/src/openssl111/crypto/evp/e_chacha20_poly1305.c

Source (jump to first uncovered line)
/*
 * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"

#ifndef OPENSSL_NO_CHACHA

# include <openssl/evp.h>
# include <openssl/objects.h>
# include "evp_local.h"
# include "crypto/evp.h"
# include "crypto/chacha.h"

typedef struct {
    union {
        double align;   /* this ensures even sizeof(EVP_CHACHA_KEY)%8==0 */
        unsigned int d[CHACHA_KEY_SIZE / 4];
    } key;
    unsigned int  counter[CHACHA_CTR_SIZE / 4];
    unsigned char buf[CHACHA_BLK_SIZE];
    unsigned int  partial_len;
} EVP_CHACHA_KEY;

#define data(ctx)   ((EVP_CHACHA_KEY *)(ctx)->cipher_data)

#define CHACHA20_POLY1305_MAX_IVLEN     12

static int chacha_init_key(EVP_CIPHER_CTX *ctx,
                           const unsigned char user_key[CHACHA_KEY_SIZE],
                           const unsigned char iv[CHACHA_CTR_SIZE], int enc)
{
    EVP_CHACHA_KEY *key = data(ctx);
    unsigned int i;

    if (user_key)
        for (i = 0; i < CHACHA_KEY_SIZE; i+=4) {
            key->key.d[i/4] = CHACHA_U8TOU32(user_key+i);
        }

    if (iv)
        for (i = 0; i < CHACHA_CTR_SIZE; i+=4) {
            key->counter[i/4] = CHACHA_U8TOU32(iv+i);
        }

    key->partial_len = 0;

    return 1;
}

static int chacha_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
                         const unsigned char *inp, size_t len)
{
    EVP_CHACHA_KEY *key = data(ctx);
    unsigned int n, rem, ctr32;

    if ((n = key->partial_len)) {
        while (len && n < CHACHA_BLK_SIZE) {
            *out++ = *inp++ ^ key->buf[n++];
            len--;
        }
        key->partial_len = n;

        if (len == 0)
            return 1;

        if (n == CHACHA_BLK_SIZE) {
            key->partial_len = 0;
            key->counter[0]++;
            if (key->counter[0] == 0)
                key->counter[1]++;
        }
    }

    rem = (unsigned int)(len % CHACHA_BLK_SIZE);
    len -= rem;
    ctr32 = key->counter[0];
    while (len >= CHACHA_BLK_SIZE) {
        size_t blocks = len / CHACHA_BLK_SIZE;
        /*
         * 1<<28 is just a not-so-small yet not-so-large number...
         * Below condition is practically never met, but it has to
         * be checked for code correctness.
         */
        if (sizeof(size_t)>sizeof(unsigned int) && blocks>(1U<<28))
            blocks = (1U<<28);

        /*
         * As ChaCha20_ctr32 operates on 32-bit counter, caller
         * has to handle overflow. 'if' below detects the
         * overflow, which is then handled by limiting the
         * amount of blocks to the exact overflow point...
         */
        ctr32 += (unsigned int)blocks;
        if (ctr32 < blocks) {
            blocks -= ctr32;
            ctr32 = 0;
        }
        blocks *= CHACHA_BLK_SIZE;
        ChaCha20_ctr32(out, inp, blocks, key->key.d, key->counter);
        len -= blocks;
        inp += blocks;
        out += blocks;

        key->counter[0] = ctr32;
        if (ctr32 == 0) key->counter[1]++;
    }

    if (rem) {
        memset(key->buf, 0, sizeof(key->buf));
        ChaCha20_ctr32(key->buf, key->buf, CHACHA_BLK_SIZE,
                       key->key.d, key->counter);
        for (n = 0; n < rem; n++)
            out[n] = inp[n] ^ key->buf[n];
        key->partial_len = rem;
    }

    return 1;
}

static const EVP_CIPHER chacha20 = {
    NID_chacha20,
    1,                      /* block_size */
    CHACHA_KEY_SIZE,        /* key_len */
    CHACHA_CTR_SIZE,        /* iv_len, 128-bit counter in the context */
    EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT,
    chacha_init_key,
    chacha_cipher,
    NULL,
    sizeof(EVP_CHACHA_KEY),
    NULL,
    NULL,
    NULL,
    NULL
};

const EVP_CIPHER *EVP_chacha20(void)
{
    return &chacha20;
}

# ifndef OPENSSL_NO_POLY1305
#  include "crypto/poly1305.h"

typedef struct {
    EVP_CHACHA_KEY key;
    unsigned int nonce[12/4];
    unsigned char tag[POLY1305_BLOCK_SIZE];
    unsigned char tls_aad[POLY1305_BLOCK_SIZE];
    struct { uint64_t aad, text; } len;
    int aad, mac_inited, tag_len, nonce_len;
    size_t tls_payload_length;
} EVP_CHACHA_AEAD_CTX;

#  define NO_TLS_PAYLOAD_LENGTH ((size_t)-1)
#  define aead_data(ctx)        ((EVP_CHACHA_AEAD_CTX *)(ctx)->cipher_data)
#  define POLY1305_ctx(actx)    ((POLY1305 *)(actx + 1))

static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
                                      const unsigned char *inkey,
                                      const unsigned char *iv, int enc)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);

    if (!inkey && !iv)
        return 1;

    actx->len.aad = 0;
    actx->len.text = 0;
    actx->aad = 0;
    actx->mac_inited = 0;
    actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;

    if (iv != NULL) {
        unsigned char temp[CHACHA_CTR_SIZE] = { 0 };

