|
| 1 | +/* |
| 2 | +** This file contains th implementation for |
| 3 | +** - the ChaCha20 cipher |
| 4 | +** - the Poly1305 message digest |
| 5 | +** |
| 6 | +** The code was taken from the public domain implementation |
| 7 | +** of the sqleet project (https://github.com/resilar/sqleet) |
| 8 | +*/ |
| 9 | + |
| 10 | +#include <stdint.h> |
| 11 | + |
| 12 | +#define ROL32(x, c) (((x) << (c)) | ((x) >> (32-(c)))) |
| 13 | +#define ROR32(x, c) (((x) >> (c)) | ((x) << (32-(c)))) |
| 14 | + |
| 15 | +#define LOAD32_LE(p) \ |
| 16 | + ( ((uint32_t)((p)[0]) << 0) \ |
| 17 | + | ((uint32_t)((p)[1]) << 8) \ |
| 18 | + | ((uint32_t)((p)[2]) << 16) \ |
| 19 | + | ((uint32_t)((p)[3]) << 24) \ |
| 20 | + ) |
| 21 | +#define LOAD32_BE(p) \ |
| 22 | + ( ((uint32_t)((p)[3]) << 0) \ |
| 23 | + | ((uint32_t)((p)[2]) << 8) \ |
| 24 | + | ((uint32_t)((p)[1]) << 16) \ |
| 25 | + | ((uint32_t)((p)[0]) << 24) \ |
| 26 | + ) |
| 27 | + |
| 28 | +#define STORE32_LE(p, v) \ |
| 29 | + (p)[0] = ((v) >> 0) & 0xFF; \ |
| 30 | + (p)[1] = ((v) >> 8) & 0xFF; \ |
| 31 | + (p)[2] = ((v) >> 16) & 0xFF; \ |
| 32 | + (p)[3] = ((v) >> 24) & 0xFF; |
| 33 | +#define STORE32_BE(p, v) \ |
| 34 | + (p)[3] = ((v) >> 0) & 0xFF; \ |
| 35 | + (p)[2] = ((v) >> 8) & 0xFF; \ |
| 36 | + (p)[1] = ((v) >> 16) & 0xFF; \ |
| 37 | + (p)[0] = ((v) >> 24) & 0xFF; |
| 38 | +#define STORE64_BE(p, v) \ |
| 39 | + (p)[7] = ((v) >> 0) & 0xFF; \ |
| 40 | + (p)[6] = ((v) >> 8) & 0xFF; \ |
| 41 | + (p)[5] = ((v) >> 16) & 0xFF; \ |
| 42 | + (p)[4] = ((v) >> 24) & 0xFF; \ |
| 43 | + (p)[3] = ((v) >> 32) & 0xFF; \ |
| 44 | + (p)[2] = ((v) >> 40) & 0xFF; \ |
| 45 | + (p)[1] = ((v) >> 48) & 0xFF; \ |
| 46 | + (p)[0] = ((v) >> 56) & 0xFF; |
| 47 | + |
| 48 | +/* |
| 49 | + * ChaCha20 stream cipher |
| 50 | + */ |
| 51 | +static void chacha20_block(unsigned char out[64], const uint32_t in[16]) |
| 52 | +{ |
| 53 | + int i; |
| 54 | + uint32_t x[16]; |
| 55 | + memcpy(x, in, sizeof(uint32_t) * 16); |
| 56 | + |
| 57 | + #define QR(x, a, b, c, d) \ |
| 58 | + x[a] += x[b]; x[d] ^= x[a]; x[d] = ROL32(x[d], 16); \ |
| 59 | + x[c] += x[d]; x[b] ^= x[c]; x[b] = ROL32(x[b], 12); \ |
| 60 | + x[a] += x[b]; x[d] ^= x[a]; x[d] = ROL32(x[d], 8); \ |
| 61 | + x[c] += x[d]; x[b] ^= x[c]; x[b] = ROL32(x[b], 7); |
| 62 | + for (i = 0; i < 10; i++) |
| 63 | + { |
| 64 | + /* Column round */ |
| 65 | + QR(x, 0, 4, 8, 12) |
| 66 | + QR(x, 1, 5, 9, 13) |
| 67 | + QR(x, 2, 6, 10, 14) |
| 68 | + QR(x, 3, 7, 11, 15) |
| 69 | + /* Diagonal round */ |
| 70 | + QR(x, 0, 5, 10, 15) |
| 71 | + QR(x, 1, 6, 11, 12) |
| 72 | + QR(x, 2, 7, 8, 13) |
| 73 | + QR(x, 3, 4, 9, 14) |
| 74 | + } |
| 75 | + #undef QR |
| 76 | + |
| 77 | + for (i = 0; i < 16; i++) |
| 78 | + { |
