Merge pull request #10220 from bergzand/pr/crypto/chacha20poly1305

chacha20poly1305: Initial implementation of AEAD cipher.

sys/crypto/chacha20poly1305.c

@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2008  D. J. Bernstein  (dedicated to the public domain)
+ * Copyright (C) 2015  René Kijewski  <rene.kijewski@fu-berlin.de>
+ * Copyright (C) 2018  Koen Zandberg
+ *
+ * This file is subject to the terms and conditions of the GNU Lesser
+ * General Public License v2.1. See the file LICENSE in the top level
+ * directory for more details.
+ */
+
+/**
+ * @ingroup sys_crypto_chacha20poly1305
+ * @{
+ * @file
+ * @brief   Implementation of the chacha20poly1305 aead cipher
+ *
+ * @author  Koen Zandberg <koen@bergzand.net>
+ * @see     https://tools.ietf.org/html/rfc8439
+ * @}
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "crypto/helper.h"
+#include "crypto/chacha20poly1305.h"
+#include "crypto/poly1305.h"
+
+/* Missing operations to convert numbers to little endian prevents this from
+ * working on big endian systems */
+#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
+#   error "This code is implementented in a way that it will only work for little-endian systems!"
+#endif
+
+/* Nothing to hide here, Literally "expand 32-byte k" */
+static const uint32_t constant[] = {0x61707865,
+                                    0x3320646e,
+                                    0x79622d32,
+                                    0x6b206574};
+
+/* Padding to add to the poly1305 authentication tag */
+static const uint8_t padding[15] = {0};
+
+static uint32_t u8to32(const uint8_t *p)
+{
+    return
+        ((uint32_t)p[0] |
+        ((uint32_t)p[1] <<  8) |
+        ((uint32_t)p[2] << 16) |
+        ((uint32_t)p[3] << 24));
+}
+
+/* Single round */
+void _r(uint32_t *a, uint32_t *b, uint32_t *d, unsigned c)
+{
+    *a += *b;
+    uint32_t tmp = *a ^ *d;
+    *d = (tmp << c) | (tmp >> (32 - c));
+}
+
+void _add_initial(chacha20poly1305_ctx_t *ctx, const uint8_t *key,
+                  const uint8_t *nonce, uint32_t blk)
+{
+    for (unsigned i = 0; i < 4; i++) {
+        ctx->state[i] += constant[i];
+    }
+    for (unsigned i = 0; i < 8; i++) {
+        ctx->state[i+4] += u8to32(key + 4*i);
+    }
+    ctx->state[12] += u8to32((uint8_t*)&blk);
+    ctx->state[13] += u8to32(nonce);
+    ctx->state[14] += u8to32(nonce+4);
+    ctx->state[15] += u8to32(nonce+8);
+}
+
+void _keystream(chacha20poly1305_ctx_t *ctx, const uint8_t *key,
+                const uint8_t *nonce, uint32_t blk)
+{
+    /* Initialize block state */
+    memset(ctx->state, 0, sizeof(ctx->state));
+    _add_initial(ctx, key, nonce, blk);
+
+    /* perform rounds */
+    for (unsigned i = 0; i < 80; ++i) {
+        uint32_t *a = &ctx->state[((i                    ) & 3)          ];
+        uint32_t *b = &ctx->state[((i + ((i & 4) ? 1 : 0)) & 3) + (4 * 1)];
+        uint32_t *c = &ctx->state[((i + ((i & 4) ? 2 : 0)) & 3) + (4 * 2)];
+        uint32_t *d = &ctx->state[((i + ((i & 4) ? 3 : 0)) & 3) + (4 * 3)];
+        _r(a, b, d, 16);
+        _r(c, d, b, 12);
