3 * AEAD schemes based on Salsa20/ChaCha and Poly1305
5 * (c) 2018 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software: you can redistribute it and/or modify it
13 * under the terms of the GNU Library General Public License as published
14 * by the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 * Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb. If not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
28 #ifndef CATACOMB_LATINPOLY_DEF_H
29 #define CATACOMB_LATINPOLY_DEF_H
35 /*----- Header files ------------------------------------------------------*/
37 #include <mLib/bits.h>
41 #ifndef CATACOMB_ARENA_H
49 #ifndef CATACOMB_GAEAD_H
53 #ifndef CATACOMB_KEYSZ_H
57 #ifndef CATACOMB_LATINPOLY_H
58 # include "latinpoly.h"
61 #ifndef CATACOMB_PARANOIA_H
62 # include "paranoia.h"
65 #ifndef CATACOMB_POLY1305_H
66 # include "poly1305.h"
69 #ifndef CATACOMB_SALSA20_H
73 /*----- Data structures ---------------------------------------------------*/
75 typedef struct latinpoly_aad {
80 typedef struct latinpoly_key {
82 octet key[SALSA20_KEYSZ];
86 /*----- Common definitions ------------------------------------------------*/
89 extern const octet latinpoly_noncesz[], latinpoly_tagsz[];
92 extern void latinpoly_aadhash_poly1305(gaead_aad */*a*/,
93 const void */*h*/, size_t /*hsz*/);
94 extern void latinpoly_aadhash_naclbox(gaead_aad */*a*/,
95 const void */*h*/, size_t /*hsz*/);
96 extern void latinpoly_aaddestroy(gaead_aad */*a*/);
99 enum { LPVAR_NACLBOX, LPVAR_POLY1305 };
101 /* --- @latinpoly_tag@ --- *
103 * Arguments: @const poly1305_ctx *aad@ = Poly1305 context hashing AAD
104 * @poly1305_ctx *ct@ = Poly1305 context hashing ciphertext
105 * @void *tag@ = where to write the tag
109 * Use: Completes a Latin-dance-Poly1305 tag, combining the AAD and
110 * ciphertext hashes, appending their lengths, and writing the
111 * final masked hash to @tag@. The @ct@ context is clobbered.
114 extern void latinpoly_tag(const poly1305_ctx */*aad*/,
115 poly1305_ctx */*ct*/, void */*tag*/);
117 /*----- Macros ------------------------------------------------------------*/
119 #define LATINPOLY_DEF(latin, base, name) \
123 /* Reinitialize the stream cipher and hash state given a new nonce. */ \
124 static int reinit_##latin(x##latin##_ctx *ctx, int var, \
125 poly1305_ctx *aadpoly, poly1305_ctx *ctpoly, \
126 const void *n, size_t nsz) \
129 octet b[POLY1305_KEYSZ + POLY1305_MASKSZ]; \
132 case SALSA20_NONCESZ: \
133 memcpy(ctx->s.a, ctx->k, sizeof(ctx->k)); \
134 base##_setnonce(&ctx->s, n); \
136 case SALSA20_IETF_NONCESZ: \
137 memcpy(ctx->s.a, ctx->k, sizeof(ctx->k)); \
138 base##_setnonce_ietf(&ctx->s, n); \
140 case XSALSA20_NONCESZ: \
141 x##latin##_setnonce(ctx, n); \
147 latin##_encrypt(&ctx->s, 0, b, sizeof(b)); \
148 poly1305_keyinit(&pk, b, POLY1305_KEYSZ); \
149 poly1305_macinit(ctpoly, &pk, b + POLY1305_KEYSZ); \
151 case LPVAR_NACLBOX: \
152 aadpoly->count = 0; aadpoly->nbuf = 0; \
154 case LPVAR_POLY1305: \
155 poly1305_macinit(aadpoly, &pk, b + POLY1305_KEYSZ); \