| 79 | + const uint32_t v = x[i] + in[i]; |
| 80 | + STORE32_LE(out, v); |
| 81 | + out += 4; |
| 82 | + } |
| 83 | +} |
| 84 | + |
| 85 | +void chacha20_xor(unsigned char* data, size_t n, const unsigned char key[32], |
| 86 | + const unsigned char nonce[12], uint32_t counter) |
| 87 | +{ |
| 88 | + size_t i; |
| 89 | + uint32_t state[16]; |
| 90 | + unsigned char block[64]; |
| 91 | + static const unsigned char sigma[16] = "expand 32-byte k"; |
| 92 | + |
| 93 | + state[ 0] = LOAD32_LE(sigma + 0); |
| 94 | + state[ 1] = LOAD32_LE(sigma + 4); |
| 95 | + state[ 2] = LOAD32_LE(sigma + 8); |
| 96 | + state[ 3] = LOAD32_LE(sigma + 12); |
| 97 | + |
| 98 | + state[ 4] = LOAD32_LE(key + 0); |
| 99 | + state[ 5] = LOAD32_LE(key + 4); |
| 100 | + state[ 6] = LOAD32_LE(key + 8); |
| 101 | + state[ 7] = LOAD32_LE(key + 12); |
| 102 | + state[ 8] = LOAD32_LE(key + 16); |
| 103 | + state[ 9] = LOAD32_LE(key + 20); |
| 104 | + state[10] = LOAD32_LE(key + 24); |
| 105 | + state[11] = LOAD32_LE(key + 28); |
| 106 | + |
| 107 | + state[12] = counter; |
| 108 | + |
| 109 | + state[13] = LOAD32_LE(nonce + 0); |
| 110 | + state[14] = LOAD32_LE(nonce + 4); |
| 111 | + state[15] = LOAD32_LE(nonce + 8); |
| 112 | + |
| 113 | + while (n >= 64) |
| 114 | + { |
| 115 | + chacha20_block(block, state); |
| 116 | + for (i = 0; i < 64; i++) |
| 117 | + { |
| 118 | + data[i] ^= block[i]; |
| 119 | + } |
| 120 | + state[12]++; |
| 121 | + data += 64; |
| 122 | + n -= 64; |
| 123 | + } |
| 124 | + |
| 125 | + if (n > 0) |
| 126 | + { |
| 127 | + chacha20_block(block, state); |
| 128 | + for (i = 0; i < n; i++) |
| 129 | + { |
| 130 | + data[i] ^= block[i]; |
| 131 | + } |
| 132 | + } |
| 133 | +} |
| 134 | + |
| 135 | +/* |
| 136 | + * Poly1305 authentication tags |
| 137 | + */ |
| 138 | +void poly1305(const unsigned char* msg, size_t n, const unsigned char key[32], |
| 139 | + unsigned char tag[16]) |
| 140 | +{ |
| 141 | + uint32_t c, m, w; |
| 142 | + uint32_t r0, r1, r2, r3, r4; |
| 143 | + uint32_t s1, s2, s3, s4; |
| 144 | + uint64_t f0, f1, f2, f3; |
| 145 | + uint32_t g0, g1, g2, g3, g4; |
| 146 | + uint32_t h0, h1, h2, h3, h4; |
| 147 | + unsigned char buf[16]; |
| 148 | + size_t i; |
| 149 | + |
| 150 | + c = 1 << 24; |
| 151 | + r0 = (LOAD32_LE(key + 0) >> 0) & 0x03FFFFFF; |
| 152 | + r1 = (LOAD32_LE(key + 3) >> 2) & 0x03FFFF03; |
| 153 | + r2 = (LOAD32_LE(key + 6) >> 4) & 0x03FFC0FF; |
| 154 | + r3 = (LOAD32_LE(key + 9) >> 6) & 0x03F03FFF; |
| 155 | + r4 = (LOAD32_LE(key + 12) >> 8) & 0x000FFFFF; |
| 156 | + s1 = r1 * 5; s2 = r2 * 5; s3 = r3 * 5; s4 = r4 * 5; |
| 157 | + h0 = h1 = h2 = h3 = h4 = 0; |
| 158 | + while (n >= 16) |
| 159 | + { |
| 160 | + uint64_t d0, d1, d2, d3, d4; |
| 161 | +process_block: |
