Absolute File Name: | /home/opencoverage/opencoverage/guest-scripts/libressl/src/crypto/evp/e_chacha20poly1305.c |
Source code | Switch to Preprocessed file |
Line | Source | Count | ||||||
---|---|---|---|---|---|---|---|---|
1 | /* $OpenBSD: e_chacha20poly1305.c,v 1.18 2017/08/28 17:48:02 jsing Exp $ */ | - | ||||||
2 | - | |||||||
3 | /* | - | ||||||
4 | * Copyright (c) 2015 Reyk Floter <reyk@openbsd.org> | - | ||||||
5 | * Copyright (c) 2014, Google Inc. | - | ||||||
6 | * | - | ||||||
7 | * Permission to use, copy, modify, and/or distribute this software for any | - | ||||||
8 | * purpose with or without fee is hereby granted, provided that the above | - | ||||||
9 | * copyright notice and this permission notice appear in all copies. | - | ||||||
10 | * | - | ||||||
11 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | - | ||||||
12 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | - | ||||||
13 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY | - | ||||||
14 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | - | ||||||
15 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION | - | ||||||
16 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN | - | ||||||
17 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | - | ||||||
18 | */ | - | ||||||
19 | - | |||||||
20 | #include <stdint.h> | - | ||||||
21 | #include <string.h> | - | ||||||
22 | - | |||||||
23 | #include <openssl/opensslconf.h> | - | ||||||
24 | - | |||||||
25 | #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) | - | ||||||
26 | - | |||||||
27 | #include <openssl/err.h> | - | ||||||
28 | #include <openssl/evp.h> | - | ||||||
29 | #include <openssl/chacha.h> | - | ||||||
30 | #include <openssl/poly1305.h> | - | ||||||
31 | - | |||||||
32 | #include "evp_locl.h" | - | ||||||
33 | - | |||||||
34 | #define POLY1305_TAG_LEN 16 | - | ||||||
35 | - | |||||||
36 | #define CHACHA20_CONSTANT_LEN 4 | - | ||||||
37 | #define CHACHA20_IV_LEN 8 | - | ||||||
38 | #define CHACHA20_NONCE_LEN (CHACHA20_CONSTANT_LEN + CHACHA20_IV_LEN) | - | ||||||
39 | - | |||||||
40 | struct aead_chacha20_poly1305_ctx { | - | ||||||
41 | unsigned char key[32]; | - | ||||||
42 | unsigned char tag_len; | - | ||||||
43 | }; | - | ||||||
44 | - | |||||||
45 | static int | - | ||||||
46 | aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const unsigned char *key, | - | ||||||
47 | size_t key_len, size_t tag_len) | - | ||||||
48 | { | - | ||||||
49 | struct aead_chacha20_poly1305_ctx *c20_ctx; | - | ||||||
50 | - | |||||||
51 | if (tag_len == 0)
| 4-68 | ||||||
52 | tag_len = POLY1305_TAG_LEN; executed 68 times by 2 tests: tag_len = 16; Executed by:
| 68 | ||||||
53 | - | |||||||
54 | if (tag_len > POLY1305_TAG_LEN) {
| 0-72 | ||||||
55 | EVPerror(EVP_R_TOO_LARGE); | - | ||||||
56 | return 0; never executed: return 0; | 0 | ||||||
57 | } | - | ||||||
58 | - | |||||||
59 | /* Internal error - EVP_AEAD_CTX_init should catch this. */ | - | ||||||
60 | if (key_len != sizeof(c20_ctx->key))
| 0-72 | ||||||
61 | return 0; never executed: return 0; | 0 | ||||||
62 | - | |||||||
63 | c20_ctx = malloc(sizeof(struct aead_chacha20_poly1305_ctx)); | - | ||||||
64 | if (c20_ctx == NULL)
| 0-72 | ||||||
65 | return 0; never executed: return 0; | 0 | ||||||
66 | - | |||||||
67 | memcpy(&c20_ctx->key[0], key, key_len); | - | ||||||
68 | c20_ctx->tag_len = tag_len; | - | ||||||
