1 /*
2  * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /* chacha20 cipher implementation */
11 
12 #include "cipher_chacha20.h"
13 
chacha20_initkey(PROV_CIPHER_CTX * bctx,const uint8_t * key,size_t keylen)14 static int chacha20_initkey(PROV_CIPHER_CTX *bctx, const uint8_t *key,
15                             size_t keylen)
16 {
17     PROV_CHACHA20_CTX *ctx = (PROV_CHACHA20_CTX *)bctx;
18     unsigned int i;
19 
20     if (key != NULL) {
21         for (i = 0; i < CHACHA_KEY_SIZE; i += 4)
22             ctx->key.d[i / 4] = CHACHA_U8TOU32(key + i);
23     }
24     ctx->partial_len = 0;
25     return 1;
26 }
27 
chacha20_initiv(PROV_CIPHER_CTX * bctx)28 static int chacha20_initiv(PROV_CIPHER_CTX *bctx)
29 {
30     PROV_CHACHA20_CTX *ctx = (PROV_CHACHA20_CTX *)bctx;
31     unsigned int i;
32 
33     if (bctx->iv_set) {
34         for (i = 0; i < CHACHA_CTR_SIZE; i += 4)
35             ctx->counter[i / 4] = CHACHA_U8TOU32(bctx->oiv + i);
36     }
37     ctx->partial_len = 0;
38     return 1;
39 }
40 
chacha20_cipher(PROV_CIPHER_CTX * bctx,unsigned char * out,const unsigned char * in,size_t inl)41 static int chacha20_cipher(PROV_CIPHER_CTX *bctx, unsigned char *out,
42                            const unsigned char *in, size_t inl)
43 {
44     PROV_CHACHA20_CTX *ctx = (PROV_CHACHA20_CTX *)bctx;
45     unsigned int n, rem, ctr32;
46 
47     n = ctx->partial_len;
48     if (n > 0) {
49         while (inl > 0 && n < CHACHA_BLK_SIZE) {
50             *out++ = *in++ ^ ctx->buf[n++];
51             inl--;
52         }
53         ctx->partial_len = n;
54 
55         if (inl == 0)
56             return 1;
57 
58         if (n == CHACHA_BLK_SIZE) {
59             ctx->partial_len = 0;
60             ctx->counter[0]++;
61             if (ctx->counter[0] == 0)
62                 ctx->counter[1]++;
63         }
64     }
65 
66     rem = (unsigned int)(inl % CHACHA_BLK_SIZE);
67     inl -= rem;
68     ctr32 = ctx->counter[0];
69     while (inl >= CHACHA_BLK_SIZE) {
70         size_t blocks = inl / CHACHA_BLK_SIZE;
71 
72         /*
73          * 1<<28 is just a not-so-small yet not-so-large number...
74          * Below condition is practically never met, but it has to
75          * be checked for code correctness.
76          */
77         if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28))
78             blocks = (1U << 28);
79 
80         /*
81          * As ChaCha20_ctr32 operates on 32-bit counter, caller
82          * has to handle overflow. 'if' below detects the
83          * overflow, which is then handled by limiting the
84          * amount of blocks to the exact overflow point...
85          */
86         ctr32 += (unsigned int)blocks;
87         if (ctr32 < blocks) {
88             blocks -= ctr32;
89             ctr32 = 0;
90         }
91         blocks *= CHACHA_BLK_SIZE;
92         ChaCha20_ctr32(out, in, blocks, ctx->key.d, ctx->counter);
93         inl -= blocks;
94         in += blocks;
95         out += blocks;
96 
97         ctx->counter[0] = ctr32;
98         if (ctr32 == 0) ctx->counter[1]++;
99     }
100 
101     if (rem > 0) {
102         memset(ctx->buf, 0, sizeof(ctx->buf));
103         ChaCha20_ctr32(ctx->buf, ctx->buf, CHACHA_BLK_SIZE,
104                        ctx->key.d, ctx->counter);
105         for (n = 0; n < rem; n++)
106             out[n] = in[n] ^ ctx->buf[n];
107         ctx->partial_len = rem;
108     }
109 
110     return 1;
111 }
112 
113 static const PROV_CIPHER_HW_CHACHA20 chacha20_hw = {
114     { chacha20_initkey, chacha20_cipher },
115     chacha20_initiv
116 };
117 
ossl_prov_cipher_hw_chacha20(size_t keybits)118 const PROV_CIPHER_HW *ossl_prov_cipher_hw_chacha20(size_t keybits)
119 {
120     return (PROV_CIPHER_HW *)&chacha20_hw;
121 }
122 
123