wolf SSL
wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
wolfcrypt/src/chacha20_poly1305.c@17:a5f916481144, 2020-06-05 (annotated)
- Committer:
- wolfSSL
- Date:
- Fri Jun 05 00:11:07 2020 +0000
- Revision:
- 17:a5f916481144
- Parent:
- 16:8e0d178b1d1e
wolfSSL 4.4.0
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| wolfSSL | 15:117db924cf7c | 1 | /* chacha.c |
| wolfSSL | 15:117db924cf7c | 2 | * |
| wolfSSL | 16:8e0d178b1d1e | 3 | * Copyright (C) 2006-2020 wolfSSL Inc. |
| wolfSSL | 15:117db924cf7c | 4 | * |
| wolfSSL | 15:117db924cf7c | 5 | * This file is part of wolfSSL. |
| wolfSSL | 15:117db924cf7c | 6 | * |
| wolfSSL | 15:117db924cf7c | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
| wolfSSL | 15:117db924cf7c | 8 | * it under the terms of the GNU General Public License as published by |
| wolfSSL | 15:117db924cf7c | 9 | * the Free Software Foundation; either version 2 of the License, or |
| wolfSSL | 15:117db924cf7c | 10 | * (at your option) any later version. |
| wolfSSL | 15:117db924cf7c | 11 | * |
| wolfSSL | 15:117db924cf7c | 12 | * wolfSSL is distributed in the hope that it will be useful, |
| wolfSSL | 15:117db924cf7c | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| wolfSSL | 15:117db924cf7c | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| wolfSSL | 15:117db924cf7c | 15 | * GNU General Public License for more details. |
| wolfSSL | 15:117db924cf7c | 16 | * |
| wolfSSL | 15:117db924cf7c | 17 | * You should have received a copy of the GNU General Public License |
| wolfSSL | 15:117db924cf7c | 18 | * along with this program; if not, write to the Free Software |
| wolfSSL | 15:117db924cf7c | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
| wolfSSL | 15:117db924cf7c | 20 | */ |
| wolfSSL | 15:117db924cf7c | 21 | |
| wolfSSL | 15:117db924cf7c | 22 | |
| wolfSSL | 15:117db924cf7c | 23 | |
| wolfSSL | 15:117db924cf7c | 24 | #ifdef HAVE_CONFIG_H |
| wolfSSL | 15:117db924cf7c | 25 | #include <config.h> |
| wolfSSL | 15:117db924cf7c | 26 | #endif |
| wolfSSL | 15:117db924cf7c | 27 | |
| wolfSSL | 15:117db924cf7c | 28 | #include <wolfssl/wolfcrypt/settings.h> |
| wolfSSL | 15:117db924cf7c | 29 | |
| wolfSSL | 15:117db924cf7c | 30 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
| wolfSSL | 15:117db924cf7c | 31 | |
| wolfSSL | 15:117db924cf7c | 32 | #include <wolfssl/wolfcrypt/chacha20_poly1305.h> |
| wolfSSL | 15:117db924cf7c | 33 | #include <wolfssl/wolfcrypt/error-crypt.h> |
| wolfSSL | 15:117db924cf7c | 34 | #include <wolfssl/wolfcrypt/logging.h> |
| wolfSSL | 15:117db924cf7c | 35 | |
| wolfSSL | 15:117db924cf7c | 36 | #ifdef NO_INLINE |
