/src/openssl/crypto/evp/e_chacha20_poly1305.c

Source
/*
 * Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include "internal/endian.h"

#ifndef OPENSSL_NO_CHACHA

#include <openssl/evp.h>
#include <openssl/objects.h>
#include "crypto/evp.h"
#include "evp_local.h"
#include "crypto/chacha.h"

typedef struct {
    union {
        OSSL_UNION_ALIGN; /* this ensures even sizeof(EVP_CHACHA_KEY)%8==0 */
        unsigned int d[CHACHA_KEY_SIZE / 4];
    } key;
    unsigned int counter[CHACHA_CTR_SIZE / 4];
    unsigned char buf[CHACHA_BLK_SIZE];
    unsigned int partial_len;
} EVP_CHACHA_KEY;

#define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data)

#define CHACHA20_POLY1305_MAX_IVLEN 12

static int chacha_init_key(EVP_CIPHER_CTX *ctx,
    const unsigned char user_key[CHACHA_KEY_SIZE],
    const unsigned char iv[CHACHA_CTR_SIZE], int enc)
{
    EVP_CHACHA_KEY *key = data(ctx);
    unsigned int i;

    if (user_key)
        for (i = 0; i < CHACHA_KEY_SIZE; i += 4) {
            key->key.d[i / 4] = CHACHA_U8TOU32(user_key + i);
        }

    if (iv)
        for (i = 0; i < CHACHA_CTR_SIZE; i += 4) {
            key->counter[i / 4] = CHACHA_U8TOU32(iv + i);
        }

    key->partial_len = 0;

    return 1;
}

static int chacha_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    const unsigned char *inp, size_t len)
{
    EVP_CHACHA_KEY *key = data(ctx);
    unsigned int n, rem, ctr32;

    if ((n = key->partial_len)) {
        while (len && n < CHACHA_BLK_SIZE) {
            *out++ = *inp++ ^ key->buf[n++];
            len--;
        }
        key->partial_len = n;

        if (len == 0)
            return 1;

        if (n == CHACHA_BLK_SIZE) {
            key->partial_len = 0;
            key->counter[0]++;
            if (key->counter[0] == 0)
                key->counter[1]++;
        }
    }

    rem = (unsigned int)(len % CHACHA_BLK_SIZE);
    len -= rem;
    ctr32 = key->counter[0];
    while (len >= CHACHA_BLK_SIZE) {
        size_t blocks = len / CHACHA_BLK_SIZE;
        /*
         * 1<<28 is just a not-so-small yet not-so-large number...
         * Below condition is practically never met, but it has to
         * be checked for code correctness.
         */
        if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28))
            blocks = (1U << 28);

        /*
         * As ChaCha20_ctr32 operates on 32-bit counter, caller
         * has to handle overflow. 'if' below detects the
         * overflow, which is then handled by limiting the
         * amount of blocks to the exact overflow point...
         */
        ctr32 += (unsigned int)blocks;
        if (ctr32 < blocks) {
            blocks -= ctr32;
            ctr32 = 0;
        }
        blocks *= CHACHA_BLK_SIZE;
        ChaCha20_ctr32(out, inp, blocks, key->key.d, key->counter);
        len -= blocks;
        inp += blocks;
        out += blocks;

        key->counter[0] = ctr32;
        if (ctr32 == 0)
            key->counter[1]++;
    }

    if (rem) {
        memset(key->buf, 0, sizeof(key->buf));
        ChaCha20_ctr32(key->buf, key->buf, CHACHA_BLK_SIZE,
            key->key.d, key->counter);
        for (n = 0; n < rem; n++)
            out[n] = inp[n] ^ key->buf[n];
        key->partial_len = rem;
    }

    return 1;
}

static const EVP_CIPHER chacha20 = {
    NID_chacha20,
    1, /* block_size */
    CHACHA_KEY_SIZE, /* key_len */
    CHACHA_CTR_SIZE, /* iv_len, 128-bit counter in the context */
    EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT,
    EVP_ORIG_GLOBAL,
    chacha_init_key,
    chacha_cipher,
    NULL,
    sizeof(EVP_CHACHA_KEY),
    NULL,
    NULL,
    NULL,
    NULL
};

const EVP_CIPHER *EVP_chacha20(void)
{
    return &chacha20;
}

#ifndef OPENSSL_NO_POLY1305
#include "crypto/poly1305.h"

typedef struct {
    EVP_CHACHA_KEY key;
    unsigned int nonce[12 / 4];
    unsigned char tag[POLY1305_BLOCK_SIZE];
    unsigned char tls_aad[POLY1305_BLOCK_SIZE];
    struct {
        uint64_t aad, text;
    } len;
    int aad, mac_inited, tag_len, nonce_len;
    size_t tls_payload_length;
} EVP_CHACHA_AEAD_CTX;

#define NO_TLS_PAYLOAD_LENGTH ((size_t)-1)
#define aead_data(ctx) ((EVP_CHACHA_AEAD_CTX *)(ctx)->cipher_data)
#define POLY1305_ctx(actx) ((POLY1305 *)(actx + 1))

static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
    const unsigned char *inkey,
    const unsigned char *iv, int enc)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);

    if (!inkey && !iv)
        return 1;

    actx->len.aad = 0;
    actx->len.text = 0;
    actx->aad = 0;
    actx->mac_inited = 0;
    actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;

    if (iv != NULL) {
        unsigned char temp[CHACHA_CTR_SIZE] = { 0 };

        /* pad on the left */
        if (actx->nonce_len <= CHACHA_CTR_SIZE)
            memcpy(temp + CHACHA_CTR_SIZE - actx->nonce_len, iv,
                actx->nonce_len);

        chacha_init_key(ctx, inkey, temp, enc);

        actx->nonce[0] = actx->key.counter[1];
        actx->nonce[1] = actx->key.counter[2];
        actx->nonce[2] = actx->key.counter[3];
    } else {
        chacha_init_key(ctx, inkey, NULL, enc);
    }

    return 1;
}

#if !defined(OPENSSL_SMALL_FOOTPRINT)

