add support for xchacha20 and xchacha20-poly1305

xchacha is a chacha stream that allows for an extended nonce, which in turn makes it feasible to use random nonces. ok tb@
libressl · Jan 22, 2019 · f9ad715 · f9ad715
1 parent 1450233
commit f9ad715
Show file tree

Hide file tree

Showing 10 changed files with 399 additions and 11 deletions.
diff --git a/src/lib/libcrypto/Symbols.list b/src/lib/libcrypto/Symbols.list
@@ -667,6 +667,7 @@ CRYPTO_get_mem_ex_functions
 CRYPTO_get_mem_functions
 CRYPTO_get_new_dynlockid
 CRYPTO_get_new_lockid
+CRYPTO_hchacha_20
 CRYPTO_is_mem_check_on
 CRYPTO_lock
 CRYPTO_malloc
@@ -708,6 +709,7 @@ CRYPTO_set_mem_ex_functions
 CRYPTO_set_mem_functions
 CRYPTO_strdup
 CRYPTO_thread_id
+CRYPTO_xchacha_20
 CRYPTO_xts128_encrypt
 Camellia_cbc_encrypt
 Camellia_cfb128_encrypt
@@ -1493,6 +1495,7 @@ EVP_add_digest
 EVP_aead_aes_128_gcm
 EVP_aead_aes_256_gcm
 EVP_aead_chacha20_poly1305
+EVP_aead_xchacha20_poly1305
 EVP_aes_128_cbc
 EVP_aes_128_cbc_hmac_sha1
 EVP_aes_128_ccm

diff --git a/src/lib/libcrypto/chacha/chacha-merged.c b/src/lib/libcrypto/chacha/chacha-merged.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha-merged.c,v 1.8 2017/08/13 16:55:31 jsing Exp $ */
+/* $OpenBSD: chacha-merged.c,v 1.9 2019/01/22 00:59:21 dlg Exp $ */
 /*
 chacha-merged.c version 20080118
 D. J. Bernstein
@@ -277,3 +277,49 @@ chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
 		m += 64;
 	}
 }
+
+void
+CRYPTO_hchacha_20(unsigned char subkey[32], const unsigned char key[32],
+    const unsigned char nonce[16])
+{
+	uint32_t x[16];
+	int i;
+
+	x[0] = U8TO32_LITTLE(sigma + 0);
+	x[1] = U8TO32_LITTLE(sigma + 4);
+	x[2] = U8TO32_LITTLE(sigma + 8);
+	x[3] = U8TO32_LITTLE(sigma + 12);
+	x[4] = U8TO32_LITTLE(key + 0);
+	x[5] = U8TO32_LITTLE(key + 4);
+	x[6] = U8TO32_LITTLE(key + 8);
+	x[7] = U8TO32_LITTLE(key + 12);
+	x[8] = U8TO32_LITTLE(key + 16);
+	x[9] = U8TO32_LITTLE(key + 20);
+	x[10] = U8TO32_LITTLE(key + 24);
+	x[11] = U8TO32_LITTLE(key + 28);
+	x[12] = U8TO32_LITTLE(nonce + 0);
+	x[13] = U8TO32_LITTLE(nonce + 4);
+	x[14] = U8TO32_LITTLE(nonce + 8);
+	x[15] = U8TO32_LITTLE(nonce + 12);
+
+	for (i = 20; i > 0; i -= 2) {
+		QUARTERROUND(x[0], x[4], x[8], x[12])
+		QUARTERROUND(x[1], x[5], x[9], x[13])
+		QUARTERROUND(x[2], x[6], x[10], x[14])
+		QUARTERROUND(x[3], x[7], x[11], x[15])
+		QUARTERROUND(x[0], x[5], x[10], x[15])
+		QUARTERROUND(x[1], x[6], x[11], x[12])
+		QUARTERROUND(x[2], x[7], x[8], x[13])
+		QUARTERROUND(x[3], x[4], x[9], x[14])
+	}
+
+	U32TO8_LITTLE(subkey + 0, x[0]);
+	U32TO8_LITTLE(subkey + 4, x[1]);
+	U32TO8_LITTLE(subkey + 8, x[2]);
+	U32TO8_LITTLE(subkey + 12, x[3]);
+
+	U32TO8_LITTLE(subkey + 16, x[12]);
+	U32TO8_LITTLE(subkey + 20, x[13]);
+	U32TO8_LITTLE(subkey + 24, x[14]);
+	U32TO8_LITTLE(subkey + 28, x[15]);
+}
diff --git a/src/lib/libcrypto/chacha/chacha.c b/src/lib/libcrypto/chacha/chacha.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha.c,v 1.7 2015/12/09 14:07:55 bcook Exp $ */
+/* $OpenBSD: chacha.c,v 1.8 2019/01/22 00:59:21 dlg Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <[email protected]>
  *
@@ -75,3 +75,13 @@ CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len,
 
