3 * AEAD schemes based on Salsa20/ChaCha and Poly1305
5 * (c) 2018 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software: you can redistribute it and/or modify it
13 * under the terms of the GNU Library General Public License as published
14 * by the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 * Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb. If not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
28 #ifndef CATACOMB_LATINPOLY_DEF_H
29 #define CATACOMB_LATINPOLY_DEF_H
35 /*----- Header files ------------------------------------------------------*/
37 #include <mLib/bits.h>
41 #ifndef CATACOMB_ARENA_H
49 #ifndef CATACOMB_GAEAD_H
53 #ifndef CATACOMB_KEYSZ_H
57 #ifndef CATACOMB_LATINPOLY_H
58 # include "latinpoly.h"
61 #ifndef CATACOMB_PARANOIA_H
62 # include "paranoia.h"
65 #ifndef CATACOMB_POLY1305_H
66 # include "poly1305.h"
69 #ifndef CATACOMB_SALSA20_H
73 /*----- Data structures ---------------------------------------------------*/
75 typedef struct latinpoly_aad {
80 typedef struct latinpoly_key {
82 octet key[SALSA20_KEYSZ];
86 /*----- Common definitions ------------------------------------------------*/
89 extern const octet latinpoly_noncesz[], latinpoly_tagsz[];
92 extern void latinpoly_aadhash(gaead_aad */*a*/,
93 const void */*h*/, size_t /*hsz*/);
94 extern void latinpoly_aaddestroy(gaead_aad */*a*/);
96 /* --- @latinpoly_tag@ --- *
98 * Arguments: @const poly1305_ctx *aad@ = Poly1305 context hashing AAD
99 * @poly1305_ctx *ct@ = Poly1305 context hashing ciphertext
100 * @void *tag@ = where to write the tag
104 * Use: Completes a Latin-dance-Poly1305 tag, combining the AAD and
105 * ciphertext hashes, appending their lengths, and writing the
106 * final masked hash to @tag@. The @ct@ context is clobbered.
109 extern void latinpoly_tag(const poly1305_ctx */*aad*/,
110 poly1305_ctx */*ct*/, void */*tag*/);
112 /*----- Macros ------------------------------------------------------------*/
114 #define LATINPOLY_DEF(latin, base, name) \
118 /* Reinitialize the stream cipher and hash state given a new nonce. */ \
119 static int reinit_##latin(x##latin##_ctx *ctx, \
120 poly1305_ctx *aadpoly, poly1305_ctx *ctpoly, \
121 const void *n, size_t nsz) \
124 octet b[POLY1305_KEYSZ + POLY1305_MASKSZ]; \
127 case SALSA20_NONCESZ: \
128 memcpy(ctx->s.a, ctx->k, sizeof(ctx->k)); \
129 base##_setnonce(&ctx->s, n); \
131 case SALSA20_IETF_NONCESZ: \
132 memcpy(ctx->s.a, ctx->k, sizeof(ctx->k)); \
133 base##_setnonce_ietf(&ctx->s, n); \
135 case XSALSA20_NONCESZ: \
136 x##latin##_setnonce(ctx, n); \
142 latin##_encrypt(&ctx->s, 0, b, sizeof(b)); \
143 poly1305_keyinit(&pk, b, POLY1305_KEYSZ); \
144 poly1305_macinit(aadpoly, &pk, b + POLY1305_KEYSZ); \
145 poly1305_macinit(ctpoly, &pk, b + POLY1305_KEYSZ); \
146 latin##_encrypt(&ctx->s, 0, 0, SALSA20_OUTSZ - sizeof(b)); \
150 /* AAD operations. */ \
152 static const gaead_aadops gaops_##latin = \
153 { &latin##_poly1305, 0, latinpoly_aadhash, latinpoly_aaddestroy }; \
155 /* Encryption operations. */ \
157 typedef struct gectx_##latin { \
160 x##latin##_ctx ctx; \
164 static gaead_aad *geaad_##latin(gaead_enc *e) \
165 { gectx_##latin *enc = (gectx_##latin *)e; return (&enc->aad.a); } \
167 static int gereinit_##latin(gaead_enc *e, const void *n, size_t nsz, \
168 size_t hsz, size_t msz, size_t tsz) \
170 gectx_##latin *enc = (gectx_##latin *)e; \
171 return (reinit_##latin(&enc->ctx, &enc->aad.poly, &enc->poly, n, nsz)); \
174 static int geenc_##latin(gaead_enc *e, \
175 const void *m, size_t msz, buf *b) \
177 gectx_##latin *enc = (gectx_##latin *)e; \
180 if (msz) { q = buf_get(b, msz); if (!q) return (-1); } \
182 latin##_encrypt(&enc->ctx.s, m, q, msz); \
183 poly1305_hash(&enc->poly, q, msz); \
187 static int gedone_##latin(gaead_enc *e, const gaead_aad *a, \