        /* pad on the left */
        if (actx->nonce_len <= CHACHA_CTR_SIZE)
            memcpy(temp + CHACHA_CTR_SIZE - actx->nonce_len, iv,
                   actx->nonce_len);

        chacha_init_key(ctx, inkey, temp, enc);

        actx->nonce[0] = actx->key.counter[1];
        actx->nonce[1] = actx->key.counter[2];
        actx->nonce[2] = actx->key.counter[3];
    } else {
        chacha_init_key(ctx, inkey, NULL, enc);
    }

    return 1;
}

#  if !defined(OPENSSL_SMALL_FOOTPRINT)

#   if defined(POLY1305_ASM) && (defined(__x86_64) || defined(__x86_64__) || \
                                 defined(_M_AMD64) || defined(_M_X64))
#    define XOR128_HELPERS
void *xor128_encrypt_n_pad(void *out, const void *inp, void *otp, size_t len);
void *xor128_decrypt_n_pad(void *out, const void *inp, void *otp, size_t len);
static const unsigned char zero[4 * CHACHA_BLK_SIZE] = { 0 };
#   else
static const unsigned char zero[2 * CHACHA_BLK_SIZE] = { 0 };
#   endif

static int chacha20_poly1305_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                        const unsigned char *in, size_t len)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
    size_t tail, tohash_len, buf_len, plen = actx->tls_payload_length;
    unsigned char *buf, *tohash, *ctr, storage[sizeof(zero) + 32];

    if (len != plen + POLY1305_BLOCK_SIZE)
        return -1;

    buf = storage + ((0 - (size_t)storage) & 15);   /* align */
    ctr = buf + CHACHA_BLK_SIZE;
    tohash = buf + CHACHA_BLK_SIZE - POLY1305_BLOCK_SIZE;

#   ifdef XOR128_HELPERS
    if (plen <= 3 * CHACHA_BLK_SIZE) {
        actx->key.counter[0] = 0;
        buf_len = (plen + 2 * CHACHA_BLK_SIZE - 1) & (0 - CHACHA_BLK_SIZE);
        ChaCha20_ctr32(buf, zero, buf_len, actx->key.key.d,
                       actx->key.counter);
        Poly1305_Init(POLY1305_ctx(actx), buf);
        actx->key.partial_len = 0;
        memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);
        tohash_len = POLY1305_BLOCK_SIZE;
        actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
        actx->len.text = plen;

        if (plen) {
            if (ctx->encrypt)
                ctr = xor128_encrypt_n_pad(out, in, ctr, plen);
            else
                ctr = xor128_decrypt_n_pad(out, in, ctr, plen);

            in += plen;
            out += plen;
            tohash_len = (size_t)(ctr - tohash);
        }
    }
#   else
    if (plen <= CHACHA_BLK_SIZE) {
        size_t i;

        actx->key.counter[0] = 0;
        ChaCha20_ctr32(buf, zero, (buf_len = 2 * CHACHA_BLK_SIZE),
                       actx->key.key.d, actx->key.counter);
        Poly1305_Init(POLY1305_ctx(actx), buf);
        actx->key.partial_len = 0;
        memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);
        tohash_len = POLY1305_BLOCK_SIZE;
        actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
        actx->len.text = plen;

        if (ctx->encrypt) {
            for (i = 0; i < plen; i++) {
                out[i] = ctr[i] ^= in[i];
            }
        } else {
            for (i = 0; i < plen; i++) {
                unsigned char c = in[i];
                out[i] = ctr[i] ^ c;
                ctr[i] = c;
            }
        }

        in += i;
        out += i;

        tail = (0 - i) & (POLY1305_BLOCK_SIZE - 1);
        memset(ctr + i, 0, tail);
        ctr += i + tail;
        tohash_len += i + tail;
    }
#   endif
    else {
        actx->key.counter[0] = 0;
        ChaCha20_ctr32(buf, zero, (buf_len = CHACHA_BLK_SIZE),
                       actx->key.key.d, actx->key.counter);
        Poly1305_Init(POLY1305_ctx(actx), buf);
        actx->key.counter[0] = 1;
        actx->key.partial_len = 0;
        Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad, POLY1305_BLOCK_SIZE);
        tohash = ctr;
        tohash_len = 0;
        actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
        actx->len.text = plen;

        if (ctx->encrypt) {
            ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);
            Poly1305_Update(POLY1305_ctx(actx), out, plen);
        } else {
            Poly1305_Update(POLY1305_ctx(actx), in, plen);
            ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);
        }

        in += plen;
        out += plen;
        tail = (0 - plen) & (POLY1305_BLOCK_SIZE - 1);
        Poly1305_Update(POLY1305_ctx(actx), zero, tail);
    }

    {
        const union {
            long one;
            char little;
        } is_endian = { 1 };

        if (is_endian.little) {
            memcpy(ctr, (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
        } else {
            ctr[0]  = (unsigned char)(actx->len.aad);
            ctr[1]  = (unsigned char)(actx->len.aad>>8);
            ctr[2]  = (unsigned char)(actx->len.aad>>16);
            ctr[3]  = (unsigned char)(actx->len.aad>>24);
            ctr[4]  = (unsigned char)(actx->len.aad>>32);
            ctr[5]  = (unsigned char)(actx->len.aad>>40);
            ctr[6]  = (unsigned char)(actx->len.aad>>48);
            ctr[7]  = (unsigned char)(actx->len.aad>>56);

            ctr[8]  = (unsigned char)(actx->len.text);
            ctr[9]  = (unsigned char)(actx->len.text>>8);
            ctr[10] = (unsigned char)(actx->len.text>>16);
            ctr[11] = (unsigned char)(actx->len.text>>24);
            ctr[12] = (unsigned char)(actx->len.text>>32);
            ctr[13] = (unsigned char)(actx->len.text>>40);
            ctr[14] = (unsigned char)(actx->len.text>>48);
            ctr[15] = (unsigned char)(actx->len.text>>56);
        }
        tohash_len += POLY1305_BLOCK_SIZE;
    }

