libsec: add chacha20 poly1305 aead, allow 64 bit iv's for chacha,

adriangrigore · adriangrigore · commit 33fb45be3349 · 2024-07-30T16:06:34.000+03:00
add tsmemcmp() http://9legacy.org/9legacy/patch/libsec-chacha-iv.diff
diff --git a/include/libsec.h b/include/libsec.h
@@ -104,13 +104,18 @@ struct Chachastate
 		};
 	};
 	int	rounds;
+	int	ivwords;
 };
 
-void	setupChachastate(Chachastate*, uchar*, usize, uchar*, int);
-void	chacha_setblock(Chachastate*, u32int);
+void	setupChachastate(Chachastate*, uchar*, usize, uchar*, ulong, int);
+void	chacha_setiv(Chachastate *, uchar*);
+void	chacha_setblock(Chachastate*, u64int);
 void	chacha_encrypt(uchar*, usize, Chachastate*);
 void	chacha_encrypt2(uchar*, uchar*, usize, Chachastate*);
 
+void	ccpoly_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs);
+int	ccpoly_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs);
+
 /*
  * DES definitions
  */
@@ -451,3 +456,6 @@ void pbkdf2_x(uchar *p, ulong plen, uchar *s, ulong slen, ulong rounds, uchar *d
 /* hmac-based key derivation function (rfc5869) */
 void hkdf_x(uchar *salt, ulong nsalt, uchar *info, ulong ninfo, uchar *key, ulong nkey, uchar *d, ulong dlen,
 	DigestState* (*x)(uchar*, ulong, uchar*, ulong, uchar*, DigestState*), int xlen);
+
+/* timing safe memcmp() */
+int tsmemcmp(void*, void*, ulong);
diff --git a/libsec/Makefile b/libsec/Makefile
@@ -55,6 +55,8 @@ OFILES=\
 	pbkdf2.$O\
 	hkdf.$O\
 	poly1305.$O\
+	ccpoly.$O\
+	tsmemcmp.$O\
 
 default: $(LIB)
 $(LIB): $(OFILES)
diff --git a/libsec/ccpoly.c b/libsec/ccpoly.c
@@ -0,0 +1,84 @@
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+static void
+ccpolyotk(Chachastate *cs, DigestState *ds)
+{
+	uchar otk[ChachaBsize];
+
+	memset(ds, 0, sizeof(*ds));
+	memset(otk, 0, 32);
+	chacha_setblock(cs, 0);
+	chacha_encrypt(otk, ChachaBsize, cs);
+	poly1305(nil, 0, otk, 32, nil, ds);
+}
+
+static void
+ccpolymac(uchar *buf, ulong nbuf, DigestState *ds)
+{
+	static uchar zeros[16] = {0};
+	ulong npad;
+
+	if(nbuf == 0)
+		return;
+	poly1305(buf, nbuf, nil, 0, nil, ds);
+	npad = nbuf % 16;
+	if(npad == 0)
+		return;
+	poly1305(zeros, 16 - npad, nil, 0, nil, ds);
+}
+
+static void
+ccpolytag(ulong ndat, ulong naad, uchar tag[16], DigestState *ds)
+{
+	uchar info[16];
+
+	info[0] = naad;
+	info[1] = naad>>8;
+	info[2] = naad>>16;
+	info[3] = naad>>24;
+	info[4] = 0;
+	info[5] = 0;
+	info[6] = 0;
+	info[7] = 0;
+
+	info[8]  = ndat;
+	info[9]  = ndat>>8;
+	info[10] = ndat>>16;
+	info[11] = ndat>>24;
+	info[12] = 0;
+	info[13] = 0;
+	info[14] = 0;
+	info[15] = 0;
+
+	poly1305(info, 16, nil, 0, tag, ds);
+}
+
+void
+ccpoly_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs)
+{
+	DigestState ds;
+
+	ccpolyotk(cs, &ds);
+	ccpolymac(aad, naad, &ds);
+	chacha_encrypt(dat, ndat, cs);
+	ccpolymac(dat, ndat, &ds);
+	ccpolytag(ndat, naad, tag, &ds);
+}
+
+int
+ccpoly_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs)
+{
+	DigestState ds;
+	uchar tmp[16];
+
+	ccpolyotk(cs, &ds);
+	ccpolymac(aad, naad, &ds);
+	ccpolymac(dat, ndat, &ds);
+	ccpolytag(ndat, naad, tmp, &ds);
+	if(tsmemcmp(tag, tmp, 16) != 0)
+		return -1;
+	chacha_encrypt(dat, ndat, cs);
+	return 0;
+}
diff --git a/libsec/chacha.c b/libsec/chacha.c
@@ -54,10 +54,12 @@ load(u32int *d, uchar *s, int nw)
 }
 
 void
-setupChachastate(Chachastate *s, uchar *key, usize keylen, uchar *iv, int rounds)
+setupChachastate(Chachastate *s, uchar *key, usize keylen, uchar *iv, ulong ivlen, int rounds)
 {
 	if(keylen != 256/8 && keylen != 128/8)
 		sysfatal("invalid chacha key length");
+	if(ivlen != 96/8 && ivlen != 64/8)
+		sysfatal("invalid chacha iv length");
 	if(rounds == 0)
 		rounds = 20;
 	s->rounds = rounds;
@@ -69,19 +71,28 @@ setupChachastate(Chachastate *s, uchar *key, usize keylen, uchar *iv, int rounds
 		load(&s->input[4], key, 4);
 		load(&s->input[8], key, 4);
 	}
+	s->ivwords = ivlen/sizeof(u32int);
 	s->input[12] = 0;
+	s->input[13] = 0;
 	if(iv == nil){
-		s->input[13] = 0;
 		s->input[14] = 0;
 		s->input[15] = 0;
 	}else
-		load(&s->input[13], iv, 3);
+		chacha_setiv(s, iv);
 }
 
 void
-chacha_setblock(Chachastate *s, u32int blockno)
+chacha_setiv(Chachastate *s, uchar *iv)
+{
+	load(&s->input[16 - s->ivwords], iv, s->ivwords);
+}
+
+void
+chacha_setblock(Chachastate *s, u64int blockno)
 {
 	s->input[12] = blockno;
+	if(s->ivwords == 2)
+		s->input[13] = blockno>>32;
 }
 
 static void
@@ -148,7 +159,8 @@ encryptblock(Chachastate *s, uchar *src, uchar *dst)
 	}
 #endif
 
