Commit Graph

3529 Commits

Author SHA1 Message Date
Simon Butcher
6665b67ddf Merge remote-tracking branch 'public/pr/1390' into development 2018-06-27 10:51:47 +01:00
Nicholas Wilson
2682edf205 Fix build using -std=c99
In each place where POSIX/GNU functions are used, the file must declare
that it wants POSIX functionality before including any system headers.
2018-06-25 12:00:26 +01:00
Nicholas Wilson
512b4ee9c7 Use gmtime_r to fix thread-safety issue, and use mbedtls_time on Windows 2018-06-25 11:59:54 +01:00
niisato
8ee2422ef8 about a issue Replace "new" variable #1782 2018-06-25 19:05:48 +09:00
Andres Amaya Garcia
bf7fe4f3f0 Replace check with APPLE with CMAKE_SYSTEM_NAME 2018-06-21 20:21:38 +01:00
Andres Amaya Garcia
5b92352374 Document ssl_write_real() behaviour in detail 2018-06-21 19:23:21 +01:00
Ron Eldor
755bb6af5f Add ecc extensions only if ecc ciphersuite is used
Fix compliancy to RFC4492. ECC extensions should be included
only if ec ciphersuites are used. Interoperability issue with
bouncy castle. #1157
2018-06-21 16:35:26 +03:00
Andres Amaya Garcia
e3402ce44f Enable APPLE_BUILD in makefile if using system ar 2018-06-20 10:43:21 +01:00
Philippe Antoine
21f73b57ed Coding style
Commit to be squashed
2018-06-20 08:13:24 +02:00
Andres Amaya Garcia
c51d613eac Ensure crosscompiling with make works in Mac OS X 2018-06-19 17:25:42 +01:00
Manuel Pégourié-Gonnard
2e58e8ee34 Implement ChachaPoly mode in TLS 2018-06-19 12:12:47 +02:00
Manuel Pégourié-Gonnard
ce66d5e8e1 Declare ChaCha-Poly ciphersuites
Prefer them over AES-GCM as they have better performance and fewer side
channel considerations in software implementations.
2018-06-19 12:11:38 +02:00
Manuel Pégourié-Gonnard
f57bf8b467 Define specific mode for ChachaPoly
The TLS layer is checking for mode, such as GCM, CCM, CBC, STREAM. ChachaPoly
needs to have its own mode, even if it's used just one cipher, in order to
allow consistent handling of mode in the TLS layer.
2018-06-19 11:32:48 +02:00
Manuel Pégourié-Gonnard
a18034a8e2 Adjust to added fields in cipher_base_t
This is a follow-up to the previous merge commit: two fields were added in the
merged development branch
2018-06-19 11:32:01 +02:00
Manuel Pégourié-Gonnard
0dadba2b58 Merge branch 'development' into iotssl-2257-chacha-poly-primitives
* development: (182 commits)
  Change the library version to 2.11.0
  Fix version in ChangeLog for fix for #552
  Add ChangeLog entry for clang version fix. Issue #1072
  Compilation warning fixes on 32b platfrom with IAR
  Revert "Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default"
  Fix for missing len var when XTS config'd and CTR not
  ssl_server2: handle mbedtls_x509_dn_gets failure
  Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
  SSL async tests: add a few test cases for error in decrypt
  Fix memory leak in ssl_server2 with SNI + async callback
  SNI + SSL async callback: make all keys async
  ssl_async_resume: free the operation context on error
  ssl_server2: get op_name from context in ssl_async_resume as well
  Clarify "as directed here" in SSL async callback documentation
  SSL async callbacks documentation: clarify resource cleanup
  Async callback: use mbedtls_pk_check_pair to compare keys
  Rename mbedtls_ssl_async_{get,set}_data for clarity
  Fix copypasta in the async callback documentation
  SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert
  ssl_async_set_key: detect if ctx->slots overflows
  ...
2018-06-19 11:13:50 +02:00
Simon Butcher
2fcd3e4441 Change the library version to 2.11.0
* Change the Mbed TLS library version to 2.11.0
 * Increase the soversion of libmbedcrypto
 * Increase the soversion of libmbedtls
2018-06-18 14:39:06 +01:00
Angus Gratton
d8213d00db Let MBEDTLS_SSL_MAX_CONTENT_LEN to be split into outward & inward sizes
For the situation where the mbedTLS device has limited RAM, but the
other end of the connection doesn't support the max_fragment_length
extension. To be spec-compliant, mbedTLS has to keep a 16384 byte
incoming buffer. However the outgoing buffer can be made smaller without
breaking spec compliance, and we save some RAM.