    Poly1305_Update(POLY1305_ctx(actx), tohash, tohash_len);
    OPENSSL_cleanse(buf, buf_len);
    Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
                                                    : tohash);

    actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;

    if (ctx->encrypt) {
        memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
    } else {
        if (CRYPTO_memcmp(tohash, in, POLY1305_BLOCK_SIZE)) {
            memset(out - (len - POLY1305_BLOCK_SIZE), 0,
                   len - POLY1305_BLOCK_SIZE);
            return -1;
        }
    }

    return len;
}
#  else
static const unsigned char zero[CHACHA_BLK_SIZE] = { 0 };
#  endif

static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                    const unsigned char *in, size_t len)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
    size_t rem, plen = actx->tls_payload_length;

    if (!actx->mac_inited) {
#  if !defined(OPENSSL_SMALL_FOOTPRINT)
        if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL)
            return chacha20_poly1305_tls_cipher(ctx, out, in, len);
#  endif
        actx->key.counter[0] = 0;
        ChaCha20_ctr32(actx->key.buf, zero, CHACHA_BLK_SIZE,
                       actx->key.key.d, actx->key.counter);
        Poly1305_Init(POLY1305_ctx(actx), actx->key.buf);
        actx->key.counter[0] = 1;
        actx->key.partial_len = 0;
        actx->len.aad = actx->len.text = 0;
        actx->mac_inited = 1;
        if (plen != NO_TLS_PAYLOAD_LENGTH) {
            Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad,
                            EVP_AEAD_TLS1_AAD_LEN);
            actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
            actx->aad = 1;
        }
    }

    if (in) {                                   /* aad or text */
        if (out == NULL) {                      /* aad */
            Poly1305_Update(POLY1305_ctx(actx), in, len);
            actx->len.aad += len;
            actx->aad = 1;
            return len;
        } else {                                /* plain- or ciphertext */
            if (actx->aad) {                    /* wrap up aad */
                if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
                    Poly1305_Update(POLY1305_ctx(actx), zero,
                                    POLY1305_BLOCK_SIZE - rem);
                actx->aad = 0;
            }

            actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
            if (plen == NO_TLS_PAYLOAD_LENGTH)
                plen = len;
            else if (len != plen + POLY1305_BLOCK_SIZE)
                return -1;

            if (ctx->encrypt) {                 /* plaintext */
                chacha_cipher(ctx, out, in, plen);
                Poly1305_Update(POLY1305_ctx(actx), out, plen);
                in += plen;
                out += plen;
                actx->len.text += plen;
            } else {                            /* ciphertext */
                Poly1305_Update(POLY1305_ctx(actx), in, plen);
                chacha_cipher(ctx, out, in, plen);
                in += plen;
                out += plen;
                actx->len.text += plen;
            }
        }
    }
    if (in == NULL                              /* explicit final */
        || plen != len) {                       /* or tls mode */
        const union {
            long one;
            char little;
        } is_endian = { 1 };
        unsigned char temp[POLY1305_BLOCK_SIZE];

        if (actx->aad) {                        /* wrap up aad */
            if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
                Poly1305_Update(POLY1305_ctx(actx), zero,
                                POLY1305_BLOCK_SIZE - rem);
            actx->aad = 0;
        }

        if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
            Poly1305_Update(POLY1305_ctx(actx), zero,
                            POLY1305_BLOCK_SIZE - rem);

        if (is_endian.little) {
            Poly1305_Update(POLY1305_ctx(actx),
                            (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
        } else {
            temp[0]  = (unsigned char)(actx->len.aad);
            temp[1]  = (unsigned char)(actx->len.aad>>8);
            temp[2]  = (unsigned char)(actx->len.aad>>16);
            temp[3]  = (unsigned char)(actx->len.aad>>24);
            temp[4]  = (unsigned char)(actx->len.aad>>32);
            temp[5]  = (unsigned char)(actx->len.aad>>40);
            temp[6]  = (unsigned char)(actx->len.aad>>48);
            temp[7]  = (unsigned char)(actx->len.aad>>56);

            temp[8]  = (unsigned char)(actx->len.text);
            temp[9]  = (unsigned char)(actx->len.text>>8);
            temp[10] = (unsigned char)(actx->len.text>>16);
            temp[11] = (unsigned char)(actx->len.text>>24);
            temp[12] = (unsigned char)(actx->len.text>>32);
            temp[13] = (unsigned char)(actx->len.text>>40);
            temp[14] = (unsigned char)(actx->len.text>>48);
            temp[15] = (unsigned char)(actx->len.text>>56);

            Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
        }
        Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
                                                        : temp);
        actx->mac_inited = 0;

        if (in != NULL && len != plen) {        /* tls mode */
            if (ctx->encrypt) {
                memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
            } else {
                if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
                    memset(out - plen, 0, plen);
                    return -1;
                }
            }
        }
        else if (!ctx->encrypt) {
            if (CRYPTO_memcmp(temp, actx->tag, actx->tag_len))
                return -1;
        }
    }
    return len;
}

static int chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
    if (actx)
        OPENSSL_cleanse(ctx->cipher_data, sizeof(*actx) + Poly1305_ctx_size());
    return 1;
}

static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
                                  void *ptr)
{
    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);

    switch(type) {
    case EVP_CTRL_INIT:
        if (actx == NULL)
            actx = ctx->cipher_data
                 = OPENSSL_zalloc(sizeof(*actx) + Poly1305_ctx_size());
        if (actx == NULL) {
            EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_INITIALIZATION_ERROR);
            return 0;
        }
        actx->len.aad = 0;
        actx->len.text = 0;
        actx->aad = 0;
        actx->mac_inited = 0;
        actx->tag_len = 0;
        actx->nonce_len = 12;
        actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
        memset(actx->tls_aad, 0, POLY1305_BLOCK_SIZE);
        return 1;

    case EVP_CTRL_COPY:
        if (actx) {
            EVP_CIPHER_CTX *dst = (EVP_CIPHER_CTX *)ptr;

            dst->cipher_data =
                   OPENSSL_memdup(actx, sizeof(*actx) + Poly1305_ctx_size());
            if (dst->cipher_data == NULL) {
                EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_COPY_ERROR);
                return 0;
            }
        }
        return 1;

    case EVP_CTRL_GET_IVLEN:
        *(int *)ptr = actx->nonce_len;
        return 1;

