18 assert(key.size() == KEYLEN);
23 assert(key.size() == KEYLEN);
24 m_chacha20.SetKey(key);
29int timingsafe_bcmp_internal(
const unsigned char* b1,
const unsigned char* b2,
size_t n)
noexcept
31 const unsigned char *p1 = b1, *p2 = b2;
41 static const std::byte PADDING[16] = {{}};
45 chacha20.Keystream(first_block);
52 const unsigned aad_padding_length = (16 - (aad.size() % 16)) % 16;
53 poly1305.Update(aad).Update(
Span{PADDING}.
first(aad_padding_length));
55 const unsigned cipher_padding_length = (16 - (cipher.size() % 16)) % 16;
56 poly1305.Update(cipher).Update(
Span{PADDING}.
first(cipher_padding_length));
60 WriteLE64(length_desc + 8, cipher.size());
61 poly1305.Update(length_desc);
64 poly1305.Finalize(tag);
71 assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);
74 m_chacha20.Seek(
nonce, 1);
75 m_chacha20.Crypt(plain1, cipher.first(plain1.size()));
76 m_chacha20.Crypt(plain2, cipher.subspan(plain1.size()).first(plain2.size()));
79 m_chacha20.Seek(
nonce, 0);
80 ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), cipher.last(EXPANSION));
85 assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);
88 m_chacha20.Seek(
nonce, 0);
89 std::byte expected_tag[EXPANSION];
90 ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), expected_tag);
91 if (timingsafe_bcmp_internal(
UCharCast(expected_tag),
UCharCast(cipher.last(EXPANSION).data()), EXPANSION))
return false;
94 m_chacha20.Crypt(cipher.first(plain1.size()), plain1);
95 m_chacha20.Crypt(cipher.subspan(plain1.size()).first(plain2.size()), plain2);
102 m_chacha20.Seek(
nonce, 1);
103 m_chacha20.Keystream(keystream);
126 m_aead.Encrypt(plain1, plain2, aad, {m_packet_counter, m_rekey_counter}, cipher);
132 bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain1, plain2);
AEADChaCha20Poly1305(Span< const std::byte > key) noexcept
Initialize an AEAD instance with a specified 32-byte key.
ChaCha20::Nonce96 Nonce96
96-bit nonce type.
void Encrypt(Span< const std::byte > plain, Span< const std::byte > aad, Nonce96 nonce, Span< std::byte > cipher) noexcept
Encrypt a message with a specified 96-bit nonce and aad.
void SetKey(Span< const std::byte > key) noexcept
Switch to another 32-byte key.
bool Decrypt(Span< const std::byte > cipher, Span< const std::byte > aad, Nonce96 nonce, Span< std::byte > plain) noexcept
Decrypt a message with a specified 96-bit nonce and aad.
void Keystream(Nonce96 nonce, Span< std::byte > keystream) noexcept
Get a number of keystream bytes from the underlying stream cipher.
static constexpr unsigned BLOCKLEN
Block size (inputs/outputs to Keystream / Crypt should be multiples of this).
Unrestricted ChaCha20 cipher.
void NextPacket() noexcept
Update counters (and if necessary, key) to transition to the next message.
const uint32_t m_rekey_interval
Every how many iterations this cipher rekeys.
bool Decrypt(Span< const std::byte > cipher, Span< const std::byte > aad, Span< std::byte > plain) noexcept
Decrypt a message with a specified aad.
uint32_t m_packet_counter
The number of encryptions/decryptions since the last rekey.
AEADChaCha20Poly1305 m_aead
Internal AEAD.
static constexpr auto KEYLEN
Length of keys expected by the constructor.
uint64_t m_rekey_counter
The number of rekeys performed so far.
void Encrypt(Span< const std::byte > plain, Span< const std::byte > aad, Span< std::byte > cipher) noexcept
Encrypt a message with a specified aad.
C++ wrapper with std::byte Span interface around poly1305_donna code.
static constexpr unsigned KEYLEN
Length of the keys expected by the constructor.
static constexpr unsigned TAGLEN
Length of the output produced by Finalize().
CONSTEXPR_IF_NOT_DEBUG Span< C > first(std::size_t count) const noexcept
void memory_cleanse(void *ptr, size_t len)
Secure overwrite a buffer (possibly containing secret data) with zero-bytes.
void WriteLE64(B *ptr, uint64_t x)
unsigned char * UCharCast(char *c)
1.9.4