From 31ac12e004dd169f47c2d575abad77fd9fedd4e4 Mon Sep 17 00:00:00 2001 From: Daniel King Date: Tue, 17 May 2016 14:43:01 -0300 Subject: [PATCH] Implement AEAD-ChaCha20-Poly1305. This implementation is based off the description in RFC 7539. The ChaCha20 code is also updated to provide a means of generating keystream blocks with arbitrary counter values. This is used to generated the one-time Poly1305 key in the AEAD construction. --- include/mbedtls/aead_chacha20_poly1305.h | 224 +++++++++ include/mbedtls/chacha20.h | 21 + include/mbedtls/config.h | 23 + include/mbedtls/error.h | 1 + library/CMakeLists.txt | 1 + library/Makefile | 3 +- library/aead_chacha20_poly1305.c | 463 ++++++++++++++++++ library/chacha20.c | 96 ++-- library/error.c | 11 + library/version_features.c | 3 + scripts/generate_errors.pl | 3 +- tests/CMakeLists.txt | 1 + tests/Makefile | 8 +- .../test_suite_aead_chacha20_poly1305.data | 19 + ...test_suite_aead_chacha20_poly1305.function | 109 +++++ 15 files changed, 954 insertions(+), 32 deletions(-) create mode 100644 include/mbedtls/aead_chacha20_poly1305.h create mode 100644 library/aead_chacha20_poly1305.c create mode 100644 tests/suites/test_suite_aead_chacha20_poly1305.data create mode 100644 tests/suites/test_suite_aead_chacha20_poly1305.function diff --git a/include/mbedtls/aead_chacha20_poly1305.h b/include/mbedtls/aead_chacha20_poly1305.h new file mode 100644 index 000000000..a1ccf319e --- /dev/null +++ b/include/mbedtls/aead_chacha20_poly1305.h @@ -0,0 +1,224 @@ +/** + * \file aead_chacha20_poly1305.h + * + * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539. + * + * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ +#ifndef MBEDTLS_AEAD_CHACHA20_POLY1305_H +#define MBEDTLS_AEAD_CHACHA20_POLY1305_H + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#if !defined(MBEDTLS_AEAD_CHACHA20_POLY1305_ALT) + +#include "chacha20.h" +#include "poly1305.h" + +#define MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA -0x00047 /**< Invalid input parameter(s). */ +#define MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE -0x00049 /**< The requested operation is not permitted in the current state */ + +typedef enum +{ + MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT, + MBEDTLS_AEAD_CHACHA20_POLY1305_DECRYPT +} +mbedtls_aead_chacha20_poly1305_mode_t; + +typedef struct +{ + mbedtls_chacha20_context chacha20_ctx; /** ChaCha20 context */ + mbedtls_poly1305_context poly1305_ctx; /** Poly1305 context */ + uint64_t aad_len; /** Length (bytes) of the Additional Authenticated Data */ + uint64_t ciphertext_len; /** Length (bytes) of the ciphertext */ + int state; /** Current state of the context */ + mbedtls_aead_chacha20_poly1305_mode_t mode; /** Cipher mode (encrypt or decrypt) */ +} +mbedtls_aead_chacha20_poly1305_context; + +/** + * \brief Initialize ChaCha20-Poly1305 context + * + * \param ctx ChaCha20-Poly1305 context to be initialized + */ +void mbedtls_aead_chacha20_poly1305_init( mbedtls_aead_chacha20_poly1305_context *ctx ); + +/** + * \brief Clear ChaCha20-Poly1305 context + * + * \param ctx ChaCha20-Poly1305 context to be cleared + */ +void mbedtls_aead_chacha20_poly1305_free( mbedtls_aead_chacha20_poly1305_context *ctx ); + +/** + * \brief Set the ChaCha20-Poly1305 symmetric encryption key. + * + * \param ctx The ChaCha20-Poly1305 context. + * \param key The 256-bit (32 bytes) key. + * + * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned + * if \p ctx or \p key are NULL. + * Otherwise, 0 is returned to indicate success. + */ +int mbedtls_aead_chacha20_poly1305_setkey( mbedtls_aead_chacha20_poly1305_context *ctx, + const unsigned char key[32] ); + +/** + * \brief Setup ChaCha20-Poly1305 context for encryption or decryption. + * + * \note If the context is being used for AAD only (no data to + * encrypt or decrypt) then \p mode can be set to any value. + * + * \param ctx The ChaCha20-Poly1305 context. + * \param nonce The nonce/IV to use for the message. This must be unique + * for every message encrypted under the same key. + * \param mode Specifies whether the context is used to encrypt or + * decrypt data. + * + * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned + * if \p ctx or \p mac are NULL. + * Otherwise, 0 is returned to indicate success. + */ +int mbedtls_aead_chacha20_poly1305_starts( mbedtls_aead_chacha20_poly1305_context *ctx, + const unsigned char nonce[12], + mbedtls_aead_chacha20_poly1305_mode_t mode ); + +/** + * \brief Process additional authenticated data (AAD). + * + * This function processes data that is authenticated, but + * not encrypted. + * + * \note This function is called before data is encrypted/decrypted. + * I.e. call this function to process the AAD before calling + * mbedtls_aead_chacha20_poly1305_update. + * + * You may call this function multiple times to process + * an arbitrary amount of AAD. It is permitted to call + * this