| wolfSSL | 15:117db924cf7c | 37 | #include <wolfssl/wolfcrypt/misc.h> |
| wolfSSL | 15:117db924cf7c | 38 | #else |
| wolfSSL | 15:117db924cf7c | 39 | #define WOLFSSL_MISC_INCLUDED |
| wolfSSL | 15:117db924cf7c | 40 | #include <wolfcrypt/src/misc.c> |
| wolfSSL | 15:117db924cf7c | 41 | #endif |
| wolfSSL | 15:117db924cf7c | 42 | |
| wolfSSL | 15:117db924cf7c | 43 | #define CHACHA20_POLY1305_AEAD_INITIAL_COUNTER 0 |
| wolfSSL | 15:117db924cf7c | 44 | int wc_ChaCha20Poly1305_Encrypt( |
| wolfSSL | 15:117db924cf7c | 45 | const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], |
| wolfSSL | 15:117db924cf7c | 46 | const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], |
| wolfSSL | 15:117db924cf7c | 47 | const byte* inAAD, const word32 inAADLen, |
| wolfSSL | 15:117db924cf7c | 48 | const byte* inPlaintext, const word32 inPlaintextLen, |
| wolfSSL | 15:117db924cf7c | 49 | byte* outCiphertext, |
| wolfSSL | 15:117db924cf7c | 50 | byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]) |
| wolfSSL | 15:117db924cf7c | 51 | { |
| wolfSSL | 16:8e0d178b1d1e | 52 | int ret; |
| wolfSSL | 16:8e0d178b1d1e | 53 | ChaChaPoly_Aead aead; |
| wolfSSL | 15:117db924cf7c | 54 | |
| wolfSSL | 15:117db924cf7c | 55 | /* Validate function arguments */ |
| wolfSSL | 15:117db924cf7c | 56 | if (!inKey || !inIV || |
| wolfSSL | 15:117db924cf7c | 57 | !inPlaintext || !inPlaintextLen || |
| wolfSSL | 15:117db924cf7c | 58 | !outCiphertext || |
| wolfSSL | 15:117db924cf7c | 59 | !outAuthTag) |
| wolfSSL | 15:117db924cf7c | 60 | { |
| wolfSSL | 15:117db924cf7c | 61 | return BAD_FUNC_ARG; |
| wolfSSL | 15:117db924cf7c | 62 | } |
| wolfSSL | 15:117db924cf7c | 63 | |
| wolfSSL | 16:8e0d178b1d1e | 64 | ret = wc_ChaCha20Poly1305_Init(&aead, inKey, inIV, |
| wolfSSL | 16:8e0d178b1d1e | 65 | CHACHA20_POLY1305_AEAD_ENCRYPT); |
| wolfSSL | 16:8e0d178b1d1e | 66 | if (ret == 0) |
| wolfSSL | 16:8e0d178b1d1e | 67 | ret = wc_ChaCha20Poly1305_UpdateAad(&aead, inAAD, inAADLen); |
| wolfSSL | 16:8e0d178b1d1e | 68 | if (ret == 0) |
| wolfSSL | 16:8e0d178b1d1e | 69 | ret = wc_ChaCha20Poly1305_UpdateData(&aead, inPlaintext, outCiphertext, |
| wolfSSL | 16:8e0d178b1d1e | 70 | inPlaintextLen); |
| wolfSSL | 16:8e0d178b1d1e | 71 | if (ret == 0) |
| wolfSSL | 16:8e0d178b1d1e | 72 | ret = wc_ChaCha20Poly1305_Final(&aead, outAuthTag); |
| wolfSSL | 16:8e0d178b1d1e | 73 | return ret; |
| wolfSSL | 15:117db924cf7c | 74 | } |
| wolfSSL | 15:117db924cf7c | 75 | |
| wolfSSL | 15:117db924cf7c | 76 | int wc_ChaCha20Poly1305_Decrypt( |
| wolfSSL | 15:117db924cf7c | 77 | const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], |
