From 1990e1629a7439a421f6d875d02da6d0c402165a Mon Sep 17 00:00:00 2001 From: Koen Zandberg Date: Sun, 21 Oct 2018 21:33:30 +0200 Subject: [PATCH 1/2] crypto: Add chacha20poly1305 AEAD algorithm --- sys/crypto/chacha20poly1305.c | 177 ++++++++++++++++++++++++++ sys/include/crypto/chacha20poly1305.h | 104 +++++++++++++++ 2 files changed, 281 insertions(+) create mode 100644 sys/crypto/chacha20poly1305.c create mode 100644 sys/include/crypto/chacha20poly1305.h diff --git a/sys/crypto/chacha20poly1305.c b/sys/crypto/chacha20poly1305.c new file mode 100644 index 0000000000..0fc2ff25c1 --- /dev/null +++ b/sys/crypto/chacha20poly1305.c @@ -0,0 +1,177 @@ +/* + * Copyright (C) 2008 D. J. Bernstein (dedicated to the public domain) + * Copyright (C) 2015 René Kijewski + * Copyright (C) 2018 Koen Zandberg + * + * This file is subject to the terms and conditions of the GNU Lesser + * General Public License v2.1. See the file LICENSE in the top level + * directory for more details. + */ + +/** + * @ingroup sys_crypto_chacha20poly1305 + * @{ + * @file + * @brief Implementation of the chacha20poly1305 aead cipher + * + * @author Koen Zandberg + * @see https://tools.ietf.org/html/rfc8439 + * @} + */ + +#include +#include +#include + +#include "crypto/helper.h" +#include "crypto/chacha20poly1305.h" +#include "crypto/poly1305.h" + +/* Missing operations to convert numbers to little endian prevents this from + * working on big endian systems */ +#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__ +# error "This code is implementented in a way that it will only work for little-endian systems!" +#endif + +/* Nothing to hide here, Literally "expand 32-byte k" */ +static const uint32_t constant[] = {0x61707865, + 0x3320646e, + 0x79622d32, + 0x6b206574}; + +/* Padding to add to the poly1305 authentication tag */ +static const uint8_t padding[15] = {0}; + +static uint32_t u8to32(const uint8_t *p) +{ + return + ((uint32_t)p[0] | + ((uint32_t)p[1] << 8) | + ((uint32_t)p[2] << 16) | + ((uint32_t)p[3] << 24)); +} + +/* Single round */ +void _r(uint32_t *a, uint32_t *b, uint32_t *d, unsigned c) +{ + *a += *b; + uint32_t tmp = *a ^ *d; + *d = (tmp << c) | (tmp >> (32 - c)); +} + +void _add_initial(chacha20poly1305_ctx_t *ctx, const uint8_t *key, + const uint8_t *nonce, uint32_t blk) +{ + for (unsigned i = 0; i < 4; i++) { + ctx->state[i] += constant[i]; + } + for (unsigned i = 0; i < 8; i++) { + ctx->state[i+4] += u8to32(key + 4*i); + } + ctx->state[12] += u8to32((uint8_t*)&blk); + ctx->state[13] += u8to32(nonce); + ctx->state[14] += u8to32(nonce+4); + ctx->state[15] += u8to32(nonce+8); +} + +void _keystream(chacha20poly1305_ctx_t *ctx, const uint8_t *key, + const uint8_t *nonce, uint32_t blk) +{ + /* Initialize block state */ + memset(ctx->state, 0, sizeof(ctx->state)); + _add_initial(ctx, key, nonce, blk); + + /* perform rounds */ + for (unsigned i = 0; i < 80; ++i) { + uint32_t *a = &ctx->state[((i ) & 3) ]; + uint32_t *b = &ctx->state[((i + ((i & 4) ? 1 : 0)) & 3) + (4 * 1)]; + uint32_t *c = &ctx->state[((i + ((i & 4) ? 2 : 0)) & 3) + (4 * 2)]; + uint32_t *d = &ctx->state[((i + ((i & 4) ? 3 : 0)) & 3) + (4 * 3)]; + _r(a, b, d, 16); + _r(c, d, b, 12); + _r(a, b, d, 8); + _r(c, d, b, 7); + } + /* add initial state */ + _add_initial(ctx, key, nonce, blk); +} + +void _xcrypt(chacha20poly1305_ctx_t *ctx, const uint8_t *key, + const uint8_t *nonce, const uint8_t *in, uint8_t *out, size_t len) +{ + /* Number of full 64 byte blocks */ + const size_t num_blocks = len >> 6; + size_t pos = 0; + /* xcrypt full blocks */ + for (size_t i = 0; i < num_blocks; i++, pos += 64) { + _keystream(ctx, key, nonce, i+1); + for (size_t j = 0; j < 64; j++) { + out[pos+j] = in[pos+j] ^ ((uint8_t*)ctx->state)[j]; + } + } + /* xcrypt remaining bytes */ + if (len - pos) { + _keystream(ctx, key, nonce, num_blocks+1); + for (size_t j = 0; j < len - pos; j++) { + out[pos+j] = in[pos+j] ^ ((uint8_t*)ctx->state)[j]; + } + } +} + +void _poly1305_padded(poly1305_ctx_t *pctx, const uint8_t *data, size_t len) +{ + poly1305_update(pctx, data, len); + const size_t padlen = (16 - len) & 0xF; + poly1305_update(pctx, padding, padlen); +} + +/* Generate a poly1305 tag */ +void _poly1305_gentag(uint8_t *mac, const uint8_t *key, const uint8_t *nonce, + const uint8_t *cipher, size_t cipherlen, + const uint8_t *aad, size_t aadlen) +{ + chacha20poly1305_ctx_t ctx; + /* generate one time key */ + _keystream(&ctx, key, nonce, 0); + poly1305_init(&ctx.poly, (uint8_t*)ctx.state); + /* Add aad */ + _poly1305_padded(&ctx.poly, aad, aadlen); + /* Add ciphertext */ + _poly1305_padded(&ctx.poly, cipher, cipherlen); + /* Add aad length */ + const uint64_t lengths[2] = {aadlen, cipherlen}; + poly1305_update(&ctx.poly, (uint8_t*)lengths, sizeof(lengths)); + poly1305_finish(&ctx.poly, mac); + crypto_secure_wipe(&ctx, sizeof(ctx)); +} + +void chacha20poly1305_encrypt(uint8_t *cipher, const uint8_t *msg, + size_t msglen, const uint8_t *aad, size_t aadlen, + const uint8_t *key, const uint8_t *nonce) +{ + chacha20poly1305_ctx_t ctx; + _xcrypt(&ctx, key, nonce, msg, cipher, msglen); + crypto_secure_wipe(&ctx, sizeof(ctx)); + /* Generate tag */ + _poly1305_gentag(&cipher[msglen], key, nonce, + cipher, msglen, aad, aadlen); + /* Wipe structures */ +} + +int chacha20poly1305_decrypt(const uint8_t *cipher, size_t cipherlen, + uint8_t *msg, size_t *msglen, + const uint8_t *aad, size_t aadlen, + const uint8_t *key, const uint8_t *nonce) +{ + *msglen = cipherlen - CHACHA20POLY1305_TAG_BYTES; + uint8_t mac[16]; + _poly1305_gentag(mac, key, nonce, cipher, + cipherlen - CHACHA20POLY1305_TAG_BYTES, aad, aadlen); + if (crypto_equals(cipher+*msglen, mac, CHACHA20POLY1305_TAG_BYTES) == 0) { + return 0; + } + chacha20poly1305_ctx_t ctx; + /* Number of full blocks */ + _xcrypt(&ctx, key, nonce, cipher, msg, *msglen); + return 1; +} diff --git a/sys/include/crypto/chacha20poly1305.h b/sys/include/crypto/chacha20poly1305.h new file mode 100644 index 0000000000..398669daf5 --- /dev/null +++ b/sys/include/crypto/chacha20poly1305.h @@ -0,0 +1,104 @@ +/* + * Copyright (C) 2018 Koen Zandberg + * + * This file is subject to the terms and conditions of the GNU Lesser + * General Public License v2.1. See the file LICENSE in the top level + * directory for more details. + */ + +/** + * @defgroup sys_crypto_chacha20poly1305 chacha20poly1305 AEAD cipher + * @ingroup sys_crypto + * @brief Provides RFC 8439 style chacha20poly1305 + * + * This module provides the chacha20poly1305 AEAD symmetric cipher following + * [rfc 8439](https://tools.ietf.org/html/rfc8439). + * + * Nonces must be unique per message for a single key. They are allowed to be + * predictable, e.g. a message counter and are allowed to be visible during + * transmission. + * @{ + * + * @file + * @brief Chacha20poly1305 functions + * + * @author Koen Zandberg + */ + +#ifndef CRYPTO_CHACHA20POLY1305_H +#define CRYPTO_CHACHA20POLY1305_H + +#include "crypto/poly1305.h" + +#ifdef __cplusplus +extern "C" { +#endif + +#define CHACHA20POLY1305_KEY_BYTES (32U) /**< Key length in bytes */ +#define CHACHA20POLY1305_NONCE_BYTES (12U) /**< Nonce length in bytes */ +#define CHACHA20POLY1305_TAG_BYTES (16U) /**< Tag length in bytes */ + +/** + * @brief Chacha20poly1305 state struct + */ +typedef union +{ + /* We need both the state matrix and the poly1305 state, but nearly not at + * the same time. This works as long as the first 8 members of state + * overlap fully