Implement AEAD-ChaCha20-Poly1305.

This implementation is based off the description in RFC 7539.

The ChaCha20 code is also updated to provide a means of generating
keystream blocks with arbitrary counter values. This is used to
generated the one-time Poly1305 key in the AEAD construction.
This commit is contained in:
Daniel King 2016-05-17 14:43:01 -03:00 committed by Manuel Pégourié-Gonnard
parent 5d77eaa233
commit 31ac12e004
15 changed files with 954 additions and 32 deletions

View File

@ -0,0 +1,224 @@
/**
* \file aead_chacha20_poly1305.h
*
* \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
*
* Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_AEAD_CHACHA20_POLY1305_H
#define MBEDTLS_AEAD_CHACHA20_POLY1305_H
#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#if !defined(MBEDTLS_AEAD_CHACHA20_POLY1305_ALT)
#include "chacha20.h"
#include "poly1305.h"
#define MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA -0x00047 /**< Invalid input parameter(s). */
#define MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE -0x00049 /**< The requested operation is not permitted in the current state */
typedef enum
{
MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT,
MBEDTLS_AEAD_CHACHA20_POLY1305_DECRYPT
}
mbedtls_aead_chacha20_poly1305_mode_t;
typedef struct
{
mbedtls_chacha20_context chacha20_ctx; /** ChaCha20 context */
mbedtls_poly1305_context poly1305_ctx; /** Poly1305 context */
uint64_t aad_len; /** Length (bytes) of the Additional Authenticated Data */
uint64_t ciphertext_len; /** Length (bytes) of the ciphertext */
int state; /** Current state of the context */
mbedtls_aead_chacha20_poly1305_mode_t mode; /** Cipher mode (encrypt or decrypt) */
}
mbedtls_aead_chacha20_poly1305_context;
/**
* \brief Initialize ChaCha20-Poly1305 context
*
* \param ctx ChaCha20-Poly1305 context to be initialized
*/
void mbedtls_aead_chacha20_poly1305_init( mbedtls_aead_chacha20_poly1305_context *ctx );
/**
* \brief Clear ChaCha20-Poly1305 context
*
* \param ctx ChaCha20-Poly1305 context to be cleared
*/
void mbedtls_aead_chacha20_poly1305_free( mbedtls_aead_chacha20_poly1305_context *ctx );
/**
* \brief Set the ChaCha20-Poly1305 symmetric encryption key.
*
* \param ctx The ChaCha20-Poly1305 context.
* \param key The 256-bit (32 bytes) key.
*
* \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
* if \p ctx or \p key are NULL.
* Otherwise, 0 is returned to indicate success.
*/
int mbedtls_aead_chacha20_poly1305_setkey( mbedtls_aead_chacha20_poly1305_context *ctx,
const unsigned char key[32] );
/**
* \brief Setup ChaCha20-Poly1305 context for encryption or decryption.
*
* \note If the context is being used for AAD only (no data to
* encrypt or decrypt) then \p mode can be set to any value.
*
* \param ctx The ChaCha20-Poly1305 context.
* \param nonce The nonce/IV to use for the message. This must be unique
* for every message encrypted under the same key.
* \param mode Specifies whether the context is used to encrypt or
* decrypt data.
*
* \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
* if \p ctx or \p mac are NULL.
* Otherwise, 0 is returned to indicate success.
*/
int mbedtls_aead_chacha20_poly1305_starts( mbedtls_aead_chacha20_poly1305_context *ctx,
const unsigned char nonce[12],
mbedtls_aead_chacha20_poly1305_mode_t mode );
/**
* \brief Process additional authenticated data (AAD).
*
* This function processes data that is authenticated, but
* not encrypted.
*
* \note This function is called before data is encrypted/decrypted.
* I.e. call this function to process the AAD before calling
* mbedtls_aead_chacha20_poly1305_update.
*
* You may call this function multiple times to process
* an arbitrary amount of AAD. It is permitted to call
* this function 0 times, if no AAD is used.
*
* This function cannot be called any more if data has
* been processed by mbedtls_aead_chacha20_poly1305_update,
* or if the context has been finished.
*
* \param ctx The ChaCha20-Poly1305 context.
* \param aad_len The length (in bytes) of the AAD. The length has no
* restrictions.
* \param aad Buffer containing the AAD.
*
* \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
* if \p ctx or \p aad are NULL.
* MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE is returned if
* the context has not been setup, the context has been
* finished, or if the AAD has been finished.
* Otherwise, 0 is returned to indicate success.
*/
int mbedtls_aead_chacha20_poly1305_update_aad( mbedtls_aead_chacha20_poly1305_context *ctx,
size_t aad_len,
const unsigned char *aad );
/**
* \brief Encrypt/decrypt data.
*
* The direction (encryption or decryption) depends on the
* mode that was given when calling
* mbedtls_aead_chacha20_poly1305_starts.
*
* You may call this function multiple times to process
* an arbitrary amount of data. It is permitted to call
* this function 0 times, if no data is to be encrypted
* or decrypted.
*
* \param ctx The ChaCha20-Poly1305 context.
* \param len The length (in bytes) of the data to encrypt or decrypt.
* \param input Buffer containing the data to encrypt or decrypt.
* \param output Buffer to where the encrypted or decrypted data is written.
*
* \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
* if \p ctx, \p input, or \p output are NULL.
* MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE is returned if
* the context has not been setup, or if the context has been
* finished.
* Otherwise, 0 is returned to indicate success.
*/
int mbedtls_aead_chacha20_poly1305_update( mbedtls_aead_chacha20_poly1305_context *ctx,
size_t len,
const unsigned char *input,
unsigned char *output );
/**
* \brief Compute the ChaCha20-Poly1305 MAC.
*
* \param ctx The ChaCha20-Poly1305 context.
* \param mac Buffer to where the 128-bit (16 bytes) MAC is written.
*
* \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
* if \p ctx or \p mac are NULL.
* MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE is returned if
* the context has not been setup.
* Otherwise, 0 is returned to indicate success.
*/
int mbedtls_aead_chacha20_poly1305_finish( mbedtls_aead_chacha20_poly1305_context *ctx,
unsigned char mac[16] );
#else /* !MBEDTLS_AEAD_CHACHA20_POLY1305_ALT */
#include "aead_chacha20_poly1305_alt.h"
#endif /* !MBEDTLS_AEAD_CHACHA20_POLY1305_ALT */
/**
* \brief Encrypt or decrypt data, and produce a MAC with ChaCha20-Poly1305.
*
* \param key The 256-bit (32 bytes) encryption key to use.
* \param nonce The 96-bit (12 bytes) nonce/IV to use.
* \param mode Specifies whether the data in the \p input buffer is to
* be encrypted or decrypted. If there is no data to encrypt
* or decrypt (i.e. \p ilen is 0) then the value of this
* parameter does not matter.
* \param aad_len The length (in bytes) of the AAD data to process.
* \param aad Buffer containing the additional authenticated data (AAD).
* \param ilen The length (in bytes) of the data to encrypt or decrypt.
* \param input Buffer containing the data to encrypt or decrypt.
* \param output Buffer to where the encrypted or decrypted data is written.
* \param mac Buffer to where the computed 128-bit (16 bytes) MAC is written.
*
* \return MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA is returned
* if one or more of the required parameters are NULL.
* Otherwise, 0 is returned to indicate success.
*/
int mbedtls_aead_chacha20_poly1305_crypt_and_mac( const unsigned char key[32],
const unsigned char nonce[12],
mbedtls_aead_chacha20_poly1305_mode_t mode,
size_t aad_len,
const unsigned char *aad,
size_t ilen,
const unsigned char *input,
unsigned char *output,
unsigned char mac[16] );
/**
* \brief Checkup routine
*
* \return 0 if successful, or 1 if the test failed
*/
int mbedtls_aead_chacha20_poly1305_self_test( int verbose );
#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_H */