| 162 | + h0 += (LOAD32_LE(msg + 0) >> 0) & 0x03FFFFFF; |
| 163 | + h1 += (LOAD32_LE(msg + 3) >> 2) & 0x03FFFFFF; |
| 164 | + h2 += (LOAD32_LE(msg + 6) >> 4) & 0x03FFFFFF; |
| 165 | + h3 += (LOAD32_LE(msg + 9) >> 6) & 0x03FFFFFF; |
| 166 | + h4 += (LOAD32_LE(msg + 12) >> 8) | c; |
| 167 | + |
| 168 | + #define MUL(a,b) ((uint64_t)(a) * (b)) |
| 169 | + d0 = MUL(h0,r0) + MUL(h1,s4) + MUL(h2,s3) + MUL(h3,s2) + MUL(h4,s1); |
| 170 | + d1 = MUL(h0,r1) + MUL(h1,r0) + MUL(h2,s4) + MUL(h3,s3) + MUL(h4,s2); |
| 171 | + d2 = MUL(h0,r2) + MUL(h1,r1) + MUL(h2,r0) + MUL(h3,s4) + MUL(h4,s3); |
| 172 | + d3 = MUL(h0,r3) + MUL(h1,r2) + MUL(h2,r1) + MUL(h3,r0) + MUL(h4,s4); |
| 173 | + d4 = MUL(h0,r4) + MUL(h1,r3) + MUL(h2,r2) + MUL(h3,r1) + MUL(h4,r0); |
| 174 | + #undef MUL |
| 175 | + |
| 176 | + h0 = d0 & 0x03FFFFFF; d1 += (uint32_t)(d0 >> 26); |
| 177 | + h1 = d1 & 0x03FFFFFF; d2 += (uint32_t)(d1 >> 26); |
| 178 | + h2 = d2 & 0x03FFFFFF; d3 += (uint32_t)(d2 >> 26); |
| 179 | + h3 = d3 & 0x03FFFFFF; d4 += (uint32_t)(d3 >> 26); |
| 180 | + h4 = d4 & 0x03FFFFFF; h0 += (uint32_t)(d4 >> 26) * 5; |
| 181 | + h1 += (h0 >> 26); h0 = h0 & 0x03FFFFFF; |
| 182 | + |
| 183 | + msg += 16; |
| 184 | + n -= 16; |
| 185 | + } |
| 186 | + if (n) |
| 187 | + { |
| 188 | + for (i = 0; i < n; i++) buf[i] = msg[i]; |
| 189 | + buf[i++] = 1; |
| 190 | + while (i < 16) buf[i++] = 0; |
| 191 | + msg = buf; |
| 192 | + n = 16; |
| 193 | + c = 0; |
| 194 | + goto process_block; |
| 195 | + } |
| 196 | + *(volatile uint32_t*) &r0 = 0; |
| 197 | + *(volatile uint32_t*) &r1 = 0; *(volatile uint32_t*) &s1 = 0; |
| 198 | + *(volatile uint32_t*) &r2 = 0; *(volatile uint32_t*) &s2 = 0; |
| 199 | + *(volatile uint32_t*) &r3 = 0; *(volatile uint32_t*) &s3 = 0; |
| 200 | + *(volatile uint32_t*) &r4 = 0; *(volatile uint32_t*) &s4 = 0; |
| 201 | + |
| 202 | + h2 += (h1 >> 26); h1 &= 0x03FFFFFF; |
| 203 | + h3 += (h2 >> 26); h2 &= 0x03FFFFFF; |
| 204 | + h4 += (h3 >> 26); h3 &= 0x03FFFFFF; |
| 205 | + h0 += (h4 >> 26) * 5; h4 &= 0x03FFFFFF; |
| 206 | + h1 += (h0 >> 26); h0 &= 0x03FFFFFF; |
| 207 | + |
| 208 | + g0 = h0 + 5; |
| 209 | + g1 = h1 + (g0 >> 26); g0 &= 0x03FFFFFF; |
| 210 | + g2 = h2 + (g1 >> 26); g1 &= 0x03FFFFFF; |
| 211 | + g3 = h3 + (g2 >> 26); g2 &= 0x03FFFFFF; |
| 212 | + g4 = h4 + (g3 >> 26) - (1 << 26); g3 &= 0x03FFFFFF; |
| 213 | + |
| 214 | + w = ~(m = (g4 >> 31) - 1); |
| 215 | + h0 = (h0 & w) | (g0 & m); |
| 216 | + h1 = (h1 & w) | (g1 & m); |
| 217 | + h2 = (h2 & w) | (g2 & m); |
| 218 | + h3 = (h3 & w) | (g3 & m); |
| 219 | + h4 = (h4 & w) | (g4 & m); |
| 220 | + |
| 221 | + f0 = ((h0 >> 0) | (h1 << 26)) + (uint64_t) LOAD32_LE(&key[16]); |
| 222 | + f1 = ((h1 >> 6) | (h2 << 20)) + (uint64_t) LOAD32_LE(&key[20]); |
