search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
text
[RRG-proxmark3.git] / common / mbedtls / chachapoly.c
blob90a71b4893bf44097926608e54498c5f6789ec85
1 /**
2 * \file chachapoly.c
3 *
4 * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
5 *
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 */
21 #include "common.h"
22
23 #if defined(MBEDTLS_CHACHAPOLY_C)
24
25 #include "mbedtls/chachapoly.h"
26 #include "mbedtls/platform_util.h"
27 #include "mbedtls/error.h"
28
29 #include <string.h>
30
31 #if defined(MBEDTLS_SELF_TEST)
32 #if defined(MBEDTLS_PLATFORM_C)
33 #include "mbedtls/platform.h"
34 #else
35 #include <stdio.h>
36 #define mbedtls_printf printf
37 #endif /* MBEDTLS_PLATFORM_C */
38 #endif /* MBEDTLS_SELF_TEST */
39
40 #if !defined(MBEDTLS_CHACHAPOLY_ALT)
41
42 /* Parameter validation macros */
43 #define CHACHAPOLY_VALIDATE_RET( cond ) \
44 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
45 #define CHACHAPOLY_VALIDATE( cond ) \
46 MBEDTLS_INTERNAL_VALIDATE( cond )
47
48 #define CHACHAPOLY_STATE_INIT ( 0 )
49 #define CHACHAPOLY_STATE_AAD ( 1 )
50 #define CHACHAPOLY_STATE_CIPHERTEXT ( 2 ) /* Encrypting or decrypting */
51 #define CHACHAPOLY_STATE_FINISHED ( 3 )
52
53 /**
54 * \brief Adds nul bytes to pad the AAD for Poly1305.
55 *
56 * \param ctx The ChaCha20-Poly1305 context.
57 */
58 static int chachapoly_pad_aad(mbedtls_chachapoly_context *ctx) {
59 uint32_t partial_block_len = (uint32_t)(ctx->aad_len % 16U);
60 unsigned char zeroes[15];
61
62 if (partial_block_len == 0U)
63 return (0);
64
65 memset(zeroes, 0, sizeof(zeroes));
66
67 return (mbedtls_poly1305_update(&ctx->poly1305_ctx,
68 zeroes,
69 16U - partial_block_len));
70 }
71
72 /**
73 * \brief Adds nul bytes to pad the ciphertext for Poly1305.
74 *
75 * \param ctx The ChaCha20-Poly1305 context.
76 */
77 static int chachapoly_pad_ciphertext(mbedtls_chachapoly_context *ctx) {
78 uint32_t partial_block_len = (uint32_t)(ctx->ciphertext_len % 16U);
79 unsigned char zeroes[15];
80
81 if (partial_block_len == 0U)
82 return (0);
83
84 memset(zeroes, 0, sizeof(zeroes));
85 return (mbedtls_poly1305_update(&ctx->poly1305_ctx,
86 zeroes,
87 16U - partial_block_len));
88 }
89
90 void mbedtls_chachapoly_init(mbedtls_chachapoly_context *ctx) {
91 CHACHAPOLY_VALIDATE(ctx != NULL);
92
93 mbedtls_chacha20_init(&ctx->chacha20_ctx);
94 mbedtls_poly1305_init(&ctx->poly1305_ctx);
95 ctx->aad_len = 0U;
96 ctx->ciphertext_len = 0U;
97 ctx->state = CHACHAPOLY_STATE_INIT;
98 ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
99 }
100
101 void mbedtls_chachapoly_free(mbedtls_chachapoly_context *ctx) {
102 if (ctx == NULL)
103 return;
104
105 mbedtls_chacha20_free(&ctx->chacha20_ctx);
106 mbedtls_poly1305_free(&ctx->poly1305_ctx);
107 ctx->aad_len = 0U;
108 ctx->ciphertext_len = 0U;
109 ctx->state = CHACHAPOLY_STATE_INIT;
110 ctx->mode = MBEDTLS_CHACHAPOLY_ENCRYPT;
111 }
112
113 int mbedtls_chachapoly_setkey(mbedtls_chachapoly_context *ctx,
114 const unsigned char key[32]) {
115 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
116 CHACHAPOLY_VALIDATE_RET(ctx != NULL);
117 CHACHAPOLY_VALIDATE_RET(key != NULL);
118
119 ret = mbedtls_chacha20_setkey(&ctx->chacha20_ctx, key);
120
121 return (ret);
122 }
123
124 int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx,
125 const unsigned char nonce[12],
126 mbedtls_chachapoly_mode_t mode) {
127 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
128 unsigned char poly1305_key[64];
129 CHACHAPOLY_VALIDATE_RET(ctx != NULL);
130 CHACHAPOLY_VALIDATE_RET(nonce != NULL);
131
132 /* Set counter = 0, will be update to 1 when generating Poly1305 key */
133 ret = mbedtls_chacha20_starts(&ctx->chacha20_ctx, nonce, 0U);
134 if (ret != 0)
135 goto cleanup;
136
137 /* Generate the Poly1305 key by getting the ChaCha20 keystream output with
138 * counter = 0. This is the same as encrypting a buffer of zeroes.