    case EVP_CTRL_AEAD_SET_IVLEN:
        if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
            return 0;
        actx->nonce_len = arg;
        return 1;

    case EVP_CTRL_AEAD_SET_IV_FIXED:
        if (arg != 12)
            return 0;
        actx->nonce[0] = actx->key.counter[1]
                       = CHACHA_U8TOU32((unsigned char *)ptr);
        actx->nonce[1] = actx->key.counter[2]
                       = CHACHA_U8TOU32((unsigned char *)ptr+4);
        actx->nonce[2] = actx->key.counter[3]
                       = CHACHA_U8TOU32((unsigned char *)ptr+8);
        return 1;

    case EVP_CTRL_AEAD_SET_TAG:
        if (arg <= 0 || arg > POLY1305_BLOCK_SIZE)
            return 0;
        if (ptr != NULL) {
            memcpy(actx->tag, ptr, arg);
            actx->tag_len = arg;
        }
        return 1;

    case EVP_CTRL_AEAD_GET_TAG:
        if (arg <= 0 || arg > POLY1305_BLOCK_SIZE || !ctx->encrypt)
            return 0;
        memcpy(ptr, actx->tag, arg);
        return 1;

    case EVP_CTRL_AEAD_TLS1_AAD:
        if (arg != EVP_AEAD_TLS1_AAD_LEN)
            return 0;
        {
            unsigned int len;
            unsigned char *aad = ptr;

            memcpy(actx->tls_aad, ptr, EVP_AEAD_TLS1_AAD_LEN);
            len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 |
                  aad[EVP_AEAD_TLS1_AAD_LEN - 1];
            aad = actx->tls_aad;
            if (!ctx->encrypt) {
                if (len < POLY1305_BLOCK_SIZE)
                    return 0;
                len -= POLY1305_BLOCK_SIZE;     /* discount attached tag */
                aad[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8);
                aad[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len;
            }
            actx->tls_payload_length = len;

            /*
             * merge record sequence number as per RFC7905
             */
            actx->key.counter[1] = actx->nonce[0];
            actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);
            actx->key.counter[3] = actx->nonce[2] ^ CHACHA_U8TOU32(aad+4);
            actx->mac_inited = 0;

            return POLY1305_BLOCK_SIZE;         /* tag length */
        }

    case EVP_CTRL_AEAD_SET_MAC_KEY:
        /* no-op */
        return 1;

    default:
        return -1;
    }
}

static EVP_CIPHER chacha20_poly1305 = {
    NID_chacha20_poly1305,
    1,                  /* block_size */
    CHACHA_KEY_SIZE,    /* key_len */
    12,                 /* iv_len, 96-bit nonce in the context */
    EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV |
    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
    EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER |
    EVP_CIPH_CUSTOM_IV_LENGTH,
    chacha20_poly1305_init_key,
    chacha20_poly1305_cipher,
    chacha20_poly1305_cleanup,
    0,          /* 0 moves context-specific structure allocation to ctrl */
    NULL,       /* set_asn1_parameters */
    NULL,       /* get_asn1_parameters */
    chacha20_poly1305_ctrl,
    NULL        /* app_data */
};

const EVP_CIPHER *EVP_chacha20_poly1305(void)
{
    return(&chacha20_poly1305);
}
# endif
#endif

