/* * Copyright (C) 2018 Koen Zandberg * * This file is subject to the terms and conditions of the GNU Lesser * General Public License v2.1. See the file LICENSE in the top level * directory for more details. */ /** * @defgroup sys_crypto_chacha20poly1305 chacha20poly1305 AEAD cipher * @ingroup sys_crypto * @brief Provides RFC 8439 style chacha20poly1305 * * This module provides the chacha20poly1305 AEAD symmetric cipher following * [rfc 8439](https://tools.ietf.org/html/rfc8439). * * Nonces must be unique per message for a single key. They are allowed to be * predictable, e.g. a message counter and are allowed to be visible during * transmission. * @{ * * @file * @brief Chacha20poly1305 functions * * @author Koen Zandberg */ #ifndef CRYPTO_CHACHA20POLY1305_H #define CRYPTO_CHACHA20POLY1305_H #include "crypto/poly1305.h" #ifdef __cplusplus extern "C" { #endif #define CHACHA20POLY1305_KEY_BYTES (32U) /**< Key length in bytes */ #define CHACHA20POLY1305_NONCE_BYTES (12U) /**< Nonce length in bytes */ #define CHACHA20POLY1305_TAG_BYTES (16U) /**< Tag length in bytes */ /** * @brief Chacha20poly1305 state struct */ typedef union { /* We need both the state matrix and the poly1305 state, but nearly not at * the same time. This works as long as the first 8 members of state * overlap fully or completely not with the first and second key parts * from the @ref poly1305_ctx_t struct */ uint32_t state[16]; /**< The current state of the key stream. */ poly1305_ctx_t poly; /**< Poly1305 state for the MAC */ } chacha20poly1305_ctx_t; /** * @brief Encrypt a plaintext to ciphertext and append a tag to protect the * ciphertext and additional data. * * It is allowed to have cipher == msg as long * as there is @ref CHACHA20POLY1305_TAG_BYTES space left to hold the * authentication tag * * * @param[out] cipher resulting ciphertext, is CHACHA20POLY1305_TAG_BYTES * longer than the message length * @param[in] msg message to encrypt * @param[in] msglen length in bytes of the message * @param[in] aad additional authenticated data to protect * @param[in] aadlen length of the additional authenticated data * @param[in] key key to encrypt with, must be * CHACHA20POLY1305_KEY_BYTES long * @param[in] nonce Nonce to use. Must be CHACHA20POLY1305_NONCE_BYTES * long */ void chacha20poly1305_encrypt(uint8_t *cipher, const uint8_t *msg, size_t msglen, const uint8_t *aad, size_t aadlen, const uint8_t *key, const uint8_t *nonce); /** * @brief Verify the tag and decrypt a ciphertext to plaintext. * * It is allowed to have cipher == msg * * @param[in] cipher resulting ciphertext, is CHACHA20POLY1305_TAG_BYTES * longer than the message length * @param[in] cipherlen length of the ciphertext * @param[out] msg message to encrypt * @param[in] msglen resulting length in bytes of the message * @param[in] aad additional authenticated data to verify * @param[in] aadlen length of the additional authenticated data * @param[in] key key to decrypt with, must be * CHACHA20POLY1305_KEY_BYTES long * @param[in] nonce Nonce to use. Must be CHACHA20POLY1305_NONCE_BYTES * long */ int chacha20poly1305_decrypt(const uint8_t *cipher, size_t cipherlen, uint8_t *msg, size_t *msglen, const uint8_t *aad, size_t aadlen, const uint8_t *key, const uint8_t *nonce); #ifdef __cplusplus } #endif #endif /* CRYPTO_CHACHA20POLY1305_H */ /** @} */