| 223 | + f2 = ((h2 >> 12) | (h3 << 14)) + (uint64_t) LOAD32_LE(&key[24]); |
| 224 | + f3 = ((h3 >> 18) | (h4 << 8)) + (uint64_t) LOAD32_LE(&key[28]); |
| 225 | + |
| 226 | + STORE32_LE(tag + 0, f0); f1 += (f0 >> 32); |
| 227 | + STORE32_LE(tag + 4, f1); f2 += (f1 >> 32); |
| 228 | + STORE32_LE(tag + 8, f2); f3 += (f2 >> 32); |
| 229 | + STORE32_LE(tag + 12, f3); |
| 230 | +} |
| 231 | + |
| 232 | +int poly1305_tagcmp(const unsigned char tag1[16], const unsigned char tag2[16]) |
| 233 | +{ |
| 234 | + unsigned int d = 0; |
| 235 | + d |= tag1[ 0] ^ tag2[ 0]; |
| 236 | + d |= tag1[ 1] ^ tag2[ 1]; |
| 237 | + d |= tag1[ 2] ^ tag2[ 2]; |
| 238 | + d |= tag1[ 3] ^ tag2[ 3]; |
| 239 | + d |= tag1[ 4] ^ tag2[ 4]; |
| 240 | + d |= tag1[ 5] ^ tag2[ 5]; |
| 241 | + d |= tag1[ 6] ^ tag2[ 6]; |
| 242 | + d |= tag1[ 7] ^ tag2[ 7]; |
| 243 | + d |= tag1[ 8] ^ tag2[ 8]; |
| 244 | + d |= tag1[ 9] ^ tag2[ 9]; |
| 245 | + d |= tag1[10] ^ tag2[10]; |
| 246 | + d |= tag1[11] ^ tag2[11]; |
| 247 | + d |= tag1[12] ^ tag2[12]; |
| 248 | + d |= tag1[13] ^ tag2[13]; |
| 249 | + d |= tag1[14] ^ tag2[14]; |
| 250 | + d |= tag1[15] ^ tag2[15]; |
| 251 | + return d; |
| 252 | +} |
| 253 | + |
| 254 | +/* |
| 255 | + * Platform-specific entropy functions for seeding RNG |
| 256 | + */ |
| 257 | +#if defined(__unix__) || defined(__APPLE__) |
| 258 | +#define _GNU_SOURCE |
| 259 | +#include <unistd.h> |
| 260 | +#include <sys/syscall.h> |
| 261 | + |
| 262 | +#ifdef __linux__ |
| 263 | +#include <linux/random.h> |
| 264 | +#endif |
| 265 | + |
| 266 | +/* Returns the number of urandom bytes read (either 0 or n) */ |
| 267 | +static size_t read_urandom(void* buf, size_t n) |
| 268 | +{ |
| 269 | + size_t i; |
| 270 | + ssize_t ret; |
| 271 | + int fd, count; |
| 272 | + struct stat st; |
| 273 | + int errnold = errno; |
| 274 | + |
| 275 | + do |
| 276 | + { |
| 277 | + fd = open("/dev/urandom", O_RDONLY, 0); |
| 278 | + } |
| 279 | + while (fd == -1 && errno == EINTR); |
| 280 | + if (fd == -1) |
| 281 | + goto fail; |
| 282 | + fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC); |
| 283 | + |
| 284 | + /* Check the sanity of the device node */ |
| 285 | + if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode) |
| 286 | + #ifdef __linux__ |
| 287 | + || ioctl(fd, RNDGETENTCNT, &count) == -1 |
| 288 | + #endif |
| 289 | + ) |
| 290 | + { |
| 291 | + close(fd); |
| 292 | + goto fail; |
| 293 | + } |
| 294 | + |
| 295 | + /* Read bytes */ |
| 296 | + for (i = 0; i < n; i += ret) |
| 297 | + { |
| 298 | + while ((ret = read(fd, (char *)buf + i, n - i)) == -1) |
| 299 | + { |
| 300 | + if (errno != EAGAIN && errno != EINTR) |
| 301 | + { |
| 302 | + close(fd); |
| 303 | + goto fail; |
| 304 | + } |