188 buf *b, void *t, size_t tsz) \
190 gectx_##latin *enc = (gectx_##latin *)e; \
191 const latinpoly_aad *aad = (const latinpoly_aad *)a; \
193 if (tsz != POLY1305_TAGSZ) return (-1); \
194 assert((!enc->aad.poly.count && !enc->aad.poly.nbuf && !a) || \
196 if (!BOK(b)) return (-1); \
197 latinpoly_tag(aad ? &aad->poly : 0, &enc->poly, t); \
201 static void gedestroy_##latin(gaead_enc *e) \
202 { gectx_##latin *enc = (gectx_##latin *)e; BURN(*enc); S_DESTROY(enc); } \
204 static gaead_encops geops_##latin = \
205 { &latin##_poly1305, geaad_##latin, gereinit_##latin, \
206 geenc_##latin, gedone_##latin, gedestroy_##latin }; \
208 /* Decryption operations. */ \
210 typedef struct gdctx_##latin { \
213 x##latin##_ctx ctx; \
217 static gaead_aad *gdaad_##latin(gaead_dec *d) \
218 { gdctx_##latin *dec = (gdctx_##latin *)d; return (&dec->aad.a); } \
220 static int gdreinit_##latin(gaead_dec *d, const void *n, size_t nsz, \
221 size_t hsz, size_t msz, size_t tsz) \
223 gdctx_##latin *dec = (gdctx_##latin *)d; \
224 return (reinit_##latin(&dec->ctx, &dec->aad.poly, &dec->poly, n, nsz)); \
227 static int gddec_##latin(gaead_dec *d, \
228 const void *c, size_t csz, buf *b) \
230 gdctx_##latin *dec = (gdctx_##latin *)d; \
233 if (csz) { q = buf_get(b, csz); if (!q) return (-1); } \
235 poly1305_hash(&dec->poly, c, csz); \
236 latin##_encrypt(&dec->ctx.s, c, q, csz); \
240 static int gddone_##latin(gaead_dec *d, const gaead_aad *a, \
241 buf *b, const void *t, size_t tsz) \
243 gdctx_##latin *dec = (gdctx_##latin *)d; \
244 const latinpoly_aad *aad = (const latinpoly_aad *)a; \
245 octet u[POLY1305_TAGSZ]; \
247 if (tsz != POLY1305_TAGSZ) return (-1); \
248 assert((!dec->aad.poly.count && !dec->aad.poly.nbuf && !a) || \
250 if (!BOK(b)) return (-1); \
251 latinpoly_tag(aad ? &aad->poly : 0, &dec->poly, u); \
252 if (ct_memeq(t, u, POLY1305_TAGSZ)) return (+1); \
256 static void gddestroy_##latin(gaead_dec *d) \
257 { gdctx_##latin *dec = (gdctx_##latin *)d; BURN(*dec); S_DESTROY(dec); } \
259 static gaead_decops gdops_##latin = \
260 { &latin##_poly1305, gdaad_##latin, gdreinit_##latin, \
261 gddec_##latin, gddone_##latin, gddestroy_##latin }; \
263 /* Key operations. */ \
265 static gaead_enc *gkenc_##latin(const gaead_key *k, \
266 const void *n, size_t nsz, \
267 size_t hsz, size_t msz, size_t tsz) \
269 latinpoly_key *key = (latinpoly_key *)k; \
270 gectx_##latin *enc = S_CREATE(gectx_##latin); \
272 enc->e.ops = &geops_##latin; enc->aad.a.ops = &gaops_##latin; \
273 x##latin##_init(&enc->ctx, key->key, key->ksz, 0); \
274 reinit_##latin(&enc->ctx, &enc->aad.poly, &enc->poly, n, nsz); \
278 static gaead_dec *gkdec_##latin(const gaead_key *k, \
279 const void *n, size_t nsz, \
280 size_t hsz, size_t msz, size_t tsz) \
282 latinpoly_key *key = (latinpoly_key *)k; \
283 gdctx_##latin *dec = S_CREATE(gdctx_##latin); \
285 dec->d.ops = &gdops_##latin; dec->aad.a.ops = &gaops_##latin; \
286 x##latin##_init(&dec->ctx, key->key, key->ksz, 0); \
287 reinit_##latin(&dec->ctx, &dec->aad.poly, &dec->poly, n, nsz); \
291 static void gkdestroy_##latin(gaead_key *k) \
292 { latinpoly_key *key = (latinpoly_key *)k; BURN(*key); S_DESTROY(key); } \
294 static const gaead_keyops gkops_##latin = \
295 { &latin##_poly1305, 0, gkenc_##latin, gkdec_##latin, \
296 gkdestroy_##latin }; \
298 /* Class definition. */ \
300 static gaead_key *gkey_##latin(const void *k, size_t ksz) \
302 latinpoly_key *key = S_CREATE(latinpoly_key); \
304 key->k.ops = &gkops_##latin; \
305 KSZ_ASSERT(latin, ksz); memcpy(key->key, k, ksz); key->ksz = ksz; \
309 const gcaead latin##_poly1305 = { \
310 name "-poly1305", latin##_keysz, latinpoly_noncesz, latinpoly_tagsz, \
311 64, 0, 0, AEADF_AADNDEP, \
315 /*----- That's all, folks -------------------------------------------------*/
~mdw / catacomb / blob