1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
|
// chachapoly.h - written and placed in the public domain by Jeffrey Walton
// RFC 8439, Section 2.8, AEAD Construction, http://tools.ietf.org/html/rfc8439
/// \file chachapoly.h
/// \brief ChaCha20/Poly1305-TLS AEAD cipher
/// \details ChaCha20Poly1305 is an authenticated encryption cipher that combines
/// ChaCha20TLS and Poly1305TLS. The cipher uses the IETF versions of ChaCha and
/// Poly1305 because it is defined in RFC 8439, section 2.8, AEAD_CHACHA20_POLY1305
/// construction.
/// \sa <A HREF="http://tools.ietf.org/html/rfc8439">RFC 8439, ChaCha20 and Poly1305
/// for IETF Protocols</A>.
#ifndef CRYPTOPP_CHACHA_POLY1305_H
#define CRYPTOPP_CHACHA_POLY1305_H
#include "cryptlib.h"
#include "authenc.h"
#include "chacha.h"
#include "poly1305.h"
NAMESPACE_BEGIN(CryptoPP)
/// \brief ChaCha20Poly1305 cipher base implementation
/// \details Base implementation of the AuthenticatedSymmetricCipher interface
/// \since Crypto++ 8.1
class ChaCha20Poly1305_Base
: public FixedKeyLength<32, SimpleKeyingInterface::UNIQUE_IV, 12>, public AuthenticatedSymmetricCipherBase
{
public:
virtual ~ChaCha20Poly1305_Base() {}
virtual const MessageAuthenticationCode & GetMAC() const = 0;
virtual MessageAuthenticationCode & AccessMAC() = 0;
public:
// AuthenticatedSymmetricCipher
std::string AlgorithmName() const
{return std::string("ChaCha20/Poly1305");}
std::string AlgorithmProvider() const
{return "C++";}
size_t MinKeyLength() const
{return 32;}
size_t MaxKeyLength() const
{return 32;}
size_t DefaultKeyLength() const
{return 32;}
size_t GetValidKeyLength(size_t n) const
{CRYPTOPP_UNUSED(n); return 32;}
bool IsValidKeyLength(size_t n) const
{return n==32;}
unsigned int OptimalDataAlignment() const
{return GetSymmetricCipher().OptimalDataAlignment();}
IV_Requirement IVRequirement() const
{return UNIQUE_IV;}
unsigned int IVSize() const
{return 16;}
unsigned int MinIVLength() const
{return 12;}
unsigned int MaxIVLength() const
{return 12;}
unsigned int DigestSize() const
{return 16;}
lword MaxHeaderLength() const
{return LWORD_MAX;}
lword MaxMessageLength() const
{return LWORD_MAX;}
lword MaxFooterLength() const
{return 16;}
/// \brief Encrypts and calculates a MAC in one call
/// \param ciphertext the encryption buffer
/// \param mac the mac buffer
/// \param macLength the size of the MAC buffer, in bytes
/// \param iv the iv buffer
/// \param ivLength the size of the IV buffer, in bytes
/// \param aad the AAD buffer
/// \param aadLength the size of the AAD buffer, in bytes
/// \param message the message buffer
/// \param messageLength the size of the messagetext buffer, in bytes
/// \details EncryptAndAuthenticate() encrypts and generates the MAC in one call. The function
/// truncates the MAC if <tt>macSize < TagSize()</tt>.
virtual void EncryptAndAuthenticate(byte *ciphertext, byte *mac, size_t macSize, const byte *iv, int ivLength, const byte *aad, size_t aadLength, const byte *message, size_t messageLength);
/// \brief Decrypts and verifies a MAC in one call
/// \param message the decryption buffer
/// \param mac the mac buffer
/// \param macLength the size of the MAC buffer, in bytes
/// \param iv the iv buffer
/// \param ivLength the size of the IV buffer, in bytes
/// \param aad the AAD buffer
/// \param aadLength the size of the AAD buffer, in bytes
/// \param cipher the cipher buffer
/// \param cipherLength the size of the ciphertext buffer, in bytes
/// \return true if the MAC is valid and the decoding succeeded, false otherwise
/// \details DecryptAndVerify() decrypts and verifies the MAC in one call.