See comments in include/mbedtls/config.h for some more details.

(The lower limit of outgoing buffer size is the buffer size used during
handshake/cert negotiation. As the handshake is half-duplex it might
even be possible to store this data in the "incoming" buffer during the
handshake, which would save even more RAM - but it would also be a lot
hackier and error-prone. I didn't really explore this possibility, but
thought I'd mention it here in case someone sees this later on a mission
to jam mbedTLS into an even tinier RAM footprint.)
2018-06-18 20:51:51 +10:00
Manuel Pégourié-Gonnard
c7bc9e122f Fix a few typos 2018-06-18 10:30:30 +02:00
Simon Butcher
cbe248a3f5 Merge remote-tracking branch 'public/pr/1727' into development 2018-06-17 17:37:29 +01:00
Simon Butcher
1f91575546 Merge remote-tracking branch 'public/pr/1681' into development 2018-06-17 17:35:54 +01:00
Simon Butcher
2711ad7505 Merge remote-tracking branch 'public/pr/1736' into development 2018-06-17 17:34:55 +01:00
Simon Butcher
600c5e6d20 Compilation warning fixes on 32b platfrom with IAR
Fix compilation warnings with IAR toolchain, on 32 bit platform.
Reported by rahmanih in #683

This is based on work by Ron Eldor in PR #750, some of which was independently
fixed by Azim Khan and already merged in PR #1646.
2018-06-17 17:24:56 +01:00
Simon Butcher
2dbecc04cc Merge remote-tracking branch 'public/pr/1602' into development 2018-06-15 20:15:00 +01:00
Simon Butcher
66a8903f4a Fix for missing len var when XTS config'd and CTR not
The AES XTS self-test was using a variable len, which was declared only when CTR
was enabled. Changed the declaration of len to be conditional on CTR and XTS.
2018-06-15 18:20:29 +01:00
Simon Butcher
5f57f1e3cc Merge remote-tracking branch 'public/pr/1270' into development 2018-06-15 14:17:31 +01:00
Simon Butcher
675590519a Merge remote-tracking branch 'public/pr/1602' into development 2018-06-15 14:13:14 +01:00
Jaeden Amero
ff2f493432 config: List cipher modes in alphabetical order
Keeping the cipher modes list in alphabetical order makes it easier to
find things. Move OFB and XTS to their appropriate locations in the
list.
2018-06-14 11:42:27 +01:00
Simon Butcher
6ac1cf6f5f Merge remote-tracking branch 'public/pr/1182' into development 2018-06-14 10:33:29 +01:00
Simon Butcher
c1bf1aaee5 Merge remote-tracking branch 'public/pr/1555' into development 2018-06-14 10:24:56 +01:00
Simon Butcher
73a4b80475 Merge remote-tracking branch 'public/pr/1672' into development 2018-06-14 10:24:02 +01:00
Simon Butcher
2ff0e52087 Fix missing preprocessor condition in AES self-test
The AES OFB self-test made use of a variable `offset` but failed to have a
preprocessor condition around it, so unless CTR and CBC were enabled, the
variable would be undeclared.
2018-06-14 09:57:07 +01:00
Philippe Antoine
c03059db42 Simplify code in mbedtls_x509_csr_parse 2018-06-14 07:35:11 +02:00
Gilles Peskine
0a8352b4c2 Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
In ssl_parse_encrypted_pms, some operational failures from
ssl_decrypt_encrypted_pms lead to diff being set to a value that
depended on some uninitialized unsigned char and size_t values. This didn't
affect the behavior of the program (assuming an implementation with no
trap values for size_t) because all that matters is whether diff is 0,
but Valgrind rightfully complained about the use of uninitialized
memory. Behave nicely and initialize the offending memory.
2018-06-13 18:21:25 +02:00
Jaeden Amero
8cfc75f603 aes: xts: Fix style issues with gf128mul 2018-06-13 12:13:58 +01:00
Jaeden Amero
5f0b06aeda aes: xts: Fix description of gf128mul
THe function `mbedtls_gf128mul_x_ble()` doesn't multiply by x, x^4, and
x^8. Update the function description to properly describe what the function
does.
2018-06-13 12:13:58 +01:00
Jaeden Amero
c653990ed5 cipher: Add wrappers for AES-XTS
AES-XTS does not support multipart use as it can only operate on an entire
sector at a time.
2018-06-13 12:13:56 +01:00
Jaeden Amero
21d79cf947 aes: Add self test for AES-XTS 2018-06-13 12:05:04 +01:00
Jaeden Amero
cd9fc5e541 aes: xts: Rename iv to data_unit
XTS doesn't have an IV, it has a "Data Unit". Rename iv for parity with the
XTS standard.
2018-06-13 12:05:04 +01:00
