diff options
Diffstat (limited to 'lib/libcrypto/evp/e_chacha20poly1305.c')
-rw-r--r-- | lib/libcrypto/evp/e_chacha20poly1305.c | 137 |
1 files changed, 67 insertions, 70 deletions
diff --git a/lib/libcrypto/evp/e_chacha20poly1305.c b/lib/libcrypto/evp/e_chacha20poly1305.c index 9df6b7c453f..6e4a3f507aa 100644 --- a/lib/libcrypto/evp/e_chacha20poly1305.c +++ b/lib/libcrypto/evp/e_chacha20poly1305.c @@ -6,7 +6,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -63,24 +63,24 @@ #define POLY1305_TAG_LEN 16 #define CHACHA20_NONCE_LEN 8 -struct aead_chacha20_poly1305_ctx - { +struct aead_chacha20_poly1305_ctx { unsigned char key[32]; unsigned char tag_len; - }; +}; -static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len, size_t tag_len) - { +static int +aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const unsigned char *key, + size_t key_len, size_t tag_len) +{ struct aead_chacha20_poly1305_ctx *c20_ctx; if (tag_len == 0) tag_len = POLY1305_TAG_LEN; - if (tag_len > POLY1305_TAG_LEN) - { + if (tag_len > POLY1305_TAG_LEN) { EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_INIT, EVP_R_TOO_LARGE); return 0; - } + } if (key_len != sizeof(c20_ctx->key)) return 0; /* internal error - EVP_AEAD_CTX_init should catch this. */ @@ -94,38 +94,39 @@ static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const unsigned char *k ctx->aead_state = c20_ctx; return 1; - } +} -static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) - { +static void +aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) +{ struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key)); OPENSSL_free(c20_ctx); - } +} -static void poly1305_update_with_length(poly1305_state *poly1305, - const unsigned char *data, size_t data_len) - { +static void +poly1305_update_with_length(poly1305_state *poly1305, + const unsigned char *data, size_t data_len) +{ size_t j = data_len; unsigned char length_bytes[8]; unsigned i; - for (i = 0; i < sizeof(length_bytes); i++) - { + for (i = 0; i < sizeof(length_bytes); i++) { length_bytes[i] = j; j >>= 8; - } + } CRYPTO_poly1305_update(poly1305, data, data_len); CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes)); } -static ssize_t aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, - unsigned char *out, size_t max_out_len, - const unsigned char *nonce, size_t nonce_len, - const unsigned char *in, size_t in_len, - const unsigned char *ad, size_t ad_len) - { +static ssize_t +aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, + size_t max_out_len, const unsigned char *nonce, size_t nonce_len, + const unsigned char *in, size_t in_len, const unsigned char *ad, + size_t ad_len) +{ const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; unsigned char poly1305_key[32]; poly1305_state poly1305; @@ -138,50 +139,48 @@ static ssize_t aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, * 32-bits and this produces a warning because it's always false. * Casting to uint64_t inside the conditional is not sufficient to stop * the warning. */ - if (in_len_64 >= (1ull << 32)*64-64) - { + if (in_len_64 >= (1ull << 32)*64 - 64) { EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, EVP_R_TOO_LARGE); return -1; - } + } - if (max_out_len < in_len + c20_ctx->tag_len) - { - EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, EVP_R_BUFFER_TOO_SMALL); + if (max_out_len < in_len + c20_ctx->tag_len) { + EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, + EVP_R_BUFFER_TOO_SMALL); return -1; - } + } - if (nonce_len != CHACHA20_NONCE_LEN) - { + if (nonce_len != CHACHA20_NONCE_LEN) { EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_SEAL, EVP_R_IV_TOO_LARGE); return -1; - } + } memset(poly1305_key, 0, sizeof(poly1305_key)); - CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), c20_ctx->key, nonce, 0); + CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), + c20_ctx->key, nonce, 0); CRYPTO_poly1305_init(&poly1305, poly1305_key); poly1305_update_with_length(&poly1305, ad, ad_len); CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1); poly1305_update_with_length(&poly1305, out, in_len); - if (c20_ctx->tag_len != POLY1305_TAG_LEN) - { + if (c20_ctx->tag_len != POLY1305_TAG_LEN) { unsigned char tag[POLY1305_TAG_LEN]; CRYPTO_poly1305_finish(&poly1305, tag); memcpy(out + in_len, tag, c20_ctx->tag_len); return in_len + c20_ctx->tag_len; - } + } CRYPTO_poly1305_finish(&poly1305, out + in_len); return in_len + POLY1305_TAG_LEN; - } +} -static ssize_t aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, - unsigned char *out, size_t max_out_len, - const unsigned char *nonce, size_t nonce_len, - const unsigned char *in, size_t in_len, - const unsigned char *ad, size_t ad_len) - { +static ssize_t +aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out, + size_t max_out_len, const unsigned char *nonce, size_t nonce_len, + const unsigned char *in, size_t in_len, const unsigned char *ad, + size_t ad_len) +{ const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; unsigned char mac[POLY1305_TAG_LEN]; unsigned char poly1305_key[32]; @@ -189,11 +188,10 @@ static ssize_t aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, poly1305_state poly1305; const uint64_t in_len_64 = in_len; - if (in_len < c20_ctx->tag_len) - { + if (in_len < c20_ctx->tag_len) { EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_BAD_DECRYPT); return -1; - } + } /* The underlying ChaCha implementation may not overflow the block * counter into the second counter word. Therefore we disallow @@ -202,46 +200,44 @@ static ssize_t aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, * 32-bits and this produces a warning because it's always false. * Casting to uint64_t inside the conditional is not sufficient to stop * the warning. */ - if (in_len_64 >= (1ull << 32)*64-64) - { + if (in_len_64 >= (1ull << 32)*64 - 64) { EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_TOO_LARGE); return -1; - } + } - if (nonce_len != CHACHA20_NONCE_LEN) - { + if (nonce_len != CHACHA20_NONCE_LEN) { EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_IV_TOO_LARGE); return -1; - } + } out_len = in_len - c20_ctx->tag_len; - if (max_out_len < out_len) - { - EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_BUFFER_TOO_SMALL); + if (max_out_len < out_len) { + EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, + EVP_R_BUFFER_TOO_SMALL); return -1; - } + } memset(poly1305_key, 0, sizeof(poly1305_key)); - CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), c20_ctx->key, nonce, 0); + CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), + c20_ctx->key, nonce, 0); CRYPTO_poly1305_init(&poly1305, poly1305_key); poly1305_update_with_length(&poly1305, ad, ad_len); poly1305_update_with_length(&poly1305, in, out_len); CRYPTO_poly1305_finish(&poly1305, mac); - if (CRYPTO_memcmp(mac, in + out_len, c20_ctx->tag_len) != 0) - { + if (CRYPTO_memcmp(mac, in + out_len, c20_ctx->tag_len) != 0) { EVPerr(EVP_F_AEAD_CHACHA20_POLY1305_OPEN, EVP_R_BAD_DECRYPT); return -1; - } + } CRYPTO_chacha_20(out, in, out_len, c20_ctx->key, nonce, 1); + return out_len; - } +} -static const EVP_AEAD aead_chacha20_poly1305 = - { +static const EVP_AEAD aead_chacha20_poly1305 = { 32, /* key len */ CHACHA20_NONCE_LEN, /* nonce len */ POLY1305_TAG_LEN, /* overhead */ @@ -251,11 +247,12 @@ static const EVP_AEAD aead_chacha20_poly1305 = aead_chacha20_poly1305_cleanup, aead_chacha20_poly1305_seal, aead_chacha20_poly1305_open, - }; +}; -const EVP_AEAD *EVP_aead_chacha20_poly1305() - { +const EVP_AEAD * +EVP_aead_chacha20_poly1305() +{ return &aead_chacha20_poly1305; - } +} #endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */ |