chacha20_poly1305.c
Go to the documentation of this file.
1 /**
2  * @file chacha20_poly1305.c
3  * @brief ChaCha20Poly1305 AEAD
4  *
5  * @section License
6  *
7  * Copyright (C) 2010-2018 Oryx Embedded SARL. All rights reserved.
8  *
9  * This file is part of CycloneCrypto Open.
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with this program; if not, write to the Free Software Foundation,
23  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
24  *
25  * @author Oryx Embedded SARL (www.oryx-embedded.com)
26  * @version 1.9.0
27  **/
28 
29 //Switch to the appropriate trace level
30 #define TRACE_LEVEL CRYPTO_TRACE_LEVEL
31 
32 //Dependencies
33 #include "core/crypto.h"
34 #include "cipher/chacha.h"
35 #include "mac/poly1305.h"
36 #include "aead/chacha20_poly1305.h"
37 #include "debug.h"
38 
39 //Check crypto library configuration
40 #if (CHACHA20_POLY1305_SUPPORT == ENABLED)
41 
42 
43 /**
44  * @brief Authenticated encryption using ChaCha20Poly1305
45  * @param[in] k key
46  * @param[in] kLen Length of the key
47  * @param[in] n Nonce
48  * @param[in] nLen Length of the nonce
49  * @param[in] a Additional authenticated data
50  * @param[in] aLen Length of the additional data
51  * @param[in] p Plaintext to be encrypted
52  * @param[out] c Ciphertext resulting from the encryption
53  * @param[in] length Total number of data bytes to be encrypted
54  * @param[out] t MAC resulting from the encryption process
55  * @param[in] tLen Length of the MAC
56  * @return Error code
57  **/
58 
59 error_t chacha20Poly1305Encrypt(const uint8_t *k, size_t kLen,
60  const uint8_t *n, size_t nLen, const uint8_t *a, size_t aLen,
61  const uint8_t *p, uint8_t *c, size_t length, uint8_t *t, size_t tLen)
62 {
63  error_t error;
64  size_t paddingLen;
65  ChachaContext chachaContext;
66  Poly1305Context poly1305Context;
67  uint8_t temp[32];
68 
69  //Check the length of the message-authentication code
70  if(tLen != 16)
71  return ERROR_INVALID_LENGTH;
72 
73  //Initialize ChaCha20 context
74  error = chachaInit(&chachaContext, 20, k, kLen, n, nLen);
75  //Any error to report?
76  if(error)
77  return error;
78 
79  //First, a Poly1305 one-time key is generated from the 256-bit key
80  //and nonce
81  chachaCipher(&chachaContext, NULL, temp, 32);
82 
83  //The other 256 bits of the Chacha20 block are discarded
84  chachaCipher(&chachaContext, NULL, NULL, 32);
85 
86  //Next, the ChaCha20 encryption function is called to encrypt the
87  //plaintext, using the same key and nonce
88  chachaCipher(&chachaContext, p, c, length);
89 
90  //Initialize the Poly1305 function with the key calculated above
91  poly1305Init(&poly1305Context, temp);
92 
93  //Compute MAC over the AAD
94  poly1305Update(&poly1305Context, a, aLen);
95 
96  //If the length of the AAD is not an integral multiple of 16 bytes,
97  //then padding is required
98  if((aLen % 16) != 0)
99  {
100  //Compute the number of padding bytes
101  paddingLen = 16 - (aLen % 16);
102 
103  //The padding is up to 15 zero bytes, and it brings the total
104  //length so far to an integral multiple of 16
105  cryptoMemset(temp, 0, paddingLen);
106 
107  //Compute MAC over the padding
108  poly1305Update(&poly1305Context, temp, paddingLen);
109  }
110 
111  //Compute MAC over the ciphertext
112  poly1305Update(&poly1305Context, c, length);
113 
114  //If the length of the ciphertext is not an integral multiple of 16 bytes,
115  //then padding is required
116  if((length % 16) != 0)
117  {
118  //Compute the number of padding bytes
119  paddingLen = 16 - (length % 16);
120 
121  //The padding is up to 15 zero bytes, and it brings the total
122  //length so far to an integral multiple of 16
123  cryptoMemset(temp, 0, paddingLen);
124 
125  //Compute MAC over the padding
126  poly1305Update(&poly1305Context, temp, paddingLen);
127  }
128 
129  //Encode the length of the AAD as a 64-bit little-endian integer
130  STORE64LE(aLen, temp);
131  //Compute MAC over the length field
132  poly1305Update(&poly1305Context, temp, sizeof(uint64_t));
133 
134  //Encode the length of the ciphertext as a 64-bit little-endian integer
135  STORE64LE(length, temp);
136  //Compute MAC over the length field
137  poly1305Update(&poly1305Context, temp, sizeof(uint64_t));
138 
139  //Compute message-authentication code
140  poly1305Final(&poly1305Context, t);
141 
142  //Successful encryption
143  return NO_ERROR;
144 }
145 
146 
147 /**
148  * @brief Authenticated decryption using ChaCha20Poly1305
149  * @param[in] k key
150  * @param[in] kLen Length of the key
151  * @param[in] n Nonce
152  * @param[in] nLen Length of the nonce
153  * @param[in] a Additional authenticated data
154  * @param[in] aLen Length of the additional data
155  * @param[in] c Ciphertext to be decrypted
156  * @param[out] p Plaintext resulting from the decryption
157  * @param[in] length Total number of data bytes to be decrypted
158  * @param[in] t MAC to be verified
159  * @param[in] tLen Length of the MAC
160  * @return Error code
161  **/
162 
163 error_t chacha20Poly1305Decrypt(const uint8_t *k, size_t kLen,
164  const uint8_t *n, size_t nLen, const uint8_t *a, size_t aLen,
165  const uint8_t *c, uint8_t *p, size_t length, const uint8_t *t, size_t tLen)
166 {
167  error_t error;
168  size_t paddingLen;
169  ChachaContext chachaContext;
170  Poly1305Context poly1305Context;
171  uint8_t temp[32];
172 
173  //Check the length of the message-authentication code
174  if(tLen != 16)
175  return ERROR_INVALID_LENGTH;
176 
177  //Initialize ChaCha20 context
178  error = chachaInit(&chachaContext, 20, k, kLen, n, nLen);
179  //Any error to report?
180  if(error)
181  return error;
182 
183  //First, a Poly1305 one-time key is generated from the 256-bit key
184  //and nonce
185  chachaCipher(&chachaContext, NULL, temp, 32);
186 
187  //The other 256 bits of the Chacha20 block are discarded
188  chachaCipher(&chachaContext, NULL, NULL, 32);
189 
190  //Initialize the Poly1305 function with the key calculated above
191  poly1305Init(&poly1305Context, temp);
192 
193  //Compute MAC over the AAD
194  poly1305Update(&poly1305Context, a, aLen);
195 
196  //If the length of the AAD is not an integral multiple of 16 bytes,
197  //then padding is required
198  if((aLen % 16) != 0)
199  {
200  //Compute the number of padding bytes
201  paddingLen = 16 - (aLen % 16);
202 
203  //The padding is up to 15 zero bytes, and it brings the total
204  //length so far to an integral multiple of 16
205  cryptoMemset(temp, 0, paddingLen);
206 
207  //Compute MAC over the padding
208  poly1305Update(&poly1305Context, temp, paddingLen);
209  }
210 
211  //Compute MAC over the ciphertext
212  poly1305Update(&poly1305Context, c, length);
213 
214  //If the length of the ciphertext is not an integral multiple of 16 bytes,
215  //then padding is required
216  if((length % 16) != 0)
217  {
218  //Compute the number of padding bytes
219  paddingLen = 16 - (length % 16);
220 
221  //The padding is up to 15 zero bytes, and it brings the total
222  //length so far to an integral multiple of 16
223  cryptoMemset(temp, 0, paddingLen);
224 
225  //Compute MAC over the padding
226  poly1305Update(&poly1305Context, temp, paddingLen);
227  }
228 
229  //Encode the length of the AAD as a 64-bit little-endian integer
230  STORE64LE(aLen, temp);
231  //Compute MAC over the length field
232  poly1305Update(&poly1305Context, temp, sizeof(uint64_t));
233 
234  //Encode the length of the ciphertext as a 64-bit little-endian integer
235  STORE64LE(length, temp);
236  //Compute MAC over the length field
237  poly1305Update(&poly1305Context, temp, sizeof(uint64_t));
238 
239  //Compute message-authentication code
240  poly1305Final(&poly1305Context, temp);
241 
242  //Finally, we decrypt the ciphertext
243  chachaCipher(&chachaContext, c, p, length);
244 
245  //The calculated tag is bitwise compared to the received tag. The
246  //message is authenticated if and only if the tags match
247  if(cryptoMemcmp(temp, t, tLen))
248  return ERROR_FAILURE;
249 
250  //Successful encryption
251  return NO_ERROR;
252 }
253 
254 #endif
#define STORE64LE(a, p)
Definition: cpu_endian.h:293
error_t chachaInit(ChachaContext *context, uint_t nr, const uint8_t *key, size_t keyLen, const uint8_t *nonce, size_t nonceLen)
Initialize ChaCha context using the supplied key and nonce.
Definition: chacha.c:68
uint8_t c
Definition: ndp.h:510
Debugging facilities.
void poly1305Update(Poly1305Context *context, const void *data, size_t length)
Update Poly1305 message-authentication code computation.
Definition: poly1305.c:87
uint8_t p
Definition: ndp.h:295
Generic error code.
Definition: error.h:43
General definitions for cryptographic algorithms.
void poly1305Init(Poly1305Context *context, const uint8_t *key)
Initialize Poly1305 message-authentication code computation.
Definition: poly1305.c:47
Poly1305 context.
Definition: poly1305.h:45
error_t chacha20Poly1305Encrypt(const uint8_t *k, size_t kLen, const uint8_t *n, size_t nLen, const uint8_t *a, size_t aLen, const uint8_t *p, uint8_t *c, size_t length, uint8_t *t, size_t tLen)
Authenticated encryption using ChaCha20Poly1305.
uint8_t a
Definition: ndp.h:407
ChaCha20Poly1305 AEAD.
void chachaCipher(ChachaContext *context, const uint8_t *input, uint8_t *output, size_t length)
Encrypt/decrypt data with the ChaCha algorithm.
Definition: chacha.c:177
Success.
Definition: error.h:42
error_t
Error codes.
Definition: error.h:40
Poly1305 message-authentication code.
error_t chacha20Poly1305Decrypt(const uint8_t *k, size_t kLen, const uint8_t *n, size_t nLen, const uint8_t *a, size_t aLen, const uint8_t *c, uint8_t *p, size_t length, const uint8_t *t, size_t tLen)
Authenticated decryption using ChaCha20Poly1305.
ChaCha algorithm context.
Definition: chacha.h:45
#define cryptoMemcmp(p1, p2, length)
Definition: crypto.h:602
#define cryptoMemset(p, value, length)
Definition: crypto.h:584
uint8_t length
Definition: dtls_misc.h:140
uint8_t n
ChaCha encryption algorithm.
void poly1305Final(Poly1305Context *context, uint8_t *tag)
Finalize Poly1305 message-authentication code computation.
Definition: poly1305.c:125