| wolfSSL | 15:117db924cf7c | 78 | const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], |
| wolfSSL | 15:117db924cf7c | 79 | const byte* inAAD, const word32 inAADLen, |
| wolfSSL | 15:117db924cf7c | 80 | const byte* inCiphertext, const word32 inCiphertextLen, |
| wolfSSL | 15:117db924cf7c | 81 | const byte inAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE], |
| wolfSSL | 15:117db924cf7c | 82 | byte* outPlaintext) |
| wolfSSL | 15:117db924cf7c | 83 | { |
| wolfSSL | 16:8e0d178b1d1e | 84 | int ret; |
| wolfSSL | 16:8e0d178b1d1e | 85 | ChaChaPoly_Aead aead; |
| wolfSSL | 15:117db924cf7c | 86 | byte calculatedAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]; |
| wolfSSL | 15:117db924cf7c | 87 | |
| wolfSSL | 15:117db924cf7c | 88 | /* Validate function arguments */ |
| wolfSSL | 15:117db924cf7c | 89 | if (!inKey || !inIV || |
| wolfSSL | 15:117db924cf7c | 90 | !inCiphertext || !inCiphertextLen || |
| wolfSSL | 15:117db924cf7c | 91 | !inAuthTag || |
| wolfSSL | 15:117db924cf7c | 92 | !outPlaintext) |
| wolfSSL | 15:117db924cf7c | 93 | { |
| wolfSSL | 15:117db924cf7c | 94 | return BAD_FUNC_ARG; |
| wolfSSL | 15:117db924cf7c | 95 | } |
| wolfSSL | 15:117db924cf7c | 96 | |
| wolfSSL | 15:117db924cf7c | 97 | XMEMSET(calculatedAuthTag, 0, sizeof(calculatedAuthTag)); |
| wolfSSL | 16:8e0d178b1d1e | 98 | |
| wolfSSL | 16:8e0d178b1d1e | 99 | ret = wc_ChaCha20Poly1305_Init(&aead, inKey, inIV, |
| wolfSSL | 16:8e0d178b1d1e | 100 | CHACHA20_POLY1305_AEAD_DECRYPT); |
| wolfSSL | 16:8e0d178b1d1e | 101 | if (ret == 0) |
| wolfSSL | 16:8e0d178b1d1e | 102 | ret = wc_ChaCha20Poly1305_UpdateAad(&aead, inAAD, inAADLen); |
| wolfSSL | 16:8e0d178b1d1e | 103 | if (ret == 0) |
| wolfSSL | 16:8e0d178b1d1e | 104 | ret = wc_ChaCha20Poly1305_UpdateData(&aead, inCiphertext, outPlaintext, |
| wolfSSL | 16:8e0d178b1d1e | 105 | inCiphertextLen); |
| wolfSSL | 16:8e0d178b1d1e | 106 | if (ret == 0) |
| wolfSSL | 16:8e0d178b1d1e | 107 | ret = wc_ChaCha20Poly1305_Final(&aead, calculatedAuthTag); |
| wolfSSL | 16:8e0d178b1d1e | 108 | if (ret == 0) |
| wolfSSL | 16:8e0d178b1d1e | 109 | ret = wc_ChaCha20Poly1305_CheckTag(inAuthTag, calculatedAuthTag); |
| wolfSSL | 16:8e0d178b1d1e | 110 | return ret; |
| wolfSSL | 16:8e0d178b1d1e | 111 | } |
| wolfSSL | 16:8e0d178b1d1e | 112 | |
| wolfSSL | 16:8e0d178b1d1e | 113 | int wc_ChaCha20Poly1305_CheckTag( |
| wolfSSL | 16:8e0d178b1d1e | 114 | const byte authTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE], |
| wolfSSL | 16:8e0d178b1d1e | 115 | const byte authTagChk[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]) |