function 0 times, if no AAD is used. + * + * This function cannot be called any more if data has + * been processed by mbedtls_aead_chacha20_poly1305_update, + * or if the context has been finished. + * + * \param ctx The ChaCha20-Poly1305 context. + * \param aad_len The length (in bytes) of the AAD. The length has no + * restrictions. + * \param aad Buffer containing the AAD. + * + * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned + * if \p ctx or \p aad are NULL. + * MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE is returned if + * the context has not been setup, the context has been + * finished, or if the AAD has been finished. + * Otherwise, 0 is returned to indicate success. + */ +int mbedtls_aead_chacha20_poly1305_update_aad( mbedtls_aead_chacha20_poly1305_context *ctx, + size_t aad_len, + const unsigned char *aad ); + +/** + * \brief Encrypt/decrypt data. + * + * The direction (encryption or decryption) depends on the + * mode that was given when calling + * mbedtls_aead_chacha20_poly1305_starts. + * + * You may call this function multiple times to process + * an arbitrary amount of data. It is permitted to call + * this function 0 times, if no data is to be encrypted + * or decrypted. + * + * \param ctx The ChaCha20-Poly1305 context. + * \param len The length (in bytes) of the data to encrypt or decrypt. + * \param input Buffer containing the data to encrypt or decrypt. + * \param output Buffer to where the encrypted or decrypted data is written. + * + * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned + * if \p ctx, \p input, or \p output are NULL. + * MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE is returned if + * the context has not been setup, or if the context has been + * finished. + * Otherwise, 0 is returned to indicate success. + */ +int mbedtls_aead_chacha20_poly1305_update( mbedtls_aead_chacha20_poly1305_context *ctx, + size_t len, + const unsigned char *input, + unsigned char *output ); + +/** + * \brief Compute the ChaCha20-Poly1305 MAC. + * + * \param ctx The ChaCha20-Poly1305 context. + * \param mac Buffer to where the 128-bit (16 bytes) MAC is written. + * + * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned + * if \p ctx or \p mac are NULL. + * MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE is returned if + * the context has not been setup. + * Otherwise, 0 is returned to indicate success. + */ +int mbedtls_aead_chacha20_poly1305_finish( mbedtls_aead_chacha20_poly1305_context *ctx, + unsigned char mac[16] ); + +#else /* !MBEDTLS_AEAD_CHACHA20_POLY1305_ALT */ +#include "aead_chacha20_poly1305_alt.h" +#endif /* !MBEDTLS_AEAD_CHACHA20_POLY1305_ALT */ + +/** + * \brief Encrypt or decrypt data, and produce a MAC with ChaCha20-Poly1305. + * + * \param key The 256-bit (32 bytes) encryption key to use. + * \param nonce The 96-bit (12 bytes) nonce/IV to use. + * \param mode Specifies whether the data in the \p input buffer is to + * be encrypted or decrypted. If there is no data to encrypt + * or decrypt (i.e. \p ilen is 0) then the value of this + * parameter does not matter. + * \param aad_len The length (in bytes) of the AAD data to process. + * \param aad Buffer containing the additional authenticated data (AAD). + * \param ilen The length (in bytes) of the data to encrypt or decrypt. + * \param input Buffer containing the data to encrypt or decrypt. + * \param output Buffer to where the encrypted or decrypted data is written. + * \param mac Buffer to where the computed 128-bit (16 bytes) MAC is written. + * + * \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned + * if one or more of the required parameters are NULL. + * Otherwise, 0 is returned to indicate success. + */ +int mbedtls_aead_chacha20_poly1305_crypt_and_mac( const unsigned char key[32], + const unsigned char nonce[12], + mbedtls_aead_chacha20_poly1305_mode_t mode, + size_t aad_len, + const unsigned char *aad, + size_t ilen, + const unsigned char *input, + unsigned char *output, + unsigned char mac[16] ); + +/** + * \brief Checkup routine + * + * \return 0 if successful, or 1 if the test failed + */ +int mbedtls_aead_chacha20_poly1305_self_test( int verbose ); + +#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_H */ diff --git a/include/mbedtls/chacha20.h b/include/mbedtls/chacha20.h index d23618ee0..ab87f66b9 100644 --- a/include/mbedtls/chacha20.h +++ b/include/mbedtls/chacha20.h @@ -99,6 +99,27 @@ int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx, const unsigned char nonce[12], uint32_t counter ); +/** + * \brief Generates a block of keystream bytes for a specific counter value. + * + * This function uses the key and nonce previously set in + * the context (via mbedtls_chacha20_setkey and + * mbedtls_chacha20_starts), but ignores the previously + * set counter and uses the counter given as the parameter to + * this function. + * + * \param ctx The ChaCha20 context. This