+        _r(a, b, d, 8);
+        _r(c, d, b, 7);
+    }
+    /* add initial state */
+    _add_initial(ctx, key, nonce, blk);
+}
+
+void _xcrypt(chacha20poly1305_ctx_t *ctx, const uint8_t *key,
+              const uint8_t *nonce, const uint8_t *in, uint8_t *out, size_t len)
+{
+    /* Number of full 64 byte blocks */
+    const size_t num_blocks = len >> 6;
+    size_t pos = 0;
+    /* xcrypt full blocks */
+    for (size_t i = 0; i < num_blocks; i++, pos += 64) {
+        _keystream(ctx, key, nonce, i+1);
+        for (size_t j = 0; j < 64; j++) {
+            out[pos+j] = in[pos+j] ^ ((uint8_t*)ctx->state)[j];
+        }
+    }
+    /* xcrypt remaining bytes */
+    if (len - pos) {
+        _keystream(ctx, key, nonce, num_blocks+1);
+        for (size_t j = 0; j < len - pos; j++) {
+            out[pos+j] = in[pos+j] ^ ((uint8_t*)ctx->state)[j];
+        }
+    }
+}
+
+void _poly1305_padded(poly1305_ctx_t *pctx, const uint8_t *data, size_t len)
+{
+    poly1305_update(pctx, data, len);
+    const size_t padlen = (16 - len) & 0xF;
+    poly1305_update(pctx, padding, padlen);
+}
+
+/* Generate a poly1305 tag */
+void _poly1305_gentag(uint8_t *mac, const uint8_t *key, const uint8_t *nonce,
+                      const uint8_t *cipher, size_t cipherlen,
+                      const uint8_t *aad, size_t aadlen)
+{
+    chacha20poly1305_ctx_t ctx;
+    /* generate one time key */
+    _keystream(&ctx, key, nonce, 0);
+    poly1305_init(&ctx.poly, (uint8_t*)ctx.state);
+    /* Add aad */
+    _poly1305_padded(&ctx.poly, aad, aadlen);
+    /* Add ciphertext */
+    _poly1305_padded(&ctx.poly, cipher, cipherlen);
+    /* Add aad length */
+    const uint64_t lengths[2] = {aadlen, cipherlen};
+    poly1305_update(&ctx.poly, (uint8_t*)lengths, sizeof(lengths));
+    poly1305_finish(&ctx.poly, mac);
+    crypto_secure_wipe(&ctx, sizeof(ctx));
+}
+
+void chacha20poly1305_encrypt(uint8_t *cipher, const uint8_t *msg,
+                              size_t msglen, const uint8_t *aad, size_t aadlen,
+                              const uint8_t *key, const uint8_t *nonce)
+{
+    chacha20poly1305_ctx_t ctx;
+    _xcrypt(&ctx, key, nonce, msg, cipher, msglen);
+    crypto_secure_wipe(&ctx, sizeof(ctx));
+    /* Generate tag */
+    _poly1305_gentag(&cipher[msglen], key, nonce,
+                    cipher, msglen, aad, aadlen);
+    /* Wipe structures */
+}
+
+int chacha20poly1305_decrypt(const uint8_t *cipher, size_t cipherlen,
+                             uint8_t *msg, size_t *msglen,
+                             const uint8_t *aad, size_t aadlen,
+                             const uint8_t *key, const uint8_t *nonce)
+{
+    *msglen = cipherlen - CHACHA20POLY1305_TAG_BYTES;
+    uint8_t mac[16];
+    _poly1305_gentag(mac, key, nonce, cipher,
+                     cipherlen - CHACHA20POLY1305_TAG_BYTES, aad, aadlen);
+    if (crypto_equals(cipher+*msglen, mac, CHACHA20POLY1305_TAG_BYTES) == 0) {
+        return 0;
+    }
+    chacha20poly1305_ctx_t ctx;
+    /* Number of full blocks */
+    _xcrypt(&ctx, key, nonce, cipher, msg, *msglen);
+    return 1;
+}