| wolfSSL | 16:8e0d178b1d1e | 116 | { |
| wolfSSL | 16:8e0d178b1d1e | 117 | int ret = 0; |
| wolfSSL | 16:8e0d178b1d1e | 118 | if (authTag == NULL || authTagChk == NULL) { |
| wolfSSL | 16:8e0d178b1d1e | 119 | return BAD_FUNC_ARG; |
| wolfSSL | 16:8e0d178b1d1e | 120 | } |
| wolfSSL | 16:8e0d178b1d1e | 121 | if (ConstantCompare(authTag, authTagChk, |
| wolfSSL | 16:8e0d178b1d1e | 122 | CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE) != 0) { |
| wolfSSL | 16:8e0d178b1d1e | 123 | ret = MAC_CMP_FAILED_E; |
| wolfSSL | 16:8e0d178b1d1e | 124 | } |
| wolfSSL | 16:8e0d178b1d1e | 125 | return ret; |
| wolfSSL | 16:8e0d178b1d1e | 126 | } |
| wolfSSL | 16:8e0d178b1d1e | 127 | |
| wolfSSL | 16:8e0d178b1d1e | 128 | int wc_ChaCha20Poly1305_Init(ChaChaPoly_Aead* aead, |
| wolfSSL | 16:8e0d178b1d1e | 129 | const byte inKey[CHACHA20_POLY1305_AEAD_KEYSIZE], |
| wolfSSL | 16:8e0d178b1d1e | 130 | const byte inIV[CHACHA20_POLY1305_AEAD_IV_SIZE], |
| wolfSSL | 16:8e0d178b1d1e | 131 | int isEncrypt) |
| wolfSSL | 16:8e0d178b1d1e | 132 | { |
| wolfSSL | 16:8e0d178b1d1e | 133 | int ret; |
| wolfSSL | 16:8e0d178b1d1e | 134 | byte authKey[CHACHA20_POLY1305_AEAD_KEYSIZE]; |
| wolfSSL | 16:8e0d178b1d1e | 135 | |
| wolfSSL | 16:8e0d178b1d1e | 136 | /* check arguments */ |
| wolfSSL | 16:8e0d178b1d1e | 137 | if (aead == NULL || inKey == NULL || inIV == NULL) { |
| wolfSSL | 16:8e0d178b1d1e | 138 | return BAD_FUNC_ARG; |
| wolfSSL | 16:8e0d178b1d1e | 139 | } |
| wolfSSL | 16:8e0d178b1d1e | 140 | |
| wolfSSL | 16:8e0d178b1d1e | 141 | /* setup aead context */ |
| wolfSSL | 16:8e0d178b1d1e | 142 | XMEMSET(aead, 0, sizeof(ChaChaPoly_Aead)); |
| wolfSSL | 16:8e0d178b1d1e | 143 | XMEMSET(authKey, 0, sizeof(authKey)); |
| wolfSSL | 16:8e0d178b1d1e | 144 | aead->isEncrypt = isEncrypt; |
| wolfSSL | 16:8e0d178b1d1e | 145 | |
| wolfSSL | 16:8e0d178b1d1e | 146 | /* Initialize the ChaCha20 context (key and iv) */ |
| wolfSSL | 16:8e0d178b1d1e | 147 | ret = wc_Chacha_SetKey(&aead->chacha, inKey, |
| wolfSSL | 16:8e0d178b1d1e | 148 | CHACHA20_POLY1305_AEAD_KEYSIZE); |
| wolfSSL | 16:8e0d178b1d1e | 149 | if (ret == 0) { |
| wolfSSL | 16:8e0d178b1d1e | 150 | ret = wc_Chacha_SetIV(&aead->chacha, inIV, |
| wolfSSL | 16:8e0d178b1d1e | 151 | CHACHA20_POLY1305_AEAD_INITIAL_COUNTER); |
| wolfSSL | 16:8e0d178b1d1e | 152 | } |
| wolfSSL | 15:117db924cf7c | 153 | |
| wolfSSL | 15:117db924cf7c | 154 | /* Create the Poly1305 key */ |
| wolfSSL | 16:8e0d178b1d1e | 155 | if (ret == 0) { |
| wolfSSL | 16:8e0d178b1d1e | 156 | ret = wc_Chacha_Process(&aead->chacha, authKey, authKey, |
| wolfSSL | 16:8e0d178b1d1e | 157 | CHACHA20_POLY1305_AEAD_KEYSIZE); |