Coverage Report

Created: 2023-09-25 06:45

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the OpenSSL license (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <stdio.h>
11		#include "internal/cryptlib.h"
12
13		#ifndef OPENSSL_NO_CHACHA
14
15		# include <openssl/evp.h>
16		# include <openssl/objects.h>
17		# include "evp_local.h"
18		# include "crypto/evp.h"
19		# include "crypto/chacha.h"
20
21		typedef struct {
22		union {
23		double align; /* this ensures even sizeof(EVP_CHACHA_KEY)%8==0 */
24		unsigned int d[CHACHA_KEY_SIZE / 4];
25		} key;
26		unsigned int counter[CHACHA_CTR_SIZE / 4];
27		unsigned char buf[CHACHA_BLK_SIZE];
28		unsigned int partial_len;
29		} EVP_CHACHA_KEY;
30
31	19.0k	#define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
32
33	926	#define CHACHA20_POLY1305_MAX_IVLEN 12
34
35		static int chacha_init_key(EVP_CIPHER_CTX *ctx,
36		const unsigned char user_key[CHACHA_KEY_SIZE],
37		const unsigned char iv[CHACHA_CTR_SIZE], int enc)
38	10.0k	{
39	10.0k	EVP_CHACHA_KEY *key = data(ctx);
40	10.0k	unsigned int i;
41
42	10.0k	if (user_key)
43	8.52k	for (i = 0; i < CHACHA_KEY_SIZE; i+=4) {
44	7.57k	key->key.d[i/4] = CHACHA_U8TOU32(user_key+i);
45	7.57k	}
46
47	10.0k	if (iv)
48	45.3k	for (i = 0; i < CHACHA_CTR_SIZE; i+=4) {
49	36.3k	key->counter[i/4] = CHACHA_U8TOU32(iv+i);
50	36.3k	}
51
52	10.0k	key->partial_len = 0;
53
54	10.0k	return 1;
55	10.0k	}
56
57		static int chacha_cipher(EVP_CIPHER_CTX * ctx, unsigned char *out,
58		const unsigned char *inp, size_t len)
59	9.05k	{
60	9.05k	EVP_CHACHA_KEY *key = data(ctx);
61	9.05k	unsigned int n, rem, ctr32;
62
63	9.05k	if ((n = key->partial_len)) {
64	0	while (len && n < CHACHA_BLK_SIZE) {
65	0	out++ = inp++ ^ key->buf[n++];
66	0	len--;
67	0	}
68	0	key->partial_len = n;
69
70	0	if (len == 0)
71	0	return 1;
72
73	0	if (n == CHACHA_BLK_SIZE) {
74	0	key->partial_len = 0;
75	0	key->counter[0]++;
76	0	if (key->counter[0] == 0)
77	0	key->counter[1]++;
78	0	}
79	0	}
80
81	9.05k	rem = (unsigned int)(len % CHACHA_BLK_SIZE);
82	9.05k	len -= rem;
83	9.05k	ctr32 = key->counter[0];
84	9.81k	while (len >= CHACHA_BLK_SIZE) {
85	753	size_t blocks = len / CHACHA_BLK_SIZE;
86		/*
87		* 1<<28 is just a not-so-small yet not-so-large number...
88		* Below condition is practically never met, but it has to
89		* be checked for code correctness.
90		*/
91	753	if (sizeof(size_t)>sizeof(unsigned int) && blocks>(1U<<28))
92	0	blocks = (1U<<28);
93
94		/*
95		* As ChaCha20_ctr32 operates on 32-bit counter, caller
96		* has to handle overflow. 'if' below detects the
97		* overflow, which is then handled by limiting the
98		* amount of blocks to the exact overflow point...
99		*/
100	753	ctr32 += (unsigned int)blocks;
101	753	if (ctr32 < blocks) {
102	0	blocks -= ctr32;
103	0	ctr32 = 0;
104	0	}
105	753	blocks *= CHACHA_BLK_SIZE;
106	753	ChaCha20_ctr32(out, inp, blocks, key->key.d, key->counter);
107	753	len -= blocks;
108	753	inp += blocks;
109	753	out += blocks;
110
111	753	key->counter[0] = ctr32;
112	753	if (ctr32 == 0) key->counter[1]++;
113	753	}
114
115	9.05k	if (rem) {
116	8.92k	memset(key->buf, 0, sizeof(key->buf));
117	8.92k	ChaCha20_ctr32(key->buf, key->buf, CHACHA_BLK_SIZE,
118	8.92k	key->key.d, key->counter);
119	57.3k	for (n = 0; n < rem; n++)
120	48.3k	out[n] = inp[n] ^ key->buf[n];
121	8.92k	key->partial_len = rem;
122	8.92k	}
123
124	9.05k	return 1;
125	9.05k	}
126
127		static const EVP_CIPHER chacha20 = {
128		NID_chacha20,
129		1, /* block_size */
130		CHACHA_KEY_SIZE, /* key_len */
131		CHACHA_CTR_SIZE, /* iv_len, 128-bit counter in the context */
132		EVP_CIPH_CUSTOM_IV \| EVP_CIPH_ALWAYS_CALL_INIT,
133		chacha_init_key,
134		chacha_cipher,
135		NULL,
136		sizeof(EVP_CHACHA_KEY),
137		NULL,
138		NULL,
139		NULL,
140		NULL
141		};
142
143		const EVP_CIPHER *EVP_chacha20(void)
144	31	{
145	31	return &chacha20;
146	31	}
147
148		# ifndef OPENSSL_NO_POLY1305
149		# include "crypto/poly1305.h"
150
151		typedef struct {
152		EVP_CHACHA_KEY key;
153		unsigned int nonce[12/4];
154		unsigned char tag[POLY1305_BLOCK_SIZE];
155		unsigned char tls_aad[POLY1305_BLOCK_SIZE];
156		struct { uint64_t aad, text; } len;
157		int aad, mac_inited, tag_len, nonce_len;
158		size_t tls_payload_length;
159		} EVP_CHACHA_AEAD_CTX;
160
161	56.2k	# define NO_TLS_PAYLOAD_LENGTH ((size_t)-1)
162	59.8k	# define aead_data(ctx) ((EVP_CHACHA_AEAD_CTX *)(ctx)->cipher_data)
163	62.8k	# define POLY1305_ctx(actx) ((POLY1305 *)(actx + 1))
164
165		static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx,
166		const unsigned char *inkey,
167		const unsigned char *iv, int enc)
168	10.9k	{
169	10.9k	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
170
171	10.9k	if (!inkey && !iv)
172	926	return 1;
173
174	10.0k	actx->len.aad = 0;
175	10.0k	actx->len.text = 0;
176	10.0k	actx->aad = 0;
177	10.0k	actx->mac_inited = 0;
178	10.0k	actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
179
180	10.0k	if (iv != NULL) {
181	9.07k	unsigned char temp[CHACHA_CTR_SIZE] = { 0 };
182
