Support for XChaCha20 and XChaCha20-Poly1305

2025-12-08 05:19:46 +00:00 · 2019-06-04 15:30:13 +02:00 · 2019-06-04 15:30:13 +02:00 · c09ed08d76
commit c09ed08d76
parent 14528bd87a
9 changed files with 271 additions and 67 deletions
--- a/lib/Crypto/Cipher/ChaCha20.py
+++ b/lib/Crypto/Cipher/ChaCha20.py
@ -57,9 +57,28 @@ _raw_chacha20_lib = load_pycryptodome_raw_lib("Crypto.Cipher._chacha20",
                                      unsigned long block_high,
                                      unsigned long block_low,
                                      unsigned offset);
+                    int hchacha20(  const uint8_t key[32],
+                                    const uint8_t nonce16[16],
+                                    uint8_t subkey[32]);
                    """)


+def _HChaCha20(key, nonce):
+
+    assert(len(key) == 32)
+    assert(len(nonce) == 16)
+
+    subkey = bytearray(32)
+    result = _raw_chacha20_lib.hchacha20(
+                c_uint8_ptr(key),
+                c_uint8_ptr(nonce),
+                c_uint8_ptr(subkey))
+    if result:
+        raise ValueError("Error %d when deriving subkey with HChaCha20" % result)
+
+    return subkey
+
+
 class ChaCha20Cipher(object):
    """ChaCha20 cipher object. Do not create it directly. Use :py:func:`new` instead.

@ -70,13 +89,23 @@ class ChaCha20Cipher(object):
    block_size = 1

    def __init__(self, key, nonce):
-        """Initialize a ChaCha20 cipher object
+        """Initialize a ChaCha20/XChaCha20 cipher object

        See also `new()` at the module level."""

+        # XChaCha20 requires a key derivation with HChaCha20
+        # See 2.3 in https://tools.ietf.org/html/draft-arciszewski-xchacha-03
+        if len(nonce) == 24:
+            key = _HChaCha20(key, nonce[:16])
+            nonce = b'\x00' * 4 + nonce[16:]
+            self._name = "XChaCha20"
+        else:
+            self._name = "ChaCha20"
+
        self.nonce = _copy_bytes(None, None, nonce)

        self._next = ( self.encrypt, self.decrypt )
+
        self._state = VoidPointer()
        result = _raw_chacha20_lib.chacha20_init(
                        self._state.address_of(),
@ -85,7 +114,8 @@ class ChaCha20Cipher(object):
                        self.nonce,
                        c_size_t(len(nonce)))
        if result:
-            raise ValueError("Error %d instantiating a ChaCha20 cipher")
+            raise ValueError("Error %d instantiating a %s cipher" % (result,
+                                                                     self._name))
        self._state = SmartPointer(self._state.get(),
                                   _raw_chacha20_lib.chacha20_destroy)

@ -109,15 +139,15 @@ class ChaCha20Cipher(object):

    def _encrypt(self, plaintext, output):
        """Encrypt without FSM checks"""
-        
+
        if output is None:
            ciphertext = create_string_buffer(len(plaintext))
        else:
            ciphertext = output
-            
+
            if not is_writeable_buffer(output):
                raise TypeError("output must be a bytearray or a writeable memoryview")
-        
+
            if len(plaintext) != len(output):
                raise ValueError("output must have the same length as the input"
                                 "  (%d bytes)" % len(plaintext))
@ -128,8 +158,8 @@ class ChaCha20Cipher(object):
                                         c_uint8_ptr(ciphertext),
                                         c_size_t(len(plaintext)))
        if result:
-            raise ValueError("Error %d while encrypting with ChaCha20" % result)
-        
+            raise ValueError("Error %d while encrypting with %s" % (result, self._name))
+
        if output is None:
            return get_raw_buffer(ciphertext)
        else:
@ -137,7 +167,7 @@ class ChaCha20Cipher(object):

    def decrypt(self, ciphertext, output=None):
        """Decrypt a piece of data.
-        
+
        Args:
          ciphertext(bytes/bytearray/memoryview): The data to decrypt, of any size.
        Keyword Args:
@ -176,12 +206,12 @@ class ChaCha20Cipher(object):
                                                 offset
                                                 )
        if result:
-            raise ValueError("Error %d while seeking with ChaCha20" % result)
+            raise ValueError("Error %d while seeking with %s" % (result, self._name))


 def _derive_Poly1305_key_pair(key, nonce):
    """Derive a tuple (r, s, nonce) for a Poly1305 MAC.
-    
+
    If nonce is ``None``, a new 12-byte nonce is generated.
    """

@ -209,14 +239,16 @@ def _derive_Poly1305_key_pair(key, nonce):


 def new(**kwargs):
-    """Create a new ChaCha20 cipher
+    """Create a new ChaCha20 or XChaCha20 cipher

    Keyword Args:
        key (bytes/bytearray/memoryview): The secret key to use.
            It must be 32 bytes long.
        nonce (bytes/bytearray/memoryview): A mandatory value that
            must never be reused for any other encryption
-            done with this key. It must be 8 or 12 bytes long.
+            done with this key.
+            For ChaCha20, it must be 8 or 12 bytes long.
+            For XChaCha20, it must be 24 bytes long.

            If not provided, 8 bytes will be randomly generated
            (you can find them back in the ``nonce`` attribute).
@ -234,9 +266,10 @@ def new(**kwargs):
        nonce = get_random_bytes(8)

    if len(key) != 32:
-        raise ValueError("ChaCha20 key must be 32 bytes long")
-    if len(nonce) not in (8, 12):
-        raise ValueError("ChaCha20 nonce must be 8 or 12 bytes long")
+        raise ValueError("ChaCha20/XChaCha20 key must be 32 bytes long")
+
+    if len(nonce) not in (8, 12, 24):
+        raise ValueError("Nonce must be 8/12 bytes(ChaCha20) or 24 bytes (XChaCha20)")

    if kwargs:
        raise TypeError("Unknown parameters: " + str(kwargs))