or completely not with the first and second key parts + * from the @ref poly1305_ctx_t struct */ + uint32_t state[16]; /**< The current state of the key stream. */ + poly1305_ctx_t poly; /**< Poly1305 state for the MAC */ +} chacha20poly1305_ctx_t; + +/** + * @brief Encrypt a plaintext to ciphertext and append a tag to protect the + * ciphertext and additional data. + * + * It is allowed to have cipher == msg as long + * as there is @ref CHACHA20POLY1305_TAG_BYTES space left to hold the + * authentication tag + * + * + * @param[out] cipher resulting ciphertext, is CHACHA20POLY1305_TAG_BYTES + * longer than the message length + * @param[in] msg message to encrypt + * @param[in] msglen length in bytes of the message + * @param[in] aad additional authenticated data to protect + * @param[in] aadlen length of the additional authenticated data + * @param[in] key key to encrypt with, must be + * CHACHA20POLY1305_KEY_BYTES long + * @param[in] nonce Nonce to use. Must be CHACHA20POLY1305_NONCE_BYTES + * long + */ +void chacha20poly1305_encrypt(uint8_t *cipher, const uint8_t *msg, + size_t msglen, const uint8_t *aad, size_t aadlen, + const uint8_t *key, const uint8_t *nonce); + +/** + * @brief Verify the tag and decrypt a ciphertext to plaintext. + * + * It is allowed to have cipher == msg + * + * @param[in] cipher resulting ciphertext, is CHACHA20POLY1305_TAG_BYTES + * longer than the message length + * @param[in] cipherlen length of the ciphertext + * @param[out] msg message to encrypt + * @param[in] msglen resulting length in bytes of the message + * @param[in] aad additional authenticated data to verify + * @param[in] aadlen length of the additional authenticated data + * @param[in] key key to decrypt with, must be + * CHACHA20POLY1305_KEY_BYTES long + * @param[in] nonce Nonce to use. Must be CHACHA20POLY1305_NONCE_BYTES + * long + */ +int chacha20poly1305_decrypt(const uint8_t *cipher, size_t cipherlen, + uint8_t *msg, size_t *msglen, + const uint8_t *aad, size_t aadlen, + const uint8_t *key, const uint8_t *nonce); + +#ifdef __cplusplus +} +#endif +#endif /* CRYPTO_CHACHA20POLY1305_H */ +/** @} */ From f4a4f5d0b1a51624e0b8c65c126ac53baf5106d7 Mon Sep 17 00:00:00 2001 From: Koen Zandberg Date: Sun, 21 Oct 2018 21:34:29 +0200 Subject: [PATCH 2/2] chacha20poly1305: Provide a test based on the rfc Add a test case to the crypto tests testing the chacha20poly1305 algorithm with the test vectors from rfc 8439. --- .../tests-crypto-chacha20poly1305.c | 86 +++++++++++++++++++ tests/unittests/tests-crypto/tests-crypto.c | 1 + tests/unittests/tests-crypto/tests-crypto.h | 2 + 3 files changed, 89 insertions(+) create mode 100644 tests/unittests/tests-crypto/tests-crypto-chacha20poly1305.c diff --git a/tests/unittests/tests-crypto/tests-crypto-chacha20poly1305.c b/tests/unittests/tests-crypto/tests-crypto-chacha20poly1305.c new file mode 100644 index 0000000000..a22cd67d00 --- /dev/null +++ b/tests/unittests/tests-crypto/tests-crypto-chacha20poly1305.c @@ -0,0 +1,86 @@ +/* + * Copyright (C) 2018 Koen Zandberg + * + * This file is subject to the terms and conditions of the GNU Lesser + * General Public License v2.1. See the file LICENSE in the top level + * directory for more details. + */ + +#include "embUnit/embUnit.h" +#include "tests-crypto.h" +#include +#include +#include +#include + +#include "crypto/chacha20poly1305.h" + +/* ciphertext buffer */ +uint8_t ebuf[1024]; +/* Plaintext buffer */ +uint8_t pbuf[1024]; + +static const uint8_t key_1[32] = { + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, + 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f +}; + +static const uint8_t msg_1[] = { + 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c, + 