Coverage Report

Created: 2021-05-04 09:02

/src/botan/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* ChaCha20Poly1305 AEAD
3
* (C) 2014,2016,2018 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/chacha20poly1305.h>
10
#include <botan/internal/loadstor.h>
11
12
namespace Botan {
13
14
ChaCha20Poly1305_Mode::ChaCha20Poly1305_Mode() :
15
   m_chacha(StreamCipher::create("ChaCha")),
16
   m_poly1305(MessageAuthenticationCode::create("Poly1305"))
17
58
   {
18
58
   if(!m_chacha || !m_poly1305)
19
0
      throw Algorithm_Not_Found("ChaCha20Poly1305");
20
58
   }
21
22
bool ChaCha20Poly1305_Mode::valid_nonce_length(size_t n) const
23
55
   {
24
55
   return (n == 8 || n == 12 || n == 24);
25
55
   }
26
27
void ChaCha20Poly1305_Mode::clear()
28
0
   {
29
0
   m_chacha->clear();
30
0
   m_poly1305->clear();
31
0
   reset();
32
0
   }
33
34
void ChaCha20Poly1305_Mode::reset()
35
0
   {
36
0
   m_ad.clear();
37
0
   m_ctext_len = 0;
38
0
   m_nonce_len = 0;
39
0
   }
40
41
void ChaCha20Poly1305_Mode::key_schedule(const uint8_t key[], size_t length)
42
58
   {
43
58
   m_chacha->set_key(key, length);
44
58
   }
45
46
void ChaCha20Poly1305_Mode::set_associated_data(const uint8_t ad[], size_t length)
47
55
   {
48
55
   if(m_ctext_len > 0 || m_nonce_len > 0)
49
0
      throw Invalid_State("Cannot set AD for ChaCha20Poly1305 while processing a message");
50
55
   m_ad.assign(ad, ad + length);
51
55
   }
52
53
void ChaCha20Poly1305_Mode::update_len(size_t len)
54
110
   {
55
110
   uint8_t len8[8] = { 0 };
56
110
   store_le(static_cast<uint64_t>(len), len8);
57
110
   m_poly1305->update(len8, 8);
58
110
   }
59
60
void ChaCha20Poly1305_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
61
55
   {
62
55
   if(!valid_nonce_length(nonce_len))
63
0
      throw Invalid_IV_Length(name(), nonce_len);
64
65
55
   m_ctext_len = 0;
66
55
   m_nonce_len = nonce_len;
67
68
55
   m_chacha->set_iv(nonce, nonce_len);
69
70
55
   uint8_t first_block[64];
71
55
   m_chacha->write_keystream(first_block, sizeof(first_block));
72
73
55
   m_poly1305->set_key(first_block, 32);
74
   // Remainder of first block is discarded
75
55
   secure_scrub_memory(first_block, sizeof(first_block));
76
77
55
   m_poly1305->update(m_ad);
78
79
55
   if(cfrg_version())
80
55
      {
81
55
      if(m_ad.size() % 16)
82
55
         {
83
55
         const uint8_t zeros[16] = { 0 };
84
55
         m_poly1305->update(zeros, 16 - m_ad.size() % 16);
85
55
         }
86
55
      }
87
0
   else
88
0
      {
89
0
      update_len(m_ad.size());
90
0
      }
91
55
   }
92
93
size_t ChaCha20Poly1305_Encryption::process(uint8_t buf[], size_t sz)
94
22
   {
95
22
   m_chacha->cipher1(buf, sz);
96
22
   m_poly1305->update(buf, sz); // poly1305 of ciphertext
97
22
   m_ctext_len += sz;
98
22
   return sz;
99
22
   }
100
101
void ChaCha20Poly1305_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
102
22
   {
103
22
   update(buffer, offset);
104
22
   if(cfrg_version())
105
22
      {
106
22
      if(m_ctext_len % 16)
107
10
         {
108
10
         const uint8_t zeros[16] = { 0 };
109
10
         m_poly1305->update(zeros, 16 - m_ctext_len % 16);
110
10
         }
111
22
      update_len(m_ad.size());
112
22
      }
113
22
   update_len(m_ctext_len);
114
115
22
   buffer.resize(buffer.size() + tag_size());
116
22
   m_poly1305->final(&buffer[buffer.size() - tag_size()]);
117
22
   m_ctext_len = 0;
118
22
   m_nonce_len = 0;
119
22
   }
120
121
size_t ChaCha20Poly1305_Decryption::process(uint8_t buf[], size_t sz)
122
0
   {
123
0
   m_poly1305->update(buf, sz); // poly1305 of ciphertext
124
0
   m_chacha->cipher1(buf, sz);
125
0
   m_ctext_len += sz;
126
0
   return sz;
127
0
   }
128
129
void ChaCha20Poly1305_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
130
33
   {
131
33
   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
132
33
   const size_t sz = buffer.size() - offset;
133
33
   uint8_t* buf = buffer.data() + offset;
134
135
33
   BOTAN_ASSERT(sz >= tag_size(), "Have the tag as part of final input");
136
137
33
   const size_t remaining = sz - tag_size();
138
139
33
   if(remaining)
140
32
      {
141
32
      m_poly1305->update(buf, remaining); // poly1305 of ciphertext
142
32
      m_chacha->cipher1(buf, remaining);
143
32
      m_ctext_len += remaining;
144
32
      }
145
146
33
   if(cfrg_version())
147
33
      {
148
33
      if(m_ctext_len % 16)
149
28
         {
150
28
         const uint8_t zeros[16] = { 0 };
151
28
         m_poly1305->update(zeros, 16 - m_ctext_len % 16);
152
28
         }
153
33
      update_len(m_ad.size());
154
33
      }
155
156
33
   update_len(m_ctext_len);
157
158
33
   uint8_t mac[16];
159
33
   m_poly1305->final(mac);
160
161
33
   const uint8_t* included_tag = &buf[remaining];
162
163
33
   m_ctext_len = 0;
164
33
   m_nonce_len = 0;
165
166
33
   if(!constant_time_compare(mac, included_tag, tag_size()))
167
33
      throw Invalid_Authentication_Tag("ChaCha20Poly1305 tag check failed");
168
0
   buffer.resize(offset + remaining);
169
0
   }
170
171
}