context is not modified. + * \param counter The counter value to use. + * \param keystream Buffer to where the generated keystream bytes are written. + * + * \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or keystream are + * NULL. + * Otherwise, 0 is returned to indicate success. + */ +int mbedtls_chacha20_keystream_block( const mbedtls_chacha20_context *ctx, + uint32_t counter, + unsigned char keystream[64] ); + /** * \brief Encrypt or decrypt data. * diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 7d0960a29..22d465cda 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -269,6 +269,7 @@ * digests and ciphers instead. * */ +//#define MBEDTLS_AEAD_CHACHA20_POLY1305_ALT //#define MBEDTLS_AES_ALT //#define MBEDTLS_ARC4_ALT //#define MBEDTLS_BLOWFISH_ALT @@ -1688,6 +1689,17 @@ */ #define MBEDTLS_AES_C +/** + * \def MBEDTLS_AEAD_CHACHA20_POLY1305_C + * + * Enable the ChaCha20-Poly1305 AEAD algorithm. + * + * Module: library/aead_chacha20_poly1305.c + * + * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C + */ +#define MBEDTLS_AEAD_CHACHA20_POLY1305_C + /** * \def MBEDTLS_ARC4_C * @@ -1837,6 +1849,16 @@ */ #define MBEDTLS_CAMELLIA_C +/** + * \def MBEDTLS_CHACHA20_C + * + * Enable the ChaCha20 block cipher. + * + * Module: library/chacha20.c + * Caller: library/aead_chacha20_poly1305.c + */ +#define MBEDTLS_CHACHA20_C + /** * \def MBEDTLS_CCM_C * @@ -2405,6 +2427,7 @@ * Enable the Poly1305 MAC algorithm. * * Module: library/poly1305.c + * Caller: library/aead_chacha20_poly1305.c */ #define MBEDTLS_POLY1305_C diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index feeda79ed..72b7f18ff 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -78,6 +78,7 @@ * SHA512 1 0x0039-0x0039 * CHACHA20 1 0x003B-0x003B * POLY1305 1 0x0041-0x0041 + * AEAD_CHACHA20_POLY1305 2 0x0047-0x0049 * * High-level module nr (3 bits - 0x0...-0x7...) * Name ID Nr of Errors diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 251b6c625..b8f663d9c 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -3,6 +3,7 @@ option(USE_SHARED_MBEDTLS_LIBRARY "Build mbed TLS shared library." OFF) option(LINK_WITH_PTHREAD "Explicitly link mbed TLS library to pthread." OFF) set(src_crypto + aead_chacha20_poly1305.c aes.c aesni.c arc4.c diff --git a/library/Makefile b/library/Makefile index 5fd693b25..de4bd5c42 100644 --- a/library/Makefile +++ b/library/Makefile @@ -47,7 +47,8 @@ ifdef WINDOWS_BUILD DLEXT=dll endif -OBJS_CRYPTO= aes.o aesni.o arc4.o \ +OBJS_CRYPTO= aead_chacha20_poly1305.o \ + aes.o aesni.o arc4.o \ asn1parse.o asn1write.o base64.o \ bignum.o blowfish.o camellia.o \ ccm.o chacha20.o \ diff --git a/library/aead_chacha20_poly1305.c b/library/aead_chacha20_poly1305.c new file mode 100644 index 000000000..ab29dfa1b --- /dev/null +++ b/library/aead_chacha20_poly1305.c @@ -0,0 +1,463 @@ +/** + * \file aead_chacha20_poly1305.c + * + * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539. + * + * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C) + +#include "mbedtls/aead_chacha20_poly1305.h" +#include + +#if defined(MBEDTLS_SELF_TEST) +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#else +#include +#define mbedtls_printf printf +#endif /* MBEDTLS_PLATFORM_C */ +#endif /* MBEDTLS_SELF_TEST */ + +#if !defined(MBEDTLS_AEAD_CHACHA20_POLY1305_ALT) + +#define AEAD_CHACHA20_POLY1305_STATE_INIT ( 0 ) +#define AEAD_CHACHA20_POLY1305_STATE_AAD ( 1 ) +#define AEAD_CHACHA20_POLY1305_STATE_CIPHERTEXT ( 2 ) /* Encrypting or decrypting */ +#define AEAD_CHACHA20_POLY1305_STATE_FINISHED ( 3 ) + +/* Implementation that should never be optimized out by the compiler */ +static void mbedtls_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + +/** + * \brief Adds padding bytes (zeroes) to pad the AAD for Poly1305. + * + * \param ctx The ChaCha20-Poly1305 context. + */ +static void mbedtls_aead_chacha20_poly1305_pad_aad( mbedtls_aead_chacha20_poly1305_context *ctx ) +{ + uint32_t partial_block_len = (uint32_t)( ctx->aad_len % 16U ); + unsigned char zeroes[15]; + + if ( partial_block_len > 0U ) + { + memset( zeroes, 0, sizeof(zeroes) ); + (void)mbedtls_poly1305_update( &ctx->poly1305_ctx, + 16U - partial_block_len, + zeroes ); + } +} + +/** + * \brief Adds padding bytes (zeroes) to pad the ciphertext for Poly1305. + * + * \param ctx The ChaCha20-Poly1305 context. + */ +static void mbedtls_aead_chacha20_poly1305_pad_ciphertext( mbedtls_aead_chacha20_poly1305_context *ctx ) +{ + uint32_t partial_block_len = (uint32_t)( ctx->ciphertext_len % 16U ); + unsigned char zeroes[15]; + + if ( partial_block_len > 0U ) + { + memset( zeroes, 0, sizeof(zeroes) ); + (void)mbedtls_poly1305_update( &ctx->poly1305_ctx, + 16U - partial_block_len, + zeroes ); + } +} + +void mbedtls_aead_chacha20_poly1305_init( mbedtls_aead_chacha20_poly1305_context *ctx ) +{ + if ( ctx != NULL ) + { + mbedtls_chacha20_init( &ctx->chacha20_ctx ); + mbedtls_poly1305_init( &ctx->poly1305_ctx ); + ctx->aad_len = 0U; + ctx->ciphertext_len = 0U; + ctx->state = AEAD_CHACHA20_POLY1305_STATE_INIT; + ctx->mode = MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT; + } +} + +void mbedtls_aead_chacha20_poly1305_free( mbedtls_aead_chacha20_poly1305_context *ctx ) +{ + if ( ctx != NULL ) + { + mbedtls_chacha20_free( &ctx->chacha20_ctx ); + mbedtls_poly1305_free( &ctx->poly1305_ctx ); + ctx->aad_len = 0U; + ctx->ciphertext_len = 0U; + ctx->state = AEAD_CHACHA20_POLY1305_STATE_INIT; + ctx->mode = MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT; + } +} + +int mbedtls_aead_chacha20_poly1305_setkey( mbedtls_aead_chacha20_poly1305_context *ctx, + const unsigned char key[32] ) +{ + int result; + + if ( ( ctx == NULL ) || ( key == NULL ) ) + { + return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA ); + } + + result = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key ); + + return( result ); +} + +int mbedtls_aead_chacha20_poly1305_starts( mbedtls_aead_chacha20_poly1305_context *ctx, + const unsigned char nonce[12], + mbedtls_aead_chacha20_poly1305_mode_t mode ) +{ + int result; + unsigned char poly1305_key[64]; + + if ( ( ctx == NULL ) || ( nonce == NULL ) ) + { + return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA ); + } + + result = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 1U ); + if ( result != 0 ) + goto cleanup; + + /* Generate the Poly1305 key by getting the ChaCha20 keystream output with counter = 0. + * Only the first 256-bits (32 bytes) of the key is used for Poly1305. + * The other 256 bits are discarded. + */ + result = mbedtls_chacha20_keystream_block( &ctx->chacha20_ctx, 0U, poly1305_key ); + if ( result != 0 ) + goto cleanup; + + result = mbedtls_poly1305_setkey( &ctx->poly1305_ctx, poly1305_key ); + + if ( result == 0 ) + { + ctx->aad_len = 0U; + ctx->ciphertext_len = 0U; + ctx->state = AEAD_CHACHA20_POLY1305_STATE_AAD; + ctx->mode = mode; + } + +cleanup: + mbedtls_zeroize( poly1305_key, 64U ); + return( result ); +} + +int mbedtls_aead_chacha20_poly1305_update_aad( mbedtls_aead_chacha20_poly1305_context *ctx, + size_t aad_len, + const unsigned char *aad ) +{ + if ( ( ctx == NULL ) || ( aad == NULL ) ) + { + return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA ); + } + else if ( ctx->state != AEAD_CHACHA20_POLY1305_STATE_AAD ) + { + return (MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE ); + } + + ctx->aad_len += aad_len; + + return ( mbedtls_poly1305_update( &ctx->poly1305_ctx, aad_len, aad ) ); +} + +int mbedtls_aead_chacha20_poly1305_update( mbedtls_aead_chacha20_poly1305_context *ctx, + size_t len, + const unsigned char *input, + unsigned char *output ) +{ + if ( ( ctx == NULL ) || ( input == NULL ) || ( output == NULL ) ) + { + return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA ); + } + else if ( ( ctx->state != AEAD_CHACHA20_POLY1305_STATE_AAD ) && + ( ctx->state != AEAD_CHACHA20_POLY1305_STATE_CIPHERTEXT ) ) + { + return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE ); + } + + if ( ctx->state == AEAD_CHACHA20_POLY1305_STATE_AAD ) + { + ctx->state = AEAD_CHACHA20_POLY1305_STATE_CIPHERTEXT; + + mbedtls_aead_chacha20_poly1305_pad_aad( ctx ); + } + + ctx->ciphertext_len += len; + + if ( ctx->mode == MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT ) + { + /* Note: the following functions return an error only if one or more of + * the input pointers are NULL. Since we have checked their validity + * above, we can safety ignore the return value. + */ + (void)mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output ); + (void)mbedtls_poly1305_update( &ctx->poly1305_ctx, len, output ); + } + else /* DECRYPT */ + { + (void)mbedtls_poly1305_update( &ctx->poly1305_ctx, len, input ); + (void)mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output ); + } + + return( 0 ); +} + +int mbedtls_aead_chacha20_poly1305_finish( mbedtls_aead_chacha20_poly1305_context *ctx, + unsigned char mac[16] ) +{ + unsigned char len_block[16]; + + if ( ( ctx == NULL ) || ( mac == NULL ) ) + { + return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA ); + } + else if ( ctx->state == AEAD_CHACHA20_POLY1305_STATE_INIT ) + { + return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE ); + } + + if ( ctx->state == AEAD_CHACHA20_POLY1305_STATE_AAD ) + { + mbedtls_aead_chacha20_poly1305_pad_aad( ctx ); + } + else if ( ctx->state == AEAD_CHACHA20_POLY1305_STATE_CIPHERTEXT ) + { + mbedtls_aead_chacha20_poly1305_pad_ciphertext( ctx ); + } + + ctx->state = AEAD_CHACHA20_POLY1305_STATE_FINISHED; + + /* The lengths of the AAD and ciphertext are processed by + * Poly1305 as the final 128-bit block, encoded as little-endian integers. + */ + len_block[0] = (unsigned char)ctx->aad_len; + len_block[1] = (unsigned char)( ctx->aad_len >> 8 ); + len_block[2] = (unsigned char)( ctx->aad_len >> 16 ); + len_block[3] = (unsigned char)( ctx->aad_len >> 24 ); + len_block[4] = (unsigned char)( ctx->aad_len >> 32 ); + len_block[5] = (unsigned char)( ctx->aad_len >> 40 ); + len_block[6] = (unsigned char)( ctx->aad_len >> 48 ); + len_block[7] = (unsigned char)( ctx->aad_len >> 56 ); + len_block[8] = (unsigned char)ctx->ciphertext_len; + len_block[9] = (unsigned char)( ctx->ciphertext_len >> 8 ); + len_block[10] = (unsigned char)( ctx->ciphertext_len >> 16 ); + len_block[11] = (unsigned char)( ctx->ciphertext_len >> 24 ); + len_block[12] = (unsigned char)( ctx->ciphertext_len >> 32 ); + len_block[13] = (unsigned char)( ctx->ciphertext_len >> 40 ); + len_block[14] = (unsigned char)( ctx->ciphertext_len >> 48 ); + len_block[15] = (unsigned char)( ctx->ciphertext_len >> 56 ); + + (void)mbedtls_poly1305_update( &ctx->poly1305_ctx, 16U, len_block ); + (void)mbedtls_poly1305_finish( &ctx->poly1305_ctx, mac ); + + return( 0 ); +} + +#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_ALT */ + +int mbedtls_aead_chacha20_poly1305_crypt_and_mac ( const unsigned char key[32], + const unsigned char nonce[12], + mbedtls_aead_chacha20_poly1305_mode_t mode, + size_t aad_len, + const unsigned char *aad, + size_t ilen, + const unsigned char *input, + unsigned char *output, + unsigned char mac[16] ) +{ + mbedtls_aead_chacha20_poly1305_context ctx; + int result; + + mbedtls_aead_chacha20_poly1305_init( &ctx ); + + result = mbedtls_aead_chacha20_poly1305_setkey( &ctx, key ); + if ( result != 0 ) + goto cleanup; + + result = mbedtls_aead_chacha20_poly1305_starts( &ctx, nonce, mode ); + if ( result != 0 ) + goto cleanup; + + result = mbedtls_aead_chacha20_poly1305_update_aad( &ctx, aad_len, aad ); + if ( result != 0 ) + goto cleanup; + + result = mbedtls_aead_chacha20_poly1305_update( &ctx, ilen, input, output ); + if ( result != 0 ) + goto cleanup; + + result = mbedtls_aead_chacha20_poly1305_finish( &ctx, mac ); + +cleanup: + mbedtls_aead_chacha20_poly1305_free( &ctx ); + return( result ); +} + +#if defined(MBEDTLS_SELF_TEST) + +static const unsigned char test_key[1][32] = +{ + { + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, + 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, + 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, + 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f + } +}; + +static const unsigned char test_nonce[1][12] = +{ + { + 0x07, 0x00, 0x00, 0x00, /* 32-bit common part */ + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 /* 64-bit IV */ + } +}; + +static const unsigned char test_aad[1][12] = +{ + { + 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, + 0xc4, 0xc5, 0xc6, 0xc7 + } +}; + +static const size_t test_aad_len[1] = +{ + 12U +}; + +static const unsigned char test_input[1][114] = +{ + { + 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61, + 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c, + 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20, + 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73, + 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39, + 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63, + 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66, + 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f, + 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20, + 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20, + 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75, + 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73, + 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f, + 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69, + 0x74, 0x2e + } +}; + +static const unsigned char test_output[1][114] = +{ + { + 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb, + 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2, + 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe, + 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6, + 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12, + 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b, + 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29, + 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36, + 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c, + 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58, + 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94, + 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc, + 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d, + 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b, + 0x61, 0x16 + } +}; + +static const size_t test_input_len[1] = +{ + 114U +}; + +static const unsigned char test_mac[1][16] = +{ + { + 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a, + 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91 + } +}; + +int mbedtls_aead_chacha20_poly1305_self_test( int verbose ) +{ + size_t i; + int result; + unsigned char output[200]; + unsigned char mac[16]; + + for ( i = 0U; i < 1U; i++ ) + { + result = mbedtls_aead_chacha20_poly1305_crypt_and_mac( test_key[i], + test_nonce[i], + MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT, + test_aad_len[i], + test_aad[i], + test_input_len[i], + test_input[i], + output, + mac ); + if ( result != 0 ) + { + if ( verbose != 0 ) + { + mbedtls_printf( "ChaCha20-Poly1305 test %zi error code: %i\n", i, result ); + } + return( -1 ); + } + + if ( memcmp( output, test_output[i], test_input_len[i] ) != 0 ) + { + if ( verbose != 0 ) + { + mbedtls_printf( "ChaCha20-Poly1305 test %zi failure (wrong output)\n", i ); + } + return( -1 ); + } + + if ( memcmp( mac, test_mac[i], 16U ) != 0 ) + { + if ( verbose != 0 ) + { + mbedtls_printf( "ChaCha20-Poly1305 test %zi failure (wrong MAC)\n", i ); + } + return( -1 ); + } + } + + return( 0 ); +} + +#endif /* MBEDTLS_SELF_TEST */ + +#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_C */ diff --git a/library/chacha20.c b/library/chacha20.c index 8206a3bf0..b20c7ad55 100644 --- a/library/chacha20.c +++ b/library/chacha20.c @@ -134,46 +134,47 @@ static void mbedtls_chacha20_inner_block( uint32_t state[16] ) * \param working_state This state is used as a temporary working area. * \param keystream Generated keystream bytes are written to this buffer. */ -static void mbedtls_chacha20_block( mbedtls_chacha20_context *ctx, +static void mbedtls_chacha20_block( const uint32_t initial_state[16], + uint32_t working_state[16], unsigned char keystream[64] ) { size_t i; size_t offset; - memcpy( ctx->working_state, - ctx->initial_state, - sizeof(ctx->initial_state) ); + memcpy( working_state, + initial_state, + CHACHA20_BLOCK_SIZE_BYTES ); for ( i = 0U; i < 10U; i++ ) { - mbedtls_chacha20_inner_block( ctx->working_state ); + mbedtls_chacha20_inner_block( working_state ); } - ctx->working_state[0] += ctx->initial_state[0]; - ctx->working_state[1] += ctx->initial_state[1]; - ctx->working_state[2] += ctx->initial_state[2]; - ctx->working_state[3] += ctx->initial_state[3]; - ctx->working_state[4] += ctx->initial_state[4]; - ctx->working_state[5] += ctx->initial_state[5]; - ctx->working_state[6] += ctx->initial_state[6]; - ctx->working_state[7] += ctx->initial_state[7]; - ctx->working_state[8] += ctx->initial_state[8]; - ctx->working_state[9] += ctx->initial_state[9]; - ctx->working_state[10] += ctx->initial_state[10]; - ctx->working_state[11] += ctx->initial_state[11]; - ctx->working_state[12] += ctx->initial_state[12]; - ctx->working_state[13] += ctx->initial_state[13]; - ctx->working_state[14] += ctx->initial_state[14]; - ctx->working_state[15] += ctx->initial_state[15]; + working_state[0] += initial_state[0]; + working_state[1] += initial_state[1]; + working_state[2] += initial_state[2]; + working_state[3] += initial_state[3]; + working_state[4] += initial_state[4]; + working_state[5] += initial_state[5]; + working_state[6] += initial_state[6]; + working_state[7] += initial_state[7]; + working_state[8] += initial_state[8]; + working_state[9] += initial_state[9]; + working_state[10] += initial_state[10]; + working_state[11] += initial_state[11]; + working_state[12] += initial_state[12]; + working_state[13] += initial_state[13]; + working_state[14] += initial_state[14]; + working_state[15] += initial_state[15]; for ( i = 0U; i < 16; i++ ) { offset = i * 4U; - keystream[offset ] = (unsigned char) ctx->working_state[i]; - keystream[offset + 1U] = (unsigned char)( ctx->working_state[i] >> 8 ); - keystream[offset + 2U] = (unsigned char)( ctx->working_state[i] >> 16 ); - keystream[offset + 3U] = (unsigned char)( ctx->working_state[i] >> 24 ); + keystream[offset ] = (unsigned char) working_state[i]; + keystream[offset + 1U] = (unsigned char)( working_state[i] >> 8 ); + keystream[offset + 2U] = (unsigned char)( working_state[i] >> 16 ); + keystream[offset + 3U] = (unsigned char)( working_state[i] >> 24 ); } } @@ -245,6 +246,43 @@ int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx, return( 0 ); } +int mbedtls_chacha20_keystream_block( const mbedtls_chacha20_context *ctx, + uint32_t counter, + unsigned char keystream[64] ) +{ + uint32_t initial_state[16]; + uint32_t working_state[16]; + + if ( ( ctx == NULL ) || ( keystream == NULL ) ) + { + return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA ); + } + + initial_state[0] = ctx->initial_state[0]; + initial_state[1] = ctx->initial_state[1]; + initial_state[2] = ctx->initial_state[2]; + initial_state[3] = ctx->initial_state[3]; + initial_state[4] = ctx->initial_state[4]; + initial_state[5] = ctx->initial_state[5]; + initial_state[6] = ctx->initial_state[6]; + initial_state[7] = ctx->initial_state[7]; + initial_state[8] = ctx->initial_state[8]; + initial_state[9] = ctx->initial_state[9]; + initial_state[10] = ctx->initial_state[10]; + initial_state[11] = ctx->initial_state[11]; + initial_state[12] = counter; + initial_state[13] = ctx->initial_state[13]; + initial_state[14] = ctx->initial_state[14]; + initial_state[15] = ctx->initial_state[15]; + + mbedtls_chacha20_block( initial_state, working_state, keystream ); + + mbedtls_zeroize( initial_state, sizeof(initial_state) ); + mbedtls_zeroize( working_state, sizeof(working_state) ); + + return ( 0 ); +} + int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx, size_t size, const unsigned char *input, @@ -271,7 +309,7 @@ int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx, /* Process full blocks */ while ( size >= CHACHA20_BLOCK_SIZE_BYTES ) { - mbedtls_chacha20_block( ctx, &output[offset] ); + mbedtls_chacha20_block( ctx->initial_state, ctx->working_state, &output[offset] ); for ( i = 0U; i < 64U; i += 8U ) { @@ -288,14 +326,14 @@ int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx, /* Increment counter */ ctx->initial_state[CHACHA20_CTR_INDEX]++; - offset += 64U; - size -= 64U; + offset += CHACHA20_BLOCK_SIZE_BYTES; + size -= CHACHA20_BLOCK_SIZE_BYTES; } /* Last (partial) block */ if ( size > 0U ) { - mbedtls_chacha20_block( ctx, ctx->keystream8 ); + mbedtls_chacha20_block( ctx->initial_state, ctx->working_state, ctx->keystream8 ); for ( i = 0U; i < size; i++) { diff --git a/library/error.c b/library/error.c index 12bd2101b..d0a75ca5a 100644 --- a/library/error.c +++ b/library/error.c @@ -41,6 +41,10 @@ #include +#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C) +#include "mbedtls/aead_chacha20_poly1305.h" +#endif + #if defined(MBEDTLS_AES_C) #include "mbedtls/aes.h" #endif @@ -575,6 +579,13 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) // Low level error codes // // BEGIN generated code +#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C) + if( use_ret == -(MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA) ) + mbedtls_snprintf( buf, buflen, "AEAD_CHACHA20_POLY1305 - Invalid input parameter(s)" ); + if( use_ret == -(MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE) ) + mbedtls_snprintf( buf, buflen, "AEAD_CHACHA20_POLY1305 - The requested operation is not permitted in the current state" ); +#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_C */ + #if defined(MBEDTLS_AES_C) if( use_ret == -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH) ) mbedtls_snprintf( buf, buflen, "AES - Invalid key length" ); diff --git a/library/version_features.c b/library/version_features.c index babf2c782..64aa9f641 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -516,6 +516,9 @@ static const char *features[] = { #if defined(MBEDTLS_AES_C) "MBEDTLS_AES_C", #endif /* MBEDTLS_AES_C */ +#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C) + "MBEDTLS_AEAD_CHACHA20_POLY1305_C", +#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_C */ #if defined(MBEDTLS_ARC4_C) "MBEDTLS_ARC4_C", #endif /* MBEDTLS_ARC4_C */ diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl index 1dac39bf1..b5d141322 100755 --- a/scripts/generate_errors.pl +++ b/scripts/generate_errors.pl @@ -29,7 +29,7 @@ if( @ARGV ) { my $error_format_file = $data_dir.'/error.fmt'; -my @low_level_modules = qw( AES ARC4 ASN1 BASE64 BIGNUM BLOWFISH +my @low_level_modules = qw( AEAD_CHACHA20_POLY1305 AES ARC4 ASN1 BASE64 BIGNUM BLOWFISH CAMELLIA CCM CHACHA20 CMAC CTR_DRBG DES ENTROPY GCM HMAC_DRBG MD2 MD4 MD5 NET OID PADLOCK PBKDF2 POLY1305 RIPEMD160 @@ -88,6 +88,7 @@ foreach my $line (@matches) $module_name = "BIGNUM" if ($module_name eq "MPI"); $module_name = "CTR_DRBG" if ($module_name eq "CTR"); $module_name = "HMAC_DRBG" if ($module_name eq "HMAC"); + $module_name = "AEAD_CHACHA20_POLY1305" if ($module_name eq "AEAD"); my $define_name = $module_name; $define_name = "X509_USE,X509_CREATE" if ($define_name eq "X509"); diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 82f155419..03797ec32 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -44,6 +44,7 @@ if(MSVC) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX-") endif(MSVC) +add_test_suite(aead_chacha20_poly1305) add_test_suite(aes aes.ecb) add_test_suite(aes aes.cbc) add_test_suite(aes aes.cfb) diff --git a/tests/Makefile b/tests/Makefile index 90b2028f5..4a23e64cc 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -45,7 +45,8 @@ ifdef ZLIB LOCAL_LDFLAGS += -lz endif -APPS = test_suite_aes.ecb$(EXEXT) test_suite_aes.cbc$(EXEXT) \ +APPS = test_suite_aead_chacha20_poly1305$(EXEXT) \ + test_suite_aes.ecb$(EXEXT) test_suite_aes.cbc$(EXEXT) \ test_suite_aes.cfb$(EXEXT) test_suite_aes.rest$(EXEXT) \ test_suite_arc4$(EXEXT) test_suite_asn1write$(EXEXT) \ test_suite_base64$(EXEXT) test_suite_blowfish$(EXEXT) \ @@ -203,6 +204,11 @@ test_suite_hmac_drbg.pr.c : suites/test_suite_hmac_drbg.function suites/test_sui echo " Gen $@" perl scripts/generate_code.pl suites $* $* + +test_suite_aead_chacha20_poly1305$(EXEXT): test_suite_aead_chacha20_poly1305.c $(DEP) + echo " CC $<" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + test_suite_aes.ecb$(EXEXT): test_suite_aes.ecb.c $(DEP) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ diff --git a/tests/suites/test_suite_aead_chacha20_poly1305.data b/tests/suites/test_suite_aead_chacha20_poly1305.data new file mode 100644 index 000000000..1cbfa24da --- /dev/null +++ b/tests/suites/test_suite_aead_chacha20_poly1305.data @@ -0,0 +1,19 @@ +ChaCha20-Poly1305 RFC 7539 Example and Test Vector (Encrypt) +depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C +mbedtls_aead_chacha20_poly1305_enc:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"1ae10b594f09e26a7e902ecbd0600691" + +ChaCha20-Poly1305 RFC 7539 Example and Test Vector (Encrypt) +depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C +mbedtls_aead_chacha20_poly1305_dec:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"1ae10b594f09e26a7e902ecbd0600691" + +ChaCha20-Poly1305 RFC 7539 Test Vector #1 (Encrypt) +depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C +mbedtls_aead_chacha20_poly1305_enc:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"eead9d67890cbb22392336fea1851f38" + +ChaCha20-Poly1305 RFC 7539 Test Vector #1 (Decrypt) +depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C +mbedtls_aead_chacha20_poly1305_dec:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"eead9d67890cbb22392336fea1851f38" + +ChaCha20-Poly1305 Selftest +depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C:MBEDTLS_SELF_TEST +aead_chacha20_poly1305_selftest: diff --git a/tests/suites/test_suite_aead_chacha20_poly1305.function b/tests/suites/test_suite_aead_chacha20_poly1305.function new file mode 100644 index 000000000..6abd05414 --- /dev/null +++ b/tests/suites/test_suite_aead_chacha20_poly1305.function @@ -0,0 +1,109 @@ +/* BEGIN_HEADER */ +#include "mbedtls/aead_chacha20_poly1305.h" +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void mbedtls_aead_chacha20_poly1305_enc( char *hex_key_string, char *hex_nonce_string, char *hex_aad_string, char *hex_input_string, char *hex_output_string, char *hex_mac_string ) +{ + unsigned char key_str[32]; + unsigned char nonce_str[12]; + unsigned char aad_str[10000]; + unsigned char input_str[10000]; + unsigned char output_str[10000]; + unsigned char mac_str[16]; + unsigned char output[10000]; + unsigned char mac[16]; + size_t input_len; + size_t output_len; + size_t aad_len; + size_t key_len; + size_t nonce_len; + size_t mac_len; + + memset( key_str, 0x00, 32 ); + memset( nonce_str, 0x00, 12 ); + memset( aad_str, 0x00, 10000 ); + memset( input_str, 0x00, 10000 ); + memset( output_str, 0x00, 10000 ); + memset( mac_str, 0x00, 16 ); + + aad_len = unhexify( aad_str, hex_aad_string ); + input_len = unhexify( input_str, hex_input_string ); + output_len = unhexify( output_str, hex_output_string ); + key_len = unhexify( key_str, hex_key_string ); + nonce_len = unhexify( nonce_str, hex_nonce_string ); + mac_len = unhexify( mac_str, hex_mac_string ); + + TEST_ASSERT( key_len == 32 ); + TEST_ASSERT( nonce_len == 12 ); + TEST_ASSERT( mac_len == 16 ); + + mbedtls_aead_chacha20_poly1305_crypt_and_mac( key_str, nonce_str, + MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT, + aad_len, aad_str, + input_len, input_str, output, + mac ); + + TEST_ASSERT( memcmp( output_str, output, output_len ) == 0 ); + TEST_ASSERT( memcmp( mac_str, mac, 16U ) == 0 ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void mbedtls_aead_chacha20_poly1305_dec( char *hex_key_string, char *hex_nonce_string, char *hex_aad_string, char *hex_input_string, char *hex_output_string, char *hex_mac_string ) +{ + unsigned char key_str[32]; + unsigned char nonce_str[12]; + unsigned char aad_str[10000]; + unsigned char input_str[10000]; + unsigned char output_str[10000]; + unsigned char mac_str[16]; + unsigned char output[10000]; + unsigned char mac[16]; + size_t input_len; + size_t output_len; + size_t aad_len; + size_t key_len; + size_t nonce_len; + size_t mac_len; + + memset( key_str, 0x00, 32 ); + memset( nonce_str, 0x00, 12 ); + memset( aad_str, 0x00, 10000 ); + memset( input_str, 0x00, 10000 ); + memset( output_str, 0x00, 10000 ); + memset( mac_str, 0x00, 16 ); + + aad_len = unhexify( aad_str, hex_aad_string ); + input_len = unhexify( input_str, hex_input_string ); + output_len = unhexify( output_str, hex_output_string ); + key_len = unhexify( key_str, hex_key_string ); + nonce_len = unhexify( nonce_str, hex_nonce_string ); + mac_len = unhexify( mac_str, hex_mac_string ); + + TEST_ASSERT( key_len == 32 ); + TEST_ASSERT( nonce_len == 12 ); + TEST_ASSERT( mac_len == 16 ); + + mbedtls_aead_chacha20_poly1305_crypt_and_mac( key_str, nonce_str, + MBEDTLS_AEAD_CHACHA20_POLY1305_DECRYPT, + aad_len, aad_str, + input_len, input_str, output, + mac ); + + TEST_ASSERT( memcmp( output_str, output, output_len ) == 0 ); + TEST_ASSERT( memcmp( mac_str, mac, 16U ) == 0 ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ +void aead_chacha20_poly1305_selftest() +{ + TEST_ASSERT( mbedtls_aead_chacha20_poly1305_self_test( 1 ) == 0 ); +} +/* END_CASE */