From 61925232a2b1fdca34fc179a626afa7931973437 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niels=20M=C3=B6ller?= Date: Wed, 12 Feb 2014 22:19:47 +0100 Subject: Implemented chacha-poly1305.
---
 ChangeLog | 14 ++++ Makefile.in | 3 +- chacha-poly1305-meta.c | 44 ++++++++++++ chacha-poly1305.c | 152 +++++++++++++++++++++++++++++++++++++++ chacha-poly1305.h | 90 +++++++++++++++++++++++ nettle-meta.h | 1 + testsuite/.test-rules.make | 3 + testsuite/Makefile.in | 2 +- testsuite/chacha-poly1305-test.c | 16 +++++ 9 files changed, 323 insertions(+), 2 deletions(-) create mode 100644 chacha-poly1305-meta.c create mode 100644 chacha-poly1305.c create mode 100644 chacha-poly1305.h create mode 100644 testsuite/chacha-poly1305-test.c
diff --git a/ChangeLog b/ChangeLog
index 22a26b2e..0c454a7e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,19 @@ 2014-02-12 Niels Möller + * chacha-poly1305.h: New file. + * chacha-poly1305.c: New file. + * chacha-poly1305-meta.c (nettle_chacha_poly1305): New file, new + aead algorithm. + * nettle-meta.h (nettle_chacha_poly1305): Declare. + + * Makefile.in (nettle_SOURCES): Added chacha-poly1305.c and + chacha-poly1305-meta.c. + (HEADERS): Added chacha-poly1305.h. + + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added + chacha-poly1305-test.c. + * testsuite/chacha-poly1305-test.c: New file. + * nettle-meta.h (struct nettle_aead): New generalized version if this struct. (nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256)
diff --git a/Makefile.in b/Makefile.in
index f5319c1b..dbb07aa6 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -88,6 +88,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
 camellia256-meta.c \
 cast128.c cast128-meta.c cbc.c \
 chacha-crypt.c chacha-core-internal.c \
+ chacha-poly1305.c chacha-poly1305-meta.c \
 chacha-set-key.c chacha-set-nonce.c \
 chacha128-set-key.c chacha256-set-key.c \
 ctr.c des.c des3.c des-compat.c eax.c \
@@ -164,7 +165,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 HEADERS = aes.h arcfour.h arctwo.h asn1.h bignum.h blowfish.h \
 base16.h base64.h buffer.h camellia.h cast128.h \
- cbc.h chacha.h ctr.h \
+ cbc.h chacha.h chacha-poly1305.h ctr.h \
 des.h des-compat.h dsa.h eax.h ecc-curve.h ecc.h ecdsa.h \
 gcm.h gosthash94.h hmac.h \
 knuth-lfib.h \
diff --git a/chacha-poly1305-meta.c b/chacha-poly1305-meta.c new file mode 100644
index 00000000..8b46d5b9
--- /dev/null
+++ b/chacha-poly1305-meta.c
@@ -0,0 +1,44 @@
+/* chacha-poly1305-meta.c */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2014 Niels Möller
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB. If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02111-1301, USA.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+
+#include "nettle-meta.h"
+
+#include "chacha-poly1305.h"
+
+const struct nettle_aead nettle_chacha_poly1305 =
+ { "chacha_poly1305", sizeof(struct chacha_poly1305_ctx),
+ CHACHA_POLY1305_BLOCK_SIZE, CHACHA_POLY1305_KEY_SIZE,
+ CHACHA_POLY1305_NONCE_SIZE, CHACHA_POLY1305_DIGEST_SIZE,
+ (nettle_set_key_func *) chacha_poly1305_set_key,
+ (nettle_set_key_func *) chacha_poly1305_set_key,
+ (nettle_set_key_func *) chacha_poly1305_set_nonce,
+ (nettle_hash_update_func *) chacha_poly1305_update,
+ (nettle_crypt_func *) chacha_poly1305_encrypt,
+ (nettle_crypt_func *) chacha_poly1305_decrypt,
+ (nettle_hash_digest_func *) chacha_poly1305_digest,
+ };
diff --git a/chacha-poly1305.c b/chacha-poly1305.c new file mode 100644
index 00000000..a5d683fa
--- /dev/null
+++ b/chacha-poly1305.c
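Review bot: The initializer for `nettle_chacha_poly1305` fills `struct nettle_aead` purely by position and casts every function pointer, so a swapped or mis-typed slot (for example `chacha_poly1305_set_nonce` behind a `nettle_set_key_func *` cast) would compile without any diagnostic. The struct definition is not part of this hunk, so the slot order cannot be confirmed from here. A short trailing comment on each entry naming the slot it fills, such as `/* encryption key setup */`, `/* decryption key setup */` and `/* nonce setup */`, would make the table reviewable, and the two identical `chacha_poly1305_set_key` entries deserve a note that the same key setup is presumably intended for both directions.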
@@ -0,0 +1,152 @@
+/* chacha-poly1305.h
+ *
+ * AEAD mechanism based on chacha and poly1305.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2014 Niels Möller
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB. If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02111-1301, USA.
+ */
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+
+#include "chacha-poly1305.h"
+
+#include "macros.h"
+
+#define CHACHA_ROUNDS 20
+
+void
+chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx,
+ const uint8_t *key)
+{
+ chacha256_set_key (&ctx->chacha, key);
+}
+
+void
+chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx,
+ const uint8_t *nonce)
+{
+ union {
+ uint32_t x[_CHACHA_STATE_LENGTH];
+ uint8_t subkey[32];
+ } u;
+
+ chacha_set_nonce (&ctx->chacha, nonce);
+ /* Generate authentication key */
+ _chacha_core (u.x, ctx->chacha.state, CHACHA_ROUNDS);
+ poly1305_set_key (&ctx->poly1305, u.subkey);
+ /* For final poly1305 processing */
+ memcpy (ctx->s.b, u.subkey + 16, 16);
+ /* Increment block count */
+ ctx->chacha.state[12] = 1;
+
+ ctx->auth_size = ctx->data_size = ctx->index = 0;
+}
+
+/* FIXME: Duplicated in poly1305-aes128.c */
+#define COMPRESS(ctx, data) _poly1305_block(&(ctx)->poly1305, (data), 1)
+
+static void
+poly1305_update (struct chacha_poly1305_ctx *ctx,
+ size_t length, const uint8_t *data)
+{
+ MD_UPDATE (ctx, length, data, COMPRESS, (void) 0);
+}
+
+void
+chacha_poly1305_update (struct chacha_poly1305_ctx *ctx,
+ size_t length, const uint8_t *data)
+{
+ assert (ctx->data_size == 0);
+ poly1305_update (ctx, length, data);
+ ctx->auth_size += length;
+}
+
+
+void
+chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx,
+ size_t length, uint8_t *dst, const uint8_t *src)
+{
+ if (!length)
+ return;
+
+ assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0);
+ if (!ctx->data_size)
+ {
+ uint8_t buf[8];
+ LE_WRITE_UINT64 (buf, ctx->auth_size);
+ poly1305_update (ctx, sizeof(buf), buf);
+ }
+ chacha_crypt (&ctx->chacha, length, dst, src);
+ poly1305_update (ctx, length, dst);
+ ctx->data_size += length;
+}
+
+void
+chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx,
+ size_t length, uint8_t *dst, const uint8_t *src)
+{
+ if (!length)
+ return;
+
+ assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0);
+ if (!ctx->data_size)
+ {
+ uint8_t buf[8];
+ LE_WRITE_UINT64 (buf, ctx->auth_size);
+ poly1305_update (ctx, sizeof(buf), buf);
+ }
+ poly1305_update (ctx, length, src);
+ chacha_crypt (&ctx->chacha, length, dst, src);
+ ctx->data_size += length;
+}
+
+void
+chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx,
+ size_t length, uint8_t *digest)
+{
+ uint8_t buf[8];
+ if (!ctx->data_size)
+ {
+ LE_WRITE_UINT64 (buf, ctx->auth_size);
+ poly1305_update (ctx, sizeof(buf), buf);
+ }
+ LE_WRITE_UINT64 (buf, ctx->data_size);
+ poly1305_update (ctx, sizeof(buf), buf);
+
+ /* Final bytes. FIXME: Duplicated in poly1305_aes128.c */
+ if (ctx->index > 0)
+ {
+ assert (ctx->index < POLY1305_BLOCK_SIZE);
+
+ ctx->block[ctx->index] = 1;
+ memset (ctx->block + ctx->index + 1,
+ 0, POLY1305_BLOCK_SIZE - 1 - ctx->index);
+
+ _poly1305_block (&ctx->poly1305, ctx->block, 0);
+ }
+
+ poly1305_digest (&ctx->poly1305, &ctx->s);
+ memcpy (digest, &ctx->s.b, length);
+}
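Review bot: `chacha_poly1305_digest` ends with `memcpy (digest, &ctx->s.b, length);` and never bounds `length`, so a caller asking for more than CHACHA_POLY1305_DIGEST_SIZE bytes reads past the 16-byte block into the neighbouring context fields (`auth_size`, `data_size` and `block`, per the struct in chacha-poly1305.h) and copies them into the output. Adding `assert (length <= CHACHA_POLY1305_DIGEST_SIZE);` at the top of the function would match the asserts the file already uses for call-order checks. Separately, in `chacha_poly1305_set_nonce` the union `u` holds the one-time Poly1305 key and the tag mask and is left on the stack on return; clearing it before returning would be cheap hardening if the project has a wipe helper (none is visible in this patch). The comment at the top of the file also names `chacha-poly1305.h` where it should say `chacha-poly1305.c`.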
diff --git a/chacha-poly1305.h b/chacha-poly1305.h new file mode 100644
index 00000000..ffdfd497
--- /dev/null
+++ b/chacha-poly1305.h
@@ -0,0 +1,90 @@
+/* chacha-poly1305.h
+ *
+ * AEAD mechanism based on chacha and poly1305.
+ * See draft-agl-tls-chacha20poly1305-04.
+ */
+
+/* nettle, low-level cryptographics library
+ *
+ * Copyright (C) 2014 Niels Möller
+ *
+ * The nettle library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or (at your
+ * option) any later version.
+ *
+ * The nettle library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with the nettle library; see the file COPYING.LIB. If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02111-1301, USA.
+ */
+
+#ifndef NETTLE_CHACHA_POLY1305_H_INCLUDED
+#define NETTLE_CHACHA_POLY1305_H_INCLUDED
+
+#include "chacha.h"
+#include "poly1305.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define chacha_poly1305_set_key nettle_chacha_poly1305_set_key
+#define chacha_poly1305_set_nonce nettle_chacha_poly1305_set_nonce
+#define chacha_poly1305_update nettle_chacha_poly1305_update
+#define chacha_poly1305_decrypt nettle_chacha_poly1305_decrypt
+#define chacha_poly1305_encrypt nettle_chacha_poly1305_encrypt
+#define chacha_poly1305_digest nettle_chacha_poly1305_digest
+
+#define CHACHA_POLY1305_BLOCK_SIZE 64
+/* FIXME: Any need for 128-bit variant? */
+#define CHACHA_POLY1305_KEY_SIZE 32
+#define CHACHA_POLY1305_NONCE_SIZE CHACHA_NONCE_SIZE
+#define CHACHA_POLY1305_DIGEST_SIZE 16
+
+struct chacha_poly1305_ctx
+{
+ struct chacha_ctx chacha;
+ struct poly1305_ctx poly1305;
+ union nettle_block16 s;
+ uint64_t auth_size;
+ uint64_t data_size;
+ /* poly1305 block */
+ uint8_t block[POLY1305_BLOCK_SIZE];
+ unsigned index;
+};
+
+void
+chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx,
+ const uint8_t *key);
+void
+chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx,
+ const uint8_t *nonce);
+
+void
+chacha_poly1305_update (struct chacha_poly1305_ctx *ctx,
+ size_t length, const uint8_t *data);
+
+void
+chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx,
+ size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx,
+ size_t length, uint8_t *dst, const uint8_t *src);
+
+void
+chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx,
+ size_t length, uint8_t *digest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_CHACHA_POLY1305_H_INCLUDED */
diff --git a/nettle-meta.h b/nettle-meta.h
index 67e75172..f167b54e 100644
--- a/nettle-meta.h
+++ b/nettle-meta.h
@@ -150,6 +150,7 @@ struct nettle_aead
 extern const struct nettle_aead nettle_gcm_aes128;
 extern const struct nettle_aead nettle_gcm_aes192;
 extern const struct nettle_aead nettle_gcm_aes256;
+extern const struct nettle_aead nettle_chacha_poly1305;
 struct nettle_armor
 {
diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make
index ccd8e5a9..43079ecb 100644
--- a/testsuite/.test-rules.make
+++ b/testsuite/.test-rules.make
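Review bot: The prototypes in chacha-poly1305.h carry no usage contract, yet the implementation in this patch depends on one. `chacha_poly1305_update` must come before any encrypt or decrypt call, and every encrypt or decrypt call except the last must be a multiple of CHACHA_POLY1305_BLOCK_SIZE; both rules are enforced only by `assert`, so not at all under NDEBUG. `chacha_poly1305_set_nonce` must also be given a nonce that is never reused under the same key. `chacha_poly1305_decrypt` writes plaintext to `dst` before any tag has been checked, so the caller has to compare the `chacha_poly1305_digest` output with the received tag in constant time and discard `dst` on mismatch. A block comment above the declarations should state these points, for example `/* Decrypts without authenticating; the output must not be used until the tag from chacha_poly1305_digest has been verified. */` above `chacha_poly1305_decrypt`.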
@@ -112,6 +112,9 @@ eax-test$(EXEEXT): eax-test.$(OBJEXT) poly1305-test$(EXEEXT): poly1305-test.$(OBJEXT) $(LINK) poly1305-test.$(OBJEXT) $(TEST_OBJS) -o poly1305-test$(EXEEXT) +chacha-poly1305-test$(EXEEXT): chacha-poly1305-test.$(OBJEXT) + $(LINK) chacha-poly1305-test.$(OBJEXT) $(TEST_OBJS) -o chacha-poly1305-test$(EXEEXT) + hmac-test$(EXEEXT): hmac-test.$(OBJEXT) $(LINK) hmac-test.$(OBJEXT) $(TEST_OBJS) -o hmac-test$(EXEEXT)
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in
index 8860ba5c..d59a2cba 100644
--- a/testsuite/Makefile.in
+++ b/testsuite/Makefile.in
@@ -26,7 +26,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \
 serpent-test.c twofish-test.c \
 knuth-lfib-test.c \
 cbc-test.c ctr-test.c gcm-test.c eax-test.c \
- poly1305-test.c \
+ poly1305-test.c chacha-poly1305-test.c \
 hmac-test.c umac-test.c \
 meta-hash-test.c meta-cipher-test.c meta-armor-test.c \
 buffer-test.c yarrow-test.c pbkdf2-test.c
diff --git a/testsuite/chacha-poly1305-test.c b/testsuite/chacha-poly1305-test.c new file mode 100644
index 00000000..2f320f32
--- /dev/null
+++ b/testsuite/chacha-poly1305-test.c
@@ -0,0 +1,16 @@
+#include "testutils.h"
+#include "nettle-internal.h"
+
+void
+test_main(void)
+{
+ /* From draft-agl-tls-chacha20poly1305-04 */
+ test_aead (&nettle_chacha_poly1305, NULL,
+ SHEX("4290bcb154173531f314af57f3be3b50"
+ "06da371ece272afa1b5dbdd1100a1007"), /* key */
+ SHEX("87e229d4500845a079c0"), /* auth data */
+ SHEX("86d09974840bded2a5ca"), /* plain text */
+ SHEX("e3e446f7ede9a19b62a4"), /* ciphertext */
+ SHEX("cd7cf67be39c794a"), /* nonce */
+ SHEX("677dabf4e3d24b876bb284753896e1d6")); /* tag */
+}
-- cgit v1.2.1
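Review bot: The single vector passed to `test_aead` in testsuite/chacha-poly1305-test.c has 10 bytes of associated data and 10 bytes of plaintext, so nothing exercises a message longer than one CHACHA_POLY1305_BLOCK_SIZE block or the branch in `chacha_poly1305_digest` that runs when `data_size` is still zero. Whether `test_aead` splits input across several encrypt calls or checks that a corrupted tag is rejected is not visible in this hunk. At least one multi-block vector and one with empty plaintext would cover the length-field and buffering branches this commit adds in chacha-poly1305.c.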