 	chacha_encrypt_bytes(&ctx, in, out, (uint32_t)len);
 }
+
+void
+CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len,
+    const unsigned char key[32], const unsigned char iv[24])
+{
+	uint8_t subkey[32];
+
+	CRYPTO_hchacha_20(subkey, key, iv);
+	CRYPTO_chacha_20(out, in, len, subkey, iv + 16, 0);
+}
diff --git a/src/lib/libcrypto/chacha/chacha.h b/src/lib/libcrypto/chacha/chacha.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha.h,v 1.7 2015/12/09 14:07:55 bcook Exp $ */
+/* $OpenBSD: chacha.h,v 1.8 2019/01/22 00:59:21 dlg Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <[email protected]>
  *
@@ -46,6 +46,10 @@ void ChaCha(ChaCha_ctx *ctx, unsigned char *out, const unsigned char *in,
 
 void CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len,
     const unsigned char key[32], const unsigned char iv[8], uint64_t counter);
+void CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len,
+    const unsigned char key[32], const unsigned char iv[24]);
+void CRYPTO_hchacha_20(unsigned char out[32],
+    const unsigned char key[32], const unsigned char iv[16]);
 
 #ifdef  __cplusplus
 }

diff --git a/src/lib/libcrypto/evp/e_chacha20poly1305.c b/src/lib/libcrypto/evp/e_chacha20poly1305.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha20poly1305.c,v 1.18 2017/08/28 17:48:02 jsing Exp $ */
+/* $OpenBSD: e_chacha20poly1305.c,v 1.19 2019/01/22 00:59:21 dlg Exp $ */
 
 /*
  * Copyright (c) 2015 Reyk Floter <[email protected]>
@@ -36,6 +36,7 @@
 #define CHACHA20_CONSTANT_LEN 4
 #define CHACHA20_IV_LEN 8
 #define CHACHA20_NONCE_LEN (CHACHA20_CONSTANT_LEN + CHACHA20_IV_LEN)
+#define XCHACHA20_NONCE_LEN 24
 
 struct aead_chacha20_poly1305_ctx {
 	unsigned char key[32];
@@ -246,6 +247,108 @@ aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
 	return 1;
 }
 