| wolfSSL | 16:8e0d178b1d1e | 158 | } |
| wolfSSL | 15:117db924cf7c | 159 | |
| wolfSSL | 16:8e0d178b1d1e | 160 | /* Initialize Poly1305 context */ |
| wolfSSL | 16:8e0d178b1d1e | 161 | if (ret == 0) { |
| wolfSSL | 16:8e0d178b1d1e | 162 | ret = wc_Poly1305SetKey(&aead->poly, authKey, |
| wolfSSL | 16:8e0d178b1d1e | 163 | CHACHA20_POLY1305_AEAD_KEYSIZE); |
| wolfSSL | 15:117db924cf7c | 164 | } |
| wolfSSL | 15:117db924cf7c | 165 | |
| wolfSSL | 16:8e0d178b1d1e | 166 | /* advance counter by 1 after creating Poly1305 key */ |
| wolfSSL | 16:8e0d178b1d1e | 167 | if (ret == 0) { |
| wolfSSL | 16:8e0d178b1d1e | 168 | ret = wc_Chacha_SetIV(&aead->chacha, inIV, |
| wolfSSL | 16:8e0d178b1d1e | 169 | CHACHA20_POLY1305_AEAD_INITIAL_COUNTER + 1); |
| wolfSSL | 16:8e0d178b1d1e | 170 | } |
| wolfSSL | 15:117db924cf7c | 171 | |
| wolfSSL | 16:8e0d178b1d1e | 172 | if (ret == 0) { |
| wolfSSL | 16:8e0d178b1d1e | 173 | aead->state = CHACHA20_POLY1305_STATE_READY; |
| wolfSSL | 16:8e0d178b1d1e | 174 | } |
| wolfSSL | 16:8e0d178b1d1e | 175 | |
| wolfSSL | 16:8e0d178b1d1e | 176 | return ret; |
| wolfSSL | 15:117db924cf7c | 177 | } |
| wolfSSL | 15:117db924cf7c | 178 | |
| wolfSSL | 16:8e0d178b1d1e | 179 | /* optional additional authentication data */ |
| wolfSSL | 16:8e0d178b1d1e | 180 | int wc_ChaCha20Poly1305_UpdateAad(ChaChaPoly_Aead* aead, |
| wolfSSL | 16:8e0d178b1d1e | 181 | const byte* inAAD, word32 inAADLen) |
| wolfSSL | 15:117db924cf7c | 182 | { |
| wolfSSL | 16:8e0d178b1d1e | 183 | int ret = 0; |
| wolfSSL | 15:117db924cf7c | 184 | |
| wolfSSL | 16:8e0d178b1d1e | 185 | if (aead == NULL || (inAAD == NULL && inAADLen > 0)) { |
| wolfSSL | 16:8e0d178b1d1e | 186 | return BAD_FUNC_ARG; |
| wolfSSL | 16:8e0d178b1d1e | 187 | } |
| wolfSSL | 16:8e0d178b1d1e | 188 | if (aead->state != CHACHA20_POLY1305_STATE_READY && |
| wolfSSL | 16:8e0d178b1d1e | 189 | aead->state != CHACHA20_POLY1305_STATE_AAD) { |
| wolfSSL | 16:8e0d178b1d1e | 190 | return BAD_STATE_E; |
| wolfSSL | 16:8e0d178b1d1e | 191 | } |
| wolfSSL | 16:8e0d178b1d1e | 192 | |
| wolfSSL | 16:8e0d178b1d1e | 193 | if (inAAD && inAADLen > 0) { |
| wolfSSL | 16:8e0d178b1d1e | 194 | ret = wc_Poly1305Update(&aead->poly, inAAD, inAADLen); |
| wolfSSL | 16:8e0d178b1d1e | 195 | if (ret == 0) { |
| wolfSSL | 16:8e0d178b1d1e | 196 | aead->aadLen += inAADLen; |
| wolfSSL | 16:8e0d178b1d1e | 197 | aead->state = CHACHA20_POLY1305_STATE_AAD; |
| wolfSSL | 16:8e0d178b1d1e | 198 | } |
| wolfSSL | 16:8e0d178b1d1e | 199 | } |
| wolfSSL | 15:117db924cf7c | 200 | |
| wolfSSL | 16:8e0d178b1d1e | 201 | return ret; |
| wolfSSL | 16:8e0d178b1d1e | 202 | } |