#if defined(POLY1305_ASM) && (defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64))
#define XOR128_HELPERS
void *xor128_encrypt_n_pad(void *out, const void *inp, void *otp, size_t len);
void *xor128_decrypt_n_pad(void *out, const void *inp, void *otp, size_t len);
static const unsigned char zero[4 * CHACHA_BLK_SIZE] = { 0 };
#else
static const unsigned char zero[2 * CHACHA_BLK_SIZE] = { 0 };
#endif

static int chacha20_poly1305_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    const unsigned char *in, size_t len)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
    size_t tail, tohash_len, buf_len, plen = actx->tls_payload_length;
    unsigned char *buf, *tohash, *ctr, storage[sizeof(zero) + 32];

    if (len != plen + POLY1305_BLOCK_SIZE)
        return -1;

    buf = storage + ((0 - (size_t)storage) & 15); /* align */
    ctr = buf + CHACHA_BLK_SIZE;
    tohash = buf + CHACHA_BLK_SIZE - POLY1305_BLOCK_SIZE;

#ifdef XOR128_HELPERS
    if (plen <= 3 * CHACHA_BLK_SIZE) {
        actx->key.counter[0] = 0;
        buf_len = (plen + 2 * CHACHA_BLK_SIZE - 1) & (0 - CHACHA_BLK_SIZE);
        ChaCha20_ctr32(buf, zero, buf_len, actx->key.key.d,
            actx->key.counter);
        Poly1305_Init(POLY1305_ctx(actx), buf);
        actx->key.partial_len = 0;
        memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);
        tohash_len = POLY1305_BLOCK_SIZE;
        actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
        actx->len.text = plen;

        if (plen) {
            if (EVP_CIPHER_CTX_is_encrypting(ctx))
                ctr = xor128_encrypt_n_pad(out, in, ctr, plen);
            else
                ctr = xor128_decrypt_n_pad(out, in, ctr, plen);

            in += plen;
            out += plen;
            tohash_len = (size_t)(ctr - tohash);
        }
    }
#else
    if (plen <= CHACHA_BLK_SIZE) {
        size_t i;

        actx->key.counter[0] = 0;
        ChaCha20_ctr32(buf, zero, (buf_len = 2 * CHACHA_BLK_SIZE),
            actx->key.key.d, actx->key.counter);
        Poly1305_Init(POLY1305_ctx(actx), buf);
        actx->key.partial_len = 0;
        memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);
        tohash_len = POLY1305_BLOCK_SIZE;
        actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
        actx->len.text = plen;

        if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
            for (i = 0; i < plen; i++) {
                out[i] = ctr[i] ^= in[i];
            }
        } else {
            for (i = 0; i < plen; i++) {
                unsigned char c = in[i];
                out[i] = ctr[i] ^ c;
                ctr[i] = c;
            }
        }

        in += i;
        out += i;

        tail = (0 - i) & (POLY1305_BLOCK_SIZE - 1);
        memset(ctr + i, 0, tail);
        ctr += i + tail;
        tohash_len += i + tail;
    }
#endif
    else {
        actx->key.counter[0] = 0;
        ChaCha20_ctr32(buf, zero, (buf_len = CHACHA_BLK_SIZE),
            actx->key.key.d, actx->key.counter);
        Poly1305_Init(POLY1305_ctx(actx), buf);
        actx->key.counter[0] = 1;
        actx->key.partial_len = 0;
        Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad, POLY1305_BLOCK_SIZE);
        tohash = ctr;
        tohash_len = 0;
        actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
        actx->len.text = plen;

        if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
            ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);
            Poly1305_Update(POLY1305_ctx(actx), out, plen);
        } else {
            Poly1305_Update(POLY1305_ctx(actx), in, plen);
            ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);
        }

        in += plen;
        out += plen;
        tail = (0 - plen) & (POLY1305_BLOCK_SIZE - 1);
        Poly1305_Update(POLY1305_ctx(actx), zero, tail);
    }

    {
        DECLARE_IS_ENDIAN;

        if (IS_LITTLE_ENDIAN) {
            memcpy(ctr, (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
        } else {
            ctr[0] = (unsigned char)(actx->len.aad);
            ctr[1] = (unsigned char)(actx->len.aad >> 8);
            ctr[2] = (unsigned char)(actx->len.aad >> 16);
            ctr[3] = (unsigned char)(actx->len.aad >> 24);
            ctr[4] = (unsigned char)(actx->len.aad >> 32);
            ctr[5] = (unsigned char)(actx->len.aad >> 40);
            ctr[6] = (unsigned char)(actx->len.aad >> 48);
            ctr[7] = (unsigned char)(actx->len.aad >> 56);

            ctr[8] = (unsigned char)(actx->len.text);
            ctr[9] = (unsigned char)(actx->len.text >> 8);
            ctr[10] = (unsigned char)(actx->len.text >> 16);
            ctr[11] = (unsigned char)(actx->len.text >> 24);
            ctr[12] = (unsigned char)(actx->len.text >> 32);
            ctr[13] = (unsigned char)(actx->len.text >> 40);
            ctr[14] = (unsigned char)(actx->len.text >> 48);
            ctr[15] = (unsigned char)(actx->len.text >> 56);
        }
        tohash_len += POLY1305_BLOCK_SIZE;
    }