139 * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
140 * The other 256 bits are discarded.
141 */
142 memset(poly1305_key, 0, sizeof(poly1305_key));
143 ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, sizeof(poly1305_key),
144 poly1305_key, poly1305_key);
145 if (ret != 0)
146 goto cleanup;
147
148 ret = mbedtls_poly1305_starts(&ctx->poly1305_ctx, poly1305_key);
149
150 if (ret == 0) {
151 ctx->aad_len = 0U;
152 ctx->ciphertext_len = 0U;
153 ctx->state = CHACHAPOLY_STATE_AAD;
154 ctx->mode = mode;
155 }
156
157 cleanup:
158 mbedtls_platform_zeroize(poly1305_key, 64U);
159 return (ret);
160 }
161
162 int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx,
163 const unsigned char *aad,
164 size_t aad_len) {
165 CHACHAPOLY_VALIDATE_RET(ctx != NULL);
166 CHACHAPOLY_VALIDATE_RET(aad_len == 0 || aad != NULL);
167
168 if (ctx->state != CHACHAPOLY_STATE_AAD)
169 return (MBEDTLS_ERR_CHACHAPOLY_BAD_STATE);
170
171 ctx->aad_len += aad_len;
172
173 return (mbedtls_poly1305_update(&ctx->poly1305_ctx, aad, aad_len));
174 }
175
176 int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx,
177 size_t len,
178 const unsigned char *input,
179 unsigned char *output) {
180 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
181 CHACHAPOLY_VALIDATE_RET(ctx != NULL);
182 CHACHAPOLY_VALIDATE_RET(len == 0 || input != NULL);
183 CHACHAPOLY_VALIDATE_RET(len == 0 || output != NULL);
184
185 if ((ctx->state != CHACHAPOLY_STATE_AAD) &&
186 (ctx->state != CHACHAPOLY_STATE_CIPHERTEXT)) {
187 return (MBEDTLS_ERR_CHACHAPOLY_BAD_STATE);
188 }
189
190 if (ctx->state == CHACHAPOLY_STATE_AAD) {
191 ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
192
193 ret = chachapoly_pad_aad(ctx);
194 if (ret != 0)
195 return (ret);
196 }
197
198 ctx->ciphertext_len += len;
199
200 if (ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT) {
201 ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
202 if (ret != 0)
203 return (ret);
204
205 ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, output, len);
206 if (ret != 0)
207 return (ret);
208 } else { /* DECRYPT */
209 ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, input, len);
210 if (ret != 0)
211 return (ret);
212
213 ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
214 if (ret != 0)
215 return (ret);
216 }
217
218 return (0);
219 }
220
221 int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx,
222 unsigned char mac[16]) {
223 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
224 unsigned char len_block[16];
225 CHACHAPOLY_VALIDATE_RET(ctx != NULL);
226 CHACHAPOLY_VALIDATE_RET(mac != NULL);
227
228 if (ctx->state == CHACHAPOLY_STATE_INIT) {
229 return (MBEDTLS_ERR_CHACHAPOLY_BAD_STATE);
230 }
231
232 if (ctx->state == CHACHAPOLY_STATE_AAD) {
233 ret = chachapoly_pad_aad(ctx);
234 if (ret != 0)
235 return (ret);
236 } else if (ctx->state == CHACHAPOLY_STATE_CIPHERTEXT) {
237 ret = chachapoly_pad_ciphertext(ctx);
238 if (ret != 0)
239 return (ret);
240 }
241
242 ctx->state = CHACHAPOLY_STATE_FINISHED;
243
244 /* The lengths of the AAD and ciphertext are processed by
245 * Poly1305 as the final 128-bit block, encoded as little-endian integers.
