| author | cinap_lenrek <cinap_lenrek@felloff.net> | 2015-11-26 15:25:10 +0100 |
|---|---|---|
| committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2015-11-26 15:25:10 +0100 |
| commit | 254031cf7020f1b185c6d0af89c653a271e0ed01 (patch) | |
| tree | 9d8b55c3639a7c137ca6cd135a81b5f395d5f860 /sys/man | |
| parent | 90695e2eb24430a984e76afb6aaf1c10e2d4809e (diff) | |
libsec: add chacha20 poly1305 aead, allow 64 bit iv's for chacha, add tsmemcmp()
chacha20 comes in two variants: ietf rfc7539, using 96 bit iv and 32 bit counter
and draft-agl-tls-chacha20poly1305 using 64 bit iv and a 64 bit counter. so
setupChachastate() now takes an ivlen argument which sets the mode.
add ccpoly_encrypt()/ccpoly_decrypt() routines.
to implement timing safe ccpoly_decrypt(), a constant time memcmp was needed, so
adding tsmemcmp() to libsec.
Diffstat (limited to 'sys/man')

| -rw-r--r-- | sys/man/2/chacha | 63 |
|---|---|---|

1 files changed, 53 insertions, 10 deletions
diff --git a/sys/man/2/chacha b/sys/man/2/chacha index de07d133d..4ccf3834c 100644 --- a/sys/man/2/chacha +++ b/sys/man/2/chacha @@ -1,17 +1,15 @@ .TH CHACHA 2 .SH NAME -setupChachastate, chacha_setblock, chacha_encrypt, chacha_encrypt2 - chacha encryption +setupChachastate, chacha_setblock, chacha_setiv, chacha_encrypt, chacha_encrypt2, ccpoly_encrypt, ccpoly_decrypt \- chacha encryption .SH SYNOPSIS .B #include <u.h> .br .B #include <libc.h> .br -.B #include <mp.h> -.br .B #include <libsec.h> .PP .B -void setupChachastate(Chachastate *s, uchar key[], ulong keylen, uchar *nonce, int rounds) +void setupChachastate(Chachastate *s, uchar key[], ulong keylen, uchar *iv, ulong ivlen, int rounds) .PP .B void chacha_encrypt(uchar *data, ulong len, Chachastate *s) @@ -20,7 +18,16 @@ void chacha_encrypt(uchar *data, ulong len, Chachastate *s) void chacha_encrypt2(uchar *src, uchar *dst, ulong len, Chachastate *s) .PP .B -void chacha_setblock(Chachastate *s, u32int blockno) +void chacha_setblock(Chachastate *s, u64int blockno) +.PP +.B +void chacha_setiv(Chachastate *s, uchar *iv); +.PP +.B +void ccpoly_encrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs); +.PP +.B +int ccpoly_decrypt(uchar *dat, ulong ndat, uchar *aad, ulong naad, uchar tag[16], Chachastate *cs); .SH DESCRIPTION .PP Chacha is D J Berstein's symmetric stream cipher, as modified by RFC7539. It supports 
@@ -38,14 +45,19 @@ of bytes, which should normally be .BR ChachaKeylen , a -.I nonce -or initialisation vector of -.B ChachaIVlen -bytes (set to all zeros if the argument is nil), +.I iv +or nonce of +.I ivlen +bytes (can be +.BR ChachaIVlen =12 +or 8, set to all zeros if the +.I iv +argument is nil), and the number of .I rounds (set to the default of 20 if the argument is zero). -With a keylength of 256 bits (32 bytes) and 20 +With a key length of 256 bits (32 bytes), a nonce of 96 bits (12 bytes) +and 20 .IR rounds , the function implements the Chacha20 encryption function of RFC7539. .PP @@ -77,6 +89,37 @@ without modifying sets the Chacha block counter for the next encryption to .IR blockno , allowing seeking in an encrypted stream. +.PP +.I Chacha_setiv +sets the the initialization vector (nonce) to +.IR iv . +.PP +.I Ccpoly_encrypt +and +.I ccpoly_decrypt +implement authenticated encryption with associated data (AEAD) +using Chacha cipher and Poly1305 message authentication code +as specified in RFC7539. +These routines require a +.I Chachastate +that has been setup with a new (per key unique) initialization +vector (nonce) on each invocation. The referenced data +.IR dat [ ndat ] +is in-place encrypted or decrypted. +.I Ccpoly_encrypt +produces a 16 byte authentication +.IR tag , +while +.I ccpoly_decrypt +verifies the +.IR tag , +returning zero on success or negative on a mismatch. +The +.IR aad [ naad ] +arguments refer to the additional authenticated data +that is included in the +.I tag +calculation, but not encrypted. .SH SOURCE .B /sys/src/libsec .SH SEE ALSO |
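Review bot: in hunk `@@ -1,17 +1,15 @@`, dropping `.B #include <mp.h>` from SYNOPSIS is only right if libsec.h is self-contained for these declarations; check that a program including just u.h, libc.h and libsec.h compiles against the new `void setupChachastate(Chachastate *s, uchar key[], ulong keylen, uchar *iv, ulong ivlen, int rounds)` prototype, otherwise restore the line. The change of `-` to `\-` in the NAME line is correct troff for the name/description separator and should stay.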
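Review bot: in hunk `@@ -20,7 +18,16 @@`, the three new SYNOPSIS entries end with semicolons (`void chacha_setiv(Chachastate *s, uchar *iv);`) while the existing entries such as `void chacha_encrypt(uchar *data, ulong len, Chachastate *s)` carry none; drop them for consistency. Widening `chacha_setblock` to `u64int blockno` also deserves a sentence in DESCRIPTION on what the 96-bit-iv mode does with the upper 32 bits of the argument, since the commit message says that mode has a 32-bit counter; a caller seeking past 2^32 blocks should know whether the value is truncated or rejected.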
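Review bot: in hunk `@@ -38,14 +45,19 @@`, the `ivlen` text says the value "can be ChachaIVlen=12 or 8" but not what happens for any other length; the page should state whether setupChachastate rejects it, and which of the two modes a caller passing 0 gets. The 8-byte variant is named only in the commit message (draft-agl-tls-chacha20poly1305, 64-bit counter); naming it here next to the RFC7539 sentence would tell readers which wire format they get for each ivlen.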
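Review bot: in hunk `@@ -77,6 +89,37 @@`, the `ccpoly_decrypt` paragraph says the data is decrypted in place and the tag verified, "returning zero on success or negative on a mismatch", but not the state of `dat[ndat]` on failure; callers need to know whether the buffer then holds unauthenticated plaintext that must be discarded or is left untouched, so add one sentence either way. Two typos in the same hunk: "sets the the initialization vector" and "has been setup with" (should be "set up"). The commit message also adds tsmemcmp() to libsec, but no man page in this diffstat documents it.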