    Poly1305_Update(POLY1305_ctx(actx), tohash, tohash_len);
    OPENSSL_cleanse(buf, buf_len);
    Poly1305_Final(POLY1305_ctx(actx),
        EVP_CIPHER_CTX_is_encrypting(ctx) ? actx->tag : tohash);

    actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;

    if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
        memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
    } else {
        if (CRYPTO_memcmp(tohash, in, POLY1305_BLOCK_SIZE)) {
            memset(out - (len - POLY1305_BLOCK_SIZE), 0,
                len - POLY1305_BLOCK_SIZE);
            return -1;
        }
    }

    return (int)len;
}
#else
static const unsigned char zero[CHACHA_BLK_SIZE] = { 0 };
#endif

static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    const unsigned char *in, size_t len)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
    size_t rem, plen = actx->tls_payload_length;

    if (!actx->mac_inited) {
#if !defined(OPENSSL_SMALL_FOOTPRINT)
        if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL)
            return chacha20_poly1305_tls_cipher(ctx, out, in, len);
#endif
        actx->key.counter[0] = 0;
        ChaCha20_ctr32(actx->key.buf, zero, CHACHA_BLK_SIZE,
            actx->key.key.d, actx->key.counter);
        Poly1305_Init(POLY1305_ctx(actx), actx->key.buf);
        actx->key.counter[0] = 1;
        actx->key.partial_len = 0;
        actx->len.aad = actx->len.text = 0;
        actx->mac_inited = 1;
        if (plen != NO_TLS_PAYLOAD_LENGTH) {
            Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad,
                EVP_AEAD_TLS1_AAD_LEN);
            actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
            actx->aad = 1;
        }
    }

    if (in) { /* aad or text */
        if (out == NULL) { /* aad */
            Poly1305_Update(POLY1305_ctx(actx), in, len);
            actx->len.aad += len;
            actx->aad = 1;
            return (int)len;
        } else { /* plain- or ciphertext */
            if (actx->aad) { /* wrap up aad */
                if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
                    Poly1305_Update(POLY1305_ctx(actx), zero,
                        POLY1305_BLOCK_SIZE - rem);
                actx->aad = 0;
            }

            actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
            if (plen == NO_TLS_PAYLOAD_LENGTH)
                plen = len;
            else if (len != plen + POLY1305_BLOCK_SIZE)
                return -1;

            if (EVP_CIPHER_CTX_is_encrypting(ctx)) { /* plaintext */
                chacha_cipher(ctx, out, in, plen);
                Poly1305_Update(POLY1305_ctx(actx), out, plen);
                in += plen;
                out += plen;
                actx->len.text += plen;
            } else { /* ciphertext */
                Poly1305_Update(POLY1305_ctx(actx), in, plen);
                chacha_cipher(ctx, out, in, plen);
                in += plen;
                out += plen;
                actx->len.text += plen;
            }
        }
    }
    if (in == NULL /* explicit final */
        || plen != len) { /* or tls mode */
        DECLARE_IS_ENDIAN;
        unsigned char temp[POLY1305_BLOCK_SIZE];

        if (actx->aad) { /* wrap up aad */
            if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
                Poly1305_Update(POLY1305_ctx(actx), zero,
                    POLY1305_BLOCK_SIZE - rem);
            actx->aad = 0;
        }

        if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
            Poly1305_Update(POLY1305_ctx(actx), zero,
                POLY1305_BLOCK_SIZE - rem);

        if (IS_LITTLE_ENDIAN) {
            Poly1305_Update(POLY1305_ctx(actx),
                (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
        } else {
            temp[0] = (unsigned char)(actx->len.aad);
            temp[1] = (unsigned char)(actx->len.aad >> 8);
            temp[2] = (unsigned char)(actx->len.aad >> 16);
            temp[3] = (unsigned char)(actx->len.aad >> 24);
            temp[4] = (unsigned char)(actx->len.aad >> 32);
            temp[5] = (unsigned char)(actx->len.aad >> 40);
            temp[6] = (unsigned char)(actx->len.aad >> 48);
            temp[7] = (unsigned char)(actx->len.aad >> 56);

            temp[8] = (unsigned char)(actx->len.text);
            temp[9] = (unsigned char)(actx->len.text >> 8);
            temp[10] = (unsigned char)(actx->len.text >> 16);
            temp[11] = (unsigned char)(actx->len.text >> 24);
            temp[12] = (unsigned char)(actx->len.text >> 32);
            temp[13] = (unsigned char)(actx->len.text >> 40);
            temp[14] = (unsigned char)(actx->len.text >> 48);
            temp[15] = (unsigned char)(actx->len.text >> 56);

            Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
        }
        Poly1305_Final(POLY1305_ctx(actx),
            EVP_CIPHER_CTX_is_encrypting(ctx) ? actx->tag : temp);
        actx->mac_inited = 0;

        if (in != NULL && len != plen) { /* tls mode */
            if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
                memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
            } else {
                if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
                    memset(out - plen, 0, plen);
                    return -1;
                }
            }
        } else if (!EVP_CIPHER_CTX_is_encrypting(ctx)) {
            if (CRYPTO_memcmp(temp, actx->tag, actx->tag_len))
                return -1;
        }
    }
    return (int)len;
}

static int chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
    if (actx)
        OPENSSL_cleanse(ctx->cipher_data, sizeof(*actx) + Poly1305_ctx_size());
    return 1;
}

static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
    void *ptr)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);

    switch (type) {
    case EVP_CTRL_INIT:
        if (actx == NULL)
            actx = ctx->cipher_data
                = OPENSSL_zalloc(sizeof(*actx) + Poly1305_ctx_size());
        if (actx == NULL) {
            ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
            return 0;
        }
        actx->len.aad = 0;
        actx->len.text = 0;
        actx->aad = 0;
        actx->mac_inited = 0;
        actx->tag_len = 0;
        actx->nonce_len = 12;
        actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
        memset(actx->tls_aad, 0, POLY1305_BLOCK_SIZE);
        return 1;

    case EVP_CTRL_COPY:
        if (actx) {
            EVP_CIPHER_CTX *dst = (EVP_CIPHER_CTX *)ptr;

            dst->cipher_data = OPENSSL_memdup(actx, sizeof(*actx) + Poly1305_ctx_size());
            if (dst->cipher_data == NULL) {
                ERR_raise(ERR_LIB_EVP, EVP_R_COPY_ERROR);
                return 0;
            }
        }
        return 1;

