From 314b0e719f69f4ef7811d81c9346e1b71bdef302 Mon Sep 17 00:00:00 2001 From: dlg <> Date: Tue, 22 Jan 2019 00:59:21 +0000 Subject: add support for xchacha20 and xchacha20-poly1305 xchacha is a chacha stream that allows for an extended nonce, which in turn makes it feasible to use random nonces. ok tb@ --- src/lib/libcrypto/Symbols.list | 3 + src/lib/libcrypto/chacha/chacha-merged.c | 48 ++++++++++- src/lib/libcrypto/chacha/chacha.c | 12 ++- src/lib/libcrypto/chacha/chacha.h | 6 +- src/lib/libcrypto/evp/e_chacha20poly1305.c | 123 ++++++++++++++++++++++++++++- src/lib/libcrypto/evp/evp.h | 4 +- src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 | 20 ++++- 7 files changed, 208 insertions(+), 8 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libcrypto/Symbols.list b/src/lib/libcrypto/Symbols.list index 4836a3ff9f..d367b93cd4 100644 --- a/src/lib/libcrypto/Symbols.list +++ b/src/lib/libcrypto/Symbols.list @@ -667,6 +667,7 @@ CRYPTO_get_mem_ex_functions CRYPTO_get_mem_functions CRYPTO_get_new_dynlockid CRYPTO_get_new_lockid +CRYPTO_hchacha_20 CRYPTO_is_mem_check_on CRYPTO_lock CRYPTO_malloc @@ -708,6 +709,7 @@ CRYPTO_set_mem_ex_functions CRYPTO_set_mem_functions CRYPTO_strdup CRYPTO_thread_id +CRYPTO_xchacha_20 CRYPTO_xts128_encrypt Camellia_cbc_encrypt Camellia_cfb128_encrypt @@ -1493,6 +1495,7 @@ EVP_add_digest EVP_aead_aes_128_gcm EVP_aead_aes_256_gcm EVP_aead_chacha20_poly1305 +EVP_aead_xchacha20_poly1305 EVP_aes_128_cbc EVP_aes_128_cbc_hmac_sha1 EVP_aes_128_ccm diff --git a/src/lib/libcrypto/chacha/chacha-merged.c b/src/lib/libcrypto/chacha/chacha-merged.c index 08511ed273..67508f208d 100644 --- a/src/lib/libcrypto/chacha/chacha-merged.c +++ b/src/lib/libcrypto/chacha/chacha-merged.c @@ -1,4 +1,4 @@ -/* $OpenBSD: chacha-merged.c,v 1.8 2017/08/13 16:55:31 jsing Exp $ */ +/* $OpenBSD: chacha-merged.c,v 1.9 2019/01/22 00:59:21 dlg Exp $ */ /* chacha-merged.c version 20080118 D. J. Bernstein @@ -277,3 +277,49 @@ chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes) m += 64; } } + +void +CRYPTO_hchacha_20(unsigned char subkey[32], const unsigned char key[32], + const unsigned char nonce[16]) +{ + uint32_t x[16]; + int i; + + x[0] = U8TO32_LITTLE(sigma + 0); + x[1] = U8TO32_LITTLE(sigma + 4); + x[2] = U8TO32_LITTLE(sigma + 8); + x[3] = U8TO32_LITTLE(sigma + 12); + x[4] = U8TO32_LITTLE(key + 0); + x[5] = U8TO32_LITTLE(key + 4); + x[6] = U8TO32_LITTLE(key + 8); + x[7] = U8TO32_LITTLE(key + 12); + x[8] = U8TO32_LITTLE(key + 16); + x[9] = U8TO32_LITTLE(key + 20); + x[10] = U8TO32_LITTLE(key + 24); + x[11] = U8TO32_LITTLE(key + 28); + x[12] = U8TO32_LITTLE(nonce + 0); + x[13] = U8TO32_LITTLE(nonce + 4); + x[14] = U8TO32_LITTLE(nonce + 8); + x[15] = U8TO32_LITTLE(nonce + 12); + + for (i = 20; i > 0; i -= 2) { + QUARTERROUND(x[0], x[4], x[8], x[12]) + QUARTERROUND(x[1], x[5], x[9], x[13]) + QUARTERROUND(x[2], x[6], x[10], x[14]) + QUARTERROUND(x[3], x[7], x[11], x[15]) + QUARTERROUND(x[0], x[5], x[10], x[15]) + QUARTERROUND(x[1], x[6], x[11], x[12]) + QUARTERROUND(x[2], x[7], x[8], x[13]) + QUARTERROUND(x[3], x[4], x[9], x[14]) + } + + U32TO8_LITTLE(subkey + 0, x[0]); + U32TO8_LITTLE(subkey + 4, x[1]); + U32TO8_LITTLE(subkey + 8, x[2]); + U32TO8_LITTLE(subkey + 12, x[3]); + + U32TO8_LITTLE(subkey + 16, x[12]); + U32TO8_LITTLE(subkey + 20, x[13]); + U32TO8_LITTLE(subkey + 24, x[14]); + U32TO8_LITTLE(subkey + 28, x[15]); +} diff --git a/src/lib/libcrypto/chacha/chacha.c b/src/lib/libcrypto/chacha/chacha.c index 0c384ab88a..6a2dddf055 100644 --- a/src/lib/libcrypto/chacha/chacha.c +++ b/src/lib/libcrypto/chacha/chacha.c @@ -1,4 +1,4 @@ -/* $OpenBSD: chacha.c,v 1.7 2015/12/09 14:07:55 bcook Exp $ */ +/* $OpenBSD: chacha.c,v 1.8 2019/01/22 00:59:21 dlg Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -75,3 +75,13 @@ CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len, chacha_encrypt_bytes(&ctx, in, out, (uint32_t)len); } + +void +CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len, + const unsigned char key[32], const unsigned char iv[24]) +{ + uint8_t subkey[32]; + + CRYPTO_hchacha_20(subkey, key, iv); + CRYPTO_chacha_20(out, in, len, subkey, iv + 16, 0); +} diff --git a/src/lib/libcrypto/chacha/chacha.h b/src/lib/libcrypto/chacha/chacha.h index 8d94e626f8..e2345b2199 100644 --- a/src/lib/libcrypto/chacha/chacha.h +++ b/src/lib/libcrypto/chacha/chacha.h @@ -1,4 +1,4 @@ -/* $OpenBSD: chacha.h,v 1.7 2015/12/09 14:07:55 bcook Exp $ */ +/* $OpenBSD: chacha.h,v 1.8 2019/01/22 00:59:21 dlg Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -46,6 +46,10 @@ void ChaCha(ChaCha_ctx *ctx, unsigned char *out, const unsigned char *in, void CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len, const unsigned char key[32], const unsigned char iv[8], uint64_t counter); +void CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len, + const unsigned char key[32], const unsigned char iv[24]); +void CRYPTO_hchacha_20(unsigned char out[32], + const unsigned char key[32], const unsigned char iv[16]); #ifdef __cplusplus } diff --git a/src/lib/libcrypto/evp/e_chacha20poly1305.c b/src/lib/libcrypto/evp/e_chacha20poly1305.c index 089ef12fb3..a5cf8a19f2 100644 --- a/src/lib/libcrypto/evp/e_chacha20poly1305.c +++ b/src/lib/libcrypto/evp/e_chacha20poly1305.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_chacha20poly1305.c,v 1.18 2017/08/28 17:48:02 jsing Exp $ */ +/* $OpenBSD: e_chacha20poly1305.c,v 1.19 2019/01/22 00:59:21 dlg Exp $ */ /* * Copyright (c) 2015 Reyk Floter @@ -36,6 +36,7 @@ #define CHACHA20_CONSTANT_LEN 4 #define CHACHA20_IV_LEN 8 #define CHACHA20_NONCE_LEN (CHACHA20_CONSTANT_LEN + CHACHA20_IV_LEN) +#define XCHACHA20_NONCE_LEN 24 struct aead_chacha20_poly1305_ctx { unsigned char key[32]; @@ -246,6 +247,108 @@ aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out, return 1; } +static int +aead_xchacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, + size_t *out_len, size_t max_out_len, const unsigned char *nonce, + size_t nonce_len, const unsigned char *in, size_t