246 */
247 len_block[ 0] = (unsigned char)(ctx->aad_len);
248 len_block[ 1] = (unsigned char)(ctx->aad_len >> 8);
249 len_block[ 2] = (unsigned char)(ctx->aad_len >> 16);
250 len_block[ 3] = (unsigned char)(ctx->aad_len >> 24);
251 len_block[ 4] = (unsigned char)(ctx->aad_len >> 32);
252 len_block[ 5] = (unsigned char)(ctx->aad_len >> 40);
253 len_block[ 6] = (unsigned char)(ctx->aad_len >> 48);
254 len_block[ 7] = (unsigned char)(ctx->aad_len >> 56);
255 len_block[ 8] = (unsigned char)(ctx->ciphertext_len);
256 len_block[ 9] = (unsigned char)(ctx->ciphertext_len >> 8);
257 len_block[10] = (unsigned char)(ctx->ciphertext_len >> 16);
258 len_block[11] = (unsigned char)(ctx->ciphertext_len >> 24);
259 len_block[12] = (unsigned char)(ctx->ciphertext_len >> 32);
260 len_block[13] = (unsigned char)(ctx->ciphertext_len >> 40);
261 len_block[14] = (unsigned char)(ctx->ciphertext_len >> 48);
262 len_block[15] = (unsigned char)(ctx->ciphertext_len >> 56);
263
264 ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, len_block, 16U);
265 if (ret != 0)
266 return (ret);
267
268 ret = mbedtls_poly1305_finish(&ctx->poly1305_ctx, mac);
269
270 return (ret);
271 }
272
273 static int chachapoly_crypt_and_tag(mbedtls_chachapoly_context *ctx,
274 mbedtls_chachapoly_mode_t mode,
275 size_t length,
276 const unsigned char nonce[12],
277 const unsigned char *aad,
278 size_t aad_len,
279 const unsigned char *input,
280 unsigned char *output,
281 unsigned char tag[16]) {
282 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
283
284 ret = mbedtls_chachapoly_starts(ctx, nonce, mode);
285 if (ret != 0)
286 goto cleanup;
287
288 ret = mbedtls_chachapoly_update_aad(ctx, aad, aad_len);
289 if (ret != 0)
290 goto cleanup;
291
292 ret = mbedtls_chachapoly_update(ctx, length, input, output);
293 if (ret != 0)
294 goto cleanup;
295
296 ret = mbedtls_chachapoly_finish(ctx, tag);
297
298 cleanup:
299 return (ret);
300 }
301
302 int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx,
303 size_t length,
304 const unsigned char nonce[12],
305 const unsigned char *aad,
306 size_t aad_len,
307 const unsigned char *input,
308 unsigned char *output,
309 unsigned char tag[16]) {
310 CHACHAPOLY_VALIDATE_RET(ctx != NULL);
311 CHACHAPOLY_VALIDATE_RET(nonce != NULL);
312 CHACHAPOLY_VALIDATE_RET(tag != NULL);
313 CHACHAPOLY_VALIDATE_RET(aad_len == 0 || aad != NULL);
314 CHACHAPOLY_VALIDATE_RET(length == 0 || input != NULL);
315 CHACHAPOLY_VALIDATE_RET(length == 0 || output != NULL);
316
317 return (chachapoly_crypt_and_tag(ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
318 length, nonce, aad, aad_len,
319 input, output, tag));
320 }
321
322 int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
323 size_t length,
324 const unsigned char nonce[12],
325 const unsigned char *aad,
326 size_t aad_len,
327 const unsigned char tag[16],
328 const unsigned char *input,
329 unsigned char *output) {
330 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
331 unsigned char check_tag[16];
332 size_t i;
333 int diff;
334 CHACHAPOLY_VALIDATE_RET(ctx != NULL);
335 CHACHAPOLY_VALIDATE_RET(nonce != NULL);
336 CHACHAPOLY_VALIDATE_RET(tag != NULL);
337 CHACHAPOLY_VALIDATE_RET(aad_len == 0 || aad != NULL);
338 CHACHAPOLY_VALIDATE_RET(length == 0 || input != NULL);
339 CHACHAPOLY_VALIDATE_RET(length == 0 || output != NULL);
340
341 if ((ret = chachapoly_crypt_and_tag(ctx,
342 MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
343 aad, aad_len, input, output, check_tag)) != 0) {
344 return (ret);
345 }
346
347 /* Check tag in "constant-time" */
348 for (diff = 0, i = 0; i < sizeof(check_tag); i++)
349 diff |= tag[i] ^ check_tag[i];
350
351 if (diff != 0) {
352 mbedtls_platform_zeroize(output, length);
353 return (MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED);
354 }
355
356 return (0);
357 }
358
359 #endif /* MBEDTLS_CHACHAPOLY_ALT */
360
361 #if defined(MBEDTLS_SELF_TEST)
362
363 static const unsigned char test_key[1][32] = {
364 {
365 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
366 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
367 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