69 | ctx->aead_state = c20_ctx; | - | ||||||
70 | - | |||||||
71 | return 1; executed 72 times by 3 tests: return 1; Executed by:
| 72 | ||||||
72 | } | - | ||||||
73 | - | |||||||
74 | static void | - | ||||||
75 | aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) | - | ||||||
76 | { | - | ||||||
77 | struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; | - | ||||||
78 | - | |||||||
79 | freezero(c20_ctx, sizeof(*c20_ctx)); | - | ||||||
80 | } executed 72 times by 3 tests: end of block Executed by:
| 72 | ||||||
81 | - | |||||||
82 | static void | - | ||||||
83 | poly1305_update_with_length(poly1305_state *poly1305, | - | ||||||
84 | const unsigned char *data, size_t data_len) | - | ||||||
85 | { | - | ||||||
86 | size_t j = data_len; | - | ||||||
87 | unsigned char length_bytes[8]; | - | ||||||
88 | unsigned i; | - | ||||||
89 | - | |||||||
90 | for (i = 0; i < sizeof(length_bytes); i++) {
| 332-2656 | ||||||
91 | length_bytes[i] = j; | - | ||||||
92 | j >>= 8; | - | ||||||
93 | } executed 2656 times by 3 tests: end of block Executed by:
| 2656 | ||||||
94 | - | |||||||
95 | if (data != NULL)
| 0-332 | ||||||
96 | CRYPTO_poly1305_update(poly1305, data, data_len); never executed: CRYPTO_poly1305_update(poly1305, data, data_len); | 0 | ||||||
97 | CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes)); | - | ||||||
98 | } executed 332 times by 3 tests: end of block Executed by:
| 332 | ||||||
99 | - | |||||||
100 | static void | - | ||||||
101 | poly1305_update_with_pad16(poly1305_state *poly1305, | - | ||||||
102 | const unsigned char *data, size_t data_len) | - | ||||||
103 | { | - | ||||||
104 | static const unsigned char zero_pad16[16]; | - | ||||||
105 | size_t pad_len; | - | ||||||
106 | - | |||||||
107 | CRYPTO_poly1305_update(poly1305, data, data_len); | - | ||||||
108 | - | |||||||
109 | /* pad16() is defined in RFC 7539 2.8.1. */ | - | ||||||
110 | if ((pad_len = data_len % 16) == 0)
| 123-209 | ||||||
111 | return; executed 123 times by 3 tests: return; Executed by:
| 123 | ||||||
112 | - | |||||||
113 | CRYPTO_poly1305_update(poly1305, zero_pad16, 16 - pad_len); | - | ||||||
114 | } executed 209 times by 3 tests: end of block Executed by:
| 209 | ||||||
115 | - | |||||||
116 | static int | - | ||||||
117 | aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, | - | ||||||
118 | size_t *out_len, size_t max_out_len, const unsigned char *nonce, | - | ||||||
119 | size_t nonce_len, const unsigned char *in, size_t in_len, | - | ||||||
120 | const unsigned char *ad, size_t ad_len) | - | ||||||
121 | { | - | ||||||
122 | const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; | - | ||||||
123 | unsigned char poly1305_key[32]; | - | ||||||
124 | poly1305_state poly1305; | - | ||||||
125 | const unsigned char *iv; | - | ||||||
126 | const uint64_t in_len_64 = in_len; | - | ||||||
127 | uint64_t ctr; | - | ||||||
128 | - | |||||||
129 | /* The underlying ChaCha implementation may not overflow the block | - | ||||||
130 | * counter into the second counter word. Therefore we disallow | - | ||||||
131 | * individual operations that work on more than 2TB at a time. | - | ||||||
132 | * in_len_64 is needed because, on 32-bit platforms, size_t is only | - | ||||||
133 | * 32-bits and this produces a warning because it's always false. | - | ||||||
134 | * Casting to uint64_t inside the conditional is not sufficient to stop | - | ||||||
