1 // ring has a garbage API so its use is avoided, but rust-crypto doesn't have RFC-variant poly1305
2 // Instead, we steal rust-crypto's implementation and tweak it to match the RFC.
4 // Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
5 // http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
6 // <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
7 // option. This file may not be copied, modified, or distributed
8 // except according to those terms.
10 // This is a port of Andrew Moons poly1305-donna
11 // https://github.com/floodyberry/poly1305-donna
13 #[cfg(not(feature = "fuzztarget"))]
15 use util::chacha20::ChaCha20;
16 use util::poly1305::Poly1305;
18 use crypto::util::fixed_time_eq;
22 #[derive(Clone, Copy)]
23 pub struct ChaCha20Poly1305RFC {
31 impl ChaCha20Poly1305RFC {
33 fn pad_mac_16(mac: &mut Poly1305, len: usize) {
35 mac.input(&[0; 16][0..16 - (len % 16)]);
38 pub fn new(key: &[u8], nonce: &[u8], aad: &[u8]) -> ChaCha20Poly1305RFC {
39 assert!(key.len() == 16 || key.len() == 32);
40 assert!(nonce.len() == 12);
42 // Ehh, I'm too lazy to *also* tweak ChaCha20 to make it RFC-compliant
43 assert!(nonce[0] == 0 && nonce[1] == 0 && nonce[2] == 0 && nonce[3] == 0);
45 let mut cipher = ChaCha20::new(key, &nonce[4..]);
46 let mut mac_key = [0u8; 64];
47 let zero_key = [0u8; 64];
48 cipher.process(&zero_key, &mut mac_key);
50 let mut mac = Poly1305::new(&mac_key[..32]);
52 ChaCha20Poly1305RFC::pad_mac_16(&mut mac, aad.len());
59 aad_len: aad.len() as u64,
63 pub fn encrypt(&mut self, input: &[u8], output: &mut [u8], out_tag: &mut [u8]) {
64 assert!(input.len() == output.len());
65 assert!(self.finished == false);
66 self.cipher.process(input, output);
67 self.data_len += input.len();
68 self.mac.input(output);
69 ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
71 self.mac.input(&byte_utils::le64_to_array(self.aad_len));
72 self.mac.input(&byte_utils::le64_to_array(self.data_len as u64));
73 self.mac.raw_result(out_tag);
76 pub fn decrypt(&mut self, input: &[u8], output: &mut [u8], tag: &[u8]) -> bool {
77 assert!(input.len() == output.len());
78 assert!(self.finished == false);
82 self.mac.input(input);
84 self.data_len += input.len();
85 ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
86 self.mac.input(&byte_utils::le64_to_array(self.aad_len));
87 self.mac.input(&byte_utils::le64_to_array(self.data_len as u64));
89 let mut calc_tag = [0u8; 16];
90 self.mac.raw_result(&mut calc_tag);
91 if fixed_time_eq(&calc_tag, tag) {
92 self.cipher.process(input, output);
100 #[cfg(not(feature = "fuzztarget"))]
101 pub use self::real_chachapoly::ChaCha20Poly1305RFC;
103 #[cfg(feature = "fuzztarget")]
104 mod fuzzy_chachapoly {
105 #[derive(Clone, Copy)]
106 pub struct ChaCha20Poly1305RFC {
110 impl ChaCha20Poly1305RFC {
111 pub fn new(key: &[u8], nonce: &[u8], _aad: &[u8]) -> ChaCha20Poly1305RFC {
112 assert!(key.len() == 16 || key.len() == 32);
113 assert!(nonce.len() == 12);
115 // Ehh, I'm too lazy to *also* tweak ChaCha20 to make it RFC-compliant
116 assert!(nonce[0] == 0 && nonce[1] == 0 && nonce[2] == 0 && nonce[3] == 0);
118 let mut tag = [0; 16];
119 tag.copy_from_slice(&key[0..16]);
121 ChaCha20Poly1305RFC {
127 pub fn encrypt(&mut self, input: &[u8], output: &mut [u8], out_tag: &mut [u8]) {
128 assert!(input.len() == output.len());
129 assert!(self.finished == false);
131 output.copy_from_slice(&input);
132 out_tag.copy_from_slice(&self.tag);
133 self.finished = true;
136 pub fn decrypt(&mut self, input: &[u8], output: &mut [u8], tag: &[u8]) -> bool {
137 assert!(input.len() == output.len());
138 assert!(self.finished == false);
140 if tag[..] != self.tag[..] { return false; }
141 output.copy_from_slice(input);
142 self.finished = true;
147 #[cfg(feature = "fuzztarget")]
148 pub use self::fuzzy_chachapoly::ChaCha20Poly1305RFC;