View File

@ -99,6 +99,27 @@ int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
const unsigned char nonce[12], const unsigned char nonce[12],
uint32_t counter ); uint32_t counter );
/**
* \brief Generates a block of keystream bytes for a specific counter value.
*
* This function uses the key and nonce previously set in
* the context (via mbedtls_chacha20_setkey and
* mbedtls_chacha20_starts), but ignores the previously
* set counter and uses the counter given as the parameter to
* this function.
*
* \param ctx The ChaCha20 context. This context is not modified.
* \param counter The counter value to use.
* \param keystream Buffer to where the generated keystream bytes are written.
*
* \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or keystream are
* NULL.
* Otherwise, 0 is returned to indicate success.
*/
int mbedtls_chacha20_keystream_block( const mbedtls_chacha20_context *ctx,
uint32_t counter,
unsigned char keystream[64] );
/** /**
* \brief Encrypt or decrypt data. * \brief Encrypt or decrypt data.
* *

View File

@ -269,6 +269,7 @@
* digests and ciphers instead. * digests and ciphers instead.
* *
*/ */
//#define MBEDTLS_AEAD_CHACHA20_POLY1305_ALT
//#define MBEDTLS_AES_ALT //#define MBEDTLS_AES_ALT
//#define MBEDTLS_ARC4_ALT //#define MBEDTLS_ARC4_ALT
//#define MBEDTLS_BLOWFISH_ALT //#define MBEDTLS_BLOWFISH_ALT
@ -1688,6 +1689,17 @@
*/ */
#define MBEDTLS_AES_C #define MBEDTLS_AES_C
/**
* \def MBEDTLS_AEAD_CHACHA20_POLY1305_C
*
* Enable the ChaCha20-Poly1305 AEAD algorithm.
*
* Module: library/aead_chacha20_poly1305.c
*
* This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
*/
#define MBEDTLS_AEAD_CHACHA20_POLY1305_C
/** /**
* \def MBEDTLS_ARC4_C * \def MBEDTLS_ARC4_C
* *
@ -1837,6 +1849,16 @@
*/ */
#define MBEDTLS_CAMELLIA_C #define MBEDTLS_CAMELLIA_C
/**
* \def MBEDTLS_CHACHA20_C
*
* Enable the ChaCha20 block cipher.
*
* Module: library/chacha20.c
* Caller: library/aead_chacha20_poly1305.c
*/
#define MBEDTLS_CHACHA20_C
/** /**
* \def MBEDTLS_CCM_C * \def MBEDTLS_CCM_C
* *
@ -2405,6 +2427,7 @@
* Enable the Poly1305 MAC algorithm. * Enable the Poly1305 MAC algorithm.
* *
* Module: library/poly1305.c * Module: library/poly1305.c
* Caller: library/aead_chacha20_poly1305.c
*/ */
#define MBEDTLS_POLY1305_C #define MBEDTLS_POLY1305_C