183		/* pad on the left */
184	9.07k	if (actx->nonce_len <= CHACHA_CTR_SIZE)
185	9.07k	memcpy(temp + CHACHA_CTR_SIZE - actx->nonce_len, iv,
186	9.07k	actx->nonce_len);
187
188	9.07k	chacha_init_key(ctx, inkey, temp, enc);
189
190	9.07k	actx->nonce[0] = actx->key.counter[1];
191	9.07k	actx->nonce[1] = actx->key.counter[2];
192	9.07k	actx->nonce[2] = actx->key.counter[3];
193	9.07k	} else {
194	926	chacha_init_key(ctx, inkey, NULL, enc);
195	926	}
196
197	10.0k	return 1;
198	10.9k	}
199
200		# if !defined(OPENSSL_SMALL_FOOTPRINT)
201
202		# if defined(POLY1305_ASM) && (defined(__x86_64) \|\| defined(__x86_64__) \|\| \
203		defined(_M_AMD64) \|\| defined(_M_X64))
204		# define XOR128_HELPERS
205		void xor128_encrypt_n_pad(void out, const void inp, void otp, size_t len);
206		void xor128_decrypt_n_pad(void out, const void inp, void otp, size_t len);
207		static const unsigned char zero[4 * CHACHA_BLK_SIZE] = { 0 };
208		# else
209		static const unsigned char zero[2 * CHACHA_BLK_SIZE] = { 0 };
210		# endif
211
212		static int chacha20_poly1305_tls_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
213		const unsigned char *in, size_t len)
214	15	{
215	15	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
216	15	size_t tail, tohash_len, buf_len, plen = actx->tls_payload_length;
217	15	unsigned char buf, tohash, *ctr, storage[sizeof(zero) + 32];
218
219	15	if (len != plen + POLY1305_BLOCK_SIZE)
220	0	return -1;
221
222	15	buf = storage + ((0 - (size_t)storage) & 15); /* align */
223	15	ctr = buf + CHACHA_BLK_SIZE;
224	15	tohash = buf + CHACHA_BLK_SIZE - POLY1305_BLOCK_SIZE;
225
226	15	# ifdef XOR128_HELPERS
227	15	if (plen <= 3 * CHACHA_BLK_SIZE) {
228	7	actx->key.counter[0] = 0;
229	7	buf_len = (plen + 2 * CHACHA_BLK_SIZE - 1) & (0 - CHACHA_BLK_SIZE);
230	7	ChaCha20_ctr32(buf, zero, buf_len, actx->key.key.d,
231	7	actx->key.counter);
232	7	Poly1305_Init(POLY1305_ctx(actx), buf);
233	7	actx->key.partial_len = 0;
234	7	memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);
235	7	tohash_len = POLY1305_BLOCK_SIZE;
236	7	actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
237	7	actx->len.text = plen;
238
239	7	if (plen) {
240	6	if (ctx->encrypt)
241	0	ctr = xor128_encrypt_n_pad(out, in, ctr, plen);
242	6	else
243	6	ctr = xor128_decrypt_n_pad(out, in, ctr, plen);
244
245	6	in += plen;
246	6	out += plen;
247	6	tohash_len = (size_t)(ctr - tohash);
248	6	}
249	7	}
250		# else
251		if (plen <= CHACHA_BLK_SIZE) {
252		size_t i;
253
254		actx->key.counter[0] = 0;
255		ChaCha20_ctr32(buf, zero, (buf_len = 2 * CHACHA_BLK_SIZE),
256		actx->key.key.d, actx->key.counter);
257		Poly1305_Init(POLY1305_ctx(actx), buf);
258		actx->key.partial_len = 0;
259		memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE);
260		tohash_len = POLY1305_BLOCK_SIZE;
261		actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
262		actx->len.text = plen;
263
264		if (ctx->encrypt) {
265		for (i = 0; i < plen; i++) {
266		out[i] = ctr[i] ^= in[i];
267		}
268		} else {
269		for (i = 0; i < plen; i++) {
270		unsigned char c = in[i];
271		out[i] = ctr[i] ^ c;
272		ctr[i] = c;
273		}
274		}
275
276		in += i;
277		out += i;
278
279		tail = (0 - i) & (POLY1305_BLOCK_SIZE - 1);
280		memset(ctr + i, 0, tail);
281		ctr += i + tail;
282		tohash_len += i + tail;
283		}
284		# endif
285	8	else {
286	8	actx->key.counter[0] = 0;
287	8	ChaCha20_ctr32(buf, zero, (buf_len = CHACHA_BLK_SIZE),
288	8	actx->key.key.d, actx->key.counter);
289	8	Poly1305_Init(POLY1305_ctx(actx), buf);
290	8	actx->key.counter[0] = 1;
291	8	actx->key.partial_len = 0;
292	8	Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad, POLY1305_BLOCK_SIZE);
293	8	tohash = ctr;
294	8	tohash_len = 0;
295	8	actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
296	8	actx->len.text = plen;
297
298	8	if (ctx->encrypt) {
299	0	ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);
300	0	Poly1305_Update(POLY1305_ctx(actx), out, plen);
301	8	} else {
302	8	Poly1305_Update(POLY1305_ctx(actx), in, plen);
303	8	ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter);
304	8	}
305
306	8	in += plen;
307	8	out += plen;
308	8	tail = (0 - plen) & (POLY1305_BLOCK_SIZE - 1);
309	8	Poly1305_Update(POLY1305_ctx(actx), zero, tail);
310	8	}
311
312	15	{
313	15	const union {
314	15	long one;
315	15	char little;
316	15	} is_endian = { 1 };
317
318	15	if (is_endian.little) {
319	15	memcpy(ctr, (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
320	15	} else {
321	0	ctr[0] = (unsigned char)(actx->len.aad);
322	0	ctr[1] = (unsigned char)(actx->len.aad>>8);
323	0	ctr[2] = (unsigned char)(actx->len.aad>>16);
324	0	ctr[3] = (unsigned char)(actx->len.aad>>24);
325	0	ctr[4] = (unsigned char)(actx->len.aad>>32);
326	0	ctr[5] = (unsigned char)(actx->len.aad>>40);
327	0	ctr[6] = (unsigned char)(actx->len.aad>>48);
328	0	ctr[7] = (unsigned char)(actx->len.aad>>56);
329
330	0	ctr[8] = (unsigned char)(actx->len.text);
331	0	ctr[9] = (unsigned char)(actx->len.text>>8);
332	0	ctr[10] = (unsigned char)(actx->len.text>>16);