sys/include/crypto/chacha20poly1305.h

@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2018 Koen Zandberg
+ *
+ * This file is subject to the terms and conditions of the GNU Lesser
+ * General Public License v2.1. See the file LICENSE in the top level
+ * directory for more details.
+ */
+
+/**
+ * @defgroup    sys_crypto_chacha20poly1305 chacha20poly1305 AEAD cipher
+ * @ingroup     sys_crypto
+ * @brief       Provides RFC 8439 style chacha20poly1305
+ *
+ * This module provides the chacha20poly1305 AEAD symmetric cipher following
+ * [rfc 8439](https://tools.ietf.org/html/rfc8439).
+ *
+ * Nonces must be unique per message for a single key. They are allowed to be
+ * predictable, e.g. a message counter and are allowed to be visible during
+ * transmission.
+ * @{
+ *
+ * @file
+ * @brief       Chacha20poly1305 functions
+ *
+ * @author      Koen Zandberg <koen@bergzand.net>
+ */
+
+#ifndef CRYPTO_CHACHA20POLY1305_H
+#define CRYPTO_CHACHA20POLY1305_H
+
+#include "crypto/poly1305.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define CHACHA20POLY1305_KEY_BYTES      (32U) /**< Key length in bytes */
+#define CHACHA20POLY1305_NONCE_BYTES    (12U) /**< Nonce length in bytes */
+#define CHACHA20POLY1305_TAG_BYTES      (16U) /**< Tag length in bytes */
+
+/**
+ * @brief Chacha20poly1305 state struct
+ */
+typedef union
+{
+    /* We need both the state matrix and the poly1305 state, but nearly not at
+     * the same time. This works as long as the first 8 members of state
+     * overlap fully or completely not with the first and second key parts
+     * from the @ref poly1305_ctx_t struct */
+    uint32_t state[16];  /**< The current state of the key stream. */
+    poly1305_ctx_t poly; /**< Poly1305 state for the MAC */
+} chacha20poly1305_ctx_t;
+
+/**
+ * @brief Encrypt a plaintext to ciphertext and append a tag to protect the
+ * ciphertext and additional data.
+ *
+ * It is allowed to have cipher == msg as long
+ * as there is @ref CHACHA20POLY1305_TAG_BYTES space left to hold the
+ * authentication tag
+ *
+ *
+ * @param[out]  cipher      resulting ciphertext, is CHACHA20POLY1305_TAG_BYTES
+ *                          longer than the message length
+ * @param[in]   msg         message to encrypt
+ * @param[in]   msglen      length in bytes of the message
+ * @param[in]   aad         additional authenticated data to protect
+ * @param[in]   aadlen      length of the additional authenticated data
+ * @param[in]   key         key to encrypt with, must be
+ *                          CHACHA20POLY1305_KEY_BYTES long
+ * @param[in]   nonce       Nonce to use. Must be CHACHA20POLY1305_NONCE_BYTES
+ *                          long
+ */
+void chacha20poly1305_encrypt(uint8_t *cipher, const uint8_t *msg,
+                              size_t msglen, const uint8_t *aad, size_t aadlen,
+                              const uint8_t *key, const uint8_t *nonce);
+
+/**
+ * @brief Verify the tag and decrypt a ciphertext to plaintext.
+ *
+ * It is allowed to have cipher == msg
+ *
+ * @param[in]   cipher      resulting ciphertext, is CHACHA20POLY1305_TAG_BYTES
+ *                          longer than the message length
+ * @param[in]   cipherlen   length of the ciphertext
+ * @param[out]  msg         message to encrypt
+ * @param[in]   msglen      resulting length in bytes of the message
+ * @param[in]   aad         additional authenticated data to verify
+ * @param[in]   aadlen      length of the additional authenticated data
+ * @param[in]   key         key to decrypt with, must be
+ *                          CHACHA20POLY1305_KEY_BYTES long
+ * @param[in]   nonce       Nonce to use. Must be CHACHA20POLY1305_NONCE_BYTES
+ *                          long
+ */
+int chacha20poly1305_decrypt(const uint8_t *cipher, size_t cipherlen,
+                             uint8_t *msg, size_t *msglen,
+                             const uint8_t *aad, size_t aadlen,
+                             const uint8_t *key, const uint8_t *nonce);
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* CRYPTO_CHACHA20POLY1305_H */
+/** @} */