| 305 | + } |
| 306 | + } |
| 307 | + close(fd); |
| 308 | + |
| 309 | + /* Verify that the random device returned non-zero data */ |
| 310 | + for (i = 0; i < n; i++) |
| 311 | + { |
| 312 | + if (((unsigned char *)buf)[i] != 0) |
| 313 | + { |
| 314 | + errno = errnold; |
| 315 | + return n; |
| 316 | + } |
| 317 | + } |
| 318 | + |
| 319 | + /* Tiny n may unintentionally fall through! */ |
| 320 | +fail: |
| 321 | + fprintf(stderr, "bad /dev/urandom RNG)\n"); |
| 322 | + abort(); /* PANIC! */ |
| 323 | + return 0; |
| 324 | +} |
| 325 | + |
| 326 | +static size_t entropy(void* buf, size_t n) |
| 327 | +{ |
| 328 | +#if defined(__linux__) && defined(SYS_getrandom) |
| 329 | + if (syscall(SYS_getrandom, buf, n, 0) == n) |
| 330 | + return n; |
| 331 | +#elif defined(SYS_getentropy) |
| 332 | + if (syscall(SYS_getentropy, buf, n) == 0) |
| 333 | + return n; |
| 334 | +#endif |
| 335 | + return read_urandom(buf, n); |
| 336 | +} |
| 337 | + |
| 338 | +#elif defined(_WIN32) |
| 339 | + |
| 340 | +#include <windows.h> |
| 341 | +#define RtlGenRandom SystemFunction036 |
| 342 | +BOOLEAN NTAPI RtlGenRandom(PVOID RandomBuffer, ULONG RandomBufferLength); |
| 343 | +#pragma comment(lib, "advapi32.lib") |
| 344 | + |
| 345 | +static size_t entropy(void* buf, size_t n) |
| 346 | +{ |
| 347 | + return RtlGenRandom(buf, n) ? n : 0; |
| 348 | +} |
| 349 | + |
| 350 | +#else |
| 351 | +# error "Secure pseudorandom number generator unimplemented for this OS" |
| 352 | +#endif |
| 353 | + |
| 354 | +/* |
| 355 | + * ChaCha20 random number generator |
| 356 | + */ |
| 357 | +void chacha20_rng(void* out, size_t n) |
| 358 | +{ |
| 359 | + static size_t available = 0; |
| 360 | + static uint32_t counter = 0xFFFFFFFF; |
| 361 | + static unsigned char key[32], nonce[12], buffer[64]; |
| 362 | + sqlite3_mutex* mutex; |
| 363 | + size_t m; |
| 364 | + |
| 365 | + mutex = sqlite3_mutex_alloc(SQLITE_MUTEX_STATIC_PRNG); |
| 366 | + sqlite3_mutex_enter(mutex); |
| 367 | + while (n > 0) |
| 368 | + { |
| 369 | + if (available == 0) |
| 370 | + { |
| 371 | + if (counter == 0xFFFFFFFF) |
| 372 | + { |
| 373 | + if (entropy(key, sizeof(key)) != sizeof(key)) |
| 374 | + abort(); |
| 375 | + if (entropy(nonce, sizeof(nonce)) != sizeof(nonce)) |
| 376 | + abort(); |
| 377 | + counter = 0; |
| 378 | + } |
| 379 | + chacha20_xor(buffer, sizeof(buffer), key, nonce, ++counter); |
| 380 | + available = sizeof(buffer); |
| 381 | + } |
| 382 | + m = (available < n) ? available : n; |
| 383 | + memcpy(out, buffer + (sizeof(buffer) - available), m); |
| 384 | + out = (unsigned char *)out + m; |
| 385 | + available -= m; |
| 386 | + n -= m; |
| 387 | + } |
| 388 | + sqlite3_mutex_leave(mutex); |
| 389 | +} |
0 commit comments