-	s->input[12]++;
+	if(++s->input[12] == 0 && s->ivwords == 2)
+		s->input[13]++;
 }
 
 void
diff --git a/libsec/chachatest.c b/libsec/chachatest.c
@@ -31,7 +31,7 @@ u32int	rfccount = 1;
 char	rfctext[] = "Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, "
 	"sunscreen would be it.";
 uchar	rfcout[3*ChachaBsize];
-uchar	rfcref[3*ChachaBsize] = {
+uchar	rfcref[] = {
 	0x6e, 0x2e, 0x35, 0x9a, 0x25, 0x68, 0xf9, 0x80, 0x41, 0xba, 0x07, 0x28, 0xdd, 0x0d, 0x69, 0x81,
 	0xe9, 0x7e, 0x7a, 0xec, 0x1d, 0x43, 0x60, 0xc2, 0x0a, 0x27, 0xaf, 0xcc, 0xfd, 0x9f, 0xae, 0x0b,
 	0xf9, 0x1b, 0x65, 0xc5, 0x52, 0x47, 0x33, 0xab, 0x8f, 0x59, 0x3d, 0xab, 0xcd, 0x62, 0xb3, 0x57,
@@ -42,10 +42,26 @@ uchar	rfcref[3*ChachaBsize] = {
 	0x87, 0x4d
 };
 
+uchar	ccpaad[] = {
+	0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+};
+uchar	ccpkey[] = {
+	0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
+};
+uchar	ccpiv[] = {
+	0x07, 0x00, 0x00, 0x00,
+	0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+};
+uchar	ccptag[] = {
+	0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a, 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91,
+};
+
 void
 main(int argc, char **argv)
 {
 	Chachastate s;
+	uchar tag[16];
 	int n;
 
 	ARGBEGIN{
@@ -54,17 +70,51 @@ main(int argc, char **argv)
 	print("key:\n");
 	printblock(rfckey, sizeof(rfckey));
 	n = strlen(rfctext);
-	setupChachastate(&s, rfckey, sizeof(rfckey), rfcnonce, 0);
+	setupChachastate(&s, rfckey, sizeof(rfckey), rfcnonce, sizeof(rfcnonce), 0);
 	chacha_setblock(&s, rfccount);
 	print("rfc in:\n");
 	printblock((uchar*)rfctext, n);
 	chacha_encrypt2((uchar*)rfctext, rfcout, n, &s);
 	print("rfc out:\n");
 	printblock(rfcout, n);
-	if(memcmp(rfcout, rfcref, sizeof(rfcout)) != 0){
+	if(memcmp(rfcout, rfcref, sizeof(rfcref)) != 0){
 		print("failure of vision\n");
 		exits("wrong");
 	}
+	print("\n");
+
+	print("ccpoly key:\n");
+	printblock(ccpkey, sizeof(ccpkey));
+
+	print("ccpoly iv:\n");
+	printblock(ccpiv, sizeof(ccpiv));
+
+	setupChachastate(&s, ccpkey, sizeof(ccpkey), ccpiv, sizeof(ccpiv), 20);
+
+	memmove(rfcout, rfctext, sizeof(rfctext)-1);
+	ccpoly_encrypt(rfcout, sizeof(rfctext)-1, ccpaad, sizeof(ccpaad), tag, &s);
+
+	print("ccpoly cipher:\n");
+	printblock(rfcout, sizeof(rfctext)-1);
+
+	print("ccpoly tag:\n");
+	printblock(tag, sizeof(tag));
+
+	if(memcmp(tag, ccptag, sizeof(tag)) != 0){
+		print("bad ccpoly tag\n");
+		exits("wrong");
+	}
+
+	if(ccpoly_decrypt(rfcout, sizeof(rfctext)-1, ccpaad, sizeof(ccpaad), tag, &s) != 0){
+		print("ccpoly decryption failed\n");
+		exits("wrong");
+	}
+
+	if(memcmp(rfcout, rfctext, sizeof(rfctext)-1) != 0){
+		print("ccpoly bad decryption\n");
+		exits("wrong");
+	}
+
 	print("passed\n");
 	exits(nil);
 }
diff --git a/libsec/tsmemcmp.c b/libsec/tsmemcmp.c
@@ -0,0 +1,26 @@
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+/*
+ * timing safe memcmp()
+ */
+int
+tsmemcmp(void *a1, void *a2, ulong n)
+{
+	int lt, gt, c1, c2, r, m;
+	uchar *s1, *s2;
+
+	r = m = 0;
+	s1 = a1;
+	s2 = a2;
+	while(n--){
+		c1 = *s1++;
+		c2 = *s2++;
+		lt = (c1 - c2) >> 8;
+		gt = (c2 - c1) >> 8;
+		r |= (lt - gt) & ~m;
+		m |= lt | gt;
+	}
+	return r;
+}