/// <tt>message</tt> is a decryption buffer and should be at least as large as the ciphertext buffer.
/// \details The function returns true iff MAC is valid. DecryptAndVerify() assumes the MAC
/// is truncated if <tt>macLength < TagSize()</tt>.
virtual bool DecryptAndVerify(byte *message, const byte *mac, size_t macLength, const byte *iv, int ivLength, const byte *aad, size_t aadLength, const byte *ciphertext, size_t ciphertextLength);
protected:
// AuthenticatedSymmetricCipherBase
bool AuthenticationIsOnPlaintext() const {return false;}
unsigned int AuthenticationBlockSize() const {return 1;}
void SetKeyWithoutResync(const byte *userKey, size_t keylength, const NameValuePairs ¶ms);
void Resync(const byte *iv, size_t len);
size_t AuthenticateBlocks(const byte *data, size_t len);
void AuthenticateLastHeaderBlock();
void AuthenticateLastConfidentialBlock();
void AuthenticateLastFooterBlock(byte *mac, size_t macSize);
protected:
// ChaCha20 does not stash away the user key. There's no way to restart
// ChaCha once an encryption or decryption is performed. In fact, we
// cannot even Resynchronize it correctly. Compensate here.
void RekeyCipherAndMac(const byte *userKey, size_t userKeyLength, const NameValuePairs ¶ms);
SecByteBlock m_userKey;
};
/// \brief ChaCha20Poly1305 cipher final implementation
/// \details ChaCha20Poly1305 is an authenticated encryption cipher that combines
/// ChaCha20TLS and Poly1305TLS. The cipher uses the IETF versions of ChaCha and
/// Poly1305 because it is defined in RFC 8439, section 2.8, AEAD_CHACHA20_POLY1305
/// construction.
/// \sa <A HREF="http://tools.ietf.org/html/rfc8439">RFC 8439, ChaCha20 and Poly1305
/// for IETF Protocols</A>.
/// \since Crypto++ 8.1
class ChaCha20Poly1305_Final : public ChaCha20Poly1305_Base
{
protected:
const SymmetricCipher & GetSymmetricCipher()
{return const_cast<ChaCha20Poly1305_Final *>(this)->AccessSymmetricCipher();}
SymmetricCipher & AccessSymmetricCipher()
{return m_cipher;}
bool IsForwardTransformation() const
{return m_cipher.IsForwardTransformation();}
const MessageAuthenticationCode & GetMAC() const
{return const_cast<ChaCha20Poly1305_Final *>(this)->AccessMAC();}
MessageAuthenticationCode & AccessMAC()
{return m_mac;}
private:
ChaChaTLS::Encryption m_cipher;
Poly1305TLS m_mac;
};
/// \brief ChaCha20Poly1305-TLS cipher mode of operation
/// \details ChaCha20Poly1305 is an authenticated encryption cipher that combines
/// ChaCha20TLS and Poly1305TLS. The cipher uses the IETF versions of ChaCha and
/// Poly1305 because it is defined in RFC 8439, section 2.8, AEAD_CHACHA20_POLY1305
/// construction.
/// \sa <A HREF="http://tools.ietf.org/html/rfc8439">RFC 8439, ChaCha20 and Poly1305
/// for IETF Protocols</A>.
/// \since Crypto++ 8.1
struct ChaCha20Poly1305 : public AuthenticatedSymmetricCipherDocumentation
{
typedef ChaCha20Poly1305_Final Encryption;
typedef Encryption Decryption;
};
NAMESPACE_END
#endif // CRYPTOPP_CHACHA_POLY1305_H
|