    case EVP_CTRL_GET_IVLEN:
        *(int *)ptr = actx->nonce_len;
        return 1;

    case EVP_CTRL_AEAD_SET_IVLEN:
        if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
            return 0;
        actx->nonce_len = arg;
        return 1;

    case EVP_CTRL_AEAD_SET_IV_FIXED:
        if (arg != 12)
            return 0;
        actx->nonce[0] = actx->key.counter[1]
            = CHACHA_U8TOU32((unsigned char *)ptr);
        actx->nonce[1] = actx->key.counter[2]
            = CHACHA_U8TOU32((unsigned char *)ptr + 4);
        actx->nonce[2] = actx->key.counter[3]
            = CHACHA_U8TOU32((unsigned char *)ptr + 8);
        return 1;

    case EVP_CTRL_AEAD_SET_TAG:
        if (arg <= 0 || arg > POLY1305_BLOCK_SIZE)
            return 0;
        if (ptr != NULL) {
            memcpy(actx->tag, ptr, arg);
            actx->tag_len = arg;
        }
        return 1;

    case EVP_CTRL_AEAD_GET_TAG:
        if (arg <= 0 || arg > POLY1305_BLOCK_SIZE || !EVP_CIPHER_CTX_is_encrypting(ctx))
            return 0;
        memcpy(ptr, actx->tag, arg);
        return 1;

    case EVP_CTRL_AEAD_TLS1_AAD:
        if (arg != EVP_AEAD_TLS1_AAD_LEN)
            return 0;
        {
            unsigned int len;
            unsigned char *aad = ptr;

            memcpy(actx->tls_aad, ptr, EVP_AEAD_TLS1_AAD_LEN);
            len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 | aad[EVP_AEAD_TLS1_AAD_LEN - 1];
            aad = actx->tls_aad;
            if (!EVP_CIPHER_CTX_is_encrypting(ctx)) {
                if (len < POLY1305_BLOCK_SIZE)
                    return 0;
                len -= POLY1305_BLOCK_SIZE; /* discount attached tag */
                aad[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8);
                aad[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len;
            }
            actx->tls_payload_length = len;

            /*
             * merge record sequence number as per RFC7905
             */
            actx->key.counter[1] = actx->nonce[0];
            actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);
            actx->key.counter[3] = actx->nonce[2] ^ CHACHA_U8TOU32(aad + 4);
            actx->mac_inited = 0;

            return POLY1305_BLOCK_SIZE; /* tag length */
        }

    case EVP_CTRL_AEAD_SET_MAC_KEY:
        /* no-op */
        return 1;

    default:
        return -1;
    }
}

static const EVP_CIPHER chacha20_poly1305 = {
    NID_chacha20_poly1305,
    1, /* block_size */
    CHACHA_KEY_SIZE, /* key_len */
    12, /* iv_len, 96-bit nonce in the context */
    EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_CUSTOM_IV_LENGTH,
    EVP_ORIG_GLOBAL,
    chacha20_poly1305_init_key,
    chacha20_poly1305_cipher,
    chacha20_poly1305_cleanup,
    0, /* 0 moves context-specific structure allocation to ctrl */
    NULL, /* set_asn1_parameters */
    NULL, /* get_asn1_parameters */
    chacha20_poly1305_ctrl,
    NULL /* app_data */
};

const EVP_CIPHER *EVP_chacha20_poly1305(void)
{
    return (&chacha20_poly1305);
}
#endif
#endif

