Coverage Report

Created: 2020-05-23 13:54

/src/botan/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* ChaCha20Poly1305 AEAD
3
* (C) 2014,2016,2018 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/chacha20poly1305.h>
10
#include <botan/loadstor.h>
11
12
namespace Botan {
13
14
ChaCha20Poly1305_Mode::ChaCha20Poly1305_Mode() :
15
   m_chacha(StreamCipher::create("ChaCha")),
16
   m_poly1305(MessageAuthenticationCode::create("Poly1305"))
17
110
   {
18
110
   if(!m_chacha || !m_poly1305)
19
0
      throw Algorithm_Not_Found("ChaCha20Poly1305");
20
110
   }
21
22
bool ChaCha20Poly1305_Mode::valid_nonce_length(size_t n) const
23
153
   {
24
153
   return (n == 8 || n == 12 || n == 24);
25
153
   }
26
27
void ChaCha20Poly1305_Mode::clear()
28
0
   {
29
0
   m_chacha->clear();
30
0
   m_poly1305->clear();
31
0
   reset();
32
0
   }
33
34
void ChaCha20Poly1305_Mode::reset()
35
0
   {
36
0
   m_ad.clear();
37
0
   m_ctext_len = 0;
38
0
   m_nonce_len = 0;
39
0
   }
40
41
void ChaCha20Poly1305_Mode::key_schedule(const uint8_t key[], size_t length)
42
110
   {
43
110
   m_chacha->set_key(key, length);
44
110
   }
45
46
void ChaCha20Poly1305_Mode::set_associated_data(const uint8_t ad[], size_t length)
47
153
   {
48
153
   if(m_ctext_len > 0 || m_nonce_len > 0)
49
0
      throw Invalid_State("Cannot set AD for ChaCha20Poly1305 while processing a message");
50
153
   m_ad.assign(ad, ad + length);
51
153
   }
52
53
void ChaCha20Poly1305_Mode::update_len(size_t len)
54
306
   {
55
306
   uint8_t len8[8] = { 0 };
56
306
   store_le(static_cast<uint64_t>(len), len8);
57
306
   m_poly1305->update(len8, 8);
58
306
   }
59
60
void ChaCha20Poly1305_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
61
153
   {
62
153
   if(!valid_nonce_length(nonce_len))
63
0
      throw Invalid_IV_Length(name(), nonce_len);
64
153
65
153
   m_ctext_len = 0;
66
153
   m_nonce_len = nonce_len;
67
153
68
153
   m_chacha->set_iv(nonce, nonce_len);
69
153
70
153
   uint8_t first_block[64];
71
153
   m_chacha->write_keystream(first_block, sizeof(first_block));
72
153
73
153
   m_poly1305->set_key(first_block, 32);
74
153
   // Remainder of first block is discarded
75
153
   secure_scrub_memory(first_block, sizeof(first_block));
76
153
77
153
   m_poly1305->update(m_ad);
78
153
79
153
   if(cfrg_version())
80
153
      {
81
153
      if(m_ad.size() % 16)
82
153
         {
83
153
         const uint8_t zeros[16] = { 0 };
84
153
         m_poly1305->update(zeros, 16 - m_ad.size() % 16);
85
153
         }
86
153
      }
87
0
   else
88
0
      {
89
0
      update_len(m_ad.size());
90
0
      }
91
153
   }
92
93
size_t ChaCha20Poly1305_Encryption::process(uint8_t buf[], size_t sz)
94
107
   {
95
107
   m_chacha->cipher1(buf, sz);
96
107
   m_poly1305->update(buf, sz); // poly1305 of ciphertext
97
107
   m_ctext_len += sz;
98
107
   return sz;
99
107
   }
100
101
void ChaCha20Poly1305_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
102
107
   {
103
107
   update(buffer, offset);
104
107
   if(cfrg_version())
105
107
      {
106
107
      if(m_ctext_len % 16)
107
51
         {
108
51
         const uint8_t zeros[16] = { 0 };
109
51
         m_poly1305->update(zeros, 16 - m_ctext_len % 16);
110
51
         }
111
107
      update_len(m_ad.size());
112
107
      }
113
107
   update_len(m_ctext_len);
114
107
115
107
   buffer.resize(buffer.size() + tag_size());
116
107
   m_poly1305->final(&buffer[buffer.size() - tag_size()]);
117
107
   m_ctext_len = 0;
118
107
   m_nonce_len = 0;
119
107
   }
120
121
size_t ChaCha20Poly1305_Decryption::process(uint8_t buf[], size_t sz)
122
0
   {
123
0
   m_poly1305->update(buf, sz); // poly1305 of ciphertext
124
0
   m_chacha->cipher1(buf, sz);
125
0
   m_ctext_len += sz;
126
0
   return sz;
127
0
   }
128
129
void ChaCha20Poly1305_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
130
46
   {
131
46
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
132
46
   const size_t sz = buffer.size() - offset;
133
46
   uint8_t* buf = buffer.data() + offset;
134
46
135
46
   BOTAN_ASSERT(sz >= tag_size(), "Have the tag as part of final input");
136
46
137
46
   const size_t remaining = sz - tag_size();
138
46
139
46
   if(remaining)
140
44
      {
141
44
      m_poly1305->update(buf, remaining); // poly1305 of ciphertext
142
44
      m_chacha->cipher1(buf, remaining);
143
44
      m_ctext_len += remaining;
144
44
      }
145
46
146
46
   if(cfrg_version())
147
46
      {
148
46
      if(m_ctext_len % 16)
149
30
         {
150
30
         const uint8_t zeros[16] = { 0 };
151
30
         m_poly1305->update(zeros, 16 - m_ctext_len % 16);
152
30
         }
153
46
      update_len(m_ad.size());
154
46
      }
155
46
156
46
   update_len(m_ctext_len);
157
46
158
46
   uint8_t mac[16];
159
46
   m_poly1305->final(mac);
160
46
161
46
   const uint8_t* included_tag = &buf[remaining];
162
46
163
46
   m_ctext_len = 0;
164
46
   m_nonce_len = 0;
165
46
166
46
   if(!constant_time_compare(mac, included_tag, tag_size()))
167
46
      throw Invalid_Authentication_Tag("ChaCha20Poly1305 tag check failed");
168
0
   buffer.resize(offset + remaining);
169
0
   }
170
171
}