135 | * the warning. */ | - | ||||||
136 | if (in_len_64 >= (1ULL << 32) * 64 - 64) {
| 0-98 | ||||||
137 | EVPerror(EVP_R_TOO_LARGE); | - | ||||||
138 | return 0; never executed: return 0; | 0 | ||||||
139 | } | - | ||||||
140 | - | |||||||
141 | if (max_out_len < in_len + c20_ctx->tag_len) {
| 0-98 | ||||||
142 | EVPerror(EVP_R_BUFFER_TOO_SMALL); | - | ||||||
143 | return 0; never executed: return 0; | 0 | ||||||
144 | } | - | ||||||
145 | - | |||||||
146 | if (nonce_len != ctx->aead->nonce_len) {
| 0-98 | ||||||
147 | EVPerror(EVP_R_IV_TOO_LARGE); | - | ||||||
148 | return 0; never executed: return 0; | 0 | ||||||
149 | } | - | ||||||
150 | - | |||||||
151 | ctr = (uint64_t)(nonce[0] | nonce[1] << 8 | | - | ||||||
152 | nonce[2] << 16 | nonce[3] << 24) << 32; | - | ||||||
153 | iv = nonce + CHACHA20_CONSTANT_LEN; | - | ||||||
154 | - | |||||||
155 | memset(poly1305_key, 0, sizeof(poly1305_key)); | - | ||||||
156 | CRYPTO_chacha_20(poly1305_key, poly1305_key, | - | ||||||
157 | sizeof(poly1305_key), c20_ctx->key, iv, ctr); | - | ||||||
158 | - | |||||||
159 | CRYPTO_poly1305_init(&poly1305, poly1305_key); | - | ||||||
160 | poly1305_update_with_pad16(&poly1305, ad, ad_len); | - | ||||||
161 | CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, iv, ctr + 1); | - | ||||||
162 | poly1305_update_with_pad16(&poly1305, out, in_len); | - | ||||||
163 | poly1305_update_with_length(&poly1305, NULL, ad_len); | - | ||||||
164 | poly1305_update_with_length(&poly1305, NULL, in_len); | - | ||||||
165 | - | |||||||
166 | if (c20_ctx->tag_len != POLY1305_TAG_LEN) {
| 0-98 | ||||||
167 | unsigned char tag[POLY1305_TAG_LEN]; | - | ||||||
168 | CRYPTO_poly1305_finish(&poly1305, tag); | - | ||||||
169 | memcpy(out + in_len, tag, c20_ctx->tag_len); | - | ||||||
170 | *out_len = in_len + c20_ctx->tag_len; | - | ||||||
171 | return 1; never executed: return 1; | 0 | ||||||
172 | } | - | ||||||
173 | - | |||||||
174 | CRYPTO_poly1305_finish(&poly1305, out + in_len); | - | ||||||
175 | *out_len = in_len + POLY1305_TAG_LEN; | - | ||||||
176 | return 1; executed 98 times by 3 tests: return 1; Executed by:
| 98 | ||||||
177 | } | - | ||||||
178 | - | |||||||
179 | static int | - | ||||||
180 | aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out, | - | ||||||
181 | size_t *out_len, size_t max_out_len, const unsigned char *nonce, | - | ||||||
182 | size_t nonce_len, const unsigned char *in, size_t in_len, | - | ||||||
183 | const unsigned char *ad, size_t ad_len) | - | ||||||
184 | { | - | ||||||
185 | const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; | - | ||||||
186 | unsigned char mac[POLY1305_TAG_LEN]; | - | ||||||
187 | unsigned char poly1305_key[32]; | - | ||||||
188 | const unsigned char *iv = nonce; | - | ||||||
189 | poly1305_state poly1305; | - | ||||||
190 | const uint64_t in_len_64 = in_len; | - | ||||||
191 | size_t plaintext_len; | - | ||||||
192 | uint64_t ctr = 0; | - | ||||||
193 | - | |||||||
194 | if (in_len < c20_ctx->tag_len) {
| 0-68 | ||||||
195 | EVPerror(EVP_R_BAD_DECRYPT); | - | ||||||
196 | return 0; never executed: return 0; | 0 | ||||||
197 | } | - | ||||||
198 | - | |||||||
199 | /* The underlying ChaCha implementation may not overflow the block | - | ||||||
200 | * counter into the second counter word. Therefore we disallow | - | ||||||
201 | * individual operations that work on more than 2TB at a time. | - | ||||||