333	0	ctr[11] = (unsigned char)(actx->len.text>>24);
334	0	ctr[12] = (unsigned char)(actx->len.text>>32);
335	0	ctr[13] = (unsigned char)(actx->len.text>>40);
336	0	ctr[14] = (unsigned char)(actx->len.text>>48);
337	0	ctr[15] = (unsigned char)(actx->len.text>>56);
338	0	}
339	15	tohash_len += POLY1305_BLOCK_SIZE;
340	15	}
341
342	15	Poly1305_Update(POLY1305_ctx(actx), tohash, tohash_len);
343	15	OPENSSL_cleanse(buf, buf_len);
344	15	Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
345	15	: tohash);
346
347	15	actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
348
349	15	if (ctx->encrypt) {
350	0	memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
351	15	} else {
352	15	if (CRYPTO_memcmp(tohash, in, POLY1305_BLOCK_SIZE)) {
353	15	memset(out - (len - POLY1305_BLOCK_SIZE), 0,
354	15	len - POLY1305_BLOCK_SIZE);
355	15	return -1;
356	15	}
357	15	}
358
359	0	return len;
360	15	}
361		# else
362		static const unsigned char zero[CHACHA_BLK_SIZE] = { 0 };
363		# endif
364
365		static int chacha20_poly1305_cipher(EVP_CIPHER_CTX ctx, unsigned char out,
366		const unsigned char *in, size_t len)
367	27.1k	{
368	27.1k	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
369	27.1k	size_t rem, plen = actx->tls_payload_length;
370
371	27.1k	if (!actx->mac_inited) {
372	9.07k	# if !defined(OPENSSL_SMALL_FOOTPRINT)
373	9.07k	if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL)
374	15	return chacha20_poly1305_tls_cipher(ctx, out, in, len);
375	9.05k	# endif
376	9.05k	actx->key.counter[0] = 0;
377	9.05k	ChaCha20_ctr32(actx->key.buf, zero, CHACHA_BLK_SIZE,
378	9.05k	actx->key.key.d, actx->key.counter);
379	9.05k	Poly1305_Init(POLY1305_ctx(actx), actx->key.buf);
380	9.05k	actx->key.counter[0] = 1;
381	9.05k	actx->key.partial_len = 0;
382	9.05k	actx->len.aad = actx->len.text = 0;
383	9.05k	actx->mac_inited = 1;
384	9.05k	if (plen != NO_TLS_PAYLOAD_LENGTH) {
385	0	Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad,
386	0	EVP_AEAD_TLS1_AAD_LEN);
387	0	actx->len.aad = EVP_AEAD_TLS1_AAD_LEN;
388	0	actx->aad = 1;
389	0	}
390	9.05k	}
391
392	27.1k	if (in) { /* aad or text */
393	18.1k	if (out == NULL) { /* aad */
394	9.05k	Poly1305_Update(POLY1305_ctx(actx), in, len);
395	9.05k	actx->len.aad += len;
396	9.05k	actx->aad = 1;
397	9.05k	return len;
398	9.05k	} else { /* plain- or ciphertext */
399	9.05k	if (actx->aad) { /* wrap up aad */
400	9.05k	if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
401	9.05k	Poly1305_Update(POLY1305_ctx(actx), zero,
402	9.05k	POLY1305_BLOCK_SIZE - rem);
403	9.05k	actx->aad = 0;
404	9.05k	}
405
406	9.05k	actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
407	9.05k	if (plen == NO_TLS_PAYLOAD_LENGTH)
408	9.05k	plen = len;
409	0	else if (len != plen + POLY1305_BLOCK_SIZE)
410	0	return -1;
411
412	9.05k	if (ctx->encrypt) { /* plaintext */
413	1.28k	chacha_cipher(ctx, out, in, plen);
414	1.28k	Poly1305_Update(POLY1305_ctx(actx), out, plen);
415	1.28k	in += plen;
416	1.28k	out += plen;
417	1.28k	actx->len.text += plen;
418	7.77k	} else { /* ciphertext */
419	7.77k	Poly1305_Update(POLY1305_ctx(actx), in, plen);
420	7.77k	chacha_cipher(ctx, out, in, plen);
421	7.77k	in += plen;
422	7.77k	out += plen;
423	7.77k	actx->len.text += plen;
424	7.77k	}
425	9.05k	}
426	18.1k	}
427		if (in == NULL /* explicit final */
428	18.1k	\|\| plen != len) { /* or tls mode */
429	9.05k	const union {
430	9.05k	long one;
431	9.05k	char little;
432	9.05k	} is_endian = { 1 };
433	9.05k	unsigned char temp[POLY1305_BLOCK_SIZE];
434
435	9.05k	if (actx->aad) { /* wrap up aad */
436	0	if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
437	0	Poly1305_Update(POLY1305_ctx(actx), zero,
438	0	POLY1305_BLOCK_SIZE - rem);
439	0	actx->aad = 0;
440	0	}
441
442	9.05k	if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
443	8.39k	Poly1305_Update(POLY1305_ctx(actx), zero,
444	8.39k	POLY1305_BLOCK_SIZE - rem);
445
446	9.05k	if (is_endian.little) {
447	9.05k	Poly1305_Update(POLY1305_ctx(actx),
448	9.05k	(unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
449	9.05k	} else {
450	0	temp[0] = (unsigned char)(actx->len.aad);
451	0	temp[1] = (unsigned char)(actx->len.aad>>8);
452	0	temp[2] = (unsigned char)(actx->len.aad>>16);
453	0	temp[3] = (unsigned char)(actx->len.aad>>24);
454	0	temp[4] = (unsigned char)(actx->len.aad>>32);
455	0	temp[5] = (unsigned char)(actx->len.aad>>40);
456	0	temp[6] = (unsigned char)(actx->len.aad>>48);
457	0	temp[7] = (unsigned char)(actx->len.aad>>56);
458
459	0	temp[8] = (unsigned char)(actx->len.text);
460	0	temp[9] = (unsigned char)(actx->len.text>>8);
461	0	temp[10] = (unsigned char)(actx->len.text>>16);
462	0	temp[11] = (unsigned char)(actx->len.text>>24);
463	0	temp[12] = (unsigned char)(actx->len.text>>32);
464	0	temp[13] = (unsigned char)(actx->len.text>>40);
465	0	temp[14] = (unsigned char)(actx->len.text>>48);
466	0	temp[15] = (unsigned char)(actx->len.text>>56);
467
468	0	Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
469	0	}
470	9.05k	Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
