cheng/libsodium
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add detached versions of ChaCha20-Poly1305

Browse Source
This commit is contained in:
Frank Denis 2016-03-21 13:11:04 +01:00
parent 89a6f58e4d
commit de451c23a0
2 changed files with 234 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

279
src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c
View File

@ -25,32 +25,22 @@ _u64_le_from_ull(unsigned char out[8U], unsigned long long x)
}
int
crypto_aead_chacha20poly1305_encrypt(unsigned char *c,
unsigned long long *clen_p,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *ad,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
const unsigned char *k)
crypto_aead_chacha20poly1305_encrypt_detached(unsigned char *c,
unsigned char *mac,
unsigned long long *maclen_p,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *ad,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
const unsigned char *k)
{
crypto_onetimeauth_poly1305_state state;
unsigned char block0[64U];
unsigned char slen[8U];
(void) nsec;
/* LCOV_EXCL_START */
#ifdef ULONG_LONG_MAX
if (mlen > ULONG_LONG_MAX - crypto_aead_chacha20poly1305_ABYTES) {
if (clen_p != NULL) {
*clen_p = 0ULL;
}
return -1;
}
#endif
/* LCOV_EXCL_STOP */
crypto_stream_chacha20(block0, sizeof block0, npub, k);
crypto_onetimeauth_poly1305_init(&state, block0);
sodium_memzero(block0, sizeof block0);
@ -65,31 +55,28 @@ crypto_aead_chacha20poly1305_encrypt(unsigned char *c,
_u64_le_from_ull(slen, mlen);
crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
crypto_onetimeauth_poly1305_final(&state, c + mlen);
crypto_onetimeauth_poly1305_final(&state, mac);
sodium_memzero(&state, sizeof state);
if (clen_p != NULL) {
*clen_p = mlen + crypto_aead_chacha20poly1305_ABYTES;
if (maclen_p != NULL) {
*maclen_p = crypto_aead_chacha20poly1305_ABYTES;
}
return 0;
}
int
crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c,
unsigned long long *clen_p,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *ad,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
const unsigned char *k)
crypto_aead_chacha20poly1305_encrypt(unsigned char *c,
unsigned long long *clen_p,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *ad,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
const unsigned char *k)
{
crypto_onetimeauth_poly1305_state state;
unsigned char block0[64U];
unsigned char slen[8U];
int ret;
(void) nsec;
/* LCOV_EXCL_START */
#ifdef ULONG_LONG_MAX
if (mlen > ULONG_LONG_MAX - crypto_aead_chacha20poly1305_ABYTES) {
@ -100,7 +87,34 @@ crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c,
}
#endif
/* LCOV_EXCL_STOP */
ret = crypto_aead_chacha20poly1305_encrypt_detached(c,
c + mlen, NULL,
m, mlen,
ad, adlen,
nsec, npub, k);
if (clen_p != NULL) {
*clen_p = mlen + crypto_aead_chacha20poly1305_ABYTES;
}
return ret;
}
int
crypto_aead_chacha20poly1305_ietf_encrypt_detached(unsigned char *c,
unsigned char *mac,
unsigned long long *maclen_p,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *ad,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
const unsigned char *k)
{
crypto_onetimeauth_poly1305_state state;
unsigned char block0[64U];
unsigned char slen[8U];
(void) nsec;
crypto_stream_chacha20_ietf(block0, sizeof block0, npub, k);
crypto_onetimeauth_poly1305_init(&state, block0);
sodium_memzero(block0, sizeof block0);
@ -119,11 +133,98 @@ crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c,
_u64_le_from_ull(slen, mlen);
crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
crypto_onetimeauth_poly1305_final(&state, c + mlen);
crypto_onetimeauth_poly1305_final(&state, mac);
sodium_memzero(&state, sizeof state);
if (maclen_p != NULL) {
*maclen_p = crypto_aead_chacha20poly1305_ietf_ABYTES;
}
return 0;
}
int
crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c,
unsigned long long *clen_p,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *ad,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
const unsigned char *k)
{
int ret;
/* LCOV_EXCL_START */
#ifdef ULONG_LONG_MAX
if (mlen > ULONG_LONG_MAX - crypto_aead_chacha20poly1305_ietf_ABYTES) {
if (clen_p != NULL) {
*clen_p = 0ULL;
}
return -1;
}
#endif
/* LCOV_EXCL_STOP */
ret = crypto_aead_chacha20poly1305_ietf_encrypt_detached(c,
c + mlen, NULL,
m, mlen,
ad, adlen,
nsec, npub, k);
if (clen_p != NULL) {
*clen_p = mlen + crypto_aead_chacha20poly1305_ABYTES;
*clen_p = mlen + crypto_aead_chacha20poly1305_ietf_ABYTES;
}
return ret;
}
int
crypto_aead_chacha20poly1305_decrypt_detached(unsigned char *m,
unsigned long long *mlen_p,
unsigned char *nsec,
const unsigned char *c,
unsigned long long clen,
const unsigned char *mac,
const unsigned char *ad,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
{
crypto_onetimeauth_poly1305_state state;
unsigned char block0[64U];
unsigned char slen[8U];
unsigned char computed_mac[crypto_aead_chacha20poly1305_ABYTES];
unsigned long long mlen;
int ret;
(void) nsec;
if (mlen_p != NULL) {
*mlen_p = 0ULL;
}