Coverage Report

Created: 2025-12-10 06:24

Line	Count	Source
1		/*
2		* Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <stdio.h>
11		#include "internal/cryptlib.h"
12		#include "internal/endian.h"
13
14		#ifndef OPENSSL_NO_CHACHA
15
16		#include <openssl/evp.h>
17		#include <openssl/objects.h>
18		#include "crypto/evp.h"
19		#include "evp_local.h"
20		#include "crypto/chacha.h"
21
22		typedef struct {
23		union {
24		OSSL_UNION_ALIGN; /* this ensures even sizeof(EVP_CHACHA_KEY)%8==0 */
25		unsigned int d[CHACHA_KEY_SIZE / 4];
26		} key;
27		unsigned int counter[CHACHA_CTR_SIZE / 4];
28		unsigned char buf[CHACHA_BLK_SIZE];
29		unsigned int partial_len;
30		} EVP_CHACHA_KEY;
31
32	0	#define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
33
34	0	#define CHACHA20_POLY1305_MAX_IVLEN 12
35
36		static int chacha_init_key(EVP_CIPHER_CTX *ctx,
37		const unsigned char user_key[CHACHA_KEY_SIZE],
38		const unsigned char iv[CHACHA_CTR_SIZE], int enc)
39	0	{
40	0	EVP_CHACHA_KEY *key = data(ctx);
41	0	unsigned int i;
42
43	0	if (user_key)
44	0	for (i = 0; i < CHACHA_KEY_SIZE; i += 4) {
45	0	key->key.d[i / 4] = CHACHA_U8TOU32(user_key + i);
46	0	}
47
48	0	if (iv)
49	0	for (i = 0; i < CHACHA_CTR_SIZE; i += 4) {
50	0	key->counter[i / 4] = CHACHA_U8TOU32(iv + i);
51	0	}
52
53	0	key->partial_len = 0;
54
55	0	return 1;
56	0	}
57
58		static int chacha_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
59		const unsigned char *inp, size_t len)
60	0	{
61	0	EVP_CHACHA_KEY *key = data(ctx);
62	0	unsigned int n, rem, ctr32;
63
64	0	if ((n = key->partial_len)) {
65	0	while (len && n < CHACHA_BLK_SIZE) {
66	0	out++ = inp++ ^ key->buf[n++];
67	0	len--;
68	0	}
69	0	key->partial_len = n;
70
71	0	if (len == 0)
72	0	return 1;
73
74	0	if (n == CHACHA_BLK_SIZE) {
75	0	key->partial_len = 0;
76	0	key->counter[0]++;
77	0	if (key->counter[0] == 0)
78	0	key->counter[1]++;
79	0	}
80	0	}
81
82	0	rem = (unsigned int)(len % CHACHA_BLK_SIZE);
83	0	len -= rem;
84	0	ctr32 = key->counter[0];
85	0	while (len >= CHACHA_BLK_SIZE) {
86	0	size_t blocks = len / CHACHA_BLK_SIZE;
87		/*
88		* 1<<28 is just a not-so-small yet not-so-large number...
89		* Below condition is practically never met, but it has to
90		* be checked for code correctness.
91		*/
92	0	if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28))
93	0	blocks = (1U << 28);
94
95		/*
96		* As ChaCha20_ctr32 operates on 32-bit counter, caller
97		* has to handle overflow. 'if' below detects the
98		* overflow, which is then handled by limiting the
99		* amount of blocks to the exact overflow point...
100		*/
101	0	ctr32 += (unsigned int)blocks;
102	0	if (ctr32 < blocks) {
103	0	blocks -= ctr32;
104	0	ctr32 = 0;
105	0	}
106	0	blocks *= CHACHA_BLK_SIZE;
107	0	ChaCha20_ctr32(out, inp, blocks, key->key.d, key->counter);
108	0	len -= blocks;
109	0	inp += blocks;
110	0	out += blocks;
111
112	0	key->counter[0] = ctr32;
113	0	if (ctr32 == 0)
114	0	key->counter[1]++;
115	0	}
116
117	0	if (rem) {
118	0	memset(key->buf, 0, sizeof(key->buf));
119	0	ChaCha20_ctr32(key->buf, key->buf, CHACHA_BLK_SIZE,
120	0	key->key.d, key->counter);
121	0	for (n = 0; n < rem; n++)
122	0	out[n] = inp[n] ^ key->buf[n];
123	0	key->partial_len = rem;
124	0	}
125
126	0	return 1;
127	0	}
128
129		static const EVP_CIPHER chacha20 = {
130		NID_chacha20,
131		1, /* block_size */
132		CHACHA_KEY_SIZE, /* key_len */
133		CHACHA_CTR_SIZE, /* iv_len, 128-bit counter in the context */
134		EVP_CIPH_CUSTOM_IV \| EVP_CIPH_ALWAYS_CALL_INIT,
135		EVP_ORIG_GLOBAL,
136		chacha_init_key,
137		chacha_cipher,
138		NULL,
139		sizeof(EVP_CHACHA_KEY),
140		NULL,
141		NULL,
142		NULL,
143		NULL
144		};
145
146		const EVP_CIPHER *EVP_chacha20(void)
147	3	{
148	3	return &chacha20;
149	3	}
150
151		#ifndef OPENSSL_NO_POLY1305
152		#include "crypto/poly1305.h"
153
154		typedef struct {
155		EVP_CHACHA_KEY key;
156		unsigned int nonce[12 / 4];
157		unsigned char tag[POLY1305_BLOCK_SIZE];
158		unsigned char tls_aad[POLY1305_BLOCK_SIZE];
159		struct {
160		uint64_t aad, text;
161		} len;
162		int aad, mac_inited, tag_len, nonce_len;
163		size_t tls_payload_length;
164		} EVP_CHACHA_AEAD_CTX;
165
166	0	#define NO_TLS_PAYLOAD_LENGTH ((size_t)-1)
167	0	#define aead_data(ctx) ((EVP_CHACHA_AEAD_CTX *)(ctx)->cipher_data)
168	0	#define POLY1305_ctx(actx) ((POLY1305 *)(actx + 1))
169
170		static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
171		const unsigned char *inkey,
172		const unsigned char *iv, int enc)
173	0	{
174	0	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
175
176	0	if (!inkey && !iv)
177	0	return 1;
178
179	0	actx->len.aad = 0;
180	0	actx->len.text = 0;
181	0	actx->aad = 0;
182	0	actx->mac_inited = 0;
183	0	actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
184
185	0	if (iv != NULL) {
186	0	unsigned char temp[CHACHA_CTR_SIZE] = { 0 };
187
188		/* pad on the left */
189	0	if (actx->nonce_len <= CHACHA_CTR_SIZE)
