Botan 3.9.0
Crypto and TLS for C&
chacha20poly1305.h
Go to the documentation of this file.
1/*
2* ChaCha20Poly1305 AEAD
3* (C) 2014 Jack Lloyd
4* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#ifndef BOTAN_AEAD_CHACHA20_POLY1305_H_
10#define BOTAN_AEAD_CHACHA20_POLY1305_H_
11
12#include <botan/aead.h>
13
14#include <botan/assert.h>
15#include <botan/mac.h>
16#include <botan/stream_cipher.h>
17
18namespace Botan {
19
20/**
21* Base class
22* See draft-irtf-cfrg-chacha20-poly1305-03 for specification
23* If a nonce of 64 bits is used the older version described in
24* draft-agl-tls-chacha20poly1305-04 is used instead.
25* If a nonce of 192 bits is used, XChaCha20Poly1305 is selected.
26*/
28 public:
29 void set_associated_data_n(size_t idx, std::span<const uint8_t> ad) final;
30
31 bool associated_data_requires_key() const override { return false; }
32
33 std::string name() const override { return "ChaCha20Poly1305"; }
34
35 size_t update_granularity() const override;
36
37 size_t ideal_granularity() const override;
38
40
41 bool valid_nonce_length(size_t n) const override;
42
43 size_t tag_size() const override { return 16; }
44
45 void clear() override;
46
47 void reset() override;
48
49 bool has_keying_material() const final;
50
51 protected:
52 std::unique_ptr<StreamCipher> m_chacha; // NOLINT(*non-private-member-variable*)
53 std::unique_ptr<MessageAuthenticationCode> m_poly1305; // NOLINT(*non-private-member-variable*)
54
56
57 secure_vector<uint8_t> m_ad; // NOLINT(*non-private-member-variable*)
58 size_t m_nonce_len = 0; // NOLINT(*non-private-member-variable*)
59 size_t m_ctext_len = 0; // NOLINT(*non-private-member-variable*)
60
61 bool cfrg_version() const { return m_nonce_len == 12 || m_nonce_len == 24; }
62
63 void update_len(size_t len);
64
65 private:
66 void start_msg(const uint8_t nonce[], size_t nonce_len) override;
67
68 void key_schedule(std::span<const uint8_t> key) override;
69};
70
71/**
72* ChaCha20Poly1305 Encryption
73*/
75 public:
76 size_t output_length(size_t input_length) const override { return input_length + tag_size(); }
77
78 size_t minimum_final_size() const override { return 0; }
79
80 private:
81 size_t process_msg(uint8_t buf[], size_t size) override;
82 void finish_msg(secure_vector<uint8_t>& final_block, size_t offset = 0) override;
83};
84
85/**
86* ChaCha20Poly1305 Decryption
87*/
89 public:
90 size_t output_length(size_t input_length) const override {
91 BOTAN_ARG_CHECK(input_length >= tag_size(), "Sufficient input");
92 return input_length - tag_size();
93 }
94
95 size_t minimum_final_size() const override { return tag_size(); }
96
97 private:
98 size_t process_msg(uint8_t buf[], size_t size) override;
99 void finish_msg(secure_vector<uint8_t>& final_block, size_t offset = 0) override;
100};
101
102} // namespace Botan
103
104#endif
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
size_t output_length(size_t input_length) const override
size_t minimum_final_size() const override
size_t minimum_final_size() const override
size_t output_length(size_t input_length) const override
bool has_keying_material() const final
void set_associated_data_n(size_t idx, std::span< const uint8_t > ad) final
bool valid_nonce_length(size_t n) const override
secure_vector< uint8_t > m_ad
size_t ideal_granularity() const override
std::string name() const override
std::unique_ptr< StreamCipher > m_chacha
size_t update_granularity() const override
size_t tag_size() const override
bool associated_data_requires_key() const override
Key_Length_Specification key_spec() const override
std::unique_ptr< MessageAuthenticationCode > m_poly1305
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69