crypto_stream_chacha20(block0, sizeof block0, npub, k);
crypto_onetimeauth_poly1305_init(&state, block0);
sodium_memzero(block0, sizeof block0);
crypto_onetimeauth_poly1305_update(&state, ad, adlen);
_u64_le_from_ull(slen, adlen);
crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
mlen = clen;
crypto_onetimeauth_poly1305_update(&state, c, mlen);
_u64_le_from_ull(slen, mlen);
crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
crypto_onetimeauth_poly1305_final(&state, computed_mac);
sodium_memzero(&state, sizeof state);
(void) sizeof(int[sizeof computed_mac == 16U ? 1 : -1]);
ret = crypto_verify_16(computed_mac, mac);
sodium_memzero(computed_mac, sizeof computed_mac);
if (ret != 0) {
memset(m, 0, mlen);
return -1;
}
crypto_stream_chacha20_xor_ic(m, c, mlen, npub, 1U, k);
if (mlen_p != NULL) {
*mlen_p = mlen;
}
return 0;
}
@ -138,11 +239,36 @@ crypto_aead_chacha20poly1305_decrypt(unsigned char *m,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
{
int ret;
if (clen < crypto_aead_chacha20poly1305_ABYTES) {
return -1;
}
return crypto_aead_chacha20poly1305_decrypt_detached
(m, mlen_p, nsec,
c, clen - crypto_aead_chacha20poly1305_ABYTES,
c + clen - crypto_aead_chacha20poly1305_ABYTES,
ad, adlen,
npub, k);
}
int
crypto_aead_chacha20poly1305_ietf_decrypt_detached(unsigned char *m,
unsigned long long *mlen_p,
unsigned char *nsec,
const unsigned char *c,
unsigned long long clen,
const unsigned char *mac,
const unsigned char *ad,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
{
crypto_onetimeauth_poly1305_state state;
unsigned char block0[64U];
unsigned char slen[8U];
unsigned char mac[crypto_aead_chacha20poly1305_ABYTES];
unsigned char computed_mac[crypto_aead_chacha20poly1305_ietf_ABYTES];
unsigned long long mlen;
int ret;
@ -150,34 +276,34 @@ crypto_aead_chacha20poly1305_decrypt(unsigned char *m,
if (mlen_p != NULL) {
*mlen_p = 0ULL;
}
if (clen < crypto_aead_chacha20poly1305_ABYTES) {
return -1;
}
crypto_stream_chacha20(block0, sizeof block0, npub, k);
crypto_stream_chacha20_ietf(block0, sizeof block0, npub, k);
crypto_onetimeauth_poly1305_init(&state, block0);
sodium_memzero(block0, sizeof block0);
crypto_onetimeauth_poly1305_update(&state, ad, adlen);
crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - adlen) & 0xf);
mlen = clen;
crypto_onetimeauth_poly1305_update(&state, c, mlen);
crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf);
_u64_le_from_ull(slen, adlen);
crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
mlen = clen - crypto_aead_chacha20poly1305_ABYTES;
crypto_onetimeauth_poly1305_update(&state, c, mlen);
_u64_le_from_ull(slen, mlen);
crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
crypto_onetimeauth_poly1305_final(&state, mac);
crypto_onetimeauth_poly1305_final(&state, computed_mac);
sodium_memzero(&state, sizeof state);
(void) sizeof(int[sizeof mac == 16U ? 1 : -1]);
ret = crypto_verify_16(mac, c + mlen);
sodium_memzero(mac, sizeof mac);
(void) sizeof(int[sizeof computed_mac == 16U ? 1 : -1]);
ret = crypto_verify_16(computed_mac, mac);
sodium_memzero(computed_mac, sizeof computed_mac);
if (ret != 0) {
memset(m, 0, mlen);
return -1;
}
crypto_stream_chacha20_xor_ic
(m, c, mlen, npub, 1U, k);
crypto_stream_chacha20_ietf_xor_ic(m, c, mlen, npub, 1U, k);
if (mlen_p != NULL) {
*mlen_p = mlen;
}
@ -195,52 +321,15 @@ crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m,
const unsigned char *npub,
const unsigned char *k)
{
crypto_onetimeauth_poly1305_state state;
unsigned char block0[64U];
unsigned char slen[8U];
unsigned char mac[crypto_aead_chacha20poly1305_ABYTES];
unsigned long long mlen;
int ret;
(void) nsec;
if (mlen_p != NULL) {
*mlen_p = 0ULL;
}
if (clen < crypto_aead_chacha20poly1305_ABYTES) {
if (clen < crypto_aead_chacha20poly1305_ietf_ABYTES) {
return -1;
}
crypto_stream_chacha20_ietf(block0, sizeof block0, npub, k);
crypto_onetimeauth_poly1305_init(&state, block0);
sodium_memzero(block0, sizeof block0);
crypto_onetimeauth_poly1305_update(&state, ad, adlen);
crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - adlen) & 0xf);
mlen = clen - crypto_aead_chacha20poly1305_ABYTES;
crypto_onetimeauth_poly1305_update(&state, c, mlen);
crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf);
_u64_le_from_ull(slen, adlen);
crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
_u64_le_from_ull(slen, mlen);
crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
crypto_onetimeauth_poly1305_final(&state, mac);
sodium_memzero(&state, sizeof state);
(void) sizeof(int[sizeof mac == 16U ? 1 : -1]);
ret = crypto_verify_16(mac, c + mlen);
sodium_memzero(mac, sizeof mac);
if (ret != 0) {
memset(m, 0, mlen);
return -1;
}
crypto_stream_chacha20_ietf_xor_ic(m, c, mlen, npub, 1U, k);
if (mlen_p != NULL) {
*mlen_p = mlen;
}
return 0;
return crypto_aead_chacha20poly1305_ietf_decrypt_detached
(m, mlen_p, nsec,
c, clen - crypto_aead_chacha20poly1305_ietf_ABYTES,
c + clen - crypto_aead_chacha20poly1305_ietf_ABYTES,
ad, adlen,
npub, k);
}
size_t