156 latin##_encrypt(&ctx->s, 0, 0, SALSA20_OUTSZ - sizeof(b)); \
164 /* AAD operations. */ \
166 static const gaead_aadops gaops_##latin##_poly1305 = \
167 { &latin##_poly1305, 0, latinpoly_aadhash_poly1305, latinpoly_aaddestroy }; \
169 static const gaead_aadops gaops_##latin##_naclbox = \
170 { &latin##_naclbox, 0, latinpoly_aadhash_naclbox, latinpoly_aaddestroy }; \
172 /* Encryption operations. */ \
174 typedef struct gectx_##latin { \
177 x##latin##_ctx ctx; \
181 static gaead_aad *geaad_##latin(gaead_enc *e) \
182 { gectx_##latin *enc = (gectx_##latin *)e; return (&enc->aad.a); } \
184 static int gereinit_##latin##_poly1305(gaead_enc *e, \
185 const void *n, size_t nsz, \
186 size_t hsz, size_t msz, size_t tsz) \
188 gectx_##latin *enc = (gectx_##latin *)e; \
189 return (reinit_##latin(&enc->ctx, LPVAR_POLY1305, \
190 &enc->aad.poly, &enc->poly, n, nsz)); \
193 static int gereinit_##latin##_naclbox(gaead_enc *e, \
194 const void *n, size_t nsz, \
195 size_t hsz, size_t msz, size_t tsz) \
197 gectx_##latin *enc = (gectx_##latin *)e; \
198 return (reinit_##latin(&enc->ctx, LPVAR_NACLBOX, \
199 &enc->aad.poly, &enc->poly, n, nsz)); \
202 static int geenc_##latin(gaead_enc *e, \
203 const void *m, size_t msz, buf *b) \
205 gectx_##latin *enc = (gectx_##latin *)e; \
208 if (msz) { q = buf_get(b, msz); if (!q) return (-1); } \
210 latin##_encrypt(&enc->ctx.s, m, q, msz); \
211 poly1305_hash(&enc->poly, q, msz); \
215 static int gedone_##latin##_common(gectx_##latin *enc, \
216 const latinpoly_aad *aad, \
217 buf *b, size_t tsz) \
219 if (tsz != POLY1305_TAGSZ) return (-1); \
220 assert((!enc->aad.poly.count && !enc->aad.poly.nbuf && !aad) || \
222 if (!BOK(b)) return (-1); \
226 static int gedone_##latin##_poly1305(gaead_enc *e, const gaead_aad *a, \
227 buf *b, void *t, size_t tsz) \
229 gectx_##latin *enc = (gectx_##latin *)e; \
230 const latinpoly_aad *aad = (const latinpoly_aad *)a; \
232 if (gedone_##latin##_common(enc, aad, b, tsz)) return (-1); \
233 latinpoly_tag(aad ? &aad->poly : 0, &enc->poly, t); \
237 static int gedone_##latin##_naclbox(gaead_enc *e, const gaead_aad *a, \
238 buf *b, void *t, size_t tsz) \
240 gectx_##latin *enc = (gectx_##latin *)e; \
241 const latinpoly_aad *aad = (const latinpoly_aad *)a; \
243 if (gedone_##latin##_common(enc, aad, b, tsz)) return (-1); \
244 poly1305_done(&enc->poly, t); \
248 static void gedestroy_##latin(gaead_enc *e) \
249 { gectx_##latin *enc = (gectx_##latin *)e; BURN(*enc); S_DESTROY(enc); } \
251 static gaead_encops geops_##latin##_poly1305 = \
252 { &latin##_poly1305, geaad_##latin, gereinit_##latin##_poly1305, \
253 geenc_##latin, gedone_##latin##_poly1305, gedestroy_##latin }; \
255 static gaead_encops geops_##latin##_naclbox = \
256 { &latin##_naclbox, geaad_##latin, gereinit_##latin##_naclbox, \
257 geenc_##latin, gedone_##latin##_naclbox, gedestroy_##latin }; \
259 /* Decryption operations. */ \
261 typedef struct gdctx_##latin { \
264 x##latin##_ctx ctx; \
268 static gaead_aad *gdaad_##latin(gaead_dec *d) \
269 { gdctx_##latin *dec = (gdctx_##latin *)d; return (&dec->aad.a); } \