190	0	memcpy(temp + CHACHA_CTR_SIZE - actx->nonce_len, iv,
191	0	actx->nonce_len);
192
193	0	chacha_init_key(ctx, inkey, temp, enc);
194
195	0	actx->nonce[0] = actx->key.counter[1];
196	0	actx->nonce[1] = actx->key.counter[2];
197	0	actx->nonce[2] = actx->key.counter[3];
198	0	} else {
199	0	chacha_init_key(ctx, inkey, NULL, enc);
200	0	}
201
202	0	return 1;
203	0	}
204
205		#if !defined(OPENSSL_SMALL_FOOTPRINT)
206
207		#if defined(POLY1305_ASM) && (defined(__x86_64) \|\| defined(__x86_64__) \|\| defined(_M_AMD64) \|\| defined(_M_X64))
208		#define XOR128_HELPERS
209		void xor128_encrypt_n_pad(void out, const void inp, void otp, size_t len);
210		void xor128_decrypt_n_pad(void out, const void inp, void otp, size_t len);
211		static const unsigned char zero[4 * CHACHA_BLK_SIZE] = { 0 };
212		#else
213		static const unsigned char zero[2 * CHACHA_BLK_SIZE] = { 0 };
214		#endif
215
216		static int chacha20_poly1305_tls_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
217		const unsigned char *in, size_t len)
218	0	{
219	0	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
220	0	size_t tail, tohash_len, buf_len, plen = actx->tls_payload_length;
221	0	unsigned char buf, tohash, *ctr, storage[sizeof(zero) + 32];
222
223	0	if (len != plen + POLY1305_BLOCK_SIZE)
224	0	return -1;
225
226	0	buf = storage + ((0 - (size_t)storage) & 15); /* align */
227	0	ctr = buf + CHACHA_BLK_SIZE;
228	0	tohash = buf + CHACHA_BLK_SIZE - POLY1305_BLOCK_SIZE;
229
230		#ifdef XOR128_HELPERS
231		if (plen <= 3 * CHACHA_BLK_SIZE) {
232		actx->key.counter[0] = 0;
233		buf_len = (plen + 2 * CHACHA_BLK_SIZE - 1) & (0 - CHACHA_BLK_SIZE);
234		ChaCha20_ctr32(buf, zero, buf_len, actx->key.key.d,
235		actx->key.counter);
236		Poly1305_Init(POLY1305_ctx(actx), buf);
237		actx->key.partial_len = 0;
238		memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);
239		tohash_len = POLY1305_BLOCK_SIZE;
240		actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
241		actx->len.text = plen;
242
243		if (plen) {
244		if (EVP_CIPHER_CTX_is_encrypting(ctx))
245		ctr = xor128_encrypt_n_pad(out, in, ctr, plen);
246		else
247		ctr = xor128_decrypt_n_pad(out, in, ctr, plen);
248
249		in += plen;
250		out += plen;
251		tohash_len = (size_t)(ctr - tohash);
252		}
253		}
254		#else
255	0	if (plen <= CHACHA_BLK_SIZE) {
256	0	size_t i;
257
258	0	actx->key.counter[0] = 0;
259	0	ChaCha20_ctr32(buf, zero, (buf_len = 2 * CHACHA_BLK_SIZE),
260	0	actx->key.key.d, actx->key.counter);
261	0	Poly1305_Init(POLY1305_ctx(actx), buf);
262	0	actx->key.partial_len = 0;
263	0	memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);
264	0	tohash_len = POLY1305_BLOCK_SIZE;
265	0	actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
266	0	actx->len.text = plen;
267
268	0	if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
269	0	for (i = 0; i < plen; i++) {
270	0	out[i] = ctr[i] ^= in[i];
271	0	}
272	0	} else {
273	0	for (i = 0; i < plen; i++) {
274	0	unsigned char c = in[i];
275	0	out[i] = ctr[i] ^ c;
276	0	ctr[i] = c;
277	0	}
278	0	}
279
280	0	in += i;
281	0	out += i;
282
283	0	tail = (0 - i) & (POLY1305_BLOCK_SIZE - 1);
284	0	memset(ctr + i, 0, tail);
285	0	ctr += i + tail;
286	0	tohash_len += i + tail;
287	0	}
288	0	#endif
289	0	else {
290	0	actx->key.counter[0] = 0;
291	0	ChaCha20_ctr32(buf, zero, (buf_len = CHACHA_BLK_SIZE),
292	0	actx->key.key.d, actx->key.counter);
293	0	Poly1305_Init(POLY1305_ctx(actx), buf);
294	0	actx->key.counter[0] = 1;
295	0	actx->key.partial_len = 0;
296	0	Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad, POLY1305_BLOCK_SIZE);
297	0	tohash = ctr;
298	0	tohash_len = 0;
299	0	actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
300	0	actx->len.text = plen;
301
302	0	if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
303	0	ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);
304	0	Poly1305_Update(POLY1305_ctx(actx), out, plen);
305	0	} else {
306	0	Poly1305_Update(POLY1305_ctx(actx), in, plen);
307	0	ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);
308	0	}
309
310	0	in += plen;
311	0	out += plen;
312	0	tail = (0 - plen) & (POLY1305_BLOCK_SIZE - 1);
313	0	Poly1305_Update(POLY1305_ctx(actx), zero, tail);
314	0	}
315
316	0	{
317	0	DECLARE_IS_ENDIAN;
318
319	0	if (IS_LITTLE_ENDIAN) {
320	0	memcpy(ctr, (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
321	0	} else {
322	0	ctr[0] = (unsigned char)(actx->len.aad);
323	0	ctr[1] = (unsigned char)(actx->len.aad >> 8);
324	0	ctr[2] = (unsigned char)(actx->len.aad >> 16);
325	0	ctr[3] = (unsigned char)(actx->len.aad >> 24);
326	0	ctr[4] = (unsigned char)(actx->len.aad >> 32);
327	0	ctr[5] = (unsigned char)(actx->len.aad >> 40);
328	0	ctr[6] = (unsigned char)(actx->len.aad >> 48);
329	0	ctr[7] = (unsigned char)(actx->len.aad >> 56);
330
331	0	ctr[8] = (unsigned char)(actx->len.text);
332	0	ctr[9] = (unsigned char)(actx->len.text >> 8);