50
src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h
View File

@ -11,6 +11,8 @@
extern "C" {
#endif
/* -- IETF ChaCha20-Poly1305 construction with a 96-bit nonce and a 32-bit internal counter -- */
#define crypto_aead_chacha20poly1305_ietf_KEYBYTES 32U
SODIUM_EXPORT
size_t crypto_aead_chacha20poly1305_ietf_keybytes(void);
@ -51,6 +53,31 @@ int crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m,
const unsigned char *k)
__attribute__ ((warn_unused_result));
int crypto_aead_chacha20poly1305_ietf_encrypt_detached(unsigned char *c,
unsigned char *mac,
unsigned long long *maclen_p,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *ad,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
const unsigned char *k);
int crypto_aead_chacha20poly1305_ietf_decrypt_detached(unsigned char *m,
unsigned long long *mlen_p,
unsigned char *nsec,
const unsigned char *c,
unsigned long long clen,
const unsigned char *mac,
const unsigned char *ad,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
__attribute__ ((warn_unused_result));
/* -- Original ChaCha20-Poly1305 construction with a 64-bit nonce and a 64-bit internal counter -- */
#define crypto_aead_chacha20poly1305_KEYBYTES 32U
SODIUM_EXPORT
size_t crypto_aead_chacha20poly1305_keybytes(void);
@ -90,6 +117,29 @@ int crypto_aead_chacha20poly1305_decrypt(unsigned char *m,
const unsigned char *k)
__attribute__ ((warn_unused_result));
int crypto_aead_chacha20poly1305_encrypt_detached(unsigned char *c,
unsigned char *mac,
unsigned long long *maclen_p,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *ad,
unsigned long long adlen,
const unsigned char *nsec,
const unsigned char *npub,
const unsigned char *k);
int crypto_aead_chacha20poly1305_decrypt_detached(unsigned char *m,
unsigned long long *mlen_p,
unsigned char *nsec,
const unsigned char *c,
unsigned long long clen,
const unsigned char *mac,
const unsigned char *ad,
unsigned long long adlen,
const unsigned char *npub,
const unsigned char *k)
__attribute__ ((warn_unused_result));
/* Aliases */
#define crypto_aead_chacha20poly1305_IETF_KEYBYTES crypto_aead_chacha20poly1305_ietf_KEYBYTES