271 static int gdreinit_##latin##_poly1305(gaead_dec *d, \
272 const void *n, size_t nsz, \
273 size_t hsz, size_t msz, size_t tsz) \
275 gdctx_##latin *dec = (gdctx_##latin *)d; \
276 return (reinit_##latin(&dec->ctx, LPVAR_POLY1305, \
277 &dec->aad.poly, &dec->poly, n, nsz)); \
280 static int gdreinit_##latin##_naclbox(gaead_dec *d, \
281 const void *n, size_t nsz, \
282 size_t hsz, size_t msz, size_t tsz) \
284 gdctx_##latin *dec = (gdctx_##latin *)d; \
285 return (reinit_##latin(&dec->ctx, LPVAR_NACLBOX, \
286 &dec->aad.poly, &dec->poly, n, nsz)); \
289 static int gddec_##latin(gaead_dec *d, \
290 const void *c, size_t csz, buf *b) \
292 gdctx_##latin *dec = (gdctx_##latin *)d; \
295 if (csz) { q = buf_get(b, csz); if (!q) return (-1); } \
297 poly1305_hash(&dec->poly, c, csz); \
298 latin##_encrypt(&dec->ctx.s, c, q, csz); \
302 static int gddone_##latin##_common(gdctx_##latin *dec, \
303 const latinpoly_aad *aad, \
304 buf *b, size_t tsz) \
306 if (tsz != POLY1305_TAGSZ) return (-1); \
307 assert((!dec->aad.poly.count && !dec->aad.poly.nbuf && !aad) || \
309 if (!BOK(b)) return (-1); \
313 static int gddone_##latin##_poly1305(gaead_dec *d, const gaead_aad *a, \
314 buf *b, const void *t, size_t tsz) \
316 gdctx_##latin *dec = (gdctx_##latin *)d; \
317 const latinpoly_aad *aad = (const latinpoly_aad *)a; \
318 octet u[POLY1305_TAGSZ]; \
320 if (gddone_##latin##_common(dec, aad, b, tsz)) return (-1); \
321 latinpoly_tag(aad ? &aad->poly : 0, &dec->poly, u); \
322 if (ct_memeq(t, u, POLY1305_TAGSZ)) return (+1); \
326 static int gddone_##latin##_naclbox(gaead_dec *d, const gaead_aad *a, \
327 buf *b, const void *t, size_t tsz) \
329 gdctx_##latin *dec = (gdctx_##latin *)d; \
330 const latinpoly_aad *aad = (const latinpoly_aad *)a; \
331 octet u[POLY1305_TAGSZ]; \
333 if (gddone_##latin##_common(dec, aad, b, tsz)) return (-1); \
334 poly1305_done(&dec->poly, u); \
335 if (ct_memeq(t, u, POLY1305_TAGSZ)) return (+1); \
339 static void gddestroy_##latin(gaead_dec *d) \
340 { gdctx_##latin *dec = (gdctx_##latin *)d; BURN(*dec); S_DESTROY(dec); } \
342 static gaead_decops gdops_##latin##_poly1305 = \
343 { &latin##_poly1305, gdaad_##latin, gdreinit_##latin##_poly1305, \
344 gddec_##latin, gddone_##latin##_poly1305, gddestroy_##latin }; \
346 static gaead_decops gdops_##latin##_naclbox = \
347 { &latin##_poly1305, gdaad_##latin, gdreinit_##latin##_naclbox, \
348 gddec_##latin, gddone_##latin##_naclbox, gddestroy_##latin }; \
350 /* Key operations. */ \
352 static gaead_enc *gkenc_##latin##_poly1305(const gaead_key *k, \
353 const void *n, size_t nsz, \
354 size_t hsz, size_t msz, \
357 latinpoly_key *key = (latinpoly_key *)k; \
358 gectx_##latin *enc = S_CREATE(gectx_##latin); \
360 enc->e.ops = &geops_##latin##_poly1305; \
361 enc->aad.a.ops = &gaops_##latin##_poly1305; \
362 x##latin##_init(&enc->ctx, key->key, key->ksz, 0); \
363 if (reinit_##latin(&enc->ctx, LPVAR_POLY1305, \
364 &enc->aad.poly, &enc->poly, n, nsz)) \
365 { gedestroy_##latin(&enc->e); return (0); } \