Jaeden Amero
d82cd860b2 aes: xts: Rewrite to avoid use of goto
The flow was a bit hard to follow with the `goto` everywhere. Rewrite the
XTS implementation to avoid the use of `goto`.
2018-06-13 12:05:04 +01:00
Jaeden Amero
0a8b02087a aes: xts: Enforce NIST SP 800-38E data unit size
NIST SP 800-38E requites the data unit size be limited to at most 2^20 AES
blocks in size. Enforce this restriction.
2018-06-13 12:05:04 +01:00
Jaeden Amero
5162b932a2 aes: Use length instead of bits_length in XTS
mbedtls_aes_crypt_xts() currently takes a `bits_length` parameter, unlike
the other block modes. Change the parameter to accept a bytes length
instead, as the `bits_length` parameter is not actually ever used in the
current implementation.
2018-06-13 12:05:04 +01:00
Jaeden Amero
9366feb504 aes: xts: Add new context structure
Add a new context structure for XTS. Adjust the API for XTS to use the new
context structure, including tests suites and the benchmark program. Update
Doxgen documentation accordingly.
2018-06-13 12:05:04 +01:00
Jaeden Amero
e9ecf00007 aes: Remove AES-XEX
AES-XEX is a building block for other cryptographic standards and not yet a
standard in and of itself. We'll just provide the standardized AES-XTS
algorithm, and not AES-XEX. The AES-XTS algorithm and interface provided
can be used to perform the AES-XEX algorithm when the length of the input
is a multiple of the AES block size.
2018-06-13 12:03:29 +01:00
Jaeden Amero
010c2cb456 gf128mul: Inline instead of making a new module 2018-06-13 12:03:29 +01:00
Jaeden Amero
97cc3b1354 gf128mul: Remove the jump table
If we're unlucky with memory placement, gf128mul_table_bbe may spread over
two cache lines and this would leak b >> 63 to a cache timing attack.
Instead, take an approach that is less likely to make different memory
loads depending on the value of b >> 63 and is also unlikely to be compiled
to a condition.
2018-06-13 12:03:29 +01:00
Aorimn
5f77801ac3 Implement AES-XTS mode
XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing".
This is the generalization of the XEX mode.
This implementation is limited to an 8-bits (1 byte) boundary, which
doesn't seem to be what was thought considering some test vectors [1].

This commit comes with tests, extracted from [1], and benchmarks.
Although, benchmarks aren't really nice here, as they work with a buffer
of a multiple of 16 bytes, which isn't a challenge for XTS compared to
XEX.

[1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
2018-06-13 12:03:27 +01:00
Aorimn
380162c34c Double perf for AES-XEX
As seen from the first benchmark run, AES-XEX was running pourly (even
slower than AES-CBC). This commit doubles the performances of the
current implementation.
2018-06-13 12:02:30 +01:00
Aorimn
8bb817a4c1 Add AES-XEX to the version features 2018-06-13 12:02:29 +01:00
Aorimn
9bbe3632e4 Rename exported symbols to please check-names.sh
Exported symbols seem to need the "mbedtls_" prefix, which has been
added to be128 and gf128mul_x_ble.
2018-06-13 12:01:50 +01:00
Aorimn
0089d36ae5 Implement AES-XEX mode
XEX mode, known as "xor-encrypt-xor", is the simple case of the XTS
mode, known as "XEX with ciphertext stealing". When the buffers to be
encrypted/decrypted have a length divisible by the length of a standard
AES block (16), XTS is exactly like XEX.
2018-06-13 11:56:03 +01:00
Aorimn
b053658f95 Add 2 files for multiplication in GF(128)
Multiplication in GF(128) is required by the AES-XEX mode for computing
X in the XEX formula from
https://en.wikipedia.org/wiki/Disk_encryption_theory#Xor-encrypt-xor_.28XEX.29
2018-06-13 11:56:03 +01:00
Andres Amaya Garcia
1d9375919a Conditionally assign APPLE_BUILD var in makefile 2018-06-13 10:05:43 +01:00
Andres Amaya Garcia
c471cd7e0a Autodetect if running on OS X in makefile 2018-06-13 09:28:04 +01:00
Roberto Vargas
7decfe8c1e Convert mbedtls_free and mbedtls_calloc into functions
When MBEDTLS_PLATFORM_MEMORY is defined but MBEDTLS_PLATFORM_FREE_MACRO or
MBEDTLS_PLATFORM_CALLOC_MACRO are not defined then the actual functions
used to allocate and free memory are stored in function pointers.
These pointers are exposed to the caller, and it means that the caller
and the library have to share a data section.