View File

@ -78,6 +78,7 @@
* SHA512 1 0x0039-0x0039 * SHA512 1 0x0039-0x0039
* CHACHA20 1 0x003B-0x003B * CHACHA20 1 0x003B-0x003B
* POLY1305 1 0x0041-0x0041 * POLY1305 1 0x0041-0x0041
* AEAD_CHACHA20_POLY1305 2 0x0047-0x0049
* *
* High-level module nr (3 bits - 0x0...-0x7...) * High-level module nr (3 bits - 0x0...-0x7...)
* Name ID Nr of Errors * Name ID Nr of Errors

View File

@ -3,6 +3,7 @@ option(USE_SHARED_MBEDTLS_LIBRARY "Build mbed TLS shared library." OFF)
option(LINK_WITH_PTHREAD "Explicitly link mbed TLS library to pthread." OFF) option(LINK_WITH_PTHREAD "Explicitly link mbed TLS library to pthread." OFF)
set(src_crypto set(src_crypto
aead_chacha20_poly1305.c
aes.c aes.c
aesni.c aesni.c
arc4.c arc4.c

View File

@ -47,7 +47,8 @@ ifdef WINDOWS_BUILD
DLEXT=dll DLEXT=dll
endif endif
OBJS_CRYPTO= aes.o aesni.o arc4.o \ OBJS_CRYPTO= aead_chacha20_poly1305.o \
aes.o aesni.o arc4.o \
asn1parse.o asn1write.o base64.o \ asn1parse.o asn1write.o base64.o \
bignum.o blowfish.o camellia.o \ bignum.o blowfish.o camellia.o \
ccm.o chacha20.o \ ccm.o chacha20.o \