369 static gaead_enc *gkenc_##latin##_naclbox(const gaead_key *k, \
370 const void *n, size_t nsz, \
371 size_t hsz, size_t msz, \
374 latinpoly_key *key = (latinpoly_key *)k; \
375 gectx_##latin *enc = S_CREATE(gectx_##latin); \
377 enc->e.ops = &geops_##latin##_naclbox; \
378 enc->aad.a.ops = &gaops_##latin##_naclbox; \
379 x##latin##_init(&enc->ctx, key->key, key->ksz, 0); \
380 if (reinit_##latin(&enc->ctx, LPVAR_NACLBOX, \
381 &enc->aad.poly, &enc->poly, n, nsz)) \
382 { gedestroy_##latin(&enc->e); return (0); } \
386 static gaead_dec *gkdec_##latin##_poly1305(const gaead_key *k, \
387 const void *n, size_t nsz, \
388 size_t hsz, size_t msz, \
391 latinpoly_key *key = (latinpoly_key *)k; \
392 gdctx_##latin *dec = S_CREATE(gdctx_##latin); \
394 dec->d.ops = &gdops_##latin##_poly1305; \
395 dec->aad.a.ops = &gaops_##latin##_poly1305; \
396 x##latin##_init(&dec->ctx, key->key, key->ksz, 0); \
397 if (reinit_##latin(&dec->ctx, LPVAR_POLY1305, \
398 &dec->aad.poly, &dec->poly, n, nsz)) \
399 { gddestroy_##latin(&dec->d); return (0); } \
403 static gaead_dec *gkdec_##latin##_naclbox(const gaead_key *k, \
404 const void *n, size_t nsz, \
405 size_t hsz, size_t msz, \
408 latinpoly_key *key = (latinpoly_key *)k; \
409 gdctx_##latin *dec = S_CREATE(gdctx_##latin); \
411 dec->d.ops = &gdops_##latin##_naclbox; \
412 dec->aad.a.ops = &gaops_##latin##_naclbox; \
413 x##latin##_init(&dec->ctx, key->key, key->ksz, 0); \
414 if (reinit_##latin(&dec->ctx, LPVAR_NACLBOX, \
415 &dec->aad.poly, &dec->poly, n, nsz)) \
416 { gddestroy_##latin(&dec->d); return (0); } \
420 static void gkdestroy_##latin(gaead_key *k) \
421 { latinpoly_key *key = (latinpoly_key *)k; BURN(*key); S_DESTROY(key); } \
423 static const gaead_keyops gkops_##latin##_poly1305 = \
424 { &latin##_poly1305, 0, \
425 gkenc_##latin##_poly1305, gkdec_##latin##_poly1305, \
426 gkdestroy_##latin }; \
428 static const gaead_keyops gkops_##latin##_naclbox = \
429 { &latin##_naclbox, 0, \
430 gkenc_##latin##_naclbox, gkdec_##latin##_naclbox, \
431 gkdestroy_##latin }; \
433 /* Class definition. */ \
435 static gaead_key *gkey_##latin##_common(const gaead_keyops *ops, \
436 const void *k, size_t ksz) \
438 latinpoly_key *key = S_CREATE(latinpoly_key); \
441 KSZ_ASSERT(latin, ksz); memcpy(key->key, k, ksz); key->ksz = ksz; \
445 static gaead_key *gkey_##latin##_poly1305(const void *k, size_t ksz) \
446 { return (gkey_##latin##_common(&gkops_##latin##_poly1305, k, ksz)); } \
448 static gaead_key *gkey_##latin##_naclbox(const void *k, size_t ksz) \
449 { return (gkey_##latin##_common(&gkops_##latin##_naclbox, k, ksz)); } \
451 const gcaead latin##_poly1305 = { \
452 name "-poly1305", latin##_keysz, latinpoly_noncesz, latinpoly_tagsz, \
453 64, 0, 0, AEADF_AADNDEP, \
454 gkey_##latin##_poly1305 \
457 const gcaead latin##_naclbox = { \
458 name "-naclbox", latin##_keysz, latinpoly_noncesz, latinpoly_tagsz, \
459 64, 0, 0, AEADF_AADNDEP | AEADF_NOAAD, \
460 gkey_##latin##_naclbox \
463 /*----- That's all, folks -------------------------------------------------*/
~mdw / catacomb / blob