher_ctx *ctx = vctx;
92 error = crypto_stream_chacha20_ietf_xor_ic(out, in, len,
93 ctx->nonce, ctx->ic, ctx->key);
95 error = crypto_stream_chacha20_xor_ic(out, in, len, ctx->nonce,
97 KASSERT(error == 0, ("%s failed: %d", __func__, error));
100 struct enc_xform enc_xform_chacha20_poly1305 = {
101 .type = CRYPTO_CHACHA20_POLY1305,
102 .name = "ChaCha20-Poly1305",
103 .ctxsize = sizeof(struct chacha20_poly1305_cipher_ctx),
105 .native_blocksize = CHACHA20_NATIVE_BLOCK_LEN,
106 .ivsize = CHACHA20_POLY1305_IV_LEN,
107 .minkey = CHACHA20_POLY1305_KEY,
108 .maxkey = CHACHA20_POLY1305_KEY,
109 .encrypt = chacha20_poly1305_crypt,
110 .decrypt = chacha20_poly1305_crypt,
111 .setkey = chacha20_poly1305_setkey,
112 .reinit = chacha20_poly1305_reinit,
113 .encrypt_last = chacha20_poly1305_crypt_last,
114 .decrypt_last = chacha20_poly1305_crypt_last,
117 struct chacha20_poly1305_auth_ctx {
118 struct crypto_onetimeauth_poly1305_state state;
121 CTASSERT(sizeof(union authctx) >= sizeof(struct chacha20_poly1305_auth_ctx));
124 chacha20_poly1305_Init(void *vctx)
129 chacha20_poly1305_Setkey(void *vctx, const uint8_t *key, u_int klen)
131 struct chacha20_poly1305_auth_ctx *ctx = vctx;
137 chacha20_poly1305_Reinit(void *vctx, const uint8_t *nonce, u_int noncelen)
139 struct chacha20_poly1305_auth_ctx *ctx = vctx;
140 char block[CHACHA20_NATIVE_BLOCK_LEN];
144 crypto_stream_chacha20(block, sizeof(block), nonce, ctx->key);
146 case CHACHA20_POLY1305_IV_LEN:
147 crypto_stream_chacha20_ietf(block, sizeof(block), nonce, ctx->key);
150 __assert_unreachable();
152 crypto_onetimeauth_poly1305_init(&ctx->state, block);
153 explicit_bzero(block, sizeof(block));
157 chacha20_poly1305_Update(void *vctx, const void *data, u_int len)
159 struct chacha20_poly1305_auth_ctx *ctx = vctx;
161 crypto_onetimeauth_poly1305_update(&ctx->state, data, len);
166 chacha20_poly1305_Final(uint8_t *digest, void *vctx)
168 struct chacha20_poly1305_auth_ctx *ctx = vctx;
170 crypto_onetimeauth_poly1305_final(&ctx->state, digest);
173 struct auth_hash auth_hash_chacha20_poly1305 = {
174 .type = CRYPTO_POLY1305,
175 .name = "ChaCha20-Poly1305",
176 .keysize = POLY1305_KEY_LEN,
177 .hashsize = POLY1305_HASH_LEN,
178 .ctxsize = sizeof(struct chacha20_poly1305_auth_ctx),
179 .blocksize = crypto_onetimeauth_poly1305_BYTES,
180 .Init = chacha20_poly1305_Init,
181 .Setkey = chacha20_poly1305_Setkey,
182 .Reinit = chacha20_poly1305_Reinit,
183 .Update = chacha20_poly1305_Update,
184 .Final = chacha20_poly1305_Final,