View File

@ -0,0 +1,463 @@
/**
* \file aead_chacha20_poly1305.c
*
* \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
*
* Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
#include "mbedtls/aead_chacha20_poly1305.h"
#include <string.h>
#if defined(MBEDTLS_SELF_TEST)
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdio.h>
#define mbedtls_printf printf
#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_AEAD_CHACHA20_POLY1305_ALT)
#define AEAD_CHACHA20_POLY1305_STATE_INIT ( 0 )
#define AEAD_CHACHA20_POLY1305_STATE_AAD ( 1 )
#define AEAD_CHACHA20_POLY1305_STATE_CIPHERTEXT ( 2 ) /* Encrypting or decrypting */
#define AEAD_CHACHA20_POLY1305_STATE_FINISHED ( 3 )
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}
/**
* \brief Adds padding bytes (zeroes) to pad the AAD for Poly1305.
*
* \param ctx The ChaCha20-Poly1305 context.
*/
static void mbedtls_aead_chacha20_poly1305_pad_aad( mbedtls_aead_chacha20_poly1305_context *ctx )
{
uint32_t partial_block_len = (uint32_t)( ctx->aad_len % 16U );
unsigned char zeroes[15];
if ( partial_block_len > 0U )
{
memset( zeroes, 0, sizeof(zeroes) );
(void)mbedtls_poly1305_update( &ctx->poly1305_ctx,
16U - partial_block_len,
zeroes );
}
}
/**
* \brief Adds padding bytes (zeroes) to pad the ciphertext for Poly1305.
*
* \param ctx The ChaCha20-Poly1305 context.
*/
static void mbedtls_aead_chacha20_poly1305_pad_ciphertext( mbedtls_aead_chacha20_poly1305_context *ctx )
{
uint32_t partial_block_len = (uint32_t)( ctx->ciphertext_len % 16U );
unsigned char zeroes[15];
if ( partial_block_len > 0U )
{
memset( zeroes, 0, sizeof(zeroes) );
(void)mbedtls_poly1305_update( &ctx->poly1305_ctx,
16U - partial_block_len,
zeroes );
}
}
void mbedtls_aead_chacha20_poly1305_init( mbedtls_aead_chacha20_poly1305_context *ctx )
{
if ( ctx != NULL )
{
mbedtls_chacha20_init( &ctx->chacha20_ctx );
mbedtls_poly1305_init( &ctx->poly1305_ctx );
ctx->aad_len = 0U;
ctx->ciphertext_len = 0U;
ctx->state = AEAD_CHACHA20_POLY1305_STATE_INIT;
ctx->mode = MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT;
}
}
void mbedtls_aead_chacha20_poly1305_free( mbedtls_aead_chacha20_poly1305_context *ctx )
{
if ( ctx != NULL )
{
mbedtls_chacha20_free( &ctx->chacha20_ctx );
mbedtls_poly1305_free( &ctx->poly1305_ctx );
ctx->aad_len = 0U;
ctx->ciphertext_len = 0U;
ctx->state = AEAD_CHACHA20_POLY1305_STATE_INIT;
ctx->mode = MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT;
}
}
int mbedtls_aead_chacha20_poly1305_setkey( mbedtls_aead_chacha20_poly1305_context *ctx,
const unsigned char key[32] )
{
int result;
if ( ( ctx == NULL ) || ( key == NULL ) )
{
return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA );
}
result = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key );
return( result );
}
int mbedtls_aead_chacha20_poly1305_starts( mbedtls_aead_chacha20_poly1305_context *ctx,
const unsigned char nonce[12],
mbedtls_aead_chacha20_poly1305_mode_t mode )
{
int result;
unsigned char poly1305_key[64];
if ( ( ctx == NULL ) || ( nonce == NULL ) )
{
return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA );
}
result = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 1U );
if ( result != 0 )
goto cleanup;
/* Generate the Poly1305 key by getting the ChaCha20 keystream output with counter = 0.
* Only the first 256-bits (32 bytes) of the key is used for Poly1305.
* The other 256 bits are discarded.
*/
result = mbedtls_chacha20_keystream_block( &ctx->chacha20_ctx, 0U, poly1305_key );
if ( result != 0 )
goto cleanup;
result = mbedtls_poly1305_setkey( &ctx->poly1305_ctx, poly1305_key );
if ( result == 0 )
{
ctx->aad_len = 0U;
ctx->ciphertext_len = 0U;
ctx->state = AEAD_CHACHA20_POLY1305_STATE_AAD;
ctx->mode = mode;
}
cleanup:
mbedtls_zeroize( poly1305_key, 64U );
return( result );
}
int mbedtls_aead_chacha20_poly1305_update_aad( mbedtls_aead_chacha20_poly1305_context *ctx,
size_t aad_len,
const unsigned char *aad )
{
if ( ( ctx == NULL ) || ( aad == NULL ) )
{
return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA );
}
else if ( ctx->state != AEAD_CHACHA20_POLY1305_STATE_AAD )
{
return (MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE );
}
ctx->aad_len += aad_len;
return ( mbedtls_poly1305_update( &ctx->poly1305_ctx, aad_len, aad ) );
}
int mbedtls_aead_chacha20_poly1305_update( mbedtls_aead_chacha20_poly1305_context *ctx,
size_t len,
const unsigned char *input,
unsigned char *output )
{
if ( ( ctx == NULL ) || ( input == NULL ) || ( output == NULL ) )
{
return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA );
}
else if ( ( ctx->state != AEAD_CHACHA20_POLY1305_STATE_AAD ) &&
( ctx->state != AEAD_CHACHA20_POLY1305_STATE_CIPHERTEXT ) )
{
return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE );
}
if ( ctx->state == AEAD_CHACHA20_POLY1305_STATE_AAD )
{
ctx->state = AEAD_CHACHA20_POLY1305_STATE_CIPHERTEXT;
mbedtls_aead_chacha20_poly1305_pad_aad( ctx );
}
ctx->ciphertext_len += len;
if ( ctx->mode == MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT )
{
/* Note: the following functions return an error only if one or more of
* the input pointers are NULL. Since we have checked their validity