In TF-A, we execute in a very constrained environment, where some images
are executed from ROM and other images are executed from SRAM. The
images that are executed from ROM cannot be modified. The SRAM size
is very small and we are moving libraries to the ROM that can be shared
between the different SRAM images.  These SRAM images could import all the
symbols used in mbedtls, but it would create an undesirable hard binary
dependency between the different images. For this reason, all the library
functions in ROM are accesed using a jump table whose base address is
known, allowing the images to execute with different versions of the ROM.

This commit changes the function pointers to actual functions,
so that the SRAM images only have to use the new exported symbols
(mbedtls_calloc and mbedtls_free) using the jump table. In
our scenario, mbedtls_platform_set_calloc_free is called from
mbedtls_memory_buffer_alloc_init which initializes the function pointers
to the internal buffer_alloc_calloc and buffer_alloc_free functions.

No functional changes to mbedtls_memory_buffer_alloc_init.

Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-06-13 09:17:59 +01:00
Andres Amaya Garcia
c06c9ae088 Add alias APPLE make var of APPLE_BUILD 2018-06-12 18:29:28 +01:00
Darryl Green
b11de306c4 Fix braces in mbedtls_memory_buffer_alloc_status() 2018-06-12 16:56:04 +01:00
Simon Butcher
e47d6fd97e Merge remote-tracking branch 'public/pr/1497' into development 2018-06-12 16:53:04 +01:00
Simon Butcher
f0d7629771 Merge remote-tracking branch 'public/pr/1593' into development 2018-06-12 16:41:41 +01:00
Simon Butcher
ebb6427992 Merge remote-tracking branch 'public/pr/1646' into development 2018-06-12 16:41:04 +01:00
Simon Butcher
263498ac36 Merge remote-tracking branch 'public/pr/1667' into development 2018-06-12 16:40:07 +01:00
Simon Butcher
4844bf2b5c Add OFB as additional block mode
Following rebasing on the development branch which introduced the ARIA cipher,
OFB was missing as a block mode from some cipher tables.
2018-06-11 15:21:05 +01:00
Simon Butcher
5db13621ec Clarify documentation for AES OFB
1. Changed reference/link to NIST SP800-38A
 2. Clarified language around AES-OFB usage
2018-06-11 14:03:22 +01:00
Simon Butcher
00131446be Fix style and formatting for OFB feature 2018-06-11 14:03:22 +01:00
Simon Butcher
ad4e4938d1 Fix AES-OFB support for errors, tests and self-test
Adds error handling into mbedtls_aes_crypt_ofb for AES errors, a self-test
for the OFB mode using NIST SP 800-38A test vectors and adds a check to
potential return errors in setting the AES encryption key in the OFB test
suite.
2018-06-11 14:03:22 +01:00
Simon Butcher
7487c5b2c8 Add missing OFB entry to null ciphersuite
The OFB entry has been omitted from the the null cipher suite definition,
null_base_info.
2018-06-11 14:03:22 +01:00
Simon Butcher
8c0fd1e881 Add cipher abstraction and test cases for OFB block mode
Adds OFB as additional block mode in the cipher abstraction, and additional
test cases for that block mode.
2018-06-11 14:03:22 +01:00
Simon Butcher
76a5b22973 Add OFB block mode to AES-128/192/256
Adds a new configuration of MBEDTLS_CIPHER_MODE_OFB and OFB mode to AES.
2018-06-11 14:03:22 +01:00
Thomas Fossati
656864b360 Add an HKDF (RFC 5869) implementation 2018-06-11 13:10:14 +01:00
Manuel Pégourié-Gonnard
39b1904b9f Merge branch 'development' into iotssl-2257-chacha-poly-primitives
* development: (97 commits)
  Updated version number to 2.10.0 for release
  Add a disabled CMAC define in the no-entropy configuration
  Adapt the ARIA test cases for new ECB function
  Fix file permissions for ssl.h
  Add ChangeLog entry for PR#1651
  Fix MicroBlaze register typo.
  Fix typo in doc and copy missing warning
  Fix edit mistake in cipher_wrap.c
  Update CTR doc for the 64-bit block cipher
  Update CTR doc for other 128-bit block ciphers
  Slightly tune ARIA CTR documentation
  Remove double declaration of mbedtls_ssl_list_ciphersuites
  Update CTR documentation
  Use zeroize function from new platform_util
  Move to new header style for ALT implementations
  Add ifdef for selftest in header file
  Fix typo in comments
  Use more appropriate type for local variable
  Remove useless parameter from function
  Wipe sensitive info from the stack
  ...
2018-06-07 12:02:55 +02:00
Manuel Pégourié-Gonnard
21a65e0011 Fix usage of inline with for some compilers 2018-06-07 11:54:17 +02:00
Manuel Pégourié-Gonnard
2adb375c50 Add option to avoid 64-bit multiplication
Motivation is similar to NO_UDBL_DIVISION.

