ArduinoLibs
 All Classes Files Functions Variables Typedefs Enumerations Enumerator Friends Groups Pages
ChaChaPoly.cpp
1 /*
2  * Copyright (C) 2015 Southern Storm Software, Pty Ltd.
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining a
5  * copy of this software and associated documentation files (the "Software"),
6  * to deal in the Software without restriction, including without limitation
7  * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8  * and/or sell copies of the Software, and to permit persons to whom the
9  * Software is furnished to do so, subject to the following conditions:
10  *
11  * The above copyright notice and this permission notice shall be included
12  * in all copies or substantial portions of the Software.
13  *
14  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15  * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
19  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
20  * DEALINGS IN THE SOFTWARE.
21  */
22 
23 #include "ChaChaPoly.h"
24 #include "Crypto.h"
25 #include "utility/EndianUtil.h"
26 #include <string.h>
27 
46 {
47  state.authSize = 0;
48  state.dataSize = 0;
49  state.dataStarted = false;
50  state.ivSize = 8;
51 }
52 
57 {
58  clean(state);
59 }
60 
61 size_t ChaChaPoly::keySize() const
62 {
63  // Default key size is 256-bit, but any key size is allowed.
64  return 32;
65 }
66 
67 size_t ChaChaPoly::ivSize() const
68 {
69  // Return 8 but we also support 12-byte nonces in setIV().
70  return 8;
71 }
72 
73 size_t ChaChaPoly::tagSize() const
74 {
75  // Any tag size between 1 and 16 is supported.
76  return 16;
77 }
78 
79 bool ChaChaPoly::setKey(const uint8_t *key, size_t len)
80 {
81  return chacha.setKey(key, len);
82 }
83 
84 bool ChaChaPoly::setIV(const uint8_t *iv, size_t len)
85 {
86  // ChaCha::setIV() supports both 64-bit and 96-bit nonces.
87  if (!chacha.setIV(iv, len))
88  return false;
89 
90  // Generate the key and nonce to use for Poly1305.
91  uint32_t data[16];
92  chacha.keystreamBlock(data);
93  poly1305.reset(data);
94  memcpy(state.nonce, data + 4, 16);
95  clean(data);
96 
97  // Reset the size counters for the auth data and payload.
98  state.authSize = 0;
99  state.dataSize = 0;
100  state.dataStarted = false;
101  state.ivSize = len;
102 }
103 
104 void ChaChaPoly::encrypt(uint8_t *output, const uint8_t *input, size_t len)
105 {
106  if (!state.dataStarted) {
107  poly1305.pad();
108  state.dataStarted = true;
109  }
110  chacha.encrypt(output, input, len);
111  poly1305.update(output, len);
112  state.dataSize += len;
113 }
114 
115 void ChaChaPoly::decrypt(uint8_t *output, const uint8_t *input, size_t len)
116 {
117  if (!state.dataStarted) {
118  poly1305.pad();
119  state.dataStarted = true;
120  }
121  poly1305.update(input, len);
122  chacha.encrypt(output, input, len); // encrypt() is the same as decrypt()
123  state.dataSize += len;
124 }
125 
126 void ChaChaPoly::addAuthData(const void *data, size_t len)
127 {
128  if (!state.dataStarted) {
129  poly1305.update(data, len);
130  state.authSize += len;
131  }
132 }
133 
134 void ChaChaPoly::computeTag(void *tag, size_t len)
135 {
136  uint64_t sizes[2];
137 
138  // Pad the final Poly1305 block and then hash the sizes.
139  poly1305.pad();
140  sizes[0] = htole64(state.authSize);
141  sizes[1] = htole64(state.dataSize);
142  poly1305.update(sizes, sizeof(sizes));
143 
144  // Compute the tag and copy it to the return buffer.
145  poly1305.finalize(state.nonce, tag, len);
146  clean(sizes);
147 }
148 
149 bool ChaChaPoly::checkTag(const void *tag, size_t len)
150 {
151  // Can never match if the expected tag length is too long.
152  if (len > 16)
153  return false;
154 
155  // Compute the tag and check it.
156  uint8_t temp[16];
157  computeTag(temp, len);
158  bool equal = secure_compare(temp, tag, len);
159  clean(temp);
160  return equal;
161 }
162 
164 {
165  chacha.clear();
166  poly1305.clear();
167  clean(state);
168  state.ivSize = 8;
169 }
void finalize(const void *nonce, void *token, size_t len)
Finalizes the authentication process and returns the token.
Definition: Poly1305.cpp:179
void reset(const void *key)
Resets the Poly1305 message authenticator for a new session.
Definition: Poly1305.cpp:110
bool setKey(const uint8_t *key, size_t len)
Sets the key to use for future encryption and decryption operations.
Definition: ChaCha.cpp:87
virtual ~ChaChaPoly()
Destroys this ChaChaPoly authenticated cipher.
Definition: ChaChaPoly.cpp:56
size_t tagSize() const
Returns the size of the authentication tag.
Definition: ChaChaPoly.cpp:73
bool setIV(const uint8_t *iv, size_t len)
Sets the initialization vector to use for future encryption and decryption operations.
Definition: ChaCha.cpp:111
bool setIV(const uint8_t *iv, size_t len)
Sets the initialization vector to use for future encryption and decryption operations.
Definition: ChaChaPoly.cpp:84
size_t keySize() const
Default size of the key for this cipher, in bytes.
Definition: ChaChaPoly.cpp:61
void computeTag(void *tag, size_t len)
Finalizes the encryption process and computes the authentication tag.
Definition: ChaChaPoly.cpp:134
ChaChaPoly()
Constructs a new ChaChaPoly authenticated cipher.
Definition: ChaChaPoly.cpp:45
void encrypt(uint8_t *output, const uint8_t *input, size_t len)
Encrypts an input buffer and writes the ciphertext to an output buffer.
Definition: ChaCha.cpp:158
void addAuthData(const void *data, size_t len)
Adds extra data that will be authenticated but not encrypted.
Definition: ChaChaPoly.cpp:126
void encrypt(uint8_t *output, const uint8_t *input, size_t len)
Encrypts an input buffer and writes the ciphertext to an output buffer.
Definition: ChaChaPoly.cpp:104
size_t ivSize() const
Size of the initialization vector for this cipher, in bytes.
void update(const void *data, size_t len)
Updates the message authenticator with more data.
Definition: Poly1305.cpp:142
void clear()
Clears all security-sensitive state from this cipher.
Definition: ChaCha.cpp:218
void clear()
Clears all security-sensitive state from this cipher.
Definition: ChaChaPoly.cpp:163
void decrypt(uint8_t *output, const uint8_t *input, size_t len)
Decrypts an input buffer and writes the plaintext to an output buffer.
Definition: ChaChaPoly.cpp:115
void pad()
Pads the input stream with zero bytes to a multiple of 16.
Definition: Poly1305.cpp:251
void clear()
Clears the authenticator's state, removing all sensitive data.
Definition: Poly1305.cpp:265
bool setKey(const uint8_t *key, size_t len)
Sets the key to use for future encryption and decryption operations.
Definition: ChaChaPoly.cpp:79
bool checkTag(const void *tag, size_t len)
Finalizes the decryption process and checks the authentication tag.
Definition: ChaChaPoly.cpp:149