1*e7b1675dSTing-Kang Chang// Copyright 2020 Google LLC 2*e7b1675dSTing-Kang Chang// 3*e7b1675dSTing-Kang Chang// Licensed under the Apache License, Version 2.0 (the "License"); 4*e7b1675dSTing-Kang Chang// you may not use this file except in compliance with the License. 5*e7b1675dSTing-Kang Chang// You may obtain a copy of the License at 6*e7b1675dSTing-Kang Chang// 7*e7b1675dSTing-Kang Chang// http://www.apache.org/licenses/LICENSE-2.0 8*e7b1675dSTing-Kang Chang// 9*e7b1675dSTing-Kang Chang// Unless required by applicable law or agreed to in writing, software 10*e7b1675dSTing-Kang Chang// distributed under the License is distributed on an "AS IS" BASIS, 11*e7b1675dSTing-Kang Chang// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12*e7b1675dSTing-Kang Chang// See the License for the specific language governing permissions and 13*e7b1675dSTing-Kang Chang// limitations under the License. 14*e7b1675dSTing-Kang Chang// 15*e7b1675dSTing-Kang Chang//////////////////////////////////////////////////////////////////////////////// 16*e7b1675dSTing-Kang Chang 17*e7b1675dSTing-Kang Changpackage subtle 18*e7b1675dSTing-Kang Chang 19*e7b1675dSTing-Kang Changimport ( 20*e7b1675dSTing-Kang Chang "errors" 21*e7b1675dSTing-Kang Chang "fmt" 22*e7b1675dSTing-Kang Chang 23*e7b1675dSTing-Kang Chang "golang.org/x/crypto/chacha20poly1305" 24*e7b1675dSTing-Kang Chang "github.com/google/tink/go/subtle/random" 25*e7b1675dSTing-Kang Chang "github.com/google/tink/go/tink" 26*e7b1675dSTing-Kang Chang) 27*e7b1675dSTing-Kang Chang 28*e7b1675dSTing-Kang Changconst ( 29*e7b1675dSTing-Kang Chang poly1305TagSize = 16 30*e7b1675dSTing-Kang Chang) 31*e7b1675dSTing-Kang Chang 32*e7b1675dSTing-Kang Chang// ChaCha20Poly1305 is an implementation of AEAD interface. 33*e7b1675dSTing-Kang Changtype ChaCha20Poly1305 struct { 34*e7b1675dSTing-Kang Chang Key []byte 35*e7b1675dSTing-Kang Chang} 36*e7b1675dSTing-Kang Chang 37*e7b1675dSTing-Kang Chang// Assert that ChaCha20Poly1305 implements the AEAD interface. 38*e7b1675dSTing-Kang Changvar _ tink.AEAD = (*ChaCha20Poly1305)(nil) 39*e7b1675dSTing-Kang Chang 40*e7b1675dSTing-Kang Chang// NewChaCha20Poly1305 returns an ChaCha20Poly1305 instance. 41*e7b1675dSTing-Kang Chang// The key argument should be a 32-bytes key. 42*e7b1675dSTing-Kang Changfunc NewChaCha20Poly1305(key []byte) (*ChaCha20Poly1305, error) { 43*e7b1675dSTing-Kang Chang if len(key) != chacha20poly1305.KeySize { 44*e7b1675dSTing-Kang Chang return nil, errors.New("chacha20poly1305: bad key length") 45*e7b1675dSTing-Kang Chang } 46*e7b1675dSTing-Kang Chang 47*e7b1675dSTing-Kang Chang return &ChaCha20Poly1305{Key: key}, nil 48*e7b1675dSTing-Kang Chang} 49*e7b1675dSTing-Kang Chang 50*e7b1675dSTing-Kang Chang// Encrypt encrypts plaintext with associatedData. 51*e7b1675dSTing-Kang Chang// 52*e7b1675dSTing-Kang Chang// The resulting ciphertext consists of two parts: 53*e7b1675dSTing-Kang Chang// 1. the nonce used for encryption 54*e7b1675dSTing-Kang Chang// 2. the actual ciphertext 55*e7b1675dSTing-Kang Changfunc (ca *ChaCha20Poly1305) Encrypt(plaintext []byte, associatedData []byte) ([]byte, error) { 56*e7b1675dSTing-Kang Chang if len(plaintext) > maxInt-chacha20poly1305.NonceSize-poly1305TagSize { 57*e7b1675dSTing-Kang Chang return nil, fmt.Errorf("chacha20poly1305: plaintext too long") 58*e7b1675dSTing-Kang Chang } 59*e7b1675dSTing-Kang Chang c, err := chacha20poly1305.New(ca.Key) 60*e7b1675dSTing-Kang Chang if err != nil { 61*e7b1675dSTing-Kang Chang return nil, err 62*e7b1675dSTing-Kang Chang } 63*e7b1675dSTing-Kang Chang 64*e7b1675dSTing-Kang Chang nonce := random.GetRandomBytes(chacha20poly1305.NonceSize) 65*e7b1675dSTing-Kang Chang // Set dst's capacity to fit the nonce and ciphertext. 66*e7b1675dSTing-Kang Chang dst := make([]byte, 0, chacha20poly1305.NonceSize+len(plaintext)+c.Overhead()) 67*e7b1675dSTing-Kang Chang dst = append(dst, nonce...) 68*e7b1675dSTing-Kang Chang // Seal appends the ciphertext to dst. So the final output is: nonce || ciphertext. 69*e7b1675dSTing-Kang Chang return c.Seal(dst, nonce, plaintext, associatedData), nil 70*e7b1675dSTing-Kang Chang} 71*e7b1675dSTing-Kang Chang 72*e7b1675dSTing-Kang Chang// Decrypt decrypts ciphertext with associatedData. 73*e7b1675dSTing-Kang Chang// 74*e7b1675dSTing-Kang Chang// ciphertext consists of two parts: 75*e7b1675dSTing-Kang Chang// 1. the nonce used for encryption 76*e7b1675dSTing-Kang Chang// 2. the actual ciphertext 77*e7b1675dSTing-Kang Changfunc (ca *ChaCha20Poly1305) Decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) { 78*e7b1675dSTing-Kang Chang if len(ciphertext) < chacha20poly1305.NonceSize+poly1305TagSize { 79*e7b1675dSTing-Kang Chang return nil, fmt.Errorf("chacha20poly1305: ciphertext too short") 80*e7b1675dSTing-Kang Chang } 81*e7b1675dSTing-Kang Chang 82*e7b1675dSTing-Kang Chang c, err := chacha20poly1305.New(ca.Key) 83*e7b1675dSTing-Kang Chang if err != nil { 84*e7b1675dSTing-Kang Chang return nil, err 85*e7b1675dSTing-Kang Chang } 86*e7b1675dSTing-Kang Chang 87*e7b1675dSTing-Kang Chang nonce := ciphertext[:chacha20poly1305.NonceSize] 88*e7b1675dSTing-Kang Chang pt, err := c.Open(nil, nonce, ciphertext[chacha20poly1305.NonceSize:] /*=ciphertext*/, associatedData) 89*e7b1675dSTing-Kang Chang if err != nil { 90*e7b1675dSTing-Kang Chang return nil, fmt.Errorf("ChaCha20Poly1305.Decrypt: %v", err) 91*e7b1675dSTing-Kang Chang } 92*e7b1675dSTing-Kang Chang return pt, nil 93*e7b1675dSTing-Kang Chang} 94