* above, we can safety ignore the return value.
*/
(void)mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
(void)mbedtls_poly1305_update( &ctx->poly1305_ctx, len, output );
}
else /* DECRYPT */
{
(void)mbedtls_poly1305_update( &ctx->poly1305_ctx, len, input );
(void)mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
}
return( 0 );
}
int mbedtls_aead_chacha20_poly1305_finish( mbedtls_aead_chacha20_poly1305_context *ctx,
unsigned char mac[16] )
{
unsigned char len_block[16];
if ( ( ctx == NULL ) || ( mac == NULL ) )
{
return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA );
}
else if ( ctx->state == AEAD_CHACHA20_POLY1305_STATE_INIT )
{
return( MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE );
}
if ( ctx->state == AEAD_CHACHA20_POLY1305_STATE_AAD )
{
mbedtls_aead_chacha20_poly1305_pad_aad( ctx );
}
else if ( ctx->state == AEAD_CHACHA20_POLY1305_STATE_CIPHERTEXT )
{
mbedtls_aead_chacha20_poly1305_pad_ciphertext( ctx );
}
ctx->state = AEAD_CHACHA20_POLY1305_STATE_FINISHED;
/* The lengths of the AAD and ciphertext are processed by
* Poly1305 as the final 128-bit block, encoded as little-endian integers.
*/
len_block[0] = (unsigned char)ctx->aad_len;
len_block[1] = (unsigned char)( ctx->aad_len >> 8 );
len_block[2] = (unsigned char)( ctx->aad_len >> 16 );
len_block[3] = (unsigned char)( ctx->aad_len >> 24 );
len_block[4] = (unsigned char)( ctx->aad_len >> 32 );
len_block[5] = (unsigned char)( ctx->aad_len >> 40 );
len_block[6] = (unsigned char)( ctx->aad_len >> 48 );
len_block[7] = (unsigned char)( ctx->aad_len >> 56 );
len_block[8] = (unsigned char)ctx->ciphertext_len;
len_block[9] = (unsigned char)( ctx->ciphertext_len >> 8 );
len_block[10] = (unsigned char)( ctx->ciphertext_len >> 16 );
len_block[11] = (unsigned char)( ctx->ciphertext_len >> 24 );
len_block[12] = (unsigned char)( ctx->ciphertext_len >> 32 );
len_block[13] = (unsigned char)( ctx->ciphertext_len >> 40 );
len_block[14] = (unsigned char)( ctx->ciphertext_len >> 48 );
len_block[15] = (unsigned char)( ctx->ciphertext_len >> 56 );
(void)mbedtls_poly1305_update( &ctx->poly1305_ctx, 16U, len_block );
(void)mbedtls_poly1305_finish( &ctx->poly1305_ctx, mac );
return( 0 );
}
#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_ALT */
int mbedtls_aead_chacha20_poly1305_crypt_and_mac ( const unsigned char key[32],
const unsigned char nonce[12],
mbedtls_aead_chacha20_poly1305_mode_t mode,
size_t aad_len,
const unsigned char *aad,
size_t ilen,
const unsigned char *input,
unsigned char *output,
unsigned char mac[16] )
{
mbedtls_aead_chacha20_poly1305_context ctx;
int result;
mbedtls_aead_chacha20_poly1305_init( &ctx );
result = mbedtls_aead_chacha20_poly1305_setkey( &ctx, key );
if ( result != 0 )
goto cleanup;
result = mbedtls_aead_chacha20_poly1305_starts( &ctx, nonce, mode );
if ( result != 0 )
goto cleanup;
result = mbedtls_aead_chacha20_poly1305_update_aad( &ctx, aad_len, aad );
if ( result != 0 )
goto cleanup;
result = mbedtls_aead_chacha20_poly1305_update( &ctx, ilen, input, output );
if ( result != 0 )
goto cleanup;
result = mbedtls_aead_chacha20_poly1305_finish( &ctx, mac );
cleanup:
mbedtls_aead_chacha20_poly1305_free( &ctx );
return( result );
}
#if defined(MBEDTLS_SELF_TEST)
static const unsigned char test_key[1][32] =
{
{
0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
}
};
static const unsigned char test_nonce[1][12] =
{
{
0x07, 0x00, 0x00, 0x00, /* 32-bit common part */
0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 /* 64-bit IV */
}
};
static const unsigned char test_aad[1][12] =
{
{
0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
0xc4, 0xc5, 0xc6, 0xc7
}
};
static const size_t test_aad_len[1] =
{
12U
};
static const unsigned char test_input[1][114] =
{
{
0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
0x74, 0x2e
}
};
static const unsigned char test_output[1][114] =
{
{
0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
0x61, 0x16
}
};
static const size_t test_input_len[1] =
{
114U
};
static const unsigned char test_mac[1][16] =
{
{
0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
}
};
int mbedtls_aead_chacha20_poly1305_self_test( int verbose )
{
size_t i;
int result;
unsigned char output[200];
unsigned char mac[16];
for ( i = 0U; i < 1U; i++ )
{
result = mbedtls_aead_chacha20_poly1305_crypt_and_mac( test_key[i],
test_nonce[i],
MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT,
test_aad_len[i],
test_aad[i],
test_input_len[i],
test_input[i],
output,
mac );
if ( result != 0 )
{
if ( verbose != 0 )
{
mbedtls_printf( "ChaCha20-Poly1305 test %zi error code: %i\n", i, result );
}
return( -1 );
}
if ( memcmp( output, test_output[i], test_input_len[i] ) != 0 )
{
if ( verbose != 0 )
{
mbedtls_printf( "ChaCha20-Poly1305 test %zi failure (wrong output)\n", i );
}
return( -1 );
}
if ( memcmp( mac, test_mac[i], 16U ) != 0 )
{
if ( verbose != 0 )
{
mbedtls_printf( "ChaCha20-Poly1305 test %zi failure (wrong MAC)\n", i );
}
return( -1 );
}
}
return( 0 );
}
#endif /* MBEDTLS_SELF_TEST */
#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_C */