333	0	ctr[10] = (unsigned char)(actx->len.text >> 16);
334	0	ctr[11] = (unsigned char)(actx->len.text >> 24);
335	0	ctr[12] = (unsigned char)(actx->len.text >> 32);
336	0	ctr[13] = (unsigned char)(actx->len.text >> 40);
337	0	ctr[14] = (unsigned char)(actx->len.text >> 48);
338	0	ctr[15] = (unsigned char)(actx->len.text >> 56);
339	0	}
340	0	tohash_len += POLY1305_BLOCK_SIZE;
341	0	}
342
343	0	Poly1305_Update(POLY1305_ctx(actx), tohash, tohash_len);
344	0	OPENSSL_cleanse(buf, buf_len);
345	0	Poly1305_Final(POLY1305_ctx(actx),
346	0	EVP_CIPHER_CTX_is_encrypting(ctx) ? actx->tag : tohash);
347
348	0	actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
349
350	0	if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
351	0	memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
352	0	} else {
353	0	if (CRYPTO_memcmp(tohash, in, POLY1305_BLOCK_SIZE)) {
354	0	memset(out - (len - POLY1305_BLOCK_SIZE), 0,
355	0	len - POLY1305_BLOCK_SIZE);
356	0	return -1;
357	0	}
358	0	}
359
360	0	return (int)len;
361	0	}
362		#else
363		static const unsigned char zero[CHACHA_BLK_SIZE] = { 0 };
364		#endif
365
366		static int chacha20_poly1305_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
367		const unsigned char *in, size_t len)
368	0	{
369	0	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
370	0	size_t rem, plen = actx->tls_payload_length;
371
372	0	if (!actx->mac_inited) {
373	0	#if !defined(OPENSSL_SMALL_FOOTPRINT)
374	0	if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL)
375	0	return chacha20_poly1305_tls_cipher(ctx, out, in, len);
376	0	#endif
377	0	actx->key.counter[0] = 0;
378	0	ChaCha20_ctr32(actx->key.buf, zero, CHACHA_BLK_SIZE,
379	0	actx->key.key.d, actx->key.counter);
380	0	Poly1305_Init(POLY1305_ctx(actx), actx->key.buf);
381	0	actx->key.counter[0] = 1;
382	0	actx->key.partial_len = 0;
383	0	actx->len.aad = actx->len.text = 0;
384	0	actx->mac_inited = 1;
385	0	if (plen != NO_TLS_PAYLOAD_LENGTH) {
386	0	Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad,
387	0	EVP_AEAD_TLS1_AAD_LEN);
388	0	actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
389	0	actx->aad = 1;
390	0	}
391	0	}
392
393	0	if (in) { /* aad or text */
394	0	if (out == NULL) { /* aad */
395	0	Poly1305_Update(POLY1305_ctx(actx), in, len);
396	0	actx->len.aad += len;
397	0	actx->aad = 1;
398	0	return (int)len;
399	0	} else { /* plain- or ciphertext */
400	0	if (actx->aad) { /* wrap up aad */
401	0	if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
402	0	Poly1305_Update(POLY1305_ctx(actx), zero,
403	0	POLY1305_BLOCK_SIZE - rem);
404	0	actx->aad = 0;
405	0	}
406
407	0	actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
408	0	if (plen == NO_TLS_PAYLOAD_LENGTH)
409	0	plen = len;
410	0	else if (len != plen + POLY1305_BLOCK_SIZE)
411	0	return -1;
412
413	0	if (EVP_CIPHER_CTX_is_encrypting(ctx)) { /* plaintext */
414	0	chacha_cipher(ctx, out, in, plen);
415	0	Poly1305_Update(POLY1305_ctx(actx), out, plen);
416	0	in += plen;
417	0	out += plen;
418	0	actx->len.text += plen;
419	0	} else { /* ciphertext */
420	0	Poly1305_Update(POLY1305_ctx(actx), in, plen);
421	0	chacha_cipher(ctx, out, in, plen);
422	0	in += plen;
423	0	out += plen;
424	0	actx->len.text += plen;
425	0	}
426	0	}
427	0	}
428	0	if (in == NULL /* explicit final */
429	0	\|\| plen != len) { /* or tls mode */
430	0	DECLARE_IS_ENDIAN;
431	0	unsigned char temp[POLY1305_BLOCK_SIZE];
432
433	0	if (actx->aad) { /* wrap up aad */
434	0	if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
435	0	Poly1305_Update(POLY1305_ctx(actx), zero,
436	0	POLY1305_BLOCK_SIZE - rem);
437	0	actx->aad = 0;
438	0	}
439
440	0	if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
441	0	Poly1305_Update(POLY1305_ctx(actx), zero,
442	0	POLY1305_BLOCK_SIZE - rem);
443
444	0	if (IS_LITTLE_ENDIAN) {
445	0	Poly1305_Update(POLY1305_ctx(actx),
446	0	(unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
447	0	} else {
448	0	temp[0] = (unsigned char)(actx->len.aad);
449	0	temp[1] = (unsigned char)(actx->len.aad >> 8);
450	0	temp[2] = (unsigned char)(actx->len.aad >> 16);
451	0	temp[3] = (unsigned char)(actx->len.aad >> 24);
452	0	temp[4] = (unsigned char)(actx->len.aad >> 32);
453	0	temp[5] = (unsigned char)(actx->len.aad >> 40);
454	0	temp[6] = (unsigned char)(actx->len.aad >> 48);
455	0	temp[7] = (unsigned char)(actx->len.aad >> 56);
456
457	0	temp[8] = (unsigned char)(actx->len.text);
458	0	temp[9] = (unsigned char)(actx->len.text >> 8);
459	0	temp[10] = (unsigned char)(actx->len.text >> 16);
460	0	temp[11] = (unsigned char)(actx->len.text >> 24);
461	0	temp[12] = (unsigned char)(actx->len.text >> 32);
462	0	temp[13] = (unsigned char)(actx->len.text >> 40);
463	0	temp[14] = (unsigned char)(actx->len.text >> 48);
464	0	temp[15] = (unsigned char)(actx->len.text >> 56);
465
466	0	Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
467	0	}
468	0	Poly1305_Final(POLY1305_ctx(actx),
