From 602b1900c6f4e09bf85f309f31985f836c77646a Mon Sep 17 00:00:00 2001 From: Tony Arcieri Date: Mon, 19 Aug 2019 09:17:50 -0700 Subject: [PATCH] [WIP] ChaCha20Poly1305 AEAD Implements the ChaCha20Poly1305 AEAD described in RFC 8439 using the `chacha20` and `poly1305` crates. --- Cargo.toml | 3 + README.md | 2 +- chacha20poly1305/Cargo.toml | 9 +- chacha20poly1305/src/lib.rs | 174 ++++++++++++++++++++++++++++++++++ chacha20poly1305/tests/lib.rs | 81 ++++++++++++++++ 5 files changed, 267 insertions(+), 2 deletions(-) create mode 100644 chacha20poly1305/tests/lib.rs diff --git a/Cargo.toml b/Cargo.toml index 278e7670..32b0a3de 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -2,3 +2,6 @@ members = [ "chacha20poly1305", ] + +[patch.crates-io] +aead = { git = "https://github.com/mobilecoinofficial/traits" } diff --git a/README.md b/README.md index 69900593..eb3e2c99 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# RustCrypto: stream ciphers +# RustCrypto: Authenticated Encryption with Associated Data [![Build Status](https://travis-ci.org/RustCrypto/AEADs.svg?branch=master)](https://travis-ci.org/RustCrypto/AEADs) [![dependency status](https://deps.rs/repo/github/RustCrypto/AEADs/status.svg)](https://deps.rs/repo/github/AEADs/stream-ciphers) Collection of [Authenticated Encryption with Associated Data (AEAD)][1] diff --git a/chacha20poly1305/Cargo.toml b/chacha20poly1305/Cargo.toml index d13ba0cf..848bef7c 100644 --- a/chacha20poly1305/Cargo.toml +++ b/chacha20poly1305/Cargo.toml @@ -4,10 +4,17 @@ version = "0.0.0" authors = ["RustCrypto Developers"] edition = "2018" license = "MIT OR Apache-2.0" -description = "CTR block mode of operation" +description = """ +ChaCha20Poly1305 Authenticated Encryption with Additional Data Algorithm (RFC 8439) +""" documentation = "chacha20poly1305" repository = "https://github.com/RustCrypto/AEADs" keywords = ["crypto", "cipher", "aead"] categories = ["cryptography", "no-std"] [dependencies] +aead = "0" +chacha20 = { version = "0.2", features = ["zeroize"] } +generic-array = { version = "0.12", default-features = false } +poly1305 = "0.2" +zeroize = { version = "0.9", default-features = false } diff --git a/chacha20poly1305/src/lib.rs b/chacha20poly1305/src/lib.rs index e69de29b..a9498926 100644 --- a/chacha20poly1305/src/lib.rs +++ b/chacha20poly1305/src/lib.rs @@ -0,0 +1,174 @@ +//! ChaCha20Poly1305 Authenticated Encryption with Additional Data Algorithm +//! (RFC 8439) + +#![no_std] + +extern crate alloc; + +pub use aead; +// TODO(tarcieri): re-export this from the AEAD crate +pub use generic_array; + +use aead::{Aead, Error, NewAead}; +use alloc::vec::Vec; +use chacha20::stream_cipher::{NewStreamCipher, SyncStreamCipher, SyncStreamCipherSeek}; +use chacha20::ChaCha20; +use core::convert::TryInto; +use generic_array::{ + typenum::{U0, U12, U16, U32}, + GenericArray, +}; +use poly1305::{Poly1305, Tag}; +use zeroize::{Zeroize, Zeroizing}; + +/// Maximum number of blocks that can be encrypted with ChaCha20 before the +/// counter overflows. +// TODO(tarcieri): move this to the `chacha20` crate? +const CHACHA20_MAX_BLOCKS: usize = core::u32::MAX as usize; + +/// Size of a ChaCha20 block in bytes +// TODO(tarcieri): move this to the `chacha20` crate? +const CHACHA20_BLOCK_SIZE: usize = 64; + +/// ChaCha20Poly1305 AEAD +#[derive(Clone)] +pub struct ChaCha20Poly1305 { + /// Secret key + key: GenericArray, +} + +impl NewAead for ChaCha20Poly1305 { + type KeySize = U32; + + fn new(key: GenericArray) -> Self { + ChaCha20Poly1305 { key } + } +} + +impl Aead for ChaCha20Poly1305 { + type NonceSize = U12; + type TagSize = U16; + type CiphertextOverhead = U0; + + fn encrypt( + &mut self, + associated_data: &[u8], + nonce: &GenericArray, + plaintext: &[u8], + ) -> Result, Error> { + CipherInstance::new(&self.key, nonce).encrypt(associated_data, plaintext) + } + + fn decrypt( + &mut self, + associated_data: &[u8], + nonce: &GenericArray, + ciphertext: &[u8], + ) -> Result, Error> { + CipherInstance::new(&self.key, nonce).decrypt(associated_data, ciphertext) + } +} + +impl Drop for ChaCha20Poly1305 { + fn drop(&mut self) { + self.key.as_mut_slice().zeroize(); + } +} + +/// ChaCha20Poly1305 instantiated with a particular nonce +struct CipherInstance { + chacha20: ChaCha20, + poly1305: Poly1305, +} + +impl CipherInstance { + /// Instantiate the underlying cipher with a particular nonce + fn new(key: &GenericArray, nonce: &GenericArray) -> Self { + let mut chacha20 = ChaCha20::new(key, nonce); + + // Derive Poly1305 key from the first 32-bytes of the ChaCha20 keystream + let mut auth_key = Zeroizing::new([0u8; poly1305::KEY_SIZE]); + chacha20.apply_keystream(&mut *auth_key); + + // Set ChaCha20 counter to 1 + chacha20.seek(CHACHA20_BLOCK_SIZE as u64); + + let poly1305 = Poly1305::new(&auth_key); + Self { chacha20, poly1305 } + } + + /// Encrypt the given message, allocating a vector for the resulting ciphertext + fn encrypt(self, associated_data: &[u8], plaintext: &[u8]) -> Result, Error> { + let mut buffer = Vec::with_capacity(plaintext.len() + poly1305::BLOCK_SIZE); + buffer.extend_from_slice(plaintext); + + let tag = self.encrypt_in_place(associated_data, &mut buffer)?; + buffer.extend_from_slice(tag.code().as_slice()); + Ok(buffer) + } + + /// Encrypt the given message in-place, returning the authentication tag + fn encrypt_in_place( + mut self, + associated_data: &[u8], + buffer: &mut [u8], + ) -> Result { + if buffer.len() / CHACHA20_BLOCK_SIZE >= CHACHA20_MAX_BLOCKS { + return Err(Error); + } + + self.poly1305.input_padded(associated_data); + self.chacha20.apply_keystream(buffer); + self.poly1305.input_padded(buffer); + self.authenticate_lengths(associated_data, buffer)?; + Ok(self.poly1305.result()) + } + + /// Decrypt the given message, allocating a vector for the resulting plaintext + fn decrypt(self, associated_data: &[u8], ciphertext: &[u8]) -> Result, Error> { + if ciphertext.len() < poly1305::BLOCK_SIZE { + return Err(Error); + } + + let tag_start = ciphertext.len() - poly1305::BLOCK_SIZE; + let mut buffer = Vec::from(&ciphertext[..tag_start]); + let tag: [u8; poly1305::BLOCK_SIZE] = ciphertext[tag_start..].try_into().unwrap(); + + self.decrypt_in_place(associated_data, &mut buffer, &tag)?; + Ok(buffer) + } + + /// Decrypt the given message, first authenticating ciphertext integrity + /// and returning an error if it's been tampered with. + fn decrypt_in_place( + mut self, + associated_data: &[u8], + buffer: &mut [u8], + tag: &[u8; poly1305::BLOCK_SIZE], + ) -> Result<(), Error> { + if buffer.len() / CHACHA20_BLOCK_SIZE >= CHACHA20_MAX_BLOCKS { + return Err(Error); + } + + self.poly1305.input_padded(associated_data); + self.poly1305.input_padded(buffer); + self.authenticate_lengths(associated_data, buffer)?; + + if self.poly1305.result() == Tag::new(*GenericArray::from_slice(tag)) { + self.chacha20.apply_keystream(buffer); + Ok(()) + } else { + Err(Error) + } + } + + /// Authenticate