202 | * in_len_64 is needed because, on 32-bit platforms, size_t is only | - | ||||||
203 | * 32-bits and this produces a warning because it's always false. | - | ||||||
204 | * Casting to uint64_t inside the conditional is not sufficient to stop | - | ||||||
205 | * the warning. */ | - | ||||||
206 | if (in_len_64 >= (1ULL << 32) * 64 - 64) {
| 0-68 | ||||||
207 | EVPerror(EVP_R_TOO_LARGE); | - | ||||||
208 | return 0; never executed: return 0; | 0 | ||||||
209 | } | - | ||||||
210 | - | |||||||
211 | if (nonce_len != ctx->aead->nonce_len) {
| 0-68 | ||||||
212 | EVPerror(EVP_R_IV_TOO_LARGE); | - | ||||||
213 | return 0; never executed: return 0; | 0 | ||||||
214 | } | - | ||||||
215 | - | |||||||
216 | plaintext_len = in_len - c20_ctx->tag_len; | - | ||||||
217 | - | |||||||
218 | if (max_out_len < plaintext_len) {
| 0-68 | ||||||
219 | EVPerror(EVP_R_BUFFER_TOO_SMALL); | - | ||||||
220 | return 0; never executed: return 0; | 0 | ||||||
221 | } | - | ||||||
222 | - | |||||||
223 | ctr = (uint64_t)(nonce[0] | nonce[1] << 8 | | - | ||||||
224 | nonce[2] << 16 | nonce[3] << 24) << 32; | - | ||||||
225 | iv = nonce + CHACHA20_CONSTANT_LEN; | - | ||||||
226 | - | |||||||
227 | memset(poly1305_key, 0, sizeof(poly1305_key)); | - | ||||||
228 | CRYPTO_chacha_20(poly1305_key, poly1305_key, | - | ||||||
229 | sizeof(poly1305_key), c20_ctx->key, iv, ctr); | - | ||||||
230 | - | |||||||
231 | CRYPTO_poly1305_init(&poly1305, poly1305_key); | - | ||||||
232 | poly1305_update_with_pad16(&poly1305, ad, ad_len); | - | ||||||
233 | poly1305_update_with_pad16(&poly1305, in, plaintext_len); | - | ||||||
234 | poly1305_update_with_length(&poly1305, NULL, ad_len); | - | ||||||
235 | poly1305_update_with_length(&poly1305, NULL, plaintext_len); | - | ||||||
236 | - | |||||||
237 | CRYPTO_poly1305_finish(&poly1305, mac); | - | ||||||
238 | - | |||||||
239 | if (timingsafe_memcmp(mac, in + plaintext_len, c20_ctx->tag_len) != 0) {
| 4-64 | ||||||
240 | EVPerror(EVP_R_BAD_DECRYPT); | - | ||||||
241 | return 0; executed 4 times by 1 test: return 0; Executed by:
| 4 | ||||||
242 | } | - | ||||||
243 | - | |||||||
244 | CRYPTO_chacha_20(out, in, plaintext_len, c20_ctx->key, iv, ctr + 1); | - | ||||||
245 | *out_len = plaintext_len; | - | ||||||
246 | return 1; executed 64 times by 3 tests: return 1; Executed by:
| 64 | ||||||
247 | } | - | ||||||
248 | - | |||||||
249 | /* RFC 7539 */ | - | ||||||
250 | static const EVP_AEAD aead_chacha20_poly1305 = { | - | ||||||
251 | .key_len = 32, | - | ||||||
252 | .nonce_len = CHACHA20_NONCE_LEN, | - | ||||||
253 | .overhead = POLY1305_TAG_LEN, | - | ||||||
254 | .max_tag_len = POLY1305_TAG_LEN, | - | ||||||
255 | - | |||||||
256 | .init = aead_chacha20_poly1305_init, | - | ||||||
257 | .cleanup = aead_chacha20_poly1305_cleanup, | - | ||||||
258 | .seal = aead_chacha20_poly1305_seal, | - | ||||||
259 | .open = aead_chacha20_poly1305_open, | - | ||||||
260 | }; | - | ||||||
261 | - | |||||||
262 | const EVP_AEAD * | - | ||||||
263 | EVP_aead_chacha20_poly1305() | - | ||||||
264 | { | - | ||||||
265 | return &aead_chacha20_poly1305; executed 38 times by 3 tests: return &aead_chacha20_poly1305; Executed by:
| 38 | ||||||
266 | } | - | ||||||
267 | - | |||||||
268 | #endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */ | - | ||||||
Source code | Switch to Preprocessed file |