/*
* Copyright (c) 2018 Amol Surati
*
* SPDX-License-Identifier: GPL-3.0-or-later
*/
#include <assert.h>
#include <string.h>
#include <bytes.h>
#include <chacha.h>
#include <poly1305.h>
#include <aead.h>
/* Conforms to RFC 7539 and 7905. */
/*
 * Compute the Poly1305 tag over the AEAD construction's MAC input:
 *
 *   aad || zero-pad to 16 || msg || zero-pad to 16 || le64(alen) || le64(mlen)
 *
 * out  receives the tag produced by poly1305_final().
 * otk  is the one-time Poly1305 key handed to poly1305_init().
 * msg/mlen and aad/alen are the ciphertext and the associated data.
 *
 * Lengths are plain ints and are not validated here; callers are expected
 * to pass non-negative values.
 */
static void aead_mac(uint8_t *out, const uint8_t *otk, const void *msg,
		     int mlen, const void *aad, int alen)
{
	static const uint8_t zeros[16] = {0};
	struct poly1305_ctx mac;
	uint64_t le_len;
	int tail;

	poly1305_init(&mac, otk);

	/* Associated data, zero-padded up to the next 16-byte boundary. */
	poly1305_update(&mac, aad, alen);
	tail = alen & 0xf;
	if (tail != 0)
		poly1305_update(&mac, zeros, 16 - tail);

	/* Message bytes, padded the same way. */
	poly1305_update(&mac, msg, mlen);
	tail = mlen & 0xf;
	if (tail != 0)
		poly1305_update(&mac, zeros, 16 - tail);

	/* Both lengths as 64-bit little-endian values, aad first. */
	le_len = htole64(alen);
	poly1305_update(&mac, &le_len, sizeof(le_len));
	le_len = htole64(mlen);
	poly1305_update(&mac, &le_len, sizeof(le_len));

	poly1305_final(&mac, out);
}
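/*
 * Authenticate and decrypt a message produced by aead_enc().
 *
 * msg holds the ciphertext followed by the 16-byte tag, mlen bytes in total.
 * aad/alen is the associated data that was authenticated with it.
 * out receives mlen - 16 bytes of plaintext.
 *
 * Returns the plaintext length (mlen - 16) on success. Returns -1 when the
 * lengths are invalid or the tag does not verify; in that case nothing is
 * written to out. Callers must check for a negative return before using out.
 *
 * The tag check is a real runtime check. It used to be an assert(), which
 * disappears under NDEBUG (letting forged ciphertext through) and aborts the
 * process on a bad message otherwise.
 */
int aead_dec(const uint8_t* key, const uint8_t *nonce, const void *msg,
	     int mlen, const void *aad, int alen, uint8_t *out)
{
	struct chacha20_ctx ctx;
	/* Automatic, not static: key material must not outlive or span calls. */
	uint8_t otk[32];
	uint8_t tag[16];
	const uint8_t *rx_tag;
	volatile uint8_t *wipe;
	uint8_t diff;
	int i;

	/* Programmer-contract checks: these are never attacker-controlled. */
	assert(key);
	assert(nonce);
	assert(msg);
	assert(aad);
	assert(out);

	/*
	 * Lengths may come from the wire, so reject them at runtime instead of
	 * asserting. As before, a message carrying no ciphertext is rejected.
	 */
	if (mlen <= 16 || alen < 0)
		return -1;

	/* Generate the one time key for mac (first 32 keystream bytes). */
	memset(otk, 0, sizeof(otk));
	chacha20_init(&ctx, key, nonce, 0);
	chacha20_enc(&ctx, otk, otk, 32);

	/* Recompute the tag over the received ciphertext and aad. */
	aead_mac(tag, otk, msg, mlen - 16, aad, alen);

	/*
	 * Compare without an early exit so the time taken does not depend on
	 * how many leading tag bytes match.
	 */
	rx_tag = (const uint8_t *)msg + mlen - 16;
	diff = 0;
	for (i = 0; i < 16; i++)
		diff |= (uint8_t)(tag[i] ^ rx_tag[i]);

	/*
	 * Wipe the one-time key and the expected tag through a volatile
	 * pointer so the stores are not optimised away.
	 * NOTE(review): ctx still holds cipher state derived from key; wipe it
	 * too if the chacha20 API offers a way to do so.
	 */
	wipe = otk;
	for (i = 0; i < (int)sizeof(otk); i++)
		wipe[i] = 0;
	wipe = tag;
	for (i = 0; i < (int)sizeof(tag); i++)
		wipe[i] = 0;

	if (diff != 0)
		return -1;

	/* Tag verified: decrypt the data. */
	chacha20_init(&ctx, key, nonce, 1);
	chacha20_dec(&ctx, out, msg, mlen - 16);
	return mlen - 16;
}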
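/*
 * Encrypt msg and append the authentication tag.
 *
 * key/nonce are passed to chacha20_init(). The (key, nonce) pair must never
 * be reused for a second message: the Poly1305 one-time key and the
 * keystream are both derived from it.
 * msg/mlen is the plaintext, aad/alen the associated data to authenticate.
 * out receives mlen bytes of ciphertext followed by the 16-byte tag, so it
 * must have room for mlen + 16 bytes.
 *
 * Returns the number of bytes written to out (mlen + 16).
 */
int aead_enc(const uint8_t* key, const uint8_t *nonce, const void *msg,
	     int mlen, const void *aad, int alen, uint8_t *out)
{
	struct chacha20_ctx ctx;
	/*
	 * Automatic, not static: a static buffer keeps the one-time key in
	 * memory after return and is shared between concurrent callers.
	 */
	uint8_t otk[32];
	volatile uint8_t *wipe;
	int i;

	assert(key);
	assert(nonce);
	assert(msg);
	assert(mlen > 0);
	assert(aad);
	assert(out);

	/* Generate the one time key for mac (first 32 keystream bytes). */
	memset(otk, 0, sizeof(otk));
	chacha20_init(&ctx, key, nonce, 0);
	chacha20_enc(&ctx, otk, otk, 32);

	/* Encrypt the data. */
	chacha20_init(&ctx, key, nonce, 1);
	chacha20_enc(&ctx, out, msg, mlen);

	/* Generate mac over the ciphertext and write it right after it. */
	aead_mac(out + mlen, otk, out, mlen, aad, alen);

	/*
	 * Wipe the one-time key through a volatile pointer so the stores are
	 * not optimised away.
	 * NOTE(review): ctx still holds cipher state derived from key; wipe it
	 * too if the chacha20 API offers a way to do so.
	 */
	wipe = otk;
	for (i = 0; i < (int)sizeof(otk); i++)
		wipe[i] = 0;

	return mlen + 16;
}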