View File

@ -134,46 +134,47 @@ static void mbedtls_chacha20_inner_block( uint32_t state[16] )
* \param working_state This state is used as a temporary working area. * \param working_state This state is used as a temporary working area.
* \param keystream Generated keystream bytes are written to this buffer. * \param keystream Generated keystream bytes are written to this buffer.
*/ */
static void mbedtls_chacha20_block( mbedtls_chacha20_context *ctx, static void mbedtls_chacha20_block( const uint32_t initial_state[16],
uint32_t working_state[16],
unsigned char keystream[64] ) unsigned char keystream[64] )
{ {
size_t i; size_t i;
size_t offset; size_t offset;
memcpy( ctx->working_state, memcpy( working_state,
ctx->initial_state, initial_state,
sizeof(ctx->initial_state) ); CHACHA20_BLOCK_SIZE_BYTES );
for ( i = 0U; i < 10U; i++ ) for ( i = 0U; i < 10U; i++ )
{ {
mbedtls_chacha20_inner_block( ctx->working_state ); mbedtls_chacha20_inner_block( working_state );
} }
ctx->working_state[0] += ctx->initial_state[0]; working_state[0] += initial_state[0];
ctx->working_state[1] += ctx->initial_state[1]; working_state[1] += initial_state[1];
ctx->working_state[2] += ctx->initial_state[2]; working_state[2] += initial_state[2];
ctx->working_state[3] += ctx->initial_state[3]; working_state[3] += initial_state[3];
ctx->working_state[4] += ctx->initial_state[4]; working_state[4] += initial_state[4];
ctx->working_state[5] += ctx->initial_state[5]; working_state[5] += initial_state[5];
ctx->working_state[6] += ctx->initial_state[6]; working_state[6] += initial_state[6];
ctx->working_state[7] += ctx->initial_state[7]; working_state[7] += initial_state[7];
ctx->working_state[8] += ctx->initial_state[8]; working_state[8] += initial_state[8];
ctx->working_state[9] += ctx->initial_state[9]; working_state[9] += initial_state[9];
ctx->working_state[10] += ctx->initial_state[10]; working_state[10] += initial_state[10];
ctx->working_state[11] += ctx->initial_state[11]; working_state[11] += initial_state[11];
ctx->working_state[12] += ctx->initial_state[12]; working_state[12] += initial_state[12];
ctx->working_state[13] += ctx->initial_state[13]; working_state[13] += initial_state[13];
ctx->working_state[14] += ctx->initial_state[14]; working_state[14] += initial_state[14];
ctx->working_state[15] += ctx->initial_state[15]; working_state[15] += initial_state[15];
for ( i = 0U; i < 16; i++ ) for ( i = 0U; i < 16; i++ )
{ {
offset = i * 4U; offset = i * 4U;
keystream[offset ] = (unsigned char) ctx->working_state[i]; keystream[offset ] = (unsigned char) working_state[i];
keystream[offset + 1U] = (unsigned char)( ctx->working_state[i] >> 8 ); keystream[offset + 1U] = (unsigned char)( working_state[i] >> 8 );
keystream[offset + 2U] = (unsigned char)( ctx->working_state[i] >> 16 ); keystream[offset + 2U] = (unsigned char)( working_state[i] >> 16 );
keystream[offset + 3U] = (unsigned char)( ctx->working_state[i] >> 24 ); keystream[offset + 3U] = (unsigned char)( working_state[i] >> 24 );
} }
} }
@ -245,6 +246,43 @@ int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
return( 0 ); return( 0 );
} }
int mbedtls_chacha20_keystream_block( const mbedtls_chacha20_context *ctx,
uint32_t counter,
unsigned char keystream[64] )
{
uint32_t initial_state[16];
uint32_t working_state[16];
if ( ( ctx == NULL ) || ( keystream == NULL ) )
{
return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
}
initial_state[0] = ctx->initial_state[0];
initial_state[1] = ctx->initial_state[1];
initial_state[2] = ctx->initial_state[2];
initial_state[3] = ctx->initial_state[3];
initial_state[4] = ctx->initial_state[4];
initial_state[5] = ctx->initial_state[5];
initial_state[6] = ctx->initial_state[6];
initial_state[7] = ctx->initial_state[7];
initial_state[8] = ctx->initial_state[8];
initial_state[9] = ctx->initial_state[9];
initial_state[10] = ctx->initial_state[10];
initial_state[11] = ctx->initial_state[11];
initial_state[12] = counter;
initial_state[13] = ctx->initial_state[13];
initial_state[14] = ctx->initial_state[14];
initial_state[15] = ctx->initial_state[15];
mbedtls_chacha20_block( initial_state, working_state, keystream );
mbedtls_zeroize( initial_state, sizeof(initial_state) );
mbedtls_zeroize( working_state, sizeof(working_state) );
return ( 0 );
}
int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx, int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
size_t size, size_t size,
const unsigned char *input, const unsigned char *input,
@ -271,7 +309,7 @@ int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
/* Process full blocks */ /* Process full blocks */
while ( size >= CHACHA20_BLOCK_SIZE_BYTES ) while ( size >= CHACHA20_BLOCK_SIZE_BYTES )
{ {
mbedtls_chacha20_block( ctx, &output[offset] ); mbedtls_chacha20_block( ctx->initial_state, ctx->working_state, &output[offset] );
for ( i = 0U; i < 64U; i += 8U ) for ( i = 0U; i < 64U; i += 8U )
{ {
@ -288,14 +326,14 @@ int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
/* Increment counter */ /* Increment counter */
ctx->initial_state[CHACHA20_CTR_INDEX]++; ctx->initial_state[CHACHA20_CTR_INDEX]++;
offset += 64U; offset += CHACHA20_BLOCK_SIZE_BYTES;
size -= 64U; size -= CHACHA20_BLOCK_SIZE_BYTES;
} }
/* Last (partial) block */ /* Last (partial) block */
if ( size > 0U ) if ( size > 0U )
{ {
mbedtls_chacha20_block( ctx, ctx->keystream8 ); mbedtls_chacha20_block( ctx->initial_state, ctx->working_state, ctx->keystream8 );
for ( i = 0U; i < size; i++) for ( i = 0U; i < size; i++)
{ {

View File

@ -41,6 +41,10 @@
#include <stdio.h> #include <stdio.h>
#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
#include "mbedtls/aead_chacha20_poly1305.h"
#endif
#if defined(MBEDTLS_AES_C) #if defined(MBEDTLS_AES_C)
#include "mbedtls/aes.h" #include "mbedtls/aes.h"
#endif #endif
@ -575,6 +579,13 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
// Low level error codes // Low level error codes
// //
// BEGIN generated code // BEGIN generated code
#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
if( use_ret == -(MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_INPUT_DATA) )
mbedtls_snprintf( buf, buflen, "AEAD_CHACHA20_POLY1305 - Invalid input parameter(s)" );
if( use_ret == -(MBEDTLS_ERR_AEAD_CHACHA20_POLY1305_BAD_STATE) )
mbedtls_snprintf( buf, buflen, "AEAD_CHACHA20_POLY1305 - The requested operation is not permitted in the current state" );
#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_C */
#if defined(MBEDTLS_AES_C) #if defined(MBEDTLS_AES_C)
if( use_ret == -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH) ) if( use_ret == -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH) )
mbedtls_snprintf( buf, buflen, "AES - Invalid key length" ); mbedtls_snprintf( buf, buflen, "AES - Invalid key length" );