469	0	EVP_CIPHER_CTX_is_encrypting(ctx) ? actx->tag : temp);
470	0	actx->mac_inited = 0;
471
472	0	if (in != NULL && len != plen) { /* tls mode */
473	0	if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
474	0	memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
475	0	} else {
476	0	if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
477	0	memset(out - plen, 0, plen);
478	0	return -1;
479	0	}
480	0	}
481	0	} else if (!EVP_CIPHER_CTX_is_encrypting(ctx)) {
482	0	if (CRYPTO_memcmp(temp, actx->tag, actx->tag_len))
483	0	return -1;
484	0	}
485	0	}
486	0	return (int)len;
487	0	}
488
489		static int chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx)
490	0	{
491	0	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
492	0	if (actx)
493	0	OPENSSL_cleanse(ctx->cipher_data, sizeof(*actx) + Poly1305_ctx_size());
494	0	return 1;
495	0	}
496
497		static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
498		void *ptr)
499	0	{
500	0	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
501
502	0	switch (type) {
503	0	case EVP_CTRL_INIT:
504	0	if (actx == NULL)
505	0	actx = ctx->cipher_data
506	0	= OPENSSL_zalloc(sizeof(*actx) + Poly1305_ctx_size());
507	0	if (actx == NULL) {
508	0	ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
509	0	return 0;
510	0	}
511	0	actx->len.aad = 0;
512	0	actx->len.text = 0;
513	0	actx->aad = 0;
514	0	actx->mac_inited = 0;
515	0	actx->tag_len = 0;
516	0	actx->nonce_len = 12;
517	0	actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
518	0	memset(actx->tls_aad, 0, POLY1305_BLOCK_SIZE);
519	0	return 1;
520
521	0	case EVP_CTRL_COPY:
522	0	if (actx) {
523	0	EVP_CIPHER_CTX dst = (EVP_CIPHER_CTX )ptr;
524
525	0	dst->cipher_data = OPENSSL_memdup(actx, sizeof(*actx) + Poly1305_ctx_size());
526	0	if (dst->cipher_data == NULL) {
527	0	ERR_raise(ERR_LIB_EVP, EVP_R_COPY_ERROR);
528	0	return 0;
529	0	}
530	0	}
531	0	return 1;
532
533	0	case EVP_CTRL_GET_IVLEN:
534	0	(int )ptr = actx->nonce_len;
535	0	return 1;
536
537	0	case EVP_CTRL_AEAD_SET_IVLEN:
538	0	if (arg <= 0 \|\| arg > CHACHA20_POLY1305_MAX_IVLEN)
539	0	return 0;
540	0	actx->nonce_len = arg;
541	0	return 1;
542
543	0	case EVP_CTRL_AEAD_SET_IV_FIXED:
544	0	if (arg != 12)
545	0	return 0;
546	0	actx->nonce[0] = actx->key.counter[1]
547	0	= CHACHA_U8TOU32((unsigned char *)ptr);
548	0	actx->nonce[1] = actx->key.counter[2]
549	0	= CHACHA_U8TOU32((unsigned char *)ptr + 4);
550	0	actx->nonce[2] = actx->key.counter[3]
551	0	= CHACHA_U8TOU32((unsigned char *)ptr + 8);
552	0	return 1;
553
554	0	case EVP_CTRL_AEAD_SET_TAG:
555	0	if (arg <= 0 \|\| arg > POLY1305_BLOCK_SIZE)
556	0	return 0;
557	0	if (ptr != NULL) {
558	0	memcpy(actx->tag, ptr, arg);
559	0	actx->tag_len = arg;
560	0	}
561	0	return 1;
562
563	0	case EVP_CTRL_AEAD_GET_TAG:
564	0	if (arg <= 0 \|\| arg > POLY1305_BLOCK_SIZE \|\| !EVP_CIPHER_CTX_is_encrypting(ctx))
565	0	return 0;
566	0	memcpy(ptr, actx->tag, arg);
567	0	return 1;
568
569	0	case EVP_CTRL_AEAD_TLS1_AAD:
570	0	if (arg != EVP_AEAD_TLS1_AAD_LEN)
571	0	return 0;
572	0	{
573	0	unsigned int len;
574	0	unsigned char *aad = ptr;
575
576	0	memcpy(actx->tls_aad, ptr, EVP_AEAD_TLS1_AAD_LEN);
577	0	len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 \| aad[EVP_AEAD_TLS1_AAD_LEN - 1];
578	0	aad = actx->tls_aad;
579	0	if (!EVP_CIPHER_CTX_is_encrypting(ctx)) {
580	0	if (len < POLY1305_BLOCK_SIZE)
581	0	return 0;
582	0	len -= POLY1305_BLOCK_SIZE; /* discount attached tag */
583	0	aad[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8);
584	0	aad[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len;
585	0	}
586	0	actx->tls_payload_length = len;
587
588		/*
589		* merge record sequence number as per RFC7905
590		*/
591	0	actx->key.counter[1] = actx->nonce[0];
592	0	actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);
593	0	actx->key.counter[3] = actx->nonce[2] ^ CHACHA_U8TOU32(aad + 4);
594	0	actx->mac_inited = 0;
595
596	0	return POLY1305_BLOCK_SIZE; /* tag length */
597	0	}
598
599	0	case EVP_CTRL_AEAD_SET_MAC_KEY:
600		/* no-op */
601	0	return 1;
602
603	0	default:
604	0	return -1;
605	0	}
606	0	}
607
608		static const EVP_CIPHER chacha20_poly1305 = {
609		NID_chacha20_poly1305,
610		1, /* block_size */
611		CHACHA_KEY_SIZE, /* key_len */
612		12, /* iv_len, 96-bit nonce in the context */
613		EVP_CIPH_FLAG_AEAD_CIPHER \| EVP_CIPH_CUSTOM_IV \| EVP_CIPH_ALWAYS_CALL_INIT \| EVP_CIPH_CTRL_INIT \| EVP_CIPH_CUSTOM_COPY \| EVP_CIPH_FLAG_CUSTOM_CIPHER \| EVP_CIPH_CUSTOM_IV_LENGTH,
614		EVP_ORIG_GLOBAL,
615		chacha20_poly1305_init_key,
616		chacha20_poly1305_cipher,
617		chacha20_poly1305_cleanup,
618		0, /* 0 moves context-specific structure allocation to ctrl */
619		NULL, /* set_asn1_parameters */
620		NULL, /* get_asn1_parameters */
621		chacha20_poly1305_ctrl,
622		NULL /* app_data */
623		};
624
625		const EVP_CIPHER *EVP_chacha20_poly1305(void)
626	3	{
627	3	return (&chacha20_poly1305);
628	3	}
629		#endif
630		#endif