471	9.05k	: temp);
472	9.05k	actx->mac_inited = 0;
473
474	9.05k	if (in != NULL && len != plen) { /* tls mode */
475	0	if (ctx->encrypt) {
476	0	memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
477	0	} else {
478	0	if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
479	0	memset(out - plen, 0, plen);
480	0	return -1;
481	0	}
482	0	}
483	0	}
484	9.05k	else if (!ctx->encrypt) {
485	7.77k	if (CRYPTO_memcmp(temp, actx->tag, actx->tag_len))
486	7.77k	return -1;
487	7.77k	}
488	9.05k	}
489	10.3k	return len;
490	18.1k	}
491
492		static int chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx)
493	947	{
494	947	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
495	947	if (actx)
496	947	OPENSSL_cleanse(ctx->cipher_data, sizeof(*actx) + Poly1305_ctx_size());
497	947	return 1;
498	947	}
499
500		static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
501		void *ptr)
502	20.8k	{
503	20.8k	EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
504
505	20.8k	switch(type) {
506	947	case EVP_CTRL_INIT:
507	947	if (actx == NULL)
508	947	actx = ctx->cipher_data
509	947	= OPENSSL_zalloc(sizeof(*actx) + Poly1305_ctx_size());
510	947	if (actx == NULL) {
511	0	EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_INITIALIZATION_ERROR);
512	0	return 0;
513	0	}
514	947	actx->len.aad = 0;
515	947	actx->len.text = 0;
516	947	actx->aad = 0;
517	947	actx->mac_inited = 0;
518	947	actx->tag_len = 0;
519	947	actx->nonce_len = 12;
520	947	actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
521	947	memset(actx->tls_aad, 0, POLY1305_BLOCK_SIZE);
522	947	return 1;
523
524	0	case EVP_CTRL_COPY:
525	0	if (actx) {
526	0	EVP_CIPHER_CTX dst = (EVP_CIPHER_CTX )ptr;
527
528	0	dst->cipher_data =
529	0	OPENSSL_memdup(actx, sizeof(*actx) + Poly1305_ctx_size());
530	0	if (dst->cipher_data == NULL) {
531	0	EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_COPY_ERROR);
532	0	return 0;
533	0	}
534	0	}
535	0	return 1;
536
537	9.85k	case EVP_CTRL_GET_IVLEN:
538	9.85k	(int )ptr = actx->nonce_len;
539	9.85k	return 1;
540
541	926	case EVP_CTRL_AEAD_SET_IVLEN:
542	926	if (arg <= 0 \|\| arg > CHACHA20_POLY1305_MAX_IVLEN)
543	0	return 0;
544	926	actx->nonce_len = arg;
545	926	return 1;
546
547	0	case EVP_CTRL_AEAD_SET_IV_FIXED:
548	0	if (arg != 12)
549	0	return 0;
550	0	actx->nonce[0] = actx->key.counter[1]
551	0	= CHACHA_U8TOU32((unsigned char *)ptr);
552	0	actx->nonce[1] = actx->key.counter[2]
553	0	= CHACHA_U8TOU32((unsigned char *)ptr+4);
554	0	actx->nonce[2] = actx->key.counter[3]
555	0	= CHACHA_U8TOU32((unsigned char *)ptr+8);
556	0	return 1;
557
558	7.77k	case EVP_CTRL_AEAD_SET_TAG:
559	7.77k	if (arg <= 0 \|\| arg > POLY1305_BLOCK_SIZE)
560	0	return 0;
561	7.77k	if (ptr != NULL) {
562	7.77k	memcpy(actx->tag, ptr, arg);
563	7.77k	actx->tag_len = arg;
564	7.77k	}
565	7.77k	return 1;
566
567	1.28k	case EVP_CTRL_AEAD_GET_TAG:
568	1.28k	if (arg <= 0 \|\| arg > POLY1305_BLOCK_SIZE \|\| !ctx->encrypt)
569	0	return 0;
570	1.28k	memcpy(ptr, actx->tag, arg);
571	1.28k	return 1;
572
573	18	case EVP_CTRL_AEAD_TLS1_AAD:
574	18	if (arg != EVP_AEAD_TLS1_AAD_LEN)
575	0	return 0;
576	18	{
577	18	unsigned int len;
578	18	unsigned char *aad = ptr;
579
580	18	memcpy(actx->tls_aad, ptr, EVP_AEAD_TLS1_AAD_LEN);
581	18	len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 \|
582	18	aad[EVP_AEAD_TLS1_AAD_LEN - 1];
583	18	aad = actx->tls_aad;
584	18	if (!ctx->encrypt) {
585	18	if (len < POLY1305_BLOCK_SIZE)
586	3	return 0;
587	15	len -= POLY1305_BLOCK_SIZE; /* discount attached tag */
588	15	aad[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8);
589	15	aad[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len;
590	15	}
591	15	actx->tls_payload_length = len;
592
593		/*
594		* merge record sequence number as per RFC7905
595		*/
596	15	actx->key.counter[1] = actx->nonce[0];
597	15	actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);
598	15	actx->key.counter[3] = actx->nonce[2] ^ CHACHA_U8TOU32(aad+4);
599	15	actx->mac_inited = 0;
600
601	15	return POLY1305_BLOCK_SIZE; /* tag length */
602	18	}
603
604	0	case EVP_CTRL_AEAD_SET_MAC_KEY:
605		/* no-op */
606	0	return 1;
607
608	0	default:
609	0	return -1;
610	20.8k	}
611	20.8k	}
612
613		static EVP_CIPHER chacha20_poly1305 = {
614		NID_chacha20_poly1305,
615		1, /* block_size */
616		CHACHA_KEY_SIZE, /* key_len */
617		12, /* iv_len, 96-bit nonce in the context */
618		EVP_CIPH_FLAG_AEAD_CIPHER \| EVP_CIPH_CUSTOM_IV \|
619		EVP_CIPH_ALWAYS_CALL_INIT \| EVP_CIPH_CTRL_INIT \|
620		EVP_CIPH_CUSTOM_COPY \| EVP_CIPH_FLAG_CUSTOM_CIPHER \|
621		EVP_CIPH_CUSTOM_IV_LENGTH,
622		chacha20_poly1305_init_key,
623		chacha20_poly1305_cipher,
624		chacha20_poly1305_cleanup,
625		0, /* 0 moves context-specific structure allocation to ctrl */
626		NULL, /* set_asn1_parameters */
627		NULL, /* get_asn1_parameters */
628		chacha20_poly1305_ctrl,
629		NULL /* app_data */
630		};
631
632		const EVP_CIPHER *EVP_chacha20_poly1305(void)
633	37	{
634	37	return(&chacha20_poly1305);
635	37	}
636		# endif
637		#endif