View File

@ -516,6 +516,9 @@ static const char *features[] = {
#if defined(MBEDTLS_AES_C) #if defined(MBEDTLS_AES_C)
"MBEDTLS_AES_C", "MBEDTLS_AES_C",
#endif /* MBEDTLS_AES_C */ #endif /* MBEDTLS_AES_C */
#if defined(MBEDTLS_AEAD_CHACHA20_POLY1305_C)
"MBEDTLS_AEAD_CHACHA20_POLY1305_C",
#endif /* MBEDTLS_AEAD_CHACHA20_POLY1305_C */
#if defined(MBEDTLS_ARC4_C) #if defined(MBEDTLS_ARC4_C)
"MBEDTLS_ARC4_C", "MBEDTLS_ARC4_C",
#endif /* MBEDTLS_ARC4_C */ #endif /* MBEDTLS_ARC4_C */

View File

@ -29,7 +29,7 @@ if( @ARGV ) {
my $error_format_file = $data_dir.'/error.fmt'; my $error_format_file = $data_dir.'/error.fmt';
my @low_level_modules = qw( AES ARC4 ASN1 BASE64 BIGNUM BLOWFISH my @low_level_modules = qw( AEAD_CHACHA20_POLY1305 AES ARC4 ASN1 BASE64 BIGNUM BLOWFISH
CAMELLIA CCM CHACHA20 CMAC CTR_DRBG DES CAMELLIA CCM CHACHA20 CMAC CTR_DRBG DES
ENTROPY GCM HMAC_DRBG MD2 MD4 MD5 ENTROPY GCM HMAC_DRBG MD2 MD4 MD5
NET OID PADLOCK PBKDF2 POLY1305 RIPEMD160 NET OID PADLOCK PBKDF2 POLY1305 RIPEMD160
@ -88,6 +88,7 @@ foreach my $line (@matches)
$module_name = "BIGNUM" if ($module_name eq "MPI"); $module_name = "BIGNUM" if ($module_name eq "MPI");
$module_name = "CTR_DRBG" if ($module_name eq "CTR"); $module_name = "CTR_DRBG" if ($module_name eq "CTR");
$module_name = "HMAC_DRBG" if ($module_name eq "HMAC"); $module_name = "HMAC_DRBG" if ($module_name eq "HMAC");
$module_name = "AEAD_CHACHA20_POLY1305" if ($module_name eq "AEAD");
my $define_name = $module_name; my $define_name = $module_name;
$define_name = "X509_USE,X509_CREATE" if ($define_name eq "X509"); $define_name = "X509_USE,X509_CREATE" if ($define_name eq "X509");

View File

@ -44,6 +44,7 @@ if(MSVC)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX-") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX-")
endif(MSVC) endif(MSVC)
add_test_suite(aead_chacha20_poly1305)
add_test_suite(aes aes.ecb) add_test_suite(aes aes.ecb)
add_test_suite(aes aes.cbc) add_test_suite(aes aes.cbc)
add_test_suite(aes aes.cfb) add_test_suite(aes aes.cfb)

View File

@ -45,7 +45,8 @@ ifdef ZLIB
LOCAL_LDFLAGS += -lz LOCAL_LDFLAGS += -lz
endif endif
APPS = test_suite_aes.ecb$(EXEXT) test_suite_aes.cbc$(EXEXT) \ APPS = test_suite_aead_chacha20_poly1305$(EXEXT) \
test_suite_aes.ecb$(EXEXT) test_suite_aes.cbc$(EXEXT) \
test_suite_aes.cfb$(EXEXT) test_suite_aes.rest$(EXEXT) \ test_suite_aes.cfb$(EXEXT) test_suite_aes.rest$(EXEXT) \
test_suite_arc4$(EXEXT) test_suite_asn1write$(EXEXT) \ test_suite_arc4$(EXEXT) test_suite_asn1write$(EXEXT) \
test_suite_base64$(EXEXT) test_suite_blowfish$(EXEXT) \ test_suite_base64$(EXEXT) test_suite_blowfish$(EXEXT) \
@ -203,6 +204,11 @@ test_suite_hmac_drbg.pr.c : suites/test_suite_hmac_drbg.function suites/test_sui
echo " Gen $@" echo " Gen $@"
perl scripts/generate_code.pl suites $* $* perl scripts/generate_code.pl suites $* $*
test_suite_aead_chacha20_poly1305$(EXEXT): test_suite_aead_chacha20_poly1305.c $(DEP)
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test_suite_aes.ecb$(EXEXT): test_suite_aes.ecb.c $(DEP) test_suite_aes.ecb$(EXEXT): test_suite_aes.ecb.c $(DEP)
echo " CC $<" echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@

