From fb25db9c288182463a9be828385a906592dc066b Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 9 Jul 2014 15:48:40 -0600 Subject: [PATCH] progress on suite --- ctaocrypt/src/chacha.c | 7 +- ctaocrypt/src/poly1305.c | 278 ++++++++++++++++++------------------ cyassl/ctaocrypt/poly1305.h | 10 +- cyassl/internal.h | 2 - src/internal.c | 10 +- 5 files changed, 150 insertions(+), 157 deletions(-) diff --git a/ctaocrypt/src/chacha.c b/ctaocrypt/src/chacha.c index 86c94278c..2ea74082b 100644 --- a/ctaocrypt/src/chacha.c +++ b/ctaocrypt/src/chacha.c @@ -17,7 +17,8 @@ * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA - * + * + * based from * chacha-ref.c version 20080118 * D. J. Bernstein * Public domain. @@ -90,7 +91,7 @@ int Chacha_SetIV(ChaCha* ctx, const byte* inIv, word32 counter) XMEMCPY(temp, inIv, 12); - ctx->X[12] = counter; /* block counter */ + ctx->X[12] = counter; /* block counter */ ctx->X[13] = temp[0]; /* fixed variable from nonce */ ctx->X[14] = temp[1]; /* counter from nonce */ ctx->X[15] = temp[2]; /* counter from nonce */ @@ -115,7 +116,7 @@ int Chacha_SetKey(ChaCha* ctx, const byte* key, word32 keySz) return BAD_FUNC_ARG; #ifdef XSTREAM_ALIGN - word32 alignKey[4]; + word32 alignKey[keySz / 4]; if ((word)key % 4) { CYASSL_MSG("ChachaSetKey unaligned key"); XMEMCPY(alignKey, key, sizeof(alignKey)); diff --git a/ctaocrypt/src/poly1305.c b/ctaocrypt/src/poly1305.c index 718d2fb7c..1534e4d58 100644 --- a/ctaocrypt/src/poly1305.c +++ b/ctaocrypt/src/poly1305.c @@ -18,7 +18,8 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA * - * Based off the implementation by Andrew Moon + * Based off the public domain implementations by Andrew Moon + * and Daniel J. Bernstein */ #ifdef HAVE_POLY1305 
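Review bot: `word32 alignKey[keySz / 4];` in Chacha_SetKey makes the aligned copy a variable-length array sized by the caller's keySz, and the following `XMEMCPY(alignKey, key, sizeof(alignKey))` then copies (keySz/4)*4 bytes, so a keySz that is not a multiple of 4 but passes the earlier check would be silently truncated. VLAs are also not supported by MSVC, which poly1305.c in this same commit explicitly targets via `_MSC_VER`. Assuming the largest ChaCha key is 32 bytes, a fixed buffer with an explicit copy length avoids both problems: `word32 alignKey[8];` and `XMEMCPY(alignKey, key, keySz);`. The keySz validation and the rest of Chacha_SetKey lie outside the hunk, so confirm that check bounds keySz to at most 32.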
@@ -48,146 +49,87 @@ #define LITTLE32(x) (x) #endif -#ifdef POLY130564 -#if defined(_MSC_VER) - #define POLY1305_NOINLINE __declspec(noinline) -#elif defined(__GNUC__) - #define POLY1305_NOINLINE __attribute__((noinline)) -#else - #define POLY1305_NOINLINE -#endif - -#if defined(_MSC_VER) - #include +#if defined(POLY130564) - typedef struct word128 { - word64 lo; - word64 hi; - } word128; - - #define MUL(out, x, y) out.lo = _umul128((x), (y), &out.hi) - #define ADD(out, in) { word64 t = out.lo; out.lo += in.lo; - out.hi += (out.lo < t) + in.hi; } - #define ADDLO(out, in) { word64 t = out.lo; out.lo += in; - out.hi += (out.lo < t); } - #define SHR(in, shift) (__shiftright128(in.lo, in.hi, (shift))) - #define LO(in) (in.lo) - -#elif defined(__GNUC__) - #if defined(__SIZEOF_INT128__) - typedef unsigned __int128 word128; + #if defined(_MSC_VER) + #define POLY1305_NOINLINE __declspec(noinline) + #elif defined(__GNUC__) + #define POLY1305_NOINLINE __attribute__((noinline)) #else - typedef unsigned word128 __attribute__((mode(TI))); + #define POLY1305_NOINLINE #endif - - #define MUL(out, x, y) out = ((word128)x * y) - #define ADD(out, in) out += in - #define ADDLO(out, in) out += in - #define SHR(in, shift) (word64)(in >> (shift)) - #define LO(in) (word64)(in) -#endif - -static word64 U8TO64(const byte* p) { - return - (((word64)(p[0] & 0xff) ) | - ((word64)(p[1] & 0xff) << 8) | - ((word64)(p[2] & 0xff) << 16) | - ((word64)(p[3] & 0xff) << 24) | - ((word64)(p[4] & 0xff) << 32) | - ((word64)(p[5] & 0xff) << 40) | - ((word64)(p[6] & 0xff) << 48) | - ((word64)(p[7] & 0xff) << 56)); -} - -static void U64TO8(byte* p, word64 v) { - p[0] = (v ) & 0xff; - p[1] = (v >> 8) & 0xff; - p[2] = (v >> 16) & 0xff; - p[3] = (v >> 24) & 0xff; - p[4] = (v >> 32) & 0xff; - p[5] = (v >> 40) & 0xff; - p[6] = (v >> 48) & 0xff; - p[7] = (v >> 56) & 0xff; -} -#else /* if not 64 bit then use 32 bit */ -static word32 U8TO32(const byte *p) { - return - (((word32)(p[0] & 0xff) ) | - ((word32)(p[1] & 
0xff) << 8) | - ((word32)(p[2] & 0xff) << 16) | - ((word32)(p[3] & 0xff) << 24)); -} - -static void U32TO8(byte *p, word32 v) { - p[0] = (v ) & 0xff; - p[1] = (v >> 8) & 0xff; - p[2] = (v >> 16) & 0xff; - p[3] = (v >> 24) & 0xff; -} -#endif - -int Poly1305SetKey(Poly1305* ctx, const byte* key, word32 keySz) { - - if (keySz != 32) - return 1; - -#ifdef CHACHA_AEAD_TEST - int k; - printf("Poly key used: "); - for (k = 0; k < keySz; k++) - printf("%02x", key[k]); - printf("\n"); -#endif - -#ifdef POLY130564 - word64 t0,t1; - - /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ - t0 = U8TO64(key + 0); - t1 = U8TO64(key + 8); - - ctx->r[0] = ( t0 ) & 0xffc0fffffff; - ctx->r[1] = ((t0 >> 44) | (t1 << 20)) & 0xfffffc0ffff; - ctx->r[2] = ((t1 >> 24) ) & 0x00ffffffc0f; - - /* h (accumulator) = 0 */ - ctx->h[0] = 0; - ctx->h[1] = 0; - ctx->h[2] = 0; - - /* save pad for later */ - ctx->pad[0] = U8TO64(key + 16); - ctx->pad[1] = U8TO64(key + 24); + + #if defined(_MSC_VER) + #include + + typedef struct word128 { + word64 lo; + word64 hi; + } word128; + + #define MUL(out, x, y) out.lo = _umul128((x), (y), &out.hi) + #define ADD(out, in) { word64 t = out.lo; out.lo += in.lo; + out.hi += (out.lo < t) + in.hi; } + #define ADDLO(out, in) { word64 t = out.lo; out.lo += in; + out.hi += (out.lo < t); } + #define SHR(in, shift) (__shiftright128(in.lo, in.hi, (shift))) + #define LO(in) (in.lo) + + #elif defined(__GNUC__) + #if defined(__SIZEOF_INT128__) + typedef unsigned __int128 word128; + #else + typedef unsigned word128 __attribute__((mode(TI))); + #endif + + #define MUL(out, x, y) out = ((word128)x * y) + #define ADD(out, in) out += in + #define ADDLO(out, in) out += in + #define SHR(in, shift) (word64)(in >> (shift)) + #define LO(in) (word64)(in) + #endif + + static word64 U8TO64(const byte* p) { + return + (((word64)(p[0] & 0xff) ) | + ((word64)(p[1] & 0xff) << 8) | + ((word64)(p[2] & 0xff) << 16) | + ((word64)(p[3] & 0xff) << 24) | + ((word64)(p[4] & 0xff) << 32) | + ((word64)(p[5] & 
0xff) << 40) | + ((word64)(p[6] & 0xff) << 48) | + ((word64)(p[7] & 0xff) << 56)); + } + + static void U64TO8(byte* p, word64 v) { + p[0] = (v ) & 0xff; + p[1] = (v >> 8) & 0xff; + p[2] = (v >> 16) & 0xff; + p[3] = (v >> 24) & 0xff; + p[4] = (v >> 32) & 0xff; + p[5] = (v >> 40) & 0xff; + p[6] = (v >> 48) & 0xff; + p[7] = (v >> 56) & 0xff; + } #else /* if not 64 bit then use 32 bit */ - /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ - ctx->r[0] = (U8TO32(key + 0) ) & 0x3ffffff; - ctx->r[1] = (U8TO32(key + 3) >> 2) & 0x3ffff03; - ctx->r[2] = (U8TO32(key + 6) >> 4) & 0x3ffc0ff; - ctx->r[3] = (U8TO32(key + 9) >> 6) & 0x3f03fff; - ctx->r[4] = (U8TO32(key + 12) >> 8) & 0x00fffff; - - /* h = 0 */ - ctx->h[0] = 0; - ctx->h[1] = 0; - ctx->h[2] = 0; - ctx->h[3] = 0; - ctx->h[4] = 0; - - /* save pad for later */ - ctx->pad[0] = U8TO32(key + 16); - ctx->pad[1] = U8TO32(key + 20); - ctx->pad[2] = U8TO32(key + 24); - ctx->pad[3] = U8TO32(key + 28); + static word32 U8TO32(const byte *p) { + return + (((word32)(p[0] & 0xff) ) | + ((word32)(p[1] & 0xff) << 8) | + ((word32)(p[2] & 0xff) << 16) | + ((word32)(p[3] & 0xff) << 24)); + } + + static void U32TO8(byte *p, word32 v) { + p[0] = (v ) & 0xff; + p[1] = (v >> 8) & 0xff; + p[2] = (v >> 16) & 0xff; + p[3] = (v >> 24) & 0xff; + } #endif - ctx->leftover = 0; - ctx->final = 0; - - return 0; -} - static void poly1305_blocks(Poly1305* ctx, const unsigned char *m, size_t bytes) { #ifdef POLY130564 
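Review bot: The MSVC-side `ADD` and `ADDLO` macros are bare `{ ... }` compound statements, so `ADD(x, y);` after an unbraced `if` leaves a stray `;` that breaks a following `else`, and the local `t` can shadow a caller's variable; wrap them in `do { ... } while (0)`, e.g. `#define ADDLO(out, in) do { word64 t = out.lo; out.lo += in; out.hi += (out.lo < t); } while (0)`. The hunk only moves and re-indents this code, but since it is being reorganized anyway this is the moment to fix it. The `#include` inside the `_MSC_VER` branch shows no header name in this rendering (presumably `<intrin.h>`, which provides `_umul128`); confirm it survived the reindent. poly1305_blocks begins at the end of this hunk and its body continues outside it.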
@@ -306,13 +248,78 @@ static void poly1305_blocks(Poly1305* ctx, const unsigned char *m, ctx->h[3] = h3; ctx->h[4] = h4; +#endif /* end of 64 bit cpu blocks or 32 bit cpu */ +} + + +int Poly1305SetKey(Poly1305* ctx, const byte* key, word32 keySz) { + + if (keySz != 32) + return 1; + +#ifdef CHACHA_AEAD_TEST + int k; + printf("Poly key used: "); + for (k = 0; k < keySz; k++) + printf("%02x", key[k]); + printf("\n"); #endif +#if defined(POLY130564) + + word64 t0,t1; + + /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ + t0 = U8TO64(key + 0); + t1 = U8TO64(key + 8); + + ctx->r[0] = ( t0 ) & 0xffc0fffffff; + ctx->r[1] = ((t0 >> 44) | (t1 << 20)) & 0xfffffc0ffff; + ctx->r[2] = ((t1 >> 24) ) & 0x00ffffffc0f; + + /* h (accumulator) = 0 */ + ctx->h[0] = 0; + ctx->h[1] = 0; + ctx->h[2] = 0; + + /* save pad for later */ + ctx->pad[0] = U8TO64(key + 16); + ctx->pad[1] = U8TO64(key + 24); + +#else /* if not 64 bit then use 32 bit */ + + /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ + ctx->r[0] = (U8TO32(key + 0) ) & 0x3ffffff; + ctx->r[1] = (U8TO32(key + 3) >> 2) & 0x3ffff03; + ctx->r[2] = (U8TO32(key + 6) >> 4) & 0x3ffc0ff; + ctx->r[3] = (U8TO32(key + 9) >> 6) & 0x3f03fff; + ctx->r[4] = (U8TO32(key + 12) >> 8) & 0x00fffff; + + /* h = 0 */ + ctx->h[0] = 0; + ctx->h[1] = 0; + ctx->h[2] = 0; + ctx->h[3] = 0; + ctx->h[4] = 0; + + /* save pad for later */ + ctx->pad[0] = U8TO32(key + 16); + ctx->pad[1] = U8TO32(key + 20); + ctx->pad[2] = U8TO32(key + 24); + ctx->pad[3] = U8TO32(key + 28); + +#endif + + ctx->leftover = 0; + ctx->final = 0; + + return 0; } + int Poly1305Final(Poly1305* ctx, byte* mac) { -#ifdef POLY130564 +#if defined(POLY130564) word64 h0,h1,h2,c; word64 g0,g1,g2; @@ -476,7 +483,6 @@ int Poly1305Final(Poly1305* ctx, byte* mac) { int Poly1305Update(Poly1305* ctx, const byte* m, word32 bytes) { - size_t i; #ifdef CHACHA_AEAD_TEST int k; 
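Review bot: Poly1305SetKey rejects a wrong key length with `return 1;`, while Chacha_SetKey in this same commit returns `BAD_FUNC_ARG` for the equivalent condition; a caller testing `ret != 0` still works, but the bare positive value carries no meaning and differs from the library's error-code convention, so `return BAD_FUNC_ARG;` would be consistent. In the `CHACHA_AEAD_TEST` block, `for (k = 0; k < keySz; k++)` compares a signed `int k` with the `word32 keySz` and will trip `-Wsign-compare`; declaring `word32 k;` fixes it. That block also writes the raw key bytes to stdout, so it must remain strictly a test-only define. The moved function is otherwise unchanged from the removed copy in the earlier hunk.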
@@ -485,6 +491,7 @@ int Poly1305Update(Poly1305* ctx, const byte* m, word32 bytes) { printf("%02x", m[k]); printf("\n"); #endif + size_t i; /* handle leftover */ if (ctx->leftover) { @@ -516,7 +523,6 @@ int Poly1305Update(Poly1305* ctx, const byte* m, word32 bytes) { ctx->buffer[ctx->leftover + i] = m[i]; ctx->leftover += bytes; } - return 0; } #endif /* HAVE_POLY1305 */ diff --git a/cyassl/ctaocrypt/poly1305.h b/cyassl/ctaocrypt/poly1305.h index 9584305f9..8f5df5caa 100644 --- a/cyassl/ctaocrypt/poly1305.h +++ b/cyassl/ctaocrypt/poly1305.h @@ -31,8 +31,6 @@ extern "C" { #endif -//#define POLY1305_BLOCK_SIZE 16 - /* auto detect between 32bit / 64bit */ #define HAS_SIZEOF_INT128_64BIT (defined(__SIZEOF_INT128__) && defined(__LP64__)) #define HAS_MSVC_64BIT (defined(_MSC_VER) && defined(_M_X64)) @@ -51,24 +49,20 @@ enum { POLY1305_PAD_SIZE = 56 }; - /* Poly1305 state */ typedef struct Poly1305 { -#ifdef POLY130564 +#if defined(POLY130564) word64 r[3]; word64 h[3]; word64 pad[2]; - size_t leftover; - unsigned char buffer[POLY1305_BLOCK_SIZE]; - unsigned char final; #else word32 r[5]; word32 h[5]; word32 pad[4]; +#endif size_t leftover; unsigned char buffer[POLY1305_BLOCK_SIZE]; unsigned char final; -#endif } Poly1305; diff --git a/cyassl/internal.h b/cyassl/internal.h index 532f83c72..397d14f82 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -2111,8 +2111,6 @@ CYASSL_LOCAL int GrowInputBuffer(CYASSL* ssl, int size, int usedLength); CYASSL_LOCAL int MakeTlsMasterSecret(CYASSL*); CYASSL_LOCAL int TLS_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz, int content, int verify); - CYASSL_LOCAL int TLS_poly1305(CYASSL* ssl, byte* digest, const byte* in, - word32 sz, int content, int verify); #endif #ifndef NO_CYASSL_CLIENT diff --git a/src/internal.c b/src/internal.c index 39605290c..2ee09acb2 100644 --- a/src/internal.c +++ b/src/internal.c 
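Review bot: Moving `size_t i;` below the `CHACHA_AEAD_TEST` block (together with the removal in the `@@ -476` hunk) places a declaration after the `printf` statements whenever that macro is defined, which strict C89 builds reject; with the macro undefined the move changes nothing, so it buys nothing either. Keeping the declaration at the top of Poly1305Update, above the `#ifdef`, as it was, avoids the issue: `size_t i;` directly after the opening brace. The body of Poly1305Update continues outside this hunk.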
@@ -4329,7 +4329,8 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word16 sz) + (sz - AEAD_EXP_IV_SZ - ssl->specs.aead_mac_size) % 16; byte p[CHACHA20_BLOCK_SIZE + padding2 + 16]; - XMEMSET(tag, 0, 16); + XMEMSET(tag, 0, ssl->specs.aead_mac_size); + XMEMSET(nonce, 0, AEAD_NONCE_SZ); XMEMSET(cipher, 0, sizeof(cipher)); XMEMSET(additional, 0, CHACHA20_BLOCK_SIZE); XMEMSET(p, 0, CHACHA20_BLOCK_SIZE + padding2 + 16); @@ -8385,13 +8386,6 @@ static void PickHashSigAlgo(CYASSL* ssl, #endif - /* poly1305 */ - InitMd5(&md5); - Md5Update(&md5, ssl->arrays->clientRandom, RAN_LEN); - Md5Update(&md5, ssl->arrays->serverRandom, RAN_LEN); - Md5Update(&md5, messageVerify, verifySz); - Md5Final(&md5, hash); - #ifndef NO_SHA256 ret = InitSha256(&sha256); if (ret != 0)
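Review bot: `XMEMSET(tag, 0, ssl->specs.aead_mac_size);` now ties the length of the write to a runtime field, while the old literal `16` suggests `tag` is a fixed 16-byte array declared outside the hunk; if it is an array, `XMEMSET(tag, 0, sizeof(tag));` keeps the clear bounded by the buffer regardless of what `aead_mac_size` holds. The same consideration applies to the new `XMEMSET(nonce, 0, AEAD_NONCE_SZ);` if `nonce` is not declared with that constant. The VLA `byte p[CHACHA20_BLOCK_SIZE + padding2 + 16]` in the context lines is sized from the record length and is a pre-existing stack-usage concern worth a follow-up. Encrypt starts and ends outside this hunk.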