doxygen/chacha20poly1305_8cpp_source.html

/*

* ChaCha20Poly1305 AEAD

* (C) 2014,2016,2018 Jack Lloyd

* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/internal/chacha20poly1305.h>


#include <botan/internal/ct_utils.h>

#include <botan/internal/loadstor.h>


namespace Botan {


ChaCha20Poly1305_Mode::ChaCha20Poly1305_Mode() :

      m_chacha(StreamCipher::create("ChaCha")), m_poly1305(MessageAuthenticationCode::create("Poly1305")) {

   if(!m_chacha || !m_poly1305) {

      throw Algorithm_Not_Found("ChaCha20Poly1305");

   }

}


bool ChaCha20Poly1305_Mode::valid_nonce_length(size_t n) const {

   return (n == 8 || n == 12 || n == 24);

}


size_t ChaCha20Poly1305_Mode::update_granularity() const {

   return 1;

}


size_t ChaCha20Poly1305_Mode::ideal_granularity() const {

   return 128;

}


void ChaCha20Poly1305_Mode::clear() {

   m_chacha->clear();

   m_poly1305->clear();

   reset();

}


void ChaCha20Poly1305_Mode::reset() {

   m_ad.clear();

   m_ctext_len = 0;

   m_nonce_len = 0;

}


bool ChaCha20Poly1305_Mode::has_keying_material() const {

   return m_chacha->has_keying_material();

}


void ChaCha20Poly1305_Mode::key_schedule(std::span<const uint8_t> key) {

   m_chacha->set_key(key);

}


void ChaCha20Poly1305_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {

   BOTAN_ARG_CHECK(idx == 0, "ChaCha20Poly1305: cannot handle non-zero index in set_associated_data_n");

   if(m_ctext_len > 0 || m_nonce_len > 0) {

      throw Invalid_State("Cannot set AD for ChaCha20Poly1305 while processing a message");

   }

   m_ad.assign(ad.begin(), ad.end());

}


void ChaCha20Poly1305_Mode::update_len(size_t len) {

   uint8_t len8[8] = {0};

   store_le(static_cast<uint64_t>(len), len8);

   m_poly1305->update(len8, 8);

}


void ChaCha20Poly1305_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {

   if(!valid_nonce_length(nonce_len)) {

      throw Invalid_IV_Length(name(), nonce_len);

   }


   m_ctext_len = 0;

   m_nonce_len = nonce_len;


   m_chacha->set_iv(nonce, nonce_len);


   uint8_t first_block[64];

   m_chacha->write_keystream(first_block, sizeof(first_block));


   m_poly1305->set_key(first_block, 32);

   // Remainder of first block is discarded

   secure_scrub_memory(first_block, sizeof(first_block));


   m_poly1305->update(m_ad);


   if(cfrg_version()) {

      if(m_ad.size() % 16 != 0) {

         const uint8_t zeros[16] = {0};

         m_poly1305->update(zeros, 16 - m_ad.size() % 16);

      }

   } else {

      update_len(m_ad.size());

   }

}


size_t ChaCha20Poly1305_Encryption::process_msg(uint8_t buf[], size_t sz) {

   m_chacha->cipher1(buf, sz);

   m_poly1305->update(buf, sz);  // poly1305 of ciphertext

   m_ctext_len += sz;

   return sz;

}


void ChaCha20Poly1305_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {

   update(buffer, offset);

   if(cfrg_version()) {

      if(m_ctext_len % 16 != 0) {

         const uint8_t zeros[16] = {0};

         m_poly1305->update(zeros, 16 - m_ctext_len % 16);

      }

      update_len(m_ad.size());

   }

   update_len(m_ctext_len);


   buffer.resize(buffer.size() + tag_size());

   m_poly1305->final(&buffer[buffer.size() - tag_size()]);

   m_ctext_len = 0;

   m_nonce_len = 0;

}


size_t ChaCha20Poly1305_Decryption::process_msg(uint8_t buf[], size_t sz) {

   m_poly1305->update(buf, sz);  // poly1305 of ciphertext

   m_chacha->cipher1(buf, sz);

   m_ctext_len += sz;

   return sz;

}


void ChaCha20Poly1305_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {

   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

   const size_t sz = buffer.size() - offset;

   uint8_t* buf = buffer.data() + offset;


   BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");


   const size_t remaining = sz - tag_size();


   if(remaining > 0) {

      m_poly1305->update(buf, remaining);  // poly1305 of ciphertext

      m_chacha->cipher1(buf, remaining);

      m_ctext_len += remaining;

   }


   if(cfrg_version()) {

      if(m_ctext_len % 16 != 0) {

         const uint8_t zeros[16] = {0};

         m_poly1305->update(zeros, 16 - m_ctext_len % 16);

      }

      update_len(m_ad.size());

   }


   update_len(m_ctext_len);


   uint8_t mac[16];

   m_poly1305->final(mac);


   const uint8_t* included_tag = &buf[remaining];


   m_ctext_len = 0;

   m_nonce_len = 0;


   if(!CT::is_equal(mac, included_tag, tag_size()).as_bool()) {

      throw Invalid_Authentication_Tag("ChaCha20Poly1305 tag check failed");

   }

   buffer.resize(offset + remaining);

}


}  // namespace Botan

BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33

Botan::AEAD_Mode::create
static std::unique_ptr< AEAD_Mode > create(std::string_view algo, Cipher_Dir direction, std::string_view provider="")
Definition aead.cpp:54

Botan::Algorithm_Not_Found
Definition exceptn.h:250

Botan::ChaCha20Poly1305_Mode::m_ctext_len
size_t m_ctext_len
Definition chacha20poly1305.h:59

Botan::ChaCha20Poly1305_Mode::has_keying_material
bool has_keying_material() const final
Definition chacha20poly1305.cpp:47

Botan::ChaCha20Poly1305_Mode::set_associated_data_n
void set_associated_data_n(size_t idx, std::span< const uint8_t > ad) final
Definition chacha20poly1305.cpp:55

Botan::ChaCha20Poly1305_Mode::valid_nonce_length
bool valid_nonce_length(size_t n) const override
Definition chacha20poly1305.cpp:23

Botan::ChaCha20Poly1305_Mode::m_ad
secure_vector< uint8_t > m_ad
Definition chacha20poly1305.h:57

Botan::ChaCha20Poly1305_Mode::ideal_granularity
size_t ideal_granularity() const override
Definition chacha20poly1305.cpp:31

Botan::ChaCha20Poly1305_Mode::ChaCha20Poly1305_Mode
ChaCha20Poly1305_Mode()
Definition chacha20poly1305.cpp:16

Botan::ChaCha20Poly1305_Mode::name
std::string name() const override
Definition chacha20poly1305.h:33

Botan::ChaCha20Poly1305_Mode::m_chacha
std::unique_ptr< StreamCipher > m_chacha
Definition chacha20poly1305.h:52

Botan::ChaCha20Poly1305_Mode::update_granularity
size_t update_granularity() const override
Definition chacha20poly1305.cpp:27

Botan::ChaCha20Poly1305_Mode::cfrg_version
bool cfrg_version() const
Definition chacha20poly1305.h:61

Botan::ChaCha20Poly1305_Mode::tag_size
size_t tag_size() const override
Definition chacha20poly1305.h:43

Botan::ChaCha20Poly1305_Mode::update_len
void update_len(size_t len)
Definition chacha20poly1305.cpp:63

Botan::ChaCha20Poly1305_Mode::reset
void reset() override
Definition chacha20poly1305.cpp:41

Botan::ChaCha20Poly1305_Mode::clear
void clear() override
Definition chacha20poly1305.cpp:35

Botan::ChaCha20Poly1305_Mode::m_poly1305
std::unique_ptr< MessageAuthenticationCode > m_poly1305
Definition chacha20poly1305.h:53

Botan::ChaCha20Poly1305_Mode::m_nonce_len
size_t m_nonce_len
Definition chacha20poly1305.h:58

Botan::Cipher_Mode::update
void update(T &buffer, size_t offset=0)
Definition cipher_mode.h:149

Botan::Invalid_IV_Length
Definition exceptn.h:163

Botan::Invalid_State
Definition exceptn.h:206

Botan::MessageAuthenticationCode
Definition mac.h:23

Botan::StreamCipher
Definition stream_cipher.h:24

Botan::CT::is_equal
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:826

Botan
Definition alg_id.cpp:13

Botan::secure_scrub_memory
void secure_scrub_memory(void *ptr, size_t n)
Definition mem_utils.cpp:24

Botan::store_le
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:736

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69