Commit 61925232 authored by Niels Möller's avatar Niels Möller

Implemented chacha-poly1305.

parent 13068371
2014-02-12 Niels Möller <nisse@lysator.liu.se>
* chacha-poly1305.h: New file.
* chacha-poly1305.c: New file.
* chacha-poly1305-meta.c (nettle_chacha_poly1305): New file, new
aead algorithm.
* nettle-meta.h (nettle_chacha_poly1305): Declare.
* Makefile.in (nettle_SOURCES): Added chacha-poly1305.c and
chacha-poly1305-meta.c.
(HEADERS): Added chacha-poly1305.h.
* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added
chacha-poly1305-test.c.
* testsuite/chacha-poly1305-test.c: New file.
* nettle-meta.h (struct nettle_aead): New generalized version
if this struct.
(nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256)
......
......@@ -88,6 +88,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
camellia256-meta.c \
cast128.c cast128-meta.c cbc.c \
chacha-crypt.c chacha-core-internal.c \
chacha-poly1305.c chacha-poly1305-meta.c \
chacha-set-key.c chacha-set-nonce.c \
chacha128-set-key.c chacha256-set-key.c \
ctr.c des.c des3.c des-compat.c eax.c \
......@@ -164,7 +165,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
HEADERS = aes.h arcfour.h arctwo.h asn1.h bignum.h blowfish.h \
base16.h base64.h buffer.h camellia.h cast128.h \
cbc.h chacha.h ctr.h \
cbc.h chacha.h chacha-poly1305.h ctr.h \
des.h des-compat.h dsa.h eax.h ecc-curve.h ecc.h ecdsa.h \
gcm.h gosthash94.h hmac.h \
knuth-lfib.h \
......
/* chacha-poly1305-meta.c */
/* nettle, low-level cryptographics library
*
* Copyright (C) 2014 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02111-1301, USA.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <assert.h>
#include "nettle-meta.h"
#include "chacha-poly1305.h"
const struct nettle_aead nettle_chacha_poly1305 =
{ "chacha_poly1305", sizeof(struct chacha_poly1305_ctx),
CHACHA_POLY1305_BLOCK_SIZE, CHACHA_POLY1305_KEY_SIZE,
CHACHA_POLY1305_NONCE_SIZE, CHACHA_POLY1305_DIGEST_SIZE,
(nettle_set_key_func *) chacha_poly1305_set_key,
(nettle_set_key_func *) chacha_poly1305_set_key,
(nettle_set_key_func *) chacha_poly1305_set_nonce,
(nettle_hash_update_func *) chacha_poly1305_update,
(nettle_crypt_func *) chacha_poly1305_encrypt,
(nettle_crypt_func *) chacha_poly1305_decrypt,
(nettle_hash_digest_func *) chacha_poly1305_digest,
};
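Review bot: The initializer for `nettle_chacha_poly1305` fills every function slot positionally and through a cast, so a reader cannot tell which slot is which and the compiler cannot flag a prototype that drifts from the generic type. `struct nettle_aead` is not visible on this page, so the mapping is inferred. Short per-slot comments would make it auditable, for example `/* set_encrypt_key */` and `/* set_decrypt_key */` on the two `chacha_poly1305_set_key` lines and `/* set_nonce */` on the third cast. Judging by the prototypes it is cast from, `nettle_set_key_func` carries no length, so callers going through the table presumably must supply exactly `CHACHA_POLY1305_NONCE_SIZE` bytes of nonce; that is worth stating next to the entry. `<assert.h>` appears to be unused in this file.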
/* chacha-poly1305.h
*
* AEAD mechanism based on chacha and poly1305.
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 2014 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02111-1301, USA.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <assert.h>
#include <string.h>
#include "chacha-poly1305.h"
#include "macros.h"
#define CHACHA_ROUNDS 20
void
chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx,
const uint8_t *key)
{
chacha256_set_key (&ctx->chacha, key);
}
void
chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx,
const uint8_t *nonce)
{
union {
uint32_t x[_CHACHA_STATE_LENGTH];
uint8_t subkey[32];
} u;
chacha_set_nonce (&ctx->chacha, nonce);
/* Generate authentication key */
_chacha_core (u.x, ctx->chacha.state, CHACHA_ROUNDS);
poly1305_set_key (&ctx->poly1305, u.subkey);
/* For final poly1305 processing */
memcpy (ctx->s.b, u.subkey + 16, 16);
/* Increment block count */
ctx->chacha.state[12] = 1;
ctx->auth_size = ctx->data_size = ctx->index = 0;
}
/* FIXME: Duplicated in poly1305-aes128.c */
#define COMPRESS(ctx, data) _poly1305_block(&(ctx)->poly1305, (data), 1)
static void
poly1305_update (struct chacha_poly1305_ctx *ctx,
size_t length, const uint8_t *data)
{
MD_UPDATE (ctx, length, data, COMPRESS, (void) 0);
}
void
chacha_poly1305_update (struct chacha_poly1305_ctx *ctx,
size_t length, const uint8_t *data)
{
assert (ctx->data_size == 0);
poly1305_update (ctx, length, data);
ctx->auth_size += length;
}
void
chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx,
size_t length, uint8_t *dst, const uint8_t *src)
{
if (!length)
return;
assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0);
if (!ctx->data_size)
{
uint8_t buf[8];
LE_WRITE_UINT64 (buf, ctx->auth_size);
poly1305_update (ctx, sizeof(buf), buf);
}
chacha_crypt (&ctx->chacha, length, dst, src);
poly1305_update (ctx, length, dst);
ctx->data_size += length;
}
void
chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx,
size_t length, uint8_t *dst, const uint8_t *src)
{
if (!length)
return;
assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0);
if (!ctx->data_size)
{
uint8_t buf[8];
LE_WRITE_UINT64 (buf, ctx->auth_size);
poly1305_update (ctx, sizeof(buf), buf);
}
poly1305_update (ctx, length, src);
chacha_crypt (&ctx->chacha, length, dst, src);
ctx->data_size += length;
}
void
chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx,
size_t length, uint8_t *digest)
{
uint8_t buf[8];
if (!ctx->data_size)
{
LE_WRITE_UINT64 (buf, ctx->auth_size);
poly1305_update (ctx, sizeof(buf), buf);
}
LE_WRITE_UINT64 (buf, ctx->data_size);
poly1305_update (ctx, sizeof(buf), buf);
/* Final bytes. FIXME: Duplicated in poly1305_aes128.c */
if (ctx->index > 0)
{
assert (ctx->index < POLY1305_BLOCK_SIZE);
ctx->block[ctx->index] = 1;
memset (ctx->block + ctx->index + 1,
0, POLY1305_BLOCK_SIZE - 1 - ctx->index);
_poly1305_block (&ctx->poly1305, ctx->block, 0);
}
poly1305_digest (&ctx->poly1305, &ctx->s);
memcpy (digest, &ctx->s.b, length);
}
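Review bot: `chacha_poly1305_digest` copies `length` bytes out of the 16-byte `ctx->s` with no bound, so a caller passing more than `CHACHA_POLY1305_DIGEST_SIZE` reads past the tag into the following context fields and beyond. I would add `assert (length <= CHACHA_POLY1305_DIGEST_SIZE);` at the top of the function and document that a shorter `length` yields a truncated, weaker tag. The ordering and block-alignment rules in `chacha_poly1305_update`, `chacha_poly1305_encrypt` and `chacha_poly1305_decrypt` are likewise enforced only by `assert`, so a build with `NDEBUG` would accept misuse silently and authenticate a different byte layout; a comment marking them as caller contracts would help. In `chacha_poly1305_set_nonce` the union `u` still holds the one-time Poly1305 key when the function returns; consider clearing it with a wipe the compiler cannot elide.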
/* chacha-poly1305.h
*
* AEAD mechanism based on chacha and poly1305.
* See draft-agl-tls-chacha20poly1305-04.
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 2014 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02111-1301, USA.
*/
#ifndef NETTLE_CHACHA_POLY1305_H_INCLUDED
#define NETTLE_CHACHA_POLY1305_H_INCLUDED
#include "chacha.h"
#include "poly1305.h"
#ifdef __cplusplus
extern "C" {
#endif
/* Name mangling */
#define chacha_poly1305_set_key nettle_chacha_poly1305_set_key
#define chacha_poly1305_set_nonce nettle_chacha_poly1305_set_nonce
#define chacha_poly1305_update nettle_chacha_poly1305_update
#define chacha_poly1305_decrypt nettle_chacha_poly1305_decrypt
#define chacha_poly1305_encrypt nettle_chacha_poly1305_encrypt
#define chacha_poly1305_digest nettle_chacha_poly1305_digest
#define CHACHA_POLY1305_BLOCK_SIZE 64
/* FIXME: Any need for 128-bit variant? */
#define CHACHA_POLY1305_KEY_SIZE 32
#define CHACHA_POLY1305_NONCE_SIZE CHACHA_NONCE_SIZE
#define CHACHA_POLY1305_DIGEST_SIZE 16
struct chacha_poly1305_ctx
{
struct chacha_ctx chacha;
struct poly1305_ctx poly1305;
union nettle_block16 s;
uint64_t auth_size;
uint64_t data_size;
/* poly1305 block */
uint8_t block[POLY1305_BLOCK_SIZE];
unsigned index;
};
void
chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx,
const uint8_t *key);
void
chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx,
const uint8_t *nonce);
void
chacha_poly1305_update (struct chacha_poly1305_ctx *ctx,
size_t length, const uint8_t *data);
void
chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx,
size_t length, uint8_t *dst, const uint8_t *src);
void
chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx,
size_t length, uint8_t *dst, const uint8_t *src);
void
chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx,
size_t length, uint8_t *digest);
#ifdef __cplusplus
}
#endif
#endif /* NETTLE_CHACHA_POLY1305_H_INCLUDED */
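Review bot: The header declares the API without stating the calling contract the implementation relies on, and for an AEAD that contract is the security boundary. I would add a comment block above the prototypes saying that `chacha_poly1305_set_nonce` must be called for every message with a nonce never repeated under the same key, that all associated data goes through `chacha_poly1305_update` before the first encrypt or decrypt call, and that every encrypt or decrypt call except the last takes a multiple of `CHACHA_POLY1305_BLOCK_SIZE` bytes. On `chacha_poly1305_decrypt`, a line such as `/* Output is unauthenticated until the caller has compared the digest, in constant time, with the received tag. */` would make the verify-before-use obligation explicit. The `block`, `index`, `auth_size` and `data_size` members could also be marked as internal state.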
......@@ -150,6 +150,7 @@ struct nettle_aead
extern const struct nettle_aead nettle_gcm_aes128;
extern const struct nettle_aead nettle_gcm_aes192;
extern const struct nettle_aead nettle_gcm_aes256;
extern const struct nettle_aead nettle_chacha_poly1305;
struct nettle_armor
{
......
......@@ -112,6 +112,9 @@ eax-test$(EXEEXT): eax-test.$(OBJEXT)
poly1305-test$(EXEEXT): poly1305-test.$(OBJEXT)
$(LINK) poly1305-test.$(OBJEXT) $(TEST_OBJS) -o poly1305-test$(EXEEXT)
chacha-poly1305-test$(EXEEXT): chacha-poly1305-test.$(OBJEXT)
$(LINK) chacha-poly1305-test.$(OBJEXT) $(TEST_OBJS) -o chacha-poly1305-test$(EXEEXT)
hmac-test$(EXEEXT): hmac-test.$(OBJEXT)
$(LINK) hmac-test.$(OBJEXT) $(TEST_OBJS) -o hmac-test$(EXEEXT)
......
......@@ -26,7 +26,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \
serpent-test.c twofish-test.c \
knuth-lfib-test.c \
cbc-test.c ctr-test.c gcm-test.c eax-test.c \
poly1305-test.c \
poly1305-test.c chacha-poly1305-test.c \
hmac-test.c umac-test.c \
meta-hash-test.c meta-cipher-test.c meta-armor-test.c \
buffer-test.c yarrow-test.c pbkdf2-test.c
......
#include "testutils.h"
#include "nettle-internal.h"
void
test_main(void)
{
/* From draft-agl-tls-chacha20poly1305-04 */
test_aead (&nettle_chacha_poly1305, NULL,
SHEX("4290bcb154173531f314af57f3be3b50"
"06da371ece272afa1b5dbdd1100a1007"), /* key */
SHEX("87e229d4500845a079c0"), /* auth data */
SHEX("86d09974840bded2a5ca"), /* plain text */
SHEX("e3e446f7ede9a19b62a4"), /* ciphertext */
SHEX("cd7cf67be39c794a"), /* nonce */
SHEX("677dabf4e3d24b876bb284753896e1d6")); /* tag */
}
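Review bot: `test_main` exercises a single 10-byte known-answer vector, which never reaches the paths most likely to break: messages longer than one 64-byte ChaCha block, data split across several encrypt calls, empty associated data, and empty plaintext (where `chacha_poly1305_digest` has to emit the associated-data length itself). `test_aead` is not shown on this page, so it is unclear whether it also checks decryption or rejects a modified tag or ciphertext; if it does not, a negative case belongs in this file. Additional vectors should come from the cited draft or an independent implementation rather than from this code's own output.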