comparison nss/lib/freebl/chacha20poly1305.c @ 0:1e5118fa0cb1

This is NSS with a Cmake Buildsyste To compile a static NSS library for Windows we've used the Chromium-NSS fork and added a Cmake buildsystem to compile it statically for Windows. See README.chromium for chromium changes and README.trustbridge for our modifications.
author Andre Heinecke <andre.heinecke@intevation.de>
date Mon, 28 Jul 2014 10:47:06 +0200
parents
children
comparison
equal deleted inserted replaced
-1:000000000000 0:1e5118fa0cb1
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5 #ifdef FREEBL_NO_DEPEND
6 #include "stubs.h"
7 #endif
8
9 #include <string.h>
10 #include <stdio.h>
11
12 #include "seccomon.h"
13 #include "secerr.h"
14 #include "blapit.h"
15 #include "poly1305/poly1305.h"
16 #include "chacha20/chacha20.h"
17 #include "chacha20poly1305.h"
18
19 /* Poly1305Do writes the Poly1305 authenticator of the given additional data
20 * and ciphertext to |out|. */
21 static void
22 Poly1305Do(unsigned char *out,
23 const unsigned char *ad, unsigned int adLen,
24 const unsigned char *ciphertext, unsigned int ciphertextLen,
25 const unsigned char key[32])
26 {
27 poly1305_state state;
28 unsigned int j;
29 unsigned char lengthBytes[8];
30 unsigned int i;
31
32 Poly1305Init(&state, key);
33 j = adLen;
34 for (i = 0; i < sizeof(lengthBytes); i++) {
35 lengthBytes[i] = j;
36 j >>= 8;
37 }
38 Poly1305Update(&state, ad, adLen);
39 Poly1305Update(&state, lengthBytes, sizeof(lengthBytes));
40 j = ciphertextLen;
41 for (i = 0; i < sizeof(lengthBytes); i++) {
42 lengthBytes[i] = j;
43 j >>= 8;
44 }
45 Poly1305Update(&state, ciphertext, ciphertextLen);
46 Poly1305Update(&state, lengthBytes, sizeof(lengthBytes));
47 Poly1305Finish(&state, out);
48 }
49
50 SECStatus
51 ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
52 const unsigned char *key, unsigned int keyLen,
53 unsigned int tagLen)
54 {
55 if (keyLen != 32) {
56 PORT_SetError(SEC_ERROR_BAD_KEY);
57 return SECFailure;
58 }
59 if (tagLen == 0 || tagLen > 16) {
60 PORT_SetError(SEC_ERROR_INPUT_LEN);
61 return SECFailure;
62 }
63
64 memcpy(ctx->key, key, sizeof(ctx->key));
65 ctx->tagLen = tagLen;
66
67 return SECSuccess;
68 }
69
70 ChaCha20Poly1305Context *
71 ChaCha20Poly1305_CreateContext(const unsigned char *key, unsigned int keyLen,
72 unsigned int tagLen)
73 {
74 ChaCha20Poly1305Context *ctx;
75
76 ctx = PORT_New(ChaCha20Poly1305Context);
77 if (ctx == NULL) {
78 return NULL;
79 }
80
81 if (ChaCha20Poly1305_InitContext(ctx, key, keyLen, tagLen) != SECSuccess) {
82 PORT_Free(ctx);
83 ctx = NULL;
84 }
85
86 return ctx;
87 }
88
89 void
90 ChaCha20Poly1305_DestroyContext(ChaCha20Poly1305Context *ctx, PRBool freeit)
91 {
92 memset(ctx, 0, sizeof(*ctx));
93 if (freeit) {
94 PORT_Free(ctx);
95 }
96 }
97
98 SECStatus
99 ChaCha20Poly1305_Seal(const ChaCha20Poly1305Context *ctx,
100 unsigned char *output, unsigned int *outputLen,
101 unsigned int maxOutputLen,
102 const unsigned char *input, unsigned int inputLen,
103 const unsigned char *nonce, unsigned int nonceLen,
104 const unsigned char *ad, unsigned int adLen)
105 {
106 unsigned char block[64];
107 unsigned char tag[16];
108
109 if (nonceLen != 8) {
110 PORT_SetError(SEC_ERROR_INPUT_LEN);
111 return SECFailure;
112 }
113 *outputLen = inputLen + ctx->tagLen;
114 if (maxOutputLen < *outputLen) {
115 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
116 return SECFailure;
117 }
118
119 memset(block, 0, sizeof(block));
120 // Generate a block of keystream. The first 32 bytes will be the poly1305
121 // key. The remainder of the block is discarded.
122 ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0);
123 ChaCha20XOR(output, input, inputLen, ctx->key, nonce, 1);
124
125 Poly1305Do(tag, ad, adLen, output, inputLen, block);
126 memcpy(output + inputLen, tag, ctx->tagLen);
127
128 return SECSuccess;
129 }
130
131 SECStatus
132 ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx,
133 unsigned char *output, unsigned int *outputLen,
134 unsigned int maxOutputLen,
135 const unsigned char *input, unsigned int inputLen,
136 const unsigned char *nonce, unsigned int nonceLen,
137 const unsigned char *ad, unsigned int adLen)
138 {
139 unsigned char block[64];
140 unsigned char tag[16];
141
142 if (nonceLen != 8) {
143 PORT_SetError(SEC_ERROR_INPUT_LEN);
144 return SECFailure;
145 }
146 if (inputLen < ctx->tagLen) {
147 PORT_SetError(SEC_ERROR_INPUT_LEN);
148 return SECFailure;
149 }
150 *outputLen = inputLen - ctx->tagLen;
151 if (maxOutputLen < *outputLen) {
152 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
153 return SECFailure;
154 }
155
156 memset(block, 0, sizeof(block));
157 // Generate a block of keystream. The first 32 bytes will be the poly1305
158 // key. The remainder of the block is discarded.
159 ChaCha20XOR(block, block, sizeof(block), ctx->key, nonce, 0);
160 Poly1305Do(tag, ad, adLen, input, inputLen - ctx->tagLen, block);
161 if (NSS_SecureMemcmp(tag, &input[inputLen - ctx->tagLen], ctx->tagLen) != 0) {
162 PORT_SetError(SEC_ERROR_BAD_DATA);
163 return SECFailure;
164 }
165
166 ChaCha20XOR(output, input, inputLen - ctx->tagLen, ctx->key, nonce, 1);
167
168 return SECSuccess;
169 }
This site is hosted by Intevation GmbH (Datenschutzerklärung und Impressum | Privacy Policy and Imprint)