The alternative implementation of 64-bit mult is straightforward and aims at
obvious correctness. Also, visual examination of the generate assembly show
that it's quite efficient with clang, armcc5 and arm-clang. However current
GCC generates fairly inefficient code for it.

I tried to rework the code in order to make GCC generate more efficient code.
Unfortunately the only way to do that is to get rid of 64-bit add and handle
the carry manually, but this causes other compilers to generate less efficient
code with branches, which is not acceptable from a side-channel point of view.

So let's keep the obvious code that works for most compilers and hope future
versions of GCC learn to manage registers in a sensible way in that context.

See https://bugs.launchpad.net/gcc-arm-embedded/+bug/1775263
2018-06-07 11:05:33 +02:00
Simon Butcher
d5a09f1e68 Updated version number to 2.10.0 for release 2018-06-06 14:52:00 +01:00
Philippe Antoine
747fd53938 Fixes different off by ones 2018-06-05 16:13:10 +02:00
Gilles Peskine
d0e55a4657 ssl_decrypt_buf: remove code for hashes that aren't used in TLS 2018-06-04 14:41:19 +02:00
Manuel Pégourié-Gonnard
94175a50f7 Refresh generated file 2018-06-04 12:42:17 +02:00
Manuel Pégourié-Gonnard
3dc62a0a9b chachapoly: force correct mode for integrated API
Allowing DECRYPT with crypt_and_tag is a risk as people might fail to check
the tag correctly (or at all). So force them to use auth_decrypt() instead.

See also https://github.com/ARMmbed/mbedtls/pull/1668
2018-06-04 12:18:19 +02:00
Manuel Pégourié-Gonnard
26c3b0a4b1 Fix return type of internal function
Fixes incomplete change in f4f01b6b7a
2018-06-04 12:06:23 +02:00
Gilles Peskine
5c38984fa7 Use our habitual INTERNAL_ERROR debug message 2018-06-04 12:02:43 +02:00
Gilles Peskine
a7fe25d5a5 Remove tests of #define's that don't exist 2018-06-04 12:01:18 +02:00
Gilles Peskine
1bd9d58b21 Clarify comment about integer division by a variable 2018-06-04 11:58:44 +02:00
Simon Butcher
246cb05a92 Merge remote-tracking branch 'public/pr/1410' into development 2018-06-01 19:25:56 +01:00
Gilles Peskine
02b9329f2b Fix MSan build without MBEDTLS_TIMING_C
When MBEDTLS_TIMING_C was not defined in config.h, but the MemSan
memory sanitizer was activated, entropy_poll.c used memset without
declaring it. Fix this by including string.h unconditionally.
2018-06-01 18:19:59 +02:00
Janos Follath
4c579391b1 CCM*: Remove superfluous braces 2018-05-30 13:58:38 +01:00
Gilles Peskine
20b4408fbd Fix Lucky13 attack protection when using HMAC-SHA-384
As a protection against the Lucky Thirteen attack, the TLS code for
CBC decryption in encrypt-then-MAC mode performs extra MAC
calculations to compensate for variations in message size due to
padding. The amount of extra MAC calculation to perform was based on
the assumption that the bulk of the time is spent in processing
64-byte blocks, which is correct for most supported hashes but not for
SHA-384. Correct the amount of extra work for SHA-384 (and SHA-512
which is currently not used in TLS, and MD2 although no one should
care about that).
2018-05-29 14:06:49 +02:00
Janos Follath
997e85c049 CCM*: Remove nested if 2018-05-29 11:59:22 +01:00
Janos Follath
b5734a28d9 CCM*: Add implementation 2018-05-29 11:59:22 +01:00
Azim Khan
45b79cf12b Treat warnings as errors for IAR
Fix IAR compiler warnings