tests/unittests/tests-crypto/tests-crypto-chacha20poly1305.c

@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2018 Koen Zandberg
+ *
+ * This file is subject to the terms and conditions of the GNU Lesser
+ * General Public License v2.1. See the file LICENSE in the top level
+ * directory for more details.
+ */
+
+#include "embUnit/embUnit.h"
+#include "tests-crypto.h"
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "crypto/chacha20poly1305.h"
+
+/* ciphertext buffer */
+uint8_t ebuf[1024];
+/* Plaintext buffer */
+uint8_t pbuf[1024];
+
+static const uint8_t key_1[32] = {
+    0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+    0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
+};
+
+static const uint8_t msg_1[] = {
+    0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
+    0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
+    0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39, 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
+    0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66, 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
+    0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20, 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
+    0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
+    0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
+    0x74, 0x2e
+};
+
+static const uint8_t aad_1[] = {
+    0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7
+};
+
+static const uint8_t nonce_1[] = {
+    0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47
+};
+
+static const uint8_t ciphertext_1[] = {
+    0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb, 0x7b, 0x86, 0xaf, 0xbc,
+    0x53, 0xef, 0x7e, 0xc2, 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
+    0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6, 0x3d, 0xbe, 0xa4, 0x5e,
+    0x8c, 0xa9, 0x67, 0x12, 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
+    0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29, 0x05, 0xd6, 0xa5, 0xb6,
+    0x7e, 0xcd, 0x3b, 0x36, 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
+    0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58, 0xfa, 0xb3, 0x24, 0xe4,
+    0xfa, 0xd6, 0x75, 0x94, 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
+    0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d, 0xe5, 0x76, 0xd2, 0x65,
+    0x86, 0xce, 0xc6, 0x4b, 0x61, 0x16, 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09,
+    0xe2, 0x6a, 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91,
+};
+
+static void _test_chacha20poly1305(const uint8_t *key, const uint8_t *nonce,
+                                   const uint8_t *msg, size_t msglen,
+                                   const uint8_t *aad, size_t aadlen)
+{
+    memcpy(ebuf, msg, msglen);
+    chacha20poly1305_encrypt(ebuf, msg, msglen, aad, aadlen, key, nonce);
+    TEST_ASSERT_EQUAL_INT(0, memcmp(ebuf, ciphertext_1, msglen + 16));
+    size_t len;
+    TEST_ASSERT_EQUAL_INT(1,
+            chacha20poly1305_decrypt(ebuf, msglen+16, pbuf, &len, aad, aadlen, key, nonce));
+    TEST_ASSERT_EQUAL_INT(0, memcmp(pbuf, msg_1, msglen));
+}
+
+static void test_crypto_chacha20poly1305_1(void)
+{
+    _test_chacha20poly1305(key_1, nonce_1, msg_1, sizeof(msg_1), aad_1, sizeof(aad_1));
+}
+
+Test *tests_crypto_chacha20poly1305_tests(void)
+{
+    EMB_UNIT_TESTFIXTURES(fixtures) {
+        new_TestFixture(test_crypto_chacha20poly1305_1),
+    };
+    EMB_UNIT_TESTCALLER(crypto_chacha20poly1305_tests, NULL, NULL, fixtures);
+    return (Test *) &crypto_chacha20poly1305_tests;
+}

tests/unittests/tests-crypto/tests-crypto.c

@@ -14,6 +14,7 @@ void tests_crypto(void)
     TESTS_RUN(tests_crypto_helper_tests());
     TESTS_RUN(tests_crypto_chacha_tests());
     TESTS_RUN(tests_crypto_poly1305_tests());
+    TESTS_RUN(tests_crypto_chacha20poly1305_tests());
     TESTS_RUN(tests_crypto_aes_tests());
     TESTS_RUN(tests_crypto_cipher_tests());
     TESTS_RUN(tests_crypto_modes_ccm_tests());

tests/unittests/tests-crypto/tests-crypto.h

@@ -48,6 +48,8 @@ Test *tests_crypto_chacha_tests(void);
 
 Test *tests_crypto_poly1305_tests(void);
 
+Test *tests_crypto_chacha20poly1305_tests(void);
+
 static inline int compare(const uint8_t *a, const uint8_t *b, uint8_t len)
 {
     int result = 1;