| wolfSSL | 16:8e0d178b1d1e | 203 | |
| wolfSSL | 16:8e0d178b1d1e | 204 | /* inData and outData can be same pointer (inline) */ |
| wolfSSL | 16:8e0d178b1d1e | 205 | int wc_ChaCha20Poly1305_UpdateData(ChaChaPoly_Aead* aead, |
| wolfSSL | 16:8e0d178b1d1e | 206 | const byte* inData, byte* outData, word32 dataLen) |
| wolfSSL | 16:8e0d178b1d1e | 207 | { |
| wolfSSL | 16:8e0d178b1d1e | 208 | int ret = 0; |
| wolfSSL | 15:117db924cf7c | 209 | |
| wolfSSL | 16:8e0d178b1d1e | 210 | if (aead == NULL || inData == NULL || outData == NULL) { |
| wolfSSL | 16:8e0d178b1d1e | 211 | return BAD_FUNC_ARG; |
| wolfSSL | 16:8e0d178b1d1e | 212 | } |
| wolfSSL | 16:8e0d178b1d1e | 213 | if (aead->state != CHACHA20_POLY1305_STATE_READY && |
| wolfSSL | 16:8e0d178b1d1e | 214 | aead->state != CHACHA20_POLY1305_STATE_AAD && |
| wolfSSL | 16:8e0d178b1d1e | 215 | aead->state != CHACHA20_POLY1305_STATE_DATA) { |
| wolfSSL | 16:8e0d178b1d1e | 216 | return BAD_STATE_E; |
| wolfSSL | 16:8e0d178b1d1e | 217 | } |
| wolfSSL | 15:117db924cf7c | 218 | |
| wolfSSL | 16:8e0d178b1d1e | 219 | /* Pad the AAD */ |
| wolfSSL | 16:8e0d178b1d1e | 220 | if (aead->state == CHACHA20_POLY1305_STATE_AAD) { |
| wolfSSL | 16:8e0d178b1d1e | 221 | ret = wc_Poly1305_Pad(&aead->poly, aead->aadLen); |
| wolfSSL | 15:117db924cf7c | 222 | } |
| wolfSSL | 15:117db924cf7c | 223 | |
| wolfSSL | 16:8e0d178b1d1e | 224 | /* advance state */ |
| wolfSSL | 16:8e0d178b1d1e | 225 | aead->state = CHACHA20_POLY1305_STATE_DATA; |
| wolfSSL | 15:117db924cf7c | 226 | |
| wolfSSL | 16:8e0d178b1d1e | 227 | /* Perform ChaCha20 encrypt/decrypt and Poly1305 auth calc */ |
| wolfSSL | 16:8e0d178b1d1e | 228 | if (ret == 0) { |
| wolfSSL | 16:8e0d178b1d1e | 229 | if (aead->isEncrypt) { |
| wolfSSL | 16:8e0d178b1d1e | 230 | ret = wc_Chacha_Process(&aead->chacha, outData, inData, dataLen); |
| wolfSSL | 16:8e0d178b1d1e | 231 | if (ret == 0) |
| wolfSSL | 16:8e0d178b1d1e | 232 | ret = wc_Poly1305Update(&aead->poly, outData, dataLen); |
| wolfSSL | 16:8e0d178b1d1e | 233 | } |
| wolfSSL | 16:8e0d178b1d1e | 234 | else { |
| wolfSSL | 16:8e0d178b1d1e | 235 | ret = wc_Poly1305Update(&aead->poly, inData, dataLen); |
| wolfSSL | 16:8e0d178b1d1e | 236 | if (ret == 0) |
| wolfSSL | 16:8e0d178b1d1e | 237 | ret = wc_Chacha_Process(&aead->chacha, outData, inData, dataLen); |
| wolfSSL | 16:8e0d178b1d1e | 238 | } |
| wolfSSL | 16:8e0d178b1d1e | 239 | } |
| wolfSSL | 16:8e0d178b1d1e | 240 | if (ret == 0) { |
| wolfSSL | 16:8e0d178b1d1e | 241 | aead->dataLen += dataLen; |
| wolfSSL | 16:8e0d178b1d1e | 242 | } |
| wolfSSL | 16:8e0d178b1d1e | 243 | return ret; |