Two warnings have been fixed:
1. code 'if( len <= 0xFFFFFFFF )' gave warning 'pointless integer comparison'.
   This was fixed by wraping the condition in '#if SIZE_MAX > 0xFFFFFFFF'.
2. code 'diff |= A[i] ^ B[i];' gave warning 'the order of volatile accesses is undefined in'.
   This was fixed by read the volatile data in temporary variables before the computation.

Explain IAR warning on volatile access

Consistent use of CMAKE_C_COMPILER_ID
2018-05-25 14:54:14 +01:00
Manuel Pégourié-Gonnard
f4f01b6b7a Check return values from lower modules
The cast to void was motivated by the assumption that the functions only
return non-zero when passed bad arguments, but that might not be true of
alternative implementation, for example on hardware failure.
2018-05-24 18:50:18 +02:00
Manuel Pégourié-Gonnard
1729789075 Misc style adjustments
- fix some whitespace
- fix most overlong lines
- remove some superfluous parentheses
- s/result/ret/ for consistency with the rest of the library
2018-05-24 18:50:18 +02:00
Manuel Pégourié-Gonnard
98fae6d800 ChaCha20: move working state from ctx to stack
No need to keep it around.
2018-05-24 17:38:31 +02:00
Manuel Pégourié-Gonnard
9620f9b99e Rm mbedtls_ prefix form static functions
- prefix is no necessary for static ids and makes lines longer
- most often omitted (even though we're not fully consistent)
2018-05-24 17:04:02 +02:00
Manuel Pégourié-Gonnard
fb78c90138 Use recently-introduced platform_util module 2018-05-24 16:54:57 +02:00
Manuel Pégourié-Gonnard
39f25616b3 Fix edit mistake in cipher_wrap.c
Error was from 08c337d058
2018-05-24 14:06:02 +02:00
Manuel Pégourié-Gonnard
3798b6be6b Add some error codes and merge others
- need HW failure codes too
- re-use relevant poly codes for chachapoly to save on limited space

Values were chosen to leave 3 free slots at the end of the NET odd range.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
32902e6eae cipher: handle ChaCha20 as a stream cipher
That's what it is. So we shouldn't set a block size != 1.

While at it, move call to chachapoly_update() closer to the one for GCM, as
they are similar (AEAD).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
c0dfcd4bf1 Simplify selftest functions using macros
This reduces clutter, making the functions more readable.

Also, it makes lcov see each line as covered. This is not cheating, as the
lines that were previously seen as not covered are not supposed to be reached
anyway (failing branches of the selftests).

Thanks to this and previous test suite enhancements, lcov now sees chacha20.c
and poly1305.c at 100% line coverage, and for chachapoly.c only two lines are
not covered (error returns from lower-level module that should never happen
except perhaps if an alternative implementation returns an unexpected error).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
59d2c30eba chachapoly: add test for parameter validation
Also fix two bugs found by the new tests.

Also remove redundant test case dependency declarations while at it.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
a8fa8b8f96 poly1305: add test for parameter validation
Also fix two validation bugs found while adding the tests.

Also handle test dependencies the right way while at it.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
1465602ee1 poly1305: fix bug in starts() and add test for it 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
55c0d096b7 chacha20: fix bug in starts() and add test for it
Previously the streaming API would fail when encrypting multiple messages with
the same key.
2018-05-24 13:37:31 +02:00