+static int
+aead_xchacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, unsigned char *out,
+    size_t *out_len, size_t max_out_len, const unsigned char *nonce,
+    size_t nonce_len, const unsigned char *in, size_t in_len,
+    const unsigned char *ad, size_t ad_len)
+{
+	const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
+	unsigned char poly1305_key[32];
+	unsigned char subkey[32];
+	poly1305_state poly1305;
+
+	if (max_out_len < in_len + c20_ctx->tag_len) {
+		EVPerror(EVP_R_BUFFER_TOO_SMALL);
+		return 0;
+	}
+
+	if (nonce_len != ctx->aead->nonce_len) {
+		EVPerror(EVP_R_IV_TOO_LARGE);
+		return 0;
+	}
+
+	CRYPTO_hchacha_20(subkey, c20_ctx->key, nonce);
+
+	CRYPTO_chacha_20(out, in, in_len, subkey, nonce + 16, 1);
+
+	memset(poly1305_key, 0, sizeof(poly1305_key));
+	CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
+	    subkey, nonce + 16, 0);
+
+	CRYPTO_poly1305_init(&poly1305, poly1305_key);
+	poly1305_update_with_pad16(&poly1305, ad, ad_len);
+	poly1305_update_with_pad16(&poly1305, out, in_len);
+	poly1305_update_with_length(&poly1305, NULL, ad_len);
+	poly1305_update_with_length(&poly1305, NULL, in_len);
+
+	if (c20_ctx->tag_len != POLY1305_TAG_LEN) {
+		unsigned char tag[POLY1305_TAG_LEN];
+		CRYPTO_poly1305_finish(&poly1305, tag);
+		memcpy(out + in_len, tag, c20_ctx->tag_len);
+		*out_len = in_len + c20_ctx->tag_len;
+		return 1;
+	}
+
+	CRYPTO_poly1305_finish(&poly1305, out + in_len);
+	*out_len = in_len + POLY1305_TAG_LEN;
+	return 1;
+}
+
+static int
+aead_xchacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
+    size_t *out_len, size_t max_out_len, const unsigned char *nonce,
+    size_t nonce_len, const unsigned char *in, size_t in_len,
+    const unsigned char *ad, size_t ad_len)
+{
+	const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
+	unsigned char mac[POLY1305_TAG_LEN];
+	unsigned char poly1305_key[32];
+	unsigned char subkey[32];
+	poly1305_state poly1305;
+	size_t plaintext_len;
+
+	if (in_len < c20_ctx->tag_len) {
+		EVPerror(EVP_R_BAD_DECRYPT);
+		return 0;
+	}
+
+	if (nonce_len != ctx->aead->nonce_len) {
+		EVPerror(EVP_R_IV_TOO_LARGE);
+		return 0;
+	}
+
+	plaintext_len = in_len - c20_ctx->tag_len;
+
+	if (max_out_len < plaintext_len) {
+		EVPerror(EVP_R_BUFFER_TOO_SMALL);
+		return 0;
+	}
+
+	CRYPTO_hchacha_20(subkey, c20_ctx->key, nonce);
+
+	memset(poly1305_key, 0, sizeof(poly1305_key));
+	CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
+	    subkey, nonce + 16, 0);
+
+	CRYPTO_poly1305_init(&poly1305, poly1305_key);
+	poly1305_update_with_pad16(&poly1305, ad, ad_len);
+	poly1305_update_with_pad16(&poly1305, in, plaintext_len);
+	poly1305_update_with_length(&poly1305, NULL, ad_len);
+	poly1305_update_with_length(&poly1305, NULL, plaintext_len);
+
+	CRYPTO_poly1305_finish(&poly1305, mac);
+	if (timingsafe_memcmp(mac, in + plaintext_len, c20_ctx->tag_len) != 0) {
+		EVPerror(EVP_R_BAD_DECRYPT);
+		return 0;
+	}
+
+	CRYPTO_chacha_20(out, in, plaintext_len, subkey, nonce + 16, 1);
+
+	*out_len = plaintext_len;
+	return 1;
+}
+
 /* RFC 7539 */
 static const EVP_AEAD aead_chacha20_poly1305 = {
 	.key_len = 32,
@@ -265,4 +368,22 @@ EVP_aead_chacha20_poly1305()
 	return &aead_chacha20_poly1305;
 }
 
+static const EVP_AEAD aead_xchacha20_poly1305 = {
+	.key_len = 32,
+	.nonce_len = XCHACHA20_NONCE_LEN,
+	.overhead = POLY1305_TAG_LEN,
+	.max_tag_len = POLY1305_TAG_LEN,
+
+	.init = aead_chacha20_poly1305_init,
+	.cleanup = aead_chacha20_poly1305_cleanup,
+	.seal = aead_xchacha20_poly1305_seal,
+	.open = aead_xchacha20_poly1305_open,
+};
+
+const EVP_AEAD *
+EVP_aead_xchacha20_poly1305()
+{
+	return &aead_xchacha20_poly1305;
+}
+
 #endif  /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.71 2019/01/19 01:24:18 tb Exp $ */
+/* $OpenBSD: evp.h,v 1.72 2019/01/22 00:59:21 dlg Exp $ */
 /* Copyright (C) 1995-1998 Eric Young ([email protected])
  * All rights reserved.
  *
@@ -1243,6 +1243,8 @@ const EVP_AEAD *EVP_aead_aes_256_gcm(void);
 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
 /* EVP_aead_chacha20_poly1305 is ChaCha20 with a Poly1305 authenticator. */
 const EVP_AEAD *EVP_aead_chacha20_poly1305(void);
+/* EVP_aead_xchacha20_poly1305 is XChaCha20 with a Poly1305 authenticator. */
+const EVP_AEAD *EVP_aead_xchacha20_poly1305(void);
 #endif
 