View File

@ -0,0 +1,19 @@
ChaCha20-Poly1305 RFC 7539 Example and Test Vector (Encrypt)
depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C
mbedtls_aead_chacha20_poly1305_enc:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"1ae10b594f09e26a7e902ecbd0600691"
ChaCha20-Poly1305 RFC 7539 Example and Test Vector (Encrypt)
depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C
mbedtls_aead_chacha20_poly1305_dec:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":"070000004041424344454647":"50515253c0c1c2c3c4c5c6c7":"d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b6116":"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e":"1ae10b594f09e26a7e902ecbd0600691"
ChaCha20-Poly1305 RFC 7539 Test Vector #1 (Encrypt)
depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C
mbedtls_aead_chacha20_poly1305_enc:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"eead9d67890cbb22392336fea1851f38"
ChaCha20-Poly1305 RFC 7539 Test Vector #1 (Decrypt)
depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C
mbedtls_aead_chacha20_poly1305_dec:"1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0":"000000000102030405060708":"f33388860000000000004e91":"64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b":"496e7465726e65742d4472616674732061726520647261667420646f63756d656e74732076616c696420666f722061206d6178696d756d206f6620736978206d6f6e74687320616e64206d617920626520757064617465642c207265706c616365642c206f72206f62736f6c65746564206279206f7468657220646f63756d656e747320617420616e792074696d652e20497420697320696e617070726f70726961746520746f2075736520496e7465726e65742d447261667473206173207265666572656e6365206d6174657269616c206f7220746f2063697465207468656d206f74686572207468616e206173202fe2809c776f726b20696e2070726f67726573732e2fe2809d":"eead9d67890cbb22392336fea1851f38"
ChaCha20-Poly1305 Selftest
depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C:MBEDTLS_SELF_TEST
aead_chacha20_poly1305_selftest:

View File

@ -0,0 +1,109 @@
/* BEGIN_HEADER */
#include "mbedtls/aead_chacha20_poly1305.h"
/* END_HEADER */
/* BEGIN_DEPENDENCIES
* depends_on:MBEDTLS_AEAD_CHACHA20_POLY1305_C
* END_DEPENDENCIES
*/
/* BEGIN_CASE */
void mbedtls_aead_chacha20_poly1305_enc( char *hex_key_string, char *hex_nonce_string, char *hex_aad_string, char *hex_input_string, char *hex_output_string, char *hex_mac_string )
{
unsigned char key_str[32];
unsigned char nonce_str[12];
unsigned char aad_str[10000];
unsigned char input_str[10000];
unsigned char output_str[10000];
unsigned char mac_str[16];
unsigned char output[10000];
unsigned char mac[16];
size_t input_len;
size_t output_len;
size_t aad_len;
size_t key_len;
size_t nonce_len;
size_t mac_len;
memset( key_str, 0x00, 32 );
memset( nonce_str, 0x00, 12 );
memset( aad_str, 0x00, 10000 );
memset( input_str, 0x00, 10000 );
memset( output_str, 0x00, 10000 );
memset( mac_str, 0x00, 16 );
aad_len = unhexify( aad_str, hex_aad_string );
input_len = unhexify( input_str, hex_input_string );
output_len = unhexify( output_str, hex_output_string );
key_len = unhexify( key_str, hex_key_string );
nonce_len = unhexify( nonce_str, hex_nonce_string );
mac_len = unhexify( mac_str, hex_mac_string );
TEST_ASSERT( key_len == 32 );
TEST_ASSERT( nonce_len == 12 );
TEST_ASSERT( mac_len == 16 );
mbedtls_aead_chacha20_poly1305_crypt_and_mac( key_str, nonce_str,
MBEDTLS_AEAD_CHACHA20_POLY1305_ENCRYPT,
aad_len, aad_str,
input_len, input_str, output,
mac );
TEST_ASSERT( memcmp( output_str, output, output_len ) == 0 );
TEST_ASSERT( memcmp( mac_str, mac, 16U ) == 0 );
}
/* END_CASE */
/* BEGIN_CASE */
void mbedtls_aead_chacha20_poly1305_dec( char *hex_key_string, char *hex_nonce_string, char *hex_aad_string, char *hex_input_string, char *hex_output_string, char *hex_mac_string )
{
unsigned char key_str[32];
unsigned char nonce_str[12];
unsigned char aad_str[10000];
unsigned char input_str[10000];
unsigned char output_str[10000];
unsigned char mac_str[16];
unsigned char output[10000];
unsigned char mac[16];
size_t input_len;
size_t output_len;
size_t aad_len;
size_t key_len;
size_t nonce_len;
size_t mac_len;
memset( key_str, 0x00, 32 );
memset( nonce_str, 0x00, 12 );
memset( aad_str, 0x00, 10000 );
memset( input_str, 0x00, 10000 );
memset( output_str, 0x00, 10000 );
memset( mac_str, 0x00, 16 );
aad_len = unhexify( aad_str, hex_aad_string );
input_len = unhexify( input_str, hex_input_string );
output_len = unhexify( output_str, hex_output_string );
key_len = unhexify( key_str, hex_key_string );
nonce_len = unhexify( nonce_str, hex_nonce_string );
mac_len = unhexify( mac_str, hex_mac_string );
TEST_ASSERT( key_len == 32 );
TEST_ASSERT( nonce_len == 12 );
TEST_ASSERT( mac_len == 16 );
mbedtls_aead_chacha20_poly1305_crypt_and_mac( key_str, nonce_str,
MBEDTLS_AEAD_CHACHA20_POLY1305_DECRYPT,
aad_len, aad_str,
input_len, input_str, output,
mac );
TEST_ASSERT( memcmp( output_str, output, output_len ) == 0 );
TEST_ASSERT( memcmp( mac_str, mac, 16U ) == 0 );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
void aead_chacha20_poly1305_selftest()
{
TEST_ASSERT( mbedtls_aead_chacha20_poly1305_self_test( 1 ) == 0 );
}
/* END_CASE */