| wolfSSL | 16:8e0d178b1d1e | 244 | } |
| wolfSSL | 16:8e0d178b1d1e | 245 | |
| wolfSSL | 16:8e0d178b1d1e | 246 | int wc_ChaCha20Poly1305_Final(ChaChaPoly_Aead* aead, |
| wolfSSL | 16:8e0d178b1d1e | 247 | byte outAuthTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]) |
| wolfSSL | 16:8e0d178b1d1e | 248 | { |
| wolfSSL | 16:8e0d178b1d1e | 249 | int ret = 0; |
| wolfSSL | 16:8e0d178b1d1e | 250 | |
| wolfSSL | 16:8e0d178b1d1e | 251 | if (aead == NULL || outAuthTag == NULL) { |
| wolfSSL | 16:8e0d178b1d1e | 252 | return BAD_FUNC_ARG; |
| wolfSSL | 16:8e0d178b1d1e | 253 | } |
| wolfSSL | 16:8e0d178b1d1e | 254 | if (aead->state != CHACHA20_POLY1305_STATE_AAD && |
| wolfSSL | 16:8e0d178b1d1e | 255 | aead->state != CHACHA20_POLY1305_STATE_DATA) { |
| wolfSSL | 16:8e0d178b1d1e | 256 | return BAD_STATE_E; |
| wolfSSL | 15:117db924cf7c | 257 | } |
| wolfSSL | 15:117db924cf7c | 258 | |
| wolfSSL | 16:8e0d178b1d1e | 259 | /* Pad the AAD - Make sure it is done */ |
| wolfSSL | 16:8e0d178b1d1e | 260 | if (aead->state == CHACHA20_POLY1305_STATE_AAD) { |
| wolfSSL | 16:8e0d178b1d1e | 261 | ret = wc_Poly1305_Pad(&aead->poly, aead->aadLen); |
| wolfSSL | 16:8e0d178b1d1e | 262 | } |
| wolfSSL | 16:8e0d178b1d1e | 263 | |
| wolfSSL | 16:8e0d178b1d1e | 264 | /* Pad the ciphertext to 16 bytes */ |
| wolfSSL | 16:8e0d178b1d1e | 265 | if (ret == 0) { |
| wolfSSL | 16:8e0d178b1d1e | 266 | ret = wc_Poly1305_Pad(&aead->poly, aead->dataLen); |
| wolfSSL | 16:8e0d178b1d1e | 267 | } |
| wolfSSL | 16:8e0d178b1d1e | 268 | |
| wolfSSL | 16:8e0d178b1d1e | 269 | /* Add the aad length and plaintext/ciphertext length */ |
| wolfSSL | 16:8e0d178b1d1e | 270 | if (ret == 0) { |
| wolfSSL | 16:8e0d178b1d1e | 271 | ret = wc_Poly1305_EncodeSizes(&aead->poly, aead->aadLen, |
| wolfSSL | 16:8e0d178b1d1e | 272 | aead->dataLen); |
| wolfSSL | 16:8e0d178b1d1e | 273 | } |
| wolfSSL | 15:117db924cf7c | 274 | |
| wolfSSL | 15:117db924cf7c | 275 | /* Finalize the auth tag */ |
| wolfSSL | 16:8e0d178b1d1e | 276 | if (ret == 0) { |
| wolfSSL | 16:8e0d178b1d1e | 277 | ret = wc_Poly1305Final(&aead->poly, outAuthTag); |
| wolfSSL | 16:8e0d178b1d1e | 278 | } |
| wolfSSL | 15:117db924cf7c | 279 | |
| wolfSSL | 16:8e0d178b1d1e | 280 | /* reset and cleanup sensitive context */ |
| wolfSSL | 16:8e0d178b1d1e | 281 | ForceZero(aead, sizeof(ChaChaPoly_Aead)); |
| wolfSSL | 15:117db924cf7c | 282 | |
| wolfSSL | 16:8e0d178b1d1e | 283 | return ret; |
| wolfSSL | 15:117db924cf7c | 284 | } |
| wolfSSL | 15:117db924cf7c | 285 | |
| wolfSSL | 15:117db924cf7c | 286 | #endif /* HAVE_CHACHA && HAVE_POLY1305 */ |
| wolfSSL | 15:117db924cf7c | 287 |