 /* EVP_AEAD_key_length returns the length of the keys used. */

diff --git a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.6 2017/08/28 17:43:43 jsing Exp $
+.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.7 2019/01/22 00:59:21 dlg Exp $
 .\"
 .\" Copyright (c) 2014, Google Inc.
 .\" Parts of the text were written by Adam Langley and David Benjamin.
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 28 2017 $
+.Dd $Mdocdate: January 22 2019 $
 .Dt EVP_AEAD_CTX_INIT 3
 .Os
 .Sh NAME
@@ -30,7 +30,8 @@
 .Nm EVP_AEAD_nonce_length ,
 .Nm EVP_aead_aes_128_gcm ,
 .Nm EVP_aead_aes_256_gcm ,
-.Nm EVP_aead_chacha20_poly1305
+.Nm EVP_aead_chacha20_poly1305,
+.Nm EVP_aead_xchacha20_poly1305
 .Nd authenticated encryption with additional data
 .Sh SYNOPSIS
 .In openssl/evp.h
@@ -101,6 +102,10 @@
 .Fo EVP_aead_chacha20_poly1305
 .Fa void
 .Fc
+.Ft const EVP_AEAD *
+.Fo EVP_aead_xchacha20_poly1305
+.Fa void
+.Fc
 .Sh DESCRIPTION
 AEAD (Authenticated Encryption with Additional Data) couples
 confidentiality and integrity in a single primitive.
@@ -219,6 +224,8 @@ AES-128 in Galois Counter Mode.
 AES-256 in Galois Counter Mode.
 .It Fn EVP_aead_chacha20_poly1305
 ChaCha20 with a Poly1305 authenticator.
+.It Fn EVP_aead_xchacha20_poly1305
+XChaCha20 with a Poly1305 authenticator.
 .El
 .Pp
 Where possible the
@@ -285,6 +292,13 @@ EVP_AEAD_CTX_cleanup(&ctx);
 .%R RFC 7539
 .%T ChaCha20 and Poly1305 for IETF Protocols
 .Re
+.Pp
+.Rs
+.%A S. Arciszewski
+.%D October 2018
+.%R draft-arciszewski-xchacha-02
+.%T XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305
+.Re
 .Sh HISTORY
 AEAD is based on the implementation by
 .An Adam Langley

diff --git a/src/regress/lib/libcrypto/aead/aeadtest.c b/src/regress/lib/libcrypto/aead/aeadtest.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: aeadtest.c,v 1.11 2018/07/17 17:06:49 tb Exp $	*/
+/*	$OpenBSD: aeadtest.c,v 1.12 2019/01/22 00:59:21 dlg Exp $	*/
 /* ====================================================================
  * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
  *
@@ -52,8 +52,11 @@
 #include <stdlib.h>
 #include <string.h>
 #include <stdint.h>
+#include <unistd.h>
+#include <ctype.h>
 
 #include <openssl/evp.h>
+#include <openssl/err.h>
 
 /* This program tests an AEAD against a series of test vectors from a file. The
  * test vector file consists of key-value lines where the key and value are
@@ -134,6 +137,12 @@ aead_from_name(const EVP_AEAD **aead, const char *name)
 		*aead = EVP_aead_chacha20_poly1305();
 #else
 		fprintf(stderr, "No chacha20-poly1305 support.\n");
+#endif
+	} else if (strcmp(name, "xchacha20-poly1305") == 0) {
+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+		*aead = EVP_aead_xchacha20_poly1305();
+#else
+		fprintf(stderr, "No xchacha20-poly1305 support.\n");
 #endif
 	} else {
 		fprintf(stderr, "Unknown AEAD: %s\n", name);

diff --git a/src/regress/lib/libcrypto/aead/aeadtests.txt b/src/regress/lib/libcrypto/aead/aeadtests.txt
@@ -1,4 +1,4 @@
-#	$OpenBSD: aeadtests.txt,v 1.7 2018/07/17 17:06:49 tb Exp $
+#	$OpenBSD: aeadtests.txt,v 1.8 2019/01/22 00:59:21 dlg Exp $
 #
 # MACsec GCM-AES Test Vectors (bn-randall-test-vectors-0511-v1.pdf)
 #
@@ -75,3 +75,12 @@ AD: c0c1c2c3c4c5c6c7d0d1d2d3d4d5d6d72e202500000000090000004529000029
 CT: 610394701f8d017f7c12924889
 TAG: 6b71bfe25236efd7cdc67066906315b2
 
+# Test vector from draft-arciszewski-xchacha-02
+AEAD: xchacha20-poly1305
+KEY: 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f
+NONCE: 404142434445464748494a4b4c4d4e4f5051525354555657
+IN: 4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e
+AD: 50515253c0c1c2c3c4c5c6c7
+CT: bd6d179d3e83d43b9576579493c0e939572a1700252bfaccbed2902c21396cbb731c7f1b0b4aa6440bf3a82f4eda7e39ae64c6708c54c216cb96b72e1213b4522f8c9ba40db5d945b11b69b982c1bb9e3f3fac2bc369488f76b2383565d3fff921f9664c97637da9768812f615c68b13b52e
+TAG: c0875924c1c7987947deafd8780acf49
+