in_len, + const unsigned char *ad, size_t ad_len) +{ + const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; + unsigned char poly1305_key[32]; + unsigned char subkey[32]; + poly1305_state poly1305; + + if (max_out_len < in_len + c20_ctx->tag_len) { + EVPerror(EVP_R_BUFFER_TOO_SMALL); + return 0; + } + + if (nonce_len != ctx->aead->nonce_len) { + EVPerror(EVP_R_IV_TOO_LARGE); + return 0; + } + + CRYPTO_hchacha_20(subkey, c20_ctx->key, nonce); + + CRYPTO_chacha_20(out, in, in_len, subkey, nonce + 16, 1); + + memset(poly1305_key, 0, sizeof(poly1305_key)); + CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), + subkey, nonce + 16, 0); + + CRYPTO_poly1305_init(&poly1305, poly1305_key); + poly1305_update_with_pad16(&poly1305, ad, ad_len); + poly1305_update_with_pad16(&poly1305, out, in_len); + poly1305_update_with_length(&poly1305, NULL, ad_len); + poly1305_update_with_length(&poly1305, NULL, in_len); + + if (c20_ctx->tag_len != POLY1305_TAG_LEN) { + unsigned char tag[POLY1305_TAG_LEN]; + CRYPTO_poly1305_finish(&poly1305, tag); + memcpy(out + in_len, tag, c20_ctx->tag_len); + *out_len = in_len + c20_ctx->tag_len; + return 1; + } + + CRYPTO_poly1305_finish(&poly1305, out + in_len); + *out_len = in_len + POLY1305_TAG_LEN; + return 1; +} + +static int +aead_xchacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out, + size_t *out_len, size_t max_out_len, const unsigned char *nonce, + size_t nonce_len, const unsigned char *in, size_t in_len, + const unsigned char *ad, size_t ad_len) +{ + const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; + unsigned char mac[POLY1305_TAG_LEN]; + unsigned char poly1305_key[32]; + unsigned char subkey[32]; + poly1305_state poly1305; + size_t plaintext_len; + + if (in_len < c20_ctx->tag_len) { + EVPerror(EVP_R_BAD_DECRYPT); + return 0; + } + + if (nonce_len != ctx->aead->nonce_len) { + EVPerror(EVP_R_IV_TOO_LARGE); + return 0; + } + + plaintext_len = in_len - c20_ctx->tag_len; + + if (max_out_len < plaintext_len) { + EVPerror(EVP_R_BUFFER_TOO_SMALL); + return 0; + } + + CRYPTO_hchacha_20(subkey, c20_ctx->key, nonce); + + memset(poly1305_key, 0, sizeof(poly1305_key)); + CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), + subkey, nonce + 16, 0); + + CRYPTO_poly1305_init(&poly1305, poly1305_key); + poly1305_update_with_pad16(&poly1305, ad, ad_len); + poly1305_update_with_pad16(&poly1305, in, plaintext_len); + poly1305_update_with_length(&poly1305, NULL, ad_len); + poly1305_update_with_length(&poly1305, NULL, plaintext_len); + + CRYPTO_poly1305_finish(&poly1305, mac); + if (timingsafe_memcmp(mac, in + plaintext_len, c20_ctx->tag_len) != 0) { + EVPerror(EVP_R_BAD_DECRYPT); + return 0; + } + + CRYPTO_chacha_20(out, in, plaintext_len, subkey, nonce + 16, 1); + + *out_len = plaintext_len; + return 1; +} + /* RFC 7539 */ static const EVP_AEAD aead_chacha20_poly1305 = { .key_len = 32, @@ -265,4 +368,22 @@ EVP_aead_chacha20_poly1305() return &aead_chacha20_poly1305; } +static const EVP_AEAD aead_xchacha20_poly1305 = { + .key_len = 32, + .nonce_len = XCHACHA20_NONCE_LEN, + .overhead = POLY1305_TAG_LEN, + .max_tag_len = POLY1305_TAG_LEN, + + .init = aead_chacha20_poly1305_init, + .cleanup = aead_chacha20_poly1305_cleanup, + .seal = aead_xchacha20_poly1305_seal, + .open = aead_xchacha20_poly1305_open, +}; + +const EVP_AEAD * +EVP_aead_xchacha20_poly1305() +{ + return &aead_xchacha20_poly1305; +} + #endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */ diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h index 35f2b3281b..0645303686 100644 --- a/src/lib/libcrypto/evp/evp.h +++ b/src/lib/libcrypto/evp/evp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: evp.h,v 1.71 2019/01/19 01:24:18 tb Exp $ */ +/* $OpenBSD: evp.h,v 1.72 2019/01/22 00:59:21 dlg Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1243,6 +1243,8 @@ const EVP_AEAD *EVP_aead_aes_256_gcm(void); #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) /* EVP_aead_chacha20_poly1305 is ChaCha20 with a Poly1305 authenticator. */ const EVP_AEAD *EVP_aead_chacha20_poly1305(void); +/* EVP_aead_xchacha20_poly1305 is XChaCha20 with a Poly1305 authenticator. */ +const EVP_AEAD *EVP_aead_xchacha20_poly1305(void); #endif /* EVP_AEAD_key_length returns the length of the keys used. */ diff --git a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 index debcc773c4..a4d759a2ed 100644 --- a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 +++ b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.6 2017/08/28 17:43:43 jsing Exp $ +.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.7 2019/01/22 00:59:21 dlg Exp $ .\" .\" Copyright (c) 2014, Google Inc. .\" Parts of the text were written by Adam Langley and David Benjamin. @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 28 2017 $ +.Dd $Mdocdate: January 22 2019 $ .Dt EVP_AEAD_CTX_INIT 3 .Os .Sh NAME @@ -30,7 +30,8 @@ .Nm EVP_AEAD_nonce_length , .Nm EVP_aead_aes_128_gcm , .Nm EVP_aead_aes_256_gcm , -.Nm EVP_aead_chacha20_poly1305 +.Nm EVP_aead_chacha20_poly1305, +.Nm EVP_aead_xchacha20_poly1305 .Nd authenticated encryption with additional data .Sh SYNOPSIS .In openssl/evp.h @@ -101,6 +102,10 @@ .Fo EVP_aead_chacha20_poly1305 .Fa void .Fc +.Ft const EVP_AEAD * +.Fo EVP_aead_xchacha20_poly1305 +.Fa void +.Fc .Sh DESCRIPTION AEAD (Authenticated Encryption with Additional Data) couples confidentiality and integrity in a single primitive. @@ -219,6 +224,8 @@ AES-128 in Galois Counter Mode. AES-256 in Galois Counter Mode. .It Fn EVP_aead_chacha20_poly1305 ChaCha20 with a Poly1305 authenticator. +.It Fn EVP_aead_xchacha20_poly1305 +XChaCha20 with a Poly1305 authenticator. .El .Pp Where possible the @@ -285,6 +292,13 @@ EVP_AEAD_CTX_cleanup(&ctx); .%R RFC 7539 .%T ChaCha20 and Poly1305 for IETF Protocols .Re +.Pp +.Rs +.%A S. Arciszewski +.%D October 2018 +.%R draft-arciszewski-xchacha-02 +.%T XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305 +.Re .Sh HISTORY AEAD is based on the implementation by .An Adam Langley -- cgit v1.2.3-55-g6feb