the lengths of the associated data and message + fn authenticate_lengths(&mut self, associated_data: &[u8], buffer: &[u8]) -> Result<(), Error> { + let associated_data_len: u64 = associated_data.len().try_into().map_err(|_| Error)?; + let buffer_len: u64 = buffer.len().try_into().map_err(|_| Error)?; + + self.poly1305.input(&associated_data_len.to_le_bytes()); + self.poly1305.input(&buffer_len.to_le_bytes()); + Ok(()) + } +} diff --git a/chacha20poly1305/tests/lib.rs b/chacha20poly1305/tests/lib.rs new file mode 100644 index 00000000..e27fa5dd --- /dev/null +++ b/chacha20poly1305/tests/lib.rs @@ -0,0 +1,81 @@ +//! ChaCha20Poly1305 test vectors. +//! +//! From RFC 8439 Section 2.8.2: +//! + +use chacha20poly1305::aead::{Aead, NewAead}; +use chacha20poly1305::generic_array::GenericArray; +use chacha20poly1305::ChaCha20Poly1305; + +const KEY: &[u8; 32] = &[ + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, + 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, +]; + +const NONCE: &[u8; 12] = &[ + 0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, +]; + +const AAD: &[u8; 12] = &[ + 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, +]; + +const PLAINTEXT: &[u8] = b"Ladies and Gentlemen of the class of '99: \ + If I could offer you only one tip for the future, sunscreen would be it."; + +const CIPHERTEXT: &[u8] = &[ + 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb, 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2, + 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe, 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6, + 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12, 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b, + 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29, 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36, + 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c, 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58, + 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94, 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc, + 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d, 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b, + 0x61, 0x16, +]; + +const TAG: &[u8] = &[ + 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a, 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91, +]; + +#[test] +fn encrypt() { + let key = GenericArray::from_slice(KEY); + let nonce = GenericArray::from_slice(NONCE); + + let mut cipher = ChaCha20Poly1305::new(*key); + let ciphertext = cipher.encrypt(AAD, nonce, PLAINTEXT).unwrap(); + + let tag_begins = ciphertext.len() - 16; + assert_eq!(CIPHERTEXT, &ciphertext[..tag_begins]); + assert_eq!(TAG, &ciphertext[tag_begins..]); +} + +#[test] +fn decrypt() { + let key = GenericArray::from_slice(KEY); + let nonce = GenericArray::from_slice(NONCE); + + let mut ciphertext = Vec::from(CIPHERTEXT); + ciphertext.extend_from_slice(TAG); + + let mut cipher = ChaCha20Poly1305::new(*key); + let plaintext = cipher.decrypt(AAD, nonce, &ciphertext).unwrap(); + + assert_eq!(PLAINTEXT, plaintext.as_slice()); +} + +#[test] +fn decrypt_modified() { + let key = GenericArray::from_slice(KEY); + let nonce = GenericArray::from_slice(NONCE); + + let mut ciphertext = Vec::from(CIPHERTEXT); + ciphertext.extend_from_slice(TAG); + + // Tweak the first byte + ciphertext[0] ^= 0xaa; + + let mut cipher = ChaCha20Poly1305::new(*key); + assert!(cipher.decrypt(AAD, nonce, &ciphertext).is_err()); +}