368 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
369 }
370 };
371
372 static const unsigned char test_nonce[1][12] = {
373 {
374 0x07, 0x00, 0x00, 0x00, /* 32-bit common part */
375 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 /* 64-bit IV */
376 }
377 };
378
379 static const unsigned char test_aad[1][12] = {
380 {
381 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
382 0xc4, 0xc5, 0xc6, 0xc7
383 }
384 };
385
386 static const size_t test_aad_len[1] = {
387 12U
388 };
389
390 static const unsigned char test_input[1][114] = {
391 {
392 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
393 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
394 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
395 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
396 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
397 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
398 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
399 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
400 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
401 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
402 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
403 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
404 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
405 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
406 0x74, 0x2e
407 }
408 };
409
410 static const unsigned char test_output[1][114] = {
411 {
412 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
413 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
414 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
415 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
416 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
417 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
418 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
419 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
420 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
421 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
422 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
423 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
424 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
425 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
426 0x61, 0x16
427 }
428 };
429
430 static const size_t test_input_len[1] = {
431 114U
432 };
433
434 static const unsigned char test_mac[1][16] = {
435 {
436 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
437 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
438 }
439 };
440
441 /* Make sure no other definition is already present. */
442 #undef ASSERT
443
444 #define ASSERT( cond, args ) \
445 do \
446 { \
447 if( ! ( cond ) ) \
448 { \
449 if( verbose != 0 ) \
450 mbedtls_printf args; \
451 \
452 return( -1 ); \
453 } \
454 } \
455 while( 0 )
456
457 int mbedtls_chachapoly_self_test(int verbose) {
458 mbedtls_chachapoly_context ctx;
459 unsigned i;
460 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
461 unsigned char output[200];
462 unsigned char mac[16];
463
464 for (i = 0U; i < 1U; i++) {
465 if (verbose != 0)
466 mbedtls_printf(" ChaCha20-Poly1305 test %u ", i);
467
468 mbedtls_chachapoly_init(&ctx);
469
470 ret = mbedtls_chachapoly_setkey(&ctx, test_key[i]);
471 ASSERT(0 == ret, ("setkey() error code: %i\n", ret));
472
473 ret = mbedtls_chachapoly_encrypt_and_tag(&ctx,
474 test_input_len[i],
475 test_nonce[i],
476 test_aad[i],
477 test_aad_len[i],
478 test_input[i],
479 output,
480 mac);
481
482 ASSERT(0 == ret, ("crypt_and_tag() error code: %i\n", ret));
483
484 ASSERT(0 == memcmp(output, test_output[i], test_input_len[i]),
485 ("failure (wrong output)\n"));
486
487 ASSERT(0 == memcmp(mac, test_mac[i], 16U),
488 ("failure (wrong MAC)\n"));
489
490 mbedtls_chachapoly_free(&ctx);
491
492 if (verbose != 0)
493 mbedtls_printf("passed\n");
494 }
495
496 if (verbose != 0)
497 mbedtls_printf("\n");
498
499 return (0);
500 }
501
502 #endif /* MBEDTLS_SELF_TEST */
503
504 #endif /* MBEDTLS_CHACHAPOLY_C */
Proxmark3 - the RFID research Swiss army knife. Iceman firmware