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73, + 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39, 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63, + 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66, 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f, + 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20, 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20, + 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75, 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73, + 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69, + 0x74, 0x2e +}; + +static const uint8_t aad_1[] = { + 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7 +}; + +static const uint8_t nonce_1[] = { + 0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 +}; + +static const uint8_t ciphertext_1[] = { + 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb, 0x7b, 0x86, 0xaf, 0xbc, + 0x53, 0xef, 0x7e, 0xc2, 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe, + 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6, 0x3d, 0xbe, 0xa4, 0x5e, + 0x8c, 0xa9, 0x67, 0x12, 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b, + 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29, 0x05, 0xd6, 0xa5, 0xb6, + 0x7e, 0xcd, 0x3b, 0x36, 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c, + 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58, 0xfa, 0xb3, 0x24, 0xe4, + 0xfa, 0xd6, 0x75, 0x94, 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc, + 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d, 0xe5, 0x76, 0xd2, 0x65, + 0x86, 0xce, 0xc6, 0x4b, 0x61, 0x16, 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, + 0xe2, 0x6a, 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91, +}; + +static void _test_chacha20poly1305(const uint8_t *key, const uint8_t *nonce, + const uint8_t *msg, size_t msglen, + const uint8_t *aad, size_t aadlen) +{ + memcpy(ebuf, msg, msglen); + chacha20poly1305_encrypt(ebuf, msg, msglen, aad, aadlen, key, nonce); + TEST_ASSERT_EQUAL_INT(0, memcmp(ebuf, ciphertext_1, msglen + 16)); + size_t len; + TEST_ASSERT_EQUAL_INT(1, + chacha20poly1305_decrypt(ebuf, msglen+16, pbuf, &len, aad, aadlen, key, nonce)); + TEST_ASSERT_EQUAL_INT(0, memcmp(pbuf, msg_1, msglen)); +} + +static void test_crypto_chacha20poly1305_1(void) +{ + _test_chacha20poly1305(key_1, nonce_1, msg_1, sizeof(msg_1), aad_1, sizeof(aad_1)); +} + +Test *tests_crypto_chacha20poly1305_tests(void) +{ + EMB_UNIT_TESTFIXTURES(fixtures) { + new_TestFixture(test_crypto_chacha20poly1305_1), + }; + EMB_UNIT_TESTCALLER(crypto_chacha20poly1305_tests, NULL, NULL, fixtures); + return (Test *) &crypto_chacha20poly1305_tests; +} diff --git a/tests/unittests/tests-crypto/tests-crypto.c b/tests/unittests/tests-crypto/tests-crypto.c index 3756fae1a4..d10a57fa96 100644 --- a/tests/unittests/tests-crypto/tests-crypto.c +++ b/tests/unittests/tests-crypto/tests-crypto.c @@ -14,6 +14,7 @@ void tests_crypto(void) TESTS_RUN(tests_crypto_helper_tests()); TESTS_RUN(tests_crypto_chacha_tests()); TESTS_RUN(tests_crypto_poly1305_tests()); + TESTS_RUN(tests_crypto_chacha20poly1305_tests()); TESTS_RUN(tests_crypto_aes_tests()); TESTS_RUN(tests_crypto_cipher_tests()); TESTS_RUN(tests_crypto_modes_ccm_tests()); diff --git a/tests/unittests/tests-crypto/tests-crypto.h b/tests/unittests/tests-crypto/tests-crypto.h index ad97004005..e4a1af38c5 100644 --- a/tests/unittests/tests-crypto/tests-crypto.h +++ b/tests/unittests/tests-crypto/tests-crypto.h @@ -48,6 +48,8 @@ Test *tests_crypto_chacha_tests(void); Test *tests_crypto_poly1305_tests(void); +Test *tests_crypto_chacha20poly1305_tests(void); + static inline int compare(const uint8_t *a, const uint8_t *b, uint8_t len) { int result = 1;